tcpdump -i any

How to capture all incoming HTTP GET traffic (requests)
tcpdump -i any -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
( Here 0x47455420 is the ASCII value of the characters 'G' 'E' 'T' ' '. The expression (tcp[12:1] & 0xf0) >> 2 is the TCP header length in bytes taken from the data-offset field, so tcp[...:4] compares the first four bytes of the payload rather than a fixed offset, and the filter still works when the segment carries TCP options )

How to capture all incoming HTTP POST requests
tcpdump -i any -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'
( Here 0x504F5354 is the ASCII value of 'P' 'O' 'S' 'T' )

How to capture only HTTP GET requests incoming to port 80 ( Apache/NGINX )
tcpdump -i any -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

How to capture only HTTP POST requests incoming to port 80 ( Apache/NGINX )
tcpdump -i any -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'
How to capture only HTTP GET calls incoming to port 443 ( Apache/NGINX )
tcpdump -i any -s 0 -A 'tcp dst port 443 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

How to capture only HTTP POST calls incoming to port 443 ( Apache/NGINX )
tcpdump -i any -s 0 -A 'tcp dst port 443 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'
( These two match only if plaintext HTTP is sent to port 443. For HTTPS the request is inside the TLS record layer, so the first payload bytes are never 'GET ' or 'POST' and the filter captures nothing )
How to capture both HTTP GET (or) POST incoming calls to port 80 (or) 443 ( Apache/NGINX ) originating from host 192.168.10.1
tcpdump -i any -s 0 -A '(tcp dst port 80 or tcp dst port 443) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354) and host 192.168.10.1'
( The parentheses matter: in tcpdump filter syntax 'and' and 'or' have equal precedence and associate left to right, so without them the POST term is evaluated outside the port condition and every POST sent by the host to any port is captured as well )
How to capture a complete HTTP transmission, incoming and outgoing, including both the HTTP request and response, associated with a single client, along with the HTML page data ( GET & POST ) on port 80
tcpdump -i any -s 0 -A 'tcp port 80 and host 192.168.10.1 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x3C21444F)'
( 0x3C21444F is the ASCII value of '<' '!' 'D' 'O', the start of the <!DOCTYPE declaration; this is to capture the outgoing HTML file
0x48545450 is the ASCII value of 'H' 'T' 'T' 'P'; this is to capture the outgoing HTTP traffic (HTTP response)
'tcp port 80' rather than 'tcp dst port 80' is used because the responses have port 80 as their source port; the parentheses keep the four marker tests as one alternative group )
How to monitor all the incoming HTTP request URLs (POST or GET)
tcpdump -i any -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

How to capture the cookies from server and from client ( request & response )
tcpdump -i any -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'

How to filter HTTP User-Agents
tcpdump -vvAls0 | grep 'User-Agent:'

How to capture a complete HTTP transmission, incoming and outgoing, including both the HTTP request and response, associated with a single client, along with the HTML data ( GET & POST ) on port 18001
tcpdump -i any -s 0 -A 'tcp port 18001 and host 192.168.60.1 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x3C21444F)'
( Same structure as the port 80 version: 'tcp port 18001' matches both directions and the parenthesised marker group is evaluated independently of the host and port conditions )
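The offset trick shared by every filter above, worked through in Python as an added example (this is not code from the gist): `http_marker` computes the 32-bit constants from their four ASCII characters, `bpf_expression` assembles a correctly parenthesised filter for any list of methods, ports and host, and `tcp_header_length`/`matches` reproduce the `(tcp[12:1] & 0xf0) >> 2` arithmetic against constructed TCP segments, including one that carries a TCP option so the payload does not start at byte 20. The function names, the port numbers and the sample segments are assumptions made for the illustration, not values from the page.

```python
import struct

# The payload-offset expression is the one the gist uses in every filter.
# Everything else in this file is an added illustration, not part of the gist.
PAYLOAD_OFFSET = "tcp[((tcp[12:1] & 0xf0) >> 2):4]"


def http_marker(prefix: str) -> int:
    """Turn a four-character ASCII prefix into the constant tcpdump compares
    against, e.g. 'GET ' -> 0x47455420, '<!DO' -> 0x3C21444F."""
    raw = prefix.encode("ascii")
    if len(raw) != 4:
        raise ValueError("tcp[off:4] compares exactly four bytes")
    return int.from_bytes(raw, "big")


def bpf_expression(prefixes, ports=(), host=None, port_qualifier="tcp dst port"):
    """Build the filter with explicit parentheses. In tcpdump syntax 'and' and
    'or' have equal precedence and associate left to right, so
    'a or b and c or d' is '((a or b) and c) or d'; the parentheses keep the
    port list, the method list and the host as independent conditions."""
    methods = " or ".join(f"{PAYLOAD_OFFSET} = 0x{http_marker(p):08X}" for p in prefixes)
    clauses = [f"({methods})"]
    if ports:
        clauses.insert(0, "(" + " or ".join(f"{port_qualifier} {p}" for p in ports) + ")")
    if host:
        clauses.append(f"host {host}")
    return " and ".join(clauses)


def tcp_header_length(segment: bytes) -> int:
    """Mirror the BPF arithmetic. Byte 12 of the TCP header holds the data
    offset (in 32-bit words) in its upper nibble; masking with 0xf0 and
    shifting right by 2 equals (byte >> 4) * 4, the header length in bytes."""
    return (segment[12] & 0xF0) >> 2


def matches(segment: bytes, prefixes) -> bool:
    """Apply the same test tcpdump does: are the first four payload bytes
    equal to one of the requested markers?"""
    start = tcp_header_length(segment)
    first_word = segment[start:start + 4]
    return any(first_word == http_marker(p).to_bytes(4, "big") for p in prefixes)


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment for testing (not captured traffic): a 20-byte
    base header, optional TCP options padded to a 32-bit boundary, then the
    payload. Ports, sequence numbers and the window are arbitrary."""
    options = options + b"\x00" * (-len(options) % 4)
    data_offset_words = (20 + len(options)) // 4
    offset_and_flags = (data_offset_words << 12) | 0x018  # PSH, ACK
    header = struct.pack("!HHIIHHHH", 54321, 80, 1, 1, offset_and_flags, 65535, 0, 0)
    return header + options + payload


if __name__ == "__main__":
    print(bpf_expression(["GET ", "POST"], ports=[80, 443], host="192.168.10.1"))
    # A segment carrying an MSS option pushes the payload to byte 24; a filter
    # hard-wired to tcp[20:4] would miss it, the data-offset form does not.
    mss_option = b"\x02\x04\x05\xb4"
    seg = build_tcp_segment(b"GET /index.html HTTP/1.1\r\n", options=mss_option)
    print("header bytes:", tcp_header_length(seg), "matches GET:", matches(seg, ["GET "]))
```

For the both-directions captures on the page, `bpf_expression(["GET ", "POST", "HTTP", "<!DO"], ports=[80], host="192.168.10.1", port_qualifier="tcp port")` produces the parenthesised form; the default `tcp dst port` qualifier reproduces the request-only filters.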
parsibox commented Dec 4, 2018
tcpdump -i any "dst port 80" -nnvvS -s 65535 -w smpp.cap
port 80 and POST
tcpdump -i any "dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 " -nnvvS -s 65535 -w smpp.cap
tshark -R 'tcp.port==80 && http.request.full_uri contains "ajax" && http.request.method=="POST" ' -Tfields -e ip.src -e http.request.method -e http.request.full_uri
yum install wireshark
view web service XML + view POST JSON REST ( best )
tcpdump -i any -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'
tcpdump -i any -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
sudo tcpdump -i any -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20
tcpdump -i any -vvvs 1024 -l -A | grep -A 3 -E 'X-Forwarded-For:'
tcpdump -i any -vvvs 1024 -l -A | grep -A 3 -E '502 Bad Gateway'
tcpdump -i any -vvvs 1024 -l -A | grep -B 3 -E 'X-Forwarded-For:'
SMPP
tcpdump -i any -nnvvS -s 65535 -w smpp.cap port 15019
https://helpx.adobe.com/campaign/kb/smpp-protocol-wireshark.html
tcpdump show only IP
tcpdump -i any port 9090 -nn | cut -d ' ' -f 3 | awk -F. '{ if (NF == 2) { print $1 } else { print $1 FS $2 FS $3 FS $4 }}'
tshark -i any -R 'tcp.port==80 && (http.request.method=="POST" )' -Tfields -e ip.src -e data -e text
httpry -i any
best command to view the response from a POST request
tcpdump -i any -s 0 -A ' tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x30313136 '
tcpdump -i any -vvAls0 | grep 'GET'
-X : Show the packet’s contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-D : Show the list of available interfaces
-l : Line-readable output (for viewing as you save, or sending to other commands)
-q : Be less verbose (more quiet) with your output.
-t : Give human-readable timestamp output.
-tttt : Give maximally human-readable timestamp output.
-i eth0 : Listen on the eth0 interface.
-vv : Verbose output (more v’s gives more output).
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
It’s All About the Combinations
tcpdump -i any -ttnnvvS
tcpdump -i any -ttnnvvS | grep 'x-username'
for file in /root/dumps/*.pcap.gz; do sudo tshark -r "$file" -Y 'frame contains "sumbit"'; done
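The `cut | sort | uniq -c | sort -nr | head` top-talker pipeline in the comment above, reimplemented as an added Python example (not code from the gist or its comments) so the parsing is explicit: tcpdump's `-nn -t` output writes each endpoint as `address.port`, and splitting on the last dot is what makes `cut -d. -f1-4` work for IPv4 while also handling IPv6 addresses, which `cut` would truncate. The sample lines are constructed, not captured.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -i any -nn -t` output (not a real capture).
# -nn keeps addresses and ports numeric, -t drops the timestamp, so the
# second and fourth fields are "address.port" endpoints.
SAMPLE_LINES = """\
IP 192.168.10.1.54321 > 10.0.0.5.80: Flags [S], seq 1, win 65535, length 0
IP 10.0.0.5.80 > 192.168.10.1.54321: Flags [S.], seq 2, ack 2, win 65535, length 0
IP 192.168.10.1.54321 > 10.0.0.5.80: Flags [P.], seq 2:90, ack 3, win 65535, length 88: HTTP: GET / HTTP/1.1
IP 192.168.10.7.41000 > 10.0.0.5.80: Flags [S], seq 5, win 65535, length 0
IP 192.168.10.1.54330 > 10.0.0.5.443: Flags [S], seq 9, win 65535, length 0
IP6 fe80::1.546 > ff02::1:2.547: UDP, length 98
ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
"""

# "IP" or "IP6", the source endpoint, ">", the destination endpoint ending in ":"
_ENDPOINTS = re.compile(r"^IP6? (\S+) > (\S+):")


def split_endpoint(endpoint: str):
    """tcpdump writes IPv4 as a.b.c.d.port and IPv6 as addr.port. The port is
    the text after the last dot in both cases, so splitting there is safe
    for either address family."""
    address, _, port = endpoint.rpartition(".")
    return address, int(port)


def parse_line(line: str):
    """Return (src_ip, src_port, dst_ip, dst_port), or None for non-IP lines
    such as ARP."""
    m = _ENDPOINTS.match(line)
    if not m:
        return None
    src_ip, src_port = split_endpoint(m.group(1))
    dst_ip, dst_port = split_endpoint(m.group(2))
    return src_ip, src_port, dst_ip, dst_port


def top_sources(lines, n=20):
    """Count packets per source address, most frequent first; the same result
    the cut/sort/uniq pipeline prints, without the fixed IPv4 field count."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[0]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE_LINES.splitlines()):
        print(f"{count:6d} {ip}")
```

To run it on live output, pipe `tcpdump -i any -nn -t -c 200 2>/dev/null` into the script and pass `sys.stdin` to `top_sources`; the regex ignores anything tcpdump prints that is not an IP or IP6 line.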