@parsibox
Created November 15, 2018 20:54
TCPDump Capture HTTP GET/POST requests – Apache, Weblogic & Websphere
How to capture all traffic on every interface (no filter)
tcpdump -i any
How to capture all HTTP GET requests (any port, either direction)
tcpdump -i any -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
( Here 0x47455420 is the ASCII value of the characters 'G' 'E' 'T' ' '. The expression tcp[((tcp[12:1] & 0xf0) >> 2):4] reads the TCP data offset from the high nibble of header byte 12 (a count of 32-bit words), shifts it into a byte count, and uses that as the index of the first four payload bytes. The filter therefore matches only the segment that begins a request, not the continuation segments of a large request body, and only plaintext HTTP )
How to capture all HTTP POST requests (any port, either direction)
tcpdump -i any -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'
( Here 0x504F5354 represents the ASCII value of 'P' 'O' 'S' 'T' )
How to capture only HTTP GET requests Incoming to port 80 ( Apache/NGINX)
tcpdump -i any -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
How to capture only HTTP POST requests Incoming to port 80 ( Apache/NGINX)
tcpdump -i any -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'
How to capture only HTTP GET calls incoming to port 443 ( Apache/NGINX)
tcpdump -i any -s 0 -A 'tcp dst port 443 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
How to capture only HTTP POST calls incoming to port 443 ( Apache/NGINX)
tcpdump -i any -s 0 -A 'tcp dst port 443 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'
( These only match plaintext HTTP sent to port 443. For HTTPS the TCP payload is a TLS record, whose first byte is 0x16 for the handshake or 0x17 for application data, never 'GET ' or 'POST', so these filters return nothing. To see request lines on a TLS port, capture behind the TLS terminator, for example on the backend port of a reverse proxy, or decrypt the capture in Wireshark with the server key or session secrets )
How to capture both HTTP GET (or) POST incoming calls to port 80 (or) 443 ( Apache/NGINX) originating from the host 192.168.10.1
tcpdump -i any -s 0 -A '(tcp dst port 80 or tcp dst port 443) and src host 192.168.10.1 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354)'
( The parentheses matter: in BPF 'and' binds tighter than 'or', so the unparenthesized form 'tcp dst port 80 or tcp dst port 443 and ... = 0x47455420 or ... = 0x504F5354' matches every packet to port 80 from any host plus every POST on any port. 'src host' restricts the match to requests sent by 192.168.10.1. Keep the whole expression inside one pair of quotes so the shell passes it to tcpdump intact )
How to capture a complete HTTP transmission, incoming and outgoing, including both the HTTP request and response associated with a single client, along with the HTML page data ( GET & POST ) on port 80
tcpdump -i any -s 0 -A 'tcp port 80 and host 192.168.10.1 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x3C21444F)'
( 0x48545450 represents the ASCII value of 'H' 'T' 'T' 'P', the start of an HTTP response status line such as HTTP/1.1 200 OK; this is what captures the outgoing HTTP response.
0x3C21444F represents the ASCII value of '<' '!' 'D' 'O', the start of <!DOCTYPE; this is meant to capture the outgoing HTML file, but it only matches when an HTML body begins exactly at the start of a TCP segment, which is not the case when the headers and body share a segment. Use 'tcp port 80' rather than 'tcp dst port 80' so the response direction (source port 80) is included, and parenthesize the payload tests so the port and host conditions apply to all of them. Because each test sees only the first four bytes of a segment, continuation segments of a long request or response are dropped; to capture the whole conversation for later reassembly, drop the payload tests and use 'tcp port 80 and host 192.168.10.1' with -w file.pcap )
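Every filter on this page is built from the same two ingredients, a 4-byte payload prefix test and BPF boolean operators, so the following POSIX shell helper, added here as an example and not part of the original gist, generalizes them: it computes the 0x… constant for any HTTP method (or any other 4-byte prefix such as HTTP or <!DO), assembles the alternatives inside parentheses so they compose correctly with port and host tests, and compiles the result with tcpdump -d against a header-only pcap file it writes itself, which needs neither root nor a live interface. The function names and the sample host 192.168.10.1 are illustrative assumptions.

```shell
#!/bin/sh
# Added example: build and sanity-check the "first four payload bytes" filters
# used on this page. Function names and the sample host/port are illustrative.

# tcp[12:1] holds the TCP data offset in its high nibble (in 32-bit words);
# "& 0xf0" then ">> 2" turns it into the header length in bytes, so
# tcp[hdrlen:4] are the first four bytes of the TCP payload.
PAYLOAD4='tcp[((tcp[12:1] & 0xf0) >> 2):4]'

# hex4 WORD: 0x-prefixed big-endian hex of WORD padded or truncated to 4 bytes
# ("GET" -> "GET " -> 0x47455420, "<!DOCTYPE" -> "<!DO" -> 0x3C21444F).
hex4() {
  printf '0x%s' "$(printf '%-4.4s' "$1" | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F')"
}

# method_filter WORD...: payload starts with any of the given words, wrapped in
# parentheses because BPF gives "and" higher precedence than "or".
method_filter() {
  terms=''
  for word in "$@"; do
    terms="${terms:+$terms or }$PAYLOAD4 = $(hex4 "$word")"
  done
  printf '(%s)' "$terms"
}

# client_filter HOST PORT WORD...: requests from HOST to PORT using the given methods.
client_filter() {
  host=$1; port=$2; shift 2
  printf 'tcp dst port %s and src host %s and %s' "$port" "$host" "$(method_filter "$@")"
}

# flow_filter HOST PORT: both directions of HOST's conversations with PORT; the
# right starting point when whole requests and responses are wanted, because
# continuation segments never start with a method name.
flow_filter() {
  printf 'tcp port %s and host %s' "$2" "$1"
}

# check_filter EXPR: compile EXPR with tcpdump -d against a header-only pcap
# file (Ethernet link type). Reading a file needs no root and no interface.
check_filter() {
  if ! command -v tcpdump >/dev/null 2>&1; then
    echo "tcpdump not installed; skipping compile check" >&2
    return 0
  fi
  tmp=$(mktemp) || return 1
  # pcap global header: magic 0xa1b2c3d4 little-endian, version 2.4,
  # zone 0, sigfigs 0, snaplen 65535, link type 1 (DLT_EN10MB)
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$tmp"
  if tcpdump -r "$tmp" -d "$1" >/dev/null; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# Demo: the corrected "GET or POST from 192.168.10.1 to port 80 or 443" filter.
FILTER="(tcp dst port 80 or tcp dst port 443) and src host 192.168.10.1 and $(method_filter GET POST)"
echo "$FILTER"
check_filter "$FILTER" || { echo "filter rejected by tcpdump" >&2; exit 1; }
# To capture with it:  sudo tcpdump -i any -s 0 -A -nn -l "$FILTER"
```

tcpdump -d prints the compiled BPF program and exits without capturing, so a typo in the expression (a missing parenthesis, a bad hex constant) is caught before a long-running capture silently records the wrong thing.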
How to monitor all the incoming HTTP request URLs (POST or GET)
tcpdump -i any -s 0 -A -n -l | grep -Ei "POST /|GET /|Host:"
( -A is required here: with -v alone tcpdump prints only packet headers, so the grep would never see a request line. -l line-buffers the output so requests appear in the pipe as they arrive )
How to capture the cookies from server and from client ( request & response)
tcpdump -i any -nn -A -s0 -l | grep -Ei 'Set-Cookie|Host:|Cookie:'
( Only plaintext HTTP is visible this way. The output contains live session cookies, so treat it as sensitive )
How to Filter HTTP User Agents
tcpdump -vvAls0 | grep 'User-Agent:'
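The grep pipelines above print request lines, Host headers and Cookie headers as separate, unrelated lines, so working out which client asked for which URL is left to the reader. The following awk filter, added here as an example and not part of the original gist, reads tcpdump -A output on stdin and emits one line per request with the client address, method, the URL rebuilt from Host and path, and any Cookie header. The sample input is constructed to look like tcpdump -A output with default timestamps; the function names are illustrative.

```shell
#!/bin/sh
# Added example: turn `tcpdump -i any -s 0 -A -nn -l 'tcp dst port 80'` output
# into one line per HTTP request. Names and the sample below are illustrative.

# Constructed sample of tcpdump -A output: a packet header line, the IP/TCP
# headers rendered as junk characters, then the HTTP request in plain ASCII.
SAMPLE='12:00:01.000001 IP 192.168.10.1.51000 > 10.0.0.5.80: Flags [P.], seq 1:120, ack 1, win 502, length 119
E..w..@.@.....
GET /login?next=/admin HTTP/1.1
Host: shop.example
User-Agent: curl/8.0.1
Accept: */*

12:00:02.000002 IP 192.168.10.1.51002 > 10.0.0.5.80: Flags [P.], seq 1:230, ack 1, win 502, length 229
E.....@.@.....
POST /api/session HTTP/1.1
Host: shop.example
Cookie: session=abc123
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

user=alice&password=hunter2'

# http_requests: stdin = tcpdump -A text, stdout = "client method URL cookie=..."
http_requests() {
  awk '
    # Emit the request collected so far, if any, then reset the state.
    function flush() {
      if (method != "")
        printf "%s %s http://%s%s cookie=%s\n", client, method, host, path, (cookie == "" ? "-" : cookie)
      method = ""; path = ""; host = ""; cookie = ""
    }
    # Packet header line (default timestamp format): $3 is the client addr.port
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP / { flush(); client = $3; next }
    # Request line. Older tcpdump versions print the CR before LF as ".", hence \.?
    /^(GET|POST|PUT|HEAD|DELETE|PATCH|OPTIONS) \/.* HTTP\/1\.[01]\.?$/ { method = $1; path = $2; next }
    # Header lines; a trailing "." is again the CR of older tcpdump versions
    /^[Hh]ost: /   { host = $2; sub(/\.$/, "", host); next }
    /^[Cc]ookie: / { cookie = substr($0, 9); sub(/\.$/, "", cookie); next }
    END { flush() }
  '
}

# demo: run the constructed sample through the filter
demo() { printf '%s\n' "$SAMPLE" | http_requests; }

demo
# Live use:  sudo tcpdump -i any -s 0 -A -nn -l 'tcp dst port 80' | http_requests
```

Only the segment that starts a request is parsed, which is the same limitation as the 4-byte payload filters above; a request whose headers are split across segments needs reassembly in Wireshark or tshark rather than a line filter.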
How to capture a complete HTTP transmission, incoming and outgoing, including both the HTTP request and response associated with a single client, along with the HTML data ( GET & POST ) on port 18001
tcpdump -i any -s 0 -A 'tcp port 18001 and host 192.168.60.1 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x3C21444F)'
( 'tcp port 18001' rather than 'tcp dst port 18001' includes the responses coming back from the application server, and the parentheses make the port and host conditions apply to all four payload tests instead of only the first )
parsibox commented Sep 8, 2022

tcpdump -i any -vvAls0 | grep 'GET'

parsibox commented Sep 8, 2022

-X : Show the packet’s contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-D : Show the list of available interfaces
-l : Line-readable output (for viewing as you save, or sending to other commands)
-q : Be less verbose (more quiet) with your output.
-t : Give human-readable timestamp output.
-tttt : Give maximally human-readable timestamp output.
-i eth0 : Listen on the eth0 interface.
-vv : Verbose output (more v’s gives more output).
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-q : Show less protocol information.
-E : Decrypt IPSEC traffic by providing an encryption key.
It’s All About the Combinations


parsibox commented Sep 8, 2022

tcpdump -i any -ttnnvvS
tcpdump -i any -ttnnvvAS | grep 'x-username'


for file in /root/dumps/*.pcap.gz; do sudo tshark -r "$file" -Y 'frame contains "submit"'; done
