Use tcpdump to monitor HTTP traffic

A few days ago I used tcpdump to analyse a connection problem on my Mac, and I got the HTTP headers with the -vvv option. Today, when I wanted to do the same on a production machine, it did not work. What was wrong? After a few minutes of searching on Google I found that the cause was a version difference: tcpdump on my Mac is 4.7.3, but the production machine has 4.6.2 (the HTTP header decoding seems to work only on 4.7.x). So here is the question: how can I get the HTTP headers with 4.6.x or earlier?

As we all know, HTTP uses TCP as its transport-layer protocol, so everything is there in the TCP payload. In the tcpdump man page, the -A option prints each packet, minus its link-level header, in ASCII (non-printable bytes are shown as dots). This needs no protocol decoder at all, so it works on any tcpdump version, but it also means it shows only plaintext HTTP: on port 443 you would just see TLS records. The command below monitors HTTP traffic on port 80, including request and response headers and message bodies. (On tcpdump releases older than 4.0, which default to a 68-byte snaplen, add -s 0 so that whole packets are captured.)

tcpdump -A tcp port 80

After running this I get far too many packets, including SYN, FIN and ACK-only segments. How can I avoid this?

tcpdump -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

This only prints packets that carry data; the tcpdump man page gives this same expression as its example for printing "only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets". It works by computing the payload length: ip[2:2] is the IPv4 total length, (ip[0]&0xf)<<2 is the IPv4 header length in bytes (IHL is in 32-bit words), and (tcp[12]&0xf0)>>2 is the TCP header length in bytes (the data offset field, also in words). A segment with nothing left over is a bare handshake or acknowledgement. Because a response body is usually larger than one segment, this still catches many response data packets. If I only want two packets per exchange, one containing the request header and the other containing the response header, this helps:

tcpdump -A 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

0x47455420 -> 'GET ', 0x48545450 -> 'HTTP', 0x504f5354 -> 'POST'

What does tcp[((tcp[12:1] & 0xf0) >> 2):4] mean? tcp[12:1] is the byte that holds the TCP data offset in its high nibble, counted in 32-bit words; masking with 0xf0 and shifting right by 2 turns that into the header length in bytes, which is the offset of the first byte of the TCP payload. The :4 picks the four bytes starting there, read as a big-endian 32-bit integer, and comparing them with the constants on the right side of = tells us what kind of packet it is. Three caveats for real use: the match is on the first four bytes only, so other methods need their own constants (HEAD is 0x48454144, 'PUT ' is 0x50555420); a request or response whose header is split across several segments is matched only in its first segment; and the ip[] and tcp[] index operators apply to IPv4 only, so this filter does not see HTTP over IPv6.
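To make the byte arithmetic concrete, here is an added example (not code from the original post, and not part of tcpdump) that builds a few IPv4/TCP packets in memory and applies the same two tests the filters above perform: "does this segment carry payload?" and "what are its first four payload bytes?". The packets, ports and the 192.0.2.x addresses are constructed sample data chosen for the example; one packet deliberately carries TCP options so the data offset is 32 bytes rather than 20, and one is a HEAD request to show the caveat that the filter on the page does not match it.

```python
"""
Pure-Python model of the two tcpdump BPF filters discussed above.

The same byte offsets the filters use:
  ip[2:2]             IPv4 total length (bytes)
  (ip[0]&0xf)<<2      IPv4 header length (IHL in 32-bit words -> bytes)
  (tcp[12]&0xf0)>>2   TCP header length (data offset in words -> bytes)
  tcp[hdr_len:4]      first four payload bytes, as a big-endian u32
"""
import struct

# Constants compared against in the filter on the page (added HEAD/PUT for illustration).
HTTP_PREFIXES = {
    0x47455420: "GET ",
    0x48545450: "HTTP",
    0x504F5354: "POST",
}
EXTRA_PREFIXES = {0x48454144: "HEAD", 0x50555420: "PUT "}


def build_packet(payload: bytes, sport: int = 40000, dport: int = 80,
                 tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4 + TCP packet (no Ethernet header), i.e. what the
    BPF 'ip' and 'tcp' keywords index into. Constructed sample data only;
    checksums are left zero because the filters never look at them."""
    assert len(tcp_options) % 4 == 0, "TCP options must be padded to 32-bit words"
    ihl_words = 5
    tcp_words = 5 + len(tcp_options) // 4
    total_len = ihl_words * 4 + tcp_words * 4 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words,   # version 4, IHL -> ip[0]
        0,                       # DSCP/ECN
        total_len,               # -> ip[2:2]
        0x1234,                  # identification
        0x4000,                  # DF flag, fragment offset 0
        64,                      # TTL
        6,                       # protocol: TCP
        0,                       # header checksum (unused here)
        bytes([192, 0, 2, 1]),   # src, RFC 5737 documentation range
        bytes([192, 0, 2, 2]),   # dst
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        1, 1,                    # seq, ack
        tcp_words << 4,          # data offset in high nibble -> tcp[12]
        0x18,                    # flags: PSH|ACK
        65535, 0, 0,             # window, checksum, urgent pointer
    ) + tcp_options
    return ip_hdr + tcp_hdr + payload


def ip_header_len(pkt: bytes) -> int:
    """(ip[0]&0xf)<<2"""
    return (pkt[0] & 0xF) << 2


def tcp_header_len(pkt: bytes) -> int:
    """(tcp[12]&0xf0)>>2 ; tcp[] offsets start right after the IPv4 header."""
    return (pkt[ip_header_len(pkt) + 12] & 0xF0) >> 2


def has_payload(pkt: bytes) -> bool:
    """Model of: ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0"""
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return (total_len - ip_header_len(pkt)) - tcp_header_len(pkt) != 0


def http_prefix(pkt: bytes, table=HTTP_PREFIXES):
    """Model of: tcp[((tcp[12:1]&0xf0)>>2):4] = <constant> or ...
    Returns the matched token, or None (BPF also fails the match when the
    packet is too short for the 4-byte load)."""
    start = ip_header_len(pkt) + tcp_header_len(pkt)
    if len(pkt) < start + 4:
        return None
    word = struct.unpack("!I", pkt[start:start + 4])[0]
    return table.get(word)


# Constructed sample traffic. NOP,NOP,Timestamp options = 12 bytes -> data offset 8 words.
TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8
SAMPLE_PACKETS = {
    "ack_only": build_packet(b""),
    "get": build_packet(b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "get_with_options": build_packet(b"GET / HTTP/1.1\r\n\r\n", tcp_options=TIMESTAMP_OPTS),
    "response": build_packet(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok", sport=80, dport=40000),
    "body_continuation": build_packet(b"<html>rest of a large response body</html>"),
    "head": build_packet(b"HEAD / HTTP/1.1\r\n\r\n"),
}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:18} payload={has_payload(pkt)!s:5} "
              f"tcp_hdr={tcp_header_len(pkt):2}B  match={http_prefix(pkt)!r}")
```

Running it shows the ACK-only segment failing the first filter, the body continuation passing it but failing the second, the request with TCP options still matching because the offset is computed from the data offset field rather than assumed to be 20, and the HEAD request slipping past unless its constant is added (pass EXTRA_PREFIXES to http_prefix to see it matched).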

This is my first time writing a technical article in English, so there are surely many mistakes. Feel free to contact me with comments, suggestions or corrections 🙂