Use tcpdump to view HTTP request responses

https://www.jianshu.com/p/3cca9a74927c

tcpdump installation

On Ubuntu/Debian systems, execute the following command to install the tcpdump tool:

sudo apt-get install tcpdump

On a CentOS system, run the following command to install the tcpdump tool:

sudo yum install tcpdump

After installing tcpdump, you can use the man command to view the documentation of tcpdump. If you want to see some usage examples of tcpdump directly, execute:

man tcpdump | less -Ip examples

tcpdump to view HTTP traffic

View HTTP GET requests

sudo tcpdump -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

View HTTP POST requests

sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

View HTTP request response headers and data

sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
sudo tcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Afterword

To understand the bit manipulation in the tcpdump filters above, one needs to understand the layout of IP and TCP headers: ip[0]&0xf is the IP header length in 32-bit words, ip[2:2] is the IP total length, and tcp[12]&0xf0 holds the TCP data offset, so the expressions locate the start and the length of the TCP payload. A worked analysis is given in the references that follow.
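To make the offset arithmetic concrete, here is an added Python example (not from the original post) that builds constructed IPv4/TCP packets and applies the same byte-offset logic as the filters above, including the case where TCP options shift the payload start. The packet builder and addresses are assumptions for illustration only.

```python
import struct

# Constructed sample packets (not real captures): minimal IPv4 + TCP framing.
def build_packet(payload: bytes, ip_opts: bytes = b"", tcp_opts: bytes = b"") -> bytes:
    ihl = 5 + len(ip_opts) // 4            # IP header length in 32-bit words
    doff = 5 + len(tcp_opts) // 4          # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_opts
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff << 4, 0x18,
                          65535, 0, 0) + tcp_opts
    return ip_hdr + tcp_hdr + payload

def ip_header_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0f) << 2            # (ip[0]&0xf)<<2

def tcp_header_len(pkt: bytes) -> int:
    tcp = pkt[ip_header_len(pkt):]         # tcpdump indexes tcp[] from here
    return (tcp[12] & 0xf0) >> 2           # (tcp[12]&0xf0)>>2

def payload_length(pkt: bytes) -> int:
    total = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]
    return total - ip_header_len(pkt) - tcp_header_len(pkt)

def first_four(pkt: bytes) -> bytes:
    # tcp[((tcp[12:1] & 0xf0) >> 2):4] -> first 4 bytes after the TCP header
    off = ip_header_len(pkt) + tcp_header_len(pkt)
    return pkt[off:off + 4]

def matches_get(pkt: bytes) -> bool:
    return first_four(pkt) == b"GET "      # 0x47455420

def matches_post(pkt: bytes) -> bool:
    return first_four(pkt) == b"POST"      # 0x504f5354

def has_payload(pkt: bytes) -> bool:
    return payload_length(pkt) != 0        # the "!= 0" filter on lines above

if __name__ == "__main__":
    req = build_packet(b"POST /api HTTP/1.1\r\n", tcp_opts=b"\x01\x01\x01\x00")
    print(matches_post(req), payload_length(req))
```

The TCP-options case shows why the filter reads the data offset instead of assuming a 20-byte TCP header; a pure ACK with no payload is rejected by the `!= 0` check.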

The author once took over a legacy software project and found that none of the API interface parameters were documented and that the comments in the code were outdated. When you take over such a project and start refactoring, you need to understand the code logic, and knowing what the API request parameters look like in actual production traffic helps a great deal. The author tried modifying the Nginx configuration file to log HTTP POST request information, but found no simple and effective solution. Capturing HTTP POST requests with the tcpdump command above is quite simple.

References

