https://www.jianshu.com/p/3cca9a74927c
tcpdump installation
On Ubuntu/Debian systems, execute the following command to install the tcpdump tool:
sudo apt-get install tcpdump
On a CentOS system, run the following command to install the tcpdump tool:
sudo yum install tcpdump
After installing tcpdump, you can use the man command to view the documentation of tcpdump. If you want to see some usage examples of tcpdump directly, execute:
man tcpdump | less -Ip examples
Viewing HTTP traffic with tcpdump
View HTTP GET requests
sudo tcpdump -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
View HTTP POST requests
sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
View HTTP request and response headers and data (only port 80 packets that carry a non-empty TCP payload)
sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
sudo tcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
Afterword
To understand the bit manipulation in the tcpdump filters above, one needs to understand the layout of the IP and TCP headers: `ip[0]&0xf` is the IP header length in 32-bit words, `tcp[12]&0xf0` holds the TCP data offset (also in 32-bit words) in its high nibble, and the `<<2` / `>>2` shifts convert those word counts to bytes so the filter can locate the first four payload bytes (0x47455420 is "GET ", 0x504f5354 is "POST"). An example of such an analysis is given in the references that follow.
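The same header arithmetic, written out in Python as an added example that is not part of the original post: each function mirrors one sub-expression of the filters above and is run over constructed IPv4/TCP packets built in-line (build_packet and the SAMPLE_* names are this example's own, not tcpdump's).

```python
import struct

HTTP_GET = 0x47455420   # b"GET " as a big-endian 32-bit word
HTTP_POST = 0x504F5354  # b"POST"

def build_packet(payload: bytes, tcp_options: bytes = b"\x01" * 8) -> bytes:
    """Constructed IPv4 + TCP packet (no IP options, 8 bytes of TCP NOP options)."""
    tcp_len = 20 + len(tcp_options)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                          (tcp_len // 4) << 4, 0x18, 65535, 0, 0) + tcp_options
    total_len = 20 + tcp_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + tcp_hdr + payload

def ip_header_length(pkt: bytes) -> int:
    # (ip[0] & 0xf) << 2: IHL counts 32-bit words, so << 2 converts it to bytes.
    return (pkt[0] & 0x0F) << 2

def tcp_header_length(pkt: bytes) -> int:
    # (tcp[12] & 0xf0) >> 2: the data offset lives in the high nibble of byte 12,
    # in 32-bit words; >> 4 then << 2 collapses to a single >> 2, giving bytes.
    tcp = pkt[ip_header_length(pkt):]
    return (tcp[12] & 0xF0) >> 2

def tcp_payload_length(pkt: bytes) -> int:
    # ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2): total length minus both headers.
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return total_len - ip_header_length(pkt) - tcp_header_length(pkt)

def http_method_word(pkt: bytes):
    # tcp[((tcp[12:1] & 0xf0) >> 2):4]: the first 4 payload bytes, read as one word.
    # BPF rejects the packet if those bytes are missing; mirror that with None.
    tcp = pkt[ip_header_length(pkt):]
    start = tcp_header_length(pkt)
    if len(tcp) < start + 4:
        return None
    return struct.unpack("!I", tcp[start:start + 4])[0]

def is_http_get(pkt: bytes) -> bool:
    return http_method_word(pkt) == HTTP_GET

def is_http_post(pkt: bytes) -> bool:
    return http_method_word(pkt) == HTTP_POST

# Constructed samples: a GET, a POST, and a bare ACK with no payload.
SAMPLE_GET = build_packet(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
SAMPLE_POST = build_packet(b"POST /api HTTP/1.1\r\nHost: example.test\r\n\r\n")
SAMPLE_ACK = build_packet(b"")
```

The bare ACK shows why the `!= 0` filter is useful: it has a valid TCP header but zero payload, so neither the method check nor the data-length check matches it.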
The author once took over a legacy software project in which none of the API parameters were documented and the comments in the code were outdated. When you take over such a project and start refactoring, you need to understand the code logic, and knowing what the API request parameters actually look like in production helps a great deal. The author tried modifying the Nginx configuration to log HTTP POST request bodies but found no simple and effective way to do it; capturing the HTTP POST requests with the tcpdump command above is quite simple.