
TCPDump Capture HTTP GET/POST requests


 

Install tcpdump

sudo apt install tcpdump

 

[root@mwiws01 ~]# tcpdump --version
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips 26 Jan 2017

 

Get the interface name of your IP (check the server's network interface name)

eth0

# ip a
or
# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:16:3e:18:8b:ac brd ff:ff:ff:ff:ff:ff
    inet 182.19.23.189/20 brd 182.19.31.255 scope global dynamic eth0

https://www.middlewareinventory.com/blog/tcpdump-capture-http-get-post-requests-apache-weblogic-websphere/

Display all the available Interfaces for tcpdump

# tcpdump -D
1.eth0 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.usbmon1 (USB bus number 1)

 

-X : Show the packet's contents in both hex and ASCII.
-XX : Same as -X, but also shows the ethernet header.
-D : Show the list of available interfaces.
-l : Line-buffered output (for viewing as you save, or piping to other commands).
-q : Be less verbose (quiet), showing less protocol information.
-t : Give human-readable timestamp output.
-tttt : Give maximally human-readable timestamp output.
-i eth0 : Listen on the eth0 interface.
-vv : Verbose output (more v's gives more output).
-c : Only get x number of packets and then stop.
-s : Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S : Print absolute sequence numbers.
-e : Get the ethernet header as well.
-E : Decrypt IPSEC traffic by providing an encryption key.

-i: which network interface to listen on
tcp: which protocol's packets to capture (tcp\udp\ssh\)
port: which port to capture on
and host: capture packets coming in from the given IP address (inbound)
dst host: capture packets sent to the given IP address (outbound)
-c: how many packets to capture
-n: show numeric IP addresses instead of resolved names
-vvv: show detailed information
-w: write the captured packets to a file

 

Interpret tcpdump command output

14:21:46.134249 IP 10.0.2.15.54000 > 104.16.168.35.443: Flags [.], ack 2915, win 63000, length 0

Here's how to interpret that line of data:

14:21:46.134249 - Timestamp of when the packet was captured.
IP 10.0.2.15.54000 - IP and port number of the source host.
104.16.168.35.443 - IP and port number of the destination host.
Flags [.] - TCP flags (SYN, ACK, PSH, etc). [.] means ACK.
ack 2915 - The acknowledgment number.
win 63000 - The window number (bytes in receiving buffer).
length 0 - The length of the payload data.
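The field breakdown above can be turned into a small parser, which is handy when triaging a long capture by script. This is an added example, not code from the original post; the sample lines are the ones shown on this page (both the plain and the -tttt timestamp formats), and the field names in the returned dict are the author of this example's choice.

```python
import re
from typing import Optional

# Sample lines copied from the tcpdump output shown on this page.
SAMPLE_ACK = ("14:21:46.134249 IP 10.0.2.15.54000 > 104.16.168.35.443: "
              "Flags [.], ack 2915, win 63000, length 0")
SAMPLE_PSH = ("2018-08-25 23:23:36.954883 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: "
              "Flags [P.], seq 1449206247:1449206435, ack 3062020950, win 291, "
              "options [nop,nop,TS val 86178422 ecr 21583714], length 188")

# tcpdump's one-letter TCP flag codes; "." stands for ACK
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              "U": "URG", "E": "ECE", "W": "CWR", ".": "ACK"}

# timestamp (with or without a -tttt date), src.port > dst.port, flags, rest
LINE_RE = re.compile(
    r"^(?P<ts>.+?) IP (?P<src>\S+?)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)

def _int_field(rest: str, name: str) -> Optional[int]:
    """Value of an optional 'name N' field (ack, win, length), or None."""
    m = re.search(r"\b%s (\d+)" % name, rest)
    return int(m.group(1)) if m else None

def parse_tcpdump_line(line: str) -> dict:
    """Split one tcpdump TCP summary line into the fields listed above."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump TCP summary line: %r" % line)
    rest = m.group("rest")
    seq = re.search(r"\bseq (\d+)(?::(\d+))?", rest)
    return {
        "timestamp": m.group("ts"),
        "src": m.group("src"), "sport": m.group("sport"),
        "dst": m.group("dst"), "dport": m.group("dport"),
        "flags": [FLAG_NAMES.get(c, c) for c in m.group("flags")],
        # "seq a:b" -> (a, b); "seq n" -> (n,); absent -> None
        "seq": tuple(int(g) for g in seq.groups() if g) if seq else None,
        "ack": _int_field(rest, "ack"),
        "win": _int_field(rest, "win"),
        "length": _int_field(rest, "length"),
    }
```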

 

tcpdump -i eth0 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
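The filter expression above works by reading the TCP data offset from header byte 12 and comparing the first four payload bytes with 0x47455420, the ASCII for "GET ". The following added example (not from the original post) reimplements that BPF logic in Python on constructed TCP segments, and extends the same comparison to "POST" (0x504F5354); the segment builder and port numbers are assumptions made for the demonstration.

```python
import struct
from typing import Optional

# 32-bit big-endian values of the ASCII strings "GET " and "POST"
GET_MAGIC = 0x47455420   # b"GET "
POST_MAGIC = 0x504F5354  # b"POST"

def tcp_payload_offset(tcp_segment: bytes) -> int:
    """Mirror of ((tcp[12:1] & 0xf0) >> 2): the data offset (in 32-bit words)
    is the high nibble of TCP header byte 12; shifting right by 4 gives words
    and multiplying by 4 gives bytes, so >> 2 yields the payload offset."""
    return (tcp_segment[12] & 0xF0) >> 2

def first_payload_word(tcp_segment: bytes) -> Optional[int]:
    """Mirror of tcp[offset:4]: the first four payload bytes as a big-endian
    int, or None when the segment is too short (BPF simply does not match)."""
    off = tcp_payload_offset(tcp_segment)
    if len(tcp_segment) < off + 4:
        return None
    return struct.unpack("!I", tcp_segment[off:off + 4])[0]

def http_method(tcp_segment: bytes) -> Optional[str]:
    """The filter's comparison, extended to also recognise POST."""
    word = first_payload_word(tcp_segment)
    if word == GET_MAGIC:
        return "GET"
    if word == POST_MAGIC:
        return "POST"
    return None

def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP header (ports 40000 -> 80, PSH|ACK) plus optional
    TCP options, so the data offset is not always the minimal 5 words."""
    assert len(options) % 4 == 0, "options must be padded to 32-bit words"
    data_offset_words = 5 + len(options) // 4
    offset_flags = (data_offset_words << 12) | 0x018  # PSH + ACK
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, offset_flags, 65535, 0, 0)
    return header + options + payload

# Constructed sample segments: the GET carries a 12-byte timestamp option
# (nop, nop, TS), so its payload starts at byte 32 rather than byte 20.
SEG_GET = build_tcp_segment(b"GET /index.html HTTP/1.1\r\n",
                            options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
SEG_POST = build_tcp_segment(b"POST /login HTTP/1.1\r\n")
SEG_ACK = build_tcp_segment(b"")  # pure ACK with no payload: never matches
```

Because the offset is read from each segment's own header, the filter still matches when TCP options are present, which a fixed `tcp[20:4]` would miss.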


Capturing packets from a specific interface

Syntax: tcpdump -i {interface-name}

# tcpdump -i eth0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:43:22.905890 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952160:21952540, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 380
06:43:22.906045 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952540:21952760, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220


Capturing a specific number of packets from a specific interface

Syntax: tcpdump -c {number} -i {interface-name}

# tcpdump -c 12 -i eth0

Capturing packets with human readable timestamp (-tttt option)

# tcpdump -c 8 -tttt -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
2018-08-25 23:23:36.954883 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1449206247:1449206435, ack 3062020950, win 291, options [nop,nop,TS val 86178422 ecr 21583714], length 188

Capturing TCP packet communication between two hosts

tcpdump -i eth0 src 147.244.191.143 and port 443 and dst 116.115.193.134 and port 5999

 

Capturing TCP packet communication between my IP and a host (from client to nginx TCP)

Replace <my-ip> below with your own address.

tcpdump tcp -i any -nn port 8080 | grep "<my-ip>"

or

tcpdump tcp -i eth0 -t -s 0 -c 100 and port 443 and host <my-ip>

or

tcpdump tcp -i eth0 -t -s 0 and port 443

nginx configuration (upstream and proxy used in the capture scenario below)

upstream sms-resp {
    server 192.168.5.216:8501;
    server 192.168.5.217:8501;
}

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;

    #access_log  logs/host.access.log  main;

    location / {
        #root   html;
        #index  index.html index.htm;
        proxy_pass  http://sms-resp;
        proxy_set_header host $host;
        proxy_set_header X-real-ip $remote_addr;
        proxy_set_header X-forwarded-for $proxy_add_x_forwarded_for;
    }
}

On 172.28.146.109 (client), a browser calls the HTTP interface proxied by nginx on 172.28.5.215 (nginx server); nginx forwards the request to 172.28.5.216 (backend web server). Both nginx and the backend API have two NICs (172.28.5.215\182.168.5.215\172.28.5.216\192.168.5.216), and the traffic between them goes over the 192.168 segment.

On 172.28.5.215, capture the TCP packets arriving on port 80 from 172.28.146.109. At the same time nginx forwards the request to port 8501 on 192.168.5.216, so also capture, on port 8501 of 172.28.5.216, the TCP packets coming from 192.168.5.215.

1. From client to nginx TCP

Run on 172.28.5.215 (nginx server):

tcpdump -i eth0 tcp port 80 and host 172.28.146.109 -c 100 -n -vvv -w /opt/nginx-215.cap

2. Upstream to backend server (incoming)

Run on 172.28.5.216 (backend server):

tcpdump -i eth0 port 8501 and host 192.168.5.215 -c 100 -n -vvv -w /opt/nginx-216.cap

3. From nginx to backend server TCP (outgoing)

tcpdump -i eth0 dst port 5999