Thursday, October 31, 2013

How to use tcpdump to sniff HTTP headers

 

1. tcpdump -s 1024 -l -A dst www.cnn.com

2. Type the following command at the shell prompt:

# tcpdump -n -i eth0 -s 0 -w output.txt src or dst port 80

 

Where,

  • -n : Don't convert addresses (host addresses, port numbers, etc.) to names.
  • -i eth0 : Capture on the interface eth0.
  • -s 0 : Set the snapshot length (snaplen), the number of bytes captured from each packet, instead of the default of 68. A value of 0 means use the length required to capture whole packets.
  • -w output.txt : Write the raw packets to output.txt instead of printing them (a binary pcap file despite the .txt name; read it back with tcpdump -r output.txt).
  • src or dst port 80 : Capture only packets whose source or destination port is 80.

@Result

11:04:31.674686 IP 10.1.246.215.61709 > 157.166.248.11.http: Flags [.], ack 1478957458, win 65535, length 0

.....C...(....E..(k.@.@.9/

.P/.2.X'..P...TU..

11:04:31.674907 IP 10.1.246.215.61709 > 157.166.248.11.http: Flags [P.], seq 0:369, ack 1, win 65535, length 369

.....C...(....E.....@.@...

.P/.2.X'..P...u\..GET / HTTP/1.1

Host: www.cnn.com

Connection: keep-alive

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36

Accept-Encoding: gzip,deflate,sdch

Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.6,en;q=0.4

 

 

11:04:31.675385 IP 10.1.246.215.61710 > 157.166.248.11.http: Flags [.], ack 3228182788, win 65535, length 0

.....C...(....E..(2P@.@.q.

..........P..[?.j).P.......

11:04:32.087077 IP 10.1.246.215.61709 > 157.166.248.11.http: Flags [.], ack 426, win 65535, length 0
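
The -A output above mixes packet summary lines, binary header bytes shown as dots, and the HTTP text. As an added example (not part of the original post), the shell function below reduces that stream to one request line plus its headers per packet and masks Cookie and Authorization values before the result is saved or shared. The function name http_headers, the redaction policy and the sample lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): condense `tcpdump -A` output
# to one HTTP request line plus headers per packet.
# Live use: tcpdump -s 1024 -l -A dst www.cnn.com | http_headers

http_headers() {
    awk '
    # Packet summary line: remember the flow, close any open header block.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP6? / {
        flow = $3 " > " $5; sub(/:$/, "", flow); inreq = 0; next
    }
    # Request line; TCP/IP header bytes printed as dots may precede it.
    match($0, /(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) [^ ]+ HTTP\/1\.[01]/) {
        print "[" flow "] " substr($0, RSTART, RLENGTH)
        inreq = 1; next
    }
    inreq {
        sub(/\r$/, "")
        if ($0 !~ /^[A-Za-z0-9-]+: /) { inreq = 0; next }  # end of headers
        name = $0; sub(/:.*/, "", name)
        # Keep credentials out of saved output (assumed policy).
        if (tolower(name) ~ /^(cookie|authorization|proxy-authorization)$/)
            print "    " name ": <redacted>"
        else
            print "    " $0
    }'
}

# Constructed sample shaped like the output above (addresses are from
# documentation ranges; the Cookie value is made up).
sample_capture() {
    cat <<'EOF'
11:04:31.674686 IP 192.0.2.10.61709 > 198.51.100.11.http: Flags [.], ack 1, win 65535, length 0
.....C...(....E..(k.@.@.9/
11:04:31.674907 IP 192.0.2.10.61709 > 198.51.100.11.http: Flags [P.], seq 0:80, ack 1, win 65535, length 80
.....C...(....E.....@.@...
.P/.2.X..P...u\..GET / HTTP/1.1
Host: www.example.com
Cookie: session=constructed-value
Accept-Encoding: gzip,deflate,sdch

11:04:32.087077 IP 192.0.2.10.61709 > 198.51.100.11.http: Flags [.], ack 426, win 65535, length 0
EOF
}

sample_capture | http_headers
```

Only plain HTTP on port 80 is readable this way; the same capture on an HTTPS connection shows encrypted bytes and no header text.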
