tcpdump抓取http请求

通过tcpdump可以过滤HTTP请求：

过滤HTTP GET请求 (GET = 0x47, 0x45, 0x54, 0x20):

sudo tcpdump -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'

过滤HTTP POST请求 (POST = 0x50, 0x4f, 0x53, 0x54):

sudo tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

过滤request和response

tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump -X -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

其中后面的过滤规则可以通过String-Matching Capture Filter Generator 生成。

参考文档：

• Can I use tcpdump to get HTTP requests, response header and response body?