1. To monitor HTTP traffic including request and response headers and message body:
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
2. To monitor HTTP traffic including request and response headers and message body from a particular source:
tcpdump -A -s 0 'src example.com and tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
3. To monitor HTTP traffic including request and response headers and message body from local host to local host:
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i lo
4. To capture only HTTP requests (the client-to-server direction), change “tcp port 80” to “tcp dst port 80” in the commands above.
5. Capture packets from local host to local host (no filter is given, so this shows every protocol on the loopback interface, not just TCP):
tcpdump -i lo
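The long expression in items 1 to 3 is a BPF filter that drops TCP segments carrying no payload (pure ACKs, bare SYN/FIN), which is what keeps the -A output readable. It computes IPv4 total length minus IPv4 header length minus TCP header length. As an added example, not part of the original notes and not code that tcpdump ships, the Python below evaluates that expression on hand-built IPv4/TCP packets so the arithmetic can be checked offline without root or a live interface; the addresses, ports, options and the HTTP request are constructed sample values.

```python
import struct

# Added example (not from the original page): evaluate tcpdump's filter
#
#   (ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0
#
# on constructed IPv4/TCP packets. ip[2:2] is the IPv4 total length,
# (ip[0]&0xf)<<2 the IPv4 header length in bytes, and (tcp[12]&0xf0)>>2 the
# TCP header length in bytes, so the result is the TCP payload length.


def tcp_payload_length(packet: bytes) -> int:
    """Return the TCP payload length exactly as the filter expression computes it.

    `packet` starts at the IPv4 header (no link-layer header), which is the same
    reference point tcpdump's ip[...] and tcp[...] offsets use.
    """
    ip_total_len = struct.unpack_from("!H", packet, 2)[0]  # ip[2:2]
    ip_hdr_len = (packet[0] & 0x0F) << 2                   # (ip[0]&0xf)<<2
    tcp = packet[ip_hdr_len:]
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2                    # (tcp[12]&0xf0)>>2
    return ip_total_len - ip_hdr_len - tcp_hdr_len


def filter_passes(packet: bytes) -> bool:
    """True when the page's filter would let tcpdump print this packet."""
    return tcp_payload_length(packet) != 0


def naive_payload_length(packet: bytes) -> int:
    """The tempting shortcut (total length - 40) that ignores header options."""
    return struct.unpack_from("!H", packet, 2)[0] - 40


def build_ipv4_tcp(src_port: int, dst_port: int, payload: bytes, flags: int = 0x18,
                   ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet (checksums left at zero).

    Options must already be padded to a multiple of 4 bytes. The addresses are
    constructed sample values, not anything captured from a real network.
    """
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    tcp_words = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port,
                          0, 0,               # sequence and acknowledgement numbers
                          tcp_words << 4,     # data offset, the high nibble of tcp[12]
                          flags,
                          65535, 0, 0) + tcp_options   # window, checksum, urgent ptr
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x40 | ihl,          # version 4 + IHL, this is ip[0]
                         0, total_len,        # TOS, total length (ip[2:2])
                         0, 0x4000,           # identification, DF flag set
                         64, 6, 0,            # TTL, protocol 6 = TCP, checksum
                         bytes([192, 168, 1, 10]),
                         bytes([192, 168, 1, 1])) + ip_options
    return ip_hdr + tcp_hdr + payload


# Constructed sample packets covering the cases the filter has to get right.
MSS_OPTION = b"\x02\x04\x05\xb4"                        # TCP MSS 1460, 4 bytes
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

SAMPLES = {
    "pure ACK":             build_ipv4_tcp(54321, 80, b"", flags=0x10),
    "SYN with MSS option":  build_ipv4_tcp(54321, 80, b"", flags=0x02,
                                           tcp_options=MSS_OPTION),
    "HTTP GET":             build_ipv4_tcp(54321, 80, HTTP_GET),
    "HTTP GET, IP options": build_ipv4_tcp(54321, 80, HTTP_GET,
                                           ip_options=b"\x01\x01\x01\x00"),
}


def classify(samples=SAMPLES):
    """Map each sample name to (payload length, would tcpdump print it?)."""
    return {name: (tcp_payload_length(pkt), filter_passes(pkt))
            for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (length, shown) in classify().items():
        print(f"{name:22s} payload={length:3d}  {'printed' if shown else 'dropped'}")
```

The "SYN with MSS option" sample is why the filter subtracts both header lengths instead of a fixed 40 bytes: with a 24-byte TCP header, the shortcut in naive_payload_length reports 4 bytes of payload and would print an empty segment, while the page's expression correctly reports 0. Note also that ip[...] and tcp[...] index the IPv4 header, so the filter silently ignores IPv6 traffic; an ip6-based expression is needed for that.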
This is mostly just a reminder to myself about my preferred parameters to tcpdump on Linux, so that I don't have to keep reading the man page.
tcpdump -c 20 -s 0 -i eth1 -A host 192.168.1.1 and tcp port http
- -c 20: Exit after capturing 20 packets.
- -s 0: Don't limit the amount of payload data that is printed out. Print it all.
- -i eth1: Capture packets on interface eth1.
- -A: Print packets in ASCII.
- host 192.168.1.1: Only capture packets coming to or from 192.168.1.1.
- and tcp port http: Only capture TCP packets with source or destination port 80 (the service name http is resolved to 80 via /etc/services).