June 30, 2013

Use tcpdump to analyse HTTP POST data

Today it has been useful to look at POST data being sent to this webserver. A nice filter to do this at the console with tcpdump is:

tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'

The filter only passes segments sent to TCP port 80 whose payload begins with the four ASCII bytes "POST" (0x504f5354): the high nibble of TCP byte 12 is the data offset in 32-bit words, so ((tcp[12:1] & 0xf0) >> 2) is the TCP header length in bytes, and tcp[<that>:4] reads the first four payload bytes. This will capture and output something similar to below:

[root@m00n ~]# tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:33:59.746204 IP > m00nie.com.http: Flags [P.], seq 470573917:470574279, ack 4264459131, win 4356, length 362
E...r.@.q...){P...q...POST / HTTP/1.0
Host: www.m00nie.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
Referer: www.m00nie.com


1 packets captured
1 packets received by filter
0 packets dropped by kernel
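To make the offset arithmetic concrete, here is an added Python example (not code from the original post) that applies the same test the tcpdump filter does to constructed TCP segments: it reads the data-offset nibble from byte 12, turns it into a byte count, and compares the first four payload bytes against 0x504f5354. The sample segments are built inline, and the GET/PUT prefixes generalize beyond the single POST case the post shows.

```python
import struct
from typing import Optional

# Four-byte ASCII prefixes compared as big-endian ints, exactly as the BPF
# expression does; "GET " and "PUT " include the trailing space to fill 4 bytes.
METHOD_PREFIXES = {
    "POST": 0x504F5354,
    "GET ": 0x47455420,
    "PUT ": 0x50555420,
}

def tcp_header_len(tcp_segment: bytes) -> int:
    """Mirror of ((tcp[12:1] & 0xf0) >> 2): data offset (32-bit words) * 4."""
    if len(tcp_segment) < 20:
        raise ValueError("truncated TCP header")
    return (tcp_segment[12] & 0xF0) >> 2

def payload_prefix(tcp_segment: bytes) -> Optional[int]:
    """Mirror of tcp[<hdrlen>:4]: first 4 payload bytes, or None if the segment has fewer."""
    off = tcp_header_len(tcp_segment)
    if len(tcp_segment) < off + 4:
        return None  # bare ACK or tiny segment: the filter cannot match it
    return struct.unpack("!I", tcp_segment[off:off + 4])[0]

def matches_method(tcp_segment: bytes, method: str = "POST") -> bool:
    """True when the segment's payload starts with the given HTTP method token."""
    return payload_prefix(tcp_segment) == METHOD_PREFIXES[method]

def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample segment (not a real capture): 20-byte header + options + payload."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset_words = (20 + len(options)) // 4
    psh_ack = 0x18
    header = struct.pack("!HHIIBBHHH", 54321, 80, 1, 1,
                         data_offset_words << 4, psh_ack, 4356, 0, 0)
    return header + options + payload

# Constructed samples: a POST carrying 12 bytes of options (header len 32),
# a plain GET (header len 20), and an empty ACK with no payload at all.
POST_WITH_OPTS = build_segment(b"POST / HTTP/1.0\r\nHost: example\r\n",
                               options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
GET_REQ = build_segment(b"GET / HTTP/1.1\r\n")
BARE_ACK = build_segment(b"")

if __name__ == "__main__":
    for name, seg in (("POST_WITH_OPTS", POST_WITH_OPTS), ("GET_REQ", GET_REQ), ("BARE_ACK", BARE_ACK)):
        print(name, "hdrlen", tcp_header_len(seg), "POST?", matches_method(seg))
```

Because the check is on the first four bytes of a single segment, the expression captures only the segment that starts the request; a body that the client sends in a later segment is not matched by this filter alone.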

Thanks goes to paulz on stackoverflow.

m00nie :)