如何使用 tcpdump 捕获所有 HTTP 数据包

发布于 2025-01-04 19:22:36 字数 660 浏览 4 评论 0原文

我想使用一些参数运行 tcpdump(仍然不知道该使用什么),然后加载 stackoverflow.com 页面。

输出应该是 HTTP 通信。后来,我想将其用作 shell 脚本,因此每当我想检查站点 site.com 的 HTTP 通信时,我只需运行 script.sh site.com 即可。

HTTP 通信应该足够简单。像这样:

GET /questions/9241391/how-to-capture-all-the-http-communication-data-using-tcp-dump
Host: stackoverflow.com
... 
...

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Length: 35061
Content-Type: text/html; charset=utf-8
Expires: Sat, 11 Feb 2012 15:36:46 GMT
Last-Modified: Sat, 11 Feb 2012 15:35:46 GMT
Vary: *
Date: Sat, 11 Feb 2012 15:35:45 GMT


....
decoded deflated data
....

现在,我应该使用 tcpdump 的哪些选项来捕获它?

I want to run tcpdump with some parameters (still don't know what to use), then load the stackoverflow.com page.

Output should be the HTTP communication. Later, I want to use it as a shell script, so whenever I want to check the HTTP communication of a site site.com, I just can run script.sh site.com.

The HTTP communication should be simple enough. Like this:

GET /questions/9241391/how-to-capture-all-the-http-communication-data-using-tcp-dump
Host: stackoverflow.com
... 
...

HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Length: 35061
Content-Type: text/html; charset=utf-8
Expires: Sat, 11 Feb 2012 15:36:46 GMT
Last-Modified: Sat, 11 Feb 2012 15:35:46 GMT
Vary: *
Date: Sat, 11 Feb 2012 15:35:45 GMT


....
decoded deflated data
....

Now, which options should I use with tcpdump to capture it?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

゛时过境迁 2025-01-11 19:22:36

可以通过ngrep来完成

ngrep -q -d eth1 -W byline host stackoverflow.com and port 80 
       ^  ^       ^         ^        
       |  |       |         |
       |  |       |         |
       |  |       |         v
       |  |       |         filter expression
       |  |       |         
       |  |       +-->  -W  is set the dump format ("normal", "byline", "single", "none")
       |  |
       |  +---------->  -d  is use specified device instead of the pcap default
       |
       +------------->  -q  is be quiet ("don't print packet reception hash marks")

It can be done by ngrep

ngrep -q -d eth1 -W byline host stackoverflow.com and port 80 
       ^  ^       ^         ^        
       |  |       |         |
       |  |       |         |
       |  |       |         v
       |  |       |         filter expression
       |  |       |         
       |  |       +-->  -W  is set the dump format ("normal", "byline", "single", "none")
       |  |
       |  +---------->  -d  is use specified device instead of the pcap default
       |
       +------------->  -q  is be quiet ("don't print packet reception hash marks")
再可℃爱ぅ一点好了 2025-01-11 19:22:36

根据您所提到的,ngrep(在 Unix 上)和 Fiddler(Windows)可能是更好/更简单的解决方案。

如果您绝对想使用 tcpdump,请尝试以下选项

tcpdump -A -vvv host destination_hostname

-A (ascii)
-vvv (verbose output)

Based on what you have mentioned, ngrep (on Unix) and Fiddler (Windows) might be better/easier solutions.

If you absolutely want to use tcpdump, try out the following options

tcpdump -A -vvv host destination_hostname

-A (ascii)
-vvv (verbose output)
睡美人的小仙女 2025-01-11 19:22:36
tcpdump -i eth0 -w dump3.pcap -v  'tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

请参阅http://www.tcpdump.org/manpages/tcpdump.1.html

tcpdump -i eth0 -w dump3.pcap -v  'tcp and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

see http://www.tcpdump.org/manpages/tcpdump.1.html

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文