How to get http requests details in a tcpdump?

Question

I am trying to get a tcpdump trace of some http requests.

Here is what I got so far (I replaced the real IP addresses with REMOTE and LOCAL):

C:\>Windump -na -i 3 ip host REMOTE and ip src LOCAL and tcp port 80 Windump: listening on \Device\NPF_{8056BE5E-BDBB-44E6-B492-9274B410AD66} 13:13:34.985460 IP LOCAL.4261 > REMOTE.80: . 1784894764:1784894765(1) ack 1268208398 win 65535 13:13:38.589175 IP LOCAL.4302 > REMOTE.80: F 3708464308:3708464308(0) ack 982485614 win 65535 13:13:38.589285 IP LOCAL.4303 > REMOTE.80: F 890175362:890175362(0) ack 2462862919 win 65535 13:13:38.589330 IP LOCAL.4304 > REMOTE.80: F 1838079178:1838079178(0) ack 156173959 win 65535 13:13:38.589374 IP LOCAL.4305 > REMOTE.80: F 3952718843:3952718843(0) ack 2209231545 win 65535 13:13:38.589413 IP LOCAL.4306 > REMOTE.80: F 446105750:446105750(0) ack 3141849979 win 65535 13:13:38.590265 IP LOCAL.4302 > REMOTE.80: . ack 2 win 65535 13:13:38.590403 IP LOCAL.4304 > REMOTE.80: . ack 2 win 65535 13:13:38.590429 IP LOCAL.4303 > REMOTE.80: . ack 2 win 65535 13:13:38.590484 IP LOCAL.4305 > REMOTE.80: . ack 2 win 65535 13:13:38.590514 IP LOCAL.4306 > REMOTE.80: . ack 2 win 65535 

But I do not get the following level of details:

Request URL:http://domain.com/index.php Request Method:POST Status Code:200 OK POST /index.php HTTP/1.1 Host: domain.com Connection: keep-alive Content-Length: 151 Cache-Control: max-age=0 etc

How can I get this level of data?

Answer 1

I'm not sure about the available options in Windump, but on tcpdump on Linux, you have:

 -A Print each packet (minus its link level header) in ASCII. Handy for capturing web pages. 

You may need to increase the snaplength with "-s" to fully show the packet, also. Something like "tcpdump -A -s 1500" with the filter options.

Answer 2

I prefer to capture everything in a file like this:

tcpdump -X -s0 -w /tmp/wtf capture_parameters_go_here 

and then load the /tmp/wtf file to Wireshark GUI so I can analyze everything in a more intuitive way.