2

For security purposes we want to list all POST requests URI's that are used in our applications (so we would disable POST through mod_security except for those URI's). The idea is to use tcpdump to capture these during a full regression test and then wireshark to get a distinct list of all URI's.

The problem is that we're failing to find the correct tcpdump arguments to only capture HTTP post requests (which is needed because a full tcpdump would quickly fill up the disk).

Following command works find but shows GET's, POSTS and some other packets (too many):

sudo tcpdump -A 'tcp port 9081 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Following only capture POST request but in wireshark they show as TCP packets and we're not able to extract the URI from these (as we do for HTTP using custom value http.request.uri in wireshark):

sudo tcpdump -A 'tcp port 9081 tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

What tcpdump arguments should we use to capture HTTP POST requests (which show as HTTP packets in wireshark) or how can we extract the URI from those TCP packets (second command)?

Improve this question
9
  • Is wireshark/tcpdump a hard requirement here? Have you considered using urlsnarf instead? That will also show both GET and POST, but I suppose a grep -v ... will sort that out for you. Commented Nov 20, 2014 at 11:37
  • 3
    tcpdump cannot decrypt SSL/TLS (HTTPS). For this you have to use tools like ssldump or Wireshark. Additionally tcpdump and ssldump do not have filters for layers higher than L4. From Wireshark command line tools you can use tshark with very powerful read and display filters which operate up to L7. Commented Nov 20, 2014 at 11:58
  • @faker - urlsnarf looks interesting but unfortunately it is not installed on our server (nor do we have the rights to install it) Commented Nov 20, 2014 at 12:36
  • Ah I also missed the HTTPS part, with which it wouldn't work anyway. Commented Nov 20, 2014 at 12:44
  • @pabouk - I should have mentioned that the tcpdump is running on server where the reverse proxy is running; by then it's all http (which is also clear from the dump). We are monitoring the calls from the RP to the actual application server. Commented Nov 20, 2014 at 12:45

2 Answers 2

Reset to default
1

I also had a similar issue a while ago and I think this could be helpful if this ever comes up, or if someone needs some help with this.

Capture only HTTP POST requests Incoming to port 80 ( Apache/NGINX)

With this Tcpdump command:

tcpdump -i enp0s8 -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'

Here 0x504F5354 represents the ASCII value of 'P' 'O' 'S' 'T'

This was the documentation I used, it worked fine for me

Improve this answer
0 
tcpflow -p -c -i bond0 port 9081 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.