joshdevins/tcpdump.bash

## tcpdump.bash
# everything
sudo tcpdump -i lo0 -A -n -s 0 'tcp dst port 9200 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

## tshark.bash
# POST only
sudo tshark -i lo0 -Y 'http.request.method == "POST"' -T fields -e http.request.uri -e http.file_data 'tcp dst port 9200' > dump.txt

# then look for search queries
cat dump.txt | grep search | sed -n 's/.*\\n\({\"query\":.*\)\\n/\1/p' | jq -C .
	# everything
	sudo tcpdump -i lo0 -A -n -s 0 'tcp dst port 9200 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
	# POST only
	sudo tshark -i lo0 -Y 'http.request.method == "POST"' -T fields -e http.request.uri -e http.file_data 'tcp dst port 9200' > dump.txt

	# then look for search queries
	cat dump.txt \| grep search \| sed -n 's/.\\n\({\"query\":.\)\\n/\1/p' \| jq -C .