@liuyangc3
Last active November 19, 2019 04:14
dump network cap from remote
```
# Windows: Wireshark and Cygwin installed. Open a Cygwin shell and let Wireshark
# read the capture stream from stdin (-i -), start capturing immediately (-k)
# and update the packet list as packets arrive (-S)
nc -l 11233 | /c/Program\ Files/Wireshark/Wireshark -k -S -i -

# on the remote Linux box: stream full-size packets (-s 0) to the Windows host,
# excluding the transfer port and SSH so the capture does not feed back on itself
# (the filter must be "not port 11233 and not port 22"; "not port 11233 or 22"
# parses as "(not port 11233) or port 22" and excludes nothing but 11233)
tcpdump -i eth0 -n -s 0 -w - 'not port 11233 and not port 22' | nc <your windows ip> 11233
```

```
# Windows alternative: with rpcapd running on the Linux box, go to
# « Capture Options » in Wireshark and specify the remote interface: rpcap://192.168.1.1/eth0
```

```
# Linux box: write full-size packets to stdout, excluding SSH
tcpdump -s0 -w - -i eth0 not port 22

# print only HTTP request lines and selected headers from live traffic
# (-a treats the binary pcap stream as text, -o prints only the matching part)
tcpdump -i eth0 -n -s 0 -w - | grep -a -o -E \
"GET.*|POST.*|PUT.*|DELETE.*|Accept.*|Authorization:.*|Cache-Control:.*|Cookie:.*|Content-.*|Date:.*|Host:.*|User-Agent.*"
```
1. To monitor HTTP traffic including request and response headers and message body:
```
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
```
   The arithmetic term is the TCP payload length: IP total length (`ip[2:2]`) minus the IP header length (`(ip[0]&0xf)<<2`) minus the TCP header length (`(tcp[12]&0xf0)>>2`); requiring it to be non-zero drops bare ACK segments that carry no data.
2. To monitor HTTP traffic including request and response headers and message body from a particular source:
```
tcpdump -A -s 0 'src example.com and tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
```
3. To monitor HTTP traffic including request and response headers and message body on the loopback interface (local host to local host):
```
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i lo
```
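As an added example (not part of the gist), the same header arithmetic and header extraction in Python: it reads the classic pcap stream that `tcpdump -w -` writes, applies the filter's payload-length computation to each IPv4/TCP packet, and returns the request/status line and headers of segments that carry HTTP, skipping the payload-less ACKs the filter excludes. It assumes an Ethernet link type and uses a constructed three-packet pcap as input; all names are the example's own.

```python
import struct

def tcp_payload(ip: bytes) -> bytes:
    """Slice the TCP payload out of a raw IPv4 packet with the gist's BPF
    arithmetic: ip[2:2] (total length) - (ip[0]&0xf)<<2 (IP header length)
    - (tcp[12]&0xf0)>>2 (TCP data offset). 0 means a bare ACK: dropped."""
    if len(ip) < 40 or ip[0] >> 4 != 4 or ip[9] != 6:   # IPv4 carrying TCP only
        return b""
    ihl = (ip[0] & 0x0F) << 2
    total = struct.unpack("!H", ip[2:4])[0]
    doff = (ip[ihl + 12] & 0xF0) >> 2
    n = total - ihl - doff
    return ip[ihl + doff:ihl + doff + n] if n > 0 else b""

def http_header_lines(payload: bytes) -> list:
    """Request/status line plus headers, or [] if the segment is not an HTTP head."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    ok = lines[0].startswith(("GET ", "POST ", "PUT ", "DELETE ", "HTTP/"))
    return lines if ok else []

def http_headers_from_pcap(data: bytes) -> list:
    """Walk a classic pcap stream (`tcpdump -w -`, Ethernet link type assumed)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:   # LINKTYPE_ETHERNET
        raise ValueError("this example only handles Ethernet captures")
    found, pos = [], 24
    while pos + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]  # incl_len
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if frame[12:14] == b"\x08\x00":                   # EtherType IPv4
            lines = http_header_lines(tcp_payload(frame[14:]))
            if lines:
                found.append(lines)
    return found

def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet + minimal IPv4 + TCP (dst port 80)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
# Constructed pcap (little-endian, v2.4): a request, a payload-less ACK, a response.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (
        build_frame(b"GET /login HTTP/1.1\r\nHost: example.test\r\nCookie: sid=abc\r\n\r\n"),
        build_frame(b""),
        build_frame(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>")))
```

Piping a live capture through it (`tcpdump -s 0 -w - ... | python3 this_script.py` with `http_headers_from_pcap(sys.stdin.buffer.read())`) gives the same header view as the grep pipeline above, but by parsing the packets rather than pattern-matching the binary stream.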