dump network cap from remote

remote network dump by nc

# windows installed Wireshark and cygwin
# open cygwin
nc -l 11233 | /c/Program\ Files/Wireshark/Wireshark -k -S -i -

# on reomote Linux box 
tcpdump -i eth0 -n -s 0 not port 11233 or 22 -w -|nc <your windows ip> 11233

remote network dump by plink

# windows installed Wireshark and cygwin and putty
# open cygwin
mkfifo remote.cap
plink.exe root@192.168.1.1 "sudo /usr/sbin/tcpdump -s 0 -U -n -w - -i eth0 not port 22" > remote.cap
# open Wireshark, click Options->Interface, and import remote.cap


# or
# on Linux box
echo "tcpdump -s0 -w - -i eth0 not port 22" > command.txt
# windows cygwin
plink.exe -ssh -pw yourpasswd root@192.168.1.1 -m commands.txt | /c/Program\ Files/Wireshark/Wireshark -k -i –

# if you use a Linux
ssh root@192.168.1.1 "tcpdump -w - host 192.168.5.219" | wireshark -k -i -

remote network dump by rpcap

# windows
# Go to « Capture Options » and specify remote host : rpcap://192.168.1.1/eth0


# Linux box
tcpdump -s0 -w - -i eth0 not port 22

tcp http dump

tcpdump -i eth0 -n -s 0 -w - | grep -a -o -E \
"GET.*|POST.*|PUT.*|DELETE.*|Accept.*|Authorization:.*|Cache-Control:.*|Cookie:.*|Content-.*|Date:.*Host.*|User-Agent.*"

1. To monitor HTTP traffic including request and response headers and message body:
```
tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
```
2. To monitor HTTP traffic including request and response headers and message body from a particular source:

tcpdump -A -s 0 'src example.com and tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

3. To monitor HTTP traffic including request and response headers and message body from local host to local host:

tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -i lo