@qsLI
Forked from qzaidi/tcpdump.md
Created September 21, 2020 03:41
capture http headers

HTTP Headers

```sh
tcpdump -A -s 10240 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | egrep --line-buffered "^........(GET |HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/^........(GET |HTTP\/|POST |HEAD )/\n\1/g'
```

HTTP Headers and body, on a given interface to a certain dst

```sh
tcpdump -i ens4 -A -s 10240 'dst 172.21.43.252 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
```
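The BPF expression shared by the two HTTP captures above, `(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)`, is the TCP payload length computed from header fields, so `!= 0` keeps only segments that carry data and drops pure ACKs and handshake packets that would otherwise clutter the `-A` output. The following Python model is an added example, not code from the gist: it evaluates the same arithmetic on constructed IPv4/TCP packets (checksums zeroed, addresses from the documentation range 192.0.2.0/24) so you can see which packets the filter would pass, including the case where TCP options lengthen the header.

```python
import struct

# Everything below works on constructed byte strings; nothing touches a network interface.


def bpf_tcp_payload_len(pkt: bytes) -> int:
    """Evaluate what the tcpdump filter
    '(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)' computes for one IPv4/TCP packet.

    ip[0]&0xf     IPv4 IHL in 32-bit words; <<2 converts it to bytes
    ip[2:2]       IPv4 total length (IP header + TCP header + data)
    tcp[12]&0xf0  TCP data offset (high nibble of byte 12) in 32-bit words; >>2 gives bytes
    """
    ip_hdr_len = (pkt[0] & 0x0F) << 2
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ip_hdr_len:]            # BPF's tcp[n] is relative to the start of the TCP header
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2
    return ip_total_len - ip_hdr_len - tcp_hdr_len


def bpf_matches(pkt: bytes) -> bool:
    """The '!= 0' part of the filter: keep only segments that carry application data."""
    return bpf_tcp_payload_len(pkt) != 0


def build_ipv4_tcp(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet for testing (constructed data, checksums left at 0).

    TCP options must pad to a multiple of 4 bytes, as on the wire, because the data
    offset field counts 32-bit words.
    """
    if len(tcp_options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    tcp_hdr_len = 20 + len(tcp_options)
    total_len = 20 + tcp_hdr_len + len(payload)

    # version=4, IHL=5 (0x45), TOS, total length, ID, DF flag, TTL, proto=TCP(6), checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

    # Byte 12 of the TCP header = data offset (words) in the high nibble; flags PSH|ACK
    offset_and_flags = ((tcp_hdr_len // 4) << 12) | 0x018
    tcp_hdr = struct.pack("!HHIIHHHH",
                          40000, 80, 1, 1, offset_and_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + tcp_options + payload


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    timestamp_opts = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, TS option (kind 8, len 10)
    samples = {
        "pure ACK, no options": build_ipv4_tcp(b""),
        "pure ACK, TS options": build_ipv4_tcp(b"", timestamp_opts),
        "GET, no options": build_ipv4_tcp(request),
        "GET, TS options": build_ipv4_tcp(request, timestamp_opts),
    }
    for name, pkt in samples.items():
        print(f"{name:22s} payload={bpf_tcp_payload_len(pkt):3d}  kept={bpf_matches(pkt)}")
```

The same arithmetic is why `-s 10240` (or `-s0`) matters in these one-liners: the filter runs on header fields, but `-A` only prints the bytes that were actually captured, so a small snaplen would pass the packet and then truncate the request body you wanted to read.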

Postgres Queries

```sh
sudo tcpdump -i lo -s0 -nl -w- dst port postgres | strings -n8
```

Redis

```sh
tcpdump -s 65535 -nl -w- tcp port 6379 -i eth0 | strings -n8
```

NSQ

```sh
sudo tcpdump -i eth0 -s0 -nl -w- dst port 4150 and dst net 192.168.16.138/32 | strings -n8
```

```sh
# Better format pcap
tcpdump -qns 0 -A -r /tmp/dump
```

MQTT

```sh
tcpdump -s 65535 -nl -w- tcp port 1883 -i eth0 | strings -n8
```