@yordanoweb
Last active August 8, 2022 12:40

Capture outgoing connections and HTTP GET/POST requests

tcpdump -i wlan0 -w /tmp/wlan0.pcap -C 50 -A -n -K '(tcp[tcpflags] & (tcp-syn) != 0) \
        or ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420) and less 1024) \
        or ((tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354) and less 1024)' &

Notes

The TCP SYN part

  • Capturing all traffic needs far more disk space than we have, so the filter keeps only the packet that starts each connection: every segment with the SYN flag set (tcp[tcpflags] & tcp-syn != 0). Note that this also matches the SYN-ACK the server sends back, so inbound connection attempts appear in the capture too. To keep only connections we open ourselves, test for SYN without ACK: tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn.
  • -C 50 starts a new file every 50 MB but never deletes the old ones, so it does not bound disk usage by itself; add -W <count> to turn the files into a ring buffer. -A has no effect when writing with -w (nothing is printed), and -K only skips checksum verification.

The payload check with 0x47455420

  • tcp[12:1] & 0xf0 is the TCP data offset, the header length in 32-bit words stored in the upper nibble of byte 12; shifting it right by 2 converts it to the header length in bytes, which is the offset of the first payload byte. tcp[<that offset>:4] therefore reads the first four bytes of the TCP payload, and 0x47455420 is "GET " in ASCII, so this matches the segment that begins an HTTP GET request. less 1024 keeps it only if the whole packet (link-layer and IP headers included) is 1024 bytes or less, so GET requests with large cookie or header blocks are dropped.

The payload check with 0x504F5354

  • Same construction; 0x504F5354 is "POST" in ASCII. Only the segment that begins the request is captured (the body in later segments is not), and again only if the packet is at most 1024 bytes.
  • Both payload checks see plaintext HTTP only; requests inside TLS (HTTPS) never match. The tcp[...] indexing also applies to IPv4 only, since libpcap does not support it for IPv6.
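To check the offset arithmetic above without running tcpdump on a live interface, here is an added example (not part of the gist) that re-implements the gist's filter expression byte for byte in plain Python and runs it over constructed Ethernet/IPv4/TCP frames. It also shows the stricter "SYN without ACK" test, and writes the frames as a pcap file so the real expression can be checked with tcpdump -r. The framing (Ethernet II, IPv4, no VLAN tag), the addresses and ports, and the sample requests are all assumptions made for the example.

```python
import struct

ETH_LEN = 14            # Ethernet II header, as libpcap sees it on wlan0 (assumed framing)
TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_PSH = 0x08
GET_WORD = 0x47455420   # b"GET "
POST_WORD = 0x504F5354  # b"POST"


def build_packet(flags, payload=b"", tcp_options=b""):
    """Construct an Ethernet/IPv4/TCP frame (constructed test data, not a real
    capture). Addresses are hypothetical; checksums are left at zero, and the
    gist's command passes -K so tcpdump would not verify them either."""
    assert len(tcp_options) % 4 == 0, "TCP options must be padded to 32 bits"
    data_offset_words = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80,                  # source / destination port
                          1, 0,                       # seq / ack numbers
                          data_offset_words << 4,     # tcp[12]: data offset nibble
                          flags,                      # tcp[13]: tcp[tcpflags]
                          65535, 0, 0) + tcp_options  # window, checksum, urgent ptr
    ip_total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]))
    eth_hdr = b"\x00" * 12 + b"\x08\x00"              # ethertype IPv4
    return eth_hdr + ip_hdr + tcp_hdr + payload


def _tcp_offset(pkt):
    """Byte offset of the TCP header, or None if the frame is not IPv4/TCP
    (the 'tcp' qualifier rejects everything else). libpcap resolves tcp[...]
    relative to the real IP header length, so IP options are honoured."""
    if len(pkt) < ETH_LEN + 20 or pkt[12:14] != b"\x08\x00":
        return None
    ip = ETH_LEN
    if (pkt[ip] >> 4) != 4 or pkt[ip + 9] != 6:
        return None
    return ip + (pkt[ip] & 0x0F) * 4


def matches_gist_filter(pkt):
    """Evaluate the gist's expression on one frame:
    (tcp[tcpflags] & tcp-syn != 0)
    or (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 and less 1024)
    or (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 and less 1024)"""
    tcp = _tcp_offset(pkt)
    if tcp is None or len(pkt) < tcp + 20:
        return False
    if pkt[tcp + 13] & TCP_SYN:               # SYN set: SYN and SYN-ACK both match
        return True
    payload = (pkt[tcp + 12] & 0xF0) >> 2     # header length in bytes = payload offset
    if len(pkt) < tcp + payload + 4:
        return False                          # BPF rejects on an out-of-range load
    word = struct.unpack("!I", pkt[tcp + payload:tcp + payload + 4])[0]
    return len(pkt) <= 1024 and word in (GET_WORD, POST_WORD)   # 'less 1024' is <=


def is_outgoing_syn(pkt):
    """Stricter variant, tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn: the first
    packet of a connection we initiate; SYN-ACKs from servers do not match."""
    tcp = _tcp_offset(pkt)
    if tcp is None or len(pkt) < tcp + 20:
        return False
    return (pkt[tcp + 13] & (TCP_SYN | TCP_ACK)) == TCP_SYN


def pcap_bytes(packets):
    """Serialise frames as a classic pcap file (link type 1 = Ethernet) so the
    real expression can be checked with: tcpdump -n -r test.pcap '<filter>'."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    samples = {
        "SYN":           build_packet(TCP_SYN),
        "SYN-ACK":       build_packet(TCP_SYN | TCP_ACK),
        "small GET":     build_packet(TCP_ACK | TCP_PSH, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        "GET + options": build_packet(TCP_ACK | TCP_PSH, b"GET / HTTP/1.1\r\n\r\n",
                                      tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
        "1.1 KB POST":   build_packet(TCP_ACK | TCP_PSH, b"POST /u HTTP/1.1\r\n" + b"x" * 1100),
        "HTTP response": build_packet(TCP_ACK | TCP_PSH, b"HTTP/1.1 200 OK\r\n"),
    }
    for name, pkt in samples.items():
        print(f"{name:14s} len={len(pkt):5d} gist={matches_gist_filter(pkt)!s:5s} "
              f"outgoing_syn={is_outgoing_syn(pkt)}")
    with open("/tmp/filtertest.pcap", "wb") as f:
        f.write(pcap_bytes(list(samples.values())))
```

The "GET + options" sample is the one that shows why the data offset has to be computed: its TCP header carries 12 bytes of options, so a hard-coded tcp[20:4] would read the option bytes instead of "GET ". The 1.1 KB POST sample is rejected by less 1024 even though it starts with "POST", which is the size cap described in the notes. Running tcpdump -n -r /tmp/filtertest.pcap with the gist's expression should select the same four frames that matches_gist_filter reports.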
