tcpdump and http - Networking


Thread: tcpdump and http

  1. tcpdump and http

    Hi guys

    I'm not an expert in TCP/IP and I'm sorry for my mistakes and for my bad English

    my question is:
    is it possible to understand the type of traffic by reading a file created with the -w
    option of tcpdump?

    my interest is capturing http traffic.

    when I open the file with Wireshark, it writes HTTP in a column, but I don't
    know if it writes HTTP because the port is 80 or because it understands that it is
    really http traffic, independent of the port number

    thanks in advance

    --
    Riccardo (http://termitano.myminicity.com, visit and, if you want, take part
    at http://www.iltermitano.it/)

    A computer is like an air conditioner,
    it stops working when you open Windows.
    Registered Linux user #457776

  2. Re: tcpdump and http

    RicK_Murphy writes:

    > Hi guys
    >
    > I'm not an expert in TCP/IP and I'm sorry for my mistakes and for my bad English
    >
    > my question is:
    > is it possible to understand the type of traffic by reading a file created with the -w
    > option of tcpdump?


    Yes. Make sure the slice is set to the maximum packet size otherwise
    the packet will be truncated.

    tcpdump -i ie0 -w data.tcp -s0

    and to read - something like

    tcpdump -vvv -X -r data.tcp

    Wireshark will do it as well.


  3. Re: tcpdump and http

    Maxwell Lol wrote:


    > Yes. Make sure the slice is set to the maximum packet size otherwise
    > the packet will be truncated.


    yes, I know, I do it that way

    but my question is: how does wireshark understand that the packet is HTTP?

    if I open the file with java, which field do I read to say: this packet
    payload is HTTP traffic?


    thanks a lot


  4. Re: tcpdump and http

    RicK_Murphy writes:

    > but my question is: how does wireshark understand that the packet is HTTP?


    Usually it uses the port number. If it's port 80, it's http.

    I have modified the source of tcpdump to force it to treat certain
    ports as specific protocols, if it's doing it wrong. Say - if I want
    to make port 8080 be http instead of 80.

    > if I open the file with java, which field do I read to say: this packet
    > payload is HTTP traffic?


    Why are you opening the file with java?

    I usually either use the wireshark GUI, or I use a program that reads
    the libpcap formatted binary, and outputs in ASCII, and parse it with
    a perl or awk program.

    like
    tcpdump -r dumpfile.tcp -v -X port 80 | grep '.....'

    You can also use tshark as it generates ASCII like tcpdump. Frankly,
    I'm not much of a wireshark expert, so I use tcpdump.

    You can specify a filter to be - say - only port 80, and the
    documentation says how to do this. I have used tcpdump for years, and
    it has a very complete parser and language you can specify on the
    command line. So you can say complex (untested) expressions like:


    tcpdump -r dumpfile port 80 and dst host server123 and src host \
    client456 and greater 50 and (tcp-syn|tcp-fin) != 0

    Here's an example from the man page:

    To print all IPv4 HTTP packets to and from port 80, i.e. print only
    packets that contain data, not, for example, SYN and FIN packets and
    ACK-only packets. (IPv6 is left as an exercise for the reader.)
    tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - \
    ((tcp[12]&0xf0)>>2)) != 0)'



    So in general, I capture everything to a binary file, and then read
    from that file and I filter the results when I analyze it.

  5. Re: tcpdump and http

    RicK_Murphy wrote:
    > Maxwell Lol wrote:
    >
    >
    >> Yes. Make sure the slice is set to the maximum packet size otherwise
    >> the packet will be truncated.

    >
    > yes, I know, I do it that way
    >
    > but my question is: how does wireshark understand that the packet is HTTP?
    >
    > if I open the file with java, which field do I read to say: this packet
    > payload is HTTP traffic?
    >
    >
    > thanks a lot
    >


    wireshark's http/web dissectors parse the layer 5 protocol;
    if there is a GET, HEAD or POST request and the port is 80 or 443
    it's probably http

    http://www.codeproject.com/KB/IP/custom_dissector.aspx

    with http this is easy since HTTP is a standard and defined
    in its rfc http://www.faqs.org/rfcs/rfc2616.html
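    A worked example of the content check described above, combined with the
    payload-length arithmetic from the man-page filter quoted in the earlier
    reply (added here, not code from the thread or from tcpdump/Wireshark): a
    small Python libpcap reader that walks Ethernet/IPv4/TCP, skips segments
    with no payload, and labels a payload HTTP by its first bytes rather than
    by its port. The pcap bytes are constructed inline; the hosts, ports and
    payloads are made up for the demonstration.

```python
import struct

# Request methods and response prefix that mark a TCP payload as HTTP/1.x.
HTTP_MARKERS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")

def build_packet(sport, dport, flags, payload):
    """Constructed Ethernet/IPv4/TCP frame (10.0.0.1 -> 10.0.0.2); checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4

def sample_pcap():
    """Constructed libpcap file: HTTP on 8080, an ACK-only segment, an SSH banner on 80."""
    pkts = [build_packet(40000, 8080, 0x18, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
            build_packet(40001, 80, 0x10, b""),
            build_packet(40001, 80, 0x18, b"SSH-2.0-OpenSSH\r\n")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", i, 0, len(p), len(p)) + p          # ts_sec, ts_usec, caplen, len
    return out

def classify(pcap):
    """Return (sport, dport, is_http) for every TCP segment that carries data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # file byte order from the magic
    off, results = 24, []
    while off + 16 <= len(pcap):
        caplen = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) << 2                      # man-page filter: (ip[0]&0xf)<<2
        total = struct.unpack("!H", ip[2:4])[0]        # man-page filter: ip[2:2]
        if ip[9] != 6:
            continue                                   # not TCP
        tcp = ip[ihl:total]
        doff = (tcp[12] & 0xF0) >> 2                   # man-page filter: (tcp[12]&0xf0)>>2
        if total - ihl - doff == 0:
            continue                                   # SYN / FIN / ACK-only: no payload
        sport, dport = struct.unpack("!HH", tcp[:4])
        results.append((sport, dport, tcp[doff:].startswith(HTTP_MARKERS)))
    return results

if __name__ == "__main__":
    for sport, dport, is_http in classify(sample_pcap()):
        print(f"{sport} -> {dport}: {'HTTP' if is_http else 'not HTTP'}")
```

    The GET on port 8080 is reported as HTTP and the SSH banner on port 80 is not, which is exactly the distinction a port-only rule misses.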

  6. Re: tcpdump and http


    > wireshark's http/web dissectors parse the layer 5 protocol;
    > if there is a GET, HEAD or POST request and the port is 80 or 443
    > it's probably http
    >
    > http://www.codeproject.com/KB/IP/custom_dissector.aspx
    >
    > with http this is easy since HTTP is a standard and defined
    > in its rfc http://www.faqs.org/rfcs/rfc2616.html


    thanks
