Detect HTTP sessions using tcpdump

Question

I have a tracefile and I want to ﬁnd all web servers that were successfully visited in the trace, contacted via HTTP.

I'm using:

tcpdump -r file.trace - tcp port 80

Maybe I have to search for a list of server IP that send response packets to me (I mean those that create HTTP sessions with me). Just servers, not other TCP connections. I mean, I need server IPs that answer to HTTP requests and send HTTP responses back.

What tools have you looked at to try filtering the dump file? What OS are you using? — Darth Android, Nov 19 '13 at 18:31

score 1 · Answer 1 · answered Nov 19 '13 at 18:47

The correct command is

  tcpdump -A -i eth0 -s0 host www.example.com and port 80

where you can leave out any of the above options:

  A resolve IP addresses 
  i bind to interface eth0
  s0 show full packet
  host is obvious
  port 80 show request and reply.

If you leave www.example.com out,

  tcpdump -A -i eth0 -s0 dst port 80

will show you all requests to port 80, like

  tcpdump -A -i eth0 src port 80

the replies. You may substitute -r file for -i eth0. Occasionally, remember you may have to use port 8080 instead.

Detect HTTP sessions using tcpdump

1 Answers1