tcpdump

[David G. Miller]

Aly Dharshi <aly.dharshi at telus.net> wrote:

> Hello Kaushal, I hope that you are well. tcpdump -i ethX port 80 Where 
> X would be a number so eth0 or eth1, you can also refine this with 
> "src port" and "dst port" expressions, have you tried using wireshark 
> instead if you are using an X system ? Cheers, Aly. Kaushal Shriyan 
> wrote:
>> > Hi
>> > 
>> > How do i capture http request and response using tcpdump
>> > 
>> > Thanks and Regards
>> > 
>> > Kaushal
>> > 
This approach only captures the HTTP requests.  It will not capture the 
response since the response will not be through port 80; the response to 
a request will be to some randomly assigned, non-privileged port.

If you assume that most inbound traffic to non-privileged ports consists 
of HTTP responses, you could just filter out all inbound traffic to 
privileged ports (port # < 1024).  Depending on what you allow users to 
do, you may also get some chat/instant messenger traffic, P2P file 
sharing, etc.  This may also be of interest depending on what you're 
looking for.

If you specifically need to match HTTP requests with the response, you 
may need to look into one of the commercial network monitoring 
applications.  These work by capturing all traffic and matching the 
half-sessions to recreate the complete dialog.  This is a much harder 
problem but these products allow the user who made a particular request 
to be identified and associated with the response.

Cheers,
Dave

-- 
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce