tcpdump

Guillermo Garron guillermo.fedora at gmail.com
Mon Apr 23 22:49:35 UTC 2007


On 4/23/07, David G. Miller <dave at davenjudy.org> wrote:
> Aly Dharshi <aly.dharshi at telus.net> wrote:
>
> > Hello Kaushal, I hope that you are well.
> >
> > tcpdump -i ethX port 80
> >
> > Where X would be a number so eth0 or eth1, you can also refine this with
> > "src port" and "dst port" expressions, have you tried using wireshark
> > instead if you are using an X system ?
> >
> > Cheers, Aly.
> >
> > Kaushal Shriyan wrote:
> >> > Hi
> >> >
> >> > How do I capture HTTP request and response using tcpdump
> >> >
> >> > Thanks and Regards
> >> >
> >> > Kaushal
> >> >
> This approach only captures the HTTP requests.  It will not capture the
> response since the response will not be through port 80; the response to
> a request will be to some randomly assigned, non-privileged port.
>
> If you assume that most inbound traffic to non-privileged ports consists
> of HTTP responses, you could just filter out all inbound traffic to
> privileged ports (port # < 1024).  Depending on what you allow users to
> do, you may also get some chat/instant messenger traffic, P2P file
> sharing, etc.  This may also be of interest depending on what you're
> looking for.
>
> If you specifically need to match HTTP requests with the response, you
> may need to look into one of the commercial network monitoring
> applications.  These work by capturing all traffic and matching the
> half-sessions to recreate the complete dialog.  This is a much harder
> problem but these products allow the user who made a particular request
> to be identified and associated with the response.
>
> Cheers,
> Dave

He is right.

Maybe the best option is to capture everything, dump it to a file, and
then analyze that file with the filters of Ethereal.

regards,

-- 
Guillermo Garron
"Linux IS user friendly... It's just selective about who its friends are."
(Using FC6, CentOS4.4 and Ubuntu 6.06)
http://feeds.feedburner.com/go2linux
http://www.go2linux.org
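
The "dump it to a file, then analyze" approach and the half-session matching described in the quoted reply, as an added example that is not part of the original thread. All function names are hypothetical; it assumes a classic little-endian pcap file with Ethernet framing, cleartext HTTP, and one TCP segment per message, and it runs on a constructed in-memory capture.

```python
import struct
from collections import defaultdict

def frame(src, sport, dst, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def make_pcap(frames):
    """Wrap frames in a classic little-endian pcap file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, payload) for every IPv4/TCP packet."""
    dotted = lambda b: ".".join(map(str, b))
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                           # not IPv4 over Ethernet, or not TCP
        total = struct.unpack_from("!H", pkt, 16)[0]
        t = 14 + (pkt[14] & 0x0F) * 4          # TCP header follows the IP header
        sport, dport = struct.unpack_from("!HH", pkt, t)
        data = pkt[t + (pkt[t + 12] >> 4) * 4:14 + total]
        yield dotted(pkt[26:30]), sport, dotted(pkt[30:34]), dport, data

def pair_http(pcap, server_port=80):
    """Join both half-sessions per (client, client port, server) connection."""
    flows = defaultdict(lambda: {"request": [], "response": []})
    for src, sport, dst, dport, data in tcp_segments(pcap):
        first = data.split(b"\r\n", 1)[0].decode("latin-1")
        if data and dport == server_port:      # client -> server half
            flows[(src, sport, dst)]["request"].append(first)
        elif data and sport == server_port:    # server -> client half
            flows[(dst, dport, src)]["response"].append(first)
    return dict(flows)

C1, C2, SRV = (192, 0, 2, 10), (192, 0, 2, 11), (198, 51, 100, 5)  # constructed
SAMPLE = make_pcap([
    frame(C1, 40001, SRV, 80, b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    frame(C2, 40002, SRV, 80, b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    frame(SRV, 80, C2, 40002, b"HTTP/1.1 404 Not Found\r\n\r\n"),
    frame(SRV, 80, C1, 40001, b"HTTP/1.1 200 OK\r\n\r\nhello")])
```

Calling `pair_http(SAMPLE)` returns one entry per connection, each holding the request line and the status line that answered it, even though the responses arrive interleaved.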
