I need to capture HTTP GET and POST requests to any host within .example.com (responses from those hosts aren't of interest). This will be a long-running capture and the machine is fairly heavily used, so I'm keenly interested in controlling what is captured rather than just what is displayed. There are probably hundreds of hosts within .example.com, some I won't even know about. So a wildcard is key. These requests may come from a browser or other type of application, so I need to use a lower-level approach. My initial impression was that this isn't possible via a capture filter, but I thought I'd ping the experts before giving up. Is it possible with Wireshark at all?
Note: although I'm currently interested in just HTTP requests, if there is a way to do a similar thing without limiting it to HTTP (which conveniently provides the HOST header) or a specific direction, I would be interested in the more general case too :)
Thanks in advance!
asked 03 Apr '12, 10:13
Capture filters can't work with wildcards, nor can they handle re-assembly. Your best bet is to use dumpcap with the "-b filesize" option to split data across files. You can then use tshark with a display filter to extract the packets of interest.
answered 04 Apr '12, 12:52
Check out these examples from http://wiki.wireshark.org/CaptureFilters and tailor to your situation...
Capture traffic to a range of IP addresses: dst net 192.168.0.0/24 or dst net 192.168.0.0 mask 255.255.255.0
I haven't researched it, but I'm guessing 0/24 means all IPs ending ".0" up to and including ".24", but it might mean twenty-four IPs starting at 0 (i.e., 0-23).
The mask should capture anything going to 192.168.0.* where * is from 0 to 255.
Also in the above capture examples: Capture HTTP GET requests. This looks for the bytes 'G', 'E', 'T', and ' ' (hex values 47, 45, 54, and 20) just after the TCP header. "(tcp[12:1] & 0xf0) >> 2" figures out the TCP header length. (From Jefferson Ogata via the tcpdump-workers mailing list.)
So all you have to do is find your IPs for .example.com and combine that with the GET and POST filters.
answered 03 Apr '12, 11:41
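As an added illustration (not part of either answer above), the following Python reproduces on constructed TCP segments the two halves of the approach the answers describe: the header-length arithmetic behind the quoted GET capture filter, which a capture filter can evaluate because it only needs fixed byte offsets, and the Host-header suffix match for "*.example.com", which has to be done after capture because it needs to parse variable-length text. The segments, hosts and option bytes are constructed sample data, and `wanted()` is a hypothetical name for the combined check.

```python
import struct

# Constructed sample TCP segments (not from the page). Source port, seq/ack
# and window values are arbitrary; only the data-offset field and payload matter.


def build_tcp_segment(payload, options=b""):
    """Build a TCP header (dst port 80) + optional TCP options + payload."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset_words = 5 + len(options) // 4          # header length in 32-bit words
    offset_and_flags = (data_offset_words << 12) | 0x18  # high nibble = data offset, PSH|ACK
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, offset_and_flags, 65535, 0, 0)
    return header + options + payload


# NOP, NOP, Timestamps option (kind 8, length 10): 12 bytes, so the header is 32 bytes.
TS_OPTIONS = b"\x01\x01\x08\x0a\x00\x00\x00\x01\x00\x00\x00\x02"

SAMPLE_GET = build_tcp_segment(
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: sample\r\n\r\n",
    options=TS_OPTIONS,
)
SAMPLE_POST = build_tcp_segment(
    b"POST /login HTTP/1.1\r\nHost: api.example.com:8080\r\nContent-Length: 0\r\n\r\n",
)
SAMPLE_OTHER = build_tcp_segment(
    b"GET /x HTTP/1.1\r\nHost: cdn.example.org\r\n\r\n",
)


def tcp_header_len(segment):
    """Same arithmetic as the BPF expression "(tcp[12:1] & 0xf0) >> 2".

    Byte 12 holds the 4-bit data offset (in 32-bit words) in its high nibble.
    Masking with 0xf0 and shifting right by 2 rather than 4 multiplies the word
    count by 4 in one step, yielding the header length in bytes. Hard-coding 20
    would miss any segment that carries TCP options, such as SAMPLE_GET.
    """
    return (segment[12] & 0xF0) >> 2


def is_http_get(segment):
    """Equivalent of: tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 ("GET ")."""
    off = tcp_header_len(segment)
    return segment[off:off + 4] == b"GET "


def is_http_post(segment):
    """Equivalent of: tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354 ("POST")."""
    off = tcp_header_len(segment)
    return segment[off:off + 4] == b"POST"


def host_header(segment):
    """Return the lower-cased Host header value, or None.

    This is the part a capture filter cannot express: the header sits at a
    variable offset inside text. Only a single segment is inspected; a request
    whose headers span several segments needs TCP reassembly, which is why the
    first answer defers the wildcard check to tshark over the saved capture.
    """
    off = tcp_header_len(segment)
    head, _, _ = segment[off:].partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None


def in_domain(host, suffix="example.com"):
    """Wildcard match for the bare domain and any subdomain; tolerates a :port."""
    if host is None:
        return False
    bare, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = bare
    return host == suffix or host.endswith("." + suffix)


def wanted(segment, suffix="example.com"):
    """GET or POST (capture-filter stage) to a host under suffix (display-filter stage)."""
    if not (is_http_get(segment) or is_http_post(segment)):
        return False
    return in_domain(host_header(segment), suffix)


if __name__ == "__main__":
    for name, seg in [("GET", SAMPLE_GET), ("POST", SAMPLE_POST), ("OTHER", SAMPLE_OTHER)]:
        print(name, "header", tcp_header_len(seg), "bytes, host", host_header(seg),
              "wanted" if wanted(seg) else "skipped")
```

In practice the two stages map onto the tools the first answer names: dumpcap with a byte-offset capture filter such as the quoted GET/POST expressions and `-b filesize:NUM` (NUM in kB) to rotate files, then tshark over each file with a display filter on the dissected fields, for example `http.request.method in {"GET" "POST"} and http.host matches "\.example\.com$"`, which is where the wildcard and reassembly are handled.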