I capture HTTP traffic and build Request/Response pairs.
I am using dumpcap and tshark.
I have a client (python script) that sends HTTP GET to one of 4 HTTP servers.
The client gets 200 OK as a response.
The client sends a 'special' HTTP request header having the name 'X-KINNERET'.
I have one version of BPF where I can "see" my client requests.
Below:
sudo dumpcap -i eno2 -f '(tcp && ((port 50003 && host 10.36.101.27) || (port 54017 && host 10.36.101.27) || (port 50003 && host 10.36.101.28) || (port 54017 && host 10.36.101.28)))' -B 100 -w - | tshark -r - -Y http -T json -e ip.dst -e tcp.dstport -e tcp.stream -e frame.time_epoch -e http.request -e http.request.method -e http.request.version -e http.request.full_uri -e http.request.uri -e http.request.line -e http.file_data -e http.response -e http.response.version -e http.response.code -e http.response.line | grep X-KINNERET
I have another version of BPF where I can NOT see my client requests.
Below:
sudo dumpcap -i eno2 -f '(tcp && ((src port 50003 && src host 10.36.101.27) || (dst port 50003 && dst host 10.36.101.27) || (src port 54017 && src host 10.36.101.27) || (dst port 54017 && dst host 10.36.101.27) || (src port 50003 && src host 10.36.101.28) || (dst port 50003 && dst host 10.36.101.28) || (src port 54017 && src host 10.36.101.28) || (dst port 54017 && dst host 10.36.101.28)))' -B 100 -w - | tshark -r - -Y http -T json -e ip.dst -e tcp.dstport -e tcp.stream -e frame.time_epoch -e http.request -e http.request.method -e http.request.version -e http.request.full_uri -e http.request.uri -e http.request.line -e http.file_data -e http.response -e http.response.version -e http.response.code -e http.response.line | grep X-KINNERET
The second BPF does capture traffic, but not the traffic coming from my python script.
Any idea why the second 'strict' BPF does not work?
Thanks
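An added example, not part of the question above: the two filters are not logically identical, and modelling them as Python predicates makes the difference visible without touching an interface. In BPF, `port P && host H` is satisfied when the port matches on either end of the packet and the host matches on either end (not necessarily the same end), whereas `(src port P && src host H) || (dst port P && dst host H)` requires the port and host to sit on the same end. So the loose filter is a superset of the strict one, and the packets only the loose filter admits are those where the matching port and the matching host are on opposite ends of the connection. The packets below are constructed; the client address 10.36.101.50 and the ephemeral port 41234 are assumptions.

```python
"""Model the two BPF expressions from the question as Python predicates and
list which constructed packets each one admits. Added example, not code from
the original post; all packet values below are constructed."""
from dataclasses import dataclass

# The four server endpoints implied by the filters (2 hosts x 2 ports).
HOSTS = {"10.36.101.27", "10.36.101.28"}
PORTS = {50003, 54017}


@dataclass(frozen=True)
class Pkt:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


def loose_filter(p: Pkt) -> bool:
    """'port P && host H': BPF 'port' and 'host' each match on either end,
    so the port may be on one end and the host on the other."""
    return any(
        (p.src_port == port or p.dst_port == port)
        and (p.src_host == host or p.dst_host == host)
        for port in PORTS
        for host in HOSTS
    )


def strict_filter(p: Pkt) -> bool:
    """'(src port P && src host H) || (dst port P && dst host H)':
    port and host must match on the same end of the packet."""
    return any(
        (p.src_port == port and p.src_host == host)
        or (p.dst_port == port and p.dst_host == host)
        for port in PORTS
        for host in HOSTS
    )


def admitted_only_by_loose(packets):
    """Packets the loose filter passes and the strict filter drops."""
    return [p for p in packets if loose_filter(p) and not strict_filter(p)]


# Constructed sample traffic (assumed client 10.36.101.50, ephemeral port 41234).
SAMPLE_PACKETS = [
    # client -> server request: dst host and dst port are both server-side
    Pkt("10.36.101.50", 41234, "10.36.101.27", 50003),
    # server -> client response: src host and src port are both server-side
    Pkt("10.36.101.27", 50003, "10.36.101.50", 41234),
    # server host talking from an unrelated port to port 50003 on another box:
    # host matches on src, port matches on dst -> loose passes, strict drops
    Pkt("10.36.101.27", 40000, "10.36.101.99", 50003),
    # unrelated traffic: neither filter should pass it
    Pkt("10.36.101.50", 41234, "10.36.101.30", 80),
]


def main() -> None:
    for p in SAMPLE_PACKETS:
        print(f"{p.src_host}:{p.src_port} -> {p.dst_host}:{p.dst_port}  "
              f"loose={loose_filter(p)} strict={strict_filter(p)}")
    print("loose-only:", admitted_only_by_loose(SAMPLE_PACKETS))


if __name__ == "__main__":
    main()
```

A plain request to one of the four server endpoints and its response are admitted by both filters in this model, so when the strict version silently drops a flow it is worth checking the real 4-tuple of that flow (for example with `tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport`) against the same-end requirement rather than assuming the filters are equivalent.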