3

I would like to have an HTTP POST request method CAPTURE filter.

I know it is easy to do with the display filter http.request.method==POST, but I need a tcpdump-compatible one.

I wrote tcp dst port 80 and (tcp[13] = 0x18)
but it is not perfect...

tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)
works better, but... the packets are not treated as HTTP packets, so I cannot apply my further display filters...

And is there any way to not display the frame, TCP, IP and HTTP header information, only the data-text-lines field value (the content of the POST)?

Or the same thing in tcpdump, only dumping the POSTed HTML form content?

Nakilon
  • 128
  • 1
  • 1
  • 8

3 Answers

4

There's no guarantee that all of the posted data will be in the same packet as the POST command string itself. In fact, if the posted data is more than about 1500 bytes (probably a little less due to the presence of other HTTP headers), you're practically guaranteed it won't all be in the same packet. So for best results you'll need a filtering method that understands multi-packet HTTP transactions, and libpcap's filter language (which is what tcpdump uses and what Wireshark uses for capture filters) ain't it.

Spiff
  • 2,578
  • 17
  • 20
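To make the difference between the two capture filters in the question, and the multi-packet caveat in this answer, concrete, here is an added Python example (not from the original thread) that evaluates both BPF expressions on constructed TCP segments. libpcap's tcp[N] indexes relative to the start of the TCP header, so the sample segments below begin with the TCP header; ports, options and payloads are constructed values.

```python
import struct

def build_tcp_segment(payload: bytes, flags: int = 0x18, options: bytes = b"") -> bytes:
    """Construct a TCP header (+ options) followed by payload. No IP header, so
    BPF's tcp[N] maps directly onto seg[N]. flags=0x18 is PSH+ACK, the value the
    naive tcp[13] = 0x18 filter tests for."""
    options += b"\x01" * (-len(options) % 4)        # pad options with NOPs to a 32-bit boundary
    data_offset_words = (20 + len(options)) // 4     # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,                  # source port, destination port (constructed)
                         1, 1,                       # seq, ack
                         data_offset_words << 4,     # tcp[12]: data offset in the high nibble
                         flags,                      # tcp[13]: flags byte
                         65535, 0, 0)                # window, checksum (unset), urgent pointer
    return header + options + payload

def naive_flags_filter(seg: bytes) -> bool:
    """tcp[13] = 0x18: true for any PSH+ACK segment, whatever it carries."""
    return seg[13] == 0x18

def post_filter(seg: bytes) -> bool:
    """tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354: 'POST' at the start of the payload,
    found via the data-offset nibble so TCP options do not shift the comparison."""
    payload_start = (seg[12] & 0xF0) >> 2
    return seg[payload_start:payload_start + 4] == b"POST"

def fixed_offset_filter(seg: bytes) -> bool:
    """tcp[20:4] = 0x504f5354: assumes a 20-byte header, so it misses segments with options."""
    return seg[20:24] == b"POST"

# MSS + NOP NOP + timestamps: 16 bytes of options, a common layout on Linux stacks.
MSS_AND_TIMESTAMPS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x08\x0a" + b"\x00" * 8

# Constructed segments: a POST, the same POST with options, a GET, and a segment that
# carries only the continuation of a large POST body (the case this answer warns about).
SAMPLES = {
    "post_plain": build_tcp_segment(b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=a"),
    "post_with_options": build_tcp_segment(b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=a",
                                           options=MSS_AND_TIMESTAMPS),
    "get_psh_ack": build_tcp_segment(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "post_body_continuation": build_tcp_segment(b"&comment=second+segment+of+the+body&remember=1"),
}

def evaluate(samples=SAMPLES):
    """Return {name: (tcp[13] filter, data-offset filter, fixed-offset filter)} per segment."""
    return {name: (naive_flags_filter(s), post_filter(s), fixed_offset_filter(s))
            for name, s in samples.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:24s} flags={result[0]!s:5s} offset={result[1]!s:5s} fixed={result[2]!s:5s}")
```

The continuation segment matches the flags-only filter but neither POST filter, which is exactly why a capture filter alone cannot collect a whole POST body; the fixed-offset variant additionally fails as soon as TCP options are present.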
1

What operating system?

If it's Linux you can use tcpdump -s 0 -A -i <if> port 80 along with whatever other filters you need to capture and print the HTTP packets you're interested in, and then pipe it to a perl/bash/awk/whatever script to filter that content from there.

Aaron Tate
  • 1,222
  • 7
  • 9
1

It's hard to understand what you're asking, but my guess is that you just need to find the packet in your Wireshark capture, right-click on it, and choose "Follow Stream" from the menu. It's just a guess... just trying to help?

djangofan
  • 4,182
  • 10
  • 46
  • 59