
For security purposes we want to list all POST request URIs that are used in our applications (so we would disable POST through mod_security except for those URIs). The idea is to use tcpdump to capture these during a full regression test and then Wireshark to get a distinct list of all URIs.

The problem is that we're failing to find the correct tcpdump arguments to only capture HTTP POST requests (which is needed because a full tcpdump would quickly fill up the disk).

The following command works fine but shows GETs, POSTs and some other packets (too many):

sudo tcpdump -A 'tcp port 9081 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

The following only captures POST requests, but in Wireshark they show as TCP packets and we're not able to extract the URI from them (as we do for HTTP using the custom value http.request.uri in Wireshark):

sudo tcpdump -A 'tcp port 9081 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

What tcpdump arguments should we use to capture HTTP POST requests (which show as HTTP packets in Wireshark), or how can we extract the URI from those TCP packets (second command)?

Stijn Geukens
  • Is wireshark/tcpdump a hard requirement here? Have you considered using `urlsnarf` instead? That will also show both GET and POST, but I suppose a `grep -v ...` will sort that out for you. – faker Nov 20 '14 at 11:37
  • `tcpdump` cannot decrypt SSL/TLS (HTTPS). For this you have to use tools like [`ssldump`](http://linux.die.net/man/1/ssldump) or [Wireshark](https://www.wireshark.org/). Additionally `tcpdump` and `ssldump` do not have filters for layers higher than L4. From Wireshark command line tools you can use [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) with very powerful read and display filters which operate up to L7. – pabouk - Ukraine stay strong Nov 20 '14 at 11:58
  • @faker - urlsnarf looks interesting but unfortunately it is not installed on our server (nor do we have the rights to install it) – Stijn Geukens Nov 20 '14 at 12:36
  • Ah I also missed the HTTPS part, with which it wouldn't work anyway. – faker Nov 20 '14 at 12:44
  • @pabouk - I should have mentioned that tcpdump is running on the server where the reverse proxy is running; by then it's all HTTP (which is also clear from the dump). We are monitoring the calls from the RP to the actual application server. – Stijn Geukens Nov 20 '14 at 12:45
  • Is there any reason to not simply use the logs from whatever webserver you're using? – Jenny D Nov 20 '14 at 13:39
  • @Jenny - thanks for the suggestion but it does not seem to be possible in WAS. We could do this using a custom HttpFilter and log the requests but since we have over 30 applications this is just not feasible. – Stijn Geukens Nov 20 '14 at 13:58
  • Have you found a solution? – Mostafa Hussein Feb 19 '17 at 13:12
  • Nope, never did. – Stijn Geukens Feb 19 '17 at 17:00

2 Answers

tcpflow -p -c -i bond0 port 9081 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'
twalow

I also had a similar issue a while ago and I think this could be helpful if this ever comes up, or if someone needs some help with this.

Capture only HTTP POST requests incoming to port 80 (Apache/NGINX)

With this tcpdump command:

tcpdump -i enp0s8 -s 0 -A 'tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'

Here 0x504F5354 represents the ASCII values of 'P', 'O', 'S', 'T'.

This was the documentation I used; it worked fine for me.

Dave M
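The filter used in the question's second command and in Dave M's answer works by computing the start of the TCP payload from the IP and TCP header-length fields and comparing the first four payload bytes with the ASCII encoding of `POST`. The example below is added here and is not code from the original post or from either answer: it is a Python model of that exact offset arithmetic, applied to hand-constructed IPv4/TCP packets (no link-layer header, which tcpdump strips before the `ip[...]`/`tcp[...]` offsets apply). It also answers the second half of the question: the segment the filter matches is the one that carries the request line, so the URI can be read straight out of its payload whether or not Wireshark dissects it as HTTP. Packet contents, addresses and ports are constructed for the example; the helper names (`tcp_payload`, `is_post`, `post_uris`, `build_packet`) are this example's own.

```python
# Added example (not from the original post): a Python model of the BPF
# expression  tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354  applied to
# hand-constructed IPv4/TCP packets, plus URI extraction from the match.
import struct

METHOD_POST = b"POST"          # 0x504f5354 in the BPF filter


def tcp_payload(pkt: bytes):
    """Return the TCP payload of a raw IPv4 packet (no link-layer header).

    Offsets mirror the filter in the question:
      IP header length  = (ip[0] & 0xf) << 2        (IHL words * 4)
      TCP header length = (tcp[12] & 0xf0) >> 2     (data offset words * 4)
    Returns None for non-IPv4, non-TCP or truncated packets.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) << 2
    total_len = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]
    if pkt[9] != 6 or total_len > len(pkt):        # protocol 6 = TCP
        return None
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        return None
    doff = (tcp[12] & 0xF0) >> 2
    return tcp[doff:]


def is_post(pkt: bytes) -> bool:
    """Python equivalent of tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354."""
    payload = tcp_payload(pkt)
    return payload is not None and payload[:4] == METHOD_POST


def request_line(payload: bytes):
    """Parse 'METHOD SP request-target SP HTTP-version' -> (method, uri) or None."""
    end = payload.find(b"\r\n")
    if end < 0:
        return None
    parts = payload[:end].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace")


def post_uris(pkts) -> list:
    """Distinct POST request URIs across a capture, in first-seen order."""
    seen = []
    for pkt in pkts:
        if not is_post(pkt):
            continue
        parsed = request_line(tcp_payload(pkt))
        if parsed and parsed[1] not in seen:
            seen.append(parsed[1])
    return seen


def build_packet(payload: bytes, dport: int = 9081,
                 ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Constructed IPv4/TCP packet (checksums left zero; irrelevant here)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl_words = 5 + len(ip_options) // 4
    doff_words = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1,
                          doff_words << 4, 0x18, 65535, 0, 0) + tcp_options
    total_len = ihl_words * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         1, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return ip_hdr + tcp_hdr + payload


# Constructed capture. The TCP timestamp option on the first packet and the
# IP options on the fourth both move the payload start, which is why the
# filter has to compute the offset instead of using a fixed one.
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8           # NOP, NOP, Timestamps
SAMPLE_CAPTURE = [
    build_packet(b"POST /app1/login HTTP/1.1\r\nHost: app\r\nContent-Length: 8\r\n\r\nuser=bob",
                 tcp_options=TS_OPTION),
    build_packet(b"GET /app1/index.html HTTP/1.1\r\nHost: app\r\n\r\n"),
    build_packet(b""),                                      # bare ACK, no payload
    build_packet(b"POST /app2/api/order HTTP/1.1\r\nHost: app\r\n\r\n",
                 ip_options=b"\x01\x01\x01\x01"),
    build_packet(b"user=bob&pass=secret"),                   # body continuation segment
    build_packet(b"POST /app1/login HTTP/1.1\r\nHost: app\r\n\r\n"),  # repeat URI
]

if __name__ == "__main__":
    print(post_uris(SAMPLE_CAPTURE))   # ['/app1/login', '/app2/api/order']
```

Two practical points follow from the model. First, the filter only matches the segment whose payload begins with `POST`; body continuation segments and bare ACKs never match, so the capture stays small and every captured segment contains the request line. Second, if Wireshark lists those segments as plain TCP rather than HTTP, the HTTP dissector can be forced on the port with Analyze > Decode As (or `tshark -d tcp.port==9081,http -Y 'http.request.method == "POST"' -T fields -e http.request.uri` on the saved pcap), after which `http.request.uri` is populated as for the first command.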