I need to capture all incoming/outgoing HTTP traffic of a Unix machine, and then run a script on each HTTP header/body.

I have found that tcpdump captures all the requests, but big ones end up being split into multiple frames and it is not easy to patch them together with a script that uses libpcap.

tcpflow almost does what I need, but it puts the whole flow between the host/client in the same file, without a good token to separate them, making it impossible to know automatically when one request ended and another started.

Wireshark has the "follow http" option, but I couldn't find a way to use tshark to export one file for each flow.

Any suggestions?

  • I can't understand why tcpdump doesn't meet your goal. Would you explain better the first line of your post? Also take a look at this, you may be able to filter out everything that is unneeded and a good filtering should make reassembling easier: https://www.wains.be/pub/networking/tcpdump_advanced_filters.txt – Marco Mar 22 '17 at 23:56
  • You could always run suricata (or something like it) on your captures and then work with the relevant JSON file/objects. Suricata (and I suspect other IDSen) has a protocol parser for HTTP, and can provide much, if not all, of the info you might need. – iwaseatenbyagrue Apr 19 '17 at 16:13
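The separator the question is looking for is HTTP's own message framing: a message ends at the header block's blank line, then after Content-Length bytes, after the terminating zero chunk of a chunked body, or (for some responses) at connection close. The following is an added example, not code from the post or from tcpflow/tshark/Suricata: a splitter for one direction of a reassembled TCP stream (such as a single tcpflow output file), assuming the stream holds only HTTP/1.x messages and that a response's body is framed by Transfer-Encoding or Content-Length or ends with the stream. The two sample streams are constructed for the demonstration.

```python
"""Split one direction of a reassembled HTTP/1.x TCP stream into messages.

Added example (not tcpflow/tshark code). Input is assumed to be the bytes of
a single TCP direction, e.g. one tcpflow output file, containing only HTTP/1.x.
"""

# Constructed sample, client->server direction: two requests back to back.
CLIENT_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /api/login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/json\r\nContent-Length: 27\r\n\r\n"
    b'{"user":"alice","pw":"***"}'
)

# Constructed sample, server->client direction: a chunked response followed by
# a Content-Length response.
SERVER_STREAM = (
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
    b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 12\r\n\r\nbad password"
)


def parse_headers(raw):
    """Return (start_line, {lowercased-name: value}) for one header block."""
    lines = raw.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return start_line, headers


def read_chunked(stream, pos):
    """Decode a chunked body starting at pos; return (body, pos_after_body)."""
    body = b""
    while True:
        end = stream.index(b"\r\n", pos)
        # Chunk size is hex; anything after ';' is a chunk extension we ignore.
        size = int(stream[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            # Consume optional trailer headers up to the terminating empty line.
            while True:
                end = stream.index(b"\r\n", pos)
                line = stream[pos:end]
                pos = end + 2
                if not line:
                    return body, pos
        body += stream[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF


def bodyless_status(start_line):
    """1xx, 204 and 304 responses never carry a body (HEAD responses also do
    not, but deciding that needs the matching request, which we do not have)."""
    code = int(start_line.split()[1])
    return code < 200 or code in (204, 304)


def split_http_stream(stream, is_response=False):
    """Return a list of (start_line, headers, body) for every message in stream."""
    messages = []
    pos = 0
    while pos < len(stream):
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end == -1:
            raise ValueError("truncated header block at offset %d" % pos)
        start_line, headers = parse_headers(stream[pos:hdr_end])
        pos = hdr_end + 4
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body, pos = read_chunked(stream, pos)
        elif "content-length" in headers:
            n = int(headers["content-length"])
            body = stream[pos:pos + n]
            if len(body) < n:
                raise ValueError("truncated body at offset %d" % pos)
            pos += n
        elif is_response and not bodyless_status(start_line):
            # No framing header: the body runs until the connection closes,
            # i.e. to the end of this direction's stream.
            body = stream[pos:]
            pos = len(stream)
        else:
            body = b""
        messages.append((start_line, headers, body))
    return messages


if __name__ == "__main__":
    for label, data, resp in (("client", CLIENT_STREAM, False),
                              ("server", SERVER_STREAM, True)):
        for start, hdrs, body in split_http_stream(data, is_response=resp):
            print("%s: %s (%d header(s), %d body byte(s))" % (label, start, len(hdrs), len(body)))
```

Each tuple the splitter returns is one complete message, so the per-message script the question asks for can be run over the list. The two ValueError paths matter in practice: a stream cut off mid-body (capture started late, or the flow was still open when the dump stopped) should be reported rather than silently merged into the next message.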