We are tracking HTTP usage (mainly for our intranet), and I've been able to track it using the following on our OpenWrt router:
tcpdump -i wlan1 -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' | grep 'GET\|Host' >> /mnt/jlt/wlan1
This only outputs the Host and Request.
I can't figure out how to get the requesting IP, however.
For example, if a system 192.168.1.5 is requesting our internal site, I can only see the site requested and the path, but not the requesting IP (192.168.1.5).
Is there a way to also show the requesting IP through tcpdump? I know this is not really its design, but if it's not possible through this, is there another way?
For reference, the tcpdump output (without the grep) is similar to the following:
17:09:15.637887 IP (router).10199 > (dataSource).80: Flags [P.], seq 2206:2687, ack 33836, win 68, length 481
E.. ..@....d...g..$.'..P.C. '3.jP..D....GET (Path) HTTP/1.1
Host: (requestDomain)
Connection: keep-alive
User-Agent: (user-agent)
Accept:(file data)
Referer: (referer)
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: (cookie)
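
Added example, not part of the original post: one way to keep the requester's address is to stop discarding the packet summary line and pair it with the GET and Host lines that follow it. The function name `http_get_with_source` and the sample addresses and hostnames are constructed for illustration; it assumes tcpdump is run with `-n` (numeric addresses) and that the capture interface sees the client's own address rather than a NAT-translated one.

```shell
#!/bin/sh
# Added example: pair each HTTP GET in `tcpdump -A` text with the source IP
# taken from the packet summary line printed just before the payload.
# Assumed usage: tcpdump -n -l -i wlan1 -s 0 -A "<filter>" | http_get_with_source

http_get_with_source() {
    awk '
    # Emit one record per request: time, source IP, Host header, path.
    function flush() {
        if (path != "") print ts, src, (host == "" ? "-" : host), path
        path = ""; host = ""
    }
    # Summary line: "<time> IP <src>.<port> > <dst>.<port>: Flags ..."
    $2 ~ /^IP6?$/ && $4 == ">" {
        flush(); ts = $1; src = $3
        sub(/\.[0-9]+$/, "", src)      # drop the trailing ".port"
        next
    }
    # With -A the printable header bytes precede "GET" on the same line.
    path == "" && match($0, /GET [^ ]+ HTTP\/1\.[01]/) {
        split(substr($0, RSTART, RLENGTH), parts, " ")
        path = parts[2]
        next
    }
    # First Host header after a request line completes the record.
    path != "" && /^Host: / {
        host = $2; sub(/\r$/, "", host)   # strip a trailing CR if present
        flush()
    }
    END { flush() }
    '
}

# Constructed sample in the shape shown in the post (addresses are made up).
sample_capture() {
    cat <<'EOF'
17:09:15.637887 IP 192.168.1.5.10199 > 192.168.1.1.80: Flags [P.], seq 2206:2687, ack 33836, win 68, length 481
E.. ..@....d...g..P.C..3.jP..D....GET /reports/index.html HTTP/1.1
Host: intranet.example
Connection: keep-alive
17:09:16.120001 IP 192.168.1.7.40212 > 192.168.1.1.80: Flags [P.], seq 1:120, ack 1, win 229, length 119
E...GET /login HTTP/1.1
Host: intranet.example
EOF
}

sample_capture | http_get_with_source
```

Each output line has the form `time source-ip host path`, so it can be appended to the same log file the original pipeline writes.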