9

Is there a way to do

```
tcpdump -i lo -A
```

and have it print all URLs, any connections made?

I have done:

```
sudo tcpdump -i lo -A | grep Host:
```

which works great. But I was wondering if there are options to do the same in tcpdump.

Finally, is there a way to do this in Python without using a sys command or Popen/subprocess?

Cripto
  • tcpdump cannot filter using the content of the packages, you could improve your performance by only dumping those packages for `incoming TCP connections to your HTTP port`. – Dennis Guse Jul 26 '13 at 11:16
  • Also, as HTTP doesn't transfer the URL requested in a straightforward manner, it will be slightly harder to pick out of a tcpdump feed - you have to combine the `Host` header and the `GET` or `POST` line to get the full URL... – Stobor Jul 27 '13 at 12:04

3 Answers

4

tcpdump cannot filter based upon the content of the packets (no deep packet inspection) as it only uses pcap-filter. You could improve your performance by only dumping those packages for incoming TCP connections to your HTTP port.

```
tcpdump -i lo -A tcp port 80
```

TCPDUMP python: use Pcapy

Another option is to use tshark

Community
Dennis Guse
  • "tcpdump cannot filter based upon the content of the packets (no deep packet inspection)". Using `-vv` gets you pretty close. – The Onin May 22 '17 at 21:01
3

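You can use scapy's sniff function and use regex or grep:

```python
from scapy.all import sniff, wrpcap

# Capture 5 packets to or from the given host, printing a one-line summary of each
tcpdump = sniff(count=5, filter="host 64.233.167.99", prn=lambda x: x.summary())
print(tcpdump)
```

Change the filter for your filter text :)

Or maybe you want to save the traffic and see it in Wireshark:

```python
# Write the captured packets to a pcap file
wrpcap("temp.cap", tcpdump)
```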
raf10x
  • Is it possible to sniff for a period of time and not a given count? (start sniff) do stuff. (stop sniff) Also, it is important that we record everything on interface lo. – Cripto Jul 22 '13 at 13:09
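
Combining two points made on this page (the `Host` header plus the `GET`/`POST` line gives the full URL, and Python can filter on top of a pcap capture), here is an added example that is not part of any post above. `url_from_payload` and `SAMPLE` are names made up here, and the live-capture part assumes scapy is installed and the script has capture privileges on `lo`; `timeout=30` ends the sniff after a period of time rather than a packet count.

```python
import re
from typing import Optional

# Request line of a plaintext HTTP/1.x request: METHOD SP target SP version
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")

# Constructed sample payload (not captured traffic)
SAMPLE = b"GET /index.html?q=1 HTTP/1.1\r\nHost: localhost:8080\r\nAccept: */*\r\n\r\n"


def url_from_payload(payload: bytes, default_host: str = "") -> Optional[str]:
    """Return the URL of a plaintext HTTP/1.x request, or None.

    Works on one TCP segment: a header block split across segments is
    not reassembled, and TLS traffic never matches.
    """
    head, _, _ = payload.partition(b"\r\n\r\n")      # drop any request body
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None                  # response, TLS record, or mid-stream data
    target = m.group(2).decode("latin-1")
    if "://" in target:              # absolute-form target (request via a proxy)
        return target
    host = default_host              # fallback when no Host header is present
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("latin-1")
            break
    return f"http://{host}{target}" if host else None


if __name__ == "__main__":
    # Assumption: scapy is installed; imported here so the parser has no dependency.
    from scapy.all import IP, Raw, TCP, sniff

    def show(pkt):
        if pkt.haslayer(TCP) and pkt.haslayer(Raw):
            dst = pkt[IP].dst if pkt.haslayer(IP) else ""
            url = url_from_payload(bytes(pkt[Raw].load), dst)
            if url:
                print(url)

    # store=False keeps memory flat; timeout=30 stops after 30 seconds
    sniff(iface="lo", filter="tcp port 80", prn=show, store=False, timeout=30)
```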
1

What you want to use is libpcap which is the packet capture library which tcpdump uses. There is a python wrapper for this which can be found here.

You can, in python, then build any filtering that you want on top of the filtering already provided by pcap/tcpdump. Then display this filtered output (or whatever it is you want to do in your python script).

dave