I'm trying to save the raw data that is being sent through our proxy to a specific URL. A friend of mine gave me the tip to use tcpdump, so I started reading about it on their page. But for some reason I fail to use it.
I tried 'tcpdump -c10 host my.very.specific.host.com', but I don't get any matches. And yes =) I can see that there is some kind of action from the client in the server.log.
If I use 'tcpdump -c10' I get 10 rows instantly. So I guess I misunderstood the concept of 'host'?
I cannot point it towards an IP, since it's a web server that handles way too many different URLs.
This is really not my domain (I'm a programmer), so please excuse my simple question :) Thanks in advance.
EDIT 1
Thanks for all the help, and yes... I should have stated my question more clearly. So here is some 'more' information. What I want to do is capture the data going from our proxy to a cellphone.
The reason I'm doing this is to make sure that we send exactly what we want before it goes out into the 'mobile operator gateway/proxy wilderness' (yes, they tend to modify things more than they should ;)).
The information that I'm interested in is the HTTP protocol.
So what I will do now is try to dump the information that goes between our proxy and the mobile operator gateway on the 'public' NIC. Luckily for me, the mobile operator only has one public gateway.
Over and out!
You may have a problem with different interfaces. By default tcpdump only listens on the first ethernet interface it finds. If you add "-i any" it will listen on every interface.
As someone has mentioned already, you will end up capturing all the traffic to a particular IP address, regardless of the DNS name you want. You can reduce the amount of data you capture by restricting the filter further. You could add a port and specify a particular remote host or network.
You may find that tcpflow is more useful to you. It will dump each side of a TCP connection into a separate file. You can either use it with the same filter you'd use with tcpdump, or you can load a pcap file in. To save a pcap file, run:
I'm going to try and say what LapTop006 said, but a little differently.
When you run that tcpdump -c10 host my.very.specific.host.com command, tcpdump is resolving "my.very.specific.host.com" to an IP address and filtering for traffic to that IP. If DNS returns multiple IP addresses for "my.very.specific.host.com", tcpdump is just going to take the first IP returned and filter for that IP.
If there are only a few IPs returned for "my.very.specific.host.com", you could do:
It would be easier to capture the traffic between the client and the proxy rather than between the remote web server and the proxy, since the client only has one IP address. (I suppose if what you're trying to see is the interaction between the remote web server and the proxy, though, you'd need to capture that. Your post doesn't give me enough to go on...)
I would try the (internal) IP address as the argument for 'host'. By the way, here is a tutorial http://linux.byexamples.com/archives/283/simple-usage-of-tcpdump/ and a cheat sheet (PDF) with all the options.
tcpdump always works at the IP layer; even if you give it a DNS name, it simply resolves it to an IP.
You could use the client's address as the host to consider.
The next step is to start capturing full packets to a "pcap" file that Wireshark can open for full analysis.
In addition to what the others have said - use IP, correct interface, dump to pcap.
I would advise you to get rid of the '-c10' flag. That instructs tcpdump to exit after receiving exactly 10 packets, and that may not be sufficient for what you want to see.

You want to run tcpdump on the machine serving the web pages. Do not use a host address; you will be capturing traffic only to that host anyway. You want to capture to a file everything on port 80, and you want to make sure you capture all of the data, without truncating it. The command you want is:

If your machine has multiple ethernet interfaces, you might have to specify the one to use to capture the traffic. If you find yourself capturing no traffic, use 'ifconfig -a' to see the list of interfaces and their addresses, choose the appropriate one, and add the '-i eth1' (or whatever interface) option to the command line.

Once you have a pcap file, you need to analyze it. For interactive use, Wireshark is an excellent tool. Copy the pcap file to your workstation and run 'wireshark -r log.pcap'. You can use the filters to find the packets that have "Host: some.server.of.interest.com" headers; those are the ones for the virtual host of interest. Analyze / Follow TCP Stream will show you the entire HTTP conversation in a very readable format.

If you want to do automated analysis, you'll probably have to write some custom code. One option would be to use a tool such as tcpflow to dump all of the HTTP sessions to files, and then use a scripting language (or even grep) to select the files of interest and analyze them. It's also not difficult to read pcap files directly, but doing re-assembly of the TCP conversations is a lot more work.