I have a Linux box acting as a router between many clients and the internet, and I need to pull some statistics on usage: I need to log which internal IPs access which addresses externally.
I use this to check which internal IPs access which external IPs:
tcpdump -n -i any port 80 or port 443 and src net 192.168.101.0/24
(I use -n and do the lookups later)
However, this also shows me a lot of extras relating to TCP handshaking and windowing. Is it possible to only show the actual HTTP request?
I have found a few approaches, most of which involve grepping for GET\|POST, but that strips away the IPs, which is primarily what I care about.
Edit:
- I do not have the luxury of using anything other than tcpdump + standard Linux and bash commands (hence why I'm limited to tcpdump and grep/strings/awk/sed).
- Would including the filter 'tcp[13] & 2 != 0' help, as I understand that would only show the initial SYN?
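An added example, not part of the original question or any of the answers, showing what tcpdump plus awk alone can do for this. The BPF filter admits only TCP segments whose payload begins with "GET " or "POST", so the handshake and window-update packets never get printed at all, and an awk pass over tcpdump's -A text keeps the internal source IP and external destination IP next to the method, Host and path. The 192.168.101.0/24 network comes from the question; the sample capture text, the hostnames and the output format are constructed assumptions of mine. This covers port 80 only: on port 443 the request sits inside TLS and is not visible without interception.

```shell
#!/bin/sh
# Added example, not from the original question or answers.
# Prints one line per HTTP request: <src ip> -> <dst ip> <METHOD> <Host><path>
# and nothing for SYN, bare ACK or window-update packets.

# Parse the text that `tcpdump -n -l -A` writes (read on stdin).
# Each packet is a header line such as
#   12:00:00.000001 IP 192.168.101.5.51234 > 93.184.216.34.80: Flags [P.], ...
# followed by the packet bytes in ASCII. The IP/TCP headers render as junk
# ("E..w..@.@....."), so the request line may start in the middle of a line.
# Assumes IPv4 (the "IP " token) and tcpdump's dotted host.port notation.
parse_http_requests() {
    awk '
    # Packet header line: "<ts> [iface dir] IP <src>.<port> > <dst>.<port>: ..."
    # (tcpdump -i any on newer versions inserts an interface and direction).
    /^[0-9][0-9:.]* / && match($0, / IP [0-9.]+ > [0-9.]+: /) {
        split(substr($0, RSTART, RLENGTH), h, " ")
        src = h[2]; sub(/\.[0-9]+$/, "", src)     # drop ".port"
        dst = h[4]; sub(/\.[0-9]+:$/, "", dst)    # drop ".port:"
        req = ""
        next
    }
    # Request line, possibly preceded by rendered header bytes.
    req == "" && match($0, /(GET|POST|PUT|HEAD|DELETE|OPTIONS) [^ ]+ HTTP\/1\.[01]/) {
        split(substr($0, RSTART, RLENGTH), r, " ")
        method = r[1]; path = r[2]; req = "y"
        next
    }
    # Host header completes the record; strip a trailing CR if tcpdump kept one.
    req == "y" && /^[Hh]ost: / {
        host = $2; sub(/\r$/, "", host)
        print src " -> " dst " " method " " host path
        req = "done"
    }
    '
}

# The capture itself (defined but not run by this script; needs root).
# tcpdump joins the remaining arguments into one filter expression. The tcp[]
# terms match only segments whose payload begins with "GET " (0x47455420) or
# "POST" (0x504f5354), so handshake and pure-ACK packets never reach awk.
# -l line-buffers stdout so the pipeline streams; -s 0 captures whole packets.
capture_http_requests() {
    tcpdump -n -l -A -s 0 -i any \
        'src net 192.168.101.0/24 and tcp dst port 80 and' \
        '(tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or' \
        ' tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)' \
    | parse_http_requests
}

# Constructed sample resembling tcpdump -n -l -A output (not a real capture):
# a SYN, a bare ACK, a GET, the server's reply, and a POST from a second host
# whose header line carries the interface/direction columns of `-i any`.
# The SYN and ACK are here to show the parser ignores them even without the
# BPF filter above.
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 192.168.101.5.51234 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
E..<..@.@.............
12:00:00.010002 IP 192.168.101.5.51234 > 93.184.216.34.80: Flags [.], ack 1, win 502, length 0
E..(..@.@.............
12:00:00.010500 IP 192.168.101.5.51234 > 93.184.216.34.80: Flags [P.], seq 1:80, ack 1, win 502, length 79
E..w..@.@.....GET /index.html HTTP/1.1
Host: example.com
User-Agent: curl/7.88.1
Accept: */*

12:00:00.050000 IP 93.184.216.34.80 > 192.168.101.5.51234: Flags [P.], seq 1:200, ack 80, win 64240, length 199
E.....@.7.....HTTP/1.1 200 OK
Content-Type: text/html

12:00:01.000000 eth1  In  IP 192.168.101.7.40000 > 93.184.216.34.80: Flags [P.], seq 1:100, ack 1, win 502, length 99
E..c..@.@.....POST /login HTTP/1.1
Host: example.com
Content-Length: 20

user=bob&pass=secret
EOF
}

# Run with --demo to see the parser over the constructed sample.
if [ "${1-}" = "--demo" ]; then
    sample_capture | parse_http_requests
fi
```

The Host header is what makes this useful for "which addresses" rather than "which IPs": several sites can share one external IP, and the Host line names the one actually requested. Because the parser keys on the request line, a POST whose body happens to contain "Host:" is not mis-read (the record is closed after the first Host header).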
If you are just limited to native tools, I'd think you'd have Perl available. Perhaps you could use this Perl script called chaosreader; otherwise you could capture the traffic and parse it with the Perl script on another system.
In short, yes. Use httpry (and here). It's open source, it is based on libpcap, and it comes very close to exactly what you need, so it would require only a little adjustment.

You could use Wireshark's tshark console capture tool; here are some capture examples, one of which is specifically to capture just HTTP GETs.
Personally I'd use urlsnarf from the dsniff tools found here.
(Note: with either of those tools you'll only get HTTP. HTTPS will be secured unless you are doing some man-in-the-middle decrypting; you'll still see the hosts that clients are talking to, but not the complete URL they are accessing.)
You may also want to look into a tool called ntop; it gives very granular traffic reporting abilities.