tcpdump mailing list archives
Re: tcpdump filter for HTTP GET
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Mon, 08 Nov 2004 12:34:57 -0500
Robert Lowe wrote:
Anyone have a filter that will capture just HTTP GET requests? I'm looking for something more specific than just "dst host X and tcp dst port 80", but I'm not worried about requests to non-standard ports. I would suspect I could reference tcp[N:3] = GET, but can N be an expression itself, e.g. the data offset in theTCP header??
Yes. tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 -- Jefferson Ogata <Jefferson.Ogata () noaa gov> NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov> - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
Current thread:
- tcpdump filter for HTTP GET Robert Lowe (Nov 08)
- Re: tcpdump filter for HTTP GET Jefferson Ogata (Nov 08)
- Re: tcpdump filter for HTTP GET Robert Lowe (Nov 08)
- Re: tcpdump filter for HTTP GET Guy Harris (Nov 08)
- Re: tcpdump filter for HTTP GET Jefferson Ogata (Nov 08)
- Re: tcpdump filter for HTTP GET Robert Lowe (Nov 08)
- Re: tcpdump filter for HTTP GET Robert Lowe (Nov 08)
- Re: tcpdump filter for HTTP GET Jefferson Ogata (Nov 08)