Use tcpdump to analyse HTTP POST data
Today I needed to look at the POST data being sent to this web server. A handy filter for doing this at the console with tcpdump is:
tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
The expression (tcp[12:1] & 0xf0) >> 2 works out the TCP header length in bytes: the data offset field lives in the upper nibble of header byte 12 and counts 32-bit words, so masking and shifting right by two multiplies it by four. tcp[...:4] then reads the first four bytes of the payload and compares them with 0x504f5354, which is the ASCII for "POST". -A prints the payload as ASCII and -s 0 disables snaplen truncation (already the default in tcpdump 4.0 and later). The filter only sees plaintext HTTP whose request line sits at the start of the segment, so a POST over TLS on port 443 will not show up. It will capture and output something similar to below:
[root@m00n ~]# tcpdump -s 0 -A 'tcp dst port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:33:59.746204 IP 192.168.1.1.38887 > m00nie.com.http: Flags [P.], seq 470573917:470574279, ack 4264459131, win 4356, length 362
E...r.@.q...){P...q...POST / HTTP/1.0
Host: www.m00nie.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
Referer: www.m00nie.com

log=nobhead&pwd=blahblah&redirect_to=www.m00nie.com%2F&testcookie=1
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel
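To make the byte arithmetic in that filter concrete, here is an added Python example (not part of the original post) that rebuilds the same predicate over a raw TCP segment. It constructs its own sample segments rather than reading a capture, and the port, sequence and checksum values in the builder are placeholders; it also generalises the constant to any four-byte method string such as "GET ".

```python
import struct

# 0x504f5354 is the ASCII bytes "POST", the constant used in the tcpdump filter.
POST_WORD = 0x504F5354


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Build a minimal TCP segment (constructed test data, not a real capture).

    Only the data-offset nibble in header byte 12 matters for the filter;
    ports, sequence numbers and checksum are placeholders.
    """
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset_words = 5 + len(options) // 4      # header length in 32-bit words
    offset_byte = (data_offset_words << 4) & 0xF0  # upper nibble = data offset
    header = struct.pack(
        "!HHIIBBHHH",
        38887,        # source port (placeholder)
        80,           # destination port
        0, 0,         # seq / ack (placeholders)
        offset_byte,  # byte 12: data offset << 4, reserved bits zero
        0x18,         # flags: PSH|ACK
        4356,         # window
        0, 0,         # checksum (not computed), urgent pointer
    )
    return header + options + payload


def payload_offset(segment: bytes) -> int:
    """Python equivalent of the BPF sub-expression ((tcp[12:1] & 0xf0) >> 2).

    The data offset is stored in 32-bit words in the upper nibble of byte 12;
    shifting the masked byte right by 2 multiplies that word count by 4,
    giving the header length in bytes, i.e. where the payload starts.
    """
    return (segment[12] & 0xF0) >> 2


def first_payload_word(segment: bytes):
    """Equivalent of tcp[offset:4]: the first four payload bytes as a big-endian int.

    Returns None when fewer than four payload bytes are present, mirroring how a
    BPF load past the end of the packet simply makes the packet fail to match.
    """
    off = payload_offset(segment)
    chunk = segment[off:off + 4]
    if len(chunk) < 4:
        return None
    return struct.unpack("!I", chunk)[0]


def is_http_post(segment: bytes) -> bool:
    """The full predicate: tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354."""
    return first_payload_word(segment) == POST_WORD


def method_word(method: str) -> int:
    """Build the 4-byte constant for another method, e.g. "GET " -> 0x47455420.

    BPF compares exactly four bytes here, so three-letter methods need the
    trailing space that follows them in the request line.
    """
    if len(method) != 4:
        raise ValueError("BPF compares exactly four bytes; pad short methods with a space")
    return struct.unpack("!I", method.encode("ascii"))[0]


if __name__ == "__main__":
    # Constructed samples: a POST with 12 bytes of NOP options, and a plain GET.
    post = build_tcp_segment(b"POST / HTTP/1.0\r\nHost: example.test\r\n", options=b"\x01" * 12)
    get = build_tcp_segment(b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    print("payload offset with options:", payload_offset(post))   # 32
    print("POST matches:", is_http_post(post))                     # True
    print("GET matches:", is_http_post(get))                       # False
    print("filter constant for GET: 0x%08x" % method_word("GET "))  # 0x47455420
```

Swapping POST_WORD for method_word("GET ") gives the filter constant 0x47455420 for the equivalent GET expression, and the None return from first_payload_word shows why a segment carrying fewer than four payload bytes never matches.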
Thanks goes to paulz on stackoverflow.
m00nie :)