Howto capture HTTP GET and POST headers with tcpdump

When you want to inspect HTTP traffic to troubleshoot a problem, tcpdump is a very powerful tool for the job.
This is useful when you need to verify what kind of payloads are reaching your server, whether for debugging or for attack analysis. You can also write the capture to a PCAP file and analyze it in Wireshark.

What is tcpdump

tcpdump is a data-network packet analyzer that runs from the command line. It lets the user display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It uses libpcap as the base library for its functionality.

Use cases

Verify that all necessary HTTP headers are being sent to the service or application, for example:

X-Forwarded-For
X-Forwarded-Proto
X-Forwarded-Port
X-Forwarded-Host
Content-Type

Or you want to inspect the POST payload that is being sent to the server and verify that it is the correct one. Or you are under attack and want a dump of the requests sent, so you can analyze whether there is something in common between them.

tcpdump all traffic from port 80

This example works if your server is listening on port 80 and receiving traffic there, which is typically the case for servers in a private network behind the main load balancer.

tcpdump -A -s 10240 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | egrep --line-buffered "^........(GET |HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/^........(GET |HTTP\/|POST |HEAD )/\n\1/g'

And you can expect this kind of output:

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 Jul 2023 21:34:25 GMT
Content-Length: 0
Connection: close
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block

HTTP/1.1 202 Accepted
Server: My-Service
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Permissions-Policy: interest-cohort=()
Referrer-Policy: same-origin
Content-Type: application/json
Cache-Control: no-cache
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; form-action 'none'
X-Request-Id: a67891f6-b809-4594-b1c9-16014944e21s
X-Runtime: 0.040786
Strict-Transport-Security: max-age=63072000; includeSubDomains
Connection: close
Transfer-Encoding: chunked

tcpdump POST traffic

POST requests are, in a way, a bit more interesting, as they carry a body, which differs from service to service.

tcpdump -s 0 -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'

Example view would be:

POST /post-endpoint HTTP/1.0
Host: some-domain.com
X-Real-IP: 1.1.1.1
X-Forwarded-For: 1.1.1.1
X-Forwarded-Proto: https
Connection: close
Content-Length: 1104
content-type: application/activity+json
date: Sun, 09 Jul 2023 21:38:51 GMT
accept: */*

{"some": "payload"}
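To make the byte-offset arithmetic in the two filters above concrete, here is an added Python example (not part of the original post) that applies the same computations to constructed IPv4/TCP packets: `(ip[0]&0xf)<<2` and `(tcp[12]&0xf0)>>2` recover the IP and TCP header lengths in bytes, subtracting both from `ip[2:2]` gives the payload length, and the four bytes at the payload start are compared with 0x504F5354 ("POST"). It also reproduces the egrep stage of the first one-liner; the packet builder and sample requests are constructed test data, not captured traffic.

```python
import re
import struct

POST_MAGIC = 0x504F5354  # the bytes "POST" read as one big-endian 32-bit integer
HEADER_RE = re.compile(r"^(GET |POST |HEAD |HTTP/)|^[A-Za-z0-9-]+: ")  # the egrep stage

def build_packet(payload: bytes, ip_opts: bytes = b"", tcp_opts: bytes = b"") -> bytes:
    """Constructed IPv4+TCP packet (test data, not a real capture); options pad the headers."""
    ihl, doff = 5 + len(ip_opts) // 4, 5 + len(tcp_opts) // 4  # header lengths in 32-bit words
    total = 4 * (ihl + doff) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_opts
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff << 4, 0x18, 65535, 0, 0) + tcp_opts
    return ip + tcp + payload

def ip_hdr_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) << 2  # (ip[0]&0xf)<<2 : IHL in words -> bytes

def tcp_hdr_len(pkt: bytes) -> int:
    # tcpdump's tcp[12] is relative to the TCP header, so index from the end of the IP header
    return (pkt[ip_hdr_len(pkt) + 12] & 0xF0) >> 2  # (tcp[12]&0xf0)>>2 : data offset -> bytes

def tcp_payload_len(pkt: bytes) -> int:
    total = struct.unpack("!H", pkt[2:4])[0]  # ip[2:2] : IP total length
    return total - ip_hdr_len(pkt) - tcp_hdr_len(pkt)

def has_payload(pkt: bytes) -> bool:
    """Filter 1: drops bare ACKs and handshake packets, which carry no HTTP bytes."""
    return tcp_payload_len(pkt) != 0

def is_post(pkt: bytes) -> bool:
    """Filter 2: tcp[<data offset>:4] = 0x504F5354, i.e. the payload starts with 'POST'."""
    start = ip_hdr_len(pkt) + tcp_hdr_len(pkt)
    if len(pkt) - start < 4:  # BPF rejects out-of-bounds loads; so do we
        return False
    return struct.unpack("!I", pkt[start:start + 4])[0] == POST_MAGIC

def http_lines(pkt: bytes) -> list:
    """The egrep stage: keep only request/status lines and 'Name: value' header lines."""
    start = ip_hdr_len(pkt) + tcp_hdr_len(pkt)
    text = pkt[start:].decode("latin-1")
    return [ln for ln in text.split("\r\n") if HEADER_RE.match(ln)]
```

Note that tcpdump filters inspect single packets, so a POST whose request line is split across TCP segments will not match the second filter; reassembly is what the PCAP-plus-Wireshark route below gives you.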

Is there more?

Yes, you can do a lot more with tcpdump, but these two commands have been the most useful, several times over, for analyzing traffic or simply verifying what information has been sent to the server, so you can be 100% sure everything is correct.

Another is to use tcpdump to write a PCAP file that Wireshark can read:

tcpdump -i <interface> -s 65535 -w <file>