Capturing and decoding POST data using tcpdump / wireshark
So I needed to debug an application which posts XML to a 3rd-party application; the post was failing, but the error was very unspecific as to why.
What I wanted to do was send the data manually, but I needed to capture it first. After a bit of digging I came up blank on an easy way to get the information out of tcpdump, but I did find a brilliant little Perl script which does all the hard work: you just point it at a tcpdump output file, and it does all the manipulation and outputs everything you need.
The script is called chaosreader0.94; see http://www.darknet.org.uk/2007/11/chaosreader-trace-tcpudp-sessions-from-tcpdump/
It worked like a treat, I did the following:
tcpdump -s 9000 -w outputfile host www.blah.com; perl chaosreader0.94 outputfile
It generated a load of files, headed up by index.html. When you put these files on a web server and open index.html you get a few options. See below.
Chaosreader Report
File: out1, Type: tcpdump, Created at: Thu May 21 11:56:59 2009
Image Report (Empty) – Click here for a report on captured images.
GET/POST Report – Click here for a report on HTTP GETs and POSTs.
HTTP Proxy Log – Click here for a generated proxy style HTTP log.
TCP/UDP/… Sessions
| # | Start | Duration | Session | Service | Size |
|---|---|---|---|---|---|
| 1. | Thu May 21 11:56:48 2009 | 5 s | 192.168.x.x:50624 -> 192.168.x.x:80 | http | 80515 bytes |
| 2. | Thu May 21 11:56:54 2009 | 0 s | 192.168.x.x:50633 -> 192.168.x.x:80 | http | 84451 bytes |
IP Count
| IP | Count |
|---|---|
| 192.168.x.x | 136 |
| 192.168.x.x | 86 |
TCP Port Count
| Port | Count |
|---|---|
| http | 221 |
UDP Port Count
IP Protocol Count
| Protocol | Count |
|---|---|
| TCP | 222 |
Ethernet Type Count
| Type | Count |
|---|---|
| 0800 | 222 |
Clicking the session links gave me all the information I needed.
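Chaosreader does the TCP reassembly and HTTP parsing for you; the script below is an added example, not part of the original post or of chaosreader, and shows the core of that job on a pcap written by `tcpdump -w`: it walks the pcap records, groups TCP payloads per flow, reassembles them in sequence order and pulls out each HTTP POST with its Content-Length body. The capture, addresses and request path are constructed sample data; it only handles little-endian microsecond pcap over plain Ethernet, and it stops on a truncated body, which is exactly what a too-small `-s` snaplen produces.

```python
import struct

def build_pcap(segments):
    """Minimal little-endian pcap (linktype 1 = Ethernet) from (src, sport, dst, dport, seq, payload) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, sport, dst, dport, seq, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip                       # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def tcp_streams(pcap):
    """Group TCP payloads by (src, sport, dst, dport) from an Ethernet pcap; no VLAN or IP-option handling."""
    assert struct.unpack_from("<I", pcap)[0] == 0xA1B2C3D4, "little-endian microsecond pcap only"
    streams, off = {}, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:                # skip non-IPv4 and non-TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        streams.setdefault((ip[12:16], sport, ip[16:20], dport), []).append((seq, tcp[(tcp[12] >> 4) * 4:]))
    return streams

def extract_posts(pcap):
    """Reassemble each client->server stream by sequence number and return the HTTP POSTs found in it."""
    posts = []
    for (src, sport, dst, dport), segs in tcp_streams(pcap).items():
        stream = b"".join(d for _, d in sorted(segs))               # seq order; retransmits not deduplicated
        while stream.startswith(b"POST "):
            hend = stream.find(b"\r\n\r\n")
            if hend < 0:
                break
            lines = stream[:hend].decode("latin-1").split("\r\n")
            hdrs = {k.lower(): v.strip() for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
            clen = int(hdrs.get("content-length", 0))
            body = stream[hend + 4:hend + 4 + clen]
            if len(body) < clen:                                      # truncated: snaplen too small or capture cut short
                break
            posts.append({"client": (src, sport), "path": lines[0].split(" ")[1], "type": hdrs.get("content-type"), "body": body})
            stream = stream[hend + 4 + clen:]
    return posts

C, S = bytes([192, 168, 0, 10]), bytes([192, 168, 0, 20])          # constructed sample: client and server
HEAD = b"POST /api/submit HTTP/1.1\r\nHost: www.blah.com\r\nContent-Type: text/xml\r\nContent-Length: 31\r\n\r\n"
SAMPLE = build_pcap([(C, 50624, S, 80, 1000 + len(HEAD) + 18, b"item></order>"),   # body tail recorded first
                     (C, 50624, S, 80, 1000, HEAD), (C, 50624, S, 80, 1000 + len(HEAD), b"<order><item>foo</")])
```

Against a real capture, `extract_posts(open("outputfile", "rb").read())` returns the POSTs with their bodies ready to be replayed manually.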