I need to sniff packets from a very busy proxy server (both interfaces, internal and external). What is worse, I will need to sniff for a day, maybe several days. Because of this I need a very precise filter. As a display filter it would look like this:

`http contains someurl or ip.addr eq 1.2.3.0/24`

or, slightly more complex:

`(ip.dst eq 10.0.0.1 and http contains someurl) or ip.addr eq 1.2.3.0/24`

The problem is obviously the "http contains someurl" part. This part is vital, as it will change 50 Mbps of traffic to only, say, 20 MB per day. Any solution will do. Tshark, dumpcap, the GUI. I was thinking of something similar to this:
From Jefferson Ogata via the tcpdump-workers mailing list.
asked 27 Mar '14, 05:09 robstar
One Answer:
You can't do that with a 'simple' capture filter. You can try to use the capture filter generator, but the resulting filter might not work in all cases!! Just take a look at the default sample and the generated capture filter. Duh.... Here is my suggestion: use ngrep
ngrep will write all frames that meet the search criteria to /var/tmp/http.pcap. It will not write the whole TCP stream, which is obvious! There is also a Windows version of ngrep (please google/bing it).

Regards

answered 27 Mar '14, 11:42 Kurt Knochner ♦
Obviously I tried changing the hex-value to what I want to search, but that doesn't work. My guess is that it's searching in a very narrow part of the packet.
But how do I make it work?
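The following is an added example, not code from the question or the answer above. It shows why the two halves of the requested filter behave so differently: a BPF capture filter can only compare 1, 2 or 4 bytes at one computed offset, so the tcpdump idiom of locating the TCP payload through the data-offset field (`tcp[12]`) can test a fixed prefix such as "GET " but cannot express "payload contains someurl anywhere". The "contains" test has to be evaluated in user space, which is what a payload grepper like ngrep does. The frame bytes, addresses and function names below are constructed for the demonstration.

```python
import ipaddress
import socket
import struct
from typing import Optional

# Constructed example payload (not captured from the asker's proxy): an HTTP
# request whose URL contains "someurl" but does not start with it.
SAMPLE_PAYLOAD = b"GET /path/someurl?id=1 HTTP/1.1\r\nHost: example.test\r\n\r\n"


def bpf_tcp_payload_prefix(literal: bytes) -> str:
    """Capture filter matching packets whose TCP payload STARTS WITH `literal`.

    tcp[12] high nibble is the data offset in 32-bit words; shifting it right
    by 2 gives the TCP header length in bytes, i.e. the index of the first
    payload byte. BPF compares only 1, 2 or 4 bytes at that one offset, so a
    fixed prefix is testable but an arbitrary substring is not.
    """
    if len(literal) not in (1, 2, 4):
        raise ValueError("BPF compares 1, 2 or 4 bytes at a time")
    value = int.from_bytes(literal, "big")
    return (f"tcp[((tcp[12:1] & 0xf0) >> 2):{len(literal)}] "
            f"= 0x{value:0{len(literal) * 2}x}")


def build_frame(payload: bytes, dst: str, src: str = "192.0.2.10",
                tcp_options: bytes = b"") -> bytes:
    """Assemble constructed Ethernet/IPv4/TCP bytes around `payload`.

    Checksums are left zero; TCP options are included so the payload offset
    is not fixed, which is exactly why the data-offset field must be read.
    """
    if len(tcp_options) % 4:
        raise ValueError("TCP options must pad to a 32-bit boundary")
    eth = b"\x00" * 12 + b"\x08\x00"                     # zero MACs, ethertype IPv4
    data_offset = (20 + len(tcp_options)) // 4             # TCP header length in words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1,
                      data_offset << 4, 0x18, 65535, 0, 0) + tcp_options
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[tuple]:
    """Return (src_ip, dst_ip, tcp_payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length
    if frame[14 + 9] != 6:                                 # protocol field: 6 = TCP
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp_start = 14 + ihl
    doff = (frame[tcp_start + 12] >> 4) * 4                # the same field BPF reads
    return src, dst, frame[tcp_start + doff:14 + total_len]


def bpf_prefix_would_match(frame: bytes, literal: bytes) -> bool:
    """Emulate the prefix capture filter: it sees only the first payload bytes."""
    parsed = parse_frame(frame)
    return parsed is not None and parsed[2][:len(literal)] == literal


def userspace_match(frame: bytes, needle: bytes, host: str, net: str) -> bool:
    """The asker's display-filter logic evaluated in user space, as a payload
    grepper must: (ip.dst == host and payload contains needle) or ip.addr in net."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    src, dst, payload = parsed
    network = ipaddress.ip_network(net)
    in_net = (ipaddress.ip_address(src) in network
              or ipaddress.ip_address(dst) in network)
    return (dst == host and needle in payload) or in_net


if __name__ == "__main__":
    frame = build_frame(SAMPLE_PAYLOAD, dst="10.0.0.1", tcp_options=b"\x01" * 12)
    print(bpf_tcp_payload_prefix(b"GET "))
    print("prefix 'GET ' matches:", bpf_prefix_would_match(frame, b"GET "))
    print("prefix 'some' matches:", bpf_prefix_would_match(frame, b"some"))
    print("userspace contains:", userspace_match(frame, b"someurl", "10.0.0.1", "1.2.3.0/24"))
```

The practical split this suggests: push the address part of the filter (`host 10.0.0.1`, `net 1.2.3.0/24`) and, if useful, a fixed-prefix test into the kernel-side capture filter to cut volume, and leave the "contains someurl" decision to a user-space matcher over the remaining packets.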