Linux – tcpdump filter according to http header content

linuxtcpdump

using tcpdump i would like to filter the responses that comes back from a squid cache server to only the responses that came back from the cache.
that means that i need to filter according to the X-CACHE header value, if it's value is HIT, i should show it, otherwise the response is not from the cache.
any idea what should my tcpdump filter be ?

Best Answer

Have you considered using ngrep instead of tcpdump?

Related Solutions

Wireshark http POST

There's no guarantee that all of the posted data will be in the same packet as the POST command string itself. In fact, if the posted data is more than about 1500 bytes (probably a little less due to the presence of other HTTP headers), you're practically guaranteed it won't all be in the same packet. So for best results you'll need a filtering method that understands multi-packet HTTP transaction, and libpcap's filter language (which is what tcpdump uses and what wireshark uses for capture filters) ain't it.

Linux – using tcpdump to display XML API requests without headers or ack packets

How about this:

$ while read stream; do \
tshark -qz follow,tcp,ascii,$stream -r soap.pcap; done \
< <(tshark -R "xml" -T fields -e tcp.stream -r soap.pcap | sort | uniq)

Source: http://ask.wireshark.org/questions/18046/extracting-segmented-soap-xml-payload

Best Answer

Related Solutions

Wireshark http POST

Linux – using tcpdump to display XML API requests without headers or ack packets

Related Topic