Only capture HTTP post requests through tcpdump

Tags: tcpdump, wireshark

For security purposes we want to list all POST request URIs that are used in our applications (so we would disable POST through mod_security except for those URIs). The idea is to use tcpdump to capture these during a full regression test and then wireshark to get a distinct list of all URIs.

The problem is that we're failing to find the correct tcpdump arguments to only capture HTTP post requests (which is needed because a full tcpdump would quickly fill up the disk).

The following command works fine but shows GETs, POSTs and some other packets (too many):

sudo tcpdump -A 'tcp port 9081 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

The following only captures POST requests, but in wireshark they show as TCP packets and we're not able to extract the URI from these (as we do for HTTP using the custom value http.request.uri in wireshark):

sudo tcpdump -A 'tcp port 9081 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'

What tcpdump arguments should we use to capture HTTP POST requests (which show as HTTP packets in wireshark) or how can we extract the URI from those TCP packets (second command)?

Best Answer

tcpflow -p -c -i bond0 port 9081 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'
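The second tcpdump filter in the question already isolates the segments whose TCP payload starts with the bytes 0x504f5354 ("POST"); what is missing is a way to pull the URI out of those segments when wireshark does not dissect them as HTTP. The script below is an added example, not code from the question or the answer: it applies the same offset arithmetic as the BPF filters ((ip[0]&0xf)<<2 for the IP header, (tcp[12]&0xf0)>>2 for the TCP header) to the frames in a pcap file written with `tcpdump -w`, and reports the distinct (Host, URI) pairs seen in POST requests, which is the list needed for the mod_security allow-list. It assumes a classic pcap file with Ethernet framing and that the request line (and usually the Host header) is in the first segment the filter captured; the sample frames at the bottom are constructed in memory, not captured traffic.

```python
import struct

# --- constructed sample traffic (assumption: not captured data) ---------------

def build_frame(payload: bytes, src_port: int = 40000, dst_port: int = 9081) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame around `payload`; checksums left zero.
    Only the header lengths matter for the offset arithmetic shown below."""
    ip_total_len = 20 + 20 + len(payload)
    eth = b"\x00" * 12 + b"\x08\x00"                        # MACs + EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                      (20 // 4) << 4, 0x18, 65535, 0, 0)    # data offset 5 words, PSH|ACK
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    """Wrap frames in a classic pcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for n, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + n, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

# --- the parsing side ---------------------------------------------------------

def iter_pcap_frames(data: bytes):
    """Yield link-layer frames from pcap bytes (e.g. `tcpdump -w` output), either byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len

def tcp_payload(frame: bytes) -> bytes:
    """Same arithmetic as the question's BPF filters: IP header = (ip[0]&0xf)<<2,
    TCP header = (tcp[12]&0xf0)>>2; slice past both to reach the HTTP bytes."""
    if frame[12:14] != b"\x08\x00":             # not IPv4
        return b""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) << 2
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                               # not TCP
        return b""
    tcp = ip[ihl:total_len]
    doff = (tcp[12] & 0xF0) >> 2
    return tcp[doff:]

def is_post(frame: bytes) -> bool:
    """What `tcp[doff:4] = 0x504f5354` tests: the first four payload bytes spell POST."""
    return tcp_payload(frame)[:4] == b"POST"

def parse_request_head(payload: bytes):
    """Return (method, uri, host) from the start of an HTTP/1.x request, else None.
    host is None when the Host header is not in this segment (it may be in a later one)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), host

def distinct_post_uris(pcap_bytes: bytes):
    """The list the question is after: distinct (host, uri) pairs seen in POST requests."""
    found = set()
    for frame in iter_pcap_frames(pcap_bytes):
        if not is_post(frame):
            continue
        parsed = parse_request_head(tcp_payload(frame))
        if parsed:
            found.add((parsed[2], parsed[1]))
    return sorted(found, key=str)

# Constructed sample: two distinct POST URIs, one duplicate, one GET, one response.
SAMPLE_PCAP = build_pcap([
    build_frame(b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 0\r\n\r\n"),
    build_frame(b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    build_frame(b"POST /api/upload HTTP/1.1\r\nHost: api.example\r\n\r\n"),
    build_frame(b"POST /login HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    build_frame(b"HTTP/1.1 200 OK\r\n\r\n", src_port=9081, dst_port=40000),
])

if __name__ == "__main__":
    for host, uri in distinct_post_uris(SAMPLE_PCAP):
        print(host, uri)
```

To run it against a real capture, read the file produced by `tcpdump -w post.pcap ...` with the question's POST filter and pass its bytes to `distinct_post_uris`. Because the filter only matches the segment carrying the request line, a Host header that lands in a later segment shows up as `None`; if that matters, use the tcpflow reassembly from the answer instead, which operates on the whole stream.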