Get all GET and POST requests using tshark

Tags: tshark rest http get post

Browsers have made browsing insanely easy. Toolbar fetches webpage magically. However, under the hood, lots of requests are exchanged. These requests are based on REST architecture.

What is REST? REST is REpresentational State Transfer. Loosely speaking it defines how resources are exchanged based on item of request. Two most common HTTP Request Methods are POST and GET. Using tshark, we can see the headers exchange as you browse the web.

Check your network interface by typing (Mac or Linux)

$ ifconfig

Capture all GET and POST request using tshark on the network interface & save it to the file ~/out.ncap.

$ tshark -i en1 -f 'port 80 and 
(tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 or 
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)' -w ~/out.ncap   

The above commands looks gibberish, however if you analyze closely, its plain easy. Lets read it line by line

tshark
- Network Protocol Analyzer
-i
- Interface
en1
- Name of the interface
80
- Default http port number
(tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354
- Take the upper 4 bits of the 12th octet in the tcp header ( tcp[12:1] & 0xf0 )
- multiply it by four ((tcp[12:1] & 0xf0)>>2) which should give the tcp header length
- Take Four octets from the tcp stream, starting at that offset (tcp[(((tcp[12:1] & 0xf0) >> 2)):4])
- Lastly, verify that they are equal to POST which is 0x504F5354 in hex.
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)
- Like POST command, it checks for GET request.
-w
- Dumps the output
~/out.ncap
- The output file

Now start surfing the web & see the POST & GET request by typing

$ tail -f ~/out.ncap