Capture packets and tomcat server header information

gaurav_s · 05-28-2015, 12:30 AM

I am using tcpdump command to retrieve tomcat server header information.
I am executing wget command from remote node.
node1:-

wget -S http://XXX.XXX.XXX.XXX:8093

node2:-

tcpdump -f "tcp src port 8093" -s0 -w /tmp/tomcat11.pcap

node2 is running tomcat server on port 8093

i am opening tomcat11.pcap in wireshark but i am not able to find server information i.e Apache Tomcat X.X .

nini09 · 05-28-2015, 02:40 PM

It might be in HTTP header.

gaurav_s · 05-28-2015, 11:57 PM

There are no http headers present in Wireshark. I amusing http.response as filter.

mralk3 · 05-29-2015, 12:08 AM

I googled it with search terms "tcpdump for tomcat" and found:

http://blog.2partsmagic.com/2011/01/...-http-headers/

Google is your friend!

gaurav_s · 05-29-2015, 01:29 AM

Now, i am able to get GET request ,but i want to see POST .

nini09 · 05-29-2015, 02:55 PM

Just capture port 8093 instead of src port 8093. You should see both direction packet.

gaurav_s · 06-01-2015, 12:45 AM

Still i am not getting POST data.I guess with wget command i can't get POST data.

mralk3 · 06-01-2015, 09:28 AM

Look at the man page of wget and you will see that you need to pass specific options to wget to execute a HTTP POST.

nini09 · 06-01-2015, 02:38 PM

Tool, wget, only use get request to download information. The put request is uploading information.
One tool, CURL, can do anyway you want, such as GET, POST, DELETE and so on.
http://curl.haxx.se/

mralk3 · 06-02-2015, 06:37 PM

Good point about curl. I was not thinking in terms of receiving data , rather submitting data to a service.

The curl command will do what you need.

joec@home · 06-07-2015, 05:07 PM

Been a while, but looking through my old notes I used to prefer to search by IP address to get a larger scope of data. Try playing around with the different flags, removing and adding different flags to check for different results, switching between the IP address of both the sender and the receiver. Also try switching between "0" and "1500" in the -s flag. Just print to screen at first while you fine tune then start grabbing to a file.

tcpdump -x -v -s 1500 host 12.34.56.78 -l -n

joec@home · 06-07-2015, 05:28 PM

Another thing you might try is to run a tail on the module being used by tomcat to get a psudo'ish strace.

tail -f /proc/(PID of Tomcat)/map_files/(module being called by tomcat) | od -a

Different od flags for translation:

From
http://unixhelp.ed.ac.uk/CGI/man-cgi?od

-a same as -t a, select named characters
-b same as -t o1, select octal bytes
-c same as -t c, select ASCII characters or backslash escapes
-d same as -t u2, select unsigned decimal 2-byte units
-f same as -t fF, select floats
-i same as -t dI, select decimal ints
-l same as -t dL, select decimal longs
-o same as -t o2, select octal 2-byte units
-s same as -t d2, select decimal 2-byte units
-x same as -t x2, select hexadecimal 2-byte units