LinuxQuestions.org

Linux - Networking: tcpdump problem? (https://www.linuxquestions.org/questions/linux-networking-3/tcpdump-problem-253058/)

jerrytw 11-09-2004 09:54 PM

tcpdump problem?
 
How do I use the tcpdump command to show the file name of a download?

I want to record which IP address downloads a file via port 80; moreover,
I also want to get what file was downloaded.

For example:
The computer (192.168.1.1) downloads a file such as swi.zip from a website. I want to get a log entry such as 192.168.1.1 *** port 80 *** swi.zip.
How can I use tcpdump to report this, or what other command can generate this result?

Thanks a lot.

bignerd 11-10-2004 12:07 PM

Nothing in life is easy. This is also true for Linux. Most things are possible but not always the way you'd like them.

It's "possible" to get the info you need with something like:

tcpdump -vvvnnXs0 | grep -B 4 -A 5 GET | grep -B 4 -A 5 -i zip

This will snoop the default interface (normally eth0) and spit out some details on any get requests that also have zip associated with them.

This should give the ip of who is getting the zip, where they are getting it from, the time as well as what the file name is.

But.

This is a very simple filter that will also be triggered if someone were to, say, do a Google search with the word zip in the search.

You'll have to use better filters or even a brain to figure out if the get for a file is what you are looking for or not.

Also, on a busy interface you'll likely drop packets. This isn't the most efficient way of doing business. But I figured you deserved some sort of answer even if it's not a good one.

-b
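The grep pipeline above shows the idea; the following is an added example (not posted in the thread) that turns the same tcpdump output into the log format jerrytw asked for, "client *** port N *** file.zip", and avoids the false positive bignerd mentions by dropping the query string before checking whether the requested path itself ends in .zip. The sample input is constructed, and the header-line layout it assumes (timestamp, "IP", src.port, ">", dst.port:) is that of `tcpdump -nn -A`; the capture command in the comment is the one I would use, not one from the thread.

```shell
#!/bin/sh
# Added example: post-process tcpdump ASCII output (-nn -A) into
# "client_ip *** port N *** filename.zip" log lines.

log_zip_downloads() {
    awk '
        # tcpdump header line: "HH:MM:SS.ffffff IP a.b.c.d.sport > e.f.g.h.dport: Flags ..."
        $2 == "IP" && $4 == ">" {
            split($3, a, ".")                       # source is a.b.c.d.sport
            client = a[1] "." a[2] "." a[3] "." a[4]
            split($5, d, ".")                       # destination is e.f.g.h.dport:
            dport = d[5]; sub(/:$/, "", dport)
            next
        }
        # HTTP request line inside the ASCII payload that -A prints after the header
        $1 == "GET" && client != "" {
            path = $2
            sub(/[?].*/, "", path)                  # "GET /search?q=zip" is a search, not a download
            if (tolower(path) ~ /\.zip$/) {
                n = split(path, p, "/")             # last path component is the file name
                print client " *** port " dport " *** " p[n]
            }
        }
    '
}

# Constructed sample in the shape of `tcpdump -nn -A` output (not real capture data).
# Second request has "zip" only in its query string and must NOT be logged.
SAMPLE='12:00:00.000001 IP 192.168.1.1.51234 > 203.0.113.10.80: Flags [P.], seq 1:200, ack 1, win 512, length 199
E..............
GET /downloads/swi.zip HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

12:00:01.000001 IP 192.168.1.2.51235 > 203.0.113.20.80: Flags [P.], seq 1:150, ack 1, win 512, length 149
E..............
GET /search?q=zip+files HTTP/1.1
Host: search.example.net

12:00:02.000001 IP 192.168.1.3.51236 > 203.0.113.30.80: Flags [P.], seq 1:160, ack 1, win 512, length 159
E..............
GET /pub/tools/archive.ZIP?token=abc HTTP/1.1
Host: mirror.example.org'

# Live use (root or CAP_NET_RAW needed; -l line-buffers so entries appear as they happen;
# the BPF filter keeps the kernel from handing awk anything but client->server port 80 traffic):
#   tcpdump -i eth0 -l -nn -A -s0 'tcp dst port 80' | log_zip_downloads >> /var/log/zip-downloads.log

printf '%s\n' "$SAMPLE" | log_zip_downloads
```

Filtering in BPF (`'tcp dst port 80'`) rather than in grep matters for the packet-drop problem bignerd raises: the kernel discards the uninteresting traffic before it ever reaches userspace. The script still only sees plaintext HTTP; an HTTPS download shows no request line at all, so nothing will be logged for it.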
