Thursday, May 12, 2016

TCPDUMP: how to see the referer in the header of the TCP-IP protocol



http://allexit.blogspot.com.co/2015/03/tcpdump-headerrefereruser-agent.html

https://systembash.com/simple-sysadmin-trick-using-tcpdump-to-sniff-web-server-traffic/

At some point I wanted to grab the stream from the site moskva.fm; after scratching my head, I finally decided to get to grips with the tcpdump utility, because it is exactly the tool that will help us here.
Let's take the direct output of tcpdump, for example like this:
tcpdump -i eth0 -nn -s0 -A -l > /var/log/lebnik-tcpdump.log
If you look at the resulting content for a while, you see an incomprehensible mess :) but you can notice that header fields show up in the middle of that mess, for example:
E..4Z.@.@.X....y...P...Po....'.....s.......
.G..|...
15:36:24.145034 IP 172.16.4.121.59049 > 185.17.30.80.80: Flags [P.], seq 1:390, ack 1, win 115, options [nop,nop,TS val 55034296 ecr 2094329990], length 389
E...Z.@.@.W>...y...P...Po....'.....s.......
.G..|...GET /stream/4002/1398186168?format=flv HTTP/1.1
Host: 185.17.30.80/stream/4002/1398186168?format=flv
Connection: keep-alive
Referer: http://css.moskva.fm/f/MoskvaPlayerDark.swf?20140627113228
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,ru;q=0.6

15:36:24.147535 IP 185.17.30.80.80 > 172.16.4.121.59049: Flags [.], ack 390, win 122, options [nop,nop,TS val 2094329991 ecr 55034296], length 0
E..4~<@.9.;....P...y.P...'..o..2...z.K.....
|....G..
Agreed, it is a jumble of characters and I do not suggest relying on it as such, but I note one thing for myself: first we see the GET line, and then Host. Next, let's look at where we keep connecting to:
tcpdump -i eth0 -nn -s0 -A -l|grep --line-buffered "Host: \|GET " -m 15
and we get the last 15 requests:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Host: smsdesign.com.ua
Host: www.moskva.fm
|...GET /stream/4002/1398188568?format=flv HTTP/1.1
Host: 185.17.30.80
Host: smsdesign.com.ua
.I..lv..GET /player_xml.html?startat=1398175200&rnd=0%2E5591348479501903&time=1398175200&delay=78301%2E502&type=full&station=4002&realtime=1398174168&v=3 HTTP/1.1
Host: www.moskva.fm
.I....S.GET /uimg/artists/72x72/cf/cf68c34167c27cddd013d1f5040ecf46.jpeg HTTP/1.1
Host: t1.moskva.fm
.I..|...GET /stream/4002/1398187452?format=flv HTTP/1.1
Host: 185.17.30.80
Host: smsdesign.com.ua
Host: www.moskva.fm
.I..|...GET /stream/4002/1398187272?format=flv HTTP/1.1
Host: 185.17.30.80
209 packets captured
212 packets received by filter
0 packets dropped by kernel

To filter out just the headers, you can use the following filter:
tcpdump -i eth0 -nn -s0 -A -l |grep "Host: \|GET\|Referer: \|User-Agent: "
Looking at the resulting content, the header fields now stand out among the remaining noise, for example:
.G..|...GET /stream/4002/1398186168?format=flv HTTP/1.1
Host: 185.17.30.80/stream/4002/1398186168?format=flv
Referer: http://css.moskva.fm/f/MoskvaPlayerDark.swf?20140627113228
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko)


https://systembash.com/simple-sysadmin-trick-using-tcpdump-to-sniff-web-server-traffic/

Simple Sysadmin Trick: Using tcpdump To Sniff Web Server Traffic


October 2, 2012 / 1 Comment / in Linux, Shell, System Administration / by Dave

Sometimes, you just have to look into the raw data to see what your web server is doing. The logs might not show you enough detail or you suspect something is going on which is just not shown in the log files. Or, as in my case, logging is turned off because of too much activity.

The excellent tcpdump utility comes to the rescue here. I recommend you get more familiar with the tcpdump man page. Here is the command you can use, in a nutshell:

tcpdump -nl -w - -i eth1 -c 500 port 80|strings

or alternatively with just tcpdump (Thanks Chris!):

tcpdump -nl -s 0 -A -i eth1 -c 500 port 80

Your command line will print out all traffic to and from port 80 on your server, headers and all. Let's look at the options in more detail.

    -n: Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
    -l: Make stdout line buffered. Useful if you want to see the data while capturing it.
    -w: Write the raw packets to a file rather than parsing and printing them out. With `-w -` they go to stdout, which is what lets strings read them.
    -i: Interface you want to sniff on, usually eth0 or eth1, but depends on your system.
    -c: Number of packets to capture, after which tcpdump exits.
    port: port 80, duh :)
    -A: Print each packet (minus its link level header) in ASCII.
    -s: snapshot length, the number of bytes captured from each packet; 0 means capture whole packets, so headers are not truncated.

Now, depending on your web server configuration, you will probably have gzipped content which comes out as garbled characters. To strip all that out, just pipe it through strings.

The output will look something like this:
GET /about/comment-page-1 HTTP/1.0
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
User-Agent: Mozilla/2.0 (compatible; MSIE 3.02; Windows CE; 240x320)
Referer: http://quittingsoda.com/about/comment-page-1#comment-6637
Host: quittingsoda.com
Cookie: comment_author_xxx=sakyjartory; comment_author_email_26e707905b5fd6e7139333eb1dab208f=olfaexxxx; comment_author_url_26e707905b5fd6e7139333eb1dab208xxx
HTTP/1.1 200 OK
Date: Wed, 03 Oct 2012 01:49:19 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.17
X-Pingback: http://quittingsoda.com/xmlrpc.php
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>About This Site | Quitting Soda</title>

Let me know if you have any suggestions for improving this simple command line program for sniffing your web server traffic! Netcat is an essential tool that every Linux administrator should get to know better.
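As an added example (not code from either of the reposted articles), here is a Python parser that does what the grep pipelines above only approximate: it reads `tcpdump -nn -s0 -A` text, ties the request line and the Host, Referer and User-Agent headers to the packet (timestamp, source, destination) they arrived in, and counts requests per Host, the "where do we keep connecting" view. The sample capture is constructed, modelled on the output shown above; the second client destination 93.184.216.34 is a placeholder.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn -s0 -A` output, modelled on the captures
# above: two client requests and one payload-less server ACK.
SAMPLE = """\
15:36:24.145034 IP 172.16.4.121.59049 > 185.17.30.80.80: Flags [P.], seq 1:390, ack 1, length 389
E...Z.@.@.W>...y...P...Po....'.....s.......
.G..|...GET /stream/4002/1398186168?format=flv HTTP/1.1
Host: 185.17.30.80
Referer: http://css.moskva.fm/f/MoskvaPlayerDark.swf?20140627113228
User-Agent: Mozilla/5.0 (X11; Linux i686) Chromium/34.0.1847.116

15:36:24.147535 IP 185.17.30.80.80 > 172.16.4.121.59049: Flags [.], ack 390, length 0
15:36:25.001000 IP 172.16.4.121.59050 > 93.184.216.34.80: Flags [P.], seq 1:200, ack 1, length 199
.I..|...GET /player_xml.html?station=4002 HTTP/1.1
Host: www.moskva.fm
"""

PKT_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+):")
# The request line follows TCP option bytes printed as ASCII (".G..|..."),
# so the method is searched for anywhere in the line, not at its start.
REQ_RE = re.compile(r"(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) (HTTP/1\.[01])")
HDR_RE = re.compile(r"^([A-Za-z-]+): (.*)$")

def parse_requests(text):
    """One dict per HTTP request: timestamp, src, dst, method, path, headers."""
    requests, current, in_headers = [], None, False
    for line in text.splitlines():
        pkt = PKT_RE.match(line)
        if pkt:  # new packet: whatever was being collected is complete
            current = {"ts": pkt.group(1), "src": pkt.group(2), "dst": pkt.group(3)}
            in_headers = False
            continue
        req = REQ_RE.search(line) if current and not in_headers else None
        if req:
            current.update(method=req.group(1), path=req.group(2), headers={})
            requests.append(current)
            in_headers = True
        elif in_headers:
            hdr = HDR_RE.match(line)
            if hdr:
                current["headers"][hdr.group(1).lower()] = hdr.group(2)
            elif not line.strip():
                in_headers = False  # blank line ends the header block
    return requests

def host_counts(requests):
    """Requests per Host header: the 'where do we keep connecting' view, per request."""
    return Counter(r["headers"].get("host", "-") for r in requests)
```

Feed it a saved capture, e.g. `parse_requests(open("/var/log/lebnik-tcpdump.log").read())`. Because it works packet by packet, like the `-A` output itself, a request whose headers are split across TCP segments is only partly recovered.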

