Hi all,
I'm trying to build a filter to capture HTTP POST payloads. So far,
what I did is look into the HTTP packet and check for the existence of
a string I KNOW it's going to be there. Here's what happens:
$ sudo tethereal -i eth0 -R 'http contains "username"'
Capturing on eth0
4.182450 202.92.95.110 -> 192.168.0.249 HTTP Continuation or non-HTTP traffic
4.182456 202.92.95.110 -> 192.168.0.249 HTTP Continuation or non-HTTP traffic
4.182464 202.92.95.110 -> 192.168.0.249 HTTP Continuation or non-HTTP traffic
4.182881 202.92.95.110 -> 192.168.0.249 HTTP Continuation or non-HTTP traffic
4.408846 202.92.95.110 -> 192.168.0.249 HTTP Continuation or non-HTTP traffic
4.408852 202.92.95.110 -> 192.168.0.249 HTTP Continuation or non-HTTP traffic
4.408859 202.92.95.110 -> 192.168.0.249 HTTP Continuation or non-HTTP traffic
4.409274 202.92.95.110 -> 192.168.0.249 HTTP Continuation or non-HTTP traffic
6.317624 192.168.0.249 -> 202.92.95.110 HTTP Continuation or non-HTTP traffic (application/x-www-form-urlencoded)
I can see it means that more than one packet is being used to transfer
what I'm looking for. So my question is: is there a way to display the
actual POST payload? How?
Thanks a lot.
--
Julio C. Ody
http://rootshell.be/~julioody