vbNewbie - 2 months ago

Question

Capturing incoming REST API traffic on an Apache server using tshark

Is it possible to capture incoming REST API requests to a Tomcat server, in order to validate whether external clients are using proper credentials? 401 responses are produced, but we need to prove that the REST API is not the problem but rather the requests.

I successfully installed Wireshark and, based on suggestions, used tshark to try and capture incoming packets.

tshark -D
1. usbmon1 (USB bus number 1)
2. eth2
3. any (Pseudo-device that captures on all interfaces)
4. lo


I would assume HTTP requests would be 'tcp', correct? Then why does it not show here? I tried the following command found online:

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R 'http.request.method == "GET" || http.request.method == "HEAD"'


But this results in an error:

That string isn't a valid capture filter (USB link-layer type filtering
not implemented).
See the User's Guide for a description of the capture filter syntax.
0 packets captured


I know the specific incoming request URL I am expecting and thought I could filter on that: https://xxxxxxxxxxxxxxxx/termAPI/list
Really appreciate some help here.

EDIT:

Tried and tested the following:

tshark -i 2 -f 'port 80'


then ran a sample API request and got the following captured:

Capturing on eth2
0.000000000 192.1xx.xxx -> 192.168.cc.xxxx TCP 66 49330 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1400 WS=4 SACK_PERM=1
0.000146849 192.168.cc.xxxx -> 192.1xx.xxx TCP 66 http > 49330 [SYN, ACK] Seq=0 Ack=1 Win=14100 Len=0 MSS=1410 SACK_PERM=1 WS=128
0.005808528 192.1xx.xxx -> 192.168.cc.xxxx TCP 54 49330 > http [ACK] Seq=1 Ack=1 Win=65800 Len=0
0.031745954 192.1xx.xxx -> 192.168.cc.xxxx HTTP 220 GET /termsapi/google/search/main/rules/active HTTP/1.1
0.031845414 192.168.cc.xxxx -> 192.1xx.xxx TCP 54 http > 49330 [ACK] Seq=1 Ack=167 Win=15232 Len=0
0.063554179 192.168.cc.xxxx -> 192.1xx.xxx TCP 2854 [TCP segment of a reassembled PDU]
0.063568626 192.168.cc.xxxx -> 192.1xx.xxx TCP 2854 [TCP segment of a reassembled PDU]
0.063572832 192.168.cc.xxxx -> 192.1xx.xxx HTTP 695 HTTP/1.1 200 OK (application/json)
0.064066260 192.168.cc.xxxx -> 192.1xx.xxx TCP 54 http > 49330 [FIN, ACK] Seq=6242 Ack=167 Win=15232 Len=0
0.075055934 192.1xx.xxx -> 192.168.cc.xxxx TCP 54 49330 > http [ACK] Seq=167 Ack=2801 Win=65800 Len=0
0.075067927 192.1xx.xxx -> 192.168.cc.xxxx TCP 54 49330 > http [ACK] Seq=167 Ack=6243 Win=65800 Len=0
0.075095146 192.1xx.xxx -> 192.168.cc.xxxx TCP 54 49330 > http [FIN, ACK] Seq=167 Ack=6243 Win=65800 Len=0
0.075098758 192.168.cc.xxxx -> 192.1xx.xxx TCP 54 http > 49330 [ACK] Seq=6243 Ack=168 Win=15232 Len=0


But I cannot see credentials.

Answer

According to the man page, tshark -D:

Print a list of the interfaces on which TShark can capture, and exit.

You then have to choose one. For your case, you probably want to listen to eth2.

You can listen to all traffic on eth2 with:

tshark -ieth2

If you want to capture only GET requests, you can use a capture filter expression, from the documentation:

tshark -ieth2 "port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420"

You will then see all GET requests coming to your server.

== Edit

If you want to see all details (credentials, ...) of your packets, you can ask tshark to output packets in Packet Details Markup Language by adding the -T pdml option.