#!/usr/bin/perl

$LIMIT = shift || 5000;

$|=1;
open (STDIN,"/usr/sbin/tcpdump -lnx -s 1024 dst port 80 |");
while (<>) {
    if (/^\S/) {
	last unless $LIMIT--;
	while ($packet=~/(GET|POST|WWW-Authenticate|Authorization).+/g)  {
	    print "$client -> $host\t$&\n";
	}
	undef $client; undef $host; undef $packet;
	($client,$host) = /(\d+\.\d+\.\d+\.\d+).+ > (\d+\.\d+\.\d+\.\d+)/
	    if /P \d+:\d+\((\d+)\)/ && $1 > 0;
    }
    next unless $client && $host;
    s/\s+//;
    s/([0-9a-f]{2})\s?/chr(hex($1))/eg;
    tr/\x1F-\x7E\r\n//cd;
    $packet .= $_;
}

##</code><code>##

root@iceblue:~# perl sn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1024 bytes
192.168.0.249 -> 209.197.123.153        GET /ind P.......GET./ind
192.168.0.249 -> 209.197.123.153        GET /ind P...`...GET./ind
192.168.0.249 -> 209.197.123.153        GET /ind P...X...GET./ind
192.168.0.249 -> 209.197.123.153        GET /ima P.......GET./ima
192.168.0.249 -> 209.197.79.97          GET /i/p P.......GET./i/p
192.168.0.249 -> 66.39.54.27            GET /ima P...;...GET./ima