Home / ubuntu / Questions / 252179
Accepted
megas
Asked: 2013-02-07 15:27:24 +0800 CST

How to inspect outgoing HTTP requests of a single application?

  • 772

My application is sending HTTP requests to some server and I want to see the actual data that it is sending out. Some specifics I would like to see:

  • Request method (GET/POST/PUT, etc.)
  • Content-type
  • Body

What is the best and simple way to accomplish this?

networking

4 Answers

  1. Best Answer

    Well, for all those tcpdump fans =)

    RUN ALL THESE COMMANDS AS ROOT !!!

    Obtain root in a terminal with

    sudo -i

    To capture the RAW packets ...

    sudo tcpdump -i any -w /tmp/http.log &

    This will capture all the raw packets, on all ports, on all interfaces and write them to a file, /tmp/http.log.

    Run your application. It obviously helps if you do not run any other applications that use HTTP (web browsers).

    Kill tcpdump

    killall tcpdump

    To read the log, use the -A flag and pipe the output toless:

    tcpdump -A -r /tmp/http.log | less

    The -A flag prints out the "payload" or ASCII text in the packets. This will send the output to less, you can page up and down. To exit less, type Q.

    When I go to Google, I see (in the raw packets):

    20:42:38.179759 IP ufbt.local.56852 > sea09s02-in-f3.1e100.net.www: Flags [P.], seq 1:587, ack 1, win 913, options [nop,nop,TS val 25523484 ecr 492333202], length 586
E..~.v@[email protected]......!#...P.(.gS.c..............u..Xh.GET /generate_204 HTTP/1.1
Host: clients1.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) rekonq Safari/534.34
Referer: http://www.google.com/
Accept: */*
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-US, en-US; q=0.8, en; q=0.6
Cookie: PREF=ID=dd958d4544461998:FF=0:TM=1323842648:LM=1360205486:S=Fg_QCDsLMr4ZepIo; NID=67=OQJWjIDHG-B8r4EuM19F3g-nkaMcbvYwoY_CsOjzvYTOAxwqAos5kfzsk6Q14E70gIfJjHat8d8PuQIloB12BE-JuSHgsKHR2QSpgN12qSWoxeqhdcSQgzw5CHKtbR_a

    tcpdump has a long set of options to refine data collection from specifying network interfaces to ports to source and destination IP addresses. It can NOT decrypt (so it will not work with HTTPS).

    Once you know what you are interested in, you can use a number of options with tcpdump to record only the data of interest. The general strategy is to first record all the packets, review the raw data, and then capture only the packets of interest.

    Some helpful flags (options):

    -i Specify an interface
-i eth0

tcp port xx
tcp port 80

dst 1.2.3.4
specify a destination ip address

    There is a learning curve, both to using tcpdump and learning how to analyze the data you collect. For further reading, I highly suggest Daniel Miessler's tcpdump Primer with Examples.

    • 87

  2. First install tcpflow from Ubuntu official repositories:

    sudo apt-get install tcpflow

    Then run this command to inspect all HTTP requests on standard port:

    sudo tcpflow -p -c port 80
    • 28

  3. I would suggest that you try Wireshark Install Wireshark

    Please note that Wireshark is quite advanced, and so may take a bit of getting used to. I have not used it for a few years, but it should still be perfect for what you are after - if not a bit too full of features.

    Information about Wireshark and how to use it can be found at the Wireshark homepage.

    • 14

  4. Also possible with command, which gives tidy output, even for SSL:

    sudo tcpdump dst port 80
    • 7