How to inspect outgoing HTTP requests of a single application?
My application is sending HTTP requests to some server and I want to see the actual data that it is sending out. Some specifics I would like to see:
- Request method (GET/POST/PUT, etc.)
- Content-type
- Body
What is the best and simplest way to accomplish this?
Well, for all those tcpdump fans =)
RUN ALL THESE COMMANDS AS ROOT !!!
Obtain root in a terminal with
sudo -i
To capture the RAW packets ...
sudo tcpdump -i any -w /tmp/http.log &
This will capture all the raw packets, on all ports, on all interfaces, and write them to a file, /tmp/http.log.
Run your application. It obviously helps if you do not run any other applications that use HTTP (web browsers).
Kill tcpdump
killall tcpdump
To read the log, use the -A flag and pipe the output to less:
tcpdump -A -r /tmp/http.log | less
The -A flag prints out the "payload" or ASCII text in the packets. This sends the output to less, so you can page up and down. To exit less, type Q.
When I go to Google, I see (in the raw packets):
20:42:38.179759 IP ufbt.local.56852 > sea09s02-in-f3.1e100.net.www: Flags [P.], seq 1:587, ack 1, win 913, options [nop,nop,TS val 25523484 ecr 492333202], length 586
E..~.v@[email protected]......!#...P.(.gS.c..............u..Xh.GET /generate_204 HTTP/1.1
Host: clients1.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) rekonq Safari/534.34
Referer: http://www.google.com/
Accept: */*
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-US, en-US; q=0.8, en; q=0.6
Cookie: PREF=ID=dd958d4544461998:FF=0:TM=1323842648:LM=1360205486:S=Fg_QCDsLMr4ZepIo; NID=67=OQJWjIDHG-B8r4EuM19F3g-nkaMcbvYwoY_CsOjzvYTOAxwqAos5kfzsk6Q14E70gIfJjHat8d8PuQIloB12BE-JuSHgsKHR2QSpgN12qSWoxeqhdcSQgzw5CHKtbR_a
tcpdump has a long set of options to refine data collection, from specifying network interfaces to ports to source and destination IP addresses. It can NOT decrypt (so it will not work with HTTPS).
Once you know what you are interested in, you can use a number of options with tcpdump to record only the data of interest. The general strategy is to first record all the packets, review the raw data, and then capture only the packets of interest.
Some helpful flags (options):
-i            Specify an interface, e.g. -i eth0
tcp port xx   e.g. tcp port 80
dst 1.2.3.4   Specify a destination IP address
There is a learning curve, both to using tcpdump and to learning how to analyze the data you collect. For further reading, I highly suggest Daniel Miessler's tcpdump Primer with Examples.
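Added example, not part of the answer above: a small Python reader that pulls the request method, path, Content-Type and body (the three things the question asks for) out of a capture file written by "tcpdump -w", instead of paging through "tcpdump -A" output by hand. It assumes IPv4 over Ethernet or Linux cooked capture (what "-i any" writes), does not reassemble TCP streams, and builds its own constructed sample packet for testing.

```python
import struct

METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"PATCH ", b"OPTIONS ")

def parse_http_request(payload):
    """Split one raw request (the text 'tcpdump -A' shows) into the method,
    path, Content-Type and body the question asks for; None if not a request."""
    if not payload.startswith(METHODS) or b"\r\n\r\n" not in payload:
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path = (lines[0].split(" ") + [""])[:2]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    body = body[:int(headers.get("content-length", len(body)))]
    return {"method": method, "path": path,
            "content_type": headers.get("content-type"), "body": body}

def tcp_payloads(pcap):
    """Yield the TCP payload of each IPv4 packet in a pcap written by 'tcpdump -w'.
    Link types: Ethernet (1) and Linux cooked (113), which '-i any' produces."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    l2_len, ethertype_at = {1: (14, 12), 113: (16, 14)}[linktype]
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[ethertype_at:ethertype_at + 2] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[l2_len:]
        if ip[9] != 6:
            continue  # not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]  # skip IP header (IHL in 32-bit words)
        yield tcp[(tcp[12] >> 4) * 4:]  # skip TCP header (data offset in words)

def http_requests_from_pcap(pcap):
    """Every HTTP request found in the capture, in capture order."""
    return [r for r in map(parse_http_request, tcp_payloads(pcap)) if r]

def build_sample_pcap(payload):
    """Constructed test input: one Linux-cooked IPv4/TCP packet carrying payload."""
    tcp = struct.pack("!HHIIBBHHH", 56852, 80, 1, 1, 5 << 4, 0x18, 913, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + tcp
    frame = struct.pack("!HHH8sH", 4, 1, 6, b"\0" * 8, 0x0800) + ip
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```

Read a real capture with http_requests_from_pcap(open("/tmp/http.log", "rb").read()); a body that spans several TCP segments comes back truncated here, which is what a stream reassembler such as tcpflow solves.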
First install tcpflow from the official Ubuntu repositories:
sudo apt-get install tcpflow
Then run this command to inspect all HTTP requests on the standard port:
sudo tcpflow -p -c port 80