How to inspect outgoing HTTP requests of a single application?

My application is sending HTTP requests to some server and I want to see the actual data that it is sending out. Some specifics I would like to see:

  • Request method (GET/POST/PUT, etc.)
  • Content-type
  • Body

What is the best and simple way to accomplish this?


Well, for all those tcpdump fans =)

RUN ALL THESE COMMANDS AS ROOT !!!

Obtain root in a terminal with

sudo -i

To capture the RAW packets ...

sudo tcpdump -i any -w /tmp/http.log &

This will capture all the raw packets, on all ports, on all interfaces and write them to a file, /tmp/http.log.

Run your application. It obviously helps if you do not run any other applications that use HTTP (web browsers).

Kill tcpdump

killall tcpdump

To read the log, use the -A flag and pipe the output toless:

tcpdump -A -r /tmp/http.log | less

The -A flag prints out the "payload" or ASCII text in the packets. This will send the output to less, you can page up and down. To exit less, type Q.

When I go to Google, I see (in the raw packets):

20:42:38.179759 IP ufbt.local.56852 > sea09s02-in-f3.1e100.net.www: Flags [P.], seq 1:587, ack 1, win 913, options [nop,nop,TS val 25523484 ecr 492333202], length 586
E..~.v@[email protected]......!#...P.(.gS.c..............u..Xh.GET /generate_204 HTTP/1.1
Host: clients1.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) rekonq Safari/534.34
Referer: http://www.google.com/
Accept: */*
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-US, en-US; q=0.8, en; q=0.6
Cookie: PREF=ID=dd958d4544461998:FF=0:TM=1323842648:LM=1360205486:S=Fg_QCDsLMr4ZepIo; NID=67=OQJWjIDHG-B8r4EuM19F3g-nkaMcbvYwoY_CsOjzvYTOAxwqAos5kfzsk6Q14E70gIfJjHat8d8PuQIloB12BE-JuSHgsKHR2QSpgN12qSWoxeqhdcSQgzw5CHKtbR_a

tcpdump has a long set of options to refine data collection from specifying network interfaces to ports to source and destination IP addresses. It can NOT decrypt (so it will not work with HTTPS).

Once you know what you are interested in, you can use a number of options with tcpdump to record only the data of interest. The general strategy is to first record all the packets, review the raw data, and then capture only the packets of interest.

Some helpful flags (options):

-i Specify an interface
-i eth0

tcp port xx
tcp port 80

dst 1.2.3.4
specify a destination ip address

There is a learning curve, both to using tcpdump and learning how to analyze the data you collect. For further reading, I highly suggest Daniel Miessler's tcpdump Primer with Examples.


First install tcpflow from Ubuntu official repositories:

sudo apt-get install tcpflow

Then run this command to inspect all HTTP requests on standard port:

sudo tcpflow -p -c port 80