How to sniff HTTP traffic under Linux


Sometimes you need to sniff HTTP traffic, so how do you do that under Linux? This short tutorial introduces a tool for sniffing HTTP traffic on a Linux system: httpry. Let's get to know it.

httpry captures HTTP packets on the network in real time and displays their content at the HTTP protocol level in a human-readable format. In this tutorial we will look at how to use httpry to sniff HTTP traffic.

Suppose you want to sniff live HTTP web traffic (HTTP requests and responses) on the network for some reason. For example, you might be testing experimental features of a web server, debugging a web application or a REST service, troubleshooting a PAC (proxy auto-configuration) file, or checking whether any malware files are being quietly downloaded from a website. Whatever the reason, sniffing HTTP traffic can help system administrators, developers, and even end users.

While packet sniffing tools such as tcpdump are widely used for real-time packet dumps, you still need to set up a suitable filter to capture only HTTP traffic, and even then their raw output is not easy to interpret at the HTTP protocol level. Real-time web server log analysis tools such as ngxtop provide human-readable traces of live website traffic, but only if you have full access to the live web server logs.

Although tcpdump is a good general-purpose sniffer, what we want here is a sniffer dedicated to HTTP traffic. httpry is exactly that kind of HTTP packet sniffing tool.

Installing httpry on Linux

On Debian-based systems (Ubuntu or Linux Mint), httpry is not in the default package repositories, so build it from source:

    $ sudo apt-get install gcc make git libpcap0.8-dev
    $ git clone https://github.com/jbittel/httpry.git
    $ cd httpry
    $ make
    $ sudo make install

On Fedora, CentOS or RHEL, you can install httpry with yum as shown below. On CentOS/RHEL, first enable the EPEL repository and then run yum.

    $ sudo yum install httpry

If you would rather build httpry from source on an RPM-based system, that is easy too; just run:

    $ sudo yum install gcc make git libpcap-devel
    $ git clone https://github.com/jbittel/httpry.git
    $ cd httpry
    $ make
    $ sudo make install

Basic usage of httpry

The basic usage of httpry is as follows:

    $ sudo httpry -i "network-interface"

httpry then listens on the specified network interface and displays the captured HTTP requests and responses in real time.

However, in most cases, because so many packets are flowing in and out, the output scrolls by too fast to read. So you will usually want to save the captured HTTP packets for offline analysis. To do this, use the “-b” or “-o” option. The “-b” option saves the raw HTTP packets to a binary file that httpry can play back later. The “-o” option, on the other hand, saves httpry's human-readable output to a text file.

To save the raw HTTP packets to a binary file:

    $ sudo httpry -i eth0 -b output.dump

To play back the saved HTTP packets:

    $ httpry -r output.dump

Please note: when you read a dump file with the “-r” option, you do not need root privileges.

To save httpry's output to a text file:

    $ sudo httpry -i eth0 -o output.txt

Advanced usage of httpry

If you only want to monitor specific HTTP methods (such as GET, POST, PUT, HEAD or CONNECT), you can use the “-m” option:

    $ sudo httpry -i eth0 -m get,head

If you downloaded the httpry source code, you will notice that it comes with a set of Perl scripts that help analyze httpry's output. These scripts live in the httpry/scripts/plugins directory. If you want to write a custom script to analyze httpry's output, they are good examples to refer to. Some of them are:

•hostnames: Displays a list of unique host names with their counts.

•find_proxies: Detects web proxy systems.

•search_terms: Finds and counts the search terms entered into search services.

•content_analysis: Finds URLs containing specific keywords.

•xml_output: Converts the output to XML format.

•log_summary: Generates a log summary.

•db_dump: Dumps the log file data into a MySQL database.

Before using these scripts, run httpry with the “-o” option for a while. Once you have an output file, run the scripts with the following commands:

    $ cd httpry/scripts
    $ perl parse_log.pl -d ./plugins "httpry-output-file"

You may see warnings from some plugins. For example, if you have not created a MySQL database reachable through the DBI interface, the db_dump plugin will fail. A plugin that fails to initialize is disabled automatically, so you can ignore those warning messages.

After parse_log.pl finishes, you will find a number of analysis results (*.txt/*.xml) in the httpry/scripts directory. For example, log_summary.txt looks like this:
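You do not have to use the Perl plugins to analyze the “-o” text output; a few lines in another language do the same job. The following Python script is an added example, not part of the original tutorial or of the httpry project. It assumes httpry's default output layout (a “# Fields:” comment line followed by tab-separated records) and uses a constructed sample log instead of a real capture; it counts hosts, methods and status codes much like the hostnames and log_summary plugins, and additionally lists requests whose Host header is a bare IP address, which is the kind of entry worth a second look when hunting for quiet downloads.

```python
"""Parse httpry -o text output and summarise it (added example, not from the
httpry project). Assumes httpry's default output: a '# Fields:' header line
followed by tab-separated records; SAMPLE_LOG below is constructed."""
import ipaddress
from collections import Counter

DEFAULT_FIELDS = ("timestamp,source-ip,dest-ip,direction,method,host,"
                  "request-uri,http-version,status-code,reason-phrase").split(",")

SAMPLE_LOG = """# httpry version 0.1.8 (constructed sample, not a real capture)
# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase
2014/06/10 13:45:01\t192.168.1.5\t93.184.216.34\t>\tGET\texample.com\t/index.html\tHTTP/1.1\t-\t-
2014/06/10 13:45:01\t93.184.216.34\t192.168.1.5\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
2014/06/10 13:45:02\t192.168.1.5\t93.184.216.34\t>\tPOST\texample.com\t/login\tHTTP/1.1\t-\t-
2014/06/10 13:45:02\t93.184.216.34\t192.168.1.5\t<\t-\t-\t-\tHTTP/1.1\t302\tFound
2014/06/10 13:45:05\t192.168.1.5\t198.51.100.7\t>\tGET\t198.51.100.7\t/update.exe\tHTTP/1.0\t-\t-
2014/06/10 13:45:05\t198.51.100.7\t192.168.1.5\t<\t-\t-\t-\tHTTP/1.0\t404\tNot Found
"""

def parse_httpry(text):
    """Yield one dict per record; honour a '# Fields:' header (custom -f formats)."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("# Fields:"):
            fields = line.split(":", 1)[1].strip().split(",")
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue  # skip truncated or malformed lines
        yield dict(zip(fields, parts))

def summarize(text):
    """Counts like the hostnames/log_summary plugins, plus requests to bare-IP hosts."""
    hosts, methods, statuses, ip_requests = Counter(), Counter(), Counter(), []
    for rec in parse_httpry(text):
        if rec["direction"] == ">":  # client request
            hosts[rec["host"]] += 1
            methods[rec["method"]] += 1
            try:  # a Host header that is an IP literal rather than a name
                ipaddress.ip_address(rec["host"])
                ip_requests.append(rec["host"] + rec["request-uri"])
            except ValueError:
                pass
        elif rec["direction"] == "<":  # server response
            statuses[rec["status-code"]] += 1
    return {"hosts": hosts, "methods": methods, "statuses": statuses,
            "ip_requests": ip_requests}
```

Pass the text of a real “-o” output file to summarize() to get the same counters for your own capture.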

All in all, if you need to interpret HTTP packets in real time, httpry will help you a great deal. Ordinary Linux users may not need to interpret live HTTP packets very often, but it does no harm to be prepared.

That is our introduction to sniffing HTTP traffic with the httpry tool under Linux. Besides sniffing HTTP traffic live, httpry can also capture HTTP packets to a file for later playback. Quite practical, isn't it? Give it a try.
