Human readable format for http headers with tcpdump

httphttp-headersrhel6tcpdump

I would like to view the HTTP headers sent from Apache (listening on port 80) to Tomcat (on port 4080) in a Linux machine.

According to Wikipedia,

Header fields are colon-separated name-value pairs in clear-text string format.

I've tried some variations of the following tcpdump command:

$ sudo tcpdump -lnX dst port 4080 -c 10

11:29:28.605894 IP SOME_IP.33273 > SOME_IP.4080: P 0:49(49) ack 1 win 23 <nop,nop,timestamp 1191760962 509391143>
    0x0000:  4500 0065 3a9f 4000 3f06 0084 628a 9ec4  E..e:.@.?...b...
    0x0010:  628a 9c97 81f9 0ff0 9e87 eee0 144b 90e1  b............K..
    0x0020:  8018 0017 fb43 0000 0101 080a 4708 d442  .....C......G..B
    0x0030:  1e5c b127 4845 4144 202f 6461 7070 6572  .\.'HEAD./dapper
    0x0040:  5f73 6572 7669 6e67 2f41 644d 6f6e 6b65  _serving/AdMonke
    0x0050:  793f                                     y?

The result was always the same – a strange mix of gibberish and English words (e.g. HEAD).

How can I view the headers in a human-readable format?

Best Answer

Here's a one-liner I came up with for displaying request and response HTTP headers using tcpdump (which should work for your case too):

sudo tcpdump -A -s 10240 'tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | egrep --line-buffered "^........(GET |HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/^........(GET |HTTP\/|POST |HEAD )/\n\1/g'

It limits cuts the packet off at 10Kb and only knows GET, POST and HEAD commands, but that should be enough in the majority of cases.

EDIT: modified it to get rid of the buffers at every step to make it more responsive. Needs Perl and stdbuf now though, so use the original version if you don't have those: EDIT: Changed script port targets from 80 to 4080, to actually listen for traffic that went through apache already, instead of direct outside traffic arriving to port 80:

sudo stdbuf -oL -eL /usr/sbin/tcpdump -A -s 10240 "tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" | egrep -a --line-buffered ".+(GET |HTTP\/|POST )|^[A-Za-z0-9-]+: " | perl -nle 'BEGIN{$|=1} { s/.*?(GET |HTTP\/[0-9.]* |POST )/\n$1/g; print }'

Some explanations:

sudo stdbuf -oL -eL makes tcpdump run line-buffered
the tcpdump magic filter is explained in detail here: https://stackoverflow.com/questions/11757477/understanding-tcpdump-filter-bit-masking
grep is looking for any lines with GET, HTTP/ or POST; or any lines that look like a header (letters and numbers followed by colon)
BEGIN{$|=1} causes perl to run line-buffered
s/.*?(GET |HTTP/[0-9.]* |POST )/\n$1/g adds a newline before the beginning of every new request or response

Related Solutions

Monitoring HTTP traffic using tcpdump

tcpdump prints complete packets. "Garbage" you see are actually TCP package headers.

you can certainly massage the output with i.e. a perl script, but why not use tshark, the textual version of wireshark instead?

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

it takes the same arguments as tcpdump (same library) but since its an analyzer it can do deep packet inspection so you can refine your filters even more, i.e.

tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R'http.request.method == "GET" || http.request.method == "HEAD"'

Linux – How to make tcpdump not print the tcp headers

As Josh suggests, tcpflow can print just the TCP packet data to a file or STDOUT. You can pipe tcpdump to tcpflow like this:

tcpdump -i lo -l -w - port 23 | tcpflow -C -r -

To only view one side of the conversation, you can use filters for tcpdump, e.g. dst port 23.

Best Answer

Related Solutions

Monitoring HTTP traffic using tcpdump

Linux – How to make tcpdump not print the tcp headers

Related Topic