Monitor All HTTP Requests (like TCPdump) On a Linux Server with httpry

Profile image of Mattias Geniar

Mattias Geniar, August 06, 2015

Follow me on Twitter as @mattiasgeniar

Wouldn’t it be really cool if you could run a tool like tcpdump and see all HTTP requests flowing over the network, in a readable form?

Because let’s be honest, something like this is far from readable.

$ tcpdump -i eth0 port 80 -A
20:56:08.793822 IP 172.28.128.1.49781 > 172.28.128.3.http: Flags [S], seq 1641176060, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1225415667 ecr 0,sackOK,eol], length 0
E..@V.@.@............u.Pa.[..........-.............
...

It tells you that something is flowing over the wire, but you sure as hell can’t read what is going over it. You recognise keywords, but that’s it.

There are tools out there that do a better job, like httpry.

It’s been around long enough to be present in most repositories on Linux servers by now. Install it via your package manager of choice.

$ yum install httpry
$ apt-get install httpry

After you have it installed, you can run it on your server and sniff for HTTP calls.

$ httpry -i eth0
172.28.128.1  172.28.128.3  >  HEAD  ma.ttias.be  /  HTTP/1.1  -    -
172.28.128.3  172.28.128.1  <  -     -            -  HTTP/1.1  301  Moved Permanently

To output above is the result of the following HTTP call.

$ curl -I 172.28.128.3 -H "Host: ma.ttias.be"

It did a HEAD request (-I) and got a 301 HTTP redirect back.

Want to see how many HTTP requests are flowing through per second and which vhost is the most active? Start httpry with the -s parameter.

$ httpry -i eth0 -s
...
2015-08-06 21:06:56	infinite-download.ma.ttias.be	19 rps
2015-08-06 21:06:56	enginehack.ma.ttias.be	61 rps
2015-08-06 21:06:56	totals	30.69 rps
2015-08-06 21:07:01	infinite-download.ma.ttias.be	21 rps
2015-08-06 21:07:01	enginehack.ma.ttias.be	56 rps
2015-08-06 21:07:01	totals	32.41 rps

Every 5 seconds, the output shows the requests made in that last interval. It shows the Host: headers used in that request and the amount of requests that were received.

While it doesn’t work on HTTPS requests, it is a useful tool to have in your arsenal.



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.