Wouldn’t it be really cool if you could run a tool like
tcpdump and see all HTTP requests flowing over the network, in a readable form?
Because let’s be honest, something like this is far from readable.
$ tcpdump -i eth0 port 80 -A 20:56:08.793822 IP 172.28.128.1.49781 > 172.28.128.3.http: Flags [S], seq 1641176060, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1225415667 ecr 0,sackOK,eol], length 0 E..@V.@.@............u.Pa.[..........-............. ...
It tells you that something is flowing over the wire, but you sure as hell can’t read what is going over it. You recognise keywords, but that’s it.
There are tools out there that do a better job, like httpry.
It’s been around long enough to be present in most repositories on Linux servers by now. Install it via your package manager of choice.
$ yum install httpry $ apt-get install httpry
After you have it installed, you can run it on your server and sniff for HTTP calls.
$ httpry -i eth0 172.28.128.1 172.28.128.3 > HEAD ma.ttias.be / HTTP/1.1 - - 172.28.128.3 172.28.128.1 < - - - HTTP/1.1 301 Moved Permanently
To output above is the result of the following HTTP call.
$ curl -I 172.28.128.3 -H "Host: ma.ttias.be"
It did a HEAD request (
-I) and got a 301 HTTP redirect back.
Want to see how many HTTP requests are flowing through per second and which vhost is the most active? Start
httpry with the
$ httpry -i eth0 -s ... 2015-08-06 21:06:56 infinite-download.ma.ttias.be 19 rps 2015-08-06 21:06:56 enginehack.ma.ttias.be 61 rps 2015-08-06 21:06:56 totals 30.69 rps 2015-08-06 21:07:01 infinite-download.ma.ttias.be 21 rps 2015-08-06 21:07:01 enginehack.ma.ttias.be 56 rps 2015-08-06 21:07:01 totals 32.41 rps
Every 5 seconds, the output shows the requests made in that last interval. It shows the
Host: headers used in that request and the amount of requests that were received.
While it doesn’t work on HTTPS requests, it is a useful tool to have in your arsenal.