How to inspect outgoing HTTP requests of a single application?

Well, for all those tcpdump fans =)

RUN ALL THESE COMMANDS AS ROOT !!!

Obtain root in a terminal with

sudo -i

To capture the RAW packets ...

sudo tcpdump -i any -w /tmp/http.log &

This will capture all the raw packets, on all ports, on all interfaces and write them to a file, /tmp/http.log.

Run your application. It obviously helps if you do not run any other applications that use HTTP (web browsers).

Kill tcpdump

killall tcpdump

To read the log, use the -A flag and pipe the output to less:

tcpdump -A -r /tmp/http.log | less

The -A flag prints out the "payload" or ASCII text in the packets. This will send the output to less, so you can page up and down. To exit less, type Q.

When I go to Google, I see (in the raw packets):

20:42:38.179759 IP ufbt.local.56852 > sea09s02-in-f3.1e100.net.www: Flags [P.], seq 1:587, ack 1, win 913, options [nop,nop,TS val 25523484 ecr 492333202], length 586
E..~.v@[email protected]......!#...P.(.gS.c..............u..Xh.GET /generate_204 HTTP/1.1
Host: clients1.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) rekonq Safari/534.34
Referer: http://www.google.com/
Accept: */*
Accept-Encoding: gzip, deflate, x-gzip, x-deflate
Accept-Charset: utf-8,*;q=0.5
Accept-Language: en-US, en-US; q=0.8, en; q=0.6
Cookie: PREF=ID=dd958d4544461998:FF=0:TM=1323842648:LM=1360205486:S=Fg_QCDsLMr4ZepIo; NID=67=OQJWjIDHG-B8r4EuM19F3g-nkaMcbvYwoY_CsOjzvYTOAxwqAos5kfzsk6Q14E70gIfJjHat8d8PuQIloB12BE-JuSHgsKHR2QSpgN12qSWoxeqhdcSQgzw5CHKtbR_a

tcpdump has a long set of options to refine data collection from specifying network interfaces to ports to source and destination IP addresses. It can NOT decrypt (so it will not work with HTTPS).

Once you know what you are interested in, you can use a number of options with tcpdump to record only the data of interest. The general strategy is to first record all the packets, review the raw data, and then capture only the packets of interest.

Some helpful flags (options):

-i            Specify an interface, e.g. -i eth0
tcp port xx   Specify a TCP port, e.g. tcp port 80
dst 1.2.3.4   Specify a destination IP address

There is a learning curve, both to using tcpdump and learning how to analyze the data you collect. For further reading, I highly suggest Daniel Miessler's tcpdump Primer with Examples.
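As an added example (not code from any answer here), the following Python script turns the text output of `tcpdump -A -r /tmp/http.log` into a per-request summary: which Host each request went to and whether it carried a Cookie header in cleartext, which is usually what you want to know when reviewing what an application sends over plain HTTP. The sample capture embedded below is constructed to look like the output shown above.

```python
"""Summarise HTTP requests found in the text output of `tcpdump -A -r file`."""
import re
from collections import Counter

# Constructed sample of `tcpdump -A` output: two HTTP requests and one bare ACK.
SAMPLE = """\
20:42:38.179759 IP ufbt.local.56852 > sea09s02-in-f3.1e100.net.www: Flags [P.], seq 1:587, ack 1, win 913, length 586
E..~.v@.@.......GET /generate_204 HTTP/1.1
Host: clients1.google.com
Connection: keep-alive
Cookie: PREF=ID=example
20:42:38.201122 IP sea09s02-in-f3.1e100.net.www > ufbt.local.56852: Flags [.], ack 587, win 1000, length 0
E..4..@.@.......
20:42:39.000000 IP ufbt.local.56853 > example.org.www: Flags [P.], seq 1:100, ack 1, win 913, length 99
E..~.v@.@.......POST /api/report HTTP/1.1
Host: example.org
Content-Length: 12
"""

# A packet starts with a timestamp line; everything until the next one is its payload.
PACKET_HEADER = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP (\S+) > (\S+): ")
REQUEST_LINE = re.compile(r"(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]")

def split_packets(text):
    packets = []
    for line in text.splitlines():
        m = PACKET_HEADER.match(line)
        if m:
            packets.append({"src": m.group(1), "dst": m.group(2), "lines": []})
        elif packets:
            packets[-1]["lines"].append(line)
    return packets

def extract_requests(text):
    requests = []
    for pkt in split_packets(text):
        # The request line shares its line with the IP/TCP header printed as ASCII junk.
        idx = next((i for i, l in enumerate(pkt["lines"]) if REQUEST_LINE.search(l)), None)
        if idx is None:
            continue
        m = REQUEST_LINE.search(pkt["lines"][idx])
        headers = {}
        for line in pkt["lines"][idx + 1:]:
            name, sep, value = line.partition(": ")
            if sep:
                headers[name.lower()] = value
        requests.append({"src": pkt["src"], "dst": pkt["dst"],
                         "method": m.group(1), "path": m.group(2),
                         "host": headers.get("host", ""),
                         "has_cookie": "cookie" in headers})
    return requests

def hosts_seen(text):
    """Count requests per Host header: a quick view of where the application talks to."""
    return Counter(r["host"] for r in extract_requests(text))

if __name__ == "__main__":
    for r in extract_requests(SAMPLE):
        print(f'{r["method"]} {r["path"]} host={r["host"]} cookie={r["has_cookie"]}')
```

Replace `SAMPLE` with `open("/tmp/capture.txt").read()` after saving `tcpdump -A -r /tmp/http.log > /tmp/capture.txt` to run it over a real capture.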


First install tcpflow from Ubuntu official repositories:

sudo apt-get install tcpflow

Then run this command to inspect all HTTP requests on standard port:

sudo tcpflow -p -c port 80

I would suggest that you try Wireshark (Install Wireshark).

Please note that Wireshark is quite advanced, and so may take a bit of getting used to. I have not used it for a few years, but it should still be perfect for what you are after - if not a bit too full of features.

Information about Wireshark and how to use it can be found at the Wireshark homepage.
