1. Overview

System administrators and end-users can monitor HTTP requests on a network interface for many purposes (like debugging).

In this tutorial, we’ll discuss two programs we can use to monitor HTTP requests and responses on a network interface in real-time.

2. Using tcpflow

The first program that we can use is tcpflow.

2.1. Installing tcpflow

Many Linux distros have tcpflow in their repositories. So, we can install tcpflow using package managers:

# On Debian/Ubuntu/etc
$ sudo apt install tcpflow

# On Fedora/RedHat/CentOS/etc
$ sudo dnf install tcpflow

After that, let’s check if it’s actually installed:

$ tcpflow --version
TCPFLOW 1.5.1

We’ve successfully installed tcpflow.

2.2. Listing All Network Interfaces

Before monitoring, we should find the network interface that we want to monitor. So, let’s call ifconfig to list all network interfaces:

$ ifconfig -a
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
...
wlp0s20f3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.24  netmask 255.255.255.0  broadcast
...

Let’s monitor wlp0s20f3.

2.3. Monitoring a Network Interface

Now that we’ve found the interface, we can monitor it using tcpflow:

$ sudo tcpflow -p -c -i wlp0s20f3 port 80 | grep -oE '(GET|POST) .* HTTP/1.[01]|Host: .*'
reportfilename: ./report.xml
tcpflow: listening on wlp0s20f3
GET /alexlarsson/flatpak/ubuntu/dists/focal/InRelease HTTP/1.1

GET /mirrors.txt HTTP/1.1

In the above command:

  • -p disables promiscuous mode
  • -c prints the output to the console only and doesn’t create files
  • -i specifies the network interface
  • port 80 is the capture filter expression, so only traffic on port 80 (plain HTTP) is captured
  • grep receives the output of tcpflow
  • -o means show only the matching parts of the lines that match the pattern
  • -E means the pattern is an extended regular expression (ERE)

We can see that tcpflow started listening on wlp0s20f3 and found two GET requests.

Moreover, we can add more HTTP methods (like HEAD, PUT, etc) to the grep pattern.
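
The grep filter above prints request lines and Host headers separately. As an added example (not part of the original tutorial), the hypothetical helper http_urls below joins each request line with its Host header into one URL per request and accepts more methods; the sample input is constructed, and in real use the function would receive the output of `sudo tcpflow -p -c -i wlp0s20f3 port 80`:

```shell
#!/bin/sh
# Added example: rebuild "METHOD URL" pairs from tcpflow -c console output.

# Reads tcpflow -c text on stdin. Each request line is remembered until the
# Host header of the same request arrives, then both are printed together.
http_urls() {
    awk '
    { sub(/\r$/, "") }                      # HTTP header lines end in CRLF
    match($0, /(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) [^ ]+ HTTP\/1\.[01]$/) {
        # tcpflow -c may prefix the line with the flow name, so take only
        # the matched part and split it into method, target and version.
        split(substr($0, RSTART, RLENGTH), req, " ")
        pending = 1
        next
    }
    pending && /^Host: / {
        print req[1], "http://" substr($0, 7) req[2]
        pending = 0
    }
    '
}

# Constructed sample input (not captured traffic), shaped like tcpflow -c output.
sample_flow() {
    printf '%s\r\n' \
        '192.168.001.024.40000-091.189.090.008.00080: GET /mirrors.txt HTTP/1.1' \
        'Host: mirrors.ubuntu.com' \
        'User-Agent: example' \
        '' \
        '192.168.001.024.40002-172.217.017.238.00080: HEAD / HTTP/1.1' \
        'Host: google.com' \
        ''
}

sample_flow | http_urls
```

Requests without a Host header (for example, some HTTP/1.0 clients) are not printed by this helper.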

3. Using httpry

In addition, we can use httpry to monitor a network interface.

3.1. Installing httpry

To install httpry, we must build it from the source since it is not available in repositories:

$ git clone https://github.com/jbittel/httpry.git
$ cd httpry
$ make
$ sudo make install

After that, let’s check if it’s installed:

$ httpry -h
httpry version 0.1.8 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2014 Jason Bittel <[email protected]>

We’ve successfully installed httpry from the source.

3.2. Monitoring a Network Interface

To monitor a network interface using httpry, we can run:

$ sudo httpry -i wlp0s20f3
httpry version 0.1.8 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2014 Jason Bittel <[email protected]>
Starting capture on wlp0s20f3 interface
2022-06-22 16:38:12.166	192.168.1.24	172.217.17.238	>	GET	google.com	/	HTTP/1.1	-	-
2022-06-22 16:38:12.199	172.217.17.238	192.168.1.24	<	-	-	-	HTTP/1.0	400	Bad Request
2022-06-22 16:38:23.090	192.168.1.24	172.217.17.238	>	POST	google.com	/	HTTP/1.1	-	-
2022-06-22 16:38:23.163	172.217.17.238	192.168.1.24	<	-	-	-	HTTP/1.1	405	Method Not Allowed

Here, wlp0s20f3 is the network interface that we wanted to monitor. Further, we can see that httpry detected one GET request, one POST request, and two server responses.

3.3. Monitoring Particular HTTP Methods

We can also specify the HTTP request methods that we want to monitor:

$ sudo httpry -i wlp0s20f3 -m post
httpry version 0.1.8 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2014 Jason Bittel <[email protected]>
Starting capture on wlp0s20f3 interface
2022-06-22 16:26:47.516	192.168.1.24	172.217.17.238	>	POST	google.com	/	HTTP/1.1	-	-
2022-06-22 16:26:47.582	172.217.17.238	192.168.1.24	<	-	-	-	HTTP/1.1	405	Method Not Allowed

This time, httpry detected one POST request and one server response.

3.4. Saving the Output

To save the captured packets in a human-readable format, we can add -o:

$ sudo httpry -i wlp0s20f3 -o human.txt

After that, human.txt will contain the captured packets.

Moreover, we can save the captured packets in a binary file that can be read by httpry later using the -b option:

$ sudo httpry -i wlp0s20f3 -b binary.o

After that, we can use httpry itself to read the output:

$ httpry -r binary.o
...
2022-06-19 05:23:21.771	192.168.1.24	91.189.90.8	>	GET	mirrors.ubuntu.com	/mirrors.txt	HTTP/1.1	-	-
2022-06-19 05:23:21.822	192.168.1.24	185.125.190.52	>	GET	ppa.launchpad.net	/alexlarsson/flatpak/ubuntu/dists/focal/InRelease	HTTP/1.1	-	-
2022-06-19 05:23:21.832	91.189.90.8	192.168.1.24	<	-	-	-	HTTP/1.1	416	Requested Range Not Satisfiable

httpry read the binary file and printed the captured packets on the screen.
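
The log lines shown above are tab-separated, which makes them easy to post-process. As an added example (not part of the original tutorial or of httpry), the hypothetical helper httpry_errors below reads such lines, for instance piped from `httpry -r binary.o`, and reports every response with a status of 400 or higher next to the request that most likely caused it. Because these lines carry no port numbers, matching a response to the latest request between the same two addresses is an assumption of this sketch:

```shell
#!/bin/sh
# Added example: list HTTP error responses from httpry's tab-separated log.
# Field order as printed on this page: timestamp, source IP, destination IP,
# direction, method, host, URI, HTTP version, status code, reason phrase.

httpry_errors() {
    awk -F '\t' '
    # Request line: remember it under "client, server".
    $4 == ">" { last[$2 SUBSEP $3] = $5 " " $6 $7; next }
    # Response line with an error status: look up the request that went
    # the other way (heuristic, the log has no ports to match on).
    $4 == "<" && $9 + 0 >= 400 {
        key = $3 SUBSEP $2
        req = (key in last) ? last[key] : "(request not captured)"
        print $9, req
    }
    '
}

# Sample lines in the format shown above; the final 200 response is constructed.
sample_log() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        '2022-06-19 05:23:21.771' 192.168.1.24 91.189.90.8 '>' \
            GET mirrors.ubuntu.com /mirrors.txt HTTP/1.1 - - \
        '2022-06-19 05:23:21.822' 192.168.1.24 185.125.190.52 '>' \
            GET ppa.launchpad.net /alexlarsson/flatpak/ubuntu/dists/focal/InRelease HTTP/1.1 - - \
        '2022-06-19 05:23:21.832' 91.189.90.8 192.168.1.24 '<' \
            - - - HTTP/1.1 416 'Requested Range Not Satisfiable' \
        '2022-06-19 05:23:21.900' 185.125.190.52 192.168.1.24 '<' \
            - - - HTTP/1.1 200 OK
}

sample_log | httpry_errors
```

Banner lines such as "Starting capture on ..." contain no direction field and are skipped automatically.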

4. Conclusion

Users may need to monitor a specific network interface for many reasons. Here, we learned how to use two programs, tcpflow and httpry, to monitor HTTP requests and responses on a network interface in real time.
