Human readable format for http headers with tcpdump

Question

I would like to view the HTTP headers sent from Apache (listening on port 80) to Tomcat (on port 4080) in a Linux machine.

According to Wikipedia,

Header fields are colon-separated name-value pairs in clear-text string format.

I've tried some variations of the following tcpdump command:

$ sudo tcpdump -lnX dst port 4080 -c 10

11:29:28.605894 IP SOME_IP.33273 > SOME_IP.4080: P 0:49(49) ack 1 win 23 <nop,nop,timestamp 1191760962 509391143>
    0x0000:  4500 0065 3a9f 4000 3f06 0084 628a 9ec4  E..e:.@.?...b...
    0x0010:  628a 9c97 81f9 0ff0 9e87 eee0 144b 90e1  b............K..
    0x0020:  8018 0017 fb43 0000 0101 080a 4708 d442  .....C......G..B
    0x0030:  1e5c b127 4845 4144 202f 6461 7070 6572  .\.'HEAD./dapper
    0x0040:  5f73 6572 7669 6e67 2f41 644d 6f6e 6b65  _serving/AdMonke
    0x0050:  793f                                     y?

The result was always the same - a strange mix of gibberish and English words (e.g. HEAD).

How can I view the headers in a human-readable format?

Tcpdump shows the entire packet. This includes the IP, and TCP headers. AFAIK, you can't display just the TCP payload. — Zoredache, May 02 '13 at 15:29
Please also check https://www.fir3net.com/UNIX/Linux/how-to-display-http-headers-using-tcpdump.html I was missing — bladeWalker, Jan 21 '20 at 20:28

score 112 · Accepted Answer · edited May 23 '17 at 12:41

Here's a one-liner I came up with for displaying request and response HTTP headers using tcpdump (which should work for your case too):

sudo tcpdump -A -s 10240 'tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | egrep --line-buffered "^........(GET |HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/^........(GET |HTTP\/|POST |HEAD )/\n\1/g'

It limits cuts the packet off at 10Kb and only knows GET, POST and HEAD commands, but that should be enough in the majority of cases.

EDIT: modified it to get rid of the buffers at every step to make it more responsive. Needs Perl and stdbuf now though, so use the original version if you don't have those: EDIT: Changed script port targets from 80 to 4080, to actually listen for traffic that went through apache already, instead of direct outside traffic arriving to port 80:

sudo stdbuf -oL -eL /usr/sbin/tcpdump -A -s 10240 "tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" | egrep -a --line-buffered ".+(GET |HTTP\/|POST )|^[A-Za-z0-9-]+: " | perl -nle 'BEGIN{$|=1} { s/.*?(GET |HTTP\/[0-9.]* |POST )/\n$1/g; print }'

Some explanations:

sudo stdbuf -oL -eL makes tcpdump run line-buffered
the tcpdump magic filter is explained in detail here: https://stackoverflow.com/questions/11757477/understanding-tcpdump-filter-bit-masking
grep is looking for any lines with GET, HTTP/ or POST; or any lines that look like a header (letters and numbers followed by colon)
BEGIN{$|=1} causes perl to run line-buffered
s/.*?(GET |HTTP/[0-9.]* |POST )/\n$1/g adds a newline before the beginning of every new request or response

Works great. Could you please add more details on how that tcpdump expression work? — Vivek Thomas, Oct 04 '14 at 04:54
the 'ip' part in parens is explained here, for example: http://stackoverflow.com/questions/11757477/understanding-tcpdump-filter-bit-masking — Kibber, May 27 '15 at 01:11
Wow, I think `stdbuf | egrep | perl` just made WireShark obsolete awesome oneliner — conny, Mar 11 '20 at 10:58

score 23 · Answer 2 · answered May 02 '13 at 11:48

23

You can get something close to what you want by using -A, e.g.

E....c@.@...
.....Ng.d.P..Ch.).....s.......
.A...u.BHEAD / HTTP/1.1
User-Agent: curl/7.29.0
Host: www.google.com
Accept: */*

Remember to use -s 0 to make sure you get the whole packet.

Alternatively you could use wireshark to view the headers interactively.

answered May 02 '13 at 11:48

Flup

7,688
1
31
43

2

Tried `-A` and `-s 0`, got the same output. – Adam Matan May 02 '13 at 11:51
3

Try without `-X`. – Flup May 02 '13 at 11:52
`tcpdump -s 0 -A dst port 4080` gives `E..e..@.?.$bb...b....:......w........Q.....G..1.b..HEAD /dapper_serving/AdMonkey?ping=1 HTTP/1.0`. – Adam Matan May 02 '13 at 11:56
...which is something close to what you want. Read from 'HEAD' -- this is the HTTP payload. If you've definitely used `-s 0` and there's nothing after `HTTP/1.0`, there are no HTTP headers in the request. – Flup May 03 '13 at 07:00
thanks. Is there a way to print only the text headers, sans the binary payload? – Adam Matan May 03 '13 at 12:47

score 0 · Answer 3 · answered May 02 '13 at 11:51

0

Try to use http://justniffer.sourceforge.net/ It is better tool or Wireshark with "Follow TCP Flow" option, there are just many better options than tcpdump to see headers (requests/responses)

answered May 02 '13 at 11:51

Danila Ladner

5,241
21
30

4

Maybe add an example as well of how to get this working – vikas027 Mar 24 '18 at 05:09
Maybe you can read a man page? http://justniffer.sourceforge.net/#!/man_page – Danila Ladner Mar 25 '18 at 03:06

Human readable format for http headers with tcpdump

3 Answers3