Is it possible to dump entire HTTP requests with Apache? I need to track all HTTP headers of incoming requests. How can I do that?
5 Answers
I think what you want instead of Apache might be a packet analyzer, also known as a packet sniffer. Two of the most popular ones are probably TCPDump and Wireshark, both of which are free and have versions for Windows and *nix operating systems. These will show you all traffic coming in on an interface, not just what Apache sees. But you can use filters to restrict to a specified port, such as 80 for HTTP.
tcpdump:
The following command run from the server will show you all packets destined for port 80:
sudo tcpdump -s 0 -X 'tcp dst port 80'
The capital X switch dumps the payload in hex and ASCII. The s switch with 0 means to get the whole packet. 'tcp dst port 80' means to filter and only show packets destined for port 80 in the tcp header.
Wireshark:
For the more user-friendly version, if you have a GUI running, consider Wireshark (formerly known as Ethereal).
Thanks Kyle, how do I extract HTTP header information from tcpdump's output? – Alex Aug 07 '09 at 12:37
Alex: You know what, Wireshark will make that a lot easier. You can use the -r *filename* to save the dump to a file, and then open it with Wireshark on your desktop. – Kyle Brandt Aug 07 '09 at 12:39
Oh, and drop the 'dst' if you want the replies as well. – Kyle Brandt Aug 07 '09 at 12:48
`-A` for text-only (no hex dump): `sudo tcpdump -A -s 0 'tcp dst port 80'` – Brent Faust Jan 20 '15 at 22:35
Maybe dumping of cookies? Otherwise, look at mod_dumpio.
mod_dumpio sounds cool! Probably the easier way to dump the information if using SSL (although Wireshark can do that too). +1 :-) – Kyle Brandt Aug 07 '09 at 12:36
Basic packet sniffing is easy with ngrep, a hybrid of tcpdump and grep.
It is useful in certain scenarios, such as when you want to see how web browsers communicate with web servers and to inspect the HTTP headers.
In this example, run an ngrep on a webserver like this:
$ ngrep port 80
You can also choose to filter the HTTP requests down to the "GET /" requests to port 80 with:
$ ngrep -q '^GET .* HTTP/1.[01]'
Client side, there is a useful tool named Tamper Data. It is a Firefox extension which gives you the power to view, record and even modify outgoing HTTP requests.
You can find more information here
Rather than using tcpdump or Wireshark, use tcpflow. It is a drop-in replacement for tcpdump, but creates a file for each side of every connection, so you don't have to attempt to decode the stream yourself.
Thanks for this. I'm using mod_negotiate and my curl() picked up .bak files in preference to .php while browsers found the .php. A hard nut to crack. – mckenzm May 05 '16 at 08:06
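For the header-extraction question raised in the comments above, here is an added example (not code from any of the answers) that parses the client-side byte stream of one connection, such as a per-direction file written by tcpflow, into request lines and headers, masking credential-bearing headers so the dump can be stored. The function name, the redaction list and the sample bytes are assumptions made for illustration; only HTTP/1.x requests with Content-Length bodies are handled.

```python
import re

# Headers whose values are credentials; masked so the dump is safe to store.
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def parse_client_stream(data: bytes, redact: bool = True) -> list[dict]:
    """Split one client-to-server byte stream into its HTTP/1.x requests."""
    # Each result holds method, target, version and headers in wire order.
    requests, pos = [], 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # truncated capture: header block never finished
        lines = data[pos:end].split(b"\r\n")
        if not REQUEST_LINE.match(lines[0]):
            break  # not at a request boundary (e.g. capture began mid-stream)
        method, target, version = lines[0].decode("latin-1").split(" ")
        headers, body_len, chunked = [], 0, False
        for raw in lines[1:]:
            name, _, value = raw.decode("latin-1").partition(":")
            name, value = name.strip(), value.strip()
            lower = name.lower()
            if lower == "content-length" and value.isdigit():
                body_len = int(value)
            if lower == "transfer-encoding" and "chunked" in value.lower():
                chunked = True
            if redact and lower in SENSITIVE:
                value = "[REDACTED]"
            headers.append((name, value))
        requests.append({"method": method, "target": target,
                         "version": version, "headers": headers})
        if chunked:
            break  # chunked bodies are not decoded here; stop rather than guess
        pos = end + 4 + body_len  # skip the blank line and the body
    return requests


# Constructed sample: two requests on one keep-alive connection.
SAMPLE = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Content-Length: 9\r\nCookie: sid=abc123\r\n\r\nuser=test"
          b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n")

if __name__ == "__main__":
    for req in parse_client_stream(SAMPLE):
        print(req["method"], req["target"], req["headers"])
```

Pass `redact=False` only when the raw values are needed for debugging, since the unredacted output contains session cookies and Basic credentials.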
Apache has that functionality built in; just increase the log level to trace7 or trace8:
LogLevel trace8
Note that this will dump a lot of data. You have been warned.