Check if HTTP calls are gzipped


Assuming that I have an application server (Linux) running on port 80, how can I make sure (with tcpdump, I guess) that all incoming requests are gzipped and all responses are gzipped as well? Also, since the server itself makes calls to another server (Windows), how can I check for outgoing and incoming packages (if they are compressed, I mean) to and from this other server? Thanks


Posted 2013-07-18T07:15:59.183

Reputation: 343



tcpdump alone is not a great way to do this. Technically you can determine the answer by inspecting packets, but it's not the best network layer to look at. The first problem is that you will need to deal with variable HTTP headers; the second problem is that with HTTP/1.1 and persistent connections you have to inspect every reply packet, or reassemble every request/response.

HTTP requests are very rarely compressed. It might be useful to inspect requests for the presence or absence of "gzip" or "deflate" in the Accept-Encoding: header though.

HTTP replies should have a Content-Encoding: header containing gzip or deflate when compression is used.

Things to note:

  • due to a large number of browser bugs, many web servers will have a default User-Agent list that they will not enable compression for
  • there is very likely a default set of file/URL patterns or MIME content types too; compressing PDFs and images is often not done
  • small files may not be compressed

In Apache, one way to record use of compression is to use mod_deflate's DeflateFilterNote and then amend your logging directives. I usually use at least the following in a custom LogFormat:

%>s %B %I %O %D %{instream}n/%{outstream}n/%{ratio}n%% %{Content-Type}o

which logs the total size in and out, compression details, and MIME type.

I've used httpry to watch HTTP requests, but it won't quite work here because it sadly lacks the feature to inspect and record response headers (it also doesn't reassemble packets or HTTP streams).

Two programs that should provide the required details are justniffer and xplico (note though I've never used either as they're a little tricky to compile due to their dependencies; if you can get binary packages for your OS then you should be OK).


Posted 2013-07-18T07:15:59.183

Reputation: 2 163
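The header checks described in the answer above, applied to an already reassembled HTTP/1.1 stream so that every message on a persistent connection is inspected and a gzip claim is cross-checked against the body. This is an added example, not part of the original answers; `split_messages`, `audit`, the sample streams and the `app.example` host are constructed for illustration, and it assumes plain HTTP/1.1 with no chunk trailers and no bodiless HEAD/304 responses.

```python
import gzip

def split_messages(stream):
    """Yield (start_line, headers, body) per message of one reassembled direction."""
    pos = 0
    while (end := stream.find(b"\r\n\r\n", pos)) >= 0:
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos, body = end + 4, b""
        if "chunked" in headers.get("transfer-encoding", "").lower():
            while True:  # chunked framing; trailers are assumed absent
                eol = stream.index(b"\r\n", pos)
                size = int(stream[pos:eol].split(b";")[0], 16)
                pos = eol + 2
                if size == 0:
                    pos += 2  # CRLF that ends the chunked body
                    break
                body += stream[pos:pos + size]
                pos += size + 2
        else:  # Content-Length framing; a missing header means no body
            size = int(headers.get("content-length", "0"))
            body, pos = stream[pos:pos + size], pos + size
        yield lines[0], headers, body

def audit(stream):
    """Per message: (start line, Accept-Encoding, Content-Encoding, body bytes, magic_ok)."""
    for start, h, body in split_messages(stream):
        enc = h.get("content-encoding", "identity").lower()
        # Cross-check a gzip claim against the gzip magic bytes 1f 8b.
        magic_ok = enc != "gzip" or body[:2] == b"\x1f\x8b"
        yield (start, h.get("accept-encoding", ""), enc, len(body), magic_ok)

# Constructed sample streams (not captured traffic); app.example is a placeholder host.
GZ = gzip.compress(b"<p>" + b"hello " * 200 + b"</p>")
SAMPLE_RESPONSES = b"".join([
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n",
    b"Content-Length: %d\r\n\r\n" % len(GZ), GZ,
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 4\r\n\r\n\x89PNG",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nContent-Encoding: gzip\r\n",
    b"Transfer-Encoding: chunked\r\n\r\n%x\r\n" % len(GZ), GZ, b"\r\n0\r\n\r\n",
])
SAMPLE_REQUESTS = (
    b"GET / HTTP/1.1\r\nHost: app.example\r\nAccept-Encoding: gzip, deflate\r\n\r\n"
    b"GET /logo.png HTTP/1.1\r\nHost: app.example\r\n\r\n")
if __name__ == "__main__":
    print(*audit(SAMPLE_RESPONSES), *audit(SAMPLE_REQUESTS), sep="\n")
```

The input must be one direction of a TCP stream that has already been reassembled; the parser does not work on individual packets.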


You can check the header of the HTTP connection. If the header contains the field Content-Encoding: gzip, the content is gzipped (see also Wikipedia and W3C HTTP protocol).

Uwe Plonus

Posted 2013-07-18T07:15:59.183

Reputation: 1 354


Try using ngrep ---

Ideally you'll know the IP address the web server is talking to, else you'll need to catch most things so you can find the request and response.


David Goodwin

Posted 2013-07-18T07:15:59.183

Reputation: 171