LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Program to capture all Http requests in a Network (https://www.linuxquestions.org/questions/linux-security-4/program-to-capture-all-http-requests-in-a-network-140599/)

leninkoduru 01-30-2004 11:50 PM

Program to capture all Http requests in a Network
 
I am woking on Fedora ,the requirement for me is i want to capture all the HTTP requests that are being taken place in a Network .I tried with tcpdump ,but it shows me all the requests that comming in and going out. I want it only for HTTP. Is there any way to achive this.It is very usrgent any help or suggestion will be greatly appreciated.

LinuxBlackBox 01-31-2004 08:08 AM

What you can do is look at the system logs for Apache. There is a system log viewer in my menu in redhat, I would assume it is also there on Fedora. That will show you all http requests to that computer. If you have multiple servers, you can do the same thing for each one, or try to set the computers up so that one handles the http transaction and the rest just hold the files.

usernamenumber 01-31-2004 08:40 AM

If you just need to see who is requesting what, the above comment should do the trick. However, if you need to capture actual, complete packets then a traffic analyzer like tcpdump is probably still your best bet. When you have tcpdump writing to the screen, it only shows you a summary of each packet. However, if you write to a file it will store the entire contents. You can also limit tcpdump to only list packets destined to port 80, which should be all http packets (anything destined for port 80 that's not http you probably want to know about anyway). Try something like this:

tcpdump port 80 -w port80.dump &

This will start a background process that logs all packets that hit port 80 (on eth0 by default) in their entirety. Nothing is printed to the screen. Instead all data will be stored in a file called 'port80.dump'. The next thing you'll need to do is get a tool for actually reading this data. I recommend Ethereal, which is available in the ethereal and ethereal-gnome packages (install both). Start up ethereal, open up your port80.dump file (make sure to terminate tcpdump before doing this) and there you'll have it! Within ethereal you can even further filter the packets to specific types of http requests.

In fact, you could do the entire exercise described above using ethereal. If you click capture->start, it has a place where you can type tcpdump-style filering options (ie port 80). I recommend using tcpdump if you plan to capture over a long period of time because it's less bulky and easier to background.

Actuall, come to think of it, ethereal can operate in console-only mode just like tcpdump. Whatever. I "grew up" with tcpdump, so that's what I use. Either way, you have plenty of options.

Enjoy!

leninkoduru 02-02-2004 01:10 AM

Ya i tried with ethereal , it woks to some extent but not full. I am able to get all the http requets that are going from my loca pc. But i want to monitor all the http requests in a network. the filter i used is port 80 .then it is showiing all the http requests comming to that particular server. But all our out going http requests are handled through proxy ,on a port 3128 .So any body can tell me how can i get all the http requests in a network before they reach the proxy

chort 02-02-2004 02:00 AM

You would need to have a sniffer (such as tcpdump) running on a host that "sees" all the traffic ingressing/egressing your network. Usually such a thing is accomplished by plugging a box into the "spanning port" of a switch, which is a special port that can be configured to see the traffic from other ports. Another approach would be to place a box "in-line" on your Internet connection and have it sniff all traffic passing through (usually accomplished by placing a dual-NIC box in bridging mode). Still another approach would be to use "cable taps" that divert cable into a sniffer box. The last, and least attractive way would be to plug your main network connection into a hub, rather than a switch. This would effectively make all ports on the hub see all traffic, so you could plug a sniffer into any of them. This last step would cause a serious degradation of your network performance.


All times are GMT -5. The time now is 07:30 PM.