Old 01-30-2004, 11:50 PM   #1
LQ Newbie
Registered: Jan 2004
Location: Banglore
Posts: 3

Rep: Reputation: 0
Program to capture all Http requests in a Network

I am working on Fedora; the requirement for me is I want to capture all the HTTP requests that are taking place in a network. I tried with tcpdump, but it shows me all the requests that are coming in and going out. I want it only for HTTP. Is there any way to achieve this? It is very urgent; any help or suggestion will be greatly appreciated.
Old 01-31-2004, 08:08 AM   #2
Registered: Sep 2003
Location: Canada
Distribution: Slackware 9
Posts: 243

Rep: Reputation: 30
What you can do is look at the system logs for Apache. There is a system log viewer in my menu in Red Hat; I would assume it is also there on Fedora. That will show you all http requests to that computer. If you have multiple servers, you can do the same thing for each one, or try to set the computers up so that one handles the http transaction and the rest just hold the files.
Old 01-31-2004, 08:40 AM   #3
Registered: Sep 2003
Location: Somerville, MA
Distribution: Fedora/RHEL currently. Red Hat, Slackware, Debian, SuSe and Mandrake at other times
Posts: 104

Rep: Reputation: 15
If you just need to see who is requesting what, the above comment should do the trick. However, if you need to capture actual, complete packets then a traffic analyzer like tcpdump is probably still your best bet. When you have tcpdump writing to the screen, it only shows you a summary of each packet. However, if you write to a file it will store the entire contents. You can also limit tcpdump to only list packets destined to port 80, which should be all http packets (anything destined for port 80 that's not http you probably want to know about anyway). Try something like this:

tcpdump -w port80.dump port 80 &

This will start a background process that logs all packets that hit port 80 (on eth0 by default) in their entirety. Nothing is printed to the screen. Instead all data will be stored in a file called 'port80.dump'. The next thing you'll need to do is get a tool for actually reading this data. I recommend Ethereal, which is available in the ethereal and ethereal-gnome packages (install both). Start up ethereal, open up your port80.dump file (make sure to terminate tcpdump before doing this) and there you'll have it! Within ethereal you can even further filter the packets to specific types of http requests.

In fact, you could do the entire exercise described above using ethereal. If you click capture->start, it has a place where you can type tcpdump-style filtering options (i.e. port 80). I recommend using tcpdump if you plan to capture over a long period of time because it's less bulky and easier to background.

Actually, come to think of it, ethereal can operate in console-only mode just like tcpdump. Whatever. I "grew up" with tcpdump, so that's what I use. Either way, you have plenty of options.


Last edited by usernamenumber; 01-31-2004 at 08:42 AM.
Old 02-02-2004, 01:10 AM   #4
LQ Newbie
Registered: Jan 2004
Location: Banglore
Posts: 3

Original Poster
Rep: Reputation: 0
Ya, I tried with ethereal; it works to some extent but not fully. I am able to get all the HTTP requests that are going from my local PC. But I want to monitor all the HTTP requests in a network. The filter I used is port 80; then it is showing all the HTTP requests coming to that particular server. But all our outgoing HTTP requests are handled through a proxy, on port 3128. So can anybody tell me how I can get all the HTTP requests in a network before they reach the proxy?
Old 02-02-2004, 02:00 AM   #5
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
You would need to have a sniffer (such as tcpdump) running on a host that "sees" all the traffic ingressing/egressing your network. Usually such a thing is accomplished by plugging a box into the "spanning port" of a switch, which is a special port that can be configured to see the traffic from other ports. Another approach would be to place a box "in-line" on your Internet connection and have it sniff all traffic passing through (usually accomplished by placing a dual-NIC box in bridging mode). Still another approach would be to use "cable taps" that divert cable into a sniffer box. The last, and least attractive way would be to plug your main network connection into a hub, rather than a switch. This would effectively make all ports on the hub see all traffic, so you could plug a sniffer into any of them. This last step would cause a serious degradation of your network performance.
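Once a capture file exists (written by tcpdump as in post #3, from a host that sees the whole segment as post #5 describes), the remaining step is reading it back and keeping only the HTTP request starts, on port 80 and on the proxy port 3128 from post #4. The following is an added example, not code from any poster in this thread: a minimal classic-pcap reader and HTTP request extractor in plain Python. It assumes Ethernet framing (link type 1), unfragmented IPv4, and that each request line sits at the start of a TCP segment; the sample capture is constructed inline with zeroed checksums, not a real trace, and the addresses and hostnames in it are placeholders.

```python
import struct

# Added example (not from the thread). Assumptions: Ethernet link type (DLT 1),
# unfragmented IPv4, request line at the start of a TCP segment.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ")


def iter_pcap_packets(data):
    """Yield raw frame bytes from a classic (not pcapng) pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, dst, sport, dport, payload) or None for non-IPv4/TCP frames."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def parse_request(payload):
    """Return {method, target, host} if the payload begins with an HTTP request."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return {"method": parts[0].decode("ascii", "replace"),
            "target": parts[1].decode("ascii", "replace"), "host": host}


def http_requests(pcap_bytes, ports=(80, 3128)):
    """Offline equivalent of 'port 80 or port 3128', keeping only request starts."""
    found = []
    for frame in iter_pcap_packets(pcap_bytes):
        tcp = tcp_payload(frame)
        if tcp is None:
            continue
        src, dst, sport, dport, payload = tcp
        if dport not in ports:
            continue
        req = parse_request(payload)
        if req is not None:
            req.update(src=src, dst=dst, dport=dport)
            found.append(req)
    return found


def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame with zeroed checksums (parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Constructed classic pcap file (little-endian, DLT 1) wrapping the frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed sample: one direct request, one proxy-style request to port 3128,
# one SSH banner and one HTTP reply, the last two of which must be ignored.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "192.0.2.10", 40000, 80,
                b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_frame("10.0.0.7", "10.0.0.1", 40001, 3128,
                b"GET http://www.example.org/ HTTP/1.0\r\nHost: www.example.org\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40002, 22, b"SSH-2.0-OpenSSH\r\n"),
    build_frame("192.0.2.10", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    for r in http_requests(SAMPLE_PCAP):
        print(f"{r['src']} -> {r['dst']}:{r['dport']} {r['method']} {r['target']} (Host: {r['host']})")
```

To run it against a real tcpdump file, replace `SAMPLE_PCAP` with `open("port80.dump", "rb").read()`; a capture taken with the filter `port 80 or port 3128` will contain both direct and proxied requests, and the proxy-bound ones show up with an absolute URI as the request target, which is how a client addresses a proxy.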

