HTTP抓包

1 概述

• wireshark：全平台抓包工具，需要圖形化界面，十分強大；
• httpry：http抓包插件，功能一般，操作簡單；
• tcpdump：強大的抓包插件，支持多種網絡協議。

2 httpry

（1）概述

• 安裝：apt-get install httpry

• 操作：

  httpry [ -dFhpqs ] [ -b file ] [ -f format ] [ -i device ] [ -l threshold ]
         [ -m methods ] [ -n count ] [ -o file ] [ -P file ] [ -r file ]
         [ -S bytes ] [ -t seconds ] [ -u user ] [ 'expression' ]
  -b file
  Write all processed HTTP packets to a binary pcap dump file. Useful for
  further analysis of logged data.
  
  # 守護進程
  -d 
  
  # 輸出格式
  -f format
  
  # 幫助 
  -h
  
  # 網卡 ifconfig查看
  -i device
  
  # POST GET等等
  -m methods
  
  # 抓包數量，默認為0代表循環抓取
  -n count
  
  # 輸出文件，不指定時直接打印
  -o file
  
  # 指定pid文件
  -P file
  
  # HTTP時間請求顯示模式
  -s
  
  # HTTP時間請求顯示模式下多少秒執行一次
  -t seconds
  
  # 指定linux用戶
  -u user
  
  # filter表達式，與tcpdump相同
  'expression'
  Specify a bpf-style capture filter, overriding the default. Here are a few
  basic examples, starting with the default filter:
   'tcp port 80 or 8080'
   'tcp dst port 80'
   'tcp dst port 80 and src host 192.168.1.1'
  See 'man tcpdump' for further information on the syntax and available primitives.
  

（2）demo

# timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase
> sudo httpry tcp port 80 -i lo
httpry version 0.1.7 -- HTTP logging and information retrieval tool
Copyright (c) 2005-2012 Jason Bittel <jason.bittel@gmail.com>
----------------------------
Hash buckets:       64
Nodes inserted:     10
Buckets in use:     10
Hash collisions:    0
Longest hash chain: 1
----------------------------
Starting capture on lo interface
06/05/2006 15:32:31  192.168.0.15 66.102.7.104 > GET www.google.com / HTTP/1.1   -  -
06/05/2006 15:32:31 66.102.7.104  192.168.0.15 <  -        -        - HTTP/1.1  200 OK

github：https://github.com/jbittel/httpry

3 tcpdump

（1）概述

• linux系統自帶的抓包工具，通過命令行的方式，適合在線上服務器進行抓包操作。
• 支持針對網絡層、協議、主機、網絡或端口的過濾
• 可用於網絡分析和問題排查的首選工具
• 操作：

tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
		[ -Q in|out|inout ]
		[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
		[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
		[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
		[ -Z user ] [ expression ]

（2）demo

# 抓取lo設備 tcp協議 端口80的數據包
> sudo tcpdump -n -X tcp port 80 -s 0 -i lo

注：具體使用后面再補，現在用不到這么多，學了也容易忘記，先記住它能做到的事情即可。