http://www.slashroot.in/network-traffic-analysis-linux-tools
http://systembash.com/content/simple-sysadmin-trick-using-tcpdump-to-sniff-web-server-traffic/
tcpdump -X -n -l -s 1024 -A -i eth0 -c 500 dst 10.5.105.253 and port 80
Sometimes, you just have to look into the raw data to see what your web server is doing. The logs might not show you enough detail or you suspect something is going on which is just not shown in the log files. Or, as in my case, logging is turned off because of too much activity.
The excellent tcpdump utiliy comes to the rescue here. I recommend you get more familiar with the tcpdump man page. Here is the command you can use, in a nutshell:
| 1 |
tcpdump -nl -w - -i eth1 -c 500 port 80|strings
|
or alternatively with just tcpdump (Thanks Chris!):
| 1 |
tcpdump -nl -s 0 -A -i eth1 -c 500 port 80
|
Your command line will print out all traffic exiting your server from port 80, headers and all. Lets look at the options in more detail.
- -n: Don’t convert addresses (i.e., host addresses, port numbers, etc.) to names.
- -l: Make stdout line buffered. Useful if you want to see the data while capturing it.
- -w: Write the raw packets to file rather than parsing and printing them out. (Sent to stdout)
- -i: Interface you want to sniff on, usually eth0 or eth1, but depends on your system.
- -c: Number of packets to capture
- port: port 80, duh :)
- -A: Print each packet (minus its link level header) in ASCII.
- -s: size
Now, depending on your web server configuration, you will probably have gzipped content which comes out as garbled characters. To strip all that out, just pipe it through strings.
The output will look something like this:
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
GET /about/comment-page-1 HTTP/1.0
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* User-Agent: Mozilla/2.0 (compatible; MSIE 3.02; Windows CE; 240x320) Referer: http://quittingsoda.com/about/comment-page-1#comment-6637 Host: quittingsoda.com Cookie: comment_author_xxx=sakyjartory; comment_author_email_26e707905b5fd6e7139333eb1dab208f=olfaexxxx; comment_author_url_26e707905b5fd6e7139333eb1dab208xxx HTTP/1.1 200 OK Date: Wed, 03 Oct 2012 01:49:19 GMT Server: Apache/2 X-Powered-By: PHP/5.2.17 X-Pingback: http://quittingsoda.com/xmlrpc.php Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=UTF-8 < !DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> < html xmlns="http://www.w3.org/1999/xhtml" > < head profile="http://gmpg.org/xfn/11"> < meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> < title>About This Site | Quitting Soda</title> |
Let me know if you have any suggestions for improving this simple command line program for sniffing your web server traffic! Netcat is an essential tool that every linux administrator should get to know better.
===============
-n 不进行IP地址到主机名的转换
-nn 不进行端口名称的转换
浙公网安备 33010602011771号