Sorry about the grammar mistakes. Fixed below.
2008/11/20 ropers <[EMAIL PROTECTED]>:
> 2008/11/20 Jeff Simmons <[EMAIL PROTECTED]>:
>> Anyone know of a text-based program that will dump http protocol packets?
>> Like tcpdump, but for http.
>
> I'm not an expert, but here are my dimly and pseudo-educated guesses
> and hunches and 2 * n eurocents:
>
> - In order to selectively *only* capture HTTP packets, you have to
> *recognize* which TCP packets are/contain HTTP packets first.
>
> - Granted, an HTTP packet may not arrive via TCP, since according to Wikipedia:
>> HTTP is not constrained to using TCP/IP and its supporting layers, although
>> this is its most popular application on the Internet. Indeed HTTP can be
>> "implemented on top of any other protocol on the Internet, or on other
>> networks."
> HOWEVER, even when using another kind of networking stack, you still
> have to figure out which packets are HTTP packets and which aren't.
> Also, TCP/IP is ubiquitous, and
> J-Random-Hacker's-Own-Leet-Networking-Protocol isn't.
>
> - It is my understanding that with TCP/IP at least, pretty much the
> only way to determine whether what you've got at your hands is an HTTP
> packet is to actually look at it.
>
> - Thus, identifying all HTTP packets requires capturing each TCP
> packet, or at least capturing part of each TCP packet.
>
> - Even if we were to assume that it was possible to only capture part
> of each packet and then determine --in real time, while you're dumping
> TCP packets-- what the HTTP packets are and then only fully capture
> those, this would probably be needlessly complex and waste more
> resources than not capturing all of the packets in full might save.
>
> - For the above reasons, you're probably much better off just
> capturing all of your TCP packets on a given interface with tcpdump, and
> then selectively reassembling only what you want with tcpflow. Also for
> the above reasons, I am not convinced a dedicated "httpdump" tool
> would be particularly useful.
>
> Again, I don't really know what I'm talking about to a great extent in
> this area, but that's AFAIK.
>
> 'hope this helps,
> --ropers
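
As an added illustration of the point above that HTTP can only be recognized by looking at the payload (this is not code from the thread or from tcpdump/tcpflow), the sketch below classifies raw IPv4/TCP packets by their first bytes instead of by port. The packets, addresses, ports and helper names are all constructed for the example.

```python
import re
import struct

# HTTP/1.x start lines: "METHOD target HTTP/x.y" (request) or "HTTP/x.y NNN" (response).
REQUEST_LINE = re.compile(rb"^[A-Z]{3,16} \S+ HTTP/\d\.\d\r\n")
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}[ \r]")

def tcp_payload(pkt):
    """Return the TCP payload of a raw IPv4 packet, or None if it is not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    data_offset = (pkt[ihl + 12] >> 4) * 4
    if data_offset < 20:
        return None
    return pkt[ihl + data_offset:total_len]

def looks_like_http(pkt):
    """True if the segment starts with an HTTP/1.x request or status line."""
    payload = tcp_payload(pkt)
    return bool(payload and (REQUEST_LINE.match(payload) or STATUS_LINE.match(payload)))

def build_packet(dst_port, payload):
    """Constructed IPv4+TCP packet (checksums left at 0) for the samples below."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp + payload

# Constructed samples: (description, destination port, payload)
SAMPLES = [
    ("GET on a non-standard port", 8080, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("response status line", 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
    ("SSH banner sent to port 80", 80, b"SSH-2.0-OpenSSH_5.1\r\n"),
    ("later segment of an HTTP body", 80, b"<html><body>rest of the page</body></html>"),
]

def classify_samples():
    return [(name, looks_like_http(build_packet(port, data))) for name, port, data in SAMPLES]

if __name__ == "__main__":
    for name, is_http in classify_samples():
        print(f"{'HTTP' if is_http else 'other':5}  {name}")
```

The last sample is HTTP traffic but carries no start line, so a per-packet check misses it; attributing such segments to a conversation needs per-stream reassembly of the kind tcpflow does on a full capture.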