_ _ _ | | | | | | | |__ | |_| |_ _ __ _ __ _ _ | '_ \| __| __| '_ \| '__| | | | | | | | |_| |_| |_) | | | |_| | |_| |_|\__|\__| .__/|_| \__, | | | __/ | |_| |___/ HTTP logging and information retrieval tool version 0.1.8 Copyright (c) 2005-2014 Jason Bittel <jason.bittel@gmail.com> For further information about the program, see: http://dumpsterventures.com/jason/httpry For modification and redistribution information, see COPYING file --{ ABOUT }-- httpry is a tool designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but instead to capture, parse and/or log the traffic for later analysis. It can be run in real-time displaying the live traffic on the wire, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications. It does not display the raw HTTP data transferred, but instead focuses on parsing and displaying the request/response line along with associated header fields. "How is this tool useful?" you may ask. Here's just a few ideas: > See what users on your network are browsing online > Check for proper server configuration (or improper, as the case may be) > Research patterns in HTTP usage > Watch for dangerous downloaded files > Verify the enforcement of HTTP policy on your network > Extract HTTP statistics out of saved capture files > It's just plain fun to watch in realtime In addition to the core program, there are several Perl scripts included for processing httpry log files. They should be useful for a number of generic situations, and can serve as a useful starting point for your own log parsing toolset. More information about these scripts can be found in the doc/perl-tools file. --{ INSTALLATION }-- httpry should compile on almost any *nix based OS with a relatively recent version of libpcap (specifically tested against 1.1.1 and newer). To compile and install, run these commands in the base httpry directory: $ make # make install which compiles the program and copies the binary and man page to their appropriate locations. You can run the binary from the compilation directory if you don't want to install it. To uninstall the program, run: # make uninstall from the installation directory, or manually delete the executable and man page. --{ USAGE }-- Running httpry with no options will cause it to listen on the first network device and output to the console with some sane defaults. The -h switch will print out an abbreviated description of the available options to change the defaults. This section describes these options in greater detail. httpry [ -dFhpqs ] [ -b file ] [ -f format ] [ -i device ] [ -l threshold ] [ -m methods ] [ -n count ] [ -o file ] [ -P file ] [ -r file ] [ -S bytes ] [ -t seconds ] [ -u user ] [ 'expression' ] -b file Write all processed HTTP packets to a binary pcap dump file. Useful for further analysis of logged data. -d Run the program as a daemon process. All program status output will be sent to syslog. A pid file is created for the process in /var/run/httpry.pid by default. Requires an output file specified with -o. -f format Provide a comma-delimited string specifying the parsed HTTP data to output. See the doc/format-string file for further information regarding available options and syntax. -F Disable all output buffering. This may be helpful when piping httpry output into another program. -h Display a brief summary of these options. -i device Specify an ethernet interface for the program to listen on. If not specified, the program will poll the system for a list of interfaces and select the first one found. -l threshold Specify a requests per second rate threshold value when running in rate statistics mode (-s). Only hosts with a rps value greater than or equal to this number will be displayed. Defaults to 1. -m methods Provide a comma-delimited string that specifies the request methods to parse. The program defaults to parsing all of the standard RFC2616 method strings if this option is not set. See the doc/method-string file for more information. -n count Parse this number of HTTP packets and then exit. Defaults to 0, which means loop forever. -o file Specify an output file for writing parsed packet data. -p Do not put the NIC in promiscuous mode on startup. Note that the NIC could already be in that mode for another reason. -P file Specify a path and filename for creating the PID file in daemon mode. -q Suppress non-critical output (startup banner, statistics, etc.). -r file Provide an input capture file to read from instead of performing a live capture. This option does not require root privileges. -s Run httpry in an HTTP request per second display mode. This periodically displays the rate per active host and total rate at a specified interval. -S Specify a number of bytes to skip in the ethernet header. This allows for custom header offsets to be accounted for. -t seconds Specify the host statistics display interval in seconds when running in rate statistics mode (-s). Defaults to 5 seconds. -u user Specify an alternate user to take ownership of the process and any output files. You will need root privileges to do this; it will switch to the new user after initialization. 'expression' Specify a bpf-style capture filter, overriding the default. Here are a few basic examples, starting with the default filter: 'tcp port 80 or 8080' 'tcp dst port 80' 'tcp dst port 80 and src host 192.168.1.1' These filters will capture all web traffic both directions on two common ports, capture only requests made to port 80, and capture requests to port 80 by a particular host, respectively. See 'man tcpdump' for further information on the syntax and available primitives. --{ KNOWN ISSUES }-- It is worth noting that httpry is rather naive when it comes to parsing HTTP packets. It does not perform any reordering or reassembly of packets and simply searches the start of each packet for HTTP data and ignores the packet if it does not find valid data. HTTP packets that are fragmented within the request/response line will be parsed to the end of the packet and any header data present in subsequent packets will not be parsed.