Monitoring HTTPS traffic using tcpflow

http-loggingmonitoringnetworking

I would like to use tcpflow to monitor https requests. I have read tutorials on how to monitor http traffic but when I connect to a host using https the output is garbled. I am using tcpflow in the following manner:

sudo tcpflow -s -c -i eth0 src or dst host api.linkedin.com

Best Answer

If you have a copy of the key you can use ssldump which uses a syntax almost identical to tcpdump.

It won't be quite as pretty as tcpflow, but you can get at the encrypted content.

Related Solutions

On-the-fly monitoring HTTP requests on a network interface

Try tcpflow:

tcpflow -p -c -i eth0 port 80 | grep -oE '(GET|POST|HEAD) .* HTTP/1.[01]|Host: .*'

Output is like this:

GET /search?q=stack+exchange&btnI=I%27m+Feeling+Lucky HTTP/1.1
Host: www.google.com

You can obviously add additional HTTP methods to the grep statement, and use sed to combine the two lines into a full URL.

Monitor outgoing web requests as they’re happening

You can use lsof and watch to do this, like so:

$ watch -n1 lsof -i TCP:80,443

Example output

dropbox    3280 saml   23u  IPv4 56015285      0t0  TCP greeneggs.qmetricstech.local:56003->snt-re3-6c.sjc.dropbox.com:http (ESTABLISHED)
thunderbi  3306 saml   60u  IPv4 56093767      0t0  TCP greeneggs.qmetricstech.local:34788->ord08s09-in-f20.1e100.net:https (ESTABLISHED)
mono       3322 saml   15u  IPv4 56012349      0t0  TCP greeneggs.qmetricstech.local:54018->204-62-14-135.static.6sync.net:https (ESTABLISHED)
chrome    11068 saml  175u  IPv4 56021419      0t0  TCP greeneggs.qmetricstech.local:42182->stackoverflow.com:http (ESTABLISHED)

Best Answer

Related Solutions

On-the-fly monitoring HTTP requests on a network interface

Monitor outgoing web requests as they’re happening

Example output

Related Question