httpry
Capture and display HTTP traffic
TLDR
Save output to a file:
sudo httpry -o path/to/file.txt
Listen on a specific interface and save output to a binary PCAP format file:
sudo httpry -i eth0 -b path/to/file.pcap
Filter output by a comma-separated list of HTTP verbs:
sudo httpry -m GET,HEAD,POST,PUT
Read from an input capture file and filter by IP (the filter is a BPF expression given as the last argument):
sudo httpry -r path/to/input.pcap 'host 1.1.1.1 or host 1.1.2.2'
Run as daemon process (use -o as well, since a daemon has no terminal to print to):
sudo httpry -d -o path/to/file.txt
SYNOPSIS
httpry [ -dFhpqs ] [ -b file ] [ -f format ] [ -i device ] [ -l threshold ] [ -m methods ] [ -n count ] [ -o file ] [ -P file ] [ -r file ] [ -t seconds ] [ -u user ] [ 'expression' ]
PARAMETERS
-b <file>
Writes every HTTP packet httpry processes to a binary dump file in tcpdump/libpcap format, so the capture can be reopened later with -r or inspected with tcpdump or Wireshark.
-d
Runs as a daemon process. Combine with -o, otherwise the output has nowhere to go.
-f <format>
Specifies the output format as a comma-separated list of field names. Special fields are timestamp, source-ip, dest-ip, source-port, dest-port, direction, method, request-uri, http-version, status-code and reason-phrase; any other name is treated as an HTTP header to extract (e.g., host, user-agent, referer, cookie, set-cookie). The default is timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase.
-F
Forces output to be flushed after every line. Use this when piping live output into another program, otherwise buffering delays the lines.
-h
Displays the help message and exits.
-i <device>
Specifies the network interface to listen on, e.g., eth0, wlan0.
-l <threshold>
Sets the requests-per-second threshold used to decide which hosts rate statistics mode (-s) reports.
-m <methods>
Specifies a comma-separated list of HTTP request methods to parse (e.g., GET,HEAD,POST,PUT). Requests using other methods are ignored.
-n <count>
Exits after parsing the specified number of HTTP packets.
-o <file>
Writes the parsed HTTP traffic to the specified output file instead of standard output.
-p
Prevents placing the interface into promiscuous mode.
-P <file>
Uses the specified PID file when running in daemon mode (-d).
-q
Suppresses non-critical messages, providing quieter operation.
-r <file>
Reads packets from the specified PCAP file instead of a live interface.
-s
Runs in HTTP requests-per-second mode, printing per-host rate statistics instead of individual requests.
-t <seconds>
Sets the display interval for rate statistics mode (-s).
-u <user>
Drops privileges to the specified user after opening the network device.
expression
A libpcap/BPF capture filter given as the final argument, normally quoted. The default is 'tcp port 80'. An expression you supply replaces the default rather than extending it, so include the port(s) you want, e.g., 'host 10.0.0.5 and (tcp port 80 or tcp port 8080)'.
DESCRIPTION
httpry is a specialized HTTP packet sniffer and logging tool designed for network analysis and security auditing. It can operate in two primary modes: capturing live HTTP traffic directly from a network interface or processing existing packet capture (PCAP) files. The command parses HTTP/1.x requests and responses, extracting key information such as timestamps, source and destination IPs, HTTP methods, URIs, and various headers like User-Agent, Referer, and Cookies.
It provides flexible output options, allowing users to display parsed information to the console in real-time or log it to a file with customizable formats and elements. httpry supports Berkeley Packet Filter (BPF) expressions, enabling precise filtering of network traffic to focus only on relevant HTTP streams. This makes it a valuable tool for debugging web applications, monitoring network usage, detecting suspicious HTTP activity, or simply gaining insights into web communications on a network.
httpry only sees plaintext HTTP. It does not decrypt TLS, so HTTPS sessions on port 443 are opaque to it, and because its default capture filter is 'tcp port 80', HTTP served on any other port is not parsed unless you pass a capture expression that includes that port.
CAVEATS
- httpry parses plaintext HTTP/1.x only. It cannot decrypt HTTPS, and it only captures the ports named in its capture filter (default: tcp port 80), so HTTP on other ports is silently missed unless you supply an expression.
- Capturing live traffic requires root (or CAP_NET_RAW) to open the interface. Use -u to drop to an unprivileged user once the device is open, and -p if you do not want the interface in promiscuous mode.
- On very busy networks, httpry can consume significant CPU and memory because it inspects every packet that matches the filter; narrow the BPF expression and the method list (-m) to what you need.
- Parsing accuracy depends on the traffic conforming to HTTP/1.x syntax. Malformed or non-standard requests may be ignored or mis-parsed, so absence of a request in httpry's output is not proof that it never happened; keep the raw packets (-b) when evidence matters.
BPF FILTERING
httpry uses the Berkeley Packet Filter (BPF) syntax shared with tcpdump for filtering network traffic, so you can restrict capture to specific IP addresses, ports or networks and reduce the amount of data processed. The expression is passed as the last command-line argument, not via an option, and it replaces the default 'tcp port 80' rather than adding to it. For example, sudo httpry -i eth0 'host 192.168.1.1 and tcp port 80' captures only HTTP between that host and port 80; to also watch an alternate port, write 'host 192.168.1.1 and (tcp port 80 or tcp port 8080)'.
CUSTOMIZABLE OUTPUT
One of httpry's strengths is its flexible output format, which applies both to the console and to a log file written with -o. The -f option takes a comma-separated list of field names: the special fields timestamp, source-ip, dest-ip, source-port, dest-port, direction, method, request-uri, http-version, status-code and reason-phrase, plus any HTTP header name such as host, user-agent, referer or cookie. Output lines are tab-separated, with a '-' placeholder for fields that do not apply to a given line (a request has no status code, a response has no URI); comment lines beginning with '#' at the top of the output record the httpry version and the field list in use. This makes it straightforward to match an existing log-analysis pipeline, or to keep only the fields a monitoring or auditing task needs.
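As an added example (not httpry's own code and not part of the original page), the following Python script parses httpry's tab-separated output described above and flags requests a reviewer would want to look at. It reads the '# Fields:' header line to learn the column layout, so it works with the default fields or a custom -f list, and falls back to the default layout when no header is present. The log lines, the allowed-method list and the three detection rules (unexpected method, Host header that is a bare IP literal, path traversal in the request URI) are constructed here for illustration.

```python
"""Triage httpry log output (added example, not part of httpry)."""
from collections import Counter
import ipaddress
import sys

# httpry's default output fields; used when the log has no '# Fields:' header.
DEFAULT_FIELDS = [
    "timestamp", "source-ip", "dest-ip", "direction", "method",
    "host", "request-uri", "http-version", "status-code", "reason-phrase",
]

# Methods we expect on this network; anything else gets reported (assumption).
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

# Constructed sample in httpry's default layout: tab-separated, '>' marks a
# client request, '<' a server response, '-' a field that does not apply.
SAMPLE_LOG = """\
# httpry version 0.1.8
# Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase
2024-05-01 10:00:01\t10.0.0.5\t198.51.100.20\t>\tGET\texample.com\t/\tHTTP/1.1\t-\t-
2024-05-01 10:00:01\t198.51.100.20\t10.0.0.5\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
2024-05-01 10:00:02\t10.0.0.5\t203.0.113.7\t>\tGET\t203.0.113.7\t/a.php?cmd=id\tHTTP/1.1\t-\t-
2024-05-01 10:00:02\t203.0.113.7\t10.0.0.5\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
2024-05-01 10:00:03\t10.0.0.9\t198.51.100.20\t>\tTRACE\texample.com\t/\tHTTP/1.1\t-\t-
2024-05-01 10:00:03\t198.51.100.20\t10.0.0.9\t<\t-\t-\t-\tHTTP/1.1\t405\tMethod Not Allowed
2024-05-01 10:00:04\t10.0.0.9\t198.51.100.20\t>\tGET\texample.com\t/../../etc/passwd\tHTTP/1.0\t-\t-
"""


def parse_httpry(text):
    """Return one dict per log line; '-' placeholders become None."""
    fields = DEFAULT_FIELDS
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # httpry announces the column layout, which -f can change.
            if line.startswith("# Fields:"):
                fields = line[len("# Fields:"):].strip().split(",")
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        rows.append({k: (None if v == "-" else v) for k, v in zip(fields, cols)})
    return rows


def is_ip_literal(host):
    """True when the Host header is a bare IPv4/IPv6 address (no hostname)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_suspicious(rows):
    """Return (reason, row) pairs for client requests matching a rule."""
    findings = []
    for r in rows:
        if r.get("direction") != ">":
            continue  # responses carry no method/host/URI to judge
        method, host, uri = r.get("method"), r.get("host"), r.get("request-uri") or ""
        if method and method not in ALLOWED_METHODS:
            findings.append(("unexpected-method", r))
        if host and is_ip_literal(host):
            findings.append(("ip-literal-host", r))
        if "/../" in uri or uri.endswith("/.."):
            findings.append(("path-traversal", r))
    return findings


def requests_per_source(rows):
    """Count client requests by source IP, a quick top-talkers view."""
    return Counter(r["source-ip"] for r in rows if r.get("direction") == ">")


if __name__ == "__main__":
    # Read an httpry log from stdin, or fall back to the constructed sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    rows = parse_httpry(text)
    for reason, r in find_suspicious(rows):
        print(f"{reason}\t{r['timestamp']}\t{r['source-ip']}\t{r['method']}\t{r['host']}\t{r['request-uri']}")
    for ip, n in requests_per_source(rows).most_common(5):
        print(f"{ip}\t{n} requests")
```

Run it over a saved log with python3 httpry_triage.py < httpry.log, or feed it live output with sudo httpry -F | python3 httpry_triage.py (the -F flag flushes each line so the pipe does not lag). If you log with a custom -f list, keep direction, method, host and request-uri in it, since the rules above depend on those fields.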
HISTORY
httpry was developed as a lightweight, specialized tool to fill a niche between general-purpose packet sniffers (like tcpdump) and full web server logs. It provides real-time, human-readable output focused specifically on HTTP conversations, making it valuable for system administrators, network engineers, and security analysts needing quick insights into web traffic without the overhead of more complex GUI-based tools or deep protocol analysis. Its development focused on efficiency and ease of use for HTTP-specific monitoring tasks.