Never Ending Security

It starts all here

HTTPry – HTTP logging and information retrieval tool

Command Line HTTP Sniff

In the life of a system administrator catching live traffic is a standard everyday operation. Catching packets can be very useful when you are troubleshooting certain network problems, when you test your web applications or generally just maintaining your network security.  It is also an essential part of every penetration testing procedure.

To do this kind of thing we use all available tools that we can find out there, in the wild. Tools like wireshark or tcpdump. In order to capture live HTTP traffic we need to set up proper filtering but in some cases even that filtering is not ‘natural’ enough. One can use tools like ngxtop po parse server logs but in order to do that you would need full server access.

So in order to overcome this problems and provide quick and  easy to use solution, we can instead use httpry.

httpry is designed to sniff HTTP packets directly from the wire and presents results in human readable format.


httpry is a tool designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but instead to capture, parse and/or log the traffic for later analysis. It can be run in real-time displaying the live traffic on the wire, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications. It does not display the raw HTTP data transferred, but instead focuses on parsing and displaying the request/response line along with associated header fields.

What can you do with it?

  • See what users on your network are browsing online
  • Check for proper server configuration (or improper, as the case may be)
  • Research patterns in HTTP usage
  • Watch for dangerous downloaded files
  • Verify the enforcement of HTTP policy on your network
  • Extract HTTP statistics out of saved capture files
  • It’s just plain fun to watch in realtime

In addition to the core program, there are several Perl scripts included for processing httpry log files. They should be useful for a number of generic situations, and can serve as a useful starting point for your own log parsing toolset.

Some of their capabilities are:

  • hostnames: Display a list of unique host names with counts.
  • find_proxies: Detect web proxies.
  • search_terms: Find and count search terms entered in search services.
  • content_analysis: Find URIs which contain specific keywords.
  • xml_output: Convert output into XML format.
  • log_summary: Generate a summary of log.
  • db_dump: Dump log file data into a MySQL database.

Before using these scripts, first run httpry with ‘-o’ option for some time. Once you obtained the output file, run the scripts on it at once by using this command:

$ cd httpry/scripts
$ perl -d ./plugins <httpry-output-file>

Install httpry on Linux

On Debian-based systems (Ubuntu or Linux Mint), httpry is not available in base repositories. So build it from the source:

$ sudo apt-get install gcc make git libpcap0.8-dev
$ git clone
$ cd httpry
$ make
$ sudo make install

On Fedora, CentOS or RHEL, you can install httpry with yum as follows. On CentOS/RHEL, enable EPEL repo before runningyum.

$ sudo yum install httpry

If you still want to build httpry from the source on RPM-based systems, you can easily do that by:

$ sudo yum install gcc make git libpcap-devel
$ git clone
$ cd httpry
$ make
$ sudo make install

Basic Usage

The basic use case of httpry is as follows.

$ sudo httpry -i <network-interface>

httpry then listens on a specified network interface, and displays captured HTTP requests/responses in real time.

In most cases, however, you will be swamped with the fast scrolling output as packets are coming in and out. So you want to save captured HTTP packets for offline analysis. For that, use either ‘-b’ or ‘-o’ options. The ‘-b’ option allows you to save rawHTTP packets into a binary file as is, which then can be replayed with httpry later. On the other hand, ‘-o’ option saves human-readable output of httpry into a text file.

To save raw HTTP packets into a binary file:

$ sudo httpry -i eth0 -b output.dump

To replay saved HTTP packets:

$ httpry -r output.dump

Note that when you read a dump file with ‘-r’ option, you don’t need root privilege.

To save httpry’s output to a text file:

$ sudo httpry -i eth0 -o output.txt

Advanced Usage of httpry

If you want to monitor only specific HTTP methods (e.g., GET, POST, PUT, HEAD, CONNECT, etc), use ‘-m’ option:

$ sudo httpry -i eth0 -m get,head

More information can be found at: and at:

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s