Amazon LinuxにtcpflowをインストールしてHTTPリクエスト&レスポンスをキャプチャして覗いてみる

http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/ からtcpflowの最新rpmパッケージを探してインストール

# yum install `curl -s http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/|grep -o '"tcpflow[^"]*'|sed 's|"|http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/|'`

Dependencies Resolved

 Package   Arch   Version    Repository      Size
 tcpflow   x86_64   0.21-1.2.el7.rf   /tcpflow-0.21-1.2.el7.rf.x86_64    61 k

Transaction Summary
Install  1 Package
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : tcpflow-0.21-1.2.el7.rf.x86_64             1/1 
  Verifying  : tcpflow-0.21-1.2.el7.rf.x86_64             1/1 

  tcpflow.x86_64 0:0.21-1.2.el7.rf                  



# tcpflow -cs -i eth0 port 80
tcpflow[6577]: listening on eth0 GET / HTTP/1.1
User-Agent: ELB-HealthChecker/1.0
Accept: */*
Connection: keep-alive HTTP/1.1 200 OK
Date: Mon, 08 Feb 2016 03:34:19 GMT
Server: Apache
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

# man tcpflow

       tcpflow - TCP flow recorder

       tcpflow [-chpsv] [-b max_bytes] [-d debug_level] [-f max_fds] [-i iface] [-r file] [expression]

       tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging.  A program like tcpdump(4) shows a summary of pack‐
       ets seen on the wire, but usually doesn't store the data that's actually being transmitted.  In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.  tcpflow
       understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.

       tcpflow stores all captured data in files that have names of the form
       where the contents of the above file would be data transmitted from host port 2345, to host port 45103.

       -b     Max bytes per flow.  Capture no more than max_bytes bytes per flow.  Any data captured for a flow beyond max_bytes from the first byte captured will be discarded.  The default is to store an unlimited number of bytes
       per flow.

       -c     Console print.  Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s ).

       -d     Debug level.  Set the level of debugging messages printed to stderr to debug_level.  Higher numbers produce more messages.  -d 0 causes completely silent operation.  -d 1 , the default, produces minimal status mes‐
       sages.  -d 10 produces verbose output equivalent to -v . Numbers higher than 10 can produce a large amount of debugging information useful only to developers.

       -f     Max file descriptors used.  Limit the number of file descriptors used by tcpflow to max_fds.  Higher numbers use more system resources, but usually perform better.  If the underlying operating system supports the
       setrlimit() system call, the OS will be asked to enforce the requested limit.  The default is for tcpflow to use the maximum number of file descriptors allowed by the OS.  The -v option will report how many file
       descriptors tcpflow is using.

       -h     Help.  Print usage information and exit.

       -i     Interface name.  Capture packets from the network interface named iface. If no interface is specified with -i , a reasonable default will be used by libpcap automatically.

       -p     No promiscuous mode.  Normally, tcpflow attempts to put the network interface into promiscuous mode before capturing packets.  The -p option tells tcpflow not to put the interface into promiscuous mode.  Note that it
       might already be in promiscuous mode for some other reason.

       -r     Read from file.  Read packets from file, which was created using the -w option of tcpdump(1).  Standard input is used if file is ``-''.  Note that for this option to be useful, tcpdump's -s option should be used to
       set the snaplen to the MTU of the interface (e.g., 1500) while capturing packets.

       -s     Strip non-printables.  Convert all non-printable characters to the "." character before printing packets to the console or storing them to a file.

       -v     Verbose operation.  Verbosely describe tcpflow's operation.  Equivalent to -d 10 .

0 件のコメント: