Amazon LinuxにtcpflowをインストールしてHTTPリクエスト＆レスポンスをキャプチャして覗いてみる

http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/ からtcpflowの最新rpmパッケージを探してインストール

1. # yum install `curl -s http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/|grep -o '"tcpflow[^"]*'|sed 's|"|http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/|'`  
2.   
3. Dependencies Resolved  
4.   
5. ======================================================================================================================================  
6.  Package   Arch   Version    Repository      Size  
7. ======================================================================================================================================  
8. Installing:  
9.  tcpflow   x86_64   0.21-1.2.el7.rf   /tcpflow-0.21-1.2.el7.rf.x86_64    61 k  
10.   
11. Transaction Summary  
12. ======================================================================================================================================  
13. Install  1 Package  
14. Is this ok [y/d/N]: y  
15. Downloading packages:  
16. Running transaction check  
17. Running transaction test  
18. Transaction test succeeded  
19. Running transaction  
20.   Installing : tcpflow-0.21-1.2.el7.rf.x86_64             1/1   
21.   Verifying  : tcpflow-0.21-1.2.el7.rf.x86_64             1/1   
22.   
23. Installed:  
24.   tcpflow.x86_64 0:0.21-1.2.el7.rf                    
25.   
26. Complete!  

# yum install `curl -s http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/|grep -o '"tcpflow[^"]*'|sed 's|"|http://apt.sw.be/redhat/el7/en/x86_64/rpmforge/RPMS/|'`

Dependencies Resolved

======================================================================================================================================
 Package   Arch   Version    Repository      Size
======================================================================================================================================
Installing:
 tcpflow   x86_64   0.21-1.2.el7.rf   /tcpflow-0.21-1.2.el7.rf.x86_64    61 k

Transaction Summary
======================================================================================================================================
Install  1 Package
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : tcpflow-0.21-1.2.el7.rf.x86_64             1/1 
  Verifying  : tcpflow-0.21-1.2.el7.rf.x86_64             1/1 

Installed:
  tcpflow.x86_64 0:0.21-1.2.el7.rf                  

Complete!

eth0の80番ポートのパケットを試しにキャプチャ
※-cでコンソール出力,-sで表示できない文字を.で表示
ELBからのヘルスチェックのリクエスト＆レスポンスが取得されました。

1. # tcpflow -cs -i eth0 port 80  
2. tcpflow[6577]: listening on eth0  
3. 010.000.012.250.26633-010.000.022.012.00080: GET / HTTP/1.1  
4. host: 10.0.22.12  
5. User-Agent: ELB-HealthChecker/1.0  
6. Accept: */*  
7. Connection: keep-alive  
8.   
9. 010.000.022.012.00080-010.000.012.250.26633: HTTP/1.1 200 OK  
10. Date: Mon, 08 Feb 2016 03:34:19 GMT  
11. Server: Apache  
12. Content-Type: text/plain;charset=ISO-8859-1  
13. Content-Length: 0  
14. Keep-Alive: timeout=5, max=100  
15. Connection: Keep-Alive  

# tcpflow -cs -i eth0 port 80
tcpflow[6577]: listening on eth0
010.000.012.250.26633-010.000.022.012.00080: GET / HTTP/1.1
host: 10.0.22.12
User-Agent: ELB-HealthChecker/1.0
Accept: */*
Connection: keep-alive

010.000.022.012.00080-010.000.012.250.26633: HTTP/1.1 200 OK
Date: Mon, 08 Feb 2016 03:34:19 GMT
Server: Apache
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

manpage

1. # man tcpflow  
2. tcpflow(1)  
3.   
4. NAME  
5.        tcpflow - TCP flow recorder  
6.   
7. SYNOPSIS  
8.        tcpflow [-chpsv] [-b max_bytes] [-d debug_level] [-f max_fds] [-i iface] [-r file] [expression]  
9.   
10. DESCRIPTION  
11.        tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging.  A program like tcpdump(4) shows a summary of pack‐  
12.        ets seen on the wire, but usually doesn't store the data that's actually being transmitted.  In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.  tcpflow  
13.        understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.  
14.   
15.        tcpflow stores all captured data in files that have names of the form  
16.      192.168.101.102.02345-010.011.012.013.45103  
17.        where the contents of the above file would be data transmitted from host 192.168.101.102 port 2345, to host 10.11.12.13 port 45103.  
18.   
19. OPTIONS  
20.        -b     Max bytes per flow.  Capture no more than max_bytes bytes per flow.  Any data captured for a flow beyond max_bytes from the first byte captured will be discarded.  The default is to store an unlimited number of bytes  
21.        per flow.  
22.   
23.        -c     Console print.  Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s ).  
24.   
25.        -d     Debug level.  Set the level of debugging messages printed to stderr to debug_level.  Higher numbers produce more messages.  -d 0 causes completely silent operation.  -d 1 , the default, produces minimal status mes‐  
26.        sages.  -d 10 produces verbose output equivalent to -v . Numbers higher than 10 can produce a large amount of debugging information useful only to developers.  
27.   
28.        -f     Max file descriptors used.  Limit the number of file descriptors used by tcpflow to max_fds.  Higher numbers use more system resources, but usually perform better.  If the underlying operating system supports the  
29.        setrlimit() system call, the OS will be asked to enforce the requested limit.  The default is for tcpflow to use the maximum number of file descriptors allowed by the OS.  The -v option will report how many file  
30.        descriptors tcpflow is using.  
31.   
32.        -h     Help.  Print usage information and exit.  
33.   
34.        -i     Interface name.  Capture packets from the network interface named iface. If no interface is specified with -i , a reasonable default will be used by libpcap automatically.  
35.   
36.        -p     No promiscuous mode.  Normally, tcpflow attempts to put the network interface into promiscuous mode before capturing packets.  The -p option tells tcpflow not to put the interface into promiscuous mode.  Note that it  
37.        might already be in promiscuous mode for some other reason.  
38.   
39.        -r     Read from file.  Read packets from file, which was created using the -w option of tcpdump(1).  Standard input is used if file is ``-''.  Note that for this option to be useful, tcpdump's -s option should be used to  
40.        set the snaplen to the MTU of the interface (e.g., 1500) while capturing packets.  
41.   
42.        -s     Strip non-printables.  Convert all non-printable characters to the "." character before printing packets to the console or storing them to a file.  
43.   
44.        -v     Verbose operation.  Verbosely describe tcpflow's operation.  Equivalent to -d 10 .  

# man tcpflow
tcpflow(1)

NAME
       tcpflow - TCP flow recorder

SYNOPSIS
       tcpflow [-chpsv] [-b max_bytes] [-d debug_level] [-f max_fds] [-i iface] [-r file] [expression]

DESCRIPTION
       tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging.  A program like tcpdump(4) shows a summary of pack‐
       ets seen on the wire, but usually doesn't store the data that's actually being transmitted.  In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.  tcpflow
       understands TCP sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery.

       tcpflow stores all captured data in files that have names of the form
     192.168.101.102.02345-010.011.012.013.45103
       where the contents of the above file would be data transmitted from host 192.168.101.102 port 2345, to host 10.11.12.13 port 45103.

OPTIONS
       -b     Max bytes per flow.  Capture no more than max_bytes bytes per flow.  Any data captured for a flow beyond max_bytes from the first byte captured will be discarded.  The default is to store an unlimited number of bytes
       per flow.

       -c     Console print.  Print the contents of packets to stdout as they are received, without storing any captured data to files (implies -s ).

       -d     Debug level.  Set the level of debugging messages printed to stderr to debug_level.  Higher numbers produce more messages.  -d 0 causes completely silent operation.  -d 1 , the default, produces minimal status mes‐
       sages.  -d 10 produces verbose output equivalent to -v . Numbers higher than 10 can produce a large amount of debugging information useful only to developers.

       -f     Max file descriptors used.  Limit the number of file descriptors used by tcpflow to max_fds.  Higher numbers use more system resources, but usually perform better.  If the underlying operating system supports the
       setrlimit() system call, the OS will be asked to enforce the requested limit.  The default is for tcpflow to use the maximum number of file descriptors allowed by the OS.  The -v option will report how many file
       descriptors tcpflow is using.

       -h     Help.  Print usage information and exit.

       -i     Interface name.  Capture packets from the network interface named iface. If no interface is specified with -i , a reasonable default will be used by libpcap automatically.

       -p     No promiscuous mode.  Normally, tcpflow attempts to put the network interface into promiscuous mode before capturing packets.  The -p option tells tcpflow not to put the interface into promiscuous mode.  Note that it
       might already be in promiscuous mode for some other reason.

       -r     Read from file.  Read packets from file, which was created using the -w option of tcpdump(1).  Standard input is used if file is ``-''.  Note that for this option to be useful, tcpdump's -s option should be used to
       set the snaplen to the MTU of the interface (e.g., 1500) while capturing packets.

       -s     Strip non-printables.  Convert all non-printable characters to the "." character before printing packets to the console or storing them to a file.

       -v     Verbose operation.  Verbosely describe tcpflow's operation.  Equivalent to -d 10 .