What tool can I use to sniff HTTP/HTTPS traffic?
Solution 1
Try mitmproxy.
mitmproxy is an SSL-capable man-in-the-middle proxy for HTTP. It provides a console interface that allows traffic flows to be inspected and edited on the fly.
mitmdump is the command-line version of mitmproxy, with the same functionality but without the user interface. Think tcpdump for HTTP.
Features
- Intercept HTTP requests and responses and modify them on the fly.
- Save complete HTTP conversations for later replay and analysis.
- Replay the client-side of an HTTP conversations.
- Replay HTTP responses of a previously recorded server.
- Reverse proxy mode to forward traffic to a specified server.
- Make scripted changes to HTTP traffic using Python.
- SSL certificates for interception are generated on the fly.
Screenshot
Example
I setup an example Jekyll Bootstrap app which is listening on port 4000 on my localhost. To intercept it's traffic I'd do the following:
% mitmproxy --mode reverse:http://localhost:4000 -p 4001
Then connect to my mitmproxy on port 4001 from my web browser (http://localhost:4001
), resulting in this in mitmproxy:
You can then select any of the GET
results to see the header info associated to that GET
:
References
Solution 2
mitmproxy
/mitmdump
Equalivant to tcpdump
for HTTPS is mitmdump
. Here are the steps:
- Install
mitmproxy
package (macOS:brew install mitmproxy
). -
Install mitmproxy CA certificate by the following commands:
$ mitmdump --mode reverse:http://mitm.it/ -p 8080 $ wget --content-disposition http://localhost:8080/cert/pem $ open mitmproxy-ca-cert.pem # Open, install and mark the certificate as trusted.
Now, here is the simple test on how to test reverse proxy:
- Run:
mitmdump --mode reverse:https://example.com/ -p 4433
. -
In another shell, run:
curl https://localhost:4433
.Now, you should see the page source and
mitmdump
command should produce the output like:Proxy server listening at http://*:4433 [::1]:49446: clientconnect [::1]:49446: GET https://example.com/ HTTP/2.0 << 200 1.24k [::1]:49446: clientdisconnect
For all traffic, just run: mitmdump
or mitmproxy
.
See: mitmproxy
docs page for more details.
Charles Proxy
If you're on macOS, there is also Charles Proxy app (GUI) which allows view all of the HTTP and SSL/HTTPS traffic between the hosts.
Solution 3
For some situations, you can use a proxy that accepts incoming HTTP requests and makes outgoing HTTPS requests. As an example, I wanted to capture the traffic between git
and github.com. I used mitmproxy:
mitmproxy -s httpser.py
where httpser.py
is:
def request(context, flow):
flow.request.scheme = 'https'
flow.request.port = 443
I then ran git
like so:
export http_proxy="http://127.0.0.1:8080/"
git clone http://github.com/oxplot/difftr
Now using wireshark
listening on localhost
, one can capture the plain traffic. Without the proxy, github would redirect git
to use HTTPS.
Related videos on Youtube
slm
Worked in the tech field for over 20+ years. Started out learning basic on an Apple IIe then on a TRS-80. Been interested in computer hardware and software my entire life. Consider myself lucky that my hobby as a kid/adult is what I get to do everyday earning a living. You can learn more about me here. ============================================================ Stolen from @Mokubai: First, please put down the chocolate-covered banana and step away from the European currency systems. You may consider how to ask a question.
Updated on September 18, 2022Comments
-
slm over 1 year
I'm looking for a command line tool that can intercept HTTP/HTTPS requests, extract information such as: (content, destination, etc.), perform various analysis tasks, and finally determine if the request should be dropped or not. Legal requests must than be forwarded to the application.
A tool that is similar in nature to
tcpdump
, Wireshark, or Snort, but operates at the HTTP level.References