How to Capture and Decode HTTP Headers in Human-Readable Format Using tcpdump on Linux


When debugging web applications that involve communication between servers (like Apache-to-Tomcat interactions), viewing raw HTTP headers is essential. Without -A, tcpdump prints only a per-packet summary line, and its hex modes (-x/-X) interleave hex with ASCII fragments, which makes header analysis cumbersome.

For clear HTTP header inspection of the traffic Apache (port 80) forwards to Tomcat on port 4080 (the filter below matches port 4080 only; adjust it to your connector port):

sudo tcpdump -A -s 0 'tcp port 4080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

This command combines several powerful features:

  • -A prints each packet's payload as ASCII (human-readable)
  • -s 0 captures full packets instead of truncating them (the default since tcpdump 4.0, so it is harmless to keep)
  • The BPF expression computes the TCP payload length (IP total length minus the IP header length taken from the IHL field, minus the TCP header length taken from the data-offset field) and keeps only segments where it is non-zero, so pure ACKs and handshake packets are dropped and only segments carrying data are printed. The ip[...] offsets assume IPv4.

For a more HTTP-focused tool:

sudo ngrep -d any -W byline port 4080

Sample output:

T 192.168.1.10:33273 -> 192.168.1.20:4080 [AP]
GET /api/v1/users HTTP/1.1
Host: example.com
User-Agent: curl/7.68.0
Accept: */*

For GUI users, capture with tcpdump then analyze in Wireshark (use -i lo instead of eth0 if Apache and Tomcat run on the same host, since that traffic never leaves the loopback interface):

sudo tcpdump -i eth0 -w http_capture.pcap port 4080
wireshark http_capture.pcap

Apply display filter: http.request or http.response

If Wireshark does not dissect port 4080 as HTTP automatically, use Analyze > Decode As... and map TCP port 4080 to HTTP; until the dissector is applied the display filter above matches nothing.

  • Add -c 100 to limit the number of captured packets
  • Use -nn to disable host and port name resolution, which avoids slow reverse-DNS lookups (and the DNS queries they generate) while capturing
  • Combine with grep for specific headers, adding -l so tcpdump line-buffers its output through the pipe: sudo tcpdump -l -A -s0 port 4080 | grep -i "User-Agent"

To show only segments whose TCP payload begins with "GET " (0x47455420 is the ASCII encoding of those four bytes), for example when Apache and Tomcat talk over the loopback interface on the same host:

sudo tcpdump -i lo -A -s 0 'tcp port 4080 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'

This works only for plaintext HTTP. If the Apache-to-Tomcat connector uses HTTPS, tcpdump sees opaque TLS records and -A shows nothing useful; capture on a plaintext hop instead, or terminate TLS before the capture point.


For more structured output using tshark (Wireshark's CLI), where -d tcp.port==4080,http tells the dissector to treat port 4080 as HTTP and -T fields -e ... prints just the named fields, one line per HTTP packet (responses print empty values for these request-only fields):

sudo tshark -i any -Y http -d tcp.port==4080,http -T fields -e http.host -e http.user_agent

1. Capture specific header fields (this matches only the segment that begins with "GET ", so a Host or User-Agent header that lands in a later segment of the same request is not shown; -l makes tcpdump line-buffer through the pipe):

sudo tcpdump -l -A -s 1500 'tcp port 4080 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' | grep -E "Host:|User-Agent:"

2. Persistent logging to file (raw packets, for later analysis with tcpdump or Wireshark):

sudo tcpdump -w http_headers.pcap -s 0 'tcp port 4080'

Reading the file back in ASCII mode (-A together with -r) shows complete request/response cycles with clear header formatting:

GET /api/v1/users HTTP/1.1
Host: example.com
User-Agent: curl/7.68.0
Accept: */*

Isolate specific HTTP methods (here POST, 0x504f5354, or GET, 0x47455420, matched against the first four bytes of the TCP payload):

sudo tcpdump -A -s 0 'tcp port 4080 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'
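The two filter styles on this page (the payload-length test in the first tcpdump command and the first-four-bytes method match used for GET and POST) are easiest to understand by running the same arithmetic over a packet by hand. The following Python script is an added example, not part of the original page or of tcpdump: it builds constructed IPv4/TCP packets (made-up addresses, checksums left at zero), emulates the ip[...] and tcp[...] byte loads exactly as the BPF expressions do, and shows that the method match drops a request whose headers span more than one segment while the payload-length filter keeps it.

```python
import struct
from typing import Optional

# Constructed sample traffic (not captured data): a client on port 33273 talking to Tomcat on 4080.
GET_MAGIC = 0x47455420   # b"GET " as a big-endian 32-bit word, as written in the tcpdump filters
POST_MAGIC = 0x504F5354  # b"POST"


def build_ipv4_tcp(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"",
                   sport: int = 33273, dport: int = 4080, flags: int = 0x18) -> bytes:
    """Build a minimal IPv4 + TCP packet. Checksums stay zero: BPF never checks them."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4          # IPv4 header length in 32-bit words
    doff = 5 + len(tcp_options) // 4        # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 1, 1, doff << 4, flags, 65535, 0, 0) + tcp_options
    return ip_hdr + tcp_hdr + payload


def tcp_header(pkt: bytes) -> bytes:
    """tcp[n] in BPF is relative to the TCP header, which starts (ip[0]&0xf)<<2 bytes into the IP packet."""
    return pkt[(pkt[0] & 0x0F) << 2:]


def tcp_payload_len(pkt: bytes) -> int:
    """Emulates ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2))."""
    ip_total = struct.unpack("!H", pkt[2:4])[0]     # ip[2:2]: IPv4 total length
    ip_hl = (pkt[0] & 0x0F) << 2                    # (ip[0]&0xf)<<2: IPv4 header length in bytes
    tcp_hl = (tcp_header(pkt)[12] & 0xF0) >> 2      # (tcp[12]&0xf0)>>2: TCP header length in bytes
    return ip_total - ip_hl - tcp_hl


def has_payload(pkt: bytes) -> bool:
    """The '!= 0' test from the first tcpdump command: drops pure ACKs and handshake segments."""
    return tcp_payload_len(pkt) != 0


def first_payload_word(pkt: bytes) -> Optional[int]:
    """Emulates tcp[((tcp[12:1] & 0xf0) >> 2):4]: the first four payload bytes as one big-endian word.
    A BPF load that runs past the end of the packet rejects the packet, so None is returned then."""
    tcp = tcp_header(pkt)
    off = (tcp[12] & 0xF0) >> 2
    word = tcp[off:off + 4]
    if len(word) < 4:
        return None
    return struct.unpack("!I", word)[0]


def matches_method(pkt: bytes, *magics: int) -> bool:
    """'tcp[...:4] = 0x47455420 or tcp[...:4] = 0x504f5354' generalised to any set of method words."""
    return first_payload_word(pkt) in magics


# A request split across two segments, the SYN before it, and a POST carrying IP/TCP NOP options
# (the option padding exercises the variable header-length arithmetic the filters depend on).
GET_PAYLOAD = b"GET /api/v1/users HTTP/1.1\r\nHost: example.com\r\n"
CONT_PAYLOAD = b"User-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n"
POST_PAYLOAD = b"POST /api/v1/users HTTP/1.1\r\n"

SYN = build_ipv4_tcp(b"", flags=0x02)
GET_SEGMENT = build_ipv4_tcp(GET_PAYLOAD)
CONT_SEGMENT = build_ipv4_tcp(CONT_PAYLOAD)
POST_SEGMENT = build_ipv4_tcp(POST_PAYLOAD, ip_options=b"\x01" * 4, tcp_options=b"\x01" * 12)


def classify(pkt: bytes) -> dict:
    """What each filter on the page would do with this packet."""
    return {
        "payload_len": tcp_payload_len(pkt),
        "payload_filter": has_payload(pkt),
        "get_filter": matches_method(pkt, GET_MAGIC),
        "get_or_post_filter": matches_method(pkt, GET_MAGIC, POST_MAGIC),
    }


if __name__ == "__main__":
    for name, pkt in [("SYN", SYN), ("GET segment", GET_SEGMENT),
                      ("continuation", CONT_SEGMENT), ("POST with options", POST_SEGMENT)]:
        print(f"{name:18} {classify(pkt)}")
```

Run it as-is to print the four classifications. The continuation segment is the one worth noticing: both method-prefix filters on this page drop it, which is why a grep over their output can miss a Host or User-Agent header, while the payload-length filter keeps every segment that carries data.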