How to inspect HTTP traffic with tcpdump and ngrep

Tagged tcpdump, http, ngrep  Languages bash

ngrep

ngrep is one alternative to tcpdump:

$ sudo ngrep -q -d lo0 -W byline host localhost and dst port 3002

The command will listen to interface lo0 and print all traffic destined for localhost port 3002.

tcpdump

Write traffic on port 80 (HTTP) to a file. Rotate log file after 10Mb. Keep 5 files.

$ sudo tcpdump port 80 -n -i any -w /tmp/traffic -p -C 10 -W 5 -s 1500

This gist shows how to monitor HTTP requests.

On OSX remember to install tcpdump with brew:

$ brew install tcpdump