A multi-threaded tool that sniffs HTTP header records in addition to TCP flow statistics.
MIT licensed.
- Live network interface and offline PCAP file capture
- Multi-threading for high-performance traffic analysis
- TCP flow statistics export
- HTTP request/response pair extraction
- JSON and CSV output formats
```bash
# Install dependencies
sudo apt-get install cmake libpcap-dev libjson-c-dev build-essential  # Ubuntu/Debian
brew install cmake libpcap json-c                                     # macOS
# Build and run
make
./bin/http-sniffer -i <interface>
```
```bash
make              # Standard build
make debug        # Debug build
make nfm          # With NFM support
make clean-build  # Clean then build
make test         # Run unit tests
make test-debug   # Build debug and run tests
```
```bash
# Live capture
./bin/http-sniffer -i en0
# PCAP file analysis
./bin/http-sniffer -r capture.pcap
# Save to JSON
./bin/http-sniffer -i en0 -o output.json
```
```
[20120921 16:40:09]10.187.179.28:53196-->180.149.134.229:80 1335164797.208360 0.0 0.0 167 5/3 0/0 0 0
```
```json
{
  "t_r": "2025-07-10T11:25:05",
  "sa": "1.2.3.4",
  "da": "4.3.2.1",
  "sp": 54180,
  "dp": 80,
  "synt": 1752117904.8173649,
  "fbt": 1752117904.830142,
  "lbt": 1752117904.8638189,
  "rtt": 162,
  "spkts": 9,
  "dpkts": 24,
  "spl": 52,
  "dpl": 30028,
  "fc": 0,
  "pcnt": 1,
  "pairs": [
    {
      "req": {
        "fbt": 1752117904.830142,
        "lbt": 1752117904.830142,
        "totlen": 52,
        "bdylen": 0,
        "ver": 1,
        "mth": "GET",
        "host": "www.baidu.com",
        "uri": "\/",
        "accept": "*\/*"
      },
      "res": {
        "fbt": 1752117904.8458209,
        "lbt": 1752117904.863394,
        "totlen": 30497,
        "bdylen": 29506,
        "ver": 1,
        "sta": 200,
        "server": "BWS\/1.1",
        "dat": "Thu, 10 Jul 2025 03:25:04 GMT",
        "accept_ranges": "bytes",
        "contyp": "text\/html",
        "conlen": "29506"
      }
    }
  ]
}
```
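An added example (not part of the http-sniffer project's code) of post-processing the JSON record above for analysis: it flattens each request/response pair into one row, computes time to first byte, and compares the declared `conlen` with the observed `bdylen`. The field meanings (`fbt`/`lbt` as first/last byte timestamps, `bdylen` as captured body bytes) are assumptions inferred from the sample, and the second pair in the embedded input is constructed.

```python
import json

# Constructed sample: the record shown above, trimmed to the fields used here,
# plus a second, invented pair with no response to exercise that case.
SAMPLE = """
{"sa": "1.2.3.4", "da": "4.3.2.1", "sp": 54180, "dp": 80,
 "pairs": [
  {"req": {"fbt": 1752117904.830142, "lbt": 1752117904.830142,
           "mth": "GET", "host": "www.baidu.com", "uri": "/"},
   "res": {"fbt": 1752117904.8458209, "lbt": 1752117904.863394,
           "bdylen": 29506, "sta": 200, "conlen": "29506"}},
  {"req": {"fbt": 1752117905.1, "lbt": 1752117905.1,
           "mth": "GET", "host": "www.baidu.com", "uri": "/favicon.ico"}}
 ]}
"""
SAMPLE_RECORD = json.loads(SAMPLE)

def summarize_pairs(record):
    """Flatten one flow record into one row per HTTP request/response pair."""
    rows = []
    for pair in record.get("pairs", []):
        req = pair.get("req") or {}
        res = pair.get("res")  # absent when no response was captured
        row = {
            "client": f'{record["sa"]}:{record["sp"]}',
            "server": f'{record["da"]}:{record["dp"]}',
            "method": req.get("mth"),
            "url": f'http://{req.get("host", record["da"])}{req.get("uri", "")}',
            "status": None, "ttfb_ms": None, "body_complete": None,
        }
        if res:
            row["status"] = res.get("sta")
            # Assumed semantics: req.lbt = last request byte, res.fbt = first response byte.
            if "fbt" in res and "lbt" in req:
                row["ttfb_ms"] = round((res["fbt"] - req["lbt"]) * 1000, 3)
            # conlen is a string in the sample output; compare it with the observed body bytes.
            conlen = res.get("conlen")
            if conlen is not None and str(conlen).isdigit():
                row["body_complete"] = int(conlen) == res.get("bdylen")
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in summarize_pairs(SAMPLE_RECORD):
        print(row)
```

A `body_complete` of `False` points to a truncated capture or dropped packets rather than a server fault, so such rows are worth excluding before drawing conclusions from response sizes.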
- libpcap - Packet capture
- json-c - JSON parsing
- CMake - Build system
- Google Test - Unit testing (optional)
Note: If you encounter json-c unused params errors on Linux, try the alternative version.
Xiaming Chen [email protected]
SJTU, Shanghai, China
2012-04-01