
Decode Your HTTP Traffic with sysdig

Loris Degioanni
Published: September 10, 2015

Sysdig goes application-aware! Recently we've been adding small but useful features to sysdig at a good pace, and one that is worth mentioning is HTTP decoding.

Starting with sysdig 0.1.103, we have added two chisels, httplog and httptop, which provide insight into all HTTP traffic flowing on your server. They list the requests sent and received, and they can be used to find out exactly what is hitting a web server. This blog post presents them and shows a couple of usage tricks to get the best out of them.

But first, let's take a step back and talk about echoing network connections in sysdig.

The Old Way: The echo_fds Chisel

For quite some time, sysdig has offered a chisel to inspect the activity of a given set of file descriptors. It's called echo_fds, and you can use it to troubleshoot network connections by combining it with the appropriate filter, for example:

```
# sysdig -A -pc -c echo_fds fd.port=80

------ Read 81B from [http_server_1] [70d6e2d0d30c] 172.17.2.110:51742->172.17.2.107:4567 (ruby)

GET /slow/1 HTTP/1.1
Host: server:4567
User-Agent: curl/7.42.1
Accept: */*


------ Write 282B to [http_server_1] [70d6e2d0d30c] 172.17.2.117:38503->172.17.2.107:4567 (ruby)

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 12
X-X
```

Echo_fds has the nice benefit of being able to display network connections established by any container. And, of course, its functionality is nicely integrated into the csysdig curses interface.

The New Way: the httplog and httptop Chisels

Httplog and httptop go one step further by implementing some basic decoding of the raw data that echo_fds shows. In particular, if the connection is carrying HTTP data, they extract information such as the URL and the response time. You can think of this as a simple version of ngxtop, but web server agnostic and able to see inside containers. Httplog prints information about every request, in a way similar to a log:

```
# sysdig -pc -c httplog
2015-08-10 09:15:54.159173634 http_server_1 < method=GET url=server:4567/slow/3 response_code=200 latency=328ms size=12B
2015-08-10 09:15:54.166230840 http_server_1 < method=GET url=server:4567/slow/1 response_code=200 latency=130ms size=12B
2015-08-10 09:15:54.166256264 http_client_5 > method=GET url=server:4567/slow/1 response_code=200 latency=158ms size=12B
2015-08-10 09:15:54.166969191 http_client_1 > method=GET url=server:4567/slow/1 response_code=200 latency=159ms size=12B
2015-08-10 09:15:54.167024171 http_server_1 < method=GET url=server:4567/slow/1 response_code=200 latency=130ms size=12B
```

Httptop, on the other hand, offers a `top-like` view of all the HTTP transactions:

```
# sysdig -pc -c httptop
ncalls method url
-------------------------------------------------------------------
182 GET server:4567/slow/2
182 GET server:4567/slow/3
171 GET server:4567/slow/1
```

Filtering Fun

As usual, leveraging sysdig's filtering engine in conjunction with chisels can make your experience more fun and rewarding.

For example, you can observe the web requests of a particular container:

```
# sysdig -pc -c httplog container.name=wordpress
```

or the ones that were not served by the expected process:

```
# sysdig -pc -c httplog "process.name!=httpd"
```

or the ones coming from a specific client:

```
# sysdig -pc -c httplog fd.cip=192.168.0.1
```
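The httplog line format shown above is easy to post-process once captured to a file. As an added example (not part of the original post or of sysdig itself), the following Python script parses lines in that format, builds an httptop-style per-URL summary from the server-side (`<`) entries, and flags requests that are slow, return a 5xx, or hit a URL outside an expected prefix; the sample lines, the latency threshold and the expected URL prefix are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the httplog output format (the last one is invented).
SAMPLE_LOG = """\
2015-08-10 09:15:54.159173634 http_server_1 < method=GET url=server:4567/slow/3 response_code=200 latency=328ms size=12B
2015-08-10 09:15:54.166230840 http_server_1 < method=GET url=server:4567/slow/1 response_code=200 latency=130ms size=12B
2015-08-10 09:15:54.166256264 http_client_5 > method=GET url=server:4567/slow/1 response_code=200 latency=158ms size=12B
2015-08-10 09:15:55.001000000 http_server_1 < method=POST url=server:4567/admin/login response_code=500 latency=912ms size=0B
"""

# One httplog line: timestamp, container, direction (< received, > sent), then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<container>\S+) (?P<dir>[<>]) "
    r"method=(?P<method>\S+) url=(?P<url>\S+) response_code=(?P<code>\d+) "
    r"latency=(?P<latency>\d+)ms size=(?P<size>\d+)B$"
)

def parse_httplog(text):
    """Parse httplog lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("code", "latency", "size"):
                d[k] = int(d[k])
            rows.append(d)
    return rows

def summarize(rows, server_only=True):
    """httptop-style aggregate keyed by (method, url): call count, max latency, 5xx count."""
    agg = defaultdict(lambda: {"ncalls": 0, "max_latency": 0, "errors": 0})
    for r in rows:
        if server_only and r["dir"] != "<":   # keep only requests received by a server
            continue
        e = agg[(r["method"], r["url"])]
        e["ncalls"] += 1
        e["max_latency"] = max(e["max_latency"], r["latency"])
        if r["code"] >= 500:
            e["errors"] += 1
    return dict(agg)

def flag_requests(rows, max_latency_ms=300, expected_prefixes=("server:4567/slow/",)):
    """Return (container, method, url, reasons) for requests worth a second look (assumed thresholds)."""
    flagged = []
    for r in rows:
        reasons = []
        if r["latency"] > max_latency_ms:
            reasons.append("slow")
        if r["code"] >= 500:
            reasons.append("server_error")
        if not r["url"].startswith(expected_prefixes):
            reasons.append("unexpected_url")
        if reasons:
            flagged.append((r["container"], r["method"], r["url"], ",".join(reasons)))
    return flagged
```

Feed it the output of `sysdig -pc -c httplog > http.log` to get the same summary and flags over a real capture.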

Wrapping Up

The httplog and httptop chisels expand sysdig's Swiss Army knife capabilities, and are great for keeping an eye on your containerized web servers. And if you need this functionality (and much more!) for all the machines and containers in your infrastructure, try Sysdig Cloud for free for 14 days.
