Skip to content


Repository files navigation

Parse and display http traffic from network device or pcap file. This is a go version of origin pcap-parser, thanks to gopacket project, this tool has simpler code base and is more efficient.

For original python implementation, refer to httpcap on pypi.

Note: This tool can not parse HTTPS/HTTP2 traffics.

Install & Requirement

Build httpdump requires libpcap-dev and cgo enabled.


for ubuntu/debian:

sudo apt install libpcap-dev

for centos/redhat/fedora:

sudo yum install libpcap-devel

for osx:

Libpcap and header files should be available in macOS already.


go get


httpdump can read from pcap file, or capture data from network interfaces. Usage:

Usage: httpdump 
    	Output an equivalent curl command for each http request
  -device string
    	Capture packet from network device. If is any, capture all interface traffics (default "any")
    	dump http request/response body to file
  -file string
    	Read from pcap file. If not set, will capture data from network device by default
    	Force print unknown content-type http body even if it seems not to be text content
  -host string
    	Filter by request host, using wildcard match(*, ?)
  -idle duration
    	Idle time to remove connection if no package received (default 4m0s)
  -ip string
    	Filter by ip, if either source or target ip is matched, the packet will be processed
  -level string
    	Output level, options are: url(only url) | header(http headers) | all(headers, and textuary http body) (default "header")
  -output string
    	Write result to file [output] instead of stdout
  -port uint
    	Filter by port, if either source or target port is matched, the packet will be processed.
    	Try to format and prettify json content
  -status string
    	Filter by response status code. Can use range. eg: 200, 200-300 or 200:300-400
  -uri string
    	Filter by request url path, using wildcard match(*, ?)


A simple capture:

$ httpdump  ----->
GET / HTTP/1.1
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: uuid_tt_dd=-7445280944848876972_20160309; _JQCMT_ifcookie=1; _JQCMT_browser=8cc6c51a0610de98f19cf86af0855a3e; lzstat_uv=24444940273412920400|2839507@3117794@3311294  <-----
HTTP/1.1 200 OK
Server: openresty
Date: Tue, 31 May 2016 02:40:14 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
Vary: Accept-Encoding
Vary: Accept-Encoding
Content-Encoding: gzip

{body size: 15482 , set level arg to all to display body content}


# parse pcap file
sudo tcpdump -wa.pcap tcp
httpdump -file a.pcap

# capture specified device:
httpdump -device eth0

# filter by ip and/or port
httpdump -port 80  # filter by port
httpdump -ip # filter by ip
httpdump -ip -port 80 # filter by ip and port