If you need to trace HTTP request and response headers by capturing the packets, you can use tcpdump as shown below (replace ens192 with your network interface). This only works for unencrypted HTTP, here on TCP port 80:

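tcpdump -l -i ens192 -A -s 10240 'tcp port 80' | grep --line-buffered -v IP | grep -E --line-buffered "..(GET |\.HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/..(GET |POST |HEAD )/\n\n\1/g; s/.\.(HTTP\/)/\n\n\1/g'

The -l and --line-buffered options keep the output flowing while the capture runs, grep -v IP drops tcpdump's per-packet summary lines, and the two sed expressions put a blank line before each request line and each status line. The HTTP/ expression requires a preceding dot, as the grep pattern does, so the "HTTP/1.1" at the end of a request line is left alone.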

For example, to capture only traffic on TCP port 80 to or from the IP address 192.168.10.100:

tcpdump -l -i ens192 -A -s 10240 'host 192.168.10.100 and tcp port 80' | grep --line-buffered -v IP | grep -E --line-buffered "..(GET |\.HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " | sed -r 's/..(GET |POST |HEAD )/\n\n\1/g; s/.\.(HTTP\/)/\n\n\1/g'

Sample output:

e2l...P..l..w.TP..

GET /icingaweb2/dashboard HTTP/1.1
Host: icinga.mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: Icingaweb2=jko9fehnt50nc5hblkqfrlgf9gaq96lf; icingaweb2-tzo=7200-1
Upgrade-Insecure-Requests: 1
..*.P...w.T..nuP..

HTTP/1.1 302 Found
Date: Mon, 13 May 2019 12:56:56 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /icingaweb2/authentication/login?redirect=dashboard
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
e2l...P..nu.w..P..

GET /icingaweb2/authentication/login?redirect=dashboard HTTP/1.1
Host: icinga.mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: _chc=1; Icingaweb2=jko9fehnt50nc5hblkqfrlgf9gaq96lf; icingaweb2-tzo=7200-1
Upgrade-Insecure-Requests: 1
..*.P...w....pHP..

HTTP/1.1 200 OK
Date: Mon, 13 May 2019 12:56:56 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1962
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
e2l...P..pH.w..P..

GET /icingaweb2/css/icinga.min.css HTTP/1.1
Host: icinga.mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.101.50.108/icingaweb2/authentication/login?redirect=dashboard
Connection: keep-alive
Cookie: Icingaweb2=jko9fehnt50nc5hblkqfrlgf9gaq96lf; icingaweb2-tzo=7200-1
e2l...Px4Q./j.TP..

GET /icingaweb2/js/icinga.min.js HTTP/1.1
Host: icinga.mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.101.50.108/icingaweb2/authentication/login?redirect=dashboard
Connection: keep-alive
Cookie: Icingaweb2=jko9fehnt50nc5hblkqfrlgf9gaq96lf; icingaweb2-tzo=7200-1
..*.P...w....q.P..

HTTP/1.1 200 OK
Date: Mon, 13 May 2019 12:56:56 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Etag: f452ab11-1339c7d4-ce195513
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/css;charset=UTF-8
..*.P../j.Tx4R.P..

HTTP/1.1 200 OK
Date: Mon, 13 May 2019 12:56:56 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
ETag: "4a2953cd-a7a2f318-8c5ad1c6-gzip"
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/javascript
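
The trace above carries the Icinga Web 2 session cookie in clear text, so output like this is usually masked before it is saved or pasted into a ticket. The following filter is an added example, not part of the original post; the function name redact_http_secrets and its sample input are made up for illustration.

```shell
#!/bin/sh
# Added example: mask credential-bearing header values in a header trace.
# The function name and the sample lines below are constructed for illustration.
redact_http_secrets() {
  awk '
  {
    colon = index($0, ": ")
    if (colon == 0) { print; next }          # request/status lines pass through
    name  = tolower(substr($0, 1, colon - 1))
    value = substr($0, colon + 2)
    keep  = substr($0, 1, colon + 1)         # header name plus ": "
    if (name == "cookie" || name == "set-cookie") {
      # Cookie: mask every value. Set-Cookie: mask only the first pair,
      # the rest are attributes (Path, HttpOnly, ...) worth keeping.
      n = split(value, part, /; */)
      out = ""
      for (i = 1; i <= n; i++) {
        eq = index(part[i], "=")
        mask = (eq > 0 && (name == "cookie" || i == 1))
        item = mask ? substr(part[i], 1, eq) "[redacted]" : part[i]
        out = out (i > 1 ? "; " : "") item
      }
      print keep out
    } else if (name == "authorization" || name == "proxy-authorization") {
      # Keep the scheme (Basic, Bearer, ...), drop the credentials.
      sp = index(value, " ")
      print keep (sp > 0 ? substr(value, 1, sp) : "") "[redacted]"
    } else {
      print
    }
  }'
}

# Constructed sample input, shaped like the trace above.
redact_http_secrets <<'EOF'
GET /icingaweb2/dashboard HTTP/1.1
Host: icinga.example
Cookie: Icingaweb2=0123456789abcdef; icingaweb2-tzo=7200-1
Authorization: Basic dXNlcjpwYXNz
Set-Cookie: Icingaweb2=0123456789abcdef; path=/; HttpOnly
EOF
```

Append | redact_http_secrets to either tcpdump pipeline above to apply it to a live capture.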