httpflow
Capture and reconstruct HTTP traffic
TLDR
Capture traffic on all interfaces
Use a bpf-style capture to filter the results
Use a regex to filter requests by URLs
Read packets from PCAP format binary file
Write the output to a directory
SYNOPSIS
httpflow [-hV] [-i
PARAMETERS
-h
Display help and exit
-V
Display version information
-i
Capture live from network interface
-r
Read packets from PCAP file
-f
Apply BPF filter expression
-s
Server-side perspective (hide client details)
-c
Client-side perspective (hide server details)
-v
Verbose output
-g
Generate Graphviz DOT output for flows
-t
Print timing information
-C
TLS certificate file for HTTPS decryption
-d
Debug level (0-4)
-o
Write output to file
DESCRIPTION
httpflow is a lightweight, command-line HTTP analyzer that dissects and reconstructs HTTP flows from PCAP files or live captures. It excels at extracting complete HTTP conversations, displaying requests and responses with methods, URIs, headers, status codes, and body previews in a concise, human-readable format. Designed for efficiency, it uses a cut-through approach to handle large captures without full reassembly, making it suitable for security analysis, debugging web traffic, and protocol reverse-engineering.
Unlike general-purpose tools, httpflow focuses solely on HTTP (HTTP/1.x, with partial HTTP/2 support) and ignores non-HTTP traffic. Features include BPF filters for targeted analysis, verbose logging, Graphviz output for visualizing request-response graphs, and options for client/server perspectives. Output can be redirected to files for scripting or further processing.
Ideal for pentesters, SOC analysts, and network admins, it provides quick insights into web app behavior, API calls, and anomalies without the overhead of GUI tools. Supports both offline PCAP processing and real-time interface monitoring.
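To make the PCAP-to-HTTP step described above concrete, the following added Python example (not httpflow's code and not part of the original page) reads a classic PCAP file packet by packet, with no TCP stream reassembly, and lists the HTTP/1.x start lines it finds. The function names, the sample addresses and the constructed capture are assumptions made for illustration; only untagged Ethernet/IPv4/TCP frames are handled.

```python
import socket
import struct

def frame(src, dst, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap(frames):
    """Wrap frames in a classic little-endian PCAP file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def http_start_lines(data, port=80):
    """Return 'src:port -> dst:port start-line' for each packet opening an HTTP/1.x message."""
    if len(data) < 24 or struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond PCAP file")
    found, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack("<I", data[off + 8:off + 12])[0]  # captured length
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        # Keep only IPv4 (ethertype 0x0800) carrying TCP (protocol 6).
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]  # skip the IP header (IHL words)
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        if port not in (sport, dport):
            continue
        first = tcp[(tcp[12] >> 4) * 4:].split(b"\r\n", 1)[0]
        # A request line ends with the HTTP version, a status line starts with it.
        if first.startswith(b"HTTP/1.") or first.rsplit(b" ", 1)[-1].startswith(b"HTTP/1."):
            found.append("%s:%d -> %s:%d %s" % (
                socket.inet_ntoa(pkt[26:30]), sport,
                socket.inet_ntoa(pkt[30:34]), dport, first.decode("latin-1")))
    return found

# Constructed sample: a request, its response, and unrelated traffic on port 22.
SAMPLE = pcap([
    frame("10.0.0.5", "10.0.0.9", 40000, 80, b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    frame("10.0.0.9", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    frame("10.0.0.5", "10.0.0.9", 40001, 22, b"SSH-2.0-constructed\r\n"),
])
```

Because each packet is inspected on its own, a start line split across two TCP segments is missed; that is the trade-off of skipping reassembly.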
CAVEATS
Limited to HTTP/1.x and partial HTTP/2; no native HTTPS support without external decryption via -C; requires root for live captures; Graphviz output needs dot(1) for rendering.
INSTALLATION
Install via Go: go install github.com/Ne0nd0g/httpflow@latest
Or download binaries from GitHub releases.
EXAMPLE USAGE
Offline analysis: httpflow -r capture.pcap
Live with filter: httpflow -i eth0 -f "port 80"
Graph output: httpflow -r file.pcap -g > flows.dot
HISTORY
Developed by P. Lestang (Ne0nd0g), first released in 2021 as an open-source Go project on GitHub. Gained popularity for its speed and focus on HTTP flows in cybersecurity communities; actively maintained with updates for new PCAP formats and features.


