What tool can I use to sniff HTTP/HTTPS traffic?
mitmproxy is an SSL-capable man-in-the-middle proxy for HTTP. It provides a console interface that allows traffic flows to be inspected and edited on the fly.
mitmdump is the command-line version of mitmproxy, with the same functionality but without the user interface. Think tcpdump for HTTP.
- Intercept HTTP requests and responses and modify them on the fly.
- Save complete HTTP conversations for later replay and analysis.
- Replay the client-side of an HTTP conversations.
- Replay HTTP responses of a previously recorded server.
- Reverse proxy mode to forward traffic to a specified server.
- Make scripted changes to HTTP traffic using Python.
- SSL certificates for interception are generated on the fly.
I setup an example Jekyll Bootstrap app which is listening on port 4000 on my localhost. To intercept it's traffic I'd do the following:
% mitmproxy --mode reverse:http://localhost:4000 -p 4001
Then connect to my mitmproxy on port 4001 from my web browser (
http://localhost:4001), resulting in this in mitmproxy:
You can then select any of the
GET results to see the header info associated to that
- mitmproxy documentation
- How mitmproxy works & Modes of Operation
For some situations, you can use a proxy that accepts incoming HTTP requests and makes outgoing HTTPS requests. As an example, I wanted to capture the traffic between
git and github.com. I used mitmproxy:
mitmproxy -s httpser.py
def request(context, flow): flow.request.scheme = 'https' flow.request.port = 443
I then ran
git like so:
export http_proxy="http://127.0.0.1:8080/" git clone http://github.com/oxplot/difftr
wireshark listening on
localhost, one can capture the plain traffic. Without the proxy, github would redirect
git to use HTTPS.
tcpdump for HTTPS is
mitmdump. Here are the steps:
brew install mitmproxy).
Install mitmproxy CA certificate by the following commands:
$ mitmdump --mode reverse:http://mitm.it/ -p 8080 $ wget --content-disposition http://localhost:8080/cert/pem $ open mitmproxy-ca-cert.pem # Open, install and mark the certificate as trusted.
Now, here is the simple test on how to test reverse proxy:
mitmdump --mode reverse:https://example.com/ -p 4433.
In another shell, run:
Now, you should see the page source and
mitmdumpcommand should produce the output like:
Proxy server listening at http://*:4433 [::1]:49446: clientconnect [::1]:49446: GET https://example.com/ HTTP/2.0 << 200 1.24k [::1]:49446: clientdisconnect
For all traffic, just run:
mitmproxy docs page for more details.
If you're on macOS, there is also Charles Proxy app (GUI) which allows view all of the HTTP and SSL/HTTPS traffic between the hosts.