HTTP Response Sniffer

HTTP Sniff captures HTTP responses from TCP/IP based networks and saves the files they contain locally for later review.

Network access is performed using libpcap. Reading from dump files as produced by tcpdump, ethereal, kismet or any other software using pcap format is also possible.

As of version 0.3, libnids can be used instead of the builtin TCP/IP stack. httpsniff has only been tested with libnids-1.20 and may or may not work with older versions. Version 0.4 is the first to work with libnids-1.22 and possibly newer.

Both stacks exist in parallel because the builtin one is more relaxed in what it accepts, while libnids is a lot better tested. The builtin stack supports the following link layers:

  • Ethernet
  • WLAN
  • Linux Cooked
  • Raw IP

Compile Info

There are two ways to compile httpsniff: with or without libnids support. For libnids support simply type:


To compile httpsniff without libnids and libnet, issue:

make nonids


If launched with only a name as argument, httpsniff will first try to open a dump file by that name; if this fails, it will treat the argument as the name of a network interface. Additional options are:

httpsniff -h
Usage: httpsniff [<options>] <name> [<filter>]

Where <options> are:
    -i    force <name> to be treated as network interface
    -f    force <name> to be treated as dump file

    -x    use builtin relaxed tcp/ip stack instead of libnids
    -u    use URL based file/directory structure for saved files

    -v    verbose - additional v increase output further
    -q    quiet - additional q decrease output further
    -h    this help page

The optional <filter> can be any pcap filter program. See the tcpdump man page for details.

HTTP responses are decoded but not uncompressed. Responses without content are discarded. The naming scheme depends on the selected options but defaults to simple numbering.


httpsniff -i eth0 "port 80"
Examine packets on eth0 going to and from port 80. This should catch almost all web traffic and saves httpsniff from having to keep track of all other connections.

httpsniff -u -x -i eth0 "port 80"
As above, but uses the relaxed internal stack and stores each file under the name it was requested as, in a separate directory for each server.

httpsniff example.dump
Examine packets contained in dump file example.dump. This will cause httpsniff to process the file and terminate when done.


Files found in the downloadable archives below are released under the GNU GPL.


All information on this page refers to the latest version available.

Attention! Experimental Code
This program is in an experimental stage. It should only be used in safe environments. There are no memory usage limits, so specially crafted TCP packets may cause DoS.
Structured saving using "-u" is not secured against directory traversal attacks.
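
One way a URL-to-path mapping like the one "-u" performs can be confined to the output directory, shown as an added example that is not httpsniff's own code. The names build_save_path and safe_component and the "index" fallback are hypothetical, and percent-escapes are rejected rather than decoded.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not httpsniff code. One path component is acceptable only if
 * it is non-empty, not "." or "..", and free of separators, control bytes and
 * '%' (escapes are rejected rather than decoded, a conservative assumption). */
static int safe_component(const char *s, size_t n)
{
    if (n == 0 || n > 255) return 0;
    if (s[0] == '.' && (n == 1 || (n == 2 && s[1] == '.'))) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f || c == '/' || c == '\\' || c == '%') return 0;
    }
    return 1;
}

/* Build "<root>/<host>/<url path>" in out. Returns 0 on success, -1 when the
 * name is unsafe or too long and the caller should use plain numbering. */
int build_save_path(const char *root, const char *host, const char *url,
                    char *out, size_t outlen)
{
    int need_name = 1;                       /* no file name component yet */
    if (!safe_component(host, strlen(host))) return -1;  /* Host is untrusted */
    int n = snprintf(out, outlen, "%s/%s", root, host);
    if (n < 0 || (size_t)n >= outlen) return -1;
    size_t used = (size_t)n;

    for (const char *p = url; *p && *p != '?' && *p != '#'; ) {
        size_t len = strcspn(p, "/?#");
        if (len == 0) { p++; need_name = 1; continue; }  /* '/' or "//" */
        if (!safe_component(p, len) || used + len + 2 > outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, p, len);
        used += len;
        out[used] = '\0';
        p += len;
        need_name = 0;
    }
    if (need_name) {                         /* "/" or trailing slash */
        if (used + sizeof "/index" > outlen) return -1;
        memcpy(out + used, "/index", sizeof "/index");
    }
    return 0;
}
```

The check is purely lexical: it does not resolve symlinks that already exist under the output directory, and it does not handle a name being needed as both a file and a directory.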

HTTP Sniff v0.4 - Source (2007-10-05)
HTTP Sniff v0.3 - Source (2005-12-04)
HTTP Sniff v0.2 - Source (2005-03-27)
HTTP Sniff v0.1 - Source (2004-10-25)