Scenario

You suspect the web service isn't receiving HTTP requests, and you need to confirm network traffic to port 80.

Task

Capture network packets destined for or originating from port 80 (HTTP traffic), limit the capture to the first 10 packets to avoid large files, save the captured packets to /tmp/http_traffic.pcap in pcap format, read the capture file and extract key information (source IP, destination IP with port, TCP flags), create a human-readable summary showing packet flow and TCP handshake details, and save the summary to /tmp/http_summary.txt in the format SOURCE_IP -> DEST_IP:PORT [FLAGS].

You may use tcpdump to capture and inspect packets.

Important

You can run script below to save http_summary.txt instead of manually filling the file since main goal is test troubleshooting.

cat <http_traffic_file> | awk '/Flags/ && /IP/ {
    # Skip IPv6 packets, only process IPv4
    if ($0 ~ /IP6/) next
    
    # Extract source and destination IPs WITH ports
    # Pattern: IP source.port > dest.port
    if (match($0, /IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.([0-9]+) > ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.([0-9]+)/, parts)) {
        src_ip = parts[1]
        src_port = parts[2]
        dst_ip = parts[3]
        dst_port = parts[4]
        
        # Extract flags
        if (match($0, /Flags (\[[^\]]+\])/, flags)) {
            print src_ip ":" src_port " -> " dst_ip ":" dst_port " " flags[1]
        }
    }
}' > /tmp/http_summary.txt

Step 1: Capture 10 packets on port 80

tcpdump -i any -c 10 -w /tmp/http_traffic.pcap port 80

This captures the first 10 packets on port 80 and saves them to a pcap file. The command waits until 10 packets are captured.

Step 2: Read the captured packets to view details

tcpdump -r /tmp/http_traffic.pcap -n

Examine the output for source/destination IPs and TCP flags

Look for:

• IP addresses in the format source.port > destination.port
• TCP Flags in brackets: [S], [S.], [.], [P.], [F.], [R]

Step 3: Create the summary file

Option A: Automated extraction with awk

tcpdump -n -r /tmp/http_traffic.pcap >  file

cat file | awk '/Flags/ && /IP/ {
    # Skip IPv6 packets, only process IPv4
    if ($0 ~ /IP6/) next
    
    # Extract source and destination IPs WITH ports
    # Pattern: IP source.port > dest.port
    if (match($0, /IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.([0-9]+) > ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.([0-9]+)/, parts)) {
        src_ip = parts[1]
        src_port = parts[2]
        dst_ip = parts[3]
        dst_port = parts[4]
        
        # Extract flags
        if (match($0, /Flags (\[[^\]]+\])/, flags)) {
            print src_ip ":" src_port " -> " dst_ip ":" dst_port " " flags[1]
        }
    }
}' > /tmp/http_summary.txt

This command automatically parses the pcap file and extracts source IPs, destination IPs, and TCP flags in the required format.

Option B: Manual extraction

Alternatively, you can manually extract the information from Step 2's output and create the summary:

echo "127.0.0.1:52764 -> 127.0.0.1:80 [S]" > /tmp/http_summary.txt
echo "127.0.0.1:80 -> 127.0.0.1:52764 [S.]" >> /tmp/http_summary.txt
echo "127.0.0.1:52764 -> 127.0.0.1:80 [.]" >> /tmp/http_summary.txt
echo "127.0.0.1:52764 -> 127.0.0.1:80 [P.]" >> /tmp/http_summary.txt
echo "127.0.0.1:80 -> 127.0.0.1:52764 [.]" >> /tmp/http_summary.txt
echo "127.0.0.1:80 -> 127.0.0.1:52764 [P.]" >> /tmp/http_summary.txt
echo "127.0.0.1:52764 -> 127.0.0.1:80 [.]" >> /tmp/http_summary.txt
echo "127.0.0.1:80 -> 127.0.0.1:52764 [P.]" >> /tmp/http_summary.txt

Replace the IPs and flags with values from your capture.

Step 4: View the summary

cat /tmp/http_summary.txt