Sniffing HTTP

Recently I spent a bit of time studying the effects of HTTP headers on different browsers. There was this issue with IE6 caching things too aggressively… but I digress. I crafted this command line for the command line version of Ethereal (WireShark). It continuously dumps HTTP request headers, response headers, and text responses. There is a 30-line limit on all three. Here is it, mainly for my memory but maybe someone else will benefit:

tethereal -i en1 -f 'host' -R 'http' -S -V -l | \
awk '/^[HL]/ {p=30} /^[^ HL]/ {p=0} /^ / {--p} {if (p>0) print}'

Replace en1 with the network adapter you are using (ifconfig). Replace with the IP of the destination machine. I used the awk command as a state machine to filter out unwanted output from tethereal and to impose the 30-line limit. The output looks like this:

Hypertext Transfer Protocol
    GET /style.css HTTP/1.1\r\n
        Request Method: GET
        Request URI: /style.css
        Request Version: HTTP/1.1
    User-Agent: Mozilla/5.0 [...] Firefox/3.0\r\n
    Accept: text/css,*/*;q=0.1\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 300\r\n
    Connection: keep-alive\r\n
    Cookie: wp_test=WP+Cookie+check\r\n

Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
        Request Version: HTTP/1.1
        Response Code: 200
    Date: Thu, 10 Jul 2008 20:37:45 GMT\r\n
    Server: LiteSpeed\r\n
    Accept-Ranges: bytes\r\n
    Connection: Keep-Alive\r\n
    Keep-Alive: timeout=5, max=100\r\n
    Cache-Control: max-age=604800\r\n
    Expires: Thu, 17 Jul 2008 20:37:45 GMT\r\n
    ETag: "461d-47e542a4-0"\r\n
    Last-Modified: Sat, 22 Mar 2008 17:32:20 GMT\r\n
    Content-Type: text/css\r\n
    Content-Length: 2400\r\n
    Content-Encoding: gzip\r\n
    Vary: Accept-Encoding\r\n
    Content-encoded entity body (gzip): 2400 bytes -> 17949 bytes
Line-based text data: text/css
    \tTheme Name: Example
    \tTheme URL: