You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+16-11Lines changed: 16 additions & 11 deletions
Original file line number
Diff line number
Diff line change
@@ -10,16 +10,14 @@
10
10
</p>
11
11
<br>
12
12
13
-
View the HTTP and HTTPS requests made by any linux program by running `httptap -- <command>`. For example, the following runs curl on "monasticacademy.org", which results in an HTTP status of 308 (Redirect):
13
+
View the HTTP and HTTPS requests made by a linux program:
14
14
15
15
```shell
16
16
$ httptap -- curl https://monasticacademy.org
17
17
---> GET https://monasticacademy.org/
18
18
<--- 308 https://monasticacademy.org/ (15 bytes)
19
19
```
20
20
21
-
Now let's try the same thing with an HTTP request from python. This time we see that python follows the redirect and gets a 200 OK response:
To run `httptap` you do not need to be the root user. You do not need to set up any kind of daemon or make any system-wide changes to your system. It will not create any iptables rules or change your routing table, and generally will not affect any other processes running on the same system. The `httptap` executable is a static Go binary that runs without dependencies.
29
+
Httptap runs the requested command in an isolated network namespace, injecting a certificate authority created on-the-fly in order to decrypt HTTPS traffic. If you can run `<command>` on your shell, you can likely also run `httptap -- <command>`. You do not need to be the root user, nor set up any kind of daemon, nor make any system-wide changes to your system. The `httptap` executable is a static Go binary that runs without dependencies. You can install it with:
30
+
31
+
```shell
32
+
go install github.com/monasticacademy/httptap@latest
33
+
```
34
+
35
+
or download a pre-built release with:
36
+
37
+
```shell
38
+
curl -L https://github.com/monasticacademy/httptap/releases/download/v0.0.3/httptap_Linux_x86_64.tar.gz | tar xzf -
39
+
```
32
40
33
41
Httptap is linux-only. It makes extensive use of linux-specific system calls and is unlikely to be ported to other operating systems.
34
42
@@ -71,7 +79,7 @@ Now we can see that after receiving the 302 redirect, curl made an additional HT
71
79
Let's see what HTTP endpoints the Google Cloud command line interface uses to list compute resources (this requires that you have gcloud installed and are signed in):
---> GET https://compute.googleapis.com/compute/v1/projects/maple-public-website/aggregated/instances?alt=json&includeAllScopes=True&maxResults=500&returnPartialSuccess=True
@@ -111,7 +119,7 @@ $ httptap --https 443 6443 -- kubectl get all --insecure-skip-tls-verify
111
119
112
120
In the above, `--insecure-skip-tls-verify` is necessary because kubectl doesn't use the httptap-generated certificate authority, and `--https 443 6443` says to treat TCP connections on ports 443 and 6443 as HTTPS connections, which is needed because my cluter's API endpoint uses port 6443.
113
121
114
-
Let's see how DNS-over-HTTP works when you use `--doh-url` with curl:
What happened here is that we told `curl` to request the url "https://buddhismforai.sutra.co", using the cloudflare DNS-over-HTTP service at `cloudflare-dns.com`. In the output we see that `curl` made 4 HTTP requests in total; the first two were DNS lookups, and then the second two were the ordinary HTTP requests for buddhismforai.sutra.co.
136
+
What happened here is that we told `curl` to request the url "https://buddhismforai.sutra.co", using the cloudflare DNS-over-HTTP service for DNS queries. In the output we see that `curl` made 4 HTTP requests in total; the first two were DNS lookups, and then the second two were the HTTP requests for buddhismforai.sutra.co, making use of the IP addresses obtained in the DNS queries.
129
137
130
-
Let's print the contents of the DNS-over-HTTP payloads look:
@@ -153,8 +161,6 @@ Here the `--head` option tells httptap to print the HTTP headers, and `--body` t
153
161
154
162
# How it works
155
163
156
-
When you run `httptap -- <command>`, httptap runs `<command>` in an isolated network namespace, injecting a certificate authority created on-the-fly in order to decrypt HTTPS traffic. Here is the process in detail:
157
-
158
164
In linux, there is a kernel API for creating and configuring network interfaces. Conventionally, a network interface would be a physical ethernet or WiFi controller in your computer, but it is possible to create a special kind of network interface called a TUN device. A TUN device shows up to the system in the way that any network interface shows up, but any traffic written to it will be delivered to a file descriptor held by the process that created it. Httptap creates a TUN device and runs the subprocess in an environment in which all network traffic is routed through that device.
159
165
160
166
There is also a kernel API in linux for creating network namespaces. A network namespace is a list of network interfaces and routing rules. When a process is started in linux, it can be run in a specified network namespace. By default, processes run in a root network namespace that we do not want to make chagnes to because doing so would affect all network traffic on the system. Instead, we create a network namespace in which there are only two network interfaces: a loopback device (127.0.0.1) and a TUN device that delivers traffic to us. Then we run the subprocess in that namespace.
@@ -171,4 +177,3 @@ When httptap starts, it creates a certificate authority (actually a private key
171
177
172
178
- The process cannot listen for incoming network connections
173
179
- You need access to `/dev/net/tun`
174
-
- All ICMP echo requests will be echoed without sending any ICMP packets out to the real network
0 commit comments