Mar 092013
As I use nginx more and more, one of the things I miss is being able to see who is connecting to the server and the request they are making. This is often helpful in determining attacks. So, I basically wrote this script which does it.
#!/bin/bash
# By Ed Wiget
# This shows active GET and POSTS to port 80
# One of the things i hate about nginx is the lack of an apache style status page showing requests
# hence I wront this script....which does it at a network layer, using ngrep
# 20130308 - original script
## grep all HTTP GET or POST requests from network traffic on eth0 interface ##
# sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
if [ `which ngrep | head -1 | wc -l` == "0" ]; then
echo "missing ngrep....please install"
exit
fi
if [ $1 = "" ]; then
echo "You must pass the interface as an option, i.e. eth0 or eth1, etc"
read CIF
else
CIF=$1
fi
thing=1
until [ $thing = "0" ]; do
# uncomment top line if you dont need x-forward-for
#sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
# use the next line if you do need x-forward-for
#sudo ngrep -d eth1 -q 'X-Forwarded-For' tcp and port 80
ngrep -d ${CIF} -t '^(GET|POST) ' tcp and port 80
echo
sleep 1;
done
CHANGES
20130905 – added option to pass interface