As architectures shift toward microservices, visibility becomes a primary challenge. Logging is often the first line of defense, yet traditional approaches frequently miss the mark during critical system moments.
The Challenge with REST APIs
When important data is tucked inside various headers and request bodies, logging every full exchange becomes far too verbose. Developers must constantly balance missing data against drowning in it.
That's why we need to capture traffic "just when needed". However, typical network sniffers won't help if you're looking for HTTP headers or SMTP commands. You need a tool that can reconstruct the TCP flow - not just capture fragmented packets.
We will introduce justniffer - a powerful tool that traces TCP traffic by rebuilding the stream flow. This gives us the flexibility to inspect application-layer protocols without struggling with post-processing TCP stream reconstruction.
Example: Tracing Application Content
Let's look at a few scenarios where a TCP sniffer proves useful, starting with capturing HTTP headers from a web application.
Capturing HTTP Headers
justniffer -i lo -p "port 8080" -l %request.header
Output (truncated for brevity):
GET /static/custom.css HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Origin: http://localhost:8080
sec-ch-ua-platform: "Linux"
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
...
Cookie: _gcl_au=...; token=eyJhbG...
If-None-Match: "0dfdc2d3d075cb813ea2bf73ed8854a8"
If-Modified-Since: Mon, 11 May 2026 10:43:01 GMT
Adding Connection Information
Now let's enhance the output with connection details: IP addresses and ports.
justniffer -i lo -p "port 8080" -u -l %request.timestamp %source.ip:%source.port %dest.ip:%dest.port %newline%request.header
Output:
2026-05-11 15:05:37.179793 127.0.0.1:56768 127.0.0.1:8080
GET /api/v1/chats/all/tags HTTP/1.1
Host: localhost:8080
authorization: Bearer eyJhbG...
Cookie: _gcl_au=...; token=...
...
Filtering for a Specific Header (e.g., Cookie)
You can pipe the output to grep to focus on a particular header:
justniffer -i lo -p "port 8080" -u -l INFO %request.timestamp %source.ip:%source.port %dest.ip:%dest.port %newline%request.header | grep -E "Cookie|INFO"
Output:
INFO 2026-05-11 15:17:38.819638 127.0.0.1:49308 127.0.0.1:8080
Cookie: _gcl_au=1.1.1932929889.1770841665; _ga=GA1.1.555273468.1770841666; ... token=eyJhbG...
INFO 2026-05-11 15:17:42.960283 127.0.0.1:49308 127.0.0.1:8080
Cookie: _gcl_au=1.1.1932929889.1770841665; _ga=GA1.1.555273468.1770841666; ... token=eyJhbG...
Logging Both Request and Response
To capture the full conversation (request headers + response headers and body), use %response:
justniffer -i lo -p "port 8080" -u -l INFO %request.timestamp %source.ip:%source.port %dest.ip:%dest.port %newline%response
Output (request part shown; response body may be binary):
INFO 2026-05-11 15:25:40.585069 127.0.0.1:54076 127.0.0.1:8080
GET /api/v1/functions/ HTTP/1.1.
Host: localhost:8080.
authorization: Bearer eyJhbG...
...
POST /api/v1/tasks/active/chats HTTP/1.1.
Content-Length: 2276.
...
{"chat_ids":["30022d80-0f5a-..."]}
INFO 2026-05-11 15:26:30.382447 127.0.0.1:54030 127.0.0.1:8080
..iE..[C....B/. # ← binary response body (e.g., gzipped or protobuf)
Note: Response bodies are often compressed or binary. For text responses (JSON, XML, plain text),
justnifferwill show them cleanly. For binary data, you'll see raw bytes - consider using%response.headeralone if you only need headers.
Why This Matters
With justniffer, you get application‑level insight without overwhelming log volumes. By selectively capturing headers, filtering with grep, or tracing full request-response pairs, you can debug tricky issues in microservices-like authentication failures, malformed payloads, without drowning in packet dumps.
Top comments (0)