Tools for Tracking Server-to-Server Calls in SOA Architectures
Summary
Provides general use notes for tracking down server-to-server calls when debugging SOA architectures.
Tools
tcpdump
The foundational packet capture tool available on virtually all Unix-like systems. Best for low-level network analysis and capturing raw traffic.
Basic Usage for HTTP Traffic
```bash
# Capture HTTP traffic on port 80
tcpdump -i any -A -s 0 'tcp port 80'

# Monitor specific host communication (on port 443 the payload is TLS, so -A shows
# only handshake metadata and ciphertext; use this to confirm the connection is made)
tcpdump -i any -A -s 0 'host api.example.com and port 443'

# Save capture for later analysis
tcpdump -i any -w capture.pcap 'tcp port 8080'

# Read from saved capture
tcpdump -r capture.pcap -A
```
Filtering by Port and Host
```bash
# Multiple ports
tcpdump -i any 'port 80 or port 443 or port 8080'

# Specific source and destination
tcpdump -i any 'src 10.0.1.5 and dst port 9000'

# Exclude SSH traffic to reduce noise
tcpdump -i any 'not port 22'

# Filter by network segment
tcpdump -i any 'net 192.168.1.0/24 and port 80'
```
When to Use
- Need complete packet capture for deep inspection
- Troubleshooting connection-level issues (TCP handshakes, retransmissions)
- Creating captures for offline analysis with Wireshark
- Working on systems without specialized HTTP tools
ngrep
Network grep: pattern matching on packet payloads. Ideal for real-time monitoring of HTTP requests with familiar grep-like syntax (arguments are the match pattern first, then a BPF filter).
Pattern Matching HTTP Requests
```bash
# Match specific API endpoint
ngrep -q -W byline 'GET /api/users' port 80

# Case-insensitive search for POST requests
ngrep -q -i 'POST' port 8080

# Match JSON payloads containing specific keys
ngrep -q '"user_id"' port 3000

# Monitor authentication headers (only visible on plaintext HTTP; inside TLS on
# port 443 the header is encrypted and will never match, use mitmproxy there)
ngrep -q 'Authorization:' port 80
```
Real-Time Monitoring
```bash
# Monitor all HTTP traffic with clean output (empty pattern matches every packet)
ngrep -d any -q -W byline '' port 80

# Track requests to specific service
ngrep -d any -q 'Host: auth-service' port 80

# Watch for error responses
ngrep -q '500 Internal Server Error' port 80

# Monitor API calls with timestamps
ngrep -q -t -W byline 'api' port 8080
```
When to Use
- Quick inspection of HTTP request/response content
- Searching for specific patterns in API calls
- Debugging authentication or header issues
- Real-time monitoring during load tests
httpry
HTTP-specific packet sniffer designed for logging and analyzing HTTP traffic. Provides structured output optimized for HTTP protocol.
HTTP-Specific Analysis
```bash
# Basic HTTP traffic logging
httpry -i any

# Monitor specific interface, writing formatted output to a file
httpry -i eth0 -o http.log

# Filter by HTTP method
httpry -m get,post -i any

# Select specific output fields
httpry -i any -f source-ip,dest-ip,request-uri,status-code
```
Request/Response Logging
```bash
# Log all requests with timestamps (the timestamp field is part of httpry's default
# output format; httpry's -t flag is the rate-statistics interval, not a timestamp switch)
httpry -i any -o requests.log

# Monitor POST requests only
httpry -i any -m post -o post-traffic.log

# Track API responses by status code
httpry -i any -f timestamp,host,request-uri,status-code -o api-status.log

# Follow specific host
httpry -i any 'host api.internal.com'
```
When to Use
- Need HTTP-specific metrics and logging
- Analyzing API usage patterns
- Debugging REST API calls between services
- Creating structured logs for analysis
Modern Alternatives
Wireshark / tshark
GUI and CLI versions of the most powerful packet analyzer. Excellent for deep protocol analysis.
```bash
# Command-line equivalent: capture port 80 and display only HTTP requests
tshark -i any -f "tcp port 80" -Y "http.request"
```
mitmproxy
Interactive HTTPS proxy with powerful inspection and modification capabilities.
```bash
# Transparent proxy mode
mitmproxy --mode transparent --showhost
```
httpie + logging
For controlled API testing with human-readable output.
Docker container inspection
When debugging containerized SOA:
```bash
# Monitor container network traffic (requires tcpdump inside the container image)
docker exec <container> tcpdump -i any -A port 80

# If the image has no tcpdump, attach a tooling container to the same network namespace
docker run --rm -it --net container:<container> nicolaka/netshoot tcpdump -i any -A port 80
```
Debugging Workflow
1. Identify the Problem Scope
- Which services are involved?
- What protocol (HTTP, HTTPS, gRPC)?
- Is this intermittent or consistent?
2. Choose Your Tool
- tcpdump: Connection issues, need raw packets, creating captures
- ngrep: Quick content inspection, pattern matching
- httpry: HTTP-specific analysis, structured logging
- mitmproxy: HTTPS inspection, request modification
- Wireshark: Complex protocol analysis, GUI needed
3. Capture Strategy
```bash
# Start broad, then narrow
tcpdump -i any -w full-capture.pcap 'port 8080'

# Filter to a specific conversation
tcpdump -i any 'host 10.0.1.5 and host 10.0.1.8'

# Real-time monitoring with ngrep
ngrep -q -W byline 'api' port 8080
```
4. Analysis Techniques
- Look for missing requests (expected calls not happening)
- Check response codes and timings
- Verify request headers (Authorization, Content-Type)
- Examine payload structure
- Identify network-level issues (retransmissions, resets)
5. Common SOA Issues
- Service discovery failures (wrong host/port)
- Authentication token expiry
- Timeout misconfigurations
- Load balancer routing problems
- API version mismatches
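As an added example (not part of the original notes), a small Python correlator that applies steps 4 and 5 to httpry-style log lines: it pairs each request with the next response on the same client/server pair, then flags calls with no response, 401/403 responses, 5xx responses and slow responses. The log layout is assumed to be httpry's tab-separated default and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in httpry's assumed default layout (tab-separated; '>' request, '<' response)
SAMPLE_LOG = """\
# httpry version 0.1.8 (constructed header line)
2024-05-01 10:00:01\t10.0.1.5\t10.0.1.9\t>\tGET\tuser-service\t/api/users/42\tHTTP/1.1\t-\t-
2024-05-01 10:00:04\t10.0.1.9\t10.0.1.5\t<\t-\t-\t-\tHTTP/1.1\t500\tInternal Server Error
2024-05-01 10:00:05\t10.0.1.5\t10.0.1.9\t>\tPOST\tuser-service\t/api/users\tHTTP/1.1\t-\t-
2024-05-01 10:00:05\t10.0.1.9\t10.0.1.5\t<\t-\t-\t-\tHTTP/1.1\t401\tUnauthorized
2024-05-01 10:00:06\t10.0.1.5\t10.0.1.10\t>\tGET\torder-service\t/api/orders\tHTTP/1.1\t-\t-
"""

def parse(text):
    """Yield one dict per HTTP line; httpry's '#' header lines are skipped."""
    for line in text.splitlines():
        f = line.split("\t")
        if line.startswith("#") or len(f) < 10:
            continue
        yield {"ts": datetime.strptime(f[0], "%Y-%m-%d %H:%M:%S"), "src": f[1], "dst": f[2],
               "dir": f[3], "method": f[4], "host": f[5], "uri": f[6],
               "status": int(f[8]) if f[8].isdigit() else None}

def correlate(text):
    """Pair each request with the next response seen on the same (client, server) pair."""
    pending, exchanges = defaultdict(deque), []
    for rec in parse(text):
        if rec["dir"] == ">":
            pending[(rec["src"], rec["dst"])].append(rec)
        elif rec["dir"] == "<" and pending.get((rec["dst"], rec["src"])):
            req = pending[(rec["dst"], rec["src"])].popleft()
            exchanges.append({**req, "status": rec["status"],
                              "latency": (rec["ts"] - req["ts"]).total_seconds()})
    # Requests still pending were never answered within the capture
    exchanges += [{**r, "status": None, "latency": None} for q in pending.values() for r in q]
    return exchanges

def find_issues(text, slow_after=2.0):
    """Bucket exchanges into the failure classes listed under Common SOA Issues."""
    issues = defaultdict(list)
    for ex in correlate(text):
        label = f'{ex["method"]} {ex["host"]}{ex["uri"]}'
        if ex["status"] is None:
            issues["no_response"].append(label)    # timeout or dropped call
        elif ex["status"] in (401, 403):
            issues["auth_failure"].append(label)   # e.g. expired token
        elif ex["status"] >= 500:
            issues["server_error"].append(label)
        if ex["latency"] is not None and ex["latency"] >= slow_after:
            issues["slow"].append(label)
    return dict(issues)
```

Run `find_issues(open("api-status.log").read())` on a real httpry log written with the default format to get the same buckets.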