Tools for Tracking Server-to-Server Calls in SOA Architectures

1. Summary

Provides general use notes for tracking down server-to-server calls when debugging SOA architectures.

2. Tools

2.1. tcpdump

The foundational packet capture tool available on virtually all Unix-like systems. Best for low-level network analysis and capturing raw traffic.

2.1.1. Basic Usage for HTTP Traffic

# Capture HTTP traffic on port 80
tcpdump -i any -A -s 0 'tcp port 80'

# Monitor communication with a specific host. On 443 the payload is TLS
# ciphertext, so -A shows nothing readable; the connection metadata
# (handshakes, resets, timing) is still useful
tcpdump -i any -A -s 0 'host api.example.com and port 443'

# Save capture for later analysis
tcpdump -i any -w capture.pcap 'tcp port 8080'

# Read from saved capture
tcpdump -r capture.pcap -A

2.1.2. Filtering by Port and Host

# Multiple ports
tcpdump -i any 'port 80 or port 443 or port 8080'

# Specific source and destination
tcpdump -i any 'src 10.0.1.5 and dst port 9000'

# Exclude SSH traffic (e.g. your own session) to reduce noise
tcpdump -i any 'not port 22'

# Filter by network segment
tcpdump -i any 'net 192.168.1.0/24 and port 80'

2.1.3. When to Use

  • Need complete packet capture for deep inspection
  • Troubleshooting connection-level issues (TCP handshakes, retransmissions)
  • Creating captures for offline analysis with Wireshark
  • Working on systems without specialized HTTP tools

2.2. ngrep

Network grep - pattern matching for packet payloads. Ideal for real-time monitoring of HTTP requests with familiar grep-like syntax.

2.2.1. Pattern Matching HTTP Requests

# Match specific API endpoint
ngrep -q -W byline 'GET /api/users' port 80

# Case-insensitive search for POST requests
ngrep -q -i 'POST' port 8080

# Match JSON payloads containing specific keys
ngrep -q '"user_id"' port 3000

# Monitor authentication headers (plaintext HTTP only; on 443 the payload is
# TLS-encrypted and the pattern never matches, use mitmproxy for HTTPS instead)
ngrep -q 'Authorization:' port 80

2.2.2. Real-Time Monitoring

# Monitor all HTTP traffic with clean output
ngrep -d any -q -W byline port 80

# Track requests to specific service
ngrep -d any -q 'Host: auth-service' port 80

# Watch for error responses
ngrep -q '500 Internal Server Error' port 80

# Monitor API calls with timestamps
ngrep -qt -W byline 'api' port 8080

2.2.3. When to Use

  • Quick inspection of HTTP request/response content
  • Searching for specific patterns in API calls
  • Debugging authentication or header issues
  • Real-time monitoring during load tests
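Anything ngrep shows for 'Authorization:' or 'Cookie:' is a live credential, so output saved from a session is itself sensitive. The following is an added example, not part of the original notes or the ngrep project: a Python script that parses saved `ngrep -q -W byline` output into structured request and response records and redacts credential-bearing header values before the records are logged or shared. The sample output is constructed, and the assumed layout (a `T src:port -> dst:port [flags]` header line followed by payload lines in which ngrep prints a '.' where each CR was) should be checked against your ngrep version.

```python
import re

# Constructed sample in the shape of `ngrep -q -W byline port 80` output (assumed layout:
# a "T src:port -> dst:port [flags]" header line, then the payload one line at a time,
# with the "." that ngrep prints in place of each CR).
SAMPLE_NGREP = """\
T 10.0.1.5:51234 -> 10.0.1.8:80 [AP]
GET /api/users/42 HTTP/1.1.
Host: user-service.
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.token.
Accept: application/json.
.

T 10.0.1.5:51236 -> 10.0.1.8:80 [AP]
POST /api/orders HTTP/1.1.
Host: order-service.
Cookie: session=abc123constructed; theme=dark.
Content-Type: application/json.
.
{"user_id": 42, "sku": "X-1"}

T 10.0.1.8:80 -> 10.0.1.5:51236 [AP]
HTTP/1.1 500 Internal Server Error.
Content-Type: text/plain.
.
"""

HEADER_RE = re.compile(r"^([TU]) (\S+):(\d+) -> (\S+):(\d+) \[(\w*)\]")
# Header names whose values are credentials and must never end up in a shared log.
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}


def _strip_cr(line):
    """Drop the single trailing '.' that byline mode prints where the CR was."""
    return line[:-1] if line.endswith(".") else line


def parse_ngrep_byline(text):
    """Group output into one block per matched packet: flow addresses plus raw payload lines."""
    blocks, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"proto": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                       "dst": m.group(4), "dport": int(m.group(5)), "lines": []}
            blocks.append(current)
        elif current is not None and line:
            current["lines"].append(line)
    return blocks


def split_message(lines):
    """Split payload lines into (start line, header dict, body lines).
    A lone '.' is the empty line that separates headers from the body."""
    if not lines:
        return "", {}, []
    headers, i = {}, 1
    while i < len(lines) and lines[i] != ".":
        name, _, value = _strip_cr(lines[i]).partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    return _strip_cr(lines[0]), headers, lines[i + 1:]


def redact(headers):
    """Copy of headers with credential values replaced; the auth scheme (Bearer, Basic)
    is kept so the record still shows what kind of credential was sent."""
    out = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE:
            scheme, sep, _ = value.partition(" ")
            keep_scheme = sep and name.lower().endswith("authorization")
            out[name] = (scheme + " " if keep_scheme else "") + "[REDACTED]"
        else:
            out[name] = value
    return out


def messages_from_ngrep(text):
    """Structured, credential-redacted records for every HTTP message in the capture."""
    records = []
    for blk in parse_ngrep_byline(text):
        start, headers, body = split_message(blk["lines"])
        rec = {"src": f'{blk["src"]}:{blk["sport"]}', "dst": f'{blk["dst"]}:{blk["dport"]}',
               "host": headers.get("Host", ""),
               "has_credentials": any(h.lower() in SENSITIVE for h in headers),
               "headers": redact(headers), "body_lines": len(body)}
        parts = start.split(" ")
        if start.startswith("HTTP/"):          # status line: HTTP/1.1 500 Internal Server Error
            rec.update(kind="response", status=parts[1] if len(parts) > 1 else "")
        else:                                  # request line: METHOD path HTTP/x
            rec.update(kind="request", method=parts[0], path=parts[1] if len(parts) > 1 else "")
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in messages_from_ngrep(SAMPLE_NGREP):
        print(rec)
```

In practice you would redirect a session (`ngrep -q -W byline port 80 > session.txt`) and feed the file to messages_from_ngrep; the has_credentials flag tells you which calls carried a token without keeping the token itself.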

2.3. httpry

HTTP-specific packet sniffer designed for logging and analyzing HTTP traffic. Provides structured, field-oriented output tailored to the HTTP protocol.

2.3.1. HTTP-Specific Analysis

# Basic HTTP traffic logging
httpry -i any

# Monitor specific interface with formatted output
httpry -i eth0 -o http.log

# Filter by HTTP method
httpry -m get,post -i any

# Parse specific fields
httpry -i any -f source-ip,dest-ip,request-uri,status-code

2.3.2. Request/Response Logging

# Log all requests with timestamps
httpry -i any -t -o requests.log

# Monitor POST requests only
httpry -i any -m post -o post-traffic.log

# Track API responses by status code
httpry -i any -f timestamp,host,request-uri,status-code -o api-status.log

# Follow specific host
httpry -i any 'host api.internal.com'

2.3.3. When to Use

  • Need HTTP-specific metrics and logging
  • Analyzing API usage patterns
  • Debugging REST API calls between services
  • Creating structured logs for analysis

3. Modern Alternatives

3.1. Wireshark / tshark

GUI and CLI versions of the most powerful packet analyzer. Excellent for deep protocol analysis.

# Command-line equivalent
tshark -i any -f "tcp port 80" -Y "http.request"

3.2. mitmproxy

Interactive HTTPS proxy with powerful inspection and modification capabilities.

# Transparent proxy mode
mitmproxy --mode transparent --showhost

3.3. httpie + logging

For controlled API testing with human-readable output.

3.4. Docker container inspection

When debugging containerized SOA:

# Monitor container network traffic (tcpdump must be present in the container image)
docker exec <container> tcpdump -i any -A port 80

4. Debugging Workflow

4.1. Identify the Problem Scope

  • Which services are involved?
  • What protocol (HTTP, HTTPS, gRPC)?
  • Is this intermittent or consistent?

4.2. Choose Your Tool

  • tcpdump: Connection issues, need raw packets, creating captures
  • ngrep: Quick content inspection, pattern matching
  • httpry: HTTP-specific analysis, structured logging
  • mitmproxy: HTTPS inspection, request modification
  • Wireshark: Complex protocol analysis, GUI needed

4.3. Capture Strategy

# Start broad, then narrow
tcpdump -i any -w full-capture.pcap 'port 8080'

# Filter to specific conversation
tcpdump -i any 'host 10.0.1.5 and host 10.0.1.8'

# Real-time monitoring with ngrep
ngrep -q -W byline 'api' port 8080

4.4. Analysis Techniques

  • Look for missing requests (expected calls not happening)
  • Check response codes and timings
  • Verify request headers (Authorization, Content-Type)
  • Examine payload structure
  • Identify network-level issues (retransmissions, resets)
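The status-code and missing-request checks above can be run offline against the structured logs httpry writes (section 2.3). The following is an added example, not part of the original notes or the httpry project: a Python script that parses tab-separated lines in httpry's default field order (timestamp, source-ip, dest-ip, direction, method, host, request-uri, http-version, status-code, reason-phrase; that order is an assumption, so adjust FIELDS if you log with a custom -f format), pairs each request with the next response on the reverse address pair, and reports status counts per endpoint, 5xx responses, requests that never received a response, and expected endpoints that never appeared at all. The log lines are constructed.

```python
from collections import Counter, defaultdict, deque

# Assumed httpry default field order; change to match a custom -f format.
FIELDS = ("timestamp", "source_ip", "dest_ip", "direction", "method",
          "host", "request_uri", "http_version", "status_code", "reason_phrase")

# Constructed sample log. '>' is a client->server request, '<' a server->client response.
SAMPLE_LOG = """\
2024-01-15 10:23:45\t10.0.1.5\t10.0.1.8\t>\tGET\tauth-service\t/api/token\tHTTP/1.1\t-\t-
2024-01-15 10:23:45\t10.0.1.8\t10.0.1.5\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
2024-01-15 10:23:46\t10.0.1.5\t10.0.1.9\t>\tGET\tuser-service\t/api/users/42\tHTTP/1.1\t-\t-
2024-01-15 10:23:46\t10.0.1.9\t10.0.1.5\t<\t-\t-\t-\tHTTP/1.1\t500\tInternal Server Error
2024-01-15 10:23:47\t10.0.1.5\t10.0.1.9\t>\tPOST\tuser-service\t/api/users\tHTTP/1.1\t-\t-
2024-01-15 10:23:50\t10.0.1.5\t10.0.1.8\t>\tGET\tauth-service\t/api/token\tHTTP/1.1\t-\t-
2024-01-15 10:23:50\t10.0.1.8\t10.0.1.5\t<\t-\t-\t-\tHTTP/1.1\t401\tUnauthorized
"""


def parse_httpry(text):
    """Parse tab-separated httpry-style lines into dicts; skips blank, comment and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than guess at the fields
        records.append(dict(zip(FIELDS, parts)))
    return records


def correlate(records):
    """Pair each request with the next response seen on the reverse (server->client) flow.
    Matching by address pair in FIFO order is exact for a single connection and a good
    approximation for counting when several connections share the same two hosts."""
    pending = defaultdict(deque)  # (client, server) -> requests still waiting for a response
    pairs = []
    for rec in records:
        if rec["direction"] == ">":
            pending[(rec["source_ip"], rec["dest_ip"])].append(rec)
        elif rec["direction"] == "<":
            key = (rec["dest_ip"], rec["source_ip"])
            if pending[key]:
                pairs.append((pending[key].popleft(), rec))
    unanswered = [req for queue in pending.values() for req in queue]
    return pairs, unanswered


def status_by_endpoint(pairs):
    """Count response status codes per (host, request-uri)."""
    table = defaultdict(Counter)
    for req, resp in pairs:
        table[(req["host"], req["request_uri"])][resp["status_code"]] += 1
    return {endpoint: dict(counts) for endpoint, counts in table.items()}


def missing_expected(records, expected):
    """Expected (host, uri) endpoints that never appear as a request: the call is not happening."""
    seen = {(r["host"], r["request_uri"]) for r in records if r["direction"] == ">"}
    return sorted(set(expected) - seen)


def analyze(text, expected=()):
    """Run all checks over one log and return a single summary dict."""
    records = parse_httpry(text)
    pairs, unanswered = correlate(records)
    return {
        "status_by_endpoint": status_by_endpoint(pairs),
        "server_errors": [(req["method"], req["host"], req["request_uri"], resp["status_code"])
                          for req, resp in pairs if resp["status_code"].startswith("5")],
        "unanswered": [(r["method"], r["host"], r["request_uri"]) for r in unanswered],
        "never_called": missing_expected(records, expected),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(analyze(SAMPLE_LOG, expected=[("auth-service", "/api/token"),
                                         ("order-service", "/api/orders")]))
```

Feed it the file written by `httpry -i any -o api-status.log`, with FIELDS adjusted to the -f format you used; an unanswered POST in the output is the place to start looking at timeouts, and a never_called endpoint points at service discovery or routing rather than at the callee.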

4.5. Common SOA Issues

  • Service discovery failures (wrong host/port)
  • Authentication token expiry
  • Timeout misconfigurations
  • Load balancer routing problems
  • API version mismatches