I was able to capture raw request in Node.js using source below.

var http = require('http');
var express = require('express');

var remote = express();
remote.use(function(req, res, next) {
  req.socket.once('data', function(data) {
    console.log(data.toString());
  });
  next();
});

remote.use(function(req, res, next) {
  res.end('end');
});

http.createServer(remote).listen(8080);

But this source could capture raw request after(including) the second request because the first request was consumed before binding event handler. If a client do not use keep alive, I cannot capture any request.

How can I capture raw request including first request?

I was able to capture raw request in Node.js using source below.

var http = require('http');
var express = require('express');

var remote = express();
remote.use(function(req, res, next) {
  req.socket.once('data', function(data) {
    console.log(data.toString());
  });
  next();
});

remote.use(function(req, res, next) {
  res.end('end');
});

http.createServer(remote).listen(8080);

But this source could capture raw request after(including) the second request because the first request was consumed before binding event handler. If a client do not use keep alive, I cannot capture any request.

How can I capture raw request including first request?

• javascript
• node.js
• sockets
• express

• What are you actually trying to do? – Matt Harrison Commented Sep 1, 2015 at 20:36
• @MattHarrison I am making small IDS in Node.js importing snort rules. I made snort rule parser, but it makes my work harder. – user3703559 Commented Sep 1, 2015 at 20:47
• Your code as is looks fraught with problems. For us to help you, we need to understand more about what your end goal here is. What are you really trying to acplish? What does the data look like you're trying to process? Why are you using .once()? Start from scratch and describe the actual problem. I'm sure we can help you, but only if you describe in detail the problem you're trying to handle. – jfriend00 Commented Sep 1, 2015 at 20:58
• @jfriend00 I am making a small IDS that detects http requests. My goal is capturing a raw http request including the first one. Half of goal is acplished, since the source avobe can capture raw http requests excluding the first http request on a connection. This could be done by using event of socket in http.IningMessage. And I used .once() to bind event hadler, because using .on() binds surplus same event hadler on one socket. – user3703559 Commented Sep 1, 2015 at 21:33

2 Answers 2

I found a way using 'connection' event on http.Server.

var http = require('http');
var express = require('express');

var remote = express();
remote.use(function(req, res, next) {
  res.end('end');
});

var server = http.createServer(remote);
server.on('connection', function(socket) {
  socket.on('data', function(chunk) {
    console.log(chunk.toString());
  });
});
server.listen(8080);

Hey not sure if you're still having the problem. I recently had to solve this, and I played around with a lot of things and this is what I ended up with:

https://github./vincenzorm117/http-capture/blob/master/index.js

Here is the code just in case the link has any issues:

var PORT = process.env.PORT || 3000

const net = require('net')
const fs = require('fs')

if( !fs.existsSync('./payloads') ) {
    fs.mkdirSync('./payloads');
}

var server = net.createServer((sock) => {
    console.log(`Connected: ${sock.remoteAddress}`)
    let filename = FileName(sock);
    let wstream = fs.createWriteStream(`./payloads/${filename}`);


    sock.on('data', wstream.write.bind(wstream));
    sock.on('end', () => {
        wstream.end();
        delete wstream;
        console.log(`Disconnected: ${sock.remoteAddress}`)
    });

    setTimeout(() => {
        if( !sock.destroyed ) {
            sock.write('HTTP/1.1 200 OK\r\n');
            sock.end();
        }
    }, 3000);
});

server.listen(PORT, 'localhost');



function FileName() {
    var d = new Date(),
    year = d.getFullYear(),
    month = d.getMonth(),
    date = d.getDate();
    hour = d.getHours();
    minutes = d.getMinutes();
    seconds = d.getSeconds();
    if( month < 10 ) month = '0' + month;
    if( date < 10 ) date = '0' + date;
    if( hour < 10 ) hour = '0' + hour;
    if( minutes < 10 ) minutes = '0' + minutes;
    if( seconds < 10 ) seconds = '0' + seconds;
    return `request__${year}-${month}-${date}__${hour}-${minutes}-${seconds}.http`;
}

I was a bit lazy and set the server to kill the connection after 3 seconds instead of parsing the HTTP request. You can update it to 1 second and it should be fine though.