On Wed, 20 Apr 2005, Roth, Kevin P. wrote:

> To answer your second question, yes, I've experimented with the -D option.
> Have you?
>
> By trying a couple of combinations, I'm seeing that -D will dump the
> response headers into a separate file (if "-D filename" is specified) or
> include them as part of stdout (if "-D -" is specified). But it doesn't
> appear to make the request headers available.

>Correct. I've always considered the outgoing (request-) headers to be >mainly
>for debugging and thus they are only displayed with -v or --trace.

>If we were to add the outgoing headers to the -i or -D output, how would >they
>be marked up? Just added without any notification of direction?

>I think it would make the least intrusion and breakage if -i got them, as I
>believe -D is used more widely to store incoming headers separately.

>I'm not 100% convinced yet that this is a good idea.

Curl is widely used in penetration testing. The feature of observing
the HTTP headers (requests and replys) is common practice in testing.
Ethereal have implemented this in the "Follow TCP stream" option.

It is imperitive to view the entire "TCP conversation" as a whole when
scripting. It is virtually impossible to match data when they are
spread over seperate files and the request submission is in the 100s
of line of text. The -i option is almost what is required bar the
missing HTTP request header option. You end up with only half the
headers. They don't need marking up. Just a blank line to seperate
them is sufficient. Anyone with HTTP knowledge can tell the direction
the request is comming from. Algain, the -D option doesn't store the
HTTP Request header, just the response header.

I know that this option has been previously requested by other users
and would be a welcome addition to an excellent tool.
Received on 2005-04-22