Maybe ssldump can help you to some level.
 On Feb 24, 2012 11:22 PM, "J LANCE WILKINSON" <jl...@psu.edu> wrote:

> Wow.  Thanks.  I'll share that w/ my network colleagues.  One of them has
> wanted to use WireShark against this problem, but complained that since
> much of the dialog is SSL encrypted, WireShark has some issues with this
> apparently.   Any guidance on that?
>
> --
> J.Lance Wilkinson ("Lance") InterNet: lance.wilkin...@psu.edu
> Systems Design Specialist - Lead Phone: (814) 865-4870
> Digital Library Technologies FAX: (814) 863-3560
> E3 Paterno Library
> Penn State University
> University Park, PA 16802
>
> ----- Original Message -----
> From: "Tom Evans" <tevans...@googlemail.com>
> To: users@httpd.apache.org
> Sent: Friday, February 24, 2012 7:17:11 AM
> Subject: Re: [users@httpd] Logging ALL cookies on requests from specific IP address range?
>
> On Thu, Feb 23, 2012 at 9:09 PM, J.Lance Wilkinson <jl...@psu.edu> wrote:
> > Apache 2.2.6 on Solaris.
> >
> > We've encountered an issue where cookies seem to be disappearing.  We think
> > it has something to do with a Load Balancer the traffic is passing through.
> >
> > We want to log the cookies being received to try to find out what's going
> > on.
> >
> > I tried adding the following to my configuration to try to see if I *could*
> > capture all the cookies.
> >
> > LogFormat "%h %l %u %t \"%r\" %>s %b \"%{the-cookie-name}C\"" cookies
> >
> > CustomLog           cookies.log cookies
> >
> >
> > What's showing up in this log file is (<ip> & <tstamp> to save wrapping of
> > line) :
> >
> > <ip> - - [<tstamp>] "GET /images/twitter.jpg HTTP/1.0" 200 1014 "-"
> >
> > Does this mean the cookie named "the-cookie-name" did not appear in the
> > request?
>
> Yes.
>
> >
> > I tried getting ALL cookies by using %{*}C and got the same results. I'd
> > like to get ALL the cookies, since we don't know *exactly* what's being
> > dropped.
> >
>
> I wouldn't do it like that. Instead, I would use tcpdump to look at
> the request coming in to the balancer, the request going out of the
> balancer to the backend, the response coming from the backend back to
> the balancer, and the response from the balancer to the client.
>
> However...
>
> You can use the format %{FOO}i and %{FOO}o to examine input and output
> headers respectively, and use that to log the "Cookie" request header,
> and the "Set-Cookie" response header. The downside to this is that
> there are also Cookie2 and Set-Cookie2 headers, so you may need to
> check those also.
>
> Using tcpdump would allow you to generate a dump file which could be
> imported into wireshark, which would completely decode the packets and
> show you the requests and timeline in a clear and easy to understand
> format.
>
> Something like this would produce an appropriate dump in the file
> dump.pcap:
>
> tcpdump -s 0 -i eth0 -w dump.pcap 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
>
> If it is a busy server, you could filter further to just look at one
> client, check out tcpdump man page.
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>   "   from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
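The header-logging approach from the quoted reply, combined with the per-address-range restriction asked for in the subject line, as an added example that is not part of the original thread. It assumes Apache 2.2 with mod_setenvif and mod_log_config loaded; the `192.0.2.` range, the `log_cookies` variable, the `cookiedebug` format name and the log path are placeholders chosen for illustration.

```apache
# Added example, not from the thread.
# Tag requests whose source address falls in the range under investigation.
# 192.0.2.0/24 is a placeholder; substitute the real range.
SetEnvIf Remote_Addr "^192\.0\.2\." log_cookies

# Request side: the Cookie and Cookie2 headers exactly as httpd received them.
# Response side: the Set-Cookie and Set-Cookie2 headers httpd sent back.
# A header that is absent is logged as "-".
LogFormat "%h %t \"%r\" %>s req_cookie=\"%{Cookie}i\" req_cookie2=\"%{Cookie2}i\" set_cookie=\"%{Set-Cookie}o\" set_cookie2=\"%{Set-Cookie2}o\"" cookiedebug

# Write an entry only for requests tagged above.
# Cookie values usually include session identifiers, so keep this file
# readable by administrators only and remove these lines after debugging.
CustomLog logs/cookie-debug.log cookiedebug env=log_cookies
```

If the load balancer opens its own connections to the backend, `Remote_Addr` is the balancer's address rather than the client's, so the pattern has to match the balancer in that case.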
