Maybe ssldump can help you to some level.

On Feb 24, 2012 11:22 PM, "J LANCE WILKINSON" <jl...@psu.edu> wrote:

> Wow. Thanks. I'll share that w/ my network colleagues. One of them has
> wanted to use WireShark against this problem, but complained that since
> much of the dialog is SSL encrypted, WireShark has some issues with this
> apparently. Any guidance on that?
>
> --
> J.Lance Wilkinson ("Lance") InterNet: lance.wilkin...@psu.edu
> Systems Design Specialist - Lead Phone: (814) 865-4870
> Digital Library Technologies FAX: (814) 863-3560
> E3 Paterno Library
> Penn State University
> University Park, PA 16802
>
> ----- Original Message -----
> From: "Tom Evans" <tevans...@googlemail.com>
> To: users@httpd.apache.org
> Sent: Friday, February 24, 2012 7:17:11 AM
> Subject: Re: [users@httpd] Logging ALL cookies on requests from specific IP address range?
>
> On Thu, Feb 23, 2012 at 9:09 PM, J.Lance Wilkinson <jl...@psu.edu> wrote:
> > Apache 2.2.6 on Solaris.
> >
> > We've encountered an issue where cookies seem to be disappearing. We think
> > it has something to do with a Load Balancer the traffic is passing through.
> >
> > We want to log the cookies being received to try to find out what's going
> > on.
> >
> > I tried adding the following to my configuration to try to see if I *could*
> > capture all the cookies.
> >
> > LogFormat "%h %l %u %t \"%r\" %>s %b \"%{the-cookie-name}C\"" cookies
> >
> > CustomLog cookies.log cookies
> >
> >
> > What's showing up in this log file is (<ip> & <tstamp> to save wrapping of
> > line) :
> >
> > <ip> - - [<tstamp>] "GET /images/twitter.jpg HTTP/1.0" 200 1014 "-"
> >
> > Does this mean the cookie named "the-cookie-name" did not appear in the
> > request?
>
> Yes.
>
> >
> > I tried getting ALL cookies by using %{*}C and got the same results. I'd
> > like to get ALL the cookies, since we don't know *exactly* what's being
> > dropped.
> >
>
> I wouldn't do it like that. Instead, I would use tcpdump to look at
> the request coming in to the balancer, the request going out of the
> balancer to the backend, the response coming from the backend back to
> the balancer, and the response from the balancer to the client.
>
> However...
>
> You can use the format %{FOO}i and %{FOO}o to examine input and output
> headers respectively, and use that to log the "Cookie" request header,
> and the "Set-Cookie" response header. The downside to this is that
> there are also Cookie2 and Set-Cookie2 headers, so you may need to
> check those also.
>
> Using tcpdump would allow you to generate a dump file which could be
> imported into wireshark, which would completely decode the packets and
> show you the requests and timeline in a clear and easy to understand
> format.
>
> Something like this would produce an appropriate dump in the file
> dump.pcap:
>
> tcpdump -s 0 -i eth0 -w dump.pcap 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
>
> If it is a busy server, you could filter further to just look at one
> client, check out tcpdump man page.
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> " from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
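
The header-based logging suggested in the quoted reply (`%{FOO}i` and `%{FOO}o`), limited to one address range as the subject line asks, written out as an added example that is not part of the thread. The `192.0.2.0/24` range, the `log_cookies` variable, the `cookie_debug` nickname and the log path are placeholders chosen for illustration.

```apache
# Added example, not configuration from the thread.
# Placeholders: 192.0.2.0/24, log_cookies, cookie_debug, logs/cookie_debug.log

# Mark requests whose peer address falls in the range under investigation.
# If the load balancer proxies connections, httpd sees the balancer's address
# as the peer, so match that address here rather than the original client's.
SetEnvIf Remote_Addr "^192\.0\.2\." log_cookies

# Request side:  Cookie and Cookie2 headers as received by httpd.
# Response side: Set-Cookie and Set-Cookie2 headers as sent by httpd.
# A field logged as "-" means the header was absent on that request/response.
LogFormat "%h %t \"%r\" %>s req-cookie=\"%{Cookie}i\" req-cookie2=\"%{Cookie2}i\" set-cookie=\"%{Set-Cookie}o\" set-cookie2=\"%{Set-Cookie2}o\"" cookie_debug

# Write a line only for requests marked by the SetEnvIf rule above.
CustomLog logs/cookie_debug.log cookie_debug env=log_cookies
```

This log will hold live session cookies, so keep it readable only by administrators and remove the directives once the investigation is finished.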