Igor Cicimov wrote: > Maybe ssldump can help you to some level. I'll pass that on. We're now past that, we know what may be causing the issues, and I've got another query in to this august community in the hopes I can get a solution -- mod_remoteip (retrofit to Apache 2.2) doesn't seem to be working properly, ignoring X-Forwarded-For headers when the forwarded address is a 172.16.0.0/12 network.
> > On Feb 24, 2012 11:22 PM, "J LANCE WILKINSON" <jl...@psu.edu > <mailto:jl...@psu.edu>> wrote: > > Wow. Thanks. I'll share that w/ my network colleagues. One of > them has wanted to use WireShark against this problem, but > complained that since much of the dialog is SSL encrypted, WireShark > has some issues with this apparently. Any guidance on that? > > -- > J.Lance Wilkinson ("Lance") InterNet: lance.wilkin...@psu.edu > <mailto:lance.wilkin...@psu.edu> > Systems Design Specialist - Lead Phone: (814) 865-4870 > <tel:%28814%29%20865-4870> > Digital Library Technologies FAX: (814) 863-3560 > <tel:%28814%29%20863-3560> > E3 Paterno Library > Penn State University > University Park, PA 16802 > > ----- Original Message ----- > From: "Tom Evans" <tevans...@googlemail.com > <mailto:tevans...@googlemail.com>> > To: users@httpd.apache.org <mailto:users@httpd.apache.org> > Sent: Friday, February 24, 2012 7:17:11 AM > Subject: Re: [users@httpd] Logging ALL cookies on requests from > specific IP address range? > > On Thu, Feb 23, 2012 at 9:09 PM, J.Lance Wilkinson <jl...@psu.edu > <mailto:jl...@psu.edu>> wrote: > > Apache 2.2.6 on Solaris. > > > > We've encountered an issue where cookies seem to be disappearing. > We think > > it has something to do with a Load Balancer the traffic is > passing through. > > > > We want to log the cookies being received to try to find out > what's going > > on. > > > > I tried adding the following to my configuration to try to see if > I *could* > > capture all the cookies. > > > > LogFormat "%h %l %u %t \"%r\" %>s %b "%{the-cookie-name}C\"" cookies > > > > CustomLog cookies.log cookies > > > > > > What's showing up in this log file is (<ip> & <tstamp> to save > wrapping of > > line) : > > > > <ip> - - [<tstamp>] "GET /images/twitter.jpg HTTP/1.0" 200 1014 "-" > > > > Does this mean the cookie named "the-cookie-name" did not appear > in the > > request? > > Yes. > > > > > I tried getting ALL cookies by using %{*}C and got the same > results. I'd > > like to get ALL the cookies, since we don't know *exactly* what's > being > > dropped. > > > > I wouldn't do it like that. Instead, I would use tcpdump to look at > the request coming in to the balancer, the request going out of the > balancer to the backend, the response coming from the backend back to > the balancer, and the response from the balancer to the client. > > However... > > You can use the format %{FOO}i and %{FOO}o to examine input and output > headers respectively, and use that to log the "Cookie" request header, > and the "Set-Cookie" response header. The downside to this is that > there are also Cookie2 and Set-Cookie2 headers, so you may need to > check those also. > > Using tcpdump would allow you to generate a dump file which could be > imported into wireshark, which would completely decode the packets and > show you the requests and timeline in a clear and easy to understand > format. > > Something like this would produce an appropriate dump in the file > dump.pcap: > > tcpdump -s 0 -i eth0 -w dump.pcap 'tcp port 80 and (((ip[2:2] - > ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' > > If it is a busy server, you could filter further to just look at one > client, check out tcpdump man page. > > Cheers > > Tom > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server > Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > <mailto:users-unsubscr...@httpd.apache.org> > " from the digest: users-digest-unsubscr...@httpd.apache.org > <mailto:users-digest-unsubscr...@httpd.apache.org> > For additional commands, e-mail: users-h...@httpd.apache.org > <mailto:users-h...@httpd.apache.org> > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server > Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > <mailto:users-unsubscr...@httpd.apache.org> > " from the digest: users-digest-unsubscr...@httpd.apache.org > <mailto:users-digest-unsubscr...@httpd.apache.org> > For additional commands, e-mail: users-h...@httpd.apache.org > <mailto:users-h...@httpd.apache.org> > -- J.Lance Wilkinson ("Lance") InterNet: lance.wilkin...@psu.edu Systems Design Specialist - Lead Phone: (814) 865-4870 Digital Library Technologies FAX: (814) 863-3560 E3 Paterno Library Penn State University University Park, PA 16802 --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org