Re: Logging ALL cookies on requests from specific IP address range?

Wow.  Thanks.  I'll share that w/ my network colleagues.  One of them has wanted to use WireShark against this problem, but complained that since much of the dialog is SSL encrypted, WireShark has some issues with this apparently.   Any guidance on that?

-- 
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@xxxxxxx 
Systems Design Specialist - Lead Phone: (814) 865-4870 
Digital Library Technologies FAX: (814) 863-3560 
E3 Paterno Library 
Penn State University 
University Park, PA 16802 

----- Original Message -----
From: "Tom Evans" <tevans.uk@xxxxxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Sent: Friday, February 24, 2012 7:17:11 AM
Subject: Re:  Logging ALL cookies on requests from specific IP address range?

On Thu, Feb 23, 2012 at 9:09 PM, J.Lance Wilkinson <jlw12@xxxxxxx> wrote:
> Apache 2.2.6 on Solaris.
>
> We've encountered an issue where cookies seem to be disappearing.  We think
> it has something to do with a Load Balancer the traffic is passing through.
>
> We want to log the cookies being received to try to find out what's going
> on.
>
> I tried adding the following to my configuration to try to see if I *could*
> capture all the cookies.
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{the-cookie-name}C\"" cookies
>
> CustomLog           cookies.log cookies
>
>
> What's showing up in this log file is (<ip> & <tstamp> to save wrapping of
> line) :
>
> <ip> - - [<tstamp>] "GET /images/twitter.jpg HTTP/1.0" 200 1014 "-"
>
> Does this mean the cookie named "the-cookie-name" did not appear in the
> request?

Yes.

>
> I tried getting ALL cookies by using %{*}C and got the same results. I'd
> like to get ALL the cookies, since we don't know *exactly* what's being
> dropped.
>

I wouldn't do it like that. Instead, I would use tcpdump to look at
the request coming in to the balancer, the request going out of the
balancer to the backend, the response coming from the backend back to
the balancer, and the response from the balancer to the client.

However...

You can use the format %{FOO}i and %{FOO}o to examine input and output
headers respectively, and use that to log the "Cookie" request header,
and the "Set-Cookie" response header. The downside to this is that
there are also Cookie2 and Set-Cookie2 headers, so you may need to
check those also.

Using tcpdump would allow you to generate a dump file which could be
imported into wireshark, which would completely decode the packets and
show you the requests and timeline in a clear and easy to understand
format.

Something like this would produce an appropriate dump in the file dump.pcap:

tcpdump -s 0 -i eth0 -w dump.pcap 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

If it is a busy server, you could filter further to just look at one
client, check out tcpdump man page.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
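
The %{FOO}i / %{FOO}o suggestion from the reply above, written out as an httpd 2.2 configuration limited to one client address range as the subject line asks (an added example, not part of either poster's message). The address range, the log_cookies variable name, the cookiedebug format name and the log file name are assumptions; when httpd itself terminates SSL, these headers are logged after decryption, so this also covers traffic that a packet capture shows only as ciphertext.

```apache
# Added example. Assumed values: 192.0.2.0/24 as the range of interest,
# the variable name log_cookies, and the log file name.

# Mark requests whose client address falls in the range under investigation.
SetEnvIf Remote_Addr "^192\.0\.2\." log_cookies

# If the load balancer replaces the client address and adds X-Forwarded-For
# (an assumption about the balancer), match on that header instead:
# SetEnvIf X-Forwarded-For "(^|, *)192\.0\.2\." log_cookies

# %{...}i logs a request header as received, %{...}o a response header as sent.
# Cookie2 / Set-Cookie2 are included because the reply notes they may be in use.
LogFormat "%h %t \"%r\" %>s req-cookie=\"%{Cookie}i\" req-cookie2=\"%{Cookie2}i\" set-cookie=\"%{Set-Cookie}o\" set-cookie2=\"%{Set-Cookie2}o\"" cookiedebug

# Write an entry only for requests that were marked above.
CustomLog logs/cookies-debug.log cookiedebug env=log_cookies
```

The resulting file holds live session cookies, so restrict who can read it and remove the directives once the missing cookie has been traced.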

