Home  »  Software  »  HTTP Packet Capturing to debug Apache

by 4 comments

This article is a quick and easy HowTo detailing the use of Wireshark or another network sniffing program to debug your Apache .htaccess or httpd.conf files.

First some shell based tools.

wget -S --spider URLlynx -head -dump URLcurl -I URLHEAD URLGET -de URLw3m -dump_head URLsiege -g URL

Set Your Capture-filter to tcp port 80 and then start capturing. Use any of the following display filters to view the data you want.

Display Filters

HTTP Display Filter Options

  • http.accept String Accept
  • http.accept_encoding String Accept Encoding
  • http.accept_language String Accept-Language
  • http.authbasic String Credentials
  • http.authorization String Authorization
  • http.cache_control String Cache-Control
  • http.connection String Connection
  • http.content_encoding String Content-Encoding
  • http.content_length Unsigned 32-bit integer Content-Length
  • http.content_type String Content-Type
  • http.cookie String Cookie
  • String Date
  • String Host
  • http.last_modified String Last-Modified
  • http.location String Location
  • http.notification Boolean Notification
  • http.proxy_authenticate String Proxy-Authenticate
  • http.proxy_authorization String Proxy-Authorization
  • http.referer String Referer
  • http.request Boolean Request
  • http.request.method String Request Method
  • http.request.uri String Request URI
  • http.request.version String Request Version
  • http.response Boolean Response
  • http.response.code Unsigned 16-bit integer Response Code
  • http.server String Server
  • http.set_cookie String Set-Cookie
  • http.transfer_encoding String Transfer-Encoding
  • http.user_agent String User-Agent
  • http.www_authenticate String WWW-Authenticate
  • http.x_forwarded_for String X-Forwarded-For

View All HTTP trafic


View all flash video stuff

http.request.uri contains "flv" or http.request.uri contains "swf" or http.content_type contains "flash" or http.content_type contains "video"

Show non-google cache-control

http.cache_control != "private, x-gzip-ok="""
(((((http.cache_control != "private, x-gzip-ok=""") && !(http.cache_control == "no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private")) && !(http.cache_control == "max-age=0, no-store")) && !(http.cache_control == "private")) && !(http.cache_control == "no-cache")) && !(http.cache_control == "no-transform")

Show only certain responses

#404: page not found
http.response.code == 404
#200: OK
http.response.code == 200

Show only certain HTTP methods

http.request.method == "POST" || http.request.method == "PUT"

Show only filetypes that begin with "text"

http.content_type[0:4] == "text"

Show only javascript

http.content_type contains "javascript"

Show all http with content-type="image/(gif|jpeg|png|etc)"

http.content_type[0:5] == "image"

Show all http with content-type="image/gif"

http.content_type == "image/gif"

Do not show content http, only headers

http.response !=0 || http.request.method != "TRACE"

Setting HTTP Preferences

Reassemble HTTP headers spanning multiple TCP segments:

When this preference is enabled, then the HTTP dissector will reassemble the HTTP header if it has been transmitted over more than one TCP segment. Although it is unusual for headers span multiple segments, it's not impossible, and this should be checked if you expect to view the contents of the HTTP conversation.

Reassemble HTTP bodies spanning multiple TCP segments:

When this preference is enabled, then the HTTP dissector will reassemble the HTTP body if it has been transmitted over more than one TCP segment. All but the smallest of responses will span multiple segments, so this preference should be checked if you expect to view the contents of the HTTP conversation.See TCP Reassembly for an example on how to use this to extract JPEG images from a capture.

Reassemble chunked transfer-coded bodies:

When this preference is enabled, any chunked transfer-coding response spanning multiple segments will be decoded and the payload (the body of the response) will be added to the protocol tree. This happens automatically for one segment responses.

Uncompress entity bodies:

Enable this preference if gzip or deflate encoded (compressed) HTTP entities should be decoded. This allows the visualisation of the compressed data, and possibly the dissection of it.


January 23rd, 2007

Comments Welcome

Popular Articles
My Online Tools

Related Articles
Newest Posts

  • @askapache · Jul 21
    Magic spells for sending thoughts across time? Books
  • @askapache · Jul 20
    TV is just a relic of the previous generation. We just don't know it yet.
  • @askapache · Jul 20
    I will never go back on my ideals, no matter the cost. I'll never let the economic vultures steal my dreams. I'd rather give up the ghost
  • @askapache · Jul 18
    I don't want a better seat, I want control of the engine
  • @askapache · Jul 14
    No matter how good u r, there will always be someone 2x, 5x, 100x better. This is true for me and everyone. No direction but forward.
  • @askapache · Jul 12
    Heads up, I'll DDoS the f out of askapache next week, to see how resilient it really is :) - will try to overflow disk, net, and ip stack
  • RUN GCC! This is a typical shirt I wear, from the  shop. A clerk at the LQ recognized it! 
  • Merlin the Magician 
  • ROGUE CODE - Latest novel from @markrussinovich 
  • RTFM - surprisingly very helpful and way more comprehensive than it looks! @redteamfieldman #pwnAllTheThings 
  • Dear Hacker - Letters to the Editor of 2600, from Emmanuel Goldstein 
  • The Mythical Man-Month - Essays on Software Engineering, by Frederick P. Brooks, Jr. 
  • "where wizards stay up late" - The Origins of the Internet. Favorite book detailing the birth of the net and IMPs 
  • ZERO DAY - read before Trojan horse 
  • Trojan Horse, a novel! 
  • The Hacker Playbook - very nice high level overview of attacks 
  • Clean Code - A Handbook of Agile Software Craftsmanship 
  • Secrets of the JavaScript Ninja - By my absolute favorite JS hacker John Resig! 
  • Hacking Exposed 7: Network Security Secrets & SolutionsMy all time favorite, basic but thorough and accurate. 
  • Empty words will be no surrogate for cold resolve. Pain is nothing. 

Hacking and Hackers

The use of "hacker" to mean "security breaker" is a confusion on the part of the mass media. We hackers refuse to recognize that meaning, and continue using the word to mean someone who loves to program, someone who enjoys playful cleverness, or the combination of the two. See my article, On Hacking.
-- Richard M. Stallman


It's very simple - you read the protocol and write the code. -Bill Joy

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group. POSIX ® is a registered Trademark of The IEEE.

| Google+ | askapache

Site Map | Contact Webmaster | License and Disclaimer | Terms of Service

↑ TOPMain