
Apache server shows multiple POST requests, Wireshark shows none. Why?


I have an Apache access log showing that multiple POST requests were sent to it and they all succeeded with a return code of 200. When I look at the Wireshark trace, I don't see anything except the certificate authentications. What am I missing here? Why don't I see the POST activity?

The Wireshark trace is at: http://cloudshark.org/captures/b97dc3a7b311?filter=ip.addr%20%3D%3D%20192.168.5.103

The Apache access log entries are:

192.168.5.103 - - [16/Jul/2012:11:07:31 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290    
192.168.5.103 - - [16/Jul/2012:11:07:50 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290    
192.168.5.103 - - [16/Jul/2012:11:07:55 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290    
192.168.5.103 - - [16/Jul/2012:11:08:20 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290    
192.168.5.103 - - [16/Jul/2012:11:08:25 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290
192.168.5.103 - - [16/Jul/2012:11:08:51 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290    
192.168.5.103 - - [16/Jul/2012:11:08:56 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290    
192.168.5.103 - - [16/Jul/2012:11:09:21 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290    
192.168.5.103 - - [16/Jul/2012:11:09:26 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290

asked 16 Jul '12, 11:55

tcoder

edited 16 Jul '12, 11:59


One Answer:


The timestamps in the capture file do not match those in the Apache log.

minutes in the capture xx:23:xx
minutes in the logs xx:07:xx - xx:09:xx

So, either there is a time difference between the Apache server and the capturing machine, or you are analyzing the wrong capture file.

I assume the latter, as you can't see the POST requests (no TLS Application Data in the capture file).

Regards
Kurt

answered 16 Jul '12, 12:28

Kurt Knochner ♦

edited 16 Jul '12, 12:29
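
The timestamp comparison made in the answer above can be scripted when a log and a capture need to be correlated. This is an added example, not part of the original thread; the capture window is constructed (the page only gives minute 23, so its date, hour, seconds and time zone are assumptions), as is the 5-second skew tolerance.

```python
from datetime import datetime, timedelta, timezone
import re

# Access-log lines copied from the question (first and last entries).
LOG_LINES = [
    '192.168.5.103 - - [16/Jul/2012:11:07:31 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290',
    '192.168.5.103 - - [16/Jul/2012:11:09:26 -0700] "POST /support/electronic/itssdr/IESproxy.wss HTTP/1.0" 200 11290',
]

# Constructed capture window: only "minute 23" comes from the page; the
# date, hour, seconds and zone are assumptions for illustration.
PDT = timezone(timedelta(hours=-7))
CAPTURE_START = datetime(2012, 7, 16, 11, 23, 5, tzinfo=PDT)
CAPTURE_END = datetime(2012, 7, 16, 11, 23, 50, tzinfo=PDT)

STAMP = re.compile(r'\[([^\]]+)\]\s+"(\S+)')

def parse_log(lines):
    """Return (timezone-aware timestamp, HTTP method) for each parsable line."""
    out = []
    for line in lines:
        m = STAMP.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            out.append((ts, m.group(2)))
    return out

def correlate(entries, start, end, max_skew=timedelta(seconds=5)):
    """Compare log times with the capture window.

    Returns (inside, gap): how many entries fall in the window (allowing
    max_skew of clock drift) and the smallest distance of any entry from it.
    """
    inside, gap = 0, None
    for ts, _ in entries:
        if start - max_skew <= ts <= end + max_skew:
            inside, dist = inside + 1, timedelta(0)
        else:
            dist = start - ts if ts < start else ts - end
        gap = dist if gap is None or dist < gap else gap
    return inside, gap

if __name__ == "__main__":
    inside, gap = correlate(parse_log(LOG_LINES), CAPTURE_START, CAPTURE_END)
    print(f"log entries inside capture window: {inside}")
    print(f"closest entry is {gap} away from the capture")
```

Zero entries inside the window with a gap of many minutes points to the wrong capture file or a large clock difference between the two machines; a small, constant gap across all entries points to ordinary clock skew.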