This is our old Q&A Site. Please post any new questions and answers at

There is a sporadic issue I'm troubleshooting and I'm somewhat new to detailed capture filtering. I ran a tcpdump on a loadbalancer, and analyzing the pcap file output produced, we are looking to find a forwarded request to servers in a pool from the load balancer. The end client is getting sporadic 404 not found errors, and they appear to be coming from the pool members, based on logs, but we need to prove that and find out why it's happening. We suspect it is because the forwarded URI is malformed leaving the load balancer going to the pool members, but I can't seem to filter properly to see if that's true or not. They are https requests, but should be unencrypted between the LB and pool hosts. I need to know how to find out what the URI looks like going to the pool members and anything about the 404 errors coming back. Can someone assist?

asked 07 Mar '17, 10:58

aj1's gravatar image

accept rate: 0%

You can try to filter for the response codes you're looking for, in your case 404:


If there are non-encrypted HTTP requests/replies in your capture you should be able to see them. After that you can use the popup menu on each of the resulting packets and "Follow TCP stream" to see a whole conversation, inclusing the HTTP request.

If the filter doesn't give you any results you can try


to check if there are any response codes in clear text at all. If not, you probably do not have HTTP connections in your capture.

permanent link

answered 07 Mar '17, 12:05

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 07 Mar '17, 10:58

question was seen: 7,635 times

last updated: 07 Mar '17, 12:05

p​o​w​e​r​e​d by O​S​Q​A