There is a sporadic issue I'm troubleshooting and I'm somewhat new to detailed capture filtering. I ran a tcpdump on a load balancer, and analyzing the pcap file output produced, we are looking to find a forwarded request to servers in a pool from the load balancer. The end client is getting sporadic 404 Not Found errors, and they appear to be coming from the pool members, based on logs, but we need to prove that and find out why it's happening. We suspect it is because the forwarded URI is malformed leaving the load balancer going to the pool members, but I can't seem to filter properly to see if that's true or not. They are HTTPS requests, but should be unencrypted between the LB and pool hosts. I need to know how to find out what the URI looks like going to the pool members and anything about the 404 errors coming back. Can someone assist?

asked 07 Mar '17, 10:58 aj1
One Answer:
You can try to filter for the response codes you're looking for, in your case 404:
If there are non-encrypted HTTP requests/replies in your capture you should be able to see them. After that you can use the popup menu on each of the resulting packets and "Follow TCP stream" to see a whole conversation, including the HTTP request. If the filter doesn't give you any results you can try
to check if there are any response codes in clear text at all. If not, you probably do not have HTTP connections in your capture.

answered 07 Mar '17, 12:05 Jasper ♦♦
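
An added example, not part of the question or the answer above: given the two directions of one cleartext conversation between the load balancer and a pool member (the bytes "Follow TCP stream" shows), this Python script pairs each request with its response and lists the URIs that drew a 404, with basic malformation checks. The function names, the `pool.example` host and the sample bytes are constructed for illustration; it assumes Content-Length framing on a single keep-alive connection.

```python
import re

def split_messages(stream: bytes):
    """Yield (start_line, headers) per HTTP/1.x message in one stream direction.
    Assumption: Content-Length framing (no chunked bodies, no HEAD responses)."""
    pos = 0
    while (end := stream.find(b"\r\n\r\n", pos)) != -1:
        head = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield head[0], headers
        pos = end + 4 + int(headers.get("content-length", 0))  # skip the body

def uri_problems(uri: str):
    """Cheap sanity checks on the request-target the pool member received."""
    problems = []
    if not uri.startswith("/"):
        problems.append("not origin-form")
    elif "//" in uri.split("?", 1)[0]:
        problems.append("empty path segment")
    if re.search(r"[\s\x00-\x1f\x7f-\xff]", uri):
        problems.append("unencoded byte")
    if re.search(r"%(?![0-9A-Fa-f]{2})", uri):
        problems.append("bad percent-escape")
    return problems

def requests_with_status(to_pool: bytes, from_pool: bytes, status: str = "404"):
    """Pair the n-th request with the n-th response and keep those with `status`."""
    hits = []
    pairs = zip(split_messages(to_pool), split_messages(from_pool))
    for (req, hdrs), (resp, _) in pairs:
        if resp.split(" ")[1:2] == [status]:
            method, _, rest = req.partition(" ")
            uri, _, _version = rest.rpartition(" ")  # keeps spaces inside a bad URI
            hits.append((method, hdrs.get("host", ""), uri, uri_problems(uri)))
    return hits

# Constructed sample: LB -> pool member, then pool member -> LB.
TO_POOL = (b"GET /app/index.html HTTP/1.1\r\nHost: pool.example\r\n\r\n"
           b"GET /app//img/logo.png HTTP/1.1\r\nHost: pool.example\r\n\r\n"
           b"POST /app/login HTTP/1.1\r\nHost: pool.example\r\nContent-Length: 9\r\n\r\nuser=test"
           b"GET /app/report 2017.pdf HTTP/1.1\r\nHost: pool.example\r\n\r\n")
FROM_POOL = (b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
             b"HTTP/1.1 404 Not Found\r\nContent-Length: 9\r\n\r\nNot Found"
             b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
             b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for hit in requests_with_status(TO_POOL, FROM_POOL):
        print(hit)
```

Comparing the flagged URI with what the client originally sent to the load balancer shows whether the rewrite happened on the LB or the request arrived malformed.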