This is a static archive of our old Q&A Site. Please post any new questions and answers at

cookie and query strings



What's a good way to find/locate/identify cookie transactions in the capture? Both for http and https transactions? (I know https should be hidden but I ask/include just for any additional clarification.)

Any idea the general frame/packet size of a cookie, i.e., how often then may exceed a single packet (up to four are possible?)

Query Strings: As I understand query strings, they can serve nearly the same purpose of a cookie thereby replacing them, would there use prevent a sidejacking/hijacking or cookiemonster attack? And can both a query string and cookie be used simultaneously.

I'd like to identify either or both in entirety for a capture.


asked 30 Oct '10, 18:51

bit4byte's gravatar image

accept rate: 0%

2 Answers:


The HTTPS sessions should be encrypted (unless you have applied a decryption key) and therefore you won't be able to use Find or a display filter to locate packets with cookies set.

Try using frame contains "Cookie" as a display filter. You'll see all HTTP traffic that contains a Set-Cookie field. Use frame contains "GET" to locate all the HTTP Get requests.

answered 30 Oct '10, 18:56

lchappell's gravatar image

lchappell ♦
accept rate: 8%

edited 30 Oct '10, 19:00


First some theoretical backgraound:

  • Cookies: Cookies are a way for a HTTP server to store information on the client, which will be presented back to the server in following requests. The purpose is to have a way of maintaining information between the client and the server to simulate a session (http by itself has no notion of sessions, it's just a way to exchange objects).

  • Query Strings: A query string is a way for the client to submit (dynamic) data to the server. Mostly this is done by having a FORM on a webpage that can be filled in and when it's submitted the filled in values are transferred to the server in the "Query String". This can be done with the GET method, in which the query string will be added to the requested URL. Or it can be done with the POST method in which the query string will be sent as HTTP data, after the HTTP headers.

Both Cookies and Query Strings are completely independent of each other, but are widely used together. The way they are used depends on the way the web application has been written.

To filter all requests that contain a cookie, use:

http.cookie contains <cookiename>

To filter for query strings:

http.request.uri contains "?" or http.request.method=="POST"

This of course only works with HTTP as HTTPS traffic is encrypted. However, if you do have access to the private key used on the HTTPS server, you are able to decrypt the HTTPS traffic which makes the HTTP traffic inside the HTTPS traffic visible.

answered 31 Oct '10, 02:25

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%