What's a good way to find/locate/identify cookie transactions in the capture? Both for http and https transactions? (I know https should be hidden but I ask/include just for any additional clarification.)
Any idea the general frame/packet size of a cookie, i.e., how often then may exceed a single packet (up to four are possible?)
Query Strings: As I understand query strings, they can serve nearly the same purpose of a cookie thereby replacing them, would there use prevent a sidejacking/hijacking or cookiemonster attack? And can both a query string and cookie be used simultaneously.
I'd like to identify either or both in entirety for a capture.
asked 30 Oct '10, 18:51
The HTTPS sessions should be encrypted (unless you have applied a decryption key) and therefore you won't be able to use Find or a display filter to locate packets with cookies set.
answered 30 Oct '10, 18:56
edited 30 Oct '10, 19:00
First some theoretical backgraound:
Both Cookies and Query Strings are completely independent of each other, but are widely used together. The way they are used depends on the way the web application has been written.
To filter all requests that contain a cookie, use:
To filter for query strings:
This of course only works with HTTP as HTTPS traffic is encrypted. However, if you do have access to the private key used on the HTTPS server, you are able to decrypt the HTTPS traffic which makes the HTTP traffic inside the HTTPS traffic visible.
answered 31 Oct '10, 02:25