Inspecting FastCGI Packets with Wireshark
Published: January 30, 2019
Recently I needed to do some analysis on FastCGI packets being sent to PHP-FPM.
Wireshark has a page on their wiki titled FastCGI which shows a screenshot of a pcap in Wireshark with detailed FastCGI info.
However, I couldn’t easily figure out from the wiki how to get the same details on my FastCGI pcap.
After reading, re-reading and clicking through Wireshark’s menus I was able to figure it out. Here’s what you need to do:
1. Set FastCGI as an “Enabled Protocol”
In my Wireshark installation this can be done by clicking “Enabled Protocols” under the “Analyze” menu.
Find “FCGI” and make sure it is checked.
2. Configure the FCGI TCP Port
For me this can be done by clicking “Preferences” under the “Wireshark” menu.
Expand the “Protocols” list and scroll down to FCGI. Then set the TCP port value to the port your FastCGI service was running on (in my case 9000).
Click “OK” and voilà, your pcap should now show detailed FastCGI info.
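The details Wireshark shows once the dissector is active come from the 8-byte FastCGI record header and, for PARAMS records, length-prefixed name-value pairs. The Python below is an added example, not part of the original post: it decodes a constructed byte stream the same way, and the function names and sample values are assumptions made for illustration.

```python
import struct

# Record type numbers from the FastCGI 1.0 specification.
TYPES = {1: "BEGIN_REQUEST", 2: "ABORT_REQUEST", 3: "END_REQUEST", 4: "PARAMS",
         5: "STDIN", 6: "STDOUT", 7: "STDERR", 8: "DATA"}

def parse_records(stream):
    """Split a reassembled TCP payload into (type, request_id, content) records."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 8:
            raise ValueError("truncated record header")
        _ver, rtype, req_id, clen, plen = struct.unpack_from("!BBHHBx", stream, pos)
        if len(stream) - pos - 8 < clen:
            raise ValueError("truncated record content")
        records.append((TYPES.get(rtype, str(rtype)), req_id, stream[pos + 8:pos + 8 + clen]))
        pos += 8 + clen + plen          # padding is skipped, not parsed
    return records

def read_len(buf, pos):
    """A length is 1 byte if below 128, else 4 bytes with the high bit set."""
    if pos < len(buf) and buf[pos] < 0x80:
        return buf[pos], pos + 1
    if len(buf) - pos < 4:
        raise ValueError("truncated length field")
    return struct.unpack_from("!I", buf, pos)[0] & 0x7FFFFFFF, pos + 4

def request_params(stream, request_id):
    """Join the PARAMS records of one request, then decode its name-value pairs."""
    body = b"".join(c for t, r, c in parse_records(stream) if (t, r) == ("PARAMS", request_id))
    pairs, pos = {}, 0
    while pos < len(body):
        nlen, pos = read_len(body, pos)
        vlen, pos = read_len(body, pos)
        if len(body) - pos < nlen + vlen:
            raise ValueError("truncated name-value pair")
        name = body[pos:pos + nlen].decode("latin-1")
        pairs[name] = body[pos + nlen:pos + nlen + vlen].decode("latin-1")
        pos += nlen + vlen
    return pairs

# The two helpers below only build the constructed sample (short lengths only in nv).
def record(rtype, req_id, content, pad=0):
    return struct.pack("!BBHHBx", 1, rtype, req_id, len(content), pad) + content + b"\0" * pad
def nv(name, value):
    return bytes([len(name), len(value)]) + name + value

PAIRS = nv(b"SCRIPT_FILENAME", b"/var/www/html/index.php") + nv(b"REQUEST_METHOD", b"GET")
SAMPLE = (record(1, 1, struct.pack("!HB5x", 1, 0)) + record(4, 1, PAIRS[:10], pad=6)
          + record(4, 1, PAIRS[10:]) + record(4, 1, b"") + record(5, 1, b""))
```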