Inspecting FastCGI Packets with Wireshark

Published: January 30, 2019

Recently I needed to do some analysis on FastCGI packets being sent to PHP-FPM.

Wireshark has a page on their wiki titled FastCGI which shows a screenshot of a pcap in Wireshark with detailed FastCGI info.

Image from Wireshark FastCGI Wiki showing pcap with detailed FastCGI info

However, I couldn’t easily figure out from the wiki how to get the same details on my FastCGI pcap.

Screenshot showing a FastCGI pcap in Wireshark without proper FastCGI info

After reading, re-reading and clicking through Wireshark’s menus I was able to figure it out. Here’s what you need to do:

1. Set FastCGI as an “Enabled Protocol”

In my Wireshark installation this can be done by clicking “Enabled Protocols” under the “Analyze” menu.

Find “FCGI” and make sure it is checked.

Wireshark's Enabled Protocols menu

2. Configure the FCGI TCP Port

For me this can be done by clicking “Preferences” under the “Wireshark” menu.

Expand the “Protocols” list and scroll down to FCGI. Then set the value to the port your FastCGI service was running on (in my case 9000).

Wireshark's Enabled Protocols menu

Click “OK” and voila, your pcap should now show detailed FastCGI info.

FastCGI packets with FastCGI info in Wireshark
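To show what the FCGI dissector decodes once the port is mapped, here is an added example (not from the original post or from Wireshark) that parses FastCGI record headers and FCGI_PARAMS name-value pairs as laid out in the FastCGI specification. It goes beyond the Wireshark steps above; the function names and the sample payload are constructed for illustration.

```python
import struct

# Record type numbers from the FastCGI specification.
RECORD_TYPES = {1: "BEGIN_REQUEST", 2: "ABORT_REQUEST", 3: "END_REQUEST", 4: "PARAMS",
                5: "STDIN", 6: "STDOUT", 7: "STDERR", 8: "DATA", 9: "GET_VALUES",
                10: "GET_VALUES_RESULT", 11: "UNKNOWN_TYPE"}
# 8-byte header: version, type, requestId, contentLength, paddingLength, reserved.
HEADER = struct.Struct(">BBHHBx")

def read_length(buf, pos):
    """Lengths below 128 take 1 byte; larger ones take 4 bytes with the top bit set."""
    width = 1 if buf[pos:pos + 1] < b"\x80" else 4
    raw = buf[pos:pos + width]
    if len(raw) != width:
        raise ValueError("truncated name-value length")
    return int.from_bytes(raw, "big") & 0x7FFFFFFF, pos + width

def parse_params(body):
    """Decode the name-value pairs of one PARAMS record (pairs assumed not split across records)."""
    params, pos = {}, 0
    while pos < len(body):
        name_len, pos = read_length(body, pos)
        value_len, pos = read_length(body, pos)
        end = pos + name_len + value_len
        if end > len(body):
            raise ValueError("name-value pair runs past the record body")
        params[body[pos:pos + name_len].decode("latin-1")] = body[pos + name_len:end].decode("latin-1")
        pos = end
    return params

def parse_records(stream):
    """Split a reassembled TCP payload into (type name, request id, content) tuples."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < HEADER.size:
            raise ValueError("truncated record header")
        version, rtype, request_id, content_len, padding_len = HEADER.unpack_from(stream, pos)
        body_start = pos + HEADER.size
        pos = body_start + content_len + padding_len
        if version != 1 or pos > len(stream):
            raise ValueError("not a complete FastCGI version 1 record")
        records.append((RECORD_TYPES.get(rtype, f"type {rtype}"), request_id,
                        stream[body_start:body_start + content_len]))
    return records

def build_record(rtype, request_id, content, padding=0):
    """Helper that builds the constructed sample below."""
    return HEADER.pack(1, rtype, request_id, len(content), padding) + content + bytes(padding)

# Constructed sample payload (not from a real capture): one request as sent to PHP-FPM.
PARAMS = b"\x0e\x03REQUEST_METHODGET\x0f\x17SCRIPT_FILENAME/var/www/html/index.php"
SAMPLE = (build_record(1, 1, b"\x00\x01\x00" + bytes(5)) + build_record(4, 1, PARAMS, 5)
          + build_record(4, 1, b"") + build_record(5, 1, b""))
```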

Max Chadwick Hi, I'm Max!