Inspecting FastCGI Packets with Wireshark

Published: January 30, 2019

Recently I needed to do some analysis on FastCGI packets being sent to PHP-FPM.

The Wireshark wiki has a page titled FastCGI which shows a screenshot of a pcap open in Wireshark with detailed FastCGI info.

Image from Wireshark FastCGI Wiki showing pcap with detailed FastCGI info

However, I couldn’t easily figure out from the wiki how to get the same details on my FastCGI pcap.

Screenshot showing a FastCGI pcap in Wireshark without proper FastCGI info

After reading, re-reading and clicking through Wireshark’s menus I was able to figure it out. Here’s what you need to do:

1. Set FastCGI as an “Enabled Protocol”

In my Wireshark installation this can be done by clicking “Enabled Protocols” under the “Analyze” menu.

Find “FCGI” and make sure it is checked.

Wireshark's Enabled Protocols menu

2. Configure the FCGI TCP Port

For me this can be done by clicking “Preferences” under the “Wireshark” menu.

Expand the “Protocols” list and scroll down to FCGI. Then set the TCP port value to the port your FastCGI service was running on (in my case 9000).

Wireshark's Enabled Protocols menu

Click “OK” and voilà, your pcap should now show detailed FastCGI info.

FastCGI packets with FastCGI info in Wireshark
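To make sense of what the dissector is now showing, here is an added example (mine, not code from the original post or from the Wireshark project) that frames and parses FastCGI records in Python. It builds a constructed byte stream standing in for what a web server sends PHP-FPM over TCP port 9000, then splits it back into records and decodes the PARAMS name-value pairs, much like Wireshark's detail pane. The record layouts follow the FastCGI specification; the sample parameters, the summarise() output format and all function names are my own assumptions.

```python
import struct

# FastCGI record header (FastCGI spec, section 3.3), all fields big-endian:
# version, type, requestId, contentLength, paddingLength, reserved.
FCGI_HEADER = struct.Struct("!BBHHBx")
FCGI_VERSION_1 = 1

# Record types this example understands (spec section 8).
FCGI_BEGIN_REQUEST, FCGI_ABORT_REQUEST, FCGI_END_REQUEST = 1, 2, 3
FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT, FCGI_STDERR = 4, 5, 6, 7
RECORD_NAMES = {1: "BEGIN_REQUEST", 2: "ABORT_REQUEST", 3: "END_REQUEST",
                4: "PARAMS", 5: "STDIN", 6: "STDOUT", 7: "STDERR"}
FCGI_RESPONDER = 1  # role used for ordinary web requests


def build_record(rtype, request_id, content=b""):
    """Frame one record, padding the body to an 8-byte boundary as the spec recommends."""
    padding = (-len(content)) % 8
    header = FCGI_HEADER.pack(FCGI_VERSION_1, rtype, request_id, len(content), padding)
    return header + content + b"\x00" * padding


def encode_length(n):
    """Name/value lengths are 1 byte below 128, otherwise 4 bytes with the high bit set."""
    if n < 0x80:
        return bytes([n])
    return struct.pack("!I", n | 0x80000000)


def encode_params(params):
    """Serialise a dict as FCGI_PARAMS name-value pairs (spec section 3.4)."""
    out = b""
    for name, value in params.items():
        n, v = name.encode(), value.encode()
        out += encode_length(len(n)) + encode_length(len(v)) + n + v
    return out


def parse_records(data):
    """Split a byte stream into (type, request_id, content) tuples; stops at a truncated record."""
    records, offset = [], 0
    while offset + FCGI_HEADER.size <= len(data):
        version, rtype, req_id, clen, plen = FCGI_HEADER.unpack_from(data, offset)
        if version != FCGI_VERSION_1:
            raise ValueError(f"unsupported FastCGI version {version} at offset {offset}")
        body_start = offset + FCGI_HEADER.size
        if body_start + clen + plen > len(data):
            break  # incomplete record, e.g. the rest is in the next TCP segment
        records.append((rtype, req_id, data[body_start:body_start + clen]))
        offset = body_start + clen + plen
    return records


def parse_params(content):
    """Decode FCGI_PARAMS name-value pairs into a dict, handling both length encodings."""
    params, pos = {}, 0

    def read_length():
        nonlocal pos
        if content[pos] < 0x80:
            pos += 1
            return content[pos - 1]
        (n,) = struct.unpack_from("!I", content, pos)
        pos += 4
        return n & 0x7FFFFFFF

    while pos < len(content):
        nlen = read_length()
        vlen = read_length()
        name = content[pos:pos + nlen].decode()
        pos += nlen
        value = content[pos:pos + vlen].decode()
        pos += vlen
        params[name] = value
    return params


def summarise(data):
    """Return one human-readable line per record, similar to Wireshark's Info column."""
    lines = []
    for rtype, req_id, content in parse_records(data):
        name = RECORD_NAMES.get(rtype, f"type {rtype}")
        if rtype == FCGI_BEGIN_REQUEST:
            role, flags = struct.unpack_from("!HB", content)
            detail = f"role={role} flags={flags}"
        elif rtype == FCGI_PARAMS and content:
            detail = " ".join(f"{k}={v}" for k, v in parse_params(content).items())
        else:
            detail = f"{len(content)} bytes" if content else "(empty: end of stream)"
        lines.append(f"id={req_id} {name} {detail}")
    return lines


# Constructed sample (not a real capture): what a web server sends PHP-FPM for a GET request.
SAMPLE_PARAMS = {
    "SCRIPT_FILENAME": "/var/www/html/index.php",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "page=1",
}
SAMPLE_STREAM = (
    build_record(FCGI_BEGIN_REQUEST, 1, struct.pack("!HB5x", FCGI_RESPONDER, 0))
    + build_record(FCGI_PARAMS, 1, encode_params(SAMPLE_PARAMS))
    + build_record(FCGI_PARAMS, 1)   # empty PARAMS record ends the parameter stream
    + build_record(FCGI_STDIN, 1)    # empty STDIN record: no request body
)

if __name__ == "__main__":
    for line in summarise(SAMPLE_STREAM):
        print(line)
```

Run it directly to print one line per record. The same "decode as" that steps 1 and 2 configure in the GUI can be applied from the command line with tshark, e.g. tshark -r capture.pcap -d tcp.port==9000,fcgi. The example assumes the TCP transport the post captures; a PHP-FPM pool listening on a Unix socket produces no packets to capture in the first place.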

Max Chadwick

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but loves dabbling in other languages like Go and Ruby. Technical topics that interest me are monitoring, security and performance. I'm also a stickler for good documentation and clear technical writing.

During the day I lead a team of developers and solve challenging technical problems at Rightpoint where I mainly work with the Magento platform. I've also spoken at a number of events.

In my spare time I blog about tech, work on open source and participate in bug bounty programs.

If you'd like to get in contact, you can find me on Twitter and LinkedIn.