The Ethereal Network Analyzer, or packet sniffer, is a marvelous tool for working with the web. A particular example of its usefulness is to watch the HTTP Requests and Responses go back and forth to observe cookies being set (or not) from the server and cookies being sent back with subsequent requests from the client (or not). If you're fighting with your code and with browser settings while trying to figure out if cookies are being set or not, then just follow the packets and you'll know with certainty exactly what's going on.

Assuming the application hosted on the server is intending to set cookies, then you should see an initial absense of cookies in the HTTP Request from the client followed by one or more Set-Cookie headers in the server's HTTP Response.

Note that Ethereal captures data between two endpoints, a client and a server for example. It can't be used to capture communications made to localhost/127.0.0.1.

Request 1

GET /blog/index.cfm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, ... */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.talkingtree.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 18 Feb 2005 17:02:37 GMT
Connection: close
Set-Cookie: CFID=10075634;expires=Sun, 11-Feb-2035 16:58:04 GMT;path=/
Set-Cookie: CFTOKEN=bfd36e6321a1f95d-266BBD21-.... ;expires=Sun, 11-Feb-2035 16:58:04 GMT;path=/
Set-Cookie: CFAUTHORIZATION_blog_TalkingTree.com=;expires=Wed, 18-Feb-2004 16:58:04 GMT;path=/
Set-Cookie: JSESSIONID=80303072001108746157355;path=/
Content-Language: en-US
Content-Type: text/html; charset=UTF-8


Notice in the above that the HTTP Request does not send any cookies upon the first request because it does not have any already set.

Then if the page is refreshed, you'll see that the HTTP Request from the client sends the cookies in the header with the request, and the subsequent server responses don't reset the CFID and the CFTOKEN cookies because the ColdFusion Application Framework is trying to maintain state with the client, but for this application in particular there is a HITS and CFAUTHORIZATION cookie which are set/updated on each HTTP Response.

Request 2
GET /blog/index.cfm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, ... */*
Referer: http://www.talkingtree.com/blog/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: www.talkingtree.com
Connection: Keep-Alive
Cookie: CFID=10075634; CFTOKEN=bfd36e6321a1f95d-266BBD21-... ; JSESSIONID=80303072001108746157355

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 18 Feb 2005 17:06:10 GMT
Connection: close
Set-Cookie: HITS=1;expires=Sun, 11-Feb-2035 16:01:24 GMT;path=/
Set-Cookie: CFAUTHORIZATION_blog_TalkingTree.com=;expires=Wed, 18-Feb-2004 16:01:24 GMT;path=/
Content-Language: en-US
Content-Type: text/html; charset=UTF-8




Examples of Using Ethereal
  1. Setting up a capture filter to record only a single host and port
  2. Viewing the captured frames that show the HTTP Request and Response
  3. Viewing the actual headers by following the TCP Stream
1. Setting up a capture filter to record only a single host and port
2. Viewing the captured frames that show the HTTP Request and Response
3. Viewing the actual headers by following the TCP Stream