Analyzing Microsoft IIS Web Logs - Part 1
Wireshark's new TRANSUM plugin provides a great way to identify slow web site and web service transactions, but there's a problem. More often than not, web traffic is carried in SSL (TLS) encrypted messages, and so, although we can measure the slow response times, we can't see which request was slow. To prove the cause of a slow response time, ideally we want to see the URI, the query string and, in the case of a web service request, the SOAPAction header value.
If we are very lucky, we may be able to get a copy of the server's private key and use Wireshark to decrypt the traffic (and even then only if the connection did not use an ephemeral, forward-secret key exchange such as DHE or ECDHE), but what if that's not possible? The good news is that web logs have much of the information we need, and we can combine them with Wireshark network traces to get a more complete picture.
In this video we introduce the concept of web log analysis. We cover how to get the log, what it contains and how to match it to Wireshark traces. In Part 2 of this mini-series we will cover how to gain insight into SSL network traces using web log information.
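As an added example (this is not code from the original post, nor part of Workbench or TRANSUM), the block below parses the W3C extended format that IIS writes and then matches transactions taken from a trace (the kind of record TRANSUM gives you: client address, server port, request time and response time) back to individual log lines. The log lines and the trace records are constructed for illustration; the default log location, the UTC timestamps and the millisecond `time-taken` field are how IIS behaves, while the two-second window and the 25% duration tolerance used for matching are assumptions you should tune to your environment.

```python
"""Parse an IIS W3C extended log and match its entries to transactions seen in a
network trace. Added example, not part of the original post; sample data is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample of an IIS W3C extended log. Real logs live under
# %SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteid>\ and the #Fields directive
# defines the columns, so the parser reads it rather than assuming a layout.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-03-01 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-03-01 09:00:01 10.0.0.5 GET /default.aspx - 443 - 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 15
2017-03-01 09:00:03 10.0.0.5 POST /OrderService.asmx - 443 - 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 4120
2017-03-01 09:00:04 10.0.0.5 GET /images/logo.png - 443 - 192.168.1.77 Mozilla/5.0+(X11) 304 0 0 2
2017-03-01 09:00:05 10.0.0.5 GET /reports/run.aspx id=42 443 - 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0) 500 0 0 980
"""

# Constructed trace-side records, as you might export them from Wireshark: the TCP
# endpoints, when the request was seen and the measured application response time.
UTC = timezone.utc
TRACE_TRANSACTIONS = [
    {"c_ip": "192.168.1.20", "c_port": 51002, "s_ip": "10.0.0.5", "s_port": 443,
     "req_ts": datetime(2017, 3, 1, 9, 0, 3, 120000, tzinfo=UTC), "art_s": 4.118},
    {"c_ip": "192.168.1.20", "c_port": 51003, "s_ip": "10.0.0.5", "s_port": 443,
     "req_ts": datetime(2017, 3, 1, 9, 0, 5, 400000, tzinfo=UTC), "art_s": 0.976},
    {"c_ip": "192.168.1.77", "c_port": 40211, "s_ip": "10.0.0.5", "s_port": 443,
     "req_ts": datetime(2017, 3, 1, 9, 0, 4, 200000, tzinfo=UTC), "art_s": 0.003},
    # A transaction with no counterpart in the log (e.g. served by another site).
    {"c_ip": "192.168.1.20", "c_port": 51010, "s_ip": "10.0.0.5", "s_port": 443,
     "req_ts": datetime(2017, 3, 1, 9, 0, 20, 0, tzinfo=UTC), "art_s": 0.250},
]


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in the #Fields directive."""
    fields, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        entry = {f: (None if v == "-" else v) for f, v in zip(fields, values)}
        # IIS logs date/time in UTC by default; time-taken is in milliseconds.
        entry["ts"] = datetime.strptime(entry["date"] + " " + entry["time"],
                                        "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
        entry["time-taken"] = int(entry["time-taken"])
        ua = entry.get("cs(User-Agent)")
        if ua:
            entry["cs(User-Agent)"] = ua.replace("+", " ")  # IIS writes UA spaces as '+'
        entries.append(entry)
    return entries


def match_transactions(log_entries, transactions, window=timedelta(seconds=2), tolerance=0.25):
    """Pair each trace transaction with the log line from the same client to the same
    server/port whose timestamp lies within `window` and whose time-taken is closest
    to the observed response time. Heuristic: the default IIS fields carry no client
    port or connection id, so IP + time + duration is the best key available."""
    matches = []
    for tx in transactions:
        art_ms = tx["art_s"] * 1000
        best = None
        for e in log_entries:
            if (e["c-ip"], e["s-ip"], int(e["s-port"])) != (tx["c_ip"], tx["s_ip"], tx["s_port"]):
                continue
            if abs(e["ts"] - tx["req_ts"]) > window:
                continue
            diff = abs(e["time-taken"] - art_ms)
            if diff > tolerance * max(art_ms, 50):  # 25% or 50 ms, whichever is larger
                continue
            if best is None or diff < best[0]:
                best = (diff, e)
        matches.append((tx, best[1] if best else None))
    return matches


def slow_transactions(matches, threshold_ms=1000):
    """Return (uri, time_taken_ms, sc-status) for matched requests slower than threshold."""
    out = []
    for _tx, e in matches:
        if e is None or e["time-taken"] < threshold_ms:
            continue
        uri = e["cs-uri-stem"] + ("?" + e["cs-uri-query"] if e["cs-uri-query"] else "")
        out.append((uri, e["time-taken"], e["sc-status"]))
    return out


if __name__ == "__main__":
    found = match_transactions(parse_iis_log(IIS_LOG), TRACE_TRANSACTIONS)
    for tx, e in found:
        print(tx["c_ip"], tx["req_ts"].time(), "->", e["cs-uri-stem"] if e else "no log match")
    print("slow:", slow_transactions(found))
```

Two caveats before trusting the pairing: if a load balancer or reverse proxy sits in front of IIS, `c-ip` is its address rather than the real client's unless the site logs the forwarded address (a custom field such as X-Forwarded-For, available from IIS 8.5), and the capture host's clock must agree with the web server's, or the time window needs widening to cover the skew.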
In the video I open an IIS log in Wireshark using a standard Workbench feature called transformers. Transformers allow tools like Wireshark to read trace and log files in formats they do not normally support, all through a simple drag-and-drop interface. You can still get a free copy of Workbench from the Downloads section of the TribeLab Community website - https://community.tribelab.com
The BDS dissector mentioned in the video is available from https://community.tribelab.com/course/view.php?id=32.