===================== HTTPREPLAY README.TXT ===================== Overview -------- HTTPREPLAY is a SOCKTRC plugin allowing to analyze and replay HTTP traffic from STRACE, Fiddler or WININET log. You can use this tool to "replay a web server" without needing to setup IIS. The main goal of this tool is to help building a repro scenario when customer can't provide one. System Requirements ------------------- Supported Operating Systems (32-Bit x86) : Windows XP, Windows Server 2003, Windows Vista Usage ----- Getting the LOG --------------- The most simple way to get a "replay trace" is to use the STRACE or Fiddler tool. With these tools, no special configuration is needed and you'll not need any special DLL build to get the log. Before getting the log, clear the Internet Explorer cache so that the log can hold all requested objects. HTTPREPLAY has limited support for WININETLOG. If you plan to replay a non full debug WININET log, the log must have been taken using a single connection (this is needed because the session/socket information is not present in non full debug WININET log). To configure Internet Explorer to use a single connection, create the following 2 registry keys : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "MaxConnectionsPer1_0Server"=Dword:00000001 "MaxConnectionsPerServer"=Dword:00000001 Replaying a LOG --------------- To replay a log, use the following command from the HTTPREPLAY directory : HTTPREPLAY.CMD logfilename Alternatively, you may use the following command : SOCKTRC.EXE /s:81 /e:HTTPREPLAY.DLL /LOG:logfilename To replay from a Fiddler log ("SAZ" file) : - rename the "SAZ" file to "ZIP" - extract the "raw" directory - run HTTPREPLAY.CMD passing the "raw" directory as the logfilename Once the parsing of the log is done, a report is displayed in IE with the list of URLs and detailled informion regarding all requests and responses. You'll then be able to access any URL listed after having configured your proxy to LOCALHOST:81. Optional arguments : /SETPROXY (set the Internet Explorer static proxy to localhost:port) When this flag is used, the Internet Explorer static proxy is set to the listening port specified in argument (/D). The proxy server is reset to its original value when HTTPREPLAY is exited. /RESPECTTIMINGS (respect timings when replaying - this option is only valid if STRACE log is replayed) When this flag is used, HTTPREPLAY will send the data back to the client using the timings found in the STRACE log. /IGNOREQS (Ignore the query string) Client side script or forms with method="GET" may prevent HTTPREPLAY to find the appropriate responsefor a specific request. When /IGNOREQS, the tool will try to serve a request whatever querystring is used. /RESPECTPOST (use data POSTed to serve URL) by default, HTTPREPLAY doesn't use POSTed data to serve a POST request. If this flag is used, HTTPREPLAY will try to serve request based on URL and POSTed content /XTRACT (extract "replayed" requests & responses in files) see "Replaying from files" section for details /XTRACTALL (extract *all* requests & responses in files)
see "Replaying from files" section for details /USEFILES (use response file instead of log) see "Replaying from files" section for details /SHOWIMAGES display thumbnail when content-type of response is image /QUICKDECRYPT This flag allows to speedup the decryption of encrypted BLOB but may prevent content to be fully decrypted (use with caution) /SHOWFULLRESPONSE Dump the full response if the content-type is text /D:port /H:host when HTTPREPLAY can't replay any response for a specific request, "route" this request to the proxy specified Replaying from files -------------------- The /XTRACT switch instructs HTTPREPLAY to extract requests & responses found in the log as individual files. An index file ("index.replay") is also created to associate each response file with the URL requested. To replay the HTTP content from response file, use the /USEFILES switch. The main benefit of replaying from response files is that the replayed content can be modified. If the content is modified, you'll need to adjust the Content-Length (or Chunk size) header. If you delete the content-length header, HTTP replay will FIN the HTTP connection once the response will be sent. This allows to signal the end of the response. The replay file can reference an external file using the "HTTPREPLAY-FILELINK:" syntax. Example : file response0001.replay --------------------------------------------- HTTP/1.1 200 OK Content-Type: text/html Server: Microsoft-IIS/6.0 HTTPREPLAY-FILELINK:common.js --------------------------------------------- Note that in the example above, the Content-Length header has been volontarily suppressed and you can now modify "common.js" without having any concerns regarding the Content-Length... You may "clean" the "index.replay" file so that it only keeps references to the file content that you plan to modify (when a requested URL in not found in the index, HTTPREPLAY will serve the URL from the log). Additional Information ---------------------- - the SENDFILE command line tool can be used to replay request(s) extracted from log. - HTTPREPLAY reads the log file using a single ReadFile operation. Therefore, the size of the LOG must match your memory configuration. - it is recommended to replay a trace on a machine using similar IE version & settings than the one used for the trace. In particular, ensure IE is using the same HTTP version on the replay box than the one where the trace was done. - you may consider using HTTP 1.0 to avoid dealing with HTTP compression and easily be able to search/modify data in *.replay files. You can also use the BUILDCONTENT.CMD command to retrieve uncompressed content from index.replay. - HTTPREPLAY first tries to sends back the largest HTTP 200 OK response found. If such response is not available, the tool will send back the first response found for the URL requested. This method allows to replay HTTP traffic even if 401 or 407 responses are used. - HTTPREPLAY is now able to replay STRACE log containing SSL (HTTPS) traffic. For example, you can get an STRACE log for HTTPS://WWW.VERISIGN.COM and you'll subsequently be able to replay it using HTTP. The tool will automatically convert HTTPS urls in pages to HTTP. - by associating HTTPREPLAY.CMD with the .LOG extention, you'll be able to replay any STRACE/WININET LOG file on the desktop using Right Click -> Open With Changelog --------- - December 2006 First release - June 2007 Tool available on microsoft.com - August 2007 Added support of other methods than GET & POST Added line number info in report Fixed a couple of bugs mostly in report view - September 2007 Added support for Fiddler raw files - October 2007 /XTRACT now extract requests and responses wrote the SENDFILE utility to replay from request file add proxy support to route unresolved requests to specific proxy