tcpdump mailing list archives
filter packets bound for company proxy server? (libpcap)
From: Greg Hauptmann <greg.hauptmann.ruby () gmail com>
Date: Mon, 16 Aug 2010 16:21:24 +1000
Hi,

Can I ask if anyone has a good idea for how I could identify (filter packets) that are transiting via a company proxy server [e.g. proxy.mycompany.com]? The challenge here is that the DNS server will issue any one of a number of IP addresses back to the browser to use, associated with the range of physically separate proxy servers that you might end up on. I've tried using the filter "host <<proxy dns address>>", however this doesn't seem to work. In fact, some testing I did with Wireshark to provide an example of what I'm seeing is:

ASSUMPTIONS:

First, in terms of some assumptions for the sake of this example:

    nslookup proxy.mycompany.com
    Name:    proxy.xxx..yyy.mycompany.com
    Address: 10.10.1.10
    Aliases: proxy.mycompany.com

    nslookup 10.1.1.10
    Name:    proxy3.zzz.aaa.mycompany.com
    Address: 10.10.1.10

WIRESHARK RESULTS FOR GIVEN CAPTURE FILTER:

a) "host proxy.mycompany.com" => Does not pick up the browser traffic I created that transits the proxy. Again, my goal is to find a way to filter on this.

b) "host proxy3.zzz.aaa.mycompany.com" => Does pick up the traffic, BUT of course I've had to manually type in the actual proxy server. I tested with the same browser straight after putting in the capture filter, so the proxy I was handed back obviously didn't change in that small time (i.e. at another time I would be handed off to proxy5.zzz.aaa.mycompany.com, say, for example).

So I'm running out of ideas re how I could identify, for a given packet, whether it is one that has transited via the proxy server.... any ideas?

thanks

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
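One way to get the filter the post is asking for, as an added example that is not from the original thread: resolve every IPv4 address the proxy name currently maps to and OR them together as libpcap "host" primitives, so the capture covers whichever proxy the DNS server hands out. proxy.mycompany.com is the name from the post; the use of getent and the sample addresses are assumptions/constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): build a libpcap capture filter
# that matches every IPv4 address a proxy name currently resolves to, so the
# filter covers all proxies the DNS server may hand out, not just one.
# "proxy.mycompany.com" is from the post; the addresses below are constructed.

# build_filter ADDR... -> prints "host A or host B or ..."
# Each address becomes a "host" primitive; "host" matches both source and
# destination, so requests to the proxy and its replies are both captured.
build_filter() {
    filter=""
    for addr in "$@"; do
        if [ -z "$filter" ]; then
            filter="host $addr"
        else
            filter="$filter or host $addr"
        fi
    done
    printf '%s\n' "$filter"
}

# resolve_all NAME -> prints each IPv4 address NAME resolves to, one per line.
# getent consults the system resolver (and /etc/hosts) and returns every
# address record, unlike the single answer a browser ends up using.
resolve_all() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Typical use (needs capture privileges). The filter is compiled once when
# tcpdump starts, so if the name later resolves to additional proxies,
# re-run this to refresh it:
#   tcpdump -n -i eth0 "$(build_filter $(resolve_all proxy.mycompany.com))"
```

If all the proxies sit in one subnet, a single "net" primitive (e.g. "net 10.10.1.0/24") avoids re-resolving, at the cost of also matching anything else in that range.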