Wireshark mailing list archives
Re: how can I filter on traffic that is (a) going in/out through the company internet proxy [e.g. proxy.mycompany.com] and (b) to/from my PC?
From: Greg Hauptmann <greg.hauptmann.ruby () gmail com>
Date: Mon, 16 Aug 2010 21:21:39 +1000
@Martin - I guess it's becoming a bit of a challenge as I've tried to solve it, i.e. a way to just have to specify the normal proxy hostname that one normally does in the browser settings, and have that be enough to capture on. Is it actually not possible using a Wireshark capture filter then? (seems like it may not be). Would it be possible in fact on review of the packets captured to identify which traffic relates back to use of an internet proxy that was handed out by DNS versus any other internal traffic that is going on? I mean, if you didn't know what the alias names were for the proxy servers (i.e. you didn't know that proxy3.zzz.aaa.mycompany.com was a proxy server) would there be a way using the packet content of this packet to tell for sure whether it is proxy traffic or not?

@Kevin - probably would work I guess, however I was looking for a way to filter that didn't require each of the proxy server names (i.e. just wanted to use the main one that is used to configure browsers, and have it be dynamic)

On 16 August 2010 21:18, Kevin Cullimore <kcullimo () runbox com> wrote:

> On 8/16/2010 2:01 AM, Greg Hauptmann wrote:
>> Hi Martin/all
>>
>> I've done a little more testing with Wireshark and what I'm seeing is as follows.
>>
>> ASSUMPTIONS
>> ===========
>> First in terms of some assumptions for the sake of this example:
>>
>> nslookup proxy.mycompany.com
>> Name: proxy.xxx..yyy.mycompany.com
>> Address: 10.10.1.10
>> Aliases: proxy.mycompany.com
>>
>> nslookup 10.1.1.10
>> Name: proxy3.zzz.aaa.mycompany.com
>> Address: 10.10.1.10
>>
>> WIRESHARK RESULTS FOR GIVEN CAPTURE FILTER
>> ==========================================
>> a) "host proxy.mycompany.com" => Does not pick up the browser traffic I created that transits the proxy. Again my goal is to find a way to filter on this.
>>
>> b) "host proxy3.zzz.aaa.mycompany.com" => Does pick up the traffic BUT of course I've had to manually type in the actual proxy server. I tested with the same browser straight after putting in the capture filter so the proxy I was handed back obviously didn't change in that small time (i.e. at other times I would be handed off to proxy5.zzz.aaa.mycompany.com, say, for example).
>>
>> Any ideas on how to get a capture filter working that I don't have to change, but will filter on any traffic going through any of the proxy servers that the main DNS server dishes out based on the main "proxy.mycompany.com" name?
>
> What happens when you conjoin all the aliases with alternation operators?
>
>> thanks
>>
>> On 16 August 2010 13:08, Martin Visser <martinvisser99 () gmail com> wrote:
>>> Using hostnames in the capture filter will only work if your capturing PC has DNS connectivity and/or an entry in a hosts file. When you said it "does NOT do the job", is it not capturing anything, or capturing everything, or something else? Unfortunately it is difficult to provide an answer without knowing what output you are seeing. (If your proxy is a regular web proxy then your web traffic will almost definitely have this address as the source or destination - this is the main function of the web proxy, to shield your client from the actual web servers.)
>>>
>>> Regards, Martin
>>> MartinVisser99 () gmail com
>>>
>>> On Mon, Aug 16, 2010 at 11:40 AM, Greg Hauptmann <greg.hauptmann.ruby () gmail com> wrote:
>>>> still stuck on this :( I've found that using for a capture filter "tcp and host <<PC IP ADDRESS>> and host proxy.mycompany.com", whilst it is a valid filter, does NOT do the job I require. It seems to be the case that the actual traffic flow will reflect an IP address that has a host name of one of the proxy servers assigned by the main DNS server (e.g. proxy4.domainx.mycompany.com) and hence I'm guessing due to this the filter does not work. Any other ideas/suggestions here? I'm kind of stuck for the moment. Again the challenge is how to capture traffic only bound through the proxy servers, but for which you don't really know which proxy server DNS is going to allocate to you based on the main DNS proxy name (proxy.mycompany.com).
>>>>
>>>> On 15 August 2010 21:09, Greg Hauptmann <greg.hauptmann.ruby () gmail com> wrote:
>>>>> in fact would a capture filter of "host proxy.mycompany.com and host <my local host ip>" be enough to solve this? i.e. would wireshark then, irrespective of the actual proxy server my request gets assigned to (noting there are several nominated under the one DNS name for resiliency), just double check that the IP address for this proxy server resolves to "proxy.mycompany.com" and then if it does put it in scope?
>>>>>
>>>>> On 13 August 2010 15:08, Greg Hauptmann <greg.hauptmann.ruby () gmail com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Can anyone advise how I could set up a filter that covered off only traffic that is (a) going in/out through the company internet proxy [e.g. proxy.mycompany.com] - note here I want to be able to put the DNS name for the proxy here [as there can be a number of different IPs that DNS may issue back to give you your specific proxy server to use] (b) to/from my PC that is running wireshark?
>>>>>>
>>>>>> thanks

-- 
Greg
http://blog.gregnet.org/

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
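An added example, not code from anyone in this thread: it gathers every address currently behind the round-robin proxy name and writes Kevin's "alternation" suggestion out as a capture filter (a hostname in a capture filter is resolved once, when the capture starts, so proxies handed out later are never matched), and for Greg's second question it checks an HTTP request line for the absolute-URI or CONNECT target that a client only sends to a forward proxy. proxy.mycompany.com, the 10.x addresses and the request lines are constructed samples; resolve_all assumes a host with DNS access.

```python
"""Added example, not code from the thread: (1) collect every address behind the
round-robin proxy name and write Kevin's 'alternation' idea out as a capture
filter, (2) a content-based check for proxy-style HTTP requests.
proxy.mycompany.com, the addresses and the request lines are constructed samples."""
import re
import socket
from typing import Iterable


def resolve_all(name: str) -> list[str]:
    """Every IPv4 address the resolver returns for `name` right now (live lookup,
    so it needs DNS access). A capture filter like 'host proxy.mycompany.com'
    is resolved once when the capture starts, so proxies the DNS hands out
    later (or returns only to other queries) are never matched."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def build_capture_filter(pc_ip: str, proxy_ips: Iterable[str]) -> str:
    """BPF capture-filter text (tcpdump/Wireshark syntax) matching TCP traffic
    between this PC and ANY of the proxy addresses."""
    ips = sorted(set(proxy_ips))
    if not ips:
        raise ValueError("no proxy addresses to filter on")
    alternatives = " or ".join(f"host {ip}" for ip in ips)
    return f"tcp and host {pc_ip} and ({alternatives})"


# HTTP/1.x request line: METHOD SP request-target SP HTTP-version CRLF
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def looks_like_proxy_request(payload: bytes) -> bool:
    """Content check for Greg's second question: a client talking to a forward
    proxy sends an absolute URI as the request target ('GET http://host/...')
    or a CONNECT tunnel request ('CONNECT host:443 ...'); a request sent
    straight to a web server carries only the path ('GET /index.html ...')."""
    m = _REQUEST_LINE.match(payload)
    if not m:
        return False
    method, target = m.group(1), m.group(2)
    return method == b"CONNECT" or target.lower().startswith((b"http://", b"https://"))


if __name__ == "__main__":
    # Constructed stand-in for resolve_all("proxy.mycompany.com") on the corporate LAN.
    sample_proxies = ["10.10.1.10", "10.10.1.11", "10.10.1.12"]
    print(build_capture_filter("10.20.30.40", sample_proxies))
```

The filter string can be pasted straight into Wireshark's capture filter box or passed to tcpdump; re-run the script whenever the DNS answer for the proxy name changes.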