Wireshark mailing list archives

Re: how can I filter on traffic that is (a) going in/out through the company internet proxy [e.g. proxy.mycompany.com] and (b) to/from my PC?


From: Sake Blok <sake () euronet nl>
Date: Mon, 16 Aug 2010 20:44:23 +0200

On 16 aug 2010, at 13:21, Greg Hauptmann wrote:

Would it be possible in fact on review of the packets captured to identify which
traffic relates back to use of an internet proxy that was handed out
by DNS versus any other internal traffic that is going on? I mean,
if you didn't know what the alias names were for the proxy servers
(i.e. you didn't know that proxy3.zzz.aaa.mycompany.com was a
proxy server) would there be a way using the packet content of this
packet to tell for sure whether it is proxy traffic or not?

Proxied HTTP requests are different from normal HTTP requests in that the request URI starts with "http://<host>/" 
while a non-proxied request will start straight away with the requested object (ie "/index.html" for example).

That can be used in a display filter by using something like:

http.request.uri contains "http://"

If you want to build a capture filter for this, you can use something like:

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 and tcp[(((tcp[12:1] & 0xf0) >> 2) + 4):4] = 0x68747470 and 
tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):4] & 0xffffff00 = 0x3a2f2f00

(that would capture all TCP packets in which the first 11 octets form the string "GET http://", if you also want to 
capture HEAD and POST requests, you need to extend the filter, but I leave that as an exercise to the reader)

The problem with these filters is that you only capture the http requests and not the responses, but you might be 
interested in the responses ;-)

Hope this helps,
Cheers,


Sake

PS: pre-HTTP/1.0 requests will also match these filters, but I think you will not find those on your network ;-)
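As an added example (not part of the post, and not Wireshark code), the following Python reproduces the posted BPF offset arithmetic against a constructed TCP segment and then extends the check to HEAD and POST, the extension the reply leaves to the reader. The TCP header bytes, port numbers and request lines are constructed sample input.

```python
import struct

# Methods whose request line carries an absolute URI when sent via a proxy.
METHODS = (b"GET ", b"HEAD ", b"POST ")


def tcp_header_len(segment: bytes) -> int:
    """Header length in bytes, exactly as the BPF filter computes it:
    the data offset (in 32-bit words) is the high nibble of byte 12,
    so (byte12 & 0xf0) >> 2 is that value times 4."""
    return (segment[12] & 0xF0) >> 2


def matches_capture_filter(segment: bytes) -> bool:
    """Python rendering of the posted capture filter: the first 11 payload
    octets must be 'GET http://'. Only GET matches, as the post notes."""
    hl = tcp_header_len(segment)
    if len(segment) < hl + 12:
        return False
    word = lambda off: struct.unpack("!I", segment[off:off + 4])[0]
    return (word(hl) == 0x47455420            # "GET "
            and word(hl + 4) == 0x68747470    # "http"
            and (word(hl + 8) & 0xFFFFFF00) == 0x3A2F2F00)  # "://" + any byte


def classify_request(payload: bytes):
    """'proxied' if the request-target is an absolute http:// URI,
    'direct' if it is an origin-form path, None if not a recognised request."""
    for method in METHODS:
        if payload.startswith(method):
            target = payload[len(method):].split(b" ", 1)[0]
            if target.lower().startswith(b"http://"):
                return "proxied"
            if target.startswith(b"/"):
                return "direct"
            return None
    return None


def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP header (no IP layer); options let the data offset vary."""
    assert len(options) % 4 == 0
    words = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 8080, 1, 1, words << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload


# Constructed sample request lines.
PROXIED_GET = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
DIRECT_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PROXIED_POST = b"POST http://www.example.com/login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8  # NOP, NOP, timestamp (12 bytes)
```

Running `matches_capture_filter` on a segment built with `TS_OPTIONS` shows the offset arithmetic still finds the payload when the header is longer than 20 bytes.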
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users