Wireshark mailing list archives

Re: how can I filter on traffic that is (a) going in/out through the company internet proxy [e.g. proxy.mycompany.com] and (b) to/from my PC?


From: Guy Harris <guy () alum mit edu>
Date: Mon, 16 Aug 2010 16:44:00 -0700


On Aug 16, 2010, at 4:11 PM, Greg Hauptmann wrote:

> Hi Martin - I guess it's more turned out to be a challenge question
> for me.  In fact the generalised questions probably are:
>
> a) Is it possible on a PC within a company network, to be able to
> identify traffic that is internet bound, without any additional
> information (e.g. proxy name)?   [perhaps the answer to this question
> is no]

If "traffic that is internet-bound" includes traffic that is, for example, fetching a Web page from a server that's on 
the Internet (i.e., not on your company intranet), even though your browser is sending the request to a local proxy 
server on your company intranet with the expectation that the proxy server will cough up a cached copy of the page if 
it has one or fetch the page and feed it to your machine if it doesn't have one, then, if you want to identify it using 
*only* the source and destination IP addresses and ports of the packet, without knowing what IP addresses correspond to 
the proxy, the answer is, indeed, "no" - the packets containing the requests to that proxy will be TCP packets sent to 
an IP address on your company intranet, not to an IP address on the Internet.

> b) Same question as above, but this time assume you know the main DNS
> name for the company proxy server.  So with this knowledge is it
> possible in this case to be able to identify traffic that is internet
> bound?  [which is what I've been asking about re logistics, but the
> generalized question is whether it's possible at all]

If you know the IP address(es) of the proxy server(s), and the ports for which it's doing proxying (e.g., 80, and 
possibly other ports, for HTTP), then it should be possible to identify that traffic using the source and destination 
addresses and ports - traffic to one of those IP addresses and one of the ports for which it's doing proxying is 
presumably ultimately "internet-bound" (even if the traffic in question doesn't result in any Internet traffic, e.g. 
because the proxy is a caching proxy and you get a cache hit).

As one of your questions was about a capture filter, the "source and destination IP addresses and ports" is relevant, 
as that's about all you can easily check with a capture filter.

Whether you can get from the host name of the proxy to a list of one or more IP addresses for the proxy is another 
matter, as per

> I've found that using for a capture filter "tcp and host <<PC IP
> ADDRESS>> and host proxy.mycompany.com", whilst it is a valid filter,
> does NOT do the job I require.
>
> It seems to be the case that the actual traffic flow will reflect an IP
> address that has a host name of one of the assigned proxy servers by
> the main DNS server (e.g. proxy4.domainx.mycompany.com) and hence I'm
> guessing due to this the filter does not work.

If, for example, a query for proxy.mycompany.com returns more than one IP address, libpcap/WinPcap will only return the 
first of those IP addresses, so "host proxy.mycompany.com" will be equivalent to "host <first IP address for 
proxy.mycompany.com>".  In theory, libpcap/WinPcap could check for all IP addresses in that case (the filter language 
supports an "or" operation, and the BPF machine language can implement that), but that would take some work to 
implement.

If the query returns only one IP address, but if there's more than one proxy and multiple queries can return different 
IP addresses, libpcap/WinPcap can't compensate for that.

If you can determine the set of IP addresses for all the proxies, you could do the "or"ing by yourself, e.g.

        (host <proxy 1 ip> or host <proxy 2 ip> or ...) and host <my local host ip>
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
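The reply above explains two things a capture filter built from a proxy host name can get wrong: libpcap/WinPcap keeps only the first address a name resolves to, and a round-robin name can hand different hosts different addresses, so the safe approach is to collect every proxy address yourself and "or" them together. The following script is an added example (not from this thread, nor libpcap/Wireshark code) that models the first-address-only behaviour, resolves a list of proxy names to the full set of their addresses, and emits the expanded filter from the reply. The host names, addresses and the constructed fake resolver are placeholders so the script runs offline; pass the real resolver (`resolve_all`) to query DNS instead.

```python
"""Build a tcpdump/Wireshark capture filter covering every proxy address.

Added example, not code from the mailing-list thread or from libpcap.
Assumptions: the proxy names and local address below are placeholders,
and DNS is replaced by a constructed lookup table so the script runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Sequence

Resolver = Callable[[str], List[str]]

# Constructed sample DNS data (not real hosts): one name with a single
# address, one name that returns two addresses in round-robin fashion.
FAKE_DNS: Dict[str, List[str]] = {
    "proxy.mycompany.com": ["10.0.0.4"],
    "proxy4.domainx.mycompany.com": ["10.0.0.7"],
    "proxy5.domainx.mycompany.com": ["10.0.0.5", "10.0.0.7"],
}


def fake_resolver(hostname: str) -> List[str]:
    """Offline stand-in for DNS, backed by the constructed table above."""
    return list(FAKE_DNS.get(hostname, []))


def resolve_all(hostname: str) -> List[str]:
    """Real resolver: return every IPv4/IPv6 address for a name, in DNS order."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    addrs: List[str] = []
    for info in infos:
        addr = info[4][0]
        if addr not in addrs:
            addrs.append(addr)
    return addrs


def libpcap_style_first_only(hostname: str, resolver: Resolver = resolve_all) -> List[str]:
    """Model the behaviour described in the reply: 'host NAME' uses only the
    first address the name resolves to, silently dropping the rest."""
    return resolver(hostname)[:1]


def expand_hosts(names: Iterable[str], resolver: Resolver = resolve_all) -> List[str]:
    """Resolve each proxy name and merge ALL resulting addresses, validated,
    deduplicated and sorted (IPv4 before IPv6, then numerically)."""
    addrs = set()
    for name in names:
        for raw in resolver(name):
            addrs.add(str(ipaddress.ip_address(raw)))  # validates and normalises
    return sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version,
                                        int(ipaddress.ip_address(a))))


def build_capture_filter(proxy_addrs: Sequence[str], local_addr: str,
                         ports: Sequence[int] = (80,)) -> str:
    """Emit the 'or'-expanded BPF filter from the reply:
    tcp and (host P1 or host P2 ...) and (port ...) and host LOCAL.
    'host' and 'port' match either direction, so both request and reply
    packets between this PC and any proxy are captured."""
    if not proxy_addrs:
        raise ValueError("no proxy addresses resolved: filter would match nothing")
    local = str(ipaddress.ip_address(local_addr))
    proxy_clause = " or ".join(f"host {a}" for a in proxy_addrs)
    port_clause = " or ".join(f"port {int(p)}" for p in ports)
    return f"tcp and ({proxy_clause}) and ({port_clause}) and host {local}"


if __name__ == "__main__":
    names = ["proxy4.domainx.mycompany.com", "proxy5.domainx.mycompany.com"]
    print("first-only (libpcap):", libpcap_style_first_only(names[1], fake_resolver))
    all_proxies = expand_hosts(names, fake_resolver)
    print("all addresses:", all_proxies)
    print(build_capture_filter(all_proxies, "192.168.1.10", ports=(80, 8080)))
```

The resulting string is what you would paste into Wireshark's capture filter box or pass to `tcpdump`; if you have more than one proxy name, list them all so round-robin assignments are covered, and re-run the script whenever the proxy pool changes, since the filter is compiled once at capture start and will not follow later DNS changes.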