Wireshark mailing list archives

Re: Capture/Filter Squid Session


From: David Alanis <canito () dalan us>
Date: Sat, 10 Jul 2010 20:28:47 -0500

Quoting Patrick Preuss <patrick.preuss () googlemail com>:

Hello David,

What I want to do is the following:

client -- internal network -- squid proxy -- external network -- citrix
nfuse server

The client initiates an HTTPS session to an NFuse gateway over the Squid proxy
and I want to capture only those sessions. I don't know when they occur
or which clients
are involved.

So I want to capture all sessions which do something like an http.uri
"connect nfuse.example.com" or "connect ip.address.of.nfuse.gateway" or
something like this,
as long as the client initiates a session over the proxy to this name or IP
address.
Is this possible, and if so, what would the command line for tshark be?

Hope this makes the situation a little bit clearer.

Cheers
Patrick
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe


So Patrick, this is pretty straightforward. Prior to running this on
the actual network you want to narrow down the IP/host names which you
want to filter. I would get some captures from any client, preferably
on a network with low traffic, and filter the results by typing dns in
your filter.

Doing so you can quickly see which hosts it's talking to and thus
consider which host(s) to focus on. If you cannot run this on the
proxy server but can tap into the network, you will need to run a
capture and make sure the hardware supports promiscuous mode.

To decrypt the SSL traffic Wireshark will need to be able to see the
whole SSL handshake, and in order to capture the whole SSL negotiation,
make sure you start your capture *before* you start to communicate
with the server. When you use a browser, make sure you close it, then
start the capture, then start the browser and open the URL.

If anyone else can chime in and provide help with the commands needed  
for tshark decrypting SSL that would be great.

http://wiki.wireshark.org/SSL

At the bottom of the page are external links to docs that will guide
you through decrypting SSL traffic, if this is your ultimate goal.

David





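The two-stage procedure the reply describes (capture everything at the proxy first, then select the sessions whose CONNECT request names the gateway) as a worked tshark script. This is an added example, not code from the thread or from the Wireshark project. It assumes, and labels as assumptions, that tshark is on PATH, that Squid listens on TCP 3128, that the capture interface is eth0, and that the gateway is nfuse.example.com; the sample stage-2 output used to exercise the stream-set builder is constructed, not captured. A capture filter (BPF, the -f argument) cannot look inside HTTP, so host selection has to happen offline with a display filter (-Y); the full TCP stream, TLS handshake included, is then written out with the `tcp.stream in {...}` set operator. Decrypting what is inside those tunnels still requires the server's RSA private key or a client key log, as the SSL wiki page linked above explains; the proxy only relays the bytes.

```shell
#!/bin/sh
# Added example (not from the original thread): capture Squid proxy
# traffic, then keep only the CONNECT sessions that target the NFuse gateway.
# Assumptions: tshark on PATH, proxy on TCP 3128, capture interface eth0,
# gateway nfuse.example.com. All can be overridden via environment/arguments.
PROXY_PORT="${PROXY_PORT:-3128}"
IFACE="${IFACE:-eth0}"

# Display filter for the request that opens the tunnel. Squid sees
# "CONNECT nfuse.example.com:443 HTTP/1.1", so matching the request URI
# works for the host-name form; pass the gateway IP to catch the IP form.
connect_filter() {          # usage: connect_filter nfuse.example.com
    printf 'http.request.method == "CONNECT" && http.request.uri contains "%s"' "$1"
}

# Stage 1: capture everything to/from the proxy port. Start this *before*
# the client connects so the TLS handshake is in the file.
capture_proxy_traffic() {   # usage: capture_proxy_traffic out.pcap
    tshark -i "$IFACE" -f "tcp port $PROXY_PORT" -w "$1"
}

# Stage 2: list tcp.stream number, client IP and target of every CONNECT
# that names the gateway. -d forces HTTP decoding on the proxy port in case
# it is not in Wireshark's default HTTP port list.
list_connect_streams() {    # usage: list_connect_streams in.pcap nfuse.example.com
    tshark -r "$1" -d "tcp.port==${PROXY_PORT},http" \
        -Y "$(connect_filter "$2")" \
        -T fields -e tcp.stream -e ip.src -e http.request.uri
}

# Turn stage-2 output (tab-separated, one line per CONNECT) into a display
# filter selecting those streams, deduplicated, in first-seen order.
stream_set() {              # reads stage-2 lines on stdin
    awk -F"$(printf '\t')" \
        '!seen[$1]++ { s = s (s == "" ? "" : " ") $1 }
         END        { printf "tcp.stream in {%s}", s }'
}

# Stage 3: write only those complete sessions (CONNECT, the 200 reply, the
# TLS handshake and application data) to a new pcap for analysis.
extract_sessions() {        # usage: extract_sessions in.pcap out.pcap nfuse.example.com
    set_filter="$(list_connect_streams "$1" "$3" | stream_set)"
    tshark -r "$1" -Y "$set_filter" -w "$2"
}

# Constructed sample of stage-2 output (made-up stream numbers and
# addresses, not captured data) to exercise stream_set offline.
sample_fields() {
    printf '3\t10.0.0.5\tnfuse.example.com:443\n'
    printf '7\t10.0.0.9\tnfuse.example.com:443\n'
    printf '3\t10.0.0.5\tnfuse.example.com:443\n'
}
```

Run `capture_proxy_traffic proxy.pcap` on the proxy host or a mirror port, let it run until the sessions of interest have happened, then `extract_sessions proxy.pcap nfuse.pcap nfuse.example.com`; repeat the extraction with the gateway IP to catch clients that connect by address. Offline, `sample_fields | stream_set` yields `tcp.stream in {3 7}`.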

