Wireshark-users: Re: [Wireshark-users] Capture/Filter Squid Session

From: David Alanis <canito@xxxxxxxx>
Date: Sat, 10 Jul 2010 20:28:47 -0500
Quoting Patrick Preuss <patrick.preuss@xxxxxxxxxxxxxx>:

  Hello David,

What I want to do is the following:

client -- internal network -- squid proxy -- external network -- citrix
nfuse server

The client initiates an https session to a nfuse gateway over the squid proxy
and I want to capture only those sessions. I don't know when they occur
or which clients
are involved.

So I want to capture all sessions which do something like a http.uri
"connect nfuse.example.com" or "connect ip.address.of.nfuse.gateway" or
something like this,
as long as the client initiates a session over the proxy to this name or IP
address.
Is this possible, and if so, what would the command line for tshark be?

Hope this makes the situation a little bit clearer.

Cheers
Patrick
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe


So Patrick, this is pretty straightforward. Prior to running this on the actual network you want to narrow down the IP/host names which you want to filter. I would get some captures from any client, preferably on a network with low traffic, and filter the results by typing dns in your filter.

Doing so you can quickly see which hosts it's talking to and thus consider which host(s) to focus on. If you cannot run this on the proxy server but can tap into the network, you will need to run a capture and make sure the hardware supports promiscuous mode.

To decrypt the SSL traffic Wireshark will need to be able to see the whole SSL handshake and in order to capture the whole ssl negotiation, make sure you start your capture *before* you start to communicate with the server. When you use a browser, make sure you close it, then start the capture, then start the browser and open the URL.

If anyone else can chime in and provide help with the commands needed for tshark decrypting SSL that would be great.

http://wiki.wireshark.org/SSL

On the bottom of the list are external links to docs that will guide you to decrypting SSL traffic if this is your ultimate goal.

David
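Patrick's question turned into concrete tshark commands, as an added example that is not part of either message in this thread. It assumes (these are not from the thread) that Squid listens on TCP 3128, that the gateway name is nfuse.example.com, and that the capture interface is eth0. The live capture keeps all proxy traffic with a capture filter, and the CONNECT requests to the gateway are picked out afterwards with a display filter; the last function reads tshark field output and lists which clients reached the gateway, which answers the "I don't know which clients are involved" part.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions (labelled):
# Squid proxy on TCP 3128, gateway nfuse.example.com, interface eth0.

PROXY_PORT=3128
GATEWAY=nfuse.example.com

# Step 1: live capture on the proxy (or on a tap in promiscuous mode).
# -f is a BPF capture filter; it keeps only proxy traffic so the file
# stays small and still contains the complete TLS handshake of every
# session, which matters if decryption is the later goal.
capture_proxy_traffic() {
    iface="$1"; outfile="$2"
    tshark -i "$iface" -f "tcp port $PROXY_PORT" -w "$outfile"
}

# Step 2: read the file back and keep only CONNECT requests whose
# request URI names the gateway (for CONNECT the URI is host:port).
# -Y is the display filter on current releases; old releases use -R.
# The Wireshark HTTP dissector already decodes port 3128 as HTTP.
list_gateway_connects() {
    pcap="$1"
    tshark -r "$pcap" \
        -Y "http.request.method == \"CONNECT\" && http.request.uri contains \"$GATEWAY\"" \
        -T fields -e ip.src -e http.request.method -e http.request.uri
}

# Step 3: reduce tab-separated field output (ip.src, method, uri) to the
# distinct client addresses that opened a CONNECT to the gateway. Reads
# stdin so it can be run on constructed lines without tshark installed.
clients_reaching_gateway() {
    gw="$1"
    awk -F '\t' -v gw="$gw" '
        $2 == "CONNECT" { split($3, h, ":"); if (h[1] == gw) seen[$1] = 1 }
        END { for (c in seen) print c }' | sort
}

# Constructed sample in the same field layout (not a real capture).
sample_fields() {
    printf '10.0.0.5\tCONNECT\tnfuse.example.com:443\n'
    printf '10.0.0.7\tGET\t/index.html\n'
    printf '10.0.0.9\tCONNECT\tnfuse.example.com:443\n'
    printf '10.0.0.5\tCONNECT\tnfuse.example.com:443\n'
    printf '10.0.0.11\tCONNECT\tmail.example.com:443\n'
}

# Stand-alone demonstration on the constructed sample:
sample_fields | clients_reaching_gateway "$GATEWAY"
```

The capture and the display filter are kept as two steps on purpose: tshark refuses a display filter while it is writing a live capture to a file, and a CONNECT filter on its own would also discard the TLS handshake that follows the CONNECT in the same TCP connection. Once a matching CONNECT is found, `tcp.stream eq N` (with N from the matching packet) pulls the whole session out of the file for the decryption step David describes.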
