On 16 August 2010 13:08, Martin Visser <martinvisser99@xxxxxxxxx> wrote:
> Using hostnames in the capture filter will only work if your capturing PC
> has DNS connectivity and/or an entry in a hosts file.
> When you said it "does NOT do the job", is it not capturing anything, or
> capturing everything, or something else? Unfortunately it is difficult to
> provide an answer without knowing what output you are seeing.
> (If your proxy is a regular web proxy then your web traffic will almost
> definitely have this address as the source or destination - this is the main
> function of the web proxy, to shield your client from the actual web
> servers).
> Regards, Martin
>
> MartinVisser99@xxxxxxxxx
>
> On Mon, Aug 16, 2010 at 11:40 AM, Greg Hauptmann
> <greg.hauptmann.ruby@xxxxxxxxx> wrote:
>>
>> still stuck on this :(
>>
>> I've found that using for a capture filter "tcp and host <<PC IP
>> ADDRESS>> and host proxy.mycompany.com", whilst it is a valid filter,
>> does NOT do the job I require.
>>
>> It seems to be the case the actual traffic flow will reflect an IP
>> address that has a host name of one of the assigned proxy servers by
>> the main DNS server (e.g. proxy4.domainx.mycompany.com) and hence I'm
>> guessing due to this the filter does not work.
>>
>> Any other ideas/suggestions here?
>>
>> I'm kind of stuck for the moment. Again the challenge is how to
>> capture traffic only bound through the proxy servers, but for which
>> you don't really know which proxy server that DNS is going to allocate
>> to you based on the main DNS proxy name (proxy.mycompany.com).
>>
>>
>> On 15 August 2010 21:09, Greg Hauptmann <greg.hauptmann.ruby@xxxxxxxxx>
>> wrote:
>> > in fact would a capture filter of "host proxy.mycompany.com and host
>> > <my local host ip>" be enough to solve this? i.e. would wireshark
>> > then, irrespective of the actual proxy server my request gets assigned
>> > to (noting there are several nominated under the one DNS name for
>> > resiliency), just double check that the IP address for this proxy
>> > server resolves to "proxy.mycompany.com" and then if it does put it in
>> > scope?
>> >
>> >
>> > On 13 August 2010 15:08, Greg Hauptmann <greg.hauptmann.ruby@xxxxxxxxx>
>> > wrote:
>> >> Hi,
>> >>
>> >> Can anyone advise how I could set up a filter that covered off only
>> >> traffic that is
>> >>
>> >> (a) going in/out through the company internet proxy [e.g.
>> >> proxy.mycompany.com] - note here I want to be able to put the DNS name
>> >> for the proxy here [as there can be a number of different IPs that
>> >> DNS may issue back to give you your specific proxy server to use]
>> >>
>> >> (b) to/from my PC that is running wireshark?
>> >>
>> >>
>> >> thanks
>> >>
>> >
>> >
>> >
>> > --
>> > Greg
>> >
>> > http://blog.gregnet.org/
>> >
>>
>>
>>
>> --
>> Greg
>>
>> http://blog.gregnet.org/
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives: http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>>
>> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
>
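
An added example, not part of the original thread: libpcap resolves a hostname in a capture filter once, when the filter is compiled, so one way to cover every proxy behind a single DNS name is to collect the addresses over several lookups and write them into the filter explicitly. The function names and the sample addresses below are assumptions made for illustration.

```python
import ipaddress
import socket


def resolve_all(name, rounds=5, resolver=socket.getaddrinfo):
    """Union of the addresses seen over several lookups of `name`.

    Round-robin DNS may return a different subset on each query, so a
    single lookup can miss the proxy that is actually assigned later.
    """
    found = set()
    for _ in range(rounds):
        for info in resolver(name, None, proto=socket.IPPROTO_TCP):
            host = info[4][0].split("%")[0]  # drop any IPv6 scope id
            found.add(ipaddress.ip_address(host))
    return found


def build_filter(pc_ip, proxy_addrs):
    """Capture filter: TCP between this PC and any known proxy address."""
    pc = ipaddress.ip_address(pc_ip)  # rejects anything that is not an IP
    proxies = sorted({ipaddress.ip_address(str(a)) for a in proxy_addrs},
                     key=lambda a: (a.version, int(a)))
    if not proxies:
        raise ValueError("no proxy addresses resolved; refusing to build "
                         "a filter that would match nothing")
    alternatives = " or ".join(f"host {a}" for a in proxies)
    return f"tcp and host {pc} and ({alternatives})"


if __name__ == "__main__":
    # Constructed sample values; in real use call
    # resolve_all("proxy.mycompany.com") on the capturing PC instead.
    sample = ["10.1.1.4", "10.1.1.2", "10.1.1.3", "10.1.1.2"]
    print(build_filter("192.0.2.10", sample))
```

The resulting string can be pasted into Wireshark's capture filter field or passed to `tshark -f`; it needs regenerating if the set of proxy addresses changes.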