Wireshark-users: Re: [Wireshark-users] how can I filter on traffic that is (a) going in/out throu

From: Kevin Cullimore <kcullimo@xxxxxxxxxx>
Date: Mon, 16 Aug 2010 08:41:44 -0400
On 8/16/2010 7:21 AM, Greg Hauptmann wrote:
@Martin - I guess it's becoming a bit of a challenge as I've tried to
solve it, i.e. a way to just have to specify the normal proxy hostname
that one normally does in the browser settings, and have that be
enough to capture on. Is it actually not possible using a Wireshark
capture filter then?  (seems like it may not be).   Would it be
possible in fact on review of the packets captured to identify which
traffic relates back to use of an internet proxy that was handed out
by DNS versus any other internal traffic that is going on?   I mean,
if you didn't know what the alias names were for the proxy servers
(i.e. you didn't that know that proxy3.zzz.aaa.mycompany.com was a
proxy server) would there be a way using the packet content of this
packet to tell for sure whether it is proxy traffic or not?

@Kevin - probably would work I guess, however I was looking for a way
to filter that didn't require each of the proxy server names (i.e.
just wanted to use the main one that is used to configure browsers,
and have it be dynamic)

The "normal proxy hostname that one normally does in the browser" is generally used to inflict end-user PCs with javascript that specifies the destination host address for browser traffic of varying types. Most organizations I've worked with generally separate the "normal proxy hostname" script-serving functionality from the actual proxy functionality. Within this scenario, you'd need to identify a filter that can capture the hostname or address returned via the pac file (or whatever format they're using these days) and initiate a capture using *THAT* address (as well as the originating host's address & relevant browser/protocol ports, if greater specificity is required). It's far from clear that such automatizational functionality is to be found within the confines of tcpdump/capture syntax, though I'd welcome any evidence to the contrary.
On 16 August 2010 21:18, Kevin Cullimore<kcullimo@xxxxxxxxxx>  wrote:
On 8/16/2010 2:01 AM, Greg Hauptmann wrote:
Hi Martin/all

I've done a little more testing with Wireshark and what I'm seeing is
as following.

ASSUMPTIONS
=========

First in terms of some assumptions for the sake of this example:

   nslookup proxy.mycompany.com
   Name:    proxy.xxx..yyy.mycompany.com
   Address:  10.10.1.10
   Aliases:  proxy.mycompany.com

   nslookup 10.1.1.10
   Name:    proxy3.zzz.aaa.mycompany.com
   Address:  10.10.1.10

WIRESHARK RESULTS FOR GIVEN CAPTURE FILTER
================================

a) "host proxy.mycompany.com" =>    Does not pickup the browser traffic I
created that transits the proxy.  Again my goal is to find a way to
filter on this.

b) "host proxy3.zzz.aaa.mycompany.com" =>    Does pick up the traffic BUT
of course I've had to manually type in the actual proxy server.   I
tested with the same browser straight after putting in the capture
filter so the proxy I was handed back obviously didn't change in that
small time (i.e. at other time I would be handed off to
proxy5.zzz.aaa.mycompany.com say for example)


Any ideas on how to get a capture filter working that I don't have to
change, but will filter on any traffic going through any of the proxy
servers that the main DNS server dishes out based on the main
"proxy.mycompany.com" name.

What happens when you conjoin all the aliases with alternation operators?
thanks

On 16 August 2010 13:08, Martin Visser<martinvisser99@xxxxxxxxx>    wrote:

Using hostnames in the capture filter will only work if your capturing PC
has DNS connectivity and/or an entry in an hosts file.
When you said it "does NOT do the job" is not capturing anything or
capturing everything or something else? Unfortunately it is difficult to
provide an answer without knowing what output you are seeing.
(If your proxy is a regular web proxy then your web traffic will almost
definitely this address as the source or destination - this is the main
function of the web proxy, to shield your client from the actual web
servers).
Regards, Martin

MartinVisser99@xxxxxxxxx


On Mon, Aug 16, 2010 at 11:40 AM, Greg Hauptmann
<greg.hauptmann.ruby@xxxxxxxxx>    wrote:

still stuck on this :(

I've found that using for a capture filter "tcp and host<<PC IP
ADDRESS>>    and host proxy.mycompany.com", whilst is a valid filter,
does NOT do the job I require.

It seems to be the case the actual traffic flow will reflect an IP
address that has a host name of one of the assigned proxy servers by
the main DNS server (e.g. proxy4.domainx.mycompany.com) and hence I'm
guessing due to this the filter does not work.

Any other ideas/suggestions here?

I'm kind of stuck for the moment. Again the challenge is how to
capture traffic only bound through the proxy servers, but for which
you don't really know which proxy server that DNS is going to allocate
to you based on the main DNS proxy name (proxy.mycompany.com).


On 15 August 2010 21:09, Greg Hauptmann<greg.hauptmann.ruby@xxxxxxxxx>
wrote:

in fact would a capture filter of "host proxy.mycompany.com and host
<my local host ip>" be enough to solve this?  i.e. would wireshark
then, irrespective of the actual proxy server my request gets assigned
to (noting there are several nominated under the one DNS name for
resiliency), just double check that the IP address for this proxy
server resolves to "proxy.mycompany.com" and then if it does put it in
scope?


On 13 August 2010 15:08, Greg Hauptmann<greg.hauptmann.ruby@xxxxxxxxx>
wrote:

Hi,

Can anyone advise how I could set up a filter that covered off only
traffic that is

(a) going in/out through the company internet proxy [e.g.
proxy.mycompany.com] - note here I want to be able to put the DNS name
for the proxy here [as there can be a number of different IP's that
DNS may issue back to give you your specific proxy server to use]

(b) to/from my PC that is running wireshark?


thanks



--
Greg
http://blog.gregnet.org/



--
Greg
http://blog.gregnet.org/

___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users

mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe




___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe