Wireshark-users: Re: [Wireshark-users] how can I filter on traffic that is (a) going in/out throu

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 16 Aug 2010 16:44:00 -0700
On Aug 16, 2010, at 4:11 PM, Greg Hauptmann wrote:

> Hi Martin - I guess it's more turned out to be a challenge question
> for me.  In fact the generalised questions probably are:
> 
> a) Is it possible on a PC within a company network, to be able to
> identify traffic that is internet bound, without any additional
> information (e.g. proxy name)?   [perhaps the answer to this question
> is no]

If "traffic that is internet-bound" includes traffic that is, for example, fetching a Web page from a server that's on the Internet (i.e., not on your company intranet), even though your browser is sending the request to a local proxy server on your company intranet with the expectation that the proxy server will cough up a cached copy of the page if it has one or fetch the page and feed it to your machine if it doesn't have one, then, if you want to identify it using *only* the source and destination IP addresses and ports of the packet, without knowing what IP addresses correspond to the proxy, the answer is, indeed, "no" - the packets containing the requests to that proxy will be TCP packets sent to an IP address on your company intranet, not to an IP address on the Internet.

> b) Same question as above, but this time assume you know the main DNS
> name for the company proxy server.  So with this knowledge is it
> possible in this case to be able to identify traffic that is internet
> bound?  [which is what I've been asking about re logistics, but the
> generalized question is whether it's possible at all]

If you know the IP address(es) of the proxy server(s), and the ports for which it's doing proxying (e.g., 80, and possibly other ports, for HTTP), then it should be possible to identify that traffic using the source and destination addresses and ports - traffic to one of those IP addresses and one of the ports for which it's doing proxying is presumably ultimately "internet-bound" (even if the traffic in question doesn't result in any Internet traffic, e.g. because the proxy is a caching proxy and you get a cache hit).

As one of your questions was about a capture filter, the "source and destination IP addresses and ports" is relevant, as that's about all you can easily check with a capture filter.

Whether you can get from the host name of the proxy to a list of one or more IP addresses for the proxy is another matter, as per

> I've found that using for a capture filter "tcp and host <<PC IP
> ADDRESS>> and host proxy.mycompany.com", whilst it is a valid filter,
> does NOT do the job I require.
> 
> It seems to be the case that the actual traffic flow will reflect an IP
> address that has a host name of one of the assigned proxy servers by
> the main DNS server (e.g. proxy4.domainx.mycompany.com) and hence I'm
> guessing due to this the filter does not work.

If, for example, a query for proxy.mycompany.com returns more than one IP address, libpcap/WinPcap will only return the first of those IP addresses, so "host proxy.mycompany.com" will be equivalent to "host <first IP address for proxy.mycompany.com>".  In theory, libpcap/WinPcap could check for all IP addresses in that case (the filter language supports an "or" operation, and the BPF machine language can implement that), but that would take some work to implement.

If the query returns only one IP address, but if there's more than one proxy and multiple queries can return different IP addresses, libpcap/WinPcap can't compensate for that.

If you can determine the set of IP addresses for all the proxies, you could do the "or"ing by yourself, e.g.

	(host <proxy 1 ip> or host <proxy 2 ip> or ...) and host <my local host ip>
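An added example of doing that "or"-ing from a shell, not part of the message above: it resolves every address the proxy name has and assembles the capture filter, restricted to the proxying port the thread mentions. The proxy name, the local address, the port and the availability of `dig` are assumptions.

```shell
#!/bin/sh
# Build a libpcap capture filter covering every IP address of a proxy
# (added example; names and addresses below are assumed, not real).

# build_proxy_filter LOCAL_IP PROXY_PORT PROXY_IP...
#   prints: tcp and (host A or host B ...) and host LOCAL_IP and port PROXY_PORT
build_proxy_filter() {
    local_ip=$1
    proxy_port=$2
    shift 2
    if [ $# -eq 0 ]; then
        echo "build_proxy_filter: no proxy addresses given" >&2
        return 1
    fi
    expr=""
    for ip in "$@"; do
        if [ -z "$expr" ]; then
            expr="host $ip"
        else
            expr="$expr or host $ip"
        fi
    done
    printf 'tcp and (%s) and host %s and port %s\n' "$expr" "$local_ip" "$proxy_port"
}

# resolve_all NAME
#   prints every IPv4 address NAME resolves to, one per line (assumes `dig`);
#   this is what libpcap does not do for you: it keeps only the first answer.
resolve_all() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# Usage (assumed interface, addresses and name), run by hand when capturing:
#   sudo tcpdump -i eth0 -w proxy.pcap \
#       "$(build_proxy_filter 10.1.2.3 8080 $(resolve_all proxy.mycompany.com))"
```

If the name resolves differently on each query (several proxies behind one name), run `resolve_all` a few times and merge the results before building the filter.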