Solved

wireshark packet analysis from a bluecoat proxy

Posted on 2011-05-11
1,817 Views
Last Modified: 2012-05-11
I have done a packet capture from my Bluecoat, isolating the results from one IP. It logged and saved to a CAP file. I downloaded and installed Wireshark to view this file and see a lot of detail.

There are lines that are highlighted black, gray, blue and pink. Oh yes, and some red lines. I cannot figure out what to do here.

Basically I need to prove that this Bluecoat proxy is or is not stopping HTTPS files from being served to Internet Explorer.
Question by:stowyo
4 Comments
LVL 11

Accepted Solution

by:
pmasotta earned 1336 total points
ID: 35744006
Just follow the HTTPS client request and the corresponding server answers...
You can set a filter by protocol that will make things easier to read...

LVL 1

Author Comment

by:stowyo
ID: 35746052
So what is up with the different line colors? I am not sure what I am doing here and not sure what the error or successful pass of the packets would look like. Guess I am about to learn...
LVL 11

Assisted Solution

by:pmasotta
pmasotta earned 1336 total points
ID: 35746455
The colors identify the different protocols, and sometimes some error conditions.
The first thing you have to do is to know how your particular protocol works...
But in a client-server environment it's very simple, and all of them look somehow similar:
the client performs a request to the server, which you can see on Wireshark's screen, and the server will provide an answer back that you'll also see on Wireshark's screen.

You can identify the conversation by protocol and by source and destination IP; this way you identify if it is the server talking to the client or the other way around... Wireshark provides even more help depicting protocol nuances, making our job easier.

In your case you can see, downstream of your Bluecoat, if there is any HTTPS traffic coming from the Bluecoat and going to some client. If that traffic is not visible, the Bluecoat is either not receiving any external HTTPS traffic or it is blocking it.
LVL 2

Assisted Solution

by:Ellush
Ellush earned 664 total points
ID: 35747422
Colors are there to help you distinguish visually between different protocols.
You should use the Filter field to minimize the amount of data to review.
https.png shows traffic filtered using tcp.port==443.
You can see more details if you right-click one of the packets and choose "Follow TCP Stream", as in the attached PNG file.
A PDF file with the most used options, including HTTP and HTTPS filters, is attached.

Attachments: Wireshark-Display-Filters.pdf, https.png, follow-tcp-stream.png
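The check both answers describe (filter on tcp.port==443, then see whether a server answer ever comes back to the client) can be automated instead of read by eye. The script below is an added example, not code from the thread or from Blue Coat; it reads a classic pcap with only the Python standard library, keeps port-443 packets, and records per client/server pair whether a TLS ClientHello was followed by a ServerHello. The proxy and client addresses and the embedded capture are constructed for the demonstration.

```python
import struct
from collections import defaultdict

def parse_pcap(data):
    """Yield (src, dst, sport, dport, payload) per IPv4/TCP frame of a little-endian classic pcap."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "unsupported pcap magic"
    off = 24                                          # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                  # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue                                  # not TCP
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]
def https_handshakes(data):
    """tcp.port==443, then TLS handshake records (0x16): type 1/2 = Client/ServerHello."""
    seen = defaultdict(set)                           # (client, server) -> hello types
    for src, dst, sport, dport, pl in parse_pcap(data):
        if 443 not in (sport, dport) or len(pl) < 6 or pl[0] != 0x16:
            continue
        if pl[5] == 1:
            seen[(src, dst)].add("ClientHello")
        elif pl[5] == 2:
            seen[(dst, src)].add("ServerHello")       # server replies, so swap
    return dict(seen)
def verdict(data):
    """Per client that sent a ClientHello: did a ServerHello ever come back?"""
    return {c: "served" if "ServerHello" in s else "no ServerHello"
            for (c, _), s in https_handshakes(data).items()}
def _frame(src, dst, sport, dport, payload):
    """Build one pcap record holding an Ethernet/IPv4/TCP frame (checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

PROXY, CLIENT_A, CLIENT_B = "10.0.0.1", "192.168.1.10", "192.168.1.11"   # constructed addresses
CLIENT_HELLO, SERVER_HELLO = (b"\x16\x03\x01\x00\x05" + t + b"\x00" * 4 for t in (b"\x01", b"\x02"))
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # constructed capture
               + _frame(CLIENT_A, PROXY, 50000, 443, CLIENT_HELLO)
               + _frame(PROXY, CLIENT_A, 443, 50000, SERVER_HELLO)          # A is served
               + _frame(CLIENT_B, PROXY, 50001, 443, CLIENT_HELLO)          # B never gets a reply
               + _frame(CLIENT_B, PROXY, 50002, 80, b"GET / HTTP/1.1\r\n"))  # dropped by the filter
```

Running `verdict(open("capture.cap", "rb").read())` on the exported CAP file lists each client that attempted HTTPS through the proxy and whether a ServerHello ever reached it; a client stuck at "no ServerHello" is the case to chase in Wireshark with Follow TCP Stream.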
