wireshark packet analysis from a bluecoat proxy

I have done a packet capture from my Bluecoat isolating the results from one IP. It logged and saved to a CAP file. I downloaded and installed Wireshark to view this file and see a lot of detail.

There are lines that are highlighted black, gray, blue and pink. Oh yes, and some red lines. I cannot figure out what to do here.

Basically I need to prove that this Bluecoat proxy is or is not stopping HTTPS files from being served to Internet Explorer.
stowyo (Americas Regional IT Manager) asked:

pmasotta commented:
just follow the https client request and the corresponding server answers...
you can set a filter by protocol that will make things easier to read...


stowyo (Americas Regional IT Manager, author) commented:
So what is up with the different line colors. I am not sure what I am doing here and not sure what the error or successful pass of the packets would look like. Guess I am about to learn...

pmasotta commented:
the colors identify the different protocols, and sometimes some error conditions.
the first thing you have to do is to know how your particular protocol works...
but in a client-server environment it's very simple and all of them look somehow similar:
the client performs a request to the server that you can see on wireshark's screen and the server will provide an answer back that you'll also see on wireshark's screen..

You can identify the conversation by protocol and by source and destination IP; this way you identify if it is the server talking to the client or the other way around... Wireshark provides even more help depicting protocol nuances, making our job easier.

in your case you can see downstream of your Bluecoat if there is any HTTPS traffic coming from the Bluecoat and going to some client; if that traffic is not visible the Bluecoat is either not receiving any external HTTPS traffic or it is blocking it...

Ellush commented:
colors are there to help you distinguish visually between different protocols
You should use the Filter field to minimize the amount of data to review.
https.png shows traffic filtered using tcp.port==443
you can see more details if you right-click one of the packets and choose "follow tcp stream"
as in the attached png file.
A PDF file with the most used options, including HTTP and HTTPS filters, is attached.

Attachments:
Wireshark-Display-Filters.pdf
https.png
follow-tcp-stream.png
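As an added example (not from this thread, and not Wireshark or Bluecoat code), the same check pmasotta and Ellush describe done programmatically: read the saved capture, pick out every TCP connection to port 443 from the client IP, and report whether the server answered the SYN and how many payload bytes it sent back. It assumes a classic libpcap file (not pcapng) with Ethernet frames; the sample capture, IPs and ports are constructed for the demonstration.

```python
import struct
from collections import defaultdict
TCP, SYN, ACK = 6, 0x02, 0x10

def tcp_packets(pcap_bytes):
    # Yield (src, dst, sport, dport, flags, payload_len) for every IPv4/TCP frame in a classic pcap.
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    assert struct.unpack(endian + "I", pcap_bytes[20:24])[0] == 1, "Ethernet captures only"
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        f, off = pcap_bytes[off + 16:off + 16 + incl], off + 16 + incl
        if len(f) < 54 or f[12:14] != b"\x08\x00" or f[23] != TCP:
            continue  # not IPv4/TCP (ARP, UDP, ...): irrelevant to an HTTPS check
        ihl, total = (f[14] & 0x0F) * 4, struct.unpack("!H", f[16:18])[0]
        src, dst = (".".join(map(str, f[i:i + 4])) for i in (26, 30))
        t = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", t[:4])
        yield src, dst, sport, dport, t[13], total - ihl - (t[12] >> 4) * 4

def https_status(pcap_bytes, client_ip):
    # Per HTTPS attempt (server, client port): was the SYN answered, and how many payload bytes came back?
    flows = defaultdict(lambda: {"synack": False, "served": 0})
    for src, dst, sport, dport, flags, plen in tcp_packets(pcap_bytes):
        if src == client_ip and dport == 443:
            flows[(dst, sport)]          # client -> server: register the attempt
        elif dst == client_ip and sport == 443:
            fl = flows[(src, dport)]     # server -> client: note the answer
            fl["synack"] |= bool(flags & SYN and flags & ACK)
            fl["served"] += plen
    return {k: "blocked or unanswered" if not v["synack"] else
               "handshake only" if v["served"] == 0 else f"{v['served']} bytes served"
            for k, v in flows.items()}

# Constructed sample capture (not a real Bluecoat capture): Ethernet + minimal IPv4 + TCP, checksums zero.
def frame(src, dst, sport, dport, flags, payload=b""):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap(frames):  # little-endian pcap global header, LINKTYPE_ETHERNET (1)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = pcap([
    frame("10.0.0.5", "203.0.113.10", 50001, 443, SYN),                              # answered, data served
    frame("203.0.113.10", "10.0.0.5", 443, 50001, SYN | ACK),
    frame("203.0.113.10", "10.0.0.5", 443, 50001, ACK, b"\x16\x03\x01" + bytes(5)),  # TLS record bytes
    frame("10.0.0.5", "203.0.113.20", 50002, 443, SYN),                              # SYN never answered
])
```

Run it against the real file with `https_status(open("capture.cap", "rb").read(), "<client ip>")`; a client whose every attempt comes back "blocked or unanswered" is not being served HTTPS through the proxy, while "bytes served" entries show the proxy passing it.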