wireshark packet analysis from a bluecoat proxy

Posted on 2011-05-11
Last Modified: 2012-05-11
I have done a packet capture from my Bluecoat isolating the results from one IP.  It logged and saved to a CAP file.  I downloaded and installed Wireshark to view this file and see a lot of detail.

There are lines that are highlighted black, gray, blue and pink. Oh yes, and some red lines.  I cannot figure out what to do here.

Basically I need to prove that this Bluecoat proxy is or is not stopping HTTPS files from being served to Internet Explorer.
Question by:stowyo
    LVL 11

    Accepted Solution

    just follow the https client request and the corresponding server answers...
    you can set a filter by protocol that will make things easier to read...

    LVL 1

    Author Comment

    So what is up with the different line colors.  I am not sure what I am doing here and not sure what the error or successful pass of the packets would look like.  Guess I am about to learn...
    LVL 11

    Assisted Solution

    the colors identify the different protocols, and sometimes some error conditions.
    the first thing you have to do is to know how your particular protocol works...
    but in a client-server environment it's very simple and all of them look somehow similar:
    the client performs a request to the server that you can see on wireshark's screen and the server will provide an answer back that you'll also see on wireshark's screen...

    You can identify the conversation by protocol and by source and destination IP, this way you identify if it is the server talking to the client or the other way around... wireshark provides even more help depicting protocol nuances making our job easier.

    in your case you can see downstream of your bluecoat if there is any https traffic coming from the bluecoat and going to some client, if that traffic is not visible the bluecoat is either not receiving any external https traffic or it is blocking it.....
    LVL 2

    Assisted Solution

    colors are there to help you distinguish visually between different protocols
    You should use the Filter field to minimize the amount of data to review.
    https.png shows traffic filtered using tcp.port==443
    you can see more details if you right-click one of the packets and choose "follow tcp stream"
    as in the attached png file.
    pdf file with the most used options including http and https filters is attached
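    The two answers above describe the same manual workflow: filter on tcp.port==443, follow each TCP stream, and look at whether the server side ever answers the client's request. The following is an added example, not code from the original thread or from the Bluecoat product, that does that workflow in pure Python over a constructed capture so the "what does a blocked versus a served HTTPS session look like" question has a concrete answer: a served session shows a ServerHello coming back after the ClientHello, a blocked one shows the ClientHello followed by a RST (or nothing). The IP addresses, ports and the Packet tuple layout are assumptions for the example; a real capture would be loaded with a pcap reader (for instance scapy's rdpcap) and mapped onto the same (src, sport, dst, dport, flags, payload) fields.

```python
"""Added example: filter tcp.port==443, follow each TCP stream, and decide
per stream whether the HTTPS handshake was answered. Not from the original
post; all addresses and packets below are constructed."""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags payload")

CLIENT = "10.0.0.5"           # hypothetical IE workstation (constructed)
WEB_OK = "93.184.216.34"      # hypothetical site that answers (constructed)
WEB_BLOCKED = "203.0.113.10"  # hypothetical site that gets reset (constructed)


def tls_record(handshake_type, body=b"\x03\x03" + b"\x00" * 32):
    """Build a minimal TLS handshake record: 5-byte record header
    (type 0x16, version 3.x, length) then a 4-byte handshake header."""
    hs = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed capture of "one IP" on the client side: one HTTPS session that
# completes, one reset right after the ClientHello, one plain HTTP request.
SAMPLE_CAPTURE = [
    Packet(CLIENT, 49152, WEB_OK, 443, "S", b""),
    Packet(WEB_OK, 443, CLIENT, 49152, "SA", b""),
    Packet(CLIENT, 49152, WEB_OK, 443, "A", b""),
    Packet(CLIENT, 49152, WEB_OK, 443, "PA", tls_record(0x01)),  # ClientHello
    Packet(WEB_OK, 443, CLIENT, 49152, "PA", tls_record(0x02)),  # ServerHello
    Packet(CLIENT, 49153, WEB_BLOCKED, 443, "S", b""),
    Packet(WEB_BLOCKED, 443, CLIENT, 49153, "SA", b""),
    Packet(CLIENT, 49153, WEB_BLOCKED, 443, "A", b""),
    Packet(CLIENT, 49153, WEB_BLOCKED, 443, "PA", tls_record(0x01)),
    Packet(WEB_BLOCKED, 443, CLIENT, 49153, "R", b""),  # RST, no ServerHello
    Packet(CLIENT, 49154, "10.0.0.1", 80, "PA", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]


def port_filter(packets, port=443):
    """Same selection as the Wireshark display filter tcp.port==443."""
    return [p for p in packets if port in (p.sport, p.dport)]


def stream_key(p):
    """Direction-independent conversation key, like Wireshark's tcp.stream."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def follow_streams(packets):
    """Group packets by conversation in capture order ("Follow TCP Stream")."""
    streams = defaultdict(list)
    for p in packets:
        streams[stream_key(p)].append(p)
    return streams


def tls_handshake_types(payload):
    """Handshake message types in a payload of TLS records (0x01 ClientHello,
    0x02 ServerHello). Stops at the first non-handshake or truncated record."""
    types, i = [], 0
    while i + 5 <= len(payload):
        ctype, major = payload[i], payload[i + 1]
        length = int.from_bytes(payload[i + 3:i + 5], "big")
        body = payload[i + 5:i + 5 + length]
        if ctype != 0x16 or major != 0x03 or len(body) < 4:
            break
        types.append(body[0])
        i += 5 + length
    return types


def classify_stream(pkts):
    """Did the client's ClientHello get a ServerHello back from the server side?"""
    a, b = (pkts[0].src, pkts[0].sport), (pkts[0].dst, pkts[0].dport)
    client = b if a[1] == 443 and b[1] != 443 else a  # the side not on 443
    client_hello = server_hello = server_reset = False
    for p in pkts:
        from_client = (p.src, p.sport) == client
        hs = tls_handshake_types(p.payload)
        if from_client and 0x01 in hs:
            client_hello = True
        elif not from_client and 0x02 in hs:
            server_hello = True
        elif not from_client and "R" in p.flags:
            server_reset = True
    if server_hello:
        return "served: ServerHello received"
    if client_hello and server_reset:
        return "blocked: RST after ClientHello, no ServerHello"
    if client_hello:
        return "blocked: ClientHello never answered"
    return "no TLS handshake in stream"


def report(packets):
    """Filter to port 443, follow each stream, return {stream: verdict}."""
    out = {}
    for key, pkts in follow_streams(port_filter(packets)).items():
        (ip1, p1), (ip2, p2) = key
        out[f"{ip1}:{p1} <-> {ip2}:{p2}"] = classify_stream(pkts)
    return out


if __name__ == "__main__":
    for stream, verdict in report(SAMPLE_CAPTURE).items():
        print(f"{stream:42} {verdict}")
```

    In Wireshark the same check is done by hand: apply tcp.port==443, right-click a packet and choose "Follow TCP Stream", then look for the red (client) ClientHello being followed by a blue (server) ServerHello. If the stream ends in a RST or simply stops after the ClientHello, whatever sits between the client and the Internet, here the Bluecoat, is not letting the HTTPS session through. Note that this distinguishes "no answer" from "answered"; it cannot tell you why the proxy reset the session, which you would read from the proxy's own access log.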

