We help IT Professionals succeed at work.

Wireshark and Web Proxy settings

neil4933 used Ask the Experts™

In our organisation, we have an HTTP proxy for web traffic: proxy.mycompany.com that operates on port 8080.

Without the proxy set in IE, I ran a Wireshark whilst attempting to browse to www.google.com - CAPTURE_A

I then set the proxy, and ran a Wireshark trace whilst attempting to browse to www.google.com - CAPTURE_B

Capture_A I can see:

i. Server queries DNS for proxy.mycompany.com
ii. All traffic related to www.google.com is then via the web proxy

For Capture_B

i. Server queries DNS for www.google.com
ii. Server then attempts to make a connection directly to www.google.com
iii. I can see three SYN packets to google., but no responses

Does this sound about right?

I had some questions:

i. When searching for any traffic related to www.google.com, is it possible to enter a display filter for any packets with the word "google" in the INFO section?

ii. It's a bit ardous to filter for DNS traffic first, grab the packet number, and then remove the filter so I can see all traffic around that time, is it not possible to try and see the conversation related to google ONLY?

iii. I used a display filter of HTTP, but this doesn't capture the SYN packets as they are TCP, how would i be able to do this?

I'm new to Wireshark so any comments would be welcome :)
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
I think you can filter based on a word in text but I don't use that often enough to know it off the top of my head and I am not at my desk where I may have documented the steps to do that. I searched through the wireshark user guide or help screens to find it.

If you filter on the IP of the google server you are hitting that should get you the packets from the conversation you want. There is also a "follow this TCP session" feature you can use to see what is going on for a particular flow.

The issue with looking at the SYNs and DNS you have to assume that if you are getting to the point of HTTP the SYN and DNS had to work first. If not then you'll have to track back to that point before to debug it.
Top Expert 2014
Could be that your firewall is configured only to allow web traffic to/from the proxy server.

Once you have done the capture you can use the following as a display filter:

     frame contains 'google'

This will only show frames that contain the text "google', I believe this is case sensitive.

You can limit what traffic in one of two ways.  Either a capture filter or a display filter.  Display filters are easier, unless you have a ton of traffic that you don't want to see.  Once you have done the capture you can put the following in the display filter box:

     ip.addr eq x.x.x.x

where x.x.x.x is the IP address of the host you want to watch.  For a capture filter you can code "ip host www.google.com" and only packets to/from the IP address wireshark resolves for that host will be captured.  Of course if you are going to a proxy, neither of these will work since the traffic is not to/from Google, but to/from your proyx.
mccarlIT Business Systems Analyst / Software Developer
Top Expert 2015

Does this sound about right?
Yes, EXCEPT it sounds like you may have just written the above the wrong way around?? Can you confirm that you have described Capture A & B correctly above?

What the other experts have said regarding capture vs display filters is quite valid, however I have only ever really used capture filters, so that is where my experience lies. For this particular case (and I quite often do similar captures at work as we have a similar setup), I would use a capture filter or tcp port 80 or tcp port 8080 to get either direct to internet traffic OR proxy traffic all in one capture!


Thanks- yes, sorry, CaptureA and B are the wrong way around :)

So here is a question - with the web proxy configured in IE, I ran a WS trace whilst browsing to www.google.com

The only packets I see are, as I'd expect, to the proxy  device and back (with the HTTP filter on).

If I had lots of HTTP traffic going on with this server, how could i isolate the traffic to www.google.com to see if there was a problem with it? How would i know which packets were related to the www.google.com activity?
Top Expert 2014

You would have to the the capture either from the proxy server or by mirroring the switch port it uses to get to the Internet.

You would would need to know every IP address that google uses for www.google.com and then setup a capture filter for those.

Where I live I get back the following addresses for www.google.com.

So the capture filter would be something like:

(host or host 173.75.103 or host or host 173.75.105 or host and (port 80)

I added the port 80 because you really don't care about HTTPS, its encrypted and you so you can see anything anyway.


So there is no way to check this using the Wireshark capture taken from the server itself?
Top Expert 2014

Which server?  The proxy server?  Yes, re-read the 1st sentence of my last post.

If you mean some other server, I need to know which other server.