Solved

Wireshark and Web Proxy settings

Posted on 2012-12-29
7
5,688 Views
Last Modified: 2013-01-27
Hi

In our organisation, we have an HTTP proxy for web traffic: proxy.mycompany.com that operates on port 8080.

Without the proxy set in IE, I ran a Wireshark trace whilst attempting to browse to www.google.com - CAPTURE_A

I then set the proxy, and ran a Wireshark trace whilst attempting to browse to www.google.com - CAPTURE_B

Capture_A I can see:

i. Server queries DNS for proxy.mycompany.com
ii. All traffic related to www.google.com is then via the web proxy

For Capture_B

i. Server queries DNS for www.google.com
ii. Server then attempts to make a connection directly to www.google.com
iii. I can see three SYN packets to google, but no responses

Does this sound about right?

I had some questions:

i. When searching for any traffic related to www.google.com, is it possible to enter a display filter for any packets with the word "google" in the INFO section?

ii. It's a bit arduous to filter for DNS traffic first, grab the packet number, and then remove the filter so I can see all traffic around that time. Is it not possible to try and see the conversation related to google ONLY?

iii. I used a display filter of HTTP, but this doesn't capture the SYN packets as they are TCP. How would I be able to do this?

I'm new to Wireshark so any comments would be welcome :)
0
Comment
Question by:neil4933
7 Comments
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 38729328
I think you can filter based on a word in text but I don't use that often enough to know it off the top of my head and I am not at my desk where I may have documented the steps to do that. I searched through the wireshark user guide or help screens to find it.

If you filter on the IP of the google server you are hitting that should get you the packets from the conversation you want. There is also a "follow this TCP session" feature you can use to see what is going on for a particular flow.

The issue with looking at the SYNs and DNS is that you have to assume that if you are getting to the point of HTTP, the SYN and DNS had to work first. If not, then you'll have to track back to that point to debug it.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 38731027
Could be that your firewall is configured only to allow web traffic to/from the proxy server.

Once you have done the capture you can use the following as a display filter:

     frame contains "google"

This will only show frames that contain the text "google". I believe this is case sensitive.

You can limit what traffic you see in one of two ways.  Either a capture filter or a display filter.  Display filters are easier, unless you have a ton of traffic that you don't want to see.  Once you have done the capture you can put the following in the display filter box:

     ip.addr eq x.x.x.x

where x.x.x.x is the IP address of the host you want to watch.  For a capture filter you can code "ip host www.google.com" and only packets to/from the IP address Wireshark resolves for that host will be captured.  Of course if you are going to a proxy, neither of these will work since the traffic is not to/from Google, but to/from your proxy.
0
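To make the filter semantics in this answer and in the original question concrete, here is an added example (editor's code, not Wireshark's filter engine and not code from the thread). It models four display filters over two constructed captures that mirror the asker's two scenarios: the 10.0.0.x hosts are made up, 173.194.75.104 is one address from giltjr's later post, and each toy frame records only the fields the filters look at.

```python
# Added example: a toy model of the display filters discussed in the thread,
# evaluated over two constructed captures. Editor's code, not Wireshark's
# filter engine; the 10.0.0.x hosts are made up and 173.194.75.104 is one
# address from giltjr's later post in this thread.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Frame:
    no: int
    src: str          # IPv4 source address
    dst: str          # IPv4 destination address
    transport: str    # "UDP" or "TCP"
    proto: str        # highest layer Wireshark would list: DNS, TCP or HTTP
    sport: int
    dport: int
    raw: bytes        # the bytes that `frame contains` searches
    info: str         # what the Info column would show


def dns_frame(no: int, src: str, dst: str, name: str, info: str) -> Frame:
    # DNS writes each label with a length byte in place of the dot, so the wire
    # bytes contain "google" but never the literal string "www.google.com".
    wire = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return Frame(no, src, dst, "UDP", "DNS", 51234, 53, wire, info)


def tcp_frame(no: int, src: str, dst: str, sport: int, dport: int, info: str) -> Frame:
    # Handshake segment: no payload, so nothing for `frame contains` to match.
    return Frame(no, src, dst, "TCP", "TCP", sport, dport, b"", info)


def http_frame(no: int, src: str, dst: str, sport: int, dport: int, text: str) -> Frame:
    return Frame(no, src, dst, "TCP", "HTTP", sport, dport, text.encode(), text.splitlines()[0])


CLIENT, DNS_SERVER, PROXY = "10.0.0.5", "10.0.0.2", "10.0.0.10"   # constructed
GOOGLE_IP = "173.194.75.104"                                        # from giltjr's list

# Constructed capture, no proxy in IE: DNS lookup of google, then three unanswered SYNs.
CAPTURE_DIRECT = [
    dns_frame(1, CLIENT, DNS_SERVER, "www.google.com", "Standard query A www.google.com"),
    dns_frame(2, DNS_SERVER, CLIENT, "www.google.com", "Standard query response A " + GOOGLE_IP),
    tcp_frame(3, CLIENT, GOOGLE_IP, 49152, 80, "49152 > 80 [SYN]"),
    tcp_frame(4, CLIENT, GOOGLE_IP, 49152, 80, "[TCP Retransmission] 49152 > 80 [SYN]"),
    tcp_frame(5, CLIENT, GOOGLE_IP, 49152, 80, "[TCP Retransmission] 49152 > 80 [SYN]"),
]

# Constructed capture, proxy set in IE: DNS lookup of the proxy, handshake to :8080, request.
CAPTURE_PROXY = [
    dns_frame(1, CLIENT, DNS_SERVER, "proxy.mycompany.com", "Standard query A proxy.mycompany.com"),
    dns_frame(2, DNS_SERVER, CLIENT, "proxy.mycompany.com", "Standard query response A " + PROXY),
    tcp_frame(3, CLIENT, PROXY, 49153, 8080, "49153 > 8080 [SYN]"),
    tcp_frame(4, PROXY, CLIENT, 8080, 49153, "8080 > 49153 [SYN, ACK]"),
    tcp_frame(5, CLIENT, PROXY, 49153, 8080, "49153 > 8080 [ACK]"),
    http_frame(6, CLIENT, PROXY, 49153, 8080,
               "GET http://www.google.com/ HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    http_frame(7, PROXY, CLIENT, 8080, 49153, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]


def frame_contains(capture: List[Frame], needle: str) -> List[int]:
    """`frame contains "needle"`: case-sensitive byte search over the whole frame."""
    n = needle.encode()
    return [f.no for f in capture if n in f.raw]


def ip_addr_eq(capture: List[Frame], addr: str) -> List[int]:
    """`ip.addr eq x.x.x.x`: matches the address as source or destination."""
    return [f.no for f in capture if addr in (f.src, f.dst)]


def protocol(capture: List[Frame], name: str) -> List[int]:
    """A bare protocol name such as `http`: only frames that carry that layer."""
    return [f.no for f in capture if f.proto == name.upper()]


def tcp_port(capture: List[Frame], port: int) -> List[int]:
    """`tcp.port == N`: keeps the handshake segments an `http` filter drops."""
    return [f.no for f in capture if f.transport == "TCP" and port in (f.sport, f.dport)]


if __name__ == "__main__":
    for label, cap in (("direct", CAPTURE_DIRECT), ("proxy", CAPTURE_PROXY)):
        print(label, 'frame contains "google":', frame_contains(cap, "google"))
        print(label, "ip.addr eq google:", ip_addr_eq(cap, GOOGLE_IP))
        print(label, "http:", protocol(cap, "http"), "tcp.port 80/8080:",
              tcp_port(cap, 80), tcp_port(cap, 8080))
```

Two things the model brings out that the answer only hints at: `frame contains "google"` finds the DNS query and the proxied GET (the Host header carries the name) but `frame contains "www.google.com"` misses the DNS packets because the dots are not on the wire, and `ip.addr eq <google IP>` returns nothing at all in the proxied capture, which is exactly the caveat in the last sentence above.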
 
LVL 35

Expert Comment

by:mccarl
ID: 38735353
Does this sound about right?
Yes, EXCEPT it sounds like you may have just written the above the wrong way around?? Can you confirm that you have described Capture A & B correctly above?

What the other experts have said regarding capture vs display filters is quite valid, however I have only ever really used capture filters, so that is where my experience lies. For this particular case (and I quite often do similar captures at work as we have a similar setup), I would use a capture filter of "tcp port 80 or tcp port 8080" to get either direct-to-internet traffic OR proxy traffic all in one capture!
0

 

Author Comment

by:neil4933
ID: 38747785
Thanks- yes, sorry, CaptureA and B are the wrong way around :)

So here is a question - with the web proxy configured in IE, I ran a WS trace whilst browsing to www.google.com

The only packets I see are, as I'd expect, to the proxy device and back (with the HTTP filter on).

If I had lots of HTTP traffic going on with this server, how could I isolate the traffic to www.google.com to see if there was a problem with it? How would I know which packets were related to the www.google.com activity?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38748406
You would have to take the capture either from the proxy server or by mirroring the switch port it uses to get to the Internet.

You would need to know every IP address that Google uses for www.google.com and then set up a capture filter for those.

Where I live I get back the following addresses for www.google.com.

          173.194.75.147
          173.194.75.105
          173.194.75.104
          173.194.75.99
          173.194.75.103
          173.194.75.106

So the capture filter would be something like:

     (host 173.194.75.147 or host 173.194.75.105 or host 173.194.75.104 or host 173.194.75.99 or host 173.194.75.103 or host 173.194.75.106) and (port 80)

I added port 80 because you really don't care about HTTPS; it's encrypted and so you can't see anything anyway.
0
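Because a filter of this shape is easy to mistype by hand, here is an added example (editor's code, not from the thread) that builds the libpcap capture filter from a list of addresses and validates each one first, so a malformed address raises an error instead of producing a filter that silently matches nothing. The six addresses are the ones giltjr listed; the `resolve_ipv4` helper is an assumption about how you would refresh that list and needs network access, so the stand-alone run uses the fixed list.

```python
# Added example (editor's code, not from the thread): build the BPF capture
# filter giltjr describes from a list of addresses, validating each one so a
# mistyped octet is caught before the filter silently matches nothing.
import ipaddress
import socket
from typing import Iterable, List

# The six addresses giltjr got back for www.google.com at the time of the thread.
GOOGLE_ADDRS = [
    "173.194.75.147", "173.194.75.105", "173.194.75.104",
    "173.194.75.99", "173.194.75.103", "173.194.75.106",
]


def resolve_ipv4(hostname: str) -> List[str]:
    """Every IPv4 address the local resolver returns for hostname (needs network).
    Large sites rotate addresses, so resolve again right before capturing."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def build_capture_filter(addresses: Iterable[str], port: int = 80) -> str:
    """Return "(host a or host b ...) and (port N)" in libpcap/BPF syntax.

    Raises ValueError on an empty list, a bad port, or a malformed address
    (ipaddress.AddressValueError is a ValueError subclass). Duplicates are
    dropped so a repeated resolver answer does not bloat the filter.
    """
    hosts = []
    seen = set()
    for text in addresses:
        addr = ipaddress.IPv4Address(text)   # rejects "173.75.103" (three octets)
        if addr not in seen:
            seen.add(addr)
            hosts.append(f"host {addr}")
    if not hosts:
        raise ValueError("no addresses to filter on")
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    return f"({' or '.join(hosts)}) and (port {port})"


if __name__ == "__main__":
    # Offline run with the listed addresses; swap in resolve_ipv4("www.google.com")
    # when you have network access and want the current set.
    print(build_capture_filter(GOOGLE_ADDRS, 80))
```

The generated string goes straight into Wireshark's capture filter box (or `tcpdump -i <iface> '<filter>'`); when the host you care about rotates addresses, rerun the resolver and rebuild the filter rather than editing the string by hand.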
 

Author Comment

by:neil4933
ID: 38756543
So there is no way to check this using the Wireshark capture taken from the server itself?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38756577
Which server?  The proxy server?  Yes, re-read the 1st sentence of my last post.

If you mean some other server, I need to know which other server.
0
