Solved

Wireshark and Web Proxy settings

Posted on 2012-12-29
6,733 Views
Last Modified: 2013-01-27
Hi

In our organisation, we have an HTTP proxy for web traffic: proxy.mycompany.com that operates on port 8080.

Without the proxy set in IE, I ran a Wireshark whilst attempting to browse to www.google.com - CAPTURE_A

I then set the proxy, and ran a Wireshark trace whilst attempting to browse to www.google.com - CAPTURE_B

Capture_A I can see:

i. Server queries DNS for proxy.mycompany.com
ii. All traffic related to www.google.com is then via the web proxy

For Capture_B

i. Server queries DNS for www.google.com
ii. Server then attempts to make a connection directly to www.google.com
iii. I can see three SYN packets to google, but no responses

Does this sound about right?

I had some questions:

i. When searching for any traffic related to www.google.com, is it possible to enter a display filter for any packets with the word "google" in the INFO section?

ii. It's a bit arduous to filter for DNS traffic first, grab the packet number, and then remove the filter so I can see all traffic around that time. Is it not possible to try and see the conversation related to google ONLY?

iii. I used a display filter of HTTP, but this doesn't capture the SYN packets as they are TCP. How would I be able to do this?

I'm new to Wireshark so any comments would be welcome :)
Question by:neil4933
7 Comments
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 38729328
I think you can filter based on a word in text, but I don't use that often enough to know it off the top of my head, and I am not at my desk where I may have documented the steps to do that. I searched through the Wireshark user guide or help screens to find it.

If you filter on the IP of the google server you are hitting that should get you the packets from the conversation you want. There is also a "follow this TCP session" feature you can use to see what is going on for a particular flow.

The issue with looking at the SYNs and DNS is that you have to assume that if you are getting to the point of HTTP, the SYN and DNS had to work first. If not, then you'll have to track back to that point to debug it.
 
LVL 57

Accepted Solution

by:
giltjr earned 2000 total points
ID: 38731027
Could be that your firewall is configured only to allow web traffic to/from the proxy server.

Once you have done the capture you can use the following as a display filter:

     frame contains 'google'

This will only show frames that contain the text "google"; I believe this is case sensitive.

You can limit what traffic you see in one of two ways: either a capture filter or a display filter. Display filters are easier, unless you have a ton of traffic that you don't want to see. Once you have done the capture you can put the following in the display filter box:

     ip.addr eq x.x.x.x

where x.x.x.x is the IP address of the host you want to watch. For a capture filter you can code "ip host www.google.com" and only packets to/from the IP address Wireshark resolves for that host will be captured. Of course, if you are going to a proxy, neither of these will work since the traffic is not to/from Google, but to/from your proxy.
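To make concrete what the two display filters above (and the SYN question from the original post) actually match, here is an added example that is not part of the thread: a toy filter engine over constructed Ethernet/IPv4 frames. The hosts 10.0.0.5, 10.0.0.2 and 10.0.0.10, the ports, and every packet are made up; 173.194.75.104 is one of the addresses quoted later in the thread. Note that Wireshark writes string literals in double quotes (frame contains "google"), and that "frame contains" is a byte-level search: a DNS query carries "www.google.com" as length-prefixed labels with no dots, so the full hostname does not match a DNS frame even though "google" does.

```python
"""Toy display-filter engine over constructed frames (added example, not code
from the thread). It re-implements three Wireshark display filters over raw
frame bytes to show what each actually matches:
  frame contains "google"                substring over the raw frame bytes
  ip.addr eq x.x.x.x                     IPv4 source or destination
  tcp.flags.syn==1 && tcp.flags.ack==0   bare SYNs that a plain "http" filter hides
Every address, port and packet below is made up for the example."""
import socket
import struct

ETH_IPV4, IP_UDP, IP_TCP = 0x0800, 17, 6
SYN, SYN_ACK, ACK, PSH_ACK = 0x02, 0x12, 0x10, 0x18
CLIENT, DNS_SERVER, PROXY = "10.0.0.5", "10.0.0.2", "10.0.0.10"  # assumed hosts
GOOGLE = "173.194.75.104"  # one of the addresses quoted later in the thread

# --- constructing frames (no checksums; nothing is ever sent) ---------------
def _ipv4(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + payload  # dummy MACs

def dns_query(src, dst, name):
    """A-record query; the name goes on the wire as length-prefixed labels, no dots."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return _ipv4(src, dst, IP_UDP, struct.pack("!HHHH", 49152, 53, 8 + len(dns), 0) + dns)

def tcp_seg(src, dst, sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return _ipv4(src, dst, IP_TCP, tcp + payload)

def read_pcap(data):
    """Frames from a classic little-endian libpcap file (tcpdump/tshark -w output)."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off, frames = 24, []
    while off < len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        frames.append(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames

# --- the filters ------------------------------------------------------------
def decode(frame):
    """Ethernet/IPv4(/TCP) fields the filters need, or None if not IPv4."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    p = {"proto": frame[23], "src": socket.inet_ntoa(frame[26:30]),
         "dst": socket.inet_ntoa(frame[30:34])}
    if p["proto"] == IP_TCP:
        l4 = frame[14 + ihl:]
        p["sport"], p["dport"] = struct.unpack_from("!HH", l4)
        p["flags"] = l4[13]
    return p

def frame_contains(frame, text, case_sensitive=True):
    """frame contains "text": byte-level search; Wireshark's regex form takes (?i)."""
    needle, hay = text.encode(), frame
    if not case_sensitive:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

def ip_addr_eq(frame, addr):
    p = decode(frame)
    return p is not None and addr in (p["src"], p["dst"])

def is_bare_syn(frame):
    p = decode(frame)
    return p is not None and p["proto"] == IP_TCP and (p["flags"] & 0x12) == SYN

def unanswered_syns(frames):
    """SYN count per 4-tuple that never got a SYN/ACK back ('three SYNs, no response')."""
    syns, acked = {}, set()
    for p in (decode(f) for f in frames):
        if p is None or p["proto"] != IP_TCP:
            continue
        if (p["flags"] & 0x12) == SYN:
            key = (p["src"], p["dst"], p["sport"], p["dport"])
            syns[key] = syns.get(key, 0) + 1
        elif (p["flags"] & 0x12) == SYN_ACK:
            acked.add((p["dst"], p["src"], p["dport"], p["sport"]))
    return {k: n for k, n in syns.items() if k not in acked}

def matches(frames, pred):
    """0-based indexes of frames passing the filter, like a display filter."""
    return [i for i, f in enumerate(frames) if pred(f)]

def sample_capture():
    """Constructed capture: the direct attempt that fails, then the proxied one."""
    req = b"GET http://www.google.com/ HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
    return [
        dns_query(CLIENT, DNS_SERVER, "www.google.com"),     # 0
        tcp_seg(CLIENT, GOOGLE, 50001, 80, SYN),             # 1  three SYNs to
        tcp_seg(CLIENT, GOOGLE, 50001, 80, SYN),             # 2  Google, nothing
        tcp_seg(CLIENT, GOOGLE, 50001, 80, SYN),             # 3  comes back
        tcp_seg(CLIENT, PROXY, 50002, 8080, SYN),            # 4  via the proxy the
        tcp_seg(PROXY, CLIENT, 8080, 50002, SYN_ACK),        # 5  handshake completes
        tcp_seg(CLIENT, PROXY, 50002, 8080, ACK),            # 6  and only the HTTP
        tcp_seg(CLIENT, PROXY, 50002, 8080, PSH_ACK, req),   # 7  request names google
    ]
```

Running the filters over sample_capture() shows why the "http" display filter hid the SYNs in the question: frames 1 to 4 are bare SYNs with no HTTP payload, and unanswered_syns() reports the three to 173.194.75.104 as never acknowledged while the proxied handshake completes. It also shows the proxy case: with a proxy configured, the only frame that still mentions google is the HTTP request to the proxy (frame 7), so ip.addr on Google's address finds nothing and a content or host-based filter is what isolates that traffic. A real capture saved with tcpdump or tshark -w can be fed through read_pcap() to the same functions.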
 
LVL 36

Expert Comment

by:mccarl
ID: 38735353
Does this sound about right?
Yes, EXCEPT it sounds like you may have just written the above the wrong way around?? Can you confirm that you have described Capture A & B correctly above?

What the other experts have said regarding capture vs display filters is quite valid; however, I have only ever really used capture filters, so that is where my experience lies. For this particular case (and I quite often do similar captures at work as we have a similar setup), I would use a capture filter of "tcp port 80 or tcp port 8080" to get either direct-to-internet traffic OR proxy traffic all in one capture!
 

Author Comment

by:neil4933
ID: 38747785
Thanks- yes, sorry, CaptureA and B are the wrong way around :)

So here is a question - with the web proxy configured in IE, I ran a WS trace whilst browsing to www.google.com

The only packets I see are, as I'd expect, to the proxy device and back (with the HTTP filter on).

If I had lots of HTTP traffic going on with this server, how could I isolate the traffic to www.google.com to see if there was a problem with it? How would I know which packets were related to the www.google.com activity?
 
LVL 57

Expert Comment

by:giltjr
ID: 38748406
You would have to do the capture either from the proxy server or by mirroring the switch port it uses to get to the Internet.

You would need to know every IP address that Google uses for www.google.com and then set up a capture filter for those.

Where I live I get back the following addresses for www.google.com.

          173.194.75.147
          173.194.75.105
          173.194.75.104
          173.194.75.99
          173.194.75.103
          173.194.75.106

So the capture filter would be something like:

(host 173.194.75.147 or host 173.194.75.105 or host 173.194.75.104 or host 173.194.75.99 or host 173.194.75.103 or host 173.194.75.106) and (port 80)

I added the port 80 because you really don't care about HTTPS; it's encrypted so you can't see anything anyway.
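A hand-typed list of addresses like the one above is easy to get wrong (a dropped octet silently narrows the capture to the hosts that were typed correctly), so here is an added helper, not part of the thread, that builds the same tcpdump/Wireshark capture-filter expression from a validated address list. The six addresses are the ones quoted in the comment above; resolve_ipv4() is a hypothetical helper that needs network access and is only there to refresh the list in your own environment, since Google's answers change often.

```python
"""Build a BPF capture filter for a host's upstream addresses (added example,
not the thread's own code). Each address is validated so a typo such as
"173.75.103" raises instead of quietly dropping a host from the capture."""
import ipaddress
import socket

# The six A records quoted in the thread for www.google.com (constructed input
# for the example; substitute what your own resolver returns).
GOOGLE_ADDRS = ["173.194.75.147", "173.194.75.105", "173.194.75.104",
                "173.194.75.99", "173.194.75.103", "173.194.75.106"]

def resolve_ipv4(host):
    """Current IPv4 answers for host (hypothetical helper; needs the network)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})

def bpf_for_hosts(addrs, ports=(80,)):
    """'(host A or host B ...) and (port 80 ...)' in tcpdump/Wireshark capture-filter
    syntax. Addresses are parsed, de-duplicated and sorted; bad ones raise ValueError."""
    clean = sorted({ipaddress.IPv4Address(a) for a in addrs})
    if not clean:
        raise ValueError("no addresses to filter on")
    hosts = " or ".join(f"host {a}" for a in clean)
    portf = " or ".join(f"port {p}" for p in ports)
    return f"({hosts}) and ({portf})"
```

Pass the result as the last argument to tcpdump (for example tcpdump -i eth0 -w google.pcap "$(...)") or paste it into Wireshark's capture-filter box; ports=(80, 8080) produces the combined direct-or-proxy filter suggested earlier in the thread. Remember that this only works where the traffic really is addressed to Google, i.e. on the proxy or on a mirror of its upstream port, not on a client behind the proxy.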
 

Author Comment

by:neil4933
ID: 38756543
So there is no way to check this using the Wireshark capture taken from the server itself?
 
LVL 57

Expert Comment

by:giltjr
ID: 38756577
Which server?  The proxy server?  Yes, re-read the 1st sentence of my last post.

If you mean some other server, I need to know which other server.
