Solved

Wireshark and Web Proxy settings

Posted on 2012-12-29
5,063 Views
Last Modified: 2013-01-27
Hi

In our organisation, we have an HTTP proxy for web traffic: proxy.mycompany.com that operates on port 8080.

Without the proxy set in IE, I ran a Wireshark whilst attempting to browse to www.google.com - CAPTURE_A

I then set the proxy, and ran a Wireshark trace whilst attempting to browse to www.google.com - CAPTURE_B

Capture_A I can see:

i. Server queries DNS for proxy.mycompany.com
ii. All traffic related to www.google.com is then via the web proxy

For Capture_B

i. Server queries DNS for www.google.com
ii. Server then attempts to make a connection directly to www.google.com
iii. I can see three SYN packets to google, but no responses

Does this sound about right?

I had some questions:

i. When searching for any traffic related to www.google.com, is it possible to enter a display filter for any packets with the word "google" in the INFO section?

ii. It's a bit arduous to filter for DNS traffic first, grab the packet number, and then remove the filter so I can see all traffic around that time. Is it not possible to see the conversation related to google ONLY?

iii. I used a display filter of HTTP, but this doesn't capture the SYN packets as they are TCP; how would I be able to do this?

I'm new to Wireshark so any comments would be welcome :)
Question by:neil4933
7 Comments
 
LVL 21

Expert Comment

by:Rick_O_Shay
I think you can filter based on a word in text but I don't use that often enough to know it off the top of my head and I am not at my desk where I may have documented the steps to do that. I searched through the wireshark user guide or help screens to find it.

If you filter on the IP of the google server you are hitting that should get you the packets from the conversation you want. There is also a "follow this TCP session" feature you can use to see what is going on for a particular flow.

The issue with looking at the SYNs and DNS is that you have to assume that if you are getting to the point of HTTP, the SYN and DNS had to work first. If not, then you'll have to track back to that point to debug it.
 
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
Could be that your firewall is configured only to allow web traffic to/from the proxy server.

Once you have done the capture you can use the following as a display filter:

     frame contains 'google'

This will only show frames that contain the text "google"; I believe this is case sensitive.

You can limit what traffic you see in one of two ways: either a capture filter or a display filter.  Display filters are easier, unless you have a ton of traffic that you don't want to see.  Once you have done the capture you can put the following in the display filter box:

     ip.addr eq x.x.x.x

where x.x.x.x is the IP address of the host you want to watch.  For a capture filter you can code "ip host www.google.com" and only packets to/from the IP address Wireshark resolves for that host will be captured.  Of course if you are going to a proxy, neither of these will work since the traffic is not to/from Google, but to/from your proxy.
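The three filters in this answer (frame contains, ip.addr eq, and following a TCP stream) modelled offline, as an added example that is not code from the thread. The packet records are constructed by hand in the shape that tshark -T fields would print for the two captures in the question; the 10.0.0.x addresses are assumptions, the Google address is one posted later in this thread, and http.host is a real Wireshark field that the answer does not mention. It goes a step beyond the answer: once traffic goes via the proxy, selecting the stream by http.host and then filtering on tcp.stream pulls in the SYN/SYN-ACK frames that a plain http display filter hides (question iii), and the last function picks out the "SYNs with no response" pattern from the question.

```python
"""Offline model of the Wireshark display filters discussed in this answer.

Added example, not code from the thread. The packet records are constructed
by hand in the shape that
  tshark -r capture.pcap -T fields -e frame.number -e ip.src -e ip.dst \
         -e tcp.stream -e tcp.flags.syn -e http.host -e _ws.col.Info
would print; the 10.0.0.x addresses are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PROXY = "10.0.0.8"          # assumed address of proxy.mycompany.com
CLIENT = "10.0.0.50"        # assumed address of the workstation
DNS = "10.0.0.2"            # assumed internal resolver
GOOGLE = "173.194.75.104"   # one of the www.google.com addresses posted in this thread


@dataclass(frozen=True)
class Packet:
    number: int            # frame.number
    src: str               # ip.src
    dst: str               # ip.dst
    stream: Optional[int]  # tcp.stream (None for non-TCP frames)
    syn: bool              # tcp.flags.syn
    http_host: str         # http.host (empty when there is no HTTP layer)
    info: str              # Info column text


# Constructed capture. Frames 1-7: proxy set in IE, Google fetched through
# proxy port 8080 (tcp.stream 0). Frames 8-12: proxy not set, DNS for Google
# then three SYNs straight to Google on port 80 with no reply (tcp.stream 1).
CAPTURE: List[Packet] = [
    Packet(1, CLIENT, DNS, None, False, "", "Standard query A proxy.mycompany.com"),
    Packet(2, DNS, CLIENT, None, False, "", "Standard query response A proxy.mycompany.com A 10.0.0.8"),
    Packet(3, CLIENT, PROXY, 0, True, "", "49152 > 8080 [SYN]"),
    Packet(4, PROXY, CLIENT, 0, True, "", "8080 > 49152 [SYN, ACK]"),
    Packet(5, CLIENT, PROXY, 0, False, "", "49152 > 8080 [ACK]"),
    Packet(6, CLIENT, PROXY, 0, False, "www.google.com", "GET http://www.google.com/ HTTP/1.1"),
    Packet(7, PROXY, CLIENT, 0, False, "", "HTTP/1.1 200 OK  (text/html)"),
    Packet(8, CLIENT, DNS, None, False, "", "Standard query A www.google.com"),
    Packet(9, DNS, CLIENT, None, False, "", "Standard query response A www.google.com A 173.194.75.104"),
    Packet(10, CLIENT, GOOGLE, 1, True, "", "49153 > 80 [SYN]"),
    Packet(11, CLIENT, GOOGLE, 1, True, "", "[TCP Retransmission] 49153 > 80 [SYN]"),
    Packet(12, CLIENT, GOOGLE, 1, True, "", "[TCP Retransmission] 49153 > 80 [SYN]"),
]


def frame_contains(pkts: List[Packet], needle: str) -> List[int]:
    """frame contains "needle": a case-sensitive substring test over the whole
    frame. Here the Info text plus http.host stand in for the frame bytes."""
    return [p.number for p in pkts if needle in p.info or needle in p.http_host]


def ip_addr_eq(pkts: List[Packet], addr: str) -> List[int]:
    """ip.addr eq addr: matches the address as source or destination."""
    return [p.number for p in pkts if addr in (p.src, p.dst)]


def streams_for_host(pkts: List[Packet], host_fragment: str) -> Set[int]:
    """Step 1 of 'follow the TCP stream': the tcp.stream index of every request
    whose http.host contains host_fragment. Via a proxy, the request line and
    Host header are the only place the Google name appears on the wire."""
    return {p.stream for p in pkts if p.stream is not None and host_fragment in p.http_host}


def follow_streams(pkts: List[Packet], streams: Set[int]) -> List[int]:
    """Step 2: every frame of those streams, handshake included. This is what
    'tcp.stream eq N' (or Follow > TCP Stream) shows, and it keeps the SYN and
    SYN-ACK frames that a plain 'http' display filter drops."""
    return [p.number for p in pkts if p.stream in streams]


def stream_display_filter(streams: Set[int]) -> str:
    """Text to paste into the display-filter box for the selected streams."""
    return " or ".join(f"tcp.stream eq {s}" for s in sorted(streams))


def unanswered_syn_streams(pkts: List[Packet]) -> List[int]:
    """Streams made up only of SYNs from one side: the 'three SYNs, no
    response' pattern from the question, i.e. a blocked or unroutable path."""
    by_stream: Dict[int, List[Packet]] = {}
    for p in pkts:
        if p.stream is not None:
            by_stream.setdefault(p.stream, []).append(p)
    return sorted(s for s, frames in by_stream.items()
                  if all(f.syn and f.src == frames[0].src for f in frames))


if __name__ == "__main__":
    google = streams_for_host(CAPTURE, "google")
    print("frame contains 'google' ->", frame_contains(CAPTURE, "google"))
    print("ip.addr eq google       ->", ip_addr_eq(CAPTURE, GOOGLE))
    print("follow google streams   ->", follow_streams(CAPTURE, google))
    print("display filter          ->", stream_display_filter(google))
    print("unanswered SYN streams  ->", unanswered_syn_streams(CAPTURE))
```

Note how the two halves of the capture need different filters: frame contains 'google' finds the proxied request and the DNS frames but never the direct SYNs (no name in them), while ip.addr eq on the resolved address finds the SYNs but nothing proxied. The stream index is what ties the proxied handshake to the request, which is the workflow the original poster asked for in question ii.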
 
LVL 35

Expert Comment

by:mccarl
Does this sound about right?
Yes, EXCEPT it sounds like you may have just written the above the wrong way around?? Can you confirm that you have described Capture A & B correctly above?

What the other experts have said regarding capture vs display filters is quite valid, however I have only ever really used capture filters, so that is where my experience lies. For this particular case (and I quite often do similar captures at work as we have a similar setup), I would use a capture filter of "tcp port 80 or tcp port 8080" to get either direct to internet traffic OR proxy traffic all in one capture!

 

Author Comment

by:neil4933
Thanks- yes, sorry, CaptureA and B are the wrong way around :)

So here is a question - with the web proxy configured in IE, I ran a WS trace whilst browsing to www.google.com

The only packets I see are, as I'd expect, to the proxy device and back (with the HTTP filter on).

If I had lots of HTTP traffic going on with this server, how could I isolate the traffic to www.google.com to see if there was a problem with it? How would I know which packets were related to the www.google.com activity?
 
LVL 57

Expert Comment

by:giltjr
You would have to do the capture either from the proxy server or by mirroring the switch port it uses to get to the Internet.

You would need to know every IP address that google uses for www.google.com and then setup a capture filter for those.

Where I live I get back the following addresses for www.google.com.

          173.194.75.147
          173.194.75.105
          173.194.75.104
          173.194.75.99
          173.194.75.103
          173.194.75.106

So the capture filter would be something like:

(host 173.194.75.147 or host 173.194.75.105 or host 173.194.75.104 or host 173.194.75.99 or host 173.194.75.103 or host 173.194.75.106) and (port 80)

I added the port 80 because you really don't care about HTTPS; it's encrypted so you can't see anything anyway.
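The capture filter from this reply built from the resolved address list instead of typed by hand, as an added example that is not code from the thread. It uses the six addresses posted above and assumes the list comes from a resolver as one address per line (the shape of dig +short output); each entry is validated as an IPv4 address before it goes into the filter, so a dropped octet is rejected rather than producing a filter that does not match the intended hosts. It also emits the matching display filter for a capture already taken, and mccarl's one-capture port filter from the earlier reply.

```python
"""Build the BPF capture filter described in this reply from a resolved
address list.

Added example, not code from the thread. The address list is the one posted
above. Generating the filter from the resolver's output instead of retyping
it avoids the dropped or shifted octets a hand-written filter picks up.
"""
import ipaddress
from typing import Iterable, List, Sequence, Tuple

# www.google.com addresses as posted in this thread (2012). They change
# often and differ by region, so re-resolve before every capture.
GOOGLE_ADDRS = [
    "173.194.75.147", "173.194.75.105", "173.194.75.104",
    "173.194.75.99", "173.194.75.103", "173.194.75.106",
]


def split_valid(entries: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split one-address-per-line input into (valid IPv4 addresses, rejects).
    Blank lines are ignored; anything that is not a complete dotted quad
    (a CNAME line, or '173.75.103' with an octet missing) is returned as a
    reject so the caller can decide what to do with it."""
    good: List[str] = []
    bad: List[str] = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        try:
            good.append(str(ipaddress.IPv4Address(entry)))
        except ValueError:
            bad.append(entry)
    return good, bad


def host_capture_filter(addrs: Iterable[str], ports: Sequence[int] = (80,)) -> str:
    """libpcap capture filter for traffic to/from any listed host on the given
    TCP ports. Raises on malformed entries instead of emitting a filter that
    silently matches the wrong hosts."""
    good, bad = split_valid(addrs)
    if bad:
        raise ValueError(f"malformed address(es): {bad}")
    if not good:
        raise ValueError("no addresses to filter on")
    hosts = " or ".join(f"host {a}" for a in good)
    port_clause = " or ".join(f"tcp port {p}" for p in ports)
    return f"({hosts}) and ({port_clause})"


def host_display_filter(addrs: Iterable[str]) -> str:
    """Equivalent Wireshark display filter for a capture already taken,
    using the 'ip.addr eq' form from the accepted answer."""
    good, bad = split_valid(addrs)
    if bad:
        raise ValueError(f"malformed address(es): {bad}")
    return " or ".join(f"ip.addr eq {a}" for a in good)


def proxy_or_direct_filter(proxy_port: int = 8080) -> str:
    """mccarl's single capture filter: direct web traffic or proxy traffic."""
    return f"tcp port 80 or tcp port {proxy_port}"


if __name__ == "__main__":
    print(host_capture_filter(GOOGLE_ADDRS))
    print(host_display_filter(GOOGLE_ADDRS))
    print(proxy_or_direct_filter())
```

The syntax check only catches entries that are not addresses at all; a well-formed but wrong address such as 173.94.75.106 (one digit dropped from 173.194.75.106) passes it, which is the reason to feed the resolver's output straight into the builder rather than transcribing it. As this reply says, none of this helps on the workstation once the proxy is configured, because every packet is then to or from the proxy address; it applies to a capture taken on the proxy or on a mirror of its Internet-facing port.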
 

Author Comment

by:neil4933
So there is no way to check this using the Wireshark capture taken from the server itself?
 
LVL 57

Expert Comment

by:giltjr
Which server?  The proxy server?  Yes, re-read the 1st sentence of my last post.

If you mean some other server, I need to know which other server.