neil4933 asked:

Wireshark and Web Proxy settings

Hi

In our organisation, we have an HTTP proxy for web traffic: proxy.mycompany.com that operates on port 8080.

Without the proxy set in IE, I ran a Wireshark capture whilst attempting to browse to www.google.com - CAPTURE_A

I then set the proxy, and ran a Wireshark trace whilst attempting to browse to www.google.com - CAPTURE_B

Capture_A I can see:

i. Server queries DNS for proxy.mycompany.com
ii. All traffic related to www.google.com is then via the web proxy

For Capture_B

i. Server queries DNS for www.google.com
ii. Server then attempts to make a connection directly to www.google.com
iii. I can see three SYN packets to google, but no responses

Does this sound about right?

I had some questions:

i. When searching for any traffic related to www.google.com, is it possible to enter a display filter for any packets with the word "google" in the INFO section?

ii. It's a bit arduous to filter for DNS traffic first, grab the packet number, and then remove the filter so I can see all traffic around that time. Is it not possible to try and see the conversation related to google ONLY?

iii. I used a display filter of HTTP, but this doesn't capture the SYN packets as they are TCP. How would I be able to do this?

I'm new to Wireshark so any comments would be welcome :)
Tags: Network Analysis, TCP/IP, Networking

Last Comment: giltjr

8/22/2022 - Mon
Rick_O_Shay

I think you can filter based on a word in text, but I don't use that often enough to know it off the top of my head, and I am not at my desk where I may have documented the steps to do that. I searched through the Wireshark user guide or help screens to find it.

If you filter on the IP of the Google server you are hitting, that should get you the packets from the conversation you want. There is also a "follow this TCP session" feature you can use to see what is going on for a particular flow.

The issue with looking at the SYNs and DNS is that you have to assume that if you are getting to the point of HTTP, the SYN and DNS had to work first. If not, then you'll have to track back to that point before to debug it.
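The display filters that answer the three numbered questions in the post, following the filter-by-address and follow-the-stream approach Rick_O_Shay describes. This is an added example, not code from the thread; the capture file, the stream number and the 173.194.75.x addresses passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Wireshark/tshark display
# filters for the three questions in the post; every address, file name and
# stream number below is an assumption for illustration.

# i. Match "google" anywhere in the raw bytes of a frame. DNS encodes names
#    as length-prefixed labels (\003www\006google\003com), so the whole string
#    "www.google.com" would NOT match a DNS packet; the single label does.
filter_word_anywhere() {
    printf 'frame contains "%s"' "$1"
}

# ii. One site's conversation only: its DNS query, any HTTP request naming it
#     (http.host is also set when the request is sent to a proxy), and every
#     packet to or from the addresses the lookup returned.
filter_conversation() {
    name=$1; shift
    addrs=""
    for a in "$@"; do
        addrs="${addrs:+$addrs || }ip.addr == $a"
    done
    printf 'dns.qry.name contains "%s" || http.host contains "%s"%s' \
        "$name" "$name" "${addrs:+ || $addrs}"
}

# iii. The bare "http" filter hides the handshake because only packets that
#      carry an HTTP layer match it; include the SYNs explicitly.
filter_handshake_and_http() {
    printf 'tcp.port == %s && (tcp.flags.syn == 1 || http)' "$1"
}

# "Three SYNs, no response": Wireshark's TCP analysis flags the 2nd and 3rd
# SYN as retransmissions, so this isolates connection attempts that went nowhere.
filter_unanswered_syns() {
    printf 'tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.analysis.retransmission'
}

# Apply a display filter to a saved capture and print frame number, endpoints
# and the Info column. Usage: show_frames capture.pcapng "$(filter_word_anywhere google)"
show_frames() {
    tshark -r "$1" -Y "$2" -T fields -e frame.number -e ip.src -e ip.dst -e _ws.col.Info
}

# Follow one TCP stream (the number shown as tcp.stream in the packet details)
# instead of hunting for packet numbers by hand. Usage: follow_stream capture.pcapng 3
follow_stream() {
    tshark -r "$1" -q -z "follow,tcp,ascii,$2"
}

# Only touch a capture when one is given on the command line (assumed path).
if [ "$#" -ge 1 ]; then
    show_frames "$1" "$(filter_conversation google 173.194.75.99 173.194.75.103)"
fi
```

In the GUI the same expressions go in the display filter bar, and right-click, Follow, TCP Stream on any packet of the flow does what follow_stream does here. Because a proxied request carries the target in its request line and Host header, http.host contains "google" also picks out the www.google.com requests in a client-side capture taken with the proxy configured, while the ip.addr terms only help when the client talks to Google directly.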
ASKER CERTIFIED SOLUTION
giltjr

mccarl

Does this sound about right?
Yes, EXCEPT it sounds like you may have just written the above the wrong way around? Can you confirm that you have described Capture A & B correctly above?

What the other experts have said regarding capture vs display filters is quite valid; however, I have only ever really used capture filters, so that is where my experience lies. For this particular case (and I quite often do similar captures at work as we have a similar setup), I would use a capture filter of "tcp port 80 or tcp port 8080" to get either direct-to-internet traffic OR proxy traffic all in one capture!
neil4933 (ASKER)
Thanks- yes, sorry, CaptureA and B are the wrong way around :)

So here is a question - with the web proxy configured in IE, I ran a WS trace whilst browsing to www.google.com

The only packets I see are, as I'd expect, to the proxy device and back (with the HTTP filter on).

If I had lots of HTTP traffic going on with this server, how could I isolate the traffic to www.google.com to see if there was a problem with it? How would I know which packets were related to the www.google.com activity?
giltjr

You would have to take the capture either from the proxy server or by mirroring the switch port it uses to get to the Internet.

You would need to know every IP address that google uses for www.google.com and then set up a capture filter for those.

Where I live I get back the following addresses for www.google.com.

          173.194.75.147
          173.194.75.105
          173.194.75.104
          173.194.75.99
          173.194.75.103
          173.194.75.106

So the capture filter would be something like:

(host 173.194.75.99 or host 173.194.75.103 or host 173.194.75.104 or host 173.194.75.105 or host 173.194.75.106 or host 173.194.75.147) and (port 80)

I added the port 80 because you really don't care about HTTPS; it's encrypted, so you can't see anything anyway.
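A script that builds the two capture filters suggested in this thread (mccarl's "tcp port 80 or tcp port 8080" and giltjr's per-address list) from the current DNS answer instead of typing the addresses by hand, which is where the typos in hand-written filters come from. This is an added example, not code from any poster; the interface name, the output file and the use of glibc's getent for resolution are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds BPF capture filters of
# the two shapes discussed above. Interface name, output file and the getent
# resolver are assumptions; the addresses in the usage line are illustrative.

# "tcp port 80 or tcp port 8080": direct and proxied HTTP in one capture.
build_port_filter() {
    f=""
    for p in "$@"; do
        f="${f:+$f or }tcp port $p"
    done
    printf '%s' "$f"
}

# "(host a or host b ...) and tcp port N" from a port and a list of addresses.
# Refuses to emit "() and tcp port N", which the capture engine would reject.
build_capture_filter() {
    port=$1; shift
    hosts=""
    for a in "$@"; do
        hosts="${hosts:+$hosts or }host $a"
    done
    if [ -z "$hosts" ]; then
        echo "build_capture_filter: no addresses given" >&2
        return 1
    fi
    printf '(%s) and tcp port %s' "$hosts" "$port"
}

# Current IPv4 addresses for a name, one per line. getent prints one line per
# socket type, hence sort -u. Needs network access, and the answer set rotates,
# so resolve again each time a capture is started.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Capture on the proxy's Internet-facing interface (e.g. eth1, assumed) using
# whatever the site resolves to right now. Usage: capture_site eth1 www.google.com out.pcapng
capture_site() {
    iface=$1; site=$2; out=$3
    # word-splitting of the resolver output into separate arguments is intended
    # shellcheck disable=SC2046
    filter=$(build_capture_filter 80 $(resolve_v4 "$site")) || return 1
    echo "capture filter: $filter" >&2
    tshark -i "$iface" -f "$filter" -w "$out"
}

# Only start a live capture when an interface and site are given on the command line.
if [ "$#" -ge 2 ]; then
    capture_site "$1" "$2" "${3:-capture.pcapng}"
fi
```

Two caveats a practitioner should keep in mind: the address list is only valid on the segment where the proxy talks to the Internet, since a client-side capture never carries Google's addresses when the proxy is configured; and the resolver on the capturing host may receive a different subset of Google's addresses than the proxy did, so a filter built this way can miss flows. Dropping the host clause and filtering on the proxy's source address plus tcp port 80 is the safer choice when the volume allows it.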
neil4933 (ASKER)
So there is no way to check this using the Wireshark capture taken from the server itself?
giltjr

Which server?  The proxy server?  Yes, re-read the 1st sentence of my last post.

If you mean some other server, I need to know which other server.