Wireshark mailing list archives
Re: Capture/Filter Squid Session
From: David Alanis <canito () dalan us>
Date: Sat, 10 Jul 2010 20:28:47 -0500
Quoting Patrick Preuss <patrick.preuss () googlemail com>:
Hello David,

What I want to do is the following:

client -- internal network -- squid proxy -- external network -- citrix nfuse server

The client initiates an https session to an nfuse gateway over the squid proxy, and I want to capture only those sessions. I don't know when they occur or which clients are involved. So I want to capture all sessions which do something like an http.uri "connect nfuse.example.com" or "connect ip.address.of.nfuse.gateway" or something like this, as long as the client initiates a session over the proxy to this name or IP address. Is this possible, and if so, what would be the command line for tshark?

Hope this makes the situation a little bit clearer.

Cheers
Patrick
So Patrick, this is pretty straightforward. Prior to running this on the actual network, you want to narrow down the IP addresses/host names which you want to filter. I would get some captures from any client, preferably on a network with low traffic, and filter the results by typing dns in your filter. Doing so you can quickly see which hosts it's talking to and thus consider which host(s) to focus on.

If you cannot run this on the proxy server but can tap into the network, you will need to run a capture and make sure the hardware supports promiscuous mode.

To decrypt the SSL traffic, Wireshark will need to be able to see the whole SSL handshake, and in order to capture the whole SSL negotiation, make sure you start your capture *before* you start to communicate with the server. When you use a browser, make sure you close it, then start the capture, then start the browser and open the URL.

If anyone else can chime in and provide help with the commands needed for tshark decrypting SSL, that would be great.

http://wiki.wireshark.org/SSL

At the bottom of the list are external links to docs that will guide you to decrypting SSL traffic, if this is your ultimate goal.

David
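The sessions Patrick describes start with a plaintext HTTP CONNECT request from the client to the Squid proxy; only after the proxy answers does the TLS handshake begin inside the tunnel, and the ClientHello of that handshake normally repeats the target name in its SNI extension. Both fields are visible to a capture on the client side of the proxy without any decryption, which is why a display filter such as `http.request.method == "CONNECT"` picks these sessions out in Wireshark/tshark. The example below is added here for illustration and is not code from the thread or from the Wireshark project: it reads the client-to-proxy byte stream, extracts the CONNECT target and the SNI, and flags sessions aimed at a watched host. The hostnames in `WATCH_HOSTS`, the sample streams, and the `build_client_hello` helper that fabricates a ClientHello as test input are all constructed assumptions.

```python
"""Flag proxy CONNECT sessions to a watched host from raw client->proxy bytes.

Added example; constructed inputs. Not code from the mailing-list thread.
"""
import re
import struct

# Constructed watch list; 192.0.2.10 is a documentation (RFC 5737) address.
WATCH_HOSTS = {"nfuse.example.com", "192.0.2.10"}

# CONNECT host[:port] HTTP/1.x  -- the proxy-visible start of an HTTPS session.
CONNECT_RE = re.compile(rb"^CONNECT\s+([^\s:]+)(?::(\d+))?\s+HTTP/1\.[01]\r\n")


def parse_connect(stream: bytes):
    """Return (host, port, header_len) for a CONNECT request at the start of stream, else None."""
    m = CONNECT_RE.match(stream)
    if not m:
        return None
    end = stream.find(b"\r\n\r\n")
    if end == -1:
        return None  # headers not complete
    host = m.group(1).decode("ascii")
    port = int(m.group(2) or 443)  # CONNECT without a port defaults to 443 in practice
    return host, port, end + 4


def parse_sni(record: bytes):
    """Extract server_name from a TLS ClientHello record (type 0x16, handshake 0x01), or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                   # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_total = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        pos += 4
        if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = int.from_bytes(body[pos + 3:pos + 5], "big")
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


def classify_session(stream: bytes, watch=WATCH_HOSTS):
    """Describe a CONNECT session and say whether either the CONNECT target or the SNI is watched."""
    c = parse_connect(stream)
    if c is None:
        return None  # not a CONNECT session (e.g. a plain GET through the proxy)
    host, port, hdr_len = c
    sni = parse_sni(stream[hdr_len:])  # client bytes after the CONNECT headers: the ClientHello
    watched = any(name in watch for name in (host, sni) if name)
    return {"connect_host": host, "port": port, "sni": sni, "watched": watched}


def build_client_hello(server_name: str) -> bytes:
    """Constructed helper: a minimal TLS ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni_ext = struct.pack(">HH", 0, len(sni_entry) + 2) + struct.pack(">H", len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + b"\x11" * 32            # version, fixed "random"
            + b"\x00"                              # empty session_id
            + b"\x00\x02\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                          # null compression
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed client->proxy streams (the proxy's "200 Connection established" flows the other way).
SAMPLE_STREAMS = {
    "nfuse": b"CONNECT nfuse.example.com:443 HTTP/1.1\r\nHost: nfuse.example.com:443\r\n\r\n"
             + build_client_hello("nfuse.example.com"),
    "other": b"CONNECT www.example.net:443 HTTP/1.1\r\nHost: www.example.net:443\r\n\r\n"
             + build_client_hello("www.example.net"),
    "plain": b"GET http://www.example.net/ HTTP/1.1\r\nHost: www.example.net\r\n\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLE_STREAMS.items():
        print(label, classify_session(data))
```

Checking the CONNECT line and the SNI separately matters because they are set independently by the client: a filter keyed only on the CONNECT host misses a session whose SNI names the gateway while the CONNECT line names its IP address, and vice versa.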