Wireshark mailing list archives

Re: Capture/Filter Squid Session


From: Sake Blok <sake () euronet nl>
Date: Mon, 12 Jul 2010 19:02:30 +0200

On 11 jul 2010, at 03:28, David Alanis wrote:
Quoting Patrick Preuss <patrick.preuss () googlemail com>:

What I want to do is the following:

client -- internal network -- squid proxy -- external network -- citrix
nfuse server

The client initiates an https session to an nfuse gateway over the squid proxy
and I want to capture only those sessions. I don't know when they occur
or which clients are involved.

So I want to capture all sessions which do something like a http.uri
"connect nfuse.example.com" or "connect ip.address.of.nfuse.gateway" or
something like this,
as long as the client initiates a session over the proxy to this name or IP
address.
Is this possible, and if so, what would the command line for tshark be?

So Patrick, this is pretty straightforward. Prior to running this on the actual network you want to narrow down the IP/host names which you want to filter. I would get some captures from any client, preferably on a network with low traffic, and filter the results by typing dns in your filter.

Actually, this is not as straightforward as it seems. All communication on the client side of the squid proxy will look like this at the IP layer:

ClientIP -> SquidIP

As Patrick mentions, the ClientIP is "random". The content to filter on is at the HTTP layer in the connection setup between the client and the Squid proxy, and only in the first message from the client to the Squid proxy. These messages could be filtered at capture time by a filter like:

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x434f4e4e && tcp[(((tcp[12:1] & 0xf0) >> 2) + 4):4] = 0x45435420 &&
tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):4] = 0x6e667573 && tcp[(((tcp[12:1] & 0xf0) >> 2) + 12):4] = 0x652e6578 &&
tcp[(((tcp[12:1] & 0xf0) >> 2) + 16):4] = 0x616d706c && tcp[(((tcp[12:1] & 0xf0) >> 2) + 20):4] = 0x652e636f &&
tcp[(((tcp[12:1] & 0xf0) >> 2) + 24):2] = 0x6d3a

But that would not give the whole session, just the setup packet.

The only thing you can do is capture all traffic to the Squid proxy and look for the packets that contain the connection setup. Then build a filter that selects the tcp sessions that contain these packets, use that to filter out the specific sessions, and save them to a new file. This whole process can of course be scripted.

Have a look at the presentation I gave at Sharkfest'10 to see how this can be done:
http://www.cacetech.com/sharkfest.10/A-6_Blok%20HANDS-ON%20LAB%3A%20Using%20Wireshark%20Command%20Line%20Tools%20and%20Scripting.zip

Hope this helps,
Cheers,


Sake
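As an added illustration of the two-pass approach described above (this is not code from the thread or from the Wireshark project): a dependency-free Python script that reads a pcap, finds each client's CONNECT request to the proxy for a given host name, and writes only the TCP conversations those requests belong to into a new pcap. The capture it runs on is constructed inline (clients 10.0.0.5, 10.0.0.7 and 10.0.0.9 talking to a Squid proxy assumed at 10.0.0.1:3128); the tshark commands in the docstring are the equivalent command-line form of the same two passes, where the stream numbers printed by the first command are pasted into the `tcp.stream in {...}` filter of the second.

```python
"""Two-pass extraction of proxied CONNECT sessions from a pcap.

Pass 1 finds the client's "CONNECT <host>:<port>" request to the proxy, the
only packet that names the real destination. Pass 2 keeps every packet, in
both directions, of the conversations those requests belong to and writes
them to a new capture file. The equivalent with tshark is:

  tshark -r in.pcap -Y 'http.request.method == "CONNECT" && http.request.uri contains "nfuse.example.com"' -T fields -e tcp.stream
  tshark -r in.pcap -Y 'tcp.stream in {0 3}' -w nfuse-sessions.pcap
"""
import socket
import struct

# pcap global header: magic, v2.4, zone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def _frame(src_ip, sport, dst_ip, dport, payload, seq):
    """Ethernet/IPv4/TCP frame with zeroed checksums (constructed sample data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def _record(ts, frame):
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


def build_sample_pcap():
    """Constructed capture taken on the client side of a Squid proxy at 10.0.0.1:3128."""
    squid = ("10.0.0.1", 3128)
    frames = [
        _frame("10.0.0.5", 40001, *squid, b"CONNECT nfuse.example.com:443 HTTP/1.1\r\nHost: nfuse.example.com:443\r\n\r\n", 1),
        _frame(*squid, "10.0.0.5", 40001, b"HTTP/1.1 200 Connection established\r\n\r\n", 1),
        _frame("10.0.0.7", 40002, *squid, b"GET http://www.example.org/ HTTP/1.1\r\nHost: www.example.org\r\n\r\n", 1),
        _frame(*squid, "10.0.0.7", 40002, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", 1),
        _frame("10.0.0.5", 40001, *squid, b"\x16\x03\x01\x00\x05hello", 80),  # TLS bytes inside the tunnel
        _frame("10.0.0.9", 40003, *squid, b"CONNECT mail.example.com:443 HTTP/1.1\r\n\r\n", 1),
    ]
    return PCAP_GLOBAL + b"".join(_record(1278950000 + i, f) for i, f in enumerate(frames))


def iter_packets(pcap):
    """Yield (record_bytes, src, sport, dst, dport, tcp_payload) for each IPv4/TCP packet."""
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        record = pcap[off:off + 16 + incl]
        frame = record[16:]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        doff = (frame[tcp + 12] >> 4) * 4  # same data-offset arithmetic as the BPF filter
        yield record, src, sport, dst, dport, frame[tcp + doff:]


def find_connect_conversations(pcap, host_fragment):
    """Pass 1: conversations whose request to the proxy is CONNECT to the wanted host."""
    keys, needle = set(), host_fragment.encode()
    for _, src, sport, dst, dport, payload in iter_packets(pcap):
        if not payload.startswith(b"CONNECT "):
            continue
        parts = payload.split(b"\r\n", 1)[0].split(b" ")
        if len(parts) >= 2 and needle in parts[1]:
            keys.add(frozenset({(src, sport), (dst, dport)}))  # direction-independent key
    return keys


def extract_sessions(pcap, host_fragment):
    """Pass 2: new pcap containing every packet of the selected conversations."""
    keys = find_connect_conversations(pcap, host_fragment)
    out = [PCAP_GLOBAL]
    for record, src, sport, dst, dport, _ in iter_packets(pcap):
        if frozenset({(src, sport), (dst, dport)}) in keys:
            out.append(record)
    return b"".join(out), keys


def count_packets(pcap):
    return sum(1 for _ in iter_packets(pcap))


if __name__ == "__main__":
    sample = build_sample_pcap()
    filtered, keys = extract_sessions(sample, "nfuse.example.com")
    print(f"{len(keys)} session(s), {count_packets(filtered)} of {count_packets(sample)} packets kept")
    with open("nfuse-sessions.pcap", "wb") as fh:
        fh.write(filtered)
```

Keying the conversation on the unordered pair of endpoints is what turns the single setup packet into the whole session: the proxy's "200 Connection established" and the tunnelled TLS bytes flow in the other direction and carry nothing that names the host, so they can only be recovered through the 4-tuple found in pass 1.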

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
