Wireshark mailing list archives
Re: Capture/Filter Squid Session
From: Sake Blok <sake () euronet nl>
Date: Mon, 12 Jul 2010 19:02:30 +0200
On 11 jul 2010, at 03:28, David Alanis wrote:
Quoting Patrick Preuss <patrick.preuss () googlemail com>:

> What I want to do is the following: client -- internal network -- Squid proxy -- external network -- Citrix NFuse server. The client initiates an HTTPS session to an NFuse gateway over the Squid proxy and I want to capture only those sessions. I don't know when they occur or which clients are involved. So I want to capture all sessions which do something like an http.uri "connect nfuse.example.com" or "connect ip.address.of.nfuse.gateway" or something like this, as long as the client initiates a session over the proxy to this name or IP address. Is this possible, and if so, what would the command line for tshark be?

So Patrick, this is pretty straightforward. Prior to running this on the actual network you want to narrow down the IP/host names which you want to filter. I would get some captures from any client, preferably on a network with low traffic, and filter the results by typing dns in your filter.
Actually, this is not as straightforward as it seems. All communication on the client side of the Squid proxy will look like this at the IP layer:

ClientIP -> SquidIP

As Patrick mentions, the ClientIP is "random". The content to filter on is at the HTTP layer, in the connection setup between the client and the Squid proxy, and only in the first message from the client to the Squid proxy. These messages could be filtered at capture time by a filter like:

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x636f6e6e &&
tcp[(((tcp[12:1] & 0xf0) >> 2) + 4):4] = 0x65637420 &&
tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):4] = 0x6e667573 &&
tcp[(((tcp[12:1] & 0xf0) >> 2) + 12):4] = 0x652e6578 &&
tcp[(((tcp[12:1] & 0xf0) >> 2) + 16):4] = 0x616d706c &&
tcp[(((tcp[12:1] & 0xf0) >> 2) + 20):4] = 0x652e636f &&
tcp[(((tcp[12:1] & 0xf0) >> 2) + 24):2] = 0x6d0a

But that would not give the whole session, just the setup packet. The only thing you can do is capture all traffic to the Squid proxy and look for the packets that contain the connection setup. Then build a filter that selects the TCP sessions that contain these packets, and use that to filter out the specific sessions and save them to a new file. This whole process can of course be scripted. Have a look at the presentation I gave at Sharkfest'10 to see how this can be done:

http://www.cacetech.com/sharkfest.10/A-6_Blok%20HANDS-ON%20LAB%3A%20Using%20Wireshark%20Command%20Line%20Tools%20and%20Scripting.zip

Hope this helps,

Cheers,
Sake

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
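The two-pass procedure Sake describes (find the CONNECT setup packets, then pull out the whole TCP sessions they belong to), written as an added example that is not Sake's script or the Sharkfest material. It assumes a current tshark (the -Y display-filter option) and takes the capture file, proxy address, target host and output file as caller-supplied placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Two-pass extraction of the
# Squid CONNECT sessions to one host. Assumes tshark is installed.

# Display filter matching the CONNECT request for HOST sent to the proxy.
# Matching on the parsed HTTP fields avoids the byte-offset BPF of the post
# and copes with the ":443 HTTP/1.1" that follows the host in a real request.
connect_filter() {
  # $1 = proxy IP, $2 = target host as it appears in the CONNECT line
  printf 'ip.dst == %s && http.request.method == "CONNECT" && http.request.uri contains "%s"' "$1" "$2"
}

# Turn a whitespace-separated list of tcp.stream ids into a display filter
# that selects every packet of those sessions (both directions).
stream_filter() {
  filter=""
  for s in $*; do
    if [ -z "$filter" ]; then filter="tcp.stream == $s"
    else filter="$filter || tcp.stream == $s"; fi
  done
  printf '%s' "$filter"
}

# Pass 1: list the stream ids of the CONNECT requests.
# Pass 2: write every packet of those streams to a new capture file.
extract_sessions() {
  # $1 = capture file, $2 = proxy IP, $3 = target host, $4 = output file
  streams=$(tshark -r "$1" -Y "$(connect_filter "$2" "$3")" \
            -T fields -e tcp.stream | sort -un)
  [ -n "$streams" ] || { echo "no CONNECT to $3 found in $1" >&2; return 1; }
  tshark -r "$1" -Y "$(stream_filter $streams)" -w "$4"
}

# Usage (placeholders): sh extract.sh capture.pcap 10.0.0.1 nfuse.example.com nfuse-sessions.pcap
if [ $# -eq 4 ]; then extract_sessions "$@"; fi
```

Because the first pass keys on http.request.method, the capture must be taken on the client side of the proxy, where the CONNECT line is still in the clear.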