[Winpcap-users] filter packets bound for company proxy server?

Greg Hauptmann greg.hauptmann.ruby at gmail.com
Sun Aug 15 23:17:21 PDT 2010


Hi,

Can I ask if anyone has a good idea for how I could identify (filter
packets) that are transiting via a company proxy server [e.g.
proxy.mycompany.com].   The challenge here is that the DNS server will
issue any one of a number of IP addresses back to the browser to use,
associated with the range of physically separate proxy servers that you
might end up on.

I've tried using the filter "host <<proxy dns address>>" however this
doesn't seem to work.  In fact some testing I did with Wireshark to
provide an example of what I'm seeing is:

ASSUMPTIONS:  First in terms of some assumptions for the sake of this example:

 nslookup proxy.mycompany.com
 Name:    proxy.xxx..yyy.mycompany.com
 Address:  10.10.1.10
 Aliases:  proxy.mycompany.com

 nslookup 10.1.1.10
 Name:    proxy3.zzz.aaa.mycompany.com
 Address:  10.10.1.10

WIRESHARK RESULTS FOR GIVEN CAPTURE FILTER:

 a) "host proxy.mycompany.com" => Does not pick up the browser traffic
I created that transits the proxy.  Again my goal is to find a way to
filter on this.

 b) "host proxy3.zzz.aaa.mycompany.com" => Does pick up the traffic
BUT of course I've had to manually type in the actual proxy server.
I tested with the same browser straight after putting in the capture
filter so the proxy I was handed back obviously didn't change in that
small time (i.e. at other times I would be handed off to
proxy5.zzz.aaa.mycompany.com say for example).


So I'm running out of ideas re how I could identify, for a
given packet, whether it is one that has transited via the proxy
server... any ideas?


thanks
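
One way to cover a rotating proxy pool, as an added example that is not part of the original post: look the name up several times, take the union of the IPv4 addresses returned, and build a single address-based capture filter from them. The pool addresses other than 10.10.1.10, the port 8080 and the helper names are assumptions made for illustration; `make_rotating_resolver` is a constructed stand-in for DNS so the block runs offline.

```python
import ipaddress
import socket


def resolve_ipv4(name, rounds=5, resolver=socket.getaddrinfo):
    """Return every IPv4 address seen for `name` across `rounds` lookups."""
    seen = set()
    for _ in range(rounds):
        try:
            infos = resolver(name, None, socket.AF_INET, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # one failed lookup should not discard earlier answers
        for info in infos:
            seen.add(info[4][0])  # sockaddr is (address, port)
    return seen


def proxy_capture_filter(names, port=None, rounds=5, resolver=socket.getaddrinfo):
    """Build a pcap filter matching any address the proxy names resolved to."""
    addrs = set()
    for name in names:
        addrs |= resolve_ipv4(name, rounds, resolver)
    if not addrs:
        raise ValueError("no proxy addresses resolved")
    ordered = sorted(addrs, key=ipaddress.ip_address)
    expr = " or ".join(f"host {a}" for a in ordered)
    if port is not None:
        expr = f"({expr}) and tcp port {int(port)}"
    return expr


def make_rotating_resolver(pool):
    """Constructed stand-in for round-robin DNS: one pool address per lookup."""
    calls = {"n": 0}

    def resolver(name, port, family=0, socktype=0):
        addr = pool[calls["n"] % len(pool)]
        calls["n"] += 1
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (addr, 0))]

    return resolver


if __name__ == "__main__":
    # Constructed pool: only 10.10.1.10 appears in the post above.
    fake_dns = make_rotating_resolver(["10.10.1.10", "10.10.1.12", "10.10.1.14"])
    print(proxy_capture_filter(["proxy.mycompany.com"], port=8080, resolver=fake_dns))
```

With the default `resolver=socket.getaddrinfo` a local resolver cache may return the same answer on every round, so the individual proxy names can be passed in `names` as well. The filter reflects the pool at lookup time and has to be rebuilt when the pool changes.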

