Wireshark-users: Re: [Wireshark-users] Capture/Filter Squid Session
From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 12 Jul 2010 19:02:30 +0200
On 11 jul 2010, at 03:28, David Alanis wrote:
> Quoting Patrick Preuss <patrick.preuss@xxxxxxxxxxxxxx>:
> 
>> What I want to do is the following:
>> 
>> client -- internal network -- squid proxy -- external network -- citrix
>> nfuse server
>> 
>> A client initiates an https session to a nfuse gateway over the squid proxy
>> and I want to capture only those sessions. I don't know when they occur
>> or which clients are involved.
>> 
>> So I want to capture all sessions which do something like a http.uri
>> "connect nfuse.example.com" or "connect ip.address.of.nfuse.gateway" or
>> something like this, as long as the client initiates a session over the
>> proxy to this name or IP address.
>> Is this possible, and if so, what would the command line for tshark be?
> 
> So Patrick, this is pretty straightforward. Prior to running this on
> the actual network you want to narrow down the IP/host names which you
> want to filter. I would get some captures from any client, preferably
> on a network with low traffic, and filter the results by typing dns in
> your filter.

Actually, this is not as straightforward as it seems. All communication on the client side of the squid proxy will look like this at the IP layer:

ClientIP -> SquidIP

As Patrick mentions, the ClientIP is "random". The content to filter on is at the HTTP layer, in the connection setup between the client and the Squid proxy, and only in the first message from the client to the Squid proxy. These messages could be filtered at capture time by a filter like:

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x434f4e4e && tcp[(((tcp[12:1] & 0xf0) >> 2) + 4):4] = 0x45435420 && tcp[(((tcp[12:1] & 0xf0) >> 2) + 8):4] = 0x6e667573 && tcp[(((tcp[12:1] & 0xf0) >> 2) + 12):4] = 0x652e6578 && tcp[(((tcp[12:1] & 0xf0) >> 2) + 16):4] = 0x616d706c && tcp[(((tcp[12:1] & 0xf0) >> 2) + 20):4] = 0x652e636f && tcp[(((tcp[12:1] & 0xf0) >> 2) + 24):2] = 0x6d3a

But that would not give the whole session, just the setup packet.

The only thing you can do is capture all traffic to the Squid proxy and look for the packets that contain the connection setup. Then build a filter that selects the TCP sessions that contain these packets, and use that to filter out the specific sessions and save them to a new file. This whole process can of course be scripted.

Have a look at the presentation I gave at Sharkfest'10 to see how this can be done:
http://www.cacetech.com/sharkfest.10/A-6_Blok%20HANDS-ON%20LAB%3A%20Using%20Wireshark%20Command%20Line%20Tools%20and%20Scripting.zip

Hope this helps,
Cheers,


Sake
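The two-pass workflow described in the reply above, written up as a POSIX shell script. This is an added example, not part of the original thread or of Sake's Sharkfest lab material; it assumes tshark is on PATH, that the capture file, the proxied host name and an output file are passed as arguments, and a tshark that understands -Y and the "in {...}" set operator in display filters.

```shell
#!/bin/sh
# Added example, not from the original thread: two-pass tshark workflow for
# pulling whole proxied sessions out of a capture taken on the Squid side.
# Assumes: tshark on PATH, a capture file and the proxied host as arguments,
# and a tshark that understands -Y and the "in {...}" set operator.

# Turn newline-separated tcp.stream numbers into one display filter,
# deduplicated (a retransmitted CONNECT would list the same stream twice).
build_stream_filter() {
  ids=$(printf '%s\n' "$1" | grep -E '^[0-9]+$' | sort -n -u | tr '\n' ',')
  ids=${ids%,}
  [ -n "$ids" ] || return 1
  printf 'tcp.stream in {%s}' "$ids"
}

# Pass 1: the only packet that names the destination is the client's
# CONNECT request to the proxy, so collect the stream index of every
# such request whose request-line target contains the wanted host.
find_connect_streams() {
  tshark -r "$1" \
    -Y "http.request.method == \"CONNECT\" && http.request.uri contains \"$2\"" \
    -T fields -e tcp.stream
}

# Pass 2: re-read the capture and write only those TCP sessions.
# Sessions whose CONNECT happened before the capture started are
# necessarily missed, since nothing in their later packets names the host.
extract_sessions() {
  pcap=$1 host=$2 out=$3
  streams=$(find_connect_streams "$pcap" "$host") || return 1
  filter=$(build_stream_filter "$streams") || {
    echo "no CONNECT requests for $host in $pcap" >&2
    return 1
  }
  echo "extracting with display filter: $filter" >&2
  tshark -r "$pcap" -Y "$filter" -w "$out"
}

# Usage: ./squid_sessions.sh capture.pcap nfuse.example.com nfuse-only.pcap
if [ $# -eq 3 ]; then
  extract_sessions "$@"
fi
```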