I m new to Wireshark and have very limited knowledge on how proxy servers function. I ran Wireshark on a campus LAN where the PCs are configured with a proxy server (e.g. proxy.example.com and port 8000), and I am not sure about the type of proxy server used. All the packets captured show the destination IP address as that of the proxy server, not of the real destination (e.g. www.yahoo.com, www.google.com, etc). Is there any way I can figure out the real destination IP addresses from Wireshark's captures?? Similarly all the incoming packets carry the source IP address as that of the proxy server (not that of Yahoo, Google, etc). I wish to filter out packets from www.youtube.com. Is it possible? asked 09 Oct '12, 10:34 Aaks |
One Answer:
Your HTTP client normally uses the host name part of the URL to do a DNS lookup to connect to the requested host. Then is sends an HTTP GET of the rest of the URL. The host name is also included in that request. Now, if you've configured a HTTP proxy for your client it opens a connection to there and then sends the HTTP GET, with the complete URI, including the host name. The proxy then uses that information to setup its own connection with the intended host and forwards the HTTP GET. Any responses received are send back the the originating client. So what you need to look at is the TCP connection and the host name part of the GET requests. These requests are send forward, and the responses come back the same way. So your endpoint tracking has raised from the network level to the session level. answered 09 Oct '12, 13:54 Jaap ♦ |