Hello, Does Wireshark (1.8.8) have the ability to "discover" if an http proxy device (Websense) is being used? If so, which area of the packet might I find this information so that I can build a filter. We have multiple network segments and I'm not always sure which segments are using the proxy. We use WCCP to "see" the http packets and then send to the Websense appliances. We do have bypass ACL's for Websense, but again, I'm not always privy to that information. thanks, J asked 11 Jul '13, 04:01  JTech_17 |
2 Answers:
well, it depends where you capture the traffic. If it is near the client, see the answer of @Jasper. However, there is no guarantee, that the proxy adds any of those headers. ALTERNATIVE: You can send a bogus request from the client. Chances are good, that the proxy denies those request with an error message, and by doing so exposes it's existence ;-) A bogus request would be (use telnet www.xyz.com 80) Then see how the answer looks like. If you capture near the internet router/firewall, you will be able to detect proxy request simply by it's IP address. All requests going to the proxy via WCCP will show up with the proxy IP if you capture in front of the internet router/firewall (consider DMZ setups!). All unproxied requests (WCCP did not forward the traffic to the proxy) will show up with an IP address of a client. Regards answered 11 Jul '13, 05:11  Kurt Knochner ♦ |
You might see some additional headers like "X-Forwarded-For" that you can filter on, which is added by a proxy device. answered 11 Jul '13, 04:04  Jasper ♦♦ I'm not sure I'm going to be able to determine if the client is being http proxied when capturing from the client. After a little bit more research on wccp, I believe this filter will work if I'm upstream (capturing from the router/switch side). I've added this to my personal filters list for future use. thanks, J (11 Jul '13, 04:50) JTech_17 In addition to the "X-Forwarded-For" added by the proxy in the requests towards the server, you might also see the "Via:" header in the responses from the proxy back to the client. (11 Jul '13, 04:55) SYN-bit ♦♦ |
When the Proxy appliances begin to act up (high cpu, database corruption, etc.) it gives the user a poor experience when http browsing. I was hoping that I could determine a metric/filter (from the client side) that would help me detect when the appliances begin to crack...however, I have sense discovered the capture point I need. Fortunately the Proxy devices reside on one switch, to which I can use RSPAN and send a copy of the wccp forwarded packets back to my Cisco NAM. I'm very curious to see what type of info the packets contain when the Proxy begins to go tango-uniform (large delays, authen errors, etc.).
well wouldn't it be easier to monitor those problems on the websense server itself instead if trying to detect a possible problem by looking at the network response time? Even if you want to look at the response time, why not capturing on the server itself and then use some scripts to detect a possible crack-down of the proxy!?!
Yes, and a tech is watching for conditions that lead to the websense acting up, however, I've been tasked with determining if conditions from the client, sent/recieved packets, could help determine other parts, if any, could be the cause for poor performance.
Ah, I see. Any results?