filter packets bound for company proxy server?

Kevin Darcy kcd at chrysler.com
Mon Aug 16 16:02:17 UTC 2010


On 8/16/2010 8:10 AM, Greg Hauptmann wrote:
> Hi,
>
> Can I ask if anyone has a good idea for how I could identify (filter
> packets) that are transiting via a company proxy server [e.g.
> proxy.mycompany.com].   The challenge here is that the DNS server will
> issue any one of a number of IP addresses back to the browser to use,
> associated with the range of physical separate proxy servers that you
> might end up on.
>
> I've tried using the filter "host<<proxy dns address>>" however this
> doesn't seem to work.  In fact some testing I did with wireshark to
> provide an example of what I'm seeing is:
>
> ASSUMPTIONS:  First in terms of some assumptions for the sake of this example:
>
>   nslookup proxy.mycompany.com
>   Name:    proxy.xxx..yyy.mycompany.com
>   Address:  10.10.1.10
>   Aliases:  proxy.mycompany.com
>
>   nslookup 10.1.1.10
>   Name:    proxy3.zzz.aaa.mycompany.com
>   Address:  10.10.1.10
>
> WIRESHARK RESULTS FOR GIVEN CAPTURE FILTER:
>
>   a) "host proxy.mycompany.com" =>  Does not pick up the browser traffic
> I created that transits the proxy.  Again my goal is to find a way to
> filter on this.
>
>   b) "host proxy3.zzz.aaa.mycompany.com" =>  Does pick up the traffic
> BUT of course I've had to manually type in the actual proxy server. I
> tested with the same browser straight after putting in the capture
> filter so the proxy I was handed back obviously didn't change in that
> small time (i.e. at other times I would be handed off to
> proxy5.zzz.aaa.mycompany.com, say, for example)
>
>
> So I'm running out of ideas re how I could identify whether a given
> packet is one that has transited via the proxy server....any ideas?
>
> Would "dig" be a reliable way to get a list of all IPs associated
> with the main proxy DNS name? Would this be a possible solution re
> identifying them all perhaps?
>
>
No it would not be a reliable way, because it's likely to be a 
load-balancer that's actually responding to the query for 
proxy.mycompany.com, and it'll return whatever it considers to be the 
"best" proxy at any given point in time.

You'd have to look at the load-balancer config to know for sure all of 
the *possible* answers it could give to that question.

An imperfect approach would be to query that name repeatedly over time 
and collect all of the IPs that you get in response, but with this 
approach you can't really know for sure that you got *all* of them.

                     - Kevin
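The "query repeatedly and collect" approach Kevin describes, as an added example that is not from this thread: it unions the answers from several lookups, orders them, and turns the set into a capture filter of the form "host A or host B" (which also sidesteps the single one-off resolution a capture filter does when it compiles "host proxy.mycompany.com"). The rotating resolver and the 10.10.1.x pool are constructed stand-ins for a load-balancing DNS front end, so the script runs offline; the live `resolve_once` path is what you would actually point at the proxy name.

```python
import ipaddress
import itertools
import socket
from typing import Callable, Iterable, List, Set

def resolve_once(name: str) -> Set[str]:
    """One live lookup: the IPv4 addresses a single getaddrinfo() call returns.
    A load-balancer typically answers with only its current 'best' proxy,
    so one call is a sample of the pool, not the whole pool."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}

def collect_addresses(name: str, rounds: int,
                      resolver: Callable[[str], Iterable[str]] = resolve_once) -> List[str]:
    """Query `name` `rounds` times and union every answer seen.
    Addresses come back in numeric order so the resulting filter is stable."""
    seen: Set[str] = set()
    for _ in range(rounds):
        seen.update(resolver(name))
    return sorted(seen, key=ipaddress.ip_address)

def build_capture_filter(addresses: Iterable[str]) -> str:
    """libpcap/Wireshark capture filter matching traffic to or from any address."""
    return " or ".join(f"host {ip}" for ip in addresses)

def rotating_resolver(pool: List[str]) -> Callable[[str], Set[str]]:
    """Constructed stand-in for a load-balancing DNS front end: every query
    gets exactly one address, cycling through the pool (hypothetical values)."""
    cycle = itertools.cycle(pool)
    return lambda _name: {next(cycle)}

# Constructed example pool; in practice the answers come from the proxy name.
SAMPLE_POOL = ["10.10.1.10", "10.10.1.12", "10.10.1.9"]

if __name__ == "__main__":
    # Too few rounds and the filter silently misses a proxy: this is the
    # "can't know you got all of them" caveat made visible.
    partial = collect_addresses("proxy.mycompany.com", 2, rotating_resolver(SAMPLE_POOL))
    complete = collect_addresses("proxy.mycompany.com", 3, rotating_resolver(SAMPLE_POOL))
    print("2 rounds:", build_capture_filter(partial))
    print("3 rounds:", build_capture_filter(complete))
```

With a real name, pass a large `rounds` value and spread the calls over time; the set only ever grows, so compare successive runs to see whether the pool has stabilised.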