Can I ask if anyone has a good idea for how I could identify (filter packets) that are transiting via a company proxy server [e.g. proxy.mycompany.com]. The challenge here is that the DNS server will issue any one of a number of IP addresses
back to the browser to use, associated with the range of physical separate proxy servers that you might end up on.
I've tried using the filter "host <<proxy dns address>>" however this doesn't seem to work. In fact some testing I did with wireshark to provide an example of what I'm seeing is:
ASSUMPTIONS: First in terms of some assumptions for the sake of this example:
WIRESHARK RESULTS FOR GIVEN CAPTURE FILTER:
a) "host proxy.mycompany.com" => Does not pickup the browser traffic I created that transits the proxy. Again my goal is to find a way to filter on this.
b) "host proxy3.zzz.aaa.mycompany.com" => Does pick up the traffic BUT of course I've had to manually type in the actual proxy server. I tested with the same browser straight after putting in the capture filter so the proxy
I was handed back obviously didn't change in that small time (i.e. at other time I would be handed off to proxy5.zzz.aaa.mycompany.com say for example)
So I'm running out of ideas re how I could identify whether, for a given packet, whether it is one that has transited via the proxy server....any ideas?