noc ops wrote:
I'm looking for any help in detecting (if possible) *outgoing* client request (see below flow) header information for transparent proxies via some sort of pattern match. Maybe proxy connection tag? Is it doable? So far my search has turned up negative.
As noted in the Ethereal thread on this, if it's truly a transparent proxy, the client requests will not look any different from requests made directly to the server.
The request the proxy passes on to the Web server should have a "Via:" header added (see RFC 2616, which uses "MUST" rather than "SHOULD", although I'm not sure what police force enforces RFCs, so a misbehaving proxy might leave that header out).
That header doesn't necessarily have anything to indicate the flow to which it belongs (other than TCP endpoint information, i.e. address/port).
(And note that I sometimes use a browser called "telnet", which, for some reason, requires the user to supply all entity headers. :-) I tend to supply as few as possible, as I'm lazy. People tend to use that browser only when they're trying to debug something, however. :-))
- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
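
The server-side check described in the reply, as an added example that is not part of the original thread: Python that parses the head of a captured HTTP request and lists the proxy hops named in any "Via:" header. The function names and sample payloads are constructed for illustration; an empty result does not rule out a proxy, since one that omits the header leaves nothing to match.

```python
import re

def parse_headers(payload: bytes):
    """Return (request_line, [(lowercased name, value), ...]) from a raw request head."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    # RFC 2616 header folding: a continuation line starts with SP or HT.
    head = re.sub(r"\r\n[ \t]+", " ", head)
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def split_hops(value: str):
    """Split a Via value on commas, ignoring commas inside (comments)."""
    hops, depth, cur = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            hops.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    hops.append("".join(cur).strip())
    return [h for h in hops if h]

def via_hops(payload: bytes):
    """List (received_protocol, received_by) for each hop in every Via header."""
    _, headers = parse_headers(payload)
    result = []
    for name, value in headers:
        if name == "via":
            for hop in split_hops(value):
                parts = hop.split(None, 2)  # protocol, received-by, optional comment
                if len(parts) >= 2:
                    result.append((parts[0], parts[1]))
    return result

# Constructed samples: a hand-typed request with no headers, and a proxied one
# with a lowercase name, a folded line, a comma inside a comment, and a second Via.
DIRECT = b"GET / HTTP/1.0\r\n\r\n"
PROXIED = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           b"via: 1.0 fred, 1.1 cache.example.net:3128\r\n  (ExampleProxy, build 7)\r\n"
           b"Via: 1.1 edge\r\n\r\n")
```
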