At a Glance: HTTP Proxy Packets vs. Normal HTTP Packets

I am currently in touch with a few HTTP proxy installations. As always when troubleshooting network issues, I am looking at the network with Wireshark and trying to understand the different packets.

Here is a short overview of the differences between HTTP requests that are sent directly to the destination and HTTP requests that are sent via a proxy.

Proxy Traffic vs. Normal Traffic

Following is the main figure for this article. It shows the two different packet types:

  1. Direct HTTP requests: The destination IP is the HTTP server, and the requested URI shows only the path behind the domain.
  2. HTTP proxy requests: The first packet is sent to the proxy, and its requested URI shows the complete URL (host + path). The second packet is sent from the proxy to the final destination. Since it is a “real” proxy, each packet is inside its own TCP connection, with a different source address as well.

In both scenarios, the “Host” value in the HTTP request is set to the requested domain. In the case of a proxy, the HTTP X-Forwarded-For header with the client IP address might be inserted.

Note that the arrows in the figure show only the first HTTP packet flow, though it is a bi-directional communication in which the returning packets have the inverse order of source/destination IPs and ports.
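The difference in the request line can also be checked programmatically. The following is an added example, not part of the original post: a hypothetical helper `classify_request` reads a raw HTTP request and reports whether the requested URI is only a path (RFC 9112 calls this origin-form) or a complete URL (absolute-form), along with the Host and X-Forwarded-For values. The three sample requests are constructed, not captured traffic.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic); 192.0.2.10 is a documentation address.
DIRECT = b"GET / HTTP/1.1\r\nHost: ip.webernetz.net\r\n\r\n"
TO_PROXY = b"GET http://ip.webernetz.net/ HTTP/1.1\r\nHost: ip.webernetz.net\r\n\r\n"
FROM_PROXY = (b"GET / HTTP/1.1\r\nHost: ip.webernetz.net\r\n"
              b"X-Forwarded-For: 192.0.2.10\r\n\r\n")


def classify_request(raw: bytes) -> dict:
    """Hypothetical helper: report the request-target form and proxy-related headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)

    # Header names are case-insensitive, so normalise them to lower case.
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    if url.scheme and url.netloc:
        form, uri_host = "absolute-form", url.hostname   # complete URL: sent to a proxy
    elif target.startswith("/"):
        form, uri_host = "origin-form", None             # path only: sent to the server
    else:
        form, uri_host = "other", None

    # The Host header may carry a port; urlsplit strips it and lower-cases the name.
    host = urlsplit("//" + headers.get("host", "")).hostname
    xff = [ip.strip() for ip in headers.get("x-forwarded-for", "").split(",") if ip.strip()]
    return {
        "method": method, "form": form, "host": host, "uri_host": uri_host,
        "host_matches_uri": uri_host is None or uri_host == host,
        "x_forwarded_for": xff,
    }


if __name__ == "__main__":
    for label, raw in [("direct", DIRECT), ("client to proxy", TO_PROXY),
                       ("proxy to server", FROM_PROXY)]:
        print(label, classify_request(raw))
```

An absolute-form request arriving at a host that is not meant to act as a proxy, or a Host header that disagrees with the host in the URL, is worth a closer look in a capture.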

[Figure: At a Glance - Proxy]

Wireshark Screenshots

As an example, I opened my What-is-my-IP script at http://ip.webernetz.net two times: the first time without a proxy and the second time with a proxy on port 3128. (Note that the proxy server can run on different ports, e.g., 80, 8080, 3128.) The proxy IP came from a free proxy list (link below).

Links

 
