[squid-users] Dumping sslbump'd decrypted http using icap protocol

Scott 3m9n51s2ewut at thismonkey.com
Mon May 25 11:39:56 UTC 2020


On Mon, May 25, 2020 at 06:34:19PM +1200, Amos Jeffries wrote:
> On 25/05/20 12:56 am, Scott wrote:
> > Hi,
> > 
> > Can someone recommend an ICAP application that will allow me to dump the HTTP 
> > of a client-server conversation?
> > 
> > I am doing some forensics on an app - I have sslbump configured correctly and 
> > I can get the traffic to c-icap (for example).
> > 
> > I'd like to dump this to a text file.
> > 
> > Is there a dump option for c-icap?  I couldn't find one.
> > 
> 
> FYI; this action is illegal in a lot of places. Even answering your
> question can be quite risky.
> 
> 
> To perform traffic forensics you can use the Squid cache.log directly
> and not involve any insecure third-party software or communication
> dumps. See <https://wiki.squid-cache.org/KnowledgeBase/DebugSections>
> for more details.
> 
> "debug_Options 11,2" is probably all you need.
> 
> 
> Amos
> 
Thanks,

I'm inspecting my own data between my own endpoints as part of some 
proof-of-concept work, so there's no illegality here, but I appreciate the 
caution.

Using the cache.log and debug provided me with too much data.  With ICAP I'm 
able to apply ACLs to limit the traffic sent to the ICAP server.

Am I right in saying that it is possible to do, I just need the right ICAP 
server?  I'm happy to write one myself, I'm just surprised that it's not been 
done before.  I thought perhaps I was missing an option, say in c-icap or 
some other server.
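Scott's remark that he is happy to write such an ICAP server himself, as an added example that is not from the thread, Squid or c-icap: a minimal Python ICAP service that answers OPTIONS, reads each REQMOD/RESPMOD message Squid vectors to it, appends the encapsulated HTTP request/response headers to a text file, and replies 204 so the traffic passes through unmodified. Assumptions are the service name `dump`, port 1344, the log path, the ISTag value, and the constructed sample message.

```python
import io
import socketserver
from datetime import datetime, timezone

LOG_PATH = "/tmp/icap-dump.txt"   # assumption: where the text dump is appended
ISTAG = b'"poc-dump-1"'           # assumption: any opaque service tag will do
# Constructed REQMOD message of the shape Squid sends for a bodiless GET (for testing offline).
SAMPLE_REQMOD = (b"REQMOD icap://127.0.0.1:1344/dump ICAP/1.0\r\nHost: 127.0.0.1\r\nAllow: 204\r\n"
                 b"Encapsulated: req-hdr=0, null-body=42\r\n\r\nGET /ping HTTP/1.1\r\nHost: example.test\r\n\r\n")

def read_message(src):
    """Consume one ICAP message (bytes or file object); return (method, encapsulated HTTP header bytes)."""
    rfile = io.BytesIO(src) if isinstance(src, bytes) else src
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        line = rfile.readline()
        if not line: return None, b""
        head += line
    lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:]) if k}
    offsets = {k: int(v) for k, _, v in (p.strip().partition("=") for p in headers.get("encapsulated", "").split(",")) if k}
    # HTTP headers run up to the first *-body offset (RFC 3507 4.4.1); drain a chunked body after them.
    http_headers = rfile.read(next((offsets[k] for k in ("req-body", "res-body", "null-body") if k in offsets), 0))
    if "req-body" in offsets or "res-body" in offsets:
        while True:
            size = int(rfile.readline().split(b";")[0].strip() or b"0", 16)
            if size == 0: rfile.readline(); break   # zero chunk, then the empty trailer line
            rfile.read(size + 2)                    # chunk data plus its CRLF
    return lines[0].split(" ", 1)[0], http_headers

def format_record(method, http_headers):
    """One text-file record: UTC timestamp, ICAP method, then the HTTP header lines."""
    text = http_headers.decode("latin-1").replace("\r\n", "\n").strip("\n")
    return f"=== {datetime.now(timezone.utc).isoformat()} {method} ===\n{text}\n\n"

def icap_response(method):
    """OPTIONS gets the capability reply; anything else a 204 'forward unmodified'."""
    status = b"200 OK\r\nMethods: REQMOD, RESPMOD" if method == "OPTIONS" else b"204 No Content"
    return b"ICAP/1.0 " + status + b"\r\nISTag: " + ISTAG + b"\r\nEncapsulated: null-body=0\r\n\r\n"

class DumpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        method, http_headers = read_message(self.rfile)
        if method is None: return
        if method != "OPTIONS":
            with open(LOG_PATH, "a") as log: log.write(format_record(method, http_headers))
        self.wfile.write(icap_response(method))

if __name__ == "__main__":   # squid.conf side: icap_service dump reqmod_precache icap://127.0.0.1:1344/dump
    socketserver.ThreadingTCPServer(("127.0.0.1", 1344), DumpHandler).serve_forever()
```

On the Squid side this needs `icap_enable on`, the `icap_service` line from the comment (plus a `respmod_precache` one if responses are wanted), and an `adaptation_access` rule with your ACL so only the selected traffic is vectored to it. Bodies are drained but not written, so extend `read_message` if the payload is needed as well.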
