monitoring proxied web traffic


Does your proxy also communicate with a content-inspection device, like for
anti-virus inspection of web content? If so, there may be a way to correlate.
The web proxy would use the Internet Content Adaptation Protocol (ICAP) to
encapsulate the HTTP/HTTPS traffic to send to the anti-virus server for
inspection. I wrote a protocol analyzer for ICAP. This protocol is very
similar in syntax to HTTP, and it contains header fields (supported by most
web proxy vendors) called "X-Client-IP" and "X-Server-IP" which correspond to
the original IP addresses of the local web client and the remote web server,
respectively. Please see my presentation from BroCon 2016, perhaps it



From where can we download the source code (ICAP analyzer)?

C. L. Martinez

Thank you Mark

Proxy itself is doing content inspection/etc so I won’t be able to capture it that way.