Bug ID: 14506
           Summary: PROXY protocol (v2) support (HAproxy) for TCP: skip
                    and maybe implement a full dissector
           Product: Wireshark
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: Enhancement
          Priority: Low
         Component: Dissection engine (libwireshark)
  Target Milestone: ---

Build Information:
Wireshark 2.4.4 (Git v2.4.4 packaged as 2.4.4-1~16.04.0)

Copyright 1998-2018 Gerald Combs <> and contributors.
License GPLv2+: GNU GPL version 2 or later
This is free software; see the source for copying conditions. There is NO

Compiled (64-bit) with Qt 5.5.1, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with GLib 2.48.2, with zlib 1.2.8, with SMI 0.4.8, with c-ares
1.10.0, with Lua 5.2.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT
Kerberos, with GeoIP, with nghttp2 1.7.1, with LZ4, with Snappy, with libxml2
2.9.3, with QtMultimedia, without AirPcap, with SBC, with SpanDSP.

Running on Linux 4.13.0-19-generic, with Intel(R) Core(TM) i5-6200U CPU @
2.30GHz (with SSE4.2), with 19947 MB of physical memory, with locale
de_DE.UTF-8, with libpcap version 1.7.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5,
with zlib 1.2.8.

Built using gcc 5.4.0 20160609.
More and more servers implement support for the PROXY protocol v2, originally 
specified by HAproxy
( which allows a
TCP load-balancer or some sort of proxy to forward information on the original
connections (i.e. source / destination IP and ports, but also SSL client
certificates and others ...)

The spec document lists quite a few implementations ...

  - HTTP :
    - Apache 
    - Nginx 
    - lighttpd
    - thttpd 
    - mini-httpd
    - haproxy
    - Squid 3        
  - SSL :
    - stud
    - stunnel 
    - nginx 
  - FTP :
    - Pure-ftpd
    - vsftpd 
  - SMTP :
    - postfix 
    - exim 
  - POP :
    - dovecot 
  - IMAP :
    - dovecot 
  - LDAP :
    - openldap 
  - SSH :
    - openssh 
  - RDP :
    - Windows XP SP3
  - MQTT:
    - HiveMQ (

Wireshark or rather libwireshark is quite capable of dissecting all those
application layer protocols. Maybe I looked in the wrong places for a switch
but apparently when adding PROXY protocol data to the dissectors receive
"garbage" on the first bytes of a new connection.

The first step into improving here, would be to be able to "skip" those bytes
added by PROXY protocol before feeding it into the dissector to allow for a
clean decode of the "real" layer 7 protocol. The graphic
illustrates where those PROXY protocol bytes are added.

A really massive improvement would be, if dissecting the PROXY protocol itself
would be implemented, also providing those fields. Being able to filter on
"original IP" in a PCAP between load-balancer and app server would help
I myself found a dissector written in LUA, which works and decodes quite a few
fields already. It actually was part of a bug report:

Maybe this code helps to get started?

You are receiving this mail because:
You are watching all bug changes.
Sent via:    Wireshark-bugs mailing list <>

Reply via email to