Penetration Testing mailing list archives
Re: Ethereal Help
From: Robert van der Meulen <rvdm () cistron nl>
Date: Fri, 14 Sep 2001 08:34:50 -0700
Hi,

Quoting Junginger, Jeremy (jjunginger () Calence com):

I need to write a filter rule for ethereal that tracks all access to a specific URL (not ip address). Is this possible, and if so, how? Thanks!

You need to use a 'read filter' expression, matching something in the 'http.request' field. I would use a combination of 'ip.dst' matchers (for the destination IP, to let the pcap layer do some of the preliminary filtering), probably a 'tcp.port == 80' match as well, and a 'http.request eq http://somesite.com/pr0n'-ish filter. I'm not sure on how to do partial matching or regexp-like matching (as a matter of fact, I think that's not possible with ethereal).

You might want to consider looking into different tools for the job, like 'ngrep' or even 'urlsnarf' - the latter, coming from the 'dsniff' package, will accept a tcpdump-like expression on the commandline, and return all urls it sees in http requests from/to hosts matching that expression. Just grep on the output of that..

Greets,
Robert

--
Linux Generation
encrypted mail preferred. finger rvdm () debian org for my GnuPG/PGP key.
In any case, never let yourself be intimidated by a loudly barking lawyer.
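The partial URL matching discussed in the reply above can also be done outside the capture tool. The following is an added example, not part of the original post: it assumes the TCP payloads of plain-HTTP requests have already been extracted from a capture, rebuilds each request's URL from the request line and Host header, and keeps those at or beneath a monitored URL. The function names and the sample payloads are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def request_url(payload: bytes):
    """Return the absolute URL named by one HTTP request payload, or None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None  # not an HTTP request (e.g. TLS or other traffic)
    target = m.group(2).decode("latin-1")
    if target.lower().startswith("http://"):  # proxy-style absolute URI
        return target
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host" and target.startswith("/"):
            return "http://" + value.strip().decode("latin-1") + target
    return None  # origin-form request without a Host header

def matches(url: str, wanted: str) -> bool:
    """True when url is the wanted URL or a path beneath it."""
    try:
        u, w = urlsplit(url), urlsplit(wanted)
        same_site = (u.hostname, u.port or 80) == (w.hostname, w.port or 80)
    except ValueError:  # malformed port in the Host header
        return False
    base = w.path.rstrip("/")
    return same_site and (u.path == base or u.path.startswith(base + "/"))

def hits(payloads, wanted):
    """URLs seen in the payloads that fall under the monitored URL."""
    urls = (request_url(p) for p in payloads)
    return [u for u in urls if u and matches(u, wanted)]

SAMPLE_PAYLOADS = [  # constructed payloads, not captured traffic
    b"GET /private/index.html HTTP/1.1\r\nHost: WWW.Example.com\r\n\r\n",
    b"GET http://www.example.com/private HTTP/1.0\r\n\r\n",
    b"GET /privateer HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /private HTTP/1.1\r\nHost: other.example.com\r\n\r\n",
    b"\x16\x03\x01\x00\x05hello",
]

if __name__ == "__main__":
    for url in hits(SAMPLE_PAYLOADS, "http://www.example.com/private"):
        print(url)
```

Matching on the parsed host and a path-segment boundary avoids the false positive a plain substring grep would give for `/privateer`.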
Current thread:
- Ethereal Help Junginger, Jeremy (Sep 13)
- Re: Ethereal Help Dave Aitel (Sep 14)
- Re: Ethereal Help Don Faulkner (Sep 14)
- Re: Ethereal Help Robert van der Meulen (Sep 14)
- Re: Ethereal Help Chris Kuethe (Sep 16)
- <Possible follow-ups>
- RE: Ethereal Help Dell, Jeffrey (Sep 16)