Penetration Testing mailing list archives

Re: Ethereal Help


From: Robert van der Meulen <rvdm () cistron nl>
Date: Fri, 14 Sep 2001 08:34:50 -0700

Hi,

Quoting Junginger, Jeremy (jjunginger () Calence com):
> I need to write a filter rule for ethereal that tracks all access to
> a specific URL (not ip address).  Is this possible, and if so, how?
> Thanks!

You need to use a 'read filter' expression, matching something in the
'http.request' field.
I would use a combination of 'ip.dst' matchers (for the destination IP, to
let the pcap layer do some of the preliminary filtering), probably a
'tcp.port == 80' match as well, and a 'http.request eq
http://somesite.com/pr0n'-ish filter.
I'm not sure how to do partial matching or regexp-like matching (as a
matter of fact, I think that's not possible with ethereal).

You might want to consider looking into different tools for the job, like
'ngrep' or even 'urlsnarf' - the latter, coming from the 'dsniff' package,
will accept a tcpdump-like expression on the commandline, and return all
urls it sees in http requests from/to hosts matching that expression. Just
grep on the output of that.

Greets,
        Robert
-- 
                              Linux Generation
   encrypted mail preferred. finger rvdm () debian org for my GnuPG/PGP key.
  In any case, never let yourself be intimidated by a loudly barking lawyer.
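
Added example, not part of the message above and not code from ethereal or dsniff: a minimal sketch of the URL matching the reply describes, rebuilding each request's URL from the request line and the Host header and then applying a regular expression for partial matches. The function names and the sample payloads are constructed for illustration; the sketch assumes plain HTTP where each payload begins at a request line.

```python
import re

# Constructed sample: TCP payloads as a sniffer would capture them on port 80.
SAMPLE_PAYLOADS = [
    b"GET /pr0n/index.html HTTP/1.1\r\nHost: somesite.com\r\n\r\n",
    b"GET /news HTTP/1.1\r\nHost: somesite.com\r\n\r\n",
    # absolute-form request target, as sent to a proxy; no Host header
    b"GET http://SomeSite.com:80/pr0n?id=7 HTTP/1.0\r\n\r\n",
    b"POST /pr0n/upload HTTP/1.1\r\nhost: other.example\r\n\r\n",
    b"\x16\x03\x01\x00\xa5 not an HTTP request",
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def request_url(payload):
    """Return (method, url) for an HTTP request payload, else None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    target = m.group(2).decode("latin-1")
    if target.lower().startswith("http://"):
        host, _, rest = target[7:].partition("/")
        path = "/" + rest
    else:
        # origin-form: the request line has only the path, the site name
        # is in the Host header (field names are case-insensitive)
        host, path = "", target
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("latin-1")
                break
    host = host.lower()
    if host.endswith(":80"):
        host = host[:-3]  # default port, so both spellings compare equal
    return m.group(1).decode("ascii"), "http://" + host + path


def find_requests(payloads, pattern):
    """Return (method, url) for every request whose URL matches the regex."""
    rx = re.compile(pattern)
    parsed = (request_url(p) for p in payloads)
    return [r for r in parsed if r and rx.search(r[1])]


if __name__ == "__main__":
    for method, url in find_requests(SAMPLE_PAYLOADS, r"^http://somesite\.com/pr0n"):
        print(method, url)
```

Matching on the rebuilt URL rather than on the destination IP also separates name-based virtual hosts that share one address.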
