Sniffing the URL requested by an app

I have an app that is requesting content from various web servers (it's spyware). It's playing video advertisements at me all day. It's locked out the controls that would let me check the clip status (and therefore get the URL). It is using Windows Media Player.

I would like an app that I can run and it would monitor connections and tell me the URL to any content it accesses. What would you recommend? I've used Ethereal in the past but found it a little clunky for something so single-purposed.
hibbidiji Asked:
 
sciwriter Commented:
Here are some "free" ones you could look at --

Urlybird -- here -- http://www.5cup.com/sort2/Internet_Utilities-Tools___Utilities-122.html
packet sniffer -- http://www.packet-sniffer.net/
spy catcher -- http://www.tenebril.com/products/ghostsurf/newinspycatcher.html

Of course there is HijackThis, http://www.greyknight17.com/spy/HijackThis.exe
but that really doesn't analyze much in the way of URLs, just reports the system state.
0
 
sciwriter Commented:
If you install Adaware SE or another spyware program like it, this software will detect most of the spyware on the system, and you can simply delete the registry keys. But before you delete them, you can go into those registry keys and find the originating server it is polling directly -- as well as using a hex editor to view the contents of any EXEs that this spyware is calling. In most cases of spyware, the URLs that are chosen are live generated each day, or each hour, sometimes, by a spy server site, and if you can find exactly what that site is, plus the attached query, you've got a realtime hook into all the spyware content that will be delivered from the server -- say hhtp://153a.xtp1247.axu.net/143?ax=1&td=4c

The items after the query are key to what the URL will deliver, don't miss them.  This way you have the originating hook, which seems better to me than trying to track random URLs which can, and probably will be coming from a host of other sites simply spawned by the originating site, like a diversionary tactic.
0
 
hibbidiji Author Commented:
I'm aware of how these rats work... I really just need a good lead on some way to check the URLs that are being called. I can read the GETs and figure out affiliate ID etc. for clickthroughs. I am not able to read the URLs in the hex because they've all been (it looks like) b64 encoded or otherwise obfuscated just enough to make it difficult to see them... Any ideas on a good sniffing app?
0
 
snerkel Commented:
I would install Sygate http://smb.sygate.com/download_buy.htm; as part of the firewall function it logs connections and shows the application making the connection. I find this the easiest way of quickly seeing what connects to where.

Another way would be TCPView from http://www.sysinternals.com; this doesn't need installing and just monitors the TCP connections of all processes and programs. Again, this should show wmplayer.exe and the sites it is accessing.

Both programs are free.
0
 
pseudocyber Commented:
Simply run Ethereal on your machine while you're surfing. Then, you can stop the sniff, open it, and inspect the captures to see the IP addresses and the URLs - assuming they're not encrypted.
0
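What inspecting a capture for URLs comes down to, as an added example that is not part of the original thread: the URL of a plaintext HTTP request is rebuilt from its request line and Host header, while encrypted traffic yields nothing. The payload bytes, the `example.test` host and the helper names are constructed for illustration.

```python
from urllib.parse import urlsplit

METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

# Constructed TCP payloads, as they might be copied out of a capture.
SAMPLE_PAYLOADS = [
    b"GET /clips/ad.asf?aff=1234&td=4c HTTP/1.1\r\n"
    b"User-Agent: constructed-sample\r\nHost: media.example.test\r\n\r\n",
    b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x01",   # start of a TLS handshake
    b"GET /track.gif?id=7 HTTP/1.0\r\n\r\n",            # HTTP/1.0, no Host header
]

def url_from_payload(payload, fallback_host=None):
    """Rebuild the requested URL from one plaintext HTTP request, else None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        return None                      # encrypted, or not an HTTP request
    target = parts[1].decode("latin-1")
    if urlsplit(target).scheme in ("http", "https"):
        return target                    # absolute form, as sent to a proxy
    host = fallback_host                 # e.g. the packet's destination IP
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("latin-1")
            break
    return f"http://{host}{target}" if host else None

def urls_in_capture(payloads, fallback_host=None):
    """List every URL recoverable from the payloads, in capture order."""
    urls = (url_from_payload(p, fallback_host) for p in payloads)
    return [u for u in urls if u]

if __name__ == "__main__":
    for url in urls_in_capture(SAMPLE_PAYLOADS, fallback_host="203.0.113.25"):
        print(url)
```

The query string is kept intact because it is part of what the server uses to decide which content to deliver.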
 
fixnix Commented:
I agree with most of the above suggestions, but as a quick-n-dirty alternative without installing anything you can open a command prompt next time the video ad starts playing and type "netstat -o" to see all active connections to ports on your computer...as well as the process ID, click the processes tab, then view/select columns, and tick the PID box. Then you can match up what processes have what ports.

Personally, I'd rather use utils @ sysinternals.com like snerkel suggested, but I'm suggesting this as a "nothing to install" method.
0
 
fixnix Commented:
Whoops...seems I accidentally cut out a line above...

"to see all active connections to ports on your computer...as well as the process ID, click the processes tab, then view/select columns, and tick the PID box."

should have said:

"to see all active connections to ports on your computer...as well as the process ID, then hit <ctrl><alt><del>, open task manager, click the processes tab, then view/select columns, and tick the PID box."

Sorry for any confusion.
0
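The PID matching described in the two posts above can be scripted instead of read off Task Manager. This is an added example, not part of the original thread: it joins saved `netstat -no` output (`-n` added here to skip name resolution) with `tasklist /FO CSV /NH` output, and all sample text, addresses and PIDs are constructed.

```python
import csv
import io

# Constructed output of: netstat -no
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1043      203.0.113.25:80        ESTABLISHED     1832
  TCP    192.168.1.10:1044      198.51.100.7:80        ESTABLISHED     1832
  TCP    192.168.1.10:1050      192.0.2.44:443         TIME_WAIT       0
  TCP    127.0.0.1:1029         127.0.0.1:1030         ESTABLISHED     412
  TCP    192.168.1.10:1061      203.0.113.9:8080       ESTABLISHED     2044
  UDP    0.0.0.0:123            *:*                                    988
"""

# Constructed output of: tasklist /FO CSV /NH
TASKLIST_SAMPLE = '''\
"wmplayer.exe","1832","Console","0","18,432 K"
"svchost.exe","988","Console","0","4,120 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV rows."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def remote_endpoints(netstat_text, tasklist_csv, image=None):
    """Return (image, pid, remote) for established, non-loopback TCP connections."""
    names = pid_names(tasklist_csv)
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 5 columns; headers and UDP rows (no State) do not.
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue
        host = f[2].rsplit(":", 1)[0].strip("[]")
        if host in ("127.0.0.1", "::1"):
            continue                      # local IPC, not a remote server
        pid = int(f[4])
        name = names.get(pid, "unknown")  # process exited or not listed
        if image is None or name.lower() == image.lower():
            found.append((name, pid, f[2]))
    return found

if __name__ == "__main__":
    for row in remote_endpoints(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "wmplayer.exe"):
        print(row)
```

This yields remote addresses and ports only; recovering the URL itself still needs the request contents from a capture.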
 
arosboro Commented:
When the video plays, perhaps you could check the websites that your computer is connected to with netstat in the Command Prompt. You'll have to find patterns such as the port that media player is using, or a URL that stands out. Do netstat > log1.txt etc. to save text files to compare. I know, this method is really crude. In your situation I would be using a firewall or Ethereal like you mentioned.

www.analogx.com also has some lightweight apps that do netstats and packet monitoring.
0
 
hibbidiji Author Commented:
I'm beginning to think that this is a program I should write :) None of the apps have done exactly what I want. Sciwriter gets the points. I will post later once I've written the app.
0
 
sciwriter Commented:
Do it --  hibbidiji -- There is a lot of stuff like this that needs creative talent with a fresh perspective.  Let me know how it works out....
0
Question has a verified solution.
