Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

capture url's windows 7...

Posted on 2013-11-15
4
Medium Priority
?
718 Views
Last Modified: 2013-11-15
I'm setting up a whitelist for a firewall the hard way; I have to login to the remote servers and capture all the url's they use. I have Process Hacker and can see the url's but some are not up there long enough for me to use the info. One url is accessed just once a month for DRM checks and I can't afford to miss that. I need the ability to look at the record of all the url's. I'm guessing that windows 7 records them all but if not, perhaps there is software that does?
0
Comment
Question by:maxpi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39652086
You may use a protocol analyzer configured to filter on HTTP/S continuously, where the log file is stored to a centralized share.

Here's an example:
@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem        + WinPcap @ http://www.winpcap.org/install/default.htm
rem   OR
rem          TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo HTTP monitor v1.0 by Giovanni
set app=windump
set output=\\?\UNC\127.0.0.1\c$\HTTPID.txt
for /f "tokens=4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
	if not [%%i]==[Default] (
		for /f "tokens=3 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID /format:csv^|findstr "%%i"') do (
			for /f "delims=." %%i in ('!app! -D^|findstr "%%s"') do (      
				!app! -i %%i -n dst port 80 or dst port 443
			)
		)>>!output!
	)
)
if exist !output! type !output!

Open in new window

0
 
LVL 13

Accepted Solution

by:
duncanb7 earned 2000 total points
ID: 39652089
You need proxy server such as  Charles

http://www.charlesproxy.com/


in which there is a lot features you might need now  and in future
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39652106
Your firewall configured to log all outbound connections to a SYSLOG server (filtered at a later date) is another approach.

If you want to use wireshark, here's a good filter.

(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16
or for HTTP/S
(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16 && tcp.dstport == 80 || tcp.dstport == 443

Where 172.16.0.0/16 represents the CIDR notation of your LAN.

Here's a modified version to capture all TCP SYN connections, where the dest ip addr is not on your LAN.

@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem        + WinPcap @ http://www.winpcap.org/install/default.htm
rem   OR
rem          TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo TCP SYN monitor v1.0 by Giovanni
set app=windump
set output=\\?\UNC\127.0.0.1\c$\synmon.txt
rem modify to central share if desired (e.g. \\?\UNC\server.domain.local\share\path\synmon_%computername%.txt )
for /f "tokens=3,4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
	set gw=%%i
	set ip=%%j
	if not [!ip!]==[Default] (
		for /f "tokens=3,4 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID^,IPSubnet /format:csv^|findstr "!ip!"') do (
			set mask=%%s
			set mask=!mask:~1,-4!
			for /f %%n in ('route print -4^|find "!mask!"') do set net=%%n
			echo ip: !ip!
			echo network: !net!
			echo mask: !mask!
			echo gateway: !gw!
			echo Begin TCP SYN capture on %date% at %time% from %computername% [!ip!/!mask!] as %userdomain%\%username%>>!output!
			for /f "delims=." %%i in ('!app! -D^|findstr "%%t"') do (      
				!app! -i %%i -n "tcp[13] = 2 and not dst net !net! mask !mask!"
			)>>!output!
		)
	)
)
if exist !output! type !output!

Open in new window


Sample output:
Begin capture on Fri 11/15/2013 at 14:16:53.18 from GSTYLE [192.168.0.88/255.255.0.0] as gstyle\giovanni
14:05:40.807629 IP 192.168.0.88.13412 > 65.55.57.27.443: S 3069452311:3069452311(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.712707 IP 192.168.0.88.13413 > 23.7.198.235.443: S 2695754706:2695754706(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.740652 IP 192.168.0.88.13414 > 65.54.87.241.443: S 1559914944:1559914944(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.741716 IP 192.168.0.88.13415 > 65.54.87.241.443: S 2572514902:2572514902(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:42.195205 IP 192.168.0.88.13416 > 23.7.198.235.443: S 1813119667:1813119667(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

Syntax Highlighted Ref: http://pastebin.com/DhkNF8wy

Can be deployed via GPO to all relevant hosts.
0
 

Author Closing Comment

by:maxpi
ID: 39652812
I probably have the skills to get up to speed with that...
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Postmortem reporting allow us to examine mistakes in a way that focuses on the situational aspects of a failure’s mechanism and the decision-making process of individuals proximate to the failure. Read our guide on how to handle IT post-mortem repor…
In this blog, we’ll look at how improvements to Percona XtraDB Cluster improved IST performance.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question