Solved

Capture URLs on Windows 7...

Posted on 2013-11-15
705 Views
Last Modified: 2013-11-15
I'm setting up a whitelist for a firewall the hard way; I have to log in to the remote servers and capture all the URLs they use. I have Process Hacker and can see the URLs, but some are not up there long enough for me to use the info. One URL is accessed just once a month for DRM checks and I can't afford to miss that. I need the ability to look at the record of all the URLs. I'm guessing that Windows 7 records them all, but if not, perhaps there is software that does?
0
Question by: maxpi
4 Comments
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39652086
You may use a protocol analyzer configured to filter on HTTP/S continuously, where the log file is stored to a centralized share.

Here's an example:
@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem        + WinPcap @ http://www.winpcap.org/install/default.htm
rem   OR
rem          TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo HTTP monitor v1.0 by Giovanni
set app=windump
rem Capture log; point this at a central share to collect from many hosts
set output=\\?\UNC\127.0.0.1\c$\HTTPID.txt
rem 1) Take the interface IP (4th token) of the default route (0.0.0.0)
rem 2) Map that IP to the adapter GUID (SettingID, 3rd CSV column) via WMIC
rem 3) Map the GUID to the WinDump interface number from "windump -D"
rem 4) Capture traffic to destination port 80 or 443 on that interface, appending to the log
rem    (windump runs until interrupted with Ctrl+C; the "type" at the end then shows the log)
for /f "tokens=4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
	if not [%%i]==[Default] (
		for /f "tokens=3 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID /format:csv^|findstr "%%i"') do (
			for /f "delims=." %%i in ('!app! -D^|findstr "%%s"') do (
				!app! -i %%i -n dst port 80 or dst port 443
			)
		)>>!output!
	)
)
if exist !output! type !output!

0
 
LVL 13

Accepted Solution

by: duncanb7 (earned 500 total points)
ID: 39652089
You need a proxy server such as Charles

http://www.charlesproxy.com/

which has a lot of features you might need now and in the future.
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39652106
Your firewall configured to log all outbound connections to a SYSLOG server (filtered at a later date) is another approach.

If you want to use Wireshark, here's a good filter:

(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16

or, for HTTP/S:

(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16 && (tcp.dstport == 80 || tcp.dstport == 443)

where 172.16.0.0/16 represents the CIDR notation of your LAN.

Here's a modified version that captures all TCP SYN connections where the destination IP address is not on your LAN.

@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem        + WinPcap @ http://www.winpcap.org/install/default.htm
rem   OR
rem          TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo TCP SYN monitor v1.0 by Giovanni
set app=windump
set output=\\?\UNC\127.0.0.1\c$\synmon.txt
rem modify to central share if desired (e.g. \\?\UNC\server.domain.local\share\path\synmon_%computername%.txt )
rem 1) From the default route take the gateway (3rd token) and interface IP (4th token)
rem 2) WMIC CSV columns are Node,IPAddress,IPSubnet,SettingID: %%s = subnet mask list, %%t = adapter GUID
rem 3) Trim "{" and the trailing IPv6 prefix length from the mask list to get the IPv4 mask
rem 4) Look up the network address for that mask in the routing table
rem 5) Capture SYN-only segments (tcp[13] = 2) whose destination is outside the local network
rem    (windump runs until interrupted with Ctrl+C; the "type" at the end then shows the log)
for /f "tokens=3,4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
	set gw=%%i
	set ip=%%j
	if not [!ip!]==[Default] (
		for /f "tokens=3,4 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID^,IPSubnet /format:csv^|findstr "!ip!"') do (
			set mask=%%s
			set mask=!mask:~1,-4!
			for /f %%n in ('route print -4^|find "!mask!"') do set net=%%n
			echo ip: !ip!
			echo network: !net!
			echo mask: !mask!
			echo gateway: !gw!
			echo Begin TCP SYN capture on %date% at %time% from %computername% [!ip!/!mask!] as %userdomain%\%username%>>!output!
			for /f "delims=." %%i in ('!app! -D^|findstr "%%t"') do (
				!app! -i %%i -n "tcp[13] = 2 and not dst net !net! mask !mask!"
			)>>!output!
		)
	)
)
if exist !output! type !output!


Sample output:
Begin capture on Fri 11/15/2013 at 14:16:53.18 from GSTYLE [192.168.0.88/255.255.0.0] as gstyle\giovanni
14:05:40.807629 IP 192.168.0.88.13412 > 65.55.57.27.443: S 3069452311:3069452311(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.712707 IP 192.168.0.88.13413 > 23.7.198.235.443: S 2695754706:2695754706(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.740652 IP 192.168.0.88.13414 > 65.54.87.241.443: S 1559914944:1559914944(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.741716 IP 192.168.0.88.13415 > 65.54.87.241.443: S 2572514902:2572514902(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:42.195205 IP 192.168.0.88.13416 > 23.7.198.235.443: S 1813119667:1813119667(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

Syntax Highlighted Ref: http://pastebin.com/DhkNF8wy

Can be deployed via GPO to all relevant hosts.
0
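Both of Giovanni's scripts above leave you with raw windump lines, so building the firewall whitelist still takes a parsing step; the asker's once-a-month DRM check also means captures from several runs have to be merged. The following is an added example, not code from the thread: it parses the SYN lines in the sample output format shown above (the sample below is constructed), drops destinations inside the LAN ranges (assumed RFC 1918 defaults; pass your own CIDR as the post suggests), and aggregates each external destination IP/port with hit count and first/last seen. Note that a SYN capture yields IP addresses and ports, not URLs; hostnames would need DNS resolution or the HTTP Host / TLS SNI field, which a proxy such as Charles shows directly.

```python
import re
import ipaddress

# Constructed sample in the windump/tcpdump format from the post above (not real capture data).
SAMPLE_CAPTURE = """\
Begin capture on Fri 11/15/2013 at 14:16:53.18 from HOST1 [192.168.0.88/255.255.0.0] as dom\\user
14:05:40.807629 IP 192.168.0.88.13412 > 65.55.57.27.443: S 3069452311:3069452311(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.712707 IP 192.168.0.88.13413 > 23.7.198.235.443: S 2695754706:2695754706(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.740652 IP 192.168.0.88.13414 > 65.54.87.241.443: S 1559914944:1559914944(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:42.195205 IP 192.168.0.88.13416 > 23.7.198.235.443: S 1813119667:1813119667(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:43.001000 IP 192.168.0.88.13417 > 192.168.5.10.80: S 1:1(0) win 8192 <mss 1460>
"""

# One SYN line: <time> IP <src>.<sport> > <dst>.<dport>: S ...
SYN_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S "
)

def summarize_syns(text, lan_cidrs=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return {(dst_ip, dst_port): {count, first, last}} for destinations outside lan_cidrs.

    Feed the concatenated contents of several capture files to merge runs; the
    'first'/'last' fields carry the capture timestamps so rare destinations stand out.
    """
    lans = [ipaddress.ip_network(c) for c in lan_cidrs]
    seen = {}
    for line in text.splitlines():
        m = SYN_LINE.match(line)
        if not m:
            continue  # skips the "Begin capture" banner and anything unparsable
        if any(ipaddress.ip_address(m["dst"]) in net for net in lans):
            continue  # internal destination: not a whitelist candidate
        key = (m["dst"], int(m["dport"]))
        rec = seen.setdefault(key, {"count": 0, "first": m["ts"], "last": m["ts"]})
        rec["count"] += 1
        rec["last"] = m["ts"]
    return seen

def whitelist_rules(summary):
    """Render the aggregated destinations as vendor-neutral allow rules, sorted for diffing."""
    return sorted(f"allow tcp to {ip} port {port}" for ip, port in summary)

if __name__ == "__main__":
    for rule in whitelist_rules(summarize_syns(SAMPLE_CAPTURE)):
        print(rule)
```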
 

Author Closing Comment

by:maxpi
ID: 39652812
I probably have the skills to get up to speed with that...
0
