Solved

capture url's windows 7...

Posted on 2013-11-15
4
686 Views
Last Modified: 2013-11-15
I'm setting up a whitelist for a firewall the hard way; I have to login to the remote servers and capture all the url's they use. I have Process Hacker and can see the url's but some are not up there long enough for me to use the info. One url is accessed just once a month for DRM checks and I can't afford to miss that. I need the ability to look at the record of all the url's. I'm guessing that windows 7 records them all but if not, perhaps there is software that does?
0
Comment
Question by:maxpi
  • 2
4 Comments
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39652086
You may use a protocol analyzer configured to filter on HTTP/S continuously, where the log file is stored to a centralized share.

Here's an example:
@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem        + WinPcap @ http://www.winpcap.org/install/default.htm
rem   OR
rem          TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo HTTP monitor v1.0 by Giovanni
set app=windump
set output=\\?\UNC\127.0.0.1\c$\HTTPID.txt
for /f "tokens=4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
	if not [%%i]==[Default] (
		for /f "tokens=3 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID /format:csv^|findstr "%%i"') do (
			for /f "delims=." %%i in ('!app! -D^|findstr "%%s"') do (      
				!app! -i %%i -n dst port 80 or dst port 443
			)
		)>>!output!
	)
)
if exist !output! type !output!

Open in new window

0
 
LVL 13

Accepted Solution

by:
duncanb7 earned 500 total points
ID: 39652089
You need proxy server such as  Charles

http://www.charlesproxy.com/


in which there is a lot features you might need now  and in future
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39652106
Your firewall configured to log all outbound connections to a SYSLOG server (filtered at a later date) is another approach.

If you want to use wireshark, here's a good filter.

(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16
or for HTTP/S
(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16 && tcp.dstport == 80 || tcp.dstport == 443

Where 172.16.0.0/16 represents the CIDR notation of your LAN.

Here's a modified version to capture all TCP SYN connections, where the dest ip addr is not on your LAN.

@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem        + WinPcap @ http://www.winpcap.org/install/default.htm
rem   OR
rem          TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo TCP SYN monitor v1.0 by Giovanni
set app=windump
set output=\\?\UNC\127.0.0.1\c$\synmon.txt
rem modify to central share if desired (e.g. \\?\UNC\server.domain.local\share\path\synmon_%computername%.txt )
for /f "tokens=3,4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
	set gw=%%i
	set ip=%%j
	if not [!ip!]==[Default] (
		for /f "tokens=3,4 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID^,IPSubnet /format:csv^|findstr "!ip!"') do (
			set mask=%%s
			set mask=!mask:~1,-4!
			for /f %%n in ('route print -4^|find "!mask!"') do set net=%%n
			echo ip: !ip!
			echo network: !net!
			echo mask: !mask!
			echo gateway: !gw!
			echo Begin TCP SYN capture on %date% at %time% from %computername% [!ip!/!mask!] as %userdomain%\%username%>>!output!
			for /f "delims=." %%i in ('!app! -D^|findstr "%%t"') do (      
				!app! -i %%i -n "tcp[13] = 2 and not dst net !net! mask !mask!"
			)>>!output!
		)
	)
)
if exist !output! type !output!

Open in new window


Sample output:
Begin capture on Fri 11/15/2013 at 14:16:53.18 from GSTYLE [192.168.0.88/255.255.0.0] as gstyle\giovanni
14:05:40.807629 IP 192.168.0.88.13412 > 65.55.57.27.443: S 3069452311:3069452311(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.712707 IP 192.168.0.88.13413 > 23.7.198.235.443: S 2695754706:2695754706(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.740652 IP 192.168.0.88.13414 > 65.54.87.241.443: S 1559914944:1559914944(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.741716 IP 192.168.0.88.13415 > 65.54.87.241.443: S 2572514902:2572514902(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:42.195205 IP 192.168.0.88.13416 > 23.7.198.235.443: S 1813119667:1813119667(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

Syntax Highlighted Ref: http://pastebin.com/DhkNF8wy

Can be deployed via GPO to all relevant hosts.
0
 

Author Closing Comment

by:maxpi
ID: 39652812
I probably have the skills to get up to speed with that...
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenario: Your operations manager has discovered an anomaly in your security system. The business will start to suffer within 15 minutes if it is a major IT incident. What should she do? We have 6 recommendations for managing major incidents (https:…
IT certifications are a concrete representation of continual learning on the part of the candidate.  Continual learning is necessary for the long term success of an IT professional, but are IT certifications the right path for you?
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question