Solved

capture url's windows 7...

Posted on 2013-11-15
4
680 Views
Last Modified: 2013-11-15
I'm setting up a whitelist for a firewall the hard way; I have to login to the remote servers and capture all the url's they use. I have Process Hacker and can see the url's but some are not up there long enough for me to use the info. One url is accessed just once a month for DRM checks and I can't afford to miss that. I need the ability to look at the record of all the url's. I'm guessing that windows 7 records them all but if not, perhaps there is software that does?
0
Comment
Question by:maxpi
  • 2
4 Comments
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39652086
You may use a protocol analyzer configured to filter on HTTP/S continuously, where the log file is stored to a centralized share.

Here's an example:
@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem        + WinPcap @ http://www.winpcap.org/install/default.htm
rem   OR
rem          TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo HTTP monitor v1.0 by Giovanni
set app=windump
set output=\\?\UNC\127.0.0.1\c$\HTTPID.txt
for /f "tokens=4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
	if not [%%i]==[Default] (
		for /f "tokens=3 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID /format:csv^|findstr "%%i"') do (
			for /f "delims=." %%i in ('!app! -D^|findstr "%%s"') do (      
				!app! -i %%i -n dst port 80 or dst port 443
			)
		)>>!output!
	)
)
if exist !output! type !output!

Open in new window

0
 
LVL 13

Accepted Solution

by:
duncanb7 earned 500 total points
ID: 39652089
You need proxy server such as  Charles

http://www.charlesproxy.com/


in which there is a lot features you might need now  and in future
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39652106
Your firewall configured to log all outbound connections to a SYSLOG server (filtered at a later date) is another approach.

If you want to use wireshark, here's a good filter.

(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16
or for HTTP/S
(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16 && tcp.dstport == 80 || tcp.dstport == 443

Where 172.16.0.0/16 represents the CIDR notation of your LAN.

Here's a modified version to capture all TCP SYN connections, where the dest ip addr is not on your LAN.

@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem        + WinPcap @ http://www.winpcap.org/install/default.htm
rem   OR
rem          TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo TCP SYN monitor v1.0 by Giovanni
set app=windump
set output=\\?\UNC\127.0.0.1\c$\synmon.txt
rem modify to central share if desired (e.g. \\?\UNC\server.domain.local\share\path\synmon_%computername%.txt )
for /f "tokens=3,4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
	set gw=%%i
	set ip=%%j
	if not [!ip!]==[Default] (
		for /f "tokens=3,4 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID^,IPSubnet /format:csv^|findstr "!ip!"') do (
			set mask=%%s
			set mask=!mask:~1,-4!
			for /f %%n in ('route print -4^|find "!mask!"') do set net=%%n
			echo ip: !ip!
			echo network: !net!
			echo mask: !mask!
			echo gateway: !gw!
			echo Begin TCP SYN capture on %date% at %time% from %computername% [!ip!/!mask!] as %userdomain%\%username%>>!output!
			for /f "delims=." %%i in ('!app! -D^|findstr "%%t"') do (      
				!app! -i %%i -n "tcp[13] = 2 and not dst net !net! mask !mask!"
			)>>!output!
		)
	)
)
if exist !output! type !output!

Open in new window


Sample output:
Begin capture on Fri 11/15/2013 at 14:16:53.18 from GSTYLE [192.168.0.88/255.255.0.0] as gstyle\giovanni
14:05:40.807629 IP 192.168.0.88.13412 > 65.55.57.27.443: S 3069452311:3069452311(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.712707 IP 192.168.0.88.13413 > 23.7.198.235.443: S 2695754706:2695754706(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.740652 IP 192.168.0.88.13414 > 65.54.87.241.443: S 1559914944:1559914944(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.741716 IP 192.168.0.88.13415 > 65.54.87.241.443: S 2572514902:2572514902(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:42.195205 IP 192.168.0.88.13416 > 23.7.198.235.443: S 1813119667:1813119667(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>

Syntax Highlighted Ref: http://pastebin.com/DhkNF8wy

Can be deployed via GPO to all relevant hosts.
0
 

Author Closing Comment

by:maxpi
ID: 39652812
I probably have the skills to get up to speed with that...
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Permission issue? 10 68
Assess most serious Linux privilege escalation bug 17 164
Office365 Restricted Admin to OU 4 58
MDT 2013 Sysprep and Capture 1 58
Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question