maxpi
asked on
capture url's windows 7...
I'm setting up a whitelist for a firewall the hard way; I have to login to the remote servers and capture all the url's they use. I have Process Hacker and can see the url's but some are not up there long enough for me to use the info. One url is accessed just once a month for DRM checks and I can't afford to miss that. I need the ability to look at the record of all the url's. I'm guessing that windows 7 records them all but if not, perhaps there is software that does?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Your firewall configured to log all outbound connections to a SYSLOG server (filtered at a later date) is another approach.
If you want to use wireshark, here's a good filter.
(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16
or for HTTP/S
(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16 && tcp.dstport == 80 || tcp.dstport == 443
Where 172.16.0.0/16 represents the CIDR notation of your LAN.
Here's a modified version to capture all TCP SYN connections, where the dest ip addr is not on your LAN.
Sample output:
Syntax Highlighted Ref: http://pastebin.com/DhkNF8
Can be deployed via GPO to all relevant hosts.
If you want to use wireshark, here's a good filter.
(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16
or for HTTP/S
(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16 && tcp.dstport == 80 || tcp.dstport == 443
Where 172.16.0.0/16 represents the CIDR notation of your LAN.
Here's a modified version to capture all TCP SYN connections, where the dest ip addr is not on your LAN.
@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem + WinPcap @ http://www.winpcap.org/install/default.htm
rem OR
rem TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo TCP SYN monitor v1.0 by Giovanni
set app=windump
set output=\\?\UNC\127.0.0.1\c$\synmon.txt
rem modify to central share if desired (e.g. \\?\UNC\server.domain.local\share\path\synmon_%computername%.txt )
for /f "tokens=3,4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
set gw=%%i
set ip=%%j
if not [!ip!]==[Default] (
for /f "tokens=3,4 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID^,IPSubnet /format:csv^|findstr "!ip!"') do (
set mask=%%s
set mask=!mask:~1,-4!
for /f %%n in ('route print -4^|find "!mask!"') do set net=%%n
echo ip: !ip!
echo network: !net!
echo mask: !mask!
echo gateway: !gw!
echo Begin TCP SYN capture on %date% at %time% from %computername% [!ip!/!mask!] as %userdomain%\%username%>>!output!
for /f "delims=." %%i in ('!app! -D^|findstr "%%t"') do (
!app! -i %%i -n "tcp[13] = 2 and not dst net !net! mask !mask!"
)>>!output!
)
)
)
if exist !output! type !output!Sample output:
Begin capture on Fri 11/15/2013 at 14:16:53.18 from GSTYLE [192.168.0.88/255.255.0.0]as gstyle\giovanni
14:05:40.807629 IP 192.168.0.88.13412 > 65.55.57.27.443: S 3069452311:3069452311(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.712707 IP 192.168.0.88.13413 > 23.7.198.235.443: S 2695754706:2695754706(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.740652 IP 192.168.0.88.13414 > 65.54.87.241.443: S 1559914944:1559914944(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.741716 IP 192.168.0.88.13415 > 65.54.87.241.443: S 2572514902:2572514902(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:42.195205 IP 192.168.0.88.13416 > 23.7.198.235.443: S 1813119667:1813119667(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
Syntax Highlighted Ref: http://pastebin.com/DhkNF8
Can be deployed via GPO to all relevant hosts.
ASKER
I probably have the skills to get up to speed with that...
Here's an example:
Open in new window