Wireshark-users: Re: [Wireshark-users] How to see HTTP hosts visited
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: "Gary Fritz" <fritz@xxxxxxxx>
Date: Mon, 12 Nov 2007 15:34:16 -0600
From: Stephen Fisher <stephentfisher@xxxxxxxxx> 
> What does your network setup look like?  Do you have separate wireless
> AP, router, cable/dsl modem?  Or which parts are combined into one? 

Our home network looks something like this (sorry for the ASCII graphics): 

Linksys
WRT54G -------- switch -------- switch ---- my PC
(wifi hub)
     |
     |
other PCs

The Linksys is acting as a "DSL" modem (although my broadband 
connection is actually wireless), router, and wireless AP.

So I have 2 switches between the router and my PC.  Could that be part of 
the problem?

> You could monitor the wifi through another wifi connection only if your
> operating system & wireless driver support promiscuous mode, which is not
> common (especially on Windows).

Hm.  And I am running on Windows -- XP Home & Pro.  The promiscuous-
mode option is checked in the "Capture Options" dialog.

> Ideally you would monitor his machine by installing Wireshark on his
> machine, but that may give away what you're trying to do :).

Yeah, that's not ideal for me.  :-)

> Since the initial sites visited are typically the only time HTML is
> loaded (the accesses to other sites are usually graphics), this display
> filter should help narrow it down:
> 
>  ip.addr == 192.168.1.106 && http && http.content_type contains
>  "text/html"

Hm, no, I'm still seeing requests for googleadservices.com, 
pagead.l.google.com, rcm.amazon,com, some gifs and jpgs, etc.  A lot of the 
sites I'm seeing are requesting p3p.xml files or similar.  

And it doesn't seem to be capturing all the actual browse requests.  E.g. if I 
browse to www.dogpile.com (my son's favorite search engine), nothing gets 
through the filter.

It's definitely better than I had come up with before.  The statistics report I 
was using before doesn't work with that filter, but the filtered output is better 
than the stat report was anyway.  If it just included all the hosts I browsed to, 
it would be "good enough" for now.

Except... I've just discovered that display filters and capture filters don't use 
the same syntax, sigh.  These packets pile up quickly without a filter.  I tried 
"port 80 and src <<my IP>>" and that helps, but I'm sure it's not optimal.  
Can you capture basically the same set of packets that the display filter 
shows?

Thanks for the start!
Gary