network monitoring
Posted by Zach on September 16th, 2007


Hi

I would like a program (I use Windows XP) to monitor all of the
websites that I visit in real time.

I really want to know whether malware is accessing specific domains /
IPs, and I currently have no way of viewing this. What I don't want is
a tool to "spy" on a computer and monitor websites entered. Instead, I
need some kind of traffic analysis tool.

Thanks

Zach

Posted by why? on September 16th, 2007



On Sun, 16 Sep 2007 18:07:45 -0000, Zach wrote:

Unless it's really vital real time isn't needed.

Get rid of the malware, then you don't need to worry about what it's
connecting to.

That contradicts what you said earlier: "all of the websites" against
"don't want a tool ... and monitor websites entered".

Simple method is running a web browser proxy: you change your browser
settings to run through the proxy, which logs requests from the browser.

There are quite a few, try any of the often posted shareware / freeware
sites mentioned in 24HSHD, search from
http://groups.google.com/group/24hou...elpdesk/topics
or
www.google.com
for
windows xp proxy server
http monitor

No you don't, you need a good AV, antispyware, FW that looks after all
this for you.

Look for ntop, various http monitors, simple sniffers, stuff from
snapfiles.com, iptraf, network probe lite (if still available).

For traffic, see http://www.wireshark.org/

Picking a random URL from bookmarks and running the above generates 217
frames of data when clicking the homepage button (to mozilla home). It's
very unlikely you need that. It is possible to set up filters of course.

For a simple GET of a URL, the request looks like:

No.  Time      Source       Destination    Protocol  Info
1    0.000000  192.168.0.5  63.245.213.12  HTTP      GET /projects/seamonkey/ HTTP/1.1

Frame 1 (358 bytes on wire, 358 bytes captured)
Arrival Time: Sep 16, 2007 22:15:25.508634000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 358 bytes
Capture Length: 358 bytes
Protocols in frame: eth:ip:tcp:http
Coloring Rule Name: Checksum Errors
Coloring Rule String: edp.checksum_bad==1 || ip.checksum_bad==1 ||
tcp.checksum_bad || udp.checksum_bad
Ethernet II, Src: 00:0e:0c:9c:6e:fb (00:0e:0c:9c:6e:fb), Dst:
00:a0:c5:e4:e9:c4 (00:a0:c5:e4:e9:c4)
Destination: 00:a0:c5:e4:e9:c4 (00:a0:c5:e4:e9:c4)
Address: 00:a0:c5:e4:e9:c4 (00:a0:c5:e4:e9:c4)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST
frame
.... ..0. .... .... .... .... = Locally Administrated Address:
This is a FACTORY DEFAULT address
Source: 00:0e:0c:9c:6e:fb (00:0e:0c:9c:6e:fb)
Address: 00:0e:0c:9c:6e:fb (00:0e:0c:9c:6e:fb)
.... ...0 .... .... .... .... = Multicast: This is a UNICAST
frame
.... ..0. .... .... .... .... = Locally Administrated Address:
This is a FACTORY DEFAULT address
Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.5 (192.168.0.5), Dst: 63.245.213.12
(63.245.213.12)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 344
Identification: 0x9782 (38786)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x0000 [incorrect, should be 0x8c6e]
Good: False
Bad : True
Source: 192.168.0.5 (192.168.0.5)
Destination: 63.245.213.12 (63.245.213.12)
Transmission Control Protocol, Src Port: 9725 (9725), Dst Port: 80 (80),
Seq: 0, Ack: 0, Len: 304
Source port: 9725 (9725)
Destination port: 80 (80)
Sequence number: 0 (relative sequence number)
Next sequence number: 304 (relative sequence number)
Acknowledgement number: 0 (relative ack number)
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0xd6f9 [incorrect, should be 0xf9f5]
Hypertext Transfer Protocol
GET /projects/seamonkey/ HTTP/1.1\r\n
Request Method: GET
Request URI: /projects/seamonkey/
Request Version: HTTP/1.1
Host: www.mozilla.org\r\n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.1.6) Gecko/20070802 SeaMonkey/1.1.4\r\n
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
Accept-Language: en-us,en;q=0.5\r\n



Me
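
As an added example (not from the thread or any poster), a Python script that takes the fields from the Wireshark decode above, recomputes the IPv4 header checksum to show that the "incorrect, should be 0x8c6e" is NIC checksum offload on the sending host rather than corruption, and reduces the HTTP request to the host / URI / destination summary Zach asked for, checked against a watchlist. The WATCHLIST contents are an assumption; the packet fields are constructed from the decode shown.

```python
import struct
from ipaddress import IPv4Address

# Values constructed from the Wireshark decode above (frame 1 of the capture).
CAPTURED_IP = {"total_length": 344, "identification": 0x9782, "dont_fragment": True,
               "ttl": 128, "protocol": 6, "checksum_on_wire": 0x0000,
               "src": "192.168.0.5", "dst": "63.245.213.12"}
CAPTURED_HTTP = (b"GET /projects/seamonkey/ HTTP/1.1\r\n"
                 b"Host: www.mozilla.org\r\n"
                 b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; "
                 b"rv:1.8.1.6) Gecko/20070802 SeaMonkey/1.1.4\r\n"
                 b"Accept-Language: en-us,en;q=0.5\r\n\r\n")
# Hypothetical watchlist of domains / IPs the poster wants to be alerted on.
WATCHLIST = {"63.245.213.12", "www.mozilla.org"}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's-complement sum of 16-bit words, checksum field zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(f: dict, checksum: int = 0) -> bytes:
    """Pack a 20-byte IPv4 header (no options) from the decoded fields."""
    flags_frag = 0x4000 if f["dont_fragment"] else 0   # DF bit, fragment offset 0
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, f["total_length"],
                       f["identification"], flags_frag, f["ttl"], f["protocol"],
                       checksum, IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed)

def checksum_verdict(f: dict) -> tuple:
    """(expected checksum, verdict). A zero checksum on a frame captured on the
    sending host means the NIC fills it in after the sniffer saw the packet."""
    expected = ipv4_checksum(build_ipv4_header(f, checksum=0))
    if f["checksum_on_wire"] == expected:
        return expected, "ok"
    if f["checksum_on_wire"] == 0:
        return expected, "offloaded"
    return expected, "corrupt"

def summarize_request(dst_ip: str, payload: bytes) -> dict:
    """Reduce a plaintext HTTP request to the one-line summary the poster asked for."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    host = headers.get("host", dst_ip)       # fall back to the IP when no Host header
    return {"method": method, "uri": uri, "host": host, "dst": dst_ip,
            "flagged": bool({host, dst_ip} & WATCHLIST)}
```

Run the same check over every outbound frame and the "Checksum Errors" coloring in the capture above turns out to be the offload case, not a broken network.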

Posted by VanguardLH on September 16th, 2007


"Zach" wrote ...
Why would malware only connect to *web* sites? They'll connect to
whatever host they've been told to connect to. As long as there is a
process listening on the port on the host they've been told to connect
to, then they can connect there. Doesn't have to be a web server that is
running on that host and listening on that port.

Learn to use your firewall's logs. Or get a better firewall. Or get
a packet sniffer to monitor all your traffic (and perhaps filter to
see just the protocols you want to monitor).


Posted by Pennywise@DerryMaine.Gov on September 17th, 2007


Zach <zach.bastick@gmail.com> wrote:

For something simple, google:
TCPview

It will show what programs are accessing the net, and at which sites.

--

http://www.rav.efbnet.com/humour/ohshit-cat.jpg