tcpdump URL extraction
After I studied some of the low-level sniffing tools like dsniff, Wireshark, Ettercap and tcpdump, I noticed that the "webspy" tool of the dsniff package is a really cool thing to have. But it's really difficult to use; it's just not like the usual network dumping tools!
So I wrote a bash script that runs tcpdump and processes its output, extracting the URLs that are visited through the interface (specified by the -i option) during the dump.
To use the script, save it as "URLsniffer", run chmod +x URLsniffer and execute it:
sudo ./URLsniffer
It's important that it's run as root, otherwise tcpdump won't function properly.
Here is the script:
```bash
#!/bin/bash
#
# URLsniffer: run tcpdump, pull the printable strings out of the raw packet
# stream and pair each HTTP "GET <path>" request line with the "Host:" header
# that follows it. Any extra arguments (e.g. -i eth0) are passed to tcpdump.

# reset variables
myhost=""
myurl=""
myoldhost=""
myoldurl=""

tcpdump -s 0 -w - -l "$@" | strings | while IFS= read -r line; do
    # filter GET request lines and keep only the request path
    myurl=$(echo "$line" | grep '^GET ' | sed -r 's/^GET (.*) HTTP.*/\1/')
    if [ "$myurl" == "" ]; then myurl=$myoldurl; fi
    # filter Host headers and keep only the host name
    myhost=$(echo "$line" | grep '^Host: ' | sed -r 's/^Host: (.*)/\1/')
    if [ "$myhost" == "" ]; then myhost=$myoldhost; fi
    # once we have a data pair, put them together and echo
    if [ "$myhost" != "" ]; then
        url="http://$myhost$myurl"
        echo "$url"
        myhost=""
        myurl=""
    fi
    # carry whichever half of the pair we have seen over to the next line
    myoldurl=$myurl
    myoldhost=$myhost
done
```
Attachment | Size |
---|---|
URLsniffer | 594 bytes |
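Added example, not the post's URLsniffer script: the same request-line/Host pairing written as a POSIX sh function that reads the `strings` output on stdin, so it can sit behind the live tcpdump pipeline or behind `tcpdump -r` on a saved capture. It goes a little beyond the script by accepting POST, HEAD and PUT as well as GET, a lower-case `host:` header, and absolute-form (proxy-style) request targets. The `-U` flag in the usage comment and the sample lines are my own additions.

```shell
#!/bin/sh
# extract_urls: read the lines that `strings` produces from a tcpdump packet
# stream on stdin and print "<method> <url>" for each HTTP request seen.
# Constructed example, not part of the original URLsniffer script.
#   live:    sudo tcpdump -s 0 -U -w - -i eth0 | strings | extract_urls
#   offline: tcpdump -r capture.pcap -w - | strings | extract_urls
extract_urls() {
    method=""
    target=""
    while IFS= read -r line; do
        case "$line" in
            "GET "*" HTTP/"* | "POST "*" HTTP/"* | "HEAD "*" HTTP/"* | "PUT "*" HTTP/"*)
                # request line: keep method and request-target until the Host header arrives
                method=${line%% *}
                rest=${line#* }
                target=${rest% HTTP/*}
                ;;
            [Hh][Oo][Ss][Tt]": "*)
                # Host header in any letter case, anchored at the line start so that
                # e.g. "X-Forwarded-Host:" is not taken for it; needs a pending request
                if [ -n "$target" ]; then
                    host=${line#*: }
                    case "$target" in
                        http://* | https://*)
                            # absolute-form target (proxy-style request) already names the host
                            printf '%s %s\n' "$method" "$target" ;;
                        *)
                            printf '%s http://%s%s\n' "$method" "$host" "$target" ;;
                    esac
                    method=""
                    target=""
                fi
                ;;
        esac
    done
}

# Constructed sample of what `strings` emits for a few plaintext requests.
sample_lines='GET /index.html HTTP/1.1
Host: example.com
User-Agent: test
POST /login HTTP/1.1
host: EXAMPLE.org:8080
X-Forwarded-Host: ignored.test
Host: orphan.test
GET http://proxy.test/p HTTP/1.1
Host: proxy.test'

printf '%s\n' "$sample_lines" | extract_urls
```

The orphan `Host:` line with no request line in front of it is dropped rather than printed as a host-only URL, which is the one place this deliberately differs from the script above.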