Asked by maxpi
at 2024-11-15 11:06:08
Point:500 Replies:4 POST_ID:828795 USER_ID:11699
Topic:
Internet Protocols;Operating Systems Network Security;IT Administration
I'm setting up a whitelist for a firewall the hard way; I have to log in to the remote servers and capture all the URLs they use. I have Process Hacker and can see the URLs, but some are not up there long enough for me to use the info. One URL is accessed just once a month for DRM checks and I can't afford to miss that. I need the ability to look at the record of all the URLs. I'm guessing that Windows 7 records them all, but if not, perhaps there is software that does?
Author: maxpi replied at 2024-11-15 19:55:38
I probably have the skills to get up to speed with that...
Expert: Giovanni Heward replied at 2024-11-15 11:44:22
Your firewall configured to log all outbound connections to a SYSLOG server (filtered at a later date) is another approach.
If you want to use wireshark, here's a good filter.
(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16
or for HTTP/S
(tcp.flags.syn == 1) && ip.dst != 172.16.0.0/16 && (tcp.dstport == 80 || tcp.dstport == 443)
Where 172.16.0.0/16 represents the CIDR notation of your LAN.
Here's a modified version to capture all TCP SYN connections, where the dest ip addr is not on your LAN.
@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem + WinPcap @ http://www.winpcap.org/install/default.htm
rem OR
rem TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo TCP SYN monitor v1.0 by Giovanni
set app=windump
set output=\\?\UNC\127.0.0.1\c$\synmon.txt
rem modify to central share if desired (e.g. \\?\UNC\server.domain.local\share\path\synmon_%computername%.txt )
rem default route line of "route print": token 3 = gateway, token 4 = interface IP
for /f "tokens=3,4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
  set gw=%%i
  set ip=%%j
  if not [!ip!]==[Default] (
    rem look up the subnet mask and adapter GUID of the NIC that owns that IP
    for /f "tokens=3,4 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID^,IPSubnet /format:csv^|findstr "!ip!"') do (
      set mask=%%s
      set mask=!mask:~1,-4!
      for /f %%n in ('route print -4^|find "!mask!"') do set net=%%n
      echo ip: !ip!
      echo network: !net!
      echo mask: !mask!
      echo gateway: !gw!
      echo Begin TCP SYN capture on %date% at %time% from %computername% [!ip!/!mask!] as %userdomain%\%username%>>!output!
      rem pick the WinDump interface whose name contains the adapter GUID, then log
      rem SYN-only segments, tcp[13] = 2, i.e. new outbound connections leaving the LAN
      for /f "delims=." %%i in ('!app! -D^|findstr "%%t"') do (
        !app! -i %%i -n "tcp[13] = 2 and not dst net !net! mask !mask!"
      )>>!output!
    )
  )
)
if exist !output! type !output!
Sample output:
Begin capture on Fri 11/15/2013 at 14:16:53.18 from GSTYLE [192.168.0.88/255.255.0.0] as gstyle\giovanni
14:05:40.807629 IP 192.168.0.88.13412 > 65.55.57.27.443: S 3069452311:3069452311(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.712707 IP 192.168.0.88.13413 > 23.7.198.235.443: S 2695754706:2695754706(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.740652 IP 192.168.0.88.13414 > 65.54.87.241.443: S 1559914944:1559914944(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.741716 IP 192.168.0.88.13415 > 65.54.87.241.443: S 2572514902:2572514902(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:42.195205 IP 192.168.0.88.13416 > 23.7.198.235.443: S 1813119667:1813119667(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
Syntax Highlighted Ref: http://pastebin.com/DhkNF8wy
Can be deployed via GPO to all relevant hosts.
Accepted Solution
Expert: duncanb7 replied at 2024-11-15 11:37:59
500 points EXCELLENT
You need a proxy server such as Charles
http://www.charlesproxy.com/
which has a lot of features you might need now and in the future
Expert: Giovanni Heward replied at 2024-11-15 11:37:22
You may use a protocol analyzer configured to filter on HTTP/S continuously, where the log file is stored to a centralized share.
Here's an example:
@echo off
setlocal enabledelayedexpansion
rem Requires WinDump @ http://www.winpcap.org/windump/install/
rem + WinPcap @ http://www.winpcap.org/install/default.htm
rem OR
rem TCPDUMP @ http://www.microolap.com/products/network/tcpdump/
echo HTTP monitor v1.0 by Giovanni
set app=windump
set output=\\?\UNC\127.0.0.1\c$\HTTPID.txt
rem default route line of "route print": token 4 = interface IP
for /f "tokens=4" %%i in ('route print -4 0.*^|find "0.0.0.0"') do (
  if not [%%i]==[Default] (
    rem find the adapter GUID of the NIC that owns that IP
    for /f "tokens=3 delims=," %%s in ('wmic nicconfig get IPAddress^,SettingID /format:csv^|findstr "%%i"') do (
      rem pick the WinDump interface whose name contains that GUID and log every packet to port 80 or 443
      for /f "delims=." %%i in ('!app! -D^|findstr "%%s"') do (
        !app! -i %%i -n dst port 80 or dst port 443
      )
    )>>!output!
  )
)
if exist !output! type !output!
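Both WinDump scripts in Giovanni's replies (the SYN monitor writing synmon.txt and the HTTP monitor writing HTTPID.txt) produce one line per packet, so the remaining work is turning that log into a whitelist and making sure the once-a-month destination from the question is not overlooked. The Python below is an added example, not code from the thread; it assumes the old-style WinDump line format shown in the sample output above (flag column such as "S") and a US-style %date% in the header line, and its sample input is the thread's own sample lines, embedded inline with the stripped backslash restored.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample: the thread's WinDump SYN-monitor output (old-style "S" flag column, header date from %date%).
SAMPLE_LOG = """\
Begin TCP SYN capture on Fri 11/15/2013 at 14:16:53.18 from GSTYLE [192.168.0.88/255.255.0.0] as gstyle\\giovanni
14:05:40.807629 IP 192.168.0.88.13412 > 65.55.57.27.443: S 3069452311:3069452311(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.712707 IP 192.168.0.88.13413 > 23.7.198.235.443: S 2695754706:2695754706(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.740652 IP 192.168.0.88.13414 > 65.54.87.241.443: S 1559914944:1559914944(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:41.741716 IP 192.168.0.88.13415 > 65.54.87.241.443: S 2572514902:2572514902(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
14:05:42.195205 IP 192.168.0.88.13416 > 23.7.198.235.443: S 1813119667:1813119667(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
"""
HDR_RE = re.compile(r"^Begin .*capture on \w+ (\d{2}/\d{2}/\d{4}) at ")   # assumes US %date% as in the sample
PKT_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \S+ > "
                    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)")

def summarize(log_text):
    """Aggregate a monitor log into {(dst_ip, dst_port): {count, syn, first, last}}."""
    day, prev, stats = date(1900, 1, 1), None, {}   # 1900-01-01 = no header line seen yet
    for line in log_text.splitlines():
        h = HDR_RE.match(line)
        if h:                                        # new capture session: take its date
            day, prev = datetime.strptime(h.group(1), "%m/%d/%Y").date(), None
            continue
        p = PKT_RE.match(line)
        if not p:                                    # skip the echoed ip/mask/gateway lines
            continue
        t = datetime.strptime(p.group("ts"), "%H:%M:%S.%f").time()
        if prev is not None and t < prev:            # WinDump prints time of day only,
            day += timedelta(days=1)                 # so a backwards jump means midnight passed
        prev = t
        when = datetime.combine(day, t)
        rec = stats.setdefault((p.group("dst"), int(p.group("dport"))),
                               {"count": 0, "syn": 0, "first": when, "last": when})
        rec["count"] += 1
        rec["syn"] += "S" in p.group("flags")        # client-initiated connection attempts
        rec["first"], rec["last"] = min(rec["first"], when), max(rec["last"], when)
    return stats

def whitelist(stats):
    """Destination ip:port pairs sorted numerically, for a stable firewall rule list."""
    return ["%s:%d" % k for k in sorted(stats, key=lambda k: (tuple(map(int, k[0].split("."))), k[1]))]

def rarely_seen(stats, max_syn=1):
    """Destinations with at most max_syn SYNs (e.g. a monthly DRM check): review, do not drop."""
    return sorted(k for k, r in stats.items() if r["syn"] <= max_syn)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("whitelist:", whitelist(s), "\nrarely seen:", rarely_seen(s))
```

Feed it the concatenated synmon.txt files from the central share and keep the rarely_seen output as the review list before committing the whitelist.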