This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Blocked Port 80 URLs

0

When at a customer's review, my team did some captures for many users dispersed geographically. Some users tried accessing port 80 sites that were blocked by our network proxies. How can I find all requested HTTP URLs?

asked 08 Oct '13, 10:29

karl
16225
accept rate: 0%


2 Answers:

0

Assuming you have a capture file, you can use tshark as follows:

tshark -Tfields -Yhttp.request.full_uri -ehttp.request.full_uri -r mycapture.pcap > websites.txt

That will write each requested HTTP URI to the file websites.txt.

answered 08 Oct '13, 12:28

beroset
2261213
accept rate: 33%

I have tshark v1.8.6. I used the -R instead of -Y.

(08 Oct '13, 14:17) karl

0

I recommend looking at the Proxy logs. Wireshark is a great tool, but sometimes there are other ways to get results faster.

If you don't have access to the proxy logs you could filter on "http.request.method or http.response.code == 403" (assuming your proxy returns a 403 when the site is blacklisted; replace with whatever code yours is returning). That will give you a list of all requests and response codes, but matching them can be tedious work.

answered 08 Oct '13, 12:24

Jasper ♦♦
23.8k551284
accept rate: 18%
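The request/response matching that the second answer calls tedious can be scripted over tshark's field output. The following is an added example, not part of the original answers: it pairs each response with the oldest unanswered request on the same TCP stream and keeps the URLs answered with the block code, and it goes slightly beyond the answer by skipping 1xx interim responses and counting responses whose request was not captured. The function name and sample lines are constructed for illustration, and 403 is the block code assumed in the answer.

```python
from collections import defaultdict, deque

# Constructed sample of the tab-separated output produced by:
#   tshark -r mycapture.pcap -Y http -T fields \
#          -e tcp.stream -e http.request.full_uri -e http.response.code
# (tshark 1.8.x takes -R where newer versions take -Y, as noted in the comment above)
SAMPLE = [
    "0\thttp://intranet.example/index.html\t",
    "1\thttp://blocked.example/games\t",
    "0\t\t200",
    "1\t\t403",
    "1\thttp://blocked.example/favicon.ico\t",
    "2\thttp://news.example/\t",          # request never answered in the capture
    "1\t\t403",
    "3\t\t403",                           # response whose request was not captured
]

def blocked_urls(lines, block_code="403"):
    """Return (blocked URLs in capture order, count of unmatched responses)."""
    pending = defaultdict(deque)          # tcp.stream -> requests awaiting a response
    blocked, orphans = [], 0
    for line in lines:
        # Pad so a missing trailing empty field does not break unpacking.
        stream, uri, code = (line.rstrip("\r\n").split("\t") + ["", ""])[:3]
        if uri:                           # an HTTP request frame
            pending[stream].append(uri)
        elif code.startswith("1"):        # 100 Continue etc. do not finish a request
            continue
        elif code:                        # a final HTTP response frame
            if not pending[stream]:
                orphans += 1
                continue
            request_uri = pending[stream].popleft()
            if code == block_code:
                blocked.append(request_uri)
    return blocked, orphans

if __name__ == "__main__":
    urls, unmatched = blocked_urls(SAMPLE)
    print("\n".join(urls))
    print("responses without a captured request:", unmatched)
```

Pairing by arrival order within a stream relies on HTTP/1.x answering requests in order on a connection; a capture that starts mid-connection shows up in the unmatched count rather than as a wrong pairing.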