This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

visited sites filter

0

I need to see the sites visited by a particular IP... I'm giving that in the filter but it gives me all sorts of queries. I have started using your product recently and that's why I am a little unclear on the kinds of filters to pass. So far I just want to see the sites they visited, what they searched for, and what domain names were resolved along with their IP addresses.

asked 05 Mar '11, 07:51

Jiya Khan
1112
accept rate: 0%


One Answer:

3

This is all achievable with Wireshark, but Wireshark is not the most intuitive tool for this. Really, you would usually use a web content filter for these types of tasks. If you want to do this with Wireshark, you will first need to add some columns to the display. The columns I would recommend are as follows:

Host: from the HTTP GET method
URI: from the HTTP GET method

To do this, I would first make sure that you are running at least version 1.4. Then you need to capture some www traffic. Then do a display filter for "http.host". This will display only http requests with host headers. (Note: this is not a perfect method due to the fact that host headers might not be used in obscure cases).

Now that we have some packets displayed, we need to look for the host field and the URI field. To do this, highlight a packet in the top pane. Then in the middle pane, expand "Hypertext Transport Protocol", then expand "GET". Right-click "Host" and choose "Add as column". Do the same for Request URI. Now in the top pane you should see the host and the path "URI".

Now we can filter based on the IP address that you are looking at.

So to look at www traffic from 192.168.1.124, I might use a filter like: ip.addr==192.168.1.124 && http.host

Again, Wireshark is a very granular tool. However, it is not a drop-in replacement for something like a Barracuda Web Filter or Websense.

answered 05 Mar '11, 11:55

Paul Stewart
3018
accept rate: 6%

Thank you so much, Paul. Can you please guide me a little more about how we see resolved domain names in a trace file using Wireshark? I'll be really grateful.

(07 Mar '11, 12:19) Jiya Khan

When you do the capture you can enable network level name resolutions. This is in Edit > Preferences > Name Resolution "Enable network name resolution". You can also do this in the capture settings. Be aware though that this is a simple PTR lookup. Therefore, if you are looking at web sites, it might make more sense to look at the host header in the get request.

(07 Mar '11, 12:46) Paul Stewart

This is very nice, is it possible to skip repeating hosts?

(11 Jun '12, 03:40) besomuk
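
A command-line version of the approach in the answer and comments above, as an added example that is not part of the original thread: tshark (the terminal tool shipped with Wireshark) applies the same display filter, and two awk helpers collapse repeated hosts and list name-to-address pairs taken from DNS answers. It assumes a tshark recent enough to accept `-Y` for display filters; the file name, function names and sample rows are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. capture.pcap and the sample
# rows below are constructed placeholders.

# HTTP requests involving one client: prints "host<TAB>uri" per request.
http_requests() {  # usage: http_requests capture.pcap 192.168.1.124
    tshark -r "$1" -Y "ip.addr==$2 && http.host" \
        -T fields -e http.host -e http.request.uri
}

# DNS answers seen in the capture: prints "name<TAB>addr[,addr...]".
dns_answers() {  # usage: dns_answers capture.pcap
    tshark -r "$1" -Y "dns.flags.response==1 && dns.a" \
        -T fields -e dns.qry.name -e dns.a
}

# Collapse repeated hosts: one line per host in first-seen order, prefixed
# with its request count. Rows with an empty host column are skipped.
unique_hosts() {
    awk -F'\t' '$1 != "" { if (!($1 in n)) order[++k] = $1; n[$1]++ }
        END { for (i = 1; i <= k; i++) printf "%d\t%s\n", n[order[i]], order[i] }'
}

# Expand "name<TAB>a1,a2" into unique "name<TAB>addr" pairs.
unique_resolutions() {
    awk -F'\t' '{ m = split($2, a, ","); for (i = 1; i <= m; i++)
        if (a[i] != "" && !seen[$1 FS a[i]]++) print $1 "\t" a[i] }'
}

# Constructed sample rows in the format the tshark calls above emit.
sample_http() {
    printf 'www.example.com\t/\n'
    printf 'www.example.com\t/style.css\n'
    printf 'search.example.org\t/search?q=wireshark\n'
    printf '\t/no-host-header\n'
    printf 'www.example.com\t/logo.png\n'
}
sample_dns() {
    printf 'www.example.com\t192.0.2.10,192.0.2.11\n'
    printf 'www.example.com\t192.0.2.10\n'
}
```

On a real capture, pipe `http_requests capture.pcap 192.168.1.124` into `unique_hosts` and `dns_answers capture.pcap` into `unique_resolutions`. Unlike the PTR-based name resolution preference, the DNS helper reports the names the clients actually queried.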