I need to see the sites visited by a particular IP. I'm giving that in the filter but it gives me all sorts of queries. I have started using your product recently and that's why I am a little unclear on the kinds of filters to pass. So far I just want to see the sites they visited, what they searched for and what domain names were resolved along with their IP addresses.
asked 05 Mar '11, 07:51
This is all achievable with Wireshark, but Wireshark is not the most intuitive tool for this. Really, you would usually use a web content filter for these types of tasks. If you want to do this with Wireshark, you will first need to add some columns to the display. The columns I would recommend are as follows:
Host (from the HTTP GET method)
URI (from the HTTP GET method)
To do this, I would first make sure that you are running at least version 1.4. Then you need to capture some www traffic. Then do a display filter for "http.host". This will display only http requests with host headers. (Note: this is not a perfect method due to the fact that host headers might not be used in obscure cases).
Now that we have some packets displayed we need to look for the host field and the URI field. To do this, highlight a packet in the top pane. Then in the middle pane, expand "Hypertext Transport Protocol", then expand "GET". Right click "Host" and choose "Add as column". Do the same for Request URI. Now in the top pane you should see the host and the path ("URI").
Now we can filter based on the IP address that you are looking at.
So to look at www traffic from 192.168.1.124, I might use a filter like: ip.addr==192.168.1.124 && http.host
Again, Wireshark is a very granular tool. However, it is not a drop-in replacement for something like a Barracuda Web Filter or Websense.
answered 05 Mar '11, 11:55
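The columns and filter described in the answer above can be reproduced outside the GUI. The script below is an added example, not code from the original post or from the Wireshark project: it reads a pcap with only the Python standard library and pulls out, for one client IP, the HTTP Host and request URI (plus the `q=` search parameter), the DNS names that client queried, and the A-record addresses returned to it. The capture it parses is constructed inline (client 192.168.1.124, a resolver, one web server and a second client) purely to have something to run against; the packet builders, IP addresses and search URL are all assumptions made for the demonstration.

```python
"""Extract sites visited, search terms and DNS resolutions for one client IP
from a pcap, using only the standard library. Added example; the sample
capture below is constructed, not real traffic."""
import struct
import socket
from urllib.parse import urlsplit, parse_qs

# ---- minimal packet builders used only to construct the sample capture ----
def _eth(payload):  # Ethernet II header, assumed MACs, ethertype IPv4
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + payload

def _ipv4(src, dst, proto, payload):  # checksum left 0: the parser never validates it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):  # 20-byte header (data offset 5), PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _dns_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _dns_query(name, txid=0x1234):  # flags 0x0100 = standard query, RD
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _dns_name(name) + struct.pack("!HH", 1, 1)

def _dns_response(name, addrs, txid=0x1234):  # flags 0x8180 = response, RD, RA
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0) + _dns_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:  # answer name is a compression pointer (0xc00c) to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return msg

def build_sample_pcap():
    """Constructed capture: a DNS lookup, its answer, one HTTP GET from the client of interest
    and one GET from another host that the extraction must ignore."""
    client, resolver, web = "192.168.1.124", "192.168.1.1", "93.184.216.34"
    frames = [
        _eth(_ipv4(client, resolver, 17, _udp(53000, 53, _dns_query("www.example.com")))),
        _eth(_ipv4(resolver, client, 17, _udp(53, 53000, _dns_response("www.example.com", [web])))),
        _eth(_ipv4(client, web, 6, _tcp(40000, 80,
             b"GET /search?q=wireshark+filters HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n"))),
        _eth(_ipv4("192.168.1.50", web, 6, _tcp(40001, 80, b"GET /other HTTP/1.1\r\nHost: other.example\r\n\r\n"))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header, linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1299300000 + i, 0, len(f), len(f)) + f
    return out

# ------------------------------- the parser -------------------------------
def _read_dns_name(msg, off):
    """Read a DNS name at msg[off], following one level of compression pointers."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_dns_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def iter_frames(pcap):
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen

def extract(pcap, ip):
    """Return (http_rows, dns_rows) for client `ip`:
    http_rows = [(host, uri, search_term)], dns_rows = [(kind, name, [addresses])]."""
    http, dns = [], []
    for frame in iter_frames(pcap):
        if frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        iph = frame[14:]
        ihl, proto = (iph[0] & 0x0F) * 4, iph[9]
        src, dst = socket.inet_ntoa(iph[12:16]), socket.inet_ntoa(iph[16:20])
        l4 = iph[ihl:]
        if proto == 6 and src == ip:  # TCP from the client: look for an HTTP request
            data = l4[(l4[12] >> 4) * 4:]
            if data[:4] in (b"GET ", b"POST"):  # cleartext HTTP only; HTTPS hides Host and URI
                head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
                uri = head[0].split(" ")[1]
                host = next((h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")), None)
                http.append((host, uri, parse_qs(urlsplit(uri).query).get("q", [None])[0]))
        elif proto == 17 and 53 in struct.unpack("!HH", l4[:4]):  # DNS over UDP
            msg = l4[8:]
            flags, _qd, an = struct.unpack("!HHH", msg[2:8])
            qname, pos = _read_dns_name(msg, 12)
            pos += 4  # skip QTYPE/QCLASS
            if not flags & 0x8000 and src == ip:
                dns.append(("query", qname, []))
            elif flags & 0x8000 and dst == ip:
                addrs = []
                for _ in range(an):
                    _, pos = _read_dns_name(msg, pos)
                    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
                    pos += 10
                    if rtype == 1:  # A record
                        addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
                    pos += rdlen
                dns.append(("answer", qname, addrs))
    return http, dns

if __name__ == "__main__":
    for row in extract(build_sample_pcap(), "192.168.1.124"):
        print(row)
```

The same three views can be produced from a real capture with tshark, which uses the display-filter fields the answer refers to: `tshark -r capture.pcap -Y 'ip.src==192.168.1.124 && http.host' -T fields -e http.host -e http.request.uri` for the sites and paths, and `tshark -r capture.pcap -Y 'ip.addr==192.168.1.124 && dns' -T fields -e ip.src -e dns.qry.name -e dns.a` for the names queried and the addresses returned. Both the script and the filter only see cleartext HTTP; for HTTPS the Host and URI are encrypted and, at most, the server name in the TLS handshake is visible.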