This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using display filters


My use of Wireshark is only to monitor what sites my family is going to (incognito or not). I have my suspicions that incognito is being used, and so I would like to figure out how to filter and capture searches and all URLs being accessed on the network. I know very, very little about network analysis and I'm in over my head trying to figure it out by myself. I downloaded the Wireshark 101 PDF and I'm reading it, but it's like a foreign language. I just want to know how to filter out only what I'm looking for.

asked 14 Jun '14, 12:52


Ashley Lynne...


One Answer:


Although this is a Wireshark Q&A site, you may want to look into OpenDNS and put the OpenDNS servers into your router. You can then view reports of all the URL lookups from your ISP connection.

If you want to view this information in Wireshark, just filter on DNS traffic. The display filter is "dns", and the capture filter would be "tcp port 53 or udp port 53".

Travis

answered 14 Jun '14, 19:49


Rooster_50

Thank you!

(15 Jun '14, 10:23) Ashley Lynne...

Caution: If the goal is to track usage from users you don't necessarily trust, they could bypass your OpenDNS server and specify their own, or go to a site with direct IP info. It's a clever solution and is probably one of the easiest to deploy, but it's tricky because it is within the power of untrusted and presumably smart wrong-doers to bypass it.

(15 Jun '14, 14:08) Quadratic

Furthermore: DNS gives you insight into host names that have been accessed (www.xyz.com), or actually that have been resolved, not URLs that have been accessed (http://www.xyz.com/pictures/bad_stuff/xxxx.jpeg)! So you might totally misinterpret what the users are doing if you only look at DNS answers. And on the other hand, you might miss important things.

So the best thing you could do to monitor all of the internet traffic is what @Quadratic suggested in the other question:

http://ask.wireshark.org/questions/33805/tracking-incognito-use/33846

Could have been the answer to this question ;-)

(15 Jun '14, 14:14) Kurt Knochner ♦

Clever people will always have a way to work around anything. If they want, they could purchase a VPN and then show the "Capture all Wireshark traffic" solution absolutely nothing but encrypted traffic.

Furthermore, most XXX material is not going to be at a "http://disney.com" domain; the domain will usually give you an insight into the type of traffic your users are looking for, i.e. "http://porn-tube-site-1.com, http://port-tube-site-of-the-month.com, etc.".

(17 Jun '14, 03:41) Rooster_50

Clever people will always have a way to work around anything.

Sure, but this question is not about those clever family members, it's about how to follow what sites (URLs, content) users are accessing on the internet, and looking at DNS replies is certainly not the ideal method for that.

Furthermore, most XXX material is not going to be at

XXX sites are using CDNs (content delivery networks) as well, so the 'real' content is not delivered from xxxtube.com but from s76ushd-xxx-w76e-tube.sf.cdn.com. Hard to imagine that an inexperienced Wireshark user will be able to draw the right conclusions if he/she sees DNS replies for the CDN host ;-)

Sure, you will see at least one DNS request to xxxtube.com, but that could have been an ad on another site as well, which is another reason why DNS replies will give you sub-optimal results.

(17 Jun '14, 08:53) Kurt Knochner ♦