Friday, March 6, 2009

One Liner: Spy HTTP URLs Accessed on A Specific Network Interface

Run this as root to list HTTP URLs being accessed from your machine via a specific network interface (ppp0 in this example), using tcpdump:
tcpdump -n -s 0 -i ppp0 -vvv -A "tcp" | strings | \
gawk '($0 ~ /GET.*HTTP/){path=$2} ($1=="Host:"){print "http://" $2 path;}'

You may want to filter the packets being captured, by replacing "tcp" with "tcp port 80", or maybe even a more restrictive filter, depending on what you already know about the URL you're looking for and the process that's accessing it. Consult the tcpdump manual page for more info.
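The URL-reconstruction half of the one-liner, written out as a reusable filter. This is an added example, not part of the original post: the function names extract_urls and sample_capture and the sample capture text are made up for illustration. It goes a little further than the one-liner: it accepts methods other than GET, tolerates packet-header bytes printed in front of the method, matches "Host:" case-insensitively, and forgets the path after each match so a Host header whose request line was not captured is not paired with a stale path.

```shell
#!/bin/sh
# Added example (not from the original post): pair each HTTP request line
# with the Host header that follows it and print "METHOD URL".
# Live use (as root): tcpdump -l -n -s 0 -i ppp0 -A "tcp port 80" | extract_urls

extract_urls() {
    awk '
    { sub(/\r$/, "") }              # HTTP header lines end in CRLF; drop the CR
    {
        # Request line: "<junk>METHOD path HTTP/x.y". tcpdump -A may print
        # IP/TCP header bytes directly in front of the method, so look for a
        # field that ENDS with a method name and check the field after the path.
        for (i = 1; i + 2 <= NF; i++)
            if (match($i, /(GET|HEAD|POST|PUT|DELETE|OPTIONS)$/) &&
                $(i + 2) ~ /^HTTP\/[0-9.]+$/) {
                method = substr($i, RSTART)
                path = $(i + 1)
                break
            }
    }
    tolower($1) == "host:" && path != "" {
        print method, "http://" $2 path
        path = ""                   # do not reuse this path for a later Host line
    }
    '
}

# Constructed sample resembling `tcpdump -A` output (not a real capture).
sample_capture() {
    printf '%s\r\n' \
        '12:00:01.000000 IP 10.0.0.2.51000 > 192.0.2.10.80: Flags [P.], length 120' \
        'E..x..@.@.....GET /index.html?q=1 HTTP/1.1' \
        'Host: www.example.com' \
        'User-Agent: demo' \
        '' \
        'E..x..@.@.....POST /api/login HTTP/1.1' \
        'host: api.example.com' \
        'Content-Length: 0' \
        '' \
        'Host: orphan.example.com'
}

# Demo on the constructed sample.
sample_capture | extract_urls
```

Like the one-liner, this pairs lines in arrival order without tracking TCP streams, so requests from concurrent connections can interleave and be mispaired; a tighter capture filter reduces that.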

2 comments:

  1. I just run urlsnarf, which is part of dsniff.

  2. Now this looks like a useful tool! Thanks!
