Wireshark-users: Re: [Wireshark-users] How to see HTTP hosts visited

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Mon, 12 Nov 2007 10:46:37 -0700
On Mon, Nov 12, 2007 at 09:39:38AM -0600, Gary Fritz wrote:

> So anyway.  I've figured out how to monitor packets.  If I look at my
> own system, I can filter on my IP, and I can even do a Statistics
> report (filtering on "ip.addr == 192.168.1.106 and http") to find the
> HTTP hosts I'm hitting.  So far so good, if a bit manual.
> 
> Problems: I don't seem to get the http requests from his wifi
> connection on my hard-wired PC.  I get a few things like registration
> and ICMP requests, but I don't see HTTP requests.  Why some but not
> others?  Do I have to monitor his wifi connection from another wifi
> connection?

The packets you are seeing are broadcast or multicast, which in your
type of setup are sent to all machines on the network.  You're not
seeing his traffic because your wireless AP/(router?) is acting like a
switch instead of a hub.  Switches do not send traffic for one host out
to all ports.

What does your network setup look like?  Do you have separate wireless
AP, router, cable/dsl modem?  Or which parts are combined into one?

You could monitor the wifi through another wifi connection only if your
operating system & wireless driver support promiscuous mode, which is
not common (especially on Windows).

Ideally you would monitor his machine by installing Wireshark on his
machine, but that may give away what you're trying to do :).

> Also, the http Statistics report produces a lot more data than I want,
> no surprise.  E.g. if I browse to site A, which has graphics
> downloaded from sites B-Z, the report shows me requests for sites A-Z.
> 
> Is there any way to narrow the report down to ONLY the sites HE
> REQUESTS, either by typing in a URL or by clicking on a link?  And is
> there a better way to do this than the stumbling around I've done?

Since the initial sites visited are typically the only time HTML is
loaded (the accesses to other sites are usually graphics), this display
filter should help narrow it down:

 ip.addr == 192.168.1.106 && http && http.content_type contains "text/html"


Steve
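To make the filter above concrete, here is an added example (not from the original post or from Wireshark) that applies the same logic offline in Python: keep only HTTP messages to or from 192.168.1.106, keep only responses whose Content-Type contains "text/html", and then walk back to the request on the same TCP stream to recover the Host header, which is what the Statistics report is really after. The packets below are constructed sample data, not a real capture; the stream numbers stand in for Wireshark's tcp.stream index.

```python
import re
from dataclasses import dataclass


# Constructed sample traffic (not from the original post): each record stands in
# for one TCP segment carrying the start of an HTTP message. 'stream' ties a
# request to its response the way Wireshark's tcp.stream index does.
@dataclass
class Packet:
    src: str
    dst: str
    stream: int
    payload: bytes


TARGET = "192.168.1.106"  # the host whose browsing we want, as in the post

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")


def parse_headers(payload: bytes) -> dict:
    """Return lower-cased header name -> value for the HTTP message in payload."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def matches_filter(pkt: Packet) -> bool:
    """Equivalent of:
         ip.addr == 192.168.1.106 && http && http.content_type contains "text/html"
    ip.addr matches either direction; http.content_type only exists on responses."""
    if TARGET not in (pkt.src, pkt.dst):
        return False
    if not STATUS_LINE.match(pkt.payload):
        return False
    return "text/html" in parse_headers(pkt.payload).get("content-type", "")


def html_hosts(packets):
    """Hosts that returned HTML to TARGET: correlate each matching response with
    the request seen earlier on the same stream to recover its Host header."""
    request_host = {}
    for p in packets:
        if p.src == TARGET and REQUEST_LINE.match(p.payload):
            request_host[p.stream] = parse_headers(p.payload).get("host", "?")
    return sorted({request_host.get(p.stream, "?") for p in packets if matches_filter(p)})


# Constructed sample: site A is the page the user typed in, site B serves an
# image for it, site C is an ad iframe (also HTML), and site D is fetched by a
# different client on the LAN.
SAMPLE = [
    Packet(TARGET, "203.0.113.10", 1, b"GET / HTTP/1.1\r\nHost: www.site-a.example\r\n\r\n"),
    Packet("203.0.113.10", TARGET, 1, b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>"),
    Packet(TARGET, "203.0.113.20", 2, b"GET /logo.png HTTP/1.1\r\nHost: img.site-b.example\r\n\r\n"),
    Packet("203.0.113.20", TARGET, 2, b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG"),
    Packet(TARGET, "203.0.113.30", 3, b"GET /frame HTTP/1.1\r\nHost: ads.site-c.example\r\n\r\n"),
    Packet("203.0.113.30", TARGET, 3, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Packet("192.168.1.50", "203.0.113.40", 4, b"GET / HTTP/1.1\r\nHost: www.site-d.example\r\n\r\n"),
    Packet("203.0.113.40", "192.168.1.50", 4, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
]

if __name__ == "__main__":
    for host in html_hosts(SAMPLE):
        print(host)
```

Two caveats worth keeping in mind when reading the output. The image host (site B) and the other client's traffic (site D) drop out as intended, but the ad iframe host (site C) stays in, because anything served as HTML, including ad and tracking frames, passes the filter; the result is a shortlist, not a list of pages the user deliberately typed in. And the whole approach depends on seeing the Content-Type header in cleartext, so it only works for plain HTTP, not HTTPS.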