Wireshark-users: Re: [Wireshark-users] How to see HTTP hosts visited

From: Andreas Fink <afink@xxxxxxxxxxxxx>
Date: Tue, 13 Nov 2007 09:47:37 +0100
the two switches are not forwarding packets to your PC as the destination of the packets are not meant to receive it You need to do the tracing on the WRTG54G itself (if it runs some linux for example) or it should forward packets. I dont think even without the two switches you will see the packets as they come/go from DSL and WLAN. So the WRT will not forward it to you because it knows (or thinks) you are not looking for those packets.


On 12.11.2007, at 22:34, Gary Fritz wrote:

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
What does your network setup look like? Do you have separate wireless
AP, router, cable/dsl modem?  Or which parts are combined into one?

Our home network looks something like this (sorry for the ASCII graphics):

Linksys
WRT54G -------- switch -------- switch ---- my PC
(wifi hub)
    |
    |
other PCs

The Linksys is acting as a "DSL" modem (although my broadband
connection is actually wireless), router, and wireless AP.

So I have 2 switches between the router and my PC. Could that be part of
the problem?

You could monitor the wifi through another wifi connection only if your operating system & wireless driver support promiscuous mode, which is not
common (especially on Windows).

Hm.  And I am running on Windows -- XP Home & Pro.  The promiscuous-
mode option is checked in the "Capture Options" dialog.

Ideally you would monitor his machine by installing Wireshark on his
machine, but that may give away what you're trying to do :).

Yeah, that's not ideal for me.  :-)

Since the initial sites visited are typically the only time HTML is
loaded (the accesses to other sites are usually graphics), this display
filter should help narrow it down:

ip.addr == 192.168.1.106 && http && http.content_type contains
"text/html"

Hm, no, I'm still seeing requests for googleadservices.com,
pagead.l.google.com, rcm.amazon,com, some gifs and jpgs, etc. A lot of the
sites I'm seeing are requesting p3p.xml files or similar.

And it doesn't seem to be capturing all the actual browse requests. E.g. if I browse to www.dogpile.com (my son's favorite search engine), nothing gets
through the filter.

It's definitely better than I had come up with before. The statistics report I was using before doesn't work with that filter, but the filtered output is better than the stat report was anyway. If it just included all the hosts I browsed to,
it would be "good enough" for now.

Except... I've just discovered that display filters and capture filters don't use the same syntax, sigh. These packets pile up quickly without a filter. I tried "port 80 and src <<my IP>>" and that helps, but I'm sure it's not optimal. Can you capture basically the same set of packets that the display filter
shows?

Thanks for the start!
Gary

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users