Use a DNS proxy to redirect "hostnames of interest" traffic to local private IP Addresses corresponding to a proxy that captures the data of interest and then forwards it to the real destination IP Address that was saved by the DNS proxy. While thinking about this, one approach did come to mind which I'll share for fun. No other users would be affected by the MITM. To do so go to menu 'View > Name Resolution' And enable necessary options 'Resolve Addresses' (or just enable. To make host name filter work enable DNS resolution in settings. Note: Entirely my computers and my local network. The problem might be that Wireshark does not resolve IP addresses to host names and presence of host name filter does not enable this resolution automatically. For more advanced issues, you may need to capture traffic over time. 2) For HTTPS, consider the possibilities of setting up a MITM HTTPS proxy with similar logging capability. If you know what tcp port to capture, add a filter at the end to help limit the size of the capture: tcpdump -i -s 0 -w port 80 If unsure, leave off the filter.In addition to what we've been discussing, I'm also considering:Ä¡) For HTTP, route through an HTTP proxy that supports logging based on HTTP header pattern matching. You can then use tshark with a display filter to extract the packets of interest. Your best bet is to use dumpcap using the '-b filesize' option to split data accross files. So although I am hesitant to rule out any IP blocks, it indeed may prove useful to refine things once I have some sense of what they are. Capture filters cant work with wildcards nor can they handle re-assembly. I admire and acknowledge the benefits of iterative approaches :) The domains/systems of interest are large and dynamic (think global ad/content delivery networks).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |