Hi,

Quoting Junginger, Jeremy (jjungingerat_private):
> I need to write a filter rule for ethereal that tracks all access to
> a specific URL (not ip address). Is this possible, and if so, how?
> Thanks!

You need to use a 'read filter' expression, matching something in the 'http.request' field. I would use a combination of 'ip.dst' matchers (for the destination IP, to let the pcap layer do some of the preliminary filtering), probably a 'tcp.port == 80' match as well, and a 'http.request eq http://somesite.com/pr0n'-ish filter.

I'm not sure how to do partial matching or regexp-like matching (as a matter of fact, I think that's not possible with ethereal). You might want to consider looking into different tools for the job, like 'ngrep' or even 'urlsnarf' - the latter, coming from the 'dsniff' package, will accept a tcpdump-like expression on the command line, and return all URLs it sees in HTTP requests from/to hosts matching that expression. Just grep on the output of that.

Greets,
Robert

--
Linux Generation
encrypted mail preferred. finger rvdmat_private for my GnuPG/PGP key.
In any case, never let yourself be intimidated by a loudly barking lawyer.
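The URL-based (rather than IP-based) matching discussed in this message, including the partial matching it asks about, as an added example that is not part of the original message. It assumes the TCP payload of each HTTP request has already been captured and reassembled; the function names, host names and sample payloads are constructed for illustration.

```python
import re

# Request line: METHOD SP request-target SP HTTP/x.y
_REQ_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")

def request_url(payload: bytes):
    """Rebuild the absolute URL from one HTTP request's bytes, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = _REQ_LINE.match(lines[0])
    if not m:
        return None  # not the start of a request (e.g. a body segment)
    target = m.group(2).decode("latin-1")
    if target.lower().startswith("http://"):
        return target  # absolute form, as sent to a proxy
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("latin-1").lower()
            break
    if host is None:
        return None  # no Host header: only the IP identifies the site
    if host.endswith(":80"):
        host = host[:-3]  # default port is implicit in the URL
    return "http://" + host + target

def matches(payload: bytes, watched: str, prefix: bool = False) -> bool:
    """Exact match by default; prefix=True gives partial matching."""
    url = request_url(payload)
    if url is None:
        return False
    return url.startswith(watched) if prefix else url == watched

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b"GET /reports/q3.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"GET /reports/q3.html HTTP/1.1\r\nHost: other.example\r\n\r\n",
    b"GET http://intranet.example/reports/q3.html?x=1 HTTP/1.0\r\n\r\n",
    b"GET /reports/q3.html HTTP/1.0\r\n\r\n",
]
WATCHED = "http://intranet.example/reports/q3.html"

def hits(prefix: bool = False):
    """Indexes of the samples that request the watched URL."""
    return [i for i, p in enumerate(SAMPLES) if matches(p, WATCHED, prefix)]

if __name__ == "__main__":
    print(hits(), hits(prefix=True))
```

The second sample has the same path on a different virtual host, which a filter on the path alone would wrongly count.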
This archive was generated by hypermail 2b30 : Fri Sep 14 2001 - 12:26:20 PDT