wcap

Overview

wcap is a packet sniffer that displays URLs. It is an application that
puts your ethernet interface in promiscuous mode and listens for web
requests, displaying a nicely formatted list of URLs that have been
requested. The information it obtains is not magical and is the same
sort of stuff you can get from running tcpdump; it is just specifically
parsed and formatted to make the requested URLs available at a glance.

Caveats

There are a few things to know about this application:

  • It will work best on wireless networks. On a wireless network, you
    can see all of the traffic of your peers. It will also work well on a
    wired network that uses hubs (as opposed to switches), as these
    broadcast traffic out to everyone connected. It will not work on a
    wired network that uses switches to route traffic, as these
    specifically prevent you from seeing peer traffic. (The exception to
    the switch rule is if you’re the administrator of a managed switch and
    have a SPAN port available to direct traffic to... but if you are, then
    you already know what you are doing and likely have plenty of network
    security tools that are much more mature than this one.)
  • It must be run as root. You can either run it directly as root using
    “sudo” or root’s account, or you can setuid the app by running
    “chmod +s wcap” and then (as root) “chown root wcap”.
  • It compiles, runs, and has been tested on OS X 10.4.8. It should
    also work on Linux (although this remains untested at present), but is
    not going to work under Windows without a heck of a lot of work.

There is not a lot special about this app. There are plenty of similar ones
out there. Just put terms like “URL packet sniffer,” “URL snooper,” or “HTTP
sniffer” into Google. Mainly, this was written as a quick project to get me
reacquainted with libpcap, which I have not touched in years (and will probably
start needing to use for work). For another, more original HTTP protocol
application, see also:
http://netninja.com/files/wmap/

Usage

wcap [-v] [-d] [interface]

where:
  interface  the ethernet port on which to sniff traffic; defaults to en1/eth1
             (example: en0 or en1 on OS X, eth0 or eth1 on Linux)
  -v         increases verbosity (use multiple times for even more info)
  -d         disables WebDAV verbs like PUT, DELETE, LOCK, etc.

Example

fibonacci:~/Code/workspace/wcap brian$ sudo ./wcap
Scanning for HTTP verbs: GET POST HEAD PUT DELETE TRACE OPTIONS SUBSCRIBE COPY COPY MOVE LOCK UNLOCK MKCOL PROPFIND PROPPATCH
Listening on network interface en1
2007-03-06 18:10:42.675 10.10.10.43     http://google.com/
2007-03-06 18:10:45.760 10.10.10.43     http://www.google.com/
2007-03-06 18:10:46.072 10.10.10.43     http://www.google.com/intl/en_ALL/images/logo.gif
2007-03-06 18:10:46.777 10.10.10.43     http://www.google.com/favicon.ico
2007-03-06 18:11:05.798 10.10.10.43     http://netninja.com/
2007-03-06 18:11:08.789 10.10.10.43     http://netninja.com/images/woodbg.jpg
2007-03-06 18:11:09.290 10.10.10.43     http://netninja.com/images/netninja_title.png
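The parsing step behind each line above, written out as an added example (not wcap's own source): given the TCP payload of one sniffed request, match the first word against the verb table wcap prints at startup, honour -d, and rebuild the URL from the Host header and the request path. Which verbs -d removes is my assumption, following the page's "PUT, DELETE, LOCK, etc."; only a cleartext HTTP request ever yields a URL, since a TLS record or any other payload never matches a verb.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Verb table as wcap prints it at startup. The first five are plain HTTP; the
   rest are treated here as the group that -d disables (an assumption following
   the page, which lists PUT and DELETE among the "webdav verbs"). */
static const char *VERBS[] = {"GET", "POST", "HEAD", "TRACE", "OPTIONS", "PUT",
    "DELETE", "SUBSCRIBE", "COPY", "MOVE", "LOCK", "UNLOCK", "MKCOL",
    "PROPFIND", "PROPPATCH"};
#define N_VERBS (sizeof VERBS / sizeof VERBS[0])
#define N_PLAIN 5

/* Return the value of header `name` (case-insensitive match) or NULL. */
static const char *find_header(const char *hdrs, const char *name) {
    size_t n = strlen(name);
    for (const char *p = hdrs; p && *p; ) {
        if (strncasecmp(p, name, n) == 0 && p[n] == ':') {
            for (p += n + 1; *p == ' ' || *p == '\t'; p++) ;
            return p;
        }
        p = strchr(p, '\n');            /* advance to the next header line */
        if (p) p++;
    }
    return NULL;
}

/* Rebuild the URL from one cleartext HTTP request payload, as wcap does per
   sniffed packet: "http://" + Host header + request path. Returns false when
   the payload does not start with a scanned verb (TLS or any non-HTTP data
   falls out here) or carries no Host header. */
bool wcap_url(const char *payload, bool webdav_ok, char *out, size_t outlen) {
    size_t n_scan = webdav_ok ? N_VERBS : N_PLAIN, i, vlen = 0;
    for (i = 0; i < n_scan; i++) {
        vlen = strlen(VERBS[i]);
        if (strncmp(payload, VERBS[i], vlen) == 0 && payload[vlen] == ' ') break;
    }
    if (i == n_scan) return false;
    const char *path = payload + vlen + 1;
    const char *path_end = strchr(path, ' ');    /* before " HTTP/1.x" */
    const char *eol = strstr(payload, "\r\n");
    if (!path_end || !eol || path_end > eol) return false;
    const char *host = find_header(eol + 2, "Host");
    if (!host) return false;
    const char *host_end = strpbrk(host, "\r\n");
    if (!host_end) host_end = host + strlen(host);
    int w = snprintf(out, outlen, "http://%.*s%.*s", (int)(host_end - host),
                     host, (int)(path_end - path), path);
    return w > 0 && (size_t)w < outlen;
}
```

Fed the payload "GET / HTTP/1.1\r\nHost: google.com\r\n\r\n" with webdav_ok set, it returns http://google.com/, the first line of the example run; prefixing the timestamp and source IP from the pcap header gives the full output format.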

Download

wcap-1.0.tgz — source code (4.5K)
