wcap

Overview

wcap is a packet sniffer that displays URLs. It is an application that
puts your ethernet interface in promiscuous
mode and listens for web requests, displaying a nicely formatted list of
URLs that have been requested. The information it obtains is not
magical and is the same sort of thing you can get from running
tcpdump; it is just specifically parsed and formatted to make the
requested URLs available at a glance.

Caveats

There are a few things to know about this application:

  • It will work best on wireless networks. On a wireless network, you
    can see all of the traffic of your peers. It will also work well on a
    wired network that uses hubs (as opposed to switches), as these
    broadcast traffic out to everyone connected. It will not work on a
    wired network that uses switches to route traffic, as these
    specifically prevent you from seeing peer traffic. (The exception to
    the switch rule is if you’re the administrator of a managed switch and
    have a SPAN port available to direct traffic to… but if you are, then
    you already know what you are doing and likely have plenty of network
    security tools that are much more mature than this one.)
  • It must be run as root. You can either run it directly as root (using
    “sudo” or root’s own account) or you can set the setuid bit on the binary
    by running “chmod +s wmap” and then (as root) “chown root wmap”.
  • It compiles, runs, and has been tested on OS X 10.4.8. It should
    also work on Linux (although it remains untested at present), but it is
    not going to work under Windows without a heck of a lot of work.

There is not a lot special about this app. There are plenty of similar ones
out there; just put terms like “URL packet sniffer,” “URL snooper,” or “HTTP
sniffer” into Google. Mainly, this was written as a quick project to get me
reacquainted with libpcap, which I have not touched in years (and will probably
start needing to use for work). For another, more original, HTTP protocol
application, see also:
https://netninja.com/files/wmap/

Usage

wcap [-v] [-d] [interface]

where:
  interface  the ethernet port on which to sniff traffic; defaults to en1/eth1
             (example: en0 or en1 on OS X, eth0 or eth1 on Linux)
  -v         increases verbosity (use multiple times for even more info)
  -d         disables WebDAV verbs like PUT, DELETE, LOCK, etc.

Example

fibonacci:~/Code/workspace/wcap brian$ sudo ./wcap
Scanning for HTTP verbs: GET POST HEAD PUT DELETE TRACE OPTIONS SUBSCRIBE COPY COPY MOVE LOCK UNLOCK MKCOL PROPFIND PROPPATCH
Listening on network interface en1
2007-03-06 18:10:42.675 10.10.10.43     http://google.com/
2007-03-06 18:10:45.760 10.10.10.43     http://www.google.com/
2007-03-06 18:10:46.072 10.10.10.43     http://www.google.com/intl/en_ALL/images/logo.gif
2007-03-06 18:10:46.777 10.10.10.43     http://www.google.com/favicon.ico
2007-03-06 18:11:05.798 10.10.10.43     https://netninja.com/
2007-03-06 18:11:08.789 10.10.10.43     https://netninja.com/images/woodbg.jpg
2007-03-06 18:11:09.290 10.10.10.43     https://netninja.com/images/netninja_title.png
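The parsing and formatting step the Overview describes (pick the HTTP request line out of a captured TCP payload, honour the -d verb filter, and print timestamp, source IP and URL in the layout shown above) as an added Python example; this is not wcap's own code and does not use libpcap. Which verbs -d removes is assumed here (everything beyond GET, POST, HEAD, TRACE, OPTIONS), as is the fallback to the destination IP when a request carries no Host header; the sample frame is constructed.

```python
import struct
from datetime import datetime, timezone
# Verb split assumed for this example; the page lists the verbs but not which ones -d removes.
BASE_VERBS = {b"GET", b"POST", b"HEAD", b"TRACE", b"OPTIONS"}
WEBDAV_VERBS = {b"PUT", b"DELETE", b"SUBSCRIBE", b"COPY", b"MOVE", b"LOCK",
                b"UNLOCK", b"MKCOL", b"PROPFIND", b"PROPPATCH"}

def tcp_payload(frame):
    """(src_ip, dst_ip, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                # not IPv4 over Ethernet, or not TCP
    ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length incl. options
    doff = (frame[14 + ihl + 12] >> 4) * 4          # TCP data offset
    src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
    return src, dst, frame[14 + ihl + doff:]

def extract_request(frame, webdav=True):
    """(src_ip, url) when the payload starts an HTTP request with an enabled verb, else None."""
    parsed = tcp_payload(frame)
    if parsed is None:
        return None
    src, dst, payload = parsed
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None                                # not a request line (e.g. a response)
    verb, target = parts[0], parts[1].decode("ascii", "replace")
    if verb not in BASE_VERBS | (WEBDAV_VERBS if webdav else set()):
        return None                                # verb disabled by -d
    if target.startswith("http://"):               # absolute-form target (proxy requests)
        return src, target
    host = dst                                      # assumed fallback: HTTP/1.0 has no Host header
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return src, "http://%s%s" % (host, target)

def format_line(ts, src, url):
    # One output line in the tool's layout: timestamp with milliseconds, source IP, URL.
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    return "%s %-15s %s" % (stamp, src, url)

def build_frame(src_ip, dst_ip, payload):
    # Constructed frame: Ethernet + IPv4 + TCP headers, checksums left at zero.
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", 50000, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

SAMPLE = build_frame("10.10.10.43", "64.233.167.99",  # constructed sample request
                     b"GET /favicon.ico HTTP/1.1\r\nHost: www.google.com\r\n\r\n")
```

Feeding frames from a live libpcap capture into extract_request and printing format_line(ts, src, url) for each hit reproduces the listing above; responses and non-HTTP payloads return None and are skipped.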

Download

wcap-1.0.tgz – source code (4.5K)
