Overview
wcap is a packet sniffer that displays URLs. It is is an application that
puts your ethernet interface in promiscuous
mode and listens for web requests, displaying a nicely formatted list of
URLs that have been requested. The information it obtains is not
magical and is the same sort of stuff you can get from running
tcpdump–it is just specifically parsed and formatted to make the
requested URLs available at a glance.
Caveats
There are a few things to know about this application:
- It will work best on wireless networks. On a wireless network, you
can see all of the traffic of your peers. It will also work well on a
wired network that uses hubs (as opposed to switches), as these
broadcast traffic out to everyone connected. It will not work on a
wired network that uses switches to route traffic, as these
specifically prevent you from seeing peer traffic. (The exception to
the switch rule is if you’re the administrator of a managed switch and
have a SPAN port available to direct traffic to… but if you are, then
you already know what you are doing and likely have plenty of network
security tools that are much more mature than this one.) - It must be run as root. You can either run it directly as root using
the “sudo” or root’s account or you can setuid on the app by running
“chmod +s wmap” and then (as root) “chown root wmap”. - It compiles, runs, and has been tested on OS X 10.4.8. It should
also work on Linux (although remains untested at present), but is not
going to work under Windows without a heck of a lot of work.
There is not a lot special about this app. There are plenty of similar ones
out there. Just put terms like “URL packet sniffer,” “URL snooper,” or “HTTP
sniffer” into Google. Mainly, this was written as a quick project to get me
reacquainted with libpcap, which I have not touched in years (and will probably
start needing to use for work.) For another, more original, HTTP protocol
applications, see also:
https://netninja.com/files/wmap/
Usage
wcap [-v] [-d] [interface] where: 'interface' is the ethernet port on which to sniff traffic, but defaults to en1/eth1 (example: en0 or en1 on OS X, eth0 or eth1 on Linux) -v increases verbosity (use multiple times for even more info) -d disable webdav verbs like PUT, DELETE, LOCK, etc.
Example
fibonacci:~/Code/workspace/wcap brian$ sudo ./wcap Scanning for HTTP verbs: GET POST HEAD PUT DELETE TRACE OPTIONS SUBSCRIBE COPY COPY MOVE LOCK UNLOCK MKCOL PROPFIND PROPPATCH Listening on network interface en1 2007-03-06 18:10:42.675 10.10.10.43 http://google.com/ 2007-03-06 18:10:45.760 10.10.10.43 http://www.google.com/ 2007-03-06 18:10:46.072 10.10.10.43 http://www.google.com/intl/en_ALL/images/logo.gif 2007-03-06 18:10:46.777 10.10.10.43 http://www.google.com/favicon.ico 2007-03-06 18:11:05.798 10.10.10.43 https://netninja.com/ 2007-03-06 18:11:08.789 10.10.10.43 https://netninja.com/images/woodbg.jpg 2007-03-06 18:11:09.290 10.10.10.43 https://netninja.com/images/netninja_title.png
Download
wcap-1.0.tgz – source code (4.5K)