Bro is the right tool for your use case. It automatically reassembles TCP streams and runs application-layer parsers (e.g. HTTP) on top of them. Bro works well on Linux and is widely used in both network measurement and network security.
In your case, run Bro as `bro -C -r <trace>` and inspect the resulting http.log. It should look roughly like this (trimmed at the right edge):
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1258535653.087137 an7i43AgB5h 192.168.1.104 1191 65.54.95.64 80 1 HEAD download.windowsupdate.com /v9/windowsupdate/redir/muv4wuredir.cab?0911180916 - Windows-Update-Agent 0 0
1258535655.525107 qPXo2uv96I5 192.168.1.104 1192 65.55.184.16 80 1 HEAD www.update.microsoft.com /v9/windowsupdate/selfupdate/wuident.cab?0911180916 - Windows-Update-Agent 0 0
1258535656.495997 9vr3tgviuu6 192.168.1.104 1193 65.54.95.64 80 1 HEAD download.windowsupdate.com /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916 - Windows-Update
The bundled tool bro-cut lets you reduce the output to just the fields you need, e.g. `bro-cut id.orig_h id.resp_h method host uri < http.log | head`. Some example output:
192.168.1.104 65.54.95.64 HEAD download.windowsupdate.com /v9/windowsupdate/redir/muv4wuredir.cab?0911180916
192.168.1.104 65.55.184.16 HEAD www.update.microsoft.com /v9/windowsupdate/selfupdate/wuident.cab?0911180916
192.168.1.104 65.54.95.64 HEAD download.windowsupdate.com /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916
192.168.1.104 65.54.95.64 GET download.windowsupdate.com /v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916
192.168.1.104 65.54.95.64 HEAD download.windowsupdate.com /v9/windowsupdate/redir/muv4wuredir.cab?0911180916
192.168.1.104 65.54.95.64 HEAD download.windowsupdate.com /v9/windowsupdate/redir/muv4wuredir.cab?0911180916
192.168.1.102 212.227.97.133 POST 212.227.97.133 /rpc.html?e=bl
192.168.1.102 87.106.1.47 POST 87.106.1.47 /rpc.html?e=bl
192.168.1.102 87.106.1.89 POST 87.106.1.89 /rpc.html?e=bl
192.168.1.102 87.106.12.47 POST 87.106.12.47 /rpc.html?e=bl
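As an added illustration of the http.log layout the answer shows (this is example code written for this page, not Bro's own code and not bro-cut), the reader below parses the Bro ASCII log headers (`#separator`, `#fields`, `#types`, `#unset_field`, `#empty_field`), types the columns, and selects fields by name the way the `bro-cut` invocation above does. The embedded log is a constructed sample in the same layout as the answer's output (the third record, with uid `CONSTRUCTED1`, and the `requests_with_ip_host` helper that flags requests whose Host header is a bare IP address, like the `/rpc.html?e=bl` POSTs at the end of the listing, are assumptions added here, not something the answer shows).

```python
"""Reader for Bro/Zeek ASCII logs such as the http.log produced by `bro -r`.

Added example for this page: it is not Bro's code and not bro-cut. It parses
the #separator/#fields/#types headers and selects columns by name.
"""
import ipaddress
from typing import Any, Dict, Iterator, List

# Constructed sample in the layout of the answer's http.log. The first two
# records mirror the answer's output (trailing fields filled with the unset
# marker "-"); the third record (uid CONSTRUCTED1) is invented for this example.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth"
    "\tmethod\thost\turi\treferrer\tuser_agent\trequest_body_len"
    "\tresponse_body_len\tstatus_code\tstatus_msg\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tstring\tstring"
    "\tstring\tstring\tstring\tcount\tcount\tcount\tstring\n"
    "1258535653.087137\tan7i43AgB5h\t192.168.1.104\t1191\t65.54.95.64\t80\t1"
    "\tHEAD\tdownload.windowsupdate.com"
    "\t/v9/windowsupdate/redir/muv4wuredir.cab?0911180916\t-"
    "\tWindows-Update-Agent\t0\t0\t-\t-\n"
    "1258535655.525107\tqPXo2uv96I5\t192.168.1.104\t1192\t65.55.184.16\t80\t1"
    "\tHEAD\twww.update.microsoft.com"
    "\t/v9/windowsupdate/selfupdate/wuident.cab?0911180916\t-"
    "\tWindows-Update-Agent\t0\t0\t-\t-\n"
    "1258535700.000000\tCONSTRUCTED1\t192.168.1.102\t2049\t212.227.97.133\t80\t1"
    "\tPOST\t212.227.97.133\t/rpc.html?e=bl\t-\t-\t128\t16\t200\tOK\n"
    "#close\t2012-07-06-14-00-00\n"
)

INT_TYPES = {"count", "int", "port"}


def _decode_separator(line: str) -> str:
    # "#separator \x09": the value is written escaped, after a single space.
    _, _, raw = line.partition(" ")
    return raw.encode("ascii").decode("unicode_escape")


def parse_log(text: str, typed: bool = True) -> Iterator[Dict[str, Any]]:
    """Yield one dict per data row, keyed by the names in the #fields header.

    With typed=True, the unset marker becomes None, the empty marker becomes "",
    count/int/port columns become int and time columns become float.
    With typed=False, every value is returned as the raw string (bro-cut style).
    """
    sep, fields, types, unset, empty = "\t", [], [], "-", "(empty)"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator"):
                sep = _decode_separator(line)
                continue
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = vals
            elif key == "types":
                types = vals
            elif key == "unset_field":
                unset = vals[0]
            elif key == "empty_field":
                empty = vals[0]
            continue  # #path, #set_separator, #open, #close: nothing needed here
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
        col_types = types or ["string"] * len(fields)
        rec: Dict[str, Any] = {}
        for name, typ, val in zip(fields, col_types, cols):
            if not typed:
                rec[name] = val
            elif val == unset:
                rec[name] = None
            elif val == empty:
                rec[name] = ""
            elif typ in INT_TYPES:
                rec[name] = int(val)
            elif typ == "time":
                rec[name] = float(val)
            else:
                rec[name] = val
        yield rec


def cut(text: str, wanted: List[str]) -> List[List[str]]:
    """Equivalent of `bro-cut f1 f2 ... < log`: the chosen columns, as raw text."""
    return [[rec[f] for f in wanted] for rec in parse_log(text, typed=False)]


def requests_with_ip_host(text: str) -> List[tuple]:
    """Requests whose Host header is a bare IPv4 address (optionally :port)."""
    hits = []
    for rec in parse_log(text):
        host = rec["host"]
        if host is None:
            continue
        try:
            ipaddress.ip_address(host.partition(":")[0])
        except ValueError:
            continue  # a hostname, not an address
        hits.append((rec["id.orig_h"], rec["id.resp_h"], rec["method"], rec["uri"]))
    return hits


if __name__ == "__main__":
    for row in cut(SAMPLE_HTTP_LOG, ["id.orig_h", "id.resp_h", "method", "host", "uri"]):
        print("\t".join(row))
    print(requests_with_ip_host(SAMPLE_HTTP_LOG))
```

Reading the separator and the unset/empty markers from the header rather than hard-coding tab and "-" is what keeps this robust across logs written with different `LogAscii` settings; the column-count check catches lines that were truncated, as the answer's listing was at the right edge.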
[Fiddler2](https://fiddler2.com/fiddler2/) is a great tool. – 2012-07-06 13:53:12
@CoreyOgburn Fiddler looks nice! But it doesn't look like it sniffs; instead it needs the client to actually be configured to use it as a proxy? Another problem is that it only runs on Windows – Miquel 2012-07-06 13:56:44
Fiddler automatically sets itself up as the proxy; as long as it is installed on the machine making the requests, no configuration is needed to start intercepting web requests. Fiddler appears to be written in .NET, so you might be able to run it with Mono or Wine, although I haven't tried. – 2012-07-06 14:29:39