1 | initial version |
Hi,
This is how I do it but there are probably other (better?) ways.
Capture all traffic when you are browsing to the website.
When you are done close your browser and then stop the capture.
You'll need to use display filters to all the information.
Use this display filter to find the DNS queries and answers for the domain:
dns contains www.yahoo.com
There are probably a lot of DNS for a site like Yahoo so if you want everything you need to make a note of every IP addresses in the answer field of every DNS packets.
You can now display all TCP SYN segment with this filter.
(tcp.flags.syn == 1) && (tcp.flags.ack == 0)
You need to find the TCP stream index where the destination IP address matches the IP address from the DNS answer.
You may build a more complex filter using the IP addresses you found to (somewhat) automate this process.
ip.dst in {1.2.3.4 5.6.7.8 9.0.1.2} && (tcp.flags.syn == 1) && (tcp.flags.ack == 0)
You can then find all the TCP stream indexes of all the Yahoo related TCP conversations.
This will include HTTP/HTTPS.
Display everything with a new display filter.
dns contains www.yahoo.com || tcp.stream in {10 20 30}
Hope this helps.
Cheers,
JF
2 | No.2 Revision |
Hi,
This is how I do it but there are probably other (better?) ways.
Capture all traffic when you are browsing to the website.
When you are done close your browser and then stop the capture.
You'll need to use display filters to all the information.
Use this display filter to find the DNS queries and answers for the domain:
dns.qry.name contains "www.yahoo.com
(Deprecated using dns contains www.yahoo.com after reading Jim's comment.)
There are probably a lot of DNS for a site like Yahoo so if you want everything you need to make a note of every IP addresses in the answer field of every DNS packets.
You can now display all TCP SYN segment with this filter.
(tcp.flags.syn == 1) && (tcp.flags.ack == 0)
You need to find the TCP stream index where the destination IP address matches the IP address from the DNS answer.
You may build a more complex filter using the IP addresses you found to (somewhat) automate this process.
ip.dst in {1.2.3.4 5.6.7.8 9.0.1.2} && (tcp.flags.syn == 1) && (tcp.flags.ack == 0)
You can then find all the TCP stream indexes of all the Yahoo related TCP conversations.
This will include HTTP/HTTPS.
Display everything with a new display filter.
dns contains www.yahoo.com || tcp.stream in {10 20 30}
Hope this helps.
Cheers,
JF