This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

NBNS or LLMNR

Is there a way to view what website was visited with either of these protocols?

asked 25 Nov '13, 16:16

Brad6547884

"view what website was visited with either of these protocols?" in what sense?

As per my comment below, there are a couple of different ways to interpret that, with different answers.

(28 Nov '13, 13:53) Guy Harris ♦♦

One Answer:

Is there a way to view what website was visited with either of these protocols?

If a 'website' is something on the internet for you, then the answer is: NO, as you need DNS (in most environments) to resolve the name of a server on the internet.

Your systems may however resolve names of internal web sites with NBNS and/or LLMNR. In that case the answer is: YES

Either way, it would be better to look for HTTP traffic in the capture file, because just the fact that a system resolved the name for a system does not mean it also connected to it via HTTP.

Regards
Kurt

answered 26 Nov '13, 04:57

Kurt Knochner ♦

And if you're specifically trying to see which Web sites are being "found" (in the sense of the host name in the URL being translated to an IP address) using NBNS or LLMNR rather than DNS, capture NBNS, LLMNR, DNS, and HTTP traffic, look at the capture, and see which type of name request preceded an HTTP connection.

(No, there's no simple automated way to do that; you'll probably have to examine the traffic manually.)

Note also that the name resolver might be caching the results of a name lookup, so there might not be any name lookup before the HTTP connection, in which case you'd have to hope that you captured whatever earlier name lookup mapped the name to an IP address.

(26 Nov '13, 14:44) Guy Harris ♦♦

hope that you captured whatever earlier name lookup

or look at the Host: header of the HTTP request....

(26 Nov '13, 16:24) Kurt Knochner ♦

or look at the Host: header of the HTTP request....

But will that tell you which protocol was used when the system translated the host name in the Host: header to the IP address to which the request was sent?

(26 Nov '13, 16:32) Guy Harris ♦♦

No, but the OP wants to know 'what website was visited', which can be answered by looking at the Host: header.

(26 Nov '13, 16:36) Kurt Knochner ♦

I guess it's a question of how to interpret "Is there a way to view what website was visited with either of these protocols?" I interpreted it as meaning "find out for which web sites the IP address was resolved with NBNS or LLMNR"; it sounds as if you're interpreting it as "given that a given Web site had its IP address resolved with NBNS or LLMNR, find out what Web site that was" (i.e., what its host name was).

Either interpretation could be correct. For the first interpretation, you'd need to watch traffic for those protocols; for the second interpretation, the Host: header (at least for HTTP 1.1) would suffice even if the host had its IP address resolved with DNS.

(28 Nov '13, 13:52) Guy Harris ♦♦

I guess it's a question of how to interpret ...

I agree and I believe we will never know, as it seems that @Brad6547884 lost interest in the questions he asked ....

(29 Nov '13, 06:27) Kurt Knochner ♦
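
The manual correlation discussed in the comments above (which name lookup preceded an HTTP connection, and what happens when the lookup was cached) can be sketched as follows. This is an added example, not code from the original thread or from Wireshark; the record types, function names and sample records are hypothetical and constructed, and it assumes the name responses and HTTP requests have already been extracted from the capture, with NBNS names decoded.

```python
from dataclasses import dataclass

@dataclass
class NameAnswer:            # one name-resolution response seen in the capture
    ts: float                # capture timestamp, seconds
    proto: str               # "DNS", "NBNS" or "LLMNR"
    client: str              # host that asked
    name: str                # resolved name (NBNS name already decoded and trimmed)
    addr: str                # address returned

@dataclass
class HttpRequest:
    ts: float
    client: str
    dst: str                 # IP the request was sent to
    host: str                # Host: header value

def same_name(answer, host):
    host = host.split(":")[0].rstrip(".").lower()   # drop an optional :port
    name = answer.name.rstrip(".").lower()
    if answer.proto == "NBNS":                      # NetBIOS names are single-label
        return name == host.split(".")[0]
    return name == host

def resolution_protocol(req, answers):
    """Protocol of the latest earlier answer that mapped the Host: name to the
    request's destination IP, or None if no such lookup was captured (cached)."""
    best = None
    for a in answers:
        if (a.client == req.client and a.addr == req.dst and a.ts <= req.ts
                and same_name(a, req.host) and (best is None or a.ts > best.ts)):
            best = a
    return best.proto if best else None

# Constructed sample records (not taken from a real capture).
ANSWERS = [
    NameAnswer(1.0, "LLMNR", "10.0.0.5", "intranet", "10.0.0.20"),
    NameAnswer(2.0, "DNS", "10.0.0.5", "www.example.com", "192.0.2.10"),
    NameAnswer(3.0, "NBNS", "10.0.0.5", "FILESRV", "10.0.0.30"),
]
REQUESTS = [
    HttpRequest(1.2, "10.0.0.5", "10.0.0.20", "intranet"),
    HttpRequest(2.3, "10.0.0.5", "192.0.2.10", "www.example.com"),
    HttpRequest(3.1, "10.0.0.5", "10.0.0.30", "filesrv:8080"),
    HttpRequest(4.0, "10.0.0.5", "10.0.0.40", "wiki"),   # no lookup captured
]

def report(requests, answers):
    return [(r.host, resolution_protocol(r, answers) or "not captured") for r in requests]
```

A "not captured" result corresponds to the caching case raised in the comments: the Host: header still names the site, but the capture cannot say which protocol resolved it.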