Sniffing HTTP packets



Jr. Member

Posts: 50

Joined: Tue Feb 23, 2010 10:18 am

Post Mon Oct 04, 2010 9:04 am

Sniffing HTTP packets

I have been playing with Wireshark, listening to tutorials to try to learn and understand how I can begin using the tool at my job (I have authorization from the head honcho).

My task is to basically monitor HTTP traffic generated by our workstations to be able to track time that is spent being unproductive on websites instead of time spent working.

The problem:

I can track port 80 traffic when Wireshark is running on the workstation. However, is there a way to sniff packets coming in and out of the router itself?

The problem is that the internet traffic doesn't go through our server, therefore when I capture packets on the server, it captures all network traffic generated by our applications, but no HTTP traffic generated by the workstations. Is there a better way or a more centralized way to capture these packets from the workstations, where I can then filter them by IP address and analyze packets by workstation?


Hero Member

Posts: 673

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Oct 04, 2010 9:29 am

Re: Sniffing HTTP packets

ARP spoof the entire network (with permission) so all the clients are going through your machine. (MAKE SURE it is capable of handling the amount of connections and that you're forwarding the traffic to the gateway so you won't experience a network-wide DoS.)

You can also set up a new server as a router, which uses perhaps an IDS to monitor the connections made and, instead of possible intrusions, it is configured to detect sites such as etc.

There is a third alternative and that is to use an enforced web proxy such as Squid.

Well, I hope it helped just a little bit  ;)
I'm an InterN0T'er



Posts: 1

Joined: Mon Oct 04, 2010 9:47 am

Post Mon Oct 04, 2010 11:00 am

Re: Sniffing HTTP packets

If you have access to the routers, you might be able to set up a SPAN port. Cisco routers/switches have a feature called SPAN ports, which enables you to replicate all the traffic from one or more ports to another port. On Linksys they call it port mirroring. Either way, you could set up a system with an interface connected to this port, and the interface in promiscuous mode. The switch would replicate all traffic designated for a certain port to the port where you connected your system. You would then be able to listen in on all traffic going to and coming from the internet. Wireshark would then be able to report all unproductive web viewing. You would also be able to expand the system's capabilities by installing an IDS on that machine, and it could report any suspicious activities.
Hope this helps.
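As an added example (not code from any poster), here is what the per-workstation breakdown the original question asks for looks like once frames arrive from a SPAN/mirror port: it parses raw Ethernet/IPv4/TCP frames, keeps only port-80 HTTP requests, and counts requests per source IP and Host header. The frames are constructed inline; in a real deployment they would come from a pcap file or a promiscuous-mode capture, and the source IP identifies the workstation, not the person at it.

```python
import struct
from collections import defaultdict

# Constructed sample frames: Ethernet + IPv4 + TCP + payload, as seen on a mirror port.
def build_frame(src_ip, dst_ip, dst_port, payload):
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def parse_http_request(frame):
    """Return (src_ip, host, path) for a TCP/80 HTTP request frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                         # not IPv4/TCP
    ihl = (frame[14] & 0x0F) * 4                            # IPv4 header length
    src_ip = ".".join(str(b) for b in frame[26:30])
    tcp_off = 14 + ihl
    dst_port = struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])[0]
    data_off = (frame[tcp_off + 12] >> 4) * 4               # TCP header length
    payload = frame[tcp_off + data_off:]
    if dst_port != 80 or not payload.startswith((b"GET ", b"POST ")):
        return None                                         # not a plain HTTP request
    lines = payload.split(b"\r\n")
    path = lines[0].split(b" ")[1].decode(errors="replace")
    host = ""
    for line in lines[1:]:
        if line.lower().startswith(b"host:"):
            host = line[5:].strip().decode(errors="replace")
    return src_ip, host, path

def requests_per_workstation(frames):
    """Map workstation IP -> {host: request count}, ignoring non-HTTP frames."""
    stats = defaultdict(lambda: defaultdict(int))
    for frame in frames:
        parsed = parse_http_request(frame)
        if parsed:
            src_ip, host, _ = parsed
            stats[src_ip][host] += 1
    return {ip: dict(hosts) for ip, hosts in stats.items()}

# Constructed traffic from two workstations; the TLS frame is deliberately skipped.
SAMPLE_FRAMES = [
    build_frame("192.168.1.10", "203.0.113.5", 80, b"GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    build_frame("192.168.1.10", "203.0.113.5", 80, b"GET /a.jpg HTTP/1.1\r\nHost: news.example\r\n\r\n"),
    build_frame("192.168.1.11", "203.0.113.9", 80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    build_frame("192.168.1.11", "203.0.113.9", 443, b"\x16\x03\x01"),
]
```

Call `requests_per_workstation(SAMPLE_FRAMES)` to get the per-IP breakdown; HTTPS traffic on port 443 only reveals the destination, not the URL, so this approach sees far less than it did in 2010.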



Posts: 1134

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Oct 04, 2010 1:38 pm

Re: Sniffing HTTP packets

Great advice so far.

Also, check out a tap (you can buy high-end ones, but it's easy to make your own too: http://09-f9-11-02-9d-74-e3-5b-d8-41-56 ... egory/diy/). A hub may work too, depending on the speed of the connection.
Last edited by dynamik on Mon Oct 04, 2010 1:41 pm, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
