What events, notifications or ??? do I need to monitor in ASOC to get all URLs visited by Safari? Thanks
I might be way off what you are asking, but have you tried using the developer utilities in Safari? Web Inspector, Profiler? Might this help? Also, if you expand Little Snitch it does give you a breakdown of what is passing through it.
Also, if you have your Mac firewall on you will be able to view the log.
URLs translate to IP addresses and vice versa. Also, if you look in Utilities > 'Console' you will see the Little Snitch network monitor log.
HTH...
You could use tcpdump:
tcpdump -n -A -s1514 src 1.2.3.4 and port 80 | grep "GET\|Host:"
Replace 1.2.3.4 with the IP address of your computer
You'll get stuff like:
ost: cdn.api.twitter.com
:.....ZQGET /uds/css/small-logo.png HTTP/1.1
Host: http://www.google.com
:.....].GET /uds/css/v2/search_box_icon.png HTTP/1.1
Unfortunately I get "tcpdump: no suitable device found".
The other thing is, can I change it to monitor all ports, not just 80?
TCPDump is only particularly good at getting a snapshot at a specific point in time.
The only dynamic way I know of would be to use a 'hardcore' program like Wireshark to intercept all IP traffic and then parse through it looking for whatever you're after. (You'll need X Windows or something installed; I haven't used it for a while.)
Slightly easier might be using 'iftop' from the command line, but you'll need to install it through MacPorts (and have Xcode), and very high throughput will crash it (like a 60+Mbps).
You mentioned Safari. What is wrong with using the built-in Developer Tools -> Instruments -> Network Requests? (see screenshot)
You can generally see every URL (full URL on hover), and even see them happen in pseudo real time.
Sorry, I didn't explain it accurately in the first place. I can't use the Safari developer tools, because I need a text log file. The log doesn't need to be nice looking as long as it logs.
http://www.quicomm.com/gurl_watcher_help_osx.html
"Have you tried TCPBlock"
No, and it looks like it's overkill for my use, and I think it doesn't log full URLs.
"Other thing is can i change it to monitor all ports, not just 80?
Yeah, snip off the "and port 80" part of the expression."
Cool.
"sudo tcpdump ..."
With sudo it works, but a date and time stamp is still needed, and if possible the name of the application that makes the connection. I know nothing about grep.
I would like to also try iftop. What is the easiest way to install MacPorts?
Thanks
#!/bin/bash
#
# Print a timestamped URL for every HTTP GET that tcpdump sees.
# Must run as root on OS X (e.g. sudo ./urls.sh -i en1 port 80);
# all arguments are passed straight through to tcpdump.
#
# reset variables
myhost=""
myurl=""
myoldhost=""
myoldurl=""
tcpdump -s 0 -w - -l "$@" | strings |
while read -r line
do
    # filter GET requests: keep only the path, dropping the header junk
    # that precedes "GET" (sed -n ... p prints nothing for non-matching lines)
    myurl=$(echo "$line" | sed -nE 's/.*GET (.*) HTTP.*/\1/p')
    if [ "$myurl" == "" ]; then myurl=$myoldurl; fi
    # filter Host headers the same way
    myhost=$(echo "$line" | sed -nE 's/.*Host: (.*)/\1/p')
    if [ "$myhost" == "" ]; then myhost=$myoldhost; fi
    # once we have a data pair, put them together and echo
    if [ "$myhost" != "" ]
    then
        url="http://$myhost$myurl"
        echo "$(date): $url"
        myhost=""
        myurl=""
    fi
    myoldurl=$myurl
    myoldhost=$myhost
done
You could write up a script to parse tcpdump output, similar to this:
http://n3t.awardspace.us/content/tcpdump-url-extraction
It would have to be modified for OS X, and you want a timestamp:
Alternatively, just write out the packets to a file and analyze it later with whatever tool you want (tcpdump's -w flag, -r to read back packets from the file, ethereal/wireshark, etc).
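As an added example that is not from this thread or the linked page, here is the same Host/GET pairing done in Python instead of bash, covering both the tcpdump | grep pipeline posted earlier and the script just above. It assumes tcpdump is run as sudo tcpdump -tttt -n -A -s0 -l 'tcp port 80', so every packet header already carries a date and time (which answers the timestamp question without calling date), and it keeps state per TCP flow so a request line and its Host header are paired even when tcpdump prints them in different segments. The capture text below is constructed by hand to look like tcpdump output; it is not a real capture. Two caveats a practitioner should know: nothing in a packet names the application that sent it, so the requested application name is outside tcpdump's reach, and HTTPS requests show no URL on the wire at all, only the destination address.

```python
import re
import sys
from collections import namedtuple

# Constructed sample of `sudo tcpdump -tttt -n -A -s0 -l 'tcp port 80'` output
# (hand-written to look like real output; not an actual capture).
SAMPLE = """\
2013-01-02 10:15:30.123456 IP 192.168.1.10.52344 > 173.194.35.5.80: Flags [P.], seq 1:251, ack 1, win 8235, length 250
E..".@.@.o.....ZQGET /uds/css/small-logo.png HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) Safari/536.26.17
Accept: */*

2013-01-02 10:15:31.004000 IP 173.194.35.5.80 > 192.168.1.10.52344: Flags [P.], seq 1:800, ack 251, win 1000, length 799
E.....@.....HTTP/1.1 200 OK
Content-Type: text/css

2013-01-02 10:15:32.500000 IP 192.168.1.10.52345 > 199.59.148.20.80: Flags [P.], seq 1:300, ack 1, win 8235, length 299
E..1..@.@.....POST /1/statuses/update.json HTTP/1.1
Host: api.twitter.com
Content-Length: 42

2013-01-02 10:15:33.000000 IP 192.168.1.10.52346 > 199.59.148.20.80: Flags [P.], seq 1:50, ack 1, win 8235, length 49
E..I..@.@.....GET /1/users/show.json?screen_name=safari HTTP/1.1
2013-01-02 10:15:33.000200 IP 192.168.1.10.52346 > 199.59.148.20.80: Flags [P.], seq 50:120, ack 1, win 8235, length 70
Host: cdn.api.twitter.com
Accept: */*
"""

# Packet header printed by -tttt -n: "<date> <time> IP <src>.<port> > <dst>.<port>: Flags ..."
HEADER_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP6? (\S+) > (\S+):')
# Request line. Deliberately no \b before the method: -A renders the IP/TCP header
# bytes as junk glued straight onto "GET", as in the ":.....ZQGET /uds/..." output above.
REQUEST_RE = re.compile(r'(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/1\.[01]')
HOST_RE = re.compile(r'Host:\s*(\S+)', re.IGNORECASE)

Visit = namedtuple('Visit', 'ts src dst method url')


def iter_urls(lines):
    """Yield a Visit for each HTTP request found in tcpdump -tttt -n -A text.

    Request lines are remembered per TCP flow (src -> dst) until the matching
    Host header arrives, so a request split across two segments is still paired.
    The timestamp is tcpdump's own, taken from the segment holding the request line.
    """
    pending = {}            # (src, dst) -> (ts, method, target)
    ts = src = dst = None
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            ts, src, dst = m.groups()
            continue
        if ts is None:
            continue        # text before the first packet header
        m = REQUEST_RE.search(line)
        if m:
            method, target = m.groups()
            if target.startswith('http://'):
                # absolute-form target (request sent via a proxy): already a full URL
                yield Visit(ts, src, dst, method, target)
            else:
                pending[(src, dst)] = (ts, method, target)
            continue
        m = HOST_RE.search(line)
        if m and (src, dst) in pending:
            req_ts, method, target = pending.pop((src, dst))
            yield Visit(req_ts, src, dst, method, 'http://%s%s' % (m.group(1), target))


def extract_urls(text):
    """Parse a whole capture transcript into a list of Visits."""
    return list(iter_urls(text.splitlines()))


def format_log(visits):
    """One log line per visit: '<tcpdump timestamp> <src> -> <dst> <method> <url>'."""
    return ['%s %s -> %s %s %s' % v for v in visits]


if __name__ == '__main__':
    # Live use:  sudo tcpdump -tttt -n -A -s0 -l 'tcp port 80' | python3 urllog.py - >> safari_urls.log
    # With no argument the constructed SAMPLE above is parsed instead.
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == '-' else SAMPLE.splitlines()
    for visit in iter_urls(source):
        print('%s %s -> %s %s %s' % visit, flush=True)
```

The -l on tcpdump matters for live use: without it tcpdump block-buffers its stdout when writing to a pipe and the log lags by many packets. Dropping 'tcp port 80' from the filter watches every port, as was asked earlier in the thread, but only cleartext HTTP will ever yield a URL.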
Snort, the de facto standard network intrusion detection tool, will serve your needs. You can get it from http://www.snort.org but you have to build it from source. The other caveat is the learning curve. As with most high-power tools, it takes some good study time to make it do what you want.
Building and operation on Mountain Lion is without problems. Just make sure to build all the support libraries. And if you are snowed in like me, then the included 249-page documentation might help you pass the time.
Good luck and Happy New Year,
Manfred
Are Snort or any other IDS tools available in Homebrew?
Wireshark is what I use. Never required anything else, on OS X.
Just make sure, if you decide to use it, to get proficient (30 mins) on usage of filters, so you can filter out garbage you don't wanna "listen to".
Good tool, but the OP needs text (text file ?) output, not X11 screens....
I'm not sure (and tend to doubt it). I prefer to use the more traditional approach of "configure --> make --> make install". On Mountain Lion you might need to build autoconf and automake, as they are no longer in Xcode, but make sure NOT to replace libtool.