StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
11081321
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
4
CommunityOwnedDate
CreationDate
2012-06-18T10:52:08.360
FavoriteCount
0
LastActivityDate
2015-07-27T14:32:35.727
LastEditDate
2015-07-27T14:32:35.727
LastEditorUserId
1000630
OwnerUserId
1170277
ParentId
11071768
PostTypeId
2
Score
4
ViewCount
0
LastEditorDisplayName
text
Body
<p>While this may be doable with Wireshark, it is orders of magnitude easier with <a href="http://www.bro-ids.org" rel="nofollow">Bro</a>. </p> <h1>Extracting URIs</h1> <p>Simply run it with your trace file:</p> <pre><code>bro -r <trace> </code></pre> <p>This invocation generates a bunch of log files in the current directory. The one you are interested in is <code>http.log</code>. You can filter the output to obtain only the GET requests:</p> <pre><code>bro-cut id.orig_h id.resp_h method host uri < http.log | awk '$3 == "GET"' </code></pre> <p>Example output:</p> <pre><code>192.168.1.104 212.96.161.238 GET update.avg.com /softw/90/update/avg9infowin.ctf 192.168.1.104 77.67.44.206 GET backup.avg.cz /softw/90/update/u7avi1777u1705ff.bin 192.168.1.104 198.189.255.75 GET aa.avg.com /softw/90/update/u7iavi2511u2510ff.bin 192.168.1.104 77.67.44.206 GET backup.avg.cz /softw/90/update/x8xplsb2_118c8.bin </code></pre> <p>As you can see, the last two columns make up the full URL. To remove the space in-between, you could use awk to concatenate the last two fields.</p> <h1>Extracting Files</h1> <p>Note: the upcoming Bro 2.1 release will have major improvements for file extractions. Until then, you can extract all files from a HTTP stream by specifying the MIME type of the files to store:</p> <pre><code>bro -r <trace> 'HTTP::extract_file_type = /video\/avi/' </code></pre> <p>Bro sniffs the MIME type of a HTTP body and if it matches the regular expression <code>/video\/avi/</code>, it creates a file with the prefix <code>http-item</code>. You can change the prefix name by redefining the <code>HTTP::extraction_prefix</code> variable.</p>
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POExtract GET URIs or their responses from Wireshark capture to separate file(s)
  singulars
  PostTypePostTypeId
  PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USrunejuhl
UserOwnerUserId
1. USmavam
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
  singulars
  PostPostId
  PO
  UserUserId
  This table or related slice is empty.
  VoteTypeVoteTypeId
  VTDownMod
2. VO
  singulars
  PostPostId
  PO
  UserUserId
  This table or related slice is empty.
  VoteTypeVoteTypeId
  VTUpMod
3. VO
  singulars
  PostPostId
  PO
  UserUserId
  This table or related slice is empty.
  VoteTypeVoteTypeId
  VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.