determining full url from wireshark - wireshark

i am watching a video stream from a proprietary app and i want to know the URL it's connecting to. note that in this case, i know the URL that it connects to but am curious how i'd determine it using wireshark.
i have wireshark open and i let it scan for a few seconds. i looked at the results, and all i was able to determine was the url and port of the site that's providing the stream. there's a series of URL parameters that are important as well. is there a way with wireshark to see the whole url that the app is connecting to?

A full URL is the concatenation of 'host' and 'path' ('path' is URI in wireshark's jargon).
The concatenation of these strings usually does not pass on wire - you will not see it in wireshark - and it is not required by HTTP.
Therefore, you have to concatenate them on you own, either manually or using some software as the one proposed by the writer of the lua dissector.
Example:
GET /path HTTP/1.1
Host: www.amazon.com
thus, the full URL is: www.amazon.com/path

There is no such thing as a "whole" url. An application may connect to many servers during it's lifetime.There could be different servers for authentication, configuration, logging, data, etc.
Wireshark is a low-level monitoring tool. You can choose to watch the packets of a specific osi-layer and add filters to limit the output. But I don't think it can aggregate all the incoming connections of a specific application.

Please, check out following custom dissector written in Lua, that helps showing full URL in wireshark HTTP captures
Feel free to ask any questions regarding it, upvoting is preferred as well ;)

Related

URI launching a program from site and getting information from link

I have searched here for answers but I only seen few links to Microsoft c++ codes but none for Delphi so just wondering if anyone has a working Delphi example on how to launch programs from URI and get data from it to maybe connect to a socket or load a resource within my program?
Thanks
am basically looking for away to launch my program from a web address URI c++ code am none the wiser what to post as I can not understand that to save my life
and am sorry about not being more clear but I do find spelling things little hard and putting across what I would like I like to use voice mostly ha
You must register URI scheme for your application. For example, you may create "myapp" scheme. After this, if you open url like "myapp:do_something&close" Windows will launch your application with single parameter equal to URL.
"C:\program file\Soft\MyApplication.exe" "myapp:do_something&close"
In your application, you can read first parameter (ParamStr(1)), parse it and decide what to do.
"do_something&close" in my example, may be any kind of data. But if you want to open your application from web site, you may use HTTP URL format, like "myapp:\cleandisk?drive=C&askuser=yes"
See more info what you must write into Windows Registry in order to register your own URI scheme.

How can http:// be changed to abc:// and can wireshark capture this traffic?

I've seen this before, but never knew how it is accomplished.
What is the http for? Does it direct my request? Is this related to MIME Types? How is it like saying ftp:// ?
http:// ftp:// file:// etc. are some of many URI Schemes
You're not mentioning any specific application so it's hard to answer your questions. Basicaly the URI scheme tells the application that handles to URI what is the URI for and what protocol should be used.
For example the web browsers support many protocols including HTTP, FTP, direct local file access etc. You can tell your browser to open file://path/to/local/file.html and it'll access the file from disk. You can also tell it to open ftp://server/path/to/file.html and it'll load the file from FTP server.
It's allowed to have any scheme you like in your application. For example a lot of mobile applications handle their URI schemes like fb:// for facebook or instagram:// for instagram.
Wireshark can capture any network traffic regardless of the URI scheme used. It works on low network layer and can capture even 'raw' wifi or ethernet traffic (that's huge simplification - please refer to the course mentioned in my profile bio)

Delphi how to avoid sniffers

I'm developing a project with Delphi 2010, at some point this project connects to internet and send some data to a php file via POST/IDHTTP, those parameters encrypted with aes and as you know there is no way to get source code of php files via browser. But when i use sniffer on my project sniffer software shows full path of php file and parameters. I was wondering is there any chance to hide path and parameters with IDHTTP. For example when i try on Skype sniffer only shows decimal characters on skype's transmission. Is it possible to do same or totally hide the traffic ?
Thanks in advance.
You can use HTTPS, it is supposed to be standard way to transmit HTTP traffic through SSL-protected channel. Example of code you can find for example here.
In addition to Andrei's answer, you can consider encrypting your traffic on-top of using HTTPS.
In other words,
1) Use HTTPS protocol.
2) Add your own layer of encryption to encrypt all data coming to and from your server.
In addition to HTTPs and encrypted data, you can also add security by using client certificates. See https://security.stackexchange.com/questions/3605/certificate-based-authentication-vs-username-and-password-authentication
The answers explain the advantages of using CBA, one of them is
certificate usage never involves revealing any secret data to the
peer, so an attacker impersonating the server cannot learn anything of
value that way

How to I access a SoundCloud public stream?

How do I play a track from a SoundCloud URL, which, for example, I got from the xml response from a query
<stream-url>https://api.soundcloud.com/tracks/31164607/stream</stream-url>
I should have thought that it would have been as easy as:
https://api.soundcloud.com/tracks/31164607/stream&client_id=my_client_id
yet I get
<error>401 - Unauthorized</error>
All I want to do is consume it in a Silverlight MediaElement, so all I need is set some url to the MediaElement's Source property.
I've checked an application that I wrote about 2 years ago, and THEN, accessing the stream url was as easy as this for a public track:
http://api.soundcloud.com/tracks/18163056/stream&consumer_key=MY_CONSUMER_KEY
however this no longer seems to work.
For example, all I had to do then in C# was:
MediaElement me = new MediaElement();
me.Source= new Url("http://api.soundcloud.com/tracks/18163056/stream&consumer_key=MY_CONSUMER_KEY");
me.Play();
Any hints would be appreciated.
I had a reply on a Microsoft forum that seems to imply that SoundCloud might not be possible to stream to Windows 8 Metro devices without consuming the whole stream before playback starts - which is quite worrying and would seem to imply that to make authentication possible, it would have to be done entirely in the url querystring insterad of using the header:
(The following reply is the answer to the following question: 'I am able to access an audio stream by http using the MediaElement, however I need to access it via https in which I need to add the oAuth info to the header of the initial request.
How is this done when using a MediaElement, and if it cannot be done, what is the workaround for consuming an audio feed in Metro 8 that requires header authentication to stream?')
"Direct access to the underlying network stream is not currently permitted by the MediaElement. Because of this there is currently no way to modify the header of the HTTP request to include any additional authentication information. That said, you do have control over the URL. You could theoretically setup an HTTP proxy service that translated the HTTP GET request parameters into the necessary oAuth credentials. Keep in mind that this is just a theoretical workaround. You may find different behavior in practice. Another theoretical workaround would be to handle the oAuth yourself via a raw stream socket and pass the retuned media data to the MediaElement via "Set Source" and a "Random Access Stream". Please keep in mind that this method has major limitations. in order to use a "Random Access Stream" with the ME you need to make sure all of the data is available before passing it to the ME."
The proxy service is not scalable for an application that is merely distributed for free as every stream would need to come via the proxy. And the raw stream socket, although getting around this, would mean that playback could not start until the whole file had downloaded - and this goes against all current UX (User Experience) guidelines.
So once again, if anyone has any tips, or info about how the whole authentication thing can be achieved in a querystring instead of using headers, I'd appreciate it!
I'm a little confused about whether you're referring to a public or a private track? If it's a public track, then you shouldn't need to send any authentication information, just your client id.
When I request https://api.soundcloud.com/tracks/31164607/stream?client_id=YOUR_CLIENT_ID then I get a 302 redirect to the proper mp3 stream.
Remember, adding parameters to a URL must start with a ? not &. This could (more than likely) be the reason why you are getting a 401 (SC is not picking up the client_id).
After authentication the link like this
http://api.soundcloud.com/tracks/103229681/stream?consumer_key=d61f17a08f86bfb1dea28539908bc9bf
is working fine. I am using Action Script.
I'm following up on Tom's reply because he calls attention to url character specificity. My HTTP requests randomly started failing today, and I was prefacing my client_Id with a ?. As soon as I changed that single ? to &, it started working. So in my case, SC wasn't picking up my client_Id because I used the wrong character. I think depending on where in the request we're talking about specifically, it's worth noting that differences between ? and & do make a difference.

Block specified URLs

I want to write an application in Delphi which filters requested URLs in the OS (not only web browsers) and if it matches - blocks it or changes the URL's content to blank. The problem is - I don't know where to start looking. Could you help me with some informations?
I think you're talking about a DNS service. usually, DNS services live outside, on your router, your ISP, or a 3rd-party like www.openDNS.org
But you could write your own, run it on your PC, and set your internet settings to use that as your DNS server.
I suspect that a lot of malware works like this....
Also, this sort of thing can be done with no programming at all - just edit your hosts file in C:\WINDOWS\system32\drivers\etc\hosts (it's a text file with no extension).
Anything in there should trump.
Also, before you start writing an application to do this, have a look at OpenDNS. If it's an app for personal use, you may find that you don't need it. If it's going to be a commercial offering, this is the bar for usability and usefulness that you need to meet or beat.
http://www.mail-archive.com/delphi-talk#elists.org/msg01558.html - text by Francois PIETTE quoted bellow(in case link will become unavailable):
"There are several way to achieve your goal. The two main I see are:
1) Write a LSP (Layered Service Provider)
2) Write a proxy server
The first is not possible with Delphi (At least I think so. If anyone know
how to write a LSP using Delphi, I would love to get the code).
The second - writing a proxy - is more or less easy with Delphi using ICS
components. See "usermade" link at ICS website (http://www.overbyte.be).
With this option, you have to configure IE to use the proxy: IE Menu / Tools
/ Internet options / Connections / Network parameters / Use a proxy and then
enter the IP address (127.0.0.1 if proxy run on the same computer) and port
number (pick anyone you like, for example 8080). Once IE is configured to
use a proxy, it will send all requests to the proxy. Then the proxy will
make the real request to the target server and return data back to IE. What
is important there is that you get all URL entered in IE or indirectly use
(clicking on links), and you can either really rely them to the target
server or forge and answer your self to say the page access is denied.
At ICS website, on the usermade page, you'll even find a HTTP proxy
component. If you need help with this component and/or the entire ICS,
please use ICS support mailing list (same server as this list). See
"support" link at ICS website for support details."
LE: it seems that this question is possible a duplicate
Using delphi to block websites
use GetExtendedTcpTable api locate if there are any connexions to the remote server you want to block on port 80 if there is a connection use SetTcpEntry to terminate that connexion is pretty simple

Resources