3. Free HTTP Sniffer
If you want a simple-to-use packet sniffing tool to capture file URLs, Free HTTP Sniffer is a useful program to look at. It has no advanced options, so the window isn’t cluttered with useless information. There are one or two minor issues: a donate nag appears on start, and the included WinPcap driver is out of date for newer versions of Windows, so you will need the latest installer from WinPcap.org or there will be an error on launch. Usage is very easy:
1. Start Free HTTP Sniffer, click Options and select “Only addresses sent by any computer” for the Sniffer Mode. This step isn’t strictly necessary but will cut down the useless information in the window even further.
2. Press the Start button and launch the web installer or executable etc. When the file you’re looking for has downloaded, click Stop and look in the main window for the file that looks like the correct one.
3. Then you can double-click on it to try the file in a browser, or go to the File menu and save all the URLs in the window to a text file. As you can see in the screenshot above, it was very easy to find the Adobe Flash Player full executable we also found in URLSnooper. The network adapter can be changed from the File menu.
4. Socket Sniffer
Socket Sniffer is another very easy-to-use tool to sniff a URL from a web installer or webpage. Getting the program running and capturing packets takes no effort at all, but interpreting the results is slightly more tricky because it mixes UDP and ICMP traffic in with the TCP entries, which are where you will find any file URLs. It therefore takes a tiny bit more searching of the results.
1. Socket Sniffer is portable, so you simply run the standalone executable. It appears to run using raw sockets, as no third-party drivers are required. Select the IP address of the current network adapter from the top left drop-down menu and then click the Start Sniffing button.
2. After running the web installer or setup file etc, stop the sniffing and browse through the TCP protocol entries by clicking on them and looking at the results in the lower pane.
3. You should find an entry with a GET that appears to be the path and file name of the full installer. To get the full URL to the file you have to take the Host name and append the GET path, so the above would be:
Socket Sniffer requires the .NET Framework 2 or above to run.
PacketViewer is another portable tool to sniff out packets from the TCP, UDP or ICMP protocols. It also has a few options to help narrow things down, such as an IP address and port filter for both incoming and outgoing packets, and the most important filtering option: entering a string to filter the packet messages. Using this we can filter out everything apart from executable URL messages.
1. Run the portable PacketViewer.exe and go to Options. Untick Message Filter > No Filter and put .exe into the text box, then click Apply and Close.
2. After clicking Start, run the web or setup installer, then stop capturing after the main file has downloaded.
3. Looking through the captured entries should be easy because only packet messages containing .exe will be displayed. You then need to append the GET path details to the Host address, as with the Socket Sniffer tool above. PacketViewer can also automatically save every capture session to a log file.
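The manual step described for Socket Sniffer and PacketViewer (take the Host name, append the GET path, keep only .exe entries) can be scripted over saved capture text. The following is an added example, not part of the original article or of either tool; the function name, the sample payload and the example.com hosts are constructed for illustration, and it assumes plain HTTP traffic, which is all these sniffers can read.

```python
import re
from urllib.parse import urlsplit

# Head of an HTTP/1.x GET request inside raw captured payload bytes:
# request line, zero or more header lines, then the blank line.
REQUEST_HEAD = re.compile(rb"GET (\S+) HTTP/1\.[01]\r\n((?:[^\r\n]+\r\n)*)\r\n")


def urls_from_capture(payload, suffix=".exe"):
    """Rebuild full URLs from GET requests found in captured TCP payload."""
    urls = []
    for match in REQUEST_HEAD.finditer(payload):
        target = match.group(1).decode("latin-1")
        headers = {}
        for line in match.group(2).decode("latin-1").split("\r\n"):
            name, sep, value = line.partition(":")
            if sep:
                # Header names are case-insensitive, so normalise them.
                headers[name.strip().lower()] = value.strip()
        if target.startswith(("http://", "https://")):
            url = target  # absolute-form target, as sent through a proxy
        elif "host" in headers and target.startswith("/"):
            # Assumption: scheme is http because the capture is plaintext.
            url = "http://" + headers["host"] + target
        else:
            continue  # no Host header, so the URL cannot be rebuilt
        # Compare the path only, so "setup.exe?lang=en" still matches.
        if urlsplit(url).path.lower().endswith(suffix):
            urls.append(url)
    return urls


# Constructed sample: non-HTTP noise, a page request, an installer request
# with a lower-case "host" header, and a request with no Host header.
SAMPLE = (
    b"\x00\x01noise-from-udp"
    b"GET /index.html HTTP/1.1\r\nHost: downloads.example.com\r\n\r\n"
    b"GET /files/Setup_Full.EXE?lang=en HTTP/1.1\r\n"
    b"User-Agent: Installer\r\nhost: downloads.example.com\r\n\r\n"
    b"GET /orphan.exe HTTP/1.0\r\n\r\n"
)

if __name__ == "__main__":
    for url in urls_from_capture(SAMPLE):
        print(url)
```

Any URL recovered this way still needs its publisher and file signature checked before the download is run.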