In the packet capture framework Moloch, there are a large variety of keywords you can use to grep through packets, such as http.uri. An http.uri query would look something like this:
http.uri == "misc.php?v=4112&js=js" That's a powerful tool, but what if you wanted to just see all packets with an URI in the last hour? http.uri and other search fields require a boolean, (==, >=) and then a search string. The simple way to change the functionality of the search is just to wildcard the search string.
http.uri == * will show you all the packets that contain an URI in the timeframe specified. Easy way to expand the functionality of the search when you're not sure exactly what you're searching for.
Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.