How to collect TCP and decode HTTP information in C code?
I previously hacked on the code of driftnet, tcpflow, pcap, etc.
tcpflow can rebuild dumps, i.e. tcpdump output. A "typical" workflow can be:
$ tcpdump -nn -i eth0 -w dump.raw
# dump dum dump
$ mkdir tmp && cd tmp
tmp/$ tcpflow -r ../dump.raw
# This joins the transfers into separate files
# Now one can investigate each transfer from those separate files
# Next join them into one:
tmp/$ cat * > ../dump.flow
tmp/$ cd ..
# Extract some data
$ foremost -i dump.flow
Trust me, you can find helpful lines in the source code for these.
Also: HTTP parser library: HTTP Parser
The easiest way to do this is to download the opencap file or open it. After that, right-click any packet and go to "follow tcp stream"... you will see your HTTP details in the opened window.
If you want to create a program from scratch:
The pcap file structure for a TCP transaction looks something like this:
[pcap_file_header]
for each packet:
[pcap_packet_header] - this contains the length info of the packet
[ip_header] - usually 20 bytes or more
[tcp_header] - usually 20 bytes or more
[packet data] - length stored in the pcap packet header
Now, to read the information, first open the pcap file into a stream pointer.
Read the packet file header (google for the different structure types).
Run a loop:
for each packet,
read pcap_phdr from the file or stream, then add the IP header length and the TCP header length as an offset,
for example pointer = pointer + 20 (for IP) + 20 (for TCP). The
pointer should then point to your data, so just read pcap_phdr.caplen bytes and print them character by character.
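The from-scratch walk described above, as an added example in C that is not from the original answers: it parses the pcap global header and per-record headers, skips the link-layer, IP and TCP headers using their real lengths (IHL and data offset rather than a fixed 20) and pulls the HTTP request line out of the TCP payload. It assumes linktype 1 (Ethernet), so a 14-byte Ethernet header sits before the IP header, that the capture's byte order matches the host, and it builds its own constructed single-packet capture rather than reading a real file; the bounds checks on caplen are there so a truncated or hostile capture cannot make the parser read past the buffer.

```c
#include <stdint.h>
#include <string.h>
/* pcap global header (24 bytes) and per-record header (16 bytes); fields in file byte order */
struct pcap_hdr { uint32_t magic; uint16_t ver_major, ver_minor; int32_t thiszone;
                  uint32_t sigfigs, snaplen, linktype; };
struct rec_hdr  { uint32_t ts_sec, ts_usec, caplen, len; };

/* Walk a pcap buffer captured on Ethernet (linktype 1): count TCP payloads that start with an
 * HTTP request method and copy the first request line into `first`. Returns -1 on a malformed
 * or truncated file. Assumes the capture's byte order matches the host (magic 0xa1b2c3d4). */
static int http_requests(const unsigned char *buf, size_t n, char *first, size_t flen) {
    struct pcap_hdr gh; struct rec_hdr rh; size_t off = sizeof gh; int found = 0;
    if (n < sizeof gh) return -1;
    memcpy(&gh, buf, sizeof gh);
    if (gh.magic != 0xa1b2c3d4 || gh.linktype != 1) return -1;
    while (off + sizeof rh <= n) {
        memcpy(&rh, buf + off, sizeof rh); off += sizeof rh;
        if (rh.caplen > n - off) return -1;              /* record claims more bytes than remain */
        const unsigned char *p = buf + off; size_t rem = rh.caplen; off += rh.caplen;
        if (rem < 34 || ((p[12] << 8) | p[13]) != 0x0800) continue;   /* Ethernet + IPv4 only */
        p += 14; rem -= 14;
        size_t ihl = (p[0] & 0x0f) * 4;                  /* IP header length from IHL */
        if ((p[0] >> 4) != 4 || ihl < 20 || rem < ihl + 20 || p[9] != 6) continue;  /* TCP only */
        p += ihl; rem -= ihl;
        size_t doff = (p[12] >> 4) * 4;                  /* TCP header length from data offset */
        if (doff < 20 || rem < doff) continue;
        p += doff; rem -= doff;                          /* p now points at the TCP payload */
        if (rem < 4 || (memcmp(p, "GET ", 4) && memcmp(p, "POST", 4) && memcmp(p, "HEAD", 4))) continue;
        if (found++ == 0) { size_t i = 0;                /* keep the first request line, bounded by flen */
            for (; i < rem && i + 1 < flen && p[i] != '\r' && p[i] != '\n'; i++) first[i] = (char)p[i];
            first[i] = '\0';
        }
    }
    return found;
}
/* Constructed sample (not a real capture): one Ethernet/IPv4/TCP frame carrying an HTTP GET. */
static size_t build_sample(unsigned char *out) {
    static const char req[] = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n";
    uint32_t plen = sizeof req - 1, caplen = 14 + 20 + 20 + plen;
    struct pcap_hdr gh = {0xa1b2c3d4, 2, 4, 0, 0, 65535, 1};
    struct rec_hdr rh = {0, 0, caplen, caplen};
    memcpy(out, &gh, sizeof gh); memcpy(out + 24, &rh, sizeof rh);
    memset(out + 40, 0, 54);                 /* Ethernet(14) + IPv4(20) + TCP(20), zero-filled */
    out[40 + 12] = 0x08;                     /* EtherType 0x0800 = IPv4 */
    out[54] = 0x45; out[54 + 9] = 6;         /* IPv4, IHL 5, protocol 6 = TCP */
    out[74 + 12] = 0x50;                     /* TCP data offset 5 words = 20 bytes */
    memcpy(out + 94, req, plen);
    return 94 + plen;
}
```

To use it on a real capture, read the whole file into a buffer and call http_requests on it; the record headers carry the true caplen, so the payload length is caplen minus the three header lengths, not caplen itself.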