How to capture HTTP packet with SharpPcap

I would like to capture all incoming HTTP packets of my machine. To do that I'm using SharpPcap which is a WinPcap wrapper.

SharpPcap works very well but it captures TCP packets and this is too low level to do what I want. Does anyone know how I can easily get full HTTP requests/responses from all these TCP packets?

Thanks

Michael Alves Avatar asked Dec 07 '09 23:12



1 Answer

SharpPcap is already able to capture packets in the same manner that Wireshark does (just in code rather than a GUI). And you can either parse them directly or you can dump them to the drive in the common .pcap file format.

The steps to parse a capture are:

  • Pick an interface
  • Open a connection in promiscuous mode
  • Start capture either using a while loop or an event callback
  • Parse the raw packet to the type that you want

If you're reading .pcap dump files the process is almost the same except you call an offline capture reader, don't need to pick an interface, and don't need to set promiscuous mode. All of the standard filters that Wireshark, tcpdump, and most other Pcap frameworks use are supported in SharpPcap. For a reference to these check the tcpdump man page.

Currently there is no support for parsing HTTP directly but parsing TCP packets is really easy.

When you receive the raw packet (non parsed) do this:

// Packet.Net: pull the TCP layer out of the raw captured frame, whatever encapsulates it
TCPPacket packet = TCPPacket.GetEncapsulated(rawPacket);

The Packet.Net (a separate and included component of SharpPcap) parser is capable of pulling out the TCP portion directly even if the communication is encapsulated by VPN, PPPoE, or PPP.

Once you have the TCPPacket parsed just grab packet.PayloadBytes for the payload in a byte array that should contain the HTTP header in raw bytes that can be converted to the proper text format (I'm not really sure if HTTP headers use UTF-8 or ASCII encoding on that level). There should be plenty of freely available tools/libraries to parse HTTP headers.


To extract the HTTP packet from TCP:

You need to collect the tcp packets of the connection as they come in and if the data is fragmented (greater than 1500 bytes) you need to re-assemble the parts in memory. To discover which parts go in what order you need to carefully track the sequence/acknowledgement numbers.

This is a non-trivial thing to accomplish with SharpPcap because you're working with a much lower part of the stack and re-assembling the connection manually.

Wireshark has an interesting article on how to accomplish this in C.

As of right now, SharpPcap doesn't support TCP payload parsing.


If you're looking for easy-to-follow examples of how to use SharpPcap, download the source tree and look at the example projects included. There is also a tutorial for SharpPcap on CodeProject.

If you have more questions and/or you want to make any feature requests to the project, feel free to post on the SourceForge project. It is far from dead and continues to be under active development.

Note: Chris Morgan is the project lead and I'm one of the developers for SharpPcap/Packet.Net.

Update: The tutorial project on CodeProject is now up-to-date to match the current API.

Evan Plaice Avatar answered Sep 25 '22 09:09

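The reassembly the answer describes, worked through as an added example in C# (not code from the answer or from the SharpPcap project): a one-direction TCP stream reassembler keyed on sequence numbers, fed here with constructed segments. It assumes the caller supplies each segment's sequence number and payload bytes from the parsed TCP packet (the answer's packet.PayloadBytes).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
// One direction of a TCP connection, reassembled by sequence number so the HTTP
// message can be read as a contiguous byte stream (sequence wraparound ignored).
public sealed class TcpStreamReassembler
{
    private readonly SortedDictionary<uint, byte[]> _pending = new SortedDictionary<uint, byte[]>();
    private readonly List<byte> _stream = new List<byte>();
    private uint? _nextSeq; // sequence number of the next in-order byte
    // Call with the TCP sequence number and the payload bytes (packet.PayloadBytes in the answer's API).
    public void AddSegment(uint seq, byte[] payload)
    {
        if (payload.Length == 0) return;      // pure ACK / handshake segments carry no data
        if (_nextSeq == null) _nextSeq = seq; // first data segment anchors the stream
        if (!_pending.ContainsKey(seq)) _pending[seq] = payload;
        // Drain every buffered segment that is now contiguous with the stream.
        while (_pending.Count > 0 && _pending.First().Key <= _nextSeq.Value)
        {
            var head = _pending.First();
            _pending.Remove(head.Key);
            int skip = (int)(_nextSeq.Value - head.Key); // bytes already seen (retransmit/overlap)
            if (skip >= head.Value.Length) continue;    // whole segment is a duplicate
            _stream.AddRange(head.Value.Skip(skip));
            _nextSeq += (uint)(head.Value.Length - skip);
        }
    }
    // The HTTP header block once its CRLFCRLF terminator is contiguous; null while a gap remains.
    public string HttpHeaderBlock()
    {
        string text = Encoding.ASCII.GetString(_stream.ToArray());
        int end = text.IndexOf("\r\n\r\n", StringComparison.Ordinal);
        return end < 0 ? null : text.Substring(0, end);
    }
    public static void Main()
    {
        // Constructed sample: a GET split into three segments arriving out of order, one retransmitted.
        byte[] a = Encoding.ASCII.GetBytes("GET /index.html HTTP/1.1\r\n");
        byte[] b = Encoding.ASCII.GetBytes("Host: example.com\r\n");
        byte[] c = Encoding.ASCII.GetBytes("Connection: close\r\n\r\n");
        var r = new TcpStreamReassembler(); uint isn = 1000;
        r.AddSegment(isn, a);
        r.AddSegment(isn + (uint)(a.Length + b.Length), c); // arrives before b: gap, nothing emitted
        Console.WriteLine(r.HttpHeaderBlock() ?? "(headers incomplete)");
        r.AddSegment(isn + (uint)a.Length, b);              // fills the gap, c drains with it
        r.AddSegment(isn + (uint)a.Length, b);              // retransmit: dropped as duplicate
        Console.WriteLine(r.HttpHeaderBlock());
    }
}
```

A real capture needs one reassembler per direction of each connection (keyed on the address/port 4-tuple), and Content-Length or chunked framing to know where the body ends.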