Reconstructing data from PCAP sniff

I am trying to sniff HTTP data through libpcap and get all the http contents (header+payload) after processing the TCP payload.

As per my discussion at Writing an http sniffer (or any other application level sniffer), I am facing problems due to fragmentation: I need to reconstruct the whole stream (or defragment it) to get a complete HTTP packet, and this is where I need some help.

Thanks in anticipation!

348 likes
Ishi asked May 26 '10 20:05

2 Answers

It's really pretty simple. Just take the Ethernet frames that you get from pcap and extract the IP packets from them, reassembling any that were fragmented. Then, reorder the TCP segments from the IP packets, according to the sequence numbers, paying attention that you discard any duplicate data. Then, process the stream as an HTTP stream. Of course, HTTP doesn't come in packets; it is an application layer protocol, but I'm sure this will be obvious once you've done all this other work. Pay attention as you do all these things to checksum the IP headers and TCP segments, to ensure that your data is correct. Also, if pcap happens to miss any packets, make sure you deal with this appropriately.

To help you along, the Linux TCP stack should provide a concise reference to this process as it occurs in the kernel.

139 likes
WhirlWind answered Oct 03 '22 15:10


Rather than reassemble the streams yourself, you can use tcptrace to reassemble the pcap file. I believe -e will do it.

Once you have the application-layer data in one piece, you can apply simple HTTP header parsing, perhaps from a library such as http://github.com/ry/http-parser

22 likes
Joe Koberg answered Oct 03 '22 16:10
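The following is an added example that is not part of this thread and is not code from either answer, tcptrace, or http-parser. It walks through the steps the first answer lists (pull the IPv4 packet out of the Ethernet frame, verify the IP and TCP checksums, order TCP segments by sequence number, drop duplicate bytes, notice when data is still missing because pcap dropped a packet) and then applies the kind of minimal HTTP header parse the second answer suggests, written by hand here instead of using a library. Everything it consumes is constructed in the block: the frames are built by `build_frame` from a small POST request, delivered out of order, once as a duplicate and once with a corrupted byte. IP fragment reassembly, which the first answer also mentions, is deliberately left out; fragmented packets are rejected and counted rather than reassembled. The addresses, ports and request contents are made-up values.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; verifying a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(seq: int, payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame (constructed test input, made-up addresses)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)          # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp

def parse_frame(frame: bytes):
    """Return (src, dst, sport, dport, seq, payload) for a checksum-valid, unfragmented TCP/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]                                  # strip Ethernet trailer padding
    if len(ip) < ihl + 20 or checksum(ip[:ihl]) != 0 or ip[9] != 6:
        return None                                      # bad IP checksum or not TCP
    if struct.unpack("!H", ip[6:8])[0] & 0x3FFF:         # MF flag or fragment offset set
        return None                                      # IP fragment: not reassembled in this example
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:]
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    if checksum(pseudo + tcp) != 0:
        return None                                      # bad TCP checksum: corrupted segment
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, seq, tcp[doff:]

class StreamReassembler:
    """Orders one direction of a TCP stream by sequence number, dropping bytes already seen."""
    def __init__(self, isn: int):
        self.next_seq = isn          # sequence number of the next byte we still need
        self.pending = {}            # seq -> payload, held until the bytes before it arrive
        self.data = bytearray()
        self.duplicates = 0

    def add(self, seq: int, payload: bytes) -> None:
        if not payload:
            return                   # pure ACK, nothing to reassemble
        if seq + len(payload) <= self.next_seq:
            self.duplicates += 1     # retransmission of data we already have
            return
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload
        self._drain()

    def _drain(self) -> None:
        while self.pending:
            seq = min(self.pending)
            if seq > self.next_seq:
                break                # hole in the stream: wait (or report pcap loss)
            fresh = self.pending.pop(seq)[self.next_seq - seq:]   # trim overlapping prefix
            if not fresh:
                self.duplicates += 1
            self.data += fresh
            self.next_seq += len(fresh)

    def has_gap(self) -> bool:
        return bool(self.pending)    # data queued behind bytes that never arrived

def parse_http_request(stream: bytes):
    """Split a reassembled stream into (request line, headers, body); None while incomplete."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = stream[:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = stream[end + 4:]
    length = int(headers.get("content-length", "0"))
    if len(body) < length:
        return None                  # body still arriving
    return lines[0], headers, body[:length]

ISN = 1000
REQUEST = (b"POST /login HTTP/1.1\r\n" b"Host: example.test\r\n"
           b"Content-Length: 10\r\n\r\n" b"user=alice")   # constructed request

def demo() -> dict:
    """Deliver the request out of order, with a duplicate and a corrupted copy, and reassemble it."""
    cuts = [0, 20, 45, len(REQUEST)]
    chunks = [(ISN + cuts[i], REQUEST[cuts[i]:cuts[i + 1]]) for i in range(3)]
    frames = [build_frame(*chunks[2]), build_frame(*chunks[0]),
              build_frame(*chunks[0]), build_frame(*chunks[1])]
    bad = bytearray(build_frame(*chunks[1]))
    bad[-1] ^= 0xFF                  # simulate corruption caught by the TCP checksum
    frames.append(bytes(bad))
    asm, rejected = StreamReassembler(ISN), 0
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            rejected += 1
            continue
        asm.add(parsed[4], parsed[5])
    return {"stream": bytes(asm.data), "duplicates": asm.duplicates, "rejected": rejected,
            "gap": asm.has_gap(), "request": parse_http_request(bytes(asm.data))}

if __name__ == "__main__":
    print(demo())
```

Only one direction of the connection is modelled; a real capture needs one reassembler per (src, dst, sport, dport) tuple and direction, keyed on the values `parse_frame` returns. When `has_gap()` stays true after the capture ends, the missing bytes were lost before libpcap saw them and the HTTP parse should be reported as incomplete rather than silently skipping the hole.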