tcpdump mailing list archives
Re: Retrieving payload
From: Peter Moody <peter () ucsc edu>
Date: 15 Jul 2003 10:13:09 -0700
On Tue, 2003-07-15 at 02:03, Justin Robinson wrote:
I'm using the pcap library to write the code, and I was under the impression that you could retrieve the payload from the captured packets?
You can, I've done something similar. What I had to do was look at some of the print-*.c code and the linux layer7 filtering patch (a 2.5 patch). The way I understand it is like this: you've essentially got some semi-arbitrary length section of memory, the first 14 bytes is the ethernet header, the next 20 bytes is the ip header, and the next 20 bytes is the tcp header. After that, you've got the tcp data (well, according to the tcp/ip illustrated manual, you've got options if any and then the data). So when your handler is given a complete packet by pcap_loop, assuming it's a tcp packet, you've got to jump ahead at least 54 bytes, and then look to see if what you've got is an http packet.

I had a problem printing that information for a while, since the packets often contained '\0' characters, so you obviously just can't pass packet[54] to printf (). But it isn't too hard, using the length field from the pcap_pkthdr to string those characters out.

-Peter
-- 
Peter Moody <peter () ucsc edu> Information Security Administrator 831/459.5409
Communications and Technology Services. http://mustard.ucsc.edu/pubkey
UC, Santa Cruz.
:wq
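The offset walk Peter describes above, as an added example that is not part of the original thread and not code from tcpdump or libpcap. Rather than jumping a fixed 54 bytes, it reads the IP header length (IHL) and the TCP data offset so that IP and TCP options are skipped correctly, bounds every step against the capture length (the caplen field of pcap_pkthdr), and renders the payload with non-printable bytes escaped so an embedded '\0' does not truncate the output. The frame is constructed inline for the example (an IPv4 header with a 4-byte option and a TCP header with 12 bytes of options, so the payload actually starts at byte 70, not 54; checksums are left as zero and are not verified). In a real pcap_loop callback you would call tcp_payload(bytes, h->caplen, &n) on the bytes pcap hands you.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN       14
#define ETHERTYPE_IPV4 0x0800
#define PROTO_TCP      6

/* Constructed sample frame (not a real capture): Ethernet + IPv4 with a
 * 4-byte NOP option (IHL=6) + TCP with 12 bytes of options (data offset 8)
 * + 18 bytes of payload that contains an embedded NUL. Checksums are zero. */
static const unsigned char sample_frame[] = {
    /* Ethernet: dst, src, ethertype 0x0800 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/IHL=0x46, TOS, total length 74, ID, flags/frag, TTL, proto 6, csum */
    0x46,0x00, 0x00,0x4a, 0x00,0x00, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,   /* 10.0.0.1 -> 10.0.0.2 */
    0x01,0x01,0x01,0x01,                        /* IP options: 4 x NOP */
    /* TCP: sport 49152, dport 80, seq, ack, doff=8 (0x80), flags PSH|ACK, win, csum, urg */
    0xc0,0x00, 0x00,0x50, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x80,0x18, 0xff,0xff, 0x00,0x00, 0x00,0x00,
    0x01,0x01,0x08,0x0a, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02, /* NOP NOP timestamp */
    /* payload: "GET / HTTP/1.0\r\n", then a NUL byte, then 'X' */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n', 0x00, 'X'
};

/* Locate the TCP payload inside a captured Ethernet frame of caplen bytes.
 * Returns a pointer into pkt and stores the payload length in *plen, or NULL
 * if the frame is not IPv4/TCP or the headers do not fit in the capture. */
static const unsigned char *tcp_payload(const unsigned char *pkt, size_t caplen, size_t *plen)
{
    if (caplen < ETH_HLEN + 20) return NULL;
    unsigned ethertype = ((unsigned)pkt[12] << 8) | pkt[13];
    if (ethertype != ETHERTYPE_IPV4) return NULL;
    const unsigned char *ip = pkt + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return NULL;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;          /* IP header length incl. options */
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];     /* IP total length from the header */
    if (ihl < 20 || ip_total < ihl + 20 || ETH_HLEN + ihl + 20 > caplen) return NULL;
    if (ip[9] != PROTO_TCP) return NULL;
    const unsigned char *tcp = ip + ihl;
    size_t thl = (size_t)(tcp[12] >> 4) * 4;            /* TCP header length incl. options */
    if (thl < 20 || ihl + thl > ip_total || ETH_HLEN + ihl + thl > caplen) return NULL;
    size_t end = ETH_HLEN + ip_total;
    if (end > caplen) end = caplen;   /* snaplen truncated the packet: clamp, never read past the buffer */
    *plen = end - (ETH_HLEN + ihl + thl);
    return tcp + thl;
}

/* Cheap "does this look like HTTP" check on the first bytes of the payload. */
static int is_http(const unsigned char *p, size_t n)
{
    static const char *const prefixes[] = { "GET ", "POST ", "HEAD ", "PUT ", "HTTP/" };
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        size_t k = strlen(prefixes[i]);
        if (n >= k && memcmp(p, prefixes[i], k) == 0) return 1;
    }
    return 0;
}

/* Render n payload bytes as printable text, escaping anything else as \xNN,
 * so an embedded NUL does not cut the output short the way printf("%s") would.
 * Returns the number of characters written (excluding the terminating NUL). */
static size_t escape_payload(const unsigned char *p, size_t n, char *out, size_t outsz)
{
    size_t w = 0;
    for (size_t i = 0; i < n && w + 5 < outsz; i++) {
        if (p[i] >= 0x20 && p[i] < 0x7f) out[w++] = (char)p[i];
        else w += (size_t)snprintf(out + w, outsz - w, "\\x%02x", p[i]);
    }
    out[w] = '\0';
    return w;
}

/* Wrappers over the constructed frame so the results are easy to check. */
static long sample_payload_offset(size_t caplen)
{
    size_t n = 0;
    const unsigned char *p = tcp_payload(sample_frame, caplen, &n);
    return p ? (long)(p - sample_frame) : -1;
}
static long sample_payload_len(size_t caplen)
{
    size_t n = 0;
    return tcp_payload(sample_frame, caplen, &n) ? (long)n : -1;
}
static int sample_escaped_matches(const char *expected)
{
    size_t n = 0;
    const unsigned char *p = tcp_payload(sample_frame, sizeof sample_frame, &n);
    char buf[128];
    if (!p) return 0;
    escape_payload(p, n, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    size_t n = 0;
    const unsigned char *p = tcp_payload(sample_frame, sizeof sample_frame, &n);
    if (!p) { puts("not an IPv4/TCP packet"); return 1; }
    char out[128];
    escape_payload(p, n, out, sizeof out);
    printf("payload at offset %ld, %zu bytes, http=%d: %s\n",
           (long)(p - sample_frame), n, is_http(p, n), out);
    return 0;
}
```

The two length checks matter in opposite directions: a bogus or truncated IP total length must not lead you past caplen, and a snaplen smaller than the packet must not make you treat garbage beyond the buffer as payload. Handing the payload length to the escaping routine (or to fwrite) is what lets the '\0' bytes through.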
Current thread:
- Retrieving payload Justin Robinson (Jul 14)
- Re: Retrieving payload Yuchung Cheng (Jul 15)
- Re: Retrieving payload Justin Robinson (Jul 15)
- Re: Retrieving payload Peter Moody (Jul 15)
- Re: Retrieving payload Justin Robinson (Jul 15)
- Re: Retrieving payload Yuchung Cheng (Jul 15)