tcpdump mailing list archives

Re: Retrieving payload


From: Peter Moody <peter () ucsc edu>
Date: 15 Jul 2003 10:13:09 -0700

On Tue, 2003-07-15 at 02:03, Justin Robinson wrote:
I'm using the pcap library to write the code, and I was under the impression 
that you could retrieve the payload from the captured packets?


You can, I've done something similar.

What I had to do was look at some of the print-*.c code and the linux
layer7 filtering patch (a 2.5 patch).

The way I understand it is like this: you've essentially got some
semi-arbitrary length section of memory, the first 14 bytes is the
ethernet header, the next 20 bytes is the ip header, and the next 20
bytes is the tcp header.  After that, you've got the tcp data (well,
according to the tcp/ip illustrated manual, you've got options if any
and then the data).  So when your handler is given a complete packet by
pcap_loop, assuming it's a tcp packet, you've got to jump ahead at least 54
bytes, and then look to see if what you've got is an http packet.

I had a problem printing that information for a while, since the packets
often contained '\0' characters, so you obviously just can't pass
packet[54] to printf ().  But it isn't too hard, using the length
field from the pcap_pkthdr to string those characters out.

-Peter

-- 
Peter Moody                             <peter () ucsc edu>
Information Security Administrator      831/459.5409
Communications and Technology Services. http://mustard.ucsc.edu/pubkey
UC, Santa Cruz.
:wq
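
Editor's note: the post above is right that the payload sits after the Ethernet, IP and TCP headers, but 54 is only a minimum. The IP header length comes from the IHL nibble and the TCP header length from the data-offset nibble (TCP options such as MSS are common in SYN segments), the Ethernet type should be checked for IPv4 before assuming the IP header is there, and every read has to be bounded by the bytes pcap actually handed over (`caplen` in `struct pcap_pkthdr`), since a short snaplen truncates packets and small frames carry Ethernet padding past the IP total length. The following is an added example written for this page, not code from the post or from tcpdump/libpcap. The function names `tcp_payload`, `is_http_request` and `escape_payload`, and the `sample_frame` byte array, are constructed here for illustration; the frame is a hand-built TCP segment with an MSS option and a NUL byte in the payload, so a fixed 54-byte skip would land inside the option. No libpcap headers are needed, so it compiles stand-alone; in a real handler you would pass `h->caplen` and the packet pointer that `pcap_loop` gives you.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14

/* Constructed sample frame (not a real capture): Ethernet + IPv4 (no options)
 * + TCP with a 4-byte MSS option (data offset 6 = 24 bytes) + 18 payload bytes. */
static const unsigned char sample_frame[] = {
    /* Ethernet: dst MAC, src MAC, EtherType 0x0800 (IPv4) */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/IHL 0x45, TOS, total length 62, id, flags/frag (DF), TTL 64,
     * protocol 6 (TCP), checksum (unset), src 10.0.0.1, dst 10.0.0.2 */
    0x45,0x00, 0x00,0x3e, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    /* TCP: sport 40000, dport 80, seq, ack, data offset 6 + PSH|ACK, window,
     * checksum (unset), urgent pointer */
    0x9c,0x40, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,
    0x60,0x18, 0xff,0xff, 0x00,0x00, 0x00,0x00,
    /* TCP option: MSS 1460 (kind 2, length 4) -- the bytes a fixed 54-byte skip would misread as payload */
    0x02,0x04,0x05,0xb4,
    /* payload: "GET / HTTP/1.0\r\n" followed by a NUL and one more byte */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n',0x00,'X',
};

/* Locate the TCP payload inside a captured Ethernet frame.
 * caplen is the number of bytes actually captured (pcap_pkthdr.caplen).
 * Returns 0 and sets *data/*len on success, -1 if the frame is not IPv4/TCP
 * or the headers are not completely present in the captured bytes. */
int tcp_payload(const unsigned char *pkt, size_t caplen,
                const unsigned char **data, size_t *len)
{
    if (caplen < ETH_HLEN) return -1;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return -1;     /* not IPv4 */

    const unsigned char *ip = pkt + ETH_HLEN;
    size_t avail = caplen - ETH_HLEN;
    if (avail < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                /* header length incl. IP options */
    if (ihl < 20 || ihl > avail) return -1;
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];         /* excludes Ethernet padding */
    if (ip_total < ihl) return -1;
    if (ip_total > avail) ip_total = avail;                 /* snaplen truncated the packet */
    if (ip[9] != 6) return -1;                              /* not TCP */
    if (((size_t)(ip[6] & 0x1f) << 8 | ip[7]) != 0) return -1; /* non-first fragment: no TCP header */

    const unsigned char *tcp = ip + ihl;
    size_t tcp_avail = ip_total - ihl;
    if (tcp_avail < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;               /* header length incl. TCP options */
    if (doff < 20 || doff > tcp_avail) return -1;

    *data = tcp + doff;
    *len = tcp_avail - doff;
    return 0;
}

/* Cheap check for an HTTP request line at the start of a TCP payload. */
int is_http_request(const unsigned char *p, size_t len)
{
    static const char *methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t m = strlen(methods[i]);
        if (len >= m && memcmp(p, methods[i], m) == 0) return 1;
    }
    return 0;
}

/* Render payload bytes for printing without relying on a terminating NUL:
 * printable ASCII is copied, everything else becomes \xNN. Returns the
 * number of characters written (output is always NUL-terminated). */
size_t escape_payload(const unsigned char *p, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = p[i];
        if (c >= 0x20 && c < 0x7f) {
            if (o + 1 >= outsz) break;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz) break;
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", c);
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    const unsigned char *data;
    size_t n;
    char buf[128];
    if (tcp_payload(sample_frame, sizeof sample_frame, &data, &n) != 0) {
        puts("not an IPv4/TCP frame with complete headers");
        return 1;
    }
    escape_payload(data, n, buf, sizeof buf);
    printf("%zu payload bytes at offset %ld, http=%d: %s\n",
           n, (long)(data - sample_frame), is_http_request(data, n), buf);
    return 0;
}
```

Passing `caplen = 54` for this frame makes `tcp_payload` fail rather than return the option bytes as data, and a larger but still truncated `caplen` shortens the returned length instead of reading past the buffer, which is the behaviour you want in a handler fed by an untrusted network.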
