Re: reconstruct HTTP requests in custom sniffer

[Andrej van der Zee <andrejvanderzee () gmail com>]

Hi Cedric,


> Support for TCP segmentation as well as new parsers that use this
> feature should be pushed before end of week. Concerning the capture of
> POST messages we should probably start working on this in february (this
> is a small company so no schedule is ever definitive, so no promise).

I guess we just have to wait awhile then and see how things develop. We are
a small company too, and the projects concerning POST re-assembly need some
time to take off. After TCP segmentation is pushed, I will make some time to
get a first feel of junkie.


> > In some of our projects, we are only interested in the length of HTTP
> > requests and responses therefor reassembling the whole requests would be
> > overkill, as the segment lengths can be read from the TCP headers of
> packets
> > in a TCP stream, obviously.
>
> Yes, in theory we could follow the sizes associated with each request quite
> precisely even with truncated packets as long as the "Content-length"
> header lines are present.


Another way is too follow the TCP stream and summarize the payload lengths
in the TCP headers instead of using HTTP headers, ignoring retransmitted
packets.


> To be honest, truncated packets were
> introduced very recently and were not tested much (since we do not
> require this feature), thus I'm not certain junkie is very robust in this
> regard ; but I'm going to check.

Nice test-case for us would be to check if one could get the HTTP
request/response lengths as described above.

Cheers,
Andrej
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.