On Tue, 2003-07-15 at 02:03, Justin Robinson wrote:
> I'm using the pcap library to write the code, and I was under the impression
> that you could retrieve the payload from the captured packets?
>

You can, I've done something similar. What I had to do was look at some of the print-*.c code and the linux layer7 filtering patch (a 2.5 patch). The way I understand it is like this: you've essentially got some semi-arbitrary length section of memory, the first 14 bytes is the ethernet header, the next 20 bytes is the ip header, and the next 20 bytes is the tcp header. After that, you've got the tcp data (well, according to the tcp/ip illustrated manual, you've got options if any and then the data). So when your handler is given a complete packet by pcap_loop, assuming it's a tcp packet, you've got to jump ahead at least 54 bytes, and then look to see if what you've got is an http packet.

I had a problem printing that information for a while, since the packets often contained '\0' characters, so you obviously just can't pass packet[54] to printf (). But it isn't too hard, using the length field from the pcap_pkthdr to string those characters out.

-Peter
--
Peter Moody <[EMAIL PROTECTED]>
Information Security Administrator          831/459.5409
Communications and Technology Services.     http://mustard.ucsc.edu/pubkey
UC, Santa Cruz.
:wq
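An added example (not from the thread above) of the header walk Peter describes, operating on the raw frame buffer a pcap_loop() callback receives: instead of assuming a fixed 54-byte offset, it reads the IP header length and TCP data offset so options are skipped, bounds-checks every field against the captured length, and prints the payload with fwrite() so embedded '\0' bytes do not truncate it. The frame bytes are constructed for the example rather than taken from a capture, and no libpcap is needed to run it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Find the TCP payload in a raw Ethernet frame as pcap_loop() delivers it.
 * Header sizes come from the IP IHL and TCP data-offset fields, so options
 * are skipped; every offset is checked against caplen before it is used.
 * Returns a pointer into pkt and sets *plen, or returns NULL. */
const uint8_t *tcp_payload(const uint8_t *pkt, size_t caplen, size_t *plen)
{
    const size_t eth_len = 14;
    if (caplen < eth_len + 20 + 20) return NULL;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return NULL;      /* EtherType IPv4 */
    const uint8_t *ip = pkt + eth_len;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                   /* header words -> bytes */
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return NULL;
    if (ip_total < ihl + 20 || eth_len + ip_total > caplen) return NULL;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;                  /* data offset -> bytes */
    if (doff < 20 || ihl + doff > ip_total) return NULL;
    *plen = ip_total - ihl - doff;
    return tcp + doff;
}

/* Constructed sample frame (not a real capture): Ethernet, IPv4 without
 * options, TCP with 12 bytes of options (data offset 8), then 19 payload
 * bytes including a '\0' that would truncate printf("%s"). */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x47, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00,     /* total len 71, proto 6 */
    192,0,2,1, 192,0,2,2,
    0x9c,0x40, 0x00,0x50, 0,0,0,1, 0,0,0,1, 0x80,0x18, 0xff,0xff, 0,0, 0,0, /* doff=8 */
    0x01,0x01,0x08,0x0a, 0,0,0,1, 0,0,0,2,                                  /* NOP,NOP,TS */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n', 0x00,'A','B',
};

int main(void)
{
    size_t n;
    const uint8_t *p = tcp_payload(sample_frame, sizeof sample_frame, &n);
    if (!p) { puts("not IPv4/TCP or truncated"); return 1; }
    /* fwrite with the length survives embedded NULs; crude HTTP check on the first bytes */
    printf("%s request, %zu bytes: ", memcmp(p, "GET ", 4) == 0 ? "HTTP" : "non-HTTP", n);
    fwrite(p, 1, n, stdout);
    putchar('\n');
    return 0;
}
```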
