
How to parse TCP packet payload

I'm using pcap to capture TCP packets for which I would like to parse the payload. My strategy is as follows:

  1. Get the ethernet header and check if it has type ETHERTYPE_IP (IP packet)
  2. Check if the IP packet has protocol IPPROTO_TCP (TCP packet)
  3. Check for payload size > 0 (size = ntohs(ip_header->total_length) - ip_header->header_length*4 - sizeof(struct tcp_header)).
  4. Parse the payload (grab the host URL)

I haven't begun parsing the payload yet because I am getting discrepancies. Below is a printout of the payload of 10 captured TCP packets, using filter "host = www.google.com".

packet number: 3 : TCP Packet: Source Port: 80 Dest Port: 58723 No Data in packet

packet number: 4 : TCP Packet: Source Port: 58723 Dest Port: 80 No Data in packet

packet number: 5 : TCP Packet: Source Port: 58723 Dest Port: 80 Payload: GET / HTTP/1.1 Host: www.google.com User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-us) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us Accept-Encoding: gzip, deflate Cookie: THICNT=25; SID=DQAAAKIAAAB2ktMrEftADifGm05WkZmlHQsiy1Z2v- Connection: keep-alive

packet number: 6 : TCP Packet: Source Port: 80 Dest Port: 58723 No Data in packet

packet number: 7 : TCP Packet: Source Port: 80 Dest Port: 58723 Payload: \272نu\243\255\375\375}\336H\221\227\206\312~\322\317N\236\255A\343#\226\370֤\245[\327`\306ըnE\263\204\313\356\3268 )p\344\301_Y\255\267\240\222x\364

packet number: 8 : TCP Packet: Source Port: 58723 Dest Port: 80 No Data in packet

packet number: 9 : TCP Packet: Source Port: 80 Dest Port: 58723 Payload: HTTP/1.1 200 OK Date: Mon, 29 Nov 2010 10:11:36 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Content-Encoding: gzip Server: gws Content-Length: 8806 X-XSS-Protection: 1; mode=block \213

Why is there a discrepancy in the payloads and the ports? Ideally I would like to only parse packets like packet 5. How do I ignore packets like 7 and 9?
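The packets in the printout are two directions of one HTTP exchange: packets 5 and 8 come from the client (source port 58723, destination port 80) and carry the request, while 7 and 9 come from the server (source port 80) and carry the gzip-compressed response, which is why their bodies look like binary garbage. The added example below (not the asker's code, and not tied to any particular pcap program) shows how to locate the TCP payload using the header-length fields (IHL and data offset, so IP and TCP options are skipped), how to ignore Ethernet padding on short ACK frames, and how to keep only client requests by checking for an HTTP method and a Host header. It parses a constructed frame built in memory so it runs without libpcap; with libpcap, `parse_tcp` would be called from the `pcap_loop` callback with the packet bytes and the captured length.

```c
/* Added example: locate the TCP payload in a raw Ethernet/IPv4 frame and
 * pull the HTTP Host header out of client requests only. Frames are
 * constructed in memory (example data, not a real capture). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN 14
#define ETHERTYPE_IPV4 0x0800
#define IPPROTO_TCP_NUM 6

struct tcp_view {
    uint16_t src_port, dst_port;
    const uint8_t *payload;
    size_t payload_len;
};

/* Returns 1 and fills *v when the frame is IPv4/TCP with all headers inside
 * caplen; otherwise 0. Lengths come from the headers themselves: ntohs() is
 * applied to the 16-bit field (read here byte-wise), IHL covers IP options,
 * data offset covers TCP options, and total_length (not caplen) bounds the
 * payload so Ethernet padding on short frames is never mistaken for data. */
static int parse_tcp(const uint8_t *pkt, size_t caplen, struct tcp_view *v)
{
    if (caplen < ETH_HLEN + 20) return 0;
    if ((uint16_t)(pkt[12] << 8 | pkt[13]) != ETHERTYPE_IPV4) return 0;
    const uint8_t *ip = pkt + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return 0;
    size_t ihl = (ip[0] & 0x0f) * 4;
    size_t total_len = (size_t)(ip[2] << 8 | ip[3]);
    if (ihl < 20 || total_len < ihl || ETH_HLEN + total_len > caplen) return 0;
    if (ip[9] != IPPROTO_TCP_NUM) return 0;
    if (((ip[6] & 0x1f) << 8 | ip[7]) != 0) return 0;   /* non-first fragment */
    const uint8_t *tcp = ip + ihl;
    if (total_len - ihl < 20) return 0;
    size_t doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || total_len - ihl < doff) return 0;
    v->src_port = (uint16_t)(tcp[0] << 8 | tcp[1]);
    v->dst_port = (uint16_t)(tcp[2] << 8 | tcp[3]);
    v->payload = tcp + doff;
    v->payload_len = total_len - ihl - doff;
    return 1;
}

/* Copies the "Host:" value into host (NUL-terminated, bounded) when the
 * payload begins an HTTP request line; returns its length or 0. Responses
 * start with "HTTP/" and are skipped, which removes packets like 7 and 9. */
static size_t extract_host(const uint8_t *p, size_t n, char *host, size_t hostsz)
{
    static const char *methods[] = { "GET ", "POST ", "HEAD ", "PUT " };
    int is_request = 0;
    for (size_t i = 0; i < sizeof methods / sizeof *methods; i++) {
        size_t m = strlen(methods[i]);
        if (n >= m && memcmp(p, methods[i], m) == 0) { is_request = 1; break; }
    }
    if (!is_request || hostsz == 0) return 0;
    const char key[] = "Host:";                 /* case-sensitive for brevity */
    size_t klen = sizeof key - 1;
    for (size_t i = 1; i + klen <= n; i++) {
        if (p[i - 1] != '\n' || memcmp(p + i, key, klen) != 0) continue;
        size_t j = i + klen;
        while (j < n && (p[j] == ' ' || p[j] == '\t')) j++;
        size_t k = j;
        while (k < n && p[k] != '\r' && p[k] != '\n') k++;
        size_t len = k - j;
        if (len + 1 > hostsz) len = hostsz - 1;
        memcpy(host, p + j, len);
        host[len] = '\0';
        return len;
    }
    return 0;
}

/* Builds a constructed IPv4/TCP frame around payload, plus pad trailing
 * bytes the way short Ethernet frames are padded. Returns the frame length. */
static size_t build_frame(uint8_t *buf, size_t bufsz, uint16_t sport,
                          uint16_t dport, const char *payload, size_t pad)
{
    size_t plen = strlen(payload), total = 40 + plen;
    if (ETH_HLEN + total + pad > bufsz) return 0;
    memset(buf, 0, ETH_HLEN + total + pad);
    buf[12] = 0x08; buf[13] = 0x00;                       /* IPv4 */
    uint8_t *ip = buf + ETH_HLEN, *tcp = ip + 20;
    ip[0] = 0x45; ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[6] = 0x40; ip[8] = 64; ip[9] = IPPROTO_TCP_NUM;    /* DF, TTL, TCP */
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = plen ? 0x18 : 0x10;         /* doff 5; PSH|ACK / ACK */
    memcpy(tcp + 20, payload, plen);
    return ETH_HLEN + total + pad;
}

/* Payload length parse_tcp reports for a padded, data-less ACK (expected 0). */
static size_t padded_ack_payload_len(void)
{
    uint8_t f[128]; struct tcp_view v;
    size_t n = build_frame(f, sizeof f, 58723, 80, "", 6);
    return parse_tcp(f, n, &v) ? v.payload_len : (size_t)-1;
}

/* Feeds a request and a gzip response through the filter; returns how many
 * frames yielded a Host header and leaves the last host in host_out. */
static int demo(char *host_out, size_t hostsz)
{
    const struct { uint16_t s, d; const char *p; } cases[] = {
        { 58723, 80, "GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: keep-alive\r\n\r\n" },
        { 80, 58723, "HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n\x1f\x8b\x08" },
    };
    uint8_t f[256]; struct tcp_view v; int hits = 0;
    if (hostsz) host_out[0] = '\0';
    for (size_t i = 0; i < 2; i++) {
        size_t n = build_frame(f, sizeof f, cases[i].s, cases[i].d, cases[i].p, 0);
        if (parse_tcp(f, n, &v) && v.dst_port == 80 &&
            extract_host(v.payload, v.payload_len, host_out, hostsz)) hits++;
    }
    return hits;
}

int main(void)
{
    char host[256];
    int n = demo(host, sizeof host);
    printf("padded ACK payload: %zu bytes; request frames with Host: %d (%s)\n",
           padded_ack_payload_len(), n, host);
    return 0;
}
```

The direction check (`dst_port == 80`) plus the request-line check is what separates packet 5 from 7 and 9; in a real capture the request can also be split across several segments or carry TCP options, which is why the data offset must be read rather than assuming `sizeof(struct tcp_header)`.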