<div>You might also want to assemble the TCP stream.</div>
<div>You can do that using the source/dest IP addresses and ports,</div>
<div>and hold a list of all connections.</div>
<div>&nbsp;</div>
<div>I think you can also use libnids for that.<br><br>&nbsp;</div>
<div><span class="gmail_quote">On 4/19/06, <b class="gmail_sendername">Ramiro Polla</b> &lt;<a href="mailto:ramiro86@hotmail.com">ramiro86@hotmail.com</a>&gt; wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hello,<br><br>First you must remember that the string you're looking for might be divided<br>between packets, because winpcap does not reconstruct streams.
<br><br>After you have a packet (probably with pcap_next_ex), look at the examples<br>in winpcap's documentation that show how to get the TCP or UDP information,<br>and pass that data to a function that searches what you're looking for. If
<br>the string is found, capture it.<br><br>That function might be something like:<br><br>#include &lt;string.h&gt;<br><br>/* Returns TRUE if the search string occurs anywhere in data[0..len). */<br>int look_for_string( char* data, int len )<br>{<br>int i;<br>char search_string[] = &quot;look for this string&quot;;<br>int slen = sizeof(search_string) - 1; /* exclude the terminating NUL */<br>if( len &lt; slen )
<br>return FALSE;<br>for( i = 0 ; i &lt;= ( len - slen ) ; i++ )<br>{<br>/* memcmp, not strcmp: packet data is not NUL-terminated */<br>if( !memcmp( data+i, search_string, slen ) )<br>&nbsp;&nbsp;return TRUE;<br>}<br>return FALSE;<br>}<br><br>&gt;From: joe kibz &lt;<a href="mailto:chikabanga2005@yahoo.com">
chikabanga2005@yahoo.com</a>&gt;<br>&gt;Reply-To: <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>&gt;To: <a href="mailto:winpcap-users@winpcap.org">winpcap-users@winpcap.org</a><br>&gt;Subject: [Winpcap-users] Re: filtering traffic using payload contents
<br>&gt;Date: Wed, 19 Apr 2006 06:59:02 -0700 (PDT)<br>&gt;<br>&gt;Hi, I gotta problem;<br>&gt;<br>&gt;&nbsp;&nbsp; My application needs to:<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; - capture traffic<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; - look for given string in payload contents*
<br>&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; - capture packets that have given string in payload<br>&gt;<br>&gt;&nbsp;&nbsp; My question is how do you -** look for given string in payload<br>&gt;contents** ?<br>
&gt;<br>&gt;<br>&gt;&nbsp;&nbsp; joe<br>&gt;<br>&gt;<br><br>&gt;_______________________________________________
<br>&gt;Winpcap-users mailing list<br>&gt;<a href="mailto:Winpcap-users@winpcap.org">Winpcap-users@winpcap.org</a><br>&gt;<a href="https://www.winpcap.org/mailman/listinfo/winpcap-users">https://www.winpcap.org/mailman/listinfo/winpcap-users
</a><br></blockquote></div><br>
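<div>Added example, not part of the original thread and not WinPcap or libnids code: a per-connection search that still finds the string when it is divided between packets, by keeping a list of connections keyed on source/dest IP addresses and ports and carrying the last few payload bytes of each. The names <code>struct key</code>, <code>get_conn</code> and <code>feed_segment</code> are hypothetical, and it assumes payloads are fed in order with no retransmissions or gaps (full reassembly by sequence number is what a library such as libnids provides).</div>

```c
#include <stdint.h>
#include <string.h>
#define MAX_CONNS 64
#define MAX_PAT   64   /* longest search string supported */

/* One direction of a TCP connection: source/dest IP addresses and ports. */
struct key { uint32_t sip, dip; uint16_t sport, dport; };   /* 12 bytes, no padding */
struct conn {
    struct key k;
    int used, tail_len;
    unsigned char tail[MAX_PAT];   /* last strlen(pat)-1 payload bytes seen */
};
static struct conn conns[MAX_CONNS];   /* the list of all connections */

static struct conn *get_conn(struct key k) {
    struct conn *spare = NULL;
    for (int i = 0; i < MAX_CONNS; i++) {
        struct conn *c = &conns[i];
        if (c->used && !memcmp(&c->k, &k, sizeof k)) return c;
        if (!c->used && !spare) spare = c;
    }
    if (spare) *spare = (struct conn){ .k = k, .used = 1 };   /* new connection */
    return spare;   /* NULL when the table is full */
}

static int find(const unsigned char *h, int hlen, const char *pat, int plen) {
    for (int i = 0; i + plen <= hlen; i++)
        if (!memcmp(h + i, pat, plen)) return 1;
    return 0;
}

/* Feed one in-order payload segment. Returns 1 if pat occurs in it or
   straddles the boundary with earlier segments of the same connection. */
int feed_segment(struct key k, const unsigned char *data, int len, const char *pat) {
    int plen = (int)strlen(pat), keep = plen - 1;
    struct conn *c = get_conn(k);
    if (!c || plen < 1 || plen > MAX_PAT || len < 0) return 0;
    unsigned char edge[2 * MAX_PAT];
    int head = len < keep ? len : keep;
    memcpy(edge, c->tail, c->tail_len);   /* old tail + start of new data */
    memcpy(edge + c->tail_len, data, head);
    int total = c->tail_len + head;
    int found = find(edge, total, pat, plen) || find(data, len, pat, plen);
    int drop = total > keep ? total - keep : 0;
    /* Remember the last keep bytes of the stream for the next segment. */
    const unsigned char *src = len >= keep ? data + len - keep : edge + drop;
    c->tail_len = len >= keep ? keep : total - drop;
    memmove(c->tail, src, c->tail_len);
    return found;
}
```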