[Winpcap-users] Re: filtering traffic using payload contents

shauli.rozen at gmail.com
Wed Apr 19 16:38:39 GMT 2006


You might also want to assemble the TCP stream. You can do that using the
source/dest IP addresses and ports, and hold a list of all connections.

I think you can also use libnids for that.


On 4/19/06, Ramiro Polla <ramiro86 at hotmail.com> wrote:
>
> Hello,
>
> First you must remember that the string you're looking for might be divided
> between packets, because winpcap does not reconstruct streams.
>
> After you have a packet (probably with pcap_next_ex), look at the examples
> in winpcap's documentation that show how to get the TCP or UDP information,
> and pass that data to a function that searches what you're looking for. If
> the string is found, capture it.
>
> That function might be something like:
>
> #include <string.h>
>
> #define TRUE  1
> #define FALSE 0
>
> /* Search a raw payload buffer (not NUL-terminated) for a fixed string. */
> int look_for_string( const char* data, int len )
> {
>     int i;
>     const char search_string[] = "look for this string";
>     /* length of the text itself, without the terminating NUL */
>     int search_len = (int)( sizeof(search_string) - 1 );
>     if( len < search_len )
>         return FALSE;
>     for( i = 0 ; i <= len - search_len ; i++ )
>     {
>         /* memcmp, not strcmp: payload bytes carry no terminating NUL */
>         if( !memcmp( data + i, search_string, search_len ) )
>             return TRUE;
>     }
>     return FALSE;
> }
>
> >From: joe kibz <chikabanga2005 at yahoo.com>
> >Reply-To: winpcap-users at winpcap.org
> >To: winpcap-users at winpcap.org
> >Subject: [Winpcap-users] Re: filtering traffic using payload contents
> >Date: Wed, 19 Apr 2006 06:59:02 -0700 (PDT)
> >
> >Hi, I gotta problem;
> >
> >   My application needs to:
> >     -capture traffic
> >     -look for given string in payload contents
> >     -capture packets that have given string in payload
> >
> >   My question is how do you "look for given string in payload contents"?
> >
> >
> >   joe
> >
>
>
> >_______________________________________________
> >Winpcap-users mailing list
> >Winpcap-users at winpcap.org
> >https://www.winpcap.org/mailman/listinfo/winpcap-users
>
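An added example (not code from this thread or from WinPcap) of what the two replies above amount to in C: track each connection by its address/port 4-tuple, and carry the last bytes of the previous segment over to the next one so a string that winpcap delivers split across two packets is still found. It assumes segments of a flow are handed in sequence order (it does no reordering or retransmission handling, which is what libnids adds); the flow table size, the sample pattern and the function names are constructed for the example.

```c
#include <string.h>
#include <stdint.h>
#define MAX_FLOWS  16
#define MAX_SEG    1500                    /* one Ethernet-sized segment */
#define NEEDLE     "look for this string"  /* constructed sample pattern */
#define NEEDLE_LEN ((int)sizeof(NEEDLE) - 1)

/* One direction of a TCP connection, keyed by its address/port 4-tuple.
   tail[] keeps the last NEEDLE_LEN-1 payload bytes of the previous
   segment so a pattern split across two packets is still found. */
struct flow {
    uint32_t src_ip, dst_ip; uint16_t src_port, dst_port;
    int used, tail_len; char tail[NEEDLE_LEN - 1];
};
static struct flow flows[MAX_FLOWS];
static struct flow *lookup_flow(uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp)
{
    int i;
    for (i = 0; i < MAX_FLOWS; i++) {
        struct flow *f = &flows[i];
        if (!f->used) {               /* slots fill in order: a new flow */
            f->used = 1; f->tail_len = 0;
            f->src_ip = sip; f->dst_ip = dip; f->src_port = sp; f->dst_port = dp;
            return f;
        }
        if (f->src_ip == sip && f->dst_ip == dip &&
            f->src_port == sp && f->dst_port == dp)
            return f;
    }
    return NULL;                      /* table full: flow is not tracked */
}
/* Feed one in-sequence TCP payload segment of a flow; returns 1 if NEEDLE
   occurs in the carried-over tail plus this segment, 0 otherwise. */
int scan_segment(uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp,
                 const char *data, int len)
{
    char buf[NEEDLE_LEN - 1 + MAX_SEG];
    int i, n, found = 0;
    struct flow *f = lookup_flow(sip, dip, sp, dp);
    if (!f || len < 0 || len > MAX_SEG) return 0;
    memcpy(buf, f->tail, f->tail_len);       /* old tail, then new payload */
    memcpy(buf + f->tail_len, data, len);
    n = f->tail_len + len;
    for (i = 0; i + NEEDLE_LEN <= n; i++)    /* memcmp: payload is not NUL-terminated */
        if (!memcmp(buf + i, NEEDLE, NEEDLE_LEN)) { found = 1; break; }
    f->tail_len = n < NEEDLE_LEN - 1 ? n : NEEDLE_LEN - 1;
    memcpy(f->tail, buf + n - f->tail_len, f->tail_len);  /* carry over */
    return found;
}
```

In a real capture loop the 4-tuple and payload pointer come from the IP and TCP headers of each packet returned by pcap_next_ex, and flows would need to be expired when the connection closes.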