[Winpcap-users] Re: filtering traffic using payload contents

Chris Boebel cboebel at gmail.com
Mon Apr 24 21:28:39 GMT 2006


What are you looking for, exactly? If it's the same protocol each time, that
would help matters.

Chris


On 4/19/06, shauli.rozen at gmail.com <shauli.rozen at gmail.com> wrote:
>
> You might also want to assemble the TCP stream.
> You can do that using the source/dest IP addresses and ports,
> and hold a list of all connections.
>
> I think you can also use libnids for that.
>
>
> On 4/19/06, Ramiro Polla <ramiro86 at hotmail.com> wrote:
> >
> > Hello,
> >
> > First you must remember that the string you're looking for might be
> > divided between packets, because winpcap does not reconstruct streams.
> >
> > After you have a packet (probably with pcap_next_ex), look at the
> > examples in winpcap's documentation that show how to get the TCP or UDP
> > information, and pass that data to a function that searches for what
> > you're looking for. If the string is found, capture it.
> >
> > That function might be something like:
> >
> > #include <string.h>   /* memcmp, strlen */
> >
> > #ifndef TRUE
> > #define TRUE  1
> > #define FALSE 0
> > #endif
> >
> > /* Return TRUE if search_string occurs anywhere in the len bytes at data.
> >    memcmp is used instead of strcmp because a packet payload is raw
> >    bytes and is not NUL-terminated. */
> > int look_for_string( const char* data, int len )
> > {
> >     int i;
> >     const char search_string[] = "look for this string";
> >     int slen = (int)( sizeof(search_string) - 1 );  /* exclude the NUL */
> >     if( len < slen )
> >         return FALSE;
> >     for( i = 0 ; i <= ( len - slen ) ; i++ )
> >     {
> >         if( !memcmp( data+i, search_string, slen ) )
> >             return TRUE;
> >     }
> >     return FALSE;
> > }
> >
> > >From: joe kibz <chikabanga2005 at yahoo.com>
> > >Reply-To: winpcap-users at winpcap.org
> > >To: winpcap-users at winpcap.org
> > >Subject: [Winpcap-users] Re: filtering traffic using payload contents
> > >Date: Wed, 19 Apr 2006 06:59:02 -0700 (PDT)
> > >
> > >Hi, I gotta problem;
> > >
> > >   My application needs to:
> > >     - capture traffic
> > >     - look for a given string in payload contents
> > >     - capture packets that have the given string in payload
> > >
> > >   My question is how do you "look for a given string in payload
> > >contents"?
> > >
> > >
> > >   joe
> > >
> > >
> >
> >
> > >_______________________________________________
> > >Winpcap-users mailing list
> > > Winpcap-users at winpcap.org
> > >https://www.winpcap.org/mailman/listinfo/winpcap-users
> >
>
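The thread's main caveat is that WinPcap hands over individual packets, so a
search string can be cut in two by a packet boundary, and the per-packet
search sketched by Ramiro will miss it. The following added example (not
code from the thread or from WinPcap) shows one way to handle that: a matcher
that carries the last pattern-length-minus-one bytes of the previous payload
and checks the seam before searching the new payload. It assumes the caller
feeds the TCP payloads of one connection in order (after sorting packets by
source/destination address and port, as suggested above); extracting the
payload from the captured frame is left to the usual WinPcap header-parsing
code from the documentation. The segments, pattern and function names are
constructed for the demo.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the thread. Hypothetical matcher that remembers the
 * trailing bytes of earlier packets so a string split across packets is still
 * found. Caller must feed payloads of ONE flow, in order. */

#define MAX_PATTERN 64

typedef struct {
    const unsigned char *pattern;
    size_t plen;
    unsigned char tail[MAX_PATTERN]; /* last plen-1 bytes seen so far */
    size_t tail_len;
} stream_matcher;

/* Returns 1 on success, 0 if the pattern is empty or longer than MAX_PATTERN. */
int matcher_init(stream_matcher *m, const char *pattern)
{
    size_t n = strlen(pattern);
    if (n == 0 || n > MAX_PATTERN)
        return 0;
    m->pattern = (const unsigned char *)pattern;
    m->plen = n;
    m->tail_len = 0;
    return 1;
}

/* Search one buffer. memcmp, not strcmp: payloads are raw bytes without a NUL. */
int find_in_buffer(const unsigned char *data, size_t len,
                   const unsigned char *pat, size_t plen)
{
    size_t i;
    if (plen == 0 || len < plen)
        return 0;
    for (i = 0; i + plen <= len; i++)
        if (memcmp(data + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* Feed the next payload. Returns 1 if the pattern occurs inside it or across
 * the boundary with bytes carried over from earlier payloads. */
int matcher_feed(stream_matcher *m, const unsigned char *payload, size_t len)
{
    unsigned char seam[2 * MAX_PATTERN];
    size_t keep = m->plen - 1;  /* max bytes of a straddling match on either side */
    int found = 0;

    /* 1. Seam: carried tail + first plen-1 bytes of this payload. Each part
     *    alone is shorter than the pattern, so a hit here truly straddles. */
    if (m->tail_len > 0) {
        size_t head = len < keep ? len : keep;
        memcpy(seam, m->tail, m->tail_len);
        memcpy(seam + m->tail_len, payload, head);
        if (find_in_buffer(seam, m->tail_len + head, m->pattern, m->plen))
            found = 1;
    }

    /* 2. The payload on its own. */
    if (!found && find_in_buffer(payload, len, m->pattern, m->plen))
        found = 1;

    /* 3. Carry over the last plen-1 bytes of (tail || payload). */
    if (len >= keep) {
        memcpy(m->tail, payload + len - keep, keep);
        m->tail_len = keep;
    } else {
        size_t from_old = keep - len;
        if (from_old > m->tail_len)
            from_old = m->tail_len;
        memmove(m->tail, m->tail + m->tail_len - from_old, from_old);
        memcpy(m->tail + from_old, payload, len);
        m->tail_len = from_old + len;
    }
    return found;
}

/* Constructed demo data: the search string is cut in two by a segment boundary. */
static const unsigned char seg1[] = "GET /x HTTP/1.1\r\nlook for";
static const unsigned char seg2[] = " this string\r\n";
static const char *needle = "look for this string";

/* Per-packet search, as in the thread's first sketch: returns 0 (missed). */
int demo_per_packet(void)
{
    const unsigned char *p = (const unsigned char *)needle;
    size_t n = strlen(needle);
    return find_in_buffer(seg1, sizeof seg1 - 1, p, n)
        || find_in_buffer(seg2, sizeof seg2 - 1, p, n);
}

/* Stream-aware search over the same two segments: returns 1 (found). */
int demo_stream(void)
{
    stream_matcher m;
    int hit;
    if (!matcher_init(&m, needle))
        return -1;
    hit = matcher_feed(&m, seg1, sizeof seg1 - 1);
    hit |= matcher_feed(&m, seg2, sizeof seg2 - 1);
    return hit;
}
```

The carried tail is bounded by the pattern length, so per-flow state stays
small; the remaining cost of doing this properly is the connection table that
shauli mentions (or libnids, which reassembles streams for you), plus handling
of retransmissions and out-of-order segments, which this sketch does not
attempt.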