[Winpcap-users] Which Packets Carry HTTP Info?

David Chang dchang at fsautomation.com
Fri Feb 19 10:29:18 PST 2010


Joe,

Assuming your HTTP packets use the standard port (80), you should just be 
able to use a filter such as "tcp port 80" with pcap_compile() and 
pcap_setfilter().

Here's an example from the winpcap documentation: 
http://www.winpcap.org/docs/docs_411/html/group__wpcap__tut5.html

Once you get the packet, you need to re-assemble it.  That is, it could 
arrive out of sequence so you need to decode the TCP header to reassemble 
the data into the proper HTTP stream.  In order to do that, you need to 
decode the IP header.  See: 
http://www.networksorcery.com/enp/protocol/ip.htm.  Lastly, there is an 
ethernet header as well (usually 14 bytes).  Here's some C struct info that 
I use...

/*
** Ethernet header (static size: 14 bytes)
**
** FOR DOCUMENTATION PURPOSES ONLY -- DO NOT USE IN CODE
**
*/
struct sniff_ethernet_hdr
{
        u_char ether_dhost[6];  /* dest Ethernet address */
        u_char ether_shost[6];  /* source Ethernet address */
        u_char ether_type[2];   /* protocol (16-bit) */
};

/*
** IPv4 header
**
** FOR DOCUMENTATION PURPOSES ONLY -- DO NOT USE IN CODE
**
*/
struct sniff_ipv4_hdr
{
        u_char ip_hl;           /* version (4-bit), header length (4-bit) */
        u_char ip_tos;          /* type of service */
        u_char ip_len[2];       /* total length (16-bit) */
        u_char ip_id[2];        /* identification (16-bit) */
        u_char ip_off[2];       /* flags (3-bit), fragment offset (13-bit) */
        u_char ip_ttl;          /* time to live */
        u_char ip_p;            /* protocol */
        u_char ip_sum[2];       /* checksum (16-bit) */
        u_char ip_src[4];       /* source address (32-bit) */
        u_char ip_dst[4];       /* destination address (32-bit) */
};

/*
**  TCP header
**
** FOR DOCUMENTATION PURPOSES ONLY -- DO NOT USE IN CODE
**
*/
struct sniff_tcp_hdr
{
        u_char th_sport[2];     /* source port (16-bit) */
        u_char th_dport[2];     /* destination port (16-bit) */
        u_char th_seq[4];       /* sequence number (32-bit) */
        u_char th_ack[4];       /* acknowledgement number (32-bit) */
        u_char th_off;          /* data offset (4-bit) + 4 bits unused */
        u_char th_flags;        /* 2 bits unused + 6-bit control flags */
        u_char th_win[2];       /* window (16-bit) */
        u_char th_sum[2];       /* checksum (16-bit) */
        u_char th_urp[2];       /* urgent pointer (16-bit) */
};

DC

----- Original Message ----- 
From: "Joe Merchant" <joemerchant at gmail.com>
To: <winpcap-users at winpcap.org>
Sent: Friday, February 19, 2010 7:16 AM
Subject: [Winpcap-users] Which Packets Carry HTTP Info?


> I've been reviewing packet info, winpcap, and other related stuff.
> I'm overloaded and a bit confused.
> I need to sniff all http traffic. If a user visits a web page, I need
> to sniff that page's html.
> I've got something very basic that works on one windows xp computer.
> I need it to work on windows xp,vista, win7.
> I need it to work if a user is on a network, a wireless connection, a
> home broadband connection.  Basically, if a user visits a web page on
> their pc, I need that page's details.
> That being said, from sample code I've reviewed on the net, I've seen
> all types of packet types (tcp, pdp, 802.11, ARP, etc.).  The sample I
> have running is getting http details from tcp packets.  Enter my
> confusion.  Do certain packet types carry http details?  So do I have
> to check for valid http packets within 802.11 packets, arp packets,
> etc?  At first I thought it was only tcp packets but the more I read,
> the more I'm confused.

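An added worked example (not from this thread or the WinPcap project) of the decoding step David describes: walk the Ethernet, IPv4 and TCP headers, honouring the IPv4 header length and the TCP data offset, to reach the payload of a port 80 segment, with every offset checked against the captured length so a truncated or malformed frame is rejected instead of read past its end. The sample frame is constructed inline with zero checksums; TCP stream reassembly for out-of-order segments is not shown here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct tcp_view { uint16_t sport, dport; uint32_t seq; const uint8_t *payload; size_t payload_len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Walk Ethernet -> IPv4 -> TCP and locate the payload. Returns 1 and fills *v on success.
 * Every header length is checked against caplen, so a truncated or malformed
 * capture cannot make the caller read past the bytes pcap actually delivered. */
int parse_tcp_frame(const uint8_t *frame, size_t caplen, struct tcp_view *v)
{
    if (caplen < 14 || rd16(frame + 12) != 0x0800) return 0;   /* EtherType must be IPv4 */
    const uint8_t *ip = frame + 14;
    size_t avail = caplen - 14;
    if (avail < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                    /* IP header length, options included */
    size_t ip_total = rd16(ip + 2);
    if (ihl < 20 || ip_total < ihl || ip_total > avail) return 0;
    if (ip[9] != 6 || (rd16(ip + 6) & 0x1fff) != 0) return 0;  /* TCP only; skip non-first fragments */
    const uint8_t *tcp = ip + ihl;
    size_t tcp_avail = ip_total - ihl;
    if (tcp_avail < 20) return 0;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;                   /* TCP header length, options included */
    if (doff < 20 || doff > tcp_avail) return 0;
    v->sport = rd16(tcp); v->dport = rd16(tcp + 2); v->seq = rd32(tcp + 4);
    v->payload = tcp + doff; v->payload_len = tcp_avail - doff;
    return 1;
}

/* Returns the payload length when the frame is a port-80 segment that starts
 * like an HTTP request line, or -1 otherwise. */
long http_payload_len(const uint8_t *frame, size_t caplen)
{
    struct tcp_view v;
    if (!parse_tcp_frame(frame, caplen, &v) || (v.dport != 80 && v.sport != 80)) return -1;
    if (v.payload_len < 4 || (memcmp(v.payload, "GET ", 4) && memcmp(v.payload, "POST", 4))) return -1;
    return (long)v.payload_len;
}

/* Constructed sample: Ethernet + 20-byte IPv4 + 20-byte TCP (dst port 80) + "GET / HTTP/1.1\r\n".
 * Checksums are left as zero; this parser does not verify them. */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x38, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, 192,168,1,10, 93,184,216,34,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','1','\r','\n' };
const size_t sample_frame_len = sizeof sample_frame;
```

A capture delivered with a snaplen shorter than the IP total length is rejected here; a production sniffer would instead clamp to caplen and note the truncation.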