What direction should I go in(libraries, documents)?
UPDATE
Can someone illustrate how to use winpcap to do the job?
UPDATE 2
How do I verify whether a packet is an HTTP one?
Can you illustrate how to use it to achieve my goal?
Gtker
2010-05-04 04:17:40
A:
You may want to look at the source code of tcpdump to see how it works. tcpdump is a Linux command-line utility that monitors and prints network activity. You need root access to the machine to use it, though.
Joey Adams
2010-04-24 04:41:07
@Runner: If you're interested in Windows-only solutions, you can add a [windows] tag.
Roger Pate
2010-04-24 05:05:25
+1
A:
It may sound like overkill but the Web proxy/cache server Squid does exactly that. A few years ago my company used it and I had to tweak the code locally to provide some special warnings when certain URLs were accessed so I know it can do what you want. You just need to find the code you want and pull it out for your project. I used version 2.X and I see they're up to 3.X now but I suspect that aspect of the code hasn't changed much internally.
You didn't say if windows is a 'requirement' or a 'preference' but according to the site: http://www.squid-cache.org/ they can do both.
Hotei
2010-05-03 17:37:49
+4
A:
If by "hijack" you meant sniff the packets then what you should do to do it with WinPcap is the following:
Find the device you want to use - See WinPcap tutorial.
Open a device using
pcap_open// Open the device char errorBuffer[PCAP_ERRBUF_SIZE]; pcap_t *pcapDescriptor = pcap_open(source, // name of the device snapshotLength, // portion of the packet to capture // 65536 guarantees that the whole packet will be captured on all the link layers attributes, // 0 for no flags, 1 for promiscuous readTimeout, // read timeout NULL, // authentication on the remote machine errorBuffer); // error bufferUse a function that reads packets from the descriptor like
pcap_loopint result = pcap_loop(pcapDescriptor, count, functionPointer, NULL);This will loop until something wrong has happened or the loop was broken using a special method call. It will call the functionPointer for each packet.
In the function pointed implement something that parses the packets, it should look like a
pcap_handler:typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *, const u_char *);Now all you have left is to parse the packets that their buffer is in the
const u_char*and their length is in thepcap_pkthdrstructurecaplenfield.Assuming you have HTTP GET over TCP over IPv4 over Ethernet packets, you can:
- Skip 14 bytes of the Ethernet header.
- Skip 20 bytes of the IPv4 header (assuming there are no IPv4 options, if you suspect that IPv4 options are possible, you can read the 5-8 bits of the IPv4 header, multiply that by 4 and this would be the number of bytes the IPv4 header takes).
- Skip 20 bytes of the TCP header (assuming there are no TCP options, if you suspect that TCP options are possible, you can read the 96-99 bits of the TCP header, multiply that by 4 and this would be the number of bytes the TCP header takes).
The rest of the packet should be the HTTP text. The text between the first and second space should be the URI. If it's too long you might need to do some TCP reconstruction, but most URIs are small enough to fit in one packet.
UPDATE: In code this would look like that (I wrote it without testing it):
int tcp_len, url_length; uchar *url, *end_url, *final_url, *tcp_payload; ... /* code in http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__tut6.html */ /* retireve the position of the tcp header */ ip_len = (ih->ver_ihl & 0xf) * 4; /* retireve the position of the tcp payload */ tcp_len = (((uchar*)ih)[ip_len + 12] >> 4) * 4; tcpPayload = (uchar*)ih + ip_len + tcp_len; /* start of url - skip "GET " */ url = tcpPayload + 4; /* length of url - lookfor space */ end_url = strchr((char*)url, ' '); url_length = end_url - url; /* copy the url to a null terminated c string */ final_url = (uchar*)malloc(url_length + 1); strncpy((char*)final_url, (char*)url, url_length); final_url[url_length] = '\0';
You can also filter only HTTP traffic by using creating and setting a BPF. See WinPcap tutorial. You should probably use the filter "tcp and dst port 80" which would only give you the request your computer sends to the server.
If you don't mind using C#, you can try using Pcap.Net, which would do all that for you much more easily, including the parsing of Ethernet, IPv4 and TCP parts of the packet.
brickner
2010-05-04 20:26:34
Is it possible to automate the step 1 ? It seems the tutorial requires to specify one device manually.
Gtker
2010-05-04 20:29:34
Of course, you still have to choose one or simply do it for all the devices.Many times you will only have one device, so you can simply choose the first one. You can also automate the choice by using their properties (like their IP). See another part of the WinPcap tutorial:http://www.winpcap.org/docs/docs_411/html/group__wpcap__tut2.html
brickner
2010-05-04 20:39:29
@brickner,can you also elaborate how to verify whether a packet is an HTTP packet within `pcap_handler`?
Gtker
2010-05-05 17:05:27
The best way is first to verify the port.In order to filter requests (like HTTP GET) you should make sure the destination port is 80. This can easily be done using the filter (BPF) I've mentioned before, which also verifies it is TCP over IPv4 packet.If you don't use BPF, you can verify the destination port by looking at the TCP header. The 3rd and 4th Bytes of the TCP header represent the port number.In order to make sure the HTTP request is a GET, you can make sure that the bytes before the first space in the HTTP part (TCP payload) are the bytes that represent "GET" in ASCII encoding.
brickner
2010-05-05 19:36:38
Here is the demo on extract the address part,can you elaborate how to extract url based on this? http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__tut6.html
Gtker
2010-05-06 06:26:12
I've updated the answer with a code example for extracting the URL. I hope this works (I haven't tested it).
brickner
2010-05-06 18:33:13
Seems it's not working? http://stackoverflow.com/questions/2787800/has-anyone-properly-interpreted-http-request-based-on-this-demo-of-winpcap
2010-05-07 12:41:10
Can you write what values you get for the variables in the code when you run it?
brickner
2010-05-07 15:50:41
Note, filtering on tcp port 80 will miss HTTP traffic on non-standard ports (e.g. http://igsrglib03.er.usgs.gov:8080/ ), or HTTP traffic which uses a proxy on common proxy ports like 8080 or 3128. This may or may not be a concern, depending on your reason for capturing this....
Stobor
2010-05-10 23:50:42