tags:

views:

476

answers:

4

What direction should I go in(libraries, documents)?

UPDATE

Can someone illustrate how to use winpcap to do the job?

UPDATE 2

How do I verify whether a packet is an HTTP one?

+1  A: 

try http://www.winpcap.org/

arthurprs
Can you illustrate how to use it to achieve my goal?
Gtker
A: 

You may want to look at the source code of tcpdump to see how it works. tcpdump is a Linux command-line utility that monitors and prints network activity. You need root access to the machine to use it, though.

Joey Adams
Does it also work for windows?
Gtker
@Runner: If you're interested in Windows-only solutions, you can add a [windows] tag.
Roger Pate
Not windows only,but both windows and linux.
Gtker
+1  A: 

It may sound like overkill but the Web proxy/cache server Squid does exactly that. A few years ago my company used it and I had to tweak the code locally to provide some special warnings when certain URLs were accessed so I know it can do what you want. You just need to find the code you want and pull it out for your project. I used version 2.X and I see they're up to 3.X now but I suspect that aspect of the code hasn't changed much internally.

You didn't say if windows is a 'requirement' or a 'preference' but according to the site: http://www.squid-cache.org/ they can do both.

Hotei
No, I want to implement it myself.
Gtker
Don't want to start a flame war but the fact that you just asked someone else how to do it for you in the winpcap comment makes me wonder...
Hotei
+4  A: 

If by "hijack" you meant sniff the packets then what you should do to do it with WinPcap is the following:

  1. Find the device you want to use - See WinPcap tutorial.

  2. Open a device using pcap_open

    // Open the device
    char errorBuffer[PCAP_ERRBUF_SIZE];
    pcap_t *pcapDescriptor = pcap_open(source,                // name of the device
                                       snapshotLength,        // portion of the packet to capture
                                                              // 65536 guarantees that the whole packet will be captured on all the link layers
                                       attributes,            // 0 for no flags, 1 for promiscuous
                                       readTimeout,           // read timeout
                                       NULL,                  // authentication on the remote machine
                                       errorBuffer);          // error buffer
    
  3. Use a function that reads packets from the descriptor like pcap_loop

    int result = pcap_loop(pcapDescriptor, count, functionPointer, NULL);
    

    This will loop until something wrong has happened or the loop was broken using a special method call. It will call the functionPointer for each packet.

  4. In the function pointed implement something that parses the packets, it should look like a pcap_handler:

    typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
             const u_char *);
    
  5. Now all you have left is to parse the packets that their buffer is in the const u_char* and their length is in the pcap_pkthdr structure caplen field.

    Assuming you have HTTP GET over TCP over IPv4 over Ethernet packets, you can:

    • Skip 14 bytes of the Ethernet header.
    • Skip 20 bytes of the IPv4 header (assuming there are no IPv4 options, if you suspect that IPv4 options are possible, you can read the 5-8 bits of the IPv4 header, multiply that by 4 and this would be the number of bytes the IPv4 header takes).
    • Skip 20 bytes of the TCP header (assuming there are no TCP options, if you suspect that TCP options are possible, you can read the 96-99 bits of the TCP header, multiply that by 4 and this would be the number of bytes the TCP header takes).
    • The rest of the packet should be the HTTP text. The text between the first and second space should be the URI. If it's too long you might need to do some TCP reconstruction, but most URIs are small enough to fit in one packet.

      UPDATE: In code this would look like that (I wrote it without testing it):

      int tcp_len, url_length;
      uchar *url, *end_url, *final_url, *tcp_payload;
      
      
      ... /* code in http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__tut6.html */
      
      
      /* retireve the position of the tcp header */
      ip_len = (ih->ver_ihl & 0xf) * 4;
      
      
      /* retireve the position of the tcp payload */
      tcp_len = (((uchar*)ih)[ip_len + 12] >> 4) * 4;
      tcpPayload = (uchar*)ih + ip_len + tcp_len;
      
      
      /* start of url - skip "GET " */
      url = tcpPayload + 4;
      
      
      /* length of url - lookfor space */
      end_url = strchr((char*)url, ' ');
      url_length = end_url - url;
      
      
      /* copy the url to a null terminated c string */
      final_url = (uchar*)malloc(url_length + 1);
      strncpy((char*)final_url, (char*)url, url_length);
      final_url[url_length] = '\0';
      

You can also filter only HTTP traffic by using creating and setting a BPF. See WinPcap tutorial. You should probably use the filter "tcp and dst port 80" which would only give you the request your computer sends to the server.

If you don't mind using C#, you can try using Pcap.Net, which would do all that for you much more easily, including the parsing of Ethernet, IPv4 and TCP parts of the packet.

brickner
Is it possible to automate the step 1 ? It seems the tutorial requires to specify one device manually.
Gtker
Of course, you still have to choose one or simply do it for all the devices.Many times you will only have one device, so you can simply choose the first one. You can also automate the choice by using their properties (like their IP). See another part of the WinPcap tutorial:http://www.winpcap.org/docs/docs_411/html/group__wpcap__tut2.html
brickner
@brickner,can you also elaborate how to verify whether a packet is an HTTP packet within `pcap_handler`?
Gtker
The best way is first to verify the port.In order to filter requests (like HTTP GET) you should make sure the destination port is 80. This can easily be done using the filter (BPF) I've mentioned before, which also verifies it is TCP over IPv4 packet.If you don't use BPF, you can verify the destination port by looking at the TCP header. The 3rd and 4th Bytes of the TCP header represent the port number.In order to make sure the HTTP request is a GET, you can make sure that the bytes before the first space in the HTTP part (TCP payload) are the bytes that represent "GET" in ASCII encoding.
brickner
Here is the demo on extract the address part,can you elaborate how to extract url based on this? http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__tut6.html
Gtker
I've updated the answer with a code example for extracting the URL. I hope this works (I haven't tested it).
brickner
Seems it's not working? http://stackoverflow.com/questions/2787800/has-anyone-properly-interpreted-http-request-based-on-this-demo-of-winpcap
Can you write what values you get for the variables in the code when you run it?
brickner
Note, filtering on tcp port 80 will miss HTTP traffic on non-standard ports (e.g. http://igsrglib03.er.usgs.gov:8080/ ), or HTTP traffic which uses a proxy on common proxy ports like 8080 or 3128. This may or may not be a concern, depending on your reason for capturing this....
Stobor
How can I modify the packets? `winpcap` is read-only...
httpinterpret