ansaurus

Question

How do I modify a HTTP response packet with winpcap?

Answer 1

+1 A:

Decompress it with a GZIP decompresser.
Remove the Content-Encoding header and add a Content-Length header representing the new length in bytes.

That said, for a better answer you'll need to supply more context in the question. This is namely a smell. What is it you're trying to achieve and for which you think that modifying the HTTP response is the right solution?

BalusC 2010-05-10 11:47:44

I'm doing it for interest. Are you sure I don't need to change other header info like checksums in ethernet/tcp/ip/http layers?

httpinterpret 2010-05-10 11:52:05

The HTTP specification doesn't tell anything about headers with checksums. It are apparently custom headers. You should read the HTTP specification for interest as well :)

BalusC 2010-05-10 11:53:16

But there are checksums in tcp/ip layers. I'm afraid the packet will be invalid if I just change the content but not the checksums.

httpinterpret 2010-05-10 11:54:38

Ah, that way. You want to modify a TCP/IP packet which represents part of gzipped HTTP response? No, you cannot do it on a per TCP/IP packet basis. You'll have to buffer all packets representing the entire HTTP response, decompress its body and resend it with the changed headers.

BalusC 2010-05-10 12:18:56

Again, do I need to take care of the checksums mentioned?

httpinterpret 2010-05-10 13:04:28

Yes, certainly if there are already any checksums in the header. You need to recalculate them based on the new packet contents. But as @symcbean mentions: you'll really need to get all the material straight for yourself first. TCP/IP is a network protocol. HTTP is a data transfer protocol.

BalusC 2010-05-10 13:15:30

Whether you need to care about checksums depends on how you are going to implement your solution. How and where will you capture the packets ? Are you making a transparent proxy server, or are you just sniffing packets and intend to send them out again - in which case, how do you stop the original packet ?- you can't really send duplicates to the destination.

nos 2010-05-11 09:45:18

*how do you stop the original packet ?- * I'm also looking for the answer.

httpinterpret 2010-05-13 13:37:19

Answer 2

+3 A:

WinPcap doesn't allow you to change a packet that was already sent.

If the packet was sent, WinPcap won't prevent it from reaching its destination.

If you want to send another response - in addition to the response that was sent - I'm not sure what you're trying to achieve.

brickner 2010-05-14 06:38:58

Answer 3

+1 A:

libpcap is used for capturing. If you want to do modification and injection of network packets you need another library, such as libnet.

Michael Foukarakis 2010-05-19 10:20:09

But seems `libnet` can't be used for packet mangling either.

httpinterpret 2010-05-23 11:29:51

It can 1) do packet injection and 2) complete packet handling (even without automatic constructors). I don't see what else you need, besides some external routine for gzip decompression.

Michael Foukarakis 2010-05-28 13:33:01

Answer 4

+1 A:

winpcap is an odd way to try modifying a TCP stream - you don't explain why you are trying to do this, but you should probably be able to achieve this by writing your own HTTP proxy instead. That way, you get presented with a straight datastream you can intercept, log and modify to your heart's content. Once you do that, strip out Accept-Encoding from the request headers, then you'll never need to deal with gzipped responses in the first place.

There are no HTTP checksums, but the lower layers do have checksums; by operating on the application level as a proxy server, you let the network stack deal with all this for you.

2010-05-20 10:29:54

ansaurus

tags:

views:

answers:

How do I modify a HTTP response packet with winpcap?

related questions