Hi,

As background, I want to be able to, within a capture, access:

  • what is the protocol within the TCP packets, e.g. HTTP? (specifically I'm after filtering on web traffic)
  • what is the length of the HTTP part

Q1 - Does WinPCap support getting this?

Q2 - If no, any recommendations re how to?

thanks

+1  A: 

WinPcap can help you sniff packets.

In order to know the protocol under TCP you can check the TCP ports and assume that if the server's port is one of the standard servers' ports, the standard port's protocol is the protocol under TCP.

In order to see what the TCP port is, you need to parse the TCP, IP (probably IPv4) and the link layer (probably Ethernet) at some level.

The length of the entire HTTP part is the total TCP connection payload. Each HTTP connection is built from requests and responses. Each request and response has a specific length, but you have to parse the HTTP to figure out its specific length. If you want the entire HTTP length you can calculate the entire TCP payload length by looking at each TCP packet's sequence number and length.

brickner
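
The header parsing, port check and length arithmetic described in the answer above, as an added example that is not part of the original post. The function names, the struct and the sample frame are this example's own; it assumes an Ethernet II link layer and unfragmented IPv4, and in a WinPcap program the frame pointer and captured length would come from the capture callback.

```c
#include <stddef.h>
#include <stdint.h>

struct tcp_info { uint16_t src_port, dst_port; uint32_t seq; size_t payload_len; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parse one Ethernet II / IPv4 / TCP frame. Returns 0 on success, -1 if the
 * frame is another protocol, an IP fragment, truncated or malformed. */
int parse_tcp_frame(const uint8_t *f, size_t caplen, struct tcp_info *out)
{
    if (caplen < 14 + 20 || rd16(f + 12) != 0x0800) return -1;  /* EtherType IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;       /* IP header length in bytes */
    size_t total = rd16(ip + 2);                   /* IP header + everything after it */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;  /* protocol 6 = TCP */
    if ((rd16(ip + 6) & 0x3FFF) != 0) return -1;   /* MF flag or offset set: fragment */
    if (total < ihl + 20 || 14 + total > caplen) return -1;  /* never read past the capture */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;      /* TCP header length incl. options */
    if (doff < 20 || ihl + doff > total) return -1;
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->seq = rd32(tcp + 4);
    out->payload_len = total - ihl - doff;  /* from IP total length, so Ethernet padding is excluded */
    return 0;
}

/* Port-based guess only: it says nothing about what the bytes really are. */
const char *guess_protocol(const struct tcp_info *t)
{
    if (t->src_port == 80 || t->dst_port == 80) return "http";
    if (t->src_port == 443 || t->dst_port == 443) return "https";
    return "unknown";
}

/* Payload bytes sent in one direction, from the first data segment's sequence
 * number to the end of the last one. Unsigned arithmetic handles wraparound. */
uint32_t stream_payload_bytes(uint32_t first_seq, uint32_t last_seq, size_t last_len)
{
    return last_seq + (uint32_t)last_len - first_seq;
}

/* Constructed sample frame: 192.0.2.10:49152 -> 192.0.2.20:80, seq 1000, 18 payload bytes. */
const uint8_t SAMPLE_FRAME[] = {
    0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00, 0x45,0x00,0x00,0x3A,0x00,0x01,
    0x40,0x00,0x40,0x06, 0x00,0x00, 0xC0,0x00,0x02,0x0A, 0xC0,0x00,0x02,0x14,
    0xC0,0x00, 0x00,0x50, 0x00,0x00,0x03,0xE8, 0,0,0,0, 0x50,0x18, 0xFF,0xFF, 0,0, 0,0,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','1','\r','\n','\r','\n' };
```

Checksums in the sample frame are left at zero because the parser does not verify them.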