Hi,
Currently, I have used pcap to capture the packets but need a way of filtering traffic by http or ftp. I will also need to to identify the user whom send/receive those packets (virtual hosting).
Any suggestions or resources that would help accomplish this task? Thanks.
Regards,
Supmeth
http://clusty.com/search?query=libpc...Mozilla-search
Can you add "filters" to the search?
If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
If at first you don't succeed, try writing your phone number on the exam paper.
Hi,
I've search filters but the resource I get doesn't seem useful. I have found results for "pcap-filter" but the only filter by type (host, networks, port, etc.), direction (destination, source) and protocol (tcp, udp, fddi, etc.).
I have thought about filtering by port 80 for http traffic but this isn't the best way as apache might be set to listen on other ports also. Also ftp uses port 21 for control and 20 for data (or random in passive mode).
So I need a way of filtering packets for certain applications regardless of port number. I just don't know where begin and need some guidence. Thanks.
Hi,
I've search filters but the resource I get doesn't seem useful. I have found results for "pcap-filter" but the only filter by type (host, networks, port, etc.), direction (destination, source) and protocol (tcp, udp, fddi, etc.).
I have thought about filtering by port 80 for http traffic but this isn't the best way as apache might be set to listen on other ports also. Also ftp uses port 21 for control and 20 for data (or random in passive mode).
So I need a way of filtering packets for certain applications regardless of port number. I just don't know where begin and need some guidence. Thanks.
I wouldn't bother using pcap's own filter.
I just wrote a packet sniffer using pcap and, once you have the ethernet/ip/tcp headers figured out, you can easily filter, as you say, by port, protocol, and ip. There really is not anything more to choose from as there is nothing in the headers which specificly indicates the packet involves HTTP.
BUT, if your concern is that http isn't necessarily on port 80 (if you watch some sniffing, you will realize that while your computer may not use it, internet servers always do, so at least one party will be on port 80 -- but anyway), you could always use the first word in the packet "body", which usually begins at an offset of 66 (14 for the ethernet header, 20 for the ip header, and 32 for the tcp header) for http related commands (like GET) or just scan the whole body for "HTTP". However, the packets which form the initial acknowledge/syncronize "handshake" with an http server do not have any content, they just communicate with tcp flags, so these packets are only 66 bytes long.
The point: HTTP is not actually part of the network layer in the OSI model, so saying you want to sort packets on the basis of "whether they involve HTTP" is exactly the same as saying you want to sort them on the basis of "whether they involve cars". The only certain evidence will be in the the message body.
The moral: In reality, you would just look for port 80.
C programming resources:
GNU C Function and Macro Index -- glibc reference manual
The C Book -- nice online learner guide
Current ISO draft standard
CCAN -- new CPAN like open source library repository
3 (different) GNU debugger tutorials: #1 -- #2 -- #3
cpwiki -- our wiki on sourceforge
Hi,
It's a bit of a problem with the ftp traffic though. Ports 21 and 20 are for active, but passive mode will be random.
Just with the filtering and ports, how does the OS know what to do with those. I've read some things about sockets, should I be looking into this direction?
Also, does http sends the html codes first, and then retrieve the images etc after? Thanks.
To look for a single type of packet, neither would I. But pcap's filters are useful when you are trying to organize many different kinds of packets, since they all compile down to a single "machine" that efficiently recognizes everything simultaneously.Originally Posted by MK27
Code://try //{ if (a) do { f( b); } while(1); else do { f(!b); } while(1); //}
Traditionally you would recieve the page and then your browser issues GET requests for stuff in it like images which are sent seperately with no garbage (you can retrieve them the same way with inet sockets).
C programming resources:
GNU C Function and Macro Index -- glibc reference manual
The C Book -- nice online learner guide
Current ISO draft standard
CCAN -- new CPAN like open source library repository
3 (different) GNU debugger tutorials: #1 -- #2 -- #3
cpwiki -- our wiki on sourceforge
Any recommendations for ways to filter by application layer protocols? Or what I should research for to achieve this task? Thanks.
Such things (such as they may be) are a different style of aniMal, because they are processed by whatever software it is that Exists that's managed to recieve something on some network port. TCP and all the layers below thaT are dealt with by the OS kernel, and so, I would guess, are tHe session and presentation layers, which probably can't and aren't directed by any specific package content. HTTP is actually considered application layer, so you are back where you started.
C programming resources:
GNU C Function and Macro Index -- glibc reference manual
The C Book -- nice online learner guide
Current ISO draft standard
CCAN -- new CPAN like open source library repository
3 (different) GNU debugger tutorials: #1 -- #2 -- #3
cpwiki -- our wiki on sourceforge
Guess I have to look into OS's in more detail .... Well I guess learnt something from seeing the packets coming in and out.
I found that ftp appears to have concurrent connections access with more files not the size of the file.
With http traffic, does anyone know how to make it have concurrent connection?
