how do i read the data in the packet that i have captured after packet capture?

gajaykrishnan · 02-21-2005, 12:19 PM

i am using libpcap for packet capture.
i am at present working on a mini project where i am studying methods to prevent email harvesters.
for that i am using packet capturing techniques. i need to read the data that is sent in the packets. i was successfull in reading the headers , ip headers but when i tried to read the data using calculating the offset i could so not see anything when i printed it on the screen.

please help me...
thanx in advance...
awaiting a reply.....

Mara · 02-21-2005, 03:51 PM

Are you sure you're capturing whole packets, not only headers? Check it.

gajaykrishnan · 02-22-2005, 04:01 AM

what do you mean?? how do i know whether i am capturing whole packets or only headers ??

i am simply using libpcap for capturing packets. i get the packet from pcap_next() and then i find the offset as packet + sizeof(struct ether_header) + ip->ip_len

Is there something like two different ways of capturing packets....
Please tell me something about this....

awaiting a reply..
thanx in advance...

Mara · 02-23-2005, 01:53 PM

How do you run pcap_open_live before? Second argument is the number of bytes from each packet to capture.

gajaykrishnan · 02-23-2005, 10:47 PM

so you mean to say that since i have to specify the size from the packet that i capture i cannot capture the whole packet ?? is it something like that...

well what i did was what i learnt from a tutorial and there they just did BUFSIZ as an argument for pcap_open_live() and i dont know the value of BUFSIZ... i think it is there in some header file... i didnt define it.

But does that mean that i should know the size of the packet before i capture it..
But how is that possible........All packets are not of fixed size... are they ??

And what happens if the size i specify is more or less than the actual size of the packet.??

Thanx in advance...
awaiting a reply.....

Mara · 02-24-2005, 03:13 PM

You don't need to know the size. You can use one fixed, big value like 65535. If packet is shorter it still works and there's no problem. The packet will be just captured with its real size.

gajaykrishnan · 02-27-2005, 10:39 PM

will the packets that i receive will be in the same order OR
the packets can come from different sources at the same time.

I have actually read in networks theories that the packets at this level do not usually arrive in correct order. it is basically a datagram.

i.e will a packet from a new source come before the message that the first source wanted to send me is not fully sent ??

So will i have to join the packets and re-create the message that the source wanted to send ??

awaiting a reply.....
Thanx for the response...

Mara · 03-02-2005, 07:39 AM

Packets can come at any order. Higher layers take care to rebuild the orginal message from pieces. In your case you probably need to do it yourself.

gajaykrishnan · 03-03-2005, 12:15 AM

so do i have to rebuild the data using the sequence numbers, offset and flags??

Is doing that not daunting task??

Mara · 03-03-2005, 10:36 AM

If you don't have a method to make the OS actually rebuild them, you need to handle the problem yourself (and rewrite TCP/IP stack, in fact). But...if you just want to scan the mail on a machine that's receiving it (mailserver), you can connect to the server software.

gajaykrishnan · 03-09-2005, 05:53 AM

Thanx mara but the situation is somewhat like this.

i want to run the program on a machine that is hosting a web server. This program must be able to keep a log of all the pages in the site that have been accessed by some one else. How do i do this using packet capture or is there any other way out if it is not possible for me to read the log files of the web server.

Please show me a method..
bye.....
awaiting a reply.............

Mara · 03-09-2005, 12:21 PM

This task is easier, because you don't need to rebuild the packages. You just scan for GET, HEAD or POST inside (they're at the beginning, so the info you need should be not fragmented) and get the page address from it.

gajaykrishnan · 03-10-2005, 02:10 AM

thanx a lot...
so i have to just the first package and get the HEAD or GET is it so....
Are u sure that the size of the package is sufficient enough to get the request fully....??

Thats great........
thanx...
bye..........

Mara · 03-10-2005, 02:07 PM

There's a probability that it may be not enough - but it's very very low (chance to get it fragmented because of very low MTU of one of the networks in the way). HEAD or GET should be just at the beginning of data, so if the address is not very long, it'll be all in one packet.

gajaykrishnan · 03-11-2005, 11:08 AM

i tried out to get the data using the following offset
ptr+sizeof(ether_header)+"sizeof ip header". Is this right....??
When i print the data i am able to see it on the console...
but then i have read in network theory classes that there is also a tcp header after the ip header.......Why is that i am not able to see it.....
Should i not jump over that header also........??

Awaiting a reply.........
thanx mara................