LinuxQuestions.org
Old 02-21-2005, 12:19 PM   #1
gajaykrishnan
Member
 
Registered: Jul 2004
Posts: 65

How do I read the data in the packet that I have captured after packet capture?


I am using libpcap for packet capture.
I am at present working on a mini project where I am studying methods to prevent email harvesters.
For that I am using packet capturing techniques. I need to read the data that is sent in the packets. I was successful in reading the headers, the IP headers, but when I tried to read the data by calculating the offset I could not see anything when I printed it on the screen.

Please help me...
Thanks in advance...
Awaiting a reply.....
 
Old 02-21-2005, 03:51 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,527

Are you sure you're capturing whole packets, not only headers? Check it.
 
Old 02-22-2005, 04:01 AM   #3
gajaykrishnan
Member
 
Registered: Jul 2004
Posts: 65

Original Poster
What do you mean? How do I know whether I am capturing whole packets or only headers?

I am simply using libpcap for capturing packets. I get the packet from pcap_next() and then I find the offset as packet + sizeof(struct ether_header) + ip->ip_len

Is there something like two different ways of capturing packets?
Please tell me something about this....

Awaiting a reply..
Thanks in advance...
 
Old 02-23-2005, 01:53 PM   #4
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,527

How do you run pcap_open_live() beforehand? The second argument is the number of bytes from each packet to capture.
 
Old 02-23-2005, 10:47 PM   #5
gajaykrishnan
Member
 
Registered: Jul 2004
Posts: 65

Original Poster
So you mean to say that since I have to specify the size from the packet that I capture, I cannot capture the whole packet? Is it something like that...

Well, what I did was what I learnt from a tutorial, and there they just used BUFSIZ as an argument for pcap_open_live(), and I don't know the value of BUFSIZ... I think it is there in some header file... I didn't define it.

But does that mean that I should know the size of the packet before I capture it?
But how is that possible........ All packets are not of a fixed size... are they?

And what happens if the size I specify is more or less than the actual size of the packet?

Thanks in advance...
Awaiting a reply.....
 
Old 02-24-2005, 03:13 PM   #6
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,527

You don't need to know the size. You can use one fixed, big value like 65535. If the packet is shorter, it still works and there's no problem. The packet will just be captured with its real size.
 
Old 02-27-2005, 10:39 PM   #7
gajaykrishnan
Member
 
Registered: Jul 2004
Posts: 65

Original Poster
Will the packets that I receive be in the same order, OR can the packets come from different sources at the same time?

I have actually read in network theory that the packets at this level do not usually arrive in the correct order. It is basically a datagram.

I.e. will a packet from a new source come before the message that the first source wanted to send me has been fully sent?

So will I have to join the packets and re-create the message that the source wanted to send?

Awaiting a reply.....
Thanks for the response...
 
Old 03-02-2005, 07:39 AM   #8
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,527

Packets can come in any order. Higher layers take care of rebuilding the original message from the pieces. In your case you probably need to do it yourself.
 
Old 03-03-2005, 12:15 AM   #9
gajaykrishnan
Member
 
Registered: Jul 2004
Posts: 65

Original Poster
So do I have to rebuild the data using the sequence numbers, offset and flags?

Is doing that not a daunting task?
 
Old 03-03-2005, 10:36 AM   #10
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,527

If you don't have a method to make the OS actually rebuild them, you need to handle the problem yourself (and rewrite the TCP/IP stack, in fact). But... if you just want to scan the mail on a machine that's receiving it (a mail server), you can connect to the server software.
 
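Mara's point in posts #8 and #10 (segments arrive in any order, and a capture-based tool has to do the reassembly the TCP stack would otherwise do for it) in working form, as an added example that is not part of the thread. It assumes one unidirectional flow whose segments have already been filtered to a single source/destination pair, that the initial sequence number is known from the SYN, and that held-back segments fit a fixed buffer; the segments fed in are constructed. In a real tool the sequence number and payload come from the TCP header of each captured packet.

```c
/* Minimal TCP stream reassembly keyed on sequence numbers. Added example, not
 * code from the thread: one unidirectional flow, ISN known from the SYN,
 * payloads of at most 256 bytes. Segments may arrive in any order; bytes are
 * released only once contiguous with what was already delivered, and bytes
 * delivered earlier (retransmits, overlaps) are dropped. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HELD   64    /* out-of-order segments we are willing to buffer */
#define STREAM_MAX 4096  /* reassembled bytes kept for this demo */

struct held { uint32_t seq; size_t len; unsigned char data[256]; };

struct reasm {
    uint32_t next_seq;              /* first byte not yet delivered */
    unsigned char out[STREAM_MAX];  /* delivered bytes, in order */
    size_t out_len;
    struct held held[MAX_HELD];
    int n_held;
};

static void reasm_init(struct reasm *r, uint32_t isn)
{
    memset(r, 0, sizeof *r);
    r->next_seq = isn + 1;          /* the SYN itself consumes one sequence number */
}

/* Sequence numbers wrap at 2^32: compare by signed difference (RFC 1982 style). */
static int seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* Append a segment that starts at or before next_seq, trimming already-seen bytes. */
static void deliver(struct reasm *r, uint32_t seq, const unsigned char *d, size_t len)
{
    if (seq_before(seq, r->next_seq)) {          /* retransmit or overlap */
        uint32_t skip = r->next_seq - seq;
        if (skip >= len) return;                 /* nothing new in it */
        d += skip; len -= skip; seq = r->next_seq;
    }
    if (r->out_len + len > STREAM_MAX) len = STREAM_MAX - r->out_len;
    memcpy(r->out + r->out_len, d, len);
    r->out_len += len;
    r->next_seq = seq + (uint32_t)len;
}

/* Feed one segment; returns how many new in-order bytes became available. */
static size_t reasm_feed(struct reasm *r, uint32_t seq, const unsigned char *d, size_t len)
{
    size_t before = r->out_len;
    if (len == 0 || len > sizeof r->held[0].data) return 0;
    if (!seq_before(r->next_seq, seq)) {         /* seq <= next_seq: usable now */
        deliver(r, seq, d, len);
    } else if (r->n_held < MAX_HELD) {           /* there is a gap: hold it */
        struct held *h = &r->held[r->n_held++];
        h->seq = seq; h->len = len; memcpy(h->data, d, len);
    } else {
        return 0;                                /* buffer full: drop (bounded, so floods can't exhaust us) */
    }
    /* Drain held segments that the new data made contiguous, until none fit. */
    for (int progressed = 1; progressed; ) {
        progressed = 0;
        for (int i = 0; i < r->n_held; i++) {
            if (!seq_before(r->next_seq, r->held[i].seq)) {
                deliver(r, r->held[i].seq, r->held[i].data, r->held[i].len);
                r->held[i] = r->held[--r->n_held];   /* swap-remove */
                progressed = 1;
                break;
            }
        }
    }
    return r->out_len - before;
}

/* Worked scenario on constructed segments: the three pieces of "hello big world"
 * arrive as 3rd, 1st, 2nd, then a pure retransmit and an overlapping tail.
 * Returns the final stream length (17) if every step behaved as expected, else 0. */
static size_t reasm_demo(void)
{
    struct reasm r;
    reasm_init(&r, 1000);                        /* ISN 1000: data starts at 1001 */
    if (reasm_feed(&r, 1011, (const unsigned char *)"world", 5) != 0) return 0;   /* gap: held */
    if (reasm_feed(&r, 1001, (const unsigned char *)"hello ", 6) != 6) return 0;  /* in order */
    if (reasm_feed(&r, 1007, (const unsigned char *)"big ", 4) != 9) return 0;    /* fills gap, releases "world" too */
    if (reasm_feed(&r, 1007, (const unsigned char *)"big ", 4) != 0) return 0;    /* retransmit: nothing new */
    if (reasm_feed(&r, 1014, (const unsigned char *)"ld!!", 4) != 2) return 0;    /* overlap: only "!!" is new */
    if (r.out_len != 17 || memcmp(r.out, "hello big world!!", 17) != 0) return 0;
    return r.out_len;
}

int main(void)
{
    size_t n = reasm_demo();
    printf("reassembled %zu bytes%s\n", n, n == 17 ? " (as expected)" : " (unexpected)");
    return n == 17 ? 0 : 1;
}
```

This is the part of "rewriting the TCP/IP stack" that a capture tool cannot avoid. A real implementation also tracks the other direction, FIN/RST, timeouts for gaps that never fill, and a per-flow memory budget: a peer that sprays out-of-order segments can otherwise exhaust an unbounded reassembler, which is why the held-segment count is capped here.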
Old 03-09-2005, 05:53 AM   #11
gajaykrishnan
Member
 
Registered: Jul 2004
Posts: 65

Original Poster
Thanks Mara, but the situation is somewhat like this.

I want to run the program on a machine that is hosting a web server. This program must be able to keep a log of all the pages on the site that have been accessed by someone else. How do I do this using packet capture, or is there any other way out if it is not possible for me to read the log files of the web server?

Please show me a method..
Bye.....
Awaiting a reply.............
 
Old 03-09-2005, 12:21 PM   #12
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,527

This task is easier, because you don't need to rebuild the packages. You just scan for GET, HEAD or POST inside (they're at the beginning, so the info you need should not be fragmented) and get the page address from it.
 
Old 03-10-2005, 02:10 AM   #13
gajaykrishnan
Member
 
Registered: Jul 2004
Posts: 65

Original Poster
Thanks a lot...
So I just have to take the first package and get the HEAD or GET, is it so?
Are you sure that the size of the package is sufficient to get the request fully?

That's great........
Thanks...
Bye..........
 
Old 03-10-2005, 02:07 PM   #14
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,527

There's a probability that it may not be enough - but it's very, very low (the chance of it getting fragmented because of a very low MTU on one of the networks in the way). HEAD or GET should be right at the beginning of the data, so if the address is not very long, it'll all be in one packet.
 
Old 03-11-2005, 11:08 AM   #15
gajaykrishnan
Member
 
Registered: Jul 2004
Posts: 65

Original Poster
I tried to get the data using the following offset:
ptr + sizeof(ether_header) + "sizeof ip header". Is this right?
When I print the data I am able to see it on the console...
But then I have read in network theory classes that there is also a TCP header after the IP header. Why is it that I am not able to see it?
Should I not jump over that header also?

Awaiting a reply.........
Thanks Mara................
 
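The offset question from the first and last posts (#1 and #15), the snaplen point from posts #4 and #6, and the GET/HEAD/POST scan from posts #12 and #14, together in one added example that is not code from the thread. It assumes plain Ethernet framing, IPv4 and TCP; reads the header lengths from the headers themselves (IHL*4 and the TCP data offset*4) rather than using ip_len, which is the total datagram length; and treats caplen as the only trustworthy bound. The frame is built inline and marked as constructed; with libpcap the same bytes, caplen and len arrive in the struct pcap_pkthdr handed back by pcap_next() or pcap_next_ex().

```c
/* Added example, not code from the thread: walks an Ethernet/IPv4/TCP frame to
 * the TCP payload using the header length fields (IHL*4 and data offset*4, not
 * ip_len), checks each step against caplen (pcap_pkthdr.caplen, the bytes
 * libpcap really handed over, bounded by the pcap_open_live snaplen), and then
 * extracts the HTTP request line. The frame below is constructed by hand. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { PARSE_OK = 0,           /* request line found and complete */
       PARSE_TRUNCATED = -1,   /* caplen ends inside the headers: snaplen too small */
       PARSE_NOT_TCP = -2,     /* not IPv4/TCP, or a malformed header */
       PARSE_NO_REQ = -3,      /* payload does not start with GET/HEAD/POST */
       PARSE_INCOMPLETE = -4,  /* request line has no line end in what we hold */
       PARSE_BAD_TARGET = -5   /* control bytes in the target: never log it raw */
};

/* Locate the TCP payload: 0 = complete, 1 = cut short by caplen (*off/*plen
 * still describe what we hold), negative = error. */
static int tcp_payload(const unsigned char *pkt, size_t caplen, size_t *off, size_t *plen)
{
    const size_t eth = 14;                                 /* sizeof(struct ether_header) */
    if (caplen < eth) return PARSE_TRUNCATED;
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return PARSE_NOT_TCP;   /* ethertype IPv4 */
    if (caplen < eth + 20) return PARSE_TRUNCATED;
    const unsigned char *ip = pkt + eth;
    if ((ip[0] >> 4) != 4 || ip[9] != 6) return PARSE_NOT_TCP;       /* version 4, proto TCP */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;               /* IP header length: ip_hl*4 */
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];        /* ip_len: the whole datagram */
    if (ihl < 20 || ip_total < ihl + 20) return PARSE_NOT_TCP;
    size_t tcp_off = eth + ihl;
    if (caplen < tcp_off + 20) return PARSE_TRUNCATED;
    size_t doff = (size_t)(pkt[tcp_off + 12] >> 4) * 4;    /* TCP header incl. options */
    if (doff < 20 || ihl + doff > ip_total) return PARSE_NOT_TCP;
    if (caplen < tcp_off + doff) return PARSE_TRUNCATED;
    *off = tcp_off + doff;
    size_t want = ip_total - ihl - doff;                   /* payload bytes on the wire */
    size_t have = caplen - *off;                           /* may exceed want (Ethernet padding) */
    *plen = have < want ? have : want;
    return have < want ? 1 : 0;
}

/* Copy "METHOD target" from the start of a TCP payload into out. */
static int http_request_line(const unsigned char *p, size_t n, char *out, size_t outsz)
{
    static const char *const methods[] = { "GET ", "HEAD ", "POST " };
    size_t mlen = 0;
    for (size_t i = 0; i < 3 && mlen == 0; i++)
        if (n >= strlen(methods[i]) && memcmp(p, methods[i], strlen(methods[i])) == 0)
            mlen = strlen(methods[i]);
    if (mlen == 0) return PARSE_NO_REQ;
    const unsigned char *eol = memchr(p, '\n', n);
    if (eol == NULL) return PARSE_INCOMPLETE;              /* cut by snaplen, or split across segments */
    size_t line = (size_t)(eol - p);
    if (p[line - 1] == '\r') line--;                       /* line >= mlen, so this is in bounds */
    const unsigned char *sp = memchr(p + mlen, ' ', line - mlen);   /* space before HTTP/x.y */
    size_t end = sp ? (size_t)(sp - p) : line;
    if (end == mlen) return PARSE_NO_REQ;                  /* empty target */
    for (size_t i = mlen; i < end; i++)                    /* CR, LF, ESC... would forge log lines */
        if (p[i] < 0x21 || p[i] > 0x7e) return PARSE_BAD_TARGET;
    if (end >= outsz) end = outsz - 1;
    memcpy(out, p, end);
    out[end] = '\0';
    return PARSE_OK;
}

/* Constructed frame with RFC 5737 test addresses; checksums stay zero (we only parse). */
static size_t build_frame(unsigned char *buf, size_t cap, const char *payload)
{
    size_t plen = strlen(payload), total = 14 + 20 + 20 + plen;
    if (total > cap) return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                        /* ethertype IPv4 (MACs left zero) */
    unsigned char *ip = buf + 14, *tcp = buf + 34;
    ip[0] = 0x45; ip[8] = 64; ip[9] = 6;                   /* v4 IHL=5, TTL, TCP */
    ip[2] = (unsigned char)((total - 14) >> 8); ip[3] = (unsigned char)(total - 14);
    memcpy(ip + 12, "\xc0\x00\x02\x0a", 4);                /* 192.0.2.10 */
    memcpy(ip + 16, "\xc6\x33\x64\x50", 4);                /* 198.51.100.80 */
    tcp[0] = 0xc0; tcp[1] = 0x01; tcp[3] = 0x50;           /* port 49153 -> 80 */
    tcp[12] = 0x50; tcp[13] = 0x18;                        /* data offset 5, PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return total;
}

/* Run the parser as libpcap would deliver the frame under this snaplen
 * (caplen = min(snaplen, len)); 1 if the result code and, when given, the
 * extracted request line match what the caller expects. */
static int demo_check(size_t snaplen, const char *payload, int want_rc, const char *want_out)
{
    unsigned char frame[1600];
    char out[256] = "";
    size_t len = build_frame(frame, sizeof frame, payload), off, plen;
    size_t caplen = len < snaplen ? len : snaplen;
    int rc = tcp_payload(frame, caplen, &off, &plen);
    if (rc >= 0)                                           /* 1 = payload cut short: try what we hold */
        rc = http_request_line(frame + off, plen, out, sizeof out);
    return rc == want_rc && (want_out == NULL || strcmp(out, want_out) == 0);
}

const char SAMPLE_REQ[] = "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n";

int main(void)
{
    printf("snaplen 65535: %s\n", demo_check(65535, SAMPLE_REQ, PARSE_OK, "GET /index.html") ? "ok" : "FAIL");
    printf("snaplen 68:    %s\n", demo_check(68, SAMPLE_REQ, PARSE_INCOMPLETE, NULL) ? "ok" : "FAIL");
    printf("snaplen 40:    %s\n", demo_check(40, SAMPLE_REQ, PARSE_TRUNCATED, NULL) ? "ok" : "FAIL");
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run: at a snaplen of 65535 the request line comes out whole, at 68 the payload is cut in the middle of the request line, and at 40 caplen ends inside the TCP header, which is the symptom in the first post. The printable-ASCII check matters as soon as the extracted path is written to a log: a client can put CR or LF in the request target, and without the check it gets to forge whole log entries.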