LinuxQuestions.org


gajaykrishnan 02-21-2005 12:19 PM

how do i read the data in the packet that i have captured after packet capture?
 
i am using libpcap for packet capture.
i am at present working on a mini project where i am studying methods to prevent email harvesters.
for that i am using packet capturing techniques. i need to read the data that is sent in the packets. i was successful in reading the headers, ip headers but when i tried to read the data by calculating the offset i could not see anything when i printed it on the screen.

please help me...
thanx in advance...
awaiting a reply.....

Mara 02-21-2005 03:51 PM

Are you sure you're capturing whole packets, not only headers? Check it.

gajaykrishnan 02-22-2005 04:01 AM

what do you mean?? how do i know whether i am capturing whole packets or only headers ??

i am simply using libpcap for capturing packets. i get the packet from pcap_next() and then i find the offset as packet + sizeof(struct ether_header) + ip->ip_len

Is there something like two different ways of capturing packets....
Please tell me something about this....

awaiting a reply..
thanx in advance...

Mara 02-23-2005 01:53 PM

How do you run pcap_open_live before? Second argument is the number of bytes from each packet to capture.

gajaykrishnan 02-23-2005 10:47 PM

so you mean to say that since i have to specify the size from the packet that i capture i cannot capture the whole packet ?? is it something like that...

well what i did was what i learnt from a tutorial and there they just did BUFSIZ as an argument for pcap_open_live() and i don't know the value of BUFSIZ... i think it is there in some header file... i didn't define it.

But does that mean that i should know the size of the packet before i capture it..
But how is that possible........All packets are not of fixed size... are they ??

And what happens if the size i specify is more or less than the actual size of the packet.??

Thanx in advance...
awaiting a reply.....

Mara 02-24-2005 03:13 PM

You don't need to know the size. You can use one fixed, big value like 65535. If packet is shorter it still works and there's no problem. The packet will be just captured with its real size.

gajaykrishnan 02-27-2005 10:39 PM

will the packets that i receive will be in the same order OR
the packets can come from different sources at the same time.

I have actually read in networks theories that the packets at this level do not usually arrive in correct order. it is basically a datagram.

i.e will a packet from a new source come before the message that the first source wanted to send me is not fully sent ??

So will i have to join the packets and re-create the message that the source wanted to send ??

awaiting a reply.....
Thanx for the response...

Mara 03-02-2005 07:39 AM

Packets can come in any order. Higher layers take care to rebuild the original message from pieces. In your case you probably need to do it yourself.

gajaykrishnan 03-03-2005 12:15 AM

so do i have to rebuild the data using the sequence numbers, offset and flags??

Is doing that not a daunting task??

Mara 03-03-2005 10:36 AM

If you don't have a method to make the OS actually rebuild them, you need to handle the problem yourself (and rewrite TCP/IP stack, in fact). But...if you just want to scan the mail on a machine that's receiving it (mailserver), you can connect to the server software.

gajaykrishnan 03-09-2005 05:53 AM

Thanx mara but the situation is somewhat like this.

i want to run the program on a machine that is hosting a web server. This program must be able to keep a log of all the pages in the site that have been accessed by some one else. How do i do this using packet capture or is there any other way out if it is not possible for me to read the log files of the web server.

Please show me a method..
bye.....
awaiting a reply.............

Mara 03-09-2005 12:21 PM

This task is easier, because you don't need to rebuild the packages. You just scan for GET, HEAD or POST inside (they're at the beginning, so the info you need should be not fragmented) and get the page address from it.

gajaykrishnan 03-10-2005 02:10 AM

thanx a lot...
so i have to just the first package and get the HEAD or GET is it so....
Are u sure that the size of the package is sufficient enough to get the request fully....??

That's great........
thanx...
bye..........

Mara 03-10-2005 02:07 PM

There's a probability that it may be not enough - but it's very very low (chance to get it fragmented because of very low MTU of one of the networks in the way). HEAD or GET should be just at the beginning of data, so if the address is not very long, it'll be all in one packet.

gajaykrishnan 03-11-2005 11:08 AM

i tried out to get the data using the following offset
ptr+sizeof(ether_header)+"sizeof ip header". Is this right....??
When i print the data i am able to see it on the console...
but then i have read in network theory classes that there is also a tcp header after the ip header.......Why is that i am not able to see it.....
Should i not jump over that header also........??

Awaiting a reply.........
thanx mara................ :)

Mara 03-14-2005 06:20 AM

You need to count the TCP header, too. It can be variable size (because of options). I recommend you to get a packet analyzer (like Ethereal), dump a number of packets and view them in the program. You will be able to see everything and you can check your program this way.

gajaykrishnan 03-15-2005 03:00 AM

so can i get the data using
(char*)(packet + sizeof(struct ether_header) + sizeof(struct tcphdr) + hlen*4

Mara 03-15-2005 04:03 PM

One ) is missing, but I think the formula is OK.

gajaykrishnan 03-24-2005 02:15 AM

Hi again,

Thanx a lot everything is working fine now. I have written the code for capturing packets and filtering those that contain GET requests in them. It's compiling and working.........

But when i combined it with other files of my project i got the following compilation error

"Syntax error before numerical constant" inside line 206 and 213 of pcap.h

Have u ever experienced this....

Can u help me out......

Thanx ....
awaiting a reply......

Mara 03-24-2005 03:48 PM

Nope. Look what's in those lines. It may be that you have a define of the same name as in the header file etc.

gajaykrishnan 03-25-2005 08:48 AM

Thanx a lot.....
i finally figured it out............
it was a linking problem..............
The makefile did not contain the flags -lpthread and -lpcap that i needed.........

Also i made the mistake of including the definition of functions of class inside the .h file itself so that it wouldn't compile and finally leading to function undeclared error. I then split them into .cpp and .h files..........

Hey ...... but i am still suspicious about the output...... the message printed for a particular packet sometimes contains the message of the previous packet at the end.

So the latter packet is (message of new packet + message of older packet)......

Moreover each request is being caught twice...........

I tested them on "loopback" and "eth0" same output........

Do you know why,..............

Awaiting a reply........
Bye............

Mara 03-26-2005 02:45 PM

All is caught twice? That's not good. But I think it's a problem with your code - quite many people write such sniffers and they usually work. Hard to help without the code.

venkatesh111 04-19-2006 02:35 AM

hi krishnan,
hey i went through ur post i need to know how did u capture the packets n how did u print them can u plz send me the code

thanks
in advance

primo 04-19-2006 05:09 AM

With TCP, which uses Path MTU discovery, you won't see that much fragmentation unless it's malicious traffic. Raw sockets on Linux may receive TCP packets (not necessarily true for other implementations). Quoting raw(7):
Quote:
    If you really want to receive all IP packets use a packet(7) socket with the ETH_P_IP protocol. Note that packet sockets don't reassemble IP fragments, unlike raw sockets
Quote:
    i dont know the value of BUFSIZ... i think it is there in some header file... i didnt define it.
It's defined in <stdio.h> and it's usually 8192.

Quote:
    But does that mean that i should know the size of the packet before i capture it..
    But how is that possible........All packets are not of fixed size... are they ??
No. A decent size is the interface MTU that you may get with the SIOCGIFMTU ioctl(). See netdevice(7).

Quote:
    And what happens if the size i specify is more or less than the actual size of the packet.??
You must be careful to not use pointers beyond the end of captured data. Remember to skip the TCP/IP headers correctly. Multiply the TCP header (offset) length too.


Quote:
    i want to run the program on a machine that is hosting a web server. This program must be able to keep a log of all the pages in the site that have been accessed by some one else. How do i do this using packet capture or is there any other way out if it is not possible for me to read the log files of the web server.
Another way is the linux kernel firewall (netfilter). There are many ways. See libipq(3) and www.netfilter.org. There's the ULOG target too. See: http://iptables-tutorial.frozentux.n...tml/x4883.html
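The header-offset arithmetic Mara sketched earlier (Ethernet header, then an IP header of IHL*4 bytes, then a TCP header of data-offset*4 bytes), her GET/HEAD/POST scan, primo's warning about pointers past the end of the captured data, and the "message of the previous packet at the end" symptom reported mid-thread, worked through as an added example. This is not code from any poster in the thread. It assumes a libpcap-style buffer (a pointer to the bytes plus pcap_pkthdr.caplen, with the snaplen set to 65535 as Mara suggests) but parses a constructed in-memory frame so it runs without an interface or root; the names tcp_payload, http_request_line and sample_frame are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14          /* untagged Ethernet II header */
#define ETHERTYPE_IPV4 0x0800
#define IP_PROTO_TCP 6

/* Find the TCP payload in a captured Ethernet frame.
 * caplen is the number of bytes actually captured (pcap_pkthdr.caplen), and every
 * bound below is checked against it, so a short snaplen yields -1 instead of an
 * out-of-bounds read. Returns the payload length, or -1 if the frame is not
 * IPv4/TCP or the capture ends inside the headers. */
int tcp_payload(const unsigned char *pkt, size_t caplen, const unsigned char **payload)
{
    size_t ip_off = ETH_HDR_LEN, ip_hlen, ip_total, tcp_off, tcp_hlen, data_off, end;

    if (caplen < ip_off + 20) return -1;
    if (((pkt[12] << 8) | pkt[13]) != ETHERTYPE_IPV4) return -1;
    if ((pkt[ip_off] >> 4) != 4) return -1;

    ip_hlen = (size_t)(pkt[ip_off] & 0x0f) * 4;         /* IHL counts 32-bit words */
    if (ip_hlen < 20 || caplen < ip_off + ip_hlen) return -1;
    if (pkt[ip_off + 9] != IP_PROTO_TCP) return -1;

    tcp_off = ip_off + ip_hlen;
    if (caplen < tcp_off + 20) return -1;
    tcp_hlen = (size_t)(pkt[tcp_off + 12] >> 4) * 4;    /* data offset, also in words */
    if (tcp_hlen < 20 || caplen < tcp_off + tcp_hlen) return -1;

    /* Stop at the IP total length when it lies inside the capture, so Ethernet
     * padding on short frames is not mistaken for payload bytes. */
    ip_total = ((size_t)pkt[ip_off + 2] << 8) | pkt[ip_off + 3];
    end = caplen;
    if (ip_total >= ip_hlen && ip_off + ip_total < end) end = ip_off + ip_total;

    data_off = tcp_off + tcp_hlen;
    if (end < data_off) return -1;
    *payload = pkt + data_off;
    return (int)(end - data_off);
}

/* Copy the HTTP request line (up to CR or LF) into out, always NUL-terminated.
 * Returns the number of bytes copied, 0 if the payload does not begin with a
 * method we log, -1 if the frame could not be parsed. Terminating the buffer
 * on every call and never copying past the payload length is what prevents the
 * previous packet's text from reappearing when a reused buffer is printed. */
int http_request_line(const unsigned char *pkt, size_t caplen, char *out, size_t outlen)
{
    static const char *methods[] = { "GET ", "HEAD ", "POST " };
    const unsigned char *data;
    int len, i;
    size_t n;

    if (outlen == 0) return -1;
    out[0] = '\0';
    len = tcp_payload(pkt, caplen, &data);
    if (len < 0) return -1;

    for (i = 0; i < 3; i++) {
        size_t mlen = strlen(methods[i]);
        if ((size_t)len >= mlen && memcmp(data, methods[i], mlen) == 0) break;
    }
    if (i == 3) return 0;

    for (n = 0; n < (size_t)len && n < outlen - 1; n++) {
        if (data[n] == '\r' || data[n] == '\n') break;
        out[n] = (char)data[n];
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample frame (not captured from any network): Ethernet + IPv4 with
 * IHL=5 + TCP with 12 bytes of options (data offset 8, i.e. 32 bytes). Checksums
 * are left zero; nothing here validates them. */
static const unsigned char sample_hdrs[66] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: total length (bytes 16-17) is filled in by sample_frame() */
    0x45,0x00, 0x00,0x00, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0xc0,0xa8,0x00,0x02, 0xc0,0xa8,0x00,0x01,
    /* TCP: sport 40000, dport 80, seq, ack, doff=8, PSH|ACK, window, csum, urg */
    0x9c,0x40, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,
    0x80,0x18, 0x01,0x00, 0x00,0x00, 0x00,0x00,
    /* options: NOP, NOP, timestamp; this is why doff*4 must be used, not 20 */
    0x01,0x01,0x08,0x0a, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02,
};
static const char sample_payload[] = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
static unsigned char frame_buf[256];   /* zero-filled tail stands in for padding */
static char line_buf[128];

/* Assemble the sample frame into frame_buf and return its length (114 bytes). */
size_t sample_frame(void)
{
    size_t plen = sizeof(sample_payload) - 1;
    size_t ip_total = 20 + 32 + plen;
    memset(frame_buf, 0, sizeof frame_buf);
    memcpy(frame_buf, sample_hdrs, sizeof sample_hdrs);
    frame_buf[16] = (unsigned char)(ip_total >> 8);
    frame_buf[17] = (unsigned char)(ip_total & 0xff);
    memcpy(frame_buf + sizeof sample_hdrs, sample_payload, plen);
    return sizeof sample_hdrs + plen;
}

/* Payload length the parser reports for frame_buf at a given caplen. */
int sample_payload_len(size_t caplen)
{
    const unsigned char *p;
    return tcp_payload(frame_buf, caplen, &p);
}

int main(void)
{
    size_t n = sample_frame();
    if (http_request_line(frame_buf, n, line_buf, sizeof line_buf) > 0)
        printf("request: %s\n", line_buf);
    return 0;
}
```

Feeding the same frame with a caplen of 40 or 60 bytes, as a too-small snaplen would produce, makes tcp_payload return -1 rather than reading past the headers, and a caplen of 130 (padding after the 114-byte frame) still reports 48 payload bytes because the IP total length is honoured.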

