Writing an http sniffer (or any other application level sniffer)

Ishi · May 25, 2010 · Viewed 8.1k times

I am trying my hand at understanding PCAP libraries. I am able to apply a filter and get the TCP payload at port 80. But what next? How can I read the HTTP data? Suppose I want to know the "User Agent" field value in the HTTP header: how should I proceed? I have searched the website (and googled a lot too), and could find a related thread here: writing a http sniffer. But this doesn't help me anywhere...

Thanks !!

Answer

brickner · May 25, 2010

First, you should know that PCAP gives you packets and will not reconstruct the TCP stream, so you won't be able to read full HTTP TCP streams without first reconstructing the data.

Assuming all the data is available in one packet, try and look at my answer for a similar question. All you need to do differently is to parse the HTTP header and get the user agent.

If you don't limit yourself to C, and if you can use Windows, you can write a .NET application and use Pcap.Net to parse Ethernet, IPv4 and TCP perfectly.
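An added example, not part of the answer above: one way to pull a header such as User-Agent out of the TCP payload in C, under the answer's assumption that the whole header block arrives in a single packet. The function name `http_header_value` and the sample request are constructed for illustration; the payload pointer and length are assumed to come from your own Ethernet/IPv4/TCP parsing in the pcap callback.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed sample: an HTTP request that fits in a single TCP payload. */
static const char SAMPLE_REQ[] =
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "user-agent:  ExampleBrowser/1.0 \r\n"
    "Accept: text/html\r\n\r\n"
    "User-Agent: in-body-not-a-header\r\n";

/* Copy the value of header `name` from a raw TCP payload into `out`.
 * The payload is length-delimited, not NUL-terminated, so every read is
 * bounded by `len`. Returns the copied length, or -1 if the header is not
 * found in the header block of this segment. */
int http_header_value(const unsigned char *p, size_t len, const char *name,
                      char *out, size_t outsz)
{
    size_t nlen = strlen(name), pos = 0;
    int first = 1;                 /* the request line is not a header */
    if (outsz == 0) return -1;
    while (pos < len) {
        const unsigned char *nl = memchr(p + pos, '\n', len - pos);
        if (nl == NULL) return -1; /* line continues in a later segment */
        size_t end = (size_t)(nl - p), line = end - pos;
        if (line > 0 && p[end - 1] == '\r') line--;
        if (line == 0) return -1;  /* blank line: end of the header block */
        /* header names are case-insensitive and end at the first ':' */
        if (!first && line > nlen && p[pos + nlen] == ':' &&
            strncasecmp((const char *)p + pos, name, nlen) == 0) {
            size_t v = pos + nlen + 1, vend = pos + line;
            while (v < vend && (p[v] == ' ' || p[v] == '\t')) v++;
            while (vend > v && (p[vend - 1] == ' ' || p[vend - 1] == '\t')) vend--;
            size_t n = vend - v;
            if (n > outsz - 1) n = outsz - 1;   /* truncate, never overflow */
            memcpy(out, p + v, n);
            out[n] = '\0';
            return (int)n;
        }
        first = 0;
        pos = end + 1;
    }
    return -1;
}
int main(void)
{
    char ua[256];
    size_t len = sizeof SAMPLE_REQ - 1;
    if (http_header_value((const unsigned char *)SAMPLE_REQ, len, "User-Agent", ua, sizeof ua) >= 0)
        printf("User-Agent: %s\n", ua);
    return 0;
}
```

A return of -1 on a segment that starts a request but has no terminating newline is the case where TCP stream reassembly is needed before parsing.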