Reconstructing data from a PCAP sniff


Problem description

I am trying to sniff HTTP data through libpcap and get all the HTTP contents (header + payload) after processing the TCP payload.

As per my discussion at Writing an http sniffer (or any other application level sniffer) (https://stackoverflow.com/questions/2905430/writing-an-http-sniffer-or-any-other-application-level-sniffer), I am facing problems due to fragmentation - I need to reconstruct the whole stream (or defragment it) to get a complete HTTP packet, and this is where I need some help.

Thanks in anticipation!!

Recommended answer

It's really pretty simple. Just take the Ethernet frames that you get from pcap and extract the IP packets from them, reassembling any that were fragmented. Then reorder the TCP segments from the IP packets according to the sequence numbers, taking care to discard any duplicate data. Then process the stream as an HTTP stream. Of course, HTTP doesn't come in packets; it is an application-layer protocol, but I'm sure this will be obvious once you've done all this other work. As you do all these things, pay attention to checksumming the IP headers and TCP segments to ensure that your data is correct. Also, if pcap happens to miss any packets, make sure you deal with this appropriately.

To help you along, the Linux TCP stack should provide a concise reference to this process as it occurs in the kernel.
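The steps the answer above lists (pull the IPv4 packet out of the Ethernet frame, check the IP and TCP checksums, reorder TCP segments by sequence number, throw away bytes that were retransmitted or overlap, and cope with segments the capture never saw), as an added example in Python that is not part of the original question or answer. The frames are constructed inline with valid checksums rather than read through libpcap; the `Reassembler` class, the `(src, sport, dst, dport)` flow key, the `drain`/`finish` helpers and the sample HTTP response are all assumptions of this example. IP fragment reassembly is detected but left as a separate step.

```python
# Ethernet -> IPv4 -> TCP parsing and per-direction TCP reassembly (added example with constructed frames).
import struct
from types import SimpleNamespace
MASK = 0xFFFFFFFF  # TCP sequence numbers live modulo 2**32

def ip_checksum(data):
    """RFC 1071 ones'-complement sum; yields 0 over data whose checksum field is already correct."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src, dst, tcp):
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    return ip_checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)

def parse_frame(frame):
    """Return (flow_key, seq, flags, payload) for an IPv4/TCP frame, else None. Raises on a bad checksum
    (caveat: frames captured on the sending host often carry wrong checksums because the NIC fills them in)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # short, not IPv4, or not TCP
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if struct.unpack("!H", ip[6:8])[0] & 0x3FFF:  # MF set or fragment offset != 0
        raise NotImplementedError("IP fragment reassembly is a separate step, not shown here")
    src, dst, tcp = ip[12:16], ip[16:20], ip[ihl:total_len]
    if tcp_checksum(src, dst, tcp) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return (src, sport, dst, dport), seq, off_flags & 0x1FF, tcp[(off_flags >> 12) * 4:]

def rel(seq, base):
    """Signed distance from base to seq modulo 2**32 (negative: seq lies before base)."""
    d = (seq - base) & MASK
    return d - (1 << 32) if d >= (1 << 31) else d

def drain(st):
    """Append every pending segment that is now in order to st.buf, dropping bytes already delivered."""
    while st.pending:
        seq = min(st.pending, key=lambda s: rel(s, st.nxt))
        off = rel(seq, st.nxt)
        if off > 0:  # hole before this segment: wait for the missing bytes
            break
        data = st.pending.pop(seq)[-off:]  # off <= 0 trims the retransmitted/overlapping prefix
        st.buf += data
        st.nxt = (st.nxt + len(data)) & MASK

class Reassembler:
    """One in-order byte stream per direction, keyed by (src, sport, dst, dport)."""
    def __init__(self):
        self.streams = {}

    def feed(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return
        key, seq, flags, payload = parsed
        if key not in self.streams:  # the first segment seen fixes where the stream starts (SYN = 0x02)
            self.streams[key] = SimpleNamespace(nxt=(seq + 1) & MASK if flags & 0x02 else seq,
                                                buf=bytearray(), pending={}, gaps=[])
        if payload:
            self.streams[key].pending[seq] = payload
            drain(self.streams[key])

    def finish(self, key):
        st = self.streams[key]
        while st.pending:  # data still waiting means the capture dropped a segment: record the hole, resume
            resume = min(st.pending, key=lambda s: rel(s, st.nxt))
            st.gaps.append((st.nxt, resume))
            st.nxt = resume
            drain(st)
        return bytes(st.buf), st.gaps

def make_frame(src, dst, sport, dport, seq, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame with valid checksums (test input, not captured traffic)."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq & MASK, 0, (5 << 12) | flags, 65535, 0, 0)
    tcp = hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr + payload)) + hdr[18:] + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    return bytes(12) + b"\x08\x00" + ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + tcp

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"  # constructed sample payload
def demo_reorder():  # data out of order, sequence numbers wrapping past 2**32, plus an overlapping retransmit
    isn = 0xFFFFFFF0
    p0, p1, p2 = RESPONSE[:15], RESPONSE[15:30], RESPONSE[30:]
    r = Reassembler()
    r.feed(make_frame(SRC, DST, 80, 40000, isn, b"", flags=0x12))        # SYN/ACK, no data
    r.feed(make_frame(SRC, DST, 80, 40000, isn + 1 + 15, p1))            # arrives before p0
    r.feed(make_frame(SRC, DST, 80, 40000, isn + 1, p0))
    r.feed(make_frame(SRC, DST, 80, 40000, isn + 1 + 10, p0[10:] + p1))  # retransmit of bytes already seen
    r.feed(make_frame(SRC, DST, 80, 40000, isn + 1 + 30, p2))
    return r.finish((SRC, 80, DST, 40000))  # -> (RESPONSE, [])

def demo_missing():  # same response, but the middle segment was never captured
    r = Reassembler()
    r.feed(make_frame(SRC, DST, 80, 40000, 1000, RESPONSE[:15]))
    r.feed(make_frame(SRC, DST, 80, 40000, 1030, RESPONSE[30:]))
    return r.finish((SRC, 80, DST, 40000))  # -> (RESPONSE[:15] + RESPONSE[30:], [(1015, 1030)])
```

With libpcap the loop body is the same: hand each frame from `pcap_next_ex()` to `feed()` and call `finish()` for a flow when its FIN/RST is seen or the capture ends. Only after `finish()` returns should the bytes be handed to an HTTP parser, since an HTTP message boundary has no relation to segment boundaries; the returned `gaps` list tells the parser where the capture lost data, which is the case the answer warns about. Each direction of a connection is its own stream here, so the request and the response are reassembled separately.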

