How to find out the HTTP header length of a packet?


Question

I know how to do it manually (by looking at the hex dump). How can I obtain the same automatically? Do I have to use the APIs? I have both Wireshark and Microsoft Network Monitor.

Recommended answer

This can be achieved simply with a Lua dissector that adds an HTTP header field to the packet tree, allowing you to filter for it, as shown in this screenshot:

Copy this Lua script into your plugins directory (e.g., ${WIRESHARK_HOME}/plugins/1.4.6/http_extra.lua), and restart Wireshark (if already running).

do
        local http_wrapper_proto = Proto("http_extra", "Extra analysis of the HTTP protocol");
        http_wrapper_proto.fields.hdr_len = ProtoField.uint32("http.hdr_len", "Header length (bytes)")

        -- HTTP frames that contain a header usually include the HTTP
        -- request method or HTTP response code, so declare those here
        -- so we can check for them later in the dissector.
        local f_req_meth    = Field.new("http.request.method")
        local f_resp_code   = Field.new("http.response.code")

        local original_http_dissector
        function http_wrapper_proto.dissector(tvbuffer, pinfo, treeitem)
                -- We've replaced the original http dissector in the dissector table,
                -- but we still want the original to run, especially because we need 
                -- to read its data. Let's wrap the call in a pcall in order to catch
                -- any unhandled exceptions. We'll ignore those errors.
                pcall(
                    function()
                        original_http_dissector:call(tvbuffer, pinfo, treeitem)
                    end
                )

                -- if the request method or response code is present,
                -- the header must be in this frame
                if f_req_meth() or f_resp_code() then

                        -- find the end of the header terminator (a blank line:
                        -- CRLF CRLF, or two bare LFs from lenient senders). The
                        -- end offset is the HTTP header length in bytes, with the
                        -- terminator included. Then add the field to the tree
                        -- (allowing us to filter for it)
                        local hdr_str = tvbuffer():string()
                        local _, hdr_len = string.find(hdr_str, "\r\n\r\n", 1, true)
                        if hdr_len == nil then
                            _, hdr_len = string.find(hdr_str, "\n\n", 1, true)
                        end
                        if hdr_len ~= nil then
                            treeitem:add(http_wrapper_proto.fields.hdr_len, hdr_len):set_generated()
                        end
                end
        end

        local tcp_dissector_table = DissectorTable.get("tcp.port")
        original_http_dissector = tcp_dissector_table:get_dissector(80) -- save the original dissector so we can still get to it
        tcp_dissector_table:add(80, http_wrapper_proto)                 -- and take its place in the dissector table
end
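
As an added example (not part of the original answer), the same measurement can be made outside Wireshark on raw TCP payload bytes, for instance to cross-check the plugin's values or to flag oversized headers in exported streams. It goes beyond the Lua script by handling a header whose terminator arrives in a later segment; `http_header_length`, `StreamHeaderMeter`, the sample payloads and the 64 KiB cap are assumptions of this example.

```python
import re

# A header block ends at the first blank line: CRLF CRLF, or bare LF LF from
# lenient senders (the same two cases the Lua script looks for).
_TERMINATOR = re.compile(rb"\r?\n\r?\n")
# Request line or status line; only a payload starting with one is measured.
_START_LINE = re.compile(rb"(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3}\b)")

# Constructed sample payloads (not taken from a real capture).
SAMPLE_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_LF_RESPONSE = b"HTTP/1.0 200 OK\nServer: demo\n\n"


def http_header_length(payload):
    """Return the header length in bytes (terminator included), or None.

    None means the payload does not start an HTTP message, or the blank
    line has not arrived yet (the header continues in a later segment).
    """
    if not _START_LINE.match(payload):
        return None
    found = _TERMINATOR.search(payload)
    return found.end() if found else None


class StreamHeaderMeter:
    """Measure one message's header across several in-order TCP segments."""

    def __init__(self, max_header=65536):
        self.buf = b""
        self.max_header = max_header  # assumed cap so buffering stays bounded

    def feed(self, segment):
        """Add the next segment; return the header length once it is known."""
        self.buf += segment
        length = http_header_length(self.buf)
        if length is None and len(self.buf) > self.max_header:
            raise ValueError("no header terminator within max_header bytes")
        return length


if __name__ == "__main__":
    print(http_header_length(SAMPLE_REQUEST + b"ignored body"))
    print(http_header_length(SAMPLE_LF_RESPONSE + b"<html>"))
```
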
