Jul 15, 2010 at 4:39 PM
Edited Jul 17, 2010 at 11:26 AM
First, there is no "protocol" field within TCP.
Usually, there are standard server ports for specific protocols (HTTP is usually on port 80). The best way to identify HTTP streams over TCP is by looking at the port and by checking the first packet of the TCP stream to see whether it looks like the start of an HTTP request or response.
In HTTP, the client sends a stream of requests and the server responds with a stream of responses.
There is no fixed size of an HTTP request or response, but it is possible to parse the protocol and see where every request or response ends.
HTTP isn't a packet-based protocol.
Every request and response can span multiple packets, and in order to handle HTTP you must first reconstruct the TCP stream out of the packets that make it up and only then parse it.
Pcap.Net 0.7.0 doesn't parse HTTP at all.
The next version of Pcap.Net will be able to parse HTTP over TCP, but only packet-based, since it doesn't support TCP reconstruction.
So it would probably be useful only for parsing of the first packet in a stream (the first part of the first request or response in the TCP connection).
A future version might include TCP reconstruction (this feature can be found within the Issue Tracker).
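
The approach described in the post above, as an added example in Python (not part of the original post and not Pcap.Net code): reassemble one direction of a TCP stream from its segments, then check whether it starts like HTTP and where the first message ends. The function names and the sample segments are constructed for illustration, and only Content-Length framing is assumed.

```python
import re

# First line of an HTTP/1.x request ("GET / HTTP/1.1") or response ("HTTP/1.1 200 OK").
REQUEST_LINE = re.compile(rb"[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"HTTP/1\.[01] \d{3} [^\r\n]*\r\n")

def classify_start(data):
    """Return 'request', 'response' or 'unknown' for the first bytes of a stream."""
    if REQUEST_LINE.match(data):
        return "request"
    return "response" if STATUS_LINE.match(data) else "unknown"

def reassemble(segments, first_seq):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    first_seq is the sequence number of the first data byte (SYN seq + 1).
    Tolerates reordering, retransmission and overlap; stops at the first gap.
    """
    pending = {}
    for seq, payload in segments:
        offset = (seq - first_seq) % 2**32  # sequence numbers wrap at 2**32
        if len(payload) > len(pending.get(offset, b"")):
            pending[offset] = payload
    stream = bytearray()
    for offset in sorted(pending):
        if offset > len(stream):
            break  # a segment is missing; later bytes cannot be trusted yet
        stream += pending[offset][len(stream) - offset:]
    return bytes(stream)

def message_length(stream):
    """Byte length of the first HTTP message, or None while it is incomplete.

    Assumption: Content-Length framing only; chunked encoding is not handled.
    """
    head_end = stream.find(b"\r\n\r\n")
    if head_end < 0:
        return None
    body_len = 0
    for line in stream[:head_end].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            body_len = int(value.strip())
    total = head_end + 4 + body_len
    return total if len(stream) >= total else None

# Constructed sample: one request in three segments, captured out of order
# with a retransmitted first segment; data starts at sequence number 1000.
REQUEST = b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 9\r\n\r\nuser=test"
SEGMENTS = [(1000, REQUEST[:8]), (1030, REQUEST[30:]), (1008, REQUEST[8:30]), (1000, REQUEST[:8])]
```

With the sample data, the first segment alone classifies as `unknown`, while the reassembled stream classifies as `request`, which is the limitation of packet-based parsing the post describes.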