How can I recognize HTTP packets within TCP packets

Jun 2, 2011 at 10:47 PM

First I'd like to thank you guys for your great work, Pcap.Net is superb!

After finding your code I decided to try and build a sniffer in a C# Windows Forms application.

I'm trying to understand what the best way is to find out a packet's application layer protocol, starting with HTTP.

Can I use Tcp.Http.IsRequest or IsResponse or IsValid to decide if it's an HTTP packet?

If I understand correctly, HTTP data might be fragmented across several TCP packets; what would these fields' values be then?

Thanks again!

eli

Coordinator
Jun 4, 2011 at 8:28 PM

Hi Eli,

Only the first packet of an HTTP request or response will be parsed.

The rest of the packets cannot be parsed since they can be any binary data (like a part of any file).

The only way you can identify that these are indeed HTTP packets is by reconstructing the TCP stream or guessing that they are according to the ports.

Boaz.

Jun 5, 2011 at 7:15 AM

Hi Boaz, thanks for your reply,

Is that why I receive TCP packets (port 80) with Http.Header = "{}"? Are these TCP (HTTP) packets from the middle of the stream that have no header?

Is it 100% right to say that if a packet has a destination or source port 80 it's an HTTP packet?

eli

Coordinator
Jun 7, 2011 at 8:10 AM

No, it's not 100% right to say that.

The best way is to recognize the first packet and then use TCP reconstruction to be sure.

Note that you can use IsValid on an HttpDatagram.
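
The approach described in this thread (recognize the first packet, then follow the TCP stream instead of trusting the port), as an added example that is not part of the original posts and is not Pcap.Net code. The `HttpFlowClassifier` class, its `Classify` signature and the sample segments are assumptions; the caller passes in the addresses, ports, sequence number and payload from whatever decoded the packet.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

public enum Verdict { Unknown, HttpStart, HttpContinuation }

public sealed class HttpFlowClassifier
{
    // HTTP/1.x request line ("GET /x HTTP/1.1") or status line ("HTTP/1.1 200 OK").
    private static readonly Regex StartLine = new Regex(
        @"^(?:[A-Z]{3,10} \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3}(?: |$))");
    // Flow direction -> next expected sequence number, only for directions that opened with HTTP.
    private readonly Dictionary<string, uint> _nextSeq = new Dictionary<string, uint>();

    // Hypothetical signature: fields come from the already-decoded IP and TCP headers.
    public Verdict Classify(string src, ushort srcPort, string dst, ushort dstPort,
                            uint seq, byte[] payload)
    {
        if (payload == null || payload.Length == 0) return Verdict.Unknown; // bare SYN/ACK/FIN
        string key = src + ":" + srcPort + ">" + dst + ":" + dstPort;
        string firstLine = Encoding.ASCII.GetString(payload, 0, Math.Min(payload.Length, 256))
                                   .Split('\r', '\n')[0];
        uint expected;
        bool start = StartLine.IsMatch(firstLine);
        // A headerless segment counts as HTTP only as the next in-order bytes of a known HTTP flow.
        bool next = _nextSeq.TryGetValue(key, out expected) && expected == seq;
        if (!start && !next) return Verdict.Unknown; // e.g. port 80 traffic with no start line seen
        _nextSeq[key] = unchecked(seq + (uint)payload.Length); // sequence numbers wrap at 2^32
        return start ? Verdict.HttpStart : Verdict.HttpContinuation;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample segments: a response head, then raw body bytes with no header.
        byte[] head = Encoding.ASCII.GetBytes("HTTP/1.1 200 OK\r\nContent-Length: 4000\r\n\r\n");
        byte[] body = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };
        var c = new HttpFlowClassifier();
        // Non-standard port 8080: first segment carries the status line, second is pure body.
        Console.WriteLine(c.Classify("10.0.0.2", 8080, "10.0.0.1", 50000, 1000, head));
        Console.WriteLine(c.Classify("10.0.0.2", 8080, "10.0.0.1", 50000, 1000u + (uint)head.Length, body));
        // Port 80, but no start line was ever seen on this flow: the port alone proves nothing.
        Console.WriteLine(c.Classify("10.0.0.3", 80, "10.0.0.1", 50001, 7000, body));
    }
}
```

Retransmitted or out-of-order segments come back as `Unknown` here, because the sketch only tracks the next in-order sequence number; full TCP reassembly is needed to attribute those as well.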