How can I get the URL address for a TCP Packet?
-
Hello everyone, I am working on an HTTP Sniffer. So far I am able to get some information on a received TCP packet using the following code.
//Create MemoryStream out of the received bytes
MemoryStream ImemoryStream = new MemoryStream(byteBuffer, 0, nReceived);
//Next we create a BinaryReader out of the MemoryStream
BinaryReader IbinaryReader = new BinaryReader(ImemoryStream);
//The first eight bits of the IP header contain the version and
//header length so we read them
byteVersionAndHeaderLength = IbinaryReader.ReadByte();
//The next eight bits contain the Differentiated services
byteDifferentiatedServices = IbinaryReader.ReadByte();
//Next sixteen bits hold the total length of the datagram
ushortTotalLength = (ushort)IPAddress.NetworkToHostOrder(IbinaryReader.ReadInt16());
//Next sixteen have the identification bytes
ushortIdentification = (ushort)IPAddress.NetworkToHostOrder(IbinaryReader.ReadInt16());
//Next sixteen bits contain the flags and fragmentation offset
ushortFlagsAndOffset = (ushort)IPAddress.NetworkToHostOrder(IbinaryReader.ReadInt16());
//Next eight bits have the TTL value
byteTTL = IbinaryReader.ReadByte();
//Next eight represent the protocol encapsulated in the datagram
byteProtocol = IbinaryReader.ReadByte();
//Next sixteen bits contain the checksum of the header
ushortChecksum = IPAddress.NetworkToHostOrder(IbinaryReader.ReadInt16());
//Next thirty two bits have the source IP address
uintSourceIPAddress = (uint)(IbinaryReader.ReadInt32());
//Next thirty two hold the destination IP address
uintDestinationIPAddress = (uint)(IbinaryReader.ReadInt32());
I also need to get the URL address of where the packets are coming from. I have seen some commercial HTTP sniffers that are able to do that. The Sniffer80 available at http://www.codeproject.com/tools/sniffer80.asp can also capture the URL address of the packet. Can someone tell me how I can get this done? Maybe I am looking for a URL address at the wrong pla
-
Well, the only thing I can think of when RECEIVING UNSOLICITED packets is to use reverse DNS. However, since you are "sniffing" HTTP, then it is simply a matter of catching all of the HTTP GET request headers, and mapping (an associative array) the actual IP address:port to the requested URL from the HTTP GET request header. Then, as packets come in from that IP, you retrieve the URL by looking up the IP in your array...

The thing is, in order to GET a TCP packet (using HTTP), you have to have made a GET request at some point: no unsolicited pushing of files onto your computer here. Every image and other resource on an HTML page is the result of a separate GET request.

By the way, Sniffer80 is a piece of crap. It is not a sniffer. It is a cheap facade using URLMon. It is tied directly into IE. The source code is unavailable, probably out of shame due to its lame-ness. You could do the same by writing an IE add-in that copies the contents of the address bar...

Anyhow, if I am way off the mark here, let me know. It seems like a simple solution to me though, since you already have all the information at hand before the TCP packets even start flowing.
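
The mapping described in this answer, as an added example that is not code from the thread or from Sniffer80: it skips the IP and TCP headers, reads the GET request line and Host header, and remembers the URL per server IP:port so later packets from that endpoint can be labelled. `HttpUrlTracker` and its members are hypothetical names; it assumes a raw IPv4 datagram like the question's `byteBuffer`, cleartext HTTP (HTTPS payloads are encrypted and never match), and a request whose headers fit in one TCP segment.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
// Added example: HttpUrlTracker and its members are hypothetical names.
class HttpUrlTracker
{
    // "serverIP:port" -> URL most recently requested from that endpoint
    readonly Dictionary<string, string> urls = new Dictionary<string, string>();
    static string EndPoint(byte[] b, int ip, int port) =>
        $"{b[ip]}.{b[ip + 1]}.{b[ip + 2]}.{b[ip + 3]}:{((b[port] << 8) | b[port + 1])}";
    // Feed every captured IPv4 datagram; returns the URL it belongs to, or null.
    public string Process(byte[] buf, int nReceived)
    {
        if (nReceived < 40 || (buf[0] >> 4) != 4 || buf[9] != 6) return null; // IPv4 carrying TCP
        int ipLen = (buf[0] & 0x0F) * 4;                  // IHL counts 32-bit words
        if (ipLen < 20 || nReceived < ipLen + 20) return null;
        int data = ipLen + (buf[ipLen + 12] >> 4) * 4;    // skip TCP header (data offset field)
        if (data > nReceived) return null;
        string src = EndPoint(buf, 12, ipLen), dst = EndPoint(buf, 16, ipLen + 2);
        string text = Encoding.ASCII.GetString(buf, data, nReceived - data);
        string url = ParseGet(text, dst);
        if (url != null) { urls[dst] = url; return url; } // request: remember it per server
        return urls.TryGetValue(src, out string known) ? known : null; // reply: look it up
    }
    static string ParseGet(string text, string fallbackHost)
    {
        if (!text.StartsWith("GET ", StringComparison.Ordinal)) return null;
        string[] lines = text.Split(new[] { "\r\n" }, StringSplitOptions.None);
        string[] parts = lines[0].Split(' ');             // GET <target> HTTP/1.x
        if (parts.Length != 3) return null;
        if (parts[1].StartsWith("http://", StringComparison.OrdinalIgnoreCase)) return parts[1]; // proxy form
        string host = fallbackHost;                       // HTTP/1.0 requests may omit Host
        for (int i = 1; i < lines.Length && lines[i].Length > 0; i++)
            if (lines[i].StartsWith("Host:", StringComparison.OrdinalIgnoreCase)) host = lines[i].Substring(5).Trim();
        return "http://" + host + parts[1];
    }
    static void Main()
    {
        // Constructed sample: 20-byte IP header + 20-byte TCP header + request text.
        byte[] req = Encoding.ASCII.GetBytes("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n");
        byte[] pkt = new byte[40 + req.Length];
        pkt[0] = 0x45; pkt[9] = 6;                        // IPv4, IHL 5, protocol TCP
        new byte[] { 192, 0, 2, 10 }.CopyTo(pkt, 12);     // source (client)
        new byte[] { 192, 0, 2, 80 }.CopyTo(pkt, 16);     // destination (server)
        pkt[20] = 0xC0; pkt[21] = 0x01; pkt[23] = 80; pkt[32] = 0x50; // ports 49153 -> 80, data offset 5
        req.CopyTo(pkt, 40);
        Console.WriteLine(new HttpUrlTracker().Process(pkt, pkt.Length));
    }
}
```

Keying on server IP:port alone means a second request to the same server overwrites the first; adding the client port to the key separates concurrent connections.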