Question

I'm trying to reconstruct TCP sessions from my pcap files, which have network packets captured using WinPcap. I have a project which splits the packets into sessions. So far I can read from pcap files and group packets according to their sessions.

What I want to learn is what I should do after these operations. I think in order to get data from these sessions I have to order these packets according to their sequence numbers. Am I right? Do I need extra operations to construct the TCP session data? How can I know which data is an image, HTML or JavaScript? Any suggestion for a good resource will be much appreciated.

By the way, I'm using SharpPcap and Pcap.Net for splitting packets into TCP sessions. Are these libraries enough for TCP session reconstruction?


Solution

Pcap.Net already has an HTTP parser, which would probably be enhanced with more features if people would request them.

Regarding TCP reconstruction, you're welcome to vote for this requested feature, I hope to do it in one of the next versions.

TCP reconstruction isn't that trivial, but it would mostly work once you group packets into TCP sessions, order them and remove duplicates. There are still corner cases that need to be handled, which also depend on the quality of the line you receive the packets from.

Once you have a reconstructed stream, you can use the Pcap.Net's HttpDatagram to parse it.

OTHER TIPS

You basically need to reimplement a tcp/ip stack and a http session parser.

Tcp packets need to be reordered and duplicates/invalids removed.

Those packets need to be processed to identify HTTP sessions. Decompression of data and header processing will let you identify the MIME type.

Sharppcap or pcapdotnet alone should work for a foundation of what you want to do. I'm positive sharppcap can since I'm the author.

I have a commercial product that works with sharppcap to do both tcp following and http parsing, chmorgan@gmail.com if you are interested in something that has been unit tested and used in other commercial products.
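The procedure both answers describe (group packets into sessions, order each direction by sequence number, drop duplicate and overlapping retransmissions, then read the HTTP headers and decompress the body to learn the MIME type) as an added, self-contained example. This is not code from Pcap.Net, SharpPcap or either answerer; it is a minimal Python reassembler over a constructed capture, with hypothetical `Packet`, `reassemble_direction` and `parse_http_response` helpers standing in for whatever the capture library hands you. The sample packets and IPs are made up for the demonstration.

```python
# Added example (not Pcap.Net / SharpPcap code): minimal TCP reassembly plus
# HTTP response parsing over constructed packets. Steps: group by session,
# order by seq, drop duplicate/overlapping retransmissions, parse headers.
import gzip
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Hypothetical packet record; a capture library fills these from IP/TCP headers."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def session_key(p):
    """Same key for both directions so A->B and B->A land in one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def group_sessions(packets):
    sessions = defaultdict(list)
    for p in packets:
        sessions[session_key(p)].append(p)
    return sessions


def reassemble_direction(packets):
    """Rebuild one direction's byte stream: sort by seq, skip exact duplicates,
    keep only the unseen tail of overlapping retransmissions, and report holes
    (lost or uncaptured segments) in `gaps`. Bytes after a hole are still
    appended, so a stream with gaps must be treated as unreliable. Caveat: raw
    32-bit seq values are compared directly, so a wrap past 2**32 needs
    relative sequence numbers first."""
    data, gaps, next_seq = bytearray(), [], None
    for p in sorted(packets, key=lambda p: p.seq):
        if not p.payload:
            continue  # pure ACK/SYN/FIN: no stream bytes
        end = p.seq + len(p.payload)
        if next_seq is None:
            next_seq = p.seq
        if end <= next_seq:
            continue  # full duplicate: every byte already in the stream
        if p.seq < next_seq:
            data += p.payload[next_seq - p.seq:]  # partial overlap: new tail only
        else:
            if p.seq > next_seq:
                gaps.append((next_seq, p.seq))
            data += p.payload
        next_seq = end
    return bytes(data), gaps


def reassemble_session(packets):
    """Split a session into its two directions and reassemble each."""
    by_dir = defaultdict(list)
    for p in packets:
        by_dir[(p.src, p.sport, p.dst, p.dport)].append(p)
    return {d: reassemble_direction(ps) for d, ps in by_dir.items()}


def parse_http_response(stream):
    """Single HTTP/1.x response: Content-Length bounds the body, gzip is undone,
    Content-Type yields the MIME type (image, html, javascript, ...)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body = body[: int(headers.get("content-length", len(body)))]
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    mime = headers.get("content-type", "application/octet-stream").split(";")[0].strip()
    return {"status": lines[0], "mime": mime, "body": body}


def analyze(packets):
    """Group, reassemble, and parse every direction carrying an HTTP response."""
    results = []
    for key, pkts in group_sessions(packets).items():
        for direction, (stream, gaps) in reassemble_session(pkts).items():
            resp = parse_http_response(stream)
            if resp is not None:
                results.append({"session": key, "from": direction[:2], "gaps": gaps, **resp})
    return results


# Constructed sample capture: one exchange whose response arrives as out-of-order
# segments plus an exact duplicate and an overlapping retransmission.
CLIENT, SERVER = ("192.0.2.10", 40001), ("198.51.100.20", 80)
HTML = b"<html><body>hello</body></html>"
GZ_BODY = gzip.compress(HTML, mtime=0)
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
            b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(GZ_BODY)) + GZ_BODY


def server_seg(offset, stop):
    return Packet(*SERVER, *CLIENT, 5000 + offset, RESPONSE[offset:stop])


SAMPLE_PACKETS = [
    Packet(*CLIENT, *SERVER, 1000, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    server_seg(40, 70),    # second segment captured before the first
    server_seg(0, 40),
    server_seg(60, 90),    # retransmission overlapping 10 already-seen bytes
    server_seg(40, 70),    # exact duplicate of the second segment
    server_seg(70, None),  # tail, partly covered by the overlapping retransmit
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_PACKETS):
        print(r["from"], r["status"], r["mime"], r["gaps"], r["body"])
```

Running it prints one response from the server side with MIME type `text/html`, no gaps, and the decompressed HTML body; drop the segment at sequence 5040 from `SAMPLE_PACKETS` and `gaps` reports the hole instead. Real captures add what the answers warn about: sequence wraparound, segments that span several HTTP messages, chunked transfer encoding, and pipelined or keep-alive connections, none of which this toy handles.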

Licensed under: CC-BY-SA with attribution