0

I'm working with pcap to monitor HTTP requests and responses. I've set up pcap_loop and I'm getting packets in my callback function, but I don't know how to read the packets' content. This is my callback function:

void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
     printf("%s\n", packet);
}

The output always looks like a series of backslashes, each followed by three numbers:

\200\205\300

I was wondering how I can make the content readable so I can find and process HTTP requests and responses?

UPDATE:

My goal is to read HTTP requests and responses. Is there any proper and neat way to do this?

Abcd Efg
  • 2,146
  • 23
  • 41

2 Answers

4

This is because the output is raw binary data, not an ASCII string, so printf outputs it only until the first 0 byte. To print all readable stuff in the packet, use something like:

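#include <ctype.h>   /* isprint */
#include <stdio.h>   /* putchar */

/* Inside got_packet(): print printable bytes, '.' for everything else. */
for (bpf_u_int32 i = 0; i < header->caplen; ++i) {
    /* isprint() rather than isascii(): isascii() also accepts control bytes */
    if (isprint(packet[i])) {
        putchar(packet[i]);
    } else {
        putchar('.');
    }
}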
Jan Wrobel
  • 6,969
  • 3
  • 37
  • 53
2

Libpcap is going to give you a raw packet, including all headers. You'll need to extract the data you need from it; I suggest casting it to standard structs that represent the packet. Something like:

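#include <arpa/inet.h>      /* ntohs */
#include <net/ethernet.h>   /* struct ether_header, ETHERTYPE_IP */
#include <netinet/in.h>     /* IPPROTO_TCP */
#include <netinet/ip.h>     /* struct ip */
#include <netinet/tcp.h>    /* struct tcphdr */

/* Inside got_packet(). Start with the ether header */
const struct ether_header *ethernet = (const struct ether_header *) packet;

/* Do a couple of checks to see what packet type we have */
if (ntohs(ethernet->ether_type) == ETHERTYPE_IP)
{
    // Cast it to an IP packet struct
    const struct ip *ip_hdr = (const struct ip *)(packet + sizeof(struct ether_header));

    // If TCP...
    if (ip_hdr->ip_p == IPPROTO_TCP)
    {
        // ip_hl counts 32-bit words; sizeof(struct ip) would land inside any IP options.
        // packet_info is the caller's own struct (its definition is not shown).
        packet_info.tcp_hdr = *(const struct tcphdr *)((const char *)ip_hdr + ip_hdr->ip_hl * 4);
        // Work on extracting the actual data for HTTP stuff over here
    }
}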
PherricOxide
  • 15,493
  • 3
  • 28
  • 41
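The header walk from the answer above, carried through to the TCP payload with every offset checked against caplen. This is an added example, not code from either answer. It assumes an Ethernet link type without VLAN tags and IPv4 only; tcp_payload, looks_like_http and sample_frame are hypothetical names, and the sample frame is constructed rather than captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Return the TCP payload of an Ethernet/IPv4/TCP frame, checking every length
 * against caplen (bytes libpcap captured). NULL if not IPv4/TCP or malformed. */
const uint8_t *tcp_payload(const uint8_t *pkt, uint32_t caplen, size_t *out_len)
{
    if (caplen < 14 + 20) return NULL;                      /* Ethernet + minimal IPv4 */
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return NULL;    /* EtherType must be IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                /* IP header length incl. options */
    size_t ip_total = ((size_t)ip[2] << 8) | ip[3];         /* IP total length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return NULL; /* IPv4, sane IHL, TCP */
    if (14 + ihl + 20 > caplen) return NULL;                /* TCP header not captured */
    size_t doff = (size_t)(ip[ihl + 12] >> 4) * 4;          /* TCP data offset incl. options */
    if (doff < 20 || ihl + doff > ip_total) return NULL;
    size_t start = 14 + ihl + doff, end = 14 + ip_total;    /* end excludes Ethernet padding */
    if (end > caplen) end = caplen;                         /* capture cut short by snaplen */
    if (start > end) return NULL;
    *out_len = end - start;
    return pkt + start;
}

/* Heuristic: payload starts with an HTTP/1.x request or status line. */
int looks_like_http(const uint8_t *p, size_t len)
{
    static const char *const pre[] = { "GET ", "POST ", "HEAD ", "PUT ", "HTTP/1." };
    for (size_t i = 0; i < sizeof pre / sizeof pre[0]; i++) {
        size_t n = strlen(pre[i]);
        if (len >= n && memcmp(p, pre[i], n) == 0) return 1;
    }
    return 0;
}

/* Constructed sample frame (not captured traffic); buf needs >= 128 bytes. */
size_t sample_frame(uint8_t *buf)
{
    static const char req[] = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n";
    size_t n = sizeof req - 1, ip_total = 40 + n;   /* IP + TCP headers + data */
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[14] = 0x45; buf[23] = 6;    /* IPv4 EtherType, v4/IHL 5, TCP */
    buf[16] = (uint8_t)(ip_total >> 8); buf[17] = (uint8_t)ip_total;
    buf[46] = 0x50;                                 /* TCP data offset 5 */
    memcpy(buf + 54, req, n);
    return 54 + n;
}
```

In the pcap callback this would be called as tcp_payload(packet, header->caplen, &len). An HTTP message can span several TCP segments, so complete requests and responses need the stream reassembled first.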