0

I am trying to construct HTTP content from packet sniffing using C. Right now, I am able to save all of the packets in a file but I want to get rid of the headers in the first packet. The headers are also being saved because they are a part of the TCP payload. The actual body after the header starts after a double "CR, LF" or "\r\n\r\n" in the HTTP response.

How do I detect "\r\n" so that I can save only the part of the buffer that follows it? The buffer is u_char type. I can't figure out the command. I looked on Google and other places, but I mostly find C# commands - nothing in C.

i am using this function

void strtofcntnt(const u_char * Biffer, int size)
{
unsigned short iphdrlen;
struct iphdr *iph = (struct iphdr *)(Buffer + sizeof(struct ethhdr));
iphdrlen = iph->ihl*4;

struct tcphdr *tcph = (struct tcphdr*)(Buffer + iphdrlen + sizeof(struct ethhdr));

char data[] = *(Buffer);
char rdata[] = strstr(data, "\r\n\r\n");
unsigned int i;
for (i=0;i<=sizeof(data);i++)
{
fprintf(logfile,"%c",(unsigned int)data[i]);
}}

but it gives error in the chara data[] and char rdata[] lines during compiling. error says invalid initializer.

aDi Adam
  • 93
  • 1
  • 1
  • 4
  • Did you even *read* my answer? `strstr` is not going to work on binary data that includes null bytes. Also, use `char* data`. – Jonathon Reinhart Jun 25 '13 at 05:28
  • "I looked on Google" -- Google can help you get an education, but it isn't a substitute for one. Learn a programming language, then write programs in that language, not the other way around (other than programs used as course material). – Jim Balter Jun 25 '13 at 06:25

1 Answers1

6

u_char is not a standard datatype. You should look in the header the defines it, but certainly it is just an unsigned char.

Since the data can have null bytes embedded in it, strstr will not work to find the "\r\n\r\n". You'll have to write some sort of search method:

const char* memsearch(const char* haystack, size_t haystack_len,
                const char* needle, size_t needle_len)
{
    const char* p;

    for (p = haystack; p < (haystack + haystack_len - needle_len); p++) {
        if (memcmp(p, needle, needle_len) == 0)
            return p;
    }
    return NULL;
}
Community
  • 1
  • 1
Jonathon Reinhart
  • 132,704
  • 33
  • 254
  • 328
  • now the problem is when i compile it with gcc it gives error in char data[] line and char rdata[] line as error : invalid initializer – aDi Adam Jun 25 '13 at 05:19
  • Sorry, I can't hold your hand through the entire development process. You asked how to find `"\r\n\r\n"` in binary data, and I provided a solution. I'm not trying to be harsh, that's just the way this site works: clear, concise questions get clear, concise answers. If you have another problem, that you can't solve *after doing research on your own*, then please post another question. – Jonathon Reinhart Jun 25 '13 at 05:22
  • memmem() migh actualy work what i was actually lookin for. Thank u!! – aDi Adam Jun 25 '13 at 09:18