I filter it with "port 80" and start capturing using pcap_loop(phandle,-1,pcap_callback,NULL);

The pcap_callback function:

    void pcap_callback(u_char* user,const struct pcap_pkthdr* header, const u_char* pkt_data){
        /* need at least the Ethernet header and a minimal IP header in the captured bytes */
        if(header->caplen < 14+20)
            return;
        ether_header * eheader=(ether_header*)pkt_data;
        if(eheader->ether_type==htons(ETHERTYPE_IP)){
            ip_header* ih=(ip_header*)(pkt_data+14);
            if(ih->proto==htons(TCP_PROTOCAL)){
                int ip_len=ntohs(ih->tlen);
                /* tlen comes from the packet itself: never read past what was captured */
                if(ip_len>(int)(header->caplen-14))
                    ip_len=(int)(header->caplen-14);
                int find_http=false;
                char* ip_pkt_data=(char*)ih;
                int n=0;
                char buffer[BUFFER_MAX_LENGTH];
                int bufsize=0;
                for(;n<ip_len;n++)
                {
                    /* http get or post request */
                    if(!find_http && ((n+3<ip_len && strncmp(ip_pkt_data+n,"GET",strlen("GET")) ==0 )
                       || (n+4<ip_len && strncmp(ip_pkt_data+n,"POST",strlen("POST")) == 0)) )
                        find_http = true;
                    /* http response */
                    if(!find_http && n+8<ip_len && strncmp(ip_pkt_data+n,"HTTP/1.1",strlen("HTTP/1.1"))==0)
                        find_http = true;
                    /* if http is found; leave room for the terminating '\0' */
                    if(find_http && bufsize<BUFFER_MAX_LENGTH-1)
                    {
                        buffer[bufsize] = ip_pkt_data[n]; /* copy http data to buffer */
                        bufsize ++;
                    }
                }
                /* print http content */
                if(find_http) {
                    buffer[bufsize] = '\0';
                    printf("%s\n", buffer);
                    printf("\n**********************************************\n\n");
                    /* open the file only when there is something to write, so it is always closed */
                    FILE *fp=fopen("1.html","a");
                    if(fp!=NULL){
                        int i=0;
                        char c;
                        for(i=0;i<bufsize;i++)
                        {
                            c=buffer[i];
                            fputc(c,fp);
                        }
                        fclose(fp);
                    }
                }
            }
        }
    }

I ran it and visited Google.com.

It can only print the request/response headers on the screen, sometimes with one or two weird characters (a little box with four numbers (1 or 0) inside). So I store them in an HTML file, but it is still a mess. If I cat 1.html at the shell, the data after the response headers is multiple lines, some of which are shown on a white background and stick together.

If I open it in Emacs, it displays something like this: ^@^@^S\234\252. If I paste them here, they show up differently.

I guess maybe it is a picture or another file like a GIF or something that causes the problem, because sometimes the response headers show Content-Type: image/png.

But when it is Content-Type: text/html; charset=UTF-8, it is also a mess.

Why? And how can I solve it?

Thanks!!
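
A bounds-checked way to find the TCP payload in a captured frame and copy it into a fixed-size buffer so that it is safe to print, given as an added example that is not the poster's code. The function names `tcp_payload`, `copy_printable` and `build_frame` are hypothetical, the frame is assumed to be untagged Ethernet II carrying IPv4, and the sample frame is constructed rather than captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_LEN 14 /* assumption: untagged Ethernet II, as in the post's pkt_data+14 */

/* Locate the TCP payload in a captured frame. Returns NULL unless every
 * length field stays inside the caplen bytes that were actually captured. */
const uint8_t *tcp_payload(const uint8_t *pkt, size_t caplen, size_t *len)
{
    if (caplen < ETH_LEN + 20 || pkt[12] != 0x08 || pkt[13] != 0x00)
        return NULL;                           /* too short, or not IPv4 */
    const uint8_t *ip = pkt + ETH_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;   /* IP header length in bytes */
    size_t tot = ((size_t)ip[2] << 8) | ip[3]; /* total length the sender claims */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6)
        return NULL;                           /* protocol is one byte; 6 = TCP */
    if (tot > caplen - ETH_LEN) tot = caplen - ETH_LEN; /* clamp to captured bytes */
    if (tot < ihl + 20) return NULL;           /* no room for a TCP header */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;  /* TCP header length in bytes */
    if (doff < 20 || ihl + doff > tot) return NULL;
    *len = tot - ihl - doff;
    return tcp + doff;
}

/* Copy payload into dst (capacity cap), truncating to cap-1 bytes and replacing
 * bytes that are not printable ASCII, CR or LF with '.'. Returns the count replaced. */
size_t copy_printable(char *dst, size_t cap, const uint8_t *src, size_t len)
{
    size_t i, replaced = 0;
    if (cap == 0) return 0;
    if (len > cap - 1) len = cap - 1;
    for (i = 0; i < len; i++) {
        int ok = (src[i] >= 0x20 && src[i] < 0x7F) || src[i] == '\r' || src[i] == '\n';
        dst[i] = ok ? (char)src[i] : '.';
        replaced += !ok;
    }
    dst[len] = '\0';
    return replaced;
}

/* Constructed sample frame: Ethernet + 20-byte IPv4 + 20-byte TCP + payload. */
size_t build_frame(uint8_t *out, const void *payload, size_t plen, uint16_t claimed_tot)
{
    memset(out, 0, ETH_LEN + 40);
    out[12] = 0x08; out[13] = 0x00; out[14] = 0x45; out[23] = 6; out[46] = 0x50;
    out[16] = (uint8_t)(claimed_tot >> 8); out[17] = (uint8_t)(claimed_tot & 0xFF);
    memcpy(out + ETH_LEN + 40, payload, plen);
    return ETH_LEN + 40 + plen;
}
```

In a pcap callback the first two arguments of `tcp_payload` would be `pkt_data` and `header->caplen`.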