I'm trying to reconstruct TCP sessions from my pcap files, which contain network packets captured using WinPcap. I have a project which splits the packets into sessions. So far I can read from pcap files and group packets according to their sessions.

What I want to learn is what I should do after these operations. I think that in order to get data from these sessions I have to order the packets according to their sequence numbers. Am I right? Do I need extra operations to construct the TCP session data? How can I know which data is an image, HTML or JavaScript? Any suggestion for a good resource will be much appreciated.

By the way, I'm using SharpPcap and Pcap.Net for splitting packets into TCP sessions. Are these libraries enough for TCP session reconstruction?

Matt Tester
varstas

2 Answers

Pcap.Net already has an HTTP parser, which would probably be enhanced with more features if people would request them.

Regarding TCP reconstruction, you're welcome to vote for this requested feature, I hope to do it in one of the next versions.

TCP reconstruction isn't that trivial, but it would mostly work once you group packets into TCP sessions, order them and remove duplicates. There are still corner cases that need to be handled, which also depend on the quality of the line you receive the packets from.

Once you have a reconstructed stream, you can use Pcap.Net's HttpDatagram to parse it.

Nasreddine
brickner
  • "Once you have a reconstructed stream, you can use Pcap.Net's HttpDatagram to parse it." I couldn't understand this. For example, an image is segmented into 3 packets in a TCP session. Can I get the image from these 3 packets with the help of Pcap.Net's HttpDatagram? I did reconstruct the stream, so can I get an image or HTML file from a TCP session by using just your wrapper? – varstas Nov 02 '11 at 09:08
  • Actually, you should create a new packet with the reconstructed stream as the TCP payload. Then you can do packet.Ethernet.IpV4.Tcp.Http to parse it. – brickner Nov 02 '11 at 18:07
  • I wonder about one more thing, the "Tcp.HttpCollection" property. I don't understand how a TCP packet can have more than 1 HTTP message. Is it for a reconstructed TCP stream? Can I use this property to extract images, HTML, CSS etc.? Can I create a TcpDatagram from multiple TCP packets and then create HTTP datagrams using HttpCollection? Can you explain this property a little? Thank you so much for your help. – varstas Nov 03 '11 at 09:59
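The "group, order, remove duplicates" step from the answer above, written out as an added example. This is not code from the page, from SharpPcap or from Pcap.Net; it works on plain (sequence number, payload) pairs so the reassembly logic is visible without any capture library. It assumes you already know the direction's initial sequence number (the SYN's seq, called `isn` here; if the capture lacks the SYN, pass the first observed seq minus one). Beyond the answer's three steps it also trims partial overlaps, survives the 32-bit sequence wrap, and reports capture gaps rather than silently skipping them, because a parser fed a stream with a hidden hole will mis-attribute bytes.

```python
from dataclasses import dataclass

SEQ_MOD = 1 << 32          # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    seq: int               # sequence number of the first payload byte
    payload: bytes


def seq_offset(seq: int, base: int) -> int:
    """Distance from base to seq, modulo 2**32 (handles the wrap)."""
    return (seq - base) % SEQ_MOD


def reassemble(isn: int, segments):
    """Rebuild one direction of a TCP stream from captured segments.

    isn is that direction's initial sequence number; the first payload byte
    has seq isn + 1. Returns (data, gaps), where gaps lists
    (expected_seq, missing_bytes) for holes in the capture. Bytes after a
    hole are appended without padding, so check gaps before trusting
    offsets into data.
    """
    # Step 1: order by sequence number. The sort is stable, so an exact
    # retransmission lands right after the original and is dropped below.
    ordered = sorted(segments, key=lambda s: seq_offset(s.seq, isn))
    out = bytearray()
    gaps = []
    next_seq = (isn + 1) % SEQ_MOD       # the SYN consumes one sequence number
    for seg in ordered:
        if not seg.payload:
            continue                     # pure ACKs carry no stream bytes
        start = seq_offset(seg.seq, next_seq)
        if start >= SEQ_MOD // 2:
            # Step 2: segment starts before next_seq, i.e. a retransmission.
            # Keep only the tail that extends past what was already delivered.
            already = SEQ_MOD - start
            if already >= len(seg.payload):
                continue                 # exact or fully covered duplicate
            data = seg.payload[already:]
        else:
            if start > 0:
                gaps.append((next_seq, start))   # missing from the capture
            data = seg.payload
        out.extend(data)
        next_seq = (seg.seq + len(seg.payload)) % SEQ_MOD
    return bytes(out), gaps


# Constructed sample: a client request split into segments that arrive out of
# order, with one exact retransmission, one partial overlap and a bare ACK.
ISN = 1000
CLIENT_SEGMENTS = [
    Segment(1001, b"GET / HTTP/1.1\r\n"),          # in order
    Segment(1037, b"\r\n"),                        # arrives early
    Segment(1017, b"Host: example.test\r\n"),      # fills the hole
    Segment(1001, b"GET / HTTP/1.1\r\n"),          # exact retransmission
    Segment(1034, b"t\r\n\r\n"),                   # overlaps 3 delivered bytes
    Segment(1039, b""),                            # bare ACK, no payload
]


def demo():
    """Reassemble the constructed sample; returns (data, gaps)."""
    return reassemble(ISN, CLIENT_SEGMENTS)


if __name__ == "__main__":
    data, gaps = demo()
    print(data.decode("ascii"), gaps)
```

Dropping the `Host:` segment from `CLIENT_SEGMENTS` makes `reassemble` return a gap of `(1017, 17)`, which is the signal that the stream handed to an HTTP parser is incomplete; the two directions of a session are reassembled separately with their own `isn`.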

You basically need to reimplement a TCP/IP stack and an HTTP session parser.

TCP packets need to be reordered and duplicates/invalids removed.

Those packets need to be processed to identify HTTP sessions. Decompression of data and header processing will let you identify the MIME type.

SharpPcap or Pcap.Net alone should work as a foundation for what you want to do. I'm positive SharpPcap can, since I'm the author.

I have a commercial product that works with SharpPcap to do both TCP following and HTTP parsing; contact chmorgan@gmail.com if you are interested in something that has been unit tested and used in other commercial products.

Chris Morgan
  • Thank you so much for your offer and info, but I don't think I have an option like buying a product. After reordering and removing duplicates/invalids, is there much hard work left? Does getting data from these sessions require so much knowledge and time, or have I done most of the work? Hope you answer. Btw, thank you so much for SharpPcap. – varstas Nov 01 '11 at 15:45
  • I think it took me three weeks of work to get everything working well and tested. You still have to implement an HTTP session parser, deflate/gzip decompression etc. If this is for a commercial-related product it probably makes sense to leverage an existing developed product. It was a significant amount of work to get it working well. – Chris Morgan Nov 01 '11 at 16:07
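The "HTTP session parser plus deflate/gzip decompression" stage that both answers describe, as an added example; it is not code from the page, from SharpPcap or from Pcap.Net. It takes one already reassembled server-to-client byte stream and splits it into the HTTP/1.x responses it carries, which is also why a single stream can hold more than one HTTP message (a keep-alive connection, the point behind the `HttpCollection` question above). Message boundaries come from `Content-Length` or chunked transfer encoding, bodies are decompressed according to `Content-Encoding`, and the declared `Content-Type` is cross-checked against a few well-known file signatures, since the header is whatever the server chose to send. The sample stream is constructed inline: a gzip-compressed HTML page followed by a chunked PNG.

```python
import gzip
import zlib

# A few file signatures for cross-checking the declared Content-Type.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]


def sniff(body: bytes):
    """Return the type implied by the body's leading bytes, or None."""
    for sig, mime in MAGIC:
        if body.startswith(sig):
            return mime
    return None


def _read_chunked(stream: bytes, pos: int):
    """Decode a chunked body starting at pos; returns (body, position after it)."""
    body = bytearray()
    while True:
        line_end = stream.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(stream[pos:line_end].split(b";")[0], 16)   # drop chunk extensions
        pos = line_end + 2
        if size == 0:                                         # last chunk, then optional trailers
            if stream.startswith(b"\r\n", pos):
                return bytes(body), pos + 2
            end = stream.find(b"\r\n\r\n", pos)
            if end < 0:
                raise ValueError("truncated trailers")
            return bytes(body), end + 4
        body.extend(stream[pos:pos + size])
        pos += size + 2                                       # chunk data plus its CRLF


def _decode_body(body: bytes, encoding: str) -> bytes:
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        try:
            return zlib.decompress(body)                      # zlib-wrapped, per RFC
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)     # raw deflate, seen in the wild
    return body


def parse_http_responses(stream: bytes):
    """Split a reassembled server->client stream into a list of response dicts."""
    messages = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break                                             # headers cut off by the capture
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        if "content-length" in headers:
            length = int(headers["content-length"])
            body = stream[body_start:body_start + length]
            pos = body_start + length
        elif headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos = _read_chunked(stream, body_start)
        else:
            body, pos = stream[body_start:], len(stream)      # body runs to connection close
        body = _decode_body(body, headers.get("content-encoding", "").lower())
        declared = headers.get("content-type", "").split(";")[0].strip().lower()
        messages.append({"status": status, "content_type": declared,
                         "body": body, "sniffed": sniff(body)})
    return messages


def build_sample_stream() -> bytes:
    """Constructed keep-alive stream: gzip HTML response, then a chunked PNG."""
    html = b"<html><body>hello</body></html>"
    gz = gzip.compress(html)
    r1 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
          b"Content-Encoding: gzip\r\nContent-Length: " + str(len(gz)).encode()
          + b"\r\n\r\n" + gz)
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8                  # signature plus filler bytes
    r2 = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"8\r\n" + png[:8] + b"\r\n8\r\n" + png[8:] + b"\r\n0\r\n\r\n")
    return r1 + r2


if __name__ == "__main__":
    for msg in parse_http_responses(build_sample_stream()):
        print(msg["status"], msg["content_type"], msg["sniffed"], len(msg["body"]))
```

When `content_type` and `sniffed` disagree for an image or the declared type is missing, treat the signature as the more reliable indicator of what the bytes are; the decompressed `body` is what you would write out as the recovered HTML, script or image file.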