Reconstructing data from PCAP sniff

挽巷 2021-02-01 09:40

I am trying to sniff HTTP data through libpcap and get all the http contents (header+payload) after processing the TCP payload.

As per my discussion at Writing an http s

5 answers
  •  旧巷少年郎
    2021-02-01 09:49

    It's really pretty simple. Just take the ethernet frames that you get from pcap and extract the IP packets from them, reassembling any that were fragmented. Then, reorder the TCP segments from the IP packets, according to the sequence numbers, paying attention that you discard any duplicate data. Then, process the stream as an HTTP stream. Of course, HTTP doesn't come in packets; it is an application layer protocol, but I'm sure this will be obvious once you've done all this other work. Pay attention as you do all these things to checksum the IP headers and TCP segments, to ensure that your data is correct. Also, if pcap happens to miss any packets, make sure you deal with this appropriately.

    To help you along, the Linux TCP stack should provide a concise reference to this process as it occurs in the kernel.
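The middle step of the answer above, reordering TCP segments by sequence number and discarding duplicate or overlapping bytes, as an added C example that is not part of the original answer. It assumes the Ethernet/IP layers have already been stripped (the `struct segment` type, `tcp_reassemble`, `reassemble_sample` and the sample capture are all constructed here) and stops at the first hole so that a segment pcap missed shows up as a short result.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One TCP segment after IP reassembly: sequence number plus its payload. */
struct segment { uint32_t seq; const char *data; size_t len; };

/* Rebuild one direction of a TCP byte stream from segments that arrive out of
 * order, duplicated or overlapping. isn is the sequence number of the first
 * payload byte (SYN seq + 1). Copies the longest contiguous prefix into out and
 * returns its length; a result shorter than the expected stream means a hole. */
size_t tcp_reassemble(uint32_t isn, const struct segment *segs, size_t n,
                      unsigned char *out, size_t cap)
{
    size_t filled = 0;
    for (int progress = 1; progress;) {       /* repeat until no segment fits */
        progress = 0;
        for (size_t i = 0; i < n; i++) {
            /* Modular subtraction keeps offsets right across seq wraparound. */
            uint32_t off = segs[i].seq - isn;
            if (off > filled) continue;                 /* hole before it */
            size_t end = off + segs[i].len;
            if (end <= filled) continue;                /* pure retransmit */
            size_t skip = filled - off;                 /* overlapping bytes */
            size_t take = segs[i].len - skip;
            if (take > cap - filled) take = cap - filled;
            if (take == 0) return filled;               /* output buffer full */
            memcpy(out + filled, segs[i].data + skip, take);
            filled += take;
            progress = 1;
        }
    }
    return filled;
}

/* Constructed sample (not from a real pcap): an HTTP request whose segments
 * arrive early, duplicated and overlapping, with an ISN that wraps past 2^32. */
#define ISN 4294967290u
static const struct segment sample[] = {
    { ISN + 20, "/1.1\r\nHost:", 11 },            /* arrives before its data */
    { ISN + 0,  "GET /index", 10 },
    { ISN + 10, ".html HTTP/1", 12 },             /* overlaps the first one */
    { ISN + 0,  "GET /index", 10 },               /* exact duplicate */
    { ISN + 31, " example.com\r\n\r\n", 16 },
};
static unsigned char scratch[128];

/* Reassemble the first nsegs sample segments into scratch; returns bytes. */
size_t reassemble_sample(size_t nsegs, size_t cap)
{
    return tcp_reassemble(ISN, sample, nsegs, scratch, cap);
}

int main(void)
{
    size_t n = reassemble_sample(5, sizeof scratch);
    printf("%zu bytes:\n%.*s", n, (int)n, scratch);
    return 0;
}
```

Dropping the last sample segment (nsegs = 4) yields only 31 bytes, which is how a caller notices that pcap missed a segment.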
