Writing an http sniffer (or any other application level sniffer) [closed]

和自甴很熟 submitted on 2019-12-06 16:03:22
brickner

First, you should know that PCAP gives you packets and will not reconstruct the TCP stream, so you won't be able to read full HTTP TCP streams without first reconstructing the data.

Assuming all the data is available in one packet, try looking at my answer to a similar question. All you need to do differently is parse the HTTP header and get the user agent.

If you don't limit yourself to C, and if you can use Windows, you can write a .NET application and use Pcap.Net to parse Ethernet, IPv4 and TCP perfectly.

Why don't you use a Wireshark Dissector?

There is already a good Pcap wrapper for .net called Pcap.Net - here it is

"Pcap.Net is a .NET wrapper for WinPcap written in C++/CLI and C#. It Features almost all WinPcap features and includes a packet interpretation framework."
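
The point made above, that pcap delivers packets rather than a reconstructed TCP stream, shown as an added C example (not code from any of the answers): a `User-Agent` header split across two segments is missed when each packet is parsed alone and found once payloads are placed by sequence number. The names `struct stream`, `stream_add`, `stream_contiguous` and `find_user_agent` are hypothetical, the request bytes are constructed, and the Ethernet/IPv4/TCP headers are assumed to be parsed already so that each segment arrives as a sequence number plus payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define STREAM_MAX 4096
/* One direction of one TCP connection; isn is the sequence number of its first payload byte. */
struct stream { uint32_t isn; uint8_t buf[STREAM_MAX]; uint8_t seen[STREAM_MAX]; };
/* Place a segment's payload at its offset in the stream; segments may arrive out of order. */
static int stream_add(struct stream *s, uint32_t seq, const uint8_t *data, size_t len) {
    uint32_t off = seq - s->isn;                 /* unsigned math survives sequence wraparound */
    if (off > STREAM_MAX || len > STREAM_MAX - off) return -1;   /* never write past the buffer */
    memcpy(s->buf + off, data, len);
    memset(s->seen + off, 1, len);
    return 0;
}
/* Length of the hole-free prefix: only these bytes are safe to hand to the HTTP parser. */
static size_t stream_contiguous(const struct stream *s) {
    size_t n = 0;
    while (n < STREAM_MAX && s->seen[n]) n++;
    return n;
}
/* Copy the value of a complete User-Agent header line into out; return 1 if found, else 0. */
static int find_user_agent(const uint8_t *buf, size_t len, char *out, size_t outlen) {
    static const char name[] = "\r\nUser-Agent:";
    size_t nlen = sizeof name - 1;
    for (size_t i = 0; i + nlen <= len; i++) {
        if (strncasecmp((const char *)buf + i, name, nlen) != 0) continue;
        size_t v = i + nlen;
        while (v < len && buf[v] == ' ') v++;    /* skip optional whitespace before the value */
        for (size_t e = v; e + 1 < len; e++) {
            if (buf[e] != '\r' || buf[e + 1] != '\n') continue;
            size_t n = e - v < outlen - 1 ? e - v : outlen - 1;
            memcpy(out, buf + v, n);
            out[n] = '\0';
            return 1;
        }
        return 0;                                /* header began, but its end is in a later segment */
    }
    return 0;
}
/* Constructed sample: one GET request split across two TCP segments in mid-header. */
static const char SEG1[] = "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo-cl";
static const char SEG2[] = "ient/1.0\r\nAccept: */*\r\n\r\n";
int main(void) {
    static struct stream s = { .isn = 1000 };
    char ua[128];
    uint32_t n1 = (uint32_t)strlen(SEG1);
    printf("segment 1 alone: %d\n", find_user_agent((const uint8_t *)SEG1, n1, ua, sizeof ua));
    stream_add(&s, 1000 + n1, (const uint8_t *)SEG2, strlen(SEG2));   /* later segment first */
    stream_add(&s, 1000, (const uint8_t *)SEG1, n1);
    if (find_user_agent(s.buf, stream_contiguous(&s), ua, sizeof ua)) printf("reassembled: %s\n", ua);
    return 0;
}
```

A real sniffer would keep one such buffer per connection direction and also handle retransmissions and connection teardown, which this example leaves out.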
