Reconstructing a TCP Session Using WinPcap

I am trying to restore TCP sessions from my pcap files, which contain network packets captured using WinPcap. I have a project that breaks packets into sessions. So far, I can read pcap files and group packets according to their sessions.

What I want to know is what I should do after this operation. I think that in order to get data from these sessions, I must order these packets according to their serial numbers. Am I right? Are additional operations needed to create the TCP session data? How do I find out whether the data is an image, HTML or JavaScript? Any suggestion of a good resource would be greatly appreciated.

By the way, I use SharpPcap and Pcap.Net to split packets into TCP sessions. Are these libraries enough to restore a TCP session?

+1
2 answers

Pcap.Net already has an HTTP parser, which is likely to be expanded with more features if people request them.

Regarding TCP recovery, you can vote for this feature request; I hope to do so in one of the next versions.

Reconstructing TCP is not so trivial, but it will mainly work after grouping packets into TCP sessions, ordering them and removing duplicates. There are also corner cases that need to be handled, which also depends on the quality of the line from which you receive the packets.

, Pcap.Net HttpDatagram .

+2
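The ordering and de-duplication step described in the answer above, as an added example that is not part of the original post or of either library. `TcpReassembler`, `Reassemble` and the sample segments are hypothetical; it assumes the packets are already grouped into one direction of one session and that the SYN's sequence number is known.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

static class TcpReassembler   // hypothetical helper, not a SharpPcap/Pcap.Net type
{
    // Rebuilds ONE direction of a session. isn is the sequence number of that
    // direction's SYN, so the first payload byte has sequence number isn + 1.
    public static (byte[] Data, bool Gap) Reassemble(
        uint isn, IEnumerable<(uint Seq, byte[] Payload)> segments)
    {
        var stream = new List<byte>();
        // Unchecked uint subtraction yields the offset from the ISN and stays
        // correct when the 32-bit sequence number wraps around.
        var ordered = segments.Where(s => s.Payload.Length > 0)
                              .OrderBy(s => unchecked(s.Seq - isn - 1));
        foreach (var s in ordered)
        {
            long offset = unchecked(s.Seq - isn - 1);
            if (offset > stream.Count)
                return (stream.ToArray(), true);      // hole: a segment was not captured
            int seen = (int)(stream.Count - offset);  // bytes already present
            // Retransmissions and overlaps: keep the bytes already placed. Real TCP
            // stacks differ in which copy they keep when the bytes disagree.
            if (seen < s.Payload.Length)
                stream.AddRange(s.Payload.Skip(seen));
        }
        return (stream.ToArray(), false);
    }
}

static class Demo
{
    static void Main()
    {
        uint isn = 0xFFFFFFF0;   // constructed so the stream crosses the 2^32 wrap
        uint At(uint off) => unchecked(isn + 1 + off);
        byte[] B(string s) => Encoding.ASCII.GetBytes(s);
        var captured = new (uint Seq, byte[] Payload)[]   // constructed, out of order
        {
            (At(16), B("Host: example.test\r\n\r\n")),
            (At(0),  B("GET / HTTP/1.1\r\n")),
            (At(0),  B("GET / HTTP/1.1\r\n")),             // retransmission
            (At(11), B("1.1\r\nHost: ex")),                // partial overlap
        };
        var (data, gap) = TcpReassembler.Reassemble(isn, captured);
        Console.WriteLine($"gap={gap}, {data.Length} bytes");
        Console.Write(Encoding.ASCII.GetString(data));
    }
}
```

When `Gap` is true the returned bytes end at the first missing segment, so anything parsed from them (an HTTP body, for instance) should be treated as truncated.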

tcp/ip http.

Tcp /.

http-. mime.

Sharppcap pcapdotnet , . , , .

, sharppcap tcp http parsing, chmorgan@gmail.com, -, .

-1

Source: https://habr.com/ru/post/1784468/

