On 2010-10-26 14:13, Guy Harris wrote:
> On Oct 25, 2010, at 8:46 PM, 刘昆 wrote:
>> In fact, all I need to print is just the URL or IP address in the
>> payload. I think the URL or IP address should be printable?
> The URL should be printable.
> The IP address, if you mean the IP address in the IP header, is *NOT* printable; in an IP datagram, it's encoded as 4 octets for an IPv4 address and 16 octets for an IPv6 address. If, instead, you mean the host name in the URL or in the Host: header, that is printable.
>> So can I fetch the URL to print? And how?
> What *exactly* is it that you're trying to do? You might be able to do what you want with TShark and the "-e" option - the URI in a request is the field named "http.request.uri". The IP source address is the field named "ip.src" or "ipv6.src", and the IP destination address is the field named "ip.dst" or "ipv6.dst". The host name in the "Host:" header is the field named "http.host" (*IF* the packet has a "Host:" header).
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
I'm sorry. I think I didn't express my meaning correctly.
In fact, I want to write a program to filter certain URLs or IP addresses in
the packet, not in the header, just as when we use a proxy to
access a website: the real URL is not in the header, but in the packet.
And I found that tvb->real_data may be the payload, and when I use gdb
to print it (command: "print tvb->real_data"), I get a string
shown on the terminal:
"const guint8 *) 0x8b53042 "GET http://www.baidu.com/
HTTP/1.1\r\nHost:
www.baidu.com\r\nUser-Agent:
Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.9.2.11) Gecko/20101013 Linux Mint/9 (Isadora)
Firefox/3.6.11\r\nAccept: text/html,applic"...
We can see "www.baidu.com" displayed. And the string
"www.baidu.com" is just what I need, I mean by programming. As long as I get
the string "www.baidu.com", I can program some matching work
with some data in the database.
At first, I thought "tvb->real_data" was just a string. So I wanted to
print this string as a test, to see if I could get the same result as the gdb print,
by using "printf("%s/n",tvb->real_data);" in the function
dissect_http. But I failed.
So now I don't know how to use tvb->real_data to get the URL just as
gdb prints "GET http://www.baidu.com........". But now that gdb can print
"tvb->real_data" as a string or printable text on the terminal, I
think I should fetch the data in "tvb->real_data" just as gdb
prints it. As long as I get the string just as gdb prints it, "GET
http://www.baidu.com ....................", I can filter the URL
"www.baidu.com" and then do the matching work with the data in the database.
I think I have expressed my meaning clearly.
So what should I do to fetch the data in "tvb->real_data" by
programming, just as gdb prints it like a string? Then I can do the
filtering and matching work.
Thank you very much
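
Added example (not part of the original thread, and not Wireshark code): packet data is a byte buffer with an explicit length and no guaranteed NUL terminator, so the request URI and the Host: value have to be located with bounded searches and copied out before they can be used as C strings. The function names and the sample buffer are assumptions made for this sketch; it takes a plain pointer and length as a stand-in for the dissector's tvbuff data.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy n bytes into out as a C string; -1 if they do not fit. */
static int copy_out(const unsigned char *s, size_t n, char *out, size_t outsz) {
    if (n + 1 > outsz) return -1;
    memcpy(out, s, n);
    out[n] = '\0';
    return (int)n;
}

/* Request target from the first line; via a proxy it is an absolute URL. */
int http_request_uri(const unsigned char *buf, size_t len, char *out, size_t outsz) {
    const unsigned char *eol = memchr(buf, '\n', len), *sp1, *sp2;
    if (!eol || !(sp1 = memchr(buf, ' ', (size_t)(eol - buf)))) return -1;
    if (!(sp2 = memchr(sp1 + 1, ' ', (size_t)(eol - sp1 - 1)))) return -1;
    return copy_out(sp1 + 1, (size_t)(sp2 - sp1 - 1), out, outsz);
}

/* Value of the Host: header; -1 if absent or if its line is cut off. */
int http_host(const unsigned char *buf, size_t len, char *out, size_t outsz) {
    size_t pos = 0;
    while (pos < len) {
        const unsigned char *p = buf + pos, *nl = memchr(p, '\n', len - pos);
        size_t n;
        if (!nl) break;                     /* incomplete line: do not match on it */
        n = (size_t)(nl - p); pos += n + 1;
        if (n > 0 && p[n - 1] == '\r') n--;
        if (n == 0) break;                  /* blank line ends the headers */
        if (n < 5 || tolower(p[0]) != 'h' || tolower(p[1]) != 'o' ||
            tolower(p[2]) != 's' || tolower(p[3]) != 't' || p[4] != ':') continue;
        for (p += 5, n -= 5; n > 0 && (*p == ' ' || *p == '\t'); p++, n--) {}
        while (n > 0 && (p[n - 1] == ' ' || p[n - 1] == '\t')) n--;
        return copy_out(p, n, out, outsz);
    }
    return -1;
}

/* Constructed sample modelled on the gdb output; "XXXX" stands for memory past the packet. */
static const unsigned char sample[] = "GET http://www.baidu.com/ HTTP/1.1\r\n"
    "Host: www.baidu.com\r\nUser-Agent: Mozilla/5.0\r\n\r\nXXXX";
#define SAMPLE_LEN (sizeof sample - 5)      /* drop "XXXX" and the literal's NUL */

int main(void) {
    char uri[256], host[256];
    if (http_request_uri(sample, SAMPLE_LEN, uri, sizeof uri) >= 0) printf("uri=%s\n", uri);
    if (http_host(sample, SAMPLE_LEN, host, sizeof host) >= 0) printf("host=%s\n", host);
    return 0;
}
```

A request whose Host: line has not fully arrived in the buffer (for example, headers split across TCP segments) yields -1 rather than a partial host name, so a truncated value is never matched against the database.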