July 2016

Get raw http requests from pcap file

Hi,
I need to do the following: load pcap file, read packets, retrieve HTTP requests and do something useful with it. I need pure HTTP without TCP and IP headers, and ofcourse I want to skip all this TCP/IP stuff as ACK,FIN etc.
my question is if the jnetpcap is up to this task? is there any tutorials/examples how I can achieve the above?

Unable to fetch payload from TCP packet featuring TCP Segmentation Offloading

Hello.

I have written some code to fetch payloads from TCP packets. This has worked fine for one PCAP recording, but it seems there is a problem when encountering packets featuring TCP Segmentation Offloading / Large Segment Offloading.

My problem sounds very similar to one raised 2 years ago on http://jnetpcap.com/?q=node/1225 but that thread was locked with a comment confirming the bug and the "promise" of a fix but nothing else. I just want to check if this is still a current issue, and/or if there are any potential workarounds.

I also tried to use the Payload class but setHeader() returns false.

Here's some cut down code:

Ip4 ip = new Ip4();
Tcp tcp = new Tcp();

Pcap pcap = Pcap.openOffline(pcapFile, errbuf);

PcapBpfProgram program = new PcapBpfProgram();
int optimize = 0;         // 0 = false  
int netmask = 0xFFFFFF00; // 255.255.255.0  

if (pcap.compile(program, filterExpression, optimize, netmask) != Pcap.OK) {  
	System.err.println(pcap.getErr());  
	return null;
}

if (pcap.setFilter(program) != Pcap.OK) {  
	System.err.println(pcap.getErr());  
	return null;         
}  

JPacketHandler handler = new JPacketHandler() {

	@Override
	public void nextPacket(JPacket packet, String str) {
		if (packet.hasHeader(ip)) {
			if (packet.hasHeader(tcp)) {
				// snipped packet handling code. This returns false, despite the packet containing TCP header + payload.
			}
		}

Not sure if it is related, but when debugging, the 'tcp' object's 'packet' is actually not the same as the one passed into nextPacket().