0
votes

Greetings,

How is it possible to determine, from packets captured using sharppcap, whether a packet is an HTTP packet or not?

And can we determine from TCP packets whether the packet is HTTP or not?

3 Answers

3
votes

According to RFC 2616, Hypertext Transfer Protocol -- HTTP/1.1:

The version of an HTTP message is indicated by an HTTP-Version field in the first line of the message

So, you could inspect packets and scan for the HTTP version text in message headers, and/or other known fields of the HTTP protocol. Although this method may not be 100% accurate if a message is broken up into multiple packets, it would probably be good enough, at least as a first cut.

2
votes

I am the author/maintainer of sharppcap/packet.net.

I have a few classes that perform tcp reassembly and http parsing that are in use in a complex network monitoring app to identify and follow http sessions. These are fully unit tested and well commented.

They are available for licensing either at the binary or source level.

Edit: Why vote this down? It took hundreds of hours to develop the code and tests and it's a drop in solution that has been reused. It's certainly worth considering before re-implementing the same functionality.

1
votes

It sounds like you're looking at a single TCP fragment. If that came from the beginning of a message, it will have an HTTP version in the first line, but if you're just pulling random packets off the network and hoping to be able to tell they're HTTP you're out of luck - there is nothing in the TCP fragments which indicates what is in them. The only way to know would be to look at the whole conversation.
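The following is an added example, not code from the question, from any of the answers, or from the SharpPcap/Packet.Net project. It shows in Python, over constructed Ethernet/IPv4/TCP frames rather than a live SharpPcap capture, the two points made in the answers above: the first answer's check for an HTTP request-line or status-line at the start of a TCP payload, and the last answer's point that a segment taken from the middle of a conversation carries nothing that identifies it as HTTP, so the flow has to be tracked from the segment that does. The frames, addresses and ports below are constructed sample data; the frame builder leaves checksums at zero and assumes a plain Ethernet link layer with no VLAN tag or IP options beyond what the IHL field says. With SharpPcap the same check would be run on the TCP payload bytes that Packet.Net hands back for each captured packet.

```python
import re
import struct
from ipaddress import IPv4Address

# Start-line patterns from RFC 2616 section 4.1:
#   Request-Line = Method SP Request-URI SP HTTP-Version CRLF
#   Status-Line  = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] [1-5]\d\d [^\r\n]*\r\n")


def looks_like_http_start(payload: bytes) -> bool:
    """True if the TCP payload begins with an HTTP/1.x request or status line.

    This is the per-packet heuristic from the first answer: it only fires on
    the segment that carries the first line of a message.
    """
    return bool(REQUEST_LINE.match(payload) or STATUS_LINE.match(payload))


def parse_ethernet_ipv4_tcp(frame: bytes):
    """Return ((src, sport, dst, dport), tcp_payload) or None if not IPv4/TCP."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20:  # protocol 6 = TCP
        return None
    src = str(IPv4Address(ip[12:16]))
    dst = str(IPv4Address(ip[16:20]))
    tcp = ip[ihl:total_len]  # total_len drops any Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), tcp[data_off:]


def build_frame(src, sport, dst, dport, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for sample data (checksums zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    eth_hdr = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


class HttpFlowClassifier:
    """Classify TCP packets as HTTP using the conversation they belong to.

    A flow is marked HTTP once one of its segments starts with a request or
    status line; later segments of that flow (the rest of a long request, the
    body of a response) are then recognised through the flow table. A segment
    from a flow whose start was never seen stays "unknown", which is the
    situation the last answer describes.
    """

    def __init__(self):
        self.http_flows = set()

    def classify(self, frame: bytes) -> str:
        parsed = parse_ethernet_ipv4_tcp(frame)
        if parsed is None:
            return "not-tcp"
        key, payload = parsed
        # Order the two endpoints so both directions map to the same flow key.
        flow = tuple(sorted([key[:2], key[2:]]))
        if payload and looks_like_http_start(payload):
            self.http_flows.add(flow)
            return "http"
        if flow in self.http_flows:
            return "http (continuation)"
        return "unknown"


def classify_all(frames) -> list:
    clf = HttpFlowClassifier()
    return [clf.classify(f) for f in frames]


# Constructed sample traffic (not a real capture): a GET split across two
# segments, its response, and a mid-stream segment from a flow we never saw start.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n"
SAMPLE_FRAMES = [
    build_frame("10.0.0.2", 40000, "10.0.0.1", 80, REQUEST[:30]),
    build_frame("10.0.0.2", 40000, "10.0.0.1", 80, REQUEST[30:]),
    build_frame("10.0.0.1", 80, "10.0.0.2", 40000,
                b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nhi"),
    build_frame("10.0.0.3", 50000, "10.0.0.1", 80,
                b"Content-Type: text/html\r\n\r\n<html>"),
]

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, classify_all(SAMPLE_FRAMES)):
        key, payload = parse_ethernet_ipv4_tcp(frame)
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {verdict:20s} {payload[:24]!r}")
```

The second sample segment contains only header bytes and would be missed by the start-line check on its own; it is tagged because the flow was already seen to begin with a request line. The fourth segment looks like HTTP to a human but is left as "unknown", since nothing in it (or in its TCP header) proves it, which is the reason the last answer gives for following the whole conversation rather than judging isolated segments.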