
I have '.pcap' files that were generated by Tcpdump. I have been looking for a way with PHP to read data in the files. I have tried several methods available, but the only thing I was able to see was that there were some number of packets with a timestamp against each packet. I tried to read further but it was all in some binary.

Just wanted to ask if anyone out there has experience with packet capture. Would be great help.

I have tried these methods so far: https://github.com/zobo/php-pcap https://code.google.com/a/eclipselabs.org/p/php-pcap-analyzer/ and http://systemsarchitect.net/parsing-binary-data-in-php-on-an-example-with-the-pcap-format/ http://systemsarchitect.net/

Thanks in advance :)

Steffen Ullrich: It is not clear what you are trying to achieve. Do you want simply access to an IP or TCP or UDP payload, want to follow TCP streams or want to extract application information?

Ankit Vij: Hi Steffen, I am trying to read what was communicated over the internet by any computer or mobile which has internet access. The communication goes through the device which has Tcpdump. I can assume that the output was captured by Tcpdump, it is because the size of output changes when I myself surf the internet on any device.

Ankit Vij: Just to add more info: I used PHP's unpack function and now I can see the packets in the form of '.raw' and '.seq' files.

Steffen Ullrich: tcpdump captures data from various network layers. If you want to have the raw data just stripping the pcap-container is probably enough. But then you are confronted with IP, UDP, TCP, ICMP... packets, that is all the binary stuff you complain about. If you don't want this you have to ask a more specific question which includes what kind of information you exactly want to have.

Ankit Vij: Can I know from the packets what was sent as a request and what was received as a response? For example if I can see which URLs were hit. And if I can see an encrypted password.

1 Answer


I was able to see HTTP requests from my client machine to the internet by using PHP's unpack() function and fread() combined. The libraries mentioned above are also useful to retrieve other information, for example the IP addresses of client and server machines with timestamps.

But I wasn't able to read the responses. That is because the data returned from internet servers to the remote client is encrypted and PHP is not a good technology to retrieve this data.
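The fread()/unpack() approach the answer describes, carried through as an added example (this is not the asker's or answerer's code, nor one of the linked libraries): it walks the libpcap global header and per-record headers, then the Ethernet, IPv4 and TCP headers, and lists only segments that start with an HTTP request line. It assumes link type 1 (Ethernet) and IPv4/TCP; make_sample_pcap() writes a constructed one-packet capture so the script runs without a real .pcap.

```php
<?php
// Added example: read a libpcap (.pcap) file with fread()/unpack() and list HTTP request
// lines. Assumes link type 1 (Ethernet) and IPv4/TCP; the sample capture is constructed data.
function parse_pcap(string $path): array {
    $fh = fopen($path, 'rb');
    if ($fh === false) { throw new RuntimeException("cannot open $path"); }
    $hdr = fread($fh, 24);                                  // 24-byte global header
    $magic = strlen($hdr) === 24 ? unpack('Vm', $hdr)['m'] : 0;
    $e = $magic === 0xa1b2c3d4 ? 'V' : ($magic === 0xd4c3b2a1 ? 'N' : null); // file endianness
    if ($e === null) { throw new RuntimeException('not a libpcap file'); }
    if (unpack("{$e}lt", substr($hdr, 20, 4))['lt'] !== 1) { throw new RuntimeException('not Ethernet'); }
    $requests = [];
    while (($ph = fread($fh, 16)) !== false && strlen($ph) === 16) {
        $p = unpack("{$e}sec/{$e}usec/{$e}incl/{$e}orig", $ph); // 16-byte record header
        if ($p['incl'] === 0) { continue; }
        $f = fread($fh, $p['incl']);
        if (strlen($f) < $p['incl']) { break; }             // truncated file
        if (strlen($f) < 34 || unpack('nt', substr($f, 12, 2))['t'] !== 0x0800) { continue; } // IPv4 only
        if (ord($f[23]) !== 6) { continue; }                 // IP protocol 6 = TCP
        $ihl = (ord($f[14]) & 0x0f) * 4;                    // IPv4 header length
        $ip = unpack('Nsrc/Ndst', substr($f, 26, 8));
        $t = 14 + $ihl;                                     // TCP header offset
        if (strlen($f) < $t + 20) { continue; }
        $tcp = unpack('nsport/ndport', substr($f, $t, 4));
        $payload = substr($f, $t + (ord($f[$t + 12]) >> 4) * 4); // skip TCP header + options
        // keep only segments that begin with an HTTP request line
        if (!preg_match('#^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n#', $payload, $m)) { continue; }
        $host = preg_match('/^Host: (.+?)\r?$/mi', $payload, $h) ? $h[1] : '?';
        $requests[] = sprintf('%d.%06d %s:%d -> %s:%d %s http://%s%s', $p['sec'], $p['usec'],
            long2ip($ip['src']), $tcp['sport'], long2ip($ip['dst']), $tcp['dport'], $m[1], $host, $m[2]);
    }
    fclose($fh);
    return $requests;
}
// Writes a one-packet little-endian pcap holding a plain HTTP GET (constructed sample data).
function make_sample_pcap(string $path): void {
    $payload = "GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n";
    $tcp = pack('nnNNCCnnn', 40000, 80, 1, 1, 0x50, 0x18, 65535, 0, 0);   // 20-byte TCP header, PSH|ACK
    $ip  = pack('CCnnnCCnNN', 0x45, 0, 40 + strlen($payload), 1, 0x4000, 64, 6, 0,
                ip2long('192.0.2.10'), ip2long('203.0.113.5'));            // 20-byte IPv4 header
    $eth = pack('H*', '001122334455' . '66778899aabb') . pack('n', 0x0800); // dst, src, EtherType IPv4
    $frame = $eth . $ip . $tcp . $payload;
    $data = pack('VvvVVVV', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)             // global header, link type 1
          . pack('VVVV', 1700000000, 123456, strlen($frame), strlen($frame)) . $frame;
    file_put_contents($path, $data);
}
$path = $argv[1] ?? sys_get_temp_dir() . '/sample.pcap';  // a real capture, or the constructed one
if (!isset($argv[1])) { make_sample_pcap($path); }
foreach (parse_pcap($path) as $line) { echo $line, "\n"; }
```

Only the request side of plaintext HTTP is recoverable this way; TLS-protected traffic shows up as opaque TCP payload, which is the limitation the answer ran into.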