Intercept everything uploaded with the HTTP POST method, that is, text and files.
With Wireshark this is very convenient. First use a capture filter expression (i.e. a libpcap filter):
tcp port 80 and src host 192.168.1.100
192.168.1.100 is the local machine's IP. After collecting a large batch of packets, use the Wireshark analysis (display) filter:
tcp.stream eq 0
tcp.stream eq 1
tcp.stream eq 2
...
Filtering this way yields all the packets that my side sent to the peer on one TCP connection,
for example the following 3 TCP connections:
192.168.1.100:2544 <-> 113.108.225.6:80 (tcp.stream eq 0)
192.168.1.100:2545 <-> 113.108.225.6:80 (tcp.stream eq 1)
192.168.1.100:2556 <-> 220.181.15.149:80 (tcp.stream eq 2)
At that point the Follow TCP Stream feature shows the complete, reassembled content of the HTTP POST upload.
Very convenient.
Now I need to implement this on an embedded board. I can't install Wireshark on the board and then look at things with a keyboard and mouse.
libpcap can be ported to the target board and can capture packets. But how to process those packets once they are captured is the problem.
Can anyone suggest an agile development approach?
8 replies
#1
1 Decode Ethernet
2 Decode IP
3 Build a TCP control block that records the current connection, sequence numbers, etc.
4 Parse HTTP and record the POST uploads.
#2
An embedded board... what a sophisticated operating system. See what it provides that can be used for packet capture.
#3
Is there a library that can be used? Look at how much software there is in the world; some programmer must already have written open-source software for this.
I just can't find it.
I think there should be no need to reinvent the wheel.
#4
This is probably hard to find; it's the kind of thing people make money from!
#5
Does anyone know?
A program that captures HTTP POST?
The Linux network monitoring program NTOP doesn't meet the requirement.
#6
Wireshark is open source, but I don't know which files the filter module lives in.
Nor do I know which file Follow TCP Stream is in.
Does anyone know?
#7
Step one:
Capture filter expression (i.e. a libpcap filter):
tcp port 80 and src host 192.168.1.100
Save to a file.
Step two:
Open the capture file and apply the Wireshark display filter
http.request.method == "POST"
to get the filtered POST streams.
Step three:
Use Follow TCP Stream on each row to get the complete reassembled data.
-----------------------------
I now know that Wireshark's internal analysis is done by the tshark program.
#tshark -help
TShark 1.6.0rc2 (SVN Rev Unknown from unknown)
Dump and analyze network traffic.
See http://www.wireshark.org for more information.
Copyright 1998-2011 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Usage: tshark [options] ...
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-I capture in monitor mode, if available
-B <buffer size> size of kernel buffer (def: 1MB)
-y <link type> link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r <infile> set the filename to read from (no pipes or stdin!)
Processing:
-R <read filter> packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mntC"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
Output:
-w <outfile|-> write packets to a pcap-format file named "outfile"
(or to the standard output for "-")
-C <config profile> start with specified configuration profile
-F <output file type> set the output file type, default is libpcap
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-O <protocols> Only show packet details of these protocols, comma
separated
-S display packets even when writing to a file
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|text|fields
format of text output (def: text)
-e <field> field to print if -Tfields selected (e.g. tcp.port);
this option can be repeated to print multiple fields
-E<fieldsoption>=<value> set options for output when -Tfields selected:
header=y|n switch headers on and off
separator=/t|/s|<char> select tab, space, printable character as separator
occurrence=f|l|a print first, last or all occurrences of each field
aggregator=,|/s|<char> select comma, space, printable character as
aggregator
quote=d|s|n select double, single, no quotes for values
-t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
-u s|hms output format of seconds (def: s: seconds)
-l flush standard output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-X <key>:<value> eXtension options, see the man page for details
-z <statistics> various statistics, see the man page for details
Miscellaneous:
-h display this help and exit
-v display version info and exit
-o <name>:<value> ... override preference setting
-K <keytab> keytab file to use for kerberos decryption
-G [report] dump one of several available reports and exit
default report="fields"
use "-G ?" for more help
Using -R "http.request.method == \"POST\"" filters on the POST method.
I just don't know which parameter corresponds to the Follow TCP Stream feature.
Also, I found that after -R "http.request.method == \"POST\"" the saved file contains only the packets that contain the POST string; the content following POST cannot be seen. In Wireshark, Follow TCP Stream can show it.
Anyone?
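Added example (not code from this thread or from Wireshark) that implements the four-step pipeline from reply #1 and addresses the problem in reply #7, where filtering on the frame that carries "POST" keeps only that one segment: the body has to be rebuilt from every segment of the connection, which is what Follow TCP Stream does. The list of raw frames stands in for what a libpcap callback hands you on the board; it is written in Python for clarity, the board code would be C. The IPs are the ones from the thread; the path /upload, host example.test, ports, sequence numbers and the payload are constructed for the example.

```python
"""Client->server TCP stream reassembly and HTTP POST extraction.
Added example, not code from the original thread. Assumes IPv4 over untagged
Ethernet, ignores checksums and TCP sequence wrap-around, and handles
Content-Length bodies only (no chunked transfer encoding)."""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

def parse_tcp_segment(frame):
    """Ethernet -> IPv4 -> TCP; returns (src, sport, dst, dport, seq, payload) or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len:
        return None                              # not TCP, or truncated capture
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]                      # total_len drops Ethernet padding
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4                # skips any TCP options
    return src, sport, dst, dport, seq, tcp[data_off:]

def reassemble_streams(frames, client_ip):
    """Per-connection control block: group client_ip's segments by 4-tuple, order
    them by sequence number, drop retransmitted overlap and concatenate the payload."""
    segments = defaultdict(dict)                 # 4-tuple -> {seq: payload}
    for frame in frames:
        parsed = parse_tcp_segment(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, seq, payload = parsed
        if src == client_ip and payload:
            segments[(src, sport, dst, dport)].setdefault(seq, payload)
    streams = {}
    for key, by_seq in segments.items():
        buf, expected = bytearray(), None
        for seq in sorted(by_seq):
            payload = by_seq[seq]
            if expected is not None and seq < expected:
                payload = payload[expected - seq:]   # partial overlap: keep the new tail
                seq = expected
            buf += payload                       # a hole (seq > expected) is not flagged
            expected = seq + len(payload)
        streams[key] = bytes(buf)
    return streams

def extract_posts(stream):
    """Walk the requests in one client->server stream and return the POSTs as
    (request_line, headers, body); the body length is taken from Content-Length."""
    posts, pos = [], 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        if lines[0].startswith("POST "):
            posts.append((lines[0], headers, body))
        pos = end + 4 + length
    return posts

# ---- constructed sample capture (synthetic, not real traffic) ----
CLIENT, SERVER = "192.168.1.100", "113.108.225.6"
POST_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Type: text/plain\r\nContent-Length: 17\r\n\r\nhello from board\n")

def build_frame(src, sport, dst, dport, seq, payload):
    """Ethernet + IPv4 + TCP with zeroed checksums (the parser above does not check them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def demo():
    """One POST split over three segments, delivered out of order and with a
    retransmission, plus a server reply and a GET on a second connection."""
    p = [POST_REQUEST[:30], POST_REQUEST[30:70], POST_REQUEST[70:]]
    frames = [
        build_frame(CLIENT, 2544, SERVER, 80, 1030, p[1]),
        build_frame(CLIENT, 2544, SERVER, 80, 1070, p[2]),
        build_frame(SERVER, 80, CLIENT, 2544, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
        build_frame(CLIENT, 2544, SERVER, 80, 1000, p[0]),
        build_frame(CLIENT, 2544, SERVER, 80, 1030, p[1]),   # retransmission
        build_frame(CLIENT, 2545, SERVER, 80, 7000, b"GET / HTTP/1.1\r\nHost: h\r\n\r\n"),
    ]
    streams = reassemble_streams(frames, CLIENT)
    return {key: extract_posts(data) for key, data in streams.items()}
```

Calling demo() returns one POST with its full 17-byte body for the 2544 connection and nothing for the 2545 connection. The observation in reply #7 is explained by how a display filter works: -R selects individual frames, and -w writes only the raw bytes of the frames that matched, so the other segments of the connection are never saved. Current tshark releases also expose the Follow TCP Stream output on the command line as -z follow,tcp,ascii,<stream index> (run with -q against the capture file).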
#8
The OP's analysis is excellent.