So depending on how fool-proof your tool must be, this could be a simple solution to your problem. Any packet that have the same pattern at the start of the packet will be seen as URL (think of a webpage containing an example of a http request).URL's that are too large to fit one TCP segment will not be extracted.URL's in requests that do not start at a packet boundery will not be extracted.In short, anything between "GET " and " HTTP/1.", "POST " and " HTTP/1." or "HEAD " and " HTTP/1." (watch the spaces) will be your URL and should be quite easy to extract. Finally, will be "1.0" or "1.1" currently.
The should always start with "/" and will not contain spaces. Look for the methods in which you're interested.
When parsing the payload, look for a pattern like " HTTP/" at the start of each TCP payload. If you're just interested in the URL's and you assume that each HTTP request is generating a new TCP packet (which usually is true, but the nature of TCP does not make this a necessity) and you assume that the requested URL will fit in one TCP segment (which is not true for networks with small MTU's and large request URL's), then you can skip all reassembly and just parse each TCP packet on it's own. As has said, there is a lot of work being done by different parts of Wireshark before the URL is extracted.
0 kommentar(er)
