Detect and examine HTTP packets.
Functions
bool examine (Flow &flow, const Myra::PktInfo &info)
    Examine a packet for HTTP, and mark the flow if found.
bool examine_port (Flow &flow, const Myra::PktInfo &info)
    Port based exam for HTTP and HTTPS.
bool Myra::Traffic::HTTP::examine (Myra::Flow &flow, const Myra::PktInfo &info)
Examine a packet for HTTP, and mark the flow if found.
Returns
    true if this exam needs to be called again for the given flow
    false if this exam never needs to be called again
Unlike most other traffic exams, this one will continue to be called even after the flow has been identified so it can continue to extract URLs from any keep-alive connections.
Plain text (usually port 80) HTTP requests look like this:
-> flow #2376685098650096535: Unknown+FlowStart+IP+IPv4+TCP: 10.0.1.3:57936->209.52.189.88:80
-> flow #2376685098650096535: TCP payload: number of bytes: 256
 0: 47 45 54 20 2f 63 68 72 6f 6d 65 2f 70 72 6f 66 69 6c 65 5f 61 76 61 74 61 72 73 2f 61 76 61 74 - GET /chrome/profile_avatars/avat
20: 61 72 5f 67 65 6e 65 72 69 63 2e 70 6e 67 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 - ar_generic.png HTTP/1.1..Host: w
40: 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 6b 65 65 70 - ww.gstatic.com..Connection: keep
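A payload check of the kind described above, as an added example that is not Myra's own code: it recognises an HTTP/1.x request line at the start of a TCP payload and builds the URL from the request target and the Host header, skipping a header line cut off at the packet boundary as in the dump. `HttpRequest`, `kDumpPayload`, `istarts_with` and `parse_http_request` are names assumed for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical result type for this example; not part of Myra.
struct HttpRequest {
    std::string method, target, host;
    std::string url() const { return "http://" + host + target; }
};

// Start of the payload in the dump above, decoded from its hex bytes.
static const std::string kDumpPayload =
    "GET /chrome/profile_avatars/avatar_generic.png HTTP/1.1\r\n"
    "Host: www.gstatic.com\r\nConnection: keep";

// Case-insensitive prefix test; HTTP header names are case-insensitive.
static bool istarts_with(const std::string &s, const std::string &p) {
    if (s.size() < p.size()) return false;
    for (std::size_t i = 0; i < p.size(); ++i)
        if (std::tolower((unsigned char)s[i]) != std::tolower((unsigned char)p[i])) return false;
    return true;
}

// True if payload starts with "<METHOD> <target> HTTP/1.x\r\n"; fills req.
bool parse_http_request(const std::string &payload, HttpRequest &req) {
    static const char *const methods[] = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"};
    const std::size_t eol = payload.find("\r\n");
    if (eol == std::string::npos) return false;  // request line incomplete
    const std::string line = payload.substr(0, eol);
    const std::size_t sp1 = line.find(' '), sp2 = line.rfind(' ');
    if (sp1 == std::string::npos || sp2 <= sp1 + 1) return false;
    const std::string method = line.substr(0, sp1), version = line.substr(sp2 + 1);
    if (std::find(std::begin(methods), std::end(methods), method) == std::end(methods)) return false;
    if (version != "HTTP/1.0" && version != "HTTP/1.1") return false;
    const std::string target = line.substr(sp1 + 1, sp2 - sp1 - 1);
    for (unsigned char c : target)  // no spaces or control bytes: safe to log
        if (c <= 0x20 || c == 0x7f) return false;
    req = HttpRequest{method, target, ""};
    // Walk complete header lines; a line cut off at the packet boundary is skipped.
    for (std::size_t pos = eol + 2; pos < payload.size();) {
        const std::size_t end = payload.find("\r\n", pos);
        if (end == std::string::npos || end == pos) break;  // truncated, or end of headers
        const std::string h = payload.substr(pos, end - pos);
        if (istarts_with(h, "host:"))
            req.host = h.substr(std::min(h.find_first_not_of(" \t", 5), h.size()));
        pos = end + 2;
    }
    return true;
}
```

Because the check reads the payload rather than the port, it can be applied to each later request on a keep-alive connection.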
bool Myra::Traffic::HTTP::examine_port (Flow &flow, const Myra::PktInfo &info)
Port based exam for HTTP and HTTPS.
This is a port-based exam. Look for ports 80, 8080, or 443.