tcpdump and http

 
 
RicK_Murphy
Guest
Posts: n/a

 
      09-11-2008, 10:35 AM
Hi guys

I'm not an expert in TCP/IP, and I'm sorry for my mistakes and for my bad English.

My question is:
Is it possible to understand the type of traffic by reading a file created with the -w
option of tcpdump?

My interest is capturing HTTP traffic.

When I open the file with Wireshark, it writes HTTP in a column, but I don't
know if it writes HTTP because the port is 80 or because it understands that it
really is HTTP traffic, independent of the port number.

Thanks in advance

--
Riccardo (http://termitano.myminicity.com, visit and, if you like, take part
at http://www.iltermitano.it/)

A computer is like an air conditioner,
it stops working when you open Windows.
Registered Linux user #457776
 
 
 
 
 
RicK_Murphy
Guest
Posts: n/a

 
      09-13-2008, 07:42 AM
Maxwell Lol wrote:


> Yes. Make sure the slice is set to the maximum packet size otherwise
> the packet will be truncated.


Yes, I know, I do it this way.

But my question is: how does Wireshark understand that the packet is HTTP?

If I open the file with Java, which field do I read to say: this packet
payload is HTTP traffic?


Thanks a lot

--
Riccardo (http://termitano.myminicity.com, visit and, if you like, take part
at http://www.iltermitano.it/)

A computer is like an air conditioner,
it stops working when you open Windows.
Registered Linux user #457776
 
 
goarilla@work
Guest
Posts: n/a

 
      09-17-2008, 01:23 PM
RicK_Murphy wrote:
> Maxwell Lol wrote:
>
>> Yes. Make sure the slice is set to the maximum packet size otherwise
>> the packet will be truncated.
>
> Yes, I know, I do it this way.
>
> But my question is: how does Wireshark understand that the packet is HTTP?
>
> If I open the file with Java, which field do I read to say: this packet
> payload is HTTP traffic?
>
> Thanks a lot
>


Wireshark's HTTP/web dissectors parse the layer 5 protocol.
If there is a GET, HEAD or POST request and the port is 80 or 443,
it's probably HTTP.

http://www.codeproject.com/KB/IP/custom_dissector.aspx

With HTTP this is easy, since HTTP is a standard and is defined
in its RFC: http://www.faqs.org/rfcs/rfc2616.html
 
 
RicK_Murphy
Guest
Posts: n/a

 
      09-17-2008, 03:47 PM

> Wireshark's HTTP/web dissectors parse the layer 5 protocol.
> If there is a GET, HEAD or POST request and the port is 80 or 443,
> it's probably HTTP.
>
> http://www.codeproject.com/KB/IP/custom_dissector.aspx
>
> With HTTP this is easy, since HTTP is a standard and is defined
> in its RFC: http://www.faqs.org/rfcs/rfc2616.html


Thanks

--
Riccardo (http://termitano.myminicity.com, visit and, if you like, take part
at http://www.iltermitano.it/)

A computer is like an air conditioner,
it stops working when you open Windows.
Registered Linux user #457776
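
The payload check discussed in this thread, as an added example that is not part of any post: it walks a classic pcap file as written by `tcpdump -w`, takes the TCP payload of each packet, and tests whether it begins with an RFC 2616 request line or status line, ignoring the port numbers. The function names and the sample capture are constructed for illustration; the sketch assumes Ethernet and IPv4 framing and does no TCP stream reassembly.

```python
import re
import struct

# RFC 2616 request line or status line at the start of the TCP payload.
HTTP_START = re.compile(
    rb"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
    rb"|HTTP/1\.[01] \d{3} ")

def tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) per IPv4/TCP packet of a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    pos = 24  # the global header is 24 bytes; each record header is 16
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]  # IP total length drops padding
        if ip[9] != 6 or len(tcp) < 20:
            continue  # not TCP, or header cut off by a short snaplen
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield sport, dport, tcp[(tcp[12] >> 4) * 4:]

def classify(pcap):
    """Return [(src_port, dst_port, is_http)] for each segment that carries data."""
    return [(s, d, bool(HTTP_START.match(p))) for s, d, p in tcp_payloads(pcap) if p]

def build_frame(sport, dport, payload):
    """Constructed sample frame: Ethernet/IPv4/TCP with checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap():
    """Constructed capture: HTTP on port 8080, SSH banner on port 80, HTTP reply."""
    frames = [build_frame(40000, 8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
              build_frame(40001, 80, b"SSH-2.0-OpenSSH_5.1\r\n"),
              build_frame(80, 40002, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(classify(sample_pcap()))
```

A capture taken with a short snaplen can cut the request line off, in which case the segment is reported as not HTTP. Only the segment that starts a message matches, since later segments of the same body carry no request or status line.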
 