This post was last edited by linuxchyu on 2013-06-04 13:44.
I have recently been working on capturing and analysing HTTP request packets. First, the capture and analysis output (my tool is written in C on top of libpcap):

**** *****1: 21:11:27 cap len :1514 **** ****
frag : 0x4000 // flags field of the corresponding IP packet
data length :1460 // length of the TCP data segment; the data field rendered as characters follows:
POST /aj/mblog/add?_wv=5&__rnd=1370178687496 HTTP/1.1
Host: weibo.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20121121 Firefox/10.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://weibo.com/u/2948108023?wvr=5&wvr=5&lf=reg
Content-Length: 100
Cookie: __utma=15428400.2100457009.1357316613.1357316613.1357316613.1; __utmz=15428400.1357316613.1.1.utmcsr=blog.sina.com.cn|utmccn=(referral)|utmcmd=referral|utmcct=/s/blog_86fe5b440100uni3.html; UOR=www.sina.com.cn,weibo.com,www.sina.com.cn; SINAGLOBAL=790171170880.6036.1370174363284; ULV=1370174363524:1:1:1:790171170880.6036.1370174363284:; ALF=1372766390; un=linuxchyu@sina.com; wvr=5; SinaRot_wb_r_topic=38; USRUG=usrmdins1540_24; _s_tentry=www.sina.com.cn; Apache=790171170880.6036.1370174363284; USRHAWB=usrmdins540_96; SUE=es%3Dc3adf336a31c0ee65023772a769a60cf%26ev%3Dv1%26es2%3D889111db824299fda73c6d0055de9600%26rs0%3DClD8mrOWsCZnFYSL8kTv2aVIVmRRV7xT2UWXM3uGgQPXtcP4P0LlhztuA5zBwLUUkQOVaBSJreyg6pLmHBjbZsN%252BdgREjcIAcUU0ozXyXHgmOA5DPbG2w5wb30jObcprOAS0AiZcWCkO75oS6eW1qm6F9lLd3SDWso8QEXu%252Fsfg%253D%26rv%3D0; SUP=cv%3D1%26bt%3D1370174391%26et%3D1370260791%26d%3Dc909%26i%3D5df2%26us%3D1%26vf%3D0%26vt%3D0%26ac%3D0%26st%3D0%26uid%3D2948108023%2

**** *****2: 21:11:27 cap len :427 **** ****
frag : 0x4000 // flags field of the corresponding IP packet
data length :373 // length of the TCP data segment; the data field rendered as characters follows:
6user%3Dlinuxchyu.%252A%252A%26ag%3D9%26name%3Dlinuxchyu%2540sina.com%26nick%3D%25E8%2583%259C%25E5%25AF%2592%26fmp%3D%26lcp%3D; SUS=SID-2948108023-1370174391-GZ-rufv3-d826802439e42d1599021a9c28e68649; SSOLoginState=1370174391
Pragma: no-cache
Cache-Control: no-cache

text=6666666666666666&pic_id=&rank=0&rankid=&_surl=&hottopicid=628&location=home&module=stissue&_t=0
Analysing these two packets shows that a single HTTP request was split into two packets for sending, yet the IP MF flag of the first packet was not set. On what basis can the data fields of these two packets be merged? In other words, how can one tell that the two packets above actually belong to the same HTTP request? I also know that when the same HTTP request is captured with Wireshark, the capture shows the merged packet. What does Wireshark rely on to merge these two separate packets?

I have found the direction for solving this: it is in fact TCP session reassembly, and the next step is to implement TCP session reassembly.
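The reassembly direction the post arrives at, as an added example in C (not the poster's libpcap tool): segments already grouped by their TCP 4-tuple are stitched together in sequence-number order, and the HTTP request is declared complete once the header block is terminated and Content-Length bytes of body have arrived. The names struct segment, tcp_reassemble and http_request_complete are chosen here and are assumptions, not anything from the original post.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* One TCP segment of a single flow; the caller has already grouped segments by
 * their 4-tuple (src IP, src port, dst IP, dst port). Constructed type. */
struct segment { uint32_t seq; const char *data; size_t len; };

static int by_seq(const void *a, const void *b) {
    uint32_t x = ((const struct segment *)a)->seq, y = ((const struct segment *)b)->seq;
    return (x > y) - (x < y);
}

/* Stitch segments into one byte stream in sequence-number order. Handles
 * out-of-order arrival and retransmitted (overlapping) data. Returns the
 * number of bytes produced, or -1 on a gap (a segment was never captured)
 * or when out is too small. 32-bit sequence wraparound is not handled. */
long tcp_reassemble(struct segment *segs, size_t n, char *out, size_t cap) {
    if (n == 0) return 0;
    qsort(segs, n, sizeof *segs, by_seq);
    uint32_t next = segs[0].seq;            /* next expected sequence number */
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].seq > next) return -1;  /* hole before this segment */
        uint32_t end = segs[i].seq + (uint32_t)segs[i].len;
        if (end <= next) continue;          /* pure retransmission, nothing new */
        size_t skip = next - segs[i].seq;   /* bytes already delivered */
        size_t fresh = segs[i].len - skip;
        if (total + fresh > cap) return -1;
        memcpy(out + total, segs[i].data + skip, fresh);
        total += fresh;
        next = end;
    }
    return (long)total;
}

/* Is the reassembled stream one complete HTTP request? The header block must
 * end with an empty line and the body must hold at least Content-Length bytes
 * (0 if absent). Case-sensitive header lookup; chunked encoding not handled. */
int http_request_complete(const char *buf, size_t len) {
    char tmp[4096];
    if (len >= sizeof tmp) return 0;
    memcpy(tmp, buf, len); tmp[len] = '\0';
    const char *hdr_end = strstr(tmp, "\r\n\r\n");
    if (!hdr_end) return 0;                  /* headers still incomplete */
    size_t body = len - (size_t)(hdr_end + 4 - tmp);
    const char *cl = strstr(tmp, "Content-Length:");
    long want = (cl && cl < hdr_end) ? strtol(cl + 15, NULL, 10) : 0;
    return want >= 0 && body >= (size_t)want;
}
```

In the poster's capture the first segment alone would fail http_request_complete because its body is shorter than the declared Content-Length, and only after the second segment is appended does the check succeed.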