strange characters in packets

Posted 2019-07-24 15:45

Question:

I'm writing a sniffer for HTTP packets with libpcap. Sometimes, when printing the content of the HTTP payload, I get strange characters. Do you know what they could be?

*xNT:���3�@�"P#1u`��$%S{M��

or

�~�tsE��}>a�����}/���`�▒�A�y

Thanks for the answers.

If the header is in plain text, then the problem is my code.

Anyway, can a POST request be encoded in base64?

Answer 1:

In utils_http.c you have the following function:

static int handle_tcp(const struct tcphdr *tcp, int len)
{
  char buf[PCAP_SNAPLEN];
  memcpy(buf, tcp + 1, len - sizeof(*tcp));
  DEBUG("DANY TCPDs tcp string: %s",buf);
  if (0 == handle_http(buf, len - sizeof(*tcp)))
    return 0;
  return 1;
}

This is making the assumption that the TCP payload always starts 20 bytes after the beginning of the TCP header (always 20 because sizeof(*tcp) == 20). This doesn't take into account any TCP options. If you receive a packet with TCP options (which are very common), handle_http() will have the binary-encoded TCP options at the beginning of its buffer, which might be what you're seeing.

Try something like this instead:

static int handle_tcp(const struct tcphdr *tcp, int len)
{
  char buf[PCAP_SNAPLEN];
  int hdrlen = tcp->doff * 4;          /* data offset is in 32-bit words and includes the options */
  if (hdrlen < (int)sizeof(*tcp) || hdrlen > len || len - hdrlen > (int)sizeof(buf))
    return 1;                          /* malformed or truncated segment: never compute a negative length */
  memcpy(buf, (const char *)tcp + hdrlen, len - hdrlen);   /* cast to char *: arithmetic on void * is a GNU extension */
  DEBUG("DANY TCPDs tcp string: %s",buf);
  if (0 == handle_http(buf, len - hdrlen))
    return 0;
  return 1;
}

Or better yet, I have no idea why you're constantly making dozens of copies of your buffer every chance you get. You can just pass pointers around, unless I'm missing something:

static int handle_tcp(const struct tcphdr *tcp, int len) {
  int hdrlen = tcp->doff * 4;          /* header length including options */
  if (hdrlen < (int)sizeof(*tcp) || hdrlen > len)
    return 1;                          /* malformed or truncated segment */
  return handle_http((const char *)tcp + hdrlen, len - hdrlen);
}
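A self-contained illustration of the point made in Answer 1, added here and not part of the original question or answer: a constructed TCP segment carrying NOP and Timestamps options is parsed once with the fixed 20-byte offset and once with the Data Offset field. The header length is read straight from the raw bytes (the high nibble of byte 12) rather than through struct tcphdr, so it does not depend on the platform's header definition; the sample bytes, the function names and the 37-byte HTTP request are all constructed for this example. It also adds the check the answer's snippet leaves out: a header whose doff claims more bytes than the segment holds is rejected instead of yielding a negative payload length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_MIN_HDR 20   /* TCP header with no options */

/*
 * Find the TCP payload from the Data Offset field: the high nibble of byte 12
 * gives the header length in 32-bit words (5..15, i.e. 20..60 bytes), options
 * included. Returns NULL if the segment is shorter than the header it claims.
 */
static const uint8_t *tcp_payload(const uint8_t *tcp, size_t len, size_t *payload_len)
{
    if (len < TCP_MIN_HDR)
        return NULL;
    size_t hdr_len = (size_t)(tcp[12] >> 4) * 4;
    if (hdr_len < TCP_MIN_HDR || hdr_len > len)   /* doff < 5 is invalid; options truncated */
        return NULL;
    *payload_len = len - hdr_len;
    return tcp + hdr_len;
}

/* The assumption from the question: payload always at offset 20. */
static const uint8_t *tcp_payload_fixed20(const uint8_t *tcp, size_t len, size_t *payload_len)
{
    if (len < TCP_MIN_HDR)
        return NULL;
    *payload_len = len - TCP_MIN_HDR;
    return tcp + TCP_MIN_HDR;
}

/*
 * Constructed sample segment (not a real capture): base header with doff = 8
 * (32-byte header), 12 bytes of options (NOP, NOP, Timestamps), then HTTP.
 */
static const uint8_t SAMPLE_WITH_OPTIONS[] = {
    0xcb, 0x20, 0x00, 0x50,                /* src port 52000, dst port 80 */
    0x00, 0x00, 0x10, 0x00,                /* sequence number */
    0x00, 0x00, 0x20, 0x00,                /* acknowledgement number */
    0x80, 0x18,                            /* doff = 8 (high nibble), flags PSH|ACK */
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00,    /* window, checksum, urgent pointer */
    0x01, 0x01, 0x08, 0x0a,                /* NOP, NOP, Timestamps (kind 8, len 10) */
    0x00, 0x01, 0x02, 0x03,                /* TSval */
    0x00, 0x00, 0x00, 0x00,                /* TSecr */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','1','\r','\n',
    'H','o','s','t',':',' ','e','x','a','m','p','l','e','.','c','o','m','\r','\n','\r','\n'
};

typedef const uint8_t *(*payload_fn)(const uint8_t *, size_t, size_t *);

/* 1 if the payload located by parse starts with "GET ", else 0. */
static int sees_http(payload_fn parse)
{
    size_t n = 0;
    const uint8_t *p = parse(SAMPLE_WITH_OPTIONS, sizeof SAMPLE_WITH_OPTIONS, &n);
    return p != NULL && n >= 4 && memcmp(p, "GET ", 4) == 0;
}

int doff_parser_sees_http(void)    { return sees_http(tcp_payload); }
int fixed20_parser_sees_http(void) { return sees_http(tcp_payload_fixed20); }

/* Payload length the doff-based parser reports for the sample (the HTTP bytes only). */
size_t doff_parser_payload_len(void)
{
    size_t n = 0;
    return tcp_payload(SAMPLE_WITH_OPTIONS, sizeof SAMPLE_WITH_OPTIONS, &n) ? n : 0;
}

/* First byte the fixed-20 parser would hand to handle_http(): the NOP option, not 'G'. */
int fixed20_parser_first_byte(void)
{
    size_t n = 0;
    return tcp_payload_fixed20(SAMPLE_WITH_OPTIONS, sizeof SAMPLE_WITH_OPTIONS, &n)[0];
}

/* A 20-byte segment whose doff claims 60 bytes must be rejected, not read past the end. */
int truncated_header_rejected(void)
{
    uint8_t hdr[TCP_MIN_HDR] = {0};
    size_t n = 0;
    hdr[12] = 0xf0;   /* doff = 15 */
    return tcp_payload(hdr, sizeof hdr, &n) == NULL;
}

int main(void)
{
    size_t n = 0;
    const uint8_t *p = tcp_payload(SAMPLE_WITH_OPTIONS, sizeof SAMPLE_WITH_OPTIONS, &n);
    printf("doff-based payload (%zu bytes): %.*s", n, (int)n, (const char *)p);
    p = tcp_payload_fixed20(SAMPLE_WITH_OPTIONS, sizeof SAMPLE_WITH_OPTIONS, &n);
    printf("fixed-20 'payload' starts: %02x %02x %02x %02x ...\n", p[0], p[1], p[2], p[3]);
    return 0;
}
```

The fixed-20 parser returns the option bytes 01 01 08 0a in front of the request, which is exactly the kind of unprintable prefix the question shows; the doff-based parser returns the 37 bytes of HTTP and nothing else.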


Answer 2:

This is probably binary data that your display font has no characters for. HTTP does not necessarily transport text, it could be images or any other form of raw binary the client requested. Hard to say without seeing the rest of the TCP packet.



Answer 3:

The HTTP header Content-Type should tell you the type of payload. The HTTP headers should also say whether compression is used.

Compare what you get with http://web-sniffer.net/ or use something like Wireshark.
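As an added example illustrating Answers 2 and 3 (not code from the original thread), the functions below read Content-Type and Content-Encoding out of a captured HTTP head, decide whether the body is worth printing as text, and otherwise escape it byte by byte instead of handing raw payload to a %s format. The two responses are constructed inline for the example, and the function names are the example's own; a real sniffer would also have to reassemble the TCP stream before the blank line can be trusted.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test: 1 if the first slen bytes of s begin with prefix. */
static int iprefix(const char *s, size_t slen, const char *prefix)
{
    size_t n = strlen(prefix);
    if (slen < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i])) return 0;
    return 1;
}

/* Length of the HTTP head through the blank line, or 0 if the blank line is not in the buffer. */
static size_t http_head_len(const char *buf, size_t len)
{
    for (size_t i = 0; i + 3 < len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) return i + 4;
    return 0;
}

/* Case-insensitive header lookup; copies the trimmed value into out and returns 1 if found. */
int http_header_value(const char *buf, size_t len, const char *name, char *out, size_t outsz)
{
    size_t head = http_head_len(buf, len), nlen = strlen(name), i = 0;
    while (i + 1 < head && memcmp(buf + i, "\r\n", 2) != 0) i++;   /* skip the request/status line */
    i += 2;
    while (i + 1 < head) {
        size_t eol = i;
        while (eol + 1 < head && memcmp(buf + eol, "\r\n", 2) != 0) eol++;
        if (eol > i + nlen && buf[i + nlen] == ':' && iprefix(buf + i, nlen, name)) {
            size_t v = i + nlen + 1;
            while (v < eol && (buf[v] == ' ' || buf[v] == '\t')) v++;
            size_t vlen = eol - v < outsz ? eol - v : outsz - 1;
            memcpy(out, buf + v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        i = eol + 2;
    }
    return 0;
}

/* 1 when the body is worth printing as text: text/* or JSON, with no Content-Encoding on top of it. */
int http_body_is_text(const char *buf, size_t len)
{
    char val[128];
    if (http_header_value(buf, len, "Content-Encoding", val, sizeof val) && !iprefix(val, strlen(val), "identity"))
        return 0;   /* gzip, deflate, br: opaque bytes until inflated */
    if (!http_header_value(buf, len, "Content-Type", val, sizeof val))
        return 0;   /* no type declared: treat as binary */
    return iprefix(val, strlen(val), "text/") || iprefix(val, strlen(val), "application/json");
}

/* Render raw payload bytes for a log line: printable ASCII as-is, everything else as \xNN. */
size_t escape_payload(const unsigned char *src, size_t n, char *out, size_t outsz)
{
    size_t w = 0;
    for (size_t i = 0; i < n && w + 5 <= outsz; i++) {   /* room for "\xNN" plus the NUL */
        if (src[i] >= 0x20 && src[i] < 0x7f && src[i] != '\\')
            out[w++] = (char)src[i];
        else
            w += (size_t)snprintf(out + w, outsz - w, "\\x%02x", src[i]);
    }
    out[w] = '\0';
    return w;
}

/* Constructed responses (not real captures): a plain HTML body and a gzip-compressed one. */
static const char TEXT_RESP[] =
    "HTTP/1.1 200 OK\r\ncontent-type: text/html; charset=utf-8\r\n\r\n<html>hi</html>";
static const char GZIP_RESP[] =
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n\x1f\x8b\x08\x00";

int text_sample_is_text(void) { return http_body_is_text(TEXT_RESP, sizeof TEXT_RESP - 1); }
int gzip_sample_is_text(void) { return http_body_is_text(GZIP_RESP, sizeof GZIP_RESP - 1); }

const char *text_sample_content_type(void)
{
    static char val[128];
    return http_header_value(TEXT_RESP, sizeof TEXT_RESP - 1, "Content-Type", val, sizeof val) ? val : "";
}

/* The gzip body as it should appear in a log line instead of being fed raw to %s. */
const char *gzip_sample_body_escaped(void)
{
    static char out[64];
    size_t head = http_head_len(GZIP_RESP, sizeof GZIP_RESP - 1);
    escape_payload((const unsigned char *)GZIP_RESP + head, sizeof GZIP_RESP - 1 - head, out, sizeof out);
    return out;
}

int main(void)
{
    printf("text: %d gzip: %d body: %s\n", text_sample_is_text(), gzip_sample_is_text(), gzip_sample_body_escaped());
    return 0;
}
```

Header names are matched case-insensitively because servers emit them in any case; the gzip response is reported as binary even though its Content-Type is text/html, which is the compression case Answer 3 points at.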