On Wed, Feb 20, 2002 at 06:42:23PM +0100, Christian Fleischer wrote:

> I've captured several HTTP streams and want to compare them - is there
> a tool around which supports this?

Nothing I know of that *directly* supports it (i.e., that compares
them), but tcpflow:

http://www.circlemud.org/~jelson/software/tcpflow/

*might* be helpful.

> Or - where can I get some documentation on the libpcap/Ethereal file
> format that is written by default, in order to build a tool that
> extracts TCP streams into separate text files?

It's not documented anywhere except in the source (and in mail messages
I've sent out in the past giving the format; I haven't saved them, but I
should probably write a pcap.{4,5} man page for libpcap giving the
format at some point).

However, if you want to write a program that reads libpcap files, you
can use, well, the libpcap library. "man pcap" documents the API on a
UNIX system with libpcap installed, and the page at

http://netgroup-serv.polito.it/winpcap/docs/pcapman.htm

also has the man page (for WinPcap, but if you ignore the
WinPcap-specific extensions, it also applies to libpcap).

Use "pcap_open_offline()" to open the file; write a routine to be called
for each packet, and use "pcap_loop()" to loop through the capture,
calling your routine for each packet.

A filter expression (with the standard tcpdump, and Ethereal capture
filter, syntax) would let you, for example, have "pcap_open_offline()"
only call your routine for packets with, for example, a TCP source or
destination port of 80 ("tcp port 80").

Note, however, that your routine gets handed raw packet data; you'd have
to parse the link-layer, IPv4/IPv6, and TCP headers yourself.
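As an added example (not code from this thread, from libpcap or from Ethereal), the following Python reads the classic libpcap file format directly instead of going through pcap_open_offline(), then does the "tcp port 80" selection and the Ethernet/IPv4/TCP header parsing the reply says you must do yourself. It assumes the on-disk layout libpcap writes (24-byte global header: magic, version, thiszone, sigfigs, snaplen, linktype; 16-byte record header: ts_sec, ts_usec, caplen, len) and uses a constructed capture embedded inline rather than a real one.

```python
import struct
# Constructed sample (not a real capture): little-endian magic, v2.4, linktype 1 (Ethernet);
# an HTTP request/response pair plus one UDP packet that a "tcp port 80" filter should drop.
def _ipv4_pkt(proto, src, dst, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + l4              # zero MACs, EtherType IPv4

def _tcp(sport, dport, payload):                          # 20-byte header, PSH|ACK, checksum 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _record(pkt, ts_sec):                                 # ts_sec, ts_usec, caplen, len
    return struct.pack("<IIII", ts_sec, 0, len(pkt), len(pkt)) + pkt

SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + _record(_ipv4_pkt(6, "10.0.0.1", "10.0.0.2", _tcp(40000, 80, b"GET / HTTP/1.0\r\n\r\n")), 1)
    + _record(_ipv4_pkt(17, "10.0.0.1", "10.0.0.3", struct.pack("!HHHH", 5353, 5353, 8, 0)), 2)
    + _record(_ipv4_pkt(6, "10.0.0.2", "10.0.0.1", _tcp(80, 40000, b"HTTP/1.0 200 OK\r\n\r\n")), 3))

def pcap_records(data):
    """Yield (linktype, packet bytes) per record; the magic number fixes the byte order."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, caplen, _origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("truncated record")          # refuse rather than read past the end
        yield linktype, data[off:off + caplen]
        off += caplen

def tcp_streams(data, port=80):
    """Map (src, sport, dst, dport) -> payload for TCP packets touching `port`.
    Payloads are joined in capture order; a real tool must reassemble by sequence number."""
    streams = {}
    for linktype, pkt in pcap_records(data):
        if linktype != 1 or len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                      # Ethernet carrying IPv4 only
        ihl, ip_len = (pkt[14] & 0x0F) * 4, struct.unpack("!H", pkt[16:18])[0]
        if pkt[23] != 6 or len(pkt) < 14 + ip_len:
            continue                                      # not TCP, or IP total length exceeds capture
        tcp = pkt[14 + ihl:14 + ip_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        if port in (sport, dport):                        # the "tcp port 80" test
            key = (".".join(map(str, pkt[26:30])), sport, ".".join(map(str, pkt[30:34])), dport)
            streams[key] = streams.get(key, b"") + tcp[(tcp[12] >> 4) * 4:]
    return streams
```

Each key in the returned map is one direction of a connection, so writing each value to its own file gives the per-stream text files the original question asks for; pcapng files (a different magic) are rejected rather than misparsed.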