Ethereal-users: Re: [Ethereal-users] HTTP Dissector & reassembler, tethereal, and mirroring a we

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Mark Grigsby <mark@xxxxxxxxxx>
Date: Thu, 17 Feb 2005 09:02:05 -0800
On Wednesday 16 February 2005 04:18 pm, Jon Passki wrote:
> Hello,
>
> While doing off-line analysis of some HTTP traffic, I would like to
> reconstruct the results back into a webpage.  I understand the GUI
> has the TCP reassembly [1,2,3], plus the HTTP dissector understands
> data such as JPEGs.  What I'd like to do is feed a pcap session
> into tethereal, reconstruct an HTTP session, and have the HTTP
> dissector magically spit out a web page.
>
> To do this seems non-trivial to me, since there might be multiple
> TCP sessions for one web page (e.g. a JPEG download).  So, I'd
> assume a state machine of some sort.  Example: the initial page had
> some image src, so the state machine would check to see if there
> were any HTTP requests for the link.  Then this has the added
> difficulty that time would be the only thing to separate multiple
> downloads of the same file (JPEG Session 1 was 10 seconds later,
> JPEG Session 2 was 60 seconds later, JPEG Session 3 was 120 seconds
> later - use JPEG Session 1).
>
> So, does this functionality exist?  If so, what did I miss in
> reading up on reassembly?  If not, I'd like to put this up on the
> Wishlist.
>
> TIA,
>
You might wish to investigate chaosreader.
http://chaosreader.sourceforge.net/

It is a Perl script that will read the pcap file and present you with all of
the parts you are asking about, and put them in a form that you can view with
a web browser.  A little bit of hacking in the code may be able to produce
your desired output.

Just a thought.

> Jon
>
> [1] http://wiki.ethereal.com/TCP_20Reassembly
> [2] http://www.ethereal.com/docs/user-guide/ChAdvFollowTCPSection.html
> [3] http://www.ethereal.com/docs/user-guide/ChAdvReassemblySection.html

-- 
Mark Grigsby
Network Operations Manager
PCI  (Preferred Communications Inc.)
P.O. Box E Lakeside, OR. 97449
Voice: 800-787-3806
Fax: 1-541-759-3126
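
The time-based matching described in the quoted question, as an added example that is not part of the original thread and is not chaosreader's code: for each image a captured page references, pick the first fetch of that URL made at or after the page request. The `Transaction` record and `resolve_page` are hypothetical names, the transactions are assumed to be already reassembled from the capture, and the sample data is constructed.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin


@dataclass
class Transaction:
    """One reassembled HTTP request/response pair (hypothetical record)."""
    ts: float    # capture time of the request, in seconds
    url: str     # absolute request URL
    body: bytes  # response body after TCP/HTTP reassembly


class ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def resolve_page(page, transactions):
    """Map each <img src> in `page` to the earliest fetch of that URL at or
    after the page request. None means no such fetch is in the capture
    (for example, the browser served the image from its cache)."""
    collector = ImgSrcCollector()
    collector.feed(page.body.decode("utf-8", "replace"))
    resolved = {}
    for src in collector.srcs:
        target = urljoin(page.url, src)  # relative src -> absolute URL
        later = [t for t in transactions if t.url == target and t.ts >= page.ts]
        resolved[src] = min(later, key=lambda t: t.ts) if later else None
    return resolved


# Constructed sample: one page request and four fetches of the same JPEG.
LOGO = "http://example.test/logo.jpg"
PAGE = Transaction(100.0, "http://example.test/index.html",
                   b'<html><img src="logo.jpg"><img src="/missing.png"></html>')
CAPTURE = [
    Transaction(40.0, LOGO, b"earlier visit"),  # before the page: ignored
    PAGE,
    Transaction(110.0, LOGO, b"session 1"),     # 10 s later: chosen
    Transaction(160.0, LOGO, b"session 2"),     # 60 s later
    Transaction(220.0, LOGO, b"session 3"),     # 120 s later
]
```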