On Wednesday 16 February 2005 04:18 pm, Jon Passki wrote:
> Hello,
>
> While doing off-line analysis of some HTTP traffic, I would like to
> reconstruct the results back into a webpage. I understand the GUI
> has the TCP reassembly [1,2,3], plus the HTTP dissector understands
> data such as JPEGs. What I'd like to do is feed a pcap session
> into tethereal, reconstruct an HTTP session, and have the HTTP
> dissector magically spit out a web page.
>
> To do this seems non-trivial to me, since there might be multiple
> TCP sessions for one web page (e.g. a JPEG download). So, I'd
> assume a state machine of some sort. Example: the initial page had
> some image src, so the state machine would check to see if there
> were any HTTP requests for the link. Then this has the added
> difficulty that time would be the only thing to separate multiple
> downloads of the same file (JPEG Session 1 was 10 seconds later,
> JPEG Session 2 was 60 seconds later, JPEG Session 3 was 120 seconds
> later - use JPEG Session 1).
>
> So, does this functionality exist? If so, what did I miss in
> reading up on reassembly? If not, I'd like to put this up on the
> Wishlist.
>
> TIA,
>
You might wish to investigate chaosreader.
http://chaosreader.sourceforge.net/
It is a Perl script that will read the pcap file and present you with all of
the parts you are asking about, and put them in a form that you can view with
a web browser. A little bit of hacking in the code may be able to produce
your desired output.
Just a thought.
> Jon
>
> [1] http://wiki.ethereal.com/TCP_20Reassembly
> [2] http://www.ethereal.com/docs/user-guide/ChAdvFollowTCPSection.html
> [3] http://www.ethereal.com/docs/user-guide/ChAdvReassemblySection.html
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
--
Mark Grigsby
Network Operations Manager
PCI (Preferred Communications Inc.)
P.O. Box E Lakeside, OR. 97449
Voice: 800-787-3806
Fax: 1-541-759-3126
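
The time-based matching described in the quoted question, sketched as an added example that is not part of the original thread and is not code from Ethereal or chaosreader. It assumes the HTTP transactions have already been reassembled from the capture into records; the field names (`ts`, `url`, `session`, `body`) and the sample data are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a page body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def match_resources(page, transactions):
    """Map each image URL referenced by `page` to the first transaction
    for that URL seen at or after the page's own timestamp."""
    collector = ImgSrcCollector()
    collector.feed(page["body"])
    matched = {}
    for src in collector.srcs:
        url = urljoin(page["url"], src)  # resolve relative links
        later = [t for t in transactions
                 if t["url"] == url and t["ts"] >= page["ts"]]
        # Time is the only thing separating repeat downloads of the same
        # file, so keep the earliest one that follows the page.
        matched[url] = min(later, key=lambda t: t["ts"]) if later else None
    return matched


# Constructed sample records (not from a real capture): a page at t=100 and
# the same JPEG fetched before the page and 10, 60 and 120 seconds after it.
JPEG = "http://example.test/img/a.jpg"
PAGE = {"ts": 100.0, "url": "http://example.test/index.html",
        "body": '<html><img src="img/a.jpg"><img src="/missing.png"></html>'}
TRANSACTIONS = [
    {"ts": 40.0, "url": JPEG, "session": 0},
    {"ts": 220.0, "url": JPEG, "session": 3},
    {"ts": 110.0, "url": JPEG, "session": 1},
    {"ts": 160.0, "url": JPEG, "session": 2},
]

if __name__ == "__main__":
    for url, txn in match_resources(PAGE, TRANSACTIONS).items():
        print(url, "->", txn["session"] if txn else "not in capture")
```

An image that was never requested in the capture (for example, one served from the browser cache) maps to `None` rather than to an unrelated earlier download.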