This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how the function dissect_http works?

i want to do some data mining work on some key fields of the network packets, then I have downloaded the sourcecode of wireshark-1.6.4,and try to use tshark to analyze some packets.but i need to do some change or just define a new struct to store my own variables,i have to find out where is the field i need and copy their value to my own variables.

in the dissect_http function, there are two paths, one is for proxied connection, another is dissect_http_message, in the dissect_http_message, HTTP headers struct is defined, and assigned some initial value (such as 0 and etc) but i didn't see the assignment process from a real packet value, if i want to find the HTTP content-type of the packet, where is the final position from which i can copy value,could you give me some help?

there is a related question, if i want to get the HTTP content,where should i get it?

i am desperately need your answer.thank you!

dissect_http

This question is marked "community wiki".

asked 13 Nov '12, 02:36

rodman
1●3●3●2
accept rate: 0%

edited 13 Nov '12, 16:55

Guy Harris ♦♦
17.4k●3●35●196

One Answer:

in the dissect_http function, there are two paths, one is for proxied connection, another is dissect_http_message, in the dissect_http_message, HTTP headers struct is defined, and assigned some initial value (such as 0 and etc) but i didn't see the assignment process from a real packet value

dissect_http calls process_header, passing it a pointer to the header structure; process_header fills that structure in.

if i want to find the HTTP content-type of the packet, where is the final position from which i can copy value

The content_type member of the HTTP headers struct.

if i want to get the HTTP content,where should i get it?

You'd have to write your own code to handle that; it's not easy to get.

answered 13 Nov '12, 19:22

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%

Infact, i have also noticed the process_header function,but in the code, there is a
if(is_request_or_reply){...} else{...process_header...} sentence,i wonder if the process_header maynot be called,then where to get the header info?

(13 Nov '12, 21:52) rodman

is_request_or_reply is a variable and it contains the return value of is_http_request_or_reply(), which just checks if there is a typical sign for a request (GET,POST,etc.) or a repsonse (200 OK) in the currently processed data. If there is none, that part of the HTTP request/response has already been processed and everything after that must be the HTTP headers. So for the first "line" of the HTTP request (e.g. "GET / HTTP/1.1") the first part of the if clause will be executed. For all remaining "lines" of the HTTP request (e.g. "Host: www.xxx.xxx", "Content-Type: text/html") the else part of the if clause will be executed, which calls process_header().

(14 Nov '12, 07:50) Kurt Knochner ♦