wireshark-dev October 2010 archive

Re: [Wireshark-dev] I want to print the string tvb->real_data on the ubuntu terminal

From: 刘昆 <liukunmeister_at_nospam>
Date: Tue Oct 26 2010 - 14:43:38 GMT
To: Developer support list for Wireshark <wireshark-dev@wireshark.org>

On 2010-10-26 14:13, Guy Harris wrote:
> On Oct 25, 2010, at 8:46 PM, 刘昆 wrote:
>> In fact, all I need to print is just the URL or IP address in the
>> payload. I think the URL or IP address should be printable?
> The URL should be printable.
> The IP address, if you mean the IP address in the IP header, is *NOT* printable; in an IP datagram, it's encoded as 4 octets for an IPv4 address and 16 octets for an IPv6 address. If, instead, you mean the host name in the URL or in the Host: header, that is printable.
>> So can I fetch the URL to print? And how?
> What *exactly* is it that you're trying to do? You might be able to do what you want with TShark and the "-e" option - the URI in a request is the field named "http.request.uri". The IP source address is the field named "ip.src" or "ipv6.src", and the IP destination address is the field named "ip.dst" or "ipv6.dst". The host name in the "Host:" header is the field named "http.host" (*IF* the packet has a "Host:" header).
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list<wireshark-dev@wireshark.org>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe
I'm sorry. I think I didn't express my meaning correctly.
In fact, I want to write a program to filter certain URLs or IP addresses in
the packet but *not the header*, just as when we use a proxy to access a
website: the real URL is not in the header, but in the packet.
And when I found that tvb->real_data may be the payload, I used gdb to
print it (command: "print tvb->real_data"), and then I got a string shown on
the terminal:

"const guint8 *) 0x8b53042 "GET http://www.baidu.com/ HTTP/1.1\r\nHost:
www.baidu.com\r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
rv: Gecko/20101013 Linux Mint/9 (Isadora)
Firefox/3.6.11\r\nAccept: text/html,applic"...

We can see "www.baidu.com" displayed. And the string "www.baidu.com"
is just what I need, I mean by programming. As long as I get the string
"www.baidu.com", I can program some matching work against some
data in the database.

At first, I thought "tvb->real_data" was just a string. So I wanted to print
this string as a test, to see if I could get the same result as the gdb print, by
using "printf("%s/n",tvb->real_data);" in the function dissect_http.
But I failed.

So now, I don't know how to use tvb->real_data to get the URL just as gdb
prints "GET http://www.baidu.com........". But now that gdb can print
"tvb->real_data" as a string or printable text on the terminal, I think
I should fetch the data in "tvb->real_data" just as gdb prints it. As
long as I get the string just as gdb prints it, "GET
http://www.baidu.com ....................", I can filter the URL
"www.baidu.com" and then do the matching work with the data in the database.

I think I have expressed my meaning clearly.

So what should I do to fetch the data in "tvb->real_data" by
programming, just as gdb prints it like a string? Then I can do the
filtering and matching work.

Thank you very much

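An added example, not part of the original message and not Wireshark code: packet bytes such as those behind tvb->real_data are a pointer plus a length with no terminating NUL, so "%s" cannot be used on them directly. The sketch below pulls the host name out of an HTTP request using only length-bounded reads; the function names are hypothetical, and it assumes the caller supplies the buffer and its length (in a dissector, from the tvbuff accessors).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bounded search: offset of needle in data[0..len), or -1. Never reads past len. */
static long find_bytes(const unsigned char *data, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(data + i, needle, n) == 0)
            return (long)i;
    return -1;
}

/* Copy host-name characters from data[start] into out, lowercased and NUL-terminated.
 * Stops at the first non-host byte (':', '/', CR, ...) or at len.
 * Returns the host length, or 0 if it is empty or would not fit (no silent truncation). */
static size_t copy_host(const unsigned char *data, size_t len, size_t start,
                        char *out, size_t outlen)
{
    size_t n = 0;
    for (; start < len; start++) {
        unsigned char c = data[start];
        if (!(isalnum(c) || c == '.' || c == '-'))
            break;
        if (n + 1 >= outlen) { out[0] = '\0'; return 0; }
        out[n++] = (char)tolower(c);
    }
    out[n] = '\0';
    return n;
}

/* Hypothetical helper: host from a proxy-style absolute URI on the request line,
 * else from a header spelled exactly "Host:". Returns 1 on success, 0 otherwise. */
int extract_http_host(const unsigned char *data, size_t len, char *out, size_t outlen)
{
    long eol, pos;
    if (outlen == 0) return 0;
    out[0] = '\0';
    eol = find_bytes(data, len, "\r\n");
    if (eol < 0) eol = (long)len;            /* request line cut short by the capture */
    pos = find_bytes(data, (size_t)eol, "://");
    if (pos >= 0 && copy_host(data, (size_t)eol, (size_t)pos + 3, out, outlen) > 0)
        return 1;
    if ((pos = find_bytes(data, len, "\r\nHost:")) < 0) return 0;
    for (pos += 7; (size_t)pos < len && data[pos] == ' '; pos++) ;
    return copy_host(data, len, (size_t)pos, out, outlen) > 0;
}

int main(void)
{   /* constructed sample request, passed without its trailing NUL */
    const unsigned char pkt[] = "GET http://www.baidu.com/ HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n";
    char host[64];
    if (extract_http_host(pkt, sizeof pkt - 1, host, sizeof host)) printf("%s\n", host);
    return 0;
}
```

The returned host is a normal NUL-terminated C string, so it can be passed to printf or compared against database entries.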