Piotr_Lewandows
Apr 13, 2016

Extract headers from TCP payload

Hi,

I have a VS without an HTTP profile, but it can process HTTP traffic.

When using TCP::collect I am getting something like this in TCP::payload:

"GET /?ip=10.20.10.2 HTTP/1.1 Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; vWorkspace) Accept-Encoding: gzip, deflate Host: wpad.test.com Connection: Keep-Alive " - I don't know why there is no \r\n here?

findstr $str "Host: " 6 - does not terminate at the end of the line, so it returns "wpad.test.com Connection: Keep-Alive " - obviously because of how TCP::payload is presented as a string.

What could be used to reliably extract only the host from the Host header?

To retrieve the method and URI, scan [TCP::payload] {%[^ /]%s} method uri seems to be working OK.

Now the question is whether the findstr and scan methods are correct here, or whether it could be implemented more elegantly/efficiently?

Piotr
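
An added example, not part of the original post and not F5's own code: one way to pull the method, URI and Host out of the collected payload in an iRule on a virtual server without an HTTP profile. It assumes the raw payload still carries CRLF line endings as HTTP/1.1 requires; the 8192-byte cap and the policy of rejecting a missing or repeated Host header are illustrative choices.

```tcl
when CLIENT_ACCEPTED {
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]

    # Wait until the whole header block (terminated by an empty line) has arrived.
    set hdr_end [string first "\r\n\r\n" $payload]
    if { $hdr_end < 0 } {
        # Assumed cap of 8192 bytes so a client cannot make us buffer forever.
        if { [TCP::payload length] > 8192 } { reject; return }
        TCP::collect
        return
    }
    # Keep the request line and headers, including the CRLF of the last header.
    set head [string range $payload 0 [expr {$hdr_end + 1}]]

    # Request line: method and URI, anchored at the start of the payload.
    if { ![regexp {^([A-Za-z]+) (\S+) HTTP/\d\.\d\r\n} $head -> method uri] } {
        reject
        return
    }

    # Header names are case-insensitive; -line makes ^ match at each line start,
    # so "Host:" inside the URI or another header's value is not picked up.
    set host_count [regexp -all -nocase -line {^Host:} $head]
    if { $host_count != 1 } {
        # A missing or repeated Host header is ambiguous; do not route on it.
        log local0. "rejecting request with $host_count Host headers"
        reject
        return
    }
    # The value ends at the first whitespace or CR/LF, so the next header is excluded.
    if { ![regexp -nocase -line {^Host:[ \t]*([^ \t\r\n]+)} $head -> host] } {
        reject
        return
    }
    # Normalise: lower-case and drop a trailing :port if present.
    set host [string tolower $host]
    regsub {:\d+$} $host "" host

    log local0. "method=$method uri=$uri host=$host"
    TCP::release
}
```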

 
