findstr
2 Topics

Extract headers from TCP payload
Hi, I have a VS without an HTTP profile, but it can process HTTP traffic. When using TCP::collect I get something like this in TCP::payload:

    "GET /?ip=10.20.10.2 HTTP/1.1 Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; vWorkspace) Accept-Encoding: gzip, deflate Host: wpad.test.com Connection: Keep-Alive "

I don't know why there is no \r\n here?

    findstr $str "Host: " 6

does not terminate at the end of the line, so it returns "wpad.test.com Connection: Keep-Alive ", obviously because of how TCP::payload is presented as a string. What could be used to reliably extract only the host from the Host header?

To retrieve the method and URI,

    scan [TCP::payload] {%[^ /]%s} method uri

seems to be working OK.

Now the question is whether the findstr and scan methods are correct here, or whether it could be implemented more elegantly/efficiently?

Piotr
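An added example iRule, not the poster's code, showing one way to pull the method, URI and Host value out of a collected payload with Tcl regexp rather than findstr and scan. On the wire the header lines are separated by CRLF (HTTP/1.1 requires it, and the browser in the post sends it); the payload shown in the post has them collapsed by the forum's rendering. The example assumes an HTTP/1.x request with CRLF line endings; the event names are standard, but the 8 KB header cap, the rejection of duplicate Host headers and the log line are this example's own choices.

```tcl
# Added example iRule (not the poster's code): parse the request line and the
# Host header out of a collected TCP payload on a VS that has no HTTP profile.
# Assumes HTTP/1.x with CRLF line endings. The 8 KB cap, the duplicate-Host
# handling and the log format are this example's own choices.
when CLIENT_ACCEPTED {
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]

    # The header block ends at the first empty line (CRLF CRLF). Until it has
    # arrived, any parse would see a truncated header, so keep collecting.
    if { [string first "\r\n\r\n" $payload] == -1 } {
        if { [TCP::payload length] > 8192 } {
            # No end of headers within 8 KB: not a request we want to parse.
            reject
            return
        }
        TCP::collect
        return
    }

    set method ""
    set uri ""
    set host ""

    # Request line: METHOD SP request-target SP HTTP/1.x CRLF
    regexp -- {^([A-Z]+) ([^ \r\n]+) HTTP/1\.[01]\r\n} $payload -> method uri

    # Host header: -nocase because header names are case-insensitive, -line so
    # ^ anchors at the start of each header line, and the capture stops at the
    # CR of the CRLF so the following header is not swallowed.
    set hostCount [regexp -all -nocase -line -- {^Host:} $payload]
    if { $hostCount == 1 } {
        regexp -nocase -line -- {^Host:[ \t]*([^\r\n]*)} $payload -> host
        set host [string trim $host]
    } elseif { $hostCount > 1 } {
        # Without an HTTP profile nothing normalises the request for us. Two
        # Host headers are ambiguous, so trust neither value.
        log local0. "rejecting request with $hostCount Host headers from [IP::client_addr]"
        reject
        return
    }

    log local0. "method=$method uri=$uri host=$host"
    TCP::release
}
```

Waiting for the blank line before parsing matters: CLIENT_DATA can fire with only part of the header block, and a findstr or scan over a partial buffer silently returns a truncated value. If no Host header is present (an HTTP/1.0 client), host stays empty rather than picking up the next header's text.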