Merge lp:~andrea.corbellini/beeseek/sniffer into lp:beeseek
| Status | Merged |
|---|---|
| Merged at revision | 30 |
| Proposed branch | lp:~andrea.corbellini/beeseek/sniffer |
| Merge into | lp:beeseek |
| Diff against target | 581 lines (+528/-0), 10 files modified |
| To merge this branch | bzr merge lp:~andrea.corbellini/beeseek/sniffer |
| Related bugs | |

Files modified:
* .bzrignore (+1/-0)
* sniffer/Makefile (+15/-0)
* sniffer/include/handler.h (+22/-0)
* sniffer/include/parser.h (+14/-0)
* sniffer/include/sender.h (+16/-0)
* sniffer/include/sniffer.h (+8/-0)
* sniffer/src/app.c (+68/-0)
* sniffer/src/handler.c (+98/-0)
* sniffer/src/parser.c (+162/-0)
* sniffer/src/sender.c (+124/-0)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Lorenzo Allegrucci | | | Approve |
| BeeSeek Team | | | Pending |

Review via email: mp+28393@code.launchpad.net
Description of the change
This branch adds the TCP/IP packets sniffer. It's fully written in C, asynchronous and optimized for low memory usage and light CPU load; also privacy is respected.
First, a quick overview of what it does. Basically, every sniffed packet is checked to see if it looks like an HTTP request. If so, it sends the most important information of the request to the analyzer. Here's how you can test it:
* Build it with `make` or `make DEBUG=1`.
* Launch a script that emulates the analyzer: http://
* Launch `beeseek-sniffer` with two options: the Ethernet device (most likely eth0 or wlan0) and the IP/hostname of the analyzer (localhost).
* With the web browser, visit some pages.
* The script that emulates the analyzer should now display all the pages visited (plus CSS, JavaScript and images, of course).
Here is a detailed description of how it works:
* The packets sniffed are just the ones with the destination port 80 (HTTP). [include/handler.h: Bf_PCAP_FILTER_EXP]
* When a packet is caught, a parser checks if it starts with "GET" or "HEAD" (we don't care about other methods such as POST or PUT). [src/parser.c: BfHTTPRequest_
* In case of a positive match, it assumes that the packet contains an HTTP request and looks for the URI.
* It then scans all headers looking for 'Host'. [src/parser.c: BfHTTPRequest_
* If both the URI and the Host have been found, it sends them to the analyzer. [src/sender.c: BfSender_SendReq]
This implementation has however some problems:
* The parser assumes that every HTTP request fits in just one packet. If, for example, the request line and the headers are in two different packets, the request is lost.
* The parser also assumes that for every packet there's just one request. If in a packet there are two or more requests, only the first one is considered.
* Finally, the parser assumes that every HTTP request starts at the beginning of a packet.
These problems may seem critical; however, they're not so important. In fact, every web browser I've used sends every request in a single packet. Also, fixing the problems above would slow down the application and slightly increase the memory usage.
Although the sniffer application is finished and may be used, it needs some tuning. In include/parser.h the two constants BfHTTPRequest_
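As an added illustration (not code from this branch or the BeeSeek project), here is a C parser that follows the steps in the description: method check, URI from the request line, then a scan of the header lines for Host. It keeps the same assumptions as the sniffer (one request per packet, starting at offset 0), but bounds every read by the captured length and rejects values that do not fit the fixed buffers instead of overflowing them; the buffer sizes (64 and 2048) follow the review comment and, like all `ex_` names, are assumptions for this example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

#define EX_HOST_MAX 64    /* assumed sizes, taken from the review comment */
#define EX_URL_MAX  2048
struct ex_request { char host[EX_HOST_MAX]; char url[EX_URL_MAX]; };

/* Returns true only if the payload begins with "GET " or "HEAD ", carries a URI on the
 * request line and a Host header, and both fit the buffers. len bounds every read, so a
 * payload without a NUL terminator (as handed over by pcap) is handled safely. As in the
 * sniffer described above, a request split across packets or not at offset 0 is not found. */
bool ex_parse_request(const unsigned char *payload, size_t len, struct ex_request *out)
{
    const char *p = (const char *)payload, *end = p + len, *uri, *nl, *sp;
    size_t n;
    if (len >= 4 && memcmp(p, "GET ", 4) == 0)       uri = p + 4;
    else if (len >= 5 && memcmp(p, "HEAD ", 5) == 0) uri = p + 5;
    else return false;                               /* POST, PUT, ... are ignored */

    nl = memchr(uri, '\n', (size_t)(end - uri));     /* end of the request line */
    if (!nl) return false;
    sp = memchr(uri, ' ', (size_t)(nl - uri));       /* URI ends before " HTTP/1.x" */
    if (!sp || (n = (size_t)(sp - uri)) == 0 || n >= EX_URL_MAX) return false;
    memcpy(out->url, uri, n); out->url[n] = '\0';

    for (p = nl + 1; p < end; p = nl + 1) {          /* walk the header lines */
        nl = memchr(p, '\n', (size_t)(end - p));
        if (!nl) return false;                       /* unterminated line: incomplete */
        n = (size_t)(nl - p);
        if (n && p[n - 1] == '\r') n--;
        if (n == 0) return false;                    /* blank line: headers over, no Host */
        if (n > 5 && strncasecmp(p, "Host:", 5) == 0) {
            const char *v = p + 5; size_t vl = n - 5;
            while (vl && *v == ' ') { v++; vl--; }   /* skip optional whitespace */
            if (vl == 0 || vl >= EX_HOST_MAX) return false;
            memcpy(out->host, v, vl); out->host[vl] = '\0';
            return true;
        }
    }
    return false;
}

/* Convenience for checking: 1 if pkt parses and yields exactly want_host / want_url. */
int ex_check(const char *pkt, const char *want_host, const char *want_url)
{
    struct ex_request r;
    if (!ex_parse_request((const unsigned char *)pkt, strlen(pkt), &r)) return 0;
    return strcmp(r.host, want_host) == 0 && strcmp(r.url, want_url) == 0;
}
```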
The sniffer seems to work here; just increment the buffers for hostname and url to 64 and 2048 bytes, they are too strict.