tcpdump mailing list archives

Re: Email Content Extraction From payload


From: Shameem Ahamed <shameem.ahamed () hotmail com>
Date: Fri, 3 Apr 2009 18:53:58 +0530


Hello Julian,


Please see my reply below.


"If you register a TCP (not IP or UDP!) callback with libnids, it will just  give you the payload data, no packet 
headers or anything. If this is not  what you're getting, you're doing something wrong and should reread the  
documentation."

Yes, I am getting the payload. But the only thing is the payload is in binary format. And that payload consists of all
the HTTP methods, protocol-specific data and user data (e-mail content). I want the payload stripped and get only the
user data (e-mail details). Is there any other library which helps to do this?

I am trying to capture the webmail traffic, like Yahoo!, AOL Mail etc.


Regards,
Shameem 


From: julian () mehnle net
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] Email Content Extraction From payload
Date: Fri, 3 Apr 2009 12:22:50 +0000

Shameem Ahamed wrote:

I have tried a small code with libnids in my Ubuntu machine.

I have modified the sample code provided by Rafal Wojtczuk in the
libnids main page.

In that one also, I have tried to print the data part in a file using
the callback function and all the data was in binary format.

Also, libnids doesn't provide any function to check the data in the
payload (higher OSI layer, possibly application layer for HTTP).

I am done with "stripping TCP headers", and I am here with a payload,
which contains all the higher level headers and data. I want to strip
the higher level data and get only the data.

If you register a TCP (not IP or UDP!) callback with libnids, it will just 
give you the payload data, no packet headers or anything.  If this is not 
what you're getting, you're doing something wrong and should reread the 
documentation.

If you need to analyze data not on the TCP level but on the HTTP or SMTP 
level, then libnids will NOT do that for you.  E.g., if you just want to 
get the "DATA" portion of an SMTP transaction, you could either parse the 
SMTP session yourself, wait for the "DATA" command, and then grab what 
the client sends (up to the final ".\x0d\x0a"), or you need to use some 
additional library.  But, really, parsing SMTP yourself is quite easy.

-Julian
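The SMTP parsing Julian describes (watch the client's commands for "DATA", then collect everything up to the final "<CRLF>.<CRLF>") is small enough to show in full. The following is an added example, not code from this thread or from libnids. It assumes the caller feeds it only the client-to-server half of the TCP stream, in whatever chunks the capture library hands over (a libnids TCP callback delivers reassembled payload this way), so chunk boundaries may fall anywhere, including inside the terminator. The class and function names (`SmtpDataExtractor`, `extract_smtp_bodies`, `split_into_chunks`) and the sample session are constructed for the example; the body is also dot-unstuffed as RFC 5321 requires, which the message above does not mention.

```python
# Added example (not code from the thread): incremental extraction of the
# DATA portion of an SMTP session from the client-to-server byte stream.
# Assumption: the caller feeds only the client->server half of the stream,
# in arbitrary chunks; boundaries may fall anywhere, even inside "\r\n.\r\n".

CRLF = b"\r\n"


class SmtpDataExtractor:
    """Line-oriented state machine: command phase until DATA is seen, then
    data phase until a line consisting of a single '.' ends the message."""

    def __init__(self):
        self.buf = b""            # bytes not yet forming a complete line
        self.in_data = False      # True while inside the DATA section
        self.body = bytearray()   # message currently being collected
        self.messages = []        # completed message bodies (bytes)

    def feed(self, chunk: bytes) -> None:
        """Consume one chunk of client->server payload."""
        self.buf += chunk
        while True:
            idx = self.buf.find(CRLF)
            if idx < 0:
                return                      # wait for the rest of the line
            line, self.buf = self.buf[:idx], self.buf[idx + len(CRLF):]
            if self.in_data:
                self._data_line(line)
            else:
                self._command_line(line)

    def _command_line(self, line: bytes) -> None:
        # SMTP verbs are case-insensitive; every command other than DATA
        # (EHLO, MAIL FROM, RCPT TO, QUIT, ...) is simply skipped
        if line.strip().upper() == b"DATA":
            self.in_data = True
            self.body = bytearray()

    def _data_line(self, line: bytes) -> None:
        if line == b".":
            # end of message: the final CRLF "." CRLF
            self.messages.append(bytes(self.body))
            self.in_data = False
            return
        if line.startswith(b"."):
            line = line[1:]       # RFC 5321 transparency: drop the stuffed dot
        self.body += line + CRLF


def extract_smtp_bodies(chunks) -> list:
    """Run the extractor over an iterable of chunks; return all bodies found."""
    extractor = SmtpDataExtractor()
    for chunk in chunks:
        extractor.feed(chunk)
    return extractor.messages


# Constructed sample session (client->server direction only).
SAMPLE_SESSION = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"data\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"Hello.\r\n"
    b"..line that really starts with a dot\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def split_into_chunks(data: bytes, size: int) -> list:
    """Cut the stream at fixed offsets to imitate arbitrary TCP segmentation."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    # The same body must come out whatever the segmentation.
    for size in (1, 7, 64, len(SAMPLE_SESSION)):
        bodies = extract_smtp_bodies(split_into_chunks(SAMPLE_SESSION, size))
        print(f"chunk size {size:3d}: {bodies[0]!r}")
```

The line-based design is what makes the chunk boundary problem disappear: nothing is interpreted until a full CRLF-terminated line has arrived, so a terminator split as `"\r\n."` in one segment and `"\r\n"` in the next is handled without any special case. For the webmail (HTTP) traffic asked about earlier in the thread this does not apply; an HTTP request and response would need their own parser in the same place.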
