Xplico.org
http://forum.xplico.org/

How to see HTTP headers?
http://forum.xplico.org/viewtopic.php?f=3&t=509

Author:  dalton [ Wed Apr 04, 2012 3:31 pm ]
Post subject:  How to see HTTP headers?

Hello, new user here. I'm still trying to learn Xplico. What I need to do is feed it a pcap file and from that see every HTTP request and response that happened. The command that I used was:
./xplico -m pcap -fpcap1.cap
This created files under xdecode in a structure like this:
xdecode/172.18.0.203/http/dell.com/http_rs_body_1333469115_0x980e4d0_887
This filename appears to indicate an http response body, a timestamp (of what?), but what are the last 2 items in the filename?

This file has in it the http response, but I also need to see many of the request and response headers. How do I enable those to be logged?

xplico -i http shows this:
http: Hypertext Transfer Protocol
-----------------------------------------------------------
Pkt info:
http.user_agent: User-Agent
http.host: Host
http.content_type: Content-Type
http.content_range: Content-Range
http.content_encoding: Content-Encoding
-----------------------------------------------------------
Pei components type:
url: Uniform Resource Locator
client: Client
host: Host
content_type: Content Type
method: Method
status: Status response
req.header: Request header
req.body: Request body
res.header: Response header
res.body: Response body
boundary: Boundary contents

which has many of the items that I need. However, I don't understand how to use the PEI or Packet info items.

xplico version = 1.0.0
OS = Ubuntu 10.04

Please help.
Thank you.

Author:  gianluca.costa [ Mon Apr 09, 2012 11:22 am ]
Post subject:  Re: How to see HTTP headers?

Hi dalton,
you can develop your own version of the cli dispatcher, where you can select the (file-)name and the location of every http (message) content.
To start, I have developed a cli version for you (see the function DispHttp).
Attachment:
cli.c

The http data will be saved in the ./xdecode/<ip>/http/ directory (like the original version), but with this new version all data of the http message will be saved and the file names will have the form:
<http_message_id>_http_rq_hdr_xxxxx : http request header
<http_message_id>_http_rq_body_xxxxx : http request body (i.e. POST body)
<http_message_id>_http_rs_hdr_xxxxx : http response header
<http_message_id>_http_rs_body_xxxxx : http response body
An http message (http_message_id) is composed of a request and a response, where the request is composed of a header (http_rq_hdr) and sometimes a body (http_rq_body), and the response is composed of a header (http_rs_hdr) and a body (http_rs_body).

Ciao.
Gianluca
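
Added example, not part of the original thread and not taken from the attached cli.c: a Python sketch that pairs the files written under the naming scheme in the reply above back into request/response messages and lists which parts are missing. The exact syntax of http_message_id and of the xxxxx suffix is an assumption, and the sample tree is constructed for the demo.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# From the reply: <id>_http_{rq,rs}_{hdr,body}_xxxxx; id/suffix syntax is assumed.
NAME_RE = re.compile(r"^(?P<msg_id>.+?)_http_(?P<side>rq|rs)_(?P<part>hdr|body)_.+$")
EXPECTED = ("rq_hdr", "rs_hdr", "rs_body")  # rq_body is optional (e.g. POST only)

def group_messages(http_dir):
    """Map each http_message_id to the files found for it under http_dir."""
    messages = defaultdict(dict)
    for path in sorted(Path(http_dir).rglob("*")):
        m = NAME_RE.match(path.name)
        if path.is_file() and m:  # names without an id prefix are skipped
            messages[m["msg_id"]][f'{m["side"]}_{m["part"]}'] = path
    return dict(messages)

def first_line(path):
    """Request or status line of a header file, or None if the part is absent."""
    return path.read_bytes().partition(b"\n")[0].decode("latin-1").strip() if path else None

def summarize(messages):
    """One row per message: request line, status line and the missing parts."""
    return [{
        "id": msg_id,
        "request": first_line(parts.get("rq_hdr")),
        "status": first_line(parts.get("rs_hdr")),
        "missing": [p for p in EXPECTED if p not in parts],
    } for msg_id, parts in sorted(messages.items())]

def build_sample(root):
    """Constructed sample tree; the ids, suffixes and contents are made up."""
    http_dir = Path(root) / "xdecode" / "192.0.2.10" / "http"
    http_dir.mkdir(parents=True)
    files = {
        "1_http_rq_hdr_aaaa": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "1_http_rs_hdr_aaaa": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
        "1_http_rs_body_aaaa": b"<html></html>",
        "2_http_rq_hdr_bbbb": b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "2_http_rq_body_bbbb": b"user=demo",
        "http_rs_body_1333469115_0x0_1": b"name without id prefix, skipped",
    }
    for name, data in files.items():
        (http_dir / name).write_bytes(data)
    return http_dir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*summarize(group_messages(build_sample(tmp))), sep="\n")
```

A message whose "missing" list is not empty usually means the capture was cut off or the exchange was only partly decoded, so check it against the pcap before drawing conclusions from it.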

All times are UTC