[patch] Minor changes to http.py, and an error check in pcap.py

Andrew Brampton

Jan 10, 2010, 9:45:21 AM
to dpkt
Hi,
I've created three patches that enabled me to decode multiple HTTP
packets in a single TCP stream, including those HTTP packets that are
broken across multiple packets.

[1] The first patch adds a simple validation check to ensure that each
packet within a pcap file is no longer than the declared snaplen. This
was useful for me to figure out I had an invalid pcap file.

[2] The second patch changes the way len(http) works. I had TCP
connections that contained multiple HTTP requests, so I needed to know
accurately how long each HTTP request was, so I modified http to
report this. There might have been a better way of doing this, for
example, parsing a file object into the HTTP unpack, but I didn't want
to change the API too much.

[3] The final patch changes the HTTP class to uncompress gzip-encoded
data. This was the reason I started to use dpkt, because I wanted a
"Follow TCP Stream" style view of my connections in plain text (i.e. not
compressed).

I've also released my little program which outputs the HTTP flows[4].

I hope these patches can be of use. BTW, thanks for creating dpkt, it
has been quite useful!

Andrew

[1] http://me.bramp.net/patches/dpkt-pcap-snaplen.patch
[2] http://me.bramp.net/patches/dpkt-http-len.patch
[3] http://me.bramp.net/patches/dpkt-http-gz.patch
[4] http://bramp.net/blog/follow-http-stream-with-decompression
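
The snaplen check described for patch [1], sketched as an added example; it is not the linked patch and not dpkt's own code. It assumes the classic pcap layout (24-byte global header, 16-byte record headers, microsecond magic), and the names `check_snaplen` and `build_sample` and the sample capture are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
GLOBAL_HDR = "IHHiIII"    # magic, v_major, v_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"       # ts_sec, ts_usec, caplen (bytes stored), len (bytes on wire)


def check_snaplen(data):
    """Return (snaplen, problems) for a classic pcap file held in bytes."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    # The writer's byte order is not fixed; the magic number reveals it.
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(endian + GLOBAL_HDR, data[:24])[5]
    problems, offset, index = [], 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            problems.append((index, "truncated record header"))
            break
        caplen = struct.unpack(endian + RECORD_HDR, data[offset:offset + 16])[2]
        offset += 16
        if caplen > snaplen:
            # Record framing cannot be trusted past this point, so stop here.
            problems.append((index, "caplen %d exceeds snaplen %d" % (caplen, snaplen)))
            break
        if caplen > len(data) - offset:
            problems.append((index, "record data truncated"))
            break
        offset += caplen
        index += 1
    return snaplen, problems


def build_sample(snaplen, sizes):
    """Constructed little-endian capture with zero-filled packets (test data)."""
    out = struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for n in sizes:
        out += struct.pack("<" + RECORD_HDR, 0, 0, n, n) + b"\x00" * n
    return out


if __name__ == "__main__":
    print(check_snaplen(build_sample(64, [60, 100, 40])))
```

Stopping at the first oversized record matters because a bogus `caplen` also misplaces every record boundary that follows it.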
