new: http parser

caplets/local-sniffer.cap

@@ -5,5 +5,7 @@ events.stream on
 
 set net.sniffer.verbose false
 set net.sniffer.local true
+# http://biot.com/capstats/bpf.html
+# set net.sniffer.filter not arp and not udp port 53
 
 net.sniffer on

modules/net_sniff_http.go

@@ -0,0 +1,42 @@
+package modules
+
+import (
+	"fmt"
+
+	"github.com/evilsocket/bettercap-ng/core"
+	"regexp"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+)
+
+var httpRe = regexp.MustCompile("(?s).*(GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH) (.+) HTTP/\\d\\.\\d.+Host: ([^\\s]+)")
+
+func httpParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
+	data := tcp.Payload
+	dataSize := len(data)
+
+	if dataSize < 20 {
+		return false
+	}
+
+	m := httpRe.FindSubmatch(data)
+	if len(m) != 4 {
+		return false
+	}
+
+	url := fmt.Sprintf("http://%s", string(m[3]))
+	if tcp.DstPort != 80 {
+		url += fmt.Sprintf(":%s", vPort(tcp.DstPort))
+	}
+	url += fmt.Sprintf("%s", string(m[2]))
+
+	fmt.Printf("[%s] %s %s %s %s\n",
+		vTime(pkt.Metadata().Timestamp),
+		core.W(core.BG_RED+core.FG_BLACK, "http"),
+		vIP(ip.SrcIP),
+		core.W(core.BG_LBLUE+core.FG_BLACK, vURL(string(m[1]))),
+		core.Yellow(url))
+
+	return true
+}

modules/net_sniff_parsers.go

@@ -15,6 +15,8 @@ func tcpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
 
 	if sniParser(ip, pkt, tcp) {
 		return
+	} else if httpParser(ip, pkt, tcp) {
+		return
 	}
 
 	if verbose == true {

modules/net_sniff_views.go

@@ -48,3 +48,13 @@ func vPort(p interface{}) string {
 
 	return sp
 }
+
+var maxUrlSize = 40
+
+func vURL(u string) string {
+	ul := len(u)
+	if ul > maxUrlSize {
+		u = fmt.Sprintf("%s...", u[0:maxUrlSize-3])
+	}
+	return u
+}