Hello fellow network adventurers,
I'm implementing a network attack, which ARP spoofs a gateway and a victim, filters the HTTP data and reassembles the web pages in my browser. Also known as webspy.
However, I'm having some issues with libpcap. When I receive the packets with TCP segments containing the HTTP data, some of them are bigger than the MTU! Like 1922, 2878 and even 4909 bytes.
At first, I thought that these were reassembled HTTP packets, given by the kernel. But, according to this post, libpcap doesn't reassemble packets, so it won't bring me an entire, well-formed packet with all the HTTP response from a given request.
For testing, I printed all these packets which are bigger than the MTU. All of them contained normal data (CSS, JS, HTML, images, ...).
So what the hell is going on? What are these big guys? I've been struggling with this for a few days.
BONUS QUESTION: Will I really need to reassemble all this HTTP data myself?
However, I'm having some issues with libpcap. When I receive the packets with TCP segments containing the HTTP data, some of them are bigger than the MTU! Like 1922, 2878 and even 4909 bytes.
Your network adapter may be acting as a TCP offload engine, reassembling multiple incoming TCP segments and handing one reassembled segment to the host. At least on Linux, the networking stack might be performing Large Receive Offload, and if that's done before handing packets to "taps" (the PF_PACKET sockets used by libpcap on Linux), you'd get the reassembled segments.
For your program, this shouldn't be an issue, given that...
Will I really need to reassemble all this HTTP data myself?
...you will need to reassemble all the components of an HTTP request or reply yourself.
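As an added example (not part of the original question or answer), here is the reassembly the answer says you have to do yourself: ordering captured TCP segments by sequence number, tolerating out-of-order arrival and oversized LRO/GRO-merged segments, then carving HTTP responses out of the byte stream by Content-Length. All segment contents and sizes are constructed; only Content-Length framing is handled, not chunked encoding.

```python
# Added example (not from the original post): reassemble one direction of a
# captured TCP stream by sequence number, then carve HTTP responses from it.
# Segment data/sizes are constructed; the 2878-byte one mimics an LRO/GRO merge.
from typing import Dict, List, Tuple

def reassemble_stream(segments: List[Tuple[int, bytes]], isn: int) -> bytes:
    """Order (seq, payload) pairs and concatenate; drop duplicates, stop at a gap."""
    by_seq: Dict[int, bytes] = {}
    for seq, payload in segments:
        if payload and seq not in by_seq:   # ignore empty ACKs and retransmits
            by_seq[seq] = payload
    out, expected = bytearray(), isn
    for seq in sorted(by_seq):
        if seq != expected:
            break  # hole in the sequence space: never splice across it
        out += by_seq[seq]
        expected = seq + len(by_seq[seq])
    return bytes(out)

def split_http_responses(stream: bytes) -> List[Tuple[bytes, bytes]]:
    """Split a server->client stream into (headers, body) pairs by Content-Length.
    Chunked transfer encoding is not handled here."""
    responses, pos = [], 0
    while (end := stream.find(b"\r\n\r\n", pos)) >= 0:
        headers, length = stream[pos:end], 0
        for line in headers.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        body_start = end + 4
        if len(stream) < body_start + length:
            break  # tail of this response not captured yet
        responses.append((headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return responses

def segment(stream: bytes, isn: int, sizes: List[int]) -> List[Tuple[int, bytes]]:
    """Cut a stream into segments of the given sizes (constructed capture)."""
    segs, off = [], 0
    for size in sizes:
        segs.append((isn + off, stream[off:off + size]))
        off += size
    return segs

def demo() -> List[Tuple[bytes, bytes]]:
    stream = (b"HTTP/1.1 200 OK\r\nContent-Length: 4000\r\n\r\n" + b"A" * 4000
              + b"HTTP/1.1 200 OK\r\nContent-Length: 900\r\n\r\n" + b"B" * 900)
    segs = segment(stream, 1000, [2878, 1460, len(stream) - 2878 - 1460])
    segs.reverse()  # deliver out of order to exercise the sequence sort
    return split_http_responses(reassemble_stream(segs, 1000))
```

Whether a segment arrived as 1460 bytes or as a 2878-byte merged chunk makes no difference to this logic, which is why the offload behaviour described above is harmless for the program.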