/* Traces requests to HTTP server and parses them.
   Outputs for urls which end with html, htm, php or an empty extension.
   Can distinguish parameters to scripts separated by ?.
   Runs as anettest -d eth0#0 -f this_file.fws

   NOTE(review): everything this script prints (host, url, extension) is taken
   verbatim from captured packet bytes, i.e. it is untrusted input. The output is
   not sanitised, and the disabled syscall line below would hand those bytes to a
   shell command line; keep it disabled unless the values are validated first. */

INCLUDE tcp

// creates variables (scratch offsets/lengths reused throughout the parsing below)
var (v1 num 0)
var (v2 num 0)
var (v3 num 0)

// defines fields (each is later positioned/sized over the captured packet buffer)
.host ''
.url ''
.extension ''

// describes the packet which will be waited
filter 0 "tcp"        // sets fast low-level filter
dstport = http or     // adds the packet to waited ones
precisewait
copyrec               // this command instructs that a received packet must be copied to the buffer of current packet (for its analysis)
quiet

// the main infinite cycle: receiving packets and analysing them
cyc inf {
    waitall           // waits for a packet
    // some packet has been received
    // parsing it

    // correcting the position of tcp.data field (td) as TCP header may have a non-standard length
    pos = srcport
    v1 = curpos       // now v1 stores the beginning position of TCP header
    v2 = tcp.hlen
    mulvar v2, 4      // now v2 stores the length of TCP header (in bytes); presumably hlen is in 32-bit words - verify
    v1 += v2
    setpos (td, v1)   // sets the new position of tcp.data (td) field
    printl v1         // prints the computed payload offset (looks like a debug trace; harmless but noisy on every packet)

    /* example:
    GET /portalHelp2/ohw?topic=pobpgcr1_htm&locale=ru HTTP/1.1
    User-Agent: Opera/9.10 (Windows NT 5.1; U; en)
    Host: www3.imperial.ac.uk */

    // searches GET word
    // v3 = td + 4: presumably the search bound, so GET is only accepted at the very start of the payload - confirm
    pos = td
    v3 = curpos
    v3 += 4
    goto ('GET', v3)
    if gotores = 1 {
        // word GET found
        // searches Host word
        pos = td
        goto ('Host:')
        if gotores = 1 {
            // 'Host' string is found
            // configures host field (Host: www.mail.ru\r\n)
            goto (' ')
            pass 1
            setpos (host, curpos)
            v1 = curpos
            goto ('\r')
            v2 = curpos
            v2 -= v1
            setsize (host, v2)

            // searches the beginning of URL (first space after the start of the payload)
            pos td
            goto(' ')
            pass 1
            setpos(url,curpos)

            // searches the end of URL
            v1 = curpos       // the start of url
            goto (' HTTP')
            if (gotores = 1) {
                // the end of URL found
                // configures the URL field
                v2 = curpos   // the end of url
                v2 -= v1
                setsize (url, v2)
                v2 += v1

                // searches the ? symbol in URL
                pos = v1
                goto ('?', v2)
                if (gotores = 0) {
                    // ? not found
                    pos = v2
                }
                // now position is on ? or on the end of url

                // searches the . at the end of url or before ?
                v3 = curpos
                v2 = curpos
                gotob ('.', v1)
                if (gotores = 1) {
                    // . is found
                    // configures the extension field
                    pass 1
                    setpos extension curpos
                    v1 = curpos
                    decvar v2 v1      // presumably v2 -= v1, giving the extension length - confirm
                    setsize extension v2
                    if (extension = 'html') {
                        print '$host$$url$\n'
                    }
                    if (extension = 'htm') {
                        print '$host$$url$\n'
                    }
                    if (extension = 'php') {
                        print '$host$$url$\n'
                    }
                } else {
                    // no . in the url: treated as empty extension and printed
                    // NOTE(review): the disabled syscall below interpolates host/url from the wire
                    // into a shell command line; do not re-enable it without validating those bytes.
                    //syscall '\"c:\\Program Files\\Opera 9\\Opera.exe\" $host$$url$'
                    print '$host$$url$\n'
                }
                pos = v3
                gotob ('/', v1)
                if (gotores = 1) {
                    pass 1
                    // NOTE(review): uses == while every other comparison in this file uses =; confirm both are accepted.
                    // NOTE(review): a url with no . that ends in / (e.g. "/dir/") appears to be printed twice:
                    // once by the else branch above and once here - verify whether that is intended.
                    if (curpos == v3) {
                        // symbol / finishes the url
                        print '$host$$url$\n'
                    }
                }
            }
        }
    }
    unfix
}