/*
   Traces requests to HTTP server and parses them.
   Outputs <host><url> for urls which ends up by html, htm, php or empty extension.
   Can distinguish parameters in url after ?.

   Runs as
      anettest -d eth0#0 -f this_file.fws

*/

INCLUDE tcp

// creates variables

int v1 = 0
int v2 = 0

// defines fields (their position and size will be recalculated for each packet)

.host ''
.url ''
.extension ''

// describes the packet which will be expected

filter 0 "tcp" // low-level fast filter
clearmask
//dstport = http // will be faster if uncomment but will trace only 80 port

   towait   // adds the packet to waitable ones	

// base configuration

precisewait
copyrec
quiet

// the main cycle

cyc inf {

   // waits for packet

   waitall     	
	
   // some packet has been received, processing it

	if ip.hlen == 5 {

		// packet has standard header

      /* example:
                  GET /portalHelp2/ohw?topic=pobpgcr1_htm&locale=ru HTTP/1.1
                  User-Agent: Opera/9.10 (Windows NT 5.1; U; en)
                  Host: www3.imperial.ac.uk
      */

		// searches GET word
		
		pos = data
		v1 = curpos
		v1 += 4
		goto ('GET', v1)
		if gotores = 1 {

			// word GET found

			// searches Host word

         pos = data
         goto ('Host:', 250)
         if gotores = 1 {

		      // 'Host' string is found
            // configures host field (Host: www.mail.ru\r\n)

		      goto (' ', 250)
		      pass 1
		      setpos (host, curpos)
            v1 = curpos
            goto ('\r')
            v2 = curpos
            v2 -= v1
			   setsize (host, v2)

				// searches the beginning of URL

				pos data
				goto(' ')
				pass 1
				int urlStartPos = curpos
				
				setpos(url, urlStartPos)

				// searches the end of URL
				
				goto (' HTTP')
				if (gotores = 1) {

					// the end of URL found

					// configures the URL field

					int urlEndPos = curpos
					
					int size = curpos  // the end of url
					size -= urlStartPos
					setsize (url, size)					

					// searches the ? symbol in URL (page path before it)

					pos = urlStartPos
					int pagePathEnd = urlEndPos
					goto ('?', urlEndPos)
					if (gotores = 1) {
						// ? not found
						pagePathEnd = curpos
					}
					
					pos = pagePathEnd					
					// now position is on ? or on the end of url
															
					// searches for last slash in page path
					gotob ('/', urlStartPos)					
					int slashPos = 0
					if (gotores = 1) {
						slashPos = curpos
					}					
					
					// searches the . at the end of url or before ?
					pos = pagePathEnd
					gotob ('.', slashPos)
					if (gotores = 1) {

                  // . is found
						// configures the extension field

						pass 1
						setpos extension curpos						
						int size = pagePathEnd
						size -= curpos
						setsize extension size

						if (extension = 'html') {

							print '$host$$url$\n'
						}
						if (extension = 'htm') {

							print '$host$$url$\n'
						}
						if (extension = 'php') {

							print '$host$$url$\n'
						}
					}
					else {
						print '$host$$url$\n'						
					}					
				}
			}
		}
	}

   unfix
}