This is a brief introduction to the basic, common HTTP header formats.
POST /report/getComment.jsp HTTP/1.1
Host: yeeg.com
Connection: keep-alive
Content-Length: 161
Origin: http://www.1g1g.com
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7
content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.1g1g.com/player/loader.swf?uid=0.8106261373031884
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=C3F105F72E3602D6292D3E4561E8E400
Above is the header of a POST request. The value of the Content-Length field is the length, in bytes, of the POST body that follows the header. If you capture the POST with Wireshark you will see that the header and the body are sent separately: they are split across TCP segments and then reassembled on the receiving side.
That is not discussed in detail here.
GET /enclosure/2010-09-10T02_51_05-07_00.mp3 HTTP/1.1
Host: 805665086.podomatic.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7
Accept: */*
Referer: http://www.1g1g.com/player/loader.swf?uid=0.8106261373031884
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Above is a GET request. Everything a GET asks for is carried in the URL, so there is no body at all; this can be confirmed with a packet capture.
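An added example, not code from the original post, showing how a receiver consumes the two request formats above: it reads the request line and headers, takes the body length only from Content-Length, and buffers across TCP segments until the whole body has arrived, rejecting a missing, repeated or non-numeric Content-Length. The sample head and body are constructed from the POST capture above and are assumptions of this example.

```python
import re

# Constructed sample: the POST head captured above, trimmed to a few headers,
# followed by a 10-byte form body that matches its Content-Length.
SAMPLE_HEAD = (b"POST /report/getComment.jsp HTTP/1.1\r\n"
               b"Host: yeeg.com\r\n"
               b"Content-Length: 10\r\n"
               b"content-type: application/x-www-form-urlencoded\r\n\r\n")
SAMPLE_BODY = b"uid=0&c=hi"

class HttpRequestParser:
    # Feed TCP payload chunks of any size; feed() returns a dict once a full request is in.
    def __init__(self, max_head=8192, max_body=1 << 20):
        self.buf, self.max_head, self.max_body = b"", max_head, max_body

    def feed(self, data):
        self.buf += data
        end = self.buf.find(b"\r\n\r\n")           # blank line terminates the header section
        if end < 0:
            if len(self.buf) > self.max_head:
                raise ValueError("header section too large")
            return None                             # head still incomplete, wait for more
        head, rest = self.buf[:end], self.buf[end + 4:]
        lines = head.split(b"\r\n")
        method, target, version = lines[0].split(b" ", 2)
        headers = {}
        for line in lines[1:]:
            name, colon, value = line.partition(b":")
            name = name.strip().lower().decode()
            if not colon or name in headers:        # reject malformed or repeated headers
                raise ValueError(f"bad or duplicate header line: {line!r}")
            headers[name] = value.strip().decode()
        length = 0
        if "content-length" in headers:             # body length comes only from this field
            if not re.fullmatch(r"[0-9]+", headers["content-length"]):
                raise ValueError("malformed Content-Length")
            length = int(headers["content-length"])
            if length > self.max_body:
                raise ValueError("body too large")
        if len(rest) < length:
            return None                             # body still arriving in later segments
        self.buf = rest[length:]                    # keep pipelined bytes for the next call
        return {"method": method.decode(), "target": target.decode(),
                "version": version.decode(), "headers": headers, "body": rest[:length]}
```

Feeding SAMPLE_HEAD and then the body in two pieces returns None twice and the parsed request on the third call, which mirrors what the capture shows: the head arrives in one segment and the body in later ones.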
HTTP/1.1 200 OK
Date: Tue, 10 Jul 2012 09:12:52 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Thu, 23 Dec 2010 19:29:26 GMT
ETag: "960fcf-4a6459-49818e3486374"
Accept-Ranges: bytes
Content-Length: 487
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: audio/mpeg