Write an eBPF application that parses HTTP packets and extracts (and prints on screen) the URL contained in the GET/POST request.
eBPF application that parses HTTP packets and extracts (and prints on screen) the URL contained in the GET/POST request.
[eBPF HTTP Filter - Short Presentation](https://github.com/iovisor/bpf-docs/blob/master/ebpf_http_filter.pdf)
[eBPF HTTP Filter - Short Presentation](https://github.com/iovisor/bpf-docs/blob/master/ebpf_http_filter.pdf)
#Usage Example
#Usage Example
```Shell
```Shell
$ sudo python http-parse-v2.py
$ sudo python http-parse-complete.py
GET /pipermail/iovisor-dev/ HTTP/1.1
GET /pipermail/iovisor-dev/ HTTP/1.1
HTTP/1.1 200 OK
HTTP/1.1 200 OK
GET /favicon.ico HTTP/1.1
GET /favicon.ico HTTP/1.1
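Review bot: the sample output in the usage example still lists `HTTP/1.1 200 OK`, which is a response status line, while the README text says the script prints the first line of the HTTP GET/POST request. Either drop that line from the sample or state that response lines are printed too. The new opening line, "eBPF application that parses HTTP packets ...", is a sentence fragment now that "Write an" is gone; "An eBPF application that parses ..." would read better. `#Usage Example` also needs a space after `#` to render as a heading under CommonMark.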
...
@@ -27,14 +27,14 @@ Matching packets are forwarded to user space, others dropped by the filter.<br /
...
@@ -27,14 +27,14 @@ Matching packets are forwarded to user space, others dropped by the filter.<br /
<br/>
<br/>
Python script reads filtered raw packets from the socket, if necessary reassembles packets belonging to the same session, and prints on stdout the first line of the HTTP GET/POST request. <br/>
Python script reads filtered raw packets from the socket, if necessary reassembles packets belonging to the same session, and prints on stdout the first line of the HTTP GET/POST request. <br/>
#v1 vs v2
#simple vs complete
First version is the simple one: if the url is too long (splitted in more than one packet) is truncated. <br/>
simple version: if the url is too long (splitted in more than one packet) is truncated. <br/>
Second version is quite more complex: if necessary reassembles packets belonging to the same session and prints the complete url.
complete version: if necessary reassembles packets belonging to the same session and prints the complete url.
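Review bot: the renamed section "#simple vs complete" describes the two variants without naming their script files, so after this change only `http-parse-complete.py` (from the usage example) is discoverable. Name each script next to its description. The "simple version" line should also state the limitation plainly, since anyone relying on the output for logging could take a partial URL for the full one: "if the url is too long (splitted in more than one packet) is truncated" could become "if the URL is split across more than one packet, it is truncated". The heading needs a space after `#` here as well.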