tcpdump mailing list archives

Re: Capturing a "clean" TCP stream


From: "Aaron Turner" <synfinatic () gmail com>
Date: Sun, 20 May 2007 11:24:49 -0700

On 5/18/07, Guy Harris <guy () alum mit edu> wrote:

On May 18, 2007, at 7:09 AM, Alexandros Karypidis wrote:

> I am writing a program that is intended to monitor the requests made
> to
> a server from various clients. I am using libpcap to capture all
> packets directed to the server's IP and need to parse the _payload_ of
> the TCP stream (i.e. isolate the application protocol messages,
> discarding TCP retransmissions). I am currently parsing the TCP header
> using sequence/ack fields to detect retransmissions and extract
> payload. Could one suggest a better approach to this?

Perhaps I'm missing something, but I can't think of a better approach,
other than "use a library that does that work for you, if it
exists" (or steal code from an application that does it).  I have the
impression that a library of that sort might exist, but I don't
remember what it might be.

You're probably thinking of libnids.  Basically follows the Linux 2.2
kernel method of doing IP defragmentation and TCP stream reassembly.

http://libnids.sourceforge.net/

I can't say how well it works... I looked at using it once, but found
a variety of limitations in the API which made it a non-starter for
me.  YMMV.

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix
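The sequence-number bookkeeping the original poster describes (drop retransmitted bytes, hold out-of-order segments until the hole before them is filled), written out as an added example; it is not code from this thread or from libnids. It assumes segments have already been split out per connection and direction, and it models only the receiver-side ordering, not ACK tracking, the pcap capture loop or IP defragmentation.

```python
# Added example, not code from the thread or from libnids: one direction of one
# connection (already demultiplexed by 4-tuple), fed (seq, payload) per segment.
MOD = 1 << 32

def seq_diff(a: int, b: int) -> int:
    """Signed 32-bit distance a - b; positive when a is later in the stream."""
    return ((a - b + (1 << 31)) % MOD) - (1 << 31)

class StreamReassembler:
    def __init__(self, first_seq: int) -> None:
        self.next_seq = first_seq % MOD  # seq of the next byte to deliver
        self.data = bytearray()          # contiguous application payload so far
        self.pending = {}                # out-of-order segments, keyed by seq
        self.retransmitted = 0           # bytes dropped as already delivered

    def feed(self, seq: int, payload: bytes) -> None:
        if not payload:
            return                       # pure ACK / SYN / FIN: no application data
        d = seq_diff(seq, self.next_seq)
        if d < 0:                        # starts before data already delivered
            if -d >= len(payload):
                self.retransmitted += len(payload)  # whole segment is a retransmit
                return
            self.retransmitted += -d     # partial overlap: keep only the new tail
            payload, seq, d = payload[-d:], self.next_seq, 0
        if d > 0:                        # hole before this segment: hold it
            if len(payload) > len(self.pending.get(seq, b"")):
                self.pending[seq] = payload
            return
        self.data += payload
        self.next_seq = (self.next_seq + len(payload)) % MOD
        while True:                      # a filled hole may release held segments
            ready = [s for s in self.pending if seq_diff(s, self.next_seq) <= 0]
            if not ready:
                break
            s = min(ready, key=lambda k: seq_diff(k, self.next_seq))
            self.feed(s, self.pending.pop(s))

def demo() -> StreamReassembler:
    """Constructed client->server segments: out of order plus two retransmissions."""
    r = StreamReassembler(first_seq=1000)
    for seq, payload in [
        (1000, b"GET /index.html "),    # in order
        (1026, b"Host: example\r\n"),   # arrives early: hole at 1016..1025
        (1000, b"GET /index.html "),    # full retransmission, dropped
        (1016, b"HTTP/1.1\r\n"),        # fills the hole, releases the held segment
        (1036, b"ple\r\n\r\n"),         # overlaps 5 delivered bytes; tail is new
    ]:
        r.feed(seq, payload)
    return r
```

After `demo()`, `bytes(r.data)` is the clean request and `r.retransmitted` counts the 21 bytes that were discarded; a production version would also need to bound `pending` so an unfilled hole cannot grow memory without limit.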