tcpdump mailing list archives

Re: Email Content Extraction From payload
From: Julian Mehnle <julian () mehnle net>
Date: Fri, 3 Apr 2009 12:22:50 +0000

Shameem Ahamed wrote:

I have tried a small piece of code with libnids on my Ubuntu machine.

I have modified the sample code provided by Rafal Wojtczuk on the
libnids main page.

In that one also, I have tried to print the data part to a file using
the callback function, and all the data was in binary format.

Also, libnids doesn't provide any function to check the data in the
payload (higher OSI layer, possibly application layer for HTTP).

I am done with "stripping TCP headers", and I am here with a payload
which contains all the higher-level headers and data. I want to strip
the higher-level data and get only the data.

If you register a TCP (not IP or UDP!) callback with libnids, it will just 
give you the payload data, no packet headers or anything.  If this is not 
what you're getting, you're doing something wrong and should reread the 
documentation.

If you need to analyze data not on the TCP level but on the HTTP or SMTP 
level, then libnids will NOT do that for you.  E.g., if you just want to 
get the "DATA" portion of an SMTP transaction, you could either parse the 
SMTP session yourself, wait for the "DATA" command, and then grab what 
the client sends (up to the final ".\x0d\x0a"), or you need to use some 
additional library.  But, really, parsing SMTP yourself is quite easy.

-Julian
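Julian's suggestion of parsing the SMTP session yourself, as an added example that is not part of the original thread or of libnids: a hypothetical incremental extractor in C that takes the client-to-server payload in arbitrary chunks (as a libnids TCP callback would deliver it), waits for the DATA command, and collects everything up to the terminating "<CRLF>.<CRLF>", also undoing the dot-stuffing that RFC 5321 requires on the wire. The struct and function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Incremental extractor for the client->server half of an SMTP session. It is fed
 * the reassembled TCP payload in arbitrary chunks and collects the body between the
 * DATA command and the terminating "<CRLF>.<CRLF>". Example code, not libnids. */
struct smtp_extract {
    int in_data;      /* 1 between the DATA command and the terminating "." */
    int messages;     /* completed DATA sections seen so far */
    char *line; size_t line_len, line_cap;  /* line currently being assembled */
    char *body; size_t body_len, body_cap;  /* body of the most recent message */
};

static int buf_append(char **p, size_t *len, size_t *cap, const char *s, size_t n) {
    if (*len + n + 1 > *cap) {                  /* grow geometrically, keep NUL room */
        size_t ncap = *cap ? *cap : 256;
        while (ncap < *len + n + 1) ncap *= 2;
        char *q = realloc(*p, ncap);
        if (!q) return -1;
        *p = q; *cap = ncap;
    }
    memcpy(*p + *len, s, n); *len += n; (*p)[*len] = '\0';
    return 0;
}

/* Handle one complete line, CRLF already stripped. */
static void smtp_line(struct smtp_extract *x, const char *l, size_t n) {
    if (!x->in_data) {                          /* command phase: wait for DATA */
        if (n == 4 && strncasecmp(l, "DATA", 4) == 0) {
            x->in_data = 1; x->body_len = 0;    /* start collecting a fresh body */
            if (x->body) x->body[0] = '\0';
        }
        return;
    }
    if (n == 1 && l[0] == '.') { x->in_data = 0; x->messages++; return; }  /* end of message */
    if (n > 0 && l[0] == '.') { l++; n--; }     /* undo dot-stuffing, RFC 5321 4.5.2 */
    buf_append(&x->body, &x->body_len, &x->body_cap, l, n);
    buf_append(&x->body, &x->body_len, &x->body_cap, "\r\n", 2);
}

/* Feed the next chunk of client->server payload; lines may span chunks. */
void smtp_feed(struct smtp_extract *x, const char *data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (data[i] != '\n') { buf_append(&x->line, &x->line_len, &x->line_cap, data + i, 1); continue; }
        if (x->line_len && x->line[x->line_len - 1] == '\r') x->line_len--;   /* drop CR */
        smtp_line(x, x->line, x->line_len);
        x->line_len = 0;
    }
}
```

The caller zero-initialises a struct smtp_extract, passes each chunk from its TCP callback to smtp_feed, and frees line and body when done; messages counts completed DATA sections and body holds the last one.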
