Re: reconstruct HTTP requests in custom sniffer

[Jefferson Ogata <Jefferson.Ogata () noaa gov>]

On 2010-12-28 17:22, Andrej van der Zee wrote:
> I am asked to write a custom sniffer with libpcap on Linux that has to
> handle a load of 50.000 packets per second. The sniffer has to detect all
> HTTP requests and dump the URI with additional information, such as request
> size and possibly response time/size. The packets, destined for the
> load-balancer, are duplicated by the switch using port-mirroring to my own
> machine. It is important that our solution is 100% non-intrusive to the web
> application being monitored.
>
> Probably I need to access the POST data of certain HTTP requests. Because
> HTTP requests are, obviously, broken into multiple packets, is it feasible
> to reconstruct the whole HTTP request with POST data from multiple packets?
>
> Regarding the load of 50.000 packets a second, is this expected to be a
> problem?
>
> Any feedback is very appreciated!

See urlsnarf:

http://monkey.org/~dugsong/dsniff/

I don't think it does POST data but it may be a good starting point.

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.