tcpdump mailing list archives
Re: reconstruct HTTP requests in custom sniffer
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 28 Dec 2010 18:56:25 +0000
On 2010-12-28 17:22, Andrej van der Zee wrote:
I am asked to write a custom sniffer with libpcap on Linux that has to handle a load of 50.000 packets per second. The sniffer has to detect all HTTP requests and dump the URI with additional information, such as request size and possibly response time/size. The packets, destined for the load-balancer, are duplicated by the switch using port-mirroring to my own machine. It is important that our solution is 100% non-intrusive to the web application being monitored. Probably I need to access the POST data of certain HTTP requests. Because HTTP requests are, obviously, broken into multiple packets, is it feasible to reconstruct the whole HTTP request with POST data from multiple packets? Regarding the load of 50.000 packets a second, is this expected to be a problem? Any feedback is very appreciated!
See urlsnarf: http://monkey.org/~dugsong/dsniff/ I don't think it does POST data but it may be a good starting point. -- Jefferson Ogata <Jefferson.Ogata () noaa gov> National Oceanographic Data Center You can't step into the same river twice. -- Herakleitos - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- reconstruct HTTP requests in custom sniffer Andrej van der Zee (Dec 28)
- Re: reconstruct HTTP requests in custom sniffer Jefferson Ogata (Dec 28)
- Re: reconstruct HTTP requests in custom sniffer Andrej van der Zee (Dec 28)
- Re: reconstruct HTTP requests in custom sniffer kay (Dec 28)
- Re: reconstruct HTTP requests in custom sniffer Andrej van der Zee (Dec 28)
- Re: reconstruct HTTP requests in custom sniffer Jefferson Ogata (Dec 28)