tcpdump mailing list archives

Re: reconstruct HTTP requests in custom sniffer


From: rixed () happyleptic org
Date: Sat, 8 Jan 2011 12:32:05 +0100

-[ Sat, Jan 08, 2011 at 04:42:40PM +0900, Andrej van der Zee ]----
> Hi Cedric,
>
> > Looks very similar to :
> >
> > http://github.com/securactive/junkie
>
> Is the intention of junkie to follow TCP streams and reassemble complete
> HTTP requests/responses from the packets? How far is this implemented?

TCP reordering, IP fragmentation and buffering of streams are not present on github
yet but are implemented and being reviewed. I can push to github if you want to
have a look. Concerning HTTP, for now we only fetch the hostname and URL, but we were
asked to capture the whole request including POST parameters, so this is going
to be done one way or another.

> Though, in some of
> our side-projects we need to follow TCP streams with truncated packets and
> libnids is not designed for this.

Junkie tolerates a certain amount of truncation, but any complex parser will
certainly fail in this situation.

> It would be nice to use one solution for
> all our projects, and maybe junkie could solve this.

Honestly I can't recommend one over the other. Junkie certainly has more bugs
since it's younger, but on the other hand it's backed by a company, so you have
at least one coder full time on it and the bugs can disappear pretty fast :-)

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
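The behaviour the reply describes, reassembling a TCP stream that may arrive out of order and may have segments cut short by the capture snaplen, and then pulling hostname, URL and POST body out of it, as an added example. This is illustration code, not junkie's code and not anything posted in this thread; the Segment/Stream types, the field names and the sample requests are all constructed for the example, and sequence-number wraparound is deliberately ignored. The point it makes concrete is the one in the reply: the request line and Host header usually survive a truncated capture because they sit in the first bytes of the stream, while a full request with a POST body does not, so a parser has to know where the captured data stopped being trustworthy.

```python
"""Toy TCP reassembly tolerant of reordering and snaplen truncation, feeding a
minimal HTTP request extractor (added example, not junkie's code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Segment:
    seq: int         # sequence number of the first payload byte
    wire_len: int    # payload length according to the TCP/IP headers
    payload: bytes   # bytes the capture actually holds (shorter if snaplen cut it)


@dataclass
class Stream:
    """One direction of a TCP connection.

    Out-of-order segments wait in `pending` until the bytes before them arrive.
    A truncated segment is delivered as far as it was captured, the offset of
    its missing tail is recorded in `gaps`, and the expected sequence number
    still advances by the wire length so later data lines up.
    """
    next_seq: int
    buf: bytearray = field(default_factory=bytearray)
    gaps: List[int] = field(default_factory=list)
    pending: Dict[int, Segment] = field(default_factory=dict)

    def feed(self, seg: Segment) -> None:
        if seg.seq + seg.wire_len <= self.next_seq:
            return                                    # pure retransmission, already delivered
        if seg.seq < self.next_seq:                   # partial overlap: keep only the new tail
            skip = self.next_seq - seg.seq
            seg = Segment(self.next_seq, seg.wire_len - skip, seg.payload[skip:])
        self.pending[seg.seq] = seg
        while self.next_seq in self.pending:          # flush everything that is now contiguous
            s = self.pending.pop(self.next_seq)
            self.buf += s.payload
            if len(s.payload) < s.wire_len:
                self.gaps.append(len(self.buf))       # bytes from this offset on were never captured
            self.next_seq += s.wire_len

    def trusted_len(self) -> int:
        """Number of leading bytes of buf known to be exactly what was on the wire."""
        return self.gaps[0] if self.gaps else len(self.buf)


def extract_http(stream: Stream) -> dict:
    """Method, URL, Host and body of the request in `stream`, each taken only
    from bytes that lie before the first capture gap."""
    data, trusted = bytes(stream.buf), stream.trusted_len()
    out = {"method": None, "url": None, "host": None, "body": b"",
           "headers_complete": False, "body_complete": False}
    line_end = data.find(b"\r\n")
    if line_end == -1 or line_end + 2 > trusted:
        return out                                    # the request line itself is cut
    parts = data[:line_end].split(b" ")
    if len(parts) != 3:
        return out
    out["method"] = parts[0].decode("ascii", "replace")
    out["url"] = parts[1].decode("ascii", "replace")

    head_end = data.find(b"\r\n\r\n")                 # end of the header block, if captured
    limit = head_end + 2 if head_end != -1 else len(data)
    headers, pos = {}, line_end + 2
    while pos < limit:                                # one header line per iteration
        nl = data.find(b"\r\n", pos, limit)
        if nl == -1 or nl + 2 > trusted:
            break                                     # line never ended, or ended past the gap
        name, _, value = data[pos:nl].partition(b":")
        headers[name.strip().lower()] = value.strip()
        pos = nl + 2
    host = headers.get(b"host")
    out["host"] = host.decode("ascii", "replace") if host is not None else None
    out["headers_complete"] = head_end != -1 and head_end + 4 <= trusted
    if out["headers_complete"]:
        body_start = head_end + 4
        length = int(headers.get(b"content-length", b"0"))
        out["body"] = data[body_start:body_start + length]
        out["body_complete"] = body_start + length <= trusted
    return out


def demo() -> dict:
    """Four constructed captures (sample data, not real traffic)."""
    get = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    post = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 27\r\n\r\nuser=alice&password=hunter2")
    results = {}

    s = Stream(next_seq=1000)                         # in order, fully captured
    s.feed(Segment(1000, len(get), get))
    results["get_full"] = extract_http(s)

    s = Stream(next_seq=1000)                         # second segment arrives first
    s.feed(Segment(1070, len(post) - 70, post[70:]))
    s.feed(Segment(1000, 70, post[:70]))
    s.feed(Segment(1000, 70, post[:70]))              # duplicate is ignored
    results["post_reordered"] = extract_http(s)

    s = Stream(next_seq=1000)                         # body segment cut by snaplen
    s.feed(Segment(1000, 70, post[:70]))
    s.feed(Segment(1070, len(post) - 70, post[70:80]))
    results["post_truncated_body"] = extract_http(s)

    s = Stream(next_seq=1000)                         # cut inside the Host header
    s.feed(Segment(1000, len(get), get[:32]))
    results["get_truncated_headers"] = extract_http(s)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The design choice worth noting is that `Stream.feed` advances `next_seq` by the wire length rather than by the captured length; if it used the captured length, every segment after a truncated one would look out of order and the stream would stall. The extractor then trusts only bytes before the first recorded gap, which is why the truncated POST still yields a correct URL and Host but reports the body as incomplete.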
