tcpdump mailing list archives
Re: Capturing a "clean" TCP stream
From: "Aaron Turner" <synfinatic () gmail com>
Date: Sun, 20 May 2007 11:24:49 -0700
On 5/18/07, Guy Harris <guy () alum mit edu> wrote:
> On May 18, 2007, at 7:09 AM, Alexandros Karypidis wrote:
>
> > I am writing a program that is intended to monitor the requests made
> > to a server from various clients. I am using libpcap to capture all
> > packets directed to the server's IP and need to parse the _payload_ of
> > the TCP stream (i.e. isolate the application protocol messages,
> > discarding TCP retransmissions). I am currently parsing the TCP header
> > using sequence/ack fields to detect retransmissions and extract
> > payload. Could one suggest a better approach to this?
>
> Perhaps I'm missing something, but I can't think of a better approach,
> other than "use a library that does that work for you, if it exists" (or
> steal code from an application that does it). I have the impression that
> a library of that sort might exist, but I don't remember what it might be
You're probably thinking of libnids. Basically follows the Linux 2.2 kernel
method of doing IP defragmentation and TCP stream reassembly.

http://libnids.sourceforge.net/

I can't say how well it works... I looked at using it once, but found a
variety of limitations in the API which made it a non-starter for me. YMMV.

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix
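The sequence-number bookkeeping the original question describes (detect retransmissions, extract payload) is the core of what libnids does per direction. The following is an added example written for this archive page; it is not code from the thread, from libnids or from libpcap. It works on constructed (seq, payload) pairs rather than live capture, so it runs offline; feeding it from libpcap would mean parsing the IP and TCP headers and calling `add_segment` with the TCP sequence number and payload of each captured segment. It shows the cases a reassembler has to get right: exact retransmissions, segments that partly overlap already delivered data, out-of-order segments held until the hole is filled, and 32-bit sequence-number wrap. The initial sequence number, segment contents and the `seq_diff` helper are assumptions of the example, and it ignores the receive window (a real implementation bounds how far ahead it buffers).

```python
"""Minimal one-direction TCP payload reassembler (example code, not libnids).

Tracks the next expected sequence number for one flow direction, discards
bytes that were already delivered (retransmissions, overlapping prefixes)
and buffers out-of-order segments until the gap before them is filled.
"""

SEQ_MOD = 1 << 32  # TCP sequence numbers live in a 32-bit space


def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (handles wrap-around)."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


class StreamReassembler:
    def __init__(self, isn):
        # The SYN consumes one sequence number, so data starts at isn + 1.
        self.next_seq = (isn + 1) % SEQ_MOD
        self.pending = {}            # seq -> payload, out-of-order segments
        self.delivered = bytearray() # contiguous application-layer bytes
        self.stats = {"delivered": 0, "retransmitted": 0, "trimmed": 0, "buffered": 0}

    def add_segment(self, seq, payload):
        """Feed one TCP segment's sequence number and payload bytes."""
        if not payload:
            return
        end = (seq + len(payload)) % SEQ_MOD
        # Whole segment lies behind next_seq: pure retransmission, drop it.
        if seq_diff(end, self.next_seq) <= 0:
            self.stats["retransmitted"] += 1
            return
        # Segment starts behind next_seq but reaches past it: trim the
        # already-delivered prefix and keep only the new bytes.
        if seq_diff(seq, self.next_seq) < 0:
            skip = seq_diff(self.next_seq, seq)
            payload = payload[skip:]
            seq = self.next_seq
            self.stats["trimmed"] += 1
        if seq == self.next_seq:
            self._deliver(payload)
            self._drain()
        else:
            # Hole ahead of this segment: hold it; keep the longest copy seen.
            existing = self.pending.get(seq)
            if existing is None or len(payload) > len(existing):
                self.pending[seq] = payload
            self.stats["buffered"] += 1

    def _deliver(self, payload):
        self.delivered += payload
        self.next_seq = (self.next_seq + len(payload)) % SEQ_MOD
        self.stats["delivered"] += 1

    def _drain(self):
        """Deliver buffered segments that have become contiguous."""
        while True:
            ready = None
            for seq, data in self.pending.items():
                end = (seq + len(data)) % SEQ_MOD
                if seq_diff(seq, self.next_seq) <= 0 and seq_diff(end, self.next_seq) > 0:
                    ready = seq
                    break
            if ready is None:
                # Anything left entirely behind next_seq is stale; discard it.
                for seq in list(self.pending):
                    end = (seq + len(self.pending[seq])) % SEQ_MOD
                    if seq_diff(end, self.next_seq) <= 0:
                        del self.pending[seq]
                return
            data = self.pending.pop(ready)
            self._deliver(data[seq_diff(self.next_seq, ready):])


def demo():
    """Constructed segment sequence near the 32-bit wrap; returns (stream, stats)."""
    r = StreamReassembler(isn=0xFFFFFFF0)
    segments = [
        (0xFFFFFFF1, b"GET / "),               # in order
        (0xFFFFFFF1, b"GET / "),               # exact retransmission
        (0xFFFFFFFF, b"\r\nHost: "),           # out of order, wraps past 2^32
        (0xFFFFFFF7, b"HTTP/1.1"),             # fills the hole, drains the buffer
        (0x00000003, b"st: example.test\r\n\r\n"),  # overlaps 4 delivered bytes
        (0xFFFFFFF1, b"GET / HTTP"),           # late retransmission from before wrap
    ]
    for seq, payload in segments:
        r.add_segment(seq, payload)
    return bytes(r.delivered), r.stats


if __name__ == "__main__":
    stream, stats = demo()
    print(stream.decode(), stats)
```

The delivered bytes form the single HTTP request even though two segments were retransmitted and one arrived early; the stats dictionary is the kind of counter a monitor would expose to see how noisy a link is.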