tcpdump mailing list archives
Re: reconstruct HTTP requests in custom sniffer
From: rixed () happyleptic org
Date: Sat, 8 Jan 2011 12:32:05 +0100
-[ Sat, Jan 08, 2011 at 04:42:40PM +0900, Andrej van der Zee ]----
> Hi Cedric,
>
> > Looks very similar to : http://github.com/securactive/junkie
>
> Is the intention of junkie to follow TCP streams and reassemble complete HTTP requests/responses from the packets? How far is this implemented?
TCP reordering, IP fragmentation and buffering of streams are not present on github yet but are implemented and being reviewed. I can push to github if you want to have a look. Concerning HTTP, for now we only fetch the hostname and URL, but we were asked to capture the whole request including POST parameters, so this is going to be done one way or another.
> Though, in some of our side-projects we need to follow TCP streams with truncated packets and libnids is not designed for this.
Junkie tolerates a certain amount of truncation, but any complex parser will certainly fail in this situation.
> It would be nice to use one solution for all our projects, and maybe junkie could solve this.
Honestly I can't recommend one over the other. Junkie certainly has more bugs since it's younger, but on the other hand it's backed by a company, so you have at least 1 coder full time on it and the bugs can disappear pretty fast :-)

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- Re: reconstruct HTTP requests in custom sniffer Cedric Cellier (Jan 07)
- Re: reconstruct HTTP requests in custom sniffer Andrej van der Zee (Jan 07)
- Re: reconstruct HTTP requests in custom sniffer rixed (Jan 08)
- Re: reconstruct HTTP requests in custom sniffer Andrej van der Zee (Jan 08)
- Re: reconstruct HTTP requests in custom sniffer Cedric Cellier (Jan 10)
- Re: reconstruct HTTP requests in custom sniffer Andrej van der Zee (Jan 10)
- Re: reconstruct HTTP requests in custom sniffer rixed (Jan 08)
- Re: reconstruct HTTP requests in custom sniffer Andrej van der Zee (Jan 07)