tcpdump mailing list archives
Re: reconstruct HTTP requests in custom sniffer
From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Wed, 29 Dec 2010 15:53:33 +0900
> Hi, I implemented an HTTP parser one year ago. I remember that when the
> parser calculated the request-response latency and inspected the fields of interest but did not record or dump them, the speed reached about 2 Gbps on a single core, and 8 Gbps on 6 cores. I think a 0.05 Mpps parser is easy work.
Thanks, that sounds promising.
> However, as you said you have to reconstruct the whole HTTP request with POST data, that will be a different story. You need to store the previous packets and do a memcpy() operation to concatenate them when later packets are received. In my experience, the cost is huge, especially the memcpy operation. It depends on how many packets belong to such cross-packet POST requests. Usual GET requests do not have this issue.
Hopefully libnids can do this for me efficiently...

Cheers,
Andrej

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
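The cross-packet POST case discussed above, as an added example that is not part of the original thread and is not libnids code: an incremental HTTP request reassembler in C that is fed TCP payload segments in order. Instead of re-concatenating all previous packets for every new one, it keeps a single buffer that grows geometrically, so each segment is copied exactly once, and it uses Content-Length to decide when the request is complete. It also applies two checks a sniffer wants before trusting the stream: a per-request memory limit (so a claimed huge body cannot exhaust memory) and rejection of conflicting Content-Length headers. The names (`http_req`, `http_req_feed`, the 64 KiB limit) and the sample segments are constructed for this example; it assumes segments arrive in order for one stream and does not handle pipelined requests or chunked encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One in-progress HTTP request on one TCP stream (hypothetical type). */
typedef struct {
    char  *buf;
    size_t len, cap;
    size_t hdr_end;   /* offset just past "\r\n\r\n", 0 while headers incomplete */
    size_t body_len;  /* Content-Length once headers are parsed */
    size_t limit;     /* hard cap on bytes buffered for one request */
} http_req;

void http_req_init(http_req *r, size_t limit) { memset(r, 0, sizeof *r); r->limit = limit; }
void http_req_free(http_req *r) { free(r->buf); memset(r, 0, sizeof *r); }

/* Case-insensitive prefix test; header names are case-insensitive. */
static int has_prefix_ci(const char *s, size_t n, const char *p)
{
    size_t pl = strlen(p);
    if (n < pl) return 0;
    for (size_t i = 0; i < pl; i++) {
        char a = s[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (a != p[i]) return 0;
    }
    return 1;
}

/* Find Content-Length in h[0..hlen). Returns -1 if the value is malformed,
   would overflow, or two Content-Length headers disagree: that ambiguity is
   the request-smuggling case, and a sniffer should flag it rather than guess. */
static int parse_content_length(const char *h, size_t hlen, size_t *out)
{
    size_t i = 0, found = 0, val = 0;
    while (i < hlen && !(h[i] == '\r' && h[i + 1] == '\n')) i++;   /* skip request line */
    i += 2;
    while (i < hlen) {
        size_t eol = i;
        while (eol + 1 < hlen && !(h[eol] == '\r' && h[eol + 1] == '\n')) eol++;
        if (has_prefix_ci(h + i, eol - i, "content-length:")) {
            size_t j = i + 15, v = 0, digits = 0;
            while (j < eol && h[j] == ' ') j++;
            for (; j < eol && h[j] >= '0' && h[j] <= '9'; j++, digits++) {
                if (v > (SIZE_MAX - 9) / 10) return -1;
                v = v * 10 + (size_t)(h[j] - '0');
            }
            while (j < eol && h[j] == ' ') j++;
            if (!digits || j != eol) return -1;
            if (found && v != val) return -1;
            found = 1; val = v;
        }
        i = eol + 2;
    }
    *out = found ? val : 0;
    return 0;
}

/* Append one in-order TCP segment. Returns 1 when the request (headers plus
   body) is complete, 0 if more data is needed, -1 on bad headers or when the
   per-request limit would be exceeded. Each byte is copied exactly once. */
int http_req_feed(http_req *r, const char *data, size_t n)
{
    if (n > r->limit - r->len) return -1;            /* bound memory before copying */
    if (r->len + n > r->cap) {
        size_t ncap = r->cap ? r->cap * 2 : 1024;    /* geometric growth: amortised O(1) */
        while (ncap < r->len + n) ncap *= 2;
        if (ncap > r->limit) ncap = r->limit;
        char *nb = realloc(r->buf, ncap);
        if (!nb) return -1;
        r->buf = nb; r->cap = ncap;
    }
    memcpy(r->buf + r->len, data, n);
    r->len += n;
    if (!r->hdr_end) {
        /* Only the new bytes (plus 3 of overlap) can contain the blank line. */
        size_t start = r->len - n >= 3 ? r->len - n - 3 : 0;
        for (size_t i = start; i + 3 < r->len; i++)
            if (memcmp(r->buf + i, "\r\n\r\n", 4) == 0) { r->hdr_end = i + 4; break; }
        if (!r->hdr_end) return 0;
        if (parse_content_length(r->buf, r->hdr_end, &r->body_len) < 0) return -1;
        if (r->body_len > r->limit - r->hdr_end) return -1;   /* declared body too big */
    }
    return r->len >= r->hdr_end + r->body_len ? 1 : 0;
}

/* Constructed sample: a POST whose header block and body span three segments. */
static const char *post_segments[3] = {
    "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Le",
    "ngth: 29\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nuser=al",
    "ice&pass=hunter2&tok=1",
};

/* Feeds the sample; fills results[] with the per-segment return codes and
   returns the parsed Content-Length. */
int demo_post_progress(int results[3])
{
    http_req r; http_req_init(&r, 64 * 1024);
    for (int i = 0; i < 3; i++)
        results[i] = http_req_feed(&r, post_segments[i], strlen(post_segments[i]));
    int cl = (int)r.body_len;
    http_req_free(&r);
    return cl;
}

int demo_conflicting_length(void)   /* two disagreeing Content-Length headers */
{
    static const char req[] = "POST /x HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 9\r\n\r\nhello";
    http_req r; http_req_init(&r, 4096);
    int rc = http_req_feed(&r, req, sizeof req - 1);
    http_req_free(&r);
    return rc;
}

int demo_over_limit(void)   /* declared body larger than the per-request cap */
{
    static const char req[] = "POST /x HTTP/1.1\r\nContent-Length: 1000000\r\n\r\n";
    http_req r; http_req_init(&r, 4096);
    int rc = http_req_feed(&r, req, sizeof req - 1);
    http_req_free(&r);
    return rc;
}

int main(void)
{
    int res[3];
    int cl = demo_post_progress(res);
    printf("segments -> %d %d %d, Content-Length %d\n", res[0], res[1], res[2], cl);
    printf("conflicting lengths -> %d, oversized body -> %d\n",
           demo_conflicting_length(), demo_over_limit());
    return 0;
}
```

In a real sniffer the `http_req` would hang off the per-connection state that libnids (or your own TCP reassembly) hands you, and `http_req_feed` would be called from the data callback; GET requests normally complete on the first call, so the extra copy only costs on the cross-packet POST case the thread is worried about.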
Current thread:
- reconstruct HTTP requests in custom sniffer Andrej van der Zee (Dec 28)
- Re: reconstruct HTTP requests in custom sniffer Jefferson Ogata (Dec 28)
- Re: reconstruct HTTP requests in custom sniffer Andrej van der Zee (Dec 28)
- Re: reconstruct HTTP requests in custom sniffer kay (Dec 28)
- Re: reconstruct HTTP requests in custom sniffer Andrej van der Zee (Dec 28)
- Re: reconstruct HTTP requests in custom sniffer Jefferson Ogata (Dec 28)