tcpdump mailing list archives
Re: reconstruct HTTP requests in custom sniffer
From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Sun, 9 Jan 2011 14:19:53 +0900
Hi Cedric,
TCP reordering, IP fragmentation and buffering of streams are not present on github yet but are implemented and being reviewed. I can push to github if you want to have a look. Concerning HTTP, for now we only fetch hostname and URL but were asked to capture the whole request including POST parameters, so this is going to be done one way or another.
Is there anything to say about a rough time schedule? If we decide to use junkie, it would be nice to step in *after* the review. Then my experiences could serve to test the reviewed code, rather than premature code.
Though, in some of our side-projects we need to follow TCP streams with truncated packets and libnids is not designed for this. Junkie tolerates a certain amount of truncation, but any complex parser will certainly fail in this situation.
In some of our projects, we are only interested in the length of HTTP requests and responses; therefore reassembling the whole requests would be overkill, as the segment lengths can be read from the TCP headers of packets in a TCP stream, obviously. In other projects, we definitely have to access the POST data and need full reassembly. Depending on the project, a different parsing behavior is wanted. Will such behavior be configurable without having to write my own patches against junkie?
It would be nice to use one solution for all our projects, and maybe junkie could solve this.
Honestly I can't recommend one over the other. Junkie certainly has more bugs since it's younger, but on the other hand it's backed by a company so you have at least 1 coder full time on it so the bugs can disappear pretty fast :-)
I do not mind a few bugs and getting my hands in the mud :) One last concern is the licensing constraints. Suppose my company decides to use junkie and I participate in bug fixes, real-life testing and who knows to what extent, then what are the constraints? Obviously we will be using junkie for our own sake, and the software built on top of junkie cannot be open-source, unfortunately. Moreover, I am not very familiar with licensing, but can we build our own software on top of junkie without financial obligations?
Thank you,
Andrej
-
This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
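The length-only case mentioned in the message above, as an added example that is not part of the original post and is not junkie or libnids code: the payload size of a segment is derived from the IPv4 total length, the IP header length and the TCP data offset, so it survives snaplen truncation as long as the headers are captured. The function name and the sample packet are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Payload length of one IPv4/TCP packet, computed from header fields only.
 * `ip` points at the IPv4 header; `caplen` is how many bytes were captured,
 * which may be less than the on-wire size (snaplen truncation).
 * Returns -1 when the headers are not fully captured, the packet is not
 * IPv4/TCP, or it is an IP fragment (those need reassembly first). */
long tcp_payload_len(const uint8_t *ip, size_t caplen)
{
    if (caplen < 20 || (ip[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;        /* IP header length  */
    size_t total = ((size_t)ip[2] << 8) | ip[3];    /* IP total length   */
    unsigned frag = ((unsigned)ip[6] << 8) | ip[7]; /* flags + offset    */
    if (ihl < 20 || ip[9] != 6)                     /* protocol 6 = TCP  */
        return -1;
    if (frag & 0x3fff)                              /* MF set or offset != 0 */
        return -1;
    if (caplen < ihl + 13)                          /* data-offset byte captured? */
        return -1;
    size_t doff = (size_t)(ip[ihl + 12] >> 4) * 4;  /* TCP header length */
    if (doff < 20 || total < ihl + doff)
        return -1;
    return (long)(total - ihl - doff);
}

/* Constructed sample: a 540-byte IPv4/TCP packet to port 80 with a 32-byte
 * TCP header, truncated by the capture to its first 34 bytes. */
static const uint8_t sample_pkt[34] = {
    0x45, 0x00, 0x02, 0x1c, 0x00, 0x01, 0x40, 0x00,  /* ver/ihl, len=540, DF */
    0x40, 0x06, 0x00, 0x00, 0xc0, 0x00, 0x02, 0x01,  /* ttl, TCP, 192.0.2.1  */
    0xc6, 0x33, 0x64, 0x02,                          /* dst 198.51.100.2     */
    0xc0, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01,  /* ports, seq           */
    0x00, 0x00, 0x00, 0x01, 0x80, 0x18               /* ack, doff=8, PSH|ACK */
};

int main(void)
{
    printf("payload bytes: %ld\n",
           tcp_payload_len(sample_pkt, sizeof sample_pkt));
    return 0;
}
```

Summing these values per direction counts retransmitted segments again unless sequence numbers are tracked as well.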