Discussion:
libnids tcp reassembly
muhammad alqama
2004-10-11 15:57:23 UTC
Hi,
I'm using libnids for TCP reassembly. I'm trying to sniff multiple TCP
sessions simultaneously and want to save each TCP stream completely in a
separate file.

Can someone tell me HOW TO DO THAT?


Waiting for a reply.

regards
alqama
Graeme Connell
2004-10-11 17:02:05 UTC
If you want to use Ethereal, you can hit the capture button to capture
tcp traffic, then click on any packet, go to the "Analyze" menu, and
click "Follow TCP Stream". This will display only the current TCP
stream (the one dealing with the packet you just clicked), and will
allow multiple options to save that stream to a file, including C arrays
and hex dumps.

--Graeme Connell
Jose Nazario
2004-10-11 16:50:55 UTC
Post by muhammad alqama
I'm using libnids for TCP reassembly. I'm trying to sniff multiple TCP
sessions simultaneously and want to save each TCP stream completely in a
separate file.
When your TCP session hits a closing state (one of NIDS_CLOSE,
NIDS_TIMEDOUT or NIDS_RESET), save the stream data to a file. In a nutshell
the code will look like this (where monitor_tcp() is your TCP callback
registered in the nids setup routines):

#include <stdio.h>
#include <string.h>
#include <time.h>
#include <arpa/inet.h>
#include <nids.h>

void
monitor_tcp(struct tcp_stream *stream, void **unused)
{
	switch (stream->nids_state) {
	case NIDS_JUST_EST:
		/* tell libnids to collect both directions (see my follow-up) */
		stream->client.collect = 1;
		stream->server.collect = 1;
		break;
	case NIDS_DATA:
		/* keep the data buffered until the session ends instead of
		 * letting libnids discard it after each callback */
		nids_discard(stream, 0);
		break;
	case NIDS_CLOSE:
	case NIDS_TIMED_OUT:
	case NIDS_RESET: {
		char clientfile[80], serverfile[80], saddr[16], daddr[16];
		time_t now;
		FILE *output;

		now = time(NULL);
		/* addresses arrive in network byte order, ports in host order */
		strcpy(saddr, inet_ntoa(*(struct in_addr *)&stream->addr.saddr));
		strcpy(daddr, inet_ntoa(*(struct in_addr *)&stream->addr.daddr));

		/* data from client first */
		snprintf(clientfile, sizeof(clientfile), "%s-%hu-%s-%hu-%ld",
		    saddr, stream->addr.source, daddr, stream->addr.dest, (long)now);
		output = fopen(clientfile, "w");
		if (output != NULL) {
			/* fwrite, not fprintf: the payload is not NUL-terminated
			 * and must never be used as a format string */
			fwrite(stream->client.data, 1,
			    stream->client.count - stream->client.offset, output);
			fclose(output);
		}

		/* data from server now */
		snprintf(serverfile, sizeof(serverfile), "%s-%hu-%s-%hu-%ld",
		    daddr, stream->addr.dest, saddr, stream->addr.source, (long)now);
		output = fopen(serverfile, "w");
		if (output != NULL) {
			fwrite(stream->server.data, 1,
			    stream->server.count - stream->server.offset, output);
			fclose(output);
		}
		break;
	}
	}
}


I think I may have the client/server data backwards for the addresses, and
you will want to pretty print the IP addresses (i.e. make them print as
dotted quads), but you get the idea. Since you have access to the client
and server data streams, you can basically fopen() a file that describes
them in some fashion (in this case it's srcip-sport-destip-dport-time) and
dump the data into them using fprintf(). Bugs most certainly exist in the
above code sample, but it should help you start with what to do.

________
jose nazario, ph.d. ***@monkey.org
http://monkey.org/~jose/ http://infosecdaily.net/
Jose Nazario
2004-10-11 16:54:59 UTC
Don't forget to set stream->client.collect = 1 and stream->server.collect
= 1 in your TCP callback when the state NIDS_JUST_ESTABLISHED is set.
Without it you'll have no data to speak of.

I introduced libnids this past week in Malaysia at HitB 2004. Slides are
here; you guys get a sneak peek:

http://monkey.org/~jose/presentations/hitb04-tools.d/

The talk covered libdnet, libpcap, libnids and libevent, i.e. packet mastering
...

________
jose nazario, ph.d. ***@monkey.org
http://monkey.org/~jose/ http://infosecdaily.net/
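Added example, not code from this thread or from libnids: it puts Jose's two posts together (the collect flags on establishment, per-direction files named srcip-sport-dstip-dport-time, closing on CLOSE/RESET/TIMED_OUT) as a callback that appends each direction's bytes to its file as they arrive, so a long session is never held whole in memory. The three structs are constructed stand-ins carrying only the libnids fields the callback touches (struct tuple4, half_stream, tcp_stream), so it compiles without nids.h; the NIDS_* values and the void **param signature are taken from nids.h as I know it, and stream_filename, write_new_bytes and stream_files are names of my own.

```c
/* Added example, not code from the thread or from libnids itself.
 * The three structs are constructed stand-ins that copy only the libnids
 * fields a TCP callback uses (tuple4, half_stream, tcp_stream) so this
 * compiles without nids.h; the NIDS_* values follow nids.h. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <arpa/inet.h>

#define NIDS_JUST_EST   1
#define NIDS_DATA       2
#define NIDS_CLOSE      3
#define NIDS_RESET      4
#define NIDS_TIMED_OUT  5

/* ports are host order, addresses network order, as libnids hands them over */
struct tuple4 { unsigned short source, dest; unsigned int saddr, daddr; };
/* with the default discard policy, data holds exactly count_new new bytes */
struct half_stream { char collect; char *data; int count, offset, count_new; };
struct tcp_stream {
    struct tuple4 addr; char nids_state;
    struct half_stream client, server; void *user;
};

/* per-stream bookkeeping hung off tcp_stream->user: one file per direction */
struct stream_files { FILE *from_client; FILE *from_server; };

/* srcip-sport-dstip-dport-time with dotted quads; returns the length, or -1
 * if it would not fit (a truncated name could merge two streams' files) */
int stream_filename(char *buf, size_t n, unsigned int src, unsigned short sport,
                    unsigned int dst, unsigned short dport, time_t now)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
    struct in_addr a;
    int len;
    a.s_addr = src; inet_ntop(AF_INET, &a, s, sizeof s);
    a.s_addr = dst; inet_ntop(AF_INET, &a, d, sizeof d);
    len = snprintf(buf, n, "%s-%hu-%s-%hu-%ld", s, sport, d, dport, (long)now);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* write the bytes that arrived in this callback with an explicit length:
 * the payload is peer-controlled and not NUL-terminated, so it must never
 * reach fprintf() as the format argument */
size_t write_new_bytes(FILE *f, const struct half_stream *h)
{
    if (f == NULL || h->count_new <= 0)
        return 0;
    return fwrite(h->data, 1, (size_t)h->count_new, f);
}

/* the TCP callback: open both files when the session is established, append
 * as data arrives and close on CLOSE/RESET/TIMED_OUT; the void **param is
 * the second argument libnids passes to a registered TCP callback */
void monitor_tcp(struct tcp_stream *s, void **param)
{
    struct stream_files *sf = s->user;
    char name[128];
    time_t now;
    (void)param;

    switch (s->nids_state) {
    case NIDS_JUST_EST:
        s->client.collect = 1;     /* without these, libnids collects nothing */
        s->server.collect = 1;
        if ((sf = calloc(1, sizeof *sf)) == NULL)
            return;
        now = time(NULL);
        if (stream_filename(name, sizeof name, s->addr.saddr, s->addr.source,
                            s->addr.daddr, s->addr.dest, now) > 0)
            sf->from_client = fopen(name, "wb");
        if (stream_filename(name, sizeof name, s->addr.daddr, s->addr.dest,
                            s->addr.saddr, s->addr.source, now) > 0)
            sf->from_server = fopen(name, "wb");
        s->user = sf;
        break;
    case NIDS_DATA:
        if (sf == NULL)
            return;
        write_new_bytes(sf->from_client, &s->client);
        write_new_bytes(sf->from_server, &s->server);
        break;
    case NIDS_CLOSE:
    case NIDS_RESET:
    case NIDS_TIMED_OUT:
        if (sf == NULL)
            return;
        if (sf->from_client) fclose(sf->from_client);
        if (sf->from_server) fclose(sf->from_server);
        free(sf);
        s->user = NULL;
        break;
    }
}
```

Registering monitor_tcp with nids_register_tcp() is all a real program adds; the only state it keeps per session is two FILE pointers, and the bytes are written with fwrite() and a length rather than fprintf(), which is the one line in the sketch above that would let a peer's payload act as a format string.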
Aaron Turner
2004-10-11 17:00:52 UTC
Muhammad,

Well this is the libnet mailing list, not the libnids mailing list, but
I'm sure some people here would be willing to help you if you provided
more information on the problem.

Basically, nobody here is going to write your program for you (and there
are programs which do this already such as tcpflow), but if you want
help, you need to be a lot more specific in your request.

Regards,
Aaron
--
Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin
All emails are PGP signed; a lack of a signature indicates a forgery.
muhammad alqama
2004-10-12 05:02:22 UTC
hi ppl
thanx for replying and extending ur help

I would like to comment on Aaron's arguments. I know this is the libnet
mailing list, not libnids', but I could not find an appropriate mailing
list for libnids, and also not so much information is available about
libnids (or at least I can't find it).

Also I don't intend to get my code programmed by someone else .. I
just wanted the idea ..

thanx to Graeme Connell and Jose Nazario for their help.

hoping to find ppl here helpful in future as well

regards
alqama