Discussion:
tcp reassembly for multiple connections simultaneously help needed
muhammad alqama
2004-10-22 17:29:21 UTC
Hi all,

I'm trying to build and save (in separate files) TCP sessions for
multiple connections from sniffed data.
I have tried to save data after NIDS_CLOSE || NIDS_RESET, but it
does not work (I don't know why): it writes garbage to the file, or
sometimes a very small amount of data (perhaps the buffer size has to be
increased, but TCP->CLIENT.BUFSIZE does no good). (I need
multithreaded-like support.) Saving data at NIDS_DATA is not
helpful, as I need to save the data for each connection in separate files.
Any suggestions regarding a solution to the problem?

Waiting for the reply.

Regards,
alqama
Jose Nazario
2004-10-25 01:21:44 UTC
Post by muhammad alqama
I'm trying to build and save (in separate files) TCP sessions for
multiple connections from sniffed data. I have tried to save data after
NIDS_CLOSE || NIDS_RESET, but it does not work (I don't know
why): it writes garbage to the file, or sometimes a very small amount of
data (perhaps the buffer size has to be increased, but TCP->CLIENT.BUFSIZE
does no good). (I need multithreaded-like support.) Saving data at
NIDS_DATA is not helpful, as I need to save the data for each
connection in separate files. Any suggestions regarding a solution to the
problem?
are you calling nids_discard() in the state NIDS_DATA? in your TCP
callback, check for the state NIDS_DATA and, when you see it, call
"nids_discard(tcp, 0)" where "tcp" is the tcp stream object in your
callback; change the name as needed.

from the manpage:

nids_discard() may be called from the TCP callback function to specify
the number of bytes to discard from the beginning of the data buffer
(updating the offset value accordingly) after the TCP callback function
exits. Otherwise, the new data (totalling count_new bytes) will be
discarded by default.


sounds like you're discarding the new data.

________
jose nazario, ph.d. ***@monkey.org
http://monkey.org/~jose/ http://infosecdaily.net/
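An added example, not code from either poster: a self-contained C model of the libnids buffer handling the answer describes. The NIDS_* states, the struct fields and nids_discard() are stand-ins declared inline (the real definitions are in libnids' nids.h), and the segments are constructed sample data; it shows that a callback which calls nids_discard(tcp, 0) on NIDS_DATA still holds the whole stream at NIDS_CLOSE, while leaving the default discard in place means nothing is left to save.

```c
#include <string.h>
/* Constructed stand-ins for the libnids types used here; the real definitions are in nids.h. */
enum { NIDS_DATA = 2, NIDS_CLOSE = 3, NIDS_RESET = 4 };
struct half_stream { char *data; int offset, count, count_new; };
struct tcp_stream  { int nids_state, read; struct half_stream client; };
/* Models nids_discard(): bytes dropped from the buffer front after the callback (default count_new). */
static void nids_discard(struct tcp_stream *t, int num) { t->read = num; }
static int keep_all = 1;   /* 0 reproduces the behaviour the first post describes */
static char saved[256];    /* stands in for the per-connection output file */

/* The shape the answer suggests: keep buffering while the stream is up, write once at close/reset. */
static void tcp_callback(struct tcp_stream *t)
{
    struct half_stream *h = &t->client;   /* data the client received */
    if (t->nids_state == NIDS_DATA) {
        if (keep_all)
            nids_discard(t, 0);           /* keep everything buffered */
    } else if (t->nids_state == NIDS_CLOSE || t->nids_state == NIDS_RESET) {
        int n = h->count - h->offset;     /* data[] holds only this many bytes */
        memcpy(saved, h->data, n);        /* real code: fwrite() to a file named from t->addr */
        saved[n] = '\0';
    }
}

/* Emulates libnids: append a segment, run the callback, apply the discard. */
static void deliver(struct tcp_stream *t, const char *seg)
{
    struct half_stream *h = &t->client;
    int len = (int)strlen(seg);
    memcpy(h->data + (h->count - h->offset), seg, len);
    h->count += len;
    h->count_new = len;
    t->read = len;                        /* libnids' default before the callback */
    t->nids_state = NIDS_DATA;
    tcp_callback(t);
    memmove(h->data, h->data + t->read, h->count - h->offset - t->read);
    h->offset += t->read;
}

/* One three-segment session on constructed sample data; returns what got saved. */
static const char *run_session(int keep)
{
    static char buf[256];
    struct tcp_stream t = {0};
    t.client.data = buf; keep_all = keep; saved[0] = '\0';
    deliver(&t, "HTTP/1.0 200 OK\r\n");
    deliver(&t, "Server: x\r\n\r\n");
    deliver(&t, "hello");
    t.nids_state = NIDS_CLOSE; tcp_callback(&t);
    return saved;
}
```

In a real callback the same logic runs for t->server as well, and the NIDS_TIMED_OUT and NIDS_EXITING states deserve the same save-and-close handling.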
