On Sunday 25 July 2004 03:03, you wrote:
> On Sat, 24-07-2004 at 18:22, [EMAIL PROTECTED] wrote:
> > > Simple: use transparent proxy support of IPTables to get the stream
> > > delivered to a chosen port on the gateway, analyze to your heart
> > > content, and then open a socket and send it back to original
> > > destination (using iptables NAT to mask the source to the original one,
> > > of course).

A very good idea! But if going on netfilter, why not try the NetLink userspace queueing driver? [1,2] Then again, you have to deal with precisely the same packet handling issues as you did in the libnids approach, just from userspace. The advantage here is that you can hold packets until all fragments are received, and then send them as a whole (if you need to). It gives userspace all the control over the network traffic of the host. If you combine that with a small monkey-in-the-middle application, you could successfully log any traffic on any port, regardless of the protocol.

> > I have just looked at this. But I found one problem. When redirecting
> > connection to some other IP address the original destination ip and port
> > are lost. In case of http protocol it is not a problem because the html
> > header has a "host" value. But what about general case.
>
> try ethereal.

He wants to reconstruct traffic in real time, then save/analyze it (probably), all that on a gateway box. Point-n-click approach is not an option. ettercap could do that job too.

Best regards,
Alex

[1] http://www.skyfree.org/linux/kernel_network/netlink.html
[2] http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html#ss4.3

and some more:
http://www.linuxia.de/netfilter.en.html#userspace
/usr/src/linux/net/ipv4/netfilter/ip_queue.c
http://www.cs.princeton.edu/~nakao/libipq.htm

-- 
The difference between theory and practice, is that in theory, there is no difference between theory and practice.
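The "monkey-in-the-middle" relay described above, as an added example that is not code from this thread: a small Python relay for the iptables REDIRECT setup from the quoted message. It also addresses the quoted complaint that the original destination is lost: on Linux the pre-NAT address can be read back from conntrack with the SO_ORIGINAL_DST socket option, which the thread itself does not mention. The function names (`parse_sockaddr_in`, `pump`, `serve`), the `sink` logging callback and the sample iptables rule in the comment are assumptions of this example.

```python
import select
import socket
import struct

# Assumption: the gateway steers traffic here with e.g. iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 8080
SOL_IP = 0             # value of SOL_IP on Linux
SO_ORIGINAL_DST = 80   # from <linux/netfilter_ipv4.h>; not exported by Python's socket module

def parse_sockaddr_in(raw):
    """Decode the struct sockaddr_in that SO_ORIGINAL_DST returns into (ip, port)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack_from("=H", raw, 0)[0]   # sin_family, host byte order
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address")
    port = struct.unpack_from("!H", raw, 2)[0]     # sin_port, network byte order
    return socket.inet_ntoa(raw[4:8]), port        # sin_addr, network byte order

def original_destination(conn):
    """Ask conntrack where a REDIRECTed connection was really going (Linux only)."""
    return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))

def pump(client, upstream, sink):
    """Copy bytes both ways until one side hits EOF; each chunk goes to sink(direction, data)."""
    counts = {"C->S": 0, "S->C": 0}                 # bytes seen per direction (returned)
    peers = {client: (upstream, "C->S"), upstream: (client, "S->C")}
    while True:
        ready, _, _ = select.select(list(peers), [], [])
        for src in ready:
            dst, direction = peers[src]
            data = src.recv(65536)
            if not data:                  # EOF: stop relaying this connection
                return counts
            sink(direction, data)         # logging hook: any port, any protocol
            counts[direction] += len(data)
            dst.sendall(data)

def serve(listen_port, sink):
    """Accept connections REDIRECTed to listen_port; relay each to its real destination."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("0.0.0.0", listen_port))
    lsock.listen(16)
    while True:
        client, peer = lsock.accept()
        host, port = original_destination(client)
        sink("NEW", f"{peer[0]}:{peer[1]} -> {host}:{port}".encode())
        with client, socket.create_connection((host, port)) as upstream:
            pump(client, upstream, sink)
```

Because the relay connects onward from the gateway itself, the upstream side sees the gateway's address as the source; the SNAT masking from the quoted message is still needed if the original source must be preserved.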