-[ Sat, Jan 08, 2011 at 04:42:40PM +0900, Andrej van der Zee ]----
> Hi Cedric,
>
> > Looks very similar to :
> >
> > http://github.com/securactive/junkie
>
> Is the intention of junkie to follow TCP streams and reassemble complete
> HTTP requests/responses from the packets? How far is this implemented?
TCP reordering, IP fragmentation and buffering of streams are not present on github yet, but they are implemented and are being reviewed. I can push to github if you want to have a look.

Concerning HTTP, for now we only fetch the hostname and URL, but we were asked to capture the whole request including POST parameters, so this is going to be done one way or another.

> Though, in some of our side-projects we need to follow TCP streams with
> truncated packets and libnids is not designed for this.

Junkie tolerates a certain amount of truncation, but any complex parser will certainly fail in this situation.

> It would be nice to use one solution for all our projects, and maybe
> junkie could solve this.

Honestly I can't recommend one over the other. Junkie certainly has more bugs since it's younger, but on the other hand it's backed by a company, so you have at least 1 coder full time on it and the bugs can disappear pretty fast :-)

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
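The reply touches on two things a stream follower has to get right before any HTTP parser can run: putting out-of-order segments back in sequence, and noticing when the capture's snaplen cut a segment short so the parser is not fed silently mangled data. The following is an added illustration, not code from junkie or libnids; the `Segment` shape and the sample POST are constructed for the example.

```python
"""Minimal one-direction TCP reassembly that accounts for snaplen truncation."""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    wire_len: int   # payload length the IP/TCP headers declare
    payload: bytes  # bytes actually present in the capture (shorter if truncated)


class StreamReassembler:
    """Reorders segments by sequence number and delivers contiguous data.

    Bytes the headers declared but the snaplen cut off are replaced by a
    filler so offsets stay correct, and counted so a higher-layer parser can
    decide whether the reassembled buffer is trustworthy.
    """

    def __init__(self, isn, filler=b"\x00"):
        self.next_seq = isn      # first sequence number not yet delivered
        self.pending = {}        # seq -> Segment waiting for earlier bytes
        self.data = bytearray()
        self.truncated = 0       # declared-but-missing bytes so far
        self.filler = filler

    def add(self, seg):
        if seg.seq + seg.wire_len <= self.next_seq:
            return                            # full retransmission, already delivered
        if seg.seq < self.next_seq:           # partial overlap: drop the delivered prefix
            cut = self.next_seq - seg.seq
            seg = Segment(self.next_seq, seg.wire_len - cut, seg.payload[cut:])
        self.pending[seg.seq] = seg
        while self.next_seq in self.pending:  # flush everything now contiguous
            cur = self.pending.pop(self.next_seq)
            self.data += cur.payload
            missing = cur.wire_len - len(cur.payload)
            if missing > 0:                   # capture was shorter than the wire
                self.data += self.filler * missing
                self.truncated += missing
            self.next_seq += cur.wire_len


def reassemble(isn, segments):
    """Return (stream bytes, truncated byte count, True if a hole remains)."""
    r = StreamReassembler(isn)
    for seg in segments:
        r.add(seg)
    return bytes(r.data), r.truncated, bool(r.pending)


# Constructed sample: a POST split in three segments, arriving body first,
# with the body segment cut to 4 of its 8 declared bytes by the snaplen.
SAMPLE = [
    Segment(1038, 8, b"a=1&"),
    Segment(1017, 21, b"Content-Length: 8\r\n\r\n"),
    Segment(1000, 17, b"POST / HTTP/1.1\r\n"),
    Segment(1000, 17, b"POST / HTTP/1.1\r\n"),  # duplicate retransmission
]
```

A parser downstream should treat `truncated > 0` or an unfilled hole as a reason to reject or flag the request rather than parse the filler as real data.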