4

I've been writing a simple sniffer tool. I started out with libpcap, but then realized it would be useful to keep track of TCP stream information, so I began reading about and experimenting with libnids.

It's a great tool; however, it does not create a new record in its internal hash table of streams if it does not witness the TCP handshake (SYN, SYN/ACK, ACK) of a certain stream. As a result I wouldn't be able to see a lot of data unless I started the sniffer before the handshake occurs. The documentation is a bit lacking. Does anyone know if it's possible to get around this limitation?

Caleb Hearon
  • Hi Caleb, I'm using pynids to grab streams from pcaps and network traffic. I have come across a situation where pynids/libnids fails to see TCP streams for pcaps containing half-open streams. I was assuming this was fixed in libnids 1.21, but apparently not. http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=21;bug=420129 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=284937 Can you please elaborate how to tcpkill a connection if the TCP callback never gets triggered? – fimz May 10 '11 at 22:39
  • Hi fimz, FYI I think Stack Overflow encourages asking a new question rather than this. The TCP callback will only get called if (a) a TCP handshake was witnessed, (b) data was sent on a TCP connection that you specified to track in (a), or (c) a TCP connection has closed that you specified to track in (a). I discovered that you can use tcpkill to break connections you want libnids to pick up: so if you know what connection you want to kill, configure tcpkill to kill it, and the connection should re-handshake, and from then on NIDS will pick it up. I used the tcpkill included with dsniff. – Caleb Hearon May 11 '11 at 04:18
  • And actually, the latest libnids comes with a really good patch that lets you track unestablished TCP connections. You have to apply it and compile it yourself though. I think this would be the better solution. – Caleb Hearon May 11 '11 at 04:19

1 Answer

4

Okay, so after some deep googling I think I figured this out, for anyone who may be interested.

libnids was designed to emulate the Linux kernel's network stack, so looking at it from this perspective, it wouldn't make sense for it to make tables for traffic that hasn't handshaked. The only solution is to use something like tcpkill to force a new handshake.

Caleb Hearon
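The behaviour the answer describes, as an added Python model (not libnids source; the `pickup_midstream` switch is a hypothetical stand-in for the unestablished-connection patch mentioned in the comments): a stream table that only opens an entry once it sees the three-way handshake, so a segment from a connection that was already open when capture started is dropped until a fresh SYN/SYN-ACK/ACK (for example after a tcpkill reset) lets the tracker pick the stream up.

```python
from collections import namedtuple

SYN, ACK, RST = 0x02, 0x10, 0x04
Seg = namedtuple("Seg", "src sport dst dport flags payload")

class StreamTable:
    """Stream table keyed by 4-tuple; payload reaches the callback only for tracked streams."""

    def __init__(self, pickup_midstream=False):
        self.pickup_midstream = pickup_midstream  # hypothetical knob modelling the patch
        self.streams = {}      # key -> handshake state
        self.delivered = []    # payloads handed to the "TCP callback"

    @staticmethod
    def key(seg):
        # direction-independent key so both halves of a stream map to one entry
        return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))

    def feed(self, seg):
        k = self.key(seg)
        if seg.flags & RST:                      # e.g. the resets tcpkill injects
            self.streams.pop(k, None)
            return
        if seg.flags & SYN and not seg.flags & ACK:
            self.streams[k] = "SYN_SENT"         # handshake (re)starts: entry created
            return
        state = self.streams.get(k)
        if state is None:
            if self.pickup_midstream and seg.flags & ACK and seg.payload:
                self.streams[k] = "ESTABLISHED"  # adopt an already-open stream
                self.delivered.append(seg.payload)
            return                               # default: unknown stream, dropped
        if state == "SYN_SENT" and seg.flags & SYN and seg.flags & ACK:
            self.streams[k] = "SYN_RECV"
        elif state == "SYN_RECV" and seg.flags & ACK:
            self.streams[k] = "ESTABLISHED"
        if self.streams.get(k) == "ESTABLISHED" and seg.payload:
            self.delivered.append(seg.payload)

def run_demo(pickup_midstream=False):
    """Constructed traffic: a stream already open when capture starts, then a fresh one."""
    c, s = ("10.0.0.5", 40000), ("10.0.0.9", 80)
    t = StreamTable(pickup_midstream)
    t.feed(Seg(*c, *s, ACK, b"GET /old HTTP/1.0\r\n"))   # mid-stream, no handshake seen
    t.feed(Seg(*c, *s, SYN, b""))                         # new connection: SYN
    t.feed(Seg(*s, *c, SYN | ACK, b""))                   # SYN/ACK
    t.feed(Seg(*c, *s, ACK, b""))                         # ACK -> established
    t.feed(Seg(*c, *s, ACK, b"GET /new HTTP/1.0\r\n"))   # data on the tracked stream
    return t.delivered
```

With the default setting only the request on the freshly handshaked connection is delivered; with midstream pickup the earlier request is delivered as well.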