drop in libnids like api?

Juli Mallett juli at clockworksquid.com
Mon Dec 16 18:33:53 PST 2013


On Mon, Dec 16, 2013 at 6:29 PM, Alfred Perlstein <alfred at freebsd.org> wrote:

>
> On 12/16/13, 4:28 PM, Juli Mallett wrote:
>
> Alfred,
>
> It's probably the "libuinet" component you're looking for, but that's an
> active userland TCP stack, not a passive one.  That is, you can do full
> TCP/IP with libuinet pretty easily, but you can't just hand it packets and
> look at a stream you're intercepting.  It might be possible to make it
> provide two half-connections for each connection from the wire at some
> point, with data going into a socket and being readable, but that
> functionality isn't there now.  I know there's some interest in funding Pat
> Kelsey (who did the "libuinet" work) to do that, but I don't think there's
> any roadmap for it.  I may also be misunderstanding what you're using
> libnids to do.
>
>
> I think you're right on point.
>
> Basically what I need is the ability to write something like
> https://github.com/alfredperlstein/dsniff/blob/master/urlsnarf.c using
> wanproxy as a backend.
>
> Specifically have a look at line 164 of the file at sniff_http_client(),
> this calls line 88 of that file (process_http_request()) each time a new
> packet comes in for a stream we are interested in.  It's relatively basic
> stuff to monitor streams.  Is it at all possible to do this using wanproxy
> libuinet?
>

Nope, not at this time, unless you're willing to actually be an inline
proxy instead, which is probably not worth it since libnids exists.


> If not is Pat available to chat about what needs to be done?
>

I've added him to the CC list explicitly, I'm sure he has some thoughts on
how possible it would be to adapt the FreeBSD stack to support passive
reception / read-only connections.


> thank you,
> -Alfred
>
>
> Thanks,
> Juli.
>
>
> On Mon, Dec 16, 2013 at 2:16 PM, Alfred Perlstein <alfred at freebsd.org> wrote:
>
>> Hey a friend referred me to wanproxy as an alternative to libnids.
>>
>> I'm wondering is there overlap in the functionality such that I could
>> drop it in place for the backend for dsniff's suite of utils, specifically
>> urlsnarf.
>>
>> -Alfred
>> _______________________________________________
>> wanproxy mailing list
>> wanproxy at lists.wanproxy.org
>> http://lists.wanproxy.org/listinfo.cgi/wanproxy-wanproxy.org
>>
>
>
>
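The thread turns on the difference between an active stack (libuinet, which owns both ends of a TCP connection) and the passive "two half-connections per wire connection" model that libnids gives urlsnarf: packets are handed in, each direction is reassembled into an in-order byte stream, and a callback such as process_http_request() runs whenever new stream bytes arrive. The block below is an added example written for this page; it is not code from libnids, libuinet, wanproxy or dsniff. It assumes the TCP segments have already been pulled off the wire (no pcap, IP or TCP header parsing here, and no SYN/FIN state machine), shows only the client half-connection, and uses a constructed HTTP request split into out-of-order segments plus a retransmission. All function and type names (half_conn, half_accept, extract_requests, demo_requests) are hypothetical.

```c
/* Minimal passive half-connection reassembler plus a urlsnarf-style consumer.
 * Added example for the mailing-list discussion; not libnids/libuinet code.
 * Assumption: segments are already parsed (direction, seq, payload). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PENDING 16
#define STREAM_MAX  4096

struct segment { uint32_t seq; const char *data; size_t len; };

/* One direction of a wire connection: the "half-connection" from the thread. */
struct half_conn {
    uint32_t next_seq;                   /* next in-order byte we expect       */
    char     stream[STREAM_MAX + 1];     /* reassembled bytes, NUL-terminated  */
    size_t   stream_len;
    struct segment pending[MAX_PENDING]; /* out-of-order segments held back    */
    size_t   npending;
};

static void half_init(struct half_conn *h, uint32_t isn)
{
    memset(h, 0, sizeof *h);
    h->next_seq = isn;                   /* first byte of the payload stream   */
}

/* Feed one segment. Returns how many new in-order bytes reached the stream.
 * Handles gaps (segment held), overlaps and retransmits (duplicate prefix dropped),
 * and releases held segments once the gap in front of them is filled. */
static int half_accept(struct half_conn *h, struct segment s)
{
    int delivered = 0;
    for (;;) {
        if ((int32_t)(s.seq - h->next_seq) > 0) {          /* gap: hold it */
            if (h->npending < MAX_PENDING) h->pending[h->npending++] = s;
            return delivered;
        }
        uint32_t end = s.seq + (uint32_t)s.len;
        if ((int32_t)(end - h->next_seq) > 0) {             /* has new bytes */
            size_t skip = (size_t)(h->next_seq - s.seq);    /* already-seen prefix */
            size_t n = s.len - skip;
            if (h->stream_len + n > STREAM_MAX) return delivered; /* no room */
            memcpy(h->stream + h->stream_len, s.data + skip, n);
            h->stream_len += n;
            h->stream[h->stream_len] = '\0';
            h->next_seq += (uint32_t)n;
            delivered += (int)n;
        }
        /* Is a held segment now in order? If so, loop and deliver it. */
        int found = -1;
        for (size_t i = 0; i < h->npending; i++)
            if ((int32_t)(h->pending[i].seq - h->next_seq) <= 0) { found = (int)i; break; }
        if (found < 0) return delivered;
        s = h->pending[found];
        h->pending[found] = h->pending[--h->npending];
    }
}

/* urlsnarf-style consumer over the client half: emits "METHOD host/path" for
 * every request whose headers are complete. Returns the number emitted. */
static int extract_requests(const struct half_conn *c, char *out, size_t outsz)
{
    int count = 0;
    size_t used = 0;
    const char *p = c->stream;
    out[0] = '\0';
    for (;;) {
        const char *end = strstr(p, "\r\n\r\n");
        if (!end) break;                        /* headers incomplete: wait */
        char method[8], path[256], host[128] = "-";
        if (sscanf(p, "%7s %255s", method, path) != 2) break;
        const char *hh = strstr(p, "\r\nHost: ");
        if (hh && hh < end) sscanf(hh + 8, "%127[^\r\n]", host);
        used += (size_t)snprintf(out + used, outsz - used, "%s %s%s\n", method, host, path);
        count++;
        if (used >= outsz) break;
        p = end + 4;
    }
    return count;
}

/* Constructed input: one GET request in three segments arriving as 3,1,2,
 * then segment 1 retransmitted. Returns the number of requests extracted. */
int demo_requests(char *out, size_t outsz)
{
    static const char req[] = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
    uint32_t isn = 1000;
    struct segment a = { isn,      req,      16 };
    struct segment b = { isn + 16, req + 16, 20 };
    struct segment c = { isn + 36, req + 36, strlen(req) - 36 };
    struct half_conn client;
    half_init(&client, isn);
    half_accept(&client, c);   /* gap: held                     */
    half_accept(&client, a);   /* in order: 16 bytes delivered  */
    half_accept(&client, b);   /* fills gap, releases c: 32     */
    half_accept(&client, a);   /* retransmit: 0 bytes           */
    return extract_requests(&client, out, outsz);
}

int main(void)
{
    char out[256];
    int n = demo_requests(out, sizeof out);
    printf("%d request(s):\n%s", n, out);
    return 0;
}
```

The point the thread makes is visible in half_accept(): a passive reassembler never sends anything, so it cannot ACK, retransmit or drive the peer; it only tracks next_seq per direction and hands in-order bytes to a consumer. An inline proxy (the alternative Juli mentions) would instead terminate both TCP sessions itself, which is why an active stack like libuinet fits that case and not this one. A real tool would also need per-flow demultiplexing, a timeout for flows that never fill their gap, and a bound on held segments per flow, since an attacker who sends a deliberately missing segment can otherwise pin memory in the monitor.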