drop in libnids like api?

Juli Mallett juli at clockworksquid.com
Mon Dec 16 18:33:53 PST 2013

On Mon, Dec 16, 2013 at 6:29 PM, Alfred Perlstein <alfred at freebsd.org> wrote:

> On 12/16/13, 4:28 PM, Juli Mallett wrote:
>> Alfred,
>> It's probably the "libuinet" component you're looking for, but that's an
>> active userland TCP stack, not a passive one.  That is, you can do full
>> TCP/IP with libuinet pretty easily, but you can't just hand it packets and
>> look at a stream you're intercepting.  It might be possible to make it
>> provide two half-connections for each connection from the wire at some
>> point, with data going into a socket and being readable, but that
>> functionality isn't there now.  I know there's some interest in funding Pat
>> Kelsey (who did the "libuinet" work) to do that, but I don't think there's
>> any roadmap for it.  I may also be misunderstanding what you're using
>> libnids to do.
> I think you're right on point.
> Basically what I need is the ability to write something like
> https://github.com/alfredperlstein/dsniff/blob/master/urlsnarf.c using
> wanproxy as a backend.
> Specifically have a look at line 164 of the file at sniff_http_client(),
> this calls line 88 of that file (process_http_request()) each time a new
> packet comes in for a stream we are interested in.  It's relatively basic
> stuff to monitor streams.  Is it at all possible to do this using wanproxy
> libuinet?

Nope, not at this time, unless you're willing to actually be an inline
proxy instead, which is probably not worth it since libnids exists.

> If not is Pat available to chat about what needs to be done?

I've added him to the CC list explicitly, I'm sure he has some thoughts on
how possible it would be to adapt the FreeBSD stack to support passive
reception / read-only connections.

> thank you,
> -Alfred
>> Thanks,
>> Juli.
>> On Mon, Dec 16, 2013 at 2:16 PM, Alfred Perlstein <alfred at freebsd.org> wrote:
>>> Hey a friend referred me to wanproxy as an alternative to libnids.
>>> I'm wondering is there overlap in the functionality such that I could
>>> drop it in place for the backend for dsniff's suite of utils, specifically
>>> urlsnarf.
>>> -Alfred