
| Subject: | Re: libnids tcp reassembly |
|---|---|
| Date: | Mon, 11 Oct 2004 12:50:55 -0400 (EDT) |
On Mon, 11 Oct 2004, muhammad alqama wrote:
I'm using libnids for TCP reassembly. I'm trying to sniff multiple TCP sessions simultaneously and want to save each TCP stream completely in a separate file.
When your TCP session hits a closing state (one of NIDS_CLOSE,
NIDS_TIMEDOUT or NIDS_RESET), save the stream data to a file. In a nutshell
the code will look like this (where monitor_tcp() is your TCP callback
registered in the nids setup routines):
```c
#include <stdio.h>
#include <time.h>
#include <arpa/inet.h>
#include "nids.h"

/* Write everything libnids has buffered for one half of the connection. */
static void
dump_half(const char *path, struct half_stream *hs)
{
    FILE *output = fopen(path, "wb");
    if (output == NULL)
        return;
    /* data is not NUL-terminated and may contain '%': use fwrite, never fprintf(data) */
    fwrite(hs->data, 1, hs->count - hs->offset, output);
    fclose(output);
}
void
monitor_tcp(struct tcp_stream *stream, void **unused)
{
    char clientfile[80], serverfile[80];
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    struct in_addr in;
    long now;
    switch (stream->nids_state) {
    case NIDS_JUST_EST:
        /* ask libnids to collect both directions of this connection */
        stream->client.collect = 1;
        stream->server.collect = 1;
        break;
    case NIDS_DATA:
        /* keep the whole stream buffered instead of the default discard */
        nids_discard(stream, 0);
        break;
    case NIDS_CLOSE:
    case NIDS_TIMEDOUT:
    case NIDS_RESET:
        now = (long)time(NULL);
        in.s_addr = stream->addr.saddr;
        inet_ntop(AF_INET, &in, src, sizeof(src));
        in.s_addr = stream->addr.daddr;
        inet_ntop(AF_INET, &in, dst, sizeof(dst));
        /* bytes the client sent: libnids keeps them in server.data */
        snprintf(clientfile, sizeof(clientfile), "%s-%hu-%s-%hu-%ld",
                 src, stream->addr.source, dst, stream->addr.dest, now);
        dump_half(clientfile, &stream->server);
        /* bytes the server sent: libnids keeps them in client.data */
        snprintf(serverfile, sizeof(serverfile), "%s-%hu-%s-%hu-%ld",
                 dst, stream->addr.dest, src, stream->addr.source, now);
        dump_half(serverfile, &stream->client);
        break;
    }
}
```
I think I may have the client/server data backwards for the addresses, and
you will want to pretty print the IP addresses (i.e. make them print as
dotted quads), but you get the idea. Since you have access to the client
and server data streams, you can basically fopen() a file that describes
them in some fashion (in this case it's srcip-sport-destip-dport-time) and
dump the data into them using fprintf(). Bugs most certainly exist in the
above code sample, but it should help you start with what to do.
________
jose nazario, ph.d. jose@monkey.org
http://monkey.org/~jose/ http://infosecdaily.net/