Hi,

Can we, in a network gateway, write a program with libpcap to extract the destination web address and other info, like squid? In C language.

Is there any better way? If you can, give me some example and guide.

+1  A: 

libpcap could not be used for realtime monitoring as it has a big impact on network performance. I think it can perform at a maximum of 25% of the effective bandwidth. You can observe that by using Wireshark (based on libpcap).

AmineK
A: 

Yes you can quite easily. Just capture packets on port 80, and look in the first one or two for the HTTP request. The HTTP request is easily parsed.

Please read the libpcap documentation and look at some of the examples for getting started.

bramp
Keep in mind that extracting the HTTP requests/responses is non-trivial since it's above TCP. You only get IP packets from libpcap. A request/response might be split in the middle, there might be many in one packet, etc.
nos
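
Added example, not part of any answer or comment on this page: a minimal C sketch of the point raised above, buffering TCP payload bytes per connection until the HTTP header block is complete and only then reading the request target and `Host` header. The names `http_stream` and `http_feed` are hypothetical; it assumes the payloads come from a libpcap callback after the link, IP and TCP headers are stripped, arrive in order, and that only the first request on the connection is of interest.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define HDR_MAX 8192  /* cap on buffered header bytes per connection */
/* Hypothetical per-connection state; a gateway would key this by the 4-tuple. */
struct http_stream { char buf[HDR_MAX + 1]; size_t len; };

/* Append one in-order TCP payload. Returns 0 if the header block is still
 * incomplete, 1 when target/host were filled (host is empty if the request
 * has no Host header), -1 on oversized or malformed input. */
int http_feed(struct http_stream *s, const unsigned char *data, size_t n,
              char *host, size_t hostsz, char *target, size_t targetsz)
{
    if (n > HDR_MAX - s->len) return -1;      /* refuse unbounded headers */
    memcpy(s->buf + s->len, data, n);
    s->len += n; s->buf[s->len] = '\0';
    char *end = strstr(s->buf, "\r\n\r\n");
    if (!end) return 0;                       /* request split across segments */
    end[2] = '\0';                            /* keep the last header's CRLF */
    s->len = 0;                               /* reset; later bytes are dropped */
    char *sp1 = strchr(s->buf, ' ');          /* METHOD SP target SP version */
    char *eol = strstr(s->buf, "\r\n");
    if (!sp1 || sp1 > eol) return -1;
    char *sp2 = memchr(sp1 + 1, ' ', (size_t)(eol - sp1 - 1));
    if (!sp2) return -1;
    snprintf(target, targetsz, "%.*s", (int)(sp2 - sp1 - 1), sp1 + 1);
    host[0] = '\0';
    for (char *line = eol + 2; *line; ) {     /* header names: case-insensitive */
        char *next = strstr(line, "\r\n");
        if (!next) break;
        if (strncasecmp(line, "Host:", 5) == 0) {
            char *v = line + 5;
            while (*v == ' ' || *v == '\t') v++;
            snprintf(host, hostsz, "%.*s", (int)(next - v), v);
        }
        line = next + 2;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: one request split mid-header across two segments. */
    const char *seg[] = { "GET /index.html HTTP/1.1\r\nHo",
                          "st: example.test\r\nUser-Agent: x\r\n\r\n" };
    static struct http_stream s;
    char host[256], target[1024];
    for (int i = 0; i < 2; i++)
        if (http_feed(&s, (const unsigned char *)seg[i], strlen(seg[i]),
                      host, sizeof host, target, sizeof target) == 1)
            printf("http://%s%s\n", host, target);
    return 0;
}
```

Out-of-order segments and retransmissions are not handled here; a production capture path needs sequence-number tracking before bytes reach this buffer.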
A: 

You can configure squid to be a transparent proxy. This can be done on Linux by editing the iptables rules. This way all traffic goes via squid, which can then log or do whatever you want. Additionally no traffic is missed, but performance will be affected.

bramp
In my network users connect with OpenVPN, and squid does not log these activities.
haw3d