Hello,

I've been writing a simple sniffer tool. I started out with libpcap, but then realized it would be useful to keep track of TCP stream information, so I began reading about and experimenting with libnids.

It's a great tool; however, it does not create a new record in its internal hash table of streams if it does not witness the TCP handshake (SYN, SYN/ACK, ACK) of a certain stream. As a result, I wouldn't be able to see a lot of data unless I started the sniffer before the handshake occurs. The documentation is a bit lacking. Does anyone know if it's possible to get around this limitation?

A: 

Okay, so after some deep googling I think I figured this out, for anyone who may be interested.

libnids was designed to emulate the Linux kernel's network stack, so looking at it from this perspective, it wouldn't make sense for it to make tables for traffic that hasn't completed a handshake. The only solution is to use something like tcpkill to force a new handshake.

Caleb Hearon
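To make the behaviour in the question and answer concrete, here is an added example in C (not code from the poster, the answerer, or libnids itself). It is a toy stream tracker with two modes: a "strict" mode that, like libnids as described above, only creates a stream entry when it sees the initial SYN and only counts payload once the three-way handshake has completed, and a "permissive" mode that also picks up a connection mid-stream from an ACK segment carrying data. The packets are constructed inline; the field names, the `replay`/`bytes_seen`/`streams_seen` helpers and the stage numbering are this example's own assumptions, not libnids API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits relevant to handshake tracking. */
enum { F_SYN = 0x02, F_ACK = 0x10 };

/* Minimal stand-in for the headers a stream tracker keys on (constructed). */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  flags;
    uint32_t payload_len;
} pkt_t;

/* One tracked connection. stage: 1 = SYN seen, 2 = SYN/ACK seen, 3 = established. */
typedef struct {
    uint32_t ip_a, ip_b;
    uint16_t port_a, port_b;
    int      stage;
    uint32_t bytes;   /* payload bytes delivered, counted only once established */
} stream_t;

#define MAX_STREAMS 16

typedef struct {
    stream_t s[MAX_STREAMS];
    int n;
    int strict;   /* 1 = libnids-like: only an initial SYN creates a stream */
    int dropped;  /* segments that matched no tracked stream */
} tracker_t;

/* Match a packet against tracked streams in either direction. */
static stream_t *find_stream(tracker_t *t, const pkt_t *p) {
    for (int i = 0; i < t->n; i++) {
        stream_t *s = &t->s[i];
        int fwd = s->ip_a == p->src_ip && s->port_a == p->src_port &&
                  s->ip_b == p->dst_ip && s->port_b == p->dst_port;
        int rev = s->ip_a == p->dst_ip && s->port_a == p->dst_port &&
                  s->ip_b == p->src_ip && s->port_b == p->src_port;
        if (fwd || rev) return s;
    }
    return NULL;
}

static stream_t *new_stream(tracker_t *t, const pkt_t *p, int stage) {
    if (t->n >= MAX_STREAMS) return NULL;
    stream_t *s = &t->s[t->n++];
    memset(s, 0, sizeof *s);
    s->ip_a = p->src_ip; s->port_a = p->src_port;
    s->ip_b = p->dst_ip; s->port_b = p->dst_port;
    s->stage = stage;
    return s;
}

static void tracker_feed(tracker_t *t, const pkt_t *p) {
    int syn = p->flags & F_SYN, ack = p->flags & F_ACK;
    stream_t *s = find_stream(t, p);
    if (!s) {
        if (syn && !ack)
            s = new_stream(t, p, 1);               /* fresh connection: both modes */
        else if (!t->strict && ack && p->payload_len > 0)
            s = new_stream(t, p, 3);               /* permissive: assume handshake predates capture */
        if (!s) { t->dropped++; return; }          /* strict mode silently ignores this traffic */
    }
    if (syn && ack && s->stage == 1)      s->stage = 2;
    else if (ack && !syn && s->stage == 2) s->stage = 3;
    if (s->stage == 3) s->bytes += p->payload_len;  /* data is only delivered once established */
}

/* Replay a constructed capture into a fresh tracker and return total bytes delivered. */
uint32_t replay(const pkt_t *pkts, int n, int strict, tracker_t *out) {
    memset(out, 0, sizeof *out);
    out->strict = strict;
    uint32_t total = 0;
    for (int i = 0; i < n; i++) tracker_feed(out, &pkts[i]);
    for (int i = 0; i < out->n; i++) total += out->s[i].bytes;
    return total;
}

uint32_t bytes_seen(const pkt_t *pkts, int n, int strict) { tracker_t t; return replay(pkts, n, strict, &t); }
int streams_seen(const pkt_t *pkts, int n, int strict) { tracker_t t; replay(pkts, n, strict, &t); return t.n; }

#define CLIENT 0x0A000001u   /* 10.0.0.1, constructed */
#define SERVER 0x0A000002u   /* 10.0.0.2, constructed */
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Constructed capture: sniffer started after the handshake, then two data segments. */
const pkt_t mid_stream[] = {
    { CLIENT, SERVER, 40000, 80, F_ACK, 120 },
    { SERVER, CLIENT, 80, 40000, F_ACK, 512 },
};

/* Constructed capture: full three-way handshake followed by the same two data segments. */
const pkt_t full_capture[] = {
    { CLIENT, SERVER, 40000, 80, F_SYN,         0 },
    { SERVER, CLIENT, 80, 40000, F_SYN | F_ACK, 0 },
    { CLIENT, SERVER, 40000, 80, F_ACK,         0 },
    { CLIENT, SERVER, 40000, 80, F_ACK,       120 },
    { SERVER, CLIENT, 80, 40000, F_ACK,       512 },
};

int main(void) {
    printf("mid-stream, strict:     %u bytes, %d streams\n",
           bytes_seen(mid_stream, LEN(mid_stream), 1), streams_seen(mid_stream, LEN(mid_stream), 1));
    printf("mid-stream, permissive: %u bytes, %d streams\n",
           bytes_seen(mid_stream, LEN(mid_stream), 0), streams_seen(mid_stream, LEN(mid_stream), 0));
    printf("full capture, strict:   %u bytes, %d streams\n",
           bytes_seen(full_capture, LEN(full_capture), 1), streams_seen(full_capture, LEN(full_capture), 1));
    return 0;
}
```

In strict mode the mid-stream capture yields no streams and no data, which is exactly the gap the question describes; the same data after a witnessed handshake is delivered in full. The permissive mode shows what a tracker that is willing to guess the handshake already happened would see, at the cost of trusting connection state it never verified, which is the trade-off a kernel-faithful design like libnids avoids.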