I was trying to use the Libnids library for TCP reassembly, so I wanted to check first that the payload is printed correctly compared to Wireshark. But when I run the following code:
    #include <stdio.h>
    #include <nids.h>

    /* Called by libnids for every state change / data arrival on a TCP stream. */
    void tcp_callback(struct tcp_stream *tcp, void **arg) {
        if (tcp->nids_state == NIDS_JUST_EST) {
            printf("Connection established\n");
            tcp->server.collect++; // collect data sent by the server, too
        } else if (tcp->nids_state == NIDS_DATA) {
            /* server.data holds only the bytes that are new since the last
             * callback (libnids discards them afterwards unless nids_discard()
             * is called), so the length to use is count_new, not count.
             * Printing raw bytes with %.*s is what yields the garbage below. */
            printf("Packet Payload: %.*s\n", tcp->server.count_new, tcp->server.data);
        }
    }

    int main() {
        nids_params.device = "wlo1";
        nids_params.pcap_filter = "host 174.143.201.208";
        if (!nids_init()) {
            fprintf(stderr, "nids_init() failed: %s\n", nids_errbuf);
            return -1;
        }
        nids_register_tcp(tcp_callback);
        nids_run();
        return 0;
    }
The printed payload seems to be corrupted:
Packet Payload: yω!
nT$ܫO�Q�F�:��V
� k=�� g����.�ۅb|}퓈LOy�(�vr��8�S[@���p���CC
�P����у+3rj����7�,��t�+��,YH+�y�b�z����}vx�%�xb��K6��^�����F�,��(���)d����r
r.�Y`��@*e.���s��V���ho1�c?V_P����C��'ɯ�/�wt�v��
When I compare the output to the Wireshark packets, it seems that the characters which do not appear as "�" are right, but the others are special characters.
I have guessed that it is because the payload data is represented in libnids as a char pointer data type, but I don't actually know whether that is the real problem.
So, does anyone know why this happens, or how I could get the original payload?
The problem was the way I printed the data. When I printed it in hex using the following code:
It was printed correctly!
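The hex-printing code itself is not reproduced above, so here is an added example (not the poster's code) of a self-contained hex dump that renders a binary TCP segment readably; it assumes the segment arrives as tcp->server.data with tcp->server.count_new bytes, as in the callback in the question, and uses a constructed sample payload instead of captured traffic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample payload (not captured traffic): binary bytes, including
 * a NUL and non-ASCII values, of the kind printf "%.*s" cannot render. */
static const unsigned char SAMPLE_PAYLOAD[] = {
    'y', 0xCF, 0x89, '!', 0x00, 'n', 'T', '$', 0xDC, 0xAB, 'O', 0x96, 'Q'
};

/* Encode len bytes as lowercase hex into out (needs 2*len+1 bytes).
 * Returns the hex length written, or 0 if out is too small. */
size_t hex_encode(const unsigned char *data, size_t len, char *out, size_t outsz)
{
    static const char digits[] = "0123456789abcdef";
    size_t i;
    if (outsz < 2 * len + 1) return 0;
    for (i = 0; i < len; i++) {
        out[2 * i]     = digits[data[i] >> 4];
        out[2 * i + 1] = digits[data[i] & 0x0F];
    }
    out[2 * len] = '\0';
    return 2 * len;
}

/* Hex of the constructed sample, returned in a static buffer. */
const char *sample_hex(void)
{
    static char buf[2 * sizeof SAMPLE_PAYLOAD + 1];
    hex_encode(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD, buf, sizeof buf);
    return buf;
}

/* Offset / hex / ASCII dump, 16 bytes per line; returns the lines written.
 * In the NIDS_DATA branch call it with (const unsigned char *)tcp->server.data
 * and tcp->server.count_new; that call is not compiled here, so no libnids. */
size_t hexdump(FILE *fp, const unsigned char *data, size_t len)
{
    size_t off, i, lines = 0;
    for (off = 0; off < len; off += 16, lines++) {
        fprintf(fp, "%08zx ", off);
        for (i = 0; i < 16; i++)
            if (off + i < len) fprintf(fp, " %02x", data[off + i]);
            else fputs("   ", fp);
        fputs("  |", fp);
        for (i = 0; i < 16 && off + i < len; i++)
            fputc(data[off + i] >= 0x20 && data[off + i] < 0x7F ? data[off + i] : '.', fp);
        fputs("|\n", fp);
    }
    return lines;
}
```

Besides showing non-ASCII bytes as terminal garbage, "%.*s" also stops at the first NUL byte regardless of the precision, so a binary segment can be silently truncated; the hex dump avoids both problems.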