tcp_callback was never called in the sample of libnids


I am working on extracting HTTP data from a pcap file. I have to reassemble the fragments, so I found the nids lib. I installed libnids 1.24 with Homebrew on Mac OS 10.9.5 64-bit.

I tried to run the printall sample. I modified the code a bit to suit my environment, such as changing "nids.h" to , and adding nids_params.filename = filename; to open an offline file to analyze.

The sample is able to start, but the problem is that it prints nothing.

I added a print to the first line of the tcp_callback function. Again, nothing. That indicates the callback is never called.

To prove the problem is not related to my cap file:

  • I set it to capture live packets. After I opened a webpage, I got nothing.
  • I parsed the pcap file with libpcap myself and got lots of TCP packets.
  • The number of packets is 70k+. It is unlikely there isn't a whole TCP connection with a handshake.

It's such a pain to compile libnids with the sample and debug step by step. So can you give me some info about why the callback is not called?

1

There is 1 answer

0
Sisyphus

Since no one answered me :( I had to choose the most painful way: compile libnids, then debug step by step to see wtf was going on.

I tried turning off the -O2 compile option.

And I looked at where the tcp callback should be called. I found two facts:

  • The checksum of some packets is wrong.
  • It merely finds a TCP stream and adds a new connection, because of ACKs not being seen.

The first one is verified by Wireshark. And I saw Wireshark notify me about TCP checksum offload. I got the explanation from the Wireshark wiki:

Most modern operating systems support some form of network offloading, where some network processing happens on the NIC instead of the CPU. Normally this is a great thing. It can free up resources on the rest of the system and let it handle more connections. If you're trying to capture traffic it can result in false errors and strange or even missing traffic. Checksum Offload On systems that support checksum offloading, IP, TCP, and UDP checksums are calculated on the NIC just before they're transmitted on the wire. In Wireshark these show up as outgoing packets marked black with red Text and the note [incorrect, should be xxxx (maybe caused by "TCP checksum offload"?)].

The second one is because libnids is able to reassemble the stream by the handshake messages.

All of a sudden, the idea came to my mind that combining these two facts results in the output being nothing.

Since most ACK packets have a wrong checksum, the packets are skipped before they can be seen by the reassembly function.

After disabling checksums, I finally got the output of the TCP payload. Two days and I got it!
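An added check, not part of the question or answer and not libnids code: it recomputes the TCP checksum over the IPv4 pseudo-header and segment, which is the test libnids applies before it hands a segment to the reassembler, so you can count how many packets in your own capture fail it before disabling verification (in libnids 1.24 that is done with nids_register_chksum_ctl and NIDS_DONT_CHKSUM). The sample packet is constructed here; a capture with checksum offload would show the zeroed-field case on every locally sent segment.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample (not from a real capture): IPv4 10.0.0.1 -> 10.0.0.2, TCP SYN 4660 -> 80,
   no options or payload. Bytes 36-37 hold the correct checksum 0x895b; IP checksum left zero. */
static const uint8_t SAMPLE_SYN[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x12,0x34,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x89,0x5b,0x00,0x00 };

/* One's-complement sum of big-endian 16-bit words; an odd trailing byte is zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (size_t i = 0; i + 1 < n; i += 2) acc += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1) acc += (uint32_t)p[n - 1] << 8;
    return acc;
}

static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Recompute the TCP checksum of an IPv4 packet (IP header + segment, no link layer) over the
   pseudo-header and segment, checksum field taken as zero. 0 and *out on success, -1 if unusable. */
int tcp_checksum(const uint8_t *pkt, size_t len, uint16_t *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total > len || total < ihl + 20 || pkt[9] != 6) return -1;
    size_t tcp_len = total - ihl;
    uint8_t pseudo[12];                          /* src, dst, zero, proto, TCP length */
    memcpy(pseudo, pkt + 12, 8);
    pseudo[8] = 0; pseudo[9] = 6; pseudo[10] = (uint8_t)(tcp_len >> 8); pseudo[11] = (uint8_t)tcp_len;
    uint32_t acc = sum16(pseudo, sizeof pseudo, 0);
    acc = sum16(pkt + ihl, 16, acc);             /* TCP header up to the checksum field */
    acc = sum16(pkt + ihl + 18, tcp_len - 18, acc); /* everything after it */
    *out = (uint16_t)~fold(acc);
    return 0;
}

/* 1 if the checksum on the wire matches, 0 if it does not (what checksum offload leaves
   in a local capture and what makes libnids drop the packet), -1 if not parseable. */
int tcp_checksum_ok(const uint8_t *pkt, size_t len) {
    uint16_t want;
    if (tcp_checksum(pkt, len, &want) != 0) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    return (uint16_t)((pkt[ihl + 16] << 8) | pkt[ihl + 17]) == want;
}
```

Feed it each IPv4/TCP packet from your pcap (after stripping the link-layer header) and tally the zeros: a large share of outgoing segments failing is the offload signature described above, while failures on inbound traffic point at real corruption.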