This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to write http layer sniffer


I asked a similar question at StackOverflow.

I want to write an application layer sniffer (SMTP/FTP/HTTP).

Based on my searches, the first (and perhaps hardest!) step is to reassemble the TCP streams of the sniffed connections.

Indeed, what I need is something like the "follow TCP stream" option of Wireshark, but I need a tool that does it on a live interface and automatically. As far as I know, Tshark can extract TCP stream data from saved pcap files automatically (link), but not from live interfaces. Can Tshark do it on live interfaces?

As far as I know, TCPflow can do exactly what I want; however, it cannot handle IP defragmentation and SSL connections (I want to analyse the SSL content in the case where I have the server's private key).

Any suggestion about the mentioned tools or any other useful tool is welcome.

Thanks in advance, Dan.

asked 05 Jan '14, 05:03


Dani--

TCPflow does not need to handle IP fragmentation because IP fragmentation should not happen for TCP. It is only used for UDP and ICMP, but not TCP, since TCP has its own segmentation mechanisms.

(05 Jan '14, 09:13) Jasper ♦♦

2 Answers:


As you want to write your own sniffer, the best you can do is to look at other code and learn from it.

AFAIK tcpick is able to do TCP reassembly (not sure about IP defragmentation).

http://tcpick.sourceforge.net/

or take a look at

http://www.xplico.org
http://justniffer.sourceforge.net/

or search Google for 'libpcap IP defragmentation' for sample code on how to do that ;-)

Now, IP defragmentation and TCP reassembly are the 'easy' part.

I want to analyse the SSL content in the case I have the server private key

Decrypting SSL/TLS is not that easy, and there are only a few open source tools available that can do it. Obviously Wireshark can do it, but the code of Wireshark is pretty complex.

Take a look at the code of ssldump. That's (probably) much easier to understand than Wireshark ;-)

http://www.rtfm.com/ssldump/

Now it's up to you to take all those examples and create your own http sniffer. Good luck !

Regards
Kurt

answered 09 Jan '14, 06:08


Kurt Knochner ♦
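The "follow TCP stream" core that both the question and Kurt's answer turn on, written out here as an added example for this thread. It is not code from the original page, nor from tcpflow, tcpick, justniffer, Xplico, ssldump or Wireshark. It assumes the IP/TCP headers have already been parsed (with libpcap or similar) into (src, sport, dst, dport, seq, flags, payload) tuples; the sample conversation, the 10.0.0.x addresses and the class and function names are constructed for the illustration, and 32-bit sequence-number wraparound is ignored.

```python
"""Follow-the-TCP-stream reassembly over already-parsed segments.

Added illustration for this thread; not code from any tool named above.
Assumptions: segments arrive as parsed tuples, flows are short enough that
sequence numbers never wrap, and a flow first seen mid-stream starts at the
first segment's seq.
"""


class TcpStreamReassembler:
    """Rebuilds each direction of a TCP conversation in sequence order."""

    def __init__(self):
        # key = (src, sport, dst, dport) -> per-direction reassembly state
        self.flows = {}

    def add_segment(self, src, sport, dst, dport, seq, flags, payload=b""):
        key = (src, sport, dst, dport)
        st = self.flows.get(key)
        if st is None:
            # A SYN consumes one sequence number, so data starts at seq + 1.
            first = seq + 1 if "S" in flags else seq
            st = {"next": first, "pending": {}, "data": bytearray()}
            self.flows[key] = st
        if payload:
            # Keep the longest payload seen for a given starting seq.
            if len(payload) > len(st["pending"].get(seq, b"")):
                st["pending"][seq] = payload
        self._drain(st)
        return bytes(st["data"])

    def _drain(self, st):
        """Append every pending segment that is now contiguous with 'next'."""
        progressed = True
        while progressed:
            progressed = False
            for seq in sorted(st["pending"]):
                payload = st["pending"][seq]
                end = seq + len(payload)
                if end <= st["next"]:
                    # Pure retransmission of bytes already delivered: drop it.
                    del st["pending"][seq]
                elif seq <= st["next"]:
                    # Contiguous, possibly partially overlapping: trim the
                    # already-delivered prefix, append the rest, advance.
                    del st["pending"][seq]
                    st["data"] += payload[st["next"] - seq:]
                    st["next"] = end
                    progressed = True
                    break
                # else: starts after a hole; wait for the missing segment.

    def follow(self, client_key):
        """Both directions of a conversation, like Wireshark's Follow TCP Stream."""
        src, sport, dst, dport = client_key
        server_key = (dst, dport, src, sport)
        c2s = bytes(self.flows.get(client_key, {"data": b""})["data"])
        s2c = bytes(self.flows.get(server_key, {"data": b""})["data"])
        return c2s, s2c


def http_request_line(stream):
    """(method, target, version) from a reassembled client stream, else None."""
    head, sep, _ = stream.partition(b"\r\n")
    if not sep:
        return None
    parts = head.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return tuple(p.decode("ascii", "replace") for p in parts)


def reassemble(segments):
    r = TcpStreamReassembler()
    for src, sport, dst, dport, seq, flags, payload in segments:
        r.add_segment(src, sport, dst, dport, seq, flags, payload)
    return r


# Constructed sample conversation (not captured traffic): client 10.0.0.2:40000
# talking to 10.0.0.1:80. Segments arrive out of order, with an overlapping
# retransmission, which is exactly what a live-capture reassembler must absorb.
C, S = ("10.0.0.2", 40000), ("10.0.0.1", 80)
SAMPLE_SEGMENTS = [
    (*C, *S, 1000, "S", b""),                                # SYN
    (*S, *C, 5000, "SA", b""),                               # SYN/ACK
    (*C, *S, 1027, "A", b"Host: example.com\r\n"),           # arrives early
    (*C, *S, 1001, "A", b"GET /index.html HTTP/1.1\r\n"),    # fills the hole
    (*C, *S, 1040, "A", b".com\r\n\r\n"),                    # overlaps 6 bytes
    (*C, *S, 1001, "A", b"GET /index.html HTTP/1.1\r\n"),    # pure retransmit
    (*S, *C, 5001, "A", b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
]

if __name__ == "__main__":
    c2s, s2c = reassemble(SAMPLE_SEGMENTS).follow((*C, *S))
    print(http_request_line(c2s))
    print(c2s.decode(), s2c.decode(), sep="\n")
```

The parts a production sniffer adds on top of this are the ones that make the job hard on a live interface: flows must be expired when a hole is never filled (otherwise memory grows without bound), an explicit policy is needed for overlapping segments whose bytes disagree (this example trusts whichever copy arrives first for already-delivered bytes, which an attacker who can inject segments can exploit to show the sniffer different data than the receiver sees), sequence comparisons must be done modulo 2^32, and TLS decryption needs the full handshake, not just the application data.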


Regarding HTTP - maybe Fiddler can do the trick? Fiddler website

answered 05 Jan '14, 07:59


Boaz Galil

Thanks Boaz, but I want to sniff HTTP traffic to many servers, not from my host!

(08 Jan '14, 21:41) Dani--