Low level networking operations
It uses the pcap library to listen in promiscuous mode
on a network interface. It monitors TCP sessions and collects
statistics on each. Using functags, it lets the application do
special processing on each session.
TCP packet sniffer with session management
Do some processing when a new TCP session is seen
New means "not seen since we started the sniffer", so the TCP session
may not be completely new.
Session ID so the application may classify it
Basic information about the session such
as TCP ports and addresses.
A pointer used by the application to
store private stuff. This data will be passed
back to the other functags so the application
can do "per TCP session" work. The
component will delete the data once the
TCP session is over.
Set end to true if you want to end
the tcpdump component.
Set discard to true and this TCP session
will be ignored. The other functags won't
be called about it.
Reverse the direction of the session.
Used when we start spying on an already
connected socket and the first packet
seen is coming from the server. The
application obviously has a bias.
Called when a TCP session ends
We have seen the last TCP packet (FIN and ACK sequence). We won't
be called for this TCP session from now on.
Session ID
Session details
Private data defined by the newsession
functag.
Tell the component to end
The client has closed the connection,
or the server did.
Some data was sent
The functag is only called when some user data is available in a TCP
packet. Other data-less packets (ACK) are not visible here.
Session ID
Session details
Private data defined by newsession
Set it to true to end the component.
The packet was sent by the client (from==true)
or by the server. When the sniffer is
started after the TCP session, the
client is identified by the first packet seen
so we may be wrong.
Statistics about the session.
Application data in the packet
Application data size
Return the number of TCP sessions known to the sniffer
Starts the sniffer on one or all network interfaces using an optional
filter (same syntax as the tcpdump utility)
Network device (eth0, ...) or NULL for all
Filter description, handled by the
pcap library or NULL for all packets.
For example: "port smtp and host server"
Called when an out of order packet is seen
Either the sniffer is too slow (missing packets) or something else
is happening. The tcpdump component assumes all packets are sent
in proper order.
Session ID
Packet out of order coming from the
client or the server
Application data (per session)
Set to true to end the component
Set to true to ignore all future packets
from this TCP session
Expected sequence number
Received sequence number
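
The out-of-order check and the "client is the first packet seen" guess described above can be sketched as follows. This is an added example, not the component's own code: Endpoint, Segment, Session, Tracker and feed are hypothetical names, and only data-bearing segments are assumed to be fed in (SYN and FIN sequence accounting is left out).

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <tuple>
// Hypothetical types for this example; they are not the component's API.
struct Endpoint {
    uint32_t addr; uint16_t port;
    bool operator<(const Endpoint &o) const { return std::tie(addr, port) < std::tie(o.addr, o.port); }
    bool operator==(const Endpoint &o) const { return addr == o.addr && port == o.port; }
};
struct Segment { Endpoint src, dst; uint32_t seq, len; };  // data-bearing segments only
struct Session {
    Endpoint client{};               // sender of the first packet seen: only a guess
    uint32_t next_seq[2] = {0, 0};   // expected sequence number, [0]=client [1]=server
    bool seen[2] = {false, false}; bool discard = false;
};
enum class Event { NewSession, Data, OutOfOrder, Ignored };
class Tracker {
    std::map<std::pair<Endpoint, Endpoint>, Session> sessions;
public:
    uint32_t expected = 0, received = 0;  // valid after an OutOfOrder event
    bool from_client = false;             // direction of the last segment fed
    std::size_t count() const { return sessions.size(); }
    Event feed(const Segment &s, bool discard_on_gap = false) {
        // Order the endpoints so both directions share one map key.
        auto key = s.src < s.dst ? std::make_pair(s.src, s.dst) : std::make_pair(s.dst, s.src);
        bool fresh = sessions.find(key) == sessions.end();
        Session &ses = sessions[key];
        if (fresh) ses.client = s.src;
        if (ses.discard) return Event::Ignored;
        from_client = (s.src == ses.client);
        int dir = from_client ? 0 : 1;
        Event ev = fresh ? Event::NewSession : Event::Data;
        if (ses.seen[dir] && s.seq != ses.next_seq[dir]) {
            expected = ses.next_seq[dir]; received = s.seq;
            ses.discard = discard_on_gap;   // optionally ignore the session from now on
            ev = Event::OutOfOrder;
        }
        ses.seen[dir] = true;
        ses.next_seq[dir] = s.seq + s.len;  // uint32_t wraps like TCP sequence space
        return ev;
    }
};
int main() {  // constructed segments: client 10.0.0.1:40000, server 10.0.0.2:25
    Endpoint c{0x0A000001, 40000}, s{0x0A000002, 25};
    Tracker t; t.feed({c, s, 1000, 100});
    if (t.feed({c, s, 1200, 10}) == Event::OutOfOrder)
        std::printf("expected %u, received %u\n", (unsigned)t.expected, (unsigned)t.received);
}
```

A gap reported this way means the captured byte stream for that direction is incomplete, so anything reassembled from it after that point should be treated as unreliable.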