<div dir="ltr">Hi Anoop and Edward,<div><br></div><div>Thanks for the response. I find that the issue with a lot of the tcp reassembly libraries out there is that they throw out the reassembled stream if a packet is missing. For any form of security analysis, this isn't ideal because there could still be important information in the part of the stream that is collected. I'd like to find a library that maybe fills in missing packets with zeros, and times out if it doesn't get a FIN after a time period. I figure the assemblers for suricata, snort, and or Bro are likely more robust because they want to analyze the streams; however, they seem to be tightly coupled to their overall platforms which isn't useful when you want to build a lightweight application.</div><div><br></div><div>Edward, This is a good idea as libnids doesn't seem to have been supported in years. Libnids was built using the linux stack, which is good for reliability, but it doesn't always handle those cases that a security person would be interested in. Would be nice for a simple and robust API.</div><div><br></div><div>Cheers,</div><div><br></div><div>Teryl</div><div> </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 3, 2015 at 5:39 AM, Edward Fjellskål <span dir="ltr"><<a href="mailto:edwardfjellskaal@gmail.com" target="_blank">edwardfjellskaal@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
I was also hoping there would be something like this out there,<br>
like a updated version of libnids, but that also has IPv6.<br>
<br>
Ive for long dreamt of coding this my self, but failed my tries so<br>
far, and I dont have the time to spend on it.<br>
<br>
Maybe one could crowdsource someone to update libnids etc? or start over?<br>
<br>
E<br>
<span class=""><br>
<br>
On 07/02/2015 07:49 PM, Anoop Saldanha wrote:<br>
> On Sun, Jun 21, 2015 at 4:16 AM, Teryl Taylor<br>
> <<a href="mailto:teryl.taylor@gmail.com">teryl.taylor@gmail.com</a>> wrote:<br>
>> Hi everyone,<br>
>><br>
>> I'm looking for a stable and fairly reliable TCP reassembler.<br>
>> I've been playing around with libnids, libtins, and libntoh and<br>
>> all work well, but they don't seem to work on some of the pcaps<br>
>> I'm testing on, whereas wireshark does. I was curious if<br>
>> suricata's tcp reassembly is modular enough to use on it's own<br>
>> and, if so, is there any example code or test code, that would<br>
>> be good to look at to get a feel for how I could integrate it?<br>
>> Would the reassembly engine be a good option? Or does anyone have<br>
>> an alternative suggestion?<br>
>><br>
><br>
> What's the purpose? Want to use/convert it for termination, or<br>
> it's just for non-termination re-assembly?<br>
><br>
</span>-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1<br>
<br>
iQEcBAEBAgAGBQJVllhLAAoJEAf3kNGaI009eZ0H/ietKW9QDZZW8sSLIHaarc5K<br>
0JAjpS/P7JnWI1BgEQp64lqI3Oop6MoxGs8p5TTzlh9IXei1OrWaCI3PBYjBLA1e<br>
fz6q53DIR40k3dWFuRpaTvnjPkfAezA2Tv1FO150ZZP4G9/ZFkQVldGg9Oo290Au<br>
IE15OjZ3VlY265mWSOE1726hkrbhCHET34Qfr+9oz/OjOU0+n+xb284PJ8YFTRHF<br>
REUg1EoZu3JYEZ0p101/qVk6lqlCpvDelMeZ+sOPB8XCfu4CMaMY/kcHOF7WWX6k<br>
08vMMXoWIIrkjBZPlBDEnN6kSMLgS4awNSb71azhPYF1OkD6BswTb9x/hM7fP0A=<br>
=lLle<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" rel="noreferrer" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" rel="noreferrer" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
Developer Training in Copenhagen Sept 14-18: <a href="http://suricata-ids.org/training/" rel="noreferrer" target="_blank">http://suricata-ids.org/training/</a><br>
</blockquote></div><br></div>