I am writing a simple sniffer tool. I started with libpcap, but then I realized that it would be useful to keep track of TCP flow information, so I started reading and experimenting with libnids.
This is a great tool, but it does not create a new entry in the internal stream hash table unless it sees the TCP handshake (SYN, SYN/ACK, ACK) of a specific stream. As a result, I would not be able to see a lot of data if I had not started the sniffer before the handshake occurs. The documentation is a bit lacking. Does anyone know if this limitation can be circumvented?
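To make the difference the question describes concrete, here is an added example (my own plain C, not libnids or libpcap code, and not the poster's): a small flow table that creates an entry from whichever packet of a connection is seen first, SYN or not, and records whether the flow was caught from its SYN or picked up mid-stream. The function names track_packet and make_tcp and the flow struct are my own; make_tcp only builds constructed IPv4/TCP packets so the code runs offline.

```c
#include <stdint.h>
#include <string.h>
#define MAX_FLOWS 64
#define TH_SYN 0x02
#define TH_ACK 0x10
/* One tracked connection. An entry is created by whatever packet is seen first,
 * so a capture started mid-stream still accumulates data; saw_handshake records which case applied. */
struct flow {
    uint32_t src, dst;       /* IPv4 addresses as stored in the header */
    uint16_t sport, dport;
    int saw_handshake;       /* 1 if the first packet seen was a bare SYN */
    unsigned long bytes;     /* TCP payload bytes seen in both directions */
};
static struct flow flows[MAX_FLOWS]; static int nflows;
/* Parse an IPv4/TCP packet (no link-layer header), find or create its flow
 * in either direction, and return the flow index, or -1 if not valid TCP. */
int track_packet(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4, tot = (pkt[2] << 8) | pkt[3];
    if (pkt[9] != 6 || ihl < 20 || tot > len || ihl + 20 > tot) return -1;
    const uint8_t *tcp = pkt + ihl;
    size_t thl = (tcp[12] >> 4) * 4;
    if (thl < 20 || ihl + thl > tot) return -1;
    struct flow f = {0};
    memcpy(&f.src, pkt + 12, 4); memcpy(&f.dst, pkt + 16, 4);
    f.sport = (tcp[0] << 8) | tcp[1]; f.dport = (tcp[2] << 8) | tcp[3];
    for (int i = 0; i < nflows; i++) {
        struct flow *g = &flows[i];
        if ((g->src == f.src && g->dst == f.dst && g->sport == f.sport && g->dport == f.dport) ||
            (g->src == f.dst && g->dst == f.src && g->sport == f.dport && g->dport == f.sport)) {
            g->bytes += tot - ihl - thl;   /* existing flow: just count payload */
            return i;
        }
    }
    if (nflows == MAX_FLOWS) return -1;
    f.saw_handshake = (tcp[13] & (TH_SYN | TH_ACK)) == TH_SYN;   /* bare SYN = caught from the start */
    f.bytes = tot - ihl - thl;
    flows[nflows] = f;
    return nflows++;
}
/* Build a constructed IPv4/TCP packet (no options, zero checksums) for
 * testing without libpcap; returns its total length. */
size_t make_tcp(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport,
                uint16_t dport, uint8_t flags, size_t payload) {
    size_t tot = 40 + payload;
    memset(buf, 0, tot);
    buf[0] = 0x45; buf[2] = tot >> 8; buf[3] = tot & 0xff; buf[8] = 64; buf[9] = 6;
    memcpy(buf + 12, &src, 4); memcpy(buf + 16, &dst, 4);
    buf[20] = sport >> 8; buf[21] = sport & 0xff; buf[22] = dport >> 8; buf[23] = dport & 0xff;
    buf[32] = 0x50; buf[33] = flags;   /* 20-byte TCP header, given flags */
    return tot;
}
```

A handshake-gated table would have ignored the first (ACK/PSH) packet below entirely; this one records it and marks the flow as picked up mid-stream.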