On 2010-12-28 17:22, Andrej van der Zee wrote:
> I am asked to write a custom sniffer with libpcap on Linux that has to
> handle a load of 50.000 packets per second. The sniffer has to detect all
> HTTP requests and dump the URI with additional information, such as request
> size and possibly response time/size. The packets, destined for the
> load-balancer, are duplicated by the switch using port-mirroring to my own
> machine. It is important that our solution is 100% non-intrusive to the web
> application being monitored.
>
> Probably I need to access the POST data of certain HTTP requests. Because
> HTTP requests are, obviously, broken into multiple packets, is it feasible
> to reconstruct the whole HTTP request with POST data from multiple packets?
>
> Regarding the load of 50.000 packets a second, is this expected to be a
> problem?
>
> Any feedback is very appreciated!

See urlsnarf:

http://monkey.org/~dugsong/dsniff/

I don't think it does POST data but it may be a good starting point.

-- 
Jefferson Ogata <jefferson.og...@noaa.gov>
National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
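
On the question of rebuilding a POST request from several packets, here is an added example (not from this thread and not urlsnarf's code) that reassembles one direction of one TCP flow from out-of-order payloads and reports when the request is complete. It assumes the payloads were already extracted in a libpcap callback and that the body is framed by Content-Length, not chunked encoding; `reassemble_http`, `struct seg`, `CAP` and the sample data are hypothetical names and values.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define CAP 4096u                 /* assumed per-flow buffer limit */
#define SEG(q, s) { (q), (s), sizeof(s) - 1 }
struct seg { uint32_t seq; const char *data; size_t len; };

/* Rebuild one direction of one TCP flow; isn = sequence number of the first
 * payload byte. Returns the request length (headers + body) once complete,
 * 0 while bytes are missing, -1 on a bad segment or Content-Length. */
long reassemble_http(const struct seg *s, size_t n, uint32_t isn, char out[CAP + 1])
{
    static const char key[] = "\r\nContent-Length:";
    unsigned char have[CAP] = {0};
    size_t i, got = 0, hdr, body = 0;
    for (i = 0; i < n; i++) {
        uint32_t off = s[i].seq - isn;           /* unsigned: survives seq wrap */
        if (off >= CAP || s[i].len > CAP - off) return -1;
        memcpy(out + off, s[i].data, s[i].len);  /* retransmits overwrite */
        memset(have + off, 1, s[i].len);
    }
    while (got < CAP && have[got]) got++;        /* stop at the first hole */
    out[got] = '\0';
    char *end = strstr(out, "\r\n\r\n");         /* end of the header block */
    if (!end) return 0;
    hdr = (size_t)(end - out) + 4;
    for (char *p = out; p < end; p++)
        if (strncasecmp(p, key, sizeof key - 1) == 0) {
            const char *v = p + sizeof key - 1;
            v += strspn(v, " \t");
            if (*v < '0' || *v > '9') return -1; /* malformed length */
            body = strtoul(v, NULL, 10);
            break;
        }
    if (body > CAP) return -1;                   /* never buffer unbounded bodies */
    return got >= hdr + body ? (long)(hdr + body) : 0;
}

/* Constructed sample: one POST in three segments, out of order, crossing 2^32. */
static const struct seg sample[] = {
    SEG(45u, "\r\nuser=test"),
    SEG(0xFFFFFFF0u, "POST /login HTTP/1.1\r\n"),
    SEG(6u, "Host: example.test\r\nContent-Length: 9\r\n"),
};

int main(void)
{
    char buf[CAP + 1];
    return reassemble_http(sample, 3, 0xFFFFFFF0u, buf) == 72 ? 0 : 1;
}
```

A real sniffer would keep one such buffer per (source, destination, port) tuple and free it on FIN/RST or a timeout, since a mirror port can drop packets and leave holes that never fill.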