Re:Re: Re: [tcpdump-workers] A limitation of libpcap?

2002-05-16 Thread maer727

Thanks, Guy pal!

I have received your mail. Everything is Ok now. 

Best regards,
George Ma

-  Original Message  -
From: Guy Harris 
To: [EMAIL PROTECTED] 
Subject: Re: Re: [tcpdump-workers] A limitation of libpcap?
Sent: Thu May 16 16:11:03 CST 2002

 On Thu, May 16, 2002 at 04:03:16PM +0800, [EMAIL PROTECTED] wrote:
  Your reply gives me a hint. But where to see your 
  response to my other messages? I have not got any other 
  mails from the mail list.
 
 Perhaps mail messages get delivered out-of-order by the mail server for
 tcpdump.org (i.e., if mail message A arrives on that machine before mail
 message B arrives, mail message A might still be delivered to you
 *after* mail message B is delivered to you), or perhaps they got
 delivered to tcpdump.org's mail server out-of-order by my ISP, or

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe



Re:Re: Re: [tcpdump-workers] A limitation of libpcap?

2002-05-16 Thread maer727

Thanks, Guy pal!

I have read some documents of libnet. I find libnet can only 
create (called injection) packages and can not modify the 
content of a TCP package. 

Do you know some other ways on how to modify the content of a 
TCP package? 

Best regards,
George Ma

-  Original Message  -
From: Guy Harris 
To: [EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED] 
Subject: Re: Re: [tcpdump-workers] A limitation of libpcap?
Sent: Thu May 16 16:52:17 CST 2002

 On Thu, May 16, 2002 at 04:33:03PM +0800, [EMAIL PROTECTED] wrote:
  My condition is as the following. I have a Squid proxy server 
  whose address is 210.12.46.37:3128 and a windows client whose 
  address is 210.12.46.39. 
  
  I want to write a daemon process to check whether the windows 
  client is visiting a specific www site. For example, www.yahoo.com. 
  
  If so, I want to change some content, for example, change 
  Yahoo! Shopping to Shopping Yahoo!. :-) 
 
 Hmm.
 
 That really sounds like a job for ICAP:
 
   http://www.i-cap.org/home.html
 
 ICAP is a protocol to let you perform, to use the ugly marketoon phrase
 they invented, content adaptation, which means modifying stuff that
 comes from Web sites before you show it to the user, e.g. to filter out
 viruses, insert ads, and the like.
 
 It might be possible to have Squid send replies from www.yahoo.com to
 an ICAP server which could rewrite the pages.
 
 A Google search for
 
   squid icap
 
 might find information on Squid and ICAP.
 
 This might be easier than trying to use a libpcap-based daemon.
 
  Now I have used libpcap-0.7.1 to get the related HTTP package. I have 
  also got the information that the origin package is sent from 
  210.12.46.37:3128 to 210.12.46.39:4116. 
  
  I have also allocated a new memory space to copy the origin message 
  and change the related content. 
  
  Now I meet troubles, how to send the package? Which port should I use 
  to send the message? I think I can not use port 3128 because Squid is 
  using the port. But if I send the message from other port, will the 
  windows client accept the message?
 
 Unless you send the package from the *same port* that it originally came
 from, the client will not recognize it as a reply.
 
 Unfortunately, if the client has already seen the reply from Squid,
 it'll then think that packet is a duplicate packet, and will discard it.
 
 I.e., unless I'm missing something, you can't make things work using
 libpcap in that fashion - a libpcap-based application is passive, and
 can't *actively* modify packets, unless it can, by some mechanism
 *other* than libpcap, prevent Squid's packets from getting to the
 client.
 
  Another question, will the package 
  be sent twice? (first, origin package; then, modified message).
 
 Yes, as I said in my other message - and that's likely to be a problem,
 as per my previous paragraphs.
 
 Again, I'd suggest you look at using ICAP (or directly modifying Squid)
 instead.

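The two points in the reply quoted above (the source port has to match, and a copy that arrives after Squid's reply is discarded as a duplicate) can be seen in a small model of the checks a TCP receiver applies. This is an added example, not code from the thread or from libpcap; the struct and function names and the sequence numbers are constructed, and only the addresses and ports come from the messages.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TCP receiver's checks (hypothetical names,
 * not libpcap or kernel code). */
enum verdict { NO_CONNECTION, DUPLICATE, ACCEPTED, OTHER };

struct conn {                 /* the client's one established connection */
    const char *peer_ip;      /* Squid's address */
    uint16_t peer_port, local_port;
    uint32_t rcv_nxt;         /* next sequence number the client expects */
};

struct segment {
    const char *src_ip;
    uint16_t src_port, dst_port;
    uint32_t seq, len;        /* first payload byte and payload length */
};

enum verdict deliver(struct conn *c, const struct segment *s)
{
    /* Demultiplex on address and ports: a different source port matches nothing. */
    if (strcmp(s->src_ip, c->peer_ip) != 0 ||
        s->src_port != c->peer_port || s->dst_port != c->local_port)
        return NO_CONNECTION;
    /* All bytes below rcv_nxt were already received (wrap-safe compare). */
    if ((int32_t)(s->seq + s->len - c->rcv_nxt) <= 0)
        return DUPLICATE;
    if (s->seq == c->rcv_nxt) {          /* in-order data */
        c->rcv_nxt += s->len;
        return ACCEPTED;
    }
    return OTHER;                        /* out-of-order or partial overlap: not modelled */
}

/* Squid's reply arrives first; then a same-length rewritten copy is sent from src_port. */
enum verdict replay(uint16_t src_port)
{
    struct conn c = { "210.12.46.37", 3128, 4116, 1000 };   /* constructed seq numbers */
    struct segment orig = { "210.12.46.37", 3128, 4116, 1000, 100 };
    struct segment copy = { "210.12.46.37", src_port, 4116, 1000, 100 };
    if (deliver(&c, &orig) != ACCEPTED)
        return OTHER;
    return deliver(&c, &copy);
}

int main(void)
{
    printf("same port: %d, other port: %d\n", replay(3128), replay(5000));
    return 0;
}
```

In both cases the client's application only ever sees Squid's original bytes, which is why the reply points to ICAP or to changing Squid itself, where the content is rewritten before it is sent.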



Re:Re: Re:Re: Re: [tcpdump-workers] A limitation of libpcap?

2002-05-16 Thread maer727

Thanks, Jan pal!

Let me have a try. :-)

Best regards, 
George Ma

-  Original Message  -
From: Honza Pomahac 
To: [EMAIL PROTECTED] 
Subject: Re: Re:Re: Re: [tcpdump-workers] A limitation of libpcap?
Sent: Fri May 17 05:04:40 CST 2002

 If you are using Linux, using netfilter/iptables QUEUE target could solve
 your problem.
 More information can be found on http://www.netfilter.org/ and
 http://www.speakeasy.org/~roux/dmn/pdumpq/.
 
 Jan Pomahac
 
 
 
 - Original Message -
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Thursday, May 16, 2002 3:18 PM
 Subject: Re:Re: Re: [tcpdump-workers] A limitation of libpcap?
 
 
  Thanks, Guy pal!
 
  I have read some documents of libnet. I find libnet can only
  create (called injection) packages and can not modify the
  content of a TCP package.
 
  Do you know some other ways on how to modify the content of a
  TCP package?
 
  Best regards,
  George Ma
 
 
 
