Thanks, Guy pal! If I have further question about libpcap, I will contact you. :-)
Have a nice day! George Ma ----- Original Message ----- From: Guy Harris To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Re: [tcpdump-workers] A limitation of libpcap? Sent: Thu May 16 16:52:17 CST 2002 > On Thu, May 16, 2002 at 04:33:03PM +0800, [EMAIL PROTECTED] wrote: > > My condition is as the following. I have a Squid proxy server > > whose address is 210.12.46.37:3128 and a windows client whose > > address is 210.12.46.39. > > > > I want to write a deamon process to check whether the windows > > client are visiting a specific www site. For example, www.yahoo.com. > > > > If so, I want to change some content, for example, change > > "Yahoo! Shopping" to "Shopping Yahoo!". :-) > > Hmm. > > That really sounds like a job for ICAP: > > http://www.i-cap.org/home.html > > ICAP is a protocol to let you perform, to use the ugly marketoon phrase > they invented, "content adaptation", which means "modifying stuff that > comes from Web sites before you show it to the user", e.g. to filter out > viruses, insert ads, and the like. > > It might be possible to have Squid send replies from "www.yahoo.com" to > an ICAP server which could rewrite the pages. > > A Google search for > > "squid icap" > > might find information on Squid and ICAP. > > This might be easier than trying to use a libpcap-based daemon. > > > Now I have used libpcap-0.7.1 to get the related HTTP package. I have > > also get the information that the origin package is sent from > > 210.12.46.37:3128 to 210.12.46.39:4116. > > > > I have also allocated a new memory space to copy the origin message > > and change the related content. > > > > Now I meet trobles, how to send the package? Which port should I use > > to send to message? I think I can not use port 3128 because Squid is > > using the port. But if I send the message from other port, will the > > windows client accept the message? > > Unless you send the package from the *same port* that it originally came > from, the client will not recognize it as a reply. > > Unfortunately, if the client has already seen the reply from Squid, > it'll then think that packet is a duplicate packet, and will discard it. > > I.e., unless I'm missing something, you can't make things work using > libpcap in that fashion - a libpcap-based application is passive, and > can't *actively* modify packets, unless it can, by some mechanism > *other* than libpcap, prevent Squid's packets from getting to the > client. > > > Another question, will the package > > be sent twice? (first, origin package; then, modified messge). > > Yes, as I said in my other message - and that's likely to be a problem, > as per my previous paragraphs. > > Again, I'd suggest you look at using ICAP (or directly modifying Squid) > instead. - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe