[Winpcap-users] Full content-based filtering

Oren Becker orenbecker at bezeqint.net
Sat Jun 25 08:44:58 GMT 2005


I understand.

Say - about flow reassembly:

I read that after the packet is in the kernel buffer, it can be copied to a 
user-space buffer via a function call.
If the application is to reassemble a consecutive buffer with the data in 
the tcp-packets, another copy will probably be needed.

Now, won't it save time if the application first gets a chance to read the 
packet from the kernel-buffer and decide whether it wants to "lock" it. Then 
the packet won't be deleted until the application knows exactly where it 
wants to copy the packet (or part of it) to?

Oren.

----- Original Message ----- 
From: "Loris Degioanni" <loris.degioanni at gmail.com>
To: <winpcap-users at winpcap.org>
Sent: Saturday, June 25, 2005 1:46 AM
Subject: Re: [Winpcap-users] Full content-based filtering


> I mean reconstructing the tcp flows from the packets transiting on the 
> network. This of course requires to reassemble IP fragments too.
>
> Loris
>
>
> Oren Becker wrote:
>> Thanks for the answer.
>>
>> When you say flow-reassembly, you mean putting the IP packets together 
>> in the order they were sent?
>>
>>
>> ----- Original Message ----- 
>> From: "Loris Degioanni" <loris.degioanni at gmail.com>
>> To: <winpcap-users at winpcap.org>
>> Sent: Thursday, June 23, 2005 9:11 AM
>> Subject: Re: [Winpcap-users] Full content-based filtering
>>
>>
>>> Oren Becker wrote:
>>>
>>>> Hi.
>>>>  Do you think it's possible, efficiency-wise, to run a multi-pattern 
>>>> string matching algorithm to filter packets according to their 
>>>> contents?
>>>> (search for many strings of various lengths)
>>>>  Have any efforts been done in this direction?
>>>
>>>
>>> Yes, a lot of efforts.
>>> First, you need a good flow reassembly engine, because matching patterns 
>>> on single packets is not of great use. This is not trivial at all.
>>> Second, you use one of the many multi-string search algorithms (I think 
>>> that variants of Aho/Corasick are still the most used).
>>> Two papers that I have handy and that you can start with:
>>>
>>> C. J. Coit, S. Staniford and J. McAlerney, Towards Faster String 
>>> Matching for Intrusion Detection or Exceeding the Speed of Snort, DARPA 
>>> Information Survivability Conference and Exposition (DISCEX II), August 
>>> 2001.
>>>
>>> M. Fisk and G. Varghese, An analysis of fast string matching applied to 
>>> content-based forwarding and intrusion detection, IEEE INFOCOM 2002.
>>>
>>> I think the authors of Snort worked quite heavily on the subject, so I'm 
>>> sure you can find a lot of information (including sources to study) at 
>>> www.snort.org.
>>>
>>> Loris
>>> _______________________________________________
>>> Winpcap-users mailing list
>>> Winpcap-users at winpcap.org
>>> https://www.winpcap.org/mailman/listinfo/winpcap-users
>>
>>
>>
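Loris's two steps above (rebuild the flow first, then run a multi-string search such as Aho-Corasick over it) as an added Python example, not code from this thread, WinPcap or Snort: a small Aho-Corasick matcher and a minimal in-order reassembler, run over a constructed pair of out-of-order TCP segments so that a pattern split across the two segments is missed per packet and found on the reassembled stream. The segment values, the patterns and the reassembler's simple overlap/hole handling are assumptions made for the illustration.

```python
from collections import deque

def build_automaton(patterns):   # Aho-Corasick: trie (goto), failure links (fail), matches per state (out)
    goto, out = [{}], [set()]
    for p in patterns:
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto[s][ch] = len(goto)
                goto.append({}); out.append(set())
            s = goto[s][ch]
        out[s].add(p)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())      # depth-1 states fail to the root
    while queue:
        r = queue.popleft()
        for ch, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and ch not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(ch, 0)
            out[s] |= out[fail[s]]       # patterns that are suffixes of this state match here too
    return goto, fail, out

def search(automaton, data):     # one pass over data; sorted (start_offset, pattern) for every match
    goto, fail, out = automaton
    s, hits = 0, []
    for i, b in enumerate(data):
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        hits.extend((i - len(p) + 1, p) for p in out[s])
    return sorted(hits)

def reassemble(segments, isn):   # minimal stream rebuild: order by seq, drop overlap, stop at the first hole
    buf = bytearray()
    for seq, payload in sorted(segments):
        if seq - isn > len(buf):         # gap: the missing segment has not arrived yet
            break
        buf += payload[len(buf) - (seq - isn):]
    return bytes(buf)

# Constructed sample (not a real capture): "/etc/passwd" straddles two segments that arrive out of order.
ISN = 1000
SEGMENTS = [(ISN + 14, b"/passwd HTTP/1.0\r\n"), (ISN, b"GET /../../etc")]
PATTERNS = [b"/etc/passwd", b"cmd.exe", b"passwd"]

def compare(automaton):          # -> ([b'passwd'], [b'/etc/passwd', b'passwd'])
    per_packet = sorted(p for _, payload in SEGMENTS for _, p in search(automaton, payload))
    return per_packet, [p for _, p in search(automaton, reassemble(SEGMENTS, ISN))]
```

Per-packet matching only sees the trailing "passwd"; the reassembled stream also yields the full "/etc/passwd", which is the case Loris's first point is about.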