#2 Allow libnids to capture TCP streams without handshaking

[Queen Of The Sea]

There should be an option for libnids to capture TCP streams that have already been established. The attached patch have converted libnids to C++ with classes to make the code more manageable and thread safe, as well as an initial implementation of the aforementioned feature.

Does anyone know why I must increase
rcv->seq, snd->seq, rcv->first_data_seq, and snd->first_data_seq by 2 in order for the other methods to recognize the sequence number? Shouldn't sequence number increase by 1 instead of 2 everything?

[Queen Of The Sea]

To capture already established streams

[Queen Of The Sea]

Nevermind. Apparently, the next seq number isn't merely last seq + 1 these days, but seq + data_len. After making the following changes in process_tcp, it works fine. I also have to add a timeout so that it wouldn't free my stream immediately when it is halfway established.

rcv->seq += diff; //to make sequence number recogizable
initialize_connection(a_tcp,this_tcphdr);
snd->seq += diff + datalen; //the next sequence number
rcv->first_data_seq += diff;
snd->first_data_seq += diff + datalen; //the next sequence number