
pynids 0.5a Update Released

pynids is a Python wrapper for libnids, a Network Intrusion Detection System (NIDS) library offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection. This release is an update to Michael Pomraning's 0.5 release to allow control of libnids' checksumming options.

Checksum Control

Many modern NICs provide both TX and RX checksum offloading for TCP and other protocols. With offloading enabled, the BPF tap used by libnids may observe packets with incorrect checksums, and libnids may then drop legitimate packets during processing, believing them to be invalid.

Thankfully, libnids provides a configuration option to control the TCP checksum behavior for arbitrary source addresses. Unfortunately, the current version of the pynids wrapper interface does not expose this option and has not been updated since January 2005. After running into this issue when whipping up a one-off tool with pynids, I decided to release an updated version of the pynids wrapper, 0.5a, to address the limitation.

In addition to the new checksum control functionality, the bundled libnids library has been updated from 1.19 to 1.21. More information on the updated 0.5a release and the tarball download is available here.
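The effect of per-source checksum control can be seen in a small model, added here as an illustration and not taken from pynids or libnids. The rule format, the first-match semantics, the function names and the addresses are assumptions, and the segment is constructed sample data.

```python
import ipaddress
import struct

DO_CHKSUM, DONT_CHKSUM = True, False  # modelled on libnids' NIDS_DO_CHKSUM / NIDS_DONT_CHKSUM

def tcp_checksum(src, dst, segment):
    """Internet checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF  # 0 when the embedded checksum field is correct

def build_segment(src, dst, payload, offloaded=False):
    """Constructed 20-byte TCP header plus payload. With offloaded=True the
    checksum field stays 0, standing in for the value the NIC has not yet
    filled in when a tap on the sending host sees the packet."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = 0 if offloaded else tcp_checksum(src, dst, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def should_verify(src, rules):
    """Assumed semantics: first matching (network, action) rule wins,
    and sources that match no rule are verified."""
    addr = ipaddress.IPv4Address(src)
    for net, action in rules:
        if addr in ipaddress.ip_network(net):
            return action
    return DO_CHKSUM

def accept(src, dst, segment, rules):
    """True if the segment would be kept for stream reassembly."""
    if not should_verify(src, rules):
        return True
    return tcp_checksum(src, dst, segment) == 0

# Constructed sample: the sensor host sits in 192.0.2.0/24 and offloads TX checksums.
SRC, DST, PAYLOAD = "192.0.2.10", "198.51.100.20", b"GET / HTTP/1.0\r\n\r\n"
RULES = [("192.0.2.0/24", DONT_CHKSUM)]

if __name__ == "__main__":
    seg = build_segment(SRC, DST, PAYLOAD, offloaded=True)
    print("no rules:", accept(SRC, DST, seg, []))       # dropped as invalid
    print("with rule:", accept(SRC, DST, seg, RULES))   # kept for reassembly
```

Keep the exempted range as narrow as the offloading hosts require: a sensor that skips verification for all sources will reassemble segments that the real endpoint would discard for a bad checksum.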


Copyright © 2018 - Jon Oberheide