How snoop Works

How snoop Works

The basic design of snoop is quite simple. If you understand how to use snoop in general, there is no special knowledge required or additional options for the LDAP specific case.

Depending on whether you're reading from a captured file or not, the main function either calls net_read() to begin processing packets off the network or cap_read() to begin processing them from a file. Upon completion of being passed to one of the above mentioned functions, the function passes the data to scan() .

The function scan() goes through each packet, and depending on whether you want to further interpret the packet or not, calls the process_pkt() , which in turn calls the appropriate protocol decoder function.

Interpreting and displaying each packet depends on what flags are set. The interpreters send the data piece of the packet (a pointer and the length) to the next level interpreter. Most of the actual work decoding the ldap context is done by decpdu which is called from decode_ldap after taking into account a hack to take care of multi-packet PDUs (with some restrictions). This ability to decode multipacket PDUs is the one feature that sets this module apart from most, if not all of the other snoop modules.