

Getting started

Before going into the configuration part, it is best to understand how pom-ng works.

Processing steps

1) Packets are read from an input

Packets can be read from multiple sources. To support these various sources, pom-ng provides a number of inputs. The most common ones are the following:

  • Input pcap_file reads packets from a pcap file
  • Input pcap_interface reads packets from a network interface on your system
  • Input pcap_dir reads packets from multiple pcap files in a single directory
  • Input dvb_c reads MPEG-TS packets from a DVB-C card

You can configure multiple inputs and run them at the same time.

2) Packets are analyzed

At this step, pom-ng analyzes the packets coming from the inputs. It finds out which protocol chain is inside each packet and decodes the headers of each protocol that will be useful for later processing. It also keeps track of the packets that belong to a single connection.
For higher layer protocols such as HTTP, events are generated that contain information about a specific protocol event. For instance, the HTTP protocol has 2 events: http_query and http_response. The http_query event contains all the information about the query from the client. The http_response event contains all the information about the reply from the server.

3) Protocol events are processed by the analyzers

Most of the time, protocol events alone are not very useful. In the case of the http_query and http_response events, it is not easy to correlate a query with its response. This is why the http analyzer listens for those two events and creates a new event called http_request that contains information about a single HTTP transaction. It contains both the info from the client and from the server, plus additional information computed by correlating the two events.
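The following Python snippet is an added illustration of the correlation the http analyzer performs; it is not pom-ng's own code. The event names http_query, http_response and http_request come from the page; the connection key, the field names inside the events, the pipelining queue and the sample events are assumptions constructed for the example. It also shows one failure mode an analyzer must handle: a response seen without a matching query (for instance when the capture starts in the middle of a connection).

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    """A protocol event as step 2 would emit it (constructed shape)."""
    name: str   # "http_query" or "http_response"
    conn: str   # connection key, e.g. "client:port->server:port" (assumed)
    data: dict  # decoded protocol fields plus a timestamp "ts_ms" (assumed)


@dataclass
class HttpRequest:
    """The correlated http_request event: query + response + derived info."""
    conn: str
    query: dict
    response: dict
    duration_ms: int  # computed by correlating the two events


class HttpAnalyzer:
    """Listens for http_query / http_response and emits http_request.

    Queries on one connection are answered in order (HTTP/1.1 pipelining),
    so each connection keeps a FIFO of unanswered queries.
    """

    def __init__(self):
        self.pending = defaultdict(deque)  # conn -> queue of unanswered queries
        self.requests = []                 # emitted http_request events
        self.orphans = 0                   # responses with no matching query

    def on_event(self, ev: Event):
        if ev.name == "http_query":
            self.pending[ev.conn].append(ev.data)
            return None
        if ev.name == "http_response":
            queue = self.pending[ev.conn]
            if not queue:
                # Capture started mid-connection or the query was lost:
                # count it instead of guessing a pairing.
                self.orphans += 1
                return None
            query = queue.popleft()
            req = HttpRequest(
                conn=ev.conn,
                query=query,
                response=ev.data,
                duration_ms=ev.data["ts_ms"] - query["ts_ms"],
            )
            self.requests.append(req)
            return req
        return None  # other protocol events are ignored by this analyzer


# Constructed sample event stream: two pipelined requests on connection A,
# then an orphan response and a normal transaction on connection B.
SAMPLE_EVENTS = [
    Event("http_query", "A", {"ts_ms": 1000, "method": "GET", "url": "/index.html"}),
    Event("http_query", "A", {"ts_ms": 1005, "method": "GET", "url": "/style.css"}),
    Event("http_response", "A", {"ts_ms": 1020, "status": 200}),
    Event("http_response", "A", {"ts_ms": 1030, "status": 200}),
    Event("http_response", "B", {"ts_ms": 2000, "status": 200}),   # no query seen
    Event("http_query", "B", {"ts_ms": 2100, "method": "POST", "url": "/login"}),
    Event("http_response", "B", {"ts_ms": 2150, "status": 302}),
]


def correlate(events):
    """Feed events through the analyzer and return it for inspection."""
    analyzer = HttpAnalyzer()
    for ev in events:
        analyzer.on_event(ev)
    return analyzer


if __name__ == "__main__":
    an = correlate(SAMPLE_EVENTS)
    for r in an.requests:
        print(r.conn, r.query["method"], r.query["url"],
              r.response["status"], f"{r.duration_ms} ms")
    print("orphan responses:", an.orphans)
```

The derived duration_ms field stands in for the "additional information" the page mentions: it only exists once a query and its response have been paired on the same connection.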

4) Packets/protocol payloads are analyzed by the analyzers

pom-ng/getting_started.1349106960.txt.gz · Last modified: 2020/05/26 21:59 (external edit)