Implementation, cont.

pcapd
  - log complete packets matching filter in tcpdump format
  - support scheduled rotation via newsyslog

synackd
  - forge SYN/ACK replies to 1/N SYNs matching filter
  - stateless - sender will retransmit until timeout (~9 minutes)

tcpflowd
  - reassemble TCP session matching filter, using libnids
  - save payloads to disk, log matching hits in iplog format
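An added illustration of the pcapd bullets above (not code from the original slides or from the tools they describe): a minimal tcpdump-format writer that survives log rotation, assuming the rotator renames the live file and then signals the daemon to reopen it. The class name, file names and sample packet are hypothetical.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4                    # classic pcap, microsecond timestamps
LINKTYPE_RAW = 101                         # records begin at the IP header
GLOBAL_HDR = struct.Struct("<IHHiIII")     # 24-byte file header
RECORD_HDR = struct.Struct("<IIII")        # 16-byte per-packet header

class RotatablePcapWriter:                 # hypothetical name, not pcapd's own code
    def __init__(self, path):
        self.path, self.fh = path, None
        self.reopen()

    def reopen(self):                      # what a rotation-signal handler would call
        if self.fh:
            self.fh.close()
        self.fh = open(self.path, "ab")
        # A freshly rotated (empty) file needs its own global header:
        # version 2.4, snaplen 65535 so complete packets are kept.
        if os.fstat(self.fh.fileno()).st_size == 0:
            self.fh.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW))

    def write(self, ts_sec, ts_usec, packet):
        self.fh.write(RECORD_HDR.pack(ts_sec, ts_usec, len(packet), len(packet)) + packet)
        self.fh.flush()

def read_pcap(path):                       # -> (linktype, [(ts_sec, packet), ...])
    with open(path, "rb") as fh:
        magic, *_, linktype = GLOBAL_HDR.unpack(fh.read(GLOBAL_HDR.size))
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap file")
        packets = []
        while (hdr := fh.read(RECORD_HDR.size)):
            ts_sec, _, incl_len, _ = RECORD_HDR.unpack(hdr)
            packets.append((ts_sec, fh.read(incl_len)))
        return linktype, packets

def demo():
    pkt = bytes.fromhex("4500001400010000400600000a0000010a000002")  # constructed IPv4 header
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "pcapd.log")
        w = RotatablePcapWriter(live)
        w.write(1000, 0, pkt)
        os.rename(live, live + ".0")       # the rotator moves the live file aside
        w.write(1001, 0, pkt)              # open descriptor still points at the renamed file
        w.reopen()                         # daemon reacts to the rotation signal
        w.write(1002, 0, pkt)
        w.fh.close()
        return read_pcap(live + ".0"), read_pcap(live)
```

Packets written between the rename and the reopen land in the rotated file, so nothing is lost, and each file carries its own header and stays readable on its own.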