Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Libnids is an implementation of an E-component of Network Intrusion Detection System. It emulates the IP stack of Linux 2.0.x. Libnids offers IP defragmentation, TCP stream assembly and TCP port scan detection.
branch: master
Failed to load latest commit information.
samples Imporeted Mar 14, 2010: Version 1.24
CHANGES Imporeted Mar 14, 2010: Version 1.24
COPYING Imporeted Mar 14, 2010: Version 1.24
MISC Imporeted Mar 14, 2010: Version 1.24
aclocal.m4 Imporeted Mar 14, 2010: Version 1.24
config.guess Imporeted Mar 14, 2010: Version 1.24
config.sub Imporeted Mar 14, 2010: Version 1.24
configure Imporeted Mar 14, 2010: Version 1.24 Imporeted Mar 14, 2010: Version 1.24
install-sh Imporeted Mar 14, 2010: Version 1.24
mkinstalldirs Imporeted Mar 14, 2010: Version 1.24



1. What is libnids ?

	Libnids is a library that provides a functionality of one of NIDS 
(Network Intrusion Detection System) components, namely E-component. It means 
that libnids code watches all local network traffic, cooks received datagrams 
a bit (quite a bit ;)), and provides convenient information on them to 
analyzing modules of NIDS. Libnids performs:
a) assembly of TCP segments into TCP streams
b) IP defragmentation
c) TCP port scan detection 
More technical info can be found in MISC file.
	So, if you intend to develop a custom NIDS, you don't have to build
low-level network code. If you decide to use libnids, you have got
E-component ready - you can focus on implementing other parts of NIDS.

2. Why is libnids valuable ?

	On January 98, Thomas H. Ptacek and Timothy N. Newsham published an
excellent paper entitled "Eluding Network Intrusion Detection". It's a
must-read for all security concerned people, available from
In this paper one can find description of variety of attack against NIDS.
During libnids development a lot of effort was made to make libnids immune
to these attacks. During tests libnids performed TCP assembly and IP 
defragmentation in exactly the same way as Linux 2.0.36 hosts
(targets of test packets). For details, see file TESTS; here let's just 
mention two things:
a) libnids passed all tests implemented in fragrouter by Dug Song (see ). In fact, fragrouter's tests were
   fairly simple when compared with other, custom ones.
b) libnids IP defragmenting module contains slightly modified Linux 2.0.36 
   kernel source files ip_fragment.c and ip_options.c. It means that libnids IP
   defragmentation is as reliable as one implemented in Linux 2.0.36.
Libnids is easy to use and highly configurable - see API file for details.

3. On what platform does it run ?

Currently libnids will compile on Linux, Solaris, any *BSD. WIN32 port is
available at, but currently only
obsoleted versions are present there; newer ports may appear at (in "downloads" section).

4. Who is allowed to use it ?

Libnids is licensed under GPL. See the file COPYING for details.

5. Contact info ?

The primary libnids site is
Please send bug reports, comments, or questions about this software to
Something went wrong with that request. Please try again.