A little bit of everything



Hi Chris,

I cannot share code samples around that but I am indeed using it. The callback takes 2 arguments:

  • The IP header
  • The TCP header (including the payload)

Those are just raw bytes (Python string object) that you have to parse yourself.

In a standard TCP session establishment, the server/client role is determined according to the handshake (the client is the one sending the first SYN packet). The resume callback returns a value to tell libnids who sent this packet (NIDS_TCP_RESUME_CLIENT or NIDS_TCP_RESUME_SERVER) to allow it to create HalfStream structures accordingly. Any other return value is assumed to be NIDS_TCP_RESUME_NONE and HalfStreams are not created.

I hope this is clear enough.

By the way, do not take into account the compilation warning telling you to move to Python3. I haven’t tested that enough for it to be considered stable :)
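A resume callback of the shape described above, as an added example that is not the post author's code: it parses the two raw header buffers and picks a side using a port heuristic. The numeric constant values, `SERVER_PORTS`, the function names and the heuristic itself are assumptions; how the callback is registered with the binding is not shown.

```python
import struct

# Stand-ins for the constants named in the post; in real use take them from
# the nids module. The numeric values below are assumptions.
NIDS_TCP_RESUME_NONE, NIDS_TCP_RESUME_CLIENT, NIDS_TCP_RESUME_SERVER = 0, 1, 2

SERVER_PORTS = {22, 25, 80, 443}   # hypothetical: ports treated as server side
SYN, ACK = 0x02, 0x10


def parse_ports_flags(ip_hdr, tcp_hdr):
    """Return (sport, dport, flags) from raw header bytes, or None if malformed."""
    if len(ip_hdr) < 20 or len(tcp_hdr) < 20:
        return None
    ver_ihl, proto = struct.unpack("!B8xB", ip_hdr[:10])         # bytes 0 and 9
    sport, dport, off, flags = struct.unpack("!HH8xBB", tcp_hdr[:14])
    ihl, doff = (ver_ihl & 0x0F) * 4, (off >> 4) * 4             # lengths in bytes
    if ver_ihl >> 4 != 4 or proto != 6:                          # IPv4 + TCP only
        return None
    if not 20 <= ihl <= len(ip_hdr) or not 20 <= doff <= len(tcp_hdr):
        return None
    return sport, dport, flags


def resume_callback(ip_hdr, tcp_hdr):
    """Tell libnids which side sent a packet of a session whose handshake was missed."""
    parsed = parse_ports_flags(ip_hdr, tcp_hdr)
    if parsed is None:
        return NIDS_TCP_RESUME_NONE
    sport, dport, flags = parsed
    if flags & SYN and flags & ACK:    # in a normal handshake SYN+ACK comes from the server
        return NIDS_TCP_RESUME_SERVER
    to_server, from_server = dport in SERVER_PORTS, sport in SERVER_PORTS
    if to_server and not from_server:
        return NIDS_TCP_RESUME_CLIENT
    if from_server and not to_server:
        return NIDS_TCP_RESUME_SERVER
    return NIDS_TCP_RESUME_NONE        # ambiguous: no HalfStreams are created


def build_sample(sport, dport, flags, payload=b""):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags,
                      8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     b"\xc0\x00\x02\x0a", b"\xc0\x00\x02\x14")
    return ip, tcp
```

Returning `NIDS_TCP_RESUME_NONE` for malformed or ambiguous packets keeps a wrong guess from assigning data to the wrong half of a stream.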