I cannot share code samples around that but I am indeed using it. The callback takes 2 arguments:
- The IP header
- The TCP header (including the payload)
Those are just raw bytes (Python string object) that you have to parse yourself.
In a standard TCP session establishment, the server/client role is determined according to the handshake (the client is the one sending the first SYN packet). The resume callback returns a value to tell libnids who sent this packet (NIDS_TCP_RESUME_CLIENT or NIDS_TCP_RESUME_SERVER) to allow it to create HalfStream structures accordingly. Any other return value is assumed to be NIDS_TCP_RESUME_NONE and HalfStreams are not created.
I hope this is clear enough.
By the way, do not take into account the compilation warning telling you to move to Python3. I haven’t tested that enough to be considered as stable :)
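Added example, not part of the original comment and not the project's own code: a resume callback of the kind described above, which parses the two raw byte arguments and returns a direction. The names `parse_headers`, `resume_cb`, `sample_packet` and `SERVER_PORTS` are hypothetical, the port-based decision is an assumed heuristic, and the numeric constant values are placeholders for the ones the binding provides.

```python
import socket
import struct

# Placeholder values so the block runs without pynids; in real use, return the
# NIDS_TCP_RESUME_* constants that the binding itself provides.
NIDS_TCP_RESUME_NONE, NIDS_TCP_RESUME_CLIENT, NIDS_TCP_RESUME_SERVER = 0, 1, 2

# Assumption: ports that identify the server side on the monitored network.
SERVER_PORTS = frozenset([22, 25, 80, 443, 3306])


def parse_headers(ip_hdr, tcp_hdr):
    """Return (src, sport, dst, dport), or None if the bytes are malformed."""
    if len(ip_hdr) < 20 or len(tcp_hdr) < 20:
        return None
    ver_ihl, proto = struct.unpack("!B8xB", ip_hdr[:10])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5 or proto != socket.IPPROTO_TCP:
        return None
    sport, dport, data_off = struct.unpack("!HH8xB", tcp_hdr[:13])
    hdr_len = (data_off >> 4) * 4
    if hdr_len < 20 or hdr_len > len(tcp_hdr):
        return None
    src, dst = socket.inet_ntoa(ip_hdr[12:16]), socket.inet_ntoa(ip_hdr[16:20])
    return src, sport, dst, dport


def resume_cb(ip_hdr, tcp_hdr):
    """Tell libnids who sent this packet, based on the parsed port pair."""
    parsed = parse_headers(ip_hdr, tcp_hdr)
    if parsed is None:
        return NIDS_TCP_RESUME_NONE
    _, sport, _, dport = parsed
    if dport in SERVER_PORTS and sport not in SERVER_PORTS:
        return NIDS_TCP_RESUME_CLIENT   # sender is talking to a server port
    if sport in SERVER_PORTS and dport not in SERVER_PORTS:
        return NIDS_TCP_RESUME_SERVER   # sender is answering from a server port
    return NIDS_TCP_RESUME_NONE         # ambiguous: do not guess a direction


def sample_packet(sport, dport, payload=b"data"):
    """Constructed IPv4 + TCP header bytes (documentation addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.5"))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 1024, 0, 0)
    return ip, tcp + payload
```

Returning NIDS_TCP_RESUME_NONE for malformed or ambiguous packets keeps a wrong guess from assigning traffic to the wrong HalfStream.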