:My main reason for reassembling data is to find bad behaviour in our
:networks. Most things can be filtered and read in ethereal or ngrep. But when
:it comes to streaming media and transferred files it gets harder to tell
:when something bad is happening. That data can be any of TCP or UDP.
Urrr, what is "bad" in this context? 'bad' in a network sense usually requires looking at the exact packets, not at the reassembled stream, as one is looking for oddities like packets that have an ACK without an initial SYN, or packets for which the checksum is wrong, or packets that have ip source routing specified.
If you are trying to detect people using P2P and so on, then you should be using an IDS such as 'snort' that wants the original packets.
If, on the other hand, what you are looking for is matters such as people sending trade secrets to competitors, or people sending personal email through a company machine, then you get into a morass of legal issues. In Canada and the USA, you can often get around those issues by having a written security policy that is literally signed off on by everyone... which works for -new- employees but can be a problem if an existing employee refuses to sign (unless you are an "at will" employer for US legal purposes; in that case, you just tell them outright that if they don't sign they will be fired, but if you aren't "at will" then you'll find that refusing to agree to an imposed -change- in employment conditions is not considered adequate grounds for justifiable termination.)
In the EU, the EU privacy database policies are, I gather, interpreted different ways in different places. About a year ago or so, someone from, ummm Finland I think it was, posted indicating that in his country recording the content of employee data packets was a violation of employee privacy rights under the national implementation of the EU database privacy directives. I do not have information about whether any particular national implementation has exceptions; the implication of the posting was that it at least could not be -routinely- done the way it often is in the USA.