I need a service-monitor-application that works by sniffing the traffic between a user and a server that offers a service.

The point is to detect a specific request to the server from the user, and then detect the related response from the server to the user. By this i should be possible to register the response-time of the server, without forcing unnecessary test-traffic on the server.

Do anyone know an application there would be able to do this?

Is the traffic TCP or UDP? Anyway, try any general packet sniffer, I use Wireshark and it is enough for your task (as you describe it). It will give you list of packets; you can first have only packets which go to the IP address of the server and have correct port number. If the protocol is known to Wireshark you can filter on its field, else "data contains .. " can help you further filtering. Then I hope it is reasonable to assume that you are in the place you need - you can now add filter on client port also and have the traffic of this conversation for inspection.

offhand i'm not aware of anythign tailor made for this purpose... well actually I do if you have $60,000 to spare... http://f5.com but in the GPL world, you can probably just use something like ngrep. this will let you watch packets and grep against the payload for whatever. i guess you could run two instances, each watching traffic in different directions for different strings and write th data to a log file for interpretation or such?

ngep could seem like a part of the solution to my problem. It seems like I would have to do some work to make it a solution to my challenge, but it might be possible.

The collected data would also have to be updated to a database in order to generate day/week/month statistics on the provided service.
Any ideas for a solution to this?

I think that Wireshark could be a help, but not a part of the solution since I need data-collection and not data-analysis.

The question is still open but for now thanks for your replies...

well it depends how you want to control this database... if you just want to store the events to a table rather than a file, then it's easy to pipe data from ngreap into the mysql or postgresql client... a slightly slicker developement would probably be to log the data to syslog and then use a decent syslog engine like syslog-ng to take care of putting the data into a database. what you then do with that data is your own business...

thinking about it now, instead of ngrep, you might prefer to look at the string module for iptables which will also give you the ability to notice strings of data as the fly through the box. just use the LOG target and instantly they're off to syslog, where, as above, you can push them wherever you want. http://www.securityfocus.com/infocus/1531