Download presentation
Presentation is loading. Please wait.
1
POSTECH 1/17 CSED702D: Internet Traffic Monitoring and Analysis James Won-Ki Hong Department of Computer Science and Engineering POSTECH, Korea jwkhong@postech.ac.kr
2
POSTECH 2/17 CSED702D: Internet Traffic Monitoring and Analysis Outline Introduction Basic Concept of Packet Capturing Programming with Libpcap Libpcap based Software Installation of Libpcap
3
POSTECH 3/17 CSED702D: Internet Traffic Monitoring and Analysis Introduction Libpcap: Portable Packet Capturing Library Operating system independent Provide general-purpose APIs Simple and powerful user-level library Compatible with Unix like system Many of commercial IDS systems utilize Libpcap to analyze packet data Representative Programs Rely on Libpcap TCPDump, SAINT and etc. Other Packet Capturing Tools SOCK_PACKET, LSF, SNOOP, SINT and etc. Operating system dependent
4
POSTECH 4/17 CSED702D: Internet Traffic Monitoring and Analysis Basic Concept of Packet Capturing Packet Capturing Packet capturing (sniffing) does not affects to data transfer The packet captured by libpcap is called raw packet and de- multiplexing is required to analyze the packet
5
POSTECH 5/17 CSED702D: Internet Traffic Monitoring and Analysis Libpcap File Format File Extension Normally has “.pcap” file extension File Format General libpcap file format Contains some global information followed by zero or more records for each packet A captured packet in a capture file does not necessarily contain all the data A captured file might contain at most first N bytes of each packet Global Header Global Header Packet Header Packet Data Packet Header Packet Data Packet Header Packet Data …
6
POSTECH 6/17 CSED702D: Internet Traffic Monitoring and Analysis Device & Network Related APIs (1/2) Device & Network Lookup for Single Device char *pcap_lookupdev(char *errbuf) Return a pointer to a network device suitable for use with pcap_open_live() and pcap_lookupnet() Return NULL indicates an error Reference: lookupdev.c int pcap_lookupnet( const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf) Determine the network number and mask associated with the network device Return -1 indicates an error Reference: lookupnet.c
7
POSTECH 7/17 CSED702D: Internet Traffic Monitoring and Analysis Device & Network Related APIs (2/2) Device & Network Lookup for Multiple Devices int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf) Constructs a list of network devices that can be opened with pcap_create() and pcap_activate() or with pcap_open_live() alldevsp: list of network devides Returns 0 on success and -1 on failure. The list of devices must be freed with pcap_freealldevs() Structure of pcap_if_t next: if not NULL, a pointer to the next element in the list name: a pointer to a string giving a name for the device to pass to pcap_open_live() description: if not NULL, a pointer to a string giving a human-read- able description of the device addresses: a pointer to the first element of a list of addresses flags: interface flags - PCAP_IF_LOOPBACK set if the interface is a loopback interface
8
POSTECH 8/17 CSED702D: Internet Traffic Monitoring and Analysis Example of Device Loopup Output: DEV: eth0 NET: 192.168.xx.x MASK: 255.255.xxx.xxx
9
POSTECH 9/17 CSED702D: Internet Traffic Monitoring and Analysis Initializing Packet Capturing APIs Preparation of Packet Capturing File descriptor == Packet capture descriptor Packet capture descriptor: pcap_t * pcap_t *pcap_open_live( const char *device, int snaplen, int promisc, int to_ms, char *errbuf) Parameters device: the device in which the packets are captured from snaplen: maximum number of bytes to capture promisc: true, set the interface into promiscuous mode; false, only bring packets intended for you to_ms: read timeout in milliseconds; zero, cause a read to wait forever to allow enough packets to arrive Return A packet capture descriptor to look at packets on the network Return NULL indicates an error pcap_t *pcap_open_offline(const char *fname, char *errbuf) open a “savefile” for reading fname: the name of the file to open return a pcap_t * on success and NULL on failure
10
POSTECH 10/17 CSED702D: Internet Traffic Monitoring and Analysis TCP, IP, Ethernet Structures (1/4) The path of TCP, IP and Ethernet Header Ethernet header: /usr/include/linux/if_ether.h IP header: /usr/include/netinet/ip.h TCP header: /usr/include/netinet/tcp.h Packet Format Ethernet Trailer 14 bytes Ethernet Frame IP HeaderTCP Header Application Data 20 bytes 46 ~ 1500 bytes Ethernet Header ICMP header : 8 byte UDP header : 8 byte ARP header : 28 byte
11
POSTECH 11/17 CSED702D: Internet Traffic Monitoring and Analysis TCP, IP, Ethernet Structures (2/4) Ethernet Header Preamble DST. Address SRC. Address Type Payload Frame Check (CRC) 8 bytes6 bytes 2 bytesn bytes4 bytes SFDSFD Ethernet Header
12
POSTECH 12/17 CSED702D: Internet Traffic Monitoring and Analysis TCP, IP, Ethernet Structures (3/4) IP Header Bit Offset 0 ~ 34 ~ 78 ~ 1516 ~ 2324 ~ 31 0Version Header Length TOSTotal Packet Length 32IdentifierFlagsFragment Offset 64Time to Live (TTL) Protocol ID Header Checksum 96Source IP Address 128Destination IP Address 160IP Header OptionsPadding
13
POSTECH 13/17 CSED702D: Internet Traffic Monitoring and Analysis TCP, IP, Ethernet Structures (4/4) source port # dest port # 32 bits sequence number acknowledgement number rcvr window size ptr urgent data checksum F SR PAU head len not used Options (variable length) TCP Header
14
POSTECH 14/17 CSED702D: Internet Traffic Monitoring and Analysis Packet Read Related APIs Read Packet in Loop Manner const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h) Read the next packet Return NULL indicates an error pcap_next.c timestamp.c int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user) Processes packets from a live capture or “savefile‘” until cnt packets are processed A value of -1 or 0 for cnt is equivalent to infinity callback specifies a routine to be called
15
POSTECH 15/17 CSED702D: Internet Traffic Monitoring and Analysis Filtering Related APIs Filter int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask) Compile the str into a filter program str: filter string optimize: 1, optimization on the resulting code is performed netmask: specify network on which packets are being captured Returns 0 on success and -1 on failure int pcap_setfilter(pcap_t *p, struct bpf_program *fp) Specify a filter program (after compiling filter) Return -1 indicates an error pcap_filter.c Sample Source http://dpnm.postech.ac.kr/cs702/src/test.c http://dpnm.postech.ac.kr/cs702/src/test.c http://dpnm.postech.ac.kr/cs702/src/readfile.c http://dpnm.postech.ac.kr/cs702/src/readfile.c
16
POSTECH 16/17 CSED702D: Internet Traffic Monitoring and Analysis How to Compile Libpcap Program? Two Parameters Library path (e.g., -lpcap) Compilation flags (-I/usr/include.pcap) Automate the Compilation Shell Scripting Create a compile.sh in executable mode, put follows and execute compile.sh gcc -o test test.c –lpcap -I/usr/include.pcap Makefile Create a Makefile, put follows and run make through CLI CC=gcc LIBS=-lpcap CFLAGS=-I/usr/include.pcap OBJ=test.o TARGET = test all: $(TARGET) $(TARGET): $(TARGET).c $(CC) -o $(TARGET) $(TARGET).c $(LIBS) $(CFLAGS) clean: $(RM) $(TARGET)
17
POSTECH 17/17 CSED702D: Internet Traffic Monitoring and Analysis Libpcap based Software Libpcap based Software ntop - network top A network traffic probe that shows the network usage Sort network traffic according to many protocols http://www.ntop.org/overview.html snort Intrusion prevention and detection system Sniff every packet and differentiate general and intrusion by against rules http://www.snort.org/ ethereal Network protocol analyzer http://www.ethereal.com/ Wireshark A free and open-source packet analyzer Originally named Ethereal, after renamed as wireshark in May 2006, due to trade mark issues http://www.wireshark.org/
18
POSTECH 18/17 CSED702D: Internet Traffic Monitoring and Analysis Q&A
Similar presentations
