POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) Programming with Libpcap.

Contents
- Introduction
- Basic Concept of Packet Capturing
- Programming with Libpcap
  - Device & Network Related APIs
  - Initializing Packet Capturing APIs
  - TCP, IP, Ethernet Structures
  - Packet Read Related APIs
  - Filtering Related APIs
- Software based on Libpcap
- Reference

Introduction
- Libpcap: Portable Packet Capturing Library
  - Operating system independent
  - Provides general-purpose APIs
  - Simple and powerful user-level library
  - Compatible with Unix-like systems
- Other packet capturing tools
  - SOCK_PACKET, LSF, SNOOP, SINT, etc.
  - Operating system dependent
- TCPDUMP is implemented with Libpcap
- Many commercial IDS systems use Libpcap to analyze packet data
- Installation
  - Unix/Linux:
  - Windows:
  - Solaris:

Basic Concept of Packet Capturing
- Packet capturing (sniffing) does not affect the data transfer it observes
- The packet captured by libpcap is called a raw packet; demultiplexing (decoding it layer by layer: Ethernet, IP, TCP) is required before the packet can be analyzed

Programming with Libpcap: Programming APIs

Device & Network Related APIs (1/2)
- char *pcap_lookupdev(char *errbuf)
  - returns a pointer to a network device suitable for use with pcap_open_live() and pcap_lookupnet()
  - returns NULL on error
  - reference: lookupdev.c
- int pcap_lookupnet(const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
  - determines the network number and mask associated with the network device
  - returns -1 on error
  - reference: lookupnet.c

Device & Network Related APIs (2/2)
- What if there are multiple devices?
- int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
  - constructs a list of network devices that can be opened with pcap_create() and pcap_activate(), or with pcap_open_live()
  - alldevsp: list of network devices
  - returns 0 on success and -1 on failure
  - the list of devices must be freed with pcap_freealldevs()
- Structure of pcap_if_t
  - next: if not NULL, a pointer to the next element in the list
  - name: a pointer to a string giving a name for the device to pass to pcap_open_live()
  - description: if not NULL, a pointer to a string giving a human-readable description of the device
  - addresses: a pointer to the first element of a list of addresses
  - flags: interface flags; PCAP_IF_LOOPBACK is set if the interface is a loopback interface

Example #1
Output:
DEV: eth0
NET: xx.x
MASK: xxx.xxx
Compile: gcc [source] -lpcap -I/usr/include/pcap

Initializing Packet Capturing APIs (1/2)
- Analogous to a file descriptor: the packet capture descriptor
  - Packet capture descriptor: pcap_t *
- pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf)
  - obtains a packet capture descriptor to look at packets on the network
  - snaplen: maximum number of bytes to capture per packet
  - promisc: if true, put the interface into promiscuous mode; if false, only deliver packets addressed to this host
  - to_ms: read timeout in milliseconds; zero causes a read to wait forever for enough packets to arrive
  - returns NULL on error

Initializing Packet Capturing APIs (2/2)
- pcap_t *pcap_open_offline(const char *fname, char *errbuf)
  - opens a "savefile" (a capture previously written to disk) for reading
  - fname: the name of the file to open
  - returns a pcap_t * on success and NULL on failure

TCP, IP, Ethernet Structures (1/3)
- IP and TCP headers: /usr/include/netinet
- Ethernet header: /usr/include/linux/if_ether.h
- Ethernet header [struct layout shown as a figure on the slide]

TCP, IP, Ethernet Structures (2/3)
- IP header [struct layout shown as a figure on the slide]

TCP, IP, Ethernet Structures (3/3)
- TCP header [struct layout shown as a figure on the slide]
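The demultiplexing the slides describe (Ethernet, then IP, then TCP) as an added example that is not part of the original deck: it walks the three headers by hand instead of through the netinet structs, and checks every header against the captured length before reading it, since a short snaplen or a bogus IHL must not make the parser read past the capture buffer. The 54-byte frame is constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Result of demultiplexing one frame; ok==1 only if Ethernet, IPv4 and the
 * minimal TCP header all lie within the captured bytes (pcap_pkthdr.caplen). */
struct pkt_summary {
    uint16_t ethertype;
    uint8_t  proto;
    uint32_t src, dst;      /* IPv4 addresses in host order */
    uint16_t sport, dport;
    int      ok;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Returns 1 if the frame is IPv4/TCP and fully parsable within caplen, else 0.
 * Every header is length-checked before it is read: a short snaplen or a
 * crafted IHL must never make the parser read past the capture buffer. */
int demux_frame(const uint8_t *pkt, size_t caplen, struct pkt_summary *out)
{
    memset(out, 0, sizeof *out);
    if (caplen < 14) return 0;                        /* Ethernet header */
    out->ethertype = be16(pkt + 12);
    if (out->ethertype != 0x0800) return 0;           /* not IPv4 */
    const uint8_t *ip = pkt + 14;
    if (caplen < 14 + 20) return 0;                   /* fixed part of IPv4 header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;          /* header length incl. options */
    if (ihl < 20 || caplen < 14 + ihl) return 0;
    out->proto = ip[9];
    out->src = be32(ip + 12);
    out->dst = be32(ip + 16);
    if (out->proto != 6) return 0;                    /* not TCP */
    const uint8_t *tcp = ip + ihl;
    if (caplen < 14 + ihl + 20) return 0;             /* minimal TCP header */
    out->sport = be16(tcp);
    out->dport = be16(tcp + 2);
    out->ok = 1;
    return 1;
}

/* Constructed 54-byte frame for this example: Ethernet -> IPv4 (10.0.0.1 ->
 * 10.0.0.2, IHL=5) -> TCP SYN from port 40000 to port 80. Checksums are zero. */
const uint8_t sample_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,           /* IPv4 */
    10,0,0,1, 10,0,0,2,
    0x9c,0x40, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0    /* TCP */
};
```

Passing a caplen smaller than the frame (as a small snaplen would produce) makes the parser stop cleanly instead of reading garbage.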

Packet Read Related APIs
- const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
  - reads the next packet
  - returns NULL on error
  - reference: pcap_next.c, timestamp.c
- int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
  - processes packets from a live capture or "savefile" until cnt packets have been processed
  - a value of -1 or 0 for cnt is equivalent to infinity
  - callback specifies the routine to be called for each packet
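To make the "savefile" of pcap_open_offline() and the per-packet header that pcap_next()/pcap_loop() deliver concrete, here is an added example (not from the slides) that walks the classic libpcap file format by hand: a 24-byte global header, then for each packet a 16-byte record (ts_sec, ts_usec, caplen, len) followed by caplen bytes. Only native-endian files (magic 0xa1b2c3d4) are handled; the two-packet file is constructed in memory for this example.

```c
#include <stdint.h>
#include <string.h>

#define PCAP_MAGIC 0xa1b2c3d4u   /* native-endian classic savefile */
struct savefile_stats { uint32_t packets, bytes_captured, bytes_on_wire, truncated; };
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Walk an in-memory savefile: 24-byte global header, then per packet a
 * 16-byte record header (ts_sec, ts_usec, caplen, len) and caplen bytes,
 * which is what pcap_next() hands back as pcap_pkthdr + data.
 * Returns 0 on success, -1 on bad magic, -2 if a record runs past the end. */
int walk_savefile(const uint8_t *buf, size_t n, struct savefile_stats *st)
{
    memset(st, 0, sizeof *st);
    if (n < 24 || rd32(buf) != PCAP_MAGIC) return -1;
    uint32_t snaplen = rd32(buf + 16);
    size_t off = 24;
    while (off < n) {
        if (n - off < 16) return -2;
        uint32_t caplen = rd32(buf + off + 8), len = rd32(buf + off + 12);
        if (caplen > snaplen || n - off - 16 < caplen) return -2;  /* never trust caplen blindly */
        st->packets++;
        st->bytes_captured += caplen;
        st->bytes_on_wire += len;
        if (caplen < len) st->truncated++;    /* snaplen cut this packet short */
        off += 16 + caplen;
    }
    return 0;
}

/* Build a constructed two-packet savefile (host byte order) into out, which
 * must hold at least 212 bytes; returns the number of bytes written. */
size_t build_sample_savefile(uint8_t *out)
{
    wr32(out, PCAP_MAGIC); wr16(out + 4, 2); wr16(out + 6, 4);   /* version 2.4 */
    wr32(out + 8, 0); wr32(out + 12, 0);                         /* thiszone, sigfigs */
    wr32(out + 16, 96); wr32(out + 20, 1);                       /* snaplen 96, DLT_EN10MB */
    size_t off = 24;
    /* record 1: a 60-byte frame captured in full */
    wr32(out + off, 1700000000u); wr32(out + off + 4, 0);
    wr32(out + off + 8, 60); wr32(out + off + 12, 60);
    memset(out + off + 16, 0xaa, 60); off += 16 + 60;
    /* record 2: a 1500-byte frame cut to the 96-byte snaplen */
    wr32(out + off, 1700000001u); wr32(out + off + 4, 500);
    wr32(out + off + 8, 96); wr32(out + off + 12, 1500);
    memset(out + off + 16, 0xbb, 96); off += 16 + 96;
    return off;
}
```

The caplen < len case is the one to watch in analysis code: it means the snaplen passed to pcap_open_live() was smaller than the frame, so the tail of that packet was never captured.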

Filtering Related APIs
- int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)
  - compiles str into a filter program
  - str: filter string
  - optimize: 1 performs optimization on the resulting code
  - netmask: the netmask of the network on which packets are being captured
  - returns 0 on success and -1 on failure
- int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
  - installs a filter program (after the filter has been compiled)
  - returns -1 on error
  - reference: pcap_filter.c

Example #2 [source listing shown on the slide]

Software based on Libpcap
- ntop (network top)
  - a network traffic probe that shows network usage
  - sorts network traffic according to many protocols
- snort
  - intrusion prevention and detection system
  - sniffs every packet and distinguishes normal traffic from intrusions by matching it against rules
- ethereal
  - network protocol analyzer
- wireshark

Reference
- TCPDump
- The Sniffer's Guide to Raw Traffic