Sniffing network traffic in Python


Sniffing network traffic in Python
Jose Nazario, Ph.D. <jose@monkey.org>

Why Python?
- Interpreted language
  - Rapid development
  - Bound to be slower than C
- Rapid development
  - Easy data structure use
  - Fewer LoC per tool
  - Easy to manipulate strings
- http://www.python.org/

Marrying Python and Sniffing
- Libraries in C
  - Often SWIGged, exported to Python
  - pcap, dnet, nids …
- Modules
  - pypcap/pcappy – pcap for python
  - dpkt – packet deconstruction library
  - libdnet – packet construction library (has python bindings in the distribution)
  - pynids – connection reassembly tool

libnids – reassemble IP streams
- NIDS “E” box (event generation box)
- Userland TCP/IP stack
- Based on Linux 2.0.36 IP stack
- Uses libpcap, libnet internally
- IP fragment reassembly

[Diagram: a normal host, with the IP stack in the kernel and applications in userland]

[Diagram: the same host with libnids, which runs its own IP stack in userland alongside the kernel's]

libnids Basics
- Initialize: nids_init()
- Register callbacks: nids_register_tcp(), nids_register_ip(), nids_register_udp()
- Run!: nids_run()
- React: nids_kill_tcp()

nids_run() dispatches to the registered callbacks:
- TCP callback gets a TCP stream object:
  - TCP state
  - client data
  - server data
  - source IP, port
  - dest IP, port
  - seq, ack, etc …
- UDP callback gets a UDP packet:
  - source IP, port
  - dest IP, port
  - UDP payload
- IP callback gets an IP packet:
  - struct IP packet
  - contains upper layers

libnids TCP states
- NIDS_JUST_ESTABLISHED: new TCP connected state (3WHS complete); must set stream->{client,server}.collect = 1 here to get the stream payload collected
- NIDS_DATA: data within a known, established TCP connection
- NIDS_RESET, NIDS_CLOSE, NIDS_TIMED_OUT: TCP connection is reset, closed gracefully, or was lost
- libnids doesn’t expose SYN_SENT, FIN_WAIT, etc …

pynids Basics
- Event driven interface (nids.run(), nids.next())
- TCP stream reassembly
- TCP state exposure
- Creates a TCP object holding addresses, data, etc
- UDP and IP packet reassembly

Basic pynids Steps
- Initialize: nids.init()
- Establish parameters: nids.param("attribute", value)
- Register callbacks: nids.register_tcp(handleTcp), where
    def handleTcp(tcp): …
- Go!: nids.run(), or
    while 1: nids.next()

pynids Order of Operations
- Packets come in
- TCP? Does state exist? Create state or reuse state, append data, then process based on state in the callback
- UDP or IP? Use handler, pass packet in; you process in callback

Code Example (Python)

    import sys
    import nids

    # handleTcpStream is defined on the next slide

    def main():
        nids.param("scan_num_hosts", 0)   # turn off libnids' portscan detector
        if not nids.init():
            print "error -", nids.errbuf()
            sys.exit(1)
        nids.register_tcp(handleTcpStream)
        try:
            nids.run()                    # loop forever
        except KeyboardInterrupt:
            pass                          # Ctrl-C ends the capture

    if __name__ == "__main__":
        main()

Code Example (Python) cont

    end_states = (nids.NIDS_CLOSE, nids.NIDS_RESET, nids.NIDS_TIMED_OUT)

    def handleTcpStream(tcp):
        ((src, sport), (dst, dport)) = tcp.addr
        if tcp.nids_state == nids.NIDS_JUST_EST:
            if dport in (80, 8000, 8080):
                tcp.client.collect = 1    # collect data sent to the client ...
                tcp.server.collect = 1    # ... and data sent to the server
        elif tcp.nids_state == nids.NIDS_DATA:
            tcp.discard(0)                # keep the data; the default drops it after the callback
        elif tcp.nids_state in end_states:
            print "addr:", tcp.addr
            print "To server:", tcp.server.data   # may be binary
            print "To client:", tcp.client.data   # may be binary

Code Example (C)

    #include <err.h>
    #include <stdlib.h>
    #include <nids.h>

    void handleTcp(struct tcp_stream *tcp, void **param);

    int main(int argc, char *argv[])
    {
        if (nids_init() == 0)
            err(1, "error, %s", nids_errbuf);
        nids_register_tcp(handleTcp);
        nids_run();
        exit(0);
    }

Code Example (C), cont

    #include <stdio.h>
    #include <arpa/inet.h>
    #include <nids.h>

    void handleTcp(struct tcp_stream *tcp, void **param)
    {
        struct in_addr src, dst;
        int to_server, to_client;

        switch (tcp->nids_state) {
        case NIDS_JUST_EST:
            if (tcp->addr.dest == 80 || tcp->addr.dest == 8000 ||
                tcp->addr.dest == 8080) {
                tcp->server.collect = 1;
                tcp->client.collect = 1;
            }
            break;
        case NIDS_DATA:
            nids_discard(tcp, 0);   /* keep the data buffered instead of dropping it */
            break;
        case NIDS_CLOSE:
        case NIDS_RESET:
        case NIDS_TIMED_OUT:
            src.s_addr = tcp->addr.saddr;
            dst.s_addr = tcp->addr.daddr;
            /* inet_ntoa() returns a static buffer, so one call per printf */
            printf("((%s, %d), ", inet_ntoa(src), tcp->addr.source);
            printf("(%s, %d))\n", inet_ntoa(dst), tcp->addr.dest);
            /* the buffers are not NUL-terminated: print only the bytes held */
            to_server = tcp->server.count - tcp->server.offset;
            to_client = tcp->client.count - tcp->client.offset;
            printf("%.*s\n", to_server, tcp->server.data);
            printf("%.*s\n", to_client, tcp->client.data);
            break;
        }
    }

About the same LoC, until we start string manipulation

VersionDetect
- Small python tool
- Reports on headers
- Fully passive
- Support for: SSH (client, server), WWW (client, server), and SMTP clients
- Motivation: coordinate data collection with TCP stack fingerprinting, e.g.:
    63.236.16.161 SymbianOS 6048 (on Nokia 7650?) www 80/tcp
    63.236.16.161: 80: Microsoft-IIS/6.0

VersionDetect Output

    192.168.1.7: 22: SSH-2.0-OpenSSH_3.5
    192.168.1.101:http: Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.5a) Gecko/20031030 Mozilla Firebird/0.6.1
    168.75.65.85: 80: Microsoft-IIS/5.0
    165.1.76.60: 80: Netscape-Enterprise/3.6 SP2
    168.75.65.69: 80: Microsoft-IIS/5.0
    168.75.65.87: 80: Microsoft-IIS/5.0
    69.28.159.7: 80: ZEDO 3G
    198.65.148.234: 80: Apache/1.3.29 (Unix) PHP/4.3.3
    216.150.209.231: 80: Apache/1.3.31 (Unix)
    212.187.153.30: 80: Apache/1.3.31 (Unix)
    212.187.153.37: 80: Apache/1.3.31 (Unix)
    212.187.153.32: 80: thttpd/2.25b 29dec2003
    64.209.232.207: 80: Apache/1.3.27 (Unix) mod_perl/1.27
    216.239.39.99: 80: CAFE/1.0
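The header extraction behind a VersionDetect-style report, as an added example and not the author's tool: it takes a reassembled stream in the shape a pynids end-state callback sees (addr, bytes sent to the server, bytes sent to the client), pulls the SSH version lines, the HTTP User-Agent and Server headers, and the SMTP HELO/EHLO name, and prints them in the "ip: port: banner" form shown above. The sample streams, the to_server/to_client keys and the regexes are all constructed for this example; pynids itself is not needed to run it.

```python
import re

# Constructed sample streams, shaped like what a pynids TCP callback sees at
# close: addr == ((src_ip, sport), (dst_ip, dport)); "to_server" stands for
# tcp.server.data (bytes the client sent) and "to_client" for tcp.client.data.
SAMPLE_STREAMS = [
    {"addr": (("192.168.1.7", 40211), ("10.0.0.5", 22)),
     "to_server": b"SSH-2.0-OpenSSH_3.5\r\n",
     "to_client": b"SSH-2.0-OpenSSH_3.7p1\r\n"},
    {"addr": (("192.168.1.101", 51230), ("168.75.65.85", 80)),
     "to_server": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.5a) "
                  b"Gecko/20031030 Mozilla Firebird/0.6.1\r\n\r\n",
     "to_client": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n"},
    {"addr": (("192.168.1.9", 33002), ("10.0.0.25", 25)),
     "to_server": b"EHLO laptop.example.net\r\nQUIT\r\n",
     "to_client": b"220 mail.example.net ESMTP\r\n221 Bye\r\n"},
    {"addr": (("192.168.1.9", 33003), ("10.0.0.99", 443)),
     "to_server": b"\x16\x03\x01\x00\x41\x01\x00\x00",   # start of a TLS ClientHello
     "to_client": b"\x16\x03\x01\x00\x4a\x02\x00\x00"},
]

SSH_BANNER   = re.compile(rb"^(SSH-\d\.\d+-[^\r\n]+)")
HTTP_REQUEST = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
HTTP_REPLY   = re.compile(rb"^HTTP/1\.[01] \d{3}")
USER_AGENT   = re.compile(rb"^User-Agent:[ \t]*([^\r\n]+)", re.M)
SERVER_HDR   = re.compile(rb"^Server:[ \t]*([^\r\n]+)", re.M)
SMTP_HELO    = re.compile(rb"^(?:EHLO|HELO)[ \t]+([^\r\n]+)", re.M | re.I)

def _head(data):
    """Only the header block: never search inside a response body."""
    end = data.find(b"\r\n\r\n")
    return data if end < 0 else data[:end]

def _text(raw):
    return raw.decode("ascii", "replace").strip()

def detect_versions(stream):
    """Return [(ip, port, banner), ...] for the SSH, HTTP and SMTP
    identification strings visible in one reassembled stream."""
    (src, sport), (dst, dport) = stream["addr"]
    to_server, to_client = stream["to_server"], stream["to_client"]
    found = []
    m = SSH_BANNER.match(to_client)
    if m:                                   # SSH: both ends announce a version line
        found.append((dst, dport, _text(m.group(1))))
        m = SSH_BANNER.match(to_server)
        if m:
            found.append((src, sport, _text(m.group(1))))
    elif HTTP_REQUEST.match(to_server):     # WWW: User-Agent from the client, Server from the server
        m = USER_AGENT.search(_head(to_server))
        if m:
            found.append((src, sport, _text(m.group(1))))
        if HTTP_REPLY.match(to_client):
            m = SERVER_HDR.search(_head(to_client))
            if m:
                found.append((dst, dport, _text(m.group(1))))
    elif to_client.startswith(b"220 "):     # SMTP: the client names itself in HELO/EHLO
        m = SMTP_HELO.search(to_server)
        if m:
            found.append((src, sport, _text(m.group(1))))
    return found                            # anything else (TLS here) yields nothing

def report(stream):
    """Render in the "ip: port: banner" form of the VersionDetect output."""
    return ["%s: %d: %s" % hit for hit in detect_versions(stream)]

if __name__ == "__main__":
    for s in SAMPLE_STREAMS:
        for line in report(s):
            print(line)
```

Only the header block is searched, so a Server: string inside an HTML body is never mistaken for the real banner, and an encrypted stream (the TLS sample) simply produces no report line.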

http-graph
- Small, passive python tool
- Examines HTTP request header:
    GET /blog/styles-site.css HTTP/1.1
    Host: www.jackcheng.com
    User-Agent: Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.5a) Gecko/20031030 Mozilla Firebird/0.6.1
    Accept: text/css,*/*;q=0.1
    Referer: http://www.jackcheng.com/blog/archives/2004/12/ipod_rumors.html

http-graph
- Directed graph history of browsing
- Reconstructs graph from referrer and URL in the header: Referrer -> Request
- Lets you view your history as you took it
- Shows natural “hubs” of information
- See also: http://www.uiweb.com.nyud.net:8090/issues/issue37.htm

Displaying http-graph Output
- Writes a small “dot” file
- “dot” is part of the “graphviz” tool
- Use “neato” to graph
- Output formats: SVG, PS, PDF, image map
- Can make fully interactive!

[Figure: example http-graph output]

Grabbing Data with pynids
- tcp.{server, client}.data are just strings
- Any string operations will work
- Searching:
    if "HTTP/1.0" in tcp.client.data:
- Regular expression searches:
    if re.search("HTTP/1.[10]", tcp.client.data):
- Rewriting:
    string.replace(req, "GET HTTP/1.0", "", 1)

More Fun!
- Privacy invasion
  - Log conversations: IRC, AIM, etc …
  - Steal files: FTP, P2P apps, HTTP downloads …
  - Snarf mail
- Disrupt sessions: tcp.kill()
- New dsniff is written in Python …

flowgrep
- Marries sniffing with regular expressions
- A lot like ngrep, tcpkill, and dsniff
- Logs the whole connection, not just a packet
- Look for data in streams using regular expressions
- Log or kill selected streams
- Dirt cheap IDS or IPS
- Under 400 lines of code
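The core of a flowgrep-style "dirt cheap IDS": regular expressions run over whole reassembled streams, with each rule either logging the hit or killing the connection. This is an added example, not the flowgrep source; it also illustrates the plain-string and re.search matching from the "Grabbing Data with pynids" slide. FakeTcpStream and HalfStream are stand-ins for the pynids objects (same attribute names, with server.data holding the bytes sent to the server, as in libnids) so the example runs without a capture; the rule set and the sample streams are constructed. Note that in Python 3 the stream data is bytes, so the patterns are bytes regexes.

```python
import re

class HalfStream:
    """Stand-in for pynids' half-stream object (constructed for this example)."""
    def __init__(self, data=b""):
        self.data = data
        self.collect = 1

class FakeTcpStream:
    """Stand-in for the pynids TCP stream object.  As in libnids, server.data
    holds bytes sent TO the server (the client's requests) and client.data
    bytes sent to the client."""
    def __init__(self, addr, to_server=b"", to_client=b""):
        self.addr = addr
        self.server = HalfStream(to_server)
        self.client = HalfStream(to_client)
        self.killed = False

    def kill(self):          # pynids tcp.kill() resets both ends; here we only record it
        self.killed = True

# Rules: (name, regex, half-stream to search, action).  "log" records the hit;
# "kill" also tears the connection down, the IPS mode from the slide.
RULES = [
    ("dir-traversal",    re.compile(rb"(?:^|/)\.\.(?:/|\\)"),        "server", "log"),
    ("null-byte-in-uri", re.compile(rb"^[A-Z]+ [^\r\n]*%00", re.M),   "server", "kill"),
    ("http-1.0",         re.compile(rb"HTTP/1\.0\r\n"),               "server", "log"),
    ("iis-banner",       re.compile(rb"^Server: Microsoft-IIS", re.M), "client", "log"),
]

def grep_stream(tcp, rules=RULES):
    """Apply every rule to a finished stream.  Returns a list of
    (rule name, action, byte offset of the match) and kills the stream
    the first time a "kill" rule fires."""
    hits = []
    for name, rx, side, action in rules:
        m = rx.search(getattr(tcp, side).data)
        if m:
            hits.append((name, action, m.start()))
            if action == "kill" and not tcp.killed:
                tcp.kill()
    return hits

def format_hit(tcp, hit):
    """One log line per hit, in the ((src, sport), (dst, dport)) spirit of the slides."""
    (src, sport), (dst, dport) = tcp.addr
    name, action, off = hit
    return "%s:%d -> %s:%d %s %s @%d" % (src, sport, dst, dport, action.upper(), name, off)

# Constructed streams: a traversal probe over HTTP/1.0, a null-byte probe,
# and an ordinary request that matches nothing.
SAMPLE_STREAMS = [
    FakeTcpStream((("10.1.1.20", 40000), ("192.0.2.10", 80)),
                  to_server=b"GET /../../etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
                  to_client=b"HTTP/1.0 400 Bad Request\r\nServer: Microsoft-IIS/5.0\r\n\r\n"),
    FakeTcpStream((("10.1.1.21", 40001), ("192.0.2.10", 80)),
                  to_server=b"GET /cgi-bin/view.cgi?f=a%00 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    FakeTcpStream((("10.1.1.22", 40002), ("192.0.2.10", 80)),
                  to_server=b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                  to_client=b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.29 (Unix)\r\n\r\n"),
]

if __name__ == "__main__":
    for tcp in SAMPLE_STREAMS:
        for hit in grep_stream(tcp):
            print(format_hit(tcp, hit))
```

Because the rules see the reassembled stream rather than single packets, a pattern split across two segments still matches, which is the advantage over per-packet tools the flowgrep slide points at. In a real deployment the function would be called from the NIDS_CLOSE/NIDS_RESET/NIDS_TIMED_OUT branch of the pynids callback, or on NIDS_DATA for kill rules that need to act before the connection ends.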

Resources
- http://www.tcpdump.org/
- http://www.packetfactory.net/projects/libnids/
- http://monkey.org/~provos/libevent/
- http://monkey.org/~dugsong/{dpkt, pycap}
- http://oss.coresecurity.com/projects/pcapy.html
- http://monkey.org/~jose/software/flowgrep/
- http://pilcrow.madison.wi.us/pynids/

Additional Resources
- Stevens, TCP/IP Illustrated vols 1 and 2
- Schiffman, Building Open Source Network Security Tools
- RFCs from the IETF