Download Internet Traffic Monitoring and Analysis : Methods and

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
Document related concepts
no text concepts found
Transcript 
Programming with Libpcap
Internet Traffic Monitoring and Analysis:
Methods and Applications
(1)
POSTECH
DP&NM Lab.
Contents
 Introduction
 Basic Concept of Packet Capturing
 Programming with Libpcap





Device & Network Related APIs
Initializing Packet Capturing APIs
TCP, IP, Ethernet Structures
Packet Read Related APIs
Filtering Related APIs
 Software based on Libpcap
 Reference
Internet Traffic Monitoring and Analysis:
Methods and Applications
(2)
POSTECH
DP&NM Lab.
Introduction
 Libpcap: Portable Packet Capturing Library




Operating system independent
Provide general-purpose APIs
Simple and powerful user-level library
Compatible with Unix like System
 Other packet capturing tools
 SOCK_PACKET, LSF, SNOOP, SINT and etc.
 Operating System defendant
 TCPDUMP is implemented with Libpcap
 Many of commercial IDS systems utilize Libpcap to
analyze packet data
 Installation
 Unix/Linux: http://www.tcpdump.org/#latest-release
 Windows: http://www.winpcap.org/default.htm
 Solaris: http://www.sunfreeware.com
Internet Traffic Monitoring and Analysis:
Methods and Applications
(3)
POSTECH
DP&NM Lab.
Basic Concept of Packet Capturing
 Packet capturing (sniffing) does not affects to data
transfer
 The packet captured by libpcap is called raw packet and
demultiplexing is required to analyze the packet
Internet Traffic Monitoring and Analysis:
Methods and Applications
(4)
POSTECH
DP&NM Lab.
Programming with Libpcap
- Programming APIs-
Internet Traffic Monitoring and Analysis:
Methods and Applications
(5)
POSTECH
DP&NM Lab.
Device & Network Related APIs (1/2)
 char *pcap_lookupdev(char *errbuf)
 return a pointer to a network device suitable for use with pcap_op
en_live() and pcap_lookupnet()
 return NULL indicates an error
 reference: lookupdev.c
 int pcap_lookupnet(
const char *device, bpf_u_int32 *netp, bpf_u_int32 *mask
p, char *errbuf)
 determine the network number and mask associated with the net
work device
 return -1 indicates an error
 reference: lookupnet.c
Internet Traffic Monitoring and Analysis:
Methods and Applications
(6)
POSTECH
DP&NM Lab.
Device & Network Related APIs (2/2)
 What if there are multiple devices?
 int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
 constructs a list of network devices that can be opened with
pcap_create() and pcap_activate() or with pcap_open_live()
 alldevsp: list of network devides
 returns 0 on success and -1 on failure.
 The list of devices must be freed with pcap_freealldevs()
 Structure of pcap_if_t
 next: if not NULL, a pointer to the next element in the list
 name: a pointer to a string giving a name for the device to pass to
pcap_open_live()
 description: if not NULL, a pointer to a string giving a humanread- able description of the device
 addresses: a pointer to the first element of a list of addresses
 flags: interface flags - PCAP_IF_LOOPBACK set if the interface
is a loopback interface
Internet Traffic Monitoring and Analysis:
Methods and Applications
(7)
POSTECH
DP&NM Lab.
Example #1
Output:
DEV: eth0
NET: 192.168.xx.x
MASK: 255.255.xxx.xxx
*Compile: gcc [source] –lpcap –I/usr/include/pcap
Internet Traffic Monitoring and Analysis:
Methods and Applications
(8)
POSTECH
DP&NM Lab.
Initializing Packet Capturing APIs (1/2)
 File descriptor == Packet capture descriptor
 Packet capture descriptor: pcap_t *
 pcap_t *pcap_open_live(
const char *device, int snaplen,
int promisc, int to_ms, char *errbuf)
 obtain a packet capture descriptor to look at packets on the netw
ork
 snaplen: maximum number of bytes to capture
 promisc: true, set the interface into promiscuous mode; false, onl
y bring packets intended for you
 to_ms: read timeout in milliseconds; zero, cause a read to wait for
ever to allow enough packets to arrive
 return NULL indicates an error
Internet Traffic Monitoring and Analysis:
Methods and Applications
(9)
POSTECH
DP&NM Lab.
Initializing Packet Capturing APIs (2/2)
 pcap_t *pcap_open_offline(const char *fname, char
*errbuf);
 open a “savefile” for reading
 fname: the name of the file to open
 return a pcap_t * on success and NULL on failure
Internet Traffic Monitoring and Analysis:
Methods and Applications
(10)
POSTECH
DP&NM Lab.
TCP, IP, Ethernet Structures (1/3)
 IP and TCP headers: /usr/include/netinet
 Ethernet header: /usr/include/linux/if_ether.h
 Ethernet header
Internet Traffic Monitoring and Analysis:
Methods and Applications
(11)
POSTECH
DP&NM Lab.
TCP, IP, Ethernet Structures (2/3)
 IP header
Internet Traffic Monitoring and Analysis:
Methods and Applications
(12)
POSTECH
DP&NM Lab.
TCP, IP, Ethernet Structures (3/3)
 TCP header
Internet Traffic Monitoring and Analysis:
Methods and Applications
(13)
POSTECH
DP&NM Lab.
Packet Read Related APIs
 const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *
h)




read the next packet
return NULL indicates an error
pcap_next.c
timestamp.c
 int pcap_loop(pcap_t *p, int cnt, pcap_handler callback,
u_char *user)
 processes packets from a live capture or “savefile‘” until cnt
packets are processed
 A value of -1 or 0 for cnt is equivalent to infinity
 callback specifies a routine to be called
Internet Traffic Monitoring and Analysis:
Methods and Applications
(14)
POSTECH
DP&NM Lab.
Filtering Related APIs
 int pcap_compile(pcap_t *p,
struct bpf_program *fp, char *str,
int optimize, bpf_u_int32 netmask)





compile the str into a filter program
str: filter string
optimize: 1, optimization on the resulting code is performed
netmask: specify network on which packets are being captured
returns 0 on success and -1 on failure
 int pcap_setfilter(pcap_t *p,
struct bpf_program *fp)
 specify a filter program (after compiling filter)
 return -1 indicates an error
 pcap_filter.c
Internet Traffic Monitoring and Analysis:
Methods and Applications
(15)
POSTECH
DP&NM Lab.
Example #2
 http://dpnm.postech.ac.kr/cs702/pcap_example/pcap_example.c
 http://dpnm.postech.ac.kr/cs702/pcap_example/readfile.c
 http://dpnm.postech.ac.kr/cs702/pcap_example/savedump.c
Internet Traffic Monitoring and Analysis:
Methods and Applications
(16)
POSTECH
DP&NM Lab.
Software based on Libpcap
 ntop - network top
 a network traffic probe that shows the network usage
 sort network traffic according to many protocols
 http://www.ntop.org/overview.html
 snort
 intrusion prevention and detection system
 sniff every packet and differentiate general and intrusion by again
st rules
 http://www.snort.org/
 ethereal
 network protocol analyzer
 http://www.ethereal.com/
 wireshark
 http://www.wireshark.org/
Internet Traffic Monitoring and Analysis:
Methods and Applications
(17)
POSTECH
DP&NM Lab.
Reference
 TCPDump
 http://www.tcpdump.org/pcap.html
 The Sniffer's Guide to Raw Traffic
 http://yuba.stanford.edu/~casado/pcap/section1.html
Internet Traffic Monitoring and Analysis:
Methods and Applications
(18)
POSTECH
DP&NM Lab.
Related documents
see Jose`s poster
see Jose`s poster
幻灯片 1 - University of New South Wales
幻灯片 1 - University of New South Wales
The Portable Object Adapter
The Portable Object Adapter
NetGrok A Visualization Tool for Network Administrators
NetGrok A Visualization Tool for Network Administrators
Document
Document
fever
fever
Mining Large Scale Data from National Educational
Mining Large Scale Data from National Educational
11 Further Reading Although the tool used primarily in this book is
11 Further Reading Although the tool used primarily in this book is
31012030r1 TR30_3_Liaison_to_ITU
31012030r1 TR30_3_Liaison_to_ITU
H37-R38 - Uplift Mighty Prep
H37-R38 - Uplift Mighty Prep