see Jose`s poster - Computer Science and Engineering


REU 2008-Packet Sniffer
Jose Gelpi, Mentors: Dr. Miguel A. Labrador and Cesar D. Guerrero
1. Introduction
A packet sniffer is an application that intercepts network packets traveling in a communication channel. Sniffers usually create a log file with information about the packet headers.
The motivation for this work is the need for a new network sniffer able to perform calculations based on data from the captured packets and to filter out irrelevant information that current sniffers print by default.
The objective of this research is to develop a network sniffer that calculates bandwidth based on the number of bits transmitted at the IP layer (IP packet length) during the time between two consecutive packets. That is,
$$BW = \frac{L_{pck\_1}}{t_{pck\_2} - t_{pck\_1}}$$
2. Contribution
2.1. Testbed
Two end hosts communicating over a LAN, with one machine in the middle sniffing the connection, are used to test the sniffer. Cross traffic is generated using the Multi-Generator (MGEN) tool, which generates synthetic traffic with variable amount and distribution.
2.2. Sniffer
The application is developed in the C language using a network capturing library called PCAP.
• After reading the Network Interface Card (NIC) name, the pcap_open_live function opens it in promiscuous mode.
• Then pcap_loop sniffs the channel and captures every packet seen by the NIC.
• pcap_next stores the packet header following this structure:
struct pcap_pkthdr {
    struct timeval ts; /* time stamp */
    …
    bpf_u_int32 len; /* length this packet */
};
• By using that structure, the packet timestamp and length are used to calculate the bandwidth.
• Finally, the time at which each packet is captured, its size, and the calculated bandwidth are printed out.
[Flowchart: start → open NIC (pcap_open_live) → capture a packet (pcap_loop, hdr <- pcap_next) → calculate BW: hdr.len/(hdr.ts2-hdr.ts1) → print time and BW]
3. Evaluation
The sniffer was evaluated in the testbed by inserting 30% and 60% of periodic cross traffic in a 10 Mbps capacity link for a 10-second period. That is, inserting 3 and 6 Mbps of cross traffic to be sniffed by the tool. The traffic generation was performed with MGEN by sending 381 and 782 packets of 1024 bytes every second.
[Figure: Bandwidth for 3 Mbps Periodic Cross Traffic (Bandwidth vs. Seconds)]
[Figure: Bandwidth for 6 Mbps Periodic Cross Traffic (Bandwidth vs. Seconds)]
Additional packets shown in the graphs are due to control traffic generated between hosts.
An average relative error was calculated by comparing the real traffic rate given by the traffic generator with the value provided by the tool:
error = [...] x 100%
The average relative error in the case of 3 Mbps was 1.83% and in the case of 6 Mbps was 3.75%.
4. Conclusions
• The more packets to be captured per unit time, the higher the relative error. One reason for that is excessive load in the operating system.
• The developed sniffer could be implemented in intermediate routers to better select network routes based on their congestion level.
• Additional packet processing in the tool can be easily performed by manipulating the information in the packet headers. For example, using source and destination IP addresses to determine the traffic load for each host in the network.
5. Acknowledgments
I want to thank César D. Guerrero and Dr. Miguel A. Labrador for their orientations and the National Science Foundation for supporting this project.
Department of Computer Science & Engineering
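
The per-packet bandwidth calculation from section 2.2 and the error comparison from section 3, as an added example that is not the poster's code. It assumes a hypothetical struct hdr_sample holding the two pcap_pkthdr fields shown on the poster (so it runs without a live capture), constructed timestamps, and the standard relative-error definition, since the poster's own formula is not legible. It also skips packet pairs with equal timestamps, which would otherwise divide by zero.

```c
#include <stdio.h>
#include <stdint.h>
#include <sys/time.h>

/* Hypothetical stand-in for the two pcap_pkthdr fields the poster uses. */
struct hdr_sample { struct timeval ts; uint32_t len; /* bytes */ };

/* Constructed sample: 1024-byte packets 2500 us apart, one duplicate timestamp. */
static const struct hdr_sample SAMPLE[] = {
    {{0, 0}, 1024}, {{0, 2500}, 1024}, {{0, 5000}, 1024},
    {{0, 5000}, 1024}, {{0, 7500}, 1024},
};

/* BW = L_pck_1 / (t_pck_2 - t_pck_1) in bits/s; -1.0 if the gap is not positive. */
double packet_bw(const struct hdr_sample *p1, const struct hdr_sample *p2) {
    double dt = (double)(p2->ts.tv_sec - p1->ts.tv_sec)
              + (double)(p2->ts.tv_usec - p1->ts.tv_usec) / 1e6;
    if (dt <= 0.0)
        return -1.0;               /* equal or reordered timestamps: no estimate */
    return p1->len * 8.0 / dt;     /* bytes to bits */
}

/* Mean of the usable per-packet estimates; n headers give n-1 gaps. */
double mean_bw(const struct hdr_sample *h, size_t n) {
    double sum = 0.0;
    size_t used = 0;
    for (size_t i = 0; i + 1 < n; i++) {
        double bw = packet_bw(&h[i], &h[i + 1]);
        if (bw < 0.0)
            continue;
        sum += bw;
        used++;
    }
    return used ? sum / (double)used : -1.0;
}

/* Assumed standard relative error, in percent, against the generator's rate. */
double rel_error_pct(double real, double measured) {
    double d = measured - real;
    return (d < 0.0 ? -d : d) / real * 100.0;
}

int main(void) {
    size_t n = sizeof SAMPLE / sizeof SAMPLE[0];
    double m = mean_bw(SAMPLE, n);
    printf("mean BW = %.0f bit/s, error vs 3 Mbps = %.2f%%\n",
           m, rel_error_pct(3000000.0, m));
    return 0;
}
```

With a real capture, the same functions would be fed the ts and len fields of consecutive headers returned by libpcap.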