Powerpoint Version - Unix Server Admin
Download
Report
Transcript Powerpoint Version - Unix Server Admin
IPAudit
Software for network monitoring.
Question: Why did you choose IPAudit for a
topic?
(Probably should have asked this earlier)
IPAudit – Three stories
Network Monitoring
Software Development
Open Source Project Management
What IPAudit is
Two parts
Binary
Sniffs network and periodically writes traffic summary to a
text file
Companion programs
I find these two program more generally useful – ipaudit is more
specialized.
ipstrings – like strings, but for IP packets.
total – reads text records, maintains counts, averages, etc. for
different fields values.
IPAudit-Web
Web accessible reports based on data collected by
binary.
Problem that IPAudit solves
IMS based DoS attack
1999 infected host in IMS was doing a DoS against
off-campus host.
Problem: No easy method of finding host.
Manual method: log into main switch, find busy interface,
consult network maps to find next switch/hub, log into it,
repeat ....
Solution
Monitor traffic by IP address. Find busiest IP address
directly.
Early Development: Ipaudit Binary
Monitored network with TCPDump and Perl
scripts
Worked on dual 333Mhz Pentium II with 50%
load when monitoring with 4.5mb connection.
Uconn had plans to upgrade to between 10 to
45mbs → Need faster system.
Replace with C program, the IPAudit binary
Learned: pcap library, packet structure, C select()
function.
Developed: new hash function.
Existing hash functions are like black magic.
Ipaudit Output
LOCAL-IP
|
|
|
|
|
|
|
|
|
|
|
TALKER
|
|
--------------137.099.089.110
137.099.089.110
137.099.089.110
137.099.089.110
137.099.089.110
137.099.089.110
137.099.089.110
137.099.089.110
137.099.089.110
REMOTE-IP
|
|
|
|
|
|
|
|
|
|
PROTOCOL
| LOCAL-PORT
| | REMOTE-PORT
| | |
INC-BYTES
| | |
|
OUT-BYTES
| | |
|
|
INC-PKT
| | |
|
|
|
OUT-PKT
| | |
|
|
|
|
FIRST-TIME
| | |
|
|
|
|
| (sort)
| | |
|
|
|
|
|
LAST-TIME
|
FIRST-
|
|
--------------212.045.068.018
212.045.068.018
212.045.068.018
212.045.068.018
212.045.068.018
212.045.068.018
212.045.068.018
212.045.068.018
212.045.068.018
|
|
6
6
6
6
6
6
6
6
6
|
|
------------09:51:19.1243
09:51:21.6822
09:59:57.4130
09:51:30.0712
09:51:31.0847
09:51:30.9838
09:59:59.8142
09:59:59.9341
10:00:00.5380
|
|
2
2
1
2
2
2
1
1
1
|
|
-21
21
20
21
21
21
20
20
20
|
|
---1317
1321
1324
1325
1326
1327
1328
1330
1329
|
|
----278
842
46120
847
794
794
47632
35698
33700
|
|
-----353
3389
712706
2316
2386
2209
709310
536114
527624
|
|
--5
13
854
13
12
12
882
661
624
|
|
---4
16
1261
15
15
13
1255
949
934
|
|
------------09:51:08.0524
09:51:08.7673
09:51:20.4735
09:51:21.5128
09:51:22.0193
09:51:22.5151
09:51:28.5105
09:51:29.2214
09:51:29.6458
LAST-TALK
|
2
2
2
2
2
2
1
1
1
IPStrings
Command line program to inspect IP string data
> ipstrings -f "port 25" -pit -s 256 eth0
137.099.025.234 137.099.080.033 6 25 55956 11:41:43.3353 220
mta1.uits.uconn.edu ESMTP Postfix (Debian/GNU)
137.099.080.033 137.099.025.234 6 55956
uconn.edu
137.099.025.234 137.099.080.033 6
mta1.uits.uconn.edu
25 55956 11:41:45.5777 250
137.099.080.033 137.099.025.234 6 55956
[email protected]
137.099.025.234 137.099.080.033 6
Ok
25 11:41:45.5772 helo
25 11:41:49.9272 mail from:
25 55956 11:41:49.9280 250 2.1.0
Total
> cat total.in
Ford Focus White 20
Ford Taurus White 31
Ford Taurus Red 15
Chevy Aero White 17
Honda Accord Red 12
> total -s1 1 4 total.in
Ford 66
Chevy 17
Honda 12
> total 1,3 4 total.in
Chevy White 17
Ford White 51
Honda Red 12
Ford Red 15
Web based reporting: Ipaudit-Web
Web graphics and table based reports of ipaudit
data.
Graph design inspired by Edward R. Tufte's
“The Visual Display of Quantitative Information”
My interpretation: “Present as much raw data as
possible in a way the view can recognize
meaningful patterns.”
Ipaudit Graph
Live Demo
Uconn's IPAudit system
Password protected
Managed by Network Security group.
The IPAudit Project
Hosted on Sourceforge
since 2001
http://sourceforge.net/projects/ipaudit
About 50,000 downloads.
Other Project Admins
jh8 – initial tar ball packaging
j4_gongloo (a couple of one-time Uconn students) –
Ipaudit web site
Contributors
Charles Green – ipaudit search binary