Programming with Libpcap
Internet Traffic Monitoring and Analysis: Methods and Applications
POSTECH, DP&NM Lab.
Contents
- Introduction
- Basic Concept of Packet Capturing
- Programming with Libpcap
  - Device & Network Related APIs
  - Initializing Packet Capturing APIs
  - TCP, IP, Ethernet Structures
  - Packet Read Related APIs
  - Filtering Related APIs
- Software based on Libpcap
- Reference
Introduction
- Libpcap: portable packet capturing library
  - Operating-system independent: one API on top of whatever capture mechanism the host provides
  - Provides general-purpose APIs
  - Simple and powerful user-level library
  - Available on Unix-like systems (and on Windows through WinPcap)
- Other packet capturing mechanisms
  - SOCK_PACKET, LSF, SNOOP, SINT, etc.
  - Operating-system dependent; libpcap hides these differences from the programmer
- TCPDUMP is implemented with libpcap
- Many commercial IDS systems use libpcap to acquire the packet data they analyze
- Installation
  - Unix/Linux: http://www.tcpdump.org/#latest-release
  - Windows: http://www.winpcap.org/default.htm
  - Solaris: http://www.sunfreeware.com
Basic Concept of Packet Capturing
- Packet capturing (sniffing) is passive: the capture library receives a copy of each frame and does not affect the data transfer between the communicating hosts
- The packet delivered by libpcap is a raw packet, i.e. the whole link-layer frame; demultiplexing (decoding the Ethernet header, then the IP header, then the TCP or UDP header, each one telling you where the next begins) is required before the packet can be analyzed
Programming with Libpcap - Programming APIs
Device & Network Related APIs (1/2)
- char *pcap_lookupdev(char *errbuf)
  - returns a pointer to the name of a network device suitable for use with pcap_open_live() and pcap_lookupnet()
  - a NULL return value indicates an error; errbuf holds the message
  - deprecated in current libpcap releases: it returns only the first non-loopback device, so prefer pcap_findalldevs() (next slide)
  - reference: lookupdev.c
- int pcap_lookupnet(const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
  - determines the network number and mask associated with the network device
  - a return value of -1 indicates an error
  - reference: lookupnet.c
Device & Network Related APIs (2/2)
- What if there are multiple devices?
- int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
  - constructs a list of network devices that can be opened with pcap_create() and pcap_activate() or with pcap_open_live()
  - alldevsp: receives the list of network devices
  - returns 0 on success and -1 on failure
  - the list must be freed with pcap_freealldevs() once you are done with the device names (the name pointers live inside the list)
- Structure of pcap_if_t
  - next: if not NULL, a pointer to the next element in the list
  - name: a pointer to a string giving a name for the device to pass to pcap_open_live()
  - description: if not NULL, a pointer to a string giving a human-readable description of the device
  - addresses: a pointer to the first element of a list of addresses
  - flags: interface flags; PCAP_IF_LOOPBACK is set if the interface is a loopback interface
Example #1
Output:
DEV: eth0
NET: 192.168.xx.x
MASK: 255.255.xxx.xxx
*Compile: gcc [source] -lpcap -I/usr/include/pcap
Initializing Packet Capturing APIs (1/2)
- Packet capture descriptor: pcap_t *, the capture-session equivalent of a file descriptor; every later call takes it as its first argument
- pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf)
  - obtains a packet capture descriptor to look at packets on the network
  - snaplen: maximum number of bytes to capture per packet; longer packets are truncated, so the captured length (caplen) can be smaller than the wire length (len)
  - promisc: non-zero puts the interface into promiscuous mode and captures every frame seen on the segment; zero captures only frames addressed to this host
  - to_ms: read timeout in milliseconds; zero makes a read wait indefinitely for packets to arrive
  - a NULL return value indicates an error; errbuf holds the message, and it may also hold a warning when the call succeeds, so clear errbuf before the call and check it afterwards
Initializing Packet Capturing APIs (2/2)
- pcap_t *pcap_open_offline(const char *fname, char *errbuf)
  - opens a "savefile" (a capture written earlier, e.g. by tcpdump -w) for reading
  - fname: the name of the file to open
  - returns a pcap_t * on success and NULL on failure
TCP, IP, Ethernet Structures
- IP and TCP headers: /usr/include/netinet (netinet/ip.h, netinet/tcp.h)
- Ethernet header: /usr/include/linux/if_ether.h (struct ethhdr)
- Ethernet header: 6-byte destination MAC, 6-byte source MAC, 2-byte type (0x0800 = IPv4); 14 bytes in total, so the IP header starts at offset 14
- IP header: the first byte carries version (upper nibble, 4) and IHL (lower nibble, header length in 32-bit words, 5 without options); total length at offset 2, protocol at offset 9 (6 = TCP, 17 = UDP), source and destination addresses at offsets 12 and 16; all multi-byte fields are big-endian (use ntohs()/ntohl())
- TCP header: source port (offset 0), destination port (offset 2), sequence and acknowledgement numbers, data offset (upper nibble of byte 12, header length in 32-bit words, 5 without options), flags, window, checksum, urgent pointer; the payload begins at data offset * 4
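The demultiplexing described above (Ethernet, then IP, then TCP, each header locating the next), written out as an added example rather than code from the lecture. It decodes by byte offsets from the header layouts named on this page instead of casting to the system structs, and it checks every length field against caplen before dereferencing, because a frame cut short by snaplen or a packet with a bogus IHL or data offset must not walk the pointer off the end of the buffer. The frame in `sample_frame` is constructed for the example (checksums left zero), and the names `tcp_flow_t`, `demux_tcp` and the error codes are this example's own.

```c
/* demux.c: decode a raw libpcap frame (Ethernet -> IPv4 -> TCP) with bounds checks.
 * Added example, not the lecture's code. Offsets follow net/ethernet.h, netinet/ip.h
 * and netinet/tcp.h; hand-decoding avoids struct padding and byte-order surprises. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HLEN_      14
#define ETHERTYPE_IPV4 0x0800
#define IPPROTO_TCP_   6

typedef struct {
    uint16_t ether_type;
    uint8_t  ip_proto;
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint16_t src_port, dst_port;   /* host byte order */
    const uint8_t *payload;
    size_t payload_len;
} tcp_flow_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Decode one frame. caplen is pcap_pkthdr.caplen (bytes actually captured), never .len.
 * Returns 0 on success; -1 truncated Ethernet, -2 not IPv4, -3 bad/truncated IP header,
 * -4 not TCP, -5 bad/truncated TCP header. Every length field is validated before use
 * so a hostile IHL or data offset cannot move the pointer past the buffer. */
int demux_tcp(const uint8_t *pkt, size_t caplen, tcp_flow_t *out)
{
    if (caplen < ETH_HLEN_) return -1;
    out->ether_type = be16(pkt + 12);
    if (out->ether_type != ETHERTYPE_IPV4) return -2;

    const uint8_t *ip = pkt + ETH_HLEN_;
    size_t rem = caplen - ETH_HLEN_;
    if (rem < 20 || (ip[0] >> 4) != 4) return -3;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;        /* header length in bytes, >= 20 */
    size_t tot = be16(ip + 2);                       /* IP total length incl. header */
    if (ihl < 20 || ihl > rem || tot < ihl) return -3;
    if (tot > rem) tot = rem;                        /* snaplen cut the packet: clamp */
    out->ip_proto = ip[9];
    out->src_ip = be32(ip + 12);
    out->dst_ip = be32(ip + 16);
    if (out->ip_proto != IPPROTO_TCP_) return -4;

    const uint8_t *tcp = ip + ihl;
    size_t trem = tot - ihl;
    if (trem < 20) return -5;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;        /* data offset in bytes, >= 20 */
    if (doff < 20 || doff > trem) return -5;
    out->src_port = be16(tcp);
    out->dst_port = be16(tcp + 2);
    out->payload = tcp + doff;
    out->payload_len = trem - doff;
    return 0;
}

/* Constructed frame (not a real capture): Ethernet / IPv4 192.168.1.10 -> 93.184.216.34 /
 * TCP 50000 -> 80 / 16-byte payload. Checksums are zero; demux_tcp() does not verify them. */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00, 0x00,0x38, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00,       /* IPv4: IHL 5, len 56, TTL 64, proto 6 */
    0xc0,0xa8,0x01,0x0a, 0x5d,0xb8,0xd8,0x22,                               /* src, dst */
    0xc3,0x50, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,         /* TCP: ports, seq, ack */
    0x50,0x18, 0x20,0x00, 0x00,0x00, 0x00,0x00,                             /* doff 5, PSH|ACK, window, csum, urg */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n',
};
const size_t sample_frame_len = sizeof sample_frame;

int main(void)
{
    tcp_flow_t f;
    int rc = demux_tcp(sample_frame, sample_frame_len, &f);
    if (rc != 0) { printf("demux failed: %d\n", rc); return 1; }
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u payload=%zu bytes\n",
           f.src_ip >> 24, (f.src_ip >> 16) & 0xff, (f.src_ip >> 8) & 0xff, f.src_ip & 0xff, f.src_port,
           f.dst_ip >> 24, (f.dst_ip >> 16) & 0xff, (f.dst_ip >> 8) & 0xff, f.dst_ip & 0xff, f.dst_port,
           f.payload_len);
    /* Same frame with caplen 40 (as a snaplen of 40 would deliver it): the TCP header is gone */
    printf("truncated to 40 bytes -> %d\n", demux_tcp(sample_frame, 40, &f));
    return 0;
}
```

In a pcap_loop() callback the arguments are simply `bytes` and `h->caplen`; using `h->len` there is the classic over-read, since len describes the packet on the wire, not the bytes in memory.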
Packet Read Related APIs
- const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
  - reads the next packet, fills h (timestamp, caplen, len) and returns a pointer to the packet data
  - a NULL return value indicates an error, but NULL is also returned when the read timeout expires with no packet and at the end of a savefile, so the cases cannot be told apart; pcap_next_ex() returns a distinct status code for each
  - references: pcap_next.c, timestamp.c
- int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
  - processes packets from a live capture or "savefile" until cnt packets are processed
  - a value of -1 or 0 for cnt is equivalent to infinity
  - callback specifies the routine called for each packet: void callback(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes); the user pointer is passed through unchanged, which is how per-capture state reaches the callback
  - returns 0 when cnt is exhausted (or the savefile ends), -1 (PCAP_ERROR) on error, and -2 (PCAP_ERROR_BREAK) if pcap_breakloop() ended the loop
Filtering Related APIs
- int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)
  - compiles str into a BPF filter program stored in fp
  - str: filter string in tcpdump syntax, e.g. "tcp port 80"
  - optimize: 1, optimization of the resulting code is performed
  - netmask: netmask of the network on which packets are being captured (from pcap_lookupnet()); it is only needed to evaluate broadcast tests in the filter
  - returns 0 on success and -1 on failure; pcap_geterr(p) gives the reason
- int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
  - installs the compiled filter program on the capture descriptor, so unwanted packets are discarded (in the kernel where the platform supports it) before reaching the program
  - a return value of -1 indicates an error
  - after installation the program can be released with pcap_freecode(fp)
  - reference: pcap_filter.c
Example #2
 http://dpnm.postech.ac.kr/cs702/pcap_example/pcap_example.c
 http://dpnm.postech.ac.kr/cs702/pcap_example/readfile.c
 http://dpnm.postech.ac.kr/cs702/pcap_example/savedump.c
Software based on Libpcap
- ntop - network top
  - a network traffic probe that shows network usage
  - sorts network traffic according to many protocols
  - http://www.ntop.org/overview.html
- snort
  - intrusion detection and prevention system
  - sniffs every packet and separates normal traffic from intrusions by matching against rules
  - http://www.snort.org/
- ethereal / wireshark
  - network protocol analyzer (Ethereal was renamed Wireshark in 2006)
  - http://www.ethereal.com/
  - http://www.wireshark.org/
Reference
- TCPDump
  - http://www.tcpdump.org/pcap.html
- The Sniffer's Guide to Raw Traffic
  - http://yuba.stanford.edu/~casado/pcap/section1.html