Transcript pcap

James Won-Ki Hong
Department of Computer Science and Engineering
POSTECH, Korea
[email protected]
POSTECH
CSED702D: Internet Traffic Monitoring and Analysis
1/17
Outline
 Introduction
 Basic Concept of Packet Capturing
 Programming with Libpcap
 Libpcap based Software
 Installation of Libpcap
Introduction
 Libpcap: Portable Packet Capturing Library
 Operating system independent
 Provides general-purpose APIs
 Simple and powerful user-level library
 Compatible with Unix-like systems
 Many commercial IDS systems utilize Libpcap to analyze packet data
 Representative Programs Relying on Libpcap
 TCPDump, SAINT, etc.
 Other Packet Capturing Tools
 SOCK_PACKET, LSF, SNOOP, SINT, etc.
 Operating system dependent
Basic Concept of Packet Capturing
 Packet Capturing
 Packet capturing (sniffing) does not affect the data transfer being observed
 The packet captured by libpcap is called a raw packet; demultiplexing (decoding the Ethernet, IP and TCP/UDP headers in turn) is required to analyze it
Libpcap File Format
 File Extension
 Normally has the “.pcap” file extension
 File Format
 General libpcap file format
• Contains a global header followed by zero or more records, one for each captured packet:
  Global Header | Packet Header | Packet Data | Packet Header | Packet Data | Packet Header | Packet Data | …
• A captured packet in a capture file does not necessarily contain all of the packet's data
• A capture file might contain at most the first N bytes of each packet (N is the snapshot length, snaplen)
 Global Header
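The file layout above (global header, then a per-packet record header followed by at most snaplen bytes of data), as an added parser example that is not from the slides: it reads an in-memory .pcap image, takes the byte order from the magic number, and bounds every record by snaplen and by the bytes actually left, so a malformed capture cannot make the reader run past its buffer. The sample bytes are constructed here, and the names pcap_parse_global, pcap_next_record and pcap_count_records are this example's own, not libpcap's.

```c
#include <stddef.h>
#include <stdint.h>
#define PCAP_MAGIC_US 0xa1b2c3d4u   /* microsecond timestamps */
#define PCAP_MAGIC_NS 0xa1b23c4du   /* nanosecond timestamps */
struct pcap_global { int bigendian, nanosec; uint32_t snaplen, linktype; };
struct pcap_record { uint32_t ts_sec, ts_frac, caplen, len; const uint8_t *data; int truncated; };
/* Read an n-byte field in the byte order the magic number announced, independent of host endianness. */
static uint32_t rd(const uint8_t *p, int n, int be) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint32_t)p[be ? i : n - 1 - i] << (8 * (n - 1 - i));
    return v;
}
/* Parse the 24-byte global header. Returns 0 on success, -1 on short input or unknown magic. */
int pcap_parse_global(const uint8_t *buf, size_t n, struct pcap_global *g) {
    if (n < 24) return -1;
    for (int be = 0; be <= 1; be++) {               /* the magic reveals the writer's byte order */
        uint32_t magic = rd(buf, 4, be);
        if (magic != PCAP_MAGIC_US && magic != PCAP_MAGIC_NS) continue;
        g->bigendian = be;                   g->nanosec  = (magic == PCAP_MAGIC_NS);
        g->snaplen   = rd(buf + 16, 4, be);  g->linktype = rd(buf + 20, 4, be); /* version/thiszone/sigfigs skipped */
        return 0;
    }
    return -1;
}
/* Parse the record at *off and advance past it: 1 = record, 0 = end of file, -1 = malformed. caplen is
 * checked against snaplen and against the bytes actually left, so a bad record cannot pull us past buf. */
int pcap_next_record(const uint8_t *buf, size_t n, size_t *off, const struct pcap_global *g, struct pcap_record *r) {
    if (*off >= n) return 0;
    if (n - *off < 16) return -1;
    const uint8_t *h = buf + *off;
    r->ts_sec = rd(h, 4, g->bigendian);     r->ts_frac = rd(h + 4, 4, g->bigendian);
    r->caplen = rd(h + 8, 4, g->bigendian); r->len     = rd(h + 12, 4, g->bigendian);
    if (r->caplen > g->snaplen || r->caplen > n - *off - 16) return -1;
    r->data = h + 16;  r->truncated = r->caplen < r->len;   /* only the first snaplen bytes were saved */
    *off += 16 + r->caplen;
    return 1;
}
/* Walk a whole capture; *truncated counts records cut at snaplen. Returns -1 on malformed input. */
int pcap_count_records(const uint8_t *buf, size_t n, int *truncated) {
    struct pcap_global g; struct pcap_record r; size_t off = 24; int count = 0, rc = 0;
    if (pcap_parse_global(buf, n, &g) < 0) return -1;
    for (*truncated = 0; (rc = pcap_next_record(buf, n, &off, &g, &r)) == 1; count++) *truncated += r.truncated;
    return rc < 0 ? -1 : count;
}
/* Constructed sample: little-endian global header (v2.4, snaplen 64, linktype 1 = Ethernet), then a 14-byte
 * frame saved whole and a 1514-byte frame of which only the first 16 bytes were captured (len > caplen). */
const uint8_t sample_pcap[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0x40,0,0,0, 0x01,0,0,0,
    0x01,0,0,0, 0,0,0,0, 0x0e,0,0,0, 0x0e,0,0,0, 0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x08,0x06,
    0x02,0,0,0, 0,0,0,0, 0x10,0,0,0, 0xea,0x05,0,0, 0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x08,0x00, 0x45,0x00,
};
```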
Device & Network Related APIs (1/2)
 Device & Network Lookup for a Single Device
 char *pcap_lookupdev(char *errbuf)
• Returns a pointer to a network device suitable for use with pcap_open_live() and pcap_lookupnet()
• A NULL return indicates an error
• Reference: lookupdev.c
 int pcap_lookupnet(const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
• Determines the network number and mask associated with the network device
• A return of -1 indicates an error
• Reference: lookupnet.c
Device & Network Related APIs (2/2)
 Device & Network Lookup for Multiple Devices
 int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
• Constructs a list of network devices that can be opened with pcap_create() and pcap_activate() or with pcap_open_live()
• alldevsp: list of network devices
• Returns 0 on success and -1 on failure
• The list of devices must be freed with pcap_freealldevs()
 Structure of pcap_if_t
• next: if not NULL, a pointer to the next element in the list
• name: a pointer to a string giving a name for the device to pass to pcap_open_live()
• description: if not NULL, a pointer to a string giving a human-readable description of the device
• addresses: a pointer to the first element of a list of addresses
• flags: interface flags - PCAP_IF_LOOPBACK is set if the interface is a loopback interface
Example of Device Lookup
Output:
DEV: eth0
NET: 192.168.xx.x
MASK: 255.255.xxx.xxx
Initializing Packet Capturing APIs
 Preparation of Packet Capturing
 File descriptor == Packet capture descriptor
 Packet capture descriptor: pcap_t *
 pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf)
• Parameters
• device: the device from which packets are captured
• snaplen: maximum number of bytes to capture per packet
• promisc: true, set the interface into promiscuous mode; false, only receive packets addressed to this host
• to_ms: read timeout in milliseconds; zero causes a read to wait forever until enough packets have arrived
• Return
• A packet capture descriptor used to look at packets on the network
• A NULL return indicates an error
 pcap_t *pcap_open_offline(const char *fname, char *errbuf)
• Opens a “savefile” for reading
• fname: the name of the file to open
• Returns a pcap_t * on success and NULL on failure
TCP, IP, Ethernet Structures (1/4)
 The Paths of the TCP, IP and Ethernet Header Definitions
 Ethernet header: /usr/include/linux/if_ether.h
 IP header: /usr/include/netinet/ip.h
 TCP header: /usr/include/netinet/tcp.h
 Packet Format
Ethernet Frame: | Ethernet Header (14 bytes) | IP Header (20 bytes) | TCP Header (20 bytes) | Application Data | Ethernet Trailer |
The Ethernet payload (IP header through application data) is 46 ~ 1500 bytes
ICMP header: 8 bytes
UDP header: 8 bytes
ARP header: 28 bytes
TCP, IP, Ethernet Structures (2/4)
 Ethernet Header
| Preamble + SFD (8 bytes) | DST. Address (6 bytes) | SRC. Address (6 bytes) | Type (2 bytes) | Payload (n bytes) | Frame Check (CRC) (4 bytes) |
TCP, IP, Ethernet Structures (3/4)
 IP Header (bit offset of each 32-bit row on the left; columns are bit positions within the row)
Bit Offset | 0~3     | 4~7           | 8~15        | 16~23                | 24~31
0          | Version | Header Length | TOS         | Total Packet Length
32         | Identifier                            | Flags | Fragment Offset
64         | Time to Live (TTL)    | Protocol ID   | Header Checksum
96         | Source IP Address
128        | Destination IP Address
160        | IP Header Options                                   | Padding
TCP, IP, Ethernet Structures (4/4)
 TCP Header (each row is 32 bits)
| source port #                          | dest port #              |
| sequence number                                                   |
| acknowledgement number                                            |
| head len | not used | U A P R S F       | rcvr window size         |
| checksum                               | ptr urgent data          |
| Options (variable length)                                         |
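Demultiplexing a raw packet through the Ethernet, IP and TCP layouts above (the step the Basic Concept slide calls for), as an added example that is not from the slides: it uses explicit byte offsets rather than the kernel header structs listed on the first structures slide, so it compiles anywhere, and it checks every header length against caplen, so a frame cut short by snaplen is reported instead of being read past. The sample frame and the names demux_frame and pkt_info are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_HLEN 14            /* what libpcap delivers: dst(6) src(6) type(2); preamble and CRC are stripped */
#define ETHERTYPE_IPV4 0x0800
#define IPPROTO_TCP_NUM 6
struct pkt_info { uint16_t ethertype, src_port, dst_port; uint8_t ip_proto, ip_hlen, tcp_flags;
                  uint32_t src_ip, dst_ip; const uint8_t *payload; size_t payload_len; };
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Walk Ethernet -> IPv4 -> TCP over the caplen bytes libpcap actually handed us. Returns 0 when the TCP
 * header was fully parsed, 1 if the frame is not IPv4, 2 if the datagram is not TCP, and -1 if a header
 * is malformed or was cut off by snaplen. Checksums are not verified here. */
int demux_frame(const uint8_t *frame, size_t caplen, struct pkt_info *out) {
    memset(out, 0, sizeof *out);
    if (caplen < ETH_HLEN) return -1;
    out->ethertype = be16(frame + 12);
    if (out->ethertype != ETHERTYPE_IPV4) return 1;            /* e.g. ARP, 0x0806 */
    const uint8_t *ip = frame + ETH_HLEN; size_t iplen = caplen - ETH_HLEN;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1;
    out->ip_hlen = (ip[0] & 0x0f) * 4;                          /* Header Length in 32-bit words -> bytes, 20..60 */
    size_t total = be16(ip + 2);                                /* Total Packet Length as claimed by the header */
    if (out->ip_hlen < 20 || total < out->ip_hlen || out->ip_hlen > iplen) return -1;
    if (total > iplen) total = iplen;                           /* never trust a length beyond the captured bytes */
    out->ip_proto = ip[9]; out->src_ip = be32(ip + 12); out->dst_ip = be32(ip + 16);
    if (out->ip_proto != IPPROTO_TCP_NUM) return 2;             /* e.g. UDP 17, ICMP 1 */
    const uint8_t *tcp = ip + out->ip_hlen; size_t tcplen = total - out->ip_hlen;
    if (tcplen < 20) return -1;
    size_t doff = (tcp[12] >> 4) * 4;                           /* "head len" field, 20..60 bytes */
    if (doff < 20 || doff > tcplen) return -1;
    out->src_port = be16(tcp); out->dst_port = be16(tcp + 2); out->tcp_flags = tcp[13]; /* U A P R S F bits */
    out->payload = tcp + doff; out->payload_len = tcplen - doff;
    return 0;
}

/* Constructed frame: Ethernet / IPv4 / TCP SYN from 10.0.0.1:40000 to 10.0.0.2:80 carrying 4 payload bytes. */
const uint8_t sample_frame[] = {
    0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,                                                  /* Ethernet */
    0x45,0x00, 0x00,0x2c, 0x12,0x34, 0x40,0x00, 0x40,0x06, 0x00,0x00, 10,0,0,1, 10,0,0,2,   /* IP, total len 44 */
    0x9c,0x40, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00,    /* TCP SYN */
    'G','E','T',' ',
};
```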
Packet Read Related APIs
 Reading Packets in a Loop
 const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
• Reads the next packet
• A NULL return indicates an error
• Reference: pcap_next.c, timestamp.c
 int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
• Processes packets from a live capture or “savefile” until cnt packets are processed
• A value of -1 or 0 for cnt is equivalent to infinity
• callback specifies the routine to be called for each packet
Filtering Related APIs
 Filter
 int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)
• Compiles str into a filter program
• str: filter string
• optimize: 1, optimization of the resulting code is performed
• netmask: the netmask of the network on which packets are being captured
• Returns 0 on success and -1 on failure
 int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
• Specifies a filter program (after compiling the filter)
• A return of -1 indicates an error
• Reference: pcap_filter.c
 Sample Source
 http://dpnm.postech.ac.kr/cs702/src/test.c
 http://dpnm.postech.ac.kr/cs702/src/readfile.c
How to Compile a Libpcap Program?
 Two Parameters
 Library to link (e.g., -lpcap)
 Compilation flags (e.g., -I/usr/include/pcap)
 Automate the Compilation
 Shell Scripting
• Create compile.sh, make it executable, put the following in it, and run ./compile.sh
    gcc -o test test.c -I/usr/include/pcap -lpcap
 Makefile
• Create a Makefile with the following contents and run make from the CLI (recipe lines must start with a tab)
    CC=gcc
    LIBS=-lpcap
    CFLAGS=-I/usr/include/pcap
    OBJ=test.o
    TARGET=test
    all: $(TARGET)
    $(TARGET): $(TARGET).c
    	$(CC) -o $(TARGET) $(TARGET).c $(CFLAGS) $(LIBS)
    clean:
    	$(RM) $(TARGET)
Libpcap based Software
 Libpcap based Software
 ntop - network top
• A network traffic probe that shows the network usage
• Sorts network traffic according to many protocols
• http://www.ntop.org/overview.html
 snort
• Intrusion prevention and detection system
• Sniffs every packet and distinguishes normal traffic from intrusions by matching it against rules
• http://www.snort.org/
 ethereal
• Network protocol analyzer
• http://www.ethereal.com/
 Wireshark
• A free and open-source packet analyzer
• Originally named Ethereal; renamed Wireshark in May 2006 due to trademark issues
• http://www.wireshark.org/
Q&A