POSTECH 1/17CSED702D: Internet Traffic Monitoring and Analysis

Internet Traffic Monitoring and Analysis:

Programming using Libpcap

James Won-Ki Hong

Department of Computer Science and Engineering

POSTECH, Korea

jwkhong@postech.ac.kr

POSTECH 2/17CSED702D: Internet Traffic Monitoring and Analysis

Outline

Introduction Basic Concept of Packet Capturing Programming with Libpcap Libpcap based Software Installation of Libpcap

POSTECH 3/17CSED702D: Internet Traffic Monitoring and Analysis

Introduction

Libpcap: Portable Packet Capturing Library Operating system independent Provide general-purpose APIs Simple and powerful user-level library Compatible with Unix like system Many of commercial IDS systems utilize Libpcap to analyze packet

data

Representative Programs Rely on Libpcap TCPDump, SAINT and etc.

Other Packet Capturing Tools SOCK_PACKET, LSF, SNOOP, SINT and etc. Operating system dependent

POSTECH 4/17CSED702D: Internet Traffic Monitoring and Analysis

Basic Concept of Packet Capturing

Packet Capturing Packet capturing (sniffing) does not affects to data transfer The packet captured by libpcap is called raw packet and de-multi-

plexing is required to analyze the packet

POSTECH 5/17CSED702D: Internet Traffic Monitoring and Analysis

Libpcap File Format

File Extension Normally has “.pcap” file extension

File Format General libpcap file format

• Contains some global information followed by zero or more records for each packet

• A captured packet in a capture file does not necessarily contain all the data• A captured file might contain at most first N bytes of each packet

Global Header

Global Header

Packet Header

Packet DataPacket Header

Packet DataPacket Header

Packet Data …

POSTECH 6/17CSED702D: Internet Traffic Monitoring and Analysis

Device & Network Related APIs (1/2)

Device & Network Lookup for Single Device char *pcap_lookupdev(char *errbuf)

• Return a pointer to a network device suitable for use with pcap_open_live() and pcap_lookupnet()

• Return NULL indicates an error • Reference: lookupdev.c

int pcap_lookupnet(const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)• Determine the network number and mask associated with the network device• Return -1 indicates an error• Reference: lookupnet.c

POSTECH 7/17CSED702D: Internet Traffic Monitoring and Analysis

Device & Network Related APIs (2/2)

Device & Network Lookup for Multiple Devices int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)• Constructs a list of network devices that can be opened with pcap_create() and

pcap_activate() or with pcap_open_live()• alldevsp: list of network devides • Returns 0 on success and -1 on failure.• The list of devices must be freed with pcap_freealldevs()

Structure of pcap_if_t• next: if not NULL, a pointer to the next element in the list • name: a pointer to a string giving a name for the device to pass to

pcap_open_live()• description: if not NULL, a pointer to a string giving a human-read- able descrip-

tion of the device • addresses: a pointer to the first element of a list of addresses • flags: interface flags - PCAP_IF_LOOPBACK set if the interface is a loopback in-

terface

POSTECH 8/17CSED702D: Internet Traffic Monitoring and Analysis

Example of Device Loopup

Output:

DEV: eth0

NET: 192.168.xx.x

MASK: 255.255.xxx.xxx

POSTECH 9/17CSED702D: Internet Traffic Monitoring and Analysis

Initializing Packet Capturing APIs

Preparation of Packet Capturing File descriptor == Packet capture descriptor Packet capture descriptor: pcap_t * pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf)• Parameters

• device: the device in which the packets are captured from

• snaplen: maximum number of bytes to capture

• promisc: true, set the interface into promiscuous mode; false, only bring packets intended for you

• to_ms: read timeout in milliseconds; zero, cause a read to wait forever to allow enough packets to arrive

• Return• A packet capture descriptor to look at packets on the network

• Return NULL indicates an error

pcap_t *pcap_open_offline(const char *fname, char *errbuf) • open a “savefile” for reading• fname: the name of the file to open• return a pcap_t * on success and NULL on failure

POSTECH 10/17CSED702D: Internet Traffic Monitoring and Analysis

TCP, IP, Ethernet Structures (1/4)

The path of TCP, IP and Ethernet Header Ethernet header: /usr/include/linux/if_ether.h IP header: /usr/include/netinet/ip.h TCP header: /usr/include/netinet/tcp.h

Packet Format

Ethernet

Trailer

14 bytes

Ethernet Frame

IP Header TCP HeaderApplication

Data

20 bytes 20 bytes

46 ~ 1500 bytes

Ethernet

Header

ICMP header : 8 byteUDP header : 8 byteARP header : 28 byte

POSTECH 11/17CSED702D: Internet Traffic Monitoring and Analysis

TCP, IP, Ethernet Structures (2/4)

Ethernet Header

PreambleDST. Ad-

dressSRC. Ad-

dressType Payload

Frame Check (CRC)

8 bytes 6 bytes 6 bytes 2 bytes n bytes 4 bytes

SFD

Ethernet Header

POSTECH 12/17CSED702D: Internet Traffic Monitoring and Analysis

TCP, IP, Ethernet Structures (3/4)

IP Header

Bit Offset 0 ~ 3 4 ~ 7 8 ~ 15 16 ~ 23 24 ~ 31

0 Version Header Length TOS Total Packet Length

32 Identifier Flags Fragment Offset

64 Time to Live (TTL) Protocol ID Header Checksum

96 Source IP Address

128 Destination IP Address

160 IP Header Options Padding

POSTECH 13/17CSED702D: Internet Traffic Monitoring and Analysis

TCP, IP, Ethernet Structures (4/4)

source port # dest port #

32 bits

sequence number

acknowledgement number

rcvr window size

ptr urgent datachecksum

FSRPAUheadlen

notused

Options (variable length)

TCP Header

POSTECH 14/17CSED702D: Internet Traffic Monitoring and Analysis

Packet Read Related APIs

Read Packet in Loop Manner const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)• Read the next packet • Return NULL indicates an error• pcap_next.c• timestamp.c

int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user) • Processes packets from a live capture or “savefile‘” until cnt packets are

processed• A value of -1 or 0 for cnt is equivalent to infinity• callback specifies a routine to be called

POSTECH 15/17CSED702D: Internet Traffic Monitoring and Analysis

Filtering Related APIs

Filter int pcap_compile(pcap_t *p,struct bpf_program *fp, char *str,int optimize, bpf_u_int32 netmask)• Compile the str into a filter program • str: filter string• optimize: 1, optimization on the resulting code is performed• netmask: specify network on which packets are being captured• Returns 0 on success and -1 on failure

int pcap_setfilter(pcap_t *p,struct bpf_program *fp)• Specify a filter program (after compiling filter)• Return -1 indicates an error• pcap_filter.c

Sample Source http://dpnm.postech.ac.kr/cs702/src/test.c http://dpnm.postech.ac.kr/cs702/src/readfile.c

POSTECH 16/17CSED702D: Internet Traffic Monitoring and Analysis

How to Compile Libpcap Program?

Two Parameters Library path (e.g., -lpcap) Compilation flags (-I/usr/include.pcap)

Automate the Compilation Shell Scripting

• Create a compile.sh in executable mode, put follows and execute compile.sh gcc -o test test.c –lpcap -I/usr/include.pcap

Makefile• Create a Makefile, put follows and run make through CLI

CC=gccLIBS=-lpcapCFLAGS=-I/usr/include.pcapOBJ=test.oTARGET = testall: $(TARGET)$(TARGET): $(TARGET).c $(CC) -o $(TARGET) $(TARGET).c $(LIBS) $(CFLAGS)clean: $(RM) $(TARGET)

POSTECH 17/17CSED702D: Internet Traffic Monitoring and Analysis

Libpcap based Software

Libpcap based Software ntop - network top

• A network traffic probe that shows the network usage• Sort network traffic according to many protocols• http://www.ntop.org/overview.html

snort• Intrusion prevention and detection system• Sniff every packet and differentiate general and intrusion by against rules• http://www.snort.org/

ethereal• Network protocol analyzer• http://www.ethereal.com/

Wireshark• A free and open-source packet analyzer• Originally named Ethereal, after renamed as wireshark in May 2006, due to

trademark issues• http://www.wireshark.org/

POSTECH 18/17CSED702D: Internet Traffic Monitoring and Analysis

Q&A