postech 1/17 csed702d: internet traffic monitoring and analysis james won-ki hong department of...
TRANSCRIPT
POSTECH 1/17CSED702D: Internet Traffic Monitoring and Analysis
Internet Traffic Monitoring and Analysis:
Programming using Libpcap
James Won-Ki Hong
Department of Computer Science and Engineering
POSTECH, Korea
POSTECH 2/17CSED702D: Internet Traffic Monitoring and Analysis
Outline
Introduction Basic Concept of Packet Capturing Programming with Libpcap Libpcap based Software Installation of Libpcap
POSTECH 3/17CSED702D: Internet Traffic Monitoring and Analysis
Introduction
Libpcap: Portable Packet Capturing Library Operating system independent Provide general-purpose APIs Simple and powerful user-level library Compatible with Unix like system Many of commercial IDS systems utilize Libpcap to analyze packet
data
Representative Programs Rely on Libpcap TCPDump, SAINT and etc.
Other Packet Capturing Tools SOCK_PACKET, LSF, SNOOP, SINT and etc. Operating system dependent
POSTECH 4/17CSED702D: Internet Traffic Monitoring and Analysis
Basic Concept of Packet Capturing
Packet Capturing Packet capturing (sniffing) does not affects to data transfer The packet captured by libpcap is called raw packet and de-multi-
plexing is required to analyze the packet
POSTECH 5/17CSED702D: Internet Traffic Monitoring and Analysis
Libpcap File Format
File Extension Normally has “.pcap” file extension
File Format General libpcap file format
• Contains some global information followed by zero or more records for each packet
• A captured packet in a capture file does not necessarily contain all the data• A captured file might contain at most first N bytes of each packet
Global Header
Global Header
Packet Header
Packet DataPacket Header
Packet DataPacket Header
Packet Data …
POSTECH 6/17CSED702D: Internet Traffic Monitoring and Analysis
Device & Network Related APIs (1/2)
Device & Network Lookup for Single Device char *pcap_lookupdev(char *errbuf)
• Return a pointer to a network device suitable for use with pcap_open_live() and pcap_lookupnet()
• Return NULL indicates an error • Reference: lookupdev.c
int pcap_lookupnet(const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)• Determine the network number and mask associated with the network device• Return -1 indicates an error• Reference: lookupnet.c
POSTECH 7/17CSED702D: Internet Traffic Monitoring and Analysis
Device & Network Related APIs (2/2)
Device & Network Lookup for Multiple Devices int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)• Constructs a list of network devices that can be opened with pcap_create() and
pcap_activate() or with pcap_open_live()• alldevsp: list of network devides • Returns 0 on success and -1 on failure.• The list of devices must be freed with pcap_freealldevs()
Structure of pcap_if_t• next: if not NULL, a pointer to the next element in the list • name: a pointer to a string giving a name for the device to pass to
pcap_open_live()• description: if not NULL, a pointer to a string giving a human-read- able descrip-
tion of the device • addresses: a pointer to the first element of a list of addresses • flags: interface flags - PCAP_IF_LOOPBACK set if the interface is a loopback in-
terface
POSTECH 8/17CSED702D: Internet Traffic Monitoring and Analysis
Example of Device Loopup
Output:
DEV: eth0
NET: 192.168.xx.x
MASK: 255.255.xxx.xxx
POSTECH 9/17CSED702D: Internet Traffic Monitoring and Analysis
Initializing Packet Capturing APIs
Preparation of Packet Capturing File descriptor == Packet capture descriptor Packet capture descriptor: pcap_t * pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf)• Parameters
• device: the device in which the packets are captured from
• snaplen: maximum number of bytes to capture
• promisc: true, set the interface into promiscuous mode; false, only bring packets intended for you
• to_ms: read timeout in milliseconds; zero, cause a read to wait forever to allow enough packets to arrive
• Return• A packet capture descriptor to look at packets on the network
• Return NULL indicates an error
pcap_t *pcap_open_offline(const char *fname, char *errbuf) • open a “savefile” for reading• fname: the name of the file to open• return a pcap_t * on success and NULL on failure
POSTECH 10/17CSED702D: Internet Traffic Monitoring and Analysis
TCP, IP, Ethernet Structures (1/4)
The path of TCP, IP and Ethernet Header Ethernet header: /usr/include/linux/if_ether.h IP header: /usr/include/netinet/ip.h TCP header: /usr/include/netinet/tcp.h
Packet Format
Ethernet
Trailer
14 bytes
Ethernet Frame
IP Header TCP HeaderApplication
Data
20 bytes 20 bytes
46 ~ 1500 bytes
Ethernet
Header
ICMP header : 8 byteUDP header : 8 byteARP header : 28 byte
POSTECH 11/17CSED702D: Internet Traffic Monitoring and Analysis
TCP, IP, Ethernet Structures (2/4)
Ethernet Header
PreambleDST. Ad-
dressSRC. Ad-
dressType Payload
Frame Check (CRC)
8 bytes 6 bytes 6 bytes 2 bytes n bytes 4 bytes
SFD
Ethernet Header
POSTECH 12/17CSED702D: Internet Traffic Monitoring and Analysis
TCP, IP, Ethernet Structures (3/4)
IP Header
Bit Offset 0 ~ 3 4 ~ 7 8 ~ 15 16 ~ 23 24 ~ 31
0 Version Header Length TOS Total Packet Length
32 Identifier Flags Fragment Offset
64 Time to Live (TTL) Protocol ID Header Checksum
96 Source IP Address
128 Destination IP Address
160 IP Header Options Padding
POSTECH 13/17CSED702D: Internet Traffic Monitoring and Analysis
TCP, IP, Ethernet Structures (4/4)
source port # dest port #
32 bits
sequence number
acknowledgement number
rcvr window size
ptr urgent datachecksum
FSRPAUheadlen
notused
Options (variable length)
TCP Header
POSTECH 14/17CSED702D: Internet Traffic Monitoring and Analysis
Packet Read Related APIs
Read Packet in Loop Manner const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)• Read the next packet • Return NULL indicates an error• pcap_next.c• timestamp.c
int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user) • Processes packets from a live capture or “savefile‘” until cnt packets are
processed• A value of -1 or 0 for cnt is equivalent to infinity• callback specifies a routine to be called
POSTECH 15/17CSED702D: Internet Traffic Monitoring and Analysis
Filtering Related APIs
Filter int pcap_compile(pcap_t *p,struct bpf_program *fp, char *str,int optimize, bpf_u_int32 netmask)• Compile the str into a filter program • str: filter string• optimize: 1, optimization on the resulting code is performed• netmask: specify network on which packets are being captured• Returns 0 on success and -1 on failure
int pcap_setfilter(pcap_t *p,struct bpf_program *fp)• Specify a filter program (after compiling filter)• Return -1 indicates an error• pcap_filter.c
Sample Source http://dpnm.postech.ac.kr/cs702/src/test.c http://dpnm.postech.ac.kr/cs702/src/readfile.c
POSTECH 16/17CSED702D: Internet Traffic Monitoring and Analysis
How to Compile Libpcap Program?
Two Parameters Library path (e.g., -lpcap) Compilation flags (-I/usr/include.pcap)
Automate the Compilation Shell Scripting
• Create a compile.sh in executable mode, put follows and execute compile.sh gcc -o test test.c –lpcap -I/usr/include.pcap
Makefile• Create a Makefile, put follows and run make through CLI
CC=gccLIBS=-lpcapCFLAGS=-I/usr/include.pcapOBJ=test.oTARGET = testall: $(TARGET)$(TARGET): $(TARGET).c $(CC) -o $(TARGET) $(TARGET).c $(LIBS) $(CFLAGS)clean: $(RM) $(TARGET)
POSTECH 17/17CSED702D: Internet Traffic Monitoring and Analysis
Libpcap based Software
Libpcap based Software ntop - network top
• A network traffic probe that shows the network usage• Sort network traffic according to many protocols• http://www.ntop.org/overview.html
snort• Intrusion prevention and detection system• Sniff every packet and differentiate general and intrusion by against rules• http://www.snort.org/
ethereal• Network protocol analyzer• http://www.ethereal.com/
Wireshark• A free and open-source packet analyzer• Originally named Ethereal, after renamed as wireshark in May 2006, due to
trademark issues• http://www.wireshark.org/
POSTECH 18/17CSED702D: Internet Traffic Monitoring and Analysis
Q&A