Network Sniffer
Mid-Semester Presentation, Spring 2005
Students: Gilad Goldman, Lior Kamran
Supervisor: Mony Orbach
Motivation
The increase in bandwidth of today's networks requires a fast mechanism to monitor traffic and detect possible attacks. The purpose of this project is to develop a fast, hardware-based monitoring device that intercepts packets according to given criteria.
Possible Applications
Intrusion Detection Systems (IDS)
Surveillance
Network traffic analysis
Project Goal
HW/SW filtering of network packets
Basic functionality – filter packets according to header fields:
–Protocol (ICMP, TCP, ARP...)
–Source/destination address (IP)
–Source/destination ports (TCP)
–Header flags (SYN, ACK…)
Advanced filtering:
–Application-specific data monitoring
Block Diagram – System
Components: Network, NIC, DMA Controller, RAM (DMA buffer), FPGA (Filter IP), Driver and Control App running on Montavista™ Linux.
Flow shown in the diagram:
–NIC: DMA transaction of the received packet into the DMA buffer in RAM
–Driver (on NIC interrupt): notify FPGA; allocate new buffer for future DMA transactions
–Filter IP: examine received packets and store relevant packet contents; interrupt
–Control App: advanced filtering – further processing of packets & output generation
System setup
NIC configuration (managed by driver)
–Set promiscuous mode operation
–Set up the DMA controller with appropriate buffers; define buffer length etc.
–Modify the interrupt handler to notify the FPGA
Define Filter IP core parameters (managed by Control App)
IP core operation
–The driver signals the core, passing the address of the DMA buffer
–The core extracts the packet from the buffer and starts the filter procedure
–If the packet is found relevant, its contents are put into a designated memory buffer
–The core informs the control app about the location and number of the filtered packets
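As an added example (not the project's VHDL or driver code), the following C model shows the basic header-field filter from the Project Goal slide applied inside the filter procedure above: a frame is tested against protocol, destination IP, TCP destination port and TCP flag criteria, and truncated or non-IPv4 frames are rejected rather than treated as relevant. The filter struct, function names and the 54-byte frame are constructed for illustration.

```c
/* Added example (not the project's VHDL or driver code): a C model of the
 * basic header-field filter. The frame below is constructed, not captured. */
#include <stddef.h>
#include <stdint.h>
#define ETH_HDR_LEN 14
#define ETHERTYPE_IPV4 0x0800
#define PROTO_TCP 6
#define TCP_SYN 0x02
struct filter {
    uint8_t  proto;     /* IP protocol number to match, 0 = any */
    uint32_t dst_ip;    /* destination IPv4 (host order), 0 = any */
    uint16_t dst_port;  /* TCP destination port, 0 = any */
    uint8_t  tcp_flags; /* TCP flags that must all be set, 0 = any */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }
/* Returns 1 if the frame matches every set criterion, else 0. Truncated,
 * non-IPv4 or non-TCP frames never match, so a malformed packet is never
 * copied into the "relevant contents" buffer by accident. */
int frame_matches(const uint8_t *f, size_t len, const struct filter *flt)
{
    if (len < ETH_HDR_LEN + 20 || be16(f + 12) != ETHERTYPE_IPV4) return 0;
    const uint8_t *ip = f + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                /* IP header length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HDR_LEN + ihl) return 0;
    if (flt->proto && ip[9] != flt->proto) return 0;        /* protocol field */
    if (flt->dst_ip && be32(ip + 16) != flt->dst_ip) return 0;
    if (flt->dst_port || flt->tcp_flags) {                  /* TCP-level criteria */
        if (ip[9] != PROTO_TCP || len < ETH_HDR_LEN + ihl + 20) return 0;
        const uint8_t *tcp = ip + ihl;
        if (flt->dst_port && be16(tcp + 2) != flt->dst_port) return 0;
        if ((tcp[13] & flt->tcp_flags) != flt->tcp_flags) return 0;
    }
    return 1;
}
/* Constructed frame: 10.0.0.1:12345 -> 10.0.0.2:80, TCP SYN, no payload. */
const uint8_t sample_syn_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x30,0x39,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00 };

/* Example criterion (constructed): TCP SYN to 10.0.0.2 port 80 -> returns 1. */
int sample_is_http_syn(void)
{
    struct filter flt = { PROTO_TCP, 0x0a000002u, 80, TCP_SYN };
    return frame_matches(sample_syn_frame, sizeof sample_syn_frame, &flt);
}
```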
Block Diagram – Control Application
Modules: FPGA Controller (to FPGA, to RAM), Advanced filtering module, Application interface (to user), Output file generator
Output file generator: produces an output file according to user-specified criteria
Block Diagram – Filter core
FPGA blocks: Application interface, Filter Logic, IPIF
Bus-side blocks: OPB Master/Slave interface, DMA interface, Interrupt Controller
IP interface – IPIF
The IPIF defines the interface of the core to the RAM and control application:
–DMA transactions
–Interrupt handling
–Parameter configuration space
ML310 bus connections
Current achievements
Got familiar with:
–Network protocols
–Virtex II Pro and EDK
–Montavista™ Linux development environment
–VHDL development process and tools
Schedule (milestones: 7/6/05, 15/8/05, 15/9/05)
Set up a proper Linux kernel to support the NIC (26/6 – 22/7: exams)
Driver modification
–Configure the NIC to operate in promiscuous mode (1 week)
–DMA configuration (set buffer address, size etc.) (1 week)
–Add FPGA notification code to the interrupt handler (speedo_rx) (1 week)
–Compile and load the modified driver into the kernel (as a module)
Implement a basic IP core to access RAM and communicate with the control app
–Include IPIF interrupt control and DMA support modules (1 week)
–Write a simple filter logic (1 week)
–Interface logic with IPIC (2 weeks)
First semester objective
Develop an application to test overall system operation and performance
–Packet reception
–Basic filter IP core
–Interaction between IP core, RAM and application
Next semester
Implement a full-fledged hardware filter
Design & implement the software application to orchestrate the entire process
Optional: develop a web-based GUI to present the output to the user and allow remote configuration of the application (filter criteria etc.)
Questions?