POSTECH 1/17 CSED702D: Internet Traffic Monitoring and Analysis James Won-Ki Hong Department of Computer Science and Engineering POSTECH, Korea
POSTECH 2/17 CSED702D: Internet Traffic Monitoring and Analysis
Outline
 Introduction
 Basic Concept of Packet Capturing
 Programming with Libpcap
 Libpcap based Software
 Installation of Libpcap

POSTECH 3/17 CSED702D: Internet Traffic Monitoring and Analysis
Introduction
 Libpcap: Portable Packet Capturing Library
   Operating system independent
   Provides general-purpose APIs
   Simple and powerful user-level library
   Compatible with Unix-like systems
   Many commercial IDS systems use Libpcap to analyze packet data
 Representative Programs That Rely on Libpcap
   TCPDump, SAINT, etc.
 Other Packet Capturing Tools
   SOCK_PACKET, LSF, SNOOP, SINT, etc.
   Operating system dependent

POSTECH 4/17 CSED702D: Internet Traffic Monitoring and Analysis
Basic Concept of Packet Capturing
 Packet Capturing
   Packet capturing (sniffing) does not affect the data transfer
   The packet captured by libpcap is called a raw packet, and demultiplexing (walking the Ethernet, IP and transport headers) is required to analyze the packet

POSTECH 5/17 CSED702D: Internet Traffic Monitoring and Analysis
Libpcap File Format
 File Extension
   Normally has the ".pcap" file extension
 File Format
   General libpcap file format: some global information followed by zero or more records, one per captured packet
   A captured packet in a capture file does not necessarily contain all of the packet's data
   A capture file might contain at most the first N bytes of each packet
 Layout
   Global Header | Packet Header | Packet Data | Packet Header | Packet Data | Packet Header | Packet Data | ...
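As an added example (not code from the lecture slides), the following C program walks the layout above by hand: a 24-byte global header (magic, version, timezone, sigfigs, snaplen, link type) followed by 16-byte per-packet headers (timestamp, captured length, original length) and the captured bytes. The embedded savefile is constructed for the example; its second record is shorter than the original packet, which is exactly the "at most the first N bytes" case, and the parser refuses records whose captured length exceeds the snaplen or the remaining file.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed little-endian savefile: magic 0xa1b2c3d4, version 2.4, snaplen 8,
 * link type 1 (Ethernet), then two records of 8 captured bytes each.
 * Record 1 is complete (orig_len 8); record 2 was cut by snaplen (orig_len 60). */
static const uint8_t SAMPLE_PCAP[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00,        /* magic, major 2, minor 4 */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,         /* thiszone, sigfigs */
    0x08,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,         /* snaplen 8, linktype 1 */
    /* record 1: ts_sec 1, ts_usec 0, incl_len 8, orig_len 8 */
    0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x08,0x00,0x00,0x00, 0x08,0x00,0x00,0x00,
    0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00,0x11,
    /* record 2: ts_sec 2, ts_usec 500, incl_len 8, orig_len 60 (truncated) */
    0x02,0x00,0x00,0x00, 0xf4,0x01,0x00,0x00, 0x08,0x00,0x00,0x00, 0x3c,0x00,0x00,0x00,
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
};

struct pcap_stats { uint32_t snaplen, linktype; int packets, truncated; };

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the savefile. Returns 0 on success, -1 on bad magic (a byte-swapped magic
 * 0xd4c3b2a1 means a big-endian writer and is also rejected here), short file,
 * or a record whose captured length is larger than snaplen or the remaining bytes. */
int parse_pcap(const uint8_t *buf, size_t len, struct pcap_stats *st)
{
    if (len < 24 || le32(buf) != 0xa1b2c3d4u) return -1;
    st->snaplen = le32(buf + 16);
    st->linktype = le32(buf + 20);
    st->packets = st->truncated = 0;
    size_t off = 24;
    while (off + 16 <= len) {
        uint32_t incl = le32(buf + off + 8), orig = le32(buf + off + 12);
        if (incl > st->snaplen || incl > len - off - 16) return -1;  /* corrupt record */
        if (incl < orig) st->truncated++;   /* only the first snaplen bytes were kept */
        st->packets++;
        off += 16 + incl;
    }
    return (off == len) ? 0 : -1;           /* trailing partial record is an error */
}

/* Parse the embedded sample and return how many records were truncated (-1 on error). */
int sample_truncated_count(void)
{
    struct pcap_stats st;
    return parse_pcap(SAMPLE_PCAP, sizeof SAMPLE_PCAP, &st) == 0 ? st.truncated : -1;
}
```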

POSTECH 6/17 CSED702D: Internet Traffic Monitoring and Analysis
Device & Network Related APIs (1/2)
 Device & Network Lookup for a Single Device
   char *pcap_lookupdev(char *errbuf)
     Returns a pointer to a network device suitable for use with pcap_open_live() and pcap_lookupnet()
     A NULL return indicates an error
     Reference: lookupdev.c
   int pcap_lookupnet(const char *device, bpf_u_int32 *netp, bpf_u_int32 *maskp, char *errbuf)
     Determines the network number and mask associated with the network device
     A return value of -1 indicates an error
     Reference: lookupnet.c

POSTECH 7/17 CSED702D: Internet Traffic Monitoring and Analysis
Device & Network Related APIs (2/2)
 Device & Network Lookup for Multiple Devices
   int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)
     Constructs a list of network devices that can be opened with pcap_create() and pcap_activate(), or with pcap_open_live()
     alldevsp: list of network devices
     Returns 0 on success and -1 on failure
     The list of devices must be freed with pcap_freealldevs()
 Structure of pcap_if_t
   next: if not NULL, a pointer to the next element in the list
   name: a pointer to a string giving a name for the device to pass to pcap_open_live()
   description: if not NULL, a pointer to a string giving a human-readable description of the device
   addresses: a pointer to the first element of a list of addresses
   flags: interface flags; PCAP_IF_LOOPBACK is set if the interface is a loopback interface

POSTECH 8/17 CSED702D: Internet Traffic Monitoring and Analysis
Example of Device Lookup
 Output:
   DEV: eth0
   NET: xx.x
   MASK: xxx.xxx

POSTECH 9/17 CSED702D: Internet Traffic Monitoring and Analysis
Initializing Packet Capturing APIs
 Preparation of Packet Capturing
   File descriptor == Packet capture descriptor
   Packet capture descriptor: pcap_t *
 pcap_t *pcap_open_live(const char *device, int snaplen, int promisc, int to_ms, char *errbuf)
   Parameters
     device: the device from which packets are captured
     snaplen: maximum number of bytes to capture per packet
     promisc: true sets the interface into promiscuous mode; false captures only packets addressed to this host
     to_ms: read timeout in milliseconds; zero causes a read to wait forever until enough packets arrive
   Return
     A packet capture descriptor used to look at packets on the network
     A NULL return indicates an error
 pcap_t *pcap_open_offline(const char *fname, char *errbuf)
   Opens a "savefile" for reading
   fname: the name of the file to open
   Returns a pcap_t * on success and NULL on failure

POSTECH 10/17 CSED702D: Internet Traffic Monitoring and Analysis
TCP, IP, Ethernet Structures (1/4)
 The Path of the TCP, IP and Ethernet Header Definitions
   Ethernet header: /usr/include/linux/if_ether.h
   IP header: /usr/include/netinet/ip.h
   TCP header: /usr/include/netinet/tcp.h
 Packet Format (Ethernet Frame)
   Ethernet Header (14 bytes) | IP Header (20 bytes) | TCP Header (20 bytes) | Application Data | Ethernet Trailer
   Ethernet payload (IP header through application data): 46 ~ 1500 bytes
   Other header sizes: ICMP header 8 bytes, UDP header 8 bytes, ARP header 28 bytes

POSTECH 11/17 CSED702D: Internet Traffic Monitoring and Analysis
TCP, IP, Ethernet Structures (2/4)
 Ethernet Header
   Preamble (8 bytes, ending with the SFD) | DST. Address (6 bytes) | SRC. Address (6 bytes) | Type (2 bytes) | Payload (n bytes) | Frame Check (CRC) (4 bytes)
   The Ethernet Header delivered to libpcap is DST. Address + SRC. Address + Type (14 bytes)

POSTECH 12/17 CSED702D: Internet Traffic Monitoring and Analysis
TCP, IP, Ethernet Structures (3/4)
 IP Header (bit offsets: 0 ~ 3 | 4 ~ 7 | 8 ~ 15 | 16 ~ 23 | 24 ~ 31)
   0:   Version | Header Length | TOS | Total Packet Length
   32:  Identifier | Flags | Fragment Offset
   64:  Time to Live (TTL) | Protocol ID | Header Checksum
   96:  Source IP Address
   128: Destination IP Address
   160: IP Header Options | Padding

POSTECH 13/17 CSED702D: Internet Traffic Monitoring and Analysis
TCP, IP, Ethernet Structures (4/4)
 TCP Header (32 bits per row)
   source port # | dest port #
   sequence number
   acknowledgement number
   head len | not used | U A P R S F | rcvr window size
   checksum | ptr urgent data
   Options (variable length)
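The demultiplexing the structure slides describe, as an added example that is not part of the lecture: instead of casting the buffer to the if_ether.h / ip.h / tcp.h structs, it reads the fields at the bit offsets shown above (Ethernet Type at byte 12, IP Header Length in the low nibble of byte 0, Protocol ID at byte 9, TCP head len in the high nibble of byte 12), and every length is checked against the captured length before it is used, which is what keeps a malformed or snaplen-truncated packet from reading past the buffer. The frame bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Fields demultiplexed from one Ethernet/IPv4/TCP frame (host byte order). */
struct tcp_info {
    uint16_t ethertype, src_port, dst_port;
    uint8_t  ip_hdr_len, protocol, flags;   /* flags: low 6 bits = U A P R S F */
    uint32_t src_ip, dst_ip;
    size_t   payload_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Walk the headers in the order libpcap delivers them: Ethernet (14 bytes), IPv4
 * (Header Length * 4 bytes), TCP (head len * 4 bytes). Returns 0 on success, -1 if the
 * frame is not IPv4/TCP or is shorter than the lengths its headers claim. */
int decode_tcp_frame(const uint8_t *pkt, size_t len, struct tcp_info *out)
{
    if (len < 14 + 20) return -1;                            /* no room for Ethernet + IP */
    out->ethertype = be16(pkt + 12);
    if (out->ethertype != 0x0800) return -1;                 /* not IPv4 */
    const uint8_t *ip = pkt + 14;
    if ((ip[0] >> 4) != 4) return -1;
    out->ip_hdr_len = (uint8_t)((ip[0] & 0x0f) * 4);
    uint16_t total_len = be16(ip + 2);
    if (out->ip_hdr_len < 20 || total_len < out->ip_hdr_len + 20 || 14 + total_len > len) return -1;
    out->protocol = ip[9];
    if (out->protocol != 6) return -1;                       /* not TCP */
    out->src_ip = be32(ip + 12);
    out->dst_ip = be32(ip + 16);
    const uint8_t *tcp = ip + out->ip_hdr_len;
    size_t tcp_hdr_len = (size_t)(tcp[12] >> 4) * 4;
    if (tcp_hdr_len < 20 || out->ip_hdr_len + tcp_hdr_len > total_len) return -1;
    out->src_port = be16(tcp);
    out->dst_port = be16(tcp + 2);
    out->flags = tcp[13] & 0x3f;
    out->payload_len = total_len - out->ip_hdr_len - tcp_hdr_len;
    return 0;
}

/* Constructed 54-byte frame: Ethernet + 20-byte IPv4 + 20-byte TCP SYN, 10.0.0.1:51234 -> 10.0.0.2:443, checksums zeroed. */
static const uint8_t SAMPLE_FRAME[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet */
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,                                  /* IPv4 */
    0xc8,0x22, 0x01,0xbb, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00,                                /* TCP */
};
```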

POSTECH 14/17 CSED702D: Internet Traffic Monitoring and Analysis
Packet Read Related APIs
 Read Packets in a Loop
   const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr *h)
     Reads the next packet
     A NULL return indicates an error
     Reference: pcap_next.c, timestamp.c
   int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
     Processes packets from a live capture or "savefile" until cnt packets are processed
     A value of -1 or 0 for cnt is equivalent to infinity
     callback specifies a routine to be called for each packet

POSTECH 15/17 CSED702D: Internet Traffic Monitoring and Analysis
Filtering Related APIs
 Filter
   int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)
     Compiles str into a filter program
     str: filter string
     optimize: 1 performs optimization on the resulting code
     netmask: specifies the network on which packets are being captured
     Returns 0 on success and -1 on failure
   int pcap_setfilter(pcap_t *p, struct bpf_program *fp)
     Specifies a filter program (after compiling the filter)
     A return value of -1 indicates an error
     Reference: pcap_filter.c
 Sample Source

POSTECH 16/17 CSED702D: Internet Traffic Monitoring and Analysis
How to Compile a Libpcap Program?
 Two Parameters
   Library to link (e.g., -lpcap)
   Compilation flags (-I/usr/include.pcap)
 Automate the Compilation
   Shell Scripting
     Create a compile.sh in executable mode, put the following in it and execute compile.sh
       gcc -o test test.c -lpcap -I/usr/include.pcap
   Makefile
     Create a Makefile, put the following in it and run make from the CLI (recipe lines must be indented with a tab)
       CC=gcc
       LIBS=-lpcap
       CFLAGS=-I/usr/include.pcap
       OBJ=test.o
       TARGET = test

       all: $(TARGET)

       $(TARGET): $(TARGET).c
       	$(CC) -o $(TARGET) $(TARGET).c $(LIBS) $(CFLAGS)

       clean:
       	$(RM) $(TARGET)

POSTECH 17/17 CSED702D: Internet Traffic Monitoring and Analysis
Libpcap based Software
 Libpcap based Software
   ntop - network top
     A network traffic probe that shows the network usage
     Sorts network traffic according to many protocols
   snort
     Intrusion prevention and detection system
     Sniffs every packet and distinguishes normal traffic from intrusions by matching against rules
   ethereal
     Network protocol analyzer
   Wireshark
     A free and open-source packet analyzer
     Originally named Ethereal; renamed Wireshark in May 2006 due to trademark issues

POSTECH 18/17 CSED702D: Internet Traffic Monitoring and Analysis Q&A