分散式網路事件分析記錄系統之 研製 The Design and Implementation of Distributed Network Event Analyzing and Recording System Yi-Lei Chang Advisor: Dr. Kai-Wei Ke 2013/06/17 1
Outline Introduction Background System Design Compare to simulate system Demo Reference 2
Introduction Network Event An observable occurrence on network that can be recognize as a specific protocol activity or behavior (e.g., FTP Login, HTTP web browse). System Goals Record and analyze network event FTP HTTP VoIP Abnormal behavior Distributed system High flexibility and extensibility 3
Background - Jpcap Packages Jpcap JpcapCaptor PacketReceiver Jpcap.packet ARPPacket ICMPPacket IPPacket TCPPacket UDPPacket 4
Background - Jpcap 5
System Design 6
Interception System Capture packets Track relative connections Record supported network event 7
Packet Capture Receive packets from NIC in promiscuous mode Set basic packet filter IP ARP Not Interception System’s IP Add packets to PacketPool 8
Packet Pool Maintain all packets capture by PacketCapture Each ProtocolParser register to PacketPool have a random integer key to access it’s packet list iterator Remove useless packets when buffer full Synchronize needed 9
Protocol Parser Abstract class ProtocolParser implements Runnable Define basic steps for a standard protocol parser Implement Runnable.run() with 4 abstract function called in sequence isRelative() processPacket() isContinue() endProcess() The implementation of these abstraction function will change the use of class extends ProtocolParser(e.g., FTPProtocolParser). 10
Protocol Parser 11
Protocol Parser - FTP Relative: port 21 Process: Create a connection key “clientIP|clientPort|hostIP|hostPort” for identify every FTP command connection For every unhandled FTP connection create FTP command Parser Continue: always Ending process: unregister with PacketPool 12
Protocol Parser - FTP 13
Protocol Parser – FTP command Relative: specific connection represent by connection key Process: USER/PASS/230 – login event PORT/227 – tract data connection STOR/RETR – create FTP recorder to record transmitted file Continue: Connection not close Connection not idle Ending process: Unregister with PacketPool Remove handled state in FTP Parser 14
Protocol Parser – FTP command 15
Protocol Parser – FTP recorder Relative: specific connection and direction represent IP and Port Process: Put data packet to TCPReorderBuffer Set acknowledge number for TCPReorderBuffer to reference While buffer full flush data to file Continue: Connection not close Connection not idle Ending process: Unregister with PacketPool Flush all remain data in buffer to file Log file transmit event into DB 16
Protocol Parser – FTP recorder 17
TCPReordreBuffer A buffer can store jpcap.packet TCPPacket and reorder packet’s data by sequence Put: TCPPacket ack_number Get: in order packet TCP payload in byte array Missing part info 18
TCPReordreBuffer - put 19
TCPReordreBuffer - get 20
Protocol Parser - HTTP Relative: port 80 Process: Create a connection key “clientIP|clientPort|hostIP|hostPort” for identify every HTTP connection For every unhandled HTTP connection create HTTP recorder Continue: always Ending process: unregister with PacketPool 21
Protocol Parser – HTTP recorder Relative: specific connection specific connection represent by connection key Process: Put data packet to TCPReorderBuffer Set acknowledge number for TCPReorderBuffer to reference Cut HTTP header, record header information Log HTTP event into DB Store HTTP body into DB if its not too big Continue: Connection not close Connection not idle Ending process: Unregister with PacketPool Flush all remain data in buffer to file Log file transmit event into DB 22
Protocol Parser H.323 Relative: port 1719(H.323RAS), port 1720(Q.931/H.225) Process: Maintain device list using gatekeeper RAS message For every unhandled H245 connection create H245 Parser Continue: always Ending process: Unregister with PacketPool 23
Protocol Parser H.245 Relative: specific connection represent by connection key Process: While openlogicchannel message detected, create RTP recorder Continue: Disconnect message undetected Connection not idle Ending process: Unregister with PacketPool Log calling event into DB 24
Protocol Parser RTP Relative: specific UDP packet with specific source and destination Process: Record RTP content Real-time decode/play if needed Continue: Disconnect message undetected Connection not idle Ending process: Unregister with PacketPool 25
Protocol Parser - Abnormal behavior Relative: ICMP Packet, ARP Packet, TCP SYN packet Process: ICMP ping attack Count ICMP packet for both source and destination If > 3 ping packet/sec log ping attack event into DB ARP attack Record MAC/IP mappings If MAC/IP mappings changing > 10 times/min log ARP attack event into DB TCP SYN packet Record SYN request, remove when 3 way established If to many SYN request unestablished log SYN attack event into DB Continue: always Ending process: Unregister with PacketPool 26
Analyzing and Recording System HTML page recovery PCM decode File storage and presentation 27
Analyzing and Recording System - HTTP Analyzer Search http response with content-type text/html to get html page file Search [src=“”] pattern in html file Search relative http request in DB Recover/rename relative file and replace links in html file Cross match DB and html file to recover as much as possible 28
Improvement FTP active/passive mode, upload, download support HTTP absolute direct link resolve H.323 support Better program structure with higher flexibility and extendibility 29
Compare to other system 本系統 WiresharkClearSight Analyzer 系統特性比較 使用者介面簡易複雜 開放原始碼是是否 擴充性高高低 價格免費 昂貴 系統功能比較 網路協定量統計無有有 分散式架構有無無 儲存側錄檔案 支援檔案及 HTML 頁面還原 只針對封包內容儲存 語音即時監聽有無無 記憶體需求小大大 可分析之協定較少多 多 適合長時間之網路監測是否否 30
Demo 31
Reference [1] 林佑民 ,「 基於雲端運算之網路通訊監察分析系統之研製 」, 碩士論文 , 國立 台北科技大學資訊工程系碩士班 , 2012 [2] 黃威穎 ,「 H.323 網路電話音訊監控與錄製系統之研製 」, 碩士論文國立台北 科技大學資訊工程系碩士班 ,