Presentation is loading. Please wait.

Presentation is loading. Please wait.

28/09/2016 Passive Network Analysis Using Libtrace Shane Alcock.

Published byErik Fletcher Modified over 8 years ago

Similar presentations

Presentation on theme: "28/09/2016 Passive Network Analysis Using Libtrace Shane Alcock."— Presentation transcript:

1 28/09/2016 Passive Network Analysis Using Libtrace Shane Alcock

2 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 2 Outline Introduction and Basics The Libtrace Tools Simple Libtrace Programming Advanced Topics

3 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 3 Part Four Advanced Topics Advanced protocol analysis A practical example Overview of projects using libtrace Network visualisation with BSOD The future of libtrace Question time

4 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 4 Protocol Analysis Libtrace provides functions to jump directly to the header at a particular layer Metadata layer, e.g. RadioTap, Prism, Linux SLL Layer 2 (aka link layer), e.g. Ethernet, 802.11 Layer 3 (aka IP layer), e.g. IP, IPv6 Transport layer, e.g. TCP, UDP, ICMP

5 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 5 Protocol Analysis void *trace_get_packet_meta(libtrace_packet_t *packet, libtrace_linktype_t *linktype, uint32_t *remaining); void *trace_get_layer2(libtrace_packet_t *packet, libtrace_linktype_t *linktype, uint32_t *remaining); void *trace_get_layer3(libtrace_packet_t *packet, uint16_t *ethertype, uint32_t *remaining); void *trace_get_transport(libtrace_packet_t *packet, uint8_t *proto, uint32_t *remaining);

6 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 6 Protocol Analysis Each function returns a void pointer to the header If no header is present at that layer, NULL is returned Cast the pointer to the appropriate header based on type The second parameter is set to signify the protocol type

7 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 7 Protocol Analysis Libtrace defines structures for most common headers IP – libtrace_ip_t IPv6 – libtrace_ip6_t TCP – libtrace_tcp_t UDP – libtrace_udp_t ICMP – libtrace_icmp_t Ethernet – libtrace_ether_t VLAN – libtrace_8021q_t 802.11 – libtrace_80211_t Many others as well – check out libtrace.h for a full list

8 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 8 Protocol Analysis Third parameter: remaining Set by the protocol analysis function to contain the number of bytes between the start of the header and the end of the packet Other analysis functions require a correct remaining value Example: remaining after calling trace_get_layer3 PCAP Ethernet IP TCP TCP Payload remaining

9 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 9 Protocol Analysis Example - httpcount.c Rewriting our HTTP counter using the protocol analysis API

10 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 10 Advanced Protocol Analysis Remember our MPLS packet from earlier? MPLS IP TCP Ethernet ERF / PCAP

11 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 11 Advanced Protocol Analysis We can't jump directly to the MPLS headers trace_get_layer2() will give us the Ethernet header trace_get_layer3() will give us the IP header

12 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 12 Advanced Protocol Analysis void *trace_get_payload_from_layer2(void *l2, libtrace_linktype_t linktype, uint16_t *ethertype, uint32_t *remaining); Returns a pointer to the first header after the given layer 2 header Returns NULL if the layer 2 header was incomplete linktype must be set to the type of the layer 2 header ethertype will be set to indicate the type of the returned header remaining will be decremented by the size of the skipped header Check the value of remaining upon return!

13 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 13 Advanced Protocol Analysis Example - mplscount.c Counting MPLS packets

14 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 14 Advanced Protocol Analysis void *trace_get_payload_from_mpls(void *mpls, uint16_t *type, uint32_t *remaining); Returns a pointer to the first header after the given MPLS header Returns NULL if an MPLS header is not passed in Returns NULL if the MPLS header is incomplete type must be set to the type of the header passed in type will be updated to indicate the type of the returned header remaining will be decremented by the size of the skipped header Check the value of remaining upon return!

15 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 15 Advanced Protocol Analysis Example - mplstag.c Printing all the MPLS tags in a packet

16 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 16 Advanced Protocol Analysis void *trace_get_payload_from_vlan(void *vlan, uint16_t *type, uint32_t *remaining); Returns a pointer to the first header after the given VLAN header Returns NULL if the header passed in is not a VLAN header Returns NULL if the VLAN header is incomplete type must be set to the type of the header passed in type will be updated to indicate the type of the returned header remaining will be decremented by the size of the skipped header Check the value of remaining upon return!

17 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 17 Advanced Protocol Analysis void *trace_get_payload_from_pppoe(void *pppoe, uint16_t *type, uint32_t *remaining); Returns a pointer to the first header after the given PPPoE header Also skips the subsequent PPP header Returns NULL if the PPPoE or PPP header is incomplete type will be updated to indicate the type of the returned header remaining will be decremented by the size of the skipped header Check the value of remaining upon return!

18 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 18 Advanced Protocol Analysis void *trace_get_payload_from_ip(libtrace_ip_t *ip, uint8_t *proto, uint32_t *remaining); void *trace_get_payload_from_ip6(libtrace_ip6_t *ip, uint8_t *proto, uint32_t *remaining); Returns a pointer to the first header after the given IP header Returns NULL if the IP header is incomplete proto is set to indicate the protocol of the returned header remaining operates just as with the previous functions

19 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 19 Advanced Protocol Analysis void *trace_get_payload_from_tcp(libtrace_tcp_t *tcp, uint32_t *remaining); void *trace_get_payload_from_udp(libtrace_udp_t *udp, uint32_t *remaining); void *trace_get_payload_from_icmp(libtrace_icmp_t *icmp, uint32_t *remaining); Returns a pointer to the data after the given transport header Returns NULL if the header is incomplete remaining operates just as with the previous functions No indication is given as to the protocol of the returned data

20 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 20 A Practical Example Determining the amount of header overhead Step through each of the headers to calculate total for a packet Include link and meta-data layers Therefore, I can't jump straight to the IP header Also calculate post-transport payload size to compare against Produce statistics for both TCP and UDP traffic Periodically output stats so we can create a pretty graph End result: headerdemo.c

21 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 21 Ruby Libtrace Written by Nevil Brownlee (University of Auckland) Combine the features of ruby with libtrace Exception handling Iterators Garbage collection Other languages Python bindings suffered from poor performance Implementations from libtrace users are most welcome

22 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 22 Libtrace Projects WDCap http://research.wand.net.nz/software/wdcap.php Tool for capturing and writing traces Driving force behind much of the early libtrace development Modular components allow capture to be customised Packet snapping and anonymisation Output trace file rotation Direction tagging Exporting of captured packets over a network

23 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 23 Libtrace Projects Maji – an implementation of an IPFIX meter http://research.wand.net.nz/software/maji.php Packets are read using libtrace Many information elements are extracted using libtrace functions i.e. any elements that can be found in a protocol header Hoping for a release before the end of 2008 More information about IPFIX (including links to RFCs) http://www.ietf.org/html.charters/ipfix-charter.html

24 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 24 Libtrace Projects Nettest http://nettest.wand.net.nz/ Passive network performance measurement applet Collects performance statistics from NZ broadband users Measurements are all done using libtrace Compare results ISPs Service plans Cities

25 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 25 Libtrace Projects TCP object extraction Determine application-level objects using only packet headers Search for non-MSS sized packets to find object boundaries Paper published at ATNAC 2007 http://www.wand.net.nz/pubDetail.php?id=224

26 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 26 Libtrace Projects BSOD http://research.wand.net.nz/software/visualisation.php Real-time 3D graphical view of network traffic Input can be any libtrace-supported format Especially live capture formats! BSOD server processes the trace or live capture BSOD client displays the 3D visualisation

27 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 27 Libtrace Projects BSOD demonstration

28 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 28 The Future Enhancements planned for upcoming libtrace releases New IO system enabling (de)compression in a separate thread Revamp of the tool UI to fix inconsistencies Support for new protocols and trace formats General performance enhancements Further suggestions are also welcome!

29 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 29 The End Any final questions?

30 © THE UNIVERSITY OF WAIKATO TE WHARE WANANGA O WAIKATO 30 WAND Network Research Group Department of Computer Science The University of Waikato Private Bag 3105 Hamilton, New Zealand www.crc.net.nz www.wand.net.nz www.waikato.ac.nz

Download ppt "28/09/2016 Passive Network Analysis Using Libtrace Shane Alcock."

Similar presentations

Multiplexing/Demux. CPSC 441 - Transport Layer 3-2 Multiplexing/demultiplexing application transport network link physical P1 application transport network.

Multiplexing/Demux. CPSC Transport Layer 3-2 Multiplexing/demultiplexing application transport network link physical P1 application transport network.
Chapter 17 Networking Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William.

Chapter 17 Networking Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William.
Final Presentation Liat Ben-Ami Yonathan Perez Instructor: Roy Mitrany.

Final Presentation Liat Ben-Ami Yonathan Perez Instructor: Roy Mitrany.
Data Communication and Networks Lecture 2 ADTs in Protocol Design (Ring Buffer, Queue, FSM) September 16, 2004 Joseph Conron Computer Science Department.

Data Communication and Networks Lecture 2 ADTs in Protocol Design (Ring Buffer, Queue, FSM) September 16, 2004 Joseph Conron Computer Science Department.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Introduction To Networking

Introduction To Networking
Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.

Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.
Gursharan Singh Tatla Transport Layer 16-May-2011 1

Gursharan Singh Tatla Transport Layer 16-May
Chapter Overview TCP/IP Protocols IP Addressing.

Chapter Overview TCP/IP Protocols IP Addressing.
Evolved from ARPANET (Advanced Research Projects Agency of the U.S. Department of Defense) Was the first operational packet-switching network Began.

Evolved from ARPANET (Advanced Research Projects Agency of the U.S. Department of Defense) Was the first operational packet-switching network Began.
CH07: Writing the Programs Does not teach you how to program, but point out some software engineering practices that you should should keep in mind as.

CH07: Writing the Programs Does not teach you how to program, but point out some software engineering practices that you should should keep in mind as.
Module 1: Reviewing the Suite of TCP/IP Protocols.

Module 1: Reviewing the Suite of TCP/IP Protocols.
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.
Chapter 17 Networking Dave Bremer Otago Polytechnic, N.Z. ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William Stallings.

Chapter 17 Networking Dave Bremer Otago Polytechnic, N.Z. ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William Stallings.
Fraunhofer FOKUSCompetence Center NET T. Zseby, CC NET1 IPFIX – IP Flow Information Export Overview Tanja Zseby Fraunhofer FOKUS, Network Research.

Fraunhofer FOKUSCompetence Center NET T. Zseby, CC NET1 IPFIX – IP Flow Information Export Overview Tanja Zseby Fraunhofer FOKUS, Network Research.
Chapter 1: Introduction to Web Applications. This chapter gives an overview of the Internet, and where the World Wide Web fits in. It then outlines the.

Chapter 1: Introduction to Web Applications. This chapter gives an overview of the Internet, and where the World Wide Web fits in. It then outlines the.
CS 424/524: Introduction to Java Programming Lecture 25 Spring 2002 Department of Computer Science University of Alabama Joel Jones.

CS 424/524: Introduction to Java Programming Lecture 25 Spring 2002 Department of Computer Science University of Alabama Joel Jones.
3 April 2010 The RIPE NCC Internet Measurement Data Repository Shane Alcock.

3 April 2010 The RIPE NCC Internet Measurement Data Repository Shane Alcock.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Unicast Routing Protocols.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Unicast Routing Protocols.
1 Networking Chapter 12. 2 Distributed Capabilities Communications architectures –Software that supports a group of networked computers Network operating.

1 Networking Chapter Distributed Capabilities Communications architectures –Software that supports a group of networked computers Network operating.

Similar presentations

Ads by Google