Presentation is loading. Please wait.

Presentation is loading. Please wait.

Paul Vixie, ISC with Duane Wessels, Measurement Factory July, 2007

Published byLaurence Ferguson Modified over 6 years ago

Similar presentations

Presentation on theme: "Paul Vixie, ISC with Duane Wessels, Measurement Factory July, 2007"— Presentation transcript:

1 Paul Vixie, ISC with Duane Wessels, Measurement Factory July, 2007
NCAP Paul Vixie, ISC with Duane Wessels, Measurement Factory July, 2007

2 PCAP Pros and Cons PCAP works at the packet (interface) level
lots of useless link-level drivel in *.pcap files every PCAP application has a big switch() new link formats are not backward compatible Impedance mismatch w/ WAN analysis: need IP (UDP) reassembly of large EDNS need TCP reassembly (ordering, duplicates)

3 IP (UDP) Reassembly Challenges:
IP fragments only include UDP headers in first fragment each user-mode reassembler has to ask BPF for all frags and then do flow isolation Dangers: bad guys wanting to evade trivial analysis and detection can force large-EDNS all known existing tools won't reassemble IP

4 TCP Reassembly Challenges:
TCP segments can arrive out of order and/or be duplicated Dangers: any transaction that falls back to TCP will probably be missed by all existing analysis tools

5 PCAP File Format Problems
Link level information When analyzing WAN data, the link level information is almost never interesting Most PCAP analyzers skip it altogether When combining PCAP streams, a unified output linktype has to be chosen Packet size problems snaplen and packet size are 16-bit fields DNS message length is also 16 bits DNS+UDP+IP can be larger than 16 bits

6 NCAP File Format Proposal
Universal format, no interface-specific data All fields are 32-bit network byte order Original wire-format headers (IP, UDP, TCP, etc) are simply discarded Enumerations network: IP, IP6 transport: UDP, TCP Payloads UDP: sport, dport, length, payload TCP: sport, dport, length, offset, payload

7 NCAP Library Proposal libncap would appear similar to libpcap
some evolution, fewer rough edges in the API libncap would probably be implemented using libpcap pass the filters across to the kernel grab the output from the kernel reassemble packets/segments, strip headers make and deliver ncap-format messages Challenges: event handling is still nonportable, so merging input from many interfaces will be tricky

8 NCAP Kernel Module Proposal
The kernel already has efficient packet and segment reassemblers An NCAP kernel module to tap into data as it passes into/outof the transport would be more efficient than doing it in user mode This would only work for locally sourced and locally destined traffic Use of the kernel module would be optional, and hidden behind the NCAP library API Not very compelling at the moment

9 Implications on Passive DNS
For OARC passive DNS, it's nec'y to be able to rebroadcast centrally the data that is collected in many places Raw IP/UDP and IP/TCP isn't a good format for this – fragments, segments, etc Raw PCAP isn't a good format either We need messages (NCAP) not packets (PCAP) for this

Download ppt "Paul Vixie, ISC with Duane Wessels, Measurement Factory July, 2007"

Similar presentations

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
Prentice HallHigh Performance TCP/IP Networking, Hassan-Jain Chapter 2 TCP/IP Fundamentals.

Prentice HallHigh Performance TCP/IP Networking, Hassan-Jain Chapter 2 TCP/IP Fundamentals.
Introduction1-1 message segment datagram frame source application transport network link physical HtHt HnHn HlHl M HtHt HnHn M HtHt M M destination application.

Introduction1-1 message segment datagram frame source application transport network link physical HtHt HnHn HlHl M HtHt HnHn M HtHt M M destination application.
Chapter 7 – Transport Layer Protocols

Chapter 7 – Transport Layer Protocols
Network Layer Packet Forwarding IS250 Spring 2010

Network Layer Packet Forwarding IS250 Spring 2010
UDP - User Datagram Protocol UDP – User Datagram Protocol Author : Nir Shafrir Reference The TCP/IP Guide - (http://www.TCPIPGuide.com) Version 3.0 - Version.

UDP - User Datagram Protocol UDP – User Datagram Protocol Author : Nir Shafrir Reference The TCP/IP Guide - ( Version Version.
1 Computer Networks IP: The Internet Protocol. 2 IP is a connection-less, unreliable network layer protocol IP provides best effort services in the sense.

1 Computer Networks IP: The Internet Protocol. 2 IP is a connection-less, unreliable network layer protocol IP provides best effort services in the sense.
CSCI 4550/8556 Computer Networks Comer, Chapter 21: IP Encapsulation, Fragmentation, and Reassembly.

CSCI 4550/8556 Computer Networks Comer, Chapter 21: IP Encapsulation, Fragmentation, and Reassembly.
IP Addressing: introduction

IP Addressing: introduction
Transport Layer TCP and UDP IS250 Spring 2010

Transport Layer TCP and UDP IS250 Spring 2010
Network Layer4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side,

Network Layer4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side,
Network Layer4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side,

Network Layer4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side,
1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.

1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.
IP-UDP-RTP Computer Networking (In Chap 3, 4, 7) 건국대학교 인터넷미디어공학부 임 창 훈.

IP-UDP-RTP Computer Networking (In Chap 3, 4, 7) 건국대학교 인터넷미디어공학부 임 창 훈.
A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.

A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.
Process-to-Process Delivery:

Process-to-Process Delivery:
Network Architecture and Protocol Concepts. Network Architectures (1) The network provides one or more communication services to applications –A service.

Network Architecture and Protocol Concepts. Network Architectures (1) The network provides one or more communication services to applications –A service.
Presentation on Osi & TCP/IP MODEL

Presentation on Osi & TCP/IP MODEL
Lecture 2 TCP/IP Protocol Suite Reference: TCP/IP Protocol Suite, 4 th Edition (chapter 2) 1.

Lecture 2 TCP/IP Protocol Suite Reference: TCP/IP Protocol Suite, 4 th Edition (chapter 2) 1.
What is a Protocol A set of definitions and rules defining the method by which data is transferred between two or more entities or systems. The key elements.

What is a Protocol A set of definitions and rules defining the method by which data is transferred between two or more entities or systems. The key elements.

Similar presentations

Ads by Google