Presentation is loading. Please wait.

Presentation is loading. Please wait.

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) Programming with Libpcap.

Published byAdelia Arnold Modified over 9 years ago

Similar presentations

Presentation on theme: "POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) Programming with Libpcap."— Presentation transcript:

1 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) Programming with Libpcap

2 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Contents  Introduction  Basic Concept of Packet Capturing  Programming with Libpcap  Device & Network Related APIs  Initializing Packet Capturing APIs  TCP, IP, Ethernet Structures  Packet Read Related APIs  Filtering Related APIs  Software based on Libpcap  Reference (2)

3 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Introduction  Libpcap: Portable Packet Capturing Library  Operating system independent  Provide general-purpose APIs  Simple and powerful user-level library  Compatible with Unix like System  Other packet capturing tools  SOCK_PACKET, LSF, SNOOP, SINT and etc.  Operating System defendant  TCPDUMP is implemented with Libpcap  Many of commercial IDS systems utilize Libpcap to analyze packet data  Installation  Unix/Linux: http://www.tcpdump.org/#latest-releasehttp://www.tcpdump.org/#latest-release  Windows: http://www.winpcap.org/default.htmhttp://www.winpcap.org/default.htm  Solaris: http://www.sunfreeware.comhttp://www.sunfreeware.com (3)

4 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Basic Concept of Packet Capturing  Packet capturing (sniffing) does not affects to data transfer  The packet captured by libpcap is called raw packet and demultiplexing is required to analyze the packet (4)

5 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (5) Programming with Libpcap - Programming APIs-

6 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Device & Network Related APIs (1/2)  char *pcap_lookupdev(char *errbuf)  return a pointer to a network device suitable for use with pcap_op en_live() and pcap_lookupnet()  return NULL indicates an error  reference: lookupdev.c  int pcap_lookupnet( const char *device, bpf_u_int32 *netp, bpf_u_int32 *mask p, char *errbuf)  determine the network number and mask associated with the net work device  return -1 indicates an error  reference: lookupnet.c (6)

7 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Device & Network Related APIs (2/2)  What if there are multiple devices?  int pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf)  constructs a list of network devices that can be opened with pcap_create() and pcap_activate() or with pcap_open_live()  alldevsp: list of network devides  returns 0 on success and -1 on failure.  The list of devices must be freed with pcap_freealldevs()  Structure of pcap_if_t  next: if not NULL, a pointer to the next element in the list  name: a pointer to a string giving a name for the device to pass to pcap_open_live()  description: if not NULL, a pointer to a string giving a human- read- able description of the device  addresses: a pointer to the first element of a list of addresses  flags: interface flags - PCAP_IF_LOOPBACK set if the interface is a loopback interface (7)

8 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Example #1 Output: DEV: eth0 NET: 192.168.xx.x MASK: 255.255.xxx.xxx (8) *Compile: gcc [source] –lpcap –I/usr/include/pcap

9 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Initializing Packet Capturing APIs (1/2)  File descriptor == Packet capture descriptor  Packet capture descriptor: pcap_t *  pcap_t *pcap_open_live( const char *device, int snaplen, int promisc, int to_ms, char *errbuf)  obtain a packet capture descriptor to look at packets on the netw ork  snaplen: maximum number of bytes to capture  promisc: true, set the interface into promiscuous mode; false, onl y bring packets intended for you  to_ms: read timeout in milliseconds; zero, cause a read to wait for ever to allow enough packets to arrive  return NULL indicates an error (9)

10 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Initializing Packet Capturing APIs (2/2)  pcap_t *pcap_open_offline(const char *fname, char *errbuf);  open a “savefile” for reading  fname: the name of the file to open  return a pcap_t * on success and NULL on failure (10)

11 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications TCP, IP, Ethernet Structures (1/3)  IP and TCP headers: /usr/include/netinet  Ethernet header: /usr/include/linux/if_ether.h  Ethernet header (11)

12 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications TCP, IP, Ethernet Structures (2/3)  IP header (12)

13 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications TCP, IP, Ethernet Structures (3/3)  TCP header (13)

14 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Packet Read Related APIs  const u_char *pcap_next(pcap_t *p, struct pcap_pkthdr * h)  read the next packet  return NULL indicates an error  pcap_next.c  timestamp.c  int pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)  processes packets from a live capture or “savefile‘” until cnt packets are processed  A value of -1 or 0 for cnt is equivalent to infinity  callback specifies a routine to be called (14)

15 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Filtering Related APIs  int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, bpf_u_int32 netmask)  compile the str into a filter program  str: filter string  optimize: 1, optimization on the resulting code is performed  netmask: specify network on which packets are being captured  returns 0 on success and -1 on failure  int pcap_setfilter(pcap_t *p, struct bpf_program *fp)  specify a filter program (after compiling filter)  return -1 indicates an error  pcap_filter.c (15)

16 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Example #2  http://dpnm.postech.ac.kr/cs702/pcap_example/pcap_example.c http://dpnm.postech.ac.kr/cs702/pcap_example/pcap_example.c  http://dpnm.postech.ac.kr/cs702/pcap_example/readfile.c http://dpnm.postech.ac.kr/cs702/pcap_example/readfile.c  http://dpnm.postech.ac.kr/cs702/pcap_example/savedump.c http://dpnm.postech.ac.kr/cs702/pcap_example/savedump.c (16)

17 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Software based on Libpcap  ntop - network top  a network traffic probe that shows the network usage  sort network traffic according to many protocols  http://www.ntop.org/overview.html http://www.ntop.org/overview.html  snort  intrusion prevention and detection system  sniff every packet and differentiate general and intrusion by again st rules  http://www.snort.org/ http://www.snort.org/  ethereal  network protocol analyzer  http://www.ethereal.com/ http://www.ethereal.com/  wireshark  http://www.wireshark.org/ http://www.wireshark.org/ (17)

18 POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications Reference  TCPDump  http://www.tcpdump.org/pcap.html  The Sniffer's Guide to Raw Traffic  http://yuba.stanford.edu/~casado/pcap/section1.html (18)

Download ppt "POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) Programming with Libpcap."

Similar presentations

Ethical Hacking Module VII Sniffers.

Ethical Hacking Module VII Sniffers.
Datalink Access.

Datalink Access.
Network Performance Measurement

Network Performance Measurement
Extending Wireshark For A New Protocol Varun NotiBala CISC 856 – University of Delaware 2 nd Dec 2008 Acknowledgements Dr. Paul Amer.

Extending Wireshark For A New Protocol Varun NotiBala CISC 856 – University of Delaware 2 nd Dec 2008 Acknowledgements Dr. Paul Amer.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
TCPDUMP Network-Based Intrusion Detection. Description  Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring.

TCPDUMP Network-Based Intrusion Detection. Description  Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring.
1 libpcap Packet Sniffing for Security Alisa Neeman.

1 libpcap Packet Sniffing for Security Alisa Neeman.
Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.

Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.
CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,
POSIX: Files Introduction to Operating Systems: Discussion 1 Read Solaris System Interface Guide: Ch. 5.1 Basic File I/O.

POSIX: Files Introduction to Operating Systems: Discussion 1 Read Solaris System Interface Guide: Ch. 5.1 Basic File I/O.
Wireshark Presented By: Hiral Chhaya, Anvita Priyam.

Wireshark Presented By: Hiral Chhaya, Anvita Priyam.
Programming Multi-Core Processors based Embedded Systems A Hands-On Experience on Cavium Octeon based Platforms Lab Exercises.

Programming Multi-Core Processors based Embedded Systems A Hands-On Experience on Cavium Octeon based Platforms Lab Exercises.
Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.

Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.
1 Ethereal.  Freeware sniffing tool.  Captures live network traffic.  The user interface separates it from other sniffers.

1 Ethereal.  Freeware sniffing tool.  Captures live network traffic.  The user interface separates it from other sniffers.
University of Calgary – CPSC 441.  Wireshark (originally named Ethereal)is a free and open-source packet analyzer.  It is used for network troubleshooting,

University of Calgary – CPSC 441.  Wireshark (originally named Ethereal)is a free and open-source packet analyzer.  It is used for network troubleshooting,
Penetration Testing Security Analysis and Advanced Tools: Snort.

Penetration Testing Security Analysis and Advanced Tools: Snort.
CSCD433 Advanced Networks Fall 2011 Raw vs. Cooked Sockets.

CSCD433 Advanced Networks Fall 2011 Raw vs. Cooked Sockets.
TCP/IP Protocol Stack IP Device Drivers TCPUDP Application Sockets (Gate to network) TCP: –Establish connection –Maintain connection during the communication.

TCP/IP Protocol Stack IP Device Drivers TCPUDP Application Sockets (Gate to network) TCP: –Establish connection –Maintain connection during the communication.
CPSC 441 Tutorial TA: Fang Wang The content of these slides are taken from CPSC 526 TUTORIAL by Nashd Safa (Extended and partially modified)

CPSC 441 Tutorial TA: Fang Wang The content of these slides are taken from CPSC 526 TUTORIAL by Nashd Safa (Extended and partially modified)
FORESEC Academy FORESEC Academy Security Essentials (III)

FORESEC Academy FORESEC Academy Security Essentials (III)

Similar presentations

Ads by Google