Professional Documents
Culture Documents
“Nertwork sniffer”
Abstract—In this project we propose a network sniffer that can act significant level of investment protection can be achieved
as a detection system and an efficient provider of informatios. The by leveraging existing data sources where available and
use of the TCP session logger as a network sniffer is necessary adding advanced instrumentation where greater levels of
when there is a need to analyse traffic on the network. TCPSL detail and application visibility are required – particularly
makes use of its features to sniff, document and issue alarms for
the incoming and outgoing traffic of the local machine.
for the most costly and highest utilized network segments.
Coverage of a broad range of topologies: Today's global
Keywords - sniffer, protocol, TCP, monitoring, detetion. networks are built from diverse network topologies in the
core, distribution, access and storage areas of the network.
I. INTRODUCTION To ensure consistent visibility throughout the enterprise, the
performance management solution should support a full
The TCP session logger is a software application that range of topologies, including those in the WAN and LAN,
detects different issues in your tcp traffic by obtaining, and those that will be grown into or migrated to, such as
manipulating and interpreting data from open tcp sessions. MPLS or 10Gigabit Ethernet.
Tcp session logger listens on an interface and tracks all TCP
Visibility into encrypted networks: While technologies
sessions it sees. Normally, only general information is
such as VPNs and MPLS are being used for security, among
carried forward (seq#/ack#, negotiated SYN/ACK features,
etc). Whenever an anomaly happens - that is a duplicate other purposes, the challenge is that it also obscures the
ACK, SACK response, out-of-order segment, retransmission detailed data most network professionals require for
or others; it captures those packets into a tcpdump file for troubleshooting and traffic engineering. The performance
later deep inspection. This tool is to be deployed on live management product must have a solution for seeing the
hosts and passive monitors to collect reliable condensed data details, including the applications that are traversing these
about real-world behavior of TCP on the global Internet. secure links.
Complexity and heterogeneity are hallmarks of network Visibility into QoS and other complex network
services today, such as switched networks, load-balanced configurations: Network configurations are becoming
configurations, redundant segments, virtual circuits, and increasingly complex. Deployments such as Quality of
technology improvements to achieve higher speed delivery Service implementations, redundant WAN links for fault
transport, e.g. 10Gigabit Ethernet or OC-48. A solution that tolerance, and Fast EtherChannel and Gigabit EtherChannel
provides comprehensive support throughout such mixed configurations for load balancing have been introduced to
environments, regardless of topology, across the core, help improve network efficiency. A performance
distribution, and access areas of the network is essential. management solution must transparently measure and report
Monitoring solutions must profile traffic in a manner that upon the network activity in aggregate across such
reflects not only the physical network but also the logical configurations while also retaining the detail of what traffic,
flows of applications as they utilize these services. i.e., applications, is flowing across each individual link or
Best practices in network monitoring must include the service class.
following: Visibility into virtual networks: Most networks today
Incorporation of multiple intelligent data source types: use some form of virtual network technology, typically seen
Performance data can be retrieved from a wide array of as VLANs in the LAN, PVCs or DLCIs in the WAN, and
sources, each offering a different level of granularity (see subnets or VRFs in MPLS networks. A performance
“Data Sources”). Rather than individual management management solution must quantify traffic by virtual
solutions to handle each data source type, a performance network and should provide a full set of application and
management solution should incorporate all types, taking volume performance statistics for each virtual segment.
advantage of the strengths of each to provide an overall
picture of the network and its applications. In doing so, a
Continuous 24x7 monitoring that supports real-time and congestion to reduce the occurrence of the other problems.
historical analysis: The performance management solution Once the TCP receiver has reassembled the sequence of
must continuously monitor, collect, display and store octets originally transmitted, it passes them to the
information in multiple time frames to meet the needs of the application program.
key performance management tasks. Real-time information TCP is optimized for accurate delivery rather than timely
is required for status monitoring and troubleshooting, while delivery, and therefore, TCP sometimes incurs relatively
longer-term historical metrics are stored for capacity long delays (in the order of seconds) while waiting for out-
planning, trend analysis, baselining, and forecasting. of-order messages or retransmissions of lost messages.
B. Packet analyzer
A. Transmission Control Protocol
A packet analyzer (also known as a network
The TCP provides the service of exchanging data analyzer, protocol analyzer or sniffer) is a computer
directly between two hosts on the same network, whereas IP program (or a piece of computer hardware) that can
handles addressing and routing message across one or more intercept and log traffic passing over a digital network or
networks. part of a network. As data streams flow across the network,
A packet is a sequence of octets and consists of a header the sniffer captures each packet and, if needed, decodes and
followed by a body. The header describes the packet's analyzes its content.
destination and, optionally, the routers to use for forwarding The captured information is decoded from raw
until it arrives at its destination while the body contains the digital form into a human-readable format that permits users
data IP is transmitting. of the protocol analyzer to easily review the exchanged
Transmission Control Protocol accepts data from a data information.
stream, into chunks, and adds a TCP header creating a TCP A packet sniffer, which intercepts TCP traffic on a
segment. The segment is then encapsulated into an IP network link, can be useful in debugging networks, network
packet. stacks and applications that use TCP by showing the user
TCP also uses the notion of port numbers to identify what packets are passing through a link. Some networking
sending and receiving application end-points on a host, or
stacks support the SO_DEBUG socket option, which can be
Internet sockets. Each side of a TCP connection has an
enabled on the socket using setsockopt. That option dumps
associated 16-bit unsigned port number (0-65535) reserved
by the sending or receiving application. all the packets, TCP states, and events on that socket, which
Arriving TCP data packets are identified as belonging to is helpful in debugging.
a specific TCP connection by its sockets, that is, the PCAP (packet capture) consists of an application
programming interface (API) for capturing network traffic.
combination of source host address, source port, destination
libpcap provide the packet-capture and filtering engines of
host address, and destination port. This means that a server
many open source and commercial network tools, including
computer can provide several clients with several services packet sniffers (protocol analyzers), network monitors,
simultaneously, as long as a client takes care of initiating network intrusion detection systems, traffic-generators and
any simultaneous connections to one destination port from network-testers.
different source ports.
Port numbers are categorized into three basic categories: C. Libpcap
well-known, registered, and dynamic or private. The well- Libpcap is an open source library that provides a
known ports are assigned by the Internet Assigned Numbers high level interface to network packet capture systems. It
Authority (IANA) and are typically used by system-level or was created in 1994 by McCanne, Leres and Jacobson –
root processes. Well-known applications running as servers researchers at the Lawrence Berkeley National Laboratory
and passively listening for connections typically use these from University of California, at Berkeley as part of a
ports. Some examples include: FTP (21), SSH (22), research project to investigate and improve TCP and
TELNET (23), SMTP (25) and HTTP (80). Registered ports internet gateway performance.
are typically used by end user applications as ephemeral Libpcap authors main objective was to create a
source ports when contacting servers, but they can also platform-independent API to eliminate the need for system
identify named services that have been registered by a third dependent packet capture modules in each aplication, as
party. Dynamic/private ports can also be used by end user virtually evrey OS vendor implements its own capture
applications, but are less commonly so. Dynamic/private mechanisms.
ports do not contain any meaning outside of any particular The libpcap API is designed to be used for C and
TCP connection. C++. However, there are many wappers that allow its use
Due to network congestion, traffic load balancing, or from languages like Pearl, Python, Java, C# or
other unpredictable network behavior, IP packets can be Ruby.Libpcap runs on most UNIX-like operating systems.
lost, duplicated, or delivered out of order. TCP detects these Today, libpcap is maintained by the Tcpdump Group.
problems, requests retransmission of lost data, rearranges libpcap also support saving captured packets to a
out-of-order data, and even helps minimize network file, and reading files containing saved packets; applications
can be written, using libpcap or WinPcap, to be able to This are three of the primary and most useful packet
capture network traffic and analyze it, or to read a saved sniffers are TCPdump, Ngrep and Snoop.
capture and analyze it, using the same analysis code. A
capture file saved in the format that libpcap and WinPcap 1) TCPdump is the most common network debugging
use can be read by applications that understand that format, and packet monitoring tool that runs under the command
such as tcpdump, Wireshark, CA NetMaster, or Microsoft line. It allows the user to intercept and display TCP/IP and
Network Monitor 3.x. other packets being transmitted or received over a network
to which the computer is attached. TCPdump works on most
II. RELATED WORK Unix-like operating systems: Linux, Solaris, BSD, Mac OS
X, HP-UX and AIX among others. In those systems,
Packet sniffing began with the need to obtain raw packets
tcpdump uses the libpcap library to capture packets. The
across the several layers beneath the application protocol.
user may optionally apply a BPF-based filter to limit the
Normally the packets or data frames are stripped of their
number of packets seen by tcpdump; this renders the output
headers and are passed to the upper layers. However in
more usable on networks with a high volume of traffic.
promiscuous mode raw packets of lower layers can directly
Tcpdump is frequently used to debug applications that
be obtained alongside their headers. These samples are quite
generate or receive network traffic. It can also be used for
useful to obtain the data flow patterns across the network.
debugging the network setup itself, by determining whether
This can also be used for network monitoring and
all necessary routing is occurring properly, allowing the user
management.
to further isolate the source of a problem.
Much of the idea behind packet sniffing began with the
use of BSD packet filters (BPF) . Because network monitors 2) Ngrep strives to provide most of GNU grep's
run as user-level processes, packets must be copied across common features, applying them to the network layer.
the kernel/user-space protection boundary. This copying can Ngrep is a pcap-aware tool that will allow you to specify
be minimized by deploying a kernel agent called a packet extended regular or hexadecimal expressions to match
filter, which discards unwanted packets as early as possible. against data payloads of packets. It currently recognizes
The BSD Packet Filter (BPF) uses a redesigned, register IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across
based filter evaluator that can be implemented efficiently on Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces,
today’s register based RISC CPU. BPF uses a simple, non- and understands BPF filter logic in the same fashion as
shared buffer model made possible by today’s larger address more common packet sniffing tools, such as tcpdump and
spaces. snoop.
There are many types of network sniffers. That’s why It Ngrep may simply feed the output of libpcap (or
is necessary to consider the properties of an ideal packet tcpdump) into the regular expression parse, where the
sniffer. These can be summarized as shown below: expressions come from a file on the disk. Some even
• View detailed IP or MAC connections statistics: IP simpler systems don't even use regular expressions and
addresses, ports, sessions, etc. simply compare packets with well-known byte patterns.
• Display TCP sessions. Ngrep has traditionally been used to debug plain text
• Map packets to the application that is sending or protocol interactions such as HTTP, SMTP, FTP, etc.
receiving them. 3) Snoop is a very flexible command line packet
• View application protocols distribution, bandwidth sniffer included as part of Sun Microsystems' Solaris
utilization, and network nodes charts and tables. Operating System. It is pretty cable sniffer equal or better
• Ability to monitor traffic in real time as well as then TCPdump.
analyze traffic reports offline Snoop displays packets in a single-line summary form or in
• Ability to browse captured and decoded packets in real verbose multi-line forms. It can display packets as soon as
time. they are received or saved to a file. When snoop writes to an
• Ability to search for strings or hex data in captured intermediate file, packet loss under busy trace conditions is
packet contents. unlikely. Snoop itself can be used read and interpret the file
• Ability to import and export packets in hex and text e.g - print summary expended summary and full packets
formats from other sniffers dumps.
• Ability to configure alarms that can notify about The only disadvantage being that since it is tightly
important events, such as suspicious packets, high integrated within the Solaris kernel, its use is largely limited
bandwidth utilization, unknown addresses, etc. to Sun based systems. Though there have been hacks to port
• Ability to create custom plug-ins for decoding any it to other kernels like FreeBSD and Linux, most of them
protocol. have been fairly limited by number.
• Ability to exchange data with other application over
TCP/IP.
III. ARHITECTURE 5) Steps 2,3 and 4 are actually basic steps which can
In this section we provide details of the design and the be found in most sniffer implementations. The TCP
implementation of our program. The TCP Session Logger is Session Logger adds a new block which is
basically a C written sniffer that is concentrated on sniffing responsible for making several decisions. This
TCP packets and is capable of taking best practice decisions decisions determine two new features, making use
based on what data it has gathered over time. of the best practice actions that can be taken when
dealing with networking.
A. Design 6) The first one is relatively simple, but may prove
The main logic of the program can be easily followed on the itself very useful. TCPSL documents the data that
graph below (Fig 1): it sniffs in different formats for future data
analysis. A statistical representation of the network
1) First, we use the packet generator software to insert data may not be very useful to an end-user system,
several TCP packets over the Ethernet channel. but it is critical when dealing with different kind of
This way we can simulate a scenario where the servers, that need a proficient management of their
Linux guest is sustaining multiple connections that connections.
run over the TCP protocol. 7) The second feature consists of several decisions that
2) Meanwhile our sniffer will be in listen mode, are to be taken based on the information the sniffer
which basically means it will constantly monitor is gathering. One example could be limiting the
the ethernet channel for any new packets. number of connections initiated or accepted by the
The sniffer does not need to know whether the server when there is high network load. Also,
packets are TCP packets or not because we use the introducing several Qos techniques for various
generator to send TCP packets only. Of course, if traffic could be reasonable actions.
we would have needed to send other type of Besides taking decisions, TCPSL could also issue
packets we could have introduced an additional different kind of alarms to the administrator (by email, sms
filter inside the sniffer, for reading TCP only. This or by using monitoring tools). For example, when the sniffer
implementation would be needed for real scenario receives a lot of NACK packets it could send a mail to the
human administrator warning of a possible connection
purposes.
problem or too high traffic load.
3) While cruising the ethernet channel, packets are
The ability to identify a network fault and react to it, is a
taken one by one by the sniffer. Afterwards the
also function of our aplication. The Tcp session logger
sniffer will read the data inside and will provide the
focuses on a more proactive approach to managing faults by
Layer 2/3 fields necessary for further use.
continuously monitoring for conditions that indicate an
4) After reading the data filters are applied. These
emerging problem or degradation. This proactive approach
filters have the role to select only the TCP packets
is essential to reducing mean-time-to-repair and rectifying
we are really interested in. (e.g. ACK and NACK
potential issues before end users ever notice. To support
packets may be filtered out if they do not
best practices in accelerated fault detection, our solutions
contribute in any way to our desired analysis).
include the following:
off = ntohs(ip->ip_off);
We are following the tcpdump method of handling the if((off & 0x1fff) == 0 )/* aka no 1's in first 13 bits */
version and header length in Fig.5-6. {/* print SOURCE DESTINATION hlen version len offset */
fprintf(stdout,"IP source: ");
fprintf(stdout,"%s ;\n",
struct my_ip inet_ntoa(ip->ip_src));
u_int8_t ip_vhl; /* header length, version*/ fprintf(stdout,"IP destination: %s ;\n header lenght: %d ;\n
#define IP_V(ip) (((ip)->ip_vhl & 0xf0) >> 4) version: %d ;\n lenght: %d ;\n offset: %d\n",
#define IP_HL(ip) ((ip)->ip_vhl & 0x0f) inet_ntoa(ip->ip_dst),
u_int8_t ip_tos; /* type of service */ hlen,version,len,off);
u_int16_t ip_len; /* total length */ fprintf(stdout,"Time to Live: %d ;\n", ntohs(ip->ip_ttl)/256);
u_int16_t ip_id; /* identification*/ fprintf(stdout,"Protocol: %d ;\n", ip->ip_p);
u_int16_t ip_off; /* fragment offset field */ fprintf(stdout,"Checksum: %d ;\n", ip->ip_sum);
#define IP_DF 0x4000 /* dont fragment flag */ }
#define IP_MF 0x2000 /* more fragments flag */ return NULL;
#define IP_OFFMASK 0x1fff /* mask for }
fragmenting bits */ Fig. 6
u_int8_t ip_ttl; /* time to live */
u_int8_t ip_p; /* protocol */
u_int16_t ip_sum; /* checksum */
struct in_addr ip_src,ip_dst; /* source and dest address */
};
Fig. 5
IV. RESULTS Future work may extend the functionality or the concept
The results we have with our application are not very of such an application to all kinds of traffic. Also a GUI/CL
elaborate, and the application still needs some final interface could be implemented in order to allow the users
debugging and testing. The results we will present are only to constantly adapt the application's behavior to their own
base test results. needs.
The functionality testing of our sniffer is shown in Fig. 7: By using statistical data, decisions about upgrading or
adding new servers could be made more exact. Also, the
Opening device eth0 business owner could have a better picture about how much
ethernet header source: 0:c:29:81:29:3c more traffic can the server sustain in good conditions.
destination: 0:50:56:fb:e0:d (IP) VI. REFERENCES
IP source: 192.168.79.138 ;
IP destination: 192.168.79.2 ; [1] http://elf.cs.pub.ro/so2/
header lenght: 5 ; [2] http://elf.cs.pub.ro/so/
version: 4 ; [3]http://recursos.aldabaknocking.com/libpcapHakin9LuisM
lenght: 77 ; artinGarcia.pdf
offset: 16384 [4]http://www.programmingpcap.aldabaknocking.com/code
Time to Live: 64 ; samples.html
Protocol: 17 ;
[5]http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
Checksum: 44446 ;
Grabbed packet of length 91 [6] http://www.tcpdump.org/#
Recieved at ..... Sat Jan 8 16:08:55 2011 [7] Vinton G. Cerf, Robert E. Kahn, A Protocol for Packet
Network Intercommunication, IEEE Transactions on
Ethernet address length is 14 Communications, Vol. 22, No. 5,May 1974.
Ethernet type hex:800 dec:2048 is an IP packet [8] Comer, Douglas E. (2006). Internetworking with TCP/
Destination Address: 0:50:56:fb:e0:d IP:Principles, Protocols, and Architecture. 1 (5th ed.).
Source Address: 0:c:29:81:29:3c [9] http://www.iana.org/assignments/tcp-parameters/
ethernet header source: 0:c:29:81:29:3c [10]http://citeseer.ist.psu.edu/stone00when.html
destination: 0:50:56:fb:e0:d (IP) [11] http://lwn.net/Articles/92727/
IP source: 192.168.79.138 ; [12] Peterson, Larry (2003). Computer Networks. Morgan
IP destination: 192.168.79.2 ; Kaufmann..
header lenght: 5 ; [13]Tanenbaum, Andrew S. (2003-03-17). Computer
version: 4 ; Networks (Fourth ed.).
lenght: 75 ; [14]http://www.gont.com.ar/talks/hacklu2009/fgont-
offset: 16384 hacklu2009-tcp-security.pdf
Time to Live: 64 ; [15] Business Wire (2007-12-06). "Solera Networks
Protocol: 17 ; Announces Advanced Deep Packet Inspection and Capture
Checksum: 44958 ; Solution for Full 10Gbps Speeds".
Grabbed packet of length 89 [16] Erik Hjelmvik (2008). "Passive Network Security
Recieved at ..... Sat Jan 8 16:08:55 2011 Analysis with NetworkMiner".
[17] Helman, Paul, Liepins, Gunar, and Richards, Wynette,
Fig. 7 "Foundations of Intrusion Detection," The IEEE Computer
Security Foundations Workshop V, 1992.
All the information is stored and used by our fault [18] Steven McCanne and Van Jacobso “ The BSD Packet
detection system, which analysis the information and take Filter: A New Architecture for User-level Packet Capture”
action based on the problems found. Lawrence Berkeley Laboratory 1992.
[19] Ashish Chaurasia “Network packet capturing for Linux
V. CONCLUSIONS AND FUTURE WORK “, IBM Corp.
A good implementation of a TCPSL application could be [20] Naveed Afzal “Host Fingerprinting and Firewalking
very useful in the case of servers that suffer of high load, With hping”.
and their uptime is essential for the business. Additional [21] Anderson, Ross (2001). Security Engineering: A Guide
servers or load balancing can, of course, be a solution, but to Building Dependable Distributed Systems. New York:
the additional costs may not be always affordable by the John Wiley & Sons. pp. 387–388.
business owner. One efficiently configured TCPSL may [22] Anderson, James P., "Computer Security Threat
well manage the existing load and may protect the server Monitoring and Surveillance," Washing, PA, James P.
from unwanted downtime periods. Anderson Co., 1980.
[23] Denning, Dorothy E., "An Intrusion Detection Model," Jonkman Marty, Raffael, and Poor, Mike, "Snort IDS and
Proceedings of the Seventh IEEE Symposium on Security IPS Toolkit," Syngress, 2007.
and Privacy, May 1986, pages 119–131 .
[24] Lunt, Teresa F., "IDES: An Intelligent System for
Detecting Intruders," Proceedings of the Symposium on
Computer Security; Threats, and Countermeasures; Rome,
Italy, November 22–23, 1990, pages 110–121.
[25] Lunt, Teresa F., "Detecting Intruders in Computer
Systems," 1993 Conference on Auditing and Computer
Technology, SRI International .
[26] Sebring, Michael M., and Whitehurst, R. Alan., "Expert
Systems in Intrusion Detection: A Case Study," The 11th
National Computer Security Conference, October, 1988
[27] Smaha, Stephen E., "Haystack: An Intrusion Detection
System," The Fourth Aerospace Computer Security
Applications Conference, Orlando, FL, December, 1988 .
[28] Vaccaro, H.S., and Liepins, G.E., "Detection of
Anomalous Computer Session Activity," The 1989 IEEE
Symposium on Security and Privacy, May, 1989 .
[29] Teng, Henry S., Chen, Kaihu, and Lu, Stephen C-Y,
"Adaptive Real-time Anomaly Detection Using Inductively
Generated Sequential Patterns," 1990 IEEE Symposium on
Security and Privacy .
[30] Heberlein, L. Todd, Dias, Gihan V., Levitt, Karl N.,
Mukherjee, Biswanath, Wood, Jeff, and Wolber, David, "A
Network Security Monitor," 1990 Symposium on Research
in Security and Privacy, Oakland, CA, pages 296–304
[31] Winkeler, J.R., "A UNIX Prototype for Intrusion and
Anomaly Detection in Secure Networks," The Thirteenth
National Computer Security Conference, Washington, DC.,
pages 115–124, 1990.
[32] Dowell, Cheri, and Ramstedt, Paul, "The
ComputerWatch Data Reduction Tool," Proceedings of the
13th National Computer Security Conference, Washington,
D.C., 1990 .
[33] Snapp, Steven R, Brentano, James, Dias, Gihan V.,
Goan, Terrance L., Heberlein, L. Todd, Ho, Che-Lin, Levitt,
Karl N., Mukherjee, Biswanath, Smaha, Stephen E., Grance,
Tim, Teal, Daniel M. and Mansur, Doug, "DIDS
(Distributed Intrusion Detection System) -- Motivation,
Architecture, and An Early Prototype," The 14th National
Computer Security Conference, October, 1991, pages 167–
176.
[34] Jackson, Kathleen, DuBois, David H., and Stallings,
Cathy A., "A Phased Approach to Network Intrusion
Detection," 14th National Computing Security Conference,
1991 .
[35] Paxson, Vern, "Bro: A System for Detecting Network
Intruders in Real-Time," Proceedings of The 7th USENIX
Security Symposium, San Antonio, TX, 1998 .
[36] Amoroso, Edward, "Intrusion Detection: An
Introduction to Internet Surveillance, Correlation, Trace
Back, Traps, and Response," Intrusion.Net Books, Sparta,
New Jersey, 1999.
[37] Kohlenberg, Toby (Ed.), Alder, Raven, Carter, Dr.
Everett F. (Skip), Jr., Esler, Joel., Foster, James C.,