A Framework for Packet Trace Manipulation
Christian Kreibich
christian.kreibich@cl.cam.ac.uk

Motivation
• Say you need to solve a problem that involves manipulating network traffic:
  • complex filtering (e.g. data analysis)
  • fine-grained editing (e.g. header field bitflips)
  • large-scale editing (e.g. anonymization)
  • visualization (e.g. behavioural analysis)
• What do you do?
Motivation II
• Find a tool that does it
  • where? does it build? maintained?
• If so, lucky you!
• Mhmm ... write your own.
• Okay, pcap.
• Now you typically need infrastructure:
  • data types, connection state tracking, protocol header lookup
• Lots of duplicated effort
• Cut'n'paste is bad

Motivation III
• Current practice:

Introducing ...
• Netdude — NETwork DUmp Data Editor
• Framework for packet inspection and manipulation
• Multiple usage paradigms: GUI + command line
• Scales to arbitrary trace sizes
• Reusable at all levels
• Extensible
libpcapnav
• Enables random packet access
  • Jump to arbitrary timestamps and fractional offsets
• Thin wrapper around pcap
• Based on Vern Paxson's tcpslice tool
  • Uses heuristics to get in sync with packet stream
• Slightly more robust algorithm
  • Harder to fool
  • Tolerates packets not in temporal order
• Nasty accidental test case: trace of NFS-copied trace
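To make the "get in sync with the packet stream" heuristic concrete, here is an added C illustration (not libpcapnav's or tcpslice's own code): starting at an arbitrary byte offset it looks for a record header whose fields are sane and whose successors chain to further sane headers, so a lone lucky byte pattern cannot fool it. The snaplen, timestamp window, native byte order and the sample trace bytes are all constructed assumptions; the window check ignores ordering, which is why the out-of-order third record still syncs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* pcap record header as written by libpcap, assumed in native byte order
 * (the order used when the trace was written on this host). */
struct rec_hdr { uint32_t ts_sec, ts_usec, caplen, len; };

#define SNAPLEN 96              /* assumed snaplen from the global header    */
#define T_MIN 1040000000u       /* assumed plausible timestamp window        */
#define T_MAX 1060000000u       /* (in a real trace: first/last packet time) */

/* A header at buf+off is accepted only if its fields are sane AND the headers
 * it chains to are sane too; chaining is what makes the heuristic hard to
 * fool.  Only a window is checked, not ordering, so out-of-order packets
 * do not break the sync. */
static int plausible(const uint8_t *buf, size_t n, size_t off, int depth) {
    struct rec_hdr h;
    if (off + sizeof h > n) return depth > 0;      /* clean end of trace */
    memcpy(&h, buf + off, sizeof h);               /* unaligned-safe read */
    if (h.ts_sec < T_MIN || h.ts_sec > T_MAX) return 0;
    if (h.ts_usec >= 1000000u) return 0;
    if (h.caplen == 0 || h.caplen > SNAPLEN || h.caplen > h.len) return 0;
    if (off + sizeof h + h.caplen > n) return 0;   /* truncated record */
    if (depth >= 2) return 1;                      /* three good hops */
    return plausible(buf, n, off + sizeof h + h.caplen, depth + 1);
}

/* Scan forward from an arbitrary byte offset to the next record boundary;
 * returns its offset or -1 if none is found. */
long pcap_sync(const uint8_t *buf, size_t n, size_t start) {
    for (size_t off = start; off + sizeof(struct rec_hdr) <= n; off++)
        if (plausible(buf, n, off, 0)) return (long)off;
    return -1;
}

/* Constructed sample: a 24-byte zeroed stand-in for the global header, then
 * three 40-byte records; the third timestamp is deliberately out of order. */
size_t build_sample(uint8_t *buf) {
    static const uint32_t secs[3] = {1050000000u, 1050000001u, 1049999999u};
    size_t off = 24;
    memset(buf, 0, off);
    for (int i = 0; i < 3; i++) {
        struct rec_hdr h = { secs[i], 500000u, 40u, 60u };
        memcpy(buf + off, &h, sizeof h); off += sizeof h;
        memset(buf + off, 0xFF, 40);     off += 40;
    }
    return off;   /* 192 bytes in total */
}
```

Jumping into the middle of a record (e.g. offset 25) resolves to the next boundary at 80; a real implementation would derive the window from the trace's first and last packets rather than hard-coding it.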
libnetdude
• Packet manipulation back-end
• Transparent handling of arbitrarily large traces
• High-level data types
• Extensible through plugin mechanism
  • connection tables, flow demuxer, flow reassembly, TCP connection filter, importers/exporters, ...
• Structured packet content: easy header access, protocol plugins provide the knowledge
• Provides per-packet tcpdump output
• Observer/observee API to be informed of updates

Handling big trace files
(Figure: a trace divided into areas 1, 2, 3, ..., n-1, n, with Area 1, Area 2 and Area 3 shown as the regions being edited)
• Always limit the number of packets in memory
• Can't just mmap() if you want to insert/delete
• Edit at granularity of trace areas — libpcapnav helps
• Modified trace areas become layered trace parts
Netdude GUI
• GTK-based front-end to libnetdude (sorry Matthias :-)
• Extensible through protocol and feature plugins
  • Protocol plugins visualize header content
  • Feature plugins can essentially do anything
• Uses libnetdude's observer API to update GUI

Demo
• Fingers crossed, please.

Experience
• Fine-grained header field modifications:
  • M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 9th USENIX Security Symposium, 2001
• Large-scale filtering and reassembly:
  • A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, PAM Workshop, 2003
• Fine-grained payload editing:
  • C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003
Future Work
(Figure: "Progress Graph", a visual interpretation with perceived length normalized from 0 to 1)
• Seriously, lots to do:
  • Packet resizing
  • Less coding
  • Scriptability
• Help me out!

Don't get me wrong ... I
• Well, mostly :-)

Summary
• Framework for packet trace manipulation
• Can handle traces of arbitrary size
• Multiple usage paradigms: GUI + command line
• Reusable at all levels
  • libpcapnav for navigation
  • libnetdude for packet mangling
  • Netdude GUI for visualization
• Extensible through protocol and feature plugins

Thanks!
• Shoutouts to all contributors!
• Debian packagers needed ...
• Questions?
http://netdude.sf.net