
Developing Academic Protocol Analysis tools with VB.NET


Presentation Transcript


  1. Developing Academic Protocol Analysis tools with VB.NET April 28th, 2004 Mt San Antonio College John Blyzka

  2. SecureIT Presentation
  • What is RISSC? Who is RISSC?
  • What is a Protocol Analyzer (Sniffer)?
  • Components of a “Sniffer”
  • Existing protocol analysis tools
  • Why develop a protocol analysis tool?
  • Tools
    • WinPCap
    • PacketX
    • Visual Basic.NET
  • Code examples

  3. What is RISSC?
  • Regional Information Systems Security Center
  • National Science Foundation Funded Project
    • Advanced Technological Education grant
  • Project’s main focus is in developing new Information Systems Security (ISS) curriculum at the 2-year and 4-year colleges
  • New courses
    • Network Analysis and NIDS
    • Network Security Firewalls
    • Network Vulnerabilities and Countermeasures
    • Computer Forensics
    • Internet Security

  4. Who is RISSC?
  • Consortium of two colleges
    • Mt San Antonio College – Walnut, CA
      • PI – John Blyzka
      • Co-PI – Jaishri Mehta
      • Jim Gau
    • California Polytechnic University, Pomona
      • Co-PI – Dr. Dan Manson
      • Fred Gallegos

  5. What is a Protocol Analyzer
  • What is a "packet sniffer" or Protocol Analyzer?
  • A packet sniffer is a wire-tap device that plugs into computer networks and eavesdrops on the network traffic. Just as a telephone wiretap allows the FBI to listen in on other people's conversations, a "sniffing" program lets someone listen in on computer conversations. However, computer conversations consist of apparently random binary data. Therefore, network wiretap programs also come with a feature known as "protocol analysis", which allows them to "decode" the computer traffic and make sense of it.
  • Sniffing also has one advantage over telephone wiretaps: many networks use "shared media". This means that you don't need to break into a wiring closet to install your wiretap; you can do it from almost any network connection to eavesdrop on your neighbors. This is called a "promiscuous mode" sniffer. However, "switched" technology does not provide "shared media", which means you would have to actually hack into the router.

  6. Components of a “Sniffer”
  • The hardware
    • Most products work from standard network adapters.
  • Capture driver
    • This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, then stores the data in a buffer.
  • Buffer
    • Once the frames are captured from the network, they are stored in a buffer.
  • Real-time analysis
    • This feature does a small amount of analysis of the frames as they come off the wire, which makes it possible to find network performance issues and faults while capturing. Many vendors have started to add minimal capabilities along this line to their products. Network intrusion detection systems do this too, but they sift the traffic for signs of hacker activity rather than fault/performance issues.
  • Decode
    • This displays the contents of network traffic with descriptive text so that you can figure out what is going on.
  • Packet editing/transmission
    • Some products contain features that allow you to edit your own network packets and transmit them onto the network.
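The capture-driver filter, the buffer and the decoder from slide 6 can be shown in a few dozen lines. The block below is an added example written for this transcript; it is not the RISSC Sniffer's code, and it is in Python rather than VB.NET so it can run anywhere with no capture library installed. The two frames it decodes (a TCP SYN to port 80 and a bare ARP request) are constructed in build_sample_frames(), not captured from a network; in a real tool on_packet() would be called from the WinPCap or PacketX packet callback instead.

```python
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (zero when valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Decoded:
    """Fields the decode component fills in; None where a layer is absent."""
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    ip_checksum_ok: Optional[bool] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Optional[str] = None


def decode_frame(frame: bytes) -> Decoded:
    """Decode Ethernet II -> IPv4 -> TCP; runt or truncated input raises ValueError."""
    if len(frame) < 14:
        raise ValueError("runt frame: %d bytes" % len(frame))
    mac = lambda raw: ":".join("%02x" % b for b in raw)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    d = Decoded(mac(frame[0:6]), mac(frame[6:12]), ethertype)
    if ethertype != ETHERTYPE_IPV4:
        return d                       # ARP, IPv6, ...: stop after the link layer
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4           # header length in bytes (options included)
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 version/IHL")
    d.proto = ip[9]
    d.src_ip = ".".join(str(b) for b in ip[12:16])
    d.dst_ip = ".".join(str(b) for b in ip[16:20])
    d.ip_checksum_ok = ip_checksum(ip[:ihl]) == 0
    if d.proto == IPPROTO_TCP:
        tcp = ip[ihl:]
        if len(tcp) < 20:
            raise ValueError("truncated TCP header")
        d.src_port, d.dst_port = struct.unpack("!HH", tcp[:4])
        bits = tcp[13]
        d.tcp_flags = "".join(name for mask, name in
                              ((0x02, "S"), (0x10, "A"), (0x08, "P"), (0x01, "F"), (0x04, "R"))
                              if bits & mask)
    return d


class Sniffer:
    """Capture driver + buffer: each frame is decoded, filtered, then stored (bounded)."""

    def __init__(self, keep: Optional[Callable[[Decoded], bool]] = None,
                 max_frames: int = 1000) -> None:
        self.keep = keep                       # filter predicate over decoded fields
        self.max_frames = max_frames
        self.buffer: List[Tuple[bytes, Decoded]] = []
        self.dropped = 0                       # frames lost because the buffer was full

    def on_packet(self, frame: bytes) -> bool:
        d = decode_frame(frame)
        if self.keep is not None and not self.keep(d):
            return False
        if len(self.buffer) >= self.max_frames:
            self.dropped += 1
            return False
        self.buffer.append((frame, d))
        return True


def build_sample_frames() -> Tuple[bytes, bytes]:
    """Constructed test input (not real traffic): a TCP SYN to port 80 and an ARP request."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                             64, IPPROTO_TCP, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    ip = ip_no_csum[:10] + struct.pack("!H", ip_checksum(ip_no_csum)) + ip_no_csum[12:]
    arp = bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb") + b"\x08\x06" + b"\x00" * 28
    return eth + ip + tcp, arp


if __name__ == "__main__":
    syn, arp = build_sample_frames()
    s = Sniffer(keep=lambda d: d.proto == IPPROTO_TCP and d.dst_port == 80)
    for f in (syn, arp):
        print("kept" if s.on_packet(f) else "filtered", decode_frame(f))
```

The decoder validates every length before indexing and checks the IPv4 header checksum, which is the part students most often skip; a real-time-analysis module (slide 6) would hang off on_packet() and look at the Decoded fields rather than raw bytes.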

  7. Existing Protocol Analyzers
  • Sniffer
    • Network Associates
    • $20,000
  • EtherPeek
    • WildPackets
    • $3,500
  • Ethereal
    • Open Source – Ethereal.com
    • Free

  8. NAI Sniffer • Capturing and sending packets

  9. NAI Sniffer Packet editor for NAI’s Sniffer

  10. NAI Sniffer Animation of NAI’s Packet generator

  11. EtherPeek • Capturing and sending packets

  12. EtherPeek • Editing packets

  13. EtherPeek Animation of EtherPeek’s Packet generator

  14. Ethereal
  • Ethereal – great teaching tool!
  • Simple interface
  • No sending capability
  • Open Source
  • Built with many different languages
    • Python
    • Perl
    • ANSI-C
  • Free

  15. Ethereal

  16. Why develop a Protocol Analyzer?
  • Best way to learn packet decoding (for the developer)
  • Your tool can be modularized for your curriculum – turn on features when your class is ready
  • Cost
    • Free if WinPCap CLI is used
    • Slight cost if PacketX is used

  17. Tools
  • WinPCap
    • Win32 Call Level Interface
  • PacketX
    • COM Interface
    • Object oriented, Event driven
  • Visual Basic.NET
    • Development language for your “Sniffer”
    • Object oriented, Event driven
    • .NET CLR

  18. WinPCap
  • WinPCap is an architecture for packet capture and network analysis for the Win32 platforms.
  • WinPCap has a call level interface – you must include or declare all functions and data structures you use.
  • WinPCap is implemented as a protocol; therefore it is able to capture packets, but it can't be used to drop them.

  19. WinPCap WinPCap includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll).
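Slide 18 says that with the call-level interface you declare every data structure yourself. The most useful structures to get right are the ones that turn the capture buffer into a file other tools can open: the libpcap global file header and the per-packet record header, the format wpcap.dll writes and Ethereal reads. The block below is an added example, not code from the presentation or from WinPCap; it declares both layouts as struct format strings, writes a capture, reads it back, and refuses malformed files. The two frames it stores are constructed filler bytes, and the timestamps are made up.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # written in the host's byte order, microsecond timestamps
LINKTYPE_ETHERNET = 1

# The two structures a capture tool must declare (field order as in the libpcap file format).
GLOBAL_HDR = "IHHiIII"        # magic, version_major, version_minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = "IIII"           # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)


def write_pcap(frames: List[Tuple[int, int, bytes]], snaplen: int = 65535) -> bytes:
    """Serialize (ts_sec, ts_usec, frame) tuples to libpcap bytes.
    Frames longer than snaplen are cut to snaplen, as a capture driver would do."""
    out = [struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in frames:
        saved = frame[:snaplen]
        out.append(struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(saved), len(frame)))
        out.append(saved)
    return b"".join(out)


def read_pcap(data: bytes) -> Tuple[int, List[Tuple[int, int, int, bytes]]]:
    """Parse libpcap bytes -> (snaplen, [(ts_sec, ts_usec, orig_len, frame), ...]).
    Accepts either byte order and rejects records that run past the end of the data."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:         # the same magic as written by a big-endian host
        order = ">"
    else:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    _, major, minor, _, _, snaplen, network = struct.unpack(order + GLOBAL_HDR, data[:24])
    if (major, minor) != (2, 4) or network != LINKTYPE_ETHERNET:
        raise ValueError("unsupported version %d.%d / link type %d" % (major, minor, network))
    records, pos = [], 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(order + RECORD_HDR, data[pos:pos + 16])
        pos += 16
        if incl_len > snaplen or pos + incl_len > len(data):
            raise ValueError("record at offset %d exceeds snaplen or file size" % (pos - 16))
        records.append((ts_sec, ts_usec, orig_len, data[pos:pos + incl_len]))
        pos += incl_len
    return snaplen, records


def sample_capture(snaplen: int = 1500) -> bytes:
    """Constructed capture: a 60-byte frame and a 2000-byte frame that must be truncated."""
    frames = [(1083110400, 0, b"\xaa" * 60), (1083110400, 500, b"\xbb" * 2000)]
    return write_pcap(frames, snaplen)


if __name__ == "__main__":
    snap, recs = read_pcap(sample_capture())
    for ts_sec, ts_usec, orig_len, frame in recs:
        print("%d.%06d  saved %d of %d bytes" % (ts_sec, ts_usec, len(frame), orig_len))
```

The bounds checks in read_pcap() matter because a capture file is untrusted input to the analyzer: a record header that claims more bytes than the file holds must be rejected rather than indexed.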

  20. PacketX
  • PacketX is designed to provide an easy-to-use COM interface to the WinPCap packet capture library from development environments supporting Microsoft COM technology.
  • PacketX can be used with Microsoft Visual Basic, Visual C++, VBScript, Borland C++ Builder, Delphi, and the Microsoft .NET CLR.
  • Requirements are Microsoft Windows and WinPCap
  • PacketX is not Free – $49.95
  • There is a royalty-free right to reproduce and distribute the object code version of any portion of PacketX
  • http://www.beesync.com

  21. PacketX Classes

  22. Visual Basic.NET
  • Microsoft’s newest version of Visual Basic
  • .NET Common Language Runtime
  • PacketX is a COM – Component Object Model – object
  • Visual Basic creates a .NET wrapper for the PacketX COM object

  23. RISSC Sniffer Visual Interface

  24. RISSC Sniffer Visual Interface

  25. RISSC Sniffer VB .NET Components
  • System.Windows.Forms.Form
  • System.Windows.Forms.ComboBox
  • System.Windows.Forms.ListView
  • System.Windows.Forms.ColumnHeader
  • System.Windows.Forms.ListViewItem
  • System.Windows.Forms.Button
  • System.Windows.Forms.Label
  • System.Windows.Forms.TextBox
  • System.Windows.Forms.Splitter

  26. Is Sniffing “Legal”?
  • On your own network?
  • On the school’s network?
  • On your company’s network?
  • On the Internet?

  27. More information
  • RISSC – http://rissc.mtsac.edu
  • WinPCap – http://winpcap.polito.it/
  • PacketX – http://www.beesync.com
  • VB.NET – http://www.microsoft.com/net/
  • Sniffer® – http://www.nai.com
  • EtherPeek™ – http://www.wildpackets.com
  • Ethereal – http://www.ethereal.com
  • Sniffing FAQ – http://www.robertgraham.com/pubs/
