A Framework for Packet Trace Manipulation - PowerPoint PPT Presentation

About This Presentation

Title:

A Framework for Packet Trace Manipulation

Description:

Say you need to solve a problem that involves manipulating network traffic: ... Shoutouts to all contributors! Debian packagers needed ... Questions? http: ... – PowerPoint PPT presentation

Number of Views:29

Avg rating:3.0/5.0

Slides: 35

Provided by: HomerS8

Learn more at: http://www.icir.org

Category:

more less

Transcript and Presenter's Notes

Title: A Framework for Packet Trace Manipulation

1
A Framework for Packet Trace Manipulation

Christian Kreibich

2
Motivation

Say you need to solve a problem that involves
manipulating network traffic
complex filtering (e.g. data analysis)
fine-grained editing (e.g. header field bitflips)
large-scale editing (e.g. anonymization)
visualization (e.g. behavioural analysis)
What do you do?

3
Motivation II

Find a tool that does it
where? ?does it build? ?maintained?
If so, lucky you!

4
Motivation II

Find a tool that does it
where? ?does it build? ?maintained?
If so, lucky you!
Mhmm ... write your own.
Okay, pcap.
Now you typically need infrastructure
data types ?conn. state tracking ?protocol
header lookup
Lots of duplicated effort
Cutnpaste is bad

5
Motivation III

Current practice

6
Introducing ...

Netdude NETwork DUmp Data Editor
Framework for packet inspection and manipulation
Multiple usage paradigms GUI command line
Scales to arbitrary trace sizes
Reusable at all levels
Extensible

7
Architecture
8
Architecture
9
Architecture
10
libpcapnav

Enables random packet access
Jump to arbitrary timestamps and fractional
offsets
Thin wrapper around pcap
Based on Vern Paxsons tcpslice tool
Uses heuristics to get in sync with packet stream
Slightly more robust algorithm
Harder to fool ? Tolerates packets not in
temporal order
Nasty accidental test case trace of NFS-copied
trace

11
Architecture
12
libnetdude

Packet manipulation back-end
Transparent handling of arbitrarily large traces
High-level data types
Extensible through plugin mechanism
connection tables, flow demuxer, flow reassembly,
TCP connection filter, importers/exporters,...
Structured packet content easy header access,
protocol plugins provide the knowledge
Provides per-packet tcpdump output
Observer/observee API to be informed of updates

13
Handling big trace files

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

14
Handling big trace files

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

15
Handling big trace files

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

16
Handling big trace files II

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

17
Handling big trace files II

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

18
Handling big trace files II

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

19
Handling big trace files II

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

20
Handling big trace files III

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

21
Handling big trace files III

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

22
Handling big trace files III

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

23
Handling big trace files III

Always limit the number of packets in memory
Cant just mmap() if you want to insert/delete
Edit at granularity of trace areas libpcapnav
helps
Modified trace areas become layered trace parts

24
Architecture
25
Netdude GUI

GTK-based front-end to libnetdude (sorry Matthias
-)
Extensible through protocol and feature plugins
Protocol plugins visualize header content
Feature plugins can essentially do anything
Uses libnetdudes observer API to update GUI

26
Demo

Fingers crossed, please.

27
Experience

Fine-grained header field modifications
M. Handley, C. Kreibich, V. Paxson Network
Intrusion Detection Evasion, Traffic
Normalization, and End-to-End Protocol Semantics,
9th USENIX Security Symposium, 2001
Large-scale filtering and reassembly
A. Moore, J. Hall, C. Kreibich, E. Harris, I.
Pratt Architecture of a Network Monitor, PAM
Workshop, 2003
Fine-grained payload editing
C. Kreibich, J. Crowcroft Honeycomb - Creating
Intrusion Detection Signatures Using Honeypots,
HotNets II, 2003

28
Future Work
Progress Chart
Visual interpretation
0
1
Perceived length (normalized)
29
Future Work
Progress Chart
Visual interpretation
0
1
Perceived length (normalized)
30
Future Work
Progress Chart
Visual interpretation
0
1
Perceived length (normalized)
31
Future Work
Progress Graph
Visual interpretation
0
1
Perceived length (normalized)