Christian Kreibich - PowerPoint PPT Presentation


A Framework for Packet Trace Manipulation. Christian Kreibich. Motivation. Say you need to solve a problem that involves manipulating network traffic: complex filtering (e.g. data analysis) fine-grained editing (e.g. header field bitflips) large-scale editing (e.g. anonymization)

Presentation Transcript
Motivation
  • Say you need to solve a problem that involves manipulating network traffic:
    • complex filtering (e.g. data analysis)
    • fine-grained editing (e.g. header field bitflips)
    • large-scale editing (e.g. anonymization)
    • visualization (e.g. behavioural analysis)
  • What do you do?
Motivation II
  • Find a tool that does it
    • where? does it build? maintained?
    • If so, lucky you!
  • Mhmm ... write your own.
    • Okay, pcap.
    • Now you typically need infrastructure:
      • data types
      • conn. state tracking
      • protocol header lookup
    • Lots of duplicated effort
    • Cut’n’paste is bad
Motivation III
  • Current practice:
Introducing ...
  • Netdude — NETwork DUmp Data Editor
  • Framework for packet inspection and manipulation
  • Multiple usage paradigms: GUI + command line
  • Scales to arbitrary trace sizes
  • Reusable at all levels
  • Extensible
libpcapnav
  • Enables random packet access
  • Jump to arbitrary timestamps and fractional offsets
  • Thin wrapper around pcap
  • Based on Vern Paxson’s tcpslice tool
    • Uses heuristics to get in sync with packet stream
  • Slightly more robust algorithm
    • Harder to fool
    • Tolerates packets not in temporal order
  • Nasty accidental test case: trace of NFS-copied trace
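The two libpcapnav ideas above, resynchronising with the packet stream after landing at an arbitrary byte offset and then using that to jump to a timestamp, are shown below in a constructed Python example. This is added illustration, not libpcapnav's or tcpslice's own code; the plausibility window (`TS_LO`/`TS_HI`), the chain length of three confirmed headers, the `max_skew` tolerance for out-of-order packets and the six-packet trace are all assumptions chosen for the demo. The trace deliberately contains a packet whose timestamp steps backwards, which a strict monotonicity check would reject.

```python
"""Resynchronising with a pcap record stream and seeking by timestamp (constructed example)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR_LEN = 24   # pcap file header
REC_HDR_LEN = 16      # per-record header: ts_sec, ts_usec, caplen, wirelen


def build_trace(packets, snaplen=65535):
    """Serialise (ts_sec, ts_usec, payload) tuples into a little-endian pcap buffer."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)]
    for ts_sec, ts_usec, payload in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


def plausible_header(buf, off, snaplen, ts_lo, ts_hi):
    """Return (ts_sec, ts_usec, caplen) if the 16 bytes at off look like a record header."""
    if off < 0 or off + REC_HDR_LEN > len(buf):
        return None
    ts_sec, ts_usec, caplen, wirelen = struct.unpack_from("<IIII", buf, off)
    if not ts_lo <= ts_sec <= ts_hi or ts_usec >= 1_000_000:
        return None
    if caplen == 0 or caplen > snaplen or caplen > wirelen:
        return None
    if off + REC_HDR_LEN + caplen > len(buf):
        return None
    return ts_sec, ts_usec, caplen


def find_sync(buf, start, snaplen, ts_lo, ts_hi, chain=3, max_skew=3600.0):
    """Smallest offset >= start at which `chain` consecutive plausible headers link up.

    A header is still accepted if its timestamp steps back by up to max_skew
    seconds relative to the previous one, so slightly out-of-order packets do
    not break synchronisation. Hitting the exact end of the buffer also counts
    as confirmation, so the last few records of a trace can be found.
    """
    for off in range(max(start, GLOBAL_HDR_LEN), len(buf) - REC_HDR_LEN + 1):
        pos, prev_ts, confirmed = off, None, 0
        while confirmed < chain:
            hdr = plausible_header(buf, pos, snaplen, ts_lo, ts_hi)
            if hdr is None:
                break
            ts = hdr[0] + hdr[1] / 1e6
            if prev_ts is not None and ts < prev_ts - max_skew:
                break
            prev_ts, confirmed = ts, confirmed + 1
            pos += REC_HDR_LEN + hdr[2]
            if pos == len(buf):
                confirmed = chain
        if confirmed >= chain:
            return off
    return None


def seek_timestamp(buf, snaplen, ts_lo, ts_hi, target):
    """Offset of the first record with timestamp >= target: binary search over
    byte offsets, resynchronising at every probe (assumes monotone timestamps)."""
    lo, hi = GLOBAL_HDR_LEN, len(buf)
    while lo < hi:
        mid = (lo + hi) // 2
        off = find_sync(buf, mid, snaplen, ts_lo, ts_hi)
        if off is None:            # nothing readable at or after mid
            hi = mid
            continue
        ts_sec, ts_usec, caplen = plausible_header(buf, off, snaplen, ts_lo, ts_hi)
        if ts_sec + ts_usec / 1e6 >= target:
            hi = mid
        else:
            lo = off + REC_HDR_LEN + caplen   # this record is too early; skip past it
    return find_sync(buf, lo, snaplen, ts_lo, ts_hi)


SNAPLEN = 65535
# Constructed trace: six 20-byte packets (32 bytes per record); the fourth one
# is out of temporal order. 0xff payloads never parse as in-window timestamps.
TRACE = build_trace([(1000, 0, b"\xff" * 20), (1001, 0, b"\xff" * 20),
                     (1002, 0, b"\xff" * 20), (1001, 0, b"\xff" * 20),
                     (1005, 0, b"\xff" * 20), (1006, 0, b"\xff" * 20)], SNAPLEN)
TS_LO, TS_HI = 900, 2000   # assumed plausibility window (normally taken from trace start/end)


def demo():
    """Resync from byte 100 (inside the third record) and seek to timestamp 1005."""
    resync = find_sync(TRACE, 100, SNAPLEN, TS_LO, TS_HI)      # next record starts at 132
    seek = seek_timestamp(TRACE, SNAPLEN, TS_LO, TS_HI, 1005)  # record with ts 1005 at 168
    return resync, seek
```

The plausibility window matters: without it, runs of payload bytes that happen to decode as a small caplen and a tiny timestamp would be accepted, and a fractional-offset seek would stop on garbage. Requiring several chained headers is what makes the heuristic hard to fool by chance.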
libnetdude
  • Packet manipulation back-end
  • Transparent handling of arbitrarily large traces
  • High-level data types
  • Extensible through plugin mechanism
    • connection tables, flow demuxer, flow reassembly, TCP connection filter, importers/exporters,...
  • Structured packet content: easy header access, protocol plugins provide the knowledge
  • Provides per-packet tcpdump output
  • Observer/observee API to be informed of updates
Handling big trace files
  • Always limit the number of packets in memory
  • Can’t just mmap() if you want to insert/delete
  • Edit at granularity of trace areas — libpcapnav helps
  • Modified trace areas become layered trace parts

[Figure: a trace drawn as a sequence of packets 1, 2, 3, ..., n-1, n, partitioned into trace areas (Area 1, Area 2, Area 3)]
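The slide's four points, bounded memory, no plain mmap() once records can be inserted or deleted, edits at area granularity, and modified areas kept as layered parts, are put together in the constructed Python example below. It is an added illustration, not libnetdude's code: the `AreaTrace` class, the fixed number of packets per area, the `peak_loaded` counter and the ten-packet input file are all assumptions made for the demo. One area holds a string to rewrite (a stand-in for anonymisation), another loses a packet, which shifts every later byte offset and is exactly why a memory-mapped file cannot be edited in place.

```python
"""Area-granular editing of a pcap file with bounded memory (constructed example)."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16


def write_global_header(fh, snaplen=65535):
    fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1))


def write_record(fh, ts_sec, ts_usec, payload):
    fh.write(struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)))
    fh.write(payload)


def read_record(fh):
    """Read one record at the current file position; None at end of file."""
    hdr = fh.read(REC_HDR_LEN)
    if len(hdr) < REC_HDR_LEN:
        return None
    ts_sec, ts_usec, caplen, _ = struct.unpack("<IIII", hdr)
    return ts_sec, ts_usec, fh.read(caplen)


class AreaTrace:
    """A pcap file split into fixed-size areas; edited areas live as layered parts."""

    def __init__(self, path, packets_per_area):
        self.path = path
        self.packets_per_area = packets_per_area
        self.areas = []        # (byte offset, byte length) of each on-disk area
        self.layers = {}       # area index -> replacement packet list (modified part)
        self.peak_loaded = 0   # most packets held in memory at once, to show the bound
        self._index()

    def _index(self):
        """One streaming pass that records where each area starts and ends."""
        with open(self.path, "rb") as fh:
            fh.seek(GLOBAL_HDR_LEN)
            start, count = fh.tell(), 0
            while read_record(fh) is not None:
                count += 1
                if count == self.packets_per_area:
                    self.areas.append((start, fh.tell() - start))
                    start, count = fh.tell(), 0
            if count:
                self.areas.append((start, fh.tell() - start))

    def load_area(self, idx):
        """Materialise one area's packets: from its layer if edited, else from disk."""
        if idx in self.layers:
            return list(self.layers[idx])
        off, length = self.areas[idx]
        packets = []
        with open(self.path, "rb") as fh:
            fh.seek(off)
            while fh.tell() < off + length:
                packets.append(read_record(fh))
        self.peak_loaded = max(self.peak_loaded, len(packets))
        return packets

    def edit_area(self, idx, fn):
        """Apply fn(packets) -> packets to one area; the result becomes a layered part."""
        self.layers[idx] = fn(self.load_area(idx))

    def save(self, out_path):
        """Copy untouched areas byte-for-byte; serialise edited areas from their layers."""
        with open(self.path, "rb") as src, open(out_path, "wb") as dst:
            dst.write(src.read(GLOBAL_HDR_LEN))
            for idx, (off, length) in enumerate(self.areas):
                if idx in self.layers:
                    for ts_sec, ts_usec, payload in self.layers[idx]:
                        write_record(dst, ts_sec, ts_usec, payload)
                else:
                    src.seek(off)
                    dst.write(src.read(length))


def demo():
    """Build a 10-packet trace, rewrite a name in area 1 and drop a packet from area 2."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "in.pcap"), os.path.join(tmp, "out.pcap")
    with open(src, "wb") as fh:
        write_global_header(fh)
        for i in range(10):                      # constructed packets: opaque 16-byte payloads
            write_record(fh, 1000 + i, 0, b"pkt%02d-user=alice" % i)
    trace = AreaTrace(src, packets_per_area=4)   # areas: packets 0-3, 4-7, 8-9
    trace.edit_area(1, lambda pk: [(s, u, p.replace(b"alice", b"xxxxx")) for s, u, p in pk])
    trace.edit_area(2, lambda pk: pk[1:])        # delete packet 8; later offsets all shift
    trace.save(dst)
    out = []
    with open(dst, "rb") as fh:
        fh.seek(GLOBAL_HDR_LEN)
        while True:
            rec = read_record(fh)
            if rec is None:
                break
            out.append(rec)
    return trace, out
```

Only one area is ever in memory at a time, so the bound is `packets_per_area` regardless of trace size; a real implementation would use libpcapnav-style resynchronisation rather than a full indexing pass to find area boundaries, and would evict layers to temporary files once they grow large.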
Netdude GUI
  • GTK-based front-end to libnetdude (sorry Matthias :-)
  • Extensible through protocol and feature plugins
    • Protocol plugins visualize header content
    • Feature plugins can essentially do anything
  • Uses libnetdude’s observer API to update GUI
Demo
  • Fingers crossed, please.
Experience
  • Fine-grained header field modifications:
    • M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 9th USENIX Security Symposium, 2001
  • Large-scale filtering and reassembly:
    • A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, PAM Workshop, 2003
  • Fine-grained payload editing:
    • C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003
Future Work

[Figure: "Progress Chart" plot; axes labelled "Visual interpretation" and "Perceived length (normalized)", scale 0 to 1]

  • Seriously, lots to do:
    • Packet resizing
    • Less coding
    • Scriptability
  • Help me out!
Don’t get me wrong ...
  • Well, mostly :-)
Summary
  • Framework for packet trace manipulation
  • Can handle traces of arbitrary size
  • Multiple usage paradigms: GUI + command line
  • Reusable at all levels
    • libpcapnav for navigation
    • libnetdude for packet mangling
    • Netdude GUI for visualization
  • Extensible through protocol and feature plugins
Thanks!
  • Shoutouts to all contributors!
  • Debian packagers needed ...
  • Questions?

http://netdude.sf.net
