Christian Kreibich - PowerPoint PPT Presentation
Presentation Transcript

A Framework for Packet Trace Manipulation

Christian Kreibich

christian.kreibich@cl.cam.ac.uk


Motivation

  • Say you need to solve a problem that involves manipulating network traffic:

    • complex filtering (e.g. data analysis)

    • fine-grained editing (e.g. header field bitflips)

    • large-scale editing (e.g. anonymization)

    • visualization (e.g. behavioural analysis)

  • What do you do?


Motivation II

  • Find a tool that does it

    • where? does it build? maintained?

    • If so, lucky you!

  • Mhmm ... write your own.

    • Okay, pcap.

    • Now you typically need infrastructure:

      • data types conn.state tracking protocol header lookup

    • Lots of duplicated effort

    • Cut’n’paste is bad


Motivation III

  • Current practice:


Introducing ...

  • Netdude — NETwork DUmp Data Editor

  • Framework for packet inspection and manipulation

  • Multiple usage paradigms: GUI + command line

  • Scales to arbitrary trace sizes

  • Reusable at all levels

  • Extensible





libpcapnav

  • Enables random packet access

  • Jump to arbitrary timestamps and fractional offsets

  • Thin wrapper around pcap

  • Based on Vern Paxson’s tcpslice tool

    • Uses heuristics to get in sync with packet stream

  • Slightly more robust algorithm

    • Harder to fool

    • Tolerates packets not in temporal order

  • Nasty accidental test case: trace of NFS-copied trace
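The resynchronisation idea behind tcpslice and libpcapnav, as an added illustration (not code from either tool): seek to an arbitrary byte offset of a pcap file, then scan forward until a record header looks sane and chains into further sane headers. The timestamp window, snaplen and the constructed in-memory trace are assumptions of this example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                # magic number of the constructed little-endian trace
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, caplen, len
SNAPLEN = 96                            # assumed snaplen of the constructed trace

def build_trace(packets):
    """Constructed sample input: a pcap file in memory from (sec, usec, payload) tuples."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, 1))
    for sec, usec, payload in packets:
        out += PKT_HDR.pack(sec, usec, len(payload), len(payload)) + payload
    return bytes(out)

def header_plausible(buf, off, t_min, t_max):
    """Heuristic: could a pcap record header start at byte offset off?
    Only a timestamp window is required, not monotonic order, so traces whose
    packets are not in temporal order still sync."""
    if off + PKT_HDR.size > len(buf):
        return False
    sec, usec, caplen, wire = PKT_HDR.unpack_from(buf, off)
    return (t_min <= sec <= t_max and usec < 1_000_000
            and 0 < caplen <= SNAPLEN and caplen <= wire
            and off + PKT_HDR.size + caplen <= len(buf))

def sync_to_packet(buf, start, t_min, t_max, confirm=2):
    """Scan forward from an arbitrary offset until `confirm` consecutive plausible
    headers chain together (or the chain ends exactly at EOF); return the offset
    of the first packet found, or None if no packet boundary follows start."""
    off = max(start, GLOBAL_HDR.size)
    while off + PKT_HDR.size <= len(buf):
        cand, ok = off, 0
        for _ in range(confirm):
            if not header_plausible(buf, cand, t_min, t_max):
                break
            ok += 1
            cand += PKT_HDR.size + PKT_HDR.unpack_from(buf, cand)[2]
            if cand == len(buf):   # clean end of trace confirms the chain
                ok = confirm
                break
        if ok >= confirm:
            return off
        off += 1                   # not a header: slide one byte and retry
    return None
```

A single plausible header is a weak signal because payload bytes can look like one; requiring a chain of them is what makes the heuristic hard to fool.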



libnetdude

  • Packet manipulation back-end

  • Transparent handling of arbitrarily large traces

  • High-level data types

  • Extensible through plugin mechanism

    • connection tables, flow demuxer, flow reassembly, TCP connection filter, importers/exporters,...

  • Structured packet content: easy header access, protocol plugins provide the knowledge

  • Provides per-packet tcpdump output

  • Observer/observee API to be informed of updates


Handling big trace files

[Figure: the trace as a sequence of packets 1, 2, 3, ..., n-1, n, partitioned into Area 1, Area 2 and Area 3]

  • Always limit the number of packets in memory

  • Can’t just mmap() if you want to insert/delete

  • Edit at granularity of trace areas — libpcapnav helps

  • Modified trace areas become layered trace parts
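A small model of this scheme, added here as an illustration and not libnetdude's own code: the file is indexed into fixed-size areas in one pass, only one area is decoded at a time, and an edited area (which may insert or delete packets, so plain mmap() would not do) becomes an overlay that is spliced in at export while untouched areas are copied byte-for-byte. The pcap layout helpers, the area size and the constructed trace are assumptions of the example.

```python
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # pcap file header (little-endian)
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, caplen, len

def build_trace(packets, snaplen=96):
    """Constructed sample input: a pcap file in memory from (sec, usec, payload) tuples."""
    out = bytearray(GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for sec, usec, payload in packets:
        out += PKT_HDR.pack(sec, usec, len(payload), len(payload)) + payload
    return bytes(out)

def index_areas(buf, packets_per_area):
    """One sequential pass recording the (start, end) byte range of each area."""
    areas, start, off, count = [], GLOBAL_HDR.size, GLOBAL_HDR.size, 0
    while off < len(buf):
        off += PKT_HDR.size + PKT_HDR.unpack_from(buf, off)[2]
        count += 1
        if count == packets_per_area:
            areas.append((start, off))
            start, count = off, 0
    if count:
        areas.append((start, off))
    return areas

class LayeredTrace:
    """Original file bytes plus per-area overlays; only one area is decoded at a time."""
    def __init__(self, buf, packets_per_area=2):
        self.buf, self.overlay = buf, {}
        self.areas = index_areas(buf, packets_per_area)
    def load_area(self, i):
        """Decode area i into an editable list of (sec, usec, payload)."""
        start, end = self.areas[i]
        pkts, off = [], start
        while off < end:
            sec, usec, caplen, _ = PKT_HDR.unpack_from(self.buf, off)
            pkts.append((sec, usec, self.buf[off + PKT_HDR.size:off + PKT_HDR.size + caplen]))
            off += PKT_HDR.size + caplen
        return pkts
    def edit_area(self, i, fn):
        """fn maps area i's packet list to a new list (any length); it is layered over area i."""
        self.overlay[i] = fn(self.load_area(i))
    def export(self):
        """Untouched areas are copied raw; edited areas are re-encoded from their overlay."""
        out = bytearray(self.buf[:GLOBAL_HDR.size])
        for i, (start, end) in enumerate(self.areas):
            if i in self.overlay:
                for sec, usec, payload in self.overlay[i]:
                    out += PKT_HDR.pack(sec, usec, len(payload), len(payload)) + payload
            else:
                out += self.buf[start:end]
        return bytes(out)
```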



Netdude GUI

  • GTK-based front-end to libnetdude (sorry Matthias :-)

  • Extensible through protocol and feature plugins

    • Protocol plugins visualize header content

    • Feature plugins can essentially do anything

  • Uses libnetdude’s observer API to update GUI


Demo

  • Fingers crossed, please.


Experience
Experience

  • Fine-grained header field modifications:

    • M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 9th USENIX Security Symposium, 2001

  • Large-scale filtering and reassembly:

    • A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, PAM Workshop, 2003

  • Fine-grained payload editing:

    • C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003


Future Work

  • Seriously, lots to do:

    • Packet resizing

    • Less coding

    • Scriptability

  • Help me out!

[Figure: "Progress Graph", a joke plot of visual interpretation against perceived length (normalized), axes from 0 to 1]


Don’t get me wrong ...

  • Well, mostly :-)


Summary

  • Framework for packet trace manipulation

  • Can handle traces of arbitrary size

  • Multiple usage paradigms: GUI + command line

  • Reusable at all levels

    • libpcapnav for navigation

    • libnetdude for packet mangling

    • Netdude GUI for visualization

  • Extensible through protocol and feature plugins


Thanks!

  • Shoutouts to all contributors!

  • Debian packagers needed ...

  • Questions?

    http://netdude.sf.net

