Supporting Chat Protocols in PickPacket
#1


Internet media is quite popular for the electronic transfer of both business and personal information. But the same media can be and has been used for the spread of crime and unlawful activities. This demands the need for highly customizable network monitoring tools to capture suspected communications over the network and to analyze them later. However, electronic surveillance itself is against the rights of privacy, free speech and association. PickPacket is a network monitoring tool that can handle the conflicting issues of network monitoring and privacy through its judicious use. PickPacket has four components: Configuration File Generator for assisting the users in setting up the filtering parameters, Filter for capturing the packets in the network, Post-Processor for analysing the output files and Data Viewer for interactive rendering of the captured sessions.

The earlier version of PickPacket had support for four application protocols - SMTP, HTTP, FTP and Telnet. Chat protocols, by which a group of users form a network to communicate information among themselves, have gained popularity in the last few years. Active use of these protocols on the Internet motivated the need for support of chatting protocols in PickPacket. This thesis discusses the extension of PickPacket for two chatting protocols (IRC and Yahoo). The four components of PickPacket have been upgraded for the support of the new protocols. At the end, PickPacket was tested for correctness verification and performance measurement.
Reply
#2

Introduction
Usage of Internet for electronic transfer of both business and personal information is quite popular. As a result, Internet has become a key resource of information. But the same Internet can be and has been used by terrorists, criminals and others to communicate information about unlawful activities. This necessitates highly customizable network monitoring tools to capture suspected communications over the network and to analyze them later.
Companies too have to protect their intellectual property from falling into the hands of their competitors. Therefore, they resort to intelligence gathering over the network to check if any employee is sending such information illegally. Hence, there is a pressing need for development of tools that can monitor and detect undesirable communications over the network.
Monitoring tools perform their task by sniffing packets from the network and filtering them on the basis of user specified rules. The tools that provide the facility of specifying simple rules for filtering packets are called Packet filters. They use fixed offset packet information like IP addresses and port numbers for filtering. Tools that filter packets based on the complex rules and perform post-capture analysis of collected traffic are termed as Network monitoring tools. They understand applications, and can search through packet application data. The following section describes working of network monitoring tools in general and also mentions various commercial and non-commercial tools available publicly. However, electronic surveillance conflicts with the rights of privacy, free speech and association. Section 1.2 explains how PickPacket, a network monitoring tool, works and how it addresses the conflicting requirements of privacy preservation and intelligence gathering. Section 1.3 gives the motivation for providing support for Chat protocols in PickPacket. The last section deals with the organisational flow of this report.
1.1 Sniffers
Network monitoring tools are also called Sniffers. Network sniffers are named after a product called Sniffer Network Analyzer, introduced in 1988 by Network General Corporation (now Network Associates Incorporated). Network sniffers are software applications often bundled with hardware devices and are used for eavesdropping on the network. Akin to a telephone wire-tap that allows a person to listen in on another person's communication, a sniffing program lets someone listen in on other computer conversations.
Generally sniffers work by putting the ethernet hardware (the standard network adapter) into promiscuous mode. The chip in the ethernet card, that is meant to ignore all the traffic not intended to this hardware, gets disabled in the promiscuous mode. This enables ethernet, and the sniffer consequently, to listen to all packets on that section of the network.
A simple sniffer just writes all the packets in the network onto disk. These sniffers will immediately fill up the entire disk space, if placed on the traffic bound segment of the network. Analysis of such a large database consumes considerable amount of resources. Also, such sniffers dump data belonging to the untargeted users who happened to access and transfer data through the network during the sniffing time. This may violate the privacy of users. Considering the above two issues, currently available sniffers are coming with three levels of filtering mechanisms. The first level of filtering is based upon network parameters like IP addresses, protocols and port numbers present in the packet. This level of filtering is generally supported at the kernel level also. The second level of filtering is based on application specific criteria like email id for SMTP, hostname for HTTP etc. The third level of filtering is based on the content present in the application payload. Sniffers also come bundled with their own post-capture analysis and processing tools which extract meta information from the dump and present it in a user interactive manner.
Sniffers come in different flavors and capabilities for different Operating systems. WinDump [1] is a version of tcpdump [6] for Windows that uses WinPcap, a library compatible with libpcap. This tool can filter packets based on the rules formed using network parameters. Also, it allows to make some statistical analysis out of the captured packets. Ethereal [2] is a UNIX-based sniffer program that also runs on Windows. This tool has equal filtering capability as that of tcpdump. It provides graphical interface for viewing captured data. EtherPeek NX [3] gives ability to troubleshoot and monitor network traffic quickly and effectively. Network Associates Incorporated [9] have a range of sniffers including VOIP sniffers. Carnivore [13] is a network monitoring tool developed by FBI with the sole purpose of directed surveillance. This tool can capture packets based on wide range of application-layer based criteria along with text strings match criteria. Carnivore is also capable of monitoring dynamic-IP address based networks. A more detailed survey on the currently available sniffer products can be found in [10].
1.2 PickPacket
PickPacket is a network monitoring tool, developed at IIT Kanpur [10, 7]. Its functionality is similar to that of Carnivore. PickPacket is a passive tool in the sense that it neither injects any packet into the network nor delays any packet to its destination. It supports various levels of packet filtering mechanisms while sniffing the packets. It can capture packets based on the network level parameters like IP-addresses, port numbers and protocols. It also supports filtering rules that are specific to certain application-layer protocols like SMTP, FTP, HTTP and Telnet. For example, a user can configure the filter to capture mails from or to certain users in SMTP sessions. Once the packets have been found based on the filtering criteria they are written on to the disk storage.
PickPacket addresses the conflicting issues of privacy preservation and network monitoring in two ways. One, it has a rich set of configuration parameters which makes it easier to target very specific communication. Two, it provides two modes of packet capturing, "PEN" mode and "FULL" mode. In the "PEN" mode of operation, it only establishes occurrence of events based on the filtering criteria given, while in the "FULL" mode of operation it captures all the packets matching the criteria. Judiciously using these features can help in protecting the privacy of untargeted users.
PickPacket comprises four components. Configuration-File-Generator is a JAVA based user interface for specifying the values of filtering parameters. Filter is an online component which selects the connections based on the criteria specified in configuration file. PostProcessor is an offline post-capture analysis tool that extracts per application protocol metadata information from the output file generated by Filter component. DataViewer is a web-based application to render the metadata generated by PostProcessor in a user interactive manner.
1.3 Need for Chat protocols support in PickPacket
The aim of PickPacket is to concentrate on those application layer protocols which form significant portion of the Internet traffic and are used to communicate information among users. In this view, earlier implementation of PickPacket had support for four application protocols named FTP, HTTP, SMTP and Telnet.
Chat protocols, by which a group of users form a network to communicate information among themselves, have gained popularity in the last few years. Chat protocols are generally used to establish collaboration among geographically distributed development teams. Active use of these protocols on the Internet motivated the need for support of chatting protocols in PickPacket.
As a step towards giving support for chatting protocols in PickPacket, we have considered two most popular protocols named IRC and Yahoo messenger. Internet Relay Chat (IRC) was one of the first chat protocols, and quickly gained the status of being the most popular one on the net. Yahoo messenger is another popular chat protocol which is proprietary.
My contribution includes extension of PickPacket for two chatting protocols (IRC and Yahoo Messenger). All components of the PickPacket have been upgraded for the support of new protocols. PickPacket has been tested for correctness and performance measurement.
Reply
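
An added example, not part of the original post and not PickPacket's code: a sketch of the three filtering levels and the PEN/FULL distinction described in the post above, run over constructed IRC lines. The rule fields, the channel criterion and the reading of PEN mode as "record the event without the payload" are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample traffic (not real captures): source IP, destination port, payload line.
SAMPLE = [
    ("10.0.0.5", 6667, ":alice!a@host1 PRIVMSG #build :release notes attached"),
    ("10.0.0.5", 6667, ":alice!a@host1 PRIVMSG #lunch :pizza at noon?"),
    ("10.0.0.9", 6667, ":bob!b@host2 PRIVMSG #build :design doc is confidential"),
    ("10.0.0.9", 80, "GET /index.html HTTP/1.1"),
    ("192.168.1.7", 6667, ":carol!c@host3 PRIVMSG #build :confidential roadmap"),
]

# IRC message relayed by a server: ":nick!user@host PRIVMSG target :text"
IRC_PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

@dataclass
class Rule:              # hypothetical rule layout, not PickPacket's configuration format
    network: str         # level 1: source network in CIDR form
    port: int            # level 1: destination port
    channels: set        # level 2: IRC channels of interest (lowercase)
    keywords: list       # level 3: lowercase strings searched in the message text
    mode: str            # "PEN" records the event only, "FULL" keeps the text too

def run_filter(rule, sessions):
    net = ipaddress.ip_network(rule.network)
    hits = []
    for src, dport, line in sessions:
        # Level 1: fixed-offset network parameters.
        if ipaddress.ip_address(src) not in net or dport != rule.port:
            continue
        # Level 2: application-specific criteria (here, the IRC channel).
        m = IRC_PRIVMSG.match(line)
        if not m or m["target"].lower() not in rule.channels:
            continue
        # Level 3: content of the application payload.
        if not any(k in m["text"].lower() for k in rule.keywords):
            continue
        record = {"src": src, "nick": m["nick"], "target": m["target"]}
        if rule.mode == "FULL":
            record["text"] = m["text"]   # payload is stored only in FULL mode
        hits.append(record)
    return hits
```

With the same rule, switching `mode` from "PEN" to "FULL" changes only what is stored for a match, not which traffic matches; untargeted users are dropped at level 1 or 2 before any content is inspected.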
