Design and Implementation of a Network Monitoring Tool
Introduction
The use of computers has rapidly increased in the last few decades. Coupled with this has been the exponential growth of the Internet. Computers can now exchange large volumes of information. This has resulted in an ever-increasing need for effective tools that can monitor the network.
Such monitoring tools help network administrators in evaluating and diagnosing performance problems with servers, the network wire, hubs and applications. Since machines cannot distinguish personalities and content, they can also be used for communication and exchange of information pertaining to unlawful activity. This is why law enforcement agencies have shown increased interest in network monitoring tools. It is felt that careful and judicious monitoring of data flowing across the net can help detect and prevent crime. Such monitoring tools, therefore, have an important role in intelligence gathering. Companies that want to safeguard their recent developments and research from falling into the hands of their competitors also resort to intelligence gathering. Thus there is a pressing need to monitor, detect and analyze undesirable network traffic.
However, the monitoring, detecting, and analysis of this traffic may be opposed to the goals of maintaining the privacy of individuals whose network communications are being monitored. This thesis describes PickPacket - a Network Monitoring Tool - that can address the conflicting issues of network monitoring and privacy through its judicious use. This tool was developed as a part of a research project sponsored by the Ministry of Communications and Information Technology, New Delhi. The basic framework for this tool has also been discussed in Reference [23].
1.1 Sniffers
Network monitoring tools are also called sniffers. Network sniffers are named after a product called Sniffer Network Analyzer introduced in 1988 by Network General Corporation (now Network Associates Incorporated) who have also trademarked the word sniffer. However, this word continues to be in popular use for lack of other convenient synonyms.
Several tools exist that can monitor network traffic. Usually such tools will put the network card of a computer into the promiscuous mode. This enables the computer to listen to the entire traffic on that section of the network. There can be an additional level of filtering of these packets based on the IP related header data present in the packet. Usually such filtering specifies simple criteria for the IP addresses and ports present in the packet. Filtered packets are written on to the disk. Post capture analysis is done on these packets to gather the required information from these packets.
However, this simplistic model of packet sniffing and filtering has its drawbacks. First, as only a minimal amount of filtering of packets received is carried out, the amount of data for post processing becomes enormous. Second, no filtering is done on the basis of the content of the packet payload. Third, as the entire data is dumped to the disk the privacy of innocent individuals who may be communicating during the time of monitoring the network may be violated. This motivates the design and implementation of PickPacket.
1.2 PickPacket
The purpose of PickPacket, like the simple filter discussed above, is to monitor network traffic and to copy only selected packets for further analysis. However, the scope and complexity of criteria that can be specified for selecting packets is greatly increased. The criteria for selecting packets can be specified at several layers of the protocol stack. Thus there can be criteria for the Network Layer - IP addresses, Transport Layer - Port numbers and Application Layer - Application dependent such as file names, email ids, URLs, text string searches etc. The filtering component of this tool does not inject any packets onto the network. Once the packets have been selected based on these criteria they are dumped to permanent storage. A special provision has been made in the tool for two modes of capturing packets depending on the amount of granularity with which data has to be captured. These are the "PEN" mode and the "FULL" mode of operations. In the first mode it is only established that a packet corresponding to a particular criterion specified by the user was encountered and minimal information required for detailed investigation is captured. In the second mode the data of such a packet is also captured. Judiciously using these features can help protect the privacy of innocent users.
The packets dumped to the disk are analyzed in the off-line mode. Post dump analysis makes available to the investigator separate files for different connections. The tool provides a summary of all the connections and also provides an interface to view recorded traffic. This interface extensively uses existing software to render the captured data to the investigator. For instance, when rendering e-mail Outlook may be used through the interface provided. A GUI for generating the rules input to the filter is also provided.
1.3 Organization of the Report
This thesis focuses in detail on filtering data packets belonging to applications based on the File Transfer Protocol (FTP) [38] and the Hypertext Transfer Protocol (HTTP) [17]. Chapter 2 and Chapter 3 prepare the background that will help understand sniffers and PickPacket in general. Chapter 2 discusses sniffers in greater detail. Chapter 3 describes the high level design of PickPacket. Chapter 4 discusses the design and implementation details of filtering based on FTP and Chapter 5 discusses the same for HTTP. The rest of the thesis describes testing strategies. The final chapter concludes the thesis with suggestions for further work.
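
The multi-layer selection and the PEN/FULL capture modes described in section 1.2 can be sketched as follows. This is an added example, not PickPacket's code and not part of the original post: the rule format, the function names and the fields kept in a PEN record are assumptions, and the sample frames are constructed.

```python
import socket
import struct

# Hypothetical rule format (the excerpt does not show PickPacket's rule syntax).
RULES = [
    {"ip": "192.0.2.10", "port": 80, "text": b"report.pdf", "mode": "PEN"},
    {"ip": "192.0.2.20", "port": 21, "text": b"USER alice", "mode": "FULL"},
]

def parse_ipv4_tcp(frame):
    """Return (src, dst, sport, dport, payload) for Ethernet/IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6:        # IPv4 carrying TCP only
        return None
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]        # total length drops padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return None
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            sport, dport, tcp[doff:])

def select(frame, rules=RULES):
    """Apply network, transport and application criteria; None means discard."""
    parsed = parse_ipv4_tcp(frame)
    if parsed is None:
        return None
    src, dst, sport, dport, payload = parsed
    for rule in rules:
        if (rule["ip"] in (src, dst) and rule["port"] in (sport, dport)
                and rule["text"] in payload):
            rec = {"src": src, "dst": dst, "sport": sport, "dport": dport,
                   "mode": rule["mode"], "length": len(payload)}
            if rule["mode"] == "FULL":     # PEN keeps metadata only, never content
                rec["payload"] = payload
            return rec
    return None

def build_frame(src, dst, sport, dport, payload):
    """Constructed sample frame for offline testing (checksums left as zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp
```

The text match here is per packet, so a string split across two TCP segments is not seen; matching across segments needs per-connection state, which this sketch leaves out.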
Messages In This Thread
RE: Design and Implementation of a Network Monitoring Tool - by smart paper boy - 11-08-2011, 09:42 AM