Posts: 2,051
Threads: 1,405
Joined: Jun 2011
[attachment=15207]
Introduction
The use of computers has rapidly increased in the last few decades. Computers can now exchange large volumes of information very fast. Coupled with this has been the exponential growth of the Internet, The Internet in all its various forms (the World Wide Web, email, chatrooms and many others) has opened up a whole new world to millions of us. Unfortunately, criminals have been just as quick to exploit its possibilities. They are increasingly relying on the net for communication and exchange of information pertaining to unlawful activity. Consequently the ability of law enforcement agencies to conduct lawful monitoring of the data flowing across the net can help detect and prevent crime. Such monitoring tools, therefore, have an important role in intelligence gathering. Companies can also use such tools to safe¬guard their information repositories and research efforts, in addition to preventing abuse of network facilities by employees. Thus there is a pressing need to monitor, detect and analyze undesirable network traffic.
However, the monitoring, detecting, and analysis of this traffic may be opposed to the goals of maintaining the privacy of individuals whose network communications are being monitored, PickPacket is a network monitoring tool that can address the conflicting issues of network monitoring and privacy through its judicious use. This tool has been developed as a part of the research project sponsored by the Ministry of Communication and Information Technology, New Delhi, The basic framework for this tool and design and implementation of application layer filter for Simple Mail
Transfer Protocol (SMTP) [11] and Telnet [18] has been discussed in Reference [10], The design and implementation of application layer filter for Hyper Text Transfer Protocol (HTTP) [6] and File Transfer Protocol (FTP) [19] has been discussed in Reference [15], The design and implementation of text string search in MIME- Encoded data has also been discussed in Reference [1], This thesis discusses the design and implementation of application layer filter for the Remote Authentication Dial In User Service (RADIUS) Protocol [24, 22, 23],
1.1 Sniffers
The word "sniffer" is a registered trademark of Network Associates referring to the "Sniffer® Network Analyzer", a product introduced by them in 1988, The term 'sniffer' is more popular in everyday usage than alternatives like "protocol analyzer" or "network analyzer". Sniffers can be used both for legitimate network management functions and for stealing information off a network. Recently, sniffers have also found use with law enforcement agencies for gathering intelligence and helping in crime prevention and detection.
The primary mechanism of sniffing in ethernet is by putting the ethernet hard¬ware into "promiscuous mode", Ethernet was built around a "shared" principle: all machines on a local network share the same wire. This implies that all machines are able to "see" all the traffic on the same wire, Ethernet card (the standard network interface card) is hard-wired with a particular MAC address and is always listening for packets on its interface. When it sees a packet whose MAC address matches either its own address or the page link layer broadcast address (i.e., FF:FF:FF:FF:FF:FF for Ethernet) it starts reading it into memory. It rejects all packets whose destina¬tion MAC addresses are different from that of the card. But, it is possible to turn off this filtering mechanism of the card and collect all the frames flowing through the network, independent of their MAC address. This is known as putting the card into promiscuous mode. Sniffers put the network card in promiscuous mode,
A simple sniffer that just captures all the data flowing across the network and dumps it to the disk soon fills up the entire disk especially if placed on busy segments of the network. Analysis of this data for different protocols and connections takes considerable time and resources. The privacy of individuals who are accessing and dispensing data which is not of user's interest is also compromised as all packets are being captured. It is therefore necessary to filter, on-line, the data gathered by the "promiscuous" network adapter.
There are three levels of filtering that can be applied on packets flowing across the network. The first level of filtering is based upon network parameters like IP addresses, protocols and port numbers. This level of filtering is generally supported by the kernel also. With in-kernel filtering several packets are rejected by the kernel itself and the overhead of copying these packets to application address space is avoided. This speeds up the filtering process. The second level of filtering is based on criteria specific to an application such as email-ids for the SMTP, user names for RADIUS etc. Since there is no support in the kernel for handling these parameters a user level application handles such filtering. The third level of filtering is based on the content present in the application pay load. For instance it may be desired to search for the presence of a text string in an e-mail sent during a SMTP session. Such filtering also needs to be handled by the user level application.
Sniffers dump captured data onto disk directly without any processing of this data. As such, this dump is not human-readable. Sniffers therefore come bundled with their own post-capture analysis and processing tools which extract information from the dump and present it in a human-readable form. In addition to just present¬ing the sniffed data, packet analyzers can be configured to provide different kinds of functionality like alerting network administrators if something has gone amiss.
Several commercially and freely available sniffers exist currently. Sniffers come in different flavors and capabilities for different Operating Systems, Ethereal [5] and WinDump [3] are two such popular tools for Windows, On UNIX sniffers are generally based upon libpcap and/or BPF [13] (Berkeley Packet Filter), Two popular sniffer tools on Unix are tcpdump [9] and Ethereal [5], WinDump is a version of tcpdump for Windows that uses a libpcap-compatible library called WinCap,
Carnivore [25, 7, 8] is a tool developed by the FBI, It can be thought of as a tool with the sole purpose of directed surveillance. This tool can capture packets based on a wide range of applieation-laver level based criteria. It functions through wire¬taps across gateways and ISPs, Carnivore is also capable of monitoring dynamic IP address based networks. The capabilities of string searches in application-level content seems limited in this package. It can only capture email messages to and from a specific user's account and all network traffic to and from a specific user or IP address. It can also capture headers for various protocols,
1.2 PickPacket
PickPacket, the focus of this thesis and also discussed in Reference [10, 15, 1] is a monitoring tool similar to Carnivore, PickPacket can filter packets based on IP and TCP/UDP level criteria as well as application level criteria for several application level protocols such as FTP, HTTP, SMTP and Telnet, It also supports real-time searching for text string in application and packet content.
In this work, we have added support for the RADIUS protocol to PickPacket, RADIUS is a protocol that is commonly used to authenticate users dialing into a network. Such users are usually assigned IP addresses dynamically using the Dynamic Host Configuration Protocol (DHCP) [4], Adding RADIUS support to PickPacket allows monitoring of the aetivites of a user whose RADIUS login name is known,
1.3 Organization of the Report
This thesis focuses in detail on filtering RADIUS data packets and using information in these packets to track dialup users. Chapter 2 describes the high level design and architecture of PickPacket, Chapter 3 briefly discusses the RADIUS protocol. Chapter 4 describe the design and implementation of the RADIUS filter, the post¬processing details of the captured RADIUS packets and the user inteface provided for viewing RADIUS packets information. Chapter 5 describes the setup used for testing the filter. The final chapter concludes the thesis with suggestions for further work.
