Gigabit PickPacket: A Network Monitoring Tool for Gigabit Networks
#1


The extensive use of computers and networks for exchange of information has also had ramifications on the growth and spread of crime through their use. Law enforcement agencies need to keep up with the emerging trends in these areas for crime detection and prevention. Among the several needs of such agencies are the need to monitor, detect and analyze undesirable network traffic. However, the monitoring, detecting, and analysis of this traffic may be against the goal of maintaining privacy of individuals whose network communications are being monitored. Also, the bandwidth at network backbones and Internet Service Providers is increasing rapidly due to the increase in network usage. This increase in bandwidth imposes an additional requirement on Network Monitoring Tools to monitor traffic at very high speeds without losing any relevant information.

PickPacket is a network monitoring tool that can handle the conflicting issues of network monitoring and privacy through its judicious use. This thesis discusses the design and development of a network monitoring tool called Gigabit PickPacket, an enhanced version of PickPacket for monitoring network at Gigabit speed. This tool effectively uses the support of multiprocessor and/or multiple machines for monitoring traffic at very high speeds.
#2

Introduction
There has been a tremendous growth in the amount of information being transferred between computers with the advent of Internet. Internet has now become the major medium of communication for people all over the world. Unfortunately, criminals are just as quick to exploit new technologies as any other section of the people. They are increasingly relying on the Internet for communication and exchange of information pertaining to unlawful activity. Consequently law enforcement agencies need to monitor the data flowing across the net to detect and prevent such activities. Companies that want to safeguard their recent developments and research from falling into the hands of their competitors also resort to intelligence gathering. Monitoring tools are also useful in evaluating and diagnosing performance problems of servers and network components. Monitoring tools should, however, not compromise the privacy of individuals whose network communications are being monitored.
With the increase in use of computers and networks, the bandwidth at network backbones and Internet Service Providers is also increasing rapidly. For monitoring traffic at such busy segments of the network, there is a need for monitoring tools that can work at gigabit speeds without losing any relevant information. Such tools are also useful for monitoring Gigabit Ethernet LANs.
1.1 Sniffers
Network sniffers are software applications that are often bundled with hardware devices and are used for eavesdropping on network traffic. Sniffers usually provide some form of protocol-level analysis that allows them to decode the data flowing across the network according to the needs of the user. A sniffer may be used to understand and fix problems in network traffic or to detect abnormal activities, and unfortunately one may also be used by an attacker to steal critical information.
Sniffing on a LAN often means monitoring the traffic on the Ethernet. Ethernet was built around a shared principle: all machines on a local network share the same wire. An Ethernet card (the standard network adapter) is hard-wired with a particular MAC address and ignores all traffic not intended for that address. The primary mechanism of sniffing in Ethernet is by putting the Ethernet hardware into "promiscuous mode" that turns off the filtering mechanism of the hardware chip on the network adapter and causes it to collect all frames irrespective of the destination MAC address. In a switched network, all machines do not receive all the packets as the switch sends a packet on only one outgoing port depending on the destination MAC address of the packet. Most switches allow "port mirroring" where a port can be configured as a "monitor" or "span" port that will get a copy of some or all of the traffic going across the switch. These ports can be used by sniffers. Alternatively, Ethernet taps can be used that allow us to examine network traffic without causing any data stream interference.
The amount of information that flows across the network is very high. A simple sniffer that just captures all the data flowing across the network and dumps it to the disk soon fills up the entire disk if placed on a busy segment of the network. Analysis of this data for different protocols and connections also takes considerable time and resources. Moreover, it would be desirable to gather data so that the privacy of individuals who are accessing and dispensing data through the network is not compromised. It is therefore necessary to filter, on-line, the data gathered by the sniffer.
Current day sniffers often come coupled with a filter that can filter packets based on various criteria. Three levels of filtering can be applied on these packets. The first level of filtering is based upon network parameters like IP addresses, protocols and port numbers. This level of filtering is generally supported at the kernel level also. The second level of filtering is based on application specific criteria like email-id for SMTP, hostname for HTTP etc. The third level of filtering is based on the content present in the application payload. Sniffers also come bundled with their own post-capture analysis and processing tools which extract information from the dump and present it in a human-readable form.
Several commercially and freely available sniffers exist currently. Sniffers come in different flavors and capabilities for different Operating Systems. Ethereal [4] and WinDump [2] are two such popular tools for Windows. On UNIX sniffers are generally based upon libpcap and/or BPF [10] (Berkeley Packet Filter). Libpcap is a standard packet capture library used to store packets on the disk. Many commercial and free post-processing and rendering tools are available that can analyze the packets stored by sniffers in the pcap format. BPF is an in-kernel packet filter that filters packets based on a directed acyclic Control Flow Graph method. BPF uses an interpreter for executing the filter code that assumes a pseudo machine with simple functionality akin to assembly language. Two popular sniffer tools on Unix are tcpdump [7] and Ethereal [4]. Tcpdump is based on libpcap and BPF filters. WinDump is a version of tcpdump for Windows that uses a libpcap-compatible library called WinPcap.
Carnivore [5, 6, 14] is a network monitoring tool developed by the FBI. It can be thought of as a tool with the sole purpose of directed surveillance. This tool can capture packets based on a wide range of application-layer based criteria. It functions through wire-taps across gateways and ISPs. Carnivore is also capable of monitoring dynamic IP address based networks. The capabilities of string searches in application-level content seem limited in this package. It can only capture email messages to and from a specific user's account and all network traffic to and from a specific user or IP address. It can also capture headers for various protocols.
PickPacket is a network monitoring tool that can address the conflicting issues of network monitoring and privacy through its judicial use. This tool has been developed as a part of the research project sponsored by the Department of Information Technology, MCIT, New Delhi. The basic framework for this tool and design and implementation of application layer filter for Simple Mail Transfer Protocol (SMTP) and Telnet has been discussed in Reference [9]. The design and implementation of application layer filter for Hyper Text Transfer Protocol (HTTP) and File Transfer Protocol (FTP) has been discussed in Reference [12]. The design and implementation of text string search in MIME-Encoded data has been discussed in Reference [1]. The design and implementation of application layer filter for the Remote Authentication Dial In User Service (RADIUS) Protocol has been discussed in Reference
1.2 Need for Gigabit Sniffers
In the past few decades, use of computer networks for information exchange has increased rapidly. Also the number of users and the amount of information being transferred across the network have increased proportionately. With this surging demand for data, the bandwidth at the network backbones and Internet Service Providers has also increased. Bandwidth growth has been explosive in the Local area networks also, propelled by the availability and deployment of Gigabit Ethernet.
With this increase in bandwidth, a need for sniffers, that can monitor traffic at such high speeds, arises. A simple sniffer that captures all the data flowing across the network and dumps it to the disk soon fills up the entire disk especially if placed on a busy segment of the network. Moreover, it would be desirable to gather data flowing across the network so that the privacy of individuals who are accessing data through the network is not compromised. Thus it is necessary to filter on-line the data using various criteria. Filtering packets using complex criteria at very high speeds results in packet drops as packets arrive much faster at the interface card than they are handled by the sniffer. Once the buffers get filled, packets will be dropped at various levels starting from application to interface card. Thus there is a need for fast sniffers that can monitor traffic at high speeds based on complex set of criteria without dropping any packets.
Several commercial sniffers exist that claim to handle gigabit traffic. Sniffer Portable [15] by Network Associates and Unispeed Netlogger [17] are two such tools developed for Windows. Reference [3] describes ring sockets, that can be used to improve the passive packet capture performance in Linux. nProbe/nFlow [11] is recently released for Linux that uses the technology described in Reference [3] to handle near gigabit sniffing. It provides accounting and performance information of a network by storing samples of traffic information in a standard flow format. Sniffing at gigabit speed on Linux is still not a matured technology.
In this work we have developed Gigabit PickPacket, a new version of PickPacket that can effectively use multiprocessor machines, cluster of machines and their combination to monitor gigabit traffic. Instead of just providing performance and accounting information of a network, Gigabit PickPacket can reconstruct the whole connection of interest without sacrificing the features provided in the original PickPacket.
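
The three levels of filtering described in section 1.1, as an added example that is not part of the original post and is not PickPacket's code: each packet is tested against network parameters first, then an application-specific field, then payload content, and is discarded at the first level it fails. The `Criteria` shape, the function names and the sample packet are assumptions made for illustration, and the sketch treats each HTTP request as fitting in one TCP segment rather than reconstructing connections.

```python
import struct
from dataclasses import dataclass

@dataclass
class Criteria:      # hypothetical rule shape, not PickPacket's configuration format
    dst_port: int    # level 1: network parameter
    http_host: str   # level 2: application-specific field (HTTP hostname)
    keyword: bytes   # level 3: string searched for in the application payload

def build_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4+TCP packet (checksums left zero) as sample input."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

def parse_tcp(packet):
    """Return (dst_port, payload) for an IPv4/TCP packet, or None if malformed or not TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:
        return None
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    data_off = (packet[ihl + 12] >> 4) * 4    # TCP header length in bytes
    if data_off < 20 or len(packet) < ihl + data_off:
        return None
    return dport, packet[ihl + data_off:]

def http_host(payload):
    """Return the lower-cased Host header value of an HTTP request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None

def classify(packet, c):
    """Return 'keep', or 'drop@N' naming the first filtering level the packet failed."""
    parsed = parse_tcp(packet)
    if parsed is None or parsed[0] != c.dst_port:
        return "drop@1"                       # cheap header test, done before any payload work
    if http_host(parsed[1]) != c.http_host:
        return "drop@2"
    if c.keyword not in parsed[1]:
        return "drop@3"
    return "keep"

SAMPLE = build_packet("192.0.2.10", "198.51.100.7", 40000, 80,  # constructed sample
                      b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\nq=invoice")
```

`classify(SAMPLE, Criteria(80, "example.test", b"invoice"))` returns `"keep"`; ordering the tests from cheapest to most expensive means most traffic is discarded before its payload is ever inspected, which is also what keeps unrelated users' content out of the capture.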