ITIS 6167/8167: Network and Information Security. Project 1: Packet analyzer

Transcription

1 ITIS 6167/8167: Network and Information Security Overview Project 1: Packet analyzer Due: 6:29pm, March 15 th, 2012 Most of the ethernet frames that you will find in an ethernet are either ARP or IP packets. ARP (Address Resolution Protocol) is a protocol that is used to obtain mappings from IP addresses to hardware addresses. IP packets are the basic transfer unit on the TCP/IP internet. The ethernet type field in the ethernet frame is used to distinguish what kind of packet (ARP or IP) is encapsulated in the ethernet frame data area. Here are some assigned values for the ethernet type field: /* Some Assigned Ethernet Type Numbers */ #define EPT_IP 0x0800 /* type: Internet Protocol */ #define EPT_ARP 0x0806 /* type: ARP */ ICMP, UDP, and TCP are protocols that run on top of IP. This means that packets that belong to these protocols are encapsulated in the data section of IP packets. The ip_proto field in the IP header specifies the encapsulated protocol. Here are some assigned protocol numbers that you will find in the ip_proto field: /* Some Assigned Protocol Numbers */ #define IPT_ICMP 1 /* protocol type for ICMP packets */ #define IPT_TCP 6 /* protocol type for TCP packets */ #define IPT_UDP 17 /* protocol type for UDP packets */ ARP packets are encapsulated directly on the ethernet frame data area. Writing the analyze Command In this lab you will write a program analyze to decode IP, ICMP, UDP, TCP, and ARP datagrams. We do not have specific requirement on the programming language. The final deliverable is an executable function analyze. When we execute it, we will provide a file that contains a single Ethernet packet that we capture from the nextwork. % analyze filename analyze will print the different headers of the captured packet in the file filename in the following way: 1. It will print the ethernet header in the way indicated below. 2. If the ethernet frame contains an IP packet, then it prints the IP header, (the format of the output is described below). 1

2 1. If the IP packet encapsulates an ICMP packet, then it prints the ICMP header. 2. If the IP packet encapsulates an UDP packet, then it prints the UDP header and a few data bytes. 3. If the IP packet encapsulates a TCP header, then it prints the TCP header and a few data bytes. 3. If the ethernet frame contains an ARP packet, it prints the ARP header. The files ether.h, ip.h, arp.h, tcp.h, udp.h, and icmp.h include the structures that represent the headers for the packets for the different protocols. You do not have to use these herder files. They are just for your references. You will find also some example packets that you can use to test your program. When printing the TCP or UDP port numbers, also print the service the port is related to if any. For example, port 23/TCP is related to TELNET etc. You are only required to print the services related to the following services; on TCP: telnet, ftp, nfs, and http. on UDP: nfs. To find out what are the ports that correspond to these services, see the list of registered port numbers of the Internet Assigned Numbers Authority at Implementation Details The following description assumes that you are using standard C/C++ to implement the project. If you are using Java or other language, please design the program structure appropriately. Declare a local array (unsigned character buffer) with size 1518 bytes. Read the file and put the packet into the array. To decode the different fields first declare a pointer to an ethernet header and assign to it the beginning of the buffer. Do the same for IP and other encapsulated packets. main() {... unsigned char buffer[1518]; /* For the packet in the file */ Read in the frame; /* Decode ethernet header */ /* * Print ethernet header. * Print out the Ethernet source and destination addresses. */ /* * Windows and Unix machines handle the order of bytes differently. * It will be easier if you handle the data byte by byte. 2

3 */ printf("ethertype = %04x, the Ether type); /* Demultiplex ethernet type */ if ( the Ether type == EPT_IP ) { /* This is an IP packet. Decode IP header */ } /* print ip header fields */ Integer fields in the IP datagram that are longer than one byte must be converted from network byte order to host byte order. Example of output Ether Header Packet size = 210 bytes Destination = 8:0:20:1:3d:94, Source = 8:0:69:1:5f:e, Ethertype = 0800 (IP) IP Header Version = 4, header length = 20 bytes Type of service = = routine = normal delay = normal throughput = normal reliability Total length = 196 bytes Identification Flags = 0X = may fragment = more fragments Fragment offset = 0 bytes Time to live = 255 seconds/hops Protocol = 17 (UDP) Header checksum = 18DC Source address = , Destination address = , UDP: UDP Header UDP: UDP: Source port = 1023 UDP: Destination port = 2049 UDP: Length = 176 UDP: Checksum = 0 UDP: UDP: Data: First 64 bytes 3

4 ----- Ether Header Packet size = 210 bytes Destination = 0:c0:4f:79:ed:a2, Source = 0:0:c:b:47:64, Ethertype = 0800 (IP) IP Header Version = 4 Header length = 20 bytes Type of service = 0x00 xxx.... = 0 (precedence) = normal delay = normal throughput = normal reliability Total length = 196 bytes Identification = Flags = 0x = do not fragment = last fragment Fragment offset = 0 bytes Time to live = 254 seconds/hops Protocol = 6 (TCP) Header checksum = 4b14 Source address = Destination address = No options TCP: TCP Header TCP: TCP: Source port = TCP: Destination port = 23 (TELNET) TCP: Sequence number = TCP: Acknowledgement number = TCP: Data offset = 20 bytes TCP: Flags = 0x10 TCP: = No urgent pointer TCP: = Acknowledgement TCP: = No push TCP: = No reset TCP: = No Syn TCP: = No Fin TCP: Window = 8760 TCP: Checksum = 0x8080 TCP: Urgent pointer = 0 TCP: No options TCP: Data: (first 64 bytes) TCP: fffa dff f0ff fa TCP: 0d0a 0d0a e4f e 360d 0a0d TCP: e4f e 360d 0a0d TCP: fffb 01ff fd01 6c6f e3a 200d 0a0d TCP: 4

5 ----- Ether Header Packet size = 60 bytes Destination = ff:ff:ff:ff:ff:ff, (broadcast) Source = 0:aa:0:a2:ec:fa, Intel Ethertype = 0806 (ARP) ARP: ARP/RARP Frame ARP: ARP: Hardware type = 1 ARP: Protocol type = 0800 (IP) ARP: Length of hardware address = 6 bytes ARP: Length of protocol address = 4 bytes ARP: Opcode 1 (ARP Request) ARP: Sender's hardware address = 0:aa:0:a2:ec:fa ARP: Sender's protocol address = ARP: Target hardware address =? ARP: Target protocol address = ARP: Ether Header Packet size = 98 bytes Destination = 0:c0:4f:79:ed:af, Source = 0:0:c:b:47:64, Cisco Ethertype = 0800 (IP) IP Header Version = 4 Header length = 20 bytes Type of service = 0x00 xxx.... = 0 (precedence) = normal delay = normal throughput = normal reliability Total length = 84 bytes Identification = Flags = 0x = do not fragment = last fragment Fragment offset = 0 bytes Time to live = 254 seconds/hops Protocol = 1 (ICMP) Header checksum = 69e3 Source address = Destination address = No options ICMP: ICMP Header ICMP: ICMP: Type = 8 (Echo request) ICMP: Code = 0 ICMP: Checksum = 8dfd ICMP: 5

6 Q: What programming environment should I use? A: It does not matter. There are several things that I can recommend though. Both Eclipse and NetBeans support both C/C++ and Java. So you can download one of them and use it. If you are an old style Unix guy, Cygwin on Windows can be used. 6