Programming the Flowoid NetFlow v9 Exporter on Android



Similar documents
Ghost Process: a Sound Basis to Implement Process Duplication, Migration and Checkpoint/Restart in Linux Clusters

NetFlow, RMON and Cisco-NAM deployment

Introduction to Cisco IOS Flexible NetFlow

Configuring Flexible NetFlow

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

NetFlow/IPFIX Various Thoughts

PktFilter A Win32 service to control the IPv4 filtering driver of Windows 2000/XP/Server

Using Java to Teach Networking Concepts With a Programmable Network Sniffer

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

Generalised Socket Addresses for Unix Squeak

Computer Networks Practicum 2015

Configuring NetFlow Secure Event Logging (NSEL)

Interacting path systems for credit portfolios risk analysis

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

SSC - Communication and Networking Java Socket Programming (II)

StreamServe Persuasion SP4 Service Broker

Project 3, Fall 2001 Stateful Functionality in IP Layer Out: Thursday, November 1, 2001 Due: Tuesday, December 4, 2001

Performance Modeling of TCP/IP in a Wide-Area Network

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

Semester Thesis Traffic Monitoring in Sensor Networks

EE984 Laboratory Experiment 2: Protocol Analysis

Building a Multi-Threaded Web Server

The POSIX Socket API

A Monitoring and Visualization Tool and Its Application for a Network Enabled Server Platform

Question: 3 When using Application Intelligence, Server Time may be defined as.

Configuring NetFlow Secure Event Logging (NSEL)

Scalable Extraction, Aggregation, and Response to Network Intelligence

Firewall Implementation

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

The syslog-ng Premium Edition 5LTS

First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

his document discusses implementation of dynamic mobile network routing (DMNR) in the EN-4000.

Integrating VoltDB with Hadoop

SyncML Device Management

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

Chapter 3. Internet Applications and Network Programming

Transport Layer. Chapter 3.4. Think about

How do I get to

LogLogic Cisco NetFlow Log Configuration Guide

LogLogic Cisco NetFlow Log Configuration Guide

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

RMCS Installation Guide

Exam 1 Review Questions

Host Fingerprinting and Firewalking With hping

Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,

How to develop your own app

How To Monitor Network Traffic On A Cell Phone

Packet Sniffing with Wireshark and Tcpdump

3.5. cmsg Developer s Guide. Data Acquisition Group JEFFERSON LAB. Version

The syslog-ng Premium Edition 5F2

CIT 380: Securing Computer Systems

Secure use of iptables and connection tracking helpers

Cisco IOS Flexible NetFlow Command Reference

File Transfer And Access (FTP, TFTP, NFS) Chapter 25 By: Sang Oh Spencer Kam Atsuya Takagi

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek,

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

There are numerous ways to access monitors:

Packetizer Framework. Hannes Mehnert. GPN5, 10. Juli 2006, Karlsruhe

Spring Design ScreenShare Service SDK Instructions

From traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik

Flow Analysis Versus Packet Analysis. What Should You Choose?

Cisco IOS NetFlow Version 9 Flow-Record Format

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

Investigating Wired and Wireless Networks Using a Java-based Programmable Sniffer

Configuring Logging. Information About Logging CHAPTER

NetFlow v9 Export Format

Linux Networking Basics

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Transport Layer Protocols

Using TestLogServer for Web Security Troubleshooting

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

Mini-Challenge 3. Data Descriptions for Week 1

TCP Performance Management for Dummies

Configuring Health Monitoring

Innominate mguard Version 6

Voice over IP. Demonstration 1: VoIP Protocols. Network Environment

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Cisco Configuring Commonly Used IP ACLs

ERserver. iseries. TFTP server

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

TCP/IP Support Enhancements

and reporting Slavko Gajin

Solution of Exercise Sheet 5

Operating Systems Design 16. Networking: Sockets

Ethernet. Ethernet. Network Devices

Cisco IOS NetFlow Version 9 Flow-Record Format

Windows Quick Start Guide for syslog-ng Premium Edition 5 LTS

LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide

Certes Networks Layer 4 Encryption. Network Services Impact Test Results

Life of a Packet CS 640,

Transcription:

INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE Programming the Flowoid NetFlow v9 Exporter on Android Julien Vaubourg N 7003 April 2013 THÈME? apport technique ISSN 0249-0803

Programming the Flowoid NetFlow v9 Exporter on Android Julien Vaubourg Thème? (hors thème INRIA) Projet MADYNES Rapport technique n 7003 April 2013 12 pages Abstract: The RFC 3954 documents the NetFlow services export protocol Version 9. This project - associated to the Flowoid Projet - allows an Android program to listen the network traffic and send it to a remote NetFlow Collector using this standard. Thanks to an highly scalable design, any sort of template can be implemented and any kind of network can be exported as NetFlow. The data generator side uses the flexibility of Java (with the Android API) whereas the sniffer side uses the power of C (native code). This document explains how to configure the Exporter in order to export consistent information to the remote collector. Key-words: netflow, flowoid, network traffic, monitoring, security, android TELECOM Nancy (last year internship in MADYNES) Unité de recherche INRIA Lorraine LORIA, Technopôle de Nancy-Brabois, Campus scientifique, 615, rue du Jardin Botanique, BP 101, 54602 Villers-Lès-Nancy (France) Téléphone : +33 3 83 59 30 00 Télécopie : +33 3 83 27 83 19

Programmation de l exporteur NefFlow v9 du projet Flowoid sur Android Résumé : Ce document explique comment programmer l exporteur de NetFlow v9 sur Android : gestion des pilotes, définition des templates, génération des données et filtrage des paquets. Mots-clés : netflow, flowoid, trafic réseau, supervision, sécurité, android

Flowoid NetFlow v9 Exporter on Android 3 1 Design NetFlows are traveling between two sides: Exporter: Catches all network packets through Drivers (directly on the Android device), resumes network flows with the NetFlow format, generates some additional data to add into NetFlows and exports them to the remote Collector. Driver: Listens the traffic network on the Exporter side and transmits packets headers in live to the Exporter. Collector: On the other side (remote server), receives and treats NetFlows sent by the Exporter. In order to transmit NetFlows, an Exporter send one or more Export Packets to a remote Collector: Export Packet: Contains one or more Data FlowSets, and sometimes a Template FlowSet. Data FlowSet: Contains one or more Data Records. All of these are defined with the same Template Record and the Data FlowSet ID corresponds to the ID of this Template Record. Data Record: Contains one or more Data Fields. This kind of data corresponds to what is generally called a NetFlow. Data Field: Contains only one value (e.g. IP address, TCP port, timestamp). The Collector knows how parsing Export Packets because this one sends regularly a Template Flowset among the Data FlowSets: Template FlowSet: Contains one or more Template Records. inevitably zero. Template Record: Contains one or more Template Fields ordered. Its FlowSet ID is Template Field: Is defined with a Field Type Definition (i.e. an ID and a length in bytes). Field Type Definition: Described in RFC 3954 section 8. A Data Field associated with a Template Field should be interpreted by the remote Collector in the same manner as described in RFC. Some types have a fixed length. The Collector side needs to know all of the Field Type Definitions used by the Exporter especially if this one is out of standards. RT n 7003

4 Vaubourg 2 Environment and prerequisites Setting up your project: 1. The minimum SDK Version of your Android application must be at least 9. 2. Your device must be rooted. 3. Add madynes-flowoid-exporter.jar 1 to your Java Build Path. If you want to use the IP Driver, you could also add netutils-parse-v1.jar 2 for parsing headers. 4. Copy your Driver binary files 3 in your res/raw/ directory. 5. Your AndroidManifest file must contain at least these permissions: 1 <uses p e r m i s s i o n android : name= android. p e r m i s s i o n.access SUPERUSER /> 2 <uses p e r m i s s i o n android : name= android. p e r m i s s i o n.internet /> 3 <uses p e r m i s s i o n android : name= android. p e r m i s s i o n.read PHONE STATE /> 6. Create a new class extending ExporterService (e.g. Exporter.java): 1 import madynes. f l o w o i d. e x p o r t e r. ; 2 import madynes. f l o w o i d. e x p o r t e r. TemplateRecord. ; 3 import madynes. f l o w o i d. e x p o r t e r. TemplateField. InadequateLengthException ; 4 import madynes. f l o w o i d. e x p o r t e r. TemplateFlowSet. TemplateNotFoundException ; 5 6 public class Exporter extends E x p o r t e r S e r v i c e { 7 8 @Override 9 public void r e g i s t e r T e m p l a t e s ( ) throws AlreadyUsedIDException, InadequateIDException, InadequateLengthException { 10 11 } 12 13 @Override 14 public void p r o c e s s P a c k e t F i l t e r i n g ( byte [ ] headers ) throws TemplateNotFoundException { 15 16 } 17 18 @Override 19 public void onstart ( ) { 20 21 } 22 23 @Override 24 public void onstop ( ) { 1 TODO: Add web address 2 TODO: Add web address 3 TODO: Add web address INRIA

Flowoid NetFlow v9 Exporter on Android 5 25 26 } 27 } 7. In your AndroidManifest think to declare your Exporter Service (here your/package/- Exporter.java): 1 <s e r v i c e android : name= your. package. Exporter ></s e r v i c e > The next sections explain you how to implement your own Exporter. 3 Creating templates All templates are defined inside of the registertemplates() function. 1. Create all of the Template Fields you need, by creating TemplateField objects. The constructor needs an ID among those available in TemplateField.TypeDefinition.*. If the associated length is zero, you need to use the alternative constructor to specify a length in bytes. Example: TemplateField tcpportsrc = new TemplateField(TemplateField.TypeDefinition.L4 SRC PORT). 2. Create a new Template Record with your own ID. This one is unique and must be between 256 and 65535. Example: TemplateRecord ipv6tcptemplate = new TemplateRecord(257); 3. Add Template Fields to your Template Record with the addtemplatefield(templatefield) function. A same Template Field instance can be reused for many different Template Records. Example: ipv6tcptemplate.addtemplatefield(tcpportsrc); 4. Register your new Template Record with the registertemplaterecord(recordtemplate). Example: registertemplaterecord(ipv6tcptemplate); RT n 7003

6 Vaubourg 4 Defining how to fill your NetFlows Template Fields define how the data is represented and - for the standardized ones - what is it. Data Fields define how the value can be retrieved from the System. So each Template Field should have a corresponding Data Field. To create a Data Field, you have to add a new class extending DataField. Then you have to implement four functions: 1. oninit(byte[]): Called when a new NetFlow is created. The argument corresponds to the headers (depending of the Driver used) of the first packet received for this NetFlow. 2. onupdate(byte[]): Called when a packet is catching for an existent NetFlow. The argument corresponds to the new packet headers. 3. onexport(byte[]): Called just before the Export Packet is sent with this NetFlow (Data Record) inside. The argument corresponds to the last packet received. But if the Data Record was flagged ended (isended() condition met) it s the end packet. E.g. in the case of a TCP connection, if the record is ended it s the packet containing a FIN or RST flag. And not the least packet (final ACK). However in the case of an UDP connection, if the record is ended it s the least packet before the final time out. 4. getvalue(): Called when the Exporter creates the Export Packet. Please use the getbytebuffer() function to create a ByteBuffer. For instance, if this Data Field is associated to a Template Field with a length of 4 (bytes), you have to use the putint(int) function on your ByteBuffer before returning it. Example of implementation (FieldTCPPortSrc.java): 1 import java. nio. ByteBuffer ; 2 import edu. h u j i. c s. n e t u t i l s. p a r s e. TCPPacket ; 3 4 public class FieldTCPPortSrc extends DataField { 5 private short value ; 6 7 @Override 8 public void o n I n i t ( byte [ ] headers ) { 9 TCPPacket tcppacket = new TCPPacket ( headers ) ; 10 value = ( short ) tcppacket. getsourceport ( ) ; 11 } 12 13 @Override 14 public void onupdate ( byte [ ] headers ) {} 15 16 @Override 17 public void onexport ( byte [ ] headers ) {} 18 19 @Override INRIA

Flowoid NetFlow v9 Exporter on Android 7 20 public ByteBuffer getvalue ( ) { 21 ByteBuffer bytes = g e t B y t e B u f f e r ( ) ; 22 23 bytes. putshort ( value ) ; 24 25 return bytes ; 26 } 27 } 5 Condition to cut NetFlows A new NetFlow is created when the combination of these discriminant fields is not yet known. This point will be explained later in the section 6 page 7. Conditions to stop NetFlows are evaluated for every new packet. If conditions are met, the NetFlow is moved from the current NetFlows list to the Export Queue. So, for each Template Record you register, you have to create a Data Record extending the DataRecord class and override the isended(byte[]) function. The argument corresponds to the new packet headers added to the NetFlow. For instance (RecordTCP.java): 1 import madynes. f l o w o i d. e x p o r t e r. TemplateRecord ; 2 import edu. h u j i. c s. n e t u t i l s. p a r s e. TCPPacket ; 3 4 public class RecordTCP extends DataRecord { 5 6 public RecordTCP ( TemplateRecord template ) { 7 super ( template ) ; 8 } 9 10 @Override 11 public boolean isended ( byte [ ] headers ) { 12 TCPPacket tcppacket = new TCPPacket ( headers ) ; 13 14 return tcppacket. i s F i n ( ) tcppacket. i s R s t ( ) ; 15 } 16 17 } 6 Associating data with templates Your programming space for that is the processpacketfiltering(byte[]) function. 1. First choose a previously registred Template Record with a Template Record ID. RT n 7003

8 Vaubourg Example: TemplateRecord template = getregistredtemplaterecord(257); 2. Then create a Data Record with one of your previoulsy created class. Examples: record = new RecordTCP(template); 3. Associate Template Fields of your Data Record with Data Fields one by one. You must associate all of them and in the same order you added Template Fields in your Template Record. The boolean argument specify whether this Data Field is a part of the NetFlow Key (see below and the example section 7 page 8) or not. Example: record.associatetemplatewithdata(new FieldIPv6AddrSrc(), true); 4. Finally, request the packet processing with your record. Example: processpacket(record, headers); Your record - in fact only fields declared as NetFlow Key part - will be used to identify the NetFlow/record associated to the current packet. If the associated NetFlow/record already exists, the packet will be added to it. Otherwise your new record will be used as new NetFlow. 7 Filtering packets Every sniffed packet is sent to the processpacketfiltering(byte[]) packet. So before creating records, you have to parse and check headers. For instance: 1 @Override 2 public boolean p r o c e s s P a c k e t F i l t e r i n g ( byte [ ] headers ) throws TemplateNotFoundException { 3 LocationFinder l o c a t i o n F i n d e r = LocationFinder. g e t I n s t a n c e ( this ) ; 4 DataRecord r e c o r d = null ; 5 6 try { 7 // TCP / IPv6 8 i f ( EthernetFrame. s t a t I s I p v 6 P a c k e t ( headers ) 9 && IPFactory. istcppacket ( headers ) ) { 10 INRIA

Flowoid NetFlow v9 Exporter on Android 9 11 TemplateRecord template = getregistredtemplaterecord ( ipv6 tcp ) ; 12 r e c o r d = new RecordTCP ( template ) ; 13 14 // NetFlow Key Parts 15 r e c o r d. associatetemplatewithdata (new FieldIPv6AddrSrc ( ), true ) ; 16 r e c o r d. associatetemplatewithdata (new FieldIPv6AddrDst ( ), true ) ; 17 r e c o r d. associatetemplatewithdata (new FieldTCPPortSrc ( ), true ) ; 18 r e c o r d. associatetemplatewithdata (new FieldTCPPortDst ( ), true ) ; 19 20 // Others 21 r e c o r d. associatetemplatewithdata (new FieldIPv6Length ( ), f a l s e ) ; 22 } 23 24 // Other kind o f p a c k e t f o r o t h e r record t y p e 25 else i f (... ) { 26... 27 } 28 29 // Go! ( or not ) 30 i f ( r e c o r d!= null ) { 31 p r o c e s s P a c k e t ( record, headers ) ; 32 } 33 34 // Parser e r r o r 35 } catch (... ) { 36 return f a l s e ; 37 } 38 39 return true ; 40 } 8 New Driver Drivers are written in native code (C) in order to access to low functionnalities as sniffing network traffic. Your only constraint is sending every packet headers to the Java Exporter through a TCP socket (see section 9 page 10 to know the port) and creating templates on the Exporter side. You will need a Java parser for your headers. Put your sources in the jni/drivers/ directory and use the Makefile to build your Driver. This one will copy the binary in the res/raw/ directory. Then just after the Exporter Service starting, call Driver.useDriver with your Driver name resource and the network interface RT n 7003

10 Vaubourg to listen on. For instance: Driver.useDriver(this, R.raw.driver ip, "eth0");. Finaly just reinstall your Android application. 9 Preferences All of the below variables are available from your ExporterService implementation through classical getters and setters and you have to set them before using the Exporter Service: prefchecktoexportinterval: The Export Thread checks every N seconds if it can create and send an Export Packet. prefcollectoraddr: Collector address (IP address or hostname). prefcollectorport: UDP port to connect to for sending NetFlow to the remote Collector. prefdriversport: TCP port to listen on for receiving packets headers from drivers. prefcheckdriversinterval: The Drivers Thread checks every N seconds if all Drivers are still working and restarts them if necessary. prefmaxheaderssize: Max headers size in bytes authorized for a sniffed packet transmitted by a Driver. prefmaxnetflowstotrack: Max NetFlows/records to track simultaneous. prefminrecordsbyflowset: Don t send a FlowSet if there are less than N records into it. prefmaxexportpacketsize: In order to avoid fragmentation, cut Export Packets nearly N bytes. prefnetflowtimeout: After N seconds of life, a NetFlow/record is considered ended and is added to the Export Queue. This is useful for non-connected protocols (e.g. UDP) and long term connections (e.g. TCP streaming). prefpackettimeout: Even though prefminrecordsbyflowset is not reached, after N seconds, the Export Thread empties the Export Queue and sends an Export Packet. prefsendtemplateseverynpackets: Packet. Send the Template FlowSet every N Export preftimebeforenetflowend: Returns the life time remaining when a NetFlow is detected as ended. This is useful to catch the last ACK with a TCP three-way handshake avoiding to create a second NetFlow. INRIA

Flowoid NetFlow v9 Exporter on Android 11 10 Statistics All of the below getters are available from your ExporterService implementation: getstatactivenetflows(): Number of currently active NetFlows/records. getstatconnecteddrivers(): Number of currently connected Drivers. getstatexportednetflows(): Number of NetFlows/records sent from the Exporter to the Collector. getstatexportedpackets(): Number of Export Packets sent from the Exporter to the Collector. getstatfailedsniffedpackets(): Number of sniffed packets with which a parser error has occurred at the filtering step. getstatnetflowswaitingtobeexported(): Number of NetFlows/records currently waiting to be exported (Export Queue size). getstatrecognizedsniffedpackets(): Number of sniffed packets recognized by at least one parser at the filtering step. getstatrejectednetflows(): Number of NetFlows/record not created due to the prefmaxnetflowstotrack preference. getstatsniffedpackets(): Number of sniffed packets received by the Exporter from all Drivers. getstatunrecognizedsniffedpackets(): Number of sniffed packets unrecognized by any parser (statsniffedpackets - statrecognizedsniffedpackets - statfailedsniffedpackets). 11 Activity The minimal code for calling your Exporter is (with an IP driver, a network interface eth0 and your implementation Exporter.java): 1 import madynes. f l o w o i d. e x p o r t e r. E x p o r t e r S e r v i c e ; 2 3 public class MainActivity extends A c t i v i t y { 4 5 @Override 6 protected void oncreate ( Bundle s a v e d I n s t a n c e S t a t e ) { 7 super. oncreate ( s a v e d I n s t a n c e S t a t e ) ; 8 9 E x p o r t e r S e r v i c e. s t a r t ( this, Exporter. class ) ; 10 Driver. use ( this, R. raw. d r i v e r i p, eth0, tcp or udp ) ; 11 } RT n 7003

12 Vaubourg 12 } 13 14 The l a s t empty argument c o r r e s p o n d s to o p t i o n a l l i b c a p f i l t e r s. Contents 1 Design 3 2 Environment and prerequisites 4 3 Creating templates 5 4 Defining how to fill your NetFlows 6 5 Condition to cut NetFlows 7 6 Associating data with templates 7 7 Filtering packets 8 8 New Driver 9 9 Preferences 10 10 Statistics 11 11 Activity 11 INRIA

Unité de recherche INRIA Lorraine LORIA, Technopôle de Nancy-Brabois - Campus scientifique 615, rue du Jardin Botanique - BP 101-54602 Villers-lès-Nancy Cedex (France) Unité de recherche INRIA Rennes : IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex (France) Unité de recherche INRIA Rhône-Alpes : 655, avenue de l Europe - 38330 Montbonnot-St-Martin (France) Unité de recherche INRIA Rocquencourt : Domaine de Voluceau - Rocquencourt - BP 105-78153 Le Chesnay Cedex (France) Unité de recherche INRIA Sophia Antipolis : 2004, route des Lucioles - BP 93-06902 Sophia Antipolis Cedex (France) Éditeur INRIA - Domaine de Voluceau - Rocquencourt, BP 105-78153 Le Chesnay Cedex (France) http://www.inria.fr ISSN 0249-0803

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information