Packetizer Framework. Hannes Mehnert. GPN5, 10. Juli 2006, Karlsruhe

Similar documents

Secure networking. Andreas Bogk Hannes Mehnert August 2, 2006

Figure 1. Wireshark Menu Bar

Customer Tips. Network Packet Analyzer Tips. for the user. Purpose. Introduction to Packet Capture. Xerox Multifunction Devices.

Network Security: Workshop

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Modern snoop lab lite version

Introduction to Network Security Lab 1 - Wireshark

Cisco Configuring Commonly Used IP ACLs

BASIC ANALYSIS OF TCP/IP NETWORKS

Introduction to IP v6

Packet Sniffing and Spoofing Lab

Network Layer IPv4. Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS. School of Computing, UNF

Configuring Flexible NetFlow

Packet Sniffers. * Windows and Linux - Wireshark

Lab VI Capturing and monitoring the network traffic

6. INTRODUCTION TO THE LABORATORY: SOFTWARE TOOLS

Install MS SQL Server 2012 Express Edition

NetFlow/IPFIX Various Thoughts

Lab - Observing DNS Resolution

Chapter 9. IP Secure

ni6 v1.3 manual pages

Internetworking. Problem: There is more than one network (heterogeneity & scale)

Ethereal: Getting Started

Network Packet Analysis and Scapy Introduction

Lab 1: Packet Sniffing and Wireshark

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Introduction to Network Security. Topics

NfSen Plugin Supporting The Virtual Network Monitoring

Monitoring Load-Balancing Services

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Large-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols

Programming the Flowoid NetFlow v9 Exporter on Android

Network Configuration Example

Lab - Using Wireshark to View Network Traffic

Firewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005

EITF25 Internet Techniques and Applications L5: Wide Area Networks (WAN) Stefan Höst

EE984 Laboratory Experiment 2: Protocol Analysis

How To Gather Log Files On A Pulse Secure Server On A Pc Or Ipad (For A Free Download) On A Network Or Ipa (For Free) On An Ipa Or Ipv (For An Ubuntu) On Your Pc

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Snoopy. Objective: Equipment Needed. Background. Procedure. Due Date: Nov 1 Points: 25 Points

Extracting a Print Capture From a Network Packet Capture Using Wireshark White Paper

IP Addressing. IP Addresses. Introductory material.

Guideline for setting up a functional VPN

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Analyzing SMB/SMB2 with Network Monitor 3. Storage Developer Conference Insert Copyright information here. All rights reserved.

Introduction to Network. Topics

Scapy. On-the-fly Packet Generation by Dienstag, 10. Januar 12

Network-Oriented Software Development. Course: CSc4360/CSc6360 Instructor: Dr. Beyah Sessions: M-W, 3:00 4:40pm Lecture 2

Ethernet. Ethernet. Network Devices

IP Filter/Firewall Setup

Introduction to Wireshark Network Analysis

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Personal Firewall Default Rules and Components

Administrator Guide. CA Multi-Port Monitor. Version 10.2

Linux Network Security

z/os V1R11 Communications Server system management and monitoring

Setting Up Scan to SMB on TaskALFA series MFP s.

Why use Scapy? Blue Team. Red Team. Test IDS/IPS Test Firewall Learn more about TCP/IP (down and dirty) Application response(fuzzing)

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

Network Connect Performance Logs on MAC OS

Mobile Routing. When a host moves, its point of attachment in the network changes. This is called a handoff.

VisuSniff: A Tool For The Visualization Of Network Traffic

Cisco Collaboration with Microsoft Interoperability

Network Traffic Evolution. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

Network Security TCP/IP Refresher

EXPLORER. TFT Filter CONFIGURATION

Configuring Class Maps and Policy Maps

NAT TCP SIP ALG Support

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Introduction to Passive Network Traffic Monitoring

IP Addressing Introductory material.

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Practical Network Forensics

Transport and Network Layer

Packet Monitor in SonicOS 5.8

Wireshark Tutorial. Figure 1: Packet sniffer structure

Exam 1 Review Questions

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

Firewall Design Principles Firewall Characteristics Types of Firewalls

Slide 1 Introduction cnds@napier 1 Lecture 6 (Network Layer)

Host Configuration (Linux)

Understanding Slow Start

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Network layer: Overview. Network layer functions IP Routing and forwarding

Lecture 15. IP address space managed by Internet Assigned Numbers Authority (IANA)

Computer Networks/DV2 Lab

Introduction. Interoperability & Tools Group. Existing Network Packet Capture Tools. Challenges for existing tools. Microsoft Message Analyzer

CS 43: Computer Networks IP. Kevin Webb Swarthmore College November 5, 2013

Network Connect & Junos Pulse Performance Logs on Windows

Attacking the TCP Reassembly Plane of Network Forensics Tools

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Visio Enabled Solution: One-Click Switched Network Vision

Configuring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to CHAPTER

Lab 1: Network Devices and Technologies - Capturing Network Traffic

Introduction to Cisco IOS Flexible NetFlow

EKT 332/4 COMPUTER NETWORK

Transcription:

Packetizer Framework Hannes Mehnert GPN5, 10. Juli 2006, Karlsruhe

Packetizer inspired by scapy goal: domain specific language for describing byte-protocols examples: network protocols (IP, TCP, ethernet,...), filesystems, elf-header describe protocol once, get a high-performance, secure (bounds checked) parser and generator use as little C code as possible (too many bugs ;)

Example protocol definition define protocol ethernet-frame (header-frame) field destination-address :: <mac-address>; field source-address :: <mac-address>; field type-code :: <2byte-big-endian-unsigned-integer>; variably-typed-field payload, type-function: select (frame.type-code) #x800 => <ipv4-frame>; #x806 => <arp-frame>; otherwise <raw-frame>;

fields

frames leaf frames: <mac-address>, <ipv4-address>, <13bit-unsigned-integer> container frames: <dns-header>, <arp-frame> header frames: <ipv4-frame>, <ethernet-frame>

dns-frames

parse and assemble functions parse-frame (<frame-type>, <byte-vector>) => (<frame>) assemble-frame (<frame>) => (<byte-vector>)

<mac-address> define n-byte-vector(mac-address, 6) define method read-frame (type == <mac-address>, string :: <string>) => (res) let fields = split(string, : ); make(<mac-address>, data: map-as(<byte-vector>, rcurry(string-to-integer, base: 16), fields)); define method as (class == <string>, frame :: <mac-address>) => (string :: <string>); reduce1(method(a, b) concatenate(a, ":", b) end, map-as(<stretchy-vector>, rcurry(integer-to-string, base: 16, size: 2), frame.data))

<ethernet-frame> protocol definition define protocol ethernet-frame (header-frame) field destination-address :: <mac-address>; field source-address :: <mac-address>; field type-code :: <2byte-big-endian-unsigned-integer>; variably-typed-field payload, type-function: select (frame.type-code) #x800 => <ipv4-frame>; #x806 => <arp-frame>; otherwise <raw-frame>;

protocol definition generates class definitions <ethernet-frame> <unparsed-ethernet-frame> <ethernet-frame-cache> <decoded-ethernet-frame> for each field, getters and setters are generated destination-address source-address type-code payload

dynamic start define protocol dynamic-test (header-frame) field length :: <unsigned-byte>; field payload :: <raw-frame>, start: frame.length * 8;

self-delimited repeated field define protocol repeated-test (container-frame) repeated field bar :: <unsigned-byte>, reached-end?: method (frame) frame = 0

externally delimited repeated field define protocol repeated-test (container-frame) field length :: <unsigned-byte>; repeated field bar :: <unsigned-byte>; field after :: <unsigned-byte>, start: frame.length * 8;

count repeated field define protocol count-repeated-test (container-frame) field count :: <unsigned-byte>; repeated field fragments :: <unsigned-byte>, count: frame.count;

default values define protocol foo (container-frame) field foobar :: <unsigned-byte> = 23;

fixup functions define protocol foo (header-frame) field length :: <unsigned-byte>, fixup: byte-offset(frame-size(frame.payload)); field payload :: <raw-frame>, length: frame.length * 8;

<domain-name> define protocol domain-name (container-frame) repeated field fragment :: <domain-name-fragment>, reached-end?: method(frame :: <domain-name-fragment>) frame.type-code = 3 frame.length = 0 define protocol domain-name-fragment (container-frame) field type-code :: <2bit-unsigned-integer>; define protocol label-offset (domain-name-fragment) field offset :: <14bit-unsigned-integer>; define protocol label (domain-name-fragment) field length :: <6bit-unsigned-integer>; field raw-data :: <externally-delimited-string>, length: frame.length * 8;

custom parse-frame for <domain-name> define method parse-frame (frame-type == <domain-name-fragment>, packet :: <byte-sequence>, #key start :: <integer> = 0, parent :: false-or(<container-frame>) = #f) => (value :: <domain-name-fragment>, next-unparsed :: false-or(<integer>)) let domain-name = make(unparsed-class(<domain-name-fragment>), packet: subsequence(packet, start: byte-offset(start))); let label-frame-type = select (domain-name.type-code) 0 => <label>; 3 => <label-offset>; otherwise => signal(make(<malformed-packet-error>)) parse-frame(label-frame-type, packet, start: start, parent: parent);

filter language inspired by ethereal and tcpdump operators: & rules: presence of frame-type ( ipv4, tcp, dns ) value of field ( ipv4.destination-address = 23.23.23.1 ) (udp.source-port = 53) (udp.destination-port = 53)

flow & network-flow inspired by click and netgraph nodes have push or pull in- and outputs decapsulator, demultiplexer, ethernet-interface, pcap-file-reader/writer, summary-printer, verbose-printer, fan-in, fan-out,...

pcap file reader define class <pcap-file-reader> (<single-push-output-node>) slot file-stream :: <stream>, init-keyword: stream:; define method toplevel (reader :: <pcap-file-reader>) let file = as(<byte-vector>, stream-contents(reader.file-stream)); let pcap-file = parse-frame(<pcap-file>, file); for(frame in pcap-file.packets) push-data(reader.the-output, frame.payload) end

simple sniffer let source = make(<ethernet-interface>, name: "eth0"); connect(source, make(<summary-printer>, stream: *standard-output*)); toplevel(source);

sniffer & gui-sniffer inspired by tcpdump and ethereal support for reading and writing pcap files listen on raw network interfaces

proof of concept implementations traffic accounting icmp responder connection tracking filtering bridge

roadmap protocol layer implementation support for more protocols configuration management forwarding engine routing engine shell (eval) full operating system

links Source http://www.opendylan.org/cgi-bin/viewcvs. cgi/trunk/libraries/ or via subversion svn co svn://svn.gwydiondylan.org/scm/svn/dylan/trunk/libraries Genera (lisp machine) defstorage macro Click http://www.read.cs.ucla.edu/click/ Netgraph http://www.freebsd.org/cgi/man.cgi?query= netgraph&sektion=4 Scapy http://www.secdev.org/projects/scapy/ Ethereal http://www.ethereal.com tcpdump http://www.tcpdump.org