Tuesday, November 27, 2007

Project Report Submission Deadline

Today was a "tentative" deadline to submit a project report to department.
I am pretty much done with that, not completely though.

The last thing Dr Ouyang told me was to GET THE RIGHT THING RIGHT!
I have to compare the performance of SNIPHER with Wireshark and tcpdump. Some precise quantitative data, in a form a user can understand !

I have got 'vmstat' at work and I will get it done tomorrow.
I need to measure Memory usage, CPU usage, and Network Latency, in the sense of the difference in the RTT.

Anything left is FINE TUNING THE CODE ! WE ARE GOING TO DO IT, TOGETHER " . . Thank you Father . . .

Thursday, November 22, 2007

SNIFFING THE PARSED DATA

At this point of time SNIPHER is not an exact sniffer!! or I think so.
Regular expressions are specified for originating (IP_CT_NEW) connections and I track ONLY those.
Other connections will simply pass through.

I need to do something like

1) REGEXes on the NEW connection.

2) On matching connections, it will MARK that connection using conntrack (I don't know how, at this time !!) and SNIFF all the data on the marked connection only.

--> Some thoughts like Creating a HASHTABLE using 4 fields [src_ip, src_port, dst_ip, dst_port].
I believe some operation on those four fields will give a unique value, and the data can be stored in that hashtable !!

3) Once this is done, also look for the utilities online which let you QUANTIFY PERFORMANCE !!

Monday, November 19, 2007

SNIPHER : 11_19_07

32. All these days I've been working on my Project Report and ya I was done with that REGEX thing.

I successfully wrote a REGEX for the http GET request, that was "GET .*HTTP/(0.9|1.0|1.1)"
I still have ftp, Telnet, ssh, SMTP regexes to write !!

OK, now after sticking on the same stuff for two days, I finally found (Thanks Master) why iptables wasn't working on the monitoring ports !! It wasn't able to track the data passing by for other machines (I mean promiscuous mode)

YES, iptables DOESN'T WORK IN PROMISCUOUS mode !! Want to know why ???

the data is delivered to the skb from ip_input.c --> ip_rcv(), which has a piece of code which looks like

/* When the interface is in promisc. mode, drop all the crap
* that it receives, do not try to analyse it.
*/
if (skb->pkt_type == PACKET_OTHERHOST)
goto drop;
.
.
.
drop:
kfree_skb(skb);

--> NO skb for packets addressed to another host !!

*** The next task is to make a change in the above function and make it accept all the packets and then test the code...
I am working on it, lets see how it goes!

And ya REPORT IS DUEEEEEE... !

33. include/linux/if_packet.h

/* Packet types */
/* These are the values a device driver stores in skb->pkt_type. Only
   PACKET_HOST..PACKET_OUTGOING are visible to user level. PACKET_OTHERHOST
   is the type ip_rcv() drops before any netfilter hook runs, which is why
   traffic for other machines never reaches iptables on a promiscuous
   monitoring port (see the ip_rcv() excerpt above). */

#define PACKET_HOST 0 /* To us */
#define PACKET_BROADCAST 1 /* To all */
#define PACKET_MULTICAST 2 /* To group */
#define PACKET_OTHERHOST 3 /* To someone else */
#define PACKET_OUTGOING 4 /* Outgoing of any type */
/* These ones are invisible by user level */
#define PACKET_LOOPBACK 5 /* MC/BRD frame looped back */
#define PACKET_FASTROUTE 6 /* Fastrouted frame */


The packet is assigned one of these types by the device driver.

11/19/07 || 04:35

Thursday, November 01, 2007

SNIFFER_11_01_2007 Some Useful Data Structures

27. struct ip_conntrack

/usr/src/linux-2.4.18.2-34/include/linux/ip_conntrack.h

/* One tracked IPv4 connection. Its lifetime is reference-counted through
 * ct_general (see the count breakdown below); tuplehash[] holds the original
 * and reply tuples under which the entry is found in the conntrack table.
 * NOTE(review): the path quoted above names a 2.4.18 tree, but the secmark
 * and layer7 members, and the 2.6.18.2-34 path quoted for x_tables.h below,
 * suggest this excerpt is from a 2.6 kernel -- confirm which header is
 * actually being read before building against it. */
struct ip_conntrack
{
/* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
plus 1 for any connection(s) we are `master' for */
struct nf_conntrack ct_general;

/* Have we seen traffic both ways yet? (bitset) */
unsigned long status;

/* Timer function; drops refcnt when it goes off. */
struct timer_list timeout;

#ifdef CONFIG_IP_NF_CT_ACCT
/* Accounting Information (same cache line as other written members) */
struct ip_conntrack_counter counters[IP_CT_DIR_MAX];
#endif
/* If we were expected by an expectation, this will be it */
struct ip_conntrack *master;

/* Current number of expected connections */
unsigned int expecting;

/* Unique ID that identifies this conntrack*/
unsigned int id;

/* Helper, if any. */
struct ip_conntrack_helper *helper;

/* Storage reserved for other modules: */
union ip_conntrack_proto proto;

union ip_conntrack_help help;
#ifdef CONFIG_IP_NF_NAT_NEEDED
struct {
struct ip_nat_info info;
union ip_conntrack_nat_help help;
#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
int masq_index;
#endif
} nat;
#endif /* CONFIG_IP_NF_NAT_NEEDED */

#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
/* Per-connection mark; only present when CONFIG_IP_NF_CONNTRACK_MARK is set.
   This is the field in which a "mark this connection" decision persists
   across later packets of the same flow. */
u_int32_t mark;
#endif

#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
/* Security mark; only present with CONFIG_IP_NF_CONNTRACK_SECMARK. */
u_int32_t secmark;
#endif

/* Traversed often, so hopefully in different cacheline to top */
/* These are my tuples; original and reply */
struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];

#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
/* State kept by the layer7 match, which classifies a connection by inspecting
   its application-layer payload -- the same problem the sniffer is solving.
   NOTE(review): app_data looks like a kernel-side copy of payload accumulated
   per connection; confirm how app_data_len bounds it before modelling any new
   per-connection buffer on this layout. */
struct {
char * app_proto; /* e.g. "http". NULL before decision. "unknown" after decision if no match */
char * app_data; /* application layer data so far. NULL after match decision */
unsigned int app_data_len;
} layer7;
#endif

};


28. In ip_tables.h

/* Compatibility aliases: the IPv4-specific ipt_* names are simply the
   generic x_tables (xt_*) types, so an ipt_match is a struct xt_match. */
#define ipt_match xt_match
#define ipt_target xt_target
#define ipt_table xt_table

29. Definition of struct ipt_match (i.e. xt_match) is in

/usr/src/linux-2.6.18.2-34/include/linux/netfilter/x_tables.h


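/*
 * struct xt_match -- an x_tables match extension as registered by a kernel
 * module. match() is the per-packet hook; checkentry() validates the
 * user-supplied matchinfo when a rule is inserted; destroy() runs when the
 * rule is deleted. The two separator lines the diary drew around the compat
 * hooks are kept here as comments so the excerpt stays valid C.
 */
struct xt_match
{
	struct list_head list;

	const char name[XT_FUNCTION_MAXNAMELEN-1];

	/* Return true or false: return FALSE and set *hotdrop = 1 to
	   force immediate packet drop. */
	/* Arguments changed since 2.6.9, as this must now handle
	   non-linear skb, using skb_header_pointer and
	   skb_ip_make_writable. */
	int (*match)(const struct sk_buff *skb,
		     const struct net_device *in,
		     const struct net_device *out,
		     const struct xt_match *match,
		     const void *matchinfo,
		     int offset,
		     unsigned int protoff,
		     int *hotdrop);

	/* Called when user tries to insert an entry of this type. */
	/* Should return true or false. */
	/* This is the one point where the module sees matchinfo before the
	   packet path uses it; everything in it was supplied from userspace,
	   so lengths and contents must be validated here. */
	int (*checkentry)(const char *tablename,
			  const void *ip,
			  const struct xt_match *match,
			  void *matchinfo,
			  unsigned int matchinfosize,
			  unsigned int hook_mask);

	/* Called when entry of this type deleted. */
	void (*destroy)(const struct xt_match *match, void *matchinfo,
			unsigned int matchinfosize);

	/* -------------------------------------------------------------------- */
	/* Called when userspace align differs from kernel space one */
	void (*compat_from_user)(void *dst, void *src);
	/* __user marks dst as a userspace address: it must be written through
	   copy_to_user()/put_user(), never dereferenced directly. */
	int (*compat_to_user)(void __user *dst, void *src);
	/* -------------------------------------------------------------------- */

	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
	struct module *me;

	char *table;
	unsigned int matchsize;
	unsigned int compatsize;
	unsigned int hooks;
	unsigned short proto;

	unsigned short family;
	u_int8_t revision;
};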

30. enum ip_conntrack_info

/*
 * Conntrack state reported for the current packet.
 * The values are arranged so that direction needs a single comparison:
 * anything >= IP_CT_IS_REPLY is in the reply direction (a reply-direction
 * state is the original-direction value plus IP_CT_IS_REPLY), and there is
 * no NEW state in the reply direction, hence IP_CT_NUMBER == 5.
 * For the sniffer: a rule keyed on IP_CT_NEW sees only packets that start a
 * connection, in the original direction -- never the rest of the flow.
 */
enum ip_conntrack_info
{
	/* packet belongs to an established connection (either direction) */
	IP_CT_ESTABLISHED = 0,
	/* like NEW but related to an existing connection, or an ICMP error
	   (either direction) */
	IP_CT_RELATED = 1,
	/* packet starts a connection to track (original direction only);
	   may be a retransmission */
	IP_CT_NEW = 2,
	/* threshold: a value >= this means reply direction */
	IP_CT_IS_REPLY = 3,
	/* distinct states: three original-direction plus two reply-direction */
	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
};

HOW TO DO REGEX on APP LAYER DATA 11_01_2007

SHARED HEADER FILE

/* Match info shared between the iptables extension (user space) and the
   kernel module: the user side fills it in, the kernel side reads it. */
struct ipt_sample {
---
---
/* NOTE(review): as sketched, both fields are pointers, and a pointer placed
   in this struct by the iptables extension is a user-space address. The
   kernel module must never dereference it directly. A safer layout is to
   carry the protocol name and the pattern by value in fixed-size arrays
   inside the struct (char pattern[N] for a chosen bound N), and to have
   checkentry() verify that each array is NUL-terminated within N and that
   the pattern compiles before the rule is accepted. */
char *proto;
char *pattern;
};

USER SPACE MODULE

--> iptables .... -m sample .... --proto [http|ftp] ...


--> switch(proto)
{
/* User-space side: the --proto option selects which protocol-specific
   regex is handed to the kernel. The kernel module still has to validate
   whatever arrives in info -- this switch only decides what is sent. */
case http :
info->proto = http;
info->pattern = REGEX Pattern for http
break;
case ftp :
info->proto = ftp;
info->pattern = REGEX Pattern for ftp
break;
/* Unknown --proto value: both fields are cleared. The kernel-side
   checkentry() should reject a rule that arrives with a null pattern
   rather than treat it as match-everything. */
default :
info->proto = null;
info->pattern = null;
break;
}

KERNEL SPACE MODULE

--> COLLECT DATA
--> REGULAR EXPRESSION (proto and pattern)
--> if matches --> Print/Write the data to the file
else skip the packet