High-Performance Packet Sniffing And Traffic Mining


Slide 1. High-Performance Packet Sniffing and Traffic Mining
Tillmann Werner, Senior Virus Analyst, Kaspersky Lab
Honeynet Workshop 2011, Public Day
Paris, 21 March, 2011

Slide 2. High Performance Packet Sniffing: multicap
Honeynet Project Workshop, Public Day, Paris, 21 March 2011

Slide 3. Packet Sniffing
(diagram: packet path NIC -> Kernel -> Userspace -> File)

Slide 4. The Pcap File Format

Straight-Forward File Format
- Portable library for packet sniffing
- Convenient API for programmers: live capturing, writing and reading dump files
- Open source, GPLv2
- Used by tools like tcpdump, wireshark, snort, ...
- Time resolution in microseconds

    struct pcap_file_header {
        bpf_u_int32 magic;
        u_short version_major;
        u_short version_minor;
        bpf_int32 thiszone;
        bpf_u_int32 sigfigs;
        bpf_u_int32 snaplen;
        bpf_u_int32 linktype;
    };

    struct pcap_pkthdr {
        struct timeval ts;
        bpf_u_int32 caplen;
        bpf_u_int32 len;
    };

Slide 5. Do Not Drop The Packets

Packet Drops
- Sniffer too slow: packet drops
- Lost information cannot be recovered
- Missing packets can render TCP streams unusable

Sniffing Performance
- Allocating, copying and freeing memory takes time
- Getting the system time costs CPU cycles
- Reduce such calls as much as possible

Slide 6. Designing multicap

Minimize Memory Allocations
- Use a PF_PACKET socket
- Attach a user-space ring buffer with setsockopt(PACKET_RX_RING)
- This is Linux only

No System Calls To Get Packet Times
- PF_PACKET already stores the time stamp in the packet struct: nano-second time resolution without further system calls
- No need to call localtime() etc.

Memory-mapped Dump Files
- mmap() for increased dumping speed
- Pre-allocate multiples of page size
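The following is an added example, not code from multicap or libpcap, that ties the on-disk pcap layout from slide 4 to the memory-mapped dump strategy on this slide: the file is pre-allocated in whole pages with ftruncate(), filled through mmap(), shrunk back to the bytes actually used, and then parsed again with bounds checks. It assumes a POSIX host with mmap()/ftruncate() and a writable output path; the packet bytes and timestamps are constructed.

```c
/* Added example, not code from multicap or libpcap: dump packets through a
 * memory-mapped file that is pre-allocated in whole pages, then parse the
 * dump back. Assumes POSIX mmap()/ftruncate() and a writable path. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* On-disk pcap layouts. Caveat: the record header stores the timestamp as two
 * 32-bit fields; libpcap's in-memory struct pcap_pkthdr holds a struct timeval,
 * which is 16 bytes on 64-bit hosts, so it must never be written verbatim. */
struct pcap_disk_hdr {
    uint32_t magic;          /* 0xa1b2c3d4: microsecond timestamps, writer byte order */
    uint16_t version_major;  /* 2 */
    uint16_t version_minor;  /* 4 */
    int32_t  thiszone;       /* GMT offset, normally 0 */
    uint32_t sigfigs;        /* timestamp accuracy, normally 0 */
    uint32_t snaplen;        /* maximum bytes stored per packet */
    uint32_t linktype;       /* 1 == DLT_EN10MB (Ethernet) */
};

struct pcap_disk_rec {
    uint32_t ts_sec;
    uint32_t ts_usec;        /* nanoseconds instead if the magic is 0xa1b23c4d */
    uint32_t caplen;         /* bytes stored in this record */
    uint32_t len;            /* bytes seen on the wire */
};

#define PCAP_MAGIC_USEC 0xa1b2c3d4u

/* Round a byte count up to a whole number of system pages. */
size_t round_to_pages(size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (n + page - 1) / page * page;
}

/* Write `count` copies of a constructed packet into `path` via mmap(): reserve
 * the pages up front, fill them, then shrink the file to the bytes used.
 * Returns the final file size, or 0 on error. */
size_t mmap_dump(const char *path, const unsigned char *pkt, size_t pkt_len, int count) {
    size_t need = sizeof(struct pcap_disk_hdr)
                + (size_t)count * (sizeof(struct pcap_disk_rec) + pkt_len);
    size_t reserve = round_to_pages(need);
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return 0;
    if (ftruncate(fd, (off_t)reserve) != 0) { close(fd); return 0; }
    unsigned char *map = mmap(NULL, reserve, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); return 0; }

    struct pcap_disk_hdr gh = { PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1 };
    memcpy(map, &gh, sizeof gh);
    size_t off = sizeof gh;
    for (int i = 0; i < count; i++) {
        /* Constructed timestamps: one packet per millisecond from a fixed epoch. */
        struct pcap_disk_rec rh = { 1300000000u, (uint32_t)(i * 1000),
                                    (uint32_t)pkt_len, (uint32_t)pkt_len };
        memcpy(map + off, &rh, sizeof rh);
        off += sizeof rh;
        memcpy(map + off, pkt, pkt_len);
        off += pkt_len;
    }
    msync(map, reserve, MS_SYNC);
    munmap(map, reserve);
    int rc = ftruncate(fd, (off_t)off);   /* give the unused tail of the reservation back */
    close(fd);
    return rc == 0 ? off : 0;
}

/* Parse a dump: check the magic, then walk the records with bounds checks so a
 * truncated or corrupt file is rejected instead of trusted. Returns the record
 * count, or -1 on error. */
int count_records(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    struct pcap_disk_hdr gh;
    unsigned char buf[65536];
    int n = -1;
    if (fread(&gh, sizeof gh, 1, f) == 1 && gh.magic == PCAP_MAGIC_USEC) {
        struct pcap_disk_rec rh;
        n = 0;
        while (fread(&rh, sizeof rh, 1, f) == 1) {
            if (rh.caplen > gh.snaplen || rh.caplen > rh.len || rh.caplen > sizeof buf
                || fread(buf, 1, rh.caplen, f) != rh.caplen) { n = -1; break; }
            n++;
        }
    }
    fclose(f);
    return n;
}
```

Reserving the pages once and shrinking at the end is what avoids a write() per packet; a production dumper would grow the mapping in page-multiple chunks when a chunk fills rather than sizing it from a known packet count.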

Slide 7. Configuration Example

    rotate "1d"   // "h d G M"
    path ""
    file "_tracker_%Y%m%d.pcap"
    trackers {
        tcponly {
            enabled   "true"
            interface "eth0"
            bpf       "tcp"
            snaplen   "0"
            rotate    "10M"
            path      "var/log/multicap/_tracker/%Y_%m_%d"
            file      "%H:%M:%S.pcap"
            promisc   "0"
        }
    }

Slide 8. multicap Demo

Slide 9. Packet Trace File Processing: streams

Slide 10. Stream Reassembly
(diagram: TCP segments labelled 1 to 6 being placed into their sequence order)

Slide 11. TCP Stream Reassembly

TCP Streams
- Stream: reliable, ordered stream of data
- OS assembles segments in the right order

Stream Reassembly Tools
- Wireshark
- tcpick
- tcpflow


Slide 13. Designing streams

Stream
- IP addresses, port numbers, initial sequence number

Stream Reassembly Strategy
- A SYN segment starts a new stream
- A RST or FIN segment terminates a stream
- Any segment gets copied at the right offset according to its sequence number

Interactive Command Line Tool
- Listing, counting, filtering, selecting streams
- Easy integration of external tools

Reference: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, http://insecure.org/stf/secnet_ids/secnet_ids.html
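An added example of the reassembly strategy on this slide, not code from the streams tool: a SYN opens the stream and fixes the ISN, every data segment is copied at seq - ISN - 1, and a FIN or RST closes it. The segments are constructed inline (one client-to-server flow, delivered out of order, with a retransmission whose content differs), and the single-stream struct stands in for the per-tuple table a real tool would keep. The conflict counter is the defender-side hook for the ambiguity the cited Ptacek/Newsham paper describes: when overlapping segments disagree, the reassembler's choice may differ from the end host's, so such streams should be flagged rather than silently trusted.

```c
/* Added example, not code from the streams tool: a minimal TCP reassembler
 * following the slide's strategy (SYN opens, FIN/RST closes, every data
 * segment is copied at seq - ISN - 1). The segments are constructed inline. */
#include <stdint.h>
#include <string.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define STREAM_MAX 4096          /* bytes of payload kept per stream in this demo */

/* Only the fields the reassembler needs; a real tool fills these from the
 * IP/TCP headers of each captured frame. */
struct segment {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t seq;
    uint8_t  flags;
    const uint8_t *data;
    uint16_t len;
};

struct stream {
    int active, closed;
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t isn;                /* initial sequence number taken from the SYN */
    uint8_t  buf[STREAM_MAX];    /* reassembled payload */
    uint8_t  seen[STREAM_MAX];   /* 1 where buf[] has already been filled */
    uint32_t hiwat;              /* one past the highest offset written */
    int overlap_conflicts;       /* retransmitted bytes that differed from the first copy */
};

static int matches(const struct stream *s, const struct segment *g) {
    return s->active && s->saddr == g->saddr && s->daddr == g->daddr
        && s->sport == g->sport && s->dport == g->dport;
}

/* Returns 0 if the segment was consumed, 1 if ignored (no open stream for it),
 * -1 if it falls outside the buffer. */
int reassemble(struct stream *s, const struct segment *g) {
    if (g->flags & TH_SYN) {                   /* a SYN starts a new stream */
        memset(s, 0, sizeof *s);
        s->active = 1;
        s->saddr = g->saddr; s->daddr = g->daddr;
        s->sport = g->sport; s->dport = g->dport;
        s->isn = g->seq;
        return 0;
    }
    if (!matches(s, g) || s->closed) return 1;
    /* The SYN consumes one sequence number; unsigned subtraction handles wrap-around. */
    uint32_t off = g->seq - s->isn - 1;
    if (off > STREAM_MAX || off + g->len > STREAM_MAX) return -1;
    for (uint32_t i = 0; i < g->len; i++) {
        if (!s->seen[off + i]) {
            s->buf[off + i] = g->data[i];
            s->seen[off + i] = 1;
        } else if (s->buf[off + i] != g->data[i]) {
            /* Overlap with different content: the ambiguity described in the
             * Ptacek/Newsham paper. Keep the first copy and count the conflict. */
            s->overlap_conflicts++;
        }
    }
    if (off + g->len > s->hiwat) s->hiwat = off + g->len;
    if (g->flags & (TH_FIN | TH_RST)) s->closed = 1;  /* FIN or RST terminates it */
    return 0;
}

/* Constructed segment for a single client-to-server flow (addresses are made up). */
static struct segment seg(uint32_t seq, uint8_t flags, const char *data) {
    struct segment g = { 0x0a000001u, 0x0a000002u, 40000, 80, seq, flags,
                         (const uint8_t *)data, data ? (uint16_t)strlen(data) : 0 };
    return g;
}

/* Feed a constructed, out-of-order exchange through the reassembler.
 * Returns the number of ignored segments. */
int demo_exchange(struct stream *s) {
    const struct segment flow[] = {
        seg(1000, TH_SYN, NULL),            /* ISN = 1000 */
        seg(1001, 0, "GET / HT"),           /* offset 0 */
        seg(1017, 0, "Host: a\r\n\r\n"),    /* offset 16, arrives before the gap is filled */
        seg(1009, 0, "TP/1.0\r\n"),         /* offset 8 fills the gap */
        seg(1001, 0, "GET / HTZ"),          /* retransmission whose last byte differs */
        seg(1028, TH_FIN, NULL),            /* closes the stream */
        seg(1028, 0, "late"),               /* after the FIN: ignored */
    };
    int ignored = 0;
    memset(s, 0, sizeof *s);
    for (size_t i = 0; i < sizeof flow / sizeof flow[0]; i++)
        if (reassemble(s, &flow[i]) == 1) ignored++;
    return ignored;
}
```

After demo_exchange() the buffer holds the request in order even though the segments did not arrive that way, and overlap_conflicts is 1 because the retransmitted "Z" disagreed with the "T" already in place.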

Slide 14. streams Demo

Slide 15. Code

Slide 16. Where To Get Them

Slide 17.
http://src.carnivore.it
ftp.carnivore.it

Slide 18. Thank You
