Madhuri Kulkarni mkulkarni@wustl.edu
Subharthi Paul subharthipaul@gmail.com
Packet sniffing or packet capture software is extensively used as tools for protocol analysis and security. In protocol design research, such a tool comes handy in analyzing, debugging and testing of a new protocol implementation. In Security, as is true for any tools, it may be used both as a positive way to detect intrusions or attacks on a system as well as in the malicious way to hack for private and personal data of others. Even though use of upper layer encryption techniques make it difficult to gather data directly, yet these tools are important in learning about existing sessions, collecting encrypted data to launch offline attacks to generate the encryption key and any such attack limited only by ones imagination. Hence, packet sniffer software is one of the most essential tools required to get started to be able to perform any of the above mentioned activities. The goal of our project is to write a packet sniffer "Net Vigilant", capable of sniffing across wired and wireless interfaces and provide additional packet aggregation, filtering and analysis capabilities. The goal of the project is not to provide a novel approach towards sniffing on the network but rather to provide a basic understanding to the challenges involved in writing such a software and also to build up from the knowledge and experience gained to design more advanced security tools.
Security tools, Packet Sniffing, Protocol analyzers, Microsoft .NET, Visual Studio, winpcap, libpcap
Packet sniffing is an essential activity for network engineers as well as security experts. If, used in a positive way, it is the most essential tool for network analysis, protocol analysis, network troubleshooting, intrusion detection and hundreds of such other applications. The key challenge in writing such software is to collect raw packets directly from the interface cards and parsing them to reveal useful information. In normal network programming through sockets, a software module listens on a particular socket for packets intended for its use, hence for a module wanting to sniff for all packets, it shall have to listen on all the TCP ports so that TCP does not throw away packets on finding no module attached to the intended port number in the packet. Also, each protocol layer performs filtering of the traffic, for example, any TCP control packet will not be passes above the TCP layer, any IP control packet is consumed by the IP layer and so on. Moreover, the hardware network interface does an initial filtering of packets not intended for it. Hence, it is almost certain that the normal programming methods will not allow for the capabilities that we seek to capture in a packet sniffing software. The way out of this situation is to have some type of a software hook which can gather packets before it is passed through the protocol layer processing. Also, to be able to capture packets not intended for the current network interface, the software should set the interface to the "promiscuous mode" provided such a mode is supported by the hardware and the device driver of the network card.
The "software hook", that we mentioned above, exists, in UNIX as the PF_PACKET socket (libpcap library) and in Windows as the Winpcap library. In our work we make use of the Winpcap library to be able to capture raw packets from the interface. The story does not end at being able to capture raw packet. In fact, it is the most basic step. There are certain hurdles in being able to analyze correctly the raw packets which are nothing but a set of hexadecimal gibberish to the uninformed. There are challenges in being able to serialize the data coming in, in network byte order, for storage in the file systems. Also, a major task is to be able to provide an easy to use and elegant user interface for running the software as well as present the packet data in a more human readable form.
With all this in mind, we designed "Net Vigilant", a packet sniffer and analyzer tool for wired and wireless interfaces. "Net vigilant" has a state-of-the-art graphical user interface, designed on the .NET platform. All the code has been written in C# over the .NET platform to ensure interoperability across windows systems.
It may be argued, that such tools already exist in plenty and that a new endeavor may not be justified. However, "Net Vigilant" has been designed to be the stepping stone for further design of more complicated tools and also a learning experience for novice programmers to design and implement their own network software. It is basically the foundation bed for more advanced innovations in the future.
The project deliverables that were agreed upon were as follows:
The project will be implemented in Microsoft .NET technologies using C# language.
Following are some of the functionalities we will implement:
Basic Functionality:
1. Network Monitor [Basic packet capture] - This feature will provide the facility to capture network packets. These packets will be parsed and the packet header details will be listed in a table. The packets can be stored in XML (Extensible Markup Language) serialized formats. These packets can be retrieved later for viewing and analysis.
2. Packet Filtering - The packets can be filtered by protocol type TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ARP (Address Resolution Protocol), ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol).
3. Network Utilities [Ping, TCP Statistics, UDP Statistics]- The above mentioned utilities will be provided for network traffic analysis.
4. Packet Analysis - The detailed packet information is displayed.
5. Graphical Interface - We have implemented an easy to use Windows based graphical user interface.
Advanced Functionality:
1. Port Scanner - Port Scanner will provide basic functionality of searching a network host for open ports. This will be used by administrators to check the security of their networks.
2. Network Mapping - The network mapping functionality will map the network and provide a network map.
3. Client Configuration Monitor - Client configuration monitor will provide the list of processes, resources and the status of a node on the network.
Please note that the advanced functionality is not a part of the project and will be implemented only if time permits.
The Waterfall software process model was used for this project. The phases of this model are:
A. Requirement analysis - The requirements for this project were identified and analyzed.
B. Design/Select an Approach - Design and Implementation details were finalized.
C. Code Development - Code development was done in C#.NET
D. Testing - Unit testing and peer testing were done.
E. Deployment - The software was deployed and tested on various machines.
F. Maintenance - Depending on feedback further changes to software will be made.
Following tools were used for the development of the project:
1. NET framework 2.0
The .NET Framework is Microsoft's managed code programming model for building applications on Windows clients, servers, and mobile or embedded devices. Developers use .NET to build applications of many types: Web applications, server applications, smart client applications, console applications, database applications, and more.
To support this variety, the .NET Framework includes a broad set of supporting class libraries, including: Windows Presentation Foundation (WPF), for visually stunning user experiences on Windows clients; Windows Communication Foundation (WCF), enabling fast and flexible communications among applications across your enterprise; Windows Workflow Foundation (WF), allowing developers to build workflows into any application; ASP.NET, for high-performance and interactive Web-based applications; Libraries for handling XML, data, IO, cryptography, text-to-speech, and more.[1]
2. Microsoft Visual studio 2005
Microsoft Visual Studio 2005 Professional Edition is a complete environment for individual developers building Microsoft Windows, Web, or mobile solutions. It provides:
- Building high-performance solutions faster than ever.
- Easily create and deploy client applications. Automatically publish and maintain applications and their dependencies with integrated ClickOnce support.
- Build fast, interactive Web applications. Take advantage of more than 50 new controls and hundreds of built-in services for site security, personalization, look and feel, and more.
- Develop faster with enhanced visual designers and editors. Streamline development of all tiers of your application and improve XML editing and XSLT debugging with intuitive visual designers.
- Create dynamic, data-enabled applications. Quickly create data-driven applications using an integrated data access, design, and reporting environment.
- Provides a powerful, enterprise-class application platform.
- Easy Task development. Create robust applications using the Microsoft .NET Framework 2.0, the .NET Compact Framework 2.0, and native code, all supported by Microsoft Visual Studio 2005.
- Target high-performance computing architectures. Easily develop for 64-bit systems.[2]
3. DebugView
DebugView is an application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP. It is capable of displaying both kernel-mode and Win32 debug output, so you don't need a debugger to catch the debug output your applications or device drivers generate, nor do you need to modify your applications or drivers to use non-standard debug output APIs.
Use: Simply execute the DebugView program file (dbgview.exe) and DebugView will immediately start capturing debug output.[3]
4. SharpPcap V1.5
SharpPcap is a packet capture framework for the .NET environment, based on the famous WinPcap component. The purpose of this library is to provide an API for capturing, injecting, analyzing and building packets using any .NET language such as C# and VB.NET [4]. This library has been used for the functionality of packet capture and display. Other features of the software are implemented using C#.NET This dll can be downloaded from http://www.tamirgal.com/home/dev.aspx?Item=SharpPcap
5. WinPcap V4.0.1
WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.
WinPcap consists of a driver that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers.
Following tasks were identified:
a. Installation of .NET framework 2.0
b. Installation of Microsoft Visual Studio 2005
c. DebugView (optional)
d. Study of various .NET classes
e. Study of WinPcap, SharPcap.
f. Design and coding
g. Testing
Deliverables | Status |
Graphical Interface | Completed |
Network Monitor. [basic] | Completed |
Network Utilities [Ping, TCP Statistics, UDP Statistics] | Completed |
Packet Analysis | Completed |
Packet Filtering | Completed |
Testing | Completed |
Hardware Resources:
Software Resources:
Software Dependencies: Installation of .Net framework 2.0 and WinPcap is necessary for the software to work on the computer.
Hardware Constraints: Not all wireless network adaptor cards support packet capture. Make sure your wireless network interface card supports promiscuous mode for packet capture. Hence this software may not work on all wireless network interface cards. But it will capture packets on Ethernet networks.
The following risks were identified:
a) Many such applications available in market.
Contingency: Although many such applications are in market not all provide both functionalities of capturing data on wired and wireless network. Also these applications are not cost effective.
b) Wireless Network Interface Cards: Since not all cards support promiscuous mode this application may not work on all node
Contingency: The alternative to this risk is to write a device drive for the network interface card that does not support wireless packet capture or simply wait until existing drivers provide upgrades for this functionality.
Topic | Date | Status |
Feasibility study | 3rd Nov 2007 | Completed |
Network monitor | 20th Nov 2007 | Completed |
Network Utilities | 27th Nov 2007 | Completed |
Packet Display | 5th Dec 2007 | Completed |
Packet Filtering | 5th Dec 2007 | Completed |
Testing | 7th Dec 2007 | Completed |
This bare bone implementation of a network sniffer is the foundation towards development of better and more complicated security tools. The immediate future of the project is to realize the implementation of the advanced features of Port Scanning, Network Mapping and Client Configuration Monitoring capabilities. These features would render the project to be complete in the first phase. Later, in the future we plan to build on our sniffer, to build tools to construct whole sessions, collect data and launch offline attacks for WEP/WPA keys, indicate presence of rogue AP's in the vicinity and any such application limited only by one's imagination.
[1] http://msdn2.microsoft.com/en-us/netframework/default.aspx
[2] http://www.microsoft.com/education/facultyconnection/software/softwaredetails.aspx?cid=1&c1=en-us&c2=0
[3] http://www.microsoft.com/technet/sysinternals/utilities/debugview.mspx
[4] http://www.tamirgal.com/home/dev.aspx?Item=SharpPcap
UDP | User Datagram Protocol |
TCP | Transmission Control Protocol |
ARP | Address Resolution Protocol |
ICMP | Internet Control Message Protocol |
IGMP | Internet Group Message Protocol |
XML | Extensible Markup Language |
GB | Gigabytes |
MB | Megabytes |
RAM | Random Access Memory |
IP | Internet Protocol |
GUI | Graphical User Interface |
WCF | Windows Communication Foundation |
WPF | Windows Presentation Foundation |
WF | Workflow Foundation |
ASP | Active Server Pages |
Last Modified: Dec, 2007