Packet sniffing

Presented at Student Seminar Series_VIT University

  1. Tanmay Sinha, B.Tech (Computer Science), IIIrd year
  2. Agenda
     Part 1: Motivating Examples; Generic Architecture Design
     Part 2: Libraries you can work with
     Part 3: Loopholes and Improvements; Demos
  3. Motivating Examples
  4. (Sniffer and ID/PS Mode)
  5. Generic BPF Architecture
  6. ??????
  7. Libraries
     Provisions that a packet filter can provide:
       1) Monitoring
       2) Filtering
       3) Specifying a verdict on packets
     Some high-level APIs are needed to provide an interface. Popular libraries: libipq, libpcap/WinPcap.
  8. libpcap
  9. Requirement: Deep Filtering
  10. libipq
  11. Loopholes
     • Dynamic filtering tasks
     • Algorithmic inefficiency (many pre-processing phases)
     • Architecture and instruction set (RISC)
     • Frame loss (queue overrun)
  12. Solution Approaches (hardware level / kernel level / user level)
     Aims:
     • Reduce the number of packets that are forwarded to the application only to be discarded later on.
     • Constant memory consumption regardless of the number of filters.
     • A simpler computational model with fewer instructions; the main aim is to achieve low filter-update latency by avoiding filter recompilation.
     • A modified implementation of the Netfilter ip_queue module with the goal of higher performance.
     • Allowing packets on a single interface to be segmented across multiple threads/cores, allowing for more efficient packet processing.
  13. Technicalities
     • To interrogate queue status: # ethtool -S ethX
     • To increase queue length: # ethtool --set-ring ethX [rx N] [tx N]
     • To increase the rate at which the queue drains (edit the value in the proc file): # vim /proc/sys/net/core/dev_weight
     • To slow down input traffic by controlling the size of the receive buffers used by sockets: # sysctl -w net.core.rmem_default=N
  14. Solution Approaches (contd.): Bloom Filters
     • A probabilistic data structure used to test whether an element is a member of a set. False positives are possible, but false negatives are not.
     • Space efficient; insertion and searching take O(1) time; deletion is possible in a modified Bloom filter.
  15. References
     http://tcpdump.org
     http://wireshark.org
     http://ntop.org
     http://snort.org
     http://openbsd.org
     http://technet.microsoft.com/en-us/network
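Slides 7 to 10 name the three provisions of a packet filter (monitoring, filtering, specifying a verdict) and the libpcap and libipq libraries that expose them. The following is an added example, not code from the presentation: a pure-Python reader for the classic libpcap capture file format (24-byte global header, 16-byte record headers), a decoder for the Ethernet/IPv4/TCP-or-UDP fields a filter normally decides on, and a predicate-based ACCEPT/DROP verdict in the style of libipq. The capture it processes is constructed inline from documentation-range addresses; the frame builder, the Packet fields and the is_http predicate are assumptions for the demo.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4     # classic pcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass
class Packet:
    ts_sec: int
    ts_usec: int
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    orig_len: int


def decode_frame(frame: bytes, ts_sec: int, ts_usec: int, orig_len: int) -> Optional[Packet]:
    """Pull the fields a filter usually decides on out of an Ethernet/IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4: nothing to decide on
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport = dport = None
    l4 = 14 + ihl
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return Packet(ts_sec, ts_usec, src, dst, proto, sport, dport, orig_len)


def parse_pcap(data: bytes) -> Iterator[Packet]:
    """Walk a classic libpcap file: 24-byte global header, then a 16-byte
    record header (ts_sec, ts_usec, incl_len, orig_len) before each frame."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:                         # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        pkt = decode_frame(frame, ts_sec, ts_usec, orig_len)
        if pkt is not None:
            yield pkt


def run_filter(data: bytes, predicate: Callable[[Packet], bool]) -> List[Tuple[Packet, str]]:
    """Give each packet a verdict, in the spirit of the libipq ACCEPT/DROP model."""
    return [(p, "ACCEPT" if predicate(p) else "DROP") for p in parse_pcap(data)]


def accepted_flows(data: bytes, predicate: Callable[[Packet], bool]) -> List[str]:
    return [f"{p.src}:{p.sport}->{p.dst}:{p.dport}"
            for p, verdict in run_filter(data, predicate) if verdict == "ACCEPT"]


# --- constructed sample capture (not a real trace) -------------------------
def build_frame(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Minimal Ethernet/IPv4/TCP-or-UDP frame; checksums are left zero,
    which is enough for header parsing."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == IPPROTO_TCP else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4


def build_pcap(frames: List[bytes], ts: int = 1_700_000_000) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", ts + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.5", "198.51.100.10", IPPROTO_TCP, 51000, 80),
    build_frame("192.0.2.5", "192.0.2.1", IPPROTO_UDP, 40000, 53),
    build_frame("192.0.2.7", "198.51.100.20", IPPROTO_TCP, 51001, 22),
])


def is_http(p: Packet) -> bool:
    """Assumed filter: keep only TCP traffic to port 80."""
    return p.proto == IPPROTO_TCP and p.dport == 80


if __name__ == "__main__":
    for p, verdict in run_filter(SAMPLE_PCAP, is_http):
        print(verdict, p.src, p.sport, "->", p.dst, p.dport)
```

The predicate stands in for a compiled BPF program: the decision is made on a handful of header fields, and everything not needed for that decision is never copied, which is the point of filtering close to the capture path rather than in the application.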
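Slides 11 and 13 name frame loss from queue overrun as a loophole and give ethtool -S as the way to interrogate queue status. The following is an added example, not part of the presentation: a small parser for ethtool -S style output that picks out the counters indicating lost frames, plus a delta check between two polls, since these counters accumulate from boot and what matters on a capture box is whether loss is still happening. The sample output is constructed, and the counter names and the regular expression that classifies them are assumptions (names vary from driver to driver).

```python
import re
from typing import Dict

# Constructed sample of `ethtool -S ethX` output. Counter names differ between
# NIC drivers; the ones below are an assumption for illustration only.
SAMPLE_ETHTOOL_S = """\
NIC statistics:
     rx_packets: 1048576
     tx_packets: 524288
     rx_bytes: 734003200
     rx_dropped: 0
     rx_fifo_errors: 37
     rx_missed_errors: 12
     tx_dropped: 0
     rx_queue_0_packets: 600000
     rx_queue_0_drops: 25
     rx_queue_1_packets: 448576
     rx_queue_1_drops: 0
"""

# The same (constructed) box polled a little later: queue 0 has lost 5 more frames.
SAMPLE_ETHTOOL_S_LATER = SAMPLE_ETHTOOL_S.replace("rx_queue_0_drops: 25", "rx_queue_0_drops: 30")

STAT_LINE = re.compile(r"^\s*(\S+):\s*(\d+)\s*$")
# Names that, across common drivers, mean the NIC or its ring could not hand a
# frame to the host in time (assumed pattern; extend per driver).
LOSS_PATTERN = re.compile(r"drop|fifo|missed|no_buffer|overrun|discard", re.I)


def parse_ethtool_stats(text: str) -> Dict[str, int]:
    """Turn `ethtool -S` output into {counter: value}; other lines are ignored."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def loss_counters(stats: Dict[str, int]) -> Dict[str, int]:
    """Non-zero counters whose name suggests frame loss."""
    return {k: v for k, v in stats.items() if v and LOSS_PATTERN.search(k)}


def growing_counters(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Loss counters that increased between two samples, with the increment."""
    return {k: after[k] - before.get(k, 0) for k in after
            if LOSS_PATTERN.search(k) and after[k] > before.get(k, 0)}


if __name__ == "__main__":
    first = parse_ethtool_stats(SAMPLE_ETHTOOL_S)
    later = parse_ethtool_stats(SAMPLE_ETHTOOL_S_LATER)
    print("lost so far:", loss_counters(first))
    print("still losing:", growing_counters(first, later))
```

A non-zero total only says the box has dropped frames at some point; a growing delta during a capture is what justifies the remedies on slide 13 (a larger ring via ethtool --set-ring, a higher dev_weight, or larger socket receive buffers).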
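Slide 14 proposes Bloom filters as a solution approach and lists their properties (false positives possible, no false negatives, O(1) insert and lookup, deletion only in a modified variant). The following is an added example, not code from the presentation: a plain Bloom filter, the counting variant that allows deletion, the textbook false-positive estimate, and a first-stage source-address check in a filter pipeline where a hit escalates to an exact lookup rather than dropping outright. The address sets are constructed from documentation ranges, and the double-hashing scheme, sizes and the verdict labels are assumptions.

```python
import hashlib
import math
from typing import Dict, Iterable, List


class BloomFilter:
    """m-bit array and k hash functions. Membership tests can return a false
    positive but never a false negative; a plain Bloom filter cannot delete."""

    def __init__(self, m: int, k: int):
        self.m, self.k, self.n = m, k, 0
        self.bits = bytearray((m + 7) // 8)

    def _indexes(self, item: str) -> List[int]:
        # k slots from two 64-bit halves of SHA-256 via double hashing
        # (h1 + i*h2 mod m); an assumed, fixed choice for the demo.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for i in self._indexes(item):
            self.bits[i >> 3] |= 1 << (i & 7)
        self.n += 1

    def __contains__(self, item: str) -> bool:
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indexes(item))

    def expected_fp_rate(self) -> float:
        """Textbook estimate (1 - e^(-kn/m))^k for the current load n."""
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k


class CountingBloomFilter(BloomFilter):
    """The 'modified' variant: a counter per slot instead of a bit, so an
    element can be removed by decrementing its k counters."""

    def __init__(self, m: int, k: int):
        super().__init__(m, k)
        self.counts = [0] * m

    def add(self, item: str) -> None:
        for i in self._indexes(item):
            self.counts[i] += 1
        self.n += 1

    def remove(self, item: str) -> bool:
        idx = self._indexes(item)
        if not all(self.counts[i] for i in idx):
            return False                      # definitely never inserted
        for i in idx:
            self.counts[i] -= 1
        self.n -= 1
        return True

    def __contains__(self, item: str) -> bool:
        return all(self.counts[i] for i in self._indexes(item))


def build_blocklist_filter(addresses: Iterable[str], m: int = 4096, k: int = 3) -> BloomFilter:
    bf = BloomFilter(m, k)
    for a in addresses:
        bf.add(a)
    return bf


def verdict(bf: BloomFilter, src: str) -> str:
    """First-stage check: a hit only means 'possibly listed', so it is handed
    to the exact (slower) lookup instead of being dropped; a miss is
    authoritative because the filter has no false negatives."""
    return "ESCALATE" if src in bf else "ACCEPT"


def measure(bf: BloomFilter, listed: List[str], unlisted: List[str]) -> Dict[str, float]:
    """Empirical check of both properties on the constructed address sets."""
    false_neg = sum(a not in bf for a in listed)
    false_pos = sum(a in bf for a in unlisted)
    return {"false_negatives": false_neg, "false_positive_rate": false_pos / len(unlisted)}


# Constructed address sets from the documentation ranges (not real threat data).
LISTED = [f"198.51.100.{i}" for i in range(256)] + [f"203.0.113.{i}" for i in range(256)]
UNLISTED = [f"192.0.2.{i}" for i in range(256)]

if __name__ == "__main__":
    bf = build_blocklist_filter(LISTED)
    print(measure(bf, LISTED, UNLISTED), "expected fp rate ~", round(bf.expected_fp_rate(), 3))
```

With 512 entries in 4096 bits and 3 hashes the estimate is about 3 %, so roughly one unlisted address in thirty is escalated to the exact lookup and none of the listed ones slips past; memory use stays constant as the list grows, which is the "constant memory regardless of the number of filters" aim from slide 12, at the price of a false-positive rate that climbs with n.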
