Linux Program
C program
#include |
|
#include |
|
#include |
|
#include"libpacketdump.h" |
|
#include |
|
#include |
|
|
|
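/*
 * Read a big-endian 16- or 32-bit field one byte at a time.
 *
 * TCP option data is not aligned, so reading it through a *(uint32_t *)
 * cast is both a strict-aliasing violation and a potential misaligned
 * access; assembling the value from bytes needs neither a cast nor ntohl().
 */
static unsigned read_be16(const unsigned char *p)
{
	return ((unsigned)p[0] << 8) | p[1];
}

static unsigned read_be32(const unsigned char *p)
{
	return ((unsigned)p[0] << 24) | ((unsigned)p[1] << 16) |
	       ((unsigned)p[2] << 8) | p[3];
}

/*
 * Print one port column of the " TCP:" line, adding the service name when
 * getservbyport() knows one.
 *
 * label is "Source" or "Dest"; port is the raw header field in network
 * byte order, which is what getservbyport() expects.
 */
static void print_port(const char *label, uint16_t port)
{
	struct servent *ent = getservbyport(port, "tcp");

	if (ent) {
		printf(" %s %i (%s)", label, ntohs(port), ent->s_name);
	} else {
		printf(" %s %i", label, ntohs(port));
	}
}

/*
 * Print a single TCP option.
 *
 * type is the option kind, data its payload and optlen the option's length
 * octet as reported by trace_get_next_option(); in libtrace that length
 * covers the kind and length octets as well as the data
 * (NOTE(review): confirm against the libtrace version in use — the bounds
 * below assume it).  Every read of data[] is bounded by that length, so a
 * truncated or malformed option is reported rather than read past.
 */
static void print_option(unsigned char type, unsigned char optlen,
			 const unsigned char *data)
{
	/* Bytes of option data that follow the kind/length octets. */
	unsigned avail = optlen >= 2 ? optlen - 2u : 0;

	switch (type) {
	case 0:
		printf("End of options");
		break;
	case 1:
		printf("NOP");
		break;
	case 2:
		/* MSS is a 16-bit field; the old code read 32 bits through a
		 * uint32_t cast and relied on htons() truncating the value,
		 * which only gives the right answer on little-endian hosts. */
		if (avail >= 2) {
			printf("MSS %i", read_be16(data));
		} else {
			printf("MSS (truncated)");
		}
		break;
	case 3:
		if (avail >= 1) {
			printf("Winscale %i", data[0]);
		} else {
			printf("Winscale (truncated)");
		}
		break;
	case 4:
		printf("SACK");
		break;
	case 5:
		printf("SACK Information");
		/* Each SACK block is a pair of 32-bit sequence numbers; only
		 * whole blocks that fit in the option are printed. */
		for (unsigned i = 0; i + 8 <= avail; i += 8) {
			printf("\n TCP: %u-%u",
			       read_be32(&data[i]), read_be32(&data[i + 4]));
		}
		break;
	case 8:
		if (avail >= 8) {
			printf("Timestamp %u %u",
			       read_be32(&data[0]), read_be32(&data[4]));
		} else {
			printf("Timestamp (truncated)");
		}
		break;
	default:
		printf("Unknown option %i", type);
		break;
	}
}

/*
 * libpacketdump decoder for TCP: prints the header and its options, then
 * hands the payload to the next decoder keyed on the lower of the two port
 * numbers (the same dispatch the original used; the comparison operator was
 * garbled in the listing and is reconstructed as "<").
 *
 * link_type is unused.  packet points at the TCP header and len is the
 * number of captured bytes from there.  The packet is untrusted input:
 * header fields are printed only once SAFE()/DISPLAYx() confirm they were
 * captured, option reads are bounded by the option length, and the data
 * offset is validated before it is used to locate the payload.
 */
DLLEXPORT void decode(int link_type UNUSED, const char *packet, unsigned len)
{
	libtrace_tcp_t *tcp = (libtrace_tcp_t *)packet;
	unsigned char *pkt = NULL;
	unsigned char type, optlen, *data;
	int plen;
	unsigned hdrlen;

	printf(" TCP:");

	/* SAFE() reads `len` from the enclosing scope, so the truncation
	 * checks stay in this function. */
	if (!SAFE(tcp, source)) {
		printf("\n");
		return;
	}
	print_port("Source", tcp->source);

	if (!SAFE(tcp, dest)) {
		printf("\n");
		return;
	}
	print_port("Dest", tcp->dest);

	printf("\n TCP:");
	DISPLAYL(tcp, seq, " Seq %u");
	printf("\n TCP:");
	DISPLAYL(tcp, ack_seq, " Ack %u");

	/* The data offset and flag bits sit in the octets before `window`;
	 * stop here if those were not captured.  The cast keeps both sides of
	 * the comparison unsigned. */
	if ((unsigned)((const char *)&tcp->window - (const char *)tcp) > len) {
		printf("\n");
		return;
	}

	printf("\n TCP:");
	printf(" DOFF %i", tcp->doff);
	printf(" Flags:");
	if (tcp->ecn_ns) { printf(" ECN_NS"); }
	if (tcp->cwr) { printf(" CWR"); }
	if (tcp->ece) { printf(" ECE"); }
	if (tcp->fin) { printf(" FIN"); }
	if (tcp->syn) { printf(" SYN"); }
	if (tcp->rst) { printf(" RST"); }
	if (tcp->psh) { printf(" PSH"); }
	if (tcp->ack) { printf(" ACK"); }
	if (tcp->urg) { printf(" URG"); }
	DISPLAYS(tcp, window, " Window %i");

	printf("\n TCP:");
	DISPLAYS(tcp, check, " Checksum %i");
	DISPLAYS(tcp, urg_ptr, " Urgent %i");

	/* doff counts 32-bit words.  A value below the 20-byte fixed header is
	 * malformed, and a capture shorter than the fixed header holds no
	 * options or payload.  The old min() was evaluated in unsigned
	 * arithmetic and wrapped to a huge length in either case. */
	hdrlen = tcp->doff * 4u;
	if (len < sizeof *tcp || hdrlen < sizeof *tcp) {
		printf("\n");
		return;
	}

	/* Options occupy the header beyond the fixed part, clipped to what
	 * was actually captured. */
	pkt = (unsigned char *)packet + sizeof *tcp;
	plen = (int)((hdrlen < len ? hdrlen : len) - sizeof *tcp);

	while (trace_get_next_option(&pkt, &plen, &type, &optlen, &data)) {
		printf("\n TCP: ");
		print_option(type, optlen, data);
	}
	printf("\n");

	/* Header longer than the capture: there is no payload to hand on.
	 * The old len - doff*4 wrapped here and passed a huge length down. */
	if (hdrlen > len) {
		return;
	}

	/* Dispatch on the lower port number, which is normally the
	 * well-known service side. */
	if (ntohs(tcp->source) < ntohs(tcp->dest)) {
		decode_next(packet + hdrlen, len - hdrlen, "tcp", ntohs(tcp->source));
	} else {
		decode_next(packet + hdrlen, len - hdrlen, "tcp", ntohs(tcp->dest));
	}
}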
2. Question and answer
- What does it mean when we say libtrace is ‘format-agnostic’? Why is this an important feature of libtrace?
Libtrace is a Linux-based program that helps in tracing the library files. The term "format-agnostic" refers to the program's independence: with libtrace one can use the commands anywhere, and the executed output file can be used freely.
- List two strengths of the ERF trace format when compared with the PCAP format and explain how these differences are relevant when performing network trace analysis.
The Extensible Record Format (ERF) represents the ability of the libtrace command to hold the information about all the packets in a single folder. Compared with the PCAP format it behaves slightly differently, as PCAP holds the data about the inextensible packets, which hides or encapsulates some information while retrieving the data.
3. What is IP fragmentation and how can it cause problems when analysing packet traces?
IP fragmentation denotes the subnetting of IP; in other words, it denotes the distribution of IP on the basis of packet transfer and methods of masking.
4. Run the following command:
tracepktdump -c 1 -f "tcp port 80" 1000packets.erf.gz Why do you not get any output, even though there is definitely HTTP traffic in the trace? What change is required to get successful output?
Frame 3: 573 bytes on wire (4584 bits), 50 bytes captured (400 bits) on interface 1
Extensible Record Format
Ethernet II, Src: Cisco_4d:bb:1b (00:0f:24:4d:bb:1b), Dst: Cisco_e9:0f:ff (00:0b:be:e9:0f:ff)
Destination: Cisco_e9:0f:ff (00:0b:be:e9:0f:ff)
Address: Cisco_e9:0f:ff (00:0b:be:e9:0f:ff)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Cisco_4d:bb:1b (00:0f:24:4d:bb:1b)
Address: Cisco_4d:bb:1b (00:0f:24:4d:bb:1b)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 2852
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = DEI: Ineligible
.... 1011 0010 0100 = ID: 2852
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.141.85.107, Dst: 66.17.72.45
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 551
Identification: 0x1bf8 (7160)
Flags: 0x0000
0... .... .... .... = Reserved bit: Not set
.0.. .... .... .... = Don't fragment: Not set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 126
Protocol: UDP (17)
Header checksum: 0x0000 [validation disabled]
[Header checksum status: Unverified]
Source: 172.141.85.107
Destination: 66.17.72.45
User Datagram Protocol, Src Port: 30616, Dst Port: 13492
Source Port: 30616
Destination Port: 13492
Length: 531
[Checksum: [missing]]
[Checksum Status: Not present]
[Stream index: 0]
[Timestamps]
[Packet size limited during capture: WOL truncated]
5. Why do the trace files released by the University
Source code for the Libtrace program:
$ strace -e open ls
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libselinux.so.1", O_RDONLY) = 3
open("/lib/librt.so.1", O_RDONLY) = 3
open("/lib/libacl.so.1", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY) = 3
open("/lib/libpthread.so.0", O_RDONLY) = 3
open("/lib/libattr.so.1", O_RDONLY) = 3
open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
2.
$ strace -e trace=open,read ls /home
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libselinux.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\3\3\1\260G004"..., 512) = 512
open("/lib/librt.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\3\3\1\300\30004"..., 512) = 512
..
open("/lib/libattr.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\3\3\1\360\r004"..., 512) = 512
open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = 3
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tb"..., 1024) = 315
read(3, "", 1024) = 0
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
open("/home", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
bala
$ strace -o output.txt ls
Desktop Documents Downloads examples.desktop libflashplayer.so
Music output.txt Pictures Public Templates Ubuntu_OS Videos
$ cat output.txt
execve("/bin/ls", ["ls"], [/* 37 vars */]) = 0
brk(0) = 0x8637000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7860000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=67188, ...}) = 0
...
...
$ strace -t -e open ls /home
20:42:37 open("/etc/ld.so.cache", O_RDONLY) = 3
20:42:37 open("/lib/libselinux.so.1", O_RDONLY) = 3
20:42:37 open("/lib/librt.so.1", O_RDONLY) = 3
20:42:37 open("/lib/libacl.so.1", O_RDONLY) = 3
20:42:37 open("/lib/libc.so.6", O_RDONLY) = 3
20:42:37 open("/lib/libdl.so.2", O_RDONLY) = 3
20:42:37 open("/lib/libpthread.so.0", O_RDONLY) = 3
20:42:37 open("/lib/libattr.so.1", O_RDONLY) = 3
20:42:37 open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = 3
20:42:37 open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
20:42:37 open("/home", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
bala
$ strace -c ls /home
bala
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
-nan 0.000000 0 9 read
-nan 0.000000 0 1 write
-nan 0.000000 0 11 open
-nan 0.000000 0 13 close
-nan 0.000000 0 1 execve
-nan 0.000000 0 9 9 access
-nan 0.000000 0 3 brk
-nan 0.000000 0 2 ioctl
-nan 0.000000 0 3 munmap
-nan 0.000000 0 1 uname
-nan 0.000000 0 11 mprotect
-nan 0.000000 0 2 rt_sigaction
-nan 0.000000 0 1 rt_sigprocmask
-nan 0.000000 0 1 getrlimit
-nan 0.000000 0 25 mmap2
-nan 0.000000 0 1 stat64
-nan 0.000000 0 11 fstat64
-nan 0.000000 0 2 getdents64
-nan 0.000000 0 1 fcntl64
-nan 0.000000 0 2 1 futex
-nan 0.000000 0 1 set_thread_area
-nan 0.000000 0 1 set_tid_address
-nan 0.000000 0 1 statfs64
-nan 0.000000 0 1 set_robust_list
------ ----------- ----------- --------- --------- ----------------
100.00 0.000000 114 10 total
$ strace -t -e open ls /home
20:42:37 open("/etc/ld.so.cache", O_RDONLY) = 3
20:42:37 open("/lib/libselinux.so.1", O_RDONLY) = 3
20:42:37 open("/lib/librt.so.1", O_RDONLY) = 3
20:42:37 open("/lib/libacl.so.1", O_RDONLY) = 3
20:42:37 open("/lib/libc.so.6", O_RDONLY) = 3
20:42:37 open("/lib/libdl.so.2", O_RDONLY) = 3
20:42:37 open("/lib/libpthread.so.0", O_RDONLY) = 3
20:42:37 open("/lib/libattr.so.1", O_RDONLY) = 3
20:42:37 open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = 3
20:42:37 open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
20:42:37 open("/home", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
bala
References
Ganichev, I., Thakkar, P., Koponen, T. and Dong, M., Nicira Inc, 2016. Tracing network packets by a cluster of network controllers. U.S. Patent 9,344,349.
Pütz, C., Schlutow, M. and Klein, R., 2019. Initiation of ray tracing models: evolution of small-amplitude gravity wave packets in non-uniform background. Theoretical and Computational Fluid Dynamics, pp.1-27.
Tessmer, A. and Jianjun, S.H.E.N., Nicira Inc, 2016. Tracing host-originated logical network packets. U.S. Patent 9,264,330.