From owner-freebsd-hackers@FreeBSD.ORG Sat Apr 12 14:50:59 2008
From: "anish babu"
To: hackers@freebsd.org
Date: Sat, 12 Apr 2008 09:23:27 -0500
Subject: Re: GSoc 2008 project proposal.. please suggest any uncovered details
Message-ID: <1a31da330804120723k35981ff4wfa86af826e67d5f4@mail.gmail.com>
In-Reply-To: <1a31da330804120721t3a4976c3hfe732fe8357cf2f8@mail.gmail.com>
List-Id: Technical Discussions relating to FreeBSD

Sorry for my multiple mails.. the previous mail was sent accidentally without complete details.

Hi all,

My name is Anish and I am a graduate student at Texas A&M University, College Station. I made a proposal for GSoC 2008 and the description is as follows.

Title: "Passive libpcap based TCP session anomaly detector"
-----

Abstract:
-----------
A daemon to listen on a network interface and log the anomalies in a connection is to be designed. If there are no anomalies, then normal session information like sequence numbers, acknowledgment numbers, SYN features etc. are logged to understand the behavior of the connection. In case of anomalies, like duplicate packets, duplicate acknowledgments, SACK responses, out of order segments etc., it logs the packet headers into a tcpdump file for later analysis by tools like Wireshark. This tool helps in analyzing various TCP algorithms in real practice on the Internet instead of abstract theoretical explanations.

Proposal:
-----------
Steps to capture packets using the libpcap library:
1) Open an interface
2) Open the device for capturing packets
3) Apply filters to capture only TCP packets
4) Collect a set of 'count' packets and apply a callback function for each of the packets.

We now have the packet in the u_char* packet variable of the callback function. If we are accessing TCP/IP packets on an Ethernet, then we have Ethernet, IP, TCP headers in order at the start of the packet.
So, we have to strip the Ethernet headers and IP headers in order to access the TCP headers. All of the main processing is done in the callback function.

Assumptions (for the below solution):
-------------------------------------------
1) Before this, I have a few doubts regarding the working of the sliding window protocol. Is there any way to access the 'Last Byte Read by application', 'Next Byte Expected', 'Last Byte Received' values from our function? I assume that we can somehow know these values.
2) We are maintaining separate statistics for each session indicated by the (dest.port, dest.IP, source.port, source.IP) pair. However, if we are collecting statistics on a single machine, the (dest.port, source.port) pair is enough to uniquely track each session.
3) That the transmit and receive side buffers are linear. However, the below ideas can be easily extended if they are circular.

On the receiving side:
a) Duplicate packets: Maintain a bit array of size ('Last Byte Read' - 'Next Byte Expected'). If any packet with sequence numbers in this range is found, set the bit to 1 if it is 0. Otherwise, increment the counter of duplicate packets. If any packet with a sequence number less than 'Next Byte Expected' is found, then just increment the counter of duplicate packets.
b) Out of order segments: For every packet, if the sequence number is less than the 'Last Byte Received', that means that this is an out of order packet. So increase the counter for this session.

Sending side:
c) Duplicate acknowledgements: Use the 'Last Byte Acknowledged' pointer of the sliding window to track up to how many bytes were acknowledged and check this against all incoming ACK packets. A lesser ACK in a new packet means this is a duplicate ACK packet, so increment the counter for this session.
d) SACK responses: (I think this is not necessary when we are maintaining statistics for out of order packets on the receiving side. What do you say?) We can use the SACK packets (if both sides agree to use the SACK option) to track how many packets are reaching the receiver out of order. Use the log details stored in the header for the start and end of the non-contiguous bytes that reached the receiver.

All of the above statistics are collected for each individual session. We can append the details even if the session incarnates (begins again). Produce summarized results for easy understanding.

A more detailed description can be found in my application in GSoC 2008. Please feel free to ask me for any further details.

Thanks,
Anish
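As an added illustration, not code from Anish's proposal or from FreeBSD, the following Python sketch applies rules a), b) and c) above to constructed frames: it strips the Ethernet and IP headers the way the pcap callback has to, keys state on the (src IP, sport, dst IP, dport) tuple, and counts retransmitted segments, segments arriving after a later one, and pure ACKs that repeat the previous ACK number (the usual definition of a duplicate ACK). build_frame, parse_tcp, AnomalyTracker and run_demo are names made up for this example, and the 10.0.0.x addresses, ports and sequence numbers are constructed sample values.

```python
import struct
from collections import defaultdict

def build_frame(sport, dport, seq, ack, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame from 10.0.0.1 to 10.0.0.2 (not a real capture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload      # dummy MACs, EtherType IPv4

def parse_tcp(frame):
    """Strip the Ethernet and IP headers, as the pcap callback must, and return TCP fields."""
    if frame[12:14] != b"\x08\x00":
        return None                                             # not IPv4: ignore the frame
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", frame[14 + ihl:28 + ihl])
    key = (frame[26:30], sport, frame[30:34], dport)            # (src IP, sport, dst IP, dport)
    return key, seq, ack, flags, total_len - ihl - (off >> 4) * 4

class AnomalyTracker:
    def __init__(self):
        self.counts = defaultdict(lambda: {"dup_seg": 0, "out_of_order": 0, "dup_ack": 0})
        self.seen = defaultdict(set)   # byte ranges delivered per direction (a daemon would prune)
        self.high = {}                 # last byte received per direction
        self.last_ack = {}             # highest ACK number seen per direction

    def feed(self, frame):
        if (parsed := parse_tcp(frame)) is None:
            return
        key, seq, ack, flags, plen = parsed
        st = self.counts[frozenset([key[:2], key[2:]])]         # both directions share counters
        if flags & 0x02:                                        # SYN consumes one sequence number
            self.high[key] = seq + 1
        elif plen:
            if (seq, seq + plen) in self.seen[key]:
                st["dup_seg"] += 1                              # retransmission of delivered bytes
            elif seq < self.high.get(key, 0):
                st["out_of_order"] += 1                         # arrived after a later segment
            self.seen[key].add((seq, seq + plen))
            self.high[key] = max(self.high.get(key, 0), seq + plen)
        elif flags & 0x10 and ack == self.last_ack.get(key):
            st["dup_ack"] += 1                                  # pure ACK repeating the last ACK
        self.last_ack[key] = max(ack, self.last_ack.get(key, 0))

def run_demo():
    t = AnomalyTracker()
    for seq, flags, data in [(1000, 0x02, b""), (1001, 0x18, b"A" * 100), (1201, 0x18, b"C" * 100),
                             (1101, 0x18, b"B" * 100), (1001, 0x18, b"A" * 100)] + [(1301, 0x10, b"")] * 3:
        t.feed(build_frame(40000, 80, seq, 5000, flags, data))
    return dict(next(iter(t.counts.values())))
```

run_demo() returns {'dup_seg': 1, 'out_of_order': 1, 'dup_ack': 3}: the late segment 1101-1200 is out of order, the resent 1001-1100 is a duplicate, and all three pure ACKs repeat the ACK number the data segments already carried.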