Network Tools at Politecnico di Torino - PowerPoint PPT Presentation

Provided by: piergi6
Slides: 22

Transcript and Presenter's Notes

1
Network Tools at Politecnico di Torino
  • Tools developed and maintained by NetGroup at
    Politecnico di Torino
  • Fulvio Risso (fulvio.risso_at_polito.it)
  • Mario Baldi (mario.baldi_at_polito.it)

2
Outline
  • WinPcap
    • A packet capture library (but not only)
  • WinDump
    • A command-line sniffing tool
  • Analyzer
    • A powerful, customizable and simple to use
      sniffer and network monitoring tool (but not only)

3
The WinPcap project
  • Basically, WinPcap is libpcap for Windows
  • Libpcap is the most used library for sniffing
    under UNIX
  • However:
    • WinPcap goes faster
    • WinPcap can send packets
    • WinPcap has simple monitoring primitives
    • WinPcap has new APIs that are simpler to use
    • WinPcap supports remote capture

4
WinPcap goes faster
Hardware: Via C3 533 / Intel ee100 NIC / 256 MB RAM
Tests independently done by Luca Deri
(www.ntop.org)
5
Remote Capture (1)
  • Supported Platforms
    • Win32, but it works on Linux and BSD as well
  • Supported Apps
    • Virtually every app based on libpcap/WinPcap can
      launch remote captures
    • Analyzer, Ethereal, WinDump, tcpdump, snort, ntop

6
Remote Capture (2)
7
Remote Capture (3)
  • Supports
    • IPv4/IPv6 data transfer
    • TCP/UDP transport
    • Sampling (although rather primitive)
    • Active Mode
      • For getting data from sources behind NATs / FWs

[Figure labels: Probe, Analyzer, Starts capture, Private Network]
8
WinDump
  • Is there anyone that does not use tcpdump?
  • WinDump is the Win32 version of tcpdump
  • Why is it called WinDump instead of tcpdump for
    Win32?
    • Because tcpdump maintainers were not convinced
      about our capabilities
    • So, they suggested using another name on
      Windows to avoid confusion

9
The Analyzer project
  • Started in 1995 as a DOS sniffer
  • Moved to Windows in 1998
    • Versions 2.x
  • Re-written from scratch beginning in Jan 2002
    • Still an alpha
    • No longer a simple sniffer
  • License: BSD-like

10
Objectives
  • Potentially cross-platform (although only the
    Win32 version exists right now)
  • Simple to use and to install
  • Suitable for small-size networks (not the best
    choice for ISPs, NRENs, etc.)
  • Includes several modules that implement the most
    important features needed by a network
    administrator
  • Each module looks like a limited version of some
    specialized tools available on the Internet

Easy to use!
11
KISS (Keep It Simple, Stupid)
Some of the tools needed by a network administrator:
  • Traffic monitoring
  • Host and services monitoring
  • Traffic sniffing
  • LAN monitoring
  • SNMP manager
Examples of the specialized tools used for these tasks:
  ntop, Demarc, Ethereal, Ettercap, OpenView, Nagios, mping
12
What it does: Network Sniffer
NetPDL decoding
13
What it does: Customizable Protocol DB
  • NetPDL language for describing protocol headers
  • Simple and (rather) intuitive
  • Supports advanced features (e.g. IPv6 Ext Hdr)
  • Allows adding / modifying protocol definitions
    without recompiling the application

    <proto name="Ethernet">
      <fields>
        <fixed name="dst" size="byte" vector="6"/>
        <fixed name="src" size="byte" vector="6"/>
        <fixed name="type-length" size="short"/>
      </fields>
      <nextproto>
        <switch fieldref="type-length">
          <case value="2048" protoref="IP"/>
          <case value="2054" protoref="ARP"/>
        </switch>
      </nextproto>
    </proto>
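As an added example (not code from the Analyzer project or from these slides), a small Python decoder that walks the NetPDL Ethernet description above and applies it to a constructed frame: it reads the fixed fields in order, refuses to read past a truncated frame, and resolves the next protocol through the switch on type-length. The byte widths of the NetPDL size keywords (byte = 1, short = 2) are assumed.

```python
import xml.etree.ElementTree as ET

# NetPDL description of Ethernet from the slide, with the XML syntax restored.
NETPDL_ETHERNET = """
<proto name="Ethernet">
  <fields>
    <fixed name="dst" size="byte" vector="6"/>
    <fixed name="src" size="byte" vector="6"/>
    <fixed name="type-length" size="short"/>
  </fields>
  <nextproto>
    <switch fieldref="type-length">
      <case value="2048" protoref="IP"/>
      <case value="2054" protoref="ARP"/>
    </switch>
  </nextproto>
</proto>
"""

# Byte width of the NetPDL size keywords the slide uses (assumed: byte = 1, short = 2).
SIZE_BYTES = {"byte": 1, "short": 2}

def decode(proto_xml, frame):
    """Apply a NetPDL <proto> to `frame`; return (fields, next_proto, payload)."""
    proto = ET.fromstring(proto_xml.strip())
    fields, offset = {}, 0
    for fx in proto.find("fields").findall("fixed"):
        width = SIZE_BYTES[fx.get("size")] * int(fx.get("vector", "1"))
        if offset + width > len(frame):
            # A truncated or malformed frame must never be read past its end.
            raise ValueError(f"frame too short for field {fx.get('name')!r}")
        chunk = frame[offset:offset + width]
        # A <fixed> with a vector (MAC addresses) stays raw bytes; scalars become big-endian ints.
        fields[fx.get("name")] = chunk if fx.get("vector") else int.from_bytes(chunk, "big")
        offset += width
    next_proto = None
    switch = proto.find("nextproto/switch")
    if switch is not None:
        key = fields[switch.get("fieldref")]
        # The first matching <case> selects the next protocol; no match means "unknown".
        next_proto = next((c.get("protoref") for c in switch.findall("case")
                           if int(c.get("value")) == key), None)
    return fields, next_proto, frame[offset:]

# Constructed sample: broadcast dst, locally administered src, EtherType 0x0806 (ARP), 4 payload bytes.
SAMPLE_ARP_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00\x01\x08\x00"

if __name__ == "__main__":
    print(decode(NETPDL_ETHERNET, SAMPLE_ARP_FRAME))
```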
14
What it does: Remote Capture
  • Analyzer is the most complete tool for Remote
    Capture
  • It is the only one that supports Remote Capture
    in Active Mode
  • Support in
    • Capture
    • LAN Node Discovery

15
What it does: End-to-end Monitor
16
What it does: Events Logger
17
What it does: LAN Node Discovery
18
What it does: Flow Collector (experim.)
  • NetFlow-like
  • The fields dumped for each session are
    customizable
  • Prints traffic statistics out of the stored
    records
  • Experimental code

19
What it does: Data Miner (experim.)
  • Processes data stored by the flow collector and
    retrieves the most important results
  • Effective for seeing whether the standard behaviour of
    the network changed over time
  • Includes a "compare against" feature
  • Interesting results in case of peer-to-peer
    applications

20
Status of the Analyzer project
  • Currently 3.0 alpha 8
    • Mainly bug fixing
    • Still somewhat unstable
  • What we would like to do next
    • Better web export (e.g. E2E Monitoring, Events
      Logger)
      • E.g. embedded web server
    • Monitoring of application-level services
      • HTTP, SNMP, DNS, FTP, Telnet, SSH
    • Packet Injection
  • Downloadable from
    http://analyzer.polito.it/30alpha/

21
Conclusions
  • WinPcap
    • State of the art library for custom tools that
      need to sniff packets / send raw packets on the
      net
  • WinDump
    • Simple and compact tool to sniff and see what
      happens on the net
  • Analyzer
    • Powerful and easy to use sniffing and network
      monitoring tool