Development of Network Monitoring Systems

As networks have come into wide use, network management has become increasingly complex, and relying solely on the limited tools and manual procedures that systems provide is no longer enough to manage a network. It is therefore necessary to develop network management tools. A network monitoring system mainly provides some of the data required for network management and is an important tool for maintaining the network.

The main application of a network monitoring system is activity monitoring: recording all activity on the network, which is very useful for detecting network intrusions. Because hackers today are very familiar with the audit mechanisms of each system and generally modify the system's audit logs after breaking in so that their intrusion is hidden, it is very necessary to develop your own network monitoring system to monitor all activity on your network. This article describes the principles of network monitoring, uses libpcap.a to develop the main function of a network monitoring system, and gives a simple example.

Principles of the network monitoring system

A network monitoring system records everything that happens on the network and analyzes it. Ethernet is used as the example here.

[Figure 1: Ethernet network topology]

How Ethernet works

Ethernet, originally developed by Xerox, is a network based on CSMA/CD (Carrier Sense Multiple Access / Collision Detection). It has a bus structure, with the topology shown in Figure 1. When a station (e.g. H1) wants to transmit data, it listens to the channel (the bus); if the channel is not busy, it sends the data onto the channel, and the data then has exclusive use of the channel. All other stations on the network (e.g. H2, ..., Hn) can receive the data. The usual processing on receiving data is to compare the destination address carried by the data with the station's own address.
If the data is addressed to this station, it is accepted and passed to the upper layers of the system; if it is not addressed to this station, it is discarded.

Principle of the monitoring system

The above is the general working principle of Ethernet. On real systems, data transmission and reception is done by the NIC (Network Interface Card), and the NIC also provides some other services.

[Figure 2: Schematic of the network monitoring system]

A network card has four receive modes:

◆ Broadcast mode: a network card in this mode can receive the broadcast traffic on the network.
◆ Multicast mode: a network card set to this mode can receive multicast data.
◆ Direct mode: in this mode only the network card that is the destination receives the data.
◆ Promiscuous mode: a network card in this mode receives everything that passes through it, regardless of whom the data is addressed to.

The network monitoring system works in promiscuous mode, in which it can see all the data on the network. Its schematic is shown in Figure 2. As the figure shows, the network monitoring system consists of three parts: the network interface card (NIC), the data capture subsystem, and the data analysis and recording subsystem. The NIC provides the data from the network; the data capture subsystem takes the data from the network interface and passes it upward. The data capture subsystem is the difficult point in developing a network monitoring system, since it differs from one operating system to another and is complicated; this paper mainly discusses the development of that subsystem. The main task of the data analysis and recording subsystem is to analyze the data coming from the data capture subsystem and record it. It records the contents of the data together with the attributes associated with it.

Developing the network monitoring system under UNIX

Under UNIX, the data capture subsystem is developed with libpcap.a.
libpcap.a is a general network interface package for UNIX systems; the operating systems currently supported include BSD UNIX, Solaris, SunOS, Linux and HP-UX. At present the library only supports reading data from network interfaces. In developing the system we use the following functions:

1. pcap_lookupdev(): finds an active, non-loopback network interface and returns its name.
2. pcap_lookupnet(): gets the network number and subnet mask of the specified network interface.
3. pcap_open_live(): opens the network interface and configures it according to the parameters supplied by the user.
4. pcap_compile(): converts a descriptive (textual) filter rule into code the system can execute.

In a UNIX system, for example, files and devices are operated on by opening them, using them and then closing them; the same process is followed with libpcap.a: the network interface is opened, used, and then closed. The procedure is to open the device, set it up, receive data, and then analyze the received data. A simple example follows; its function is to record the source and destination addresses of the data on this network. The program ran successfully on Solaris 2.7.
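The article's own example program does not survive on this page. The following is an added example, not the article's code, that implements the two subsystems described above in the article's open / set up / receive / analyze sequence: a decoder that pulls the Ethernet and IPv4 source and destination addresses out of one raw frame (the data analysis and recording subsystem), and, compiled in only with -DUSE_LIBPCAP and linked with -lpcap, a capture loop built on the libpcap calls the article names plus pcap_setfilter() and pcap_loop(), which the article does not list. The sample frame, the struct and function names, and the "ip" filter string are all constructed for this example; the decoder refuses truncated or malformed headers rather than reading past the captured bytes.

```c
/* Added example (not the article's program): frame decoding plus an optional
 * libpcap capture loop. Build the decoder alone with: cc example.c
 * Build with capture support with: cc -DUSE_LIBPCAP example.c -lpcap */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define IPV4_MIN_HDR   20

/* Addresses recovered from one captured frame (constructed layout). */
struct addr_record {
    uint8_t  dst_mac[6];
    uint8_t  src_mac[6];
    int      has_ip;   /* 1 if a well-formed IPv4 header followed the Ethernet header */
    uint32_t src_ip;   /* host byte order */
    uint32_t dst_ip;
    uint8_t  proto;    /* IPv4 protocol number, e.g. 6 = TCP, 17 = UDP */
};

/* Decode the Ethernet and (if present) IPv4 headers of one frame. Returns 0 on
 * success, -1 if the buffer is shorter than the headers it claims to carry.
 * Captures may be truncated (snaplen) or deliberately malformed, so every
 * offset is checked against len before it is read. */
int decode_frame(const uint8_t *buf, size_t len, struct addr_record *rec)
{
    memset(rec, 0, sizeof *rec);
    if (len < ETH_HDR_LEN)
        return -1;
    memcpy(rec->dst_mac, buf, 6);
    memcpy(rec->src_mac, buf + 6, 6);
    uint16_t ethertype = (uint16_t)((buf[12] << 8) | buf[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return 0;                               /* ARP etc.: MAC addresses only */
    const uint8_t *ip = buf + ETH_HDR_LEN;
    size_t iplen = len - ETH_HDR_LEN;
    if (iplen < IPV4_MIN_HDR)
        return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;    /* header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < IPV4_MIN_HDR || iplen < ihl)
        return -1;
    rec->has_ip = 1;
    rec->proto  = ip[9];
    rec->src_ip = ((uint32_t)ip[12] << 24) | ((uint32_t)ip[13] << 16) | ((uint32_t)ip[14] << 8) | ip[15];
    rec->dst_ip = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) | ((uint32_t)ip[18] << 8) | ip[19];
    return 0;
}

/* The "recording" step: one line per frame. A real system would append to a
 * timestamped log file; stdout keeps the example self-contained. */
void record_frame(const uint8_t *buf, size_t len)
{
    struct addr_record r;
    if (decode_frame(buf, len, &r) != 0) {
        printf("truncated or malformed frame (%zu bytes)\n", len);
        return;
    }
    printf("%02x:%02x:%02x:%02x:%02x:%02x -> %02x:%02x:%02x:%02x:%02x:%02x",
           r.src_mac[0], r.src_mac[1], r.src_mac[2], r.src_mac[3], r.src_mac[4], r.src_mac[5],
           r.dst_mac[0], r.dst_mac[1], r.dst_mac[2], r.dst_mac[3], r.dst_mac[4], r.dst_mac[5]);
    if (r.has_ip)
        printf("  ip %u.%u.%u.%u -> %u.%u.%u.%u proto %u",
               (unsigned)(r.src_ip >> 24), (unsigned)(r.src_ip >> 16) & 0xff, (unsigned)(r.src_ip >> 8) & 0xff, (unsigned)r.src_ip & 0xff,
               (unsigned)(r.dst_ip >> 24), (unsigned)(r.dst_ip >> 16) & 0xff, (unsigned)(r.dst_ip >> 8) & 0xff, (unsigned)r.dst_ip & 0xff,
               (unsigned)r.proto);
    putchar('\n');
}

#ifdef USE_LIBPCAP
#include <pcap.h>
/* pcap_loop() callback: h->caplen is the number of bytes actually captured,
 * which may be less than the frame's length on the wire. */
static void on_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes)
{
    (void)user;
    record_frame(bytes, h->caplen);
}

/* Open -> set up (filter) -> receive -> analyze -> close. */
int capture(int count)
{
    char errbuf[PCAP_ERRBUF_SIZE];
    bpf_u_int32 net = 0, mask = 0;
    struct bpf_program fp;
    char *dev = pcap_lookupdev(errbuf);           /* first active non-loopback interface */
    if (dev == NULL) { fprintf(stderr, "%s\n", errbuf); return -1; }
    if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) { fprintf(stderr, "%s\n", errbuf); return -1; }
    pcap_t *p = pcap_open_live(dev, 65535, 1 /* promiscuous */, 1000, errbuf);
    if (p == NULL) { fprintf(stderr, "%s\n", errbuf); return -1; }
    if (pcap_compile(p, &fp, "ip", 1, mask) == -1 || pcap_setfilter(p, &fp) == -1) {
        fprintf(stderr, "%s\n", pcap_geterr(p)); pcap_close(p); return -1;
    }
    int rc = pcap_loop(p, count, on_packet, NULL);
    pcap_freecode(&fp);
    pcap_close(p);
    return rc;
}
#endif

/* Constructed sample: 00:11:22:33:44:55 -> 66:77:88:99:aa:bb carrying an IPv4
 * TCP segment 192.168.1.10:1234 -> 10.0.0.1:80 (checksums left as zero). */
static const uint8_t sample_frame[] = {
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x01,
    0x04,0xd2,0x00,0x50, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00
};

/* Decode the constructed sample frame and return the record. */
struct addr_record decode_sample(void)
{
    struct addr_record rec;
    decode_frame(sample_frame, sizeof sample_frame, &rec);
    return rec;
}

int main(void)
{
    record_frame(sample_frame, sizeof sample_frame);
    record_frame(sample_frame, 30);               /* truncated: IPv4 header incomplete */
#ifdef USE_LIBPCAP
    return capture(10) < 0 ? 1 : 0;
#else
    return 0;
#endif
}
```

Opening the interface in promiscuous mode requires root (or the equivalent capability) on most systems, and a capture that is actually intended as an intrusion record should bind the filter to the traffic of interest and write to an append-only log that the monitoring host itself does not expose on the monitored segment.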