Network Data Acquisition Methods
Author: Hao Hai Gu Fan @ bbs.net130.com

5.1 Network data interception mechanism

The network packet interception mechanism is the basic component of a network intrusion detection system. In general, it intercepts all traffic flowing on the whole network, filters out the unwanted data according to source host, destination host, service protocol, port and so on, and then delivers the data the user is interested in to the higher-level application. The flow is shown below:

Figure 5.1 Network data interception process

On the one hand, the interception module must ensure that it intercepts every packet on the network, in particular fragmented packets (these may carry attacks). On the other hand, the speed at which the interception module captures packets also matters: it directly affects the running speed of the entire intrusion detection system.

5.2 Data stream interception methods

5.2.1 Interception technology based on broadcast

Intercepting the packets of a network data stream depends on the NIC. Because Ethernet is a broadcast medium, the NIC can listen to the packets on the Ethernet, and this is the basis of packet interception technology. To intercept data streams that are not addressed to you, you must bypass the mechanism by which the system normally works: put the NIC into promiscuous mode so that packets whose destination address is not your own MAC address are passed up directly from the data link layer, and then read the data.

5.2.2 The packet interception mechanism of each system

Linux provides the user with an interface to the NIC driver (also a socket), SOCK_PACKET. This socket can directly intercept all link-layer packets at the data link layer (that is, on the wire). UNIX (BSD) systems interact directly with the kernel through the libpcap library to implement network interception, as in libpcap, tcpdump, etc.

Figure 5.2 UNIX system listening mechanism
BSD systems intercept packets through the BSD Packet Filter (BPF) mechanism. BPF can be said to be the best interception mode among these systems; many open-source sniffers are based on it. Windows has a similar arrangement: the Windows series uses *.vxd drivers (VxD, Virtual Device Driver) such as packet*.vxd, or packet*.sys drivers (developed for the NIC chip), to drive the NIC and intercept packets.

Figure 5.3 Windows system listening mechanism

5.2.3 BPF filtering

UNIX and Linux systems have two data link layer interfaces: BPF on the BSD family of systems (NetBSD, OpenBSD, FreeBSD, etc.) and SOCK_PACKET on Linux.

BPF consists mainly of two parts: the network tap and the packet filter. The network tap collects copies of packets from the network device driver (before they are delivered to the system protocol stack) and passes them to the application that is intercepting packets. The filter decides whether a packet is accepted or rejected, and how much of the packet's data is copied to the application. The BPF structure is shown below:

Figure 5.4 BPF structure schematic (applications such as tcpdump (note 1), libpcap, Sniffer, eEye, etc.)

In general, the NIC driver converts the electrical signal on the network into packets and passes the intercepted data to the protocol stack that comes with the system, which then processes it. BPF under UNIX works differently: before the NIC driver submits the data taken from the network to the system, a copy is passed to BPF, which decides whether it matches the filter rules; matching packets are stored in a designated memory area to await processing. Of course, BPF does not interfere in any way with the packets the NIC driver delivers to the system protocol stack.

Note 1: tcpdump was written by Van Jacobson, Craig Leres and Steven McCanne of the Berkeley Laboratory.
5.3 Universal data interception based on the libpcap library

libpcap is a user-space packet capture API. It is independent and portable. libpcap was originally written for the powerful and robust tcpdump, and it supports the BPF filtering mechanism. Snort is one of the programs that depend on the libpcap library (others are Ethereal, eEye, etc.).

Its advantage is that packets can be intercepted on any UNIX kernel platform without regard to the NIC chip type or driver. More importantly, it lets developers write their own decoding, display and logging.

5.2.2.1 Main functions of the libpcap library

1. Header file (pcap.h). The libpcap header file defines the structure of the savefile (the stored data stream). The first half is the data structure definition of the savefile header:

Figure 5.5 Header file (pcap.h)

The second half of the header file is the data structure definition of the per-packet record header.

2. Opening and reading the device and setting the filter. This part deals with the lowest-level device. There are three functions: pcap_read(), pcap_open_live() and pcap_setfilter().

3. Offline mode: intercepting data from files stored on disk. There are two functions, pcap_open_offline() and pcap_offline_read().

4. Detecting local network settings. There are several functions for detecting network settings, including pcap_lookupdev(), pcap_lookupnet(), etc. As mentioned earlier, libpcap is portable, so the socket interfaces of the various platforms are made compatible.

5. The main program is in pcap.c, which defines the unified interface function pcap_next() for reading data; calling this function returns the next packet.

5.4 How Snort calls libpcap

When Snort starts, it calls the libpcap library. After the libpcap functions have been called and the interface initialized, it enters the loop module, pcap_loop(), to intercept data.
In this main loop, pcap_loop(), whenever the NIC receives data from the network medium, pcap_loop() hands each captured packet to the ProcessPacket() function for processing, and exits on an error or once the specified number of packets has been handled. (The relevant code is shown below.) pcap_loop() selects the decoder according to the data link type; ProcessPacket() then performs the protocol analysis, and matching against the traffic is carried out. For example, ProcessPacket() calls the DecodeEthPkt() function to decode the Ethernet frame, and DecodeEthPkt() in turn calls the sub-function DecodeIP() to decode the IP protocol, and so on.

libpcap functions used:
pcap_open_live(): obtains the general packet capture handle.
pcap_lookupdev(): points to an available network device.
pcap_lookupnet(): determines the IP address and netmask of the network device itself.
pcap_dump(): saves network packets to a file in tcpdump format.
The relevant part of the program (pcap_loop() in libpcap) is as follows:

    /* Read all packets on the device. Continue until cnt packets read. */
    int
    pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user)
    {
        register int n;

        for (;;) {                                  /* main capture loop */
            if (p->sf.rfile != NULL) {
                /* reading from a savefile */
                n = pcap_offline_read(p, cnt, callback, user);
            } else {
                /* XXX keep reading until we get something */
                do {
                    n = p->read_op(p, cnt, callback, user);
                } while (n == 0);
            }
            if (n <= 0)
                return (n);         /* error, return */
            if (cnt > 0) {
                cnt -= n;
                if (cnt <= 0)
                    return (0);     /* the set number was reached, return */
            }
        }
    }

pcap_loop() has one important parameter: pv.pkt_cnt, the number of packets to capture. When the main function initializes, the default is -1, which makes the loop run forever, capturing until the program exits:

    /* Initialize loop forever */
    pv.pkt_cnt = -1;

Alternatively, the number of packets to capture is set on the command line. When the ParseCmdLine function encounters the parameter n, the value of pv.pkt_cnt is reset. The relevant statement in ParseCmdLine is:

    case 'n': /* grab x packets and exit */
        pv.pkt_cnt = atoi(optarg);
        break;

In the snort.c main program, pcap_loop() has two modes of obtaining data: opening the NIC and opening a file.

    /* get the device file descriptor: open the NIC interface */
    pd = pcap_open_live(pv.interface, snaplen, pv.promisc_flag ? PROMISC : 0,
                        READ_TIMEOUT, errorbuf);

    /* open the file */
    pd = pcap_open_offline(intf, errorbuf);

Only one of the two calls above returns the handle pd. Snort stores the real packet in memory in the data structure pointed to by the packet pointer. decode.h defines all the protocol structures Snort uses, including TCP, IP, VLAN and so on. Snort points these structures at the intercepted packet to represent the corresponding protocol; for example, the Ethernet header is accessed through a pointer of type _EtherHdr.
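The ProcessPacket() -> DecodeEthPkt() -> DecodeIP() chain described in 5.4, as an added example in C that is not part of the original text or of Snort's decode.h: the structure, function and constant names are this example's own, the 34-byte frame is constructed inline, and the decoder rejects truncated captures and flags IP fragments (the case 5.1 says the detector must not miss).

```c
/* Added example, not Snort's decode.h: all names here are this example's own. */
#include <stdint.h>
#include <string.h>

#define ETHERNET_HEADER_LEN 14
#define ETHERNET_TYPE_IP    0x0800
#define IP_HEADER_LEN       20

/* Fields a rule engine would match on once the frame is decoded. */
typedef struct {
    int      valid;        /* 0 if a length or type check rejected the frame */
    uint16_t ether_type;
    uint8_t  ip_proto;
    uint8_t  ip_src[4], ip_dst[4];
    uint16_t ip_len;       /* total length claimed by the IP header */
    int      fragment;     /* 1 if MF is set or the fragment offset is non-zero */
} DecodedPkt;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* DecodeIP step: validate the IPv4 header before trusting any field in it. */
static int decode_ip(const uint8_t *pkt, size_t len, DecodedPkt *out) {
    if (len < IP_HEADER_LEN || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < IP_HEADER_LEN || ihl > len) return 0;
    out->ip_len   = rd16(pkt + 2);
    out->fragment = (rd16(pkt + 6) & 0x3fff) != 0;   /* MF bit or offset bits */
    out->ip_proto = pkt[9];
    memcpy(out->ip_src, pkt + 12, 4);
    memcpy(out->ip_dst, pkt + 16, 4);
    return 1;
}

/* DecodeEthPkt step: check the captured length, then dispatch on the ethertype. */
int decode_eth_pkt(const uint8_t *pkt, size_t caplen, DecodedPkt *out) {
    memset(out, 0, sizeof *out);
    if (caplen < ETHERNET_HEADER_LEN) return 0;          /* truncated capture */
    out->ether_type = rd16(pkt + 12);
    if (out->ether_type != ETHERNET_TYPE_IP) return 0;   /* only IPv4 handled here */
    out->valid = decode_ip(pkt + ETHERNET_HEADER_LEN, caplen - ETHERNET_HEADER_LEN, out);
    return out->valid;
}

/* Constructed frame: Ethernet header + IPv4/TCP header, fragment field 0x2001 (MF set, offset 1). */
const uint8_t SAMPLE_FRAME[34] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x3c, 0x1c,0x46, 0x20,0x01, 0x40,0x06, 0x00,0x00,
    192,0,2,10, 198,51,100,7
};
```

Passing the same frame with a caplen shorter than the headers it claims shows the length checks refusing to read past the captured bytes instead of decoding garbage.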