Implementing Network Communication Monitoring Based on WINDIS32 Technology
Sun Lechang (PLA Electronic Engineering College)

[Abstract] This article discusses the principle and the implementation process of network communication monitoring. Following the ISO standardized Open Systems Interconnection (OSI) seven-layer architecture and using the Network Driver Interface Specification through WINDIS32 V5.0 technology, it controls the data link layer from the application layer and achieves real-time interception, decomposition and analysis of the data frames flowing on the network.
[Key words] network layering; WINDIS32 technology; network information interception; data frame; NDIS; network adapter

1. Foreword

With the development of computer network technology, the expansion of networks of all kinds, the growth of remote access, and the appearance of virtual private networks (VPN) and of Internet security problems, network security has become an important research discipline in computer networking. Network monitoring is one of the basic measures for ensuring network security: it observes the information moving on the network and exercises appropriate control over it. Network monitoring can be used to debug network applications and to determine whether an application transmits or receives correctly. It can also be used to supervise network content, filter unhealthy material from unhealthy sites and maintain the network environment. Applied to security, it monitors our own information content to ensure network security, and intercepts and analyzes information from hostile sites. Effective attack and defense on computer networks is one of the important development directions of network monitoring technology in the military. The real-time monitoring of network communication discussed in this paper is a breakthrough in data communication programming for a special purpose and is the basis of network monitoring technology; it rests on the network architecture and on WINDIS32 technology.

2. The network architecture

Modern computer networks are designed in a highly structured manner. To allow wider interconnection of computers, the International Organization for Standardization (ISO) developed the standardized Open Systems Interconnection (OSI) network architecture, shown in Figure 1. The OSI reference model uses a structured description method: the communication function of the entire network is divided into seven parts (also called seven layers), each of which completes certain functions.
These are called the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer. When two network hosts communicate, the sender passes data down from the application layer to the physical layer, each layer's protocol module encapsulating the data for the layer below; the data then flows through the network to the receiver, where it is passed up through the protocol stack and delivered to the receiving application. In an ordinary network the data link layer is implemented by the network adapter. The foothold of the network communication monitoring described in this paper is the data link layer: because the medium is inherently a broadcast medium, all information moving on the network can be intercepted and analyzed in real time by controlling the network adapter.

3. WINDIS32 technology

WINDIS32, short for Win32 NDIS (Network Driver Interface Specification), is a network driver interface specification for developing Windows products; it can directly access the NDIS Media Access Control (MAC) driver interface on Windows 9x and Windows NT. Figure 2 shows the Windows network driver components and the Win32 NDIS structural components.

Figure 2. Windows network driver components and WIN32 NDIS components

The WINDIS32 network components consist of four parts: the NDIS adapter, the PCANDIS5 NDIS protocol driver, the W32N50 WINDIS32 API DLL, and the WINDIS32 application. The WINDIS32 application calls the API provided by the W32N50.dll dynamic link library, and access to the NDIS adapter is carried out by the NDIS protocol driver module. The main feature of the NDIS specification is that all adapter-related drivers are wrapped by the NDIS interface: for example, the lowest-level NDIS NIC driver does not perform I/O directly but through the NDIS wrapper services, and the upper-level Windows NDIS network components communicate with the adapter driver through the NDIS wrapper interface. Only an NDIS protocol driver can call the NDIS wrapper to access NDIS adapters.
The WINDIS32 application interface functions include: W32N_OpenAdapter(), which opens a named NDIS adapter driver and, on success, returns a WINDIS32 adapter handle representing the adapter object, which the subsequent W32N_XXX functions use to operate on the adapter; W32N_CloseAdapter(), which closes an open adapter handle; W32N_PacketRead(), a data frame read operation; W32N_PacketReadEx(), an asynchronous data frame read operation; W32N_PacketSend(), which sends a data frame; W32N_PacketSendEx(); W32N_MakeNdisRequest(); and others. WINDIS32 technology makes issuing NDIS requests from the Win32 application layer as simple as issuing them in kernel mode, supports multiple network adapters at the same time, and completes the transmission and reception of information on each of them.

4. The network information monitoring program

The program is divided into two parts, information interception and information analysis. The flow of the information interception program is shown in Figure 3; it uses multi-process and multi-threaded techniques to intercept data in real time. The list of network adapters is generated by reading the system registry; the details of a network adapter, including adapter model, physical address, maximum transmission frame size, transmission rate and machine identifier, are obtained through the function W32N_MakeNdisRequest(). The protocol filtering part is the PCANDIS5 protocol driver, which includes PCAUSA's port of the BPF filter, an emulation of the UNIX mechanism for the Windows environment. It gives Win32 applications a general and convenient mechanism for filtering on specified protocols; the filter is executed by the protocol driver, which rejects unwanted data frames.
The supported protocols include: Transmission Control Protocol (TCP), Internet Protocol (IP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), Internet Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), Novell SPX/IPX, User Datagram Protocol (UDP), NetBEUI and AppleTalk. The information analysis part uses the known media access control protocol to extract the valid field values of a data frame, such as the source host physical address, destination host physical address and frame length. At the same time, each intercepted packet is given a time stamp and a serial number, providing a reliable basis for the subsequent reassembly of the data.
The received data frame display and the information statistics are as follows:

Packet serial number: 0000000032  Time: 0005860470 MSEC  Length: 54/54  Ethernet: 00.40.05.39.A2.B0  Source: 00.00.B4.86.74.FA  Type: 0x0800
000000: 00 40 05 39 A2 B0 00 00 : B4 86 74 FA 08 00 45 00  .@.9......t...E.
000010: 00 28 26 03 40 00 20 06 : A3 25 64 64 64 7A 64 64  .(&.@. ..%dddzdd
000020: 64 65 04 06 00 8B 00 40 : BF 14 00 6C 24 B9 50 10  de.....@...l$.P.
000030: 22 38 12 EA 00 00                                  "8....

Packet serial number: 0000000033  Time: 0005860764 MSEC  Length: 109/109  Ethernet: 00.40.05.39.A2.B0  Source: 00.00.B4.86.74.FA  Type: 0x0800
[remaining frame dumps omitted]

Stop data frame receive. Application statistics: number of data frames received: 34; number of data frames sent: 0.
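As an added example (not code from the paper or from PCAUSA's WINDIS32 package), the following C functions carry out the analysis step described above on frame no. 32 from the display: they extract the destination and source physical addresses and the type field, descend into the IPv4 header only after checking its length and version, and apply a protocol filter of the kind the BPF step performs. The frame bytes are copied from frame 32 above; ETH_HLEN, ETHERTYPE_IP, struct frame_info and the function names are assumptions of this example, not WINDIS32 identifiers.

```c
#include <stdint.h>
#include <string.h>

/* Frame no. 32 as displayed by the paper's program: 54 bytes, Ethernet II + IPv4 + TCP. */
static const uint8_t FRAME32[54] = {
    0x00,0x40,0x05,0x39,0xA2,0xB0, 0x00,0x00,0xB4,0x86,0x74,0xFA, 0x08,0x00, /* dst MAC, src MAC, type */
    0x45,0x00,0x00,0x28,0x26,0x03,0x40,0x00,0x20,0x06,0xA3,0x25,             /* IPv4: ver/IHL ... proto 6 */
    0x64,0x64,0x64,0x7A, 0x64,0x64,0x64,0x65,                                /* IPv4 src, dst address */
    0x04,0x06,0x00,0x8B, 0x00,0x40,0xBF,0x14, 0x00,0x6C,0x24,0xB9,           /* TCP ports, seq, ack */
    0x50,0x10,0x22,0x38, 0x12,0xEA,0x00,0x00                                 /* TCP flags (ACK), window ... */
};

#define ETH_HLEN     14       /* hypothetical names for this example */
#define ETHERTYPE_IP 0x0800

struct frame_info {
    uint8_t  dst[6], src[6];     /* the display's "Ethernet" (destination) and "Source" addresses */
    uint16_t ethertype;          /* the display's "Type" field */
    uint8_t  ip_proto;           /* IPv4 protocol number, 0 when the frame is not IPv4 */
    uint16_t src_port, dst_port; /* TCP/UDP ports, 0 when not present */
};

/* Extract the fields the analysis stage keys on. Returns 0 if the frame is shorter than an Ethernet header. */
int parse_frame(const uint8_t *f, size_t len, struct frame_info *out) {
    memset(out, 0, sizeof *out);
    if (len < ETH_HLEN) return 0;
    memcpy(out->dst, f, 6);
    memcpy(out->src, f + 6, 6);
    out->ethertype = (uint16_t)(f[12] << 8 | f[13]);
    /* Descend into IPv4 only when a full header is present and the version nibble is 4. */
    if (out->ethertype != ETHERTYPE_IP || len < ETH_HLEN + 20 || (f[ETH_HLEN] >> 4) != 4) return 1;
    size_t ihl = (size_t)(f[ETH_HLEN] & 0x0F) * 4;      /* header length in bytes, from IHL */
    out->ip_proto = f[ETH_HLEN + 9];
    if ((out->ip_proto == 6 || out->ip_proto == 17) && ihl >= 20 && len >= ETH_HLEN + ihl + 4) {
        const uint8_t *l4 = f + ETH_HLEN + ihl;          /* TCP or UDP header starts after IHL bytes */
        out->src_port = (uint16_t)(l4[0] << 8 | l4[1]);
        out->dst_port = (uint16_t)(l4[2] << 8 | l4[3]);
    }
    return 1;
}

/* Protocol filter in the spirit of the BPF step: a want_type or want_proto of 0 means "any". */
int frame_passes(const uint8_t *f, size_t len, uint16_t want_type, uint8_t want_proto) {
    struct frame_info fi;
    if (!parse_frame(f, len, &fi)) return 0;             /* truncated frames are rejected */
    if (want_type && fi.ethertype != want_type) return 0;
    if (want_proto && fi.ip_proto != want_proto) return 0;
    return 1;
}
```

On frame 32 the parser yields type 0x0800, protocol 6 (TCP) and ports 1030 to 139, the NetBIOS session service that carries the SMB traffic visible in the following frames.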
5. Further research and development

This paper is part of research on computer network system security countermeasures and belongs to the basic research on network information monitoring. Building on these results, further software can be developed to realize real-time monitoring, intelligence acquisition, online site address analysis and site type analysis, providing monitoring means for the maintenance of computer network security; therein lies its significance.

About the author: Professor at the System Engineering Teaching and Research Office, PLA Electronic Engineering College. Main research directions: computer applications, operating systems and distributed computer systems. Address: System Engineering Teaching and Research Office, No. 342 Yanshan Road, Hefei, postcode 230037.

Abstract: The paper discusses the realizing principle and realizing course of a network monitor. According to the ISO/OSI model of seven layers and making use of WinDis32 V5.0 technology, the network monitor realizes controlling the Data-Link Layer from the Application Layer. It can capture, divide and analyze packets on the network in real time.