Net Sensor

From Association for Computing Machinery

Jump to: navigation, search

This program aims to be a general-purpose, modular network-analysis suite for use in research, monitoring, diagnostics, forensics, and statistics-gathering. It monitors traffic on an Ethernet interface, performs some preprocessing on it--such as figuring out where a packet's payload begins--and passes it along to any number of modules. A module is an ELF shared object which may maintain state, write data out to disk using the Berkeley DB-backed Writer library, or send e-mail using the SMTP library. In addition to processing packets from the network, a module can also accept input from any number of other modules.

Contents

Sensor Modules

There are currently five sensor modules included:

HTTP (sensor/modules/http)

  • Parses HTTP messages and maintains a table of active HTTP sessions

HTTP Logger (sensor/modules/httpLog)

  • Writes HTTP session headers to disk
  • HTTP session headers may be read back from disk with the dumpHTTP utility (tools/dumpHTTP)

BitTorrent (sensor/modules/bt)

  • Detects .torrent file downloads over HTTP
  • Detects communication with HTTP BitTorrent trackers
  • Detects communication with UDP BitTorrent trackers
  • Sends detailed e-mail notifications of any of the above actitivies to any number of e-mail addresses

Printer Job Language (sensor/modules/pjl)

  • Parses Printer Job Language/PostScript print jobs and maintains a table of active PJL sessions
  • Writes various useful information about them to disk
  • PJL data may be read back from disk with the dumpPJL utility (tools/dumpPJL)
  • Pages printed per computer can be counted up with the countPJL utility (tools/countPJL)

Packets per Second (sensor/modules/pps)

  • Monitors inbound and outbound packet rates of IPv4 addresses
  • Sends out e-mail about IPv4 addresses that exceed a configured packet rate threshold
    • E-mail includes a snippet of traffic to and from a reported IPv4 address

Requirements

The code is C/C++ and has the following dependencies:

  • libpcap (0.9.4 through 1.1.1 tested)
  • Berkeley DB (4.4 through 5.3 tested)
  • libESMTP (1.0.4 through 1.0.6 tested)

Operating systems tested:

  • FreeBSD (7.1 through 9.1)
  • GNU/Linux (kernels 2.6.18 through 2.6.32, glibc 2.5 through 2.11.1)

Microarchitectures tested:

  • i386
  • amd64
  • sparc64

Compilers tested:

  • GCC 4.1.2
  • GCC 4.2.1
  • GCC 4.4.3
  • Clang/LLVM 2.8

Download

Upcoming Features

  • Build Infrastructure
    • NetBSD support
    • OpenBSD support
    • Mac OS X support (added in 0.8.1)
    • Automatic detection of Berkeley DB versions on BSD and OS X (automatic detection on FreeBSD added in r37)
  • Sensor
    • IPv6 support
  • Sensor Modules
    • Optional compression for on-disk records
  • HTTP Sensor Module
    • Chronological ordering of HTTP messages, as opposed to all requests followed by all replies
  • dumpHTTP Utility
    • Filtering by client and server IPv4 addresses (added in 0.8.1)
    • Filtering by HTTP headers

Release History

  • 0.8.1 (October 26th, 2011)
    • New features:
      • Build infrastructure:
        • Added Mac OS X support (assumes an installation of Berkeley DB 4.4 from MacPorts).
      • Libraries:
        • Added a sensor DNS library (sensor/include/dns.*) for reverse DNS resolution.
        • Sensor SMTP library (sensor/include/smtp.*):
          • Modified the subject() and message() member functions to return std::ostringstream objects that can be used to set the subject and message of an e-mail, respectively. This is believed to make using the library easier.
      • Sensor modules:
        • Added PPS module (sensor/modules/pps), which monitors the inbound and outbound packet rates of IPv4 addresses on an arbitrary number of IPv4 networks. If the inbound or outbound packet rate for an IPv4 address exceeds a configured threshold, an e-mail to this effect is sent out, which includes a snippet of traffic to and from the IPv4 address. Sponsored by the New York Internet Company.
        • Added PJL sensor module (sensor/modules/pjl), which parses Printer Job Language/PostScript printer jobs and writes various useful information about them to disk. Sponsored by Ecological, LLC.
    • Tools:
      • Added tools/countPJL for counting up the number of pages printed per computer using data written by the PJL sensor module.
      • Added tools/deleteRecords for deleting records from Berkeley DB Recno databases.
      • Added tools/dumpPJL for displaying data written by the PJL sensor module.
      • tools/dumpHTTP:
        • Added the -cI and -sI command-line options for filtering messages by client and server IPv4 addresses, respectively.
    • Bug fixes:
      • Libraries:
        • Sensor SMTP library (sensor/include/smtp.*):
          • SMTP error messages from previous attempts to send mail are no longer carried over and prepended to new ones.
          • Fixed a bug that caused all e-mail after the first one to be sent to only the last configured recipient.
          • The value of the "from" configuration parameter should not be sent as the SMTP envelope sender, as that has the possibility of violating RFC 2821. Consequently, the "from" configuration parameter has been replaced by the "senderName" and "senderAddress" parameters, from which a correct envelope sender and "From" message header will be generated.
        • Shared address library (shared/include/address.*):
          • The binaryMAC() and textMAC() functions have been converted to use homegrown address-conversion techniques instead of ether_aton_r() and ether_ntoa_r(). This works around a bug in glibc 2.11.1's ether_ntoa_r() function that prevents it from zero-padding Ethernet addresses. It also works around the fact that some UNIX-like systems, such as Mac OS X 10.6.6, don't have the ether_aton_r() or ether_ntoa_r() functions.
      • Sensor:
        • Fixed a potential crash when a malformed TCP packet is captured.
        • Fixed ICMP payload size calculation.
      • Sensor modules:
        • HTTP (sensor/modules/http):
          • Fixed a crash.
      • Tools:
        • tools/dumpHTTP:
          • Added the -req and -res command-line options to the usage message. The options themselves were always present.
  • 0.8.0 (March 1st, 2011)
    • Initial release.
Personal tools