
JPANDDR - Implementation of a JAVA based tool for Protocol Analysis, Network Diagnose, and Data Reassembly
Advisor: Dr. Kai-Wei Ke
Speaker: Jaw-Woei Ma
Date: 2007/07/28
Outline
Introduction
Protocol
JPANDDR
Test Result
Conclusions
Future Work
References
Demo
Introduction
JAVA
JVM
Object-Oriented
Mobility (Byte Code)
Support Network Programming
JPANDDR is based on the JAVA programming language
Introduction
JAVA API
Application Programming Interface
Reuse and Extend
Easy and fast to implement
JPANDDR uses JMF and JPcap
The three main parts of the Java 2 API
JMF
Java Media Framework
Enables audio, video and other time-based media to be added to applications and applets built on Java technology
The JMF API can be divided into two parts: plain JMF and JMF built on top of RTP.
JMF
JMF Process Model
Input: capture media, read a file, receive a network broadcast
Process: add effects, compress/decompress, multiplex/demultiplex, convert
Output: play, store, broadcast over the network
JPcap
Java Package for Packet Capture
Allows Java applications to capture and/or send packets to the network
Based on libpcap/winpcap and the Raw Socket API
JPcap Process Model
Capture/send packets: Jpcap (Java API) -> WinPcap (Windows OS) or libpcap (Unix OS) -> Network Interface Card
JPcap
NetworkInterface: represents a network interface
JpcapCaptor: captures packets from an interface or reads packets from a captured file
JpcapSender: sends packets
Packet: the root class of all packets captured by Jpcap
Protocol
TCP
Transmission Control Protocol
Connection-Oriented
Reliable transmission
Flow Control and Congestion Control
ACK and Retransmission
Protocol
TCP Header Format (left column: bit offset of each 32-bit row)
  0 | Source Port (16 bits)            | Destination Port (16 bits)
 32 | Sequence Number (32 bits)
 64 | Acknowledgment Number (32 bits)
 96 | Data Offset (4 bits) | Reserved (6 bits) | Flags (6 bits) | Window (16 bits)
128 | Checksum (16 bits)               | Urgent Pointer (16 bits)
160 | Options (variable length)        | Padding (variable length)
Flags (6 bits) = Urgent (1 bit), ACK (1 bit), Push (1 bit), Reset (1 bit), Syn (1 bit), Finish (1 bit)
Protocol - Three-Way Handshake Diagram (time runs from top to bottom)
Client side: actively sends the connection request
  A. 1. Pick a random port > 1024
     2. Send a TCP header: a. SYN=1, seq=10001
     ----> SYN
Server side: receives and responds
  B. 1. Has an open (listening) port
     2. Send a TCP header: a. ACK=1, ack=10002
                           b. SYN=1, seq=20001
     <---- SYN/ACK
  C. Client sends a TCP header: a. ACK=1, ack=20002
     ----> ACK
  D. From the received TCP packet headers both sides confirm that all packets arrived correctly and are ready to send and receive data.
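The header layout and handshake above, as an added example that is not part of the original slides: a parser for the 20-byte TCP header (fields and flag bits as in the table), a builder for constructing test segments, and a small state machine that replays parsed headers and reports how far the three-way handshake got. The segments are constructed here with the slide's numbers (client ISN 10001, server ISN 20001); the port numbers and the zero checksum are assumptions for the sake of the example.

```python
import struct

# Bit positions of the six flags in the TCP header (RFC 793), high bit first:
# URG, ACK, PSH, RST, SYN, FIN
FLAG_URG, FLAG_ACK, FLAG_PSH, FLAG_RST, FLAG_SYN, FLAG_FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01


def parse_tcp_header(segment: bytes) -> dict:
    """Split a raw TCP segment into header fields, options and payload.

    The fixed part is 20 bytes; Data Offset (in 32-bit words) says where the payload starts.
    """
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, off_res_flags,
     window, checksum, urgent_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_res_flags >> 12            # 4 bits
    reserved = (off_res_flags >> 6) & 0x3F       # 6 bits
    flags = off_res_flags & 0x3F                 # 6 bits
    header_len = data_offset * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("Data Offset points outside the segment")
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "data_offset": data_offset, "reserved": reserved, "window": window,
        "checksum": checksum, "urgent_pointer": urgent_ptr,
        "flags": {name: bool(flags & bit) for name, bit in
                  (("URG", FLAG_URG), ("ACK", FLAG_ACK), ("PSH", FLAG_PSH),
                   ("RST", FLAG_RST), ("SYN", FLAG_SYN), ("FIN", FLAG_FIN))},
        "options": segment[20:header_len],
        "payload": segment[header_len:],
    }


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535) -> bytes:
    """Build a 20-byte option-less TCP header. The checksum is left at 0 because it
    needs the IP pseudo-header, which this example does not model (assumption)."""
    off_res_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       off_res_flags, window, 0, 0)


def handshake_state(headers) -> str:
    """Replay parsed headers of one connection and report how far the handshake got:
    NONE, SYN_SENT, SYN_RECEIVED or ESTABLISHED.

    A step is accepted only if its ack number equals the peer's ISN + 1, which is how
    a capture tool tells a real handshake from stray SYN/ACK segments."""
    state, client_isn, server_isn = "NONE", None, None
    for h in headers:
        f = h["flags"]
        if state == "NONE" and f["SYN"] and not f["ACK"]:
            client_isn, state = h["seq"], "SYN_SENT"
        elif state == "SYN_SENT" and f["SYN"] and f["ACK"] and h["ack"] == client_isn + 1:
            server_isn, state = h["seq"], "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and f["ACK"] and not f["SYN"] and h["ack"] == server_isn + 1:
            state = "ESTABLISHED"
    return state


def sample_handshake():
    """Constructed segments using the slide's numbers: client ISN 10001, server ISN 20001.
    Client port 40001 and server port 21 are assumed values."""
    syn = build_tcp_header(40001, 21, 10001, 0, FLAG_SYN)
    syn_ack = build_tcp_header(21, 40001, 20001, 10002, FLAG_SYN | FLAG_ACK)
    ack = build_tcp_header(40001, 21, 10002, 20002, FLAG_ACK)
    return [parse_tcp_header(s) for s in (syn, syn_ack, ack)]


if __name__ == "__main__":
    for h in sample_handshake():
        on = [name for name, value in h["flags"].items() if value]
        print(f"{h['src_port']}->{h['dst_port']} seq={h['seq']} ack={h['ack']} flags={on}")
    print("handshake:", handshake_state(sample_handshake()))
```

Feeding the parser a segment whose ack does not match the expected ISN + 1 leaves the state machine where it was, so a capture containing unrelated SYN/ACKs does not get reported as a completed connection.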
Protocol
FTP
File Transfer Protocol
Two TCP connections:
Port 21 for control
Port 20 for data
Protocol
FTP commands
Command and syntax                          | Meaning
USER <SP> <username> <CR> <LF>              | USER: send the user name
QUIT <CR> <LF>                              | QUIT: end the FTP connection
PORT <SP> <a1,a2,a3,a4,p1,p2> <CR> <LF>     | PORT: set the IP address and port of the data connection
TYPE <SP> <type-code> <CR> <LF>             | TYPE: set the file type
MODE <SP> <mode-code> <CR> <LF>             | Transfer MODE: set the transfer mode
STRU <SP> <structure-code> <CR> <LF>        | File STRUcture: set the file structure
RETR <SP> <pathname> <CR> <LF>              | RETRieve: download a file
STOR <SP> <pathname> <CR> <LF>              | STORe: upload a file
NOOP <CR> <LF>                              | NO OPeration: do nothing
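An added example, not code from the slides or from JPANDDR, of what a protocol analyzer does with these control-channel lines: parse each command, decode the PORT argument (four address bytes plus a 16-bit port written as p1*256 + p2), and pair every RETR/STOR with the data connection announced just before it, which is the information needed later to know which data stream carries which file. The session lines, user name, addresses and file names are constructed for this example.

```python
import re

# Command name, optional single space and argument, then CRLF (RFC 959 line format)
FTP_COMMAND_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?\r\n$")


def parse_port_argument(arg: str):
    """PORT a1,a2,a3,a4,p1,p2: four address bytes and a port split as p1*256 + p2."""
    fields = arg.split(",") if arg else []
    if len(fields) != 6:
        raise ValueError("PORT needs exactly six comma-separated numbers")
    nums = []
    for field in fields:
        if not field.isdigit() or int(field) > 255:
            raise ValueError(f"PORT field out of range: {field!r}")
        nums.append(int(field))
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_ftp_command(line: bytes) -> dict:
    """Decode one control-connection line into command and argument."""
    text = line.decode("ascii")      # RFC 959 commands are ASCII; anything else raises
    m = FTP_COMMAND_RE.match(text)
    if not m:
        raise ValueError(f"malformed FTP command line: {line!r}")
    cmd, arg = m.group(1).upper(), m.group(2)
    parsed = {"command": cmd, "argument": arg}
    if cmd == "PORT":
        parsed["data_endpoint"] = parse_port_argument(arg or "")
    return parsed


def track_transfers(lines) -> list:
    """Pair each RETR/STOR with the data endpoint announced by the preceding PORT."""
    transfers, endpoint, user = [], None, None
    for line in lines:
        p = parse_ftp_command(line)
        if p["command"] == "USER":
            user = p["argument"]
        elif p["command"] == "PORT":
            endpoint = p["data_endpoint"]
        elif p["command"] in ("RETR", "STOR"):
            transfers.append({"user": user, "command": p["command"],
                              "pathname": p["argument"], "data_endpoint": endpoint})
            endpoint = None      # one PORT announces exactly one data connection
        elif p["command"] == "QUIT":
            break
    return transfers


def sample_session():
    """Constructed control-channel lines of an active-mode session (not a real capture)."""
    return [
        b"USER alice\r\n", b"TYPE I\r\n", b"MODE S\r\n", b"STRU F\r\n",
        b"PORT 192,168,1,10,4,1\r\n", b"RETR report.doc\r\n",
        b"PORT 192,168,1,10,4,2\r\n", b"STOR photo.jpg\r\n",
        b"NOOP\r\n", b"QUIT\r\n",
    ]


if __name__ == "__main__":
    for t in track_transfers(sample_session()):
        print(t)
```

The PORT parser rejects a wrong field count or a value above 255 instead of guessing, so a malformed line in a capture is reported rather than mapped to a bogus data endpoint.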
Protocol
SIP
Session Initiation Protocol
Client/Server Mode
Request/Response Message
Protocol
Session Establishment System Sequence Diagram
Participants: User Agent Client, Proxy Server, User Agent Server
User Agent Client -> Proxy Server: INVITE
Proxy Server -> User Agent Server: INVITE
100 Trying
180 Ringing
180 Ringing
200 OK
200 OK
ACK
(conversation)
BYE
200 OK
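The call flow above, as an added example that is not part of the original slides: a minimal parser for SIP start lines and headers, and a dialog state machine that consumes the messages one by one and records the state after each. The messages are constructed as the client side would see them (the proxy's forwarded INVITE and the duplicate 180/200 between proxy and server are not visible there); the SIP URIs, Call-ID and CSeq values are assumed.

```python
def parse_sip_message(raw: str) -> dict:
    """Parse the start line and headers of one SIP message; the body is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cseq = headers.get("cseq", "")
    cseq_method = cseq.split()[-1] if cseq else None   # method the response answers
    start = lines[0]
    if start.startswith("SIP/2.0 "):
        _, code, reason = start.split(" ", 2)
        return {"kind": "response", "status": int(code), "reason": reason,
                "cseq_method": cseq_method, "call_id": headers.get("call-id")}
    method, uri, _version = start.split(" ", 2)
    return {"kind": "request", "method": method, "uri": uri,
            "cseq_method": cseq_method, "call_id": headers.get("call-id")}


def dialog_states(messages) -> list:
    """Run the messages through a small state machine and return the state after each.
    Responses are matched to their request by the CSeq method, not by arrival order."""
    state, trace = "IDLE", []
    for raw in messages:
        m = parse_sip_message(raw)
        if m["kind"] == "request":
            if m["method"] == "INVITE" and state == "IDLE":
                state = "INVITING"
            elif m["method"] == "ACK" and state == "ACCEPTED":
                state = "CONFIRMED"
            elif m["method"] == "BYE" and state == "CONFIRMED":
                state = "BYE_SENT"
        elif m["cseq_method"] == "INVITE" and state in ("INVITING", "EARLY"):
            if 100 <= m["status"] < 200:
                state = "EARLY"           # 100 Trying / 180 Ringing
            elif 200 <= m["status"] < 300:
                state = "ACCEPTED"        # 200 OK, waiting for ACK
            else:
                state = "FAILED"
        elif m["cseq_method"] == "BYE" and 200 <= m["status"] < 300 and state == "BYE_SENT":
            state = "TERMINATED"
        trace.append(state)
    return trace


def sample_call():
    """Constructed messages for the slide's flow as seen by the User Agent Client."""
    def msg(start, cseq):
        return (f"{start}\r\nCall-ID: example-call-1\r\nCSeq: {cseq}\r\n"
                "Content-Length: 0\r\n\r\n")
    return [
        msg("INVITE sip:bob@example.com SIP/2.0", "1 INVITE"),
        msg("SIP/2.0 100 Trying", "1 INVITE"),
        msg("SIP/2.0 180 Ringing", "1 INVITE"),
        msg("SIP/2.0 200 OK", "1 INVITE"),
        msg("ACK sip:bob@example.com SIP/2.0", "1 ACK"),
        msg("BYE sip:bob@example.com SIP/2.0", "2 BYE"),
        msg("SIP/2.0 200 OK", "2 BYE"),
    ]


if __name__ == "__main__":
    for raw, state in zip(sample_call(), dialog_states(sample_call())):
        print(f"{raw.splitlines()[0]:40s} -> {state}")
```

Matching on the CSeq method matters because both the INVITE and the BYE are answered with 200 OK; without it the second 200 OK could not be told apart from the first.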
JPANDDR
JAVA for Protocol Analysis, Network Diagnose, and Data Reassembly
Network Protocol Analyzer
Based on JAVA, the JPcap API and the JMF API
JPANDDR
Function - 1
(1) Capture Packets and Header Analysis
(2) Protocol Analysis
(3) Packet Handshaking
(4) Protocol Statistics and Analysis
JPANDDR
Function – 2
(5) Data Reassembly and Replay
(6) Network Debug and Diagnose
(7) Make up Packets
(8) Additional Function
System Architecture
JPANDDR - System Architecture
Input: packets received from the network interface. Output: packets sent to the network interface.
Subsystems:
- Packet Maker Subsystem
- Protocol Process Subsystem: Packet Pool, Statistic Processor, Analytic Processor
- Network Diagnosis and Debug Subsystem: Debugger (ping utility) and Diagnostician (sends ICMP packets)
- Additional Function Subsystem
JPANDDR
Subsystem
Protocol Process Subsystem - Analytic Processor
Received packets -> Transport-layer Protocol Processor -> Protocol Analyzer -> Dispatcher -> Application-layer TCP Protocol Processor or Application-layer UDP Protocol Processor
JPANDDR - Data Reassembly and Replay
FTP Data Reassembly (for Stream Mode):
  Remove the packet header
  Reorder and reassemble the packets
JPANDDR - Data Reassembly and Replay
Pseudo code
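The two reassembly steps above (strip the TCP header, then reorder and join the payloads), as an added example that is not the slides' pseudo code or JPANDDR's own implementation. It handles the cases a real capture produces: segments out of order, exact duplicates, overlapping retransmissions, and a segment that never arrived, which is padded and reported as a gap so that the restored file keeps its offsets. The 46-byte "file", the ISN and the segment boundaries are constructed for this example; 32-bit sequence wrap-around is assumed not to occur within one capture.

```python
def strip_tcp_header(segment: bytes):
    """Return (sequence number, payload) of a raw TCP segment, using Data Offset
    (high nibble of byte 12, in 32-bit words) to find where the header ends."""
    seq = int.from_bytes(segment[4:8], "big")
    header_len = (segment[12] >> 4) * 4
    return seq, segment[header_len:]


def reassemble_stream(chunks, isn=None):
    """Rebuild the byte stream from (seq, payload) pairs that may be out of order,
    duplicated or overlapping.

    Returns (data, gaps). Bytes that never arrived are filled with zeros so later data
    keeps its offset, and each missing range is listed in gaps; a non-empty gaps list
    is the "distorted" outcome the test table mentions for some restored files.
    Assumption: sequence numbers do not wrap around 2**32 inside one capture."""
    ordered = sorted(chunks, key=lambda c: c[0])
    if not ordered:
        return b"", []
    expected = ordered[0][0] if isn is None else isn
    data, gaps = bytearray(), []
    for seq, payload in ordered:
        end = seq + len(payload)
        if end <= expected:
            continue                          # pure duplicate of data already placed
        if seq > expected:
            gaps.append((expected, seq))      # hole: record it and pad
            data.extend(b"\x00" * (seq - expected))
            expected = seq
        data.extend(payload[expected - seq:])  # drop the overlapping prefix, if any
        expected = end
    return bytes(data), gaps


def sample_capture():
    """Constructed capture: a 46-byte 'file' sent in four segments, observed out of
    order, with one duplicate and one overlapping retransmission. Each segment is a
    20-byte TCP header (only seq and Data Offset are filled in) plus payload."""
    content = b"Hello, JPANDDR stream mode reassembly example!"
    isn = 10002                               # first data byte, i.e. client ISN + 1

    def seg(start, stop):
        header = bytearray(20)
        header[4:8] = (isn + start).to_bytes(4, "big")
        header[12] = 5 << 4                   # Data Offset 5 words = 20 bytes, no options
        return bytes(header) + content[start:stop]

    segments = [seg(24, 36), seg(0, 12), seg(12, 24), seg(0, 12), seg(30, 46)]
    return isn, content, segments


if __name__ == "__main__":
    isn, content, segments = sample_capture()
    data, gaps = reassemble_stream([strip_tcp_header(s) for s in segments], isn)
    print("restored OK:", data == content, "gaps:", gaps)
```

Passing the ISN explicitly matters: if the first captured segment is not the first byte of the stream, deriving the start from the lowest observed sequence number would silently hide a missing head of the file.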
JPANDDR - Data Reassembly and Replay
VoIP Data Reassembly: RTP transmission, for PCM encoding
JPANDDR - Data Reassembly and Replay
PCM decode (1/2)
JPANDDR - Data Reassembly and Replay
PCM decode (2/2)
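An added example, not code from the slides or from JPANDDR, of the VoIP path from RTP packets to a playable file: parse the RTP header, put the packets back in sequence-number order, drop duplicates, decode the PCM payload to 16-bit linear samples, and write a mono WAV with the parameters the test slide gives (8 kHz, 16 bits, little endian). The payload is assumed to be G.711 mu-law (RTP static payload type 0, PCMU); the three packets, their SSRC and timestamps are constructed, and 16-bit RTP sequence wrap-around is assumed not to happen within one capture.

```python
import io
import struct
import wave

SAMPLE_RATE = 8000     # 8 kHz, 16-bit little-endian mono, as in the test slide
PT_PCMU = 0            # RTP static payload type 0 = G.711 mu-law (assumed payload)


def parse_rtp(packet: bytes) -> dict:
    """Parse the 12-byte fixed RTP header plus CSRC list, extension and padding."""
    if len(packet) < 12:
        raise ValueError("RTP packet shorter than the fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    version, padding, extension, csrc_count = b0 >> 6, (b0 >> 5) & 1, (b0 >> 4) & 1, b0 & 0x0F
    if version != 2:
        raise ValueError("not RTP version 2")
    header_len = 12 + 4 * csrc_count
    if extension:
        ext_words = struct.unpack("!H", packet[header_len + 2:header_len + 4])[0]
        header_len += 4 + 4 * ext_words
    payload = packet[header_len:]
    if padding and payload:
        payload = payload[:len(payload) - payload[-1]]   # last byte = padding length
    return {"seq": seq, "timestamp": timestamp, "ssrc": ssrc,
            "marker": b1 >> 7, "payload_type": b1 & 0x7F, "payload": payload}


def build_rtp(seq, timestamp, payload, payload_type=PT_PCMU, ssrc=0x1234ABCD) -> bytes:
    """Constructed RTP packet: version 2, no CSRC, no extension, no padding."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, timestamp, ssrc) + payload


def ulaw_to_linear(byte: int) -> int:
    """G.711 mu-law byte -> 16-bit linear PCM sample (range -32124..32124)."""
    byte = ~byte & 0xFF
    sign, exponent, mantissa = byte & 0x80, (byte >> 4) & 0x07, byte & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def rtp_to_pcm(packets) -> list:
    """Order packets by RTP sequence number, drop duplicates and non-PCMU payloads,
    and decode to 16-bit samples."""
    seen, samples = set(), []
    for p in sorted((parse_rtp(pk) for pk in packets), key=lambda p: p["seq"]):
        if p["seq"] in seen or p["payload_type"] != PT_PCMU:
            continue
        seen.add(p["seq"])
        samples.extend(ulaw_to_linear(b) for b in p["payload"])
    return samples


def pcm_to_wav(samples) -> bytes:
    """Write 16-bit little-endian mono WAV bytes at 8 kHz."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return buf.getvalue()


def wav_info(wav_bytes: bytes) -> dict:
    """Read back the header of a WAV produced above (used to check the output)."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as r:
        return {"rate": r.getframerate(), "width": r.getsampwidth(),
                "channels": r.getnchannels(), "frames": r.getnframes(),
                "first_frames": r.readframes(2)}


def sample_rtp_stream():
    """Constructed stream: three 4-byte PCMU packets, captured out of order, one duplicated.
    mu-law 0xFF decodes to 0, 0x00 to -32124 and 0x80 to +32124."""
    p1 = build_rtp(1, 0, b"\xff\x00\x80\xff")
    p2 = build_rtp(2, 4, b"\xff\xff\xff\xff")
    p3 = build_rtp(3, 8, b"\x80\x80\x00\x00")
    return [p2, p3, p1, p2]


if __name__ == "__main__":
    pcm = rtp_to_pcm(sample_rtp_stream())
    print(len(pcm), "samples:", pcm)
    print(wav_info(pcm_to_wav(pcm)))
```

A packet that is simply missing is not padded here, so a lost packet shortens the audio by its duration; inserting silence for the missing timestamps instead is the alternative if timing must be preserved.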
JPANDDR - Network Diagnose
ICMP Echo Request
Parse the information in the "ICMP Echo Reply"
(1) TCP/IP protocol test - 127.0.0.1
(2) Network card test - own IP
(3) Automatic search for neighbours on the subnet - xxx.xxx.xxx.1~253
(4) Outbound router (gateway) test - xxx.xxx.xxx.254 (default)
(5) DNS server test - 168.95.1.1 (default)
(6) ping the address of a host on the Internet - www.google.com
JPANDDR - Network Diagnose
The Diagnose algorithm calls the system Ping; the Ping algorithm returns the parsed reply information to Diagnose.

Diagnose algorithm
  int step = 0;
  If no error in the parsed info Then
    step = step + 1    // steps 1..7 run once each; a modulo-7 counter would never reach step 7
    If step == 1 Then
      call Diagnose_Step1()   // ping 127.0.0.1 by calling Ping Function()
    Else If step == 2 Then
      call Diagnose_Step2()   // ping own IP address by calling Ping Function()
    Else If step == 3 Then
      call Diagnose_Step3()   // ping IP addresses near the host by calling Ping Function()
    Else If step == 4 Then
      call Diagnose_Step4()   // ping the gateway IP address by calling Ping Function()
    Else If step == 5 Then
      call Diagnose_Step5()   // ping the DNS server IP address by calling Ping Function()
    Else If step == 6 Then
      call Diagnose_Step6()   // ping www.google.com.tw by calling Ping Function()
    Else If step == 7 Then
      call Diagnose_Step7()   // ping www.yahoo.com by calling Ping Function()
    End If
  End If

Ping algorithm
  Send the system Ping request
  Wait for the response
  Parse the response information
  If all packets are lost Then
    Stop the next step
    Update the user interface
  Else
    Call function Diagnose
    Update the user interface
  End If
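The stepwise diagnosis above, as an added example that is not the slides' pseudo code or JPANDDR's implementation: a parser for the summary line of a system ping transcript (Linux and Windows formats), the stage list in the slides' order (loopback, own address, gateway, DNS, Internet host; the neighbour sweep is left out), and a driver that stops at the first stage with 100% loss or an unparsable reply. The ping transcripts are constructed and stand in for the real system command; the own address 192.168.1.10 and gateway 192.168.1.254 are assumed values following the slide's xxx.xxx.xxx.254 default, and the scenario reproduces the "No gateway" test result.

```python
import re

# Summary lines printed by the system ping on Linux and Windows (samples are constructed)
LINUX_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) received")
WINDOWS_SUMMARY = re.compile(r"Sent = (\d+), Received = (\d+)")
LINUX_RTT = re.compile(r"= [\d.]+/([\d.]+)/")      # rtt min/avg/max/mdev: take avg
WINDOWS_RTT = re.compile(r"Average = (\d+)ms")


def parse_ping_output(output: str) -> dict:
    """Extract sent/received counts and average RTT from a ping transcript.
    Raises ValueError when no summary line is present, so a truncated transcript is
    reported as a parse error rather than silently treated as 'all lost'."""
    m = LINUX_SUMMARY.search(output) or WINDOWS_SUMMARY.search(output)
    if not m:
        raise ValueError("no ping summary line found")
    sent, received = int(m.group(1)), int(m.group(2))
    rtt = LINUX_RTT.search(output) or WINDOWS_RTT.search(output)
    return {"sent": sent, "received": received,
            "loss_pct": 100.0 * (sent - received) / sent if sent else 100.0,
            "avg_rtt_ms": float(rtt.group(1)) if rtt else None}


def diagnosis_plan(own_ip, gateway, dns="168.95.1.1", host="www.google.com"):
    """The slides' sequence (neighbour sweep omitted); each stage only makes sense if
    the previous one answered. Defaults for DNS and host are the ones the slide lists."""
    return [("TCP/IP stack", "127.0.0.1"), ("network card", own_ip),
            ("gateway", gateway), ("DNS server", dns), ("Internet host", host)]


def run_diagnosis(plan, ping):
    """Walk the plan, calling ping(target) -> transcript at each stage, and stop at the
    first stage where every echo request is lost or the reply cannot be parsed."""
    report = []
    for stage, target in plan:
        try:
            info = parse_ping_output(ping(target))
        except ValueError as exc:
            report.append({"stage": stage, "target": target,
                           "status": "parse error", "detail": str(exc)})
            break
        if info["received"] == 0:
            report.append({"stage": stage, "target": target,
                           "status": "unreachable", "detail": "100% loss"})
            break
        report.append({"stage": stage, "target": target, "status": "ok",
                       "detail": f"{info['loss_pct']:.0f}% loss, avg {info['avg_rtt_ms']} ms"})
    return report


def fake_ping_no_gateway(target: str) -> str:
    """Constructed transcripts standing in for the system ping, reproducing the slides'
    'No gateway' test: loopback and own address answer, the gateway does not."""
    ok = ("4 packets transmitted, 4 received, 0% packet loss, time 3005ms\n"
          "rtt min/avg/max/mdev = 0.040/0.055/0.071/0.012 ms\n")
    lost = "4 packets transmitted, 0 received, 100% packet loss, time 3098ms\n"
    return ok if target in ("127.0.0.1", "192.168.1.10") else lost


if __name__ == "__main__":
    for entry in run_diagnosis(diagnosis_plan("192.168.1.10", "192.168.1.254"),
                               fake_ping_no_gateway):
        print(f"{entry['stage']:14s} {entry['target']:16s} {entry['status']}: {entry['detail']}")
```

Injecting the ping function keeps the decision logic testable without sending any traffic; in a real run it would wrap the system `ping` command and return its stdout.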
Test Result - Network Diagnose
Network Diagnose Report
Test Result - Network Diagnose
Two test results:
(1) No IP
(2) No gateway
Test Result - Data Reassembly and Replay
Using LeapFTP, Stream Mode
Restored file format | Restoration result | Notes
.jpg  | Good       |
.doc  | Good       |
.ppt  | Good       |
.txt  | Good       |
.exe  | Good       |
.avi  | Good       |
.wav  | Acceptable | Sometimes distorted.
.html | Acceptable | Images embedded in the web page fail.
.rm   | Good       |
.mp3  | Good       |
.rar  | Good       | Archives sent with the best compression setting and with a password are both restored correctly.
.zip  | Good       | Archives sent with the best compression setting and with a password are both restored correctly.
.bmp  | Acceptable |
Test Result - Data Reassembly and Replay
Sample Rate: 8 kHz
Sample Bits: 16 bits
Little Endian
.wav file
Test setup: Client A and Client B connected through a hub, with a voice connection between them
JPANDDR
System Compare
Sniffer, ClearSight and Ethereal, of which Ethereal is the most widely used
JPANDDR - Network Protocol Analyzer
Ethereal - Network Packet Analyzer
System Compare
Feature | This system (JPANDDR) | Ethereal
Packet capture and header parsing | Currently fewer, but extensible | Currently more
Protocol analysis | Same | Same
Packet handshaking | Easier to operate | Only available in newer versions; harder to operate
Protocol connection statistics and analysis | Same basic functions | Same basic functions
Message reassembly and file restoration | Yes | No
Network debugging and diagnosis | Yes, with automatic debugging and diagnosis | The user must diagnose by hand
Building own packets | Yes, with packet construction for various protocols | Yes
Conclusions
This research implements a system that provides not only basic functions such as protocol tracking, monitoring and analysis and a network diagnosis capability, but also information retrieval and recovery from the data packets captured on the network.
Future Work
JPANDDR
Extension to wireless network protocols
Extension to the IPv6 protocol
Extension of the voice encoding formats that can be restored
Goal: the world's most popular network protocol analyzer
References
http://netresearch.ics.uci.edu/kfujii/jpcap/doc/index.html
http://java.sun.com/products/javamedia/jmf/reference/api/index.html
http://www.ethereal.com/
Demo