A Framework for Packet Trace Manipulation
Christian Kreibich
Motivation
Say you need to solve a problem that involves manipulating network traffic:
- complex filtering (e.g. data analysis)
- fine-grained editing (e.g. header field bitflips)
- large-scale editing (e.g. anonymization)
- visualization (e.g. behavioural analysis)
What do you do?
Motivation II
Find a tool that does it: where? does it build? maintained? If so, lucky you!
Mhmm ... invent here ... again. Okay, pcap. Now you typically need infrastructure:
- data types
- conn. state tracking
- protocol header lookup
Lots of duplicated effort. Cut’n’paste is bad.
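As an added example (not code from the Netdude project or the talk), here is a minimal Python version of the three pieces of infrastructure the slide names, pcap record parsing, protocol header lookup and connection-state tracking, applied to one of the edits from the motivation slide: address anonymization of a trace, with the IPv4 and TCP checksums repaired afterwards. The sample trace, the 10.0.0.0/8 mapping policy and every function name here are assumptions made for this example.

```python
"""Minimal stand-in for the infrastructure the slide lists (pcap record parsing, protocol header
lookup, connection-state tracking) plus one header-field edit: IPv4 address pseudonymisation with
checksum repair. Added example, not Netdude code; the trace below is constructed, not captured."""
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET, ETHERTYPE_IPV4, IPPROTO_TCP = 0xA1B2C3D4, 1, 0x0800, 6  # LE pcap, usec stamps

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def locate_ipv4(pkt: bytes):
    """Header lookup: (ip_offset, header_len) for an Ethernet/IPv4 frame, else None."""
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4 or pkt[14] >> 4 != 4:
        return None
    ihl = (pkt[14] & 0x0F) * 4
    return (14, ihl) if 20 <= ihl <= len(pkt) - 14 else None

def fix_checksums(pkt: bytes) -> bytes:
    """Recompute the IPv4 checksum and, for TCP, the segment checksum (its pseudo-header holds the addresses)."""
    loc = locate_ipv4(pkt)
    if loc is None:
        return pkt
    ip_off, ihl = loc
    hdr, seg = bytearray(pkt[ip_off:ip_off + ihl]), bytearray(pkt[ip_off + ihl:])
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    if hdr[9] == IPPROTO_TCP and len(seg) >= 20:
        seg[16:18] = b"\x00\x00"
        pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
        seg[16:18] = struct.pack("!H", checksum(pseudo + bytes(seg)))
    return pkt[:ip_off] + bytes(hdr) + bytes(seg)

def flow_key(pkt: bytes):
    """Connection-state key (proto, src, sport, dst, dport); None for non-IPv4 frames."""
    loc = locate_ipv4(pkt)
    if loc is None:
        return None
    ip_off, ihl = loc
    sport = dport = 0
    if pkt[ip_off + 9] in (6, 17) and len(pkt) >= ip_off + ihl + 4:  # TCP or UDP ports
        sport, dport = struct.unpack_from("!HH", pkt, ip_off + ihl)
    return (pkt[ip_off + 9], pkt[ip_off + 12:ip_off + 16], sport, pkt[ip_off + 16:ip_off + 20], dport)

def pseudonymise(pkt: bytes, table: dict) -> bytes:
    """Rewrite src/dst with a consistent one-to-one mapping into 10.0.0.0/8 (assumed policy)."""
    loc = locate_ipv4(pkt)
    if loc is None:
        return pkt
    ip_off, edited = loc[0], bytearray(pkt)
    for field in (ip_off + 12, ip_off + 16):
        real = pkt[field:field + 4]
        if real not in table:
            n = len(table) + 1
            table[real] = bytes([10, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])
        edited[field:field + 4] = table[real]
    return fix_checksums(bytes(edited))

def write_pcap(records) -> bytes:
    """records: iterable of ((ts_sec, ts_usec, orig_len), frame)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for (ts_sec, ts_usec, orig_len), pkt in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig_len) + pkt)
    return b"".join(out)

def read_pcap(data: bytes):
    """Yield ((ts_sec, ts_usec, orig_len), frame) per record; other magics/link types are rejected."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC or struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian pcap with Ethernet frames is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        yield (ts_sec, ts_usec, orig_len), data[off:off + incl_len]
        off += incl_len

def anonymise_trace(pcap_bytes: bytes):
    """Count packets per flow and rewrite addresses; returns (new pcap, flow counts, mapping)."""
    table, flows, out = {}, {}, []
    for meta, pkt in read_pcap(pcap_bytes):
        if (key := flow_key(pkt)) is not None:
            flows[key] = flows.get(key, 0) + 1
        out.append((meta, pseudonymise(pkt, table)))
    return write_pcap(out), flows, table

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct an Ethernet/IPv4/TCP frame for the sample trace (constructed, not captured traffic)."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return fix_checksums(eth + ip + tcp + payload)

# Constructed sample trace: an HTTP-like exchange between RFC 5737 documentation addresses.
_frames = [build_packet("192.0.2.10", "198.51.100.5", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
           build_packet("198.51.100.5", "192.0.2.10", 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n"),
           build_packet("192.0.2.10", "198.51.100.5", 40000, 80)]
SAMPLE_TRACE = write_pcap([((1_000_000 + i, 0, len(f)), f) for i, f in enumerate(_frames)])
```

Calling `anonymise_trace(SAMPLE_TRACE)` returns the rewritten trace, two flows (one per direction) and the address table. The checksum step is the part most ad-hoc scripts get wrong: the TCP checksum is computed over a pseudo-header that contains the addresses, so one address edit invalidates two checksums, and a trace with only the IPv4 one repaired is flagged as corrupt by any analyser that verifies transport checksums.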
Motivation III
Current practice: [figure only; not captured in the transcript]
Introducing ...
Netdude — NETwork DUmp Data Editor
Framework for packet inspection and manipulation
- Multiple usage paradigms: GUI + command line
- Scalable to arbitrary trace sizes
- Reusable at all levels
- Extensible
Architecture
[five architecture slides; figures only, no text in the transcript]
Experience
- Fine-grained header field modifications: M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 9th USENIX Security Symposium, 2001
- Large-scale filtering and reassembly: A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, PAM Workshop, 2003
- Fine-grained payload editing: C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003
Future Work
Lots to do:
- Packet resizing
- Less coding
- Scriptability
[Progress chart: "Visual interpretation" plotted against "Perceived length (normalized)", axis from 0 to 1]
Don’t get me wrong ...
Summary
- System detects patterns in network traffic
- Using honeypots, the system can create useful signatures
- Good at worm detection
Todo list:
- Ability to control LCS algorithm (whitelisting?)
- Tests with higher traffic volume
- Experiment with approximate matching
- Better signature reporting scheme
Thanks!
Shoutouts to all contributors! Debian packagers needed ... Questions?