Post on 21-Dec-2015
JPANDDR - Implementation of a JAVA based tool for Protocol Analysis, Network Diagnose, and Data Reassembly
Advisor: Dr. Kai-Wei Ke
Speaker: Jaw-Woei Ma
Date: 2007/07/28
Introduction
JAVA:
- JVM
- Object-oriented
- Mobility (byte code)
- Support for network programming
JPANDDR is based on the JAVA programming language.
Introduction
JAVA API (Application Programming Interface):
- Reuse and extend
- Easy and fast to implement
JPANDDR uses JMF and JPcap.
[Figure: the three main parts of Java 2 and their main APIs]
JMF (Java Media Framework)
- Enables audio, video and other time-based media to be added to applications and applets built on Java technology.
- The JMF API has two parts: plain JMF, and JMF built on top of RTP.
JPcap (Java Package for Packet Capture)
- Allows Java applications to capture and/or send packets on the network.
- Based on libpcap/WinPcap and the Raw Socket API.
JPcap Process Model
[Figure: Jpcap (Java API) sits on WinPcap (Windows OS) or libpcap (Unix OS), which capture/send packets through the Network Interface Card]
JPcap classes
- NetworkInterface: represents a network interface
- JpcapCaptor: capture packets, or read packets from a captured file
- JpcapSender: send packets
- Packet: the root class of all packets captured by Jpcap
Protocol - TCP (Transmission Control Protocol)
- Connection-oriented
- Reliable transmission
- Flow control and congestion control
- ACK and retransmission
Protocol - TCP Header Format
| Field | Size |
|---|---|
| Source Port | 16 bits |
| Destination Port | 16 bits |
| Sequence Number | 32 bits |
| Acknowledgment Number | 32 bits |
| Data Offset | 4 bits |
| Reserved | 6 bits |
| Flags | 6 bits: Urgent, ACK, Push, Reset, Syn, Finish (1 bit each) |
| Window | 16 bits |
| Checksum | 16 bits |
| Urgent Pointer | 16 bits |
| Options | variable length |
| Padding | variable length |
Protocol - Three-Way Handshake Diagram
The client initiates the connection request; the server receives it and responds (time runs downward in the diagram):
1. SYN: the client picks a random port above 1024 and sends a TCP header with SYN=1, seq=10001.
2. SYN/ACK: the server, which has that port open, replies with a TCP header with ACK=1, ack=10002 and SYN=1, seq=20001.
3. ACK: once the received TCP header confirms that everything arrived correctly, the client sends a TCP header with ACK=1, ack=20002; both sides are now ready to send and receive data.
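As an added illustration (not code from the JPANDDR project) of the header layout in the table above and of the handshake messages, the following Java decoder reads the fields of a raw TCP header and names the handshake step a segment belongs to; the sample header bytes are constructed and reuse the slide's seq/ack values.

```java
import java.nio.ByteBuffer;

public class TcpHeaderDecoder {
    /** The TCP header fields from the slide; seq/ack are 32-bit unsigned, so held in a long. */
    public static final class TcpHeader {
        public int srcPort, dstPort, dataOffset, window, checksum, urgentPointer;
        public long seq, ackNum;
        public boolean urg, ack, psh, rst, syn, fin;
        public int headerLength() { return dataOffset * 4; }   // bytes, options included
    }
    /** Decode the header at the start of buf, rejecting truncated or malformed ones. */
    public static TcpHeader decode(byte[] buf) {
        if (buf.length < 20) throw new IllegalArgumentException("TCP header shorter than 20 bytes");
        ByteBuffer b = ByteBuffer.wrap(buf);               // big-endian (network order) by default
        TcpHeader h = new TcpHeader();
        h.srcPort = b.getShort() & 0xFFFF;
        h.dstPort = b.getShort() & 0xFFFF;
        h.seq = b.getInt() & 0xFFFFFFFFL;
        h.ackNum = b.getInt() & 0xFFFFFFFFL;
        h.dataOffset = (b.get() & 0xFF) >>> 4;             // high nibble; low nibble is reserved
        int flags = b.get() & 0xFF;                        // top 2 bits reserved, low 6 are the flags
        h.urg = (flags & 0x20) != 0;  h.ack = (flags & 0x10) != 0;  h.psh = (flags & 0x08) != 0;
        h.rst = (flags & 0x04) != 0;  h.syn = (flags & 0x02) != 0;  h.fin = (flags & 0x01) != 0;
        h.window = b.getShort() & 0xFFFF;
        h.checksum = b.getShort() & 0xFFFF;
        h.urgentPointer = b.getShort() & 0xFFFF;
        if (h.dataOffset < 5 || h.headerLength() > buf.length)
            throw new IllegalArgumentException("data offset " + h.dataOffset + " does not fit the capture");
        return h;                                          // options, if any, are buf[20 .. headerLength())
    }
    /** Which handshake message a segment is, judged from its SYN and ACK bits. */
    public static String handshakeRole(TcpHeader h) {
        if (h.syn && !h.ack) return "SYN";
        if (h.syn && h.ack) return "SYN/ACK";
        if (h.ack && !h.fin && !h.rst) return "ACK";
        return "OTHER";
    }
    public static void main(String[] args) {
        // Constructed sample: the server's reply from the slide (SYN=1, seq=20001, ACK=1, ack=10002), 20-byte header.
        byte[] synAck = {
            0x00, 0x15, (byte) 0xC3, 0x50,              // src port 21 (FTP), dst port 50000
            0x00, 0x00, 0x4E, 0x21,                     // seq 20001
            0x00, 0x00, 0x27, 0x12,                     // ack 10002
            0x50, 0x12, (byte) 0xFF, (byte) 0xFF,       // data offset 5, flags 0x12 = ACK|SYN, window 65535
            0x00, 0x00, 0x00, 0x00 };                   // checksum (left zero), urgent pointer
        TcpHeader h = decode(synAck);
        System.out.println(handshakeRole(h) + " seq=" + h.seq + " ack=" + h.ackNum + " win=" + h.window);
    }
}
```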
Protocol - FTP commands
| Command and syntax | Name | Meaning |
|---|---|---|
| USER <SP> <username> <CR> <LF> | USER | Send the user name |
| QUIT <CR> <LF> | QUIT | End the FTP connection |
| PORT <SP> <a1,a2,a3,a4,p1,p2> <CR> <LF> | PORT | Set the IP address and port of the data connection |
| TYPE <SP> <type-code> <CR> <LF> | TYPE | Set the file type |
| MODE <SP> <mode-code> <CR> <LF> | Transfer MODE | Set the transfer mode |
| STRU <SP> <structure-code> <CR> <LF> | File STRUcture | Set the file structure |
| RETR <SP> <pathname> <CR> <LF> | RETRieve | Download a file |
| STOR <SP> <pathname> <CR> <LF> | STORe | Upload a file |
| NOOP <CR> <LF> | NO OPeration | No operation |
Protocol - Session Establishment System Sequence Diagram
Parties: User Agent Client Ryan@ntut.edu.tw, Proxy Server, User Agent Server Tina@ntut.edu.tw
1. Ryan -> Proxy: INVITE Tina@ntut.edu.tw; Proxy -> Tina: INVITE (from Ryan@ntut.edu.tw)
2. Proxy -> Ryan: 100 Trying
3. Tina -> Proxy: 180 Ringing; Proxy -> Ryan: 180 Ringing
4. Tina -> Proxy: 200 OK; Proxy -> Ryan: 200 OK
5. Ryan -> Tina: ACK
6. conversation
7. BYE
8. 200 OK
JPANDDR
JAVA for Protocol Analysis, Network Diagnose, and Data Reassembly
A network protocol analyzer based on JAVA, JPcap and the JMF API.
JPANDDR functions
(1) Capture packets and header analysis
(2) Protocol analysis
(3) Packet handshaking
(4) Protocol statistics and analysis
(5) Data reassembly and replay
(6) Network debug and diagnose
(7) Make up packets
(8) Additional functions
JPANDDR System Architecture
- Packet Maker Subsystem
- Protocol Process Subsystem
- Network Diagnosis and Debug Subsystem
- Additional Function Subsystem
JPANDDR - Data Reassembly and Replay
FTP data reassembly (for stream mode):
- Remove packet headers
- Packet reorder and reassembly
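An added example, not JPANDDR's own code, of the stream-mode reassembly step: given segments whose headers have already been stripped (constructed sample data), it reorders them by sequence number, drops duplicates, trims overlapping retransmissions, and refuses to produce output across a gap that was never captured. It assumes the capture does not cross a 32-bit sequence-number wrap.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

public class StreamReassembler {
    /** One captured segment after its link, IP and TCP headers have been removed. */
    public static final class Segment {
        final long seq; final byte[] data;
        public Segment(long seq, byte[] data) { this.seq = seq; this.data = data; }
    }
    /**
     * Rebuild the stream that starts at firstSeq (ISN + 1) from segments captured in any order,
     * with duplicates and overlapping retransmissions. A hole no segment fills aborts reassembly,
     * so a lossy capture is never written out as if it were the whole file.
     * Assumption: the capture does not cross the 32-bit sequence-number wrap (not handled here).
     */
    public static byte[] reassemble(long firstSeq, List<Segment> captured) {
        List<Segment> ordered = new ArrayList<>(captured);
        ordered.sort(Comparator.comparingLong((Segment s) -> s.seq));   // packet reorder
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        long next = firstSeq;                                            // first byte not yet written
        for (Segment s : ordered) {
            long end = s.seq + s.data.length;
            if (end <= next) continue;                                   // exact duplicate or stale retransmit
            if (s.seq > next)
                throw new IllegalStateException("gap: bytes " + next + ".." + (s.seq - 1) + " never captured");
            int overlap = (int) (next - s.seq);                          // leading bytes already written
            out.write(s.data, overlap, s.data.length - overlap);
            next = end;
        }
        return out.toByteArray();
    }
    private static Segment seg(long seq, String text) {
        return new Segment(seq, text.getBytes(StandardCharsets.US_ASCII));
    }
    public static void main(String[] args) {
        // Constructed capture of an FTP stream-mode transfer: segments out of order,
        // one exact duplicate, and one retransmission that overlaps already-seen bytes.
        List<Segment> captured = List.of(
            seg(1015, "mode test\n"), seg(1008, "stream "), seg(1000, "JPANDDR "),
            seg(1008, "stream "), seg(1012, "am mode"));
        System.out.print(new String(reassemble(1000, captured), StandardCharsets.US_ASCII));
    }
}
```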
JPANDDR - Network Diagnose
Send an ICMP Echo Request and parse the information in the ICMP Echo Reply, one step at a time:
(1) TCP/IP protocol test - 127.0.0.1
(2) Network card test - the host's own IP
(3) Automatic search for neighbours on the subnet - xxx.xxx.xxx.1~253
(4) Outbound router (gateway) test - xxx.xxx.xxx.254 (default)
(5) DNS server test - 168.95.1.1 (default)
(6) Ping a host on the Internet by name - www.google.com
JPANDDR - Network Diagnose: algorithm
Diagnose
    int step = 0;
    If no error in parsing info. Then
        step = step % 7 + 1        // advance to the next step, cycling 1..7 ((++step)%7 alone could never reach step 7)
        If step == 1 Then          // ping 127.0.0.1 by calling Ping Function()
            call Diagnose_Step1()
        Else If step == 2 Then     // ping self IP address by calling Ping Function()
            call Diagnose_Step2()
        Else If step == 3 Then     // ping IP address near host by calling Ping Function()
            call Diagnose_Step3()
        Else If step == 4 Then     // ping gateway IP address by calling Ping Function()
            call Diagnose_Step4()
        Else If step == 5 Then     // ping DNS server IP address by calling Ping Function()
            call Diagnose_Step5()
        Else If step == 6 Then     // ping www.Google.com.tw by calling Ping Function()
            call Diagnose_Step6()
        Else If step == 7 Then     // ping www.yahoo.com by calling Ping Function()
            call Diagnose_Step7()
        End If
    End If

Ping Function: call the system ping and return the parsed info.

Diagnose Ping
    Send system ping request
    Wait for response
    Parse response information
    If all packets are lost Then
        Stop the next step
        Update user interface
    Else
        Call function Diagnose
        Update user interface
    End If
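An added Java sketch (not the project's code) of the diagnosis loop above: it parses the loss percentage from ping's summary line and walks the step ladder, stopping at the first target that answers nothing. SELF_IP, NEIGHBOUR, GATEWAY and DNS_SERVER are placeholder names, and the ping outputs in main are constructed.

```java
import java.util.Map;
import java.util.function.UnaryOperator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class NetworkDiagnose {
    /** Targets in the slide's order, innermost first. SELF_IP, NEIGHBOUR, GATEWAY and DNS_SERVER
     *  are placeholders that the real tool would fill in from the host configuration (assumption). */
    public static final String[] STEPS =
        { "127.0.0.1", "SELF_IP", "NEIGHBOUR", "GATEWAY", "DNS_SERVER", "www.google.com" };

    // Both "4 packets transmitted, 0 received, 100% packet loss" (Linux iputils) and
    // "Lost = 4 (100% loss)" (English Windows) carry the loss percentage in this form.
    private static final Pattern LOSS = Pattern.compile("(\\d+)% (?:packet )?loss");

    /** Loss percentage from ping's summary line, or -1 when no summary line is present. */
    public static int parseLossPercent(String pingOutput) {
        Matcher m = LOSS.matcher(pingOutput);
        return m.find() ? Integer.parseInt(m.group(1)) : -1;
    }

    /**
     * Walk the steps in order. The first target that returns no reply at all (or output that
     * cannot be parsed) is where the fault lies, so stop there instead of pinging further out.
     * ping is passed in so captured output can drive the logic offline; the real tool would
     * run the system ping command and feed its text back here.
     */
    public static String diagnose(UnaryOperator<String> ping) {
        for (int step = 1; step <= STEPS.length; step++) {
            String target = STEPS[step - 1];
            int loss = parseLossPercent(ping.apply(target));
            if (loss < 0) return "step " + step + ": could not parse ping output for " + target;
            if (loss >= 100) return "step " + step + ": no reply from " + target + ", stop here";
        }
        return "all " + STEPS.length + " steps answered";
    }

    public static void main(String[] args) {
        // Constructed ping summaries: the host and its LAN answer, the gateway does not.
        Map<String, String> replies = Map.of(
            "127.0.0.1", "4 packets transmitted, 4 received, 0% packet loss, time 3005ms",
            "SELF_IP",   "4 packets transmitted, 4 received, 0% packet loss, time 3004ms",
            "NEIGHBOUR", "4 packets transmitted, 3 received, 25% packet loss, time 3010ms",
            "GATEWAY",   "4 packets transmitted, 0 received, 100% packet loss, time 3062ms");
        System.out.println(diagnose(t -> replies.getOrDefault(t, "")));
    }
}
```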
| Recovered file format | Recovery result | Notes |
|---|---|---|
| .jpg | Good | |
| .doc | Good | |
| .ppt | Good | |
| .txt | Good | |
| .exe | Good | |
| .avi | Good | |
| .wav | Acceptable | Sometimes distorted. |
| .html | Acceptable | Images embedded in the page fail. |
| .rm | Good | |
| .mp3 | Good | |
| .rar | Good | Archives sent with best compression and with a password are both recovered correctly. |
| .zip | Good | Archives sent with best compression and with a password are both recovered correctly. |
| .bmp | Acceptable | |
Test Result - Data Reassembly and Replay
[Figure: Client A and Client B hold a voice connection through a hub; JPANDDR captures the traffic and recovers it as a .wav file, sample rate 8 kHz, 16-bit little-endian samples]
System Compare
Sniffer, ClearSight and Ethereal; of these, Ethereal is the most widely used.
JPANDDR - Network Protocol Analyzer; Ethereal - Network Packet Analyzer
| Item | This system (JPANDDR) | Ethereal |
|---|---|---|
| Packet capture and header parsing | Fewer at present, but extensible | More at present |
| Protocol analysis | Same | Same |
| Packet handshaking | Easier to operate | Only in newer versions; harder to operate |
| Protocol and connection statistics | Same basic functions | Same basic functions |
| Message reassembly and file recovery | Yes | No |
| Network debugging and diagnosis | Yes, with automatic diagnosis | The user must diagnose manually |
| Packet crafting | Yes, can build packets of various protocols | Yes |
Conclusions
This research implements a system that provides not only basic functions such as protocol tracking, monitoring and analysis, and network diagnosis capability, but also information retrieval and recovery from the data packets captured on the network.
Future Work
- Extend JPANDDR to wireless network protocols
- Extend it to the IPv6 protocol
- Extend the voice encoding formats that can be recovered
Goal: the world's popular network protocol analyzer
References
http://netresearch.ics.uci.edu/kfujii/jpcap/doc/index.html
http://java.sun.com/products/java-media/jmf/reference/api/index.html
http://www.ethereal.com/