Ex3 in the Computer Communications Course

Last updated on May 11

Exercise 3

Target and Motivation

The target of this exercise is to teach you to extract useful information by sniffing the network. Sometimes, sniffing is the only way to find a bug in a network product. In order to do this, you must understand the interconnection between Ethernet, IP and TCP protocols.

The Task

tcpdump is one of sniffing tools. You are supposed to parse the data collected by tcpdump and to provide some statistics over this data.

The tcpdump file.

There is a tcpdump file at tcpdump.out Its format can be found at format.txt This file was collected at w3.cs.huji.ac.il. For every Ethernet frame, its first 96 bytes were logged into the file.

Applications

You are required to write two programs.

dump_filter
dump_info

The filter

The first program that you are required to write is dump_filter. This program

reads the configuration file, whose name is the first parameter of the dump_filter. If no parameter is given, dump_filter.cfg is used.
reads the tcpdump file from stdin.
prints its header to stdout

You should apply the filter to every record(frame); frame which is not sorted out by the filter is printed to stdout.

The Format of the Configuration File.

Empty lines and lines starting with # are ignored. Otherwise, each line in this file is a tuple. If a packet suits one of the tuples, it is printed. Each tuple has the following format:

Each element may have either a specific value or a special zero value, which means that any value is accepted. Spaces in the line are ignored. Ethernet addresses are given in hex format, and IP addresses are given in "CIDR format". CIDR format uses a slash followed by a number, to define the number of contiguous, left-most "one" bits that define the network mask. For example, /24 for a 24-bit mask. Below are a few examples:

132.65.10.1/24 means all packets with IP address in range: from 132.65.10.1 till 132.65.10.255

132.65.10.1/8 limits the range from 132.1.1.1 to 132.255.255.255

132.65.10.1/0 has the special meaning (for this exercise only). I want you to look at the type of the IP address and accept any host from the same network.

If there is "-" before TCP destination port, you should not print packets belonging to TCP connections, relevant to this port, but have been initiated before tcpdump utility was started.

dump_info.

dump_info reads tcpdump file from stdin, and for every TCP connection prints the following information:

The clients (or the nearest routers) Ethernet address.
IP address of the peer (not of the w3.cs.huji.ac.il
TCP port used by the peer.
The timestamp of the first incoming data packet.
The timestamp of the last outgoing data packet.
The number of outgoing data packets.
The maximal TCP window size of the receiver.
The ratio of data packets sent by w3.cs.huji.ac.il to number of ACK packets sent by peer.
The ratio of useful data (without headers) to total amount of bytes sent by w3.cs.huji.ac.il.

An example of the an output

00:90:92:F8:90:00 61.24.157.207 5000 343243.24324 343243.56564 3 12000 1.20 0.83

If a parameter is not relevant, please print "X" instead of the corresponding value.

Tests

Your program will be tested using only the tcpdump.out file. However I may use any subset of the packets in this file to test your program. It is strongly recommended to write the generic code. For example, do not assume that IP header is always of the same size.

Useful Headers

/usr/include/net/ethernet.h
/usr/include/netinet/ip.h
/usr/include/netinet/tcp.h

The Formats

Time printed in the following format sssssssss.uuuuuu (seconds and microseconds in host order).
Ethernet address is printed in the following form: 00:B0:D0:D4:C0:3C
IP address is printed in the dotted form: 132.65.200.101
Ethernet packet type, IP protocol type and TCP port are printed in decimal format. e.g: 8, 6, 8080 (host order)
Ratio is to be printed with two signs after the dot.

Tools and Libraries

There are several tools (tcpdump, tcpslice, ...) that could help you to read and parse the tcpdump file. You are allowed to use those tools only for verifying your results, while you not allowed to use them as building blocks. The only exception is pcap library. You are allowed to use it for both purposes. I am not familiar with this library and I am not sure that it provides all the functionalities are needed for the exercise. If you decide to use this library and have a question or a problem I am afraid I cannot help you!

Design

Please think carefully about the design of your program. There are many things in common between dump_filter and dump_info.

Submission

Submit ex3.tar which include sources, Makefile and README. Please, follow the general instructions in the course guidelines