Oliver_FF
New Member
- Joined
- Oct 15, 2006
- Messages
- 544 (0.08/day)
| Processor | Intel q9400 @ stock |
|---|---|
| Motherboard | Lanparty P45-T2RS |
| Cooling | Zalman CNPS-9500 |
| Memory | 8GB OCZ PC2-6400 |
| Video Card(s) | BFG Nvidia GTX285 OC |
| Storage | 1TB, 500GB, 500GB |
| Display(s) | 20" Samsung T200HD |
| Case | Antec Mini P180 |
| Audio Device(s) | Sound Blaster X-Fi Elite Pro |
| Power Supply | 700w Hiper |
| Software | Ubuntu x64 virtualising Vista |
I thought I'd share with you all my current project - a network traffic analysis tool I'm writing for Linux. Anyone who's been around for a while should have seen the FAQ I wrote ages (years?) ago about sniffing raw network traffic. In that thread I hinted at some of the possibilities that I'd like to implement in the future if I got the time... Well I've just finished my 4th year of Computer Science at Uni and am waiting for graduation so I figured it was an opportune time to get stuck in.
Just for reference, the interesting stuff I get from each packet I grab from my network includes...
Main Functionality:
Connection View - A list of all active connections on the network within a recent time period. Each connection lists the application using the connection, what transport layer protocol it's using, what application layer protocol it is using over the connection (HTTP, FTP, msnp, etc) and the IP address/resolved host name of the machine on the other end of the connection. As time passes and no packets arrive the status bars drop, when they empty the connection is dropped from the list. The top left button causes the connection to persist indefinitely. The bottom button extends a small text view area which shows a preview of the data travelling over the connection.
Application View - A list of all processes which have recently used the network. It lists the process name, the transport layer protocols it has used, the application layer protocol it is using, a list of each IP address and resolved host name of each host it has communicated with, and a running count of the number of packets it has received, amount of data received and the number of connections it has used. Again, it times out after a long period of inactivity - the button makes it persist on the list.
Host View - A list of all hosts which have been recently communicated with. It lists the IP address and resolved host name, the processes which have communicated with the host, the application/transport layer protocols used and a running count of the amount of packets/data going to the host. Again, the button causes the host to persist in the list.
Thoughts...
It's written in C++ using GTK+ for the user interface. It is currently 2571 lines of C++. The hardest parts are doing all of the lookups dynamically - it can take up to 600ms to lookup which application is using which port and it can take >3000ms to lookup a host. Neither lookups are guaranteed either. All the time you've still got to be grabbing new network data and processing it - all of the lookups have to be offloaded in to new threads and obviously you can't do anything for applications until they've been looked up. In the current implementation, as lookups complete everything gets automatically updated and shuffles along nicely.
Yes, the widgets in the screenshots are stock widgets for Linux these days. Looks good
Just for reference, the interesting stuff I get from each packet I grab from my network includes...
- Source IP address
- Destination IP address
- Source Port
- Destination Port
- Transport layer protocol number
- Data lengths
- Data payload (posssibly encrypted)
Main Functionality:
Connection View - A list of all active connections on the network within a recent time period. Each connection lists the application using the connection, what transport layer protocol it's using, what application layer protocol it is using over the connection (HTTP, FTP, msnp, etc) and the IP address/resolved host name of the machine on the other end of the connection. As time passes and no packets arrive the status bars drop, when they empty the connection is dropped from the list. The top left button causes the connection to persist indefinitely. The bottom button extends a small text view area which shows a preview of the data travelling over the connection.
Code:
+-----------------------------------------------------------+
| (=) firefox {TCP}~[HTTP]195.156.56.743 |
| (v) [=======3567=packets=totalling=~=6,783,568KB========] |
+-----------------------------------------------------------+
+-----------------------------------------------------------+
| (=) firefox {TCP}~[HTTP]somedomain.subdomain.domain.co.uk |
| (v) [=======3567=packets=totalling=~=6,783,568KB========] |
+-----------------------------------------------------------+
+-----------------------------------------------------------+
| (=) firefox {TCP}~[HTTP]somedomain.subdomain.domain.co.uk |
| (^) [=======3567=packets=totalling=~=6,783,568KB========] |
| +-------------------------------------------------------+ |
| | packet data print out g oes here? packet data print | |
| | out goes here? packet dat a printout goes here? pac| |
| | packet data prin tout goes here? pa cket dta p rino| |
| | packet data pri ntout goes he re? pac e t data prn to| |
| | packet da ta p rintout goes here? pcket data ri nto| |
| | packet data printout goes h e re? p cet da t p rinto| |
| | packet data printout goes here? pa ke dta p rinto| |
| +-------------------------------------------------------+ |
+-----------------------------------------------------------+Application View - A list of all processes which have recently used the network. It lists the process name, the transport layer protocols it has used, the application layer protocol it is using, a list of each IP address and resolved host name of each host it has communicated with, and a running count of the number of packets it has received, amount of data received and the number of connections it has used. Again, it times out after a long period of inactivity - the button makes it persist on the list.
Code:
+-----------------------------------------------------------+
| firefox |
| {TCP}[HTTP][FTP] |
| +-------------------------------------------------------+ |
| | somedomain.subdomain.domain.co.uk |^| |
| | somedomain.subdomain.domain.co.uk | | |
| | somedomain.subdomain.domain.co.uk | | |
| | somedomain.subdomain.domain.co.uk | | |
| | somedomain.subdomain.domain.co.uk |v| |
| +-------------------------------------------------------+ |
| [==========3567=packets=totalling=~=6,783,568KB=========] |
+-----------------------------------------------------------+Host View - A list of all hosts which have been recently communicated with. It lists the IP address and resolved host name, the processes which have communicated with the host, the application/transport layer protocols used and a running count of the amount of packets/data going to the host. Again, the button causes the host to persist in the list.
Code:
+----------------------------------------------------------+
| someedomain.subdomain.domain.co.uk (255.255.255.255) |
| (=) [firefox] ~ [TCP] ~ [HTTP] [HTTPS] |
| [=========3567=packets=totalling=~=6,783,568KB=========] |
+----------------------------------------------------------+Thoughts...
It's written in C++ using GTK+ for the user interface. It is currently 2571 lines of C++. The hardest parts are doing all of the lookups dynamically - it can take up to 600ms to lookup which application is using which port and it can take >3000ms to lookup a host. Neither lookups are guaranteed either. All the time you've still got to be grabbing new network data and processing it - all of the lookups have to be offloaded in to new threads and obviously you can't do anything for applications until they've been looked up. In the current implementation, as lookups complete everything gets automatically updated and shuffles along nicely.
Yes, the widgets in the screenshots are stock widgets for Linux these days. Looks good
Attachments
-
Screenshot-1.png -
Screenshot-2.png -
Screenshot-3.png -
Screenshot.png
Last edited: