Session 2 - 2 - High-performance packet sniffing

Presentation Abstract

Recording network traffic is common practice in honeynets to backup all data that enters or leaves the network. Complete traces provide a means to investigate a phenomenon on the packet level at any later time. The pcap format is the de-facto standard for storing traffic dumps in files, and a number of tools support it. Most of these tools combine capturing and analysis capabilities, but that comes on cost of some overhead that makes them sometimes less suited for specialized tasks. In this talk we will introduce two new open-source tools, multicap and streams, that address the need for more flexible, specialized tools.

In the first part of the presentation we will discuss the special requirements of a packet recorder in honeynets where the most important aspect is a low drop rate. At the same time, traffic should be stored in a way that supports post-processing, e.g., it would be nice to rotate dump files based on time intervals or size. We will then introduce mutlicap, a high performance network sniffer, and explain the design decisions made. In a live demo, some usage examples will be shown.

The second part of the presentation discusses the analysis work-flow during post-processing of recorded packet traces. Amongst the most Session II: Combating the Ever-Evolving Malware common tasks is the analysis of individual TCP streams: an analyst wants to find sessions that contain a certain pattern and decode the data using external tools, downloaded files must be extracted from a recorded FTP session, etc. Many traffic analysis tools lack important features to support this work and are especially of little help when it comes to working with larger trace files. We have developed the tool streams that addresses this lacking and provides analysts with an interface to browse and process recorded streams in a convenient way. We will look at several real-world examples to demonstrate its power and flexibility.


Get the slides here           View the video here











pic by Cedric Blancher
(CC BY-SA-NC)

AttachmentSize
HPW2011_tillmann_werner.jpg128.96 KB
HPW2011 - High-performance packet sniffing - Tillmann Werner.pdf927.6 KB