Sale!

Homework 2: Network Traffic Sniffing

$30.00

CSE508: Network Security,

Homework 2: Network Traffic Sniffing
——————————————————————————-

In this assignment you will develop a passive network monitoring application
written in Go using the GoPacket library. Your program, called ‘mydump’, will
capture the traffic from a network interface in promiscuous mode (or read the
packets from a pcap trace file) and print a record for each packet in its
standard output, much like a simplified version of tcpdump. The user should be
able to specify a BPF filter for capturing a subset of the traffic, and/or a
string pattern for capturing only packets with matching payloads.

Categories: ,

Description

5/5 - (2 votes)

CSE508: Network Security,

Homework 2: Network Traffic Sniffing
——————————————————————————-

In this assignment you will develop a passive network monitoring application
written in Go using the GoPacket library. Your program, called ‘mydump’, will
capture the traffic from a network interface in promiscuous mode (or read the
packets from a pcap trace file) and print a record for each packet in its
standard output, much like a simplified version of tcpdump. The user should be
able to specify a BPF filter for capturing a subset of the traffic, and/or a
string pattern for capturing only packets with matching payloads.

Your program should conform to the following specification:

go run mydump.go [-i interface] [-r file] [-s string] expression

-i Live capture from the network device <interface> (e.g., eth0). If not
specified, mydump should automatically select a default interface to
listen on (hint 1). Capture should continue indefinitely until the user
terminates the program.

-r Read packets from <file> in tcpdump format (hint 2).

-s Keep only packets that contain <string> in their payload (after any BPF
filter is applied). You are not required to implement wildcard or regular
expression matching. A simple string matching operation should suffice.

<expression> is a BPF filter that specifies which packets will be dumped. If
no filter is given, all packets seen on the interface (or contained in the
trace) should be dumped. Otherwise, only packets matching <expression> should
be dumped.

For each packet, mydump prints a record containing the timestamp, source and
destination MAC addresses, EtherType (as a hexadecimal number), packet length,
source and destination IP addresses, protocol type (you need to support only
“TCP”, “UDP”, “ICMP”, and “OTHER”), source and destination ports (for TCP and
UDP packets), the TCP flags in case of TCP packets, and the raw content of the
packet payload (hint 3). You are free, but not required, to enrich the output
with other useful information from the packet headers (e.g., IP/TCP options,
ICMP message types). You do not need to support any link layer protocol other
than Ethernet. Support for IPv6 is also optional.

Your program should be compatible with modern Linux distributions. Your
submission will be tested on Ubuntu.

What to submit:

A tarball (.tar.gz) with all required source code files and a short report
(ASCII text file is fine) with a brief description of your implementation and
a short example output from your program.

Hints:

0. Some useful resources:

https://www.tcpdump.org/pcap.html
https://www.tcpdump.org/index.html#documentation
https://pkg.go.dev/github.com/google/gopacket/
https://pkg.go.dev/github.com/google/gopacket/pcap
https://golang.org/doc/
https://golang.org/pkg/encoding/hex/#example_Dump
https://gobyexample.com/

1. pcap.FindAllDevs()

2. pcap.OpenOffline()

3. Your output should conform to the following format:

2021-02-16 13:14:33.224487 01:00:5E:7F:FF:7F -> C4:3D:C7:17:6F:17 type 0x800 len 92
10.0.0.1:137 -> 10.0.0.255:137 UDP
EB 71 01 10 00 01 00 00 00 00 00 00 20 45 42 45 .q………. EBE
4A 45 42 46 44 43 41 43 41 43 41 43 41 43 41 43 JEBFDCACACACACAC
41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20 ACACACACACAAA..
00 01 ..

2021-02-16 14:44:32.483327 00:1E:4F:A6:2D:77 -> 00:00:5E:00:01:64 type 0x800 len 98
130.245.50.111 -> 130.245.20.2 ICMP
3E 1C F8 49 8E 2A 01 00 08 09 0A 0B 0C 0D 0E 0F >..I.*……….
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F …………….
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !”#$%&'()*+,-./
30 31 32 33 34 35 36 37 01234567

2021-02-16 15:04:13.064632 D0:C7:89:A9:C7:40 -> 00:06:5B:FE:42:1A type 0x800 len 74
192.168.0.1:2365 -> 192.168.1.2:80 TCP SYN

2021-02-16 15:04:13.131911 00:06:5B:FE:42:1A -> D0:C7:89:A9:C7:40 type 0x800 len 74
192.168.1.2:80 -> 192.168.0.1:2365 TCP SYN ACK

2021-02-16 15:04:13.131969 D0:C7:89:A9:C7:40 -> 00:06:5B:FE:42:1A type 0x800 len 66
192.168.0.1:2365 -> 192.168.1.2:80 TCP ACK

2021-02-16 15:04:13.132287 D0:C7:89:A9:C7:40 -> 00:06:5B:FE:42:1A type 0x800 len 168
192.168.0.1:2365 -> 192.168.1.2:80 TCP PSH ACK
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A GET / HTTP/1.0..
55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67 65 74 User-Agent: Wget
2F 31 2E 31 31 2E 34 0D 0A 41 63 63 65 70 74 3A /1.11.4..Accept:
20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 77 77 77 2E */*..Host: www.
67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E google.com..Conn
65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 ection: Keep-Ali
76 65 0D 0A 0D 0A ve….

2021-02-16 15:04:14.283347 00:0C:29:E9:94:8E -> C4:3D:C7:17:6F:99 type 0x806 len 42
00 01 08 00 06 04 00 02 00 0c 29 e9 94 8e c0 a8 ……….)…..
00 c8 c4 3d c7 17 6f 99 56 00 21 14 …=..o.V.!.