Passive Network Analysis using Libtrace
Passive measurement using captured network traffic is an effective means of analysing and characterising network behaviour. However, developing portable tools to process captured network traffic can be very difficult. There are several different capture formats that are used to create packet traces, e.g. packet traces created using tcpdump will use the PCAP format. In addition, different types of links will encapsulate IP packets using different headers. The link headers on a wireless packet differ greatly to those present on an Ethernet packet. As a result, developing a network analysis tool that is portable across different trace formats and link types can be time consuming and requires extensive networking knowledge.
Libtrace is a packet capture and analysis library that has been developed by the WAND Group at the University of Waikato. It is designed to provide a single consistent API for trace processing where finer details of the various packet capture formats and link types are dealt with internally, allowing researchers to focus on the information they are directly interested in. This abstraction means that analysis programs can be written and tested on captured trace files and subsequently run on a live network source without modification. Libtrace understands many common trace files and live capture formats, including those use to capture traces found in the CAIDA and WITS public trace archives. The library also comes bundled with a suite of simple tools that can perform a variety of common trace manipulation tasks.
This tutorial is designed to showcase the capabilities of the libtrace library and provide attendees with the necessary knowledge so that they can take advantage of those capabilities to perform their own network analysis. This will include a discussion and demonstration of each of the built-in libtrace tools. The libtrace programming API will be described in detail by the library authors, demonstrating how network analysis tasks that are otherwise difficult or awkward to accomplish can be done easily using libtrace.
Attendees will leave the tutorial with a solid understanding of how to use libtrace to effectively perform passive network analysis using both the built–in tools and their own custom libtrace programs. They will also gain a better understanding of some of the difficulties involved in passive trace capture and analysis and how libtrace deals with these problems internally without the user needing to deal with them directly.
Tutorial Outline
The following is a list of topics covered in the tutorial.
- Introduction to passive network measurement
- What is Libtrace, and why should I use it?
- Acquiring and installing Libtrace
- Libtrace basics: trace formats, filtering traffic
- Using the built-in tools effectively
- Simple Libtrace programming
- Guided Tour of the Libtrace API
- Case study: TCP object extraction using Libtrace
- More complicated Libtrace programming – with audience participation!
- Presenting BSOD: an aesthetically pleasing Libtrace program
Target Audience
This tutorial would be beneficial to anyone interested in measuring and analysing network behaviour using passive packet capture. All attendees will be able to benefit from learning the capabilities of the libtrace tools and how to use them optimally. People with programming experience in the C, C++ or Ruby programming languages will gain even more by observing detailed demonstrations that show how to develop libtrace-based network analysis tools.
Organiser Details
All organisers are members of the WAND Group at the University of Waikato
Shane Alcock is one of the primary authors of libtrace and is also responsible for a variety of other software based on libtrace, including an implementation of the IPFIX flow measurement protocol and TCP object extractor. The latter project resulted in a paper being published at ATNAC 2007 entitled “Extracting Applications Objects from TCP Packet Traces”.
Perry Lorier is the chief author and designer of libtrace. Perry has worked on a number of libtrace based projects, most notably the BSOD network traffic visualization tool.
Jamie Curtis has taught several courses relating to network design, measurements and analysis at the University of Waikato. He also provided significant input during the design phases of the libtrace development process and frequently uses the libtrace tools to diagnose problems with the networks that he manages.
Last modified: Monday, 02-Feb-2009 14:27:36 NZDT