Project Description.txt

CSE508: Network Security, Spring 2016

Homework 2: Programming with Libpcap
-------------------------------------------------------------------------------

Submission deadline: 3/11/2016 11:59pm EDT
Submission through https://blackboard.stonybrook.edu


In this assignment you will develop a passive network monitoring application
written in C using the libpcap packet capture library. Your program, called
'mydump', will capture the traffic from a network interface in promiscuous mode
(or read the packets from a pcap trace file) and print a record for each packet
in its standard output, much like a simplified version of tcpdump. The user
should be able to specify a BPF filter for capturing a subset of the traffic,
and/or a string pattern for capturing only packets with matching payloads.

Your program should conform to the following specification:

mydump [-i interface] [-r file] [-s string] expression

-i  Listen on network device <interface> (e.g., eth0). If not specified, mydump
    should select a default interface to listen on. (hint 1)

-r  Read packets from <file> (tcpdump format). (hint 2)

-s  Keep only packets that contain <string> in their payload. You are not
    required to implement wildcard or regular expression matching. A simple
    string matching operation should suffice. (hint 3)

<expression> is a BPF filter that specifies which packets will be dumped. If no
filter is given, all packets seen on the interface (or contained in the trace)
will be dumped. Otherwise, only packets matching <expression> will be dumped.

For each packet, mydump outputs a record containing the timestamp, source and
destination MAC address, EtherType, packet length, source and destination IP
address and port, protocol (TCP, UDP, ICMP, OTHER), and the raw content of the
application-layer packet payload (hint 4). You are free, but not required, to
enrich the output with other useful information from the packet headers (e.g.,
TCP flags, IP/TCP options, ICMP message types, etc.).

What to submit:

A tarball with all required source code files, an appropriate Makefile, and a
short report (txt file is fine) with a brief description of your implementation
and an example output from your program.


Hints:

1. pcap_lookupdev()

2. pcap_open_offline()

3. e.g., strstr()

4. 

2016-02-16 13:14:33.224487 01:00:5E:7F:FF:7F -> C4:3D:C7:17:6F:17 type 0x800 len 92
10.0.0.1:137 -> 10.0.0.255:137 UDP
EB 71 01 10 00 01 00 00 00 00 00 00 20 45 42 45  .q.......... EBE
4A 45 42 46 44 43 41 43 41 43 41 43 41 43 41 43  JEBFDCACACACACAC
41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20  ACACACACACAAA..
00 01                                            ..

2016-02-16 14:44:32.483327 00:1E:4F:A6:2D:77 -> 00:00:5E:00:01:64 type 0x800 len 98
130.245.50.111 -> 130.245.20.2 ICMP
3E 1C F8 49 8E 2A 01 00 08 09 0A 0B 0C 0D 0E 0F  >..I.*..........
10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
30 31 32 33 34 35 36 37                          01234567

2016-02-16 15:04:13.064632 D0:C7:89:A9:C7:40 -> 00:06:5B:FE:42:1A type 0x800 len 74
192.168.0.1:2365 -> 192.168.1.2:80 TCP

2016-02-16 15:04:13.131911 00:06:5B:FE:42:1A -> D0:C7:89:A9:C7:40 type 0x800 len 74
192.168.1.2:80 -> 192.168.0.1:2365 TCP

2016-02-16 15:04:13.131969 D0:C7:89:A9:C7:40 -> 00:06:5B:FE:42:1A type 0x800 len 66
192.168.0.1:2365 -> 192.168.1.2:80 TCP

2016-02-16 15:04:13.132287 D0:C7:89:A9:C7:40 -> 00:06:5B:FE:42:1A type 0x800 len 168
192.168.0.1:2365 -> 192.168.1.2:80 TCP
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A  GET / HTTP/1.0..
55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67 65 74  User-Agent: Wget
2F 31 2E 31 31 2E 34 0D 0A 41 63 63 65 70 74 3A  /1.11.4..Accept:
20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 77 77 77 2E   */*..Host: www.
67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E  google.com..Conn
65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
76 65 0D 0A 0D 0A                                ve....