JPANDDR - Implementation of a JAVA based tool for Protocol Analysis, Network Diagnose, and Data Reassembly

Advisor: Dr. Kai-Wei Ke
Speaker: Jaw-Woei Ma
Date: 2007/07/28


Outline

- Introduction
- Protocol
- JPANDDR
- Test Result
- Conclusions
- Future Work
- References
- Demo

Introduction - JAVA

- JVM
- Object-Oriented
- Mobility (Byte Code)
- Support Network Programming

JPANDDR is based on the JAVA programming language.

Introduction - JAVA API

- Application Programming Interface
- Reuse and Extend
- Easy and fast to implement
- JPANDDR uses JMF and JPcap
- The main APIs of the three parts of Java 2

JMF

Java Media Framework: enables audio, video and other time-based media to be added to applications and applets built on Java technology.

The JMF API can be divided into two parts: plain JMF, and JMF built on top of RTP.

JMF Process Model

Input: capture media, read a file, receive a broadcast
Process: add effects, compress/decompress, multiplex/demultiplex, convert
Output: play, store, network broadcast

JPcap

Java Package for Packet Capture
- allows Java applications to capture and/or send packets to the network
- based on libpcap/winpcap and the Raw Socket API

JPcap Process Model

Network Interface Card
  -> libpcap (Unix OS) / WinPcap (Windows OS)
  -> Jpcap (Java API)
  -> capture / send packets

JPcap

- NetworkInterface: represents a network interface
- JpcapCaptor: capture packets or read packets from a captured file
- JpcapSender: send packets
- Packet: the root class of all the packets captured by Jpcap

Protocol - TCP

Transmission Control Protocol
- Connection-Oriented
- Reliable transmission
- Flow Control and Congestion Control
- ACK and Retransmission

Protocol - TCP Header Format

Bit offset | Fields
0          | Source Port (16 bits) | Destination Port (16 bits)
32         | Sequence Number (32 bits)
64         | Acknowledgment Number (32 bits)
96         | Data Offset (4 bits) | Reserved (6 bits) | Flags (6 bits) | Window (16 bits)
128        | Checksum (16 bits) | Urgent Pointer (16 bits)
160        | Options (variable length) | Padding (variable length)

Flags (6 bits) = Urgent (1 bit), ACK (1 bit), Push (1 bit), Reset (1 bit), Syn (1 bit), Finish (1 bit)

Protocol - Three-Way Handshake Diagram

(A) Client -> Server: SYN
    The client actively sends the connection request.
    1. Pick a random port > 1024
    2. Send a TCP header with SYN=1, seq=10001

(B) Server -> Client: SYN/ACK
    The server receives the request and responds.
    1. The requested port is open
    2. Send a TCP header with a. ACK=1, ack=10002  b. SYN=1, seq=20001

(C) Client -> Server: ACK
    Send a TCP header with a. ACK=1, ack=20002
    From the received TCP header, confirm that all packets were received correctly; both sides can now prepare to send and receive.

(D) Time elapses; the connection is established.
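The header layout and the handshake above, worked through as an added example (not JPANDDR's own code): it decodes the TCP header fields from a raw segment whose Ethernet and IP headers were already removed, and checks that three segments form the SYN, SYN/ACK, ACK exchange using the slide's sequence numbers. The port numbers and the encoding helper are constructed for the example.

```python
import struct

# Bit values of the six TCP flags in the header's 6-bit Flags field.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def parse_tcp_header(segment):
    """Decode the fields of the TCP header shown on the slide from a raw segment
    (Ethernet and IP headers already removed)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes (20..60)
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset %d inconsistent with segment length" % data_offset)
    flags = off_flags & 0x3F                     # low 6 bits; the 6 reserved bits are skipped
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "window": window, "checksum": csum, "urgent": urg,
        "flags": sorted(name for name, bit in FLAG_BITS.items() if flags & bit),
        "options": segment[20:data_offset], "payload": segment[data_offset:],
    }

def build_tcp_header(sport, dport, seq, ack, flag_names, window=8192):
    """Constructed helper: encode a 20-byte header (no options, checksum left 0)."""
    flags = sum(FLAG_BITS[n] for n in flag_names)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)

def check_handshake(segments):
    """True if three segments form the SYN, SYN/ACK, ACK exchange of the slide."""
    a, b, c = (parse_tcp_header(s) for s in segments)
    if a["flags"] != ["SYN"] or b["flags"] != ["ACK", "SYN"] or c["flags"] != ["ACK"]:
        return False
    if b["src_port"] != a["dst_port"] or b["dst_port"] != a["src_port"]:
        return False
    # The SYN occupies one sequence number, so each side must acknowledge ISN + 1.
    return b["ack"] == a["seq"] + 1 and c["ack"] == b["seq"] + 1 and c["seq"] == a["seq"] + 1

# Constructed handshake using the slide's numbers: client ISN 10001, server ISN 20001.
HANDSHAKE = [
    build_tcp_header(49152, 21, 10001, 0, ["SYN"]),            # client -> server
    build_tcp_header(21, 49152, 20001, 10002, ["SYN", "ACK"]), # server -> client
    build_tcp_header(49152, 21, 10002, 20002, ["ACK"]),        # client -> server
]
```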

Protocol - FTP

File Transfer Protocol
- 2 TCP connections
- Port 21 for control
- Port 20 for data

Protocol - FTP command

Command and syntax | Meaning
USER <SP> <username> <CR> <LF> | USER: send the user name
QUIT <CR> <LF> | QUIT: end the FTP connection
PORT <SP> <a1,a2,a3,a4,p1,p2> <CR> <LF> | PORT: set the IP address and port of the data connection
TYPE <SP> <type-code> <CR> <LF> | TYPE: set the file mode
MODE <SP> <mode-code> <CR> <LF> | Transfer MODE: set the transfer mode
STRU <SP> <structure-code> <CR> <LF> | File STRUcture: set the file structure
RETR <SP> <pathname> <CR> <LF> | RETRieve: download a file
STOR <SP> <pathname> <CR> <LF> | STORe: upload a file
NOOP <CR> <LF> | NO OPeration: do nothing

Protocol - SIP

Session Initiation Protocol
- Client/Server Mode
- Request/Response Message

Protocol - Session Establishment System Sequence Diagram

Participants: User Agent [email protected], Proxy Server, User Agent [email protected]

1. INVITE [email protected] (calling User Agent -> Proxy Server)
2. INVITE [email protected] (Proxy Server -> called User Agent)
3. 100 Trying (Proxy Server -> calling User Agent)
4. 180 Ringing (called User Agent -> Proxy Server)
5. 180 Ringing (Proxy Server -> calling User Agent)
6. 200 OK (called User Agent -> Proxy Server)
7. 200 OK (Proxy Server -> calling User Agent)
8. ACK
   -- conversation --
9. BYE
10. 200 OK

JPANDDR

JAVA for Protocol Analysis, Network Diagnose, and Data Reassembly
- Network Protocol Analyzer
- Based on JAVA, JPcap and the JMF API

JPANDDR - Function

(1) Capture Packets and Header Analysis
(2) Protocol Analysis
(3) Packet Handshaking
(4) Protocol Statistics and Analysis
(5) Data Reassembly and Replay
(6) Network Debug and Diagnose
(7) Make up Packets
(8) Additional Function

JPANDDR - System Architecture

- Packet Maker Subsystem
- Protocol Process Subsystem
- Network Diagnosis and Debug Subsystem
- Additional Function Subsystem

JPANDDR - Protocol Process Subsystem - Analytic Processor

JPANDDR - Data Reassembly and Replay

FTP Data Reassembly (for Stream Mode)
- Remove the packet headers
- Packet reorder and reassembly

JPANDDR - Data Reassembly and Replay - pseudo code
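The stream-mode FTP reassembly described above (remove headers, reorder, reassemble) together with the PORT command from the FTP command table, as an added example that is not JPANDDR's own pseudo code: the control-channel text is scanned for the data-connection endpoint, and the data-connection segments (already stripped of their Ethernet, IP and TCP headers) are reordered by TCP sequence number with duplicates, retransmissions and holes handled. The capture contents and sequence numbers are constructed.

```python
import re

# PORT a1,a2,a3,a4,p1,p2 as in the FTP command table (client announces its data endpoint).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$", re.M)

def parse_port_command(control_text):
    """Return (ip, port) of the data connection announced on the control channel
    (port 21), or None when no PORT command is present."""
    m = PORT_RE.search(control_text)
    if not m:
        return None
    a1, a2, a3, a4, p1, p2 = (int(x) for x in m.groups())
    if max(a1, a2, a3, a4, p1, p2) > 255:
        raise ValueError("PORT argument out of range")
    return "%d.%d.%d.%d" % (a1, a2, a3, a4), p1 * 256 + p2

def reassemble_stream(segments, first_seq):
    """segments: (tcp_seq, payload) pairs from the data connection, with Ethernet,
    IP and TCP headers already removed, possibly out of order, duplicated or
    retransmitted.  Returns the stream-mode file bytes and any unfilled gaps."""
    out = bytearray()
    gaps = []
    expected = first_seq                      # next sequence number we want
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if not payload:
            continue                          # pure ACK / SYN / FIN carry no file data
        end = seq + len(payload)
        if end <= expected:
            continue                          # duplicate or fully retransmitted data
        if seq > expected:                    # hole: segment lost or not captured
            gaps.append((expected, seq))
            expected = seq
        out += payload[expected - seq:]       # drop the overlap we already hold
        expected = end
    return bytes(out), gaps

# Constructed capture: control text plus three data-channel segments that arrived
# out of order, one of them a retransmission overlapping its neighbours.
CONTROL = "USER anonymous\r\nPORT 192,168,1,10,4,1\r\nTYPE I\r\nRETR hello.txt\r\n"
DATA_SEGMENTS = [
    (1008, b"world!\n"),   # bytes 1008..1014, captured first
    (1001, b"hello, "),    # bytes 1001..1007
    (1005, b"o, wor"),     # retransmission covering 1005..1010
]
```

The recorded gaps are what a practitioner would check before trusting a recovered file: a non-empty list means the capture missed data and the output is not the original file.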

JPANDDR - Data Reassembly and Replay

VoIP Data Reassembly
- RTP transmission
- For PCM encoding

JPANDDR - Data Reassembly and Replay - PCM decode (1/2)

JPANDDR - Data Reassembly and Replay - PCM decode (2/2)
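The VoIP reassembly and PCM decode steps above, as an added example that is not JPANDDR's decoder: it parses RTP packets, reorders them by sequence number, expands the G.711 mu-law (RTP payload type 0, assumed here to be the "PCM encode" the slide refers to) to 16-bit linear PCM and writes the 8 kHz, 16-bit little-endian mono .wav container that the test-result slide describes. The RTP packets, SSRC and sample bytes are constructed.

```python
import struct

def ulaw_to_linear(b):
    """Expand one G.711 mu-law byte to a signed 16-bit linear PCM sample."""
    u = ~b & 0xFF
    t = (((u & 0x0F) << 3) + 0x84) << ((u & 0x70) >> 4)
    return (0x84 - t) if (u & 0x80) else (t - 0x84)

def parse_rtp(packet):
    """Split an RTP packet (RFC 3550 fixed header, CSRCs, extension, padding)."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("unsupported RTP version")
    offset = 12 + 4 * (b0 & 0x0F)                      # skip the CSRC list
    if (b0 >> 4) & 1:                                   # header extension present
        offset += 4 + 4 * struct.unpack("!H", packet[offset + 2:offset + 4])[0]
    payload = packet[offset:]
    if b0 & 0x20 and payload:                           # padding: last byte is pad length
        payload = payload[:-payload[-1]]
    return {"pt": b1 & 0x7F, "marker": b1 >> 7, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": payload}

def rtp_stream_to_wav(packets, rate=8000):
    """Keep PCMU (payload type 0) packets, reorder by sequence number, decode to
    16-bit little-endian mono PCM and wrap the result in a WAV container."""
    frames = sorted((parse_rtp(p) for p in packets), key=lambda f: f["seq"])
    pcm, last_seq = bytearray(), None
    for f in frames:
        if f["pt"] != 0 or f["seq"] == last_seq:       # other codec, or duplicate packet
            continue
        last_seq = f["seq"]                             # (16-bit sequence wrap not handled)
        pcm += struct.pack("<%dh" % len(f["payload"]), *[ulaw_to_linear(b) for b in f["payload"]])
    header = b"RIFF" + struct.pack("<I", 36 + len(pcm)) + b"WAVE"
    header += b"fmt " + struct.pack("<IHHIIHH", 16, 1, 1, rate, rate * 2, 2, 16)
    header += b"data" + struct.pack("<I", len(pcm))
    return header + bytes(pcm)

def make_rtp(seq, ts, payload, pt=0):
    """Constructed helper: RTP v2 header with no CSRC, extension or padding."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, 0x12345678) + payload

# Constructed capture: two PCMU packets out of order plus one PCMA packet to ignore.
SAMPLE_PACKETS = [
    make_rtp(2, 320, bytes([0xFF, 0x80, 0x00, 0x7F])),   # silence, +max, -max, silence
    make_rtp(1, 160, bytes([0xFF, 0xFF])),                # two silent samples
    make_rtp(3, 480, b"\x55\x55", pt=8),                  # PCMA: skipped by the decoder
]
```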

JPANDDR - Network Diagnose

ICMP Echo Request: parse the information in the "ICMP Echo Reply"
(1) TCP/IP protocol test - 127.0.0.1
(2) Network card test - own IP
(3) Automatically search for neighbours on the subnet - xxx.xxx.xxx.1~253
(4) Outbound router (gateway) test - xxx.xxx.xxx.254 (default)
(5) DNS server test - 168.95.1.1 (default)
(6) ping the address of a host on the Internet - www.google.com

JPANDDR - Network Diagnose

Diagnose algorithm:

int step = 0;

If no error in parsing info. Then
    step = (++step) % 8      // cycle through steps 1..7 (modulo 7 would never reach step 7)
    If step == 1 Then
        // ping 127.0.0.1 by calling Ping Function()
        call Diagnose_Step1()
    Else If step == 2 Then
        // ping self IP address by calling Ping Function()
        call Diagnose_Step2()
    Else If step == 3 Then
        // ping IP address near host by calling Ping Function()
        call Diagnose_Step3()
    Else If step == 4 Then
        // ping gateway IP address by calling Ping Function()
        call Diagnose_Step4()
    Else If step == 5 Then
        // ping DNS Server IP address by calling Ping Function()
        call Diagnose_Step5()
    Else If step == 6 Then
        // ping www.Google.com.tw by calling Ping Function()
        call Diagnose_Step6()
    Else If step == 7 Then
        // ping www.yahoo.com by calling Ping Function()
        call Diagnose_Step7()
    End If
End If

Flow: Diagnose -> Call System Ping -> Return parsing info. -> Diagnose

Ping algorithm:

Send System Ping Request
Wait for response
Parse response information
If all packets lost Then
    Stop next step
    Update user interface
Else
    Call function Diagnose
    Update user interface
End If
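The step sequence and the "stop at the first step where every packet is lost" rule above, as an added example that is not JPANDDR's implementation: the system ping is injected as a function so the walk runs offline, and its statistics line is parsed to decide whether to continue. The iputils ping output format, the host configuration and the reachable set are assumptions constructed for the example; the slide's neighbour scan of .1~.253 is reduced to a single neighbour address.

```python
import re

# Probe targets from the Network Diagnose slide, in order.  Placeholders in braces
# are filled from the host configuration; the slide scans neighbours .1~.253, here
# a single neighbour address stands in for that scan.
DIAGNOSE_STEPS = [
    ("TCP/IP stack", "127.0.0.1"),
    ("network card", "{self_ip}"),
    ("subnet neighbour", "{neighbour}"),
    ("gateway", "{gateway}"),
    ("DNS server", "168.95.1.1"),
    ("Internet host", "www.google.com"),
]

# Statistics line printed by iputils ping on Linux (assumed format; Windows differs).
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")

def parse_ping_output(text):
    """Return (sent, received) from ping's statistics line, or None if absent."""
    m = STATS_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def run_diagnosis(ping, config):
    """ping(target) must return the raw text of a system ping run.  Walk the steps
    in order and stop at the first where every packet is lost or the output could
    not be parsed, as the slide's Diagnose Ping algorithm does."""
    report = []
    for name, template in DIAGNOSE_STEPS:
        target = template.format(**config)
        stats = parse_ping_output(ping(target))
        if stats is None:
            report.append((name, target, "unparseable output"))
            break
        sent, received = stats
        if received == 0:
            report.append((name, target, "all packets lost"))
            break                               # stop next step
        report.append((name, target, "ok (%d/%d)" % (received, sent)))
    return report

def make_fake_ping(reachable):
    """Constructed stand-in for the system ping, for offline use: targets in
    `reachable` answer all 4 probes, every other target loses all of them."""
    def fake_ping(target):
        got = 4 if target in reachable else 0
        return ("--- %s ping statistics ---\n4 packets transmitted, %d received, "
                "%d%% packet loss, time 3005ms\n" % (target, got, 100 - 25 * got))
    return fake_ping

# Constructed host configuration matching the slide's x.x.x.254 default gateway.
CONFIG = {"self_ip": "192.168.1.10", "neighbour": "192.168.1.1", "gateway": "192.168.1.254"}
```

With the gateway left out of the reachable set the report ends at step 4, which is the "No gateway" case of the test-result slide.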

Test Result - Network Diagnose

Network Diagnose Report

Two test results: (1) No IP  (2) No gateway

Test Result - Data Reassembly and Replay

Using LeapFTP, Stream Mode

Recovered file format | Recovery result | Notes
.jpg  | good |
.doc  | good |
.ppt  | good |
.txt  | good |
.exe  | good |
.avi  | good |
.wav  | acceptable | Sometimes distorted.
.html | acceptable | Images embedded in the page fail.
.rm   | good |
.mp3  | good |
.rar  | good | Archives sent with best compression and with a password are both recovered correctly.
.zip  | good | Archives sent with best compression and with a password are both recovered correctly.
.bmp  | acceptable |

Test Result - Data Reassembly and Replay

Sample rate: 8 kHz; sample bits: 16 bits, little endian; .wav file

Test topology: Client A -- Hub -- Client B, with JPANDDR attached to the hub (voice connection between Client A and Client B)

System Compare

Sniffer, ClearSight and Ethereal; among them Ethereal is the most widely used.

JPANDDR - Network Protocol Analyzer
Ethereal - Network Packet Analyzer

Item | This system (JPANDDR) | Ethereal
Packet capture and header parsing | Currently fewer, but extensible | Currently more
Protocol analysis | Same | Same
Packet handshake | Easier to operate | Only in newer versions; hard to operate
Protocol connection statistics and analysis | Same basic function | Same basic function
Message reassembly and file recovery | Yes | No
Network debug and diagnosis | Yes, with automatic debugging and diagnosis | User must diagnose manually
Packet construction | Yes, builds packets for various protocols | Yes

Conclusions

This research implements a system that provides not only basic functions such as protocol tracking, monitoring and analysis and a network diagnosis capability, but also information retrieval and recovery from the data packets captured on the network.

Future Work

JPANDDR
- Extension to wireless network protocols
- Extension to the IPv6 protocol
- Extension of the recoverable voice encoding formats

Goal: The world’s popular network protocol analyzer

Demo