
snoop.c File Reference

Uses the pcap library to listen on any available network interface in promiscuous mode. Raw packets are captured and further processed for filtering; IPv6 packets are of interest. TCP streams over IPv6 are monitored. AODV6 packets are carried in UDP datagrams, again inside IPv6 packets. AODVD hello messages are used to populate the neighbor table. The IDS itself is independent of the routing protocol in use; in this instance we used SecAODV, so neighbors are discovered using AODV hello messages.

#include "common.h"
#include "hashtable.h"
#include "snoop.h"


Functions

void SIGALRM_handler (int sig)
 Alarm handler, updates drop counts.

void timer_update_state (void)
 Examines the hashtable and clears up packets, updates drop counts.

void pkt_callback (u_char *args, const struct pcap_pkthdr *pkthdr, const u_char *packet)
 The callback function for the packet capture.

u_int16_t handle_ethernet (u_char *args, const struct pcap_pkthdr *pkthdr, const u_char *packet)
 Returns the type of packet contained within the ethernet frame.

int handle_IPv6 (u_char *args, const struct pcap_pkthdr *pkthdr, const u_char *packet)
 Examines IPv6 packets for AODV6 and TCP payloads.

int handle_AODV (const u_char *packet)
 Examines and handles AODV packets.

int find_neighbor (neighbor *pair)
 Helper function that returns the index of the provided neighbor in the neighbor table.

int add_neighbor (neighbor *pair)
 Helper function that adds a neighbor to the neighbor table.

int incr_dropcount (struct ether_addr *ether_src)
 Increments the dropcount of the entry in the neighbor table corresponding to the provided MAC address.

void print_neighbors (void)
 Helper function that prints contents of neighbor table.

void log_intrusions (void)
 Reads the neighbor table, logs non-zero dropcount entries as potential intrusions.


Detailed Description

Uses the pcap library to listen on any available network interface in promiscuous mode. Raw packets are captured and further processed for filtering; IPv6 packets are of interest. TCP streams over IPv6 are monitored. AODV6 packets are carried in UDP datagrams, again inside IPv6 packets. AODVD hello messages are used to populate the neighbor table. The IDS itself is independent of the routing protocol in use; in this instance we used SecAODV, so neighbors are discovered using AODV hello messages.

See snoop.h documentation for function descriptions.

 Author: Anand Patwardhan
 email: anand.patwardhan@umbc.edu
 Date : 30 April 2004


 The SNOOP program is an intrusion detection mechanism to detect local
 intrusions in a Mobile Ad Hoc Network.

  Copyright(C) 2005 University of Maryland, Baltimore County (UMBC) 
  E-mail: anand.patwardhan@umbc.edu

  eBiquity Research Group
  University of Maryland, Baltimore County
  1000 Hilltop Circle, Baltimore, MD 21250, USA.

  http://research.ebiquity.org

  This program is free software; you can redistribute it and/or
  modify it under the terms of the GNU General Public License
  as published by the Free Software Foundation; either version 2
  of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.


 We referred to Tim Carstens' example code and Martin Casado's
 tutorial. We also looked at the ipgrab source code and tcpdump source.
 Source code seems to be the only documentation on pcap.
  

Definition in file snoop.c.


Function Documentation

int find_neighbor (neighbor *pair)

Helper function that returns the index of the provided neighbor in the neighbor table.

Provided a neighbor instance, looks up and returns the index of the neighbor in the neighbor table.

Definition at line 318 of file snoop.c.

References MAXNEIGHBORS, and neighbor::route_state.

Referenced by handle_AODV(), and handle_IPv6().

int handle_AODV (const u_char *packet)

Examines and handles AODV packets.

Looks for RREP messages to build the neighbor table. We can potentially remove entries from the neighbor table if hello messages are missed.

Definition at line 249 of file snoop.c.

References add_neighbor(), AODV6_RREQ, and find_neighbor().

Referenced by handle_IPv6().

u_int16_t handle_ethernet (u_char *args, const struct pcap_pkthdr *pkthdr, const u_char *packet)

Returns the type of packet contained within the ethernet frame.

We are interested only in IPv6, but the function can easily be modified to handle other protocols.

Definition at line 120 of file snoop.c.

References ETHER_HDRLEN.

Referenced by pkt_callback().

int handle_IPv6 (u_char *args, const struct pcap_pkthdr *pkthdr, const u_char *packet)

Examines IPv6 packets for AODV6 and TCP payloads.

Once IPv6 packets are filtered out, further filtering of AODV6 and TCP protocols is done here. For AODV6 we watch for "Hello" messages, i.e. special RREP messages, to identify neighbors and populate the neighbor table.

Definition at line 139 of file snoop.c.

References find_neighbor(), handle_AODV(), IP_PROTO_ICMPV6, IP_PROTO_TCP, IP_PROTO_UDP, makeEntry(), performID(), neighbor::src_ether, and neighbor::src_ip6.

Referenced by pkt_callback().

void log_intrusions (void)

Reads the neighbor table, logs non-zero dropcount entries as potential intrusions.

This function reads the neighbor table, logs non-zero entries to the suspects file and resets dropcounts for the next time period.

Definition at line 372 of file snoop.c.

References intruder::dropcount, neighbor::dropcount, MAXNEIGHBORS, neighbor::route_state, and intruder::when_detected.

Referenced by SIGALRM_handler().

void pkt_callback (u_char *args, const struct pcap_pkthdr *pkthdr, const u_char *packet)

The callback function for the packet capture.

The callback function opens the device in promiscuous mode and listens for packets. The raw packets captured (1500 bytes) are then passed on for further filtering. We deal only with IPv6 packets; others are ignored.

Definition at line 111 of file snoop.c.

References ETHERTYPE_IPV6, handle_ethernet(), and handle_IPv6().

void SIGALRM_handler (int sig)

Alarm handler, updates drop counts.

Calls the timer_update_state function.

Definition at line 64 of file snoop.c.

References ALARM_TIMEOUT, hashtable::count, log_intrusions(), print_neighbors(), SIGALRM_handler(), and timer_update_state().

Referenced by SIGALRM_handler().

void timer_update_state (void)

Examines the hashtable and clears up packets, updates drop counts.

Removes old entries from the hashtable and gives newer ones a second chance; if an entry has not been cleared by the second timeout, the packet is assumed to have been dropped and the dropcount of the neighbor that was expected to forward it is incremented.

Definition at line 79 of file snoop.c.

References hashtable::count, incr_dropcount(), hashtable::size, ht_bucket::state, and hashtable::table.

Referenced by SIGALRM_handler().
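The two-timeout drop accounting described for timer_update_state(), incr_dropcount() and log_intrusions() above, written out as an added example. This is not the snoop.c source: the `pending` array stands in for the hashtable, the neighbor table is keyed by a 6-byte MAC, and the names pending_pkt, nbr_entry, make_entry and clear_entry are assumptions of this example.

```c
#include <string.h>
#define MAXNEIGHBORS 8
#define MAXPENDING   16
#define MACLEN       6

/* A forwarded packet waits to be overheard from its next hop: the first
 * timeout gives it a second chance, the second counts it as dropped. */
enum pkt_state { EMPTY = 0, FRESH, SECOND_CHANCE };
struct pending_pkt { enum pkt_state state; unsigned char next_hop[MACLEN]; };
struct nbr_entry   { int in_use; unsigned char mac[MACLEN]; int dropcount; };
static struct pending_pkt pending[MAXPENDING];     /* stands in for the hashtable */
static struct nbr_entry   neighbors[MAXNEIGHBORS]; /* the neighbor table */
/* Add a neighbor learned from a hello message; returns its index, -1 if full. */
int add_neighbor(const unsigned char *mac) {
    for (int i = 0; i < MAXNEIGHBORS; i++) {
        if (neighbors[i].in_use) continue;
        neighbors[i].in_use = 1; memcpy(neighbors[i].mac, mac, MACLEN);
        return i;
    }
    return -1;
}
/* Charge one drop to the neighbor with this MAC; -1 if it is not in the table. */
int incr_dropcount(const unsigned char *mac) {
    for (int i = 0; i < MAXNEIGHBORS; i++)
        if (neighbors[i].in_use && memcmp(neighbors[i].mac, mac, MACLEN) == 0)
            return ++neighbors[i].dropcount;
    return -1;
}
/* make_entry() when we forward a packet; clear_entry() when its copy is overheard. */
void make_entry(int slot, const unsigned char *nh) { pending[slot].state = FRESH; memcpy(pending[slot].next_hop, nh, MACLEN); }
void clear_entry(int slot) { pending[slot].state = EMPTY; }
/* Timer tick, as driven by SIGALRM_handler. Returns drops charged to known neighbors. */
int timer_update_state(void) {
    int drops = 0;
    for (int i = 0; i < MAXPENDING; i++) {
        if (pending[i].state == FRESH) { pending[i].state = SECOND_CHANCE; continue; }
        if (pending[i].state != SECOND_CHANCE) continue;
        if (incr_dropcount(pending[i].next_hop) > 0) drops++; /* unknown hop: not charged */
        pending[i].state = EMPTY;
    }
    return drops;
}
/* End of period: count neighbors with non-zero dropcount (the suspects), then reset. */
int log_intrusions(void) {
    int suspects = 0;
    for (int i = 0; i < MAXNEIGHBORS; i++)
        if (neighbors[i].in_use && neighbors[i].dropcount > 0) { suspects++; neighbors[i].dropcount = 0; }
    return suspects;
}
```

A packet cleared between the first and second tick costs its next hop nothing, which is the "second chance" the documentation describes; only entries surviving two ticks count against a neighbor.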


Generated on Wed Mar 23 11:08:02 2005 for Snoop IDS by doxygen 1.2.18