#include "common.h"
Data Structures

    struct intruder
        The intruder struct holds the MAC address, the IPv6 address, the time when the node was classified as intrusive and the dropcount for that period.
    struct neighbor
        The neighbor struct stores the MAC address and corresponding IPv6 address of each of its neighbors.

Defines

    #define MAXNEIGHBORS 10
        MAXNEIGHBORS limits the number of neighbors watched for intrusions.
    #define ALARM_TIMEOUT 3
        ALARM_TIMEOUT is the timeout, in seconds, between examinations of the hashtable.

Enumerations

    enum r_state
        Three states of a neighbor within the neighbor table.

Functions

    void SIGALRM_handler (int)
        Alarm handler; updates drop counts.
    void timer_update_state (void)
        Examines the hashtable, clears up packets and updates drop counts.
    void pkt_callback (u_char *, const struct pcap_pkthdr *, const u_char *)
        The callback function for the packet capture.
    u_int16_t handle_ethernet (u_char *, const struct pcap_pkthdr *, const u_char *)
        Returns the type of packet contained within the Ethernet frame.
    int handle_IPv6 (u_char *, const struct pcap_pkthdr *, const u_char *)
        Examines IPv6 packets for AODV6 and TCP payloads.
    int handle_AODV (const u_char *)
        Examines and handles AODV packets.
    int find_neighbor (neighbor *)
        Helper function that returns the index of the provided neighbor in the neighbor table.
    int add_neighbor (neighbor *)
        Helper function that adds a neighbor to the neighbor table.
    void print_neighbors (void)
        Helper function that prints the contents of the neighbor table.
    int incr_dropcount (struct ether_addr *)
        Increments the dropcount of the neighbor-table entry corresponding to the provided MAC address.
    void log_intrusions (void)
        Reads the neighbor table and logs non-zero dropcount entries as potential intrusions.
Author: Anand Patwardhan
E-mail: anand.patwardhan@umbc.edu
Date: 30 April 2004

The SNOOP program is an intrusion detection mechanism to detect local intrusions in a Mobile Ad Hoc Network.

Copyright (C) 2005 University of Maryland, Baltimore County (UMBC)
E-mail: anand.patwardhan@umbc.edu
eBiquity Research Group, University of Maryland, Baltimore County, 1000 Hilltop Circle, Baltimore, MD 21250, USA.
http://research.ebiquity.org

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

We referred to Tim Carstens' example code and Martin Casado's tutorial. We also looked at the ipgrab source code and the tcpdump source. Source code seems to be the only documentation on pcap.
Definition in file snoop.h.
#define ALARM_TIMEOUT 3

ALARM_TIMEOUT is the value in seconds for the timeout to examine the hashtable. The hashtable is examined every ALARM_TIMEOUT seconds, and a second-chance algorithm is used to classify packet drops as intrusions: if a packet has not been retransmitted by the time of a second timeout, it is considered dropped and is removed from the hashtable.

Definition at line 64 of file snoop.h.
Referenced by SIGALRM_handler().
#define MAXNEIGHBORS 10

MAXNEIGHBORS is used to limit the number of neighbors to watch for intrusions. To be scalable, it is necessary to watch only a bounded number of neighbors, depending on the memory and CPU capacity of the device; otherwise the device can quickly be overwhelmed and the effectiveness of the IDS will decrease.

Definition at line 56 of file snoop.h.
Referenced by add_neighbor(), find_neighbor(), incr_dropcount(), log_intrusions(), and print_neighbors().
int find_neighbor (neighbor *)

Helper function that returns the index of the provided neighbor in the neighbor table. Given a neighbor instance, it looks up and returns the index of that neighbor in the neighbor table.

Definition at line 318 of file snoop.c.
References MAXNEIGHBORS, and neighbor::route_state.
Referenced by handle_AODV(), and handle_IPv6().
int handle_AODV (const u_char *)

Examines and handles AODV packets. Looks for RREP messages to build the neighbor table. We can potentially remove entries from the neighbor table if hello messages are missed.

Definition at line 249 of file snoop.c.
References add_neighbor(), AODV6_RREQ, and find_neighbor().
Referenced by handle_IPv6().
u_int16_t handle_ethernet (u_char *, const struct pcap_pkthdr *, const u_char *)

Returns the type of packet contained within the Ethernet frame. We are interested only in IPv6, but the function can easily be modified to handle other protocols.

Definition at line 120 of file snoop.c.
References ETHER_HDRLEN.
Referenced by pkt_callback().
int handle_IPv6 (u_char *, const struct pcap_pkthdr *, const u_char *)

Examines IPv6 packets for AODV6 and TCP payloads. Once IPv6 packets are filtered out, further filtering of the AODV6 and TCP protocols is done here. For AODV6 we watch for "Hello" messages, i.e. special RREP messages, to identify neighbors and populate the neighbor table.

Definition at line 139 of file snoop.c.
References find_neighbor(), handle_AODV(), IP_PROTO_ICMPV6, IP_PROTO_TCP, IP_PROTO_UDP, makeEntry(), performID(), neighbor::src_ether, and neighbor::src_ip6.
Referenced by pkt_callback().
void log_intrusions (void)

Reads the neighbor table, logs non-zero dropcount entries as potential intrusions. This function reads the neighbor table, logs non-zero entries to the suspects file and resets the dropcounts for the next time period.

Definition at line 372 of file snoop.c.
References neighbor::dropcount, intruder::dropcount, MAXNEIGHBORS, neighbor::route_state, and intruder::when_detected.
Referenced by SIGALRM_handler().
void pkt_callback (u_char *, const struct pcap_pkthdr *, const u_char *)

The callback function for the packet capture. The callback function opens the device in promiscuous mode and listens for packets. The raw packets captured (1500 bytes) are then passed on for further filtering. We deal only with IPv6 packets; others are ignored.

Definition at line 111 of file snoop.c.
References ETHERTYPE_IPV6, handle_ethernet(), and handle_IPv6().
void SIGALRM_handler (int)

Alarm handler, updates drop counts. Calls the timer_update_state function.

Definition at line 64 of file snoop.c.
References ALARM_TIMEOUT, hashtable::count, log_intrusions(), print_neighbors(), SIGALRM_handler(), and timer_update_state().
Referenced by SIGALRM_handler().
void timer_update_state (void)

Examines the hashtable, clears up packets and updates drop counts. Removes entries from the hashtable that are old and gives newer ones a second chance; if an entry has not been cleared by a second timeout, the packet is assumed to have been dropped.

Definition at line 79 of file snoop.c.
References hashtable::count, incr_dropcount(), hashtable::size, ht_bucket::state, and hashtable::table.
Referenced by SIGALRM_handler().
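The second-chance drop classification described for ALARM_TIMEOUT, timer_update_state() and log_intrusions(), together with the MAXNEIGHBORS bound, as an added stand-alone C example; this is not snoop's own code. The watched-packet table (MAXPENDING, enum pkt_state, expect_forward(), saw_forward()) and keeping a neighbor index rather than a MAC in each entry are assumptions of this illustration.

```c
#include <string.h>
#define MAXNEIGHBORS 10  /* bound from snoop.h */
#define MAXPENDING   32  /* assumed size of the watched-packet table */
enum pkt_state { PKT_FREE, PKT_NEW, PKT_SECOND_CHANCE };  /* second-chance states, assumed names */
struct neighbor { unsigned char mac[6]; int dropcount; };
struct pending  { int nbr; unsigned int id; enum pkt_state state; };
static struct neighbor neighbors[MAXNEIGHBORS]; static int nneighbors;
static struct pending pending[MAXPENDING];
/* Return the index of this MAC, adding it if unknown; -1 once MAXNEIGHBORS are tracked. */
int add_neighbor(const unsigned char *mac) {
    for (int i = 0; i < nneighbors; i++)
        if (memcmp(neighbors[i].mac, mac, 6) == 0) return i;
    if (nneighbors >= MAXNEIGHBORS) return -1;
    memcpy(neighbors[nneighbors].mac, mac, 6);
    neighbors[nneighbors].dropcount = 0;
    return nneighbors++;
}
/* Packet `id` was handed to neighbor `nbr` to relay: start watching it (-1 if table full). */
int expect_forward(int nbr, unsigned int id) {
    for (int i = 0; i < MAXPENDING; i++)
        if (pending[i].state == PKT_FREE) {
            pending[i].nbr = nbr; pending[i].id = id; pending[i].state = PKT_NEW; return i;
        }
    return -1;
}
/* The neighbor relayed packet `id`: clear its entry. Returns 1 if it was being watched. */
int saw_forward(int nbr, unsigned int id) {
    for (int i = 0; i < MAXPENDING; i++)
        if (pending[i].state != PKT_FREE && pending[i].nbr == nbr && pending[i].id == id) {
            pending[i].state = PKT_FREE; return 1;
        }
    return 0;
}
/* Sweep run every ALARM_TIMEOUT seconds: a NEW entry gets a second chance; one still unrelayed at its second timeout is charged as a drop to its neighbor and removed. */
int timer_update_state(void) {
    int dropped = 0;
    for (int i = 0; i < MAXPENDING; i++)
        if (pending[i].state == PKT_NEW) pending[i].state = PKT_SECOND_CHANCE;
        else if (pending[i].state == PKT_SECOND_CHANCE) {
            neighbors[pending[i].nbr].dropcount++; pending[i].state = PKT_FREE; dropped++;
        }
    return dropped;
}
/* Report neighbors with a non-zero dropcount as suspects and reset them for the next period. */
int log_intrusions(int *suspects) {
    int k = 0;
    for (int i = 0; i < nneighbors; i++)
        if (neighbors[i].dropcount) { suspects[k++] = i; neighbors[i].dropcount = 0; }
    return k;
}
```

A packet relayed before either timeout never reaches the dropcount; only an entry that survives two consecutive sweeps is charged, which is what keeps a single missed frame from marking a neighbor as a suspect.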