IPAudit Software for network monitoring.
Dec 21, 2015
Question: Why did you choose IPAudit for a topic?
(Probably should have asked this earlier)
IPAudit – Three stories
- Network Monitoring
- Software Development
- Open Source Project Management
What IPAudit is
Two parts:
- Binary: sniffs the network and periodically writes a traffic summary to a text file.
- IPAudit-Web: web-accessible reports based on the data collected by the binary.
Companion programs (I find these two programs more generally useful; ipaudit is more specialized):
- ipstrings: like strings, but for IP packets.
- total: reads text records and maintains counts, averages, etc. for different field values.
Problem that IPAudit solves
IMS-based DoS attack, 1999: an infected host in IMS was doing a DoS against an off-campus host.
Problem: no easy method of finding the host.
Manual method: log into the main switch, find the busy interface, consult network maps to find the next switch/hub, log into it, repeat ....
Solution: monitor traffic by IP address and find the busiest IP address directly.
Early Development: Ipaudit Binary
Monitored the network with TCPDump and Perl scripts. Worked on a dual 333MHz Pentium II with 50% load when monitoring a 4.5mb connection. Uconn had plans to upgrade to between 10 and 45mbs → need a faster system. Replaced with a C program, the IPAudit binary.
Learned: pcap library, packet structure, C select() function. Developed: new hash function. Existing hash functions are like black magic; mine is easier to understand.
Ipaudit Output (one record per flow; rows sorted by FIRST-TIME, the column marked "(sort)" in the original header):

LOCAL-IP        REMOTE-IP       PROTOCOL LOCAL-PORT REMOTE-PORT INC-BYTES OUT-BYTES INC-PKT OUT-PKT FIRST-TIME    LAST-TIME     FIRST-TALKER LAST-TALK
137.099.089.110 212.045.068.018 6        21         1317        278       353       5       4       09:51:08.0524 09:51:19.1243 2            2
137.099.089.110 212.045.068.018 6        21         1321        842       3389      13      16      09:51:08.7673 09:51:21.6822 2            2
137.099.089.110 212.045.068.018 6        20         1324        46120     712706    854     1261    09:51:20.4735 09:59:57.4130 1            2
137.099.089.110 212.045.068.018 6        21         1325        847       2316      13      15      09:51:21.5128 09:51:30.0712 2            2
137.099.089.110 212.045.068.018 6        21         1326        794       2386      12      15      09:51:22.0193 09:51:31.0847 2            2
137.099.089.110 212.045.068.018 6        21         1327        794       2209      12      13      09:51:22.5151 09:51:30.9838 2            2
137.099.089.110 212.045.068.018 6        20         1328        47632     709310    882     1255    09:51:28.5105 09:59:59.8142 1            1
137.099.089.110 212.045.068.018 6        20         1330        35698     536114    661     949     09:51:29.2214 09:59:59.9341 1            1
137.099.089.110 212.045.068.018 6        20         1329        33700     527624    624     934     09:51:29.6458 10:00:00.5380 1            1
IPStrings
Command line program to inspect IP string data
> ipstrings -f "port 25" -pit -s 256 eth0
137.099.025.234 137.099.080.033 6 25 55956 11:41:43.3353 220 mta1.uits.uconn.edu ESMTP Postfix (Debian/GNU)
137.099.080.033 137.099.025.234 6 55956 25 11:41:45.5772 helo uconn.edu
137.099.025.234 137.099.080.033 6 25 55956 11:41:45.5777 250 mta1.uits.uconn.edu
137.099.080.033 137.099.025.234 6 55956 25 11:41:49.9272 mail from: [email protected]
137.099.025.234 137.099.080.033 6 25 55956 11:41:49.9280 250 2.1.0 Ok
137.099.080.033 137.099.025.234 6 55956 25 11:41:57.8978 rcpt to: [email protected]
137.099.025.234 137.099.080.033 6 25 55956 11:41:57.8997 250 2.1.5 Ok
137.099.080.033 137.099.025.234 6 55956 25 11:42:00.9272 data
137.099.025.234 137.099.080.033 6 25 55956 11:42:00.9278 354 End data with <CR><LF>.<CR><LF>
137.099.080.033 137.099.025.234 6 55956 25 11:42:07.7678 Subject: This is a test message.
137.099.080.033 137.099.025.234 6 55956 25 11:42:11.8672 To: [email protected]
137.099.080.033 137.099.025.234 6 55956 25 11:42:21.1472 From: [email protected]
137.099.080.033 137.099.025.234 6 55956 25 11:42:47.7272 Congratulations! You are the new Homeland Security czar.
137.099.080.033 137.099.025.234 6 55956 25 11:43:00.4878 Please pick up your keys at the office tomorrow 0800.
137.099.080.033 137.099.025.234 6 55956 25 11:43:03.7678 - G.W.
137.099.025.234 137.099.080.033 6 25 55956 11:43:05.3363 250 2.0.0 Ok: queued as D6DB62CFB5
137.099.080.033 137.099.025.234 6 55956 25 11:43:07.2078 quit
137.099.025.234 137.099.080.033 6 25 55956 11:43:07.2086 221 2.0.0 Bye
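As an added illustration (not the IPAudit project's own ipstrings source), here is the core of what "strings, but for IP packets" means: parse the IPv4 and TCP headers of a raw packet and pull printable runs out of the payload, tagged with addresses and ports as in the listing above. The packet is constructed inside the block instead of sniffed from eth0, so no pcap library is needed; the zero checksums and the min_len threshold are assumptions of this example.

```python
import struct

def ipv4_tcp_strings(packet, min_len=4):
    """Report one raw IPv4 packet (no link-layer header) ipstrings-style as
    (src, dst, proto, sport, dport, strings), where strings are the runs of
    at least min_len printable ASCII bytes found in the TCP payload."""
    ihl = (packet[0] & 0x0F) * 4                       # IPv4 header length
    proto = packet[9]
    # ipaudit/ipstrings print zero-padded dotted quads, e.g. 137.099.025.234
    src = ".".join("%03d" % b for b in packet[12:16])
    dst = ".".join("%03d" % b for b in packet[16:20])
    if proto != 6:                                     # only TCP is parsed here
        return src, dst, proto, None, None, []
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4             # TCP header length
    strings, run = [], bytearray()
    for b in packet[ihl + data_off:] + b"\x00":        # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            strings.append(run.decode("ascii"))
        run = bytearray()
    return src, dst, proto, sport, dport, strings

def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Constructed test packet: minimal IPv4 and TCP headers around payload
    (checksums left zero; fine for parsing, not for transmission)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

# Constructed sample: the SMTP banner line from the ipstrings output above.
SAMPLE = build_ipv4_tcp("137.99.25.234", "137.99.80.33", 25, 55956,
                        b"220 mta1.uits.uconn.edu ESMTP Postfix (Debian/GNU)\r\n")

if __name__ == "__main__":
    print(ipv4_tcp_strings(SAMPLE))
```

The same loop run over every packet of a capture is what turns a cleartext SMTP session into the readable transcript shown above, which is why such a listing is a useful check on whether a service really is encrypted on the wire.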
Total
> cat total.in
Ford Focus White 20
Ford Taurus White 31
Ford Taurus Red 15
Chevy Aero White 17
Honda Accord Red 12
> total -s1 1 4 total.in
Ford 66
Chevy 17
Honda 12
> total 1,3 4 total.in
Chevy White 17
Ford White 51
Honda Red 12
Ford Red 15
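An added example, not code from the IPAudit project: a Python re-implementation of the group-and-sum that `total` performs, checked against the car records above and then applied to ipaudit records to pick out the busiest local host, which is exactly the question from the 1999 incident. The column positions and the second local host in the sample are assumptions of this example.

```python
def total(lines, key_cols, sum_cols):
    """What the `total` program does: group whitespace-separated text records
    by the fields in key_cols and sum the numeric fields in sum_cols (0-based
    indices here; the program counts columns from 1).
    Returns {key_tuple: (record_count, sum_1, sum_2, ...)}."""
    counts, sums = {}, {}
    for line in lines:
        f = line.split()
        if len(f) <= max(key_cols + sum_cols):
            continue                      # blank or truncated record
        try:
            vals = [int(f[c]) for c in sum_cols]
        except ValueError:
            continue                      # non-numeric value in a sum column
        key = tuple(f[c] for c in key_cols)
        counts[key] = counts.get(key, 0) + 1
        acc = sums.setdefault(key, [0] * len(sum_cols))
        for i, v in enumerate(vals):
            acc[i] += v
    return {k: (counts[k], *sums[k]) for k in sums}

# ipaudit record columns used here (assumed from the header above):
# 0 LOCAL-IP, 5 INC-BYTES, 6 OUT-BYTES.
LOCAL_IP, INC_BYTES, OUT_BYTES = 0, 5, 6

def busiest_local_ips(ipaudit_text, top=3):
    """Rank local IPs by bytes moved (incoming + outgoing), busiest first,
    as (ip, bytes) pairs: the direct answer the manual switch-hopping lacked."""
    per_ip = total(ipaudit_text.splitlines(), [LOCAL_IP], [INC_BYTES, OUT_BYTES])
    ranked = sorted(((ip, inc + out) for (ip,), (_n, inc, out) in per_ip.items()),
                    key=lambda pair: pair[1], reverse=True)
    return ranked[:top]

# Constructed sample: three records copied from the ipaudit output above plus
# two made-up records for a second local host, so the ranking has a runner-up.
IPAUDIT_SAMPLE = """\
137.099.089.110 212.045.068.018 6 21 1317 278 353 5 4 09:51:08.0524 09:51:19.1243 2 2
137.099.089.110 212.045.068.018 6 20 1324 46120 712706 854 1261 09:51:20.4735 09:59:57.4130 1 2
137.099.089.110 212.045.068.018 6 20 1328 47632 709310 882 1255 09:51:28.5105 09:59:59.8142 1 1
137.099.001.005 192.000.002.010 17 53 5353 120 80 1 1 09:52:00.0000 09:52:00.0100 1 2
137.099.001.005 192.000.002.011 6 80 4040 900 1200 8 9 09:53:00.0000 09:53:10.0000 2 1
"""

# The car records from the `total` demonstration above.
CARS = """\
Ford Focus White 20
Ford Taurus White 31
Ford Taurus Red 15
Chevy Aero White 17
Honda Accord Red 12
"""
```

`total(CARS.splitlines(), [0], [3])` reproduces the Ford 66 / Chevy 17 / Honda 12 result, and `busiest_local_ips(IPAUDIT_SAMPLE)` puts 137.099.089.110 first.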
Web based reporting: Ipaudit-Web
Web graphics and table based reports of ipaudit data.
Graph design inspired by Edward R. Tufte's "The Visual Display of Quantitative Information". My interpretation: "Present as much raw data as possible in a way the viewer can recognize meaningful patterns."
Ipaudit Graph
Live Demo
Uconn's IPAudit system: password protected, managed by the Network Security group.
The IPAudit Project
Hosted on Sourceforge since 2001: http://sourceforge.net/projects/ipaudit. About 50,000 downloads.
Other project admins: jh8 – initial tar ball packaging; j4_gongloo – Ipaudit web site (a couple of one-time Uconn students).
Contributors: Charles Green – ipaudit search binary.
Since 2005, only I've touched the project.
Conclude
This project does not host an active community. Project communities need a pro-active person.