A Framework for Packet Trace Manipulation

Page 1

A Framework for Packet Trace Manipulation

Christian Kreibich

Page 2

Motivation

Say you need to solve a problem that involves manipulating network traffic:
- complex filtering (e.g. data analysis)
- fine-grained editing (e.g. header field bitflips)
- large-scale editing (e.g. anonymization)
- visualization (e.g. behavioural analysis)

What do you do?

Page 3

Motivation II

Try to find a tool that does it
- where?
- does it build?
- maintained?
If so, lucky you!

Page 4

Motivation II

Mhmm ... write your own ... again.
Okay, pcap.
Now you typically need infrastructure:
- data types
- conn. state tracking
- protocol header lookup

Lots of duplicated effort
Cut’n’paste sucks
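The infrastructure listed on this slide is what every home-grown pcap tool ends up reimplementing. As an added example (not Netdude code and not from the slides), here is a bounds-checked Ethernet/IPv4/TCP header lookup plus the kind of fine-grained header edit the Motivation slide mentions, a TTL rewrite with the checksum repair it forces; the frame bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP SYN,
 * 10.0.0.1:12345 -> 10.0.0.2:80, TTL 64, no IP or TCP options, no payload. */
static const uint8_t sample_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x66,0xcd,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x30,0x39, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0x20,0x00, 0x00,0x00, 0x00,0x00 };
/* Data types: where each header starts once the encapsulation has been walked. */
struct pkt_view { size_t ip_off, tcp_off, payload_off; uint16_t dport; uint8_t flags; };
/* RFC 1071 one's-complement checksum; returns 0 when the stored checksum is valid. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Header lookup: Ethernet -> IPv4 -> TCP, bounds-checked at every layer so a short
 * snaplen never reads past the buffer. Returns -1 if not IPv4/TCP or truncated. */
static int locate_headers(const uint8_t *p, size_t len, struct pkt_view *v)
{
    if (len < 14 + 20 || p[12] != 0x08 || p[13] != 0x00 || (p[14] >> 4) != 4) return -1;
    v->ip_off = 14;
    size_t ihl = (p[14] & 0x0f) * 4;                   /* IP options move the TCP header */
    if (ihl < 20 || len < 14 + ihl + 20 || p[14 + 9] != 6) return -1;
    v->tcp_off = 14 + ihl;
    size_t doff = (p[v->tcp_off + 12] >> 4) * 4;       /* TCP options move the payload */
    if (doff < 20 || len < v->tcp_off + doff) return -1;
    v->payload_off = v->tcp_off + doff;
    v->dport = (uint16_t)(p[v->tcp_off + 2] << 8 | p[v->tcp_off + 3]);
    v->flags = p[v->tcp_off + 13];
    return 0;
}

/* Fine-grained edit: rewrite the TTL in place and repair the IP header checksum, which
 * any edited field invalidates (the TCP checksum does not cover the TTL). */
static int rewrite_ttl(uint8_t *p, size_t len, uint8_t ttl)
{
    struct pkt_view v;
    if (locate_headers(p, len, &v) != 0) return -1;
    uint8_t *ip = p + v.ip_off;
    ip[8] = ttl; ip[10] = ip[11] = 0;                  /* checksum field is zero while summing */
    uint16_t sum = ip_checksum(ip, v.tcp_off - v.ip_off);
    ip[10] = (uint8_t)(sum >> 8); ip[11] = (uint8_t)sum;
    return 0;
}
```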

Page 5

Motivation III

Ewww.

Page 6

Introducing ...

Netdude — NETwork DUmp Data Editor
- Framework for packet inspection and manipulation
- Multiple usage paradigms: GUI + command line
- Scalable to arbitrary trace sizes
- Reusable at all levels
- Extensible

Page 7

Architecture

Page 8

Architecture

Page 9

Architecture

Page 10

Architecture

Page 11

Architecture

Page 12

Experience

Fine-grained header field modifications:
M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 9th USENIX Security Symposium, 2001.

Large-scale filtering and reassembly:
A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, Passive and Active Measurement Workshop, 2003.

Fine-grained payload editing:
C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003.

Page 13

Future Work

hehe

Page 14

Don’t get me wrong ...

I

Page 15

Summary

- System detects patterns in network traffic
- Using honeypots, the system can create useful signatures
- Good at worm detection

Todo list
- Ability to control LCS algorithm (whitelisting?)
- Tests with higher traffic volume
- Experiment with approximate matching
- Better signature reporting scheme

Page 16

Thanks!

Shoutouts to all contributors!
Debian packagers needed ...
Questions?