Z. Kwecka, BSc (Hons) Network Computing, 2006 38

- transmit raw packets to the network
- gather statistical information on the network traffic

However, our software employs only the first three functions listed above. Since the prototype was built using the C# programming language and WinPcap should be driven by C++, an interface between those two was required. We have tried two different wrappers allowing simplified usage of WinPcap in the .NET framework:

- PacketX, a commercial ActiveX control [6]
- SharpPcap, a freely available network traffic capture library [7]

WinPcap and SharpPcap are open source packages and their licences permit redistribution and usage free of charge; however, PacketX is a commercial product. Thus the copyright owners, BeeSync Technologies, were contacted and kindly granted a licence permitting use of PacketX free of charge for the duration of this project. After building simple test applications using both wrappers, both performed to a similar level. However, taking usability into consideration, we decided that SharpPcap, designed by Tamir Gal, was better for the project. While PacketX did exactly what we expected and allowed link-level reading from a network interface, it reduced the mobility of the code, since it requires installation. On the other hand, SharpPcap provides its functionality as long as the application has access to the code library.
Additionally, the latter provided high-level information on the captured data, while PacketX produced only raw bytes. Thus the code that was necessary to calculate the value of the acknowledgment field when using PacketX:

```csharp
long ack;
// Byte 14 is the first byte of the IP header (after the 14-byte Ethernet header);
// its low nibble is the IHL, the IP header length in 32-bit words. The TCP flags
// byte sits at offset 13 of the TCP header, i.e. at 14 + 4*IHL + 13 = 27 + 4*IHL.
int flags_byte = 27 + 4 * (Convert.ToInt16(oPacket.DataArray.GetValue(14)) & 0x0F);
// The 32-bit acknowledgment number occupies TCP header bytes 8..11, which is
// flags_byte-5 .. flags_byte-2; assemble it big-endian into a long so the
// unsigned 32-bit value does not overflow.
ack = Convert.ToInt16(oPacket.DataArray.GetValue(flags_byte - 5));
ack = ack * 256 + Convert.ToInt16(oPacket.DataArray.GetValue(flags_byte - 4));
ack = ack * 256 + Convert.ToInt16(oPacket.DataArray.GetValue(flags_byte - 3));
ack = ack * 256 + Convert.ToInt16(oPacket.DataArray.GetValue(flags_byte - 2));
```

could be implemented using SharpPcap in the following way:

```csharp
long ack = oPacket.AcknowledgmentNumber;
```

Figure 5-2 HTTP Analyser Foundation

6 Author: BeeSync Technologies; Website: http://www.beesync.com/packetx/index.html
7 Author: Tamir Gal; Website: http://www.tamirgal.com/home/dev.aspx?Item=SharpPcap
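The byte-offset arithmetic in the PacketX snippet is easy to get wrong when the IP header carries options or the frame is not TCP at all. The following Python example, added here and not part of the dissertation or of PacketX/SharpPcap, reimplements the same walk (Ethernet header, IHL from byte 14, acknowledgment number five bytes before the TCP flags byte) and adds the checks the original omits: EtherType, IP version, protocol number and frame length. `build_frame` constructs a sample frame in code, with made-up addresses, so that nothing needs to be captured; the `ack_by_flags_offset` function mirrors the original loop exactly so the two can be compared.

```python
import struct

ETH_HDR_LEN = 14          # Ethernet II header: dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6


def tcp_seq_ack(frame: bytes):
    """Return (seq, ack) from a raw Ethernet/IPv4/TCP frame.

    Returns None for anything that is not IPv4-over-Ethernet carrying TCP,
    or for a frame too short to hold the headers it claims to have.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ver_ihl = frame[ETH_HDR_LEN]          # byte 14: version (high nibble), IHL (low nibble)
    if ver_ihl >> 4 != 4:
        return None
    ip_hdr_len = (ver_ihl & 0x0F) * 4     # IHL is in 32-bit words: 20..60 bytes
    if ip_hdr_len < 20:
        return None
    if frame[ETH_HDR_LEN + 9] != IP_PROTO_TCP:
        return None
    tcp_off = ETH_HDR_LEN + ip_hdr_len
    if len(frame) < tcp_off + 20:
        return None
    # TCP header layout: ports (4 bytes), seq (4), ack (4), data offset/flags, ...
    seq, ack = struct.unpack_from("!II", frame, tcp_off + 4)
    return seq, ack


def ack_by_flags_offset(frame: bytes) -> int:
    """The original byte-walk: locate the TCP flags byte at 27 + 4*IHL and
    read the four bytes ending two bytes before it (TCP header bytes 8..11)."""
    flags_byte = 27 + 4 * (frame[14] & 0x0F)
    ack = 0
    for pos in range(flags_byte - 5, flags_byte - 1):
        ack = ack * 256 + frame[pos]
    return ack


def build_frame(seq: int, ack: int, ip_options: bytes = b"") -> bytes:
    """Constructed sample frame (not captured traffic): Ethernet + IPv4 + TCP
    header with no payload. ip_options must be a multiple of 4 bytes long."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ihl_words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl_words, 0, 20 + len(ip_options) + 20,
                     0, 0, 64, IP_PROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, ack, 5 << 4, 0x10, 65535, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    f = build_frame(0x11223344, 0xDEADBEEF, ip_options=b"\x01\x01\x01\x01")
    print(tcp_seq_ack(f), hex(ack_by_flags_offset(f)))
```

Both functions agree on the sample frames, including one with four bytes of IP options (IHL = 6), which is exactly the case the `& 0x0F` in the original is there to handle.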
The final solution developed is capable of capturing HTTP traffic, as well as writing and reading the tcpdump format. To allow for HTTP connection monitoring, the HTTP Analyser Foundation (illustrated in Figure 5-2) splits the traffic based on the combination of client IP, client port, server IP and server port. At the beginning this proved to be problematic, since nested ArrayLists were chosen to store raw packets. Microsoft guarantees that ArrayLists are thread-safe for read and write operations; however, the only way to search an ArrayList is to iterate through it, and here was the problem. The program produced errors when there was a write to an ArrayList under iteration. This problem was solved by using synchronised wrappers for the ArrayLists used. Then, for the purpose of HTTP conversation monitoring, the application was programmed to "understand" basic TCP and HTTP parameters. Thus, the logic of the implementation treats the following packets as interesting:

- The first packet from client to server after a 3XX or zero-length response from the server.
- A packet with TCP sequence number equal to the acknowledgment number from the last client request.

Additionally, some extra logic was added into the application following testing. Those improvements included adding a tick box which allows work in promiscuous mode with some Intel-based adapters, whose logic proved to be the inverse of that used in most adapters.
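The two "interesting packet" rules above, together with the per-conversation split on the (client IP, client port, server IP, server port) tuple, can be shown as a small tracker. The Python code below is an added example, not the dissertation's C# implementation; it works on segments that have already been decoded (the kind of fields SharpPcap returns) rather than on raw bytes. Three points are assumptions of this example rather than statements from the page: the first segment seen on a new 4-tuple is taken to come from the client, pure ACKs (no payload) are ignored in both directions, and the first request of a new conversation is labelled interesting as well as requests following a 3XX or empty response. A lock serialises access to the flow table, which is the role the synchronised ArrayList wrappers played in the original. The trace in `sample_trace` is constructed, not captured.

```python
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment, already decoded."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload: bytes


@dataclass
class FlowState:
    last_client_ack: Optional[int] = None   # ack number carried by the last client request
    expect_new_request: bool = True         # True at start and after a 3XX or empty response


def status_code(payload: bytes) -> Optional[int]:
    """Parse 'HTTP/1.x NNN ...' from the start of a server segment; None if absent."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def empty_body(payload: bytes) -> bool:
    """Headers present but nothing after the blank line."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    return bool(sep) and body == b""


class HttpConversationTracker:
    """Splits segments into conversations keyed by
    (client IP, client port, server IP, server port) and labels the
    segments the two rules above call interesting."""

    def __init__(self):
        self._flows = {}
        self._lock = threading.Lock()      # callbacks and the GUI may share this object

    def observe(self, seg: Segment) -> Optional[str]:
        """Return 'request', 'response', or None for an uninteresting segment."""
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        with self._lock:
            if fwd in self._flows:
                key, from_client = fwd, True
            elif rev in self._flows:
                key, from_client = rev, False
            else:
                # Assumption: the first segment seen on a new 4-tuple is the client's.
                key, from_client = fwd, True
                self._flows[key] = FlowState()
            st = self._flows[key]

            if from_client:
                if not seg.payload:            # pure ACK, not a request
                    return None
                st.last_client_ack = seg.ack
                if st.expect_new_request:
                    st.expect_new_request = False
                    return "request"
                return None

            # Server -> client: the response starts where the client's ack points.
            if not seg.payload or seg.seq != st.last_client_ack:
                return None
            code = status_code(seg.payload)
            if (code is not None and 300 <= code < 400) or empty_body(seg.payload):
                st.expect_new_request = True
            return "response"


def sample_trace():
    """Constructed exchange: a redirect, the follow-up request, a 200 whose body
    is split over two segments, and a pure ACK from the client in between."""
    C, S = "10.0.0.1", "10.0.0.2"
    req1 = b"GET /old HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp1 = b"HTTP/1.1 302 Found\r\nLocation: /new\r\n\r\n"
    req2 = b"GET /new HTTP/1.1\r\nHost: example.test\r\n\r\n"
    resp2 = b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nhello"
    c_seq, s_seq = 1000, 5000
    segs = []
    segs.append(Segment(C, 40000, S, 80, c_seq, s_seq, req1)); c_seq += len(req1)
    segs.append(Segment(S, 80, C, 40000, s_seq, c_seq, resp1)); s_seq += len(resp1)
    segs.append(Segment(C, 40000, S, 80, c_seq, s_seq, req2)); c_seq += len(req2)
    segs.append(Segment(S, 80, C, 40000, s_seq, c_seq, resp2)); s_seq += len(resp2)
    segs.append(Segment(C, 40000, S, 80, c_seq, s_seq, b""))         # pure ACK
    segs.append(Segment(S, 80, C, 40000, s_seq, c_seq, b"world"))    # body continuation
    tracker = HttpConversationTracker()
    return [tracker.observe(s) for s in segs]
```

Running `sample_trace()` labels the first four segments (request, redirect, follow-up request, 200 response) and ignores the client's pure ACK and the server's continuation segment, because the latter's sequence number no longer matches the acknowledgment number of the last client request.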
Also, some extra filtering capabilities were added to allow directional visualisation.

5.3.2 HTTP Proxies

In the design section we identified that the development of an HTTP Proxy Foundation could create a base for the implementation of the prototype's Inline Filtering Agent, as well as the applications required for the experiments (Filtering Proxy, Data Hiding Proxy). Thus, we performed an investigation with the objective of finding a genuine open source proxy server that could be adjusted to our needs. This resulted in the identification of the Mentalis.org Proxy [8], open source software with a licence permitting redistribution and modification. While the original software was a console application which could perform the functions of HTTP, FTP and SOCKS proxy servers, we employed only the classes responsible for HTTP operation out of the original design, i.e. client, HTTPclient, listener and HTTPlistener. Consequently a graphical user interface was produced to control the application. The final HTTP Proxy Foundation (illustrated in Figure 5-3) uses asynchronous system calls. Therefore, interfacing is needed between the GUI and the functional classes. At first this was troublesome, since the GUI instantiated the other classes and therefore had full control over them, but the instances of the functional classes could not communicate back to it. This was solved by the implementation of a ConsoleBuffer class with a number of static variables. Static variables are shared among all instances of the same class, thus the different components of the HTTP Proxy Foundation implementation use it to communicate with each other.

8 Author: KPD-Team; Website: http://www.mentalis.org/soft/projects/Proxy/
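The ConsoleBuffer pattern described above (static state shared by every instance, so that asynchronous callbacks can report back to a GUI that never handed them a reference) can be shown in a few lines. The Python code below is an added example, not the dissertation's or the Mentalis.org Proxy's ConsoleBuffer class; the class and method names are this example's own. It adds one thing the page does not mention but which asynchronous callbacks require: a lock around the shared buffer, since the worker threads post while the GUI side drains, which is the same class of problem the analyser hit with ArrayLists under iteration.

```python
import threading
from collections import deque


class ConsoleBuffer:
    """Message channel held in class-level (static) state.

    Every instance reads and writes the same deque, so each component can
    construct its own ConsoleBuffer and still exchange messages with the GUI.
    """
    _messages = deque()             # shared by all instances
    _lock = threading.Lock()        # serialises posts from callback threads and GUI drains

    def post(self, source: str, text: str) -> None:
        with ConsoleBuffer._lock:
            ConsoleBuffer._messages.append((source, text))

    def drain(self):
        """Take everything posted so far, in arrival order."""
        with ConsoleBuffer._lock:
            items = list(ConsoleBuffer._messages)
            ConsoleBuffer._messages.clear()
        return items


def per_source_in_order(received) -> bool:
    """True if, for each source, its events arrived in the order they were posted."""
    last = {}
    for source, text in received:
        n = int(text.rsplit(" ", 1)[1])
        if source in last and n <= last[source]:
            return False
        last[source] = n
    return True


def run_demo(workers: int = 4, per_worker: int = 50):
    """Simulate listener/client components posting from their own threads
    while a separate GUI-side instance drains the buffer afterwards."""
    def component(name: str) -> None:
        buf = ConsoleBuffer()        # separate instance, same static state
        for i in range(per_worker):
            buf.post(name, f"event {i}")

    threads = [threading.Thread(target=component, args=(f"worker-{n}",))
               for n in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    gui = ConsoleBuffer()            # the GUI never received references to the workers
    return gui.drain()


if __name__ == "__main__":
    received = run_demo()
    print(len(received), "messages;", "ordered per source:", per_source_in_order(received))
```

After `run_demo()` the GUI-side instance holds every message the worker instances posted, and a second `drain()` on a fresh instance returns nothing, since the state lives in the class rather than in any instance.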