SlideShare ist ein Scribd-Unternehmen logo

Tutorial of SF-TAP Flow Abstractor

Yuuki Takano
Yuuki Takano

This is a tutorial for implementing application level traffic analyzer by using SF-TAP flow abstractor. http://sf-tap.github.io/ https://github.com/SF-TAP/ https://github.com/SF-TAP/flow-abstractor https://www.usenix.org/conference/lisa15/conference-program/presentation/takano http://ytakano.github.io/

Technologie
1 von 21
Downloaden Sie, um offline zu lesen
SF-TAP Tutorial Flow Abstractor ver. National Institute of Information and Communications Technology Yuuki Takano
What Flow Abstractor Do? 2 NW I/F HTTP I/F TLS I/F Flow Abstractor Flow Classifier TLS Analyzer HTTP Analyzer HTTP Proxy TCP and UDP Handler filter and classifier rule L7 Loopback I/F DB Forensic IDS/IPS etc... Application Protocol Analyzer etc...TCP Default I/F UDP Default I/F Analyzer PlaneAbstractor Plane Flow Identifier SF-TAP Cell IP Packet Defragmenter Flow Classification TCP Reassemble IP Defragmentation You can easily develop application level analyzers.
Operating Systems, on which Flow Abstractor can Run Linux *BSD MacOS X 3
Required Libraries Dependencies Boost C++ Library libpcap libevent (2.0 or later) RE2 yaml-cpp Other Tools cmake git C++11 Compiler (gcc or clang) 4
Install Required Libraries (Assuming Ubuntu 15.04) 5 $ sudo apt-get install build-essential cmake git libevent-dev libboost-all-dev libpcap-dev libre2-dev libyaml-cpp-dev
Download Source Code and Compile It 6 $ git clone https://github.com/SF-TAP/flow- abstractor.git $ cd flow-abstractor $ cmake -DCMAKE_BUILD_TYPE=Release CMakeLists.txt $ make
Configuration File (cont.) 7 # global configuration global: home: /tmp/sf-tap # directory, on which UNIX domain files are placed timeout: 600 # close long-lived (over 600[s]) but do-nothing connections lru: yes # bring the least recently used pattern to front of list cache: yes # use cache for regex # loopback interface for injecting L7 traffic to the flow abstractor loopback7: if: loopback7 format: text tcp_default: if: default # for every flow that wasn't matched by any rules proto: TCP format: text body: yes udp_default: if: default # for every flow that wasn't matched by any rules proto: UDP format: text body: yes
Configuration File 8 http: up: '^[-a-zA-Z]+ .+ HTTP/1.(0r?n|1r?n([-a-zA-Z]+: .+r?n)+)' down: '^HTTP/1.[01] [1-9][0-9]{2} .+r?n' proto: TCP # TCP or UDP if: http # file name of UNIX domain socket format: text # text or binary body: yes # if specified 'no', only header is output nice: 100 # the smaller a value is, the higher a priority is # balance = 2 # flows are balanced by 2 interfaces dns_udp: proto: UDP if: dns port: 53 # port number format: text nice: 200
Run Flow Abstractor 9 $ sudo ./src/sftap_fabs -i en1 -c ./examples/fabs.yaml run the fow abstractor $ ls -R /tmp/sf-tap loopback7= tcp/ udp/ /tmp/sf-tap/tcp: default= http= smtp= torrent_tracker= dns= http_proxy= ssh= websocket= ftp= irc= ssl= /tmp/sf-tap/udp: default= dns= torrent_dht= confirm that flow abstraction interfaces were created
Sniff HTTP Flows 10 $ sudo nc -U /tmp/sf-tap/tcp/http $ curl http://www.google.com/ read the abstraction interface of HTTP access some web sites
Protocol Format of Flow Abstraction Interfaces 11 $ sudo nc -U /tmp/sf-tap/tcp/http ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=CREATED ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=2,match=down,len=494 HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Location: http://www.google.co.jp/?gfe_rd=cr&ei=oVcLVvL7JsHD8AfZnYHQAQ (omitted) ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=1,match=up,len=78 GET / HTTP/1.1 Host: www.google.com User-Agent: curl/7.43.0 Accept: */* ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DESTROYED header header data header data header
Header Format CSV like key-value pairs. Consisting of one line. (ended with n) 12 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0, l3=ipv4,l4=tcp,event=CREATED { “ip1”: “192.168.24.54”, “ip2”: “216.58.221.196”, “port1”: 59547, “port2”: 80, “hop”: 0, “l3”: “ipv4”, “l4”: “tcp”, “event”: “CREATED” } equivalents for
Life Cycle of a Flow 13 CREATED DESTROYED DATA When TCP connection is established (performed 3-way handshake), CREATED event is invoked. When TCP connection is destroyed (received FIN/RST, or timeout), DESTROYED event is invoked. When arriving data, DATA event is invoked.
Protocols of UDP UDP is not connection oriented. Therefore, only DATA event is invoked. 14
Flow Identification Each flow is identified by IP addresses, Port numbers and hop count. Flows are Identified by tuple of
 (ip1, port1, ip2, port2, hop) Hop filed indicates that how many times the flow is re-injected to the L7 loopback interface. 15 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80, hop=0,l3=ipv4,l4=tcp,event=CREATED
Origin of DATA TCP is connection oriented. Therefore, data is coming from 2 origins. 16 (ip1, port1) (ip2, port2) data from host1 data from host2 host1 host2 ip1=192.168.24.54,ip2=216.58.221.196,po rt1=59547,port2=80,hop=0,l3=ipv4,l4=tcp ,event=DATA,from=2,match=down,len=494 from field indicates the origin of data
Length of DATA Len filed indicates the length of data. 17 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0, l3=ipv4,l4=tcp,event=DATA,from=2,match=down,len=494 header event=DATA,len=494 data 494 bytes
Upstream and Downstream Match filed indicates that which pattern is used for matching. 18 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=2,match=down,len=494 http: up: '^[-a-zA-Z]+ .+ HTTP/1.(0r?n|1r?n([-a-zA-Z]+: .+r?n)+)' down: '^HTTP/1.[01] [1-9][0-9]{2} .+r?n' proto: TCP # TCP or UDP if: http # file name of UNIX domain socket format: text # text or binary body: yes # if specified 'no', only header is output nice: 100 # the smaller a value is, the higher a priority is # balance = 2 # flows are balanced by 2 interfaces Configuration Matched with the pattern of downstream Matched with the pattern of upstream ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=1,match=up,len=78
Write Your Own Analyzers Skelton in Pseudo Code 19 // connect to socket s = socket(); connect(s, “/tmp/sf-tap/tcp/http”); for (;;) { // read header readline(s, line); h = parse_header(line); // generate session ID sid = new sessionID(h[“ip1”], h[“ip2”], h[“port1”], h[“port2”], h[“hop”]); if (h[“event”] == “DATA”) { read(s, buf, h[“len”]); } }
Skelton in Python 20 https://gist.github.com/ytakano/87fcb3377df3c29c60c3
Examples Protocol Parsers 21 $ git clone https://github.com/SF-TAP/protocol- parser.git $ cd protocol-parser/http $ sudo python3 sftap_http.py more information is available on https://github.com/SF-TAP/documents/blob/master/ tutorial_fabs_ubuntu1504.md

Empfohlen

SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)Yuuki Takano
 
FARIS: Fast and Memory-efficient URL Filter by Domain Specific Machine
FARIS: Fast and Memory-efficient URL Filter by Domain Specific MachineFARIS: Fast and Memory-efficient URL Filter by Domain Specific Machine
FARIS: Fast and Memory-efficient URL Filter by Domain Specific MachineYuuki Takano
 
The Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF PrimerThe Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF PrimerSasha Goldshtein
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machineAlexei Starovoitov
 
Staring into the eBPF Abyss
Staring into the eBPF AbyssStaring into the eBPF Abyss
Staring into the eBPF AbyssSasha Goldshtein
 
BPF - All your packets belong to me
BPF - All your packets belong to meBPF - All your packets belong to me
BPF - All your packets belong to me_xhr_
 
Networking and Go: An Epic Journey
Networking and Go: An Epic JourneyNetworking and Go: An Epic Journey
Networking and Go: An Epic JourneySneha Inguva
 
20170925 onos and p4
20170925 onos and p420170925 onos and p4
20170925 onos and p4Yi Tseng
 

Empfohlen

SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)Yuuki Takano
 
FARIS: Fast and Memory-efficient URL Filter by Domain Specific Machine
FARIS: Fast and Memory-efficient URL Filter by Domain Specific MachineFARIS: Fast and Memory-efficient URL Filter by Domain Specific Machine
FARIS: Fast and Memory-efficient URL Filter by Domain Specific MachineYuuki Takano
 
The Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF PrimerThe Next Linux Superpower: eBPF Primer
The Next Linux Superpower: eBPF PrimerSasha Goldshtein
 
BPF - in-kernel virtual machine
BPF - in-kernel virtual machineBPF - in-kernel virtual machine
BPF - in-kernel virtual machineAlexei Starovoitov
 
Staring into the eBPF Abyss
Staring into the eBPF AbyssStaring into the eBPF Abyss
Staring into the eBPF AbyssSasha Goldshtein
 
BPF - All your packets belong to me
BPF - All your packets belong to meBPF - All your packets belong to me
BPF - All your packets belong to me_xhr_
 
Networking and Go: An Epic Journey
Networking and Go: An Epic JourneyNetworking and Go: An Epic Journey
Networking and Go: An Epic JourneySneha Inguva
 
20170925 onos and p4
20170925 onos and p420170925 onos and p4
20170925 onos and p4Yi Tseng
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!Affan Syed
 
2016 NCTU P4 Workshop
2016 NCTU P4 Workshop2016 NCTU P4 Workshop
2016 NCTU P4 WorkshopYi Tseng
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of MeltdownsAndriy Berestovskyy
 
Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Andriy Berestovskyy
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
 
Socket Programming- Data Link Access
Socket Programming- Data Link AccessSocket Programming- Data Link Access
Socket Programming- Data Link AccessLJ PROJECTS
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThomas Graf
 
Programming Protocol-Independent Packet Processors
Programming Protocol-Independent Packet ProcessorsProgramming Protocol-Independent Packet Processors
Programming Protocol-Independent Packet ProcessorsOpen Networking Summits
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughThomas Graf
 
Network sockets
Network socketsNetwork sockets
Network socketsDenys Haryachyy
 
BPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathThomas Graf
 
eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureNetronome
 
Ebpf ovsconf-2016
Ebpf ovsconf-2016Ebpf ovsconf-2016
Ebpf ovsconf-2016Cheng-Chun William Tu
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesAnne Nicolas
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful ServicesThomas Graf
 
[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4Open Networking Summits
 
MPI
MPIMPI
MPIZongYing Lyu
 
Sockets and Socket-Buffer
Sockets and Socket-BufferSockets and Socket-Buffer
Sockets and Socket-BufferSourav Punoriyar
 
Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...
Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...
Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...Hsien-Hsin Sean Lee, Ph.D.
 
Netkitmig
NetkitmigNetkitmig
Netkitmigrenyufei
 
Ngrep commands
Ngrep commandsNgrep commands
Ngrep commandsRishu Seth
 

Weitere ähnliche Inhalte

Was ist angesagt?

ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!Affan Syed
 
2016 NCTU P4 Workshop
2016 NCTU P4 Workshop2016 NCTU P4 Workshop
2016 NCTU P4 WorkshopYi Tseng
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Andriy Berestovskyy
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
 
Socket Programming- Data Link Access
Socket Programming- Data Link AccessSocket Programming- Data Link Access
Socket Programming- Data Link AccessLJ PROJECTS
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThomas Graf
 
Programming Protocol-Independent Packet Processors
Programming Protocol-Independent Packet ProcessorsProgramming Protocol-Independent Packet Processors
Programming Protocol-Independent Packet ProcessorsOpen Networking Summits
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughThomas Graf
 
BPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathThomas Graf
 
eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureNetronome
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesAnne Nicolas
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful ServicesThomas Graf
 
[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4Open Networking Summits
 
Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...
Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...
Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...Hsien-Hsin Sean Lee, Ph.D.
 

Was ist angesagt? (20)

ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!
 
2016 NCTU P4 Workshop
2016 NCTU P4 Workshop2016 NCTU P4 Workshop
2016 NCTU P4 Workshop
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecture
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of Meltdowns
 
Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
 
Socket Programming- Data Link Access
Socket Programming- Data Link AccessSocket Programming- Data Link Access
Socket Programming- Data Link Access
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
 
Programming Protocol-Independent Packet Processors
Programming Protocol-Independent Packet ProcessorsProgramming Protocol-Independent Packet Processors
Programming Protocol-Independent Packet Processors
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
 
Network sockets
Network socketsNetwork sockets
Network sockets
 
BPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable Datapath
 
eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging Infrastructure
 
Ebpf ovsconf-2016
Ebpf ovsconf-2016Ebpf ovsconf-2016
Ebpf ovsconf-2016
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering Oopsies
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services
 
[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4
 
MPI
MPIMPI
MPI
 
Sockets and Socket-Buffer
Sockets and Socket-BufferSockets and Socket-Buffer
Sockets and Socket-Buffer
 
Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...
Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...
Lec7 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- Dynamic Sch...
 

Ähnlich wie Tutorial of SF-TAP Flow Abstractor

Ngrep commands
Ngrep commandsNgrep commands
Ngrep commandsRishu Seth
 
13048671.ppt
13048671.ppt13048671.ppt
13048671.pptLyVu51
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commandsHanan Nmr
 
Introduction to tcpdump
Introduction to tcpdumpIntroduction to tcpdump
Introduction to tcpdumpLev Walkin
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDGiovanni Bechis
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Andriy Berestovskyy
 
IL: 失われたプロトコル
IL: 失われたプロトコルIL: 失われたプロトコル
IL: 失われたプロトコルRyousei Takano
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Finalmasoodnt10
 
How to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsHow to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsDigitalOcean
 
Go with the Flow-v2
Go with the Flow-v2Go with the Flow-v2
Go with the Flow-v2Zobair Khan
 
Arp Dan Ipconfig Syntax
Arp Dan Ipconfig SyntaxArp Dan Ipconfig Syntax
Arp Dan Ipconfig Syntaxguestcc37e8c
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterAnne Nicolas
 
101 3.2 process text streams using filters
101 3.2 process text streams using filters101 3.2 process text streams using filters
101 3.2 process text streams using filtersAcácio Oliveira
 

Ähnlich wie Tutorial of SF-TAP Flow Abstractor (20)

Netkitmig
NetkitmigNetkitmig
Netkitmig
 
Ngrep commands
Ngrep commandsNgrep commands
Ngrep commands
 
13048671.ppt
13048671.ppt13048671.ppt
13048671.ppt
 
Linux Network commands
Linux Network commandsLinux Network commands
Linux Network commands
 
Introduction to tcpdump
Introduction to tcpdumpIntroduction to tcpdump
Introduction to tcpdump
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSD
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
 
IL: 失われたプロトコル
IL: 失われたプロトコルIL: 失われたプロトコル
IL: 失われたプロトコル
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
How to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsHow to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking Needs
 
Commands.pptx
Commands.pptxCommands.pptx
Commands.pptx
 
CN 1.docx
CN 1.docxCN 1.docx
CN 1.docx
 
Go with the Flow-v2
Go with the Flow-v2Go with the Flow-v2
Go with the Flow-v2
 
Go with the Flow
Go with the Flow Go with the Flow
Go with the Flow
 
Arp Dan Ipconfig Syntax
Arp Dan Ipconfig SyntaxArp Dan Ipconfig Syntax
Arp Dan Ipconfig Syntax
 
nwlab-ex1.pdf
nwlab-ex1.pdfnwlab-ex1.pdf
nwlab-ex1.pdf
 
null Pune meet - Understanding TCP/IP and Network Intrusion
null Pune meet - Understanding TCP/IP and Network Intrusionnull Pune meet - Understanding TCP/IP and Network Intrusion
null Pune meet - Understanding TCP/IP and Network Intrusion
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
 
101 3.2 process text streams using filters
101 3.2 process text streams using filters101 3.2 process text streams using filters
101 3.2 process text streams using filters
 

Mehr von Yuuki Takano

アクターモデル
アクターモデルアクターモデル
アクターモデルYuuki Takano
 
リアクティブプログラミング
リアクティブプログラミングリアクティブプログラミング
リアクティブプログラミングYuuki Takano
 
Transactional Memory
Transactional MemoryTransactional Memory
Transactional MemoryYuuki Takano
 
【やってみた】リーマン多様体へのグラフ描画アルゴリズムの実装【実装してみた】
【やってみた】リーマン多様体へのグラフ描画アルゴリズムの実装【実装してみた】【やってみた】リーマン多様体へのグラフ描画アルゴリズムの実装【実装してみた】
【やってみた】リーマン多様体へのグラフ描画アルゴリズムの実装【実装してみた】Yuuki Takano
 
SF-TAP: L7レベルネットワークトラフィック解析器
SF-TAP: L7レベルネットワークトラフィック解析器SF-TAP: L7レベルネットワークトラフィック解析器
SF-TAP: L7レベルネットワークトラフィック解析器Yuuki Takano
 
MindYourPrivacy: Design and Implementation of a Visualization System for Thir...
MindYourPrivacy: Design and Implementation of a Visualization System for Thir...MindYourPrivacy: Design and Implementation of a Visualization System for Thir...
MindYourPrivacy: Design and Implementation of a Visualization System for Thir...Yuuki Takano
 
SF-TAP: 柔軟で規模追従可能なトラフィック解析基盤の設計
SF-TAP: 柔軟で規模追従可能なトラフィック解析基盤の設計SF-TAP: 柔軟で規模追従可能なトラフィック解析基盤の設計
SF-TAP: 柔軟で規模追従可能なトラフィック解析基盤の設計Yuuki Takano
 
Measurement Study of Open Resolvers and DNS Server Version
Measurement Study of Open Resolvers and DNS Server VersionMeasurement Study of Open Resolvers and DNS Server Version
Measurement Study of Open Resolvers and DNS Server VersionYuuki Takano
 
Security workshop 20131220
Security workshop 20131220Security workshop 20131220
Security workshop 20131220Yuuki Takano
 
Security workshop 20131213
Security workshop 20131213Security workshop 20131213
Security workshop 20131213Yuuki Takano
 
Security workshop 20131127
Security workshop 20131127Security workshop 20131127
Security workshop 20131127Yuuki Takano
 
A Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server VersionA Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server VersionYuuki Takano
 

Mehr von Yuuki Takano (14)

アクターモデル
アクターモデルアクターモデル
アクターモデル
 
π計算
π計算π計算
π計算
 
リアクティブプログラミング
リアクティブプログラミングリアクティブプログラミング
リアクティブプログラミング
 
Transactional Memory
Transactional MemoryTransactional Memory
Transactional Memory
 
CUDAメモ
CUDAメモCUDAメモ
CUDAメモ
 
【やってみた】リーマン多様体へのグラフ描画アルゴリズムの実装【実装してみた】
【やってみた】リーマン多様体へのグラフ描画アルゴリズムの実装【実装してみた】【やってみた】リーマン多様体へのグラフ描画アルゴリズムの実装【実装してみた】
【やってみた】リーマン多様体へのグラフ描画アルゴリズムの実装【実装してみた】
 
SF-TAP: L7レベルネットワークトラフィック解析器
SF-TAP: L7レベルネットワークトラフィック解析器SF-TAP: L7レベルネットワークトラフィック解析器
SF-TAP: L7レベルネットワークトラフィック解析器
 
MindYourPrivacy: Design and Implementation of a Visualization System for Thir...
MindYourPrivacy: Design and Implementation of a Visualization System for Thir...MindYourPrivacy: Design and Implementation of a Visualization System for Thir...
MindYourPrivacy: Design and Implementation of a Visualization System for Thir...
 
SF-TAP: 柔軟で規模追従可能なトラフィック解析基盤の設計
SF-TAP: 柔軟で規模追従可能なトラフィック解析基盤の設計SF-TAP: 柔軟で規模追従可能なトラフィック解析基盤の設計
SF-TAP: 柔軟で規模追従可能なトラフィック解析基盤の設計
 
Measurement Study of Open Resolvers and DNS Server Version
Measurement Study of Open Resolvers and DNS Server VersionMeasurement Study of Open Resolvers and DNS Server Version
Measurement Study of Open Resolvers and DNS Server Version
 
Security workshop 20131220
Security workshop 20131220Security workshop 20131220
Security workshop 20131220
 
Security workshop 20131213
Security workshop 20131213Security workshop 20131213
Security workshop 20131213
 
Security workshop 20131127
Security workshop 20131127Security workshop 20131127
Security workshop 20131127
 
A Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server VersionA Measurement Study of Open Resolvers and DNS Server Version
A Measurement Study of Open Resolvers and DNS Server Version
 

Kürzlich hochgeladen

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 

Kürzlich hochgeladen (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 

Tutorial of SF-TAP Flow Abstractor

  • 1. SF-TAP Tutorial Flow Abstractor ver. National Institute of Information and Communications Technology Yuuki Takano
  • 2. What Flow Abstractor Do? 2 NW I/F HTTP I/F TLS I/F Flow Abstractor Flow Classifier TLS Analyzer HTTP Analyzer HTTP Proxy TCP and UDP Handler filter and classifier rule L7 Loopback I/F DB Forensic IDS/IPS etc... Application Protocol Analyzer etc...TCP Default I/F UDP Default I/F Analyzer PlaneAbstractor Plane Flow Identifier SF-TAP Cell IP Packet Defragmenter Flow Classification TCP Reassemble IP Defragmentation You can easily develop application level analyzers.
  • 3. Operating Systems, on which Flow Abstractor can Run Linux *BSD MacOS X 3
  • 4. Required Libraries Dependencies Boost C++ Library libpcap libevent (2.0 or later) RE2 yaml-cpp Other Tools cmake git C++11 Compiler (gcc or clang) 4
  • 5. Install Required Libraries (Assuming Ubuntu 15.04) 5 $ sudo apt-get install build-essential cmake git libevent-dev libboost-all-dev libpcap-dev libre2-dev libyaml-cpp-dev
  • 6. Download Source Code and Compile It 6 $ git clone https://github.com/SF-TAP/flow- abstractor.git $ cd flow-abstractor $ cmake -DCMAKE_BUILD_TYPE=Release CMakeLists.txt $ make
  • 7. Configuration File (cont.) 7 # global configuration global: home: /tmp/sf-tap # directory, on which UNIX domain files are placed timeout: 600 # close long-lived (over 600[s]) but do-nothing connections lru: yes # bring the least recently used pattern to front of list cache: yes # use cache for regex # loopback interface for injecting L7 traffic to the flow abstractor loopback7: if: loopback7 format: text tcp_default: if: default # for every flow that wasn't matched by any rules proto: TCP format: text body: yes udp_default: if: default # for every flow that wasn't matched by any rules proto: UDP format: text body: yes
  • 8. Configuration File 8 http: up: '^[-a-zA-Z]+ .+ HTTP/1.(0r?n|1r?n([-a-zA-Z]+: .+r?n)+)' down: '^HTTP/1.[01] [1-9][0-9]{2} .+r?n' proto: TCP # TCP or UDP if: http # file name of UNIX domain socket format: text # text or binary body: yes # if specified 'no', only header is output nice: 100 # the smaller a value is, the higher a priority is # balance = 2 # flows are balanced by 2 interfaces dns_udp: proto: UDP if: dns port: 53 # port number format: text nice: 200
  • 9. Run Flow Abstractor 9 $ sudo ./src/sftap_fabs -i en1 -c ./examples/fabs.yaml run the fow abstractor $ ls -R /tmp/sf-tap loopback7= tcp/ udp/ /tmp/sf-tap/tcp: default= http= smtp= torrent_tracker= dns= http_proxy= ssh= websocket= ftp= irc= ssl= /tmp/sf-tap/udp: default= dns= torrent_dht= confirm that flow abstraction interfaces were created
  • 10. Sniff HTTP Flows 10 $ sudo nc -U /tmp/sf-tap/tcp/http $ curl http://www.google.com/ read the abstraction interface of HTTP access some web sites
  • 11. Protocol Format of Flow Abstraction Interfaces 11 $ sudo nc -U /tmp/sf-tap/tcp/http ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=CREATED ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=2,match=down,len=494 HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Location: http://www.google.co.jp/?gfe_rd=cr&ei=oVcLVvL7JsHD8AfZnYHQAQ (omitted) ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=1,match=up,len=78 GET / HTTP/1.1 Host: www.google.com User-Agent: curl/7.43.0 Accept: */* ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DESTROYED header header data header data header
  • 12. Header Format CSV like key-value pairs. Consisting of one line. (ended with n) 12 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0, l3=ipv4,l4=tcp,event=CREATED { “ip1”: “192.168.24.54”, “ip2”: “216.58.221.196”, “port1”: 59547, “port2”: 80, “hop”: 0, “l3”: “ipv4”, “l4”: “tcp”, “event”: “CREATED” } equivalents for
  • 13. Life Cycle of a Flow 13 CREATED DESTROYED DATA When TCP connection is established (performed 3-way handshake), CREATED event is invoked. When TCP connection is destroyed (received FIN/RST, or timeout), DESTROYED event is invoked. When arriving data, DATA event is invoked.
  • 14. Protocols of UDP UDP is not connection oriented. Therefore, only DATA event is invoked. 14
  • 15. Flow Identification Each flow is identified by IP addresses, Port numbers and hop count. Flows are Identified by tuple of
 (ip1, port1, ip2, port2, hop) Hop filed indicates that how many times the flow is re-injected to the L7 loopback interface. 15 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80, hop=0,l3=ipv4,l4=tcp,event=CREATED
  • 16. Origin of DATA TCP is connection oriented. Therefore, data is coming from 2 origins. 16 (ip1, port1) (ip2, port2) data from host1 data from host2 host1 host2 ip1=192.168.24.54,ip2=216.58.221.196,po rt1=59547,port2=80,hop=0,l3=ipv4,l4=tcp ,event=DATA,from=2,match=down,len=494 from field indicates the origin of data
  • 17. Length of DATA Len filed indicates the length of data. 17 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0, l3=ipv4,l4=tcp,event=DATA,from=2,match=down,len=494 header event=DATA,len=494 data 494 bytes
  • 18. Upstream and Downstream Match filed indicates that which pattern is used for matching. 18 ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=2,match=down,len=494 http: up: '^[-a-zA-Z]+ .+ HTTP/1.(0r?n|1r?n([-a-zA-Z]+: .+r?n)+)' down: '^HTTP/1.[01] [1-9][0-9]{2} .+r?n' proto: TCP # TCP or UDP if: http # file name of UNIX domain socket format: text # text or binary body: yes # if specified 'no', only header is output nice: 100 # the smaller a value is, the higher a priority is # balance = 2 # flows are balanced by 2 interfaces Configuration Matched with the pattern of downstream Matched with the pattern of upstream ip1=192.168.24.54,ip2=216.58.221.196,port1=59547,port2=80,hop=0,l3=ipv4, l4=tcp,event=DATA,from=1,match=up,len=78
  • 19. Write Your Own Analyzers Skelton in Pseudo Code 19 // connect to socket s = socket(); connect(s, “/tmp/sf-tap/tcp/http”); for (;;) { // read header readline(s, line); h = parse_header(line); // generate session ID sid = new sessionID(h[“ip1”], h[“ip2”], h[“port1”], h[“port2”], h[“hop”]); if (h[“event”] == “DATA”) { read(s, buf, h[“len”]); } }
  • 21. Examples Protocol Parsers 21 $ git clone https://github.com/SF-TAP/protocol- parser.git $ cd protocol-parser/http $ sudo python3 sftap_http.py more information is available on https://github.com/SF-TAP/documents/blob/master/ tutorial_fabs_ubuntu1504.md