Research and Implementation of Ethernet Network Sniffing
Abstract
Computer networks and telecommunication technologies are now used in a wide range of applications in daily life and work. The success of the Internet has brought networking into every household. However, this also makes computer networks more complex every day, and makes the work of designing, maintaining and securing a network harder. For this reason there is an increasing need for tools that can analyse, diagnose and test the functionality and the security of networks. To do their work, these tools usually need to obtain the data transiting on a network, capturing it while the network is operating. The great number of transmission techniques and communication protocols complicates this task. Moreover, performance is critical in order to capture from fast networks at full speed without losing data.
     This thesis first introduces the concepts of network sniffing and the related Windows operating system concepts. It then discusses the sniffing solution in detail, from concepts to code, from high-level design to implementation, and from user level to kernel level. WinPcap is a capture framework built on the Win32 operating system; it provides a set of system calls for obtaining raw data from the network. The thesis describes the essential steps and advanced functions for implementing a WinPcap-based application, and implements an Ethernet network sniffing program. Finally, the thesis discusses the parameters that influence sniffing performance. Performance is analysed for each component of the sniffing system, such as the efficiency of the filter, the size of the packet buffer, the number of bytes copied per packet and the number of system calls, as well as for the system as a whole. Some performance test cases are provided, and a performance test of the whole sniffing system is carried out.
