IPAudit – Software for network monitoring.

Posted 21-Dec-2015 (category: Documents). Transcript of a 16-page slide deck.

Page 1

IPAudit

Software for network monitoring.

Page 2

Question: Why did you choose IPAudit for a topic?

(Probably should have asked this earlier)

Page 3

IPAudit – Three stories

Network Monitoring
Software Development
Open Source Project Management

Page 4

What IPAudit is

Two parts

Binary
Sniffs network and periodically writes traffic summary to a text file.

Companion programs (I find these two programs more generally useful – ipaudit is more specialized.)
ipstrings – like strings, but for IP packets.
total – reads text records, maintains counts, averages, etc. for different field values.

IPAudit-Web
Web accessible reports based on data collected by binary.

Page 5

Problem that IPAudit solves

IMS based DoS attack, 1999: infected host in IMS was doing a DoS against off-campus host.

Problem: No easy method of finding host.
Manual method: log into main switch, find busy interface, consult network maps to find next switch/hub, log into it, repeat ....

Solution: Monitor traffic by IP address. Find busiest IP address directly.

Page 6

Early Development: Ipaudit Binary

Monitored network with TCPDump and Perl scripts. Worked on a dual 333 MHz Pentium II at 50% load when monitoring a 4.5 Mb connection. Uconn had plans to upgrade to between 10 and 45 Mb/s → need faster system. Replaced with C program, the IPAudit binary.

Learned: pcap library, packet structure, C select() function.
Developed: new hash function. Existing hash functions are like black magic. Mine is easier to understand.

Page 7

Ipaudit Output

Columns: LOCAL-IP, REMOTE-IP, PROTOCOL, LOCAL-PORT, REMOTE-PORT, INC-BYTES, OUT-BYTES, INC-PKT, OUT-PKT, FIRST-TIME (sort), LAST-TIME, FIRST-TALKER, LAST-TALK

137.099.089.110 212.045.068.018 6 21 1317   278    353   5    4 09:51:08.0524 09:51:19.1243 2 2
137.099.089.110 212.045.068.018 6 21 1321   842   3389  13   16 09:51:08.7673 09:51:21.6822 2 2
137.099.089.110 212.045.068.018 6 20 1324 46120 712706 854 1261 09:51:20.4735 09:59:57.4130 1 2
137.099.089.110 212.045.068.018 6 21 1325   847   2316  13   15 09:51:21.5128 09:51:30.0712 2 2
137.099.089.110 212.045.068.018 6 21 1326   794   2386  12   15 09:51:22.0193 09:51:31.0847 2 2
137.099.089.110 212.045.068.018 6 21 1327   794   2209  12   13 09:51:22.5151 09:51:30.9838 2 2
137.099.089.110 212.045.068.018 6 20 1328 47632 709310 882 1255 09:51:28.5105 09:59:59.8142 1 1
137.099.089.110 212.045.068.018 6 20 1330 35698 536114 661  949 09:51:29.2214 09:59:59.9341 1 1
137.099.089.110 212.045.068.018 6 20 1329 33700 527624 624  934 09:51:29.6458 10:00:00.5380 1 1
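With records in this layout, the slide-5 approach ("monitor traffic by IP address, find the busiest IP address directly") is a short script. The following Python is an added example, not code from the slides or the ipaudit project: it parses records in the column order shown above, totals bytes per local address and ranks hosts by total or outbound bytes. The sample text is constructed (two rows copied from the slide plus two invented rows for a second local host), and the field names and function names are my own, not ipaudit's.

```python
"""Added example (not part of the slides or the ipaudit project): parse
ipaudit's text summary records and rank local hosts by traffic."""
from collections import defaultdict

# Column order as shown on the "Ipaudit Output" slide (names are mine).
FIELDS = ("local_ip", "remote_ip", "proto", "local_port", "remote_port",
          "inc_bytes", "out_bytes", "inc_pkt", "out_pkt",
          "first_time", "last_time", "first_talker", "last_talker")
INT_FIELDS = {"proto", "local_port", "remote_port",
              "inc_bytes", "out_bytes", "inc_pkt", "out_pkt",
              "first_talker", "last_talker"}

# Constructed sample: two rows from the slide plus two invented rows for a
# second local host (137.099.089.111) sending far more than it receives.
SAMPLE = """\
137.099.089.110 212.045.068.018 6 21 1317 278 353 5 4 09:51:08.0524 09:51:19.1243 2 2
137.099.089.110 212.045.068.018 6 20 1324 46120 712706 854 1261 09:51:20.4735 09:59:57.4130 1 2
137.099.089.111 198.051.100.007 17 1025 53 0 2000000 0 40000 09:52:00.0000 09:59:59.0000 1 1
137.099.089.111 198.051.100.007 17 1026 53 0 2500000 0 50000 09:52:00.0000 09:59:59.0000 1 1
"""


def parse_record(line):
    """Split one whitespace-delimited ipaudit record into a dict.
    Returns None for blank or malformed rows (wrong field count)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def parse_records(text):
    """All well-formed records in a block of ipaudit output."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def bytes_by_local_ip(records):
    """Total (in + out) and outbound bytes per local address."""
    totals = defaultdict(lambda: {"total": 0, "out": 0})
    for r in records:
        totals[r["local_ip"]]["total"] += r["inc_bytes"] + r["out_bytes"]
        totals[r["local_ip"]]["out"] += r["out_bytes"]
    return dict(totals)


def busiest_hosts(records, n=5, key="total"):
    """Local addresses ranked busiest first by 'total' or 'out' bytes."""
    totals = bytes_by_local_ip(records)
    return sorted(totals.items(), key=lambda kv: kv[1][key], reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for ip, t in busiest_hosts(recs, key="out"):
        print(f"{ip:16} total={t['total']:>10} out={t['out']:>10}")
```

Ranking by outbound bytes (`key="out"`) is the view that matters for the slide's scenario, an infected local host flooding an outside address; the zero-padded octets ipaudit prints are kept as strings so the output sorts and groups exactly as the tool wrote it.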

Page 8

IPStrings

Command line program to inspect IP string data

> ipstrings -f "port 25" -pit -s 256 eth0
137.099.025.234 137.099.080.033 6 25 55956 11:41:43.3353 220 mta1.uits.uconn.edu ESMTP Postfix (Debian/GNU)
137.099.080.033 137.099.025.234 6 55956 25 11:41:45.5772 helo uconn.edu
137.099.025.234 137.099.080.033 6 25 55956 11:41:45.5777 250 mta1.uits.uconn.edu
137.099.080.033 137.099.025.234 6 55956 25 11:41:49.9272 mail from: [email protected]
137.099.025.234 137.099.080.033 6 25 55956 11:41:49.9280 250 2.1.0 Ok
137.099.080.033 137.099.025.234 6 55956 25 11:41:57.8978 rcpt to: [email protected]
137.099.025.234 137.099.080.033 6 25 55956 11:41:57.8997 250 2.1.5 Ok
137.099.080.033 137.099.025.234 6 55956 25 11:42:00.9272 data
137.099.025.234 137.099.080.033 6 25 55956 11:42:00.9278 354 End data with <CR><LF>.<CR><LF>
137.099.080.033 137.099.025.234 6 55956 25 11:42:07.7678 Subject: This is a test message.
137.099.080.033 137.099.025.234 6 55956 25 11:42:11.8672 To: [email protected]
137.099.080.033 137.099.025.234 6 55956 25 11:42:21.1472 From: [email protected]
137.099.080.033 137.099.025.234 6 55956 25 11:42:47.7272 Congratulations! You are the new Homeland Security czar.
137.099.080.033 137.099.025.234 6 55956 25 11:43:00.4878 Please pick up your keys at the office tomorrow 0800.
137.099.080.033 137.099.025.234 6 55956 25 11:43:03.7678 - G.W.
137.099.025.234 137.099.080.033 6 25 55956 11:43:05.3363 250 2.0.0 Ok: queued as D6DB62CFB5
137.099.080.033 137.099.025.234 6 55956 25 11:43:07.2078 quit
137.099.025.234 137.099.080.033 6 25 55956 11:43:07.2086 221 2.0.0 Bye
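The "Early Development" slide lists the pieces the ipaudit binary is built from (pcap, packet structure, a hash-keyed flow table), and the ipstrings slide shows what the companion tool does with the payload of the same packets. The Python below is an added example, not code from the slides or the ipaudit project, that puts both on one page: it decodes Ethernet/IPv4/TCP headers from a constructed frame, keys the packet to a (local, remote, protocol, local port, remote port) flow, accumulates in/out bytes and packets in the order an ipaudit record is laid out, and extracts printable payload runs. Assumptions of mine: LOCAL_NET (137.99.0.0/16) decides which side is "local", bytes are counted as full frame lengths, the flow table is a Python dict rather than the author's own hash function, and build_frame, parse_frame, FlowTable and printable_strings are names I chose.

```python
"""Added example, not code from the slides or the ipaudit project: decode a
frame, key it to an ipaudit-style flow, count bytes/packets, and dump
printable payload runs the way ipstrings does."""
import ipaddress
import struct

LOCAL_NET = ipaddress.ip_network("137.99.0.0/16")  # assumed "local" side
ETH_HDR = 14                                        # Ethernet II header length


def build_frame(src, dst, sport, dport, payload, proto=6):
    """Construct a minimal Ethernet+IPv4+TCP frame for offline testing
    (checksums left at zero; a real capture would come from libpcap)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + tcp + payload


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport, payload) for an IPv4 frame,
    or None if the frame is not IPv4 or is truncated."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]
    proto = frame[ETH_HDR + 9]
    src = str(ipaddress.ip_address(frame[ETH_HDR + 12:ETH_HDR + 16]))
    dst = str(ipaddress.ip_address(frame[ETH_HDR + 16:ETH_HDR + 20]))
    l4 = frame[ETH_HDR + ihl:ETH_HDR + total_len]
    if proto == 6 and len(l4) >= 20:          # TCP: data offset in byte 12
        sport, dport = struct.unpack("!HH", l4[:4])
        return (src, dst, proto, sport, dport, l4[(l4[12] >> 4) * 4:])
    if proto == 17 and len(l4) >= 8:          # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        return (src, dst, proto, sport, dport, l4[8:])
    return (src, dst, proto, 0, 0, b"")       # other protocols: no ports


class FlowTable:
    """Counters per (local_ip, remote_ip, proto, local_port, remote_port),
    the key order of an ipaudit record.  Python's dict stands in for the
    hash table the binary keeps (the author's hash function is not shown)."""

    def __init__(self):
        self.flows = {}

    def add(self, frame):
        """Account one frame to its flow; returns the flow key or None."""
        pkt = parse_frame(frame)
        if pkt is None:
            return None
        src, dst, proto, sport, dport, _ = pkt
        outbound = ipaddress.ip_address(src) in LOCAL_NET
        key = (src, dst, proto, sport, dport) if outbound else (dst, src, proto, dport, sport)
        f = self.flows.setdefault(key, {"inc_bytes": 0, "out_bytes": 0,
                                        "inc_pkt": 0, "out_pkt": 0})
        side = "out" if outbound else "inc"
        f[side + "_bytes"] += len(frame)      # assumption: count full frame length
        f[side + "_pkt"] += 1
        return key


def printable_strings(payload, minlen=4):
    """ipstrings-style extraction: runs of printable ASCII >= minlen chars."""
    runs, run = [], bytearray()
    for b in payload + b"\x00":               # sentinel flushes the final run
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= minlen:
                runs.append(run.decode("ascii"))
            run = bytearray()
    return runs


if __name__ == "__main__":
    # Constructed SMTP exchange between a local MTA and an outside client.
    table = FlowTable()
    for frame in (build_frame("137.99.25.234", "198.51.100.7", 25, 55956,
                              b"220 mta1.uits.uconn.edu ESMTP Postfix\r\n"),
                  build_frame("198.51.100.7", "137.99.25.234", 55956, 25,
                              b"helo uconn.edu\r\n")):
        key = table.add(frame)
        print(key, printable_strings(parse_frame(frame)[5]))
    print(table.flows)
```

Both directions of the SMTP exchange land in one flow entry because the key is always written local side first, which is what lets the summary file answer "which local host is busiest" without joining two rows per conversation. On live traffic the frames would come from a pcap capture instead of build_frame; the slides' own binary does that part in C.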

Page 9

Total

> cat total.in
Ford Focus White 20
Ford Taurus White 31
Ford Taurus Red 15
Chevy Aero White 17
Honda Accord Red 12

> total -s1 1 4 total.in
Ford 66
Chevy 17
Honda 12

> total 1,3 4 total.in
Chevy White 17
Ford White 51
Honda Red 12
Ford Red 15
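The two invocations above show the whole idea of total: pick key columns, pick a value column, sum. Here is an added Python reimplementation of that behaviour, not the slides' or the project's code, so the slide's output can be reproduced on the constructed copy of total.in embedded below. The slide does not explain the `-s1` flag; `sort_desc=True` is my reading of it (sort by the summed value, largest first), which reproduces the order shown.

```python
"""Added example, not the slides' or the project's code: a small
reimplementation of what the 'total' slide demonstrates."""


def to_number(text):
    """Parse a numeric field as int when it is one, otherwise as float."""
    try:
        return int(text)
    except ValueError:
        return float(text)


def parse_columns(spec):
    """'1,3' -> [0, 2]: 1-based comma-separated column list to 0-based indices."""
    return [int(c) - 1 for c in str(spec).split(",")]


def total(text, key_spec, value_col, sort_desc=False):
    """Group whitespace-delimited records by the key columns and sum the
    value column.  Returns [(key_tuple, sum), ...] in first-seen order, or
    largest sum first when sort_desc is set (my reading of the slide's -s1)."""
    keys = parse_columns(key_spec)
    vcol = int(value_col) - 1
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if max(keys + [vcol]) >= len(parts):
            raise ValueError(f"record too short for the requested columns: {line!r}")
        k = tuple(parts[i] for i in keys)
        sums[k] = sums.get(k, 0) + to_number(parts[vcol])
    rows = list(sums.items())
    if sort_desc:
        rows.sort(key=lambda kv: kv[1], reverse=True)
    return rows


def format_rows(rows):
    """Render rows the way the slide prints them: 'key... sum'."""
    return [" ".join(k) + " " + str(v) for k, v in rows]


# Constructed copy of the slide's total.in
TOTAL_IN = """\
Ford Focus White 20
Ford Taurus White 31
Ford Taurus Red 15
Chevy Aero White 17
Honda Accord Red 12
"""

if __name__ == "__main__":
    print("\n".join(format_rows(total(TOTAL_IN, "1", 4, sort_desc=True))))
    print()
    print("\n".join(format_rows(total(TOTAL_IN, "1,3", 4))))
```

The same call works over ipaudit output because it is whitespace-delimited too: with the column order of the "Ipaudit Output" slide, `total(text, "1", 7, sort_desc=True)` sums OUT-BYTES (column 7) per LOCAL-IP (column 1), which is the busiest-sender report the DoS story on slide 5 needed.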

Page 10

Web based reporting: Ipaudit-Web

Web graphics and table based reports of ipaudit data.

Graph design inspired by Edward R. Tufte's “The Visual Display of Quantitative Information”. My interpretation: “Present as much raw data as possible in a way the viewer can recognize meaningful patterns.”

Pages 11–14

Ipaudit Graph (graph image slides)

Page 15

Live Demo

Uconn's IPAudit system: password protected, managed by the Network Security group.

Page 16

The IPAudit Project

Hosted on Sourceforge since 2001: http://sourceforge.net/projects/ipaudit. About 50,000 downloads.

Other Project Admins
jh8 – initial tar ball packaging
j4_gongloo – Ipaudit web site
(a couple of one-time Uconn students)

Contributors
Charles Green – ipaudit search binary

Since 2005, only I've touched the project.

Conclusion
This project does not host an active community. Project communities need a pro-active person.