CSE508: Network Security (PhD Section), Spring 2015 Homework 2: Programming with Libpcap ------------------------------------------------------------------------------- Submission deadline: 3/6/2015 11:59pm EDT Submission through email to: mikepo+CSE508HW2@cs.stonybrook.edu In this assignment you will develop a passive network monitoring application written in C using the libpcap packet capture library. Your program, called 'mydump', will capture the traffic from a network interface in promiscuous mode (or read the packets from a pcap trace file) and print a record for each packet in its standard output, much like a simplified version of tcpdump. The user should be able to specify a BPF filter for capturing a subset of the traffic, and/or a string pattern for capturing only packets with matching payloads. For HTTP traffic only, mydump also should enable the inspection of HTTP requests by printing the URI of GET and POST requests. Your program should conform to the following specification: mydump [-i interface] [-r file] [-s string] [-g] expression -i Listen on network device (e.g., eth0). If not specified, mydump should select a default interface to listen on. (hint 1) -r Read packets from (tcpdump format). (hint 2) -s Keep only packets that contain in their payload. You are not required to implement wildcard or regular expression matching. A simple string matching operation should suffice. (hint 3) -g HTTP sniffer mode: print the URIs of HTTP GET and POST requests. is a BPF filter that specifies which packets will be dumped. If no expression is given, all packets seen on the interface (or contained in the trace file) will be dumped. Otherwise, only packets matching will be dumped. For each packet, mydump outputs a record containing the timestamp, protocol (TCP, UDP, ICMP, OTHER), source and destination IP address and port, packet length, and the raw application-layer packet contents (hint 4). You are free, but not required, to enrich the output with other useful information from the packet headers (e.g., MAC addresses, TCP flags, IP/TCP options, ICMP message types, etc.). When the '-g' option is supplied, only packets that contain HTTP GET and POST requests are printed. (hint 5) What to submit: A tarball with all required source code files, an appropriate Makefile, and a short report (txt file is fine) with a brief description and example output from your program. Hints: 1. pcap_lookupdev() 2. pcap_open_offline() 3. e.g., strstr() 4. 2015-02-19 13:14:33.224487 UDP 10.0.0.1:137 -> 10.0.0.255:137 len 92 EB 71 01 10 00 01 00 00 00 00 00 00 20 45 42 45 .q.......... EBE 4A 45 42 46 44 43 41 43 41 43 41 43 41 43 41 43 JEBFDCACACACACAC 41 43 41 43 41 43 41 43 41 43 41 41 41 00 00 20 ACACACACACAAA.. 00 01 .. 2015-02-19 14:44:32.483327 ICMP 130.245.50.111 -> 130.245.20.2 len 98 3E 1C F8 49 8E 2A 01 00 08 09 0A 0B 0C 0D 0E 0F >..I.*.......... 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F ................ 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F !"#$%&'()*+,-./ 30 31 32 33 34 35 36 37 01234567 2015-02-19 15:04:13.064632 TCP 192.168.0.1:2365 -> 192.168.1.2:80 len 74 2015-02-19 15:04:13.131911 TCP 192.168.1.2:80 -> 192.168.0.1:2365 len 74 2015-02-19 15:04:13.131969 TCP 192.168.0.1:2365 -> 192.168.1.2:80 len 66 2015-02-19 15:04:13.132287 TCP 192.168.0.1:2365 -> 192.168.1.2:80 len 168 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A GET / HTTP/1.0.. 55 73 65 72 2D 41 67 65 6E 74 3A 20 57 67 65 74 User-Agent: Wget 2F 31 2E 31 31 2E 34 0D 0A 41 63 63 65 70 74 3A /1.11.4..Accept: 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 77 77 77 2E */*..Host: www. 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E google.com..Conn 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 ection: Keep-Ali 76 65 0D 0A 0D 0A ve.... 5. 2015-02-19 15:04:13.132287 TCP 192.168.0.1:2365 -> 192.168.1.2:80 len 168 GET / 2015-02-19 15:06:14.242688 TCP 192.168.0.1:5465 -> 192.168.1.2:80 len 175 GET /images/logo_small.png 2015-02-19 15:10:33.848104 TCP 192.168.0.16:6653 -> 192.168.1.32:80 len 214 POST /mail/channel/bind?at=xn3j38mbqtyb11e87gwnns2ze876zf&ui=2&VER=6