Saturday, December 1, 2007

Adventures With NetDude.

I've been looking for a tool that would allow me to trim a large pcap file down to specific application level connections and wanted to give NetDude a shot. My "fun" started with getting and build from source because there are not RPMs in a repository for openSUSE at this time.

Building NetDude
First I downloaded the netdude-0.4.8a.tar.gz file and the supporting libnetdude-0.10a.tar.gz and libpcapnav-0.8.tar.gz.

After extracting the arcived files I used configure; make; sudo make install | tee install.log in the following order: libpcapnav, libnetdude, netdude.

Next on to the plugins. I downloaded Essentials Pack, Appdemux, and TCP Filter plugins.

Libnetdude Plugins
AppDemux depends on several of the plugins in the Essentials
Pack and TCP Filter depends on Conntrack and Trace-Set from the Essentials Pack so the first order of business is to get the Essentials Pack built and installed.

I used configure; make; sudo make install | tee install.log in the following order: libnetdude-plugin-essentials, libnetdude-tcpfilter-plugin, libnetdude-appdemux-plugin

Netdude Plugins
The only NetDude plugin at the time of writing is the Traffic Analyzer. Unfortunately for me the version I downloaded did not build without errors. Since this was a quick hack I didn't spend time fixing the build so I was unable to try it out.

On to doing something useful with this...
I was able to demux TCP connections (transport level) with the demux plugin using lndtool (lndtool -r demux -0 wk3.01 -p we3.01_Mon.inside.tcpdump). I'm not sure that I like the way the traces are de-muxed. That is they don't directly translate into a format that I can input into a grammatical inference system. Also, I need to check on the parameters used to decide flow membership. It would probably help me out if I tweaked the demux plugin so it was parameterized.

Sadly the AppDemux plugin isn't working for me and that is the feature I really need at the moment. So my quest for a way to demux application level protocols continues. Going to re-evaluate tcpflow.

Does anyone have other flow reconstruction tools they can recommend?

No comments: