Disclaimer: this program is not for professional use. It has been written only for educational purpose, as an assignment project for the Network Management course at Unipi.
This is a sniffer example using libpcap to analyze the communication frequency of TCP streams.
libpcap is a portable C/C++ library for network traffic capture. (GitHub repository)
What does the jitter measure? The jitter is defined as the variation in the delay (or latency) of received packets.
This program aims to observe the jitter of TCP communications happening from/to the host machine and to detect suspicious jitter variations. In this text we will try to cover and explain the essential components of this program and how it works in the following order:
The main purpose of this program is to allow the user to monitor their network traffic.
An alarm is sent to the user when a detected connection happens to have an unusual jitter behaviour.
Since an alarm does not necessarily mean malicious activity, this software should be seen as a tool for a first look at what is going on in the network.
It also offers the option to save, as a graph, the image of a communication's jitter trend. Those images are stored in the graphs directory.
This is a quite small project, but it's never a bad idea to give a general overview for a better file exploration.
- 📁 headers
  - 📃 jitter_data.h
  - 📃 time_tools.h
  - 📃 menu.h
  - 📃 gnuplot_i.h
- 📁 src
  - 📃 jitter3.c: main packet capture loop
  - 📃 jitter_data.c: data structure to store sniffed packets
  - 📃 time_tools.c: implements time related methods (e.g. get elapsed time)
  - 📃 menu.c: user menu navigation & print methods
  - 📃 gnuplot_i.c: used to represent data in graphs
- 📁 graphs
  - 🖼 img.png: saved communications graph
- 🛠️ Makefile: project builder
- ⚙️ jitter: executable file
- 💻 test.sh: script file
In order to compile this project, you need to have libpcap (v 1.9.1-3 or newer), gnuplot (v 5.2 or newer) and libnotify (v 0.7.9-1ubuntu2) installed.
One easy way to get them, on Ubuntu, is to use the following commands:

```sh
sudo apt-get install libpcap-dev
sudo apt-get install gnuplot
sudo apt-get install libnotify-dev
```
For testing only, nmap and xterm are also needed. To get them:

```sh
sudo apt install nmap
sudo apt-get install -y xterm
```
To check your current versions:

```sh
apt-cache show libpcap-dev
gnuplot -V
apt-cache show libnotify-dev
```
That's it! Now you can use the Makefile to get everything done: just run make in the project folder and you are ready to go.
This program, once started, can capture packets endlessly or stop once a given number of packets has been reached. Both modes, and the network device to use, are selected with extra parameters at launch. All available parameters are listed below:
NAME | TYPE | OPTIONAL |
---|---|---|
packet_number | Non negative integer | yes |
device_name | String | yes |
The network device to use can be chosen by adding its name as an additional parameter, writing "-i device_name".
If no "-i device_name" is provided, the first network device listed by libpcap's pcap_findalldevs() function will be used.
If you need help, you can run it with "-h" to read a short description of how to launch it and what to expect from it.
Examples:

- `sudo ./jitter 50` will stop after capturing the next 50 packets.
- `sudo ./jitter` will start sniffing until interrupted.
- `sudo ./jitter -i wlp2s0` will start sniffing from the wlp2s0 interface until interrupted.
- `sudo ./jitter 50 -i wlp2s0` will stop after capturing the next 50 packets from the wlp2s0 interface.
- `sudo ./jitter -h` will show a help description.
In the first four cases the sniffing can be correctly stopped by sending a SIGINT (Ctrl + C) to this process.
This program must be run with sudo.
Once the sniffing has stopped, a very simple menu shows up to browse the collected data.
This program aims to detect and notify a suspicious jitter variation happening in a TCP communication captured while the program is sniffing.
Each pair <IP_source, IP_destination> is treated as a different communication, and it is represented as IP:IP_source->IP_destination.
The program notes every time a pair of hosts exchanges a stream of TCP packets by looking at the ones having SYN = 1
(the SYN flag synchronizes sequence numbers to initiate a TCP connection).
Every time one of those packets gets captured, the following information about it is stored:
- Arrival time
- Delay from the previous packet
- Source port
- Destination port
- Jitter of its communication
- Order of arrival
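As an added example that is not part of the project's code, this is how a capture callback could recognise the SYN packets the program keys on and derive the IP_source->IP_destination name and the ports from a raw frame. The sample frame is constructed, and the headers are parsed by hand from the same bytes libpcap would hand to a callback, so it compiles without libpcap:

```c
/* Added example, not the project's code: pick out TCP SYN segments from a raw
 * Ethernet frame and build the "IP:src->dst" communication key the README
 * describes. Headers are parsed by hand so it runs without libpcap; a libpcap
 * callback receives the same bytes in its 'packet' argument. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14
#define TH_SYN   0x02

struct syn_info {
    char key[48];            /* "IP:src->dst" */
    uint16_t sport, dport;
};

/* Returns 1 and fills 'out' when the frame is an IPv4 TCP segment with SYN set,
 * 0 otherwise. Every field is length-checked before it is read. */
int extract_syn(const uint8_t *frame, size_t len, struct syn_info *out)
{
    if (len < ETH_HLEN + 20) return 0;
    if (frame[12] != 0x08 || frame[13] != 0x00) return 0;    /* not IPv4 */
    const uint8_t *ip = frame + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl + 20) return 0;
    if (ip[9] != 6) return 0;                                 /* not TCP */
    const uint8_t *tcp = ip + ihl;
    if (!(tcp[13] & TH_SYN)) return 0;                        /* no stream start */
    snprintf(out->key, sizeof out->key, "IP:%d.%d.%d.%d->%d.%d.%d.%d",
             ip[12], ip[13], ip[14], ip[15], ip[16], ip[17], ip[18], ip[19]);
    out->sport = (uint16_t)((tcp[0] << 8) | tcp[1]);
    out->dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    return 1;
}

/* Constructed sample frame: 192.168.1.10:43210 -> 93.184.216.34:443, SYN only. */
const uint8_t sample_syn[54] = {
    /* Ethernet: dst MAC, src MAC, type 0x0800 (IPv4) */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/ihl, tos, total len 40, id, flags/frag, ttl, proto 6, csum */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    192,168,1,10, 93,184,216,34,                              /* src, dst */
    /* TCP: sport 43210, dport 443, seq, ack, offset 5, flags SYN, win, csum, urg */
    0xa8,0xca, 0x01,0xbb, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0
};
```

A frame with only ACK set, or one truncated before the TCP header, is rejected by the same function, which is what keeps pure data segments from being counted as new streams.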
In order to calculate the jitter, since it represents the variance of the inter-packet delay, at least three TCP stream exchanges need to have happened in a communication.
A communication's jitter is calculated using the following formula:
Where:
x(i) = arrival time of the i-th packet.
n = total number of packets at that moment.
This program defines a behaviour as suspicious when a new jitter value deviates by more than 50% from the communication's average jitter.
A minimal example on a <IP_source, IP_destination> exchange of TCP packets:

Packet with SYN = 1 | Jitter (ms) | Average jitter (ms) | Is suspicious |
---|---|---|---|
5th | 105 | 60 | yes |
6th | 120 | 72 | yes |
7th | 115 | 79 | no |
8th | 99 | 82 | no |
In order to get a more accurate average jitter and to avoid false or premature alarms while a connection is just starting, the program only starts notifying jitter variations to the user from the 5th packet on.
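The 50% rule and the 5th-packet warm-up, as an added example that is not the project's own code. The jitter sample is taken as input rather than computed from arrival times; the values for packets 2 to 4 are constructed so that packets 5 to 8 reproduce the averages in the table above:

```c
/* Added example, not the project's code: the README's alarm rule kept as a
 * per-communication running average. A jitter sample is suspicious when it
 * differs from the communication's average jitter (average taken including
 * the new sample) by more than 50%, and no alarm is raised before the 5th
 * packet so a connection that is still starting up cannot trigger one. */
#include <stddef.h>

#define WARMUP_PACKETS 5      /* first packet allowed to raise an alarm */
#define THRESHOLD      0.50   /* 50% of the average jitter */

struct comm_stats {
    unsigned packets;         /* SYN packets seen on this src->dst pair */
    unsigned samples;         /* jitter values accumulated so far */
    double   sum;             /* their sum, in ms */
};

static double absd(double x) { return x < 0 ? -x : x; }

double comm_average(const struct comm_stats *c)
{
    return c->samples ? c->sum / c->samples : 0.0;
}

/* Record one packet; jitter < 0 means none could be computed yet (fewer than
 * three exchanges). Returns 1 when the new sample is suspicious. */
int comm_update(struct comm_stats *c, double jitter)
{
    c->packets++;
    if (jitter < 0) return 0;
    c->samples++;
    c->sum += jitter;
    double avg = comm_average(c);
    if (c->packets < WARMUP_PACKETS) return 0;
    return absd(jitter - avg) > THRESHOLD * avg;
}

/* Constructed replay of the README's table: packets 2-4 get jitters 40, 45
 * and 50 ms (sum 135) so that packets 5-8 reproduce the averages 60, 72, 79
 * and 82 ms shown there. Bit i of the result is set when packet i+1 is
 * flagged; expected 0x30, i.e. only the 5th and 6th packets. */
static const double replay[] = { -1, 40, 45, 50, 105, 120, 115, 99 };

unsigned replay_flags(void)
{
    struct comm_stats c = { 0, 0, 0.0 };
    unsigned flags = 0;
    for (size_t i = 0; i < sizeof replay / sizeof replay[0]; i++)
        if (comm_update(&c, replay[i])) flags |= 1u << i;
    return flags;
}
```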
The Makefile is provided with a test option, but in order to run it correctly you have to install two more things: nmap and xterm.
To install them, on Ubuntu, just type in your terminal:

```sh
sudo apt install nmap
sudo apt-get install -y xterm
```

Nmap is an open source tool used here to generate network packets.
xterm is a terminal emulator for Unix-like systems.
Type make test to start the test.
It consists of starting various TCP communications to generate some network traffic while this tool is running, so that the sniffing has something to capture.
This little project has been a fun experience made as a team by Alessandro Niccolini, Kostantino Prifti and Andrea Boccone. 🍻