NSSA-220
Mini Project 2
Packet Capture Analysis Tool
Mini Project 2 Preliminaries
- Done in teams of 3 students
- Declare your team on myCourses in the Mini Project 2 Teams discussion area
- You are required to submit peer reviews as part of this project to encourage reasonable contributions from each team member
- Fair warning: do NOT wait to start this project. It will not go well if you do!
- This project and peer review forms are due on Sunday 12/9 at 11:59PM
Packet Capture Analysis (PCA)
- Network engineers and security analysts are often interested in analyzing network packet captures to understand network activity
- Network activity analysis may result in outcomes such as introducing additional network components for load balancing, new routes/paths through the network, or spinning up further analysis for confirming networking breaches
PCA continued
- Typically, individuals and organizations will collect packet captures, but do nothing substantial with them
- The purpose of this project is to create a Packet Capture Analysis (PCA) tool that computes metrics from these packet captures that could be used in decision making
Network Topology Diagram
Packets were captured at each of the 5 nodes in the topology. ICMP requests were manually sent between nodes using a simple schedule.
Internet Control Message Protocol (ICMP)
- ICMP is used by the Internet Protocol to send error messages and operational/diagnostic information to devices in a network
- We’ll focus on the messages generated by the ping program
- Echo Request (ICMP Type 8 message)
- Echo Reply (ICMP Type 0 message)
- Used in tandem to verify connectivity between network devices
Echo Request Example
The Ethernet II frame contains the Destination and Source MAC, followed by the Type field, which indicates the upper layer protocol contained in the frame (IP in this case, indicated by 0x0800). Wireshark removes the Frame Check Sequence (FCS) from the frame. Notice that clicking on Ethernet II will highlight the related hex representation of its header at the bottom of the window.
ICMP operates on top of the Internet Protocol (at Layer 3) and is therefore contained within an Ethernet II frame/IP packet
Echo Request Example (cont.)
The IP packet contains all the standard IPv4 header fields. Most notably, the Protocol field (1 for ICMP) that indicates the upper layer protocol used, and the Source and Destination IP addresses. Again, the hex for the IPv4 header is highlighted below.
Echo Request Example (cont.)
The ICMP header shows that this packet is an Echo Request (Type 8) and its sequence number (14). In addition, the ICMP request contains 32 bytes of Data. Notice that the length of the entire FRAME is 74 bytes, but the data portion is only 32 bytes.
The Echo Request was sent at Time 0.000000. This time indicates the time since the packet capture session was started on the node.
Echo Reply Example
The ICMP header in Packet 2 shows that this packet is an Echo Reply (Type 0) and its sequence number (14). The only way that a node knows that it received a reply to a given Echo Request is by receiving this same sequence number in an Echo Reply from its originally intended destination IP address! The time difference between Packet 1 and 2 is 3.678 ms, which is the round trip time (RTT) for the “ping”.
The combination of Source/Destination IP and sequence number allows you to associate an Echo Request/Reply pair.
PCA Tool
- The packet capture analysis tool will consist of three main phases
- Packet Filtering: keep only the packets we want to analyze
- Packet Parsing: read relevant packet fields into memory for processing
- Compute Metrics: using packet fields to compute metrics
- Your task is to filter select ICMP packets out of packet captures containing ~8000 packets collected across 5 nodes and compute 13 metrics from them
PCA Phase 1 – Packet Filtering
- You’ll be given one PCAP file per node (see Node*.pcap) and a raw text file derived from the PCAP (see Node*.txt)
- Capture files contain anywhere from 1300-1800 packets
- The packet filtering phase will filter the raw text file so that only ICMP Echo Request and ICMP Echo Reply packets remain and are placed in a new filtered output file (Node*_filtered.txt)
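As an added example of the filtering phase (this is not code from the course or its provided .py files), the block below keeps only Echo Request and Echo Reply lines and also shows the summary-line parsing variant of Phase 2. It assumes the raw Node*.txt files are one Wireshark-style summary line per packet with the columns "No. Time Source Destination Protocol Length Info"; the sample lines are constructed, and you should check the column layout against the files you were actually given. Note that the filter must drop ICMP messages that are not echoes (the constructed Destination Unreachable line), not just non-ICMP packets.

```python
import re
from typing import List, Optional

# Constructed sample summary lines (NOT taken from the course's Node*.txt files).
# Assumed columns: No. Time Source Destination Protocol Length Info
SAMPLE_LINES = [
    "1 0.000000 192.168.1.10 192.168.2.20 ICMP 74 Echo (ping) request  id=0x0001, seq=14/3584, ttl=64",
    "2 0.003678 192.168.2.20 192.168.1.10 ICMP 74 Echo (ping) reply    id=0x0001, seq=14/3584, ttl=62",
    "3 0.120000 192.168.1.10 192.168.1.1  ARP  42 Who has 192.168.1.1? Tell 192.168.1.10",
    "4 0.500000 192.168.2.1  192.168.1.10 ICMP 70 Destination unreachable (Port unreachable)",
    "5 0.700000 192.168.1.10 192.168.2.20 TCP  66 50000 > 80 [SYN] Seq=0 Win=64240 Len=0",
]

SEQ_RE = re.compile(r"seq=(\d+)/")   # Wireshark prints seq as big-endian/little-endian
TTL_RE = re.compile(r"ttl=(\d+)")


def is_echo_packet(line: str) -> bool:
    """True only for ICMP Echo Request / Echo Reply summary lines.
    Other ICMP types (Destination Unreachable, Time Exceeded, ...) are dropped too."""
    fields = line.split(None, 6)          # at most 7 columns; Info keeps its spaces
    if len(fields) < 7:
        return False
    protocol, info = fields[4], fields[6]
    return protocol == "ICMP" and (
        info.startswith("Echo (ping) request") or info.startswith("Echo (ping) reply")
    )


def filter_lines(lines: List[str]) -> List[str]:
    """Phase 1: keep only the lines that describe an Echo Request or Echo Reply."""
    return [ln for ln in lines if is_echo_packet(ln)]


def parse_summary_line(line: str) -> Optional[dict]:
    """Phase 2 (summary-line variant): extract the fields the metrics need.
    Returns None for lines that did not survive the filter."""
    if not is_echo_packet(line):
        return None
    no, time, src, dst, _protocol, length, info = line.split(None, 6)
    seq = SEQ_RE.search(info)
    ttl = TTL_RE.search(info)
    return {
        "no": int(no),
        "time": float(time),          # seconds since this node's capture started
        "src": src,
        "dst": dst,
        "kind": "request" if info.startswith("Echo (ping) request") else "reply",
        "seq": int(seq.group(1)) if seq else None,
        "ttl": int(ttl.group(1)) if ttl else None,
        "frame_len": int(length),     # Wireshark's Length column = whole frame, FCS stripped
    }


def filter_file(in_path: str, out_path: str) -> int:
    """Write Node*_filtered.txt from Node*.txt; returns the number of packets kept."""
    with open(in_path) as src:
        kept = filter_lines(src.read().splitlines())
    with open(out_path, "w") as dst:
        dst.write("\n".join(kept) + ("\n" if kept else ""))
    return len(kept)


if __name__ == "__main__":
    for record in map(parse_summary_line, filter_lines(SAMPLE_LINES)):
        print(record)
```

Running the block prints the two echo records; `filter_file("Node1.txt", "Node1_filtered.txt")` is the file-to-file form of the same filter.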
PCA Phase 2 – Packet Parsing
- Before you can compute metrics, you must parse the filtered raw text files and read packet fields into your tool
- You may choose to parse the summary line text or the hex (bonus points will be awarded for parsing the hex)
- The fields you need will be determined by the metrics you need to compute
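For the hex variant of Phase 2, here is an added example (not from the course or its provided files) that walks the same three headers the Echo Request Example slides describe: Ethernet II (destination MAC, source MAC, Type 0x0800), the IPv4 header (Protocol 1, source and destination IP) and the ICMP header (Type, sequence number, data). It takes the frame as a hex string with optional whitespace; if you export Wireshark's hex dump, the offset and ASCII columns must be stripped first (that step is not shown). The 74-byte frame built by `build_echo_request_hex` is constructed for the example, with the MAC and IP addresses chosen arbitrarily; it is not one of the course's packets. Both header checksums are verified, which is a cheap way to catch a parser that has its offsets wrong.

```python
import struct
from dataclasses import dataclass
from typing import Optional


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Over a header whose
    checksum field is already filled in, the result is 0 if the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class EchoPacket:
    frame_len: int        # whole frame in bytes (FCS already stripped by Wireshark)
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int              # IPv4 Time To Live, parsed because it is an IP header field
    icmp_type: int        # 8 = Echo Request, 0 = Echo Reply
    seq: int
    data_len: int         # ICMP payload bytes (32 for a default Windows ping)
    ip_checksum_ok: bool
    icmp_checksum_ok: bool


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_echo_frame(hexdump: str) -> Optional[EchoPacket]:
    """Parse one Ethernet II / IPv4 / ICMP frame given as hex.
    Returns None for anything that is not an Echo Request or Echo Reply."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 14 + 20 + 8:
        return None
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:                       # Type field: only IPv4 carries ICMP here
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, protocol = ip[8], ip[9]
    if protocol != 1 or total_len < ihl + 8 or len(ip) < total_len:
        return None                               # not ICMP, or a truncated packet
    # Slice by the IP total length so Ethernet padding on short frames is never
    # counted as ICMP data.
    icmp = ip[ihl:total_len]
    icmp_type = icmp[0]
    if icmp_type not in (0, 8):                   # e.g. Destination Unreachable
        return None
    _ident, seq = struct.unpack("!HH", icmp[4:8])
    return EchoPacket(
        frame_len=len(raw),
        src_mac=_mac(raw[6:12]), dst_mac=_mac(raw[0:6]),
        src_ip=".".join(str(x) for x in ip[12:16]),
        dst_ip=".".join(str(x) for x in ip[16:20]),
        ttl=ttl, icmp_type=icmp_type, seq=seq,
        data_len=len(icmp) - 8,
        ip_checksum_ok=inet_checksum(ip[:ihl]) == 0,
        icmp_checksum_ok=inet_checksum(icmp) == 0,
    )


def build_echo_request_hex() -> str:
    """Constructed 74-byte Echo Request (seq 14, 32 data bytes); not a course packet."""
    data = b"abcdefghijklmnopqrstuvwabcdefghi"           # classic 32-byte ping payload
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 14) + data   # type 8, code 0, cksum 0, id 1, seq 14
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 2, 20]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return (eth + ip + icmp).hex()


if __name__ == "__main__":
    print(parse_echo_frame(build_echo_request_hex()))
```

The parsed result reproduces the numbers on the example slides: a 74-byte frame whose ICMP data portion is only 32 bytes, Type 8, sequence 14.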
PCA Phase 3 – Compute Metrics
- All 13 metrics you collect will be on a “per end node” basis. The end nodes in the topology are Nodes 1, 2, 3, 4. Node 5’s capture may be needed to calculate some of these
- You will be calculating three categories of metrics
- Data size metrics (8 metrics)
- Time based metrics (4 metrics)
- Distance metric (1 metric)
Data Size Metrics
- These metrics indicate how many packets a node sends/receives and the related amount of data/bytes sent/received
- Number of Echo Requests sent
- Number of Echo Requests received
- Number of Echo Replies sent
- Number of Echo Replies received
Data Size Metrics (cont.)
- Total Echo Request bytes sent
- In bytes, based on the size of the “frame”
- Total Echo Request bytes received
- In bytes, based on the size of the “frame”
- Total Echo Request data sent
- In bytes, based on amount of data in the ICMP payload
- Total Echo Request data received
- In bytes, based on amount of data in the ICMP payload
Time Based Metrics
- These metrics indicate how “quickly” data is getting through the network in terms of time and rate
- Average Ping Round Trip Time (RTT)
- Ping RTT is defined as the time between sending an Echo Request packet and receiving a corresponding Echo Reply packet from the destination
- Measured in milliseconds
Time Based Metrics (cont.)
- Echo Request Throughput (in kB/sec)
- Defined as the sum of the frame sizes of all Echo Request packets sent by the node divided by the sum of all Ping RTTs
- Echo Request Goodput (in kB/sec)
- Defined as the sum of the ICMP payloads of all Echo Request packets sent by the node divided by the sum of all Ping RTTs
Time Based Metrics (cont.)
- Average Reply Delay (in microseconds)
- Defined as the time between the destination node receiving an Echo Request packet and sending an Echo Reply packet back to the source
Distance Metric
- Average number of hops per Echo Request
- The hop count of an Echo Request is defined as the number of networks that an Echo Request packet must traverse in order to reach its destination
- Hop count will be 1 if the destination is on a node’s network or 3 if it has to go through routers to reach its destination
- You cannot hard code this logic since it’s not accurate for any given network, just this topology. (Hint: think about Node 5 or a field in the IP header)
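The following is an added example of Phase 3 (not the course's code) that computes the eight data size metrics and the four time based metrics for each end node from that node's own capture, following the definitions on the preceding slides. It assumes parsed records with the fields named in the `Packet` class, that times are seconds since each node's own capture started (so a request and its reply are only compared within one capture), and that 1 kB = 1000 bytes; the reply delay is taken from the responding node's capture, for the requests that node answered. The captures are constructed and small enough to check by hand; the request with seq 3 at node 1 deliberately never gets a reply, so that the pairing code shows how an unanswered request is handled. The distance metric and Node 5's capture are left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    time: float        # seconds since this node's own capture started
    src: str
    dst: str
    kind: str          # "request" (ICMP type 8) or "reply" (ICMP type 0)
    seq: int
    frame_len: int     # whole frame in bytes (FCS stripped, as Wireshark shows it)
    data_len: int      # ICMP payload bytes


# Constructed per-node captures keyed by the capturing node's IP. NOT the course's
# Node*.txt contents. The seq 3 request at node 1 deliberately has no reply.
CAPTURES: Dict[str, List[Packet]] = {
    "192.168.1.10": [
        Packet(0.000000, "192.168.1.10", "192.168.2.20", "request", 1, 74, 32),
        Packet(0.003678, "192.168.2.20", "192.168.1.10", "reply",   1, 74, 32),
        Packet(1.000000, "192.168.1.10", "192.168.2.20", "request", 2, 74, 32),
        Packet(1.004000, "192.168.2.20", "192.168.1.10", "reply",   2, 74, 32),
        Packet(2.000000, "192.168.2.20", "192.168.1.10", "request", 7, 74, 32),
        Packet(2.000050, "192.168.1.10", "192.168.2.20", "reply",   7, 74, 32),
        Packet(3.000000, "192.168.1.10", "192.168.2.20", "request", 3, 74, 32),
    ],
    "192.168.2.20": [
        Packet(0.500000, "192.168.1.10", "192.168.2.20", "request", 1, 74, 32),
        Packet(0.500040, "192.168.2.20", "192.168.1.10", "reply",   1, 74, 32),
        Packet(1.500000, "192.168.1.10", "192.168.2.20", "request", 2, 74, 32),
        Packet(1.500060, "192.168.2.20", "192.168.1.10", "reply",   2, 74, 32),
        Packet(2.300000, "192.168.2.20", "192.168.1.10", "request", 7, 74, 32),
        Packet(2.303500, "192.168.1.10", "192.168.2.20", "reply",   7, 74, 32),
    ],
}


def pair_requests_with_replies(packets: List[Packet]) -> List[Tuple[Packet, Packet]]:
    """Match each Echo Request with the Echo Reply that carries the same sequence
    number and the reversed source/destination pair (the rule from the Echo Reply
    slide). Unanswered requests stay in `pending` and produce no pair."""
    pending: Dict[Tuple[str, str, int], Packet] = {}
    pairs: List[Tuple[Packet, Packet]] = []
    for p in sorted(packets, key=lambda pkt: pkt.time):
        if p.kind == "request":
            pending[(p.src, p.dst, p.seq)] = p
        else:
            req = pending.pop((p.dst, p.src, p.seq), None)
            if req is not None:
                pairs.append((req, p))
    return pairs


def compute_metrics(node_ip: str, packets: List[Packet]) -> Dict[str, float]:
    """Data size and time based metrics for one end node from its own capture."""
    sent_req = [p for p in packets if p.kind == "request" and p.src == node_ip]
    recv_req = [p for p in packets if p.kind == "request" and p.dst == node_ip]
    sent_rep = [p for p in packets if p.kind == "reply" and p.src == node_ip]
    recv_rep = [p for p in packets if p.kind == "reply" and p.dst == node_ip]
    pairs = pair_requests_with_replies(packets)
    rtts = [rep.time - req.time for req, rep in pairs if req.src == node_ip]    # seconds
    delays = [rep.time - req.time for req, rep in pairs if req.dst == node_ip]  # seconds
    rtt_sum = sum(rtts)
    return {
        "echo_requests_sent": len(sent_req),
        "echo_requests_received": len(recv_req),
        "echo_replies_sent": len(sent_rep),
        "echo_replies_received": len(recv_rep),
        "request_bytes_sent": sum(p.frame_len for p in sent_req),
        "request_bytes_received": sum(p.frame_len for p in recv_req),
        "request_data_sent": sum(p.data_len for p in sent_req),
        "request_data_received": sum(p.data_len for p in recv_req),
        "avg_rtt_ms": 1000.0 * rtt_sum / len(rtts) if rtts else 0.0,
        # kB/sec with 1 kB = 1000 bytes (an assumption; confirm against the grading sheet)
        "request_throughput_kBps": sum(p.frame_len for p in sent_req) / 1000.0 / rtt_sum if rtt_sum else 0.0,
        "request_goodput_kBps": sum(p.data_len for p in sent_req) / 1000.0 / rtt_sum if rtt_sum else 0.0,
        "avg_reply_delay_us": 1e6 * sum(delays) / len(delays) if delays else 0.0,
    }


def metrics_for_all_end_nodes() -> Dict[str, Dict[str, float]]:
    return {ip: compute_metrics(ip, pkts) for ip, pkts in CAPTURES.items()}


if __name__ == "__main__":
    for ip, metrics in metrics_for_all_end_nodes().items():
        print(ip)
        for name, value in metrics.items():
            print(f"  {name:26s} {value:.3f}" if isinstance(value, float) else f"  {name:26s} {value}")
```

With the throughput definition taken literally, the unanswered seq 3 request still counts toward the bytes sent but contributes no RTT, which is why node 1's throughput (222 bytes over 7.678 ms) is higher than a per-pair figure would suggest; keep that in mind when you sanity-check your own output.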
General Code Structure
- All of your code should originate in a file called packet_analyzer.py
- Each project phase should be contained in its own .py file
- Packet Filtering in .py
- Packet Parsing in .py
- Compute Metrics in .py
- See the provided .py files for how to properly import the project phases code into the main code
PCA Tool Grading
- See Mini Project 2 Grading Sheet for details
- You can copy the table from the grading sheet to make your own table to keep track of requirements
- Grades may be adjusted based upon peer reviews
- Bonus points for heroic effort
- (Major) point loss for lack of effort
Project Submission
- Submit a single zip file to your group’s project submission dropbox
- The zip file will contain
- All .py files
- Five raw input files
- Five filtered packet capture files
- Output files containing the metrics computed for each end node (format will be provided)
Ask for help!
- Don’t suffer in silence. Ask me or your TA for help sooner rather than later!
- Attend my office hours or the TA’s
- Make an appointment outside of office hours
- Send an email
- If you’re not sure if you’ve met a specific requirement, please ask!