Lab 10: Building a Packet Analyzer for IP Traffic



The material for this lab was created by Professor L. Felipe Perrone based on previous work by Professor Xiannong Meng (Bucknell University) and Professor Ralph Droms (now Cisco). Permission to reuse this material in parts or in its entirety is granted provided that the credits note is not removed. Additional students files associated with this lab, as well as any existing solutions, can be provided upon request by e-mail to perrone[at]bucknell[dot]edu.


You successfully parsed out the Ethernet frames within a trace data file in your last lab. Review the Processing Captured Network Traffic lab if necessary. An Ethernet frame looks as follows.

Ethernet frame format
Figure: Ethernet Frame Format

If the Type field has the value of 0x0800, then the payload of the Ethernet frame contains an IP packet, whose header looks as follows.

IP Packet Header
Figure: IP Packet Format

In your last lab, you printed the source and destination IP addresses. In this lab, you will extract further information from an IP packet. Specifically, you are to extract various pieces of information from TCP and UDP packets.

Within an IP packet, the protocol field specifies the type of the current IP packet. If the value is 6, the transport layer protocol is TCP; if the value is 17, the transport layer protocol is UDP. There are other types of transport protocols, we are primarily interested in TCP and UDP in this lab. Given this layered structure, you are asked to extract transport layer information from the trace data once an IP packet is encountered. The general strategy is to read the trace data as you did in your last lab; analyze each Ethernet frame; extract IP and transport layer protocol information; if the transport layer is either UDP or TCP, further dissect the packet to print the detailed information about these two protocols in the packet. The packet formats for UDP and TCP are listed as follows.

TCP Packet Header
Figure: TCP Packet Format

UDP Packet Header
Figure: UDP Packet Format

While the above figures should help you understand the structure of the packets, the actual header files and the names of the fields are needed for programming. These files can be found on the Linux system at the following locations.


Your work

You are given a program skeleton that outline the tasks for you. Part of the program has been completed. Your task is to finish the remaining part of the program so that the program is able to parse out the TCP and UDP packets in the trace file.

First copy all the files from the course directory to your local Git repository.

cp -r ~cs363/Spring16/student/labs/lab10 .

You should receive a set of files. The use of these files will become clear as you go through the lab. One file we might not use directly is the file named manu, which is the mapping between the Ethernet MAC addresses and the name of the manufacturers that make these Ethernet cards. This file gives you some sense who are making these cards.

Glance over the files etherTrace.c, etherTrace.h, and prot_strings.c to see what these programs do. You should concentrate on etherTrace.c once you have a basic understanding of what etherTrace.c and prot_strings.c do. Make sure you know what each function does in etherTrace.c. The files trace-dec21-2005.out and trace-nov29-2015.out are the two sample output files of a completed program. Your result should be similar to that file, though you may change the presentation format if you want to. your tasks include the following.

When all completed, run make clean to remove unnecessary files. Then submit and commit the entire lab10 directory to your Gitlab repository by the deadline.

Congratulations, you have just finished lab 10!