Shane Alcock's Blog

12 Mar 2012

Released libtrace 3.0.14 - mostly just a bug fix release. I also separated the I/O stuff into a separate library so that it can be used outside of libtrace.

Took a quick look at maji again to see if we can use it as part of the MSI project. Fixed up some bugs that became apparent when exporting lots of flow records. Also decided that maji would work a lot better if it underwent a major design change, but resisted the temptation to do so for now.

Secured the RT exporter connected to the live capture point so that only WAND machines can connect to it - someone from a lightwire address had connected to it and sent something invalid which broke the whole wdcap process. The RT exporter also now handles invalid client responses better :)

Started looking at Andreas' time series anomaly detection code. The existing system only really works with offline data, so the first goal is to get it running against a "live" input source.

07 Mar 2012

Libtrace 3.0.14 has been released.

This release fixes a few bugs in the previous release and adds a few minor improvements. Most notably, libtrace no longer fails an assertion when reading corrupt pcap trace files.

The full list of changes in this release can be found in the libtrace ChangeLog.

You can download the new version of libtrace from the libtrace website.

05 Mar 2012

Released a new version of BSOD client on Tuesday.

Did some planning with Brendon, thinking about how we're going to bring all the components of the MSI project together into something usable.

Played around with a live libprotoident application, getting it to write results into a postgresql database and an RRD. Postgresql required a fair bit of revision of SQL and database theory. The RRD was much easier to get up and running.

Continued improvements to libprotoident - trying to get that accuracy rate up even further!

28 Feb 2012

A new version of the BSOD client (2.0.2) was released today. This release fixes the bug where particles would continue traveling past the planes instead of stopping. We've also restored movement through the 3D space using WASD which used to be present in the older clients. Now you can easily zoom in on the interesting endpoints on each plane and click on them easily to identify them!

We've built updated binaries for Mac OS X and Windows too. The Windows binary now comes with a proper installer. Both the Mac and Windows binaries are 32-bit, due to the limitations of some libraries we depend upon, but have been tested successfully on 64-bit machines.

A new version of the server was also recently released that fixes a build error on some systems and fixes a bug where input looping was not working correctly.

The new versions of BSOD server and client can be downloaded from here. Any problems or questions should be addressed to contact [at] wand [dot] net [dot] nz

27 Feb 2012

Re-ran my CAA analysis using the updated libprotoident and updated the results in my paper accordingly.

Made a few tweaks to libtcpcsm, based on suggestions from a user. Looking towards rolling out a new release soon.

Set up a build environment for BSOD client on BIGMAC. This took a bit longer than expected due to the move to Xcode 4. Managed to find and fix a bug in libwandevent that was preventing looping input from working properly. Also got the client building and running on tkn as well after a painful Windows 7 + Visual Studio install.

Finished the week by adding WASD movement back into BSOD client and an option to the server that forces it to wait for a client to connect before reading from the input source.

20 Feb 2012

Spent most of my week working on the draft version of the paper on the effect of the CAA on DSL users. Finished the draft on Friday, having included plenty of (hopefully) interesting results. Anyone interested in reading over the paper should get in touch with me and I'll give you a copy.

Patched libtrace to support --with-foo configure options for all the optional dependencies. Apparently this is a bit of an issue with some Linux distros, e.g. Gentoo.

Released a new version of BSOD server on Friday to fix a crash issue that was occurring with recent libprotoident releases.

Spent some time looking at traffic that was being classed as SSL by libprotoident. Turns out that, with a bit of port and payload size analysis, I can sub-classify the SSL as Google talk, Apple push notifications, Facebook chat, PSN store, POP3S and NNTPS.

13 Feb 2012

Started working on a paper describing the results of the study I presented at NZNOG. Managed to write half of a "short" paper so far, so making reasonably good progress.

Made the necessary changes to the libtrace CCR paper and submitted a final version. One of the reviewers wanted to see more stats from the performance testing but I didn't have space to put it in. I suggested that if the editor was able to grant me more space I would include the stats.

Seemed to have a busy week supporting various software: libtrace, libprotoident etc. Glad to see plenty of people using these libraries :)

07 Feb 2012

Worked on collecting some more numbers measuring the impact of the CAA, with an eye towards writing a paper on the topic. The number of users doing P2P has also dropped dramatically, with rises in the expected categories too (such as tunneling).

Looking at the results more closely, I decided that the HTTP_P2P classification was proving to be incorrect more often than not, so traffic matching that is now treated as web rather than P2P. This change should have only a minor effect on the numbers I had presented at NZNOG.

The libtrace paper was accepted for publication in CCR. This was my fifth attempt to publish that particular paper, so pretty pleased to finally get that one done.

02 Feb 2012

Donald Clark discussed the Copyright Amendment Act study that I presented at NZNOG 2012 on Radio New Zealand: National's Nine to Noon program this morning. He did an excellent job of summarising our results and the conclusions that can be drawn from them.

Anyone who would like to listen to Donald's segment can find it here. The discussion of our work begins around 9:30 but I would recommend listening to the whole segment if you have the time.

31 Jan 2012

At NZNOG 2012, I presented some slides showing a decrease of P2P traffic following the Copyright Amendment Act coming into effect in New Zealand in September 2011. By contrast, the same analysis showed a significant increase in Tunneling, FTP and Remote Access traffic. These results generated a lot of interest, so I am using this blog post to discuss our methodology and results in more detail.