Shane Alcock's Blog

31 Jan 2012

Last Friday, I presented a talk at NZNOG 2012 about libprotoident and presented some results showing the impact of the Copyright Amendment Act on New Zealand residential DSL usage.

The slide set from this talk has been attached to this blog post for anyone who missed the talk or wishes to look over the results in more detail.

Feel free to get in touch with me if you have any questions or comments about libprotoident or the results presented in the talk.

31 Jan 2012

Made a few tweaks and changes to my NZNOG slides based on feedback from last week's practice run. Also spent some time working with some of the latest ISP capture and adding new rules to libprotoident based on that.

Spent Wed-Fri at NZNOG. The main program was very high quality this year and it proved to be a rather educational experience. In particular, my interest was piqued by OpenFlow and how it could be used in combination with libprotoident to implement interesting routing policies. My own talk went reasonably well and seemed to catch people's attention. We'll wait and see whether that translates into anything more tangible over the next wee while.

23 Jan 2012

Finished the draft version of my NZNOG talk, which I presented on Friday. Much of the week was spent getting many of the numbers for the talk, mainly memory and CPU usage for the Statistical approach.

Had a look at our latest ISP capture with libprotoident and managed to add support for a few new protocols (Wuala, Zabbix, the ZeroAccess trojan, TCP Gamespy, Akamai and DVRNS).

Submitted the extended version of the NAT sessions paper.

16 Jan 2012

Finally found and fixed the bug that was causing the occasional trace file to be truncated when written to disk. Having done that, I released libtrace 3.0.13 on Monday.

Worked with Nevil to get a test capture up and running on his capture box in Auckland. After a couple of false starts, we managed to successfully capture a day's worth of trace without issues.

Set up a Fedora machine for testing libtrace prior to subsequent releases, as it has become apparent that testing on just Debian and Ubuntu is insufficient. Will hopefully replace with a virtual machine once the new emulation network is up and running.

Started working on a possible presentation for NZNOG, mostly about libprotoident again.

Spent a little bit of time reading over my extended NAT sessions paper, making a few edits here and there.

09 Jan 2012

Libtrace 3.0.13 has been released!

This release adds support for OSPFv2, extending the libtrace API to allow easy access to OSPF headers, LSAs and Router Links and updating libpacketdump to decode OSPFv2 packets. This version also fixes some major bugs, including one where traces written using zlib were occasionally slightly truncated. A bug where trace_get_payload_from_ip was incorrectly calculating the number of bytes remaining has also been fixed.

There are also several other performance enhancements and minor bug fixes.

The full list of changes in this release can be found in the libtrace ChangeLog.

You can download the new version of libtrace from the libtrace website.

09 Jan 2012

Began preparing for a new round of captures at both Auckland and our ISP. Added a feature to wdcap at Nevil's request where the amount of payload to capture can be specified in the config file (rather than being fixed at four bytes). In the process, found and fixed a libtrace bug which was causing wdcap to capture four more bytes of payload than were requested.

Pushed towards a new libtrace release. First finished adding support for OSPFv2, based on Simon's code. This was a bit harder than expected, as OSPF is a rather complicated protocol and I wanted to try and get the API right first time around. There were a few little traps in the spec that Simon's original code didn't deal with very well, so I had to work around those as well. It's not a perfect implementation but seems to deal with the sample OSPF packets I have pretty well.

Started the 2012 ISP capture on Friday, seems to be going well so far.

Met with Steffen Wendzel on Friday and talked about our various projects. He was pretty impressed with libtrace and BSOD, while I expect his experience in cyber security and covert channels could be useful for us one day.

14 Dec 2011

Libprotoident 2.0.4 has been released today.

This release adds support for 9 new protocols (including QQLive, Paltalk and DriveShare). It also improves the rules for many existing protocols and adds a couple of new features to the lpi_live tool.

The full list of changes can be found in the libprotoident ChangeLog.

Download libprotoident 2.0.4 here!

12 Dec 2011

Rather disrupted week this week, only in for three days total.

Draft version of the new sessions paper is nearly finished. Thankfully, running the old analysis against new traces has produced similar results so I can "borrow" most of the text from an old rejected paper on outbound session analysis.

Checked the results of my sleeper analysis using the longer idle time threshold. Again, not much change to the overall results but I can feel more comfortable with the distribution of idle period lengths now. Have processed the 2009 and 2011 datasets using the new threshold.

Created some anonymised versions of the ISP 2009 traces for Asad. In the process I found a weird libtrace threaded I/O bug where the last block of compressed data won't be written out before the file is closed under very specific circumstances. This one is going to be a pain to track down...

06 Dec 2011

Received a new version of NAVL from Vineyard, but unfortunately there is still a problem with double entries in the internal flow cache. I've created a NAVL-only version of the program I've been using and sent that off to them along with a small sample trace that should replicate the problem.

Got some good news in that our ATNAC paper has been recommended for publication in Telecommunication Systems. However, we need at least 40% new content on top of what we've already got and it needs to be ready by Jan 22. Richard suggested we chuck in the work I did measuring outbound TCP and UDP sessions for the SPNAT study, so I started running the analysis against some more recent traces and changing the introductory material to talk about outbound sessions as well as inbound.

Got my degradation graphs looking the way I wanted them to, but a bit of extra analysis revealed that I may have set my sleeper threshold too low. Most of the "sleeping" periods were only just longer than the original threshold of 5 minutes. I've repeated some of the earlier analysis with a threshold of 30 minutes to see how much of a difference that makes.

28 Nov 2011

Continued looking into properties of sleeper traffic, primarily the rate at which sleeper traffic quantities degrade as the host continues to be idle. This has proved a bit tricky to visualise well, but finally managed to come up with what I think should be a useful graphing approach. This did require a lot of battling with R, though.

The fixed version of NAVL was not available last week, but I was able to continue looking at cases where PACE was able to identify traffic that libprotoident could not. Brad set me up with a Windows VM so that I could download various apps and capture traffic while using them, which lets me confirm PACE's classifications and add or update libprotoident's rules so that we can match the traffic as well. This meant I got to have a bit of fun playing Second Life and hanging out in chatrooms...

Started moving towards a new release of libprotoident, seeing as I've now added or updated the rules for quite a few protocols.