Networks and Network Security (CS 560)

Project #1 (100 points)

Part 1: A packet printing program (90 points)

The program tcpdump captures the packets traveling on a network and writes them to a binary file. Use the command "man tcpdump" on stu.cs.jmu.edu to learn more about this utility program. A sample 2661 packet dump file collected with tcpdump is in my home directory on stu. Use the command "ls ~tjadenbc/dump" on stu to list it. Normally, only the superuser can run tcpdump because there is lots of sensitive information in these packets to which normal users should not have access. Therefore, if you want to collect your own dump files (which I strongly encourage you to do) you will have to install tcpdump on your own machine (it is available for many platforms - see http://www.tcpdump.org).

Please write a packet printing program, pdump, that scans a dump file produced by tcpdump and prints out information about the packets it contains. Your program should be written in "C++" under UNIX and must run on stu. In order to print out the packets you will have to know the frame format (see Figure 2.2 on page 22 of Comer) and, to a lesser degree, the IP datagram format (see Figure 6.3 on page 75). The format of the packet trace files (produced by tcpdump) that your program should understand is as follows:

The Header - A trace file begins with a 24-byte header which your program should read. The only important part of the header is the "magic number" which you should verify. The format for the header and the "magic number" can be found in the dump_file_header struct in pdump.h
Packets - Each saved packet consists of a header added by tcpdump followed by the raw bytes of an Ethernet packet. The header contains the length of the original packet, the number of bytes actually saved (which may be less) and a timestamp from when the packet was collected. The format of a packet header is represented in the dump_header struct in pdump.h Note that there are two length fields in the header - len which gives the number of bytes in the original packet, and caplen which gives the number of bytes actually captured by tcpdump and stored in the dump file. After each packet header are caplen bytes of packet data.
End of file marker - Tcpdump does not write anything at the end of a dump file to signal the end of the captured packets (though a dump file will end with the normal UNIX end-of-file marker). Therefore, when the file ends or there isn't enough data in the file to make up another packet header, you've read the last packet and your program should exit.

Your packet printing program, pdump, should read a packet dump file produced by tcpdump and print out the following information for each packet:

Packet length (both of the original packet and the captured portion)
Date and time collected (including the microsecond counter)
Ethernet header
- Ethernet source and destination address in both "hex-colon" format and by name (if known). Physical address to name bindings for many hosts can be found in the file eaddr.
- Ethernet type (both as a number and as text if your program knows the name for the type). See the last few # defines in pdump.h for the name to number mappings for ethernet types.
ARP/RARP header (if it's an ARP/RARP packet)
- Hardware type
- Operation (request or response)
- Sender and target ethernet addresses
- Sender and target IP addresses
IP header (if it's an IP packet)
- Version number
- Header length (in bytes)
- Time to live
- Source and destination IP addresses (in dotted decimal notation)
- Protocol type (in decimal)

Here is some sample output from my pdump program. Your program doesn't have to produce output exactly like this, but it can be used as a guide.

The packet printing program that you submit should be well designed and elegantly written. At the very minimum it should be modular with meaningful comments and separate procedures to read the dump file header, read the packets, print different headers, etc. It should also have globally-defined structures and constants for things like the ethernet header, the "magic number", etc. You may use the structures and constants defined in pdump.h if you'd like. Your program should also do a small amount of error checking by not processing a file that doesn't have the "magic number", for instance, and reporting/handling packets that are corrupt or of unknown type.

Part 2: Create a Makefile and README for your program (10 points)

Create a Makefile for your program that checks dependencies and builds the executable. Also, create a text file named README that describes what your program does, how to compile and run it, what options it supports, and any known bugs that it contains.

What is due:

An electronic copy of your program
- Create a directory named proj1 and put all of your program's source files in it along with the README and the makefile.
- Cd to the directory above proj1 and create a tarfile of the directory with the command "tar -cvf youruserid.proj1.tar proj1" where youruserid is your username on stu. For example, if I were submitting a program it would be named "tjadenbc.proj1.tar". (See "man tar" for help with the tar command).
- Uuencode your tarfile with the command "uuencode youruserid.proj1.tar proj1.tar > youruserid.proj1.tar.uu" (See "man uuencode" for help with the uuencode command).
- Check the file youruserid.proj1.tar.uu to see that you can uudecode and untar it to get back your original files.
- Submit the file youruserid.proj1.tar.uu by midnight on Sunday, September 20th.
Here is a copy of the grading sheet I will use to grade your project.

Good luck!