[Coral-dev] Re: DAG & CoralReef

Jesper Peterson jesper at endace.com
Wed Jul 30 10:46:58 PDT 2003


Pere,

I've CC'd your question (and my response) to the CoralReef development list. 
My answer is below.

Pere Barlet wrote:
> 
> I have another question about CoralReef. When our network was ATM we used 2 
> capture cards. In this case, the output of crl_flow had 2 tables, one for 
> each interface. This feature was very useful in order to detect IP spoofing 
> attacks.
> 
> Now (using only one dag card with 2 ports) the output of crl_flow has only one 
> table, and incoming and outgoing traffic goes mixed in the same file. In 
> order to detect the traffic direction, we have to apply the longest prefix 
> match algorithm. This algorithm is expensive although we use an optimized 
> implementation using Patricia Tries. Furthermore, when input and output 
> addresses of a flow are unknown, we are not able to detect either the 
> traffic direction or the spoofed address. For our purposes, these 
> restrictions could be a serious problem.
> 
> Could it be possible to distinguish the traffic direction with crl_flow using 
> your patched version of libpcap? If it is not the case, have you planned to 
> do this improvement?

The short answer is that libpcap does not provide a way of passing this 
information to the application. We (Endace) could register a new link type 
(DLT_WHATEVER) with the libpcap project and include extra data in a pseudo 
header but CoralReef would then need to be modified to support this. A better 
approach is to modify CoralReef to have support for the native DAG API which 
would make the port number within the card available.

This work is on the horizon as Endace has recently reached an agreement with 
CAIDA through which we will be able to support their efforts to further 
develop and enhance the CoralReef software suite. Part of the agreement is that 
both parties make efforts to enable CoralReef native access to the DAG cards 
via the standardised Endace DAG API, which has benefits both in functionality 
and performance. This work will progress during the next few months and we are 
looking forward to working closely with the folks in San Diego. Perhaps, 
unfortunately for you, no firm deadlines have been established as yet and if 
you have an urgent need it might be advisable for you to become part of that 
effort to speed up the process. Also, it is very likely that we will need 
people to work on field trials for this new integrated solution.

Pere, would you be interested in working with us, either on development
or testing for the CoralReef/DAGMON solution?

-- 
Jesper Peterson, Senior Software Developer
http://www.endace.com, +64 7 839 0540
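
The address-based direction test described in the quoted question, as an added example that is not part of the original message and is not CoralReef code. A plain binary trie stands in for the Patricia trie, and the prefixes, labels and flows are constructed values from documentation address ranges.

```python
import ipaddress

class PrefixTrie:
    """Binary trie over IPv4 bits; lookup() returns the label of the longest matching prefix."""
    def __init__(self):
        self.root = [None, None, None]          # [child for bit 0, child for bit 1, label]

    def insert(self, cidr, label):
        net = ipaddress.ip_network(cidr)
        bits, node = int(net.network_address), self.root
        for i in range(net.prefixlen):
            b = (bits >> (31 - i)) & 1
            if node[b] is None:
                node[b] = [None, None, None]
            node = node[b]
        node[2] = label

    def lookup(self, addr):
        bits = int(ipaddress.ip_address(addr))
        node, best = self.root, self.root[2]
        for i in range(32):
            node = node[(bits >> (31 - i)) & 1]
            if node is None:
                break
            if node[2] is not None:
                best = node[2]                  # a longer prefix overrides a shorter one
        return best

def classify(trie, src, dst):
    """Infer flow direction from addresses alone, with no capture-port information."""
    s_in = trie.lookup(src) == "internal"
    d_in = trie.lookup(dst) == "internal"
    if s_in and not d_in:
        return "outgoing"
    if d_in and not s_in:
        return "incoming"
    if s_in and d_in:
        return "internal"
    return "unknown"                            # neither address is a known site prefix

# Constructed site table: a /24 that is ours, with a /26 inside it delegated elsewhere.
SITE = PrefixTrie()
SITE.insert("198.51.100.0/24", "internal")
SITE.insert("198.51.100.192/26", "external")

if __name__ == "__main__":
    for src, dst in [("198.51.100.10", "203.0.113.5"), ("203.0.113.5", "198.51.100.10"),
                     ("198.51.100.200", "198.51.100.10"), ("203.0.113.5", "192.0.2.9")]:
        print(src, "->", dst, classify(SITE, src, dst))
```

The "unknown" result is the case the question raises: without the capture port, a flow whose addresses match no known prefix cannot be assigned a direction.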
