[Coral-dev] Re: DAG & CoralReef
Jesper Peterson
jesper at endace.com
Wed Jul 30 10:46:58 PDT 2003
Pere,
I've CC'd your question (and my response) to the CoralReef development list.
My answer is below.
Pere Barlet wrote:
>
> I have another question about CoralReef. When our network was ATM we used 2
> capture cards. In this case, the output of crl_flow had 2 tables, one for
> each interface. This feature was very useful in order to detect IP spoofing
> attacks.
>
> Now (using only one dag card with 2 ports) the output of crl_flow has only one
> table, and incoming and outgoing traffic goes mixed in the same file. In
> order to detect the traffic direction, we have to apply the longest prefix
> match algorithm. This algorithm is expensive although we use an optimized
> implementation using Patricia Tries. Furthermore, when input and output
> addresses of a flow are unknown, we are not able to detect either the
> traffic direction or the spoofed address. For our purposes, these
> restrictions could be a serious problem.
>
> Would it be possible to distinguish the traffic direction with crl_flow using
> your patched version of libpcap? If it is not the case, have you planned to
> do this improvement?
The short answer is that libpcap does not provide a way of passing this
information to the application. We (Endace) could register a new link type
(DLT_WHATEVER) with the libpcap project and include extra data in a pseudo
header but CoralReef would then need to be modified to support this. A better
approach is to modify CoralReef to have support for the native DAG API which
would make the port number within the card available.
This work is on the horizon as Endace has recently reached an agreement with
CAIDA through which we will be able to support their efforts to further
develop and enhance the CoralReef software suite. Part of the agreement is that
both parties make efforts to enable CoralReef native access to the DAG cards
via the standardised Endace DAG API, which has benefits both in functionality
and performance. This work will progress during the next few months and we are
looking forward to working closely with the folks in San Diego. Perhaps
unfortunately for you, no firm deadlines have been established as yet, and if
you have an urgent need it might be advisable for you to become part of that
effort to speed up the process. Also, it is very likely that we will need
people to work on field trials of this new integrated solution.
Pere, would you be interested in working with us, either on development
or testing for the CoralReef/DAGMON solution?
--
Jesper Peterson, Senior Software Developer
http://www.endace.com, +64 7 839 0540
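The two approaches contrasted in this exchange, direction inferred by longest-prefix match on addresses versus direction taken from the capture port, can be seen side by side in the following added example. It is illustration code written for this archive page, not CoralReef, libpcap or Endace code. The internal prefixes, the flow records and the "port" field (which stands in for the DAG port number that a native DAG API integration would expose) are all constructed for the example, and the trie is a plain uncompressed binary trie rather than the Patricia trie mentioned in the question; the lookup logic is the same.

```python
"""Added example (not CoralReef, libpcap or Endace code): flow direction and
spoof detection from longest-prefix match alone versus from a per-port tag.

The internal prefixes, inbound port set and flow records are constructed for
this illustration; the "port" field stands in for the DAG port number that
the native DAG API would expose. IPv4 only.
"""
import ipaddress


class PrefixTrie:
    """Binary trie over IPv4 prefix bits for longest-prefix match.

    One node per bit (uncompressed), unlike the path-compressed Patricia trie
    in the question; the lookup (descend while bits match, remember the
    deepest prefix seen) is the same.
    """

    def __init__(self):
        self.root = {}

    def insert(self, prefix):
        net = ipaddress.ip_network(prefix, strict=False)
        addr = int(net.network_address)
        node = self.root
        for i in range(net.prefixlen):
            bit = (addr >> (net.max_prefixlen - 1 - i)) & 1
            node = node.setdefault(bit, {})
        node["net"] = net  # mark the end of this prefix

    def longest_match(self, address):
        """Return the most specific stored network covering address, or None."""
        addr = int(ipaddress.ip_address(address))
        node, best = self.root, None
        for i in range(32):
            best = node.get("net", best)
            node = node.get((addr >> (31 - i)) & 1)
            if node is None:
                return best
        return node.get("net", best)


# Constructed for the example: address space "behind" the monitored link.
INTERNAL_PREFIXES = ["192.0.2.0/24", "192.0.2.128/26", "198.51.100.0/25"]
# Constructed: port 0 faces the outside world, port 1 faces the inside.
INBOUND_PORTS = frozenset({0})


def build_trie(prefixes=INTERNAL_PREFIXES):
    trie = PrefixTrie()
    for p in prefixes:
        trie.insert(p)
    return trie


def classify(trie, src, dst, port=None, inbound_ports=INBOUND_PORTS):
    """Return (direction, spoofed); spoofed is None when it cannot be decided.

    port=None is the single-merged-table situation from the thread: direction
    is guessed from which end matches an internal prefix, a flow matching on
    neither end gives no direction, and spoofing cannot be decided at all
    because a spoofed inbound packet looks exactly like a genuine outbound one.
    With the capture port known, direction comes from the port and the source
    address alone decides spoofing: an internal source arriving on an inbound
    port, or a non-internal source leaving on an outbound port.
    """
    src_internal = trie.longest_match(src) is not None
    dst_internal = trie.longest_match(dst) is not None
    if port is None:
        if src_internal and not dst_internal:
            return "outbound", None
        if dst_internal and not src_internal:
            return "inbound", None
        if src_internal and dst_internal:
            return "internal", None
        return "unknown", None  # the case the question describes
    direction = "inbound" if port in inbound_ports else "outbound"
    spoofed = src_internal if direction == "inbound" else not src_internal
    return direction, spoofed


# Constructed flow records: (src, dst, capture port).
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", 1),    # genuine outbound
    ("203.0.113.5", "192.0.2.10", 0),    # genuine inbound
    ("192.0.2.77", "203.0.113.9", 0),    # internal source arriving from outside: spoofed
    ("203.0.113.9", "203.0.113.77", 0),  # neither end internal, arriving (transit)
    ("203.0.113.9", "203.0.113.77", 1),  # neither end internal, leaving: spoofed source
]


def audit(flows, trie=None, use_port=True):
    """Classify each flow; returns [(src, dst, port, direction, spoofed), ...]."""
    if trie is None:
        trie = build_trie()
    rows = []
    for src, dst, port in flows:
        direction, spoofed = classify(trie, src, dst, port if use_port else None)
        rows.append((src, dst, port, direction, spoofed))
    return rows


if __name__ == "__main__":
    for use_port in (False, True):
        print("with capture port" if use_port else "addresses only")
        for row in audit(SAMPLE_FLOWS, use_port=use_port):
            print("  %-13s -> %-13s port=%d %-8s spoofed=%s" % row)
```

Run it as a script to see both passes over the same five flows: with addresses only, the third record (an internal source address arriving on the outside-facing port) is silently reported as outbound and the last two get no direction at all; with the port tag, both spoofed records are flagged and the transit flow is simply inbound.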