Analyze Google Protocol Buffers encoded files and network traffic

Posted by Vivek on 18 Sep 2008 | Tagged as: Uncategorized

I just uploaded a new build of Unsniff 1.8 Beta that supports Google’s new protocol buffers scheme. Basically, you can stick your proto files in a particular folder and decode files and network streams on the fly.
Click here for step-by-step instructions on how to use this feature.

This is Beta software. Please report problems and suggestions - either as comments to this post or to the forum.

In the rest of the post, I will explain why we worked on this feature and how it works.
—–

If you have not yet heard, Protocol Buffers (protobuf) is a serialization mechanism for structured data.

From Google's Open Source Blog:

Protocol Buffers allow you to define simple data structures in a special definition language, then compile them to produce classes to represent those structures in the language of your choice. These classes come complete with heavily-optimized code to parse and serialize your message in an extremely compact format.

Blog post by Kenton Varda, Software Engineering Team at Google

You can visit the project page for more detail.

When the project was first announced in July 08, I was immediately attracted to it. It sounded like a perfect test case for Unsniff 2.0’s dynamic plugin framework.

A little background first: Unsniff Network Analyzer is a multi-layer, scriptable, content-aware network analyzer. One of the cool things about Unsniff is its API. You can write a variety of plugins using the Unsniff API, but protocol plugins are the most common.

The types of protocol plugins you could write are:

  • A native plugin. A protocol plugin written as a C++ ATL COM Object using the framework provided. It is packaged as a DLL.
  • A dynamic plugin. Written using XML which describes the protocol in detail.
  • A mix. The XML handles the field dissection and the ATL handles other things like reassembly, custom descriptions, etc.

In Unsniff 2.0, we are introducing a new concept called “Custom Dynamic Plugin”. Instead of XML, the user can create plugins in any “IDL-like” language they can parse. The API provides hooks so they can be integrated into the Unsniff framework. This approach has great advantages because frequently a user has hundreds of in-house protocol messages in a custom format. They cannot be expected to write “XML documents” and certainly not “C functions”.
So, we decided to try supporting Protocol Buffers in the Beta (Unsniff 1.8) as a way to test out the concept. The way it works is:

1. You stick all your proto files in a special folder.

2. You write a small XML stub describing each protocol and how it integrates into the Unsniff framework (e.g., which ports it operates on, the name of the protocol, the ID, etc.).

That's it!

When required, Unsniff will compile each proto on the fly and create a dynamic custom decoder. This supports decoding network packets as well as files containing protobuf encoded data.

You get all of Unsniff’s larger network features for free. This includes handling many link layer protocols, TCP segmentation, IP defragmentation, TLS decryption for debugging, etc. Each message is shown as a separate PDU in the PDU sheet. These messages could span multiple packets or several could be contained in a single link layer packet.
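Before the proto schema is applied, a decoder like the one described above first has to split the raw bytes into tagged fields. This is an added example, not Unsniff's code or part of the original post: a schema-less protobuf wire-format splitter in Python. The sample bytes are constructed; a field cut off by a segment boundary raises NeedMoreData so a caller can wait for the next packet, which is the multi-packet case mentioned above.

```python
import struct

class NeedMoreData(Exception):
    """Buffer ends mid-field: the message continues in a later TCP segment."""

def read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise NeedMoreData
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:              # MSB clear: last byte of the varint
            return result, pos
        shift += 7
        if shift > 63:                   # protobuf varints are at most 10 bytes
            raise ValueError("varint too long")

def _fixed(buf, pos, fmt, size):
    if pos + size > len(buf):
        raise NeedMoreData
    return struct.unpack_from(fmt, buf, pos)[0], pos + size

def decode_fields(buf):
    """Split raw protobuf bytes into (field_number, wire_type, value) tuples."""
    # Without the .proto only the wire type is known: varints come back as ints,
    # length-delimited fields as bytes (nested message, string or packed array).
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if field_no == 0:
            raise ValueError("field number 0 is not allowed")
        if wire_type == 0:                       # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                     # fixed64
            value, pos = _fixed(buf, pos, "<Q", 8)
        elif wire_type == 5:                     # fixed32
            value, pos = _fixed(buf, pos, "<I", 4)
        elif wire_type == 2:                     # length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise NeedMoreData
            value, pos = bytes(buf[pos:pos + length]), pos + length
        else:                                    # 3/4 are deprecated groups
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields

# Constructed sample: field 1 = varint 150, field 2 = string "testing"
SAMPLE = bytes.fromhex("089601") + bytes.fromhex("1207") + b"testing"
```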

You can download the latest builds from the Beta Page.

Enjoy!

—-

Postscript

I wrote a custom parser and lexer for proto files. It handles pretty much everything including groups, extensions, import files, package names, etc. I could have just used the library’s methods for compiling it, but I was already too far down the road of YACC. I also wanted to extract the comments in the proto file, which the grammar does.

If anyone is interested I can post the YACC and LEX files as public domain. I will post this offer in the discussion group.

SNMPv3 Traps with authPriv now supported

Posted by Vivek on 18 Sep 2008 | Tagged as: Uncategorized

Unbrowse SNMP already has a powerful trap receiver. It supports SNMPv1, v2, v3 and IPv4 and IPv6. It can also run authentication checks on incoming traps. However, it could not decrypt SNMPv3 traps sent in authPriv mode.

Our latest release of Unbrowse SNMP now has the ability to decrypt SNMPv3 traps and show the results in the trap console. All auth protocols (MD5 and SHA) and privacy protocols (DES and AES-128) are supported.

Download it from here.

Enjoy!

—————–

[Screenshot: trapconpriv.jpg]

How to use?

To make it work you need to enter the security information for each agent from which you are expecting a trap. Use the Agents > Manage menu to create the agent and user.

Next, enable this feature:

  • Select Tools > Customize > Advanced, and locate the Trap Console group in the Miscellaneous box.
  • Find the last item, “Try to decrypt authPriv traps”, and check it.
  • You may also want to check “Authenticate incoming traps” (4 items up the list from the above).
  • See the screen below for the recommended options!

[Screenshot: trapauthpriv.jpg]

Now, incoming traps will be matched against the agent database. If there is a matching entry for User Name and the IP Address, the passwords specified by you will be used to decrypt and authenticate the trap.
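The passwords you enter per agent are not used directly: the USM turns them into keys bound to the sending agent's engine ID, and those keys drive the HMAC check and the DES/AES decryption. The following is an added example, not Unbrowse's code, of that derivation (RFC 3414) in Python's standard library; the password and engine ID are the RFC's own sample values, the trap bytes are constructed, and the DES/AES decryption itself is not shown since the standard library has no cipher support.

```python
import hashlib
import hmac

MEGABYTE = 1048576   # RFC 3414 A.2: the password is stretched to 1 MB before hashing

def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated to fill 1,048,576 bytes); hash_name is 'md5' or 'sha1'."""
    reps, rem = divmod(MEGABYTE, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). For a trap the engine ID is the sending
    agent's, which is why the receiver needs a per-agent entry to look it up."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def priv_key(kul: bytes, priv_proto: str):
    """Cipher key material sliced from Kul (RFC 3414 8.1.1.1, RFC 3826 3.1.2.1)."""
    if priv_proto == "des":
        return kul[:8], kul[8:16]      # 8-byte DES key, 8-byte pre-IV
    if priv_proto == "aes128":
        return kul[:16], None          # AES-128 key; the IV comes from boots/time/salt
    raise ValueError(f"unknown privacy protocol {priv_proto}")

def auth_tag(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """usmHMAC{MD5,SHA}-96: HMAC over the whole message, computed with the 12-byte
    msgAuthenticationParameters field zeroed, then truncated to 12 bytes."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]

def verify_trap(kul: bytes, whole_msg_zeroed: bytes, received: bytes, hash_name: str) -> bool:
    """Constant-time comparison against the tag carried in the trap."""
    return hmac.compare_digest(auth_tag(kul, whole_msg_zeroed, hash_name), received)

# RFC 3414 A.3 sample inputs: password "maplesyrup", engine ID 00...02
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
```

A trap whose tag fails verify_trap should be dropped before any decryption is attempted, since a wrong or replayed key would otherwise just yield garbage varbinds.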


Cisco MIB Package for Unbrowse SNMP refreshed

Posted by Vivek on 18 Sep 2008 | Tagged as: Uncategorized

A new version of the Cisco MIB Package for Unbrowse SNMP is now available. This features dozens of new and updated MIB definitions.

Download it from here.

This is a 35 MB download and takes about 2 minutes to install.


——————

About MIB Packages

We frequently visit the public websites of major vendors and package the latest MIB files for Unbrowse SNMP. You can then install this MIB Package to get instant access to all the knowledge in these MIBs. There is no need to explicitly load or unload MIBs as in other tools.

The easiest way to perform SNMP operations (walking, trap reception, polling) is:

1. Download Unbrowse SNMP

2. Install the latest MIB Package

That's it! You can now confidently perform all operations knowing you have the latest version of all MIBs in place.

For more information check out this post.

Happy SNMP!


TRAI allows internet telephony - LI made mandatory

Posted by Vivek on 18 Aug 2008 | Tagged as: Uncategorized

You may finally be able to call a fixed line or mobile from your computer in India. In a major move, the TRAI (Telecom Regulatory Authority of India) has allowed ISPs to provide unrestricted internet telephony.

From Indiatimes:

According to TRAI, TEC (Telecommunication Engineering Centre) will identify distinct number resources for Internet telephony subscribers. Telephone numbers from the identified blocks will be allocated to ISPs, UASPs (unified access service providers), BSOs (basic service operators) and CMSPs (cellular mobile service providers) for Internet telephony.


This is exciting news for all VoIP products and professionals in India. As expected, all ISPs are mandated to invest in lawful intercept technology. Now, that is interesting for Unleash Networks.

Indian ISPs, we have the perfect solution for you. Trisul, our open source network forensics package, is capable of real-time analysis of VoIP calls, metering of traffic, call (audio/video) recording and on-demand reproduction, and much more.

We are local and offer support, customization, and professional services for Trisul.

Contact us (info @ unleashnetworks dot com).


Unbrowse SNMP - Enhanced SNMP Walker available

Posted by Vivek on 11 Aug 2008 | Tagged as: Uncategorized

We just released a new build (R.1.5.1.1239) of Unbrowse SNMP with major updates to the MIB Walker (also known as MIB Browser in other products).

This is a FREE update to all current customers. Please download the latest version from here.

Let's take a quick tour of the new features.

[Screenshot: walker-context-menu.JPG]

1. Enhanced user interface (see above)

To access this functionality: right-click on the tab sheet.

If you are dealing with a MIB walk containing, say, 100+ tables, clicking the sheet tabs quickly gets cumbersome (see screenshot above). We added a menu which allows you to quickly navigate to the desired sheet. The tables are sorted in alphabetical order and even show the number of rows present in the walk. This menu does not appear if there are just a dozen or so tables.

2. SNMPWALK import more tolerant to input formats

This is one of the commonly used features of Unbrowse SNMP. It interprets text dumps from snmpwalk tools (Cisco, Juniper, Net-SNMP) into a fully OID-to-name resolved, spreadsheet-like interface. It saves you tons of time and hair pulling. See here for more details about this feature.

In this release, we add an option to display hex strings as human-readable text (see Tools->Customize->Advanced->Tools and check the “SNMPWALK Import : Make Hex Strings human readable” option).

Unbrowse SNMP can also now handle broken lines, inconsistent BITS datatypes, and large files.
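The two import quirks mentioned above, broken lines and hex strings that are really text, are easy to get wrong. Here is an added example, not Unbrowse's code, of a small Python parser for Net-SNMP style walk dumps that handles both; the dump is constructed, the OID names are taken as already resolved by the walking tool, and the hex option mirrors the customize setting above.

```python
import re

# Constructed sample of a Net-SNMP style walk dump: one value is broken over
# two lines, one Hex-STRING holds printable text, one holds a MAC address.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software,
C2960 Software (C2960-LANBASEK9-M)
IF-MIB::ifPhysAddress.1 = Hex-STRING: 00 1A 2B 3C 4D 5E
SNMPv2-MIB::sysName.0 = Hex-STRING: 73 77 69 74 63 68 30 31
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
"""

# "<oid> = <TYPE>: <value>"; TYPE may contain a hyphen (Hex-STRING)
LINE_RE = re.compile(r"^(\S+) = ([A-Za-z0-9-]+): ?(.*)$")

def hex_to_human(hex_text: str) -> str:
    """Render a Hex-STRING as text only when every byte is printable ASCII."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return hex_text                      # binary data (MACs, keys) stays hex

def parse_walk(text: str, humanize_hex: bool = True):
    """Return (oid, type, value) rows. A line without '<oid> = ' continues the
    previous value, which is how line-wrapped strings appear in dumps."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(list(m.groups()))
        elif rows:
            rows[-1][2] += "\n" + line
        # anything before the first OID line (banners, prompts) is dropped
    if humanize_hex:
        for row in rows:
            if row[1] == "Hex-STRING":
                row[2] = hex_to_human(row[2])
    return [tuple(row) for row in rows]
```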

3. Option to quickly open the MIB definition of any table

Just right-click any sheet and select “Show Definition”.

4. Option to export a selected sheet as HTML or CSV

Right-click on any sheet and select “Export as HTML” or “Export as CSV”. This allows you to export only a single sheet from a large MIB walk.

5. Option to export numeric OIDs instead of object names

By default, Unbrowse resolves all OIDs using the MIBs installed. Now you can export a MIB walk and see OIDs instead of names in the HTML output.

[Screenshot: walker-export-oids.JPG]

To enable this, use Tools->Customize->Advanced, scroll down to the Walker group, then check the “Export OIDs instead of names to HTML” option (see screenshot above).

Various other minor bugs reported by users have been fixed in this build.

Download it now from http://www.unleashnetworks.com/unsniff/unsniff.html

Happy MIB Walking :-)

We wish to thank a very cooperative customer (David Smith) for his help with major parts of this release.


Trisul - Packages released for Ubuntu Hardy and Fedora 7

Posted by Vivek on 16 Jul 2008 | Tagged as: Uncategorized

There has been a lot of heavy activity on the open source Trisul Network Metering and Forensics project.

[Image: fetch.png]

Packages available

We have packages for Ubuntu (i386, 32-bit) and Fedora (i386, 32-bit) available for download. This is the easiest way to get Trisul installed and give it a spin. Please download the packages from http://code.google.com/p/trisul/downloads/list

On Red Hat, for example, you could be up and running in only 3 steps:

  1. Download the RPM package from http://code.google.com/p/trisul/downloads/list
  2. As root: rpm -Uvh trisul-x.y.z.rpm
  3. As root: service trisul start

That's it! Trisul will now be capturing forensics data from eth0. Statistics and flows are stored in a SQLITE3 database, and raw packets are stored in a ring directory. See the installation documentation for more details.

Mailing list support

Any trouble, questions or contributions? Send email to trisul@googlegroups.com

You can browse the newly setup group at http://groups.google.com/group/trisul/topics

Freshmeat announcement

We are ready for our first public announcement on Freshmeat today. Trisul is stable and usable enough to be of great value immediately.

Winpcap permission issue with Vista

Posted by Vivek on 10 Jul 2008 | Tagged as: Uncategorized

One of the most used features of Unbrowse SNMP is the passive SNMP trap receiver. The trap receiver can listen to SNMP trap activity using any of the following three options:

  • On UDP Port 162 (this is the classic mode)
  • Via Windows Raw Sockets
  • Via Winpcap

When running Unbrowse SNMP on Windows Vista, you may encounter the following message when attempting to listen to SNMP traps using the Winpcap library.

[Screenshot: wpcap1.jpg]

This message means that Unbrowse SNMP is not able to load the Winpcap driver service using the current user's credentials. Unfortunately, running Unbrowse SNMP as administrator does not fix the problem.

The workaround is:

  • Open a command prompt as administrator (Start->All Programs->Accessories, right-click on Command Prompt and choose Run as administrator)
  • Type “net start npf”. This loads the NPF driver used by Winpcap.
  • Exit

Now, Unbrowse SNMP can listen to traps without further issues.

Note: this only needs to be done once after each restart of the machine.


Unbrowse SNMP updates

Posted by Vivek on 10 Jul 2008 | Tagged as: Uncategorized

A new version of Unbrowse SNMP is available (Build 1234).

You can get it from the downloads page.

Release highlights:

  • Handle SNMP devices (Cisco) which include special characters like CR and LF as part of printable Octet Strings. When such characters are seen, Unbrowse replaces them with {CR} {LF} in the MIB Walker.
  • Fix a bug when issuing SNMP SET commands for binary data (e.g., Hex: ff ff ff). You can now include spaces for readability.
  • Allow copying the output of the MIB compiler window.
  • Allow clearing the MIB compiler window.
  • Various minor fixes

Get it now!

Profiling packet processing on multicore systems

Posted by Vivek on 12 Jun 2008 | Tagged as: Uncategorized

Unleash Networks is a member of the Intel Software Partner Program. Thanks to the program we have access to a powerful tool for measuring multi-core performance of the new Trisul Open Source Network Metering and Forensics tool. I installed the 45-day eval of the Intel Thread Profiler for Windows with the Linux Data Collector. I then measured Trisul’s packet processing performance on a dual-core system. The results are at the Project Wiki Site.

[Screenshot: 1mcore.jpg]

From my various experiments with threading packet processing, I am leaning towards these conclusions:
1. Getting packet processing right on multiple cores is hard.

2. Traditional threading systems seem to be very difficult to get right. Given the volume of tokens (packets), it is easy to incur too much synchronization overhead or severely impact cache performance.

3. Task based approaches like the Intel Threading Building Blocks appear more attractive.

The next major task would be to create a quick prototype application using the Intel TBB library and revisit the measurements.

-

Trisul news:

I got some email pointing out that the DEB and RPM packages were missing. Sorry, they will be up shortly. The packager is broken.
There are many packet processing tools like Ntop, Snort, Sancp, Argus, etc. Trisul will hopefully find a niche because of its ability to reduce traffic data to a SQL database and its extensible architecture that allows other functions to be plugged in. (Documentation about the architecture is not yet available, but see the sysplugs directory in the source code.)

Trisul - Sourceforge and Google Code setup

Posted by Vivek on 06 Jun 2008 | Tagged as: Uncategorized

[Image: fetch.png]

Project Hosting

Trisul is a new open source project that is targeted at security analysts. I set up both Google Code and Sourceforge project sites. As much as I like SF, its performance leaves a lot to be desired. It also loads a lot of external content which adds to its load time. I will use the issue tracker and download link on Google Code. Perhaps as the project matures, we can revisit Sourceforge.

Blog

I also created a WordPress blog at trisul.wordpress.com.

Domain

I purchased the domain trisul.org. Eventually, the project will move there. We probably need a VPS if we want to host a demo of Web Trisul (the Ruby on Rails web frontend to the network metering data)

Todo List

Just playing with some options here. I quickly checked out tadalist and todoist. I could not find an easy way to publicly share list items on todoist, so I chose tadalist. The public tasks page is here.

New code

The first release on sourceforge (0.4.116) was an embarrassing mess. This was due to my unfamiliarity with autoconf and friends. I had just zipped up the source directory as a tarball instead of using “make distcheck”. The new release takes care of that.

————————————————–

Some questions people ask me about Trisul. I will try to answer them in the next blog post.

1) Is this project too ambitious? Can one system integrate traffic monitoring, raw data recording, session tracking, and forensics?

2) When good stuff like SANCP, Time Machine, ntop and argus is already available, what beverage is Trisul bringing to the party?

3) Trisul is at best a single “sensor” or “observation point”; how does it plan to integrate into a centralized console like SGUIL?
