An Introduction to Traffic Analysis - A Pragmatic Approach

via YouTube

Overview

Learn the fundamentals of traffic analysis through a pragmatic approach in this comprehensive conference talk. Explore packet capture techniques, network interface cards, and kernel structures in FreeBSD and Linux. Discover various capture mechanisms, including tcpdump and libpcap, and understand how to handle packet drops. Gain insights into reporting and statistics using gnuplot, and delve into BPF filters and IP options. Examine practical examples of capturing specific network traffic, such as SYN packets and HTTP GET methods. Investigate tools like netsniff-ng for advanced packet capture and analysis, and develop essential skills for effective network traffic analysis.

Syllabus

Intro
Why do we capture packets?
Obtaining Network Traffic
Network Interface Cards
FreeBSD Packet Processing
FreeBSD Processing cont.
mbuf kernel structure
Linux Frame Processing
sk_buff kernel structure
Keeping Up?
Capture Mechanisms/Sockets
tcpdump tests, average
libpcap buffer
FreeBSD, packet drops netstat
Linux, packet drops ifconfig
tcpdump/libpcap drops
Reporting & Stats
graphing with gnuplot
Packets Per Second
Gigabit Line Rate for UDP
trafgen config files
BPF Filters - 3
Capture SYN
IP Options: RR Example
Capture HTTP GET Method
netsniff-ng: a quick look
netsniff-ng: writing to disk
netsniff-ng: Creating filters
tcpdump & libpcap
Analysis
