
3 Design Thoughts

3.1 Sending and Receiving Traffic

Flowreplay must be able to process multiple connections to one or more devices. There are two options:

  1. Use sockets [2] to send and receive data
  2. Use libpcap [3] to receive packets and libnet [4] to send packets
Although using libpcap/libnet would allow more simultaneous connections and greater flexibility, there would be a very high complexity cost associated with it. With that in mind, I've decided to use sockets to send and receive data.

3.2 Handling Multiple Connections

Because a pcap file can contain multiple simultaneous flows, we need to be able to support that too. The biggest problem with this is reading packet data in a different order than it is stored in the pcap file.

Reading from and writing to multiple sockets is easy with select() or poll(); the difficulty is that a pcap file stores its data serially, while we need to access it randomly. There are a number of possible solutions, such as caching packets in RAM where they can be accessed in any order, building an index of the packets in the pcap file, or converting the pcap file to another format altogether. Alternatively, I've started looking at libpcapnav [5] as an alternate means to navigate a pcap file and process packets out of order.
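As an added illustration of the "build an index" option (example code written for this page, not Flowreplay's own), the following makes one sequential pass over a classic little- or big-endian pcap file, records each packet's file offset together with its bidirectional TCP flow key, and then reads each flow's packets back out of file order. The sample capture, its addresses and ports, and the helper names are constructed for the example; pcap-ng, VLAN tags, IPv6 and non-Ethernet link types are deliberately not handled.

```python
import struct
from collections import defaultdict

# libpcap layout: 24-byte global header, then records of a 16-byte record
# header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame bytes.
GLOBAL_HDR = "IHHiIII"   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = "IIII"
LINKTYPE_ETHERNET = 1


def ipv4(addr):
    return bytes(int(x) for x in addr.split("."))


def build_frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero, nothing here verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ipv4(src), ipv4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(records):
    """records: (ts_sec, ts_usec, frame) tuples -> bytes of a little-endian pcap file."""
    out = [struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("<" + REC_HDR, sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def flow_key(frame):
    """(bidirectional key, direction) for an Ethernet/IPv4/TCP frame, else None.
    Endpoints are ordered canonically so both directions share a key; direction is
    'fwd' when the packet was sent by the endpoint listed first in the key."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < tcp + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    src, dst = (frame[26:30], sport), (frame[30:34], dport)
    return ((src, dst), "fwd") if src <= dst else ((dst, src), "rev")


def index_pcap(buf):
    """One sequential pass. Returns (index, flows): index[i] = (offset, length,
    timestamp, key, direction); flows[key] = packet numbers in file order."""
    magic = buf[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic %r)" % magic)
    ghdr, rhdr = struct.Struct(end + GLOBAL_HDR), struct.Struct(end + REC_HDR)
    if ghdr.unpack_from(buf, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    index, flows, off = [], defaultdict(list), ghdr.size
    while off + rhdr.size <= len(buf):
        sec, usec, incl, _orig = rhdr.unpack_from(buf, off)
        data = off + rhdr.size
        if data + incl > len(buf):              # file cut off mid-record
            raise ValueError("truncated record at offset %d" % off)
        key, direction = flow_key(buf[data:data + incl]) or (None, None)
        if key is not None:
            flows[key].append(len(index))
        index.append((data, incl, sec + usec / 1e6, key, direction))
        off = data + incl
    return index, dict(flows)


def tcp_payload(frame):
    tcp = 14 + (frame[14] & 0x0F) * 4
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]


def flow_payloads(buf):
    """Visit each flow in turn (not file order) and return its (direction, payload) list."""
    index, flows = index_pcap(buf)
    return {key: [(index[n][4], tcp_payload(buf[index[n][0]:index[n][0] + index[n][1]]))
                  for n in nums]
            for key, nums in flows.items()}


# Constructed sample: two connections whose packets are interleaved in the file.
SAMPLE_PCAP = build_pcap([
    (1, 0, build_frame("10.0.0.1", 40000, "10.0.0.2", 80, b"GET / HTTP/1.0\r\n\r\n")),
    (1, 100, build_frame("10.0.0.3", 40001, "10.0.0.2", 25, b"EHLO mail\r\n")),
    (1, 200, build_frame("10.0.0.2", 80, "10.0.0.1", 40000, b"HTTP/1.0 200 OK\r\n\r\n")),
    (1, 300, build_frame("10.0.0.2", 25, "10.0.0.3", 40001, b"250 OK\r\n")),
])
HTTP_FLOW = ((ipv4("10.0.0.1"), 40000), (ipv4("10.0.0.2"), 80))
SMTP_FLOW = ((ipv4("10.0.0.2"), 25), (ipv4("10.0.0.3"), 40001))

if __name__ == "__main__":
    for key, pkts in flow_payloads(SAMPLE_PCAP).items():
        print(key, pkts)
```

The index costs one tuple per packet, so for a large capture it is far cheaper than caching whole packets in RAM, and the per-flow packet-number lists are exactly what a select()-driven replay loop needs to decide which packet to read next for a given socket.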

3.3 Data Synchronization

Knowing when to start sending client traffic in response to the server will be tricky. Without understanding the actual protocol involved, probably the best general solution is to wait for a given period of time after no more data has been received from the server. It is not clear what to do if the client traffic doesn't elicit a response from the server (implement some kind of timeout?). This will be the basis for the default plug-in.
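An added example (not Flowreplay's own code) of that quiet-period heuristic, with a hard timeout covering the case where a client chunk gets no reply at all: the client half of a flow is replayed over a socket, and each chunk is followed by reading from the server until it has been silent for quiet_period seconds. The scripted stand-in server, the SMTP-like chunks and the timing values are all made up for the demonstration.

```python
import select
import socket
import threading
import time


def replay_client_side(sock, client_chunks, quiet_period=0.25, response_timeout=1.5):
    """Replay the client half of a flow against `sock`.

    After each chunk is sent, keep reading until the server has been silent for
    `quiet_period` seconds; that silence is taken as "server finished its turn".
    If nothing at all arrives within `response_timeout`, record a timeout and
    move on instead of hanging. Returns a transcript of (who, data) tuples."""
    transcript = []
    for chunk in client_chunks:
        sock.sendall(chunk)
        transcript.append(("client", chunk))
        deadline = time.monotonic() + response_timeout
        heard_server = False
        while True:
            # Before the first byte arrives we wait on the hard deadline; after
            # that only the quiet period matters.
            wait = quiet_period if heard_server else max(0.0, deadline - time.monotonic())
            readable, _, _ = select.select([sock], [], [], wait)
            if not readable:
                if not heard_server:
                    transcript.append(("timeout", chunk))
                break
            data = sock.recv(4096)
            if not data:                        # server closed the connection
                transcript.append(("server-closed", b""))
                return transcript
            heard_server = True
            transcript.append(("server", data))
    return transcript


def _scripted_server(sock, script):
    """Constructed stand-in for the real server: answers per `script`, ignores anything else."""
    try:
        while True:
            req = sock.recv(4096)
            if not req:
                break
            for delay, reply in script.get(req, []):
                time.sleep(delay)
                sock.sendall(reply)
    except OSError:
        pass
    finally:
        sock.close()


def demo():
    client, server = socket.socketpair()
    script = {
        b"EHLO mail\r\n": [(0.0, b"250-mail\r\n"), (0.05, b"250 OK\r\n")],  # two-part reply
        # b"MAIL FROM:..." intentionally has no entry: exercises the timeout path
        b"QUIT\r\n": [(0.0, b"221 bye\r\n")],
    }
    t = threading.Thread(target=_scripted_server, args=(server, script), daemon=True)
    t.start()
    chunks = [b"EHLO mail\r\n", b"MAIL FROM:<a@example>\r\n", b"QUIT\r\n"]
    transcript = replay_client_side(client, chunks, quiet_period=0.25, response_timeout=1.0)
    client.close()
    t.join(timeout=2)
    return transcript


if __name__ == "__main__":
    for who, data in demo():
        print(who, data)
```

The two knobs pull in opposite directions: a short quiet_period speeds up replay but risks sending the next client chunk while a slow server is still mid-reply, and a short response_timeout can mislabel a slow server as unresponsive; both are protocol-specific, which is why a protocol-aware plug-in can do better than this default.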

3.4 TCP/IP

Dealing with IP fragmentation and TCP stream reassembly will be another really complex problem. We're basically talking about implementing a significant portion of a TCP/IP stack. One thought is to use libnids [6], which implements a Linux 2.0.37 TCP/IP stack in user space. Other solutions include porting a TCP/IP stack from Open/Net/FreeBSD or writing our own custom stack from scratch.
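To show the smallest piece of that stack a replay tool cannot do without, here is an added example (neither libnids nor Flowreplay code) of reassembling one direction of a TCP connection from segments that arrive out of order, duplicated, or partially overlapping, with sequence numbers compared modulo 2^32. The segment data is constructed for the example; IP defragmentation, the reverse direction, window and RST/FIN handling are left out.

```python
class TcpStreamReassembler:
    """Rebuild one direction of a TCP byte stream from (seq, payload) segments.

    Bytes are released only once they are contiguous with everything released
    before, which is what a replay tool needs: the exact stream the application
    saw, in order. Retransmitted or overlapping bytes already released are dropped."""

    MOD = 1 << 32

    def __init__(self, isn):
        self.next_seq = isn % self.MOD   # sequence number of the next byte to release
        self.pending = {}                # seq -> payload waiting for the gap ahead of it
        self.released = bytearray()

    def _dist(self, seq):
        """Signed distance from next_seq to seq, wrapping at 2^32 (negative = already past)."""
        return (seq - self.next_seq + (1 << 31)) % self.MOD - (1 << 31)

    def add_segment(self, seq, payload):
        """Feed one segment; return the bytes that became deliverable because of it."""
        seq %= self.MOD
        payload = bytes(payload)
        if payload and (seq not in self.pending or len(payload) > len(self.pending[seq])):
            self.pending[seq] = payload      # keep the longer copy of a repeated segment
        return self._drain()

    def _drain(self):
        out = bytearray()
        progress = True
        while progress:                      # repeat until no pending segment fits
            progress = False
            for seq in list(self.pending):
                d = self._dist(seq)
                if d > 0:
                    continue                 # still a hole in front of this segment
                data = self.pending.pop(seq)
                if -d < len(data):           # at least one byte beyond what we have
                    new = data[-d:]
                    out += new
                    self.released += new
                    self.next_seq = (self.next_seq + len(new)) % self.MOD
                    progress = True
        return bytes(out)

    def stream(self):
        return bytes(self.released)

    def waiting(self):
        """Number of segments held back behind a gap (non-zero means data is missing)."""
        return len(self.pending)


if __name__ == "__main__":
    # Constructed: request split across segments, delivered 1,3,2, then a retransmit and an overlap.
    r = TcpStreamReassembler(isn=1000)
    for seq, seg in [(1000, b"GET / HT"), (1012, b".0\r\nHost"), (1008, b"TP/1"),
                     (1008, b"TP/1"), (1017, b"ost: x\r\n"), (1025, b"\r\n")]:
        print(seq, seg, "->", r.add_segment(seq, seg))
    print(r.stream())
```

The same loop is what a capture-driven replayer has to run per direction before it can hand a client's request to a socket, because a pcap of a lossy link will contain exactly these retransmissions and reorderings.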



Footnotes

[2] socket(2)
[3] http://www.tcpdump.org/
[4] http://www.packetfactory.net/projects/libnet/
[5] http://netdude.sourceforge.net/
[6] http://www.avet.com.pl/~nergal/libnids/
Aaron Turner 2005-06-28