The trace files needed for this project are available here.
In this part of the assignment, you will play the part of a network defender. You will be writing code that detects 'scanning' given a trace file representing traffic traversing the network.
The trace file given to you has been generated using Wireshark as in Part 1 of the project.
Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap.
Your code will use the Packet Capture library
For this assignment you will make use of routines provided as part of the Packet Capture Library. Start by looking at the pcap man page. You should be familiar with the TCP/IP stack and network packet structures to effectively decode the pcap packets that you read and parse them to extract the source IP addresses, destination IP addresses of TCP packets and similar interesting fields.
For example, the IP and TCP headers can be overlaid on the raw packet bytes using the structures from <netinet/ip.h> and <netinet/tcp.h>:

    struct ip *ip_hdr = (struct ip *) packet;                                 /* packet points at the IP header */
    struct tcphdr *tcp_hdr = (struct tcphdr *) (packet + ip_hdr->ip_hl * 4);  /* ip_hl counts 32-bit words, so this skips any IP options */

Note that packet must already point at the start of the IP header: the bytes libpcap hands you begin with the link-layer header (14 bytes for Ethernet), which has to be skipped first, and you should check the IP protocol field is TCP before treating the payload as a TCP header. The struct pointers can then be used to read specific interesting fields of the packet. Your job is to read these packets and perform scan detection. You will report warnings of suspicious scans along with the IP addresses of the sources performing the scanning and the IP addresses of the targets.
Your code is required to keep track of the following network events:
Connection requests: For each sending source, keep track of the number of connection requests vs. positive responses. If this ratio exceeds 3 to 1, your code must issue a warning.
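Added example, not part of the assignment handout: a self-contained C sketch of the per-source request/response bookkeeping described above. It works on raw IPv4/TCP bytes (the same layout the struct casts above read) instead of going through libpcap, so it runs without a trace file; the constructed packets, the 10.0.0.x addresses and the choice to warn only once a source has sent more than three requests are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MAX_SOURCES 64
#define TH_SYN 0x02
#define TH_ACK 0x10
struct src_state { uint32_t ip; unsigned requests, responses; }; /* SYNs sent vs. SYN-ACKs received */
static struct src_state table[MAX_SOURCES]; static int n_sources;
static struct src_state *lookup(uint32_t ip) {      /* find or create the entry for a source */
    for (int i = 0; i < n_sources; i++) if (table[i].ip == ip) return &table[i];
    if (n_sources == MAX_SOURCES) return NULL;
    table[n_sources] = (struct src_state){ ip, 0, 0 };
    return &table[n_sources++];
}
/* pkt points at the IPv4 header, i.e. the link-layer header has already been skipped. */
void observe_packet(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return;                   /* not IPv4 */
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (pkt[9] != 6 || ihl < 20 || len < ihl + 20) return;        /* not TCP, bad IHL, or truncated */
    uint32_t src, dst; memcpy(&src, pkt + 12, 4); memcpy(&dst, pkt + 16, 4);
    uint8_t flags = pkt[ihl + 13] & (TH_SYN | TH_ACK);
    if (flags == TH_SYN) { struct src_state *s = lookup(src); if (s) s->requests++; }                /* request from src */
    else if (flags == (TH_SYN | TH_ACK)) { struct src_state *s = lookup(dst); if (s) s->responses++; } /* positive answer to dst */
}
/* Report sources whose request:response ratio exceeds 3:1 (assumption: only after more than 3 requests). */
int flag_scanners(uint32_t *out, int max) {
    int n = 0;
    for (int i = 0; i < n_sources && n < max; i++)
        if (table[i].requests > 3 * table[i].responses && table[i].requests > 3) out[n++] = table[i].ip;
    return n;
}
/* Address bytes kept in wire order so the key is the same on any host byte order. */
uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) { uint8_t o[4] = { a, b, c, d }; uint32_t v; memcpy(&v, o, 4); return v; }
/* Constructed 40-byte IPv4+TCP packet without options; demo input only, not from a real trace. */
size_t make_pkt(uint8_t *buf, uint32_t src, uint32_t dst, uint8_t flags) {
    memset(buf, 0, 40); buf[0] = 0x45; buf[3] = 40; buf[9] = 6;  /* IHL 5, total length 40, protocol TCP */
    memcpy(buf + 12, &src, 4); memcpy(buf + 16, &dst, 4);
    buf[32] = 0x50; buf[33] = flags;                              /* TCP data offset 5, flag byte */
    return 40;
}
uint32_t demo_hits[8];
int run_demo(void) {  /* 10.0.0.1: 5 SYNs, 1 SYN-ACK back (scan-like); 10.0.0.3: 2 SYNs, 2 SYN-ACKs (normal) */
    uint8_t buf[40]; uint32_t a = ip4(10,0,0,1), b = ip4(10,0,0,2), c = ip4(10,0,0,3); n_sources = 0;
    for (int i = 0; i < 5; i++) observe_packet(buf, make_pkt(buf, a, b, TH_SYN));
    observe_packet(buf, make_pkt(buf, b, a, TH_SYN | TH_ACK));
    for (int i = 0; i < 2; i++) { observe_packet(buf, make_pkt(buf, c, b, TH_SYN));
                                  observe_packet(buf, make_pkt(buf, b, c, TH_SYN | TH_ACK)); }
    return flag_scanners(demo_hits, 8);   /* returns 1: only 10.0.0.1 is flagged */
}
```

In the real assignment, observe_packet would be called from the pcap loop callback with the pointer advanced past the link-layer header, and the warning printed for each address returned by flag_scanners.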
In addition you need to include in your README a write-up on how you will extend the above solution to include:
1. Host Scans
2. Syn Floods.
including the data structures that need to be added or updated, the state that needs to be maintained, and the algorithm you use to flag traffic as one of the above.
You are expected to submit your scan detection code along with a file (README.2) that describes your implementation. Your code should only print out the warnings with the associated IP addresses and nothing else. Your writeup is expected to be brief, no more than a page, but should describe how you implemented caching of pending events before you added them to the ratio. Your code will be tested against our test trace files as well for grading.