Capture

From Computing and Software Wiki

(Difference between revisions)
Jump to: navigation, search
 
(2 intermediate revisions not shown)
Line 1: Line 1:
-
gets the data from the data link layer
+
IDS use different methods to capture the relevant data to be analyzed. A very well known method is pcap.
-
(and from each layer that you get your input, you can go from that layer all the way up)
+
pcap consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library(packet capture library); Windows uses a port of libpcap known as WinPcap.
 +
Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap.
-
packet capture library:
+
libpcap and WinPcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap or WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format.
-
- data link layer
+
libpcap and WinPcap provide the packet-capture and filtering engines of network intrusion detection systems. They are usually installed at the data link layer but they can be installed at any desired layer and they capture the net work traffic from that layer all the way up. Filters can be applied so that the NIDS can can sniff the data in a desired way. for example:
-
- fire wall
+
- request a list of all packets except the ones that use UDP.
-
 
+
- request a list of all packets all packets going through TCP and usnig port 80.
-
filters apply to data so that you can sniff what you want.
+
-
 
+
-
ex:
+
-
 
+
-
- everything but UDP
+
-
 
+
-
- all packets going through TCP and usnig port 80
+

Current revision as of 22:55, 23 March 2008

IDS use different methods to capture the relevant data to be analyzed. A very well known method is pcap.

pcap consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library(packet capture library); Windows uses a port of libpcap known as WinPcap.

Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap.

libpcap and WinPcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap or WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format.

libpcap and WinPcap provide the packet-capture and filtering engines of network intrusion detection systems. They are usually installed at the data link layer but they can be installed at any desired layer and they capture the net work traffic from that layer all the way up. Filters can be applied so that the NIDS can can sniff the data in a desired way. for example:

- request a list of all packets except the ones that use UDP.

- request a list of all packets all packets going through TCP and usnig port 80.

Personal tools