ModifiedTCPDump
Overview
ModifiedTCPDump is a component of the CogNet Controller. As its name suggests, ModifiedTCPDump is a modified version of the GNU GPL-licensed tcpdump, branching off from the Jan. 29, 2007 build. The modifications performed and the effects of these modifications are described in detail below.
The vast majority of the packets captured by the Nodes fall into two categories: (1) 802.11 control or management frames that terminate at the MAC sublayer, and (2) 802.11 data frames containing LLC headers, IP packets, and usually Transport and Application layer packets as well. Due to the rigid nature of the table structure in the CogNet Repository and the need to keep the number of columns in the tables at a manageable level, only these two categories of packets have their header data thoroughly processed. All packets are processed up to the MAC layer. The packets are processed as shown below:
If some higher-layer headers do not exist in a particular packet, the functions for that protocol are simply not called and the values appear as NULL in the database. Management Frame bodies, IP Options and TCP Options are all output as hexadecimal strings that can potentially be processed further. A list of all values output appears in the figure below. This same list is written to stderr by ModifiedTCPDump during execution.
ModifiedTCPDump writes the extracted values to tab-separated values files in the system's /tmp/ directory. The file names have the following format:
tcpdump_<year>_<month>_<6-digit random number>
Each of these files contains the values for at most one calendar month. If a capture file contains packets from more than one month, one file is created for each month. The name of each file is written to stdout, as shown in the following example:
Writing to file: /tmp/tcpdump_2007_06_035601
This is used by the Data Processing Module to determine the file to insert into the database.
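The following is an added example of how a consumer such as the Data Processing Module could pick up the file names from ModifiedTCPDump's stdout and read the tab-separated rows; it is not code from the CogNet project. It assumes the exact "Writing to file:" line format and the /tmp/tcpdump_<year>_<month>_<6-digit number> naming shown above, and it assumes (this is not stated on the page) that a value whose protocol function was not called appears as an empty field in the TSV file. The column list and the stdout/TSV samples are constructed for illustration. Only lines that match the documented name pattern exactly are accepted, so a malformed or unexpected path printed by the tool is reported rather than passed on to the database loader.

```python
import re

# Pattern for the file announcement ModifiedTCPDump prints on stdout:
#   Writing to file: /tmp/tcpdump_<year>_<month>_<6-digit random number>
# Anchored at both ends so nothing other than that shape is accepted.
_OUTPUT_LINE = re.compile(
    r"^Writing to file: (/tmp/tcpdump_(\d{4})_(\d{2})_(\d{6}))$"
)

# Constructed sample of stdout: two valid announcements, one line with a
# month that does not exist, and one path that does not match the pattern.
SAMPLE_STDOUT = """\
Writing to file: /tmp/tcpdump_2007_06_035601
Writing to file: /tmp/tcpdump_2007_07_912004
Writing to file: /tmp/tcpdump_2007_13_000002
Writing to file: /tmp/../etc/tcpdump_2007_06_000001
"""

# Assumed (hypothetical) column subset in TSV order; the real column
# order is defined by the value list in the figure, not by this script.
SAMPLE_COLUMNS = ["day", "hour", "min", "sec", "usec", "epoch", "pkt_len",
                  "type", "subtype", "src_port", "dst_port"]

# Constructed sample rows: an 802.11 control frame (type 1) with no
# transport header, so the port fields are empty, and a data frame
# (type 2) that carries a TCP segment.
SAMPLE_TSV = (
    "15\t10\t42\t07\t123456\t1181904127\t60\t1\t11\t\t\n"
    "15\t10\t42\t07\t123999\t1181904127\t1514\t2\t0\t443\t51234\n"
)


def parse_output_files(stdout_text):
    """Return ({(year, month): path}, [rejected lines]) from the tool's stdout.

    Any 'Writing to file:' line that does not match the documented name
    pattern, or names an impossible month, is collected in the rejected
    list instead of being handed to the importer.
    """
    files = {}
    rejected = []
    for line in stdout_text.splitlines():
        line = line.rstrip("\r")
        if not line.startswith("Writing to file:"):
            continue  # other stdout output, not a file announcement
        m = _OUTPUT_LINE.match(line)
        if m is None:
            rejected.append(line)
            continue
        path, year, month = m.group(1), int(m.group(2)), int(m.group(3))
        if not 1 <= month <= 12:
            rejected.append(line)
            continue
        files[(year, month)] = path
    return files, rejected


def load_tsv(tsv_text, columns):
    """Parse TSV rows into dicts; an empty field becomes None (NULL).

    A row with the wrong number of fields raises ValueError rather than
    being silently mapped onto the wrong columns.
    """
    rows = []
    for lineno, line in enumerate(tsv_text.splitlines(), start=1):
        if line == "":
            continue
        fields = line.split("\t")
        if len(fields) != len(columns):
            raise ValueError(
                "line %d has %d fields, expected %d"
                % (lineno, len(fields), len(columns))
            )
        rows.append({c: (f if f != "" else None) for c, f in zip(columns, fields)})
    return rows


if __name__ == "__main__":
    accepted, bad = parse_output_files(SAMPLE_STDOUT)
    for key, path in sorted(accepted.items()):
        print("month %04d-%02d -> %s" % (key[0], key[1], path))
    for line in bad:
        print("rejected: %s" % line)
    for row in load_tsv(SAMPLE_TSV, SAMPLE_COLUMNS):
        print(row)
```

The month range check and the anchored pattern are the point of the example: the importer takes file paths from another program's output, so it should only ever act on paths that look exactly like the ones the page documents.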
An example of ModifiedTCPDump operation is shown here:
Values Output by ModifiedTCPDump
General Information
Day, Hour, Min., Sec., Microsec., Epoch Time, Packet Length
Prism Header
Message Code, Message Length, Device Name, Host Time, MAC Time, Channel, RSSI, SQ, Signal, Noise, Rate, IsTX, Frame Length
802.11 Header
Type, Subtype, To DS, From DS, More Frag, Retry, Pwr Mgmt, More Data, WEP, Order, Duration, Source MAC Address, Destination MAC Address, BSSID, Transmitter Address, Receiver Address, Frag. Number, Seq. Number, Mgmt. Hexdump
LLC Header
DSAP, SSAP, Org. Code, Type
IP Header
Version, Header Length, Type of Service, Total Length, Identification, Don't Fragment, More Fragments, Fragment Offset, TTL, Protocol, Header Checksum, Source Address, Destination Address, Options Hexdump
TCP Header
Source Port, Destination Port, Seq. Num., Ack. Num., Data Offset, Flags, Window, Checksum, Options Hexdump
UDP Header
Source Port, Destination Port, Length, Checksum
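The IP Options Hexdump and TCP Options Hexdump values above are raw hex strings that the page says can be processed further. As an added example (not part of ModifiedTCPDump or the CogNet repository), the decoder below turns such a string into a list of (kind, data) options. It relies only on the standard option layout shared by IPv4 and TCP: a one-byte kind, and for every kind except 0 (End of Option List) and 1 (No Operation) a one-byte total length followed by the option data. The option-kind names and the sample hex string are constructed for illustration; malformed input raises ValueError so a loader can mark the packet as unparseable instead of accepting a truncated decode.

```python
# Names for the TCP option kinds interpreted below (standard kinds;
# the mapping itself is an assumption of this example).
TCP_OPTION_NAMES = {1: "NOP", 2: "MSS", 3: "WScale", 4: "SAckOK",
                    5: "SAck", 8: "Timestamp"}

# Constructed sample: a typical 20-byte TCP SYN option block
# MSS 1460, SACK permitted, Timestamp 123456/0, NOP, Window Scale 7.
SAMPLE_TCP_OPTIONS = "020405b40402080a0001e2400000000001030307"


def decode_options_hexdump(hexdump):
    """Decode an IP- or TCP-options hex string into [(kind, data), ...].

    Decoding stops at kind 0 (End of Option List); any padding after it
    is ignored.  Kind 1 (NOP) is a single byte with no data.  Every other
    kind carries a length byte counting the whole option, so the length
    must be at least 2 and must not run past the end of the string.
    """
    if hexdump is None or hexdump == "":
        return []  # NULL / no options present
    try:
        raw = bytes.fromhex(hexdump)
    except ValueError as exc:
        raise ValueError("not a hex string: %r" % hexdump) from exc
    options = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            options.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d for kind %d" % (length, kind))
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options


def describe_tcp_options(hexdump):
    """Render a TCP Options Hexdump as human-readable strings."""
    out = []
    for kind, data in decode_options_hexdump(hexdump):
        name = TCP_OPTION_NAMES.get(kind, "kind%d" % kind)
        if kind == 2 and len(data) == 2:
            out.append("MSS=%d" % int.from_bytes(data, "big"))
        elif kind == 3 and len(data) == 1:
            out.append("WScale=%d" % data[0])
        elif kind == 8 and len(data) == 8:
            tsval = int.from_bytes(data[:4], "big")
            tsecr = int.from_bytes(data[4:], "big")
            out.append("Timestamp=%d/%d" % (tsval, tsecr))
        elif data:
            out.append("%s=%s" % (name, data.hex()))
        else:
            out.append(name)
    return out


if __name__ == "__main__":
    print(describe_tcp_options(SAMPLE_TCP_OPTIONS))
```

The same decode_options_hexdump function applies to the IP Options Hexdump column, since IPv4 options use the same kind/length/data layout with kinds 0 and 1 as single bytes; only the per-kind interpretation in describe_tcp_options is TCP-specific.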
Obtaining ModifiedTCPDump
The latest version can be obtained via anonymous CVS:
cvs -d :pserver:anonymous@cognet1.ucsd.edu:/CogNetData/cvs checkout ModifiedTCPDump
And can be installed with the usual
./configure
make
make install
Please note that to compile you will need libpcap, obtainable via apt-get/yum/package manager of your choice (be sure to get the libpcap-devel packages too) or CVS:
cvs -d :pserver:tcpdump@cvs.tcpdump.org:/tcpdump/master login
Password: anoncvs
cvs -d :pserver:tcpdump@cvs.tcpdump.org:/tcpdump/master checkout libpcap
or at http://tcpdump.org.
To output header data with ModifiedTCPDump from a capture file previously created with an unmodified version of tcpdump, execute it with the -r option:
tcpdump -r <capture file name>
Questions: contact Paul
