• Part 1 [50 points total]: Construct a packet trace filtering tool. You've been asked to build a tool to filter packets captured by an Intelligence Agency on the war against terrorism. They want a tool that can read captured packets saved to a file and filter them for usage by other signal intelligence (SIGINT) tools. The captured packets are stored as a sequence of records in a file with the format below.

  
   0                             15                              31
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                        Capture Second                         |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                     Capture Microsecond                       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                        Capture Length                         |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                         Packet Length                         |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                          IP Header                           ...
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                       TCP/UDP Header                         ...
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                       Data (Optional)                        ...
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  ...                                                             |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                 Capture Second (Packet 2)                     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |              Capture Microsecond (Packet 2)                   |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                 Capture Length (Packet 2)                     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                  Packet Length (Packet 2)                     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                      IP Header (Packet 2)                    ...
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  ...
  

  The capture seconds are measured since the epoch on January 1, 1970. Microseconds is the number of microseconds within that second. This is the standard C timeval structure timing. The capture length is the number of bytes captured of the message. The packet length is the total length of the packet. The processing takes the form of the following.
  • A [25 points]: Display information for each IP packet in a condensed format. This format must follow the form below for each IP packet

    HH:MM:SS.UUUUUU IP.port -> IP.port Proto TCPFlags Datalen

    Where HH:MM:SS.UUUUUU displays the capture time of the packet. Proto is either "TCP" or "UDP" depending on the protocol field. TCPFlags is a set of characters specifying the TCP flags that are set. These are U, A, P, R, S, or F. And Datalen is the length of the data portion of the message. This value does not include the IP, TCP or UDP headers. An example would be:

    12:56:42.005679 157.182.194.28.7462 -> 157.182.194.39.22 TCP AP 1460

    This would be an TCP packet with IP source address of 157.182.194.28 and source port of 7462 going to IP destination address 157.182.194.39 and destination port 22. The TCP flags that are set are A and P and the data is 1460 bytes in length. The packet was captured at 12:56:42 and 5679 microseconds.
  • B [13 points]: Display only IP packets meeting specific IP address criteria. The Source IP address and/or the Destination IP address must match criteria given by the user. This criteria may include a netmask to apply to the IP address as well. This criteria may be given as command line arguments to the filter. With the -s argument specifying the Source IP address to look for and the -d argument specifying the Destination IP address to look for. e.g. $ pfilter -s 157.182.194.28/24 filename might only display information for IP packets that have a source IP address that falls in the 157.182.194.28/24 subnet. Both the Source IP address and Destination IP address may be given or just one of them may be given.
  • C [12 points]: Display only IP packets meeting protocol and port criteria. The source port and/or destination port as well as the protocol (TCP or UDP) can be specified.
• Part 2 [50 points total]: Construct an Internet event logging protocol client and server. The client will periodically send UDP messages containing text to a given server. These messages tell the server that the client is alive as well as allowing the client to send events to be logged by the server. The server uses absence of these messages to signify a client that has been shutdown. The messages sent and received must follow these formats.

  
  Notification:
  
  Bytes:    2      Var     1
        +------+----------+-+
        |  0x1 |  client  |0|
        +------+----------+-+
  
  Event:
  
  Bytes:    2      Var     1   Var  1      Var        1
        +------+----------+-+------+-+--------+------+-+
        |  0x2 |  client  |0| type |0| event message |0|
        +------+----------+-+------+-+--------+------+-+
  
  

  Notifications are sent in the absence of events to log. They contain a string used as the name of the client (this is the hostname). Events are sent to the server for logging. The event has a type field which is a string and a message field which is also a string.
  • A [15 points]: Construct a event client that sends events on the following schedule to a given IP address and UDP port.

    Every second send a notification unless an event was sent within the last second.

    Every 10 seconds send an event type of "MARK" message with the message being the time of day and date.

  • B [10 points]: Construct an event logging server that listens on a given UDP port for events. Each event and notification should be printed to the screen with client, the time of day and date as well as event type and event message.
  • C [25 points]: Modify the server so that it remembers each client for 2 minutes. If a client is not heard from for 2 minutes, it should be forgotten and a message printed about the client being "DEAD". The server must be able to track multiple clients and not just one of them at a time.

Notes: Your submissions must at least compile before any credit will be given. Submissions that do not compile will not be graded. Submissions submitted after the due date will not be graded. All work must be your own original work. To get partial credit for parts of the assignment, you must demonstrate that those pieces work by themselves. If you share code with others, you will be given a 0 for the assignment. This assignment set is worth 25% of your total grade.

Extra Credit

For extra credit, construct a DNS client application that can send MX queries for a given domain name to a given DNS server, wait for the response (resending if necessary), and display the MX Resource Record returned.

Submission Guidelines