Master Thesis - Past Projects - Abstract

Live network acquisition in a public access scenario

ID: LITH-IDA-EX--07/060--SE

This thesis investigates and implements a system that acquires connection information from UDP and TCP connections. The acquired information is transferred to a backend server for preservation. The purpose of collecting this information is to be able to trace which hosts an end-user has communicated with in the case a law enforcement agency investigates a crime that has been committed while using a public Internet access service. With this information an end-user can be binded to which hosts it has communicated with. The chosen solution takes advantage of the connection tracking system found in the Linux kernel, for acquiring the connection information from TCP and UDP connections. This has the advantage that UDP can be seen as a stateful protocol. The advantage of this is that data acquisition from every UDP packet is not needed and the wanted information will still be acquired, in the same way as for TCP connections. Another advantage is that information of how long time a UDP and TCP connection approximately lasted will be available. The system was implemented to be able to function in the Aptilo Networks system and was evaluated on real data. The evaluation has shown the scalability of the approach and provides a measure for the performance and storage needs.

Keywords:

Author(s): Magnus Florán

Contact: Simin Nadjm-Tehrani