Data Structures for Stateful Inspection

[Captain Blammo]

I'm trying to write a basic stateful packet inspection application using
JPcap in order to get a bit more familiar with TCP/IP, and was wondering if
anyone could point me in the direction of the best/most common algorithms
and data structures for delivering data to the right buffer based on source
and destination IP and port for an incoming segment.

Thanks for any info!

CB

 

[Thomas G. Marshall]

Captain Blammo coughed up:

I'm trying to write a basic stateful packet inspection application
using JPcap in order to get a bit more familiar with TCP/IP, and was
wondering if anyone could point me in the direction of the best/most
common algorithms and data structures for delivering data to the
right buffer based on source and destination IP and port for an
incoming segment.

Forgive my ignorance, but this almost sounds like you might benefit from
looking for NAT algorithms...

 

[Yamin]

I'm trying to write a basic stateful packet inspection application using
JPcap in order to get a bit more familiar with TCP/IP, and was wondering if
anyone could point me in the direction of the best/most common algorithms
and data structures for delivering data to the right buffer based on source
and destination IP and port for an incoming segment.

Thanks for any info!

CB

Check out ethereal (http://www.ethereal.com/). It's pretty much
standard fare for protocol analyzing.

Yamin

 

[Captain Blammo]

Forgive my ignorance, but this almost sounds like you might benefit from

looking for NAT algorithms...

I've been poking around all over the place for all sorts of things, but
still no luck on the specific stuff I'm looking for.

I was thinking that I could stuff the source and destination IP's into a
long, then make a binary tree out of them, then have a further binary tree
of ints representing the source and destination ports coming off each node
in the tree of longs. It seems a bit messy, but it's all I've thought up
thus far.

Assuming I can get the addresses as byte arrays, would just doing this:

public long getAddresses(){
byte[] source=getSource();
byte[] dest=getDest();
long addresses= source[0]|source[1]|...source[7]|dest[0]|dest[1]|...dest[7];
//previous line slightly paraphrased
return addresses;
}

be the best way to go about things? I don't really care about the value of
the longs, I only need to be able to compare them against each other and be
sure that all pairs of addresses will produce a unique value. I also want to
be able to do all this as speedily as possible.

Any help is appreciated

CB

 

[Chris Uppal]

I'm trying to write a basic stateful packet inspection application using
JPcap in order to get a bit more familiar with TCP/IP, and was wondering
if anyone could point me in the direction of the best/most common
algorithms and data structures for delivering data to the right buffer
based on source and destination IP and port for an incoming segment.

If you are doing this in order to educate yourself then you'll only be wasting
your time, and potentially confusing yourself, trying to find/use the 'best'
algorithms.

For instance, to find the runtime data associated an IP/port pair I'd create an
object that represented the pair, and use it as an index in a
java.util.HashMap.

If you want to go beyond that and find more space/time efficient lookups, then
that's fine, and it might even teach you something (more) about programming
Java, but it won't be teaching you anything about understanding TCP/IP.

-- chris