|
|
|
|
CoralReef is a software suite that is built in layers. CoralReef rests on a foundation of drivers and capture software. These drivers are independent of other layers and, in particular, the C and Perl Application Program Interface (API). As additional network card and monitor systems are supported, application programs will be able to use the new tools with little or no change.
The API for C is libcoral. This library was first finalized in version 3.0 of CoralReef. It is the main resource for all development, either in C (or other compiled languages) or Perl via the CRL.pm module.
Since Perl is often preferred for research tools and rapid prototyping, there is a Perl interface to libcoral. The CRL.pm module provides a Perl 5 object-oriented interface to the libcoral functionality.
On top of the access libraries, CoralReef provides a collection of analysis tools written in C/C++ and Perl. These tools provide some turnkey analysis capability. That turnkey capability will continue to be refined and expanded in the increment revision process for the CoralReef software suite. In addition, the CoralReef analysis tools provide a solid starting place for developers seeking to develop custom monitoring solutions.
The top level of the CoralReef analysis suite provides report generation capabilities for the World Wide Web. With the World Wide Web rapidly becoming the communication medium of choice, these report generation capabilities allow traffic analysis results to be shared with groups as small as local network administrators or as large as end users.
The CoralReef monitor drivers are patches to the operating system that permit the passive collection of data. Currently, the monitor drivers exist for FreeBSD UNIX. These drivers have been tested with versions 2.2.6, 2.2.7, and 3.0-Release of FreeBSD. Installation requires a basic familiarity with configuring
a FreeBSD kernel. Device Drivers are available for the following monitors: POINT (OC12), FATM (OC3), and soon the Dag2 (OC3/OC12) card.
In addition to collecting data from the network monitor boards noted above, the CoralReef software suite can use data from other monitoring systems or previously collected data. This data can be used in the same way by any application using the libcoral library or CRL.pm Perl module.
Libcoral provides a C API for reading OCXmon devices and several different trace file formats, and for writing trace files.
Libcoral operates on "sources". A libcoral source is a single file system entry: either an OCXmon device file (e.g., "/dev/point0") or an OCXmon trace in a regular file (e.g., "foo.crl"). A device source has one interface. But a trace file may have been created by monitoring multiple devices, so it may contain multiple interfaces.
The basic sequence of events for using libcoral to read a Coral source is:
The CRL.pm Perl module gives users access to the C coral library, but with the convenience of Perl. By using SWIG (the Simplified Wrapper and Interface Generator), C functions are wrapped and accessible from Perl. It consists of two interfaces to C functions, as well as various useful Perl functions. These two C
libraries are Unpack and Coral.
The Unpack library provides a Perl interface to some basic C structures, specifically packet headers, and to Coral-specific structures. It exists because the Perl method of extracting headers is too inefficient for a tight loop (one is required to extract every possible field from a header, even when unwanted). With the magic of SWIG, the C code to select certain fields from these headers is easily accessible from Perl.
The Analysis tools in C are undergoing refinement and development. Documentation and additional support tools are forthcoming. C tools are in provided when Perl is not efficient enough to produce results in a predictable fashion.
The Analysis tools in Perl are undergoing refinement and development. Documentation and additional support tools are forthcoming. These tools can be used to generate tables and graphs of Internet traffic characteristics.
The top level of the CoralReef analysis tools are the HTML report generation tools. These are rapidly undergoing revision and updating, and will eventually include CGI scripts and other custom controls to allow for remote report generation and system monitoring.