The rapid growth of the Internet has made the monitoring and defence of network security a high priority. The most important purpose of many network monitoring systems is security defence, and many tools and packages, Snort among them, are available for monitoring. These monitoring systems are built on top of API libraries: libpcap for packet capture, libnet for constructing and modifying packets, and libnids for packet reassembly. Many monitoring systems rely on libnids for packet capture, IP defragmentation and TCP stream reassembly, restoring the captured packets to the original data. In passive monitoring, however, the capture point is not a party to the TCP connection, so libnids cannot rely on TCP's reliable delivery to recover what it misses, and packets are more easily lost or missed during capture. When libnids then reassembles a TCP stream and a segment is missing, it cannot continue to process the segments that have already arrived after the gap. This study therefore improves the procedure libnids uses for TCP stream reassembly by adding a packet dispatch mechanism to the reassembly process: after waiting a fixed period for a segment that does not arrive, libnids continues reassembling the segments that have already arrived, which also prevents the system from consuming large amounts of dynamic memory to hold segments that arrived early but could not be reassembled. Finally, this study passes the reassembled data, together with packet header information, up to the application layer for further parsing; this information helps extract more useful network information and supports more efficient network management.
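The packet dispatch mechanism described above is, at its core, a reassembly buffer with a per-hole timer: segments that arrive beyond a gap are held until the gap fills or the timer expires, and on expiry the expected sequence number jumps forward to the earliest held segment. The following C program is an added example written for this page; it is neither libnids code nor the thesis's own implementation. It models one direction of a TCP stream with simulated capture timestamps, an assumed 2-second timeout (GAP_TIMEOUT), an assumed bound of 16 buffered segments (MAX_PENDING), and a constructed HTTP request in which the segment carrying "/foo" is lost in capture. It goes slightly beyond the text by also showing the two consequences the design implies: the buffer is bounded rather than growing without limit, and a copy of the lost segment that turns up after dispatch is recognised as stale and discarded rather than re-inserted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PENDING  16    /* out-of-order segments held per stream (assumed bound) */
#define SEG_DATA_MAX 64
#define GAP_TIMEOUT  2.0   /* seconds to wait for a missing segment (assumed value) */

struct segment { uint32_t seq; size_t len; char data[SEG_DATA_MAX]; };
struct stream {
    uint32_t next_seq;                       /* next byte expected in order */
    int waiting; double gap_since;           /* hole open? and when it was first seen */
    struct segment pending[MAX_PENDING];     /* segments that arrived beyond the hole */
    int npending;
    char out[1024]; size_t outlen;           /* reassembled payload for the application */
    int gaps_skipped; uint32_t bytes_skipped;/* holes abandoned after GAP_TIMEOUT, bytes lost */
};
static void stream_init(struct stream *s, uint32_t isn) { memset(s, 0, sizeof *s); s->next_seq = isn; }

static void deliver(struct stream *s, const char *data, size_t len) {
    if (s->outlen + len > sizeof s->out) len = sizeof s->out - s->outlen;
    memcpy(s->out + s->outlen, data, len);
    s->outlen += len; s->next_seq += (uint32_t)len;
}

/* Deliver the part of [seq, seq+len) at or after next_seq. Returns 1 if the segment is
 * consumed (delivered or entirely stale), 0 if it starts beyond a hole and must be buffered. */
static int consume(struct stream *s, uint32_t seq, const char *data, size_t len) {
    int32_t off = (int32_t)(seq - s->next_seq);        /* signed: survives sequence wrap */
    if (off > 0) return 0;
    size_t skip = (size_t)(-off);
    if (skip < len) deliver(s, data + skip, len - skip);
    return 1;
}

/* Hand over every buffered segment that has become contiguous with next_seq. */
static void flush_in_order(struct stream *s, double now) {
    int was_waiting = s->waiting;
    for (int i = 0; i < s->npending; ) {
        struct segment *p = &s->pending[i];
        if (!consume(s, p->seq, p->data, p->len)) { i++; continue; }
        s->pending[i] = s->pending[--s->npending];     /* consumed: drop it */
        i = 0;                                         /* next_seq moved: rescan from the start */
    }
    s->waiting = s->npending > 0;
    if (s->waiting && !was_waiting) s->gap_since = now; /* a new hole: start its timer */
}

/* Packet dispatch: once a hole has stayed open for GAP_TIMEOUT, stop waiting, move next_seq
 * to the earliest buffered segment and keep reassembling from there. Returns 1 if it did so. */
static int stream_tick(struct stream *s, double now) {
    if (!s->waiting || now - s->gap_since < GAP_TIMEOUT) return 0;
    uint32_t lowest = s->pending[0].seq;
    for (int i = 1; i < s->npending; i++)
        if ((int32_t)(s->pending[i].seq - lowest) < 0) lowest = s->pending[i].seq;
    s->bytes_skipped += lowest - s->next_seq; s->gaps_skipped++;
    s->next_seq = lowest; s->waiting = 0;              /* a hole that remains gets a fresh timer */
    flush_in_order(s, now);
    return 1;
}

/* Feed one captured segment's payload, stamped with the capture time `now`. */
static void stream_feed(struct stream *s, uint32_t seq, const char *data, size_t len, double now) {
    stream_tick(s, now);
    if (len > SEG_DATA_MAX) len = SEG_DATA_MAX;
    if (!consume(s, seq, data, len)) {
        if (s->npending == MAX_PENDING) return;         /* bounded memory: drop rather than grow */
        struct segment *p = &s->pending[s->npending++];
        p->seq = seq; p->len = len; memcpy(p->data, data, len);
    }
    flush_in_order(s, now);
}

/* Constructed scenario: the segment carrying "/foo" (seq 1004..1007) is lost in capture,
 * later segments keep arriving, and a late copy of it shows up after dispatch. */
static struct stream demo_stream;
static void run_demo(void) {
    struct stream *s = &demo_stream; stream_init(s, 1000);
    stream_feed(s, 1000, "GET ", 4, 0.0);              /* in order: delivered at once */
    stream_feed(s, 1008, "HTTP/1.1\r\n", 10, 0.1);     /* beyond the hole: buffered, timer starts */
    stream_feed(s, 1018, "Host: x\r\n", 9, 0.5);       /* buffered */
    stream_tick(s, 1.0);                               /* within GAP_TIMEOUT: keep waiting */
    stream_tick(s, 2.5);                               /* dispatch: give up 4 bytes, flush both */
    stream_feed(s, 1004, "/foo", 4, 3.0);              /* now stale: discarded, not buffered */
}

/* Memory bound: feeding more out-of-order segments than MAX_PENDING never grows the buffer. */
static int demo_bounded(void) {
    struct stream s; stream_init(&s, 0);
    for (uint32_t i = 1; i <= MAX_PENDING + 4; i++) stream_feed(&s, i * 100, "x", 1, 0.0);
    return s.npending;
}
int main(void) {
    run_demo();
    printf("%.*s[%d gap, %u bytes lost; overflow test holds %d segments]\n", (int)demo_stream.outlen,
           demo_stream.out, demo_stream.gaps_skipped, demo_stream.bytes_skipped, demo_bounded());
    return 0;
}
```

After dispatch the application receives `GET HTTP/1.1\r\nHost: x\r\n` with the four lost bytes simply absent, and `gaps_skipped` / `bytes_skipped` record that a hole was abandoned. In a real deployment the consumer must be told about that hole (these counters stand in for the header information the text says is passed up with the data), because a parser that treats the spliced stream as complete will mis-parse the request; likewise the timeout should be chosen against the link's retransmission timescale, since a value shorter than a genuine retransmission turns ordinary loss into discarded data.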
The rapid growth of the Internet has made monitoring and protecting network security increasingly important. The primary goal of a monitoring system is to protect network security, and many tools and software packages are available for monitoring the network. Most of these monitoring systems are built on API libraries, such as libpcap for capturing packets and libnids for reassembling them. Most monitoring systems use libnids for packet capture, IP defragmentation and TCP stream reassembly. When libnids reassembles a TCP data stream and a packet is lost or not captured successfully, it fails to continue analysing the packets that follow. We therefore improve the libnids TCP stream reassembly procedure by adding a packet dispatch mechanism that bounds the wait for a missing packet: after libnids has waited for a set period, it continues analysing the packets that have already arrived. In addition, libnids no longer consumes large amounts of memory storing subsequent packets that cannot be reassembled. Finally, we deliver the reassembled packets, together with their packet header information, to the application layer, where this information can be used to obtain more useful network information for network management.