Hackers of India

Flowinspect - A Network Inspection Tool

 Ankur Tyagi 

2014/02/14

This paper introduces flowinspect, a tool developed specifically for network monitoring and inspection purposes. It takes network traffic as input and extracts layer 4 flows from it. These flows are then passed through an inspection engine that will filter them according to the requested options. For flows that meet inspection criteria, output mode would take them in and dump match statistics and other details to either stdout or a file or both.

The primary difference between flowinspect and other network inspection tools is that flowinspect inspects network flows instead of individual layer 4 packet contents. As such if for a flow, certain data to be matched upon spans multiple packets, flowinspect would still be able to identify it. Inspection happens via any of the following inspection modes:

regex: PCRE-compatible regular expressions fuzzy: fuzzy string matching techniques shellcode: libemu based (x86 compatible) shellcode detection yara: yara-project based signature detection Above modes also accept certain options that a user can use to tweak the behaviour of the respective inspection engine. For example, regex matches could be made case insensitive, fuzzy string match threshold could be altered, shellcode profile output detailing the detected system calls could be generated, etc. Once a match is found over a flow, it is then passed onto the output module which takes care of dumping match statistics to either stdout or a file, or both.

Apart from these, there are a few other handy options that could prove useful in different network inspection scenarios. For example, inspection could be completely disabled and any of the output modes could be used to dump available flows as-is to a file. These files will contain direction-specific raw data for a specific five-tuple. These files could then be analysed separately using some other tool or utility. If required, matched flows could also be dumped to a packet capture file.