INAV USER DOCUMENTATION v 0.1

Nathan Robinson, Jeff Scaparra

TOC

Server and Server Tools
• Hardware Requirements
• Installation
  • Software Requirements
  • Downloading the tar file from inav.scaparra.com
  • via the subversion server
• Deployment scenarios
  • Raw Data Capture - monitor port on switch
  • Raw Data Capture - via network tap
  • Local Computer
  • Pcap Files
  • Comma Delimited Files
  • SFlow (Future Feature)
  • Netflow (Future Feature)
• Running on a non-standard port
• Testing with tnav
• Changing the server configuration on the fly
• Viewing all edges in the graph
• Viewing nodes as they die
• Trouble Shooting

Client
• Hardware Requirements
• Installation
  • Software Requirements
  • Downloading the Jar file from inav.scaparra.com
  • via the subversion server
• UI
  • Changing the server and port that the client connects to
  • Changing the bandwidth amounts and colors
  • Edgelife and graph refresh
  • Navigating the graph
  • Node Data
  • Information and limitation of the physics engine
• Trouble Shooting

Interactive Network Active-Traffic Visualization (INAV)

Preface

INAV began as a class project in the spring of 2007 and has been under development since; development is ongoing. Originally INAV was developed for visualization of traffic in real time, in response to the need to see connection information and understand the results quickly. Other tools that can be used to analyze traffic in real time are EtherApe, Wireshark, and tcpdump (to name a few of the more popular). EtherApe also has a number of limitations, especially when there is port scanning and the network being monitored is large. The goal behind creating a new tool was to develop something that would be able to process a massive amount of data and allow the user to visually draw conclusions much faster than by sorting through a text file as with Wireshark or tcpdump.

INAV SERVER

Hardware Requirements

As with any software, the better the hardware it runs on, the better the application will run. That said, the INAV server can be used even in a production environment with relatively cheap hardware. The server currently running in our testbed, which processes the data for the entire computer science department at a large university (thousands of connections), is:

• 1 GHz PIII
• 1-2 MB cache
• Gbps fiber card
• 1-2 GB RAM
• Gentoo Linux 2.6

I would suggest this as the minimum recommended hardware for any enterprise application of INAV.

Installation

PREREQUISITES

libpcap0.9-dev can be installed on Ubuntu via:
$ sudo aptitude install libpcap0.9-dev

g++ can be installed on Ubuntu via:
$ sudo aptitude install g++

Tar files from inav.scaparra.com

INAV can be downloaded from http://inav.scaparra.com/download/server

Downloading the tar file from inav.scaparra.com

Download the tarball to the directory where you would like inav to reside.

scap@venus:~/tmp$ wget http://inav.scaparra.com/files/server/INAV-Server.tar.gz
Resolving inav.scaparra.com...
Connecting to inav.scaparra.com|...|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: ... [application/x-tar]
Saving to: `INAV-Server.tar.gz'

Unpacking the tarball.

scap@venus:~/tmp$ tar xvf INAV-Server.tar.gz
server/
server/packet.h
server/sniffer.h
server/makefile
...

Compiling the server.

scap@venus:~/tmp$ cd server/
scap@venus:~/tmp/server$ make
g++ -c -g3 -ggdb -D INAV_VERSION_DEF=... -o baseData.o baseData.cpp
g++ -c -g3 -ggdb -D INAV_VERSION_DEF=... -o clientComm.o clientComm.cpp
...
(the same command is run for clientCommData, commandLineParser, debugThread, filterData, graphData, helper, inavServer, parseCommas, semaphore, snifferData, xmlParser, bandwidthMonitor, traceroute/tracerouteThread and traceroute/tracerouteData, and for the C sources ethernet.c, icmp.c, ip.c, packet.c, sniffer.c, tcp.c and udp.c)
g++ -g3 -ggdb -lpcap -lpthread -o inavd clientComm.o clientCommData.o ...

Congratulations, the server has been installed and can be run by calling ./inavd in that folder.

Installing from subversion

Warning: Checking out inav from subversion will ensure that you have the most up to date code; however, there is no guarantee that it has undergone ANY testing for bugs etc. It may not compile or may not work right. If you have problems with this method, please revert to the normal installation method.

Checking out the code.

scap@venus:~/tmp$ svn co http://inav.scaparra.com/INAV/server
A    server/packetData.h
A    server/baseData.h
A    server/tester.h
A    server/commandLineParser.cpp
A    server/baseData.cpp
A    server/clientCommData.cpp
A    server/snifferData.cpp
...

Compiling the code.

scap@venus:~/tmp$ cd server/
scap@venus:~/tmp/server$ make
g++ -c -g3 -ggdb -D INAV_VERSION_DEF=... -o baseData.o baseData.cpp
...
scap@venus:~/tmp/server$

Congratulations, the server has been installed and can be run by calling ./inavd in that folder.

Deployment scenarios

Raw Packet Capture

There are two forms of raw packet capture: sniffing from a network tap and sniffing from a monitor port on a switch. Each has its own pros and cons, and which is best depends on your network.

Raw Packet Capture via monitor port

This mode is preferred over the other methods when the user would like to visualize local traffic as well as traffic traversing the Internet. In this mode all data about the packets is captured as long as the traffic traversing the switch does not exceed what can be sent out of the monitor port. For this reason, if the switch has ports of different speeds, the monitor port should be on the fastest interface on the switch.

Pros:
• Can see all the traffic that the switch can see
• Most managed switches can provide this data
• Can use all of the packet data for filtering

Cons:
• Not all packets are guaranteed to be captured. If the switch is processing more data than can traverse the monitor port, the excess is dropped. These drops happen on the switch, so they never reach the capture host and do not appear in libpcap's drop counters; check the switch's own interface counters instead.
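Whichever raw-capture source feeds the server, the server's job is the same: turn frames into connections before anything is drawn. The following added example, not INAV's own code, shows that reduction in Python. It parses the classic libpcap file format (Ethernet link type), decodes IPv4/TCP/UDP headers and aggregates packets into (source, destination, protocol, destination port) edges with packet and byte counts. The edge key, the function names and the sample capture are this example's own choices, and the capture is constructed inline so the example runs offline. The optional payload predicate illustrates the "can use all of the packet data for filtering" point above: it needs bytes that a monitor port or tap delivers but a flow export does not.

```python
import struct
from collections import defaultdict

# Classic libpcap file format constants and the protocols decoded here.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def _ipv4(raw):
    """Dotted-quad string for 4 raw address bytes."""
    return ".".join(str(b) for b in raw)


def iter_packets(pcap_bytes):
    """Yield (frame, original_length) for each record of an Ethernet pcap file."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC:
        endian = "<"          # written by a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written by a big-endian host
    else:
        raise ValueError("not a pcap file")
    *_, linktype = struct.unpack_from(endian + "HHiIII", pcap_bytes, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24                  # the global header is 24 bytes
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < incl_len:
            break             # file truncated mid-record: stop rather than misparse
        yield frame, orig_len


def decode(frame):
    """Return (src, dst, proto, sport, dport, payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto = ip[9]
    l4 = ip[ihl:total_len]
    if proto == PROTO_TCP and len(l4) >= 20:
        hdr = (l4[12] >> 4) * 4    # TCP data offset, in 32-bit words
    elif proto == PROTO_UDP and len(l4) >= 8:
        hdr = 8
    else:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    return _ipv4(ip[12:16]), _ipv4(ip[16:20]), proto, sport, dport, l4[hdr:]


def connection_edges(pcap_bytes, payload_filter=None):
    """Aggregate packets into (src, dst, proto, dport) edges with packet/byte counts.

    payload_filter, if given, is a predicate on the transport payload: the kind
    of filter only full packet data allows (flow exports carry no payload).
    """
    edges = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame, orig_len in iter_packets(pcap_bytes):
        d = decode(frame)
        if d is None:
            continue
        src, dst, proto, _sport, dport, payload = d
        if payload_filter is not None and not payload_filter(payload):
            continue
        edge = edges[(src, dst, proto, dport)]
        edge["packets"] += 1
        edge["bytes"] += orig_len     # wire length, not the possibly snapped length
    return dict(edges)


# ---- constructed sample capture for this example (not real traffic) ----------
def _frame(src, dst, proto, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP-or-UDP frame; checksums are left zero."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + l4
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def _pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1200000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 80, b"GET / HTTP/1.0\r\n"),
    _frame("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 80, b"Host: example\r\n"),
    _frame("192.0.2.10", "10.0.0.5", PROTO_TCP, 80, 40000, b"HTTP/1.0 200 OK\r\n"),
    _frame("10.0.0.7", "10.0.0.1", PROTO_UDP, 5353, 53, b"\x00" * 32),
])

if __name__ == "__main__":
    for key, stats in sorted(connection_edges(SAMPLE_PCAP).items()):
        print(key, stats)
    # Keep only packets whose payload starts with "GET ": possible only with raw capture.
    print(connection_edges(SAMPLE_PCAP, lambda p: p.startswith(b"GET ")))
```

The byte count uses the record's original length rather than the captured length, so a capture taken with a small snaplen still reports the bandwidth actually on the wire; only the payload filter is affected by snapping.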

Raw Packet Capture via network tap

This is the original capture deployment mode for INAV. In this setup a tap is placed between the internal LAN and the external Internet. This uses the same interface capture method as raw packet capture via a monitor port; the difference is the device and interface that the capture port is connected to. The downside to this method is that local traffic that doesn't leave the LAN cannot be seen and is therefore not processed by the visualization.

Pros:
• Can see all traffic on the particular link that is being "tapped"
• Easy to install
• As long as the mechanism used to read the packets is as fast as the link, it will be able to capture all packets (limited by the pcap library)

Cons:
• Requires extra network gear
• Can't see any traffic that isn't traversing the link

Pcap Files

Pros:
• Can take any data that could be output in this form
• Easy to produce

Cons:
• Not real time (not always a bad thing)

CSV Files (Comma delimited files)

Pros:
• Can be replayed and reanalyzed over and over
• Easy to produce elsewhere for playback at a different location(s) at a later date

Cons:
• Not real time (not always a bad thing)

Netflow (Future Feature)

Pros:
• Less overhead than a monitor port
• Can see all the traffic on the device
• Multiple devices can send netflow data to the server

Cons:
• Vendor specific (not all hardware is capable)
• Doesn't send all the packet information (some forms of filtering will be impossible)

SFlow (Future Feature)

Pros:
• Less overhead than a monitor port
• Can see all the traffic on the device
• Multiple devices can send sflow data to the server

Cons:
• Vendor specific (not all hardware is capable)
• Doesn't send all the packet information (some forms of filtering will be impossible)
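The NetFlow caveat above (not all packet information is exported) is easiest to see from the record layout itself. The following added example, not INAV's own code, decodes a NetFlow v5 export datagram as Cisco documents it (a 24-byte header followed by up to 30 fixed 48-byte records) into the same kind of edges a raw capture yields. The field names, the edge key and the sample datagram are this example's own, and the datagram is constructed inline so the example runs offline. Two checks a practitioner wants are included: the record count is validated against the datagram length before any record is read, and the exporter's sampling interval is applied to the counters, since a sampling exporter reports only a fraction of the traffic. There is no payload field anywhere in the record, so a payload filter cannot be applied to this input.

```python
import struct

# NetFlow v5 wire layout: 24-byte header, then `count` fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def _ipv4(raw):
    return ".".join(str(b) for b in raw)


def parse_netflow_v5(datagram):
    """Decode one export datagram; raises ValueError on anything malformed.

    The count in the header is checked against the datagram length before
    any record is read, so a short or padded datagram cannot be misparsed.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, secs, _nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not match %d bytes" % (count, len(datagram)))
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": _ipv4(r[0]), "dst": _ipv4(r[1]), "next_hop": _ipv4(r[2]),
            "in_if": r[3], "out_if": r[4], "packets": r[5], "bytes": r[6],
            "first_ms": r[7], "last_ms": r[8], "sport": r[9], "dport": r[10],
            "tcp_flags": r[12], "proto": r[13], "tos": r[14],
            "src_as": r[15], "dst_as": r[16],
        })
    return {
        "sequence": seq, "exported_at": secs, "engine": (etype, eid),
        # low 14 bits: sampling interval (0 = every packet); top 2 bits: sampling mode
        "sampling_interval": sampling & 0x3FFF,
        "flows": flows,
    }


def edges_from_flows(report):
    """Aggregate flow records into (src, dst, proto, dport) edges.

    Counters come from the exporter and are scaled by its sampling interval.
    No payload exists here, so payload filters are not possible on this input.
    """
    scale = report["sampling_interval"] or 1
    edges = {}
    for f in report["flows"]:
        e = edges.setdefault((f["src"], f["dst"], f["proto"], f["dport"]), {"packets": 0, "bytes": 0})
        e["packets"] += f["packets"] * scale
        e["bytes"] += f["bytes"] * scale
    return edges


# ---- constructed sample datagram for this example (not from a real exporter) --
def _ip(s):
    return bytes(int(x) for x in s.split("."))


def _record(src, dst, sport, dport, proto, packets, octets, tcp_flags=0):
    return V5_RECORD.pack(_ip(src), _ip(dst), _ip("0.0.0.0"), 1, 2, packets, octets,
                          1000, 2000, sport, dport, 0, tcp_flags, proto, 0, 0, 0, 24, 24, 0)


SAMPLE_DATAGRAM = (
    V5_HEADER.pack(5, 3, 123456, 1200000000, 0, 42, 0, 0, 0)
    + _record("10.0.0.5", "192.0.2.10", 40000, 80, 6, 12, 6400, 0x1B)   # FIN|SYN|PSH|ACK
    + _record("192.0.2.10", "10.0.0.5", 80, 40000, 6, 10, 9000, 0x1B)
    + _record("10.0.0.7", "10.0.0.1", 5353, 53, 17, 1, 74)
)

if __name__ == "__main__":
    report = parse_netflow_v5(SAMPLE_DATAGRAM)
    for key, stats in sorted(edges_from_flows(report).items()):
        print(key, stats)
```

Because the exporter has already summarized each flow, the edges come out in one step with no per-packet work, which is the "less overhead" side of the trade-off; the price is that anything below the transport header is gone before the server ever sees it.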

INAV CLIENT

Hardware Requirements

As with any software, the better the hardware it runs on, the better the application will run. That said, the INAV client can be used even in a production environment with relatively cheap hardware. The client used to visualize the entire computer science department at a large university is:

• AMD X2 processor
• 1-2 MB cache
• 10 Mb/s link
• 2 GB RAM
• Java
• Mac OS X (the client has also been run on Windows XP SP2, Ubuntu Linux 7.x and Gentoo Linux 2.6)

I would suggest this as the minimum recommended hardware and software for any enterprise application of INAV.

Installation

PREREQUISITES

The INAV client is designed to run on any architecture and any OS. It is built on a framework that allows it to run on any system. We have experienced problems, and as such have developed solutions or workarounds so that our goal of complete system compatibility can be maintained. At a minimum, you will need the Java runtime environment installed. You will want to install the latest Java Runtime Environment (JRE) update (the largest update number on the download page). On OS X this is already installed; for other operating systems you will need to install it manually. Java can be installed from http://java.sun.com/javase/downloads/index_jdk1.jsp.

JAR file from the server

Once you have Java installed, you will be able to double click on the INAV.jar file to run it, or in some cases right click and select "Open with Java Platform." Alternatively, you can save the client (precompiled) from http://inav.scaparra.com/INAV/display/INAV.jar.

Installing from subversion

Warning: Checking out inav from subversion will ensure that you have the most up to date code; however, there is no guarantee that it has undergone ANY testing for bugs etc. It may not compile or may not work right. If you have problems with this method, please revert to the normal installation method.

Checking out the code.

scap@venus:~/tmp$ svn co http://inav.scaparra.com/INAV/display

Compiling the code.

scap@venus:~/tmp$ cd display/
scap@venus:~/tmp/display$ do stuff

Congratulations, the display has been installed and can be run by calling java stuff THING DOODAD in that folder.