Research And Implementation Of Network Packets Capture For Web Defending System

Posted on: 2009-11-12
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Li
Full Text: PDF
GTID: 2178360242489650
Subject: Information security

Abstract/Summary:
The WWW service is one of the fastest growing and most widely used services. It is precisely because of the WWW service that the Internet has developed rapidly in recent years, and the number of users has grown rapidly too. The service has brought great convenience to people. On the other hand, attacks aimed at the WWW service are common, so the security of the service is causing more and more concern. There are many enhanced security solutions for the WWW service; no matter which one is used, it is important to know how to obtain the network data packets, so ways to process and analyze data packets efficiently are research priorities. In this thesis, we research the use of an intermediate driver to capture network packets.

First, this thesis introduces the Windows network architecture and Windows drivers. In this section, we discuss the hierarchical model of the Windows network architecture and compare several methods generally used to capture network packets at different layers. After that, we decide to use the intermediate driver (IMD) to capture packets. Because the driver is developed on the basis of Passthru, one of the intermediate driver sample routines, we introduce the architecture of the Passthru driver.

Second, we describe the structure of the Web defending system. Our system consists of two parts: the driver part obtains and caches network packets, and the application part is responsible for inspecting the captured packets. In this part, we explain in detail the design and implementation of the intermediate driver. We explain some important data structures that are essential to driver programming. We also write and rewrite some functions, such as the packet copy function, the packet send function, etc. In the application part, we judge whether the captured packets contain hostile content by matching them against the existing rules, and the application then tells the driver what to do.

The system can run effectively because all network packets have to pass through the intermediate driver. After testing the validity of the system, the research work is summarized and the next steps for the system are outlined.
Keywords/Search Tags: NDIS, Intermediate driver, packet capture, security defending system