Design And Implementation On Network Sniffer System Based On Bridge

Along with the rapid development of network technology, the network sniffer to supervise the network data-flow and analyze the network problems is becoming a necessary tool and work assistant for the network managers, and it is very popular among the hackers to do some network attacks. Considering the factors such as network management, maintenance of national security, punishment of the computer criminals and protection of the security of the country, research about the network sniffer is significant and practical for our daily life.On the basis of work principles of the Ethernet, the special characters of the Ethernet based on hubs and switches are presented. Based on the work principle of Winpcap, a design method of Network Sniffer Based on Bridge (NSBB) is discussed. The whole design principle of the NSBB is explained, while the basic architecture, the work flow, the division and the device of each function module are described.Considering the defects of Winpcap in the method of data packet capture, four optimization methods are discussed: move the main application to the kernel processing procedures, zero-copy technology, reduce the hardware interrupt frequency and mass copy technology. After comparing of the characteristics of the various methods, we final select mass copy technology.Three different models of memory model are discussed: fragmented memory model, cluster memory model and recycling memory model. On basis of summarizing advantages and shortcomings in the three models, we choose recycling memory model as the final memory model.Considering the basic characters of the TCP (Transfer Control Protocol) and UDP (User Datagram Protocol), the design and implementation of the network packages reassemble module is presented. Then the work flow of the network packages reassemble module is expounded, while the details of the data packet capture thread and network packages reassemble thread are described.In real result of the implementation, NBSS can detect the existing Ethernet based on the switch with good performance.