
The Linux Kernel Network Traffic Monitoring System

Posted on: 2007-02-03
Degree: Master
Type: Thesis
Country: China
Candidate: A Sun
GTID: 2208360182493767
Subject: Computer system architecture
Abstract/Summary:
With the development of the Internet and computer technology, networks have entered almost every aspect of society and of our lives, but this also brings problems that have to be dealt with. Network security threats and abnormal network traffic disrupt networks from time to time and cause considerable loss. Because of the damage these factors cause, the research and development of software that monitors network traffic and detects abnormal conditions has become an important task in the field of computer network security.

First, some network security threats and their trends are discussed, and then the thesis summarizes the main measures for handling these threats. After that, the thesis focuses on active network monitoring technology, through observation and analysis of some popular network monitoring systems and intrusion detection systems. From this, the thesis concludes the characteristics that a well-designed monitoring system should have: efficient monitoring of high-speed traffic, clear separation of functional modules, and good extensibility.

Based on this observation and analysis of current network monitoring technology, a network monitoring system running in the Linux kernel is proposed. It is responsible for the basic tasks of traffic monitoring and analysis, and it also provides a development interface for application modules. After its architecture is introduced, its functions are described, and then the functions and implementation ideas of every functional module of its kernel module, KMonitor, are discussed: packet capture, timer management, fragmentation management, connection management, event management, statistics, filters, and communication.

The next section mainly discusses two key functional modules of KMonitor: connection management and the filters. In the connection management portion, the implementation of the transport-connection management operations is discussed in detail. These operations consist of searching, insertion, and timeout handling of connections. After the data structures related to connection management are presented, the implementation algorithms are also discussed. In the filters portion, the thesis first introduces the basis of the filter mechanism: the implementation of libpcap's packet filter. Then the implementation details of our system's packet and connection filter functions are presented. In the last portion, the thesis discusses a problem encountered in the Linux kernel programming context and the way to solve it.

Finally, through efficiency testing of our system against another system with the same functions implemented in Linux user space, the thesis demonstrates the rationality and feasibility of the system's design. Future work is also introduced: further processing of payload data, and the capture of higher-speed traffic with no packets dropped.
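As an added illustration of the three connection-management operations named above (searching, insertion, and timeout handling), and not code from the thesis or from KMonitor: a minimal hash-chained connection table in C, keyed by the transport 5-tuple, written for user space with an assumed 60-second idle timeout and an assumed bucket count.

```c
#include <stdint.h>
#include <stdlib.h>

#define NBUCKETS 1024    /* assumed table size */
#define CONN_TIMEOUT 60  /* idle seconds before an entry is expired (assumed value) */

/* Transport-layer 5-tuple identifying one connection (IPv4, host byte order). */
struct conn_key { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

struct conn {
    struct conn_key key;
    uint64_t pkts, bytes;   /* per-connection statistics */
    long last_seen;         /* time of the last packet, in seconds */
    struct conn *next;      /* hash-chain link */
};
static struct conn *table[NBUCKETS];
size_t nconns;              /* number of live entries */

static unsigned hash_key(const struct conn_key *k) {
    uint32_t h = k->saddr ^ k->daddr ^ ((uint32_t)k->sport << 16 | k->dport) ^ k->proto;
    h ^= h >> 16; h *= 0x45d9f3bU; h ^= h >> 16;
    return h % NBUCKETS;
}
/* Field-by-field compare: the key struct has padding, so memcmp would be unreliable. */
static int key_eq(const struct conn_key *a, const struct conn_key *b) {
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}
/* Searching: walk the bucket chain for an exact 5-tuple match. */
struct conn *conn_find(const struct conn_key *k) {
    for (struct conn *c = table[hash_key(k)]; c; c = c->next)
        if (key_eq(&c->key, k)) return c;
    return NULL;
}
/* Insertion: create the entry on first sight, then account the packet and refresh the timer. */
struct conn *conn_update(const struct conn_key *k, uint32_t len, long now) {
    struct conn *c = conn_find(k);
    if (!c) {
        unsigned b = hash_key(k);
        if (!(c = calloc(1, sizeof *c))) return NULL;
        c->key = *k; c->next = table[b]; table[b] = c; nconns++;
    }
    c->pkts++; c->bytes += len; c->last_seen = now;
    return c;
}
/* Timeout handling: run from a periodic timer; unlink and free idle entries, return the count. */
size_t conn_expire(long now) {
    size_t n = 0;
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (struct conn **pp = &table[b]; *pp; )
            if (now - (*pp)->last_seen > CONN_TIMEOUT) {
                struct conn *dead = *pp; *pp = dead->next; free(dead); nconns--; n++;
            } else pp = &(*pp)->next;
    return n;
}
```

In a kernel module the same structure would need a lock around the table and a timer callback driving conn_expire; the sweep cost is proportional to the table size, which is why the thesis treats timeout handling as its own operation.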
Keywords/Search Tags: network engineering, network monitor, kernel mode, connection management, event filter