First release: Mar 11, 2005
Last modified: Nov 3, 2005

trackpeer : Peer Tracking Agent

Introduction

trackpeer is an agent program that helps network and server administrators track users' computers [1-3]. It makes it possible to determine the MAC addresses of computers over a network, even when the computers are behind NATed gateways. The agent is intended for administrators who need to identify and locate malicious computers (users) and virus-infected computers in networks such as a medium-sized wireless LAN, a public Ethernet jack system, or a campus or corporate network. The program is also useful for simple MAC-address-based authentication over a network.

Using MAC addresses has several advantages over other computer/user identification methods, since every Ethernet interface has a unique MAC address that, in many cases, cannot be changed easily.

How this agent works

The agent program has two features, MAC address informing and MAC address logging.

MAC address informing

`trackpeerd' and `trackpeer' are the agent program and a simple client program, respectively. The agent program should run on a gateway (or on a packet-capturing machine beside it) that resides in the same network segment as the client computers. We call this router the ``frontline router''. The agent listens to the communication passing through the router and caches the packets' header information.

trackpeer

The client program trackpeer is used when an administrator or a server program wants to know the MAC address of a specific peer just after that peer has performed some communication. trackpeer gives the agent the source/destination addresses of a packet, the port numbers of the packet, and the time of the packet's arrival. The agent looks up its internal cache, picks the address information that matches the query, and returns it to the server.

In other words, the server asks the agent,
   `` Who's knocked the door at around HH:MM.SS? ''.

The agent forgets the address information after a certain period of time (10 minutes) has passed.
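The query and expiry behaviour described above, as an added example written for this page (it is not trackpeerd's own code). The entry lifetime of 600 seconds follows the page's ``10 minutes''; the 5-second matching tolerance, the field names and the `allow_wildcard` switch (standing in for the page's ALLOWWILDCARD build option) are assumptions of this example. It also assumes that the NAT keeps the client's source port, so a query is matched on source port, destination IP:port and time, and the translated source IP the server reports is not compared.

```python
# Added example for this page (not trackpeerd's own code): an in-memory
# packet-header cache queried the way `trackpeer` queries `trackpeerd`.
# Assumptions: entries expire after 600 s (the page's "10 minutes"), a query
# time matches an entry within +/-5 s, and the NAT keeps the client's source
# port, so matching ignores the translated source IP the server reports.
import time
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

CACHE_TTL = 600   # seconds an entry is remembered
TIME_SLACK = 5    # assumed tolerance around the queried arrival time


@dataclass(frozen=True)
class Header:
    ts: int          # arrival time, seconds since the Epoch (UTC)
    src_mac: str     # MAC seen on the client side of the frontline router
    src_ip: str      # pre-NAT client address (kept for logging, not matched)
    src_port: int
    dst_ip: str
    dst_port: int


class HeaderCache:
    """Recently seen headers in arrival order; old ones are dropped after the TTL."""

    def __init__(self, ttl: int = CACHE_TTL, allow_wildcard: bool = False):
        self.ttl = ttl
        # Stands in for the page's ALLOWWILDCARD build option: permit "-time 0".
        self.allow_wildcard = allow_wildcard
        self._entries: Deque[Header] = deque()

    def record(self, hdr: Header) -> None:
        self._expire(hdr.ts)
        self._entries.append(hdr)

    def _expire(self, now: int) -> None:
        # Arrival order means expiry only ever removes from the left.
        while self._entries and now - self._entries[0].ts > self.ttl:
            self._entries.popleft()

    def query(self, src_port: int, dst: Tuple[str, int], when: int,
              now: Optional[int] = None) -> List[Tuple[str, int]]:
        """Return (src_mac, ts) for cached headers matching the query.

        `when` is the packet time in seconds since the Epoch; 0 means "any time"
        and is honoured only when the wildcard is enabled.
        """
        if when == 0 and not self.allow_wildcard:
            raise ValueError("wildcard time queries are disabled")
        self._expire(int(time.time()) if now is None else now)
        hits = []
        for h in self._entries:
            if h.src_port != src_port or (h.dst_ip, h.dst_port) != dst:
                continue
            if when != 0 and abs(h.ts - when) > TIME_SLACK:
                continue
            hits.append((h.src_mac, h.ts))
        return hits


T0 = 1_100_000_000                      # constructed base time for the sample traffic
SERVER = ("203.0.113.10", 23)           # the telnet server E.F.G.H:23 of the page's example


def sample_cache(allow_wildcard: bool = True) -> HeaderCache:
    """Constructed traffic: two inside hosts reuse source port 49200 to telnet to SERVER."""
    cache = HeaderCache(allow_wildcard=allow_wildcard)
    cache.record(Header(T0,       "00:16:3e:aa:bb:01", "10.0.0.11", 49200, *SERVER))
    cache.record(Header(T0 + 2,   "00:16:3e:aa:bb:02", "10.0.0.12", 51000, "203.0.113.10", 80))
    cache.record(Header(T0 + 300, "00:16:3e:aa:bb:03", "10.0.0.13", 49200, *SERVER))
    return cache


if __name__ == "__main__":
    c = sample_cache()
    # Equivalent of: trackpeer -s A.B.C.D:49200 -dst E.F.G.H:23 -time T0+1
    print(c.query(49200, SERVER, T0 + 1, now=T0 + 310))
    # Equivalent of "-time 0": every telnet session from port 49200 still cached
    print(c.query(49200, SERVER, 0, now=T0 + 310))
    # Eleven minutes later the first session has been forgotten
    print(c.query(49200, SERVER, T0 + 1, now=T0 + 700))
```

The third query returns nothing because expiry is driven by the clock at query time, not by the queried timestamp: a server that asks about an event older than the cache lifetime gets an empty answer rather than a stale one.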

MAC address logging

The agent program monitors the ARP table in the OS kernel, detects changes to the ARP entries, and logs the changes via syslog. When a new MAC address appears, a new host has just joined the network. When a MAC address disappears, a host has been disconnected from the network (or has been idle for a long time).
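The ARP-table diffing described above, and the periodic dump of active addresses that the ``-maclog 2'' option provides, as an added example written for this page (not trackpeerd's own code). It assumes the table is read from Linux's /proc/net/arp and that only entries with the ATF_COM (0x2, ``complete'') flag count as active hosts; the two snapshots and the ``Active_host'' line format are constructed for the example.

```python
# Added example for this page (not trackpeerd's own code): detect ARP table
# changes by diffing two snapshots of the kernel's /proc/net/arp and report
# them as the New_host / Expired_host events the page describes. Both
# snapshots are constructed sample data; ATF_COM (0x2) is the "entry
# complete" bit from <net/if_arp.h>.
from typing import Dict, List, Tuple

ATF_COM = 0x02   # ARP entry has a resolved hardware address

# Constructed snapshot: two resolved hosts plus one unresolved (incomplete) entry.
SNAPSHOT_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.11        0x1         0x2         00:16:3e:aa:bb:01     *        eth1
10.0.0.12        0x1         0x2         00:16:3e:aa:bb:02     *        eth1
10.0.0.13        0x1         0x0         00:00:00:00:00:00     *        eth1
"""

# Constructed snapshot taken later: 10.0.0.11 has gone quiet, 10.0.0.14 appeared.
SNAPSHOT_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.12        0x1         0x2         00:16:3e:aa:bb:02     *        eth1
10.0.0.14        0x1         0x2         00:16:3e:aa:bb:04     *        eth1
"""

ArpTable = Dict[str, Tuple[str, str]]   # MAC -> (IP, device)


def parse_arp(text: str) -> ArpTable:
    """Parse /proc/net/arp text, keeping only complete entries (those with a real MAC)."""
    table: ArpTable = {}
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        if not int(flags, 16) & ATF_COM:        # 0x0 = still resolving, no MAC yet
            continue
        table[mac.lower()] = (ip, dev)
    return table


def arp_events(before: ArpTable, after: ArpTable) -> List[str]:
    """Log lines for MACs that appeared (New_host) or vanished (Expired_host)."""
    events = []
    for mac in sorted(set(after) - set(before)):
        ip, dev = after[mac]
        events.append(f"New_host {mac} {ip} {dev}")
    for mac in sorted(set(before) - set(after)):
        ip, dev = before[mac]
        events.append(f"Expired_host {mac} {ip} {dev}")
    return events


def active_hosts(table: ArpTable) -> List[str]:
    """Periodic dump of active MACs, in the spirit of the page's "-maclog 2" (format assumed)."""
    return [f"Active_host {mac} {ip} {dev}" for mac, (ip, dev) in sorted(table.items())]


def read_live_arp() -> ArpTable:
    """On a Linux router the same parser works on the real table."""
    with open("/proc/net/arp") as f:
        return parse_arp(f.read())


if __name__ == "__main__":
    before, after = parse_arp(SNAPSHOT_BEFORE), parse_arp(SNAPSHOT_AFTER)
    for line in arp_events(before, after) + active_hosts(after):
        print(line)   # trackpeerd would send these to syslog (LOCAL4.INFO)
```

Keying the table by MAC rather than by IP is what makes the log useful for tracking: a host that changes its address keeps the same MAC, while the incomplete entry for 10.0.0.13 never produces an event because no hardware address was ever resolved for it.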

Source Package

trackpeer runs under Linux, and probably under other systems as well. The packet-capturing library `libpcap' is required.

The source code is available here as Free Software, under the following license, which is based on the MIT X License.

/*----------------------------------------------------------------------
  Copyright (C) 2005  Hideaki Goto

  All Rights Reserved.

  Permission is hereby granted, free of charge, to any person obtaining
  a copy of this software and associated documentation files (the
  "Software"), to deal in the Software without restriction, including
  without limitation the rights to use, copy, modify, merge, publish,
  distribute, sublicense, and/or sell copies of the Software, and to
  permit persons to whom the Software is furnished to do so, subject to
  the following conditions:

  The above copyright notice and this permission notice shall be
  included in all copies or substantial portions of the Software.

  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
  IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDER(S) BE LIABLE FOR
  ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
  CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

  Except as contained in this notice, the name(s) of the copyright
  holder(s) shall not be used in advertising or otherwise to promote
  the sale, use or other dealings in this Software without prior
  written authorization of the copyright holder(s).
----------------------------------------------------------------------*/

Installation

  $ tar zxf trackpeer-X.XX.tar.gz
  $ cd trackpeer-X.XX
  $ make
After the compilation, copy trackpeerd and trackpeer to wherever you like. Edit the configuration file trackpeerd.conf appropriately, and put it into /etc.

Using the agent

Use the ``-h'' option for a help message.

  $ trackpeerd -h
  $ trackpeer -h

Just run the agent as a daemon on the frontline router. You have to be a superuser.

  # trackpeerd

Let A.B.C.D be the router's IP address. The following example asks for the MAC address of a remote computer that has tried to telnet to the server (E.F.G.H). The port number for telnet is 23.

  # trackpeer -s A.B.C.D:49200 -dst E.F.G.H:23 -time T
The time T should be specified in seconds since the Epoch (UTC). The current time is used if ``-time'' option is omitted.

See comment lines in trackpeerd.h for the details of the result codes.

You may use ``-time 0'' to ask for information about all the telnet sessions directed to the server, if ALLOWWILDCARDt is defined in trackpeerd.c.

To turn on the MAC address logging, start trackpeerd with ``-maclog'' option.

  # trackpeerd -maclog 1
If ``-maclog 2'' is specified, trackpeerd additionally logs, every 3 minutes, the MAC addresses that are active in the ARP table, in addition to the New_host/Expired_host information.

(syslog's facility and level are fixed to LOCAL4 and INFO, respectively.)

Testing Environments

trackpeer has been designed to work under RedHat-based Linux distributions, but is not limited to them. The programs have been tested under the following operating systems.

TODOs

References

  1. Hideaki Goto, ``Identifying Peers by Examining Remote MAC Addresses and its Possible Applications for Information Security,'' ITRC Technical Report No.33, pp.61-68, 2005. (in Japanese)
  2. Hideaki Goto, ``Identifying Peers by Examining Remote MAC Addresses,'' Proceedings of the 2005 IEICE General Conference, p.512, 2005. (in Japanese)
  3. Hideaki Goto, ``Surveillance Camera System for Mobile Computing Environments using an Active Zooming Camera and MAC Address Tracking,'' Proceedings Image and Vision Computing New Zealand 2005 (IVCNZ2005).

This page: All Rights Reserved, Copyright (C) Hideaki Goto 2005
http://www.sc.isc.tohoku.ac.jp/~hgot/sources/trackpeer.html