# Current Project: "Eyeball v.4" C++ Linux



## Oliver_FF (Jun 11, 2010)

I thought I'd share with you all my current project - a network traffic analysis tool I'm writing for Linux. Anyone who's been around for a while should have seen the FAQ I wrote ages (years?) ago about sniffing raw network traffic. In that thread I hinted at some of the possibilities that I'd like to implement in the future if I got the time... Well I've just finished my 4th year of Computer Science at Uni and am waiting for graduation so I figured it was an opportune time to get stuck in.

Just for reference, the interesting stuff I get from each packet I grab from my network includes...

- Source IP address
- Destination IP address
- Source Port
- Destination Port
- Transport layer protocol number
- Data lengths
- Data payload (possibly encrypted)

Everything else has to be computed/looked up/referenced.

*Main Functionality:*

*Connection View* - A list of all active connections on the network within a recent time period. Each connection lists the application using the connection, what transport layer protocol it's using, what application layer protocol it is using over the connection (HTTP, FTP, msnp, etc) and the IP address/resolved host name of the machine on the other end of the connection. As time passes and no packets arrive the status bars drop, when they empty the connection is dropped from the list. The top left button causes the connection to persist indefinitely. The bottom button extends a small text view area which shows a preview of the data travelling over the connection.

```
+-----------------------------------------------------------+
| (=)         firefox {TCP}~[HTTP]195.156.56.743            |
| (v) [=======3567=packets=totalling=~=6,783,568KB========] |
+-----------------------------------------------------------+ 
+-----------------------------------------------------------+
| (=) firefox {TCP}~[HTTP]somedomain.subdomain.domain.co.uk |
| (v) [=======3567=packets=totalling=~=6,783,568KB========] |
+-----------------------------------------------------------+ 
+-----------------------------------------------------------+
| (=) firefox {TCP}~[HTTP]somedomain.subdomain.domain.co.uk |
| (^) [=======3567=packets=totalling=~=6,783,568KB========] |
| +-------------------------------------------------------+ |
| | packet data print  out g oes  here? packet data print | |
| | out goes here? packet  dat   a printout goes here? pac| |
| | packet  data prin   tout goes here? pa cket dta p rino| |
| | packet data pri ntout goes he  re? pac e t data prn to| |
| | packet da ta p rintout  goes  here? pcket  data ri nto| |
| | packet data  printout goes h e  re? p cet da t p rinto| |
| | packet data printout  goes    here? pa ke dta  p rinto| |
| +-------------------------------------------------------+ |
+-----------------------------------------------------------+
```













*Application View* - A list of all processes which have recently used the network. It lists the process name, the transport layer protocols it has used, the application layer protocol it is using, a list of each IP address and resolved host name of each host it has communicated with, and a running count of the number of packets it has received, amount of data received and the number of connections it has used. Again, it times out after a long period of inactivity - the button makes it persist on the list.

```
+-----------------------------------------------------------+
|                          firefox                          |
|                      {TCP}[HTTP][FTP]                     |
| +-------------------------------------------------------+ |
| |        somedomain.subdomain.domain.co.uk            |^| |
| |        somedomain.subdomain.domain.co.uk            | | |
| |        somedomain.subdomain.domain.co.uk            | | |
| |        somedomain.subdomain.domain.co.uk            | | |
| |        somedomain.subdomain.domain.co.uk            |v| |
| +-------------------------------------------------------+ |
| [==========3567=packets=totalling=~=6,783,568KB=========] |
+-----------------------------------------------------------+
```








*Host View* - A list of all hosts which have been recently communicated with. It lists the IP address and resolved host name, the processes which have communicated with the host, the application/transport layer protocols used and a running count of the amount of packets/data going to the host. Again, the button causes the host to persist in the list.

```
+----------------------------------------------------------+
|   someedomain.subdomain.domain.co.uk (255.255.255.255)   |
| (=)        [firefox] ~ [TCP] ~ [HTTP] [HTTPS]            |
| [=========3567=packets=totalling=~=6,783,568KB=========] |
+----------------------------------------------------------+
```








*Thoughts...*

It's written in C++ using GTK+ for the user interface. It is currently 2571 lines of C++. The hardest parts are doing all of the lookups dynamically - it can take up to 600ms to look up which application is using which port and it can take >3000ms to look up a host. Neither lookup is guaranteed either. All the time you've still got to be grabbing new network data and processing it - all of the lookups have to be offloaded into new threads and obviously you can't do anything for applications until they've been looked up. In the current implementation, as lookups complete everything gets automatically updated and shuffles along nicely.

Yes, the widgets in the screenshots are stock widgets for Linux these days. Looks good.


----------
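The per-packet fields listed in the post (addresses, ports, protocol number, data length) can be pulled out of a raw IPv4 packet as in the following added example, which is not part of the original post or of Eyeball's code. The names `FlowInfo`, `parse_ipv4` and `sample_tcp_packet` are hypothetical, the sample packet is constructed, and the buffer is assumed to start at the IP header.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>
// Fields the post lists as directly readable from each captured packet.
struct FlowInfo {
    uint32_t src_ip, dst_ip;      // host byte order
    uint16_t src_port, dst_port;
    uint8_t  protocol;            // IP protocol number: 6 = TCP, 17 = UDP
    size_t   payload_len;         // bytes after the transport header
};

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t* p) { return (uint32_t(be16(p)) << 16) | be16(p + 2); }

// Parse a raw IPv4 packet starting at the IP header. Every length field comes
// from the wire, so each is checked against the captured size before use.
bool parse_ipv4(const uint8_t* pkt, size_t caplen, FlowInfo& out) {
    if (caplen < 20 || (pkt[0] >> 4) != 4) return false;
    size_t ihl = size_t(pkt[0] & 0x0F) * 4, total = be16(pkt + 2);
    if (ihl < 20 || total < ihl || total > caplen) return false;
    if (be16(pkt + 6) & 0x1FFF) return false;   // later fragment: no L4 header
    const uint8_t* l4 = pkt + ihl;
    size_t l4len = total - ihl, hdr = 0;
    if (pkt[9] == 6) {                          // TCP: header length is data offset * 4
        if (l4len < 20) return false;
        hdr = size_t(l4[12] >> 4) * 4;
        if (hdr < 20 || hdr > l4len) return false;
    } else if (pkt[9] == 17) {                  // UDP: fixed 8-byte header
        hdr = 8;
        if (l4len < hdr) return false;
    } else return false;                        // other protocols: no ports to report
    out = FlowInfo{be32(pkt + 12), be32(pkt + 16), be16(l4), be16(l4 + 2), pkt[9], l4len - hdr};
    return true;
}

// Constructed sample: 192.168.1.10:49152 -> 192.0.2.80:80, TCP, 4-byte payload.
std::vector<uint8_t> sample_tcp_packet() {
    return {0x45, 0, 0, 0x2C, 0, 0, 0x40, 0, 64, 6, 0, 0, 192, 168, 1, 10, 192, 0, 2, 80,
            0xC0, 0, 0, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0xFF, 0xFF, 0, 0, 0, 0,
            'G', 'E', 'T', ' '};
}

int main() {
    std::vector<uint8_t> p = sample_tcp_packet();
    FlowInfo f{};
    if (parse_ipv4(p.data(), p.size(), f))
        std::printf("proto %u, port %u -> %u, %zu payload bytes\n",
                    unsigned(f.protocol), unsigned(f.src_port), unsigned(f.dst_port), f.payload_len);
}
```

Truncated captures and header lengths that point past the end of the buffer are rejected rather than read, which matters for a tool that parses whatever arrives on the wire.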

