Wednesday, February 25, 2009

Traceroute Collector/ Aggregator for Scapy


One of the main reasons I picked up Scapy is for the graphs. I have never been a visual guy, so Scapy is like magic when it comes to network mapping let alone network traffic manipulation. Well, I really liked Scapy's basic graphing features, but when you have a large set of hosts to trace route, it gets annoying popping up the graphs with the black hole hosts. This gets true when the hosts paths to the target network. Another thing that I wanted is the ability to group endpoints.

It took me about a week along with other work to get everything down (note last weeks post), but I think I managed to get a basic implementation. I set it up so I can perform a number of individiual traceroute operations, and then drop them in a collector of sorts. Then when all the traceroutes are complete, then you can generate graphs with grouped endpoints and then the blackholes are ommitted. I borrowed some code from Philippe's implementation of TracerouteResult.make_graph. There is alot of extra code in TracerouteCollector class because I was tried a few different ways of forming the graph. I eventually got so frustrated that I create a basic traceroute path string and parse that result. I attempted merging TracerouteResults as well as maintaining other stuff, but it got complex quick, which lead to more frustration.

Like I said in the end, I gave up on the native traceroute result object and built my own path string. Depending on whether the traceroute found the endpoint it ends up in a completed path or incompleted path bin. When I build the graph, I go through and group the results based on the path taken and the endpoint was reached. I also go through and enumerate all the ASNs. However, when nodes are grouped together, the ASN is based off the first IP address in the grouping. Otherwise, there will be extraneous nodes in the image. While I don't do this, someone could just prune the ASN results, but I have another project that I need to start on, so I did not get around to that.
I also have code that will write the traceroute trace, the graph, and then read in a traceroute trace from file. This might be useful if you want to do something else or save the traceroute for use later.


The class is meant to augment Scapy functionality so you would include it along with your Scapy includes:

# from scapy.all is imported in the trace_route_combine module
from trace_route_combine import *
t = TracerouteCollection()
x = traceroute("172.16.28.140", maxttl=18, dport=80)
t.add_route(x[0])
x = traceroute("172.16.28.141", maxttl=18, dport=80)
t.add_route(x[0])
x = traceroute("172.16.28.142", maxttl=18, dport=80)
t.add_route(x[0])
x = traceroute("172.16.27.140", maxttl=18, dport=80)
t.add_route(x[0])
x = traceroute("172.16.26.140", maxttl=18, dport=80)
t.add_route(x[0])
x = traceroute("172.16.24.140", maxttl=18, dport=80)
t.add_route(x[0])
# now to create the graph
t.do_graph()
# or get the graph string
gs = t.build_graph()
# get paths to all the trace routed hosts
# x> is a down host and => is an up host
paths = t.get_paths_to_hosts()


As usual the code is open source and licensed under GPL. If you like it let me know, if you hate it let me know too. This is experimental but usable code.

Code: trace_route_combine.py
dsoftware

1 comment:

Anonymous said...

Any chance you could post an example image/graph?