An approach for automating the monitoring and analysis of incoming network traffic in large-scale computer networks is proposed in the paper. The authors suggest using the Linux Berkeley Packet Filter tool to automate traffic analysis in computer networks. The software structure is developed, which includes two main parts: the service machine and the user machine, it is based on the modular principle, which allows for rapid improvement and modernization of the system. The main algorithms for software functionality are built, namely: the algorithm for processing network packets using the Berkeley Packet Filter tool, and the algorithm of the user-space program for loading the Berkeley Packet Filter program to kernel space and setting up communication with it. A study model of program functioning dynamics based on the Petri net theory has been developed. As a result of the application of models based on the Petri net in the software development process, the system works correctly, all states are accessible, and there are no dead ends. A simulation model of the application of the Berkeley Packet Filter tool for the automation of computer network traffic analysis was designed, and the script was created for testing the developed software system. Implemented Python script generates a flow of network packets with random values in the sender IP address, receiver port number, and protocol. These packets, created by the IP address spoofing methodology, later are sent to the service machine's network interface. The developed computer network traffic monitoring software, that uses the Berkeley Packet Filter tool and is implemented in C, C++, and Python programming languages, provides collecting and processing of computer network traffic data. The output of the analysed results is displayed in a user-friendly form. The development and testing of the created software were carried out on the operating system Arch Linux version 5.10.3, which was previously installed on a virtual machine. The results of traffic testing in computer networks in different modes of normal operation and during DDoS attacks are given. In particular, an example of sidebar output with network traffic statistics over a long period, an example of output with network traffic spike parameters, and an example of a warning message, that the sidebar dashboard will show, are presented.
Read full abstract