First release: Mar 11, 2005
Last modified: Nov 3, 2005
trackpeer is an agent program that helps network and server administrators track users' computers [1-3]. It makes it possible to determine the MAC addresses of computers over a network, even when the computers are behind NATed gateways. The agent is intended for administrators who need to identify and locate malicious computers (users) and virus-infected computers in a network such as a middle-sized wireless LAN, a public Ethernet jack system, or a campus or corporate network. The program will also be useful for simple MAC-address-based authentication over a network.
Using MAC addresses has several advantages over other computer/user identification methods, since every Ethernet interface has a unique MAC address that, in many cases, cannot be changed easily.
`trackpeerd' and `trackpeer' are the agent program and a simple client program, respectively. The agent should run on a gateway (or on a packet-capturing machine beside it) that resides in the same network segment as the client computers. We call this router the ``frontline router''. The agent listens to the communication passing through the router and caches the packets' header information.
The client program trackpeer is used when an administrator or a server program wants to know the MAC address of a specific peer just after that peer has performed some communication. trackpeer provides the agent with the source and destination addresses of a packet, the packet's port numbers, and the time of the packet's arrival. The agent looks into its internal cache, picks out the address information that matches the query, and returns that information to the server.
In other words, the server asks the agent,
``Who's knocked on the door at around HH:MM:SS?''
The agent forgets the address information after a certain period of time (10 min) has passed.
The agent program monitors the ARP table in the OS kernel, detects changes to ARP entries, and logs the changes via syslog. When a new MAC address appears, it means that a new host has just joined the network. When a MAC address disappears, it means that a host has been disconnected from the network (or has been idle for a long time).
trackpeer runs under Linux, and probably under some other systems as well. The packet-capturing library `libpcap' is required.
The source code is available here as Free Software, under the following license, which is based on the MIT X License.
/*----------------------------------------------------------------------
  Copyright (C) 2005 Hideaki Goto
  All Rights Reserved.

  Permission is hereby granted, free of charge, to any person obtaining
  a copy of this software and associated documentation files (the
  "Software"), to deal in the Software without restriction, including
  without limitation the rights to use, copy, modify, merge, publish,
  distribute, sublicense, and/or sell copies of the Software, and to
  permit persons to whom the Software is furnished to do so, subject to
  the following conditions:

  The above copyright notice and this permission notice shall be
  included in all copies or substantial portions of the Software.

  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
  IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDER(S) BE LIABLE FOR
  ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
  CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
  WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

  Except as contained in this notice, the name(s) of the copyright
  holder(s) shall not be used in advertising or otherwise to promote
  the sale, use or other dealings in this Software without prior
  written authorization of the copyright holder(s).
----------------------------------------------------------------------*/
$ tar zxf trackpeer-X.XX.tar.gz
$ cd trackpeer-X.XX
$ make
After the compilation, copy trackpeerd and trackpeer to wherever you like. Edit the configuration file trackpeerd.conf appropriately, and put it into /etc .
Use the ``-h'' option for a help message.
$ trackpeerd -h
$ trackpeer -h
Just run the agent as a daemon on the frontline router. You have to be the superuser.
Let A.B.C.D be the router's IP address. The following example asks for the MAC address of a remote computer that has tried to telnet to the server (E.F.G.H). The port number for telnet is 23.
# trackpeer -s A.B.C.D:49200 -dst E.F.G.H:23 -time T
The time T should be specified in seconds since the Epoch (UTC). The current time is used if the ``-time'' option is omitted.
See comment lines in trackpeerd.h for the details of the result codes.
You may use ``-time 0'' to ask for information about all the telnet sessions directed to the server, if ALLOWWILDCARDt is defined in trackpeerd.c .
<gr_insert after="22" cat="add_content" lang="python" orig="You may use">
The cache-and-query behaviour described above (the agent caches packet headers, answers "who knocked at around time T?", honours ``-time 0'' only when ALLOWWILDCARDt is defined, and forgets entries after 10 min) can be modelled in a few dozen lines. The following is an added illustration written for this page, not trackpeerd's own code; the +/-5 s matching window, the cache layout, the option of omitting the source address, and the sample headers are assumptions, while the 10 min expiry and the wildcard time follow the text.

```python
"""Model of a trackpeerd-style header cache answered by trackpeer queries.

Added illustration, not code from trackpeer. Assumed details (not on the
page): the +/-5 s matching window, the cache layout, and the option to
omit the source address; the 10 min expiry and the -time 0 wildcard
follow the page's description.
"""
from collections import deque
from dataclasses import dataclass

EXPIRE_SECONDS = 600        # the agent forgets an entry after 10 min
MATCH_WINDOW = 5            # assumed tolerance around the queried time (s)
ALLOW_WILDCARD_TIME = True  # models the ALLOWWILDCARDt compile-time switch


@dataclass(frozen=True)
class HeaderEntry:
    ts: int          # arrival time, seconds since the Epoch (UTC)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_mac: str     # source MAC seen on the segment behind the router


def _split_addr(addr):
    """Turn 'A.B.C.D:port' (the CLI form) into ('A.B.C.D', port)."""
    ip, port = addr.rsplit(":", 1)
    return ip, int(port)


class HeaderCache:
    def __init__(self):
        self._entries = deque()   # oldest entry first

    def record(self, entry):
        """Cache one captured packet header, dropping stale entries first."""
        self.expire(entry.ts)
        self._entries.append(entry)

    def expire(self, now):
        """Forget entries older than EXPIRE_SECONDS relative to `now`."""
        while self._entries and now - self._entries[0].ts > EXPIRE_SECONDS:
            self._entries.popleft()

    def query(self, src, dst, when):
        """Answer "who knocked on dst from src at around `when`?".

        src and dst are 'ip:port' strings like the trackpeer arguments;
        src=None matches any source (assumed); when=0 ignores the time,
        which is only allowed when ALLOW_WILDCARD_TIME is set.
        Returns the distinct matching MAC addresses, sorted.
        """
        if when == 0 and not ALLOW_WILDCARD_TIME:
            raise ValueError("wildcard time disabled (ALLOWWILDCARDt undefined)")
        src_key = _split_addr(src) if src else None
        dst_key = _split_addr(dst)
        macs = set()
        for e in self._entries:
            if src_key is not None and (e.src_ip, e.src_port) != src_key:
                continue
            if (e.dst_ip, e.dst_port) != dst_key:
                continue
            if when != 0 and abs(e.ts - when) > MATCH_WINDOW:
                continue
            macs.add(e.src_mac)
        return sorted(macs)


def demo_cache():
    """Build a cache from constructed sample headers (not real captures)."""
    cache = HeaderCache()
    cache.record(HeaderEntry(1000, "10.0.0.5", 49200, "192.0.2.10", 23, "00:11:22:33:44:55"))
    cache.record(HeaderEntry(1003, "10.0.0.6", 51000, "192.0.2.10", 23, "66:77:88:99:aa:bb"))
    cache.record(HeaderEntry(1200, "10.0.0.5", 49201, "192.0.2.10", 22, "00:11:22:33:44:55"))
    return cache


if __name__ == "__main__":
    c = demo_cache()
    print(c.query("10.0.0.5:49200", "192.0.2.10:23", 1002))   # the telnet peer
    print(c.query(None, "192.0.2.10:23", 0))                  # all telnet peers
    c.expire(1700)                                            # 10 min later
    print(c.query(None, "192.0.2.10:23", 0))                  # already forgotten
```

The query that succeeds at time 1002 returns nothing at time 900 because the entry lies outside the window, and the wildcard query returns nothing once the cache has been expired at 1700: a server that wants a reliable answer must ask the agent promptly after the connection it is interested in, which is exactly the "just after a communication action" usage the page describes.
<test>
c = demo_cache()
assert c.query("10.0.0.5:49200", "192.0.2.10:23", 1002) == ["00:11:22:33:44:55"]
assert c.query("10.0.0.5:49200", "192.0.2.10:23", 900) == []
assert c.query(None, "192.0.2.10:23", 0) == ["00:11:22:33:44:55", "66:77:88:99:aa:bb"]
c.expire(1700)
assert c.query(None, "192.0.2.10:23", 0) == []
assert c.query("10.0.0.5:49201", "192.0.2.10:22", 1200) == ["00:11:22:33:44:55"]
</test>
</gr_insert>
<gr_replace lines="23-24" cat="reformat" orig="To turn on">
To turn on MAC address logging, start trackpeerd with the ``-maclog'' option.
# trackpeerd -maclog 1
If ``-maclog 2'' is specified, trackpeerd logs the MAC addresses that are active in the ARP table every 3 min, in addition to the New_host/Expired_host information.
(syslog's facility and level are fixed to LOCAL4 and INFO, respectively.)
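The ARP-table monitoring described earlier (a new MAC address means a host has joined, a vanished one means it left or went idle) and the ``-maclog'' levels above can be modelled as a diff between successive snapshots of Linux's /proc/net/arp. The following is an added illustration written for this page, not trackpeerd's own code: the /proc/net/arp column layout and the 0x2 "complete" flag bit are Linux's, but the message texts (New_host/Expired_host appear on the page; Active_host does not), the polling interface, keying the table by MAC, and the two snapshots are assumptions. trackpeerd sends its lines to syslog (LOCAL4, INFO); this model returns them as strings.

```python
"""Model of trackpeerd's ARP-table monitor (-maclog).

Added illustration, not trackpeerd's own code. The /proc/net/arp layout
is Linux's; the message texts, the polling interface and keying the
table by MAC address are assumptions. trackpeerd itself sends its lines
to syslog (LOCAL4, INFO); this model returns them as strings instead.
"""

# Constructed /proc/net/arp snapshots (not taken from a real host).
ARP_SNAPSHOT_T0 = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.5         0x1         0x2         00:11:22:33:44:55     *        eth1
10.0.0.6         0x1         0x2         66:77:88:99:aa:bb     *        eth1
10.0.0.7         0x1         0x0         00:00:00:00:00:00     *        eth1
"""
ARP_SNAPSHOT_T1 = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.5         0x1         0x2         00:11:22:33:44:55     *        eth1
10.0.0.9         0x1         0x2         cc:dd:ee:ff:00:11     *        eth1
"""

ATF_COM = 0x2   # Linux ARP flag bit: the entry has a resolved hardware address


def parse_arp_table(text):
    """Return {mac: (ip, device)} for the resolved entries of a /proc/net/arp dump."""
    table = {}
    for line in text.splitlines()[1:]:        # skip the header line
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, device = fields[:6]
        if int(flags, 16) & ATF_COM:           # ignore incomplete (flags 0x0) entries
            table[mac.lower()] = (ip, device)
    return table


class ArpMonitor:
    """Keeps the last ARP snapshot and reports MAC appearances and disappearances."""

    def __init__(self, maclog=1):
        self.maclog = maclog       # 1: changes only; 2: also dump active hosts
        self._previous = {}

    def poll(self, arp_text):
        """Diff a new snapshot against the previous one; return the log lines."""
        current = parse_arp_table(arp_text)
        lines = []
        for mac in sorted(current.keys() - self._previous.keys()):
            ip, dev = current[mac]
            lines.append(f"New_host {mac} {ip} {dev}")
        for mac in sorted(self._previous.keys() - current.keys()):
            ip, dev = self._previous[mac]
            lines.append(f"Expired_host {mac} {ip} {dev}")
        if self.maclog >= 2:                    # -maclog 2: active-host dump (assumed text)
            for mac in sorted(current):
                ip, dev = current[mac]
                lines.append(f"Active_host {mac} {ip} {dev}")
        self._previous = current
        return lines


if __name__ == "__main__":
    mon = ArpMonitor(maclog=1)
    for snapshot in (ARP_SNAPSHOT_T0, ARP_SNAPSHOT_T1):
        for line in mon.poll(snapshot):
            print(line)
```

The caller runs poll() on a timer (the page gives 3 min for the ``-maclog 2'' dump). Two things worth keeping in mind when reading such logs: the very first poll reports every host already present as New_host, since there is no earlier snapshot to compare against (a daemon started on a live router would presumably seed its state silently; that is an assumption), and an Expired_host line only says the kernel dropped the entry, which, as the page notes, happens for idle hosts as well as disconnected ones.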
trackpeer has been designed to work under RedHat-based Linux distributions, but is not limited to them. The programs have been tested under the following operating systems.