jNetCapture packet capture framework

jNetCapture Programming Guide

jNetCapture is a new extensible java framework for working with network traffic. The framework provides methods to capture network traffic or read it from a file, although the jNetCapture framework does not implement these functions, and requires implementation modules such as "jNetPcap" or "jNapatech" to be included as well.

jNetCapture provides the following services:

  • Low-level network packet capture (API only, not implementation). The framework works on the concept of network frames, then packets
  • Attaches an extended frame header with information about layer 2 through layer 5 of the OSI stack. Low level scan is performed (in software or hardware depending on the implementing module) and certain information about offsets, lengths, error conditions is recorded in the extended header
  • Calculates hashcodes based on key fields within the network frame. Hashcodes can be setup as flows, unique ids and other types of informative or identifiable keys.
  • Multi-CPU support. Packets are either directly stored or rebuffered into multiple host buffers which are accessible by the user for multi-cpu support
  • De-duplication of duplicate frames. Duplicate frames are removed.
  • Depending on implementation module, can provide multi-gigabit and zero packet copy into user's host buffers

jNetPcap 2.0 design

[MWB - 3/16/10: this is still work in progress]

This document describes the jnetpcap 2.0 design. Next major step in evolution of jnetpcap software is to make it more manageable in terms of complexity, size and efficiency. The major changes planned for jnetpcap 2.0 are as follows:

  • Break up into multiple modules: jnetpcap, jnetcommon, jnetdecoder, jnetanalyzer
  • Provide a multi-module build script
  • Provide a simple Makefile build process for native components, in addition to existing ant scripts
  • Provide additional protocol modules for specific protocol families

In addition to release structure changes the following API changes will also be implemented:

  • Move common code into more general java packages and bundled into a jnetcommon module
  • Remove java dependencies between modules except for the common module
  • Acquire new domain for more common code: jnetsoft.org [MWB: already registered]
  • Preserve most of the API syntax, but with some classes moved to other java packages in order to facilitate a clean breakup into multiple modules
  • Provide a NDK for native development - specific native functionality will be provided with specific native and java API, especially in the native to java memory boundary area

The above changes will depart from the current monolithic API of jnetpcap releases. The jNetPcap module will become a standalone java wrapper for libpcap/winpcap libraries. Additional modules will provide the decode and analyzer features that will be plugged in at runtime.

New swing module for jnetpcap

I added a new module to jNetPcap called jnetpcap-swing. It will contain various standalone swing components that represent various jnetpcap primitives and functions.

Here is an example of a StatisticsPanel displayed in a window. This panel works with the new StatisticsAnalyzer and updates itself using the statistics collected. Its very similar to what Wireshark displays, but protocol set is different.


This is another little demo app that I actually use to visualize the tcp analyzer output. It needs a lot of work, but it helps to view what the analyzer is seeing graphically. This is also found under "tests/java1.5" directory.

(Source code: TcpStreamMonitor.java)

In Development

jNetPcap project is broken up into 2 modules. The main module is called "jnetpcap" and the second is "protocols". When releases the protocols module is named as "jnetpcap-protocols" for package naming.

To access both packages in SVN you can checkout the latest code anonymously from the SVN server as follows:

svn co https://jnetpcap.svn.sourceforge.net/svnroot/jnetpcap jnetpcap/trunk
svn co https://jnetpcap.svn.sourceforge.net/svnroot/jnetpcap protocols/trunk

Major feature set in the development trunk currently:

  • protocol analyzer - high level protocol based analysis

Here is a list of recent updates and changes to jNetPcap trunk:

  • Feature #2706792 (done) - Added convenience JAnalyze interface and implemented it in Pcap class. This method allows easy packet capture, decode and analysis directly from the Pcap class - see blog for more details

Here is what I know I still have to do:

  • Analyzer timestamp based buffering. Currently analyzer buffering is done using a global hold reference counter. Need a more fine granular holding mechanism that is timestamp based. So that as holds are released any packets that are older then the oldest hold are released upto the point that another hold exists at some other future time. This should improve performance and memory usage.
  • Improve analyzer registration. Currently analyzers are listed within the JRegistry initializer. Need to add annotation to headers that allows a list of analyzer's that belong to that protocol to be specified. Such as analyzer={HttpAnalyzer.class}.
  • DONE Tcp and Http analyzer still needs more work. Currently not working under various conditions.
Syndicate content