SenSys Sniffer
The network sniffer relies on packets that are overheard in a sensor node's neighborhood. It captures them and logs them for later analysis. Conceptually the sniffer consists of a Local Packet Monitoring module, which gathers audit data and forwards it over its serial port, and a Packet Storage module, which logs that data at the attached host. This allows offline analysis, through the Packet Description Database, in order to extract vital network information such as node IDs, traffic data or the protocol versions in use. Essentially, the sniffer enables the construction of a directed graph of all neighboring nodes. Overheard packets flow along the edges of the graph and are provided with a number of operators for manipulating them.
Audit data consist of the communication activities within the sniffer's radio range. Such data can be collected by listening promiscuously to neighboring nodes' transmissions. By promiscuously we mean that when a node is within radio range, the local packet monitoring module can overhear communications originating from that node. Once captured by the radio, all packets are timestamped in order to facilitate subsequent time-based analysis. Timestamping is performed the moment the packet is received by the network sniffer.
Once the sniffer receives a packet, a flexible mechanism is needed to decode it, because sensor networks lack standardized protocols. That is why we have created the Packet Description Database, which contains annotated message structures for the most widely used network protocols and applications (e.g., the MintRoute and MultihopLQI routing protocols, the Delta monitoring application, etc.). This way, our packet decoder can use these loaded structures as a description of the overheard packet contents. The configuration of the packet description database is extensible and can be enhanced with new message structures. The user can specify message contents as C structs, which will automatically be converted to message classes and added to the underlying database. However, even in the case of an unrecognized overheard message, the sniffer still logs it and provides access and manipulation operators on the byte representation of its content. Thus, an adversary may alter it and resend it, leading again to other types of attack such as Replay, Selective Forwarding or even Denial of Service attacks.
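An added example of the decode-and-log step described above (an illustration written for this page, not SenSys code): a small Python decoder that timestamps each overheard frame on arrival, matches its type byte against struct-style message descriptions standing in for Packet Description Database entries, keeps unrecognised or truncated frames as raw bytes rather than dropping them, and derives the directed neighbour graph from routing beacons. The on-air layout (a type byte followed by big-endian struct fields), the type numbers and the field names are assumptions.

```python
import struct
import time
from collections import namedtuple

# Constructed stand-ins for Packet Description Database entries. Each mirrors a C struct: the
# leading dispatch (AM type) byte selects the layout, the list gives field names with big-endian
# struct codes. Type numbers and field names are assumptions, not SenSys's.
PACKET_DESCRIPTIONS = {
    0x03: ("MintRouteBeacon", [("origin", "H"), ("seqno", "H"), ("parent", "H"), ("hopcount", "B")]),
    0x04: ("DeltaReport", [("node_id", "H"), ("reading", "H")]),
}

# One log record: reception time, type byte, matched name (None if none), fields, verbatim payload.
OverheardPacket = namedtuple("OverheardPacket", "timestamp am_type name fields raw")

def decode_packet(frame, timestamp=None):
    """Timestamp an overheard frame on arrival and decode it against the description database."""
    ts = time.time() if timestamp is None else timestamp
    am_type, payload = frame[0], frame[1:]
    if am_type in PACKET_DESCRIPTIONS:
        name, specs = PACKET_DESCRIPTIONS[am_type]
        fmt = ">" + "".join(code for _, code in specs)
        size = struct.calcsize(fmt)
        if len(payload) >= size:  # shorter than the struct means a corrupt frame: keep it raw
            values = struct.unpack(fmt, payload[:size])
            return OverheardPacket(ts, am_type, name, dict(zip([n for n, _ in specs], values)), payload)
    return OverheardPacket(ts, am_type, None, {}, payload)  # unknown or truncated: still logged

def neighbor_graph(packets):
    """Directed edges origin -> parent taken from overheard routing beacons, with counts."""
    edges = {}
    for p in packets:
        if p.name == "MintRouteBeacon":
            key = (p.fields["origin"], p.fields["parent"])
            edges[key] = edges.get(key, 0) + 1
    return edges

# Constructed frames as the radio would deliver them: type byte followed by the struct payload.
SAMPLE_FRAMES = [
    bytes([0x03]) + struct.pack(">HHHB", 5, 17, 2, 3),  # node 5 advertises parent 2 at 3 hops
    bytes([0x04]) + struct.pack(">HH", 5, 512),         # node 5 sends a Delta reading
    bytes([0x7F, 0xDE, 0xAD]),                          # type absent from the database
    bytes([0x03, 0x00, 0x05]),                          # truncated beacon
]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLE_FRAMES):
        print(decode_packet(frame, timestamp=float(i)))
    print(neighbor_graph([decode_packet(f) for f in SAMPLE_FRAMES]))
```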
All overheard packets are displayed by SenSys through the Network Visualization component. Message structure, packet contents and time of reception are provided to the user along with a number of operators for acting on them. These operators provide access, aggregation, alteration or re-transmission privileges for any of the stored messages.
Athens Information Technology, 2011.