[Haskell-cafe] Packet analysis framework for Haskell.

Vimal j.vimal at gmail.com
Mon Mar 16 06:53:06 EDT 2009


Hi all,

Is there a packet analysis framework in Haskell? The framework should
abstract away the features of packet analysis in the form of a library
that people can use and write extensions to perform computation on the
packets flowing through the network.

What are the "features" of packet analysis?
1. Support for packet selection, matching particular criteria.
Example: (protocol = tcp && destination_port = 80).

2. Multi-threaded.
Since the process of computation on packets is inherently
data-parallel, the framework should abstract away the parallelism and
make use of different CPU cores if available. I believe the features
in Haskell would be a great boon to easily achieve this.

3. Support for statistics.
Packet analysis is usually done for a purpose. Say, I would like to
collect statistics about the rate of connections to a webserver. I
would want to:
(a) Filter packets, using features in (1).
(b) Count the number of packets that pass through after applying operation (a).
(c) Generate reports if a particular condition is flagged in (b).

Example:
(a) protocol = tcp && SYN set in flags && destination_port = 80,
(b) count the number of SYN packets,
(c) report if d(count)/dt > 100.

4. Availability of efficient data structures for achieving real time
performance.
Example:
The user might want to check if ARP spoofing is taking place. In which
case, one has to cache the "already seen" mapping between protocol and
hardware addresses learnt from the packets that flowed, and constantly
check new addresses against this structure for duplicates.

The above are some of the features which I believe are necessary for
packet analysis (or, analytics maybe?). There could be more. I was
wondering if Haskell would be a good language to achieve these things.
I had a brief idea and started writing an application in C and I
realised the need for such a framework. The ease of parallelism
offered by Haskell prompted me to think about using it. I would like
to hear your comments.

Also, would this qualify as a project that someone in the Haskell
community would be willing to mentor for GSoC 2009? (Assuming Haskell
would be on the list of mentoring organisations, although I have no
reason to doubt it wouldn't.)

Thanks,
Regards,
-- 
Vimal
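
The ARP cache check from feature 4, sketched in Haskell as an added example that is not part of the original post. The `ArpObs` and `Conflict` types, the function names and the sample addresses are all assumptions made up for illustration; a real framework would fill `ArpObs` from parsed ARP packets.

```haskell
module Main where

import qualified Data.Map.Strict as M
import Data.List (foldl')

-- Hypothetical, simplified view of one ARP packet: the sender's
-- protocol (IP) address and hardware (MAC) address as plain strings.
data ArpObs = ArpObs { senderIP :: String, senderMAC :: String }
  deriving (Eq, Show)

-- Reported when an IP already in the cache is claimed by a different MAC.
-- A legitimate change (DHCP reassignment, replaced NIC) looks the same,
-- so this is an indicator to investigate, not proof of spoofing.
data Conflict = Conflict
  { conflictIP :: String, knownMAC :: String, claimedMAC :: String }
  deriving (Eq, Show)

-- The "already seen" structure: IP -> first MAC observed for it.
type Cache = M.Map String String

-- One step: check the observation against the cache, then learn it.
-- The first binding is kept, so repeated claims keep being reported.
step :: (Cache, [Conflict]) -> ArpObs -> (Cache, [Conflict])
step (cache, found) (ArpObs i m) =
  case M.lookup i cache of
    Nothing        -> (M.insert i m cache, found)
    Just known
      | known == m -> (cache, found)
      | otherwise  -> (cache, Conflict i known m : found)

-- Fold over the packet stream in arrival order; O(log n) per packet.
detect :: [ArpObs] -> [Conflict]
detect = reverse . snd . foldl' step (M.empty, [])

-- Constructed sample traffic (documentation address ranges).
sample :: [ArpObs]
sample =
  [ ArpObs "192.0.2.1"  "00:00:5e:00:53:01"
  , ArpObs "192.0.2.10" "00:00:5e:00:53:0a"
  , ArpObs "192.0.2.1"  "00:00:5e:00:53:01"  -- same binding, no report
  , ArpObs "192.0.2.1"  "00:00:5e:00:53:ff"  -- different MAC for a known IP
  ]

main :: IO ()
main = mapM_ print (detect sample)
```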

