Implementing digital forensics in ns3 consists of simulating an environment where network traffic is captured and evaluated to classify vulnerabilities, trace back to assailants, and collect evidence. This procedure shows how to set up a general network, capture packets, and run a basic digital forensics application.
Step-by-Step Implementation
- Install ns3
Make sure ns3 is installed on the system; it can be downloaded from the official website and then set up.
- Define the Network Topology
Define a network topology that contains:
- Normal nodes (legitimate users)
- Attacker nodes
- Server nodes
- Forensic nodes (nodes used to capture and analyze traffic)
- Create Network Nodes
Create network nodes using NodeContainer.
// One container per role, so that devices, applications and captures can be
// attached to each group separately in the later steps.
NodeContainer normalNodes;
NodeContainer attackerNodes;
NodeContainer serverNodes;
NodeContainer forensicNodes;

// Creation order is kept as in the original listing: three legitimate users,
// then one attacker, one server and one forensic (capture) node.
normalNodes.Create(3);
attackerNodes.Create(1);
serverNodes.Create(1);
forensicNodes.Create(1);
- Set Up Network Devices
Install network devices on the nodes using appropriate network interfaces, such as WiFi for wireless communication.
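// Wi-Fi in ad hoc mode. Every role is installed with the same PHY helper and
// therefore attached to the same Yans channel object.
// NOTE(review): WIFI_PHY_STANDARD_80211n_5GHZ and YansWifiPhyHelper::Default()
// are spelled as in older ns-3 releases; newer releases renamed or removed
// them -- confirm against the ns-3 version you build with.
WifiHelper wifi;
wifi.SetStandard(WIFI_PHY_STANDARD_80211n_5GHZ);

WifiMacHelper mac;
// Plain ASCII quotes: the typographic quotes in the original listing do not compile.
mac.SetType("ns3::AdhocWifiMac");

YansWifiPhyHelper phy = YansWifiPhyHelper::Default();
YansWifiChannelHelper channel = YansWifiChannelHelper::Default();
phy.SetChannel(channel.Create());

// One device container per role; forensicDevices is the one the capture step
// enables pcap tracing on.
NetDeviceContainer normalDevices = wifi.Install(phy, mac, normalNodes);
NetDeviceContainer attackerDevices = wifi.Install(phy, mac, attackerNodes);
NetDeviceContainer serverDevices = wifi.Install(phy, mac, serverNodes);
NetDeviceContainer forensicDevices = wifi.Install(phy, mac, forensicNodes);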
- Configure Mobility Model
Set up a mobility model for the nodes:
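// All nodes are static for the whole run.
// NOTE(review): no position allocator is configured here, so every node gets
// whatever default position MobilityHelper assigns -- confirm that this is the
// geometry you intend before drawing conclusions from the capture.
MobilityHelper mobility;
// Plain ASCII quotes: the typographic quotes in the original listing do not compile.
mobility.SetMobilityModel("ns3::ConstantPositionMobilityModel");
mobility.Install(normalNodes);
mobility.Install(attackerNodes);
mobility.Install(serverNodes);
mobility.Install(forensicNodes);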
- Set Up Packet Capture
Configure packet capture on the forensic nodes. Use PcapHelper to capture packets.
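PcapHelper pcapHelper;
// NOTE(review): `file` is not written to by the lines shown here, and DLT_PPP
// does not describe 802.11 frames. The usable evidence is the trace produced
// by EnablePcap below; treat "forensics.pcap" as a placeholder unless later
// code writes packets into it.
Ptr<PcapFileWrapper> file = pcapHelper.CreateFile("forensics.pcap", std::ios::out, PcapHelper::DLT_PPP);

for (uint32_t idx = 0; idx < forensicDevices.GetN(); ++idx) {
    // Third argument: promiscuous capture, so frames not addressed to the
    // forensic device are recorded as well.
    // Fourth argument: explicitFilename, i.e. "forensic_capture" is used as the
    // file name as given. NOTE(review): with more than one forensic device each
    // call would presumably target the same file -- give each device its own name.
    phy.EnablePcap("forensic_capture", forensicDevices.Get(idx), true, true);
}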
- Implement Forensic Analysis Application
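Create an application that analyzes captured packets for forensic purposes. Below is a simple example of a packet sniffing application that logs packet details. Note that this example reads from a UDP socket bound on the forensic node, so it logs only datagrams delivered to that socket; frames exchanged between other nodes are recorded by the promiscuous pcap trace configured in the previous step.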
Forensic Application (Example)
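/**
 * Minimal forensic listener: binds a UDP socket on the node it is installed on
 * and prints the source IPv4 address and size of every datagram that socket
 * receives.
 *
 * NOTE(review): this is an ordinary bound socket, not a promiscuous tap. It
 * only sees datagrams delivered to this node on the configured port; traffic
 * addressed to other nodes has to be taken from the pcap trace instead.
 */
class ForensicApplication : public Application {
public:
    /// Creates the UDP socket, binds it to any local address on listenPort and
    /// registers HandleRead as the receive callback.
    void StartApplication() override {
        recvSocket = Socket::CreateSocket(GetNode(), UdpSocketFactory::GetTypeId());
        if (recvSocket->Bind(InetSocketAddress(Ipv4Address::GetAny(), listenPort)) != 0) {
            // Without a successful bind nothing would ever be logged; say so
            // instead of running silently with no evidence collected.
            std::cerr << "ForensicApplication: bind to port " << listenPort << " failed" << std::endl;
            recvSocket->Close();
            recvSocket = Ptr<Socket>();
            return;
        }
        recvSocket->SetRecvCallback(MakeCallback(&ForensicApplication::HandleRead, this));
    }

    /// Detaches the callback and closes the socket when the application stops.
    void StopApplication() override {
        if (recvSocket) {
            recvSocket->SetRecvCallback(MakeNullCallback<void, Ptr<Socket>>());
            recvSocket->Close();
            recvSocket = Ptr<Socket>();
        }
    }

    /// Sets the UDP port to listen on; call before the application starts.
    void SetListenPort(uint16_t port) {
        listenPort = port;
    }

    /// Receive callback: drains every pending datagram and logs each one.
    void HandleRead(Ptr<Socket> socket) {
        Address sender;
        Ptr<Packet> datagram = socket->RecvFrom(sender);
        while (datagram) {
            LogPacket(datagram, sender);
            datagram = socket->RecvFrom(sender);
        }
    }

    /// Prints one log line with the sender's IPv4 address and the packet size.
    void LogPacket(Ptr<Packet> packet, Address from) {
        // ConvertFrom aborts on an address of another type, so check first.
        if (!InetSocketAddress::IsMatchingType(from)) {
            return;
        }
        std::cout << "Captured packet from " << InetSocketAddress::ConvertFrom(from).GetIpv4()
                  << " of size " << packet->GetSize() << std::endl;
    }

private:
    Ptr<Socket> recvSocket;    // listening socket, empty while the application is stopped
    uint16_t listenPort = 0;   // set through SetListenPort before start
};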
- Set Up Applications
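Install the applications on the nodes. The address lookups below read the server node's Ipv4 object, so in a real script the Internet stack and IP addresses (the next two steps) must be set up before this code runs, as in the complete script at the end.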
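ApplicationContainer normalApps, attackerApps, serverApps, forensicApps;

// Look the server address up once instead of once per sender. This reads
// interface 1 of the server's Ipv4 object, so the Internet stack must already
// be installed and addresses assigned when this line runs.
const Ipv4Address serverAddress = serverNodes.Get(0)->GetObject<Ipv4>()->GetAddress(1, 0).GetLocal();
const uint16_t servicePort = 9;

// Normal node applications (e.g., sending normal traffic)
for (uint32_t i = 0; i < normalNodes.GetN(); ++i) {
    // Plain ASCII quotes: the typographic quotes in the original listing do not compile.
    OnOffHelper onoff("ns3::UdpSocketFactory", InetSocketAddress(serverAddress, servicePort));
    onoff.SetConstantRate(DataRate("500kb/s"));
    ApplicationContainer app = onoff.Install(normalNodes.Get(i));
    app.Start(Seconds(1.0));
    app.Stop(Seconds(20.0));
    normalApps.Add(app);
}

// Attacker node applications (e.g., DoS attack). DoSAttackApplication is the
// class defined in the complete script on this page. It starts at 5 s, so the
// first four seconds of the capture contain only baseline traffic.
for (uint32_t i = 0; i < attackerNodes.GetN(); ++i) {
    Ptr<DoSAttackApplication> app = CreateObject<DoSAttackApplication>();
    app->SetRemote(serverAddress, servicePort);
    attackerNodes.Get(i)->AddApplication(app);
    app->SetStartTime(Seconds(5.0));
    app->SetStopTime(Seconds(20.0));
    attackerApps.Add(app);
}

// Server node application (e.g., packet sink)
PacketSinkHelper sink("ns3::UdpSocketFactory", InetSocketAddress(Ipv4Address::GetAny(), servicePort));
serverApps.Add(sink.Install(serverNodes.Get(0)));

// Forensic node application.
// NOTE(review): it listens on the forensic node's own port 9, while every
// sender above targets the server's address, so this listener by itself will
// presumably log nothing; the promiscuous pcap trace is what records the flows.
Ptr<ForensicApplication> forensicApp = CreateObject<ForensicApplication>();
forensicApp->SetListenPort(servicePort);
forensicNodes.Get(0)->AddApplication(forensicApp);
forensicApp->SetStartTime(Seconds(1.0));
forensicApp->SetStopTime(Seconds(20.0));
forensicApps.Add(forensicApp);

serverApps.Start(Seconds(1.0));
serverApps.Stop(Seconds(20.0));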
- Set Up Routing Protocols
Configure routing protocols for the network.
// AODV is set as the routing helper before the stack is installed, so every
// node gets it as its routing protocol.
InternetStackHelper internet;
AodvHelper aodv;
internet.SetRoutingHelper(aodv);

// Install the stack on the groups in the same order as the original listing:
// normal, attacker, server, forensic.
internet.Install(NodeContainer(normalNodes, attackerNodes, serverNodes, forensicNodes));
- Assign IP Addresses
Assign IP addresses to the network devices.
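// All roles share the single subnet 10.1.1.0/24. Addresses are handed out in
// call order (normal, attacker, server, forensic), which is what lets an
// analyst map a source address in the capture back to a role.
Ipv4AddressHelper address;
// Plain ASCII quotes: the typographic quotes in the original listing do not compile.
address.SetBase("10.1.1.0", "255.255.255.0");
Ipv4InterfaceContainer normalInterfaces = address.Assign(normalDevices);
Ipv4InterfaceContainer attackerInterfaces = address.Assign(attackerDevices);
Ipv4InterfaceContainer serverInterfaces = address.Assign(serverDevices);
Ipv4InterfaceContainer forensicInterfaces = address.Assign(forensicDevices);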
- Run the Simulation
Configure the simulation runtime and execute it.
// Bound the run at 20 simulated seconds, the same instant the applications
// are configured to stop, then execute and release simulator resources.
const Time simulationEnd = Seconds(20.0);
Simulator::Stop(simulationEnd);
Simulator::Run();
Simulator::Destroy();
Example of a Simple Digital Forensics Script
Here is a sample script that completes the digital forensics simulation in the ns-3 environment:
#include "ns3/aodv-module.h"
#include "ns3/applications-module.h"
#include "ns3/core-module.h"
#include "ns3/internet-module.h"
#include "ns3/mobility-module.h"
#include "ns3/network-module.h"
#include "ns3/wifi-module.h"

#include <cstdint>
#include <iostream>
#include <string>

using namespace ns3;
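/**
 * Simulated flood source that provides the "attack" traffic of the scenario:
 * once started it sends a fixed UDP payload to the configured remote every
 * 10 ms of simulated time until the application is stopped.
 */
class DoSAttackApplication : public Application {
public:
    /// Opens the UDP socket, connects it to the configured remote and sends
    /// the first packet, which in turn schedules the following ones.
    void StartApplication() override {
        // ConvertFrom aborts on a non-IPv4 address (e.g. SetRemote was never
        // called), so refuse to start instead.
        if (!Ipv4Address::IsMatchingType(destAddress)) {
            std::cerr << "DoSAttackApplication: no IPv4 remote configured" << std::endl;
            return;
        }
        sendSocket = Socket::CreateSocket(GetNode(), UdpSocketFactory::GetTypeId());
        // InetSocketAddress is built from an Ipv4Address, not from a generic
        // Address, so the stored address is converted explicitly.
        sendSocket->Connect(InetSocketAddress(Ipv4Address::ConvertFrom(destAddress), destPort));
        SendPacket();
    }

    /// Cancels the pending send and closes the socket, so the traffic really
    /// ends at the configured stop time.
    void StopApplication() override {
        Simulator::Cancel(sendEvent);
        if (sendSocket) {
            sendSocket->Close();
            sendSocket = Ptr<Socket>();
        }
    }

    /// Stores the destination address and UDP port; call before start.
    void SetRemote(Address address, uint16_t port) {
        destAddress = address;
        destPort = port;
    }

    /// Sends one packet and schedules the next send 10 ms later.
    void SendPacket() {
        const std::string message = "This is a DoS attack packet";
        Ptr<Packet> packet = Create<Packet>(reinterpret_cast<const uint8_t*>(message.data()),
                                            static_cast<uint32_t>(message.size()));
        sendSocket->Send(packet);
        // Keep the event handle so StopApplication can cancel the chain.
        sendEvent = Simulator::Schedule(MilliSeconds(10), &DoSAttackApplication::SendPacket, this);
    }

private:
    Ptr<Socket> sendSocket;   // sending socket, empty while stopped
    Address destAddress;      // remote IPv4 address, stored as a generic Address
    uint16_t destPort = 0;    // remote UDP port
    EventId sendEvent;        // next scheduled SendPacket call
};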
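/**
 * Minimal forensic listener: binds a UDP socket on the node it is installed on
 * and prints the source IPv4 address and size of every datagram that socket
 * receives.
 *
 * NOTE(review): this is an ordinary bound socket, not a promiscuous tap. It
 * only sees datagrams delivered to this node on the configured port; traffic
 * addressed to other nodes has to be taken from the pcap trace instead.
 */
class ForensicApplication : public Application {
public:
    /// Creates the UDP socket, binds it to any local address on listenPort and
    /// registers HandleRead as the receive callback.
    void StartApplication() override {
        recvSocket = Socket::CreateSocket(GetNode(), UdpSocketFactory::GetTypeId());
        if (recvSocket->Bind(InetSocketAddress(Ipv4Address::GetAny(), listenPort)) != 0) {
            // Without a successful bind nothing would ever be logged; say so
            // instead of running silently with no evidence collected.
            std::cerr << "ForensicApplication: bind to port " << listenPort << " failed" << std::endl;
            recvSocket->Close();
            recvSocket = Ptr<Socket>();
            return;
        }
        recvSocket->SetRecvCallback(MakeCallback(&ForensicApplication::HandleRead, this));
    }

    /// Detaches the callback and closes the socket when the application stops.
    void StopApplication() override {
        if (recvSocket) {
            recvSocket->SetRecvCallback(MakeNullCallback<void, Ptr<Socket>>());
            recvSocket->Close();
            recvSocket = Ptr<Socket>();
        }
    }

    /// Sets the UDP port to listen on; call before the application starts.
    void SetListenPort(uint16_t port) {
        listenPort = port;
    }

    /// Receive callback: drains every pending datagram and logs each one.
    void HandleRead(Ptr<Socket> socket) {
        Address sender;
        Ptr<Packet> datagram = socket->RecvFrom(sender);
        while (datagram) {
            LogPacket(datagram, sender);
            datagram = socket->RecvFrom(sender);
        }
    }

    /// Prints one log line with the sender's IPv4 address and the packet size.
    void LogPacket(Ptr<Packet> packet, Address from) {
        // ConvertFrom aborts on an address of another type, so check first.
        if (!InetSocketAddress::IsMatchingType(from)) {
            return;
        }
        std::cout << "Captured packet from " << InetSocketAddress::ConvertFrom(from).GetIpv4()
                  << " of size " << packet->GetSize() << std::endl;
    }

private:
    Ptr<Socket> recvSocket;    // listening socket, empty while the application is stopped
    uint16_t listenPort = 0;   // set through SetListenPort before start
};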
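/**
 * Builds the forensic scenario and runs it for 20 simulated seconds:
 * three normal senders, one simulated flood source, one UDP sink (server) and
 * one forensic node whose Wi-Fi device records a promiscuous pcap trace.
 *
 * @return 0 after the simulation has finished.
 */
int main(int argc, char *argv[]) {
    // --- Nodes, one container per role ---
    NodeContainer normalNodes, attackerNodes, serverNodes, forensicNodes;
    normalNodes.Create(3);
    attackerNodes.Create(1);
    serverNodes.Create(1);
    forensicNodes.Create(1);

    // --- WiFi setup: ad hoc MAC, all roles on one shared Yans channel ---
    // NOTE(review): WIFI_PHY_STANDARD_80211n_5GHZ and YansWifiPhyHelper::Default()
    // are spelled as in older ns-3 releases; newer releases renamed or removed
    // them -- confirm against the ns-3 version you build with.
    WifiHelper wifi;
    wifi.SetStandard(WIFI_PHY_STANDARD_80211n_5GHZ);
    WifiMacHelper mac;
    // Plain ASCII quotes throughout: the typographic quotes in the original
    // listing do not compile.
    mac.SetType("ns3::AdhocWifiMac");
    YansWifiPhyHelper phy = YansWifiPhyHelper::Default();
    YansWifiChannelHelper channel = YansWifiChannelHelper::Default();
    phy.SetChannel(channel.Create());
    NetDeviceContainer normalDevices = wifi.Install(phy, mac, normalNodes);
    NetDeviceContainer attackerDevices = wifi.Install(phy, mac, attackerNodes);
    NetDeviceContainer serverDevices = wifi.Install(phy, mac, serverNodes);
    NetDeviceContainer forensicDevices = wifi.Install(phy, mac, forensicNodes);

    // --- Mobility setup: static nodes ---
    // NOTE(review): no position allocator is configured, so every node gets
    // MobilityHelper's default position -- confirm that is the intended layout.
    MobilityHelper mobility;
    mobility.SetMobilityModel("ns3::ConstantPositionMobilityModel");
    mobility.Install(normalNodes);
    mobility.Install(attackerNodes);
    mobility.Install(serverNodes);
    mobility.Install(forensicNodes);

    // --- Internet stack and routing (AODV on every node) ---
    AodvHelper aodv;
    InternetStackHelper internet;
    internet.SetRoutingHelper(aodv);
    internet.Install(normalNodes);
    internet.Install(attackerNodes);
    internet.Install(serverNodes);
    internet.Install(forensicNodes);

    // Single subnet; addresses are handed out in call order, which lets an
    // analyst map a source address in the capture back to a role.
    Ipv4AddressHelper address;
    address.SetBase("10.1.1.0", "255.255.255.0");
    Ipv4InterfaceContainer normalInterfaces = address.Assign(normalDevices);
    Ipv4InterfaceContainer attackerInterfaces = address.Assign(attackerDevices);
    Ipv4InterfaceContainer serverInterfaces = address.Assign(serverDevices);
    Ipv4InterfaceContainer forensicInterfaces = address.Assign(forensicDevices);

    // --- Packet capture ---
    PcapHelper pcapHelper;
    // NOTE(review): `file` is never written to in this function, and DLT_PPP
    // does not describe 802.11 frames. The usable evidence is the trace
    // produced by EnablePcap below; "forensics.pcap" stays a placeholder.
    Ptr<PcapFileWrapper> file = pcapHelper.CreateFile("forensics.pcap", std::ios::out, PcapHelper::DLT_PPP);
    for (uint32_t i = 0; i < forensicDevices.GetN(); ++i) {
        // promiscuous = true: also record frames not addressed to this device.
        // explicitFilename = true: "forensic_capture" is used as given.
        // NOTE(review): with more than one forensic device each call would
        // presumably target the same file -- give each device its own name.
        phy.EnablePcap("forensic_capture", forensicDevices.Get(i), true, true);
    }

    // --- Applications ---
    ApplicationContainer normalApps, attackerApps, serverApps, forensicApps;

    // The server's assigned address, taken from the interface container
    // instead of repeating the Ipv4 object lookup for every sender.
    const Ipv4Address serverAddress = serverInterfaces.GetAddress(0);
    const uint16_t servicePort = 9;

    // Normal node applications (e.g., sending normal traffic)
    for (uint32_t i = 0; i < normalNodes.GetN(); ++i) {
        OnOffHelper onoff("ns3::UdpSocketFactory", InetSocketAddress(serverAddress, servicePort));
        onoff.SetConstantRate(DataRate("500kb/s"));
        ApplicationContainer app = onoff.Install(normalNodes.Get(i));
        app.Start(Seconds(1.0));
        app.Stop(Seconds(20.0));
        normalApps.Add(app);
    }

    // Attacker node applications (e.g., DoS attack). They start at 5 s, so the
    // first four seconds of the capture contain only baseline traffic.
    for (uint32_t i = 0; i < attackerNodes.GetN(); ++i) {
        Ptr<DoSAttackApplication> app = CreateObject<DoSAttackApplication>();
        app->SetRemote(serverAddress, servicePort);
        attackerNodes.Get(i)->AddApplication(app);
        app->SetStartTime(Seconds(5.0));
        app->SetStopTime(Seconds(20.0));
        attackerApps.Add(app);
    }

    // Server node application (e.g., packet sink)
    PacketSinkHelper sink("ns3::UdpSocketFactory", InetSocketAddress(Ipv4Address::GetAny(), servicePort));
    serverApps.Add(sink.Install(serverNodes.Get(0)));

    // Forensic node application.
    // NOTE(review): it listens on the forensic node's own port 9, while every
    // sender above targets the server's address, so this listener by itself
    // will presumably log nothing; the promiscuous pcap trace records the flows.
    Ptr<ForensicApplication> forensicApp = CreateObject<ForensicApplication>();
    forensicApp->SetListenPort(servicePort);
    forensicNodes.Get(0)->AddApplication(forensicApp);
    forensicApp->SetStartTime(Seconds(1.0));
    forensicApp->SetStopTime(Seconds(20.0));
    forensicApps.Add(forensicApp);

    serverApps.Start(Seconds(1.0));
    serverApps.Stop(Seconds(20.0));

    // --- Run ---
    Simulator::Stop(Seconds(20.0));
    Simulator::Run();
    Simulator::Destroy();
    return 0;
}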
Finally, we have discussed digital forensics simulation and analysis in the ns3 environment; we also support all kinds of digital forensics work adapted to diverse environments. We place strong emphasis on the implementation of digital forensics in ns3.