Electronics | Article

LAN Traffic Capture Applications Using the Libtins Library

Adrian-Tiberiu Costin, Daniel Zinca * and Virgil Dobrota

Communications Department, Technical University of Cluj-Napoca, 400114 Cluj-Napoca, Romania; costin.t.adrian@gmail.com (A.-T.C.); Virgil.Dobrota@com.utcluj.ro (V.D.)
* Correspondence: daniel.zinca@com.utcluj.ro

Citation: Costin, A.-T.; Zinca, D.; Dobrota, V. LAN Traffic Capture Applications Using the Libtins Library. Electronics 2021, 10, 3084. https://doi.org/10.3390/electronics10243084

Academic Editor: Juan-Carlos Cano
Received: 9 November 2021; Accepted: 3 December 2021; Published: 11 December 2021

Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Abstract: Capturing traffic and processing its contents is a valuable skill that, when put in the right hands, makes diagnosing and troubleshooting network issues an approachable task. Apart from aiding in fixing common problems, packet capture can also be used for any application that requires a deeper understanding of how things work under the hood. Many tools have been developed in order to allow the user to study the flow of data inside a network. This paper focuses on documenting the process of creating such tools and showcasing their use in different contexts. This is achieved by leveraging the power of the C++ programming language and of the libtins library in order to create custom, extensible sniffing tools, which are then used in VoIP (Voice over IP) and IDS (Intrusion Detection System) applications.

Keywords: Apache Kafka; IDS sensors; ksqlDB; libtins; RTP; SIP; VoIP

1. Introduction

Capturing the data that flow throughout a network is extremely important because it allows the user to intercept, view and analyze network packets. This grants us the ability to get a better grasp of what happens under the hood, from viewing the protocol stack that is used to seeing the individual bytes of data that are being sent and received. The tools that allow us to perform this analysis are labeled as traffic sniffers, packet capture applications or protocol analyzers. A sniffer, or protocol analyzer, has many uses, from monitoring bandwidth and traffic patterns and exploring the flow of conversations throughout the network to troubleshooting and solving problems as they occur. Furthermore, from a security standpoint, packet sniffing is often used to intercept conversations between users and view the data with the purpose of scanning it for malicious activity or to detect holes in the network's security. If the person capturing the traffic has ill intentions, the data can also be used to eavesdrop on the conversations between users.

Packet capture tools can be written using a variety of different programming languages. This research paper focuses on showcasing how such a tool can be built using the C++ programming language and the libtins library. The research extends in two different directions. Firstly, the conversation is steered toward extending the libtins [1,2] packet sniffing library by adding support for parsing and processing protocols such as SIP (Session Initiation Protocol), SDP (Session Description Protocol) and RTP (Real-time Transport Protocol). These protocols are used in IP (Internet Protocol) telephony in order to produce an application that intercepts VoIP calls and outputs signaling logs and audio information.
The second part of the paper is focused on producing a custom sniffer that outputs network packets in JSON (JavaScript Object Notation) format, which are used as input to an IDS in order to detect different types of attacks. A different approach (that uses mirrored traffic from OpenFlow switches) to the same set of problems is described in [3] and focuses on the loss problems caused by the aggregation of mirrored flows from switches. Our implementation uses the raw traffic