Name: LTMON
Version: 0.1, January 17th, 2006
Author: Alex Shoolman (ashoolman@swin.edu.au)

Copyright 2006, Centre for Advanced Internet Architectures, Swinburne University of Technology, http://caia.swin.edu.au

This product makes use of GeoLite data created by MaxMind, available from http://www.maxmind.com/.

Images used in the Quake III Arena map ltmon_worldmap.pk3 provided were taken from the ESA website. These images include the map of the world as well as the map of Europe. http://www.esa.int

LTMON is made up of a Quake III Arena modification (ltmon_3Ds_mod), a sniffing program (ltmon_3DSniffer.c) and a specially designed Quake III Arena map (ltmon_worldmap.pk3). Its purpose is to demonstrate the possibilities for displaying network traffic details inside a commercial 3D game environment.

This tool allows you to join a Quake III Arena server and see which parts of the world are sending the most data to your machine. LTMON detects packets on specific capture devices (or in a saved tcpdump file), and if a packet matches the IP address of your machine, it increases the size of the pole for the country the packet came from. Using a specified filter rule, you can single out web traffic, game traffic, BitTorrent traffic or anything else you wish, selecting specific hosts, protocols or ports.

1. ltmon_3DSniffer Intro:

ltmon_3DSniffer works in conjunction with a standard Quake III Arena server running the provided Quake III Arena mod ltmon_3Ds_mod and map ltmon_worldmap.pk3. It analyses and displays in 3D the packets per second rate coming from each country in the world to the specified destination IP address.

The ltmon_3DSniffer program does not work on Windows platforms. However, you may connect to a ltmon_3DSniffer server from a host running any OS for which a Quake III Arena client has been released.

This proof-of-concept code has not been optimised for speed, and lacks a number of ideas we hope to implement in the future.
The original point of this program was to show the PPS (packets per second) rate for people sending probe traffic to a specific Quake III Arena server hosted at the CAIA research centre. By simply editing the tcpdump filter expression, though, this program can display PPS rates for anything from game traffic to web traffic to BitTorrent traffic, all in 3D and all viewable by simply joining a Quake III Arena game server that is running the ltmon_3Ds_mod and ltmon_worldmap supplied with this program.

As of version 0.1 there are 30 countries displayed. A map containing more countries may be released in future versions of this program.

Files included in LTMON_V0.1.tar.gz are as follows:

ltmon_3DSniffer.c - Source Code.
ltmon_3DSniffer - Compiled Code.
ltmon_worldmap.pk3 - Quake III Arena map of the world.
vm - Folder containing Quake III Arena modification code ltmon_3Ds_mod.
Countries - Folder that contains each country's current PPS rate file.
Country List.txt - List of countries available that display PPS rates.
README.txt - Read Me File.
Code Differences.txt - The file containing all the changes made to the original Quake III Arena base code.

You will also need the GeoIPCountryCSV.zip file as well as the Quake III Arena patch 1.32b.

2. Installation:

Due to licensing restrictions the GeoIP file is not supplied with this file. You MUST obtain a copy of this before running the program. This file contains the list of all allocated IP addresses and what country they map to. You can get the latest version of this file from here:

http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip

Simply extract the .zip file and place it in the LTMON_V0.1 directory.

The current development environment for LTMON_V0.1 is FreeBSD 6.1. To install, simply put the folder "LTMON_V0.1" into your /usr/home/${USER}/.q3a/ directory.

2.1 Recompiling ltmon_3DSniffer:

If you ever wish to change anything in the ltmon_3DSniffer.c code you will have to recompile it.
You may wish to change how it outputs its data or even its searching algorithm. To do so simply type the following:

> gcc ltmon_3DSniffer.c -lpcap -lm -o ltmon_3DSniffer_NewVersion

3. Running ltmon_3DSniffer:

You may keep the Quake III Arena server running while you start/stop the ltmon_3DSniffer program, but you will only see results in the Quake III Arena map ltmon_worldmap WHILE the ltmon_3DSniffer program is running.

To simply start using ltmon_3DSniffer (after it is installed) use the following:

****** You may need to be root to run this command *******

The reason you need to be root to run the ltmon_3DSniffer program is that systems default to only allowing the root user to promiscuously sniff network interfaces. As this program relies on the libpcap packet capture library it needs to be run as root.

These two commands will:

- Run the ltmon_3DSniffer program, set a tcpdump filter rule as "ip", set the sampling time to "2 minutes", set the update rate to "2 seconds" and use "em0" as the capture device.
- Start the Quake III Arena server (from your machine), log you into it and make sure the right map and mod are activated.

> ./ltmon_3DSniffer -f "ip and dst " -u 2 -s 2 -i em0

(Note "em0" is your capture device name)

Then, while the ltmon_3DSniffer program is running, run this Quake III Arena command to create your own server and automatically log into it:

> quake3 +set vm_game 2 +set fs_game LTMON_V0.1 +sv_pure 0 +devmap ltmon_worldmap

If you wish to start the mod in server mode, then use this command:

> quake3 +set dedicated 2 +set sv_punkbuster 0 +set vm_game 2 +set fs_game LTMON_V0.1 +set cl_allowdownload 1 +devmap ltmon_worldmap

3.1 More detailed use of ltmon_3DSniffer:

The following is a list of command line arguments that can be input when starting the program and what they do.

./ltmon_3DSniffer: -f -u -s [-h] then [-r] OR [-i]

-f
-u
-s - Must be under 60 minutes.
-r - Must be in the same directory as this program.
-i
-h help

The filter expression is the same as anything you would enter into tcpdump. For example "ip" only captures IP packets. "udp and port 27960" only captures packets that are UDP and are on port 27960 (the Quake III Arena port).

Below is a list of useful tcpdump filter rules and what the program will capture:

"ip and dst "
- Used to capture all IP traffic to the IP address (this includes BitTorrent traffic)

"ip and port 80 and dst "
- Used to capture web traffic to the IP address

"udp and port 27960 and dst "
- Used to capture all traffic related to Quake III Arena on the game server at

"(ip[32] == 103) and (ip[33] == 101) and (ip[34] == 116) and (ip[35] == 105) and (ip[36] == 110) and (ip[37] == 102) and (ip[38] == 111) and dst and port 27960"
- Used to capture ONLY probe packets (not game flow traffic) for Quake III Arena, to the game server at

The update rate is in seconds and relates to how often the platforms in the ltmon_worldmap will be updated. If you choose an update rate of 2 seconds, then every 2 seconds the platforms' heights will be recalculated and shown.

The sampling rate is in minutes and is the time period over which the PPS rate is averaged. For instance, if it is set to 10 then on every update an array of 600 values for each country is added up and divided by 600 to give the average PPS rate. An easy way to think of it is as a moving window average. This sampling rate can only go up to 60 minutes (an array of 3600).

At the end of the command to run the program you must specify either a capture device or a tcpdump file to read in. If you don't specify anything it will default to "em0". If you wish to use a capture device simply specify its name, for example "-i em0", "-i sis0" etc. If you wish to specify a tcpdump file simply put "-r ", making sure the tcpdump file is in the LTMON_V0.1 directory first.
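
The probe-only filter in section 3.1 tests seven bytes at fixed offsets from the start of the IP header: 103, 101, 116, 105, 110, 102, 111 are the ASCII codes of "getinfo", and offset 32 is a 20-byte IP header plus the 8-byte UDP header plus the four 0xFF bytes that open a Quake III Arena connectionless packet. The C below is an added example, not code from ltmon_3DSniffer.c, showing that the fixed offset stops matching once the IP header carries options, beside a variant that reads the header length from the packet; the function names and sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same test as the README filter: ip[32]..ip[38] == "getinfo".
 * 32 = 20-byte IP header + 8-byte UDP header + 4-byte 0xFF marker. */
int probe_fixed(const uint8_t *ip, size_t len)
{
    return len >= 39 && memcmp(ip + 32, "getinfo", 7) == 0;
}

/* Variant that reads the header length (IHL) from the packet and also
 * checks the 0xFF marker, so a probe with IP options is still recognised. */
int probe_ihl(const uint8_t *ip, size_t len)
{
    size_t ihl;
    if (len < 20 || (ip[0] >> 4) != 4 || ip[9] != 17)  /* IPv4, UDP */
        return 0;
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 19)
        return 0;
    return memcmp(ip + ihl + 8, "\xff\xff\xff\xff", 4) == 0 &&
           memcmp(ip + ihl + 12, "getinfo", 7) == 0;
}

/* Constructed sample packet: IPv4 + UDP + "\xff\xff\xff\xffgetinfo",
 * with optlen (a multiple of 4) bytes of NOP IP options. */
size_t build_probe(uint8_t *buf, size_t optlen)
{
    size_t ihl = 20 + optlen;
    memset(buf, 0, ihl + 8);
    buf[0] = (uint8_t)(0x40 | (ihl / 4));
    buf[9] = 17;
    memset(buf + 20, 1, optlen);
    memset(buf + ihl + 8, 0xff, 4);
    memcpy(buf + ihl + 12, "getinfo", 7);
    return ihl + 19;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_probe(pkt, 0);
    printf("no options: fixed=%d ihl=%d\n", probe_fixed(pkt, n), probe_ihl(pkt, n));
    n = build_probe(pkt, 4);
    printf("4B options: fixed=%d ihl=%d\n", probe_fixed(pkt, n), probe_ihl(pkt, n));
    return 0;
}
```

In tcpdump syntax the same effect comes from indexing off the UDP header (for example udp[12] == 103), because udp[...] offsets are computed from the actual IP header length.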
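
The moving window average described for the sampling rate in section 3.1, as an added C example that is not taken from ltmon_3DSniffer.c: one counter per second, summed and divided by the window length on each update. The struct and function names are hypothetical, and the example assumes one slot per second with the sampling period capped at 60 minutes (3600 slots).

```c
#include <stdio.h>
#include <string.h>

#define MAX_WINDOW 3600            /* 60 minutes of one-second slots */

struct pps_window {
    unsigned counts[MAX_WINDOW];   /* packets seen in each one-second slot */
    int slots;                     /* sampling period in seconds */
    int head;                      /* slot for the current second */
};

/* Returns 0 on success, -1 if the period is outside 1..60 minutes. */
int pps_init(struct pps_window *w, int minutes)
{
    if (minutes < 1 || minutes > 60)
        return -1;
    memset(w, 0, sizeof *w);
    w->slots = minutes * 60;
    return 0;
}

/* Called once per captured packet attributed to this country. */
void pps_count(struct pps_window *w) { w->counts[w->head]++; }

/* Called once per second: the oldest slot is cleared and reused. */
void pps_tick(struct pps_window *w)
{
    w->head = (w->head + 1) % w->slots;
    w->counts[w->head] = 0;
}

/* Add up every slot and divide by the slot count. */
double pps_average(const struct pps_window *w)
{
    unsigned long sum = 0;
    for (int i = 0; i < w->slots; i++)
        sum += w->counts[i];
    return (double)sum / w->slots;
}

int main(void)
{
    struct pps_window w;
    pps_init(&w, 2);                       /* 2-minute window: 120 slots */
    for (int i = 0; i < 240; i++)          /* constructed burst in one second */
        pps_count(&w);
    printf("average after burst: %.2f PPS\n", pps_average(&w));
    for (int i = 0; i < 120; i++)
        pps_tick(&w);
    printf("average after window passes: %.2f PPS\n", pps_average(&w));
    return 0;
}
```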
3.2 Using the ltmon_3Ds_mod:

To use the Quake III Arena mod ltmon_3Ds_mod you must first make sure the "LTMON_V0.1" folder is in your /usr/home/${USER}/.q3a directory, then enter:

> quake3 +set vm_game 2 +set fs_game LTMON_V0.1 +sv_pure 0 +devmap ltmon_worldmap

This will start up a client Quake III Arena game and load the ltmon_worldmap. Make sure the ltmon_3DSniffer program is running first though.

If you wish to start the ltmon_3Ds_mod in server mode, then use this command:

> quake3 +set dedicated 2 +set sv_punkbuster 0 +set vm_game 2 +set fs_game LTMON_V0.1 +set cl_allowdownload 1 +devmap ltmon_worldmap

The ltmon_3Ds_mod program reads from a number of text files that are generated by the ltmon_3DSniffer program. The ltmon_3Ds_mod and ltmon_3DSniffer programs can run on separate machines as long as they both access the same set of country files.

Multiple users can log into the Quake III Arena server running the ltmon_3Ds_mod and view the ltmon_worldmap without having to run modified clients.

3.3 Country List Editing:

To view a list of these countries open the "Country List.txt" file in the LTMON_V0.1 folder. You will notice that there is one country per line, with "@ " on the final line. DO NOT remove this last line as the ltmon_3Ds_mod requires it as an end of file character.

Use this text file to select exactly which countries you wish to see displayed in the ltmon_worldmap. If a country is in this list, it will display a "pole" coming from the centre of that country that will tell you the PPS rate from that country.

When changing this list, make sure the name of the country in the Country List.txt file exactly matches the name of that country in the GeoIPCountryWhois.csv file. For example: if you enter "USA" into the Country List.txt file it will not show that country. You must enter "United States" as this is what appears in the GeoIPCountryWhois.csv file.

4. The ltmon_worldmap.pk3:

The provided map file called "ltmon_worldmap.pk3" is a zip file renamed with a ".pk3" extension. If you rename the file to "ltmon_worldmap.zip" you can access the entire map with the ltmon_worldmap.pk3 file located inside the "map" directory. A program such as GtkRadiant will be able to interpret the map. You can add more countries, more rooms or even change it completely.

On line 655 of the ltmon_3DSniffer.c program there is an equation that translates the calculated PPS value into the value needed to match up with the numbers located on the ltmon_worldmap walls. For example, if you take a PPS rate of 50 and put it through the mentioned equation, you will get the approximate value 350. When Quake III Arena reads in this value and sets a platform to the height 350, it will be at roughly the same height as the markings on the wall stating "50 PPS".

PPS Value:    Value Put Into Country Text File:
5             57
10            180
50            350
100           550
250           870
500           1390

*****************************************************************************
ashoolman@swin.edu.au