1. INTRODUCTION
1.1 ABSTRACT
This project is intended to develop a tool called Packet Sniffer. The Packet Sniffer allows the computer to examine and analyze all the traffic passing by its network connection. It decodes the network traffic and makes sense of it.
When it is set up on a computer, the network interface of the computer is set to promiscuous mode, listening to all the traffic on the network rather than just those packets destined for it. Packet Sniffer is a tool that sniffs without modifying the network’s packet in anyway. It merely makes a copy of each packet flowing through the network interface and finds the source and destination Ethernet addresses of the packets. It decodes the protocols in the packets given below:
IP (Internet Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol).
The output is appended into normal text file, so that the network administrator can understand the network traffic and later analyze it.
1.2 ORGANIZATION PROFILE
Vijay technologies established in 2009. It has registered office at Dwaraka Nagar, Visakhapatnam-16. It has three strategic service groups specifically Software Development, Web Hosting and Training.
Vijay technologies development division has attained reputation for providing customized business applications for RDBMS applications offering a full range of IT solutions on various platforms. It is specialized in providing Business solutions for industries of varied sizes, simple solutions that is the result of combining technology with the best personnel.
Our technology expertise is in the design and development of applications software in Client Server and ERP-computing environment under various RDBMS platforms such as Oracle, Oracle DBA and Sql Server, using GUI Tools like Developer 2000, Visual Basic, VB.Net, ASP.Net, C#.Net, Java, Reusable Active A component and Web applications.
We also participate in a number of Vendors – testing Programs allowing us to evaluate emerging technologies and their application to our clients need for the entire project life cycle.
Vijay Technologies has been designed by leading Academicians and software Professionals from the IT industries keeping in view the increasing demand for software professionals.
Requirements of the IT industry the curriculum is built in away to bridge the gap between the technology and resources.
As the industries are focusing on Vijay Technologies Resources planning, Vijay Technologies have started training its student in the Web Technologies and internet concepts giving orientation towards e-commerce.
Vijay Technologies offers training programs in products of Microsoft, Oracle, Borland and Sun. On average, 100-150 students graduate from our institute every
2. SYSTEM STUDY
2.1 Introduction to Packet Sniffers:
A Packet Sniffer is a program that can see all of the information passing over the network it is connected to. A Packet Sniffer is a Wire-tapping device that plugs into computer Networks and eavesdrop on the network traffic.
A packet sniffer (also known as a network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content.
Most Ethernet networks use to be of a common bus topology, using either coax cable or twisted pair wire and a hub. All of the nodes (computers and other devices) on the network could communicate over the same wires and take turns sending data using a scheme known as carrier sense multiple access with collision detection (CSMA/CD). Think of CSMA/CD as being like a conversation at a loud party, you may have to wait for quite a spell for your chance to get your words in during a lull in everybody else’s conversation. All of the nodes on the network have their own unique MAC (media access control) address that they use to send packets of information to each other. Normally a node would only look at the packets that are destined for its MAC address. However, if the network card is put into what is known as “promiscuous mode” it will look at all of the packets on the wires it is hooked to.
2.2 TCP/IP Protocols:
Background:
The Internet protocols are the world's most popular open-system (nonproprietary) protocol suite because they can be used to communicate across any set of interconnected networks and are equally well suited for LAN and WAN communications. The Internet protocols consist of a suite of communication protocols, of which the two best known are the Transmission Control Protocol (TCP) and the Internet Protocol (IP). The Internet protocol suite not only includes
lower-layer protocols (such as TCP and IP), but it also specifies common applications such as electronic mail, terminal emulation, and file transfer. This document provides a broad introduction to specifications that comprise the Internet protocols.
Internet protocols were first developed in the mid-1970s, when the Defense Advanced Research Projects Agency (DARPA) became interested in establishing a packet-switched network that would facilitate communication between dissimilar computer systems at research institutions. With the goal of heterogeneous connectivity in mind, DARPA funded research by Stanford University and Bolt, Beranek, and Newman (BBN). The result of this development effort was the Internet protocol suite, completed in the late 1970s.
Documentation of the Internet protocols (including new or revised protocols) and policies are specified in technical reports called Request for Comments (RFCs), which are published and then reviewed and analyzed by the Internet community. Protocol refinements are published in the new RFCs. To illustrate the scope of the Internet protocols, Figure 1. Maps many of the protocols of the Internet protocol suite and their corresponding OSI layers.
Fig 1: Internet protocols span the complete range of OSI model layers. The Internet Protocol (IP) is a network-layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is the primary network-layer protocol in the Internet protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of data grams through an inter-network; and providing fragmentation and reassembly of data grams to support data links with different maximum-transmission unit (MTU) sizes.
IP Packet Format:
An IP packet contains several types of information, as illustrated in Physical FTP, Telnet, SMTP, SNMP Application Presentation Session Transport Data Link Network NFS XDR RPC TCP, UDP ARP RARP Not Specified IP ICMP
Internet protocol suite OSI model
Fig 2: Fourteen fields comprise an IP packet.
The following discussion describes the IP packet fields illustrated in Figure.2 Version— Indicates the version of IP currently used.
IP Header Length (IHL) — Indicates the datagram header length in 32-bit words.
Type-of-Service— Specifies how an upper-layer protocol would like a current datagram to be handled, and assigns data grams various levels of importance. Total Length — Specifies the length, in bytes, of the entire IP packet,
including the data and header.
Identification — Contains an integer that identifies the current datagram. This field is used to help piece together datagram fragments.
Flags — Consists of a 3-bit field of which the two low-order (least-significant) bits control fragmentation. The low-order bit specifies whether the packet can be fragmented. The middle bit specifies whether the packet is the last fragment in a series of fragmented packets. The third or high-order bit is not used.
Flags Fragment Offset Header checksum Protocol Total length Type of Service IHL Data (variable) Options (+padding) Destination Address Source Address Identification Time to live Version
Fragment Offset — Indicates the position of the fragment's data relative to the beginning of the data in the original datagram, which allows the destination IP process to properly reconstruct the original datagram.
Time-to-Live — Maintains a counter that gradually decrements down to zero, at which point the datagram is discarded. This keeps packets from looping endlessly.
Protocol — Indicates which upper-layer protocol receives incoming packets after IP processing is complete.
Header Checksum— Helps ensure IP header integrity.
Source Address — Specifies the sending node. Destination Address — Specifies the receiving node.
Options — Allows IP to support various options, such as security.
Data — Contains upper-layer information.
IP Addressing:
As with any other network-layer protocol, the IP addressing scheme is integral to the process of routing IP datagram through an inter-network. Each IP address has specific components and follows a basic format. These IP addresses can be subdivided and used to create addresses for sub-networks.
Each host on a TCP/IP network is assigned a unique 32-bit logical address that is divided into two main parts: the network number and the host number. The network number identifies a network and must be assigned by the Internet Network Information Center (InterNIC) if the network is to be part of the Internet. An Internet Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself assign address space as necessary. The host number identifies a host on a network and is assigned by the local network administrator.
IP Address Format:
The 32-bit IP address is grouped eight bits at a time, separated by dots, and represented in decimal format (known as dotted decimal notation). Each bit in the octet has a binary weight (128, 64, 32, 16, 8, 4, 2, 1). The minimum value for an octet is 0, and the maximum value for an octet is 255. Figure.3 illustrates the basic format of an IP address.
Fig 3: An IP address consists of 32 bits, grouped into four octets.
8bits 8bits 8bits 8bits IP Address Classes:
IP addressing supports five different address classes: A, B, C, D, and E. only classes A, B, and C are available for commercial use. The left-most (high-order) bits indicate the network class.
Fig 4: IP address formats A, B, and C are available for commercial use. No. of bits 7 24 Class A Class B 14 16 Class C 21 8
The class of address can be determined easily by examining the first octet of the address and mapping that value to a class range in the following table. In an IP address of 172.31.1.2, for example, the first octet is 172. Because 172 falls between
32Bits Network Host Host Network Host Host Host Host Host Network Network 0 Networks 1 0 Network 1 1 0 Network
128 and 191, 172.31.1.2 is a Class B address. Figure 5 summarizes the range of possible values for the first octet of each address class.
Fig 5: A range of possible values exists for the first octet of each address class. Address Class First Octet in
Decimal High-order Bits Class A Class B Class C Class D Class E 1 D 126 128 D 191 192 D 223 224 D 239 240 D 254 0 10 110 1110 1111 IP Subnet Addressing:
IP networks can be divided into smaller networks called sub-networks (or subnets). Sub-netting provides the network administrator with several benefits, including extra flexibility, more efficient use of network addresses, and the capability to contain broadcast traffic (a broadcast will not cross a router).
Subnets are under local administration. As such, the outside world sees an organization as a single network and has no detailed knowledge of the organization's internal structure.
A given network address can be broken up into many sub networks. For example, 172.16.1.0, 172.16.2.0, 172.16.3.0, and 172.16.4.0 are all subnets within network 171.16.0.0. (All 0s in the host portion of an address specifies the entire network.)
Address Resolution Protocol (ARP) Overview:
For two machines on a given network to communicate, they must know the other machine's physical (or MAC) addresses. By broadcasting Address Resolution
Protocols (ARPs), a host can dynamically discover the MAC-layer address corresponding to a particular IP network-layer address.
After receiving a MAC-layer address, IP devices create an ARP cache to store the recently acquired IP-to-MAC address mapping, thus avoiding having to broadcast ARPS when they want to re-contact a device. If the device does not respond within a specified time frame, the cache entry is flushed.
In addition to the Reverse Address Resolution Protocol (RARP) is used to map MAC-layer addresses to IP addresses. RARP, which is the logical inverse of ARP, might be used by diskless workstations that do not know their IP addresses when they boot. RARP relies on the presence of a RARP server with table entries of MAC-layer-to-IP address mappings.
Internet Routing:
Internet routing devices traditionally have been called gateways. In today's terminology, however, the term gateway refers specifically to a device that performs application-layer protocol translation between devices. Interior gateways refer to devices that perform these protocol functions between machines or networks under the same administrative control or authority, such as a corporation's internal network. These are known as autonomous systems. Exterior gateways perform protocol functions between independent networks.
Routers within the Internet are organized hierarchically. Routers used for information exchange within autonomous systems are called interior routers, which use a variety of Interior Gateway Protocols (IGPs) to accomplish this purpose. The Routing Information Protocol (RIP) is an example of an IGP.
Routers that move information between autonomous systems are called exterior routers. These routers use an exterior gateway protocol to exchange information between autonomous systems. The Border Gateway Protocol (BGP) is an example of an exterior gateway protocol.
IP Routing:
IP routing protocols are dynamic. Dynamic routing calls for routes to be calculated automatically at regular intervals by software in routing devices. This contrasts with static routing, where routers are established by the network administrator and do not change until the network administrator changes them.
An IP routing table, which consists of destination address/next hop pairs, is used to enable dynamic routing. An entry in this table, for example, would be interpreted as follows: to get to network 172.31.0.0, send the packet out Ethernet interface 0 (E0).
IP routing specifies that IP datagrams travel through internetworks one hop at a time. The entire route is not known at the onset of the journey, however. Instead, at each stop, the next destination is calculated by matching the destination address within the datagram with an entry in the current node's routing table.
Each node's involvement in the routing process is limited to forwarding packets based on internal information. The nodes do not monitor whether the packets get to their final destination, nor does IP provide for error reporting back to the source when routing anomalies occur. This task is left to another Internet protocol, the Internet Control-Message Protocol (ICMP), which is discussed in the following section.
Internet Control Message Protocol (ICMP):
The Internet Control Message Protocol (ICMP) is a network-layer Internet protocol that provides message packets to report errors and other information regarding IP packet processing back to the source. ICMP is documented in RFC 792. ICMP Messages:
ICMPs generate several kinds of useful messages, including Destination Unreachable, Echo Request and Reply, Redirect, Time Exceeded, and Router Advertisement and Router Solicitation. If an ICMP message cannot be delivered, no second one is generated. This is to avoid an endless flood of ICMP messages.
When an ICMP destination-unreachable message is sent by a router, it means that the router is unable to send the package to its final destination. The router then discards the original packet. Two reasons exist for why a destination might be unreachable. Most commonly, the source host has specified a nonexistent address. Less frequently, the router does not have a route to the destination.
Destination-unreachable messages include four basic types: network unreachable, host unreachable, protocol unreachable and port unreachable.
Network-unreachable messages usually mean that a failure has occurred in the routing or
addressing of a packet. Host-unreachable messages usually indicate delivery failure, such as a wrong subnet mask. Protocol-unreachable messages generally mean that the destination does not support the upper-layer protocol specified in the packet.
Port-unreachable messages imply that the TCP socket or port is not available.
An ICMP echo-request message, which is generated by the ping command, is sent by any host to test node reachability across an inter network. The ICMP echo-reply message indicates that the node can be successfully reached.
An ICMP Redirect message is sent by the router to the source host to stimulate more efficient routing. The router still forwards the original packet to the destination. ICMP redirects allow host routing tables to remain small because it is necessary to know the address of only one router, even if that router does not provide the best path. Even after receiving an ICMP Redirect message, some devices might continue using the less-efficient route.
The router sends an ICMP Time-exceeded message if an IP packet's Time-to-Live field (expressed in hops or seconds) reaches zero. The Time-to-Time-to-Live field prevents packets from continuously circulating the internetwork if the internetwork contains a routing loop. The router then discards the original packet.
Transmission Control Protocol (TCP):
The TCP provides reliable transmission of data in an IP environment. TCP corresponds to the transport layer (Layer 4) of the OSI reference model. Among the services TCP provides are stream data transfer, reliability, efficient flow control,
full-With stream data transfer, TCP delivers an unstructured stream of bytes identified by sequence numbers. This service benefits applications because they do not have to chop data into blocks before handing it off to TCP. Instead, TCP groups bytes into segments and passes them to IP for delivery.
TCP offers reliability by providing connection-oriented, end-to-end reliable packet delivery through an internetwork. It does this by sequencing bytes with a forwarding acknowledgment number that indicates to the destination the next byte the source expects to receive. Bytes not acknowledged within a specified time period are retransmitted. The reliability mechanism of TCP allows devices to deal with lost, delayed, duplicate, or misread packets. A time-out mechanism allows devices to detect lost packets and request retransmission.
TCP offers efficient flow control, which means that, when sending acknowledgments back to the source, the receiving TCP process indicates the highest sequence number it can receive without overflowing its internal buffers.
Full-duplex operation means that TCP processes can both send and receive at the same time.
Finally, TCP's multiplexing means that numerous simultaneous upper-layer conversations can be multiplexed over a single connection.
TCP Connection Establishment:
To use reliable transport services, TCP hosts must establish a connection-oriented session with one another. Connection establishment is performed by using a "three-way handshake" mechanism.
A three-way handshake synchronizes both ends of a connection by allowing both sides to agree upon initial sequence numbers. This mechanism also guarantees that both sides are ready to transmit data and know that the other side is ready to transmit as well. This is necessary so that packets are not transmitted or retransmitted during session establishment or after session termination.
Each host randomly chooses a sequence number used to track bytes within the stream it is sending and receiving. Then, the three-way handshake proceeds in the following manner:
The first host (Host A) initiates a connection by sending a packet with the initial sequence number (X) and SYN bit set to indicate a connection request. The second host (Host B) receives the SYN, records the sequence number X, and replies by acknowledging the SYN (with an ACK = X + 1). Host B includes its own initial sequence number (SEQ = Y). An ACK = 20 means the host has received bytes 0 through 19 and expects byte 20 next. This technique is called forward
acknowledgment. Host A then acknowledges all bytes Host B sent with a forward
acknowledgment indicating the next byte Host A expects to receive (ACK = Y + 1). Data transfer then can begin.
Positive Acknowledgment and Retransmission (PAR):
A simple transport protocol might implement a reliability-and-flow-control technique where the source sends one packet, starts a timer, and waits for an acknowledgment before sending a new packet. If the acknowledgment is not received before the timer expires, the source retransmits the packet. Such a technique is called
positive acknowledgment and retransmission (PAR).
By assigning each packet a sequence number, PAR enables hosts to track lost or duplicate packets caused by network delays that result in premature retransmission. The sequence numbers are sent back in the acknowledgments so that the acknowledgments can be tracked.
PAR is an inefficient use of bandwidth, however, because a host must wait for an acknowledgment before sending a new packet, and only one packet can be sent at a time.
TCP Sliding Window:
A TCP sliding window provides more efficient use of network bandwidth than PAR because it enables hosts to send multiple bytes or packets before waiting for an
In TCP, the receiver specifies the current window size in every packet. Because TCP provides a byte-stream connection, window sizes are expressed in bytes. This means that a window is the number of data bytes that the sender is allowed to send before waiting for an acknowledgment. Initial window sizes are indicated at connection setup, but might vary throughout the data transfer to provide flow control. A window size of zero, for instance, means "Send no data."
In a TCP sliding-window operation, for example, the sender might have a sequence of bytes to send (numbered 1 to 10) to a receiver who has a window size of five. The sender then would place a window around the first five bytes and transmit them together. It would then wait for an acknowledgment.
The receiver would respond with an ACK = 6, indicating that it has received bytes 1 to 5 and is expecting byte 6 next. In the same packet, the receiver would indicate that its window size is 5. The sender then would move the sliding window five bytes to the right and transmit bytes 6 to 10. The receiver would respond with an ACK = 11, indicating that it is expecting sequenced byte 11 next. In this packet, the receiver might indicate that its window size is 0 (because, for example, its internal buffers are full). At this point, the sender cannot send any more bytes until the receiver sends another packet with a window size greater than 0.
TCP Packet Format:
Figure 6 illustrate the fields and overall format of a TCP packet. Twelve fields comprise a TCP packet.
15 Source port Destination port
Sequence number Acknowledge number
Data offset Reserved Flags Window Checksum Urgent pointer
TCP Packet Field Descriptions:
The following descriptions summarize the TCP packet fields illustrated in Figure. 6
Source Port and Destination Port — Identifies points at which upper-layer source and destination processes receive TCP services.
Sequence Number — Usually specifies the number assigned to the first byte of data in the current message. In the connection-establishment phase, this field also can be used to identify an initial sequence number to be used in an upcoming transmission. Acknowledgment Number — Contains the sequence number of the next byte of data the sender of the packet expects to receive.
Data Offset — Indicates the number of 32-bit words in the TCP header.
Reserved—Remains reserved for future use.
Flags — Carries a variety of control information, including the SYN and ACK bits used for connection establishment, and the FIN bit used for connection termination. Window — Specifies the size of the sender's receive window (that is, the buffer space available for incoming data).
Checksum — Indicates whether the header was damaged in transit.
Urgent Pointer — Points to the first urgent data byte in the packet.
User Datagram Protocol (UDP):
The User Datagram Protocol (UDP) is a connectionless transport-layer protocol (Layer 4) that belongs to the Internet protocol family. UDP is basically an interface between IP and upper-layer processes. UDP protocol ports distinguish multiple applications running on a single device from one another.
Unlike the TCP, UDP adds no reliability, flow-control, or error-recovery functions to IP. Because of UDP's simplicity, UDP headers contain fewer bytes and consume less network overhead than TCP.
UDP is useful in situations where the reliability mechanisms of TCP are not necessary, such as in cases where a higher-layer protocol might provide error and flow control.
UDP is the transport protocol for several well-known application-layer protocols, including Network File System (NFS), Simple Network Management Protocol (SNMP), Domain Name System (DNS), and Trivial File Transfer Protocol (TFTP).
The UDP packet format contains four fields, as shown in Figure 7. These include source and destination ports, length, and checksum fields.
A UDP packet consists of four fields. 32 bits
Source and destination ports contain the 16-bit UDP protocol port numbers used to de-multiplex datagrams for receiving application-layer processes. A length field specifies the length of the UDP header and data. Checksum provides an (optional) integrity check on the UDP header and data.
Source Port Destination Port Length checksum
Internet Protocols: Application Layer Protocols
The Internet protocol suite includes many application-layer protocols that represent a wide variety of applications, including the following:
File Transfer Protocol (FTP)—Moves files between devices
Simple Network-Management Protocol (SNMP)—Primarily reports anomalous network conditions and sets network threshold values
Telnet—Serves as a terminal emulation protocol
X Windows—Serves as a distributed windowing and graphics system used for communication between X terminals and UNIX workstations
Network File System (NFS), External Data Representation (XDR), and Remote Procedure Call (RPC)—Work together to enable transparent access to remote network resources
Simple Mail Transfer Protocol (SMTP)—Provides electronic mail services
Domain Name System (DNS)—Translates the names of network nodes into network addresses.
The list of the higher-layer protocols and the applications that they support is as follows:
Application Protocols
File transfer FTP
Terminal emulation Telnet
Electronic mail SMTP
Network management SNMP
Computer administrators need Packet Sniffer to monitor their networks and perform diagnostic tests or trouble shoot problems. It can be used to analyze the load on the network and according to that administrator can redirect the traffic so that packets flow across networks without leading to congestion. It is also used for debugging by Programmers developing network related software. Anyone interested in having a full picture of the traffic going through one’s LAN segment can use the Packet Sniffer. Packet Sniffer converts the data flowing in the network into human readable format, so that people can read the traffic and understand it.
On wired broadcast LANs, depending on the network structure (hub or switch), one can capture traffic on all or just parts of the traffic from a single machine within the network; however, there are some methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g. ARP spoofing). For network monitoring purposes it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing through all ports of the switch. When systems (computers) are connected to a switch port rather than a hub the analyzer will be unable to read the data due to the intrinsic nature of switched networks. In this case a shadow port must be created in order for the sniffer to capture the data.
On wireless LANs, one can capture traffic on a particular channel.
On wired broadcast and wireless LANs, in order to capture traffic other than unicast traffic sent to the machine running the sniffer software, multicast traffic sent to a multicast group to which that machine is listening, and broadcast traffic, the network adapter being used to capture the traffic must be put into promiscuous mode; some sniffers support this, others don't. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set for which the adapter is configured will usually be ignored; in order to see those packets, the adapter must be put into monitor mode.
Uses of Sniffers:
Sniffing programs have been around for a long time in two forms. Commercial packet sniffers are used to help maintain networks.
Typical uses of such programs include:
Automatic sniffing of clear-text passwords and usernames from the network.
Conversion of data to human readable formats so that people can read the traffic.
Fault analysis to discover problems in the network, such as why computer A can’t talk to computer B.
Performance analysis to discover network bottlenecks.
Network intrusion detection in order to discover hackers/crackers.
Network traffic logging, to create logs that hacker's can't break into and erase.
Monitor network usage.
Debug client/server communications. Debug network protocol implementations. Example Uses:
A packet sniffer for a token ring network could detect that the token has been lost or the presence of too many tokens (verifying the protocol). A packet sniffer could detect that messages are being sent to a network
adapter; if the network adapter did not report receiving the messages then this would localize the failure to the adapter.
A packet sniffer could detect excessive messages being sent by a port, detecting an error in the implementation.
A packet sniffer could collect statistics on the amount of traffic (number of messages) from a process detecting the need for more bandwidth or a better method.
A packet sniffer could be used to extract messages and reassemble into a complete form the traffic from a process, allowing it to be reverse
A packet sniffer could be used to diagnose operating system connectivity issues like web, ftp, sql, active directory, etc.
A packet sniffer could be used to analyze data sent to and from secure systems in order to understand and circumvent security measures, for the purposes of penetration testing or illegal activities.
A packet sniffer can passively capture data going between a web visitor and the web servers decode it at the HTTP and HTML level and create web log files as a substitute for server logs and page tagging for web analytics.
2.4 Existing System:
In present as there are many sniffers are available in the market. They can be freely downloaded from the internet. Some sniffers uses winpcap, others use libpcap according to the platform on which they are working. If the platform is windows then they are using winpcap, and if the platform is UNIX then they are using libpcap.
2.5 Proposed System:
Proposed system uses jpcap API in order to capture packets from the network. Jpcap is a java library for capturing and sending network packets. Using Jpcap, you can develop applications to capture packets from a network interface and visualize/analyze them. Jpcap can capture Ethernet, IPv4, IPv6, ARP/RARP, TCP, UDP, and ICMPv4 packets. Jpcap has been tested on Microsoft Windows (98/2000/XP/Vista), Linux (Fedora, Mandriva, Ubuntu), Mac OS X (Darwin), FreeBSD, and Solaris.
We can observe the old packets those were passed through the network in the past. We can observe the DOS attacks.
3. SYSTEM ANALYSIS
3.1 Project Description:
This Project deals with a packet capture utility and Network monitoring. This Project is useful to the Network Administrators to observe each and every incoming packet for security enhancements. Irrespective of the Destination IP of incoming packet the machine on which this project is running captures all packets .This Project Keeps on differentiating the type of the entities which are there in Ethernet header.
The main program will have an infinite loop which keeps an eye on each and every incoming packet. The moment it collects that packet it starts invoking respective modules and those modules will internally redirects that information to respective text files. The utilities used in this project are WinPcap and PacketX. WinPcap:
In the field of computer network administration, pcap consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap.
Monitoring software may use libpcap and/or WinPcap to capture packets traveling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap.
Libpcap and WinPcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap or WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format.
Libpcap and WinPcap provide the packet-capture and filtering engines of many open-source and commercial network tools, including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, traffic-generators and network-testers.
WinPcap consists of:
drivers for Windows 95/98/Me, and for the Windows NT family (Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, etc.), which use NDIS to read packets directly from a network adapter;
Implementations of a lower-level library for the listed operating systems, to communicate with those drivers;
A port of libpcap that uses the API offered by the low-level library implementations.
Programmers at the Politecnico di Torino wrote the original code; as of 2008 CACE Technologies, a company set up by some of the WinPcap developers, develops and maintains the product.
PacketX:
PacketX class library integrates WinPcap packet capture functionality with ActiveX programming and scripting languages. PacketX hides the low level programming details by implementing simple class framework that can be used to build networking applications with minimum effort and time. In brief, PacketX uses WinPcap libraries to capture (and optionally filter) network packets. In addition to standard capture mode you can collect network statistics and send raw packets. All captured packets or statistics are encapsulated inside wrapper class and returned to client as events. PacketX uses WinPcap Packet Driver API implemented by packet.dll and BPF filtering support from pcap.dll. This means that you can use PacketX to capture, send (and optionally filter) packets and collect network statistics. PacketX cannot be used to block network traffic to build a firewall. The library contains an ActiveX control that can be used from
RAD development tools like Microsoft Visual Basic or Borland Delphi. For scripting languages there are corresponding lightweight COM classes.
Some of the classes are PacketXClass AdapterCollection Adapter Packet _IPktXPacketXEvents_OnPacketEventHandler
3.2 Modules:
3.2.1 Login/logout for Admin:
Required to login and logout before and after access the Application for Admin. Required username and password for security purpose just to identify them selves.
This is for the Admin, member of the Application have access to the management administration Form. Management Admin can provide the IP Addresses or Domain Name (Example news.microsoft.com) to connect Network news transfer Protocol server,
3.2.3 Ping Information:
The ping utility is essentially a system administrator's tool that is used to see if a computer is operating and if network connections are intact. Ping uses the Internet Control Message Protocol (ICMP) Echo function which The ping utility verifies connections to a remote computer or computers. You can use ping to test both the computer name and the IP address. If the IP address is verified, but the computer name is not, you may have a name resolution problem. In this case, make sure the computer name you are querying is in either the local host file or in the DNS database.
3.2.4 Hop Information:
Definition: In computer networking, a hop represents one portion of the path between source and destination. When communicating over the Internet, for example, data passes through a number of intermediate devices (like routers) rather than flowing directly over a single wire. Each such device causes data to "hop" between one point-to-point network connection and another.
3.2.5 Packet Information:
A packet is the unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network. When any file (e-mail message, HTML file, Graphics Interchange Format file, Uniform Resource Locator request, and so forth) is sent from one place to another on the Internet, the Transmission Control Protocol (TCP) layer of TCP/IP divides the file into "chunks" of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different
routes through the Internet. When they have all arrived, they are reassembled into the original file (by the TCP layer at the receiving end).
3.2.6 NetStat Information:
The netstat command displays the protocol statistics and current TCP/IP connections on the local system. Used without any switches, the netstat command shows the active connections for all outbound TCP/IP connections. In addition, several switches are available that change the type of information netstat displays. Table 5 shows the various switches available for the netstat utility.
3.2.7 Trace Route Information:
The traceroute application will print the route that packets take in order to arrive at a network host. It works by trying to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to a particular host. For this reason, the times, which are actually returned
in the traceroute readout, are not actually reflective of the times that it requires packets from another protocol such as telnet, SMTP, or FTP to arrive at the destination and gateways along the route.
Usage:
This application is useful for determining whether a host is up and running on the network and/or whether there is a host or gateway along the path that is not passing along packets properly.
3.3 Software Requirements Specification:
This is the requirements document for the project. The system to be developed is for capturing the packets flowing in the network and analyzes them. The information in the various headers of the packets is to be extracted and saved into the output file.
Introduction: Purpose:
To develop a tool that easily analyzes the network traffic flow on that particular system and to show the information for the administrator in human readable format.
Scope:
This can be used by network administrators, organizations and by common man who want to know the network flow, in and out, of the system and also save the file for later analysis such as load on the system, network intrusion detection etc. Developer’s Responsibilities Overview:
The developer is responsible for: Developing the system.
Installing the software on the client’s hardware. General Description:
Product Functions Overview:
In a computer network every system can see all the packets flowing in the network, but can capture the packets that are addressed to that particular system only. But the product must be able to make a copy of all the packets flowing in the network, which are address to it and also not address to it. The packet copied must be stored in a buffer. Each packet has headers in which information about the packet will be stored in a specified format. This information must be extracted and if necessary covert into human readable form and store it in the output files.
User Characteristics:
The user of the system will be the systems administrator who controls and configures the network traffic through the server.
General Constraints:
The system should have winpcap & packetx installed. General assumptions and dependencies:
The assumption is that the packets moving in the networking are coming from only Ethernet and not from any other like FDDI, etc.
3.3.1 Specific Requirements: Inputs and Outputs:
Inputs: Raw packets flowing in the network of the system on which the Packet Sniffer is installed.
Outputs: The output is stored in a file. Functional Requirements:
Capture the packets in the network at the data link layer before they are passed to the protocols implemented in the kernel.
Strip off the various headers in each packet and analyze the information in it.
Append the information in the headers of the packet into output file in a specified format.
Performance Constraints:
The maximum size of the buffer to hold the packet is 2000 bytes. The speed of the networks should not exceed 100Mbps if it exceeds this speed all the packets may not be analyzed.
3.4 Feasibility Study:
It is necessary and prudent to evaluate the feasibility of a project at the earliest possible time. There may be different ways of checking whether a system is feasible
Operational feasibility:
In this test, the operational scope of the system is checked. The system under consideration should have enough operational research. It is observed that proposed system is very user friendly and since the system is built with enough help, even persons with little knowledge of windows can find the system very easy.
Technical feasibility:
This test includes a study of function, performance and constraints that may affect the ability to achieve an acceptable system. This test begins with an assessment of the technical viability of the proposed system. One of the main factors to be accessed is the need of various kinds of resources for the successful implementation of the proposed system.
Economical feasibility:
An evaluation of development cost weighed against the ultimate income of benefit from the development of the proposed system is made. Care must be taken regarding the costs that incur in the development process of the proposed system.
3.5 Requirements Specification:
Software Environment:
The system will run under .net Framework that is to be installed on the system. Operating Platform : WINDOWS XP
Front End : Visual Studio .NET
Back End : SQL Server 2000
Language : C# .NET
Hardware Environment:
Processor : Pentium IV
HDD : 5 GB
LAN : Enabled
Acceptance Criteria:
Before accepting the system, the developer will have to demonstrate how the system works on the given data. The developer will have to show by suitable test cases that all conditions are satisfied.
4. SYSTEM DESIGN
Software Engineering is the systematic approach to the development, operation, maintenance, and retirement of software.
All Software products can be developed with the help of a Software Process i.e. Software Life Cycle. This Software Process is nothing but a series of identifiable stages that a software product undergoes during its lifetime. And this series basically starts with a Feasibility Study Stage, Requirement Analysis and Specification, Design, Coding, Testing and Maintenance. Each of these phases is called the Life Cycle Phase. And this Software process is achieved, with the help of software life cycle model (or process model). A Process Model is a descriptive and diagrammatical model of a software Process. A process model identity all the activities required to develop and maintain a software product, and establish a precedence ordering among the different activities.
A process model defines entry and exit criteria for every phase. e.g. the corresponding phase-entry criteria for the Software Requirement Specification phase can be that the software Requirement Specification document has been completed, internally reviewed, and approved by the customer. With such well-defined entry and exit criteria for various phases, it becomes easier to manage and monitor the progress of the project. Thus, we can say that life cycle models encourage development of software in a systematic and disciplined manner. Due to the above fact, the developer should adhere to well-defined life cycle model. Thus, a major advantage of adhering to a well-defined life cycle model is that it helps to control and organize systematically various activities of the product, which is taken to develop. When a life cycle model is adhered to, the developer can easily tell at which stage (e.g. design, code, testing) of development, the project currently is. If no life cycle model is adhered to, it becomes very difficulty to chart the progress of the project and the developer may face a problem known as the 99% complete syndrome. In this syndrome, which appears when there is no definite way to access the progress of the project, the optimistic developer feels that the project is 99% complete, even when the project is far from its completion. Success or completion of project is heavily dependent upon which type of life cycle model the developer is going to adhere. So a life cycle model plays an important role in the successful completion of a project. Basically five types of life cycle models are used, while developing a software product.
Classical waterfall Model. Iterative waterfall Model. Evolutionary Model Prototyping Model. Spiral Model.
During the development of the project Packet Sniffer, I followed the Classical Waterfall Model. This model divides the life cycle of a software development process into the phases, shown below:
Development phase = Feasibility Study + Requirement Analysis and Specification + Design + Coding and Unit Testing + Integration and system testing.
4.1 Problem Specification:
Network Administrators have to maintain the network to meet the needs of the users. For this they should have the information of the network traffic so that they can fine tune their systems according to the traffic on the network and enhance the performance of the servers to provide efficient and reliable facilities to the users. So they want a utility that can monitor the traffic on their network. The parties involved are:
Client/End-users: Network administrator
To transmit data from host A to host B, the data has to travel via x,y, hosts in the network. So every host will see all the packets, but in normal operation it will take only the packets, which are addressed to it, and the packets are passed to the kernel where further analysis of the packet takes place. So our problem now is to make a copy of all the packets flowing in the network even though they are not addressed to our host and pass them directly to our application program without passing them to the kernel. The proposed system should not disturb the network traffic or modify any of the packets. It should merely make a copy of the packets. Each packet must be analyzed in detail. This information must be stored in output file so that the administrator can later take printouts. Also time and date of arrival of the packet must be found and stored in the output files.
4.2 Data Flow Diagrams:
Data flow diagrams are made up of a number of symbols, which represent system components. Most data flow modeling methods use four kinds of symbols. These symbols are used to represent four kinds of system components: processes, data stores, data flows and external entities.
The data flow diagrams for the current project are show in the following figure. It is the data flow diagram for the entire process. It specifies the major
the first step in the structured design method. In the project, the inputs are the packets that are flowing in the network interface that is set to promiscuous mode. The output is the information contained in the packets in human readable form, which is stored in the output file.
The context diagram and data flow diagram of the proposed system are given as follows:
Fig: Context Diagram
.
Fig: DFD for the Protocol Analyzer process Network interface card Protocol Analyzer Administrato r Packets Repor ts Promiscuous mode packets Ip header dtl header Separat e headers dtl header info ip &dtl Headers Info Transport layer header output ip header analysi s tl heade r analys is dtl header analysi s
The data flow diagrams for the current project are show in the following figure. It is the data flow diagram for the entire process. It specifies the major transform centers in the approach to be followed for producing the software. This is the first step in the structured design method. In the project, the inputs are the packets that are flowing in the network interface that is set to promiscuous mode. The output is the information contained in the packets in human readable form, which is stored in the output file.
Fig: Data flow diagram for Packet Sniffer
Explanation:
In the diagram the input is obtained as packets from the network interface by the ‘Get packets’ process. For that this process defines a packet socket and obtains the raw packets from the network interface and stores them into a buffer. The buffer containing the packets is passed to the ‘separate header’ process, which strips off various headers of the packet and passes them to ‘analyze headers’ process where they will be analyzed and the information is passed on to the ‘update output file’ process. Here the output file will be updated with the latest information obtained from the later processes.
The most abstract inputs are the stripped off headers and the most abstract output is the information in the headers in human readable form.
4.3 Structure Charts:
For a function-oriented design, structure charts can represent the design
Update output file Packets Buffer with packets Get packet s Separat e headers hdr’s Analyze header s Info in headers
together with the interconnections between modules. The structure chart of a program is a graphic representation of its structure. In a structure chart, a box represents a module with the module name written in the box. The parameters returned as output by a module.
Fig: Structure Chart
In the structure chart, there are three modules: - one for input, one for output and another is called the central transform module which performs the basic transformation for the system, taking the most abstract input and transforming it into the most abstract output. The main module’s job is to invoke the subordinates.
Here, there is one input module, which returns the headers in the packet to the main module. The main module passes these headers to the protocol analysis module, which transforms them into human readable information. This information is passed to the main module. The main module passes this information to the output module, which updates the output files.
35 MAIN Get Input Protocol Analysis Output hdr’s info hdr’s info buf buf Get Input
Adapter receive Strip off
hdr ’s
hdr ’s
Fig. Input Module
In the input module, the network interface is turned into promiscuous mode so that all the packets can be captured even though they are not intended to it. This is done by defining an adapter object and reading all the packets into a buffer. Then each packet is taken and the various headers are stripped off and sent to the main module.
packetf d
packetf d
info
info info info
Protocol Analyzer ip ARP &RARP hdr’ s info arp or rarp hdr ip hdr
Fig: Protocol Analysis Module
The central transform module is shown in figure. In the central transform module i.e. protocol analysis system, the process is split into three modules viz. ip, arp and rarp. Here the major decision is taken about which module to be invoked by the central module basing on the type of header sent by the main module. The ip module takes a further decision as which module to be invoked based on the type of header passed to it. IP module is further divided into icmp, igmp, tcp and udp modules. The modules are named after the type of headers they handle. Each module knows the specified format in which the information in that particular header is stored, so they convert it into required format by which we can easily understand and know about the packets in detail. This information is passed to the main module.
Fig: Output Module
This module gets the information stored in the headers of the packets as input from the main module. The output module is split into two sub-modules. The first
Append into file Print reports Output info ofstream ofstream
module updates the output files with the input obtained by the main module and passes back the file pointers to the ’output’ module. These file streams are passed to the ‘print reports’ module where the reports are printed.
4.4 UML Diagrams:
Unified Modeling LanguageThis mapping permits forward engineering: The generation of code from a UML model into a programming language. The reverse is also possible: You can reconstruct a model from an implementation back into the UML. Reverse engineering is not magic. Unless you encode that information in the implementation, information is lost when moving forward from models to code. Reverse engineering thus requires tool support with human intervention. Combining these two paths of forward code generation and reverse engineering yields round-trip engineering, meaning the ability to work in either a graphical or a textual view, while tools keep the two views consistent.
In addition to this direct mapping, the UML is sufficiently expressive and unambiguous to permit the direct execution of models, the simulation of systems, and the instrumentation of running systems.
The UML is a Language for Documenting:
A healthy software organization produces all sorts of artifacts in addition to raw executable code. These artifacts include (but are not limited to)
Requirements Architecture Design Source code Project plans Tests Prototypes
Depending on the development culture, some of these artifacts are treated more or less formally than others. Such artifacts are not only the deliverables of a project, they are also critical in controlling, measuring, and communicating about a system during its development and after its deployment.
The UML addresses the documentation of a system's architecture and all of its details. The UML also provides a language for expressing requirements and for tests. Finally, the UML provides a language for modeling the activities of project planning and release management Applications
The UML is intended primarily for software-intensive systems. It has been used effectively for such domains as
Enterprise information systems Banking and financial services Telecommunications Transportation Defense/aerospace Retail Medical electronics Scientific
Distributed Web-based services
The UML is not limited to modeling software. In fact, it is expressive enough to model non-software systems, such as workflow in the legal system, the structure and behavior of a patient healthcare system, and the design of hardware.
A Conceptual Model of the UML:
To understand the UML, you need to form a conceptual model of the language, and this requires learning three major elements: the UML's basic building blocks, the rules that dictate how those building blocks may be put together, and some common mechanisms that apply throughout the UML. Once you have grasped these ideas, you will be able to read UML models and create some basic ones. As you gain
more experience in applying the UML, you can build on this conceptual model, using more advanced features of the language.
Building Blocks of the UML:
The vocabulary of the UML encompasses three kinds of building blocks: Things
Relationships Diagrams
Things are the abstractions that are first-class citizens in a model; relationships tie these things together; diagrams group interesting collections of things.
Things in the UML:
There are four kinds of things in the UML: Structural things
Behavioral things Grouping things Annotational things
These things are the basic object-oriented building blocks of the UML. You use them to write well-formed models.
Structural Things:
Structural things are the nouns of UML models. These are the mostly static parts of a model, representing elements that are either conceptual or physical. In all, there are seven kinds of structural things.
First, a class is a description of a set of objects that share the same attributes, operations, relationships, and semantics. A class implements one or more interfaces. Graphically, a class is rendered as a rectangle, usually including its name, attributes,
CLASS: NewClass window origin size open() close() move()
Second, an interface is a collection of operations that specify a service of a class or component. An interface therefore describes the externally visible behavior of that element. An interface might represent the complete behavior of a class or component or only a part of that behavior. An interface defines a set of operation specifications (that is, their signatures) but never a set of operation implementations. Graphically, an interface is rendered as a circle together with its name. An interface rarely stands alone. Rather, it is typically attached to the class or component that realizes the interface.
INTERFACE:
NewInterfac e
Third, a collaboration defines an interaction and is a society of roles and other elements that work together to provide some cooperative behavior that's bigger than the sum of all the elements. Therefore, collaborations have structural, as well as behavioral, dimensions. A given class might participate in several collaborations. These collaborations therefore represent the implementation of patterns that make up a system. Graphically, collaboration is rendered as an ellipse with dashed lines, usually including only its name.
Fourth, a use case is a description of set of sequence of actions that a system performs that yields an observable result of value to a particular actor. A use case is
used to structure the behavioral things in a model. A use case is realized by collaboration. Graphically, a use case is rendered as an ellipse with solid lines, usually including only its name.
UseCase
The remaining three things—active classes, components, and nodes—are all class-like, meaning they also describe a set of objects that share the same attributes, operations, relationships, and semantics. However, these three are different enough and are necessary for modeling certain aspects of an object-oriented system, and so they warrant special treatment.
Fifth, an active class is a class whose objects own one or more processes or threads and therefore can initiate control activity. An active class is just like a class except that its objects represent elements whose behavior is concurrent with other elements. Graphically, an active class is rendered just like a class, but with heavy lines, usually including its name, attributes, and operations.
The remaining two elements—component, and nodes—are also different. They represent physical things, whereas the previous five things represent conceptual or logical things.
Sixth, a component is a physical and replaceable part of a system that conforms to and provides the realization of a set of interfaces. In a system, you'll encounter different kinds of deployment components, such as COM+ components or Java Beans, as well as components that are artifacts of the development process, such as source code files. A component typically represents the physical packaging of otherwise logical elements, such as classes, interfaces, and collaborations. Graphically, a component is rendered as a rectangle with tabs, usually including only its name.
NewComponent
Seventh, a node is a physical element that exists at run time and represents a computational resource, generally having at least some memory and, often, processing capability. A set of components may reside on a node and may also migrate from node to node. Graphically, a node is rendered as a cube, usually including only its name.
Behavioral Things:
Behavioral things are the dynamic parts of UML models. These are the verbs of a model, representing behavior over time and space. In all, there are two primary kinds of behavioral things.
First, an interaction is a behavior that comprises a set of messages exchanged among a set of objects within a particular context to accomplish a specific purpose. The behavior of a society of objects or of an individual operation may be specified with an interaction. An interaction involves a number of other elements, including messages, action sequences (the behavior invoked by a message), and links (the connection between objects). Graphically, a message is rendered as a directed line, almost always including the name of its operation.
Second, a state machine is a behavior that specifies the sequences of states an object or an interaction goes through during its lifetime in response to events, together with its responses to those events. The behavior of an individual class or a collaboration of classes may be specified with a state machine.
A state machine involves a number of other elements, including states, transitions (the flow from state to state), events (things that trigger a transition), and
activities (the response to a transition). Graphically, a state is rendered as a rounded rectangle, usually including its name and its sub states, if any.
STATE:
NewState
These two elements—interactions and state machines—are the basic behavioral things that you may include in a UML model. Semantically, these elements are usually connected to various structural elements, primarily classes, collaborations, and objects.
Grouping Things:
Grouping things are the organizational parts of UML models. These are the boxes into which a model can be decomposed. In all, there is one primary kind of grouping thing, namely, packages.
A package is a general-purpose mechanism for organizing elements into groups. Structural things, behavioral things, and even other grouping things may be placed in a package. Unlike components (which exist at run time), a package is purely conceptual (meaning that it exists only at development time). Graphically, a package is rendered as a tabbed folder, usually including only its name and, sometimes, its contents.
PACKAGE:
Packages are the basic grouping things with which you may organize a UML model. There are also variations, such as frameworks, models, and subsystems (kinds of packages).
Annotational things are the explanatory parts of UML models. These are the comments you may apply to describe, illuminate, and remark about any element in a model. There is one primary kind of annotational thing, called a note. A note is simply a symbol for rendering constraints and comments attached to an element or a collection of elements. Graphically, a note is rendered as a rectangle with a dog-eared corner, together with a textual graphical comment.
NOTES:
This element is the one basic annotational thing you may include in a UML model. You'll typically use notes to adorn your diagrams with constraints or comments that are best expressed in informal or formal text. There are also variations on this element, such as requirements (which specify some desired behavior from the perspective of outside the model).
Relationships in the UML :
There are four kinds of relationships in the UML: 1. Dependency
2. Association 3. Generalization 4. Realization
These relationships are the basic relational building blocks of the UML. You use them to write well-formed models.
First, a dependency is a semantic relationship between two things in which a change to one thing (the independent thing) may affect the semantics of the other thing (the dependent thing). Graphically, a dependency is rendered as a dashed line, possibly directed, and occasionally including a label.
DEPENDANCY:
ASSOCIATION:
Employer employee
Second, an association is a structural relationship that describes a set of links, a link being a connection among objects. Aggregation is a special kind of association, representing a structural relationship between a whole and its parts. Graphically, an association is rendered as a solid line, possibly directed, occasionally including a label, and often containing other adornments, such as multiplicity and role names.
Third, a generalization is a specialization/generalization relationship in which objects of the specialized element (the child) are substitutable for objects of the generalized element (the parent). In this way, the child shares the structure and the behavior of the parent. Graphically, a generalization relationship is rendered as a solid line with a hollow arrowhead pointing to the parent.
GENERALIZATION:
. Fourth, a realization is a semantic relationship between classifiers, wherein one classifier specifies a contract that another classifier guarantees to carry out. You'll encounter realization relationships in two places: between interfaces and the classes or components that realize them, and between use cases and the collaborations that realize them. Graphically, a realization relationship is rendered as a cross between a generalization and a dependency relationship.
REALIZATION:
These four elements are the basic relational things you may include in a UML model. There are also variations on these four, such as refinement, trace, include, and
