Network Analyser
Mini project report submitted in partial fulfillment of the requirement for the award of the degree of
Master of Technology In Computer Science and Engineering by Abdul Gafur M (M050183CS) Guided by: Mr. Saidalavi Kaladi
Department of Computer Engineering, National Institute of Technology, Calicut, Kerala - 673601.
CERTIFICATE
This is to certify that Network Analyser is a bonafide record of the mini project done by Abdul Gafur M (M050183CS) under our supervision and guidance. The project report has been submitted to the Department of Computer Engineering of the National Institute of Technology, Calicut in partial fulfillment of the Degree of Master of Technology in Computer Science and Engineering.
Dr. M.P. Sebastian, Head of the Department, Dept. of Computer Engineering.
Mr. Saidalavi Kaladi, Lecturer, Dept. of Computer Engineering.
ACKNOWLEDGEMENT
I have been very fortunate to have Mr. Saidalavi Kaladi, Lecturer, Department of Computer Engineering, as my guide, whose timely guidance, advice and inspiration helped me in the preparation of this Mini Project. I express my sincere gratitude for having been guided through this work. I am thankful to Dr. M.P. Sebastian, Head of the Computer Engineering Department, for his encouragement and for giving me this opportunity.
Abdul Gafur M.
ABSTRACT
Network Analyser is a network traffic monitoring, analysis and remote Operating System detection and reporting tool, based on the Windows operating system (all versions). It captures and analyzes all traffic transported over both Ethernet and WLAN networks and decodes all major TCP/IP and application protocols. With Network Analyser, you can easily filter the network traffic to focus on the information that you are looking for. The detailed GUI report allows you to understand network performance, bandwidth usage, network protocols and communicating hosts quickly. In addition, the tool identifies the remote Operating System of hosts inside and outside the LAN.
TABLE OF CONTENTS
1. INTRODUCTION
2. KEY FEATURES
3. IMPORTANT FUNCTIONALITIES
   a. Remote Operating System Detection
   b. Current Data Rate Calculation
   c. Host and Protocol Identification
4. PLATFORM and LANGUAGE USED
5. CONCLUSION
6. REFERENCES
INTRODUCTION
The network becomes the business. You must ensure network security, identify possible security breaches, trace the root cause and take action quickly. You need to know how your network bandwidth and other resources are used, for accounting, auditing or network planning purposes. You need to monitor network traffic and conduct forensic analysis to ensure that company policies are complied with and that violations are recorded and stopped. You may have problems in your newly deployed applications and must know what is wrong and fix the problems immediately. You may be developing a new application and need a handy tool to assist you in debugging and testing by examining every packet and message. Or, for whatever reason, you just need a quick peek at the packets passing through the network. It is a cruel irony in information security that many of the features that make computers easier or more efficient to use, and the tools used to protect and secure the network, can also be used to exploit and compromise the same computers and networks. As far as the security of the network is concerned, resource identification has great importance. For example, learning remote OS versions can be an extremely valuable network investigation tool, since many security holes depend on the OS version.
KEY FEATURES
• Monitoring network traffic for performance, bandwidth usage and security reasons.
• Easy to understand: reports are generated and viewed in tables and popup windows, so the result data is very easy to understand.
• Easy to use: even a novice can use it with minutes of self-training.
• Real-time packet capture and analysis over both Ethernet and WLAN.
• Remote Operating System detection (inside and outside of the LAN).
• Protocol decoders for TCP/IP and many application protocols, including ICMP, IP, TCP, UDP and DNS.
• The tool can be used on Linux and Windows platforms with minor changes to the supporting software.
IMPORTANT FUNCTIONALITIES
1. Remote Operating System Detection
I have used one valuable piece of information, the hop-limit (the TTL field of the IPv4 packet header), for identifying the remote OS. The default hop-limit varies from system to system depending on the underlying OS. When a packet is captured by the Network Analyser I check this value. For example, the default hop-limit of a Linux machine is 64 and that of a Windows machine is 128. The hop-limit in the packet is decremented by one at each hop along its path from source to destination. Since the gap between the default hop-limits is significantly large, this decrement does not prevent us from using the value for our purpose. Sample screen shots are given below.
2. Current Data Rate Calculation
To get the data rate we calculate the sum of the lengths of the packets received in every second. For this purpose I set a timer with a one-second duration. The program accumulates the total length of the data received by the interface card during this period, and after every second the procedure repeats. I implemented the timer using javax.swing.Timer. In addition, I read the current system time using the Calendar class and its subclass GregorianCalendar. The program segment and a screen shot are shown below.
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.concurrent.atomic.AtomicLong;
import javax.swing.Timer;
import jpcap.JpcapHandler;
import jpcap.Packet;

// Inside class datarate1. The jpcap capture object and the two Swing labels
// (CurrenttimeLabel1, DatarateLabel1) are fields initialised elsewhere in the program.

// Bytes seen in the current one-second window. It is written by the capture
// thread and read/reset by the Swing timer thread, so an AtomicLong is used
// instead of a plain int to avoid lost updates between the two threads.
static final AtomicLong rate = new AtomicLong();

void startMonitoring() {   // method name not shown in the original listing
    Timer timer = new Timer(1000, new ActionListener() {
        public void actionPerformed(ActionEvent evt) {
            Calendar cal = new GregorianCalendar();
            // Components of the current time (12-hour clock)
            int hour12 = cal.get(Calendar.HOUR);
            int min = cal.get(Calendar.MINUTE);
            int sec = cal.get(Calendar.SECOND);
            int ampm = cal.get(Calendar.AM_PM);
            String tme1 = hour12 + ":" + min + ":" + sec + (ampm == Calendar.PM ? " PM" : " AM");

            // Read the byte count of the last second and reset it in one step
            long bytes = rate.getAndSet(0);
            if (bytes != 0) {
                CurrenttimeLabel1.setText(" Current Time : " + tme1);
                // bytes per second * 8 / 1000 = kilobits per second
                DatarateLabel1.setText(" Data Rate : " + (bytes * 8 / 1000) + " Kbps");
            }
        }
    });
    timer.start();
    // Capture indefinitely; every captured packet is handed to analyse1
    jpcap.loopPacket(-1, new analyse1());
}

class analyse1 implements JpcapHandler {
    public void handlePacket(Packet packet) {
        // Add the captured length of this packet to the current window
        datarate1.rate.addAndGet(packet.len);
    }
}

[Screen shot]
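The same per-second calculation can be done without a timer thread by bucketing packets by the integer second of their capture timestamp. The following is an added example written for this report, not the Network Analyser's own code; the packet list is constructed (timestamp in seconds, frame length in bytes) and the conversion to kilobits per second is explicit.

```python
"""Per-second data-rate calculation over a captured packet stream.

Added example (not the Network Analyser's own code): packets are bucketed by
the integer second of their capture timestamp, which is deterministic and
needs no shared mutable counter between a capture thread and a display thread.
"""
from collections import defaultdict

# Constructed sample: (capture timestamp in seconds, frame length in bytes).
SAMPLE_PACKETS = [
    (1000.05, 1514), (1000.40, 1514), (1000.90, 60),   # second 1000: 3088 bytes
    (1001.10, 60),                                      # second 1001: 60 bytes
    (1003.20, 1514), (1003.70, 1514),                   # second 1003: 3028 bytes; 1002 idle
]


def bytes_per_second(packets):
    """Sum frame lengths into one-second buckets keyed by int(timestamp)."""
    buckets = defaultdict(int)
    for ts, length in packets:
        buckets[int(ts)] += length
    return dict(buckets)


def kbps_series(packets):
    """Return [(second, kilobits per second)], reporting idle seconds as 0.

    Bytes are converted to kilobits (x8 / 1000); dividing bytes by 1000
    would give kilobytes per second, not kilobits.
    """
    buckets = bytes_per_second(packets)
    if not buckets:
        return []
    first, last = min(buckets), max(buckets)
    return [(s, buckets.get(s, 0) * 8 / 1000) for s in range(first, last + 1)]


def peak_kbps(packets):
    """The (second, kbps) pair with the highest rate, or None for no traffic."""
    series = kbps_series(packets)
    return max(series, key=lambda p: p[1]) if series else None


if __name__ == "__main__":
    for second, kbps in kbps_series(SAMPLE_PACKETS):
        print(f"{second}: {kbps:.3f} kbps")
```

Idle seconds appear as explicit zero entries, so a gap in capture is visible rather than silently skipped, which matters when the rate is used to spot unusual bursts or drops.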
3. Host and Protocol Identification
We have enough information in our captured packet to identify the different machines or hosts communicating in the network and the protocols they use for that communication. We can easily classify a packet based on its port numbers. Different applications use different port numbers; for example, the HTTP port number is 80, the FTP port number is 21 and the SMTP port number is 25. Since reliability is very important for all of these applications, they use TCP as the transport layer protocol. Similarly, there are other applications, such as DNS and RTP, that use UDP as the transport layer protocol, because in these cases timing is more important than reliability. A screen shot of the captured details is shown below.
In the above screen shot there is a port number 53, as shown in color. Note that the corresponding transport layer protocol is UDP. This is because 53 is the port number of DNS, where timing is more important than reliability.
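The following added example, written for this report rather than taken from the Network Analyser's code, ties sections 1 and 3 together: it parses constructed Ethernet/IPv4/TCP/UDP frames, reads the TTL (the IPv4 name for the hop-limit the report uses), guesses the sender's default value and hop count, and classifies each conversation by transport protocol and well-known port. The default TTL table (64, 128, 255), the port-to-service table, the hop threshold and the RFC 5737 documentation addresses in the sample frames are assumptions made for the example.

```python
"""Host, protocol and remote-OS inference from captured frames.

Added example, not the Network Analyser's own code. Frames are constructed
in-line; the default-TTL table, the service-by-port table and the hop
threshold are assumptions drawn from the report's text.
"""
import struct

ETH_P_IP = 0x0800
DEFAULT_TTLS = (64, 128, 255)               # common initial TTL values (assumption)
OS_BY_TTL = {64: "Linux/Unix-like", 128: "Windows", 255: "other (e.g. network device)"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
SERVICE_BY_PORT = {80: "HTTP", 21: "FTP", 25: "SMTP", 53: "DNS"}
MAX_PLAUSIBLE_HOPS = 30  # beyond this the TTL-to-OS guess is ambiguous (assumption)


def parse_frame(frame):
    """Return the fields the analyser needs from an Ethernet/IPv4 frame, or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    (ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:      # TCP and UDP both start with the two ports
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": sport, "dport": dport}


def guess_os(ttl):
    """Infer (os_guess, hops_travelled, confident) from an observed TTL.

    The initial TTL is taken as the smallest default >= the observed value,
    so hops = initial - observed. A path longer than the gap between two
    defaults is misattributed, which is the limitation the report notes;
    the confidence flag marks implausibly long paths.
    """
    initial = next((d for d in DEFAULT_TTLS if d >= ttl), 255)
    hops = initial - ttl
    return OS_BY_TTL[initial], hops, hops <= MAX_PLAUSIBLE_HOPS


def service_name(rec):
    """Map the well-known side of a conversation to an application protocol."""
    for port in (rec["dport"], rec["sport"]):
        if port in SERVICE_BY_PORT:
            return SERVICE_BY_PORT[port]
    return rec["proto"]


def build_frame(src, dst, ttl, proto, sport, dport, payload=b""):
    """Constructed test frame: Ethernet + minimal IPv4 + 8-byte L4 header."""
    l4 = struct.pack("!HHI", sport, dport, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, ttl, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP) + ip + l4


# Constructed capture using RFC 5737 documentation addresses.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "192.0.2.1", 61, 17, 40000, 53),     # DNS query, 3 hops from a 64 default
    build_frame("198.51.100.7", "192.0.2.10", 118, 6, 80, 50000),  # HTTP reply, 10 hops from 128
    build_frame("203.0.113.9", "192.0.2.10", 20, 6, 25, 50001),    # SMTP, TTL too low to attribute
]


def summarise(frames):
    """One row per IPv4 frame: who talked to whom, over what, from which OS."""
    rows = []
    for f in frames:
        rec = parse_frame(f)
        if rec is None:
            continue
        os_guess, hops, confident = guess_os(rec["ttl"])
        rows.append((rec["src"], rec["dst"], rec["proto"], service_name(rec),
                     os_guess, hops, confident))
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE_FRAMES):
        print(row)
```

The third sample frame shows the failure mode discussed in the conclusion: a TTL of 20 is nearest to the 64 default, but 44 hops is implausible, so the row is flagged as not confident instead of being reported as a Linux host. In real captures the port check should also look at which side of the conversation is the server, since the well-known port may be either the source or the destination.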
PLATFORM and LANGUAGE USED
I have used Java 2 for coding, with JPCAP-4 and WINPCAP as supporting software. I have run the tool on the Windows platform. Some words about JPCAP and WINPCAP are included below.
JPCAP
Jpcap is a Java class package that allows Java applications to capture and/or send packets on the network. Jpcap is based on libpcap/winpcap and the Raw Socket API. Therefore, Jpcap is supposed to work on any OS on which libpcap/winpcap has been implemented. Currently, Jpcap has been tested on FreeBSD 3.x, Linux RedHat 6.1, Fedora Core 4, Solaris, and Microsoft Windows 2000/XP. Jpcap supports the following types of packets: Ethernet, IPv4, IPv6, ARP/RARP, TCP, UDP, and ICMPv4. Other types of packets are captured as raw packets (i.e., instances of the Packet class) which contain the whole data of the packet. This allows Java applications to analyze unsupported packet types.
WINPCAP
WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture. WinPcap consists of a driver, which extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well-known libpcap Unix API.
CONCLUSION
Network Analyser can be used to strengthen the security of our network. Its resource identification, such as OS detection, helps to prevent security vulnerabilities to a certain extent. As mentioned earlier, remote OS versions can be an extremely valuable network investigation tool, since many security holes depend on the OS version. Availability of the data rate at any moment in the network is valuable information for a network administrator. But Network Analyser is not free from demerits. For example, if a packet makes a large number of hops (exactly speaking, if the number of hops exceeds the difference between the default hop-limits), our tool will not give correct information. But this is very rare in the network. Since the tool can also run in a Linux environment, it is acceptable to those who prefer open source and free software.
REFERENCES
1. James F. Kurose and Keith W. Ross, Computer Networking: A Top-Down Approach Featuring the Internet.
2. Douglas Comer, Internetworking with TCP/IP.
3. http://netresearch.ics.uci.edu/kfujii/jpcap