
Network Analyser

Mini project report


submitted in partial fulfillment of
the requirement for the award of the degree of

Master of Technology
In
Computer Science and Engineering
by

Abdul Gafur M
(M050183CS)

Guided by: Mr. Saidalavi Kaladi

Department of Computer Engineering,
National Institute of Technology, Calicut,
Kerala - 673601.

CERTIFICATE

This is to certify that Network Analyser is a bona fide record of the
mini project done by Abdul Gafur M (M050183CS) under our
supervision and guidance. The project report has been submitted to
Department of Computer Engineering of National Institute of
Technology, Calicut in partial fulfillment of Degree of Master of
Technology in Computer Science and Engineering.

Dr. M.P. Sebastian,
Head of the Department,
Dept. of Computer Engineering.

Mr. Saidalavi Kaladi,
Lecturer,
Dept. of Computer Engineering.

ACKNOWLEDGEMENT

I have been very fortunate to have Mr. Saidalavi Kaladi, Lecturer,
Department of Computer Engineering, as my guide, whose timely
guidance, advice and inspiration helped me in the preparation of this
Mini Project. I express my sincere gratitude for having guided me
through this work. I am thankful to Dr. M.P. Sebastian, Head of Computer
Engineering Department, for his encouragement and for giving me this
opportunity.

Abdul Gafur M.

ABSTRACT

Network Analyser is a network traffic monitoring, analysis and
remote Operating System detection and reporting tool, based on
the Windows operating system (all versions). It captures and analyzes
all traffic transported over both Ethernet and WLAN networks and
decodes all major TCP/IP and application protocols. With Network
Analyser, you can easily filter the network traffic to focus on the
information that you are looking for. The detailed GUI report allows
you to understand network performance, bandwidth usage, network
protocols and communicating hosts quickly. In addition, the tool
identifies the remote Operating System of hosts inside and outside
the LAN.

TABLE OF CONTENTS

1. INTRODUCTION
2. KEY FEATURES
3. IMPORTANT FUNCTIONALITIES
   a. Remote Operating System Detection
   b. Current Data Rate Calculation
   c. Host and Protocol Identification
4. PLATFORM and LANGUAGE USED
5. CONCLUSION
6. REFERENCES

INTRODUCTION

The Network becomes the business... You must ensure network
security, identify possible security breaches, trace the root cause and
take action quickly. You need to know how your network bandwidth
and other resources are used, for accounting, auditing or network
planning purposes. You need to monitor network traffic and conduct
forensic analysis to ensure company policies are complied with and
violations are recorded and stopped. You may have problems in your
newly deployed applications and must know what is wrong and fix the
problems immediately. You are developing a new application and need
a handy tool to assist you in debugging and testing by examining
every packet and message. Or, for whatever reason, you just need to
have a quick peek at the packets passing through the network.

It is a cruel irony in information security that many of the features
that make using computers easier or more efficient, and the tools used
to protect and secure the network, can also be used to exploit and
compromise the same computers and networks. As far as the security of
the network is concerned, resource identification has great
importance. For example, learning remote OS versions can be an
extremely valuable network investigation tool, since many security
holes are dependent on OS version.

KEY FEATURES

• Monitoring network traffic for performance, bandwidth usage,
  and security reasons
• Easy to understand: reports are generated and viewed in tables and
  popup windows, so the result data is very easy to understand
• Easy to use. Even a novice can use it with minutes of
  self-training
• Real-time packet capture and analysis over both Ethernet and
  WLAN
• Remote Operating System detection (inside and outside of the
  LAN)
• Protocol decoders for TCP/IP and many application protocols
  including ICMP, IP, TCP, UDP, DNS
• The tool can be used on Linux and Windows platforms with minor
  changes to the supporting software

IMPORTANT FUNCTIONALITIES

1. Remote Operating System Detection

I have used one valuable piece of information, the hop-limit from the
IP packet header, for identifying the remote OS. The default hop-limit
varies from system to system depending on the underlying OS in the
system. When a packet is captured by the Network Analyser, I check
this information. For example, the default hop-limit of a Linux
machine is 64 and that of a Windows machine is 128. This hop-limit in
the packet is decremented by one at each hop along its path from
source to destination. Since the default hop-limits are significantly
far apart, this decrement will not prevent us from using it for our
purpose. Sample screen shots are given below.

2. Current Data Rate Calculation

To get the data rate, we calculate the sum of the lengths of the
packets received in every second. For this purpose I set a timer with
a duration of one second. The program calculates the total length of
the data received by the interface card during this period, and the
procedure repeats every second. I implemented the timer for this
purpose using javax.swing.Timer. In addition to that, I capture the
current system time using a powerful class called Calendar and its
subclass called GregorianCalendar. The program segment and screen
shot are shown below.

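import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.util.Calendar;
import java.util.GregorianCalendar;
import javax.swing.Timer;
import jpcap.JpcapHandler;
import jpcap.Packet;

// Fires once per second: shows the time and the data counted in that second.
// "rate" is the static counter datarate1.rate updated by the handler below.
Timer timer = new Timer(1000, new ActionListener() {
    public void actionPerformed(ActionEvent evt) {
        String tme1;
        Calendar cal = new GregorianCalendar();

        // Get the components of the time
        int hour12 = cal.get(Calendar.HOUR);
        //int hour24 = cal.get(Calendar.HOUR_OF_DAY);
        int min = cal.get(Calendar.MINUTE);
        int sec = cal.get(Calendar.SECOND);
        int ms = cal.get(Calendar.MILLISECOND);
        int ampm = cal.get(Calendar.AM_PM);

        tme1 = hour12 + ":" + min + ":" + sec;
        if (ampm == Calendar.PM)
            tme1 = tme1 + "PM";
        else
            tme1 = tme1 + "AM";

        if (rate != 0) {
            CurrenttimeLabel1.setText(" Current Time : " + tme1);
            // packet.len is in bytes, so convert to bits before scaling to Kbps
            DatarateLabel1.setText(" Data Rate : " + rate * 8 / 1000 + " Kbps");
        }
        rate = 0;   // start counting the next one-second window
    }
});
timer.start();

// Capture packets indefinitely (-1) and pass each one to the handler
jpcap.loopPacket(-1, new analyse1());

// Packet handler: adds the length of every captured packet to the counter
class analyse1 implements JpcapHandler
{
    public void handlePacket(Packet packet)
    {
        datarate1.rate += packet.len;
    }
}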

screen shots

3. Host and Protocol Identification

We have enough information in our captured packet to identify the
different machines or hosts communicating in the network and the
protocols they use for that communication. We can easily classify
the packets based on the port numbers. Different applications have
different port numbers; for example, the HTTP port number is 80, the
FTP port number is 21 and the SMTP port number is 25. Since
reliability is very important in all of these applications, they use
TCP as the transport layer protocol. Similarly, there are some other
applications, like DNS and RTP, that use UDP as the transport layer
protocol, because in these cases timing is more important than
reliability. A screen shot of the captured details is shown below.

In the above screen shot, port number 53 is shown in color. Note that
the corresponding transport layer protocol is UDP. This is because 53
is the port number of DNS, where timing is more important than
reliability.
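
The hop-limit heuristic of section 1 and the port-based classification of section 3, combined in one added example that is not code from the original report: it decodes raw IPv4 bytes with plain Java instead of Jpcap. The class name, method names and sample packets are constructed for illustration.

```java
import java.util.Map;

public class PassiveClassifier {
    // Only the ports the report names.
    static final Map<Integer, String> APPS = Map.of(80, "HTTP", 21, "FTP", 25, "SMTP", 53, "DNS");

    // OS family from the observed TTL, using the report's defaults (Linux 64, Windows 128).
    static String guessOs(int ttl) {
        if (ttl < 1 || ttl > 128) return "unknown";      // outside the report's two defaults
        int initial = ttl <= 64 ? 64 : 128;              // smallest default >= observed TTL
        return (initial == 64 ? "Linux" : "Windows") + ", about " + (initial - ttl) + " hops away";
    }

    // Decode a raw IPv4 packet (no link-layer header) into host, transport, application, OS guess.
    static String classify(byte[] p) {
        if (p.length < 20 || ((p[0] >> 4) & 0x0F) != 4) return "not IPv4";
        int ihl = (p[0] & 0x0F) * 4;                     // IPv4 header length in bytes
        if (ihl < 20 || p.length < ihl + 4) return "truncated";
        int ttl = p[8] & 0xFF, proto = p[9] & 0xFF;
        int fragOffset = ((p[6] & 0x1F) << 8) | (p[7] & 0xFF);
        String transport = proto == 6 ? "TCP" : proto == 17 ? "UDP" : "proto " + proto;
        String app = "unknown";
        if ((proto == 6 || proto == 17) && fragOffset == 0) {   // later fragments carry no ports
            int src = ((p[ihl] & 0xFF) << 8) | (p[ihl + 1] & 0xFF);
            int dst = ((p[ihl + 2] & 0xFF) << 8) | (p[ihl + 3] & 0xFF);
            // The well-known port belongs to the server, which can be either end.
            app = APPS.getOrDefault(dst, APPS.getOrDefault(src, "unknown"));
        }
        String host = (p[12] & 0xFF) + "." + (p[13] & 0xFF) + "." + (p[14] & 0xFF) + "." + (p[15] & 0xFF);
        return host + " " + transport + "/" + app + " (" + guessOs(ttl) + ")";
    }

    // Constructed sample: 20-byte IPv4 header from 192.0.2.10 followed by the two port fields.
    static byte[] sample(int ttl, int proto, int srcPort, int dstPort) {
        byte[] p = new byte[24];
        p[0] = 0x45; p[8] = (byte) ttl; p[9] = (byte) proto;
        p[12] = (byte) 192; p[13] = 0; p[14] = 2; p[15] = 10;
        p[20] = (byte) (srcPort >> 8); p[21] = (byte) srcPort;
        p[22] = (byte) (dstPort >> 8); p[23] = (byte) dstPort;
        return p;
    }

    public static void main(String[] args) {
        System.out.println(classify(sample(57, 17, 40000, 53)));    // DNS query, Linux default less 7 hops
        System.out.println(classify(sample(126, 6, 80, 51000)));    // HTTP reply, Windows default less 2 hops
        // Limitation named in the conclusion: a Windows sender 68 hops away arrives with
        // TTL 60 and cannot be told apart from a Linux host 4 hops away.
        System.out.println(classify(sample(60, 6, 51000, 25)));
    }
}
```

A host's default TTL is a configurable setting, so the OS result is a hint to corroborate with other evidence rather than an identification.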

PLATFORM and LANGUAGE USED

I have used JAVA 2 for coding and JPCAP-4 and WINPCAP as
supporting software. I have run the tool on the WINDOWS platform. I
have included some words about JPCAP and WINPCAP below.

JPCAP

Jpcap is a Java class package that allows Java applications to
capture and/or send packets to the network. Jpcap is based on
libpcap/winpcap and the Raw Socket API. Therefore, Jpcap is
supposed to work on any OS on which libpcap/winpcap has been
implemented. Currently, Jpcap has been tested on FreeBSD 3.x,
Linux RedHat 6.1, Fedora Core 4, Solaris, and Microsoft Windows
2000/XP.

Jpcap supports the following types of packets: Ethernet, IPv4,
IPv6, ARP/RARP, TCP, UDP, and ICMPv4. Other types of packets
are captured as raw packets (i.e., instances of the Packet class)
which contain the whole data of the packets. This allows Java
applications to analyze unsupported packet types.

WINPCAP

WinPcap is the industry-standard tool for link-layer network
access in Windows environments: it allows applications to capture
and transmit network packets bypassing the protocol stack, and
has additional useful features, including kernel-level packet
filtering, a network statistics engine and support for remote
packet capture.

WinPcap consists of a driver, which extends the operating system
to provide low-level network access, and a library that is used to
easily access the low-level network layers. This library also
contains the Windows version of the well-known libpcap Unix API.

CONCLUSION

Network Analyser can be used to strengthen the security of
our network. Its resource identification, such as OS detection, helps
to prevent security vulnerabilities to a certain extent. As mentioned
earlier, remote OS versions can be an extremely valuable network
investigation tool, since many security holes are dependent on OS
version. Availability of the data rate at any moment in the network
is valuable information for a network administrator. But Network
Analyser is not free from demerits. For example, if the packet
makes a large number of jumps or hops (exactly speaking, if the
number of hops exceeds the difference between the default
hop-limits), our tool will not give correct information. But this is
very rare in the network. Since the tool can also run in a Linux
environment, it is acceptable to those who prefer open source and
free software.

REFERENCES

1. James F. Kurose and Keith W. Ross, Computer Networking: A Top-Down Approach Featuring the Internet
2. Douglas Comer, Internetworking with TCP/IP
3. http://netresearch.ics.uci.edu/kfujii/jpcap