This project is intended to develop a tool called Packet Sniffer. The Packet Sniffer allows the computer to examine and analyze all the traffic passing by its network connection. It decodes the network traffic and makes sense of it.
The output is appended to a plain text file, so that the network administrator can understand the network traffic and analyze it later.
Introduction
A packet sniffer is a program that can see all of the information passing over the network it is connected to. A packet sniffer is a wiretapping device that plugs into computer networks and eavesdrops on the network traffic.
A packet sniffer (also known as a network analyzer or protocol analyzer or, for
particular types of networks, an Ethernet sniffer or wireless sniffer) is computer
software that can intercept and log traffic passing over a digital network or part of a
network. As data streams flow across the network, the sniffer captures each packet
and eventually decodes and analyzes its content.
Most Ethernet networks used to be of a common bus topology, using either coax cable or twisted pair wire and a hub. All of the nodes (computers and other devices) on the network could communicate over the same wires and take turns sending data using a scheme known as carrier sense multiple access with collision detection (CSMA/CD). Think of CSMA/CD as being like a conversation at a loud party: you may have to wait for quite a spell for your chance to get your words in during a lull in everybody else's conversation. All of the nodes on the network have their own unique MAC (media access control) address that they use to send packets of information to each other. Normally a node would only look at the packets that are destined for its MAC address. However, if the network card is put into what is known as "promiscuous mode" it will look at all of the packets on the wires it is hooked to.
TCP/IP Protocols
Background:
Internet protocols were first developed in the mid-1970s, when the Defense
Advanced Research Projects Agency (DARPA) became interested in establishing a
packet-switched network that would facilitate communication between dissimilar
computer systems at research institutions. With the goal of heterogeneous connectivity
in mind, DARPA funded research by Stanford University and Bolt, Beranek, and
Newman (BBN). The result of this development effort was the Internet protocol suite,
completed in the late 1970s.
Fig 1: Internet protocols span the complete range of OSI model layers. (Figure not reproduced; the layers shown are Application/Presentation: NFS, FTP, Telnet, SNMP, RPC; Transport: TCP, UDP; Network: IP, ICMP, ARP, RARP; Data Link.)
IP Packet Format:
Total Length — Specifies the length, in bytes, of the entire IP packet, including
the data and header.
IP Addressing:
Each host on a TCP/IP network is assigned a unique 32-bit logical address that
is divided into two main parts: the network number and the host number. The network
number identifies a network and must be assigned by the Internet Network Information
Center (InterNIC) if the network is to be part of the Internet. An Internet Service
Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself
assign address space as necessary. The host number identifies a host on a network and
is assigned by the local network administrator.
IP Address Format:
The 32-bit IP address is grouped eight bits at a time, separated by dots, and represented in decimal format (known as dotted decimal notation). Each bit in the octet has a binary weight (128, 64, 32, 16, 8, 4, 2, 1). The minimum value for an octet is 0, and the maximum value for an octet is 255. Figure 3 illustrates the basic format of an IP address.
(Figure 3, not reproduced: the address is drawn as a Network part followed by a Host part.)
IP Address Classes:
Class A: leading bit 0, 7 network bits, 24 host bits (Network | Host | Host | Host)
Class B: leading bits 10, 14 network bits, 16 host bits (Network | Network | Host | Host)
Class C: leading bits 110, 21 network bits, 8 host bits (Network | Network | Network | Host)
The class of address can be determined easily by examining the first octet of the
address and mapping that value to a class range in the following table. In an IP address
of 172.31.1.2, for example, the first octet is 172. Because 172 falls between 128 and
191, 172.31.1.2 is a Class B address. Figure 5 summarizes the range of possible values
for the first octet of each address class.
Fig 5: A range of possible values exists for the first octet of each address class. (Table not fully reproduced; the rows that survive are Class A: first octet 1 to 126, high-order bit 0; and, from the example above, Class B: first octet 128 to 191.)
Subnets are under local administration. As such, the outside world sees an
organization as a single network and has no detailed knowledge of the organization's
internal structure.
A given network address can be broken up into many sub networks. For example, 172.16.1.0, 172.16.2.0, 172.16.3.0, and 172.16.4.0 are all subnets within network 172.16.0.0. (All 0s in the host portion of an address specifies the entire network.)
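To make the classful rules above concrete, here is an added Python example (not part of the project or the page) that determines the class from the leading bits of the first octet, splits the address into its network and host numbers, and applies a locally chosen subnet mask as in the 172.16.x.0 example. The function names and the /24 mask are assumptions for illustration.

```python
def parse_dotted(addr: str) -> int:
    """Dotted-decimal string -> 32-bit integer; each octet must fit in 8 bits."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range 0..255: {octet}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(first_octet: int):
    """Class letter and network-bit count (fixed leading bits included), decided by
    the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, else E."""
    if first_octet & 0x80 == 0x00:
        return "A", 8            # 7 network bits + leading 0; 24 host bits
    if first_octet & 0xC0 == 0x80:
        return "B", 16           # 14 network bits + leading 10; 16 host bits
    if first_octet & 0xE0 == 0xC0:
        return "C", 24           # 21 network bits + leading 110; 8 host bits
    if first_octet & 0xF0 == 0xE0:
        return "D", None         # multicast: no network/host split
    return "E", None             # reserved


def split_address(addr: str) -> dict:
    """Classful split of an address into network number and host number."""
    value = parse_dotted(addr)
    cls, net_bits = address_class(value >> 24)
    if net_bits is None:
        return {"address": addr, "class": cls, "network": None, "host": None}
    host_bits = 32 - net_bits
    net_mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    return {
        "address": addr, "class": cls,
        "network": to_dotted(value & net_mask),   # host bits all 0 names the whole network
        "host": value & ~net_mask & 0xFFFFFFFF,
        "network_bits": net_bits, "host_bits": host_bits,
    }


def subnet_of(addr: str, prefix_len: int) -> str:
    """Subnet number under a locally chosen mask (e.g. /24 subnets inside a Class B)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_dotted(parse_dotted(addr) & mask)


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """True when both hosts fall in the same local subnet. Outside routers only see
    the classful network number, so this split is invisible to them."""
    return subnet_of(a, prefix_len) == subnet_of(b, prefix_len)


if __name__ == "__main__":
    for addr in ("172.31.1.2", "10.1.2.3", "192.168.1.10", "224.0.0.1"):
        print(split_address(addr))
    print(subnet_of("172.16.3.7", 24), split_address("172.16.3.7")["network"])
```

Running it shows 172.31.1.2 classified as Class B with network 172.31.0.0, while 172.16.3.7 sits in classful network 172.16.0.0 but in local subnet 172.16.3.0 under a /24 mask.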
For two machines on a given network to communicate, they must know the other machine's physical (or MAC) address. By broadcasting Address Resolution Protocol (ARP) requests, a host can dynamically discover the MAC-layer address corresponding to a particular IP network-layer address.
Routers within the Internet are organized hierarchically. Routers used for
information exchange within autonomous systems are called interior routers, which use
a variety of Interior Gateway Protocols (IGPs) to accomplish this purpose. The Routing
Information Protocol (RIP) is an example of an IGP.
Routers that move information between autonomous systems are called exterior
routers. These routers use an exterior gateway protocol to exchange information
between autonomous systems. The Border Gateway Protocol (BGP) is an example of
an exterior gateway protocol.
IP Routing:
ICMP Messages:
An ICMP Redirect message is sent by the router to the source host to stimulate
more efficient routing. The router still forwards the original packet to the destination.
ICMP redirects allow host routing tables to remain small because it is necessary to
know the address of only one router, even if that router does not provide the best path.
Even after receiving an ICMP Redirect message, some devices might continue using
the less-efficient route.
Full-duplex operation means that TCP processes can both send and receive at the same
time.
Each host randomly chooses a sequence number used to track bytes within the
stream it is sending and receiving. Then, the three-way handshake proceeds in the
following manner:
The first host (Host A) initiates a connection by sending a packet with the initial
sequence number (X) and SYN bit set to indicate a connection request. The second host
(Host B) receives the SYN, records the sequence number X, and replies by
acknowledging the SYN (with an ACK = X + 1). Host B includes its own initial
sequence number (SEQ = Y). An ACK = 20 means the host has received bytes 0
through 19 and expects byte 20 next. This technique is called forward
acknowledgment. Host A then acknowledges all bytes Host B sent with a forward
acknowledgment indicating the next byte Host A expects to receive (ACK = Y + 1).
Data transfer then can begin.
Positive Acknowledgment and Retransmission (PAR):
By assigning each packet a sequence number, PAR enables hosts to track lost
or duplicate packets caused by network delays that result in premature retransmission.
The sequence numbers are sent back in the acknowledgments so that the
acknowledgments can be tracked.
PAR is an inefficient use of bandwidth, however, because a host must wait for
an acknowledgment before sending a new packet, and only one packet can be sent at a
time.
A TCP sliding window provides more efficient use of network bandwidth than
PAR because it enables hosts to send multiple bytes or packets before waiting for an
acknowledgment.
In TCP, the receiver specifies the current window size in every packet. Because
TCP provides a byte-stream connection, window sizes are expressed in bytes. This
means that a window is the number of data bytes that the sender is allowed to send
before waiting for an acknowledgment. Initial window sizes are indicated at connection
setup, but might vary throughout the data transfer to provide flow control. A window
size of zero, for instance, means "Send no data."
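The following is an added Python simulation, not code from the page or the project, that counts the round trips a loss-free transfer needs under PAR (a window of exactly one segment) versus a larger sliding window, including a receiver that advertises a zero window ("Send no data") for one round. It assumes every ACK covers all bytes sent so far; the byte counts, segment size and window values are constructed.

```python
import math


def simulate_transfer(total_bytes: int, segment_size: int, windows) -> dict:
    """Round trips needed to deliver total_bytes when the sender may have at most
    the advertised window (in bytes) outstanding before it must wait for an ACK.

    windows[0] is the window advertised at connection setup; the ACK that ends
    round i carries windows[i] (the last entry repeats). Loss-free: each round ends
    with a forward acknowledgment of everything sent (ack = next byte expected).
    """
    if total_bytes < 0 or segment_size <= 0 or not windows:
        raise ValueError("need total_bytes >= 0, segment_size > 0, at least one window")
    if total_bytes > 0 and windows[-1] == 0:
        raise ValueError("a permanently closed window never completes the transfer")
    nxt = 0                              # next byte the sender will transmit
    window = windows[0]
    rounds, trace = 0, []
    while nxt < total_bytes:
        rounds += 1
        allowed = min(window, total_bytes - nxt)       # window is expressed in bytes
        segments = math.ceil(allowed / segment_size)    # 0 when the window is zero
        nxt += allowed
        window = windows[min(rounds, len(windows) - 1)]
        trace.append({"round": rounds, "sent": allowed, "segments": segments,
                      "ack": nxt, "next_window": window})
    return {"rounds": rounds, "trace": trace}


def par_rounds(total_bytes: int, segment_size: int) -> int:
    """PAR: one packet outstanding at a time, i.e. a window of exactly one segment."""
    return simulate_transfer(total_bytes, segment_size, [segment_size])["rounds"]


if __name__ == "__main__":
    print("PAR:", par_rounds(10000, 1000))                                  # 10
    print("window 4000:", simulate_transfer(10000, 1000, [4000])["rounds"])  # 3
    for step in simulate_transfer(10000, 1000, [4000, 0, 4000])["trace"]:
        print(step)
```

The model ignores slow start, loss and retransmission; it isolates the single effect the text describes, which is that the number of bytes allowed in flight, not the number of packets, determines how often the sender must stop and wait.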
(TCP packet format figure, not reproduced; the fields shown include Sequence Number, Acknowledgment Number, Options (+ padding), and Data (variable).)
Source Port and Destination Port — Identify the points at which upper-layer source and destination processes receive TCP services.
Sequence Number — Usually specifies the number assigned to the first byte of data in
the current message. In the connection-establishment phase, this field also can be used
to identify an initial sequence number to be used in an upcoming transmission.
Acknowledgment Number — Contains the sequence number of the next byte of data
the sender of the packet expects to receive.
Data Offset — Indicates the number of 32-bit words in the TCP header.
Flags — Carries a variety of control information, including the SYN and ACK bits
used for connection establishment, and the FIN bit used for connection termination.
Window — Specifies the size of the sender's receive window (that is, the buffer space
available for incoming data).
Urgent Pointer — Points to the first urgent data byte in the packet.
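The header parser and handshake check below are an added Python example, not code from the page or the project. It decodes the TCP header fields listed above with the standard struct module, then validates the three-way handshake described earlier: the SYN-ACK must acknowledge X + 1, the final ACK must acknowledge Y + 1, and sequence numbers wrap modulo 2^32. The segments are constructed by a helper and carry a zero checksum, because the TCP checksum needs the IP pseudo-header that a header-only example does not have.

```python
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
MOD32 = 0xFFFFFFFF


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header plus options; the payload starts at Data Offset."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    (sport, dport, seq, ack, off_res, flag_bits,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4            # header length: 32-bit words -> bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad Data Offset {data_offset}")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": {name for name, bit in TCP_FLAGS.items() if flag_bits & bit},
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:data_offset], "payload": segment[data_offset:],
    }


def build_tcp_segment(sport, dport, seq, ack, flags, window=65535, options=b"", payload=b""):
    """Constructed segments for the demo (checksum left 0; it needs the IP pseudo-header)."""
    options += b"\x00" * (-len(options) % 4)    # options are padded to a 32-bit boundary
    bits = sum(TCP_FLAGS[f] for f in flags)
    words = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, words << 4, bits,
                       window, 0, 0) + options + payload


def check_handshake(segments):
    """Validate SYN / SYN-ACK / ACK with forward acknowledgment: the SYN-ACK must
    acknowledge X+1 and the final ACK must acknowledge Y+1 (both modulo 2^32)."""
    if len(segments) != 3:
        return False, "a three-way handshake has exactly three segments"
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    if syn["flags"] != {"SYN"}:
        return False, "first segment must carry SYN only"
    x = syn["seq"]
    if synack["flags"] != {"SYN", "ACK"}:
        return False, "second segment must carry SYN and ACK"
    if (synack["src_port"], synack["dst_port"]) != (syn["dst_port"], syn["src_port"]):
        return False, "SYN-ACK ports must mirror the SYN"
    if synack["ack"] != (x + 1) & MOD32:
        return False, f"SYN-ACK acknowledges {synack['ack']}, expected {(x + 1) & MOD32}"
    y = synack["seq"]
    if "ACK" not in ack["flags"] or "SYN" in ack["flags"]:
        return False, "third segment must carry ACK without SYN"
    if ack["ack"] != (y + 1) & MOD32:
        return False, f"final ACK acknowledges {ack['ack']}, expected {(y + 1) & MOD32}"
    if ack["seq"] != (x + 1) & MOD32:
        return False, "final ACK must use sequence number X+1 (the SYN consumed one)"
    return True, f"established: client ISN X={x}, server ISN Y={y}"


# Constructed handshake to port 80 with X=1000 and Y=5000 (not a real capture).
HANDSHAKE = [
    build_tcp_segment(40000, 80, 1000, 0, {"SYN"}, options=b"\x02\x04\x05\xb4"),  # MSS option
    build_tcp_segment(80, 40000, 5000, 1001, {"SYN", "ACK"}),
    build_tcp_segment(40000, 80, 1001, 5001, {"ACK"}),
]

if __name__ == "__main__":
    for s in HANDSHAKE:
        h = parse_tcp_header(s)
        print(h["src_port"], "->", h["dst_port"], sorted(h["flags"]), "seq", h["seq"], "ack", h["ack"])
    print(check_handshake(HANDSHAKE))
```

The parser trusts Data Offset only after bounds-checking it against the captured length, which is the check a sniffer needs so that a malformed header cannot make it read past the buffer.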
The UDP packet format contains four fields, as shown in Figure 7. These
include source and destination ports, length, and checksum fields.
(Figure 7, not reproduced: the UDP packet format with Source Port, Destination Port, Length and Checksum fields.)
Source and destination ports contain the 16-bit UDP protocol port numbers used
to de-multiplex datagrams for receiving application-layer processes. A length field
specifies the length of the UDP header and data. Checksum provides an (optional)
integrity check on the UDP header and data.
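As an added example (not from the page or the project), this Python code builds and parses the four-field UDP header and implements the optional checksum over the IPv4 pseudo-header, telling "no checksum" (zero on the wire) apart from a corrupted segment. The addresses, ports and payload are constructed for the demonstration.

```python
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_length: int) -> bytes:
    """IPv4 pseudo-header covered by the UDP checksum: addresses, zero, protocol, length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, udp_length)


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum for a segment whose own checksum field is still zero."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    csum = 0xFFFF & ~total
    return csum or 0xFFFF        # a computed 0 is sent as all ones; 0 on the wire means "none"


def build_udp(src_ip, dst_ip, src_port, dst_port, payload, with_checksum=True) -> bytes:
    """Constructed UDP segment for the demo; Length covers header plus data."""
    length = 8 + len(payload)
    draft = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, draft) if with_checksum else 0
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def parse_udp(src_ip: bytes, dst_ip: bytes, segment: bytes) -> dict:
    """Decode the four header fields and report the checksum as ok / bad / absent."""
    if len(segment) < 8:
        raise ValueError("UDP header is 8 bytes")
    src_port, dst_port, length, csum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError(f"Length field {length} inconsistent with {len(segment)} captured bytes")
    segment = segment[:length]   # bytes past Length (e.g. Ethernet padding) are not UDP data
    if csum == 0:
        status = "absent"        # the checksum is optional in IPv4
    else:
        total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment)
        status = "ok" if total == 0xFFFF else "bad"
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum": status, "payload": segment[8:]}


# Constructed sample: a query from 10.0.0.5:40000 to 10.0.0.53:53 (not a real capture).
SRC_IP, DST_IP = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53])
SAMPLE = build_udp(SRC_IP, DST_IP, 40000, 53, b"hello")

if __name__ == "__main__":
    print(parse_udp(SRC_IP, DST_IP, SAMPLE))
    print(parse_udp(SRC_IP, DST_IP, SAMPLE[:8] + b"jello")["checksum"])
```

Because the pseudo-header is part of the sum, the same segment verifies as "bad" when paired with a different destination address, which is why a sniffer must hand the IP addresses down to the UDP decoder rather than checking the header in isolation.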
Network File System (NFS), External Data Representation (XDR), and Remote
Procedure Call (RPC)—Work together to enable transparent access to remote network
resources
Domain Name System (DNS)—Translates the names of network nodes into network
addresses.
The list of the higher-layer protocols and the applications that they support is as follows:
Application Protocols
This is the requirements document for the project. The system to be developed is for capturing the packets flowing in the network and analyzing them. The information in the various headers of the packets is to be extracted and saved into the output file.
Introduction:
Purpose:
To develop a tool that easily analyzes the network traffic flow on that particular
system and to show the information for the administrator in human readable format.
Scope:
General Description:
In a computer network every system can see all the packets flowing in the network, but it captures only the packets that are addressed to that particular system. The product, however, must be able to make a copy of all the packets flowing in the network, whether or not they are addressed to it. The copied packet must be stored in a buffer. Each packet has headers in which information about the packet is stored in a specified format. This information must be extracted, converted into human readable form if necessary, and stored in the output files.
User Characteristics:
The user of the system will be the systems administrator who controls and
configures the network traffic through the server.
General Constraints:
Specific Requirements:
Inputs: Raw packets flowing in the network of the system on which the Packet
Sniffer is installed.
Functional Requirements:
Capture the packets in the network at the data link layer before they are passed
to the protocols implemented in the kernel.
Strip off the various headers in each packet and analyze the information in it.
Append the information in the headers of the packet into output file in a specified
format.
Performance Constraints:
The maximum size of the buffer to hold a packet is 2000 bytes. The speed of the network should not exceed 100 Mbps; if it exceeds this speed, not all packets may be analyzed.
Requirements Specification:
Software Environment:
The system will run under the .NET Framework, which is to be installed on the system.
Hardware Environment:
Processor : Pentium IV
HDD : 5 GB
LAN : Enabled
Acceptance Criteria:
Before accepting the system, the developer will have to demonstrate how the system
works on the given data. The developer will have to show by suitable test cases that all
conditions are satisfied.
Architecture Diagrams
The data flow diagrams for the current project are shown in the following figure.
It is the data flow diagram for the entire process. It specifies the major transform centers
in the approach to be followed for producing the software. This is the first step in the
structured design method. In the project, the inputs are the packets that are flowing in
the network interface that is set to promiscuous mode. The output is the information
contained in the packets in human readable form, which is stored in the output file.
The context diagram and data flow diagram of the proposed system are given
as follows:
(Context diagram and data flow diagram, not reproduced: the network interface card, set to promiscuous mode, supplies packets to the Protocol Analyzer, which produces reports for the Administrator; the IP header is among the inputs shown.)
Explanation:
In the diagram the input is obtained as packets from the network interface by
the ‘Get packets’ process. For that this process defines a packet socket and obtains the
raw packets from the network interface and stores them into a buffer. The buffer
containing the packets is passed to the ‘separate header’ process, which strips off
various headers of the packet and passes them to ‘analyze headers’ process where they
will be analyzed and the information is passed on to the ‘update output file’ process.
Here the output file will be updated with the latest information obtained from the later
processes. The most abstract inputs are the stripped off headers and the most abstract
output is the information in the headers in human readable form.
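To show the pipeline of the data flow diagram (get packets, separate headers, analyze headers, update output file) in runnable form, here is an added Python example that is not the project's code. It decodes an Ethernet frame, verifies and strips the IPv4 header (using Total Length to delimit the payload), decodes ARP and RARP, enforces the 2000-byte buffer limit from the performance constraints, and appends one report line per frame to a text file. The capture step itself (a promiscuous-mode packet socket) is left out so the example runs offline on the constructed frames; the function names and sample addresses are assumptions.

```python
import os
import struct
import tempfile

MAX_BUFFER = 2000                      # the buffer limit stated in the requirements
ETH_IPV4, ETH_ARP = 0x0800, 0x0806     # IANA ethertypes
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
ARP_OPS = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip4(b): return ".".join(str(x) for x in b)


def ones_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum; 0xFFFF over a header means its checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4(packet: bytes) -> dict:
    """'separate header' step for IP: fields plus the payload delimited by Total Length."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a usable IPv4 header")
    total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!HHHBBH", packet[2:12])
    if total_len < ihl or total_len > len(packet):
        raise ValueError("Total Length inconsistent with captured bytes")
    return {"src": ip4(packet[12:16]), "dst": ip4(packet[16:20]), "ttl": ttl,
            "proto": IP_PROTO.get(proto, str(proto)), "total_len": total_len,
            "checksum_ok": ones_sum(packet[:ihl]) == 0xFFFF,
            "payload": packet[ihl:total_len]}


def parse_arp(body: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP or RARP body (the 'ARP & RARP' sub-module)."""
    if len(body) < 28:
        raise ValueError("truncated ARP body")
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if hw != 1 or proto != ETH_IPV4 or hlen != 6 or plen != 4:
        raise ValueError("only Ethernet/IPv4 ARP is decoded here")
    return {"op": ARP_OPS.get(op, f"op {op}"),
            "sender": (mac(body[8:14]), ip4(body[14:18])),
            "target": (mac(body[18:24]), ip4(body[24:28]))}


def describe_frame(frame: bytes) -> str:
    """'analyze headers' step: one human readable line per captured frame."""
    if len(frame) > MAX_BUFFER:
        return f"DROP {len(frame)}-byte frame exceeds {MAX_BUFFER}-byte buffer"
    if len(frame) < 14:
        return "DROP runt frame"
    dst, src = mac(frame[:6]), mac(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV4:
        ip = parse_ipv4(frame[14:])
        line = f"IP {ip['src']} -> {ip['dst']} {ip['proto']} len={ip['total_len']} ttl={ip['ttl']}"
        if ip["proto"] in ("TCP", "UDP") and len(ip["payload"]) >= 4:
            sport, dport = struct.unpack("!HH", ip["payload"][:4])   # ports lead both headers
            line += f" ports {sport}->{dport}"
        return line + ("" if ip["checksum_ok"] else " [BAD IP CHECKSUM]")
    if ethertype == ETH_ARP:
        a = parse_arp(frame[14:])
        return f"{a['op']} sender={a['sender'][1]} ({a['sender'][0]}) target={a['target'][1]}"
    return f"ETH {src} -> {dst} ethertype=0x{ethertype:04x}"


def append_report(path: str, frames) -> int:
    """'update output file' step: append one line per frame; returns lines written."""
    lines = [describe_frame(f) for f in frames]
    with open(path, "a", encoding="utf-8") as out:
        out.write("\n".join(lines) + "\n")
    return len(lines)


def write_and_read_back(frames, path=None):
    """Append to a report file (a temporary one if no path is given) and read it back."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".txt")
        os.close(fd)
    count = append_report(path, frames)
    with open(path, encoding="utf-8") as fh:
        return count, fh.read().splitlines()


# --- constructed sample frames (not real captures) ---------------------------
def build_ipv4_frame(src_ip, dst_ip, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, proto, 0,
                      bytes(src_ip), bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", 0xFFFF & ~ones_sum(hdr)) + hdr[12:]
    return bytes(6) + bytes(6) + struct.pack("!H", ETH_IPV4) + hdr + payload

SAMPLE_TCP_SYN = build_ipv4_frame([10, 0, 0, 5], [10, 0, 0, 1], 6,
    struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0))
SAMPLE_ARP = bytes(6) + bytes(6) + struct.pack("!H", ETH_ARP) + struct.pack(
    "!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1, b"\xaa" * 6, bytes([10, 0, 0, 5]), bytes(6), bytes([10, 0, 0, 1]))

if __name__ == "__main__":
    print(write_and_read_back([SAMPLE_TCP_SYN, SAMPLE_ARP, bytes(MAX_BUFFER + 1)]))
```

Every length field is checked against the bytes actually captured before it is used as an index, and an oversized frame is reported rather than truncated silently, so the 2000-byte constraint shows up in the report instead of being hidden.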
Structure Charts:
(Top-level structure chart, not reproduced: the main module receives hdr's from the input module and passes info to the output module.)
Here, there is one input module, which returns the headers in the packet to the
main module. The main module passes these headers to the protocol analysis module,
which transforms them into human readable information. This information is passed to
the main module. The main module passes this information to the output module, which
updates the output files.
(Structure chart detail, not reproduced: Get Input returns hdr's obtained from the packet socket (packetfd) and buffer (buf); Protocol Analyzer has IP and ARP & RARP sub-modules that turn the ip hdr or arp or rarp hdr into info; Output passes ofstream file streams between its sub-modules.)
This module gets the information stored in the headers of the packets as input
from the main module. The output module is split into two sub-modules. The first
module updates the output files with the input obtained by the main module and passes
back the file pointers to the ’output’ module. These file streams are passed to the ‘print
reports’ module where the reports are printed.
UML Diagrams:
Requirements
Architecture
Design
Source code
Project plans
Tests
Prototypes
Releases
Depending on the development culture, some of these artifacts are treated more
or less formally than others. Such artifacts are not only the deliverables of a project,
they are also critical in controlling, measuring, and communicating about a system
during its development and after its deployment.
The UML addresses the documentation of a system's architecture and all of its
details. The UML also provides a language for expressing requirements and for tests.
Finally, the UML provides a language for modeling the activities of project planning and release management.
Applications
The UML is intended primarily for software-intensive systems. It has been used
effectively for such domains as
To understand the UML, you need to form a conceptual model of the language,
and this requires learning three major elements: the UML's basic building blocks, the
rules that dictate how those building blocks may be put together, and some common
mechanisms that apply throughout the UML. Once you have grasped these ideas, you
will be able to read UML models and create some basic ones. As you gain more
experience in applying the UML, you can build on this conceptual model, using more
advanced features of the language.
Things
Relationships
Diagrams
Things are the abstractions that are first-class citizens in a model; relationships
tie these things together; diagrams group interesting collections of things.
Structural things
Behavioral things
Grouping things
Annotational things
These things are the basic object-oriented building blocks of the UML. You use
them to write well-formed models.
Structural Things:
Structural things are the nouns of UML models. These are the mostly static
parts of a model, representing elements that are either conceptual or physical. In all,
there are seven kinds of structural things.
First, a class is a description of a set of objects that share the same attributes,
operations, relationships, and semantics. A class implements one or more interfaces.
Graphically, a class is rendered as a rectangle, usually including its name, attributes,
and operations.
CLASS:
Second, an interface is a collection of operations that specify a service of a class
or component. An interface therefore describes the externally visible behavior of that
element. An interface might represent the complete behavior of a class or component
or only a part of that behavior. An interface defines a set of operation specifications
(that is, their signatures) but never a set of operation implementations. Graphically, an
interface is rendered as a circle together with its name. An interface rarely stands alone.
Rather, it is typically attached to the class or component that realizes the interface.
INTERFACE:
Fifth, an active class is a class whose objects own one or more processes or
threads and therefore can initiate control activity. An active class is just like a class
except that its objects represent elements whose behavior is concurrent with other
elements. Graphically, an active class is rendered just like a class, but with heavy lines,
usually including its name, attributes, and operations.
COMPONENT:
Seventh, a node is a physical element that exists at run time and represents a
computational resource, generally having at least some memory and, often, processing
capability. A set of components may reside on a node and may also migrate from node
to node. Graphically, a node is rendered as a cube, usually including only its name.
Behavioral Things:
Behavioral things are the dynamic parts of UML models. These are the verbs of
a model, representing behavior over time and space. In all, there are two primary kinds
of behavioral things.
STATE:
These two elements—interactions and state machines—are the basic behavioral
things that you may include in a UML model. Semantically, these elements are usually
connected to various structural elements, primarily classes, collaborations, and objects.
Grouping Things:
Grouping things are the organizational parts of UML models. These are the
boxes into which a model can be decomposed. In all, there is one primary kind of
grouping thing, namely, packages.
PACKAGE:
Packages are the basic grouping things with which you may organize a UML
model. There are also variations, such as frameworks, models, and subsystems (kinds
of packages).
Annotational Things:
Annotational things are the explanatory parts of UML models. These are the
comments you may apply to describe, illuminate, and remark about any element in a
model. There is one primary kind of annotational thing, called a note. A note is simply
a symbol for rendering constraints and comments attached to an element or a collection
of elements. Graphically, a note is rendered as a rectangle with a dog-eared corner,
together with a textual graphical comment.
NOTES:
This element is the one basic annotational thing you may include in a UML
model. You'll typically use notes to adorn your diagrams with constraints or comments
that are best expressed in informal or formal text. There are also variations on this
element, such as requirements (which specify some desired behavior from the
perspective of outside the model).
1. Dependency
2. Association
3. Generalization
4. Realization
These relationships are the basic relational building blocks of the UML. You
use them to write well-formed models.
DEPENDENCY:
ASSOCIATION:
(Figure, not reproduced: an association drawn between Employer and employee.)
GENERALIZATION:
REALIZATION:
These four elements are the basic relational things you may include in a UML
model. There are also variations on these four, such as refinement, trace, include, and
extend (for dependencies).
A class diagram shows a set of classes, interfaces, and collaborations and their
relationships. These diagrams are the most common diagram found in modeling object-
oriented systems. Class diagrams address the static design view of a system. Class
diagrams that include active classes address the static process view of a system.
A use case diagram shows a set of use cases and actors (a special kind of class)
and their relationships. Use case diagrams address the static use case view of a system.
These diagrams are especially important in organizing and modeling the behaviors of a system. Both sequence diagrams and collaboration diagrams are kinds of interaction diagrams. An interaction diagram shows an interaction, consisting of a set of objects and their relationships, including the messages that may be dispatched among them. Interaction diagrams address the dynamic view of a system.
An activity diagram is a special kind of a state chart diagram that shows the
flow from activity to activity within a system. Activity diagrams address the dynamic
view of a system. They are especially important in modeling the function of a system
and emphasize the flow of control among objects.
A component diagram shows the organizations and dependencies among a set
of components. Component diagrams address the static implementation view of a
system. They are related to class diagrams in that a component typically maps to one
or more classes, interfaces, or collaborations.
This is not a closed list of diagrams. Tools may use the UML to provide other
kinds of diagrams, although these nine are by far the most common you will encounter
in practice.
View report: Administrator can view the information of the decoded packets
in the user interface of the tool.
Save/print reports: Administrator can save the information on to file system or can
print the information through the printer if connected.
A class diagram describes the static structure of the symbols in your new
system. It is a graphical presentation of the static view that shows a collection of
declarative (static) model elements, such as classes, types, and their contents and
relationships.
Sequence diagram:
UML sequence diagrams model the flow of logic within your system in a
visual manner, enabling you both to document and validate your logic, and are
commonly used for both analysis and design purposes. Sequence diagrams are the most
popular UML artifacts for dynamic modeling, which focuses on identifying the
behavior within your system.
Getting Wireshark
https://www.wireshark.org/download.html
Starting Wireshark
When you run the Wireshark program, the Wireshark graphical user interface will be shown as in Figure 5. Currently, the program is not capturing packets.
Then, you need to choose an interface. If you are running the Wireshark on your
laptop, you need to select WiFi interface. If you are at a desktop, you need to select
the Ethernet interface being used. Note that there could be multiple interfaces. In
general, you can select any interface but that does not mean that traffic will flow
through that interface. The network interfaces (i.e., the physical connections) that
your computer has to the network are shown. The attached Figure 6 was taken from
my computer. After you select the interface, you can click start to capture the packets
as shown in Figure 7.
Figure 6: Capture Interfaces in Wireshark
The packet-header details window provides details about the packet selected
(highlighted) in the packet-listing window. (To select a packet in the packet-listing
window, place the cursor over the packet’s one-line summary in the packet-listing
window and click with the left mouse button.). These details include information
about the Ethernet frame and IP datagram that contains this packet. The amount of
Ethernet and IP-layer detail displayed can be expanded or minimized by clicking on
the right-pointing or down-pointing arrowhead to the left of the Ethernet frame or IP
datagram line in the packet details window. If the packet has been carried over TCP
or UDP, TCP or UDP details will also be displayed, which can similarly be expanded
or minimized. Finally, details about the highest-level protocol that sent or received
this packet are also provided.
The packet-contents window displays the entire contents of the captured frame, in
both ASCII and hexadecimal format.
Towards the top of the Wireshark graphical user interface, is the packet display filter
field, into which a protocol name or other information can be entered in order to filter
the information displayed in the packet-listing window (and hence the packet-header
and packet-contents windows). In the example below, we’ll use the packet-display
filter field to have Wireshark hide (not display) packets except those that correspond
to HTTP messages.
Capturing Packets
After downloading and installing Wireshark, you can launch it and click the name of
an interface under Interface List to start capturing packets on that interface. For
example, if you want to capture traffic on the wireless network, click your wireless
interface.
Test Run
Do the following steps:
1. Start up the Wireshark program (select an interface and press start to capture
packets).
2. Start up your favorite browser (Iceweasel in Kali Linux).
3. In your browser, go to the Wayne State homepage by typing www.wayne.edu.
5. Color Coding: You’ll probably see packets highlighted in green, blue, and
black. Wireshark uses colors to help you identify the types of traffic at a
glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is
UDP traffic, and black identifies TCP packets with problems — for example,
they could have been delivered out-of-order.
6. You now have live packet data that contains all protocol messages exchanged
between your computer and other network entities! However, as you will
notice the HTTP messages are not clearly shown because there are many other
packets included in the packet capture. Even though the only action you took
was to open your browser, there are many other programs in your computer
that communicate via the network in the background. To filter the connections
to the ones we want to focus on, we have to use the filtering functionality of
Wireshark by typing “http” in the filtering field as shown below:
Notice that we now view only the packets that are of protocol HTTP. However, we
also still do not have the exact communication we want to focus on because using
HTTP as a filter is not descriptive enough to allow us to find our connection to
http://www.wayne.edu. We need to be more precise if we want to capture the correct
set of packets.
9. Let's now try to find out what those packets contain by following one of the conversations (also called network flows): select one of the packets and press the right mouse button (if you are on a Mac, use the command button and click). You should see something similar to the screen below:
Click on Follow UDP Stream, and then you will see the following screen.
In practice, there is no typical network problem that cannot be discovered and solved using packet sniffer technology. Sniffers can be used as the first line of attack on a number of issues that vary from overloaded networks to unresponsive switches to lost packets. As the number of networks and nodes continues to grow and as network speeds accelerate, it becomes more and more difficult to monitor a LAN by using traditional tools, such as RMON (Remote Monitoring) probes. Packet sniffers, by contrast, monitor traffic on the network right down to the header information in each packet. This means that you can actually track data from its starting point to its end point. Packet sniffers can also be used to identify the types of packets on a network and discover whether or not a specific packet has any errors.
Data is sent across the internet in the form of packets. Packet sniffing can be used for the benefit of a network or for malicious purposes. It can monitor and analyze traffic and help with network research. It can also be used by adversaries in order to steal plaintext data or watch a user's actions. Software exists to help detect sniffers on a network. Business systems often set these in place in order to keep data safe. Without using modern defenses and best practices, data sent across the network can be easily seen by attackers. It's important to verify that sites you access are utilizing the safeguards available, namely encryption, and to avoid the sites that are not.
The above experiment demonstrates the need for IDS/IPS devices in any typical network. We have also highlighted the capabilities of Wireshark in packet data interpretation and data handling. Wireshark, in this experiment, has been used primarily in ACL (Access Control List) filtering. Many other variations of filtering are available in the Wireshark utility, such as filtering based on packet size, filtering based on protocols used, filtering on substrings, etc. Thus, with proper use of filtering commands and complementing utilities, Wireshark can be developed into comprehensive intrusion detection software.
Future Scope
Wireshark as a Network Protocol Analyzer has already proven its mettle in all necessary realms. However, there is still scope for improvement as far as alert generation and heuristic development are concerned. We are working to introduce certain utilities in the source code of Wireshark to overcome the above shortcomings by making Wireshark capable of alert generation.
As part of future work for this project, testing the ability to detect attacks can be performed on many other Snort rules. With good test criteria and proper network logs, all the Snort rules can be examined and tested in order to determine the performance of the system in detecting threats. Therefore, this project throws light on the scope of security policy design and network