
PACKET SNIFFER

WITH INTRUSION DETECTION

MAIN PROJECT REPORT

Submitted by

ANINA JOSEPH V
GYTHA JOHN ALAPATT
JAIN ROSE KURIAKOSE

KIRAN GEORGE A

in partial fulfillment for the award of the degree


of

BACHELOR OF TECHNOLOGY (B.TECH)


in

COMPUTER SCIENCE & ENGINEERING

of

UNIVERSITY OF CALICUT

Under the guidance of

Mr. ANIL ANTONY

JUNE 2011
Department of Computer Science & Engineering
JYOTHI ENGINEERING COLLEGE, CHERUTHURUTHY
THRISSUR 679 531
Department of Computer Science & Engineering
JYOTHI ENGINEERING COLLEGE, CHERUTHURUTHY
THRISSUR 679 531

JUNE 2011

BONAFIDE CERTIFICATE

Certified that this project report "PACKET SNIFFER WITH INTRUSION DETECTION" being submitted in partial fulfillment of the requirements for the award of the degree of Bachelor of Technology of the University of Calicut is the bonafide work of "ANINA JOSEPH V, GYTHA JOHN ALAPATT, JAIN ROSE KURIAKOSE, KIRAN GEORGE A", who carried out the project work under our supervision.

Prof. Muralee Krishnan C
HOD
Dept. of CSE

Mr. Anil Antony
PROJECT GUIDE
Asst. Professor
Dept. of CSE
CONTENTS

Acknowledgement iii
Abstract iv
List of Figures vi
List of Tables vii
List of Abbreviations viii

1 Introduction 1
1.1 Overview 1
1.2 Motivation and Technical Relevance 3
1.3 Progress of project 3
1.4 Member roles and responsibilities 5
1.5 Layout 5

2 Literature Survey 6
2.1 Documentation 6
2.1.1 Related works 6
2.1.2 Papers 8
2.1.3 Advantages of the proposed system 8
2.2 State of the Art 10

3 Proposed System 11
3.1 Process model 11
3.2 Description of the protocols analysed 12

4 System Requirements Specification 19
4.1 Software Requirements 19
4.2 Hardware Requirements 19
4.3 Description of software 19
4.3.1 JAVA 19
4.3.2 NETBEANS 23
4.4 Description of hardware 26
4.4.1 REALTEK NIC Card 26

5 Design & Analysis 30
5.1 System Analysis 30
5.1.1 Module breakup 30
5.1.2 Member effort 31
5.2 System Design 31
5.2.1 Flow Diagrams 33

6 Implementation 35
6.1 Screen shots 35
6.2 Pseudo code 40
6.3 Limitations 44

7 Testing & Maintenance 45
7.1 Tests 45
7.1.1 Unit testing 46
7.1.2 Integration testing 46
7.2 Maintenance 47

8 Conclusion 48
8.1 Introduction 48
8.2 Future work 49

References 51
ACKNOWLEDGEMENT

We take this opportunity to express our heartfelt gratitude to all the respected personalities who guided, inspired and helped us in the successful completion of this project.

First and foremost, we express our thanks to The Lord Almighty for guiding us in this endeavour and making it a success.

We are thankful to our Principal Dr. U Lazar John and the Management for providing us with excellent lab and infrastructure facilities.

Our sincere thanks to the Head of the Department of Computer Science & Engineering, Prof. Muralee Krishnan C, for his valuable guidance and suggestions.

We would like to express our deepest gratitude to Mr. Anil Antony for his valuable contributions and guidance.

Last but not least, we thank all the teaching and non-teaching staff of the Department of Computer Science & Engineering, and also our friends, for their immense support and help in all the stages of the development of the project.
ABSTRACT

The project's objective is to provide a network tool, designed to run on any platform, that helps the administrator track network resource usage broken down by protocol and by the volume of data transferred over the network. The application is also meant to scan for unsecured content passed on the network. The data can be put to further use as the project proceeds.

This project is aimed at developing a packet sniffer. The sniffer is able to monitor and save files transmitted over the network. The project is scalable to support various protocols. Its practical purpose is to provide monitoring ability for the administrator of a network. It can also be deployed on a home PC by parents to monitor internet access.

The versatility of packet sniffers means they can be used to:

Analyze network problems.

Detect network intrusion attempts.

Gain information for effecting a network intrusion.

Gather and report network statistics.

Filter suspect content from network traffic.

Intrusion detection

Functional components of the project

Packet Capture Module: This module integrates with the jpcap library and provides a method to investigate each packet. It is used to capture packets live or to read packets from a capture file.

Packet Parser Module: This module parses the packet headers and identifies their details. It classifies the packets and identifies which network has been sending or receiving them.

User Interface Module (GUI): This module provides the user interface and the methods that trigger actions on user request. It uses the other two modules to carry out the triggered action.

Intrusion Detection Module: This module detects intrusions into the system. It deals with protecting the network from invasion by unauthorized users.

This project is implemented in Java using the jpcap library.
List of Figures

1.1 Sniffer connected to the LAN 2
1.2 Project Plan 4
3.1 Format of an ARP message 12
3.2 Format of an HTTP message 13
3.3 Format of an IP message 14
3.4 Format of a UDP message 16
3.5 Format of a TCP message 17
3.6 Format of an ICMP message 18
4.1 Realtek NIC card 26
5.1 Data flow diagram of packet sniffer 33
5.2 Data flow diagram of intrusion detection 34
6.1 The Software 35
6.2 Initiating the process 35
6.3 After capturing packets in the network 36
6.4 Transport layer protocol ratio (pie chart) 36
6.5 Transport layer protocol ratio (line graph) 37
6.6 Save the captured packets 37
6.7 Starting intrusion detection 38
6.8 Logs and Warnings 38
6.9 General settings 39
6.10 Add mac 39
List of Tables

1.1 Team Organization 5
3.1 Protocols analysed 12
5.1 Module Description 30
5.2 Module Allocation 31
7.1 Unit test chart 46
List of Abbreviations

ARP : Address Resolution Protocol
RARP : Reverse Address Resolution Protocol
HTTP : Hyper Text Transfer Protocol
SMTP : Simple Mail Transfer Protocol
IP : Internet Protocol
IPv4 : Internet Protocol version 4
UDP : User Datagram Protocol
TCP : Transmission Control Protocol
FTP : File Transfer Protocol
POP3 : Post Office Protocol
ICMP : Internet Control Message Protocol
SSH : Secure Shell
NIC : Network Interface Card
IDS : Intrusion Detection System
IDE : Integrated Development Environment
Packet Sniffer with Intrusion Detection 1

CHAPTER 1

Introduction

1.1 Overview

The project is used to capture network data and to measure the traffic and volume of data, classifying them under different protocols. The application is planned to be programmed in the Java language so that the requirement of platform independence can be achieved. Jpcap is a Java API that provides packet capture on Windows or UNIX systems: it is a Java library to capture and send network packets. Jpcap is open source and supports Windows, Linux, FreeBSD, Solaris and Mac OS X.

A packet sniffer is wiretap software that plugs into a computer network and eavesdrops on the network traffic. A packet sniffer is also known as a network analyzer or protocol analyzer, or, for particular types of networks, an Ethernet sniffer or wireless sniffer. A packet sniffer can intercept and log traffic passing over a digital network or part of a network. As data streams travel back and forth over the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the relevant specifications. However, computer conversations consist of apparently random binary data. Therefore, network wiretap programs also come with a feature known as protocol analysis, which allows them to decode the computer traffic and make sense of it. A packet sniffer can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic. Using the information captured by the packet sniffer, an administrator can identify erroneous packets and use the data to pinpoint bottlenecks and help maintain efficient network data transmission. The project's objective is to provide a network tool designed to run on any platform that helps the administrator track network resource usage broken down by protocol and by the volume of data transferred over the network. The application is also meant to scan for unsecured content passed on the network. The data can be put to further use as the project proceeds. [1]

Jyothi Engineering College Dept. of CSE, 2011



Fig. 1.1: Sniffer connected to the LAN

The term "Intrusion Detection" implies discovering attacks and threats throughout an enterprise, and responding to those discoveries. One method of real-time intrusion detection is to dedicate a system to sniffing packets travelling across a single network segment; usually, the only links that could be monitored this way were Ethernets. Using this methodology, the intrusion detection software is placed on the system, which puts the Ethernet card in "promiscuous mode" so that the software can read and analyze all traffic. It does this by examining both the packet header fields and the packet contents. The intrusion detection software includes an engine which looks for specific types of network attacks, such as IP spoofing and packet floods. When the packet analysis software detects a potential problem it responds immediately by notifying a console, beeping a pager, sending an e-mail, or even shutting down the network session. This category includes products such as WheelGroup's NetRanger, ISS RealSecure, and Network Associates' CyberCop. [2]


1.2 Motivation and Technical Relevance

Though there are several products available to scan and sniff the network, this project is meant to be a lightweight, portable and freely distributable tool for the network administrator. With it the administrator can deal with the challenges of exploitation of the network by malicious applications, unauthorized use of the network, and bandwidth consumption.

Though both the firewall and the intrusion detection system relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.

1.3 Progress of project

First, we conducted the literature survey. Then we designed the system. After that we decided the requirements for the system. Then we completed the study of protocols: we studied in detail the headers of various protocols such as ARP, HTTP, FTP, SMTP, etc. We revised Java basics and began to study Java in detail. After that we began to implement programs in NetBeans. We also wrote the Java program to analyze and dump different protocols. By the month of December we could write the code for sniffing several protocols like ARP, HTTP, TCP, UDP, IPv4, Telnet, SMTP, etc. We also completed the coding for the GUI. After that we started coding for the statistics of the different protocols that are sniffed using our sniffer, including a line graph and a pie chart to show the statistics. After completing the statistics we started coding for intrusion detection. The intrusion detection module can be used to find intruders in the network; this is done by checking MAC addresses. By the end of April we completed our project, packet sniffer with intrusion detection.


Fig. 1.2: Project Plan


1.4 Member roles and responsibilities

Our team consists of four members. The roles are assigned as follows:

Table 1.1: Team Organization

Name                  Role/Responsibility
Anina Joseph V        Leader
Gytha John Alapatt    Designer
Jain Rose Kuriakose   Debugger
Kiran George A        Programmer

Even though we have assigned specific roles, we will be working together during each phase. This provides each of us with complete knowledge of the project.

1.5 Layout

We present here an outline of the contents of the chapters to follow.

Chapter 2 presents the relevant documents referenced during the initial survey of the project concept.

Chapter 3 describes the process model followed and gives a description of the protocols being analysed.

Chapter 4 includes the hardware and software requirements for the project.

Chapter 5 gives an overview of the schedule of the term project work. We have included the member work effort and the module allocation to each member here as per their responsibility. The chapter also presents the general architecture of our project concept.

Chapter 6 includes the program code elements (working implementation) of the project.

Chapter 7 includes the details of the unit tests, integration tests and proposals for future maintenance.

The last chapter, Chapter 8, summarizes the work done in this (final) semester.


CHAPTER 2

Literature Survey

2.1 Documentation

We went through several papers and documents related to packet sniffing.

2.1.1 Related works

The related work includes several sniffers such as the following: [3]

Wireshark: Sniffing the glue that holds the Internet together. Wireshark (known as Ethereal until a trademark dispute in summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk.

Kismet: A powerful wireless sniffer. Kismet is a console (ncurses) based 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use.

Tcpdump: The classic sniffer for network monitoring and data acquisition. It does the job well and with fewer security holes. It also requires fewer system resources. While it doesn't receive new features often, it is actively maintained to fix bugs and portability problems.

Cain and Abel: The top password recovery tool for Windows. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.


Ettercap: In case you still thought switched LANs provide much extra security. Ettercap is a terminal-based network sniffer/interceptor/logger for Ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like SSH and HTTPS).

Dsniff: A suite of powerful network auditing and penetration-testing tools. This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).

NetStumbler: Free Windows 802.11 sniffer. NetStumbler is the best known Windows tool for finding open wireless access points (wardriving). The tool is currently free but Windows-only and no source code is provided.

Ntop: A network traffic usage monitor. Ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status.

Ngrep: Convenient packet matching and display. ngrep strives to provide most of GNU grep's common features, applying them to the network layer. It currently recognizes TCP, UDP and ICMP across Ethernet, etc.

EtherApe: EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, EtherApe displays network activity graphically with a color-coded protocol display.

KisMAC: A GUI passive wireless stumbler for Mac OS X. This popular stumbler for Mac OS X offers many of the features of its namesake Kismet, though the codebase is entirely different. Unlike console-based Kismet, KisMAC offers a pretty GUI and was around before Kismet was ported to OS X.


2.1.2 Papers

IEEE papers:

Network traffic analysis and intrusion detection using packet sniffer. Mohammed Abdul Qadeer, Dept. of Computer Engineering, Aligarh Muslim University, Aligarh 202002, India; Mohammad Zahid, Asst. System Engineer, Tata Consultancy Services, Trivandrum, India; Arshad Iqbal, Scientist B, GTRE, DRDO, Bangalore, India; Misbahur Rahman Siddiqui, Univ. Women's Polytechnic, Aligarh Muslim University, Aligarh 202002, India. 2010 Second International Conference on Communication Software and Networks.

Design and Implementation of V6SNIFF: An Efficient IPv6 Packet Sniffer. Convergence and Hybrid Information Technology, 2008.

Packet Sniffing: A brief introduction. Sabeel Ansari, Rajeev S G, Chandrashekar H S.

An introduction to data capturing. Liqiang Zhang, Huanguo Zhang, Wuhan University, Hubei, China.

Intrusion Detection Methodologies. A white paper by Robert A. Clyde.

2.1.3 Advantages of the proposed system

Easy to understand and use: One of the most important advantages of this approach is that it is a non-intrusive technology (no server log integration, no painful page tagging). So there is no risk in deploying the sniffer into the local network environment of the servers to be tracked. Unlike server logs or page tagging, packet sniffing is completely transparent to the tracked website(s) and is able to produce more complex and higher-quality clickstream data than server logs or page tags. [4]

Platform independent: When Java code is compiled, a byte code is generated which is independent of the system. This byte code is fed to the JVM (Java Virtual Machine) which resides on the system. Since every system has its own JVM, it doesn't matter where you compile the source code. The byte code generated by the compiler can be interpreted by any JVM on any machine. Hence Java is called a platform independent language. Java's bytecodes are designed to be read and interpreted in exactly the same manner on any computer hardware or operating system that supports the Java Runtime Environment. As the packet sniffer is implemented in Java, it is platform independent. [4]

Intrusion detection: In information security, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. When intrusion detection takes a preventive measure without direct human intervention, it becomes an intrusion prevention system. Intrusion detection can be performed manually or automatically. Intrusion prevention is an evolution of intrusion detection. [4]

Light size: Using the packet sniffer, the developer does not need to create special network drivers or to learn the internal implementation of the network functionality. [4]

Free to distribute tool for the network admin: The administrator can easily change the policy enforcements, i.e. it is user-friendly. Moreover, it is not accessible by the clients in the network, which ensures that the security measure cannot be breached in any way. Any number of clients can be added to the network by the administrator and also removed at any point of time. [4]

Portable: Portability is one of the key concepts of high-level programming. Portability is the feature of a software codebase that allows the existing code to be reused instead of creating new code when moving software from one environment to another. The prerequisite for portability is a generalized abstraction between the application logic and the system interfaces. When one is targeting several platforms with the same application, portability is the key issue for development cost reduction. [4]


2.2 State of the Art

The thing with packet sniffers is that they were invented in 1986 (a great innovation and very state of the art at the time) and really haven't changed much since.

A few major deficiencies of the packet sniffer:

1. They are reactive: In the most common scenario, the network team is informed of a performance issue and then tries to track it down by moving the packet sniffer around on the network, taking packet dumps for offline analysis, hoping to catch the right segment. By definition, this reactive process is only effective when there is a reproducible issue, while intermittent issues are almost certain to slip through the cracks.

2. Not enough visibility: Packet sniffers are good at providing detailed data about a single traffic flow; however, they generally can't look across multiple flows and transactions to spot patterns and commonalities. Additionally, the visibility provided by packet sniffers is often restricted to the network layer. For complex applications that have interdependent components across the network, application, database, and storage tiers, the packet sniffer can tell you very little about those; thus we see the common picture of IT owning 50+ different tools and trying to piece all of them together when diagnosing a problem.

3. Very difficult to use: A common shortcoming most often associated with packet sniffers is that it is difficult to find the relevant information within a packet dump. Searching for a problem in a large packet dump is like looking for a snowflake in an avalanche. When it is difficult to find the root cause in a 2-MB packet dump, a 48-terabyte dump (the current state of the art as far as packet analyser technology goes) can be outright daunting. [5]

In our project we are making an efficient packet sniffer that can capture the packets being sent in the network. We are also including an intrusion detection system that can detect unknown computers that enter the network. Thus we are implementing a packet sniffer with an intrusion detection system that will capture the packets entering the network as well as find the intruders in the network.


CHAPTER 3

Proposed System

3.1 Process model

We followed the evolutionary model. It is defined as the model whose stages consist of expanding increments of an operational software product, with the direction of evolution being determined by operational experience. Increments may be delivered to the customer as they are developed.

The development strategy behind an evolutionary process model may be stated in the following simple form:

1. Deliver something to a real user.

2. Measure the added value to the user in all critical dimensions.

3. Adjust both the design and the objectives based on observed realities.

The model is a sequence of code-and-test and integration-and-test stages for the various increments. We start with a step that covers system objectives, architecture, and plan. The development begins with analysis of an increment at the requirements level. Each increment is then separately designed, coded, tested, integrated and delivered.

Prototyping is an evolutionary principle for structuring the life cycle. In our project the evolutionary prototype is progressively transformed into the final application. [6]

We referred to several IEEE papers for the completion of the project.


3.2 Description of the protocols analysed

Table 3.1: Protocols analysed

Layer               Protocols
Application Layer   HTTP, FTP, TELNET, SSH, SMTP, POP3
Transport Layer     TCP, UDP, ICMP
Network Layer       IPv4, IPv6, ARP/RARP

1. ARP: The Address Resolution Protocol is a protocol used by the Internet Protocol, specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol. The protocol operates below the network layer as a part of the interface between the OSI network layer and the OSI link layer. It is used when IPv4 is used over Ethernet.

The term address resolution refers to the process of finding an address of a computer in a network. The address is "resolved" using a protocol in which a piece of information is sent by a client process executing on the local computer to a server process executing on a remote computer. The information received by the server allows the server to uniquely identify the network system for which the address was required and therefore to provide the required address. The address resolution procedure is completed when the client receives a response from the server containing the required address. [4] [7]

Fig. 3.1: Format of an ARP message
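As an added example (not code from the report, whose own implementation is in Java with jpcap), the following Python decodes an Ethernet frame carrying an ARP message laid out as in Fig. 3.1 and then applies the MAC-address check that section 1.3 describes for the intrusion detection module: any sender MAC that is not in the administrator's allowed list is reported as an unknown host. The frames and the allowed list are constructed sample data; the list name, the warning text and the one-report-per-MAC rule are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

ETHERTYPE_ARP = 0x0806
OPCODE_NAMES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}


@dataclass
class ArpMessage:
    hardware_type: int   # 1 = Ethernet
    protocol_type: int   # 0x0800 = IPv4
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> Optional[ArpMessage]:
    """Decode an Ethernet II frame carrying an ARP/RARP message (layout of Fig. 3.1).

    Returns None for non-ARP frames and for frames too short to hold the whole
    message, so a truncated capture cannot crash the sniffer loop.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    body = frame[14:]
    if len(body) < 8:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", body[:8])
    # Only IPv4 over Ethernet (6-byte MAC, 4-byte IP) is decoded here.
    if hlen != 6 or plen != 4 or len(body) < 8 + 2 * (hlen + plen):
        return None
    return ArpMessage(htype, ptype, opcode,
                      _mac_str(body[8:14]), _ip_str(body[14:18]),
                      _mac_str(body[18:24]), _ip_str(body[24:28]))


def detect_unknown_hosts(frames: Iterable[bytes], allowed_macs: Set[str]) -> List[str]:
    """The report's rule: a host whose MAC is not in the administrator's list is
    treated as an intruder. ARP is a natural place to apply it, because every
    host announces its own MAC/IP pair there. Each unknown MAC is reported once."""
    warnings = []
    reported = set()
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None:
            continue                       # not ARP (or malformed): nothing to check
        mac = arp.sender_mac.lower()
        if mac in allowed_macs or mac in reported:
            continue
        reported.add(mac)
        kind = OPCODE_NAMES.get(arp.opcode, f"opcode {arp.opcode}")
        warnings.append(f"WARNING: unknown host {mac} ({arp.sender_ip}) sent {kind}")
    return warnings


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Constructed sample input (not a real capture): Ethernet header + ARP message."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip(s: str) -> bytes:
        return bytes(int(o) for o in s.split("."))

    dst = mac("ff:ff:ff:ff:ff:ff") if opcode == 1 else mac(target_mac)
    eth = dst + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp


# Constructed sample traffic: a known host, an unknown host, and a non-ARP frame.
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e"}            # the administrator's "Add mac" list (assumed name)
SAMPLE_FRAMES = [
    build_arp_frame(1, "00:1a:2b:3c:4d:5e", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp_frame(2, "de:ad:be:ef:00:01", "192.168.1.77", "00:1a:2b:3c:4d:5e", "192.168.1.10"),
    b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 19,   # IPv4 frame, skipped here
]

if __name__ == "__main__":
    for line in detect_unknown_hosts(SAMPLE_FRAMES, ALLOWED_MACS):
        print(line)
```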

2. RARP: The Reverse Address Resolution Protocol is a protocol by which a physical machine in a local area network can request to learn its IP address from a gateway server's Address Resolution Protocol table or cache. A network administrator creates a table in a local area network's gateway router that maps the physical machine (Media Access Control, MAC) addresses to the corresponding Internet Protocol addresses. When a new machine is set up, its RARP client program requests from the RARP server on the router to be sent its IP address. Assuming that an entry has been set up in the router table, the RARP server will return the IP address to the machine, which can store it for future use.

RARP is used by diskless computers to determine their IP address using the network. The RARP message format is very similar to the ARP format. When the booting computer sends the broadcast RARP request, it places its own hardware address in both the sender and target hardware address fields of the encapsulated ARP-format packet. The RARP server fills in the correct sender and target IP addresses in its response to the message. This way, the booting computer learns its IP address when it gets the message from the RARP server. [4] [7]

3. HTTP: The Hypertext Transfer Protocol is an application-level protocol with the lightness and speed necessary for distributed, collaborative, hypermedia information systems. The HTTP protocol is based on a request/response paradigm. A client establishes a connection with a server and sends a request to the server in the form of a request method, URI, and protocol version, followed by a MIME-like message containing request modifiers, client information, and possible body content. The server responds with a status line, including the message's protocol version and a success or error code, followed by a MIME-like message containing server information, entity meta-information, and possible body content. [4] [7]

Fig. 3.2: Format of an HTTP message

4. SMTP: The Simple Mail Transfer Protocol is a TCP/IP protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server. In other words, users typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. Microsoft Exchange includes an SMTP server and can also be set up to include POP3 support. SMTP is usually implemented to operate over port 25. An alternative to SMTP that is widely used in Europe is X.400. Many mail servers now support the Extended Simple Mail Transfer Protocol (ESMTP), which allows multimedia files to be delivered as e-mail. [4] [7]

5. IP:- The Internet Protocol is the principal communications protocol used for relay-
ing datagrams (packets) across an internetwork using the Internet Protocol Suite. Responsible
for routing packets across network boundaries, it is the primary protocol that establishes the
Internet.

IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has
the task of delivering datagrams from the source host to the destination host solely based on
their addresses. For this purpose, IP defines addressing methods and structures for datagram
encapsulation. [4] [7]

Fig. 3.3: Format of an IP message

6. IPv4:- Internet Protocol version 4 (IPv4) is the fourth revision in the development
of the Internet Protocol (IP) and it is the first version of the protocol to be widely deployed.
Together with IPv6, it is at the core of standards-based internetworking methods of the Internet.
IPv4 is still by far the most widely deployed Internet Layer protocol. As of 2011, IPv6
deployment is still in its infancy.

IPv4 is a connectionless protocol for use on packet-switched Link Layer networks (e.g.,
Ethernet). It operates on a best effort delivery model, in that it does not guarantee delivery, nor
does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including
data integrity, are addressed by an upper layer transport protocol (e.g., Transmission Control
Protocol). [4] [7]

7. IPv6:- Internet Protocol version 6 is a version of the Internet Protocol (IP) that is
designed to succeed Internet Protocol version 4 (IPv4). The Internet operates by transferring
data in small packets that are independently routed across networks as specified by an interna-
tional communications protocol known as the Internet Protocol. Each data packet contains two
numeric addresses that are the packet’s origin and destination devices. Since 1981, IPv4 has
been the publicly used version of the Internet Protocol, and it is currently the foundation for
most Internet communications. The Internet’s growth has created a need for more addresses
than IPv4 is capable of. IPv6 allows for vastly more numerical addresses, but switching from
IPv4 to IPv6 may be a difficult process.

IPv6 implements additional features not present in IPv4. It simplifies aspects of ad-
dress assignment (stateless address auto configuration) and network renumbering (prefix and
router announcements) when changing Internet connectivity providers. The IPv6 subnet size
has been standardized by fixing the size of the host identifier portion of an address to 64 bits
to facilitate an automatic mechanism for forming the host identifier from link layer media ad-
dressing information (MAC address). Network security is also integrated into the design of
the IPv6 architecture, and the IPv6 specification mandates support for IPsec as a fundamental
interoperability requirement. [4] [7]

8. UDP:- The User Datagram Protocol (UDP) is one of the core members of the Internet
Protocol Suite, the set of network protocols used for the Internet. With UDP, computer appli-
cations can send messages, in this case referred to as datagrams, to other hosts on an Internet
Protocol (IP) network without requiring prior communications to set up special transmission
channels or data paths.

UDP uses a simple transmission model without implicit hand-shaking dialogues for
providing reliability, ordering, or data integrity. Thus, UDP provides an unreliable service and
datagrams may arrive out of order, appear duplicated, or go missing without notice. UDP
assumes that error checking and correction is either not necessary or performed in the
application, avoiding the overhead of such processing at the network interface level. Time-sensitive
applications often use UDP because dropping packets is preferable to waiting for delayed packets,
which may not be an option in a real-time system. If error correction facilities are needed at
the network interface level, an application may use the Transmission Control Protocol (TCP)
or Stream Control Transmission Protocol (SCTP) which are designed for this purpose. [4] [7]

Fig. 3.4: Format of a UDP message

9. TCP:- The Transmission Control Protocol is one of the core protocols of the Internet
Protocol Suite. TCP is one of the two original components of the suite, complementing the
Internet Protocol (IP), and therefore the entire suite is commonly referred to as TCP/IP. TCP
provides reliable, ordered delivery of a stream of bytes from a program on one computer to
another program on another computer. TCP is the protocol that major Internet applications
rely on, applications such as the World Wide Web, e-mail, and file transfer. Other applications,
which do not require reliable data stream service, may use the User Datagram Protocol (UDP)
which provides a datagram service that emphasizes reduced latency over reliability. TCP pro-
vides a point-to-point channel for applications that require reliable communications. The Hy-
pertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Telnet are all examples of
applications that require a reliable communication channel. [4] [7]

Fig. 3.5: Format of a TCP message

10. FTP:- File Transfer Protocol is a standard network protocol used to copy a file
from one host to another over a TCP-based network, such as the Internet. FTP is built on a
client-server architecture and utilizes separate control and data connections between the client
and server. FTP users may authenticate themselves using a clear-text sign-in protocol but can
connect anonymously if the server is configured to allow it.

The first FTP client applications were interactive command-line tools, implementing
standard commands and syntax. Graphical user interface clients have since been developed for
many of the popular desktop operating systems in use today. [4] [7]

11. POP3:- In computing, the Post Office Protocol (POP) is an application-layer Internet
standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a
TCP/IP connection. POP and IMAP (Internet Message Access Protocol) are the two most
prevalent Internet standard protocols for e-mail retrieval. Virtually all modern e-mail clients
and servers support both. The POP protocol has been developed through several versions, with
version 3 (POP3) being the current standard. Like IMAP, POP3 is supported by most webmail
services such as Hotmail, Gmail and Yahoo! Mail. [4] [7]

12. ICMP:- The Internet Control Message Protocol is one of the core protocols of the
Internet Protocol Suite. It is chiefly used by the operating systems of networked computers to
send error messages indicating, for example, that a requested service is not available or that a
host or router could not be reached. ICMP can also be used to relay query messages.

ICMP differs from transport protocols such as TCP and UDP in that it is not typically
used to exchange data between systems, nor is it regularly employed by end-user network
applications (with the exception of some diagnostic tools like ping and traceroute).

ICMP for Internet Protocol version 4 (IPv4) is also known as ICMPv4. IPv6 has a
similar protocol, ICMPv6. [4] [7]

Fig. 3.6: Format of an ICMP message

13. SSH:- Secure Shell or SSH is a network protocol that allows data to be exchanged
using a secure channel between two networked devices. The two major versions of the pro-
tocol are referred to as SSH1 or SSH-1 and SSH2 or SSH-2. Used primarily on Linux and
Unix based systems to access shell accounts, SSH was designed as a replacement for Telnet
and other insecure remote shells, which send information, notably passwords, in plaintext, ren-
dering them susceptible to packet analysis. The encryption used by SSH is intended to provide
confidentiality and integrity of data over an unsecured network, such as the Internet. [4] [7]

14. TELNET:- Telnet is a network protocol used on the Internet or local area networks to
provide a bidirectional interactive text-oriented communications facility using a virtual terminal
connection. User data is interspersed in-band with Telnet control information in an 8-bit byte
oriented data connection over the Transmission Control Protocol (TCP).

Historically, Telnet provided access to a command-line interface (usually, of an operating
system) on a remote host. Most network equipment and operating systems with a TCP/IP
stack support a Telnet service for remote configuration (including systems based on Windows
NT). Because of security issues with Telnet, its use for this purpose has waned in favor of SSH.

The term telnet may also refer to the software that implements the client part of the
protocol. Telnet client applications are available for virtually all computer platforms. Telnet
is also used as a verb. To telnet means to establish a connection with the Telnet protocol,
either with a command line client or with a programmatic interface. For example, a common
directive might be: “To change your password, telnet to the server, login and run the passwd
command.” [4] [7]

CHAPTER 4

System Requirements Specification

4.1 Software Requirements

1. Platform: Any OS

2. Language: JAVA

3. IDE: NETBEANS

4.2 Hardware Requirements

1. Processor & Speed: Pentium 2.17GHz

2. Min. Required Memory: 2GB RAM, 250GB HDD

3. NIC card: REALTEK

4.3 Description of software

The software is written in Java, and the IDE we used to develop the programs in Java
is NetBeans. The following sections give a detailed description of the Java language and the
NetBeans IDE.

4.3.1 JAVA

Java is a programming language originally developed by James Gosling at Sun Microsystems
(which is now a subsidiary of Oracle Corporation) and released in 1995 as a core
component of Sun Microsystems’ Java platform. The language derives much of its syntax from
C and C++ but has a simpler object model and fewer low-level facilities. Java applications are
typically compiled to bytecode (class file) that can run on any Java Virtual Machine (JVM)
regardless of computer architecture. Java is a general-purpose, concurrent, class-based, object-
oriented language that is specifically designed to have as few implementation dependencies
as possible. It is intended to let application developers “write once, run anywhere”. Java is
currently one of the most popular programming languages in use, and is widely used from
application software to web applications. [8]

Java technology’s versatility, efficiency, platform portability, and security make it the
ideal technology for network computing. From laptops to datacenters, game consoles to scien-
tific supercomputers, cell phones to the Internet, Java is everywhere!

Principles

There were five primary goals in the creation of the Java language:-

1. It should be “simple, object oriented and familiar”.

2. It should be “robust and secure”.

3. It should have “an architecture-neutral and portable environment”.

4. It should execute with “high performance”.

5. It should be “interpreted, threaded, and dynamic”.

Java Platform

One characteristic of Java is portability, which means that computer programs written
in the Java language must run similarly on any supported hardware/operating-system platform.
This is achieved by compiling the Java language code to an intermediate representation called
Java bytecode, instead of directly to platform-specific machine code. Java bytecode instructions
are analogous to machine code, but are intended to be interpreted by a virtual machine
(VM) written specifically for the host hardware. End-users commonly use a Java Runtime En-
vironment (JRE) installed on their own machine for standalone Java applications, or in a Web
browser for Java applets. [8]

Standardized libraries provide a generic way to access host-specific features such as
graphics, threading, and networking.

A major benefit of using bytecode is porting. However, the overhead of interpretation
means that interpreted programs almost always run more slowly than programs compiled to
native executables would. Just-in-Time compilers, which compile bytecode to machine code
at runtime, were introduced from an early stage.

Performance

Programs written in Java have a reputation for being slower and requiring more memory
than those written in C. However, Java programs’ execution speed improved significantly with
the introduction of Just-in-time compilation, the addition of language features supporting better
code analysis, and optimizations in the Java Virtual Machine itself. Currently, Java code has
approximately half the performance of C code.

Some platforms offer direct hardware support for Java; there are microcontrollers that
can run Java in hardware instead of a software JVM, and ARM-based processors can have
hardware support for executing Java bytecode through the Jazelle option. [8]

Automatic memory management

Java uses an automatic garbage collector to manage memory in the object lifecycle.
The programmer determines when objects are created, and the Java runtime is responsible for
recovering the memory once objects are no longer in use. Once no references to an object
remain, the unreachable memory becomes eligible to be freed automatically by the garbage
collector. Something similar to a memory leak may still occur if a programmer’s code holds a
reference to an object that is no longer needed, typically when objects that are no longer needed
are stored in containers that are still in use. If methods for a nonexistent object are called, a
“null pointer exception” is thrown.

One of the ideas behind Java’s automatic memory management model is that program-
mers can be spared the burden of having to perform manual memory management.

Garbage collection may happen at any time. Ideally, it will occur when a program is
idle. It is guaranteed to be triggered if there is insufficient free memory on the heap to allocate
a new object; this can cause a program to stall momentarily. Explicit memory management is
not possible in Java.

Java does not support C/C++ style pointer arithmetic, where object addresses and un-
signed integers (usually long integers) can be used interchangeably. This allows the garbage
collector to relocate referenced objects and ensures type safety and security.

As in C++ and some other object-oriented languages, variables of Java’s primitive data
types are not objects. Values of primitive types are either stored directly in fields (for objects)
or on the stack (for methods) rather than on the heap, as is commonly the case for objects. Because
of this, Java was not considered to be a pure object-oriented programming language. [8]

Syntax

The syntax of Java is largely derived from C++. Unlike C++, which combines the syntax
for structured, generic, and object-oriented programming, Java was built almost exclusively as
an object-oriented language. All code is written inside a class, and everything is an object, with
the exception of the primitive data types (integers, floating-point numbers, boolean values, and
characters), which are not classes for performance reasons.

Java suppresses several features (such as operator overloading and multiple inheritance)
for classes in order to simplify the language and to prevent possible errors and anti-pattern
design.

Java uses similar commenting methods to C++. There are three different styles of com-
ment: a single line style marked with two slashes (//), a multiple line style opened with a slash
asterisk (/*) and closed with an asterisk slash (*/), and the Javadoc commenting style opened
with a slash and two asterisks (/**) and closed with an asterisk slash (*/). The Javadoc style
of commenting allows the user to run the Javadoc executable to compile documentation for the
program. [8]

Applet

Java applets are programs that are embedded in other applications, typically in a Web
page displayed in a Web browser.

Swing application

Swing is a graphical user interface library for the Java SE platform. It is possible to
specify a different look and feel through the pluggable look and feel system of Swing.

4.3.2 NETBEANS

The NetBeans IDE is an award-winning integrated development environment available
for Windows, Mac, Linux, and Solaris. The NetBeans project consists of an open-source IDE
(a free, open-source Integrated Development Environment for software developers; you get
all the tools you need to create professional desktop, enterprise, web, and mobile applications
with the Java platform, as well as C/C++, PHP, JavaScript, Groovy, and Ruby) and an appli-
cation platform that enable developers to rapidly create web, enterprise, desktop, and mobile
applications using the Java platform, as well as JavaFX, PHP, JavaScript and Ajax, Ruby and
Ruby on Rails, Groovy and Grails, and C/C++. [9]

NetBeans refers to both a platform framework for Java desktop applications, and an
integrated development environment (IDE) for developing with Java, JavaScript, PHP, Python,
Ruby, Groovy, C, C++, Scala, Clojure, and others.

The NetBeans IDE is written in Java and can run anywhere a JVM is installed, including
Windows, Mac OS, Linux, and Solaris. A JDK is required for Java development functionality,
but is not required for development in other programming languages.

The NetBeans Platform allows applications to be developed from a set of modular soft-
ware components called modules. Applications based on the NetBeans platform (including the
NetBeans IDE) can be extended by third party developers.

The NetBeans Platform is a reusable framework for simplifying the development of Java
Swing desktop applications. The NetBeans IDE bundle for Java SE contains what is needed
to start developing NetBeans plugins and NetBeans Platform based applications; no additional
SDK is required.

Applications can install modules dynamically. Any application can include the Update
Center module to allow users of the application to download digitally-signed upgrades and new
features directly into the running application. Reinstalling an upgrade or a new release does
not force users to download the entire application again. [9]

The platform offers reusable services common to desktop applications, allowing developers
to focus on the logic specific to their application. Among the features of the platform are:-

1. User interface management (e.g. menus and toolbars)

2. User settings management

3. Storage management (saving and loading any kind of data)

4. Window management

5. Wizard framework (supports step-by-step dialogs)

6. NetBeans Visual Library

7. Integrated Development Tools

The NetBeans IDE is an open-source integrated development environment. NetBeans
IDE supports development of all Java application types (Java SE including JavaFX, Java ME,
web, EJB and mobile applications) out of the box. [4]

Modularity: All the functions of the IDE are provided by modules. Each module pro-
vides a well-defined function, such as support for the Java language, editing, or support for the
CVS and SVN version control systems. NetBeans contains all the modules needed for Java
development in a single download, allowing the user to start working immediately. Modules also allow
NetBeans to be extended. New features, such as support for other programming languages,
can be added by installing additional modules. For instance, Sun Studio, Sun Java Studio En-
terprise, and Sun Java Studio Creator from Sun Microsystems are all based on the NetBeans
IDE. [4]

NetBeans Profiler

The NetBeans Profiler is a tool for the monitoring of Java applications: It helps devel-
opers find memory leaks and optimize speed. Formerly downloaded separately, it is integrated
into the core IDE since version 6.0.

The Profiler is based on a Sun Laboratories research project that was named JFluid.
That research uncovered specific techniques that can be used to lower the overhead of profiling
a Java application. One of those techniques is dynamic bytecode instrumentation, which is
particularly useful for profiling large Java applications. Using dynamic bytecode instrumenta-
tion and additional algorithms, the NetBeans Profiler is able to obtain runtime information on
applications that are too large or complex for other profilers. NetBeans also supports Profiling
Points that let you profile precise points of execution and measure execution time.

JavaScript editor features comprise syntax highlighting, refactoring, code completion
for native objects and functions, generation of JavaScript class skeletons, generation of Ajax
callbacks from a template, and automatic browser compatibility checks.

4.4 Description of hardware

The major hardware requirement is the Realtek NIC card. The following section gives a
brief description of the Realtek NIC card that can be used for capturing the packets in the network.

4.4.1 REALTEK NIC Card

Fig. 4.1: Realtek NIC card

Realtek manufactures and sells a wide variety of products throughout the world, and its
product lines can be broadly categorized into two subdivisions: Communications Network ICs,
and Computer Peripheral and Multimedia ICs. Included among the communications network
IC products manufactured and provided by Realtek are: network interface controllers (both the
traditional 10/100M Ethernet controllers and the more advanced gigabit Ethernet controllers),
physical layer controllers (PHYceivers), network switch controllers, gateway controllers, wireless
LAN ICs, as well as ADSL router controllers. In particular, the RTL8139 series 10/100M
Fast Ethernet controllers reached their height during the late 90s, and continued to take up a
significant, and eventually predominant, share of the worldwide market in the following years. Those
devices categorized as Realtek’s computer peripheral and multimedia IC products consist of
the traditional AC’97 audio codecs, the High Definition Audio codecs, card reader controllers,
clock generators, IEEE 1394 ICs, and LCD controllers. [10]

The most notable Realtek products are 10/100M Ethernet controllers, with a global
market share of 70 percent as of 2003, and AC’97 audio codecs, where Realtek’s market share
is 50 percent, primarily concentrated in the integrated OEM on-board audio market segment.
Presently the ALC850 and RTL8139 are particular OEM favorites, offering low prices, and
basic feature sets. RTL8139-based NICs are dubbed “crab cards” in Taiwan, alluding to the
crab-like appearance of the Realtek logo.

It has been announced or projected, on several different occasions, that Realtek will,
in the future, focus its R&D resources in the field of digital television technologies, as well as
more advanced wireless communications technologies such as ultra-wide band (UWB) com-
munications and the yet-to-be-realized 802.11n standard. It seems clear that Realtek has been
setting its eye on pursuing the Holy Grail of the anticipated new applications and needs derived
from the concept of Digital home proposed by Intel.

A network interface controller (also known as a network interface card, network adapter,
LAN adapter and by similar terms) is a computer hardware component that connects a computer
to a computer network. [11]

Whereas network interface controllers were commonly implemented on expansion cards
that plug into a computer bus, the low cost and ubiquity of the Ethernet standard means that
most newer computers have a network interface built into the motherboard.

The network controller implements the electronic circuitry required to communicate
using a specific physical layer and data link layer standard such as Ethernet, Wi-Fi, or Token
Ring. This provides a base for a full network protocol stack, allowing communication among
small groups of computers on the same LAN and large-scale network communications through
routable protocols, such as IP.

Although other network technologies exist (e.g. token ring), Ethernet has achieved
near-ubiquity since the mid-1990s.

Every Ethernet network controller has a unique 48-bit serial number called a MAC
address, which is stored in read-only memory carried on the card for add-on cards. Every
computer on an Ethernet network must have at least one controller. Each controller must have
a unique MAC address. Normally it is safe to assume that no two network controllers will share
the same address, because controller vendors purchase blocks of addresses from the Institute
of Electrical and Electronics Engineers (IEEE) and assign a unique address to each controller
at the time of manufacture.

The NIC allows computers to communicate over a computer network. It is both an OSI
layer 1 (physical layer) and layer 2 (data link layer) device, as it provides physical access to
a networking medium and provides a low-level addressing system through the use of MAC
addresses. It allows users to connect to each other either by using cables or wirelessly.

Whereas network controllers used to be expansion cards that plugged into a computer
bus, the low cost and ubiquity of the Ethernet standard means that most newer computers have
a network interface built into the motherboard. Newer server motherboards may even have dual
network interfaces built-in. The Ethernet capabilities are either integrated into the motherboard
chipset or implemented via a low cost dedicated Ethernet chip, connected through the PCI (or
the newer PCI express) bus. A separate network card is not required unless additional interfaces
are needed or some other type of network is used.

There are four techniques used to transfer data; the NIC may use one or more of these
techniques.

1. Polling is where the CPU examines the status of the peripheral under program con-
trol.

2. Programmed I/O is where the microprocessor alerts the designated peripheral by
applying its address to the system’s address bus.

3. Interrupt-driven I/O is where the peripheral alerts the microprocessor that it is ready
to transfer data.

4. Direct memory access is where an intelligent peripheral assumes control of the sys-
tem bus to access memory directly. This removes load from the CPU but requires a separate
processor on the card.

An Ethernet network controller typically has an RJ45 socket where the network cable is
connected. Older NICs also supplied BNC or AUI connections. A few LEDs inform the user of
whether the network is active, and whether or not there is data being transmitted on it. Ethernet
network controllers typically support 10 Mbit/s Ethernet, 100 Mbit/s Ethernet, and 1000 Mbit/s
Ethernet varieties. Such controllers are designated 10/100/1000 and this means they can support
a notional maximum transfer rate of 10, 100 or 1000 Megabits per second. [11]

CHAPTER 5

Design & Analysis

5.1 System Analysis

5.1.1 Module breakup

Table 5.1: Module Description

Module                          Description
Module 1: Packet Capture        Capture packets or read packets.
Module 2: Packet Analyzer       Classifies the packets.
Module 3: User Interface        User interface and method to trigger actions.
Module 4: Intrusion Detection   Detect intrusion in the system.

Packet Capture Module: This module is used to capture packets or read packets from a
captured file. This module will integrate with library jpcap and provide a method to investigate
the packet.

Packet Analyzer Module: This module classifies the packets and identifies which net-
work has been sending or receiving these packets. This module will parse the packet header
and identify the details.

User Interface Module (GUI): This module will have the user interface and method to
trigger actions based on user request.

Intrusion Detection Module: Deals with protecting a wireless network from invasion by
unauthorized users. An intrusion detection system (IDS) monitors network traffic for suspicious
activity and alerts the system or network administrator.
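The header formats of Figs. 3.3 to 3.6 and the Packet Analyzer and Intrusion Detection modules described above, worked as an added example that is not the project's own code: a self-contained Java analyzer that decodes Ethernet II, IPv4, TCP, UDP and ICMP headers from a raw frame, verifies the IPv4 header checksum before trusting the addresses, keeps the per-protocol counts behind the ratio charts, and logs a warning whenever a frame arrives from a source MAC that the administrator has not added to the allowed list. The class name, the sample frames and the MAC addresses are constructed for the example.

```java
import java.util.*;
public class FrameAnalyzer {
    // Protocol numbers carried in the IPv4 header's Protocol field.
    static final int PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17;
    // MAC addresses the administrator has entered (the "Add mac" dialog); constructed list.
    final Set<String> allowedMacs = new HashSet<>();
    // Frames seen per transport protocol: the input to the ratio charts.
    final Map<String, Integer> protocolCounts = new TreeMap<>();
    // Alerts raised by the intrusion detection logic ("Logs and Warnings").
    final List<String> warnings = new ArrayList<>();
    static int u16(byte[] f, int off) {
        return ((f[off] & 0xff) << 8) | (f[off + 1] & 0xff);
    }

    static String mac(byte[] f, int o) {
        return String.format("%02x:%02x:%02x:%02x:%02x:%02x", f[o] & 0xff, f[o + 1] & 0xff,
                f[o + 2] & 0xff, f[o + 3] & 0xff, f[o + 4] & 0xff, f[o + 5] & 0xff);
    }

    static String ipv4(byte[] f, int o) {
        return (f[o] & 0xff) + "." + (f[o + 1] & 0xff) + "." + (f[o + 2] & 0xff) + "." + (f[o + 3] & 0xff);
    }

    // RFC 791 header checksum: the one's-complement sum of every 16-bit word of the
    // header, checksum field included, folds to 0xffff when the header is intact.
    static boolean ipv4ChecksumOk(byte[] f, int off, int ihl) {
        int sum = 0;
        for (int i = 0; i < ihl; i += 2) sum += u16(f, off + i);
        while ((sum >> 16) != 0) sum = (sum & 0xffff) + (sum >> 16);
        return sum == 0xffff;
    }

    // Decodes one raw frame, updates the counts and warnings, and returns a
    // one-line summary of the kind a sniffer shows in its packet list.
    String analyze(byte[] f) {
        if (f.length < 14) return "truncated Ethernet frame";
        String srcMac = mac(f, 6);                 // bytes 0-5 hold the destination MAC
        if (!allowedMacs.contains(srcMac)) {
            warnings.add("WARNING: frame from a MAC address not in the allowed list: " + srcMac);
        }
        int etherType = u16(f, 12);
        if (etherType != 0x0800) return String.format("non-IPv4 frame, EtherType 0x%04x", etherType);
        int ip = 14;                               // the IPv4 header follows Ethernet II
        if (f.length < ip + 20 || ((f[ip] >> 4) & 0x0f) != 4) return "malformed IPv4 header";
        int ihl = (f[ip] & 0x0f) * 4;              // header length in bytes (20 to 60)
        if (ihl < 20 || f.length < ip + ihl) return "malformed IPv4 header";
        if (!ipv4ChecksumOk(f, ip, ihl)) return "bad IPv4 header checksum, frame ignored";
        int ttl = f[ip + 8] & 0xff;
        int proto = f[ip + 9] & 0xff;
        String hosts = ipv4(f, ip + 12) + " -> " + ipv4(f, ip + 16);
        int t = ip + ihl;                          // start of the transport header
        switch (proto) {
            case PROTO_TCP:
                if (f.length < t + 20) return "truncated TCP header";
                protocolCounts.merge("TCP", 1, Integer::sum);
                return String.format("TCP %s ports %d -> %d flags 0x%02x ttl %d",
                        hosts, u16(f, t), u16(f, t + 2), f[t + 13] & 0x3f, ttl);
            case PROTO_UDP:
                if (f.length < t + 8) return "truncated UDP header";
                protocolCounts.merge("UDP", 1, Integer::sum);
                return String.format("UDP %s ports %d -> %d length %d",
                        hosts, u16(f, t), u16(f, t + 2), u16(f, t + 4));
            case PROTO_ICMP:
                if (f.length < t + 4) return "truncated ICMP header";
                protocolCounts.merge("ICMP", 1, Integer::sum);
                return String.format("ICMP %s type %d code %d", hosts, f[t] & 0xff, f[t + 1] & 0xff);
            default:
                protocolCounts.merge("other", 1, Integer::sum);
                return "IPv4 " + hosts + " protocol " + proto;
        }
    }

    static byte[] hex(String s) {
        String[] parts = s.trim().split("\\s+");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) out[i] = (byte) Integer.parseInt(parts[i], 16);
        return out;
    }

    public static void main(String[] args) {
        FrameAnalyzer a = new FrameAnalyzer();
        a.allowedMacs.add("00:11:22:33:44:55");   // constructed address of a known host
        // Constructed frames, not captured traffic: Ethernet II, then an IPv4 header
        // whose checksum was computed by hand, then the transport header.
        byte[] syn = hex("aa bb cc dd ee ff 00 11 22 33 44 55 08 00"         // TCP SYN to port 22
            + " 45 00 00 28 00 01 00 00 40 06 f7 73 c0 a8 01 0a c0 a8 01 01"
            + " c3 50 00 16 00 00 00 00 00 00 00 00 50 02 ff ff 00 00 00 00");
        byte[] dns = hex("aa bb cc dd ee ff 66 77 88 99 aa bb 08 00"         // UDP to port 53, unknown MAC
            + " 45 00 00 1c 00 02 00 00 40 11 f7 30 c0 a8 01 4d c0 a8 01 01"
            + " d4 31 00 35 00 08 00 00");
        byte[] corrupted = syn.clone();            // TTL altered in transit, checksum now stale
        corrupted[14 + 8] = (byte) 63;
        for (byte[] frame : new byte[][] { syn, dns, corrupted }) {
            System.out.println(a.analyze(frame));
        }
        System.out.println("protocol counts: " + a.protocolCounts);
        for (String w : a.warnings) System.out.println(w);
    }
}
```

Only the IPv4 header checksum is verified here; the TCP and UDP checksums cover a pseudo-header and the payload and are left to the reader. In a live sniffer the raw bytes handed to analyze() would come from the capture library rather than from the constructed strings.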

5.1.2 Member effort

This section presents each member’s effort in the team. The work-hours are also men-
tioned here alongside the module assigned. Even though we had assigned several responsibil-
ities, we were working together so that we got a better knowledge of the project work.

Table 5.2: Module Allocation

#   Task                  Start Date    End Date      Person
1   Intrusion Detection   05/01/2011    15/04/2011    Anina Joseph V
2   Analysis              09/11/2010    10/03/2011    Gytha John Alapatt
3   Statistics            05/01/2011    15/03/2011    Jain Rose Kuriakose
4   GUI                   09/11/2010    10/04/2011    Kiran George A

5.2 System Design

The required functions are implemented using Jpcap, a library that allows Java programs
to send and receive raw Ethernet frames. Jpcap relies on pcap, a C library that provides a
high-level interface to packet capture systems.

Jpcap is an open source library for capturing and sending network packets from Java
applications. It provides facilities to:

1. Capture raw packets live from the wire.

2. Save captured packets to an offline file, and read captured packets from an offline
file.

3. Automatically identify packet types and generate corresponding Java objects (for
Ethernet, IPv4, IPv6, ARP/RARP, TCP, UDP, and ICMPv4 packets).

4. Filter the packets according to user-specified rules before dispatching them to the
application.

5. Send raw packets to the network

Jpcap is based on libpcap/winpcap, and is implemented in C and Java.

Jpcap has been tested on Microsoft Windows (98/2000/XP/Vista), Linux (Fedora, Ubuntu),
Mac OS X (Darwin), FreeBSD, and Solaris.

Jpcap can be used to develop many kinds of network applications, including (but not limited
to):

1. network and protocol analyzers

2. network monitors

3. traffic loggers

4. traffic generators

5. user-level bridges and routers

6. network intrusion detection systems (NIDS)

7. network scanners

8. security tools

Jpcap captures and sends packets independently of the host protocol stack (e.g., TCP/IP).
This means that Jpcap does not (and cannot) block, filter or manipulate the traffic generated by
other programs on the same machine: it simply "sniffs" the packets that transit on the wire.
Therefore, it does not provide the appropriate support for applications like traffic shapers, QoS
schedulers and personal firewalls. [12]
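As an added example (not the project's own code), the following jpcap program exercises facilities 1, 2 and 4 above: it opens the first device, applies a filter before dispatch, counts transport-layer protocols (the ratio shown in the project's pie and line charts) and dumps the captured packets to an offline file. The class name, the dump file name and the 200-packet limit are assumptions; the jpcap calls are the library's public API.

```java
package jdumper.example;

import java.io.IOException;
import java.util.EnumMap;
import java.util.Map;

import jpcap.JpcapCaptor;
import jpcap.JpcapWriter;
import jpcap.NetworkInterface;
import jpcap.PacketReceiver;
import jpcap.packet.ICMPPacket;
import jpcap.packet.Packet;
import jpcap.packet.TCPPacket;
import jpcap.packet.UDPPacket;

/** Added example: live capture with a filter, protocol counting and an offline dump. */
public class ProtocolRatioCapture implements PacketReceiver {
    enum Proto { TCP, UDP, ICMP, OTHER }

    private final Map<Proto, Integer> counts = new EnumMap<>(Proto.class);
    private final JpcapWriter writer;   // may be null when no dump file is wanted

    ProtocolRatioCapture(JpcapWriter writer) {
        this.writer = writer;
        for (Proto p : Proto.values()) counts.put(p, 0);
    }

    /** Facility 3: jpcap already decoded the packet into a typed Java object. */
    static Proto classify(Packet p) {
        if (p instanceof TCPPacket) return Proto.TCP;
        if (p instanceof UDPPacket) return Proto.UDP;
        if (p instanceof ICMPPacket) return Proto.ICMP;
        return Proto.OTHER;
    }

    @Override
    public void receivePacket(Packet p) {
        counts.merge(classify(p), 1, Integer::sum);
        if (writer != null) writer.writePacket(p);   // facility 2: save to an offline file
    }

    /** Percentage share of each protocol, the number behind the pie/line chart. */
    Map<Proto, Double> ratio() {
        int total = counts.values().stream().mapToInt(Integer::intValue).sum();
        Map<Proto, Double> r = new EnumMap<>(Proto.class);
        for (Proto p : Proto.values())
            r.put(p, total == 0 ? 0.0 : 100.0 * counts.get(p) / total);
        return r;
    }

    public static void main(String[] args) throws IOException {
        NetworkInterface[] devices = JpcapCaptor.getDeviceList();
        if (devices.length == 0) { System.err.println("no capture device found"); return; }
        // facility 1: snaplen 65535 bytes, promiscuous mode, 20 ms read timeout
        JpcapCaptor captor = JpcapCaptor.openDevice(devices[0], 65535, true, 20);
        captor.setFilter("ip", true);   // facility 4: BPF filter applied before dispatch
        JpcapWriter writer = JpcapWriter.openDumpFile(captor, "capture.dump"); // assumed name
        ProtocolRatioCapture stats = new ProtocolRatioCapture(writer);
        captor.processPacket(200, stats);   // assumption: stop after 200 matching packets
        writer.close();
        captor.close();
        stats.ratio().forEach((proto, pct) -> System.out.printf("%-5s %6.2f%%%n", proto, pct));
    }
}
```

Capturing in promiscuous mode needs the same privileges the report's own tool requires (root on Linux, an installed WinPcap driver on Windows).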


5.2.1 Flow Diagrams

Fig. 5.1: Data flow diagram of packet sniffer


Fig. 5.2: Data flow diagram of intrusion detection


CHAPTER 6

Implementation

6.1 Screen shots

Fig. 6.1: The Software

Fig. 6.2: Initiating the process


Fig. 6.3: After capturing packets in the network


Fig. 6.4: Transport layer protocol ratio (pie chart)



Fig. 6.5: Transport layer protocol ratio (line graph)

Fig. 6.6: Save the captured packets


Fig. 6.7: Starting intrusion detection

Fig. 6.8: Logs and Warnings


Fig. 6.9: General settings

Fig. 6.10: Add MAC


6.2 Pseudo code

package jdumper;

import java.io.*;
import java.util.*;

import javax.swing.JOptionPane;

import jdumper.ui.JDFrame;
import jpcap.JpcapCaptor;

public class JpcapDumper {
    // Persistent user settings, loaded from and stored to JpcapDumper.property
    public static Properties JDProperty;

    public static javax.swing.JFileChooser chooser = new javax.swing.JFileChooser();

    // All open capture windows; the application exits when the last one closes
    static Vector<JDFrame> frames = new Vector<JDFrame>();

    public static void main(String[] args) {
        // Check that the native Jpcap library is on the class path before doing anything else
        try {
            Class.forName("jpcap.JpcapCaptor");
        } catch (ClassNotFoundException e) {
            JOptionPane.showMessageDialog(null,
                "Cannot find Jpcap. Please download and install Jpcap before running.");
            System.exit(0);
        }

        JDPacketAnalyzerLoader.loadDefaultAnalyzer();
        JDStatisticsTakerLoader.loadStatisticsTaker();
        loadProperty();

        openNewWindow();
    }

    public static void saveProperty() {
        if (JDProperty == null) return;
        try {
            JDProperty.store(new FileOutputStream("JpcapDumper.property"), "JpcapDumper");
        } catch (IOException e) {
            // Settings are not essential; a failed save is silently ignored
        }
    }

    static void loadProperty() {
        try {
            JDProperty = new Properties();
            JDProperty.load(new FileInputStream("JpcapDumper.property"));
        } catch (IOException e) {
            // No property file yet (first run): keep the empty defaults
        }
    }

    public static void openNewWindow() {
        JDCaptor captor = new JDCaptor();
        frames.add(JDFrame.openNewWindow(captor));
    }

    public static void closeWindow(JDFrame frame) {
        frame.captor.stopCapture();
        frame.captor.saveIfNot();      // offer to save unsaved captured packets
        frame.captor.closeAllWindows();
        frames.remove(frame);
        frame.dispose();
        if (frames.isEmpty()) {
            saveProperty();
            System.exit(0);
        }
    }

    protected void finalize() throws Throwable {
        saveProperty();
    }
}

IDS
package jdumper.ids;

import java.awt.BorderLayout;
import java.awt.CardLayout;

import javax.swing.*;

public class SnifferPacket extends JFrame {
    SnifferEngine snifer;
    CardLayout layout;

    CallAnalyzerPanel analyzerPanelConnections;
    PacketPreview packetViewer;
    Logs logsPanel;
    Settings settingsPanel;
    MenuPanel menuPanel;
    JPanel cardsPanel;

    public SnifferPacket() {
        menuPanel = new MenuPanel(this);
        logsPanel = new Logs(this);
        layout = new CardLayout();
        snifer = new SnifferEngine(this);
        analyzerPanelConnections = new CallAnalyzerPanel(this);
        settingsPanel = new Settings(this);
        packetViewer = new PacketPreview();
        GUIcreation();
    }

    // Builds the main window: one CardLayout panel holding each view, menu on the right
    public void GUIcreation() {
        cardsPanel = new JPanel(layout);
        cardsPanel.add(snifer, "sniferOptions");
        cardsPanel.add(packetViewer, "PacketViewer");
        cardsPanel.add(analyzerPanelConnections, "Statistics");
        cardsPanel.add(logsPanel, "logs");
        cardsPanel.add(settingsPanel, "Settings");
        setSize(1024, 768);
        setLayout(new BorderLayout());
        add(cardsPanel, BorderLayout.CENTER);
        add(new JScrollPane(menuPanel), BorderLayout.EAST);
        setTitle("INTRUSION DETECTION");
        setVisible(true);
        setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
    }

    public static void main(String[] args) {
        try {
            UIManager.setLookAndFeel(UIManager.getSystemLookAndFeelClassName());
        } catch (Exception unused) {
            // Fall back to the default Swing look and feel
        }

        new SnifferPacket();
    }
}


6.3 Limitations

Not all protocols are implemented in our project. The prototype implements only the following:
ARP, HTTP, TCP, UDP, IPv4, TELNET and SMTP. Packet sniffing puts a heavy load on the capturing
server and on the router, so in some situations one of the other bandwidth monitoring technologies
may be worth considering. For certain issues, the location where the sniffing is done makes all the
difference. For instance, if you sniff on a host that is an endpoint of the conversations you are
interested in, you can miss clues about corruption of outgoing packets by the NIC, or silent dropping
of packets. In particular, on modern hardware TCP checksum calculation is typically offloaded to
the NIC, so a capture taken on the sending host sees the packet before the NIC has filled in the
checksum. Only by really sniffing on the wire (e.g. using a hub) do such problems become clear.
If all you have is a hammer, you will treat every problem as a nail: make sure that packet sniffing
and network traffic analysis is the appropriate troubleshooting tool for the issue at hand. Perhaps
the problem can be solved at a higher level, for instance by analysing client and/or server logs, or
by system call traces of the client or server; other problems need a combination of troubleshooting
tools. Often it is not possible to analyse the contents of encrypted traffic (e.g. HTTPS or IMAPS),
and when it is, it is difficult to set up. Then again, that is a major reason for using encryption.
Packet sniffers do little with encrypted packets: at best a sniffer can confirm that a packet crossed
the link, but since the data is encrypted it cannot report in context what the packet contained.


CHAPTER 7

Testing & Maintenance

7.1 Tests

Testing is the process of executing a program with the intent of finding an error. A suc-
cessful test is one that uncovers a yet undiscovered error. Software testing is a critical element
of software quality assurance and represents the ultimate review of specification, design and
coding. Testing is very important to verify the logical and physical operation of all building
blocks. Several bugs were found during preliminary tests; they were corrected and subsequent tests
were carried out until the program became foolproof. [6]

There are many testing principles, namely:

1. All tests should be traceable to customer requirements.

2. Tests should be planned long before testing begins.

3. Testing should begin in the small and progress toward testing in the large.

4. To be most effective, an independent third party should conduct testing. The main ob-
jective of testing is to have the highest likelihood of finding errors with a minimum amount
of time and effort.

Two steps are included for testing the software. They are:

1. Unit testing.

2. Integration testing.


7.1.1 Unit testing

This is the first level of testing. During the design, the system is divided into a number
of small units called modules, and each module is tested against the specification produced
during the design of that module. Unit testing focuses on the correctness of these modules and
hence is also known as module testing.

Unit testing is done to verify the code produced during the coding phase and to
test the internal logic of the modules. Since the proposed system is built from different modules,
testing is performed individually on each module. Using the detailed design description as a
guide, important control paths are tested to uncover errors within the boundary of the modules.
The unit test is white-box oriented and the steps can be conducted in parallel for multiple
components. [6]

This testing was carried out during the programming stage itself. In this testing step each
module was found to be working satisfactorily with regard to the expected output from the module.

7.1: Unit test chart

No   Unit Name                    Test Status
1    Analyser Module              Complete
2    GUI Module                   Complete
3    Dumper Module                Complete
4    Intrusion Detection Module   Complete

7.1.2 Integration testing

When the modules of the system are combined to form the whole system, there
will be the problem of interfacing. Integration testing is a systematic testing technique for
constructing the program structure while conducting tests to uncover errors associated with
interfacing. The modules of the current system are combined using bottom-up, incremental
integration.

Integration testing was carried out in our system by integrating all modules and testing the
combined system. [6]


7.2 Maintenance

In software engineering, 'software maintenance' is the modification of a software prod-
uct after delivery to correct faults, to improve performance or other attributes, or to adapt the
product to a modified environment. The categories of maintenance are corrective, adaptive, perfec-
tive, and preventive.

1. Corrective maintenance: reactive modification of a software product performed
after delivery to correct discovered problems.

2. Adaptive maintenance: modification of a software product performed after delivery
to keep the software product usable in a changed or changing environment.

3. Perfective maintenance: modification of a software product after delivery to improve
performance or maintainability.

4. Preventive maintenance: modification of a software product after delivery to detect
and correct latent faults in the software product before they become effective faults.

Our project has been designed in such a way that future modifications can be carried
out smoothly. The modules are clearly defined so that changes to one module can be applied
without affecting the other module. [6]


CHAPTER 8

Conclusion

8.1 Introduction

A packet sniffer can be used for network traffic monitoring, traffic analysis, trou-
bleshooting and other useful purposes. The packet sniffer developed here is platform independent,
filters suspect content from the network traffic, and gathers and reports network statistics.

A packet sniffer is a program which monitors the network traffic that passes through your
computer. A packet sniffer running on a PC connected to the internet through a modem
can tell you your current IP address as well as the IP addresses of the web servers whose sites
you are visiting.

You can watch all the un-encrypted data that travels from your computer, onto the in-
ternet. This includes passwords and other sensitive data that is not secured by encryption. Put
a packet sniffer on a router on the internet, and you can watch all the network traffic that passes
through that router. This includes absolutely anyone whose data happens to pass through that
router.

Sniffers are basically data interception programs. They work because Ethernet was
built around a principle of sharing. Most networks use what is known as broadcast technology,
meaning that every message transmitted by one computer on a network can be read by any
other computer on that network. In practice, all the other computers, except the one for which
the message is meant, will ignore that message. However, computers can be made to accept
messages, even if they are not meant for them, by means of a sniffer. [1]

An intrusion detection system is a crucial part of the defensive operations that comple-
ments static defenses such as firewalls. Essentially, intrusion detection systems search for
signs of an attack and flag when an intrusion is detected. In some cases they may take an action
to stop the attack by closing the connection, or report the incident for further analysis by net-
work administrators. According to the detection methodology, intrusion detection systems are
typically categorized as misuse detection and anomaly detection systems. From a deployment
perspective, they can be classified as network based or host based, although this distinction is
coming to an end in today's intrusion detection systems, where information is collected from
both network and host resources. In terms of performance, an intrusion detection system be-
comes more accurate as it detects more attacks and raises fewer false alarms. Future advances in
IDS are likely to continue to integrate more information from multiple sources (sensor fusion)
whilst making further use of artificial intelligence to minimize the size of the log files necessary
to support signature databases. Human intervention, however, is certainly necessary and set to
continue for the foreseeable future. [13]

There is a definite need for intrusion detection systems in an overall security infras-
tructure; however, in large organizations, this may be easier said than done. There are many
obstacles to the deployment, configuration, management, and data handling of the various IDS
solutions. Many of these challenges have already been faced and overcome by organizations
that have successfully implemented IDSs.

8.2 Future work

The project is provided as open source, so further requirements can be added to this
application, such as capturing Wi-Fi network packets (with the help of another library) or
detecting torrent and VRML packets.

There are a number of new features that could potentially be added and should be investi-
gated. Among these are:

1. Add the ability to identify gateways and name servers.

2. Add the ability to cache routing information and build a route table.

3. Add the ability to log and display current DHCP leases.

4. Add the ability to track website usage by each host on the network.


5. Allow audio eavesdropping on VoIP phone calls.

The field of intrusion detection is still in its infancy and there are many areas that require
further work. Some of the main problems that need to be addressed in the field are as follows:

1. It is currently impossible to detect misuse in encrypted network traffic. Increasingly,
secure protocols such as secure shell (SSH) and secure HTTP (HTTPS) are being used. When using
these protocols, network traffic is encrypted to defeat the use of packet sniffers on systems
between the client and server. Unfortunately, this also means that an IDS cannot use attack
signatures to detect misuse, because the IDS requires access to the data part of the
packets, not just the headers, to detect intrusions.

2. There is a need to make the IDS itself more resistant to attack. As the popularity
and awareness of intrusion detection systems rises, attackers will concentrate on ways of either
evading or disabling the IDS itself before attacking the rest of the network.

3. Currently most IDS products react to detected attacks merely by logging them or
contacting the system administrator. Ideally, the IDS should be able to take the necessary
actions to deal with the attack itself. This could involve terminating network connections,
blocking IP addresses at the firewall, or, in a military context, launching an attack against the
intruder. Presently, intrusion detection systems are not sufficiently accurate to trust them with
this power. Attackers could actually use the IDS to help with the attack by tricking it into
throwing specific users off the system or closing particular connections. This could be done by
carrying out attacks with the source spoofed as the user to disconnect.

4. When designing host-based intrusion detection systems it has been common practice
for some time to include both misuse detection and anomaly detection. This gives a system with
the benefits of both approaches; it can detect both known attacks and novel attacks. However,
network-based intrusion detection systems usually depend solely on misuse detection. Re-
search should be done into applying both misuse detection and anomaly detection to network
traffic and so producing an IDS with the strengths of both approaches.


REFERENCES
[1] [Online]. Available: http://www.packet-sniffer.net
[2] [Online]. Available: http://www.webopedia.com/TERM/I/intrusion_detection_system.html
[3] [Online]. Available: http://sectools.org/sniffers.html
[4] [Online]. Available: http://en.wikipedia.org/packetsniffing
[5] [Online]. Available: http://www.extrahop.com/category/blog/?p=189
[6] C. Ghezzi, M. Jazayeri, D. Mandrioli, Fundamentals of Software Engineering. Prentice Hall, 2003.
[7] B. A. Forouzan, Data Communications and Networking. The McGraw-Hill Companies, 2006.
[8] H. Schildt, The Complete Reference Java 2. Tata McGraw Hill, 2002.
[9] B. M. Harwani, Java Server Faces. PHI Learning Pvt. Limited, 2009.
[10] [Online]. Available: http://www.realtek.com.tw/
[11] [Online]. Available: http://www.webopedia.com/TERM/N/network_interface_card_NIC.html
[12] [Online]. Available: http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/
[13] [Online]. Available: http://encyclopedia.jrank.org/Intrusion-Detection-Systems.html
