SlideShare una empresa de Scribd logo
1 de 5
Descargar para leer sin conexión
ISSN: 2277 – 9043
        International Journal of Advanced Research in Computer Science and Electronics Engineering
                                                                    Volume 1, Issue 6, August 2012

         “Enterprise Network Traffic Monitoring, Analysis, and Reporting using Winpcap Tool a packet
                                              capturing API ”
                           Navneet Kaur Dhillon[1] , Dept- CSE, C.S.V.T.U, Raipur(C.G) , India, Mob- 09504975229.

                        Mrs. Uzma Ansari[2] Reader, Dept-CSE , C.S.V.T.U , Raipur(C.G) , India , Mob - 09179544414



                               Abstract                                       Networks are most easily managed in terms of the entities we seek to
                                                                              control—such as users, hosts, and access points rather than in terms of
Today’s enterprise networks are composed of multiple types of
                                                                              low-level and often dynamically-allocated addresses. For example, it is
interconnected networks. Operations and management staff must
                                                                              convenient to declare which services a user is allowed to use and to
provide an efficient, reliable and secure operating environment to
                                                                              which machines they can connect. Network policies dictate the nature of
support an organization’s daily activities. Enterprise networks must be
                                                                              connectivity between communicating entities and therefore naturally
monitored for performance, security, and fault management .Current
                                                                              affect the paths that packets take.
management uses the complex, hard-to-learn and hard-to-use tools. We
need a simple, uniform, easy tools for managing networks. Client server
based management promises to provide such solutions. This paper               This is in contrast to today’s networks in which forwarding and filtering
focuses on the use of packet capturing technology like WinPcap and            use different mechanisms rather than a single integrated approach. A
JPcap for the purposes of enterprise network traffic monitoring and           policy might require packets to pass through an intermediate middlebox.
reporting. In this paper, we first examine the requirements for enterprise    Traffic can receive more appropriate service if its path is controlled
network traffic monitoring, analysis and reporting, and then present the      directing real-time communications over lightly loaded paths, important
design and implementation of a network traffic monitoring and                 communications over redundant paths, and private communications over
reporting system.                                                             paths inside a trusted boundary would all lead to better service.

Network traffic Monitoring is a network diagnostic tool that monitors         Today, it is notoriously difficult to reliably determine the origin of a
local area networks and provides a graphical display of network               packet: Addresses are dynamic and change frequently, and they are
statistics.                                                                   easily spoofed. The loose binding between users and their traffic is a
                                                                              constant target for attacks in enterprise networks. This requires a strong
                                                                              binding between a user, and the machine they are using, and the
While collecting information from the network's data stream, Network
                                                                              addresses in the packets they generate.
Monitor displays the following types of information:
                                                                              The purpose of this paper is to provide efficient and reliable secure
       The source address of the computer that sent a frame onto the         enterprise network which will lead to the protected working
        network.                                                              environment

       The destination address of the computer that received the frame.

                                                                              2            REQUIREMENTS
       The protocols used to send the frame.

The process by which Network Monitor collects this information is             In this section we examine some of the most important requirements
called capturing. By default, Network Monitor gathers statistics on all       needed for a client-server based enterprise network monitoring and
the frames it detects on the network into a capture buffer, which is a        reporting system.
reserved storage area in memory. To capture statistics on only a specific
subset of frames, we can single out these frames by designing a capture       Enterprise networks typically consist of network devices such as routers,
filter. To use Network Monitor, our computer must have a network card         bridges, switches, hubs and so on. A network management system must
that supports promiscuous mode.                                               be able to automatically detect all the network devices in an enterprise
                                                                              network. Although the topologies of enterprise networks do not change
Keywords:-      Jpcap , Network traffic , Packet capture , Winpcap .          frequently, they do change occasionally. When the topology changes,
                                                                              the network management system must detect the change and modify the
                                                                              necessary information for proper monitoring and control.

1          INTRODUCTION                                                       The major requirements of this project are

                                                                                      1)   A LAN connection in an enterprise network ( IEEE 802.3
Enterprise networks are corporate computer networks composed of
network devices, systems, and services supporting various corporate                        ethernet connection).
applications. Enterprise networks are growing rapidly in size and                     2)   WinPcap packet capturing library for windows.
complexity because more systems and sophisticated applications run on
them. The most challenging tasks facing network and system                            3)   JPcap Java Packet capture java library.
administrative staff today is to provide an efficient, reliable and secure
computing environment. Administrators today typically use a
management tool to monitor and control their networks. A management           2.1          IEEE 802.3 Ethernet
tool that is easy to learn and operate in a short period of time is
desperately needed.                                                           2.1.1        Definition

                                                                               Ethernet is a family of computer networking technologies for local area
                                                                              networks (LANs) commercially introduced in 1980. Standardized in
Enterprise networks are often large, run a wide variety of applications
                                                                              IEEE 802.3[5], Ethernet has largely replaced competing wired LAN
and protocols, and typically operate under strict reliability and security
                                                                              technologies. Systems communicating over Ethernet divide a stream of
constraints; thus, they represent a challenging environment for network
                                                                              data into individual packets called frames. Each frame contains source
management. Indeed, most networks today require substantial manual
                                                                              and destination addresses and error-checking data so that damaged data
configuration by trained operators to achieve even moderate security .
                                                                              can be detected and re-transmitted. The standards define several wiring


                                                   All Rights Reserved © 2012 IJARCSEE
                                                                                                                                        19
ISSN: 2277 – 9043
                     International Journal of Advanced Research in Computer Science and Electronics Engineering
                                                                                 Volume 1, Issue 6, August 2012

and signaling variants. Data rates were periodically increased from the        Jpcap is an open source library for capturing and sending network
original 10 megabits per second, to 100 gigabits per second.                   packets from Java applications. It provides facilities to:

2.1.2        Ethernet frames                                                             capture raw packets live from the wire.
                                                                                         save captured packets to an offline file, and read captured
A data packet on the wire is called a frame. A frame begins with                          packets from an offline file.
preamble and start frame delimiter, followed by an Ethernet header                       automatically identify packet types and generate
featuring source and destination MAC addresses. The middle section of                     corresponding Java objects (for Ethernet, IPv4, IPv6,
the frame consists of payload data including any headers for other                        ARP/RARP, TCP, UDP, and ICMPv4 packets).
protocols (e.g., Internet Protocol) carried in the frame. The frame ends
with a 32-bit cyclic redundancy check, which is used to detect                           filter the packets according to user-specified rules before
corruption of data in transit.                                                            dispatching them to the application.
                                                                                         send raw packets to the network
2.2          Windows packet capture ( WinPcap )


WinPcap[3]             is the industry-standard tool for link-layer            3          INTRODUCTION TO WINPCAP
network access in Windows environments it allows applications to
capture and transmit network packets bypassing the protocol stack, and
has additional useful features, including kernel-level packet filtering, a
                                                                               The software architecture for packet capture and network analysis for
network statistics engine and support for remote packet capture.
                                                                               Win32 platforms we intend to describe in this paper contains a library
WinPcap consists of a driver, that extends the operating system to
                                                                               (WinPCap)[8], which adds to the operating system the ability to capture
provide low-level network access, and a library that is used to easily
                                                                               efficiently the traffic from different kinds of networks using the network
access the low-level network layers. This library also contains the
                                                                               adapter of the machine. The systems based on Unix platform contain a
Windows version of the well known libpcap Unix API.
                                                                               kernel component used as a capture driver named BPF (Berkeley
                                                                               Packet Filter)[8]. This part of the kernel is the base of the libpcap [9]
WinPcap is the packet capture and filtering engine of many open source         library.
and commercial network tools, including protocol analyzers, network
monitors, network intrusion detection systems[1], sniffers, traffic            Unlike Unix platforms, Windows operating systems haven’t such a
generators and network testers. Some of these tools, like (Wireshark,          component. The implementation of a similar library used to capture data
Nmap, Snort, ntop)[2] are known and used throughout the networking             is more difficult to realize because it calls for an interaction with the
community                                                                      networking part of the kernel. This is more difficult in the ―Microsoft
                                                                               world‖ where kernel source code is not available.
Winpcap.org[3] is also the home of WinDump[3] , the Windows
version of the popular tcpdump[4] tool. WinDump can be used to watch,
diagnose and save to disk network traffic according to various complex
rules. In the field of computer network administration, pcap (packet
capture) consists of an application programming interface (API) for
capturing network traffic. Unix-like systems implement pcap in the
libpcap[9] library; Windows uses a port of libpcap known as WinPcap.

WinPcap consists of:


       x86 and x86-64 drivers for the Windows NT family (Windows NT
        4.0, Windows 2000, Windows XP, Windows Server 2003,
        Windows Vista, Windows 7, etc.), which use NDIS (Network
        Driver Interface Specification) to read packets directly from a
        network adapter;
       implementations of a lower-level library for the listed operating
        systems, to communicate with those drivers;
       a port of libpcap that uses the API offered by the low-level library
        implementations.

2.3          Java packet capture ( JPcap )


Jpcap[14] is based on libpcap/Winpcap, and is implemented in C and
Java Jpcap is a Java library for capturing and sending network packets.
Using Jpcap, we can develop applications to capture packets from a
network interface and visualize/analyze them in Java. Jpcap can capture
Ethernet, IPv4, IPv6, ARP/RARP, TCP, UDP, and ICMPv4 packets[15].

Jpcap is a set of Java classes that provide an interface and system for
network packet capture and also a protocol library and tool for
visualizing         network           traffic       is         included.
Jpcap hides the low-level details of network packet capture by
abstracting many network packet types and protocols into Java classes.
Internally, Jpcap implements bindings to the libpcap system library                      Figure :-1 Logical Structure of WinPcap
through        JNI        (the       Java       Native        Interface).




                                                          All Rights Reserved © 2012 IJARCSEE
                                                                                                                                                        20
ISSN: 2277 – 9043
                    International Journal of Advanced Research in Computer Science and Electronics Engineering
                                                                                Volume 1, Issue 6, August 2012


3.1        WinPCap Structure:-

To capture data from the network, a capture application must directly
interact with the network adapter. Therefore the operating system must
offer a set of primitives for capture with a view to communicate with the
adapter. The purpose of these primitives is to capture network packets
transparently from the point of view of the user and to transfer them to
the calling application.

This part of the kernel should be quick and efficient in order to capture
all the packets in real time without losing information.

The logical architecture of Winpcap is a hierarchical structure on 3
levels (from the network adapter to an application), shown in figure 1.

The Packet Capture Driver is the lowest software level of the capture
structure. It is a part of the kernel and interacts with the network adapter
to obtain captured packets. It supplies the application a set of functions
used to read /write data from the network at data-link level.

Packet.dll[12] works at user level, but it is detached from the capture
application. It is a dynamic link library that separates the application
from capture driver providing a system-independent capture interface. It
allows user’s application to be executed on different Windows operating
systems without being recompiled. It represents a set of API functions
used to access the capture driver directly.

WinPCap.dll[13] (the third level) is a static library that is used by the
packet captures part of the application. It uses the services exported by
Packet.dll, and provides the applications a higher level and a powerful
capture interface. It is statically linked; it means it is part of the
application that uses it.

The user interface is the highest part of the capture application. It
manages the interaction with the user and displays the result of a
capture.

3.3        The working of a WinPCap

The WinPCap action is based on packets capture at the network adapter
level. Therefore, any application using WinPCap must follow the steps
summarized below:

          Specify the network adapter which will be used for capture
          Initialize winpcap (mention the network adapter if the
           capture is on-line)
          Offer a pattern for the captured data (a TCP/IP structure for
           example), so it can be done a cast at this pattern and obtain
           significant information (complex applications offer patterns
           for majority protocols)
           Analyze captured data according with the application type
           (captured data can be saved and processed off-line)
          Close the capture session
                                                                               Figure:- 2 Flow Chart describing the working of Winpcap

                                                                               The second technique uses the function pcap_lookupdev() to extract the
                                                                               list of all the adapters presented on current machine:
The main functions performed by winPcap are :-
                                                                               int main()
The first step in using the WinPCap Library is to select a network             {
adapter. This adapter can be specified in two ways. The first way is by        char *dev, errbuf[PCAP_ERRBUF_SIZE];
adding its name as argument in the command line (this works with a             dev = pcap_lookupdev(errbuf);
trivial application).
                                                                               printf("Network Adapters:%sn", dev);
int main(int argc, char *argv[])                                               return(0);
{                                                                              }
char *dev = argv[1];
printf("Network Adapter: %sn", dev);                                          pcap_open_live() this WinPCap function opens a capture session. It
return(0);                                                                     returns a handler to the current session and it is used for on-line capture.
}                                                                              A similar function is used to retrieve saved datapcap_ open_offline().




                                                         All Rights Reserved © 2012 IJARCSEE
                                                                                                                                                       21
ISSN: 2277 – 9043
                     International Journal of Advanced Research in Computer Science and Electronics Engineering
                                                                                 Volume 1, Issue 6, August 2012

The pcap_open_live() function specifies the network adapter(dev) and
sets it to normal/ promiscuous mode .

An important feature of WinPCap Library is that it can filter the traffic.

To filter the traffic, WinPCap Library offers two functions:
pcap_compile() and pcap_setfilter().

The WinPCap Library contains the function pcap_lookupnet() which
retrieves IP address and mask of a specified network adapter.

There are two techniques for capture data. The first technique uses the
function pcap_next() to capture only one packet.

The second technique uses a loop to capture all packets received this
time. pcap_dispatch() or pcap_loop().

The call pcap_loop() is used in simple applications, while
pcap_dispatch() is normally preferred in a more complex program.

In the process_packet() function, we could get the size of TCP payload
one of our sampled parameters.

The working of WinPcap is shown in figure 2.

3.4           The Network traffic monitoring Application

The network traffic monitoring application is an interactive tool which           Figure:- 2 Snap Short Showing captured packets report
uses the WinPCap architecture and C/C++ calls for packet captures.
Although we used for its interface the MFC (Microsoft Foundation              The following figure is the main application part of the interface. Which
Class) functions, the network traffic monitoring has a certain degree of      shows the captured packets in a network. The processes of packet
independence from the OS, by using the ―compatible‖ calls of WinPCap.         capturing discussed in previous section is implemented here and shows
Use of threads reduces somehow the predictability of application              the result of application. Which displays the port number , the type of a
behaviour only to systems similar to Windows NT, 2000 or XP.
                                                                              packet to be captured and this field can be selected according to the use
                                                                              with the help of a filter provided by the interface. The use of this filter is
                                                                              to select the particular type of Packet type which we want to capture.
The tool is just a preliminary step; it achieves the capture of all packets   This interface shows the source MAC address , Destination MAC
in the network and the specification of their type. For ―standard‖ packet     address , source IP address and port and destination IP address and port
types like TCP/IP and UDP the component fields of the headers are             number. The snap short in figure 4 shows the spoofed packets
specified, shaped as a tree structure.                                        In the network

A snapshot obtained during a capture session is shown in figure 3.




3.5           Report Generation

         1)     Traffic monitoring graphs.
         2)     Reports generating detection of spoofed packets




                                                                                  Figure:- 3 Snap Short showing spoofed packets report




                                                         All Rights Reserved © 2012 IJARCSEE
                                                                                                                                                        22
ISSN: 2277 – 9043
                    International Journal of Advanced Research in Computer Science and Electronics Engineering
                                                                                Volume 1, Issue 6, August 2012

4          CONCLUSION                                                         ABOUT THE AUTHORS

This application has been used to test the capturing capabilities of API      Navneet Kaur Dhillon[1]
and the result of the monitoring is up to mark as it captures all types of    M.tech Scholar at RITEE
packets demanded by the interface. The article presents a simple way of       AFFILATED TO CSVTU
capturing the network traffic using the functions supplied by the
WinPCap Architecture. This application contains a lot of useful               Mrs. Uzma Ansari[2]
primitives and it also provide facilities to capture the spoofed packets      ( Reader H.O.D CSE at RITEE)
and analyze them and to protect our network from intrusions. This paper       AFFILATED TO CSVTU
focuses on the overall load in a particular node the traffic coming to the
particular node is reported in figure 3 and also the capturing of spoofed
packets that can cause harm to our enterprise is reported in figure 4.

5          Refrences:-

[1]iac.dtic.mil/iatac/download/intrusion_detection.pdf

[2] sectools.org/tag/sniffers/

[3] www.winpcap.org/

[4]www.carnal0wnage.com/papers/TCPdumpBasics.pdf

[5]en.wikipedia.org/wiki/IEEE_802.3

[6] Rethinking Enterprise Network Control Mart´ın Casado, Member,
IEEE, Michael J.    Freedman, Member, IEEE, Justin Pettit, Member,
IEEE, Jianying Luo, Member, IEEE, Natasha Gude, Member, IEEE,
Nick McKeown, Fellow, IEEE, and Scott Shenker, Fellow, IEEE.

[7]A SIMPLE WAY TO CAPTURE NETWORK TRAFFIC: THE
WINDOWS PACKET CAPTURE (WINPCAP) ARCHITECTURE
Mihai Dorobanţu, M.Sc., Mihai L. Mocanu, Ph.D.

[8] An Architecture for High Performance Network Analysis Fulvio
Risso and Loris Degioanni Dipartimento di Automatica e Informatica –
Politecnico di Torino

[9] Plab: a packet capture and analysis architecture Alberto Dainotti and
     Antonio Pescap.

[10] NetCap: A Packet Sniffer in Java 1Rajan Parmar, 2Hetal Patel
      1,2Nirma University, Ahmedabad, India.

[11] Detecting Spoofed Packets Steven J. Templeton, Karl E. Levitt
Department of Computer Science U.C. Davis

[12]www.winpcap.org/docs/docs_41b5/html/group__packetapi.html

[13]dll.paretologic.com/detail.php/wpcap

[14]netresearch.ics.uci.edu/kfujii/Jpcap/doc/tutorial/index.html

[15] IP Monitoring and Filtering By Gnanambal Chithambaram,
       Sandeep Dubey Smrithi Barrenkula , Subraja Krishnamurthy ,
       Sucheta P Kodali




                                                         All Rights Reserved © 2012 IJARCSEE
                                                                                                             23

Más contenido relacionado

La actualidad más candente

IRJET- Security Analysis and Improvements to IoT Communication Protocols ...
IRJET-  	  Security Analysis and Improvements to IoT Communication Protocols ...IRJET-  	  Security Analysis and Improvements to IoT Communication Protocols ...
IRJET- Security Analysis and Improvements to IoT Communication Protocols ...IRJET Journal
 
A PROJECT REPORT ON SECURED FUZZY BASED ROUTING FRAMEWORK FOR DYNAMIC WIRELES...
A PROJECT REPORT ON SECURED FUZZY BASED ROUTING FRAMEWORK FOR DYNAMIC WIRELES...A PROJECT REPORT ON SECURED FUZZY BASED ROUTING FRAMEWORK FOR DYNAMIC WIRELES...
A PROJECT REPORT ON SECURED FUZZY BASED ROUTING FRAMEWORK FOR DYNAMIC WIRELES...DMV SAI
 
Ijartes v1-i2-007
Ijartes v1-i2-007Ijartes v1-i2-007
Ijartes v1-i2-007IJARTES
 
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...IJNSA Journal
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Performance Analysis of Wireless Trusted Software Defined Networks
Performance Analysis of Wireless Trusted Software Defined NetworksPerformance Analysis of Wireless Trusted Software Defined Networks
Performance Analysis of Wireless Trusted Software Defined NetworksIRJET Journal
 
Routing security in ad hoc wireless network
Routing security in ad hoc wireless networkRouting security in ad hoc wireless network
Routing security in ad hoc wireless networkElanthendral Mariappan
 
Enhancing Data Transmission and Protection in Wireless Sensor Node- A Review
Enhancing Data Transmission and Protection in Wireless Sensor Node- A ReviewEnhancing Data Transmission and Protection in Wireless Sensor Node- A Review
Enhancing Data Transmission and Protection in Wireless Sensor Node- A ReviewIRJET Journal
 
Efficient radio resource allocation scheme for 5G networks with device-to-devi...
Efficient radio resource allocation scheme for 5G networks with device-to-devi...Efficient radio resource allocation scheme for 5G networks with device-to-devi...
Efficient radio resource allocation scheme for 5G networks with device-to-devi...IJECEIAES
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityIAEME Publication
 
710201940
710201940710201940
710201940IJRAT
 
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...IRJET Journal
 

La actualidad más candente (20)

20 74-1-pb
20 74-1-pb20 74-1-pb
20 74-1-pb
 
IRJET- Security Analysis and Improvements to IoT Communication Protocols ...
IRJET-  	  Security Analysis and Improvements to IoT Communication Protocols ...IRJET-  	  Security Analysis and Improvements to IoT Communication Protocols ...
IRJET- Security Analysis and Improvements to IoT Communication Protocols ...
 
557 562
557 562557 562
557 562
 
A PROJECT REPORT ON SECURED FUZZY BASED ROUTING FRAMEWORK FOR DYNAMIC WIRELES...
A PROJECT REPORT ON SECURED FUZZY BASED ROUTING FRAMEWORK FOR DYNAMIC WIRELES...A PROJECT REPORT ON SECURED FUZZY BASED ROUTING FRAMEWORK FOR DYNAMIC WIRELES...
A PROJECT REPORT ON SECURED FUZZY BASED ROUTING FRAMEWORK FOR DYNAMIC WIRELES...
 
Ijartes v1-i2-007
Ijartes v1-i2-007Ijartes v1-i2-007
Ijartes v1-i2-007
 
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...
 
Cloud Models
Cloud ModelsCloud Models
Cloud Models
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Secure final
Secure finalSecure final
Secure final
 
Final report
Final reportFinal report
Final report
 
Performance Analysis of Wireless Trusted Software Defined Networks
Performance Analysis of Wireless Trusted Software Defined NetworksPerformance Analysis of Wireless Trusted Software Defined Networks
Performance Analysis of Wireless Trusted Software Defined Networks
 
Routing security in ad hoc wireless network
Routing security in ad hoc wireless networkRouting security in ad hoc wireless network
Routing security in ad hoc wireless network
 
Is3116341640
Is3116341640Is3116341640
Is3116341640
 
middleware
middlewaremiddleware
middleware
 
395 401
395 401395 401
395 401
 
Enhancing Data Transmission and Protection in Wireless Sensor Node- A Review
Enhancing Data Transmission and Protection in Wireless Sensor Node- A ReviewEnhancing Data Transmission and Protection in Wireless Sensor Node- A Review
Enhancing Data Transmission and Protection in Wireless Sensor Node- A Review
 
Efficient radio resource allocation scheme for 5G networks with device-to-devi...
Efficient radio resource allocation scheme for 5G networks with device-to-devi...Efficient radio resource allocation scheme for 5G networks with device-to-devi...
Efficient radio resource allocation scheme for 5G networks with device-to-devi...
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network security
 
710201940
710201940710201940
710201940
 
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...
IRJET- Detection and Prevention Methodology for Dos Attack in Mobile Ad-Hoc N...
 

Similar a 19 23

A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEKate Campbell
 
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEIRJET Journal
 
Multi port network ethernet performance improvement techniques
Multi port network ethernet performance improvement techniquesMulti port network ethernet performance improvement techniques
Multi port network ethernet performance improvement techniquesIJARIIT
 
Networking tutorial
Networking tutorialNetworking tutorial
Networking tutorialajaymane22
 
Basic networking tutorial
Basic networking tutorialBasic networking tutorial
Basic networking tutorialRodel Morales
 
fmxhnkmcjbg,lBasics of network
fmxhnkmcjbg,lBasics of networkfmxhnkmcjbg,lBasics of network
fmxhnkmcjbg,lBasics of networkammulu99
 
Crypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
Crypto Mark Scheme for Fast Pollution Detection and Resistance over NetworkingCrypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
Crypto Mark Scheme for Fast Pollution Detection and Resistance over NetworkingIRJET Journal
 
Design Issues and Challenges in Wireless Sensor Networks
Design Issues and Challenges in Wireless Sensor NetworksDesign Issues and Challenges in Wireless Sensor Networks
Design Issues and Challenges in Wireless Sensor NetworksKhushbooGupta145
 
A Decentralized Application for Secure Private and Group Messaging in a Peer-...
A Decentralized Application for Secure Private and Group Messaging in a Peer-...A Decentralized Application for Secure Private and Group Messaging in a Peer-...
A Decentralized Application for Secure Private and Group Messaging in a Peer-...IRJET Journal
 

Similar a 19 23 (20)

A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
 
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICEA SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
A SURVEY OF COMPUTER NETWORKING THEORY AND PRACTICE
 
Final_Report
Final_ReportFinal_Report
Final_Report
 
Essay On Ethernet
Essay On EthernetEssay On Ethernet
Essay On Ethernet
 
Smart x
Smart xSmart x
Smart x
 
En35793797
En35793797En35793797
En35793797
 
Multi port network ethernet performance improvement techniques
Multi port network ethernet performance improvement techniquesMulti port network ethernet performance improvement techniques
Multi port network ethernet performance improvement techniques
 
Networking tutorial
Networking tutorialNetworking tutorial
Networking tutorial
 
Basic lecture
Basic lectureBasic lecture
Basic lecture
 
Jq2416671672
Jq2416671672Jq2416671672
Jq2416671672
 
Ii2514901494
Ii2514901494Ii2514901494
Ii2514901494
 
Cn
CnCn
Cn
 
Cnetworks
CnetworksCnetworks
Cnetworks
 
Basic networking tutorial
Basic networking tutorialBasic networking tutorial
Basic networking tutorial
 
fmxhnkmcjbg,lBasics of network
fmxhnkmcjbg,lBasics of networkfmxhnkmcjbg,lBasics of network
fmxhnkmcjbg,lBasics of network
 
Crypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
Crypto Mark Scheme for Fast Pollution Detection and Resistance over NetworkingCrypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
Crypto Mark Scheme for Fast Pollution Detection and Resistance over Networking
 
Dos unit1
Dos unit1Dos unit1
Dos unit1
 
Design Issues and Challenges in Wireless Sensor Networks
Design Issues and Challenges in Wireless Sensor NetworksDesign Issues and Challenges in Wireless Sensor Networks
Design Issues and Challenges in Wireless Sensor Networks
 
A Decentralized Application for Secure Private and Group Messaging in a Peer-...
A Decentralized Application for Secure Private and Group Messaging in a Peer-...A Decentralized Application for Secure Private and Group Messaging in a Peer-...
A Decentralized Application for Secure Private and Group Messaging in a Peer-...
 
Fe24972976
Fe24972976Fe24972976
Fe24972976
 

Más de Ijarcsee Journal (20)

130 133
130 133130 133
130 133
 
122 129
122 129122 129
122 129
 
116 121
116 121116 121
116 121
 
109 115
109 115109 115
109 115
 
104 108
104 108104 108
104 108
 
99 103
99 10399 103
99 103
 
93 98
93 9893 98
93 98
 
88 92
88 9288 92
88 92
 
82 87
82 8782 87
82 87
 
78 81
78 8178 81
78 81
 
73 77
73 7773 77
73 77
 
65 72
65 7265 72
65 72
 
58 64
58 6458 64
58 64
 
52 57
52 5752 57
52 57
 
46 51
46 5146 51
46 51
 
41 45
41 4541 45
41 45
 
36 40
36 4036 40
36 40
 
28 35
28 3528 35
28 35
 
24 27
24 2724 27
24 27
 
16 18
16 1816 18
16 18
 

Último

VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 

Último (20)

VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 

19 23

  • 1. ISSN: 2277 – 9043 International Journal of Advanced Research in Computer Science and Electronics Engineering Volume 1, Issue 6, August 2012 “Enterprise Network Traffic Monitoring, Analysis, and Reporting using Winpcap Tool a packet capturing API ” Navneet Kaur Dhillon[1] , Dept- CSE, C.S.V.T.U, Raipur(C.G) , India, Mob- 09504975229. Mrs. Uzma Ansari[2] Reader, Dept-CSE , C.S.V.T.U , Raipur(C.G) , India , Mob - 09179544414 Abstract Networks are most easily managed in terms of the entities we seek to control—such as users, hosts, and access points rather than in terms of Today’s enterprise networks are composed of multiple types of low-level and often dynamically-allocated addresses. For example, it is interconnected networks. Operations and management staff must convenient to declare which services a user is allowed to use and to provide an efficient, reliable and secure operating environment to which machines they can connect. Network policies dictate the nature of support an organization’s daily activities. Enterprise networks must be connectivity between communicating entities and therefore naturally monitored for performance, security, and fault management .Current affect the paths that packets take. management uses the complex, hard-to-learn and hard-to-use tools. We need a simple, uniform, easy tools for managing networks. Client server based management promises to provide such solutions. This paper This is in contrast to today’s networks in which forwarding and filtering focuses on the use of packet capturing technology like WinPcap and use different mechanisms rather than a single integrated approach. A JPcap for the purposes of enterprise network traffic monitoring and policy might require packets to pass through an intermediate middlebox. reporting. In this paper, we first examine the requirements for enterprise Traffic can receive more appropriate service if its path is controlled network traffic monitoring, analysis and reporting, and then present the directing real-time communications over lightly loaded paths, important design and implementation of a network traffic monitoring and communications over redundant paths, and private communications over reporting system. paths inside a trusted boundary would all lead to better service. Network traffic Monitoring is a network diagnostic tool that monitors Today, it is notoriously difficult to reliably determine the origin of a local area networks and provides a graphical display of network packet: Addresses are dynamic and change frequently, and they are statistics. easily spoofed. The loose binding between users and their traffic is a constant target for attacks in enterprise networks. This requires a strong binding between a user, and the machine they are using, and the While collecting information from the network's data stream, Network addresses in the packets they generate. Monitor displays the following types of information: The purpose of this paper is to provide efficient and reliable secure  The source address of the computer that sent a frame onto the enterprise network which will lead to the protected working network. environment  The destination address of the computer that received the frame. 2 REQUIREMENTS  The protocols used to send the frame. The process by which Network Monitor collects this information is In this section we examine some of the most important requirements called capturing. By default, Network Monitor gathers statistics on all needed for a client-server based enterprise network monitoring and the frames it detects on the network into a capture buffer, which is a reporting system. reserved storage area in memory. To capture statistics on only a specific subset of frames, we can single out these frames by designing a capture Enterprise networks typically consist of network devices such as routers, filter. To use Network Monitor, our computer must have a network card bridges, switches, hubs and so on. A network management system must that supports promiscuous mode. be able to automatically detect all the network devices in an enterprise network. Although the topologies of enterprise networks do not change Keywords:- Jpcap , Network traffic , Packet capture , Winpcap . frequently, they do change occasionally. When the topology changes, the network management system must detect the change and modify the necessary information for proper monitoring and control. 1 INTRODUCTION The major requirements of this project are 1) A LAN connection in an enterprise network ( IEEE 802.3 Enterprise networks are corporate computer networks composed of network devices, systems, and services supporting various corporate ethernet connection). applications. Enterprise networks are growing rapidly in size and 2) WinPcap packet capturing library for windows. complexity because more systems and sophisticated applications run on them. The most challenging tasks facing network and system 3) JPcap Java Packet capture java library. administrative staff today is to provide an efficient, reliable and secure computing environment. Administrators today typically use a management tool to monitor and control their networks. A management 2.1 IEEE 802.3 Ethernet tool that is easy to learn and operate in a short period of time is desperately needed. 2.1.1 Definition Ethernet is a family of computer networking technologies for local area networks (LANs) commercially introduced in 1980. Standardized in Enterprise networks are often large, run a wide variety of applications IEEE 802.3[5], Ethernet has largely replaced competing wired LAN and protocols, and typically operate under strict reliability and security technologies. Systems communicating over Ethernet divide a stream of constraints; thus, they represent a challenging environment for network data into individual packets called frames. Each frame contains source management. Indeed, most networks today require substantial manual and destination addresses and error-checking data so that damaged data configuration by trained operators to achieve even moderate security . can be detected and re-transmitted. The standards define several wiring All Rights Reserved © 2012 IJARCSEE 19
  • 2. ISSN: 2277 – 9043 International Journal of Advanced Research in Computer Science and Electronics Engineering Volume 1, Issue 6, August 2012 and signaling variants. Data rates were periodically increased from the Jpcap is an open source library for capturing and sending network original 10 megabits per second, to 100 gigabits per second. packets from Java applications. It provides facilities to: 2.1.2 Ethernet frames  capture raw packets live from the wire.  save captured packets to an offline file, and read captured A data packet on the wire is called a frame. A frame begins with packets from an offline file. preamble and start frame delimiter, followed by an Ethernet header  automatically identify packet types and generate featuring source and destination MAC addresses. The middle section of corresponding Java objects (for Ethernet, IPv4, IPv6, the frame consists of payload data including any headers for other ARP/RARP, TCP, UDP, and ICMPv4 packets). protocols (e.g., Internet Protocol) carried in the frame. The frame ends with a 32-bit cyclic redundancy check, which is used to detect  filter the packets according to user-specified rules before corruption of data in transit. dispatching them to the application.  send raw packets to the network 2.2 Windows packet capture ( WinPcap ) WinPcap[3] is the industry-standard tool for link-layer 3 INTRODUCTION TO WINPCAP network access in Windows environments it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a The software architecture for packet capture and network analysis for network statistics engine and support for remote packet capture. Win32 platforms we intend to describe in this paper contains a library WinPcap consists of a driver, that extends the operating system to (WinPCap)[8], which adds to the operating system the ability to capture provide low-level network access, and a library that is used to easily efficiently the traffic from different kinds of networks using the network access the low-level network layers. This library also contains the adapter of the machine. The systems based on Unix platform contain a Windows version of the well known libpcap Unix API. kernel component used as a capture driver named BPF (Berkeley Packet Filter)[8]. This part of the kernel is the base of the libpcap [9] WinPcap is the packet capture and filtering engine of many open source library. and commercial network tools, including protocol analyzers, network monitors, network intrusion detection systems[1], sniffers, traffic Unlike Unix platforms, Windows operating systems haven’t such a generators and network testers. Some of these tools, like (Wireshark, component. The implementation of a similar library used to capture data Nmap, Snort, ntop)[2] are known and used throughout the networking is more difficult to realize because it calls for an interaction with the community networking part of the kernel. This is more difficult in the ―Microsoft world‖ where kernel source code is not available. Winpcap.org[3] is also the home of WinDump[3] , the Windows version of the popular tcpdump[4] tool. WinDump can be used to watch, diagnose and save to disk network traffic according to various complex rules. In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap[9] library; Windows uses a port of libpcap known as WinPcap. WinPcap consists of:  x86 and x86-64 drivers for the Windows NT family (Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, etc.), which use NDIS (Network Driver Interface Specification) to read packets directly from a network adapter;  implementations of a lower-level library for the listed operating systems, to communicate with those drivers;  a port of libpcap that uses the API offered by the low-level library implementations. 2.3 Java packet capture ( JPcap ) Jpcap[14] is based on libpcap/Winpcap, and is implemented in C and Java Jpcap is a Java library for capturing and sending network packets. Using Jpcap, we can develop applications to capture packets from a network interface and visualize/analyze them in Java. Jpcap can capture Ethernet, IPv4, IPv6, ARP/RARP, TCP, UDP, and ICMPv4 packets[15]. Jpcap is a set of Java classes that provide an interface and system for network packet capture and also a protocol library and tool for visualizing network traffic is included. Jpcap hides the low-level details of network packet capture by abstracting many network packet types and protocols into Java classes. Internally, Jpcap implements bindings to the libpcap system library Figure :-1 Logical Structure of WinPcap through JNI (the Java Native Interface). All Rights Reserved © 2012 IJARCSEE 20
  • 3. ISSN: 2277 – 9043 International Journal of Advanced Research in Computer Science and Electronics Engineering Volume 1, Issue 6, August 2012 3.1 WinPCap Structure:- To capture data from the network, a capture application must directly interact with the network adapter. Therefore the operating system must offer a set of primitives for capture with a view to communicate with the adapter. The purpose of these primitives is to capture network packets transparently from the point of view of the user and to transfer them to the calling application. This part of the kernel should be quick and efficient in order to capture all the packets in real time without losing information. The logical architecture of Winpcap is a hierarchical structure on 3 levels (from the network adapter to an application), shown in figure 1. The Packet Capture Driver is the lowest software level of the capture structure. It is a part of the kernel and interacts with the network adapter to obtain captured packets. It supplies the application a set of functions used to read /write data from the network at data-link level. Packet.dll[12] works at user level, but it is detached from the capture application. It is a dynamic link library that separates the application from capture driver providing a system-independent capture interface. It allows user’s application to be executed on different Windows operating systems without being recompiled. It represents a set of API functions used to access the capture driver directly. WinPCap.dll[13] (the third level) is a static library that is used by the packet captures part of the application. It uses the services exported by Packet.dll, and provides the applications a higher level and a powerful capture interface. It is statically linked; it means it is part of the application that uses it. The user interface is the highest part of the capture application. It manages the interaction with the user and displays the result of a capture. 3.3 The working of a WinPCap The WinPCap action is based on packets capture at the network adapter level. Therefore, any application using WinPCap must follow the steps summarized below:  Specify the network adapter which will be used for capture  Initialize winpcap (mention the network adapter if the capture is on-line)  Offer a pattern for the captured data (a TCP/IP structure for example), so it can be done a cast at this pattern and obtain significant information (complex applications offer patterns for majority protocols) Analyze captured data according with the application type (captured data can be saved and processed off-line)  Close the capture session Figure:- 2 Flow Chart describing the working of Winpcap The second technique uses the function pcap_lookupdev() to extract the list of all the adapters presented on current machine: The main functions performed by winPcap are :- int main() The first step in using the WinPCap Library is to select a network { adapter. This adapter can be specified in two ways. The first way is by char *dev, errbuf[PCAP_ERRBUF_SIZE]; adding its name as argument in the command line (this works with a dev = pcap_lookupdev(errbuf); trivial application). printf("Network Adapters:%sn", dev); int main(int argc, char *argv[]) return(0); { } char *dev = argv[1]; printf("Network Adapter: %sn", dev); pcap_open_live() this WinPCap function opens a capture session. It return(0); returns a handler to the current session and it is used for on-line capture. } A similar function is used to retrieve saved datapcap_ open_offline(). All Rights Reserved © 2012 IJARCSEE 21
  • 4. ISSN: 2277 – 9043 International Journal of Advanced Research in Computer Science and Electronics Engineering Volume 1, Issue 6, August 2012 The pcap_open_live() function specifies the network adapter(dev) and sets it to normal/ promiscuous mode . An important feature of WinPCap Library is that it can filter the traffic. To filter the traffic, WinPCap Library offers two functions: pcap_compile() and pcap_setfilter(). The WinPCap Library contains the function pcap_lookupnet() which retrieves IP address and mask of a specified network adapter. There are two techniques for capture data. The first technique uses the function pcap_next() to capture only one packet. The second technique uses a loop to capture all packets received this time. pcap_dispatch() or pcap_loop(). The call pcap_loop() is used in simple applications, while pcap_dispatch() is normally preferred in a more complex program. In the process_packet() function, we could get the size of TCP payload one of our sampled parameters. The working of WinPcap is shown in figure 2. 3.4 The Network traffic monitoring Application The network traffic monitoring application is an interactive tool which Figure:- 2 Snap Short Showing captured packets report uses the WinPCap architecture and C/C++ calls for packet captures. Although we used for its interface the MFC (Microsoft Foundation The following figure is the main application part of the interface. Which Class) functions, the network traffic monitoring has a certain degree of shows the captured packets in a network. The processes of packet independence from the OS, by using the ―compatible‖ calls of WinPCap. capturing discussed in previous section is implemented here and shows Use of threads reduces somehow the predictability of application the result of application. Which displays the port number , the type of a behaviour only to systems similar to Windows NT, 2000 or XP. packet to be captured and this field can be selected according to the use with the help of a filter provided by the interface. The use of this filter is to select the particular type of Packet type which we want to capture. The tool is just a preliminary step; it achieves the capture of all packets This interface shows the source MAC address , Destination MAC in the network and the specification of their type. For ―standard‖ packet address , source IP address and port and destination IP address and port types like TCP/IP and UDP the component fields of the headers are number. The snap short in figure 4 shows the spoofed packets specified, shaped as a tree structure. In the network A snapshot obtained during a capture session is shown in figure 3. 3.5 Report Generation 1) Traffic monitoring graphs. 2) Reports generating detection of spoofed packets Figure:- 3 Snap Short showing spoofed packets report All Rights Reserved © 2012 IJARCSEE 22
  • 5. ISSN: 2277 – 9043 International Journal of Advanced Research in Computer Science and Electronics Engineering Volume 1, Issue 6, August 2012 4 CONCLUSION ABOUT THE AUTHORS This application has been used to test the capturing capabilities of API Navneet Kaur Dhillon[1] and the result of the monitoring is up to mark as it captures all types of M.tech Scholar at RITEE packets demanded by the interface. The article presents a simple way of AFFILATED TO CSVTU capturing the network traffic using the functions supplied by the WinPCap Architecture. This application contains a lot of useful Mrs. Uzma Ansari[2] primitives and it also provide facilities to capture the spoofed packets ( Reader H.O.D CSE at RITEE) and analyze them and to protect our network from intrusions. This paper AFFILATED TO CSVTU focuses on the overall load in a particular node the traffic coming to the particular node is reported in figure 3 and also the capturing of spoofed packets that can cause harm to our enterprise is reported in figure 4. 5 Refrences:- [1]iac.dtic.mil/iatac/download/intrusion_detection.pdf [2] sectools.org/tag/sniffers/ [3] www.winpcap.org/ [4]www.carnal0wnage.com/papers/TCPdumpBasics.pdf [5]en.wikipedia.org/wiki/IEEE_802.3 [6] Rethinking Enterprise Network Control Mart´ın Casado, Member, IEEE, Michael J. Freedman, Member, IEEE, Justin Pettit, Member, IEEE, Jianying Luo, Member, IEEE, Natasha Gude, Member, IEEE, Nick McKeown, Fellow, IEEE, and Scott Shenker, Fellow, IEEE. [7]A SIMPLE WAY TO CAPTURE NETWORK TRAFFIC: THE WINDOWS PACKET CAPTURE (WINPCAP) ARCHITECTURE Mihai Dorobanţu, M.Sc., Mihai L. Mocanu, Ph.D. [8] An Architecture for High Performance Network Analysis Fulvio Risso and Loris Degioanni Dipartimento di Automatica e Informatica – Politecnico di Torino [9] Plab: a packet capture and analysis architecture Alberto Dainotti and Antonio Pescap. [10] NetCap: A Packet Sniffer in Java 1Rajan Parmar, 2Hetal Patel 1,2Nirma University, Ahmedabad, India. [11] Detecting Spoofed Packets Steven J. Templeton, Karl E. Levitt Department of Computer Science U.C. Davis [12]www.winpcap.org/docs/docs_41b5/html/group__packetapi.html [13]dll.paretologic.com/detail.php/wpcap [14]netresearch.ics.uci.edu/kfujii/Jpcap/doc/tutorial/index.html [15] IP Monitoring and Filtering By Gnanambal Chithambaram, Sandeep Dubey Smrithi Barrenkula , Subraja Krishnamurthy , Sucheta P Kodali All Rights Reserved © 2012 IJARCSEE 23