20-04-2011, 02:09 PM
chapter1.doc (Size: 352.5 KB / Downloads: 93)
1. INTRODUCTION
This section introduces the new system, “Automation of network protocol analysis”, which is being developed. It includes the introduction, literature survey, motivation for the project, problem statement, objective of the study, limitations of the study and organization of the document. This section gives an overall view of the system so that the basic idea behind it is understood.
1.1 OVERVIEW
When packets are transmitted out of a system in streams or frames, we generally use tools like Ethereal/Wireshark to sniff the packets and analyze their contents to check their correctness. These open source tools (i.e. Ethereal/Wireshark) are known as network protocol analyzers and they are very useful during the development of software projects in the networking domain.
Wireshark is a network packet analyzer. A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.
Wireshark is perhaps one of the best open source packet analyzers available today. It allows the user to see all traffic being passed over the network (usually an Ethernet network, but support is being added for others) by putting the network interface into promiscuous mode.
This project is mainly aimed at automating the entire process, from sniffing the network packets to validating them. Here the logging part has been automated through a C program. Whenever packets are transmitted from a system, Ethereal/Wireshark is invoked automatically and starts capturing the network packets, which are stored in .pcap format. To validate the contents, logic has been implemented to check for a particular pattern of packets or for any specific string. The .pcap file is converted into a text format so that validation can be accomplished by parsing the entire Ethereal/Wireshark log. Based on the parsing logic, a success or failure verdict is shown to the user. The logic can always be extended depending upon the project requirements.
1.2 MOTIVATION
Since Wireshark has to be invoked manually, and the network packet analysis itself is also manual, users find the analysis difficult. Our project therefore aims to eliminate the manual effort where developers or test engineers analyze network packets by hand. Here we automate the entire process, from capturing the network packets to analyzing them.
This project, as a module, can save project cost as well as duration to a major extent when integrated into the software development life cycle (SDLC). The logic can always be extended depending upon the project requirements. Along with analyzing the packets, we also analyze the performance of the network.
1.3 AIM OF THE PROJECT
The aim of the project is to eliminate the manual effort and provide the user with an efficient automated system for analyzing the network packets.
1.3.1 Problem Definition
The project is aimed at capturing the network packets that go out of the system and analyzing them. A pcap header is appended to the network packets so that Wireshark can recognize them. The pcap file is converted to a text file, which is then used for parsing. Based on the parsing logic, a pass/fail verdict is displayed to the user.
1.3.2 Problem Description
The proposed system consists of a client and a server module. The client interacts with the server by entering an option. Based upon the option, the server calls a corresponding function. The functions implemented are based on three logics: one each for UDP, SIP and QoS parameters. Another module converts raw data packets to .pcap format by appending the pcap header.
The UDP and SIP modules implement the parsing logic, the result (success/failure) of which is sent back to the client. The QoS module displays network performance parameters like delay and speed.
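The two pieces of the pipeline described in sections 1.1 and 1.3.2, wrapping a raw frame in pcap headers so Wireshark can open it and running a parsing logic that returns a pass/fail verdict, are shown together below in an added C example. This is not the project's own code: the frame is a constructed sample (Ethernet/IPv4/UDP to port 5060 carrying the text "INVITE"), the header layout is the standard libpcap file format, and the validation rules (IPv4, protocol 17, consistent length fields, expected destination port, expected payload string) are an assumed stand-in for whatever the project's UDP/SIP modules actually check.

```c
/* Added example, not code from the project: wrap a raw Ethernet frame in the
 * pcap headers the report's conversion module describes, then run a UDP
 * validation pass over it and return a pass/fail verdict. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* libpcap file layout: a 24-byte global header, then a 16-byte record header
 * per packet followed by the packet bytes. Neither struct has padding. */
struct pcap_global_hdr {
    uint32_t magic;      /* 0xa1b2c3d4: writer's byte order, microsecond timestamps */
    uint16_t ver_major;  /* 2 */
    uint16_t ver_minor;  /* 4 */
    int32_t  thiszone;   /* GMT offset of timestamps; 0 */
    uint32_t sigfigs;    /* timestamp accuracy; 0 */
    uint32_t snaplen;    /* maximum bytes stored per packet */
    uint32_t linktype;   /* 1 = LINKTYPE_ETHERNET */
};
struct pcap_rec_hdr {
    uint32_t ts_sec, ts_usec;
    uint32_t incl_len;   /* bytes saved in the file */
    uint32_t orig_len;   /* bytes on the wire */
};

/* Constructed sample frame (48 bytes): Ethernet + IPv4 + UDP 5060 -> 5060 with
 * payload "INVITE". IP and UDP checksums are left zero; the UDP checksum is
 * optional over IPv4 and the IP checksum is not validated by this example. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet, IPv4 */
    0x45,0x00,0x00,0x22, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,          /* IPv4, total len 34, proto 17 */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,                                /* 192.168.1.10 -> 192.168.1.20 */
    0x13,0xc4, 0x13,0xc4, 0x00,0x0e, 0x00,0x00,                              /* UDP 5060 -> 5060, len 14 */
    'I','N','V','I','T','E'
};

/* Write global header + one record header + the frame into out.
 * Returns the number of bytes written, or 0 if out is too small. */
size_t pcap_wrap(const uint8_t *frame, size_t len, uint32_t ts_sec, uint32_t ts_usec,
                 uint8_t *out, size_t outcap)
{
    struct pcap_global_hdr g = { 0xa1b2c3d4u, 2, 4, 0, 0, 65535, 1 };
    struct pcap_rec_hdr r = { ts_sec, ts_usec, (uint32_t)len, (uint32_t)len };
    size_t need = sizeof g + sizeof r + len;
    if (outcap < need) return 0;
    memcpy(out, &g, sizeof g);
    memcpy(out + sizeof g, &r, sizeof r);
    memcpy(out + sizeof g + sizeof r, frame, len);
    return need;
}

/* Wrap the sample frame into a static buffer; returns the pcap file size. */
size_t sample_pcap_size(void)
{
    static uint8_t buf[128];
    return pcap_wrap(sample_frame, sizeof sample_frame, 0, 0, buf, sizeof buf);
}

/* Bounded search for a pattern inside a payload that may contain NUL bytes. */
static int payload_contains(const uint8_t *p, size_t plen, const char *pat)
{
    size_t n = strlen(pat);
    for (size_t i = 0; n > 0 && i + n <= plen; i++)
        if (memcmp(p + i, pat, n) == 0) return 1;
    return 0;
}

/* Assumed validation logic: 1 = PASS, 0 = FAIL. The frame must be IPv4/UDP,
 * its length fields must agree with each other and with the captured size,
 * it must be addressed to want_port, and the payload must contain pat. */
int validate_udp(const uint8_t *f, size_t len, uint16_t want_port, const char *pat)
{
    if (len < 14 + 20 + 8) return 0;
    if (f[12] != 0x08 || f[13] != 0x00) return 0;           /* EtherType must be IPv4 */
    size_t ihl = (size_t)(f[14] & 0x0f) * 4u;
    if ((f[14] >> 4) != 4 || ihl < 20) return 0;
    size_t ip_total = ((size_t)f[16] << 8) | f[17];
    if (f[23] != 17) return 0;                               /* IP protocol must be UDP */
    if (14 + ip_total > len || ip_total < ihl + 8) return 0; /* truncated or bogus IP length */
    const uint8_t *udp = f + 14 + ihl;
    uint16_t dport = (uint16_t)((udp[2] << 8) | udp[3]);
    size_t udp_len = ((size_t)udp[4] << 8) | udp[5];
    if (udp_len < 8 || udp_len != ip_total - ihl) return 0;  /* UDP length must match IP payload */
    if (dport != want_port) return 0;
    return payload_contains(udp + 8, udp_len - 8, pat);
}

int main(void)
{
    uint8_t buf[256];
    size_t n = pcap_wrap(sample_frame, sizeof sample_frame, 1303286400u, 0, buf, sizeof buf);
    FILE *fp = fopen("capture.pcap", "wb");   /* openable in Wireshark as a one-packet capture */
    if (fp) { fwrite(buf, 1, n, fp); fclose(fp); }
    printf("pcap bytes: %zu, verdict: %s\n", n,
           validate_udp(sample_frame, sizeof sample_frame, 5060, "INVITE") ? "PASS" : "FAIL");
    return 0;
}
```

The length checks are the part worth copying: a parser that trusts the IP or UDP length fields without comparing them to the captured size reads past the end of the buffer on a truncated or malformed packet, which is exactly the kind of input a validation tool sees first.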
1.4 OBJECTIVE OF THE STUDY
Using this project, the following goals can be met:
a. Capture live packet data from a network interface.
b. Display packets with very detailed protocol information.
c. Open and save captured packet data.
d. Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.
e. Filter packets on many criteria.
f. Search for packets on many criteria.
g. Dissect hundreds of protocols.
1.5 LITERATURE SURVEY
This project can be better understood by knowing a few of the concepts and tools used. They are described below.
1.5.1 Network Protocol Analysis
Network protocol analysis is the process by which a program or a device decodes network protocol headers and trailers to understand the data and information inside the packet encapsulated by the protocol. To conduct protocol analysis, packets must be captured in real time, either for line-speed analysis or for later analysis. Such a program or device is called a protocol analyzer. The basic concept of packet analysis is approached by first understanding the actual meaning of packet capturing and its types.
Packet capture is the act of capturing data packets crossing a network. Deep packet capture (DPC) is the act of capturing complete network packets (header and payload) crossing a network. Once captured and stored, either in short-term memory or long-term storage, software tools can perform deep packet inspection (DPI) to review network packet data, perform forensic analysis to uncover the root cause of network problems, identify security threats, and ensure that data communications and network usage comply with the outlined policy. Some DPCs can be coupled with DPI and can as a result manage, inspect, and analyze all network traffic in real time at wire speed while keeping a historical archive of all network traffic for further analysis.
The packet analyzer (also known as a network analyzer, protocol analyzer or sniffer, or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications. A few notable packet analyzers are: Carnivore, dSniff, Ettercap, Fluke Lanmeter, Microsoft Network Monitor, OPNET Technologies ACE Analyst, Network Instruments Observer, PacketTrap pt360 Tool Suite, snoop (part of Solaris), tcpdump, WildPackets OmniPeek (old names AiroPeek, EtherPeek), Wireshark (formerly known as Ethereal), NetworkActiv PIAFCTM, Capsa, Cain and Abel.
1.5.2 Wireshark
Wireshark is a network packet analyzer. A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course). In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, all that has changed.
1.5.2.1 History
Wireshark is a free packet analyzer computer application. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues. Wireshark is very similar to tcpdump, but it has a graphical front-end and many more information sorting and filtering options. It allows the user to see all traffic being passed over the network by putting the network interface into promiscuous mode (in computing, promiscuous mode is a configuration of a network card or NIC that makes the card pass all traffic it receives to the central processing unit rather than just the packets addressed to it — a feature normally used for packet sniffing).
Out of necessity, Gerald Combs (a computer science graduate of the University of Missouri-Kansas City) started writing a program called Ethereal so that he could have a tool to capture and analyze packets; he released the first version around 1998. As of now there are over 500 contributing authors while Gerald continues to maintain the overall code and issues releases of new versions; the entire list of authors is available from Wireshark's web-site.
The name was changed to Wireshark in May, 2006, because creator and lead developer Gerald Combs could not keep using the Ethereal trademark (which was then owned by his old employer, Network Integration Services) when he changed jobs. He still held copyright on most of the source code (and the rest was redistributable under the GNU GPL), so he took the Subversion repository for Ethereal and used it as the basis for the Subversion repository of Wireshark.
e-WEEK Labs named Wireshark one of "The Most Important Open-Source Apps of All Time" as of May 2, 2007.
1.5.2.2 Comparison of Wireshark and Other Network Analyzers
The first and best-known advantage of the Wireshark tool to the user is that it can be operated using either a GUI or the console. No other network analyzer provides both options to the user; they usually support only one of the two, GUI or console.