Packet Sniffer Project Document

February 8, 2017 | Author: Ashish Katlam | Category: N/A
Share Embed Donate

Short Description

Download Packet Sniffer Project Document...


1. INTRODUCTION 1.1 ABSTRACT This project is intended to develop a tool called Packet Sniffer. The Packet Sniffer allows the computer to examine and analyze all the traffic passing by its network connection. It decodes the network traffic and makes sense of it. When it is set up on a computer, the network interface of the computer is set to promiscuous mode, listening to all the traffic on the network rather than just those packets destined for it. Packet Sniffer is a tool that sniffs without modifying the network’s packet in anyway. It merely makes a copy of each packet flowing through the network interface and finds the source and destination Ethernet addresses of the packets. It decodes the protocols in the packets given below: IP (Internet Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol). The output is appended into normal text file, so that the network administrator can understand the network traffic and later analyze it.


1.2 ORGANIZATION PROFILE Vijay technologies established in 2009. It has registered office at Dwaraka Nagar, Visakhapatnam-16. It has three strategic service groups specifically Software Development, Web Hosting and Training. Vijay technologies development division has attained reputation for providing customized business applications for RDBMS applications offering a full range of IT solutions on various platforms. It is specialized in providing Business solutions for industries of varied sizes, simple solutions that is the result of combining technology with the best personnel. Our technology expertise is in the design and development of applications software in Client Server and ERP-computing environment under various RDBMS platforms such as Oracle, Oracle DBA and Sql Server, using GUI Tools like Developer 2000, Visual Basic, VB.Net, ASP.Net, C#.Net, Java, Reusable Active A component and Web applications. We also participate in a number of Vendors – testing Programs allowing us to evaluate emerging technologies and their application to our clients need for the entire project life cycle. Vijay Technologies has been designed by leading Academicians and software Professionals from the IT industries keeping in view the increasing demand for software professionals. Requirements of the IT industry the curriculum is built in away to bridge the gap between the technology and resources. As the industries are focusing on Vijay Technologies Resources planning, Vijay Technologies have started training its student in the Web Technologies and internet concepts giving orientation towards e-commerce. Vijay Technologies offers training programs in products of Microsoft, Oracle, Borland and Sun. On average, 100-150 students graduate from our institute every month. 2

2. SYSTEM STUDY 2.1 Introduction to Packet Sniffers: A Packet Sniffer is a program that can see all of the information passing over the network it is connected to. A Packet Sniffer is a Wire-tapping device that plugs into computer Networks and eavesdrop on the network traffic. A packet sniffer (also known as a network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content. Most Ethernet networks use to be of a common bus topology, using either coax cable or twisted pair wire and a hub. All of the nodes (computers and other devices) on the network could communicate over the same wires and take turns sending data using a scheme known as carrier sense multiple access with collision detection (CSMA/CD). Think of CSMA/CD as being like a conversation at a loud party, you may have to wait for quite a spell for your chance to get your words in during a lull in everybody else’s conversation. All of the nodes on the network have their own unique MAC (media access control) address that they use to send packets of information to each other. Normally a node would only look at the packets that are destined for its MAC address. However, if the network card is put into what is known as “promiscuous mode” it will look at all of the packets on the wires it is hooked to.

2.2 TCP/IP Protocols: Background: The Internet protocols are the world's most popular open-system (nonproprietary) protocol suite because they can be used to communicate across any set of interconnected networks and are equally well suited for LAN and WAN communications. The Internet protocols consist of a suite of communication protocols, of which the two best known are the Transmission Control Protocol (TCP) and the Internet Protocol (IP). The Internet protocol suite not only includes lower3

layer protocols (such as TCP and IP), but it also specifies common applications such as electronic mail, terminal emulation, and file transfer. This document provides a broad introduction to specifications that comprise the Internet protocols. Internet protocols were first developed in the mid-1970s, when the Defense Advanced Research Projects Agency (DARPA) became interested in establishing a packet-switched network that would facilitate communication between dissimilar computer systems at research institutions. With the goal of heterogeneous connectivity in mind, DARPA funded research by Stanford University and Bolt, Beranek, and Newman (BBN). The result of this development effort was the Internet protocol suite, completed in the late 1970s. Documentation of the Internet protocols (including new or revised protocols) and policies are specified in technical reports called Request for Comments (RFCs), which are published and then reviewed and analyzed by the Internet community. Protocol refinements are published in the new RFCs. To illustrate the scope of the Internet protocols, Figure 1. Maps many of the protocols of the Internet protocol suite and their corresponding OSI layers.


OSI model

Internet protocol suite


Application FTP, Presentation Session Transport Network Data Link Physical


Telnet, XDR






Not Specified

Fig 1: Internet protocols span the complete range of OSI model layers. The Internet Protocol (IP) is a network-layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is the primary network-layer protocol in the Internet protocol suite. Along with the Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of data grams through an inter-network; and providing fragmentation and reassembly of data grams to support data links with different maximum-transmission unit (MTU) sizes.

IP Packet Format: An IP packet contains several types of information, as illustrated in 5



Time to live

Type of Service Protocol


Total length

Header checksum Flags Fragment Offset

Source Address Destination Address Options (+padding) Data (variable)

Fig 2: Fourteen fields comprise an IP packet. The following discussion describes the IP packet fields illustrated in Figure.2 

Version— Indicates the version of IP currently used.

IP Header Length (IHL) — Indicates the datagram header length in 32-bit words.

Type-of-Service— Specifies how an upper-layer protocol would like a current datagram to be handled, and assigns data grams various levels of importance.

Total Length — Specifies the length, in bytes, of the entire IP packet, including the data and header.

Identification — Contains an integer that identifies the current datagram. This field is used to help piece together datagram fragments.

Flags — Consists of a 3-bit field of which the two low-order (leastsignificant) bits control fragmentation. The low-order bit specifies whether the packet can be fragmented. The middle bit specifies whether the packet is the last fragment in a series of fragmented packets. The third or high-order bit is not used.


Fragment Offset — Indicates the position of the fragment's data relative to the beginning of the data in the original datagram, which allows the destination IP process to properly reconstruct the original datagram.

Time-to-Live — Maintains a counter that gradually decrements down to zero, at which point the datagram is discarded. This keeps packets from looping endlessly.

Protocol — Indicates which upper-layer protocol receives incoming packets after IP processing is complete.

Header Checksum— Helps ensure IP header integrity.

Source Address — Specifies the sending node.

Destination Address — Specifies the receiving node.

Options — Allows IP to support various options, such as security.

Data — Contains upper-layer information.

IP Addressing: As with any other network-layer protocol, the IP addressing scheme is integral to the process of routing IP datagram through an inter-network. Each IP address has specific components and follows a basic format. These IP addresses can be subdivided and used to create addresses for sub-networks. Each host on a TCP/IP network is assigned a unique 32-bit logical address that is divided into two main parts: the network number and the host number. The network number identifies a network and must be assigned by the Internet Network Information Center (InterNIC) if the network is to be part of the Internet. An Internet Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and can itself assign address space as necessary. The host number identifies a host on a network and is assigned by the local network administrator.


IP Address Format: The 32-bit IP address is grouped eight bits at a time, separated by dots, and represented in decimal format (known as dotted decimal notation). Each bit in the octet has a binary weight (128, 64, 32, 16, 8, 4, 2, 1). The minimum value for an octet is 0, and the maximum value for an octet is 255. Figure.3 illustrates the basic format of an IP address. Fig 3: An IP address consists of 32 bits, grouped into four octets. 32Bits Network






IP Address Classes: IP addressing supports five different address classes: A, B, C, D, and E. only classes A, B, and C are available for commercial use. The left-most (high-order) bits indicate the network class. Fig 4: IP address formats A, B, and C are available for commercial use. No. of bits Class A Class B



0 Networks 1 0 Network







14 Class C

1 1 0 Network

16 Network





The class of address can be determined easily by examining the first octet of the address and mapping that value to a class range in the following table. In an IP address of, for example, the first octet is 172. Because 172 falls between 8

128 and 191, is a Class B address. Figure 5 summarizes the range of possible values for the first octet of each address class. Fig 5: A range of possible values exists for the first octet of each address class. Address Class

First Octet in

High-order Bits

Decimal Class A

1 D 126


Class B

128 D 191


Class C

192 D 223


Class D

224 D 239


Class E

240 D 254


IP Subnet Addressing: IP networks can be divided into smaller networks called sub-networks (or subnets). Sub-netting provides the network administrator with several benefits, including extra flexibility, more efficient use of network addresses, and the capability to contain broadcast traffic (a broadcast will not cross a router). Subnets are under local administration. As such, the outside world sees an organization as a single network and has no detailed knowledge of the organization's internal structure. A given network address can be broken up into many sub networks. For example,,,, and are all subnets within network (All 0s in the host portion of an address specifies the entire network.) Address Resolution Protocol (ARP) Overview: For two machines on a given network to communicate, they must know the other machine's physical (or MAC) addresses. By broadcasting Address Resolution


Protocols (ARPs), a host can dynamically discover the MAC-layer address corresponding to a particular IP network-layer address. After receiving a MAC-layer address, IP devices create an ARP cache to store the recently acquired IP-to-MAC address mapping, thus avoiding having to broadcast ARPS when they want to re-contact a device. If the device does not respond within a specified time frame, the cache entry is flushed. In addition to the Reverse Address Resolution Protocol (RARP) is used to map MAC-layer addresses to IP addresses. RARP, which is the logical inverse of ARP, might be used by diskless workstations that do not know their IP addresses when they boot. RARP relies on the presence of a RARP server with table entries of MAC-layerto-IP address mappings. Internet Routing: Internet routing devices traditionally have been called gateways. In today's terminology, however, the term gateway refers specifically to a device that performs application-layer protocol translation between devices. Interior gateways refer to devices that perform these protocol functions between machines or networks under the same administrative control or authority, such as a corporation's internal network. These are known as autonomous systems. Exterior gateways perform protocol functions between independent networks. Routers within the Internet are organized hierarchically. Routers used for information exchange within autonomous systems are called interior routers, which use a variety of Interior Gateway Protocols (IGPs) to accomplish this purpose. The Routing Information Protocol (RIP) is an example of an IGP.

Routers that move information between autonomous systems are called exterior routers. These routers use an exterior gateway protocol to exchange information between autonomous systems. The Border Gateway Protocol (BGP) is an example of an exterior gateway protocol.


IP Routing: IP routing protocols are dynamic. Dynamic routing calls for routes to be calculated automatically at regular intervals by software in routing devices. This contrasts with static routing, where routers are established by the network administrator and do not change until the network administrator changes them. An IP routing table, which consists of destination address/next hop pairs, is used to enable dynamic routing. An entry in this table, for example, would be interpreted as follows: to get to network, send the packet out Ethernet interface 0 (E0). IP routing specifies that IP datagrams travel through internetworks one hop at a time. The entire route is not known at the onset of the journey, however. Instead, at each stop, the next destination is calculated by matching the destination address within the datagram with an entry in the current node's routing table. Each node's involvement in the routing process is limited to forwarding packets based on internal information. The nodes do not monitor whether the packets get to their final destination, nor does IP provide for error reporting back to the source when routing anomalies occur. This task is left to another Internet protocol, the Internet Control-Message Protocol (ICMP), which is discussed in the following section. Internet Control Message Protocol (ICMP): The Internet Control Message Protocol (ICMP) is a network-layer Internet protocol that provides message packets to report errors and other information regarding IP packet processing back to the source. ICMP is documented in RFC 792. ICMP Messages: ICMPs generate several kinds of useful messages, including Destination Unreachable, Echo Request and Reply, Redirect, Time Exceeded, and Router Advertisement and Router Solicitation. If an ICMP message cannot be delivered, no second one is generated. This is to avoid an endless flood of ICMP messages. 11

When an ICMP destination-unreachable message is sent by a router, it means that the router is unable to send the package to its final destination. The router then discards the original packet. Two reasons exist for why a destination might be unreachable. Most commonly, the source host has specified a nonexistent address. Less frequently, the router does not have a route to the destination. Destination-unreachable messages include four basic types: network unreachable, host unreachable, protocol unreachable and port unreachable. Networkunreachable messages usually mean that a failure has occurred in the routing or addressing of a packet. Host-unreachable messages usually indicate delivery failure, such as a wrong subnet mask. Protocol-unreachable messages generally mean that the destination does not support the upper-layer protocol specified in the packet. Portunreachable messages imply that the TCP socket or port is not available. An ICMP echo-request message, which is generated by the ping command, is sent by any host to test node reachability across an inter network. The ICMP echoreply message indicates that the node can be successfully reached. An ICMP Redirect message is sent by the router to the source host to stimulate more efficient routing. The router still forwards the original packet to the destination. ICMP redirects allow host routing tables to remain small because it is necessary to know the address of only one router, even if that router does not provide the best path. Even after receiving an ICMP Redirect message, some devices might continue using the less-efficient route. The router sends an ICMP Time-exceeded message if an IP packet's Time-toLive field (expressed in hops or seconds) reaches zero. The Time-to-Live field prevents packets from continuously circulating the internetwork if the internetwork contains a routing loop. The router then discards the original packet. Transmission Control Protocol (TCP): The TCP provides reliable transmission of data in an IP environment. TCP corresponds to the transport layer (Layer 4) of the OSI reference model. Among the services TCP provides are stream data transfer, reliability, efficient flow control, fullduplex operation, and multiplexing. 12

With stream data transfer, TCP delivers an unstructured stream of bytes identified by sequence numbers. This service benefits applications because they do not have to chop data into blocks before handing it off to TCP. Instead, TCP groups bytes into segments and passes them to IP for delivery. TCP offers reliability by providing connection-oriented, end-to-end reliable packet delivery through an internetwork. It does this by sequencing bytes with a forwarding acknowledgment number that indicates to the destination the next byte the source expects to receive. Bytes not acknowledged within a specified time period are retransmitted. The reliability mechanism of TCP allows devices to deal with lost, delayed, duplicate, or misread packets. A time-out mechanism allows devices to detect lost packets and request retransmission. TCP offers efficient flow control, which means that, when sending acknowledgments back to the source, the receiving TCP process indicates the highest sequence number it can receive without overflowing its internal buffers. Full-duplex operation means that TCP processes can both send and receive at the same time. Finally, TCP's multiplexing means that numerous simultaneous upper-layer conversations can be multiplexed over a single connection. TCP Connection Establishment: To use reliable transport services, TCP hosts must establish a connectionoriented session with one another. Connection establishment is performed by using a "three-way handshake" mechanism. A three-way handshake synchronizes both ends of a connection by allowing both sides to agree upon initial sequence numbers. This mechanism also guarantees that both sides are ready to transmit data and know that the other side is ready to transmit as well. This is necessary so that packets are not transmitted or retransmitted during session establishment or after session termination.


Each host randomly chooses a sequence number used to track bytes within the stream it is sending and receiving. Then, the three-way handshake proceeds in the following manner: The first host (Host A) initiates a connection by sending a packet with the initial sequence number (X) and SYN bit set to indicate a connection request. The second host (Host B) receives the SYN, records the sequence number X, and replies by acknowledging the SYN (with an ACK = X + 1). Host B includes its own initial sequence number (SEQ = Y). An ACK = 20 means the host has received bytes 0 through 19 and expects byte 20 next. This technique is called forward acknowledgment. Host A then acknowledges all bytes Host B sent with a forward acknowledgment indicating the next byte Host A expects to receive (ACK = Y + 1). Data transfer then can begin. Positive Acknowledgment and Retransmission (PAR): A simple transport protocol might implement a reliability-and-flow-control technique where the source sends one packet, starts a timer, and waits for an acknowledgment before sending a new packet. If the acknowledgment is not received before the timer expires, the source retransmits the packet. Such a technique is called positive acknowledgment and retransmission (PAR). By assigning each packet a sequence number, PAR enables hosts to track lost or duplicate packets caused by network delays that result in premature retransmission. The sequence numbers are sent back in the acknowledgments so that the acknowledgments can be tracked. PAR is an inefficient use of bandwidth, however, because a host must wait for an acknowledgment before sending a new packet, and only one packet can be sent at a time. TCP Sliding Window: A TCP sliding window provides more efficient use of network bandwidth than PAR because it enables hosts to send multiple bytes or packets before waiting for an acknowledgment. 14

In TCP, the receiver specifies the current window size in every packet. Because TCP provides a byte-stream connection, window sizes are expressed in bytes. This means that a window is the number of data bytes that the sender is allowed to send before waiting for an acknowledgment. Initial window sizes are indicated at connection setup, but might vary throughout the data transfer to provide flow control. A window size of zero, for instance, means "Send no data." In a TCP sliding-window operation, for example, the sender might have a sequence of bytes to send (numbered 1 to 10) to a receiver who has a window size of five. The sender then would place a window around the first five bytes and transmit them together. It would then wait for an acknowledgment. The receiver would respond with an ACK = 6, indicating that it has received bytes 1 to 5 and is expecting byte 6 next. In the same packet, the receiver would indicate that its window size is 5. The sender then would move the sliding window five bytes to the right and transmit bytes 6 to 10. The receiver would respond with an ACK = 11, indicating that it is expecting sequenced byte 11 next. In this packet, the receiver might indicate that its window size is 0 (because, for example, its internal buffers are full). At this point, the sender cannot send any more bytes until the receiver sends another packet with a window size greater than 0.

TCP Packet Format: Figure 6 illustrate the fields and overall format of a TCP packet. Twelve fields comprise a TCP packet.

Source port

Destination port

Sequence number Acknowledge number Data offset




Window Urgent pointer

Options (+padding) Data (variable)


TCP Packet Field Descriptions: The following descriptions summarize the TCP packet fields illustrated in Figure. 6 Source Port and Destination Port — Identifies points at which upper-layer source and destination processes receive TCP services. Sequence Number — Usually specifies the number assigned to the first byte of data in the current message. In the connection-establishment phase, this field also can be used to identify an initial sequence number to be used in an upcoming transmission. Acknowledgment Number — Contains the sequence number of the next byte of data the sender of the packet expects to receive. Data Offset — Indicates the number of 32-bit words in the TCP header. Reserved—Remains reserved for future use. Flags — Carries a variety of control information, including the SYN and ACK bits used for connection establishment, and the FIN bit used for connection termination. Window — Specifies the size of the sender's receive window (that is, the buffer space available for incoming data). Checksum — Indicates whether the header was damaged in transit. Urgent Pointer — Points to the first urgent data byte in the packet. Options — Specifies various TCP options. Data — Contains upper-layer information. 16

User Datagram Protocol (UDP): The User Datagram Protocol (UDP) is a connectionless transport-layer protocol (Layer 4) that belongs to the Internet protocol family. UDP is basically an interface between IP and upper-layer processes. UDP protocol ports distinguish multiple applications running on a single device from one another. Unlike the TCP, UDP adds no reliability, flow-control, or error-recovery functions to IP. Because of UDP's simplicity, UDP headers contain fewer bytes and consume less network overhead than TCP. UDP is useful in situations where the reliability mechanisms of TCP are not necessary, such as in cases where a higher-layer protocol might provide error and flow control. UDP is the transport protocol for several well-known application-layer protocols, including Network File System (NFS), Simple Network Management Protocol (SNMP), Domain Name System (DNS), and Trivial File Transfer Protocol (TFTP). The UDP packet format contains four fields, as shown in Figure 7. These include source and destination ports, length, and checksum fields.

A UDP packet consists of four fields. 32 bits Source Port

Destination Port



Source and destination ports contain the 16-bit UDP protocol port numbers Length Checksum used to de-multiplex datagrams for receiving application-layer processes. A length field specifies the length of the UDP header and data. Checksum provides an (optional) integrity check on the UDP header and data.


Internet Protocols: Application Layer Protocols The Internet protocol suite includes many application-layer protocols that represent a wide variety of applications, including the following: File Transfer Protocol (FTP)—Moves files between devices Simple Network-Management Protocol (SNMP)—Primarily reports anomalous network conditions and sets network threshold values Telnet—Serves as a terminal emulation protocol X Windows—Serves as a distributed windowing and graphics system used for communication between X terminals and UNIX workstations Network File System (NFS), External Data Representation (XDR), and Remote Procedure Call (RPC)—Work together to enable transparent access to remote network resources Simple Mail Transfer Protocol (SMTP)—Provides electronic mail services Domain Name System (DNS)—Translates the names of network nodes into network addresses. The list of the higher-layer protocols and the applications that they support is as follows: Application


File transfer


Terminal emulation


Electronic mail


Network management


Distributed file services

NFS, XDR, RPC, X Windows

2.3 Importance of Packet Sniffers: 18

Computer administrators need Packet Sniffer to monitor their networks and perform diagnostic tests or trouble shoot problems. It can be used to analyze the load on the network and according to that administrator can redirect the traffic so that packets flow across networks without leading to congestion. It is also used for debugging by Programmers developing network related software. Anyone interested in having a full picture of the traffic going through one’s LAN segment can use the Packet Sniffer. Packet Sniffer converts the data flowing in the network into human readable format, so that people can read the traffic and understand it. On wired broadcast LANs, depending on the network structure (hub or switch), one can capture traffic on all or just parts of the traffic from a single machine within the network; however, there are some methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g. ARP spoofing). For network monitoring purposes it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing through all ports of the switch. When systems (computers) are connected to a switch port rather than a hub the analyzer will be unable to read the data due to the intrinsic nature of switched networks. In this case a shadow port must be created in order for the sniffer to capture the data. On wireless LANs, one can capture traffic on a particular channel. On wired broadcast and wireless LANs, in order to capture traffic other than unicast traffic sent to the machine running the sniffer software, multicast traffic sent to a multicast group to which that machine is listening, and broadcast traffic, the network adapter being used to capture the traffic must be put into promiscuous mode; some sniffers support this, others don't. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set for which the adapter is configured will usually be ignored; in order to see those packets, the adapter must be put into monitor mode. Uses of Sniffers: Sniffing programs have been around for a long time in two forms. Commercial packet sniffers are used to help maintain networks. 19

Typical uses of such programs include: 

Automatic sniffing of clear-text passwords and usernames from the network.

Conversion of data to human readable formats so that people can read the traffic.

Fault analysis to discover problems in the network, such as why computer A can’t talk to computer B.

Performance analysis to discover network bottlenecks.

Network intrusion detection in order to discover hackers/crackers.

Network traffic logging, to create logs that hacker's can't break into and erase.

Monitor network usage.

Debug client/server communications.

Debug network protocol implementations.

Example Uses: 

A packet sniffer for a token ring network could detect that the token has been lost or the presence of too many tokens (verifying the protocol).

A packet sniffer could detect that messages are being sent to a network adapter; if the network adapter did not report receiving the messages then this would localize the failure to the adapter.

A packet sniffer could detect excessive messages being sent by a port, detecting an error in the implementation.

A packet sniffer could collect statistics on the amount of traffic (number of messages) from a process detecting the need for more bandwidth or a better method.

A packet sniffer could be used to extract messages and reassemble into a complete form the traffic from a process, allowing it to be reverse engineered. 20

A packet sniffer could be used to diagnose operating system connectivity issues like web, ftp, sql, active directory, etc.

A packet sniffer could be used to analyze data sent to and from secure systems in order to understand and circumvent security measures, for the purposes of penetration testing or illegal activities.

A packet sniffer can passively capture data going between a web visitor and the web servers decode it at the HTTP and HTML level and create web log files as a substitute for server logs and page tagging for web analytics.

2.4 Existing System: In present as there are many sniffers are available in the market. They can be freely downloaded from the internet. Some sniffers uses winpcap, others use libpcap according to the platform on which they are working. If the platform is windows then they are using winpcap, and if the platform is UNIX then they are using libpcap.

2.5 Proposed System: Proposed system uses jpcap API in order to capture packets from the network. Jpcap is a java library for capturing and sending network packets. Using Jpcap, you can develop applications to capture packets from a network interface and visualize/analyze them. Jpcap can capture Ethernet, IPv4, IPv6, ARP/RARP, TCP, UDP, and ICMPv4 packets. Jpcap has been tested on Microsoft Windows (98/2000/XP/Vista), Linux (Fedora, Mandriva, Ubuntu), Mac OS X (Darwin), FreeBSD, and Solaris. We can observe the old packets those were passed through the network in the past. We can observe the DOS attacks.


3. SYSTEM ANALYSIS 3.1 Project Description: This Project deals with a packet capture utility and Network monitoring. This Project is useful to the Network Administrators to observe each and every incoming packet for security enhancements. Irrespective of the Destination IP of incoming packet the machine on which this project is running captures all packets .This Project Keeps on differentiating the type of the entities which are there in Ethernet header. The main program will have an infinite loop which keeps an eye on each and every incoming packet. The moment it collects that packet it starts invoking respective modules and those modules will internally redirects that information to respective text files. The utilities used in this project are WinPcap and PacketX. WinPcap:


In the field of computer network administration, pcap consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap. Monitoring software may use libpcap and/or WinPcap to capture packets traveling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap. Libpcap and WinPcap also support saving captured packets to a file, and reading files containing saved packets; applications can be written, using libpcap or WinPcap, to be able to capture network traffic and analyze it, or to read a saved capture and analyze it, using the same analysis code. A capture file saved in the format that libpcap and WinPcap use can be read by applications that understand that format. Libpcap and WinPcap provide the packet-capture and filtering engines of many open-source and commercial network tools, including protocol analyzers (packet sniffers), network monitors, network intrusion detection systems, trafficgenerators and network-testers. WinPcap consists of:  drivers for Windows 95/98/Me, and for the Windows NT family (Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, etc.), which use NDIS to read packets directly from a network adapter;  Implementations of a lower-level library for the listed operating systems, to communicate with those drivers;  A port of libpcap that uses the API offered by the low-level library implementations. Programmers at the Politecnico di Torino wrote the original code; as of 2008 CACE Technologies, a company set up by some of the WinPcap developers, develops and maintains the product. 23

PacketX: PacketX class library integrates WinPcap packet capture functionality with ActiveX programming and scripting languages. PacketX hides the low level programming details by implementing simple class framework that can be used to build networking applications with minimum effort and time. In brief, PacketX uses WinPcap libraries to capture (and optionally filter) network packets. In addition to standard capture mode you can collect network statistics and send raw packets. All captured packets or statistics are encapsulated inside wrapper class and returned to client as events. PacketX uses WinPcap Packet Driver API implemented by packet.dll and BPF filtering support from pcap.dll. This means that you can use PacketX to capture, send (and optionally filter) packets and collect network statistics. PacketX cannot be used to block network traffic to build a firewall. The library contains an ActiveX control that can be used from RAD development tools like Microsoft Visual Basic or Borland Delphi. For scripting languages there are corresponding lightweight COM classes. Some of the classes are PacketXClass AdapterCollection Adapter Packet _IPktXPacketXEvents_OnPacketEventHandler

3.2 Modules: 3.2.1

Login/logout for Admin: Required to login and logout before and after access the Application for

Admin. Required username and password for security purpose just to identify them selves. 3.2.2

Connecting with Different Server:


This is for the Admin, member of the Application have access to the management administration Form. Management Admin can provide the IP Addresses or Domain Name (Example to connect Network news transfer Protocol server, 3.2.3

Ping Information: The ping utility is essentially a system administrator's tool that is used to see if

a computer is operating and if network connections are intact. Ping uses the Internet Control Message Protocol (ICMP) Echo function which The ping utility verifies connections to a remote computer or computers. You can use ping to test both the computer name and the IP address. If the IP address is verified, but the computer name is not, you may have a name resolution problem. In this case, make sure the computer name you are querying is in either the local host file or in the DNS database.


Hop Information: Definition: In computer networking, a hop represents one portion of the path

between source and destination. When communicating over the Internet, for example, data passes through a number of intermediate devices (like routers) rather than flowing directly over a single wire. Each such device causes data to "hop" between one point-to-point network connection and another. 3.2.5

Packet Information: A packet is the unit of data that is routed between an origin and a destination on

the Internet or any other packet-switched network. When any file (e-mail message, HTML file, Graphics Interchange Format file, Uniform Resource Locator request, and so forth) is sent from one place to another on the Internet, the Transmission Control Protocol (TCP) layer of TCP/IP divides the file into "chunks" of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different


routes through the Internet. When they have all arrived, they are reassembled into the original file (by the TCP layer at the receiving end). 3.2.6

NetStat Information: The netstat command displays the protocol statistics and current TCP/IP

connections on the local system. Used without any switches, the netstat command shows the active connections for all outbound TCP/IP connections. In addition, several switches are available that change the type of information netstat displays. Table 5 shows the various switches available for the netstat utility. 3.2.7 Trace Route Information: The traceroute application will print the route that packets take in order to arrive at a network host. It works by trying to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to a particular host. For this reason, the times, which are actually returned

in the traceroute readout, are not actually reflective of the times that it requires packets from another protocol such as telnet, SMTP, or FTP to arrive at the destination and gateways along the route. Usage: This application is useful for determining whether a host is up and running on the network and/or whether there is a host or gateway along the path that is not passing along packets properly.

3.3 Software Requirements Specification: This is the requirements document for the project. The system to be developed is for capturing the packets flowing in the network and analyzes them. The information in the various headers of the packets is to be extracted and saved into the output file.


Introduction: Purpose: To develop a tool that easily analyzes the network traffic flow on that particular system and to show the information for the administrator in human readable format. Scope: This can be used by network administrators, organizations and by common man who want to know the network flow, in and out, of the system and also save the file for later analysis such as load on the system, network intrusion detection etc. Developer’s Responsibilities Overview: The developer is responsible for: 

Developing the system.

Installing the software on the client’s hardware.

General Description: Product Functions Overview: In a computer network every system can see all the packets flowing in the network, but can capture the packets that are addressed to that particular system only. But the product must be able to make a copy of all the packets flowing in the network, which are address to it and also not address to it. The packet copied must be stored in a buffer. Each packet has headers in which information about the packet will be stored in a specified format. This information must be extracted and if necessary covert into human readable form and store it in the output files. User Characteristics: The user of the system will be the systems administrator who controls and configures the network traffic through the server. 27

General Constraints: The system should have winpcap & packetx installed. General assumptions and dependencies: The assumption is that the packets moving in the networking are coming from only Ethernet and not from any other like FDDI, etc. 3.3.1 Specific Requirements: Inputs and Outputs: Inputs: Raw packets flowing in the network of the system on which the Packet Sniffer is installed. Outputs: The output is stored in a file. Functional Requirements: Capture the packets in the network at the data link layer before they are passed to the protocols implemented in the kernel. Strip off the various headers in each packet and analyze the information in it. Append the information in the headers of the packet into output file in a specified format. Performance Constraints: The maximum size of the buffer to hold the packet is 2000 bytes. The speed of the networks should not exceed 100Mbps if it exceeds this speed all the packets may not be analyzed.

3.4 Feasibility Study: It is necessary and prudent to evaluate the feasibility of a project at the earliest possible time. There may be different ways of checking whether a system is feasible or not. Feasibility study can be divided into three basic forms as follows. 28

Operational feasibility: In this test, the operational scope of the system is checked. The system under consideration should have enough operational research. It is observed that proposed system is very user friendly and since the system is built with enough help, even persons with little knowledge of windows can find the system very easy. Technical feasibility: This test includes a study of function, performance and constraints that may affect the ability to achieve an acceptable system. This test begins with an assessment of the technical viability of the proposed system. One of the main factors to be accessed is the need of various kinds of resources for the successful implementation of the proposed system. Economical feasibility: An evaluation of development cost weighed against the ultimate income of benefit from the development of the proposed system is made. Care must be taken regarding the costs that incur in the development process of the proposed system.

3.5 Requirements Specification: Software Environment: The system will run under .net Framework that is to be installed on the system. Operating Platform



Front End


Visual Studio .NET

Back End


SQL Server 2000






Pentium IV




Hardware Environment:




5 GB




Acceptance Criteria: Before accepting the system, the developer will have to demonstrate how the system works on the given data. The developer will have to show by suitable test cases that all conditions are satisfied.

4. SYSTEM DESIGN Software Engineering is the systematic approach to the development, operation, maintenance, and retirement of software. All Software products can be developed with the help of a Software Process i.e. Software Life Cycle. This Software Process is nothing but a series of identifiable stages that a software product undergoes during its lifetime. And this series basically starts with a Feasibility Study Stage, Requirement Analysis and Specification, Design, Coding, Testing and Maintenance. Each of these phases is called the Life Cycle Phase. And this Software process is achieved, with the help of software life cycle model (or process model). A Process Model is a descriptive and diagrammatical model of a software Process. A process model identity all the activities required to develop and maintain a software product, and establish a precedence ordering among the different activities.


A process model defines entry and exit criteria for every phase. e.g. the corresponding phase-entry criteria for the Software Requirement Specification phase can be that the software Requirement Specification document has been completed, internally reviewed, and approved by the customer. With such well-defined entry and exit criteria for various phases, it becomes easier to manage and monitor the progress of the project. Thus, we can say that life cycle models encourage development of software in a systematic and disciplined manner. Due to the above fact, the developer should adhere to well-defined life cycle model. Thus, a major advantage of adhering to a well-defined life cycle model is that it helps to control and organize systematically various activities of the product, which is taken to develop. When a life cycle model is adhered to, the developer can easily tell at which stage (e.g. design, code, testing) of development, the project currently is. If no life cycle model is adhered to, it becomes very difficulty to chart the progress of the project and the developer may face a problem known as the 99% complete syndrome. In this syndrome, which appears when there is no definite way to access the progress of the project, the optimistic developer feels that the project is 99% complete, even when the project is far from its completion. Success or completion of project is heavily dependent upon which type of life cycle model the developer is going to adhere. So a life cycle model plays an important role in the successful completion of a project. Basically five types of life cycle models are used, while developing a software product. 

Classical waterfall Model.

Iterative waterfall Model.

Evolutionary Model

Prototyping Model.

Spiral Model.

During the development of the project Packet Sniffer, I followed the Classical Waterfall Model. This model divides the life cycle of a software development process into the phases, shown below:


Development phase = Feasibility Study + Requirement Analysis and Specification + Design + Coding and Unit Testing + Integration and system testing.

4.1 Problem Specification: Network Administrators have to maintain the network to meet the needs of the users. For this they should have the information of the network traffic so that they can fine tune their systems according to the traffic on the network and enhance the performance of the servers to provide efficient and reliable facilities to the users. So they want a utility that can monitor the traffic on their network. The parties involved are: Client/End-users: Network administrator To transmit data from host A to host B, the data has to travel via x,y, hosts in the network. So every host will see all the packets, but in normal operation it will take only the packets, which are addressed to it, and the packets are passed to the kernel where further analysis of the packet takes place. So our problem now is to make a copy of all the packets flowing in the network even though they are not addressed to our host and pass them directly to our application program without passing them to the kernel. The proposed system should not disturb the network traffic or modify any of the packets. It should merely make a copy of the packets. Each packet must be analyzed in detail. This information must be stored in output file so that the administrator can later take printouts. Also time and date of arrival of the packet must be found and stored in the output files.

4.2 Data Flow Diagrams: Data flow diagrams are made up of a number of symbols, which represent system components. Most data flow modeling methods use four kinds of symbols. These symbols are used to represent four kinds of system components: processes, data stores, data flows and external entities. The data flow diagrams for the current project are show in the following figure. It is the data flow diagram for the entire process. It specifies the major transform centers in the approach to be followed for producing the software. This is 32

the first step in the structured design method. In the project, the inputs are the packets that are flowing in the network interface that is set to promiscuous mode. The output is the information contained in the packets in human readable form, which is stored in the output file. The context diagram and data flow diagram of the proposed system are given as follows:

Network interface card




Repor ts

Administrato r

Promiscuous mode

Fig: Context Diagram

Ip header

. packets

Separat e headers dtl header

dtl header analysi s

dtl header info

ip header analysi s

ip &dtl Headers Info

tl heade r analys is

Transport layer header

Fig: DFD for the Protocol Analyzer process



The data flow diagrams for the current project are show in the following figure. It is the data flow diagram for the entire process. It specifies the major transform centers in the approach to be followed for producing the software. This is the first step in the structured design method. In the project, the inputs are the packets that are flowing in the network interface that is set to promiscuous mode. The output is the information contained in the packets in human readable form, which is stored in the output file.


Get packet s

Buffer with packets

Separat e headers


Analyz e header s

Info in headers

Update output file

Fig: Data flow diagram for Packet Sniffer

Explanation: In the diagram the input is obtained as packets from the network interface by the ‘Get packets’ process. For that this process defines a packet socket and obtains the raw packets from the network interface and stores them into a buffer. The buffer containing the packets is passed to the ‘separate header’ process, which strips off various headers of the packet and passes them to ‘analyze headers’ process where they will be analyzed and the information is passed on to the ‘update output file’ process. Here the output file will be updated with the latest information obtained from the later processes. The most abstract inputs are the stripped off headers and the most abstract output is the information in the headers in human readable form.

4.3 Structure Charts: For a function-oriented design, structure charts can represent the design graphically. The structure of a program is made up of modules of the program 34

together with the interconnections between modules. The structure chart of a program is a graphic representation of its structure. In a structure chart, a box represents a module with the module name written in the box. The parameters returned as output by a module. MAIN


info info hdr’s

Get Input

Protocol Analysis


Fig: Structure Chart In the structure chart, there are three modules: - one for input, one for output and another is called the central transform module which performs the basic transformation for the system, taking the most abstract input and transforming it into the most abstract output. The main module’s job is to invoke the subordinates. Here, there is one input module, which returns the headers in the packet to the main module. The main module passes these headers to the protocol analysis module, which transforms them into human readable information. This information is passed to the main module. The main module passes this information to the output module, which updates the output files.

hdr ’s Get Input

hdr ’s

buf buf Adapter


Strip off


packetf d

packetf d

Fig. Input Module In the input module, the network interface is turned into promiscuous mode so that all the packets can be captured even though they are not intended to it. This is done by defining an adapter object and reading all the packets into a buffer. Then each packet is taken and the various headers are stripped off and sent to the main module.

hdr’ s


Protocol Analyzer

ip hdr arp or rarp hdr ARP &RARP









UDP 36

Fig: Protocol Analysis Module The central transform module is shown in figure. In the central transform module i.e. protocol analysis system, the process is split into three modules viz. ip, arp and rarp. Here the major decision is taken about which module to be invoked by the central module basing on the type of header sent by the main module. The ip module takes a further decision as which module to be invoked based on the type of header passed to it. IP module is further divided into icmp, igmp, tcp and udp modules. The modules are named after the type of headers they handle. Each module knows the specified format in which the information in that particular header is stored, so they convert it into required format by which we can easily understand and know about the packets in detail. This information is passed to the main module.





Append into file

Print reports

Fig: Output Module This module gets the information stored in the headers of the packets as input from the main module. The output module is split into two sub-modules. The first 37

module updates the output files with the input obtained by the main module and passes back the file pointers to the ’output’ module. These file streams are passed to the ‘print reports’ module where the reports are printed.

4.4 UML Diagrams: Unified Modeling Language This mapping permits forward engineering: The generation of code from a UML model into a programming language. The reverse is also possible: You can reconstruct a model from an implementation back into the UML. Reverse engineering is not magic. Unless you encode that information in the implementation, information is lost when moving forward from models to code. Reverse engineering thus requires tool support with human intervention. Combining these two paths of forward code generation and reverse engineering yields round-trip engineering, meaning the ability to work in either a graphical or a textual view, while tools keep the two views consistent. In addition to this direct mapping, the UML is sufficiently expressive and unambiguous to permit the direct execution of models, the simulation of systems, and the instrumentation of running systems. The UML is a Language for Documenting: A healthy software organization produces all sorts of artifacts in addition to raw executable code. These artifacts include (but are not limited to) 




Source code

Project plans



Releases 38

Depending on the development culture, some of these artifacts are treated more or less formally than others. Such artifacts are not only the deliverables of a project, they are also critical in controlling, measuring, and communicating about a system during its development and after its deployment. The UML addresses the documentation of a system's architecture and all of its details. The UML also provides a language for expressing requirements and for tests. Finally, the UML provides a language for modeling the activities of project planning and release management Applications The UML is intended primarily for software-intensive systems. It has been used effectively for such domains as 

Enterprise information systems

Banking and financial services





Medical electronics


Distributed Web-based services The UML is not limited to modeling software. In fact, it is expressive enough

to model non-software systems, such as workflow in the legal system, the structure and behavior of a patient healthcare system, and the design of hardware. A Conceptual Model of the UML: To understand the UML, you need to form a conceptual model of the language, and this requires learning three major elements: the UML's basic building blocks, the rules that dictate how those building blocks may be put together, and some common mechanisms that apply throughout the UML. Once you have grasped these ideas, you will be able to read UML models and create some basic ones. As you gain


more experience in applying the UML, you can build on this conceptual model, using more advanced features of the language. Building Blocks of the UML: The vocabulary of the UML encompasses three kinds of building blocks: 




Things are the abstractions that are first-class citizens in a model; relationships tie these things together; diagrams group interesting collections of things. Things in the UML: There are four kinds of things in the UML: 

Structural things

Behavioral things

Grouping things

Annotational things

These things are the basic object-oriented building blocks of the UML. You use them to write well-formed models. Structural Things: Structural things are the nouns of UML models. These are the mostly static parts of a model, representing elements that are either conceptual or physical. In all, there are seven kinds of structural things. First, a class is a description of a set of objects that share the same attributes, operations, relationships, and semantics. A class implements one or more interfaces. Graphically, a class is rendered as a rectangle, usually including its name, attributes, and operations. 40

CLASS: NewClass window origin size open() close() move()

Second, an interface is a collection of operations that specify a service of a class or component. An interface therefore describes the externally visible behavior of that element. An interface might represent the complete behavior of a class or component or only a part of that behavior. An interface defines a set of operation specifications (that is, their signatures) but never a set of operation implementations. Graphically, an interface is rendered as a circle together with its name. An interface rarely stands alone. Rather, it is typically attached to the class or component that realizes the interface. INTERFACE:

NewInterfac e

Third, a collaboration defines an interaction and is a society of roles and other elements that work together to provide some cooperative behavior that's bigger than the sum of all the elements. Therefore, collaborations have structural, as well as behavioral, dimensions. A given class might participate in several collaborations. These collaborations therefore represent the implementation of patterns that make up a system. Graphically, collaboration is rendered as an ellipse with dashed lines, usually including only its name. Fourth, a use case is a description of set of sequence of actions that a system performs that yields an observable result of value to a particular actor. A use case is 41

used to structure the behavioral things in a model. A use case is realized by collaboration. Graphically, a use case is rendered as an ellipse with solid lines, usually including only its name.


The remaining three things—active classes, components, and nodes—are all class-like, meaning they also describe a set of objects that share the same attributes, operations, relationships, and semantics. However, these three are different enough and are necessary for modeling certain aspects of an object-oriented system, and so they warrant special treatment. Fifth, an active class is a class whose objects own one or more processes or threads and therefore can initiate control activity. An active class is just like a class except that its objects represent elements whose behavior is concurrent with other elements. Graphically, an active class is rendered just like a class, but with heavy lines, usually including its name, attributes, and operations. The remaining two elements—component, and nodes—are also different. They represent physical things, whereas the previous five things represent conceptual or logical things. Sixth, a component is a physical and replaceable part of a system that conforms to and provides the realization of a set of interfaces. In a system, you'll encounter different kinds of deployment components, such as COM+ components or Java Beans, as well as components that are artifacts of the development process, such as source code files. A component typically represents the physical packaging of otherwise logical elements, such as classes, interfaces, and collaborations. Graphically, a component is rendered as a rectangle with tabs, usually including only its name. COMPONENT: 42


Seventh, a node is a physical element that exists at run time and represents a computational resource, generally having at least some memory and, often, processing capability. A set of components may reside on a node and may also migrate from node to node. Graphically, a node is rendered as a cube, usually including only its name.

Behavioral Things: Behavioral things are the dynamic parts of UML models. These are the verbs of a model, representing behavior over time and space. In all, there are two primary kinds of behavioral things. First, an interaction is a behavior that comprises a set of messages exchanged among a set of objects within a particular context to accomplish a specific purpose. The behavior of a society of objects or of an individual operation may be specified with an interaction. An interaction involves a number of other elements, including messages, action sequences (the behavior invoked by a message), and links (the connection between objects). Graphically, a message is rendered as a directed line, almost always including the name of its operation. Second, a state machine is a behavior that specifies the sequences of states an object or an interaction goes through during its lifetime in response to events, together with its responses to those events. The behavior of an individual class or a collaboration of classes may be specified with a state machine. A state machine involves a number of other elements, including states, transitions (the flow from state to state), events (things that trigger a transition), and 43

activities (the response to a transition). Graphically, a state is rendered as a rounded rectangle, usually including its name and its sub states, if any. STATE: NewState

These two elements—interactions and state machines—are the basic behavioral things that you may include in a UML model. Semantically, these elements are usually connected to various structural elements, primarily classes, collaborations, and objects.

Grouping Things: Grouping things are the organizational parts of UML models. These are the boxes into which a model can be decomposed. In all, there is one primary kind of grouping thing, namely, packages. A package is a general-purpose mechanism for organizing elements into groups. Structural things, behavioral things, and even other grouping things may be placed in a package. Unlike components (which exist at run time), a package is purely conceptual (meaning that it exists only at development time). Graphically, a package is rendered as a tabbed folder, usually including only its name and, sometimes, its contents. PACKAGE:

Packages are the basic grouping things with which you may organize a UML model. There are also variations, such as frameworks, models, and subsystems (kinds of packages). Annotational Things: 44

Annotational things are the explanatory parts of UML models. These are the comments you may apply to describe, illuminate, and remark about any element in a model. There is one primary kind of annotational thing, called a note. A note is simply a symbol for rendering constraints and comments attached to an element or a collection of elements. Graphically, a note is rendered as a rectangle with a dog-eared corner, together with a textual graphical comment.


This element is the one basic annotational thing you may include in a UML model. You'll typically use notes to adorn your diagrams with constraints or comments that are best expressed in informal or formal text. There are also variations on this element, such as requirements (which specify some desired behavior from the perspective of outside the model). Relationships in the UML : There are four kinds of relationships in the UML: 1. Dependency 2. Association 3. Generalization 4. Realization These relationships are the basic relational building blocks of the UML. You use them to write well-formed models. First, a dependency is a semantic relationship between two things in which a change to one thing (the independent thing) may affect the semantics of the other thing (the dependent thing). Graphically, a dependency is rendered as a dashed line, possibly directed, and occasionally including a label. 45





Second, an association is a structural relationship that describes a set of links, a link being a connection among objects. Aggregation is a special kind of association, representing a structural relationship between a whole and its parts. Graphically, an association is rendered as a solid line, possibly directed, occasionally including a label, and often containing other adornments, such as multiplicity and role names. Third, a generalization is a specialization/generalization relationship in which objects of the specialized element (the child) are substitutable for objects of the generalized element (the parent). In this way, the child shares the structure and the behavior of the parent. Graphically, a generalization relationship is rendered as a solid line with a hollow arrowhead pointing to the parent. GENERALIZATION: . Fourth, a realization is a semantic relationship between classifiers, wherein one classifier specifies a contract that another classifier guarantees to carry out. You'll encounter realization relationships in two places: between interfaces and the classes or components that realize them, and between use cases and the collaborations that realize them. Graphically, a realization relationship is rendered as a cross between a generalization and a dependency relationship. REALIZATION: These four elements are the basic relational things you may include in a UML model. There are also variations on these four, such as refinement, trace, include, and extend (for dependencies). 46

The five views of architecture are discussed in the following section. Rules of the UML: The UML's building blocks can't simply be thrown together in a random fashion. Like any language, the UML has a number of rules that specify what a wellformed model should look like. A well-formed model is one that is semantically selfconsistent and in harmony with all its related models. The UML has semantic rules for Table 2.1 Semantic rules

• Names

What you can call things, relationships, and diagrams

• Scope

The context that gives specific meaning to a name

• Visibility

How those names can be seen and used by others

• Integrity

How things properly and consistently relate to one another

• Execution

What it means to run or simulate a dynamic model

Models built during the development of a software-intensive system tend to evolve and may be viewed by many stakeholders in different ways and at different times. For this reason, it is common for the development team to not only build models that are well-formed, but also to build models that are Table 2.2 Models

• Elided

Certain elements are hidden to simplify the view

• Incomplete

Certain elements may be missing

• Inconsistent

The integrity of the model is not guaranteed 47

These less-than-well-formed models are unavoidable as the details of a system unfold and churn during the software development life cycle. The rules of the UML encourage you—but do not force you—to address the most important analysis, design, and implementation questions that push such models to become well-formed over time. Diagrams in the UML: A diagram is the graphical presentation of a set of elements, most often rendered as a connected graph of vertices (things) and arcs (relationships). You draw diagrams to visualize a system from different perspectives, so a diagram is a projection into a system. For all but the most trivial systems, a diagram represents an elided view of the elements that make up a system. The same element may appear in all diagrams, only a few diagrams (the most common case), or in no diagrams at all (a very rare case). In theory, a diagram may contain any combination of things and relationships. In practice, however, a small number of common combinations arise, which are consistent with the five most useful views that comprise the architecture of a software-intensive system. For this reason, the UML includes nine such diagrams: 

Use case diagram

Class diagram

Sequence diagram

Collaboration diagram

State chart diagram

Activity diagram

Component diagram

Deployment diagram

Object diagram

A class diagram shows a set of classes, interfaces, and collaborations and their relationships. These diagrams are the most common diagram found in modeling object-oriented systems. Class diagrams address the static design view of a system. Class diagrams that include active classes address the static process view of a system.


A use case diagram shows a set of use cases and actors (a special kind of class) and their relationships. Use case diagrams address the static use case view of a system. These diagrams are especially important in organizing and modeling the behaviors of a system. Both sequence diagrams and collaboration diagrams are kinds of interaction diagrams. Shows an interaction, consisting of a set of objects and their relationships, including the messages that may be dispatched among them. Interaction diagrams address the dynamic view of a system. A sequence diagram is an interaction diagram that emphasizes the timeordering of messages; a collaboration diagram is an interaction diagram that emphasizes the structural organization of the objects that send and receive messages. Sequence diagrams and collaboration diagrams are isomorphic, meaning that you can take one and transform it into the other. A state chart diagram shows a state machine, consisting of states, transitions, events, and activities. State chart diagrams address the dynamic view of a system. They are especially important in modeling the behavior of an interface, class, or collaboration and emphasize the event-ordered behavior of an object, which is especially useful in modeling reactive systems. An activity diagram is a special kind of a state chart diagram that shows the flow from activity to activity within a system. Activity diagrams address the dynamic view of a system. They are especially important in modeling the function of a system and emphasize the flow of control among objects. A component diagram shows the organizations and dependencies among a set of components. Component diagrams address the static implementation view of a system. They are related to class diagrams in that a component typically maps to one or more classes, interfaces, or collaborations. A deployment diagram shows the configuration of run-time processing nodes and the components that live on them. Deployment diagrams address the static deployment view of architecture. They are related to component diagrams in that a node typically encloses one or more components.


An object diagram shows a set of objects and their relationships. Object diagrams represent static snapshots of instances of the things found in class diagrams. These diagrams address the static design view or static process view of a system as do class diagrams, but from the perspective of real or prototypical cases. This is not a closed list of diagrams. Tools may use the UML to provide other kinds of diagrams, although these nine are by far the most common you will encounter in practice. USE CASE DIAGRAMS: A use case describes a sequence of actions that provide something measurable value to an actor and is drawn as a horizontal ellipse an actor is a person, organization or external system that plays a role in one or more interactions with your system.

Start Monitoring

Start Capture

Capture Packets


Get Packet Header System

Get Packet Data

Display Graph

Save/Open Packets

Stop Capturing



Administrator can add or remove ip addresses from the database to block or allow receiving packets from that particular system on the domain.

View report:

Administrator can view the information of the decoded packets in the user interface of the tool.

Save/print reports:

Administrator can save the information on to file system or can print the information through the printer if connected.

Use case scenario:

Use case name:

Admin functions




Flow of events:

1. System Starts Monitoring. 2. User presses the capture button. 3. System Captures the Packets. 4. System gets the Packet header and Packet Data. 5. System Saves and Opens the packets data. 6. User presses the Stop capturing button.

Class diagram: 51

A class diagram describes the static structure of the symbols in your new system. It is a graphical presentation of the static view that shows a collection of declarative (static) model elements, such as classes, types, and their contents and relationships.

PacketSniffer tcp header ip header ethernet header data

Dynamic graph surf surfing()

get() separate headers()

Surface ascent descent ptnum thread usedstr getminimumsize() getprefferedsize() getmaxsize() surface()

Sequence diagram: 52

UML sequence diagrams model the flow of logic within your system in a visual manner, enabling you both to document and validate your logic, and are commonly used for both analysis and design purposes. Sequence diagrams are the most popular UML artifacts for dynamic modeling, which focuses on identifying the behavior within your system. Sequence diagram for Administrator:

start capture button

packet capture control


IP Address

: administrator press invokes generates view save/print add/remove

Collaboration diagram for Administrator:


A collaboration diagram is an interaction diagram that emphasizes the structural organization of the objects that send and receive messages. Collaboration diagrams are isomorphic, meaning that you can take one and transform it into the other.

1: press start capture button : administrator 6: add/remove IP Address 2: invokes

4: view 5: save/print


packet capture control 3: generates


5.4.5 State chart Diagram:

open tool

open saved file do/ view do/ print

start new session entry/ press start capture button do/ view report do/ Block IP address do/ save/print report exit/ press end capture button


Front End Language: C Sharp Language: C# is a new programming language created by Microsoft and introduced with the release of Visual Studio .NET (also known as Visual Studio .NET 7.0). C# lets you write programs that enable you to manipulate the computer to perform certain tasks. The Birth of C#: As a recent birth in the programming language family, C# has two programming language parents: C++ and Java. C# contains many C++ features but also adds the object-oriented features from Java. C# contains many different components, including: •

Versioning support, so that your base and derived classes — templates that define how an object performs — remain compatible as you develop them.

Events, so that your program can notify clients of a class about something that has happened to an object.

Type safety and verification that increases reliability and ensures code security.

Garbage collection, so that your program can identify objects that your program can no longer reach.

Unsafe mode, where you can use pointers to manipulate memory outside the garbage collector’s control, including methods and properties.

Close Relations with C and C++: C# is built on the C++ language, so it behaves much like the language. Like C++, C# lets you write enterprise applications, and C# contains many C++ features, including statements and operators. C# also provides access to common Application Program Interface (API) styles including Component Object Model (COM) and Cstyle APIs. 56

C# Versus Visual Basic .NET: The premise of the .NET Framework is that all languages are created equal. To paraphrase George Orwell, however, some languages are more equal than others. C# is an excellent language for .NET development. You will find it is an extremely versatile, robust and well-designed language. It is also currently the language most often used in articles and tutorials about .NET programming. It is likely that many VB programmers will choose to learn C#, rather than upgrading their skills to VB .NET. This would not be surprising because the transition from VB6 to VB .NET is, arguably, nearly as difficult as from VB6 to C#—and, whether it's fair or not, historically, C-family programmers have had higher earning potential than VB programmers. C# versus Java: Java Programmers may look at C# with a mixture of trepidation, glee, and resentment. It has been suggested that C# is somehow a "rip-off" of Java. C# certainly learned a great deal from Java. But then Java learned a great deal from C++, which owed its syntax to C, which in turn was built on lessons learned in other languages. We all stand on the shoulders of giants. C# offers an easy transition for Java programmers; the syntax is very similar and the semantics are familiar and comfortable. Differences between C# and C++: Microsoft includes Visual C++ and C# in Visual Studio .NET. On the surface, C# has few differences from Visual C++. When you look carefully and start programming, you will notice that C# differs in several important respects from Visual C++: •

C# has an alternate method of accessing the C++ initialization list when constructing the base class.

A class can inherit implementation from only one base class.

You can call overridden base class members from derived classes. 57

C# has a different syntax for declaring C# arrays.

There are differences in several different types including bool, struct, and delegate.

The Main method is declared differently.

Support of the new ref and out method parameters that are used instead of pointers for passing parameters by reference.

New keywords including extern and static.

New statements including switch and finally.

New operators including is and typeof.

Different functionality for some operators and for overloading operators.

Microsoft .NET: Microsoft announced the .NET initiative in July 2000. The .NET platform is a new development framework with a new programming interface to Windows services and APIs, integrating a number of technologies that emerged from Microsoft during the late 1990s. Incorporated into .NET are COM+ component services; the ASP web development framework; a commitment to XML and object-oriented design; support for new web services protocols such as SOAP, WSDL, and UDDI; and a focus on the Internet. The platform consists of four separate product groups: Development tools: A set of languages, including C# and VB.NET; a set of development tools, including Visual Studio.NET; a comprehensive class library for building web services and web and Windows applications; as well as the Common Language Runtime to execute objects built within this framework. 58

Specialized servers: A set of .NET Enterprise Servers, formerly known as SQL Server 2000, Exchange 2000, BizTalk 2000, and so on, that provide specialized functionality for relational data storage, email, and B2B commerce. Web services: An offering of commercial web services, recently announced as project Hailstorm; for a fee, developers can use these services in building applications that require knowledge of user identity. Devices: New .NET-enabled non-PC devices, from cell phones to game boxes. The .NET Platform: The Microsoft .NET Platform consists of five main components, as shown in Figure 1 -1. At the lowest layer lies the operating system (OS), which can be one of a variety of Windows platforms, including Windows XP, Windows 2000, Windows Me, and Windows CE. As part of the .NET strategy, Microsoft has promised to deliver more .NET device software to facilitate a new generation of smart devices. On top of the operating system is a series of .NET Enterprise Server products that simplify and shorten the time required to develop and manage large-scale business systems. These server products include Application Center 2000, BizTalk Server 2000, Commerce Server 2000, Exchange Server 2000, Host Integration Server 2000, Internet Security and Acceleration Server 2000, and SQL Server 2000. Since Web Services are highly reusable across the Web, Microsoft plans to provide a number of building-block services that application developers can use, for a fee. An example of building –block service is Microsoft Passport, which allows you to use a single username and password at all web sites that support Passport authentication. On March 19, 2001, Microsoft announced another set of Web Services with the codename Hailstorm. This product encompasses a set of building –block 59

services that support personalization, centered entirely on consistent user experiences. Microsoft plans to add newer services, such as calendar, directory, and search services. Third-party vendors are also creating new Web services of their own. Fig. The Microsoft .NET platform

At the top layer of the .NET architecture is a brand new development tool called Visual Studio.NET (VS.NET), which makes possible the rapid development of Web Services and other applications. A successor of Microsoft Visual Studio 6.0, VS.NET is an Integrated Development Environment (IDE) that supports four different languages and features such as cross-language debugging and the XML Schema Editor. And at the center of .NET is the Microsoft .NET Framework—the main focus of this book. The .NET Framework is a new development and runtime infrastructure that will change the development of business applications on the Windows platform. It includes the Common Language Runtime (CLR) and a common framework of classes that can be used by all .NET languages. Visual Studio .net: Visual Studio .NET contains a graphical programming environment called the Microsoft Development Environment (MDE). The MDE enables you to create programs in Visual C# and other Visual Studio .NET languages.



Computer networks let programmers share Visual Studio .NET code including C# programs across the network. This collaborative effort lets you and your programming team creates C# programs much more quickly than one person alone. The problem with collaborating over a network is that unauthorized users from within or outside your network may try to gain access to your C# program code. Visual Studio .NET provides built-in security features so you or the leader of your programming team can determine who on your network gets access to your C# program code and resources. You can also set different levels of security for different people in case you want only certain people to have access to certain program code. DLLs: The advent of Windows brought dynamic link libraries (DLLs) to programmers. DLLs are small, independent programs that contain executable routines that programs can use to produce a certain result in Windows. For example, if a program needs to open a file, you can write your C# program that uses the code in the DLL to open the file. Using DLLs frees up your time to work on your program without having to reprogram the same code in your C# program over and over again. You can access DLLs from your C# program, and create DLLs in C# for your C# program to refer to when necessary. C# has full COM/Platform support, so you can integrate C# code with any programming language that can produce COM DLLs such as Visual C++. XML: Extensible Markup Language (XML) is a more powerful version of Hypertext Markup Language (HTML), the standard Web page language. Visual Studio .NET and C# let you document your program using XML and then extract the XML code into a separate file. Visual Studio .NET supports XML so that you can integrate your C# programs with the World Wide Web. You can document your C# code using XML and then use XML for creating Web Services and Web controls that let you and your code interact with a Web site. For example, you may have an inventory system written in C# that interacts with the order-taking page on your company’s Web site. Windows Operating System: 61

Windows operating system is no longer a stranger to people; it is a fast growing fully fledged powerful operating system with enhanced networking features, popular among home hobbyists and small network users. Connecting a Windows operating system to the networks is much like advertising an open house to the public, leaving your front door wide open and going on an extended vacation. Without precautions unwanted intruders will enter in both cases, and it will happen sooner than later. Microsoft Windows is the name of several families of software operating systems by Microsoft. Microsoft first introduced an operating environment named Windows in November 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces (GUIs). Microsoft Windows eventually came to dominate the world's personal computer market, overtaking Mac OS, which had been introduced previously. At the 2004 IDC Directions conference, IDC Vice President Avneesh Saxena stated that Windows had approximately 90% of the client operating system market.


using System; using System.Drawing; using System.Collections; using System.ComponentModel; using System.Windows.Forms; using System.Net; using System.Net.Sockets; using Sniffer; using System.Threading; using System.Text; namespace SnifferUI { public delegate void DoubleClickCallback(); public delegate void TabPageCallback(TabPage tp); /// /// Summary description for SnifferUI. /// public class SnifferUI : System.Windows.Forms.Form { private Thread thrdTrv; private Thread thrd; private Thread thrdC; bool isPaused = false; int MouseX=0; int MouseY=0; int totalCount=0,tcpCount=0,udpCount=0,icmpCount=0,otherCount=0; int totalByte=0,tcpByte=0,udpByte=0,icmpByte=0,otherByte=0; private treeViewFuncs objTVF; private SnifferSocket Socket_ public Hashtable

= null;

Counter_ =null; 63

public Hashtable

IdentTable_ =null;

private Hashtable

TabPageTable_ =null;

private Hashtable


private Hashtable ForCounter=null; private string thisComputerIp =""; private IPv4Datagram tempDatagram; private System.Windows.Forms.StatusBar statusBar1; private System.Windows.Forms.ColumnHeader Source; private System.Windows.Forms.MenuItem miStopSniffing; private System.Windows.Forms.Label label3; private System.Windows.Forms.Label label4; private System.Windows.Forms.Label label5; private System.Windows.Forms.Label label6; private System.Windows.Forms.Label label7; private System.Windows.Forms.Label lblb5; private System.Windows.Forms.Label lblb4; private System.Windows.Forms.Label lblb3; private System.Windows.Forms.Label lblb2; private System.Windows.Forms.Label lblb1; private System.Windows.Forms.MenuItem miExit; private System.Diagnostics.Process scanner; private System.Windows.Forms.ColumnHeader Destination_; private NotifyIcon notifyIcon1; private ContextMenuStrip contextMenuStrip1; private ToolStripMenuItem sHOWToolStripMenuItem; private ToolStripMenuItem qUITToolStripMenuItem; private TabPage tabPage1; private ListBox lbsuspectdata; private MenuItem menuItem2; private MenuItem menuItem3; 64

private System.Windows.Forms.Timer timer1; private MenuItem menuItem5; private System.ComponentModel.IContainer components; public SnifferUI() { InitializeComponent(); objTVF = new treeViewFuncs(); IdentTable_= new Hashtable(); Counter_=new Hashtable(); TabPageTable_ = new Hashtable(); CurrentSniffing_= new Hashtable(); ForCounter=new Hashtable(); lstwMain.FullRowSelect=true; lstwMain.GridLines=true; // create temp ipv4 datagram object tempDatagram =new IPv4Datagram(); // retrieve local system ip address [name] thisComputerIp =Dns.GetHostByName(Dns.GetHostName()).AddressList[0].ToString( ); bool enterence = true; while (enterence) { if ( thisComputerIp != null ) { // create SnifferSocket object Socket_ = new SnifferSocket(); try {


// call sniff method of SnifferSocket with this ComputerIP as parameter Socket_.Sniff(thisComputerIp); Socket_.IPs.Add(thisComputerIp); enterence=false; } catch(SnifferException e) { HandleSnifferError(e); thisComputerIp=GetIPToSniff(); } // call LoadOptions => links LoadOptions(); } else { thisComputerIp=GetIPToSniff(); } } thrd = new Thread(new ThreadStart(Counter)); thrd.IsBackground = true; thrd.Start(); thrdC = new Thread(new ThreadStart(Counter2)); thrdC.IsBackground = true; thrdC.Start(); } /// /// Clean up any resources being used. /// protected override void Dispose( bool disposing ) 66

{ if( disposing ) { if(components != null) { components.Dispose(); } } base.Dispose( disposing ); }

#region Windows Form Designer generated code /// /// Required method for Designer support - do not modify /// the contents of this method with the code editor. /// private void InitializeComponent() { this.components = new System.ComponentModel.Container(); System.ComponentModel.ComponentResourceManager resources = new System.ComponentModel.ComponentResourceManager(typeof(Sniffe rUI)); System.Configuration.AppSettingsReader configurationAppSettings = new System.Configuration.AppSettingsReader(); this.lstwMain = new System.Windows.Forms.ListView(); this.Count_ = new System.Windows.Forms.ColumnHeader(); this.Source_ = new System.Windows.Forms.ColumnHeader(); this.SourceName_ = new System.Windows.Forms.ColumnHeader(); this.SPort_ = new System.Windows.Forms.ColumnHeader(); this.Destination_ = new System.Windows.Forms.ColumnHeader(); this.DestName_ = new System.Windows.Forms.ColumnHeader(); 67

this.DPort_ = new System.Windows.Forms.ColumnHeader(); this.Protocol_ = new System.Windows.Forms.ColumnHeader(); this.Process_ = new System.Windows.Forms.ColumnHeader(); this.ProcessId_ = new System.Windows.Forms.ColumnHeader(); this.CnmLstwMain = new System.Windows.Forms.ContextMenu(); this.miStartSniffing = new System.Windows.Forms.MenuItem(); this.miStopSniffing = new System.Windows.Forms.MenuItem(); this.miConCheck = new System.Windows.Forms.MenuItem(); this.midelete = new System.Windows.Forms.MenuItem(); this.mideleteall = new System.Windows.Forms.MenuItem(); this.imlMain = new System.Windows.Forms.ImageList(this.components); this.imltblTreeView = new System.Windows.Forms.ImageList(this.components); this.statusBar1 = new System.Windows.Forms.StatusBar(); this.Source = new System.Windows.Forms.ColumnHeader(); this.Destination = new System.Windows.Forms.ColumnHeader(); this.Identification = new System.Windows.Forms.ColumnHeader(); this.Protocal = new System.Windows.Forms.ColumnHeader(); this.tcSniffing = new System.Windows.Forms.TabControl(); this.timer1 = new System.Windows.Forms.Timer(this.components); this.tcMain.SuspendLayout(); this.tpSniffing.SuspendLayout(); this.pnlSniffing.SuspendLayout(); this.pnlSubTab.SuspendLayout(); this.pnlToolBarTab.SuspendLayout(); this.tpCtrl.SuspendLayout(); this.pnlError.SuspendLayout(); this.pnlIcmpTlb.SuspendLayout(); this.tabPage1.SuspendLayout(); this.pnlMain.SuspendLayout(); this.pnlbottom.SuspendLayout(); 68

this.pnlBottomRight.SuspendLayout(); this.pnlBottomRightSub.SuspendLayout(); this.pnlRichText.SuspendLayout(); this.pnlPacket.SuspendLayout(); this.pnlAscii.SuspendLayout(); this.pnlTV.SuspendLayout(); this.pnlBottomLeft.SuspendLayout(); this.pnlUp.SuspendLayout(); this.pnlUpRight.SuspendLayout(); this.pnlUpLeft.SuspendLayout(); this.contextMenuStrip1.SuspendLayout(); this.SuspendLayout(); // // lstwMain // this.lstwMain.Columns.AddRange(new System.Windows.Forms.ColumnHeader[] { this.Count_, this.Source_, this.SourceName_, this.SPort_, this.Destination_, this.DestName_, this.DPort_, this.Protocol_, this.Process_, this.ProcessId_}); this.lstwMain.ContextMenu = this.CnmLstwMain; this.lstwMain.Dock = System.Windows.Forms.DockStyle.Fill; this.lstwMain.Location = new System.Drawing.Point(0, 0); this.lstwMain.MultiSelect = false; this.lstwMain.Name = "lstwMain"; this.lstwMain.Size = new System.Drawing.Size(904, 176); 69

this.lstwMain.SmallImageList = this.imlMain; this.lstwMain.TabIndex = 5; this.lstwMain.UseCompatibleStateImageBehavior = false; this.lstwMain.View = System.Windows.Forms.View.Details; this.lstwMain.SelectedIndexChanged += new System.EventHandler(this.lstwMain_SelectedIndexChanged); this.lstwMain.DoubleClick += new System.EventHandler(this.lstwMain_DoubleClick); this.lstwMain.ColumnClick += new System.Windows.Forms.ColumnClickEventHandler(this.lstwMain_ColumnClick); // // Count_ // this.Count_.Text = "Count"; this.Count_.Width = 56; // // Source_ // this.Source_.Text = "Source"; this.Source_.Width = 94; // // SourceName_ // this.SourceName_.Text = "Name"; this.SourceName_.Width = 68; // // SPort_ // this.SPort_.Text = "Source Port"; this.SPort_.Width = 150; // // Destination_ // 70

this.Destination_.Text = "Destination"; this.Destination_.Width = 102; // // DestName_ // this.DestName_.Text = "Name"; this.DestName_.Width = 64; // // DPort_ // this.DPort_.Text = "Dest. Port"; this.DPort_.Width = 162; // // Protocol_ // this.Protocol_.Text = "Protocol"; // // Process_ // this.Process_.Text = "Process"; this.Process_.Width = 74; // // ProcessId_ // this.ProcessId_.Text = "PID"; this.ProcessId_.Width = 50; // // CnmLstwMain // this.CnmLstwMain.MenuItems.AddRange(new System.Windows.Forms.MenuItem[] { this.miStartSniffing, this.miStopSniffing, 71

this.miConCheck, this.midelete, this.mideleteall}); // // miStartSniffing // this.miStartSniffing.DefaultItem = true; this.miStartSniffing.Index = 0; this.miStartSniffing.Text = "Start Sniffing"; this.miStartSniffing.Click += new System.EventHandler(this.miStartSniffing_Click); // // miStopSniffing // this.miStopSniffing.Index = 1; this.miStopSniffing.Text = "Stop Sniffing"; this.miStopSniffing.Click += new System.EventHandler(this.miStopSniffing_Click); // // miConCheck // this.miConCheck.Index = 2; this.miConCheck.Text = "Check Connection"; this.miConCheck.Click += new System.EventHandler(this.miConCheck_Click); // // midelete // this.midelete.Index = 3; this.midelete.Text = "Delete"; this.midelete.Click += new System.EventHandler(this.midelete_Click); // // mideleteall 72

// this.mideleteall.Index = 4; this.mideleteall.Text = "Delete All"; this.mideleteall.Click += new System.EventHandler(this.mideleteall_Click); // // imlMain // this.imlMain.ImageStream = ((System.Windows.Forms.ImageListStreamer) (resources.GetObject("imlMain.ImageStream"))); this.imlMain.TransparentColor = System.Drawing.Color.Transparent; this.imlMain.Images.SetKeyName(0, ""); this.imlMain.Images.SetKeyName(1, ""); this.imlMain.Images.SetKeyName(2, ""); this.imlMain.Images.SetKeyName(3, ""); this.imlMain.Images.SetKeyName(4, ""); this.imlMain.Images.SetKeyName(5, ""); this.imlMain.Images.SetKeyName(6, ""); this.imlMain.Images.SetKeyName(7, ""); this.imlMain.Images.SetKeyName(8, ""); this.imlMain.Images.SetKeyName(9, ""); this.imlMain.Images.SetKeyName(10, ""); this.imlMain.Images.SetKeyName(11, ""); // // imltblTreeView // this.imltblTreeView.ImageStream = ((System.Windows.Forms.ImageListStreamer) (resources.GetObject("imltblTreeView.ImageStream"))); this.imltblTreeView.TransparentColor = System.Drawing.Color.Transparent; this.imltblTreeView.Images.SetKeyName(0, ""); this.imltblTreeView.Images.SetKeyName(1, ""); this.imltblTreeView.Images.SetKeyName(2, ""); this.imltblTreeView.Images.SetKeyName(3, ""); 73

this.imltblTreeView.Images.SetKeyName(4, ""); this.imltblTreeView.Images.SetKeyName(5, ""); this.imltblTreeView.Images.SetKeyName(6, ""); // // statusBar1 // this.statusBar1.Location = new System.Drawing.Point(0, 428); this.statusBar1.Name = "statusBar1"; this.statusBar1.Size = new System.Drawing.Size(1190, 22); this.statusBar1.TabIndex = 8; // // Source // this.Source.Text = "Source"; this.Source.Width = 98; // // Destination // this.Destination.Text = "Destination"; this.Destination.Width = 115; // // Identification // this.Identification.Text = "Identification"; this.Identification.Width = 111; // // Protocal // this.Protocal.Text = "Protocal"; this.Protocal.Width = 130; // // tcSniffing // 74

this.tcSniffing.Dock = System.Windows.Forms.DockStyle.Fill; this.tcSniffing.Location = new System.Drawing.Point(0, 0); this.tcSniffing.Name = "tcSniffing"; this.tcSniffing.SelectedIndex = 0; this.tcSniffing.Size = new System.Drawing.Size(536, 191); this.tcSniffing.TabIndex = 11; // // tcMain // this.tcMain.Controls.Add(this.tpSniffing); this.tcMain.Controls.Add(this.tpCtrl); this.tcMain.Controls.Add(this.tabPage1); this.tcMain.Dock = System.Windows.Forms.DockStyle.Fill; this.tcMain.Location = new System.Drawing.Point(0, 0); this.tcMain.Name = "tcMain"; this.tcMain.SelectedIndex = 0; this.tcMain.Size = new System.Drawing.Size(544, 249); this.tcMain.TabIndex = 12; this.tcMain.SelectedIndexChanged += new System.EventHandler(this.tcMain_SelectedIndexChanged); // // tpSniffing // this.tpSniffing.Controls.Add(this.pnlSniffing); this.tpSniffing.Location = new System.Drawing.Point(4, 22); this.tpSniffing.Name = "tpSniffing"; this.tpSniffing.Size = new System.Drawing.Size(536, 223); this.tpSniffing.TabIndex = 0; this.tpSniffing.Text = "Current Sniffing"; this.tpSniffing.UseVisualStyleBackColor = true; // // pnlSniffing // 75

this.pnlSniffing.Controls.Add(this.pnlSubTab); this.pnlSniffing.Controls.Add(this.pnlToolBarTab); this.pnlSniffing.Dock = System.Windows.Forms.DockStyle.Fill; this.pnlSniffing.Location = new System.Drawing.Point(0, 0); this.pnlSniffing.Name = "pnlSniffing"; this.pnlSniffing.Size = new System.Drawing.Size(536, 223); this.pnlSniffing.TabIndex = 0; // // pnlSubTab // this.pnlSubTab.Controls.Add(this.tcSniffing); this.pnlSubTab.Dock = System.Windows.Forms.DockStyle.Fill; this.pnlSubTab.Location = new System.Drawing.Point(0, 32); this.pnlSubTab.Name = "pnlSubTab"; this.pnlSubTab.Size = new System.Drawing.Size(536, 191); this.pnlSubTab.TabIndex = 14; // // pnlToolBarTab // this.pnlToolBarTab.Controls.Add(this.tlbSniffing); this.pnlToolBarTab.Dock = System.Windows.Forms.DockStyle.Top; this.pnlToolBarTab.Location = new System.Drawing.Point(0, 0); this.pnlToolBarTab.Name = "pnlToolBarTab"; this.pnlToolBarTab.Size = new System.Drawing.Size(536, 32); this.pnlToolBarTab.TabIndex = 13; }

7. TESTING 7.1 Introduction: 76

Testing is a process, which reveals errors in the program. It is the major quality measure employed during software development. During testing, the program is executed with a set of test cases and the output of the program for the test cases is evaluated to determine if the program is performing as it is expected to perform. Testing performs a critical role in quality assurance and for ensuring the reliability of software. To accomplish the task of testing software, this is done under two categories of test case design techniques. 

White Box Testing (Structural testing)

Black Box Testing (Functional testing)

White box testing: This test focuses on the program control structure. Test cases are derived to ensure that all the statements in the program have been executed at least once during testing and that all logical conditions have been exercised. Black box testing: These tests are designed to validate functional requirements without regard to working of the program. Black box testing technique focuses on the information domain of the software, deriving test cases by partitioning input and output in a manner that provides though test coverage.

7.2 Levels of Testing: In order to make sure that the system does not have errors, the different levels of testing strategies that are applied at differing phases of software development are:

Unit Testing: Unit Testing is done on individual modules as they are completed and become executable. It is confined only to the designer's requirements. Unit Testing focuses on 77

verification of the smallest unit of software design module. Using the detailed design description as a guide, important control paths are tested to uncover errors within the boundary of the module .Unit testing is essentially for verification of the code produced during the coding phase and hence the goal is to test the internal logic of the module. Integrating Testing: Integration testing ensures that software and subsystems work together as a whole. It tests the interface of all the modules to make sure that the modules behave properly when integrated together. System Testing: System testing involves in-house testing of the entire system before delivery to the user. Its aim is to satisfy the user the system meets all requirements of the client's specifications. Acceptance Testing: It is a pre-delivery testing in which entire system is tested at client's site on real world data to find errors.


7.3 Test-Cases (Unit test-plan and integrated test-plan): No.

Test case Title


Expected Outcome

The requirement in RS that is being tested



Test the functionality of a file downloaded from internet Test that GUI is able to show network traffic Test the mapping of files to the destination IP address Test the functionality of a file downloaded from internet Test the functionality of a file downloaded from internet Test the decoded information of the selected file.

User saves the file and views it later

File is saved



User sees the traffic in graphical form.

Successful representation of traffic. Correct IP address is mapped to the file





User opens the saved file for viewing it.

File is opened



User prints the file.

The file is printed on the default printer.



User chooses from the list to view packet information.

The output is displayed correctly








User views the destination IP address attached to each file.

Validation: The system has been tested and implemented successfully and thus ensured that all the requirements as listed in the software requirements specification are completely fulfilled. In case of erroneous input corresponding error messages are displayed.













In practice, there is not a typical network problem that can’t be discovered and solved using packet sniffer technology. Sniffers can be used as the first method of attack on a number of issues that vary from overloaded networks to unresponsive switches to lost packets. As a number of networks and nodes continue to grow and as network speeds accelerate, it becomes more and more difficult to monitor a LAN by using traditional tools, such as RMON (Remote Monitoring) probes. Packet sniffers, by contrast, monitor traffic on network right down to the Header information on each series of data. This means that u can actually track data from starting point to its end point. Packet sniffers can also be used to identify the types of packets on a network and discover whether or not the specific packet has any errors.


 .Net: The Complete Reference 

Elsevier Inc, Network programming .NET with C# and VB.NET - Fiach Reid

O'Reilly - Programming C#

Sub main Dot NET Coding Guidelines - Steve Sartain

Websites -

 TCP/IP Protocol Suite

- Behrouz A. Forouzan

 Object-Oriented Software Engineering -Bernd Bruegge -Allen H. Dutoit


View more...


Copyright ©2017 KUPDF Inc.