Title: DEVELOPING TCP/IP AND UDP TRAFFIC MONITORING TOOL. RAFIQ BIN CHE MAT (2003285011)



DEVELOPING TCP/IP AND UDP TRAFFIC MONITORING TOOL

By RAFIQ BIN CHE MAT (2003285011)

A project paper submitted to the FACULTY OF INFORMATION TECHNOLOGY AND QUANTITATIVE SCIENCES, MARA UNIVERSITY OF TECHNOLOGY, in partial fulfillment of the requirement for the BACHELOR OF SCIENCE (Hons) IN DATA COMMUNICATION AND NETWORKING. Major Area: Communication

Approved by the Examining Committee:
Pn. Zarina Binti Zainol, Project Supervisor
En. Jamaluddin Bin MD Yusof, Examiner

MARA UNIVERSITY OF TECHNOLOGY, SHAH ALAM, SELANGOR, APRIL 2005

CERTIFICATION OF ORIGINALITY

This is to certify that I am responsible for the work submitted in this project, that the original work is my own except as specified in the references and acknowledgement, and that the original work contained herein has not been taken or done by unspecified sources or persons.

(RAFIQ BIN CHE MAT)

ACKNOWLEDGEMENT

First and foremost, in the name of ALLAH, the Most Generous and Merciful. Praise to ALLAH S.W.T., the one and only who gives me blessing and good health to finish this final year project by the submission deadline. A special thank you to all the individuals who helped me to complete this final year project. The TCP/IP and UDP traffic monitoring tool would and could not have been finished without the help, dedication and contribution of all the people whose names I shall announce shortly. I would like to take this opportunity to express my gratitude towards my lecturer and supervisor, Pn. Zarina binti Zainol, for her untiring guidance, ideas, support, effort and concern in this project. Other than that, a special thanks to Assoc. Prof. Dr. Saadiah binti Yahya for her support, advice, tips and ideas for my report and project. I would also like to thank my examiner, En. Jamaluddin Bin MD Yusof, for his support and guidance in this project. A great thank you to all of the SIG group, the Computer Technology and Networking (CTN) lecturers and the staff of FTMSK who guided me and provided me with valuable information and support while constructing this project. Special thanks to my family for their understanding, encouragement and support of my study. To my fellow friends, whose names remain anonymous, who always gave their support and unconditional advice to complete this final year project: without their brilliant ideas and knowledge, this final year project would not have been finished and would be incomplete. Thank you to all.

ABSTRACT

The main purpose of this project is to develop a program that runs on Windows XP to monitor the flow of Transmission Control Protocol / Internet Protocol (TCP/IP) and User Datagram Protocol (UDP) traffic over the Local Area Network (LAN) and the internet. The program monitors and tracks the record of TCP/IP and UDP connection traffic, such as the amount of traffic transmitted from or received by the host machine, per application. For example, in the case of a file transfer, the TCP/IP and UDP traffic monitor checks the details of the data transmission, including the size of the messages transmitted or received during a given period of time, the source IP address and MAC address, the destination IP address and MAC address, the source and destination port numbers, the type of protocol used, etc. The monitor can also keep the tracked data in an Access database file and provide statistical information to the user, such as a report and the total number of TCP/IP and UDP packets. The final results, from the testing phase of this project, are presented.

TABLE OF CONTENTS

CERTIFICATION OF ORIGINALITY
ACKNOWLEDGEMENT
ABSTRACT
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES

CHAPTER 1: INTRODUCTION
1.1 PREFACE
1.2 PROBLEM STATEMENT
1.3 PROJECT OBJECTIVE
1.4 PROJECT SCOPE
1.5 PROJECT SIGNIFICANCE
1.6 OUTLINE OF THE FOLLOWING CHAPTERS
1.7 CONCLUSION

CHAPTER 2: LITERATURE REVIEW
2.1 INTRODUCTION
2.2 DEFINITION OF PERTINENT TERMINOLOGIES
  2.2.1 Transmission Control Protocol (TCP) Concept
  2.2.2 User Datagram Protocol (UDP) Concept
  2.2.3 Internet Protocol (IP) Concept
2.3 DIFFERENT APPROACHES TO SOLVE THE SIMILAR PROBLEM
  2.3.1 Pandora: A Flexible Network Monitoring Platform
  2.3.2 BLT: Bi-Layer Tracing of HTTP and TCP/IP
  2.3.3 ENMA: The World Wide Web (WWW) Server Performance Measurement System via Packet Monitoring
  2.3.4 Developing TCP/IP Port Scanning Tool
  2.3.5 Network Traffic Monitoring Analysis - SITARA Quality of Service WORKS 5000TM
  2.3.6 Wide Area Network Packet Capture and Analysis
2.4 CONCLUSION

CHAPTER 3: RESEARCH METHODOLOGY
3.1 INTRODUCTION
3.2 RESEARCH METHODOLOGY
  3.2.1 Data Collection
  3.2.2 Design and Development
    3.2.2.1 Planning
    3.2.2.2 Analysis
    3.2.2.3 Design
    3.2.2.4 Implementation
    3.2.2.5 Maintenance and Support
  3.2.3 Evaluation and Finding
3.3 HARDWARE AND SOFTWARE REQUIREMENT
  3.3.1 Hardware requirement
  3.3.2 Software requirement
3.4 CONCLUSION

CHAPTER 4: FINDINGS AND DISCUSSION
4.1 INTRODUCTION
4.2 SCREEN DESIGN AND USER MANUAL
  4.2.1 Type of Adapter
  4.2.2 Main Page
    4.2.2.1 Start button
    4.2.2.2 Stop button
    4.2.2.3 Refresh button
    4.2.2.4 View All Data button
    4.2.2.5 Save button
    4.2.2.6 Search By Date button
    4.2.2.7 Search By Protocol Type button
    4.2.2.8 Total_Packet button
    4.2.2.9 Report button
    4.2.2.10 User Manual button
    4.2.2.11 New Scan button
    4.2.2.12 Exit button
  4.2.3 Database Access Table
  4.2.4 User Manual
4.3 DISCUSSION
4.4 CONCLUSION

CHAPTER 5: CONCLUSION AND RECOMMENDATION
5.1 CONCLUSION
5.2 BENEFITS
5.3 RECOMMENDATION FOR FUTURE WORK

BIBLIOGRAPHY
APPENDIX A
APPENDIX B
APPENDIX C
APPENDIX D

LIST OF TABLES

Table 2.1 TCP/IP protocol description

LIST OF FIGURES

Figure 2.1 Encapsulation of TCP data in an IP datagram
Figure 2.2 TCP Header Format
Figure 2.3 UDP Encapsulation
Figure 2.4 UDP Header Format
Figure 2.5 IP Datagram
Figure 3.1 Methodology Flow
Figure 3.2 Process Flow
Figure 3.3 Importing The PacketX Type Library
Figure 3.4 Entity Diagram
Figure 4.1 Message displayed to inform the user of the type of adapter that has been used
Figure 4.2 Main Menu Page
Figure 4.3 Process of capturing data packets from the live network
Figure 4.4 Message displayed after the Stop button on the Option Menu was clicked
Figure 4.5 Message displayed after the Stop Menu on the Menu List was clicked
Figure 4.6 Message displayed after the Refresh button on the Option Menu was clicked
Figure 4.7 Message displayed after the Refresh Menu on the Menu List was clicked
Figure 4.8 Process of capturing data packets from the live network continuing after the Refresh button was clicked
Figure 4.9 Message displayed after the View All Data Menu on the Menu List was clicked
Figure 4.10 Message displayed after the View All button on the Option Menu was clicked
Figure 4.11 All data in the Access database file displayed after the Network Administrator proceeds to view all data
Figure 4.12 Message displayed after the Save button on the Option Menu was clicked
Figure 4.13 Message displayed after the Save Menu on the Menu List was clicked
Figure 4.14 The Input Query displayed after the Search By Date Menu on the Menu List was clicked
Figure 4.15 Sample result of Search By Date
Figure 4.16 The Input Query displayed after the Search By Protocol Menu on the Menu List was clicked
Figure 4.17 Sample result after Search By TCP protocol type
Figure 4.18 Sample result after Search By IP protocol type
Figure 4.19 Sample result after Search By UDP protocol type
Figure 4.20 Total number of TCP/IP and UDP data packets during the testing phase
Figure 4.21 Full report on the data packets stored in the Access database file during the testing phase
Figure 4.22 User Manual
Figure 4.23 New_Scan Menu clicked to create a new process of capturing data packets from the live network
Figure 4.24 Exit from the TCP/IP and UDP traffic monitoring tool
Figure 4.25 The table of contents in the Access database files during the testing phase

CHAPTER 1: INTRODUCTION

1.1 PREFACE

Networks connect servers to client computers, forming a client-server environment, and they have become an important aspect of our lives today. However, the rapid growth of the internetworking population has caused heavy traffic on the network, and the server system must be capable of handling the burstiness of network traffic, especially in peak hours. Many computer networks today are based predominantly on the Transmission Control Protocol/Internet Protocol (TCP/IP) and the User Datagram Protocol (UDP), which provide a best-effort service. The TCP/IP and UDP traffic monitoring tool is therefore introduced to monitor the flow of traffic on the network. Like other network monitoring tools, this tool is used to monitor the traffic in the network and to analyse it. Its features allow the Network Administrator to connect, retrieve the current state of the network and compare it with historical data collected previously; the information obtained can thus be used to monitor and address trends in network utilization before they become problems. The program is written in Visual Basic 6.0 and gathers its information from the Network Interface Card (NIC). The following sections briefly explain the objectives of the project, give an overview of the project itself and of the Transmission Control Protocol/Internet Protocol (TCP/IP) and User Datagram Protocol (UDP), which are the primary protocols analysed in this project, and describe the methodology used.

1.2 PROBLEM STATEMENT

As we know, many Transmission Control Protocol/Internet Protocol (TCP/IP) and User Datagram Protocol (UDP) tools store their records in a log file rather than in a database. This tool will therefore track the record of TCP/IP and UDP connection traffic, such as the amount of traffic transmitted from or received by the host machine, per application, in an Access database. For example, in the case of a file transfer, the TCP/IP and UDP traffic monitor checks the details of the data transmission, including the number of messages transmitted or received during a given period of time and the size of each message, and whether it has an attachment or not. Besides that, it is difficult to find a tool that monitors the traffic and the network on the Windows platform in particular; many of the tools available on the internet are provided for the Linux and FreeBSD platforms. This project therefore produces a tool that solves this problem, especially for the Network Administrator who needs to monitor the flow of traffic on the network from a Windows environment. Furthermore, this program is open source rather than proprietary software, so all users can use it without a license, free of charge. It is also not a complicated or large program, and it gives experience of how to develop a program that can monitor packets over the network.

1.3 PROJECT OBJECTIVE

Every project must have objectives as guidance before it is implemented. We have defined our objectives based on our research and by considering several constraints, so that the work can be made a success. The main objectives of this project are:

i. To develop a tool that can be used to monitor the flow of TCP/IP and UDP traffic in a network, where it can:
   a) track the record of TCP/IP and UDP connection traffic, such as the amount of traffic transmitted from or received by the host; and
   b) keep the tracked data in an Access database and provide some statistical information to the Network Administrator.

1.4 PROJECT SCOPE

The focus of this project is to develop a tool that can be used to monitor the network traffic on a Local Area Network (LAN). All the information in the network traffic will be tracked, recorded and then stored in the Access database. Besides that, this project will be used in a Windows environment. At the end of the research, the simulation and screen design will be shown. Even though this tool can capture five protocol types on the live network, we have decided to concentrate on only three main protocols. A Local Area Network (LAN) segment will be tested in the monitoring and analysis process in order to achieve the second objective of this project. The three main protocols that this tool concentrates on are:

i. Transmission Control Protocol (TCP)
ii. Internet Protocol (IP)
iii. User Datagram Protocol (UDP)
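Objective (b) above, keeping tracked records in a database and producing statistical views (the total-packet count, search by date, search by protocol and a per-host report), can be sketched in a few SQL statements. The following is an added example written for this page; it is not the thesis's own Visual Basic 6.0 / Access code. It uses SQLite in memory, constructed sample records (the IP and MAC addresses are made up), and parameterized queries so that the date and protocol typed into the tool's search boxes can never be interpreted as SQL.

```python
"""Minimal capture store with the statistical views the thesis describes (added example)."""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE packets (
    captured_at TEXT    NOT NULL,  -- ISO-8601 timestamp, e.g. 2005-04-01T09:15:00
    src_ip      TEXT,
    src_mac     TEXT,
    dst_ip      TEXT,
    dst_mac     TEXT,
    src_port    INTEGER,           -- NULL for packets with no transport header parsed
    dst_port    INTEGER,
    protocol    TEXT    NOT NULL,  -- 'TCP', 'UDP' or 'IP' (other IP payloads)
    length      INTEGER NOT NULL   -- bytes on the wire
);
CREATE INDEX packets_by_time  ON packets(captured_at);
CREATE INDEX packets_by_proto ON packets(protocol);
"""

# Constructed sample records standing in for parsed captures (all addresses are made up).
SAMPLE_PACKETS = [
    ("2005-04-01T09:15:00", "192.168.1.10", "00:11:22:33:44:55", "192.168.1.20", "66:77:88:99:aa:bb", 40000, 80, "TCP", 60),
    ("2005-04-01T09:15:01", "192.168.1.20", "66:77:88:99:aa:bb", "192.168.1.10", "00:11:22:33:44:55", 80, 40000, "TCP", 1500),
    ("2005-04-01T09:15:02", "192.168.1.10", "00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:dd:ee:ff", 53000, 53, "UDP", 74),
    ("2005-04-02T10:00:00", "192.168.1.30", "12:34:56:78:9a:bc", "192.168.1.10", "00:11:22:33:44:55", None, None, "IP", 84),
]


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Create the capture table; ':memory:' keeps everything in RAM for the demo."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record(conn: sqlite3.Connection, rows) -> None:
    """Insert parsed packet records (the Save button)."""
    conn.executemany("INSERT INTO packets VALUES (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()


def total_packets(conn: sqlite3.Connection) -> Dict[str, int]:
    """Packet count per protocol (the Total_Packet view)."""
    return dict(conn.execute("SELECT protocol, COUNT(*) FROM packets GROUP BY protocol"))


def search_by_date(conn: sqlite3.Connection, day: str) -> List[Tuple]:
    """Packets captured on one calendar day, given as YYYY-MM-DD (the Search By Date query).
    The day is bound as a parameter, never concatenated into the SQL text."""
    return conn.execute(
        "SELECT captured_at, src_ip, dst_ip, protocol, length FROM packets "
        "WHERE substr(captured_at, 1, 10) = ? ORDER BY captured_at", (day,)).fetchall()


def search_by_protocol(conn: sqlite3.Connection, proto: str) -> List[Tuple]:
    """Packets of one protocol type (the Search By Protocol Type query)."""
    return conn.execute(
        "SELECT captured_at, src_ip, src_port, dst_ip, dst_port, length FROM packets "
        "WHERE protocol = ? ORDER BY captured_at", (proto,)).fetchall()


def report(conn: sqlite3.Connection) -> Dict[str, Dict[str, int]]:
    """Bytes sent and received per host, the kind of statistic the Report button produces."""
    out: Dict[str, Dict[str, int]] = {}
    for ip, sent in conn.execute("SELECT src_ip, SUM(length) FROM packets GROUP BY src_ip"):
        out.setdefault(ip, {"sent": 0, "received": 0})["sent"] = sent
    for ip, recv in conn.execute("SELECT dst_ip, SUM(length) FROM packets GROUP BY dst_ip"):
        out.setdefault(ip, {"sent": 0, "received": 0})["received"] = recv
    return out


def demo() -> Dict[str, int]:
    """Load the constructed sample and return the per-protocol totals."""
    conn = open_store()
    record(conn, SAMPLE_PACKETS)
    return total_packets(conn)
```

Swapping `":memory:"` for a file path gives a persistent store; the indexes on `captured_at` and `protocol` are what keep the two search queries fast once the table holds a day's worth of captures.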

1.5 PROJECT SIGNIFICANCE

The main significance of this project is that the tool can be used to monitor the flow of traffic on a Local Area Network (LAN), especially in a Windows environment. In addition, the Network Administrator can learn about basic packet monitoring on a live network. Another significance is that more information can be tracked and obtained from the network traffic using this tool: all the information stored in the database file can be used by the Network Administrator to produce statistical information. The tool also provides a Graphical User Interface (GUI), which makes it more convenient and user friendly for the Network Administrator. Furthermore, this program can be used by beginner programmers as a guideline on how to build a better program.

1.6 OUTLINE OF THE FOLLOWING CHAPTERS

1.6.1 Chapter 2: Literature Review
This chapter presents the related literature review. It explains the concept of TCP/IP and UDP in real networks today, and surveys different approaches that have been taken to solve the similar problem.

1.6.2 Chapter 3: Research Methodology
This chapter discusses the approaches or methodology used from the beginning to the end of the project. It also covers the System Development Life Cycle (SDLC) phases followed in developing the TCP/IP and UDP traffic monitoring tool.

1.6.3 Chapter 4: Findings and Discussion
The final results of this project are discussed and the screen layouts are shown in this chapter.

1.6.4 Chapter 5: Conclusion and Recommendation
The conclusion of this project is explained and discussed in this chapter. In addition, recommendations for future work are discussed.

1.7 CONCLUSION

This chapter has introduced the background of the problem, the problem statement, the objectives of the project, the scope of the project and the significance of the project. It also gives a rough idea of the problem that is to be solved.

CHAPTER 2: LITERATURE REVIEW

2.1 INTRODUCTION

The literature review is the beginning of the framework that is used as a reference or guideline for the researchers; it can give a lot of good ideas for making great research. Internetworking has needed a long time to grow to what it is today. From the DARPA military project in the late 1960s, the evolution of the Internet has made what was impossible become a reality. At that time it was only used by the U.S. Military and several local universities for research and development. After the invention of the World Wide Web in the 1990s, the world saw rapid growth of the Internet, with millions of users worldwide. The rapid global growth in Internet users causes traffic congestion in the internetworking environment.

2.2 DEFINITION OF PERTINENT TERMINOLOGIES

2.2.1 Transmission Control Protocol (TCP) Concept

Transmission Control Protocol (TCP) is the most important connection-oriented protocol. It provides a reliable information transfer service for higher-layer applications (Cisco Networking Academy Program, 2nd edition, Cisco Press, 2001). Furthermore, TCP performs connection establishment and error recovery, and has flow control for avoiding errors. Error recovery is implemented by retransmissions and packet reordering. TCP provides two main functions for dynamic flow control. First, a retransmission timer is used at the sending TCP host to determine that a packet has been lost. Second, the window size is used to limit the packets that have been sent but not yet acknowledged. Besides that, TCP has a header that contains various fields, including the source and destination ports, sequence and acknowledgment numbers, window size, TCP flags, urgent pointer and reserved bits (Karen Kent Frederick, 2001).

Figure 2.1: Encapsulation of TCP data in an IP datagram. The IP datagram consists of a 20-byte IP header followed by the TCP segment; the TCP segment consists of a 20-byte TCP header followed by the TCP data.

Figure 2.2: TCP Header Format. Fields in order: 16-bit source port number, 16-bit destination port number, 32-bit sequence number, 32-bit acknowledgment number, 4-bit header length, 6 reserved bits, the 6 flag bits (URG, ACK, PSH, RST, SYN, FIN), 16-bit window size, 16-bit TCP checksum, 16-bit urgent pointer, options (if any) and data (if any).

TCP also provides a reliable connection service to pairs of processes. It does not assume reliability from the lower-level protocol such as IP. TCP assigns a sequence number to each byte transmitted and expects a positive acknowledgement (ACK) from the receiving TCP. If the ACK is not received within the timeout interval, the data are retransmitted. As data are transmitted in blocks, namely TCP segments, the sequence number of the first data byte in the segment is sent to the destination host. The receiving TCP uses the sequence numbers to rearrange the segments when they arrive out of order and to eliminate duplicate segments. When sending an ACK back to the sender, the receiving TCP also indicates the number of bytes it can receive beyond the last received TCP segment without causing overrun and overflow in its internal buffers. This number sent in the ACK is actually the highest sequence number it can receive without problems. This mechanism is also referred to as the window mechanism (Pompan Tadthong, 1999).

In a multi-network environment, TCP is intended to provide a reliable process-to-process communication service. TCP is intended to be a host-to-host protocol in common use in multiple networks. A few categories are important in TCP. The first is basic data transfer: TCP is able to transfer a continuous stream of octets in each direction between its users. In general, TCP decides when to block and forward data at its own convenience. The second is reliability: TCP must recover from data that is damaged, lost, duplicated or delivered out of order. TCP does this by assigning a sequence number to each octet transmitted and requiring a positive acknowledgment (ACK) from the receiving TCP. If the ACK is not received within a timeout interval, the data is retransmitted. At the receiver, the sequence numbers are used to correctly order segments that may be received out of order and to eliminate duplicates. Damage is handled by adding a checksum to each segment transmitted, checking it at the receiver and discarding damaged segments. The next category is flow control: TCP provides a means for the receiver to govern the amount of data sent by the sender, by returning a window with every ACK. The window indicates the number of octets that the sender may transmit before receiving further permission. Through multiplexing, TCP allows many processes within a single host to use it at once: TCP provides a set of addresses, or ports, within each host, and a pair of sockets uniquely identifies each connection. That is, a socket may be used simultaneously in multiple connections (Information Sciences Institute, University of Southern California, 1981).

2.2.2 User Datagram Protocol (UDP) Concept

User Datagram Protocol (UDP) provides a mechanism for applications to send encapsulated raw IP datagrams without having to establish a connection. It thus adds low overhead, but requires the application to take responsibility for error recovery (Pompan Tadthong, 1999). In addition, UDP functions as a transport-layer protocol. It is connectionless and does not provide reliable transport. On the other hand, UDP gives an application direct access to the datagram service of the IP layer, and multicast and broadcast services are available by using UDP (Cisco Networking Academy Program, 2nd edition, Cisco Press, 2001).
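The receiver-side behaviour described above (ordering by sequence number, eliminating duplicates, and advertising a window in every ACK) is easiest to see in a small model. The following is an added example written for this page, not code from the thesis; the initial sequence number, buffer size and segment contents are constructed for the demonstration, and the model assumes the application reads delivered data immediately and that segments do not partially overlap ones already buffered.

```python
"""Receiver-side model of TCP sequence numbers, cumulative ACKs and the advertised window (added example)."""
from typing import Dict, List, Tuple


class TcpReceiver:
    def __init__(self, isn: int, buf_size: int = 1000) -> None:
        self.expected = isn                         # sequence number of the next in-order byte
        self.buf_size = buf_size                    # receive buffer capacity, which bounds the window
        self.out_of_order: Dict[int, bytes] = {}    # seq -> bytes held back until the gap before them is filled
        self.delivered = bytearray()                # in-order data handed to the application

    def window(self) -> int:
        """Octets the sender may still send beyond the ACKed point: buffer space not yet
        occupied by out-of-order segments (delivered data is assumed read immediately)."""
        held = sum(len(d) for d in self.out_of_order.values())
        return max(0, self.buf_size - held)

    def receive(self, seq: int, data: bytes) -> Tuple[int, int]:
        """Process one segment; return the (ACK number, window) the receiver would send back.
        The ACK number is cumulative: the first byte not yet received in order."""
        end = seq + len(data)
        if end <= self.expected:
            # Every byte already received: a duplicate (e.g. retransmitted after a lost ACK).
            return self.expected, self.window()
        if seq > self.expected:
            # A gap precedes this segment: hold it, but only if it fits inside the window.
            if seq not in self.out_of_order and end - self.expected <= self.buf_size:
                self.out_of_order[seq] = data
            return self.expected, self.window()
        # In-order (possibly overlapping the front): deliver the new part, then drain what it unblocks.
        self.delivered += data[self.expected - seq:]
        self.expected = end
        while self.expected in self.out_of_order:
            chunk = self.out_of_order.pop(self.expected)
            self.delivered += chunk
            self.expected += len(chunk)
        return self.expected, self.window()


def demo_out_of_order() -> Tuple[bytes, List[Tuple[int, int]]]:
    """Three constructed segments arrive scrambled, with one duplicate; return the
    reassembled stream and the (ACK, window) pair answered to each arrival."""
    segments = {1000: b"Hello, ", 1007: b"TCP ", 1011: b"world!"}   # constructed, isn = 1000
    rx = TcpReceiver(isn=1000, buf_size=100)
    acks = []
    for seq in (1011, 1000, 1000, 1007):   # last segment first, then a duplicate of the first
        acks.append(rx.receive(seq, segments[seq]))
    return bytes(rx.delivered), acks
```

Note how the ACK number stays at 1000 while only the third segment has arrived, and how the window shrinks by the 6 buffered bytes until the gap is filled; a segment that would not fit in the window is simply not buffered, which is the receiver's protection against buffer overrun.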

The UDP packet is called a user datagram and has no flow-control mechanism. UDP's only attempt at error control is the checksum. The UDP header contains the source port number, destination port number, total length and checksum (Cisco Networking Academy Program, 2nd edition, Cisco Press, 2001).

Figure 2.3: UDP encapsulation. The IP datagram consists of the IP header followed by the UDP segment; the UDP segment consists of the UDP header followed by the UDP data.

Figure 2.4: UDP Header Format (8 bytes). Fields in order: 16-bit source port number, 16-bit destination port number, 16-bit total length, 16-bit checksum.

2.2.3 Internet Protocol (IP) Concept

IP is an unreliable and connectionless datagram protocol: it is a best-effort delivery service. IP provides no error checking or tracking, but it does have an error-detection method, the checksum. IP functions as a network-layer protocol. A packet at the IP layer is called a datagram. Each datagram is handled independently and can follow a different route to the destination. The maximum length of a datagram is 65,535 bytes. The IP header contains the version number, header length, differentiated services, datagram length, identification number, fragmentation flags, fragmentation offset, time to live, the protocol that is the user of IP, checksum, source address and destination address (Behrouz A. Forouzan & Sophia Chung Fegan, 2003).

Table 2.1: TCP/IP protocol description

Protocol                             | Description
-------------------------------------|------------------------------------------------------------------------
TCP (Transmission Control Protocol)  | The protocol used to exchange data between applications
UDP (User Datagram Protocol)         | The protocol used to exchange data between applications, but simpler and less reliable than TCP
IP (Internet Protocol)               | The protocol used to exchange raw data between remote hosts

Figure 2.5: IP Datagram. Header of 20-60 bytes with fields in order: VER (4 bits), HLEN (4 bits), DS (8 bits), Total Length (16 bits), Identification (16 bits), Flags (3 bits), Fragmentation offset (13 bits), Time to live (8 bits), Protocol (8 bits), Header checksum (16 bits), Source IP address, Destination IP address, Option.
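The three header layouts in Figures 2.2, 2.4 and 2.5 are what a monitoring tool must decode from each captured frame to fill in the fields the abstract lists (addresses, ports, protocol, size). The following parser is an added example written for this page in Python, not the thesis's Visual Basic 6.0 / PacketX code: it unpacks the fixed IPv4 header, verifies the header checksum, and dispatches to a TCP or UDP decoder by protocol number. The two sample packets are constructed here (addresses and ports are made up), and `wrap_ipv4` exists only to build them.

```python
"""Decode IPv4, TCP and UDP headers from raw bytes, with bounds and checksum checks (added example)."""
import struct
from typing import Any, Dict

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}          # IANA protocol numbers
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5 of the flags field


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Run over a header that already contains
    its checksum field, it returns 0 when the header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp(seg: bytes) -> Dict[str, Any]:
    """Figure 2.2: ports, sequence/ack numbers, header length, flags, window, checksum, urgent pointer."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4                     # header length is counted in 32-bit words
    flags = [name for i, name in enumerate(TCP_FLAGS) if off_flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "header_len": data_off, "flags": flags, "window": win,
            "checksum": csum, "urgent_ptr": urg, "payload_len": len(seg) - data_off}


def parse_udp(dgram: bytes) -> Dict[str, Any]:
    """Figure 2.4: the 8-byte UDP header."""
    if len(dgram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": csum, "payload_len": len(dgram) - 8}


def parse_ipv4(pkt: bytes) -> Dict[str, Any]:
    """Figure 2.5: decode the IPv4 header, then the transport header it carries."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, ds, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    hdr = {"version": version, "header_len": ihl, "ds": ds, "total_length": total_len,
           "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
           "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
           "checksum_ok": checksum(pkt[:ihl]) == 0,
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    payload = pkt[ihl:total_len]          # never trust the frame length; use the header's
    if proto == 6:
        hdr["tcp"] = parse_tcp(payload)
    elif proto == 17:
        hdr["udp"] = parse_udp(payload)
    return hdr


def wrap_ipv4(proto: int, payload: bytes, src: str, dst: str) -> bytes:
    """Build a 20-byte IPv4 header (DF set, TTL 64) with a correct checksum; used only for samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def sample_tcp_syn() -> bytes:
    """Constructed TCP SYN, 192.168.1.10:40000 -> 192.168.1.20:80, seq 1000, window 8192."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 8192, 0, 0)
    return wrap_ipv4(6, tcp, "192.168.1.10", "192.168.1.20")


def sample_udp_query() -> bytes:
    """Constructed UDP datagram, 192.168.1.10:53000 -> 192.168.1.1:53, 5-byte payload."""
    payload = b"query"
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(payload), 0) + payload
    return wrap_ipv4(17, udp, "192.168.1.10", "192.168.1.1")
```

The two length checks matter for a tool that reads frames straight off the NIC: a short or malformed frame must raise cleanly rather than index past the buffer, and the payload is sliced by the header's own total length rather than by whatever the capture driver handed over.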

2.3 DIFFERENT APPROACHES TO SOLVE THE SIMILAR PROBLEM

2.3.1 Pandora: A Flexible Network Monitoring Platform

This project was done by Simon Patarin and Mesaac Makpangou from the INRIA SOR group, Rocquencourt, France. The main objective of the project was to develop a network monitoring platform that captures packets using purely passive techniques. The methodology is to stack the appropriate components. Evaluations were then conducted to show that the overheads due to Pandora's flexibility do not significantly affect performance. They found that the layering structure of Pandora has little impact on performance in comparison with tcpdump. They also found that Pandora is not fast enough to monitor a high-bandwidth network dedicated to HTTP. In addition, Pandora is an efficient and flexible continuous monitoring tool that can run 24 hours a day, 7 days a week.

2.3.2 BLT: Bi-Layer Tracing of HTTP and TCP/IP

According to Anja Feldmann from Universität des Saarlandes, Saarbrücken, Germany, this project developed software that allows traces to be collected continuously, online, and at any point in the network. It used the DEC Alpha platform to implement packet collection from the network. The information is gathered from users running modified Web browsers; from Web content providers logging which data is retrieved from their Web server; from Web proxies logging which data is requested by the users of the proxy; and from the wire via packet monitoring. Among the findings of this project are that there is no notion of files, and that request and response pairs will be properly matched.