DEVELOPING A WEB-BASED PACKET MONITORING TOOL
Hamsiah bt. Mohamed Said
2003192664
Bachelor of Science (Hons) Data Communication and Networking
Faculty of Information Technology and Quantitative Sciences
Mara University of Technology
Shah Alam
May 2006
Title: DEVELOPING A WEB-BASED PACKET MONITORING TOOL
By: HAMSIAH BT. MOHAMED SAID (2003192664)
A project paper submitted to FACULTY OF INFORMATION TECHNOLOGY AND QUANTITATIVE SCIENCES, MARA UNIVERSITY OF TECHNOLOGY, in partial fulfillment of the requirement for the BACHELOR OF SCIENCE (Hons) IN DATA COMMUNICATION AND NETWORKING
Approved by Examining Committee:
Major Area:
MARA UNIVERSITY OF TECHNOLOGY, SHAH ALAM, SELANGOR
MAY 2006
CERTIFICATION OF ORIGINALITY
This is to certify that I am responsible for the work submitted in this project, that the original work is my own except as specified in the references and acknowledgement, and that the original work contained herein has not been taken or done by unspecified sources or persons.
(HAMSIAH BT MOHAMED SAID)
ACKNOWLEDGEMENT
BISMILLAHIRRAHMANIRRAHIM
In the name of Allah, the most gracious and the most merciful. Alhamdulillah, thanks to the Almighty for blessing me with the strength and courage to complete this report. In the midst of preparing and completing this report, I had the privilege of obtaining assistance and guidance from various sources. Therefore, I would like to express my deepest appreciation to those involved in this thesis. First and foremost, I would like to express my appreciation and millions of thanks to my project supervisor, Pn. Zarina binti Zainol, who sacrificed time and effort in providing me with ideas and guidance throughout this semester in order to complete this thesis. Other than that, special thanks to Assoc. Prof. Dr. Saadiah bt. Yahya for her support, advice, tips and ideas for my report and project. I would also like to thank my examiner, En. Jamaluddin b. Md. Yusof, for his support and guidance in this project. A great thank you to all of the SIG group, the CTN lecturers and the FTMSK staff who guided me and provided me with valuable information and support while constructing this project. Special thanks to my family for their understanding, encouragement and support of my studies. To my fellow friends, whose names remain anonymous, I would like to thank them for their help, friendship and countless support. May Allah S.W.T. bless all of them for their support. Thank you to all of you from the deepest of my heart.
ABSTRACT
This project is an effort to develop a web-based program that monitors the network traffic of a local host and a local network, based on the flow of the User Datagram Protocol. The system was developed to show packet traffic in detail: source and destination IP address, source and destination port number, total number of packets transferred, session and other data. Besides that, it is capable of capturing traffic from multiple network adapters simultaneously. This monitoring tool uses a web interface, so users can easily access traffic information via a generic and easy-to-use Web browser. It also has the ability to sort and retrieve the information from the database. The program is written in the Java language for the background process and in PHP for the foreground process, on the Windows XP Operating System platform. This report has altogether 5 chapters. The first chapter explains the scope and objective of this project. The second chapter focuses on definitions of pertinent terminologies and on other projects related to this one. The third chapter discusses the method used to develop the system. The fourth chapter presents the results of this project, and finally the overall progress and achievement of the project are discussed in chapter five.
TABLE OF CONTENTS (PAGE)

CHAPTER 1: INTRODUCTION
1.1 PREFACE ... 1
1.2 PROBLEM STATEMENT ... 2
1.3 PROJECT OBJECTIVE ... 2
1.4 PROJECT SCOPE ... 3
1.5 SIGNIFICANCE OF THE PROJECT ... 3

CHAPTER 2: LITERATURE REVIEW
2.1 INTRODUCTION ... 4
2.2 DEFINITION OF PERTINENT TERMINOLOGIES
2.2.1 Web-based application ... 4
2.2.2 Packet ... 4
2.2.3 Transmission Control Protocol (TCP) ... 7
2.2.4 User Datagram Protocol (UDP) ... 9
2.2.5 Port Number ... 10
2.3 DIFFERENT APPROACHES TO SOLVE THE SIMILAR PROBLEM
2.3.1 Developing TCP/IP and UDP Traffic Monitoring Tool ... 11
2.3.2 Network Traffic Monitoring Analysis-SITARA Quality of Service Works 5000TM ... 11
2.3.3 Developing A Packet Capturing Program ... 12
2.3.4 Developing Port Scanning Detector Program ... 12
2.4 CONCLUSION ... 12

CHAPTER 3: METHODOLOGY
3.1 INTRODUCTION ... 13
3.2 RESEARCH METHODOLOGY
3.2.1 Data Collection ... 13
3.2.2 Design and Development
3.2.2.1 Planning ... 15
3.2.2.2 Analysis ... 15
3.2.2.3 Design ... 15
3.2.2.4 Implementation ... 17
3.2.2.5 Testing ... 20
3.3 HARDWARE AND SOFTWARE REQUIREMENT
3.3.1 Hardware Requirement ... 20
3.3.2 Software Requirement ... 21
3.4 CONCLUSION ... 22

CHAPTER 4: FINDINGS AND DISCUSSIONS
4.1 INTRODUCTION ... 23
4.2 MONITORING THE PACKET
4.2.1 Background Process ... 23
4.2.2 Foreground Process ... 27
4.3 DISCUSSION ... 32

CHAPTER 5: CONCLUSION AND RECOMMENDATION
5.1 CONCLUSION ... 33
5.2 BENEFITS ... 33
5.3 RECOMMENDATION FOR FUTURE WORK ... 34

BIBLIOGRAPHY ... 35
APPENDIX A: Installation of J2SDK & NetBeans IDE ... 36
APPENDIX B: Installation of Apache ... 39
APPENDIX C: Installation of PHP ... 41
APPENDIX D: Program Source Code
a) Java Monitor Program ... 44
b) Create Database ... 51
c) PHP Script ... 53
GANTT CHART ... 68
LIST OF FIGURES (FIGURE NUMBER, NAME, PAGE)
3.1 Methodology Flow ... 14
3.2 Flowchart of Background Process ... 18
3.3 Flowchart of Foreground Process ... 19
4.1 Input Dialog for Username ... 24
4.2 Input Dialog for Password ... 24
4.3 Table of Adapter Type ... 25
4.4 Table of UDP ... 26
4.5 Exit Button ... 27
4.6 The Main Page ... 28
4.7 Record on Device 1 ... 29
4.8 Record on Device 2 ... 30
4.9 Delete Button ... 31
5.0 Confirmation Delete Button ... 32
LIST OF TABLES (TABLE NUMBER, NAME, PAGE)
1.0 TCP Packet Format ... 7
2.0 UDP Packet Format ... 10
CHAPTER 1 INTRODUCTION
1.1 PREFACE
As a network evolves and grows, it becomes a more critical and indispensable resource to the organization. As more network resources are made available to users, the network becomes more complex, and maintaining it becomes more complicated. Loss of network resources and poor performance are results of this increased complexity and are not acceptable to the users. The network administrator must actively manage the network, diagnose problems, prevent situations from occurring, and provide the best network performance for the users. Effective management of LANs and WANs is the key element in maintaining a productive environment in the networking world. As more services become available to more users, network performance suffers. Network administrators, through constant monitoring, must recognize and be able to rectify problems before they become noticeable to the end users. Various tools and protocols are available to monitor the network on a local and remote basis, and a comprehensive understanding of these tools is critical to effective network management. So, the first step in solving this problem is to monitor the traffic with a suitable and cost-effective tool. The proposed solution is a packet monitoring tool that we will develop. This tool will be used to monitor the packets in the network and to analyse them. It will monitor and track the record of packet connection traffic, and it can view detailed statistics for IP connections: IP addresses, ports, sessions, etc. Besides that, this tool can capture traffic from multiple adapters simultaneously. This monitoring tool also has the ability to sort and retrieve the tracked data in a database and
provide statistical information to the user. This data can be accessed quickly and easily. Thus, the information obtained can be used to monitor and address trends in network utilization before they become a problem.
1.2 PROBLEM STATEMENT
In communication networks, traffic is the common problem that always affects the end users. As the network expands, traffic becomes heavy, so the possibility of network congestion is very high. The rapidly growing number of users and applications, and especially the growth in recreational traffic, has led to application slow-downs and user complaints. Network administrators are under pressure to fix these problems despite tight budgets and limited staff. The network administrator needs cost-effective, intuitive tools that can be used to monitor the traffic in the network and analyse traffic utilization before it becomes a problem. Furthermore, it is difficult to obtain a tool to monitor traffic on the Windows platform. Many tools are already provided for the Linux and FreeBSD platforms, so this tool is developed to operate in a Windows environment. Besides that, other tools store all records in a log file rather than in a database. This tool will track the records in a database and make it easy for the network administrator to analyse the traffic. In view of this, the project was carried out in order to fulfil this requirement. Furthermore, this program is open source, not proprietary, software, so all users can use it without a license and it is free.
1.3 PROJECT OBJECTIVE
Based on the brief introduction and problem statement above, the main objectives of this project are:
i. To develop a tool that can be used to monitor the flow of packet connection traffic in a network, where it can:
a) Track the record of packet connection traffic via a web-based application.
b) Keep the tracked data in a database and provide statistical information to the Network Administrator.
1.4 PROJECT SCOPE
In completing this project, several scopes have been taken as a guideline. The scopes are as follows:
a) This tool can be used to monitor the network traffic within a Local Area Network.
b) This project will be used in a Windows environment.
1.5 PROJECT SIGNIFICANCE
By completing this project we hope that the tool can be used to monitor the flow of traffic in order to give important statistical information to the network administrator for managing network flow and performance. By managing the traffic, network productivity can be enhanced by giving priority to work-related applications. As for the users, they will receive better performance if the network has been well monitored and managed. This monitoring tool uses a web interface, so users can easily access traffic information via a generic and easy-to-use Web browser. This project is also significant to the researcher because it gives experience in developing a program that can monitor packets over the network.
CHAPTER 2 LITERATURE REVIEW
2.1 INTRODUCTION
The literature review is the beginning of the framework that will be used as a reference or guideline by the researcher. In this chapter, we review the related information to get a better understanding of the topic. Besides that, we review the concepts of TCP/IP and UDP and state a few things that should be understood in order to develop this web-based packet monitoring tool.
2.2 DEFINITION OF PERTINENT TERMINOLOGIES
2.2.1 Web-based application
A web-based application is a program that runs on a computer connected to the Internet and is controlled through the simple interface that a Web browser (like Netscape or Internet Explorer) provides. The interface consists of all of the various objects that a browser can display, like text, images, text boxes, check boxes, radio buttons, and push buttons. Though the underlying language that describes how a web page should appear, called HTML, is somewhat restrictive in regard to exact layout specifications and sizing, a Web browser can conceivably act as an interface to just about any program that exists. The browser retrieves and displays a starting Web page, which usually has built-in connections to other documents. (Discovering Computers, Shelly Cashman Series, 2005)
2.2.2 Packet
A packet is the unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network. When any file (e-mail message, HTML file, Uniform Resource Locator (URL), and so forth) is sent from one place to another, the Transmission Control Protocol (TCP) layer of TCP/IP divides the file into chunks of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the network or Internet. When they have all arrived, they are reassembled into the original file by the TCP layer at the receiving end. On the Internet, the network breaks an e-mail message into parts of a certain size in bytes. These are the packets. Each packet carries the information that will help it get to its destination: the sender's IP address, the intended receiver's IP address, something that tells the network how many packets this e-mail message has been broken into, and the number of this particular packet. The packets carry the data in the protocols that the Internet uses: Transmission Control Protocol/Internet Protocol (TCP/IP). Each packet contains part of the body of your message. A typical packet contains perhaps 1,000 or 1,500 bytes. Each packet is then sent off to its destination by the best available route, a route that might be taken by all the other packets in the message or by none of the other packets in the message. This makes the network more efficient. First, the network can balance the load across various pieces of equipment on a millisecond-by-millisecond basis. Second, if there is a problem with one piece of equipment in the network while a message is being transferred, packets can be routed around the problem, ensuring the delivery of the entire message.
Depending on the type of network, packets may be referred to by another name: frame, block, cell or segment. Most packets are split into three parts:
- Header: The header contains instructions about the data carried by the packet. These instructions may include:
  o Length of packet (some networks have fixed-length packets, while others rely on the header to contain this information)
  o Synchronization (a few bits that help the packet match up to the network)
  o Packet number (which packet this is in a sequence of packets)
  o Protocol (on networks that carry multiple types of information, the protocol defines what type of packet is being transmitted: e-mail, Web page, streaming video)
  o Destination address (where the packet is going)
  o Originating address (where the packet came from)
- Payload: Also called the body or data of a packet. This is the actual data that the packet is delivering to the destination. If a packet is fixed-length, then the payload may be padded with blank information to make it the right size.
- Trailer: The trailer, sometimes called the footer, typically contains a couple of bits that tell the receiving device that it has reached the end of the packet. It may also have some type of error checking. The most common error checking used in packets is Cyclic Redundancy Check (CRC). CRC is pretty neat. Here is how it works in certain computer networks: It takes the sum of all the 1s in the payload and adds them together. The result is stored as a hexadecimal value in the trailer. The receiving device adds up the 1s in the payload and compares the result to the value stored in the trailer. If the values match, the packet is good. But if the values do not match, the receiving device sends a request to the originating device to resend the packet.
Each packet's header will contain the proper protocols, the originating address, the destination, and the packet number (1, 2, 3 or 4 since there are 4 packets). Routers in the network will look at the destination address in the header and compare it to their lookup table to find out where to send the packet.
Once the packets arrive at their destination, the computer will strip the header and trailer off each packet and reassemble the e-mail based on the numbered sequence of the packets.
2.2.3 Transmission Control Protocol (TCP)
The Transmission Control Protocol (TCP) is a reliable, connection-oriented protocol. Computers that communicate using this type of protocol must establish a mutual connection between them and keep the two-way conversation alive to ensure full data connectivity (Behrouz A. Forouzan, 2003). TCP maintains the reliability of the data flow by implementing a flow control mechanism known as windowing or the sliding window. This mechanism prevents the sender from overwhelming the receiver with packets or data that cannot be stored in the receiver's memory. In addition, TCP uses acknowledgements to ensure that the data the sender sends reaches the receiver side safely. A TCP packet looks like this:

Source port address (16 bits)                          | Destination port address (16 bits)
Sequence number (32 bits)
Acknowledgement number (32 bits)
Header length (4 bits) | Reserved (6 bits) | Control (6 bits) | Window size (16 bits)
Checksum (16 bits)                                     | Urgent pointer (16 bits)
Options and padding

Table 1: TCP Packet Format
The segment consists of a 20-60 byte header, followed by data from the application program. The header is 20 bytes if there are no options and up to 60 bytes if it contains options. The meaning and purpose of these header fields are:
Source port address: This is a 16-bit field that defines the port number of the application program in the host that is sending the segment.
Destination port address: This is a 16-bit field that defines the port number of the application program in the host that is receiving the segment.
Sequence number: This 32-bit field defines the number assigned to the first byte of data contained in this segment. The sequence number tells the destination which byte in this sequence comprises the first byte in the segment.
Acknowledgment number: This 32-bit field defines the byte number that the receiver of the segment is expecting to receive from the other party.
Header length: This 4-bit field indicates the number of 4-byte words in the TCP header.
Reserved: This is a 6-bit field reserved for future use.
Control: This field defines control bits to enable flow control, connection establishment and termination, connection abortion and the mode of data transfer in TCP.
Window size: This field defines the size of the window, in bytes, that the other party must maintain.
Checksum: This 16-bit field contains the checksum; the inclusion of the checksum in TCP is mandatory.
Urgent pointer: This 16-bit field, which is valid only if the urgent flag is set, is used when the segment contains urgent data.
Options: There can be up to 40 bytes of optional information in the TCP header.
2.2.4 User Datagram Protocol (UDP)
The User Datagram Protocol (UDP) is a process-to-process protocol that adds only port addresses, checksum error control, and length information to the data from the upper layer. UDP transmits much less control information, and UDP packets are both simpler and smaller than TCP packets. It is connectionless and does not provide reliable transport. The User Datagram Protocol provides a mechanism for applications to send encapsulated raw IP datagrams without having to establish a connection. UDP gives an application direct access to the datagram service of the IP layer. (Cisco Networking Academy Program, 2nd edition. Cisco Press. 2001). The following list gives some uses of the UDP protocol:
- UDP is suitable for a process that requires simple request-response communication with little concern for flow and error control. It is not usually used for a process that needs to send bulk data, such as FTP.
- UDP is suitable for a process with an internal flow and error control mechanism. For example, the Trivial File Transfer Protocol (TFTP) process includes its own flow and error control.
- UDP is a suitable transport protocol for multicasting and broadcasting, since these capabilities are embedded in the UDP software but not in the TCP software.
- UDP is used for management processes such as SNMP.
- UDP is used for some route updating protocols such as the Routing Information Protocol.
A UDP packet looks like this:

Source port number (16 bits) | Destination port number (16 bits)
Total length (16 bits)       | Checksum (16 bits)

Table 2: UDP Packet Format
2.2.5 PORT NUMBER
Ports are transport layer (TCP and UDP) connection points numbered from 0 to 65,535. According to the Internet Assigned Numbers Authority (IANA) classification, the port space of 0 to 65,535 actually breaks down into three ranges. The first 1024 ports (0-1023) are system-reserved ports or well-known ports. They are used only by the system or root processes and by programs executed by privileged users. The next group of ports is called the registered ports. This group ranges from 1024 to 49151. The last group of ports ranges from 49152 to 65535. This group is referred to as the dynamic or private ports. Ports are used by the operating system to make connections to remote systems. Through ports, the system can identify which service it is requesting from another
system. There are many hundreds of TCP and UDP ports, but in this project we will implement the standard ports.
2.3 DIFFERENT APPROACHES TO SOLVE THE SIMILAR PROBLEM
This section briefly discusses the similarities and differences between related projects and our project.
2.3.1 Developing TCP/IP and UDP Traffic Monitoring Tool
This project was done by Rafiq B. Che Mat, CS 225, April 2005. The main objective was to develop a tool to monitor TCP/IP and UDP traffic. The implementation was done using a BASIC language (Visual Basic 6.0) program. The methodology used was analysis, design, implementation and testing. The difference from our project is that our tool is developed using PHP.
2.3.2 Network Traffic Monitoring Analysis-SITARA Quality of Service Works 5000TM
This research was done by Mashitah Bt. Mohd. Ghazali, CS225, May 2003. The background and objective was to analyse monitored network traffic by application or protocol: HTTP, FTP, Telnet, SMTPUDP and SMTPTCP. The finding of this project was that the best way to improve network performance is by implementing a Quality of Service solution.
2.3.3 Developing A Packet Capturing Program
This research was done by Norizah Bt. Hamzah in May 2001. Her project developed a program to capture packets from the network interface card and analyse some protocols such as ICMP, TCP and UDP. The difference from our project is that her packet-capturing program was written in the C language on the Linux Operating System platform.
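As an added illustration of the UDP header fields in Table 2 and the IANA port ranges of section 2.2.5 (example code written for this page, not part of the project's own Java monitor or PHP scripts): a small Python parser that takes a raw IPv4/UDP packet, extracts the addresses and ports that the monitoring tool records, validates the length and checksum fields, and classifies each port into its IANA range. The sample packet is constructed inline by build_ipv4_udp, a helper assumed here for testing.

```python
import socket
import struct

# IANA port ranges as described in section 2.2.5
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151
IPPROTO_UDP = 17          # protocol number of UDP in the IPv4 header


def port_class(port):
    """Classify a port number into the three IANA ranges."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


def ones_complement_sum(data):
    """16-bit one's complement sum used by the IP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                          # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                           # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src, dst, segment):
    """UDP checksum over the IPv4 pseudo-header and the whole UDP segment.
    src/dst are packed 4-byte addresses; the segment's checksum field must be zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, len(segment))
    csum = 0xFFFF ^ ones_complement_sum(pseudo + segment)
    return csum or 0xFFFF                        # a computed zero is sent as all ones


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Construct a sample IPv4/UDP packet (no link-layer frame) for testing."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", 0xFFFF ^ ones_complement_sum(ip)) + ip[12:]
    return ip + udp


def parse_ipv4_udp(packet):
    """Return the Table 2 fields (plus IP addresses) as a dict, or raise ValueError."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if proto != IPPROTO_UDP:
        raise ValueError("not a UDP packet (protocol %d)" % proto)
    ihl = (ver_ihl & 0x0F) * 4
    if ones_complement_sum(packet[:ihl]) != 0xFFFF:  # a valid header sums to all ones
        raise ValueError("bad IP header checksum")
    udp = packet[ihl:total_len]
    sport, dport, length, csum = struct.unpack("!HHHH", udp[:8])
    if length < 8 or length != len(udp):
        raise ValueError("UDP length field does not match the datagram")
    # RFC 768: a zero checksum means the sender did not compute one (IPv4 only)
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    checksum_ok = csum == 0 or csum == udp_checksum(src, dst, zeroed)
    return {
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "src_port": sport, "dst_port": dport,
        "src_class": port_class(sport), "dst_class": port_class(dport),
        "length": length, "checksum_ok": checksum_ok, "payload": udp[8:],
    }
```

A monitor such as the one described in this report would feed the bytes captured from the adapter (after the link-layer header) into parse_ipv4_udp and store the returned fields in its database.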
2.3.4 Developing Port Scanning Detector Program
This project was done by Muhammad Fendi B. Osman. The main objective of this project was to develop a host-based Port Scanning Detector Program that is able to detect various port scanning activities. The program was written in the C programming language and runs on the Linux RedHat 9.0 operating system.
2.4 CONCLUSION
In conclusion, the preliminary study performed before the research is important, as it provides the information needed in the next stage of designing the algorithm and detailing the problem scope. In this chapter, the information gathered about traffic monitoring tools, the problem scope and the parameters involved, and the past studies done in the problem area should lead to a better understanding of the problem. It also gives new ideas to be applied in this research.
CHAPTER 3 RESEARCH METHODOLOGY
3.1 INTRODUCTION
In order to accomplish this research, a sequence of methodologies is needed. It is crucial to organize the phases systematically, as this plays a vital role in ensuring that the process of finishing this project paper is well planned. Below is the list of processes involved in this research methodology.
3.2 RESEARCH METHODOLOGY
There are a few phases involved in this project:
- Data Collection
- Design and Development
  o Planning
  o Analysis
  o Design
  o Implementation
  o Testing
- Evaluation and Findings
Figure 3.1: Methodology Flow
3.2.1 Data Collection
Data collection is needed to gather information, including the literature review about the particular topic. Besides that, other approaches to solving similar problems are also found and used as references. All the data are collected from reference books and other sources such as the Internet. In addition, the latest software that can capture the data traffic