ONLINE TEST MONITORING TOOL USING KISMET (A PACKET SNIFFER)
Submitted September 2011, in partial fulfillment of
the conditions of the award of the degree [M.Sc. in IT]
POONAM SHAH
School of Computer Science
University of Nottingham
I hereby declare that this dissertation is all my own work, except as indicated in the text:
Date 07/09/2011
I hereby declare that I have all necessary rights and consents to publicly distribute this
dissertation via the University of Nottingham's e-dissertation archive.
1
Acknowledgements
I would like to express my thanks to my supervisor, Dr. Steven Bagley for his assistance, helpful
advice and encouragement throughout the project.
I would also like to thank my parents and my brother for their encouragement and support
throughout the Master’s program.
I would like to thank all my friends without whom I could not complete this project.
Abstract
The number of colleges and universities opting for online tests is increasing every day. An online test is an ideal way of evaluating students' performance in real time, and it lets students take the test on their own PC. There is, however, a real chance that students will cheat while taking the test, which is why it becomes essential to track student activities during an online test.
The main objective of this project is to allow students to take an online test with full internet access while still keeping an eye on them. Although they have internet access, they can and should use only the few sites recommended by the tutor and should not use any other search sites.
The application developed for this project can track a student's activity while they take an online test, using a packet sniffing tool. An application was developed on top of that tool which uses its functionality to generate notifications and logs. A mobile application was also designed for Android to deliver these notifications and logs to the professor's smart phone while he/she is walking around the examination hall. With this mobile application, the professor can also set and conduct exams remotely.
The application keeps track of all the websites accessed by students while they take the online test. It can notify the tutor when a student tries to cheat, either by opening a site that was not allowed or by connecting a new device to the network to look for answers.
Table of Contents
Acknowledgements 1
Abstract 2
Chapter 1 - Introduction 7
1. Introduction 7
1.1. Facts of Online Test 7
1.2. Research Motivation 8
1.3. Aim and objective 10
1.4. Dissertation Structure 10
1.5. Summary 11
Chapter 2 – Literature Review 12
2. Introduction 12
2.1. Type of Online Test 12
2.2. Various types of cheating that may occur in online test 13
2.2.1. Spyware Technique 14
2.2.2. Sniffers & other hacking techniques 14
2.2.3. Using Mac address changing software 14
2.2.4. Using proxy 15
2.2.5. Using IP address 17
2.2.6. Using forensics technique 17
2.3. Introduction to Sniffing 17
2.4. Packet sniffing 18
2.5. Types of packet sniffing 18
2.6. Different type of sniffing tools 19
2.6.1. Ethereal 19
2.6.2. TCPDump 20
2.6.3. NetStumbler 21
2.6.4. Kismet 23
2.7. Wireless Sniffing techniques 23
2.8. Related work 24
2.9. Summary 30
Chapter 3 – Design 32
3. Introduction 32
3.1. Approach 32
3.2. Development Tools 33
3.2.1. Kismet 33
3.2.2. .netxml file explanation 36
3.2.3. Wireshark 37
3.3. User Requirements 40
3.4. Software Design 41
3.4.1. User story 41
3.4.2. System Architecture 42
3.4.3. Class Diagram 46
3.4.4. ER Diagram 48
3.4.5. UI layout for the mobile application 49
3.5. Summary 51
Chapter 4 - Implementation 52
4. Introduction 52
4.1. Parsing files Package 52
4.1.1. ParseNetXmlFile 52
4.1.2. ReadFile 54
4.2. Online Test Monitoring Tool Package 57
4.2.1. Activities package 57
4.2.2. Services package 63
4.2.3. Database helper package 64
4.3. PHP Script 64
4.4. Packet analysis using wireshark 66
4.5. Summary 75
Chapter 5- Testing and Evaluation 76
5. Introduction 76
5.1. Testing Android Application 76
5.1.1. Student Details Icon 76
5.1.2. View Whitelist site 77
5.1.3. Delete Whitelist site 77
5.1.4. Student Logs Icon 78
5.1.5. Notification Screen 79
5.1.6. Help Screen 80
5.2. Further Research 81
5.3. Summary 83
Chapter 6- Conclusion 84
Benefits of the Research 84
Potential Limitations 85
Future Scope 85
Bibliography 87
List of Figures
Figure 2.1 Mac Address changing technique 15
Figure 2.2 Screen shot for setting proxy 16
Figure 2.4 Example of TCPdump packet capture 20
Figure 2.5 The main screen of NetStumbler 22
Figure 2.6 Netstumbler wardriving graph 22
Figure 2.7 System Architecture of SeCOnE 25
Figure 2.8 Configuration of the U-learning on Ubiquitous learning environment (ULE) 26
Figure 2.9 Student cheating by taking help from an outside resource 28
Figure 2.10 Students cheating being at a particular distance 28
Figure 2.11 Student trying to cheat by communicating with neighbor student 29
Figure 3.1 Kismet architecture 34
Figure 3.2 Kismet GUI screen 35
Figure 3.3 Adding source 35
Figure 3.4 Packet capturing screen 36
Figure 3.5 Card type information in .netxml file 36
Figure 3.6 Wireless network information in .netxml file 36
Figure 3.8 Wireshark filtering .pcapdump file 38
Figure 3.9 Online test monitoring development tools 39
Figure 3.11 MAC address notification 43
Figure 3.12 Displaying list of websites accessed by student 44
Figure 3.13 Class Diagram 46
Figure 3.14 Entity Relationship Diagram 48
Figure 3.15 Screen 1 & Screen 2 49
Figure 3.16 Screen 3 & Screen 4 50
Figure 3.17 Screen 5 50
Figure 4.1 SAXParser code 53
Figure 4.2 MacTable attributes 53
Figure 4.3 Output of ParseFile showing list of Mac address obtained 54
Figure 4.4 New array having list of student’s IP address 55
Figure 4.5 Output obtained from ReadFile 56
Figure 4.6 Relationship between StudentDetails and TextLogs table 56
Figure 4.7 Main menu screen 57
Figure 4.8 Help Screen 58
Figure 4.9 Adding list of sites screen 58
Figure 4.10 Add white listed sites screen 59
Figure 4.11 View Whitelist site 59
Figure 4.13 Student data 60
Figure 4.14 Php script for android application to fetch data from MySql 61
Figure 4.15 Android application establishing connection to MySql database 61
Figure 4.16 Screen displaying list of students detected cheating 62
Figure 4.17 List of websites viewed by student 63
Figure 4.18 Notification of new device joining the wireless network 64
Figure 4.19 Login screen of Computer security online test 65
Figure 4.20 Home page of online test 65
Figure 4.22 Wireshark screen displaying all protocols 67
Figure 4.23 Using display filter to get only HTTP protocol 67
Figure 4.24 Creating new capture filter 68
Figure 4.25 Selecting the new capture filter defined 68
Figure 4.26 Output after parsing .txt file 69
Figure 4.27 No localhost url observed 69
Figure 4.28 Using lo interface to capture localhost packets 70
Figure 4.29 Local host packets captured using lo interface 70
Figure 4.30 Using IP address to capture online test url 71
Figure 4.31 The result of log files obtained while giving online test and visiting other sites 72
Figure 4.32 List of student’s cheating in test 73
Figure 4.33 List of websites visited by student 73
Figure 4.34 Notification screen 74
Figure 5.1 Output for Student Data icon 76
Figure 5.2 Output for Add list Icon 77
Figure 5.3 Output screen after deleting the whitelist site 78
Figure 5.4 Output screen on click of Student Logs icon 79
Figure 5.5 Output screen on click of username kismet15 79
Figure 5.6 Notification screen 80
Figure 5.7 Help screen output 80
Figure 5.8 Lab experiment set up 81
List of Tables
Table 3.1 Logical data design specification for the database 48
Table 4.1 Logical data representation of database 64
Table 4.2 Summary of the test cases 75
Introduction
7
Chapter 1 - Introduction
1. Introduction
The primary goal of this project is to develop an application that a professor/tutor can use to monitor an online exam. The application should monitor the students' activities during the exam. Since students are allowed to open only certain websites, any other website that is opened is logged for that student and the professor is notified. The application also lets the tutor or professor receive notifications about student activity, taken from the log, on an iPad or mobile phone while the students are sitting the exam. This can be treated as the basic functionality of the project.
The goal stated above seems simple and straightforward. But, as we read further into this report, we will see that the project involved a lot of challenges.
In this section, a brief introduction to online tests is given first. The various challenges involved in online tests are then described and the motivation behind this project is highlighted. Next the scope of this project is defined and, finally, the dissertation structure gives a short description of all the following sections of this report.
1.1. Facts of Online Test
A test taken on a computer connected to a test server is called an online test, also known as Computer Assisted Assessment (CAA). This type of test is very fast and removes a lot of the problems that a paper based exam might have. With the advances in the internet and computers, the number of universities that encourage online tests is growing. It is an ideal way of evaluating students' performance in real time. It can return results to students very quickly if the exam is of the multiple choice type. It also lets students take the test on their own laptop.
An online exam can also be defined as a tool in which students answer their exam questions and submit those answers online. The submitted answers are then evaluated by a software tool and immediate feedback is available on submission.
Online examinations in an academic institute are conducted either over the internet or over an intranet. Such exams give students a limited time to answer the questions, and the exam is automatically terminated once that time has expired. Evaluation of such an exam can be either automated or manual, depending on the type of online exam.
There are many benefits to online tests, and the most important ones that influence the decision to use Computer Assisted Assessments (CAA) are as follows:
Using Computer Assisted Assessments, an exam takes less time to conduct. The exams are more efficient and fair. Much research and experimentation has gone into making assessment systems more robust, taking student performance into account.
Greater importance is given to the security of the exam when conducting Computer Assisted Assessments (CAA). Many universities express concern about cheating and other activities noticed in exams. Many technologies are used when designing such systems to prevent cheating and fulfil the universities' requirements.
Administrative tasks can be automated to reduce the pressure on university staff to monitor the exam. Various measures are taken to increase automation and reduce the administrative tasks for exams. This not only reduces the manpower required but also cuts the cost of maintaining the system (Nigavekar & Harris, 2010).
The online exam system can help students in many ways. Students can attend their classes and entrance exams on the same day, as they do not need to travel to different locations to take the exam. This automation and the other facilities available make it easier for the university and students to save time.
The most important benefit of online exams is that they are paper free. This saves a lot of paper and also spares students the trouble of an exam answer paper being lost or damaged, for example accidentally burned. It also helps the teacher by securing the exam paper so that it does not leak through the people who print the question paper.
The above features and advantages show that online exams are useful.
1.2. Research Motivation
The main motivation for using any online exam is fast, real time evaluation, which saves time. Professors and business employers prefer online tests because of this real time evaluation of performance and the time it saves. At the same time, however, an online test gives students a chance to cheat.
There are many ways in which a student can cheat in these online exams. Since students take the exam online on their own computer, it becomes very important to monitor their online activity, as there is a real chance that students will cheat while taking the test. Students can search for the answer to a question on the internet from the very computer on which they are taking the exam. This is where it is essential to track student activities, and much research has been done on preventing students from cheating while taking online tests.
In December 2010 a student at San Jose State University (California, USA) designed software that does the same thing, i.e. it tries to capture the students' activities while they are taking an online exam. This software was compatible only with Windows. The aim of that project was to develop such a tool using a client/server architecture (Anandan, 2010). The tool would display the student's hostname and the website visited during unauthorized web activity. The project was implemented using a Windy31 wireless USB router, and students had to connect to the wireless network it created in order to take the exam. It also required a lot of configuration on each student's laptop to run the tool, which is not feasible in a real environment (Anandan, 2010).
Restricting students to one particular wireless network for their exam could be problematic. The network could go down, a student might get disconnected from it, or there may be a limit on the number of people who can connect to the network. Due to these shortcomings, I am allowing the students to connect to the network using any OS on their laptop and connect to the test server. I would be using Kismet (an open source network sniffer) to add more functionality and enhance the efficiency of the software. By adding features such as allowing students to take the test on any operating system rather than only Windows, allowing students to connect to any wireless network in the college to take the exam, and allowing more students to take the online test at the same time, we can greatly improve the software's usability so that it could be used in any online exam on the college campus.
The report concentrates on preventing the various types of cheating observed in online tests. Students are normally more familiar with computers than the instructor, so they are smart enough to find answers using various cheating techniques.
Universities take various measures to prevent cheating when students are taking online tests. The software developed in this report helps the professor track students by sending notifications about such cheating to their mobile phones.
1.3. Aim and objective
The main objective of this project is to allow students to take an online test with internet access. Although they have internet access, they can and should use only the few sites recommended by the professor and should not use any other search sites. So students are allowed to access the internet, but only a limited set of sites. Students are also informed that they are being tracked via the monitoring tool and will be penalized for accessing sites other than those specified by the professor.
The monitoring tool should track the following student activities while they are taking the test:
It should keep a log of the various sites visited by each student while taking the online exam.
It should notify the tutor when a student tries to cheat by connecting a new device to the network. For example, if a student tries to connect to the internet through his/her iPad or mobile device, the tutor or examiner will be notified that a new device has connected to the network.
The monitoring tool is designed using Kismet, and the mobile application is designed for Android, to help the professor receive notifications and logs while he/she is walking around the examination hall. He can also conduct exams remotely through this mobile application.
The main approach of this monitoring application is to track students' activity during the online test using sniffing tools such as Kismet and Wireshark. If someone tries to cheat in the exam, the software notifies the professor.
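As an added illustration of the two checks described above (this is example code written for this page, not the dissertation's own Java or PHP), the following Python script parses a constructed Kismet .netxml detection run, flags client MAC addresses that are absent from a registered student roster (the "new device" notification), and reports the HTTP hosts each registered laptop contacted outside the tutor's whitelist (the site log). The netxml element names, the roster, the whitelist and the log entries are all assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the layout of a Kismet .netxml detection run.
# The element names follow Kismet's netxml format as understood here (an
# assumption, not a file from the dissertation). Two registered laptops and
# one unregistered phone are associated with the exam access point.
SAMPLE_NETXML = """<?xml version="1.0"?>
<detection-run kismet-version="2011.03.R2" start-time="Wed Sep  7 10:00:00 2011">
  <wireless-network number="1" type="infrastructure">
    <SSID><essid cloaked="false">ExamNet</essid></SSID>
    <BSSID>00:11:22:33:44:55</BSSID>
    <channel>6</channel>
    <wireless-client number="1" type="fromds">
      <client-mac>aa:bb:cc:00:00:01</client-mac>
      <ip-address ip-type="TCP"><ip-block>10.0.0.11</ip-block></ip-address>
    </wireless-client>
    <wireless-client number="2" type="fromds">
      <client-mac>AA:BB:CC:00:00:02</client-mac>
      <ip-address ip-type="TCP"><ip-block>10.0.0.12</ip-block></ip-address>
    </wireless-client>
    <wireless-client number="3" type="fromds">
      <client-mac>DE:AD:BE:EF:00:99</client-mac>
      <ip-address ip-type="TCP"><ip-block>10.0.0.40</ip-block></ip-address>
    </wireless-client>
  </wireless-network>
</detection-run>
"""

# Constructed roster: MAC addresses the students registered before the exam,
# mapped to their usernames (the dissertation keeps these in a MacTable).
ROSTER = {
    "AA:BB:CC:00:00:01": "kismet15",
    "AA:BB:CC:00:00:02": "kismet16",
}

# Constructed whitelist: the only sites the tutor permits during the test.
WHITELIST = {"onlinetest.example.edu", "docs.example.edu"}

# Constructed HTTP Host observations as (client ip, host) pairs, the kind of
# data a Wireshark capture filtered to HTTP would yield.
HTTP_LOG = [
    ("10.0.0.11", "onlinetest.example.edu"),
    ("10.0.0.11", "docs.example.edu"),
    ("10.0.0.12", "onlinetest.example.edu"),
    ("10.0.0.12", "www.google.com"),
    ("10.0.0.12", "en.wikipedia.org"),
]


def parse_netxml(xml_text):
    """Return {client_mac: {"ip", "bssid", "essid"}} for every wireless-client
    element in a Kismet netxml run. MACs are normalised to upper case so
    roster lookups do not depend on how Kismet or the admin wrote them."""
    root = ET.fromstring(xml_text)
    clients = {}
    for net in root.iter("wireless-network"):
        bssid = net.findtext("BSSID", default="").upper()
        essid = net.findtext("SSID/essid", default="")
        for client in net.iter("wireless-client"):
            mac = client.findtext("client-mac", default="").strip().upper()
            if not mac:
                continue
            ip = client.findtext("ip-address/ip-block", default="").strip()
            clients[mac] = {"ip": ip, "bssid": bssid, "essid": essid}
    return clients


def unregistered_devices(clients, roster):
    """MACs on the exam network that no student registered: the condition for
    which the tool raises a 'new device joined the network' notification."""
    return sorted(mac for mac in clients if mac not in roster)


def whitelist_violations(clients, roster, http_log, whitelist):
    """Map each student's username to the non-whitelisted hosts their laptop
    contacted. Traffic from an IP not tied to a registered MAC is reported
    under the bare IP so it is not silently dropped."""
    ip_to_user = {}
    for mac, info in clients.items():
        if info["ip"]:
            ip_to_user[info["ip"]] = roster.get(mac, mac)
    violations = defaultdict(list)
    for ip, host in http_log:
        host = host.lower().rstrip(".")
        if host not in whitelist:
            violations[ip_to_user.get(ip, ip)].append(host)
    return dict(violations)


if __name__ == "__main__":
    seen = parse_netxml(SAMPLE_NETXML)
    for mac in unregistered_devices(seen, ROSTER):
        info = seen[mac]
        print("NOTIFY: unregistered device %s (%s) on %s" % (mac, info["ip"], info["essid"]))
    for user, hosts in whitelist_violations(seen, ROSTER, HTTP_LOG, WHITELIST).items():
        print("LOG: %s visited non-whitelisted sites: %s" % (user, ", ".join(hosts)))
```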
1.4. Dissertation Structure
This dissertation is divided into several chapters. A brief description of each chapter follows:
The second chapter introduces the background on the types of online tests and the advantages of using them in educational institutes. A few of the challenges of conducting online tests are discussed. It also covers the various sniffing methods and the different tools available to sniff packets.
The next chapter takes a closer look at the two sniffing tools used in this project, i.e. Kismet and Wireshark. It also points out the various development tools used to implement the online test monitoring tool and describes the major tools used for developing the mobile application.
The fourth chapter discusses in detail how the software is implemented using various technologies. It gives a brief overview of the software packages used to carry out the monitoring of the online test.
Chapter 5 discusses the evaluation of the software through a handful of test cases. It also describes in detail the lab experiment set up that will be held in future for real time testing of the software.
The final chapter presents the various benefits of the tool designed, as discussed. It also highlights a few limitations of the tool and future work for making it more efficient.
1.5. Summary
This section of the report gives a brief overview of online tests and their benefits in today's world. The research motivation discussed in this section highlights the major challenges of conducting an online test when students are taking it on their own laptops. Lastly, the structure of the dissertation is briefly summarized.
Literature Review
12
Chapter 2 – Literature Review
2. Introduction
To design and implement a good online test monitoring tool, it is important to have background knowledge of the various components involved, such as the types of online test, sniffers and packet sniffing. This section discusses the types of online test, the various types of cheating observed in online tests, the concept of packet sniffing and the different tools used for packet sniffing. It also discusses the various methods used by different authors to prevent cheating in online exams.
2.1. Type of Online Test
There are different types of online test. Online tests can be categorized as those designed for administering formative tests, summative tests, or both. A test designed for a formative system should allow the tutor to give feedback to the student when a wrong option is selected, while a test designed for a summative one should be more secure, for executing proctored laboratory exams (Costagliola & Fuccella, 2009).
The functionality provided by general online test software includes various components, which are as follows (Costagliola & Fuccella, 2009).
Question Types: Different types of question are included in online tests. They can be multiple choice, selecting one answer from a few given choices, fill in the blanks, writing essays, writing a piece of code for programming, matching, ordering, etc. The number of question types included in the test, and the support for custom question types, make up the main component of the online exam.
Random question selection: Providing the facility to randomly select questions from the repository when designing tests makes a test more dynamic and adds to the strength of the overall exam.
Multimedia support: Support for multimedia files such as images and graphs when preparing the question repository is also an important component, as it gives students a good understanding of the questions.
Equations: Many subjects, such as maths and physics, involve the formulation of equations on which the student might be tested. Thus support for introducing equations into the questions is also an important component of the exam in various subjects.
Feedback: The possibility for students and the examiner to get and give instant feedback, immediately after the test or later via email, is also an important feature of an online test.
Literature Review
13
Proctored tests: Tools and security for executing laboratory exams are important for certain exams too.
Test analysis: Statistics on tests and on the questions asked in previous exams can also be beneficial; they can help students study the different topics of the subject based on the pattern of previous exams.
Standards: Support for standard online testing functionality (QTI and/or CMI).
Exam time: In almost all online exams, the test is made available to students at a specific time on a particular date.
Authentication: Designing a test and taking a test require different types of login, so different types of authentication are made available: separate logins for the student and for the system administrator who maintains the online test.
A large number of online examination tools are available on the market to help manage the whole test system.
Although many online exam packages exist, the three major components that require the most attention when administering an online examination are as follows (Gujarathi, 2010):
1. Creating a secure online exam, where the contents of the test are not disclosed to the
students until the exam starts.
2. Supervising, controlling and managing the online examination so that all students sit a fair exam with the same level of question difficulty.
3. Automated marking of the examination, so that students get their feedback instantly.
2.2. Various types of cheating that may occur in online test
The major issue with all these online assessments is that students may try to cheat to obtain marks. This discourages the students who study hard and take the online exam honestly. From a practical point of view, it is often easier for students to cheat in online exams. Many students know more about computers than the tutor and may know many potential ways of cheating using the computer. This raises serious issues for teachers, who should take measures to prevent it. Many methods of cheating have been observed; some are quite new, while others are increasingly automated and distributed. Countermeasures exist for some of these types of cheating, while others are unavoidable (Rowe, 2004).
The methods used by students to cheat in online tests are as follows:
2.1.1. Spyware Technique
Spyware is a type of malware which secretly installs itself on a computer and collects information about the user of that computer. Since its presence is hidden from the user, it can be used by students to look at how other students are responding to the questions during a test. It can also be used to spy on the tutor's or professor's computer, which might contain the exam questions they have set.
Such spyware can be installed secretly on a user's machine. It can also be installed on a shared network, and spyware such as keyloggers can secretly monitor other users. The main benefit of such software to the cheater is that the owner of the machine is not aware of the software installed: it is hidden from the user and difficult to detect. A student can thus steal test questions and perform well in the exam, or even try to sell them to other students (Rowe, 2004).
2.1.2. Sniffers & other hacking techniques
Students can also use sniffing to cheat in an online exam. They can use sniffers to capture the packets passing through the local network, which the tutor or fellow students may be using to set their passwords for the exam or to answer the questions. A captured password can be used to gain access to the tutor's machine, where the exam papers may be found. Students can also use hacking techniques to gain server and administrator privileges on the test server, which is as good as obtaining the tutor's password for the online test being set. Students do not have to be experts to perform such actions, as plenty of ready-to-use software exists to do these things for them. Even the installation instructions for this software are available on the web; students can download it and follow its simple installation and configuration instructions to attack a computer system (Rowe, 2004).
2.1.3. Using Mac address changing software
The MAC address is a unique value or ID associated with a network adapter. It is also known as the physical address or hardware address, and it uniquely identifies an adapter on a LAN. MAC addresses are 6 bytes, i.e. 12 hexadecimal digits, in length, and are written in the format "MM:MM:MM:SS:SS:SS" or "MM-MM-MM-SS-SS-SS".
The MAC address of a computer is stored by the server so that a computer on the network can be pinpointed. So if someone accesses a forbidden website with a fake MAC address and changes it back later, he or she cannot be tracked.
Although the MAC address is set at the hardware level, there are still ways to change the MAC address of a device. One example is Technitium MAC Address Changer, which lets a user change their MAC address and so hide their real identity. By using a MAC address changer, a student can try to access restricted computers and files and then become untraceable.
Figure 2.1 Mac Address changing technique
2.1.4. Using proxy
By using a proxy, internet traffic can be redirected through a specific router or computer. This method is very common and is used by many people to bypass the firewall and open blacklisted sites in colleges. By using a proxy, students can redirect their internet traffic through other computers or routers, find answers for the online exam, and then resume the exam through the original channel. It can be done in different ways; the common ways are to edit the Windows internet settings so that all traffic passes through a proxy server, or to use a VPN (virtual private network).
Figure 2.2 Screen shot for setting proxy
The diagram above shows the Internet Settings in the web browser where the proxy to be used for certain sites can be configured.
Figure 2.3 VPN Connection
The last and easiest method is using a free proxy. Some websites provide free proxy services, such as www.newip.us, which encode not only the URL but also the page content. Using these sites, a student can encode the whole page that he is browsing, and it cannot be tracked.
2.1.5. Using IP address
Every domain name on the internet is mapped to an IP address. Direct use of the IP address can bypass keyword filters. For example, if www.facebook.com is blocked by the router/proxy server through a keyword filter, it can still be accessed with http://66.220.158.47/.
2.1.6. Using forensics technique
Computer forensics is a branch of forensic science pertaining to legal evidence found in computers. The technique is used to examine digital media with the aim of finding relevant information. It is mainly used to investigate computer crime, but anyone with knowledge of it can use it to obtain information from any computer system. For example, students can use forensic examination tools to find out what data a computer holds. Even without special software such as a sniffer or a MAC address changer, they can easily track down all the activities of the tutor using computer forensics tools (Philipp et al., 2010). When a user logs off a computer, they leave a great deal of information behind from the time they were working on it. That information is left mostly in memory or on the disk they were working on, and it can easily be retrieved using built-in tools and free software. For example, an instructor working on an online test may leave the final version of the page being downloaded, with the answers, in the cache of their web browser. Even when the power is turned off, the cache remains on disk, and even if the files are deleted, the operating system keeps them in a "recycle bin" before deleting them permanently (Rowe, 2004).
The challenges described in this section are a few common types of cheating observed while students take online exams. To avoid such cheating, universities take various measures. The software developed in this project helps the professor track students by sending notifications to their mobile phone too.
2.3. Introduction to Sniffing
Sniffing is a technique used on any network to capture the data flowing through it. A sniffer is a tool which intercepts the packets travelling on the network and analyses their content, which can lead to a leak of important information if the packets are not encrypted. In networking protocols, the data transmitted is split into small packets, and the IP address of the destination computer is written in the header of each packet. The packets pass via routers and eventually reach the network containing the destination computer. As the packets travel to the destination computer, the network card in each computer examines the address in the header of each packet. If the destination address on a packet is the same as the IP address of the computer, the network card keeps the packet on the host computer. If the destination address on a packet differs from the IP address of the machine, that packet is rejected (King, 2002).
2.4. Packet sniffing
Packet sniffing is the process of monitoring packets passing through a network. A packet sniffer is a piece of software or hardware that can monitor all network traffic. Sniffers can capture all incoming and outgoing packets, whose contents include user names, passwords and other sensitive details. Most packet sniffers operate in stealth mode, meaning that they only listen to the packets passing on the network and record them. This way they remain passive yet capture all the packets. In theory it is impossible to detect such sniffing tools, as they are passive in nature; they can only be detected when they are not fully passive.
A packet sniffer works slightly differently from a normal host: rather than keeping only the packets whose address matches its own, it sets the network card into "promiscuous mode" and copies every detail of every packet that passes on the network. In short, this lets the packet sniffer listen to all the data traffic on the network to which it is attached, including details of interest to attackers, such as user names and passwords and any confidential data that is not encrypted. Network engineers use this technique to detect and diagnose network faults; hackers use it to analyse the confidential data flowing through the traffic (Spangler, 2003).
Sniffers can be used both to maintain networks and to attack them.
1. Commercial packet sniffers are used to manage networks.
2. Packet sniffers can also be used by attackers to gain unauthorized access to remote hosts.
2.5. Types of packet sniffing
There are mainly three sniffing methods, as described below (Spangler, 2003).
IP-based sniffing: This is the original way of sniffing packets. The network card is put into promiscuous mode and packets are selected by matching an IP address filter. This method can also work in a non-switched network.
MAC-based sniffing: This method also works by putting the network card into promiscuous mode. The packets are selected by matching a MAC address filter instead.
ARP-based sniffing: In this type of sniffing there is no need to put the network card into promiscuous mode, because the ARP packets are sent directly to the sniffing computer and the ARP protocol is stateless. This method is used in switched networks. The ARP cache of the hosts to be sniffed is poisoned so that, instead of sending their traffic directly to its destination, they send all packets to the sniffing host, which logs the traffic and captures the data in real time. This type of sniffing is also known as a man-in-the-middle attack.
2.6. Different type of sniffing tools
Various sniffer applications are used to trace the network communication between a client machine and a server, such as HTTP, LDAP or telnet traffic. Sniffing applications include open source tools, HTTP header sniffers, terminal sniffers and many others. Each sniffing application has its own interface and usability. The following sections identify a few commonly recommended sniffer applications and the advantages and disadvantages of each.
2.6.1. Ethereal
Ethereal is an open source network protocol analyzer, commonly known as a sniffer application. It can be used on operating systems such as Windows, Linux and Solaris.
A useful feature of Ethereal is "Follow TCP Stream", which filters the captured network traffic down to a single TCP conversation once the packets of interest have been identified. This strips away the other layers of network communication and tracks only the HTTP headers and content, which is very useful for quickly identifying and analysing a specific packet sequence. Additional features of Ethereal include capture filters and display filters (McRee, 2006).
A capture filter defines which packets are captured, and is set before sniffing starts. Ethereal can also be used for offline packet analysis: it reads capture files in formats such as tcpdump and pcapdump, which are loaded into Ethereal for offline analysis.
A display filter is applied after the packets have been captured, to filter them by category. Display filters limit what is displayed on the screen and can be modified based on the packets obtained after sniffing.
Three basic frames are displayed in the Ethereal GUI.
1. A packet-by-packet overview, showing information such as the source and destination IP address and the packet number observed on the network interface.
2. A packet breakdown, shown in the middle frame when a packet is highlighted in the top frame, displaying the network layers in the packet, such as the Ethernet, IP, TCP and other layers.
3. The final frame displays the raw data of the highlighted packet.
Overall, Ethereal is cross-platform, usable on both Windows and Linux, and is the most commonly used sniffing tool.
2.6.2. TCPDump
TCPdump was introduced in the early 1990s. It is a UNIX-based tool; a similar tool for Windows is called WinDump. It is used for packet sniffing and works along the same lines as Ethereal (Fuentes & Kar, 2005).
TCPdump is a network analyzer developed by Van Jacobson and is operated mainly through its command line interface. It analyses all the important network protocols, such as TCP, UDP, IPv4, ICMPv4, IPv6, ICMPv6, SNMP, etc.
Figure 2.4 below shows an example TCPdump capture (Fuentes & Kar, 2005).
Source: (Fuentes & Kar, 2005)
Figure 2.4 Example of TCPdump packet capture
In the figure above, the bold-face letters indicate the timestamp: 15:14:54.281059 corresponds to 15:14 and 54.281059 seconds.
If the frame is an IP datagram, tcpdump displays the source and destination information of the packets being transferred over the network.
Here 10.0.1.11.33129 means that the sender's IP address is 10.0.1.11 and its application port number is 33129, while 10.0.1.12 is the destination IP address and the application port is ftp. The symbol "S" indicates a synchronization (SYN) packet.
In the sequence number field "2860245706:2860245706(0)", the first 10 digits, 2860245706, give the initial sequence number (ISN) and the 0 indicates that no data is carried in the packet.
The entry "win 5840 <mss 1460" gives the TCP window size, where 5840 bytes is the available TCP window and 1460 bytes is the maximum segment size.
The remaining "nop" entries on the line indicate no option.
Although tcpdump is a very powerful tool, as the explanation above shows its output is tedious to analyse. Simply typing the tcpdump command dumps all the traffic, much of which may not be of interest to the user. Filter expressions can limit the captured traffic to the data of interest, but writing them requires a lot of effort (Fuentes & Kar, 2005).
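To make the field-by-field reading above concrete, here is an added Python example (not from the dissertation or from Fuentes & Kar) that parses tcpdump's classic one-line TCP format into its components and pairs each SYN with the SYN/ACK that acknowledges ISN + 1. The first capture line is constructed to match the values quoted above; the SYN/ACK and ACK lines are assumptions made for the example.

```python
import re

# Classic tcpdump TCP line: time, src.port > dst.port: flags [seq(len)] [ack n] win n [<options>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP\s+)?"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\w+)\s+>\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dst_port>\w+):\s+"
    r"(?P<flags>[SFRP.]+)\s+"
    r"(?:(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<data_len>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
    r"(?:\s+<(?P<opts>[^>]*)>)?"
)


def parse_options(text):
    """'mss 1460,nop,nop,sackOK,wscale 0' -> {'mss': 1460, 'nop': 2, 'sackOK': True, 'wscale': 0}."""
    opts = {}
    for item in filter(None, (t.strip() for t in text.split(","))):
        name, _, value = item.partition(" ")
        if name == "nop":                       # "no option" padding, just count it
            opts["nop"] = opts.get("nop", 0) + 1
        elif value.isdigit():
            opts[name] = int(value)
        else:
            opts[name] = value or True
    return opts


def parse_line(line):
    """Return a dict of the fields explained in the text, or None if the line is not TCP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"],
        "src": (d["src_ip"], d["src_port"]),
        "dst": (d["dst_ip"], d["dst_port"]),
        "flags": d["flags"],
        "isn": int(d["seq_start"]) if d["seq_start"] else None,  # sequence number before ':'
        "data_len": int(d["data_len"]) if d["data_len"] else 0,  # the '(0)' part
        "ack": int(d["ack"]) if d["ack"] else None,
        "win": int(d["win"]),
        "options": parse_options(d["opts"] or ""),
    }


def find_handshakes(lines):
    """Pair each client SYN with the SYN/ACK whose ack number equals the client ISN + 1.
    Returns a list of (client, server, client_isn) tuples."""
    pending = {}                                # (src, dst) -> client ISN
    pairs = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or "S" not in rec["flags"]:
            continue
        if rec["ack"] is None:                  # plain SYN from the client
            pending[(rec["src"], rec["dst"])] = rec["isn"]
        else:                                   # SYN/ACK flowing the other way
            key = (rec["dst"], rec["src"])
            if key in pending and rec["ack"] == (pending[key] + 1) % 2**32:
                pairs.append((key[0], key[1], pending.pop(key)))
    return pairs


# Constructed capture: the SYN quoted in the text, then an assumed SYN/ACK and ACK.
CAPTURE = [
    "15:14:54.281059 10.0.1.11.33129 > 10.0.1.12.ftp: S 2860245706:2860245706(0) "
    "win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0>",
    "15:14:54.281523 10.0.1.12.ftp > 10.0.1.11.33129: S 1929481728:1929481728(0) "
    "ack 2860245707 win 5792 <mss 1460,nop,nop,sackOK>",
    "15:14:54.281601 10.0.1.11.33129 > 10.0.1.12.ftp: . ack 1 win 5840",
]

if __name__ == "__main__":
    for line in CAPTURE:
        print(parse_line(line))
    print("handshakes:", find_handshakes(CAPTURE))
```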
2.6.3. NetStumbler
This tool is designed specifically for the Windows operating system and works in the opposite way to Kismet. It detects wireless local area networks (WLANs) using 802.11b, 802.11a and 802.11g, and also provides RF signal information. NetStumbler sends a "probe request" every second and captures the responses, which carry useful information such as the Service Set Identifier (SSID) and the Media Access Control (MAC) addresses of the wireless networks in the vicinity. This type of sniffing is called active sniffing, because the probe requests sent to the wireless network can easily be identified and tracked. One drawback of NetStumbler is that it cannot identify hidden SSIDs. It can also be identified easily, as it sends a probe request to the network every second. However, it provides a very useful graphical representation of signal strength (shown in green) and noise ratio (shown in red) that helps in finding wireless LANs (Villegas, 2008).
Figure 2.5 below displays the main screen of NetStumbler.
Source: (Villegas, 2008)
Figure 2.5 The main screen of NetStumbler
Source: (Villegas, 2008)
Figure 2.6 Netstumbler wardriving graph
NetStumbler can even identify the location of WLANs using a GPS device. It creates a .ns1 file that can be imported into Microsoft's MapPoint software to display the wardriving results as a graph, as shown in Figure 2.6. NetStumbler sends broadcast probe requests to WLANs, and most access points respond to such broadcast requests by default. But some access points do not respond to such requests, and in those cases NetStumbler cannot detect them. Since NetStumbler cannot find wireless access points that are not broadcasting their SSID, another wireless sniffer, Kismet, can be used to overcome this drawback (Villegas, 2008).
2.6.4. Kismet
Kismet is an open source 802.11 wireless network detector and analyzer, sniffer and intrusion detection system. It works with any wireless card that supports raw monitoring (rfmon) mode and can sniff 802.11b, 802.11g and 802.11n traffic (Hurley, 2007). Kismet is extremely configurable: it can hop through all the channels and analyse the entire wireless environment, or it can be set to work on a single dedicated channel to analyse that channel's traffic. Unlike sniffing tools such as NetStumbler, Kismet is completely passive in operation. It identifies networks by collecting packets passively, detecting named networks, detecting hidden networks, and inferring the presence of non-beaconing networks from data traffic. Kismet is therefore undetectable while it is sniffing packets (Kershaw, 2009).
2.7. Wireless Sniffing techniques
Wireless technology refers to enabling two or more computers to communicate with each other over a wireless network rather than a wired cable; such networks are also called wireless LANs. A peer-to-peer or ad-hoc wireless network consists of several computers, each equipped with a wireless interface card; each computer can communicate directly with all the others and share files and printers connected to the network. A wireless network can also use an access point, or base station, which acts as a hub providing wireless connectivity to the computers. Wireless LANs can also be connected to a wired LAN using a bridge. Wired networks can be sniffed easily, unlike wireless networks (King, 2002).
In a shared (wired) environment, sniffing is easily achieved by putting the network card into promiscuous mode and using a sniffing tool such as Wireshark to capture the packets flowing on the shared network. Even in a switched environment, sniffing is possible by using a man-in-the-middle attack. Common techniques are ARP spoofing, MAC flooding, MAC duplicating, ICMP redirection, DHCP spoofing and port stealing.
In both shared and switched environments it is easy to run a packet sniffing tool and start collecting packets from the network for analysis. Wireless analysis, however, is more complicated: the sniffing procedure requires additional decisions to best support the analysis to be performed, and the sniffing station must be equipped with appropriate hardware and software.
Hardware requirements:
The hardware requirements depend on the wireless network interface card (CF, PCI, USB, PCMCIA or on-board wireless NICs/chipsets). Depending on the device drivers and the capability of each chipset, the software required may differ. Suppose Kismet (http://www.kismetwireless.net) is used as the sniffing tool and Ethereal (http://www.ethereal.com) to analyse the sniffed packets. Kismet works with any wireless card that supports raw monitoring (rfmon) mode, and for other operating systems such as Mac OS X and OpenBSD it includes a "detection selection" of cards. If a GPS is available, Kismet can also log the location at which packets were captured; it comes with "gpsmap" to plot the data graphically on downloaded maps.
Normally the wireless NIC is in its ordinary mode for sending and receiving packets, and will not pick up any packet other than those destined for itself unless it is placed in rfmon mode. The only problem with Kismet is that on Windows it is difficult to get the wireless NIC into rfmon mode, as Win32 drivers do not support rfmon mode by default.
2.8. Related work
Various processes have been implemented to detect cheating in online exams. Costagliola et al. (2009) aim at recording students' habits during online tests without informing them, so as to capture realistic behaviour. The report also discusses aspects of cheating detection. The ultimate aim of the project was to present an approach and a system that lets the tutor monitor learners' strategies during online tests; the results are presented as charts using a log analyzer. Deeper exploration of cheating detection is mentioned as future work. Eplion and Keefe (2005) take a few steps to minimize cheating, aiming to reduce its impact by taking various cheating aspects into account in online tests. They limit the time allowed for each question, for example 45 seconds per question, to keep students engaged in the test, i.e. they time the test. Even the order of the exam questions is scrambled, to prevent students asking each other the answers to common questions.
Castella-Roca et al. (2006) present a secure e-exam management system based on cryptographic protocols that offers high security for all exam stages. It covers aspects such as authenticity, privacy, correction and secrecy. The exam is conducted in a supervised area, where the student uses a computer to take the exam. Further research is mentioned in which students would be allowed to take exams in a less restricted environment.
Pan et al. (2004) use distributed firewall techniques to control the network packets of all machines, and a centralized security policy to control the security policies of all machines. Since it uses a distributed firewall, security is the most important part of the project: it can be attacked by forging, duplication, distortion, etc., and a brute-force mechanism is used to prevent cheating through attacks such as forging. Future work aims at enhancing cheating detection in the form of logs.
The research by Jung and Yeom (2009) aims at monitoring students taking online tests remotely, where the proctor is not at the location where the examination is held. The paper aims at removing human presence completely from secure online exam management, using an enhanced security control system for the online exam (SeCOnE) based on group cryptography.
Cheating Prevention and Detection through E-monitoring
Source: (Jung & Yeom, 2009)
Figure 2.7 System Architecture of SeCOnE
The SeCOnE system adopts five methods to prevent and detect cheating.
1. A webcam is used to identify the student: the photo taken during the registration process is compared with the current webcam image for authentication, and the verified data is saved during the exam.
2. Continuous audio and video recording captures data while examinees take the test, and the data is saved during the exam. This is mainly done to reduce the chance of cheating while the exam is in progress and even after the exam.
3. Since every screenshot of a student is saved in parallel with the videos, it is easy for the proctor to determine exactly what an examinee is doing on his or her computer.
4. All ports except the one required for the online exam are disabled. This prevents the examinee from accessing the internet and avoids cheating through a fixed port. The only open port is used to send the IP address of the online exam client to the exam administrator.
5. All programs other than the online exam client are deactivated by controlling the input triggered by examinees.
In short, this method uses a webcam to capture examinees' activities, and all ports are disabled so that students cannot access the internet.
Sung (2009) aims at providing a u-learning environment to students using mobile phones, portable computers, PDAs and tablet PDAs. It has been developed to provide internet-based e-learning over wireless facilities, offering the anytime, anywhere concept of e-learning without requiring a permanent connection to a physical network.
Source: (Sung, 2009)
Figure 2.8 Configuration of the U-learning on Ubiquitous learning environment (ULE)
It uses seven phases for developing the framework, as listed below:
1. Input
2. Authentication
3. Distribution
4. Monitor
5. Gathering
6. Grading
7. Inquiry
Of these stages, the monitoring stage uses audio, video and chat to monitor the online exam. It includes three modes: synchronous, asynchronous and hybrid. The synchronous mode is mainly used to conduct online examinations, including examinations taken from a remote site, so it allows the student to take the examination anytime, anywhere, within a specified time limit. The system is designed to give students an interactive user interface, encouraging them to use it for learning purposes too.
Frandsen (2010) addresses cheating when students take online exams on their own laptops. When students are allowed to use their own laptop, the risk of cheating is the major issue to resolve, as it opens up new ways for students to cheat. The first half of the report concentrates on the different ways a student can cheat in an examination; the second half concentrates on finding solutions to prevent the cheating detected. The author uses directional antennas, triangulation and many small experiments to test the methods. Students are treated as the attacker in the network security model, and different types of attack are specified.
It includes cheating scenarios such as:
A student taking help from an outside resource. The outside resource may be a wireless access point providing internet access, or an expert hired to help in the examination.
Source: (Frandsen, 2010)
Figure 2.9 Student cheating by taking help from outside recourse
Students communicating with other students seated in the same examination hall at some distance from each other. This can include comparing answers, helping each other or discussing the exam questions.
Source: (Frandsen, 2010)
Figure 2.10 Students cheating being at a particular distance
Students communicating with a neighbouring student seated in the same examination hall. This is the same situation as above, where they communicate with each other but not with the outside world.
Source: (Frandsen, 2010)
Figure 2.11 Student trying to cheat by communicating with neighbor student
All three types of attack mentioned above are resolved using triangulation, a method of locating a particular student using triangle geometry. Using different types of antenna, the location of a transmitting wireless node can be determined.
After setting up the antenna and an external USB Wi-Fi card, the signal strength is measured using Linux. Kismet is used to capture packets, which it saves in .pcapdump format. Wireshark is used to filter the captured packets by the MAC address of the NIC, and the signal strength of each packet is stored in a file. The file is then opened in Excel to calculate averages and draw graphs accordingly.
Some software does take into account the security issues in online tests, such as Nottingham University's CourseMaster system. This system encrypts the traffic between the administrator and the server, and uses a "cross-checking session key system" to protect students' communication with the server from packet sniffing (Truong et al., 2002).
A few more issues are addressed by this software: for example, in HTML the answers to the questions can easily be viewed by clicking on "view source". Such issues are addressed by using more capable commercial software. The software also links dynamically to the marking software, so the computer can automatically mark the solutions using the same CourseMaster tool. The framework provides two main functions: conducting the exam online, and automatically marking the solutions (Higgins et al., 2002).
2.9. Summary
This section has given the background on online tests and the various types of cheating seen in them. It has also described the basics of packet sniffing and the different tools that can be used for sniffing packets. Each sniffing tool has its own properties: some can be used to sniff switched networks, while others can be used for sniffing wireless networks. The various approaches taken in the past to prevent cheating have also been discussed.
Design
32
Chapter 3 – Design
3. Introduction
This chapter describes the processes involved in designing the software. It starts by describing the primary approach used to build the software, giving a general overview. A brief description of the development tools used to implement the software follows. Finally, the software design is presented, taking into account the standard design process.
3.1. Approach
This section discusses the approach for building the application. The goal of the project is to build an online test monitoring tool which assumes that the students are taking the exam on their own laptops and are allowed to access only a few recommended websites. This monitoring tool should detect if any student tries to cheat. Students can cheat either by opening websites which are not allowed on their own laptop, or by using some other device to connect to the wireless network and open those websites. In either case they would be opening the restricted websites with some device.
So the main approach for making the Online Test Monitoring tool is:
1. To notify the tutor when a new MAC address has joined the network
2. To display log files with list of sites viewed by each student
This was achieved by sniffing packets on the network which the students use to take the test. Sniffing the packets is done using a tool called "Kismet". "Kismet", as described in the previous sections, is a wireless sniffer and IDS which can help in monitoring the wireless network used by the students to take the online test. Although "Kismet" can detect what an IP/MAC address is doing on the network, it cannot detect which IP/MAC address belongs to which student. This is where the login page of the online test plays an important role.
The login page of the online test designed for this project retrieves the IP and MAC address of the machine and associates them with the username of the student taking the exam. Thus we now have a mapping of which IP/MAC address belongs to which student, and the Kismet log files can specifically point to a student.
The above is done by inserting the MAC and IP address obtained from the login page into a MySQL database. This MAC address can later be retrieved from the database and compared against the ".netxml" file obtained from the Kismet tool, which has the list of all the "wireless clients" connected to that network. The IP address obtained from the MySQL database can also be matched with the IP addresses present in the logs obtained from Kismet. Since the log files from Kismet cannot be processed directly to obtain the IP address, we have to use another tool, "Wireshark", to read the log. It will then tell us the details of all the activities of every IP address. Based on the activities of every IP address, the list of websites viewed by each student can be extracted from the log files.
The data extracted from the two different files can then be displayed in the online test monitoring application. A new MAC address joining the network is displayed in the form of a notification, and the list of websites viewed by each student is represented in the form of a list view.
Hence, the preliminary approach taken is to use the wireless sniffing tool "Kismet" to capture packets, filter those packets using "Wireshark" and display the information in the tool.
3.2. Development Tools
3.2.1. Kismet
Kismet is an open source 802.11 wireless network detector and analyzer, sniffer and intrusion detection system. Kismet works with any wireless card which supports raw monitoring (rfmon mode) and can sniff network traffic types such as 802.11b, 802.11g and 802.11n. It can easily be configured to hop through all the channels and analyze the entire wireless environment. It can also be configured to work on only one dedicated channel in order to analyze the traffic of a single network (Haines et al., 2008).
Kismet is completely passive in operation, unlike other tools such as NetStumbler. It identifies networks by collecting packets passively: detecting named networks, detecting hidden networks, and inferring the presence of non-beaconing networks via data traffic. Kismet is also undetectable while it is sniffing packets.
Kismet has a distributed architecture. It comprises a server called "kismet_server" and a client component called "kismet_client" that can connect to many servers. There is also a drone component, which can be used to listen remotely on devices and send the traffic to the central server (Murray, 2009).
Source: (Murray, 2009)
Figure 3.1 Kismet architecture
Kismet is able to generate several log files such as ".dump", ".csv", ".xml", ".netxml", ".nettxt" and ".pcapdump".
Summary of the features of Kismet (Etter, 2002):
- It scans for wireless access points passively
- It can detect hidden access points that do not emit beacon frames; in short, it can detect "cloaked" access points
- It also provides GPS support to locate a particular access point
- It logs all the access point information in the form of log files (.csv, .netxml, .nettxt, .gps)
- All the raw data packets transmitted over the network are recorded in the .pcapdump file
- It also includes a "Kismet to CWGD" converter program and the gpsmap mapping program
Running Kismet (on Ubuntu 11.04)
1. If Kismet is not installed as root, then type the command "sudo kismet" in the terminal.
2. A GUI will open in the terminal, which will prompt the user to start the Kismet server; choose "Yes".
Figure 3.2 Kismet GUI screen
3. Next, it will prompt the user to "Add Sources". If you are not sure of the sources, you can use the "iwconfig" command to find them and add the source type. In this project we are using the wireless interface, so the source will be "wlan0".
Figure 3.3 Adding source
4. The sources also need to be defined in the "kismet.conf" file as follows, if the source is a wireless card:
"ncsource=wlan0:option1=foo, option2=bar"
5. Once the source is added, Kismet will start capturing packets as shown in figure 3.4 below:
Figure 3.4 Packet capturing screen
3.2.2. .netxml file explanation
When Kismet is run it generates a ".netxml" file which basically comprises three parts:
1. Wireless card type information
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE detection-run SYSTEM "http://kismetwireless.net/kismet-3.1.0.dtd">
<detection-run kismet-version="2011.03.R2" start-time="Sat Aug 13 17:50:38 2011">
<card-source uuid="5f97bfac-c5cc-11e0-8dae-49049a1ce201">
<card-source>wlan0:name=intel,hop=false,channel=11</card-source>
<card-name>intel</card-name>
<card-interface>wlan0</card-interface>
<card-type>mac80211</card-type>
<card-packets>12687</card-packets>
<card-hop>false</card-hop>
<card-channels>1,5,9,13,2,6,10,3,7,11,4,8,12</card-channels>
</card-source>
Figure 3.5 Card type information in .netxml file (this part of the XML informs about the card interface, the name of the card and the channel used)
This part of the XML gives the information of the wireless card of the computer running Kismet. In this case, wlan0 is the card interface and intel is the card name. The other information about the NIC card is shown in figure 3.5.
2. List of wireless network
<wireless-network number="1" type="data" first-time="Sat Aug 13 17:54:44 2011" last-time="Sat Aug 13 17:54:44 2011">
<BSSID>00:15:6D:A6:DA:9C</BSSID>
<manuf>UbiquitiNe</manuf>
<channel>0</channel>
<freqmhz>0 1</freqmhz>
<maxseenrate>0</maxseenrate>
<packets>
<LLC>0</LLC>
<data>1</data>
<crypt>0</crypt>
<total>1</total>
<fragments>0</fragments>
<retries>0</retries>
</packets>
<datasize>78</datasize>
<bsstimestamp>0</bsstimestamp>
<cdp-device></cdp-device>
<cdp-portid></cdp-portid>
<seen-card>
<seen-uuid>5f97bfac-c5cc-11e0-8dae-49049a1ce201</seen-uuid>
<seen-time>Sat Aug 13 17:54:44 2011</seen-time>
<seen-packets>1</seen-packets>
</seen-card>
Figure 3.6 Wireless network information in .netxml file (example of the list of wireless networks)
This part of the XML gives information about the list of wireless networks captured by Kismet, with the date and time of capture. It also provides information such as the BSSID and UUID of the network, whether the network is encrypted or not, etc.
3. List of wireless client connected
<wireless-client number="1" type="fromds" first-time="Sat Aug 13 17:54:44 2011" last-time="Sat Aug 13 17:54:44 2011">
<client-mac>00:19:99:36:18:26</client-mac>
<client-manuf>FujitsuTec</client-manuf>
<channel>0</channel>
<freqmhz>0 1</freqmhz>
<maxseenrate>0</maxseenrate>
<packets>
<LLC>0</LLC>
<data>1</data>
<crypt>0</crypt>
<total>1</total>
<fragments>0</fragments>
<retries>0</retries>
</packets>
<datasize>78</datasize>
<ip-address type="ARP">
<ip-block>172.16.3.1</ip-block>
<ip-netmask>0.0.0.0</ip-netmask>
<ip-gateway>0.0.0.0</ip-gateway>
</ip-address>
<seen-card>
<seen-uuid>5f97bfac-c5cc-11e0-8dae-49049a1ce201</seen-uuid>
<seen-time>Sat Aug 13 17:54:44 2011</seen-time>
<seen-packets>1</seen-packets>
</seen-card>
</wireless-client>
</wireless-network>
</detection-run>
Figure 3.7 Wireless client information in .netxml file (the wireless-client element indicates a wireless client connected to the network; client-mac is the MAC address of the client)
This part of the XML is of main interest for the application. It gives the list of wireless clients connected to the network.
As shown in figure 3.7, there is a wireless client number 1 connected to wireless network number 1. There can be many wireless clients connected to wireless network 1. The second highlighted part of the XML displays the MAC address of the wireless client connected to the network. This MAC address is of great interest from the point of view of detecting a new device connected to the network.
3.2.3. Wireshark
While capturing packets, Kismet also generates a ".pcapdump" file. This .pcapdump file contains the raw packets captured from the network. The information present in the .pcapdump file is not in a readable format, so the file is opened in Wireshark to analyze the data. Wireshark is used to filter the .pcapdump file and show the packet contents.
The diagram below shows the screen shot of the .pcapdump file opened in wireshark.
Figure 3.8 Wireshark filtering .pcapdump file
Wireshark is used to keep only the HTTP and TCP protocols by using a display filter. After filtering, the file is saved as a .pcap file. This .pcap file obtained from Wireshark is converted into a .txt file using tshark.
The following command is used to convert the .pcap file into a .txt file:
C:\>"c:\program files\wireshark\tshark.exe" -r "C:\Kismet-20110811-21-53-10-1.pcap" > "c:\studentlogs.txt"
All the above development tools can be summarized in the main building blocks of the online test monitoring tool. The diagram shown in figure 3.10 summarizes how the tool is structured to generate and read the log files.
With the help of the sniffing tools Kismet and Wireshark, the .netxml and .txt files are generated. These files are then parsed using a SAX parser and a file reader written in Java. The MAC addresses are obtained from parsing the .netxml file and the websites visited by each IP address are obtained from the .txt file. Both of them are then stored in a MySQL database.
Figure 3.9 Online test monitoring development tools
When students log in to the online test, their IP address and MAC address along with their username are also stored in the MySQL database. These stored values are then fetched by the Android application to display the useful information to the tutor. This information includes notifying the tutor about any new device connecting to the network and the list of websites visited by each student other than the ones recommended by the tutor.
(Figure 3.9 labels: Technology: Sniffing Tools, Java Technology, PHP pages, Android App)
3.3. User Requirements
This section discusses the research method which was used to evaluate the user interface design. A study was conducted in the form of interviews to collect the features desired by the users. The participants were chosen keeping in mind the usability of the tool. As this tool monitors cheating during online tests, the immediate users identified were the system administrator, students and the professor. There were 6 students, 1 system administrator and 1 professor who were interviewed. The interviews gave many useful inputs that helped to improve the design layout.
System Administrator:
The participant was the system administrator of the University of Nottingham. He is responsible for setting up the online exams for various modules such as programming. Online tests in this university do not allow internet access. It was observed that the system administrator has to ensure the confinement of the system so that students are unable to access any external information.
Student:
The participants in this category were excited to get an online test system with internet access. They were in agreement with having an online test in which one or two sites are allowed for reference. They argued that the concept of a blacklist of sites introduced in the layout was not a feasible feature, because there are hundreds of sites available and making the professor add all those sites would be an additional overhead.
Professor:
According to this participant, the overall technology used to implement this tool was exciting. He suggested that the log files obtained from Kismet must be presented to the professor after the completion of the test and not in the middle of it. This will help him to mark the students by referring to the log files obtained at the end.
These interviews helped in introducing a few more features to the tool, as mentioned below:
- Less overhead on the system administrator
- Introducing the concept of only whitelisted sites
- Presenting the log files to the instructor/tutor after the online test is completed
3.4. Software Design
In this section the user story was created to highlight the functionality of the monitoring application. Then the system was designed, which helped in deciding the architecture of the application. The application features were then broken down into classes and a class diagram was drawn, which is later used for writing the code. The database design for the application was also studied and an ER diagram was made. Then the layout of the Android application was designed and the various screens were mocked up as per the functionality desired.
3.4.1. User story
A user story is mostly used for making a just-in-time analysis of the software. It is a very high level definition of the requirement, containing the basic information needed for a reasonable estimate of the effort required to implement the software.
When an online exam is held in the lab or in the examination hall, the professor will inform students that they are allowed to view only a few sites. To design the system, the following states of the application were thought of:
- For example, if the Mobile Device Programming test is going on, then students are allowed to visit the site named "http://developer.android.com/index.html".
- Students will also be informed that they are being tracked, and if they visit any site other than the Android one then strict action would be taken against them.
- The professor will have the mobile application installed on his mobile phone to get notifications from the tool about any such activity by a student.
- There will be an online test login system which will allow all the students to log in to the system; in the backend, the MAC address and the login ID of the student associated with each computer will be stored in the database.
- The sniffing tool Kismet will be running on one of the computers and will track all the activities of the students on that network while they are taking the online test.
- While the exam is going on, if a student tries to connect to the internet via his/her mobile, then the professor will be notified that a new device has been connected to the network.
- If a student tries to access any site other than the one specified by the professor, the application will log the student's name into the log files. This will also notify the professor about such an activity by the student.
3.4.2. System Architecture
(Figure 3.10 components: Student 1, Student 2, Student 3; Laptop monitoring wireless traffic using Kismet; Log file received from Kismet; MySQL Database; Online Test Monitoring Tool; Android Application)
Figure 3.10 System Architecture
Description: Students will take the exam on their own laptops. They will log in to the online test system provided by the professor, which will store the MAC address and the username of the student in the database. One of the computers in the examination hall will have Kismet installed, which will log each and every activity of the students and also keep track of new devices connecting to the network. These log files would then be analysed by the designed application for results.
The analysis of log files generated from kismet can be divided into two parts
A. Notifying the tutor about the new devices joining the network
(Figure 3.11 components: Laptop running Kismet; XML File; Parsing XML file using SAX parser; Fetching MAC address from XML; MySQL; Polling MAC address from database at a certain polling interval; Sending notification to end user)
Figure 3.11 MAC address notification
The first part is to notify the professor about any new devices connected to the network while the examination is going on.
This part of the code is implemented as follows:
- The computer having Kismet installed will start capturing packets. Kismet generates a .xml file which contains the list of MAC addresses connected to the network.
- This .xml file is parsed using a SAX parser, and the MAC addresses retrieved after parsing the XML are stored in the MySQL database.
- These MAC addresses are inserted into the database every 5 minutes. So the entry of any new MAC address found in the XML is inserted into the database every 5 minutes.
- The Android application will then fetch the list of MAC addresses from the database using JSON.
- The database will be polled every 5 minutes to find new entries inserted into the database, using the notification scheduler.
- If a new entry is found, the notification service will notify the professor about the new device joining the network, with its MAC address.
B. Analysing Log files
Figure 3.12 Displaying list of websites accessed by student
In this second part, the aim is to analyze the log files and display the list of student logs. This student log comprises the username and the list of websites visited by each student.
The figure shown above displays the logic behind implementing the analysis of the log files.
- The login page of the online test will allow students to log in to the test, and in the backend the details of the students such as username, IP address and MAC address of the machine being used will be stored in a MySQL database.
- The JDBC interface is used to make a connection with the MySQL database. Once the driver for the MySQL server is installed, the Java application can communicate with the server and access the database.
- This Java class will then fetch all the student details present in the Student table and store them in an array.
- The text file obtained from Wireshark is then parsed to fetch the websites corresponding to each IP address. These values are also stored in the MySQL database, in the table named Text.
- Now the Android application will make a connection to the MySQL server.
- In order to fetch data from the MySQL DB, a PHP script is used to output the JSON file. The PHP script written will basically have the SELECT query "SELECT * FROM Student".
- The Android application then reads the JSON file using a BufferedReader and outputs the result.
- The result obtained from the database is then displayed in the Android activity using a list view.
3.4.3. Class Diagram
Figure 3.13 Class Diagram
The figure above shows an overview of the dependencies between the various classes in the Android project.
ParseFile.java and ReadFile.java are used for parsing the log files obtained from Kismet and Wireshark respectively.
The rest of the classes mentioned in the class diagram are part of the Android application, described as follows:
OnlineTestMonitoringActvity: This class is responsible for displaying the main screen to the user.
StudentDataActivity: This class is responsible for displaying student details such as username, IP address and MAC address of the machine.
StudentLogsActivity: This class is responsible for displaying the list of usernames caught cheating in the online test.
HelpActivity: This class displays the guidelines for using the application.
DBHelper: This class is responsible for creating the database to maintain student data.
AddlistActivity: This class allows the user to add the list of whitelisted sites.
NotificationService: This class is responsible for displaying the notification about a new MAC address joining the wireless network.
The classes mentioned above are the main classes of the application.
3.4.4. ER Diagram
In this section the structure of the tables present in the MySQL database is discussed.
Figure 3.14 Entity Relationship Diagram
Figure 3.18 shows the entity relationship diagram of the tables present in the online test database. A detailed description of each table is given in the table below:
Entity Name      Attributes      Data Type   Size   Description
Users            user_id         INTEGER     11     Primary key for user identification
                 username        VARCHAR     30
                 user_password   VARCHAR     40
                 user_regdate    INTEGER     11
MacTable         ID              INTEGER     11     Primary key of MacTable
                 mac_address     VARCHAR     40
StudentDetails   username        VARCHAR     40     Primary key for student identification
                 ID              INTEGER     40
                 ip_address      VARCHAR     40
                 mac_address     VARCHAR     40
TextLogs         ID              INTEGER     11     Primary key to identify each user
                 username        VARCHAR     40     Foreign key to StudentDetails
                 ip_address      VARCHAR     40
                 url             VARCHAR     500
Table 3.1 Logical data design specification for the database
3.4.5. UI layout for the mobile application
The screens shown below have been designed to make the application simple and interactive. Screen 1 is the menu screen of the online test monitoring tool; it comprises the following four functions.
Figure 3.15 Screen 1 & Screen 2
1. Add List Of Sites: This section allows the tutor to add the list of blacklisted and whitelisted sites.
2. Student's Data: This section allows the user to see the list of students taking the test along with their ID, IP address and MAC address.
3. Student Logs: This section allows the tutor to view the list of websites viewed by each student.
4. Help: This section has the information about how to use the application.
Screen 2 is opened when the user clicks on the "Add List Of Sites" button. It allows the user to add the whitelisted and blacklisted sites.
Figure 3.16 Screen 3 & Screen 4
Screen 3 is opened on clicking Add Whitelisted sites. The user can enter the list of whitelisted sites and click on the submit button. This adds the list of whitelisted sites into the database.
Screen 4 is opened on clicking Add Blacklisted sites. The user can add the blacklisted sites and click on the submit button to add the list to the database.
Figure 3.17 Screen 5
Screen 5 is displayed when the user clicks on the Student Logs icon in the main menu. This screen displays the list of usernames of the students who were cheating in the exam.
Figure 3.18 Screen 6 & Screen 7
Screen 6 is displayed when the user clicks on one particular username, e.g. pxs00m; this screen basically gives the list of sites visited by the student while taking the online test.
Screen 7 is opened on clicking the Help button in the main menu. These screens display all the information about using the tool.
3.5. Summary
This section discussed the features and properties of the sniffing tools Kismet and Wireshark used to get useful data related to the online test. The study conducted in the form of interviews shows how the features of the tool were decided. Finally, the different software design techniques were used to find out the challenges that may be encountered while developing the software.
Implementation
52
Chapter 4 - Implementation
4. Introduction
This section of the report discusses the implementation of the application developed. The basic functionality of each class is discussed in this chapter. The steps of implementation are:
- Kismet was installed and configured on one of the systems. It was started to capture the packets flowing in the network
- The students were then allowed to join the network and log in to the test server
- After login the students were given instructions to use only a few sites
- The test began and the application started recording all the data
- The XML files generated were parsed to generate reports.
The various packages used in the project are described as follows:
4.1. Parsing files Package
This package contains the main program for parsing the files. A class-by-class description is
given for all the files in the parser package as follows:
4.1.1. ParseNetXmlFile
This class resides under the package named com.pxs00m.parsefile. The .netxml generated
from Kismet in real time is parsed by this class. The main functionality of this class is as follows:
1. To parse .netxml file and extract Mac addresses from the file
2. Connect to MySql database ’OnlineTest’
3. Insert Mac address obtained after parsing into the table ’MacTable’
4. Avoid duplication of data while inserting
Explanation:
The .netxml obtained from Kismet comprises a node element called client-mac which contains the MAC address of a wireless client connected to the network. The function getMacAddress() returns the list of MAC addresses in the form of a string array.
The .netxml file is parsed using a SAX parser that reads the XML formatted data into Java objects.
A SAX parser is used because it has a smaller code size and memory footprint compared to a DOM parser. It also uses an event driven mechanism for processing the XML file, which means it does not need to load the entire XML tree into memory and the XML is parsed in sequential order (Choi, Hong, & Ju, 2003). An example of parsing is shown below:
import java.io.File;
import java.util.ArrayList;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Note: this snippet uses the JAXP DocumentBuilder (DOM) API rather than a SAX handler.
// The list is created once, before the loop, so that every MAC address is kept.
public ArrayList<String> db_results_xml = new ArrayList<String>();
DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
// The .netxml declares an external DTD (kismet-3.1.0.dtd); do not fetch it over the network.
docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
// File path that needs to be parsed
Document doc = docBuilder.parse(new File("Kismet-20110813-22-55-38-1.netxml"));
// normalize text representation
doc.getDocumentElement().normalize();
System.out.println("Root element of the doc is " + doc.getDocumentElement().getNodeName());
// Fetching total number of wireless clients connected
NodeList listOfMac = doc.getElementsByTagName("wireless-client");
int totalMacAddress = listOfMac.getLength();
System.out.println("Total no of MAC Address : " + totalMacAddress);
for (int s = 0; s < totalMacAddress; s++)
{
    Node clientNode = listOfMac.item(s);
    if (clientNode.getNodeType() == Node.ELEMENT_NODE)
    {
        Element clientElement = (Element) clientNode;
        // Fetching the MAC address of the client, e.g. 00-B0-D0-86-BB-F7
        NodeList macList = clientElement.getElementsByTagName("client-mac");
        Element macElement = (Element) macList.item(0);
        NodeList textFNList = macElement.getChildNodes();
        String nodeValue = ((Node) textFNList.item(0)).getNodeValue().trim();
        db_results_xml.add(nodeValue);
    }
}
Figure 4.1 SAXParser code
The second method of the class, getConnection(), connects to the MySQL database using the JDBC interface.
Once the connection is established, using a PreparedStatement, the list of MAC addresses stored in an array is inserted into the MySQL database table named "mactable".
MacTable: PK ID, mac_address
Figure 4.2 MacTable attributes
Since the file is parsed in real time, the parsing of the file, getting the connection to the database and running the insert query on the database are executed in a thread. The file is parsed every 5000 milliseconds to see if a new MAC address has joined the wireless network. This new address needs to be inserted into the database. A "for" loop is used in the run() method to perform all the necessary functions.
There is a chance that the same list of MAC addresses is inserted into the database more than once. This is not desired, as we need to insert only when a new MAC address is obtained from the file. This was handled by comparing the list of MAC addresses obtained from parsing the XML file with the one in the database.
The list of MAC addresses obtained after parsing the .netxml file is stored in a string array file_array[] and the list of MAC addresses obtained from the database is stored in a string array database_array[]. Every element of database_array[] is then compared against and removed from file_array[]. Now file_array[] will either be empty, if no new device has joined the network, or it will contain the list of all the new MAC addresses that have joined the network. These new MAC addresses are then inserted into the database. The insert query is only executed when the size of file_array is greater than zero, which means that only the new entries, if any, are inserted into the database.
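The following is an added example (not the dissertation's or Kismet's own code) of one polling round of the logic described above and of the .netxml parsing of section 3.2.2: a SAX handler collects every client-mac element from a Kismet .netxml document, and only the addresses absent from MacTable are inserted and returned for notification. It assumes an in-memory SQLite table standing in for the MySQL MacTable and a constructed .netxml sample in the shape of figures 3.6 and 3.7.

```python
"""Added example: parse a Kismet .netxml with SAX and insert only unseen client MACs.
The in-memory SQLite MacTable and the sample document are assumptions, not project code."""
import io
import sqlite3
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample in the shape of figures 3.6 and 3.7 (not a real capture).
SAMPLE_NETXML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE detection-run SYSTEM "http://kismetwireless.net/kismet-3.1.0.dtd">
<detection-run kismet-version="2011.03.R2" start-time="Sat Aug 13 17:50:38 2011">
<wireless-network number="1" type="data">
<BSSID>00:15:6D:A6:DA:9C</BSSID>
<wireless-client number="1" type="fromds">
<client-mac>00:19:99:36:18:26</client-mac>
<ip-address type="ARP"><ip-block>172.16.3.1</ip-block></ip-address>
</wireless-client>
<wireless-client number="2" type="tods">
<client-mac>00:1b:77:aa:bb:cc</client-mac>
</wireless-client>
</wireless-network>
</detection-run>
"""


class ClientMacHandler(ContentHandler):
    """Collects the text of every <client-mac> element, normalised to upper case."""

    def __init__(self):
        super().__init__()
        self.macs = []
        self._collecting = False
        self._buf = []

    def startElement(self, name, attrs):
        if name == "client-mac":
            self._collecting, self._buf = True, []

    def characters(self, content):
        # expat may deliver one text node in several chunks; buffer them.
        if self._collecting:
            self._buf.append(content)

    def endElement(self, name):
        if name == "client-mac":
            self.macs.append("".join(self._buf).strip().upper())
            self._collecting = False


def get_mac_addresses(netxml_text):
    """Return the distinct client MACs in document order (the page's getMacAddress())."""
    handler = ClientMacHandler()
    parser = xml.sax.make_parser()
    # The Kismet file declares an external DTD; never fetch it or any external entity.
    parser.setFeature(feature_external_ges, False)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(netxml_text.encode("iso-8859-1")))
    return list(dict.fromkeys(handler.macs))


def new_mac_table():
    """In-memory stand-in (assumption) for the MacTable (ID, mac_address) of Table 3.1."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MacTable (ID INTEGER PRIMARY KEY, mac_address VARCHAR(40) UNIQUE)"
    )
    return conn


def sync_new_macs(conn, netxml_text):
    """One polling round: file_array minus database_array, inserted and returned."""
    file_array = get_mac_addresses(netxml_text)
    database_array = {row[0] for row in conn.execute("SELECT mac_address FROM MacTable")}
    new_macs = [mac for mac in file_array if mac not in database_array]
    if new_macs:  # only run the INSERT when a device has actually joined
        conn.executemany(
            "INSERT INTO MacTable (mac_address) VALUES (?)", [(m,) for m in new_macs]
        )
        conn.commit()
    return new_macs


if __name__ == "__main__":
    conn = new_mac_table()
    print("new devices:", sync_new_macs(conn, SAMPLE_NETXML))
    print("second round:", sync_new_macs(conn, SAMPLE_NETXML))  # nothing new
```

Each new MAC address returned by sync_new_macs() is what the notification service would push to the tutor; the second call over the same file returns an empty list, which is the duplicate suppression the text describes.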
The screen shot of the output is as shown below:
Figure 4.3 Output of ParseFile showing list of Mac address obtained
Finally, the new addresses fetched by the application are notified to the user.
4.1.2. ReadFile
This class resides under the package named com.pxs00m.readfile.
Wireshark filters the .pcapdump file generated by Kismet and produces a text file. The class ReadFile is used to read this text file. The main functionalities of this class are as follows:
1. Read the IP address and the URL from the text file
2. Fetch the username of the student based on the IP address
3. Insert all the information into the MySQL database
Explanation:
The very first function of the class, named readFile(), reads the file using standard Java classes such as FileInputStream, DataInputStream, BufferedReader and InputStreamReader.
A List and a HashMap are used to store the data obtained from the text file. The main purpose of reading the file is to get the IP addresses and the URLs corresponding to each IP address. The study done on the text file from Wireshark shows that only the lines containing the "GET" keyword give information about the website being viewed by a student.
So, using the readLine() function, the lines containing the GET keyword are extracted. After these lines are extracted, the split() function is used to extract the IP address and URL. The IP address and URL are then stored in a HashMap. Then, using an Iterator, the IP address is stored in a string like this:
String IPAddress = iterator.next().toString();
while the URLs are stored in the form of a list corresponding to the IP address as follows:
List<String> url = (List<String>) map.get(IPAddress);
It extracts the URLs of only those IP addresses that are present in the StudentDetails table. The list of IP addresses is fetched by making a connection to the database, and this list is compared with the list of IP addresses obtained from the text file. Only the URLs corresponding to those IP addresses found in the database are considered.
The list of IP addresses obtained from the database is stored in an array Ip_address_array[]. The list of IP addresses obtained from reading the text file is stored in an array Ip_address_text[]. The following piece of code finds the IP addresses common to both arrays and extracts the URLs.
Figure 4.4 New array having list of student's IP address
This is how only the URLs of those IP addresses that belong to the students taking the online test are fetched from the text file.
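The following is an added example (not the dissertation's own code) of the ReadFile logic: it keeps the HTTP GET lines of the text that tshark prints, maps each source IP to the URLs it requested, restricts the result to the IPs of logged-in students, and flags requests outside the tutor's whitelist. It assumes tshark's default summary layout (No. Time Source -> Destination Protocol Length Info), constructed sample lines, and, because the summary shows only the request path, a whitelist keyed on the destination address that stands in for the allowed site.

```python
"""Added example: extract per-student URLs from tshark summary text and check a whitelist.
The sample lines, the student mapping and the whitelist are constructed assumptions."""
import re
from collections import defaultdict

# Constructed sample lines in tshark's summary layout (not a real capture).
SAMPLE_TSHARK_TEXT = """\
  1 0.000000 172.16.3.5 -> 74.125.230.1 TCP 74 49152 > 80 [SYN] Seq=0 Win=5840 Len=0
  2 0.012345 172.16.3.5 -> 74.125.230.1 HTTP 512 GET /index.html HTTP/1.1
  3 0.020000 172.16.3.7 -> 64.233.160.1 HTTP 480 GET /search?q=android+intents HTTP/1.1
  4 0.031000 172.16.3.5 -> 74.125.230.1 HTTP 498 GET /reference/android/app/Activity.html HTTP/1.1
  5 0.040000 172.16.3.9 -> 74.125.230.1 HTTP 470 GET /index.html HTTP/1.1
  6 0.052000 74.125.230.1 -> 172.16.3.5 HTTP 1514 HTTP/1.1 200 OK  (text/html)
"""

# Source, destination and request path of a GET summary line; the length column is optional.
GET_LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+HTTP\s+(?:\d+\s+)?GET\s+(?P<path>\S+)"
)


def parse_get_requests(text):
    """Map each source IP to the ordered list of URLs it requested.

    Only plaintext HTTP GET lines carry a request path in the summary; TCP handshakes,
    responses and any HTTPS traffic show no URL and are skipped, which is the limit of
    what this kind of log can reveal."""
    urls = defaultdict(list)
    for line in text.splitlines():
        m = GET_LINE.match(line)
        if m:
            # The summary shows the path only, so the destination address stands in for the host.
            urls[m["src"]].append("http://%s%s" % (m["dst"], m["path"]))
    return dict(urls)


def student_logs(urls_by_ip, students_by_ip):
    """Keep only IPs present in StudentDetails (the common-IP step), keyed by username."""
    return {
        students_by_ip[ip]: urls
        for ip, urls in urls_by_ip.items()
        if ip in students_by_ip
    }


def flag_off_whitelist(logs_by_student, allowed_hosts):
    """Return each student's requests whose host is not whitelisted; clean students are omitted."""
    flagged = {}
    for student, urls in logs_by_student.items():
        bad = [u for u in urls if u.split("/")[2] not in allowed_hosts]
        if bad:
            flagged[student] = bad
    return flagged


if __name__ == "__main__":
    # Constructed StudentDetails rows (ip_address -> username) and whitelist.
    students = {"172.16.3.5": "pxs00m", "172.16.3.7": "abc01x"}
    logs = student_logs(parse_get_requests(SAMPLE_TSHARK_TEXT), students)
    for name, urls in logs.items():
        print(name, urls)
    print("off whitelist:", flag_off_whitelist(logs, {"74.125.230.1"}))
```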
The screenshot of output is as shown in figure:
Figure 4.5 Output obtained from ReadFile
Now the function named insertIntoDatabase() will insert the following values in the table
named “TextLogs”:
username, ip_address and url.
The relationship of two tables is as shown below:
StudentDetails: PK username; ID, ip_address, mac_address
TextLogs: PK ID; FK1 username, ip_address, url
Figure 4.6 Relationship between StudentDetails and TextLogs table
username: is the foreign key of the TextLogs table and is related to the username field of the StudentDetails table. "username" is inserted into the TextLogs table by executing the query mentioned below (the placeholders are bound through the PreparedStatement):
INSERT INTO TextLogs (ID, username, ip_address, url) VALUES (?, ?, ?, ?);
The username is obtained by executing the following query:
SELECT username FROM StudentDetails WHERE ip_address = ?;
The rest of the fields, ip_address and url, are obtained by reading the text file as mentioned in the section above on ReadFile.
All the attributes are inserted into the TextLogs table using a PreparedStatement.
The challenging part of this class is fetching the list of URLs for a particular IP address based on the keyword GET. The two packages above describe how the files are parsed and the required data extracted.
The next section describes the challenges involved in displaying this data to a user with a tablet or an Android phone.
4.2. Online Test Monitoring Tool Package
4.2.1. Activities package
The online test monitoring tool is an Android application designed for Android smartphones. The application consists of several activities; the com.pxs00m.activities package comprises the activity classes listed below:
1. OnlineTestMonitoringActvity
This is the main activity, responsible for displaying the main menu of the Online Test Monitoring Tool to the user. It includes four icons: Add List of sites, Student Data, Student Logs and Help.
This activity also starts the NotificationService through an Intent as soon as the activity starts, so that the user receives a notification whenever a new wireless client joins the network.
The main menu screen is shown in the figure below.
Figure 4.7 Main menu screen
2. HelpActivity
This activity displays the Help screen to new users. It explains the basic steps that need to be carried out when the application is used. The text shown on the help screen is read from a text file stored in the res folder of the Android project.
Figure 4.8 Help Screen
3. AddListOfSitesActivity
This activity displays the menu for managing the list of sites. The user can click any of the buttons to perform the desired operation; the buttons are self-explanatory. For example, clicking "Add list of Whitelisted sites" lets the user add the sites that students are allowed to view, and the other buttons behave likewise.
Figure 4.9 Adding list of sites screen
4. AddWhitelistedSitesActivity
The main functionality of this activity class is to allow the user to add whitelisted sites. These sites are stored in the WhitelistSite table of the SQLite database named "OnlineTest". The data in this table is later used to display the list of students who were using sites other than the whitelisted ones.
The screenshot below shows how whitelisted sites are added:
Figure 4.10 Add white listed sites screen
5. ViewWhitelistedSitesActivity
This activity displays the list of whitelisted sites added by the user.
The main functionalities of this class are as follows:
1. Display the list in a ListView –
The ListView is declared in the layout. The WhitelistSite table is queried for all whitelisted sites inserted by the user and the result is stored in an array. The list is then displayed through setAdapter(), which binds the data to the ListView on the UI and produces a view for each whitelisted site in the data set.
Figure 4.11 View Whitelist site
The adapter uses the default layout provided by Android:
android.R.layout.simple_list_item_1
2. Allow the user to delete a particular site if needed –
This is achieved with setOnItemClickListener(), whose callback runs when an item in the AdapterView is clicked. On click, an alert dialogue box asks the user whether he or she wants to delete the record. If Yes is clicked, a delete query removes that record from the database.
Figure 4.12 Alert dialogue box to delete selected site
6. StudentDataActivity
This activity fetches student details from the StudentDetails table and displays them to the user in a ListView. The main challenge in displaying this information was establishing a connection to the MySQL database.
Figure 4.13 Student data
The Android application does not connect to the MySQL database directly (doing so would embed the database credentials in the app and expose the database port to every client). Instead a simple web service mediates: the application sends a request to the web service, which queries MySQL and returns the response. This is achieved with a PHP script acting as the web service, running on the same server as the database, in our case an Apache server. The data returned by the PHP script is encoded as JSON. Any such script should authenticate its caller and be served over HTTPS, since it returns student data to whoever can reach it. The PHP script used to query StudentDetails in the MySQL database is shown below:
Figure 4.14 Php script for android application to fetch data from MySql
This PHP script returns the content obtained from the database. The getConnection() method is responsible for requesting the PHP script shown in the figure.
The main problem encountered while making the connection was that the HttpPost class in the code below does not work with "http://localhost". Even when the server runs on the same machine as the Android SDK and on the same wireless network, the app cannot reach the Apache server this way, because localhost resolves to the phone or emulator itself rather than to the development machine. The IP address of the machine must therefore be written instead of "http://localhost". The code below establishes the connection to the MySQL database.
Figure 4.15 Android application establishing connection to MySql database
The highlighted text in the code above makes the connection. An InputStream reads the JSON-encoded data fetched by the HttpEntity; using a BufferedReader and a StringBuilder the output of the SQL query is assembled into a JSONArray. The username, ip_address and mac_address are then extracted and displayed on the screen in a ListView.
7. StudentLogsActivity
This is the most important activity of the online test monitoring tool. The class displays the list of students and the URLs each of them accessed while taking the online test.
The main functionalities of this class are as follows:
1. Establishing a connection to the MySQL database –
The connection is established in the same way as in the StudentDataActivity class, but this time the data is fetched from the table 'TextLogs'.
2. Storing the data obtained from the external database in the SQLite database –
The data obtained from the JSONArray is stored in the internal table named Logs, because the local table is easier to query. This class displays only the list of student usernames. When the user clicks a username, the user is routed to another activity, ListofSitesActivity, through an Intent; the chosen username is attached to the intent with putExtra("username", username).
3. Preventing duplication of data –
Every time the user clicks the Student Logs icon the fetched data would be inserted into the internal database again. To avoid this duplication the same logic as in section 4.1.1 is applied: if the array read from the internal database equals the array fetched from the external database, the internal table is emptied first, and the insert query is executed only when the size of the array is greater than zero.
Figure 4.16 Screen displaying list of students detected cheating
8. ListofSitesActivity
This class displays the list of web sites visited by a student. The username passed from StudentLogsActivity with putExtra() is read in this class from the Bundle returned by getIntent().getExtras(). Based on this username, the internal database table Logs is queried for the list of URLs. The advantage of keeping the data obtained from MySQL in the internal database is that the connection does not have to be made repeatedly.
Figure 4.17 List of websites viewed by student
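The local-copy-and-lookup logic of StudentLogsActivity and ListofSitesActivity (items 7 and 8 above), as an added Python example using the standard sqlite3 module; it is not the app's DBHelper or activity code. Instead of emptying and refilling the table to avoid duplicates, it gives the local table a UNIQUE key on the external TextLogs.ID and relies on INSERT OR IGNORE, so repeated syncs are idempotent. The rows are constructed stand-ins for what the PHP web service returns as JSON.

```python
"""Keep a local SQLite copy of TextLogs without duplicating rows on each sync.

Added example, not the app's DBHelper/StudentLogsActivity code.  It assumes the
external TextLogs rows arrive as (ID, username, ip_address, url), matching the
table layout described in the text; the rows below are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS Logs (
    ID          INTEGER PRIMARY KEY AUTOINCREMENT,
    external_id INTEGER NOT NULL UNIQUE,   -- TextLogs.ID on the MySQL side
    username    TEXT NOT NULL,
    ip_address  TEXT NOT NULL,
    url         TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS Logs_username ON Logs (username);
"""

# Constructed rows as they would come back from the PHP web service as JSON.
EXTERNAL_ROWS = [
    (1, "kismet16", "10.50.10.12", "http://10.50.10.160/exam/index.php?boxaction=quiz1"),
    (2, "kismet16", "10.50.10.12", "http://www.google.co.uk/search?q=buffer+overflow"),
    (3, "kismet15", "10.50.10.15", "http://www.android.com/"),
]


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def sync_logs(conn, rows):
    """Insert rows fetched from MySQL; return how many were actually new.

    The UNIQUE constraint on external_id plus INSERT OR IGNORE makes the sync
    idempotent, so clicking "Student Logs" twice cannot duplicate data and the
    table never has to be emptied and refilled.  Values are bound as
    parameters, never concatenated into the SQL string.
    """
    before = conn.execute("SELECT COUNT(*) FROM Logs").fetchone()[0]
    conn.executemany(
        "INSERT OR IGNORE INTO Logs (external_id, username, ip_address, url) "
        "VALUES (?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM Logs").fetchone()[0] - before


def flagged_usernames(conn):
    """Usernames for the StudentLogsActivity list (one entry per student)."""
    return [r[0] for r in conn.execute(
        "SELECT DISTINCT username FROM Logs ORDER BY username")]


def urls_for(conn, username):
    """URLs for ListofSitesActivity, looked up by the username from the Intent."""
    return [r[0] for r in conn.execute(
        "SELECT url FROM Logs WHERE username = ? ORDER BY external_id", (username,))]


if __name__ == "__main__":
    db = open_db()
    print(sync_logs(db, EXTERNAL_ROWS), "new rows on first sync")
    print(sync_logs(db, EXTERNAL_ROWS), "new rows on re-sync")
    for user in flagged_usernames(db):
        print(user, urls_for(db, user))
```

Keying on the external ID rather than on (username, url) keeps repeated visits to the same site as separate rows, which matters when the log is later split into per-answer segments.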
4.2.2. Services package
The com.pxs00m.services package comprises the service classes listed below.
1. NotificationScheduler
This class schedules an alarm that runs the NotificationService at a fixed interval, so that the service polls the database periodically. The scheduleAlarm() method sets the polling interval; in it the AlarmManager, obtained through ALARM_SERVICE, sets a repeating alarm that fires in the background.
The assumption is that for a one-hour online test the polling interval is set to 5 minutes, i.e. the NotificationService polls the MySQL database for new MAC addresses every 5 minutes. A new device is therefore reported up to 5 minutes after it joins; a shorter interval gives faster notification at the cost of more network traffic and battery use.
2. NotificationService
This class notifies the user when a new MAC address joins the wireless network.
Its main functionality is as follows:
1. Making a connection to the MySQL database
2. Notifying the user about the new MAC address.
The connection to MySQL is made in the same way as in the StudentDataActivity class, through a PHP script; the only difference is the script itself, which queries the table named "mactable" to fetch the list of MAC addresses. A notification is raised only when a MAC address not seen before appears in that list. The notification is shown below:
Figure 4.18 Notification of new device joining the wireless network
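The new-device detection behind the NotificationService, as an added Python example (not the project's ParseFile.java or NotificationService). It reads the client MAC addresses from a Kismet .netxml document and reports only those not seen on an earlier poll; the <wireless-client>/<client-mac> element names are assumed from the .netxml format Kismet newcore writes, and the two snapshots and their MAC addresses are constructed.

```python
"""Detect wireless clients that have newly joined, from Kismet's .netxml output.

Added example, not the project's ParseFile.java / NotificationService.  It
parses the <wireless-client>/<client-mac> elements that Kismet newcore writes
in its .netxml log (element names assumed from that format); the two
documents below are constructed snapshots of a file Kismet rewrites
periodically, and the MAC addresses are made up.
"""
import xml.etree.ElementTree as ET


def netxml(clients):
    """Build a minimal constructed .netxml document listing the given client MACs."""
    body = "".join(
        '<wireless-client number="%d" type="fromds"><client-mac>%s</client-mac>'
        "</wireless-client>" % (i + 1, mac)
        for i, mac in enumerate(clients)
    )
    return (
        '<?xml version="1.0"?>'
        '<detection-run kismet-version="2011.03.R2">'
        '<wireless-network number="1" type="infrastructure">'
        "<SSID><essid>ExamLab</essid></SSID><BSSID>00:1A:2B:3C:4D:5E</BSSID>"
        + body + "</wireless-network></detection-run>"
    )


SNAPSHOT_1 = netxml(["00:16:EA:12:34:56", "00:21:5C:AB:CD:EF"])
SNAPSHOT_2 = netxml(["00:16:EA:12:34:56", "00:21:5C:AB:CD:EF", "d8:a2:5e:00:11:22"])


def client_macs(netxml_text):
    """Return the set of client MACs (normalised to upper case) in a .netxml document.

    Only <client-mac> inside <wireless-client> counts; the access point's own
    <BSSID> is deliberately not treated as a joining device.
    """
    root = ET.fromstring(netxml_text)
    macs = set()
    for client in root.iter("wireless-client"):
        mac = client.findtext("client-mac")
        if mac:
            macs.add(mac.strip().upper())
    return macs


class NewClientMonitor:
    """Mirror of the 5-minute poll: report only MACs not seen on earlier polls."""

    def __init__(self, known=()):
        self.known = {m.upper() for m in known}

    def poll(self, netxml_text):
        current = client_macs(netxml_text)
        new = current - self.known
        self.known |= current          # remember everything seen so far
        return sorted(new)


if __name__ == "__main__":
    monitor = NewClientMonitor()
    print("first poll:", monitor.poll(SNAPSHOT_1))   # every client is new on the first poll
    print("second poll:", monitor.poll(SNAPSHOT_2))  # only the device that joined
    print("third poll:", monitor.poll(SNAPSHOT_2))   # nothing new
```

Seeding `known` with the MAC addresses already recorded in StudentDetails at login suppresses notifications for the examinees' own machines, so that only unexpected devices are reported.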
4.2.3. Database helper package
The com.pxs00m.dbhelper package comprises the class listed below.
DBHelper
The main functionality of this class is to create the database and its tables. It creates the database named OnlineTest with two tables, WhitelistSite and Logs. The attributes of each table are shown in the table below.
Entity name   | Attributes                            | Data type (size)                                       | Description
WhitelistSite | ID, sitename                          | INTEGER (11), VARCHAR (30), VARCHAR (40), INTEGER (11) | Primary key for sitename identification.
Logs          | username, ID, ip_address, mac_address | VARCHAR (40), INTEGER (40), VARCHAR (40), VARCHAR (40) | Primary key for user identification.
Table 4.1 Logical data representation of database
4.3. PHP Script
The online test framework used by students has a login feature in its interface. Its main role in this project is to associate a MAC address and an IP address with each student's username, which is done by retrieving the IP address and MAC address of the client in the backend when the student logs in to the test. (A web server can only learn a client's MAC address from its own ARP cache, so this works when the student's machine is on the same subnet as the test server.) The screenshot of the login page is shown below; it records the required information along with the student's username. The remaining pages of the online test, including the quiz, are the same as those of an ordinary online test used in any educational institution. The online test code written by Skudaev (2005) was used to test the online test monitoring application; its login page was modified to embed the code that obtains the IP address and MAC address of the student's machine. The login screen and home page are shown in figures 4.19 and 4.20. The purpose of using the online exam quiz was to test the application by answering some of the questions without referring to the internet and others by searching the internet.
Figure 4.19 Login screen of Computer security online test
Figure 4.20 Home page of online test
4.4. Packet analysis using wireshark
This section describes the experiments carried out with the software developed. A few tests were conducted to see how the data is displayed; the main screen of the software is the list of websites viewed by one student while taking the online test.
The data is captured step by step so that the data obtained from the log file can be analysed.
Test 1: In this test case data is captured while a few websites are visited in the browser, to see how the packets are captured and then represented in the text file.
Wireshark is used to collect the data on wlan0, sniffing the machine's own packets, and to analyse them. Wireshark captures by placing the NIC in promiscuous mode (Orebaugh et al., 2007). The capture options screen is shown below:
Figure 4.21 Capture options screen
The capture contains packets of all protocols, such as HTTP, TCP, DNS and ARP.
Figure 4.22 Wireshark screen displaying all protocols
In this file the only protocol of interest for analysis is HTTP. To simplify analysis of the data captured by Wireshark a display filter is used. A display filter, however, only restricts what is shown: when the capture is saved, all packets are written out even if only HTTP traffic is displayed.
Figure 4.23 Using display filter to get only HTTP protocol
A capture filter is different from a display filter: a capture filter uses BPF syntax (for example tcp port 80) and decides which packets are recorded at all, whereas a display filter uses Wireshark's own syntax (for example http) and decides which recorded packets are shown. To capture and save only HTTP-related packets, a capture filter is therefore needed.
The Capture filter screen shot is as shown in the screen shot below:
Figure 4.24 Creating new capture filter
Figure 4.25 Selecting the new capture filter defined
After the capture filter is selected, only HTTP packets, which are the ones of interest for the analysis of cheating, are captured while sniffing. Note that this only sees cleartext HTTP: requests to sites served over HTTPS are encrypted, so their URLs cannot be read from the capture. The captured packets are saved as a .pcap file and converted into a text file with the command below:
C:\>"c:\program files\wireshark\tshark.exe" -r "C:\TestCase.pcapdump" > "c:\test.txt"
In the text file the lines containing the "GET" keyword identify the websites the user requested. GET and POST are both HTTP request methods sent by the browser: a GET request fetches a page or resource (the URL the user navigated to), while a POST request submits data to the server, such as a completed form. To track the websites accessed by the user we therefore look for the GET keyword.
The result in the Android application is as shown in figure after parsing this particular file.
Figure 4.26 Output after parsing .txt file
Test 2: This test case checks which URLs are displayed while the online test is running in the browser. The interface used is the same as in test case 1, i.e. wlan0.
The packets captured are shown in the screenshot below:
Figure 4.27 No localhost url observed
As can be seen, no URLs related to the online test were captured. This is because packets to localhost never leave the machine through wlan0; they travel over the loopback interface, which must be captured instead.
Test 3: This test case captures the localhost packets of the online test running in the browser. To achieve this the loopback (lo) interface is selected in Wireshark. The screenshot is shown below.
Figure 4.28 Using lo interface to capture localhost packets
The drawback of capturing on the loopback interface is that none of the other HTTP traffic, which leaves the machine through wlan0, is captured.
Figure 4.29 Local host packets captured using lo interface
Test 4: This test analyses the packets of the online test when it is opened in the browser by its IP address (http://10.50.10.160/exam/index.php). The packets are captured again on wlan0 and are shown in the figure.
Figure 4.30 Using IP address to capture online test url
Test 5: In this test the online test website is opened in the browser and, while taking the test, a few of the questions are answered by searching the internet.
The packets captured and the file obtained are shown below:
Figure 4.31 The result of log files obtained while giving online test and visiting other sites (the annotations in the figure mark each answer as "Cheating detected" or "No Cheating detected")
A large amount of traffic is observed before one particular answer is submitted. A POST request is observed at the line "/exam/index.php?boxaction=quiz1 HTTP/1.1", many lines containing the "GET" keyword follow, and then the answer is submitted, which can be seen at the line
"POST http://10.50.10.160/exam/index.php?boxaction=savegrade HTTP/1.1"
If a question is answered without searching the internet, no GET keywords (other than requests to the exam server or whitelisted sites) appear between two consecutive POST requests to the URL http://10.50.10.160/exam/index.php?boxaction=savegrade.
The final output, reached by clicking the Student Logs icon in the Online Test Monitoring Tool Android application, is as follows:
Figure 4.32 List of student's cheating in test
Figure 4.33 List of websites visited by student
As seen in the figure, clicking on the username kismet16 shows the list of websites accessed by the student kismet16. The examination URL appears at serial number 7, and the URL at serial number 9 indicates that the student started cheating by opening the google.co.uk site.
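The answer-by-answer rule described for Test 5, as an added Python example (not the dissertation's code): a POST to the exam server with boxaction=savegrade closes an answer, and GET requests to hosts outside the whitelist between two such POSTs mark that answer as researched. The exam server address is the one used in the tests above; the whitelist contents and the request sequence for one student are constructed. The example goes slightly beyond the text by also reporting non-whitelisted requests made after the last submission, which the between-two-POSTs rule alone would miss.

```python
"""Split one student's request log into answers and flag the ones researched on
non-whitelisted sites.

Added example, not the dissertation's code.  EXAM_SERVER is the address from
the tests in this chapter; the whitelist and the request list are constructed.
"""
from urllib.parse import urlsplit, parse_qs

EXAM_SERVER = "10.50.10.160"
WHITELIST = {EXAM_SERVER, "www.android.com"}  # assumed contents of the WhitelistSite table

# Constructed capture-order request list for one student: (method, full URI).
SAMPLE_REQUESTS = [
    ("GET",  "http://10.50.10.160/exam/index.php?boxaction=quiz1"),
    ("GET",  "http://10.50.10.160/exam/style.css"),
    ("POST", "http://10.50.10.160/exam/index.php?boxaction=savegrade"),   # answer 1
    ("GET",  "http://10.50.10.160/exam/index.php?boxaction=quiz2"),
    ("GET",  "http://www.google.co.uk/search?q=buffer+overflow"),
    ("GET",  "http://en.wikipedia.org/wiki/Buffer_overflow"),
    ("POST", "http://10.50.10.160/exam/index.php?boxaction=savegrade"),   # answer 2
    ("GET",  "http://10.50.10.160/exam/index.php?boxaction=quiz3"),
    ("GET",  "http://www.android.com/reference/"),
    ("POST", "http://10.50.10.160/exam/index.php?boxaction=savegrade"),   # answer 3
    ("GET",  "http://www.bing.com/search?q=rop+chain"),                   # after the last answer
]


def is_whitelisted(host, whitelist=WHITELIST):
    """True for a whitelisted host or any subdomain of one (case-insensitive)."""
    host = (host or "").lower()
    return any(host == w or host.endswith("." + w) for w in whitelist)


def is_answer_submission(method, uri):
    """The savegrade POST to the exam server marks the end of one answer."""
    parts = urlsplit(uri)
    return (method == "POST" and parts.hostname == EXAM_SERVER
            and parse_qs(parts.query).get("boxaction") == ["savegrade"])


def analyse(requests, whitelist=WHITELIST):
    """Return [(answer_no, [offending GET URLs])], one entry per submitted answer,
    plus a final entry with answer_no None for requests after the last submission."""
    results, pending, answer_no = [], [], 0
    for method, uri in requests:
        if is_answer_submission(method, uri):
            answer_no += 1
            results.append((answer_no, pending))
            pending = []
        elif method == "GET" and not is_whitelisted(urlsplit(uri).hostname, whitelist):
            pending.append(uri)
    if pending:
        results.append((None, pending))
    return results


def cheated_answers(requests, whitelist=WHITELIST):
    """Answer numbers that had non-whitelisted GETs before submission."""
    return [n for n, bad in analyse(requests, whitelist) if n is not None and bad]


if __name__ == "__main__":
    for answer, urls in analyse(SAMPLE_REQUESTS):
        label = "after last answer" if answer is None else "answer %d" % answer
        print(label, "cheating detected" if urls else "no cheating detected", urls)
```

Because the check is per answer, the tutor sees which questions were looked up rather than only a per-student flag; the whitelist match accepts subdomains of an entry so that a recommended site's own static-content hosts do not count as cheating.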
The other important result obtained from this tool is the notification given to the instructor when a new device joins the network. This notification helps the tutor detect whether someone in the examination hall is trying to cheat, whether a student connecting to the internet with a mobile device or any other external device.
The screen shot of the notification is as shown below:
Figure 4.34 Notification screen
Testing and Evaluation
75
The table below summarises the final results achieved by performing the various test cases.
Test case | Description | Analysis of results | Steps to achieve better result
1 | Analysing packets captured by normally surfing a few websites | All protocols were observed in the Wireshark window. The name of the website being accessed was observed in the HTTP protocol. | Create a capture filter to capture only the HTTP protocol.
2 | Analysing packets by opening the online test in the browser | No packets related to the online test were observed. | Use the lo interface to capture localhost packets.
3 | Analysing packets using the lo interface | Only localhost websites were observed. | Use the wlan0 interface; open the test by IP address instead of localhost to see packets other than localhost.
4 | Analysing packets by opening the online test by IP address | Online test URLs were observed along with the IP address. | Create another test case to observe both the online test URLs and the other websites accessed.
5 | Analysing packets by opening the online test and other websites while answering the test | Online test URLs and the other websites accessed to answer the questions were observed. |
Table 4.2 Summary of the test cases
4.5. Summary
This chapter has described the basic functionality of each class in detail. The main purpose of the whole system is to analyse the log files and present them to the tutor in a simplified form. The log files must be able to show the amount of traffic flowing before one particular answer is submitted. The analysis of the log files was described step by step to arrive at the actual output.
Chapter 5- Testing and Evaluation
5. Introduction
This chapter describes the test cases used to test the software developed, and states a lab experiment for further analysis and evaluation of the tool.
5.1. Testing Android Application
5.1.1. Student Details Icon
To verify that the list of students taking the online test is displayed by this icon.
Steps
1. Start the Apache server
2. Open the online test URL: http://localhost:8080/onlineexam/login.php
3. Log in with the user ID kismet12 and the password root
4. Once logged in, run the Android application
5. Click on the Student Details icon
Output
The output screen is as displayed in the screen shot below:
Figure 5.1 Output for Student Data icon
The screen shown above shows the userid of the student and the ip address and the mac
address of the machine on which student is taking the online test.
5.1.2. View Whitelist site
The list of whitelisted sites entered by the user is verified on this screen.
Steps
1. Run the Android application
2. Click on the Add List icon in the main menu
3. Add a whitelisted site, e.g. www.android.com
4. Click on View Whitelist sites
Output
The output screen is shown in the screenshot below, which lists the whitelisted site entered by the user:
Figure 5.2 Output for Add list Icon
5.1.3. Delete Whitelist site
Deletion of a whitelisted site by the user is verified in this section.
Steps
1. Click on Add list icon
2. Click on view whitelist site
3. Click on the whitelist site displayed, one pop up will be displayed
4. Click on Yes
5. Again click on view whitelist site
Output
The output screen is as displayed in the screen shot below:
Figure 5.3 Output screen after deleting the whitelisted site
The screenshot shows that the whitelisted site has been deleted from the database.
5.1.4. Student Logs Icon
To check that the list of usernames accessing non-whitelisted sites is displayed on the Student Logs screen.
Steps
1. Open the online test website in the browser using the URL
"http://10.50.248.97/onlineexam/login.php"
2. Run Wireshark in promiscuous mode.
3. Log in to the online test with a username, say kismet15.
4. Answer the questions in the online test using the internet.
5. Stop Wireshark after 10 minutes.
6. Save the data captured by Wireshark in .pcap format.
7. Convert this .pcap file to a .txt file using tshark as discussed in section 3.2.4.
8. Read this .txt file to obtain the list of URLs corresponding to the IP address of the username kismet15 by compiling and running ReadFile.java.
9. Run the Android application and click on the Student Logs icon.
Output
The output screens are shown in the screenshots below:
Figure 5.4 Output screen on click of Student Logs icon
Figure 5.5 Output screen on click of username kismet15
Figure 5.4 displays the blacklisted username and figure 5.5 displays the list of websites opened by user kismet15 to answer the questions during the online test.
5.1.5. Notification Screen
This screen is used to test, if the new MAC address joining the network is notified to the user.
Steps
1. Run Kismet by putting NIC card in monitor mode
2. Compile ParseFIle.java for storing the list of Mac address joining the network
3. Run the android application
4. Use another laptop/mobile device to connect to the wireless network
5. The notification of the new mac address will be seen
Output
Figure 5.6 Notification screen
The screen shot above shows the new mac address joining the network.
5.1.6. Help Screen
To test, if the help screen is displayed on click of Help icon.
Steps
1. Run the android application
2. Click on Help icon
Output
Figure 5.7 Help screen output
5.2. Further Research
Figure 5.8 Lab experiment set up (participants 1 to 4 on their own laptops connected to a wireless router/access point; a laptop running Kismet, connected to the internet via Ethernet; the instructor with a tablet running the online test monitoring tool)
Due to time constraints and the unavailability of resources the lab experiment was not conducted. For further research and evaluation of the software developed, the lab experiment can be conducted as described below.
The aim of the study: The main aim of this experiment is to identify the participant who is
cheating while taking the online test, when they are allowed to access the internet.
Description:
The participants will be informed that it is a mock online test conducted for the purpose of testing the online test monitoring tool.
It is assumed that participants will take the online test on their own laptops. All participants will connect their machines to the wireless router, which has an internet connection. A mock online exam will be held in the lab, where the participants log in to the mock online test website with the username and password provided to them. The online test will have 20 questions based on the computer security module and will last 30 minutes.
There will be a laptop with Kismet installed. Because Kismet needs the wireless NIC in monitor mode, that interface cannot also be associated with the network, so the laptop connects to the internet through its other NIC, the Ethernet (eth0) interface.
It is important for this laptop to be connected for two reasons. First, the online test server resides on this machine, and the IP address and MAC address of each user are stored there once the participants log in to the online test. Second, the .netxml file generated at run time is processed on it to notify about new MAC addresses joining the network.
Kismet will monitor the traffic passing through the wireless router and track the activities of the participants while they take the online test. The participants will be allowed to refer to one website recommended by the instructor to answer the questions. Some participants will be instructed to "cheat" while taking the test and others to take it honestly. Those allowed to cheat will search the internet for answers; those taking the test without cheating will only refer to the recommended site. The participants will be informed that their activity is tracked while they take the test.
The Android application developed will be installed on a tablet that is used to track the activities of the participants. This is a mock online exam to test how cheating can be detected using Kismet. No personal data of the participants will be disclosed, and participants will read and sign the consent form provided before taking the online test. A sample consent form is attached in the appendix.
Expected results
The instructor, with the online test monitoring tool installed on his or her tablet, will receive a notification of each new wireless MAC address joining the network. After all participants have completed the online test, the log files generated by Kismet will be processed offline: they are filtered in Wireshark to keep only HTTP packets and then converted into a .txt file using tshark. After the offline analysis the instructor can see the list of participants who cheated in the exam, and the tool will display the list of URLs accessed by each participant while cheating.
5.3. Summary
This chapter has shown the outcomes of the software for each of the test procedures followed, and has described the resources and procedure involved in setting up the lab experiment to be held in future.
Conclusion
84
Chapter 6- Conclusion
Benefits of the Research
The online test monitoring tool gives the tutor a considerable advantage in monitoring an online test with little effort. It offers two main benefits: real-time notification, which helps the tutor identify new devices connecting to the network, and log analysis, which produces the list of students caught accessing non-whitelisted sites.
The tool also reduces the overhead on the system administrator and the tutor in setting up the online test. Students can take the online test while being allowed to access one or more reference sites. Because the monitoring tool is a mobile application, the tutor receives notifications and logs while walking around the examination hall, and it can also help the tutor conduct exams remotely. The report generated at the end makes it easier for the tutor to analyse the results and take appropriate action, and it gives detailed information on the activity of students who were dishonest in the exam.
The sniffing tools used for tracking student activity have their own advantages and disadvantages. Kismet generates a .netxml file containing the list of MAC addresses, which can be parsed in real time, whereas the .pcapdump file generated by Kismet is not in a human-readable format, which is where Wireshark is needed to filter the log file obtained from Kismet.
Various test cases were implemented to check the effectiveness of the tool. Wireshark was used to capture the various log files, which contain information about the different wireless networks. Examining the captured log files made it clear that only the HTTP protocol is of concern. The log files were then converted into text files to display only the useful information for each wireless client. The second part of the evaluation examined the tool's real-time notification: Kismet captures the list of wireless clients connecting to the network in real time, and at the same time the .netxml file written by Kismet is parsed, newly joined wireless devices are recorded and the user is notified.
Some of the challenging issues addressed by this tool are the following:
1. If someone changes the MAC address of their machine using the technique described in section 2.4.3, the tool will identify the new MAC address with the help of Kismet and notify its details. Once the student logs in to the online test, the MAC address notified earlier will be displayed on the student details screen.
2. Even if a student accesses websites through a proxy as described in section 2.4.5, the initial proxy URL used by the student, for example www.newip.us, will be captured by Kismet and the student's user ID will automatically be blacklisted together with the details of the websites accessed.
3. The forensics technique described in section 2.4.6 cannot be used, because the students take the online test on their own machines.
Potential Limitations
The most important limitation of this project is that the student website access log is not parsed at run time. The list of sites on the student logs screen is produced manually after the exam: the log file obtained from Kismet is processed offline for filtering and has to be converted into a .txt file using tshark, which is additional overhead for the administrator.
A large amount of traffic is recorded even when a student opens a single website, so filtering is essential to display the particular website accessed. The tool can only display the list of websites accessed by a student while cheating in the exam; it cannot take any action against the sites accessed during the exam.
The analysis of the software is also limited. A good understanding of the tool can only come from a live online examination held in the lab, and only after that experiment could the actual output and functionality of the tool be evaluated. Due to lack of resources and time it was not possible to conduct this experiment.
Future Scope
To conclude, it is essential to encourage instructors to take part in the evaluation of this tool. The benefits of online tests are plentiful, but only if the instructor and the system administrator are convinced of the accuracy of the tool in minimising cheating. By continuing to explore the types of traffic obtained from the sniffing tool, the problem of cheating can be reduced, and the results displayed can be improved through further evaluation of the software.
This dissertation has encouraged me to learn the various steps required to undertake an individual project, including researching the basics of packet sniffing, the steps required to design and implement the project, and finally the evaluation of the project to test the feasibility of the software developed. Overall, the project requirements are satisfied and the project has been successful in analysing the log files to detect cheating while students are taking the online test.
Bibliography
1. Anandan, S. (2010). Online Application Monitoring Tool. San Jose: San Jose State University
SJSU Scholar Works.
2. Castella-Roca, J., Herrera-Joancomarti, J., & Dorca-Josa, A. (2006). A secure e-exam
management system. First International Conference on Availability Reliability and Security
ARES06, 5-8.
3. Choi, M., Hong, J., & Ju, H. (2003). XML-Based Network Management for IP Networks. ETRI
Journal, 25, 450-451.
4. Cluskey, G., Ehlen, C., & Raiborn, M. (2011). Thwarting online exam cheating without proctor
supervision. Journal of Academic and Business Ethics, 1-6.
5. Costagliola, G., & Fuccella, V. (2009). Online testing, current issues and future trends. Journal
of e-Learning and Knowledge Society, V, 81-83.
6. Costagliola, G., Fuccella, V., Giordano, M., & Polese, G. (2009). Monitoring Online Tests
through Data Visualization. Knowledge and Data Engineering IEEE Transactions on, 21(6),
773,778,782.
7. Eplion, D., & Keefe, T. (2005). On-line Exams: Strategies to Detect Cheating and Minimize Its
Impact. New Albany: Indiana University Southeast.
8. Etter, A. (2002). A Guide to Wardriving and Detecting Wardrivers. SANS Institute, 8-9.
9. Frandsen, M. (2010). Detection of cheating when students use their own computers during
examinations. Denmark: Technical University of Denmark (DTU).
10. Fuentes, F., & Kar, D. (2005). ETHEREAL VS. TCPDUMP: A COMPARATIVE STUDY ON PACKET
SNIFFING TOOLS FOR EDUCATIONAL PURPOSE. Texas: Texas A&M University-Corpus Christi.
11. Gujarathi, D., & Gosai, P. (2010). ONLINE EXAMINATION SYSTEM. Retrieved July 11, 2011,
from Scribd: http://www.scribd.com/doc/24751893/online-examination-system-
Presentation
12. Haines, B., Thornton, F., & Schearer, M. (2008). Kismet Hacking. Massachusetts: Syngress.
13. Higgins, C., Symeonidis, P., & Tsintsifas, A. (2002). The Marking System for CourseMaster.
ITiCSE’02, 46-48.
14. Hurley, C. (2007). Penetration Tester's Open Source Toolkit. Burlington: Syngress Publishing,
Inc.
15. Jung, I., & Yeom, H. (2009). Enhanced Security for Online Exams Using Group Cryptography.
IEEE TRANSACTIONS ON EDUCATION, 52, 341-343.
16. Kershaw, M. (2009). Kismet Documentation. Retrieved July 11, 2011, from
http://www.kismetwireless.net
88
17. King, T. (2002). Packet Sniffing In a Switched Environment. Information Security, 1-6.
18. McRee, R. (2006). Security Analysis with Wireshark. ISSA Journal, 39-45.
19. Murray, J. (2009). An Inexpensive wireless IDS using Kismet and OpenWRT. SANS Institute,
8-9.
20. Nigavekar, A., & Harris, W. (2010). Examinations and the Role of Technology: Emerging
Directions. New Delhi: EDGE-ValueNotes.
21. Orebaugh, A., Ramirez, G., & Burke, J. (2007). Wireshark and Ethereal network protocol
analyzer toolkit. Massachusetts: Syngress Publishing, Inc.
22. Pan, C., Yang, K., & Lee, T. (2004). Secure Online Examination Architecture Based on
Distributed Firewall. IEEE Intenational Conference on e-Technology, e-Commerce and e-
Service, 533-536.
23. Philipp, A., Cowen, D., & Davis, C. (2010). Hacking Exposed Computer Forensics. United States
of America: Mc Graw Hill.
24. Rowe, N. (2004). Cheating in Online Student Assessment : Beyond Plagiarism. Online Journal
Of Distance Learning Administration, 7(II), 4.
25. Skudaev, S. (2005). Computer Programming Web programming Tips. Retrieved 08 11, 2011,
from Online Quiz Code Example in PHP: http://www.configure-all.com/fusebox.php
26. Spangler, R. (2003). Packet Sniffer Detection with AntiSniff. Wisconsin: University of
Wisconsin - Whitewater.
27. Sung, J. (2009). U-Learning Model Design Based on Ubiquitous Environment. International
Journal of Advanced Science and Technology, 77-86.
28. Truong, N., Bancroft, P., & Roe, P. (2002). A Web Based Environment for Learning to
Program. TwentySixth Australasian Computer Science Conference ACSC2003, 7.
29. Villegas, G. (2008). Analysis of Tool for conducting Wireless Penetrartion Testing. Texas:
Texas A&M University-Corpus Christi.