Software Monitoring Tool for IP Networks

Author: Opira M Alfonse

May 2007


Project Report in

Partial Fulfillment of the

Requirement for the Award of a

Bachelor’s Degree in Telecommunications Engineering

EE421 Individual Project

Author OPIRA MOSES ALFONSE

Reg. NO 03/U/405/GV

Supervisor MR. GEORGE WALIGO

Sign. ………….………… Date: ………...........

Coordinator MR. OKUONZI JOHN

Sign. ………….………… Date: ………...........

Head of Dept. MR. BUGA BEN

Sign. ………….………… Date: ………...........


DECLARATION

I, Opira Moses Alfonse, declare that this project is my original work achieved as a result of having made intensive research about software-based monitoring tools. This work has never been submitted in any academic institution for the award of a degree or anything else whatsoever.

I thus hereby present this project as consideration for the partial fulfillment of the award of a Bachelor's Degree in Telecommunications Engineering as my final year project.

Author:

OPIRA MOSES ALFONSE

B. Eng. Telecom. Eng. /IV

03/U/405/GV

Sign.……………………………

Date: ……………………………


APPROVAL

I hereby approve that Opira Moses Alfonse has solely undertaken the aforementioned project as partial fulfillment for the award of a Bachelor's Degree in Telecommunications Engineering, fourth year.

Internal Supervisor:

MR. GEORGE WALIGO

KYAMBOGO UNIVERSITY

Sign. …………………………. .

Date ……………………………

External Supervisor:

MR. LUBEGA AHMED

HUAWEI TECHNOLOGIES CO. LTD.

Sign. …………………………. .

Date ……………………………


DEDICATION

This project report is dedicated to my father, Mr. Moris Opira-P'oria, and mother, Mrs. Agnes Kaluba-Opira, for all the constant support and undying love they have always given me.

May the good Lord bless them abundantly!


TABLE OF CONTENTS

DECLARATION ........ V
APPROVAL ........ VI
DEDICATION ........ VII
TABLE OF CONTENTS ........ VIII
ACKNOWLEDGEMENTS ........ X
ABBREVIATIONS AND ACRONYMS ........ XI
LIST OF FIGURES ........ XIII
LIST OF SYMBOLS ........ XIV
LIST OF TABLES ........ XV
ABSTRACT ........ XVI

CHAPTER ONE ........ 1
INTRODUCTION ........ 1
1.0 Background to the Study ........ 1
1.1 Problem Statement ........ 2
1.2 Aim ........ 3
1.3 Objectives ........ 3
1.4 Significance of the Study ........ 3
1.5 Scope of the Study ........ 4
1.6 Methodology ........ 4
1.7 Summary ........ 5

CHAPTER TWO ........ 6
THEORETICAL BACKGROUND ........ 6
2.0 Overview of Network Monitoring ........ 6
2.1 Network Monitoring Parameters ........ 6
2.1.1 Importance of Bandwidth ........ 7
2.1.1.1 Bandwidth Measurements ........ 7
2.2 Network Monitoring Modes ........ 9
2.2.1 Passive Monitoring ........ 9
2.2.2 Active Monitoring ........ 9
2.3 Network Architectures ........ 9
2.3.1 Local Area Networks ........ 10
2.3.2 Wide Area Networks ........ 10
2.4 Network Models ........ 10
2.4.1 OSI Reference model ........ 10
2.4.2 TCP/IP model ........ 12
2.4.3 OSI Network Management model ........ 13
2.5 Network Protocols ........ 14
2.5.1 Layer 4 Protocols ........ 15
2.5.2 Layer 3 Protocols ........ 16
2.5.3 Layer 2 Protocols ........ 16
2.5.4 Layer 1 Protocols ........ 16
2.6 Port Numbers ........ 17
2.6.1 Well-known port numbers ........ 17
2.7 Data Encapsulation and Decapsulation ........ 18
2.7.1 Encapsulation/Decapsulation Process ........ 18
2.7.2 Ethernet Frame Structure ........ 19
2.8 Approaches to Network Monitoring ........ 20
2.8.1 Software-based Monitoring Tools ........ 20
2.8.2 Command-line utilities ........ 21
2.8.3 SNMP Approach ........ 22
2.9 WinPcap Architecture ........ 22
2.9.1 Structure of the Capture Stack ........ 23
2.9.1.1 Network Level ........ 23
2.9.1.2 Kernel-Level ........ 23
2.9.1.3 User-Level ........ 23
2.10 Application Programming Interface ........ 25
2.11 Summary ........ 25

CHAPTER THREE ........ 26
DESIGN AND IMPLEMENTATION ........ 26
3.0 Design Stages ........ 26
3.1 Dynamic Link Library ........ 26
3.1.1 Loading the Dynamic Link Library ........ 26
3.1.2 Getting Function Addresses ........ 27
3.2 Program Algorithm ........ 28
3.3 High-Level Programming ........ 29
3.4 Graphical User Interface ........ 29
3.4 Summary ........ 30

CHAPTER FOUR ........ 31
TESTING AND EVALUATION ........ 31
4.0 Test Bed Design ........ 31
4.1 Evaluation of Results ........ 32
4.1.1 Captured Devices ........ 32
4.1.2 IP Information ........ 33
4.1.3 Capture Statistics ........ 34
4.2 Applications ........ 34
4.3 Limitations ........ 35
4.4 Scheduling of Tasks ........ 35
4.5 Project Costing ........ 35

CONCLUSION ........ 36
RECOMMENDATIONS ........ 38
BIBLIOGRAPHY ........ 39
TEXTBOOK REFERENCES ........ 39
CATALOGUES ........ 39
TECHNICAL REPORTS AND JOURNALS ........ 39
MANUALS ........ 40
APPENDICES ........ 41
APPENDIX A: PROJECT COSTING ........ 41
APPENDIX B: WORK BREAKDOWN STRUCTURE ........ 42
APPENDIX C: TRACKING GANTT CHART ........ 43
APPENDIX D: WELL KNOWN PORT NUMBERS ........ 44
APPENDIX E: EXPORTED WINPCAP FUNCTIONS ........ 46


ACKNOWLEDGEMENTS

Works of this nature cannot be created in a vacuum, and I am indebted to a number of people for the help and support they have given me throughout the course of this project.

First and foremost, I wish to extend my sincere thanks to the Almighty Lord for having kept me well throughout the entire period of the project work.

I also convey my sincere gratitude to my supervisor, Mr. George Waligo, for being my mentor and inspiring me to reach greater heights.

Many thanks also go to my parents for the loving care and support they have always shown in more ways than one.

I am also grateful to my fellow colleagues, Kangabe Rebecca, Kalyango Moses, Sserunjogi Solomon Micheal and Mugisha Moses, for helping me brainstorm and pointing out merits and flaws in my ideology.

Finally, I wish to extend my acknowledgements to my external supervisor, Mr. Lubega Ahmed, for scrutinizing this work.

ABBREVIATIONS AND ACRONYMS

ANSI American National Standards Institute

API Application Programming Interface

ARP Address Resolution Protocol

BPF Berkeley Packet Filter

Bps Bits per second

CCITT Comité Consultatif International Téléphonique et Télégraphique

CMIP Common Management Information Protocol

CSMA/CD Carrier Sense Multiple Access/Collision Detection

DBMS Database Management System

DLL Dynamic Link Library

DNS Domain Name Server

DSL Digital subscriber line

EIA Electronic Industries Alliance/Association

FAQ's Frequently Asked Questions

FDDI Fiber Distributed Data Interface

FTP File Transfer Protocol

GL Graphics Library

GUI Graphical User Interface

HTTP HyperText Transfer Protocol

ICMP Internet Control Message Protocol

IDE Integrated Development Environment

IEEE Institute of Electrical and Electronic Engineers

IP Internet Protocol

ISDN Integrated Services Digital Network

ISO International Organization for Standardization

ITU International Telecommunications Union

Kbps Kilobits per second

LAN Local Area Network

MAC Media Access Controller

Mbps Megabits per second

MIB Management Information Base

NDIS Network Driver Interface Specification

NFS Network File System

NIC Network Interface Card

OSI Open System Interconnection

PDU Protocol Data Unit

PPP Point-to-Point Protocol

RARP Reverse Address Resolution Protocol

RFC Request for Comments

SDK Standard Development Kit

SLIP Serial Line Internet Protocol


SMTP Simple Mail Transfer Protocol

SNMP Simple Network Management Protocol

SONET Synchronous Optical Network

TCP Transmission Control Protocol

TFTP Trivial File Transfer Protocol

TIA Telecommunications Industry Association

UDP User Datagram Protocol

VoIP Voice over IP

WAN Wide Area Network

Win32 Windows 32-bit Operating System

WinPcap Windows Packet Capture

WWW World Wide Web

XP eXtreme Programming


LIST OF FIGURES

Figure 1: Theoretical/digital bandwidth formula ........................................................... 8

Figure 2: Throughput formula ....................................................................................... 8

Figure 3: Network Models ........................................................................................... 12

Figure 4: Protocols ....................................................................................................... 14

Figure 5: Encapsulation/decapsulation within a network stack ................................... 19

Figure 6: Capture Stack ............................................................................................... 24

Figure 7: Program Algorithm ....................................................................................... 28

Figure 8: Graphical User Interface .............................................................................. 29

Figure 9: Graphical Capture Statistics ......................................................................... 30

Figure 10: Test Bed Setup ............................................................................................ 31

Figure 13: Captured devices ........................................................................................ 32

Figure 14: IP address information ................................................................................ 33

Figure 15: Captured statistics information ................................................................... 34


LIST OF SYMBOLS

.EXE Executable file

BIN Binary Folder

COFF Visual C++ library format

E1 2.048 Mbps

E3 34.064 Mbps

Hz Hertz

IEEE 802.3 Ethernet

IEEE 802.5 Token Ring

IMPDEF Import Definition File

OMF Builder C++ library format

T1 1.544 Mbps

T3 44.736 Mbps


LIST OF TABLES

Table 1: Table of Functions ......................................................................................... 27

Table 2: T568A Standard ............................................................................................. 31

Table 3: T568B Standard ............................................................................................. 31


ABSTRACT

Computer networks have been experiencing exponential growth over the past few decades. As a result, the need for network monitoring has become a vital aspect of ensuring network efficiency. With over 50,000 networks, 6 million hosts, 30 million users and still counting, the World Wide Web (WWW) has become the dominant network accelerating Internet growth. This project analyzes the need to develop a software-based monitoring tool capable of monitoring various network parameters essential for optimizing network performance and ensuring efficient use of network resources.

Such a tool should be able to aid network administrators in simplifying their daily task of ensuring that network performance meets the desired standards. A large set of the network monitoring tools on the market today are generally accessible only to network engineers, and tend to be very expensive because they integrate hardware and/or are vendor-specific, or are limited in the scope of the parameters they monitor.

This project therefore sets out to design software tailored to specific user requirements that can be easily upgraded to meet future needs or demands. The software-based solution is meant to provide accurate, comprehensive, flexible, inexpensive and on-demand network monitoring capabilities throughout the entire network and its interconnecting segments.

By Opira Moses Alfonse

Copyright© 2007, Opira Moses Alfonse.

[email protected]


CHAPTER ONE

Introduction

1.0 Background to the Study

The field of network management has become a vital aspect of modern computer networks. Today's networks tend to be heterogeneous, comprising a variety of computers, hubs, switches, bridges, routers and various other network devices from different manufacturers. Society is increasingly dependent on computers linked to various types of networks (e.g. LANs, MANs, WANs), most notably the Internet, which has consequently resulted in the exponential growth of networks. The task of monitoring and managing network resources has therefore become more taxing and complex. Network administrators are consequently faced with the challenge of ensuring that customer satisfaction is guaranteed through constant monitoring and management of network resources.

There are two main types of network monitoring tools on the market today. The first is dedicated hardware monitoring tools, which provide high performance but lack flexibility and are generally more expensive. The second is software-based monitoring tools, which are usually slower than the former but are much cheaper and offer the added advantage of flexibility in terms of software modifications and upgrades. The software-based option is the preferred solution in most modern networks and forms the basis of this project.

Without information about the stream of data packets from intermediate hops within a network, interconnected end-to-end systems are often unable to identify and diagnose problems within the network. For network monitoring software to monitor network performance efficiently, the application must first know the current network properties and what is happening to its data. By capturing data packets and analyzing them, information can be gathered about the source of the packets, their usefulness, and their quantity.

With such information, a network administrator can deduce which client machines are using extraordinary amounts of bandwidth at the expense of other users, the presence of daemon software running on the network, hacker intrusions and so on.
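Per-host bandwidth accounting of the kind described above, as an added example in C++ (the language of this project) that is not the project's own code: it parses constructed Ethernet II/IPv4 frames rather than WinPcap's live capture buffers, totals bytes per source address, converts them to a throughput in bits per second over the capture window (the "information per unit time" definition of bandwidth used in section 2.1.1), and flags hosts consuming more than a chosen share of the traffic. The PacketSummary and TrafficAccountant types, the frame builder and the sample frames are all assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// One captured frame after parsing its Ethernet II and IPv4 headers (a hypothetical
// structure for this example; WinPcap itself delivers raw bytes plus a capture length).
struct PacketSummary {
    bool valid = false;      // true only when a complete IPv4 header was present
    std::string src;         // dotted-quad source address
    std::uint8_t proto = 0;  // IPv4 protocol number (6 = TCP, 17 = UDP, ...)
    std::size_t bytes = 0;   // frame length on the wire, counted toward bandwidth
};

static std::string dotted(const std::uint8_t* p) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "%u.%u.%u.%u", unsigned(p[0]), unsigned(p[1]), unsigned(p[2]), unsigned(p[3]));
    return buf;
}

// Parse an Ethernet II frame; reject anything that is not a complete IPv4 datagram.
PacketSummary summarize(const std::vector<std::uint8_t>& frame) {
    PacketSummary s;
    s.bytes = frame.size();
    if (frame.size() < 14 + 20) return s;                 // too short for Ethernet + IPv4
    if (frame[12] != 0x08 || frame[13] != 0x00) return s; // EtherType 0x0800 = IPv4
    const std::uint8_t* ip = frame.data() + 14;
    if ((ip[0] >> 4) != 4) return s;                      // IP version nibble
    std::size_t ihl = (ip[0] & 0x0F) * 4u;                // header length in bytes
    std::size_t total_len = (std::size_t(ip[2]) << 8) | ip[3];
    // A declared length beyond the captured bytes is a truncated datagram: report it
    // as malformed rather than misattribute bandwidth to its apparent source.
    if (ihl < 20 || total_len < ihl || 14 + total_len > frame.size()) return s;
    s.proto = ip[9];
    s.src = dotted(ip + 12);
    s.valid = true;
    return s;
}

struct HostStats { std::size_t packets = 0; std::size_t bytes = 0; };

// Accumulates per-source-host packet and byte counts over one capture window.
class TrafficAccountant {
public:
    void observe(const std::vector<std::uint8_t>& frame) {
        PacketSummary s = summarize(frame);
        if (!s.valid) { ++malformed_; return; }
        HostStats& h = by_src_[s.src];
        ++h.packets; h.bytes += s.bytes;
    }
    // Throughput of one host in bits per second across a window of `seconds`.
    double throughput_bps(const std::string& host, double seconds) const {
        auto it = by_src_.find(host);
        if (it == by_src_.end() || seconds <= 0.0) return 0.0;
        return it->second.bytes * 8.0 / seconds;
    }
    // Hosts whose share of all counted bytes exceeds `share` (0.5 = more than half).
    std::vector<std::string> heavy_users(double share) const {
        std::size_t total = 0;
        for (const auto& kv : by_src_) total += kv.second.bytes;
        std::vector<std::string> out;
        for (const auto& kv : by_src_)
            if (total > 0 && double(kv.second.bytes) / double(total) > share)
                out.push_back(kv.first);
        return out;
    }
    std::size_t malformed() const { return malformed_; }
private:
    std::map<std::string, HostStats> by_src_;
    std::size_t malformed_ = 0;
};

// Constructed test frame: Ethernet II + minimal IPv4 header + zero-filled payload.
std::vector<std::uint8_t> make_frame(const std::uint8_t src[4], const std::uint8_t dst[4],
                                     std::uint8_t proto, std::size_t payload) {
    std::vector<std::uint8_t> f(14 + 20 + payload, 0);
    f[12] = 0x08; f[13] = 0x00;                       // EtherType IPv4
    f[14] = 0x45;                                     // version 4, IHL 5 (20 bytes)
    std::size_t total = 20 + payload;
    f[16] = std::uint8_t(total >> 8); f[17] = std::uint8_t(total & 0xFF);
    f[22] = 64; f[23] = proto;                        // TTL, protocol
    for (int i = 0; i < 4; ++i) { f[26 + i] = src[i]; f[30 + i] = dst[i]; }
    return f;
}

// Constructed capture: host .10 sends three 1500-byte frames and host .20 one 100-byte
// frame; an ARP frame and a truncated IPv4 frame must not be counted as bandwidth.
TrafficAccountant sample_capture() {
    const std::uint8_t a[4] = {192, 168, 1, 10}, b[4] = {192, 168, 1, 20}, g[4] = {192, 168, 1, 1};
    TrafficAccountant acc;
    for (int i = 0; i < 3; ++i) acc.observe(make_frame(a, g, 6, 1466));
    acc.observe(make_frame(b, g, 17, 66));
    std::vector<std::uint8_t> arp(60, 0); arp[12] = 0x08; arp[13] = 0x06;  // ARP, not IPv4
    acc.observe(arp);
    std::vector<std::uint8_t> cut = make_frame(a, g, 6, 1466); cut.resize(40);  // truncated
    acc.observe(cut);
    return acc;
}
```

Over a two-second window the sample capture attributes 18,000 bit/s to 192.168.1.10 and 400 bit/s to 192.168.1.20, and reports the ARP and truncated frames as two malformed (uncounted) frames.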


This project sets out to identify several common problems that are not adequately addressed by existing software monitoring tools, and also addresses the end-user side of the problem. The software is intended to be open source, meaning that the source code is freely available to any interested programmers wishing to extend the scope of the software.

1.1 Problem Statement

With the rapid growth of the Internet and of networks in general, network monitoring has become a vital aspect of ensuring overall network performance efficiency, considering the economic costs of network downtime. End-users, network and system administrators currently have very few, limited and expensive monitoring tools at their disposal to aid them in efficiently monitoring IP network performance parameters like bandwidth usage, data transfer rates and traffic distribution within the entire network.

Imagine a network administrator running an Internet café and monitoring over a hundred (100) computers from one terminal while various customers are using the shared bandwidth on both the LAN and the Internet. One customer making numerous downloads and bulky data transfers across the LAN significantly affects the overall performance of the entire network at the expense of other users. On the other hand, an experienced hacker halfway across the globe can easily gain unauthorized access to any one of the computers within the Internet café's LAN so as to conduct malicious activity.

It is thus obvious that such a scenario would be hectic, if not impossible, for the network administrator to monitor and avert individually from each of the hundreds of workstations in the Internet café.

Therefore, this project addresses this problem by designing a software-based network monitoring tool capable of efficiently monitoring overall IP network performance parameters from a single workstation.


1.2 Aim

The main aim of this project is to design and implement a software-based monitoring tool for IP networks.

1.3 Objectives

The specific objectives of this project are as follows:

i) To design and develop a software-based tool capable of efficiently monitoring IP network parameters.
ii) To design and develop a software tool capable of aiding network administrators in carrying out their daily responsibilities.
iii) To design and develop software that has a user-friendly graphical user interface (GUI).
iv) To design and develop software that is open source and easily upgradeable.

1.4 Significance of the Study

The software-based monitoring tool is meant to assist network administrators in making informed decisions about how to improve network performance, based on the statistics or information gathered by the software. With such a tool, network bandwidth usage (for example within corporate organizations), which is vital for the proper and efficient running of daily activities, can be properly and efficiently monitored with the aim of making informed decisions on how to optimize network performance.

Another very crucial requirement for corporate organizations is data security within Intranets and LANs. By analyzing different ports for intrusions (for example by hackers) and for malicious daemon software like spyware, malware etcetera, such problems can be identified by the software and appropriate action taken by the network administrator thereafter.

With this software, a network administrator should be able to ensure that network uptime and efficiency are optimized to client satisfaction and, in the event of problems, that informed troubleshooting measures are taken based on the information gathered by the software.


1.5 Scope of the Study

The scope of this project included the following:

- Intensive study of how networks operate in general with the aid of network models (for example the OSI reference model and the TCP/IP model), and also research on various protocols and Protocol Data Units (PDUs) such as frame structure, packets and their fields.
- Research on network programming using C++ (with ports and sockets) on Win32 platforms.
- Acquaintance with a public Application Programming Interface (API) called WinPcap, which was used to interface the software with the operating system's kernel.
- Design and compilation of the source code using Borland's C++ Builder 6.0 Integrated Development Environment (IDE) and WinPcap.
- Testing, analysis and evaluation of statistics gathered by the software on a working LAN.

1.6 Methodology

The following steps were carried out in order to achieve the aim of the project:

a) Making comparative investigations and analysis of various software-based monitoring tools available on the market today (that is, their limitations, operation, capabilities etcetera).
b) Researching from various sources how networks operate (based on the TCP/IP and OSI reference models) and network monitoring, using primary sources like the Internet, textbooks and journals.
c) Conducting consultative or informative meetings with the internal and external supervisors concerning the project scope.
d) Acquaintance with network programming in C++, with particular emphasis on Borland's C++ Builder 6.0 as the chosen IDE for developing the software application.
e) Obtaining a public Application Programming Interface (API) to use for interfacing the compiled program with the Operating System's kernel. An open-source library called "WinPcap" (Windows Packet Capture) was therefore obtained from the Internet site: http://www.winpcap.org.


f) Compiling source code with the aid of exported functions from the WinPcap API, applying the theory gathered from the various sources elaborated above.
g) Participating in online discussion forums (blogs) on the Internet and reading FAQs from various sites so as to get first-hand assistance from other programmers:

http://www.tcpdump.org/wpcap.html
http://winpcap.mirror.ethereal.com/misc/faq.html
http://netgroup/winpcap

h) Designing a simple peer-to-peer network to use as a test bed for the developed software application.
i) Analysis of the data captured by the software program, so as to present it in an easily comprehensible form using the software's GUI.
j) Carrying out various tests and evaluations of the software program on different versions of Windows (Windows 95/98/2000/XP) and different network protocols, for example dial-up PPP and Ethernet, to check for any compatibility issues.

1.7 Summary

This chapter gives a brief introduction to what the project is about and its relevance in today's society. It also lays out a specified number of objectives and an overall aim, alongside the significance and scope of the project and how the overall activities of the project were carried out.


CHAPTER TWO

Theoretical Background

2.0 Overview of Network Monitoring

Networking basically refers to connecting two or more computers for the purpose of sharing various hardware, software, and data resources.

According to Wikipedia (en.wikipedia.org/wiki/networkmonitoring), the term network monitoring describes the use of a system that constantly monitors a computer network for slow or failing systems and that notifies the network administrator in case of outages via email, pager or other alarms.

On the other hand, Guy Antony Halse (2003) refers to network monitoring as a system that simply observes and reports on a network, without taking any corrective action of its own accord.

Network monitoring is very often confused with, or taken as synonymous to, network management. However, network management, according to www.100best-web-hosting.com/termn.html, refers to a set of activities (e.g. network monitoring, gathering and analyzing statistics, adjusting network configuration) performed in order to increase network performance and availability. This therefore implies that network monitoring is a subset of network management.

2.1 Network Monitoring Parameters

Network monitoring parameters are essential in ensuring that optimal network performance is achieved. There are several parameters that affect network performance, the most important being bandwidth. Other factors affecting network performance include the following:

Type of data being transferred

Network topology and internetworking devices

Number of users on the network

User computer specifications and activity

In the interest of the project scope, bandwidth is elaborated in further detail.


2.1.1 Importance of Bandwidth

Bandwidth is defined as the amount of information that can flow through a network in a given period of time. Bandwidth is a limited resource and it is important to understand the concept of bandwidth for the following reasons.

Cost factor: the cost of a connection increases in proportion to its bandwidth. Very high bandwidth is possible within LANs depending on the end-user equipment being used. However, for WAN connections like the Internet, it is usually necessary to buy bandwidth from a service provider along with the appropriate equipment, which can be quite costly. In such cases, individual users and businesses can save a lot of money if they understand bandwidth and how its demand changes over time.

For analysis of network performance: bandwidth is an important factor that can be used to analyze the performance of networks. A network administrator must understand the tremendous impact of bandwidth and throughput on a network's performance. Information flows as a stream of bits from computer to computer throughout the world. These bits represent massive amounts of information flowing back and forth across the globe in seconds or less.

Limited capacity: regardless of the media being used to build a network, there are limits on the network's capacity to carry information. Bandwidth is limited by the laws of physics and by the technologies used to place information on the media.

Increasing demand: as new technologies (for example Voice over IP, 'VoIP', and streaming video conferencing) and infrastructure are built, new applications are created which require greater bandwidth capacity, consequently resulting in increased demand for bandwidth.

2.1.1.1 Bandwidth Measurements

Although the terms bandwidth and speed are often used interchangeably, they are not

exactly the same.


Digital bandwidth measures how much information can flow from one place to another in a specified amount of time. The fundamental unit of measurement for digital bandwidth is bits per second (bps). Since LANs are capable of speeds up to thousands or millions of bits per second, measurements are normally expressed in kilobits per second (kbps) or megabits per second (Mbps). Physical media, current technologies, and the laws of physics limit bandwidth. Digital bandwidth varies depending upon the type of media as well as the LAN and WAN technologies used. The physical differences in the way signals travel result in fundamental limitations on the information-carrying capacity of a given medium. However, the actual bandwidth of a network is determined by a combination of the physical media and the technologies chosen for signaling.

Analog bandwidth on the other hand refers to the frequency range of analog electronic systems. Analog bandwidth can be used to describe the range of frequencies transmitted by a radio station or an electronic amplifier. The unit of measurement for analog bandwidth is hertz (Hz), the same as the unit of frequency.

For the purpose of the project, digital bandwidth was reviewed in further detail.

Figure 1: Theoretical/digital bandwidth formula

Theoretical Bandwidth (Bps) = File Size (Bits) / File Transfer Time (Seconds)

Throughput refers to the actual measured bandwidth, at specific times of the day, using specific Internet routes, and while a specific set of data is transmitted on the network.

Figure 2: Throughput formula

Actual Throughput (Bps) = File Size (Bits) / File Transfer Time (Seconds)

Note:

The result is an estimate only, because the file size does not include any overhead (additional information) added by the encapsulation process.

The throughput formula gives a more accurate value of bandwidth.
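To make the note above concrete, the following is an added example in C (not code from the report) that evaluates the file-size formulas of Figures 1 and 2 and then re-estimates the bits actually placed on the medium when the file is carried in TCP segments over Ethernet. The header sizes are the standard Ethernet, IPv4 and TCP sizes; the 1460-byte maximum segment size, the file size and the transfer time are assumed sample values, and acknowledgements flowing in the other direction are not counted.

```c
#include <stdio.h>
#include <stdint.h>

/* Added example (not from the report). Standard header sizes used to estimate
 * the encapsulation overhead that the file-size formula leaves out. */
#define ETH_HEADER_BYTES 14   /* destination MAC + source MAC + length/type */
#define ETH_FCS_BYTES     4   /* frame check sequence */
#define IP_HEADER_BYTES  20   /* IPv4 header without options */
#define TCP_HEADER_BYTES 20   /* TCP header without options */
#define TCP_MSS_BYTES  1460   /* assumed maximum segment size on Ethernet */

/* Figures 1 and 2: bits transferred divided by the transfer time, in bits per second. */
double file_rate_bps(uint64_t file_size_bytes, double transfer_seconds)
{
    return (file_size_bytes * 8.0) / transfer_seconds;
}

/* Number of TCP segments needed to carry the file at the assumed MSS (rounded up). */
uint64_t segments_for_file(uint64_t file_size_bytes)
{
    return (file_size_bytes + TCP_MSS_BYTES - 1) / TCP_MSS_BYTES;
}

/* Bytes actually placed on the medium in one direction: the payload plus the
 * Ethernet, IP and TCP headers and the FCS that every segment carries. */
uint64_t wire_bytes(uint64_t file_size_bytes)
{
    uint64_t per_segment = ETH_HEADER_BYTES + IP_HEADER_BYTES + TCP_HEADER_BYTES + ETH_FCS_BYTES;
    return file_size_bytes + segments_for_file(file_size_bytes) * per_segment;
}

/* Rate as seen by a data-link capture, which is what a frame-level monitor measures. */
double wire_rate_bps(uint64_t file_size_bytes, double transfer_seconds)
{
    return (wire_bytes(file_size_bytes) * 8.0) / transfer_seconds;
}

/* Percentage by which the file-size formula understates the bits on the wire. */
double overhead_percent(uint64_t file_size_bytes)
{
    if (file_size_bytes == 0)
        return 0.0;
    return 100.0 * (double)(wire_bytes(file_size_bytes) - file_size_bytes) / (double)file_size_bytes;
}

int main(void)
{
    uint64_t size = 1460000;  /* constructed sample: a 1,460,000-byte file */
    double seconds = 10.0;    /* constructed sample: measured transfer time */

    printf("segments on the wire   : %llu\n", (unsigned long long)segments_for_file(size));
    printf("throughput (file size) : %.0f bps\n", file_rate_bps(size, seconds));
    printf("throughput (wire bytes): %.0f bps\n", wire_rate_bps(size, seconds));
    printf("encapsulation overhead : %.2f %%\n", overhead_percent(size));
    return 0;
}
```

With the sample values every full-sized segment becomes a 1518-byte frame, so the capture-level rate is about 4% higher than the figure obtained from the file size alone; for small files, where the last segment is mostly header, the gap is larger.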


2.2 Network Monitoring Modes

Network monitoring modes refer to the manner in which information is extracted by monitoring tools. There are basically two modes for monitoring networks currently adopted, as follows:

2.2.1 Passive Monitoring

Many network monitoring tools are designed to passively monitor network traffic on a particular subnet or passing through a particular gateway. Passive monitoring, sometimes called promiscuous monitoring, is a mode which simply listens to and intercepts transiting traffic on a network. Passive monitoring is often the simplest form of monitoring to implement, since it does not require any cooperation from the monitored hosts. It looks directly at the traffic passing over the network's shared media. Historical performance information of this sort may be used to determine network growth and predict usage patterns.

2.2.2 Active Monitoring

An alternative to passive monitoring is active monitoring. This refers to systems which actively attempt to retrieve information (through probing or querying) from remote hosts. Dedicated management protocols like SNMP (Simple Network Management Protocol) and CMIP (Common Management Information Protocol) are examples of active network monitoring. Useful information about a network can also be obtained by querying remote hosts using normal communication protocols.

2.3 Network Architectures

Networks are categorized according to their geographical scope or area of coverage. Various types of networks exist, as follows:

Local area networks

Metropolitan area networks

Wide area networks


2.3.1 Local Area Networks

A Local Area Network (LAN) is a collection of computers that share hardware, software, and data over a relatively small geographical area, usually limited to a building. Some common LAN technologies include the following:

Ethernet (IEEE 802.3): uses a bus topology and relies on Carrier Sense Multiple Access/Collision Detection (CSMA/CD) to regulate traffic on a network.

Token Ring (IEEE 802.5): uses a logical ring topology and relies on token passing to control information flow.

Fiber Distributed Data Interface (FDDI): uses a logical ring topology to control information flow and a physical dual-ring topology.

2.3.2 Wide Area Networks

A Wide Area Network (WAN) is a network of computers, terminals, and peripheral

devices that are located over a very large geographical area. WANs interconnect

LANs, which then provide access to computers or file servers in other locations. Some

common WAN technologies include the following:

Integrated Services Digital Network (ISDN)

Digital subscriber line (DSL)

Frame Relay

T1, E1, T3, and E3

Synchronous Optical Network (SONET)

2.4 Network Models

In order for one to properly understand the concept of network monitoring, a review of networking models is of prime importance, since they form the basis on which the task of monitoring networks is effected. For the purpose of this work, the Open Systems Interconnection (OSI) Reference model, the OSI Network Management model and the TCP/IP model are reviewed.

2.4.1 OSI Reference model

According to Todd Lammle (2005), the OSI reference model was created in the late 1970s by the ISO for standardization. The OSI model was meant to help vendors create interoperable network devices and software in the form of protocols, so that different vendors' networks could work with each other.


The OSI Reference model is an attempt by the International Standards Organization (ISO) to standardize the way that computer systems communicate with each other. Although there are several OSI models, the most widely used one is the OSI Reference model (Figure 3a). This seven-layer model is intended to ensure interoperability between different protocols and methods of communication.

The seven layers of the OSI reference model are as follows:

1. The Physical layer (layer one) is concerned with the transmission of raw binary data over a communications channel using various media such as wires, connectors and fiber. The Protocol Data Unit (PDU) at this layer is called the bit.

2. The Data Link layer (layer two) takes the raw transmission function and converts it into an error-free transmission channel, and ensures reliable transfer of data across media, connectivity and path selection between host systems. The PDU at this layer is called the frame.

3. The Network layer (layer three) is concerned with connectivity and routing, or best path selection, of packets from source to destination. It also provides reliable transfer of data across media. The PDU at this layer is called the packet.

4. The Transport layer (layer four) is concerned with the task of accepting data from the session layer, breaking it into smaller fragments if necessary and passing it to the network layer. This layer also reassembles the data fragments at the destination and ensures that all parts are correctly received. The Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) operate at this level.

5. The Session layer (layer five) allows users on differing machines to establish sessions between the machines and also provides authentication.

6. The Presentation layer (layer six) ensures that data is encoded in the correct format for the application or transport that is being used.

7. The Application layer (layer seven) is where all end-user applications sit. This layer supports the hundreds of different user protocols used to perform various tasks, such as e-mail, file transfer, etcetera.


Figure 3: Network Models

(a) OSI Reference Model      (b) TCP/IP Model        Protocol Data Units
7 APPLICATION                4 APPLICATION           Data
6 PRESENTATION                                       Data
5 SESSION                                            Data
4 TRANSPORT                  3 TRANSPORT             Segments
3 NETWORK                    2 INTERNET              Packets
2 DATA LINK                  1 NETWORK ACCESS        Frames
1 PHYSICAL                                           Bits

2.4.2 TCP/IP model

The OSI model is mostly used for educational purposes; a more practical model, the TCP/IP model (Figure 3b), is more often used to describe how the Internet operates. Reference to this model is useful in order to understand the concept of network monitoring.

Although some of the layers in the TCP/IP model have the same names as layers in the OSI model, the layers of the two models do not correspond exactly. Most notably, the application layer has different functions in each model.

The TCP/IP model has the following four layers:

1. Application layer: this layer includes the OSI session and presentation layer details. It also handles issues of representation, encoding, and dialog control of data.

2. Transport layer: this layer deals with the quality of service issues of reliability, flow control, and error correction. One of its protocols, TCP, provides excellent and flexible ways to create reliable, well-flowing, low-error network communications. TCP is a connection-oriented protocol, meaning that it maintains a dialogue between source and destination while packaging application layer information into units called segments. Connection-oriented does not mean that a circuit exists between the communicating computers.

3. Internet layer: the purpose of this layer is to divide TCP segments into

packets and send them from any network. The packets arrive at the

destination network independent of the path they took to get there. The

specific protocol that governs this layer is called the Internet Protocol (IP).

Best path determination and packet switching occur at this layer.

4. Network Access layer: this layer is also known as the host-to-network

layer. It is concerned with all of the components, both physical and logical,

that are required to make a physical link. It includes the networking

technology details, including all the details in the OSI physical and data

link layers.

2.4.3 OSI Network Management model

Another, less commonly used, OSI model, the OSI network management model, specifically addresses the task of network monitoring. This model describes the tasks associated with managing modern computer networks, and provides a way to define relationships between the various tasks. Although this model refers to network management, a large proportion of the ideas it contains are applicable to the role of network monitoring. This management model addresses five conceptual areas, namely performance management, configuration management, accounting management, fault management and security management (Rose, 1991).

With regard to the project scope, only the area of performance management contained in the OSI Network Management model is examined.

Performance Monitoring: this looks at the current and expected performance of the

network. Elements of network performance that may be monitored include network

bandwidth/throughput, availability, and utilization. This information may be

compared to theoretical performance levels or historical averages in order to

determine how well the network is currently performing. Unusual changes in

performance may help to predict network faults before they occur, enabling network

monitoring.


2.5 Network Protocols

According to Tim Parker (2001), a protocol is a formal description of a set of rules

and conventions that govern a particular aspect of how devices on a network

communicate. Because telecommunications systems use a wide variety of hardware

and software, protocols are needed to coordinate communication.

Protocols determine the format, timing, sequencing, and error control in data

communication. Without protocols, computers cannot make or rebuild streams of

incoming bits from another computer into their original format. Protocol suites on the

other hand are collections of protocols that enable network communication between

hosts. Protocols control all aspects of data communication, including the following:

How the physical network is built

How computers connect to the network

How the data is formatted for transmission

How that data is sent

These network rules are created and maintained by many different organizations and

committees. Included in these groups are the Institute of Electrical and Electronic

Engineers (IEEE), American National Standards Institute (ANSI),

Telecommunications Industry Association (TIA), Electronic Industries Alliance (EIA)

and the International Telecommunications Union (ITU), formerly known as the

Comité Consultatif International Téléphonique et Télégraphique (CCITT).

Some examples of the most common protocols specified by the TCP/IP reference

model layers are illustrated in figure 4 below.

Figure 4: Protocols

Layer 4, Application: the application protocols listed in section 2.5.1 (FTP, TFTP, NFS, SMTP, Telnet, SNMP, DNS)

Layer 3, Transport: TCP, UDP (section 2.5.2)

Layer 2, Internet: IP, ICMP, ARP, RARP

Layer 1, Network Access: Ethernet, Token Ring, FDDI


2.5.1 Layer 4 Protocols

File Transfer Protocol (FTP) is a reliable, connection-oriented service that uses TCP

to transfer files between systems that support FTP. It supports bi-directional binary

file and ASCII file transfers.

Trivial File Transfer Protocol (TFTP) is a connectionless service that uses UDP. TFTP is used on routers to transfer configuration files and Cisco IOS images, and to transfer files between systems that support TFTP. It is useful in some LANs because it operates faster than FTP in a stable environment.

Network File System (NFS) is a distributed file system protocol suite developed by

Sun Microsystems that allows file access to a remote storage device such as a hard

disk across a network.

Simple Mail Transfer Protocol (SMTP) administers the transmission of e-mail over

computer networks. It does not provide support for transmission of data other than

plain text.

Telnet provides the capability to remotely access another computer. It enables a user to log into an Internet host and execute commands. A Telnet client is referred to as a local host. A Telnet server is referred to as a remote host.

Simple Network Management Protocol (SNMP) is a protocol that provides a way to

monitor and control network devices. SNMP is also used to manage configurations,

statistics, performance, and security.

Domain Name System (DNS) is a system used on the Internet to translate domain

names and publicly advertised network nodes into IP addresses.


2.5.2 Layer 3 Protocols

Transmission Control Protocol (TCP) is a communications protocol that provides reliable (connection-oriented) transfer of data and defines how data is transferred across the Internet. The functions of TCP are as follows:

Establishing end-to-end connectivity

Providing flow control

Ensuring reliability through the use of sequence numbers and acknowledgments

Segmenting upper-layer application data

Sending segments from one end device to another

User Datagram Protocol (UDP) is a connectionless protocol, meaning that it does not provide for the retransmission of datagrams. UDP functions are as follows:

Segmenting upper-layer application data

Sending segments from one end device to another

2.5.3 Layer 2 Protocols

Internet Protocol (IP) is a connectionless protocol which defines how data is divided into packets for transmission and also determines the best-effort path or route for each packet to traverse between computers.

Internet Control Message Protocol (ICMP) provides control and messaging capabilities.

Address Resolution Protocol (ARP) determines the data link layer address, or MAC (Media Access Control) address, for known IP addresses.

Reverse Address Resolution Protocol (RARP) determines the IP address for a known MAC address.

2.5.4 Layer 1 Protocols

Layer 1 is responsible for ensuring that IP packets make physical links with network

media. It includes the LAN and WAN technology details and all the details contained

in the OSI physical and data link layers.


Software drivers for software applications (including WinPcap), modem cards, and

other devices operate at the network access layer. The network access layer defines

the procedures used to interface with the network hardware and access the

transmission medium.

Serial Line Internet Protocol (SLIP); Modem protocol standards used to provide

network access through a modem connection.

Point-to-Point Protocol (PPP); Modem protocol standards used to provide network

access through a modem connection.

Network access layer protocols map IP addresses to physical hardware addresses and

encapsulate IP packets into frames. The network access layer defines the physical

media connection based on the hardware type and network interface.

2.6 Port Numbers

TCP and UDP must use port numbers to communicate with the upper layers, because they're what keep track of different conversations crossing the network simultaneously. Originating source port numbers are dynamically assigned by the source host and are equal to some number starting at 1024; 1023 and below are defined in RFC 3232 (www.iana.org). Virtual circuits that don't use an application with a well-known port number are assigned port numbers randomly from a specific range instead. These port numbers identify the source and destination application or process in the TCP segment. The different port numbers that can be used are as follows:

Numbers below 1024 are considered well-known port numbers and are defined in RFC 3232 (refer to Appendix D).

Numbers 1024 and above are used by the upper layers to set up sessions with other hosts, and by TCP to use as source and destination addresses in the TCP segment.

2.6.1 Well-known port numbers

Both TCP and UDP use well-known ports, also known as service contact ports. The

port names reflect the specific TCP and UDP applications. Ports are the end points of

a connection, providing a convenient method for accessing and addressing the

connection end. Appendix D has a list of the well-known port numbers and their port

names.


2.7 Data Encapsulation and Decapsulation

According to Pastore M., Dulaney and Emmett A. (2004), all communications on a network originate at a source and are sent to a destination. The information sent on a network is referred to as data or data packets. When one computer is sending data to another computer, the data must first be packaged through a process known as encapsulation. The receiving computer, on the other hand, removes the additional information to extract the data through a process known as decapsulation.

In simple terms, the process of adding header information is termed encapsulation, whereas removing header information is termed decapsulation.

2.7.1 Encapsulation/Decapsulation Process

Networking application programs send messages or streams of data to one of the

Internet transport Layer protocols, either the User Datagram Protocol (UDP) or the

Transmission Control Protocol (TCP). These protocols receive the data from the

application, divide it into smaller pieces called TCP segments or UDP packets, add a

destination address, and then pass the packets down to the next protocol layer, the

network layer. The network layer encloses the packet in an Internet Protocol (IP)

datagram, adds the datagram header, decides where to send the datagram (either

directly to the destination system or indirectly via a router or gateway), and passes the

datagram down to the data link layer. The data link layer accepts IP datagrams,

encapsulates them within frames that are specific to the network hardware such as

Ethernet, Token-Ring or FDDI, and transmits these over the network. Frames

received by a host are processed through the protocol layers in the reverse order. Each

layer strips off the corresponding header information, until the data ends up at the

application layer. Frames are received by the data link layer which strips off the frame

header and trailer, and sends the datagram up to the network layer. The network layer

strips off the IP header and sends the packet up to the transport layer. The transport

layer strips off the TCP or UDP header and sends the data up to the application. As

hosts on a network can send and receive information simultaneously, data may be

traveling both up and down the layers of the networking stack at the same time.


Figure 5 below illustrates how each layer adds (or removes) header information to

data traveling away from (or toward) the application layer.

Figure 5: Encapsulation/decapsulation within a network stack

2.7.2 Ethernet Frame Structure

Since data capture for the project occurs at Layer 2, the frame structure of the layer 2

PDU is reviewed in further detail. Framing is the Layer 2 encapsulation process.

Frames are used to send upper-layer data and ultimately the user application data from

a source to a destination. A single generic frame has sections called fields. Each field

is composed of several bytes as illustrated in figure 6 below.

Figure 6: Generic Frame Format

Preamble: an alternating pattern of ones and zeros used for timing synchronization in 10 Mbps and slower implementations of Ethernet. Faster versions of Ethernet are synchronous, so this timing information is unnecessary but is retained for compatibility.

Start of Frame (SOF) field: the SOF delimiter consists of a one-octet field that marks the end of the timing information and contains the bit sequence 10101011.


Destination Field: this contains the destination address which can be either a unicast,

multicast, or broadcast.

Source field: this contains the MAC source address.

Length/Type field: specifies the exact length of a frame in bytes and the Layer 3

protocol used by the device that wants to send data.

Data field: This field is used for inserting data into the frame. If there is not enough

user data to insert so as to meet the minimum frame length, extra data called padding

is inserted.

Frame Check Sequence (FCS) field: contains a four byte number used by the

destination computer to calculate errors in the frame. The FCS can be calculated using

either Cyclic Redundancy check (CRC), Two-dimensional parity checks or Internet

checksum.
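The decapsulation sequence of section 2.7.1, the frame fields of section 2.7.2 and the port classification of section 2.6 can be seen together in the following added example in C. It is not code from the report or from WinPcap: it parses a constructed sample frame (made-up MAC and IP addresses, embedded inline), checks the FCS by recomputing the CRC-32 over the frame body, then strips the Ethernet, IPv4 and TCP headers to reach the port numbers and the application data. It assumes the frame handed up still carries its FCS (many adapters strip it before software sees it), and the IP header checksum is not verified.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the report or from WinPcap. Decapsulates a raw
 * Ethernet II frame as a capture application would after the driver hands it up.
 * Assumes the trailing 4-byte FCS is still present (preamble and SOF never reach
 * software) and decodes IPv4 with TCP or UDP above it. */
typedef struct {
    uint8_t  dst_mac[6], src_mac[6];
    uint16_t ether_type;
    uint32_t src_ip, dst_ip;        /* host byte order */
    uint8_t  ip_protocol;           /* 6 = TCP, 17 = UDP */
    uint16_t src_port, dst_port;
    size_t   payload_len;           /* application data bytes */
    int      fcs_ok;                /* 1 if the recomputed CRC-32 matches the FCS */
} decap_result;

/* CRC-32 as used for the Ethernet FCS (reflected form, polynomial 0xEDB88320). */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Strips the frame, IP and transport headers in turn (section 2.7.1).
 * Returns 0 on success or a negative code for a truncated or unsupported frame. */
int decapsulate(const uint8_t *frame, size_t len, decap_result *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14 + 4)
        return -1;                              /* shorter than header plus FCS */
    size_t body = len - 4;                      /* everything before the FCS */
    uint32_t fcs = (uint32_t)frame[body] | ((uint32_t)frame[body + 1] << 8) |  /* FCS is */
                   ((uint32_t)frame[body + 2] << 16) | ((uint32_t)frame[body + 3] << 24); /* LSB first */
    out->fcs_ok = (crc32_ieee(frame, body) == fcs);
    memcpy(out->dst_mac, frame, 6); memcpy(out->src_mac, frame + 6, 6); /* Destination, Source fields */
    out->ether_type = rd16(frame + 12);         /* Length/Type field: 0x0800 = IPv4 */
    if (out->ether_type != 0x0800)
        return -2;
    const uint8_t *ip = frame + 14;
    if (body < 14 + 20 || (ip[0] >> 4) != 4)
        return -3;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;    /* IP header length in bytes */
    size_t ip_total = rd16(ip + 2);             /* header + transport + data */
    if (ihl < 20 || ip_total < ihl || 14 + ip_total > body)
        return -3;                              /* IP header checksum is not verified here */
    out->ip_protocol = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    const uint8_t *l4 = ip + ihl;
    size_t l4_len = ip_total - ihl, hdr;
    if (out->ip_protocol == 6) {                /* TCP: length from the data offset field */
        hdr = l4_len >= 20 ? (size_t)(l4[12] >> 4) * 4 : 0;
        if (hdr < 20) return -4;
    } else if (out->ip_protocol == 17) {        /* UDP: fixed 8-byte header */
        hdr = 8;
    } else {
        return -5;                              /* other transports are not decoded */
    }
    if (hdr > l4_len)
        return -4;                              /* truncated transport header */
    out->src_port = rd16(l4);                   /* ports sit first in both headers */
    out->dst_port = rd16(l4 + 2);
    out->payload_len = l4_len - hdr;
    return 0;
}

/* Section 2.6: ports below 1024 are the well-known (service contact) ports. */
int is_well_known_port(uint16_t port) { return port < 1024; }

/* Constructed sample frame (made-up addresses): TCP from ephemeral port 49152 to
 * port 80 carrying 16 bytes of data, FCS appended. Returns the frame length. */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t hdrs[54] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
        0x45,0x00,0x00,0x38, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,            /* IPv4, total 56 */
        0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,                                 /* 192.168.1.10 -> .20 */
        0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* TCP 49152 -> 80 */
        0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00 };                               /* offset 5, PSH|ACK */
    size_t body = sizeof hdrs + 16;
    if (cap < body + 4) return 0;
    memcpy(buf, hdrs, sizeof hdrs);
    memcpy(buf + sizeof hdrs, "GET / HTTP/1.0\r\n", 16);
    uint32_t crc = crc32_ieee(buf, body);
    for (int i = 0; i < 4; i++) buf[body + i] = (uint8_t)(crc >> (8 * i));
    return body + 4;
}

int main(void)
{
    uint8_t frame[128];
    decap_result r;
    size_t n = build_sample_frame(frame, sizeof frame);
    int rc = decapsulate(frame, n, &r);
    printf("rc=%d fcs=%s proto=%u ports %u -> %u (%s) payload=%zu bytes\n", rc,
           r.fcs_ok ? "ok" : "BAD", (unsigned)r.ip_protocol, (unsigned)r.src_port,
           (unsigned)r.dst_port, is_well_known_port(r.dst_port) ? "well-known" : "dynamic",
           r.payload_len);
    return rc == 0 ? 0 : 1;
}
```

The FCS result is reported separately from the parse result so that a monitoring tool can count errored frames while still displaying their headers; every length field is checked against the captured length before it is used, since a truncated or corrupt frame must not drive the parser past the end of the capture buffer.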

2.8 Approaches to Network Monitoring

There are basically two approaches commonly used when monitoring networks, as follows:

Software monitoring approach

Hardware monitoring approach

The Hardware alternative will not be discussed here because it is beyond the scope of

this project.

2.8.1 Software-based Monitoring Tools

According to Erwan L. (2006), there are numerous commercial and free software-based monitoring tools currently available on the market which address the task of network monitoring. The software solution to network monitoring often involves interfacing the software with independent capture drivers like RawIP, NDIS and WinPcap.


Some common high-level programs for monitoring networks include the following:

Smart Sniff allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as a sequence of conversations between clients and servers. http://www.nirsoft.net.

IpSniffer: this is a suite of IP Tools built around a packet sniffer.

http://erwan.l.free.fr

WinSniff is an application for capturing packets on the network. It displays all

the packets that are transmitted on the local network and gives detailed

information about each header in the packet. http://www.codeproject.com

Solar Winds Network Performance Monitor: This is a real-time network

monitor that can track network latency, packet loss, availability, traffic,

bandwidth utilization, CPU load, disk space utilization and memory.

http://www.solarwinds.net/

TrafMeter is a Windows-based tool providing real-time traffic accounting

and monitoring. http://lastbit.com/trafmeter

2.8.2 Command-line utilities

These are normally integrated within operating systems and run via command-lines

like DOS, Linux Shells and so on. Examples are as follows;

TCPDump is a command-line tool found in UNIX and its variants used to

dump TCP packets transiting through a network. The Windows equivalent is

called WinDump but does not come integrated with the operating system.

Tracert for Windows operating systems, or Traceroute for UNIX operating systems, is used to trace routes to various hosts within a network, including the number of hops and timestamp values.

Ping is a tool commonly used to test for network connectivity of various hosts

and network devices.


2.8.3 SNMP Approach

One of the most widely used approaches to network management is the Simple

Network Management Protocol (SNMP). This protocol was originally formulated in

1988 through RFC 1067. Since then it has undergone many changes and is currently

in version three of the protocol (as defined by RFC 1157).

The Simple Network Management Protocol (SNMP) is an application layer protocol

that facilitates the exchange of management information between network devices.

SNMP enables network administrators to manage network performance, find and

solve network problems, and plan for network growth. SNMP uses UDP as its

transport layer protocol. To retrieve network information, SNMP uses a technique

called MIB collection. This means that it goes from one network device to another

polling them about their status.

So far, low-level network monitoring applications have been examined. However,

many applications build on low-level protocols to provide a higher level view of the

network. Most often, these programs attempt to represent various aspects of the

network in a graphical format.

2.9 WinPcap Architecture

WinPcap is an architecture used for packet capture and network analysis for the Win32 platforms, based on the model of the Berkeley Packet Filter (BPF) and libpcap for UNIX. WinPcap gives Win32 operating systems the capability to intercept and capture packets transiting through a network with the aid of the local machine's network adapter. The architecture also has a high-level API that can be used to create monitoring applications for Windows, thus indirectly making it easier to use Wpcap's low-level capabilities.

WinPcap's architecture is subdivided into three separate components as follows:

a) Kernel-level packet capture device driver.

b) Low-level dynamic library, Packet.dll.

c) High-level and system-independent dynamic library, Wpcap.dll.

Note: Although the term packet capture is used synonymously with frame capture, the latter is strictly more appropriate, since the capture process is done at the data-link layer of the OSI model.


2.9.1 Structure of the Capture Stack

In order for a software-based monitoring application to capture information, there is

need for direct interaction with the network hardware. For this reason the operating

system should offer a set of capture primitives to communicate and receive data

directly from the network adapter. Primitives are basically used to capture packets

from a network, and transfer them to the calling programs.

2.9.1.1 Network Level

At the lowest level of the capture stack is the network being monitored. The NIC

driver is used to capture packets that circulate within the network. During a capture

the network adapter usually works in either Active or Passive mode.

2.9.1.2 Kernel-Level

The packet capture section of the kernel should be quick and efficient because it must

be able to capture packets also on networks operating at various speeds like high-

speed LANs with heavy traffic, limiting losses of packets and using a small amount of

system resources. Packet Capture driver is the lowest level software module of the

capture stack. It is the part that works at kernel level and interacts with the network

adapter to obtain the packets. It supplies the applications a set of functions used to

read and write data from the network at data-link level. The kernel also comprises a filter which can be used to filter out various captured frames from the network depending on the user's input.

2.9.1.3 User-Level

The user-level consists of the system independent dynamic link libraries wpcap.dll,

packet.dll and the capture application which receives packets from the system,

interprets, processes and outputs information to the user in an intelligible manner. The

Wpcap.dll is a system independent dynamic library that is used by the capture part of

the applications. It interacts with Packet.dll so as to provide the applications with a

higher-level and more powerful capture interface. Packet.dll works at the user level, but is separated from the capture program. It is also a dynamic link library that isolates the capture programs from the driver, providing a system-independent capture interface.

The software monitoring tool is the user interface of the capture program. It manages

the interaction with the user and displays the result of a capture.


The structure of the capture stack from the network adapter to an application level is

shown in figure 7 below.

Figure 7: Capture Stack

Note: Buffers are used at the Kernel and User-levels to provide a temporary store for

captured frames.

Figure 7 contents: NETWORK LEVEL: TCP/IP network, NIC driver. KERNEL LEVEL: Packet Capture Driver, Filter, Kernel Buffer. USER LEVEL: Packet.dll, Wpcap.dll, User Buffer, Software Monitoring Tool.

2.10 Application Programming Interface

According to nhse.cs.rice.edu/nhsereview/cms/chapter6.html, an API is a set of

library routine definitions with which third party software developers can write

portable programs. Examples are the Berkeley Sockets for applications to transfer

data over networks, those published by Microsoft for their Windows GUI and the

OpenGL graphics library initiated by Silicon Graphics Inc. for displaying three-

dimensional rendered objects.

In simple terms an API is a set of interface definitions (functions, subroutines, data

structures or class descriptions) which together provide a convenient interface to the

functions of a subsystem and which insulate the application from the minutiae of the

implementation. WinPcap's API has a set of routines that an application uses to

request and carry out lower-level services performed by a computer's operating

system.

The WinPcap API consists of a dynamic link library containing a list of the functions

(refer to Appendix E). According to www.sabc.co.za/manual/ibm/9agloss.html, a

DLL is a file containing executable code and data bound to a program at load time or

run time, rather than at link time, and it can be loaded and executed by programs

dynamically. Several applications can share the code and data in a dynamic link

library simultaneously.

2.11 Summary

This chapter gives an overview of the relevant theory involved in the design and

implementation of this project with their references. An in-depth knowledge of this

theoretical background is a pre-requisite before any programming can begin since it

forms the basis for the project work.


CHAPTER THREE

Design and Implementation

3.0 Design Stages

The design and implementation of the software-based monitoring tool involved

several stages (some of which are elaborated in chapter four) as outlined below;

1. Developing an algorithm to use for capturing frames and analyzing captured

data.

2. Loading the system independent dynamic link library (wpcap.dll) into run-

time memory so as to exploit its functions, subroutines and data structures or

class descriptions.

3. Getting addresses of the library routines.

4. Compiling the source code for the monitoring tool based on the algorithm

developed.

5. Debugging errors and exceptions in the program source code.

6. Designing a simple peer-to-peer network to use as a test bed for the developed

software.

7. Simulating traffic conditions (for example data transfers across the peer-to-

peer network) and using the developed software to perform various tests and

evaluations for analysis of captured data.

8. Designing a user friendly GUI for the end-user.

3.1 Dynamic Link Library

Before the compilation of the program source code could begin, the

WinPcap API had to be loaded into memory (i.e. at run-time) so as to interface the

software-based monitoring tool with the low-level dynamic link library, "packet.dll".

3.1.1 Loading the Dynamic Link Library

The LoadLibrary function is an inbuilt Windows API function incorporated within

C++ Builder and was thus used to load the wpcap.dll into memory at run-time using

the following code snippet;

NB. All code in the program was compiled in C++ using Borland's C++ Builder

IDE.

HINSTANCE dllhandle = LoadLibrary("wpcap.dll");   /* handle to the loaded DLL, needed later by GetProcAddress */
if (dllhandle == NULL) { /* WinPcap not installed or wpcap.dll not found: report the error and stop */ }


3.1.2 Getting Function Addresses

Pointers to the individual DLL functions had to be declared in the function prototypes

since the DLL loads in a different memory space (i.e. at run-time) as illustrated in the

code snippet below;

NB. The function prototypes were declared using pointers.

int (*pcap_findalldevs_ex)(char *source, struct pcap_rmtauth *auth, pcap_if_t **alldevs, char *errbuf);

A list of all the functions exported by wpcap.dll is shown in Appendix E.

After declaring the individual functions to be exported by the DLL, function addresses

were obtained using the code snippet shown below for each individual function.

/* dllhandle is the HINSTANCE returned by LoadLibrary in section 3.1.1; GetProcAddress takes that handle, not the DLL file name */
pcap_findalldevs_ex = (int (*)(char *, struct pcap_rmtauth *, pcap_if_t **, char *))GetProcAddress(dllhandle, "pcap_findalldevs_ex");
if (pcap_findalldevs_ex == NULL) { /* export not present in the loaded library: report the error before attempting a capture */ }

A brief summary of the functions exported from wpcap.dll is shown in table 1 below;

Function Name            Function Description

pcap_compile( )          Compiles a packet filter by converting a high-level filtering expression in the monitoring program to a form that can be interpreted by the kernel-level filtering engine.

pcap_datalink( )         Returns the link layer of an adapter, e.g. dial-up or network adapter (NIC).

pcap_dump( )             Saves the contents of frames to the disk, i.e. dumping.

pcap_dump_open( )        Opens a file to write the contents of frames to.

pcap_findalldevs_ex( )   Creates a list of network devices to open with pcap_open.

pcap_freealldevs( )      Frees an interface list returned by pcap_findalldevs.

pcap_geterr( )           Returns the error text pertaining to the last pcap library error.

pcap_loop( )             Collects a group of frames.

pcap_next_ex( )          Reads a frame from an interface or from an offline capture.

pcap_open( )             Opens a generic source in order to capture.

pcap_setfilter( )        Associates a filter to a capture.

pcap_setmode( )          Sets the working mode of the interface.

pcap_stats_ex( )         Returns statistics on the current capture.

Table 1: Table of Functions


3.2 Program Algorithm

A program flowchart was developed as illustrated in figure 8 below to ease the task of

developing the source code.

Figure 8: Program Algorithm

Note: The dotted sections of the flow chart were not successfully implemented in the

program code as stated in the limitations in chapter four.


3.3 High-Level Programming

The source code for the program was developed using Borland's C++ Builder 6.0

Integrated Development Environment (IDE). An IDE is a GUI workbench for

developing code, featuring facilities like symbolic debugging, version control, and

data-structure browsing.

Borland's C++ Builder 6.0 IDE combines the editor, compiler, debugger and other

useful tools in the same software package. The source code was therefore compiled

with the aid of the algorithm illustrated previously in figure 8.

The debugging process was also simplified using the Builder IDE and a list of imported

functions generated using the MS-DOS command-line tool IMPDEF.exe. Another

useful command-line tool used, COFF2OMF.exe, converts a COFF import library

file (input file) to a corresponding OMF import library file (output file). Both these

tools are located in the C++ Builder BIN directory.

3.4 Graphical User Interface

After ensuring that there were no compile/run-time errors and the code was

performing its design function, a GUI was designed as shown in figure 9 below.

Figure 9: Graphical User Interface

Figure 9 callout: example of the list of interfaces resident on the machine, obtained using pcap_findalldevs_ex().

Figure 10 below is an illustration of how the graphical output statistics of a frame

capture session are displayed.

Figure 10: Graphical Capture Statistics

The bytes sent/received, as captured by the software, are plotted against time in

milliseconds for a network administrator to analyze.

The bandwidth formulas in figures 1 and 2 were used to calculate the throughput rate

obtained in figure 10 above. File sizes are extracted in software from the data fields

of the individually captured frames, along with their time stamp values.
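As an added example that is not part of the original report, the following C code shows the user-level analysis described here and in section 4.1.3: it decodes source/destination addresses, ports and header lengths from the data field of each captured frame (every read is bounds-checked against caplen, so a truncated capture is skipped rather than read past), bins the bytes sent/received by the monitored host against time in milliseconds, and derives each bin's throughput in bytes per second. The frame_t header is a stand-in for WinPcap's pcap_pkthdr, the sample frames and the 500 ms bin width are constructed here, and the addresses 192.168.0.4 and 192.168.0.3 are those of the report's test bed; WinPcap itself is not used.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for WinPcap's pcap_pkthdr (time stamp, caplen, len) plus the frame bytes. */
typedef struct { long ts_sec, ts_usec; unsigned caplen, len; const uint8_t *data; } frame_t;
/* Fields the tool extracts from a frame's data field; ok is 1 only if every header was captured. */
typedef struct {
    uint32_t src_ip, dst_ip; uint16_t src_port, dst_port;
    unsigned ip_hlen, tcp_hlen;   /* header lengths reported in the capture statistics */
    int ok;
} frame_info_t;

/* Decode Ethernet II + IPv4 + TCP headers; every read is bounds-checked against caplen. */
frame_info_t decode_frame(const frame_t *f) {
    frame_info_t in = {0}; const uint8_t *p = f->data;
    if (f->caplen < 34 || p[12] != 0x08 || p[13] != 0x00) return in;   /* IPv4 EtherType only */
    const uint8_t *ip = p + 14; unsigned ihl = (ip[0] & 0x0f) * 4u;
    if ((ip[0] >> 4) != 4 || ihl < 20 || f->caplen < 14 + ihl + 20 || ip[9] != 6) return in;
    const uint8_t *tcp = ip + ihl; unsigned thl = (tcp[12] >> 4) * 4u;
    if (thl < 20 || f->caplen < 14 + ihl + thl) return in;
    in.src_ip = (uint32_t)ip[12] << 24 | (uint32_t)ip[13] << 16 | (uint32_t)ip[14] << 8 | ip[15];
    in.dst_ip = (uint32_t)ip[16] << 24 | (uint32_t)ip[17] << 16 | (uint32_t)ip[18] << 8 | ip[19];
    in.src_port = (uint16_t)(tcp[0] << 8 | tcp[1]); in.dst_port = (uint16_t)(tcp[2] << 8 | tcp[3]);
    in.ip_hlen = ihl; in.tcp_hlen = thl; in.ok = 1;
    return in;
}

#define MAX_BINS 16
/* Bytes sent/received by the monitored host per time bin: the series plotted in figure 10. */
typedef struct { unsigned long sent[MAX_BINS], recv[MAX_BINS]; long t0_ms; unsigned nbins; } capture_stats_t;
static long ts_ms(const frame_t *f) { return f->ts_sec * 1000L + f->ts_usec / 1000L; }

/* Bin bytes sent/received by host_ip into bin_ms-wide slots; returns the number of frames counted. */
int accumulate_stats(const frame_t *frames, size_t n, uint32_t host_ip, long bin_ms, capture_stats_t *st) {
    int counted = 0;
    memset(st, 0, sizeof *st);
    for (size_t i = 0; i < n; i++) {
        frame_info_t fi = decode_frame(&frames[i]);
        if (!fi.ok) continue;                                /* truncated or non-TCP/IPv4 frame */
        if (counted == 0) st->t0_ms = ts_ms(&frames[i]);     /* first decoded frame is t = 0 */
        long rel = ts_ms(&frames[i]) - st->t0_ms;
        if (rel < 0 || rel / bin_ms >= MAX_BINS) continue;   /* out of order or past the window */
        size_t bin = (size_t)(rel / bin_ms);
        if (fi.src_ip == host_ip) st->sent[bin] += frames[i].len;
        else if (fi.dst_ip == host_ip) st->recv[bin] += frames[i].len;
        else continue;                                       /* traffic not involving the host */
        if (bin + 1 > st->nbins) st->nbins = (unsigned)(bin + 1);
        counted++;
    }
    return counted;
}

/* Throughput of one bin in bytes per second: bytes divided by the bin width in seconds. */
double bin_throughput_bps(unsigned long bytes, long bin_ms) { return bytes * 1000.0 / bin_ms; }

/* Build a constructed Ethernet/IPv4/TCP frame carrying payload_len payload bytes; returns its length. */
unsigned make_tcp_frame(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, unsigned payload_len) {
    unsigned total = 14 + 20 + 20 + payload_len;
    uint8_t *ip = buf + 14, *tcp = ip + 20;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;          /* EtherType IPv4 */
    ip[0] = 0x45; ip[9] = 6;                 /* version 4, IHL 5 words, protocol TCP */
    for (int i = 0; i < 4; i++) { ip[12 + i] = (uint8_t)(src >> (24 - 8 * i)); ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport; tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                          /* data offset 5 words */
    return total;
}

/* Constructed sample session on the report's test bed: host 192.168.0.4 exchanging data with 192.168.0.3. */
int run_sample_session(capture_stats_t *st) {
    static uint8_t buf[6][1600];
    const uint32_t host = 0xC0A80004u, peer = 0xC0A80003u, other = 0xC0A80009u;
    frame_t fr[6]; unsigned n;
    n = make_tcp_frame(buf[0], host, peer, 1025, 445, 100);  fr[0] = (frame_t){0, 0, n, n, buf[0]};
    n = make_tcp_frame(buf[1], peer, host, 445, 1025, 1000); fr[1] = (frame_t){0, 120000, n, n, buf[1]};
    n = make_tcp_frame(buf[2], host, peer, 1025, 445, 500);  fr[2] = (frame_t){0, 600000, n, n, buf[2]};
    n = make_tcp_frame(buf[3], peer, other, 445, 2000, 10);  fr[3] = (frame_t){0, 700000, n, n, buf[3]};   /* not the host's */
    n = make_tcp_frame(buf[4], peer, host, 445, 1025, 300);  fr[4] = (frame_t){0, 800000, 20, n, buf[4]};  /* caplen truncated */
    n = make_tcp_frame(buf[5], peer, host, 445, 1025, 200);  fr[5] = (frame_t){0, 900000, n, n, buf[5]};
    return accumulate_stats(fr, 6, host, 500, st);           /* 500 ms bins */
}
```

The sample session counts four frames: the frame between two other hosts and the truncated frame are skipped, and the two 500 ms bins hold the host's sent/received byte totals from which the plotted throughput follows.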

3.4 Summary

This chapter summarizes how the design and implementation of the project were

undertaken so as to achieve the desired results. It also presents an illustration of how the

GUI of the software interface appears, alongside its functionality.

Figure 10 callout: capture statistics displayed graphically, i.e. Bytes Sent/Received (vertical axis) versus Time in milliseconds (horizontal axis).

CHAPTER FOUR

Testing and Evaluation

4.0 Test Bed Design

The test bed used in carrying out tests and evaluating the software monitoring tool's

performance was designed as the peer-to-peer network shown in figure 11

below, with the specified configuration settings.

Figure 11: Test Bed Setup

In order to run the Software-based Monitoring Tool and carry out a capture session,

WinPcap 4.0 had to be installed on the machine meant to monitor the network. A

cross-over cable was terminated using Cat5e Ethernet cable according to the cabling

standards (T568A and T568B) shown in tables 2 and 3 below.

Table 2: T568A Standard

Table 3: T568B Standard

Figure 11 contents: two PCs in workgroup TEST, one with IP address 192.168.0.4 and subnet mask 255.255.255.0, the other with IP address 192.168.0.3 and subnet mask 255.255.255.0, joined by a Cat5e cross-over cable terminated with RJ-45 pins.

One end of the cable was terminated with an RJ-45 pin using a crimping tool and the T568A standard

whilst the other end was terminated with another RJ-45 pin using the T568B standard.

Thereafter a cable tester was used to verify that the cross-over cable had been

properly terminated.

4.1 Evaluation of Results

The monitoring tool was tested on a peer-to-peer network which was set up as shown

previously in figure 11, with the WinPcap 4.0 driver installed on the machine where the

software resided. Results were obtained as follows.

4.1.1 Captured Devices

Figure 12: Captured devices

From the illustration in figure 12 above, the software was able to capture the list of

Network Devices resident on the machine when run on a PC with the following

specifications;


System:

Microsoft Windows XP Professional

Version 2002

Computer:

Intel(R)

Celeron(R) CPU 2.40 GHz

384 MB of RAM

Network Cards

Realtek RTL8139/810X Family PCI Fast Ethernet NIC

4.1.2 IP Information

The monitoring tool was also able to capture IP address information as illustrated in

figure 13 below.

Figure 13: IP address information


4.1.3 Capture Statistics

The actual capture session consisted of gathering statistics like time stamps, header

lengths and header time values as shown in the snapshot figure 14 below;

Figure 14: Captured statistics information

4.2 Applications

The developed software operates mainly in Ethernet and FDDI networks and therefore

has a variety of applications.

Some practical applications of the software designed are as follows;

a) It can be used in Internet Cafés by network administrators.

b) The software can also be used in corporate organizational intranets.

c) The software can be used to ensure network security.

d) End-users can also find the software useful in evaluating how the network is

performing.


4.3 Limitations

The limitations encountered while carrying out the design and implementation of the

project included the following;

The public API WinPcap had limited capabilities in terms of capturing data.

Since capturing of frames was limited to promiscuous mode, the software is

thus most efficient when implemented in networks utilizing shared media

devices like Hubs.

There was no readily available access of a TCP/IP network to use as a test bed

when analyzing the designed software's functionality.

WinPcap does not offer support for Token Ring networks.

Time and funds were also another limiting factor hindering the designer/researcher in

exploiting the software's potential to greater depths.

4.4 Scheduling of Tasks

The scheduling of tasks required for completion of the project was carried out

systematically using a work breakdown structure as illustrated in appendix B. A

Tracking Gantt chart is also included in Appendix C with a clearer picture of how the

activities were carried out and the allocation of resources.

4.5 Project Costing

The cost of the project activities in entirety from inception to completion amounted to

a total of UgX 1,051,000. A detailed description of the costing for the project items

is included in Appendix A. Where necessary however, improvising was done so as not

to lose track of the project's time frame target.

Note: The reader must bear in mind that the costs involved in designing, testing and

implementing all the project activities as stated are not representative of the

actual cost of the designed "Software-based Monitoring Tool".

4.6 Summary

This chapter summarizes how the testing of the software and evaluation of the

captured data was carried out so as to ensure the monitoring tool was operating to the

desired or acceptable levels in accordance with its objectives. It also lists the possible

applications of the monitoring tool and its limitations, and gives a summary of how project

work was broken down to achieve the desired objectives.


CONCLUSION

In any network segment, it is expected that end-users will contribute equal or unequal

amounts of the overall bandwidth capacity available. However, because bandwidth is

a limited and costly resource, constant monitoring of its usage is essential in

maintaining optimal network performance efficiency. The Software-based Monitoring

tool designed was thus able to satisfy its aim and specific objectives though with some

limitations as earlier stated in Chapter four.

This software was tested on a peer-to-peer network and a shared dial-up internet

connection with the intention of discovering common network performance problems

and developing innovative solutions to the problems that were identified. It must

be stated however that the Software-based Monitor is an informative tool meant for

network administrators to use in identifying network bottlenecks and thereafter take

corrective action.

The following are the achievements which have been made in this project using the

designed software. The monitoring tool was able to obtain;

i) IP address configuration information for the PC in use.

IP address of PC

Address Family number in use on PC

Address Family name in use on PC

Subnet mask of PC in both decimal and IP address form

Broadcast address of PC

ii) Frame capture statistics including the following:

Header lengths

Header time values

Time stamps of the frames transiting the network

iii) Extraction of source and destination information of PCs in a particular

network segment including the following

Active ports i.e. for the source and destination PCs

Source IP address

Destination IP Address


From the project costing (Appendix A) and comparative studies carried out about

existing monitoring solutions, it can thus be stated that the software-based monitoring

approach is generally much cheaper than the hardware alternative.

Software monitoring tools also offer the added advantage of flexibility in design and

maintenance work and costs. This is because software can be easily re-customized to

user-specific needs so as to meet future demands.


RECOMMENDATIONS

Considering the conclusions drawn from the project work, a number of

recommendations can be made as regards the project in question as follows;

Best results are obtained when the Software-based Monitoring tool is run on

network segments utilizing hubs or shared media.

Being a versatile tool with a user-friendly interface, I would recommend this

software to be used by network administrators monitoring various network

segments e.g. in Internet Cafés.

Further Research

Shortfalls/limitations in the software-based approach were discussed in Chapter four's

limitations with the hope of laying out a framework for future development of this

project to set off and perhaps provide a more complete and robust solution to the

problem.

Since the software is intended to be open source, I recommend this project for further

research so as to exploit its full potential. The source code can be obtained upon

request in writing using the researcher's email indicated at the end of the abstract.


BIBLIOGRAPHY

Textbook References

1. Allan Dix, (1996), UNIX Network Programming with TCP/IP.

2. Aptech Worldwide, (2000), Logic Building with C, New Jersey.

3. H. Gilbert, (1995), Introduction to TCP/IP, PCLT.

4. Jesse Liberty, (1998), Teach Yourself C++ Programming in 21 Days, Sams

Publishing, Indianapolis.

5. Marshall T. Rose, (1991), The Simple Book: An Introduction to Management

of TCP/IP-based Internets, Prentice-Hall.

6. Mike Pastore and Emmett Dulaney, (2004), Security+ Study Guide, (2nd

Edition), San Francisco.

7. Tim Parker, (2005), Teach Yourself TCP/IP in 14 Days, (2nd Edition), Sams

Publishing, Indianapolis.

8. Todd Lammle, (2005), CCNA: Cisco Certified Network Associate Study

Guide, (5th Edition), San Francisco.

9. V. Jacobson, C. Leres and S. McCanne, (1994), Libpcap, (1st Edition),

Lawrence Berkeley Laboratory, Berkeley, California.

Catalogues

1. S. McCanne and V. Jacobson, (2003), The BSD Packet Filter: A New

Architecture for User-level Packet Capture, Proceedings of the 1993 Winter

USENIX Technical Conference, San Diego, CA.

Technical Reports and Journals

1. Guy Antony Halse, (2003), Novel Approaches to the Monitoring of Computer

Networks, Master's Thesis, Rhodes University, South Africa.

2. John Briscoe, (2000), Understanding the OSI 7-layer model

3. Loris Degioanni, (2000), Development of an Architecture for Packet Capture

and Network Traffic Analysis, Politecnico di Torino, Turin, Italy.

4. Loris Degioanni, Mario Baldi, Fulvio Risso and Gianluca Varenni, (2003),

Profiling and Optimization of Software-Based Network Analysis Applications,

Proceedings of the 15th IEEE Symposium on Computer Architecture and High

Performance Computing, Sao Paulo, Brazil.


Websites

1. en.wikipedia.org/wiki/networkmonitoring

2. http://lastbit.com/trafmeter

3. http://netgroup/winpcap

4. http://winpcap.mirror.ethereal.com/misc/faq.htm

5. http://www.cisco.netacad.net

6. http://www.codeproject.com, http://erwan.l.free.fr

7. http://www.hcibook.com/alan

8. http://www.hiraeth.com/alan/tutorials

9. http://www.iec.org

10. http://www.nirsoft.net

11. http://www.solarwinds.net

12. http://www.tcpdump.org/wpcap.html

13. http://www.winpcap.org

14. http://www.winpcap.org/docs

15. nhse.cs.rice.edu/nhsereview/cms/chapter6.html

16. www.100best-web-hosting.com/termn.html

17. www.course.com/careers/glossary/programming.cfm

18. www.faqs.org/docs/artu/apa.html

19. www.sabc.co.za/manual/ibm/9agloss.html

Manuals

1. Borland's C++ Builder 6.0 Help Files

2. Microsoft/Windows Standard Development Kit (SDK)

3. The WinPcap Team, (2007), WinPcap Documentation 4.0, CACE

Technologies, Politecnico di Torino, Turin, Italy.


APPENDICES

Appendix A: Project Costing

Item Qty Unit (UgX) Total (UgX)

Computer 1 set 750,000 750,000

C++ Builder 1 100,000 100,000

RJ-45 pins 6 pcs 500 3,000

Ethernet cable (CAT 5e) 8 meters 1,000 8,000

Cable Tester 1 pc 55,000 60,000

Network Interface Cards 2 pcs 15,000 40,000

Crimping tool 1 pc 35,000 30,000

Internet time 20 hrs 25 30,000

Transport 1 30,000 30,000

TOTAL 1,051,000


Appendix B: Work Breakdown Structure


Appendix C: Tracking Gantt chart


Appendix D: Well Known Port Numbers

Port No   Port Name   Description

1 TCPMUX TCP Port Service Multiplexer

5 RJE Remote Job Entry

7 ECHO

9 DISCARD

11 USERS Active Users

13 DAYTIME

17 Quote of the Day

19 CHARGEN Character Generator

20 FTP-DATA File Transfer (Data Channel)

21 FTP File Transfer (Control Channel)

23 TELNET

25 SMTP Simple Mail Transfer

27 NSW-FE NSW User System FE

29 MSG-ICP

31 MSG-AUTH MSG Authentication

33 DSP Display Support Protocol

35 Private Printer Server

37 TIME

39 RLP Resource Location Protocol

41 GRAPHICS

42 NAMESERVER Host Name Server

43 NICNAME Who Is

49 LOGIN Host Protocol

53 DOMAIN Name Server

67 BOOTPS Bootstrap Protocol Server

68 BOOTPC Bootstrap Protocol Client

69 TFTP Trivial File Transfer Protocol

79 FINGER

101 HOSTNAME NIC Host Name Server

102 ISO-TSAP ISO TSAP

103 X400 X.400

104 X400SND X.400 SND


105 CSNET-NS CSNET Mailbox Name Server

109 POP2 Post Office Protocol v2

110 POP3 Post Office Protocol v3

111 SUNRPC SUN RPC Portmap

137 NETBIOS-NS NETBIOS Name Service

138 NETBIOS-DGM NETBIOS Datagram Service

139 NETBIOS-SSN NETBIOS Session Service

146 ISO-TP0

147 ISO-IP

150 SQL-NET

153 SGMP

156 SQLSRV SQL Service

160 SGMP-TRAPS SGMP Traps

161 SNMP

162 SNMPTRAP

163 CMIP-MANAGE CMIP/TCP Manager

164 CMIP-AGENT CMIP/TCP Agent

165 XNS-COURIER Xerox Network

179 BGP Border Gateway Protocol


Appendix E: Exported WinPcap Functions

Function Name   Function Address

bpf_dump @1 bpf_dump

bpf_filter @2 bpf_filter

bpf_image @3 bpf_image

bpf_validate @4 bpf_validate

endservent @5 endservent

eproto_db @6 eproto_db

getservent @7 getservent

install_bpf_program @8 install_bpf_program

pcap_breakloop @9 pcap_breakloop

pcap_close @10 pcap_close

pcap_compile @11 pcap_compile

pcap_compile_nopcap @12 pcap_compile_nopcap

pcap_createsrcstr @13 pcap_createsrcstr

pcap_datalink @14 pcap_datalink

pcap_datalink_name_to_val @15 pcap_datalink_name_to_val

pcap_datalink_val_to_description @16 pcap_datalink_val_to_description

pcap_datalink_val_to_name @17 pcap_datalink_val_to_name

pcap_dispatch @18 pcap_dispatch

pcap_dump @19 pcap_dump

pcap_dump_close @20 pcap_dump_close

pcap_dump_file @21 pcap_dump_file

pcap_dump_flush @22 pcap_dump_flush

pcap_dump_ftell @23 pcap_dump_ftell

pcap_dump_open @24 pcap_dump_open

pcap_file @25 pcap_file

pcap_fileno @26 pcap_fileno

pcap_findalldevs @27 pcap_findalldevs

pcap_findalldevs_ex @28 pcap_findalldevs_ex

pcap_freealldevs @29 pcap_freealldevs

pcap_freecode @30 pcap_freecode

pcap_get_airpcap_handle @31 pcap_get_airpcap_handle

pcap_geterr @32 pcap_geterr


pcap_getevent @33 pcap_getevent

pcap_getnonblock @34 pcap_getnonblock

pcap_is_swapped @35 pcap_is_swapped

pcap_lib_version @36 pcap_lib_version

pcap_list_datalinks @37 pcap_list_datalinks

pcap_live_dump @38 pcap_live_dump

pcap_live_dump_ended @39 pcap_live_dump_ended

pcap_lookupdev @40 pcap_lookupdev

pcap_lookupnet @41 pcap_lookupnet

pcap_loop @42 pcap_loop

pcap_major_version @43 pcap_major_version

pcap_minor_version @44 pcap_minor_version

pcap_next @45 pcap_next

pcap_next_etherent @46 pcap_next_etherent

pcap_next_ex @47 pcap_next_ex

pcap_offline_filter @48 pcap_offline_filter

pcap_offline_read @49 pcap_offline_read

pcap_open @50 pcap_open

pcap_open_dead @51 pcap_open_dead

pcap_open_live @52 pcap_open_live

pcap_open_offline @53 pcap_open_offline

pcap_parsesrcstr @54 pcap_parsesrcstr

pcap_perror @55 pcap_perror

pcap_read @56 pcap_read

pcap_remoteact_accept @57 pcap_remoteact_accept

pcap_remoteact_cleanup @58 pcap_remoteact_cleanup

pcap_remoteact_close @59 pcap_remoteact_close

pcap_remoteact_list @60 pcap_remoteact_list

pcap_sendpacket @61 pcap_sendpacket

pcap_sendqueue_alloc @62 pcap_sendqueue_alloc

pcap_sendqueue_destroy @63 pcap_sendqueue_destroy

pcap_sendqueue_queue @64 pcap_sendqueue_queue

pcap_sendqueue_transmit @65 pcap_sendqueue_transmit

pcap_set_datalink @66 pcap_set_datalink

pcap_setbuff @67 pcap_setbuff

pcap_setfilter @68 pcap_setfilter


pcap_setmintocopy @69 pcap_setmintocopy

pcap_setmode @70 pcap_setmode

pcap_setnonblock @71 pcap_setnonblock

pcap_setsampling @72 pcap_setsampling

pcap_setuserbuffer @73 pcap_setuserbuffer

pcap_snapshot @74 pcap_snapshot

pcap_stats @75 pcap_stats

pcap_stats_ex @76 pcap_stats_ex

pcap_strerror @77 pcap_strerror

wsockinit @78 wsockinit