1.

INTRODUCTION
1.1 ABSTRACT
This project is intended to develop a tool called Packet Sniffer. The Packet
Sniffer allows the computer to examine and analyze all the traffic passing by its
network connection. It decodes the network traffic and makes sense of it.
When it is set up on a computer, the network interface of the computer is set
to promiscuous mode, listening to all the traffic on the network rather than just those
packets destined for it. Packet Sniffer is a tool that sniffs without modifying the
networks packet in anyway. It merely makes a copy of each packet flowing through
the network interface and finds the source and destination Ethernet addresses of the
packets. It decodes the protocols in the packets given below:
IP (Internet Protocol), TCP (Transmission Control Protocol), UDP (User
Datagram Protocol).
The output is appended into normal text file, so that the network administrator
can understand the network traffic and later analyze it.

1.2 ORGANIZATION PROFILE

Vijay technologies established in 2009. It has registered office at Dwaraka
Nagar, Visakhapatnam-16. It has three strategic service groups specifically Software
Development, Web Hosting and Training.
Vijay technologies development division has attained reputation for providing
customized business applications for RDBMS applications offering a full range of IT
solutions on various platforms. It is specialized in providing Business solutions for
industries of varied sizes, simple solutions that is the result of combining technology
with the best personnel.
Our technology expertise is in the design and development of applications
software in Client Server and ERP-computing environment under various RDBMS
platforms such as Oracle, Oracle DBA and Sql Server, using GUI Tools like
Developer 2000, Visual Basic, VB.Net, ASP.Net, C#.Net, Java, Reusable Active A
component and Web applications.
We also participate in a number of Vendors testing Programs allowing us to
evaluate emerging technologies and their application to our clients need for the entire
project life cycle.
Vijay Technologies has been designed by leading Academicians and software
Professionals from the IT industries keeping in view the increasing demand for
software professionals.
Requirements of the IT industry the curriculum is built in away to bridge the
gap between the technology and resources.
As the industries are focusing on Vijay Technologies Resources planning,
Vijay Technologies have started training its student in the Web Technologies and
internet concepts giving orientation towards e-commerce.
Vijay Technologies offers training programs in products of Microsoft, Oracle,
Borland and Sun. On average, 100-150 students graduate from our institute every
month.
2

2. SYSTEM STUDY
2.1 Introduction to Packet Sniffers:
A Packet Sniffer is a program that can see all of the information passing over
the network it is connected to. A Packet Sniffer is a Wire-tapping device that plugs
into computer Networks and eavesdrop on the network traffic.
A packet sniffer (also known as a network analyzer or protocol analyzer or, for
particular types of networks, an Ethernet sniffer or wireless sniffer) is computer
software that can intercept and log traffic passing over a digital network or part of a
network. As data streams flow across the network, the sniffer captures each packet
and eventually decodes and analyzes its content.
Most Ethernet networks use to be of a common bus topology, using either
coax cable or twisted pair wire and a hub. All of the nodes (computers and other
devices) on the network could communicate over the same wires and take turns
sending data using a scheme known as carrier sense multiple access with collision
detection (CSMA/CD). Think of CSMA/CD as being like a conversation at a loud
party, you may have to wait for quite a spell for your chance to get your words in
during a lull in everybody elses conversation. All of the nodes on the network have
their own unique MAC (media access control) address that they use to send packets of
information to each other. Normally a node would only look at the packets that are
destined for its MAC address. However, if the network card is put into what is known
as promiscuous mode it will look at all of the packets on the wires it is hooked to.

2.2 TCP/IP Protocols:

Background:
The Internet protocols are the world's most popular open-system
(nonproprietary) protocol suite because they can be used to communicate across any
set of interconnected networks and are equally well suited for LAN and WAN
communications. The Internet protocols consist of a suite of communication
protocols, of which the two best known are the Transmission Control Protocol (TCP)
and the Internet Protocol (IP). The Internet protocol suite not only includes lower3

layer protocols (such as TCP and IP), but it also specifies common applications such
as electronic mail, terminal emulation, and file transfer. This document provides a
broad introduction to specifications that comprise the Internet protocols.
Internet protocols were first developed in the mid-1970s, when the Defense
Advanced Research Projects Agency (DARPA) became interested in establishing a
packet-switched network that would facilitate communication between dissimilar
computer systems at research institutions. With the goal of heterogeneous
connectivity in mind, DARPA funded research by Stanford University and Bolt,
Beranek, and Newman (BBN). The result of this development effort was the Internet
protocol suite, completed in the late 1970s.
Documentation of the Internet protocols (including new or revised protocols)
and policies are specified in technical reports called Request for Comments (RFCs),
which are published and then reviewed and analyzed by the Internet community.
Protocol refinements are published in the new RFCs. To illustrate the scope of the
Internet protocols, Figure 1. Maps many of the protocols of the Internet protocol suite
and their corresponding OSI layers.

OSI model

Internet protocol suite

NFS

Application
FTP,
Presentation
Session
Transport
Network
Data Link
Physical

RPC

Telnet,
XDR

SMTP,
SNMP

TCP, UDP

IP

ICMP
ARP

RARP

Not Specified

Fig 1: Internet protocols span the complete range of OSI model layers.
The Internet Protocol (IP) is a network-layer (Layer 3) protocol that contains
addressing information and some control information that enables packets to be
routed. IP is the primary network-layer protocol in the Internet protocol suite. Along
with the Transmission Control Protocol (TCP), IP represents the heart of the Internet
protocols. IP has two primary responsibilities: providing connectionless, best-effort
delivery of data grams through an inter-network; and providing fragmentation and
reassembly of data grams to support data links with different maximum-transmission
unit (MTU) sizes.

IP Packet Format:
An IP packet contains several types of information, as illustrated in
5

Version

IHL

Time to live

Type of Service
Protocol

Identification

Total length

Header checksum
Flags Fragment Offset

Source Address
Destination Address
Options (+padding)
Data (variable)

Fig 2: Fourteen fields comprise an IP packet.

The following discussion describes the IP packet fields illustrated in Figure.2

Version Indicates the version of IP currently used.

IP Header Length (IHL) Indicates the datagram header length in 32-bit

words.

Type-of-Service Specifies how an upper-layer protocol would like a current

datagram to be handled, and assigns data grams various levels of importance.

Total Length Specifies the length, in bytes, of the entire IP packet,

including the data and header.

Identification Contains an integer that identifies the current datagram. This

field is used to help piece together datagram fragments.

Flags Consists of a 3-bit field of which the two low-order (leastsignificant) bits control fragmentation. The low-order bit specifies whether the
packet can be fragmented. The middle bit specifies whether the packet is the
last fragment in a series of fragmented packets. The third or high-order bit is
not used.

Fragment Offset Indicates the position of the fragment's data relative to the
beginning of the data in the original datagram, which allows the destination IP
process to properly reconstruct the original datagram.

Time-to-Live Maintains a counter that gradually decrements down to zero,

at which point the datagram is discarded. This keeps packets from looping
endlessly.

Protocol Indicates which upper-layer protocol receives incoming packets

after IP processing is complete.

Header Checksum Helps ensure IP header integrity.

Source Address Specifies the sending node.

Destination Address Specifies the receiving node.

Options Allows IP to support various options, such as security.

Data Contains upper-layer information.

IP Addressing:
As with any other network-layer protocol, the IP addressing scheme is integral
to the process of routing IP datagram through an inter-network. Each IP address has
specific components and follows a basic format. These IP addresses can be subdivided
and used to create addresses for sub-networks.
Each host on a TCP/IP network is assigned a unique 32-bit logical address that
is divided into two main parts: the network number and the host number. The network
number identifies a network and must be assigned by the Internet Network
Information Center (InterNIC) if the network is to be part of the Internet. An Internet
Service Provider (ISP) can obtain blocks of network addresses from the InterNIC and
can itself assign address space as necessary. The host number identifies a host on a
network and is assigned by the local network administrator.

IP Address Format:
The 32-bit IP address is grouped eight bits at a time, separated by dots, and
represented in decimal format (known as dotted decimal notation). Each bit in the
octet has a binary weight (128, 64, 32, 16, 8, 4, 2, 1). The minimum value for an octet
is 0, and the maximum value for an octet is 255. Figure.3 illustrates the basic format
of an IP address.
Fig 3: An IP address consists of 32 bits, grouped into four octets.
32Bits
Network

Host

8bits

8bits

8bits

8bits

IP Address Classes:
IP addressing supports five different address classes: A, B, C, D, and E. only
classes A, B, and C are available for commercial use. The left-most (high-order) bits
indicate the network class.
Fig 4: IP address formats A, B, and C are available for commercial use.
No. of bits
Class A
Class B

24

0 Networks
1 0 Network

Host

Host

Host

Network

Host

Host

14
Class C

1 1 0 Network

16
Network

Network

21

Host

The class of address can be determined easily by examining the first octet of
the address and mapping that value to a class range in the following table. In an IP
address of 172.31.1.2, for example, the first octet is 172. Because 172 falls between
8

128 and 191, 172.31.1.2 is a Class B address. Figure 5 summarizes the range of
possible values for the first octet of each address class.
Fig 5: A range of possible values exists for the first octet of each address class.
Address Class

First Octet in

High-order Bits

Decimal
Class A

1 D 126

Class B

128 D 191

10

Class C

192 D 223

110

Class D

224 D 239

1110

Class E

240 D 254

1111

IP Subnet Addressing:
IP networks can be divided into smaller networks called sub-networks (or
subnets). Sub-netting provides the network administrator with several benefits,
including extra flexibility, more efficient use of network addresses, and the capability
to contain broadcast traffic (a broadcast will not cross a router).
Subnets are under local administration. As such, the outside world sees an
organization as a single network and has no detailed knowledge of the organization's
internal structure.
A given network address can be broken up into many sub networks. For
example, 172.16.1.0, 172.16.2.0, 172.16.3.0, and 172.16.4.0 are all subnets within
network 171.16.0.0. (All 0s in the host portion of an address specifies the entire
network.)
Address Resolution Protocol (ARP) Overview:
For two machines on a given network to communicate, they must know the
other machine's physical (or MAC) addresses. By broadcasting Address Resolution

Protocols (ARPs), a host can dynamically discover the MAC-layer address

corresponding to a particular IP network-layer address.
After receiving a MAC-layer address, IP devices create an ARP cache to store
the recently acquired IP-to-MAC address mapping, thus avoiding having to broadcast
ARPS when they want to re-contact a device. If the device does not respond within a
specified time frame, the cache entry is flushed.
In addition to the Reverse Address Resolution Protocol (RARP) is used to map
MAC-layer addresses to IP addresses. RARP, which is the logical inverse of ARP,
might be used by diskless workstations that do not know their IP addresses when they
boot. RARP relies on the presence of a RARP server with table entries of MAC-layerto-IP address mappings.
Internet Routing:
Internet routing devices traditionally have been called gateways. In today's
terminology, however, the term gateway refers specifically to a device that performs
application-layer protocol translation between devices. Interior gateways refer to
devices that perform these protocol functions between machines or networks under
the same administrative control or authority, such as a corporation's internal network.
These are known as autonomous systems. Exterior gateways perform protocol
functions between independent networks.
Routers within the Internet are organized hierarchically. Routers used for
information exchange within autonomous systems are called interior routers, which
use a variety of Interior Gateway Protocols (IGPs) to accomplish this purpose. The
Routing Information Protocol (RIP) is an example of an IGP.

Routers that move information between autonomous systems are called

exterior routers. These routers use an exterior gateway protocol to exchange
information between autonomous systems. The Border Gateway Protocol (BGP) is an
example of an exterior gateway protocol.

10

IP Routing:
IP routing protocols are dynamic. Dynamic routing calls for routes to be
calculated automatically at regular intervals by software in routing devices. This
contrasts with static routing, where routers are established by the network
administrator and do not change until the network administrator changes them.
An IP routing table, which consists of destination address/next hop pairs, is
used to enable dynamic routing. An entry in this table, for example, would be
interpreted as follows: to get to network 172.31.0.0, send the packet out Ethernet
interface 0 (E0).
IP routing specifies that IP datagrams travel through internetworks one hop at
a time. The entire route is not known at the onset of the journey, however. Instead, at
each stop, the next destination is calculated by matching the destination address
within the datagram with an entry in the current node's routing table.
Each node's involvement in the routing process is limited to forwarding
packets based on internal information. The nodes do not monitor whether the packets
get to their final destination, nor does IP provide for error reporting back to the source
when routing anomalies occur. This task is left to another Internet protocol, the
Internet Control-Message Protocol (ICMP), which is discussed in the following
section.
Internet Control Message Protocol (ICMP):
The Internet Control Message Protocol (ICMP) is a network-layer Internet
protocol that provides message packets to report errors and other information
regarding IP packet processing back to the source. ICMP is documented in RFC 792.
ICMP Messages:
ICMPs generate several kinds of useful messages, including Destination
Unreachable, Echo Request and Reply, Redirect, Time Exceeded, and Router
Advertisement and Router Solicitation. If an ICMP message cannot be delivered, no
second one is generated. This is to avoid an endless flood of ICMP messages.
11

When an ICMP destination-unreachable message is sent by a router, it means

that the router is unable to send the package to its final destination. The router then
discards the original packet. Two reasons exist for why a destination might be
unreachable. Most commonly, the source host has specified a nonexistent address.
Less frequently, the router does not have a route to the destination.
Destination-unreachable messages include four basic types: network
unreachable, host unreachable, protocol unreachable and port unreachable. Networkunreachable messages usually mean that a failure has occurred in the routing or
addressing of a packet. Host-unreachable messages usually indicate delivery failure,
such as a wrong subnet mask. Protocol-unreachable messages generally mean that the
destination does not support the upper-layer protocol specified in the packet. Portunreachable messages imply that the TCP socket or port is not available.
An ICMP echo-request message, which is generated by the ping command, is
sent by any host to test node reachability across an inter network. The ICMP echoreply message indicates that the node can be successfully reached.
An ICMP Redirect message is sent by the router to the source host to stimulate
more efficient routing. The router still forwards the original packet to the destination.
ICMP redirects allow host routing tables to remain small because it is necessary to
know the address of only one router, even if that router does not provide the best path.
Even after receiving an ICMP Redirect message, some devices might continue using
the less-efficient route.
The router sends an ICMP Time-exceeded message if an IP packet's Time-toLive field (expressed in hops or seconds) reaches zero. The Time-to-Live field
prevents packets from continuously circulating the internetwork if the internetwork
contains a routing loop. The router then discards the original packet.
Transmission Control Protocol (TCP):
The TCP provides reliable transmission of data in an IP environment. TCP
corresponds to the transport layer (Layer 4) of the OSI reference model. Among the
services TCP provides are stream data transfer, reliability, efficient flow control, fullduplex operation, and multiplexing.
12

With stream data transfer, TCP delivers an unstructured stream of bytes

identified by sequence numbers. This service benefits applications because they do
not have to chop data into blocks before handing it off to TCP. Instead, TCP groups
bytes into segments and passes them to IP for delivery.
TCP offers reliability by providing connection-oriented, end-to-end reliable
packet delivery through an internetwork. It does this by sequencing bytes with a
forwarding acknowledgment number that indicates to the destination the next byte the
source expects to receive. Bytes not acknowledged within a specified time period are
retransmitted. The reliability mechanism of TCP allows devices to deal with lost,
delayed, duplicate, or misread packets. A time-out mechanism allows devices to detect
lost packets and request retransmission.
TCP offers efficient flow control, which means that, when sending
acknowledgments back to the source, the receiving TCP process indicates the highest
sequence number it can receive without overflowing its internal buffers.
Full-duplex operation means that TCP processes can both send and receive at the
same time.
Finally, TCP's multiplexing means that numerous simultaneous upper-layer
conversations can be multiplexed over a single connection.
TCP Connection Establishment:
To use reliable transport services, TCP hosts must establish a connectionoriented session with one another. Connection establishment is performed by using a
"three-way handshake" mechanism.
A three-way handshake synchronizes both ends of a connection by allowing
both sides to agree upon initial sequence numbers. This mechanism also guarantees
that both sides are ready to transmit data and know that the other side is ready to
transmit as well. This is necessary so that packets are not transmitted or retransmitted
during session establishment or after session termination.

13

Each host randomly chooses a sequence number used to track bytes within the
stream it is sending and receiving. Then, the three-way handshake proceeds in the
following manner:
The first host (Host A) initiates a connection by sending a packet with the
initial sequence number (X) and SYN bit set to indicate a connection request. The
second host (Host B) receives the SYN, records the sequence number X, and replies
by acknowledging the SYN (with an ACK = X + 1). Host B includes its own initial
sequence number (SEQ = Y). An ACK = 20 means the host has received bytes 0
through 19 and expects byte 20 next. This technique is called forward
acknowledgment. Host A then acknowledges all bytes Host B sent with a forward
acknowledgment indicating the next byte Host A expects to receive (ACK = Y + 1).
Data transfer then can begin.
Positive Acknowledgment and Retransmission (PAR):
A simple transport protocol might implement a reliability-and-flow-control
technique where the source sends one packet, starts a timer, and waits for an
acknowledgment before sending a new packet. If the acknowledgment is not received
before the timer expires, the source retransmits the packet. Such a technique is called
positive acknowledgment and retransmission (PAR).
By assigning each packet a sequence number, PAR enables hosts to track lost
or duplicate packets caused by network delays that result in premature retransmission.
The sequence numbers are sent back in the acknowledgments so that the
acknowledgments can be tracked.
PAR is an inefficient use of bandwidth, however, because a host must wait for
an acknowledgment before sending a new packet, and only one packet can be sent at a
time.
TCP Sliding Window:
A TCP sliding window provides more efficient use of network bandwidth than
PAR because it enables hosts to send multiple bytes or packets before waiting for an
acknowledgment.
14

In TCP, the receiver specifies the current window size in every packet.
Because TCP provides a byte-stream connection, window sizes are expressed in bytes.
This means that a window is the number of data bytes that the sender is allowed to
send before waiting for an acknowledgment. Initial window sizes are indicated at
connection setup, but might vary throughout the data transfer to provide flow control.
A window size of zero, for instance, means "Send no data."
In a TCP sliding-window operation, for example, the sender might have a
sequence of bytes to send (numbered 1 to 10) to a receiver who has a window size of
five. The sender then would place a window around the first five bytes and transmit
them together. It would then wait for an acknowledgment.
The receiver would respond with an ACK = 6, indicating that it has received
bytes 1 to 5 and is expecting byte 6 next. In the same packet, the receiver would
indicate that its window size is 5. The sender then would move the sliding window
five bytes to the right and transmit bytes 6 to 10. The receiver would respond with an
ACK = 11, indicating that it is expecting sequenced byte 11 next. In this packet, the
receiver might indicate that its window size is 0 (because, for example, its internal
buffers are full). At this point, the sender cannot send any more bytes until the
receiver sends another packet with a window size greater than 0.

TCP Packet Format:

Figure 6 illustrate the fields and overall format of a TCP packet.
Twelve fields comprise a TCP packet.

Source port

Destination port

Sequence number
Acknowledge number
Data offset

Reserved

Flags

Checksum

Window
Urgent pointer

Options (+padding)
Data (variable)

15

TCP Packet Field Descriptions:

The following descriptions summarize the TCP packet fields illustrated in
Figure. 6
Source Port and Destination Port Identifies points at which upper-layer source
and destination processes receive TCP services.
Sequence Number Usually specifies the number assigned to the first byte of data
in the current message. In the connection-establishment phase, this field also can be
used to identify an initial sequence number to be used in an upcoming transmission.
Acknowledgment Number Contains the sequence number of the next byte of data
the sender of the packet expects to receive.
Data Offset Indicates the number of 32-bit words in the TCP header.
ReservedRemains reserved for future use.
Flags Carries a variety of control information, including the SYN and ACK bits
used for connection establishment, and the FIN bit used for connection termination.
Window Specifies the size of the sender's receive window (that is, the buffer space
available for incoming data).
Checksum Indicates whether the header was damaged in transit.
Urgent Pointer Points to the first urgent data byte in the packet.
Options Specifies various TCP options.
Data Contains upper-layer information.
16

User Datagram Protocol (UDP):

The User Datagram Protocol (UDP) is a connectionless transport-layer
protocol (Layer 4) that belongs to the Internet protocol family. UDP is basically an
interface between IP and upper-layer processes. UDP protocol ports distinguish
multiple applications running on a single device from one another.
Unlike the TCP, UDP adds no reliability, flow-control, or error-recovery
functions to IP. Because of UDP's simplicity, UDP headers contain fewer bytes and
consume less network overhead than TCP.
UDP is useful in situations where the reliability mechanisms of TCP are not
necessary, such as in cases where a higher-layer protocol might provide error and flow
control.
UDP is the transport protocol for several well-known application-layer
protocols, including Network File System (NFS), Simple Network Management
Protocol (SNMP), Domain Name System (DNS), and Trivial File Transfer Protocol
(TFTP).
The UDP packet format contains four fields, as shown in Figure 7. These
include source and destination ports, length, and checksum fields.

A UDP packet consists of four fields.

32 bits
Source Port

Destination Port

Length

checksum

Source and destination

ports contain the 16-bit
UDP protocol port numbers
Length
Checksum
used to de-multiplex datagrams for receiving application-layer processes. A length
field specifies the length of the UDP header and data. Checksum provides an
(optional) integrity check on the UDP header and data.

17

Internet Protocols: Application Layer Protocols

The Internet protocol suite includes many application-layer protocols that
represent a wide variety of applications, including the following:
File Transfer Protocol (FTP)Moves files between devices
Simple Network-Management Protocol (SNMP)Primarily reports anomalous
network conditions and sets network threshold values
TelnetServes as a terminal emulation protocol
X WindowsServes as a distributed windowing and graphics system used for
communication between X terminals and UNIX workstations
Network File System (NFS), External Data Representation (XDR), and Remote
Procedure Call (RPC)Work together to enable transparent access to remote
network resources
Simple Mail Transfer Protocol (SMTP)Provides electronic mail services
Domain Name System (DNS)Translates the names of network nodes into network
addresses.
The list of the higher-layer protocols and the applications that they support is as
follows:
Application

Protocols

File transfer

FTP

Terminal emulation

Telnet

Electronic mail

SMTP

Network management

SNMP

Distributed file services

NFS, XDR, RPC, X Windows

2.3 Importance of Packet Sniffers:

18

Computer administrators need Packet Sniffer to monitor their networks and

perform diagnostic tests or trouble shoot problems. It can be used to analyze the load
on the network and according to that administrator can redirect the traffic so that
packets flow across networks without leading to congestion. It is also used for
debugging by Programmers developing network related software. Anyone interested
in having a full picture of the traffic going through ones LAN segment can use the
Packet Sniffer. Packet Sniffer converts the data flowing in the network into human
readable format, so that people can read the traffic and understand it.
On wired broadcast LANs, depending on the network structure (hub or
switch), one can capture traffic on all or just parts of the traffic from a single machine
within the network; however, there are some methods to avoid traffic narrowing by
switches to gain access to traffic from other systems on the network (e.g. ARP
spoofing). For network monitoring purposes it may also be desirable to monitor all
data packets in a LAN by using a network switch with a so-called monitoring port,
whose purpose is to mirror all packets passing through all ports of the switch. When
systems (computers) are connected to a switch port rather than a hub the analyzer will
be unable to read the data due to the intrinsic nature of switched networks. In this case
a shadow port must be created in order for the sniffer to capture the data.
On wireless LANs, one can capture traffic on a particular channel.
On wired broadcast and wireless LANs, in order to capture traffic other than
unicast traffic sent to the machine running the sniffer software, multicast traffic sent to
a multicast group to which that machine is listening, and broadcast traffic, the
network adapter being used to capture the traffic must be put into promiscuous mode;
some sniffers support this, others don't. On wireless LANs, even if the adapter is in
promiscuous mode, packets not for the service set for which the adapter is configured
will usually be ignored; in order to see those packets, the adapter must be put into
monitor mode.
Uses of Sniffers:
Sniffing programs have been around for a long time in two forms. Commercial
packet sniffers are used to help maintain networks.
19

Typical uses of such programs include:

Automatic sniffing of clear-text passwords and usernames from the

network.

Conversion of data to human readable formats so that people can read the
traffic.

Fault analysis to discover problems in the network, such as why computer

A cant talk to computer B.

Performance analysis to discover network bottlenecks.

Network intrusion detection in order to discover hackers/crackers.

Network traffic logging, to create logs that hacker's can't break into and
erase.

Monitor network usage.

Debug client/server communications.

Debug network protocol implementations.

Example Uses:

A packet sniffer for a token ring network could detect that the token has
been lost or the presence of too many tokens (verifying the protocol).

A packet sniffer could detect that messages are being sent to a network
adapter; if the network adapter did not report receiving the messages then
this would localize the failure to the adapter.

A packet sniffer could detect excessive messages being sent by a port,

detecting an error in the implementation.

A packet sniffer could collect statistics on the amount of traffic (number

of messages) from a process detecting the need for more bandwidth or a
better method.

A packet sniffer could be used to extract messages and reassemble into a

complete form the traffic from a process, allowing it to be reverse
engineered.
20

A packet sniffer could be used to diagnose operating system connectivity

issues like web, ftp, sql, active directory, etc.

A packet sniffer could be used to analyze data sent to and from secure
systems in order to understand and circumvent security measures, for the
purposes of penetration testing or illegal activities.

A packet sniffer can passively capture data going between a web visitor
and the web servers decode it at the HTTP and HTML level and create
web log files as a substitute for server logs and page tagging for web
analytics.

2.4 Existing System:

In present as there are many sniffers are available in the market. They can be
freely downloaded from the internet. Some sniffers uses winpcap, others use libpcap
according to the platform on which they are working. If the platform is windows then
they are using winpcap, and if the platform is UNIX then they are using libpcap.

2.5 Proposed System:

Proposed system uses jpcap API in order to capture packets from the network.
Jpcap is a java library for capturing and sending network packets. Using Jpcap, you
can develop applications to capture packets from a network interface and
visualize/analyze them. Jpcap can capture Ethernet, IPv4, IPv6, ARP/RARP, TCP,
UDP, and ICMPv4 packets. Jpcap has been tested on Microsoft Windows
(98/2000/XP/Vista), Linux (Fedora, Mandriva, Ubuntu), Mac OS X (Darwin),
FreeBSD, and Solaris.
We can observe the old packets those were passed through the network in the
past. We can observe the DOS attacks.

21

3. SYSTEM ANALYSIS
3.1 Project Description:
This Project deals with a packet capture utility and Network monitoring. This
Project is useful to the Network Administrators to observe each and every incoming
packet for security enhancements. Irrespective of the Destination IP of incoming
packet the machine on which this project is running captures all packets .This Project
Keeps on differentiating the type of the entities which are there in Ethernet header.
The main program will have an infinite loop which keeps an eye on each and
every incoming packet. The moment it collects that packet it starts invoking
respective modules and those modules will internally redirects that information to
respective text files. The utilities used in this project are WinPcap and PacketX.
WinPcap:

22

In the field of computer network administration, pcap consists of an

application programming interface (API) for capturing network
traffic. Unix-like systems implement pcap in the libpcap library;
Windows uses a port of libpcap known as WinPcap.
Monitoring software may use libpcap and/or WinPcap to capture packets
traveling over a network and, in newer versions, to transmit packets on a network at
the link layer, as well as to get a list of network interfaces for possible use with
libpcap or WinPcap.
Libpcap and WinPcap also support saving captured packets to a file, and
reading files containing saved packets; applications can be written, using libpcap or
WinPcap, to be able to capture network traffic and analyze it, or to read a saved
capture and analyze it, using the same analysis code. A capture file saved in the
format that libpcap and WinPcap use can be read by applications that understand that
format.
Libpcap and WinPcap provide the packet-capture and filtering engines of
many open-source and commercial network tools, including protocol analyzers
(packet sniffers), network monitors, network intrusion detection systems, trafficgenerators and network-testers.
WinPcap consists of:
drivers for Windows 95/98/Me, and for the Windows NT family (Windows NT
4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista,
etc.), which use NDIS to read packets directly from a network adapter;
Implementations of a lower-level library for the listed operating systems, to
communicate with those drivers;
A port of libpcap that uses the API offered by the low-level library
implementations.
Programmers at the Politecnico di Torino wrote the original code; as of 2008
CACE Technologies, a company set up by some of the WinPcap developers, develops
and maintains the product.
23

PacketX:
PacketX class library integrates WinPcap packet capture functionality with
ActiveX programming and scripting languages. PacketX hides the low level
programming details by implementing simple class framework that can be used to
build networking applications with minimum effort and time. In brief, PacketX uses
WinPcap libraries to capture (and optionally filter) network packets. In addition to
standard capture mode you can collect network statistics and send raw packets. All
captured packets or statistics are encapsulated inside wrapper class and returned to
client as events. PacketX uses WinPcap Packet Driver API implemented by packet.dll
and BPF filtering support from pcap.dll. This means that you can use PacketX to
capture, send (and optionally filter) packets and collect network statistics. PacketX
cannot be used to block network traffic to build a firewall. The library contains an
ActiveX control that can be used from
RAD development tools like Microsoft Visual Basic or Borland Delphi. For
scripting languages there are corresponding lightweight COM classes.
Some of the classes are
PacketXClass
AdapterCollection
Adapter
Packet
_IPktXPacketXEvents_OnPacketEventHandler

3.2 Modules:
3.2.1

Login/logout for Admin:

Required to login and logout before and after access the Application for

Admin. Required username and password for security purpose just to identify them
selves.
3.2.2

Connecting with Different Server:

24

This is for the Admin, member of the Application have access to the
management administration Form. Management Admin can provide the IP Addresses
or Domain Name (Example news.microsoft.com) to connect Network news transfer
Protocol server,
3.2.3

Ping Information:
The ping utility is essentially a system administrator's tool that is used to see if

a computer is operating and if network connections are intact. Ping uses the Internet
Control Message Protocol (ICMP) Echo function which The ping utility verifies
connections to a remote computer or computers. You can use ping to test both the
computer name and the IP address. If the IP address is verified, but the computer
name is not, you may have a name resolution problem. In this case, make sure the
computer name you are querying is in either the local host file or in the DNS
database.

3.2.4

Hop Information:
Definition: In computer networking, a hop represents one portion of the path

between source and destination. When communicating over the Internet, for example,
data passes through a number of intermediate devices (like routers) rather than
flowing directly over a single wire. Each such device causes data to "hop" between
one point-to-point network connection and another.
3.2.5

Packet Information:
A packet is the unit of data that is routed between an origin and a destination on

the Internet or any other packet-switched network. When any file (e-mail message,
HTML file, Graphics Interchange Format file, Uniform Resource Locator request, and
so forth) is sent from one place to another on the Internet, the Transmission Control
Protocol (TCP) layer of TCP/IP divides the file into "chunks" of an efficient size for
routing. Each of these packets is separately numbered and includes the Internet
address of the destination. The individual packets for a given file may travel different

25

routes through the Internet. When they have all arrived, they are reassembled into the
original file (by the TCP layer at the receiving end).
3.2.6

NetStat Information:
The netstat command displays the protocol statistics and current TCP/IP

connections on the local system. Used without any switches, the netstat command
shows the active connections for all outbound TCP/IP connections. In addition,
several switches are available that change the type of information netstat displays.
Table 5 shows the various switches available for the netstat utility.
3.2.7 Trace Route Information:
The traceroute application will print the route that packets take in order to
arrive at a network host. It works by trying to elicit an ICMP TIME_EXCEEDED
response from each gateway along the path to a particular host. For this reason, the
times, which are actually returned

in the traceroute readout, are not actually reflective of the times that it requires
packets from another protocol such as telnet, SMTP, or FTP to arrive at the
destination and gateways along the route.
Usage:
This application is useful for determining whether a host is up and running on
the network and/or whether there is a host or gateway along the path that is not
passing along packets properly.

3.3 Software Requirements Specification:

This is the requirements document for the project. The system to be developed
is for capturing the packets flowing in the network and analyzes them. The
information in the various headers of the packets is to be extracted and saved into the
output file.

26

Introduction:
Purpose:
To develop a tool that easily analyzes the network traffic flow on that
particular system and to show the information for the administrator in human readable
format.
Scope:
This can be used by network administrators, organizations and by common
man who want to know the network flow, in and out, of the system and also save the
file for later analysis such as load on the system, network intrusion detection etc.
Developers Responsibilities Overview:
The developer is responsible for:

Developing the system.

Installing the software on the clients hardware.

General Description:
Product Functions Overview:
In a computer network every system can see all the packets flowing in the
network, but can capture the packets that are addressed to that particular system only.
But the product must be able to make a copy of all the packets flowing in the network,
which are address to it and also not address to it. The packet copied must be stored in
a buffer. Each packet has headers in which information about the packet will be stored
in a specified format. This information must be extracted and if necessary covert into
human readable form and store it in the output files.
User Characteristics:
The user of the system will be the systems administrator who controls and
configures the network traffic through the server.
27

General Constraints:
The system should have winpcap & packetx installed.
General assumptions and dependencies:
The assumption is that the packets moving in the networking are coming from
only Ethernet and not from any other like FDDI, etc.
3.3.1 Specific Requirements:
Inputs and Outputs:
Inputs: Raw packets flowing in the network of the system on which the Packet
Sniffer is installed.
Outputs: The output is stored in a file.
Functional Requirements:
Capture the packets in the network at the data link layer before they are passed
to the protocols implemented in the kernel.
Strip off the various headers in each packet and analyze the information in it.
Append the information in the headers of the packet into output file in a specified
format.
Performance Constraints:
The maximum size of the buffer to hold the packet is 2000 bytes. The speed of
the networks should not exceed 100Mbps if it exceeds this speed all the packets may
not be analyzed.

3.4 Feasibility Study:

It is necessary and prudent to evaluate the feasibility of a project at the earliest
possible time. There may be different ways of checking whether a system is feasible
or not. Feasibility study can be divided into three basic forms as follows.
28

Operational feasibility:
In this test, the operational scope of the system is checked. The system under
consideration should have enough operational research. It is observed that proposed
system is very user friendly and since the system is built with enough help, even
persons with little knowledge of windows can find the system very easy.
Technical feasibility:
This test includes a study of function, performance and constraints that may
affect the ability to achieve an acceptable system. This test begins with an assessment
of the technical viability of the proposed system. One of the main factors to be
accessed is the need of various kinds of resources for the successful implementation
of the proposed system.
Economical feasibility:
An evaluation of development cost weighed against the ultimate income of
benefit from the development of the proposed system is made. Care must be taken
regarding the costs that incur in the development process of the proposed system.

3.5 Requirements Specification:

Software Environment:
The system will run under .net Framework that is to be installed on the system.
Operating Platform

WINDOWS XP

Front End

Visual Studio .NET

Back End

SQL Server 2000

Language

C# .NET

Processor

Pentium IV

RAM

512MB RAM

Hardware Environment:

29

HDD

5 GB

LAN

Enabled

Acceptance Criteria:
Before accepting the system, the developer will have to demonstrate how the
system works on the given data. The developer will have to show by suitable test
cases that all conditions are satisfied.

4. SYSTEM DESIGN
Software Engineering is the systematic approach to the development,
operation, maintenance, and retirement of software.
All Software products can be developed with the help of a Software Process
i.e. Software Life Cycle. This Software Process is nothing but a series of identifiable
stages that a software product undergoes during its lifetime. And this series basically
starts with a Feasibility Study Stage, Requirement Analysis and Specification, Design,
Coding, Testing and Maintenance. Each of these phases is called the Life Cycle
Phase. And this Software process is achieved, with the help of software life cycle
model (or process model). A Process Model is a descriptive and diagrammatical
model of a software Process. A process model identity all the activities required to
develop and maintain a software product, and establish a precedence ordering among
the different activities.

30

A process model defines entry and exit criteria for every phase. e.g. the
corresponding phase-entry criteria for the Software Requirement Specification phase
can be that the software Requirement Specification document has been completed,
internally reviewed, and approved by the customer. With such well-defined entry and
exit criteria for various phases, it becomes easier to manage and monitor the progress
of the project. Thus, we can say that life cycle models encourage development of
software in a systematic and disciplined manner. Due to the above fact, the developer
should adhere to well-defined life cycle model. Thus, a major advantage of adhering
to a well-defined life cycle model is that it helps to control and organize
systematically various activities of the product, which is taken to develop. When a life
cycle model is adhered to, the developer can easily tell at which stage (e.g. design,
code, testing) of development, the project currently is. If no life cycle model is
adhered to, it becomes very difficulty to chart the progress of the project and the
developer may face a problem known as the 99% complete syndrome. In this
syndrome, which appears when there is no definite way to access the progress of the
project, the optimistic developer feels that the project is 99% complete, even when the
project is far from its completion. Success or completion of project is heavily
dependent upon which type of life cycle model the developer is going to adhere. So a
life cycle model plays an important role in the successful completion of a project.
Basically five types of life cycle models are used, while developing a software
product.

Classical waterfall Model.

Iterative waterfall Model.

Evolutionary Model

Prototyping Model.

Spiral Model.

During the development of the project Packet Sniffer, I followed the Classical
Waterfall Model. This model divides the life cycle of a software development process
into the phases, shown below:

31

Development phase = Feasibility Study + Requirement Analysis and

Specification + Design + Coding and Unit Testing + Integration and system testing.

4.1 Problem Specification:

Network Administrators have to maintain the network to meet the needs of the
users. For this they should have the information of the network traffic so that they can
fine tune their systems according to the traffic on the network and enhance the
performance of the servers to provide efficient and reliable facilities to the users. So
they want a utility that can monitor the traffic on their network. The parties involved
are:
Client/End-users: Network administrator
To transmit data from host A to host B, the data has to travel via x,y, hosts in
the network. So every host will see all the packets, but in normal operation it will take
only the packets, which are addressed to it, and the packets are passed to the kernel
where further analysis of the packet takes place. So our problem now is to make a
copy of all the packets flowing in the network even though they are not addressed to
our host and pass them directly to our application program without passing them to
the kernel. The proposed system should not disturb the network traffic or modify any
of the packets. It should merely make a copy of the packets. Each packet must be
analyzed in detail. This information must be stored in output file so that the
administrator can later take printouts. Also time and date of arrival of the packet must
be found and stored in the output files.

4.2 Data Flow Diagrams:

Data flow diagrams are made up of a number of symbols, which represent
system components. Most data flow modeling methods use four kinds of symbols.
These symbols are used to represent four kinds of system components: processes, data
stores, data flows and external entities.
The data flow diagrams for the current project are show in the following
figure. It is the data flow diagram for the entire process. It specifies the major
transform centers in the approach to be followed for producing the software. This is
32

the first step in the structured design method. In the project, the inputs are the packets
that are flowing in the network interface that is set to promiscuous mode. The output
is the information contained in the packets in human readable form, which is stored in
the output file.
The context diagram and data flow diagram of the proposed system are given
as follows:

Network
interface
card

Protocol

Packets

Analyzer

Repor
ts

Administrato
r

Promiscuous
mode

Fig: Context Diagram

Ip
header

.
packets

Separat
e
headers
dtl
header

dtl
header
analysi
s

dtl header
info

ip
header
analysi
s

ip &dtl
Headers
Info

tl
heade
r
analys
is

Transport layer
header

Fig: DFD for the Protocol Analyzer process

33

output

The data flow diagrams for the current project are show in the following
figure. It is the data flow diagram for the entire process. It specifies the major
transform centers in the approach to be followed for producing the software. This is
the first step in the structured design method. In the project, the inputs are the packets
that are flowing in the network interface that is set to promiscuous mode. The output
is the information contained in the packets in human readable form, which is stored in
the output file.

Packets

Get
packet
s

Buffer
with
packets

Separat
e
headers

hdrs

Analyz
e
header
s

Info in
headers

Update
output
file

Fig: Data flow diagram for Packet Sniffer

Explanation:
In the diagram the input is obtained as packets from the network interface by
the Get packets process. For that this process defines a packet socket and obtains the
raw packets from the network interface and stores them into a buffer. The buffer
containing the packets is passed to the separate header process, which strips off
various headers of the packet and passes them to analyze headers process where they
will be analyzed and the information is passed on to the update output file process.
Here the output file will be updated with the latest information obtained from the later
processes.
The most abstract inputs are the stripped off headers and the most abstract
output is the information in the headers in human readable form.

4.3 Structure Charts:

For a function-oriented design, structure charts can represent the design
graphically. The structure of a program is made up of modules of the program
34

together with the interconnections between modules. The structure chart of a program
is a graphic representation of its structure. In a structure chart, a box represents a
module with the module name written in the box. The parameters returned as output
by a module.
MAIN

hdrs

info
info
hdrs

Get Input

Protocol Analysis

Output

Fig: Structure Chart

In the structure chart, there are three modules: - one for input, one for output
and another is called the central transform module which performs the basic
transformation for the system, taking the most abstract input and transforming it into
the most abstract output. The main modules job is to invoke the subordinates.
Here, there is one input module, which returns the headers in the packet to the
main module. The main module passes these headers to the protocol analysis module,
which transforms them into human readable information. This information is passed
to the main module. The main module passes this information to the output module,
which updates the output files.

hdr
s
Get Input

hdr
s

buf
buf
Adapter

receive

Strip off

35

packetf
d

packetf
d

Fig. Input Module

In the input module, the network interface is turned into promiscuous mode so
that all the packets can be captured even though they are not intended to it. This is
done by defining an adapter object and reading all the packets into a buffer. Then each
packet is taken and the various headers are stripped off and sent to the main module.

hdr
s

info

Protocol Analyzer

ip hdr
arp or rarp
hdr
ARP &RARP

ip

info

info

info

info

ICMP

IGMP

TCP

UDP
36

Fig: Protocol Analysis Module

The central transform module is shown in figure. In the central transform
module i.e. protocol analysis system, the process is split into three modules viz. ip,
arp and rarp. Here the major decision is taken about which module to be invoked by
the central module basing on the type of header sent by the main module. The ip
module takes a further decision as which module to be invoked based on the type of
header passed to it. IP module is further divided into icmp, igmp, tcp and udp
modules. The modules are named after the type of headers they handle. Each module
knows the specified format in which the information in that particular header is
stored, so they convert it into required format by which we can easily understand and
know about the packets in detail. This information is passed to the main module.

info

Output

ofstream

ofstream

Append into file

Print reports

Fig: Output Module

This module gets the information stored in the headers of the packets as input
from the main module. The output module is split into two sub-modules. The first
37

module updates the output files with the input obtained by the main module and
passes back the file pointers to the output module. These file streams are passed to
the print reports module where the reports are printed.

4.4 UML Diagrams:

Unified Modeling Language
This mapping permits forward engineering: The generation of code from a
UML model into a programming language. The reverse is also possible: You can
reconstruct a model from an implementation back into the UML. Reverse engineering
is not magic. Unless you encode that information in the implementation, information
is lost when moving forward from models to code. Reverse engineering thus requires
tool support with human intervention. Combining these two paths of forward code
generation and reverse engineering yields round-trip engineering, meaning the ability
to work in either a graphical or a textual view, while tools keep the two views
consistent.
In addition to this direct mapping, the UML is sufficiently expressive and
unambiguous to permit the direct execution of models, the simulation of systems, and
the instrumentation of running systems.
The UML is a Language for Documenting:
A healthy software organization produces all sorts of artifacts in addition to
raw executable code. These artifacts include (but are not limited to)

Requirements

Architecture

Design

Source code

Project plans

Tests

Prototypes

Releases
38

Depending on the development culture, some of these artifacts are treated

more or less formally than others. Such artifacts are not only the deliverables of a
project, they are also critical in controlling, measuring, and communicating about a
system during its development and after its deployment.
The UML addresses the documentation of a system's architecture and all of its
details. The UML also provides a language for expressing requirements and for tests.
Finally, the UML provides a language for modeling the activities of project planning
and release management Applications
The UML is intended primarily for software-intensive systems. It has been
used effectively for such domains as

Enterprise information systems

Banking and financial services

Telecommunications

Transportation

Defense/aerospace

Retail

Medical electronics

Scientific

Distributed Web-based services

The UML is not limited to modeling software. In fact, it is expressive enough

to model non-software systems, such as workflow in the legal system, the structure
and behavior of a patient healthcare system, and the design of hardware.
A Conceptual Model of the UML:
To understand the UML, you need to form a conceptual model of the
language, and this requires learning three major elements: the UML's basic building
blocks, the rules that dictate how those building blocks may be put together, and some
common mechanisms that apply throughout the UML. Once you have grasped these
ideas, you will be able to read UML models and create some basic ones. As you gain

39

more experience in applying the UML, you can build on this conceptual model, using
more advanced features of the language.
Building Blocks of the UML:
The vocabulary of the UML encompasses three kinds of building blocks:

Things

Relationships

Diagrams

Things are the abstractions that are first-class citizens in a model; relationships
tie these things together; diagrams group interesting collections of things.
Things in the UML:
There are four kinds of things in the UML:

Structural things

Behavioral things

Grouping things

Annotational things

These things are the basic object-oriented building blocks of the UML. You
use them to write well-formed models.
Structural Things:
Structural things are the nouns of UML models. These are the mostly static
parts of a model, representing elements that are either conceptual or physical. In all,
there are seven kinds of structural things.
First, a class is a description of a set of objects that share the same attributes,
operations, relationships, and semantics. A class implements one or more interfaces.
Graphically, a class is rendered as a rectangle, usually including its name, attributes,
and operations.
40

CLASS:
NewClass
window
origin
size
open()
close()
move()

Second, an interface is a collection of operations that specify a service of a

class or component. An interface therefore describes the externally visible behavior of
that element. An interface might represent the complete behavior of a class or
component or only a part of that behavior. An interface defines a set of operation
specifications (that is, their signatures) but never a set of operation implementations.
Graphically, an interface is rendered as a circle together with its name. An interface
rarely stands alone. Rather, it is typically attached to the class or component that
realizes the interface.
INTERFACE:

NewInterfac
e

Third, a collaboration defines an interaction and is a society of roles and other

elements that work together to provide some cooperative behavior that's bigger than
the sum of all the elements. Therefore, collaborations have structural, as well as
behavioral, dimensions. A given class might participate in several collaborations.
These collaborations therefore represent the implementation of patterns that make up
a system. Graphically, collaboration is rendered as an ellipse with dashed lines,
usually including only its name.
Fourth, a use case is a description of set of sequence of actions that a system
performs that yields an observable result of value to a particular actor. A use case is
41

used to structure the behavioral things in a model. A use case is realized by

collaboration. Graphically, a use case is rendered as an ellipse with solid lines, usually
including only its name.

UseCase

The remaining three thingsactive classes, components, and nodesare all

class-like, meaning they also describe a set of objects that share the same attributes,
operations, relationships, and semantics. However, these three are different enough
and are necessary for modeling certain aspects of an object-oriented system, and so
they warrant special treatment.
Fifth, an active class is a class whose objects own one or more processes or
threads and therefore can initiate control activity. An active class is just like a class
except that its objects represent elements whose behavior is concurrent with other
elements. Graphically, an active class is rendered just like a class, but with heavy
lines, usually including its name, attributes, and operations.
The remaining two elementscomponent, and nodesare also different.
They represent physical things, whereas the previous five things represent conceptual
or logical things.
Sixth, a component is a physical and replaceable part of a system that
conforms to and provides the realization of a set of interfaces. In a system, you'll
encounter different kinds of deployment components, such as COM+ components or
Java Beans, as well as components that are artifacts of the development process, such
as source code files. A component typically represents the physical packaging of
otherwise logical elements, such as classes, interfaces, and collaborations.
Graphically, a component is rendered as a rectangle with tabs, usually including only
its name.
COMPONENT:
42

NewComponent

Seventh, a node is a physical element that exists at run time and represents a
computational resource, generally having at least some memory and, often, processing
capability. A set of components may reside on a node and may also migrate from node
to node. Graphically, a node is rendered as a cube, usually including only its name.

Behavioral Things:
Behavioral things are the dynamic parts of UML models. These are the verbs
of a model, representing behavior over time and space. In all, there are two primary
kinds of behavioral things.
First, an interaction is a behavior that comprises a set of messages exchanged
among a set of objects within a particular context to accomplish a specific purpose.
The behavior of a society of objects or of an individual operation may be specified
with an interaction. An interaction involves a number of other elements, including
messages, action sequences (the behavior invoked by a message), and links (the
connection between objects). Graphically, a message is rendered as a directed line,
almost always including the name of its operation.
Second, a state machine is a behavior that specifies the sequences of states an
object or an interaction goes through during its lifetime in response to events, together
with its responses to those events. The behavior of an individual class or a
collaboration of classes may be specified with a state machine.
A state machine involves a number of other elements, including states,
transitions (the flow from state to state), events (things that trigger a transition), and
43

activities (the response to a transition). Graphically, a state is rendered as a rounded

rectangle, usually including its name and its sub states, if any.
STATE:
NewState

These two elementsinteractions and state machinesare the basic

behavioral things that you may include in a UML model. Semantically, these elements
are usually connected to various structural elements, primarily classes, collaborations,
and objects.

Grouping Things:
Grouping things are the organizational parts of UML models. These are the
boxes into which a model can be decomposed. In all, there is one primary kind of
grouping thing, namely, packages.
A package is a general-purpose mechanism for organizing elements into
groups. Structural things, behavioral things, and even other grouping things may be
placed in a package. Unlike components (which exist at run time), a package is purely
conceptual (meaning that it exists only at development time). Graphically, a package
is rendered as a tabbed folder, usually including only its name and, sometimes, its
contents.
PACKAGE:

Packages are the basic grouping things with which you may organize a UML
model. There are also variations, such as frameworks, models, and subsystems (kinds
of packages).
Annotational Things:
44

Annotational things are the explanatory parts of UML models. These are the
comments you may apply to describe, illuminate, and remark about any element in a
model. There is one primary kind of annotational thing, called a note. A note is simply
a symbol for rendering constraints and comments attached to an element or a
collection of elements. Graphically, a note is rendered as a rectangle with a dog-eared
corner, together with a textual graphical comment.

NOTES:

This element is the one basic annotational thing you may include in a UML
model. You'll typically use notes to adorn your diagrams with constraints or
comments that are best expressed in informal or formal text. There are also variations
on this element, such as requirements (which specify some desired behavior from the
perspective of outside the model).
Relationships in the UML :
There are four kinds of relationships in the UML:
1. Dependency
2. Association
3. Generalization
4. Realization
These relationships are the basic relational building blocks of the UML. You
use them to write well-formed models.
First, a dependency is a semantic relationship between two things in which a
change to one thing (the independent thing) may affect the semantics of the other
thing (the dependent thing). Graphically, a dependency is rendered as a dashed line,
possibly directed, and occasionally including a label.
45

DEPENDANCY:

ASSOCIATION:

Employer

employee

Second, an association is a structural relationship that describes a set of links,

a link being a connection among objects. Aggregation is a special kind of association,
representing a structural relationship between a whole and its parts. Graphically, an
association is rendered as a solid line, possibly directed, occasionally including a
label, and often containing other adornments, such as multiplicity and role names.
Third, a generalization is a specialization/generalization relationship in which
objects of the specialized element (the child) are substitutable for objects of the
generalized element (the parent). In this way, the child shares the structure and the
behavior of the parent. Graphically, a generalization relationship is rendered as a solid
line with a hollow arrowhead pointing to the parent.
GENERALIZATION:
. Fourth, a realization is a semantic relationship between classifiers, wherein
one classifier specifies a contract that another classifier guarantees to carry out. You'll
encounter realization relationships in two places: between interfaces and the classes or
components that realize them, and between use cases and the collaborations that
realize them. Graphically, a realization relationship is rendered as a cross between a
generalization and a dependency relationship.
REALIZATION:
These four elements are the basic relational things you may include in a UML
model. There are also variations on these four, such as refinement, trace, include, and
extend (for dependencies).
46

The five views of architecture are discussed in the following section.

Rules of the UML:
The UML's building blocks can't simply be thrown together in a random
fashion. Like any language, the UML has a number of rules that specify what a wellformed model should look like. A well-formed model is one that is semantically selfconsistent and in harmony with all its related models.
The UML has semantic rules for
Table 2.1 Semantic rules

Names

What you can call things, relationships, and diagrams

Scope

The context that gives specific meaning to a name

Visibility

How those names can be seen and used by others

Integrity

How things properly and consistently relate to one another

Execution

What it means to run or simulate a dynamic model

Models built during the development of a software-intensive system tend to

evolve and may be viewed by many stakeholders in different ways and at different
times. For this reason, it is common for the development team to not only build
models that are well-formed, but also to build models that are
Table 2.2 Models

Elided

Certain elements are hidden to simplify the view

Incomplete

Certain elements may be missing

Inconsistent

The integrity of the model is not guaranteed

47

These less-than-well-formed models are unavoidable as the details of a system

unfold and churn during the software development life cycle. The rules of the UML
encourage youbut do not force youto address the most important analysis,
design, and implementation questions that push such models to become well-formed
over time.
Diagrams in the UML:
A diagram is the graphical presentation of a set of elements, most often
rendered as a connected graph of vertices (things) and arcs (relationships). You draw
diagrams to visualize a system from different perspectives, so a diagram is a
projection into a system. For all but the most trivial systems, a diagram represents an
elided view of the elements that make up a system. The same element may appear in
all diagrams, only a few diagrams (the most common case), or in no diagrams at all (a
very rare case). In theory, a diagram may contain any combination of things and
relationships. In practice, however, a small number of common combinations arise,
which are consistent with the five most useful views that comprise the architecture of
a software-intensive system. For this reason, the UML includes nine such diagrams:

Use case diagram

Class diagram

Sequence diagram

Collaboration diagram

State chart diagram

Activity diagram

Component diagram

Deployment diagram

Object diagram

A class diagram shows a set of classes, interfaces, and collaborations and their
relationships. These diagrams are the most common diagram found in modeling
object-oriented systems. Class diagrams address the static design view of a system.
Class diagrams that include active classes address the static process view of a system.

48

A use case diagram shows a set of use cases and actors (a special kind of class)
and their relationships. Use case diagrams address the static use case view of a
system. These diagrams are especially important in organizing and modeling the
behaviors of a system. Both sequence diagrams and collaboration diagrams are kinds
of interaction diagrams. Shows an interaction, consisting of a set of objects and their
relationships, including the messages that may be dispatched among them. Interaction
diagrams address the dynamic view of a system.
A sequence diagram is an interaction diagram that emphasizes the timeordering of messages; a collaboration diagram is an interaction diagram that
emphasizes the structural organization of the objects that send and receive messages.
Sequence diagrams and collaboration diagrams are isomorphic, meaning that you can
take one and transform it into the other.
A state chart diagram shows a state machine, consisting of states, transitions,
events, and activities. State chart diagrams address the dynamic view of a system.
They are especially important in modeling the behavior of an interface, class, or
collaboration and emphasize the event-ordered behavior of an object, which is
especially useful in modeling reactive systems.
An activity diagram is a special kind of a state chart diagram that shows the
flow from activity to activity within a system. Activity diagrams address the dynamic
view of a system. They are especially important in modeling the function of a system
and emphasize the flow of control among objects.
A component diagram shows the organizations and dependencies among a set
of components. Component diagrams address the static implementation view of a
system. They are related to class diagrams in that a component typically maps to one
or more classes, interfaces, or collaborations.
A deployment diagram shows the configuration of run-time processing nodes
and the components that live on them. Deployment diagrams address the static
deployment view of architecture. They are related to component diagrams in that a
node typically encloses one or more components.

49

An object diagram shows a set of objects and their relationships. Object

diagrams represent static snapshots of instances of the things found in class diagrams.
These diagrams address the static design view or static process view of a system as do
class diagrams, but from the perspective of real or prototypical cases.
This is not a closed list of diagrams. Tools may use the UML to provide other
kinds of diagrams, although these nine are by far the most common you will
encounter in practice.
USE CASE DIAGRAMS:
A use case describes a sequence of actions that provide something measurable
value to an actor and is drawn as a horizontal ellipse an actor is a person, organization
or external system that plays a role in one or more interactions with your system.

Start Monitoring

Start Capture

Capture Packets

User

Get Packet Header

System

Get Packet Data

Display Graph

Save/Open Packets

Stop Capturing

50

Add/removeIPs:

Administrator can add or remove ip addresses from the

database to block or allow receiving packets from that
particular system on the domain.

View report:

Administrator can view the information of the decoded

packets in the user interface of the tool.

Save/print reports:

Administrator can save the information on to file system or

can print the information through the printer if connected.

Use case scenario:

Use case name:

Admin functions

Participant

Administrator

actor:

Flow of events:

1. System Starts Monitoring.

2. User presses the capture button.
3. System Captures the Packets.
4. System gets the Packet header
and Packet Data.
5. System Saves and Opens the
packets data.
6. User presses the Stop capturing
button.

Class diagram:
51

A class diagram describes the static structure of the symbols in your new
system. It is a graphical presentation of the static view that shows a collection of
declarative (static) model elements, such as classes, types, and their contents and
relationships.

PacketSniffer
tcp header
ip header
ethernet header
data

Dynamic graph
surf
surfing()

get()
separate headers()

Surface
ascent
descent
ptnum
thread
usedstr
getminimumsize()
getprefferedsize()
getmaxsize()
surface()

Sequence diagram:
52

UML sequence diagrams model the flow of logic within your system in a
visual manner, enabling you both to document and validate your logic, and are
commonly used for both analysis and design purposes. Sequence diagrams are the
most popular UML artifacts for dynamic modeling, which focuses on identifying the
behavior within your system.
Sequence diagram for Administrator:

start capture
button

packet capture
control

reports

IP Address

: administrator
press
invokes
generates
view
save/print
add/remove

Collaboration diagram for Administrator:

53

A collaboration diagram is an interaction diagram that emphasizes the

structural organization of the objects that send and receive messages. Collaboration
diagrams are isomorphic, meaning that you can take one and transform it into the
other.

1: press
start capture
button
: administrator
6: add/remove
IP
Address
2: invokes

4: view
5: save/print

reports

packet capture
control
3: generates

54

5.4.5 State chart Diagram:

open tool

open saved file

do/ view
do/ print

start new session

entry/ press start capture button
do/ view report
do/ Block IP address
do/ save/print report
exit/ press end capture button

5. SOFTWARE OVERVIEW
55

Front End Language:

C Sharp Language:
C# is a new programming language created by Microsoft and introduced with
the release of Visual Studio .NET (also known as Visual Studio .NET 7.0). C# lets
you write programs that enable you to manipulate the computer to perform certain
tasks.
The Birth of C#:
As a recent birth in the programming language family, C# has two
programming language parents: C++ and Java. C# contains many C++ features but
also adds the object-oriented features from Java.
C# contains many different components, including:

Versioning support, so that your base and derived classes templates that
define how an object performs remain compatible as you develop them.

Events, so that your program can notify clients of a class about something
that has happened to an object.

Type safety and verification that increases reliability and ensures code
security.

Garbage collection, so that your program can identify objects that your
program can no longer reach.

Unsafe mode, where you can use pointers to manipulate memory outside
the garbage collectors control, including methods and properties.

Close Relations with C and C++:

C# is built on the C++ language, so it behaves much like the language. Like
C++, C# lets you write enterprise applications, and C# contains many C++ features,
including statements and operators. C# also provides access to common Application
Program Interface (API) styles including Component Object Model (COM) and Cstyle APIs.
56

C# Versus Visual Basic .NET:

The premise of the .NET Framework is that all languages are created equal. To
paraphrase George Orwell, however, some languages are more equal than others. C#
is an excellent language for .NET development. You will find it is an extremely
versatile, robust and well-designed language. It is also currently the language most
often used in articles and tutorials about .NET programming. It is likely that many VB
programmers will choose to learn C#, rather than upgrading their skills to VB .NET.
This would not be surprising because the transition from VB6 to VB .NET is,
arguably, nearly as difficult as from VB6 to C#and, whether it's fair or not,
historically, C-family programmers have had higher earning potential than VB
programmers.
C# versus Java:
Java Programmers may look at C# with a mixture of trepidation, glee, and
resentment. It has been suggested that C# is somehow a "rip-off" of Java. C# certainly
learned a great deal from Java. But then Java learned a great deal from C++, which
owed its syntax to C, which in turn was built on lessons learned in other languages.
We all stand on the shoulders of giants. C# offers an easy transition for Java
programmers; the syntax is very similar and the semantics are familiar and
comfortable.
Differences between C# and C++:
Microsoft includes Visual C++ and C# in Visual Studio .NET. On the surface,
C# has few differences from Visual C++. When you look carefully and start
programming, you will notice that C# differs in several important respects from
Visual C++:

C# has an alternate method of accessing the C++ initialization list when

constructing the base class.

A class can inherit implementation from only one base class.

You can call overridden base class members from derived classes.
57

C# has a different syntax for declaring C# arrays.

There are differences in several different types including bool, struct,

and delegate.

The Main method is declared differently.

Support of the new ref and out method parameters that are used instead
of pointers for passing parameters by reference.

New keywords including extern and static.

New statements including switch and finally.

New operators including is and typeof.

Different functionality for some operators and for overloading

operators.

Microsoft .NET:
Microsoft announced the .NET initiative in July 2000. The .NET
platform is a new development framework with a new programming
interface to Windows services and APIs, integrating a number of
technologies that emerged from Microsoft during the late 1990s.
Incorporated into .NET are COM+ component services; the ASP web
development framework; a commitment to XML and object-oriented
design; support for new web services protocols such as SOAP,
WSDL, and UDDI; and a focus on the Internet.
The platform consists of four separate product groups:
Development tools:
A set of languages, including C# and VB.NET; a set of development
tools, including Visual Studio.NET; a comprehensive class library for
building web services and web and Windows applications; as well as
the Common Language Runtime to execute objects built within this
framework.
58

Specialized servers:
A set of .NET Enterprise Servers, formerly known as SQL Server
2000, Exchange 2000, BizTalk 2000, and so on, that provide
specialized functionality for relational data storage, email, and B2B
commerce.
Web services:
An offering of commercial web services, recently announced as
project Hailstorm; for a fee, developers can use these services in
building applications that require knowledge of user identity.
Devices:
New .NET-enabled non-PC devices, from cell phones to game boxes.
The .NET Platform:
The Microsoft .NET Platform consists of five main components, as shown in
Figure 1 -1. At the lowest layer lies the operating system (OS), which can be one of a
variety of Windows platforms, including Windows XP, Windows 2000, Windows Me,
and Windows CE. As part of the .NET strategy, Microsoft has promised to deliver
more .NET device software to facilitate a new generation of smart devices.
On top of the operating system is a series of .NET Enterprise Server products
that simplify and shorten the time required to develop and manage large-scale
business systems. These server products include Application Center 2000, BizTalk
Server 2000, Commerce Server 2000, Exchange Server 2000, Host Integration Server
2000, Internet Security and Acceleration Server 2000, and SQL Server 2000.
Since Web Services are highly reusable across the Web, Microsoft plans to
provide a number of building-block services that application developers can use, for a
fee. An example of building block service is Microsoft Passport, which allows you to
use a single username and password at all web sites that support Passport
authentication. On March 19, 2001, Microsoft announced another set of Web Services
with the codename Hailstorm. This product encompasses a set of building block
59

services that support personalization, centered entirely on consistent user experiences.

Microsoft plans to add newer services, such as calendar, directory, and search
services. Third-party vendors are also creating new Web services of their own.
Fig. The Microsoft .NET platform

At the top layer of the .NET architecture is a brand new development tool
called Visual Studio.NET (VS.NET), which makes possible the rapid development of
Web Services and other applications. A successor of Microsoft Visual Studio 6.0,
VS.NET is an Integrated Development Environment (IDE) that supports four different
languages and features such as cross-language debugging and the XML Schema
Editor.
And at the center of .NET is the Microsoft .NET Frameworkthe main focus
of this book. The .NET Framework is a new development and runtime infrastructure
that will change the development of business applications on the Windows platform.
It includes the Common Language Runtime (CLR) and a common framework of
classes that can be used by all .NET languages.
Visual Studio .net:
Visual Studio .NET contains a graphical programming environment called the
Microsoft Development Environment (MDE). The MDE enables you to create
programs in Visual C# and other Visual Studio .NET languages.

Security:

60

Computer networks let programmers share Visual Studio .NET code including
C# programs across the network. This collaborative effort lets you and your
programming team creates C# programs much more quickly than one person alone.
The problem with collaborating over a network is that unauthorized users from within
or outside your network may try to gain access to your C# program code. Visual
Studio .NET provides built-in security features so you or the leader of your
programming team can determine who on your network gets access to your C#
program code and resources. You can also set different levels of security for different
people in case you want only certain people to have access to certain program code.
DLLs:
The advent of Windows brought dynamic link libraries (DLLs) to
programmers. DLLs are small, independent programs that contain executable routines
that programs can use to produce a certain result in Windows. For example, if a
program needs to open a file, you can write your C# program that uses the code in the
DLL to open the file. Using DLLs frees up your time to work on your program
without having to reprogram the same code in your C# program over and over again.
You can access DLLs from your C# program, and create DLLs in C# for your C#
program to refer to when necessary. C# has full COM/Platform support, so you can
integrate C# code with any programming language that can produce COM DLLs such
as Visual C++.
XML:
Extensible Markup Language (XML) is a more powerful version of Hypertext
Markup Language (HTML), the standard Web page language. Visual Studio .NET and
C# let you document your program using XML and then extract the XML code into a
separate file. Visual Studio .NET supports XML so that you can integrate your C#
programs with the World Wide Web. You can document your C# code using XML and
then use XML for creating Web Services and Web controls that let you and your code
interact with a Web site. For example, you may have an inventory system written in
C# that interacts with the order-taking page on your companys Web site.
Windows Operating System:
61

Windows operating system is no longer a stranger to people; it is a fast

growing fully fledged powerful operating system with enhanced networking features,
popular among home hobbyists and small network users. Connecting a Windows
operating system to the networks is much like advertising an open house to the public,
leaving your front door wide open and going on an extended vacation. Without
precautions unwanted intruders will enter in both cases, and it will happen sooner than
later.
Microsoft Windows is the name of several families of software operating
systems by Microsoft. Microsoft first introduced an operating environment named
Windows in November 1985 as an add-on to MS-DOS in response to the growing
interest in graphical user interfaces (GUIs). Microsoft Windows eventually came to
dominate the world's personal computer market, overtaking Mac OS, which had been
introduced previously. At the 2004 IDC Directions conference, IDC Vice President
Avneesh Saxena stated that Windows had approximately 90% of the client operating
system market.

6. SAMPLE CODING
62

using System;
using System.Drawing;
using System.Collections;
using System.ComponentModel;
using System.Windows.Forms;
using System.Net;
using System.Net.Sockets;
using Sniffer;
using System.Threading;
using System.Text;
namespace SnifferUI
{
public delegate void DoubleClickCallback();
public delegate void TabPageCallback(TabPage tp);
/// <summary>
/// Summary description for SnifferUI.
/// </summary>
public class SnifferUI : System.Windows.Forms.Form
{
private Thread thrdTrv;
private Thread thrd;
private Thread thrdC;
bool isPaused = false;
int MouseX=0;
int MouseY=0;
int
totalCount=0,tcpCount=0,udpCount=0,icmpCount=0,otherCount=0;
int totalByte=0,tcpByte=0,udpByte=0,icmpByte=0,otherByte=0;
private treeViewFuncs objTVF;
private SnifferSocket Socket_
public Hashtable

= null;

Counter_ =null;
63

public Hashtable

IdentTable_ =null;

private Hashtable

TabPageTable_ =null;

private Hashtable

CurrentSniffing_=null;

private Hashtable ForCounter=null;

private string thisComputerIp ="";
private IPv4Datagram tempDatagram;
private System.Windows.Forms.StatusBar statusBar1;
private System.Windows.Forms.ColumnHeader Source;
private System.Windows.Forms.MenuItem miStopSniffing;
private System.Windows.Forms.Label label3;
private System.Windows.Forms.Label label4;
private System.Windows.Forms.Label label5;
private System.Windows.Forms.Label label6;
private System.Windows.Forms.Label label7;
private System.Windows.Forms.Label lblb5;
private System.Windows.Forms.Label lblb4;
private System.Windows.Forms.Label lblb3;
private System.Windows.Forms.Label lblb2;
private System.Windows.Forms.Label lblb1;
private System.Windows.Forms.MenuItem miExit;
private System.Diagnostics.Process scanner;
private System.Windows.Forms.ColumnHeader Destination_;
private NotifyIcon notifyIcon1;
private ContextMenuStrip contextMenuStrip1;
private ToolStripMenuItem sHOWToolStripMenuItem;
private ToolStripMenuItem qUITToolStripMenuItem;
private TabPage tabPage1;
private ListBox lbsuspectdata;
private MenuItem menuItem2;
private MenuItem menuItem3;
64

private System.Windows.Forms.Timer timer1;

private MenuItem menuItem5;
private System.ComponentModel.IContainer components;
public SnifferUI()
{
InitializeComponent();
objTVF = new treeViewFuncs();
IdentTable_= new Hashtable();
Counter_=new Hashtable();
TabPageTable_ = new Hashtable();
CurrentSniffing_= new Hashtable();
ForCounter=new Hashtable();
lstwMain.FullRowSelect=true;
lstwMain.GridLines=true;
// create temp ipv4 datagram object
tempDatagram =new IPv4Datagram();
// retrieve local system ip address [name]
thisComputerIp
=Dns.GetHostByName(Dns.GetHostName()).AddressList[0].ToString(
);
bool enterence = true;
while (enterence)
{
if ( thisComputerIp != null )
{
// create SnifferSocket object
Socket_ = new SnifferSocket();
try
{

65

// call sniff method of SnifferSocket with this

ComputerIP as parameter
Socket_.Sniff(thisComputerIp);
Socket_.IPs.Add(thisComputerIp);
enterence=false;
}
catch(SnifferException e)
{
HandleSnifferError(e);
thisComputerIp=GetIPToSniff();
}
// call LoadOptions => links
LoadOptions();
}
else
{
thisComputerIp=GetIPToSniff();
}
}
thrd = new Thread(new ThreadStart(Counter));
thrd.IsBackground = true;
thrd.Start();
thrdC = new Thread(new ThreadStart(Counter2));
thrdC.IsBackground = true;
thrdC.Start();
}
/// <summary>
/// Clean up any resources being used.
/// </summary>
protected override void Dispose( bool disposing )
66

{
if( disposing )
{
if(components != null)
{
components.Dispose();
}
}
base.Dispose( disposing );
}

#region Windows Form Designer generated code

/// <summary>
/// Required method for Designer support - do not modify
/// the contents of this method with the code editor.
/// </summary>
private void InitializeComponent()
{
this.components = new System.ComponentModel.Container();
System.ComponentModel.ComponentResourceManager
resources = new
System.ComponentModel.ComponentResourceManager(typeof(Sniffe
rUI));
System.Configuration.AppSettingsReader configurationAppSettings =
new System.Configuration.AppSettingsReader();
this.lstwMain = new System.Windows.Forms.ListView();
this.Count_ = new System.Windows.Forms.ColumnHeader();
this.Source_ = new System.Windows.Forms.ColumnHeader();
this.SourceName_ = new System.Windows.Forms.ColumnHeader();
this.SPort_ = new System.Windows.Forms.ColumnHeader();
this.Destination_ = new System.Windows.Forms.ColumnHeader();
this.DestName_ = new System.Windows.Forms.ColumnHeader();
67

this.DPort_ = new System.Windows.Forms.ColumnHeader();

this.Protocol_ = new System.Windows.Forms.ColumnHeader();
this.Process_ = new System.Windows.Forms.ColumnHeader();
this.ProcessId_ = new System.Windows.Forms.ColumnHeader();
this.CnmLstwMain = new System.Windows.Forms.ContextMenu();
this.miStartSniffing = new System.Windows.Forms.MenuItem();
this.miStopSniffing = new System.Windows.Forms.MenuItem();
this.miConCheck = new System.Windows.Forms.MenuItem();
this.midelete = new System.Windows.Forms.MenuItem();
this.mideleteall = new System.Windows.Forms.MenuItem();
this.imlMain = new
System.Windows.Forms.ImageList(this.components);
this.imltblTreeView = new
System.Windows.Forms.ImageList(this.components);
this.statusBar1 = new System.Windows.Forms.StatusBar();
this.Source = new System.Windows.Forms.ColumnHeader();
this.Destination = new System.Windows.Forms.ColumnHeader();
this.Identification = new System.Windows.Forms.ColumnHeader();
this.Protocal = new System.Windows.Forms.ColumnHeader();
this.tcSniffing = new System.Windows.Forms.TabControl();
this.timer1 = new System.Windows.Forms.Timer(this.components);
this.tcMain.SuspendLayout();
this.tpSniffing.SuspendLayout();
this.pnlSniffing.SuspendLayout();
this.pnlSubTab.SuspendLayout();
this.pnlToolBarTab.SuspendLayout();
this.tpCtrl.SuspendLayout();
this.pnlError.SuspendLayout();
this.pnlIcmpTlb.SuspendLayout();
this.tabPage1.SuspendLayout();
this.pnlMain.SuspendLayout();
this.pnlbottom.SuspendLayout();
68

this.pnlBottomRight.SuspendLayout();
this.pnlBottomRightSub.SuspendLayout();
this.pnlRichText.SuspendLayout();
this.pnlPacket.SuspendLayout();
this.pnlAscii.SuspendLayout();
this.pnlTV.SuspendLayout();
this.pnlBottomLeft.SuspendLayout();
this.pnlUp.SuspendLayout();
this.pnlUpRight.SuspendLayout();
this.pnlUpLeft.SuspendLayout();
this.contextMenuStrip1.SuspendLayout();
this.SuspendLayout();
//
// lstwMain
//
this.lstwMain.Columns.AddRange(new
System.Windows.Forms.ColumnHeader[] {
this.Count_,
this.Source_,
this.SourceName_,
this.SPort_,
this.Destination_,
this.DestName_,
this.DPort_,
this.Protocol_,
this.Process_,
this.ProcessId_});
this.lstwMain.ContextMenu = this.CnmLstwMain;
this.lstwMain.Dock = System.Windows.Forms.DockStyle.Fill;
this.lstwMain.Location = new System.Drawing.Point(0, 0);
this.lstwMain.MultiSelect = false;
this.lstwMain.Name = "lstwMain";
this.lstwMain.Size = new System.Drawing.Size(904, 176);
69

this.lstwMain.SmallImageList = this.imlMain;
this.lstwMain.TabIndex = 5;
this.lstwMain.UseCompatibleStateImageBehavior = false;
this.lstwMain.View = System.Windows.Forms.View.Details;
this.lstwMain.SelectedIndexChanged += new
System.EventHandler(this.lstwMain_SelectedIndexChanged);
this.lstwMain.DoubleClick += new
System.EventHandler(this.lstwMain_DoubleClick);
this.lstwMain.ColumnClick += new
System.Windows.Forms.ColumnClickEventHandler(this.lstwMain_ColumnClick);
//
// Count_
//
this.Count_.Text = "Count";
this.Count_.Width = 56;
//
// Source_
//
this.Source_.Text = "Source";
this.Source_.Width = 94;
//
// SourceName_
//
this.SourceName_.Text = "Name";
this.SourceName_.Width = 68;
//
// SPort_
//
this.SPort_.Text = "Source Port";
this.SPort_.Width = 150;
//
// Destination_
//
70

this.Destination_.Text = "Destination";
this.Destination_.Width = 102;
//
// DestName_
//
this.DestName_.Text = "Name";
this.DestName_.Width = 64;
//
// DPort_
//
this.DPort_.Text = "Dest. Port";
this.DPort_.Width = 162;
//
// Protocol_
//
this.Protocol_.Text = "Protocol";
//
// Process_
//
this.Process_.Text = "Process";
this.Process_.Width = 74;
//
// ProcessId_
//
this.ProcessId_.Text = "PID";
this.ProcessId_.Width = 50;
//
// CnmLstwMain
//
this.CnmLstwMain.MenuItems.AddRange(new
System.Windows.Forms.MenuItem[] {
this.miStartSniffing,
this.miStopSniffing,
71

this.miConCheck,
this.midelete,
this.mideleteall});
//
// miStartSniffing
//
this.miStartSniffing.DefaultItem = true;
this.miStartSniffing.Index = 0;
this.miStartSniffing.Text = "Start Sniffing";
this.miStartSniffing.Click += new
System.EventHandler(this.miStartSniffing_Click);
//
// miStopSniffing
//
this.miStopSniffing.Index = 1;
this.miStopSniffing.Text = "Stop Sniffing";
this.miStopSniffing.Click += new
System.EventHandler(this.miStopSniffing_Click);
//
// miConCheck
//
this.miConCheck.Index = 2;
this.miConCheck.Text = "Check Connection";
this.miConCheck.Click += new
System.EventHandler(this.miConCheck_Click);
//
// midelete
//
this.midelete.Index = 3;
this.midelete.Text = "Delete";
this.midelete.Click += new System.EventHandler(this.midelete_Click);
//
// mideleteall
72

//
this.mideleteall.Index = 4;
this.mideleteall.Text = "Delete All";
this.mideleteall.Click += new System.EventHandler(this.mideleteall_Click);
//
// imlMain
//
this.imlMain.ImageStream = ((System.Windows.Forms.ImageListStreamer)
(resources.GetObject("imlMain.ImageStream")));
this.imlMain.TransparentColor = System.Drawing.Color.Transparent;
this.imlMain.Images.SetKeyName(0, "");
this.imlMain.Images.SetKeyName(1, "");
this.imlMain.Images.SetKeyName(2, "");
this.imlMain.Images.SetKeyName(3, "");
this.imlMain.Images.SetKeyName(4, "");
this.imlMain.Images.SetKeyName(5, "");
this.imlMain.Images.SetKeyName(6, "");
this.imlMain.Images.SetKeyName(7, "");
this.imlMain.Images.SetKeyName(8, "");
this.imlMain.Images.SetKeyName(9, "");
this.imlMain.Images.SetKeyName(10, "");
this.imlMain.Images.SetKeyName(11, "");
//
// imltblTreeView
//
this.imltblTreeView.ImageStream =
((System.Windows.Forms.ImageListStreamer)
(resources.GetObject("imltblTreeView.ImageStream")));
this.imltblTreeView.TransparentColor = System.Drawing.Color.Transparent;
this.imltblTreeView.Images.SetKeyName(0, "");
this.imltblTreeView.Images.SetKeyName(1, "");
this.imltblTreeView.Images.SetKeyName(2, "");
this.imltblTreeView.Images.SetKeyName(3, "");
73

this.imltblTreeView.Images.SetKeyName(4, "");
this.imltblTreeView.Images.SetKeyName(5, "");
this.imltblTreeView.Images.SetKeyName(6, "");
//
// statusBar1
//
this.statusBar1.Location = new System.Drawing.Point(0, 428);
this.statusBar1.Name = "statusBar1";
this.statusBar1.Size = new System.Drawing.Size(1190, 22);
this.statusBar1.TabIndex = 8;
//
// Source
//
this.Source.Text = "Source";
this.Source.Width = 98;
//
// Destination
//
this.Destination.Text = "Destination";
this.Destination.Width = 115;
//
// Identification
//
this.Identification.Text = "Identification";
this.Identification.Width = 111;
//
// Protocal
//
this.Protocal.Text = "Protocal";
this.Protocal.Width = 130;
//
// tcSniffing
//
74

this.tcSniffing.Dock = System.Windows.Forms.DockStyle.Fill;
this.tcSniffing.Location = new System.Drawing.Point(0, 0);
this.tcSniffing.Name = "tcSniffing";
this.tcSniffing.SelectedIndex = 0;
this.tcSniffing.Size = new System.Drawing.Size(536, 191);
this.tcSniffing.TabIndex = 11;
//
// tcMain
//
this.tcMain.Controls.Add(this.tpSniffing);
this.tcMain.Controls.Add(this.tpCtrl);
this.tcMain.Controls.Add(this.tabPage1);
this.tcMain.Dock = System.Windows.Forms.DockStyle.Fill;
this.tcMain.Location = new System.Drawing.Point(0, 0);
this.tcMain.Name = "tcMain";
this.tcMain.SelectedIndex = 0;
this.tcMain.Size = new System.Drawing.Size(544, 249);
this.tcMain.TabIndex = 12;
this.tcMain.SelectedIndexChanged += new
System.EventHandler(this.tcMain_SelectedIndexChanged);
//
// tpSniffing
//
this.tpSniffing.Controls.Add(this.pnlSniffing);
this.tpSniffing.Location = new System.Drawing.Point(4, 22);
this.tpSniffing.Name = "tpSniffing";
this.tpSniffing.Size = new System.Drawing.Size(536, 223);
this.tpSniffing.TabIndex = 0;
this.tpSniffing.Text = "Current Sniffing";
this.tpSniffing.UseVisualStyleBackColor = true;
//
// pnlSniffing
//
75

this.pnlSniffing.Controls.Add(this.pnlSubTab);
this.pnlSniffing.Controls.Add(this.pnlToolBarTab);
this.pnlSniffing.Dock = System.Windows.Forms.DockStyle.Fill;
this.pnlSniffing.Location = new System.Drawing.Point(0, 0);
this.pnlSniffing.Name = "pnlSniffing";
this.pnlSniffing.Size = new System.Drawing.Size(536, 223);
this.pnlSniffing.TabIndex = 0;
//
// pnlSubTab
//
this.pnlSubTab.Controls.Add(this.tcSniffing);
this.pnlSubTab.Dock = System.Windows.Forms.DockStyle.Fill;
this.pnlSubTab.Location = new System.Drawing.Point(0, 32);
this.pnlSubTab.Name = "pnlSubTab";
this.pnlSubTab.Size = new System.Drawing.Size(536, 191);
this.pnlSubTab.TabIndex = 14;
//
// pnlToolBarTab
//
this.pnlToolBarTab.Controls.Add(this.tlbSniffing);
this.pnlToolBarTab.Dock = System.Windows.Forms.DockStyle.Top;
this.pnlToolBarTab.Location = new System.Drawing.Point(0, 0);
this.pnlToolBarTab.Name = "pnlToolBarTab";
this.pnlToolBarTab.Size = new System.Drawing.Size(536, 32);
this.pnlToolBarTab.TabIndex = 13;
}

7. TESTING
7.1 Introduction:
76

Testing is a process, which reveals errors in the program. It is the major

quality measure employed during software development. During testing, the program
is executed with a set of test cases and the output of the program for the test cases is
evaluated to determine if the program is performing as it is expected to perform.
Testing performs a critical role in quality assurance and for ensuring the
reliability of software. To accomplish the task of testing software, this is done under
two categories of test case design techniques.

White Box Testing (Structural testing)

Black Box Testing (Functional testing)

White box testing:

This test focuses on the program control structure. Test cases are derived to
ensure that all the statements in the program have been executed at least once during
testing and that all logical conditions have been exercised.
Black box testing:
These tests are designed to validate functional requirements without regard to
working of the program. Black box testing technique focuses on the information
domain of the software, deriving test cases by partitioning input and output in a
manner that provides though test coverage.

7.2 Levels of Testing:

In order to make sure that the system does not have errors, the different levels
of testing strategies that are applied at differing phases of software development are:

Unit Testing:
Unit Testing is done on individual modules as they are completed and become
executable. It is confined only to the designer's requirements. Unit Testing focuses on
77

verification of the smallest unit of software design module. Using the detailed design
description as a guide, important control paths are tested to uncover errors within the
boundary of the module .Unit testing is essentially for verification of the code
produced during the coding phase and hence the goal is to test the internal logic of the
module.
Integrating Testing:
Integration testing ensures that software and subsystems work together as a
whole. It tests the interface of all the modules to make sure that the modules behave
properly when integrated together.
System Testing:
System testing involves in-house testing of the entire system before delivery to
the user. Its aim is to satisfy the user the system meets all requirements of the client's
specifications.
Acceptance Testing:
It is a pre-delivery testing in which entire system is tested at client's site on
real world data to find errors.

78

7.3 Test-Cases (Unit test-plan and integrated test-plan):

No.

Test case Title

Description

Expected
Outcome

The
requirement
in RS that is
being tested

Result

Test the
functionality of
a file
downloaded
from internet
Test that GUI is
able to show
network traffic
Test the
mapping of files
to the
destination IP
address
Test the
functionality of
a file
downloaded
from internet
Test the
functionality of
a file
downloaded
from internet
Test the
decoded
information of
the selected file.

User saves the file

and views it later

File is saved

RS4

Passed

User sees the traffic

in graphical form.

Successful
representation
of traffic.
Correct IP
address is
mapped to the
file

RS1

Passed

RS2

Passed

User opens the

saved file for
viewing it.

File is opened

RS5

Passed

User prints the file.

The file is
printed on the
default printer.

RS6

Passed

User chooses from

the list to view
packet information.

The output is
displayed
correctly

RS3

Passed

User views the

destination IP
address attached to
each file.

Validation:
The system has been tested and implemented successfully and thus ensured
that all the requirements as listed in the software requirements specification are
completely fulfilled. In case of erroneous input corresponding error messages are
displayed.

79

8. SAMPLE SCREENS

80

81

82

83

84

85

86

87

9. CONCLUSION

88

In practice, there is not a typical network problem that cant be discovered

and solved using packet sniffer technology. Sniffers can be used as the first method of
attack on a number of issues that vary from overloaded networks to unresponsive
switches to lost packets. As a number of networks and nodes continue to grow and as
network speeds accelerate, it becomes more and more difficult to monitor a LAN by
using traditional tools, such as RMON (Remote Monitoring) probes. Packet sniffers,
by contrast, monitor traffic on network right down to the Header information on each
series of data. This means that u can actually track data from starting point to its end
point. Packet sniffers can also be used to identify the types of packets on a network
and discover whether or not the specific packet has any errors.

10. BIBLIOGRAPHY
89

 .Net: The Complete Reference

Elsevier Inc, Network programming .NET with C# and VB.NET

- Fiach Reid

O'Reilly - Programming C#

Sub main Dot NET Coding Guidelines

- Steve Sartain

Websites
-www.beesync.com
- www.cacetech.com

TCP/IP Protocol Suite

- Behrouz A. Forouzan

Object-Oriented Software Engineering

-Bernd Bruegge
-Allen H. Dutoit

90