REPORT ON PACKET SNIFFER INTRODUCTION: Packet sniffer is used to sniff network packets.

Packet sniffers are used by network administrators to manage network traffic and firewall applications to authenticate requested URLs. CONCEPT: Packet sniffer discussed in this report is used for Ethernet network. Ethernet is a broadcasting protocol. Every packet is broadcasted over the Ethernet hub. Node-Promiscuous mode: Since every packet is broadcasted over the Ethernet hub, it is responsibility of the particular host to check whether the broadcasted packet is destined for them. The host network card checks the destination MAC address in the Ethernet frame with its own MAC address (Every single network adapter will have unique MAC ID), if it matches the particular Ethernet frame will be accepted. This is called Non-Promiscuous mode of operation. Promiscuous mode: Non-promiscuous mode is default in all network adapters. But it can be changed to promiscuous mode. In promiscuous mode, the host will accept all broadcasted packets. By this, we can able to sniff packets meant for other IPs on the network. WORKING: The project coding is done on C using libraries supplied by WinPcap (Windows version of LibPcap). The Ethernet frame will be captured by using pcap_next_ex() function. The header and payload of the captured frame is separated by projecting a suitable header structure over the frame.

Fig.1 Captured Ethernet frame (String data type)

typedef struct mac_header { u_char d_mac[6]; u_char s_mac[6]; u_short eth_type; }mac_header;
Fig.2 Ethernet header mask (structure data type) 07/2/14 Page 1

The same method is repeated in Network and transport layer also to remove corresponding layer headers. Header fields are stored in structure data members for subsequent layer analyzing and user reference. I.e. Ethertype field in Ethernet frame is used for network layer classification, value of Ethertype field for IPV4 is 0x0800 and for ARP is 0x0806.

Fig.3 Layer hierarchy

FEATURES: The features implemented in the program are shown below 1. The packet capturing is multi-threaded. Hence captured packets can be viewed without affecting subsequent capture. 2. Checksum calculation is done for IP, TCP and UDP packets. Packets with checksum failed will not allowed for successive processing. 3. HTTP - Whenever a user is accessing a webpage, an HTTP GET request will be generated. The typical structure of the GET request is shown below. GET _______________ Requested URL_______________________ HTTPV 1.1\r\n Accept: */*Referer: _______Referrer URL_______________ etc.. Every GET requests are processed to filter out the requested URL. This provides a way to log all the URLs accessed in the network. 4. Packets window A comma separated value file for analyzing each packets using Microsoft excel is provided. The file will contains necessary informations like sender and Target IP addresses, port numbers, payload data and a brief comment about the packet. 5. Device summary Informations like name of the Network adapter, description, IP addresses associated with it will be displayed.

07/2/14

Page 2

5. Overall summary Informations like Time elapsed, total packets captured, average packet size, average packet per sec and average bytes per sec can be obtained. 6. Protocol summary Total number of packets captured, and total bytes of data of TCP, UDP and ARP are displayed. POTENTIAL APPLICATIONS: Packet sniffers are used by network administrators for network traffic management. They can be used as a firewall for restricting particular URLs and IPs inside a network. LIMITATION: The application shown above can sniff packets within the physical network only. It can be extended to an application which will be placed in remote network, captures the packets within the network and transmit the packet log to the server which lies outside the network.

07/2/14

Page 3