Design Implementation Of Network Protocol Analyzer Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Abstract - Network Protocol Analyzer (NPA) is also known as packet analyzer, network analyzer, packet sniffer. NPA monitors exactly what is happening on Network & observes what other users are doing. It is easy to use tool to capture the traffic on the Subnet & display real time statistics while capturing packets. Features are:-

Analyze network problems, Display list of IP addresses that are active on the network, Display different protocol information sent and received between every two communicating machines. Details of these communications are split and displayed into server. Display statically information of protocol analysis. Displays graphical representation of protocol analysis.

Network Protocol analyzers should provide three main sources of information about your LAN in addition; various protocols including TCP/IP are used in conjunction with networks. In order to detect protocol misbehaviors and failures in networks, it is required to analyze these protocols and inspect interactions among them. This project presents detailed design and implementation of our protocol analyzer for IP based networks.

Keywords: Packet sniffer, traffic analysis, packet capture, promiscuous mode, network monitoring, protocol analysis.


Network Protocol Analyzers (NPA) is a diagnostic tool for displaying and analyzing communications protocols. A protocol analyzer is the only tool that shows you exactly what is happening, with respect to flow on your LAN. Once a problem is isolated and recorded, there can be no denying which vendor, or which system is the cause. While protocol analyzers can be used by the (LAN) network a developer to view the exact contents of

network conversation, a modern protocol analyzer with a graphical user interface provides many other types of information beyond the bits and bytes of the actual protocols.

NPA is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

Promiscuous Mode

The packets are received by network interface card (NIC), which works in two modes either it Non promiscuous mode (normal mode) or Promiscuous mode. When a packet is received by a NIC, it first compares the MAC address of the packet to its own. If the MAC address matches, it accepts the packet otherwise filters it. This is due to the network card discarding all the packets that do not contain its own MAC address, an operation mode called non promiscuous, which basically means that each network card is minding its own business and reading only the frames directed to it. In order to capture the packets, NIC has to be set in the promiscuous mode. Packet sniffers which do sniffing by setting the NIC card of its own system to promiscuous mode, and hence receives all packets even they are not intended for it. So,

Packet sniffer captures the packets by setting the NIC card into promiscuous mode.

Figure 1: Network Interface Card (NIC)

To set a network card to promiscuous mode, all we have to do is issue a particular ioctl ( ) call to an open socket on that card and the packets are passed to the kernel. In figure 1 we can see network interface card (NIC).

Packet Sniffer working Mechanism

When the packets are sent from one node to another in the network, a packet has to pass through many intermediate nodes. A node whose NIC is set in the promiscuous mode tends to receives the packet. The packet arriving at the NIC are copied to the device driver memory, which is then passed to the kernel buffer from where it is used by the user application. In Linux kernel, libpcap uses "PF_PACKET" socket which bypasses most packet protocol processing done by the kernel. Each socket has two kernel buffers associated with it for reading and writing. By default in Fedora core 6, the size of each buffer is 109568 bytes. In our packet sniffer, at user level the packets are copied from the kernel buffer into a buffer created by libpcap when a live capture session is created.

Design Fundamentals of NPA

The NPA is constructed as an java program composed of a set of concurrent processes. Each process has a set of input and output channels, and for each channel there is a

defined protocol specifying the set of messages allowed on that channel. The TCP/IP PA can be executed, either in graphics mode, or in no-graphics mode (text mode). In the former case, it provides a user friendly interface, which involves the use of hierarchically organised menus combined with explanatory and error messages The NPA records and displays the following kinds of statistical information about the use of the network:

a) Traffic / Throughput: The traffic measured examining the transmitted packets.

b) Throughput of user data: The traffic measured examining the transmitted packets, but ignoring packet headers. It is traffic initiated from the user.

c) Traffic and source / destination addresses: The percentage of traffic related with the ten most popular source / destination addresses. An address consists of an IP address (in dotted form) and a port.

d) Traffic and protocols: The percentage of traffic related with UDP, TCP, and ICMP.

e) Traffic and source / destination IP addresses: The percentage of traffic related with the ten most popular source / destination IP addresses. It given in their dotted form.

f) Traffic and source / destination ports: The percentage of traffic related with the ten most popular source / destination ports (TCP or UDP).

g) Distribution of packet sizes: The size distribution of the examined packets, etc

Implementation Issues

During the implementation phase of the NPA, emphasis was given at the correctness, efficiency, understandability, and maintainability of the code. These objectives were partly supported by the inherent characteristics of java. Additionally, special care was taken in the following manner:

1) In all expressions/type conversions are explicitly.

2) Operator precedence is explicitly indicated by the use of brackets.

3) Suitable and meaningful variable and constant identifiers are used throughout the program, and make it more readable.

4) A folding editor was used for the implementation of the program. The folding editor, not only increased the ease with which program indentation was handled, but also provides a visible hierarchical structure which reflects that of the program The chosen process decomposition and the appropriate buffering of data flowing through the system, ensures the efficiency of the program and increases its maintainability.

5) The trade-off between computation and communication was carefully taken into account.

6) The exploitation of the inherent parallelism of the program was attempted.

7) Abbreviations are used where necessary to improve the efficiency of data access.


Configure and apply capture filters: Protocol analyzers typically store captured data in a capture buffer which is part of RAM memory. Because RAM memory is limited, the capture buffer can be quickly filled when promiscuously monitoring an active LAN. You may configure the analyzer to either stop capturing when the buffer becomes full, or to over right the oldest data. But the best way to utilize the capture buffer involves capturing only the frames that are relevant to your current task. This is accomplished thru the use of capture filters. Capture filters affect what frames are allowed to enter your capture buffer. By selectively filling the buffer with only relevant frames, better use of the limited space is possible. Capture filters are defined and applied in Ethereal using the "Capture Filters…" item located under the "Edit" menu and the "Filters" setting in the "Ethereal: Capture Options: window which appears just prior to capturing traffic.

Configure and apply decode filters: Even when using capture filters, the amount of captured data can be overwhelming. When trying to analyze the data, frequently it's helpful to look at a capture from several different angles. Sometimes patterns can be more easily spotted by focusing on only a portion of traffic, such as that between a particular pair of stations, or a particular protocol type, and temporarily eliminate other distracting traffic. Yet, if an analysis requires more than one perspective, you still have the relevant data captured and can simply apply a different display filter without having to recapture data. This "post processing" of the captured data is more forgiving than a capture filter for that reason. If capture buffer space allows, it's frequently helpful to capture all traffic, and simply use decode filters later to look at only what you're interested in.

Intrusion Detection Using NPA

The term "Intrusion Detection" implies discovering attacks and threats throughout an enterprise or organization, and responding to those discoveries. In context to our paper, as we know that packet sniffer can be used for malicious purpose the same can be used for intrusion detection also. Using this methodology, the Intrusion Detection software is placed on the system, which puts the Ethernet card in "promiscuous mode" so that the software can read and analyze all traffic. It does this by examining both the packet header fields and packet contents. The Intrusion Detection software like packet sniffers includes an engine, which looks for specific types of network attacks, such as IP spoofing and packet floods. When the packet sniffer detects a potential problem it responds immediately by notifying to the administrator by various mode such as console, beeping a pager, sending an e-mail, or even shutting

down the network session. The diagram below shows a typical deployment of sniffers for doing packet analysis. A sniffer is placed outside the firewall to detect attack attempts coming from the Internet. A sniffer is also placed inside the network to detect internet attacks, which penetrate the firewall and to assist in detecting internal attacks and threats.

Figure 2: Intrusion Detection over LAN.


A protocol analyzer is the only tool that shows you exactly what is happening, with respect to traffic flow on your LAN. A packet analyzer (also known as a network analyzer or sniffer) is computer software or computer hardware that can intercept data streams flow across the network, the sniffer captures each packet and eventually analyzes its content / other specifications. The versatility of packet sniffers means they can be used to:

Analyze network problems, Gain information for effecting a network intrusion, Monitor network usage, Gather and report network statistics, Network probe will let you see all the network protocols in use on your network.

It will show you the protocol names, ports, and descriptions, the amount of traffic seen, the throughput, and the number of hosts and conversation using each protocol. It also displays graphical representation of communication between clients.