
Network Packet Analyzer

A Case Study of Uganda Christian University

By

Joseph Brian Kasozi Musanje


S09B23/323

Department of Information Technology


Faculty of Science and Technology

A Project Report Submitted to the Faculty of Science and Technology


For the Study Leading to a Project in Partial Fulfilment of the
Requirements for the Award of the Degree of Bachelor of
Science in Computer Science of Uganda Christian
University.

Supervisor
INNOCENT NDIBATYA

Department of Information Technology


Faculty of Science and Technology, Uganda Christian University.

April, 2012
Acknowledgement

First I give the Glory to God, the source of strength and grace, for granting me both mental and physical
endurance, persistence and consistency to complete all the tasks assigned to me by my supervisor
during this research.
Credit is given to Mr. Ndibatya Innocent, who has been a very strong pillar to the success of this
research; following his guidance and advice as a supervisor has created a lot of confidence and
persistence, hence the completion of the research.
Secondly I wish to acknowledge Mr. Wabwire John Bosco, who has been a great inspiration during
the course of the research.
Special thanks go to my parents Mr. and Mrs. Musoke for the support and advice given to me
during the research; without them I would not have succeeded.
I cannot forget to acknowledge Kisakye Charles, Male Henry Kenneth, Komugabe Maureen and
Kyambadde Michael; they have been very good friends and have helped during the course of the
research.
May the good Lord bless you all.

Declaration

I, Joseph Brian Musanje Kasozi, S09B23/323, hereby declare that this research project report is my
original work. All that is in this report was researched and compiled by me. I did not copy, and no one
copied my work.

……………………………… ………………………………….
Signature Date

Approval

I, ……………………………………………., Project Supervisor, hereby approve this Research Project
Report by Joseph Brian Musanje Kasozi [S09B23/323] as fulfilling all the requirements stated
by the Faculty of Science and Technology, Uganda Christian University.

……………………………………… ………………………………………
Signature Date

Table of Contents
Acknowledgement......................................................................................................................................I
Declaration................................................................................................................................................II
Approval..................................................................................................................................................III
Table of Contents.....................................................................................................................................IV
List of Figures..........................................................................................................................................VI
ABSTRACT...........................................................................................................................................VII
LIST OF ACRONYMS...........................................................................................................VIII
CHAPTER ONE:.......................................................................................................................................1
1.0 Introduction......................................................................................................................................1
1.1 Background......................................................................................................................................1
1.2 Problem Statement...........................................................................................................................1
1.3 OBJECTIVES..................................................................................................................................2
1.4 Significance......................................................................................................................................2
1.5 Scope................................................................................................................................................2
CHAPTER TWO: LITERATURE REVIEW............................................................................................3
2 Introduction.........................................................................................................................................3
2.0 Information and Network Security...................................................................................................3
2.1 Differentiating Data Security and Network Security.......................................................................3
2.2 Technology for Internet Security.....................................................................................................5
CHAPTER THREE: METHODOLOGY................................................................................................10
3.0 INTRODUCTION.............................................................................................................................10
3.1 ANALYSIS PHASE.......................................................................................................................10
3.1.1 SYSTEM ANALYSIS.................................................................................................................10
3.2 DESIGN PHASE...........................................................................................................................13
3.3 IMPLEMENTATION PHASE.......................................................................................................18
3.4 TESTING AND VALIDATION..................................................................................................19
CHAPTER FOUR: RESULTS AND SYSTEM IMPLEMENTATION..................................................20
4.2 Components of the Network Traffic Analysis Application............................................................22
CHAPTER FIVE: CONCLUSIONS.......................................................................................................25
5.1 Challenges......................................................................................................................................25
5.2 Solutions to the Challenges............................................................................................................25
5.3 Recommendations..........................................................................................................................25
5.4 Conclusion.....................................................................................................................................26
REFERENCES........................................................................................................................................27
APPENDICES.........................................................................................................................................28
APPENDIX 1: Admin login Code............................................................................................28
APPENDIX 2: HTTP Analyzer...............................................................................................31
APPENDIX 3: Select Network Dialog Box............................................................................................33
APPENDIX 4: Line Graph......................................................................................................................33

List of Figures

Figure 3.1: CLASS DIAGRAM…………………..…………………………………..…...…14


Figure 3.2: Sequence Diagram………………………...………………………………………15
Figure 3.3 Use Case Diagrams …………………………...…………………………….…..…16
Figure 3.4 Data Flow Diagrams …………………………..…………………………………..17
Figure 4.1: Flow Chart……………………………………….………………………………..20
Figure 4.3: Shows The Interface……………………………….………………………...…....22
Figure 4.5 Pie Chart……………………………………………….……………….………..…23
APPENDIX 3: Select Network Dialog Box………………………….……………………..32
APPENDIX 4: Line Graph…………………………………………………………………….32

ABSTRACT

Uganda Christian University has adopted computer networks to ease the sharing of data and other
resources. This has improved service delivery and academics at large.

However, the University faces a fundamental threat of denial of service (DoS), where the network is
slowed down by irrelevant usage. This can be addressed by managing and monitoring the packets
communicated over the network with a network packet analyzer.

Network packets carry a great deal of useful information about network activity that can serve as a
description of general network behaviour. Network packet analyzers are therefore a useful tool for
system and network administrators to capture such information. This report describes an
implementation built on the Java packet capture library (Jpcap) [4], a popular Java network library.
The tool is fully configurable and concentrates on flexible input and output options, so that it can
easily be incorporated into a network to perform more complicated tasks, such as real-time online or
offline network monitoring and management.

LIST OF ACRONYMS

UDP User Datagram Protocol
TCP Transmission Control Protocol
ICMP Internet Control Message Protocol
ARP Address Resolution Protocol
DoS Denial of Service
JPCAP Java Packet Capture
UCU Uganda Christian University
HTTP Hypertext Transfer Protocol
GUI Graphical User Interface
FOST Faculty of Science and Technology
SSH Secure Shell

CHAPTER ONE:

1.0 Introduction
In modern society computers are no longer treated as stand-alone machines; instead they communicate
to share resources and data through computer networks. Network packets are the units of data
travelling in these networks, and they carry all the information from a source to its final destination.
A large amount of personal and commercial activity takes place on the network, and security has
become of great importance because of the Internet. System and network technology is a key
technology for a wide variety of applications, and security is crucial to both networks and
applications. Although network security is a critical requirement in emerging networks, there is a
significant lack of security methods that can be easily implemented to make full use of it.

1.1 Background
Uganda Christian University is located 23 kilometres from Kampala, in Mukono town, along the
Kampala-Jinja road. It is a private university, chartered and fully accredited by the President of the
Republic of Uganda, through the Ministry of Higher Education and Sports and the National Council
for Higher Education. UCU is owned by the Province of the Church of Uganda and has campuses in
Eastern, Western and Northern Uganda. The University was born in 1997 out of Bishop Tucker
Theological College, which was founded in 1913.
Recent interest in security was fuelled by the crimes of Kevin Mitnick, who committed the largest
computer-related crime in U.S. history [3]; the losses were eighty million dollars in U.S. intellectual
property and source code from a variety of companies [3]. Since then, information security has been
in the spotlight. Uganda Christian University has an information technology policy that governs all
its information technology assets, among them the network resources used by both students and
staff, who in the long run violate the policy.

1.2 Problem Statement

As technology advances, Uganda Christian University has adopted the use of networks to ease the
sharing of data and other resources. However, the University has faced a fundamental threat of denial
of service (DoS), where the network is slowed down by irrelevant usage by selfish students and staff.
This is not a deliberate attack from outside but resource exhaustion caused by excessive use from
inside the network; the effect on users, a slow Internet connection, is the same. This called for an
investigation of how the network is utilised, and hence the development of a network packet analyzer
that helps in analysing and managing network traffic, thus improving the efficiency of the network.

1.3 OBJECTIVES
1.3.1 Main Objective

The purpose of this project was to develop a network packet analyzer to help in controlling,
monitoring and managing both the wired and wireless networks of Uganda Christian University, thus
improving their efficiency.

1.3.2 Specific Objectives

i. To investigate the network analyzer tools currently used at Uganda Christian University
ii. To design a prototype of a network packet analyzer
iii. To implement the prototype of the application
iv. To test and validate the prototype

1.4 Significance
Personally, this project improved my skills in system analysis and design because it enabled me to
learn, and it has shaped me for the tasks ahead. This project was also a partial fulfilment of the
requirements for the award of the Degree of Bachelor of Science in Computer Science of Uganda
Christian University.

The importance of this project to the students of the University is that it will enable them to learn more
about network traffic analysis, and this will also broaden their knowledge and skills about networks
and protocols.

The system developed will help reduce network misuse and overload during peak hours, since it
shows the administrators the statistics of all the traffic over the network, reducing the chances of a
slow Internet connection.

1.5 Scope
The project targeted the network environment of the Faculty of Science and Technology of Uganda
Christian University, where the users of the network number over one hundred.

CHAPTER TWO: LITERATURE REVIEW

2 Introduction
A literature review is the process of searching for, collecting and analysing the concluded debates and
issues raised in work done in the past. It also provides examples, case studies and other relevant work
done by other people, and it gives the chance to investigate areas and read about subjects that one may
not have thought about before.

2.0 Information and Network Security

Information system security processes and activities provide valuable input into managing IT systems
and their development, enabling risk identification, planning and mitigation.
Considering network security, it must be emphasised that the whole network has to be secure.
Network security does not only concern the security of the computers at each end of the
communication chain. When transmitting data, the communication channel itself should not be
vulnerable to attack: an attacker who can reach the channel may intercept the data, attempt to decrypt
it, and then inject false messages. Securing the network is as important as securing the computers and
encrypting messages, so as to achieve the fundamental and critical properties of information, namely
confidentiality, integrity and availability (CIA).

2.1 Differentiating Data Security and Network Security

Data security is the aspect of security that allows a client's data to be transformed into unintelligible
data for transmission. Even if this unintelligible data is intercepted, a key is needed to decode the
message. This method of security is effective to a certain degree: cryptography that was strong in the
past can be easily broken today, so cryptographic methods have to continue to advance as the
capabilities of attackers advance. When transferring ciphertext over a network, it is helpful to have a
secure network. This protects the ciphertext, so that fewer people will even attempt to break the code.
A secure network will also prevent someone from inserting unauthorised messages into the network.
Therefore hard ciphers are needed as well as attack-hard networks [7].

2.1.1 Common Network Attack Methods

Common Internet attack methods fall into categories. Some attacks gain system knowledge or personal
information, such as eavesdropping and phishing. Others interfere with the system's intended function,
such as viruses, worms and Trojans. A third form of attack consumes the system's resources uselessly;
this is the denial of service (DoS) attack. Other forms of network intrusion also exist, such as land
attacks and teardrop attacks. These are not as well known as DoS attacks, but they are used in some
form or another even if they are not mentioned by name.
i) Eavesdropping

Interception of communications by an unauthorised party is called eavesdropping. Passive
eavesdropping is when the intruder only secretly listens to the networked messages. Active
eavesdropping is when the intruder listens and also inserts something into the communication stream,
which can lead to the messages being distorted. Sensitive information can be stolen either way [8].
ii) Viruses
Viruses are self-replicating programs that use files to infect and propagate [8]. Once an infected file is
opened, the virus activates within the system.
iii) Worms
A worm is similar to a virus in that both are self-replicating, but a worm does not require a file in
order to propagate [8]. There are two main types of worms: mass-mailing worms and network-aware
worms. Mass-mailing worms use email as the means to infect other computers. Network-aware worms
are a major problem for the Internet: a network-aware worm selects a target and, once it reaches the
target host, infects it by means of a Trojan or otherwise.
iv) Trojans
Trojans appear to the user to be legitimate programs, but actually have some malicious purpose.
Trojans usually carry a payload such as a virus [8].
v) Phishing
Phishing is an attempt to obtain confidential information from an individual, group or organisation [9].
Phishers trick users into disclosing personal data such as credit card numbers, online banking
credentials and other sensitive information.
vi) IP Spoofing Attacks
Spoofing means making the address of a computer mirror the address of a trusted computer in order
to gain access to other computers. The identity of the intruder is hidden by various means, making
detection and prevention difficult. With the current IP protocol, spoofed IP packets cannot be
eliminated [8].
vii) Denial of Service
Denial of service is an attack in which a system receiving too many requests cannot return
communication to the requesters [9]. In the common TCP SYN flood, the system allocates resources
for each half-open connection while it waits for the three-way handshake to complete. Eventually the
system cannot respond to any more requests, rendering it without service.

2.2 Technology for Internet Security

Internet threats will continue to be a major issue globally as long as information is accessible and
transferred across the Internet. Different defence and detection mechanisms have been developed to
deal with these attacks.

2.2.1 Cryptographic systems

Cryptography is a useful and widely used tool in security engineering today. It involves the use of
codes and ciphers to transform information into unintelligible data.

2.2.2 Firewall

A firewall is a typical border control mechanism or perimeter defense. The purpose of a firewall is to
block traffic from the outside, but it could also be used to block traffic from the inside. A firewall is the
front line defense mechanism against intruders. It is a system designed to prevent unauthorized access
to or from a private network. Firewalls can be implemented in both hardware and software, or a
combination of both [8].

2.2.3 Intrusion Detection Systems

An Intrusion Detection System (IDS) is an additional protection measure that helps ward off computer
intrusions. An IDS can be a software or hardware device used to detect an attack. IDS products
monitor connections to determine whether attacks are being launched. Some IDS systems just monitor
and alert on an attack, whereas others (intrusion prevention systems) also try to block it.

2.2.4 Anti-Malware Software and scanners

Viruses, worms and Trojan horses are all examples of malicious software, or malware for short.
So-called anti-malware tools are used to detect them and disinfect a compromised system.

2.2.5 Secure Socket Layer (SSL)

The Secure Socket Layer (SSL) is a suite of protocols that is the standard way to achieve a good level
of security between a web browser and a website. SSL creates a secure channel, or tunnel, between
the browser and the web server, so that any information exchanged is protected within the tunnel.
SSL authenticates the server to the client through the certificate the server presents; optionally, a
client can also present a certificate to the server to prove its identity, although most websites rely on
passwords for client authentication instead.
Among the security technologies that can be used on a local area network to mitigate risks is a
network analyzer, also called a packet analyzer, which is a combination of hardware and software or,
in some cases, a stand-alone hardware device that can be installed in a computer or on a network to
enhance protection against malicious activity. Network analyzers can also analyse packets in real
time in order to alert the administrator about problems. A network analyzer, also called a "packet
analyzer", "traffic analyzer" or "protocol analyzer" [5], plugs into a port on a network hub or switch
and decodes one or more protocols into a human-readable format for the network administrator. On a
switched network the analyzer's port must be configured as a mirror (SPAN) port, or the analyzer
placed in-line, because a switch forwards each frame only to the port of its destination. The functions
of a network analyzer include [6]:
i) Providing detailed statistics for current and recent activity on the network
ii) Detecting unusual levels of network traffic
iii) Detecting unusual packet characteristics
iv) Identifying packet sources or destinations
v) Configuring alarms for defined threats
vi) Searching for specific data strings in packets
vii) Monitoring bandwidth utilisation as a function of time
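The decoding and statistics functions listed above, as an added Python illustration (the project itself is written in Java on the Jpcap library, and this is not its code): it parses constructed Ethernet/IPv4 frames with their TCP, UDP and ICMP headers, counts packets per protocol and bytes per destination, and flags the half-open-connection pattern of the SYN flood described under Denial of Service in section 2.1.1. The frames, the addresses and the alarm threshold of 20 SYNs are assumptions made for the example.

```python
import struct
from collections import Counter

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PROTO_NAMES = {PROTO_ICMP: "ICMP", PROTO_TCP: "TCP", PROTO_UDP: "UDP"}
TCP_SYN, TCP_ACK = 0x02, 0x10


def decode(frame):
    """Header fields an analyzer displays, or None for a non-IPv4 or truncated frame."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    pkt = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
           "proto": proto, "len": total_len, "sport": None, "dport": None, "flags": 0}
    l4 = ip[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP and len(l4) >= 14:
        pkt["flags"] = l4[13]  # TCP flag byte: 0x02 = SYN, 0x10 = ACK
    return pkt


class Analyzer:
    """Counters behind the statistics display and the SYN-flood alarm."""

    def __init__(self, syn_threshold=20):
        self.syn_threshold = syn_threshold  # assumed alarm level for this example
        self.proto_count = Counter()
        self.bytes_by_dst = Counter()
        self.syn_by_src = Counter()
        self.ack_by_src = Counter()

    def feed(self, frame):
        pkt = decode(frame)
        if pkt is None:
            return None
        self.proto_count[PROTO_NAMES.get(pkt["proto"], str(pkt["proto"]))] += 1
        self.bytes_by_dst[pkt["dst"]] += pkt["len"]
        if pkt["proto"] == PROTO_TCP:
            if pkt["flags"] & TCP_SYN and not pkt["flags"] & TCP_ACK:
                self.syn_by_src[pkt["src"]] += 1  # new connection attempt
            elif pkt["flags"] & TCP_ACK:
                self.ack_by_src[pkt["src"]] += 1  # handshake completed or data flowing
        return pkt

    def syn_flood_suspects(self):
        """Sources whose SYNs reach the threshold while their ACKs stay below a fifth of that."""
        return sorted(src for src, syns in self.syn_by_src.items()
                      if syns >= self.syn_threshold and self.ack_by_src[src] * 5 < syns)


def build_frame(src, dst, proto, sport=0, dport=0, flags=0, payload=b""):
    """Construct a test frame; checksums are left zero, which decode() does not verify."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0) + payload  # ICMP echo request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def sample_traffic():
    """Constructed traffic: a normal web session, a DNS query, a ping, a SYN flood and an ARP frame."""
    frames = [
        build_frame("10.0.5.10", "93.184.216.34", PROTO_TCP, 51000, 80, TCP_SYN),
        build_frame("93.184.216.34", "10.0.5.10", PROTO_TCP, 80, 51000, TCP_SYN | TCP_ACK),
        build_frame("10.0.5.10", "93.184.216.34", PROTO_TCP, 51000, 80, TCP_ACK, b"GET / HTTP/1.0\r\n\r\n"),
        build_frame("10.0.5.10", "10.0.0.1", PROTO_UDP, 40000, 53, payload=b"\x00" * 30),
        build_frame("10.0.5.11", "10.0.0.1", PROTO_ICMP),
    ]
    # one host spraying SYNs at a server from 30 ports and never completing a handshake
    frames += [build_frame("10.0.5.99", "10.0.0.20", PROTO_TCP, port, 80, TCP_SYN)
               for port in range(52000, 52030)]
    frames.append(b"\xaa" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28)  # ARP: not decoded
    return frames


def analyze(frames, syn_threshold=20):
    analyzer = Analyzer(syn_threshold)
    for frame in frames:
        analyzer.feed(frame)
    return analyzer


if __name__ == "__main__":
    an = analyze(sample_traffic())
    print("packets by protocol:", dict(an.proto_count))
    print("bytes by destination:", dict(an.bytes_by_dst))
    print("SYN-flood suspects:", an.syn_flood_suspects())
```

The SYN/ACK ratio is a crude but cheap signal: a legitimate client that opens many connections also sends ACKs, while a flooding host (or a spoofed source) never does. On a live capture the counters would be reset per time window so that old traffic does not mask a new burst.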

2.2.5.1 A Study of Analyzing Network Traffic as Images in Real-Time

This study employs packet header data collected at a network access point for traffic analysis. The
data includes source and destination addresses, port numbers, traffic volume in bytes and packets, and
other useful information [3]. The concept of end-to-end is used in contrast with hop-by-hop. Data
transmission seldom occurs only between adjacent nodes, but via a path which may include many
intermediate nodes. End-to-end delay is the sum of the delays experienced at each hop from the source
to the destination. The delay at each intermediate node has two components: a fixed delay, which
includes the transmission at the sending node and the propagation over the link to the next node, and a
variable delay, which includes the processing and queuing at the sending node.

2.2.5.2 Enhancing Visual Analysis of Network Traffic Using a Knowledge Representation

The last decade has seen rapid growth in both the volume and variety of network traffic, while at the
same time it is becoming even more important for analysts to understand network behaviour in order
to provide quality of service, security and misuse monitoring [4]. To aid analysts in these tasks,
researchers are seeking better visual analysis techniques for network traffic. The authors of [4] present
a network traffic visualisation system that enables previous visual discoveries to be reused in analysis.
The system accomplishes this by allowing the analyst to interactively create models of observed
patterns, which are stored in a reusable knowledge base. The reuse of knowledge creates the analytical
cycle shown in Figure 2.0.

Figure 2.0: The analytical cycle

In the cycle, (1) the analyst uses visualisation enhanced with previous knowledge to discover patterns
in the data; (2) once a pattern is discovered, the analyst creates a model for the pattern; (3) the analyst
commits the model to the knowledge base for reuse in future analysis.

The models discussed in that paper are useful in the development of my system, as they create patterns
to be captured. For example, to capture the pattern exhibited by a web page load, the analyst selects
one horizontal sequence of marks from the visualisation. The system then identifies predefined
predicates that are true for the selected events; in this example the following predicates are identified:
"from same IP", "to same IP", "temporal locality", "source port locality", "destination port HTTP".
The analyst then engages in an interactive loop to create a clause describing the pattern from the
identified predicates.

2.3 EXISTING APPLICATIONS

Existing applications include the following.


Wireshark
Wireshark, known as Ethereal until a trademark dispute in summer 2006, is an open source,
multi-platform network protocol analyzer. It allows you to examine data from a live network or from a
capture file on disk. You can interactively browse the capture data, delving down into just the level of
packet detail you need. Wireshark has several powerful features, including a rich display filter
language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds
of protocols and media types. A tcpdump-like console version named tshark is included. One word of
caution: Wireshark has suffered from dozens of remotely exploitable security holes in its protocol
dissectors, so stay up to date and be wary of running it on untrusted or hostile networks (such as at
security conferences).
Cain and Abel
UNIX users often assert that the best free security tools support their platform first and that Windows
ports are an afterthought. They are usually right, but Cain & Abel is a glaring exception. This
Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords
by sniffing the network, crack encrypted passwords using dictionary, brute-force and cryptanalysis
attacks, record VoIP conversations, decode scrambled passwords, reveal password boxes, uncover
cached passwords and analyse routing protocols.
Kismet
Kismet is a console-based 802.11 layer-2 wireless network detector, sniffer and intrusion detection
system. It identifies networks by passively sniffing (as opposed to more active tools such as
NetStumbler), and can even de-cloak hidden (non-beaconing) networks if they are in use. It can
automatically detect network IP blocks by sniffing TCP, UDP, ARP and DHCP packets, log traffic in
Wireshark/tcpdump compatible format, and even plot detected networks and estimated ranges on
downloaded maps. As you might expect, this tool is commonly used for wardriving.
KisMAC

This popular wireless stumbler for Mac OS X offers many of the features of its namesake Kismet,
though the code base is entirely different. Unlike the console-based Kismet, KisMAC offers a GUI
and was around before Kismet was ported to OS X. It also offers mapping, pcap-format import and
logging, and even some decryption and de-authentication attacks.
Ettercap
Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections,
content filtering on the fly and many other interesting tricks. It supports active and passive dissection
of many protocols (even encrypted ones) and includes many features for network and host analysis.
Dsniff

This popular and well-engineered suite by Dug Song includes many tools: dsniff, filesnarf, mailsnarf,
msgsnarf, urlsnarf and webspy passively monitor a network for interesting data (passwords, e-mail,
files, etc.); arpspoof, dnsspoof and macof facilitate the interception of network traffic normally
unavailable to an attacker (for example, because of layer-2 switching); and sshmitm and webmitm
implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by
exploiting weak bindings in ad hoc PKI [9].
Most of these tools display packet information without any facility to change or control the packets
(Ettercap's content filtering being the exception), and for large networks it would be necessary to store
gigabytes of event data every day. The new program captures Internet packets in real time, displays the
fields we want, monitors any field in a specific header, and controls incoming and outgoing packets.
This will increase the efficiency of the network.

CHAPTER THREE: METHODOLOGY

3.0 INTRODUCTION
The methodology used in developing this application was the incremental development model, in
which analysis, design and implementation were performed and a number of increments were
produced, which were later integrated to make the full system.

3.1 ANALYSIS PHASE

This phase answered the questions of who would use the system, what the system would do, and where
and when it would be used. It included the following:
- Analysis of the current system.
- Gathering of the information required to develop the system.
- Characterising network traffic, which meant identifying the sources, destinations, direction and
volume of network traffic and the type of flow between these points.

3.1.1 SYSTEM ANALYSIS

This involved gathering all information about the current system in use for analysing and monitoring
network traffic and studying its strengths and weaknesses. The analysis informed the design of the
proposed system.

3.1.1.0 Strengths of the Current System

- In the current system network overload is identified manually: the administrator is notified by the
users that the network is slow.

- The current system limits the number of users on the network during peak hours by disconnecting
some of them.

3.1.1.1 Weaknesses of the Current System

- The current system does not account for network overload.

- The current system does not analyse the performance of the network.

- The current system does not report traffic statistics for a given period.

3.1.1.2 The New Implemented System

The proposed system analyses and monitors the sources and destinations of traffic, blocks heavy
websites, counts packets dropped during network overload and congestion, displays packet traffic by
protocol through filtering, and presents traffic statistics graphically.

3.1.2 USER REQUIREMENTS

These are the requirements that users expect the system to meet in order to fulfil their needs. They are categorized into two, namely functional and non-functional requirements.

3.1.2.1 System Functional requirement

Functional requirements define what a system is supposed to do. They are usually phrased in the form "the system shall (do requirement)".

The system performs the following functions for the users:

• The application allows the administrator (user) to select the interface to capture.

• The application allows the user to select the protocols to filter.

• The application allows the user to change the interface to capture.

• The application allows the user to clear all details displayed.

• The application allows the user to stop the capture.

• The application detects low-priority destinations and drops their packets.

3.1.2.2 Non-functional requirements

A non-functional requirement is a requirement that specifies criteria that can be used to judge the operation of a system, rather than specific behaviors. Non-functional requirements are phrased in the form "the system shall be (requirement)". They are often called qualities of a system; other terms for non-functional requirements are constraints, quality attributes, quality goals, quality of service requirements and non-behavioral requirements. Non-functional requirements can be divided into two main categories.

I. Execution qualities, such as security and usability, which are observable at run time.

II. Evolution qualities, such as testability, maintainability, extensibility and scalability, which are
embodied in the static structure of the software system.

The system requires the user to have knowledge about networking and its principles.

The security of the application is implemented in such a way that, to get access to it, one has to have a username and password plus administrative rights.

3.1.3 SYSTEM REQUIREMENTS

3.1.3.1 Software requirements

This involves the unseen side of the system, the side which supports it; it is also referred to as the backbone of the system. The following are the tools that were used:

Windows 7 operating system for the client computer.

Java Development Kit 6 (JDK 6).

Java programming language with the NetBeans IDE.

Java packet capture library (Jpcap). This is the library through which packets are captured from the interfaces, and it is platform (operating system) independent.

Jpcap.dll file. This is the native library for the Jpcap classes used in coding; it is moved into the JDK library files.

3.1.3.2 Hardware Requirements

This involves what the system will run on: the physical components of the system, through which the user interacts with it. They include:

Hard disk of 20 GB

Processor speed of 1.66 GHz

Random Access Memory (RAM) of 2 GB

3.2 DESIGN PHASE


Systems design is the process or art of defining the architecture, components, modules, interfaces and data for a system to satisfy specified requirements. One could see it as the application of systems theory to product development. The following were the steps taken:
• Designed a flow chart diagram of the system to show the movement of data.
• Designed a class diagram to show the relationships among the components in my system.
• A data flow diagram was used to show how data flows from one process to another.
• Use case diagrams were also used to help identify the different functions a user can perform.
• An entity relationship diagram was also designed to show the different tables linked to the application and how they interrelate.

3.2.1 Conceptual design

The following models show the different system components and how data flows from one component to another to achieve the system's goal. They also show the unseen side of the system.

3.2.1.1 Unified Modeling Language Class Diagram

The purpose of a class diagram is to depict the classes within a model. In an object-oriented application, classes have attributes (member variables), operations (member functions) and relationships with other classes. In a class diagram we can show the member variables and member functions of a class. We can also show whether one class inherits from another, or whether it holds a reference to another.

Figure 3.1: CLASS DIAGRAM

3.2.1.2 Sequence Diagram

A sequence diagram in Unified Modeling Language (UML) is a kind of interaction diagram that
shows how processes operate with one another and in what order. It is a construct of a Message
Sequence Chart. A sequence diagram shows object interactions arranged in time sequence. It depicts
the objects and classes involved in the scenario and the sequence of messages exchanged between the
objects needed to carry out the functionality of the scenario. Sequence diagrams typically are
associated with use case realizations in the Logical View of the system under development.

[Figure 3.2 residue: lifelines administrator, button control, start capture, packet capture, reports, IP Address; messages press, invokes, generates, view, save/print, add/remove]
Figure 3.2: Sequence Diagram

3.2.1.3 Use case Diagram


In software and systems engineering, a use case is a list of steps, typically defining interactions
between a role (actor) and a system, to achieve the system goal.

[Figure 3.3 residue: actors User and System; use cases Start Monitoring, Start Capture, Capture Packets, Get Packet Header, Get Packet Data, Display Graph, Save/Open Packets, Monitor destination, Drop packet, Stop Capturing]

Figure 3.3 Use case diagrams
Figure 4.4 illustrates how the application and the user interwork to achieve the desired goal. It shows the different functionalities a user can perform as well as those of the system.
The user can start the capture, stop the capture and save logs, while the application can start monitoring the network, display graphs, get packet headers and destinations, drop unwanted packets and get packet data.

Data Flow Diagram

Figure 3.4 Data Flow diagrams

The data flow diagram illustrates the different processes and how data flows from one process to another.
Here the administrator runs the application, after which he is required to log in with a valid username and password. He then has to select the network interface whose traffic is to be captured. When the interface is selected and the capture started, the host machine is put into promiscuous mode (a mode in which a network device is able to intercept and read each network packet that arrives, in its entirety). The host machine is now able to capture all network traffic on that particular interface.
The administrator is then able to determine the network traffic flow and the different protocols used at that particular time, since the host machine is able to capture all traffic to and from the hosts on the network.
The administrator is now able to determine the different irrelevant destinations by matching the Internet Protocol addresses captured against those stored in the database, after which all packets to a given destination can be blocked, hence improving the efficiency of the network. After the capture, the administrator is able to save the captures for further analysis.
On the management side, the administrator can also manage other users; he can add or delete users as illustrated in figure 4.5.

3.3 IMPLEMENTATION PHASE
Under this phase the developed system was installed and tested, and it performed as designed; contained in this section is a post-implementation review of the system.

3.3.1 Java

Java was used because it is a general-purpose, concurrent, class-based, object-oriented language that is
specifically designed to help implement platform independent applications. It is intended to let
application developers "write once, run anywhere".

3.3.2 Simulation

Network simulation is a technique in which a program simulates the behavior of a network. This simulation was performed using the Uganda Christian University LAN traffic.

3.4 TESTING AND VALIDATION

3.4.1 Testing

The system was tested by compiling and running it using the NetBeans integrated development environment 6.9.1, and it was found bug free.

3.4.2 Validation

The application was made available to my project supervisor to interact with, and he validated it since it was able to capture, monitor and block heavy or unwanted websites on the network.

CHAPTER FOUR: RESULTS AND SYSTEM IMPLEMENTATION
4.1 Introduction
This chapter deals with the results of the design and implementation of the system. The system is made up of various components which help it achieve its intended objectives as proposed in the earlier chapters. In this chapter the application's Graphical User Interface will be analyzed as well as its underlying logic.

4.1.1 System Flow


This is a diagrammatic representation that illustrates the sequence of operations to be performed to get a solution to a problem. Symbols of different shapes are used with different meanings; the symbols are linked with directed lines (lines with arrows) showing the flow of data through the system.
When the application is started the user is prompted to select the network interface whose traffic is to be captured. The host machine is then put into promiscuous mode and is able to capture all the traffic via its network card.
All TCP, ARP, UDP and ICMP traffic is captured and decoded, that is, transformed into understandable language which is displayed on the capture window.
If the number of packets to a given destination exceeds the set value they are dropped. This is done by blocking the destination name from communicating with the local hosts, using AnyWebLock.
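The count-and-drop step of this flow, as an added example that is not part of the project's code: it counts packets per destination and per protocol, blocks a destination once its captured IP matches a Webs-style table or its packet count reaches the set value, and reports the dropped count. Class, method and field names are assumptions, and the sample addresses are constructed from the RFC 5737 documentation ranges.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not the project's code: the count-and-drop step of the flow chart.
// Class, method and field names are assumptions; the addresses are constructed.
public class DestinationMonitor {
    // Stand-in for the Webs table: IP address -> domain name of a low-priority destination.
    static final Map<String, String> WEBS = new HashMap<String, String>();
    static {
        WEBS.put("192.0.2.10", "heavy.example");
    }

    private final int setPackets;   // the "set packets" value of the flow chart
    private final Map<String, Integer> perDestination = new HashMap<String, Integer>();
    private final Map<String, Integer> perProtocol = new HashMap<String, Integer>();
    private final Set<String> blocked = new HashSet<String>();
    private int dropped = 0;

    public DestinationMonitor(int setPackets) {
        this.setPackets = setPackets;
    }

    /** Returns true if the packet is dropped, false if it goes to the capture window. */
    public boolean handle(String protocol, String dst) {
        int n = increment(perDestination, dst);
        increment(perProtocol, protocol);
        // A destination is blocked when its captured IP matches the Webs table, or when the
        // number of packets seen for it reaches the set value. Once blocked it stays blocked
        // for the rest of the capture (a design choice of this example, not a page detail).
        if (WEBS.containsKey(dst) || n >= setPackets) {
            blocked.add(dst);
        }
        if (blocked.contains(dst)) {
            dropped++;
            return true;
        }
        return false;
    }

    private static int increment(Map<String, Integer> counts, String key) {
        Integer c = counts.get(key);
        int n = (c == null ? 0 : c) + 1;
        counts.put(key, n);
        return n;
    }

    public int dropped() { return dropped; }
    public Set<String> blocked() { return blocked; }
    public Map<String, Integer> protocolCounts() { return perProtocol; }  // feeds the graphs

    public static void main(String[] args) {
        DestinationMonitor m = new DestinationMonitor(3);
        // Constructed sample traffic as {protocol, destination IP} pairs.
        String[][] sample = {
            {"TCP", "198.51.100.5"}, {"TCP", "198.51.100.5"}, {"UDP", "198.51.100.5"},
            {"TCP", "198.51.100.5"},   // fourth packet to a destination already at the threshold
            {"TCP", "192.0.2.10"},     // listed in Webs: dropped on first sight
            {"ICMP", "203.0.113.7"}, {"ARP", "203.0.113.8"},
        };
        for (String[] s : sample) {
            boolean drop = m.handle(s[0], s[1]);
            System.out.println(s[0] + " -> " + s[1] + (drop ? "  DROPPED" : "  displayed"));
        }
        System.out.println("dropped=" + m.dropped() + " blocked=" + m.blocked()
                + " protocols=" + m.protocolCounts());
    }
}
```

The threshold here is a plain count over the whole capture, as in the flow chart; a deployment that wants to catch bursts rather than long-lived flows would reset the per-destination count each time window.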

[Figure 4.1 residue, flow chart steps: Start application; Select interface (wired/wireless); Read variables (x=TCP, z=UDP, y=ICMP, b=ARP, u=other, set packets); Is var x? Execute TCP request; Is var z? Execute UDP request; Is var y? Execute ICMP request; Is var b? Execute ARP request; Capture packets; Is no. of packets >= set packets? Drop packet; Capture statistics; Stop]
Figure 4.1: Flow Chart

4.2 Components of the Network Traffic Analysis Application


The system is made up of a number of modules, namely the Splash Panel, Welcome Window, Main Window, Graph Windows and Packet Capture Display Panel.

Front End

4.2.1 Splash Panel, Login Page and Welcome Window


When the application is started (run), the splash image is displayed first. This gives a view of what the application does and what it is meant for, as well as a copyright notice. The Welcome window illustrates a successful connection to the back end.
The login frame is then displayed to prompt the user to log in with a valid username and password. If the credentials are right the main window is displayed, but if they are wrong the application exits.
4.2.2 Main Window
Appendix 22 shows the Graphical User Interface used by the user to capture and monitor packets.
(a) Selecting Network Interface. The user can choose which interface to snoop, out of the two available interfaces: the Ethernet interface and the wireless interface.

(b) Selecting Protocol Type. By selecting the type of protocol to filter, the user snoops only packets of the filtered protocols. These include TCP, ARP, ICMP and UDP; two protocols can be filtered at a time.

(c) Start Capture Button. The system has a start snooping button that starts the snooping on the selected interface.

(d) Stop Capture Button. This button lets the user stop the snooping if he wishes to.

(e) Change Network Interface Button. The system has a button that enables the user to change the network interface to one of his choice.

(f) Clear All Button. This clears all the content that has been displayed after the snooping.

(g) About Button. This button displays brief information about the system and its developer.

(h) Help Menu Button. The system has a help menu with all the details on how to use the system. It can take the user through all the steps and the description of the output.

(i) Network Interface details JTextArea. This area displays the details of the selected interface: the name of the interface, MAC address, IP address, subnet mask and broadcast address.

(j) All Packets details JTextArea. This displays the packets snooped from the interface, their source and destination addresses, packet length, protocol, priority, sequence number and number of hops, plus the packets dropped.

Figure 4.3 shows the interface with the capture table. It is this GUI which displays the real-time capture of the network traffic.

4.2.3 The Line Graph component

This component displays the statistics of the packets captured in graphical form. It plots the number of packets captured per second, with the assumption that ten packets are captured every second. The lines displayed are for the protocols selected, for example TCP, ICMP and UDP respectively.

Appendix 4 shows a plot of IPv4, IPv6 and ARP packets captured from the Ethernet interface, showing a higher number of TCP packets being captured at some point.

Figure 4.5 Pie Chart.
Figure 5.5 shows a pie chart that displays the ratio of the different network layer protocol packets captured at a given time.

Back End
The back end of the application is the database, which was built using Microsoft Access 2003. It comprises tables, namely AdminLogin, which stores administrator usernames and passwords, and Webs, which stores Internet Protocol addresses mapped to the respective domain names.
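As an added example that is not the project's code, the AdminLogin table could hold a random salt and a PBKDF2 hash instead of the clear-text password, with the login query fetching only those two columns by username and the comparison done in Java rather than in SQL. Class and method names and the column names salt and hash are assumptions, and PBKDF2WithHmacSHA256 requires Java 8 or later.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not the project's code: salted PBKDF2 storage for the AdminLogin
// table. Column names salt and hash, and all method names, are assumptions.
public class AdminPasswordStore {
    private static final int ITERATIONS = 100000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    // The two columns that would replace the clear-text password column.
    public static final class Record {
        public final byte[] salt;
        public final byte[] hash;
        public Record(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(spec).getEncoded();
    }

    /** Run once when the administrator account is created or its password changed. */
    public static Record enrol(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);          // fresh random salt per record
        return new Record(salt, pbkdf2(password, salt));
    }

    /** Run at login: recompute with the stored salt and compare in constant time. */
    public static boolean verify(char[] password, Record stored) throws Exception {
        byte[] candidate = pbkdf2(password, stored.salt);
        boolean ok = MessageDigest.isEqual(candidate, stored.hash);
        Arrays.fill(candidate, (byte) 0);
        return ok;
    }

    /** The login query: only the username is bound into the SQL; the password is
     *  checked in Java, so it never appears in the query text or the database log. */
    public static boolean login(Connection con, String username, char[] password) throws Exception {
        PreparedStatement ps = con.prepareStatement(
                "SELECT salt, hash FROM AdminLogin WHERE username=?");
        ps.setString(1, username);
        ResultSet rs = ps.executeQuery();
        try {
            return rs.next() && verify(password, new Record(rs.getBytes("salt"), rs.getBytes("hash")));
        } finally {
            rs.close();
            ps.close();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-example-passphrase".toCharArray();
        Record r = enrol(pw);                         // what the INSERT into AdminLogin would store
        System.out.println("correct password accepted: " + verify(pw, r));
        System.out.println("wrong password accepted:   " + verify("wrong".toCharArray(), r));
        // Enrolling the same password again yields a different salt and therefore a different hash.
        System.out.println("same password, same hash:  " + Arrays.equals(r.hash, enrol(pw).hash));
        Arrays.fill(pw, '\0');                        // clear the secret once it is no longer needed
    }
}
```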

CHAPTER FIVE: CONCLUSIONS


5.0 INTRODUCTION
This chapter explains the challenges, suggestions and recommendations during the course of the
project.

5.1 Challenges
There were some challenges I faced during the course of the project.
Accessing information concerning the network topology, performance and the available tools used to monitor the network traffic: the administrators considered this information confidential.
The instability of the network connections made it hard to make a conclusive study of the network; the network was always going on and off.

Building a platform to capture packets from the local area or wireless network. This involved downloading the Java packet capture library (Jpcap), whose download was always interrupted, hence taking more time than planned.

Installing the Java packet capture library of classes into the JDK setup; some setups would get corrupted before installing.

5.2 Solutions to the Challenges


To access the information required and make a conclusive study of the network, I used standard tools like Wireshark and SolarWinds to get the desired information.
I downloaded the library (Jpcap) using a modem to ease the process.

To test the local area network, I used the TP3 laboratory for the wired network and the tech_staff network for the wireless network in my study.

5.3 Recommendations
Uganda Christian University being the case study for my research, I would like to recommend the following:

The university authority should facilitate the improvement of this application so that it can be used to monitor the network traffic, prompting the network administrators to take affirmative action only at the times it is needed.

From the study of the network topology, I recommend that the university eliminate the flat network and acquire different routers for each faculty in order to avoid network congestion and breaches of security.

I recommend that further research be made on how to block traffic automatically during network overload at peak hours. This would turn the system from a passive system into an active system.

The university should encourage students to develop applications that can improve service delivery at
the university. This will empower the faculty of science and technology to lead in technology
innovations.

5.4 Conclusion
Beginning with the research proposal and ending with the implementation of the project, this has been
an opportunity to discover my potential and be a part of the initiative to improve service delivery
through technology innovations.


APPENDICES

APPENDIX 1: Admin Login Code

This is the code for capturing packets from the network: the packets' source and destination addresses, protocol, hop and sequence number.

import java.awt.*;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Arrays;
import java.util.Date;
import javax.swing.*;

// Administrator login window. loginconn, JpcapDumper, Splash_1, JDPacketAnalyzerLoader
// and JDStatisticsTakerLoader are the project's own classes (not shown here).
public class JdcapLogin extends JFrame {
    Date now = new Date();
    JLabel username, password, time;
    JPasswordField pass;
    JTextField user;
    JButton Login, Cancel;
    Connection con;
    Dimension window = Toolkit.getDefaultToolkit().getScreenSize();

    public JdcapLogin() {
        super("ADMINISTRATOR LOGIN");
        this.getContentPane().setLayout(null); // components are placed with setBounds()
        this.setSize(370, 250);
        this.setResizable(false);
        this.setBackground(Color.red);
        this.setLocation((window.width - 700) / 2, (window.height - 450) / 2);
        this.setDefaultCloseOperation(EXIT_ON_CLOSE);

        username = new JLabel("USERNAME");
        password = new JLabel("PASSWORD");
        time = new JLabel("TODAY is: " + now + " ", JLabel.CENTER);
        user = new JTextField();
        pass = new JPasswordField();
        Login = new JButton("LOGIN");
        Cancel = new JButton("CANCEL");

        username.setBounds(40, 30, 100, 25);
        password.setBounds(40, 65, 100, 25);
        time.setBounds(20, 105, 330, 25);
        user.setBounds(150, 30, 160, 25);
        pass.setBounds(150, 65, 160, 25);
        Login.setBounds(70, 150, 100, 25);
        Cancel.setBounds(190, 150, 100, 25);

        this.add(username);
        this.add(password);
        this.add(time);
        this.add(user);
        this.add(pass);
        this.add(Login);
        this.add(Cancel);

        ButtonListener listener = new ButtonListener();
        Login.addActionListener(listener);
        Cancel.addActionListener(listener);

        // Connect to the Access back end before the window is shown.
        con = loginconn.getDBConnection();
        if (con == null) {
            JOptionPane.showMessageDialog(null,
                    "Error on establishing database connection",
                    "Error", JOptionPane.ERROR_MESSAGE);
            this.dispose();
        } else {
            JOptionPane.showMessageDialog(null,
                    "WELCOME TO UCU \n NETWORK PACKET ANALYZER", null,
                    JOptionPane.INFORMATION_MESSAGE);
        }
    } // constructor closed

    public void login() {
        String username = user.getText();
        char[] password = pass.getPassword();
        // Parameterised query: the typed values are bound to the ? placeholders and never
        // concatenated into the SQL text, so they cannot change the query's structure.
        // Passwords are still compared as stored in AdminLog; a salted hash is safer than clear text.
        String SQL = "SELECT username FROM AdminLog WHERE username=? AND password=?";
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try {
            stmt = con.prepareStatement(SQL);
            stmt.setString(1, username);
            stmt.setString(2, new String(password));
            rs = stmt.executeQuery();
            if (rs.next()) {
                this.dispose();                         // close the login window only on success
                Splash_1 t = new Splash_1(9000, true);  // splash screen
                Class.forName("jpcap.JpcapCaptor");     // fails early if Jpcap is not installed
                JDPacketAnalyzerLoader.loadDefaultAnalyzer();
                JDStatisticsTakerLoader.loadStatisticsTaker();
                JpcapDumper r = new JpcapDumper();
                r.loadProperty();
                r.openNewWindow();
            } else {
                JOptionPane.showMessageDialog(null,
                        "The system could not log you in.\n"
                        + " Please make sure your username and password are correct",
                        "Login Failure", JOptionPane.INFORMATION_MESSAGE);
                user.setText("");
                pass.setText("");
                user.requestFocus();
            }
        } catch (Exception ex) {
            JOptionPane.showMessageDialog(null, "Error on login operation",
                    "Login Error", JOptionPane.ERROR_MESSAGE);
        } finally {
            Arrays.fill(password, '\0');   // do not leave the password lying around in memory
            try {
                if (rs != null) rs.close();
                if (stmt != null) stmt.close();
            } catch (Exception ignore) {
            }
        }
    }

    private class ButtonListener implements ActionListener {
        public void actionPerformed(ActionEvent e) {
            if (e.getSource() == Login) {
                if (user.getText().trim().length() == 0) {
                    JOptionPane.showMessageDialog(null, "Enter username",
                            "Missing field", JOptionPane.DEFAULT_OPTION);
                    user.requestFocus();
                    return;
                }
                if (pass.getPassword().length == 0) {
                    JOptionPane.showMessageDialog(null, "Enter password",
                            "Missing field", JOptionPane.DEFAULT_OPTION);
                    pass.requestFocus();
                    return;
                }
                login();
            } else if (e.getSource() == Cancel) {
                System.exit(0);
            }
        } // actionPerformed() closed
    } // ButtonListener class closed
}

APPENDIX 2: HTTP Analyzer


import jpcap.packet.*;
import java.util.*;
import java.io.*;

// Application-layer analyzer for the project's JDPacketAnalyzer framework
// (JDPacketAnalyzer supplies the layer field and the APPLICATION_LAYER constant).
public class HTTPAnalyzer extends JDPacketAnalyzer {
    private static final String[] valueNames = { "Method", "Header" };
    String method;
    Vector<String> headers = new Vector<String>();

    public HTTPAnalyzer() {
        layer = APPLICATION_LAYER;
    }

    // Port-based heuristic: only TCP segments to or from port 80 are treated as HTTP,
    // so HTTP on other ports is missed and non-HTTP traffic on port 80 is still examined.
    public boolean isAnalyzable(Packet p) {
        if (!(p instanceof TCPPacket)) return false;
        TCPPacket t = (TCPPacket) p;
        return t.src_port == 80 || t.dst_port == 80;
    }

    public String getProtocolName() {
        return "HTTP";
    }

    public String[] getValueNames() {
        return valueNames;
    }

    public void analyze(Packet p) {
        method = "";
        headers.removeAllElements();
        if (!isAnalyzable(p)) return;

        try {
            // Decode as ISO-8859-1 so every byte maps to one character whatever the platform charset.
            BufferedReader in = new BufferedReader(
                    new StringReader(new String(p.data, "ISO-8859-1")));

            method = in.readLine();
            if (method == null || method.indexOf("HTTP") == -1) {
                // this packet doesn't contain an HTTP header
                method = "Not HTTP Header";
                return;
            }

            String l;
            // Read header lines up to the blank line. The null check stops at end of data when
            // the segment holds only part of the header block (otherwise .length() on a null
            // line would throw NullPointerException).
            while ((l = in.readLine()) != null && l.length() > 0)
                headers.addElement(l);
        } catch (IOException e) {
            // ISO-8859-1 is always supported and StringReader does not fail, so not expected
        }
    }

    public Object getValue(String valueName) {
        if (valueNames[0].equals(valueName)) return method;
        if (valueNames[1].equals(valueName)) return headers;
        return null;
    }

    Object getValueAt(int index) {
        if (index == 0) return method;
        if (index == 1) return headers;
        return null;
    }

    public Object[] getValues() {
        Object[] values = new Object[2];
        values[0] = method;
        values[1] = headers;
        return values;
    }
}
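An added stand-alone parser for the same header block, not part of the project or of Jpcap, showing the cases the port-80 and indexOf("HTTP") checks above cannot separate: a request, a response, a segment cut off before the blank line, a non-HTTP payload that merely contains the word HTTP, and binary (TLS) bytes on port 80. Class and field names are assumptions and the sample payloads are constructed.

```java
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.List;

// Added example, not the project's code: parses the HTTP start line and header block
// from a raw TCP payload. Names are assumptions; sample payloads are constructed.
public class HttpHeaderParser {
    public enum Kind { REQUEST, RESPONSE, NOT_HTTP }

    public static final class Result {
        public Kind kind = Kind.NOT_HTTP;
        public String startLine = "";
        public final List<String> headers = new ArrayList<String>();
        // true only when the blank line that ends the header block was seen; when false the
        // last header may itself be cut off at the segment boundary
        public boolean complete = false;
        public String toString() {
            return kind + " [" + startLine + "] headers=" + headers.size() + " complete=" + complete;
        }
    }

    private static final Charset LATIN1 = Charset.forName("ISO-8859-1");
    private static final String METHODS = "GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH";

    public static Result parse(byte[] payload) {
        Result r = new Result();
        if (payload == null || payload.length == 0) return r;
        String text = new String(payload, LATIN1);      // one char per byte, no decoding surprises
        String[] lines = text.split("\r\n", -1);        // -1 keeps a trailing empty element
        String first = lines[0];
        // Match the grammar of a start line instead of searching for the substring "HTTP".
        if (first.matches("(" + METHODS + ") \\S+ HTTP/\\d\\.\\d")) {
            r.kind = Kind.REQUEST;
        } else if (first.matches("HTTP/\\d\\.\\d \\d{3}.*")) {
            r.kind = Kind.RESPONSE;
        } else {
            return r;   // no HTTP start line: body data, another protocol, or binary
        }
        r.startLine = first;
        for (int i = 1; i < lines.length; i++) {
            if (lines[i].length() == 0) {          // empty line: end of the header block
                r.complete = true;
                break;
            }
            if (lines[i].indexOf(':') < 1) break;   // malformed header line: stop rather than guess
            r.headers.add(lines[i]);
        }
        return r;
    }

    public static void main(String[] args) {
        // Constructed sample payloads, as they might appear in successive TCP segments.
        byte[][] samples = {
            "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n".getBytes(LATIN1),
            "POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: applica".getBytes(LATIN1),
            "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello".getBytes(LATIN1),
            "Hello HTTP fans\r\n".getBytes(LATIN1),     // contains "HTTP" but is not a start line
            new byte[] {0x16, 0x03, 0x01, 0x00, 0x05},   // first bytes of a TLS record on port 80
        };
        for (byte[] s : samples) {
            System.out.println(parse(s));
        }
    }
}
```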

APPENDIX 3: Select Network Dialog Box

APPENDIX 4: Line Graph
