ANALYZING TRAFFIC ON A NETWORK USING NETLOG SERVER

Shreyak Garg1, Vaibhav Jain1, Shweta Bhardwaj1 Amity University, Noida, Uttar Pradesh shreyak.garg@gmail.com, vaib2033@gmail.com, sbhardwaj1@amity.edu Abstract Tcpdump is a network monitoring application in Linux that is used for packet sniffing. It takes the record of all the
traffic those have visited on the server. But the output it gives is not in a very synergizing form. This paper gives an idea of tcpdump and a way of gathering meaningful information from the synthesized tcpdump output. Further, the implementation of the entire project is undertaken in Linux environment through its popular command line interface- Terminal.

Keywords: tcpdump, libpcap, awk, packet, sniffing, mySql, php, Xampp

1. Introduction
Network Sniffing is the concept that involves monitoring of the values coming and going out of the network server with the aim of extracting useful information and keeping the server working. This prevents the server from any malicious attempt of hacking. Tcpdump scans the packets passing to and from the network, and shows each transaction made by the network. It captures the packets by listening to the packet filter of the host. This command is bundled as a part of libpcap library. Libpcap is a feature that comes bundled with the operating system. Developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory, libpcap is a standard library for packet capture which was initially developed for use with the BPF (Berkeley Packet Filter). [2] The only issue is that the output is cumbersome for the end-user to comprehend[1]. The valuable information must be extracted to maintain the integrity of the network. This paper gives an insight as to how this command can be implemented. Netlog server is a tool made for the analysis of the traffic on the server. Actually in this front end tool the traffic is regulated by analyzing it. By this tool we can read and search the information stored in the database which takes the input directly from the tcpdump. Through this tool, one can look on the server that the traffic is coming on which server and from where? The owner can make analysis of which port, through which protocol and from which IP the communication is taking place. Here, the data used for this analysis consists of headers of 13507 packets which were captured and stored into a 300 Kilobyte file over a thirteen second period. The time period spanned from 09:14:52 pm to 09:15:05 pm.

2. Methodology
The basic idea to make the Netlog Server tool was for network sniffing [12]. In this, the application named tcpdump is used which came in tool box with Linux and is basically used for the packet sniffing. The output from the tcpdump is taken in time intervals and is kept in the temporary files. Then Linux shell scripting is used to make them written in the mysql database. So by this, the database is ready and now all our data stored in database. Then php is used as the front end thing to make the results displayed and things are searched in mysql. By the php an interface is provided to operate thing in this project and how to make the things go in this project. By these methods, the user interface to the tcpdump is provided and there are easy regulations for the traffic on the server. The two command tcpdump and awk form the basis of this tool each of which is described below: Syntax of tcpdump command[9]: tcpdump [options] [expression] Following is a list of options that are available: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -y datalink type ] [ -Z user ]

[ 'expression' ] -e Display the data link/ethernet header layer. -F Filter expression in file. -i Listen on specific interface only -n Don't resolve DNS names -nn Don't resolve DNS names or Port names -r Read packets from file -s Get snaplen bytes from each packet -S Print absolute sequence numbers -t No timestamp -v, -vv, -vvv Verbosity (can be used multiple times for increased verbosity) -w Write captured packets to a file -x Display packets in hex -X Display packets in ascii & hex Syntax of awk command[11]: awk 'pattern {action}' input-file > output-file

Fig 1. Diagrammatic representation of netlog tool

3. Analysis 3.1 A Sample Packet

Let's take a look at a typical packet you might capture using tcpdump. This output was captured without any command-line options given to tcpdump. 22:26:07.157728 IP 91.189.89.76.443 > 192.168.42.31.48256: Flags [P.], seq 2839131016:2839131106, ack 2649204596, win 79, options [nop,nop,TS val 466570176 ecr 448426], length 90 This packet is a download session from a web server. After breaking the packet into more detail, we get:

Fig 2. Packet Analysis[3] Notice the source port is 443, ie https://. Therefore, this is a web session. Notice that the source and destination addresses are unresolved. One can restrict the output to show IP addresses and numbers instead of the resolved host name (use the -n option) or cannot show some things such as the time (use the -t option). 3.2 Algorithm For Shell Scripting[8] Steps: Prepare and run a shell script code in Terminal on the basis of the following: a Select a suitable time interval t b Input time from user as a multiple of t c For each multiple of t, run tcpdump command and store the output in a separate numbered file. The options used with the command are -n (avoid DNS conversion), -i any (selects the interface, any states that all available interfaces must be listened to. d Create a database using mySql in Xampp to store the entries. e Run awk command for each of the entries in the tcpdump output file and store the separate entities like time, source address & port, destination address & port etc into separate files for easy access. All the entries should be numbered in such a way that they correspond to other entries in corresponding files. f Link php page to the database and input query from user. g Find the corresponding match and display it to user.

4. Results and Discussion

Fig 3. Output of shell script The following output displays the output of tcpdump command for different time intervals as required by the user. The data as acquired by tcpdump is as it is taken and saved in a file. The file strictly follows the format of a typical packet captured using tcpdump. This data includes time instant, source address & port, direction of traffic, destination address & port, sequence number, acknowledgement number, window size, bytes required by packet and other options. The data can be stored in multiple files if the user wishes to analyze data for larger amount of time. It is then this file which is made accessible to the database and acquires its data from it. The data from this file is organized in relational form with suitable labels for each field.

Fig 4. Extracted entries from database as per user preference Figure 4 shows a user interface php page that displays the entries from the database according to users preference. The user can choose from various options like Source ip, Source Port, Destination ip and Destination Port. The figure gives details pertaining to a particular Destination ip: 182.79.253.143. All the entries are arranged in a periodical order with the earliest entries in the beginning. If the user does not choose any option, all the entries in the database are shown to the user.

5. References:
[1] tcpdump/libpcap, http.//www.tcpdump.org/ [2] M.A Qadeer, M. Zahid, A.Iqbal, M.Siddiqui, Network Traffic Analysis and Intrusion Detection using Packet Sniffer, 2010 Second International Conference on Communication Software and Networks. [3] Interpreting TCPDUMP Output, http://www.process.com/techsupport/multinet/788/6.html [4] S. Ansari, Rajeev S.G. and Chandrasekhar H.S, Packet Sniffing: A brief Introduction, IEEE Potentials, Dec 2002- Jan 2003, Volume:21, Issue:5 [5] A. Bagri, M. Mundhra, A. Pathak, B. Raman, WiFiDump - A Novel Architecture for Wireless Network Debugging [6] Daiji Sanai, Detection of Promiscuous Nodes Using ARP Packet, http://www.securityfriday.com/ [7] Yurcik, William ; Woolam, Clay ; Hellings, Greg ; Khan, Latifur; Thuraisingham, Bhavani M., SCRUBtcpdump: A multi-level packet anonymizer demonstrating privacy/analysis tradeoffs, in Security and Privacy in Communications Networks and the Workshops, 2007. SecureComm 2007. [8] tcpdump tutorial, danielmiessler.com/study/tcpdump/ [9] tcpdump Mikiwiki, mikiwiki.org/wiki/tcpdump [10] linux-wlan Project, http://www.linux-wlan.org [11] Arnold Robbins, Nelson H.F. Beebe, Classic Shell Scripting, OReilly, 2005 [12] A Growing Trend: Systematic Surveillance, http://computer.howstuffworks.com/workplace-surveillance1.htm. [13] Andrew S. Tanenbaum, Computer Networks, Third Edition, Prentice Hall International Editions, 1996. [14] Van Jacobson, Craig Leres and Steven McCanne, tcpdump, Lawrence Berkeley National Laboratory, 1991, http://www.nrg.ee.lbl.gov/. [15] Dilip Antony Joseph, Vern Paxson, Sukun Kim, tcpdump Tutorial, EE122 Fall 2006. [16] Network Analyzer for Ethernet Networks Reference Manual, Novell, Inc, September 1990 [17] V. Jacobson, C. Leres, and S McCanne, Tcpdump, June 1989, Available via anonymous FTP from ftp.ee.lbl.gov. [18] Wan, Ming-Han ; Horng, Mong-Fong F., An Intelligent Monitoring System for Local-AreaNetwork Traffic, in Intelligent Systems Design and Applications, 2008. [19] S. Ansari, Rajeev S.G. and Chandrasekhar H.S, "Packet Sniffing: A brief Introduction", IEEE Potentials, Dec 2002-Jan 2003, Volume:21, Issue:5 [20] Joseph, D. A., Paxson, V., & Kim, S. (2006). tcpdump Tutorial. University of California.