Network Traffic Analyzer Project 05082013054125 Network Trafffic Analyser
Summer Training
Date:- 03/06/2013 to 29/06/2013
Project on
Network Traffic Analyser
Submitted By:-
Abstract:-
The rapid growth of Internet traffic has emerged as a major issue due to the rapid
development of various network applications and Internet services. One of the
challenges facing Internet Service Providers (ISPs) is to optimize the performance
of their networks in the face of continuously increasing amounts of IP traffic while
guaranteeing some specific Quality of Service (QoS). It is therefore necessary for
ISPs to study the traffic patterns and user behaviour in different localities, to
estimate the application usage trends, and thereby to come up with solutions that
can effectively, efficiently, and economically support their users' traffic.
The main objective of this thesis is to analyze and characterize traffic in a local
multi-service residential IP network in Sweden (referred to in this report as
"Network North"). The amount of traffic was measured using a real-time
traffic-monitoring tool from Packet Logic. Traffic from the monitored network to
various destinations was captured and classified into 5 ring-wise locality levels
according to the traffic's geographic destination: traffic within Network North and
traffic to the remainder of the North of Sweden, Sweden, Europe, and the World.
Parameters such as traffic patterns (e.g., traffic volume distribution, application
usage, and application popularity) and user behaviour (e.g., usage habits, user
interests, etc.) at different geographic localities were studied in this project. As a
result of a systematic and in-depth measurement, and because the number of content
servers at the World, Europe, and Sweden levels is quite large, we recommend that
an intelligent content distribution system be positioned at Level 1 localities in order
to reduce the amount of duplicate traffic in the network and thereby remove this
traffic load from the core network.
The results of these measurements provide a temporal reference for ISPs of their
present traffic and should allow them to better manage their network. However,
the analysis was limited by the set of available daily traffic traces. To provide a
more trustworthy solution, a longer-term, periodic, and seasonal traffic analysis
could be done in the future based on the established measurement framework.
CERTIFICATE
SDE (TF)
ARTTC Ranchi
Acknowledgements:-
First and foremost, I would like to express my sincere gratitude to my
lecturer and SDE in charge, BSNL Ranchi, Mr. Ranjan Kumar Ram, for the
valuable guidance which inspired me throughout the whole thesis work. Without
his consistent, precise and illuminating feedback and suggestions, this thesis could
not have reached its present form. I cherished every comment from him, which was vital
for me to improve my work, and will be for any future study.
Furthermore, I would like to thank Sir G. Manjhi, SDE in charge, BSNL
Ranchi, for his advice and for sharing his knowledge during this project work. In
addition, I want to show my special appreciation to my parents. Thank you for
always standing behind me. I could not have succeeded without your understanding and
encouragement.
Finally, I would like to thank all my group members who helped me
during the entire project.
Introduction:-
Internet traffic has been constantly increasing with the revolutionary
developments in communication networks and applications. Global IP traffic is
predicted to increase threefold over the next 5 years according to Cisco's global IP
traffic forecast for 2011–2016 [1]. The diversified development of communication
methods has not only increased demand for Internet access, but also brought
heavier network traffic loads. As revealed in [1], most IP traffic originating from
PC devices will continue to generate increasing traffic loads, while the traffic
generated by non-PC devices will double in the next few years.
The greatly increased user demands have caused the Internet to evolve from an
esoteric niche into a mainstream market. Internet service providers (ISPs), on the
one hand, have realized the business opportunities and rapidly developed a wide
variety of network applications and Internet services, which in turn brought in
considerable revenue while generating increasing traffic loads. On the other hand,
ISPs are burdened by the traffic stress associated with offering various services.
Therefore, there is a need to consider potential network management solutions.
The question of how to avoid traffic bottlenecks constantly occupies ISPs. An
efficient way to address network traffic issues is to monitor network performance
based upon real-time, continuous data collection, and, by understanding the
network traffic patterns, to propose effective and economical solutions to support
the expected traffic.
ISPs connect end users to the Internet. Additionally, these ISPs exchange traffic
with other ISPs so that the users connected to different ISPs can communicate
with each other. This is called interconnection [2]. The growing amount of
network traffic transiting the Internet has required tremendous expenditure by
ISPs. However, the ISPs want to minimize the cost of operating their business.
A common way to reduce network traffic and cost for ISPs is peering between
two or among several ISPs [3]. Figure 1-1 shows the basic topology of these
network interconnections, in which transit and peering are the two main
functions.
Transit is a simple service that forwards packets from a user to the upstream
ISP, and the upstream ISP decides where these packets should be forwarded
based upon entries in its routing table. ISPs must pay certain fees to obtain
access to the upstream ISP's routing [4]. When two service providers have nearly
the same network scale, cost, and traffic volume, it is unnecessary for each of
them to pay a transit fee in both directions, as they would be paying each other
equal amounts of money. In this case the service providers will implement a
peering solution.
Problem Statement :
Design software which can analyse the traffic in the network. It should provide
an interface by which one can filter packets using different criteria such as
protocol, source address, port, etc.
Understanding of the problem:
We are asked to analyze the traffic in the network. We are also asked to filter the
packets using different criteria such as protocol, source address, etc. These can be
easily achieved if we can
1. Capture all the packets that are flowing through the network interface, and
2. Capture these packets as a whole, i.e. before the stripping of headers begins
(our packet should contain the data along with all the headers).
Tools Used:
1. Raw socket programming (sniffing) in C for capturing and filtering the
packets.
2. GTK, a C library, for building the Graphical User Interface (GUI).
Problem formulation:
The picture given above explains the stripping of the packet clearly:
How to solve the problem:
Promiscuous Mode:
Tells the network driver to accept all packets irrespective of whom the
packets are addressed to.
We can do this on a UNIX system by using the ifconfig utility: `ifconfig
<interface name> promisc' (try `sudo ifconfig <interface name> promisc' if
`ifconfig <interface name> promisc' does not work).
Raw Sockets:
Raw sockets provide a way to bypass the whole network stack traversal of a
packet and deliver it directly to an application.
We will concentrate on the PF_PACKET interface for creating raw sockets.
Coding:
Sniffer.h
/*
Group Members:
* Shubham Toshniwal
* Sanjay Kumar
* Guruprasad Nayak
* A Chaitanya
*/
#include<linux/if_packet.h>
#include<linux/if_ether.h>
#include<stdio.h>
#include<stdlib.h>
#include<sys/socket.h>
#include<features.h>
#include<errno.h>
#include<sys/ioctl.h>
#include<net/if.h>
#include<string.h>
#include <time.h>
// Fills the fields of the "pack" structure in case of ARP and returns 1 if all the fields required by the user are satisfied
int PrintPacketInformation_ARP(unsigned char *, int);
// Dump the hex code of the packet into the hex_dump field of "pack"
void Printhexdump(unsigned char *, int);
sniffer.c
#include "sniffer.h"
// Global variables
// Packet sniffer that takes as argument the name of the interface on which traffic is to be analysed
int main(int argc, char **argv)
{
    // declaration of variables
    int rawsock;                 // raw socket descriptor
    int len;                     // length of packet
    int proto;
    int state = 1;               // continue sniffing packets till state != 0
    char buffer[MAXLENGTH];
    struct sockaddr_ll sll;      // link-layer socket address
    struct ifreq req;            // structure required to request a particular interface for socket ioctl commands
    int t;                       // whether the captured packet matched the user's filters
    struct timeval tv1, tv2;     // used to calculate the arrival time of a packet relative to the start of the capture
    count_printed = 0;
    // Set the protocol family to be captured in the protocol field of the socket
    // All protocols
    if (strcmp(protocol,"all") == 0)
        proto = ETH_P_ALL;
    // IPv4 Protocol
    if (strcmp(protocol,"ipv4") == 0 || strcmp(protocol,"ipv4|udp") == 0 ||
        strcmp(protocol,"ipv4|tcp") == 0 || strcmp(protocol,"ipv4|icmp") == 0)
        proto = ETH_P_IP;
    // IPv6 Protocol
    if (strcmp(protocol,"ipv6") == 0 || strcmp(protocol,"ipv6|udp") == 0 ||
        strcmp(protocol,"ipv6|tcp") == 0 || strcmp(protocol,"ipv6|icmp") == 0)
        proto = ETH_P_IPV6;
    // ARP Protocol
    if (strcmp(protocol,"arp") == 0)
        proto = ETH_P_ARP;
    /*
     * Only root can run this line, because only root has the capability to open packet sockets
     * (that is why we CAN RUN THIS CODE ONLY WITH ROOT PERMISSIONS).
     * Packet sockets with socket_type SOCK_RAW allow us to bypass the network stack so that
     * the packet is delivered to us directly (without any header stripped off).
     * The PF_PACKET interface allows us to send/receive packets directly at the device driver
     * level, thus all packets received will be complete with header and data.
     * The third argument of socket() specifies the protocol whose packets are to be filtered.
     */
    bzero(&sll, sizeof(sll));
    bzero(&req, sizeof(req));
    sll.sll_family = AF_PACKET;
    /* To bind the socket to an interface, we need to set the sll_ifindex field of the
       sockaddr_ll structure to the interface index of the device */
    sll.sll_ifindex = req.ifr_ifindex;
    sll.sll_protocol = htons(proto);
    // Record this time, i.e. the time just before we start capturing the packets
    gettimeofday(&tv1, NULL);
        if (count_printed == MAX_PACKETS)
            // Stop printing the packets beyond MAX_PACKETS
            state = 0;
        sprintf(packet_struct[count_printed].less_relevant,"Frame Size : %d bytes \n",len);
        // Call the function to put the relevant details into the packet fields
        t = PrintPacketInformation(buffer, len);
        // Packet has been received successfully and is according to the filters set by the user!!
        if (t)
        {
            packet_struct[count_printed].size = len;
            packet_struct[count_printed].index = count_printed + 1;
            packet_struct[count_printed].arrival_time = ((double)(tv2.tv_usec - tv1.tv_usec)/1000000 + (double)(tv2.tv_sec - tv1.tv_sec));
            Printpacket();
            Printhexdump(buffer,len);
            count_printed ++;
        }
        else
        {
            // Clear the slot we just filled (not packet_struct[0]) so a rejected packet leaves no stale fields
            bzero(&packet_struct[count_printed],sizeof(pack));
        }
    }
    shutdown(rawsock,2);
    return 0;
}
// Converts one hexadecimal digit to its value; returns 0 for a non-hex character
int xtod(char c) {
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'A' && c <= 'F')
        return c - 'A' + 10;
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return 0; // Not a hexadecimal digit
}
void Printpacket(){
    printf("\n............Packet Information starts here.........\n\n");
    printf("Index : %d Time : %f Source : %s Destination : %s Protocol : %s Info : %s \nEncapsulation : %s\nLess Relevant : %s",
           packet_struct[count_printed].index, packet_struct[count_printed].arrival_time,
           packet_struct[count_printed].source, packet_struct[count_printed].destination,
           packet_struct[count_printed].protocol, packet_struct[count_printed].relevant,
           packet_struct[count_printed].protocol_hierarchy, packet_struct[count_printed].less_relevant);
    printf("\n............Packet Information ends here.........\n\n");
}
    // Temporary Storage
    int size = 100;
    char temp[5];
    char temp1[size];
    char temp2[size];
    sprintf(temp,"%02x",packet[14]);
    IP_header_length = xtod(temp[1]);      // low nibble of byte 14 is the IHL (in 32-bit words)
    IP_header_length = 4*IP_header_length;
    // Relevant to UDP: the UDP header starts right after the IP header
    bzero(temp,5);
    // Source port is bytes 0-1 of the UDP header (the original read packet[35 + IP_header_length], the wrong byte)
    sprintf(temp,"%02x%02x",packet[14 + IP_header_length],packet[15 + IP_header_length]);
    s_port = hextoint(temp,4);
    sprintf(packet_struct[count_printed].relevant,"Source Port : %d",s_port);
    bzero(temp,5);
    sprintf(temp,"%02x%02x",packet[16 + IP_header_length],packet[17 + IP_header_length]);
    d_port = hextoint(temp,4);
    if (d_port == 2008) {
        strcat(packet_struct[count_printed].relevant," Destination Port : terminaldb");
        return;
    }
    // Simple Service Discovery Protocol -
    strcat(packet_struct[count_printed].protocol_hierarchy,":SSDP");
    if (s_port == 1900)
        sprintf(packet_struct[count_printed].relevant,"NOTIFY * HTTP/1.1");
    else
        strcat(packet_struct[count_printed].relevant," M-SEARCH * HTTP/1.1");
    return;
    }
    else {
        // Append in place; sprintf(buf,"%s...",buf,...) with the same buffer as source and destination is undefined behaviour
        sprintf(packet_struct[count_printed].relevant + strlen(packet_struct[count_printed].relevant)," Destination Port : %d",d_port);
        return;
    }
}
void PrintPacketInformation_UDP_IPv6(unsigned char *packet,int len)
{
    int s_port;
    int d_port;
    char temp[5];
    bzero(temp,5);
    // The IPv6 header is a fixed 40 bytes, so the UDP header starts at byte 54
    sprintf(temp,"%02x%02x",packet[54],packet[55]);
    s_port = hextoint(temp,4);
    sprintf(packet_struct[count_printed].relevant,"Source Port : %d",s_port);
    bzero(temp,5);
    sprintf(temp,"%02x%02x",packet[56],packet[57]);
    d_port = hextoint(temp,4);
    /* The WS-Discovery protocol uses UDP port 3702. The multicast address used is
       239.255.255.250 on IPv4 networks and [FF02::C] on IPv6 networks. WS-Discovery uses
       SOAP over UDP multicast to let services be discovered by a client */
    if (d_port == 3702){
        strcat(packet_struct[count_printed].relevant," Destination Port : ws-discovery");
        return;
    }
    if (d_port == 2008) {
        strcat(packet_struct[count_printed].relevant," Destination Port : terminaldb");
        return;
    }
    else {
        sprintf(packet_struct[count_printed].relevant + strlen(packet_struct[count_printed].relevant)," Destination Port : %d",d_port);
        return;
    }
}
    char temp[5];
    int window_size;
    int IP_header_length;
    int s_port;
    int d_port;
    int time_to_live;
    // Header length field - the check is necessary because the IPv4 header is not always 20 bytes
    sprintf(temp,"%02x",packet[14]);
    IP_header_length = xtod(temp[1]);
    IP_header_length = 4*IP_header_length;
    bzero(temp,5);
    sprintf(temp,"%02x%02x",packet[14 + IP_header_length],packet[15 + IP_header_length]);
    s_port = hextoint(temp,4);
    bzero(temp,5);
    sprintf(temp,"%02x%02x",packet[16 + IP_header_length],packet[17 + IP_header_length]);
    d_port = hextoint(temp,4);
    strcat(packet_struct[count_printed].protocol_hierarchy,":FTP");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":Echo");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":Telnet");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":IMAP");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":HTTP");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":Pop3");
    }
    // Check for https
    else if (s_port == 443){
        sprintf(packet_struct[count_printed].protocol,"HTTPS");
        strcat(packet_struct[count_printed].protocol_hierarchy,":HTTPS");
    }
    bzero(temp,5);
    sprintf(temp,"%02x",packet[22]);                 // IPv4 TTL: byte 8 of the IP header
    time_to_live = hextoint(temp,2);
    bzero(temp,5);
    // TCP window: bytes 14-15 of the TCP header
    sprintf(temp,"%02x%02x",packet[28 + IP_header_length],packet[29 + IP_header_length]);
    window_size = hextoint(temp,4);
    char temp[5];
    int window_size;
    int s_port;
    int d_port;
    int time_to_live;
    bzero(temp,5);
    // Fixed 40-byte IPv6 header: the TCP header starts at byte 54
    sprintf(temp,"%02x%02x",packet[54],packet[55]);
    s_port = hextoint(temp,4);
    bzero(temp,5);
    sprintf(temp,"%02x%02x",packet[56],packet[57]);
    d_port = hextoint(temp,4);
    strcat(packet_struct[count_printed].protocol_hierarchy,":FTP");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":Echo");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":SSH");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":Telnet");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":IMAP");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":HTTP");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":Pop3");
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":HTTPS");
    }
    bzero(temp,5);
    // IPv6 hop limit is byte 7 of the IPv6 header, i.e. frame byte 21 (the original read packet[42], which lies inside the destination address)
    sprintf(temp,"%02x",packet[21]);
    time_to_live = hextoint(temp,2);
    bzero(temp,5);
    sprintf(temp,"%02x%02x",packet[68],packet[69]);   // TCP window: bytes 14-15 of the TCP header
    window_size = hextoint(temp,4);
char temp[5];
int IP_header_length;
int type; // Type of ICMP request
// Not so relevant
bzero(temp,5);
sprintf(temp,"%02x",packet[14]);
IP_header_length = xtod(temp[1]);
IP_header_length = 4*IP_header_length;
bzero(temp,5);
sprintf(temp,"%02x",packet[14 + IP_header_length]);
type = hextoint(temp,2);
if (type == 0) {
sprintf(packet_struct[count_printed].relevant,"Echo reply");
return;
}
if (type == 8) {
sprintf(packet_struct[count_printed].relevant,"Echo request");
return;
}
    if (type == 9) {
        sprintf(packet_struct[count_printed].relevant,"Router discovery/selection/solicitation");
        return;
    }
    else {
        sprintf(packet_struct[count_printed].relevant,"ICMP packet of type %d\n",type);
        return;
    }
}
char temp[5];
int type; // Type of ICMP request
// Not so relevant
bzero(temp,5);
sprintf(temp,"%02x",packet[54]);
type = hextoint(temp,2);
if (type == 128) {
sprintf(packet_struct[count_printed].relevant,"Echo Request");
return;
}
if (type == 129) {
sprintf(packet_struct[count_printed].relevant,"Echo Reply");
return;
}
    if (type == 133) {
        strcat(packet_struct[count_printed].protocol_hierarchy,":NDP");
        sprintf(packet_struct[count_printed].protocol,"NDP");
        sprintf(packet_struct[count_printed].relevant,"Router Solicitation");
        return;
    }
    if (type == 134) {
        sprintf(packet_struct[count_printed].relevant,"Router Advertisement");
        return;
    }
    if (type == 135) {
        sprintf(packet_struct[count_printed].relevant,"Neighbour solicitation");
        return;
    }
    else {
        sprintf(packet_struct[count_printed].relevant,"ICMPv6 packet of type %d\n",type);
        return;
    }
}
    char opcode[5];     // "0001"/"0002" plus the terminating NUL (a 3-byte buffer overflows)
    // Temporary Storage
    int size = 100;
    char temp1[size];
    char temp2[size];
    sprintf(opcode,"%02x%02x",packet[20],packet[21]);   // ARP opcode: bytes 6-7 of the ARP body
    if (strcmp(opcode,"0001")==0){
        // ARP Request
        // Destination MAC
        bzero(temp1,size);
        bzero(temp2,size);
        sprintf(temp1,"Destination MAC address: ");
        sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[0], packet[1], packet[2], packet[3], packet[4], packet[5]);
        if ((strcmp(destination_MAC,"") != 0) && (strcmp(destination_MAC,temp2) != 0))
            return 0;
        sprintf(packet_struct[count_printed].less_relevant,"%s%s\n",temp1,temp2);
        // Source MAC
        bzero(temp1,size);
        bzero(temp2,size);
        sprintf(temp1,"Source MAC address: ");
        sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[6], packet[7], packet[8], packet[9], packet[10], packet[11]);
        if ((strcmp(source_MAC,"") != 0) && (strcmp(source_MAC,temp2) != 0))
            return 0;
        // Append with strcat: sprintf(temp1,"%s%s",temp1,...) overlaps source and destination (undefined behaviour)
        strcat(temp1,temp2);
        strcat(temp1,"\n");
        strcat(packet_struct[count_printed].less_relevant,temp1);
        // Source
        sprintf(packet_struct[count_printed].source,"%s",temp2);
        // Source IP - compare (an empty filter matches every address, as in the IPv4 path)
        bzero(temp2,size);
        sprintf(temp2,"%d.%d.%d.%d",packet[28],packet[29],packet[30],packet[31]);
        if ((strcmp(source_ip,"") != 0) && (strcmp(source_ip,temp2) != 0))
            return 0;
        // Destination IP - compare
        sprintf(packet_struct[count_printed].destination,"%d.%d.%d.%d",packet[38],packet[39],packet[40],packet[41]);
        if ((strcmp(destination_ip,"") != 0) && (strcmp(destination_ip,packet_struct[count_printed].destination) != 0))
            return 0;
        // Destination (an ARP request goes to the broadcast address)
        sprintf(packet_struct[count_printed].destination,"Broadcast");
        // Relevant Information
        sprintf(packet_struct[count_printed].relevant,"Who has %d.%d.%d.%d ? Tell %d.%d.%d.%d",
                packet[38],packet[39],packet[40],packet[41],packet[28],packet[29],packet[30],packet[31]);
    }
    if (strcmp(opcode,"0002")==0){
        // ARP reply
        // Destination MAC
        bzero(temp1,size);
        bzero(temp2,size);
        sprintf(temp1,"Destination MAC address: ");
        sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[0], packet[1], packet[2], packet[3], packet[4], packet[5]);
        if ((strcmp(destination_MAC,"") != 0) && (strcmp(destination_MAC,temp2) != 0))
            return 0;
        sprintf(packet_struct[count_printed].less_relevant,"%s%s\n",temp1,temp2);
        // Destination
        sprintf(packet_struct[count_printed].destination,"%s",temp2);
        // Source MAC
        bzero(temp1,size);
        bzero(temp2,size);
        sprintf(temp1,"Source MAC address: ");
        sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[6], packet[7], packet[8], packet[9], packet[10], packet[11]);
        if ((strcmp(source_MAC,"") != 0) && (strcmp(source_MAC,temp2) != 0))
            return 0;
        strcat(temp1,temp2);
        strcat(temp1,"\n");
        strcat(packet_struct[count_printed].less_relevant,temp1);
        // Source
        sprintf(packet_struct[count_printed].source,"%s",temp2);
        // Relevant Information: sender IP (bytes 28-31) and sender MAC (bytes 22-27)
        sprintf(packet_struct[count_printed].relevant,"%d.%d.%d.%d has MAC address %02x:%02x:%02x:%02x:%02x:%02x\n",
                packet[28],packet[29],packet[30],packet[31],packet[22],packet[23],packet[24],packet[25],packet[26],packet[27]);
        // Source IP - compare
        bzero(temp2,size);
        sprintf(temp2,"%d.%d.%d.%d",packet[28],packet[29],packet[30],packet[31]);
        if ((strcmp(source_ip,"") != 0) && (strcmp(source_ip,temp2) != 0))
            return 0;
        // Destination IP - compare
        bzero(temp2,size);
        sprintf(temp2,"%d.%d.%d.%d",packet[38],packet[39],packet[40],packet[41]);
        if ((strcmp(destination_ip,"") != 0) && (strcmp(destination_ip,temp2) != 0))
            return 0;
    }
    return 1;
    // Temporary Storage
    int size = 100;
    char temp1[size];
    char temp2[size];
    int t = 0;
    sprintf(eth_type, "%02x%02x",packet[12],packet[13]);   // EtherType: bytes 12-13 of the frame
    strcat(packet_struct[count_printed].protocol_hierarchy,":IPv4");
    sprintf(packet_struct[count_printed].protocol,"IPv4");
    // Destination MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Destination MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[0], packet[1], packet[2], packet[3], packet[4], packet[5]);
    if ((strcmp(destination_MAC,"") != 0) && (strcmp(destination_MAC,temp2) != 0))
        return 0;
    // Append with strcat: sprintf(temp1,"%s%s",temp1,...) overlaps source and destination (undefined behaviour)
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Source MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Source MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[6], packet[7], packet[8], packet[9], packet[10], packet[11]);
    if ((strcmp(source_MAC,"") != 0) && (strcmp(source_MAC,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Source IP (bytes 12-15 of the IPv4 header)
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Source IP address: ");
    sprintf(temp2,"%d.%d.%d.%d", packet[26], packet[27], packet[28], packet[29]);
    if ((strcmp(source_ip,"") != 0) && (strcmp(source_ip,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Source
    sprintf(packet_struct[count_printed].source,"%s",temp2);
    // Destination IP (bytes 16-19 of the IPv4 header)
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Destination IP address: ");
    sprintf(temp2,"%d.%d.%d.%d", packet[30], packet[31], packet[32], packet[33]);
    if ((strcmp(destination_ip,"") != 0) && (strcmp(destination_ip,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Destination
    sprintf(packet_struct[count_printed].destination,"%s",temp2);
    strcat(packet_struct[count_printed].protocol_hierarchy,":TCP");
    sprintf(packet_struct[count_printed].protocol,"TCP");
    PrintPacketInformation_TCP(packet, len);
    return 1;
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":UDP");
    sprintf(packet_struct[count_printed].protocol,"UDP");
    PrintPacketInformation_UDP(packet, len);
    return 1;
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":ICMP");
    sprintf(packet_struct[count_printed].protocol,"ICMP");
    PrintPacketInformation_ICMP(packet, len);
    return 1;
    }
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":ARP");
    sprintf(packet_struct[count_printed].protocol,"ARP");
    return PrintPacketInformation_ARP(packet,len);
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":IPv6");
    sprintf(packet_struct[count_printed].protocol,"IPv6");
    // Destination MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Destination MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[0], packet[1], packet[2], packet[3], packet[4], packet[5]);
    if ((strcmp(destination_MAC,"") != 0) && (strcmp(destination_MAC,temp2) != 0))
        return 0;
    sprintf(packet_struct[count_printed].less_relevant,"%s%s\n",temp1,temp2);
    // Source MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Source MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[6], packet[7], packet[8], packet[9], packet[10], packet[11]);
    if ((strcmp(source_MAC,"") != 0) && (strcmp(source_MAC,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Source IPv6 (bytes 8-23 of the IPv6 header)
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Source IPv6 address: ");
    sprintf(temp2,"%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",
            packet[22], packet[23], packet[24], packet[25], packet[26], packet[27], packet[28], packet[29],
            packet[30], packet[31], packet[32], packet[33], packet[34], packet[35], packet[36], packet[37]);
    if ((strcmp(source_ip,"") != 0) && (strcmp(source_ip,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Destination IPv6 (bytes 24-39 of the IPv6 header)
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Destination IPv6 address: ");
    sprintf(temp2,"%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",
            packet[38], packet[39], packet[40], packet[41], packet[42], packet[43], packet[44], packet[45],
            packet[46], packet[47], packet[48], packet[49], packet[50], packet[51], packet[52], packet[53]);
    if ((strcmp(destination_ip,"") != 0) && (strcmp(destination_ip,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Destination
    sprintf(packet_struct[count_printed].destination,"%s",temp2);
    strcat(packet_struct[count_printed].protocol_hierarchy,":UDP");
    sprintf(packet_struct[count_printed].protocol,"UDP");
    PrintPacketInformation_UDP_IPv6(packet,len);
    return 1;
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":TCP");
    sprintf(packet_struct[count_printed].protocol,"TCP");
    PrintPacketInformation_TCP_IPv6(packet,len);
    return 1;
    }
    strcat(packet_struct[count_printed].protocol_hierarchy,":ICMPv6");
    sprintf(packet_struct[count_printed].protocol,"ICMPv6");
    PrintPacketInformation_ICMP_IPv6(packet,len);
    return 1;
    }
    // If the packet is of none of the above types then fill the entries with "Unknown"
    else{
        sprintf(packet_struct[count_printed].source,"Unknown");
        sprintf(packet_struct[count_printed].destination,"Unknown");
        sprintf(packet_struct[count_printed].protocol,"Unknown");
        sprintf(packet_struct[count_printed].relevant,"Packet of unknown type");
        sprintf(packet_struct[count_printed].less_relevant,"Packet of unknown type, not identified by our software");
        return 1;
    }
    if (strcmp(protocol,"all") == 0)
        return 1;
    return 0;
}
interfaces.py
import platform

def findalldev():
    '''Returns a list of network interface names (excluding the loopback "lo")'''
    # The method we use to list interfaces (/proc/net/dev) is Linux-specific,
    # so it helps to check the platform we are working on first
    list_of_devices = []
    if platform.system() != "Linux":
        return list_of_devices
    # Read /proc/net/dev directly instead of copying it to /tmp with "cat" and
    # deleting it with "rm": no shell, no temporary file, no /tmp race
    f = open('/proc/net/dev', 'r')
    # Every interface line looks like "  eth0: 1234 ..."; keep the name before the colon
    for line in f:
        if ":" in line:
            t = line.split(':')
            t[0] = t[0].strip()
            if t[0] != "lo":
                list_of_devices.append(t[0])
    f.close()
    return list_of_devices

# Write one interface name per line to interfaces.txt (read later by gui.c)
p = findalldev()
f = open('./interfaces.txt', 'w')
for j in p:
    f.write(j + "\n")
f.close()
gui.c
#include "sniffer.h"
#include <pthread.h>
#include <gtk/gtk.h>
#include <time.h>
pthread_t thread1,thread2;
int count_captured;          // Number of packets captured till now
int count_print_anyways;
int count_printed;
pack packet_struct[MAX_PACKETS];
int glob_index=0;
// Runs interfaces.py to write the interface names to interfaces.txt, then counts them
void Inames(){
    system("python interfaces.py");
    int i,j;
    char line[IFNAMSIZ];
    int t = 0;
    static const char filename[] = "interfaces.txt";
    // Global variable
    number_of_interfaces = 0;
    FILE *file;
    file = fopen(filename, "r");
    if ( file != NULL )
    {
        while (fgets(line,IFNAMSIZ,file) != NULL)
        {
            number_of_interfaces ++;
        }
        fclose(file);
    }
    else
    {
        perror(filename);
    }
}
// Basic code to bring up a pop-up window displaying some message with some title
void popup_window (gchar *message,gchar * title) {
    GtkWidget *dialog, *label, *content_area;
    dialog = gtk_dialog_new_with_buttons (title, NULL, GTK_DIALOG_DESTROY_WITH_PARENT,
                                          GTK_STOCK_OK, GTK_RESPONSE_NONE, NULL);
    content_area = gtk_dialog_get_content_area (GTK_DIALOG (dialog));
    label = gtk_label_new (message);
    // Close the pop-up window once the user responds with "OK"
    g_signal_connect_swapped (dialog, "response", G_CALLBACK (gtk_widget_destroy), dialog);
    gtk_container_add (GTK_CONTAINER (content_area), label);
    gtk_widget_show_all (dialog);
}
//Call this function whenever the user selects a value from the drop down box
// This is for the first drop down box
void combo_selected(GtkWidget *widget, gpointer window){
gchar *text = gtk_combo_box_get_active_text(GTK_COMBO_BOX(widget));
sprintf(protocol,"%s",text);
printf("selected option is : %s\n",protocol);
return;
}
//Same function as the previous one, but now for the second drop down box
void combo_selected2(GtkWidget *widget, gpointer window)
{
gchar *text = gtk_combo_box_get_active_text(GTK_COMBO_BOX(widget));
sprintf(interface,"%s",text);
printf("selected option is : %s\n",interface);
return;
}
// Set the global variable DUMMY to false once the user decides to stop the capture.
// We use DUMMY while capturing packets to decide whether to display them or not.
void stop_capture(gpointer data){
DUMMY = FALSE;
return ;
}
// Sniffer thread: opens a packet socket on the selected interface and decodes every
// frame it receives. It runs on thread2 (see tempthread()), hence the pthread signature.
void *got(void *arg)
{
    // declaration of variables
    int rawsock;                 // raw socket descriptor
    int len;                     // length of packet
    int proto;
    int state = 1;               // Continue sniffing packets till state != 0
    //char interface[10];
    char buffer[MAXLENGTH];
    struct sockaddr_ll sll;      // structure of type sock address
    socklen_t sll_len;           // size of sll as filled in by recvfrom
    struct ifreq req;            // structure required to request a particular interface for socket ioctl commands
    int t;                       // Variable to check whether the packet captured was according to our needs
    struct timeval tv1, tv2;     // Variables required to calculate the time of arrival of packet w.r.t starting the capture
    (void)arg;
    count_printed = 0;
    // Set the protocol family which is to be captured in the protocol field of the socket.
    // Default to all protocols so that proto is never left uninitialised (the drop down
    // also offers "tcp", "udp" and "icmp", which match none of the cases below).
    proto = ETH_P_ALL;
    // All Protocol
    if (strcmp(protocol,"all") == 0)
        proto = ETH_P_ALL;
    // IPv4 Protocol
    if (strcmp(protocol,"ipv4") == 0 || strcmp(protocol,"ipv4|udp") == 0 ||
        strcmp(protocol,"ipv4|tcp") == 0 || strcmp(protocol,"ipv4|icmp") == 0)
        proto = ETH_P_IP;
    // IPv6 Protocol
    if (strcmp(protocol,"ipv6") == 0 || strcmp(protocol,"ipv6|udp") == 0 ||
        strcmp(protocol,"ipv6|tcp") == 0 || strcmp(protocol,"ipv6|icmp") == 0)
        proto = ETH_P_IPV6;
    // ARP Protocol
    if (strcmp(protocol,"arp") == 0)
        proto = ETH_P_ARP;
    /*
     * Only a root owner can run this line because only root has the capability to
     * open packet sockets (that is why we CAN RUN THIS CODE ONLY WITH ROOT PERMISSIONS).
     * Packet sockets with socket_type SOCK_RAW allow us to bypass the network stack so
     * that the packet is delivered to us directly (without any header stripped off).
     * The PF_PACKET interface allows us to send/receive packets directly at the device
     * driver level, thus all packets received will be complete with header and data.
     * The third argument of creating a socket specifies the protocol of which packets
     * are to be filtered.
     */
    // The socket() call itself is missing from the extracted listing; it is restored
    // here exactly as the comment above describes it.
    rawsock = socket(PF_PACKET, SOCK_RAW, htons(proto));
    if (rawsock < 0) {
        perror("socket");
        return NULL;
    }
    bzero(&sll, sizeof(sll));
    bzero(&req, sizeof(req));
    sll.sll_family = AF_PACKET;
    /* For binding the device to some interface, we need to set the sll_ifindex field
       of the sockaddr_ll structure to the interface index of the device */
    // The ioctl that fills req.ifr_ifindex is also missing from the listing and is restored here.
    strncpy(req.ifr_name, interface, IFNAMSIZ - 1);
    if (ioctl(rawsock, SIOCGIFINDEX, &req) < 0) {
        perror(interface);
        close(rawsock);
        return NULL;
    }
    sll.sll_ifindex = req.ifr_ifindex;
    sll.sll_protocol = htons(proto);
    if (bind(rawsock, (struct sockaddr *)&sll, sizeof(sll)) < 0) {
        perror("bind");
        close(rawsock);
        return NULL;
    }
    // Record this time i.e. the time just before we start capturing the packets
    gettimeofday(&tv1, NULL);
    // Capture loop, restored from the variables declared above and the description of
    // sniffer.c later in this report (raw socket, recvfrom, PrintPacketInformation).
    while (state) {
        if (count_printed == MAX_PACKETS) {
            // Stop printing the packets beyond MAX_PACKETS
            state = 0;
            break;
        }
        sll_len = sizeof(sll);
        len = recvfrom(rawsock, buffer, sizeof(buffer), 0, (struct sockaddr *)&sll, &sll_len);
        if (len < 0) {
            perror("recvfrom");
            break;
        }
        gettimeofday(&tv2, NULL);
        if (!DUMMY)   // the user pressed stop: keep receiving but display nothing
            continue;
        sprintf(packet_struct[count_printed].less_relevant, "Frame Size : %d bytes \n", len);
        // Call the function to put the relevant details into the packet fields
        t = PrintPacketInformation((unsigned char *)buffer, len);
        // Packet has been received successfully and is according to filters set by the User!!
        if (t)
        {
            packet_struct[count_printed].size = len;
            packet_struct[count_printed].index = count_printed + 1;
            packet_struct[count_printed].arrival_time = ((double)(tv2.tv_usec - tv1.tv_usec)/1000000
                                                        + (double)(tv2.tv_sec - tv1.tv_sec));
            Printpacket();
            Printhexdump(buffer, len);
            count_printed++;
        }
        else
        {
            // Discard the half-filled entry (the listing zeroed packet_struct[0] here, which
            // wiped the first accepted packet instead of the current slot)
            bzero(&packet_struct[count_printed], sizeof(pack));
        }
    }
    shutdown(rawsock, 2);
    close(rawsock);
    return NULL;
}
// Value of one hexadecimal digit; any other character yields 0
int xtod(char c) {
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'A' && c <= 'F')
        return c - 'A' + 10;
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return 0; // Not a hexadecimal digit
}
void Printpacket(){
    printf("\n............Packet Information starts here.........\n\n");
    printf("Index : %d Time : %f Source : %s Destination : %s Protocol : %s Info : %s \nEncapsulation : %s\nLess Relevant : %s",
           count_printed, packet_struct[count_printed].arrival_time, packet_struct[count_printed].source,
           packet_struct[count_printed].destination, packet_struct[count_printed].protocol,
           packet_struct[count_printed].relevant, packet_struct[count_printed].protocol_hierarchy,
           packet_struct[count_printed].less_relevant);
    printf("\n............Packet Information ends here.........\n\n");
}
// Tail of the hex dump formatter (its header and the declarations of len1, i and j are not
// reproduced in the listing): re-wraps the len1 characters of the dump into lines of 55
    char temp[len1+30];
    for(i=0;i<len1;i++){
        if(i/55 - j != 0){
            temp[i+j] = '\n';
            j++;
        }
        temp[i+j] = packet_struct[count_printed].hex_dump[i];
    }
    temp[len1+j] = '\0';   // terminate before copying back; the listing left temp unterminated
    sprintf(packet_struct[count_printed].hex_dump,"%s",temp);
}
// UDP over IPv4 (the function header is not reproduced in the listing)
// Temporary Storage
int size = 100;
char temp[5];
char temp1[size];
char temp2[size];
sprintf(temp,"%02x",packet[14]);
IP_header_length = xtod(temp[1]);      // low nibble of the first IPv4 byte = IHL in 32-bit words
IP_header_length = 4*IP_header_length;
// Relevant to UDP
bzero(temp,5);
// Source port: first two bytes of the UDP header (the listing read packet[35 + ...] here, a typo for 15)
sprintf(temp,"%02x%02x",packet[14 + IP_header_length],packet[15 + IP_header_length]);
s_port = hextoint(temp,4);
sprintf(packet_struct[count_printed].relevant,"Source Port : %d",s_port);
bzero(temp,5);
sprintf(temp,"%02x%02x",packet[16 + IP_header_length],packet[17 + IP_header_length]);
d_port = hextoint(temp,4);
//Checking for some commonly used dest_ports
// (strcat is used instead of sprintf(buf,"%s ...",buf): passing a buffer as its own %s
// argument is undefined behaviour)
if (d_port == 2008) {
    strcat(packet_struct[count_printed].relevant," Destination Port : terminaldb");
    return;
}
// Simple Service Discovery Protocol - the port test opening this block is missing from
// the listing; SSDP uses UDP port 1900, so it is restored as that test
if (d_port == 1900) {
    strcat(packet_struct[count_printed].protocol_hierarchy,":SSDP");
    if (s_port == 1900)
        sprintf(packet_struct[count_printed].relevant,"NOTIFY * HTTP/1.1");
    else
        strcat(packet_struct[count_printed].relevant," M-SEARCH * HTTP/1.1");
    return;
}
else {
    snprintf(temp1,size," Destination Port : %d",d_port);
    strcat(packet_struct[count_printed].relevant,temp1);
    return;
}
}
// UDP over IPv6: the transport header starts at byte 54 (14 Ethernet + 40 IPv6)
bzero(temp,5);
sprintf(temp,"%02x%02x",packet[54],packet[55]);
s_port = hextoint(temp,4);
sprintf(packet_struct[count_printed].relevant,"Source Port : %d",s_port);
bzero(temp,5);
sprintf(temp,"%02x%02x",packet[56],packet[57]);
d_port = hextoint(temp,4);
/* The WS-Discovery protocol uses the UDP port 3702. The multicast address used is
   239.255.255.250 on IPv4 networks and [FF02::C] on IPv6 networks. The WS-Discovery
   protocol uses SOAP and UDP (User Datagram Protocol) multicast to enable services
   to be discovered by a client */
if (d_port == 3702){
    strcat(packet_struct[count_printed].relevant," Destination Port : ws-discovery");
    return;
}
if (d_port == 2008) {
    strcat(packet_struct[count_printed].relevant," Destination Port : terminaldb");
    return;
}
// Simple Service Discovery Protocol - the port test opening this block is missing from
// the listing; SSDP uses UDP port 1900, so it is restored as that test
if (d_port == 1900) {
    strcat(packet_struct[count_printed].protocol_hierarchy,":SSDP");
    if (s_port == 1900)
        sprintf(packet_struct[count_printed].relevant,"NOTIFY * HTTP/1.1");
    else
        strcat(packet_struct[count_printed].relevant," M-SEARCH * HTTP/1.1");
    return;
}
else {
    char tail[40];   // scratch for the numeric port; sprintf(buf,"%s..",buf) is undefined behaviour
    snprintf(tail,sizeof(tail)," Destination Port : %d",d_port);
    strcat(packet_struct[count_printed].relevant,tail);
    return;
}
}
// TCP over IPv4 (the function header is not reproduced in the listing)
//Header length field - The check is necessary because the IPv4 header is not always 20 bytes
sprintf(temp,"%02x",packet[14]);
IP_header_length = xtod(temp[1]);
IP_header_length = 4*IP_header_length;
bzero(temp,5);
sprintf(temp,"%02x%02x",packet[14 + IP_header_length],packet[15 + IP_header_length]);
s_port = hextoint(temp,4);
bzero(temp,5);
sprintf(temp,"%02x%02x",packet[16 + IP_header_length],packet[17 + IP_header_length]);
d_port = hextoint(temp,4);
// Only the tail of each well-known-port test survives in the listing (the conditions on
// s_port/d_port were lost); each one appends the application protocol to the encapsulation
    strcat(packet_struct[count_printed].protocol_hierarchy,":FTP");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":Echo");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":SSH");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":Telnet");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":IMAP");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":HTTP");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":HTTPS");
}
bzero(temp,5);
sprintf(temp,"%02x",packet[22]);                    // IPv4 TTL
time_to_live = hextoint(temp,2);
bzero(temp,5);
sprintf(temp,"%02x%02x",packet[28 + IP_header_length],packet[29 + IP_header_length]);   // TCP window size
window_size = hextoint(temp,4);
// TCP over IPv6 (the function header is not reproduced in the listing)
char temp[5];
int window_size;
int s_port;
int d_port;
int time_to_live;
bzero(temp,5);
sprintf(temp,"%02x%02x",packet[54],packet[55]);     // TCP header starts after the 40-byte IPv6 header
s_port = hextoint(temp,4);
bzero(temp,5);
sprintf(temp,"%02x%02x",packet[56],packet[57]);
d_port = hextoint(temp,4);
// Only the tail of each well-known-port test survives in the listing (see the IPv4 version)
    strcat(packet_struct[count_printed].protocol_hierarchy,":FTP");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":Echo");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":SSH");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":Telnet");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":IMAP");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":HTTP");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":Pop3");
}
    strcat(packet_struct[count_printed].protocol_hierarchy,":HTTPS");
}
// None of the above protocols
else{
    char tail[64];   // scratch buffer; sprintf(buf,"%s..",buf) is undefined behaviour
    snprintf(tail,sizeof(tail),"Source Port : %d Destination Port : %d",s_port,d_port);
    strcat(packet_struct[count_printed].less_relevant,tail);
}
bzero(temp,5);
// Hop limit is byte 21 of the frame (14 Ethernet + 7); the listing read packet[42], which
// lies inside the source address
sprintf(temp,"%02x",packet[21]);
time_to_live = hextoint(temp,2);
bzero(temp,5);
sprintf(temp,"%02x%02x",packet[68],packet[69]);     // TCP window size
window_size = hextoint(temp,4);
// ICMP over IPv4 (the function header is not reproduced in the listing)
char temp[5];
int IP_header_length;
int type;              // Type of ICMP request
// Not so relevant
bzero(temp,5);
sprintf(temp,"%02x",packet[14]);
IP_header_length = xtod(temp[1]);
IP_header_length = 4*IP_header_length;
bzero(temp,5);
sprintf(temp,"%02x",packet[14 + IP_header_length]);   // first byte of the ICMP header
type = hextoint(temp,2);
if (type == 0) {
    sprintf(packet_struct[count_printed].relevant,"Echo reply");
    return;
}
if (type == 8) {
    sprintf(packet_struct[count_printed].relevant,"Echo request");
    return;
}
if (type == 9) {
    sprintf(packet_struct[count_printed].relevant,"Router discovery/selection/solicitation");
    return;
}
else {
    sprintf(packet_struct[count_printed].relevant,"ICMP packet of type %d\n",type);
    return;
}
}
// ICMPv6 (the function header is not reproduced in the listing)
char temp[5];
int type;              // Type of ICMPv6 message
// Not so relevant
bzero(temp,5);
sprintf(temp,"%02x",packet[54]);    // first byte of the ICMPv6 header
type = hextoint(temp,2);
if (type == 128) {
    sprintf(packet_struct[count_printed].relevant,"Echo Request");
    return;
}
if (type == 129) {
    sprintf(packet_struct[count_printed].relevant,"Echo Reply");
    return;
}
if (type == 133) {
    strcat(packet_struct[count_printed].protocol_hierarchy,":NDP");
    sprintf(packet_struct[count_printed].protocol,"NDP");
    sprintf(packet_struct[count_printed].relevant,"Router Solicitation");
    return;
}
if (type == 134) {
    sprintf(packet_struct[count_printed].relevant,"Router Advertisement");
    return;
}
if (type == 135) {
    sprintf(packet_struct[count_printed].relevant,"Neighbour solicitation");
    return;
}
else {
    sprintf(packet_struct[count_printed].relevant,"ICMPv6 packet of type %d\n",type);
    return;
}
}
// ARP (the function header is not reproduced in the listing)
char opcode[5];        // four hex digits plus the terminator; the listing's opcode[3] was overflowed by sprintf
// Temporary Storage
int size = 100;
char temp1[size];
char temp2[size];
sprintf(opcode,"%02x%02x",packet[20],packet[21]);
if (strcmp(opcode,"0001")==0){
    // ARP Request
    // Destination MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Destination MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[0], packet[1], packet[2], packet[3], packet[4], packet[5]);
    if ((strcmp(destination_MAC,"") != 0) && (strcmp(destination_MAC,temp2) != 0))
        return 0;
    sprintf(packet_struct[count_printed].less_relevant,"%s %s\n",temp1,temp2);
    // Source MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Source MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[6], packet[7], packet[8], packet[9], packet[10], packet[11]);
    if ((strcmp(source_MAC,"") != 0) && (strcmp(source_MAC,temp2) != 0))
        return 0;
    // strcat instead of sprintf(temp1,"%s%s\n",temp1,..): a buffer may not be its own %s argument
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    //Source
    sprintf(packet_struct[count_printed].source,"%s",temp2);
    // Source IP-compare. The filter is applied only when the user entered one, as in the
    // IPv4/IPv6 paths; the listing compared unconditionally, which rejected every ARP
    // packet whenever the field was left empty.
    bzero(temp2,size);
    sprintf(temp2,"%d.%d.%d.%d",packet[28],packet[29],packet[30],packet[31]);
    if ((strcmp(source_ip,"") != 0) && (strcmp(temp2,source_ip) != 0))
        return 0;
    // Destination IP-compare
    sprintf(packet_struct[count_printed].destination,"%d.%d.%d.%d",packet[38],packet[39],packet[40],packet[41]);
    if ((strcmp(destination_ip,"") != 0) && (strcmp(packet_struct[count_printed].destination,destination_ip) != 0)){
        return 0;
    }
    // Destination
    sprintf(packet_struct[count_printed].destination,"Broadcast");
    // Relevant Information
    sprintf(packet_struct[count_printed].relevant,"Who has %d.%d.%d.%d ? Tell %d.%d.%d.%d",
            packet[38],packet[39],packet[40],packet[41],packet[28],packet[29],packet[30],packet[31]);
}
if (strcmp(opcode,"0002")==0){
    // ARP reply
    // Destination MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Destination MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[0], packet[1], packet[2], packet[3], packet[4], packet[5]);
    if ((strcmp(destination_MAC,"") != 0) && (strcmp(destination_MAC,temp2) != 0))
        return 0;
    sprintf(packet_struct[count_printed].less_relevant,"%s %s\n",temp1,temp2);
    // Destination
    sprintf(packet_struct[count_printed].destination,"%s",temp2);
    // Source MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Source MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[6], packet[7], packet[8], packet[9], packet[10], packet[11]);
    if ((strcmp(source_MAC,"") != 0) && (strcmp(source_MAC,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Source
    sprintf(packet_struct[count_printed].source,"%s",temp2);
    // Relevant Information: sender IP (bytes 28-31) and sender MAC (bytes 22-27)
    sprintf(packet_struct[count_printed].relevant,"%d.%d.%d.%d has MAC address %02x:%02x:%02x:%02x:%02x:%02x\n",
            packet[28],packet[29],packet[30],packet[31],
            packet[22],packet[23],packet[24],packet[25],packet[26],packet[27]);
    // Source IP-compare (only when a filter was entered, see above)
    bzero(temp2,size);
    sprintf(temp2,"%d.%d.%d.%d",packet[28],packet[29],packet[30],packet[31]);
    if ((strcmp(source_ip,"") != 0) && (strcmp(temp2,source_ip) != 0))
        return 0;
    // Destination IP-compare
    bzero(temp2,size);
    sprintf(temp2,"%d.%d.%d.%d",packet[38],packet[39],packet[40],packet[41]);
    if ((strcmp(destination_ip,"") != 0) && (strcmp(temp2,destination_ip) != 0))
        return 0;
}
return 1;
// Start of PrintPacketInformation. Its header, the declarations of eth_type, temp1, temp2
// and size, and the ethertype/protocol tests that open the branches below are not
// reproduced in the listing; the surviving bodies keep their original braces.
sprintf(eth_type, "%02x%02x",packet[12],packet[13]);
    // IPv4 branch (ethertype 0800)
    strcat(packet_struct[count_printed].protocol_hierarchy,":IPv4");
    sprintf(packet_struct[count_printed].protocol,"IPv4");
    // Destination MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Destination MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[0], packet[1], packet[2], packet[3], packet[4], packet[5]);
    // Apply the user's filter only when one was entered
    if ((strcmp(destination_MAC,"") != 0) && (strcmp(destination_MAC,temp2) != 0))
        return 0;
    // strcat instead of sprintf(temp1,"%s%s\n",temp1,..), which is undefined behaviour
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Source MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Source MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[6], packet[7], packet[8], packet[9], packet[10], packet[11]);
    if ((strcmp(source_MAC,"") != 0) && (strcmp(source_MAC,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Source IP (bytes 26-29 of the frame)
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Source IP address: ");
    sprintf(temp2,"%d.%d.%d.%d", packet[26], packet[27], packet[28], packet[29]);
    if ((strcmp(source_ip,"") != 0) && (strcmp(source_ip,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Source
    sprintf(packet_struct[count_printed].source,"%s",temp2);
    // Destination IP (bytes 30-33 of the frame)
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Destination IP address: ");
    sprintf(temp2,"%d.%d.%d.%d", packet[30], packet[31], packet[32], packet[33]);
    if ((strcmp(destination_ip,"") != 0) && (strcmp(destination_ip,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Destination
    sprintf(packet_struct[count_printed].destination,"%s",temp2);
    // UDP (the test on the IPv4 protocol field that opens this block is not reproduced)
        strcat(packet_struct[count_printed].protocol_hierarchy,":UDP");
        sprintf(packet_struct[count_printed].protocol,"UDP");
        PrintPacketInformation_UDP(packet, len);
        return 1;
    }
    // ICMP (protocol test not reproduced)
        strcat(packet_struct[count_printed].protocol_hierarchy,":ICMP");
        sprintf(packet_struct[count_printed].protocol,"ICMP");
        PrintPacketInformation_ICMP(packet, len);
        return 1;
    }
}
// ARP branch (ethertype 0806; the test opening it is not reproduced)
    strcat(packet_struct[count_printed].protocol_hierarchy,":ARP");
    sprintf(packet_struct[count_printed].protocol,"ARP");
    return PrintPacketInformation_ARP(packet,len);
}
// IPv6 branch (ethertype 86dd; the test opening it is not reproduced)
    strcat(packet_struct[count_printed].protocol_hierarchy,":IPv6");
    sprintf(packet_struct[count_printed].protocol,"IPv6");
    // Destination MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Destination MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[0], packet[1], packet[2], packet[3], packet[4], packet[5]);
    if ((strcmp(destination_MAC,"") != 0) && (strcmp(destination_MAC,temp2) != 0))
        return 0;
    sprintf(packet_struct[count_printed].less_relevant,"%s %s\n",temp1,temp2);
    // Source MAC
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Source MAC address: ");
    sprintf(temp2,"%02x:%02x:%02x:%02x:%02x:%02x", packet[6], packet[7], packet[8], packet[9], packet[10], packet[11]);
    if ((strcmp(source_MAC,"") != 0) && (strcmp(source_MAC,temp2) != 0))
        return 0;
    // strcat instead of sprintf(temp1,"%s%s\n",temp1,..), which is undefined behaviour
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Source IPv6 (bytes 22-37 of the frame)
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Source IPv6 address: ");
    sprintf(temp2,"%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",
            packet[22], packet[23], packet[24], packet[25], packet[26], packet[27], packet[28], packet[29],
            packet[30], packet[31], packet[32], packet[33], packet[34], packet[35], packet[36], packet[37]);
    if ((strcmp(source_ip,"") != 0) && (strcmp(source_ip,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Source
    sprintf(packet_struct[count_printed].source,"%s",temp2);
    // Destination IPv6 (bytes 38-53 of the frame)
    bzero(temp1,size);
    bzero(temp2,size);
    sprintf(temp1,"Destination IPv6 address: ");
    sprintf(temp2,"%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",
            packet[38], packet[39], packet[40], packet[41], packet[42], packet[43], packet[44], packet[45],
            packet[46], packet[47], packet[48], packet[49], packet[50], packet[51], packet[52], packet[53]);
    if ((strcmp(destination_ip,"") != 0) && (strcmp(destination_ip,temp2) != 0))
        return 0;
    strcat(temp1,temp2);
    strcat(temp1,"\n");
    strcat(packet_struct[count_printed].less_relevant,temp1);
    // Destination
    sprintf(packet_struct[count_printed].destination,"%s",temp2);
    // TCP (the test on the IPv6 next-header field that opens this block is not reproduced)
        strcat(packet_struct[count_printed].protocol_hierarchy,":TCP");
        sprintf(packet_struct[count_printed].protocol,"TCP");
        PrintPacketInformation_TCP_IPv6(packet,len);
        return 1;
    }
    // ICMPv6 (next-header test not reproduced)
        strcat(packet_struct[count_printed].protocol_hierarchy,":ICMPv6");
        sprintf(packet_struct[count_printed].protocol,"ICMPv6");
        PrintPacketInformation_ICMP_IPv6(packet,len);
        return 1;
    }
// If the packet is of none of the above types then fill the entries with "Unknown"
else{
    sprintf(packet_struct[count_printed].source,"Unknown");
    sprintf(packet_struct[count_printed].destination,"Unknown");
    sprintf(packet_struct[count_printed].protocol,"Unknown");
    sprintf(packet_struct[count_printed].relevant,"Packet of unknown type");
    sprintf(packet_struct[count_printed].less_relevant,"Packet of unknown type, not identified by our software");
    return 1;
}
if (strcmp(protocol,"all") == 0)
    return 1;
return 0;
}
//We run two threads: one to keep sniffing packets and the other one to run the GUI and to cater to
// the user requests
//Run the sniffer function (got()) on the second thread
int tempthread()
{
    int j;
    j = pthread_create( &thread2, NULL, got, NULL);
    if (j != 0)
        perror("pthread_create");
    return j;
}
// Tail of another handler whose body is not reproduced in the listing
    return;
}
// Fragment of the row-selection handler: builds the detail text shown in the pop-up for packet i
    sprintf(message,"Index : %d\n"
            "Time of arrival : %f\n"
            "Source IP : %s\n"
            "Destination IP : %s\n"
            "Protocol : %s\n"
            "%s\n"
            "Encapsulation : %s\n"
            "%s\n"
            "Hexdump : %s\n", i,
            packet_struct[i].arrival_time,
            packet_struct[i].source,
            packet_struct[i].destination,
            packet_struct[i].protocol,
            packet_struct[i].relevant,
            packet_struct[i].protocol_hierarchy,
            packet_struct[i].less_relevant,
            packet_struct[i].hex_dump);
// Body of the GUI function (started on thread1 as fft() in main); its header is not reproduced
int i;
//define the widgets needed
GtkWidget *scrolled_window;   //the scroll window
GtkWidget *vbox;
GtkWidget *window;            //the main window
GtkLabel *entry_l;            //label
GtkWidget *box;
GtkWidget *box1;
GtkWidget *box2;
GtkWidget *box3;
GtkWidget *box4;
GtkWidget *boxbig;
GtkWidget *titleimage;        //Header Image
GtkWidget *button1;
GtkWidget *button2;
GtkWidget *button3;
GtkWidget *button4;
GtkWidget *boxone;
GtkWidget *labeltext;
GtkWidget *combo;             //The drop down menu
GtkWidget *combo2;            //The drop down menu
GtkWidget *labeltext2;
GtkWidget *boxone2;
GtkEntry *entry;              //Textbox
GtkEntry *entry2;             //Textbox
window = gtk_window_new (GTK_WINDOW_TOPLEVEL);
gtk_window_set_title(GTK_WINDOW(window),"Project");
gboolean homogeneous= FALSE,expand = FALSE,fill = FALSE;
gint spacing = 0,padding =0;
box = gtk_hbox_new (homogeneous, padding);
box1 = gtk_vbox_new (homogeneous, padding);
box2 = gtk_vbox_new (homogeneous, padding);
box3 = gtk_vbox_new (homogeneous, padding);
box4 = gtk_vbox_new (homogeneous, padding);
boxbig = gtk_vbox_new (homogeneous, padding);
titleimage = gtk_vbox_new(homogeneous, padding);
titleimage = Image_plus_text("header.png","Project ID - 18");
gtk_widget_show(titleimage);
box1 = Image_plus_text("up.bmp", "Credits");
gtk_widget_show(box1);
button1 = gtk_button_new(); //Create Button
gtk_widget_set_size_request(GTK_WIDGET(button1),300,30);
gtk_container_add(GTK_CONTAINER(button1),box1);
box2 = Image_plus_text("hand.png", "Capture Packets");
gtk_widget_show(box2);
button2 = gtk_button_new();
gtk_widget_set_size_request(GTK_WIDGET(button2),300,30);
gtk_container_add(GTK_CONTAINER(button2),box2);
box3 = Image_plus_text("up.bmp", "Open File");
gtk_widget_show(box3);
button3 = gtk_button_new();
gtk_widget_set_size_request(GTK_WIDGET(button3),30,30);
gtk_container_add(GTK_CONTAINER(button3),box3);
box4 = Image_plus_text("up.bmp", "Documentation");
gtk_widget_show(box4);
button4 = gtk_button_new();
gtk_widget_set_size_request(GTK_WIDGET(button4),300,30);
gtk_container_add(GTK_CONTAINER(button4),box4);
gtk_box_pack_start (GTK_BOX (box), button1, expand, fill, padding);
gtk_box_pack_start (GTK_BOX (box), button2, expand, fill, padding);
gtk_box_pack_start (GTK_BOX (box), button4, expand, fill, padding);
// quit the main loop when the window is closed (the signal is named "delete-event")
g_signal_connect(window,"delete-event",G_CALLBACK(gtk_main_quit),NULL);
g_signal_connect(button1,"clicked",G_CALLBACK(credits),NULL);
g_signal_connect(button2,"clicked",G_CALLBACK(capture),NULL);
g_signal_connect(button2,"clicked",G_CALLBACK(tempthread),NULL);
g_signal_connect(button4,"clicked",G_CALLBACK(documentation),NULL);
gtk_widget_show (button1);
gtk_widget_show (button2);
gtk_widget_show (button3);
gtk_widget_show (button4);
gtk_widget_show(boxbig);
combo = gtk_combo_box_new_text();
boxone = gtk_hbox_new(TRUE,5);
//add all protocols to the list
gtk_combo_box_append_text(GTK_COMBO_BOX(combo), "tcp");
gtk_combo_box_append_text(GTK_COMBO_BOX(combo), "udp");
gtk_combo_box_append_text(GTK_COMBO_BOX(combo), "icmp");
gtk_combo_box_append_text(GTK_COMBO_BOX(combo), "arp");
gtk_combo_box_append_text(GTK_COMBO_BOX(combo), "ipv4");
gtk_combo_box_append_text(GTK_COMBO_BOX(combo), "ipv6");
gtk_combo_box_append_text(GTK_COMBO_BOX(combo), "ipv6|udp");
gtk_combo_box_append_text(GTK_COMBO_BOX(combo), "ipv6|tcp");
gtk_combo_box_append_text(GTK_COMBO_BOX(combo), "ipv6|icmp");
gtk_combo_box_append_text(GTK_COMBO_BOX(combo), "all");
g_signal_connect(G_OBJECT(combo), "changed",
G_CALLBACK(combo_selected), NULL);
gtk_widget_show(combo);
gtk_widget_show(boxone);
boxone2 = gtk_hbox_new(TRUE,0);
combo2 = gtk_combo_box_new_text();
int alpha;
Inames(); // the function to get all the interfaces on the system
for(alpha=0;alpha<number_of_interfaces;alpha++){
gtk_combo_box_append_text(GTK_COMBO_BOX(combo2), interface_names[alpha]);
}
g_signal_connect(G_OBJECT(combo2), "changed",
G_CALLBACK(combo_selected2), NULL);
gtk_widget_show(combo2);
gtk_widget_show(boxone2);
GtkWidget * boxtext;
GtkWidget * buttonsubmit1;
boxtext = gtk_hbox_new(TRUE,5);
gtk_widget_show(boxtext);
entry_l = (GtkLabel *)gtk_label_new("Insert Source IP");
gtk_widget_show(GTK_WIDGET(entry_l));
buttonsubmit1 = gtk_button_new_with_label("submit");
gtk_widget_show(buttonsubmit1);
entry = (GtkEntry *)gtk_entry_new();
g_signal_connect(G_OBJECT(buttonsubmit1),"clicked",G_CALLBACK(submittext1),GTK_WIDGET(entry));
gtk_box_pack_start(GTK_BOX(boxtext),GTK_WIDGET(entry_l),expand,fill,padding);
gtk_box_pack_start(GTK_BOX(boxtext),GTK_WIDGET(entry),expand,fill,padding);
gtk_box_pack_start(GTK_BOX(boxtext),GTK_WIDGET(buttonsubmit1),expand,fill,padding);
gtk_widget_show(GTK_WIDGET(entry));
GtkWidget * boxtext2;
GtkWidget * buttonsubmit2;
GtkLabel * entry_l2;
boxtext2 = gtk_hbox_new(TRUE,5);
gtk_widget_show(boxtext2);
entry_l2 = (GtkLabel *)gtk_label_new("Insert Destination IP");
gtk_widget_show(GTK_WIDGET(entry_l2));
buttonsubmit2 = gtk_button_new_with_label("submit");
gtk_widget_show(buttonsubmit2);
entry2 = (GtkEntry *)gtk_entry_new();
g_signal_connect(G_OBJECT(buttonsubmit2),"clicked",G_CALLBACK(submittext2),GTK_WIDGET(entry2));
gtk_box_pack_start(GTK_BOX(boxtext2),GTK_WIDGET(entry_l2),expand,fill,padding);
gtk_box_pack_start(GTK_BOX(boxtext2),GTK_WIDGET(entry2),expand,fill,padding);
gtk_box_pack_start(GTK_BOX(boxtext2),GTK_WIDGET(buttonsubmit2),expand,fill,padding);
gtk_widget_show(GTK_WIDGET(entry2));
gtk_box_pack_start (GTK_BOX (boxbig),titleimage, expand, fill, padding);
gtk_box_pack_start (GTK_BOX (boxbig),GTK_WIDGET(boxtext), expand, fill, padding);
gtk_box_pack_start (GTK_BOX (boxbig),GTK_WIDGET(boxtext2), expand, fill, padding);
gtk_box_pack_start (GTK_BOX (boxbig),GTK_WIDGET(boxone), expand, fill, padding);
gtk_box_pack_start (GTK_BOX (boxbig),GTK_WIDGET(boxone2), expand, fill, padding);
gtk_box_pack_start (GTK_BOX (boxbig), box, expand, fill, padding);
gtk_widget_show(box);
GtkWidget *hbox;
GtkWidget *clist;
GtkWidget *button_stop, *color_info, *button_hide_show;
gchar *titles[6] = { "Index", "Time", "Source", "Destination", "Protocol", "Encapsulation" };
vbox=gtk_vbox_new(FALSE, 5);
gtk_container_set_border_width(GTK_CONTAINER(vbox), 5);
gtk_box_pack_start (GTK_BOX (boxbig), vbox, expand, fill, padding);
gtk_widget_show(vbox);
scrolled_window = gtk_scrolled_window_new (NULL, NULL);
gtk_scrolled_window_set_policy (GTK_SCROLLED_WINDOW (scrolled_window), GTK_POLICY_ALWAYS, GTK_POLICY_AUTOMATIC);
gtk_widget_set_usize (GTK_WIDGET(scrolled_window), 110, 330);
gtk_box_pack_start(GTK_BOX(vbox), scrolled_window, TRUE, TRUE, 0);
gtk_widget_show (scrolled_window);
clist = gtk_clist_new_with_titles( 6, titles);
gtk_signal_connect(GTK_OBJECT(clist), "select_row", GTK_SIGNAL_FUNC(select_packet), NULL);
gtk_clist_set_shadow_type (GTK_CLIST(clist), GTK_SHADOW_OUT);
gtk_clist_set_column_width (GTK_CLIST(clist), 0, 50);
gtk_clist_set_column_width (GTK_CLIST(clist), 1, 150);
gtk_clist_set_column_width (GTK_CLIST(clist), 2, 375);
gtk_clist_set_column_width (GTK_CLIST(clist), 3, 375);
gtk_clist_set_column_width (GTK_CLIST(clist), 4, 200);
gtk_clist_set_column_width (GTK_CLIST(clist), 5, 350);
gtk_container_add(GTK_CONTAINER(scrolled_window), clist);
gtk_widget_show(clist);
hbox = gtk_hbox_new(FALSE, 0);
gtk_box_pack_start(GTK_BOX(vbox), hbox, FALSE, TRUE, 0);
gtk_widget_show(hbox);
// button_stop, color_info and button_hide_show are created by code not reproduced in the listing
gtk_widget_show(button_stop);
gtk_widget_show(color_info);
gtk_widget_show(button_hide_show);
g_timeout_add(TIMEOUT, stop_capture1, (gpointer) clist);
gtk_container_add (GTK_CONTAINER (window), boxbig);
gtk_widget_show(window);
gtk_main();
return 0;
}
gtk_init(&argc, &argv);
int i;
i = pthread_create( &thread1, NULL, fft, NULL);
pthread_join(thread1,NULL);
pthread_join(thread2,NULL);
return 0;
}
Run.sh
gcc sniffer.h
gcc -pthread -w gui.c -o gui.o `pkg-config --cflags --libs gtk+-2.0`
sudo ./gui.o
Explaining the Code:
Sniffer.h
Contains the various header files, which are standard C libraries.
Has important macros defined in it like MAXLENGTH, MAX_PACKETS, TIMEOUT and MAX_INTERFACES.
Has the declarations of the various functions used in sniffer.c.
Defines the structure packet, which stores the packet fields and some additional data.
sniffer.c
Useful if you want to see the output on the terminal or write it to a file.
Execute it like $ sudo ./sniffer.o interface_name (for example, $ sudo ./sniffer.o eth0).
First of all we create a raw socket and bind it to the interface you gave as argument.
With the use of recvfrom we get the raw packet.
By calling the function int PrintPacketInformation(unsigned char *, int) you fill the packet structure; if the value returned is 0, the captured packet should neither be displayed to the user nor stored, otherwise the captured packet is displayed to the user.
If the number of packets captured reaches more than MAX_PACKETS, stop capturing packets.
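The decode step described above, written as an added example that is not the report's own code: a bounds-checked decoder for the Ethernet/IPv4/IPv6/ARP frames that recvfrom hands to PrintPacketInformation. Unlike the report's fixed-offset sprintf("%02x") and hextoint parsing, it checks every offset against the captured length before reading, so a short or malformed frame is rejected instead of read past the buffer; struct decoded, decode_frame and the two sample frames are hypothetical names constructed for this example.

```c
#include <arpa/inet.h>    /* inet_ntop, INET6_ADDRSTRLEN */
#include <sys/socket.h>   /* AF_INET, AF_INET6 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result record for this example; the report keeps the same
 * information as formatted strings inside its packet_struct entries. */
struct decoded {
    uint16_t ethertype;
    uint16_t arp_op;                 /* ARP opcode, 0 for non-ARP frames */
    uint8_t  l4proto;                /* IPv4 protocol / IPv6 next header */
    uint8_t  ttl;                    /* IPv4 TTL / IPv6 hop limit */
    uint16_t src_port, dst_port;     /* TCP and UDP only, otherwise 0 */
    char     src[INET6_ADDRSTRLEN];  /* textual source address */
    char     dst[INET6_ADDRSTRLEN];  /* textual destination address */
    const char *reject;              /* why the frame was rejected, NULL if accepted */
};

/* Big-endian 16-bit read, replacing the report's sprintf("%02x%02x") + hextoint detour. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static int fail(struct decoded *d, const char *why) { d->reject = why; return -1; }

/* TCP and UDP both carry source and destination port in their first four bytes. */
static int read_ports(const uint8_t *p, size_t len, size_t off, struct decoded *d) {
    if (off + 4 > len) return fail(d, "transport header truncated");
    d->src_port = rd16(p + off);
    d->dst_port = rd16(p + off + 2);
    return 0;
}

/* Decode one Ethernet frame of len captured bytes. Returns 0 on success and -1
 * (with d->reject set) when a field would lie beyond the captured data. */
int decode_frame(const uint8_t *p, size_t len, struct decoded *d) {
    memset(d, 0, sizeof *d);
    if (len < 14) return fail(d, "Ethernet header truncated");
    d->ethertype = rd16(p + 12);

    if (d->ethertype == 0x0800) {                        /* IPv4 */
        if (len < 34) return fail(d, "IPv4 header truncated");
        size_t ihl = (size_t)(p[14] & 0x0f) * 4;        /* IHL is in 32-bit words */
        if (ihl < 20 || 14 + ihl > len) return fail(d, "bad IPv4 header length");
        d->ttl = p[22];
        d->l4proto = p[23];
        inet_ntop(AF_INET, p + 26, d->src, sizeof d->src);
        inet_ntop(AF_INET, p + 30, d->dst, sizeof d->dst);
        if (d->l4proto == 6 || d->l4proto == 17)         /* TCP or UDP */
            return read_ports(p, len, 14 + ihl, d);
        return 0;
    }
    if (d->ethertype == 0x86DD) {                        /* IPv6, fixed 40-byte header */
        if (len < 54) return fail(d, "IPv6 header truncated");
        d->l4proto = p[20];
        d->ttl = p[21];
        inet_ntop(AF_INET6, p + 22, d->src, sizeof d->src);
        inet_ntop(AF_INET6, p + 38, d->dst, sizeof d->dst);
        if (d->l4proto == 6 || d->l4proto == 17)         /* extension headers not handled */
            return read_ports(p, len, 54, d);
        return 0;
    }
    if (d->ethertype == 0x0806) {                        /* ARP for IPv4 over Ethernet */
        if (len < 42) return fail(d, "ARP body truncated");
        d->arp_op = rd16(p + 20);
        inet_ntop(AF_INET, p + 28, d->src, sizeof d->src);   /* sender IP */
        inet_ntop(AF_INET, p + 38, d->dst, sizeof d->dst);   /* target IP */
        return 0;
    }
    return fail(d, "unsupported ethertype");
}

/* Constructed sample frames (not captured traffic). */
const uint8_t SAMPLE_SSDP[42] = {   /* IPv4/UDP 192.168.1.10:49152 -> 239.255.255.250:1900, TTL 4 */
    0x01,0x00,0x5e,0x7f,0xff,0xfa, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x00,0x00, 0x04,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xef,0xff,0xff,0xfa,
    0xc0,0x00, 0x07,0x6c, 0x00,0x08, 0x00,0x00
};
const uint8_t SAMPLE_ARP[42] = {    /* ARP request: who has 192.168.1.1, tell 192.168.1.10 */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01,
    0x00,0x11,0x22,0x33,0x44,0x55, 0xc0,0xa8,0x01,0x0a,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x01
};

int main(void) {
    struct decoded d;
    if (decode_frame(SAMPLE_SSDP, sizeof SAMPLE_SSDP, &d) == 0)
        printf("IPv4 proto %u %s -> %s port %u ttl %u\n", d.l4proto, d.src, d.dst, d.dst_port, d.ttl);
    if (decode_frame(SAMPLE_ARP, sizeof SAMPLE_ARP, &d) == 0)
        printf("ARP op %u: who has %s, tell %s\n", d.arp_op, d.dst, d.src);
    /* The same SSDP frame with only 36 bytes captured is rejected, not read past its end. */
    if (decode_frame(SAMPLE_SSDP, 36, &d) != 0)
        printf("rejected: %s\n", d.reject);
    return 0;
}
```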
interfaces.py
Writes the network interfaces the system is connected to into a file named `interfaces.txt', which is later read by the function void Inames() in the file `gui.c'.
Does this for both Linux and Windows.
Linux: just parse the file /proc/net/dev to get the list of interfaces.
Windows: parse the output of the command line utility ipconfig /all.
run.sh
Just compiles the code in sequence: interfaces.py to update the `interfaces.txt' file, then sniffer.h and then gui.c with the appropriate flags, and finally executes the code.
gui.c
The GUI created in GTK is patched with the code of sniffer.c.
Provides a colouring feature depending upon the protocol of the packet.
Basic information is provided in tabular form.
For more information you can click on the row presenting the packet.
Detailed Information: