IMPLEMENTATION OF PACKET SNIFFING IN JAVA USING JPCAP LIBRARY

Project Report Submitted in Partial Fulfillment of the Requirement for the Award of Degree of Bachelor of Engineering in Computer Science Engineering of Rajiv Gandhi Proudyogiki Vishwavidalaya, Bhopal (MP)

By

Siddharth Pateriya (0131CS081077)
Swarna Swaminathan (0131CS081084)

Department of Computer Science Engineering
Jai Narain College of Technology, Bhopal
June – 2012

DECLARATION

We, Siddharth Pateriya and Swarna Swaminathan, the students of Bachelor of Engineering (Computer Science Engineering), Jai Narain College of Technology, Bhopal hereby declare that the work presented in this Major Project is an authentic record of our own and has been carried out taking care of Engineering Ethics under the guidance of Prof. Manish Mishra.

Siddharth Pateriya (0131CS081077)
Swarna Swaminathan (0131CS081084)

CERTIFICATE

This is to certify that the work embodied in this Major Project entitled “Implementation of Packet Sniffing in Java using Jpcap Library” has been satisfactorily completed by the students of final year, Mr. Siddharth Pateriya and Ms. Swarna Swaminathan. The work was carried out satisfactorily under the supervision and guidance of the undersigned in the Department of Computer Science Engineering, Jai Narain College of Technology and Science, Bhopal for the partial fulfillment of the requirement of the degree of Bachelor of Engineering during the Academic year 2011-2012.

Manish Mishra
Professor and Project Guide Computer Science Engineering Department

Approved By

Dr. Bhupesh Gour, Professor and Head, Computer Science Engineering Department, JNCT, Bhopal
Dr. D. A. Hindoliya, Principal/Director, JNCT, Bhopal

ACKNOWLEDGEMENT

It gives us great pleasure to express our deep sense of gratitude to our project supervisor Prof. Vishwa Gupta, Associate Professor of Computer Science Engineering, for guidance, suggestions, support, help and constructive criticism throughout the period of project work. Without his able guidance it would not have been possible to complete the project in time.

We are greatly indebted to Prof. Bhupesh Gaur, Head, Department of Computer Science Engineering, for his keen interest in this work, his guidance and encouragement from time to time, and for providing the facilities required for completing the project work. We are grateful to Dr. D. A. Hindoliya, Principal, Jai Narain College of Technology, for his guidance and critical comments which improved the quality of this report. Thanks are due to Dr. Vijay Kumar, Director, JNCT, for providing necessary help and guidance from time to time in the completion of this task.

We would also like to thank Prof. Manish Mishra, our Project Guide for his valuable help and guidance in the project.

Siddharth Pateriya (0131CS081077)
Swarna Swaminathan (0131CS081084)

CONTENTS

DECLARATION
CERTIFICATE
ACKNOWLEDGEMENT
LIST OF FIGURES
1. INTRODUCTION
2. REVIEW OF LITERATURE
2.1 TCP/IP Protocols
2.2 IP Addressing
2.3 Internet Routing
2.4 IP Routing
2.5 Transmission Control Protocol
2.6 User Datagram Protocol (UDP)
2.7 Address Resolution Protocol (ARP)
2.8 Internet Control Message Protocol (ICMP)
2.9 Importance of Packet Sniffers
2.10 Uses of Sniffers
3. MATERIALS AND METHODS
3.1 Technology Used
3.2 Software Model
3.3 Hardware and Software Requirements
3.4 Control Flow Diagram
3.5 Data Flow Diagram
3.6 Coding
4. RESULTS AND DISCUSSION
5. REFERENCES


LIST OF FIGURES

Figure 2.1 Internet protocols span the complete range of OSI model layers
Figure 2.2 Fourteen fields comprise an IP packet
Figure 2.3 An IP address consists of 32 bits, grouped into four octets
Figure 2.4 IP address formats A, B, and C are available for commercial use
Figure 2.5 A range of possible values exists for the first octet of each address class
Figure 2.6 TCP Packet Format
Figure 2.7 UDP Packet Format
Figure 2.8 ARP Packet Format
Figure 2.9 ICMP Packet Format
Figure 3.1 NetBeans IDE
Figure 3.2 Incremental Model
Figure 3.3 Iterative Development
Figure 3.4 Waterfall Model
Figure 3.5 Control Flow Diagram
Figure 3.6 Data Flow Diagram
Figure 4.1 Window of our project
Figure 4.2 Displaying NIC information
Figure 4.3 Options under the “Options” menu
Figure 4.4 Showing options under the menu item Display Output
Figure 4.5 Showing the information of the captured packets in the table and the data of the selected packet in characters in the text area below it
Figure 4.6 Showing the information of the captured packets in the table and the data of the selected packet in hexadecimals in the text area below it
Figure 4.7 Showing the options under the “Save to File” menu item
Figure 4.8 Showing the saved file containing the selected packet

1. INTRODUCTION

This project is intended to develop a tool called Packet Sniffer. The Packet Sniffer allows the computer to examine and analyze all the traffic passing by its network connection. Packet sniffing is a technique of monitoring every packet that crosses the network. A packet sniffer is a piece of software or hardware that monitors all network traffic. When it is set up on a computer, the network interface of the computer is set to promiscuous mode, listening to all the traffic on the network rather than just those packets destined for it. It is a tool that sniffs without modifying the network’s packets in any way. It merely makes a copy of each packet flowing through the network interface and finds the source and destination. It decodes the protocols given below:

i) IP (Internet Protocol)
ii) TCP (Transmission Control Protocol)
iii) UDP (User Datagram Protocol)
iv) ICMP (Internet Control Message Protocol)
v) ARP (Address Resolution Protocol)

The output is appended to a normal text file, so that the network administrator can understand the network traffic and analyze it later.

Most Ethernet networks used to be of a common bus topology, using either coax cable or twisted pair wire and a hub. All of the nodes (computers and other devices) on the network could communicate over the same wires and take turns sending data using a scheme known as carrier sense multiple access with collision detection (CSMA/CD). All of the nodes on the network have their own unique MAC (media access control) address that they use to send packets of information to each other. Normally a node would only look at the packets that are destined for its MAC address. However, if the network card is put into what is known as “promiscuous mode” it will look at all of the packets on the wires it is hooked to. Packet Sniffers operate differently for a Shared Ethernet and a Switched Ethernet.

i. Shared Ethernet
a) All packets are transmitted to all computers on a network within a shared Ethernet.
b) Computers quietly discard data packets that do not match their MAC and IP address.
c) A machine running a sniffer breaks this rule and accepts all data packets.
d) Sniffing in a shared Ethernet is totally passive and very hard to detect.

ii. Switched Ethernet
a) In a switched Ethernet a switch maintains a table of each computer’s MAC address and the physical port on the switch to which the MAC address is connected, and delivers packets destined for that machine to that port only. This happens because switches have CAM tables. These tables store information like MAC addresses, switch ports, and VLAN information. Before sending traffic from one host to another on the same local area network, the host’s ARP cache is first checked. If the destination host isn’t in the ARP cache, the source host sends a broadcast ARP request looking for the host. When the host replies, the traffic can be sent to it. The traffic goes from the source host to the switch, and then directly to the destination host. This description shows that traffic isn’t broadcast out to every host, but only to the destination host; therefore it’s harder to sniff traffic.
b) This makes the switched network more secure, but there are still two methods for packet sniffing in a switched Ethernet: i.) ARP Spoofing, ii.) MAC Flooding.

ARP Spoofing: Address Resolution Protocol is used on the network layer to map IP addresses to MAC addresses. ARP is stateless; therefore, a computer can at any time respond with its MAC address as belonging to an IP address. In ARP Spoofing, you poison the ARP cache of a transmitting machine, thereby forcing all traffic to route through your machine with the installed packet sniffer.

MAC Flooding: This is when the attacking computer bombards the switch with fake MAC addresses. The switch will become overloaded and fail into “failopen mode”. Once the switch is operating in failopen mode it operates exactly like a hub, transmitting all packets to all addresses in the network.

A packet sniffer has the following components:

i. Hardware: Most sniffing products can work with standard adapters. Some sniffers only support Ethernet or wireless adapters whereas others support multiple adapters and allow users to customize.
ii. Drive program: This is the core of a sniffer. Each sniffing product has its own drive program; only after completing installation can a sniffer start to capture traffic and data from the network.
iii. Capture filter: This is the most important part. It captures the network traffic from the wire, filters it for the particular traffic you want, and then stores the data in the buffer.
iv. Buffer: A buffer is a storage area for captured data from the network. In general, there are two modes of buffers: keep capturing until the storage space is full, or keep capturing and overwriting, with the latest captured data replacing the oldest data. The size of a buffer depends on a computer’s EMS memory, that is, the bigger the EMS memory is, the more data can be stored in the buffer.
v. Packet analysis: Capture and analysis are both the most basic and important features of a sniffer. Most sniffing products can provide real-time analysis of captured packets, which is the main reason why they are good assistants to network administrators: they record errors and abnormalities while they are happening.

There are three types of sniffing methods. Some methods work in non-switched networks while others work in switched networks. The sniffing methods are: IP-based sniffing, MAC-based sniffing, and ARP-based sniffing.

i. IP-based sniffing: This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. Normally, the IP address filter isn’t set, so it can capture all the packets. This method only works in non-switched networks.
ii. MAC-based sniffing: This method works by putting the network card into promiscuous mode and sniffing all packets matching the MAC address filter.
iii. ARP-based sniffing: This method works a little differently. It doesn’t put the network card into promiscuous mode. This isn’t necessary because ARP packets will be sent to us. This happens because the ARP protocol is stateless. Because of this, sniffing can be done on a switched network. To perform this kind of sniffing, you first have to poison the ARP cache of the two hosts that you want to sniff, identifying yourself as the other host in the connection. Once the ARP caches are poisoned, the two hosts start their connection, but instead of sending the traffic directly to the other host it gets sent to us. We then log the traffic and forward it to the real intended host on the other side of the connection. This is called a man-in-the-middle attack.

Sniffing programs are found in two forms:
i) Commercial packet sniffers are used to help maintain networks.
ii) Underground packet sniffers are used by attackers to gain unauthorized access to remote hosts.

Listed below are some common uses of sniffing programs:
• Searching for clear-text usernames and passwords from the network.
• Conversion of network traffic into human readable form.
• Network analysis to find bottlenecks.
• Network intrusion detection to monitor for attackers.

Using a sniffer in an illegitimate way is considered a passive attack. It does not directly interface or connect to any other systems on the network. However, the computer that the sniffer is installed on could have been compromised using an active attack. The passive nature of sniffers is what makes detecting them so difficult. The security threat presented by sniffers is their ability to capture all incoming and outgoing traffic, including clear-text passwords and user names or other sensitive material. In theory, it’s impossible to detect these sniffing tools because they are passive in nature, meaning that they only collect data. While they can be fully passive, some aren’t, and therefore they can be detected. The following list describes a few reasons why intruders use sniffers on the network:
1. Capturing clear-text usernames and passwords
2. Compromising proprietary information
3. Capturing and replaying Voice over IP telephone conversations
4. Mapping a network
5. Passive OS fingerprinting
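The decoding step described above (pulling the IP, TCP, UDP, ICMP and ARP fields out of each captured frame and writing them as one text line) is illustrated by the following Python. It is an added example, not the project’s Jpcap code: it parses a raw Ethernet II frame with the standard library only, refuses truncated headers instead of reading past them, and the two sample frames are constructed with struct.pack rather than captured. All function and constant names are the example’s own.

```python
import struct
import ipaddress

# Header constants for the protocols the report's sniffer decodes (Ethernet II framing assumed).
ETH_HDR_LEN = 14
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def _need(buf: bytes, n: int, what: str) -> None:
    # A capture can end mid-header (snaplen, damaged frame); refuse rather than read garbage.
    if len(buf) < n:
        raise ValueError(f"truncated {what}: {len(buf)} bytes, need {n}")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def decode_arp(p: bytes) -> dict:
    _need(p, 28, "ARP packet")                   # Ethernet/IPv4 ARP body is a fixed 28 bytes
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", p[:8])
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", p[8:28])
    return {"proto": "ARP", "arp_op": {1: "request", 2: "reply"}.get(op, str(op)),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def decode_ipv4(p: bytes) -> dict:
    _need(p, 20, "IPv4 header")
    ver_ihl, _tos, _total, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", p[:20])
    ihl = (ver_ihl & 0x0F) * 4                   # header length in bytes; options make it > 20
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    _need(p, ihl, "IPv4 options")
    out = {"src_ip": ip_str(src), "dst_ip": ip_str(dst), "ttl": ttl}
    l4 = p[ihl:]                                 # transport header starts after the options
    if proto == PROTO_TCP:
        _need(l4, 20, "TCP header")
        sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", l4[:20])
        out.update(proto="TCP", src_port=sport, dst_port=dport, seq=seq, ack=ack,
                   flags=[name for name, bit in TCP_FLAGS if flags & bit])
    elif proto == PROTO_UDP:
        _need(l4, 8, "UDP header")
        sport, dport, length, _csum = struct.unpack("!HHHH", l4[:8])
        out.update(proto="UDP", src_port=sport, dst_port=dport, udp_len=length)
    elif proto == PROTO_ICMP:
        _need(l4, 4, "ICMP header")
        icmp_type, code, _csum = struct.unpack("!BBH", l4[:4])
        out.update(proto="ICMP", icmp_type=icmp_type, icmp_code=code)
    else:
        out["proto"] = f"IP protocol {proto}"
    return out


def decode_frame(frame: bytes) -> dict:
    """Decode one Ethernet II frame into the fields a text-logging sniffer would record."""
    _need(frame, ETH_HDR_LEN, "Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src)}
    payload = frame[ETH_HDR_LEN:]
    if ethertype == ETHERTYPE_ARP:
        out.update(decode_arp(payload))
    elif ethertype == ETHERTYPE_IPV4:
        out.update(decode_ipv4(payload))
    else:
        out["proto"] = f"ethertype 0x{ethertype:04x}"  # e.g. IPv6 or a VLAN tag: left undecoded
    return out


def log_line(frame: bytes) -> str:
    """One text line per packet, the kind of record a sniffer appends to its log file."""
    d = decode_frame(frame)
    if d["proto"] == "TCP":
        return f"TCP {d['src_ip']}:{d['src_port']} -> {d['dst_ip']}:{d['dst_port']} [{','.join(d['flags'])}]"
    if d["proto"] == "UDP":
        return f"UDP {d['src_ip']}:{d['src_port']} -> {d['dst_ip']}:{d['dst_port']} len={d['udp_len']}"
    if d["proto"] == "ICMP":
        return f"ICMP {d['src_ip']} -> {d['dst_ip']} type={d['icmp_type']} code={d['icmp_code']}"
    if d["proto"] == "ARP":
        return f"ARP {d['arp_op']} {d['sender_ip']} is-at {d['sender_mac']} -> {d['target_ip']}"
    return f"{d['proto']} {d['src_mac']} -> {d['dst_mac']}"


# Constructed sample frames (not captured traffic); checksums are left at zero and not verified.
MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
IP_A, IP_B = ipaddress.IPv4Address("192.0.2.10").packed, ipaddress.IPv4Address("192.0.2.80").packed
SAMPLE_TCP_SYN = (
    struct.pack("!6s6sH", MAC_B, MAC_A, ETHERTYPE_IPV4)
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, PROTO_TCP, 0, IP_A, IP_B)
    + struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
)
SAMPLE_ARP_REPLY = (
    struct.pack("!6s6sH", MAC_A, MAC_B, ETHERTYPE_ARP)
    + struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 2)
    + struct.pack("!6s4s6s4s", MAC_B, IP_B, MAC_A, IP_A)
)

if __name__ == "__main__":
    for f in (SAMPLE_TCP_SYN, SAMPLE_ARP_REPLY):
        print(log_line(f))
```

Each header is read with a fixed-width struct format after a length check, so a frame cut short by the capture snaplen raises a ValueError instead of producing a half-decoded record; the IPv4 header length field is honoured so options do not shift the transport header.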

2. REVIEW OF LITERATURE

Packet Sniffing In Various Networks

Introduction

For most organizations, packet sniffing is largely an internal threat. A third party on the Internet, for instance, could not easily use packet sniffing software to eavesdrop on traffic on a corporate LAN. But since the greatest threat to corporate systems frequently is internal [1], we should not take comfort from this. There are many reasons that businesses are updating their network infrastructure, replacing aging hubs with new switches. A frequently stated driver for moving to a switched environment is that “it increases security”. However, the thinking behind this is somewhat flawed. Packet sniffing in a switched environment is possible -- anyone equipped with a laptop (and armed with a selection of freely available software) may be able to monitor communication between machines on a switched network. Packet sniffing tools have been available from the early days of networked computing environments. The tools are powerful software, which facilitate troubleshooting for network administrators. However, in the hands of a malicious third party, they are a devastating hacking tool, which can be used to glean passwords and other sensitive information from a LAN.

Traditionally, packet sniffers have been regarded as fairly obscure tools that require a certain technical competence to operate -- dangerous utilities, perhaps, but not easy to guide or operate. All this has changed in the last few years, with specialized, easy to use password-detecting sniffers becoming widely obtainable. Many of these “new generation”, specially tailored tools are freely available on the Internet. With built-in logic allowing many network protocols to be decoded, they have the capability to filter the sniffed traffic on the fly, and highlight sensitive information such as usernames and passwords. Packet sniffing in a non-switched environment is a well understood technology. A large number of commercial and non-commercial tools enable eavesdropping of network traffic. The idea is that to eavesdrop on network traffic, a computer’s network card is put into a special “promiscuous” mode. Once in this mode, all network traffic (irrespective of its destination) that reaches the network card can be accessed by an application (such as a packet sniffing program). A detailed explanation of how packet sniffing works may be found in Robert Graham’s excellent FAQ on sniffing [2].
In a switched environment, it is more of a challenge to eavesdrop on network traffic. This is because usually switches will only send network traffic to the machine that it is destined for [3]. However, there are a number of techniques that enable this functionality to be usurped. Tools exist that combine the ability of sniffing on a switched network with the capability of filtering the traffic to highlight sensitive information.

Packet Sniffing in a non-switched environment

In a non-switched environment, the latest generation of packet sniffing tools is highly effective at reaping passwords and other sensitive information from the network. A large number of commonly used protocols either transmit data in plaintext (which can easily be sniffed), or they do not use strong enough encryption to prevent a sniffing and cracking attack. Examples of plaintext protocols include smtp, pop3, snmp, ftp, telnet and http. Perhaps the best known encrypted protocol that is vulnerable to sniffing and cracking attacks is Microsoft’s LM (LAN Manager) protocol, used for authenticating Windows clients. Microsoft has tried to address the glaring weaknesses in LM, with the introduction of NTLM (V1 and V2). NTLM is an improvement, but is still susceptible to a sniffing and cracking attack. Hidenobu Seki, the author of ScoopLM and BeatLM tools (qv) gave a fascinating presentation [4] covering the detail of LM, NTLM v1 and v2 and how it can be cracked at BlackHat’s “Windows Security 2002 Briefings and Training”. Since the first draft of this paper, Kerberos has become widely used as the authentication protocol of choice in modern Windows environments (Windows XP clients, Windows 2003 servers). The move from LANMAN/ NTLM to Kerberos was widely thought to cure the problem of sniffing (then cracking) Microsoft passwords [5]. This is not the case, however. Tools such as KerbCrack [6] enable cracking of Kerberos logins.

Tools to sniff in a non-switched environment

A quick search on the Internet will reveal a large number of freely available sniffing tools. In this section, I focus on two tools, dsniff and ScoopLM, which excel at sniffing sensitive information.

Dsniff

For plaintext protocols, to eavesdrop on username, password and other sensitive information, a very useful tool is dsniff from Dug Song [7]. The dsniff tool is available for various flavours of Unix, and there is a port (of an older version of the software) for Windows [8]. In addition to sniffing the plaintext protocols mentioned above (and others), dsniff is exceptionally good at filtering the sniffed traffic to display only “interesting” information such as usernames and passwords. In their esteemed Hacking Exposed book [9], McClure, Scambray and Kurtz describe dsniff as offering “passwords on a silver platter”. It makes eavesdropping on sensitive information a trivial exercise. A sample run of dsniff is depicted in Figure 1, showing the Windows port of dsniff harvesting passwords on a small network.

Figure 1 - dsniff sniffing plaintext protocols in a non-switched environment

ScoopLM

L0phtcrack is a well-known password sniffing and cracking tool, which is capable of eavesdropping Windows NT/ 2000 usernames and encrypted passwords from a network. It is a commercial tool, available from @Stake [10]. However, there are other freely available tools that can perform a similar job, and are very simple to use. A great example is the ScoopLM tool [11], which is freeware and downloadable from the Internet. ScoopLM will sniff NT/ 2000 usernames and LM/ NTLM encrypted passwords. Its brother, BeatLM [12], enables cracking of encrypted passwords that ScoopLM has harvested by brute-force or dictionary attacks. Together, they are a significant threat to the security of Microsoft networking in a non-switched environment.

Figure 2 shows a sample run of ScoopLM, sniffing NT usernames and encrypted passwords. The sniffed usernames and passwords can then be saved to a temporary file, and loaded into BeatLM to be cracked.

Figure 2 - ScoopLM in action, sniffing NT usernames and encrypted passwords

The above examples demonstrate how simple it is to discover sensitive information by eavesdropping on a non-switched network. This fact has helped drive businesses to replace hubs in their network by switches. There are many other good reasons for doing this -- increasing network performance, for example. Replacing hubs by switches in the belief that it will cure the problem of sniffing is misguided. The following section will demonstrate why.

Packet Sniffing in a switched environment

Switches

On the surface, it would seem that replacing hubs by switches will mitigate the packet sniffing threat to a large extent. The fact that switches will only send network traffic to the machine that it is destined for implies that if machine A is communicating with machine B, machine C will not be able to eavesdrop on their conversation.

In the situation depicted above, Machine C cannot easily see the network traffic for the telnet session passing between machines A and B. The switch ensures that this traffic does not travel over any unnecessary ports – it only flows over the ports that machines A and B are connected to. However, a number of techniques exist that will subvert the above, enabling C to snoop on the network traffic between A and B.

Ettercap

First, we cover ettercap, a tool that describes itself as “a powerful and flexible tool for man-in-the-middle attacks”. It runs on many of the leading platforms including Windows, Linux, xBSD and Mac OS X. ettercap was downloaded from http://ettercap.sourceforge.net/download.php and then installed on machine C. Before running ettercap, the ARP caches on machines A and B were checked via the arp /a command. As expected, the ARP cache on A was storing the true IP and MAC addresses of B and C:

Figure 5 - the ARP cache on machine A prior to running ettercap

Similarly, the ARP cache on B was storing the true IP and MAC addresses of A and C.

Figure 6 - the ARP cache on machine B prior to running ettercap
Next, ettercap was run on machine C, and set to sniff traffic between A and B. At this stage, ettercap performs ARP spoofing to set up the man-in-the-middle attack. Re-examining the ARP caches on A and B is illuminating: note how machine C’s MAC address replaces the true MAC addresses for machines A and B:

Figure 7 - the ARP cache on machine A now ettercap is running

Now traffic between A and B was being intercepted by C. Similar to dsniff, ettercap has in-built knowledge of a large number of network protocols. It can highlight interesting areas of sniffed traffic, such as usernames and passwords. The following diagram depicts ettercap eavesdropping the start of a telnet session between A and B:

Figure 8 - ettercap sniffing a telnet session between A and B

During a sniffing session, ettercap may detect a large number of usernames and passwords. The data may be saved to a simple ASCII file for examination at a later date.

Cain

Another tool that is capable of sniffing in a switched environment is Cain. Available for Windows only, this tool can do far more than just sniff traffic on a switched network.
In a similar vein to dsniff and ettercap, Cain has built-in knowledge of various network protocols, and can highlight interesting areas of sniffed traffic. Cain also has built in cracking technology to enable brute-force and dictionary attacks against encrypted passwords that it sniffs from the network. In a similar manner to BeatLM, Cain can attempt attacks against Microsoft’s authentication protocols (including LM, NTLMv1, NTLMv2). However, it goes further than BeatLM by offering the facility of cracking Cisco MD5 hashes, encrypted APOP passwords and others.

Highlights of other facilities built in to Cain include various networking utilities (including traceroute and tools to analyze routing protocols), and the capability of enumerating NT users and shares from remote machines. The breadth of functionality covered by Cain is impressive. It is amazing that a single tool can cover most of the key roles offered by better known sniffing/ enumeration/ password cracking tools such as L0phtcrack, Revelation, userdump, pwltool, john the ripper and ettercap. Cain was downloaded from http://www.oxid.it, and installed onto machine C. The ARP caches on machines A and B were checked, and found to contain the expected data (as in Figures 5 and 6). Next, Cain was configured to use ARP spoofing - referred to as APR (ARP poisoned routing) within the application - to intercept network traffic between machines A and B. This is depicted in Figure 9:

Figure 9 - Cain uses ARP spoofing to intercept data between machines A and B

Once this had been done, Cain used its built-in knowledge of network protocols to enable key data to be displayed. As with the test with ettercap, a telnet session between machines A and B was initiated. For many protocols, Cain simply captures the username and password. For telnet sessions, the entire session (including the username and password) is captured and logged to a text file.

Figure 10 - Cain recording a telnet session between two machines

The above tests demonstrate that tools such as ettercap and Cain present a very real threat to many network environments.
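The change that Figures 5 to 7 show, one MAC address replacing the true entries for A and B in the ARP caches, is also the signal a defender can watch for. The following Python is an added example (not from the report or from any of the tools it describes) of an arpwatch-style check: it replays decoded ARP replies against a learned IP-to-MAC table and raises an alert when an IP’s MAC changes or when one MAC ends up answering for several IPs. The addresses, the A/B/C scenario and the function names are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# A decoded ARP reply as a sniffer would hand it on: (sequence number, sender IP, sender MAC).
ArpReply = Tuple[int, str, str]


def detect_arp_poisoning(replies: Iterable[ArpReply],
                         known: Dict[str, str] = None) -> Tuple[List[str], Dict[str, str]]:
    """Replay ARP replies against a learned IP->MAC table and report the two symptoms of
    ARP spoofing: an IP whose MAC suddenly changes, and one MAC that ends up answering for
    several IPs. Returns (alerts, final table)."""
    table: Dict[str, str] = dict(known or {})
    ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)
    alerts: List[str] = []
    for seq, ip, mac in replies:
        prev = table.get(ip)
        if prev == mac:
            continue                      # nothing new learned, nothing to report
        if prev is not None:
            alerts.append(f"#{seq}: {ip} moved from {prev} to {mac}")
            ips_by_mac[prev].discard(ip)
        table[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(f"#{seq}: {mac} now answers for {sorted(ips_by_mac[mac])}")
    return alerts, table


# Constructed scenario mirroring the report's A/B/C set-up (addresses are illustrative).
IP_A, IP_B, IP_C = "192.0.2.1", "192.0.2.2", "192.0.2.3"
MAC_A, MAC_B, MAC_C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
BASELINE = {IP_A: MAC_A, IP_B: MAC_B, IP_C: MAC_C}   # the caches as they were in Figures 5 and 6

# What a monitor on the segment sees once C is spoofing: C's MAC claims A's and B's IPs.
SPOOFED_REPLIES: List[ArpReply] = [
    (1, IP_A, MAC_C),
    (2, IP_B, MAC_C),
    (3, IP_A, MAC_C),   # repeated poison, already learned: no further alert
]
# Normal traffic: hosts re-announce their own, unchanged, addresses.
BENIGN_REPLIES: List[ArpReply] = [(1, IP_A, MAC_A), (2, IP_B, MAC_B)]

if __name__ == "__main__":
    alerts, _ = detect_arp_poisoning(SPOOFED_REPLIES, BASELINE)
    print("\n".join(alerts) or "no anomalies")
```

An alert is a starting point rather than a verdict: a replaced network card or a DHCP reassignment also makes an IP’s MAC change, so the check is best seeded with a baseline taken when the segment is known to be clean. The monitor only reports; removing the exposure means static ARP entries on the hosts that matter or switch features that validate ARP replies against the DHCP binding table.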

Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.

Functionality

Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options. Wireshark allows the user to put the network interfaces that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all of the traffic traveling through the switch will necessarily be sent to the port on which the capture is being done, so capturing in promiscuous mode will not necessarily be sufficient to see all traffic on the network. Port mirroring or various network taps extend capture to any point on the network; simple passive taps are extremely resistant to malware tampering.
On Linux, BSD, and Mac OS X, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also put Wi-Fi adapters into monitor mode.

History

In the late 1990s, Gerald Combs, a computer science graduate of the University of Missouri-Kansas City, was working for a small Internet service provider. The commercial protocol analysis products at the time were priced around $1500 and did not run on the company's primary platforms (Solaris and Linux), so Gerald began writing Ethereal and released the first version around 1998. The Ethereal trademark is owned by Network Integration Services.
In May 2006, Combs accepted a job with CACE Technologies. Combs still held copyright on most of Ethereal's source code (and the rest was re-distributable under the GNU GPL), so he used the contents of the Ethereal Subversion repository as the basis for the Wireshark repository. However, he did not own the Ethereal trademark, so he changed the name to Wireshark. In 2010 Riverbed Technology purchased CACE and took over as the primary sponsor of Wireshark. Ethereal development has ceased, and an Ethereal security advisory recommended switching to Wireshark.

Wireshark has won several industry awards over the years, including eWeek, InfoWorld, and PC Magazine. It is also the top-rated packet sniffer in the Insecure.Org network security tools survey and was the SourceForge Project of the Month in August 2010.
Combs continues to maintain the overall code of Wireshark and issue releases of new versions of the software. The product website lists over 600 additional contributing authors.

Features

Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields along with their meanings of different packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture the packets on the types of networks that pcap supports.
1. Data can be captured "from the wire" from a live network connection or read from a file that recorded already-captured packets.
2. Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.
3. Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.
4. Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.
5. Data display can be refined using a display filter.
6. Plug-ins can be created for dissecting new protocols.
7. VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.
8. Raw USB traffic can be captured.

Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can exchange files of captured network traces with other applications using the same format, including tcpdump and CA NetMaster. It can also read captures from other network analyzers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.
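Because the report’s sniffer writes its results to a plain text file, a capture it saves cannot be opened again in Wireshark or tcpdump. The following Python, an added example rather than the project’s Jpcap code, shows the libpcap file layout the paragraph above refers to: a 24-byte global header followed by a 16-byte record header per packet, serialised and parsed with the standard library, including the snaplen truncation and byte-order handling a reader has to get right. The sample frames and timestamps are constructed, and the function names are the example’s own.

```python
import struct
import tempfile
from typing import List, Tuple

# libpcap file layout: a 24-byte global header, then one 16-byte record header per packet.
PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "IHHiIII"           # magic, major, minor, tz offset, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"              # ts_sec, ts_usec, incl_len (saved), orig_len (on the wire)

Record = Tuple[int, int, bytes, int]   # (ts_sec, ts_usec, saved bytes, original length)


def build_pcap(frames: List[Tuple[int, int, bytes]], snaplen: int = 65535, endian: str = "<") -> bytes:
    """Serialise (ts_sec, ts_usec, frame) triples into a pcap file image ("<" little-endian,
    ">" big-endian). Frames longer than snaplen are cut; orig_len keeps the true size."""
    out = [struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in frames:
        saved = frame[:snaplen]
        out.append(struct.pack(endian + RECORD_HDR, ts_sec, ts_usec, len(saved), len(frame)) + saved)
    return b"".join(out)


def parse_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Parse a pcap image of either byte order; returns (linktype, records).
    Raises ValueError on a bad magic or a record that runs past the end of the file."""
    if len(data) < 24:
        raise ValueError("file shorter than the pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:       # the magic read with the wrong byte order: file is big-endian
        endian = ">"
    else:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    _magic, major, minor, _tz, _sig, _snap, linktype = struct.unpack(endian + GLOBAL_HDR, data[:24])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    records: List[Record] = []
    pos = 24
    while pos < len(data):
        if len(data) - pos < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + RECORD_HDR, data[pos:pos + 16])
        pos += 16
        if incl_len > orig_len or len(data) - pos < incl_len:
            raise ValueError("truncated or inconsistent packet record")
        records.append((ts_sec, ts_usec, data[pos:pos + incl_len], orig_len))
        pos += incl_len
    return linktype, records


# Constructed sample frames (not captured traffic): an Ethernet header with a filler payload.
ETH_HDR = bytes.fromhex("66778899aabb" "001122334455" "0800")
SAMPLE_FRAMES = [
    (1_339_200_000, 0, ETH_HDR + bytes(46)),         # minimum-size Ethernet frame, 60 bytes
    (1_339_200_000, 250_000, ETH_HDR + bytes(1486)), # full-size frame, 1500 bytes
]


def roundtrip(frames, snaplen: int = 65535):
    """Write frames to a .pcap file on disk (what Wireshark would open) and read it back."""
    with tempfile.NamedTemporaryFile(suffix=".pcap") as fh:
        fh.write(build_pcap(frames, snaplen))
        fh.flush()
        fh.seek(0)
        return parse_pcap(fh.read())


if __name__ == "__main__":
    linktype, recs = roundtrip(SAMPLE_FRAMES, snaplen=96)
    for ts_sec, ts_usec, saved, orig in recs:
        print(f"{ts_sec}.{ts_usec:06d} saved {len(saved)} of {orig} bytes")
```

The reader checks every record against the remaining file length before slicing, so a capture that was cut off mid-packet (a sniffer killed while writing) is reported rather than silently yielding a short last frame; the distinction between incl_len and orig_len is what lets a tool know that a 96-byte record was once a 1500-byte frame.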

3. MATERIALS AND METHODS
3.1 Technology Used
3.1.1 Java:
A high-level programming language developed by Sun Microsystems. Java was originally called OAK, and was designed for handheld devices and set-top boxes. Oak was unsuccessful so in 1995 Sun changed the name to Java and modified the language to take advantage of the burgeoning World Wide Web. It implements a strong security model, which prevents compiled Java programs from illicitly accessing resources on the system where they execute or on the network. Almost all major operating system developers (IBM, Microsoft, and others) have added Java compilers as part of their product offerings.

Java is an object-oriented language similar to C++, but simplified to eliminate language features that cause common programming errors. Java source code files (files with a .java extension) are compiled into a format called bytecode (files with a .class extension), which can then be executed by a Java interpreter. Compiled Java code can run on most computers because Java interpreters and runtime environments, known as Java Virtual Machines (JVMs), exist for most operating systems, including UNIX, the Macintosh OS, and Windows. Bytecode can also be converted directly into machine language instructions by a just-in-time compiler (JIT).

Following are some of the features of Java:

i) PORTABILITY: The programs you create are portable in a network. Your source program is compiled into what Java calls bytecode, which can be run anywhere in a network on a server or client that has a Java virtual machine. The Java virtual machine interprets the bytecode into code that will run on the real computer hardware. This means that individual computer platform differences such as instruction lengths can be recognized and accommodated locally just as the program is being executed. Platform-specific versions of your program are no longer needed.

ii) DISTRIBUTED: Java is a programming language expressly designed for use in the distributed environment of the Internet. It was designed to have the "look and feel" of the C++ language, but it is simpler to use than C++ and enforces an object-oriented programming model. Java can be used to create complete applications that may run on a single computer or be distributed among servers and clients in a network.

iii) ROBUST: The code is robust, here meaning that, unlike programs written in C++ and perhaps some other languages, the Java objects can contain no references to data external to themselves or other known objects. This ensures that an instruction cannot contain the address of data storage in another application or in the operating system itself, either of which would cause the program and perhaps the operating system itself to terminate or "crash." The Java virtual machine makes a number of checks on each object to ensure integrity.

iv) SIMPLE: Relative to C++, Java is easier to learn.

v) TRUE OOPS: Java is object-oriented, which means that, among other characteristics, an object can take advantage of being part of a class of objects and inherit code that is common to the class. Objects are thought of as "nouns" that a user might relate to rather than the traditional procedural "verbs." A method can be thought of as one of the object's capabilities or behaviors.

vi) APPLET: Applets are small programs written in Java that are executed in a browser. The most common example is the Yahoo chat box. In addition to being executed at the client rather than the server, a Java applet has other characteristics designed to make it run fast. It makes it possible for a Web page user to interact with the page.

3.1.2 Netbeans
NetBeans refers to both a platform framework for Java desktop applications, and an integrated development environment (IDE) for developing with Java, JavaScript, PHP, Python (no longer supported after NetBeans 7), Groovy, C, C++, Scala, Clojure, and others.
NetBeans began in 1996 as Xelfi, a Java IDE student project under the guidance of the Faculty of Mathematics and Physics at Charles University in Prague. In 1997 Roman Staněk formed a company around the project and produced commercial versions of the NetBeans IDE until it was bought by Sun Microsystems in 1999. Sun open-sourced the NetBeans IDE in June of the following year. Since then, the NetBeans community has continued to grow.[9] In 2010, Sun (and thus NetBeans) was acquired by Oracle.
The NetBeans IDE is written in Java and can run on Windows, Mac OS, Linux, Solaris and other platforms supporting a compatible JVM. A pre-existing JVM or a JDK is not required. The NetBeans platform allows applications to be developed from a set of modular software components called modules. Applications based on the NetBeans platform (including the NetBeans IDE) can be extended by third party developers.[5]
i) NetBeans Platform
The NetBeans Platform is a reusable framework for simplifying the development of Java Swing desktop applications. The NetBeans IDE bundle for Java SE contains what is needed to start developing NetBeans plugins and NetBeans Platform based applications; no additional SDK is required.
Applications can install modules dynamically. Any application can include the Update Center module to allow users of the application to download digitally-signed upgrades and new features directly into the running application. Reinstalling an upgrade or a new release does not force users to download the entire application again.
The platform offers reusable services common to desktop applications, allowing developers to focus on the logic specific to their application. Among the features of the platform are:
i. User interface management (e.g. menus and toolbars)
ii. User settings management
iii. Storage management (saving and loading any kind of data)
iv. Window management
v. Wizard framework (supports step-by-step dialogs)
vi. NetBeans Visual Library
vii. Integrated Development Tools

ii) NetBeans IDE
NetBeans IDE is a free, open-source, cross-platform IDE with built-in support for the Java programming language.
NetBeans IDE is an open-source integrated development environment. NetBeans IDE supports development of all Java application types (Java SE including JavaFX, Java ME, web, EJB and mobile applications) out of the box.
Modularity: All the functions of the IDE are provided by modules. Each module provides a well defined function, such as support for the Java language, editing, or support for the CVS versioning system, and SVN. NetBeans contains all the modules needed for Java development in a single download, allowing the user to start working immediately. Modules also allow NetBeans to be extended. New features, such as support for other programming languages, can be added by installing additional modules. For instance, Sun Studio, Sun Java Studio Enterprise, and Sun Java Studio Creator from Sun Microsystems are all based on the NetBeans IDE.
License: From July 2006 through 2007, NetBeans IDE was licensed under Sun's Common Development and Distribution License (CDDL), a license based on the Mozilla Public License (MPL). In October 2007, Sun announced that NetBeans would henceforth be offered under a dual license of the CDDL and the GPL version 2 licenses, with the GPL linking exception for GNU Classpath.

Fig. 3.1 NetBeans IDE

3.2 ALGORITHM

Step no. 1 Get the list of available Network Interface Devices on the system.
When you want to capture packets from a network, the first thing you have to do is to obtain the list of network interfaces on your machine. To do so, Jpcap provides JpcapCaptor.getDeviceList() method. It returns an array of NetworkInterface objects.

NetworkInterface[] devices = JpcapCaptor.getDeviceList();

Step no. 2 Open the selected device for capturing of packets.
Once you obtain the list of network interfaces and choose which network interface to capture packets from, you can open the interface by using JpcapCaptor.openDevice() method.

captor = JpcapCaptor.openDevice(devices[index], 65535, promisc, -1);

Step no. 3 (optional) Turn on the promiscuous mode.
Set the parameter ‘promisc’ to true if you want to open the interface in promiscuous mode, and otherwise false. In promiscuous mode, you can capture every packet from the wire, i.e., even if its source or destination MAC address is not the same as the MAC address of the interface you are opening.

Step no.4 (optional) Set capture filter.
Set the filter so that Jpcap doesn't capture unwanted packets. By properly setting a filter, you can reduce the number of packets to examine, and thus can improve the performance of your application.

captor.setFilter(filter, true);

Step no. 5 Capture the packets.
Once an instance of JpcapCaptor is obtained, you can capture packets from the interface. There are two major approaches to capture packets using a JpcapCaptor instance: using a callback method, and capturing packets one-by-one.
You implement a callback method to process captured packets, and then pass the callback method to Jpcap so that Jpcap calls it back every time it captures a packet. A callback method can be implemented by defining a new class which implements the PacketReceiver interface.

public class PacketPrinter implements PacketReceiver {}

The PacketReceiver interface defines a receivePacket() method, so you need to implement a receivePacket() method in your class.

public void receivePacket(Packet packet) {}

Then, either the processPacket() or the loopPacket() method can be called to start capturing using the callback method. When calling processPacket() or loopPacket(), you can also specify the number of packets to capture before the method returns. You can specify -1 to continue capturing packets indefinitely.

captor.loopPacket(-1, new PacketPrinter());

Step no. 6 Stop capturing packets
Capturing of packets can be stopped by breaking the loop by calling the breakLoop() method.

captor.breakLoop();

Step no. 7 Convert binary data to character or hexadecimal form.
Since the data in the packets are in binary form which is not understandable, convert the data of the packets into characters or hexadecimals so that it becomes human readable.
Step no. 8 Save the packets into a file.
Captured packets can be saved into a file containing both characters and hexadecimals, so that they can be used for later analysis.
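The eight steps above assembled into one runnable class. This is an added example, not code from the report: the class name CaptureDemo, the output file capture.txt, the 20-packet limit and the default filter expression "tcp or udp" are my choices, while the Jpcap calls (getDeviceList, openDevice, setFilter, loopPacket, breakLoop) are the ones the steps name. It assumes the Jpcap library and its native capture driver are installed and that the program runs with the privileges packet capture requires.

```java
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.text.SimpleDateFormat;
import java.util.Date;

import jpcap.JpcapCaptor;
import jpcap.NetworkInterface;
import jpcap.PacketReceiver;
import jpcap.packet.EthernetPacket;
import jpcap.packet.IPPacket;
import jpcap.packet.Packet;

/** Added example: steps 1-8 of the capture procedure in one class (not the report's code). */
public class CaptureDemo implements PacketReceiver {

    private final PrintWriter out;   // step 8: the dump file (capture.txt is an assumed name)
    private final int limit;         // step 6: stop after this many packets (20 is an assumed value)
    private int count = 0;
    private JpcapCaptor captor;

    CaptureDemo(PrintWriter out, int limit) {
        this.out = out;
        this.limit = limit;
    }

    /** Step 7: render payload bytes as hexadecimal, 16 bytes per line. */
    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < data.length; i++) {
            sb.append(String.format("%02x", data[i] & 0xff));
            sb.append((i % 16 == 15) ? '\n' : ' ');
        }
        return sb.toString();
    }

    /** Step 7: render payload bytes as characters; bytes outside printable ASCII become '.'. */
    static String toChars(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (byte b : data) {
            int c = b & 0xff;
            sb.append(c >= 0x20 && c < 0x7f ? (char) c : '.');
        }
        return sb.toString();
    }

    /** Step 5: the callback Jpcap invokes once per captured packet. */
    public void receivePacket(Packet packet) {
        count++;
        // Packet.sec is the capture time in seconds since the epoch.
        String when = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date(packet.sec * 1000L));
        out.printf("No. %d  Captured %s  Length %d%n", count, when, packet.len);
        if (packet.datalink instanceof EthernetPacket) {
            EthernetPacket eth = (EthernetPacket) packet.datalink;
            out.printf("Source MAC %s  Destination MAC %s%n",
                       eth.getSourceAddress(), eth.getDestinationAddress());
        }
        if (packet instanceof IPPacket) {
            IPPacket ip = (IPPacket) packet;
            out.printf("Source IP %s  Destination IP %s%n",
                       ip.src_ip.getHostAddress(), ip.dst_ip.getHostAddress());
        }
        out.println(toHex(packet.data));    // payload in hexadecimals
        out.println(toChars(packet.data));  // payload in characters
        out.println();
        out.flush();
        if (count >= limit) {
            captor.breakLoop();             // step 6: end the loopPacket() loop
        }
    }

    public static void main(String[] args) throws IOException {
        // Step 1: list the network interfaces on this machine.
        NetworkInterface[] devices = JpcapCaptor.getDeviceList();
        for (int i = 0; i < devices.length; i++) {
            System.out.println(i + ": " + devices[i].name + " (" + devices[i].description + ")");
        }
        int index = args.length > 0 ? Integer.parseInt(args[0]) : 0;
        String filter = args.length > 1 ? args[1] : "tcp or udp";  // step 4: BPF filter text (assumed default)
        boolean promisc = false;                                   // step 3: promiscuous mode off unless wanted

        try (PrintWriter out = new PrintWriter(new FileWriter("capture.txt"))) {
            CaptureDemo demo = new CaptureDemo(out, 20);
            // Step 2: open the chosen interface with a 65535-byte snaplen and no read timeout.
            demo.captor = JpcapCaptor.openDevice(devices[index], 65535, promisc, -1);
            demo.captor.setFilter(filter, true);
            demo.captor.loopPacket(-1, demo);   // step 5: -1 runs until breakLoop() is called
            demo.captor.close();
        }
    }
}
```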

3.3 Control Flow Diagram

[Flowchart boxes, in order: START, Get Device List, Select NIC, Select Filter, Promiscuous Mode ON/OFF, Start Capture, Save Packet(s), Stop Capture, RESET]

Fig 3.2 Control Flow Diagram

3.4 Data Flow Diagram

[Diagram labels: Get packets, Packets, Buffer with packets, Separate headers, Analyze headers, Info in headers, Update output file]

Fig 3.3 Data Flow Diagram

3.5 SOFTWARE MODEL

Iterative and Incremental development is at the heart of a cyclic software development process developed in response to the weaknesses of the waterfall model. It starts with an initial planning and ends with deployment with the cyclic interactions in between.

Fig. 3.4 Incremental Model

Iterative and incremental development are essential parts of the Rational Unified Process, Extreme Programming and generally the various agile software development frameworks. It follows a similar process to the plan-do-check-act cycle of business process improvement. A common mistake is to consider "iterative" and "incremental" as synonyms, which they are not. In software/systems development, however, they typically go hand in hand. The basic idea is to develop a system through repeated cycles (iterative) and in smaller portions at a time (incremental), allowing software developers to take advantage of what was learned during development of earlier parts or versions of the system. Learning comes from both the development and use of the system; where possible, key steps in the process start with a simple implementation of a subset of the software requirements and iteratively enhance the evolving versions until the full system is implemented.

The procedure itself consists of the initialization step, the iteration step, and the Project Control List. The initialization step creates a base version of the system. The goal for this initial implementation is to create a product to which the user can react. It should offer a sampling of the key aspects of the problem and provide a solution that is simple enough to understand and implement easily. To guide the iteration process, a project control list is created that contains a record of all tasks that need to be performed. It includes such items as new features to be implemented and areas of redesign of the existing solution. The control list is constantly being revised as a result of the analysis phase.

The iteration involves the redesign and implementation of a task from the project control list, and the analysis of the current version of the system. The goal for the design and implementation of any iteration is to be simple, straightforward, and modular, supporting redesign at that stage or as a task added to the project control list. The level of design detail is not dictated by the iterative approach. In a light-weight iterative project the code may represent the major source of documentation of the system; however, in a critical iterative project a formal Software Design Document may be used.

The analysis of iteration is based upon user feedback, and the program analysis facilities available. It involves analysis of the structure, modularity, usability, reliability, efficiency, & achievement of goals. The project control list is modified in light of the analysis results.

3.6 DEVELOPMENT OF PROJECT IN STEPS/INCREMENTS

Fig 3.5The first look of our project

This figure shows the main window of our project. On this window, the following elements are present:
i. Title bar - which displays the title of our project “Basic Application Example”.
ii. Menu Bar - contains two menus: File and Help.
iii. Buttons - There are buttons for: Get Device List, Start Capture, Save output to file.
iv. Choice Box - which displays a list of the NICs on the computer.
v. Text area - for displaying the captured packets’ data.

On clicking on the Start Capture button, 20 packets will be captured and the data will be displayed in the text box. To save the data in a file, the button ‘Save output to file’ has to be clicked.

Fig 3.6 Addition of some features to the previous one

Additional features include –

i. A button to set Filter. In the text field, type in the type of packet you want to capture and then click on Filter.
ii. The number of packets to be captured is not fixed; as the packets are captured, the data will be displayed in the text area simultaneously.
iii. A button to Stop Capture. Clicking on this button will stop the capturing of packets.
iv. A button to Clear Output. Clicking on this button will clear the choice box, text field and the text area.

Fig 3.7 Window of our final project

This figure shows the main window of our project. On this window, the following elements are present:
i. Title bar - which displays the title of our project “Implementation of Packet Sniffing in JAVA using Jpcap library”.
ii. Menu Bar - contains three menus: File, Options and Help.
iii. Buttons - There are buttons for: Get Device List, Start Capture, Stop Capture and Reset.
iv. Choice Box - which displays a list of the NICs on the computer.
v. Table - which displays the information of the captured packets under respective column headings.
vi. Text areas - There are two text areas: one for displaying the information about the selected NIC and the other for displaying the selected packet’s data.

Fig 3.8 Displaying NIC information

This figure shows the Choice Box containing a list of NICs on the system, and the information about the selected NIC in the Text Area below the list.
By clicking on the button “Get Device List”, we get the names of all the NICs on the system listed in the choice box. User may select any of the NIC from the displayed ones.
On selecting one of the NICs from the list displayed, the information of the selected NIC will be displayed in the text area which is black in color. The information consists of the MAC address and IP address of the system.

Fig 3.9 Options under the “Options” menu

On clicking on the Options menu, three menu items appear:
i. Set filter
ii. Display output
iii. Promiscuous mode

The Set Filter menu contains various Filter options which may be used to set the filter while capturing the packets. The various filter options are:
i. No filter – which is selected by default. If this is selected, then all types of packets will be captured.
ii. TCP – If this is selected, then only TCP packets will be captured.
iii. UDP – If this is selected, then only UDP packets will be captured.
iv. ARP – If this is selected, then only ARP packets will be captured.
v. ICMP – If this is selected, then only ICMP packets will be captured.
vi. TCP & UDP – If this is selected, then both TCP & UDP packets will be captured.

The third item under the Options menu is the Promiscuous mode. On selecting this, the promiscuous mode will be turned ON, and all the packets in the network will be captured.

Fig 3.10 Showing options under the menu item Display Output

The menu item Display Output under the Options menu contains two ways to display the output. These are as under:
i. Show Characters – This option is selected by default. If this one is selected, then the data of the selected packet from the table will be displayed in characters in the text area below the table.
ii. Show Hexadecimals – If this is selected, then the data of the selected packet from the table will be displayed in hexadecimals in the text area below the table.

Fig 3.11 Showing the information of the captured packets in the table and the data of the selected packet in characters in the text area below it.

After selecting one of the NIC from the list of NICs, the information about the MAC address and IP address is displayed in the black text area.
Then, on clicking on the Start Capture button, the capturing of the packets will start. As the packets will be captured, the information about them will be displayed in the table under the respective headings.
The table consists of the following column headings:
i. No. – This displays the packet number.
ii. Source MAC – This displays the source MAC address of the packet.
iii. Destination MAC – This displays the destination MAC address of the packet.
iv. Source IP – This displays the source IP address of the packet.
v. Destination IP – This displays the destination IP address of the packet.
vi. Captured Time – This shows the date and the time at which the packet was captured.
vii. Length – This displays the length of the captured packet.
On selecting a packet from the table, the data of the selected packet will be displayed in the text area below it. In the above fig., the 29th packet is selected, and the data of this packet is shown in characters in the text area.

Fig 3.12 Showing the information of the captured packets in the table and the data of the selected packet in hexadecimals in the text area below it.

For displaying the data in hexadecimals, the “Show Hexadecimals” option under the menu item Display Output has to be selected.
Then, on selecting one of the packets from the table, the data of the selected packet will be shown in hexadecimals in the text area below it. In the above fig., the 29th packet is selected, and the data of this packet is shown in hexadecimals in the text area.

Fig 3.13 Showing the options under the “Save to File” menu item

On clicking on the File menu, four menu items appear:
i. Start Capture – By clicking on it, the capturing of the packets will start.
ii. Stop Capture – By clicking on it, the capturing of packets will be stopped.
iii. Save to File – This menu item gives further options for saving the packets to a file.
iv. Exit – By clicking on it, the user will exit from the software.
The “Save to File” menu item further contains two options:
a) Save Selected Packet – By selecting this option, only the selected packet will be saved to the file.
b) Save All Packets – By selecting this option, all the captured packets will be saved to the file.
Fig 3.14 Showing saved file containing selected packet

This figure shows the file which contains the data of the selected packet. The file will be saved in .rtf format and will open with MS Word by default.

Similar Documents

Free Essay

Packet Sniffing

...A SEMINAR REPORT ON | PACKET SNIFFER | SUBMITTED BY SUBMITTED ONKUNAL GOPAL THAKUR MAY 14,2010VISHAL SHIRGUPPIJUSTIN FRANCISSHAZIA ALIUNDER THE GUIDANCE OF MR. SUNIL SURVEFR. CONCEICAO RODRIGUES COLLEGE OF ENGINEERINGBANDRA(W)MUMBAI – 400 050 | CERTIFICATE This is to certify that, Mr. KUNAL GOPAL THAKUR , Mr. VISHAL SHIRGUPPI ,Mr. JUSTIN FRANCIS and Ms. SHAZIA ALI have completed their project on PACKET SNIFFER satisfactorily in partial fulfillment under the department of Computer Engineering during academic year 2009-2010. ____________________________ Teacher In-Charge ACKNOWLEDGEMENT We would like to express our sincere thanks and gratitude to our guide Mr. Sunil Surve for his valuable guidance and suggestions. We are highly indebted to him for providing us an excellent opportunity to learn and present our studies in the form of this seminar report. We take this opportunity to thank the members of the teaching and non-teaching staff of Fr.CRCE for the timely help extended by them. Lastly thanking our parents, for their morale support and encouragement. Kunal Gopal Thakur Vishal Shirguppi Justin Francis Shazia Ali ABSTRACT: Packet sniffing is a technique of monitoring every packet that crosses the network. A packet sniffer is a piece of software or hardware...

Words: 3356 - Pages: 14

Premium Essay

Diagnosing Performance and Reliability Issues

...network, He has also requested detailed documentation on why these issues are occurring, how they can be tracked, monitored, and prevented. The network infrastructure of the company consists of 300 computers, 100 laptops, various servers, and associated networking devices. The users are using both Windows Vista and Windows 7 Enterprise editions. Well the first thing I would do is go to the start menu and type in Perfmon, what this will do it will allow me access to the Performance Monitor, the DCS and the report tools. With the DCS (Data Collector Sets) I will be able to gather system information, including configuration settings and performance data, and store it in a data file, also With DCS it will logs processor, disk, memory, and network performance (Internet Protocol versions 4 and 6) counters and kernel trace data It will also log all the information included in the System Performance DCS, plus detailed system information. This will give the client a printed report of what he needs to know Performance wise and diagnostic wise. Now if we needed to track System Reliability, Stability and overall performance Windows 7 has a built in reliability Monitor which Tracks a computer’s stability. The more reboots and failures that occur on a computer, the lower the system stability become also the Stability Index and the Stability chart and with these tools it will give the client an insight on what’s going on stability wise. When it comes to system crashes everything is stored...

Words: 508 - Pages: 3

Free Essay

Network Implementation

...| | | | | | | | | | Network Implementation Plan Network Implementation Plan Table of Contents Implementing IPv6 3 Great Clips: Implementing a Network Plan Configuring IPv6 on a Juniper Router Network Infrastructure Design 6 Installing Ubuntu on Virtual Box Linux Networking 9 Linux Network Commands Analyzing Network Traffic 14 Network Sniffer Applications: Compare and Contrast Installing Wireshark: Running a TCP Packet Trace Network Security 16 Access Control Lists (ACL) ACL Command Examples To configure an ACL on a router To configure an ACL on a switch References 18 Implementing IPv6 Great Clips: Implementing a Network Plan Great Clips is a hair salon franchise through the United States and Canada. The first salon opened in 1982 and the first franchise opened in 1983 both in the state of Minnesota. In 1988, there were 150 franchises and by 2014, there are now well over 3000. Because of this tremendous growth, I have selected this company for which I will implement a network plan that will support seamless sharing and connection between various company locations. The routing protocols for IPv6 are similar to IPv4 but have been adjusted accordingly. There are two forms of routing protocols, Distance Vector routing and Link-State routing protocols. Distance Vector rules consider distance between nodes and the number of hops data must travel through before it reaches its destination. Distance Vector protocols...

Words: 2004 - Pages: 9

Premium Essay

Sdhhsdh

...Windows Limited fulfills the stated requirements to secure its application software. Select from these security controls: a. Place a firewall between the Internet and your Web server. b. Place a firewall between your Web server and your internal network. c. Remove the mail server service. d. Require encrypted connections for all remote ERP clients. e. Apply the latest security patches. f. Use a packet sniffer to view the contents of network packets. g. Require all personnel attend a lunch and learn session on updated security policies. Identified ERP software vulnerabilities: a | 1. The ERP software vendor reports that some customers have experienced denial-of-service (DoS) attacks from computers sending large volumes of packets to mail servers on the Web server computers. | | 2. | g | 3. Users that leave their workstations logged in during long durations of inactivity could allow attackers to hijack their session and impersonate them in the application. | | 4. | d | 5. Attackers with packet sniffers and proxy software could potentially intercept exchanges of private data. | | 6. | e | 7. Four software vulnerabilities in previous ERP software versions could allow attackers to escalate their permissions and assume...

Words: 297 - Pages: 2

Free Essay

Sec 572 Week 1 Ilab Draft

...inaccessible to its anticipated end-users through the application of flooding technique. Additionally, if the attacker understands and/or discovers that an intermediary network can give off excessive traffic capacity than the victim network can manage and/or process, the attacker uses the flooding technique to transmit an enormous batch of UDP packets headed for the victim; thus, the end result of this activity can cause flooding traffic congestion and exhaustion of the connection resources of the victim. In cunning attacks, “attacking hosts can flood packets in a burst to congest and disrupt existing TCP connections” (Kuzmanovic et al, 2005). However, for every action, there is equal and opposite reaction. As knowing denial of service (DoS) attack comes into play, software developers and system administrators also come up with the mechanisms and/or solutions to combat, reduce and prevent the potential impact of malicious criminal and/or attackers. Attack discovery and resolution dates: Denial of service (DoS) attacks can be identify whenever a service and/or network becomes bombarded with flooding. As a result, this can lead the packets to expel and/or initiate non-complete connection calls, which means that it cannot further manages and/or deals with legitimate networking and/or connection requests. In most cases, the attacker is aware that by flooding the host and/or server with incomplete connections that it will...

Words: 1368 - Pages: 6

Premium Essay

Malicious Attacks and Threats

...Malicious Attacks and Threats Malicious Attacks and Threats As the lead Information Systems Security Engineer it is my job to ensure that the ongoing threat of malicious attacks and vulnerabilities to the organizations computer network are kept to a minimum so that highly sensitive data will continue to remain protected. However, recent reports from the CIO suggest that there has been a small amount of malicious activity reported on the network. The CIO is requesting I look into the current network infrastructure and make necessary changes to the network so that the system remains free from the threat and vulnerability of future malicious activity that would impact the organizations network. Attacks on computer systems and networks occur by the billions every year and are on a dramatic increase. Many organizations have invested vast amounts of money in computer networks, only to find out that although it is providing means of improving the efficiency and productivity of the organization it also exposes the organization to possible malicious attacks and threats. Such attacks have been the most challenging issue for a majority of Information System Security Engineers where they utilize the necessary resources to protect the network from these vulnerabilities. The greatest overall threat to computer systems and their information comes from humans, through actions that are either malicious or ignorant. When the action is malicious, some motivation or goal...

Words: 1172 - Pages: 5

Free Essay

Lot2 Task 1

...by flooding the target system(s) with more network traffic than it can process, thereby forcing the system offline or limiting its ability to respond to legitimate traffic to a negligible level. It is different from a DoS (Denial of Service), in that multiple computers (potentially thousands) are used to increase the amount of traffic sent to the victim. The result of the recent attack was the complete shutdown of the web registration server and the inability of any student to register for classes for approximately 24 hours. It was further determined that the attack originated from inside our internal network; no evidence has been found that an outside attack was able to penetrate our protective layers. To that end, we have compiled a report detailing proposed protective measures that may help prevent such attacks in the future. The investigation determined that he attacker was able to obtain an administrator level password using a password-sniffing application. These applications scan network traffic and pick out username and password combinations. It is believed that since this software was deployed on a large section of our computers, it was simply a matter of time before it detected a password used by our Information Systems staff. Once the password was obtained by the attacker, he/she was then able to log into any machine and install the software used to control the computers in the DDoS attack. It was further determined that the password was sniffed specifically...

Words: 678 - Pages: 3

Premium Essay

Wireshark

...overwhelming.) * Start up the Wireshark packet sniffer, and start a packet capture * Enter the following URL into your browser * http://lix1.myweb.usf.edu/about-usf-st-petersburg.htm * Stop Wireshark packet capture. * Save this capture with a name “Lab2 trace1 – yourlastname”, and the default file type should be .pcapng. You will need to submit this trace file, which shows your unique IP address and time stamp to prove the origin of your work. * Now locate the GET and OK packets that your computer communicated with the server that hosts the About USF St. Petersburg web page you’ve just visited. There could be multiple GET and OK packets, depending on the web activities going on. Make sure you get the right GET and OK packet using the info column of the Packet List. Create a lab report using MS Word, and answer the following questions. Q1. Provide the packet #s of the GET and OK packet. When you select the GET message in the packet list, you can see in the Packet Details (middle window), there are 5 section items * Frame * Ethernet II * Internet protocol * Transmission control protocol, and * Hypertext transfer protocol. This lab is about Ethernet. So you can focus on the Frame and Ethernet II sections to answer the following questions (unless otherwise instructed). In order to answer the following questions, you’ll need to look into the packet details and packet bytes windows...

Words: 1908 - Pages: 8

Premium Essay

Is4670 Unit 10 Lab Q&a

...address involved were: badguy11111@gawab.com and b603358@borthew.com 3. As a forensics investigator, would you be able to playback an entire TCP session if it is requested under trial? Yes, Netwitness investigator allows a forensics investigator to playback an entire TCP session previously capture. 4. What time did the alleged offender choose to perform the actions? Why do you think this is particularly important? Where did you get this information from? After reviewing the entire packet capture we notice that download occurred around 4:00am. This is particularly important since directly to “system usage” outside regular hours of operations. 5. What is the name of the “local user” account involved in the alleged actions? Which was the IP address of the alleged offender workstation? The local administrator account was the one involved. The IP address of the client FTP client was: 172.16.177.132 6. How many attempts to access the FTP server did you find during the packet capture analysis? Why is this important for your case? Two attempts to access the FTP server were found. A lower rate of attempts, followed by a successful log on usually means the user has the password for the account. Several attempts could point towards a brute force attack. 7. What was the password of the FTP client account used to perform the alleged actions? How were you able to obtain the password? “You will never get this!!”. FTP traffic travels in clear txt, thus, making it easy...

Words: 498 - Pages: 2

Free Essay

Is3340 Week 4

...Web application users should be able to access any protected resources in the Ken 7 infrastructure Place a firewall between your Web server and your internal network. . 4. To protect servers from attack, each server should authenticate connections based on the source computer and user. Implement Kerberos authentication for all internal servers. 5. Passwords should not be words found in the dictionary. Enforce password complexity. 1. The ERP software vendor reports that some customers have experienced denial-of-service (DoS) attacks from computers sending large volumes of packets to mail servers on the Web server computers. Remove the mail server service 2. Users that leave their workstations logged in during long durations of inactivity could allow attackers to hijack their session and impersonate them in the application. Require all personnel attend a lunch and learn session on updated security policies. 3. Attackers with packet sniffers and proxy software could potentially...

Words: 344 - Pages: 2

Free Essay

Chapter 3

...4. The implementation of networking technology has created more risk for businesses that use information technology because business networks are now connected to the internet and other networks external to the organization. This has made it easier for people to gain unauthorized access to the organization's networks. 5. Information extortion occurs when an attacker steals information from a computer system and demands compensation for its return or for an agreement not to disclose it. For example, if a hacker gains unauthorized access to a celebrity’s computer and discovers embarrassing photos or videos of the star, he could then blackmail the star into giving him money in exchange for keeping the photos quiet. This causes not only a monetary loss for the celebrity, but also a loss of privacy. 6. Employees constitute one of the greatest threats to information security because employee mistakes can lead to the revelation of classified data, entry of erroneous data, accidental deletion or modification of data, the storage of data in unprotected areas, or they could fail to follow procedures to protect data. 7. The first, most basic step is to set up the computer so that the screen and keyboard are not visible to persons passing by. If you have an LCD monitor, adjust the viewing angle to make it as difficult as possible for anybody else to read your screen. Also, be aware of all people near the computer; frequently look and verify that no one is watching your screen or keyboard. If someone...

Words: 2053 - Pages: 9

Premium Essay

Nt1310 Unit 3 Assignment 1 Reverse Engineering

...In this technique, data packets transferred between two devices communicating with each other are captured using different tools. We used USBPcap and Wireshark, the two recommended and open source sniffing tools available in the market, to sniff data packets sent or received by Zeiss Visucam Pro (Device) to the system with the software and vice versa. We installed USBPcap and Wireshark on the system with the software. The system and Zeiss Visucam Pro (device) were connected via two interfaces: a serial interface and a 1394 FireWire interface. After connecting both machines we launched the sniffers and the software to control Zeiss Visucam Pro on the system. As the buttons on the software were pressed, the values in the sniffers kept changing. During the process of reverse engineering we disassembled Zeiss Visucam Pro and realized that the microcontroller inside the device is responsible for every operation that the device performs. Every command or instruction sent by the software to the device is processed by the microcontroller, and after processing, the microcontroller notifies the component for which the command or instruction was sent...

Words: 2189 - Pages: 9

Premium Essay

Vulnerability in Information

...CHAPTER 1 Vulnerabilities, Threats, and Attacks. Upon completion of this chapter, you should be able to answer the following questions: What are the basic concepts of network security? What are some common network security vulnerabilities and threats? What are security attacks? What is the process of vulnerability analysis? Key Terms: This chapter uses the following key terms. You can find the definitions in the glossary at the end of the book. Unstructured threats, Structured threats, External threats, Internal threats, Hacker, Cracker, Phreaker, Spammer, Phisher, White hat, Black hat, Dictionary cracking, Brute-force computation, Trust exploitation, Port redirection, Man-in-the-middle attack, Social engineering, Phishing. Network Security 1 and 2 Companion Guide. The Internet continues to grow exponentially. Personal, government, and business applications continue to multiply on the Internet, with immediate benefits to end users. However, these network-based applications and services can pose security risks to individuals and to the information resources of companies and governments. Information is an asset that must be protected. Without adequate network security, many individuals, businesses, and governments risk losing that asset. Network security is the process by which digital information assets...

Words: 13317 - Pages: 54

Free Essay

Security Attack

...Information Systems Security By: Jessica Burnheimer, Kathleen Cline, Brian Weiss Outline for Group paper I. Introduction II. Issues concerning Information Systems Security A. Define IS security B. Why is IS security necessary? C. History and Background of IS security D. Current issues concerning IS security 1.) Spamming 2.) Hacking 3.) Jamming 4.) Malicious software 5.) Sniffing 6.) Spoofing 7.) Identity Theft III. Solutions to contemporary IS security issues A. Solutions for “Spamming” B. Solutions for “Hacking” C. Solutions for “Jamming” D. Solutions for “Malicious Software” E. Solutions for “Sniffing” F. Solutions for “Spoofing” G. Solutions for “Identity Theft” IV. The Future of Information Systems Security A. New technologies and techniques affecting the future of Information Systems Security B. Tips and information regarding maintaining a Secure Information System C. How security issues will continue to shape Information Systems Management V. Conclusion Abstract The purpose of this paper is to discuss the pressing issues pertaining to Information Systems security. We will be covering the history of Information Systems Security, the current security issues, and why it is important to be knowledgeable in Information Systems security. Also, we will cover some solutions to the issues that...

Words: 4780 - Pages: 20

Premium Essay

Network Design Proposal

...Name: Professor: Course: Date: Network Topology Associations, especially in this case a school, depend vigorously on the capacity to share data all through the association in a proficient and beneficial way. Since the organization is lodging understudy individual data and also managerial resources and organization data, it is fundamental that the framework is still utilitarian, solid, and secure. PC systems have considered this innovation and are presently part of verging on each business. The building housing some offices, classrooms, a library, and computer labs has two choices with regards to setting up a system. They can utilize a totally wired system, which utilizes organizing link to associate PCs, or they can utilize a remote system, which utilizes radio frequencies to interconnect PCs. Remote systems, commonly called wireless networks, have permitted associations to wind up more versatile; in this way, associations are currently utilizing a blend of both wired and remote systems. The fundamental equipment format for the two sorts of systems is genuinely comparative, yet for an association to go remote it requires a couple of more equipment parts. In spite of the convenient nature of computer systems, they do open the association up to security and protection dangers. In the event that an organization is confronted with a security threat, there are ways that they can alter and forestall future security dangers. As you read on, you will figure out how the system has turned...

Words: 3084 - Pages: 13