
International Journal of Computer Trends and Technology (IJCTT) volume 5 number 2 Nov 2013

ISSN: 2231-2803 http://www.ijcttjournal.org Page95



Network Packet Analysis Through Visualization Systems
P. Mahesh Babu, Gudlavalleru Engineering College, Gudlavalleru.
Sri K. Srinivas, Associate Professor, CSE Department, Gudlavalleru Engineering College, Gudlavalleru.


Abstract: Network security is a major concern in computer science. Although great effort has been spent on security problems, networks still suffer numerous attacks, which may lead to serious damage and loss. Visualization systems for intrusion detection have become more widespread with time, yet the lack of an organizing framework for building this technology correctly remains a problem. Log files are the main source for security analysis. However, log files are not created to be easy to use, and finding useful information in them is laborious. A visualization system designed for security purposes provides more perceptive and effective ways to carry out security analysis; most security visualization systems are based on data from log files. With the multiplication of attacks against computer networks, system administrators are required to monitor carefully the traffic exchanged by the networks they manage. That monitoring task is increasingly laborious because of the growing amount of data to analyze, and the trend will intensify with the explosion in the number of devices connected to computer networks and the global rise in available network bandwidth [1]. Visualization mechanisms use the parallel processing power of the human visual system to allow suspicious network activity to be identified. This paper details the development and use of a visualization system for network security. All activity generated by an attacker leaves traces, which can be seen by inspecting network traffic. Log files are created in response to both malicious and innocuous activity, depending on the logging level. These logs and traces are what network security professionals have to work with in order to detect, defend against and prevent security breaches. The first proposed system focuses on increasing the utility of intrusion detection systems by providing information-rich displays of network alerts. The second system provides new methods of visualizing network packets that enable the analyst to explore network traffic for malicious activity efficiently and effectively.


Keywords: Network, Port Visualization, TCP Packets, UDP.

I. INTRODUCTION

The World Wide Web has changed our everyday lives. We have grown used to having everything online, whether it be news or publications, map services, timetables, translation services, social interaction, personal communication, forums, encyclopedias, entertainment, reservation services, banking, shopping or a calendar. We are also beginning to expect the same services wherever we go and whatever the time, using the network devices of our choice. Because the Internet has such a profound effect on our lives, developers should understand how it works and how the services above are delivered, including to mobile devices. To understand how the Internet works, a developer has to know the lower-level services that enable the Internet and everything built on top of it. The services enabling the Internet are offered in the form of data communication protocols, so understanding them is the key. However, conducting a forensic examination of an anomalous event can be remarkably difficult. It is hard to recognize relevant events because their number is in most cases incredibly small compared to the total number of events on the network. Although there are many research projects on the classification of network traffic, these solutions are imperfect and cannot perform as well as a human expert. For example, a recent system for network traffic classification achieved up to 90% coverage with 95% accuracy. The problem is that automated systems still generate a great many false positives, which must be inspected by hand. Moreover, these systems tend only to screen out single events; the extraction of relevant sequences remains a research problem. Since automatic systems cannot extract these patterns effectively, we developed visualization systems that augment the pattern-recognition abilities of an analyst engaged in the iterative process of forensic analysis.

Some systems use parallel plots in which a vertical axis represents the entire IP address space from 0.0.0.0 to 255.255.255.255 and lines between the axes show connections. VisFlowConnect is different in that it uses parallel plots to show the connections between the inside network and the outside network [46]. Lines that show links fade over time, while line width shows traffic volume. Filtering can be done by protocol, port, IP address and traffic threshold. Possible signs of attack are seen as asymmetry in the plot, for example an inside host connecting to many outside subnets. Unusually large amounts of traffic going back and forth are also a possible indicator of malicious activity. Rumint [3] also uses parallel plots to show connections, and gives users the option of mapping axes to other parameters, such as port number.
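The two VisFlowConnect indicators described above (an inside host fanning out to many outside subnets, and unusually large traffic volumes with outside hosts) can be computed directly on flow records before anything is plotted. The following Python is an added example, not code from this paper or from VisFlowConnect; the inside network 192.168.2.0/24, the flow records (which reuse addresses from the paper's packet table plus the 198.18.0.0/15 benchmarking range) and both thresholds are assumptions made for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records for this example: (src, dst, bytes_out, bytes_in).
# None of this is captured traffic.
INSIDE_NET = ipaddress.ip_network("192.168.2.0/24")

SAMPLE_FLOWS = [
    # 192.168.2.4: ordinary client talking to three outside hosts, download-heavy
    ("192.168.2.4", "74.125.236.69", 2_000, 40_000),
    ("192.168.2.4", "173.194.38.151", 1_500, 20_000),
    ("192.168.2.4", "77.67.10.140", 800, 9_000),
    # 192.168.2.1: SSDP multicast chatter, not an outside connection
    ("192.168.2.1", "239.255.255.250", 300, 0),
    # 192.168.2.12: one very large upload to a single outside host
    ("192.168.2.12", "198.18.50.7", 5_000_000, 20_000),
]
# 192.168.2.9: one tiny flow into each of twelve different outside /24s (scan-like fan-out)
SAMPLE_FLOWS += [("192.168.2.9", f"198.18.{i}.1", 60, 0) for i in range(12)]


def _outside_flows(flows, inside_net):
    """Yield (src, dst_address, bytes_out, bytes_in) for flows an inside host
    initiated to a unicast host outside inside_net; multicast is ignored."""
    for src, dst, out_b, in_b in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in inside_net and d not in inside_net and not d.is_multicast:
            yield src, d, out_b, in_b


def outside_subnet_fanout(flows, inside_net=INSIDE_NET, prefix=24):
    """Per inside host, the number of distinct outside /prefix subnets it contacted:
    the 'inside host connects to many outside subnets' asymmetry VisFlowConnect shows."""
    subnets = defaultdict(set)
    for src, d, _, _ in _outside_flows(flows, inside_net):
        subnets[src].add(ipaddress.ip_network(f"{d}/{prefix}", strict=False))
    return {host: len(nets) for host, nets in subnets.items()}


def outside_volume(flows, inside_net=INSIDE_NET):
    """Per inside host, total bytes exchanged in both directions with outside hosts."""
    volume = defaultdict(int)
    for src, _, out_b, in_b in _outside_flows(flows, inside_net):
        volume[src] += out_b + in_b
    return dict(volume)


def flag_hosts(flows, fanout_threshold=8, volume_threshold=100_000, inside_net=INSIDE_NET):
    """Return {host: [reasons]} for inside hosts exceeding either heuristic.
    Both thresholds are assumed values for this example; tune them per network."""
    reasons = defaultdict(list)
    for host, n in outside_subnet_fanout(flows, inside_net).items():
        if n >= fanout_threshold:
            reasons[host].append(f"contacted {n} distinct outside /24s")
    for host, total in outside_volume(flows, inside_net).items():
        if total >= volume_threshold:
            reasons[host].append(f"{total} bytes exchanged with outside hosts")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(flag_hosts(SAMPLE_FLOWS).items()):
        print(host, "->", "; ".join(why))
```

On the constructed input, 192.168.2.9 is flagged for fan-out and 192.168.2.12 for volume, while the ordinary client 192.168.2.4 (three outside subnets, 73,300 bytes) stays below both thresholds; the multicast flow from 192.168.2.1 is excluded, which matters because SSDP and mDNS chatter would otherwise inflate every host's count.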






II. LITERATURE SURVEY


Rao and Card describe Table Lens (Figure 2.1), which makes it possible for users to interactively explore large tables [48]. A user-chosen distortion maps some of the rows and columns to a graphical representation, which allows more rows and columns to be displayed than is possible with a text table. Siirtola describes an implementation of interactive reordering that directly transferred Bertin's example to a computer [5]. The pilot study showed that novice users were able to discover some correlations in the data using the tool. Kincaid [2] describes VistaClara, a system for investigating correlations in microarray data by rearranging rows and columns. VistaClara includes an extension to sort rows and columns by various similarity metrics. The primary difference between Isis and these systems is that Isis supports an iterative investigation process.

NVisionIP parses flow information from NetFlow. From the flow statistics gathered, NVisionIP implements three views that together give an overall picture of the network. In the galaxy view, an entire class B IP space is shown as a 256x256 grid, where each point represents one unique IP address within that class B. Each point's color represents how many times that IP address was the source or destination of a flow. Further detail is seen in the small multiple view, which shows a subset of the IP addresses and, for each IP, histograms of flow counts per port. Choosing one IP address to focus on gives the machine view, where for that address the user sees the flow port count for well-known and dynamic ports. Some more recent work, as in [3], uses a 3D axis to show time, port numbers and number of bytes or packets. The port axis is not fixed; it is dynamically allocated according to activity. To avoid possible occlusion of port labels on the axis, the ports represented are limited to those that have a certain amount of activity. If a port scan occurs, such as a large-scale scan.

Several tools have been developed to visualize and process Snort IDS [4] alarm log files. One is SnortView [5], where a matrix view is used to show IP address connections over time. Color is used to highlight user-selected communication paths, and also to encode alarm severity (high, medium and low priority). Glyphs encode the network protocol type. Detailed information for the currently selected alarm is given at the bottom of the display.

Host/Server Monitoring:

In this class of visualization [2], the main display is devoted to the representation of hosts and servers. The intent is to display the current state of a network by visualizing the number of users, system load, status, and unusual or unexpected host or server activities. Portall digs deeper into the monitored hosts and correlates TCP connections with the host processes that generate them, allowing an end-to-end visualization of communications between distributed processes. As displayed in the figure, the main display consists of two parallel axes, with the left side representing clients and the right side representing servers and their respective processes. A line is drawn from a client to a server to depict a TCP connection.







Internal/External Monitoring

Visualizations of this class are concerned with the interaction of internal hosts with external IPs.

Port numbers are aggregated into multiple groups based on the services provided in the network. Well-known ports (<1,024) are assigned to major services on a system, making them more attractive targets for attack. For this reason they are placed into bins of 100, registered ports (<50,000) are placed into bins of 10,000, and the remaining private/dynamic ports (50,000-65,535) are placed into a single bin [3].
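The binning scheme above is easy to get subtly wrong at the boundaries (1,023 versus 1,024, 49,999 versus 50,000), so here it is as an added Python example, written for this page rather than taken from the paper or from the tool described in [3]. It keeps the page's own boundaries; note that IANA actually ends the registered range at 49,151 and starts the dynamic range at 49,152, so a deployment aligned with IANA would move that one cut-off. The per-host histogram it builds is the kind of port-count view NVisionIP's machine view shows; the flow records are constructed for the example.

```python
from collections import Counter, defaultdict


def port_bin(port):
    """Return the label of the bin a port falls into: bins of 100 below 1,024,
    bins of 10,000 below 50,000, and one bin for 50,000-65,535 (the page's scheme)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a port number: {port}")
    if port < 1024:                       # well-known: bins of 100
        lo = (port // 100) * 100
        return f"{lo}-{min(lo + 99, 1023)}"
    if port < 50000:                      # registered: bins of 10,000
        lo = (port // 10000) * 10000
        return f"{max(lo, 1024)}-{lo + 9999}"
    return "50000-65535"                  # private/dynamic: a single bin


def port_histogram(flows):
    """Per destination host, a Counter of destination-port bins hit,
    from (src, dst, dport) flow records."""
    hist = defaultdict(Counter)
    for _src, dst, dport in flows:
        hist[dst][port_bin(dport)] += 1
    return hist


def render_bins(counter, width=30):
    """Text bar chart of one host's bins, largest first: a single-host 'machine view'."""
    if not counter:
        return ""
    scale = width / max(counter.values())
    lines = []
    for label, n in counter.most_common():
        lines.append(f"{label:>12} | {'#' * int(round(n * scale))} {n}")
    return "\n".join(lines)


# Constructed sample records: a quick scan of 192.168.2.4 plus two ordinary flows.
SAMPLE_FLOWS = [("198.18.1.9", "192.168.2.4", p)
                for p in (21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080)]
SAMPLE_FLOWS += [
    ("192.168.2.4", "74.125.236.69", 443),
    ("192.168.2.1", "239.255.255.250", 1900),
]

if __name__ == "__main__":
    for host, bins in port_histogram(SAMPLE_FLOWS).items():
        print(host)
        print(render_bins(bins))
```

With these records the scanned host shows five hits in the 0-99 bin and two each in 100-199 and 1024-9999, which is exactly the "many distinct low ports in a short window" shape the aggregated view is meant to expose, while the SSDP flow lands in the 1024-9999 bin because 1,900 is above the well-known range.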

Attack Patterns

Visualizations of this class aid an administrator not only in the detection of attacks but also in the display of multistep attacks [2].




Drawbacks in the existing systems [2]:

- Privacy issues: disclosing network topologies and security mechanisms.
- Probe response attacks: triggering rare rules in signature-based intrusion detection systems (IDSs), employing rare port combinations, etc., whose responses can later be recovered from released data.
- Fingerprinting: searching for patterns in the data to identify hosts or devices.
- Data accuracy: because of the vast amount of data and collaborative analysis, precision and accuracy come under scrutiny.
- Usability issues: security conflicts with usability, for example when obfuscating the IP addresses that appear in alerts.
- Blending attacks: submission of fake records in the hope that they produce a recognizable pattern in released data sets.

III. PROPOSED SYSTEM

1. Monitoring: monitoring attack alerts and identifying
potential attacks
2. Analysis: analyzing alerts and other data to diagnose
an attack
3. Response: responding to the attack, documenting and
then reporting.


Algorithm to capture network packets

Step 1: Get the list of all network interfaces and store them in NetworkInterface[].
Step 2: Get each network interface's name and MAC address from NetworkInterface[].
Step 3: Choose the NetworkInterface on which to capture packets in promiscuous mode.
(In non-promiscuous mode, when a NIC receives a frame it normally drops it unless the frame is addressed to that NIC's MAC address or is a broadcast or multicast frame; promiscuous mode therefore allows the computer to read frames intended for other machines or network devices.)
Step 4: Set the number of packets to capture (-1 for unlimited).
Step 5: Print the packets to the console.
Step 6: End
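Steps 1 and 2 need a live interface, and Step 3 needs raw-socket privileges (root or CAP_NET_RAW on Linux), so the following Python is an added example, not the paper's code, that runs Steps 3 to 5 over a small constructed in-memory capture instead: it models the NIC address filter from Step 3, decodes Ethernet/IPv4/TCP/UDP headers defensively, and prints the same Seqno / Src Add / Dest Add table the results section shows. The MAC addresses are made up; the IP addresses are taken from the paper's packet table. Two caveats the pseudocode does not state: the capture path also sees frames this host transmits regardless of mode (modelled by the source-MAC check), and on a switched LAN promiscuous mode only yields what the switch forwards to that port (broadcast, multicast and flooded unicast) unless a mirror/SPAN port or tap is used.

```python
import struct
from dataclasses import dataclass
from typing import Optional

BROADCAST = bytes.fromhex("ffffffffffff")

def _mac(s):  # "aa:bb:..." -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):   # "192.168.2.4" -> 4 bytes
    return bytes(int(x) for x in s.split("."))

@dataclass
class PacketRow:
    seqno: int
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]

def nic_would_deliver(frame, our_mac, promiscuous):
    """Receive-side address filter from Step 3. Simplification: frames this host
    transmits are also handed to the capture path, so our own source MAC passes."""
    if promiscuous or frame[6:12] == _mac(our_mac):
        return True
    dst = frame[0:6]
    # Any group (multicast) address has the low bit of its first octet set; this
    # also covers the broadcast address ff:ff:ff:ff:ff:ff.
    return dst == _mac(our_mac) or dst == BROADCAST or bool(dst[0] & 0x01)

def decode_frame(seqno, frame):
    """Ethernet II -> IPv4 -> TCP/UDP header parse. Returns None for anything that
    is not well-formed IPv4, so a malformed or non-IP frame cannot break the loop."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:total_len]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    name = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, f"proto-{proto}")
    return PacketRow(seqno, src, dst, name, sport, dport)

def capture(frames, our_mac, promiscuous):
    """Steps 3-5 over in-memory frames: NIC filter, decode, collect rows to display."""
    rows = []
    for seqno, frame in enumerate(frames, start=1):
        if nic_would_deliver(frame, our_mac, promiscuous):
            row = decode_frame(seqno, frame)
            if row is not None:
                rows.append(row)
    return rows

def format_table(rows):
    """Rows in the 'Seqno / Src Add / Dest Add' layout of the results, plus proto and ports."""
    out = [f"{'Seqno':>5}  {'Src Add':<16} {'Dest Add':<16} Proto  Ports"]
    for r in rows:
        ports = f"{r.sport}->{r.dport}" if r.sport is not None else "-"
        out.append(f"{r.seqno:>5}  {r.src:<16} {r.dst:<16} {r.proto:<6} {ports}")
    return "\n".join(out)

def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Constructed minimal Ethernet/IPv4/UDP-or-TCP(SYN) frame; checksums left zero."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip_hdr + l4

# Constructed sample capture: MAC addresses are made up, IPs follow the paper's table.
OUR_MAC, ROUTER_MAC, OTHER_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "66:77:88:99:aa:bb"
SSDP_MAC = "01:00:5e:7f:ff:fa"  # IPv4 multicast MAC for 239.255.255.250
SAMPLE_FRAMES = [
    build_frame(SSDP_MAC, ROUTER_MAC, "192.168.2.1", "239.255.255.250", 17, 1900, 1900),  # multicast
    build_frame(ROUTER_MAC, OUR_MAC, "192.168.2.4", "74.125.236.69", 6, 50321, 443),       # sent by us
    build_frame(OTHER_MAC, ROUTER_MAC, "192.168.2.1", "192.168.2.7", 17, 53, 51000),       # for another host
    build_frame(OUR_MAC, ROUTER_MAC, "77.67.10.140", "192.168.2.4", 6, 80, 50322),         # addressed to us
    BROADCAST + _mac(ROUTER_MAC) + b"\x08\x06" + b"\x00" * 28,                             # ARP, not IPv4
]

if __name__ == "__main__":
    print("promiscuous:\n" + format_table(capture(SAMPLE_FRAMES, OUR_MAC, True)))
    print("\nnon-promiscuous:\n" + format_table(capture(SAMPLE_FRAMES, OUR_MAC, False)))
```

Run stand-alone, the promiscuous listing contains frames 1 to 4 and the non-promiscuous listing only 1, 2 and 4: the DNS reply addressed to 192.168.2.7's MAC is exactly the kind of frame Step 3's parenthetical says is lost without promiscuous mode, while the SSDP multicast from 192.168.2.1 (the bulk of the paper's own table) is visible either way. The ARP frame is accepted by the filter but rejected by the decoder, which is why the decoder returns None rather than raising.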



Framework for designing security visualization systems.
Security data flows through a series of intermediate processing, encoding and filtering steps before being visualized. After visualization, the results may be logged graphically and tailored reports may be created.














IV. EXPERIMENTAL RESULTS


Home page view of Network Visualizer




Network Systems View


Seq no   Src Addr          Dest Addr
262      192.168.2.1       239.255.255.250
261      192.168.2.1       239.255.255.250
260      192.168.2.1       239.255.255.250
259      192.168.2.1       239.255.255.250
258      192.168.2.1       239.255.255.250
257      192.168.2.1       239.255.255.250
256      192.168.2.1       239.255.255.250
255      192.168.2.1       239.255.255.250
254      192.168.2.1       239.255.255.250
253      192.168.2.1       239.255.255.250
252      192.168.2.1       192.168.2.4
251      192.168.2.4       192.168.2.1
250      77.67.10.140      192.168.2.4
249      192.168.2.4       192.168.2.1
248      192.168.2.4       77.67.10.140
247      74.125.236.69     192.168.2.4
246      173.194.38.151    192.168.2.4
245      192.168.2.1       192.168.2.4
244      192.168.2.4       192.168.2.1
243      192.168.2.1       192.168.2.4


Connecting to localhost network


Choosing network interface option



Capturing packets





Displaying packets in gui visualizer


Tracerouting the client system


Traceroute1


Traceroute2

Performance Analysis:
The proposed approach takes less time to visualize packet information, measured between the arrival of each packet and its display on the screen. The proposed approach uses a robust normal distribution to obtain the statistical features of user behavior.

Comparison between traceback time and number of packets:

              Traceback time (ms)   Number of packets
Proposed      3                     345
Existing      7                     236

Comparison between traceroute time and number of packets:

              Number of packets   Traceroute time (ms)
Proposed      23                  21
Existing      17                  27
Comparison between ping time and number of packets:

              Number of packets   Ping time (ms)
Proposed      235                 234
Existing      235                 375


V. CONCLUSION AND FUTURE SCOPE

Information visualization is one way of communicating information effectively, and deception is one way to degrade this capability. Today's systems are being used in critical applications to glean insights that are difficult to obtain using traditional non-visual techniques. Even carefully user-customized applications are vulnerable because of incorrect defaults, limitations in the visualizations themselves and weaknesses in the overall system. To help counter these attacks, the proposed system gives better accuracy than existing approaches in terms of IP tracing and packet visualization.

REFERENCES

[1] Erwan Le Malécot, "Toward a Scalable Visualization System for Network Traffic Monitoring."
[2] Hadi Shiravi and Ali Shiravi, "A Survey of Visualization Systems for Network Security," IEEE Transactions on Visualization and Computer Graphics, vol. 18, no. 8, August 2012.
[3] G. Conti and M. Ahamad, "Countering Denial of Information Attacks," IEEE Security and Privacy (accepted, to be published).
[4] "Army Battlefield Deception Operations," Air War College, United States Air Force. http://www.au.af.mil/au/awc/awcgate/army/batdecep.htm
[5] M. Howard and D. LeBlanc, Writing Secure Code. Microsoft Press, 2002.
[6] L. Wilkinson, The Grammar of Graphics. Springer-Verlag, 1999.
[7] "Propaganda," Disinfopedia. http://www.disinfopedia.org/wiki.phtml?title=Propaganda
[8] R. Spence, Information Visualization. ACM Press, 2001.
[9] E. Tufte, Visual Explanations: Images and Quantities, Evidence and Narrative. Graphics Press, 1997.
[10] E. Tufte, Envisioning Information. Graphics Press, 1990.
