The Network Traffic Analysis Information Technology Essay

August 28, 2017 Information Technology

Network Analysis involves capturing transcripts of informations traffic as they flow through the web for the intent of careful review in order to find what is go oning in the web. Network monitoring and analysis are indispensable facets of Network disposal. This is because computing machine webs do non run at an optimized province boundlessly, as do all human innovations. Networks need to be monitored for belongingss such as throughput, hold, congestion, velocity, security breaches etc. To execute these undertakings, the decision maker must do usage of specialised tools called Network Monitoring/Analysis tools. These tools check the wellness of the web by capturing the information packages that flow in them and inspecting them. This map is carried out by analysing the common communicating protocols in the packages. Examples of such protocols are HTTP, TCP, UDP, DNS, FTP, ARP, IMCP etc. Information gotten from this analysis can now be applied for different intents.

Network analysing tools come in either hardware or package format and can be used to supervise both wired and wireless webs. Network supervising takes either of two signifiers [ HYPERLINK l “ Les01 ” 1 ] :

Passive Monitoring: this attack uses devices to gaining control and position existent information packages traveling through the web.

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

Active Monitoring: Unlike inactive monitoring, active monitoring takes a different attack by presenting trial packages into the web and following them as they flow through the web, while roll uping informations from them.

Optimum consequences can be achieved if both methods are used to complement each other. In this paper, we use the inactive attack because Wireshark and tcpdump do non bring forth excess traffic in the web but simply capture packages already traveling through the web.

web analysis tools

Network analysis tools are ample and while some are available commercially, others are free. They range from simple bid line tools like ping to more sophisticated tools with Graphical User Interfaces. They can be grouped into different classs viz. :

Package Sniffers e.g. Wireshark, Tcpdump, Ettercap, IP Sniffer, Cain & A ; Abel, Dsniff, Netstumbler etc.

Vulnerability tools e.g. Nessus, Nikto, Paros placeholder, Retina, GFI LANguard etc.

Port Scanners e.g. Superscan, Scanrand, Unicornscan etc.

applications of web analysis tools

Network analysis tools as mentioned earlier are indispensable because they help the web decision maker to transport out his maps. Below are the assorted ways that these tools can be applied:

Monitoring of bandwidth use

Trouble-shooting web jobs e.g. nexus failure, dropped packages, congestion etc.

Confirmation of existent use of resources.

Acquisition of information to assist calculate substructure upgrades etc.

Designation of authorised and unauthorised clients and waiters on the web.

Probe of security breaches e.g. DoS onslaughts

Documenting user activities for record intents.

Determining the location of users accessing resources on the web and how they are been accessed.

Determining the resources that are been accessed and when they were accessed.

Determining the web topology.

Learn the interior workings of web protocols.

latest development in web analysis tools

Most popular Network analysis tools are software-based, running on a host computing machine. They leverage the host computing machines Network Interface Card ( NIC ) as the hardware to catch the digital signals ( packages ) fluxing through the web. This can present a job as typical NICs are non designed to run at full nexus capacity as they begin to drop packages when used above a given information rate. A typical Fast Ethernet NIC can cover with traffic rate of up to 90Mbps without dropping packages while 600-700Mbps is the scope a Gigabit Ethernet NIC can manage before dropping packets2 ] . Another job associated with NICs is inaccurate timestamping of packages as they arrive. DAG cards [ HYPERLINK l “ Don10 ” 3 ] , developed by Endace Technology, are specialized hardware which can be installed in standard computing machines and are designed to work out the jobs mentioned supra. They can be used for web links of any velocity up to 10Gbps but because of their high cost, they are best used for broadband networks2 ] .

Tools like tcpdump and Wireshark are designed to give a low-level, powdered item of the information contained in the packages that are captured. Wireshark although it gives a more user-friendly end product than tcpdump still lacks the capableness to bring forth a high-ranking image of the web in contrast to merely exposing inside informations of single packages. The format of end products from these tools is proficient in nature and can merely be interpreted by a Network Professional. In recent times, visual image techniques are been incorporated into Network Analysis tools to help even the place user to hold an apprehension of web analysis. With tools like Ocular Information Security Utility for Administration Live ( VISUAL ) , the Network Administrator can see and measure communicating webs between internal and external hosts. VISUAL uses informations from tcpdump or Wireshark log files to bring forth its informations visual images [ HYPERLINK l “ Ten09 ” 4 ] . VISUAL maps place hosts with affiliated external hosts with connexion lines. With this, the decision maker can see which place hosts are connected to which external hosts4 ] .

Network Analysis Visualization ( NAV ) is another tool that incorporates visual image techniques to supply an overview and item of IP references and services [ HYPERLINK l “ All09 ” 5 ] . The web informations is displayed in different colorss and text, which are based on the different ports, IP addresses, and services. NAV besides provides the capableness to unite and take connexions.

Figure 1: An overview of NAV demoing connexions between local IP references ( LHS ) and distant IP references ( RHS )

capturing traffic with wireshark

How Wireshark works

Wireshark, once known as Ethereal is an open-source package analyser. On its ain, it can non capture packages hence to accomplish this it takes advantage of the capablenesss of libpcap in a UNIX-based system or the Windows version of libpcap, WinPcap if running on a Windows OS6 ] . Libpcap is a platform-independent package gaining control driver that besides provides filtering options based on the Berkeley Packet Filtering ( BPF ) linguistic communication [ HYPERLINK l “ Ore04 ” 7 ] .

Wireshark ‘s Graphical User Interface if divided into three chief window glasss: The Packet list window glass, the Packet inside informations, and the Packet bytes window glass. Figure 2 shows a screenshot of the Wireshark GUI.

Figure 2: Wireshark GUI demoing three window glasss.

Capturing and Analyzing Traffic Between Web Client and Server

When carry oning the practical facet of this paper, we used Wireshark running on a Linux OS to capture traffic between a web client ( Konqueror ) with IP reference on our host machine and a web waiter ( ) . The aim of this experiment was to place the DNS minutess between our host machine and the DNS waiter and the TCP tripartite handshaking connexion constitution between the web client and waiter.

We run Wireshark in non-promiscuous manner to enable us gaining control traffic that is intended entirely for our host machine ‘s NIC while using a show filter in Wireshark ‘s filter toolbar. The filter sentence structure used is as shown:


The filter allows us to see merely traffic from HTTP, which runs on TCP port 80, and DNS traffic, which uses UDP port 53. From the consequences we obtained we were able to place different facets of the communicating procedure.

Location of DNS question: Frames 10494 and 10571 of the Wireshark gaining control file display the DNS question and response messages. Frame 10494 is the IPv4 DNS question message from our host to the DNS waiter while Frame 10571 is the DNS response from the DNS waiter to our host machine demoing the resolved IP reference. See Appendix A, Figure 1.

The beginning and finish port can be located in Frame 10494. By look intoing in the Packets inside informations window glass under the User Datagram Protocol check, we identify the Destination port of the DNS question message as 53 which is consistent with standard UDP port for DNS waiters. From Frame 10571, the beginning port of the DNS response message is identified as 53. See Appendix A, Figure 1 and 2.

From Frame 10494, the DNS question message is sent to IP reference To find the IP reference of our local DNS waiter we issue the undermentioned bid in the terminus: cat /etc/resolv.conf

The IP reference of the nameserver is displayed as This confirms that the finish IP reference in the DNS question message is the same as the IP reference of our local DNS waiter. See Appendix A, Figure 2.

From frame 10494, under the Domain Name System check in the Packets Details window glass, the DNS question can be identified as a Type ‘A ‘ question which harmonizing to RFC 10358 ] , returns a 32-bit IPv4 host reference. See Appendix A, Figure 2.

From frame 10494, we checked the Flags check under the Domain Name System check and identified that the DNS question message does non incorporate any replies. See Appendix A, Figure 2.

From frame 10571, we checked the Flags check under the Domain Name System check and identified that DNS response message contains three replies.

The first reply provides the common name of as The 2nd reply provides the common name of as The 3rd reply supplies the single-minded IP reference of as See Appendix A, Figure 1.

The TCP SYN package sent by our host machine is contained in Frame 10572. The finish IP reference of the SYN package is, which corresponds to the resolved IP reference of as supplied by the DNS waiter. See Appendix A, Figure 2.

capturing traffic with tcpdump

How Tcpdump Works

Tcpdump is a command-line based web analysis tool that runs on UNIX-based runing systems like Linux etc. Just like Wireshark, it uses libpcap to capture packages and has a Windows version called Windump, which uses WinPcap.

Tcpdump can be invoked by publishing the tcpdump on the terminus. However, this means that tcpdump selects the default interface and all mode of traffic will be captured so there is demand to implement some of the filtering options.

Capturing and Analyzing Traffic Between Web Client and Server

As in our old traffic gaining control with Wireshark, we besides use tcpdump to capture traffic between a Web Browser ( Konqueror ) with IP reference on our host machine and a Web waiter ( ) . tcpdump runs on promiscuous manner natively and we let it run so because of deficiency of root privilege on our host machine to disenable it. Tcpdump provides a big array of options to filtrate and expose its end product to accommodate the user. For the intent of this experiment, we use the undermentioned bid and below is a brief account on the maps of the each option.

tcpdump -nnvXSs 1514 port 53 or tcp

— nn specifies that tcpdump should non decide the hostnames or port names

V specifies an addition in sum of verboseness of information to be displayed from the packages.

Ten specifies that the package contents be displayed in both ASCII and HEX

S specifies that absolute sequence Numberss be printed

s sets the snaplength, which is the sum of informations to be captured in bytes. In this instance it is set to 1514 which really grabs everything in the package.

port 53 or tcp sets the filter to capture lone packages coming on port 53, which is standard for DNS packages, and TCP since HTTP traffic runs on TCP.

We were able to infer the undermentioned consequences from the end product of tcpdump.

Location of DNS question: the first frame with ID 9343 is the DNS question message from our host machine to the DNS waiter bespeaking name declaration of The 2nd frame with ID 44442 is the DNS response message from the DNS waiter with the resolved IP reference. See appendix B

From the first frame, the finish port of the DNS question message is larboard 53, which is the standard UDP port for DNS Servers. From the 2nd frame, we identified the beginning port of the DNS response message to be larboard 53. See Appendix B

From the first frame, the DNS question message is sent to IP reference antecedently we had determined the IP reference of our local DNS waiter to be utilizing the cat /etc/resolv.conf bid. See Appendix B.

The DNS question message is a Type ‘A ‘ question as indicated in the first package. See Appendix B

The DNS question message contains no replies but alternatively has a inquiry as indicated by ‘A? ‘ in the first frame. See Appendix B.

Upon analyzing the DNS response message in frame 2, we identify three replies. The first reply provides the common name of as The 2nd reply provides the common name of as The 3rd reply provides the single-minded IP reference of as

Frame 3 is the TCP SYN message from our host machine to the web waiter the finish IP reference of the package is which is the same as the resolved IP reference supplied by the DNS waiter

differences and similarities between wireshark and tcpdump

Having used both tools to capture traffic and analyse them, we compared both tools and ascertained similarities between them and of class differences.


Both tools are low-level package analysers i.e. they analyze packages separately instead than the full web as a whole. This makes them utile tools for analyzing the intrinsic make-up of communicating protocols.

Both tools leverage the capablenesss of libpcap in order to capture packages and they both implement the Berkeley Packet Filter linguistic communication [ HYPERLINK l “ Bur07 ” 6 ] . Both tools gaining control traffic from both wired and wireless webs and operate in both UNIX and Windows environments. Wireshark and tcpdump can expose information from packages in both ASCII and Hexadecimal formats.

They are both inactive sniffers as neither tool can alter the information on the web ; they simply display the information as it flows through the web in an unadulterated signifier. They can non besides execute invasion sensing, as they will non alarm the web decision maker if there is a security breach. They merely provide the decision maker with the information to make up one’s mind for himself if there is a job or non.


The obvious difference to anyone is that Wireshark has a Graphical User Interface while tcpdump is command-line based. Wireshark ‘s GUI makes it more user-friendly and intuitive whereas tcpdump produces end product that are non so human-readable. This nevertheless does non do Wireshark any longer powerful than tcpdump.

Tcpdump is more of a packet-capturing tool than a package analyser since it simply displays the package as it is and leaves the user to make the analysis. It has a really limited apprehension of protocols and for illustration will non distinguish the difference between HTTP and FTP packages. Wireshark on the other manus performs both packet gaining control and analysis and has a broader apprehension of the different protocols. It assigns different coloring materials codifications to different protocols thereby doing them easy recognizable. Wireshark understands informations encapsulation from the application layer down to the data-link bed doing it utile for analyzing the TCP/IP theoretical account.

Wireshark can expose both package heading information and the existent information in the packages including usernames and watchwords in clear text whereas tcpdump shows merely header information. Refering privateness and security, this makes tcpdump less invasive when used on public webs where privateness is a major concern.

decision and recommendation

Having used both tools to capture and analyse traffic, we have come to a decision that in a acquisition environment, Wireshark will assist pupils to derive a faster apprehension of the construction of web protocols than tcpdump. Though because of its deeper disclosure of the contents of the informations, it should be restricted to stray research lab environments where privateness concerns are negligible.

Tcpdump on the other manus, can be used in more unfastened environments to capture informations and thenceforth, the end products can be transferred to Wireshark for better analysis. Tcpdump besides allows the user more flexibilty in exposing the information from captured packages.


The undermentioned parts to this paper were made by Adetunji Adebayo: Aims and applications of web analysis tools and comparing of tcpdump and Wireshark.

Ugochukwu Nkwocha performed the laborotory Sessionss with Wiresshark and tcpdump and besides researched the latest developments in Network Analysis tools.


I'm Amanda

Would you like to get a custom essay? How about receiving a customized one?

Check it out