An Effective Wireless Monitoring Tool (EWMT)

As computer networking has expanded and matured, there has been a growing requirement to collect traffic statistics for understanding the current load and planning future connectivity. This requirement leads one to consider the general problem of a software packet monitor for analyzing traffic patterns and gathering statistics. This paper presents a software monitoring system named "Effective Wireless Monitoring Tool" (EWMT), which has been built to help the network administrator discover network problems as soon as possible. The proposed system achieves its goal by sniffing, capturing, and analyzing the network traffic data packets using a passive monitoring scheme, without affecting or interfering with the network information flow. This is achieved by configuring the Network Interface Card (NIC) in promiscuous mode. The EWMT extracts and views different valuable detailed information concerning the network in human-readable format. It taps network protocols that run at the IP level, the TCP level and other protocols at the application level such as DNS, HTTP, and FTP. The EWMT system is constructed using the Microsoft Visual C++ V 8.0 development environment along with the .NET Framework 3.5.


Arabic title: An Effective Wireless Network Monitoring System
Wireless communication uses the wavelengths from the radio frequency (RF) band up to the Infrared (IR) band [3].
The most popular network in the wireless domain is the IEEE 802.11 wireless local area network. This is mainly because of the advantages that its systems possess. Its key characteristics, such as interoperability, mobility, flexibility, and cost-effective deployment, have led to its gaining vast support across enterprises, the public sector, homes, and data service providers [4]. Because of the complexity of networks and of attacks on networks, analysts require as much information as possible about their own network infrastructure. Knowledge of host connectivity and traffic details is essential when one must analyze, investigate or react to computer or network performance problems or security attacks; therefore EWMT (Effective Wireless Monitoring Tool) is proposed.

Related works
Several related network monitoring systems are presented in this field.
- Ngo et al. [5] proposed a novel resource usage monitoring tool for ad hoc wireless Ethernet networks, called WANMon (Wireless Ad-hoc Network Monitoring Tool). WANMon can be installed on a wireless node to monitor resource usage (such as network usage, power usage, memory usage, and CPU usage) at the node.
- Pande et al. [6] designed a network monitoring tool, PickPacket, that handles the conflicting issues of network monitoring and privacy through its judicious use. PickPacket has four components: the "PickPacket Configuration File Generator" for assisting the user in setting up the parameters for capturing packets, the "PickPacket Packet Filter" for capturing packets, the "PickPacket Post-Processor" for analyzing packets, and the "PickPacket Data Viewer" for showing the captured data to the user.
- Karygiannis et al. [7] presented a collection of host-based kernel modules for the GNU/Linux operating system. These kernel modules monitor the network traffic traversing the host's wireless network interface and write a number of network traffic metrics into the Linux "/proc" virtual directory.

Promiscuous Mode
Normally, a computer's network interface hardware checks the destination address of each incoming frame to determine whether the frame should be accepted. However, a computer's network interface hardware can be configured by software into promiscuous mode, which overrides the conventional address checking. Once in promiscuous mode, the network interface does not check the destination address of the incoming frame, but accepts all frames [11].

Mirror Port
A switch operates very differently from a hub. When a switch receives information from a computer it does not just blindly send it to all other computers; instead it sends unicast traffic only to the desired destination computer. Therefore, the sniffer does not see this traffic, but configuring a switch with a mirror port makes this possible. Most switches come with a feature known as port mirroring, or port spanning [12]. To mirror ports, we need to configure the switch to duplicate the traffic from the port we want to monitor to the port to which our network analyzer is connected.
This feature was implemented for exactly this purpose: analyzing the network traffic for troubleshooting.

Proposed Network Layout Architecture
The proposed network layout architecture relies on tapping EWMT into the monitored network. Connecting the EWMT host on a mirror port makes it possible to capture the packets being sent and received through the access point. The NIC of the EWMT host is configured in promiscuous mode in order to capture all packets going and coming inside the network, regardless of whether the packets are destined to its IP address or not. A network layout illustrating this architecture is shown in figure 1.

EWMT Hierarchy
The EWMT is built on a network library (Netlib), which has been designed and implemented for the proposed framework. To build the network library (Netlib), the .NET Socket class of the System.Net namespace is used. The system consists of three modules: GUI, which is responsible for all user-interface-related operations; Mainwindow, which is responsible for all client-area-related operations; and Tools, which deals with all non-GUI operations.
These modules collaborate with each other to form the system. Figure 2 demonstrates the main system modules.

EWMT Processing Stages
The EWMT comprises four basic processing stages, as demonstrated in figure 3. Through these basic stages the EWMT satisfies the system goals in network monitoring. Each stage includes several functions that are executed either in sequence or concurrently.

Initialization Stage:
This stage is responsible for the creation and initialization of sockets. A socket is the programming technique used in EWMT for packet capturing. This stage involves the following functions:
1. Create socket, using the specified address family and socket type, which enables the network to receive the designated packets:

Socket(AddressFamily, SocketType, ProtocolType)

Store and Display Stage:
The third stage of EWMT includes the following functions:

Statistical Viewer Stage:
This stage demonstrates how statistics are calculated. This is achieved by using the brief packet information for each captured packet, which is stored in a database list, and by calling functions and methods of the data store class that perform particular calculations on this information. This stage includes the following:
1. Create the main IP chart of type PIE graph by using the AddChart() function.
2. For each element in the brief packet information stored in the database list, get the list of captured IPs by using the ListOfIP() function:

List<String^>^ ListOfIP()

3. For each element in the brief packet information, calculate the counts of all available ports using the CountOfPortsPacket() method. Get a list of available ports and return the count for each port to be stored in the portsPacketsCounts hashtable (a .NET class). The Hashtable class represents a collection of key/value pairs that are organized based on the hash code of the key. Here the key represents the port number and the value represents its count:

CountOfPortsPacket(); Hashtable^ portsPacketsCounts

4. For each key/value pair in the portsPacketsCounts hashtable:
• Get the name of the port as a string by calling the GetPorts() function, which takes the port number as a parameter and returns its name as a string: String^ GetPorts(int port)
• Update the IP chart by calling the UpdateIPChart() function, which creates a list of chart items. Each chart item has a port count and its name, and these chart items are added to the IP chart.
5. For each element of the brief packet information stored in the database list, the number of packets of the TCP protocol is calculated by using the CountOfPacket() method, which returns the number of TCP packets. The UDP and ICMP protocols are counted in the same way.
6. If the statistics icon is selected, then all charts are cleared and all the steps above are repeated.
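The header extraction the paper describes in its capture and analysis stage (the ToByte helper and the per-field IP header extraction) and the per-protocol and per-port counting of the statistics stage can be shown together on constructed datagrams. The following Python example is added here for illustration and is not EWMT's own code: it builds a few IPv4/TCP/UDP/ICMP datagrams in memory, parses the IPv4 header fields, takes the transport ports where the protocol has them, and then produces the same kind of counts that EWMT feeds into its pie and bar charts. The PORT_NAMES table stands in for the paper's GetPorts() lookup and is an assumption, as is the choice to count destination ports only; the sample capture is constructed, not real traffic. A malformed (truncated) datagram is included to show that a passive monitor must reject bad input rather than crash on it.

```python
import struct
from collections import Counter

# Protocol numbers carried in the IPv4 header's Protocol field (IANA assignments)
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Hypothetical port-name table standing in for the paper's GetPorts() lookup
PORT_NAMES = {21: "FTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def ip_to_bytes(addr):
    """Dotted-quad string -> 4 network-order bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_ipv4(proto, src, dst, payload, tos=0, ttl=64):
    """Constructed test input: minimal IPv4 header (IHL=5, no options) in front
    of payload. The header checksum is left at zero on purpose; a passive
    analyser must not depend on it being valid."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, tos, 20 + len(payload), 0x1234, 0,
                         ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def build_tcp(sport, dport):
    """Constructed 20-byte TCP header: SYN flag set, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_udp(sport, dport, data=b""):
    """Constructed 8-byte UDP header followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(datagram):
    """Extract the IPv4 header fields (and transport ports where present) from
    one raw datagram, as EWMT's analysis stage does. Raises ValueError on
    anything malformed instead of reading past the buffer."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than the minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(datagram) or total_len < ihl:
        raise ValueError("bad version, IHL or total length")
    # Trust the captured length over the header's claim so a lying total length
    # cannot make us index beyond the buffer
    payload = datagram[ihl:min(total_len, len(datagram))]
    info = {
        "tos": tos, "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, f"proto {proto}"),
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        "sport": None, "dport": None,
    }
    # Source and destination ports sit in the first 4 bytes of both TCP and UDP
    if proto == 6 and len(payload) >= 20:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == 17 and len(payload) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    return info


def get_port_name(port):
    return PORT_NAMES.get(port, f"port {port}")


def summarize(datagrams):
    """Statistics stage: packets per protocol and packets per destination port
    (counting the destination side is an assumption; the paper does not say
    which end of the connection its port counts use)."""
    protocols, ports, malformed = Counter(), Counter(), 0
    for dg in datagrams:
        try:
            info = parse_ipv4(dg)
        except ValueError:
            malformed += 1
            continue
        protocols[info["protocol"]] += 1
        if info["dport"] is not None:
            ports[get_port_name(info["dport"])] += 1
    return protocols, ports, malformed


# Constructed sample capture (documentation addresses, not real traffic)
SAMPLE_CAPTURE = [
    build_ipv4(6, "10.0.0.2", "192.0.2.10", build_tcp(51000, 80)),
    build_ipv4(6, "10.0.0.2", "192.0.2.10", build_tcp(51001, 443)),
    build_ipv4(17, "10.0.0.3", "10.0.0.1", build_udp(40000, 53, b"\x00" * 12)),
    build_ipv4(17, "10.0.0.3", "10.0.0.1", build_udp(40001, 53, b"\x00" * 12)),
    build_ipv4(1, "10.0.0.2", "10.0.0.1", struct.pack("!BBHHH", 8, 0, 0, 1, 1)),  # ICMP echo request
    b"\x45\x00\x00\x14",  # truncated datagram: must be rejected, not crash the monitor
]

if __name__ == "__main__":
    for dg in SAMPLE_CAPTURE:
        try:
            print(parse_ipv4(dg))
        except ValueError as err:
            print("skipped:", err)
    print(summarize(SAMPLE_CAPTURE))
```

The two Counter objects play the role of EWMT's portsPacketsCounts hashtable and its per-protocol CountOfPacket() results; feeding real captures in only requires replacing SAMPLE_CAPTURE with the datagrams read from a raw socket on the mirror-port host.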

EWMT Interface Components
EWMT is easy to use through its user-friendly interface, which consists of two parts, as shown in figure 4.

ToolBar
This includes three buttons, which are self-explanatory:
• Run.

Main Window
It consists of three parts:
A. Main Project Component Panel, which has been built with three option icons:
• Network Information. It is used to view all the detailed information for each network interface card (NIC) that exists in the EWMT host machine. In addition, it gives information about network availability, updates the current interface information whenever the selection changes, and determines whether the network is available at startup and what its operational status is.
Details of the captured packet appear in four types of tab pages; each page has a list view and a details viewer that shows the packet in hexadecimal format, as shown in figure 5.

• Statistics
This icon is selected from the Main Project Component Panel to display all the collected statistical information concerning protocols for all the captured packets in the network. This is implemented dynamically as a pie chart in the main chart, as shown in figure 6. In addition, the relations between each IP and every protocol are displayed in a dynamic single bar chart, as shown in figure 7. More protocols can be displayed depending on the type of the captured packets.
In both the pie chart and the single bar chart, right-clicking on the image in each chart makes the following features available:
• The image can be copied to the clipboard.
• The image can be saved.
EWMT is based on monitoring the traffic between wireless stations and the Internet using a standard, non-wireless monitor on a mirror port. This makes it possible to capture the packets being sent and received through the access point. In addition, EWMT can monitor packets in both wired and wireless networks, while the above-mentioned tools are used only for wireless networks. Using a switch with a mirror port makes it possible to monitor a switched network as well as a hub network.

Conclusions
Promiscuous monitoring of wireless networks has often been a source of confusion. It appears logical that if any Ethernet adapter can be used for promiscuous mode monitoring in a wired Ethernet network, then any wireless Ethernet adapter is equally good for doing the same in an 802.11a, b, or g network. Theoretically this is true, but in practice it is very far from reality, because not all wireless NICs support promiscuous mode. Therefore the dilemma is how to monitor the traffic between wireless stations and the Internet. The proposed system presents a specific layout using a standard, non-wireless monitor on a mirror port, which makes it possible to capture the packets being sent and received through the access point.

ToByte(array<Byte> datagram, int offset, int length); this
Extract IP header's information for each field such as type of service