Network Traffic Analysis and Intrusion Detection using Packet Sniffer

Mohammed Abdul Qadeer, Dept. of Computer Engineering, Aligarh Muslim University, Aligarh-202002, India, maqadeer@ieee.org
Arshad Iqbal, Scientist B, GTRE, DRDO, Bangalore, India, arshadamu@gmail.com
Mohammad Zahid, Asst. System Engineer, Tata Consultancy Services, Trivandrum, India, md.zahid@tcs.com
MisbahurRahman Siddiqui, Univ. Women's Polytechnic, Aligarh Muslim University, Aligarh-202002, India, misbahurrahman@gmail.com

Abstract: Computer software that can intercept and log traffic passing over a digital network, or part of a network, is better known as a packet sniffer. The sniffer captures these packets by placing the NIC in promiscuous mode and then decodes them. The decoded information can be used in any way, depending on the intention of the person decoding the data (for a malicious or a beneficial purpose). Depending on the network structure, one can sniff all or just part of the traffic from a single machine within the network. However, there are methods for circumventing the traffic narrowing performed by switches in order to gain access to traffic from other systems on the network. This paper focuses on the basics of a packet sniffer and its working, the development of such a tool on the Linux platform, and its use for intrusion detection. It also discusses ways to detect the presence of such software on the network and to handle it efficiently. Attention is also given to analyzing bottleneck scenarios arising in the network using this self-developed packet sniffer. Before developing this in-house software, the working behaviour of existing sniffer software such as Wireshark (formerly known as Ethereal), tcpdump, and Snort was observed in detail; these served as the basis for the development of our sniffer software. For the capture of the packets, the libpcap library has been used.
The development of such software gives the developer a chance to incorporate additional features that are not present in existing tools.

Keywords: Packet capture, traffic analysis, libpcap, network monitoring, NIC, promiscuous mode, Berkeley Packet Filter, network analyzer, packet sniffer, intrusion detection.

I. INTRODUCTION

A packet sniffer is a program running on a network-attached device that passively receives all data-link-layer frames passing through the device's network adapter. It is also known as a Network or Protocol Analyzer or an Ethernet Sniffer. The packet sniffer captures data that is addressed to other machines, saving it for later analysis. It can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic. Using the information captured by the packet sniffer, an administrator can identify erroneous packets and use the data to pinpoint bottlenecks and help maintain efficient network data transmission. Packet sniffers were never made to hack or steal information. They had a different goal: to make things secure. But then everything has a dark side. Figure 1 shows the output captured by Wireshark (packet sniffer software formerly known as Ethereal). Figure 2 shows how data travels from the application layer to the network interface card.

Fig 1: Screenshot of Wireshark
Fig 2: Flow of packets

2010 Second International Conference on Communication Software and Networks. 978-0-7695-3961-4/10 $26.00 © 2010 IEEE. DOI 10.1109/ICCSN.2010.104
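The abstract and introduction describe a sniffer that receives raw frames from the NIC (via libpcap on Linux) and then decodes them, and they mention that the captured data can serve intrusion detection. The following C program is an added example, not code from the authors' sniffer: it walks the Ethernet, IPv4 and TCP headers of one raw frame buffer, with a length check at every layer so that a truncated or malformed capture cannot push the decoder past the end of the buffer, and then applies one simple detection predicate (a bare SYN to a given port) of the kind such a tool might use. The 54-byte sample frame, the function names and the struct layout are all constructed for this illustration; under libpcap the same decode_frame() would be called from the callback registered with pcap_loop() with the bytes pcap hands over.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Summary of one decoded frame (constructed layout, not the paper's tool). */
struct frame_summary {
    uint16_t ethertype;
    uint8_t  ip_proto;
    uint32_t src_ip, dst_ip;     /* host byte order */
    uint16_t src_port, dst_port;
    uint8_t  tcp_flags;
    int      ok;                 /* 1 only if a complete Ethernet/IPv4/TCP chain was parsed */
};

/* Big-endian readers: all on-the-wire fields are network byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode the headers the way a sniffer does after the capture library hands
   it a raw frame: Ethernet (14 bytes) -> IPv4 (IHL*4 bytes) -> TCP (data
   offset*4 bytes). Each step verifies the remaining length before reading,
   which is the check a captured (possibly truncated) frame always needs. */
struct frame_summary decode_frame(const uint8_t *buf, size_t len) {
    struct frame_summary s;
    memset(&s, 0, sizeof s);
    if (len < 14) return s;
    s.ethertype = rd16(buf + 12);
    if (s.ethertype != 0x0800) return s;            /* only IPv4 handled here */

    const uint8_t *ip = buf + 14;
    size_t iplen = len - 14;
    if (iplen < 20) return s;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || iplen < ihl) return s;
    s.ip_proto = ip[9];
    s.src_ip = rd32(ip + 12);
    s.dst_ip = rd32(ip + 16);
    if (s.ip_proto != 6) return s;                  /* only TCP handled here */

    const uint8_t *tcp = ip + ihl;
    size_t tcplen = iplen - ihl;
    if (tcplen < 20) return s;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || tcplen < doff) return s;
    s.src_port = rd16(tcp);
    s.dst_port = rd16(tcp + 2);
    s.tcp_flags = tcp[13];
    s.ok = 1;
    return s;
}

/* Detection predicate: a connection attempt (SYN set, ACK clear) to one port.
   A monitor would count these per source to spot an unusual rate. */
int is_syn_to_port(const struct frame_summary *s, uint16_t port) {
    return s->ok && s->dst_port == port && (s->tcp_flags & 0x12) == 0x02;
}

/* Constructed sample frame: 192.168.1.10:12345 -> 192.168.1.20:80, TCP SYN.
   IP and TCP checksums are left as zero; they are not computed in this sample. */
const uint8_t sample_frame[] = {
    /* Ethernet: dst MAC, src MAC, EtherType 0x0800 (IPv4) */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/IHL 0x45, TOS, total length 40, id 1, flags/frag 0,
       TTL 64, protocol 6 (TCP), checksum 0, src, dst */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,
    /* TCP: src port 12345, dst port 80, seq 1, ack 0, data offset 5,
       flags SYN (0x02), window 0x7210, checksum 0, urgent pointer 0 */
    0x30,0x39, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0x72,0x10, 0x00,0x00, 0x00,0x00
};
const size_t sample_frame_len = sizeof sample_frame;

int main(void) {
    struct frame_summary s = decode_frame(sample_frame, sample_frame_len);
    if (!s.ok) { puts("frame not decodable"); return 1; }
    printf("%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u flags=0x%02x syn_to_80=%d\n",
           s.src_ip >> 24, (s.src_ip >> 16) & 0xff, (s.src_ip >> 8) & 0xff, s.src_ip & 0xff, s.src_port,
           s.dst_ip >> 24, (s.dst_ip >> 16) & 0xff, (s.dst_ip >> 8) & 0xff, s.dst_ip & 0xff, s.dst_port,
           s.tcp_flags, is_syn_to_port(&s, 80));
    return 0;
}
```

Passing a shorter length than the frame actually has (as happens when a capture snaplen truncates a packet) makes decode_frame() return a summary with ok set to 0 rather than reading beyond the buffer; a sniffer that skips this check on every layer is itself a target for crafted frames.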