WIRELESS PACKET ANALYZER TOOL WITH IP TRACEROUTE
H. Abdul Rauf,
Dean (CSE/IT), V.L.B. Janakiammal College of Engineering & Technology, Coimbatore
A. Ebenezer Jeyakumar
Principal, Government College of Engineering, Salem
The ability to characterize IP traffic and understand how and where it flows is critical for network availability, performance, security and troubleshooting. Monitoring IP traffic flows facilitates more accurate capacity planning and ensures that resources are used appropriately in support of organizational goals. It helps to determine where to apply Quality of Service (QoS) and optimize resource usage, and it plays a vital role in network security in detecting Denial-of-Service (DoS) attacks, network-propagated worms and other undesirable network events. The proposed Wireless Packet Analyzer Tool (WPAT) facilitates solutions to many common Wi-Fi threats encountered by wireless networks, such as DoS attacks, mis-associated systems from neighboring premises and rogue APs. The attacks were simulated in an experimental set-up and WPAT was tested for the required performance. A scheme that effectively and efficiently combines detection, defense and traceback may significantly enhance performance and mitigate false positives. WPAT is used to identify the new IP address, and its route is traced by the IP Traceback tool. The route contains the total number of hops, the time taken for each hop in milliseconds and the IP addresses of the intermediate routers. The traced route is used for plotting the graph.

Keywords: Denial-of-Service, Wireless Packet Analyzer Tool, IP Traceback.
1 INTRODUCTION

The rapid increase in the use of computers, coupled with the exponential growth of the Internet, has also had ramifications on the growth of crime. Effective tools that can analyze and monitor network traffic and can also keep up with the growing bandwidth speeds are required. Such monitoring tools help network administrators in evaluating and diagnosing performance problems with servers, the network, hubs and applications. Careful and judicious monitoring of data flowing across the network can help detect and prevent crime and protect intellectual property as well as the privacy of individuals.

Network monitoring tools can monitor the network at various levels of the network stack. Some tools monitor only at the MAC layer whereas others can also monitor the network layer. Some tools can extend to the application level as well. There are only limited tools that attempt to monitor based on filtering the content of applications. Network monitoring tools are mostly "sniffers", optionally coupled with filtering and post-processing tools. This paper discusses the mechanics of the proposed "Wireless Packet Analyzer Tool", which is a post-processing tool coupled to an already available sniffer.

IP Traceback is the process of identifying the actual source of attack packets. It helps in mitigating DoS attacks by isolating the identified attack sources. IP Traceback is a challenging problem because of the distributed, anonymous nature of DDoS attacks, the stateless nature of the Internet, destination-oriented IP routing and the fact that millions of hosts are connected to the Internet. All these factors help attackers to stay behind the scenes and hence complicate the process of traceback.

The remainder of the paper is organized as follows: Section 2 details the theory and background of the paper. Section 3 focuses on the Network Monitoring Tool. Section 4 emphasizes the IP Traceback Tool and its graphical output. Section 5 gives the conclusion and future scope of the paper.
Ubiquitous Computing and Communication Journal 1
Carnivore (Smith 2000) is a tool developed by the Federal Bureau of Investigation (FBI). This tool is developed for the sole purpose of directed surveillance, and it can capture packets based on a wide range of application-layer criteria. It functions through wire-taps across gateways and Internet Service Providers (ISPs). Carnivore is also capable of monitoring networks based on dynamic IP addresses. The capabilities for string searches in application-level content seem limited in this package. It can also capture e-mail messages to and from a specific user's account and all network traffic to and from a specific user or IP address. It can also capture headers for various protocols.

PickPacket (Neeraj 2002) and (Pande and Sanghi 2005) is a monitoring tool similar to Carnivore. This tool can filter packets across the levels of the Open Systems Interconnection (OSI) network stack for selected applications. Criteria for filtering can be specified at the network layer and at the application layer for applications. It also supports real-time searching for text strings in applications and packet content. The criteria for selecting packets in PickPacket can be specified at several layers of the protocol stack. The filtering component of this tool does not inject any IP packets onto the network. Once the IP packets have been selected based on these criteria, they are dumped to permanent storage. The tool has been demonstrated to work over a 100 Mbps link. The extensibility and the modular design of PickPacket make it more generalized: it can be used as a simple tcpdump-like application and can also be extended to become an intrusion detection tool.

The Cisco NetFlow tool (2007) identifies new application network loads such as VoIP or remote site additions. This tool uses NetFlow statistics to measure WAN traffic improvement from application-policy changes and to understand who is utilizing the network and who the network top talkers are. It diagnoses slow network performance, bandwidth hogs and bandwidth utilization quickly with a command line interface or reporting tools. It also has facilities to avoid costly upgrades by identifying the applications causing congestion. NetFlow can be used for anomaly detection and worm diagnosis. It confirms that appropriate bandwidth has been allocated to each Class of Service (CoS) and that no CoS is over- or under-subscribed.

3 WIRELESS PACKET ANALYSER TOOL

Network monitoring tools are often called sniffers. Network sniffers are software applications, often bundled with hardware devices, and are used for eavesdropping on network traffic. Sniffers usually provide some form of protocol-level analysis that allows them to decode the data flowing across the network according to the needs of the user. This analysis is often done on a packet-by-packet basis, as data flows in the network in packets. Sniffing programs have traditionally been used for helping in managing and administering networks. Recently, sniffers have also found use with law enforcement agencies for gathering intelligence and helping in crime prevention and detection. Typically such programs can be used for evaluating and diagnosing network-related problems, debugging applications, rendering captured data, network intrusion detection and network traffic logging.

3.1 Design and Development

Sniffers normally dump the packets that they capture directly to the disk. These packets usually require post-capture processing to render them human readable. Most sniffers provide post-processing and rendering tools. Sniffers that provide statistics about the captured data with the sole purpose of helping network managers in diagnosing and evaluating performance problems with servers, the network media, switches and applications are usually called network monitoring tools. Traditionally such tools set up alerts on various events, show trends of network traffic over a time period and maintain some history information.

Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine whether the packet is unique or similar to other packets. Traditionally, an IP flow is based on a set of seven and up to nine IP packet attributes. The IP packet attributes used by WPAT are IP source address, IP destination address, source port, destination port, protocol type, packet size, and date and time of packet flow.

All packets with the same source/destination IP address, source/destination ports, protocol, interface and class of service are grouped into a flow, and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database.

This flow information is extremely useful for understanding network behavior:
• Source address allows the understanding of who is originating the traffic
• Destination address tells who is receiving the traffic
• Ports characterize the application utilizing the traffic
• Tallied packets and bytes show the amount of traffic
• Flow timestamps help to understand the life of a flow; timestamps are useful for calculating packets and bytes per second.

The WPAT software creates real-time or historical reports from the captured data.

The proposed wireless packet analyzer tool (WPAT), as shown in Figure 1, links with the packet sniffer tool and updates all packets already captured by the sniffer tool every 30 seconds. The sniffer tool is set to capture the raw packets and store them in text format. The proposed WPAT links to the captured data and displays the data as shown in Figure 1. The analyzer tool displays another two windows showing the sum of packet flow between the starting time of capture and the ending time of capture, and the enterprise network intruder.

The sum of packet flow gives consolidated details about packets captured between any time period, and further analysis of the data can be made by selecting any source IP and clicking the "Packet Flow Details" button shown in Figure 1. The results shown in Table 1 are produced by the report generated by the "Packet Flow Details" button. The graphs shown in Figure 3 to Figure 6 are obtained by selecting any IP address in the packet flow window (starting time of capture to ending time of capture) and by the report generated by the "Graphs" button. Likewise, graphs for any source IP address can be displayed if any abnormality is noticed in the packet flow. These graphs show a clear picture of the packet flow from any source IP address to the honeypot server system.

The "enterprise master" button is used to enter the IP address, the MAC address and the system name permitted to be used inside the enterprise.

Figure 1. Wireless Packet Analyzer Tool

3.2 Implementation

The implementation is done using the experimental set-up shown in Figure 2. A honeypot system is also implemented using the same experimental set-up. The experiments were carried out several times until satisfactory results were obtained.

A sniffer tool is used to capture the raw packets from the network and is connected to the database. The sniffer tool used is set to capture the packets flowing through the specified system.

3.3 Experiment 1 - To Study the Packet Flow Information

The experiment is conducted using the experimental set-up shown in Figure 2. Initially packets are generated from various clients and sent to a honeypot server which is placed in the enterprise premises, as shown in Figure 2. A data set is generated and a valid stream is transmitted from the clients to the wireless honeypot server. The data received by the honeypot server is captured using a sniffing tool and linked to the database.

Figure 2. Experimental Set-up and IP Connected

Figure 3 shows packets generated from the "update" client and sent to the "honeypot_server" as a valid stream. Likewise, Figure 4 shows packets generated from the "update1" client and sent to "honeypot_server" as a valid stream. Similar valid streams generated from "update4" and "update5wireless_client" were sent to the "honeypot_server". Table 1 shows the captured data over a period of time. Figure 3 and Figure 4 show graphs of the packets transmitted from the "update" and "update1" clients over a period of time.
Table 1 illustrates the details of the packets captured by the honeypot server. The second column shows the packet size captured at various instants of time. The packets received by the server from all connected clients are tabulated with their source IP, destination IP, source port and destination port.
Table 1 Details of the sample packets captured by the Honeypot server.

No     Size  Source (S) IP   Destination IP  S port  D port  Time
1      162   192.168.1.111   192.168.1.113   1088    7000    12:32:52
2      52    192.168.1.113   192.168.1.111   7000    1088    12:32:53
5      40    192.168.1.112   192.168.1.113   1424    7000    12:32:53
6      72    192.168.1.113   192.168.1.112   7000    1424    12:32:53
7      1500  192.168.1.111   192.168.1.113   1088    7000    12:32:53
10     1500  192.168.1.111   192.168.1.113   1088    7000    12:32:53
13     1500  192.168.1.113   192.168.1.112   7000    1424    12:32:53
14     645   192.168.1.113   192.168.1.112   7000    1424    12:32:53
16     1500  192.168.1.113   192.168.1.112   7000    1424    12:32:53
13288  46    192.168.1.117   192.168.1.113   1041    7000    01:45:36
13291  46    192.168.1.113   192.168.1.117   7000    1041    01:45:36
13292  40    192.168.1.117   192.168.1.113   1041    7000    01:45:37
13293  65    192.168.1.113   192.168.1.117   7000    1041    01:45:37
13294  40    192.168.1.117   192.168.1.113   1041    7000    01:45:37

Figure 5 Packets from Permitted IP 192.168.1.112

Figure 6 Packets from Permitted IP 192.168.1.117
3.4 Experiment 2 - To Simulate and Detect

In this experiment a DoS attack is detected using the following experimental set-up. For the DoS attack an experimental set-up is created as shown in Figure 7. Figure 8 shows packets generated from the "update5wireless_client" client and sent to the honeypot server as an invalid stream. Figure 9 shows a graph of the packets transmitted from "update5wireless_client" over a period of time.

Figure 9 and Figure 6 are compared, and the graph shows very large packets received from the "update5wireless" client compared to the packets received from the "update" client over a period of time. This graphically represents the attack packets sent from the "update5wireless" client to the honeypot server.

Figure 3 Packets from Permitted IP 192.168.1.110

Figure 4 Packets from Permitted IP 192.168.1.111

Figure 7 DoS Attack Experimental Set-up
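The flow fingerprinting of section 3.1 and the volume comparison of experiment 2, as an added example that is not part of the paper: it tallies packets and bytes per flow and per source over the Table 1 rows (a TCP protocol column is assumed, since Table 1 does not print one) and a constructed stand-in for the flooding stream of Figure 9, then flags a source whose byte rate towards the honeypot dwarfs that of the busiest permitted client.

```python
from datetime import datetime, timedelta

HONEYPOT = "192.168.1.113"        # honeypot_server of Table 2
# Permitted addresses from the "enterprise master" (Table 2).
PERMITTED = {"192.168.1.110", "192.168.1.111", "192.168.1.112",
             "192.168.1.113", "192.168.1.117"}

# Constructed sniffer dump in the Table 1 layout plus a protocol column, which
# Table 1 omits but the WPAT fingerprint needs (TCP assumed): no, size, source,
# destination, source port, destination port, protocol, time.
TABLE1 = """
1 162 192.168.1.111 192.168.1.113 1088 7000 TCP 12:32:52
2 52 192.168.1.113 192.168.1.111 7000 1088 TCP 12:32:53
5 40 192.168.1.112 192.168.1.113 1424 7000 TCP 12:32:53
6 72 192.168.1.113 192.168.1.112 7000 1424 TCP 12:32:53
7 1500 192.168.1.111 192.168.1.113 1088 7000 TCP 12:32:53
10 1500 192.168.1.111 192.168.1.113 1088 7000 TCP 12:32:53
13 1500 192.168.1.113 192.168.1.112 7000 1424 TCP 12:32:53
14 645 192.168.1.113 192.168.1.112 7000 1424 TCP 12:32:53
16 1500 192.168.1.113 192.168.1.112 7000 1424 TCP 12:32:53
"""

def flood_dump(src="192.168.1.116", n=200, start="01:45:40"):
    """Constructed stand-in for the update5wireless_client stream of Figure 9:
    n full-size packets to port 7000 spread over two consecutive seconds."""
    t0 = datetime.strptime(start, "%H:%M:%S")
    lines = []
    for i in range(n):
        t = (t0 + timedelta(seconds=i * 2 // n)).strftime("%H:%M:%S")
        lines.append(f"{20000 + i} 1500 {src} {HONEYPOT} 1500 7000 TCP {t}")
    return "\n".join(lines)

def parse(dump):
    """One record per non-empty sniffer line; the time field is HH:MM:SS."""
    recs = []
    for line in dump.splitlines():
        if line.strip():
            no, size, src, dst, sp, dp, proto, t = line.split()
            recs.append({"no": int(no), "size": int(size), "src": src, "dst": dst,
                         "sport": int(sp), "dport": int(dp), "proto": proto,
                         "time": datetime.strptime(t, "%H:%M:%S")})
    return recs

def tally(records, key):
    """Group records by key(record); tally packets, bytes and first/last time."""
    table = {}
    for r in records:
        f = table.setdefault(key(r), {"packets": 0, "bytes": 0,
                                      "first": r["time"], "last": r["time"]})
        f["packets"] += 1
        f["bytes"] += r["size"]
        f["first"] = min(f["first"], r["time"])
        f["last"] = max(f["last"], r["time"])
    return table

def fingerprint(r):
    """WPAT flow identity: addresses, ports and protocol of the packet."""
    return (r["src"], r["dst"], r["sport"], r["dport"], r["proto"])

def flows(records):
    """The per-flow table into which WPAT condenses a capture."""
    return tally(records, fingerprint)

def rate_per_source(records, target=HONEYPOT):
    """Bytes per second each source sends to the honeypot.  Timestamps have
    one-second resolution, so a burst inside one second is rated over a
    one-second window rather than divided by zero."""
    stats = tally([r for r in records if r["dst"] == target], lambda r: r["src"])
    for s in stats.values():
        secs = max((s["last"] - s["first"]).total_seconds(), 1.0)
        s["bytes_per_sec"] = s["bytes"] / secs
    return stats

def flag_flood(stats, permitted=PERMITTED, factor=10.0):
    """Experiment 2 comparison: report a source whose byte rate towards the
    honeypot exceeds `factor` times that of the busiest permitted client."""
    baseline = max((s["bytes_per_sec"] for ip, s in stats.items()
                    if ip in permitted), default=0.0)
    return sorted(ip for ip, s in stats.items()
                  if s["bytes_per_sec"] > factor * baseline)

if __name__ == "__main__":
    stats = rate_per_source(parse(TABLE1 + flood_dump()))
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} {s['packets']:5d} pkts {s['bytes']:8d} B {s['bytes_per_sec']:9.0f} B/s")
    print("flagged as flooding:", flag_flood(stats))
```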
Figure 8 Packets from "update5wireless_client"

Figure 9 Packets from DoS attacking IP 192.168.1.116

Figure 10 Experimental Set-up for Wi-Fi Threats

Table 2 Permitted and Mis-Associated IPs

No.  IP Address     MAC Address        System Name       Permission
1    192.168.1.110  00:A0:B0:00:0D:FF  Update4
2    192.168.1.111  00:E0:20:72:36:27  Update
3    192.168.1.112  00:E0:20:75:31:42  Update1
4    192.168.1.113  00:12:F0:09:55:C9  Honeypot_Server
5    192.168.1.116                                       Not Permitted
6    192.168.1.117  00:17:9A:77:FC:E5  Update6_wireless
3.5 Experiment 3 - To Simulate and Detect Mis-Associated IPs from the Neighboring Premises

In this experiment Wi-Fi threats in a no-Wi-Fi network are detected using the following experimental set-up. For mis-associated IPs from neighboring premises an experimental set-up is created as shown in Figure 10.

Figure 10 illustrates an attack that lures multiple laptops into mis-associating. Even if there are no IEEE 802.11 APs, most laptops have IEEE 802.11 cards, and the laptop radio is configured by default to associate automatically with the strongest signal from a list of SSIDs. Hackers simply sit outside the building with an AP configured to a common SSID and wait for a number of laptops to connect. Table 2 classifies the permitted IPs and the mis-associated IPs.

3.6 Experiment 4 - To Simulate and Detect a

In this experiment Wi-Fi threats in a no-Wi-Fi network are detected using the following experimental set-up. For detecting a rogue AP an experimental set-up is created as shown in Figure 11. A rogue AP is detected and auto-classified from the permitted IPs.

Even if there is no IEEE 802.11 AP, hackers through known or unknown sources place rogue IEEE 802.11 APs in the enterprise premises, get connected to the enterprise network and attack the laptops which have IEEE 802.11 cards. Hackers simply sit outside the building and attack the enterprise network. Table 3 shows the intruder IP connected to the enterprise network.
Table 3 Intruder IPs Connected to Enterprise

Source IP      Dest IP        Date        Time
192.168.1.116  192.168.1.111  28:05:2007  01:06:56

Figure 11 Experimental Set-up to Prevent Rogue AP and Threats

WPAT is used to find the unknown IP address, as shown in Table 4 and Table 5. A database is maintained which contains all the IP addresses that have been previously traversed.

Table 4 WPAT Output

Type  Size  Source IP       Destination IP
TCP   54    220.127.116.11  18.104.22.168
TCP   477   22.214.171.124  126.96.36.199
TCP   1086  188.8.131.52    184.108.40.206
TCP   453   220.127.116.11  18.104.22.168

Table 5 New IP Addresses

22.214.171.124
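The enterprise master check behind Tables 2 and 3 and the new-IP search behind Tables 4 and 5, as an added example that is not the authors' code. The capture, the source MAC addresses, the single /24 premises range and the contents of the previously-traversed database are all constructed so that the run reproduces Table 3 and Table 5; the data-packet size filter (more than 100 bytes) is the one section 4.1 describes.

```python
# Constructed enterprise master (Table 2): IP -> (MAC address, system name).
MASTER = {
    "192.168.1.110": ("00:A0:B0:00:0D:FF", "Update4"),
    "192.168.1.111": ("00:E0:20:72:36:27", "Update"),
    "192.168.1.112": ("00:E0:20:75:31:42", "Update1"),
    "192.168.1.113": ("00:12:F0:09:55:C9", "Honeypot_Server"),
    "192.168.1.117": ("00:17:9A:77:FC:E5", "Update6_wireless"),
}
PREMISES_PREFIX = "192.168.1."   # assumption: the enterprise is one /24

# Constructed "previously traversed" database: every address of Table 4 except
# 22.214.171.124, so that the run reproduces Table 5.
KNOWN = {"220.127.116.11", "18.104.22.168", "126.96.36.199",
         "188.8.131.52", "184.108.40.206"}

# Constructed capture: (protocol, size, source IP, source MAC, destination IP).
# The four external rows are Table 4; MACs are constructed (the paper's tables
# do not print them) and use the IANA documentation range 00-00-5E-00-53-xx.
CAPTURE = [
    ("TCP", 54, "220.127.116.11", "00:00:5E:00:53:01", "18.104.22.168"),
    ("TCP", 477, "22.214.171.124", "00:00:5E:00:53:02", "126.96.36.199"),
    ("TCP", 1086, "188.8.131.52", "00:00:5E:00:53:03", "184.108.40.206"),
    ("TCP", 453, "220.127.116.11", "00:00:5E:00:53:01", "18.104.22.168"),
    ("TCP", 60, "192.168.1.116", "00:00:5E:00:53:10", "192.168.1.111"),    # Table 3 intruder
    ("TCP", 40, "192.168.1.112", "00:00:5E:00:53:11", "192.168.1.113"),    # known IP, foreign MAC
    ("TCP", 1500, "192.168.1.111", "00:E0:20:72:36:27", "192.168.1.113"),  # valid stream
]

def in_premises(ip):
    return ip.startswith(PREMISES_PREFIX)

def classify_host(ip, mac, master=MASTER):
    """Compare a premises source with the enterprise master entry for its IP."""
    if ip not in master:
        return "not permitted"
    known_mac, name = master[ip]
    if mac.upper() != known_mac.upper():
        return f"MAC differs from {name}"
    return "permitted"

def intruders(capture, master=MASTER):
    """Table 3 style list: premises sources that are not a permitted (IP, MAC) pair."""
    found = {}
    for _, _, src, mac, _ in capture:
        if in_premises(src):
            verdict = classify_host(src, mac, master)
            if verdict != "permitted":
                found[src] = verdict
    return sorted(found.items())

def new_ips(capture, known=KNOWN, min_data=100):
    """Section 4.1: keep data packets (more than min_data bytes), take both end
    points that lie outside the premises and report those absent from the
    database.  Both ends are checked because a web server answering a host
    appears as the source of the data packet."""
    found = set()
    for _, size, src, _, dst in capture:
        if size <= min_data:
            continue
        found.update(ip for ip in (src, dst)
                     if not in_premises(ip) and ip not in known)
    return sorted(found)

def remember(new, known=KNOWN):
    """Once traced, an address joins the database and is not reported again."""
    return known | set(new)

if __name__ == "__main__":
    for ip, why in intruders(CAPTURE):
        print(f"intruder {ip}: {why}")
    fresh = new_ips(CAPTURE)
    print("new IP addresses to trace:", fresh)
    print("reported on a second pass:", new_ips(CAPTURE, remember(fresh)))
```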
4 TRACING CYBER ATTACKS BY THE IP TRACEBACK TOOL

IP traceback may identify attack sources. However, IP traceback itself is not a detection or defense scheme. Integrating IP traceback with other functionalities such as detection and defense is the topic of interest which is experimented with in this IP Traceback tool.

4.1 Finding the New IP Address

This module finds the new IP address whose route has to be traced. The sniffer output is used in this module. The sniffer is used to sniff both data packets and control packets. A control packet does not contain any information and hence its size is small, while data packets contain some data and have a large size (say greater than 100 bytes). For example, while downloading a web page or files, say from yahoo.com or google.com, the host may request information. In that case the web server sends the packet to the host system that requested it. Thus the web server becomes the source and the host system requesting the packet becomes the destination.

4.2 Tracing the route of new IP address

This module traces the route of the new IP address. The route contains the number of hops, the time in milliseconds and the IP addresses of the intermediate routers. Traceroute displays all the routers through which data packets pass on the way from the source system to the destination system. However, the path displayed by Traceroute for the same source and the same destination in two different sessions may or may not vary. The operations performed during the tracing process are depicted as a flowchart in Figure 12, and a block diagram of the traceroute concept is shown in Figure 13.

The first step in the traceroute command is that it creates a packet with a TTL value of 1 and sends it to the destination system. The first router on the way from the source system to the destination system will discard the data packet, as the TTL value of this received data packet is 1. In addition, this first router will also send back a "Time exceeded" error message to the source system. This "Time exceeded" error message received by the source system has as its source IP address that of the first router. As a result, the traceroute running on the source system comes to know the IP address of the first router. In this way, the traceroute command identifies the address of the first router on the path to the destination system and displays it on the screen.
Figure 12 Flowchart for Traceroute (steps shown: if TTL <= 255, send a UDP datagram to the router; if the router is the destination, print "trace route complete" and stop; if ipo.ttl = 0, print the router IP and ipo.ttl++)

Similarly, in the next step, traceroute sends a data packet with a TTL value of 2 to the destination system. The first router receiving this data packet will decrement the TTL value of the packet by 1 and then forward the packet to the second router on the path to the destination system. This second router would in turn discard this packet and send back a "Time Exceeded" error message to the source system, revealing its IP address. This process of sending packets with increasing TTL values is carried out until the data packet has a TTL value high enough to make sure that it reaches the destination system.

Figure 13 Block Diagram of Traceroute Concept

When the TTL value is high enough for the data packet to reach the destination system, its TTL value would have been decremented to 1 by the time the data packet reaches its destination. However, even though the destination system will receive a data packet having a TTL value of 1, it will not discard the packet. This is because the destination has been reached. Since the destination system does not discard the data packet that it receives, it does not generate a "Time exceeded" error message. As a result, since no "Time Exceeded" error message is generated, the source system does not have any way by which it can ensure that the destination system has been reached. Hence, all new IP addresses are traced, and if there is any intruder, it is considered as a new IP address and its route is also traced. Thus the intruder is traced.

4.3 Graphical Representation

The output shown in Table 6 is the route of the new IP address, which is used for drawing the graph. Table 6 contains fields such as the number of hops, the time taken by each hop and the IP addresses of the intermediate routers.

Table 6 Traceroute Table

No. of Hops  Time Taken  Intermediate Routers
Hop 1        38 ms       126.96.36.199
Hop 2        45 ms       188.8.131.52
Hop 3        46 ms       184.108.40.206
Hop 4        46 ms       220.127.116.11
Hop 5        62 ms       18.104.22.168
Hop 6        280 ms      22.214.171.124
Hop 7        280 ms      126.96.36.199
Hop 8        280 ms      188.8.131.52
Hop 9        286 ms      184.108.40.206
Hop 10       296 ms      220.127.116.11
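The TTL-stepping procedure of section 4.2 and the flowchart of Figure 12, as an added simulation that is not the authors' code. The path is constructed: nine routers with addresses from the RFC 5737 documentation ranges, the per-hop times of Table 6, and the new IP of Table 5 as the tenth hop. As in classic UDP traceroute, the destination is recognised because it answers the probe itself (with ICMP Port Unreachable) instead of returning Time Exceeded; a probe that runs past the last hop gets no answer, which is how the incomplete case shows up.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Reply:
    src: str        # address of the router (or destination) that answered
    kind: str       # "time exceeded" or "port unreachable"
    rtt_ms: int

class Path:
    """Constructed network: the ordered hops between the tracing host and the
    outside world, each with a round-trip time.  Assumption: every probe
    follows this one path, whatever destination it carries."""

    def __init__(self, hops: List[Tuple[str, int]]):
        self.hops = hops

    def send(self, dst: str, ttl: int) -> Optional[Reply]:
        """Deliver one UDP probe.  A hop that is the destination answers the
        probe instead of discarding it; any other hop decrements the TTL and,
        when it reaches 0, discards the datagram and returns ICMP Time
        Exceeded, which carries the hop's own address as its source."""
        for ip, rtt in self.hops:
            if ip == dst:
                return Reply(ip, "port unreachable", rtt)
            ttl -= 1
            if ttl == 0:
                return Reply(ip, "time exceeded", rtt)
        return None   # past the last hop and still alive: nobody answers

def traceroute(net: Path, dst: str, max_ttl: int = 255):
    """Figure 12: probe with TTL = 1, 2, ... up to max_ttl, recording the router
    that answers each time, and stop once the answer comes from the destination.
    Returns (rows, complete): rows are (hop, rtt_ms, ip), with None for a hop
    that stayed silent, and complete is False when max_ttl ran out."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        reply = net.send(dst, ttl)
        if reply is None:
            rows.append((ttl, None, None))        # classic traceroute prints "*"
            continue
        rows.append((ttl, reply.rtt_ms, reply.src))
        if reply.kind == "port unreachable":      # the destination itself replied
            return rows, True
    return rows, False

def format_table(rows):
    """Table 6 layout: hop number, time taken, intermediate router."""
    out = []
    for hop, rtt, ip in rows:
        taken = "*" if rtt is None else f"{rtt} ms"
        out.append(f"Hop {hop:<3} {taken:>7}  {ip or '*'}")
    return out

# Constructed path: router addresses from the RFC 5737 documentation ranges,
# round-trip times copied from Table 6, and the new IP of Table 5 as hop 10.
NEW_IP = "22.214.171.124"
PATH = Path([("192.0.2.1", 38), ("192.0.2.254", 45), ("198.51.100.1", 46),
             ("198.51.100.2", 46), ("198.51.100.3", 62), ("203.0.113.1", 280),
             ("203.0.113.2", 280), ("203.0.113.3", 280), ("203.0.113.4", 286),
             (NEW_IP, 296)])

if __name__ == "__main__":
    rows, complete = traceroute(PATH, NEW_IP)
    print("\n".join(format_table(rows)))
    print("trace route complete" if complete else "destination not reached")
```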
The route traced by the Traceroute tool is enhanced by the graphical representation shown in Figure 14. The hops are plotted against the milliseconds.

Figure 14 Traceroute graph (Time - ms against hops 1 to 10)

5 CONCLUSION

The proposed post-processing tool, through various experimental results, shows that it can measure the packets flowing across an enterprise network while considering the wireless threats on-the-fly. So a specific approach is undertaken to present a new experimental set-up for the precise measurement of packets across an enterprise network, with or without Wi-Fi, using a sniffer and a WPAT.

Thus, WPAT using an IP Traceback tool is more effective: when any new IP address appears and that IP address is not available in the database, its route is traced back. Thus, when an intruder attacks with an IP address that is not available in the database, that IP address is also considered as a new IP and the route is traced. The IP Traceback tool is enabled in real time, and this tool based on the ICMP concept proves to be efficient.

• M. Sung and J. Xu: 'IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks', IEEE Transactions on Parallel and Distributed Systems, Vol. 14, No. 9, pp. 861-872 (2003).
• Y. Tseng, H. Chen and W. Hsieh: 'Probabilistic Packet Marking with Non-Preemptive Compensation', IEEE Communications Letters, Vol. 8, No. 6, pp. 359-361 (2004).
• D. Wei and N. Ansari: 'Implementing IP Traceback in the Internet - An ISP Perspective', Proceedings of 3rd Annual IEEE Workshop on Information Assurance, West Point, New York, pp. 326-332 (2002).
• A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, F. Tchakountio, B. Schwartz, S.T. Kent and W.T. Strayer: 'Single Packet IP Traceback', IEEE/ACM Transactions on Networking, Vol. 10, pp. 721-734 (2002).
• A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, S.T. Kent, F. Tchakountio and W.T. Strayer: 'Hash-Based IP Traceback', Proceedings of ACM Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, San Diego, California, USA (2001).
• K. Park and H. Lee: 'On the Effectiveness of Probabilistic Packet Marking for IP Traceback under DoS Attack', Proceedings of 20th Annual Joint Conference of the IEEE Computer and Communication Society, Vol. 1, pp. 338-347.
• A. Mankin, D. Massey, Chien-Lung Wu, S.F. Wu and Lixia Zhang: 'On Design and Evaluation of 'Intention-driven' ICMP Traceback', Proceedings of 10th International Conference on Computer Communication and Networks, Scottsdale, USA, pp. 159-65 (2001).
• J. Li, M. Sung, J. Xu and L. Li: 'Large-Scale IP Traceback in High-Speed Internet: Practical Techniques and Theoretical Foundation', Proceedings of IEEE Symposium on Security and Privacy, Oakland, California, pp. 115-129 (2004).
• C. Gong and K. Sarac: 'IP Traceback based on Packet Marking and Logging', Proceedings of IEEE International Conference on Communication, Vol. 2, pp. 1043-1047 (2005).
• M.T. Goodrich: 'Probabilistic Packet Marking for Large-Scale IP Traceback', IEEE/ACM Transactions on Networking, Vol. 16, No. 1, pp. 15-24 (2008).
• Z. Gao and N. Ansari: 'Tracing Cyber Attacks from the Practical Perspective', IEEE Communications Magazine, Vol. 43, No. 5, pp.
• A. Belenky and N. Ansari: 'On IP Traceback', IEEE Communications Magazine, Vol. 41, No. 7, pp. 142-153 (2003).
• A. Belenky and N. Ansari: 'Tracing Multiple Attackers with Deterministic Packet Marking (DPM)', Proceedings of IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, Victoria BC, Canada, pp. 49-52 (2003).
• A. Belenky and N. Ansari: 'IP Traceback with Deterministic Packet Marking', IEEE Communications Letters, Vol. 7, No. 4, pp. 162-164 (2003).
• C. Beak, J.A. Chaudhry, K. Lee, S. Park and M. Kim: 'A Novel Packet Marketing Method in DDoS Attack Detection', Proceedings of American Journal of Applied Sciences, Vol. 4, No. 10, pp. 741-754 (2007).
• Brajesh Pande: 'Network Monitoring Tool', Computer Society of India, Communications, November 2006, pp. 27-29 (2006).
• B. Pande, D. Gupta, D. Sanghi and S.K. Jain: 'The Network Monitoring Tool - PickPacket', Proceedings of 3rd International Conference on Information Technology and Applications, Vol. 2, pp. 191-196 (2005).
• P. Stephen, J. Smith and Allen Crider: 'Independent Review of the Carnivore System', Final Report, IIT Research Institute, Lanham,
H.A. Rauf received the Bachelor's degree in Electrical and Electronics Engineering in 1987. He completed his Master's degree in Business Administration (M.B.A.) in the year 1996 and his Master's degree in Computer Science and Engineering in the year 1999. He is currently a PhD candidate in the faculty of Information and Communication Engineering, Anna University of Chennai. His research interests include mobile computing, computer networks, network security, advanced networks and performance evaluation of computer networks. He is currently the Dean (CSE/IT), V.L.B. Janakiammal College of Engineering & Technology, Coimbatore, India.

Dr. Ebenezer Jeyakumar is currently the Principal of Government College of Engineering, Salem, India. Being an eminent professor of Anna University, he has many students doing their research under his guidance in various fields. Some of his main areas of research are networking, mobile computing, high voltage engineering and other related areas.