Introduction


Analyzer is a packet capture tool: it captures packets from the network and displays them through a graphical interface. The user can choose the network adapter (used for the capturing and monitoring process), specify an appropriate filter, and select, copy and paste packets. Advanced features include computing (and plotting) statistics on the captured packets and plotting statistics in real time (number of packets flowing through the network, and so on).

Here is a snapshot of the Analyzer interface:

The first window shows the packet index: the list of the packets belonging to the capture document. The window on the left shows the packet selected in the packet index as a tree view; by expanding a branch you can see the packet fields. The window on the right shows the hexadecimal ("raw") view of the selected packet.


Analyzer structure overview


Analyzer is made up of several components:

  1. A graphical interface, used for user-friendly interaction.

  2. A low-level packet capture library, used to capture packets and monitor network traffic. Analyzer uses the WinPcap library for this, a packet capture library developed at Politecnico di Torino; its main goal was to capture packets from the network and to create the capture file. Recently added extensions include the possibility to set monitoring filters on network traffic (WinPcap statistics mode). We plan to add these capabilities to off-line captures as well.

  3. A legacy program, Query, which is a remnant of older versions of Analyzer. Query is a standard console application that receives command lines and produces text lines as output; it is located in the Analyzer folder, and help on its commands is available by launching the command 'help'. We hope to be able to replace this program with new ones soon. Query aims at:

  4. Parsers: external programs that take text files as input and generate "pseudo-code" used to interpret and display packets. For instance, the protocol description is given in a special file (a PDF file, Protocol Description Format) that is dynamically recompiled in order to be used by the analysis engine. This "dynamic compiler" is one of the parsers used by Analyzer.

  5. Graphical plug-ins: standard Windows DLLs that display graphics produced from the statistical and monitoring output. This part is completely customizable, and the user can add their own graphics without recompiling Analyzer.

A general schema of the interactions among the components of Analyzer is given below:


Query is the analysis engine: it reads the capture file created by the capture engine (based on the WinPcap library). In order to read the capture file, Query needs some configuration files (indicated in the figure with their abbreviations, which are also their file extensions). These files describe:

  1. the format of the capture file (LFF - Log File Format);

  2. the structure of the protocols (PDF - Protocol Definition Format);

  3. which kind of information has to appear in the index of the first panel of the Analyzer window (IFF - Index File Format);

  4. the structure of the packet description that appears in the second panel, the tree view panel (DFF - Definition File Format).

These files are ordinary text files; an advanced user can modify them in order to add a new protocol to the supported list, or to enable recognition of a new capture file format, created for instance by another network sniffer. Query does not receive the configuration files directly; it receives their object files, created by three parsers that are applications separate from Analyzer. Query therefore has all the information needed to read the capture file and to create its output, which is composed of text lines; these text lines contain all the information shown by the three panes of the graphical interface: the packet index, the packet description and the hexadecimal packet structure. For instance, when the user clicks on a packet in the index, the graphical interface asks Query for the description of the selected packet and then uses the text description to update the second and third panes. The names of the configuration files used by Query can be set through the graphical interface.
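The following is an added illustration of the three kinds of output described above (index line, field tree, raw view) and is not Analyzer's or Query's own code. It assumes the standard libpcap file layout rather than Analyzer's ACP format, and the capture bytes it reads are constructed inline.

```python
import struct

# Constructed sample (libpcap layout, not Analyzer's ACP): one Ethernet/IPv4/UDP frame.
FRAME = bytes.fromhex(
    "ffffffffffff" "001122334455" "0800"                       # Ethernet: dst, src, type IPv4
    "4500001d" "00010000" "4011" "0000" "c0a80001" "c0a800ff"  # IPv4: 192.168.0.1 -> 192.168.0.255, UDP
    "1f901f90" "0009" "0000" "41")                             # UDP: 8080 -> 8080, payload "A"
SAMPLE_CAPTURE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
                  + struct.pack("<IIII", 1700000000, 123456, len(FRAME), len(FRAME)) + FRAME)
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def read_records(data):
    """Yield (ts_sec, ts_usec, frame) per record; byte order is taken from the magic number."""
    if data[:4] == b"\xd4\xc3\xb2\xa1": end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4": end = ">"
    else: raise ValueError("not a libpcap capture")
    off = 24
    while off < len(data):
        if off + 16 > len(data): raise ValueError("truncated record header")
        sec, usec, incl, orig = struct.unpack(end + "IIII", data[off:off + 16]); off += 16
        if incl > orig or off + incl > len(data): raise ValueError("truncated packet")
        yield sec, usec, data[off:off + incl]; off += incl

def describe(frame):
    """Tree view (second pane): {layer: {field: value}} for Ethernet, IPv4 and TCP/UDP ports."""
    tree = {"Ethernet": {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
                         "type": "0x%04x" % int.from_bytes(frame[12:14], "big")}}
    if frame[12:14] == b"\x08\x00" and len(frame) >= 34:          # IPv4 with a full header
        ihl = (frame[14] & 0x0F) * 4
        ip = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
              "ttl": frame[22], "proto": PROTO.get(frame[23], str(frame[23]))}
        tree["IPv4"] = ip
        if frame[23] in (6, 17) and len(frame) >= 18 + ihl:       # ports need 4 transport bytes
            tree[ip["proto"]] = dict(zip(("sport", "dport"), struct.unpack("!HH", frame[14 + ihl:18 + ihl])))
    return tree

def index_line(num, sec, usec, frame):
    """One packet-index line (first pane): number, timestamp, length, endpoints, protocol."""
    t = describe(frame); eth = t["Ethernet"]; ip = t.get("IPv4", {})
    return "%d\t%d.%06d\t%d\t%s -> %s\t%s" % (num, sec, usec, len(frame), ip.get("src", eth["src"]),
                                             ip.get("dst", eth["dst"]), ip.get("proto", eth["type"]))

def hexdump(frame):
    """Raw view (third pane): offset, 16 hex bytes and printable ASCII per line."""
    lines = []
    for o in range(0, len(frame), 16):
        chunk = frame[o:o + 16]
        txt = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-47s  %s" % (o, chunk.hex(" "), txt))
    return lines
```

A truncated file (a record header announcing more bytes than remain) is rejected with a ValueError rather than silently producing a short packet.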

The capture engine is implemented by calling the functions defined by the WinPcap library, which is included in the interface project. Through these functions the interface sets the capture parameters (adapter, file name where the capture is stored, capture filter, number of packets to capture, ...) and launches the capture. The capture file, which is created in the ACP format, is passed to the analysis engine, which reads it.

Besides this, the interface uses WinPcap to show the network traffic situation in real time. Through the interface the user sets which type of traffic has to be monitored; the chosen parameters are then sent to WinPcap through calls to the pcap_xxx functions. The results of the network monitoring are returned directly to the interface, which shows them through the graphic engine.

The graphic engine is implemented through a group of DLL files - the plug-ins - which are stored in a reserved folder. Each plug-in represents a graph (pie, column, line, ...); it receives from the interface the data to be represented and the 'device context' where the graph has to be drawn.