US Software Capstone Design Project

GNAT - Graphical Network Analysis Tool

Specifications Document

Design Team:

Matt Ericson

John Kobinski

Matt Petro

Rob Waltz

Client:

Rich Ames, US Software

v1.7

January 1, 1998

Last revision: 1/5/98

TABLE OF CONTENTS

EXECUTIVE SUMMARY

FUNCTIONAL SPECIFICATIONS

NON-FUNCTIONAL SPECIFICATIONS

FEASIBILITY ISSUES

REFERENCES

EXECUTIVE SUMMARY

This document explicitly describes the workings of a network analyzing software package. This package is to be developed by an NAU senior design team for the use of their sponsor, US Software. It will meet the listed specifications and perform all designated tasks. The software has four main requirements:

  1. Packet Disassembly – The software must interpret TCP, IP, and Ethernet headers from a network packet log file in the Snoop2 format.
  2. Statistical Analysis – Compile statistics from the parsed packets.
  3. Graphical Interpretation – Display the results of the statistics in a readily interpretable form.
  4. GUI – Provide an easy-to-use graphical interface.

FUNCTIONAL SPECIFICATIONS

  1. Packet Disassembly - The software will disassemble network packets and compile a list of packet attributes (to be graphically displayed, see 1.2 below). As the lists of these attributes will be held in a data structure(s), system limits will determine the size of log file that can be disassembled. The following fields will be obtained from the TCP and IP headers (stored in the Snoop2 log file) to allow for the necessary statistical compilation:
    1. The disassembled elements of each packet will be made available in a standard graphical "form," with the element names constituting field headers, and element values filling in the field body.
  2. Statistical Compilation - The aforementioned packet elements will be used to compile statistics for a given Snoop2 log file. These statistics will be used to understand and troubleshoot network operation and traffic flow. The statistics to be compiled fall into three major categories:
    1. Retransmission – The software package will view retransmissions from two angles, the number of retransmissions and the character of retransmitted packets.
      1. Number of retransmissions
        1. The number of retransmissions per log file will be tallied in a 32-bit integer.
        2. The percentage of retransmissions/(total transmissions) in a log file will be computed.
        3. Both of these numbers will be displayed in a typical Windows screen at the user’s request.
      2. Characteristics of retransmissions
        1. The average size (in bytes) of retransmitted TCP packets will be computed from the disassembled list of packet sizes.
        2. The time environment of retransmission (i.e. burstiness, measured as retransmitted bytes sent divided by speed in bytes/sec; see references, TCP Packet Trace Analysis by Shepard) will be computed.
        3. The average window size (in bytes) of retransmitted packets will be computed from the disassembled list of window sizes.
        4. Sockets which generate and receive retransmissions will be listed, along with the number of retransmissions generated, in one of several orders. The order will be determined by the user’s choice from a list of options:
        5. Retransmissions will be categorized as lost vs. corrupted.
        6. Retransmission characteristics will be displayed in a typical Windows screen at the user’s request.
    2. Checksums – The packets in a log file, individually or as an entire file, will have their checksums verified. The IP checksum will be verified, as will the TCP or UDP checksum.
      1. If the user desires to verify an individual packet’s checksum result, the packet can be displayed (see 1.2) and the "Checksum verification" option selected. The results of the verification will be displayed below the option button.
      2. If the user selects the entire file for checksum verification, the results will be displayed in a typical Windows screen.
    3. General Statistics – The following general statistics will be computed from the disassembled packet lists:
      1. Network traffic, in bytes/sec.
      2. Network throughput, in bytes/sec. This will be computed from the network bytes by subtracting any retransmissions.
      3. Network burstiness, in bytes/(bytes/sec) (see 2.1.2.2).
      4. Network packet sequence number/time (this is a graph developed by Timothy J. Shepard and explained at length in his thesis on TCP packet trace analysis. See references).
      5. Average network delay time between send and acknowledge. This can be determined for the network as a whole, or between two IP addresses that the user inputs.
      6. All general statistics will be displayed in a typical Windows screen.
    4. Also, upon opening a Snoop2 file, the program will analyze the file and present a screen of the following summary statistics and unusual activity.
      1. Summary Statistics
        1. 32-bit integer number of Ethernet frames in the Snoop2 file.
        2. Time stamp in microsecond resolution of the first and last frame in the file.
        3. Average frame rate in frames/sec.
        4. Time of maximum frame rate in microsecond resolution (timestamp of the frame transmitted at the time of maximum rate).
        5. 32-bit integer number of connections detected.
        6. For each connection:
          1. Time the connection was established and terminated, in microsecond resolution.
          2. Amount of application data transferred in each direction, in bytes.
          3. Average throughput in each direction, in bytes/sec.
      2. Unusual Activity
        1. For each connection:
          1. 32-bit integer number of retransmissions.
          2. 32-bit integer number of zero window packets.
          3. 32-bit integer number of delayed acknowledgements.
    5. The user will be able to generate graphs of sequence number versus time.
    6. The user will be able to graphically specify an arbitrary frame and display this frame and the surrounding frames in detail.
    7. The user will be able to load a new log file and displace any file which is currently loaded.
  3. GUI – All graphical display options will be accessed through a simple graphical interface. This interface will allow a user to step through a log file packet by packet and/or display any of the statistical graphics pages. The GUI will be modeled on the looks-like prototype which has been demonstrated to Rich Ames at US Software. The prototype features a standard Windows interface with pull-down menus. It also has rudimentary graphical display features.
  4. Output – The software will generate a text file of the concatenated disassembled packets, in ascending order of the Snoop2 time stamp.
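The checksum verification described under Statistical Compilation (IP checksum, then TCP or UDP checksum), shown as an added example that is not part of this specification or of the GNAT code: an RFC 1071 one's-complement check of the IPv4 header and of the transport segment over its pseudo-header, applied to a constructed IPv4/TCP SYN and to a copy with one corrupted byte. Function names, the sample packet and the fixed test header are the example's own assumptions.

```python
import struct

def internet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def verify_ip_header(ip):
    """True if the IPv4 header verifies (a valid header sums to zero with its checksum)."""
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:  # corrupt IHL: do not index past what we have
        return False
    return internet_checksum(ip[:ihl]) == 0

def verify_transport(ip):
    """Verify the TCP (proto 6) or UDP (proto 17) checksum over the IPv4 pseudo-header."""
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack(">H", ip[2:4])[0]
    proto = ip[9]
    if total_len > len(ip) or total_len < ihl + 8:
        return False  # truncated capture or a length field that lies
    segment = bytes(ip[ihl:total_len])
    if proto == 17 and segment[6:8] == b"\0\0":
        return True  # UDP: an all-zero checksum means "not computed" (RFC 768)
    pseudo = bytes(ip[12:20]) + struct.pack(">BBH", 0, proto, len(segment))
    return internet_checksum(pseudo + segment) == 0

def build_sample_syn():
    """Constructed sample: a 40-byte IPv4/TCP SYN from 10.0.0.1:1234 to 10.0.0.2:80."""
    ip = bytearray(struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000,
                               64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    tcp = bytearray(struct.pack(">HHIIBBHHH", 1234, 80, 1, 0, 0x50, 0x02, 8192, 0, 0))
    pseudo = bytes(ip[12:20]) + struct.pack(">BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack(">H", internet_checksum(pseudo + bytes(tcp)))
    ip[10:12] = struct.pack(">H", internet_checksum(ip))
    return bytes(ip + tcp)

def classify(ip):
    """Per-packet result, as the per-packet verification option would report it."""
    return {"ip_ok": verify_ip_header(ip), "transport_ok": verify_transport(ip)}

# Constructed 20-byte IPv4 header (UDP, 192.168.0.1 -> 192.168.0.199) whose correct checksum is 0xb861.
KNOWN_IPV4_HEADER = bytes.fromhex("4500007300004000" "4011b861" "c0a80001c0a800c7")
```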

NON-FUNCTIONAL SPECIFICATIONS

  1. Must be built on a 32-bit architecture.
  2. Must be able to run on the Java Virtual Machine.
  3. Software must accept input in Snoop 2 format (RFC 1761, see references).
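As an added example of the Snoop 2 input format of RFC 1761 (not code from this document or from the design team), the following Python walks a snoop file's 16-byte file header and 24-byte packet record headers, rejects any record whose stated length does not fit inside the file, and derives the Summary Statistics items listed under Statistical Compilation (frame count, first and last timestamp, average and peak frame rate) from a constructed four-frame log. The field layout follows RFC 1761; function names and the sample log are the example's own.

```python
import struct
from collections import Counter

SNOOP_MAGIC = b"snoop\0\0\0"           # 8-byte identification pattern (RFC 1761)
SNOOP_VERSION = 2
DLT_ETHERNET = 4                       # datalink type code for Ethernet
FILE_HDR = struct.Struct(">8sII")      # magic, version, datalink type (big-endian)
RECORD_HDR = struct.Struct(">IIIIII")  # orig_len, incl_len, rec_len, drops, sec, usec

def parse_snoop2(data):
    """Return a list of (timestamp_us, frame_bytes, cumulative_drops) records."""
    if len(data) < FILE_HDR.size or data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    _, version, datalink = FILE_HDR.unpack_from(data, 0)
    if version != SNOOP_VERSION or datalink != DLT_ETHERNET:
        raise ValueError("unsupported version/datalink %d/%d" % (version, datalink))
    records, off = [], FILE_HDR.size
    while off + RECORD_HDR.size <= len(data):
        orig_len, incl_len, rec_len, drops, sec, usec = RECORD_HDR.unpack_from(data, off)
        # rec_len comes from the capture file; check it against the buffer before
        # using it, or a short or oversized value walks the parser past the data
        if rec_len < RECORD_HDR.size + incl_len or off + rec_len > len(data):
            raise ValueError("corrupt record at offset %d" % off)
        start = off + RECORD_HDR.size
        records.append((sec * 1_000_000 + usec, data[start:start + incl_len], drops))
        off += rec_len  # rec_len already includes the 4-byte padding after the data
    return records

def summary_stats(records):
    """Summary Statistics items 1-4: frame count, first/last timestamp, avg and peak rate."""
    stamps = [ts for ts, _, _ in records]
    span_s = (stamps[-1] - stamps[0]) / 1_000_000
    per_second = Counter(ts // 1_000_000 for ts in stamps)
    busiest_second = max(per_second, key=per_second.get)
    peak_ts = next(ts for ts in stamps if ts // 1_000_000 == busiest_second)
    return {"frames": len(records), "first_us": stamps[0], "last_us": stamps[-1],
            "avg_frames_per_sec": len(records) / span_s if span_s else float("inf"),
            "peak_rate_at_us": peak_ts, "peak_frames_per_sec": per_second[busiest_second]}

def _record(sec, usec, payload):
    """Build one constructed record, padding the data to a 4-byte boundary."""
    padded = payload + b"\0" * (-len(payload) % 4)
    return RECORD_HDR.pack(len(payload), len(payload), RECORD_HDR.size + len(padded),
                           0, sec, usec) + padded

SAMPLE_LOG = (FILE_HDR.pack(SNOOP_MAGIC, SNOOP_VERSION, DLT_ETHERNET)  # constructed
              + _record(100, 0, b"\xaa" * 60) + _record(100, 250_000, b"\xbb" * 61)
              + _record(101, 0, b"\xcc" * 14) + _record(102, 0, b"\xdd" * 64))
```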

FEASIBILITY ISSUES

  1. Programmers intend to follow US Software coding conventions, but acceptance of any restrictions and/or recommendations awaits review of the coding convention documents.
  2. The software package should accept the output of a network sniffer program, to be provided by US Software. This output is assumed to be in the Snoop2 format, and will be simulated with log files until the sniffer is available.
  3. The design team would like the software to run in an "auto" mode, where the software analyzes the log file and suggests areas of interest to the user. This option will be built into the product once it meets all the above specifications, and if time permits.

REFERENCES

  1. InterNIC – Network Information Center; URL: http://ds.internic.net/
  2. RFC 791 – Internet Protocol specification; URL: http://ds.internic.net/rfc/rfc791.txt
  3. RFC 792 – Internet Control Message Protocol specification; URL: http://ds.internic.net/rfc/rfc792.txt
  4. RFC 793 – Transmission Control Protocol specification; URL: http://ds.internic.net/rfc/rfc793.txt
  5. RFC 826 – Address Resolution Protocol specification; URL: http://ds.internic.net/rfc/rfc826.txt
  6. RFC 1761 – Snoop 2 specification; URL: http://ds.internic.net/rfc/rfc1761.txt
  7. TCP Packet Trace Analysis by Timothy J. Shepard; URL: http://ana-www.lcs.mit.edu/anaweb/pdf-papers/_TR_494.pdf
  8. Sun Microsystems – Java Home Page; URL: http://java.sun.com