
Network Monitor And Protocol Analysis Based On Dual Stack Model Of IPv4 And IPv6

Posted on: 2011-01-06
Degree: Master
Type: Thesis
Country: China
Candidate: M Qu
Full Text: PDF
GTID: 2178360305455159
Subject: Network and information security

Abstract/Summary:
With the widespread use of the Internet, the scale of networks and the volume of network traffic are increasingly large. Because IPv4 has inherent defects in its security support and a small, limited address space, the IETF has adopted the IPv6 protocol as the next-generation network protocol to replace the existing IPv4 protocol. IPv6 will therefore be used more and more widely in the future, and research on and application of IPv6 are very important. Meanwhile, network security problems such as network attacks are increasingly severe and draw great public concern. Network traffic monitoring can provide network administrators with important information so that they can find the causes of degraded network quality. Network traffic monitoring has therefore become an important research direction in network applications. Currently, traffic monitoring and analysis systems based on the IPv4 protocol alone cannot satisfy actual needs, so detecting and analyzing traffic in an IPv4/IPv6 dual stack has higher value. How to monitor the actions of hosts in a dual stack, manage the whole local network and report abnormal information to the host manager has become an important research topic.

Based on a study of many products and related information on network traffic detection and analysis systems, this paper proposes a framework model for a detection and analysis system compatible with both the IPv4 and IPv6 network protocols, in order to follow this direction. This study also analyzes and describes in detail the implementation of every module in the system.

We design a LAN traffic monitor and protocol analysis system compatible with the IPv4 and IPv6 dual stack, based on existing traffic monitoring and protocol analysis systems. LAN data packets are captured with libpcap; the system then analyzes protocols and counts traffic in order to offer important information to network administrators. The system needs to achieve the following specific objectives:

1. The system can perform layered protocol analysis on captured packets. It can also extract important information from IPv6 and IPv4 packets in dual-stack mode and store the results of the analysis, which are easy for users to query.
2. The system supports a daily traffic statistics function. It can monitor network traffic instantly, compute statistics for the various protocols and display the information. It shows the rates of IPv6, IPv4 and other protocols such as Ethernet.
3. The system should have good scalability and better support for IPv6. The supported protocols and the capture filter rules can be extended at any time.
4. The system can perform abnormal traffic monitoring, mainly monitoring of DDoS attacks, ARP attacks and Smurf attacks, and the results are shown in a user-friendly manner.

Network packets must be captured first if we want to monitor network data, and we must choose the operating system (OS) before we capture packets. Nowadays Windows and Linux are the most popular OSes. Windows is used by the largest number of people; however, it is also studied most by hackers and has many loopholes. Compared with Windows, Linux, which is open source, has few loopholes and is studied by few hackers. Hence security software is generally developed on the Linux platform, so our system is also developed on Linux. This paper introduces the principle of sniffing in diverse networks, and then the software development package (libpcap) for capturing network packets on Linux. Specifically, the components, filter algorithms, capture mechanism and function interfaces of libpcap are described.

This paper describes the design and architecture of our system. The system mainly includes three modules: a packet capture module, a network analysis module and an abnormality analysis module. The paper introduces in detail every module, its operating principle and the connections among the modules. The network packet capture and analysis module is the kernel module of our system. This paper describes packet capture at the implementation level and the principles of packing and unpacking packets. We analyze the popular protocols of the data link layer, network layer, transport layer and application layer, including the common frame formats, related data structures and so on. In particular, we describe the analysis process for the double protocol stack, which differs from traditional systems.

With the rapid development of Internet technology and the openness of the TCP/IP protocol, the network security problem is becoming more severe. In particular, a wide range of network attacks have done great harm to companies and ordinary Internet users. Traditional network monitoring and analysis systems pay no attention to network attacks and just read the header information of the captured packets. If the monitoring and analysis system can detect the typical attacks while unpacking packets, it will undoubtedly strengthen the system and also relieve the load on the firewall and network intrusion detection system (NIDS). We make some attempts in this area. By analyzing normal and abnormal network environments, we analyze denial of service attacks and ARP attacks respectively, using the network flow and the distribution of the various protocols in IPv4 and IPv6 dual-stack mode. A series of experiments shows that packet capture, traffic analysis and protocol analysis are effective for detecting attacks. The experiments were divided into two parts: (1) normal traffic and protocol analysis; (2) abnormal flow analysis of different types of attacks. The results show that abnormal and normal traffic flows differ significantly, and that the packet counts of the different protocols also differ. In IPv6 mode especially, the results for the Smurf attack are obvious.

This study will contribute to network data monitoring and protocol analysis, and the future work is as follows:

1. The system will integrate artificial intelligence methods, such as clustering and classification methods from data mining, in order to design an intelligent network monitoring and analysis system.
2. We will carry out experiments in a large-scale network in order to prove our system robust and accurate.
3. We will compare our system with other systems and integrate with other systems as far as possible.
4. We will integrate our system with NIDS technologies in order to build a NIDS based on network traffic monitoring.
5. We will combine our system with a NIDS and a firewall. Specifically, we will design interfaces to the NIDS and the firewall in order to supply abnormal information to them.
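As an added illustration of the layered, dual-stack dissection and per-protocol counting the abstract describes (example code written for this page, not the thesis's own implementation): it classifies raw Ethernet frames as ARP, IPv4 or IPv6 and then by transport protocol, and goes one step beyond the abstract by walking IPv6 extension headers, which a dissector that only reads the fixed header's next-header byte would misclassify. It parses byte buffers directly rather than through libpcap, so it runs without a capture device; the frame builders, class names and sample frames are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Protocol classes the dissector counts (constructed example, not the thesis's own code). */
enum proto { P_OTHER, P_ARP, P_V4_TCP, P_V4_UDP, P_V4_ICMP, P_V6_TCP, P_V6_UDP, P_V6_ICMP, P_COUNT };
struct stats { unsigned long n[P_COUNT], frames, bytes; };

/* Layered dissection of one Ethernet frame: link -> ARP/IPv4/IPv6 -> transport. IPv6 extension headers
 * (hop-by-hop 0, routing 43, fragment 44, dest. options 60) are walked; every read is bounds-checked. */
enum proto classify_frame(const uint8_t *f, size_t len) {
    if (len < 14) return P_OTHER;
    uint16_t etype = (uint16_t)(f[12] << 8 | f[13]);
    const uint8_t *p = f + 14; size_t rem = len - 14;
    if (etype == 0x0806) return P_ARP;
    if (etype == 0x0800) {                                  /* IPv4: protocol field at byte 9 */
        if (rem < 20 || (p[0] >> 4) != 4) return P_OTHER;
        return p[9] == 6 ? P_V4_TCP : p[9] == 17 ? P_V4_UDP : p[9] == 1 ? P_V4_ICMP : P_OTHER;
    }
    if (etype != 0x86DD || rem < 40 || (p[0] >> 4) != 6) return P_OTHER;
    uint8_t nh = p[6]; p += 40; rem -= 40;                  /* IPv6: next header at byte 6 */
    while (nh == 0 || nh == 43 || nh == 44 || nh == 60) {   /* extension header chain */
        if (rem < 8) return P_OTHER;                        /* truncated chain: never read past len */
        size_t ext = (nh == 44) ? 8 : (size_t)(p[1] + 1) * 8;
        if (rem < ext) return P_OTHER;
        nh = p[0]; p += ext; rem -= ext;
    }
    return nh == 6 ? P_V6_TCP : nh == 17 ? P_V6_UDP : nh == 58 ? P_V6_ICMP : P_OTHER;
}
void count_frame(struct stats *s, const uint8_t *f, size_t len) {
    s->n[classify_frame(f, len)]++; s->frames++; s->bytes += len;
}
double ipv6_share(const struct stats *s) {                  /* IPv6 fraction of all frames, for the rate display */
    unsigned long v6 = s->n[P_V6_TCP] + s->n[P_V6_UDP] + s->n[P_V6_ICMP];
    return s->frames ? (double)v6 / (double)s->frames : 0.0;
}
/* Constructed sample frames: zeroed headers with only the fields the dissector reads filled in. */
size_t build_v4(uint8_t *b, uint8_t proto) { memset(b, 0, 34); b[12] = 0x08; b[14] = 0x45; b[23] = proto; return 34; }
size_t build_arp(uint8_t *b) { memset(b, 0, 42); b[12] = 0x08; b[13] = 0x06; return 42; }
size_t build_v6(uint8_t *b, uint8_t nh, int hbh) {          /* hbh != 0: insert an 8-byte hop-by-hop header */
    memset(b, 0, 62); b[12] = 0x86; b[13] = 0xDD; b[14] = 0x60;
    if (!hbh) { b[20] = nh; return 54; }
    b[20] = 0; b[54] = nh; b[55] = 0; return 62;
}
struct stats demo_stats(void) {
    struct stats s; uint8_t b[64]; memset(&s, 0, sizeof s);
    count_frame(&s, b, build_v4(b, 6));     count_frame(&s, b, build_v4(b, 1));     /* IPv4 TCP, IPv4 ICMP */
    count_frame(&s, b, build_v6(b, 17, 1)); count_frame(&s, b, build_v6(b, 58, 0)); /* IPv6+HBH+UDP, ICMPv6 */
    count_frame(&s, b, build_arp(b));       count_frame(&s, b, 10);                 /* ARP, truncated frame */
    return s;
}
unsigned long demo_count(enum proto p) { struct stats s = demo_stats(); return s.n[p]; }
double demo_ipv6_share(void) { struct stats s = demo_stats(); return ipv6_share(&s); }
```

On a live system the same classify_frame would be called from the libpcap callback for each captured frame, and the stats struct would feed the per-protocol rate display.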
Keywords/Search Tags: Protocol analysis, Double stack mode, Data monitor