
(NHA) The Laboratory of Computer Communication and Networking Network Host Analyzer


(NHA)

The Laboratory of Computer Communication and Networking

Network Host Analyzer


Project Team

Members:

Arie Abramovici sarie@t2

Yonatan Eldar seldary@t2

Gil Nitzan sgilnit@t2

Instructor:

Izik Alperon izik@cs

Supervisor:

Itay Dabran idabran@cs


Project Goal

Develop an application that will be used in order to monitor a large number of hosts on a network, running different operating systems.


Background

A big part of the job of any network administrator is the actual management and administration of the network.

One of the most valuable assets an administrator can own in order to manage a network is a detailed report about each device the network contains.


Background (cont.)

• The information required for such a report can be gathered by connecting to the network components (e.g. the routers and switches), and the computers which we want to monitor.

• However, for large networks, it is hard to manually get such information, as there is too much information in the system.

• Therefore, there is a need for a tool that can generate the information automatically, and present it to the administrator in a way that can be easily read.


Background (cont.)

Moreover, sometimes some information about the network is stored outside the network (for example a list of users, or a list of computers which may exist somewhere).

So, in order to properly protect the network from malfunctions and attacks, there is a need for a tool that can gather information from different sources in order to ensure reliability and correctness of the information shown.


Project Description

The NHA project monitors a network by gathering information from different sources.

These sources are:

1. The network routers

2. The network switches

3. An agent on the hosts

4. A list of users on the internet


Project Description (cont.)

The application was written in C++ with MFC support for the GUI module.

The agent was written in Java in order to ensure portability between different platforms.

In the different modules you may find code dealing with TCP connections, UDP messages, multiple threads, MFC GUI and many more three-letter buzzwords.


Application Features

In the main window there are 3 options:

• Refresh button: once pressed, the manager module gathers all the information from the network simultaneously; it may take several seconds (approx. 10).

• Map button: after the database was first refreshed, the map button will open a dialog presenting the map of the network.

• Configuration: opens configuration window.


Application Features (cont.)

In addition, in the main window, once the database has been refreshed, a list of all hosts will appear, showing all information gathered.

Double-clicking a host will open an information dialog containing the information described above.

The user can receive a list of hosts on a certain switch.

The user can also search the list for a certain IP, MAC or hostname.


Application Feat. Map dialog

While cruising the map dialog you may click on each device.

Clicking a device icon will pop an information box containing its IP, name and level.

Also, the box will present information about each device port such as speed, bandwidth (half or full), etc.


Application Feat. – configuration

In this screen the user can specify which router and switch IPs to use in the search, and what username and password to use.

This information will be saved for the next time the user launches NHA.


Project Description (cont.)

The NHA project, on demand, gathers the information about the network, and then displays it in a graphical interface.

The project consists of two applications, a manager and an agent.

The manager is made of 6 main modules:

1. NHA Telnet

2. NHA Database

3. NHA Parsing

4. NHA Server

5. NHA GUI

6. NHA Internet


NHA Agent Description

The NHA agent is installed on each computer on the network (in the main GUI the admin can see which computers don't have agents, in order to help this process).

After being installed, the agent waits until it is approached and only then sends back information about the platform and the user who is logged on.


NHA manager- Telnet

• The Telnet interface opens a telnet connection to every router and switch.

• On this connection the interface asks for the needed tables from each router and switch, and then parses the tables, using the Parsing module.

• The tables we use are:
  • Router & Switch MACs (for each port)
  • ARP tables (for router)
  • Switch tables (for analyzing hosts)

Note: for each device there are 2 telnet approaches. The first attaches each port to a specific MAC address; only then may the second approach occur, to learn from the ARP and switch tables.


NHA manager- Database

The Database module holds all the shown information about the hosts in several hash tables, in order to ensure fast searching.

All the information about the routers and switches is stored in the database.


NHA manager- Parsing

The Parsing module gets the tables from the switches and routers and parses the useful information into the database.

The Parsing module also parses the incoming messages from the agents, and the users table from the internet.
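
The Telnet, Database and Parsing slides describe pulling ARP and switch tables, parsing them and keeping the result in hash tables. The sketch below is an added example, not NHA's own code: it joins the two tables to place each host on a switch port and marks hosts that no switch reports. The two-column text formats, sample values and function names are assumptions made for illustration.

```cpp
// Added example, not NHA's code. Table formats are constructed for illustration.
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <unordered_map>
#include <vector>

struct Host { std::string ip, mac, port; };
using Table = std::unordered_map<std::string, std::string>;

// Constructed samples: ARP lines are "<ip> <mac>", switch lines "<mac> <port>".
const std::string kArp = "10.0.0.5 00:1A:2B:3C:4D:5E\n10.0.0.9 001a.2b3c.4d60\nbad line\n";
const std::string kSwitch = "001a.2b3c.4d5e Fa0/3\n";

// Reduce a MAC to 12 lowercase hex digits; returns "" for anything else.
std::string norm_mac(const std::string& s) {
    std::string out;
    for (unsigned char c : s) {
        if (std::isxdigit(c)) out += static_cast<char>(std::tolower(c));
        else if (c != ':' && c != '.' && c != '-') return "";
    }
    return out.size() == 12 ? out : "";
}

// Parse two-column lines into a hash table; malformed lines are skipped.
Table parse_table(const std::string& text, bool mac_first) {
    Table t;
    std::istringstream in(text);
    std::string line, a, b;
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        if (!(ls >> a >> b) || norm_mac(mac_first ? a : b).empty()) continue;
        if (mac_first) t[norm_mac(a)] = b; else t[a] = norm_mac(b);
    }
    return t;
}

// Join ARP (ip -> mac) with the switch table (mac -> port), sorted by IP string.
// A host the router sees but no switch reports gets port "unknown".
std::vector<Host> locate_hosts(const std::string& arp, const std::string& sw) {
    const Table ip2mac = parse_table(arp, false), mac2port = parse_table(sw, true);
    std::vector<Host> hosts;
    for (const auto& kv : ip2mac) {
        auto it = mac2port.find(kv.second);
        const std::string port = it == mac2port.end() ? std::string("unknown") : it->second;
        hosts.push_back({kv.first, kv.second, port});
    }
    std::sort(hosts.begin(), hosts.end(), [](const Host& x, const Host& y) { return x.ip < y.ip; });
    return hosts;
}
```

Normalising the MAC before it is used as a hash key matters because routers and switches commonly print the same address with different punctuation and case.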


NHA manager- Agent Interface

The agent interface is activated after the router and switches interface.

Thus, when we use the agent interface we already know all the hosts on the network, and so we can send them messages directly.

The agent interface sends UDP messages to each host. Then, each host replies with information about the users:

• Login (retrieved automatically)
• The platform used (retrieved automatically)
• Hostname (retrieved automatically)
• Port (manually entered by user)
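
UDP has no handshake, so the source address of a reply proves little and the payload arrives unauthenticated. The sketch below is an added example, not NHA's own code, of manager-side checks before a reply reaches the database: it accepts a datagram only from a host that was queried, only if it echoes a per-request nonce, and only if every field is short and free of control characters. The nonce, the `|`-separated wire format and all names are assumptions; the slides do not describe the message layout.

```cpp
// Added example, not NHA's code. Assumed wire format, constructed for
// illustration: "<nonce>|<login>|<platform>|<hostname>|<port>"
#include <cctype>
#include <cstddef>
#include <sstream>
#include <string>
#include <unordered_map>
#include <vector>

struct AgentInfo { std::string login, platform, hostname, port; };

// Accept a field only if it is short and made of a small safe alphabet,
// so it can be listed in a GUI or written to a log without surprises.
bool clean_field(const std::string& f) {
    if (f.empty() || f.size() > 64) return false;
    for (unsigned char c : f)
        if (!std::isalnum(c) && c != '.' && c != '-' && c != '_' && c != '/') return false;
    return true;
}

// pending maps the IP of each queried host to the nonce sent to it.
// A reply is accepted only from a queried IP, echoing that nonce, once.
bool accept_reply(std::unordered_map<std::string, std::string>& pending,
                  const std::string& src_ip, const std::string& datagram,
                  AgentInfo& out) {
    auto it = pending.find(src_ip);
    if (it == pending.end() || datagram.size() > 512) return false;
    std::vector<std::string> f;
    std::istringstream in(datagram);
    for (std::string part; std::getline(in, part, '|');) f.push_back(part);
    if (f.size() != 5 || f[0] != it->second) return false;
    for (std::size_t i = 1; i < 5; ++i)
        if (!clean_field(f[i])) return false;
    out = AgentInfo{f[1], f[2], f[3], f[4]};
    pending.erase(it);  // one reply per request; later duplicates are dropped
    return true;
}

// Constructed sample: one outstanding request to 10.0.0.5 with nonce "7f3a".
bool sample_accepts(const std::string& src_ip, const std::string& datagram) {
    std::unordered_map<std::string, std::string> pending{{"10.0.0.5", "7f3a"}};
    AgentInfo info;
    return accept_reply(pending, src_ip, datagram, info);
}
```

A nonce only stops off-path senders who cannot see the request; it is not a substitute for authenticating the agent.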


NHA manager – Server

• The server gets from the agents the port name of the host, and the login name, and extracts from them the level of the host and more.

• The following information is sent by the agent, but if the information from the internet can be retrieved (using the login name), the manager takes the information from the internet:
  • Phone
  • Email
  • Name
  • Room
  • Level


NHA manager- GUI

The graphical user interface shows all the gathered information in a list, giving the user a fast and easy way to review the network hosts.

Using the information gathered on the routers and switches, a (realtime) map of the network can be shown, enabling fast access to information about a device.


NHA manager- Internet Interface

The internet interface is designed in order to receive a table of users, their room, phone number and email.

Such a table exists for the CS network at http://www.cs.technion.ac.il/People/Directory/index.html

The interface downloads this page and parses this information.

Note: the parsing of the file matches specifically the format of the CS faculty directory file. However, in case such a file doesn't exist, the program may still run without it.


And now…

Live Demonstration