<h1xmlns="http://www.w3.org/1999/html"> What is Network Analyzer </h1>
Network Analyzer is a web based raw traffic analyzer. It is started during the GSoC 2012 period as a <ahref="https://www.honeynet.org/">Honeynet</a> project.
The Honeynet Project is a leading international 501c3 non-profit security research organization, dedicated to
investigating the latest attacks and developing open source security tools to improve Internet security.
With Chapters around the world, our volunteers have contributed to fight again malware (such as Confickr),
discovering new attacks and creating security tools used by businesses and government agencies all over the world.
The organization continues to be on the cutting edge of security research by working to analyze the latest attacks and educating the
public about threats to information systems across the world. More details can be found at the <ahref="https://www.honeynet.org/about">Honeynet page</a>.
The aim of the network analyzer project is to supply an open source visual network traffic analyzer to the community. It can handle uploaded
traffic data, analyze them and let the results be seen in a visual manner. The development process of the project can be seen at the <ahref="https://www.honeynet.org/gsoc/slot13">project Honeynet page.</a>
<h1> Architecture </h1>
Network Analyzer is mainly compound of a mixture of handlers. Handlers can be thought of plugins.
It lets additional plugin definitions and usages.
The process at the network analyzer starts with an upload of a raw traffic data. Protocol handlers
detect the type of it, either TCP or UDP, and process the related information. The information
includes IP numbers, payload data, port numbers, packet length, start and stop time. To process TCP
and UDP information <ahref="http://code.google.com/p/dpkt/">dpkt</a> is used.
After the IP level information handling, application level handlers are run. <ahref="http://bro-ids.org/">Bro</a> and <ahref="http://www.wireshark.org/docs/man-pages/tshark.html">tshark</a> are used
to detect the application level protocol. Bro and <ahref="https://github.com/simsong/tcpflow/wiki/tcpflow-%E2%80%94-A-tcp-ip-session-reassembler">tcpflow</a> are used to process the application level information.
This information include reassembling of flow data, mainly. The aim is to extract human readable information
from the traffic flow.
Current release of Network Analyzer support HTTP, DNS and SMTP traffic. For HTTP, request and response
headers, returned responses are displayed. For DNS, it is possible to display the DNS query sent.
For SMTP traffic, it is possible to see the mail sent, attached files, see the virus analyze results.
The results are seen in a visual way. Each uploaded traffic is displayed in a separated way.
The unique pages display the scatter plot display, with the distribution of traffic at the raw traffic.
Summary page displays the timeline information about the traffic with application level data on it.
Clicking on the circles, let one sees the flow information.
<h1> Source Code </h1>
The development is going on <ahref="https://github.com/oguzy/ovizart">Github</a>. The project name will change from openwitness to something else we like more and that won't cause tradae mark problems.
The demo site can be observed at <ahref="http://ow.comu.edu.tr">http://ow.comu.edu.tr</a> address.
<p> Reach me from the email address <ahref="mailto:email@example.com">oguzyarimtepe at gmail.com</a></p>