
ONLINE TEST MONITORING TOOL USING KISMET (A PACKET SNIFFER)

Submitted September 2011, in partial fulfillment of the conditions of the award of the degree [M.Sc. in IT]

POONAM SHAH

School of Computer Science

University of Nottingham

I hereby declare that this dissertation is all my own work, except as indicated in the text:

Date 07/09/2011

I hereby declare that I have all necessary rights and consents to publicly distribute this dissertation via the University of Nottingham's e-dissertation archive.


Acknowledgements

I would like to express my thanks to my supervisor, Dr. Steven Bagley for his assistance, helpful advice and encouragement throughout the project.

I would also like to thank my parents and my brother for their encouragement and support throughout the Master’s program.

I would like to thank all my friends without whom I could not complete this project.


Abstract

The number of colleges and universities opting for online tests is increasing every day. An online test is a perfect way of evaluating students' performance in real time, and it lets students take the test on their own PC. It also gives students opportunities to cheat while taking the test, which makes it essential to track student activity during the test.

The main objective of this project is to allow students to take an online test with complete internet access while still keeping an eye on them. Although they have internet access, they can and should use only the few sites recommended by the tutor and should not use any other search sites.

The application developed for this project tracks students' activity during an online test using a packet sniffing tool. An application was developed on top of the sniffing tool; it uses the tool's functionality and generates notifications and logs. A mobile application was also designed for Android so that the professor receives these notifications and logs on his/her smartphone while moving around the examination hall. With this mobile application, the professor can also set and conduct exams remotely.

The application keeps track of all the websites accessed by students while they take the online test. It can notify the tutor when a student tries to cheat, either by opening a site that is not allowed or by connecting a new device to the network to look for answers.


Table of Contents

Acknowledgements
Abstract
Chapter 1 - Introduction
1. Introduction
  1.1. Facts of Online Test
  1.2. Research Motivation
  1.3. Aim and objective
  1.4. Dissertation Structure
  1.5. Summary
Chapter 2 – Literature Review
2. Introduction
  2.1. Type of Online Test
  2.2. Various types of cheating that may occur in online test
    2.2.1. Spyware Technique
    2.2.2. Sniffers & other hacking techniques
    2.2.3. Using Mac address changing software
    2.2.4. Using proxy
    2.2.5. Using IP address
    2.2.6. Using forensics technique
  2.3. Introduction to Sniffing
  2.4. Packet sniffing
  2.5. Types of packet sniffing
  2.6. Different type of sniffing tools
    2.6.1. Ethereal
    2.6.2. TCPDump
    2.6.3. NetStumbler
    2.6.4. Kismet
  2.7. Wireless Sniffing techniques
  2.8. Related work
  2.9. Summary
Chapter 3 – Design
3. Introduction
  3.1. Approach
  3.2. Development Tools
    3.2.1. Kismet
    3.2.2. .netxml file explanation
    3.2.3. Wireshark
  3.3. User Requirements
  3.4. Software Design
    3.4.1. User story
    3.4.2. System Architecture
    3.4.3. Class Diagram
    3.4.4. ER Diagram
    3.4.5. UI layout for the mobile application
  3.5. Summary
Chapter 4 - Implementation
4. Introduction
  4.1. Parsing files Package
    4.1.1. ParseNetXmlFile
    4.1.2. ReadFile
  4.2. Online Test Monitoring Tool Package
    4.2.1. Activities package
    4.2.2. Services package
    4.2.3. Database helper package
  4.3. PHP Script
  4.4. Packet analysis using wireshark
  4.5. Summary
Chapter 5- Testing and Evaluation
5. Introduction
  5.1. Testing Android Application
    5.1.1. Student Details Icon
    5.1.2. View Whitelist site
    5.1.3. Delete Whitelist site
    5.1.4. Student Logs Icon
    5.1.5. Notification Screen
    5.1.6. Help Screen
  5.2. Further Research
  5.3. Summary
Chapter 6- Conclusion
  Benefits of the Research
  Potential Limitations
  Future Scope
Bibliography


List of Figures

Figure 2.1 Mac Address changing technique
Figure 2.2 Screen shot for setting proxy
Figure 2.4 Example of TCPdump packet capture
Figure 2.5 The main screen of NetStumbler
Figure 2.6 Netstumbler wardriving graph
Figure 2.7 System Architecture of SeCOnE
Figure 2.8 Configuration of the U-learning on Ubiquitous learning environment (ULE)
Figure 2.9 Student cheating by taking help from outside resource
Figure 2.10 Students cheating being at a particular distance
Figure 2.11 Student trying to cheat by communicating with neighbor student
Figure 3.1 Kismet architecture
Figure 3.2 Kismet GUI screen
Figure 3.3 Adding source
Figure 3.4 Packet capturing screen
Figure 3.5 Card type information in .netxml file
Figure 3.6 Wireless network information in .netxml file
Figure 3.8 Wireshark filtering .pcapdump file
Figure 3.9 Online test monitoring development tools
Figure 3.11 MAC address notification
Figure 3.12 Displaying list of websites accessed by student
Figure 3.13 Class Diagram
Figure 3.14 Entity Relationship Diagram
Figure 3.15 Screen 1 & Screen 2
Figure 3.16 Screen 3 & Screen 4
Figure 3.17 Screen 5
Figure 4.1 SAXParser code
Figure 4.2 MacTable attributes
Figure 4.3 Output of ParseFile showing list of Mac address obtained
Figure 4.4 New array having list of student’s IP address
Figure 4.5 Output obtained from ReadFile
Figure 4.6 Relationship between StudentDetails and TextLogs table
Figure 4.7 Main menu screen
Figure 4.8 Help Screen
Figure 4.9 Adding list of sites screen
Figure 4.10 Add white listed sites screen
Figure 4.11 View Whitelist site
Figure 4.13 Student data
Figure 4.14 Php script for android application to fetch data from MySql
Figure 4.15 Android application establishing connection to MySql database
Figure 4.16 Screen displaying list of students detected cheating
Figure 4.17 List of websites viewed by student
Figure 4.18 Notification of new device joining the wireless network
Figure 4.19 Login screen of Computer security online test
Figure 4.20 Home page of online test
Figure 4.22 Wireshark screen displaying all protocols
Figure 4.23 Using display filter to get only HTTP protocol
Figure 4.24 Creating new capture filter
Figure 4.25 Selecting the new capture filter defined
Figure 4.26 Output after parsing .txt file
Figure 4.27 No localhost url observed
Figure 4.28 Using lo interface to capture localhost packets
Figure 4.29 Local host packets captured using lo interface
Figure 4.30 Using IP address to capture online test url
Figure 4.31 The result of log files obtained while giving online test and visiting other sites
Figure 4.32 List of student’s cheating in test
Figure 4.33 List of websites visited by student
Figure 4.34 Notification screen
Figure 5.1 Output for Student Data icon
Figure 5.2 Output for Add list Icon
Figure 5.3 Output screen after deleting the whitelist site
Figure 5.4 Output screen on click of Student Logs icon
Figure 5.5 Output screen on click of username kismet15
Figure 5.6 Notification screen
Figure 5.7 Help screen output
Figure 5.8 Lab experiment set up

List of Tables

Table 3.1 Logical data design specification for the database
Table 4.1 Logical data representation of database
Table 4.2 Summary of the test cases


Chapter 1 - Introduction

1. Introduction

The primary goal of this project is to develop an application that a professor or tutor can use to monitor an online exam. The application should monitor the students' activities during the exam. Since students would be allowed to open only certain websites, any other website opened would be logged for each student and the professor would be notified. The application will also enable the tutor or professor to receive notifications about student activity from the log, on an iPad or mobile phone, while the students are taking the exam. This can be treated as the basic functionality of the project.

The goal seems simple and straightforward, but as the rest of this report shows, the project involved many challenges.

This section first gives a brief introduction to online tests. It then describes the challenges involved in online tests and highlights the motivation behind this project. The scope of the project is then defined, and finally the dissertation structure gives a short description of the following sections of this report.

1.1. Facts of Online Test

A test taken on a computer connected to a test server is called an online test, also known as Computer Assisted Assessments (CAA). This type of test is fast and removes many of the problems a paper-based exam might have. With the advancement of the internet and computers, the number of universities encouraging online tests is growing. It is a perfect way of evaluating students' performance in real time. It can give students their results very quickly if the exam is multiple choice. It also lets students take the test on their own laptop.

An online exam can also be defined as a tool with which students answer the exam questions and submit their answers online. The submitted answers are then evaluated by a software tool, and immediate feedback is available on submission.

Online examinations in an academic institute are conducted over either the internet or an intranet. Students are given limited time to answer the questions, and the exam terminates automatically when the time has expired. Evaluation can be either automated or manual, depending on the type of online exam.


There are many benefits of online tests; the most important ones that influence the decision to use Computer Assisted Assessments (CAA) are as follows:

• With Computer Assisted Assessments, exams take less time to conduct. The exams are more efficient and fair. Much research and experimentation has been done to make assessment systems more robust, taking student performance into account.

• Greater importance is given to the security of the exam when conducting Computer Assisted Assessments (CAA). Many universities express concern about cheating and other activities noticed in exams. Many technologies are used in designing such systems to avoid cheating and fulfil the universities' requirements.

• Administrative tasks can be automated to reduce the pressure on university staff to monitor the exam. Various measures are taken to increase automation and reduce the administrative tasks for exams. This not only reduces manpower but also cuts the cost of maintaining the system (Nigavekar & Harris, 2010).

• The online exam system can help students in many ways. Students can attend their classes and entrance exams on the same day, as they do not need to travel to different locations to take the exam. This automation and the other facilities available make it easier for the university and the students to save time.

• The most important benefit of online exams is that they are paper free. This saves a lot of paper and spares students the trouble of an answer paper being lost or damaged, for example by being accidentally burned. It also helps the teacher by securing the exam paper so that it is not leaked by the people who print the question paper.

The above features and advantages demonstrate that online exams are useful.

1.2. Research Motivation

The main motivation for using any online exam is fast, real-time evaluation, which saves time. Professors and business employers prefer online tests because of this real-time evaluation of performance and the time it saves. At the same time, online tests give students a chance to cheat.

There are many ways a student can cheat in an online exam. Because students take the exam on their own computers, it is very important to monitor their online activity. Students can search the internet for the answer to a question from the same computer on which they are taking the exam. This is why it is essential to track student activity, and much research has been done on preventing students from cheating during online tests.


In December 2010 a student at San Jose State University (California, USA) designed software that does the same thing, i.e. it tries to capture students' activities while they take an online exam. This software was compatible only with Windows. The aim of that project was to develop such a tool using a client/server architecture (Anandan, 2010). The tool would display the student's hostname and the website visited during unauthorized web activity. The project was implemented using a Windy31 wireless USB router, and students had to connect to the wireless network it created in order to take the exam. It also required a lot of configuration on each student’s laptop in order to run the tool, which is not feasible in a real-time environment (Anandan, 2010).

Restricting students to one particular wireless network for the exam could be problematic. The network could be down, a student might get disconnected from the network, or there may be a limit on the number of people who can connect to the network.

Due to these shortcomings, I am allowing the students to connect to the network using any OS on their laptop and connect to the test server. I would be using Kismet (an open source network sniffer) to add more functionality and enhance the efficiency of the software. By adding features such as letting students take the test on any operating system rather than only Windows, letting students connect to any wireless network in the college to take the exam, and letting more students take the online test at the same time, we can improve the software's usability so that it could be used in any online exam inside a college campus.

The report concentrates on preventing the various types of cheating observed in online tests. Students are normally more familiar with computers than the instructor, so they are smart enough to find answers using various cheating techniques.

Universities take various measures to prevent cheating during online tests. The software developed in this report helps professors track students by sending notifications about such cheating to their mobile phones.


1.3. Aim and objective

The main objective of this project is to allow students to take an online test with internet access. Although they have internet access, they can and should use only the few sites recommended by the professor and should not use any other search sites. Students are therefore allowed to access the internet, but only a limited set of sites. Students are also informed that they are being tracked by a monitoring tool and that they will be penalized for accessing sites other than those specified by the professor.

This monitoring tool should track the following student activities during the test:

• It should keep a log of the various sites visited by the student during the online exam.

• It should notify the tutor when a student tries to cheat by connecting a new device to the network. For example, if a student tries to connect to the internet through his/her iPad or mobile device, the tutor or examiner will be notified that a new device has been connected to the network.

The monitoring tool is built using Kismet, and the mobile application is designed for Android so that the professor can receive notifications and logs while moving around the examination hall. He/she can also conduct exams remotely through this mobile application.

The main approach of this monitoring application is to track students' activity during the online test using sniffing tools such as Kismet and Wireshark. If someone tries to cheat in the exam, the software notifies the professor.
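As an added illustration of the two tracking requirements above (this is not code from the dissertation), the Python example below logs every site each student visits, flags sites outside the whitelist, and raises one notification per unregistered device. The line format (`time DEVICE mac` and `time HTTP mac host`), the roster, the host names and the MAC addresses are constructed assumptions standing in for what the sniffing tools would report.

```python
from collections import defaultdict


def normalize_mac(mac):
    """Canonical form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def normalize_host(host):
    """Lower-case, drop a trailing dot and any :port suffix (host names only)."""
    host = host.strip().lower().rstrip(".")
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_allowed(host, whitelist):
    """True if host is a whitelisted name or a subdomain of one.

    Matching is on whole labels: 'exam.example.edu' matches 'example.edu',
    but 'notexample.edu' and 'example.edu.lookup.test' do not.
    """
    host = normalize_host(host)
    return any(host == d or host.endswith("." + d) for d in whitelist)


def monitor(lines, roster, whitelist):
    """Return (logs, notifications) for a sequence of observation lines.

    logs maps a student (or an unknown MAC) to [(time, host, allowed), ...].
    notifications is a list of (time, kind, subject, host) tuples.
    """
    roster = {normalize_mac(m): user for m, user in roster.items()}
    whitelist = {normalize_host(d) for d in whitelist}
    logs = defaultdict(list)
    notifications = []
    seen_unknown = set()     # unknown MACs already reported
    seen_violation = set()   # (subject, host) pairs already reported

    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        time, kind, mac = parts[0], parts[1], normalize_mac(parts[2])
        who = roster.get(mac)
        if who is None:
            # Device not registered for the exam: notify once per MAC.
            if mac not in seen_unknown:
                seen_unknown.add(mac)
                notifications.append((time, "NEW_DEVICE", mac, None))
            who = mac
        if kind == "HTTP" and len(parts) >= 4:
            host = normalize_host(parts[3])
            allowed = host_allowed(host, whitelist)
            logs[who].append((time, host, allowed))  # log every visit
            if not allowed and (who, host) not in seen_violation:
                seen_violation.add((who, host))
                notifications.append((time, "BLOCKED_SITE", who, host))
    return dict(logs), notifications


# Constructed sample data (not from the dissertation).
ROSTER = {"00:11:22:33:44:55": "student01", "00-11-22-33-44-66": "student02"}
WHITELIST = {"example.edu", "docs.example.org"}
SAMPLE = [
    "10:00:01 DEVICE 00:11:22:33:44:55",
    "10:00:02 DEVICE 00:11:22:33:44:66",
    "10:01:10 HTTP 00:11:22:33:44:55 exam.example.edu",
    "10:02:30 HTTP 00:11:22:33:44:66 search.example.com",
    "10:02:45 HTTP 00:11:22:33:44:66 Search.Example.com:80",
    "10:03:00 HTTP 00:11:22:33:44:55 example.edu.lookup.test",
    "10:04:12 DEVICE 02:AA:BB:CC:DD:EE",
    "10:04:20 HTTP 02:aa:bb:cc:dd:ee search.example.com",
]

if __name__ == "__main__":
    logs, notes = monitor(SAMPLE, ROSTER, WHITELIST)
    for note in notes:
        print(note)
```

A roster keyed on MAC addresses identifies network adapters rather than people, which matters because the dissertation lists MAC address changing among the cheating techniques it reviews.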

1.4. Dissertation Structure

This dissertation is divided into several chapters. A brief description of each chapter follows.

The second chapter introduces the background on the types of online test and the advantages of having them in educational institutes. It discusses a few challenges in conducting online tests, the various types of sniffing methods and the different tools available for sniffing packets.

The next chapter takes a closer look at the two sniffing tools used in this project, Kismet and Wireshark. It also covers the various development tools used to implement the online test monitoring tool and describes the major tools used for developing the mobile application.


The fourth chapter discusses in detail how the software is implemented using various technologies. It gives a brief overview of several software packages that have been used to carry out the monitoring of online tests.

Chapter 5 discusses the evaluation of the software by performing a handful of test cases. It also describes in detail the lab experiment setup that will be used in future for real-time testing of the software.

The final chapter presents the various benefits of the tool as designed. It also highlights a few limitations of the tool and future work for making the tool more efficient.

1.5. Summary

This section of the report gives a brief overview of online tests and their benefits in today’s world. The research motivation discussed in this section highlights the major challenges involved in conducting online tests when students take the test on their own laptops. Lastly, the structure of the dissertation is briefly summarized.

Chapter 2 – Literature Review

2. Introduction

To design and implement a good online test monitoring tool, it is important to have background knowledge of the various components involved, such as types of online test, sniffers, packet sniffing etc. This section discusses the types of online test, the various types of cheating observed in online tests, the concept of packet sniffing and the different types of tools used for packet sniffing. It also discusses the various methods used by different authors to avoid cheating in online exams.

2.1. Type of Online Test

There are different types of online tests. Online tests can be categorized as those designed for administering formative tests, summative tests, or both. Tests designed for formative assessment should allow the tutor to give feedback to the student when a wrong option is selected, while tests designed for summative assessment should be more secure, for executing proctored laboratory exams (Costagliola & Fuccella, 2009).

The functionalities provided by general online test software include various components, which are as follows (Costagliola & Fuccella, 2009).

Question Types: There are different types of question included in an online test. It can be either multiple choice, selecting one answer from a few given choices, fill in the blanks, writing essays, writing a piece of code for programming, matching, ordering etc. The number of question types that can be included in the test, and the support for custom question types, make up the main component of the online exam.

Random question selection: The facility to randomly select questions from the repository when designing tests makes a test more dynamic and adds to the strength of the overall exam.

Multimedia support: The support of multimedia files such as images, graphs etc. while preparing the question repository is also an important component, as it gives students a good understanding of the questions.

Equations: Many subjects like maths, physics etc. include the formulation of equations on which the student might be tested. Thus support for equations in the questions also becomes an important component in exams for various subjects.

Feedback: The possibility for students and examiners to get and give feedback immediately after the test, or later via email, is also an important feature of online tests.

Proctored Tests: The support of tools and security for executing laboratory exams is important for certain exams too.

Test Analysis: The availability of statistics on tests and on the questions asked in various exams can also prove to be beneficial. It can help students to study different topics in the subject based on the pattern of the previous exams.

Standards: The support of standard functionalities for online testing (QTI and/or CMI).

Exam time: Almost all online exams are given specific times at which the test is made available to the students on a particular date.

Authentication: Designing a test and taking a test require different types of login, so different types of authentication are made available. There are separate logins for students and for the system administrator who maintains the online test.

A large number of online examination system tools are available in the market today which help in managing the whole test system.

Although a number of online exam software packages are available, the three major components that require the most attention when administering an online examination are as follows (Gujarathi, 2010):

1. Creating a secure online exam, where the contents of the test are not disclosed to the

students until the exam starts.

2. Supervising, controlling and managing online examination so that all the students give a

fair exam with the same level of difficulty of questions.

3. Automated marking facility for the examination such that the students get their

feedback instantaneously.

2.2. Various types of cheating that may occur in online test

The major issue with all these online assessments is that students can try to cheat to obtain marks. This discourages those students who study hard and take the online exam honestly. From a practical point of view, it is often easier for students to cheat in online exams. Many students have a better knowledge of computers than the tutor, and they might know many potential ways of cheating using a computer. This cheating raises serious issues for teachers, who should take measures to prevent it. Many methods of cheating are observed; some are quite new, while some are increasingly automated and distributed. There are countermeasures that prevent some types of cheating, while other types are unavoidable (Rowe, 2004).

The various methods used by students to cheat in online test are as follows:

2.1.1. Spyware Technique

Spyware is a type of malware which can secretly sneak into any computer and collect important information about the user of that computer. Since its presence is hidden from the user, it can be used by students to look at how other students are responding to the questions during a test. It can also be used to spy on the tutor’s/professor’s computer, which might contain the exam questions set by them.

Such spyware can be secretly installed on a user’s machine. It can also be installed on a shared network, and spyware such as keyloggers can secretly monitor other users. The main advantage of this type of software for the person using it is that the owner of the machine is not aware that the software is installed. It is hidden from the user and difficult to detect. So a student can easily steal test questions and perform well in the exam, or might even try to sell them to other students (Rowe, 2004).

2.1.2. Sniffers & other hacking techniques

Students can also use sniffing techniques to cheat in an online exam. They can use sniffers to sniff the packets passing through the local network. This local network may be used by the tutor or a fellow student either to set their passwords for the exam or to answer the questions in the exam. Students can use a captured password to gain access to the tutor’s machine, where they might find the exam papers. Students can also use hacking techniques to gain server and administrator privileges on the test-server machine, which is as good as obtaining the tutor’s password for the online test being set. Students do not have to be experts to perform such actions, as there is a lot of ready-to-use software that can do these things for them. Even the installation instructions for this software are available on web sites. They can download software online and follow its simple installation and configuration instructions to attack a computer system (Rowe, 2004).

2.1.3. Using Mac address changing software

The MAC address is a unique value or ID associated with the network adapter. It is also known as the physical address or the hardware address. It helps in uniquely identifying an adapter on a LAN. MAC addresses are 6 bytes, i.e. 12 hexadecimal digits, in length, and are written in the format “MM:MM:MM:SS:SS:SS” or “MM-MM-MM-SS-SS-SS”.

The MAC address of a computer is always stored by the server so that it can pinpoint a computer in the network. So if anyone accesses an illegal website with a fake MAC address and changes it back later, he/she cannot be tracked.

Although the MAC address is written at the hardware level, there are still ways to change the MAC address of a device. One such example is shown below.

Technitium MAC Address Changer: It basically helps users to change their MAC address, which hides their real identity. So by using a MAC address changer a student can try to access restricted computers and files and then become untraceable.

Figure 2.1 Mac Address changing technique
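
The new-device notification this tool aims for can be built on the MAC format described above. The following is an added example, not code from the dissertation: it normalises both written notations, splits the vendor (MM) and serial (SS) halves, and compares observed addresses with a roster of registered devices. The roster, the observed list and all addresses are constructed sample data.

```python
import re

# Six octets separated consistently by ":" or "-" (the two notations in the text).
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(text):
    """Return the address as 12 lowercase hex digits, or raise ValueError."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return re.sub(r"[:-]", "", text).lower()


def describe_mac(text):
    """Split an address into its vendor (MM) and serial (SS) halves."""
    mac = normalize_mac(text)
    first_octet = int(mac[:2], 16)
    return {
        "mac": mac,
        "vendor_prefix": mac[:6],
        "serial": mac[6:],
        # Bit 0x02 of the first octet marks a locally administered address,
        # i.e. one assigned in software rather than by the manufacturer.
        # A changed address that copies a vendor prefix will NOT set this bit.
        "locally_administered": bool(first_octet & 0x02),
    }


def check_devices(observed, roster):
    """Compare addresses seen on the exam network with the registered roster.

    observed: iterable of MAC strings; roster: dict of MAC string -> owner.
    Returns alerts for unknown devices and the owners whose device was not seen
    (a registered laptop vanishing while a new address appears is worth a look).
    """
    known = {normalize_mac(m): who for m, who in roster.items()}
    alerts, seen = [], set()
    for raw in observed:
        try:
            info = describe_mac(raw)
        except ValueError:
            alerts.append((raw, "malformed address"))
            continue
        mac = info["mac"]
        if mac in seen:
            continue
        seen.add(mac)
        if mac not in known:
            reason = "unregistered device"
            if info["locally_administered"]:
                reason += " (locally administered address)"
            alerts.append((mac, reason))
    missing = sorted(who for mac, who in known.items() if mac not in seen)
    return {"alerts": alerts, "missing": missing}


# Constructed sample data.
ROSTER = {"00:1A:2B:3C:4D:5E": "student-01", "00-1A-2B-3C-4D-5F": "student-02"}
OBSERVED = [
    "00-1a-2b-3c-4d-5e",   # student-01, hyphen notation
    "02:00:00:AA:BB:CC",   # unknown, locally administered bit set
    "00:1A:2B:3C:4D:5E",   # student-01 again
    "3C:5A:B4:01:02:03",   # unknown device
    "00:1A:2B:3C:4D",      # truncated, only five octets
]

if __name__ == "__main__":
    print(check_devices(OBSERVED, ROSTER))
```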

2.1.4. Using proxy

By using a proxy we can redirect our internet traffic through a specific router or computer. This method is very common and is used by many people to bypass the firewall in order to open blacklisted sites in colleges. By using a proxy, students can also redirect their internet traffic through other computers or routers, find answers for the online exam, and then resume their online exam through the original channel. This can be done in different ways; the common way is to edit the Windows internet settings so that all traffic passes through a proxy server, or to use a VPN (virtual private network).

Figure 2.2 Screen shot for setting proxy

The above diagram shows the Internet Settings in the web browser where we can configure the

proxy to be used for certain sites.

Figure 2.3 VPN Connection

The last method, which is the easiest one, is using a free proxy. Some websites, like www.newip.us, provide free proxy services which allow you to encode not only the URL but also any page content. Using these sites, any student can encode the whole page of what he is surfing, and it cannot be tracked.

2.1.5. Using IP address

We know that every domain name on the internet is mapped to an IP address. Direct use of the IP address can bypass keyword filters. For example, if www.facebook.com is blocked by the router/proxy server using a keyword filter, it can still be accessed with http://66.220.158.47/.
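
The gap described above, shown from the filter's side as an added example (not code from the dissertation): a keyword filter of the kind in the text next to a default-deny allowlist that also refuses hosts written as IP literals. The exam host name `exam.example.edu` and the visited list are assumptions constructed for the example; the two URLs from the text are reused as sample input.

```python
import ipaddress
from urllib.parse import urlsplit

BLOCKED_KEYWORDS = ["facebook"]        # the keyword filter from the text's example
ALLOWED_HOSTS = {"exam.example.edu"}   # hypothetical exam site (assumption)


def keyword_filter_allows(url):
    """Weak check: blocks only when a listed keyword appears in the URL."""
    return not any(word in url.lower() for word in BLOCKED_KEYWORDS)


def is_ip_literal(host):
    """True when the host part is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def allowlist_decision(url):
    """Default-deny check: only the exam host is allowed, never a bare address."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return False, "no host in URL"
    if is_ip_literal(host):
        return False, "IP-literal host"
    if host in ALLOWED_HOSTS:
        return True, "exam site"
    return False, "host not on allowlist"


def audit(urls):
    """Return the URLs the keyword filter lets through but the allowlist denies."""
    gaps = []
    for url in urls:
        allowed, reason = allowlist_decision(url)
        if keyword_filter_allows(url) and not allowed:
            gaps.append((url, reason))
    return gaps


# Constructed log of visited URLs.
VISITED = [
    "http://exam.example.edu/test/42",
    "http://www.facebook.com/",
    "http://66.220.158.47/",
    "http://[2001:db8::1]/",
]

if __name__ == "__main__":
    for url, reason in audit(VISITED):
        print(f"keyword filter missed {url}: {reason}")
```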

2.1.6. Using forensics technique

Computer forensics is a branch of forensic science pertaining to legal evidence found in computers. This technique is used to examine digital media with the motive of finding relevant information. It is mainly used to investigate computer crime, but people with knowledge of it can use it to get important information from any computer system. For example, students can use the tools used for forensic examination of computers to get information about the data a computer holds. Even if students are not using special software such as sniffers or software to change the MAC address, they can easily track down all the activities of the tutor by using computer forensics tools (Philipp et al., 2010). Whenever users log off a computer, they leave behind much information from the time they were working on that particular computer. That information is left mostly in memory or on the disk they have been working on. This information can be easily retrieved using built-in tools and free software. For example, an instructor working on an online test may leave the final version of the downloaded page, with the answers, in the cache of their Web browser. So, even when the power is turned off, the cache will still remain on disk, and even if the files are requested for deletion, the operating system keeps them in a “recycle bin” before deleting them permanently (Rowe, 2004).

The different types of challenges described in this section are a few common types of cheating that are observed while students are taking online exams. Universities take various measures to avoid such cheating when students are taking online tests. The software developed in this report helps the professor to track students, with notifications delivered to his/her mobile phone as well.

2.3. Introduction to Sniffing

Sniffing is a technique which is used in any network to capture the data flowing through the network. A sniffer is a tool which can intercept the packets travelling in the network. It can then analyze those packets for their content, which can lead to leaks of important information if the packets are not encrypted. In networking protocols, the data transmitted gets split into small packets, and the IP address of the destination computer is written in the header of each packet. Those packets pass via routers and eventually reach the network containing the destination computer’s address. While the packets are travelling to the destination computer, the network card residing in the computer will examine the address in the header of each

packet. If the destination address on a packet is the same as the IP address of the computer, the network card will keep the packet in the host computer. If the destination address on a packet is different from the IP address of the machine, that packet is rejected (King, 2002).

2.4. Packet sniffing

Packet sniffing is the process of monitoring packets passing through the network. A packet sniffer is either a piece of software or hardware that can be used to monitor all network traffic. Sniffers are able to capture all incoming and outgoing packets, including user names, passwords and other sensitive details, which are basically the content of the packets. Most packet sniffers operate in stealth mode, meaning they only listen to the packets being passed in the network and record them. This way they remain passive yet are able to capture all the packets. In theory, it is impossible to detect such sniffing tools, as they are passive in nature. They can only be detected when they are not fully passive.

Packet sniffing has a slightly different mechanism: it picks up the address present on the packet, but it also sets the network card in “promiscuous mode” and copies each and every detail of every packet that passes through the network. In short, this lets a packet sniffer listen to all the details of the data traffic on the network to which it is attached. It is also able to trace network traffic that includes details of interest to attackers, such as user names and passwords, confidential data which is not in encrypted format etc. This technique can be used by network engineers to detect and diagnose network faults. Hackers can use this technique to analyze the confidential data flowing through the traffic (Spangler, 2003).

Sniffers can be used both to maintain networks and to attack networks.

1. Commercial packet sniffers are used to manage networks.

2. Packet sniffers can also be used by attackers to get unauthorized access to remote hosts.

2.5. Types of packet sniffing

There are mainly three types of sniffing methods as mentioned below (Spangler, 2003).

IP-based sniffing: This is the exact way of sniffing packets. In this type of sniffing, the network

card is put into promiscuous mode and sniffing is done by matching the IP address. This method

can work in non-switched network too.

MAC-based sniffing: This method can also work by putting the network card in promiscuous

mode. The packets are sniffed by matching the entire MAC address filter.

ARP-based sniffing: In this type of sniffing there is no need to put the network card in promiscuous mode. This is because ARP packets are sent to the computer sniffing packets and the ARP protocol is stateless. This method is used in switched networks. Here the ARP cache needs to be poisoned on the host computers that we need to sniff. Once the ARP cache is poisoned, all the packets, instead of being sent directly, will be sent to the host computer that is sniffing packets. Such traffic is then logged, and real-time data is captured by the computer intending to sniff packets. This type of sniffing is also known as a man-in-the-middle attack.
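
Because the ARP protocol is stateless, a poisoned cache shows up on the wire as an IP address whose claimed MAC address suddenly changes. The following added example (not code from the dissertation) is detection logic a monitoring station could run over observed ARP replies; the reply records and all addresses are constructed sample data.

```python
from collections import defaultdict


def detect_arp_anomalies(replies):
    """Flag suspicious IP-to-MAC bindings in a sequence of ARP replies.

    replies: iterable of (time, sender_ip, sender_mac) tuples.
    Two signals are reported:
      binding-changed          an IP address is now claimed by a different MAC
      mac-claims-multiple-ips  one MAC answers for more than one IP address
    A DHCP re-lease or a replaced network card can also change a binding,
    so an alert is a prompt to investigate, not proof of poisoning.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for when, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"time": when, "kind": "binding-changed",
                           "ip": ip, "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({"time": when, "kind": "mac-claims-multiple-ips",
                               "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


def suspect_macs(alerts):
    """MAC addresses that took over an IP address previously bound elsewhere."""
    return {a["new_mac"] for a in alerts if a["kind"] == "binding-changed"}


# Constructed ARP replies: (seconds since start, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (0, "192.168.1.1", "AA:AA:AA:00:00:01"),    # gateway
    (1, "192.168.1.10", "aa:aa:aa:00:00:10"),   # student laptop A
    (2, "192.168.1.11", "aa:aa:aa:00:00:11"),   # student laptop B
    (5, "192.168.1.1", "aa:aa:aa:00:00:01"),    # gateway again, unchanged
    (30, "192.168.1.1", "aa:aa:aa:00:00:11"),   # laptop B now answers for the gateway
    (31, "192.168.1.10", "aa:aa:aa:00:00:11"),  # ... and for laptop A
]

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```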

2.6. Different type of sniffing tools

There are various types of sniffer applications, which are mostly used to trace the network communication occurring between the client machine and the server. Such network communication can be HTTP, LDAP, telnet etc. Different applications are used for sniffing: open source sniffers, http header sniffers, terminal sniffers and many others.

Each sniffing application has its own interface and usability. The following sections attempt to identify a few of the common sniffer applications that are recommended, and the advantages and disadvantages of each.

2.6.1. Ethereal

Ethereal is an open source network protocol analyzer, commonly known as a sniffer application. It can be used with operating systems like Windows, Linux and Solaris.

Ethereal has an advantageous feature known as “Follow TCP Stream”, which allows filtering all the network traffic once the TCP packets that we are looking for are identified. This feature cuts away all the other layers of network communication and tracks only the http headers and content. It is very useful for quickly identifying and analyzing a specific packet sequence. Additional features of ethereal include capture filters and display filters (McRee, 2006).

A capture filter is used to define which packets need to be captured before you start sniffing. In addition, ethereal is also used for offline packet analysis. Ethereal supports different capture filter file formats like .tcpdump, .pcapdump etc. These files are then passed to ethereal for offline analysis of packets.

A display filter is used once all the packets are captured, to filter them by categories. Display filters can be used to limit what you want to display on the screen, and can then be modified based on the packets that you have after sniffing.

There are three basic frames displayed in the ethereal GUI.

1. Packet-by-packet overview. It can display information such as the grouping of source and destination IP addresses and the packet number observed by the network card interface.

2. The packet breakdown screen displays important information for determining the network layers. This packet breakdown is displayed in the second (middle) frame when a packet is highlighted in the first (top) frame. It includes information on the Ethernet, IP, TCP and other layers in the packet.

3. The final frame displays the raw data of the highlighted packets.

Overall, ethereal has cross-platform compatibility, in that it can be used on both Windows and Linux, and it is the most commonly used sniffing tool.

2.6.2. TCPDump

TCPdump was introduced in the early 1990s. It is a UNIX-based tool, and a similar tool which works on Windows is called WinDump. This tool is used for packet sniffing and works along the same lines as ethereal (Fuentes & Kar, 2005).

TCPdump is a network analyzer which was developed by Van Jacobson and is mainly operated through its command line interface. It analyses all important network protocols such as TCP, UDP, IPv4, ICMPv4, IPv6, ICMPv6, SNMP etc.

Figure 2.4 below shows an example of a TCPdump capture (Fuentes & Kar, 2005).

Source: (Fuentes & Kar, 2005)

Figure 2.4 Example of TCPdump packet capture

In the above figure, the bold face letters indicate the timestamp, 15:14:54.281059, corresponding to 15:14 PM and 54.281059 seconds.

If the frame is an IP datagram, tcpdump will display the source and destination information of the packets being transferred over the network.

Here 10.0.1.11.33129 indicates that the sender’s IP address is 10.0.1.11 and its application port number is 33129, while 10.0.1.12 is the destination IP address and the application port is ftp. The symbol “S” indicates a synchronization packet.

In the sequence of numbers “2860245706:2860245706(0)”, the first 10 digits, 2860245706, indicate the initial synchronization number (ISN), and 0 indicates that no data is passed in the packet.

The entry “win 5840 <mss 1460” indicates the TCP window size: 5840 bytes is the available TCP window size and the maximum segment size is 1460 bytes.

The remainder of the line contains “nop”, which indicates no option.

Although tcpdump is a very powerful tool, as seen from the above explanation its output becomes very tedious to analyze. Simply typing the tcpdump command dumps all the traffic, much of which might not be of interest to the user. Using a filter expression can help limit the captured traffic to the specific data of interest, but this requires a lot of effort (Fuentes & Kar, 2005).
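
The field-by-field reading above can be automated. The following added example (not code from the dissertation or from Fuentes & Kar) parses capture lines in the layout the text walks through; because Figure 2.4 itself is not reproduced here, the sample lines are constructed from the values quoted in the text, and everything beyond those values (the later packets and the extra option) is an assumption.

```python
import re

# Layout assumed from the walk-through: time, src > dst:, flags, seq range, win, options.
LINE_RE = re.compile(
    r"^(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):\s+"
    r"(?P<flags>[SFPR.]+)\s+"
    r"(?:(?P<seq_first>\d+):(?P<seq_last>\d+)\((?P<length>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
    r"(?:\s+<(?P<options>[^>]*)>)?"
)
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST"}


def split_endpoint(endpoint):
    """'10.0.1.11.33129' -> ('10.0.1.11', '33129'); the port may be a service name."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_options(text):
    """'mss 1460,nop' -> {'mss': '1460', 'nop': None}."""
    options = {}
    for item in (text or "").split(","):
        name, _, value = item.strip().partition(" ")
        if name:
            options[name] = value or None
    return options


def parse_line(line):
    """Return the fields of one TCP capture line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    options = parse_options(m["options"])
    flags = [FLAG_NAMES[c] for c in m["flags"] if c in FLAG_NAMES]
    if m["ack"] is not None:
        flags.append("ACK")
    return {
        "time": (int(m["hour"]), int(m["minute"]), float(m["second"])),
        "src": split_endpoint(m["src"]),
        "dst": split_endpoint(m["dst"]),
        "flags": flags,
        # The ISN of the text: first number of the range on an "S" packet.
        "isn": int(m["seq_first"]) if m["seq_first"] and "SYN" in flags else None,
        "payload_bytes": int(m["length"]) if m["length"] else None,
        "window": int(m["win"]),
        "mss": int(options["mss"]) if options.get("mss") else None,
        "options": options,
    }


def connection_attempts(lines):
    """(source host, destination host, destination port) for each bare "S" packet."""
    attempts = []
    for line in lines:
        packet = parse_line(line)
        if packet and packet["flags"] == ["SYN"]:
            attempts.append((packet["src"][0], packet["dst"][0], packet["dst"][1]))
    return attempts


# Constructed capture lines; only the first uses the values quoted in the text.
SAMPLE_LINES = [
    "15:14:54.281059 10.0.1.11.33129 > 10.0.1.12.ftp: S 2860245706:2860245706(0) win 5840 <mss 1460,nop,wscale 0> (DF)",
    "15:14:54.281303 10.0.1.12.ftp > 10.0.1.11.33129: S 1500000000:1500000000(0) ack 2860245707 win 5792 <mss 1460>",
    "15:14:54.281400 10.0.1.11.33129 > 10.0.1.12.ftp: . ack 1500000001 win 5840",
    "15:14:55.000000 arp who-has 10.0.1.12 tell 10.0.1.11",
]

if __name__ == "__main__":
    print(connection_attempts(SAMPLE_LINES))
```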

2.6.3. NetStumbler

This tool is specifically designed for the Windows operating system and is contrary to Kismet. It is used for detecting wireless local area networks (WLANs) using 802.11b, 802.11a and 802.11g. It also provides RF signal information. Netstumbler basically sends a “probe request” every second and captures responses containing useful information such as the Service Set Identifier (SSID) and the Media Access Control (MAC) numbers of the wireless networks present in the nearest vicinity. This type of sniffing is called active sniffing. It is active because the probe requests sent to the wireless network can be easily identified and tracked. One of the drawbacks of Netstumbler is that it cannot identify hidden SSIDs. It can also be easily identified, as it sends a probe request to the network every second. However, it can present a very useful graphical representation of signal strength, shown in green, and noise ratio, shown in red, that might be very useful for finding wireless LANs (Villegas, 2008).

Figure 2.6 below displays the main screen of Netstumbler.

Source: (Villegas, 2008)

Figure 2.5 The main screen of NetStumbler

Source: (Villegas, 2008)

Figure 2.6 Netstumbler wardriving graph

Netstumbler can even identify the location of WLANs using a GPS device. It creates an .ns1 file that can be imported into Microsoft’s MapPoint software to display any wardriving in the form of a graph as shown in figure 2.7. Netstumbler sends broadcast probe requests to the WLAN, and most of the access points respond to such broadcast requests by default. But there are some access

points that do not respond to such requests. In such cases Netstumbler cannot detect the access point. Since Netstumbler cannot find wireless access points which are not broadcasting their SSID, another wireless sniffer called Kismet can be used to overcome this drawback (Villegas, 2008).

2.6.4. Kismet

Kismet is an open source 802.11 wireless network detector and analyzer, sniffer and

intrusion detection system. Kismet will work with any wireless card which supports

raw monitoring (rfmon mode) and can sniff types of network traffic like 802.11b,

802.11g and 802.11n (Hurley, 2007). Kismet is extremely configurable. It can be easily

configured to hop through all the channels and analyze the entire wireless network. It

can also be configured in a manner to work for only one dedicated channel in order to

analyze traffic for single channel. Kismet is completely passive in operation unlike other

sniffing tools like NetStumbler. It identifies network by collecting packets passively and

detecting named networks, detecting hidden networks, and concluding the presence of

nonbeaconing networks via data traffic. Kismet is also undetectable while it is sniffing packets

(Kershaw, 2009).

2.7. Wireless Sniffing techniques

The term wireless technology refers to enabling two or more computers to communicate with each other over a wireless network rather than a wired cable. Such networks are also referred to as wireless LANs. A peer-to-peer wireless network, or ad-hoc network, comprises many computers, each equipped with a wireless interface card. Each computer can communicate directly with all the other computers and can share files and printers connected to the network. A wireless network can also use an access point, or base station. Such an access point acts as a hub providing wireless connectivity to the computers. Wireless LANs can also be connected to a wired LAN using a bridge. Wired networks can be easily sniffed unlike wireless networks (King, 2002).

In a shared environment, wireless sniffing can be easily achieved by putting the network card in promiscuous mode and using a sniffing tool like Wireshark to sniff the packets flowing in the shared network. Even in a switched environment, we can sniff by using the concept of a man-in-the-middle attack. Common techniques used are ARP spoofing, MAC flooding, MAC duplicating, ICMP redirection, DHCP spoofing and port stealing.

In both shared and switched environments, it is easy to run a packet sniffing tool and start collecting packets from the network for analysis. But when it comes to wireless analysis, the sniffing procedure becomes complicated and requires additional decision-making skills to best support the analysis that needs to be performed while sniffing. The sniffing station must also be equipped with appropriate hardware and software.

Hardware Requirements:

Hardware requirements depend on the wireless network interface card, which may be CF, PCI, USB or PCMCIA based, or an on-board wireless NIC/chipset. The software required may differ based on the device drivers as well as the capability of each chipset. Let’s suppose we use Kismet (http://www.kismetwireless.net) as the sniffing tool and ethereal (http://www.ethereal.com) to analyze the sniffed packets. Kismet works with any wireless card that supports raw monitoring (rfmon) mode, and for other operating systems like Mac OS X and OpenBSD it includes a “detection selection” of cards. If GPS is available, Kismet can also log the location of packets being transmitted. It comes with “gpsmap” to plot the data graphically on downloaded maps.

Normally the wireless NIC card is placed in monitor mode for sending and receiving packets. The wireless NIC card will not pick up any packet other than the ones destined for itself unless the card is placed in rfmon mode. The only problem with Kismet is that on Windows it is difficult to get the wireless NIC into rfmon mode. Win32 drivers do not support rfmon mode by default.

2.8. Related work

Various approaches have been implemented that aim at detecting cheating in online exams. According to Costagliola et al. (2009), their project aims at recording students’ habits during online tests without informing them, in order to capture realistic behavior. Their report also mentions aspects of cheating detection. The ultimate aim of the project was to present an approach and a system that let the tutor monitor learners’ strategies during online tests. The result is represented in the form of a chart using a log analyzer. They also mention deeper exploration of cheating detection as future work. A few steps are taken in the (Eplion & Keefe, 2005) project to minimize cheating. This project aims at minimizing the impact of cheating by taking various cheating aspects of online tests into account. They provide a limited time for each question, like 45 seconds/question, to keep students engaged in the test, i.e. timing the test. Even the orders

of exam questions are scrambled so as to prevent students asking each other for the answers to the common questions.

The project in Castella-Roca et al. (2006) aims at a secure e-exam management system based on cryptographic protocols that offers high security for all exam stages. It covers cheating aspects such as authenticity, privacy, correction and secrecy. The exam is conducted in a supervised area, where the student uses a computer to take the exam. It mentions further research in which students will be allowed to take exams in a less restricted environment.

The distributed firewall techniques in Pan et al. (2004) were used to control the network packets of all machines, together with a centralized security policy to control the security policies of all machines. Since it uses a distributed firewall, security is the most important part of this project. It can be attacked by forging, duplication, distortion etc. A brute force mechanism is used to prevent cheating through attacks like forging. In future work this project aims at enhancing cheating detection in the form of logs.

The research work conducted by Jung and Yeom (2009) aims at monitoring students taking an online test remotely, where the proctor is not present at the location where the examination is being held. This paper aims at removing human presence completely from secure online exam management. It uses an enhanced security control system for the online exam (SeCOnE) based on group cryptography.

Cheating Prevention and Detection through E-monitoring

Source: (Jung & Yeom, 2009)

Figure 2.7 System Architecture of SeCOnE

The SeCOnE system adopts five methods to prevent and detect cheating.

1. A webcam is used to identify the student: the photos taken during the registration process and the current image displayed on the webcam are verified for authentication purposes. The verified data is then saved during the exam.

2. Continuous recording, both audio and video, is performed to capture data while examinees are taking the test. This data is then saved during the exam. This is mainly performed to reduce the chance of cheating while the exam is in progress and even after the exam.

3. Since every screenshot of a student is saved in parallel with the videos, it is easy for the proctor to determine exactly what an examinee is doing on his or her computer.

4. All ports except the port required for the online exam are disabled. This prevents the examinee from accessing the internet and avoids cheating using a fixed port. The only open port is used to send the IP address of the online exam client to the exam administrator.

5. All programs except the online exam client are deactivated by controlling the input triggered by examinees.

In short, this method uses a webcam to capture examinees' activities, and all the ports are disabled so that the student cannot access the internet.

In (Sung, 2009), the project aims at providing a u-learning environment to students using mobile phones, portable computers, PDAs and tablet PDAs. It has been developed to provide only internet-based e-learning and wireless facilities. It provides an any-time, any-place concept of e-learning, without requiring a permanent connection to a physical network.

Source: (Sung, 2009)

Figure 2.8 Configuration of the U-learning on Ubiquitous learning environment (ULE)


It uses 7 phases for developing framework as mentioned below:

1. Input

2. Authentication

3. Distribution

4. Monitor

5. Gathering

6. Grading

7. Inquiry

Among these stages, the monitoring stage uses audio, video and chat to conduct online exam monitoring. It includes three modes: synchronous, asynchronous and hybrid. The synchronous mode is mainly used to conduct online examinations and also allows the examination to be taken from a remote site. It therefore enables the student to take the examination anytime, anywhere, within a specified time limit. The system is designed to provide students with an interactive user interface, encouraging them to use it for learning purposes too.

In (Frandsen, 2010), the author aims to prevent cheating when students take an online exam on their own laptops. When students are allowed to use their own laptops, the risk of cheating is the major issue to resolve, because it opens up new ways for students to cheat. The first half of the report concentrates on the different ways in which a student can cheat in an examination. The second half concentrates on finding solutions to prevent the cheating detected. The author uses directional antennas, triangulation and many small experiments to test the methods. The report treats students as attackers in the network security model and specifies different types of attack.

It includes various cheating scenarios like:

Students taking help from an outside resource. The outside resource may be a wireless access point providing internet access, or an expert hired to help in the examination.


Source: (Frandsen, 2010)

Figure 2.9 Student cheating by taking help from outside resource

Students communicating with other students seated in the same examination hall at some distance from each other. This can include various forms of cheating, such as comparing answers, helping each other or discussing the questions in the exam.

Source: (Frandsen, 2010)

Figure 2.10 Students cheating being at a particular distance

Students communicating with a neighbouring student seated in the same examination hall. This is the same situation as mentioned above, where they are communicating with each other but not with the outside world.


Source: (Frandsen, 2010)

Figure 2.11 Student trying to cheat by communicating with neighbor student

All three types of attack mentioned above are resolved using triangulation. Triangulation is the method used for detecting the location of a particular student using triangle geometry. Using different types of antennas, the location of a transmitting wireless node can be detected.

After setting up the antenna and an external USB Wi-Fi card, the signal strength is measured using Linux. Kismet is used for capturing packets. The packets captured by Kismet are saved in .pcapdump format. Wireshark is used to filter the captured packets based on the MAC address of the NIC, and the signal strength of each packet is stored in a file. The file is then opened in Excel to calculate the averages and draw graphs accordingly.

Some software does take the security issues in online tests into account, such as Nottingham University’s Course Master system. This system encrypts the traffic between the administrator and the server, and uses a “cross-checking session key system” to prevent students communicating with the server from packet sniffing (Truong et al., 2002).

This software addresses a few more issues. For example, in HTML the answers to the questions can easily be viewed by clicking on view source; this type of issue is addressed by using more capable commercial software. This software also dynamically links to the marking software, where the computer can automatically mark the solutions using the same Course Master tool. The framework provides two main functions: the first is to conduct the exam online and the second is to automatically mark the solutions (Higgins et al., 2002).


2.9. Summary

This section gives the background knowledge of online tests and the various types of cheating seen in online tests. It also describes the basics of packet sniffing and the different tools that can be used for sniffing packets. Each sniffing tool has its own properties: some can be used to sniff switched networks, while others can be used for sniffing wireless networks. The various approaches taken in the past to avoid cheating are also discussed in this section.


Chapter 3 – Design

3. Introduction

This section describes the different processes involved in designing the software. It starts by describing the primary approach used to build the software, presenting a general overview of how it is built. Then a brief description of the development tools used for implementing the software is given. Finally, the software design is presented, taking into account the standard design process.

3.1. Approach

This section discusses the approach for building the application. The goal of the project is to build an online test monitoring tool which assumes that the students are taking the exam on their own laptops and are allowed to access only a few recommended websites. This monitoring tool should detect if any student tries to cheat. Students can cheat either by opening websites which are not allowed on their own laptop, or by using some other device to connect to the wireless network and open those websites. In either case they would be opening the restricted websites with some device.

So the main approach for making the Online Test Monitoring tool is:

1. To notify the tutor when a new MAC address has joined the network

2. To display log files with list of sites viewed by each student

This was achieved by sniffing packets in the network used by the students to take the test. The packets are sniffed using a tool called “Kismet”. Kismet, as described in the previous sections, is a wireless sniffer and IDS which can help in monitoring the wireless network used by the students to take the online test. Although Kismet can detect what an IP/MAC address is doing on the network, it cannot detect which IP/MAC address belongs to which student. This is where the login page of the online test plays an important role.

This login page of the online test designed for this project retrieves the IP & MAC address of the

machine associated with the username of the student giving exam. Thus now we have a

mapping of which IP/MAC address belongs to which student and now Kismet log files can

specifically point out a student.

The above can be done by inserting the MAC and IP address obtained from the login page into a MySQL database. This MAC address can later be retrieved from the database and compared against the “.netxml” file obtained from the Kismet tool, which lists all the “wireless clients” connected


to that network. The IP address obtained from the MySQL database can also be matched with the IP address present in the logs obtained from Kismet. Since the log files from Kismet can’t be processed directly to obtain the IP address, we have to use another tool, “Wireshark”, to read the log. It will then tell us the details of all the activities of every IP address. Based on the activities of every IP address, the list of websites viewed by each student can be extracted from the log files.

The data extracted from the two different files can then be displayed in the online test monitoring application. A new MAC address joining the network is displayed in the form of a notification, and the list of websites viewed by each student is presented in a list view.

Hence, the preliminary approach taken is to use the wireless sniffing tool “Kismet” to capture packets, filter those packets using “Wireshark” and display the information in the tool.

3.2. Development Tools

3.2.1. Kismet

Kismet is an open source 802.11 wireless network detector and analyzer, sniffer and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon mode) and can sniff network traffic types such as 802.11b, 802.11g and 802.11n. It can easily be configured to hop through all the channels and analyze the entire wireless network. It can also be configured to work on only one dedicated channel in order to analyze the traffic of a single network (Haines et al., 2008).

Kismet is completely passive in operation, unlike other sniffing tools such as NetStumbler. It identifies networks by collecting packets passively, detecting named networks, detecting hidden networks, and inferring the presence of nonbeaconing networks via data traffic. Kismet is also undetectable while it is sniffing packets.

Kismet has a distributed architecture. It comprises a server called “kismet_server” and a client component called “kismet_client” that can be connected to many servers. There is also a drone component, which can be used for listening remotely and sends its traffic to the central server (Murray, 2009).


Source: (Murray, 2009)

Figure 3.1 Kismet architecture

Kismet is able to generate several log files such as “.dump”, “.csv”, “.xml”, “.netxml”, “.nettxt” and “.pcapdump”.

Summary of all the features of Kismet (Etter, 2002):

It scans the wireless access points passively

It can detect hidden access points that do not emit beacon frames. In short, it can detect “cloaked” access points

It also provides GPS support to locate a particular access point

It logs all the access point information in the form of log files (.csv, .netxml, .nettext, .gps)

All the raw data packets transmitted over the network are recorded in the .pcapdump file

It also includes the ‘Kismet to CWGD’ converter program and the gpsmap mapping program

Running Kismet (on Ubuntu 11.04)

1. If Kismet is not installed as root, then type command “sudo kismet” in the

terminal.

2. A GUI will open in the terminal, which will prompt user to start the Kismet server,

choose “Yes”.


Figure 3.2 Kismet GUI screen

3. Next, it will prompt the user to “Add Sources”. If you are not sure of the sources, you can use the “iwconfig” command to find them and add the source type. In this project we are using the wireless interface, so the source is “wlan0”.

Figure 3.3 Adding source

4. The source also needs to be defined in the “kismet.conf” file as follows if the source is a wireless card:

“ncsource=wlan0:option1=foo, option2=bar”

5. Once the source is added, Kismet will start capturing packets as shown in figure 3.4 below:


Figure 3.4 Packet capturing screen

3.2.2. .netxml file explanation

When Kismet is run it generates a “.netxml” file which basically comprises three parts:

1. Wireless card type information

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE detection-run SYSTEM "http://kismetwireless.net/kismet-3.1.0.dtd">
<detection-run kismet-version="2011.03.R2" start-time="Sat Aug 13 17:50:38 2011">
  <card-source uuid="5f97bfac-c5cc-11e0-8dae-49049a1ce201">
    <card-source>wlan0:name=intel,hop=false,channel=11</card-source>
    <card-name>intel</card-name>
    <card-interface>wlan0</card-interface>
    <card-type>mac80211</card-type>
    <card-packets>12687</card-packets>
    <card-hop>false</card-hop>
    <card-channels>1,5,9,13,2,6,10,3,7,11,4,8,12</card-channels>
  </card-source>

This part of xml informs about the card interface, name of the card and channel used

Figure 3.5 Card type information in .netxml file

This part of the XML gives the information about the wireless card of the computer running Kismet. In this case, wlan0 is the card interface and intel is the card name. The other information about the NIC is shown in figure 3.5.

2. List of wireless networks

<wireless-network number="1" type="data" first-time="Sat Aug 13 17:54:44 2011" last-time="Sat Aug 13 17:54:44 2011">
  <BSSID>00:15:6D:A6:DA:9C</BSSID>
  <manuf>UbiquitiNe</manuf>
  <channel>0</channel>
  <freqmhz>0 1</freqmhz>
  <maxseenrate>0</maxseenrate>
  <packets>
    <LLC>0</LLC>
    <data>1</data>
    <crypt>0</crypt>
    <total>1</total>
    <fragments>0</fragments>
    <retries>0</retries>
  </packets>
  <datasize>78</datasize>
  <bsstimestamp>0</bsstimestamp>
  <cdp-device></cdp-device>
  <cdp-portid></cdp-portid>
  <seen-card>
    <seen-uuid>5f97bfac-c5cc-11e0-8dae-49049a1ce201</seen-uuid>
    <seen-time>Sat Aug 13 17:54:44 2011</seen-time>
    <seen-packets>1</seen-packets>
  </seen-card>

List of Wireless networks example

Figure 3.6 Wireless network information in .netxml file


This part of the XML gives information about the list of wireless networks being captured by Kismet, with the date and time of capture. It also provides information such as the BSSID and UUID of the network, whether the network is encrypted or not, etc.

3. List of wireless clients connected

  <wireless-client number="1" type="fromds" first-time="Sat Aug 13 17:54:44 2011" last-time="Sat Aug 13 17:54:44 2011">
    <client-mac>00:19:99:36:18:26</client-mac>
    <client-manuf>FujitsuTec</client-manuf>
    <channel>0</channel>
    <freqmhz>0 1</freqmhz>
    <maxseenrate>0</maxseenrate>
    <packets>
      <LLC>0</LLC>
      <data>1</data>
      <crypt>0</crypt>
      <total>1</total>
      <fragments>0</fragments>
      <retries>0</retries>
    </packets>
    <datasize>78</datasize>
    <ip-address type="ARP">
      <ip-block>172.16.3.1</ip-block>
      <ip-netmask>0.0.0.0</ip-netmask>
      <ip-gateway>0.0.0.0</ip-gateway>
    </ip-address>
    <seen-card>
      <seen-uuid>5f97bfac-c5cc-11e0-8dae-49049a1ce201</seen-uuid>
      <seen-time>Sat Aug 13 17:54:44 2011</seen-time>
      <seen-packets>1</seen-packets>
    </seen-card>
  </wireless-client>
</wireless-network>
</detection-run>

Indicating the Wireless Client connected to the network

Mac Address of the client

Figure 3.7 Wireless client information in .netxml file

This part of the XML is of main interest for the application. It gives the list of wireless clients connected to the network.

As shown in figure 3.7, wireless client number 1 is connected to wireless network number 1. There can be many wireless clients connected to wireless network 1. The second highlighted part of the XML displays the MAC address of the wireless client connected to the network. This MAC address is of great interest from the point of view of detecting a new device connected to the network.

3.2.3. Wireshark

Kismet while capturing the packets also generates a “.pcapdump” file. This .pcapdump file

contains the raw packets captured from the network. The information present in .pcapdump file

is not in a readable format. This file is opened using Wireshark to analyze the data. Wireshark is

used to filter the .pcapdump file and show the packet contents.


The diagram below shows a screenshot of the .pcapdump file opened in Wireshark.

Figure 3.8 Wireshark filtering .pcapdump file

Wireshark is used to filter only the HTTP and TCP protocols by using a display filter. After filtering, the file is saved as a .pcap file. This .pcap file obtained from Wireshark is converted into a .txt file using tshark.

The following command is used to convert the .pcap file into a .txt file:

C:\>"c:\program files\wireshark\tshark.exe" -r "C:\Kismet-20110811-21-53-10-1.pcap" > "c:\studentlogs.txt"

All the above development tools can be summarized as the main building blocks of the online test monitoring tool. The diagram shown in figure 3.10 summarizes how the tool is structured to generate and read the log files.

With the help of sniffing tools like Kismet and Wireshark, the .netxml and .txt files are generated. These files are then parsed using a SAX parser and a file reader written in Java. The MAC address is obtained by parsing the .netxml file, and the websites visited by each IP address are obtained from the .txt file. Both are then stored in a MySQL database.


Figure 3.9 Online test monitoring development tools

When students log in to the online test, their IP address and MAC address, along with the username, are also stored in a MySQL database. The values stored in the MySQL database are then fetched by the Android application to display the useful information to the tutor. This information includes notifying the tutor about any new device connecting to the network and the list of websites visited by each student other than the ones recommended by the tutor.

[Figure 3.9 block labels: Sniffing Tools, PHP pages, Android App, Java Technology, Technology]


3.3. User Requirements

This section discusses the research method used to evaluate the user interface design. A study was conducted in the form of interviews to collect the features desired by users. The participants were chosen keeping in mind the usability of the tool. As this tool monitors cheating during an online test, the immediate users identified were the system administrator, students and the professor. Six students, one system administrator and one professor were interviewed. The interviews gave many useful inputs that helped to improve the design layout.

System Administrator:

The participant was the system administrator of University of Nottingham. He is responsible for

setting up the online exams for various modules like programming. Online test in this university

does not allow internet access. It was observed that system administrator has to ensure the

confinement of the system in order to ensure that students are unable to access any external

information.

Student:

The participants in this category were excited to get an online test system with Internet access. They were in agreement with having an online test in which one or two sites are allowed for reference. They argued that the concept of a blacklist of sites introduced in the layout was not a feasible feature, because there are hundreds of sites available and making the professor add all those sites would be an additional overhead.

Professor:

According to this participant, the overall technology used to implement this tool was exciting. He suggested that the log files obtained from Kismet must be presented to the professor after the completion of the test and not in the middle of the test. This will help him to mark the students by referring to the log files obtained at the end.

These interviews helped in introducing few more features to the tool as mentioned below:

Less overhead on system administrator

Introducing the concept of only white listed sites

Presenting the log files to the instructor/tutor after online test is completed


3.4. Software Design

In this section the User Story was created to highlight the functionality of the monitoring

application. Then the system was designed which helped in deciding the architecture of the

application. The application features were then broken into the classes and class diagram was

drawn which will later be used for writing code. The database design for the application was

also studied and an ER diagram was made. Then the layout of the android application was

designed and the various screens were mocked as per the functionality desired.

3.4.1. User story

User story is mostly used for making the just in time analysis of the software. It’s a very high

level definition of the requirement containing basic information about the reasonable estimate

of the efforts required to implement the software.

When an online exam is held in the lab or in the examination hall, the professor will inform students that they are allowed to view only a few sites. To design the system, the following states of the application were considered:

For example, if the Mobile Device Programming test is going on, then students are allowed to visit the site “http://developer.android.com/index.html”.

Students will also be informed that they are being tracked and that if they visit any site other than the Android one, strict action will be taken against them.

The professor will have the mobile application installed on his mobile phone to get notifications from the tool about any such activity by a student.

There will be an online test login system which allows all the students to log in to the system; in the backend, the MAC address and the login ID of the student associated with each computer will be stored in the database.

The sniffing tool Kismet will be running on one of the computers and will track all the activities of students in that network while they are taking the online test.

While the exam is going on, if a student tries to connect to the internet via his/her mobile, the professor will be notified that a new device has connected to the network.

If a student tries to access any site other than the one specified by the professor, the application will log the student name in the log files. The professor will also be notified about such activity by the student.


3.4.2. System Architecture

[Figure 3.10 labels: MySQL Database; Student 1; Student 3; Student 2; Monitoring wireless traffic using Kismet; Online Test Monitoring Tool; Log file received from kismet; Android Application; Laptop]

Figure 3.10 System Architecture

Description: Students will take the exam on their own laptops. They will log in to the online test system provided by the professor, which will store the MAC address and the username of the student in the database. One of the computers in the examination hall will have Kismet installed, which will log every activity of the students and also keep track of new devices connecting to the system. These log files will then be analysed by the designed application for results.


The analysis of log files generated from kismet can be divided into two parts

A. Notifying the tutor about the new devices joining the network

[Figure 3.11 labels: XML File; MySQL; Sending notification to end user; Fetching MAC address from XML; Polling Mac address from database at certain polling interval; Parsing XML file using SAX parser; Laptop running Kismet]

Figure 3.11 MAC address notification

The first part is to notify the professor about any new devices connected to the network while the examination is going on.

This part of the code is implemented as follows.

The computer with Kismet installed will start capturing packets. Kismet generates an .xml file which contains the list of MAC addresses connected to the network.

This .xml file is parsed using a SAX parser, and the MAC addresses retrieved after parsing the XML are stored in a MySQL database.

These MAC addresses are inserted into the database every 5 minutes, so any new MAC address found in the XML is inserted into the database every 5 minutes.

The Android application will then fetch the list of MAC addresses from the database using JSON.

The database will be polled every 5 minutes by a notification scheduler to find new entries inserted into the database.

If a new entry is found, the notification service will notify the professor about the new device joining the network, with its MAC address.
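The new-device check described in the steps above, sketched in Python as an added example; it is not the dissertation's code, which uses a Java SAX parser and MySQL. The second client entry, the `REGISTERED` table and all function names are constructed for illustration, and an in-memory set stands in for the polled MacTable.

```python
"""Added example: SAX-parse a Kismet .netxml log and report unregistered client MACs."""
import io
import re
import xml.sax
import xml.sax.handler

# Constructed sample in the layout of Figures 3.5-3.7; the second client is invented.
SAMPLE_NETXML = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE detection-run SYSTEM "http://kismetwireless.net/kismet-3.1.0.dtd">
<detection-run kismet-version="2011.03.R2" start-time="Sat Aug 13 17:50:38 2011">
<wireless-network number="1" type="data" first-time="Sat Aug 13 17:54:44 2011" last-time="Sat Aug 13 18:02:31 2011">
<BSSID>00:15:6D:A6:DA:9C</BSSID>
<wireless-client number="1" type="fromds" first-time="Sat Aug 13 17:54:44 2011" last-time="Sat Aug 13 17:54:44 2011">
<client-mac>00:19:99:36:18:26</client-mac>
<client-manuf>FujitsuTec</client-manuf>
</wireless-client>
<wireless-client number="2" type="fromds" first-time="Sat Aug 13 18:02:10 2011" last-time="Sat Aug 13 18:02:31 2011">
<client-mac>02:00:00:aa:bb:cc</client-mac>
<client-manuf>Unknown</client-manuf>
</wireless-client>
</wireless-network>
</detection-run>
"""

# Constructed stand-in for the username -> MAC rows captured by the login page.
REGISTERED = {"student01": "00-19-99-36-18-26"}

_MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")


def normalize_mac(text):
    """Return the MAC as upper-case colon-separated hex, or None if malformed."""
    mac = text.strip().upper().replace("-", ":")
    return mac if _MAC_RE.match(mac) else None


class ClientHandler(xml.sax.handler.ContentHandler):
    """Collects one record per <wireless-client>, tagged with the enclosing BSSID."""

    def __init__(self):
        super().__init__()
        self.clients = []
        self._bssid = None
        self._client = None
        self._text = None  # character buffer, active only inside BSSID/client-mac

    def startElement(self, name, attrs):
        if name == "wireless-client":
            self._client = {"bssid": self._bssid,
                            "first_seen": attrs.get("first-time")}
        elif name in ("BSSID", "client-mac"):
            self._text = []

    def characters(self, content):
        # SAX may deliver one text node in several chunks, so buffer them.
        if self._text is not None:
            self._text.append(content)

    def endElement(self, name):
        if name in ("BSSID", "client-mac"):
            mac = normalize_mac("".join(self._text))
            self._text = None
            if name == "BSSID" and self._client is None:
                self._bssid = mac
            elif name == "client-mac" and self._client is not None and mac:
                self._client["mac"] = mac
        elif name == "wireless-client":
            if self._client and "mac" in self._client:
                self.clients.append(self._client)
            self._client = None


def parse_netxml(data):
    """Parse .netxml bytes without fetching the external DTD named in the DOCTYPE."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    handler = ClientHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.clients


def new_devices(clients, registered_macs, notified):
    """One polling pass: clients that are neither registered nor already reported."""
    known = {normalize_mac(m) for m in registered_macs}
    fresh = []
    for client in clients:
        if client["mac"] not in known and client["mac"] not in notified:
            notified.add(client["mac"])
            fresh.append(client)
    return fresh


if __name__ == "__main__":
    already_notified = set()
    for device in new_devices(parse_netxml(SAMPLE_NETXML),
                              REGISTERED.values(), already_notified):
        print("New device", device["mac"], "on", device["bssid"],
              "first seen", device["first_seen"])
```

Normalizing both sides before comparing matters because the login page and Kismet may format the same address differently (case, `-` versus `:`).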


B. Analysing Log files

Figure 3.12 Displaying list of websites accessed by student

In this second part, the aim is to analyze the log files and display the list of student logs. A student log comprises the username and the list of websites visited by each student.

The figure shown above displays the logic behind the analysis of the log files.

The login page of the online test will allow students to log in to the test; in the backend, the details of the students, such as the username, IP address and MAC address of the machine being used, will be stored in a MySQL database.

The JDBC interface is used to make the connection with the MySQL database. Once the driver for the MySQL server is installed, the Java application can communicate with the server and access the database.

This Java class will then fetch all the student details present in the Student table and store them in an array.


The text file obtained from Wireshark is then parsed to fetch the websites corresponding to each IP address. These values are also stored in the MySQL database, in the table named Text.

The Android application will then make a connection to the MySQL server.

In order to fetch data from the MySQL database, a PHP script is used to output the JSON file. The PHP script basically contains the SELECT query “SELECT * FROM Student”.

The Android application then reads the JSON file using BufferedReader and outputs the result.

The result obtained from the database is then displayed in the Android activity using a list view.
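An added example, not the dissertation's code, of the log-analysis step above: each source IP is mapped to a student and only requests outside the whitelist are kept. It assumes the capture was exported as tab-separated fields with `tshark -r <file> -Y http.request -T fields -e ip.src -e http.host -e http.request.uri` rather than the plain text dump used above; the student rows, IP addresses and sample lines are constructed.

```python
"""Added example: flag non-whitelisted HTTP hosts per student from tshark field output."""

MAX_URL = 500  # TextLogs.url is VARCHAR(500) in Table 3.1

# Whitelisted site taken from the user story; the student rows are constructed.
WHITELIST = ["developer.android.com"]
STUDENTS = {"172.16.3.25": "student01", "172.16.3.26": "student02"}

# Constructed sample, one request per line: ip.src <TAB> http.host <TAB> http.request.uri
SAMPLE_TSHARK = (
    "172.16.3.25\tdeveloper.android.com\t/index.html\n"
    "172.16.3.25\tDeveloper.Android.com:80\t/guide/index.html\n"
    "172.16.3.26\tdeveloper.android.com.example.net\t/answers\n"
    "172.16.3.26\tnotdeveloper.android.com\t/\n"
    "172.16.3.26\tnotdeveloper.android.com\t/\n"
    "172.16.3.40\twww.example.org\t/search?q=x\n"
    "172.16.3.25\t\t/\n"
)


def normalize_host(host):
    """Lower-case, drop an optional :port and the trailing dot of an FQDN."""
    host = host.strip().lower()
    if host.count(":") == 1:  # host:port; IPv6 literals are left untouched
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def host_allowed(host, whitelist):
    """Allow an exact match or a true subdomain of a whitelisted name, nothing else.

    A plain substring or suffix test would wrongly accept look-alike names that
    merely contain the whitelisted string, so the match is anchored on a dot.
    """
    host = normalize_host(host)
    if not host:
        return False
    for allowed in whitelist:
        allowed = normalize_host(allowed)
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def violations(lines, students, whitelist):
    """Return {username or 'unregistered:<ip>': [url, ...]} for disallowed requests."""
    report = {}
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 3 or not fields[0]:
            continue  # not a complete request record
        src, host, uri = fields[0], fields[1], fields[2]
        if host_allowed(host, whitelist):
            continue
        # Traffic from an IP that no student logged in with is reported separately.
        who = students.get(src, "unregistered:" + src)
        url = ((normalize_host(host) or "(no Host header)") + uri)[:MAX_URL]
        seen = report.setdefault(who, [])
        if url not in seen:  # keep one entry per distinct URL
            seen.append(url)
    return report


if __name__ == "__main__":
    for user, urls in violations(SAMPLE_TSHARK.splitlines(), STUDENTS, WHITELIST).items():
        print(user)
        for url in urls:
            print("   ", url)
```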


3.4.3. Class Diagram

Figure 3.13 Class Diagram


The figure above shows the overview of the dependency of the various classes in the android

project.

ParseFile.java and ReadFile.java are used for parsing the log files obtained from Kismet and

Wireshark respectively.

The rest of the classes mentioned in the class diagram are part of Android Application described

as follows:

OnlineTestMonitoringActvity: This class is responsible for displaying main screen to the user.

StudentDataActivity: This class is responsible for displaying student details like username, IP

address and MAC address of the machine.

StudentLogsActivity: This class is responsible for displaying the list of usernames caught cheating in the online test.

HelpActivity : This class will display the guidelines to use the application.

DBHelper: This class is responsible for creating database to maintain student data.

AddlistActivity: This class will allow user to add the list of whitelisted site.

NotificationService: This class is responsible for displaying the notification about the new mac

address joining the wireless network.

The classes mentioned above are the main classes of the application.


3.4.4. ER Diagram

In this section the structure of table present in the MySQL database is discussed.

Figure 3.14 Entity Relationship Diagram

Figure 3.18 shows the entity relationship diagram of the tables present in online test database.

Detailed description of each table is shown in the table below:

| Entity Name | Attributes | Data Type | Size | Description |
|---|---|---|---|---|
| Users | user_id, username, user_password, user_regdate | INTEGER, VARCHAR, VARCHAR, INTEGER | 11, 30, 40, 11 | Primary key for user identification |
| MacTable | ID, mac_address | INTEGER, VARCHAR | 11, 40 | Primary key of MacTable |
| StudentDetails | username, ID, ip_address, mac_address | VARCHAR, INTEGER, VARCHAR, VARCHAR | 40, 40, 40, 40 | Primary key for student identification |
| TextLogs | ID, username, ip_address, url | INTEGER, VARCHAR, VARCHAR, VARCHAR | 11, 40, 40, 500 | Primary key to identify each user; Foreign key to StudentDetails |

Table 3.1 Logical data design specification for the database

3.4.5. UI layout for the mobile application

The screens shown below have been designed to make the application simple and interactive.

Screen 1 is the menu screen of the online test monitoring tool. It comprises the following four functionalities.

Figure 3.15 Screen 1 & Screen 2

1. Add List Of Sites: This section allows the tutor to add the list of blacklisted and whitelisted sites.
2. Student’s Data: This section allows the user to see the list of students taking the test along with their ID, IP address and MAC address.
3. Student Logs: This section allows the tutor to view the list of websites viewed by each student.
4. Help: This section has the information about how to use the application.

Screen 2 is opened when the user clicks on the “Add List Of Sites” button. It allows the user to add the whitelisted and blacklisted sites.

Figure 3.16 Screen 3 & Screen 4

Screen 3 is opened on clicking Add Whitelisted sites. The user can enter the list of whitelisted sites and click on the submit button. This adds the list of whitelisted sites to the database.

Screen 4 is opened on clicking Add Blacklisted sites. The user can add the blacklisted sites and click on the submit button to add the list to the database.

Figure 3.17 Screen 5

Screen 5 is displayed when the user clicks on the Student Logs icon in the main menu. This screen displays the usernames of the students who were cheating in the exam.

Figure 3.18 Screen 6 & Screen 7

Screen 6 is displayed when the user clicks on one particular username, e.g. pxs00m. This screen gives the list of sites visited by the student while taking the online test.

Screen 7 is opened on clicking the Help button in the main menu. This screen displays all the information about using the tool.

3.5. Summary

This section discussed the features and properties of sniffing tools such as Kismet and Wireshark for obtaining useful data related to an online test. The study conducted in the form of interviews shows how the features of the tool were decided. Finally, different software design techniques were used to find out the challenges that may be encountered while developing the software.

Chapter 4 - Implementation

4. Introduction

This section of the report discusses the implementation of the application developed. The basic functionality of each class is discussed in this chapter. The steps of implementation are:

1. Kismet was installed and configured on one of the systems. It was started to capture the packets flowing in the network.
2. The students were then allowed to join the network and log in to the test server.
3. After login, the students were given instructions to use only a few sites.
4. The test began and the application started recording all the data.
5. The XML files generated were parsed to generate reports.

The various packages used in the project are described as follows:

4.1. Parsing files Package

This package contains the main program for parsing the files. A class-by-class description is

given for all the files in the parser package as follows:

4.1.1. ParseNetXmlFile

This class resides under the package named com.pxs00m.parsefile. The .netxml file generated by Kismet in real time is parsed by this class. The main functionality of this class is as follows:

1. Parse the .netxml file and extract the MAC addresses from it
2. Connect to the MySQL database “OnlineTest”
3. Insert the MAC addresses obtained after parsing into the table “MacTable”
4. Avoid duplication of data while inserting

Explanation:

The .netxml file obtained from Kismet contains a node element called client-mac, which holds the MAC address of a wireless client connected to the network. The function getMacAddress() returns the list of MAC addresses in the form of a string array.

The .netxml file is parsed using a SAX parser that reads the XML formatted data into Java objects.

A SAX parser is used because it has a smaller code size and executable memory footprint compared to a DOM parser. It also uses an event-driven mechanism for processing the XML file, which means it does not need to load the entire XML tree into memory, and the XML is parsed in sequential order (Choi, Hong, & Ju, 2003). An example of parsing is shown below:

    import java.io.File;
    import java.util.ArrayList;
    import javax.xml.parsers.DocumentBuilder;
    import javax.xml.parsers.DocumentBuilderFactory;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.w3c.dom.Node;
    import org.w3c.dom.NodeList;

    // Collects every MAC address found in the file (created once, before the loop)
    public ArrayList<String> db_results_xml = new ArrayList<String>();

    // File path that needs to be parsed
    DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
    DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
    Document doc = docBuilder.parse(new File("Kismet-20110813-22-55-38-1.netxml"));

    // normalize text representation
    doc.getDocumentElement().normalize();
    System.out.println("Root element of the doc is " + doc.getDocumentElement().getNodeName());

    // Fetching total number of wireless clients connected
    NodeList listOfMac = doc.getElementsByTagName("wireless-client");
    int totalMacAddress = listOfMac.getLength();
    System.out.println("Total no of MAC Address : " + totalMacAddress);

    for (int s = 0; s < totalMacAddress; s++) {
        Node firstPersonNode = listOfMac.item(s);
        if (firstPersonNode.getNodeType() == Node.ELEMENT_NODE) {
            Element firstPersonElement = (Element) firstPersonNode;
            // Fetching the MAC address of the wireless client, e.g. 00-B0-D0-86-BB-F7
            NodeList firstNameList = firstPersonElement.getElementsByTagName("client-mac");
            if (firstNameList.getLength() > 0) {
                Element firstNameElement = (Element) firstNameList.item(0);
                String nodeValue = firstNameElement.getTextContent().trim();
                db_results_xml.add(nodeValue);
            }
        }
    }

Figure 4.1 SAXParser code

The second method of the class, getConnection(), connects to the MySQL database using the JDBC interface.

Once the connection is established, the list of MAC addresses stored in an array is inserted into the MySQL database table named “mactable” using a PreparedStatement.

Figure 4.2 MacTable attributes (MacTable: PK ID; mac_address)

Since the file is parsed in real time, parsing the file, connecting to the database and inserting into the database are run in a thread. The file is parsed every 5000 milliseconds to see if a new MAC address has joined the wireless network. This new address needs to be inserted into the database. A “for” loop is used in the run() method to perform all the necessary functions.

There is a chance that the same list of MAC addresses is inserted into the database more than once. This is not desired, as we need to insert only when a new MAC address is obtained from the file. This was handled by comparing the list of MAC addresses obtained from parsing the XML file with the list in the database.

The list of MAC addresses obtained after parsing the .netxml file is stored in an array String file_array[] and the list of MAC addresses obtained from the database is stored in String database_array[]. Every element of database_array[] is then compared with file_array[] and removed from it. Now file_array[] is either empty, if no new device has joined the network, or contains the list of all the new MAC addresses that have joined the network. These new MAC addresses are then inserted into the database. The insert query is executed only when the size of file_array[] is greater than zero, which means that only new entries, if any, are inserted into the database.

The screen shot of the output is as shown below:

Figure 4.3 Output of ParseFile showing list of Mac address obtained

Finally, the new addresses fetched by the application are notified to the user.
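The ParseNetXmlFile steps (parse the .netxml file, compare against what is already stored, keep only the new addresses) are sketched below as an added Java example that is not the dissertation's code; it also sets up DocumentBuilderFactory so that the DOCTYPE in the log cannot trigger DTD fetches or external entity expansion, and it normalises MAC notation before comparing. The class and method names, the sample XML with its placeholder DTD URL, and the stored row are assumptions constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class NewMacCheck {

    // Constructed sample shaped like a Kismet .netxml log (not a real capture).
    // The DOCTYPE with a remote DTD is an assumption; the URL is a placeholder.
    static final String SAMPLE_NETXML = String.join("\n",
        "<?xml version=\"1.0\"?>",
        "<!DOCTYPE detection-run SYSTEM \"http://dtd.example.invalid/netxml.dtd\">",
        "<detection-run>",
        "  <wireless-network>",
        "    <wireless-client><client-mac>00:B0:D0:86:BB:F7</client-mac></wireless-client>",
        "    <wireless-client><client-mac>00:1a:2b:3c:4d:5e</client-mac></wireless-client>",
        "    <wireless-client><client-mac>00:1A:2B:3C:4D:5E</client-mac></wireless-client>",
        "    <wireless-client><client-mac>not-a-mac</client-mac></wireless-client>",
        "  </wireless-network>",
        "</detection-run>");

    // The file keeps its DOCTYPE, so DTD loading and external entities are
    // switched off instead of rejecting DOCTYPE declarations altogether.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Canonical form AA:BB:CC:DD:EE:FF; returns null for anything that is not a MAC.
    static String normalise(String raw) {
        String mac = raw.trim().toUpperCase(Locale.ROOT).replace('-', ':');
        return mac.matches("([0-9A-F]{2}:){5}[0-9A-F]{2}") ? mac : null;
    }

    // Every valid, distinct client-mac value in the document, in file order.
    static Set<String> macsInFile(byte[] netxml) throws Exception {
        Document doc = hardenedBuilder().parse(new ByteArrayInputStream(netxml));
        NodeList nodes = doc.getElementsByTagName("client-mac");
        Set<String> macs = new LinkedHashSet<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            String mac = normalise(nodes.item(i).getTextContent());
            if (mac != null) {
                macs.add(mac);
            }
        }
        return macs;
    }

    // file_array minus database_array: what is left is new and needs an INSERT.
    static Set<String> newMacs(Set<String> fromFile, List<String> storedRows) {
        Set<String> fresh = new LinkedHashSet<>(fromFile);
        for (String row : storedRows) {
            String mac = normalise(row);
            if (mac != null) {
                fresh.remove(mac);
            }
        }
        return fresh;
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the rows already in MacTable (constructed; note the dashes).
        List<String> stored = Arrays.asList("00-b0-d0-86-bb-f7");
        Set<String> inFile = macsInFile(SAMPLE_NETXML.getBytes(StandardCharsets.UTF_8));
        System.out.println("In file : " + inFile);
        System.out.println("New     : " + newMacs(inFile, stored));
    }
}
```

Comparing normalised values means 00-B0-D0-86-BB-F7 and 00:b0:d0:86:bb:f7 count as one device, whereas a plain string comparison of the two arrays would treat them as different and insert the device twice.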

4.1.2. ReadFile

This class resides under the package named com.pxs00m.readfile.

Wireshark filters the .pcapdump file generated by Kismet and produces a text file. The class ReadFile is used to read this text file. The main functionalities of this class are as follows:

1. Read the IP address and the URL from the text file
2. Fetch the username of the student based on the IP address
3. Insert all the information into the MySQL database

Explanation:

The very first function of the class, readFile(), reads the file using standard Java classes such as FileInputStream, DataInputStream, BufferedReader and InputStreamReader.

A List and a HashMap are used to store the data obtained from the text file. The main purpose of reading the file is to get the IP addresses and the URLs corresponding to each IP address. The study of the text file from Wireshark shows that only the lines containing the “GET” keyword give information about the website being viewed by a student.

So, using the readLine() function, the lines containing the GET keyword are extracted. After these lines are extracted, the split() function is used to extract the IP address and the URL. The IP address and URL are then stored in a HashMap. Then, using an Iterator, the IP address is stored in a string like this:

    String IPAddress = iterator.next().toString();

while the URLs are stored in the form of a list corresponding to the IP address as follows:

    List<String> url = (List<String>) map.get(IPAddress);

It extracts the URLs of only those IP addresses that are present in the StudentDetails table. The list of IP addresses is fetched by making a connection to the database, and this list is compared with the list of IP addresses obtained from the text file. Only the lists of URLs corresponding to the IP addresses found in the database are considered.

The list of IP addresses obtained from the database is stored in an array Ip_address_array[]. The list of IP addresses obtained from reading the text file is stored in an array Ip_address_text[]. The following piece of code finds the IP addresses common to both arrays and extracts the URLs.

Figure 4.4 New array having list of student’s IP address

This is how only the URLs for the IP addresses of the students taking the online test are fetched from the text file.

The screenshot of output is as shown in figure:

Figure 4.5 Output obtained from ReadFile

Now the function named insertIntoDatabase() will insert the following values in the table

named “TextLogs”:

username, ip_address and url.

The relationship of two tables is as shown below:

StudentDetails: PK username; ID, ip_address, mac_address

TextLogs: PK ID; FK1 username; ip_address, url

Figure 4.6 Relationship between StudentDetails and TextLogs table

username is the foreign key of the TextLogs table and is related to the username field of the StudentDetails table. The username is inserted into the TextLogs table by executing the query below.

    INSERT INTO TextLogs (ID, username, ip_address, url) VALUES (ID, username, ip_address, url);

The username is obtained by executing the following query:

    SELECT username FROM StudentDetails WHERE ip_address = 'IPAddress';

The rest of the fields, ip_address and url, are obtained by reading the text file as mentioned in the ReadFile section above.

All the attributes are inserted into the TextLogs table using a PreparedStatement.

The challenging part of this particular class is fetching the list of URLs for a particular IP address based on the keyword GET. The two packages above show how to parse the files and extract data as per the requirements.

The next section gives detailed information on the challenges involved in displaying this data to a user with a tablet or an Android phone.

4.2. Online Test Monitoring Tool Package

4.2.1. Activities package

The online test monitoring tool is an Android application designed for Android smartphones. The Android application consists of many activities, and the com.pxs00m.activities package comprises the activity classes listed below:

1. OnlineTestMonitoringActvity

This is the main activity, which is responsible for displaying the main menu of the Online Test Monitoring Tool to the user. It includes four basic icons – Add List of sites, Student Data, Student Logs & Help.

This activity is also responsible for triggering the NotificationService, using an Intent, as soon as the activity starts. This allows the user to get a notification whenever a new wireless client joins the network.

The screen of the main menu is shown in the figure.

Figure 4.7 Main menu screen

2. HelpActivity

This activity displays the Help screen to new users. It provides help with most of the basic steps that need to be carried out when this application is used. The information displayed in the help screen is extracted from a text file stored in the res folder of the Android project.

Figure 4.8 Help Screen

3. AddListOfSitesActivity

This activity is responsible for displaying the menu for the list of sites. The user can click on any of the buttons to perform the desired operation. The buttons are self-explanatory, e.g. when the user clicks on Add list of Whitelisted sites, the user can add the list of sites that students are allowed to view, and likewise for the other button.

Figure 4.9 Adding list of sites screen

4. AddWhitelistedSitesActivity

The main functionality of this activity class is to allow the user to add whitelisted sites. These whitelisted sites are then stored in the Whitelisted sites table of the SQLite database named “OnlineTest”. The data stored in the table is later used to display the list of students who were using sites other than the whitelisted sites.

Below is the screenshot showing how whitelisted sites can be added:

Figure 4.10 Add white listed sites screen

5. ViewWhitelistedSitesActivity

This particular activity displays the list of whitelisted sites added by the user.

The main functionalities of this class are as follows:

1. Display list in the form of ListView –

This function is implemented using the ListView in the layout. The Whitelisted table is queried to fetch the list of all the whitelisted sites inserted by the user, and the result is stored in an array. The list is then displayed through the setAdapter function, which sets the data in the ListView on the UI. It produces a view representing the list of all whitelisted sites in the data set.

Figure 4.11 View Whitelist site

The default layout provided by Android is used in the adapter:

    android.R.layout.simple_list_item_1

2. Allow user to delete a particular site if needed –

This functionality is achieved by using the setOnItemClickListener method. This method is called when an item in the AdapterView is clicked. On click of an item, an alert dialogue box is displayed to the user. This dialogue box asks the user whether he/she wants to delete the record. If yes is clicked, the delete query is executed to delete that particular record from the database.

Figure 4.12 Alert dialogue box to delete selected site

6. StudentDataActivity

This activity is responsible for fetching student details from the StudentDetails table and displaying the list to the user in the form of a ListView. The main challenge in displaying the information was to establish a connection with the MySQL database.

Figure 4.13 Student data

An Android application cannot connect directly to a MySQL database. So, to establish the connection, a simple web service is created that sends the request to the MySQL database and gets the response via the web service. This can be achieved by writing a PHP script as a web service which

will run on the same server where the database is stored. In our case it is an Apache server. The data obtained from the PHP script is stored in JSON format. An example of the PHP script used to query the StudentDetails table present in the MySQL database is shown below:

Figure 4.14 Php script for android application to fetch data from MySql

This PHP script manages the content obtained from the database. The getConnection() method is responsible for executing the PHP script shown in the figure.

The main problem encountered while making the connection is that the HttpPost class in the code below does not accept “http://localhost”. Even if the server is running along with the Android SDK on the same machine and the same wireless network, it cannot connect to the Apache server. So, we need to write the IP address of the machine instead of “http://localhost”. The code shown below establishes the connection with the MySQL database.

Figure 4.15 Android application establishing connection to MySql database

The highlighted text in the code above makes the connection to the MySQL database. An InputStream is used to get the data fetched by HttpEntity, which is encoded in JSON format. Using BufferedReader and StringBuilder, the output of the SQL query is stored in a JSONArray. Then

the username, ip_address and MAC address are fetched and displayed on the screen using a ListView.

7. StudentLogsActivity

This is a very important activity of the online test monitoring tool. This class is responsible for displaying the list of students and the corresponding URLs accessed by them while taking the online test.

The main functionalities of this class are as follows:

1. Establishing connection with MySQL database –

The connection to the MySQL database is established in a similar way to that discussed in the StudentDataActivity class, but this time data is fetched from the table ‘TextLogs’.

2. Storing data obtained from external data to the SQLite database –

The data obtained from the JSONArray is stored in the internal table named Logs. The reason for storing it in the internal database is that it is easier to query. This class displays only the list of students’ usernames. When the user clicks on one particular username, the user is routed to another activity named ListofSitesActivity using an Intent. The username clicked by the user is stored in the intent using the putExtra("username", username) method.

3. Preventing duplication of data –

Every time the user clicks on the Student Logs icon, the data is inserted into the internal database. To avoid this duplication of data, logic similar to that discussed in section 4.1.1 is applied. If the array of the internal database is equal to the array of the external database, then the internal database is emptied. The insert query is executed only when the size of the array of the internal database is greater than zero.

Figure 4.16 Screen displaying list of students detected cheating

8. ListofSitesActivity

This class is responsible for displaying the list of websites visited by a student. The value of username passed from the StudentLogsActivity class using putExtra() is fetched in this class as a Bundle through the getIntent().getExtras() function. Based on this username, the internal database named Logs is queried for the list of URLs. The advantage of storing data

obtained from MySQL in the internal database is that there is no need to make the connection multiple times.

Figure 4.17 List of websites viewed by student

4.2.2. Services package

The com.pxs00m.services package comprises the activity classes listed below.

1. NotificationScheduler

This class is responsible for scheduling the alarm that runs the NotificationService at a particular interval. The main functionality of this class is to allow the NotificationService to poll the database at a certain interval. The scheduleAlarm() method is used to set the polling interval. In this method AlarmManager sets the repeating alarm by running ALARM_SERVICE in the background.

The assumption is that if the online test is held for an hour, the polling interval is set to 5 minutes. That means the NotificationService polls the MySQL database for a new MAC address every 5 minutes.

2. NotificationService

This class is responsible for notifying the user about a new MAC address joining the wireless network.

The main functionality of this class is as follows:

1. Making the connection to the MySQL database
2. Notifying the user about the new MAC address.

The connection to the MySQL database is made in a similar way to that described for the StudentDataActivity class, using a PHP script. The only difference is the PHP script. In the script, the table named “mactable” is queried to fetch the list of MAC addresses. Now, the

notification is sent to the user by this class only when a new MAC address joins the network. The notification is shown below:

Figure 4.18 Notification of new device joining the wireless network

4.2.3. Database helper package

The com.pxs00m.dbhelper package comprises the class listed below.

DBHelper

The main functionality of this class is to create the database and tables. It creates a database named OnlineTest and creates 2 tables (WhitelistSite, Logs). The attributes of each table are shown in the table below.

| Entity Name | Attributes | Data Type | Size | Description |
|---|---|---|---|---|
| WhitelistSite | ID, sitename | INTEGER, VARCHAR, VARCHAR, INTEGER | 11, 30, 40, 11 | Primary key for sitename identification. |
| Logs | username, ID, ip_address, mac_address | VARCHAR, INTEGER, VARCHAR, VARCHAR | 40, 40, 40, 40 | Primary key for user identification. |

Table 4.1 Logical data representation of database

4.3. PHP Script

The online test framework designed for students has a login feature in its interface. The main role of this online test is to get the MAC address and IP address associated with each student’s username. This is achieved by retrieving the IP address and MAC address from the backend when the student logs in to the test. The screenshot of the login page is shown below. It retrieves the required information along with the username of the student. The rest of the pages of the online test, including the quiz, are similar to an ordinary online test conducted in any educational system. The code for the online test created by Skudaev (2005) was used to test the online test

monitoring application. The login page was modified to embed the code for getting the IP address and MAC address of the student’s machine. The screenshots of the login screen and home page are shown in figures 4.19 and 4.20. The main purpose of using the online exam quiz was to test the application by answering a few of the questions without referring to the internet while answering some of them by using the internet.

Figure 4.19 Login screen of Computer security online test

Figure 4.20 Home page of online test

4.4. Packet analysis using wireshark

This part of the section focuses on the various experiments done for the software developed. A few tests were conducted to see how the data is displayed. The main screen of this software is the list of websites viewed by a student while taking the online test.

The capturing of data is done in a step-by-step manner to analyze the data obtained from the log file.

Test 1: In this test case, data is captured by surfing a few websites in the browser to see how the packets are captured and then represented in the form of a text file.

Wireshark is used to collect data, using wlan0 to sniff the machine's own packets and analyze them. Wireshark captures data by placing the NIC card in promiscuous mode (Orebaugh et al., 2007). The capture options screen is shown in the figure below:

Figure 4.21 Capture options screen

It is observed that the capture contains all protocols, such as HTTP, TCP, DNS and ARP.

Figure 4.22 Wireshark screen displaying all protocols

In this particular file, the only protocol of main interest for analysis is HTTP. So, in order to simplify the analysis of the data captured by Wireshark, we use a display filter. But a display filter only changes which packets are shown. When this capture is saved, all the packets are saved, even if only HTTP data is displayed.

Figure 4.23 Using display filter to get only HTTP protocol

There is a difference between a display filter and a capture filter. To capture and save only HTTP-related packets, we need to create a capture filter.

The capture filter is shown in the screenshot below:

Figure 4.24 Creating new capture filter

Figure 4.25 Selecting the new capture filter defined

After the capture filter is selected, only the HTTP packets, which are of main interest for the analysis of cheating, are captured while sniffing. The captured packets are then saved as a .pcap file and converted into a text file using the command below.

    C:\>"c:\program files\wireshark\tshark.exe" -r "C:\TestCase.pcapdump">"c:\test.txt"

The analyzed text file shows that the lines with the “GET” keyword give the main websites the user has requested. GET is the response to a particular website requested by the user, while POST means requesting particular data. In order to track the particular website accessed by the user, we look for the GET keyword.

The result in the Android application after parsing this particular file is shown in the figure.

Figure 4.26 Output after parsing .txt file

Test 2: This test case tests the type of URL displayed while the online test is running in the browser. The interface used is the same as the one discussed in test case 1, i.e. wlan0.

The packets obtained after capturing are shown in the screenshot below:

Figure 4.27 No localhost url observed

As we can see, no URLs related to the online test are captured. This is because localhost packets cannot be captured using the interface named wlan0. To capture localhost packets, we need to use the loopback interface.

Test 3: This test case is used to capture the localhost packets of the online test running in the browser. To achieve this, the loopback (lo) interface is used in Wireshark. The screenshot is shown below.

Figure 4.28 Using lo interface to capture localhost packets

The only drawback of using loopback is that the rest of the HTTP traffic is not captured.

Figure 4.29 Local host packets captured using lo interface

Test 4: This part of the test will analyse the packets for online test by typing the IP address in

the browser (http://10.50.10.160/exam/index.php) for running the online test. The packets are

captured again using wlan0. The packets captured are as shown in the figure.

Figure 4.30 Using IP address to capture online test url

Test 5: In this test, the online test website is opened in the browser. While taking this test, a few of the questions are answered by searching on the internet.

The captured packets and the resulting file are shown below:

Figure 4.31 The result of log files obtained while giving online test and visiting other sites (annotations in the figure, in order: No Cheating detected; Cheating detected; No Cheating detected; No Cheating detected)

It is observed that a huge amount of traffic flows before one particular answer is submitted. The POST URL is observed at the line “/exam/index.php?boxaction=quiz1 HTTP 1.1”. There are also many lines containing the “GET” keyword in the middle. The answer is then submitted, which can be observed at this line:

“POST http://10.50.10.160/exam/index.php?boxaction=savegrade HTTP 1.1”

If some of the questions are answered without searching the internet, this can be observed by finding no GET keywords between two POST keywords having the URL http://10.50.10.160/exam/index.php?boxaction=savegrade.
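The rule described above, as an added Python example (not the dissertation's ReadFile.java): requests are grouped per client, and each answer submission is judged by the hosts contacted since the previous POST to the exam server. The tab-separated line layout, the client IPs and the username mapping are assumptions made for the example; it also generalizes the rule by ignoring whitelisted hosts and by counting requests of any method to other hosts.

```python
from collections import defaultdict

EXAM_HOST = "10.50.10.160"             # exam server address used in Test 4
SUBMIT_MARKER = "boxaction=savegrade"  # URI fragment of an answer submission

# Constructed sample, not taken from the dissertation's logs. Assumed layout:
# one HTTP request per line, tab-separated as source IP, method, Host, URI.
SAMPLE_LOG = """\
10.50.10.21\tPOST\t10.50.10.160\t/exam/index.php?boxaction=quiz1
10.50.10.21\tGET\t10.50.10.160\t/exam/style.css
10.50.10.21\tPOST\t10.50.10.160\t/exam/index.php?boxaction=savegrade
10.50.10.21\tGET\twww.google.co.uk\t/search?q=example
10.50.10.21\tGET\twww.android.com\t/index.html
10.50.10.21\tPOST\t10.50.10.160\t/exam/index.php?boxaction=savegrade
10.50.10.22\tPOST\t10.50.10.160\t/exam/index.php?boxaction=quiz1
10.50.10.22\tGET\twww.android.com\t/index.html
10.50.10.22\tPOST\t10.50.10.160\t/exam/index.php?boxaction=savegrade
malformed line without tabs
"""


def parse_requests(text):
    """Yield (src_ip, method, host, uri); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        src, method, host, uri = (p.strip() for p in parts)
        if method.upper() in ("GET", "POST"):
            yield src, method.upper(), host.lower(), uri


def review_answers(text, whitelist, exam_host=EXAM_HOST):
    """Return {src_ip: [verdict per submitted answer]}.

    A verdict is the sorted list of off-whitelist hosts requested since the
    previous POST to the exam server; an empty list means no cheating detected.
    """
    allowed = {h.lower() for h in whitelist} | {exam_host}
    pending = defaultdict(set)   # hosts seen since the last exam POST, per client
    verdicts = defaultdict(list)
    for src, method, host, uri in parse_requests(text):
        if method == "POST" and host == exam_host:
            # Any POST to the exam server closes the window; only a
            # savegrade POST counts as a submitted answer.
            if SUBMIT_MARKER in uri:
                verdicts[src].append(sorted(pending[src]))
            pending[src].clear()
        elif host not in allowed:
            pending[src].add(host)
    return dict(verdicts)


def flagged_students(verdicts, ip_to_user):
    """Map each username to the off-whitelist hosts seen across its answers."""
    flagged = {}
    for src, answers in verdicts.items():
        hosts = sorted({h for answer in answers for h in answer})
        if hosts:
            flagged[ip_to_user.get(src, src)] = hosts
    return flagged


if __name__ == "__main__":
    result = review_answers(SAMPLE_LOG, ["www.android.com"])
    # The IP-to-username mapping is constructed for the demo.
    print(flagged_students(result, {"10.50.10.21": "kismet16"}))
```
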

The final output, seen by clicking on the student logs icon in the Online Test Monitoring Tool Android application, is as follows:

Figure 4.32 List of student’s cheating in test

Figure 4.33 List of websites visited by student

As seen in the figure, when we click on the username kismet16, we can observe the list of websites accessed by the student kismet16. The examination URL can be seen at serial number 7, and the URL at serial number 9 indicates that the student started cheating by opening the google.co.uk site.

The other important result obtained from this tool is the notification given to the instructor about a new device joining the network. This notification helps the tutor to detect whether someone in the examination hall is trying to cheat. It can be either a student trying to connect to the internet using a mobile device or any other external device.

The screen shot of the notification is shown below:

Figure 4.34 Notification screen

The table below summarizes the final results achieved by performing the various test cases.

| Test case | Description | Analysis of results | Steps to achieve better result |
|---|---|---|---|
| 1 | Analyzing packets captured by normally surfing few websites | All the protocols were observed in the wireshark window. The name of website being accessed was observed in HTTP protocol. | Create capture filter to capture only HTTP protocol. |
| 2 | Analyzing packets by opening online test in browser | No packets observed related to the online test. | Use lo interface to capture local host packets. |
| 3 | Analyzing packets by using lo interface | Only local host websites were observed. | Use wlan0 interface. Write IP address instead of local host to see packets other than local host. |
| 4 | Analyzing packets by using IP address to open online test | Online test url were observed along with the IP address. | Create another test case to observe both online test url and other website accessed. |
| 5 | Analyzing packets by opening online test and other websites while answering the test | Online test url and other websites accessed to answer the question were observed. | |

Table 4.2 Summary of the test cases

4.5. Summary

This chapter describes the basic functionality of each class in detail. The main motive of the whole system is to analyze the log files and present them to the tutor in a very simplified format. The log files must be able to show the amount of data traffic flowing before one particular answer is submitted. The log file analysis is described in detail, using various steps to get the actual output.

Chapter 5- Testing and Evaluation

5. Introduction

This section of the report describes the different test cases implemented to test the software developed. A lab experiment is also proposed for further analysis of the tool.

5.1. Testing Android Application

5.1.1. Student Details Icon

To verify that the list of students taking the online test is displayed on this icon.

Steps

1. Start apache server

2. Open the online test url as mentioned: http://localhost:8080/onlineexam/login.php

3. Use userid as kismet 12 and password as root

4. Once login is done, run the android application

5. Click on student details icon

Output

The output screen is as displayed in the screen shot below:

Figure 5.1 Output for Student Data icon

The screen above shows the userid of the student and the IP address and MAC address of the machine on which the student is taking the online test.

5.1.2. View Whitelist site

The list of whitelist sites entered by the user is verified using this screen.

Steps

1. Run the android application

2. Click on Add list icon from the main menu

3. Add the list of whitelist sites, e.g. www.android.com

4. Click on View Whitelist sites

Output

The output screen is as displayed in the screen shot below:

Figure 5.2 Output for Add list Icon

The screen shot below shows the whitelist site entered by user.

5.1.3. Delete Whitelist site

The list of whitelist sites deleted by user is verified in this section.

Steps

1. Click on Add list icon

2. Click on view whitelist site

3. Click on the whitelist site displayed, one pop up will be displayed

4. Click on Yes

5. Again click on view whitelist site

Output

The output screen is as displayed in the screen shot below:

Figure 5.3 Output screen after deleting the whitelist site

The screen shot shows that the whitelist site is deleted from the database.

5.1.4. Student Logs Icon

To check whether the list of usernames accessing illegal sites is displayed on the student logs screen.

Steps

1. Open online test website in browser using the url,

“http://10.50.248.97//onlineexam/login.php”

2. Run Wireshark in promiscuous mode.

3. Log in to the online test using a username, say kismet16.

4. Answer the questions in the online test using the internet.

5. Stop Wireshark after 10 minutes.

6. Save the data captured by Wireshark in .pcap format.

7. Convert this .pcap file to a txt file using tshark, as discussed in section 3.2.4.

8. This txt file is read to get the list of URLs corresponding to the IP address of the username kismet15 by compiling ReadFile.java

9. Run the android application and click on Student logs icon.

Output

The output screen is as displayed in the screen shot below:

Figure 5.4 Output screen on click of Student Logs icon

Figure 5.5 Output screen on click of username kismet15

The figure 5.4 displays the username being blacklisted and the figure 5.5 displays the list of

websites opened by user kismet15 to answer the question while doing online test.

5.1.5. Notification Screen

This screen is used to test, if the new MAC address joining the network is notified to the user.

Steps

1. Run Kismet by putting NIC card in monitor mode

2. Compile ParseFIle.java for storing the list of Mac address joining the network

3. Run the android application

4. Use another laptop/mobile device to connect to the wireless network

5. The notification of the new mac address will be seen

Output

Figure 5.6 Notification screen

The screen shot above shows the new mac address joining the network.
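The new-device check exercised by this test, as an added Python example (not the dissertation's ParseFIle.java): each poll of the .netxml log is compared with the MAC addresses already seen on the exam access point, and a snapshot read while Kismet is still writing the file is skipped. The BSSID and MAC values are constructed, and the samples keep only the `wireless-network`, `BSSID`, `wireless-client` and `client-mac` elements assumed here from Kismet's netxml layout.

```python
import xml.etree.ElementTree as ET

EXAM_BSSID = "00:11:22:33:44:55"   # constructed BSSID of the exam access point

# Constructed, heavily trimmed snapshots in the shape of a Kismet .netxml log.
SNAPSHOT_1 = """<detection-run>
  <wireless-network number="1" type="infrastructure">
    <BSSID>00:11:22:33:44:55</BSSID>
    <wireless-client number="1" type="established">
      <client-mac>AA:BB:CC:00:00:01</client-mac>
    </wireless-client>
  </wireless-network>
</detection-run>"""

SNAPSHOT_2 = """<detection-run>
  <wireless-network number="1" type="infrastructure">
    <BSSID>00:11:22:33:44:55</BSSID>
    <wireless-client number="1" type="established">
      <client-mac>AA:BB:CC:00:00:01</client-mac>
    </wireless-client>
    <wireless-client number="2" type="established">
      <client-mac>aa:bb:cc:00:00:02</client-mac>
    </wireless-client>
  </wireless-network>
  <wireless-network number="2" type="infrastructure">
    <BSSID>66:77:88:99:AA:BB</BSSID>
    <wireless-client number="1" type="established">
      <client-mac>AA:BB:CC:00:00:99</client-mac>
    </wireless-client>
  </wireless-network>
</detection-run>"""


def normalize_mac(mac):
    """Upper-case, colon-separated form so comparisons ignore formatting."""
    return mac.strip().upper().replace("-", ":")


def client_macs(netxml_text, bssid):
    """Return the set of client MACs listed under the given access point."""
    root = ET.fromstring(netxml_text)
    macs = set()
    for net in root.iter("wireless-network"):
        if normalize_mac(net.findtext("BSSID", "")) != normalize_mac(bssid):
            continue   # clients of neighbouring networks are not reported
        for client in net.iter("wireless-client"):
            mac = client.findtext("client-mac")
            if mac:
                macs.add(normalize_mac(mac))
    return macs


class NewDeviceWatcher:
    """Tracks MACs seen on one access point and reports first sightings."""

    def __init__(self, bssid, known=()):
        self.bssid = bssid
        self.seen = {normalize_mac(m) for m in known}

    def update(self, netxml_text):
        """Return newly seen MACs (sorted); [] if the snapshot is unreadable."""
        try:
            current = client_macs(netxml_text, self.bssid)
        except ET.ParseError:
            return []   # file caught mid-write: keep state, retry on next poll
        new = sorted(current - self.seen)
        self.seen |= current
        return new


if __name__ == "__main__":
    watcher = NewDeviceWatcher(EXAM_BSSID)
    for snapshot in (SNAPSHOT_1, SNAPSHOT_2):
        print(watcher.update(snapshot))
```
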

5.1.6. Help Screen

To test, if the help screen is displayed on click of Help icon.

Steps

1. Run the android application

2. Click on Help icon

Output

Figure 5.7 Help screen output

5.2. Further Research

Figure 5.8 Lab experiment set up (diagram labels: Participants 1 to 4; wireless router; wireless access point; laptop running Kismet, connected to internet via Ethernet; instructor with tablet with online test monitoring tool installed; internet)

Due to time constraints and the unavailability of resources, the lab experiment was not conducted. For further research and evaluation of the software developed, the lab experiment can be conducted as described in the section below.

The aim of the study: The main aim of this experiment is to identify the participant who is

cheating while taking the online test, when they are allowed to access the internet.

Description:

The participants will be informed that it is a fake online test, conducted for the purpose of testing the online test monitoring tool.

It is assumed that participants will take the online test on their own laptops. All the participants will connect their machines to the wireless router, which has an internet connection. A fake online exam will be held in the lab, where the students will log in to the fake online test website. The participants will be provided with the username and the password for logging into the online test. This online test will have 20 questions based on the computer security module. The test will be held for 30 minutes.

There will be a laptop with Kismet installed on it. Because Kismet runs only when the NIC is put into monitor mode, the laptop cannot connect to the internet through that card. The laptop's other NIC is used to connect to the internet using the Ethernet (eth0) interface.

It is important for this laptop to connect to the internet for two reasons. First, the online test server resides on this machine, where the IP address and MAC address of each user will be stored once the participants log in to the online test. Second, the .netxml file generated at run time will be processed to notify about a new MAC address joining the network.

The Kismet tool will monitor the traffic passing through the wireless router. It will also track all the activities of participants while they are taking the online test. The participants will be allowed to refer to one website recommended by the instructor to answer the questions. Some of the participants will be instructed to ‘cheat’ while they are taking the test, while others will be told to take the test sincerely. The participants allowed to cheat will access the internet to search for the answers. The participants taking the test without cheating will refer only to the recommended site. The participants will have been informed that their activity is tracked while they are taking the test.

The Android application developed will be installed on a tablet, which will be used to track the activities of students. This is a fake online exam to test how cheating can be detected using Kismet. There will be no disclosure of participants' personal data. Participants will be allowed to read and sign the consent form provided prior to taking the online test.

The sample consent form is attached in the appendix.

Expected results

The instructor, with the online test monitoring tool installed on his/her tablet, will get a notification of the MAC address of each new wireless device joining the network. After all the participants have completed their online test, the log files generated by Kismet will be processed offline. These log files will be filtered using Wireshark to get only HTTP packets. This file is then converted into a .txt file using tshark. After the offline analysis is completed, the instructor can see the list of participants who cheated in the exam. The tool will also display the list of URLs accessed by each participant while cheating.

5.3. Summary

This section of the report shows the various outcomes of the software, based on the steps followed to achieve them. It also describes the types of resources and procedures involved in the set up of the lab experiment to be held in future.

Chapter 6- Conclusion

Benefits of the Research

The online test monitoring tool offers the tutor a great advantage in terms of monitoring the online test without much effort. The tool provides the tutor with two great advantages. One is the real-time notification, which helps the tutor identify a new device connecting to the network. The second is the log files, which reveal the list of students caught accessing illegal sites.

The main benefits of this tool include less overhead for the system administrator and tutor in setting up the online test. Students can take an online test in which they are allowed to access one or more sites for reference. This monitoring tool is a mobile application that lets the professor receive notifications and logs while roaming in the examination hall. It can also help the professor to conduct exams remotely. The report generated at the end makes it easier for the tutor to analyze the results and take appropriate action. The report also gives detailed information on the activity of the students who were dishonest in the exam.

The sniffing tools used for tracking student activities have their own advantages and disadvantages. Kismet generates a .netxml file comprising the list of MAC addresses, which can be parsed in real time. The .pcapdump file generated by Kismet, however, is not in a readable format, hence the need for Wireshark to filter the log file obtained from Kismet.

Various test cases were implemented to check the efficiency of the tool. The sniffing tool Wireshark is used to capture various types of log files. These log files comprise all the information about the different wireless networks. While examining the captured log files, it was clear that only the HTTP protocol is of main concern. The log files are then converted into text files to display only the useful information about each wireless network. The second part of the evaluation includes examining the tool's real-time notification. To achieve this, Kismet is used to capture the list of wireless clients connecting to the network in real time. At the same time, the .netxml file being processed by Kismet is parsed, the newly joined wireless devices are recorded, and the user is notified.

A few of the challenging issues that were rectified using this tool are mentioned below:

- If someone tries to change the MAC address of their machine by using the technique mentioned in section 2.4.3, this tool will identify the new MAC address with the help of Kismet and notify the details of the new MAC address. Once the student logs into the online test, the MAC address notified earlier will be displayed in the student details screen.

- Even if the student tries to access any website using the proxy technique mentioned in section 2.4.5, the initial proxy URL used by the student, e.g. www.newip.us, will be captured by Kismet, and the student userid will be automatically blacklisted with the details of the websites accessed.

- The forensics technique mentioned in section 2.4.6 cannot be used, as the students are taking the online test on their own machines.

Potential Limitations

The most important limitation of this project is that the student website access log is not parsed at run time. The list of sites shown in the student logs screen is produced manually after the exam. The log file obtained from Kismet is processed offline for filtering purposes. The log file requires conversion into a .txt file using tshark. This leads to additional overhead for the administrator in processing the log files.

A huge amount of traffic is displayed even if the student opens one single website. Filtering this traffic is essential to display the one particular website accessed. The tool can only display the list of websites accessed by students while they were cheating in the exam. It cannot take any action against the illegal websites accessed by students during the exam.

The analysis of the software carried out is limited. A good understanding of the tool can only come when a live online examination is held in the lab. Only after the lab experiment could the actual output and functionality of the tool be evaluated. At this point, due to lack of resources and time, it was not possible to conduct this experiment.

Future Scope

To conclude, it is essential to encourage instructors to engage in the evaluation of this tool. The benefits of online tests are plentiful, but only if the instructor and system administrator are convinced of the tool's accuracy in minimizing cheating. By continuing to explore the type of traffic obtained from the sniffing tool, the problem of cheating can be minimized. The results displayed can also be improved by enhancing the evaluation of the software.

This dissertation has encouraged me to learn the various steps required for undertaking an individual project, including researching the basics of packet sniffing, the steps required to design and implement the project, and finally the evaluation of the project to test the feasibility of the software developed. Overall, the project requirements are satisfied and the project has been successful in analyzing the log files for detecting cheating while students are taking the online test.
