Network real-time monitoring system using VB6.0

Source: Internet
Author: User
The development and spread of computer network technology provides a global high-speed channel for information sharing. However, the current TCP/IP protocol family has potential security vulnerabilities and its security mechanisms are not sound, so protecting the resources and information in an enterprise's internal network from being arbitrarily damaged or stolen by external attackers is an important issue for enterprise network security. When we are worried about hacking or Trojans, we often turn to the firewall, which defends against attacks by monitoring all TCP connections in real time. In addition, throughout network operation, the network administrator's ability to monitor the running status and operations of networked computers in real time plays an extremely important role in network security. The following describes the design and implementation of two main modules using Visual Basic 6.0 as the development tool.

System Overview

The system consists of two subsystems: a server-side system and a client (workstation) system. The server system is installed on the network administrator's computer and performs the various monitoring operations on networked computers. The client system is installed on each networked computer and appears as an icon in the notification area of the system taskbar, without affecting other operations on the workstation. It is used only to respond to monitoring commands from the server and, as required, to return the sampled workstation data to the server in a timely manner. The system runs under Windows 95, Windows 98, Windows NT, and Windows 2000. The Winsock communication control is used in development, together with several API functions that help implement the monitoring operations.

System Functions

1. Monitor all TCP connections: monitors the connections on all server ports in real time, warns of abnormal connections in a timely manner, and prompts the user to delete abnormal connections;

2. Screen monitoring: allows the server to capture the screen image of a monitored workstation at any time, so that the network administrator can see at a glance the operations being performed on that workstation. If an illegal operation is found, a warning can be issued or the operation can be forcibly stopped;

3. Lock the workstation, shut it down, and restrict mouse activity;

4. Exchange information between the server and the workstations.

Function implementation

1. Monitor all TCP connections

TCP/IP (Transmission Control Protocol/Internet Protocol) is a set of network protocols including TCP, IP, UDP, ARP, RARP and ICMP. TCP/IP is often referred to as the adhesive that binds the Internet together. It allows multiple information networks separated in space to join together to form a huge virtual network. TCP and UDP (User Datagram Protocol) are the two most common data transmission protocols. Both complete data transmission by setting up a listening port.

This article discusses TCP connections. By using TCP, an Internet client can open a virtual connection to another Internet client and transmit data streams. Unlike UDP, TCP ensures transmission reliability by retransmitting lost data packets. It also ensures that the application at the receiving end reassembles the received bits and bytes in the order in which they were sent, to obtain the complete data.

To obtain all valid TCP connections on the server system, use the GetTcpTable API function, which is declared as follows:

Private Declare Function GetTcpTable Lib "iphlpapi.dll" _
    (ByRef pTcpTable As MIB_TCPTABLE, ByRef pdwSize As Long, _
    ByVal bOrder As Long) As Long

The pTcpTable parameter is a pointer to the buffer that receives the TCP connection table, and the pdwSize parameter is the buffer size (when the buffer is not large enough, this parameter returns the actual size). The bOrder parameter indicates whether the connection table needs to be sorted by "local IP", "local port", "remote IP", and "remote port".

Compare the two TCP connection tables in the Timer event of a Timer control. We can then immediately detect an exception and issue a warning. The system uses a sound and an alarm sign to alert the user to possible external intrusion. After receiving the warning signal, we should first delete the suspicious connection. The SetTcpEntry function can help us delete the suspicious connection. It is declared as follows:

Private Declare Function SetTcpEntry Lib "iphlpapi.dll" _
    (ByRef pTcpTable As MIB_TCPROW) As Long

The pTcpTable parameter is a pointer to a TCP table row. Set the state of the connection to be deleted to MIB_TCP_STATE_DELETE_TCB (value: 12), then call the function to delete the connection.

Timer event source code:

Private Sub Timer1_Timer()
    ' TCP1 (a MIB_TCPTABLE) and last_num_of_entries (a Long) are module-level variables
    Dim return1 As Long, I As Long
    Dim tmp1 As Long, tmp2 As Long
    Dim ip_buf(1 To 4) As Byte
    Dim win_path As String, tmp3 As String
    return1 = GetTcpTable(TCP1, Len(TCP1), 1)
    If last_num_of_entries <> 0 And _
       last_num_of_entries <> TCP1.dwNum_of_entries Then
        ' Warn when exceptions occur
        Picture1.Visible = True ' warning flag
        On Error Resume Next
        win_path = String(145, 0)
        ' Use the API function GetWindowsDirectory to obtain the Windows directory.
        I = GetWindowsDirectory(win_path, 145)
        win_path = Left(win_path, I)
        ' Use the API function sndPlaySound to sound an alarm.
        I = sndPlaySound(win_path + "\media\ding.wav", &H1)
        On Error GoTo 0
    Else
        If Picture1.Visible = True Then
            Picture1.Visible = False
        End If
    End If
    last_num_of_entries = TCP1.dwNum_of_entries
    Select Case return1
    Case 0&
        Text1 = "": Combo1.Clear
        For I = 0 To TCP1.dwNum_of_entries - 1
            tmp3 = Str(I + 1) + " "
            Select Case TCP1.TCP_Table(I).dwState
            ' Display connection status
            Case 1: tmp3 = tmp3 + "closed"
            Case 2: tmp3 = tmp3 + "listening"
            Case 3: tmp3 = tmp3 + "syn_sent"
            Case 4: tmp3 = tmp3 + "syn_rcvd"
            Case 5: tmp3 = tmp3 + "established"
            Case 6: tmp3 = tmp3 + "fin_wait1"
            Case 7: tmp3 = tmp3 + "fin_wait2"
            Case 8: tmp3 = tmp3 + "close_wait"
            Case 9: tmp3 = tmp3 + "closing"
            Case 10: tmp3 = tmp3 + "last_ack"
            Case 11: tmp3 = tmp3 + "time_wait"
            Case 12: tmp3 = tmp3 + "delete_tcb"
            End Select
            Combo1.AddItem tmp3 ' fill list for deletion
            ' Local IP address (CopyMemory is an API function)
            tmp3 = tmp3 + ":" + vbCrLf + vbTab + "Local :"
            CopyMemory ip_buf(1), TCP1.TCP_Table(I).dwLocalAddr, 4
            tmp3 = tmp3 + CStr(ip_buf(1)) + "." + _
                CStr(ip_buf(2)) + "." + CStr(ip_buf(3)) _
                + "." + CStr(ip_buf(4))
            ' Local port: stored in network byte order, so swap the two bytes.
            ' Integer division (\) is required; / would round and can be off by one.
            tmp1 = TCP1.TCP_Table(I).dwLocalPort
            tmp2 = tmp1 \ 256 + (tmp1 Mod 256) * 256
            ' Remote IP address
            tmp3 = tmp3 + ":" + Str(tmp2) + vbTab + "remote :"
            CopyMemory ip_buf(1), TCP1.TCP_Table(I).dwRemoteAddr, 4
            tmp3 = tmp3 + CStr(ip_buf(1)) + "." + CStr(ip_buf(2)) _
                + "." + CStr(ip_buf(3)) + "." + CStr(ip_buf(4))
            ' Remote port
            tmp1 = TCP1.TCP_Table(I).dwRemotePort
            tmp2 = tmp1 \ 256 + (tmp1 Mod 256) * 256
            tmp3 = tmp3 + ":" + Str(tmp2) + vbCrLf
            Text1 = Text1 + tmp3
        Next I
    Case 50&
        MsgBox "the system does not support this API function": End
    Case 87&
        MsgBox "invalid parameter": End
    Case 111&
        MsgBox "buffer overflow": End
    Case 232&
        MsgBox "no data": End
    End Select
End Sub

Click event source code used to delete connections:

Private Sub Delete_Click()
    Dim return1 As Long
    ' Nothing selected in the list: nothing to delete
    If Combo1.ListIndex < 0 Then Exit Sub
    ' Set the status of the connection to be deleted to 12
    TCP1.TCP_Table(Combo1.ListIndex).dwState = 12
    ' Execute deletion
    return1 = SetTcpEntry(TCP1.TCP_Table(Combo1.ListIndex))
    If return1 = 0 Then
        MsgBox "deleted successfully"
    Else
        MsgBox "deletion failed"
    End If
    ' Refresh the displayed table
    Timer1_Timer
End Sub
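
The timer handler above raises the alarm only when the number of table entries changes, so a connection that closes while another opens within the same interval goes unnoticed. The following Python code is an added example, not part of the original article: it decodes a raw MIB_TCPTABLE buffer (entry count followed by 20-byte rows) and compares two polls by connection rather than by count. The function names and the sample addresses are constructed for illustration.

```python
import socket
import struct

# MIB_TCPROW: dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort.
# Addresses and ports are in network byte order; only 16 bits of a port are used.
ROW = struct.Struct("<I4s2s2x4s2s2x")
STATES = dict(enumerate(
    ["closed", "listening", "syn_sent", "syn_rcvd", "established", "fin_wait1",
     "fin_wait2", "close_wait", "closing", "last_ack", "time_wait", "delete_tcb"],
    start=1))

def parse_tcp_table(buf):
    """Decode a raw MIB_TCPTABLE buffer into a set of connection tuples."""
    (count,) = struct.unpack_from("<I", buf, 0)
    if 4 + count * ROW.size > len(buf):
        raise ValueError("entry count exceeds buffer size")
    rows = set()
    for i in range(count):
        state, la, lp, ra, rp = ROW.unpack_from(buf, 4 + i * ROW.size)
        rows.add((STATES.get(state, str(state)),
                  socket.inet_ntoa(la), int.from_bytes(lp, "big"),
                  socket.inet_ntoa(ra), int.from_bytes(rp, "big")))
    return rows

def diff_snapshots(prev, curr):
    """Return (appeared, vanished) rows between two polls, each sorted."""
    return sorted(curr - prev), sorted(prev - curr)

def make_table(rows):
    """Build a constructed MIB_TCPTABLE buffer for the demonstration."""
    out = struct.pack("<I", len(rows))
    for state, la, lp, ra, rp in rows:
        out += ROW.pack(state, socket.inet_aton(la), lp.to_bytes(2, "big"),
                        socket.inet_aton(ra), rp.to_bytes(2, "big"))
    return out

# Constructed sample data: same entry count in both polls, different peer.
PREV = make_table([(2, "0.0.0.0", 139, "0.0.0.0", 0),
                   (5, "192.168.0.10", 139, "192.168.0.20", 1045)])
CURR = make_table([(2, "0.0.0.0", 139, "0.0.0.0", 0),
                   (5, "192.168.0.10", 139, "192.168.0.99", 2301)])

if __name__ == "__main__":
    appeared, vanished = diff_snapshots(parse_tcp_table(PREV), parse_tcp_table(CURR))
    for row in appeared:
        print("NEW ", row)
    for row in vanished:
        print("GONE", row)
```

Both sample polls contain two entries, so the count comparison stays silent while the set difference reports the new peer.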

2. Screen monitoring

When the server system detects an abnormal TCP connection, the administrator can use the screen monitoring function to capture the screen of the monitored workstation on the LAN to the server and take corresponding measures, such as locking or shutting down the workstation. The Winsock control is used here; for the communication principle, see related materials. The screen monitoring function uses the TCP protocol. To achieve better results, you can add a Timer control to the form and set its Timer event.

(1) Workstation end

The workstation listens for and responds to connection requests and screen-capture requests from the server. The screen capture function can be implemented through API functions:

Dim A As String
' Read the command string sent by the server
Winsock1.GetData A, vbString
Select Case A
Case "ZP"
    Picture1.AutoRedraw = True
    Picture1.ScaleMode = 1
    ' Get the desktop window and its device context
    lDesktop = GetDesktopWindow()
    lDC = GetDC(lDesktop)
    BitBlt Picture1.hDC, 0, 0, Screen.Width, _
