===== NETMON.NLM ===== NETMON.NLM ===== NETMON.NLM ===== NETMON.NLM =====

1. Why NETMON.NLM ?
===================

NETMON stands for NETwork MONitor.

2. What is NETMON.NLM and what is it good for ?
===============================================

NETMON.NLM is a NetWare Loadable Module which runs on the server console
and monitors network traffic on a given network interface card.

The program's main screen gives you a quick overview of what is happening
on the network segment the monitored NIC is connected to. A semigraphical,
colored histogram as well as various counters (TX, RX, packets, bytes,
peak, ...) provide you with comprehensive information.

The Capture screen allows you to capture packets on a given network
interface. Because switching to and from promiscuous mode is also
supported by this program, you can capture not only the traffic which
belongs to the server, but in fact any packet visible on the segment to
which the server is connected. The Capture screen provides you with
comprehensive information about captured packets and can be effectively
used for a first, quick analysis of any server/client problem.

Captured data can also be filtered "on the fly", according to the actual
need. Filtering is based on source/destination MAC addresses or IP
addresses, and/or on protocol type (IPX/SPX, TCP/IP).

Once you have packets in your buffer, you can either show and dump them
on the screen or save them into a file for later detailed analysis. The
file format used is compatible with Novell's LANalyzer file format.

NetMon supports post-filtering operations over captured packets. A simple
yet powerful filter command interpreter has been built into this software.

One of the big advantages of this program is that you do not need any
extra PC or other device when you need to capture traffic between the
server and the client PC on segments equipped with intelligent switching
hubs.
These intelligent switching devices do not allow you to see network
traffic which does not belong to the port you are connected to, so
monitoring traffic between a NetWare server and a client PC is rather
complicated in such a case. Using NETMON.NLM helps significantly here.
You just load NETMON.NLM on the server you want to monitor and that's it !

NetMon recognizes and supports multiple boards/interfaces on the NetWare
server, and supports switching to/from promiscuous mode, which is needed
for capturing the whole traffic on the given network segment.

This version of NetMon understands and supports Ethernet 10MBit, 100MBit
(Fast), as well as 1000MBit (Gigabit) technology, and can be loaded on
3.x, 4.x and 5.x NetWare server versions. Token-Ring 4MBit, 16MBit, and
100MBit technologies are also supported, but the support here is somewhat
limited. FDDI 100MBit technology is officially not supported, but is
supposed to work.

3. What are the program versions/modifications currently available ?
====================================================================

- NETMON.NLM, version 1.12

4. How to install and run this NLM ?
====================================

You do not need any special installation or library files. Just copy the
file to your SYS:SYSTEM (or other) directory and from your console enter:

    LOAD NETMON

You can also run this program from a floppy disk. NETMON.NLM can be run
on 3.x, 4.x and 5.x NetWare servers.

5. Functionality overview
=========================

Main program screen:

    F1      - HELP - use arrows, PgDn, PgUp, Home, End keys for moving in
    F2      - LANList - provides table with existing initialized network
              interfaces
    F3      - STATS - starts/stops basic statistics and shows statistic
              window
    F5      - PROMTGL - toggles NIC between promiscuous and normal mode
    F7      - CLEARs all internal counters
    F9      - CAPTURE - starts or goes to Packet Capture screen
    F10     - QUIT - exits the program
    Alt-F1  - Sets scale in histogram to 1:1
    Alt-F2  - Sets scale in histogram to 1:10
    Alt-F3  - Sets scale in histogram to 1:100
    Alt-F5  - Toggles between normal and logarithmical scale
    Ctrl-F1 - the same functionality as Alt-F1 (to be used from
              RCONSOLE.EXE)
    Ctrl-F2 - ... as Alt-F2
    Ctrl-F3 - ... as Alt-F3
    Ctrl-F5 - ... as Alt-F5

Packet Capture screen:

    F1      - HELP - use arrows, PgDn, PgUp, Home, End keys for moving in
    F2      - SAVE - saves captured packets into file
    F3      - LOAD - reads packets from file and fills internal buffer
    F4      - FILTER - sets packet capture pre-filtering options
    F5      - STARTs or stops packet capturing
    F6      - RESETs packet capture buffer
    F7      - MEMADJ - changes size of buffer for captured packets
    F8      - WRAPIT (or RUONCE) toggles between WRAP mode and RUN ONCE
              mode for capture buffer. Current implementation in WRAP
              mode does not support sliding window (yet) and simply
              deletes all data from capture buffer.
    F9      - BACK - goes back to main NETMON screen
    F10     - EXITs the Packet Capture thread
    Alt-C   - toggles between colored and greyed decode output
    Alt-D   - deselects all previously selected packets
    Alt-F   - filters out packets from buffer following given criteria
              (post-filtering)
    Alt-G   - goes to the given packet number
    Alt-N   - finds the next packet in the dialog (not available yet)
    Alt-P   - saves packet trace summary into text file
    Alt-R   - resets post-filtered packets and returns original packet
              buffer
    Alt-S   - searches for specific (char) string from the current
              position in buffer until the end of buffer
    INSERT  - selects/deselects highlighted packet
    ENTER   - opens detailed packet decode window

Post filtering:

    <+|-> =

    +|- FRAME  = ETHER_II | ETHER_8022 | ETHER_8023 | ETHER_SNAP
    +|- FRAME  = TOKEN_SNAP | TOKEN_8022
    +|- PROT   = IP | IPX | ARP | RARP | ATALK | ATARP | NBIOS
    +|- PROT   = ICMP | UDP | TCP | FTP | TELNET | SNMP | LDAP
    +|- PROT   = RIP | DHCP | SMTP | SLP | HTTP
    +|- PROT   = SPX | NWRIP | SAP | NLSP | NCP | NDS
    +|- MAC    = hhhhhhhhhhhh     (MAC address in hex numbers)
    +|- IP     = ddd.ddd.ddd.ddd  (IP address in decimal numbers)
    +|- OFFSET = aaaa, DATA=hhhhhhhhhh...
                 (both offset and data should be in hex numbers)

Only one expression per command is allowed, space characters are ignored,
and lower case letters are always translated into upper case.

Examples:

    +FRAME=ETHER_II   ... select only packets in ETH_II envelope
    +MAC=00506E298744 ... select only packets with MAC specified
                          (either source or destination)
    -PROT=SPX         ... filter out all SPX packets

6. Parameters which can be used while loading program
=====================================================

BOARD=      - this parameter can be used when starting NETMON from
              AUTOEXEC.NCF. It allows initialization and usage of the
              given board for monitoring immediately after NETMON loads,
              without the need to choose the monitored interface
              interactively.

PROMISCUOUS - this parameter toggles the operating mode of the monitored
              NIC into promiscuous mode, provided it was not there before.
              Otherwise it simply toggles the NIC back to normal
              (non-promiscuous) mode. This parameter is applicable only
              with parameter BOARD=<...>.

WRAP        - this parameter toggles the capture packet buffer into
              wrapping mode.

Example:

    LOAD NETMON BOARD=3C90X_E82 PROMISCUOUS

7. Known limitations
====================

- TX packets on 3.x servers can neither be counted nor captured by
  NETMON. This is caused by a limitation of underlying services on 3.x
  servers.
- The current NETMON.NLM version does not provide full and detailed
  packet analysis. This is not the main purpose of this tool.
- Information about possible daylight saving time on the given server is
  NOT taken into account when a packet trace is saved or loaded. This
  means you can see packet arrival times shifted by one hour.

8. Limitations of the date-stamped version
==========================================

- It will work for you only until a certain date is reached (see outputs
  on your system console when loading this program or see HELP comments
  in the program)
- Capture filter cannot be set/modified
- Memory adjustment for capture buffer cannot be done, and memory for
  captured packets is significantly limited (8KBytes only)

9. List of changes / fixes
==========================

Version 1.12c (Build September 2002)
  - fixed problem with intermittent abend appearing when trying to unload
    NETMON from console while being in LAN LIST window

Version 1.12b (Build August 2002)
  - fixed problem with 100MBit TR NIC cards recognition

Version 1.12a (Build July 2002)
  - added quick decode for SMTP protocol

Version 1.12 (Build June 2002)
  - added possibility to select capture buffer mode usage, either WRAP
    mode or RUN ONCE mode.

Version 1.11c (Build June 2002)
  - SLP quick decode modified.
  - packet buffer adjustment algorithm changed. It now accepts values in
    bytes, kBytes and MBytes.

Version 1.11b (Build February 2002)
  - some minor additions, fixes, and changes in post-filtering.

Version 1.11a (Build July 2001)
  - added logarithmical scale (0-100%) to histogram
  - added possibility to load NETMON with parameter BOARD= to enable
    autostart from AUTOEXEC.NCF
  - some minor changes in code

Version 1.11 (Build March 2001)
  - added support for Gigabit Ethernet

Version 1.10a (Build February 2001)
  - added support for post-filtering
  - fixed bug which caused AbEnd in case an unused NIC returned invalid
    values to the application

Version 1.01f (Build February 2001)
  - fixed packet time arrival bug
  - some minor changes in format of packet decode output

Version 1.01e (Build January 2001)
  - several minor changes and fixes.

Version 1.01d (Build December 2000)
  - fixed bug which caused AbEnd on TR interface when saving packet trace
    containing big TR packets

Version 1.01c (Build December 2000)
  - added support for filtering based on IP addresses
  - fixed some minor TokenRing decode problems

Version 1.01b (Build December 2000)
  - fixed some minor TR-SNAP decode problems

Version 1.01 (Build December 2000)
  - added limited support for Token-Ring networks
  - fixed some minor problems

Version 1.00 (Build October 2000)
  - added quick decode support for LDAP protocol

Version 1.00 Beta 7
  - fixed the bug which caused RX values to be invalidated on 100MBit
    segments
  - some minor changes
  - added downloadable demo to www.roletosoft.com

Version 1.00 Beta 6 (Build September 2000)
  - some minor changes

Version 1.00 Beta 5 (Build August 2000)
  - some minor problems fixed

Version 1.00 Beta 4 (Build June 2000)
  - completed support for 64-bit counters arithmetic
  - size of captured packet can be modified

Version 1.00 Beta 3 (Build May 2000)
  - added statistics counters (size, frame and protocol distribution,
    broadcast counters)
  - added OSPF and RPC quick decodes
  - fixed several minor problems

Version 1.00 Beta 2 (Build March 2000)
  - added several quick decodes

Version 1.00 Beta 1 (Build November 1999)
  - starting point for this history list.

10. How much does the NETMON.NLM cost ?
=======================================

This program is neither shareware nor freeware. If you want to get the
full version, you have to order it and pay license fees.

    NETMON.NLM 1 license .... 69,- US$

11. Where can I order the program ?
===================================

Send your order to:

    Rostislav Letos
    ROLETOSoft
    Brandtova 3263/6
    400 11 Usti nad Labem
    Czech Republic

    Phone: +420-604-266737 (CZ) or +49-211-5370216 (GER)

Or you can e-mail me:

    support@roletosoft.cz
    rletos@roletosoft.cz

Have fun !

===== NETMON.NLM ===== NETMON.NLM ===== NETMON.NLM ===== NETMON.NLM =====
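
Added example (not part of the original README and not ROLETOSoft's code):
a Python parser for the post-filter command syntax listed in section 5,
applied to constructed packets to show how "+" selects and "-" filters out.
Assumptions: each packet already carries the decoder's frame and protocol
tags, IP= matches source or destination like MAC= does, and OFFSET counts
from the start of the frame.

```python
import re

# Keyword lists copied from the README's "Post filtering" syntax.
FRAMES = set("ETHER_II ETHER_8022 ETHER_8023 ETHER_SNAP TOKEN_SNAP TOKEN_8022".split())
PROTS = set("IP IPX ARP RARP ATALK ATARP NBIOS ICMP UDP TCP FTP TELNET SNMP LDAP "
            "RIP DHCP SMTP SLP HTTP SPX NWRIP SAP NLSP NCP NDS".split())

def parse_filter(expr):
    """Return (keep, kind, value) for one post-filter command; raise ValueError if invalid."""
    s = re.sub(r"\s+", "", expr).upper()   # spaces ignored, lower case folded to upper
    m = re.fullmatch(r"([+-])OFFSET=([0-9A-F]{1,4}),DATA=((?:[0-9A-F]{2})+)", s)
    if m:
        return m[1] == "+", "OFFSET", (int(m[2], 16), bytes.fromhex(m[3]))
    m = re.fullmatch(r"([+-])(FRAME|PROT|MAC|IP)=([0-9A-Z_.]+)", s)
    if not m:
        raise ValueError(f"not a post-filter command: {expr!r}")
    keep, kind, val = m[1] == "+", m[2], m[3]
    if (kind == "FRAME" and val in FRAMES) or (kind == "PROT" and val in PROTS):
        return keep, kind, val
    if kind == "MAC" and re.fullmatch(r"[0-9A-F]{12}", val):
        return keep, kind, bytes.fromhex(val)
    if kind == "IP" and re.fullmatch(r"[0-9]{1,3}(\.[0-9]{1,3}){3}", val):
        return keep, kind, bytes(int(o) for o in val.split("."))  # bytes() rejects octets > 255
    raise ValueError(f"bad {kind} value: {val!r}")

def matches(pkt, kind, value):
    raw = pkt["raw"]
    if kind in ("FRAME", "PROT"):          # assumed: decoder already tagged the packet
        return value == pkt["frame"] if kind == "FRAME" else value in pkt["prots"]
    if kind == "MAC":                      # source or destination, per the README example
        return value in (raw[0:6], raw[6:12])
    if kind == "IP":                       # assumed: Ethernet II + IPv4, source or destination
        return raw[12:14] == b"\x08\x00" and value in (raw[26:30], raw[30:34])
    off, data = value                      # OFFSET: assumed to count from the start of the frame
    return raw[off:off + len(data)] == data

def post_filter(packets, expr):
    keep, kind, value = parse_filter(expr)
    return [p for p in packets if matches(p, kind, value) == keep]

def ip_frame(dst, src, sip, dip, prots):   # builds a constructed Ethernet II / IPv4 frame
    raw = bytes.fromhex(dst + src) + b"\x08\x00\x45\x00\x00\x14" + bytes(8) + bytes(sip) + bytes(dip)
    return {"raw": raw, "frame": "ETHER_II", "prots": {"IP"} | prots}

SAMPLE = [  # constructed packets, not a real capture
    ip_frame("00506E298744", "00A0C9112233", (10, 0, 0, 1), (10, 0, 0, 2), {"TCP", "HTTP"}),
    ip_frame("FFFFFFFFFFFF", "00A0C9112233", (10, 0, 0, 2), (10, 0, 0, 255), {"UDP"}),
    {"raw": bytes.fromhex("00A0C911223300506E298744" + "0022FFFF") + bytes(32), "frame": "ETHER_8023", "prots": {"IPX", "SPX"}},
]
```

Calling post_filter(SAMPLE, "+MAC=00506E298744") keeps the two packets
that carry that address as source or destination; "-PROT=SPX" drops only
the IPX/SPX frame.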