LAN Analyzer and Protocol Decoder - CommView

Alarms

This tab allows you to create alarms that can notify you about important events, such as suspicious packets, high bandwidth utilization, unknown addresses, etc. Alarms are very useful in a situation where you need to watch the network for suspicious events, for example distinctive byte patterns in captured packets, port scans, or unexpected hardware device connections.

Alarms are managed using the alarm list shown below:

[Figure: the alarm list]

Each line represents a separate alarm, and the check box next to the alarm name indicates if the alarm is currently active. When an alarm is triggered, the check mark disappears. To reactivate a deactivated alarm, check the box next to its name. To disable all alarms, uncheck the Enable alarms box. To add a new alarm or edit or delete an existing one, use the buttons to the right of the alarm list. The E-mail Setup button should be used for entering information about your SMTP server if you plan to use e-mail notification options (see below).

The alarm setup window is shown below:

[Figure: the alarm setup window]

The Name field should be used for describing the alarm function. Check the Enabled box if you want the alarm that you're adding/editing to be activated once you've finished its setup. This check box is equivalent to the one shown in the alarms list. The Alarm Type frame allows you to select one of the seven alarm types:

· Packet occurrence: The alarm will be triggered once CommView has captured a packet that matches the given formula. The formula syntax is the same as the syntax used in Advanced Rules and is described in the Advanced Rules chapter in detail.
· Bytes per second: The alarm will be triggered once the number of bytes per second has exceeded (or fallen below) the specified value. Note that you should enter the value in bytes, so if you would like to have the alarm triggered when the data transfer rate exceeds 1Mbyte per second, the value you should enter is 1000000.
· Packets per second: The alarm will be triggered once the number of packets per second has exceeded (or fallen below) the specified value.
· Broadcasts per second: The alarm will be triggered once the number of broadcast packets has exceeded (or fallen below) the specified value.
· Multicasts per second: The alarm will be triggered once the number of multicast packets has exceeded (or fallen below) the specified value.
· Unknown MAC address: The alarm will be triggered once CommView has captured a packet with an unknown source or destination MAC address. Use the Configure button to enter known MAC addresses. This alarm type is useful for detecting new, unauthorized hardware devices connected to your LAN.
· Unknown IP address: The alarm will be triggered once CommView has captured a packet with an unknown source or destination IP or IPv6 address. Use the Configure button to enter known IP addresses. This alarm type is useful for detecting unauthorized IP connections behind a corporate firewall. Use of IPv6 addresses requires Windows XP or higher and that the IPv6 stack be installed.

The Events needed to trigger field allows you to specify the number of times the expected event must occur before the alarm is triggered. For example, if you specify the value of 3, the alarm will not be triggered until the event occurs three times. If you edit an existing alarm, the internal event counter will be reset.

The Times to trigger this alarm field allows you to specify the number of times your alarm may be triggered before the deactivation. By default, this value equals 1, so the alarm will be disabled after the first event occurrence. By increasing this value, you will make CommView trigger the alarm multiple times. If you edit an existing alarm, the internal trigger counter will be reset.
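The interaction between the Unknown MAC address check, the Events needed to trigger counter, and the Times to trigger this alarm counter is easiest to see in a small model. The following is an added example, not CommView's own code: it assumes exactly the semantics stated above (a matching event is counted, the alarm fires once the count reaches the events-needed value, and the alarm is deactivated after it has fired the times-to-trigger number of times). The known-MAC list and the packet records are constructed sample data.

```python
"""Model of the alarm counters described in the Alarms chapter, applied to an
"Unknown MAC address" alarm.

Added example, not CommView's own code. It assumes the semantics stated in
the text: a matching event is counted, the alarm fires once the count reaches
"Events needed to trigger", and the alarm is deactivated (its check box
cleared) after it has fired "Times to trigger this alarm" times. The known-MAC
list and the packet records below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Alarm:
    name: str
    events_needed: int = 1     # "Events needed to trigger"
    times_to_trigger: int = 1  # "Times to trigger this alarm"
    enabled: bool = True       # the check box next to the alarm name
    event_count: int = 0       # internal event counter
    trigger_count: int = 0     # internal trigger counter

    def reset_counters(self):
        """Editing an existing alarm resets both internal counters."""
        self.event_count = 0
        self.trigger_count = 0

    def on_event(self):
        """Record one matching event; return True if the alarm fires."""
        if not self.enabled:
            return False
        self.event_count += 1
        if self.event_count < self.events_needed:
            return False
        self.event_count = 0
        self.trigger_count += 1
        if self.trigger_count >= self.times_to_trigger:
            self.enabled = False  # check mark disappears; re-check to reactivate
        return True


def is_unknown_mac(packet, known_macs):
    """Event condition: source or destination MAC is not in the configured list."""
    return (packet["smac"].lower() not in known_macs
            or packet["dmac"].lower() not in known_macs)


def run_alarm(alarm, packets, known_macs):
    """Feed packets to the alarm; return the ids of packets on which it fired."""
    known = {m.lower() for m in known_macs}
    return [p["id"] for p in packets if is_unknown_mac(p, known) and alarm.on_event()]


# Constructed sample data: two authorised devices and one unlisted adapter.
KNOWN_MACS = {"00:11:22:33:44:55", "66:77:88:99:AA:BB"}
SAMPLE_PACKETS = [
    {"id": 1, "smac": "00:11:22:33:44:55", "dmac": "66:77:88:99:aa:bb"},
    {"id": 2, "smac": "de:ad:be:ef:00:01", "dmac": "66:77:88:99:aa:bb"},
    {"id": 3, "smac": "66:77:88:99:aa:bb", "dmac": "de:ad:be:ef:00:01"},
    {"id": 4, "smac": "00:11:22:33:44:55", "dmac": "66:77:88:99:aa:bb"},
    {"id": 5, "smac": "de:ad:be:ef:00:01", "dmac": "ff:ff:ff:ff:ff:ff"},
    {"id": 6, "smac": "de:ad:be:ef:00:01", "dmac": "66:77:88:99:aa:bb"},
    {"id": 7, "smac": "de:ad:be:ef:00:01", "dmac": "66:77:88:99:aa:bb"},
]


def demo():
    """Alarm needing 2 events per trigger, deactivated after 2 triggers."""
    alarm = Alarm("Unknown MAC", events_needed=2, times_to_trigger=2)
    fired_on = run_alarm(alarm, SAMPLE_PACKETS, KNOWN_MACS)
    return fired_on, alarm.enabled


if __name__ == "__main__":
    print(demo())  # ([3, 6], False)
```

With two events needed per trigger and two triggers allowed, the alarm fires on packets 3 and 6 and then clears its own check box, so packet 7 is ignored until someone re-checks the alarm. The MAC comparison is case-insensitive because the configured list and captured frames may use different letter case.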

The Action frame allows you to select the actions to be performed when the alarm event occurs. The following actions are available:

· Display message: Shows a non-modal message box with the specified text. This action allows use of variables that are to be replaced by the corresponding parameters of the packet that has triggered the alarm. These variables are listed below:

%SMAC% -- source MAC address.
%DMAC% -- destination MAC address.
%SIP% -- source IP address.
%DIP% -- destination IP address.
%SPORT% -- source port.
%DPORT% -- destination port.
%ETHERPROTO% -- Ethernet protocol.
%IPPROTO% -- IP protocol.
%SIZE% -- packet size.
%FILE% -- the path to a temporary file that contains the captured packet.

For example, if your message is "SYN packet received from %SIP%", in the actual pop-up window text %SIP% will be replaced by the source IP address of the packet that triggered the alarm. If you use the %FILE% variable, a .NCF file will be created in the temporary folder. It is your responsibility to delete the file after it has been processed; CommView makes no attempt to delete it. You should not use variables if the alarm is triggered by Bytes per second or Packets per second values, as these alarm types are not triggered by individual packets.

· Pronounce message: Makes Windows speak the specified text using the text-to-speech engine. This box is disabled if your Windows version doesn't have the text-to-speech engine. By default, Windows only comes with English computer voices, so Windows may not be able to pronounce messages correctly if the text is entered in a language other than English. You can use the variables described in the Display message section in the message text.
· Play sound: Plays the specified WAV file.
· Launch application: Runs the specified EXE or COM file. Use the optional Parameters field to enter command line parameters. You can use the variables described in the Display message section above as the command line parameters if you want your application to receive and process information about the packet that triggered the alarm.
· Send e-mail to: Sends e-mail to the specified e-mail address. You MUST configure CommView to use your SMTP server prior to sending e-mail. Use the E-mail Setup button next to the alarm list to enter your SMTP server settings and send a test e-mail message. Usually, an e-mail message can also be used to send alerts to your instant messaging application, cell phone, or pager. For example, to send a message to an ICQ user, you should enter the e-mail address as ICQ_USER_UIN@pager.icq.com, where ICQ_USER_UIN is the user's unique ICQ identification number, and allow EmailExpress messages in the ICQ options. Please refer to your instant messenger documentation or cell phone operator for more information. The Add text field can be used to add an arbitrary message to the e-mail notification. You can use the variables described in the Display message section in the message text.
· Enable capturing rules: Enables Advanced Rules; you should enter the rule name(s). If multiple rules must be enabled, separate them with a comma or semicolon.
· Disable other alarms: Disables other alarms; you should enter the alarm name(s). If multiple alarms must be disabled, separate them with a comma or semicolon.
· Start logging: Turns on auto-saving (see the Logging chapter); CommView will start dumping packets to the hard drive.
· Stop logging: Turns off auto-saving.
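A practitioner using the Launch application action with the variables above typically needs a small receiver that records the alert and cleans up the temporary .NCF file, since CommView leaves that deletion to the launched program. The following is an added example, not CommView's own code. It assumes the alarm's Parameters field is set to `"%SIP%" "%DIP%" "%SPORT%" "%DPORT%" "%IPPROTO%" "%FILE%"` (the argument order is this example's choice), so each alert arrives as six command line arguments; the .NCF content itself is not parsed here.

```python
"""Handler launched by a CommView alarm's "Launch application" action.

Added example, not CommView's own code. It assumes the alarm's Parameters
field is set to  "%SIP%" "%DIP%" "%SPORT%" "%DPORT%" "%IPPROTO%" "%FILE%"
(the argument order is this example's choice), so each alert arrives as six
command line arguments. The handler appends one JSON line per alert to a log
file and then deletes the temporary .NCF file, which the Alarms chapter leaves
to the launched application; the .NCF content itself is not parsed here.
"""
import json
import shutil
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "ip_proto", "ncf_file")


def parse_args(args):
    """Map the positional arguments to named fields; reject the wrong count."""
    if len(args) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} arguments, got {len(args)}")
    return dict(zip(FIELDS, args))


def handle_alert(args, log_path):
    """Log the alert and remove the temporary packet file; return the record."""
    record = parse_args(args)
    record["time"] = datetime.now(timezone.utc).isoformat()
    ncf = Path(record["ncf_file"])
    # Record the file size before deleting it, so the log still documents the alert.
    record["ncf_bytes"] = ncf.stat().st_size if ncf.is_file() else None
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    if ncf.is_file():
        ncf.unlink()  # CommView makes no attempt to delete the temp file
    record["ncf_deleted"] = not ncf.exists()
    return record


def demo():
    """Run the handler on a constructed alert inside a scratch directory."""
    work = Path(tempfile.mkdtemp(prefix="commview_alarm_"))
    try:
        ncf = work / "alarm_packet.ncf"
        ncf.write_bytes(b"\x00" * 96)  # constructed placeholder, not real NCF data
        log = work / "alerts.jsonl"
        # Constructed sample values standing in for the substituted variables.
        args = ["192.0.2.10", "192.0.2.20", "51234", "22", "TCP", str(ncf)]
        record = handle_alert(args, log)
        lines = log.read_text(encoding="utf-8").splitlines()
        return record, len(lines)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(demo())  # no arguments: run the constructed demonstration
    else:
        out = handle_alert(sys.argv[1:], Path.home() / "commview_alerts.jsonl")
        print(json.dumps(out))
```

Because the script only sees the substituted values, it should not be attached to a Bytes per second or Packets per second alarm, where the text above notes that the variables carry no packet information. Quoting each variable in the Parameters field keeps an argument with spaces (the %FILE% path, for instance) from being split into several.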

Click OK to save the settings and close the alarm setup dialog.

All the events and actions related to the alarms will be listed in the Event Log window below the alarm list.