In this chapter you can find answers to some of the most
frequently asked questions. The latest FAQ is always available at
Q. What is the difference
between NetResident Lite and NetResident Pro?
A. Two license types are available for NetResident: Lite and
||Pro: All features are available.
||Lite: All features except VoIP support and the ability to
import packet log files from other applications are available.
Q. I plan to install the
NetResident service on one computer and then connect to it using
the console from another computer. What should I do to comply with
the license agreement?
A. According to the EULA, a single user license allows you to
operate one copy of NetResident by one user account in the
operating system. Installing and using the product on multiple
computers, regardless of the installation or usage type (service or
console) requires that you obtain the number of licenses
corresponding to the number of installations.
Q. My HTTP plugin does not
always display HTML pages correctly. For instance, some images are
not displayed. Why is it so?
A. A typical HTML page represents a collection of a dozen of
independent objects – HTML code, images, CSS styles, and others.
Each of these objects is requested by a browser, however most of
these objects are cached (saved to the computer hard drive for
future access) and hence not requested from the network every time
a Web page is viewed. NetResident does not have access to your
browser's cache, therefore it cannot 'see' these objects. This is
not a problem with NetResident; you can always reload the Web page
in your browser (you need to perform a complete reload, in MSIE
this is achieved by clicking on the Refresh button while holding
down the Shift key). This will allow NetResident to log and store
all Web page elements.
Q. Which address (IP or MAC)
should I use in order to identify a station that I'd like to
A. If you have DHCP enabled in your network, each computer with
a unique MAC address is assigned a different IP address for every
session. For this case, you should identify your stations by MAC
addresses. This will make the program assign all network events
where the specified MAC address is present to the particular
station and prevent the list of stations from being overpopulated.
In some cases, you may encounter different MAC address for each
host. If you have a static IP address assigned to your network
adapter and other stations on your LAN, you should use IP addresses
to identify stations. We recommend using aliases for MAC and IP addresses as it
makes recognition and analysis of network events much easier.
Q. When I try to import
CommView or CommView for WiFi log files, I am unable to display the
contents of some of the files. I believe I have all
parameters set correctly regarding the event viewer and
A. It's important to understand that the import procedure has
its own filter and the content displaying mechanism has its own
filter. When you were importing the file, the content was possibly
filtered out during the import phase if you applied filters. Once
the import phase is over, the application uses the display filter
to show the contents. There is a chance that the application is
configured to show only the data collected during the last two
days, while the logs contained sessions that were outside this time
frame. You may want to disable the display filter to have the
application show the data.
Q. Why NetResident service
insists on starting if I just want to review LOG files and not
capture current data?
A. The database is maintained by the service. The GUI is simply
a console that "talks" to the service. All data processing and
filtering is performed by the service as well, so it has to be
Q. I have NetResident set up to
start monitoring only when the application is running, and not to
start with Windows. I noticed that after I shut down
NetResident, the service process, "tfsnrs.exe" continues to run in
Task Manager. Why does it continue to run?
A. Running the service and monitoring are different things. The
service must be active at all times to be able to "talk" to the
GUI. This doesn't mean that the service is capturing data at all
times. It is capturing data only on demand. In theory, if the
application is configured to capture data only when the GUI is
running, one could start the service when the GUI starts and stop
it when the GUI stops, but starting the service is a bit slow and,
most importantly, that cannot be done remotely, when the service
and GUI are running on different machines. That is something we
plan to implement in the future. The fact that the service is
running in the background shouldn't worry you because when it's not
monitoring the network it doesn't consume considerable system
Q. Can you give some
performance metrics when NetResident is being used to monitor a
heavily loaded network?
A. The program's performance depends on the CPU speed and RAM
size. If you use the default monitoring settings, i.e. when all the
plugins are enabled and all the ports are being monitored, an
average Pentium4 3Ghz PC with 512 Mbytes of RAM can monitor a fully
utilized 100 Mbit link. To monitor faster network links, you should
set up filtering by station, limit
the ports being monitored, and
disable unnecessary plugins. The performance
also depends on the type of traffic being monitored, so additional
filters should be applied only if you experience performance
Q. For some ICQ and AIM chat
sessions, one of the parties' ID number is shown as "Not detected."
Why is it not detected?
A. This happens when an ICQ or AIM chat session (including the
authentication phase) begins before NetResident starts capturing
network packets. If capturing is started in the middle of a chat
session, the ID can sometimes be found (as it is contained in some
service packets, which are sent intermittently), although this
cannot be guaranteed.
Q. Can your VoIP module be used
for logging Skype conversations?
A. No, sorry. Skype uses robust encryption; it's impossible to
decrypt Skype conversations.
Q. Why does NetResident not
show the amount of transferred data in terms of bytes?
A. NetResident does not always store transferred data in its
original form. Rather, it processes it for more convenient
presentation. It's not uncommon for a single network session to be
divided into several separate events, or several network sessions
to be combined into one event. Besides, some transferred data
simply is not supposed to be processed by current NetResident
plugins. That said, NetResident cannot and is not supposed to
display reliable network data statistics. If you're interested in
network traffic statistics, you may want to use another TamoSoft
Q. I use WireShark and I
noticed that it could no longer capture packets after NetResident
had been installed.
A. There is a known conflict between WinPcap, the driver used in
WireShark and many similar products, and the driver used in
NetResident. There is a simple workaround: Start capturing packets
with WireShark before you
start capturing packets with NetResident. In this case, both
products will be able to capture data simultaneously. If you start
capturing with NetResident first, WinPcap will fail to capture any
packets for a reason unknown to us.
Q. Are there any known
conflicts with other software?
A. Currently we know about conflicts with Kaspersky 2009
Antivirus. Kaspersky Lab developers report that will fix this issue
as soon as possible.