TamoSoft: Network Analysis Tools & Security Software

Network Content Monitor - NetResident

NetResident Help Documentation

Frequently Asked Questions

In this chapter you can find answers to some of the most frequently asked questions. The latest FAQ is always available at http://www.tamos.com/products/netresident/faq.php.


Q. What is the difference between NetResident Lite and NetResident Pro?


A. Two license types are available for NetResident: Lite and Pro.


Pro: All features are available.
Lite: All features except VoIP support and the ability to import packet log files from other applications are available.


Q. I plan to install the NetResident service on one computer and then connect to it using the console from another computer. What should I do to comply with the license agreement?


A. According to the EULA, a single user license allows you to operate one copy of NetResident by one user account in the operating system. Installing and using the product on multiple computers, regardless of the installation or usage type (service or console), requires that you obtain the number of licenses corresponding to the number of installations.


Q. My HTTP plugin does not always display HTML pages correctly. For instance, some images are not displayed. Why is it so?


A. A typical HTML page is a collection of a dozen independent objects: HTML code, images, CSS styles, and others. Each of these objects is requested by the browser; however, most of them are cached (saved to the computer's hard drive for future access) and hence not requested from the network every time a Web page is viewed. NetResident does not have access to your browser's cache, so it cannot 'see' these objects. This is not a problem with NetResident; you can always reload the Web page in your browser (you need to perform a complete reload; in MSIE this is done by clicking the Refresh button while holding down the Shift key). This will allow NetResident to log and store all Web page elements.


Q. Which address (IP or MAC) should I use in order to identify a station that I'd like to monitor?


A. If you have DHCP enabled in your network, each computer with a unique MAC address is assigned a different IP address for every session. In this case, you should identify your stations by MAC address. This makes the program assign all network events in which the specified MAC address is present to that particular station and prevents the list of stations from becoming overpopulated. In some cases, you may encounter a different MAC address for each host. If you have a static IP address assigned to your network adapter and to the other stations on your LAN, you should use IP addresses to identify stations. We recommend using aliases for MAC and IP addresses, as this makes recognition and analysis of network events much easier.
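The choice described in this answer can be checked against your own event data. The following Python sketch is an added example, not NetResident code: the event tuples, aliases and function names are constructed for illustration, and it assumes the events were captured on the local segment where station MAC addresses are visible.

```python
from collections import defaultdict

# Constructed sample events (time, source MAC, source IP); not real capture data.
EVENTS = [
    ("2024-05-01T09:00", "00:11:22:33:44:01", "192.168.1.20"),
    ("2024-05-01T09:05", "00:11:22:33:44:02", "192.168.1.21"),
    ("2024-05-02T09:00", "00:11:22:33:44:01", "192.168.1.37"),  # new DHCP lease
    ("2024-05-02T09:10", "00:11:22:33:44:03", "192.168.1.20"),  # old lease reused
    ("2024-05-03T09:00", "00:11:22:33:44:01", "192.168.1.41"),  # another lease
]
# Hypothetical aliases, as the answer recommends using.
ALIASES = {"00:11:22:33:44:01": "reception-pc", "00:11:22:33:44:03": "lab-laptop"}


def stations_by(events, key):
    """Group events into stations keyed by 'mac' or 'ip'."""
    idx = {"mac": 1, "ip": 2}[key]
    stations = defaultdict(list)
    for ev in events:
        stations[ev[idx]].append(ev)
    return dict(stations)


def shared_ips(events):
    """IPs seen with more than one MAC: keyed by IP, different hosts would merge."""
    macs = defaultdict(set)
    for _, mac, ip in events:
        macs[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def recommend_identifier(events):
    """Return 'mac' if addresses churn (DHCP-like behaviour), else 'ip'."""
    ips_per_mac = defaultdict(set)
    for _, mac, ip in events:
        ips_per_mac[mac].add(ip)
    churn = any(len(ips) > 1 for ips in ips_per_mac.values())
    return "mac" if churn or shared_ips(events) else "ip"


if __name__ == "__main__":
    print("stations by IP :", len(stations_by(EVENTS, "ip")))
    print("stations by MAC:", len(stations_by(EVENTS, "mac")))
    for ip, macs in shared_ips(EVENTS).items():
        print(ip, "was used by", [ALIASES.get(m, m) for m in macs])
    print("identify stations by:", recommend_identifier(EVENTS))
```

With the sample data, keying by IP yields four stations for three computers and merges two different hosts under 192.168.1.20, which is the overpopulation and misattribution the answer warns about.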


Q. When I try to import CommView or CommView for WiFi log files, I am unable to display the contents of some of the files. I believe I have all parameters set correctly regarding the event viewer and filtering.


A. It's important to understand that the import procedure has its own filter and the content displaying mechanism has its own filter. When you were importing the file, the content was possibly filtered out during the import phase if you applied filters. Once the import phase is over, the application uses the display filter to show the contents. There is a chance that the application is configured to show only the data collected during the last two days, while the logs contained sessions that were outside this time frame. You may want to disable the display filter to have the application show the data.


Q. Why does the NetResident service insist on starting if I just want to review LOG files and not capture current data?


A. The database is maintained by the service. The GUI is simply a console that "talks" to the service. All data processing and filtering is performed by the service as well, so it has to be running.


Q. I have NetResident set up to start monitoring only when the application is running, and not to start with Windows. I noticed that after I shut down NetResident, the service process, "tfsnrs.exe", continues to run in Task Manager. Why does it continue to run?


A. Running the service and monitoring are different things. The service must be active at all times to be able to "talk" to the GUI. This doesn't mean that the service is capturing data at all times. It is capturing data only on demand. In theory, if the application is configured to capture data only when the GUI is running, one could start the service when the GUI starts and stop it when the GUI stops, but starting the service is a bit slow and, most importantly, that cannot be done remotely, when the service and GUI are running on different machines. That is something we plan to implement in the future. The fact that the service is running in the background shouldn't worry you because when it's not monitoring the network it doesn't consume considerable system resources.


Q. Can you give some performance metrics when NetResident is being used to monitor a heavily loaded network?


A. The program's performance depends on the CPU speed and RAM size. If you use the default monitoring settings, i.e. when all the plugins are enabled and all the ports are being monitored, an average Pentium 4 3 GHz PC with 512 Mbytes of RAM can monitor a fully utilized 100 Mbit link. To monitor faster network links, you should set up filtering by station, limit the ports being monitored, and disable unnecessary plugins. The performance also depends on the type of traffic being monitored, so additional filters should be applied only if you experience performance problems.


Q. For some ICQ and AIM chat sessions, one of the parties' ID number is shown as "Not detected." Why is it not detected?


A. This happens when an ICQ or AIM chat session (including the authentication phase) begins before NetResident starts capturing network packets. If capturing is started in the middle of a chat session, the ID can sometimes be found (as it is contained in some service packets, which are sent intermittently), although this cannot be guaranteed.


Q. Can your VoIP module be used for logging Skype conversations?


A. No, sorry. Skype uses robust encryption; it's impossible to decrypt Skype conversations.


Q. Why does NetResident not show the amount of transferred data in terms of bytes?

A. NetResident does not always store transferred data in its original form. Rather, it processes it for more convenient presentation. It's not uncommon for a single network session to be divided into several separate events, or several network sessions to be combined into one event. Besides, some transferred data simply is not supposed to be processed by current NetResident plugins. That said, NetResident cannot and is not supposed to display reliable network data statistics. If you're interested in network traffic statistics, you may want to use another TamoSoft product, CommTraffic.


Q. I use Wireshark and I noticed that it could no longer capture packets after NetResident had been installed.

A. There is a known conflict between WinPcap, the driver used in Wireshark and many similar products, and the driver used in NetResident. There is a simple workaround: start capturing packets with Wireshark before you start capturing packets with NetResident. In this case, both products will be able to capture data simultaneously. If you start capturing with NetResident first, WinPcap will fail to capture any packets for a reason unknown to us.


Q. Are there any known conflicts with other software?

A. Currently we know about conflicts with Kaspersky 2009 Antivirus. Kaspersky Lab developers report that they will fix this issue as soon as possible.