TamoSoft: Network Analysis Tools & Security Software

Network Content Monitor - NetResident

NetResident Help Documentation
 

Plugins

NetResident uses a protocol module plugin system for processing and displaying network events. Every plugin is responsible for processing one network protocol or a number of protocols. The NetResident installation package comes with the following protocol plugins:

 

Web – processes the data transmitted over the HTTP protocol. This plugin is responsible for displaying Web pages.
Mail – processes the data transmitted over the POP3, SMTP, and IMAP protocols. These protocols are used by e-mail client and server software for e-mail message exchange.
News – processes the data transmitted over the NNTP protocol. This protocol is used for newsgroup message posting and viewing.
ICQ/AIM – processes the data transmitted over ICQ and AOL instant messaging protocols.
MSN – processes the data transmitted over the MSN Instant messaging protocol version 8.
FTP – processes the data transmitted over the FTP protocol used for downloading/uploading files from/to FTP servers.
Yahoo – processes the data transmitted over the Yahoo instant messaging protocol.
Jabber – processes the data transmitted over the XMPP protocol. This protocol is used for instant messaging by various Jabber clients, including Google Talk. Please note that the Jabber plugin is unable to capture SSL-encrypted messages.
IRC – processes the data transmitted over the Internet Relay Chat protocol.
Telnet – processes the data transmitted over the Telnet protocol.
VoIP – processes the data transmitted over the SIP protocol using RTP voice streams.
WebMail – processes e-mail messages sent or received via the Web interface of Web-based mail systems.
FileShare – processes the data sent or received via file hosting services (RapidShare, IFolder, NarodRu).
SocialNet – processes the data transmitted over social networks (Twitter, Facebook, LinkedIn, MySpace, Google+, Xing, Tumblr, Odnoklassniki, LiveJournal, VKontakte, StudiVZ, MeinVZ, SchuelerVZ, and LiveInternet).

 

Note: the SocialNet plugin processes outbound data only!

Note: The Web plugin is required for WebMail, FileShare, and SocialNet to operate properly.

 

Note: Playback of captured voice streams is not available to Lite License users.

 

The plugin modules are located in the "Plugins" subfolder in the application folder. By default, all plugins are enabled and active, i.e. they process network data and save it to the database. If you are not interested in processing and storing the data transmitted over certain protocols, you can disable the corresponding plugins in order to decrease CPU load and disk space utilization.

 

Additional plugin modules from TamoSoft can be added to NetResident as they become available. You must put the plugin module file into the "Plugins" subfolder in the application folder. After adding a plugin, you need to restart the NetResident service to load the new module. Click on the Stop NetResident Service / Start NetResident Service items in the NetResident program group to restart the service.

 

Some NetResident plugins can be configured to hide captured events (they won't be displayed in the event list, but they will be stored in the database) or even to filter out events during capturing altogether (they will be neither stored in the database nor displayed). The latter type is referred to as a "capture filter".

 

To configure a plugin to hide events, select Events => Filter => Advanced. Go to the Plugins tab. Select the desired plugin and click the Change button. To configure capture filtering, select Tools => Options and click Plugins. Select the desired plugin and click on the Change button to change its settings. The following options are available:

 

 

HTTP filter

 

Displaying a Web page requires a large amount of auxiliary files to be loaded by a browser automatically when opening the web page. The purpose of this filter is to hide all auxiliary files in order to reduce the amount of displayed records.

 


 

Please check the Enable filtering box for the HTTP filter to become active. If you would like to temporarily disable the filter, uncheck this box.

 

The Show the following types list allows you to specify the file types that will (or will not, depending on the settings) be shown as network events.

 

Text files – text and html files (Web pages)
Images – images
Well-known files – archives (.zip, .rar, .arj, etc.), MS Office documents (.doc, .xls) and other well-known files won't be displayed when this box is checked
Audio files – audio files
Video files – video files
All other – any other file type

 

Unchecking the corresponding boxes will make NetResident hide the respective file types from the event list. For instance, if you uncheck the Images box, you won't be able to see any images on the list. If you uncheck all boxes, you won't see HTTP network events at all.

 

Minimum image size, Kb – this option sets the minimum size an image must have to be displayed. Most images on the web (except photos) are quite small. If you would like NetResident to display images, but you don't want to see banners and page elements, set the desired value in this field.

 

Ignore responses with errors – when enabled, this option hides error requests/responses (most users should enable this option to reduce the amount of junk records).

 

Another part of the HTTP filter is site address filtering. It allows you to hide specific sites using their name as the filter criterion.

 

Hide the following sites – enables/disables site address filtering.

 

When enabled, the site address filter will hide all sites meeting the filtering criteria (specified in the Site Address Filtering frame). Please use the following basic syntax for specifying filter criteria:

 

. – any symbol

\. – the dot symbol

\d – a digit (from 0 to 9)

 

NetResident uses standard regular expressions for filtering. You can find more information regarding regular expressions and their syntax at http://www.regular-expressions.info/reference.html

 

Criteria examples:

 

Google\.com – hides sites containing "google.com" in their domain name

www\.google\.com – hides "www.google.com"

\.org$ – hides all sites from the .ORG domain

\d – hides all sites that have a digit in their domain name

 

Note: If you only specify the domain as a criterion (.org, .com, etc.), the $ character should be placed at the end of the string.

 

To add a filter criterion, please click the Add button on the right side of the window.

 


 

The Add Record window will open. Please specify a desired criterion and click on the OK button. The window will close and the respective record will be added to the filter criteria list.

 

To remove a record, please select it in the list and click the Remove button. To edit a record, select the desired record and click the Edit button.

 

 

HTTP capture filter

 

The purpose of this filter is similar to the previous one, except that it filters out events before saving them to the database. This reduces the amount of required disk space and CPU load while processing the database.

 


 

Check the Enable filtering box for the HTTP filter to become active. If you would like to temporarily disable the filter, uncheck this box.

 

Check the Skip SSL sessions box to disable capturing of HTTPS sessions.

 

The Site Address Filtering frame allows you to configure the list of URLs you'd like the application to filter. More information on the syntax for specifying filter criteria (regular expressions) is given above.

 

Two filtering modes are available: recording only the events matching filter criteria (the Capture only the following URLs option) or recording all events except the ones that match the criteria (the Capture all except the following URLs option).
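
The following is an added example, not part of the NetResident documentation or product code. It shows how the site address criteria described above behave in the two capture modes, so a rule set can be reviewed for unintended gaps in recorded traffic before it is applied. It assumes unanchored, case-insensitive matching (as the "Google\.com" example implies) and uses Python's re module as a stand-in for NetResident's regular expression engine; the hostnames are constructed.

```python
import re

# Assumption: criteria are searched anywhere in the host name, ignoring case,
# as the page's examples ("hides sites containing ...") suggest.
def matches(pattern, host):
    return re.search(pattern, host, re.IGNORECASE) is not None

def is_captured(host, criteria, mode):
    """mode 'only'   = Capture only the following URLs
       mode 'except' = Capture all except the following URLs"""
    hit = any(matches(p, host) for p in criteria)
    if mode == "only":
        return hit
    if mode == "except":
        return not hit
    raise ValueError("unknown mode: %r" % mode)

def audit(criteria, mode, hosts):
    """Return {host: captured?} for a rule set, for review before use."""
    return {h: is_captured(h, criteria, mode) for h in hosts}

# Constructed sample host names (not from the page).
HOSTS = [
    "www.google.com",
    "mail.google.com",
    "google.com.example.net",   # contains "google.com" but is another domain
    "example.org",
    "example.org.example.net",  # ".org" appears in the middle of the name
    "cyborg.example.com",       # "org" preceded by an arbitrary character
    "host7.example.com",
]

LOOSE = [r".org"]      # dot not escaped, no $ anchor
STRICT = [r"\.org$"]   # the form the page recommends for a bare domain

def skipped(criteria):
    """Hosts that an 'except' capture filter would not record at all."""
    result = audit(criteria, "except", HOSTS)
    return sorted(h for h, captured in result.items() if not captured)

if __name__ == "__main__":
    print("loose  :", skipped(LOOSE))
    print("strict :", skipped(STRICT))
    print("google :", skipped([r"Google\.com"]))
```

In "Capture all except" mode every unintended match is traffic that never reaches the database, which is why the unescaped dot and the missing $ matter more for capture filters than for display filters.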

 

 

Mail capture filter

 

This filter is for filtering e-mail messages and it is similar in functionality to the previous one.

 


 

 

Check the Enable filtering box for the Mail capture filter to become active. If you would like to temporarily disable the filter, uncheck this box.

 

Events can be filtered out by sender/recipient addresses and keywords in the message body. Boolean (AND/OR) logic is used to combine filter conditions. More information on the syntax for specifying filter criteria (regular expressions) is given above. This filter allows recording either all e-mail messages matching the filter conditions (the Capture only the following option) or recording all events except the ones that match the filter conditions (the Capture all except the following option).

 

 

FTP Capture Filter

 

Capturing data exchange via the FTP protocol may result in storing many large files in the application database. The purpose of this filter is to limit the size of such files.

 


 

Check the Enable filtering box to enable the filter. If you would like to temporarily disable the filter, uncheck this box.

 

Check the Set file size box and specify the required maximum file size in Megabytes in the corresponding field on the right.

 

The following options can be applied to files that exceed the specified limit:

 

Discard file content – when enabled, NetResident discards the content of the captured file and sets the file size to zero. The program keeps a record of the captured file in the database, but the file content is unavailable.
Store part of file content – when selected, only part of the file content is stored. The part above the file size limit is discarded.