This tab allows you to create alarms that can notify you about important events, such as suspicious packets, high bandwidth utilization, unknown addresses, etc. Alarms are very useful in a situation where you need to watch the network for some suspicious events, for example distinctive byte patterns in captured packets, port scans, or unexpected hardware device connections.
IMPORTANT:
Alarms can be triggered only by those packets that have passed the program's filters. If, for example, you configured the program to filter out UDP packets by creating the corresponding rule, while one of your alarms is supposed to be triggered by a UDP packet, such an alarm will never be triggered.
Alarms are managed using the alarm list shown below:
Each line represents a separate alarm, and the check box next to the alarm name indicates if the alarm is currently active. When an alarm is triggered, the check mark disappears. To reactivate a deactivated alarm, check the box next to its name. To disable all alarms, uncheck the Enable alarms box. To add a new alarm or edit or delete an existing one, use the buttons to the right of the alarm list. The E-mail Setup button should be used for entering information about your SMTP server if you plan to use e-mail notification options (see below).
The alarm setup window is shown below:
The Name field should be used for describing the alarm function. Check the Enabled box if you want the alarm that you are adding/editing to be activated once you have finished its setup. This check box is equivalent to the one shown in the alarms list. The Alarm Type frame allows you to select one of the ten alarm types:
· Packet occurrence – The alarm will be triggered once CommView has captured a packet that matches the given formula. The formula syntax is the same as the syntax used in Advanced Rules and is described in the Advanced Rules chapter in detail.
· Bytes per second – The alarm will be triggered once the number of bytes per second has exceeded (or fallen below) the specified value. Note that you should enter the value in bytes, so if you would like to have the alarm triggered when the data transfer rate exceeds 1 Mbyte per second, the value you should enter is 1000000.
· Packets per second – The alarm will be triggered once the number of packets per second has exceeded (or fallen below) the specified value.
· Broadcasts per second – The alarm will be triggered once the number of broadcast packets has exceeded (or fallen below) the specified value.
· Multicasts per second – The alarm will be triggered once the number of multicast packets has exceeded (or fallen below) the specified value.
· CRC errors per second – The alarm will be triggered once the number of CRC errors per second has exceeded (or fallen below) the specified value.
· Retries per second – The alarm will be triggered once the number of retries per second has exceeded (or fallen below) the specified value.
· Unknown MAC address – The alarm will be triggered once CommView has captured a packet with an unknown source or destination MAC address. Use the Configure button to enter known MAC addresses. This alarm type is useful for detecting new, unauthorized hardware devices connected to your WLAN.
· Unknown IP address – The alarm will be triggered once CommView has captured a packet with an unknown source or destination IP or IPv6 address. Use the Configure button to enter known IP addresses. This alarm type is useful for detecting unauthorized IP connections behind a corporate firewall. Use of IPv6 addresses requires Windows XP or higher and that the IPv6 stack be installed.
· Rogue APs – The alarm will be triggered once CommView has captured a beacon packet from an unknown access point. Use the Configure button to enter the MAC addresses of known access points. This alarm type is useful for detecting unauthorized access points.
· Ad Hoc Networks – The alarm will be triggered once CommView has captured a beacon packet from an unknown Ad Hoc station. Use the Configure button to enter the MAC addresses of known Ad Hoc stations, if any. This alarm type is useful for detecting unauthorized usage of Ad Hoc networks.
The Events needed to trigger field allows you to specify the number of times the expected event must occur before the alarm is triggered. For example, if you specify the value of 3, the alarm will not be triggered until the event occurs three times. If you edit an existing alarm, the internal event counter will be reset.
The Times to trigger this alarm field allows you to specify the number of times your alarm may be triggered before deactivation. By default, this value equals 1, so the alarm will be disabled after the first event occurrence. By increasing this value, you will make CommView for WiFi trigger the alarm multiple times. If you edit an existing alarm, the internal trigger counter will be reset.
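The interaction between the two counters is easy to get wrong when tuning an alarm, so here is a small model of it. This is an added illustration written for this page, not CommView's own code; it assumes (as this example's own reading of the text) that the event counter restarts after every trigger, so with Events needed = 3 and Times to trigger = 2 the alarm fires on the 3rd and 6th event and then deactivates itself, exactly as the check mark disappearing in the alarm list would show.

```python
class AlarmCounters:
    """Model of the 'Events needed to trigger' and 'Times to trigger this
    alarm' fields. The counter semantics are an assumption made for this
    example; the real implementation is CommView's."""

    def __init__(self, events_needed=1, times_to_trigger=1):
        if events_needed < 1 or times_to_trigger < 1:
            raise ValueError("both fields must be at least 1")
        self.events_needed = events_needed
        self.times_to_trigger = times_to_trigger
        self.reset()

    def reset(self):
        """Editing an alarm resets both internal counters and re-enables it."""
        self.enabled = True
        self.events_seen = 0
        self.triggered = 0

    def on_event(self):
        """Feed one matching event; return True if the alarm fires now."""
        if not self.enabled:
            return False
        self.events_seen += 1
        if self.events_seen < self.events_needed:
            return False
        self.events_seen = 0            # assumption: restart after each trigger
        self.triggered += 1
        if self.triggered >= self.times_to_trigger:
            self.enabled = False        # check mark disappears in the list
        return True


def firing_events(events_needed, times_to_trigger, n_events):
    """Return the 1-based indices of the events at which the alarm fires when
    n_events matching events arrive in a row."""
    alarm = AlarmCounters(events_needed, times_to_trigger)
    return [i for i in range(1, n_events + 1) if alarm.on_event()]


if __name__ == "__main__":
    # Default settings: fires once, on the first event, then deactivates.
    print(firing_events(1, 1, 5))
    # Events needed = 3, Times to trigger = 2: fires on events 3 and 6 only.
    print(firing_events(3, 2, 10))
```

With the defaults the alarm is a one-shot; raise Times to trigger if you want a noisy condition (for example a port scan that keeps going) to keep reporting without having to re-check the box after each hit.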
The Action frame allows you to select the actions to be performed when the alarm event occurs. The following actions are available:
· Display message: Shows a non-modal message box with the specified text. This action allows use of variables that are to be replaced by the corresponding parameters of the packet that has triggered the alarm. These variables are listed below:
%SMAC% -- source MAC address.
%DMAC% -- destination MAC address.
%SIP% -- source IP address.
%DIP% -- destination IP address.
%SPORT% -- source port.
%DPORT% -- destination port.
%ETHERPROTO% -- Ethernet protocol.
%IPPROTO% -- IP protocol.
%SIZE% -- packet size.
%FILE% -- the path to a temporary file that contains the captured packet.
For example, if your message is "SYN packet received from %SIP%," in the actual pop-up window text %SIP% will be replaced by the source IP address of the packet that triggered the alarm. If you use the %FILE% variable, a .NCFX file will be created in the temporary folder. It is your responsibility to delete the file after it has been processed; CommView for WiFi makes no attempt to delete it. You should not use variables if the alarm is triggered by Bytes per second or Packets per second values, as these alarm types are not triggered by individual packets.
· Pronounce message: Makes Windows speak the specified text using the text-to-speech engine. This box is disabled if your Windows version does not have the text-to-speech engine. By default, Windows only comes with English computer voices, so Windows may not be able to pronounce messages correctly if the text is entered in a language other than English. You can use the variables described in the Display message section in the message text.
· Play sound – plays the specified WAV file.
· Launch application – runs the specified EXE or COM file. Use the optional Parameters field to enter command line parameters. You can use the variables described in the Display message section above as the command line parameters if you want your application to receive and process information about the packet that triggered the alarm.
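Below is an added example of such a receiving application; it is not part of CommView or its documentation. It assumes the alarm's Launch application field points at python.exe and the Parameters field reads alarm_handler.py %SIP% %DIP% %SPORT% %DPORT% %FILE% (the script name and argument order are this example's choice). The script appends one JSON line per alarm to a log and moves the temporary .NCFX capture out of the temp folder, which takes care of the deletion the page says is your responsibility. Because the addresses come straight from the triggering packet, they are sanitized before being used in a file name.

```python
import json
import shutil
import sys
import tempfile
import time
from pathlib import Path

# Assumed alarm configuration (this example's choice, not CommView's):
#   Launch application: python.exe
#   Parameters:         alarm_handler.py %SIP% %DIP% %SPORT% %DPORT% %FILE%
# CommView substitutes the packet's values before starting the process, so the
# script receives them as ordinary positional arguments.
FIELDS = ("sip", "dip", "sport", "dport", "file")


def parse_args(argv):
    """Map the substituted %VAR% values to names; missing trailing values
    (e.g. %FILE% left out of the Parameters field) become None."""
    padded = list(argv[:len(FIELDS)]) + [None] * (len(FIELDS) - len(argv))
    return dict(zip(FIELDS, padded))


def _safe(part):
    """Keep only characters safe for a file name; packet data is untrusted
    (IPv6 colons, or anything odd a crafted packet might carry)."""
    return "".join(c if c.isalnum() or c in ".-" else "_" for c in (part or ""))


def handle_alarm(argv, log_path, archive_dir):
    """Log the alarm as one JSON line and move the temporary .NCFX capture
    named by %FILE% into archive_dir. Returns the record that was logged."""
    rec = parse_args(argv)
    rec["ts"] = time.strftime("%Y-%m-%dT%H:%M:%S")
    rec["archived"] = None
    src = Path(rec["file"]) if rec["file"] else None
    if src is not None and src.is_file():
        archive_dir = Path(archive_dir)
        archive_dir.mkdir(parents=True, exist_ok=True)
        name = f"{time.strftime('%Y%m%d-%H%M%S')}_{_safe(rec['sip'])}_{_safe(rec['dip'])}{src.suffix}"
        dst = archive_dir / name
        shutil.move(str(src), str(dst))   # processed: nothing is left in the temp folder
        rec["archived"] = str(dst)
    log_path = Path(log_path)
    log_path.parent.mkdir(parents=True, exist_ok=True)
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(rec) + "\n")
    return rec


def simulate(workdir=None):
    """Run the handler against a constructed temporary .NCFX file (sample
    bytes, not a real capture) and report what happened, for offline testing."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="alarm_demo_"))
    temp_capture = workdir / "commview_tmp.ncfx"
    temp_capture.write_bytes(b"constructed sample, not a real NCFX capture")
    argv = ["10.0.0.5", "10.0.0.9", "44321", "445", str(temp_capture)]  # constructed values
    rec = handle_alarm(argv, workdir / "alarms.jsonl", workdir / "archive")
    return {
        "record": rec,
        "temp_removed": not temp_capture.exists(),
        "archived_exists": bool(rec["archived"]) and Path(rec["archived"]).is_file(),
        "log_lines": (workdir / "alarms.jsonl").read_text(encoding="utf-8").count("\n"),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Started by CommView: sys.argv[1:] are the substituted variables.
        print(json.dumps(handle_alarm(sys.argv[1:], "alarms.jsonl", "archive")))
    else:
        print(json.dumps(simulate(), indent=2))
```

Run the script with no arguments to see the simulation; when CommView launches it with the substituted parameters, each alarm becomes one line in alarms.jsonl that a log collector can pick up, and the capture file is kept beside it for later inspection rather than accumulating in the temp folder.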
· Send e-mail to – sends e-mail to the specified e-mail address. You MUST configure CommView to use your SMTP server prior to sending e-mail. Use the E-mail Setup button next to the alarm list to enter your SMTP server settings and send a test e-mail message. Usually, an e-mail message can also be used to send alerts to your instant messaging application, cell phone, or pager. For example, to send a message to an ICQ user, you should enter the e-mail address as ICQ_USER_UIN@pager.icq.com, where ICQ_USER_UIN is the user's unique ICQ identification number, and allow EmailExpress messages in the ICQ options. Please refer to your instant messenger documentation or cell phone operator for more information. The Add text field can be used to add an arbitrary message to the e-mail notification. You can use the variables described in the Display message section in the message text.
· Enable capturing rules – enables Advanced Rules; you should enter the rule name(s). If multiple rules must be enabled, separate them with a comma or semicolon.
· Disable other alarms – disables other alarms; you should enter the alarm name(s). If multiple alarms must be disabled, separate them with a comma or semicolon.
· Start logging – turns on auto-saving (see the Logging chapter); CommView will start dumping packets to the hard drive.
· Stop logging – turns off auto-saving.
Click OK to save the settings and close the alarm setup dialog.
All the events and actions related to the alarms will be listed in the Event Log window below the alarm list.