overview - ftp.gunadarma.ac.idftp.gunadarma.ac.id/research/modul/webboy.pdf · overview webboy is a...

Upload: dinhkhanh

Post on 12-Apr-2019

Page 1: Overview - ftp.gunadarma.ac.idftp.gunadarma.ac.id/research/Modul/WebBoy.pdf · Overview WebBoy is a powerful Internet/Intranet monitoring and management utility. It monitors all Internet

Overview

WebBoy is a powerful Internet/Intranet monitoring and management utility. It monitors all Internet Protocol (IP) traffic providing insights and answers to a large number of network management and utilisation questions. WebBoy provides an intuitive real-time display of IP activity including logging and monitoring of Hypertext Transfer Protocol (HTTP), the major protocol used for World Wide Web traffic on the Internet. WebBoy provides facilities to focus on network traffic and produce complete logs of Internet and Intranet communications. WebBoy's intuitive graphical user interface is shown below.

Example WebBoy Display.

This snapshot shows monitored internet and intranet communication patterns on the local LAN. Hosts are shown as points (nodes) located around the circumference of the larger network circle. Networks are shown as larger circles containing the hosts. Networks are also organised into a circle to aid with visualisation although this has nothing to do with their actual (physical) location. The size of a node is directly proportional to the amount of traffic emanating from that host. Links represent communications between hosts and are shown as lines connecting nodes. The colour of a link shows the dominant protocol on that link, while the thickness is directly proportional to the amount of traffic being transmitted over the link. The display is updated at regular intervals to give a continuous visualisation of network activity.

In addition to per-host and per-protocol visualisations, WebBoy also provides information on overall network activity. The instantaneous network load is displayed in the top right corner of the display along with a graph of the changes in network load over time. The accessed URLs are displayed immediately below the load along with a graph of accessed URLs over time.

A large number of features on WebBoy's graphical display can be customised to suit a specific site or task. The graphical features are controlled via the controls panel. From this panel features such as node, link, network and font size can be scaled along with setting time-out values for nodes and links. A time-out value dictates how long a node or link will remain visible on the display after it stops communicating.

WebBoy's protocol key displays the current protocol focus. This shows the protocols currently in focus (being displayed). Protocols not in the current focus are shown in grey by default. The protocol focus is fully customisable. Any IP protocols can be defined and added to an existing or new protocol focus via the focus builder built into WebBoy.

When a large amount of data is displayed on WebBoy's graphical display it may become difficult to visualise the data. To solve this problem a Zoom Control window is provided. From the zoom window regions of the larger display can be selected for closer investigation.

WebBoy's statistics panel provides information on current network statistics including the application run-time, peak and average network load, the number of URLs accessed from proxies and the number of URLs accessed directly from the remote site.

The panel in the bottom right corner of the screen is the alarms panel. It provides a scrolling window of alarm notifications as they occur. Alarms are fully customisable and can be configured for accesses to a host or URL, use of a protocol or application as well as network performance statistics.

The bottom window is the active URLs window. This window gives a continuous display of URLs currently being accessed. Each URL is displayed along with the time of access, the source IP (the node which requested the URL), the destination IP (the node which supplied the URL; note that this may be a proxy server or the actual server for the URL) and the actual URL requested.

WebBoy records information of all traffic monitored and can provide full communication summaries. These communication summaries can be processed off-line to provide statistics for each monitoring session.

Reports can be generated upon request from the traffic reports menu. Reports can be ASCII text files, RTF, or HTML documents for viewing with an appropriate browser. In addition to IP traffic statistics, WebBoy provides summaries of accessed URLs. Access logs can be viewed in the accessed URLs window or from the available report generating facilities. These logs will be of particular interest to network administrators since they report the accessed URLs and where they were obtained from. Knowing the location a URL was accessed from provides an insight into the efficiency and use of web caches.

Alarms are another important feature of WebBoy. The alarms window is a scrolling list of real-time alarm notification messages. Alarms can be generated for a number of events including:

• access to a particular host

• access to a particular network

• access to a particular URL

• a network statistic exceeds a given threshold

• use of a particular protocol

The menu interface provides access to some of WebBoy's more advanced features. Features such as this can provide invaluable information to the network manager, however, they can also increase the screen complexity.

Advanced features provided by WebBoy are discussed in detail in the relevant sections of the manual. It is strongly advised that the network manager read the manual (particularly the chapter on using WebBoy for fault diagnosis and network management) in order to take full advantage of WebBoy's features.

Using WebBoy - The Display

An Overview of the WebBoy Display

When you run WebBoy, it automatically initiates monitoring of network traffic, building a picture of your network on screen. After a few minutes, the picture should be similar to this picture:

WebBoy Display.

The screen is divided into several areas. On the left is the network display area where you will see a picture of your network dynamically updated as the network is monitored. The menu system is accessed via the top of this screen. Hosts are shown as points (nodes) located on the circumference of the larger network circle.

Networks are shown as larger circles containing the hosts. The networks are also organised into a circle to aid visualisation. The size of a node is directly proportional to the amount of traffic emanating from that host. Links represent communications between hosts and are shown as lines connecting nodes. The colour of a line shows the dominant protocol on that link, while the thickness shows the amount of traffic being transmitted over the link. On the right and bottom of the screen are the statistics and control panels. The panels have several areas:

On the top right corner of the screen is the load monitor stripchart which is updated periodically. This monitors and displays the overall load on the network (as a percentage of total available network bandwidth).

Network Load Graph.

Beneath this is the accessed URL load graph. This monitors and displays the number of URLs being accessed per second. The graph shows the values of this figure over the previous 5 minutes.

URL Load Graph.

Underneath the monitors are the protocol key and display controls. WebBoy's protocol key displays the current protocol focus. This shows the protocols currently being displayed and their respective colours.

Protocols not in the current focus are shown in grey by default. The protocol focus is a list of protocols which are to be displayed. Using the protocol focus builder it is possible to build a number of protocol focuses which can be used at different times. Any IP protocol can be defined and added to a new or existing protocol focus using the focus builder. Readers are referred to the Section “Defining Custom Protocols” for details on defining your own custom protocols and focuses. The colour in which the protocol name is shown corresponds to the colour used in the display area.

Protocol Key.

At the bottom of the protocol panel is the network statistics window. In this window statistics are displayed reflecting the state of the network. These statistics include:

• Runtime: displays the total time, in HH:MM:SS format, WebBoy has been running.

• Proxy: displays the number of URLs which were served from URL proxy servers.

• Non Proxy: displays the number of URLs served from their home sites (rather than going through proxies).

• Total URLs: displays the number of URLs seen. Note that this number may run ahead of the URL display window at the bottom of the screen since that window will not display a URL until it has resolved DNS information about the URL.

• Peak load: displays the highest network load encountered (as displayed in the load monitor) for the total runtime.

• Average load: displays the average network load (as displayed in the load monitor) during the total runtime.

Statistics Box.

Next to the protocol key are the screen control sliders which enable the user to control the look and feel of WebBoy's visual display. The Controls provided are as follows:

Controls Panel.

• Node scale: This affects the size of a host (node) when it is communicating traffic. The size of the node is proportional to the amount of traffic emanating from the host. Altering this control will scale the size of the host relative to this figure.

• Link scale: This affects the size of a link between nodes when they are communicating. The link thickness is proportional to the traffic volume on the link. Altering this control will scale the size of the link relative to this figure.

• Max Node Radius: Sets a limit on the display size of a host.

• Max Link Width: Sets a limit on the display width of a link.

• Node Time-out: Governs how long a node stays visible on the screen after it has stopped transmitting.

• Link Time-out: Governs how long a link stays visible on the screen after communication ceases.

• Font Scale: Controls the size of the font used to display text on the screen.

• Network Scale: Controls the size of networks.

• Update Frequency: Controls the rate at which the visualisation screen is updated. On a busy network slowing this rate will free more CPU to capture and process packets.

Below the Controls is the Zoom box. This allows the user to zoom in on areas of interest and move around the screen when zoomed in. A zoom is selected by clicking the left mouse button and (with the button depressed) dragging the desired box. The box can be moved around the screen using the right mouse button. Clicking the left button again will turn zooming off.

Zoom Box.

Below the Zoom Control is the Alarms window. This window continuously displays alarm notification strings and times as alarms occur. Alarm notification strings are defined with an alarm and allow the administrator to know exactly which alarm has activated. Alarms can also be configured to play audio (.wav) files as well as execute shell commands. Custom alarms can be defined for most network events. Alarms are defined using the alarms builder (available from the Misc menu). For details on building your own custom alarms refer to the “Defining Custom Alarms” section.

Alarms Window.

The final window visible on the screen is the accessed URLs window. When a URL is accessed, details about the URL are resolved before the access is displayed in this window. The window shows the time of the access, the source host which requested the URL, the destination node which served the URL (note: this may be a proxy server) and the URL requested. This window has a sophisticated set of more detailed viewing options for URLs.

Accessed URLs Window.

By clicking on any URL with the right mouse button a number of extra viewing options can be accessed. Further details on URL accesses which can be requested include:

• Source Hosts Traffic: A list of all the hosts to which the source node has sent packets, how many packets and bytes have been sent and which protocols were used.

• Source Hosts Accessed URLs: A list of all the other URLs the source host has accessed.

• Source Hosts Served URLs: A list of all the URLs served by the source host.

• Destination Hosts Traffic: A list of all the hosts to which the destination host has sent packets, how many packets and bytes have been sent and which protocols were used.

• Destination Hosts Accessed URLs: A list of all the other URLs the destination host has accessed.

• Destination Hosts Served URLs: A list of all the other URLs the destination host has served.

• Browse the URL: This option will call up your default web browser and supply it with the URL for viewing.

Options on accessed URLs.

• Toggle Pause: This option will allow you to temporarily pause the scrolling of the URL output window so that you may examine the most recently accessed URLs in real-time. Note that all URLs pending output will be queued and displayed when you toggle the pause again. The number of pending URLs will be displayed in the “URL Requested” column of the “Accessed URLs Window” whilst the pause is active.

Using WebBoy - Menus and Options

File Menu

Custom Menu

Hosts Menu

Statistics Menu

Traffic Summaries Menu

Traffic Reports Menu

File Menu

The File menu allows access to features which control WebBoy’s overall application parameters, as well as allowing you to quit from the application.

• Adapter: If you have more than one network interface, this option will allow you to switch between adapters. At present, all configured network interfaces (excluding the dial-up adapter) will be displayed. The bit rate of your interface will be displayed in the “Link Speed” column. If you have an interface which supports more than one bit rate (e.g. auto-sensing 10/100), the currently active speed will be displayed. Upon changing interfaces, all overall network statistics will be resumed for that interface.

Upon exiting, the last used adapter will become the default the next time you invoke the application. The reference to the default adapter resides in the registry via the path:

\HKEY_LOCAL_MACHINE\SOFTWARE\NDG Software\WebBoy\1.4\interface

Interface is a “dword” value which corresponds to the adapter id shown in the “Adapter” column of this dialog.

Adapter dialog.

• DB options: This option allows you to perform routine or immediate maintenance on the URL database.

The “Pruning options” are by default set to retain all URLs, which means that WebBoy’s database of URLs will grow ad infinitum. If you are running WebBoy constantly and wish to keep the size of your database relatively constant, then you will need to select a retention time (or prune time) so that you may configure WebBoy to automatically prune its database at set intervals. This parameter is used in conjunction with the “Actions” sub-system (please see the example – “how to automatically prune the database”).

In the “Immediate actions” section you can flush out all URLs in the database via the “Initialise DB” radio button. Please note that this does not mean that disk space will be reclaimed as a result, but performing this operation will free up records in the database which can be re-used and not claim any further disk space. A similar result can be achieved by specifying the number of days' worth of URLs to retain; again, this will not reclaim any disk space. Note that the Immediate actions parameters will not affect the pruning options parameters.

Database Options dialog.

• Preferences: Changing the preferences of the “Host List” and “Node Watch” popup dialogs can be performed through this menu option. Selecting/Unselecting check boxes in either group box will cause columns from the respective dialogs to be displayed/not displayed.

Preferences dialog.

Custom Menu

This menu allows access to WebBoy's user customisation features.

• Protocol Focus Builder: Invoking this item will allow you to build your own “protocol focus”. Please refer to the section on “Defining Custom Protocol Focuses” for a detailed explanation.

• Alarms Builder: Invokes the dialog which will allow you to build custom alarms for network events of interest. Please refer to the section on “Defining Custom Alarms” for more information.

• Actions: If you want WebBoy to perform a background task at a particular time (eg. generate a report or prune the database), this function will allow you to configure such a task. Please refer to the section on “Actions – Scheduling Background Tasks” for further explanation.

Hosts Menu

The Hosts Menu provides access to host information as well as controlling how hosts appear on the network display. There are four options:

• IP Address: This option displays hosts and networks by their IP address.

• Local Name: This option displays hosts by their local name rather than their IP address.

• Host List: This option displays all hosts dynamically. By clicking with the left mouse button a host line is selected for further investigation. Once a line is selected the right mouse button allows the user to watch particular aspects of a host's activities. The individual host report (like most other reports in this application) provides an infinitely cascading set of menus. This means that from each report a line can be selected with the left mouse button and further viewing options obtained using the right mouse button. Also note that by clicking on the column headings, you can sort the entries in descending order.

Host List dialog.

• Duplicate IP detect: Causes a self-updating dialog box, which shows all duplicate IP addresses in use on your network, to appear. This option should only be used if you suspect that two (or more) hosts are using the same IP address. It is also useful for discovering routing mis-configurations of all devices on your network. For example, if you have two logical IP subnets defined in the same physical LAN, then for any given host a situation could arise whereby all traffic between either subnet could be repeated twice – leading to a degradation in network performance. Once invoked, the dialog will contain no entries; ideally it should stay this way.

Duplicate IP address detection dialog.

Note that the remove button will simply delete the display entry for the list of duplicates, it will not “fix” the problem on your LAN.

Statistics Menu

The Statistics Menu contains options that affect the time period which the network display reflects. These options are:

• Dynamic Hosts: Once the hosts exceed a time period without producing any traffic they time-out and disappear from the display. The time period for which they remain visible can be controlled via the Node Time-out control in the Controls panel.

• Dynamic Links: When no traffic has been seen on a link for a particular time period, the link times out and disappears from the display. The time period for which links remain visible can be controlled via the Link Time-out control in the Controls panel.

• Cumulative Hosts: In cumulative mode all hosts which have produced traffic are shown. This allows the user to see all hosts that have been active during the current execution.

• Cumulative Links: This mode shows all links for the currently visible hosts. If the Cumulative Hosts option is used in conjunction with this option all monitored traffic will be shown.

Traffic Summaries Menu

This menu allows access to summaries of data. For all menus in this section the left mouse button selects a line of interest and the right mouse button selects further information for the line.

• Top URLs: This option shows the most frequently accessed URLs. Further information can be obtained by highlighting a URL with the left mouse button. You can watch the URL accesses or browse the URL.

Top URLs Window.

All menus are infinitely cascading i.e. from each menu you can continue to click with the mouse to obtain further viewing options for data.

• Top Senders: This option shows the top hosts which transmit the most traffic. Further host information can be obtained including host traffic and accessed URLs by clicking the right mouse button.

Top Hosts Window.

• Top Receivers: This option shows the top hosts which receive the most traffic. Further host information can be obtained including host traffic and accessed URLs by clicking the right mouse button.

Top Hosts Window.

• Top Alarms: This option shows the alarms most frequently triggered. The alarm notification string is shown along with the number of times the alarm was triggered.

Top Alarms Window.

• Top Clients: This option shows the nodes most frequently making URL requests. Further host information can be obtained via the left mouse button including: generated traffic, accessed URLs and served URLs.

Top URL Clients.

• Top Servers: This option shows the URL servers serving the most URLs. Further information for the host can be obtained via the left mouse button including: generated traffic, accessed URLs and served URLs.

Top URL Servers.

• Top Links: This option shows top links based upon the number of bytes traversing the link. By clicking with the right mouse button further information for the host can be obtained including:

• Source host’s traffic

• Source host’s accessed URLs

• Source host’s served URLs

• Destination host’s traffic

• Destination host’s accessed URLs

• Destination host’s served URLs

Top Links Window.

• Protocol Statistics: This option shows an overall volume breakdown of all identifiable protocols. Also note that by clicking on the column headings, you can sort the entries in descending order.

Protocol Statistics.

Traffic Reports Menu

A number of different reports (described below) may be generated. On any report, the File menu can be used to print and save the report. The report can be saved as text (ASCII), HTML, or RTF (Rich Text Format). There is also an Edit menu which contains options to find, copy, cut, and paste the results of the report.

• URLs Report: This option shows all accessed URLs. URLs are displayed along with a summary of the host who accessed it, the name used to access the URL and the time and date when the access occurred. If the report is saved as HTML, each link is HREF’d to the appropriate URL.

URLs Report.

• Hosts Report: This option shows all monitored hosts. Hosts are displayed along with the nodes with which they communicated, which protocols were used, and how many packets and bytes were sent.

Hosts Report.

• Stats Report: This option shows overall summary statistics gathered during the execution of WebBoy. Statistics summarised include:

• top URLs, with the number of accesses,

• top hosts with the number of bytes transmitted,

• top Alarms along with the number of times the alarm was triggered.

Stats Report.

• Url Statistics Report: This option shows overall URL summary statistics gathered during the execution of WebBoy. Statistics summarised include:

• top URL clients with the number of URLs accessed,

• top URL servers with the number of URLs requested.

Stats Report.

• Alarms Report: This option shows all alarms triggered during the execution of WebBoy. Alarm notify strings are displayed and the time and date when the alarm was triggered.

Alarms Report.

• Client URLs Hit Report: This option shows a per client summary of the total number of hits registered with each visited web server.

Customising WebBoy

Defining Custom Protocols

Defining Custom Protocol Focuses

Example of Building a Custom Protocol Focus

Defining Custom Colours for Protocol Focuses

Defining Custom Alarms

Actions – Scheduling Background Tasks

Defining Custom Protocols

WebBoy examines all IP traffic. It learns about the various IP protocols via a protocol definition file (called protocol.pdl) which is written using NDG Software's Protocol Definition Language (PDL).

The language has two statements: primitive and protocol. The primitive statement is used to assign a tag to a value within a protocol. The syntax is:

primitive tag_name:tag_value "string"

The primitive definition begins with a tag name which is used to identify the primitive and can be used in further definitions. The tag value specifies a symbol or value to be searched for in the packet to identify this protocol. The string is for identification of the protocols by the user and is the string which will appear in the Custom Protocol Focus Builder.

Primitives are primarily used to define tags to be used in protocol definitions. A primitive by itself does not constitute a protocol definition. Here are some example primitive definitions:

primitive TELNET:23 "Telnet"

In this primitive definition the tag is TELNET and the tag's value is 23 (the port number for telnet). This tag value is important since it is the value which will be searched for to identify TELNET packets.

primitive ICMP:1 "ICMP"
primitive IGMP:2 "IGMP"
primitive FTP:20,21 "FTP"
primitive SMTP:25 "Mail"
primitive HTTP:80,81 "HTTP"
primitive HTTP_2:8000, 8080 "HTTP"

The HTTP definitions show how to define a range of values for the tag value. Ranges are used when a protocol is identified by a set of numbers within a range. Ranges must be continuous which is why two tags are needed for HTTP, one defining port numbers 80 and 81 (HTTP) and another defining port numbers 8000 through to 8080 (HTTP_2).

The protocol statement is used to define protocols and to provide classification rules for packets. The syntax of a protocol definition is as follows:

protocol tag_name:tag_value "String" header_size{
    byte | word:location_value tag_name...
}

The protocol definition begins with a tag name which is used to identify the protocol and can be used in further definitions. The tag_value specifies a symbol or value to be searched for in the packet to identify this protocol. The string is for identification of the protocols by the user and is the string which will appear in the Custom Protocol Focus Builder. The header size is supplied as a check for the packet parser when parsing incoming packets.

Here are some examples of protocol definitions:

protocol IP:0x800 "IP" 20{
    byte:9 ICMP
    byte:9 IGMP
    byte:9 TCP
    byte:9 UDP
}

The first line defines a protocol with a name tag of IP and a name value 0x800. The identification string is "IP" and the IP header has a size of 20 bytes. Inside the IP header are further sub-protocols and primitives called ICMP, IGMP, TCP and UDP. These sub-protocols will have either protocol or primitive definitions defining tag values which identify the sub-protocols contained within each IP packet. The byte:9 in the specification denotes the primary offset and size of the value to check from the beginning of this protocol specification. In other words we are to compare a byte value 9 bytes into the IP header looking for a byte containing the tag value of ICMP, IGMP, TCP or UDP. The tag value for each of these is contained within their specification.

Given the previous definition of IP consider the following definition of TCP.

protocol TCP:0x6 "TCP" 20{
    word:0,2 FTP
    word:0,2 TELNET
    word:0,2 SMTP
    word:0,2 HTTP
    word:0,2 HTTP_2
    ...
}

From this definition we can see that the tag value for TCP is 0x6 and that the TCP header is 20 bytes long. The word:0,2 in the specification specifies that the tag value for sub-protocols can be found at two locations, called the primary offset and the secondary offset. The primary offset is 0, meaning that the tag value for FTP, TELNET etc. can be found by doing a word-sized comparison (16 bits) starting at byte 0 (the primary offset) or byte 2 (the secondary offset) inside the TCP header. The tag value to look for at these offsets can be found along with the definitions of FTP, TELNET etc. As a further example, what follows is part of the specification for UDP.

protocol UDP:0x17 "UDP" 8{
    word:0,2 NFS
    word:0,2 X11
    ...
}

The PDL language described here is very versatile and will allow the user to incorporate custom protocol specifications into WebBoy. Complete definitions can be found in the protocol.pdl file. Once a new protocol has been included in this file it will automatically appear in the protocol focus builder for inclusion in WebBoy's visual display as well as all reports. When incorporating new protocols into WebBoy, users should remember that WebBoy monitors IP packets only, meaning that even if the protocol.pdl file contains definitions for protocols other than the TCP/IP suite protocols they will be ignored.
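The lookup these definitions describe, as an added example (not NDG Software's code or WebBoy's parser): a small Python interpreter for the primitive and protocol statements shown above, run over constructed packets. It assumes fixed-size headers (header_size is used to locate the next header), big-endian fields, and that a two-number tag value is an inclusive range; `parse_pdl`, `classify` and `ip_tcp_packet` are hypothetical names.

```python
import re
import struct

# Subset of the protocol.pdl definitions quoted above.
SAMPLE_PDL = '''
primitive ICMP:1 "ICMP"
primitive FTP:20,21 "FTP"
primitive TELNET:23 "Telnet"
primitive SMTP:25 "Mail"
primitive HTTP:80,81 "HTTP"
primitive HTTP_2:8000, 8080 "HTTP"
protocol IP:0x800 "IP" 20{
    byte:9 ICMP
    byte:9 TCP
}
protocol TCP:0x6 "TCP" 20{
    word:0,2 FTP
    word:0,2 TELNET
    word:0,2 SMTP
    word:0,2 HTTP
    word:0,2 HTTP_2
}
'''

TAG_PART = r'\s+(\w+):\s*(\w+)(?:\s*,\s*(\w+))?\s+"([^"]*)"'
PRIMITIVE_RE = re.compile(r'primitive' + TAG_PART)
PROTOCOL_RE = re.compile(r'protocol' + TAG_PART + r'\s+(\d+)\s*\{([^}]*)\}')
RULE_RE = re.compile(r'(byte|word):(\d+)(?:,(\d+))?\s+(\w+)')


def parse_pdl(text):
    """Return {tag: definition} for each primitive and protocol statement."""
    defs = {}
    for tag, lo, hi, label in PRIMITIVE_RE.findall(text):
        lo = int(lo, 0)
        # "20,21" or "8000, 8080" is an inclusive range; "23" is a single value.
        defs[tag] = {"range": (lo, int(hi, 0) if hi else lo),
                     "label": label, "rules": None}
    for tag, lo, hi, label, size, body in PROTOCOL_RE.findall(text):
        lo = int(lo, 0)
        rules = [(1 if kind == "byte" else 2,              # field width in bytes
                  [int(o) for o in (first, second) if o],  # primary, secondary
                  child)
                 for kind, first, second, child in RULE_RE.findall(body)]
        defs[tag] = {"range": (lo, int(hi, 0) if hi else lo), "label": label,
                     "header_size": int(size), "rules": rules}
    return defs


def classify(defs, data, start="IP"):
    """Walk the protocol tree over raw bytes; return the list of matched tags."""
    path, base, current = [start], 0, defs[start]
    while current["rules"] is not None:
        if len(data) < base + current["header_size"]:
            break  # truncated header: stop rather than read past the buffer
        match = None
        for size, offsets, child in current["rules"]:
            if child not in defs:
                continue  # rule names a tag that has no definition
            lo, hi = defs[child]["range"]
            for off in offsets:
                field = data[base + off: base + off + size]
                if len(field) == size and lo <= int.from_bytes(field, "big") <= hi:
                    match = child
                    break
            if match:
                break
        if match is None:
            break
        path.append(match)
        base += current["header_size"]
        current = defs[match]
    return path


def ip_tcp_packet(sport, dport, proto=6):
    """Constructed sample: 20-byte IPv4 header (no options) + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp
```

Because word:0,2 compares both port fields, `classify(parse_pdl(SAMPLE_PDL), ip_tcp_packet(8050, 443))` returns `['IP', 'TCP', 'HTTP_2']` purely because the source port falls inside 8000 to 8080, which is worth remembering when reading per-protocol reports.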

Defining Custom Protocol Focuses

WebBoy has a complete protocol focusing mechanism offering flexibility in the protocols (and colours) displayed. The picture shown below is an example of the display appearing when "Custom Protocol Focus" is selected from the Custom menu.

Protocol Focus builder Display.

The display is divided into three regions: the Focus Dictionary, the Focus Editor and the Protocol Tree. The Focus Dictionary contains the list of defined protocol focuses which can be selected via the left mouse button. The Focus Editor contains the list of displayed protocols in their respective colours. The Protocol Tree lists the protocols which can be included in a Custom Focus. The list of protocols to be included in the Protocol Tree is obtained from protocol.pdl.

Example of Building a Custom Protocol Focus

We shall demonstrate the power of the custom protocol focus by building a focus to display HTTP traffic in red, NFS traffic in blue and all other IP traffic in grey (the default colour).

1. Click on "New" in the Focus Dictionary; a new focus will appear in the dictionary.

2. Click the left mouse button on the text "New Focus" to change the text to an appropriate string e.g. "Web Focus".

3. Double click in the Protocol Tree to expand the tree of sub-protocols. From the Root, the sub fields of Ethernet II and IEEE802.3 will appear; double click on Ethernet II to expand this sub-tree. From this sub-tree, double click on IP to expand it.

4. Double click on TCP to expand the TCP sub-tree; from the TCP sub-tree left click on HTTP and with the mouse down drag the text (and icon) into the Focus Editor. Release the mouse button over this window to include the protocol in the focus.

5. Double click on UDP to expand the UDP sub-tree and drag-and-drop NFS from this sub-tree into the Protocol Focus.

6. The focus protocols to be included will all be in the same (default) colour. To change the colour of a protocol, double click on the protocol and a colour palette will appear; select a colour from the palette with your left mouse button and the protocol's colour will change.

7. You can repeat this process to define colours for other protocols in the current protocol focus.

8. At this point you have defined your custom protocol focus. Click OK (bottom left of the display) to activate the current protocol focus.

Protocol Focus Builder with an active Focus.

Defining Custom Colours for Protocol Focuses

When using the protocol focus builder, protocols can be defined to appear in any colour from the colour palette. The palette itself can be customised as follows.

1. Select Edit Palette from the focus editor region; the palette editor appears.

2. Select one of the squares from the colour palette to be modified. Select a black square (bottom of the palette) if you wish to add a colour to the palette. An example of the palette editor is shown below.

Protocol Focus Palette Editor.

3. Adjust the red, green and blue controls to achieve the desired colour.

4. When satisfied, click the OK button to include the colour at the selected position in the palette.

Defining Custom Alarms

WebBoy has a flexible and powerful alarm generation mechanism. Alarms can be generated for a number of reasons including:

• access to a URL

• access to a host

• use of a protocol

• a network (or traffic) variable exceeding a threshold.

Proper use of WebBoy's alarms mechanism can assist in maintaining network performance, improving network configuration and capacity planning as well as its obvious potential for improving network security.

The Alarms Builder, accessed from the Custom menu, activates a display similar to the picture below.

Custom Alarms Builder.

The Alarm Builder display is divided into five areas:

1. The "Alarms" area shows all the currently defined alarms. The alarm display string is shown along with a bell icon denoting whether the alarm is active or not (note: an alarm may be defined but not active).

2. The "Object" region displays all the objects upon which an alarm may be set i.e. a host, a network statistic, a protocol, a link or a URL.

3. The "Threshold Type" region defines a threshold for activating an alarm.

4. The "Traffic Units" area is used in conjunction with the Threshold Type region to set a unit measure for traffic levels when activating an alarm.

5. The "Actions" region allows the user to specify an audio file (.wav file) or command to run if the alarm is activated.

Example 1: Host Alarm

In the first example consider setting an alarm signal when a particular host becomes too busy.

1. Click on "New" in the Alarms box. A new alarm will appear with the text "New Alarm" and the activated (bell) icon turned off.

2. Slowly double click the left mouse button on "New Alarm" to change the text to an appropriate string e.g. "Disk server very busy".

3. Click on the Host button in the Object Type region thus highlighting a Name/Address field ready for a value to be entered.

4. Move to the Name/Address field and enter the host's name (a local name, complete domain name or an IP address may be entered).

5. Move to the Traffic Units region and select the units for the value field: Kbytes/sec, packets/sec or percentage of bandwidth being generated by the individual host.

6. After specifying the units, enter a value.

7. After this you may optionally set an audio alarm (.wav file) or a command to run, but at this point the alarm is defined.

8. Double click on the bell icon in the Alarms region to turn the alarm on and then confirm "OK" (bottom right of the alarm builder screen) to complete the definition and activate the alarm.

When triggered the alarm message (entered in the Alarms Region) is displayed in the Alarms section of the main window along with the time the alarm was triggered (i.e. the event occurred).

Example 2: Network Alarm

In the next example we shall define an alarm to activate if the network load exceeds 40% of capacity.

1. Click on "New" in the Alarms box. A new alarm will appear with the text "New Alarm" and the activated (bell) icon turned off.

2. Slowly double click the left mouse button on "New Alarm" to change the text to an appropriate string e.g. "Net Load over 40%".

3. After typing the text click the left mouse button on the Network button in the Object Type region. Selecting Network will cause the Traffic type region to automatically select a threshold high and the Traffic units region will automatically select KBytes/sec as the units and highlight the value field ready for a value.

4. Change the traffic units if necessary (e.g. %Bandwidth) and enter a value e.g. 40 into the value field.

5. You may optionally set an audio alarm (.wav file) or a command to run, but at this point the alarm is defined.

6. Double click on the bell icon in the Alarms region to turn the alarm on and then confirm "OK" (bottom right of the alarm builder screen) to complete the definition and activate the alarm.

Example 3: URL Alarm

In this example we shall define an alarm to activate if a particular URL is accessed.

1. Click on "New" in the alarms box. A new alarm will appear with the text "New Alarm" and the activated (bell icon) turned off.

2. Slowly double click (left mouse button) on the text "New Alarm" to change the text to an appropriate string e.g. "Access to NDG Home Page".

3. After typing the text left mouse click on the URL button in the Object Type region. Selecting URL will cause the Traffic type region to highlight a URL field ready for a value to be entered.

4. Move to the URL field and enter the URL: an individual URL e.g. http://www.ndgsoftware.com/products or a URL mask e.g. http://www.ndgsoftware.com may be entered. An individual URL means that the alarm will only trigger when that particular URL is accessed. A mask URL means that any URL beginning with this sequence will trigger the alarm e.g. if the URL is http://www.ndgsoftware.com, any URL from this site will trigger an alarm, but if the URL is http://www.ndgsoftware.com/ then only the top level home URL i.e. the "/" URL will cause an alarm.

5. After entering the URL select Occurrence from the Threshold type region meaning that the alarm should activate every time the URL access occurs.

6. After this you may optionally set an audio alarm (.wav file) or a command to run.

7. Double click on the bell icon in the Alarms region to turn the alarm on and then confirm "OK" (bottom right of the alarm builder screen) to complete the definition and activate the alarm.
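The individual-URL versus mask rule from step 4, as an added example (not WebBoy's code): it assumes an entry with no path is a mask and an entry with a path is an individual URL, and compares a literal "begins with" match against one bounded at the host name. The log records, the alarm strings other than "Access to NDG Home Page", and the function names are constructed.

```python
from urllib.parse import urlsplit

# Constructed URL log records: (time, client, url).
SAMPLE_LOG = [
    ("10:00:01", "192.0.2.10", "http://www.ndgsoftware.com/"),
    ("10:00:05", "192.0.2.11", "http://www.ndgsoftware.com/products"),
    ("10:00:09", "192.0.2.10", "http://www.ndgsoftware.com/products/webboy.html"),
    ("10:00:12", "192.0.2.12", "http://www.ndgsoftware.com.example.net/"),
]

# Constructed alarm definitions: (alarm string, URL entry).
SAMPLE_ALARMS = [
    ("Access to NDG site", "http://www.ndgsoftware.com"),            # mask
    ("Access to NDG Home Page", "http://www.ndgsoftware.com/"),      # individual
    ("Access to NDG products", "http://www.ndgsoftware.com/products"),  # individual
]


def url_alarm_matches(entry, url, host_bounded=True):
    """Decide whether one logged URL triggers one alarm entry."""
    parts = urlsplit(entry)
    if parts.path:                  # entry names a page: exact match only
        return url == entry
    if not host_bounded:            # literal "begins with this sequence"
        return url.startswith(entry)
    seen = urlsplit(url)            # mask must cover the whole host name
    return (seen.scheme, seen.netloc.lower()) == (parts.scheme, parts.netloc.lower())


def alarms_report(alarms, log, host_bounded=True):
    """Occurrence threshold: one report line per matching access."""
    return [(when, client, message)
            for when, client, url in log
            for message, entry in alarms
            if url_alarm_matches(entry, url, host_bounded)]
```

With the literal prefix comparison the mask also fires on the fourth record, a different host whose name merely starts with the same characters; the host-bounded comparison does not.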

Custom Alarms Builder with alarm defined.

Actions - Scheduling Background Tasks

Sometimes you may wish to generate a report or perform another kind of operation at a particular time, but would like to have it scheduled to execute completely unattended. These background tasks are known as “actions” and may be scheduled through this sub-system.

Currently, there are nine (9) possible actions which can be scheduled:

1. Urls report

2. Statistics report

3. Host report

4. Alarms report

5. Urls report with database purge

6. URL statistics report

7. Database purge

8. Database prune

9. Execute command

10. Client URLs hit report

Of these, “Execute command” is the only action which is not available as a menu item from within WebBoy.

Example Actions Dialog.

The above example shows the layout of the dialog which is divided into five (5) groups:

1. Time: Allows you to specify the time at which to execute the action. There are four ways of specifying how often to execute an action:

   1. Per minute: Selecting this mode will allow the execution of an action every x minutes, where x is the parameter specified in the “Time:” edit box.

   2. Hourly: Will execute only once per hour at the time specified in the “Time:” edit box.

   3. Daily: Will execute only once per day at the time specified in the “Time:” edit box.

   4. Weekly: Will execute only once per week at the time and day specified in the appropriate edit boxes.

Note that you can also set the priority of execution for each task. Priorities above “Normal” are not recommended as they may lead to a non-responsive system upon execution of the action.

2. State: Controls whether the action is to be executed whenever the time condition is matched (recurring), once only or never.

3. Action: Allows selection of one of the above nine (9) action types.

4. File: Allows the specification of a path for reports to be stored with associated file type. In the case of “Execute command”, this is the command (entered into the “Path:” edit box) with any associated arguments.

5. Actions list: Each list item summarises an action with its associated attributes. By selecting an item you are able to modify the attributes using the above group dialogs.

A new action is instantiated by clicking on the “New” button and then modifying the attributes that appear in the dialog. Unwanted actions may be removed by selecting the “Remove” button. All modifications made to the action list can be aborted by selecting the “Cancel” button. Selecting the “OK” button will commit all changes to the current configuration database and immediately activate the new action list.

How to Automatically Prune the Database

Assuming you have configured a prune time via the “DB options” dialog, you can have WebBoy automatically prune the database at set intervals. This is not imperative as the default value for pruning is 28 days. For this example we will assume that the database is to be pruned every hour, at 15 minutes past the hour.

1. Select the “Actions” item from the “Custom” menu.

2. Click on the “New” button – you will see a new item appear in the actions list. You will also notice that a set of default attributes are assigned to a new item.

3. Click on the “Hourly” radio button then enter “15” in the “Time:” edit box.

4. Select “Recurring” in the “State” group box. You will notice the state icon change in the action list.

5. Click on the “Database prune” radio box in the “Action” group.

6. When you click on “OK” the action will be committed to the configuration database and instantly activated.

Note that this operation will now automatically prune the URLs database at 15 minutes past every hour, with a URL logging window equal to the value of the “Remove after” parameter in the “Pruning options” group of the “DB options” dialog (default of 28 days).

Common Faults FAQ

Here are some common faults that you may encounter whilst using WebBoy. If you have any suggestions, or encounter problems that are not in this list, please forward them to [email protected]

Why does it say Default adapter is currently invalid for my card?

Why does it sometimes “blue screen” if I change adapter or exit?

Why can’t I monitor using my dialup adapter?

What’s the difference between purging and pruning the database?

Can I print the results of a watch node operation?

Why can’t I see URLs that I know other people are accessing?

Why does it say Default adapter is currently invalid for my card?

There are several possibilities which cause this problem to arise. The most common cause of this error is that the default adapter is not an Ethernet card, that is, your default system adapter is Token Ring, RAS, FDDI etc. We are working towards adding support for these devices, but at present only Ethernet devices are supported (including Fast Ethernet).

Under NT4.0, you must install and use WebBoy as administrator or equivalent. This is to protect administrators from “normal” users gaining access to the promiscuous Ethernet driver, and ultimately raw network traffic.

Also under NT4.0, if you have previously installed any products from NDG Software (excluding GeoBoy), you may need to manually remove a registry key in the Service Manager’s sub-tree. This is because previous versions of the install script do not automatically remove this key, and references to the old driver are left behind. To fix this problem run regedit and remove this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDISHOOK\

Why does it sometimes "blue screen" if I change adapter or exit?

The driver mechanisms employed by 95/98 and NT4.0 are different. This problem will only occur under 95/98 as they use a dynamically loading VxD which has a known fault. Usually you will only see this problem after running WebBoy for a number of hours and then quitting the application or selecting a different adapter. At present we do not have a fix, and unfortunately you will have to reboot after this occurs. Please stay up to date on our web site (http://www.ndgsoftware.com) for further developments.

What's the difference between purging and pruning the database?

A database purge removes all URL records from the database. A prune is a selective removal of URLs past a certain time period, that is, only the most recent URLs are retained. Pruning the database is useful for retaining a reasonably constant level of disk usage if WebBoy is left running 24 hours a day. Please refer to the section “How to Automatically Prune the Database” for more information.

Why can't I monitor using my dialup adapter?

In previous versions of WebBoy (V1.2) it was possible to monitor Dialup devices, but since then the driver has undergone some radical improvements (e.g. dynamic loading and major internal efficiency improvements). One of the side effects of the new driver was the loss of being able to monitor Dialup adapters. This will be fixed in a future release.

Can I print the results of a watch node operation?

Unfortunately it is currently not possible to print or save as text from any of the “watch node” popups. This feature will be added to a future version.

Why can't I see URLs that I know other people are accessing?

There are a number of reasons why you cannot see traffic that you think you should be able to see. There are, however, a number of workarounds that you can use to position yourself so that you can view all of your site’s incoming and outgoing IP traffic.

The most common problem encountered is that you are connected to an Ethernet switch. Being connected to a switched hub means that by definition you can only see your own traffic as well as other people’s broadcasts. This means that normal traffic (such as web traffic) is “screened” from your machine by the switch. If your Internet gateway is connected directly to your switched LAN then there is only one possible solution – if your switch supports it. Refer to your switch vendor’s manual for a mode which will allow you to view all (promiscuous) traffic on a designated port. Sometimes this is referred to as a “monitor” or “diagnostic” mode of operation. If your switch supports it, and you have no other way (see below) of accessing your LAN’s overall IP traffic, then enable this mode and patch yourself directly to the designated port (usually the highest physical port number on your switch). Note that this may incur a slight CPU performance penalty on your switching hardware.

If you have a network which is comprised of a combination of switches and “normal” shared medium Ethernet (hub style), then you may be able to position yourself on a hub which bears most of your IP traffic. If your Internet router is connected to such a hub, then this is the ideal monitoring position.

Also consider the possibility of being connected to a separate collision domain, that is, you are bridged somehow from the domain which carries the traffic you wish to monitor. The solution to this could be as simple as patching yourself into the collision domain which you wish to monitor.

Ultimately, solving this problem relies on your local knowledge of your LAN configuration, and perhaps a little trial and error. A future strategy for WebBoy is to include a distributed “remote agent” approach which will allow for total enterprise-wide monitoring of your Internet traffic.