NIMA V1 User Manual

Introduction

The Nework Information & Monitoring Appliance provides quite a few powerful features to keep an eye on your network. However, it is imperitive that you know how to use these tools in order to get the full benefit out of NIMA (as well as not inadvertantly causing problems). This manual will attempt to "cover all of the bases" when using and implementing NIMA into your network. Please note that this is currently only a "draft" document and will be updated regularly as time permits.

Installation and Setup

To get NIMA up and running, simply extract the Zip file and start the Virtual Machine. However, for proper usage it is imperitive that you "place" the host computer properly on your network. NIMA is built to provide Network Monitoring abilities, in order for this functionality to work, it must be able to "see" all of the traffic coming into and going out of your network. You can do this in a few ways, depending upon your network setup.

The biggest obsticle in monitoring your network is dependant upon whether you are using switches or hubs to connect your computer. Switches, because they are "smarter" won't allow you "monitor" your network (unless you have expensive ones). Before I go on you should know that a Network switch does not "broadcast" it's traffic across all of its ports like a network hub does, if you need any information on Network Hubs vs. Network Switches check out this wikipedia article.

Note: NIMA was built with Microsoft Windows users in mind, some of the functionality might not work if you are using a GNU/Linux host. This is due to some security issues in switching the "virtual network adapter" into promiscuous mode.

Using a Switch that provides monitoring features

Some network switches provide the ability to have all of the traffic going through certain ports to be "mirrored" to another port. This provides an easy way to setup NIMA to be fully functional.

Enabling a monitor port using an HP Switch
Enabling a monitor port using an HP Switch

When using these types of switches, it is important to know which ports to monitor. Many people just set their switch to monitor every port, this can create quite a bit of information to be passed to your computer, most is probably something you do not want to monitor (unless you are troubleshooting). For instance, if you monitor every port, you will see all traffic on your network, including any Windows traffic, such as logons and shares, as well as any NFS or LDAP traffic. Most of the time you will not want this, so to filter all of this out it is recommended that you only monitor the port that your Firewall or Router/Gateway is connected to. That way the only traffic you are monitoring is what is leaving or coming into your network.

Using a Network Hub with Switches

To get around the inablity of owning a switch that does not provide a "monitoring port", you can incorporate a network hub into your infrastructure to get NIMA's monitoring functionality to work.

To do this simply place a Network Hub between your Firewall/Router/Gateway and your high speed network hub.

Adding a Network Hub to your Infrastructure
Adding a Network Hub to your Infrastucture

When implementing this setup, you will only monitor traffic going into and out of your network through the Firewall/Router/Gateway device. (Which is probably what you want)

Adjusting NIMA's System Settings

The Network Information & Monitoring Appliance was designed to work with most networks "Out of the Box", but as with anything related to computers, sometimes changes have to be made. This section will show you all of the configuration settings that you may need to adjust for your enviornment.

Adjusting System Settings using NIMA
Adjusting System Settings

Changing Network Settings

NIMA's virtual network adapter is configured by default to grab an IP Address from a DHCP Server running on your network. If you do not utilize a DHCP Server, you can adjust the IP settings using this launcher.


Adjusting Network Settings
Adjusting Network Settings

As you can see, the launcher simply opens a text editor with the network settings listed. To set a manual IP Address, simply uncomment the "config_eth0" line (remove the # number sign) and set your IP Address (and gateway address if needed). Once you are done, you must restart the network (see below).

Note: VMWare Player gives the option of running the Virtual Network adapter in "NAT Mode" instead of the default "Bridged Mode", if you set NIMA's virtual adapter in the "NAT Mode" some of the Virtual Machine's functionality will be lost.

Edit Application Menus

NIMA's underlying Window Manager, IceWM, provides an easy way to adjust the "Start Menu Programs". This launcher will open the menu configuration file in a text editor so you can easily adjust the "Start Menu". This is really only usefull if you install additional software into NIMA (see below).

Porthole Application Installer

NIMA's underlying Operating System, Gentoo Linux, provides an easy way to add and update software to the system. The Porthole Software Installer is a utility to manage all of the software on a Gentoo Linux system.

The Porthole Software Installer
The Porthole Software Installer

The first time you launch Porthole, no applications will be listed, this was done to reduce the size of the NIMA Virtual Machine. To remedy this, simply hit the "Sync" button to download an updated software package list.

Restart Network

The Restart Network launcher is simply an easy way for you to execute the command "/etc/init.d/net.eth0 restart". You will want to execute this after you make any adjustments to your Network Settings.

Set Resolutions

The "Set 800x600 resolution" and "Set 1024x768 resolution" launchers are simply an easy way to increase/decrease the screen size of the NIMA Virtual Machine.

Set DNS Servers

The Set DNS Servers launcher provides an easy way to adjust which DNS Servers the NIMA Virtual Machine utilizes. The launcher will open the nameserver configuration file in a text editor to allow you to adjust which server to use.

Adjusting the DNS Servers
Adjusting the DNS Servers

If the file is empty, simply add a line (or two) similar to "nameserver 192.168.0.1" and save the file, you should not need to restart the network after you set different nameserver, simply re-launch whatever application you need to use the new nameservers.

Note: This is not meant as a way to test different nameservers, there is a better way using the GNOME Network Tools application (see the Network Information Programs section of this User Manual).

VMWare Toolbox

The VMWare Toolbox launcher will launch VMWare's toolbox application to adjust various features reguarding this Virtual Machine.

NIMA's Network Information Programs

The Network Information programs provided with NIMA are meant to give you an easy way to "map" out your network, ensure your servers are not vulnerable and to ensure that your network is working correctly.


NIMA's Network Information Programs
NIMA's Network Information Programs

Cheops-ng

http://cheops-ng.sourceforge.net/
Cheops-ng is a tool to map out your network - find out what computers are on your network and what OS they are running.

Cheops-ng mapping out a network
Cheops-ng mapping out a network

To get started with Cheops-ng first launch the "Cheops Agent", this is a small "server" program that the Cheops-ng client program connects to. Then launch the Cheops-ng client program. When it asks for a computer to connect to, simply enter either the IP of your NIMA machine, or simply enter "127.0.0.1". Once the "client" is running, select "Viewspace" - "Add Network".

Once the dialog appears, you must enter a network - An example network would be Network="10.0.0.0", Netmask="255.255.255.0" - then click OK. What cheops will do is query all the hosts on the network, then find out what OS the hosts are running. Once you are finished using Cheops-ng, simply close the client, then close the xterm that is running the Agent.

Cheops-ng does offer some other features, such as host portscanning, but other programs are probably more suited for these tasks.

GNOME Network Tools

http://www.gnome.org/projects/gnome-network/
GNOME Network Tools provide a nice graphical interface to commonly used network diagnostic utilities.

GNOME Network Tools
GNOME Network Tools

The Devices Tab provides basic information about your network adapter, IP Address, Hardware MAC, Transmitted and Recieved bytes, etc.

The Ping Tab provides a nice gui interface to the Ping command, simply enter either an IP Address or a hostname and the appliance will send out packets to that address to see if and how fast the reply occurs.

The Netstat Tab provides a quick way to find out the routing table, active network services and the multicast info for the Virtual Appliance.

The Traceroute Tab provides an easy way to find out exactly which computers (and the speed of the computers) are located along the path to a remote address (or hostname). The screenshot above shows a traceroute in action.

The Portscan Tab allows you to scan the ports of any computer to see which services are available from that computer. Note: ensure you are in charge of the computer you are scanning, or have the permission of the person in charge. It is very "rude" to do a portscan of someone elses computer. If you need to scan an entire network of computers please use the NMAP port scanner (see below).

The Lookup Tab provides a nice gui frontend to tools that allow you to query DNS Servers. This is an invaluable tool to troubleshoot any DNS problems you may encounter.

The Finger Tab allows you to query any "Finger" server you need to talk to (this is a somewhat older service that isn't in use too much anymore).

The Whois Tab allows you to gather any information about who is the owner of a certain Internet Domain (such as pcc-services.com).

Nessus Security Scanner

http://www.nessus.org/

The Nessus Security Scanner provides an extremely easy way to ensure that your servers do not contain any known vulnerablities in it's software.

Starting a Scan with Nessus
Starting a Scan with Nessus

When you first launch Nessus, you are required to "login" to it, the username and password you need to use is "vmware" (for both). Once you are logged in, simply go to the Target Tab and enter either the IP Address or the hostname of whichever server you want to scan. Note: you can scan an entire network, for example the target could be "10.0.0.0/24" which would scan any computers at IP addresses 10.0.0.1-10.0.0.254.

Viewing a Nessus Report
Viewing a Nessus Report

After the scan, please do not be alarmed if some items come up! Nessus will report various items as warnings even if you simply have a service running on a particular port. Go through the entire report and see if you need to "patch" any services or simply disable any services. Be especially concerned with any server that is directly connected to the Internet.

NetDiscover - IP/MAC Info

http://nixgeneration.com/~jaime/netdiscover/

Netdiscover provides an easy way to find out what computers are on your network and find out what their IP - MAC address is.

Netdiscover showing results of a scan
Netdiscover showing results of a scan

To use Netdiscover you can simply lauch the application and it will watch the network for hosts. If you want quicker results you can set it to only scan your network, to do this open a "root terminal" (under Misc. Programs) then type in "leafpad /usr/share/bin/start-netdiscover", this will open a text editor to edit the launcher:

Now where it says "xterm -geometry 80x42 -e /usr/bin/netdiscover -r 10.0.0.0/24" - change the "-r 10.0.0.0/24" to whatever IP range your network is using. Now simply launch the app using the "start menu" and the program will now scan the IP range you entered.

NMAP Port Scanner

http://www.insecure.org/nmap/

NMAP is a fully configurable Port Scanner. It is used to query every port on the target and give information about what is available on the port.

NMAP showing the results of a scan
NMAP showing the results of a scan

With NMAP you can configure it to scan your entire network, simply use the following as your address "10.0.0.0/24", where 10.0.0.0 is your network range and /24 is the netmask (255.255.255.0 translates to 24).

NOTE: Again, ensure you either control or have permission to scan any computers, it is very "rude" to do a portscan without permission.

NIMA's Network Monitoring Programs

The Network Monitoring programs provided with NIMA are meant to give you an easy way to find out exactly what is happening on your network at any given time. You are able to monitor/graph any traffic travelling to/from your network, view any pictures coming into your network or record packets for future inspection.


Network Monitoring Programs provided with NIMA
Network Monitoring Programs provided with NIMA

NOTE: For these programs to work properly it is necessary to either make adjustments to any switches on your network or to utilize a network hub - see the Installation section of this User's Guide. It is also recommended to run this Virtual Appliance on a Microsoft Windows host, as certain GNU/Linux distributions prevent the Appliance to monitor your network.

Driftnet Image sniffer

http://www.ex-parrot.com/~chris/driftnet/

Driftnet will allow you to view *any* picture travelling to/from your network! I also coupled it with Webcollage so you can set the pictures to be viewed as NIMA's background image (as a collage).

Driftnet showing pictures being viewed on the network
Driftnet showing pictures being viewed on the network

Warning: This program can raise some privacy issues. I ran NIMA running driftnet as the background on a projector during a meeting and everyone's face turned quite a few shade's whiter - The Internet is not Private.

This is a very effective tool to let your users police themselves on the sites they visit. If you have a problem with users viewing pornography, this will stem their habbit.

Parents: This is also very effective at keeping your kids sticking the more appropriate web sites.

Etherape

http://etherape.sourceforge.net/

Etherape provides a nice graphical way to monitor all of the traffic on your network.

Etherape showing traffic to my website mirror
Etherape showing traffic to my website mirror

Etherape will show you instantly where all of the traffic is originating from or going to on your network. It also sorts the traffic into different colors dependiing upon what type of traffic it is - Red denotes http traffic.

Ethereal Packet Recorder

http://www.ethereal.com/

Ethereal is a very good packet analyzer/recorder. Most people won't ever need to use this, however, if you are running into network problems that you cannot sort out, this can come in handy.

Ethereal after a packet capture session
Ethereal after a packet capture session

To analyze network traffic, there are no other utilities that are as good as Ethereal, I have successfully found brand new viruses and have found faulty network cards using this tool.

IP Traf

http://iptraf.seul.org/

IP Traf is console base LAN Monitor. Using IP Traf you can view various real-time reports about the traffic on your network.

IP Traf running in Traffic Monitor Mode
IP Traf running in Traffic Monitor Mode

IP Traf allows you to view different kinds of information depending upon what mode you are running it in. You can view all traffic on your network, Network Interface information, packet-size info, etc.

NetWatch

http://www.slctech.org/~mackay/netwatch.html

Netwatch is a console utility to monitor the hosts that are communicating on your network.

Netwatch in action
Netwatch in action

Using netwatch you can quickly see what host(s) are using the most bandwidth and who everyone on your network is communicating with.

Currently there is a "bug" with using Netwatch under NIMA, sometimes it can take a few tries to get the program to launch correctly, hopefully this will be fixed in NIMA ver.2

Ntop

http://www.ntop.org/ntop.html

Ntop is a network traffic probe that provides various information through a web interface.

Viewing the local ntop Web Page
Viewing the local ntop Web Page

Ntop is a great way to view all of the traffic on your netwrok, including what services are using the network. The ntop implementation on NIMA runs constantly, so if you are running NIMA, then ntop is capturing data to be displayed. Simply launch the local web page using the shortcut provided in the "start menu" or click on "Local ntop" link when running firefox.

I somehow forgot the Admin password I used for Ntop, here is the instructions to reset the password:

  • Open a root terminal
  • stop ntop with: /etc/init.d/ntop stop
  • Remove the ntop_pw.db file using: rm /var/lib/ntop/ntop_pw.db
  • Run ntop so it will ask you for a password using: ntop
  • Restart the Virtual Machine to clear everything.
  • Logon to ntop using the web interface and the username of "admin".

Sorry for the inconvenience.

Packet Statistics

http://www.adaptive-enterprises.com.au/~d/software/pktstat/

Pktstat is a nice little utility that will give various information about all of the active packets being transfered on your network.

Pktstat showing some web, mail and CUPS traffic
Pktstat showing some web, mail and CUPS traffic

Pktstat is an easy way to determine exactly what kind of traffic is on your network, as well as finding out how much bandwidth different services are taking.

Tele Traffic Tapper (ttt)

http://www.csl.sony.co.jp/person/kjc/kjc/software.html

The Tele Traffic Tapper program is an excellent utility that shows a graph of the current bandwidth your network is using. It breaks the traffic down into two graphs hosts and protocols.

TTT showing a bandwidth graph
TTT showing a bandwidth graph

TTT is probably the quickest way to get very accurate information on the status of your Internet Bandwidth. It is a great way to find rogue applications or p2p apps using all of your bandwidth. It is also very useful in figuring out where a network bottleneck is occuring by providing you with a protocol breakdown as well as a host breakdown.

If you have any comments or suggestions for the next version of NIMA, feel free to email me.

Google Ad

© 2017 Mike Petersen - All Rights Reserved