NetContExt CA (Content Analyzer) user guide

[pic]



Document v1.1 Aug 2004

NetContExt CA (Content Analyzer) v1.7 user guide

Index

Chapter

• Foreword

• Introduction

• Installation and Setup

• System Overview

• Logging in to the NetContExt system

• The NetContExt main menu

• The NetContExt image report

• Search Tool

• Live view

• System administration and configuration

• The NetContExt CA demo interface

Published by , Mountain View, CA 94040. Contact support@ or visit

Last Revision Aug 2004

Version 1.0

Copyright 2004

All rights reserved. No parts of the contents of this document may be reproduced or transmitted in any form without the written permission of the publisher.

Foreword

NetContExt CA is a network traffic content analyzer that provides a searchable and browsable report of the payload data on the network it is listening to. This version specifically addresses images such as GIF / JPEG / PNG, but it can be modified to collect any payload information. It supports a real-time JAVA view that lets you see the content and user statistics as they occur.

NetContExt CA addresses inappropriate-use issues and helps enforce policy by alerting you to the specific users involved and the actual content they viewed. It supplies information on where and when they viewed it.

Introduction

NetContExt is a flow-based, real-time network content analyzer. It reassembles network packet data in the correct order and searches through the payload for known data types, in this case GIF / JPEG / PNG images.

Image data is written to permanent storage and reports are made on the collected images at regular intervals. The default interval is 4 minutes.

The report modules create a thumbnail proof sheet of all the images in any period for quick and easy inspection from any supported web browser. You can select a thumbnail to view the content at its original size. All the connection information about who/where/when/what is provided for each image.

Content can be grouped and sorted in a number of ways to easily create a report on a specific user's activities over a period of time.

Inappropriate content is automatically detected using a built-in image content analysis module (see the Skin Tone folder) and selected for a specific report. This allows network abusers to be quickly and easily identified.

NetContExt takes advantage of the flexibility of HTML for reporting, monitoring and configuration, and is accessible to any authorized user with a supported web browser.

This manual explains how to configure and use NetContExt to help you understand your users' behavior, enhance network security and increase network efficiency.

Trademark Notices

NetContExt is copyrighted in the USA and other countries and owned exclusively by . All other products and brands are the property of their respective owners.

Installation and Setup

This guide assumes that the software is already installed and running. Consult the Install Guide if you require further information on building a new system from scratch and loading a base operating system.

System Overview

NetContExt behaves like a network VCR. It continuously records and processes every packet it sees on its snoop network interface and reassembles the packets back into their original flows or connection streams. The final stream and all its data is examined for known content when the connection closes. If any known content types are found they are written to disk.

Data reports for each interval are available to view as an HTML folder.

Once configured the system is designed to run 7x24. It automatically manages its own resources and disk space and should require no maintenance.
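The reassembly-then-carve step described in the Introduction and in this overview, as an added example that is not NetContExt's own code: a pure-Python carver that scans a reassembled connection stream for the GIF / JPEG / PNG signatures and then walks each format's structure to its terminator, so only complete images are kept and a transfer cut off by a closed connection yields nothing rather than a partial file. The 'minimum size of documents to keep' from the Config page is modelled by min_size (20 kBytes is assumed to mean 20 KiB). The sample stream is constructed inside the block and is not captured traffic.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
GIF_SIGS = (b"GIF87a", b"GIF89a")

def _png_end(buf, start):  # walk PNG chunks; offset just past IEND, or None if truncated/corrupt
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 8 + length + 4                      # length, type, data, CRC
        if end > len(buf) or zlib.crc32(buf[pos + 4:end - 4]) != struct.unpack(">I", buf[end - 4:end])[0]:
            return None                                 # truncated, or the CRC over type + data fails
        if ctype == b"IEND":
            return end
        pos = end
    return None

def _jpeg_end(buf, start):  # walk JPEG marker segments; offset just past EOI (FF D9), or None
    pos = start + 2                                     # skip SOI; every following segment is length-prefixed
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if pos + 4 > len(buf):
            return None
        pos += 2 + struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if marker == 0xDA:                              # SOS: entropy-coded data follows the header
            while pos + 1 < len(buf):                   # FF00 is byte stuffing, FFD0-D7 are restart markers
                nxt = buf[pos + 1]
                if buf[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None

def _gif_sub_blocks(buf, pos):  # skip length-prefixed sub-blocks; offset just past the 0x00 terminator
    while pos < len(buf) and buf[pos]:
        pos += 1 + buf[pos]
    return pos + 1 if pos < len(buf) else None

def _gif_end(buf, start):  # walk GIF blocks; offset just past the 0x3B trailer, or None
    pos = start + 6                                     # "GIF87a" / "GIF89a"
    if pos + 7 > len(buf):
        return None
    flags, pos = buf[pos + 4], pos + 7                  # logical screen descriptor
    if flags & 0x80:
        pos += 3 * (2 << (flags & 7))                   # global colour table
    while pos is not None and pos < len(buf):
        tag, pos = buf[pos], pos + 1
        if tag == 0x3B:
            return pos
        if tag == 0x21:                                 # extension: label byte, then sub-blocks
            pos = _gif_sub_blocks(buf, pos + 1)
        elif tag == 0x2C:                               # image descriptor
            if pos + 9 > len(buf):
                return None
            iflags, pos = buf[pos + 8], pos + 9
            if iflags & 0x80:
                pos += 3 * (2 << (iflags & 7))          # local colour table
            pos = _gif_sub_blocks(buf, pos + 1)         # LZW minimum code size, then image data
        else:
            return None
    return None

def carve_images(stream, min_size=20 * 1024):
    """Return (kind, offset, data) for each complete image of at least min_size bytes."""
    found, pos = [], 0
    while pos < len(stream):
        kind = end = None
        if stream.startswith(PNG_SIG, pos):
            kind, end = "png", _png_end(stream, pos)
        elif stream.startswith(JPEG_SOI, pos):
            kind, end = "jpeg", _jpeg_end(stream, pos)
        elif stream.startswith(GIF_SIGS, pos):
            kind, end = "gif", _gif_end(stream, pos)
        if end is None:                                 # no signature here, or a truncated image
            pos += 1
            continue
        if end - pos >= min_size:
            found.append((kind, pos, stream[pos:end]))
        pos = end
    return found

# Constructed sample data (not captured traffic): a PNG padded above the default minimum size,
# a tiny GIF and a minimal JPEG skeleton, framed the way they would sit in a reassembled stream.
def _png_chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def _sample_png(pad):  # 1x1 RGB PNG carrying a tEXt chunk of `pad` bytes
    return (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
            + _png_chunk(b"tEXt", b"Comment\x00" + b"x" * pad)
            + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _png_chunk(b"IEND", b""))

SAMPLE_PNG = _sample_png(25000)
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
              + b"\x21\xf9\x04\x00\x00\x00\x00\x00"       # graphic control extension
              + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00\x3b")
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10" + b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a" * 3 + b"\xff\xd9")   # stuffed FF00 and RST0, then EOI
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + SAMPLE_PNG
                 + b"\r\n--frame--\r\n" + SAMPLE_GIF + b"\r\n--frame--\r\n" + SAMPLE_JPEG)
```

carve_images(SAMPLE_STREAM, min_size=0) yields all three images in stream order; with the default minimum only the padded PNG survives, which is the effect of the 20 kBytes setting on small icons and thumbnails. Passing SAMPLE_STREAM[:-2] (EOI marker missing, as when a connection closes early) drops the JPEG entirely, and a PNG whose chunk CRCs do not verify is likewise skipped rather than written to disk.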

Logging in to the NetContExt system

Access the NetContExt system home page using any supported browser with a URL like:

https://1.2.3.4/

where 1.2.3.4 is the IP address or domain name of your NetContExt system. Ensure you are using the HTTPS protocol and not HTTP to connect.

Your web browser should display the NetContExt home page banner. This page allows you to log in as one of two users, guest and xqos. It also shows important support information such as the device hostname, id and software version number.

The guest account is the one normally used; it provides access to all the network reports and search functions. The privileged xqos account has access to everything the guest account does and can in addition open the administration folder to change the behavior of the NetContExt device and view its current settings and health status.

The image below shows the NetContExt home page.

[pic]

The image below shows the NetContExt login dialog.

[pic]

The NetContExt main menu

This page displays the main menu to access all the components in the NetContExt system. This is the page you will be using as a home base while you operate the system. It is split into a number of main components:

Administration functions

Tools

System folders

Saved folders

Live folders

The image below shows the NetContExt main menu.

[pic]

The areas listed above and shown on the example screenshot have the following purposes.

Administration functions

• System - view the license status, start and stop collection, and reset the report database.

• Config - view/change the settings that control how NetContExt collects and stores documents.

• Accounts - change/set the passwords for the NetContExt accounts.

• Health - view the current health of the NetContExt system.

Tools

• Search - create a report of usage involving a specific IP address (images viewed by a single user).

• Help - view basic help on the NetContExt system functions and reports.

• Live - start the JAVA-based real-time tool to view images as they are collected.

System folders

• Demo - view a demonstration of the NetContExt system using example images. It operates in a similar manner to the Live system but displays a standard set of cleansed images. View the 'Example Images' report for typical examples of the range of images seen on most networks.

• Archive - view a history of image thumbnails that have been collected since the system was started.

• Skin Tone - view images that match the skin tone detection algorithm.

Saved folders

View images that have been selected by the operator for permanent storage.

Search folders

View images that have been selected by a user search for activity on a specific IP address.

Live folders

View real-time images that have been collected by the system. By default Live folders are created every 4 minutes. The last folder collected is at the top of the list.

Each folder entry contains the name, time, size and number of images in the folder.

Save and Delete buttons are available on the Search, Saved and Live folders. Delete allows you to remove unwanted folders; you are prompted to confirm any delete request.

The Save function recreates the selected folder on your local PC as a standalone HTML report. It has no dependencies on the NetContExt system, which lets you put content on a CDROM for long-term storage and backup purposes.

Context sensitive help is available throughout the main page. Click on any of the question mark symbols for further information.

The NetContExt Image Report

Each image report folder is split into a number of distinct areas.

Title - provides a link to return to the main menu and a link to jump to the statistics report at the bottom of the page.

Content table - displays thumbnail versions of the captured images. Each image cell contains details about the source and destination addresses and timing/size information. See the section below for further details on the image cell layout.

Control buttons - On each report page there are 5 buttons located between the content table and the report summary sections. The buttons mainly control what happens to any images that have been selected. Images are selected by clicking on the check box in any image cell. The check box has the title 'Mark' next to it. A tick mark will appear in the box when it has been selected.

Clicking on the Group button in any image cell will automatically select all images associated with the same client IP address. Use this to quickly find all images viewed by the same user. Once they have been selected press the 'Save marked images and return' button to permanently copy all the selected images to a saved folder. The Saved folders are accessible from the main menu.

The control buttons have the following effect:

• Save marked images and return - copy all selected images to a Saved folder and return to the main menu.

• Return with no changes - return to the main menu page without making any changes.

• Select all - select all images on the page by marking all the check boxes in image cells.

• Unselect all - unselect all selected images.

• Help - display basic help on the NetContExt system.

Report Summary - a table containing statistics about the activity of the clients and servers involved in the transfer of images. This makes it easy to see who the top suppliers and consumers of images are. Use this table to display the images associated with specific servers and clients.

The image below shows an example of the image report.

[pic]

Image Details

Each cell layout is identical, regardless of the type of report.

The image below shows an example of the details of each image.

[pic]

The statistics section at the bottom of each report summarizes the activity behind all the images in the report. Group totals for documents sent by server or received by client are shown. The left columns show totals by server (sender); the right columns show totals by client (recipient).

Use this report to determine the top senders and receivers of documents seen in the report. Links are provided to display all images from any server or client (View), select all matching images (Mark) and search for similar documents associated with an IP address (Find).

The image below shows an example of the statistics.

[pic]

Search Tool

The Search tool enables you to find all captured documents associated with a specific IP address.

Access the tool through the 'Search' link on the main menu page.

The image below shows the Search page.

[pic]

Enter the IP address you wish to search for, e.g. 192.168.1.4.

Make a note of the IP address you have entered. You will need to find the corresponding report on the main page in the report section when you have completed the search.

The default setting is to search the 'Live Folders' and skip the 'Archives'. This results in the fastest search times. The 'Live Folders' contain the latest information; the maximum age is set by the 'Circular Buffer' value in the Config page. The 'Archives' contain any data that has been expired from the 'Circular Buffer'.

Warning: The 'Archives' may contain a significant amount of data and will take some time and resources to complete the search. Only search the 'Archives' if necessary.

You can also reach the Search page by selecting any of the IP address links from the reports. In this case the IP address will already be filled in ready to go. This is the most common method of searching for similar documents.

Once a search has completed the matching documents will be automatically displayed. You can also reach the results of any search by looking for the related entry in the 'Search' section of the main page. Results of searches are never deleted unless you request removal. In addition, search results can be downloaded to your PC for further analysis by selecting the 'Save' button in the Search section next to any report.

Live View

The NetContExt system supports a near real-time view of the images seen traversing the network via a JAVA applet. Ensure you have a current version (1.4.2 or later) of the JVM installed on your PC from .

The JAVA applet connects to the NetContExt server over your browser's HTTPS connection and downloads a random selection of the thumbnail images from the current 4-minute collection period. These thumbnails scroll across the JAVA window and can be clicked for further information about the source, destination, protocol and so on.

Double-clicking any image in the scrolling list saves it to the second tab. These images are preserved for the lifetime of the JAVA applet session. Use this feature to select interesting documents and spot trends in usage.

The image below shows an example of the JAVA real-time launch window.

[pic]

The image below shows an example of the JAVA real-time applet.

[pic]

If you have problems with the JAVA applet loading, or wish to restart it for any reason, use the 'Reload' button at the bottom of the window. Be aware that Microsoft's browsers do not support JAVA well and it may take a few tries to get the applet running smoothly. Be sure you have the very latest JVM from the link above and close all IE windows before retrying with a new version.

This applet is one example of what is possible with the real-time data feed from the NetContExt server. All the traffic data is available and is fully asynchronous; to access it you need an HTTPS client such as wget (a Unix command-line utility) or a JAVA tool. Contact for further information.

System Administration

The system administration section allows you to configure, control and monitor the functions of the NetContExt device.

All the system administration functions require the administrator account's privileges. If you logged in as the administrator you will not have to do anything further, but if you logged in as guest you will be prompted for the administrator account's credentials.

The administration functions are

• System - view the license status, start and stop collection, and reset the report database.

• Config - view/change the settings that control how NetContExt collects and stores documents.

• Accounts - change/set the passwords for the NetContExt accounts.

• Health - view the current health of the NetContExt system.

The image below shows an example of the System window.

[pic]

The items you can change in the System folder are:

• View the current status of your NetContExt license. Use the Update button to install a new license or update your existing one.

• Start and stop the collection of network traffic and the creation of reports.

• Reset the report database, i.e. delete all collected data and reports.

The Config page changes the way NetContExt collects and stores documents. Use the default values whenever possible. The settings that can be changed are:

• The minimum size of documents to keep (default 20kBytes)

• The size of the circular buffer on the main NetContExt menu (default 48 hours)

• The collection time for each Live folder (default 4 minutes)

• Archive only thumbnails to save space (default True)

• The number of Live folders shown on the main NetContExt page (default 15, roughly the last hour's activity)

The circular buffer size controls how long full-size images are kept on the system. After this time only a thumbnail of each image is kept. Thumbnails are stored until the disk fills up, at which point the oldest images are removed first.

The circular buffer is a key component of the NetContExt system. Given the vast number of documents the system can potentially collect, it is infeasible to keep original copies of every document. The circular buffer duration determines how long original documents are retained. Once a document leaves the circular buffer only a thumbnail is kept (in the case of images). These thumbnails are kept in the system archives until the disk reaches its maximum capacity (default 95%), at which point the oldest archived documents are deleted to make space for new content.

The system must be restarted if any changes are made to the settings.
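The retention policy just described, as an added example that is not NetContExt's own code: a simulation of the two stages, originals expiring from the circular buffer into thumbnails, then oldest-first deletion of archived thumbnails once the disk passes the high-water mark. The guide's defaults (48 hours, 95%) are used as parameters; the Document class, the document and thumbnail sizes, the disk sizes and the time values are assumptions for illustration. One consequence the description implies is also modelled: because only archived documents are ever deleted, a disk whose content is all still inside the buffer cannot be brought back under the mark.

```python
from dataclasses import dataclass


@dataclass
class Document:
    """One captured document (assumed model). The original survives only while inside the circular buffer."""
    captured_at: float          # seconds since the epoch
    full_size: int              # bytes of the original
    thumb_size: int             # bytes of the thumbnail
    has_original: bool = True
    deleted: bool = False

    def footprint(self):
        if self.deleted:
            return 0
        return (self.full_size if self.has_original else 0) + self.thumb_size


def apply_retention(docs, now, disk_bytes, buffer_hours=48, high_water=0.95):
    """Apply the two-stage policy from the guide and return a summary dict.

    1. Originals older than the circular buffer are reduced to their thumbnails.
    2. While usage exceeds the high-water mark, archived thumbnails are deleted oldest
       first. Originals still inside the buffer are never evicted, so usage can stay
       above the mark; 'over_threshold' reports that case.
    """
    cutoff = now - buffer_hours * 3600
    for d in docs:
        if d.has_original and d.captured_at < cutoff:
            d.has_original = False
    limit = high_water * disk_bytes
    used = sum(d.footprint() for d in docs)
    for d in sorted(docs, key=lambda d: d.captured_at):
        if used <= limit:
            break
        if not d.deleted and not d.has_original:
            used -= d.footprint()
            d.deleted = True
    return {
        "originals": sum(1 for d in docs if d.has_original and not d.deleted),
        "thumbnails": sum(1 for d in docs if not d.has_original and not d.deleted),
        "deleted": sum(1 for d in docs if d.deleted),
        "used": used,
        "over_threshold": used > limit,
    }


def sample_documents(now):
    """Constructed data: one 100 kB image with a 20 kB thumbnail every 10 hours over 90 hours."""
    return [Document(now - age * 3600, 100_000, 20_000) for age in range(0, 100, 10)]


if __name__ == "__main__":
    import time
    now = time.time()
    for disk in (720_000, 600_000):            # assumed disk sizes chosen to show both outcomes
        print(disk, apply_retention(sample_documents(now), now, disk_bytes=disk))
```

With a 720,000-byte disk the five documents older than 48 hours become thumbnails and deleting the single oldest thumbnail is enough to fall back under 95%. With a 600,000-byte disk every archived thumbnail is removed and usage still stays above the mark, because the remaining bytes all belong to originals inside the buffer: an undersized disk or an oversized circular buffer leaves nothing left to evict.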

The image below shows an example of the Config window.

[pic]

System Administration – Accounts

The NetContExt system has 3 default accounts.

Guest - general read-only account for browsing the reports.

Demo - view only the demonstration. No access to live data.

Admin - access all data and modify the system settings, including the start/stop/reset functions.

Tip: only update one account password at a time to avoid errors. Passwords must be entered in both fields. Set your own passwords for all three accounts when the system is first deployed, since the Admin account can change every setting and the Guest account can browse everything the system has collected.

The image below shows an example of the Accounts window.

[pic]

System Administration – Health

The Health page provides details on the current state of the device. Use this information to identify the causes of any problems you experience. The health information displayed covers the standard resources consumed by most computers and should be familiar to anyone with PC system administration experience.

For further information, read any basic UNIX system administration manual.

The items displayed are:

General system and process information

    09:35:52  up 72 days, 12:07,  1 user,  load average: 0.33, 0.82, 0.90
    59 processes: 57 sleeping, 1 running, 1 zombie, 0 stopped
    CPU states:  cpu    user    nice  system    irq  softirq  iowait    idle
               total    0.2%    0.0%    1.2%   0.0%     0.4%    2.4%   95.5%
               cpu00    0.0%    0.0%    2.9%   0.0%     0.0%    0.0%   97.0%
               cpu01    0.9%    0.0%    0.9%   0.0%     1.9%    5.8%   90.1%
               cpu02    0.0%    0.0%    0.0%   0.0%     0.0%    0.0%  100.0%
               cpu03    0.0%    0.0%    0.9%   0.0%     0.0%    3.9%   95.0%
    Mem:  1028484k av, 1008340k used,   20144k free,       0k shrd,  238996k buff
           597072k actv,  333512k in_d,    8848k in_c

Disk volume utilization

Shows the current disk space utilization. Example entry:

    Filesystem           1K-blocks      Used Available Use% Mounted on
    /dev/sda1              4127076   1232116   2685316  32% /
    /dev/sda3            134931468  10764912 117312424   9% /data
    none                    514240         0    514240   0% /dev/shm

Current users

Shows any users who are logged on to the system console. This is not a list of users of the web interface. Example entry:

    09:35:52  up 72 days, 12:07,  1 user,  load average: 0.33, 0.82, 0.90
    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
    joe      pts/1    192.168.1.69      14Jul04 12days  0.12s  0.03s sshd

Active Servers and connections

Displays the services the device is listening on, such as the time daemon (ntp), and any active connections to it. Note that in the example below the device is listening on plain http as well as https, although the web interface should only be accessed over HTTPS (see the login instructions earlier in this guide); all of the listed services run as root. Example entry:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
    tcp        0      0 *:http                  *:*                     LISTEN      root       1770
    tcp        0      0 *:ssh                   *:*                     LISTEN      root       1695
    tcp        0      0 *:https                 *:*                     LISTEN      root       1772
    udp        0      0 snoop.:ntp              *:*                                 root       1766
    udp        0      0 xqos02100.:ntp          *:*                                 root       1765
    udp        0      0 localhost:ntp           *:*                                 root       1764
    udp        0      0 *:ntp                   *:*                                 root       1763

Network Interfaces

Lists the network interfaces built into the NetContExt device and provides utilization statistics for each one found. eth0 is the management interface and eth1 is the listening (snoop) interface; lo is the internal loopback interface and can be ignored. Any additional interfaces shown depend on the configuration of your specific device. The errors, dropped, overruns, frame and collisions counters are the first things to check when captures appear incomplete: in the example below eth0 shows receive errors and a large collision count, which usually indicates a half-duplex or saturated segment, and eth1 also shows a few receive errors. Note that in this example the snoop interface has an IP address and has transmitted a handful of packets; a purely passive tap would normally have neither.

Example entry:

    eth0      Link encap:Ethernet  HWaddr 00:0B:DB:A8:BB:FD
              inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:9001736 errors:11510 dropped:0 overruns:0 frame:266
              TX packets:3771662 errors:0 dropped:0 overruns:0 carrier:0
              collisions:382867 txqueuelen:1000
              RX bytes:891815609 (850.5 Mb)  TX bytes:2109239246 (2011.5 Mb)
              Interrupt:28

    eth1      Link encap:Ethernet  HWaddr 00:0B:DB:A8:BB:FE
              inet addr:192.168.4.100  Bcast:192.168.4.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1468371810 errors:8 dropped:0 overruns:0 frame:13
              TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:185630855 (177.0 Mb)  TX bytes:256 (256.0 b)
              Interrupt:29

    eth2      Link encap:Ethernet  HWaddr 00:02:B3:D2:F4:DE
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Interrupt:24 Base address:0xdce0 Memory:fcf20000-fcf40000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:169 errors:0 dropped:0 overruns:0 frame:0
              TX packets:169 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:9020 (8.8 Kb)  TX bytes:9020 (8.8 Kb)
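A check a practitioner would run over the 'Active Servers and connections' and 'Network Interfaces' sections of the Health page, as an added example that is not part of NetContExt: parse the listener table and the interface counters and flag what this guide's own text would treat as a problem. The policy encoded in the block is an assumption for illustration, not something the guide states: the web interface should only be reachable over HTTPS, so a plaintext http listener is a finding; only https and ssh are expected to bind to all addresses; and a passive snoop interface is expected to carry no IP address and transmit nothing. The sample input is the netstat and ifconfig output shown above, reduced to eth0 and eth1.

```python
import re

# Policy assumed for this example (not stated in the guide).
ALLOWED_ON_ALL_ADDRESSES = {"https", "ssh"}


def parse_listeners(netstat_text):
    """Parse 'netstat -l' style rows: Proto Recv-Q Send-Q Local Foreign [State] User Inode."""
    rows = []
    for line in netstat_text.splitlines():
        p = line.split()
        if len(p) < 6 or p[0] not in ("tcp", "udp"):
            continue
        addr, _, service = p[3].rpartition(":")
        state, user = (p[5], p[6]) if p[0] == "tcp" else ("", p[5])   # udp rows have no State column
        rows.append({"proto": p[0], "addr": addr, "service": service, "state": state, "user": user})
    return rows


def audit_listeners(rows):
    findings = []
    for r in rows:
        if r["proto"] == "tcp" and r["service"] == "http":
            findings.append("plaintext http listener on %s; the guide requires HTTPS for access" % r["addr"])
        elif r["addr"] == "*" and r["service"] not in ALLOWED_ON_ALL_ADDRESSES:
            findings.append("%s/%s bound to all addresses" % (r["service"], r["proto"]))
    return findings


IFACE_RE = re.compile(r"^(\S+)\s+Link encap")
INET_RE = re.compile(r"inet addr:(\S+)")
COUNTER_RE = re.compile(r"(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+) (?:frame|carrier):(\d+)")
COLL_RE = re.compile(r"collisions:(\d+)")


def parse_interfaces(ifconfig_text):
    """Parse classic ifconfig output into {name: {"inet", "rx", "tx", "collisions"}}."""
    ifaces, cur = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"inet": None, "rx": None, "tx": None, "collisions": 0})
            continue
        if cur is None:
            continue
        if m := INET_RE.search(line):
            cur["inet"] = m.group(1)
        if m := COUNTER_RE.search(line):
            cur[m.group(1).lower()] = {"packets": int(m.group(2)), "errors": int(m.group(3)),
                                        "dropped": int(m.group(4)), "overruns": int(m.group(5)),
                                        "frame_or_carrier": int(m.group(6))}
        if m := COLL_RE.search(line):
            cur["collisions"] = int(m.group(1))
    return ifaces


def audit_interfaces(ifaces, snoop="eth1"):
    findings = []
    for name, i in ifaces.items():
        if name == "lo":
            continue
        for d in ("rx", "tx"):
            c = i[d]
            if c and (c["errors"] or c["dropped"] or c["overruns"] or c["frame_or_carrier"]):
                findings.append("%s: %s errors=%d dropped=%d overruns=%d frame/carrier=%d"
                                % (name, d.upper(), c["errors"], c["dropped"], c["overruns"], c["frame_or_carrier"]))
        if i["collisions"]:
            findings.append("%s: %d collisions (half-duplex or saturated segment)" % (name, i["collisions"]))
    s = ifaces.get(snoop)
    if s and s["inet"]:
        findings.append("%s: snoop interface has IP address %s" % (snoop, s["inet"]))
    if s and s["tx"] and s["tx"]["packets"]:
        findings.append("%s: snoop interface transmitted %d packets" % (snoop, s["tx"]["packets"]))
    return findings


def audit_health(netstat_text, ifconfig_text):
    return audit_listeners(parse_listeners(netstat_text)) + audit_interfaces(parse_interfaces(ifconfig_text))


# Sample input: the netstat and ifconfig excerpts shown on this Health page (eth0 and eth1 only).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
tcp        0      0 *:http                  *:*                     LISTEN      root       1770
tcp        0      0 *:ssh                   *:*                     LISTEN      root       1695
tcp        0      0 *:https                 *:*                     LISTEN      root       1772
udp        0      0 snoop.:ntp              *:*                                 root       1766
udp        0      0 xqos02100.:ntp          *:*                                 root       1765
udp        0      0 localhost:ntp           *:*                                 root       1764
udp        0      0 *:ntp                   *:*                                 root       1763
"""
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0B:DB:A8:BB:FD
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          RX packets:9001736 errors:11510 dropped:0 overruns:0 frame:266
          TX packets:3771662 errors:0 dropped:0 overruns:0 carrier:0
          collisions:382867 txqueuelen:1000
eth1      Link encap:Ethernet  HWaddr 00:0B:DB:A8:BB:FE
          inet addr:192.168.4.100  Bcast:192.168.4.255  Mask:255.255.255.0
          RX packets:1468371810 errors:8 dropped:0 overruns:0 frame:13
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
"""

if __name__ == "__main__":
    for f in audit_health(SAMPLE_NETSTAT, SAMPLE_IFCONFIG):
        print("-", f)
```

On the guide's own example the listener audit reports the plaintext http service and the ntp socket bound to all addresses, and the interface audit reports the eth0 receive errors and collision count, the eth1 receive errors, and the snoop interface's address and transmitted packets. Point the two parsers at the text copied from the Health page of your device and adjust ALLOWED_ON_ALL_ADDRESSES to your own policy.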

The image below shows an example of the Health window.

[pic]

The NetContExt CA demo interface

The Demo interface is very similar to the main menu. The Demo window is accessed from the link on the main menu page.

The image below shows an example of the Demo window.

[pic]

Instead of the images being collected from traffic data they are taken from a library of images contained within NetContExt. This library contains 'soft' content and is intended to be non-offensive. At the same time it is typical of traffic found on most large networks.

Each time the demo window is refreshed a new Live folder is created. The remaining features work in the same way as the main NetContExt system.

An 'Example Images' folder link is provided at the top of the Demo window. This folder contains example images typical of those found on most networks.

End.
