3. Settings

3.1. The configuration file

By default, the configuration is read from the file <tv3 directory>\tv3.cfg. A different configuration file can be specified at startup with the -c <file> parameter. Empty lines and lines beginning with the symbol ";" are skipped during parsing. The format of an option is:

keyword <blank|tabulation> value <blank|tabulation> value [<blank|tabulation>value][...]

Options:

log – the output log file.
By default: the log is displayed on the screen.

charset – the name of the character encoding that will be used for data exchange. utf-8 is recommended; the entire tv3 WEB interface is built using utf-8.
By default: utf-8

storage – the file used to store the filter and the statistics. This file is used while tv3 runs and is read at startup.
By default: filter.xml

flush – the interval, in minutes, at which the information in the "storage" file is updated.
By default: the file is written at the end of work (on shutdown).

cache_len – the number of records in the cache that stores information on packets and the rules matching them, used for fast processing of identical packets. Too small a cache leads to frequent processing of rules through the filter and a higher processor load, but the cache should not be made too large either, since processing the cache itself can take a lot of time. The optimum size depends on the number of distinct connections and should be tuned when a large number of "lost" packets appears (see the tv3 status statistics).
By default: 40

listen – the IP address (in numerical xxx.xxx.xxx.xxx format) and the port on which the WEB service will accept connections. It is possible to specify only the port number; in this case connections are accepted on all interfaces.
By default: the network interface is not used

doc_path – the path to the files of the WEB interface.
By default: doc

free_access – sets free (value YES) or restricted (value NO) read access to the information through the WEB interface. With restricted access only registered users can read the statistics. The Java client works only when free access is enabled.
By default: yes

tracer/source – data sources, see section 3.2.

observer_keep_alive – the time in seconds after the last access before the "promiscuous mode" (observer) is switched off automatically.
By default: 900

3.2. Data sources

There are 3 ways to monitor packets in the current version of tv3: using the ipspy library (by Edgar Buerkle) through the tracer option, using a plug-in module for SafeFire Firewall through the source option, and the main way: receiving the information from tv3's own NDIS driver through the tracer option. These ways can be used simultaneously on different network interfaces, i.e. several tracer and source lines may appear in one tv3 configuration.

IPSpy

The IPSpy library was written a long time ago and is no longer supported by its author. The last version, 1.40, was published on 31 May 1998. The main benefit of this way of tracking packets in tv3 is that no additional configuration of the ipspy package and no reboot are needed when setting up the data source, provided that "promiscuous mode" is not required. Ipspy supports the "promiscuous" mode, in which the interfaces of this station receive all packets on the network. However, the library has disadvantages: first, under heavy network traffic the packet trace simply stops without any message; second, while running, ipspy puts an unreasonably high load on the central processor. In addition, an application using this library may produce a system error message when it exits; this does not affect the basic work of tv3.

The library ipspy.dll is included in the tv3 package, but to use the "promiscuous" mode it is necessary to download the file ipspy140.zip from the file archive http://hobbes.nmsu.edu/ and install it according to its instructions.

To trace packets this way, add a line (or lines) of the following form to the file tv3.cfg:

tracer tv3ipspy lanN flags queue_len

Where:

tracer – the keyword that attaches the plug-in module

tv3ipspy – the name of the plug-in module placed in <tv3root>\plugins

lanN – the name of the network interface

flags – a hexadecimal or decimal value that is the sum of the mode flags:

DIRECTED 0x0001
BROADCAST 0x0002
PROMISCUOUS 0x0004
SOURCE ROUTING 0x0008

queue_len – the length of the queue of received packets waiting to be processed by the filter. If tv3 reports a large number of unprocessed (skipped) packets (see the "lost packets" field on the Status page) and this value keeps increasing, it makes sense to increase the queue length.

Example:

tracer tv3ipspy lan0 0x000B 500
tracer tv3ipspy lan3 0x0003 150

SafeFire Firewall

SafeFire Firewall as a source is the most reliable way of tracking IP packet streams. Its disadvantage is that packets can be traced on only one network interface. For this, SafeFire Firewall must be installed together with the plug-in module tv3sf from the tv3 package. The module tv3sf should be specified in the firewall's configuration file, for example:

[filter]
enable=yes
rule=1 permit all from any to any skipto 2
rule=1 plugin 1
rule=2 –your own rules–
...
[plugins]
plugin=1 <tv3 directory>\tv3sf.dll
extvar=1:name redEye
extvar=1:len 300

Here "redEye" is the symbolic name of the queue (this is not an OS/2 native queue) through which data from SafeFire Firewall is transferred to tv3 via the tv3sf module. The line in the configuration file tv3.cfg for listening to the stream "redEye" will be:

source redEye

If the name is not set, the value "sfire" is used. The parameter "len" sets the queue length; by default the value 500 is used.

After these settings are made, start sfire.exe, then tv3.exe.

NDIS-driver tv3cap

This way is the most preferable. Information on passing packets is captured at the level of the network interface drivers and protocols and passed on for analysis. The driver can receive information from all network interfaces available in the system, or only from selected ones. Tv3cap works as a transparent "layer" between the network card drivers and the tcpip protocol, passing data through itself and transferring the information to tv3.

Use "install.cmd /I" to install the driver automatically on all interfaces available in the system, and "install.cmd /U" to remove the driver. If the MPTS service is installed on a disk other than the boot disk, the additional parameter /D:d must be specified, where d is the letter of the disk on which MPTS is installed. The original copies of the files config.sys and protocol.ini are kept during installation/removal of the driver. After install.cmd completes, the computer must be rebooted.

To trace packets this way, add a line (or lines) of the following form to the file tv3.cfg:

tracer tv3cap tv3N$ flags queue_len

The "flags" parameter accepts 2 values: 0x01 to accept broadcast packets, 0x00 not to accept broadcast packets. N is the number of the driver.

Example for a system with 3 interfaces:

tracer tv3cap tv31$ 0x00 600
tracer tv3cap tv32$ 0x00 600
tracer tv3cap tv33$ 0x00 600
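The option format from section 3.1 and the tracer lines above are simple enough to check before starting tv3. The following parser and sanity checker is an added example and not code from the tv3 package; it assumes only what the text states (one option per line, keyword and values separated by blanks or tabs, ";" comment lines and empty lines skipped) and the tv3ipspy flag bits listed above. The sample configuration embedded in it is constructed for the example.

```python
"""Parser and sanity checker for the tv3.cfg format (sections 3.1 and 3.2).

Added example, not code from the tv3 package. It assumes only what the
text states: one option per line, keyword and values separated by blanks
or tabs, blank lines and lines starting with ';' skipped. The tv3ipspy
flag bits are the ones listed in section 3.2; the sample configuration
is constructed for this example.
"""
import re

# Mode flags of the tv3ipspy tracer (section 3.2); a flags value is their sum.
IPSPY_FLAGS = {
    0x0001: "DIRECTED",
    0x0002: "BROADCAST",
    0x0004: "PROMISCUOUS",
    0x0008: "SOURCE ROUTING",
}

# Constructed sample tv3.cfg in the documented format (tab after "log").
SAMPLE_CFG = """\
; constructed tv3.cfg for this example
log\ttv3.log
charset utf-8
storage filter.xml
flush 15
cache_len 40
listen 127.0.0.1 8080
free_access no
tracer tv3ipspy lan0 0x000B 500
tracer tv3cap tv31$ 0x00 600
source redEye
observer_keep_alive 900
"""


def parse_cfg(text):
    """Return a list of (keyword, [values]) in file order.

    Lines are split on runs of blanks/tabs; empty lines and ';' comment
    lines are skipped, as the text says tv3 does.
    """
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = re.split(r"[ \t]+", line)
        options.append((parts[0], parts[1:]))
    return options


def parse_number(value):
    """Accept the hexadecimal (0x...) or decimal notation used for flags."""
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def decode_ipspy_flags(value):
    """Split a tv3ipspy flags value into the mode names it is the sum of."""
    flags = parse_number(value)
    unknown = flags & ~sum(IPSPY_FLAGS)
    if unknown:
        raise ValueError("unknown flag bits 0x%04x" % unknown)
    return [name for bit, name in sorted(IPSPY_FLAGS.items()) if flags & bit]


def check_cfg(options):
    """Validate the documented options; return a list of problem strings."""
    problems = []
    for keyword, values in options:
        if keyword == "listen":
            # Either "ip port" or just "port" (then all interfaces are used).
            port = values[-1] if values else ""
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                problems.append("listen: bad port %r" % port)
            if len(values) == 2 and not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", values[0]):
                problems.append("listen: bad address %r" % values[0])
        elif keyword in ("cache_len", "flush", "observer_keep_alive"):
            if len(values) != 1 or not values[0].isdigit():
                problems.append("%s: expects one integer" % keyword)
        elif keyword == "free_access":
            if len(values) != 1 or values[0].upper() not in ("YES", "NO"):
                problems.append("free_access: expects YES or NO")
        elif keyword == "tracer":
            if len(values) != 4:
                problems.append("tracer: expects module interface flags queue_len")
                continue
            module, iface, flags, queue_len = values
            if not queue_len.isdigit():
                problems.append("tracer %s: queue_len must be an integer" % iface)
            try:
                if module == "tv3ipspy":
                    decode_ipspy_flags(flags)
                elif module == "tv3cap" and parse_number(flags) not in (0x00, 0x01):
                    problems.append("tracer %s: tv3cap flags must be 0x00 or 0x01" % iface)
            except ValueError as exc:
                problems.append("tracer %s: %s" % (iface, exc))
    return problems


if __name__ == "__main__":
    print(check_cfg(parse_cfg(SAMPLE_CFG)) or "configuration OK")
    print(decode_ipspy_flags("0x000B"))  # ['DIRECTED', 'BROADCAST', 'SOURCE ROUTING']
```

Decoding 0x000B from the first example line gives DIRECTED + BROADCAST + SOURCE ROUTING, i.e. every mode except PROMISCUOUS; the checker rejects flag bits outside the four documented ones and tv3cap flags other than 0x00/0x01, which are the most common typos in such lines.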

3.3. Current status

Information on the current status of tv3 allows you to assess how accurately the system is working and how well it communicates with its data sources. The information is displayed on the Status page in two sections.

A packet is considered lost if, at the moment it was received, the queue of the source was already full, i.e. the filter read data more slowly than the source delivered it. If the number of lost packets keeps increasing, increase the queue length of the interface and tune the cache size more carefully.

The value Total Packets can be much less than the total number of packets that passed through all sources (i.e. the sum of the sources' packet counters). This is the result of the data optimization mechanism: if a packet is identical to the last one written to the queue, which has not yet been read by the filter, no new entry is placed in the queue; instead, the fields of the last queued packet describing the data size (the number of data bytes with and without the header) are increased. Packets are considered identical when they have the same source/destination addresses, the same protocol and the same protocol data (types, ports).
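The interaction between queue length, the lost-packet counter and the merging of identical packets is easier to see in a model. The following is an added example, not tv3's own code: it implements only what the text states (a source queue of fixed length, a packet arriving on a full queue counted as lost, a packet identical to the last unread entry merged into it by increasing its byte counters) and runs a constructed packet trace through it with a deliberately slow filter reader. The order of the two checks (identity first, then overflow), the field names and the sample addresses are assumptions of the example.

```python
"""Model of the tv3 source queue behaviour described in section 3.3.

Added example, not tv3's own code. Assumptions: the identity check is
made before the overflow check, packet identity is (source, destination,
protocol, protocol data such as type/ports), and the packet trace below
is constructed for the example.
"""
from collections import deque


class SourceQueue:
    """One data source's queue of packets waiting for the filter."""

    def __init__(self, queue_len):
        self.queue_len = queue_len
        self.queue = deque()            # entries not yet read by the filter
        self.received = 0               # packets delivered by the source
        self.lost = 0                   # dropped because the queue was full
        self.entries_created = 0        # what ends up in "Total Packets"

    @staticmethod
    def key(pkt):
        # Identity: same src/dst addresses, protocol and protocol data.
        return (pkt["src"], pkt["dst"], pkt["proto"], pkt["info"])

    def receive(self, pkt):
        """Called once per captured packet (fields: src, dst, proto, info,
        length = bytes including header, payload = bytes without header)."""
        self.received += 1
        if self.queue and self.key(self.queue[-1]) == self.key(pkt):
            # Identical to the last unread entry: no new entry, grow its
            # size counters (with and without header) instead.
            last = self.queue[-1]
            last["bytes_total"] += pkt["length"]
            last["bytes_payload"] += pkt["payload"]
            last["count"] += 1
            return
        if len(self.queue) >= self.queue_len:
            self.lost += 1              # queue overflow: a "lost packet"
            return
        self.queue.append(dict(pkt, bytes_total=pkt["length"],
                               bytes_payload=pkt["payload"], count=1))
        self.entries_created += 1

    def filter_read(self, n):
        """The filter drains up to n entries and returns them."""
        return [self.queue.popleft() for _ in range(min(n, len(self.queue)))]


def run_scenario(queue_len=3, read_every=4):
    """Feed a constructed 12-packet trace; the filter reads one entry after
    every `read_every` packets, i.e. it is slower than the source."""
    tcp = dict(src="10.0.0.1", dst="10.0.0.2", proto="tcp", info=(1234, 80),
               length=1500, payload=1460)
    dns = dict(src="10.0.0.1", dst="10.0.0.3", proto="udp", info=(5353, 53),
               length=82, payload=54)
    icmp = dict(src="10.0.0.1", dst="10.0.0.4", proto="icmp", info=(8, 0),
                length=74, payload=46)
    ntp = dict(src="10.0.0.1", dst="10.0.0.5", proto="udp", info=(123, 123),
               length=90, payload=62)
    trace = [tcp, tcp, tcp, tcp, dns, tcp, icmp, ntp, ntp, ntp, icmp, tcp]
    q = SourceQueue(queue_len)
    drained = []
    for i, pkt in enumerate(trace, 1):
        q.receive(pkt)
        if i % read_every == 0:
            drained += q.filter_read(1)
    return {"received": q.received, "lost": q.lost,
            "total_packets": q.entries_created,
            "drained": drained, "pending": list(q.queue)}


if __name__ == "__main__":
    for qlen in (3, 6):
        r = run_scenario(queue_len=qlen)
        print("queue_len=%d: received=%d lost=%d total_packets=%d" %
              (qlen, r["received"], r["lost"], r["total_packets"]))
```

With queue_len 3 the trace of 12 packets yields 3 lost packets and only 5 queue entries (the four identical TCP packets collapse into one entry of 6000 bytes), which is the "Total Packets much less than the sum of the sources" effect; raising queue_len to 6 for the same trace removes the losses, which is the adjustment the text recommends when the lost counter keeps growing.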

3.4. Users

Information on registered users is read from the file <tv3 directory>\users.lst. Empty lines and lines beginning with the symbol ";" are skipped during parsing. A user line in this file has the following format:

Name <blank|tabulation> password <blank|tabulation> privilege

Privileges: ADMIN – the administrator, USER – a regular user. Administrators have the right to set filters and "promiscuous mode" rules. Users with USER privileges are allowed to read the statistics (if reading is restricted in the configuration).

If the file users.lst has been changed, it will be reloaded at the next user login. Restarting tv3 is not required.
