Netwatch is a Linux program created to aid in monitoring Network Connections. It is based on a
program called "statnet" but has been substantially modified for its Ethernet emphasis. It is a
dynamic program which displays the Ethernet status based on each connection's activity. It has
the capability of monitoring hundreds of site statistics simultaneously. The connection's port
number (Well Known Service) and destination address are available as well. There are options
which allow router statistics to be measured on simple networks (with one router). External
network communication is counted and transfer rates are displayed.
The latest version adds:
THREADS and SEMAPHORES! (should give a MUCH snappier response to keys and data updates)
"-k" option for SSH users of remote systems - eliminates SSH connection traffic
simulation of netwatch using a LOG file (as saved previously)
entire packet information captured/displayed now...
It is interesting to note the prevalence of APACHE as an HTTP Daemon.
The latest available released version is "netwatch-1.3.0-1.tgz", otherwise known as Version
NOTE: This version is currently being tested and cannot be considered totally stable.
Saves of Routing Statistics for last day of run (min. by min.)
Freeze display (continue logging) for remote efficiency
PPP Connectivity Monitoring
Multiple Interface Support (1 at a time)
Available from "sunsite.unc.edu" in
and mirrors throughout the world...
Passive Network Monitoring & Network Security
There is a distinct advantage to passive rather than active network monitoring. In passive
monitoring, the systems outside of the monitor have no loading due to any software for
monitoring. These systems actually have no idea that any monitoring is being performed. This is
an advantage that can be turned into a disadvantage. Security on Ethernet requires tight controls
on packet data encryption; otherwise all data transfers, including logins (!), can be seen easily.
FULL CONTENT MONITORING
In Network Forensics, it is essential to save the entire history of
packet usage for a network. Netwatch can help here. It can log the
entire collection of packets exchanged for a network saving it to a
file for viewing later. It can AUTOMATICALLY save an entire day (or
hour or....) and reload to begin saving the next time frame. Placing a
netwatch-enabled system on a firewall, hub or switch management port
can facilitate activity analysis if your systems become compromised.
Saved netwatch files can be analysed within netwatch using a
"simulation mode". In this mode, you have VCR-like controls that allow
you to play, fast forward, reverse and rewind. It allows you to stop
and examine data exchanges as they happen and to view the individual
packet details (using "Watch Mode" and selecting the desired host).
There are NO restrictions on what you can examine in "simulation
mode". You can even decide to log ONE host saving that data to a file
(or as many hosts as you desire). As you play, the data gets saved to a
file using the host name to name the log file (and your desired prefix).
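The following is an added example, not code from Netwatch or its author, showing the two ideas the page describes: a passive Ethernet frame decoder that keeps a per-connection table keyed by local host, remote host and well-known service, and a "simulation mode" that replays a saved capture while logging one watched host. Everything in it is assumed for illustration: the frames are constructed in the script (no interface is opened), the service map is a short one of my own, the addresses are from documentation ranges, and the "local network" is just an address prefix. It also goes a little beyond the page by using a hashed key for the table, which is the usual remedy for the search slowdown the page later mentions.

```python
import socket
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
# Small "Well Known Service" map, constructed for this example (Netwatch's own list is larger).
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def service_name(sport, dport):
    """Name a connection by its lower-numbered port, as a well-known-service lookup would."""
    return WELL_KNOWN.get(min(sport, dport), str(min(sport, dport)))


def parse_frame(frame):
    """Decode Ethernet/IPv4 and TCP/UDP port headers. Returns None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    pkt = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
           "proto": ip[9], "bytes": struct.unpack("!H", ip[2:4])[0], "sport": None, "dport": None}
    if pkt["proto"] in (6, 17) and len(ip) >= ihl + 4:   # TCP or UDP: ports follow the IP header
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return pkt


class ConnectionTable:
    """Per-connection counters keyed by (local host, remote host, service). A hashed
    key keeps lookup constant-time however many remote hosts appear, which is the
    cost the page says grows as Netwatch's table is searched."""

    def __init__(self, local_prefix):
        self.local_prefix = local_prefix           # e.g. "192.0.2." marks the monitored LAN
        self.stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
        self.external_bytes = 0                    # traffic with hosts outside the LAN

    def is_local(self, ip):
        return ip.startswith(self.local_prefix)

    def add(self, pkt):
        # Orient each entry as (local, remote) so both directions land in one row.
        if self.is_local(pkt["src"]):
            local, remote = pkt["src"], pkt["dst"]
        else:
            local, remote = pkt["dst"], pkt["src"]
        svc = service_name(pkt["sport"], pkt["dport"]) if pkt["sport"] is not None else f"ip{pkt['proto']}"
        entry = self.stats[(local, remote, svc)]
        entry["packets"] += 1
        entry["bytes"] += pkt["bytes"]
        if not self.is_local(remote):
            self.external_bytes += pkt["bytes"]

    def top(self, n=5):
        return sorted(self.stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def replay(saved_frames, table, watch_host=None):
    """'Simulation mode': feed a saved capture through the table and keep a per-host
    log of every packet that involves watch_host, as the page describes."""
    host_log = []
    for frame in saved_frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        table.add(pkt)
        if watch_host in (pkt["src"], pkt["dst"]):
            host_log.append(pkt)
    return host_log


def build_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for offline testing; not a real capture."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample "log": a LAN host talking to an external web server and to a LAN SSH box,
# plus one ARP frame that the IPv4 parser skips.
SAMPLE_LOG = [
    build_frame("192.0.2.10", "198.51.100.5", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("198.51.100.5", "192.0.2.10", 80, 40001, b"X" * 500),
    build_frame("192.0.2.10", "192.0.2.20", 40002, 22, b"S" * 100),
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),
]


def run_simulation(watch_host="192.0.2.10"):
    table = ConnectionTable("192.0.2.")
    return table, replay(SAMPLE_LOG, table, watch_host)


if __name__ == "__main__":
    table, log = run_simulation()
    for (local, remote, svc), c in table.top():
        print(f"{local:>15} <-> {remote:<15} {svc:<6} {c['packets']:>3} pkts {c['bytes']:>6} bytes")
    print("external bytes:", table.external_bytes, "| packets logged for watched host:", len(log))
```

Running the script replays the four constructed frames: the two HTTP frames collapse into one row for 192.0.2.10 and 198.51.100.5 (598 bytes, all counted as external), the SSH frame forms a second row that is not counted as external because both ends are on the LAN, and the ARP frame is skipped. The watched-host log holds the three IPv4 packets, which is what a real per-host log file would receive.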
REQUIREMENTS for NETWATCH
486+ Computer with 8 Meg RAM+
LINUX (version 1.2.13 Kernel+... although Version 1.0+ should work)
Latest Version tested on:
Red Hat 9.0
Mandriva 2008 (2.6.x Kernel)
Ethernet Connection (Thinnet/Thicknet/Twisted Pair)
PPP connection (for Experimental Version)
Unloaded network box (don't use on a WWW server or Heavy Compilation Box)
As connections increase, table size increases, searching for entry takes longer, NETWATCH
degrades. Table sizes for remote end can be over 2500 hosts easily.
Netwatch will send a packet to a home base (personal system) when you start it for the
first time. This is NOT a security hazard. It is simply for statistics tracking. The software
is free (under the GPL), so you should not complain about this one request. Many hours
of toil went into the creation of the software. Distributions commonly modify the source to
eliminate this feature. It is NOT necessary to eliminate it if it is deemed unoffensive.
Back in 1996 (12 YEARS AGO), when Netwatch was first created and distributed, there
were 40,000 requests logged in 6 months. It WAS a popular program. The current version
is an improvement over the original in speed and system loading. I hope that it entices
administrators to try it again.... It is not Wireshark... and does not claim to be but
it is UNIQUE in its approach to monitoring. (NO LIBPCAP REQUIRED)
A window resizing bug will not SEG fault but scrambles the screen
- resize the window before running and it is ok
As of version 0.8e, Netwatch will accept a configuration file in
"/root/.netwatch.conf". ALL binary users SHOULD make a personal configuration
file. Source code users have other options, but the configuration file
is simplest. Here is a sample configuration file for the latest netwatch (1.2.0): netwatch.conf