
NetBoar



Current version is 1.371b

Why?

This is easy to answer. I wrote this program because I needed it.
Sometimes, when analyzing a network, you need to know what is going on over it, and you need to know it right here and right now. Say, for example, you see a 100 Mbit interface running at 70% when it normally stays at 30%. Who is doing what? NetBoar will help you.

How?

NetBoar sniffs all the traffic on your network connection and displays a summary on your screen. It works in a similar way to the iftop utility or EtherApe on Unix systems, showing all the conversations going on. It also differentiates them by destination port when available, giving an idea of which protocols are taking up your bandwidth.

Good, and then?

Once you know the general picture, you need to drill down using more specific tools, for example Ethereal.
NetBoar will not do any work that other specialized tools do better. It gives you the situation of your network at a glance, without having to sniff, store and analyze hundreds of Mbytes of traffic. It works in real time, without using plenty of RAM or disk space.

What do I need to run it?

A computer with Windows 2000, XP, 2003 or Vista, with Microsoft .NET Framework 2 installed. You will also need WinPcap to sniff network traffic. You will need some memory, say 20-32 Mb, and some processing power. The program is multithreaded and sniffs and processes data asynchronously, so it will use the power of the new dual core processors. That said, I tested it on a single Pentium 3 at 1 GHz, and it took 40-60% CPU to analyze traffic up to over 70 Mbit.

What will I see and what will I miss?

You’ll miss all non-IP traffic. So you’ll miss IPX and other exotic protocols, even in the total bytes counter. You’ll see several “known” protocols, with the option to see every single TCP/UDP port used. In this first public version of NetBoar, the definition of “known” protocols is hard coded. Maybe it will change in future releases, if any. Protocols are also color-coded so you can tell them apart at a glance.
NetBoar lets you select only specific kinds of traffic by writing BPF filters. The syntax can be found in any libpcap man page, or just by googling around. Some pre-set filters are also included in NetBoar.
Lists are always sorted in descending order, from the highest-volume traffic down.

Quick usage examples

You have lots of traffic from a branch office. Just connect NetBoar and you see, for example, one specific IP doing high-rate SMTP traffic to one of your servers.

Or you just want to know which sites your computer accesses while you work.

Usage

Usage is very simple: just select your preferred interface and click Start. If the number of conversations grows past the visible area, check the Freeze checkbox in the Options menu or press CTRL+F. The capture and analysis process continues in the background. You may also want to resolve IP addresses to hostnames. This could be a bad, bad idea if you have lots of traffic: the program may slow down waiting for DNS reverse lookups, and you will also generate many DNS queries.

You have several options to choose from in the menu:

Promiscuous mode: sets the capture mode of your interface. Some wireless adapters require promiscuous mode to be disabled to sniff traffic.
Only known protocols: filters out unknown protocols, that is, protocols on ports not defined in the hard coded table.
Resolve ports: changes the display of numeric ports to their probable protocol (53->DNS, 80->HTTP).
Resolve addresses: resolves IP addresses to host names (be careful).
Freeze display: stops updating the display to let you scroll the lists.
Don't distinguish ports: eliminates the analysis of port numbers, so you have a single line for a destination server that receives different connections from the same client (1 HTTP, 1 FTP and 1 SMB connection from host A to server B will show as a single conversation, and the traffic is summed up).
Collapse (source / destination): shows a single conversation for (respectively) several servers accessed by different clients or several clients on the same server.
Packet filters: provides some hard coded BPF packet filters.
Display limit: limits the number of items in the conversations and protocol lists.
Units scaling: lets you choose the units of the counters.

If you have an improvement, usage example, suggestion or consideration, use the forum!
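To make the aggregation options above concrete, here is an added Python example (not NetBoar's own code, which is .NET) that turns a handful of constructed packet records into the two lists NetBoar shows: conversations and per-protocol totals, sorted highest-volume first. The "known ports" table is a constructed stand-in for NetBoar's hard coded one, and the reading of "collapse" as dropping one side's address from the conversation key is my assumption.

```python
from collections import defaultdict

# Constructed "known ports" table, standing in for NetBoar's hard coded one (assumption).
KNOWN_PORTS = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS", 445: "SMB"}

def port_label(port, resolve_ports=True):
    """'Resolve ports': map a destination port to a protocol name, else keep the number."""
    if resolve_ports and port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    return str(port)

def conversations(packets, distinguish_ports=True, collapse=None,
                  only_known=False, resolve_ports=True, limit=None):
    """Aggregate (src_ip, dst_ip, dst_port, nbytes) tuples into conversation rows.

    collapse: None, "source" (drop the client address, so all clients of one server
    merge) or "destination" (drop the server address).  Returns rows of
    (src, dst, proto, bytes) sorted by bytes descending, cut at `limit`.
    """
    totals = defaultdict(int)
    for src, dst, dport, nbytes in packets:
        if only_known and dport not in KNOWN_PORTS:
            continue  # "Only known protocols"
        # "Don't distinguish ports": every port folds into one line per host pair
        proto = port_label(dport, resolve_ports) if distinguish_ports else "*"
        if collapse == "source":
            src = "*"
        elif collapse == "destination":
            dst = "*"
        totals[(src, dst, proto)] += nbytes
    rows = sorted(((k[0], k[1], k[2], b) for k, b in totals.items()),
                  key=lambda r: r[3], reverse=True)
    return rows[:limit] if limit else rows  # "Display limit"

def protocol_totals(packets, resolve_ports=True):
    """Per-protocol byte totals, highest first (the protocol list)."""
    totals = defaultdict(int)
    for _, _, dport, nbytes in packets:
        totals[port_label(dport, resolve_ports)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample: host A does HTTP, FTP and SMB to server B, host C sends SMTP to B,
# B answers a DNS query, and one host uses an unknown port.
SAMPLE = [
    ("10.0.0.5", "10.0.0.20", 80, 1500), ("10.0.0.5", "10.0.0.20", 21, 400),
    ("10.0.0.5", "10.0.0.20", 445, 9000), ("10.0.0.7", "10.0.0.20", 25, 30000),
    ("10.0.0.7", "10.0.0.20", 25, 5000), ("10.0.0.20", "10.0.0.2", 53, 120),
    ("10.0.0.9", "10.0.0.20", 31337, 700),
]

if __name__ == "__main__":
    for row in conversations(SAMPLE):
        print(row)
```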

Credits

Writing this program was possible because people at Politecnico di Torino released WinPcap. Also, the SharpPcap project made it very simple to use WinPcap within the .NET Framework.

License

This is free software. You can download and use it without limitations as long as you don't patch it in any way. If you want to redistribute this program within your software, you must notify me via this page and insert the proper credits. The same applies if you use it in government, security or forensics environments.


Download: netboar.zip (250k)
Marcello Gorlani, Jan 26, 2012, 5:54 AM