User Guide:Administration and Management

From Netmon

Using the Settings Console

The Netmon Settings console is where most administrative tasks are performed. To open this console, click the Settings button in Netmon's main toolbar, and choose from a number of maintenance and administrative snap-ins, including:

  • Basic Setup Tasks
  • Define Alert Conditionals
  • Customize Alert Templates and Alert Commands
  • Use Data Management Tools which can help you perform data backups
  • Manage Traffic and Host Filters
  • Manage Netmon's Host Name Database
  • Define Local Networks for reporting and display purposes
  • Manage Netmon System Services
  • Manage the Port Label Database
  • Manage Netmon User Accounts


Managing Alert Conditionals

What is an Alert Conditional?

An Alert Conditional provides fault tolerance for false alert situations. Imagine what might happen if the Netmon server itself were to become disconnected from the rest of the network. Since it would be unable to reach any of the services and devices it is monitoring, it might (incorrectly) assume that all of those services and devices were down - and trigger the appropriate email and pager alerts. Nobody wants to receive an avalanche of alert emails and/or pager beeps.

False alerts can be prevented with the use of a Conditional, which is simply an IP address that Netmon checks in order to ensure that an alert situation is genuine.

If the IP address specified in the Conditional is determined to be alive (through a simple ICMP PING/echo request) Netmon knows that the alert situation is real. On the other hand, if the IP address specified in your Conditional is unresponsive, Netmon withholds the alert, since this would indicate that Netmon itself had a connectivity problem.

Are Conditionals Mandatory?

No. Conditionals are optional, and you do not have to specify any. Their use is recommended only to prevent unwanted false alarm situations.

Using Conditionals Effectively

In most cases, you only need to set up two conditionals: one which tests internal connectivity (such as the IP address of a domain controller or other high-uptime device) and another which tests external connectivity. For external connectivity tests, choose the IP address of a highly-available web destination (such as Google.com).

Adding an Alert Conditional

To add a new conditional, select Alert Conditionals from the Settings Explorer, and click the Add New Conditional button. A dialog window opens in the Settings Editor panel on the right side of the screen.

Enter the IP address of the conditional in the IP Address field, and specify a friendly name in the Conditional Name field. When you have finished entering this information, press the Add Conditional button to add the conditional to the database.

Removing an Alert Conditional

To remove an alert conditional from Netmon's database, select Alert Conditionals from the Settings Explorer, and click the Delete link next to the conditional you wish to remove. You'll be prompted to confirm your decision: click OK to proceed with removal of the selected conditional, or Cancel to abort the operation.

If you remove a conditional, you will also remove that conditional from any previously configured alerts. Other previously configured conditionals for existing alerts will remain unchanged.

Managing User Accounts

Each individual who uses Netmon should have an individual user account. These people might include network administrators, system technicians or even management / administrative personnel. Logging in with Netmon's admin account for normal everyday system usage is not recommended.

Viewing Account Details

To quickly view expanded details for a user account, such as group membership or pager information, click the Details link in the Actions column, next to the desired account.

Adding a New User Account

To add a new user account, click the Add New User button in the middle panel. This will cause the Settings Editor panel to open on the right side of the screen, displaying a form for the entry of new user information. To read more about each of these fields, see Editing User Account Properties.

Modifying a User Account

To update group membership, an email address or other user details, click the Edit link in the Actions column next to the account to be modified.

Deleting a User Account

To remove a Netmon user account, simply click the Delete link in the Actions column next to the account to be deleted. You'll be asked to confirm if this is what you really want to do. If you confirm, the selected user account will be removed from the system, and logins under that account will no longer be permitted.

Suspending a User Account

Suspending a user account has almost the same effect as deleting the account: future logins for that account are disabled. However, when you suspend a user account, you have the later option to re-activate it. This can be a useful option in cases where access should be temporarily disabled, but not permanently revoked. For example, you may wish to temporarily disable the user accounts of technicians or administrators who are away on vacation.

To suspend an active account, click Suspend in the Actions column. To reactivate an account which has been previously suspended, click Reactivate in the Actions column.

Managing Account Groups

Account groups allow you to logically group individual Netmon user accounts, and bind them to a specific set of permissions that is common between them. For example, you may want to prevent network technicians from deleting data or making changes to Netmon's configuration, while providing senior administrators with more control.

Netmon ships with four built-in account groups. You can modify the individual permission settings in each of these groups, create your own groups, or even remove groups that are not required in your environment.

Administrators By default, this group has full control over the Netmon software application. It is strongly recommended that you do not change the permission structure of this group, nor should it be removed.

Backup Users This group is only permitted to perform backup operations, such as configuration backups, database compact operations, and complete data backups.

Standard Users This is the 'normal' account group that should be used for most of your Netmon user accounts. It grants access to the entire Netmon application, but prevents members from deleting data or performing administration functions.

Report Users By default, this group has read-only access to the entire Netmon application, but is prevented from altering data or performing system administration or maintenance functions. You can customize the individual permissions in this group to allow/disallow access to specific areas of Netmon.

Understanding Permission Inheritance

A user account can belong to one or more groups. When a user account belongs to two or more groups, the user inherits all available permissions from each of those groups.

Group A has permissions X and Y. Group B has permissions Z. A user who is a member of both groups inherits permissions X, Y and Z.

Viewing Group Details

To quickly view expanded details for an account group, click the Details link in the Actions column, next to the desired group.

Adding a New Group

To add a new group, click the Add New Group button in the middle panel. This will cause the Settings Editor panel to open on the right side of the screen, displaying a form for the entry of new group information. To read more about each of these fields, see Modifying Group Properties.

Modifying a Group

To update permission assignments for an existing group, click the Edit link in the Actions column next to the group to be modified. Check/uncheck the desired values, and click the Update button in the Settings Editor panel.

Deleting a Group

To remove a Netmon account group, simply click the Delete link in the Actions column next to the group to be deleted. You'll be asked to confirm if this is what you really want to do. If you confirm, the selected group will be removed from the system.

Note: You should not remove the Administrators group, nor should you delete all groups. Doing so could result in an unexpected lockout from administrative functions.
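The inheritance rule above and the lockout warned about in the note, worked through as an added example (not Netmon's own code). The permission names, including the "administration" permission that the check looks for, are assumptions, since the guide does not list Netmon's real permission identifiers.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed name of the permission that gates administration functions; the guide
# does not list Netmon's actual permission identifiers.
ADMIN = "administration"


@dataclass
class Account:
    name: str
    groups: List[str]
    suspended: bool = False   # a suspended account cannot log in, so it cannot administer


def effective_permissions(account: Account, groups: Dict[str, Set[str]]) -> Set[str]:
    """A member of several groups inherits the union of all their permissions."""
    perms: Set[str] = set()
    for group in account.groups:
        perms |= groups.get(group, set())
    return perms


def active_administrators(accounts: List[Account], groups: Dict[str, Set[str]],
                          without_group: Optional[str] = None) -> List[str]:
    """Names of accounts that can still log in and reach administration functions.

    With `without_group` set, the answer is computed as if that group had
    already been deleted, which is what the pre-delete check needs.
    """
    admins = []
    for account in accounts:
        if account.suspended:
            continue
        remaining = Account(account.name, [g for g in account.groups if g != without_group])
        if ADMIN in effective_permissions(remaining, groups):
            admins.append(account.name)
    return admins


def can_delete_group(name: str, accounts: List[Account], groups: Dict[str, Set[str]]) -> bool:
    """Refuse the deletions the note warns against: the Administrators group
    itself, the last remaining group, or any group whose removal would leave
    no active account with administration rights."""
    if name == "Administrators" or name not in groups:
        return False
    if len(groups) == 1:
        return False
    return bool(active_administrators(accounts, groups, without_group=name))


# Constructed groups and accounts: the four built-in groups plus one custom group.
GROUPS: Dict[str, Set[str]] = {
    "Administrators": {ADMIN, "delete_data", "view", "backup"},
    "Backup Users": {"backup"},
    "Standard Users": {"view"},
    "Report Users": {"view"},
    "NOC Leads": {ADMIN, "view"},
}
ACCOUNTS = [
    Account("alice", ["Administrators"]),
    Account("bob", ["Standard Users", "Backup Users"]),
    Account("carol", ["NOC Leads"], suspended=True),
]

if __name__ == "__main__":
    print("bob:", sorted(effective_permissions(ACCOUNTS[1], GROUPS)))
    print("delete NOC Leads?", can_delete_group("NOC Leads", ACCOUNTS, GROUPS))
    print("delete Administrators?", can_delete_group("Administrators", ACCOUNTS, GROUPS))
```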

Managing Alert Message Templates

Netmon allows you to customize the alert messages which are sent from various monitoring facilities through the use of simple templates. Simply navigate to Settings > Alert Message Templates, and expand the tree to see a complete list of available templates.

Customizing an Alert Message Template

To customize any template, select it from the available list in the Settings Explorer. An editing window will appear, showing the current alert text.

In any alert message, Netmon inserts alert-specific information (such as the name and IP address of a service which has failed) into the template through specially tagged keys. These keys look like {$host} or {$ip_address}, and they tell Netmon where to place important alert information.

You can insert these tags anywhere in your template using the specially provided buttons. Simply position the cursor where you'd like to place the data, and then click the desired button on the right side of the editing window. You can also use standard cut & paste tools to move tags around your message.

You must click the Save Template button to permanently commit any changes you make to a template.

Restoring Default Templates

To restore any template to its factory default settings, select it from the template list, and click the Restore Default Template button. The window contents will be immediately populated with the factory default alert message for that particular alert. You must then click the Save Template button to commit any changes to Netmon's database.

Managing Alert Response Commands

Netmon can run special scripts or commands in response to an alert event. For example, you may wish to run a port scan against a newly-discovered host, or receive a list of large files when a disk capacity alert is issued. Using this facility, you can also issue a restart to an unresponsive Windows service.

Alert commands are associated with alert events, and they are managed on the same screen as Managing Alert Templates. Once a command has been associated to a particular alert event, you then have the option to run that command for any alerts of that type.

Note that alert commands do not run automatically in response to alert events. You must still associate any desired commands you wish to run with each new alert you create. This area simply allows you to configure which commands are available for a specified alert type.

Creating a New Alert Command

To create a new alert command, take the following steps:

1. Click Settings > Alert Message Templates and locate the alert condition to which you wish to attach a new command.

2. Fill out the appropriate fields (outlined below) and click the Create Command button.

Label A friendly name or label for this command.

Command The actual command syntax. The text specified here is run as a shell command on the Netmon server. You can use the Insert Variable buttons on the top of the Alert Template window to insert dynamically changing values (i.e. the device IP address, hostname, etc.) into your command string. Netmon will substitute these values for each individual alert.

Timeout The number of seconds Netmon should allow the command to run before giving up.

Process Asynchronously / Add Output To Alert You can choose to process the command before the alert message is sent by selecting the Add Output to Alert radio button. In this case, Netmon will append the results of the command to the alert message you receive. Alternatively, select the Process Asynchronously radio button to run the command separately from the alert message, so that neither waits for the other.

Modifying an Existing Alert Command

Any existing commands will be listed in the Alert Template editing window. To modify an existing command, simply click the Edit link next to it. Make any necessary adjustments, and then click the Update Command button.

Removing an Alert Command

To remove a command from the available selections, simply click the Del link next to it. You'll be prompted to confirm deletion. Once a command has been deleted from this area, any existing alerts which called that command will continue to function; however, they will no longer run that command.

Sophisticated Alert Response Mechanism (SARM)

Overview

The most significant update to Netmon 4.5 to date is the introduction of a new facility that allows you to configure custom commands to be executed when an alert is triggered. You can create your own scripts, use built-in commands available as part of the Debian GNU/Linux Operating System, or use some of the commands we have created just for you. Alert commands are associated with alert “Types”, and you can create/edit/delete “Response Commands” by clicking on the Settings button of the top toolbar, then clicking on the Alert Message Templates item in the tree. Some alert templates will not display the command association dialog in order to avoid redundancy with other templates.

Creating Alert Commands

After clicking on the alert template that is of interest to you, you will see a new area at the bottom of the template dialog with a form that allows you to configure your new command. The form contains the following fields:

  • Label: The value you enter in that field is the “Name” of your command, and is the value Netmon will use to populate the “Command Association” dropdown when you create a new alert. Pick something that briefly describes what the command does.
  • Command: Enter the command Netmon will execute when the alert is triggered. This is typically the name of your command, followed by specific arguments. You can pass any of the variables available on top of that dialog to your command by clicking on the variable's button.
  • Process Asynchronously: If you select this option, Netmon will first dispatch the alert notification, and then execute the specified command. This is useful if you want to ensure your alerts will be dispatched quickly, but not recommended because you have no way of finding out if your command has failed.
  • Add output to Alert: If selected, Netmon will first execute the specified command, collect its complete output, and then add the output of the command to the alert notification message. This means that Netmon must wait for your command to finish executing before it can send the alert. We recommend using this setting, but you must also make sure that your command can complete in a timely fashion to ensure you will receive your alerts.
  • Conditions: Use the “Process on Failure” and “Process on Recovery” checkboxes to instruct Netmon to execute the command when the alert condition is first met and also when the alert condition is no longer met. This allows you, for example, to have Netmon execute your command when a server goes down, and then again when that same server comes back up.

Upon creating your command, it will be immediately added to the commands list located right under the alert creation form. You can click on the delete link beside any of the commands to delete it, or click on the 'Edit' link to display an edit form, which you can use to update your command.
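The pieces described in this section and in Managing Alert Conditionals and Managing Alert Message Templates, put together as an added example (not Netmon's own code): the conditional check, {$key} template rendering, and an alert response command with its Timeout and Add Output to Alert / Process Asynchronously handling. The event, template, command and addresses are constructed, the probe stands in for the ICMP echo request so the example runs offline, and the rule that every configured conditional must answer is an assumption (the guide does not say how several combine). One point the guide leaves implicit is shown in build_command: the substituted values are learned from the network, so they are shell-quoted before the command string is handed to the shell.

```python
import re
import shlex
import subprocess
from typing import Callable, Dict, List, Optional

# Matches a template key such as {$host} or {$ip_address}; group 1 is the key name.
TAG = re.compile(r"\{\$(\w+)\}")


def render_template(template: str, values: Dict[str, str]) -> str:
    """Replace every {$key} in an alert message template with its value.

    Unknown keys are left in place so a mistyped tag shows up in the alert
    instead of silently disappearing.
    """
    return TAG.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def build_command(command_template: str, values: Dict[str, str]) -> str:
    """Substitute the same keys into an alert response command string.

    The command is run by /bin/sh on the Netmon server and the values (host
    names in particular) are learned from the network, so each value is
    shell-quoted: a name containing shell metacharacters reaches the script
    as one literal argument instead of being interpreted by the shell.
    """
    return TAG.sub(lambda m: shlex.quote(values.get(m.group(1), "")), command_template)


def run_alert_command(command: str, timeout: int) -> str:
    """Run a substituted command, enforcing the Timeout field in seconds.

    Returns the captured output, or a note when the command was killed for
    exceeding the timeout.
    """
    try:
        proc = subprocess.run(command, shell=True, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return f"[command timed out after {timeout}s]"
    return proc.stdout + proc.stderr


def conditionals_alive(conditional_ips: List[str], probe: Callable[[str], bool]) -> bool:
    """The conditional check: every configured conditional must answer.

    An unresponsive conditional points at Netmon's own connectivity, not the
    monitored target, so the caller withholds the alert. Assumption: with
    several conditionals configured, all of them must answer; an empty list
    means no conditionals are configured and the check is skipped.
    """
    return all(probe(ip) for ip in conditional_ips)


def dispatch(event: Dict[str, str], template: str, conditional_ips: List[str],
             probe: Callable[[str], bool], command: Optional[str] = None,
             add_output: bool = True, timeout: int = 10) -> Optional[str]:
    """Produce the final alert message, or None when the alert is withheld."""
    if not conditionals_alive(conditional_ips, probe):
        return None
    message = render_template(template, event)
    if command:
        cmd = build_command(command, event)
        if add_output:
            # "Add Output to Alert": wait for the command, then append its output.
            message += "\n--- command output ---\n" + run_alert_command(cmd, timeout)
        else:
            # "Process Asynchronously": the message goes out as is and the
            # command runs on its own; its output is not attached.
            run_alert_command(cmd, timeout)
    return message


# Constructed sample alert, template and command (not Netmon's own values).
SAMPLE_EVENT = {"host": "web01.example.test", "ip_address": "192.0.2.15", "service": "HTTP"}
SAMPLE_TEMPLATE = "Service {$service} on {$host} ({$ip_address}) is DOWN"
SAMPLE_COMMAND = "printf 'reachability check queued for %s' {$host}"


def offline_probe(ip: str) -> bool:
    """Stand-in for the ICMP echo request: a fixed set of addresses counts as alive."""
    return ip in {"192.0.2.10", "198.51.100.1"}


if __name__ == "__main__":
    print(dispatch(SAMPLE_EVENT, SAMPLE_TEMPLATE, ["192.0.2.10", "198.51.100.1"],
                   offline_probe, SAMPLE_COMMAND, timeout=5))
    # Isolated server: neither conditional answers, so the alert is withheld.
    print(dispatch(SAMPLE_EVENT, SAMPLE_TEMPLATE, ["192.0.2.10"], lambda ip: False))
```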

Associating Commands to individual Alerts

Builtin Alert Response Scripts

Examples

Pix Response Example

Portscanning new hosts that join your network

Restarting IIS on a Windows WebServer

Managing Host Names

Using this console, you can manage Netmon's name database, which contains a variety of NetBIOS, DNS and user-defined host names. Each of these host names maps to an IP address, and often many different host names map to the same IP address. This console allows you to manage names for any host (and even to include your own user-defined labels) as well as search Netmon's database for host names which match particular search criteria.

Searching for Hostnames

To search Netmon's name database, enter a search string in the Search Text/IP Address: box on the Hostname Management console, then click the Search button. (For example, to search for all hostnames which contain the text "google", simply enter google into the Search Text/IP Address: box.)

If you wish, you can restrict your search to NetBIOS names only, DNS names only, HTTP Requests only, or user-defined names only.

Removing a Host Name

In some cases, a host name may no longer be accurate or relevant. In these cases, you'll want to trim Netmon's name database by deleting inaccurate or outdated names.

To delete any name, simply click the Delete link in the Actions column beside the particular name which you wish to remove. You'll be prompted to confirm that you really do wish to delete this name from the database. If you're certain, click the OK button to proceed, and Netmon will remove the name from its database.

Adding a User Defined Host Name

You can apply your own friendly host name to any IP address. Click the Add New Host button in the Manage Hostname Database panel. An editing window will open in the Settings Editor panel on the right side of the screen.

Enter the IP address and label, and then click the Add Hostname button. Your IP address will now appear as your friendly label throughout the Netmon application.

Managing Filter Collections

One of the most powerful features in Netmon is the use of filters. Filters allow you to look for specific kinds of traffic, or narrow your view to a certain set of IP addresses - or both! You can use filters in the Visual Network Explorer (VNE) and they can also be used when creating reports. Netmon uses two kinds of filters:

Traffic Filters

Traffic filters allow you to refine your view (or a report) to look for specific TCP or UDP ports or protocols. You can look for an individual protocol/port combination (i.e. UDP 514) or you can include a wide range of different ports into a single filter.

Netmon ships with a series of built-in traffic filters, but you can also create your own traffic filters in the Settings > Filter Collections > Traffic Filters console.

Host Filters

Host filters permit you to create logical groups of hosts, and narrow your search to a specific IP address, or a group of related IP addresses. You can assign a friendly name to this group.

Netmon does not ship with any predefined host filters, as these are dependent on the IP addresses which are important to you. You can create your own host filters in the Settings > Filter Collections > Host Filters console.

Managing Network Ranges

For reporting and automatic discovery services, Netmon needs to know the IP range(s) that belong to you. In many cases, your network range(s) will be LAN addresses which use non-routable IP ranges (such as 192.168.xxx.xxx or 10.xxx.xxx.xxx) - however this does not necessarily have to be the case. (When monitoring a WAN, for example, remote IP ranges could be listed here).

Each range should consist of a block of addresses, such as:

  • 10.10.1.1 to 10.10.1.255 or
  • 10.10.2.1 to 10.10.3.100

Adding a New Network Range

To add a new IP range to Netmon's database, press the Add New Network Range button, under Settings > Define Network Range(s), which makes an editing window visible. Enter the following values in the boxes provided:

Starting Address The starting IP address of a contiguous block.

Ending Address The ending IP address of a contiguous block.

Enable SNMP AutoDiscovery A checkbox indicating whether Netmon should attempt to scan this range for SNMP-capable devices. If you do not want Netmon to perform automatic device discovery on this range, uncheck this box.

Enable Background Port Scans A checkbox indicating whether Netmon should attempt to perform background port scans against devices in this range. If you do not want Netmon to perform automatic port scans on this range, uncheck this box.

Once the correct information has been entered, press the Add Network button.
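The range records described above, handled as an added example (not Netmon's own code): validating a Starting/Ending Address pair as one contiguous block, expressing it as CIDR prefixes, classifying an address as local for reporting, flagging overlapping ranges, and listing which blocks the background port scanner would touch. The ranges are constructed from the two sample blocks in the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class NetworkRange:
    """One row of the Define Network Range(s) console."""
    starting_address: str
    ending_address: str
    snmp_autodiscovery: bool = True
    background_port_scans: bool = True

    def bounds(self) -> Tuple[IPAddress, IPAddress]:
        """Validate the pair as a contiguous block and return it as addresses."""
        start = ipaddress.ip_address(self.starting_address)
        end = ipaddress.ip_address(self.ending_address)
        if start.version != end.version:
            raise ValueError("start and end must be the same IP version")
        if start > end:
            raise ValueError("ending address precedes starting address")
        return start, end

    def as_networks(self) -> List[str]:
        """Express the block as the smallest set of CIDR prefixes covering it."""
        start, end = self.bounds()
        return [str(n) for n in ipaddress.summarize_address_range(start, end)]

    def __contains__(self, ip: str) -> bool:
        start, end = self.bounds()
        addr = ipaddress.ip_address(ip)
        return addr.version == start.version and start <= addr <= end


def is_local(ip: str, ranges: List[NetworkRange]) -> bool:
    """True when an address lies in any defined range (a 'local' endpoint in reports)."""
    return any(ip in r for r in ranges)


def overlapping_ranges(ranges: List[NetworkRange]) -> List[Tuple[int, int]]:
    """Index pairs of ranges that share at least one address."""
    overlaps = []
    for i in range(len(ranges)):
        s1, e1 = ranges[i].bounds()
        for j in range(i + 1, len(ranges)):
            s2, e2 = ranges[j].bounds()
            if s1.version == s2.version and s1 <= e2 and s2 <= e1:
                overlaps.append((i, j))
    return overlaps


def scan_targets(ranges: List[NetworkRange]) -> List[str]:
    """CIDR blocks the Background Port Scanning Service would probe, i.e. every
    range whose Enable Background Port Scans box is still checked. Worth reviewing
    before that service is started."""
    targets = []
    for r in ranges:
        if r.background_port_scans:
            targets.extend(r.as_networks())
    return targets


# Constructed ranges, using the two example blocks from the text.
RANGES = [
    NetworkRange("10.10.1.1", "10.10.1.255"),
    NetworkRange("10.10.2.1", "10.10.3.100", background_port_scans=False),
]

if __name__ == "__main__":
    for r in RANGES:
        print(f"{r.starting_address} to {r.ending_address} ->", ", ".join(r.as_networks()))
    print("scan targets:", scan_targets(RANGES))
    print("overlaps:", overlapping_ranges(RANGES + [NetworkRange("10.10.3.0", "10.10.3.255")]))
```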

Modifying an IP Range

To make changes to an existing IP Range, locate it in the Manage Network Range(s) panel, and click the Edit link next to the range you wish to modify.

Make the necessary changes to your IP Range in the Settings Editor window, and then click the Update Network Range button.

Removing an IP Range from the Database

To remove an IP range from the Netmon database, simply locate it in the Manage Network Range(s) panel, and click the Delete link next to the range you wish to delete.

Using the Netmon Update Service

The Netmon Update Service is a background service that checks for new patches or updates for your Netmon product automatically, every 24 hours. This service is capable of updating any component of your Netmon system, including:

  • Operating System / Security Updates
  • Background Services / Netmon Engine
  • Application / Middleware
  • User Interface and Documentation

The Netmon Update Service uses the RSYNC protocol to communicate with the update server at Netmon headquarters. It therefore requires your Netmon server appliance to establish outbound connections on TCP Port 873. If your firewall rules do not permit this type of connection, you'll need to install updates manually from CD-ROM.

Checking for Updates Manually

You can also force Netmon to check for new updates anytime outside of its normal 24 hour interval. For example, you may be instructed by Netmon Technical Support personnel to request an update, or you may wish to apply a new update ahead of schedule. To manually trigger an update request, take the following steps:

1. Click the Settings button in the top toolbar.

2. Choose Netmon Update Service from the Settings Explorer tree.

3. Click the Check for New Updates Now button.

Installing Updates from CD-ROM

If your network does not permit outbound connections on TCP Port 873, you will need to apply patches and updates manually from a CD-ROM image, which is available at the following location:

Link: http://www.netmon.ca/support/downloads/

Managing the Port Label Database

When Netmon recognizes a particular port (i.e. TCP port 80) it applies a friendly label (i.e. HTTP) from this table. Netmon ships with nearly 2,000 built-in port labels.

To manage the port label database, click Settings > Port Label Database.

Adding a New Port Label

To add a new port label to Netmon's database, press the Add New Port Label button, which makes an editing window visible. Enter the following values in the boxes provided:

Transport Layer Choose between TCP and UDP.

Port Number Provide a valid port number, from 1 to 65535.

Label Enter a brief (36 character maximum) friendly label to apply to this protocol/port combination.

Once the correct information has been entered, press the Create Port Label button.

Modifying a Port Label

To change an existing port label, click the Edit link next to the label you wish to modify. An edit window will appear in the Settings Editor on the right side of the screen. Make the desired changes to the transport protocol, port number or label, and click the Update Port Label button to save your changes.

Removing a Port Label from the Database

To remove a port label from the Netmon database, simply click the Delete link next to the particular label you wish to delete. You'll be prompted to confirm each delete operation.

Built-In Protocol Dictionary

If an entry for a particular protocol exists in Netmon's protocol dictionary, Netmon displays it when you click the protocol's friendly label. If Netmon does not recognize the protocol, a generalized entry is displayed.

Managing Netmon System Services

Netmon uses a variety of background services (known as 'daemons' in the UNIX world) to perform its many monitoring tasks. The Netmon Services Manager lets you monitor and manage each of these services for your Netmon server appliance.

Starting and Stopping Services

Each of Netmon's background services can be started or stopped using this console. Under normal operating conditions, it is generally not necessary to start or stop any of these services. However, if you wish to customize various services for different deployment scenarios, or if your Netmon server appliance is behaving unexpectedly, this panel can be a quick way to tell if Netmon's core services are alive and running.

Services that are running are denoted with an 'up' icon, and services which are off have an 'off' icon.

To change the start/stop status of any service, simply click the Start Service or Stop Service button next to the service you wish to modify. Note that changes made in this panel are not preserved after reboot, so they will need to be made again if you need to restart your Netmon server appliance.

Overview of Individual Services

ARP Probe Service Analyzes ARP packets and records MAC/IP pairs. This service is used to support new host detection in the Recently Discovered Hosts panel, on the Netmon Home Dashboard.

Background Port Scanning Service With this service enabled, Netmon performs regular port scans of all of the IP address ranges defined in your Local Network range(s).

Email Alert Service This service supports the forwarding of email alerts to your mail server.

IP Packet Analyzer (Master Process) This is Netmon’s primary network traffic inspection and protocol analysis service. The “IP” is a misnomer – this service is responsible for analyzing network activity at many different OSI layers. This service coordinates each instance of a packet analyzer plugin (see Packet Analyzer Plugins below), allowing incoming data from each interface to be properly managed.

Packet Analyzer Plugins (Interfaces 0 to 3) These plugins examine particular types of network traffic. For example, the mod_eth plugin examines Layer 2 frame activity, while the mod_http plugin looks specifically for HTTP requests at Layer 7. Simply start the desired plugin for each physical interface which is to be monitored for that type of activity.

Name Resolution Service Responsible for resolving DNS and NetBIOS names for hosts which appear in Netmon's protocol analyzers. This service is generally best left active, unless you have specific reasons for not resolving DNS names.

NetFlow Collector This service analyzes incoming NetFlow datagrams and processes them according to the rules and policies set forth in the Devices section and the service configuration settings.

Pager Alert Service This service manages Netmon's pager alert system. If you are not using pager alerts, you can safely stop this service.

Service Monitor This service handles ICMP and TCP Trackers in the Netmon Trackers console. In most cases, this service should be left running.

SNMP AutoDiscovery Service This service scans your Local Network range(s) for SNMP-capable devices, and tries to connect to those devices. If Netmon discovers an SNMP-capable device, it adds it to a list of discovered hosts in the SNMP console.

SNMP Interface Monitor This service monitors and records bandwidth utilization for network interfaces on SNMP-capable devices.

SNMP OID Tracker Service This service is responsible for monitoring user-defined management points on SNMP-capable devices. If you are not monitoring custom Object IDentifiers (OIDs), you can disable this service.

SNMP Trap Handler This service processes and stores SNMP trap messages, and optionally hooks into Netmon's email and pager alert system.

SYSLOG Server Starts and stops Netmon's built-in SYSLOG server. If you are not using the SYSLOG server console, you can safely stop this service.

UNIX Partition Monitoring Service This service is responsible for monitoring Linux/UNIX disks and partitions. If you are not monitoring Linux or UNIX partitions, you can disable this service.

URL Monitoring Service This service is responsible for monitoring websites and web applications. If you are not monitoring these systems, you can disable this service.

Windows Share Monitoring Service This service is responsible for monitoring Windows NT/2000/XP shared folders and disks. If you are not monitoring Windows disks with Netmon, you can safely turn this service off.

Configuring Individual Services

Many Netmon Services have customizable settings. For example, the Email Alert Service allows you to specify SMTP settings for outbound mail alert messages, and the Packet Analyzer Service allows you to adjust your historical data retention policy for that service.

To configure custom parameters for specific services, click the Configure link next to the associated service. You'll be brought to a page where you can configure all available items for that service.

Data Retention Policies

Netmon stores data for a specified period of time. This ensures the disk will not fill up with data as the services continue to log network traffic and other information over long periods of time. Netmon allows you to configure how long data will be stored in the system for each background service. This is configured under Settings > Netmon Services > configure > data_archival. The data_archival setting is specified in weeks. A data_archival setting of 6 weeks means that data will be deleted a month and a half after it is recorded.

Below is a reference to help you find which background service's data retention policy to edit. In the list below, find the feature whose data retention you want to limit, note the service name above it, and click 'configure' next to that service name under Settings > Netmon Services.

Features and Their Associated Background Service
  • Snmp Interface Monitor
    • Bandwidth Activity Report
    • Bandwidth Graphs
    • OID Tracker Report
  • ip plugin
    • Network Activity Report
    • Conversation Report
    • Bandwidth Consumption Report
    • Visual Network Explorer Traffic
  • http plugin
    • Web Traffic report
  • Syslog Server
    • Events and Logs

Changing Service Startup Behavior

By default, Netmon is configured to start most background services when the appliance is booted. However, you may want to configure your system to start additional services (or services on additional network interfaces) upon a system boot. You may also wish to turn certain services off at boot time.

To change the startup behavior for a particular service (or plugin), change the Automatic / Manual flag next to it. Setting a service/plugin to Automatic will tell your Netmon server to start that service/plugin upon system boot. Choosing Manual will tell your system to leave that service off at system boot.

Shutting Down and Restarting the Netmon Server Appliance

To shut down or reboot the Netmon server appliance properly, you'll need to log into the operating system console and issue one of the following commands:

Restarting the Server

To restart the server appliance, issue the following console command, and press Enter when complete:

shutdown -r now

Shutting Down the Server

To shut down the server appliance, issue the following console command, and press Enter when complete:

shutdown -h now

Go To Next Section: Troubleshooting Guide

Go Back: File Management