SourceFiles.org - Use the Source, Luke

What is contained herein:

        COMMENTS
        COMMAND LINE OPTIONS
        DBCONF
        CAVEATS
        DESCRIPTION
        NOTE

COMMENTS

Tvark is necessarily resource-intensive. It is a multithreaded database utility for recording network traffic, and the context switching and per-packet handling alone can keep a CPU at 100%. In addition, running Tvark with the database enabled on a high-traffic network generates a large volume of stored data very quickly, hence the filtering options.

COMMAND LINE OPTIONS

        -d : this flag turns on the database functionality      
        -g : this is the DEFAULT if no flags are provided, and runs the GUI
            without the database.
        -f <filename> : instructs Tvark to use "filename" to draw its database
            configuration.  See DBCONF below.
        -i <interface> : set interface on which to run Tvark

DBCONF

The format of the (optional) configuration file is as follows:

[user[:passwd]@host[:port] [dbname [dbtype]]]

Square brackets represent optional segments -- do not use literal brackets in the configuration file itself. The defaults are:

        user:   current user
        passwd: NULL
        host:   localhost
        port:   3306
        dbname: tvark
        dbtype: mysql

Currently, "mysql" is the only supported database type. Send feedback (or patches) to feedback@tvark.com if you'd like to see your favorite database supported.
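As an added example (not Tvark's own code), the following Python parser applies the DBCONF grammar and defaults above. It assumes the three fields are whitespace-separated, that the first field must contain an "@" as the grammar shows, and that a password containing "@" is split at the last "@"; the `permission_warnings` check is added because the file holds the password in plaintext. Function and class names are the example's own.

```python
import getpass
import os
import stat
from dataclasses import dataclass
from typing import List, Optional

# Defaults as listed in the DBCONF section.
DEFAULT_HOST = "localhost"
DEFAULT_PORT = 3306
DEFAULT_DBNAME = "tvark"
DEFAULT_DBTYPE = "mysql"
SUPPORTED_DBTYPES = {"mysql"}


@dataclass
class DbConf:
    user: str
    passwd: Optional[str]  # None stands in for the documented NULL default
    host: str
    port: int
    dbname: str
    dbtype: str


def parse_dbconf(text: str, current_user: Optional[str] = None) -> DbConf:
    """Parse '[user[:passwd]@host[:port] [dbname [dbtype]]]'.

    Fields are whitespace-separated (assumption); an empty or blank file
    yields all defaults. Only the documented dbtype "mysql" is accepted.
    """
    if current_user is None:
        current_user = getpass.getuser()
    user, passwd = current_user, None
    host, port = DEFAULT_HOST, DEFAULT_PORT
    dbname, dbtype = DEFAULT_DBNAME, DEFAULT_DBTYPE

    fields = text.strip().split()
    if len(fields) > 3:
        raise ValueError("expected at most: user[:passwd]@host[:port] dbname dbtype")

    if fields:
        # Split at the LAST '@' so a password containing '@' survives
        # (assumption: the grammar gives no escaping rule).
        cred, at, hostpart = fields[0].rpartition("@")
        if not at:
            raise ValueError("connection field must contain '@host'")
        if cred:
            user, colon, pw = cred.partition(":")
            user = user or current_user
            passwd = pw if colon else None
        host, colon, portstr = hostpart.partition(":")
        host = host or DEFAULT_HOST
        if colon:
            if not portstr.isdigit() or not 1 <= int(portstr) <= 65535:
                raise ValueError(f"bad port {portstr!r}")
            port = int(portstr)
    if len(fields) >= 2:
        dbname = fields[1]
    if len(fields) == 3:
        dbtype = fields[2].lower()
    if dbtype not in SUPPORTED_DBTYPES:
        raise ValueError(f"unsupported dbtype {dbtype!r}; only mysql is supported")
    return DbConf(user, passwd, host, port, dbname, dbtype)


def permission_warnings(mode: int, conf: DbConf) -> List[str]:
    """Warnings for a config file whose st_mode is `mode`. The password is
    stored in plaintext, so group/world read access leaks it to every local
    user, and write access lets another user repoint the database."""
    warnings = []
    if conf.passwd is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        warnings.append("file holds a password but is readable by others (chmod 600 it)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        warnings.append("file is writable by others; they could redirect captures to their own server")
    return warnings


def load_dbconf(path: str) -> DbConf:
    """Read and parse a DBCONF file (the -f argument), printing any permission warnings."""
    mode = os.stat(path).st_mode
    with open(path, encoding="utf-8") as fh:
        conf = parse_dbconf(fh.read())
    for w in permission_warnings(mode, conf):
        print(f"warning: {path}: {w}")
    return conf
```

Pass the text of the -f file to parse_dbconf, or its path to load_dbconf, which additionally warns when the file is readable or writable by other local users.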

CAVEATS

Tvark must be run as root to place the interface in promiscuous mode. Note also that the DBCONF file may contain the database password in plaintext; keep it readable only by the account that runs Tvark.

DESCRIPTION

Tvark is a network monitoring tool (sniffer) with a GUI front end, tied to a MySQL database. The GUI shows the traffic visible from the machine/interface on which Tvark runs: a list of source nodes on the left, destination nodes on the right, and lines drawn left to right showing traffic flow. Tvark runs in "real time", meaning you see the traffic roughly as it happens; there is a small delay between actual traffic flow and the display because traffic information must be buffered to determine rate information. The color of the nodes, and of the lines between them, indicates the rate of traffic.

The database is set up to record traffic based on the filtering options selected in the GUI. This will change in a future release so that database population has its own filtering options and does not require running the GUI.

What we are looking to provide is a forensic tool that meets two needs. First, an admin should be able to get a 'feel' for traffic on the network by running the GUI, and quickly and visually pick out traffic of interest. Second, a simple database of traffic information lets us, and anyone else, build forensic modules that display traffic information in a customized (and thereby useful) way.

Tvark's user interface:

File | Options          -> popup the Options dialog
File | Exit             -> quit
Filter | All            -> set filtering options to show all traffic
Filter | By Address     -> popup the By Address dialog
Filter | Arp | All      -> set filtering options to show all Arp traffic
Filter | IP 
    | All               -> set filtering options to show all IP traffic
    | By Port           -> popup the By Port dialog, filter on IP & Port(s)
    | ICMP | All        -> set filtering options to show all ICMP traffic
           | Request    -> set filtering options to show ping requests only
           | Reply      -> set filtering options to show ping replies only
           | Pair       -> set filtering options to show ping pairs only
    | IGMP              -> set filtering options to show all IGMP traffic
    | TCP  | All        -> set filtering options to show all TCP traffic
           | By Port    -> popup the By Port dialog, filter on TCP & Port(s)
           | http       -> set filtering options to show HTTP traffic only
           | ftp        -> set filtering options to show FTP traffic only
           | ssh        -> set filtering options to show SSH traffic only
    | UDP  | All        -> set filtering options to show all UDP traffic
           | By Port    -> popup the By Port dialog, filter on UDP & Port(s)

The options dialog has three settings: the buffer size, the minimum rate, and the maximum rate.

The buffer size sets how long, in seconds, packet information persists. A longer buffer gives a better average rate for bursty traffic, but the GUI responds correspondingly more slowly to changes. The default is 10 seconds; this is arbitrary, but seems to work well enough.

The rate settings are the thresholds for the color gradient: the maximum corresponds to red, the minimum to blue. Setting the minimum greater than the maximum shows all traffic as blue; this is expected behavior.
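To make the buffer-size and rate-threshold trade-offs concrete, here is an added Python example (not Tvark's code) of a sliding-window rate meter and the blue-to-red mapping. The names (`RateMeter`, `rate_to_color`, `window_comparison`, the constructed `BURST` sample) are the example's own; it assumes timestamps are fed in non-decreasing order and that rate is measured in bytes per second.

```python
from collections import deque
from typing import Dict, Iterable, List, Tuple

BLUE = (0, 0, 255)
RED = (255, 0, 0)


class RateMeter:
    """Bytes seen in the last `buffer_seconds`, reported as bytes/second.
    Timestamps passed to add() are assumed to be non-decreasing."""

    def __init__(self, buffer_seconds: float = 10.0):
        if buffer_seconds <= 0:
            raise ValueError("buffer size must be positive")
        self.window = float(buffer_seconds)
        self.samples = deque()  # (timestamp, bytes) in arrival order
        self.total = 0

    def _expire(self, now: float) -> None:
        # Drop samples that have aged out of the window.
        while self.samples and now - self.samples[0][0] >= self.window:
            _, nbytes = self.samples.popleft()
            self.total -= nbytes

    def add(self, ts: float, nbytes: int) -> None:
        self.samples.append((ts, nbytes))
        self.total += nbytes
        self._expire(ts)

    def rate(self, now: float) -> float:
        """Average bytes/second over the window ending at `now`."""
        self._expire(now)
        return self.total / self.window


def rate_to_color(rate: float, min_rate: float, max_rate: float) -> Tuple[int, int, int]:
    """min_rate -> blue, max_rate -> red, linear in between, clamped outside.
    A minimum at or above the maximum leaves no usable gradient, so
    everything is drawn blue, as the Options text says for min > max."""
    if min_rate >= max_rate:
        return BLUE
    t = (rate - min_rate) / (max_rate - min_rate)
    t = max(0.0, min(1.0, t))
    red = int(255 * t + 0.5)
    return (red, 0, 255 - red)


def window_comparison(samples: Iterable[Tuple[float, int]], now: float,
                      windows: Iterable[float]) -> Dict[float, float]:
    """Rate reported for the same traffic under several buffer sizes."""
    samples = list(samples)
    result = {}
    for w in windows:
        meter = RateMeter(w)
        for ts, nbytes in samples:
            meter.add(ts, nbytes)
        result[w] = meter.rate(now)
    return result


# Constructed sample: a 50 KB burst within the first second, then silence.
BURST: List[Tuple[float, int]] = [(0.0, 10_000), (0.2, 10_000), (0.4, 10_000),
                                  (0.6, 10_000), (0.8, 10_000)]

if __name__ == "__main__":
    for now in (1.5, 3.0):
        for w, r in window_comparison(BURST, now, (2.0, 10.0)).items():
            print(f"t={now:3.1f}s buffer={w:4.1f}s rate={r:8.1f} B/s "
                  f"color={rate_to_color(r, 0, 10_000)}")
```

Run as a script it shows the trade-off: at t=1.5 s the 2-second buffer reports the burst at its peak while the 10-second buffer averages it down, and at t=3 s the short buffer has already forgotten the burst entirely while the long one still shows it.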

The address dialog has two checkboxes for activating filtering on source and/or destination addresses. Under each checkbox are four boxes for entering an IP address, plus a CIDR box for netmasking: enter a host IP address, then set the CIDR mask to widen the match from that single host to a range of addresses. The CIDR mask defaults to 0 (zero), which Tvark treats as "this single host" (not as the standard /0, which would match every address).

The port dialog accepts a comma-delimited list of ports and/or port ranges (e.g. 12,23,60-120,232).
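The following added Python example (not Tvark's code) implements the address and port matching that the two dialogs above describe, including Tvark's "CIDR 0 means a single host" convention and the comma/range port syntax. It assumes IPv4 addresses, that a port filter matches either endpoint of a packet, and that the http/ftp/ssh menu presets use the usual ports 80/21/22 (the page does not say); the `Filter` class, `apply_filter`, and the constructed `PACKETS` list are the example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


def parse_port_spec(spec: str) -> Set[int]:
    """'12,23,60-120,232' -> {12, 23, 60..120, 232}. Rejects malformed items."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo_s, sep, hi_s = item.partition("-")
        lo_s = lo_s.strip()
        hi_s = hi_s.strip() if sep else lo_s
        if not (lo_s.isdigit() and hi_s.isdigit()):
            raise ValueError(f"bad port item {item!r}")
        lo, hi = int(lo_s), int(hi_s)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def address_matches(addr: str, filter_ip: str, cidr: int) -> bool:
    """Tvark's dialog treats CIDR 0 as 'exactly this host' (the default),
    not as the standard /0 that would match every address."""
    if cidr == 0:
        return ipaddress.ip_address(addr) == ipaddress.ip_address(filter_ip)
    if not 1 <= cidr <= 32:
        raise ValueError("CIDR mask must be 0..32 for IPv4")
    net = ipaddress.ip_network(f"{filter_ip}/{cidr}", strict=False)
    return ipaddress.ip_address(addr) in net


class Filter:
    """One combination of the menu/dialog settings: protocol, optional
    source and destination (ip, cidr) pairs, optional port set."""

    def __init__(self, proto: Optional[str] = None,
                 src: Optional[Tuple[str, int]] = None,
                 dst: Optional[Tuple[str, int]] = None,
                 ports: Optional[Set[int]] = None):
        self.proto, self.src, self.dst, self.ports = proto, src, dst, ports

    def matches(self, pkt: Dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and not address_matches(pkt["src"], *self.src):
            return False
        if self.dst is not None and not address_matches(pkt["dst"], *self.dst):
            return False
        if self.ports is not None:
            # Assumption: a port filter matches either endpoint of the packet.
            if pkt.get("sport") not in self.ports and pkt.get("dport") not in self.ports:
                return False
        return True


def apply_filter(flt: Filter, packets: List[Dict]) -> List[Dict]:
    return [p for p in packets if flt.matches(p)]


# Assumed port numbers for the TCP submenu presets (not stated on the page).
PRESETS = {
    "http": Filter("tcp", ports={80}),
    "ftp": Filter("tcp", ports={21}),
    "ssh": Filter("tcp", ports={22}),
}

# Constructed sample traffic; addresses are from documentation ranges.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 51000, "dport": 22},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "192.0.2.10", "sport": 51001, "dport": 80},
    {"proto": "udp", "src": "10.0.0.5", "dst": "192.0.2.53", "sport": 51002, "dport": 53},
    {"proto": "icmp", "src": "10.0.1.5", "dst": "192.0.2.10"},
    {"proto": "arp", "src": "10.0.0.1", "dst": "10.0.0.5"},
]

if __name__ == "__main__":
    subnet = Filter(src=("10.0.0.0", 24))
    print("from 10.0.0.0/24:", len(apply_filter(subnet, PACKETS)))
    print("ssh preset:", apply_filter(PRESETS["ssh"], PACKETS))
    print("ports 12,23,60-120,232 ->", sorted(parse_port_spec("12,23,60-120,232"))[:5], "...")
```

The `address_matches` check is where the dialog's convention bites: a filter of 10.0.0.5 with the default CIDR of 0 matches only that host, whereas a CIDR of 24 matches the whole 10.0.0.0/24 range. A malformed port item such as "120-60" is rejected rather than silently matching nothing.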

NOTE

This project is under development; we are having a good time with it and hope you do as well. Please provide any feedback, comments, or bug reports to feedback@tvark.com.
Thanks.


Copyright 2006 Sourcefiles.org All rights reserved.