Welcome to TrfWatch, a real time Network Traffic Monitor, with summaries being 
saved to Disk. Please take time to read this. It won't take too long, but 
should help in running the program.

I developed this program because the commercial programs were just too 
expensive for the budget at work, and also most of the commercial programs
did not save summaries to disk.

This program is e-mail ware. If you like it, please e-mail me. My address is 
at the bottom. If you really like it, I won't refuse a donation. Or send a 
donation to your favorite charity (and maybe even get a tax-deductible 
receipt). Need a favorite charity?? I work for Prairie Bible Institute here 
in Three Hills, a non-profit educational Institute. Their mailing address is:

Prairie Bible Institute
Box 4000
Three Hills, AB  T0M-2N0
Canada

Feel free to copy this program. Please include all the files (trfwatch.exe, 
litt.chr, readme.txt, and namefile.txt) if you do copy it for somebody else.

What you need to run TrfWatch:

This program. I would recommend that it goes in a subdirectory by itself, 
    along with the namefile.txt and litt.chr files. Make this subdirectory the 
    default, as the disk files (see below) go into the default subdirectory, 
    and the program expects to find namefile.txt in the default subdirectory.

640K RAM (yup, you read right, no extended memory needed unless your version 
    of DOS wants/needs it). Actually it will run with about 400K free RAM.

VGA Monitor (the program uses 640 * 480 resolution, 16 color)

486 66Mhz computer (or faster). If you don't have much traffic, a slower 
    computer might work. The screen updates look a bit ragged on slower
    computers. I've got it running on a 486DX 33, and outside of screen
    updates being slow, it's working. Traffic is quite low (under 2% average)
    on the subnet it is watching.

MSDOS (not Windows 95 DOS Box). I haven't tried different versions, but I 
    think any version 5.00 or later will work just fine.

Ethernet Network. I don't think this will work in a Token Ring network, but
    I have no way of verifying that.

Network Card with Packet Driver. I am assuming that if you are interested in
    monitoring traffic, you know enough about computers to load a Packet
    Driver on your computer. I've only tested this using 10Mhz network card.
    Some of the internal variables will probably not work if used on a 100Mhz 
    network card hooked to a 100Mhz hub/switch. (Maybe next version).

I've only tested this on a Class C subnet with about 150 users. I know a full
Class C subnet can take 253 users, and I think the program will work fine with
that. A Class B might cause problems, again due to storage space of internal
variables. Obviously (or maybe not so obvious), this program will only monitor 
what it can see. It can't monitor beyond switches or routers. It doesn't do
any SNMP stuff either.


Installation:
    If you are reading this, then you have the program installed. It is a DOS
    program. There are no other files installed other than what is in the
    subdirectory where you are reading this. No other files or settings are
    modified in any way by running this program.

UnInstall:
    If you installed it in a subdirectory by itself, just delete all the files
    in the subdirectory, and delete the subdirectory. Otherwise the files to
    delete are:
    TrfWatch.exe, Litt.chr, NameFile.txt, T*.log, and maybe History.dat


Special note about namefile.txt:
    This is a text file. If you open it using Edit (or Notepad), you will see 
    that there are two entries. Each entry consists of a MAC address and a
    user friendly name. Notice the quotes around each part. You can add your
    own MAC addresses and computer names. Please do it alphabetically, as this
    program doesn't sort the data as it is read in. I put my computers' MAC
    addresses in, then used the DOS SORT utility to sort it. Also note there
    is a dummy line at the bottom. Please keep the dummy line in. The program
    doesn't like to read the last line of a file, so having a dummy line
    solves that problem. TrfWatch will give the user friendly name for MAC
    addresses it can "translate"; otherwise it will give the MAC address.
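Here is a small helper, added to this readme and not part of TrfWatch itself, that keeps a namefile.txt in the shape the program expects: it parses the quoted MAC/name pairs, checks they are already in sorted order (TrfWatch does not sort on read), inserts a new entry in the right place, and keeps the dummy line last. The exact MAC spelling and the dummy line's text are assumptions; the readme does not fix them.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample namefile.txt. Assumed layout: one entry per line, MAC and
# friendly name each in double quotes, plus a dummy last line the program never
# reads. "ZZ-..." is just a value that DOS SORT would still leave at the bottom.
SAMPLE_NAMEFILE = '''"00-00-C0-11-22-33" "FileServer"
"00-60-97-AA-BB-CC" "Mark PC"
"ZZ-ZZ-ZZ-ZZ-ZZ-ZZ" "dummy - keep this line last"
'''

ENTRY_RE = re.compile(r'^\s*"([^"]*)"\s+"([^"]*)"\s*$')

def parse_namefile(text: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split the file into (mac, name) entries and the trailing dummy line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("namefile.txt must end with a dummy line")
    entries = []
    for ln in lines[:-1]:               # last line is the dummy, not an entry
        m = ENTRY_RE.match(ln)
        if not m:
            raise ValueError(f"malformed entry: {ln!r}")
        entries.append((m.group(1), m.group(2)))
    return entries, lines[-1]

def check_sorted(entries: List[Tuple[str, str]]) -> bool:
    """TrfWatch reads entries as-is, so MACs must already be in SORT order."""
    macs = [mac.upper() for mac, _ in entries]
    return macs == sorted(macs)

def add_entry(text: str, mac: str, name: str) -> str:
    """Insert a MAC/name pair in sorted position and keep the dummy line last."""
    entries, dummy = parse_namefile(text)
    if any(m.upper() == mac.upper() for m, _ in entries):
        raise ValueError(f"{mac} already present")
    entries.append((mac, name))
    entries.sort(key=lambda e: e[0].upper())
    body = "".join(f'"{m}" "{n}"\n' for m, n in entries)
    return body + dummy + "\n"

def lookup(entries: List[Tuple[str, str]], mac: str) -> str:
    """Mimic TrfWatch: friendly name if known, otherwise the raw MAC address."""
    for m, n in entries:
        if m.upper() == mac.upper():
            return n
    return mac
```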
   
About the program:

It can take two parameters. 
     'D0' or 'D1'. 'D0' means that there will be no disk summaries. 
     'D1' means there will be disk summaries. 'D1' is default.
     'S1' - 'S5'. How many seconds between screen updates. 'S1' is every 
          second and is the default, 'S5' means the screen will be updated
          every 5 seconds.
  e.g. TrfWatch d0 s3 (notice the parameters are not case sensitive). This 
          means that there will be no disk summaries, and the screen will be
          updated every 3 seconds.
       TrfWatch   This means that there will be disk summaries, and the screen
          will be updated every second.

As you start the program, it does some initialization, then goes into a 
graphic screen mode. Here is what you see on the screen.

Upper Left is a bar graph of the last 120 time units showing either Frames 
per time unit or % Bandwidth per time unit (more on time units later)

Upper Right are two bars, one showing current Bandwidth and one showing 
number of frames. These are updated every second, and if the screen update is
not every second, will show the bandwidth and frames for the last second.

Then there are 4 major bar graphs. Upper Left of the 4 is Top Links. This 
shows the 5 Top Links (user to user or user to server). Upper Right shows 5 
top Users. Lower Left shows 5 Top Protocols (IP, Netware, Lantastic, ARP, 
DECNet, and Other). Lower Right shows the 5 top IP Types (SMTP, HTTP, NetBios,
DNS, POP, etc).

At the bottom, there are some help hints. Pressing the following letters does
the following (you can press the upper case or lower case).

 F: Switches between showing frames per time unit or % of Bandwidth used per 
    time unit. Default is % Bandwidth used. (see T: for time units)
      
 T: Switches between time units of seconds, minutes and hours. Default Time 
    unit is every second. You will see on the bar graph in the top upper left, 
    there are three times just below the chart. In the default time unit of 
    every second, the three times are 1 minute apart. There are 120 little 
    bars (60 seconds per minute gives 2 minutes). Press T once, and the time
    unit is Minutes (the times show every hour). Press it again, and the time
    unit is Hours, with the middle time 60 hours (2-1/2 days) earlier and the
    first time 120 hours (5 days) earlier. Great to get a quick overview of 
    what happened over the weekend.

 A: Switches between Accumulated and Current Modes. The 4 middle graphs switch
    between these two. Accumulated shows the number of bytes since the program
    started running. Current shows the past second.

 R: Reset Accumulated Numbers to Zero.

 Esc: Exits the program (first writing summaries to disk if requested).


Every 15 minutes, the following is written to disk (if disk summaries are on):

% Bandwidth Usage per minute for the past 15 minutes (15 numbers)
Frames per minute for the past 15 minutes (again 15 numbers)
Number of Bytes for each link in the past 15 minutes
Number of Bytes for each user in the past 15 minutes
Number of Bytes for each protocol in the past 15 minutes
Number of Bytes for each IPType in the past 15 minutes

The naming convention of these files is as follows:
Tyymmdd.hhl where T is the letter T.
            where yy is year (2000 is 00)
            where mm is month
            where dd is day
            where hh is hour
            where l is A, B, C or blank. Blank means on the hour, A means 15
                  minutes past, B is 30 minutes past, and C is 45 minutes past.

EG. T000113.15C is January 13, 2000 at 15:45 (3:45 p.m.).
    T030530.04  is May 30, 2003 at 4:00 a.m.

Obviously, the data on the files is what has happened in the previous 15 
minutes. The data on the files is all in text, so you can do whatever you want
or need to do to make reports, or analyze the data any which way you want.
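Since the summaries are plain text files named by timestamp, a first step in any reporting is to turn the Tyymmdd.hhl names back into times. The helper below is an added example (not part of TrfWatch): it decodes a name, gives the 15-minute window the file covers, sorts a list of names chronologically, and flags gaps such as the daily stop to copy files. It assumes two-digit years 00-79 mean 2000-2079.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Tyymmdd.hhl: l is A (:15), B (:30), C (:45) or blank (on the hour).
LOGNAME_RE = re.compile(r'^T(\d{2})(\d{2})(\d{2})\.(\d{2})([ABC]?)$', re.IGNORECASE)
QUARTER = {"": 0, "A": 15, "B": 30, "C": 45}
WINDOW = timedelta(minutes=15)          # each file covers the previous 15 minutes

def decode_logname(name: str) -> Optional[datetime]:
    """Timestamp at which a summary file was written, or None if the name
    does not follow the Tyymmdd.hhl convention (e.g. namefile.txt)."""
    m = LOGNAME_RE.match(name)
    if not m:
        return None
    yy, mo, dd, hh, letter = m.groups()
    # Assumption (not stated in the readme): 00-79 -> 2000s, 80-99 -> 1900s.
    year = (2000 if int(yy) < 80 else 1900) + int(yy)
    try:
        return datetime(year, int(mo), int(dd), int(hh), QUARTER[letter.upper()])
    except ValueError:                  # e.g. month 13 or hour 25
        return None

def window(name: str) -> Tuple[datetime, datetime]:
    """(start, end) of the 15-minute interval the file reports on."""
    end = decode_logname(name)
    if end is None:
        raise ValueError(f"not a TrfWatch summary name: {name!r}")
    return end - WINDOW, end

def sort_lognames(names: List[str]) -> List[str]:
    """Chronological order of summary files; non-summary names are dropped."""
    decoded = [(ts, n) for n in names if (ts := decode_logname(n)) is not None]
    return [n for _, n in sorted(decoded)]

def find_gaps(names: List[str]) -> List[Tuple[datetime, datetime]]:
    """Intervals with no summary, e.g. while the program was stopped to copy
    files. Each gap is (first missing slot, next file that was written)."""
    stamps = [decode_logname(n) for n in sort_lognames(names)]
    return [(a + WINDOW, b) for a, b in zip(stamps, stamps[1:]) if b - a > WINDOW]
```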

To get the data, you will need to exit the program. I do some reporting etc on
a different computer. Every day I exit the program, copy the files, then start
the program again. So my monitoring is down for a few minutes each day. I pick
a time when the traffic is light so as not to miss too much.


More Technical Stuff:

This program uses a Packet Driver as the interface between it and the network.
By design, packet drivers don't handle bad packets, CRC errors etc. So my 
program makes no attempt to handle them either. I assume that all packets that
my program reads are good packets. Because this isn't 100% true in the real
world, the statistics given are not 100% true either. But they should be 
quite close.

This program does not capture packets for later inspection. It only looks at
the headers to get the info it needs. Also it does not do any name translation
(ARP), so you need to fill in the namefile.txt file with the information.


DISCLAIMER:

This software is provided "as is", without any guarantee made
as to its suitability or fitness for any particular use. It may
contain bugs, so use of this tool is at your own risk. I take
no responsibility for any damage that may unintentionally be caused
through its use.


Thanks:

I would like to thank Oliver Rehman for his permission to use his free source
code to capture packets.

Bugs?? (I'll do my best to fix them).

email me at:
mark.reimer@pbi.ab.ca

or write me at: (I don't respond too well to snail mail)

Mark Reimer
Box 4336
Three Hills, AB
T0M-2N0
Canada


Versions:

1.0 This is the first version, so there is no history nor bug fixes.
