<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686) [Netscape]">
<title>NWatch</title>
</head>
<body bgcolor="#FFFFFF">
<table WIDTH="100%" >
<tr BGCOLOR="#2A0D45">
<th ALIGN=CENTER><b><font color="#FFFFFF">NWatch Network Monitor</font></b></th>
</tr>
</table>
NWatch is a security tool useful for network monitoring, policy development,
and certain types of intrusion detection. It maintains state for
the IP traffic it sees on an interface, deducing the state of hosts and
services over a given time span. Using NWatch you can gather
samples from specific nets and verify the traffic is what you expect it
to be.
<p>NWatch is a sniffer but can be conceptualized as a "passive port scanner",
in that it is only interested in IP traffic and it organizes results as
a port scanner would.
<p>Output is in standard nmap machine-readable format, allowing you to
use <a href="http://www.vinecorp.com/ndiff">NDiff</a> and other tools on
the data as you would an ordinary nmap run. It is useful both as an individual
security tool in your arsenal and as a sanity check for <a href="http://www.insecure.org/nmap">nmap</a>
or other port scanners. Owing to its design, NWatch will catch ports
that are opened only transiently, something which a port scanner would
likely miss.
<p>NWatch is known to work on Linux/x86. I have not yet considered
portability, but it may work on other architectures as well.
<p>NWatch requires
<a href="http://www.cpan.org/src">perl</a> 5.005_03,
<a href="http://www.vinecorp.com/ndiff">NDiff-0.05beta2
or later</a>, the <a href="http://search.cpan.org/search?dist=Net-Pcap">Net::Pcap</a>
module and <a href="http://www.tcpdump.org/">libpcap</a>.
<p>Familiarity with NDiff, nmap, and installing perl modules is also very
helpful. Root access to the installation host is also required.<!--
<p>
NMap is available from <A href="http://www.insecure.org/nmap">http://www.insecure.org/nmap</A>.
<p>
Perl is available from all the usual places in
<A HREF="http://www.cpan.org/ports">binary</A> and
<A HREF="http://www.cpan.org/src">source</A> form.
-->
<br>
<table WIDTH="100%" >
<tr BGCOLOR="#2A0D45">
<th ALIGN=CENTER><b><font color="#FFFFFF">Status</font></b></th>
</tr>
</table>
The current release is version 0.02. <a href="Changelog">Changelog</a>
<p>This release introduces true stateful inspection of packets. NWatch
now properly detects closed UDP ports, as well as filtered TCP ports.
The state machine design is still evolving: NWatch can be fooled by
deliberate spoofing, as well as by certain specific everyday cases.
Please email me if you notice questionable results with NWatch.
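<p>How port state can be deduced from observed traffic alone, as an added example that is not part of NWatch or of this page's original text. The packet records are constructed, and the rules (SYN/ACK means open, RST means closed, an unanswered SYN means filtered, ICMP port unreachable means closed UDP), the <code>timeout</code> value and all function names are assumptions rather than NWatch's actual state machine; the output imitates nmap's machine-readable <code>Host: ... Ports: ...</code> lines.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic):
# (time_s, src, dst, proto, sport, dport, tcp_flags)
# For "icmp-unreach" rows, sport/dport are the ports of the quoted UDP datagram.
PACKETS = [
    (0.0, "10.0.0.9", "10.0.0.5", "tcp", 40000, 22, "S"),
    (0.1, "10.0.0.5", "10.0.0.9", "tcp", 22, 40000, "SA"),   # SYN/ACK
    (1.0, "10.0.0.9", "10.0.0.5", "tcp", 40001, 23, "S"),
    (1.1, "10.0.0.5", "10.0.0.9", "tcp", 23, 40001, "RA"),   # RST
    (2.0, "10.0.0.9", "10.0.0.5", "tcp", 40002, 80, "S"),    # never answered
    (3.0, "10.0.0.9", "10.0.0.5", "udp", 40003, 161, ""),
    (3.1, "10.0.0.5", "10.0.0.9", "icmp-unreach", 40003, 161, ""),
    (9.0, "10.0.0.9", "10.0.0.5", "udp", 40004, 53, ""),
    (9.1, "10.0.0.5", "10.0.0.9", "udp", 53, 40004, ""),
]

def deduce(packets, timeout=5.0):
    """Return {host: {(port, proto): state}} deduced from observed packets."""
    state = defaultdict(dict)
    pending = {}  # (client, cport, server, sport, proto) -> time first seen
    for t, src, dst, proto, sport, dport, flags in sorted(packets):
        if proto == "icmp-unreach":
            # Port unreachable sent by the server about a pending UDP datagram.
            if pending.pop((dst, sport, src, dport, "udp"), None) is not None:
                state[src][(dport, "udp")] = "closed"
            continue
        request = (dst, dport, src, sport, proto)  # flow this packet would answer
        if request in pending and flags != "S":
            del pending[request]
            state[src][(sport, proto)] = "closed" if "R" in flags else "open"
        elif proto == "udp" or flags == "S":
            pending.setdefault((src, sport, dst, dport, proto), t)
    end = max(p[0] for p in packets)
    for (_, _, server, port, proto), t in pending.items():
        # A SYN that drew no reply at all within the timeout: treat as filtered.
        if proto == "tcp" and end - t >= timeout:
            state[server].setdefault((port, proto), "filtered")
    return state

def to_grepable(state):
    """Render the table as nmap-style 'Host: ... Ports: ...' lines."""
    lines = []
    for host in sorted(state):
        ports = ", ".join(f"{port}/{st}/{proto}/////"
                          for (port, proto), st in sorted(state[host].items()))
        lines.append(f"Host: {host} ()\tPorts: {ports}")
    return lines

if __name__ == "__main__":
    print("\n".join(to_grepable(deduce(PACKETS))))
```

This sketch accepts every matching reply as genuine, so a forged packet changes the resulting table.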
<br>
<table WIDTH="100%" >
<tr BGCOLOR="#2A0D45">
<th ALIGN=CENTER><b><font color="#FFFFFF">Download NWatch</font></b></th>
</tr>
</table>
<a href="ftp://ftp.vinecorp.com/pub/nwatch/">FTP</a>
<p>See the included file INSTALL for installation instructions. See the
NWatch_Quickstart manpage for usage instructions.
<p>NWatch is released under the GPL. See the file COPYING included with
this distribution for terms and conditions for use of this software.
<table WIDTH="100%" >
<tr BGCOLOR="#2A0D45">
<th ALIGN=CENTER><b><font color="#FFFFFF">Documentation</font></b></th>
</tr>
</table>
<a href="nwatch_manpage.html">nwatch manpage</a>
<br>
<table WIDTH="100%" >
<tr BGCOLOR="#2A0D45">
<th ALIGN=CENTER><b><font color="#FFFFFF">Help!</font></b></th>
</tr>
</table>
I provide support through email as time allows - contact me at the address
below.
<p>I am available for more in-depth support through my consulting company.
If you need help integrating NWatch and other security tools into your
environment, custom programming, etc., please contact me for details.
<table WIDTH="100%" >
<tr BGCOLOR="#2A0D45">
<th ALIGN=CENTER><b><font color="#FFFFFF">Feedback</font></b></th>
</tr>
</table>
<p>Please send questions, comments, requests, patches, bug reports ...
<a href="mailto:jdl@vinecorp.com">jdl@vinecorp.com</a>
</body>
</html>