LabWatcher User Guide

1.       Current Internet Traffic Gauge – Shows the in and out bandwidth at the current moment. It only counts Internet traffic and excludes local traffic. The gauge scale is based on the bandwidth configured in the wizard or settings.

2.       Packet Latency – Shows the latency from when a packet is received, to when it is analyzed, to when it is recorded to the database. As long as the scale is not continually increasing, the system can keep up with the traffic. Double click on the graph to view a larger representation of the data in the main section area.

3.       Bandwidth IN\Out – Shows a graph of the bandwidth in bytes for the last 30 mins. Double click on the graph to get a larger representation of the data that shows the last 24 hours and allows you to see daily, weekly and monthly graphs.

4.       Internet Connection Status – Shows the status of the internet connection over the last 30 mins. By default the internet connection test checks www.google.com; the test is performed every 30 seconds. The First Hop is also tested to check whether the router is connected, and this is graphed separately. Double click on the graph to get a larger representation of the data that shows the last 24 hours and allows you to see daily, weekly and monthly graphs.

5.       Alerts Count – Shows the number of Events that have an alert level greater than 5. Double click on the item to drill into a list of all the alerts in the system.

6.       Asset Count – Shows the number of Assets detected on your local network. Double click to drill into asset lists where you can see most active, most recent and other views.

7.       The World Map – Shows the locations that all your local assets are communicating with. Only destination IP Addresses are plotted and looked up. Double click to open a full-size clickable, scrollable and zoomable map.

8.       Top Assets – Lists the TOP 5 Assets in the network communicating in the past hour. The data rolls over to Zero at the top of the hour. Double click to load Asset bandwidth to the main section.

9.       Top Web Hosts – Lists the Top 5 Web hosts by Page Count. Double click to open Web Hosts to the Main Section.

10.   Top Categories – Lists the Top 5 Categories for the Last Hour. Counts roll over to Zero at the top of the hour. Double Click to Open the Category section.

11.   Top Flows – Shows the top 5 Flows currently. Double click to open a Flow browser to the Main Section.

12.   Navigation Window – Navigate to various data points by clicking on the links. See the Navigation Window Breakdown below.

13.   Main Section – When you double click on something in the navigation window or on a graph, the data is loaded here.

14.   Main Section Navigation

a.       Back Button – Navigate backward to last item displayed in the main section.

b.      Refresh Button – Refresh the current data in the main section

c.       Auto Refresh Checkbox – If checked, the Main Section will auto refresh in the background.

15.   Main Section Selection

a.       Top Record Selector – Only graph this many results; changing the value refreshes the main section.

b.      Section Selector – The section will have many subsections and you choose them here.

16.   Main Menus

a.       Start and Stop Capture – Click this to start capturing packets and click again to stop.

b.      Interface selector – Choose WIFI and Ethernet Interfaces here, only selectable when capture is stopped.

c.       Reports Menu – Run a report; there is only one in the list and it looks piss poor.

Navigation Window Breakdown

Activity Group

Open the Bandwidth Breakdown
Open the Internet Connection Status
Open the Asset Bandwidth section
Open the Category Section
Open the Flows Section
Open the World Map

Network Assets Group

Open the Assets Section
Show the Asset scanner's results.
Show the SSDP devices found on the network.
Show the Cisco Device Packets found on the network.
Show all detected WIFI AP Points, which may have been detected by the remote agents.

Alerts Group

Show all Alerts detected in the system
Show all Events raised by the system
Show all IP Address conflicts detected
Show all Blacklisted Destinations
Show all Inbound Connection requests to all local assets.

IP Host Monitoring Group

Show all Local IP Addresses in use on the network
Show all Local MAC addresses in use on the network
Show all IP addresses in the system
Show all Multicast and broadcast addresses in use on the network

Flows Group

Show the Top Flows graph
Show all the Flows in a spread sheet
Show all the Flow history in a spread sheet

Data Points Group

Show the Protocol Usage of all packets analyzed
Show browsing history logs
Show all TCP Dump capture files you have created; these can be opened and viewed in Wireshark.

Active Processes Group

Show all processes detected by the remote agents
Show all processes that have a network flow that is active.
Show all processes that had previous network flows
Show all new processes added in the last 4 hours.
Show all processes that are running on fewer than 3 computers or have tested positive for infection.
Show all remote agents' open local ports.

Configuration Group

Show the list of MAC Manufacturers
Show the List of Known Ports
Show and Edit the MAC Alias List
Show and Edit the IP Alias List
Show and Edit the Real Time Blacklist Lookup values
Show and Edit all Category Rules
Show and edit all Alert Rules
Change the Settings

Graph and Grid Navigation

Every graph and spread sheet supports drill down and tool tips. You can right click on an item in the graph or a row in the spread sheet and navigate directly to individual items, or left click the item to see current data on it. A menu item is only shown if the graph or sheet data contains the data it needs. Below is the complete menu.

The Source Menu is shown when the item contains a Source MAC address.
The Destination menu is shown when the item contains a Destination IP.
The Flow Menu is shown when the item contains a FLOWID.
The Protocol Menu is shown when the item contains a Protocol ID.
The Web Host menu is shown when the item contains a Host URI.

Show Scale Breaks will toggle the Breaks in the Bar Graphs.
Show Labels will toggle the Labels in the Graphs.
Show Markers will toggle Markers in the Line Graphs.

Export will allow you to save the graph as a Picture or PDF and a sheet as Excel.

Add Mac Alias will take the current item and prompt you for an alias to use for this MAC in the future.
Add IP Alias will take the current item and prompt you for an alias to use for this IP in the future.

The Capture Mac, IP, Flow and Protocol menus turn on capture to a TCPDump file for later viewing in Wireshark. This creates a lot of data; keep an eye on it.

Top Filter Host and URI will allow you to filter the host or URI from the TOP Lists.
Open URI will navigate to the URI in the main Section area.

World Map Navigation

The world map plots the destination IP addresses on the map. The size of the dot is determined by the amount of data transmitted to the end point. The color of the point is green when more data was received than sent and red when more data was sent than received.

Click on the Map Point to see a tool tip about the points under it.

Right click on the Map to get a Menu to open the destination IP in the Main Section.

If the item is in blue then it hosts webpages; the item is followed by the total bytes transferred.

Flow Category Rules

Flows are assigned a category, and this assignment is made by the category rules. You edit the existing rules by opening Flow Category Rules in the navigation menu. From here you can also add a new rule, but the best way to make a new rule is to right click on an existing flow and make a rule based on that flow.

Right click on a Flow and select Create Category Rule to make a rule based on the flow's information.

1.       Select the Category to assign with this rule

2.       Select the local port to match or 0 for ANY Port

3.       Select the Protocol to match or Any for all protocols, OR enter a number for an unlisted protocol.

4.       Select the remote port to match or 0 for ANY port

5.       Select the RegExpression to match the assigned program; this will be the ALIAS of the destination IP if no program can be found.

6.       Select the RegExpression to match the Destination Alias

7.       Select the RegExpression to match the Mac Address

8.       Select the RegExpression to match the Country of the destination IP

9.       Select the RegExpression to match the Destination IP's Blacklist.

10.   Select the RegExpression to match the Datastring returned in the flow.

11.   Select the Flow Type to match or ANYType to match any data type.
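
The matching that these eleven fields describe, as an added Python example that is not LabWatcher's own code: the flow field names, first-match rule ordering and the use of an unanchored regex search are assumptions, and the rules and flow records are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Wildcards as the guide describes them: 0 = any port, "Any" = any protocol, "ANYType" = any flow type.
ANY_PORT, ANY_PROTOCOL, ANY_TYPE = 0, "Any", "ANYType"
# Assumed flow record: a dict with these keys (LabWatcher's internal field names are not in the guide).
FLOW_FIELDS = ("local_port", "protocol", "remote_port", "program", "dest_alias",
               "mac", "country", "blacklist", "datastring", "flow_type")

@dataclass
class CategoryRule:
    category: str
    local_port: int = ANY_PORT
    protocol: object = ANY_PROTOCOL            # "Any" or an IP protocol number such as 6 (TCP) or 17 (UDP)
    remote_port: int = ANY_PORT
    flow_type: str = ANY_TYPE
    regex: dict = field(default_factory=dict)  # field name -> pattern; a field left out matches anything

    def matches(self, flow: dict) -> bool:
        """Every exact field and every regex field must match (rule steps 1 to 11 above)."""
        exact = ((self.local_port, ANY_PORT, "local_port"), (self.protocol, ANY_PROTOCOL, "protocol"),
                 (self.remote_port, ANY_PORT, "remote_port"), (self.flow_type, ANY_TYPE, "flow_type"))
        for wanted, wildcard, name in exact:
            if wanted != wildcard and flow[name] != wanted:
                return False
        return all(re.search(pattern, str(flow[name])) for name, pattern in self.regex.items())

def categorize(flow: dict, rules: list) -> str:
    """Category of the first matching rule (first-match order is an assumption), else 'Uncategorized'."""
    for rule in rules:
        if rule.matches(flow):
            return rule.category
    return "Uncategorized"

def make_flow(**fields) -> dict:
    """Constructed flow record; an unknown program falls back to the destination alias, as step 5 says."""
    flow = {**dict.fromkeys(FLOW_FIELDS, ""), "local_port": 0, "protocol": 0,
            "remote_port": 0, "flow_type": "Unknown", **fields}
    if not flow["program"]:
        flow["program"] = flow["dest_alias"]
    return flow

# Constructed sample rules, most specific first: a blacklist hit wins, then browser HTTPS, then DNS.
RULES = [
    CategoryRule("Blacklisted", regex={"blacklist": r"."}),   # any non-empty blacklist value
    CategoryRule("Web", protocol=6, remote_port=443, regex={"program": r"(?i)chrome|firefox"}),
    CategoryRule("DNS", protocol=17, remote_port=53),
]
```

Calling `categorize(make_flow(protocol=17, remote_port=53, dest_alias="resolver"), RULES)` returns `"DNS"`, while the same flow with a non-empty `blacklist` value returns `"Blacklisted"` because that rule is checked first.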

Settings

Open the Settings to change all the internal workings of the program. Settings are saved to %programdata%\Labwatch\LabWatcherConfig.dat when the program closes. If the program is run as ADMIN the first time, this file will be locked for editing by normal users, so settings will appear not to save.

1.       Settings List – All of the settings are documented by clicking on them; highlights are listed below.

a.       Capture Configuration contains all the MACs, Flows and IPs you can set to capture to TCP Dump files.

b.      Cost Calculator – This section will let you swap the BYTES in all graphs with Dollars

c.       Filters – Will let you edit the filters you have created with the menus

d.      Retention Configuration – Lets you set how long information is kept; longer retention increases memory usage and file storage.

2.       Table Selector – Select the internal data table to view

3.       Active table editor – Connect to and disconnect from the table to EDIT its values and watch live values; this could cause locking issues for very active tables.

4.       Load copy of table – Load the table data for viewing, does not interfere with any locking.

Troubleshooting

All data files are located in the %ProgramData%\LabWatch folder. Clearing this folder starts over and re-runs the wizard.

All capture files and saved images will appear here, as well as any downloaded install files for prerequisites.

The data is stored in LabWatcherActiveData.dat, and deleting this file clears all collections. The .Bak file is a backup of the previous copy.

The config data is stored in LabWatcherConfigData.dat, and deleting it resets the Rules, Categories, and MAC and IP aliases.

The Wizard Configuration and Settings are all in LabWatcherConfig.dat, and deleting this file causes the wizard to rerun.