Copyright 2001 Rui Ribeiro & Jose Silva

1. Compilation & Installation

	1.1. I've compiled my JAVA applet, and installed it. When running under
	IE, it complains it can't find its classes.
	
	R: Internet Explorer (up to version 6) only provides support for the
	JAVA virtual machine v1.1. Using newer versions of SUN's JDK to 
	compile the applets will (re)create this error. Stick with the 1.1 
	version, or enable 1.1 compatibility in newer versions. 
	
	To solve this problem, be sure to use the command 
	
	#javac -target 1.1 *.java
	
	in order to force the binary format to JVM 1.1.
	
	
	1.2. I've tried to compile the code, but there's an error complaining 
	about libpcap missing.
	
	R: The sniffer works with the libpcap library. You'll need to have it
	installed. In the package manager of several Linux distributions, 
	you'll find it under the development libraries. Otherwise, you must 
	fetch the source and compile it.


	1.3. What have you used to compile the code?
	
	R: We have used gcc under Linux, and Microsoft tools for the JAVA code.
	We have also tested it successfully with SUN's JDK.


	1.4. I've tried NetScape, and it can't run the applet...
	
	R: The Java applet is compiled with JAVA 1.1. You'll need at least
	NetScape 5. If you're running Windows, switch to IE *sigh*


	1.5. I'm using your applet, and I notice that with IE 5.0 or 6.0 there
	are a couple of buttons in the lower right corner, but they don't show
	up with IE 4.0.
	
	R: The IE 4.0 JAVA implementation is buggy. Try patching it, or better
	yet, upgrade to 5 or 6. Beware of version 6: Microsoft created deliberate
	compatibility problems with foreign plug-ins.


	1.6. I don't seem to be able to run apache. It aborts when called.

	R: If you're running it on a machine that cannot use DNS services
	(either because it's standalone, or because you don't have them in
	your network), try modifying:

	Debian:
	/etc/apache/httpd.conf
	Uncomment the ServerName line. Place a name for your machine after
	ServerName.

2. General questions

	2.1. The applet cannot communicate with the TCP server. What's wrong?
	
	R: First, are you sure the sniff server and TCP client are running?
	Are you trying to run the applet locally on your computer? You can't.
	Due to a limitation in JAVA's architecture design (security model),
	you have to download the applet from the very same server where you
	have installed the sniff/TCP server. To overcome this limitation with
	IE, we heard you need a Microsoft signed applet. 

	If you're using SUN's JDK appletviewer, you can add the contents of 
	the file ".java.policy" that comes with the application to yours, or
	if it doesn't exist, you can copy it to the root of your personal
	directory.
	
	Under Windows 2000 and XP:
	
	copy .java.policy "%USERPROFILE%"
	
	Unix (and Linux):
	
	cp .java.policy ~/
	
	Pay attention, as this procedure disables the TCP/IP JAVA security 
	measures.


	2.2. I need long-term LAN usage stats. What can I do?
	
	R: You have an MRTG "plug-in" with this application. You can install the
	sniffer component, install MRTG, and modify it according to the INSTALL
	file. 
	Don't you have a hub or switch in that segment that supports SNMP? This
	would be more suited, as the sniffer's CPU usage increases in a linear 
	fashion as your traffic increases.
	If you really want or need to use MRTG, take a look at the INSTALL 
	file, and mrtg.cfg in the source directory.


	2.3. Everything is working, but I barely see any traffic in the 
	graphics...
	
	R: Try to find out if you're connected to a switch. If that's the case,
	you'll need to configure one of its ports for monitoring functions
	(if the hardware supports it). If you do it, be sure you do not run
	other services on the server side, as the impact will be very severe
	with a 100Mbps LAN.


	2.4. I want to have the sniff daemons always running. What should I
	do?
	
	R: 
	Debian
	------
	You must copy sniffstart.sh to:
	/etc/init.d
	In the /etc/rc2.d and /etc/rc5.d directories, execute:
	#ln -s /etc/init.d/slmstart.sh S20slm

	RedHat and Mandrake:
	--------------------
	You must copy sniffstart.sh to:
	/etc/rc.d/init.d
	In the /etc/rc.d/rc3.d and /etc/rc.d/rc5.d, execute:
	#ln -s /etc/rc.d/init.d/slmstart.sh S20slm

	From now on, every time you boot the machine, it will start the server.


	2.5. Why did you develop this software? Network statistics can be
	obtained with ipfilter/ipchains or ipfwadm... and there's ntop.
	
	R: The information returned by the firewall filters is only 
	meaningful in the context of the traffic directly received by the
	machine, or for broadcasts. It only has meaning as the total 
	traffic when they're functioning as a firewall or bridge.


	2.6. Isn't there already plenty of hardware/software in this field?
	
	R: Of course there is. In spite of that, there are also lots of
	different requirements. I (Rui Ribeiro) needed a tool that
	provided me with LAN usage feedback in real time, was simple to use
	once installed, and could be installed once and forgotten.
	
	About other alternatives:
	- ntop is *heavy*, and you can't possibly show every output to a
	client. It can be intimidating and appear to be intrusive;
	- MRTG is terrific when it's customized for a particular network, but
	it's tedious to reconfigure. It's also slow for getting real-time
	results; you're also tied to its 5 minute built-in interval;
	- a hardware network analyzer/tester is not always available; and it's
	unnecessarily expensive (but terrific for cable testing); it also means
	another 400g in your suitcase (and forking out around 2000USD for an
	entry level network tester... ouch!);
	- at least I almost always have to carry a notebook to our clients.

	We developed this software to:
	- impose a light burden on the CPU;
	- place a machine listening at one point of your network, and show
	the output to your client or your boss at another point of your
	network.


	2.7. Your software is exactly what I need for my proxy/my server 
	traffic statistics. Is there anything more appropriate?
	
	R: For this use, we recommend an SNMP server, or software capable of
	generating usage statistics from the proxy logs. They use far less
	CPU, and do the same job.


	2.8. What exactly are the BPF rules you talk about?
	
	R: The BPF rules (Berkeley Packet Filter) were developed to provide
	a high level language for network packet filtering. They are supported
	by the libpcap library. For more details, please read:
	- man tcpdump
	- http://www.tcpdump.org
	- Stevens' book, "UNIX Network Programming, Volume 1, Second
	  Edition, Networking APIs: Sockets and XTI", ISBN 0-13-490012-X
	- the libpcap sources.


	2.9. Isn't it dangerous to leave daemons running under the root
	account?

	R: Although some of them need to be started with the root account
	to get hold of resources that are otherwise unavailable, they
	drop these privileges as soon as possible, and run under the
	nobody account.
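
	Added example, not the project's own code: one way a daemon started
	as root can give up its privileges for good and then check that root
	cannot be regained. The function names are hypothetical; the account
	name "nobody" is the one mentioned in the answer above.

```c
#define _DEFAULT_SOURCE 1   /* for setgroups() under strict -std= modes */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when privileges were dropped, 1 when the process was not root
 * to begin with (nothing to drop), -1 on any failure. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;              /* unknown account: caller must abort */
    if (geteuid() != 0)
        return 1;

    /* Order matters: supplementary groups and the gid can only be changed
     * while still root, so setuid() goes last. Every call is checked. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if the process is root or can become root again, else 0. */
int root_regainable(void)
{
    if (geteuid() == 0)
        return 1;
    return setuid(0) == 0 || seteuid(0) == 0;
}

int main(void)
{
    /* A sniffer would open its capture device here, while still root
     * (assumed placement; the page does not show the daemon's code). */
    int rc = drop_to_user("nobody");
    if (rc < 0 || root_regainable()) {
        fprintf(stderr, "privilege drop failed, exiting\n");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

	A daemon that ignores the return value of setuid() may keep running
	as root without noticing, which is why every step is checked.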

3. Future improvements

	3.1. Have you any plans for improvements?
	
	R: We have some ideas for Win32 and X Window clients. We are also
	thinking about an NT, 2000 and XP server.


	3.2. It's a bore compiling the code. Can't it just be installed?
	
	R: We still haven't tried to create rpm or deb packages. Send   
	step-by-step instructions... ;->


	3.3. Isn't the data transfer between the applet and the server
	insecure?
	
	R: Of course it is. Nevertheless, you have to choose the security levels
	appropriate to your actions. That is, you're not exactly sending NASA
	confidential documents between them...
	We don't want to even *think* of modifying this behaviour.


	3.4. Well, can't I run everything on my NT server?
	
	R: (Rui) At this moment, we don't have a server side version planned
	for NT machines. In the not so distant future, we'll develop an NT,
	2000 and XP server side program. Windows 9x and ME will not be
	supported as they're unstable, especially in their network code.

