Address-Wizard

Version 4.2 Pro - (C) 04/2005 by RzK GmbH

Hauptstrasse 49, D-53567 Asbach, Tel: 49 2683-940000 / Fax: 49 2683-4537

WWW: http://www.rzk.com email: info@rzk.com


Overview:

The Address-Wizard identifies active stations on the network. It shows IP addresses with their corresponding MAC addresses as well as station names. It informs you about duplicate IP addresses, changed MAC addresses or foreign addresses in your network. Address lists can be saved as text, HTML, XML or Excel files. The program can monitor your network permanently and provide an address list that is always up to date.

Additionally the Address-Wizard can "wake up" remote PCs by sending Wake on LAN packets, gather basic SNMP information, send alarm messages via email, or prevent unauthorised stations from working properly within your network (intrusion prevention).

System requirements:

The Address-Wizard is 32-bit software for Windows 9x, Windows NT, Windows 2000, Windows XP or Windows 2003. It requires a network card with an installed NDIS interface. The IP protocol is also required, because addresses are gathered by scanning one or more IP address ranges.


Licence:

To run the Address-Wizard you have to purchase a licence from RzK. The software checks for a licence file on startup. If you have already purchased a licence you will find the licence file (ADRWIZ.SNP) on your installation disk.

Using the SNMP, Wake on LAN, email alarm or intrusion prevention functionality of the Address-Wizard requires a special licence.

There are three ways to activate the licence code:

  1. Use the menu item "licence -> licence from file" and choose the directory containing the file ADRWIZ.SNP in the file dialog that follows.
  2. If your licence code is in another file from which you can copy the licence information to the clipboard, use the menu item "licence -> new licence from clipboard" to activate the licence.
  3. Simply copy the file ADRWIZ.SNP to the NetControl program directory.

The licence determines the number of addresses the Wizard will identify and store. Upgrading to a higher licence is always possible.

If no licence is found you have two choices when starting the scanning process:


Installation:

  1. Execute the setup program from the installation disk.
  2. NDIS driver files have been installed automatically since program version 1.1.
  3. Start the Address-Wizard.
  4. If you have a new program licence activate it (see licence activation).
  5. Check the selected NDIS interface.

Uninstallation:

Close the application if it is running. Click the Windows "Start" button, select "Settings", then "Control Panel" and double-click the "Add/Remove Programs" item. Double-click the line corresponding to the Address-Wizard and follow the instructions. Note that some files created by the application, generally the licence file (AdrWiz.snp) and the ini file, are deliberately not deleted in case you wish to refer to them later. Delete these files manually if you do not want them.


Mainmenu:

Procedure:

1. Selection of the network card and IP address:

If you are using more than one network card, first check that the correct card (NDIS interface) is selected. Next check the IP address configuration: it has to be the address assigned to the selected network card. Otherwise Windows reports an "IP address conflict" once the scan has started.

2. Choose active or passive Scanmode:

You have to decide whether the Address-Wizard should scan the network actively, by sending ARP requests to every IP address within the selected ranges, or only listen to the packets passing by. This is selected with "Scanmode: Active / listen only". In active mode only addresses within the IP address ranges are recognized. In passive mode every address that sends UDP, TCP, ARP or ping (ICMP) packets is listed; a passive scan naturally needs some time to collect all addresses, and a station that never transmits is never seen. If you select the passive scan mode, continue with step 6.

3. Set the router IP address and the net mask: (Active scan only)

If you want to search for addresses outside your own IP netmask, the Address-Wizard needs the IP address of the router. The IP netmask is needed to distinguish internal from external IP addresses.

For addresses within the netmask the ARP protocol is used; for those outside it, ICMP ping (sent via the router).

4. Determine the IP address ranges to be searched in: (Active scan only)

Set the first and last IP address between which the Wizard should scan for active stations. To search more than one range, use the address-range button (see "More than one IP-Addressrange"). Up to 15 address ranges can be defined.

5. Determine the scan speed: (Active scan only)

This sets how many requests are sent per second. Default: 100 ms, i.e. 10 packets per second; a /24 range then takes about 26 seconds, a /16 about 1.8 hours. To find addresses "behind" slow connections, reduce the scanning speed.

6. Start the search process:

Start with the Start button. IP addresses that answer ARP or ping requests appear in the list below. If the IP address is inside the netmask its own MAC address is shown, otherwise the MAC address of the router.

The STATUS field shows which address is currently being probed, how many packets (ARP and ping) were sent (active scan), how many answers arrived and how many distinct addresses were recognized.

If an address has changed, an entry is written to the error log. The log is opened through the alarm button, which appears in this case. If you open the log, delete the message and close it, the button disappears again.

You can interrupt the process at any time with the Stop button. Otherwise it ends when the end address of the range being searched is reached.

Subsequently you can enter and search further address ranges.

7. Determine the names for the found addresses:

If you press the button Resolve Names, the Address-Wizard will look via Winsock for the names assigned to the found IP- addresses. There are considered only the addresses, which are selected in the list (marking: ). Resolving names is realized over either over a local Hosts-list or by nameserver requests. The Winsock uses so-called blocking-calls. This means, that the individual request can take a relatively long period of time, if the address is not known. You can finish the process with the Stop-button. Address Wizard does't use the hosts file directly. It uses Winsock calls. These lead to a reverse DNS call, if there is no entry in the windows hosts file. So the DNS server entered in windows is used.
Found names are entered automatically in the list. If names have changed changed, an entry in the Address-Wizard error log is made. This log is accessible with the alarm-button ().

8. Selection of the addresses, which should be used in the NetControl lists:

Within the list you can decide for each address whether it should be used in the NetControl list (tick in the first column). When you finish scanning and name resolution with the Done button, the Address-Wizard asks whether you want to take over the n marked addresses.

More than one IP-Addressrange:

To search in more than one range of addresses use the address-range button.

You can define up to 15 ranges (each given by a start and an end IP address, not by a netmask) to scan. A range is scanned only if the checkbox in front of it is activated.

The "D" button behind the first address range sets the first range to your default address range.

"Use always ARP" means that the addresses within this range are scanned with ARP packets even if they lie outside the own IP netmask, so the Address-Wizard does not go through the router. ARP only reaches stations on the same broadcast domain, so this option is meant for a second IP subnet on the local segment.
"Use direct ARP" means: if a station's MAC address was found in a previous scan, its online status is checked by sending the following requests directly (unicast) to that MAC address instead of, as usual, as a broadcast request. This applies to all stations in the address range, so the function reduces the broadcasts and the network load caused by the Address-Wizard. The disadvantage is that if the MAC address changes, the station, or rather the IP address, stays marked offline (e.g. when the DHCP server assigns the IP address to another station or a station's network adapter is replaced).

The last column displays the number of addresses within the defined address range and the time required to scan them. Below the address ranges, the sum of the selected addresses and the time required to scan them is displayed.

The "Info" button refreshes the calculation. This may become necessary if you change an address range after activating it.
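The probe selection of steps 3 and 6 together with the two per-range ARP options, as an added example that is not part of the Address-Wizard (the program's own code is not published): it builds the ARP request and the ICMP echo the scan sends, and parses an ARP reply into the IP/MAC pair that goes into the list. The addresses and MACs are constructed, and the NDIS/raw-socket transmission is left out.

```python
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_bytes(mac):
    """'00-11-22-33-44-55' or '00:11:22:33:44:55' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return raw


def same_network(ip, local_ip, netmask):
    """True when ip lies inside the scanning station's own IP network."""
    own = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(ip) in own


def choose_probe(target_ip, local_ip, netmask, known_mac=None,
                 use_always_arp=False, use_direct_arp=False):
    """Return ('arp', destination MAC) or ('ping', None) for one target.

    ARP is used inside the own netmask, or unconditionally when the range
    has "Use always ARP" set.  With "Use direct ARP" and a MAC learned in an
    earlier scan the request goes unicast to that MAC instead of broadcast;
    a station whose MAC changed then stays offline in the table.
    """
    if use_always_arp or same_network(target_ip, local_ip, netmask):
        if use_direct_arp and known_mac:
            return "arp", known_mac
        return "arp", BROADCAST_MAC
    return "ping", None          # outside the netmask: ICMP echo via the router


def build_arp_request(src_mac, src_ip, target_ip, dst_mac=BROADCAST_MAC):
    """Ethernet II frame carrying an ARP who-has for target_ip (42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol IPv4, hlen 6, plen 4, opcode 1 = request
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 1)
    arp += mac_bytes(src_mac) + ipaddress.ip_address(src_ip).packed
    arp += bytes(6) + ipaddress.ip_address(target_ip).packed
    return eth + arp


def parse_arp_reply(frame):
    """(sender IP, sender MAC) from an ARP reply, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!H", frame[20:22])[0] != 2:       # opcode 2 = reply
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = str(ipaddress.ip_address(frame[28:32]))
    return sender_ip, sender_mac


def inet_checksum(data):
    """RFC 1071 ones-complement sum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident, seq, payload=b"AddressWizard"):
    """ICMP echo request (type 8, code 0); the OS adds the IP header."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


if __name__ == "__main__":
    local, mask, my_mac = "192.168.1.5", "255.255.255.0", "00:11:22:33:44:55"   # constructed
    for target in ("192.168.1.20", "10.0.0.7"):
        kind, dst = choose_probe(target, local, mask)
        if kind == "arp":
            frame = build_arp_request(my_mac, local, target, dst)
            print(target, "-> ARP to", dst, len(frame), "bytes")
        else:
            print(target, "-> ICMP echo via router:", build_icmp_echo(0x1234, 1).hex())
```

A reply to the ping of an outside address arrives in a frame whose source MAC is the router's, which is exactly why the list shows the router MAC for such addresses.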

Settings for passive Scanmode:

Using the appropriate Options menu item you can open the following window:

For a passive scan (listen only) you can choose if

  1. all recognized addresses,
  2. only addresses within the defined address ranges  or
  3. only addresses which are in none of the defined ranges

will be put into the address list.
Addresses which are in none of the defined ranges will be marked in red color.

Additionally you can select the protocols to observe:

All unchecked protocols are ignored while passive scanning.

The Address-Wizard can automatically save your address list to a file, so you can keep an up-to-date list of, e.g., your intranet. You can use HTML or XML files; the format is chosen through the extension .HTM or .XML. You will find a more exact definition of the formats in the section "export".

Address ranges and passive scanning as intrusion detection:

You can combine these two features to detect intruders. Since every address that is not within the defined address ranges appears in red, every unknown computer (and potential intruder) shows up in red if you define the address ranges tightly around your network's addresses. Note that this only catches stations that transmit while the Wizard is listening, and an intruder that picks an unused address inside your ranges is not flagged by this check; the duplicate IP and changed MAC alarms only catch one that reuses an address already in the list.
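A listen-only collector with the three range modes and the protocol filter of the settings window, written here as an illustration (not the Address-Wizard's code) over constructed, untagged Ethernet frames; it marks addresses outside every range as foreign, which is the red entry the text describes.

```python
import ipaddress
import struct

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def frame_source(frame):
    """(src MAC, src IP, protocol) of an untagged Ethernet II frame, or None.

    Only ARP and IPv4 carrying ICMP, TCP or UDP are recognised: the four
    protocol classes the passive scan can observe.
    """
    if len(frame) < 14:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP and len(frame) >= 42:
        return src_mac, str(ipaddress.ip_address(frame[28:32])), "ARP"
    if ethertype == ETHERTYPE_IP and len(frame) >= 34:
        protocol = IP_PROTOCOLS.get(frame[23])          # IP header byte 9
        if protocol is None:
            return None
        return src_mac, str(ipaddress.ip_address(frame[26:30])), protocol
    return None


class PassiveScan:
    """Listen-only address collection with the three range modes of the
    settings window: 'all', 'inside' (only the defined ranges) or 'outside'
    (only addresses in none of the ranges)."""

    def __init__(self, ranges, protocols=("ARP", "ICMP", "TCP", "UDP"), mode="all"):
        self.ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ranges]
        self.protocols = set(protocols)     # unchecked protocols are ignored
        self.mode = mode
        self.table = {}                     # ip -> {"mac", "foreign", "packets"}

    def in_ranges(self, ip):
        ip = ipaddress.ip_address(ip)
        return any(low <= ip <= high for low, high in self.ranges)

    def observe(self, frame):
        parsed = frame_source(frame)
        if parsed is None:
            return None
        mac, ip, protocol = parsed
        if protocol not in self.protocols:
            return None
        foreign = not self.in_ranges(ip)      # shown in red by the Wizard
        if (self.mode == "inside" and foreign) or (self.mode == "outside" and not foreign):
            return None
        entry = self.table.setdefault(ip, {"mac": mac, "foreign": foreign, "packets": 0})
        entry["packets"] += 1
        return ip, foreign

    def intruders(self):
        """Addresses outside every defined range: the red entries."""
        return sorted(ip for ip, e in self.table.items() if e["foreign"])


# --- constructed sample frames (no checksums, no payload) for offline use ---
def _eth(src_mac, ethertype):
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ethertype)


def ipv4_frame(src_mac, src_ip, dst_ip, protocol):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, protocol, 0,
                         ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return _eth(src_mac, ETHERTYPE_IP) + header


def arp_frame(src_mac, src_ip, target_ip):
    body = struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 1) + bytes.fromhex(src_mac.replace(":", ""))
    body += ipaddress.ip_address(src_ip).packed + bytes(6) + ipaddress.ip_address(target_ip).packed
    return _eth(src_mac, ETHERTYPE_ARP) + body


SAMPLE_FRAMES = [
    arp_frame("00:0c:29:aa:bb:cc", "192.168.1.10", "192.168.1.1"),
    ipv4_frame("00:0c:29:aa:bb:cc", "192.168.1.10", "192.168.1.1", 6),    # TCP
    ipv4_frame("00:50:56:12:34:56", "192.168.1.20", "192.168.1.1", 1),    # ICMP
    ipv4_frame("00:1b:21:de:ad:00", "10.9.9.9", "192.168.1.1", 17),       # UDP, foreign
]

if __name__ == "__main__":
    scan = PassiveScan([("192.168.1.1", "192.168.1.254")])
    for f in SAMPLE_FRAMES:
        scan.observe(f)
    print(scan.table)
    print("red (foreign):", scan.intruders())
```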

Permanent Scan:

If you want to use the active scan mode permanently, you can set up the Address-Wizard to restart the scan automatically after a given period of time. This is useful for permanently checking the presence of all stations in the network. Use the permanent-scan button to open the following window:

You can select the time the Wizard should wait before it starts the next scan. At the end of the scanning-process (before the waiting time starts) name resolution and SNMP requests can be sent. Passive scanning can be activated while the Wizard waits for the next scan to start.

The following events may be written to the error log:

The Address-Wizard can also automatically export the address list to an HTML and/or XML file (depending on your selection).

Additionally you can select whether the Address-Wizard should log (in the error log) the absence of a station for longer than n seconds. This period must be longer than the time needed for a complete scan plus the waiting time before the next scan, otherwise every station is reported absent between two scans.

The address of the own station is marked blue and the router address orange.

During permanent active scanning, the column with the time of the last occurrence shows the presence of the found addresses in colour. You can see the exact duration of a station's absence by moving the mouse over the station's line in the columns Last Request to Last Occurrence.

You can define these colors through the colors button in the Permanent Scan Menu:

The permanent-scan button changes its icon when permanent scanning is deactivated, and begins to "rotate" while permanent scanning is active and the Wizard waits for the next scan.
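The bookkeeping behind the permanent scan's error-log entries (new address, changed MAC, duplicate IP, changed name, absent, back online) and the presence colours, as an added illustration rather than the program's implementation; times are plain seconds and the scan/wait values in the usage are constructed.

```python
class AddressTable:
    """Per-station state of the permanent scan and the events it logs."""

    def __init__(self, scan_seconds, wait_seconds, absence_limit):
        # One cycle is a full scan plus the waiting time. A station only counts
        # as absent after missing at least one whole cycle, so the limit must be
        # longer than the cycle; otherwise every station is "absent" between scans.
        self.cycle = scan_seconds + wait_seconds
        if absence_limit <= self.cycle:
            raise ValueError(f"absence limit {absence_limit}s must exceed scan+wait ({self.cycle}s)")
        self.absence_limit = absence_limit
        self.entries = {}           # ip -> {mac, name, first_seen, last_seen, absent}
        self.log = []               # (time, event, ip, detail): the error-log entries
        self._macs_this_pass = {}

    def begin_scan(self):
        """Start of a scan pass: duplicate-IP detection works per pass."""
        self._macs_this_pass = {}

    def seen(self, ip, mac, now, name=None):
        """An ARP/ping answer (and optionally a resolved name) for ip at time now."""
        macs = self._macs_this_pass.setdefault(ip, set())
        macs.add(mac)
        if len(macs) > 1:                          # two stations answered for one IP
            self.log.append((now, "duplicate IP", ip, " / ".join(sorted(macs))))
        e = self.entries.get(ip)
        if e is None:
            self.entries[ip] = {"mac": mac, "name": name, "first_seen": now,
                                "last_seen": now, "absent": False}
            self.log.append((now, "new address", ip, mac))
            return
        if e["mac"] != mac:
            self.log.append((now, "MAC changed", ip, f"{e['mac']} -> {mac}"))
            e["mac"] = mac
        if name and e["name"] and name != e["name"]:
            self.log.append((now, "name changed", ip, f"{e['name']} -> {name}"))
        if name:
            e["name"] = name
        if e["absent"]:
            self.log.append((now, "back online", ip, f"after {now - e['last_seen']}s"))
            e["absent"] = False
        e["last_seen"] = now

    def check_absent(self, now):
        """End of a pass: log every station missing longer than the limit (once)."""
        newly = []
        for ip, e in self.entries.items():
            if not e["absent"] and now - e["last_seen"] > self.absence_limit:
                e["absent"] = True
                newly.append(ip)
                self.log.append((now, "absent", ip, f"last seen {now - e['last_seen']}s ago"))
        return newly

    def presence_colour(self, ip, now):
        """Colour of the 'last occurrence' cell: green within one cycle,
        yellow until the absence limit, red beyond it."""
        age = now - self.entries[ip]["last_seen"]
        if age <= self.cycle:
            return "green"
        return "yellow" if age <= self.absence_limit else "red"


if __name__ == "__main__":
    table = AddressTable(scan_seconds=30, wait_seconds=60, absence_limit=200)   # constructed
    table.begin_scan()
    table.seen("192.168.1.10", "00:0c:29:aa:bb:cc", 0, "pc10")
    table.seen("192.168.1.20", "00:50:56:12:34:56", 0)
    for t in (90, 180):
        table.begin_scan()
        table.seen("192.168.1.10", "00:0c:29:aa:bb:cc", t)
        table.check_absent(t + 30)
    for entry in table.log:
        print(entry)
```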

Context menu

To access the context menu press the right mouse button in the address table.

The menu always refers to the address and the column you are pointing at. Up to five entries of this menu are user-definable. To define menu items use "Define entries for this menu":

By checking the box on the left you decide whether this menu entry is visible or not. The text in the middle is shown as the caption of the menu item, and on the right you specify the command that is executed when the menu item is selected. You can use %I for the currently selected IP address, %M for the MAC address, %N for the DNS name, %B for the NetBios station name, %G for the NetBios group and %U for the NetBios user. Keep in mind that %N, %B, %G and %U are names the remote station announced itself; treat them as untrusted input when they end up on a command line.

If you want to run more than one command, separate them with |. Note: with more than one command, the Address-Wizard waits for each command to finish before starting the next.
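Placeholder substitution and the `|` split, as an added example that is not the Address-Wizard's implementation; it uses POSIX shell quoting (`shlex.quote`), whereas the program runs its commands through the Windows shell, whose quoting rules differ. The station record and its hostile NetBIOS name are constructed.

```python
import shlex
import subprocess

PLACEHOLDERS = {
    "%I": "ip", "%M": "mac", "%N": "dns_name",
    "%B": "netbios_name", "%G": "netbios_group", "%U": "netbios_user",
}


def expand(template, station, quote=True):
    """Substitute the %-placeholders with the selected station's values.

    Every value except %I/%M comes from the remote station itself (DNS and
    NetBIOS names are whatever it announced), so each value is shell-quoted
    before it lands on a command line.  quote=False shows the unsafe form.
    """
    out = template
    for token, key in PLACEHOLDERS.items():
        value = str(station.get(key, "") or "")
        out = out.replace(token, shlex.quote(value) if quote else value)
    return out


def command_list(template, station, quote=True):
    """Split the '|'-separated definition into the commands run one after another.
    Splitting happens before substitution, so a '|' inside a name cannot add a command."""
    return [expand(part.strip(), station, quote) for part in template.split("|") if part.strip()]


def run_sequentially(commands, runner=subprocess.run):
    """Run each command and wait for it before starting the next."""
    return [runner(cmd, shell=True).returncode for cmd in commands]


if __name__ == "__main__":
    station = {"ip": "192.168.1.20", "mac": "00:0c:29:aa:bb:cc",       # constructed
               "dns_name": "pc20.example.invalid",
               "netbios_name": "PC20; echo pwned",                      # hostile name
               "netbios_group": "WORKGROUP", "netbios_user": "jsmith"}
    menu_entry = "ping -c 1 %I | echo station %B user %U"
    print("unsafe:", command_list(menu_entry, station, quote=False))
    print("quoted:", command_list(menu_entry, station))
```

With `quote=False` the second command becomes `echo station PC20; echo pwned user jsmith`, i.e. the name injected a command; with quoting the name stays a single argument.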

Intrusion Prevention (NetARP)

If the licence for Intrusion Prevention is installed, you can use the Address-Wizard to prevent people from using IP addresses they are not allowed to use.

Sometimes new stations are added to the network with illegal IP addresses. Usually the network administrator should be asked for IP addresses for new stations, but what if nobody cares? In this case the Intrusion Prevention function can help to keep your network clean, because illegal stations will not work properly.

How does it work?

When you start Intrusion Prevention, the Address-Wizard launches the NetARP software, and NetARP answers every ARP request coming from a station that is not in the current address list gathered by the Address-Wizard. The illegal station's ARP cache receives NetARP's answers in competition with the genuine ones, so it will not work properly.

So if you use this function, make sure that your current address list is complete and that no station which is allowed to use the network is missing from the list: a legitimate station that was switched off during the scan is treated as an intruder as soon as it comes back. Be aware that this is deliberate ARP spoofing on your own network, and that a station with static ARP entries for its peers is largely unaffected by it.
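The decision NetARP has to make for each ARP request, as an added model of the behaviour described above rather than NetARP's own code. Which MAC address the real NetARP answers with is not documented, so the bogus locally-administered MAC, the exemption of the router and the scanner, and the handling of ARP probes (sender 0.0.0.0) are assumptions of this example.

```python
import ipaddress


class NetArpPolicy:
    """Decides which ARP requests the prevention component answers.

    Stations in the scanned address list are legitimate.  Any other station
    that sends an ARP request gets a reply claiming the requested IP at a
    bogus MAC, which poisons only the intruder's ARP cache.
    """

    def __init__(self, address_list, own_ip, router_ip, bogus_mac="02:00:00:00:00:01"):
        self.allowed = {ipaddress.ip_address(ip) for ip in address_list}
        # Safety net (assumption): the scanner and the router are never treated
        # as intruders, even if the list was saved without them.
        self.allowed.add(ipaddress.ip_address(own_ip))
        self.allowed.add(ipaddress.ip_address(router_ip))
        self.bogus_mac = bogus_mac
        self.replies = []

    def handle_request(self, sender_ip, sender_mac, target_ip):
        """Return the reply to send (as fields), or None to stay silent."""
        sender = ipaddress.ip_address(sender_ip)
        if sender == ipaddress.ip_address("0.0.0.0"):
            return None           # ARP probe of a station still acquiring an address
        if sender in self.allowed:
            return None
        reply = {"dst_mac": sender_mac, "dst_ip": str(sender),
                 "claimed_ip": str(ipaddress.ip_address(target_ip)),
                 "claimed_mac": self.bogus_mac}
        self.replies.append(reply)
        return reply

    def missing(self, known_stations):
        """Stations you know are legitimate but the list lacks: fix before enabling."""
        ips = sorted(ipaddress.ip_address(ip) for ip in known_stations)
        return [str(ip) for ip in ips if ip not in self.allowed]


if __name__ == "__main__":
    policy = NetArpPolicy(["192.168.1.10", "192.168.1.20"],        # constructed scan result
                          own_ip="192.168.1.5", router_ip="192.168.1.1")
    print("legit :", policy.handle_request("192.168.1.10", "00:0c:29:aa:bb:cc", "192.168.1.1"))
    print("rogue :", policy.handle_request("192.168.1.77", "00:11:22:33:44:55", "192.168.1.1"))
    print("check :", policy.missing(["192.168.1.10", "192.168.1.50"]))
```

Run `missing()` against every station you know to be legitimate (printers, servers that were off during the scan) before enabling the function; anything it returns would be cut off.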

The Port Scan function

This entry of the context-menu opens the port-scanner.

In the upper left corner is the host list, which contains all hosts where at least one port was found. If you choose one of these hosts, the scan starts automatically. You can abort at any time with the Stop button.

There are two ways for the selection of ports to be scanned :

  1. You can type the start and end port into the two edit fields in the upper right corner. PortScan scans all ports from the start port to the end port.
  2. You can choose a list of ports to scan. A sample file is included ("sample.qpl"). It is in ASCII format with one number per row; PortScan interprets each as a port number and scans for it. Rows that do not contain a number are ignored.

Clicking the save button on the right next to the file selection field creates a list of all ports found so far. The advantage is that only these ports are scanned during the next scan process.
Clicking the save button under the host list saves all settings.

The list of available ports can also be saved as a whole, including the times of first and last occurrence. The buttons "Load Portlist" and "Save Portlist" do just that. This port list is also saved in ASCII format, so it can be viewed with a plain text editor.

Clicking refresh restarts the scan process.
PortScan can do this automatically if you choose "Activate Permanent Port-Scanning". The selected ports are then scanned automatically at the entered interval.
You can also save the whole table through the buttons "Load Grid" and "Save Grid". Here you can choose between different formats.
One click on "Clear" empties the table. Under options are settings for the scan process. Usually you do not need to change these settings.

If an anti-virus program with email protection is installed and running on the scanning PC, port 25 (SMTP) may be reported as open on every scanned host: the anti-virus proxy intercepts the scanner's own outgoing connections to port 25 and accepts them itself. A port that shows up open on every host at once should be treated as such an artefact until verified.
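A TCP connect scanner with the .qpl port-list parsing, the first/last-occurrence grid and a check for the "open on every host" artefact, as an added example rather than PortScan's code; the sample port list and host results are constructed, and the probe function is injectable so the logic can be exercised without a network.

```python
import socket
import threading
import time


def load_port_list(text):
    """Parse a .qpl file: one port number per line, anything else is ignored."""
    ports = []
    for line in text.splitlines():
        line = line.strip()
        if line.isdigit() and 0 < int(line) <= 65535:
            ports.append(int(line))
    return ports


def tcp_connect(host, port, timeout=0.5):
    """Full TCP connect probe: True if the port accepted the connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


class PortScan:
    def __init__(self, probe=tcp_connect):
        self.probe = probe
        self.grid = {}            # (host, port) -> {"first": t, "last": t}

    def scan(self, host, ports, now=None):
        """Probe every port; remember first/last time each open port was seen."""
        now = time.time() if now is None else now
        found = []
        for port in ports:
            if self.probe(host, port):
                found.append(port)
                entry = self.grid.setdefault((host, port), {"first": now, "last": now})
                entry["last"] = now
        return found

    def known_ports(self):
        """The 'save known ports' list: the next scan only revisits these."""
        return sorted({port for _, port in self.grid})

    def open_on_every_host(self):
        """Ports open on all scanned hosts at once.  With an email-scanning
        anti-virus proxy on the scanner this is typically port 25, and it means
        the proxy accepted the connection, not the targets."""
        hosts = {host for host, _ in self.grid}
        if len(hosts) < 2:
            return []
        by_port = {}
        for host, port in self.grid:
            by_port.setdefault(port, set()).add(host)
        return sorted(port for port, seen_on in by_port.items() if seen_on == hosts)


if __name__ == "__main__":
    # Local listener so the real probe has something to find.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    threading.Thread(target=listener.accept, daemon=True).start()
    sample_qpl = f"{port - 1}\n# constructed sample list\n{port}\n{port + 1}\n"
    print("open:", PortScan().scan("127.0.0.1", load_port_list(sample_qpl)))
    listener.close()
```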

Setting Filters for the address display:

If you have long address lists, filters can be very useful to display only selected addresses. Use the context menu to set filter definitions. The filter always refers to the column on which you opened the context menu.

An empty filter shows all addresses. If you restart the scan process, the filter will be deactivated.

Store and read addresslists:

You can store the list of found addresses in an Address-Wizard file or an SNMP addresses file. The file format is selected in the "file-save" dialogue. This is useful if you want to search several address ranges and need to interrupt the process, since it is very time-consuming. The SNMP addresses file contains only those addresses that responded to the SNMP request.

Only the tagged addresses (tick in the first column set) will be saved.

It is also possible to import a list of IP addresses in hosts-file format into the Address-Wizard by choosing the appropriate file type in the open-file dialogue. This is useful for checking which addresses should be in the network: if you first load an up-to-date hosts file and then start the scan, the addresses that are currently unreachable are shown as well. Normally only the stations currently reachable are shown.

Exporting address lists:

The "file-export"-function lets you store the addresslist in different formats, so you can use it in other programs.

Only the tagged addresses (tick in the first column is set) will be saved.

The following formats are supported:

Resorting the Addresslist:

New addresses are always added at the bottom of the list. You can re-sort the list by clicking on a column heading.

Commandline Parameters:

You can use the following switches (command line parameters) with the Address-Wizard. Append them to AdrWiz.exe either at the command prompt or in the shortcut to it.

NetBios

If NetBios over TCP/IP is activated on your computer, the Address-Wizard is able to collect and evaluate information via nbtstat. To determine the NetBios information for the selected addresses click on "NetBios -> Get NetBios-Names now".

NetBios Configuration:

If you want to change the NetBios configuration please click on -> "NetBios -> Configuration".

You can also reach this menu by clicking the configuration button in the "Manual address range scan for NetBios names" window. In both cases the following window opens:

NbtStat:

Here you can configure nbtstat. There are five predefined language settings (German, English, Spanish, French and Swedish), because the output of nbtstat is localised. If your language is not listed, you can change the pattern strings manually. To do so, look at the output of "nbtstat" by calling it in a command line window.

Output Format:

By checking the boxes you decide which parameters are displayed in the Address-Wizard list ("NetBios name", "NetBios username", "NetBios groupname" and "additional NetBios info"). If NetBios shows more than one name for the station name, user name or group name, you can sort this list alphabetically or in order of occurrence in the nbtstat output. With the "Show only first name in table" box you specify whether all found names are displayed or just the one that appears first in the nbtstat table.

Debug:

In the last configuration menu you can decide whether the output of "nbtstat" should be saved as files in the folder "\NBTSTAT". From this output the program can determine whether you selected the wrong language in the "NbtStat" configuration menu.
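Parsing the English `nbtstat -A` table into the station, user and group names and the MAC address shown in the Address-Wizard list, as an added example (not the program's parser) over a constructed sample. The language pattern table is reduced to English here, and the suffix interpretation (<00> UNIQUE is the workstation name, GROUP rows the workgroup or domain, <03> UNIQUE the messenger names, i.e. the logged-on user plus the computer name again) is the standard NetBIOS convention.

```python
import re

# The type column and the MAC line are localised; these are the English
# strings.  Other languages need their own entry (the Wizard ships five).
PATTERNS = {
    "english": {"unique": "UNIQUE", "group": "GROUP",
                "mac": r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"},
}
ROW = re.compile(r"^\s*(.+?)\s+<([0-9A-Fa-f]{2})>\s+(\S+)\s+(\S+)\s*$")

SAMPLE_OUTPUT = """\
Local Area Connection:
Node IpAddress: [192.168.1.5] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    LAB-PC7        <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    LAB-PC7        <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    LAB-PC7        <03>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-12-34-56
"""   # constructed sample, not real nbtstat output


def parse_nbtstat(output, language="english", sort="occurrence", first_only=False):
    """Turn 'nbtstat -A <ip>' output into station/group/user names and MAC."""
    pat = PATTERNS[language]
    stations, groups, unique03, mac = [], [], [], None
    rows = matched = 0
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows += 1
            name, suffix, kind = m.group(1).strip(), m.group(2).upper(), m.group(3).upper()
            if kind == pat["group"]:
                matched += 1
                if name not in groups:
                    groups.append(name)
            elif kind == pat["unique"]:
                matched += 1
                if suffix == "00" and name not in stations:
                    stations.append(name)
                elif suffix == "03" and name not in unique03:
                    unique03.append(name)
            continue
        mm = re.search(pat["mac"], line)
        if mm:
            mac = mm.group(1).upper()
    users = [n for n in unique03 if n not in stations]      # drop the computer's own <03>
    if sort == "alphabetical":
        stations, groups, users = sorted(stations), sorted(groups), sorted(users)
    if first_only:
        stations, groups, users = stations[:1], groups[:1], users[:1]
    return {"station": stations, "group": groups, "user": users, "mac": mac,
            # rows were present but none carried the language's type words:
            # the "wrong language" case the Debug option detects
            "language_ok": rows == 0 or matched > 0}


if __name__ == "__main__":
    print(parse_nbtstat(SAMPLE_OUTPUT))
```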

Manual address range scan for NetBios names:

To specify the IP address range manually click on "NetBios -> Manual address range scan for NetBios Names".

If you select this menu option the following window opens:

To the right of the Start button you can specify the IP address range to be scanned. In this example the range 194.127.156.0 - 194.127.156.255 is scanned for NetBios information. Start the scan by clicking the "Start" button. In the lower part of the window you see the IP address, MAC address, NetBios name, NetBios group and further queried information. You can save this data as CSV (Excel etc.) or HTML files by clicking the appropriate button in the lower right corner.

SNMP:

If the corresponding licence is installed, the Address-Wizard can gather basic information via SNMP during the scan.

You can select the SNMP parameters to query via the menu entry SNMP -> SNMP Configuration:

The Address-Wizard can query up to 6 variables. If the SNMP device does not answer the request, an entry is made in the error log.

SNMP requests can be made in active and in passive scan mode. In passive scan mode you have to define the interval for the requests. All stations are queried and their answers are displayed in the address table.

To get access to the SNMP variables of your SNMP agents you have to specify the correct read community string. If you use different community strings in your network you can enter them separated by ",". Note that the community-string based SNMP versions (v1 and v2c) send the string in cleartext with every request, so the scanner reveals every configured community to anyone sniffing the segment; use read-only communities here.

If one of the selected variables is sysUpTime, you can let the Address-Wizard create a log entry when the device is reset (its uptime counter starts again from zero).
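An SNMPv1 GetRequest encoder for the uptime, name and description variables, the comma-separated community list and the reset check on sysUpTime, added here as an illustration and not the Address-Wizard's code. The SNMP version is an assumption (the page does not state it), request id 1 is arbitrary, and the packet is only built, not sent.

```python
import time

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"      # TimeTicks, hundredths of a second
SYS_NAME = "1.3.6.1.2.1.1.5.0"
MAX_VARIABLES = 6


def ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value):
    """Minimal two's-complement INTEGER (non-negative values here)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return tlv(0x02, body)


def encode_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmp_get(community, oids, request_id=1):
    """SNMPv1 GetRequest (sent to UDP/161) for up to six variables.

    The community string is the only credential and travels in cleartext,
    so anyone who can sniff the segment learns it.
    """
    if not 0 < len(oids) <= MAX_VARIABLES:
        raise ValueError(f"1..{MAX_VARIABLES} variables per request")
    varbinds = b"".join(tlv(0x30, encode_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_integer(0) + tlv(0x04, community.encode("latin-1")) + pdu)


def requests_for(communities, oids):
    """'public,private' -> one request per community, tried in that order."""
    return [(c.strip(), snmp_get(c.strip(), oids)) for c in communities.split(",") if c.strip()]


def device_reset(prev_ticks, prev_time, new_ticks, new_time):
    """True if sysUpTime went backwards for a reason other than the 32-bit wrap (~497 days)."""
    expected = prev_ticks + int((new_time - prev_time) * 100)
    return new_ticks < prev_ticks and expected < 2 ** 32


if __name__ == "__main__":
    for community, packet in requests_for("public, monitor", [SYS_UPTIME, SYS_NAME, SYS_DESCR]):
        print(community, packet.hex())
    print("reset:", device_reset(500000, time.time() - 600, 1200, time.time()))
```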

Wake on LAN:

The Wake on LAN (WOL) technology is used to remotely wake up a sleeping or powered-off PC over a network. This is done by sending a specific packet, called a Magic Packet frame, to a node on the network. When a PC capable of receiving that frame goes to sleep, it enables the Magic Packet mode in its LAN controller; when the LAN controller receives a Magic Packet frame, it signals the system to wake up. The packet is not authenticated, so any station on the broadcast domain can wake any other.

Using the Address-Wizard's Wake on LAN functionality requires a special licence.

If this licence is available you can send a WOL packet to the currently selected address via the popup menu (right mouse button) or the main menu entry "Wake ON LAN -> Wake On Lan Configuration":

To use this feature, save your address list after a complete network scan: the MAC address of the sleeping PC is needed and cannot be discovered while it is off. If you want to wake up a PC later, start the Address-Wizard, load the address list, select the PC and send the packet.

The Ping Test button opens a program that sends ping requests to the computer you have woken until it answers, i.e. until it is online. The button "Send WakeOnLan Packet and wait max. n seconds" does both: wake and wait; n is the number of seconds the Address-Wizard keeps trying to reach the other computer.
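Building and recognising the Magic Packet and the "wake and wait" loop, as an added example rather than the Address-Wizard's code. UDP port 9 and the optional SecureOn password are conventions not mentioned on this page, and the online check is a callback so the ping part is left to the caller; the MAC addresses used are constructed.

```python
import socket
import time


def magic_packet(mac, password=b""):
    """6 x 0xFF followed by the MAC address 16 times; an optional 4- or 6-byte
    SecureOn password may follow (a vendor extension some NICs support)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + raw * 16 + password


def find_magic_packet(payload):
    """MAC (as text) if payload contains a magic packet anywhere, else None.
    The sync stream may sit behind other data, so every candidate offset is tried."""
    sync = b"\xff" * 6
    start = payload.find(sync)
    while start != -1:
        mac = payload[start + 6:start + 12]
        if len(mac) == 6 and payload[start + 6:start + 102] == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(sync, start + 1)
    return None


def send_wol(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet as UDP.  Nothing in it proves who sent it:
    any host on the broadcast domain can do the same."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(magic_packet(mac), (broadcast, port))


def wake_and_wait(mac, is_online, max_seconds, send=send_wol,
                  clock=time.monotonic, sleep=time.sleep):
    """'Send WakeOnLan packet and wait max. n seconds': True once is_online()
    reports the station reachable, False when the time runs out."""
    send(mac)
    deadline = clock() + max_seconds
    while clock() < deadline:
        if is_online():
            return True
        sleep(1)
    return False


if __name__ == "__main__":
    pkt = magic_packet("00-11-22-33-44-55")                  # constructed MAC
    print(len(pkt), "bytes, carries", find_magic_packet(b"noise" + pkt))
```

For the online check, hand `wake_and_wait` whatever reachability test you have (an ICMP echo needs a raw socket, a TCP connect to a known service does not).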

VLANs:

The Address-Wizard can be used to identify VLANs while it is in the passive scan mode. This requires a network card that does not automatically strip the VLAN header from received packets. The Intel100pro network card shows this behaviour even when QoS tagging (802.1Q) is turned off. If the card strips the tags, every frame looks untagged, so the absence of a VLAN number is no proof that the traffic was untagged.

If you connect the Address-Wizard to a switch port where Ethernet frames are copied together with their VLAN tag, the software shows the VLAN number(s) used for each IP address.
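Reading the 802.1Q tag(s) of frames copied to the mirror port and recording the VLAN number(s) per IP address, as an added example (not the program's implementation) on constructed frames; stacked 802.1ad/802.1Q tags are handled as well, which the page does not mention.

```python
import ipaddress
import struct

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
TPID_8021Q, TPID_8021AD = 0x8100, 0x88A8


def vlan_tags(frame):
    """Walk stacked 802.1Q/802.1ad tags.
    Returns ([vid, ...] outer first, ethertype after the tags, payload offset)."""
    offset, vids = 12, []
    while len(frame) >= offset + 2:
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vids, ethertype, offset + 2
        if len(frame) < offset + 4:
            break
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)          # low 12 bits: VLAN ID (PCP and DEI ignored)
        offset += 4
    return vids, None, offset


def add_tag(frame, vid, pcp=0, tpid=TPID_8021Q):
    """Insert a VLAN tag after the MAC addresses, as a trunk port carries it."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


class VlanTable:
    def __init__(self):
        self.by_ip = {}           # ip -> set of VLAN IDs the address was seen in

    def observe(self, frame):
        vids, ethertype, off = vlan_tags(frame)
        if ethertype == ETHERTYPE_IP and len(frame) >= off + 20:
            ip = frame[off + 12:off + 16]          # IPv4 source address
        elif ethertype == ETHERTYPE_ARP and len(frame) >= off + 28:
            ip = frame[off + 14:off + 18]          # ARP sender protocol address
        else:
            return None
        ip = str(ipaddress.ip_address(ip))
        self.by_ip.setdefault(ip, set()).update(vids)   # untagged adds nothing
        return ip, vids

    def vlans(self, ip):
        return sorted(self.by_ip.get(ip, ()))


def ipv4_frame(src_mac, src_ip):
    """Constructed untagged IPv4/UDP frame with a minimal header, no checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src_ip).packed, ipaddress.ip_address("192.168.1.1").packed)
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETHERTYPE_IP) + header


if __name__ == "__main__":
    plain = ipv4_frame("00:0c:29:aa:bb:cc", "192.168.10.7")    # constructed
    table = VlanTable()
    table.observe(add_tag(plain, 100, pcp=5))
    table.observe(add_tag(plain, 110))
    table.observe(plain)
    print("192.168.10.7 seen in VLANs", table.vlans("192.168.10.7"))
```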


NetControl for Windows:

The Address-Wizard is part of the NetControl for Windows software. This software forms the headquarters of network supervision: it gathers data locally with its internal probes and receives data from the remote probes distributed in the network. NetControl analyses the data and automatically generates HTML pages for presenting it. These pages can be viewed with any web browser (locally) or published with a web server on your inter-/intranet.

Do you need to know the status of your network? Do you need instant notification when the network status changes dramatically? For most network administrators the answer is yes. As computer networks proliferate you need an easy-to-use monitoring tool. If you are the person responsible for installing, configuring, monitoring and correcting problems with an organization's network and computer assets, NetControl can make your job easier.

You can monitor, watch and permanently record all current network parameters of the shared network segments with NetControl. The complete address activities of every probe will be recorded separately. Stations can be identified by their MAC- or IP-addresses. NetControl will generate Ethernet long-time statistics for network management. This information can be used for planning further network expansions.

The system is well suited to heterogeneous networks and can be flexibly expanded with additional LAN probes, so it can easily be adapted to the size of the network to be monitored. NetControl is able to monitor up to 40000 addresses.

A PC equipped with NetControl becomes a NetRecorder because it can permanently monitor and record network events.

To find creeping changes on the network it is necessary to compare new information with older information. For this you not only need to monitor the current network parameters, you also need to record them permanently. A NetRecorder does both, monitoring and recording. The concept allows data recording for many years. The NetRecorder permanently monitors the traffic on the network and raises an alarm whenever a definable range is exceeded.

You can avoid many errors if the network is permanently monitored and changes are checked. You can compare the NetRecorder to a flight recorder: after a network crash the recorded data can be used to find the causes. Even if you do not look at the records all the time (because no complaints are known), you can trace errors that occurred suddenly.


Problems:

Firewalls:

If the Address-Wizard does not receive answers to ICMP ping requests (needed for actively scanning addresses outside the own IP network) or does not get NetBios names, this may be caused by firewalls activated on the remote machines.

Enable ICMP echo in the Windows XP Firewall (ServicePack 2):  

Control Panel -> Windows Firewall -> tab "Advanced" -> ICMP -> check "Allow incoming echo requests"

(This is the default setting)

NetBios name requests use UDP port 137. This port is also used for file and printer sharing.

Enable responding to NetBios name request sent from other IP subnets in the Windows XP Firewall:  

Control Panel -> Windows Firewall -> tab "Exceptions" -> select "File and Printer Sharing" -> Edit -> select "UDP Port 137" -> Change scope to "Any Computer"

The default setting allows requests only from stations in the same subnet.


Glossary

MAC-Address:

MAC addresses (or hardware addresses) are 6-byte (48-bit) addresses, intended to be worldwide unique, that identify stations on the Ethernet. The first three bytes identify the manufacturer of the Ethernet board (vendor code). MAC addresses are usually written in hexadecimal (e.g. 00-00-FB-48-56-56). Most adapters let the operating system override the address in software, which is why a changed MAC address for a known IP address is worth an alarm.

IP-Address:

Each device in a TCP/IP network is identified by a network-wide unique 32-bit IP address. IP addresses are usually written as 4 decimal numbers separated by dots (e.g. 194.127.156.150).

Each address consists of two parts. The first part is the network-address, and the last part is the host-address.

Router:

IP-Routers are used for reaching stations in different IP-networks. They transfer the packets to the other network.

Broadcasts:

Broadcast-packets are sent to all stations in the network.

The MAC destination address is FF-FF-FF-FF-FF-FF (hex).

A high broadcast load is harmful because every station has to process these packets, so it is important to keep an eye on broadcasting stations. This is easily done with the NetControl hit lists of the most active broadcast senders.

So-called broadcast storms are dangerous. The term describes a condition where devices on the network generate traffic that by its nature causes the generation of even more traffic. The inevitable result is a huge degradation of performance or complete loss of the network as the devices continue to generate more and more traffic. This can be related to the physical transmission or to very high-level protocols. There is a famous example of Banyan Vines bringing a huge network to its knees because of the addition of a single server, which brought the network to "critical mass" (this logic error has since been corrected). NFS is famous for this type of failure.


The program uses the WinPCap interface, Copyright (c) 1999 - 2004 NetGroup, Politecnico di Torino (Italy).

WinPCap Copyright Notice:

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Index


Broadcasts
Commandline Parameters
Export
Intrusion Detection
IP-Address
IP-Addressranges
Installation
Licence
Licence activation
MAC-Address
Mainmenu
Network Interface
Passive Scanmode
Permanent Scan
PortScan
Router
SNMP
System requirements
VLANs
Wake on LAN