NetControl Documentation

RzK-Logo Version 5.0  -   (C) 10/2004 by RzK GmbH

Hauptstrasse 49 * D-53567 Asbach *Tel: 49 2683-940000 / Fax: 49 2683-4537

WWW: email:

Index Installation Licence Mainmenu Address-Wizard Configuration Accounting
Summarize data Probes: Names and Alarms Probe Overviews Configurationfiles Speed-Navigation Keyboard Commands Stored Data


NetControl for Windows forms the headquarters of  network supervision. The software is able to gather local data with its internal probes and can  receive data from the remote probes distributed in the network. NetControl analyses the data and generates automatically HTML-pages for presenting it. These pages can be viewed with any web-browser (locally), or published with a web-server in your inter-/intranet.

Do you need to know the status of your network? Do you need instant notification when the network status dramatically changes? For most network administrators, the answer is yes. As computer networks proliferate you need an easily to use monitor tool. If you are the person responsible for installing, configuring, monitoring, and correcting problems with an organization's network and computer assets, NetControl can make your job easier.

NetControl is designed for usage with remote probes but it contains two internal probes, for using it in small networks without installing any external probes. Please note that NetControl is a passivley network monitoring tool. If the NetControl PC is attached to a switched network the switch isolates all the traffic except that for the PC itself. In this case you have to configure the port where the NetControl PC is located as a monitoring port or you have to use a (not switching) hub.

Please wait at least for one intervall if you use NetControl for the first time before you view the data files. You can specify NetControl's data-directory and the length of the time intervals in NetControl's configuration.

You can monitor, watch and permanently record all current network parameters of the shared network segments with NetControl. The complete address activities of every probe will be recorded seperately. Stations can be identified by their MAC- or IP-addresses. NetControl will generate Ethernet long-time statistics for network management. These informations can be used for planning further network expansions.

The system is very suitable for heterogenous networks and can be flexibly expanded with additional LAN probes. Therefore it can be easily adapted to the size of the network to be monitored. NetControl is able to monitor up to 40000 addresses.

Probes for NetControl:

NetControl without any additional remote probe is able to monitor with its internal probes the traffic on the network segment, where it is installed. Both internal probes (one designed for MAC and one for IP addresses) can be activated in NetControl's configuration.

If you want to monitor remote segments you need to install remote probes in those segments. These RzK statistic probes will analyse the traffic on the remote network segments and send the gathered information to the NetControl PC.

RzK delivers hardware probes for 10 MBit ethernet. These small preconfigured boxes can process MAC- or IP-addresses.

For MS-DOS PCs RzK delivers a packet driver based software probe (Freeware "NC-Probe"). NC-Probe is also able to run under Windows 95/98 in a background task.

The RzK software probe for Windows 9x/me, Windows NT, Windows 2000 and Windows XP is realised by NetControl itself using a special licence (NetControl "Monitor" licence). This probe uses the NDIS driver and can evaluate MAC and IP addresses simultaneously.

A special case is the RzKFlow Probe. This probe is used for gathering NetFlow statistics from routers and transfering the data to NetControl.

You can use the software probes for Gigabit Ethernet-, FDDI- etc. networks, if an appropriate NDIS or packet driver is present.

System requirements:

NetControl for Windows is a 32 bit software for Windows 9x/me, Windows NT, Windows 2000 and Windows XP. There are two possibilities for receiving data from the remote statistic probes: the Winsock interface (UDP packets only) or the RzK NDIS driver. If you want to use the internal probes, you have to use a NDIS driver. The PC hardware requirement depends on how many probes NetControl should manage and how much traffic is on the network.

Advantages of network monitoring with WWW interface:

Because the data can be displayed in HTML format any station on the network with a WWW browser can be used as a network monitor. The maintainance service has direct access to the monitored logs, alarm data and statistics.

Even for the ordinary users the network gets more transparent. With a web browser they can take a look at graphics displaying the current network load and collision rate in the users's segment. He can inform himself about the current network state and he can adapt his behaviour on the net to evade straitened circumstances. In that way the network can be used more efficiently.

With NetControl your PC becomes a NetRecorder

A PC equipped with NetControl becomes a NetRecorder because it can permanently monitor and record network events.

To find creeping changes on the network it is necessary to compare new information with the older ones. For this you will need not only to monitor the current network parameters, you also need to permanently record it. A NetRecorder realizes both functions, monitoring and recording. The concept allows a data recording for many years. The NetRecorder permanently monitors the traffic on the network and reports an alarm on every transgression of definable ranges.

You can avoid many errors if the network is permanently monitored and changes are controlled. You can compare the NetRecorder to an airflight-recorder. After a net crash the recorded data can be used to find the reasons. Even if you don't monitor the records the whole time (because no complaints are known) you can trace suddenly occurred errors.


To run the NetControl without any restrictions you will have to purchase a licence from RzK. The software will check the existence of a licence file on startup.If you already have purchased a licence you will find it on your installation disk (File NCW.SNP). If you do not have a licence installed NetControl will ask wther it should run in demo mode with simulated data received from simulated remote probes or if it should run in "real measuring" mode. The latter one has the restriction that it will stop after three days and that it will monitor and account only 25 addresses.

There are three ways to activate this licence file:

  1. Use the menu item "licence -> licence from file" and choose the file NCW.SNP in the following file dialog box.
  2. If you have your licence code in another file from where you can paste the licence information to the clipboard you can use the menu item "licence -> new licence from clipboard" to activate the licence.
  3. Simply copy the attached file NCW.SNP to the NetControl program directory.

If no licence is found NetControl will start in demo mode. Demo Mode requires a file with simulated data. If it is not included in your NetControl version you can find such a file at for free download.

Here are the possible licence options to adapt NetControl to your needs and to the size of your network:
NetControl Licence: "Monitor" "Lite" "Standard" "Large" "XLarge" "Campus"
Saving of HTML Data: no yes yes yes yes yes
Max. number of addresses to monitor: 100 100 300 1000 5000 40000
Max. number of remote Probes: 0 10 10 50 100 350

Upgrading to a higher licence is always possible. The "Monitor"-licence does not allow any saving of data, but this licence is sufficient to set up NetControl as a remote probe for another NetControl PC. The address restriction for the monitor licece applies only for the local control of the address related data. It has no influence on the probe capabilities.


NetControl installation:

  1. Execute the setup program from the installation disk.
  2. Driver for the NDIS will be installed automatically for all operating systems (since NetControl version 3.31).
  3. Start NetControl.
  4. If you don´t have a program licence simply press the start button and select if you will use NetControl in demo mode.
  5. If you have a program licence activate it (see licence activation) and open the NetControl configuration. Check the selected NDIS interface (network card) in the register "Interface". If you do not have any remote probes activate the internal NetControl probes (Register "Probes"). Begin gathering of data by pressing the "Start"-Button.

You have to wait for at least one NetControl time interval (Default: 2 minutes), before you can view NetControl's saved HTML files.

Remote Probes:

If you are in possession of hardware- or software probes for monitoring remote segments, you must install and configure them first.

Hardware probe installation (RzK Ethernet Box):

Use the program PRBCONF to configure the Ethernet Box. That program is located on the Ethernet Box Utility Disk.

To change the configuration connect the box to the serial (Nullmodem cable) port of your PC. Adjust port and baudrate in PrbConf. The default value is 9600 baud and no password is specified.

Software probe installation (NetControl Monitor Licence):

The installation process is the same as for a usual NetControl. You only have to set up NetControl as a sending probe in the configuration (see "Configuration of NetControl as Probe").

A special case is the RzKFlow Probe. This probe is used for gathering NetFlow statistics from routers and transfering the data to NetControl.

NetControl Uninstallation:

Close the application if it is currently running. Click the Windows "Start" button, and select "Settings", then "Control Panel". Double-click the "Add/Remove Programs item". Proceed by double-clicking the line corresponding to NetControl and follow the instructions. Note that some files, generally the licence file (ncw.snp) and the ini file, may be created by the application and will not be deleted for your convenience in case you wish to refer to them at a later date. Delete these files manually if you do not want them.

Main menu:

NetControl Main menu

By using the File menu you can start the configuration, view the available address- and configuration-lists (IP services and protocols, IP-Nets, Vendor Codes and protocols) and quit the program. In the View menu you can enable and disable the speed navigation window , you have access to the NetControl log files and you can start the web browser. The Probe Overview menu enables or disables the various probe overview windows. With Graphics you may generate GIF-graphics from the NetControl statistical data directly and control these with a web browser. The Options menu gives access to the summation tool for the addres related data. By using the Licence menu you can check the current licence and activate a new one. With the Language menu you can switch from english to german and vice versa. This is only possible if more than one language file is installed (Files ncw-deu.ini and ncw-eng.ini).

The Start button starts datasampling. The window  standard probe overview opens automatically (configurable in the configuration menu, register view). The command line parameter go will force NetControl to start datasampling on startup. If the datasampling is in progress the status panel of the current interval displays the interval length, remaining time and number of active connections in the network between IP and MAC addresses.

The three LEDs show the activity of the different probes: upper LED: remote Probes, lower LEDs: internal MAC-address-probe (right) and internal IP-address-probe (left).

Address-Wizard Lite:

(Call: File, Addresswizard, not available in Monitor-Licence.)

The Address-Wizard is a perfect tool for identification of active stations on the network. It is integrated into NetCotrol as a "lite" version. The Wizard requires the IP-Protocol.

 The Address-Wizard has its own configuration window for the selection of the network card and IP address (Details)


1. Choose active or passive Scanmode:

You have to decide, if you want the addresswizard to scan the network by sending ARP packets to all IP addresses within the selected range or if it only should listen to all packets. This selction is made by "Scanmode: Active / Inactive". If you select the active mode only those addresses within the IP addressrange will be recognized. If you select the passive mode all addresses which send UDP-, TCP-, ARP- or PING packets will be listed. Of course a passive scan needs its time to collect all addresses. If you select the passive scan mode please proceed with step 6.

2. Selection of the network card and IP-address: (Active scan only)

If you are using more than one network card, you first of all have to check whether the correct card (NDIS interface) is selected. The Wizard starts with the card which is also selected in the NetControl configuration. Next you have to control the IP-address which the Wizard itself uses. It has to be that one which is assigned to the selected network card. If not, you would receive the Windows announcement "IP address conflict" when you have started the searching process.

3. Set the router IP address and the net mask: (Active scan only)

If you want to search addresses outside of your IP netmask, the Adress-Wizard requires the IP address of the router. For distinction between intern and external IP addresses, the IP netmask is required.

For addresses within the net mask become the ARP-protocol is used and for those outside (ICMP-)Ping.

4. Determine the IP address ranges to be searched in: (Active scan only)

Set the first and last IP-address, where the Wizard should scan for active stations. If you want to search in more than one range of addresses you have to use- button.

5. Determine the scan speed: (Active scan only)

It is hereby determined how many inquiries are send per second. Default: 100msec i.e. 10 packets per second. If you want to find addresses "behind" slow connections you have to reduce the scanning speed.

6. Start the search process:

Of course with the start button. IP-addresses that answer to ARP- or PING- inquiries will appear in the list standing to the right. If the IP-address is inside the net mask the MAC-address is shown, otherwise it is the MAC-address of the router.

Left in the STATUS field is shown which address is searched currently, how many packets (ARP and Ping) were sent (active scan), how many answers arrived and how many different addresses were recognized.

You can interrupt the process any time with the Stop-button. Otherwise the process ends, if the End-address of the area to be searched is reached.

Subsequently you can enter and search further address ranges.

6. Determine the names for the found addresses:

If you press the button Resolve Names the Adress-Wizard will look via Winsock for the names assigned to the found IP- addresses. There are considered only the addresses, which are selected in the list (marking: ). Resolving names is realized over either over a local Hosts-list or by nameserver requests. The Winsock uses so-called blocking-calls. This means, that the individual request can take a relatively long period of time, if the address is not known. You can finish the process with the Stop-button.

Found names are entered automatically in the list. If names have changed changed an entry in the Address-Wizard error log is made. This log is accessible with the alarm-button ().

7. Selection of the addresses, which should be used in the NetControl lists:

Within the list you can decide for each address, if it should be used in the NetControl list. (marking: ). If you have finished scanning for addresses and resolving names with the Done-button, the Adress-Wizard will ask, whether you want to take over the n marked addresses.

More than one IP-Addressrange:

If you want to search in more than one range of addresses you have to use- button.

You can define up to 10 ranges (defined by start- and end-IP-address) to scan. A range will be scanned only if the in front of it is activated.

The field "Use always ARP" means, that the addresses within this range will be scanned via ARP-packets, even if the addresses are outside the own IP-netmask. (So the Address-Wizard will not use the router).

For a passive scan (listen only) you can choose if

  1. all recognized addresses,
  2. only addresses within the defined address ranges  or
  3. only addresses which are in none of the defined ranges

will be put into the address list.

Addresses which are in none of the defined ranges will be marked in red color.

The address of the own station is marked blue and the router address yellow.

While permanent active scanning the column with the time of the last received response packets shows the presence of the found addresses in the network in a coloured view.

Green: This address has answered in the last scan.
Yellow: This address has answered in the scan before.
Dark red:This address has not answered for more than three scans.

Store and read addresslists:

You can store the list of found addresses in a text- or a Html-file. The selection of the fileformat is made in the save-dialogue. Lists in the text-format can be read in later on. This is useful, if you want to search several address-rangese and want to interrupt the process, since it is very time-consuming.

On the other hand you can import the list in other programs, which can handle standard ASCII files.

It is possible to import a HOST-list of IP-addresses into the Address-Wizard, if you choose the appropiate file type in the open-file dialogue.

Sorting the list:

Newly found addresses are inserted always at the end of the list. So the list is not always sorted for addresses. You can resort the list by clickin on the corresponding column headline.


(Call: File, Configuration or Alt-K)

The configurations' register pages
Interval Interface for receiving data Probes Probes for CISCO Netflow Records NetControl as Probe Files Hitlists Graphics Address counters Address restrictions Alarms View

will be explained one by one. If you have a NetControl-"Monitor"-licence only, which is not usable for storing data, some points in the configuration are not accessible.


NetControl assigns the received probe data to time intervals. For every time interval and probe a record will be calculated and saved.

Here you can specify the interval length in seconds or choose one of the default values.

The interval length influences the exactness of the daily gathered data and of course the produces the data quantity. The default value is 2 minutes and because of that 720 intervals per day.

If you want to use NetControl as a remote probe for another NetControl PC (monitor licence), please set a short time interval (i.e. 20 or 30 seconds).

Interface for receiving network data:

NetControl can receive data from the Windows WinSock interface or directly from the RzK NDIS driver.

If possible, that means

you can use the Winsock interface. Using Winsock is the default configuration if the internal probes are deactivated.

With RzK NDIS selected you can use the internal probes and receive data from probes which are not sending via UDP to NetControl. If you have installed more than one NDIS interface in your PC first of all you have to choose the appropriate interface. The MAC address and the interface speed for this interface will be displayed. It is not possible to choose a dial up network interface.

NetControl can receive data from the Windows WinSock interface or directly from the RzK NDIS driver.

If possible, that means

you can use the Winsock interface. Using Winsock is the default configuration if the internal probes are deactivated.

With RzK NDIS selected you can use the internal probes and receive data from probes which are not sending via UDP to NetControl. If you have installed more than one NDIS interface in your PC first of all you have to choose the appropriate interface. The MAC address and the interface speed for this interface will be displayed. It is not possible to choose a dial up network interface.

If you set the option "ignore packets sent by this station" NetControl will not count any traffic which is caused by the PC where NetControl is installed. If you want to monitor a server and have installed NetControl on that server you have to uncheck this option. Otherwise you would see only the incoming server traffic.

You can filter groups of remote probes by selecting only this which send to a specific MAC address:

When using the NDIS interface you can set a Berkeley Packet Filter expression for the incoming packets. (Details) Setting a filter may block receiving of packets from remote probes.


If you have only a "Monitor"-licence, only the internal probes are available.

Internal probes:

NetControl also can be used without probes. With Activate internal MAC-probe you can enable NetControl to simulate a MAC-address-Probe (No. 1) and With Activate internal IP-probe an probe (No. 2), which collects IP-addresses. With this feature enbaled, the program has to read all packets on the network. So it may be useful in networks with high traffic, to use external probes. The data receiving will switch to the NDIS Interface automatically if you activate an internal probe.

If you want to use NetControl only to gather NetFlow statistics (see below) than you have to install the RzKFlowprobe into the NetControl directory and activate the checkbox "Activate RzkFlowProbe on this PC". The internal probes will be deactivated in this case. If you start the datasampling process NetControl will automatically start the RzKFlowprobe.


You can select, if the internal probes should count packets (default) or bytes. The latter is useful if you want to use NetControl for accounting purposes. The daily and monthly saved addresscounters give detailed information about the number of bytes sent by all active stations. Additional the number of Broadcast- and Multicasts-Bytes is stored. The daily protocol-counters (see below) give an overview what netload each protocol causes.


For the internal probe, which registers MAC-addresses, an additional statistic may be activated. This Typefield/Protocolstatistics shows which protocols (identified by their Ethernet Typefield - (Byte 13 and 14 of each Ethernet packet) are used in the network.

NetControl generates for each day a list, where all active protocols are listed with the amount of sent packets (or bytes - see above). For each interval a special hitlist is calculated. All packets with a typefield below 1536 (600hex) are counted under 802.3 (Packetlength in typefield).

Error recognition of internal Probes:

Error measurement with the internal probes is possible with the internal MAC probe (No. 1). Depending on the network card in use it can recognize CRC errors. Shortframes or collisions are not measurable. For this a remote hardware probe is required.

Send Data of internal Probes to other NetControl PCs:

NetControl itself can act as a remote probe for other NetControl PCs. Of course this only makes sense, if you have at least one other PC with NetControl which will receive the probe packets. If this is the case you have to set the checkbox Send Data to other NetControl PCs. You will see a new register card, where you can configure the probes (see below).

Remote Probes:

(Not available if you are using the "Monitor"-licence).

If you are using remote probes you have to activate the checkbox allow remote Probes.

With the button Names and Alarms you can edit the appropriate list. There you should enter the highest probe number sending to your NetControl on your network. NetControl can manage up to 300 probes (depending on the licence in use). Your input in that field will influence the window size of the standard probe overview. If you have enabled both internal probes (see above), none of your remote probes should have the numbers 1 or 2.

In the field probe intervals you can specify the sending interval of your probes. The default value is 30 seconds. This statement affects the timeout for the probes. If a remote probe times out it is marked as "not working" with a special color in the standard probe overview

In the field UDP port you have to enter the port your probes use to send their packets. Otherwise you will receive no data from the probes. It only affects probes sending their data via UDP to NetControl.

Address mode:
For every probe the following options can be changed:

  1. MAC address evaluation. The stations will be assigned clearly to the hardware addresses.
  2. Evaluation (IP protocol) of:
    1. Only IP addresses: Interpretation of IP addresses instead of hardware addresses. (No different  protocols or services per IP address possible)
    2. IP addresses and IP services (Ports): Interpretation of IP addresses and all IP services. That means an IP address will appear more than once (One appearance for every service).
    3. IP addresses and known IP services: Only the IP protocols listed in PROTOCOLS (text file) and the IP services listed in SERVICES (text file) are evaluated. This should avoid too many address entries in the daily and monthly address counter lists.

This adjustment affects all probes. If you have different probes on your network or if you want to adjust IP probes differently you can adjust the address mode for every probe separately in the local probe configuration menu accessible from all probe overview windows.

Probes for CISCO Netflow Records:

By the help of RzKFlow Probes NetControl can be used for gathering NetFlow statistics from (CISCO) routers or NetFlow capable switches. This makes it possible to get traffic and accounting statistics for remote network segments without having to install remote probes within these segments.

If you install the RzKFlow Probe on the same PC as NetControl you have to use the same directory for the installtion and make the following setting within the configuration:

The internal NetControl probes are disabled in this case.

Requirements for using the NetControl statistics for CISCO routers:

The operating systems has to be at least IOS Version 12.0.

The flow records have to be send at least once per minute:
ip flow-cache timeout active 1

For each interface section sending of flow records must be enbaled:
interface ...
ip route-cache flow
At the end of the router configuration process you have to select Flowformat Version 5:
ip flow-export version 5
and determine destination Ip address and IP-port for the netflowrecords:
ip flow-export destination <ip-addr> <port>

For each router, which sends flowrecords to a RzKFlow Probe NetControl can make two virtual IP address probes: one for counting packets and one for counting bytes. Probenumbers for NetControl are defined within the RzKFlow Probe.

*NetFlow is a registered trademark of Cisco Inc.

Configuration of NetControl as Probe:

This register is available only if you have set the checkbox Send Packets to other NetControl PCs.

NetControl can act as an remote Probe. Of course this only makes sense, if you have at least one other NetControl PC on the net, which receives the probe data.

You have to specify:


(Not available if you are using the "Monitor"-licence).

Path to the stored (HTML) data files:

Here you can enter the DOS path where the program should save long time data files. The free disk space of the specified drive will be shown below.

If you enter the root directory the data files are written to the yearly and monthly organized subdirectories \1999\ETH01 (January), \1999\ETH02 (February), \1999\ETH03 ...

If you enter a path, the subdirectories (\1998, \1999...) will be created in that directory.

If you want to share the data on the WWW, your Web Server must have access to the data directory, so please choose an appropriate directory for your data files (i.e. \WWW-data\NETCONT\.) Naturally the Web Server and NetControl can be used on the same PC at the same time.

NetControl generates all links for a fast access between the WWW pages automatically. Therefore you can realize a comfortable access to the data.

Path to the stored images:

In this directory NetControl will search for the icons (small GIF images) used in the HTML files. If you change this path NetControl will copy the appropriate files to the new destination automatically.

Path to the address-, typefield-, IP-protocols and IP-servicea lists:

To assign names to MAC- and IP addresses, NetControl requires address lists. The same for resolving Ethernet Typefields (Protocols) and IP service numbers (i.e. "Telnet" instead of 23). Here you can enter the directory containing these lists. Default: NetControl directory.

You can work with different address lists, if you select the address lists manually with the "browse"- buttons. Address lists can automatically be generated with the Address-Wizard.

If you enable the display of file access errors NetControl will warn you with a message if it can't access a HTML file. This may happen if another process uses this file exclusively.

By setting the checkbox "use background image" you set up NetControl to use the background of this help file for all HTML data files.

The HTML index file is the main page for NetControl data. NetControl places all links to all probe pages on this main page as a table.
For this page you can choose if your browser should refresh it automatically. This happens in the time interval you have specified for NetControl. Additionally you can choose if the links to the probe data should be displayed as small or large icons.

Long-time-data to be saved:

Here you can choose what data NetControl should save:

  1. General network parameters (netload, packets per socnd...) as a list. If it should be displayed as a graphic too you must activate the graphics in the graphics register,
  2. Packetlength statistic as a list,
  3. Daily and monthly address related counters,
  4. Daily counters of Protocol distribution (MAC-probes only),
  5. Daily counters for the used IP-protocols ans services (IP-probes only),
  6. Alarm messages separately for every probe  and
  7. Summary alarm file for all probes.

Every file type is explained separately under file types

Deleting old data files:

To help you to keep an overwiew about your stored data, you can delete older files with the Delete files Button. This brings up a window, from within you can either search for files, which are older than a user given date, or simply tell NetControl to auto-delete files.

Deleting manually:

Set the age of files you wish to keep in the spinbox. Then click the Find Files Button. NetControl will show all directories with older files. To finally delete these files, click the delete files Button.

Using autodelete:

If you want NetControl to delete obsolete files by itself, enter the number of months you wish to keep data files. Then simply activate the box delete files automatically after this period. Now, NetControl will check on the end of every month, if there is obsolete data, which can be removed.


Hitlists help you to identify directly which are the most active stations, broadcasters, protocols etc.

The following hitlists can be generated for each time interval:

Every hitlist can be activated separately and for every hitlist you can choose the maximal number of entries. Furthermore you can choose by max. number how many hitlists should be saved before old lists will be overwritten. The maximal possible value depends on the NetControl licence.

A HTML file for all hitlists will be generated at the end of every time interval. You can choose whether the station-related or the connection-related lists should be at the top of that file.

Furthermore you can choose, if the stations in the hitlists should be displayed

Station names can't be displayed if no address lists are available.

Alarm with copy of Hitlists:

If you have set up alarms in the probe configuration list you may want to save the current hitlist in case of an alarm. Because the hitlists are giving a more detailed descripton of the current net state it may be useful to have them available in case of an alarm. Usually the hitlists are periodically overwritten by newer ones. Therefore NetControl can copy the current hitlists if an alarm occurs. The corresponding alarmmessage gets a link to the saved hitlists. If you follow this link you will see the hitlists from that point in time. This chackbox globally enables the copying of hitlists, but you have decide for each alarm condition, if you want to use this feature.


(This TabSheet is only visible if you have enabled saving of address counters on the Files TabSheet).

Address activities will be saved daily and monthly.

The following values will be saved for every station (identified by their IP or MAC address):

Optional you can log the activities of every IP protocol and service separately while monitoring IP addresses. You can activate this in the configuration at Address mode or separately for every probe in the probe overview windows.You can specify for all MAC-address probes and all IP-address probes if

should be written.

Furthermore you can specify, if the stations in the lists should be displayed

Station names can't be displayed if no address lists are available.

For MAC addresses you can choose if you want the first three bytes of the MAC address instead of the vendor code to be displayed (i.e. "RzK- 48 01 23" instead of "00 00 FB 48 01 23").

Summarizing address related data:

NetControl can summarize address lists to total lists, one list for all MAC address probes and one list for all IP address probes. For the last list you can choose if the various IP services should be added. Hereby only probes counting packets (not those counting bytes) are taken into consideration. Of course this feature only makes sense, if you have more than one IP- or MAC-probe.


Here you select which IP-address should be counted as broadcasts.


Additionally you have to choose, if ARP packets should be counted as IP-broadcasts.

Restricting the amount of stored addresses:

For IP-address probes you can configure NetControl to ignore addresses which are not in a list of specified ranges. This is useful, if your NetControl licence is sufficient to store all ip-addresses from the local network but not those coming from outside. In this case you should set the checkbox Store only IP-addresses in the following range and set the ranges to your network mask(s). Up to 10 ranges are possible. A range is specified by a start- and an end-address (not a subnetmask). Each range has to be activated separately with a checkbox: .

The address restrictions refers to the address related data (daily and monthly counters for each address) and to the connection related data (hitlists and complete communication matrix). A connection is ignored if both are outside the defined ranges.

Additionally you can restrict the amount of data to be saved by setting a "minimal activity level". This applies for all probes. An address will only appear in the daily and monthly list if it sends and receives more packets than defined here. In that way you can avoid logging of non existent addresses coming from bad packets.

Detection of "unknown" IP addresses:

NetControl can raise an alarm, if an unknown IP address is detected. "Unknown" are all addresses which are not found in the NetControl address list. If you set this checkbox the HTML logfile for the probe 2 (IP-address-probe) will receive messages for each new found IP-address. (With the correct settings under Alarms you can send an email for each message) You will see the list of unknown addresses in a little memo field. You can save this list to a textfile into the NetControl program directory by pressing the button directly left of the memo. If you restart the data sampling the list will be erased and you will receive an alarm again, if that "unknown" IP address is active.


(Not available if you are using the "Monitor"-licence).

In the Graphic register card you can choose first of all, if graphics should be created for the general network parameters anyway (Create graphics automatically). If you activate the graphics you may also choose how often graphics should be created (Default: Every 15 minutes). Consider, that generating graphic may be a time consuming process on a slow machine.

In the probe configuration list you can select for every probe separately if graphics should be generated. The probe configuration can be called by pressing the button "Select Probes"

For every probe and day NetControl can create up to five images. By default three images are created: The first shows the network load, error rate and collision rate, the second shows packets, broadcasts and multicasts per second and the third shows the number of active stations per time interval  Please notice that only parameters with comparable ranges (i.e. percent values) should be arranged in one image.

Via the button Select Colors you can choose a color for each parameter to plot.

For image generation NetControl calls the external program T2G (TextToGraph). T2G will be copied to the NetControl directory during installation.

You can generate graphics later on demand by using the graphics menu (callable from the the main menu with graphics)


By default NetControl wites all alarm messages into the logfile of the corresponding probe and into the global log file of all probes.

Additionally NetControl can execute an external program on every alarm (i.e. to forward alarms via Email or SMS-Call). This program can be specified here with command line parameters. The parameter $a will be replaced by the current message text.

In the menu File-"Probes: Names and alarms" you can enter the conditions when an alarm should be triggered. For unkonwn IP addresses can raised an alarm as well.


With this dialog, you select the windows, which open automatically, when the data recording is started.

If you set the checkbox "Allow onyl one open probeoverview at one time" any other probe overview window will close if you open a new one.


(Call: Options, Accountingmodule)

Usage of the accouning module requires a special licence for NetControl.

The accounting module of NetControl serves two purposes:

Of course the exactness of the gathered accounting data depends on the performace of the NetControl PC (CPU and network card) as well as on the network activity.

Switched networks:
If the NetControl PC is attached to a switched network the switch isolates all the traffic except that for the PC itself. For being able to gather accounting informations you have to attach the NetControl PC to a port where all packets of interest are copied to. If you can´t configure your switch to copy all packets to the port of the NetControl PC (port mirroring) you have to use a (not switching) Hub. If you want to account all traffic which is passing a router you may "insert" a hub between your network and the router and connect the NetControl PC to this hub.

Generating accounting reports:

  1. Choose the period of time by selecting a month or by giving the first date to evaluate (Startdate) and the last date to evaluate (Enddate). The button directly right of the enddate shows a yearly calendar. Days with NetControl accounting data available are shown red in this calendar.

    You can choose a period of time by marking it with pressed left mouse button.
  2. Choose a probe (Probe 1: accounting based on MAC-addresses and Probe 2: accounting based on IP-addresses and if applicable IP-Services).
  3. If you generate an accounting report for IP-addresses you have to decide, if different IP-protocols and services should be summarized to one address entry.
  4. Read the selected data by pressing the appropriate button.
  5. Define the format of your accounting report:
  6. Use the Update-Button if you have made changes to the report format.
  7. Save the report as Excel, CSV or HTML-file. For large reports the saving to Excel (OLE) can take very long. In this case please use the CSV format which can be imported into Excel.

Accounting reports for each user:

If you do have a accounting licence NetControl saves the activities of selected addresses (File -> Edit complete addresslist -> mark: Accounting data is set) seperately for each address in a special directory:
Default: C:\WWW-DATA\NETCONT\ADDR-ACCOUNTING\<Name_of_address>\

Extract from an example file:

IP-Address       Service: www

                                                          Time of first and last occurence
Date             received          sent    Multicasts    Broadcasts   /     \
01.08.2001        4153443       3443554         34425         54666 08:10 16:14
02.08.2001        4136543       3763534         65367         46474 08:44 18:34
03.08.2001        3398923       3013556         26266         26564 08:31 14:47

Calculation of weekly, monthly or yearly statistics:

(Call by: Options, address-summation)

NetControl is able to gather daily statistics for the station activities (Configuration: addresscounters). This tool is for calculating weekly, monthly or yearly summarized statistics manually for many probes at one time.

These statistics can be used for accounting purposes.

Before you start the summation process by pressing the Button you have to select:

  1. The first date to evaluate (Startdate)
  2. The last date to evaluate (Enddate). This date has to be greater than the startdate. You may use the up-down-buttons for automatic selection of monthly periods of time.
  3. Which probes should be taken into considetation. The selction is made by probenumbers and probe-type (for MAC- or IP-addresses).
  4. If for IP-probes all different IP-protocols and services should be summarized to one address entry.

The summarized data is written to HTML-files similar to those for the daily address related data.

The files are automatically integrated into the other NetControl HTML pages.

Probes: Names and Alarmconditions:

(Call by: File, Probes: Names and Alarms)

In this list you can assign a name to each probe (max. 15 characters), which will be shown in the Standard Probe Overview and written in all HTML-pages which contain data from this probe. For each probe you can define lower and upper limits for the measurable network parameters like netload, errorrate, collisionrate, broadcasts and multicasts per second, etc. In case of a transgression an configurable alarm will be triggered. The list of probe names and alarm conditions will be saved to the textfile PRB-DEF.INI.

The field max. number of probes should contain the greatest probe number which is should be handled by NetControl. If you're not using remote probes, you only have the two internal probes.(max. number of Probes = 2). Otherwise receiving of probe data must be enabled for the remote probes in the configuration menu.

The  number of remote probes which NetControl will process depends on the licence in use. The program itself is limitated to 300 probes. If you are using the internal probes, no other external probes are allowed to use the numbers 1 or 2.

If you enter a value greater then 0 in this column, NetControl watches the sending activity of this probe and triggers a alert, if the probe was inactive for a time longer than specified here. When the next packet is received from this probe, there will be generated a alert also showing how long the probe has been inactive. . If the value is zero, no alerts will be triggered anyway.

You can give a minimum and maximum allowed value for every netparameter. With the AI (=Alert index) you can determine the kind of action which should take place in case of a transgression:

Singe Probe Configuration:

Because you can configure many alert  condition the rows of the list above can become very long. Therefore NetControl offers another possibility to edit the alert settings. With a doubleclick you enter a menu, from within you can edit the configuration of every single probe:

The "Probe-Nr:" switch brings you to the specified probe number.

If a selected probe is unable to measure a network parameter that parameter will be shown gray.

Probe Overviews:

NetControl offers different probe overview windows. Most of them are only useful if you are using many remote probes.
Standard Data Overview Data History Activity Overview Activity History
Context-Menu; Graphics for one Networkparameter Bargraph for netload, distribution of Unicasts/Broadcasts

Standard Probe Overview:

(Call: Probe Overview, Standard ; optionally: automatic opening on startup of data receiving.)

In this table you can see the presence of the probes in the network in a coloured view.

The probe does not exist or the probe has not answered yet since the program was started.
The probe is active.
The probe has not answered since one probe interval.
Dark red:
The probe has not answered since two probe intervals.
Light red:
The probe has not answered since three probe intervals.

If a probe has not answered for some time NetControl will show the time of the last received data packet. Otherwise the current value of netload measured by this probe will be displayed.

On the right side NetControl shows for each probe if graphics are generated and which address mode is used:

The specified address mode is displayed only if it is different from the address mode specified in the global configuration.

Overview of measured network parameters:

This overview let you choose one networkparameter (e.g. the netload) and compare this parameter for several probes.

You may choose of:

Choose the color for emphazisation for values outside the allowed ranges with the -button.

If you see in one cell, this means, that the probe has delivered no data in this interval.

If a probe is unable to measure a network parameter you see "--" in the cell.

If you move the mousepointer over a cell, you get more information about the probe, the intervall and the measured value.

With the Autosize-button you adjust the size of the window.

History of values:

This overview shows the last values of netload, error and collision rate for a selection of probes. This overview is very usefull, if you are using RzK Hardwareprobes (Ethernet Box in Pulsar Mode).

You can choose:

If a probe is unable to measure a networkparameter, "--" will be shown instead.

If you move the mousepointer over a cell, you get further information about this probe, the interval and the values.

The autosize-button matches the window size to the ammount ov values in it.

Overview of probeactivity:

This overview shows, how many packets were received from the different probes in the last time intervals. So you can see instantly, if there where any probes down.

Set up:

The probes send packets to NetControl in a fixed time interval. Default: 30 Seconds. A probe sends more packets, if its internal address buffer gets an overflow.

With the -button you can choose, how to highlight the intervals where NetControl has determined a lag of packets.

The RzK hardwareprobes which work in pulsar mode play a special role. They always send three packets per minute(20 seconds interval) because they transmit no address information.

If you hold the mousepointer over a cell, you'll get closer information about the probe and it's interval.

With the Autosize-button you match the size of the window to its content.

History of the probeactivity:

This Overwiew also shows the number of packets, which were received in the last intervals. You can compare the activity of the probes for a longer period of time. Each probe defines one "activity column".

If you hold the mousepointer over a cell, you'll get closer information about the probe and it's interval.

Context Menu of probe overviews

Probe Info Current Networkparameters Addresscounters Counter of Protocols Counter of IP-Protocols and Services Current Hitlists HTML Data Probe Configuration

By selecting a probe and clicking with the right mouse button you get a popupmenu where you can control the data gathered by that probe. Furthermore you can activate the special configuration of that probe.

With Probe Info you get an overview about the measurement possibilities and the current state of the probe:

The menu item current network parameters shows a list of the last measured parameters for the selected probe:

This window will be updated automatically after each interval. Values above the alarm threshold are marked red. NetControl stores the last 100 intervals in this grid (expandable to 500 intervals in the NetControl INI-file).

By clicking into the grid headline you may resort the grid. The first click sorts the corresponding column ascending and the next click descending. So have a nice tool to see directly the time intervals of high netload.

Percentual values:

Values per second:

Values per interval:

If a parameter is missing, the choosen probe cannot measure it.

Onlinegraphics for one Networkparameter from a selected Probe:

By using the local context menu you may view online graphics for the current selected network parameter.

You can switch directly to another probe or choose a different networkparameter to plot. Additionally you can select to store the graphics within the web-pages written by NetControl.

Onlinebargraph for Netload, Unicasts/Broadcastsdistribution:

This graphics represent the netload and the distribution of  unicasts (packets directed to one station), Multicasts and Broadcasts.
There are many possibilities for adjusting the graphics to your needs:

Additionally you can select to store these graphics within the web-pages written by NetControl.

All Online-Graphics are accessible directly via the speednavigation.

The menu item current address counters shows you the daily and monthly counters for all recognized addresses:

The headline shows the probe, which has gathered address related data. Depending on the probes addressmode, the grid will be show IP or MAC- addresses. In addition, you see, whether the mode was set to packet mode or byte mode.

With the filter box, you can choose if

should be shown.

Further you can selct wether the daily collected counters or the monthly counters should be displayed.

If the datarecodring is active, this list is actualized permanently in background. To actualize the display, use the "Update"-button.

An additional list for the Typfeld/Protokollstatistic is available for probes gathering MAC addresses and for IP-addressprobes a list for the activity of the IP-protocols and services.


You may resort the grid by clicking into the headline. The first click sorts the corresponding column ascending and the next click descending. So have a nice tool to see direct, which stations have sent most packets that day. This is possible in most of the NetControl grid displays.

Current Hitlists:

The hitlists of NetControl are very useful for directly identifying the most active stations, broadcasters, connections, etc. So it is easy to find the stations who hog the network most. Hitlists show the top 10 (or top-100 - if configured so) for different types of entries.


The menu entry HTML data brings up a submenu, from within you can start your browser:

(not available, with a "monitor"-license.)

This only works, when a browser is installed on your computer.


This menuentry opens the single probe configuration window.


(Can open automatically when data sampling is started; or: Menu: View -> Speed-Navigation.)

This little window enables direct access to the different NetControl data views.

The "spinedit"-field at the left side let you select the probe number whose data should be shown.

The button gives access to (from left to right):

  1. current measured network parameters (netload, packets/sec,...)
  2. online graphic for one networkparameter
  3. bargraph for netload with distríbution of unicsasts, broadcasts and multicasts,
  4. address related counters (number of received and sent packets, broadcasts,...)
  5. counters for all protocols (MAC-address-probes only)
  6. counters for IP-protocols and services (TCP- and UDP-ports) (IP-address-probes only)
  7. current hitlists (text-display only)
  8. HTML data: graphics for networkparameters (if graphics are enabled in the configuration menu)
  9. HTML data: networkparameters in list format
  10. HTML data: hitlists
  11. HTML data: alarm messages.

HTML-data is not available within a Monitor-licence.

Keyboard Commands:

(Call by: Help -> Keyboard Cmmands.)

These (yellow shown) keyboard commands allow direct access to many of the NetControl windows.

Graphic Menu:

(Call by: Graphics or Alt-G. Not available if you are using the "Monitor"-licence).

Images for any date can be created and viewed (button Start browser) at any time. You have to choose the appropriate date  first.

Saved data:

(Not available if you are using the "Monitor"-licence).

NetControl saves all data in HTML format and automatically generates all links for an easy and comfortable access to the WWW pages and therefore to the data.

If there is less than 10 MB free on the drive where the HTML data should be saved, NetControl writes an alarm-message into the error-log. If there is less than 3 MB free the data sampling will be stopped.

File types:

The following files can be generated on demand:

  1. a list with general network parameters,
  2. graphics for the general network parameters,
  3. a list with packet-length statistics,
  4. daily address related counters,
  5. daily counters for the used IP-protocols and services,
  6. daily protocol distribution  and
  7. logfiles with alarm messages.

General network parameters:

(Filename PS-ddmm.HTM ; ddmm - date)

NetControl saves (depending of the possibilities of the probe in use) the following network parameters:

All values are saved to a HTML file with one row per interval. One file per day will be written. Graphics to the parameters can be generated as well. They will be included in the HTML pages. (Filename: PS-ddmmG.HTM ; ddmm - date)

You can define a maximum value for every parameter (using the menu command Probes: Names&Alarms). In case of a transgression an alarm will be triggered.

Length statistics:

(Filename PL-ddmm.HTM ; ddmm - date)

NetControl distinguishes between the following packet lengths:

All values are relative to the number of received packets per second.

Station related values:

(Filename A--ddmm.HTM ; ddmm - date for the lists containing all addresses,

 Filename AK-ddmm.HTM ; ddmm - date for the lists containing only the known addresses and

 Filename AN-ddmm.HTM ; ddmm - date for the lists containing only the new addresses.)

For every station (identified by its IP or MAC address) the following values are saved per day:

If the dd part of the filename is represented by xx then it is not a file with daily but with monthly address counters.

Optional you can log the activities of every IP protocol and service separately while monitoring IP addresses. You can activate this in the configuration at Address mode or separately for every probe in the local menu accessible from all probe overviews.

IP-Protocol and Services counters:

(Filename IS-ddmm.HTM ; ddmm - date)

For each day all used IP-protocols and TCP-/UDP-services are listed with number and percentage of sent packets or bytes. Of course this is available only for the IP-address-probes.

Protocol counters:

(Filename TF-ddmm.HTM ; ddmm - date)

For each day all used protocols (identified by their Ethernet typefield) are listed with number and percentage of sent packets or bytes. (Internal MAC-address-probe and remote NetControl software probes only).

Directory structure of the HTML data files:

You can specify in the configuration the root path for the HTML files. NetControl uses yearly and monthly organized subdirectories \1999\ETH01 (January), \1999\ETH02 (February), \1999\ETH03 which will be created in that root directory.

Within the monthly directories are the subdirectories for the probes: PROBE001, PROBE002... and PROBE-IP for all probes analyzing IP-addresses and PROBEMAC for all probes gathering data for MAC-addresses.

NetControl saves all data with one file written for each day. Therefore the filename is unique.

Additionally NetControl rewrites the HTML page LASTUPD.HTM at the end of each interval, where only date and time of the last written pages and the last alarm message are saved.

Configuration Files:

Addresslists Vendorcodes IP-Protocols IP-Services IP-Nets and Subnets Ethernet Typefields / Protocols



NetControl can show symbolic names instead of IP- or MAC-addresses if addresslists are available. Example list will be written to the program subdirectory EXAMPL during installation.

For IP-addresses a standard HOSTS-list (from Windows- or UNIX-systems) can be used. The list of names for MAC-addresses is read from the textfile ADRESSEN.SDF. There is one line for each address, the first 12 characters specify the hexadecimal address (i.e. 0000FB123ABC), it follows a separating blank and the the symbolic name for that address (max. 15 characters).

Both textfiles, HOSTS and ADRESSEN.SDF, have to be in the directory specified in the configuration (default: NetControl program directory). You can view these lists with the menu commands File..IP-Adresslist and MAC-Addresslist.

Address lists can automatically be generated with the Address-Wizard.

NetControl will check for new addresslists every day automatically, so you don´t need to stop the program if you have newer addresslists. Simply copy them to the directory specified in the NetControl configuration.

These lists are used to distinguish known and new addresses. You can specify in the configuration of the daily to save address counter files, wether you want to save separate files for new and for known addresses.

List of board manufacturer codes (vendor codes):

Ethernet hardware addresses are 48 bits, expressed as 12 hexadecimal digits (0-9, plus A-F, capitalized). These 12 hex digits consist of the first/left 6 digits (which should match the vendor of the Ethernet interface within the station) and the last/right 6 digits which specify the interface serial number for that interface vendor.

These addresses are physical station addresses, not multicast nor broadcast, so the second hex digit (reading from the left) will be even, not odd.

For MAC addresses you can choose within the configuration if you want the first three bytes of the MAC address instead of the vendor code to be displayed (i.e. "RzK- 48 01 23" instead of "00 00 FB 48 01 23"). For this NetControl uses the textfile (file HERSTELL.SDF) which will be installed to the program directory.

You can adjust this list with any texteditor and control this list with the menu command File..list of manufacturers.

List of IP-Services:


For resolving IP service numbers (i.e. "Telnet" instead of 23) NetControl uses a textfile SERVICES) which will be installed to the program directory.

You can adjust this list with any texteditor and view this list with the menu command File..list of IP-Services.

You can use this list for restricting the amount of saved data by selecting Evaluation of: IP addresses and known IP services in the configuration. Only the IP services listed in SERVICES (text file) are evaluated for each IP-address. All other services are summarized to one entry. This should avoid too many address entries in the daily address counter lists.

List of IP-Protocols


For resolving IP protocol numbers (i.e. "ICMP" instead of 01 or "GRE" instead of 47) NetControl uses a textfile PROTOCOLS) which will be installed to the program directory.

You can adjust this list with any texteditor and view this list with the menu command File..list of IP-Services. The protocols are listed at the end of that list.

Additionally the address resolution protocol (ARP) is taken into consideration.

List of IP Nets and Subnets:


For displaying names for IP networks in the hitlists of the most active IP nets NetControl needs this list. Usually NetControl defines the length of the network part of the IP address automatically (class A, B or C nets). If you want to have special subnets of class A or B nets to be considered seperately in the hitlists, please specify these subnets in IP-NETS.SDF.

An example file IP-NETS.SDF is generated during NetControl installation. The file format is described within this file.

List of Ethernet Typefield Codes:


For resolving Ethernet Typefields (Byte 13 and 14 of each Packet) (i.e. "IP" instead of 0800) NetControl uses a textfile ETHTYPES) which will be installed to the program directory.

You can adjust this list with any texteditor and the view this list with the menu command File..list of Ethernet Typefields/Protocols.

All packets with an Ethernet Typefield below 1536 (600hex) are listed under 802.3 (Packetlength in Typefield).

For the internal MAC-Probe you can activate the appropriate statistics in the configuration under "Probes" --> "Internal Probes:" --> "Typefield/Protocolstatistics".

Automatic startup:

If you want to start NetControl automatically on system start up, you have to put a link to the autostart program group and specify the command line parameter GO for NetControl. (For direct starting the sampling of data.)

Known Problems:

Nearly no netload is measured, only a few addresses are watched. (Switched networks)
If the NetControl PC (or NetControl as remote probe) is attached to a switched network the switch isolates all the traffic except that for the PC itself. For being able to gather accounting informations you have to attach the NetControl PC to a port where all packets of interest are copied to.

There are three ways you can use NetControl with a switch:

  1. Some switches have a dedicated "network monitor" port which sees a copy of all traffic routed by the switch. This is known as "switch monitoring". You can install NetControl on a PC which is connected to this switch monitor port.
  2. Some switches can be programmed to route a copy of all traffic on one or more ports to another specific port. This is known as "port monitoring". You can install NetControl on the PC connected to that port.
  3. You can attach a hub between the switch and the server, and attach a PC to the hub. Install NetControl on the PC attached to the hub. This will allow you to see all traffic between the server and the switch.

Remember that a switch only passes traffic through the a port on the switch if a packet is specifically addressed to that machine, or the packet has a broadcast- or multicast-address. If you don't use one of the above methods, you will not be seeing all the packets that are present on your network.

Waiting period for closing the RzK NDIS Interface:

Especially the usage of 100MBit Ethernet cards with the DEC chipset may cause longer waiting periods when NetControl stops the datasampling process. The same happens, if you open the configuration menu for the first time or if you select such an Ethernet card in the configuration menu.

NetControl shows the message "Closing RzK NDIS Interface" in the main status bar.

This has no influence on the functioning of NetControl with these Ethernet cards.

Incompatibility with the Novell Client for Windows95/98:

Under Windows95/98/me you can´t activate the RzK NDIS Interface if a Novell Client is installed.

Incompatibility with Microsoft Terminal Services:

The RzK NDIS Network interface is not working under Microsoft terminal services. Please use products as VNC in this case.


Ethernet Frame:

Preamble 8 Byte
MAC-Destination-Address 6 Byte
MAC-Source-Address 6 Byte
Typefield 2 Byte
DATA variable
CRC-Errorrecognition 4 Byte


MAC-Addresses (or Hardware-Addresses) are world wide unique 6 Byte (48 Bit) long addresses for identification stations on the Ethernet. The first three bytes identify the manufacturer of the Ethernet board (vendor code). MAC-addresses usually are noted hexadecimal (i.e. 00 00 FB 48 56 56).

NetControl uses a list of vendor codes to show vendor names instead of the first three address bytes. (RFC-1340 - available via FTP) .


Each device in a TCP/IP network is identified by network wide unique, 32 bit long IP-address. IP-addresses usually are given as 4 decimal numbers separated by dots (i.e.

Each address consists of two parts. The first part is the network-address, and the last part is the host-address.


Ethernet is a CSMA/CD (Carrier Sense Multiple Access/ Collision Detect) system. It is possible to not sense carrier from a previous device and attempt to transmit anyway, or to have two devices attempt to transmit at the same time; in either case a collision results. Ethernet is particularly susceptible to performance loss from such problems when people ignore the "rules" for wiring Ethernet.

A collision is a condition where two devices detect that the network is idle and end up trying to send packets at exactly the same time. (within 1 round-trip delay) Since only one device can transmit at a time, both devices must back off and attempt to retransmit again.

The retransmission algorithm requires each device to wait a random amount of time, so the two are very likely to retry at different times, and thus the second one will sense that the network is busy and wait until the packet is finished. If the two devices retry at the same time (or almost the same time) they will collide again, etc.


IP-Routers are used for reaching stations in different IP-networks. They transfer the packets to the other network.


Broadcast-packets are sent to all stations in the network.

The MAC-destination address is FF-FF-FF-FF-FF FF (hex.).

The definition of IP-Broadcasts is not so easy. NetControl gives you the following possibilities, which IP-addresses should be counted as broadcasts.

Additionally you have to choose, if ARP packets should be counted as IP-broadcasts.

A high Broadcast-load is dangerous because all stations have to process these packets. For this it is important, to have an eye on broadcasting stations. This is very easy realized with the NetControl hitlists of most active broadcast senders.

Dangerous are so called broadcast storms. This describes a condition where devices on the network are generating traffic that by its nature causes the generation of even more traffic. The inevitable result is a huge degradation of performance or complete loss of the network as the devices continue to generate more and more traffic. This can be related to the physical transmission or to very high level protocols. There is a famous example of Banyan Vines bringing a huge network to its knees because of the addition of a single server, which brought the network to "critical mass" (this logic error has been corrected). NFS is famous for this type of failure.


Multicast-packets are sent to a group of stations.

The MAC-destination address has the first bit set, that mean sthe address starts with 01, 03, ..0D, 0F (hex.). IP-Multicasts are packets to IP-addresses, beginning with 224 to 239.

One sided connections:

One sided connections are pairs of stations where packets have been sent only in one direction. That means that during the measurement interval no response packet has been detected. This behaviour may be intentional (for example keep alive messages) but it may be dangerous if these connection cause a high traffic load.

You have control over this with the NetControl hitlists of one sided connection.


Transitions are measurable only with the RzK Hardwareprobe for 10 MBit Ethernet. (RzK Ethernet Box )

Transitions are detected directly by a special hardware. A Transition occurs, if the Ethernet-Controller-Chip detects a change of Carrier-Sense signal to busy.

Usually the number of transitions is equal to the number of received packets. If not there is probably a hardware error on the network.

Further Information:
For the latest news about our products and services, please visit our web site at

Software Licence Agreement:
RzK GmbH makes no warranties, either impressed or implied, with respect to this software, its quality, performance, merchantibility or fitness for any particular purposes. The entire risk is with the user. In the event of loss or damage caused or alleged by the NetControl program, the user (and not RzK GmbH, its distributers or its retailers) assumes the entire cost of all necessary servicing, repair or correction.

The program uses the WinPCap interface, Copyright (c) 1999 - 2004 NetGroup, Politecnico di Torino (Italy).

WinPCap Copyright Notice:


NetControl Index:

Addresscounters: Restrictions
Alarm with Hitlist copy
Alarm for unknown IP addresses
Automatic start of NetControl
CISCO Netflow Records
connections: one sided
Ethernet Frame
Graphics (for HTML data)
Graphics (online)
Onlinebargraph for Netload,Unicasts/Broadcastsdistribution: Graphic menu
MAC Address
Main menu
Manufacturer (vendor) codes: list of
Hitlists: configuration
Internal Probes
IP Address
IP-Services - daily lists
Path for data files
Probes: Hardware-/Software
Probes: Internal
Probes: Interval
Probes for CISCO Netflow Records
Probes: Names and Alarms
Probes: Maximal number of
Probes: Overviews
Probes: remote
Restricting the amount of stored addresses
Saved data
Services: List