Spector CNE Administrator's Guide
Configure the flexible Network Activity Recording options from:
Client Deployment Utility - Pre-configure the recording options in the Client installation file.
Control Center > Configure Computer View > Client Settings - Select individual Network Activity options to enable or disable.
Configure Computers View > Client Properties > Configure - Enable or disable individual recording tools.
Capture Network Connections - Select the check box to enable recording and clear the check box to disable all recording.
Programs - Specify which programs to include in or exclude from recording.
IP:Ports - Include or exclude network addresses and IP:Ports for recording network connections.
Advanced Flush after __ Minutes of Inactivity - To reduce the number of recorded events generated by network connection activity, the Client does not record an additional event when the same program makes subsequent connections to the same network address and network port within a specific period of time. Once the Inactivity time has passed without a new network connection being established, the Client records that network connection event with a count of the number of connections made to the same network address and port. Use this option to adjust the network Inactivity time. Reducing the time causes more events to be recorded.
To control the amount of network connection activity recorded, you can filter by including or excluding what programs and network addresses are to be recorded. By default, only Internet connections are recorded. Connections to resources on the local network are NOT recorded.
Exclude - Using the Exclude option will not capture those programs listed - all other programs will be recorded.
If a specific application generates many network connection events and you no longer need to record them, add the program to this filter as an exclusion.
Example: You decide that the Spector Web Site Visited recording tool already records all activity for Internet Explorer, so recording the network connections for Internet Explorer is unnecessary. Add Internet Explorer as a program exclusion to greatly reduce the number of network connection events recorded by the Client.
Include - Using the Include option will only capture those programs listed - all other programs will NOT be recorded.
After clicking Add, you can either use the Browse button to find the application file executable (Microsoft Internet Explorer = Iexplore.exe), or you can run the application on the computer you are configuring from and then select the application from the list of programs provided. The correct program file name will be added for any applications in the list. The folder path of the file name is NOT necessary.
Specify which IP addresses and ports to include or exclude for recording. For example, port 25 is almost always used for SMTP email and port 80 is almost always used for the web.
IP:Port filter - Include or exclude specific IP addresses or ports.
Local Connection Excluded - The network IP address of the local Client computer is always excluded - IP address:port 0.*.*.*:* and 127.*.*.*:*. This means that network connections from the local computer to itself will not be recorded.
Example: If you only wanted to capture web traffic, you could include any IP address and port 80 (*.*.*.*:80). If you did not want your local network to be recorded, you could exclude your local network address range (192.168.*.*:*).
Note: By default, Spector excludes the common network address ranges used for local networks. These are 10.*.*.*:*, 169.254.*.*:*, and 192.168.*.*:*. If you decide to remove these exclusions and record network connection activity on your local network, a large number of network connection events will be recorded.
When a network connection event is recorded, all the connections to the same network address, within the same program, are recorded in a single event as long as each connection in the sequence took place before the Inactivity period elapsed. This reduces the number of recorded network connection events for programs that may make a large number of connections in a short period of time. The recorded event shows a count of the number of network connections made in a specific time frame.
Example: If you browse CNN in the morning for 5 minutes and again at lunch for 15 minutes, this activity would be recorded as two network connections to cnn.com (inactivity detected between morning and lunch). If you were browsing CNN in the morning and continued to browse on the cnn.com site continuously until lunch, then the network connection activity would be recorded as a single event with many connections (no inactivity detected).
The Inactivity setting is the number of minutes that must pass between network connections before an event is recorded. When the Inactivity time has expired without a subsequent connection to the same address, the event is recorded. The default Inactivity time is 10 minutes. Reducing the Inactivity time will cause more network connection events to be recorded.
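The following added example (not Spector code, and not taken from the product) models the IP:Port filter and the Inactivity grouping described above, so you can estimate how a given setting changes the number of recorded events. The octet-wise wildcard matching, the rule that exclusions take precedence over an include list, the "gap of at least N minutes closes an event" boundary, and all function names and sample connections are assumptions made for illustration.

```python
# Added example: a model of the guide's filter and Inactivity rules, not Spector code.
DEFAULT_EXCLUDES = ["0.*.*.*:*", "127.*.*.*:*",                      # local computer
                    "10.*.*.*:*", "169.254.*.*:*", "192.168.*.*:*"]  # local networks

def matches(pattern, ip, port):
    """Assumed semantics: each octet and the port is a literal or '*'."""
    pat_ip, pat_port = pattern.rsplit(":", 1)
    pat_octets, octets = pat_ip.split("."), ip.split(".")
    if len(pat_octets) != 4 or len(octets) != 4:
        return False
    ip_ok = all(p in ("*", o) for p, o in zip(pat_octets, octets))
    return ip_ok and pat_port in ("*", str(port))

def is_recorded(ip, port, excludes=DEFAULT_EXCLUDES, includes=None):
    """Exclusions win; an include list (if given) restricts what remains."""
    if any(matches(p, ip, port) for p in excludes):
        return False
    return includes is None or any(matches(p, ip, port) for p in includes)

def coalesce(connections, inactivity_min=10, **filters):
    """connections: time-sorted (minute, program, ip, port) tuples.
    Returns events as dicts with key, first, last and count."""
    open_events, events = {}, []
    for minute, program, ip, port in connections:
        if not is_recorded(ip, port, **filters):
            continue
        key = (program.lower(), ip, port)
        ev = open_events.get(key)
        # Assumption: a gap of at least inactivity_min closes the open event.
        if ev is not None and minute - ev["last"] >= inactivity_min:
            events.append(open_events.pop(key))
            ev = None
        if ev is None:
            ev = open_events[key] = {"key": key, "first": minute, "last": minute, "count": 0}
        ev["last"] = minute
        ev["count"] += 1
    events.extend(open_events.values())   # flush whatever is still open
    return sorted(events, key=lambda e: e["first"])

# Constructed sample: minutes since midnight; 203.0.113.10 is a documentation address.
WEB = ("iexplore.exe", "203.0.113.10", 80)
SAMPLE = [(m, *WEB) for m in (540, 542, 544)]            # morning browsing
SAMPLE += [(545, "iexplore.exe", "192.168.1.20", 445)]   # local network, excluded by default
SAMPLE += [(m, *WEB) for m in (720, 725, 730, 735)]      # lunch browsing

if __name__ == "__main__":
    for minutes in (10, 3, 200):
        print(minutes, [e["count"] for e in coalesce(SAMPLE, minutes)])
```

With the constructed sample, the default 10 minutes yields two events, 3 minutes yields five, and 200 minutes merges everything into one; passing `excludes=[]` shows the extra volume that comes from recording local network connections.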