NWatch Network Monitor |
---|
NWatch is a sniffer but can be conceptualized as a "passive port scanner", in that it is only interested in IP traffic and it organizes results as a port scanner would. Output is in standard nmap machine-readable format, allowing you to use NDiff and other tools on the data as you would an ordinary nmap run. It is useful both as an individual security tool in your arsenal and as a sanity check for nmap or other port scanners. Owing to its design, NWatch will catch ports that are opened only transiently, something which a port scanner would likely miss.
NWatch is known to work on Linux/x86. I have not yet considered portability, but it may work on other architectures as well.
NWatch requires perl 5.005_03, NDiff-0.05beta2 or later, the Net::Pcap module and libpcap. Familiarity with NDiff, nmap, and installing perl modules is also very helpful. Root access to the installation host is also required.
Status |
---|
This release introduces true stateful inspection of packets. NWatch now properly detects closed UDP ports, as well as filtered TCP ports. The state machine design is still evolving: NWatch can be fooled by deliberate spoofing, and also by certain specific everyday cases. Please email me if you notice questionable results with NWatch.
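The following is an added example, not NWatch's own code: a simplified Python model of passive, stateful port inference as described above, covering transient open ports, closed UDP ports and filtered TCP ports. The event tuples, the function names and the empty service fields in the nmap-style output line are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample traffic: (proto, kind, src, sport, dst, dport).
# For ICMP, sport/dport are taken from the UDP header quoted in the error.
EVENTS = [
    ("tcp", "SYN", "10.0.0.9", 40001, "10.0.0.5", 22),
    ("tcp", "SYNACK", "10.0.0.5", 22, "10.0.0.9", 40001),
    ("tcp", "SYN", "10.0.0.9", 40002, "10.0.0.5", 23),
    ("tcp", "RST", "10.0.0.5", 23, "10.0.0.9", 40002),
    ("tcp", "SYN", "10.0.0.9", 40003, "10.0.0.5", 8080),      # never answered
    ("udp", "DATA", "10.0.0.9", 40004, "10.0.0.5", 161),
    ("icmp", "PORT_UNREACH", "10.0.0.5", 161, "10.0.0.9", 40004),
    ("udp", "DATA", "10.0.0.9", 40005, "10.0.0.5", 53),
    ("udp", "DATA", "10.0.0.5", 53, "10.0.0.9", 40005),
    ("tcp", "SYN", "10.0.0.9", 40006, "10.0.0.5", 2222),      # transient service
    ("tcp", "SYNACK", "10.0.0.5", 2222, "10.0.0.9", 40006),
    ("tcp", "SYN", "10.0.0.9", 40007, "10.0.0.5", 2222),      # gone again later
    ("tcp", "RST", "10.0.0.5", 2222, "10.0.0.9", 40007),
    ("tcp", "SYNACK", "10.0.0.5", 443, "10.0.0.9", 40009),    # no request seen
]

def infer_states(events):
    """Map (host, port, proto) -> state using only observed traffic."""
    pending = {}  # (client, cport, server, port) -> proto, requests awaiting a reply
    states = {}
    for proto, kind, src, sport, dst, dport in events:
        answered = (dst, dport, src, sport)  # the flow this packet would answer
        if answered in pending:
            svc = (src, sport, pending.pop(answered))
            if kind in ("SYNACK", "DATA"):
                states[svc] = "open"         # sticky: keeps transient ports
            elif states.get(svc) != "open":
                states[svc] = "closed"       # RST or ICMP port unreachable
        elif kind in ("SYN", "DATA"):
            pending[(src, sport, dst, dport)] = proto
        # Replies with no matching request are ignored. Matching on the flow
        # alone does not stop a spoofer who forges both directions.
    for (_, _, server, port), proto in pending.items():
        if proto == "tcp":                   # SYN that was never answered
            states.setdefault((server, port, proto), "filtered")
    return states

def to_machine_lines(states):
    """Render one nmap-style machine-readable line per host."""
    by_host = defaultdict(list)
    for (host, port, proto), state in sorted(states.items()):
        by_host[host].append(f"{port}/{state}/{proto}/////")
    return [f"Host: {h} ()\tPorts: {', '.join(p)}" for h, p in by_host.items()]

if __name__ == "__main__":
    print("\n".join(to_machine_lines(infer_states(EVENTS))))
```

Unanswered UDP requests are deliberately left unreported in this model, since silence alone does not distinguish an open UDP port from a filtered one.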
Download NWatch |
---|
See the included file INSTALL for installation instructions. See the NWatch_Quickstart manpage for usage instructions.
NWatch is released under the GPL. See the file COPYING included with this distribution for terms and conditions for use of this software.
Documentation |
---|
Help! |
---|
I am available for more in-depth support through my consulting company. If you need help integrating NWatch and other security tools into your environment, custom programming, etc., please contact me for details.
Feedback |
---|
Please send questions, comments, requests, patches, bug reports ... jdl@vinecorp.com