README.TXT for IP-MON Version 1.0.0
===================================

Introduction
------------

This is the quick start guide to using the IP-MON Ethernet packet monitor for DOS. This program is still under development and is released for EVALUATION purposes only. This file describes the current state of functionality of the product and gives information about limitations and known bugs.

IP-MON (ETHERMON.EXE) may be passed on to others without the express permission of the author, Steve Gailey; it may not, however, be modified or combined with other products. The software and documentation remain the property of Steve Gailey; only their use is licensed.

System Requirements
-------------------

A 286 machine or above, with 256K of memory available after DOS is loaded.
DOS versions 3.31 and above are supported.
MDA, CGA, EGA or VGA graphics adapter.
Clarkson Packet Driver for a supported Network Interface Card, conforming to specification version 1.07 or above.

N.B. MDA (Mono) support is not completed.

Installation
------------

IP-MON is for use with Clarkson Packet Drivers, release 1.07 or above. Drivers from earlier releases may function but are likely to be unreliable. The packet driver must be installed first, with exclusive use of the network adapter. The packet driver must also be set to use a software IRQ between 0x65 and 0x74 (inclusive).

After loading the driver, run ETHERMON.EXE, which is the main monitor program. If the program is unable to establish communications with the packet driver, a message to this effect is displayed and the program terminates. If the program cannot allocate the buffer pool, a message to that effect is displayed.

Running IP-MON
--------------

The monitor program displays a message when it is first loaded, showing serial number information, and then waits for a key to be pressed before continuing. IP-MON then attempts to load three files: SERVICES, HOSTS and ETHERNET.NIC.
The program will not complain if these files are not present or are not in the correct format. The format and use of these files is explained in the Customising section below.

A clock is displayed on the right of the bottom margin, as confidence that the program is running.

The default mode is detection of TCP/IP traffic. Other modes are Novell IPX/SPX and Raw Ethernet. The mode is selected from the OPTIONS menu, which is called up by pressing a key. No Ethernet monitoring takes place while the menus are displayed. The space bar can be used to pause the display.

When in IP/TCP mode, filtering can be enabled from the main menu. There are four filter modes:

Conversation mode, which monitors traffic between the source and destination machines;
Dual mode, which monitors traffic to or from either the source or the destination machine;
Source mode, which shows only traffic to the source machine;
Destination mode, which shows only traffic to the destination machine.

The machines are selected by entering their IP addresses in the appropriate edit boxes.

Time stamping can be enabled from the OPTIONS menu and prepends the time to all displayed data, in any mode.

Multi-Line display, enabled from the OPTIONS menu, displays additional information about level 3 protocols such as telnet and ftp. This includes option negotiation and parameter passing.

On busy networks it is advisable to enable filtering, to prevent the information racing up the display.

File logging can be selected from the file menu. As disk access is very slow, if this option is required it is advised that IP-MON be run from a RAM disk. The output sent to the disk file IPMON.LOG is the same as the screen output, but it is not limited to an 80-column display.
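The four filter modes described above, applied to the source and destination addresses taken from each IPv4 frame. This is an added example written for this README, not IP-MON's own code: the Ethernet II + IPv4 frame layout, the placeholder MAC addresses and the sample 192.168.1.x traffic are all constructed, and Source mode follows the README's wording literally (traffic to the source machine).

```python
import struct
from ipaddress import IPv4Address

def filter_matches(mode, source, dest, pkt_src, pkt_dst):
    """True if a packet pkt_src -> pkt_dst passes the chosen IP-MON filter mode.
    source/dest are the two addresses typed into the filter's edit boxes."""
    source, dest, pkt_src, pkt_dst = map(IPv4Address, (source, dest, pkt_src, pkt_dst))
    if mode == "conversation":      # traffic between the two machines, either way
        return {pkt_src, pkt_dst} == {source, dest}
    if mode == "dual":              # traffic to or from either machine
        return bool({pkt_src, pkt_dst} & {source, dest})
    if mode == "source":            # traffic to the source machine (README wording)
        return pkt_dst == source
    if mode == "destination":       # traffic to the destination machine
        return pkt_dst == dest
    raise ValueError(f"unknown filter mode {mode!r}")

def ip_endpoints(frame):
    """(src, dst) strings from an Ethernet II frame carrying IPv4; None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                 # not IP at all: IP/TCP mode ignores it
    return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))

def build_frame(src, dst, proto, payload=b""):
    """Constructed Ethernet II + IPv4 frame; MACs and IP checksum are placeholders."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload

def shown(mode, source, dest, frames):
    """Indices of the frames the monitor would display under the given filter."""
    hits = []
    for i, frame in enumerate(frames):
        ends = ip_endpoints(frame)
        if ends and filter_matches(mode, source, dest, *ends):
            hits.append(i)
    return hits

# Constructed traffic: a ping from .10 to .20 and its reply, then a UDP packet
# between two other hosts.  Source mode with source=.10 keeps only the reply,
# which is the trick the Bugs section suggests for catching fast ICMP echoes.
ECHO_REQ = build_frame("192.168.1.10", "192.168.1.20", 1, bytes([8, 0, 0, 0]))
ECHO_REP = build_frame("192.168.1.20", "192.168.1.10", 1, bytes([0, 0, 0, 0]))
OTHER = build_frame("192.168.1.30", "192.168.1.40", 17, bytes(8))
CAPTURE = [ECHO_REQ, ECHO_REP, OTHER]
```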
Understanding the screen display
--------------------------------

ETHERNET mode

The source and destination Ethernet addresses are shown, with the maker of the network interface (if known) in brackets. The protocol, or frame type, is also shown.

IP/TCP mode

The source and destination IP addresses are shown, or the hostnames if found in the HOSTS file. The 2nd level protocol, such as TCP, ICMP or UDP, is shown. If the protocol is ICMP, the type of ICMP message is displayed. If the protocol is UDP, the source and destination ports are shown, as port numbers or as service names if the port is found in the SERVICES file. If the protocol is TCP, the same information as for UDP is displayed, together with the sequence and acknowledgement numbers and the flags. If the 3rd level protocol is recognised and Multi-Line display is enabled, a second line is displayed for this protocol. Currently known protocols are telnet and ftp.

IPX/SPX mode

This mode is not yet completed, but will show information about source and destination node and network, and sequence and socket numbers for SPX, etc.

Customising for your network (SERVICES, HOSTS and ETHERNET.NIC)
---------------------------------------------------------------

The HOSTS file has the same format as /etc/hosts: it contains IP addresses and host names separated by white space, one entry per line. Unlike /etc/hosts, HOSTS must not contain blank lines or comments. If you wish to have host names displayed rather than IP addresses, modify HOSTS for your network. You can also enter Broadcast as the hostname for your IP broadcast addresses. If a hostname is not found, or the HOSTS file is not loaded, IP addresses are displayed instead.

The SERVICES file has the same format as /etc/services, with the same limitations as HOSTS. Service names are displayed instead of UDP/TCP port numbers if the port is found in the SERVICES file.
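An added example (not IP-MON's code) of how the IP/TCP-mode line described above is assembled from a raw IPv4 packet, with HOSTS and SERVICES read from text in the format just described (one entry per line, no blank lines or comments). The HOSTS_TXT and SERVICES_TXT contents, the sample packets and the exact layout of the rendered line are assumptions; IP-MON's real screen format may differ.

```python
import struct
from ipaddress import IPv4Address
# Constructed HOSTS/SERVICES text in the README's format: one entry per line, no blanks or comments.
HOSTS_TXT = "192.168.1.10 alpha\n192.168.1.20 beta\n192.168.1.255 Broadcast\n"
SERVICES_TXT = "ftp 21/tcp\ntelnet 23/tcp\ndomain 53/udp\n"

def load_hosts(text):
    """IP -> hostname; every line must carry an address and a name."""
    return {IPv4Address(a): n for a, n in (ln.split(None, 1) for ln in text.splitlines())}

def load_services(text):
    """(port, proto) -> service name, from 'name port/proto' lines."""
    svc = {}
    for name, portproto in (ln.split(None, 1) for ln in text.splitlines()):
        port, proto = portproto.strip().split("/")
        svc[(int(port), proto.lower())] = name
    return svc

ICMP_TYPES = {0: "Echo Reply", 3: "Dest Unreachable", 8: "Echo Request"}
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # flag bits 0 .. 5

def display_line(ip_packet, hosts, services):
    """Render one IP/TCP-mode line from a raw IPv4 packet (no Ethernet header)."""
    ihl, proto = (ip_packet[0] & 0x0F) * 4, ip_packet[9]
    src, dst = IPv4Address(ip_packet[12:16]), IPv4Address(ip_packet[16:20])
    head = f"{hosts.get(src, str(src))} -> {hosts.get(dst, str(dst))}"
    body = ip_packet[ihl:]
    if proto == 1:                                   # ICMP: show the message type
        return f"{head} ICMP {ICMP_TYPES.get(body[0], 'type %d' % body[0])}"
    if proto not in (6, 17):
        return f"{head} proto {proto}"
    pname = "TCP" if proto == 6 else "UDP"
    sport, dport = struct.unpack("!HH", body[:4])
    ports = [services.get((p, pname.lower()), str(p)) for p in (sport, dport)]
    line = f"{head} {pname} {ports[0]} -> {ports[1]}"
    if proto == 6:                                   # TCP adds seq/ack and the flags
        seq, ack, offflags = struct.unpack("!IIH", body[4:14])
        flags = " ".join(f for i, f in enumerate(TCP_FLAGS) if offflags & (1 << i))
        line += f" seq={seq} ack={ack} [{flags}]"
    return line

def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet with a plain 20-byte header (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

# Constructed samples: alpha opens telnet (SYN) to beta; beta's DNS reply to alpha.
SYN = build_ipv4("192.168.1.10", "192.168.1.20", 6,
                 struct.pack("!HHIIHHHH", 1025, 23, 1000, 0, (5 << 12) | 0x02, 8192, 0, 0))
DNS = build_ipv4("192.168.1.20", "192.168.1.10", 17,
                 struct.pack("!HHHH", 53, 1026, 20, 0) + b"\0" * 12)
```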
The ETHERNET.NIC file is used in Raw Ethernet mode and is a list of Ethernet addresses and the makers of those interfaces. This file can be added to and modified; the format is self-explanatory.

Bugs, Limitations and Caveats
-----------------------------

A maximum of 55 hosts can be in the HOSTS file; more may crash IP-MON. The SERVICES file is limited to 95 UDP services and 95 TCP services, each of which can have a maximum of 18 characters. The ETHERNET.NIC file is limited to 115 entries, each of which can be up to 18 characters long.

Most PC Network Interface Controllers currently available are rather limited in their ability to respond to back-to-back packets. In addition, IP-MON itself requires a finite time to process and display the information provided by the card through the packet driver. As a result, fast packet replies such as ICMP Echo replies may be missed. To get around this limitation, if you really want to see ICMP Echo replies, set the filter mode to Source and enter the source machine's IP address.

Other bugs should be reported to Steve Gailey on (+44) 628 776254 (0628 776254) in the UK.

Registration
------------

IP-MON is free software. It may not work, or it may even destroy all the computer systems you own, or anything else for that matter, so don't complain to me if it does.

Technical Support
-----------------

If you have anything to say on this subject, phone me, write to me, or e-mail me at:

sgailey@cix.compulink.co.uk or steveg@bytech.demon.co.uk