Notes on MACMON:

MACMON is a program to monitor an ethernet network and report when various
computers go on and offline - it also logs DNS lookups so that you can see
what sites they have been accessing. It can also generate an audible alarm
when certain machines are active outside of preset curfew times, or access
sites containing defined "objectionable" strings in the hostname.

If you are concerned about your children's computer and internet usage,
MACMON can turn an old DOS PC into a powerful tool to track and inform
you of their activity.

Unlike some other network monitors, MACMON uses the 'MAC' address, which is
the permanent hardware address of the ethernet interface in the PC. Many
other monitors use 'IP' addresses, which are dynamically assigned in many
networks, and can change with time, or be easily altered by the computer
users, circumventing monitoring.

MACMON uses a DOS-standard "crynwar" packet driver for the network
interface. Crynwar packet drivers are available for many network cards.
See www.crynwar.com (many network cards from the DOS era included Crynwar
compatible packet drivers with the install package).

Use: MM [config_file]

By default, MACMON writes a daily log file called 'yymmdd.LOG' to the current
directory. You can change this with the "#log" command in the configuration
file. You can examine the log files with any text editor/viewer.

MACMON loads definitions for known network devices and a few other operating
parameters from a configuration file called MM.MAC - see the sample MM.MAC
included with this package for details of the various settings (it's a text
file).

When operating, MACMON shows network activity on the main screen, and a
status bar at the bottom showing the active curfew alarms (Red=active,
Green=disabled). You can press the following keys:

   F1 = Toggle curfew 1 Off/On
   F2 = Toggle curfew 2 Off/On
   F3 = Toggle curfew 3 Off/On
   F4 = Toggle curfew alarm On/Off
   F5 = Toggle DNS alarm On/Off

Note that an alarm sounds for a preset period after the event triggering it.
You can use the F4/F5 keys to quiet an alarm immediately (or to sound it
for testing purposes). Keys F1-F3 are used to enable/disable a specific
curfew (for example, if your son needs to use his PC late one evening for
homework).
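The following is an added illustration of the activity and alarm logic described above; it is not MACMON's own code, and it does not use MM.MAC's real syntax. It identifies the sender of a raw Ethernet frame by source MAC (not IP), checks that device's curfew window against a clock time, and, for UDP packets to port 53, extracts the DNS question name and matches it against "objectionable" substrings. Every MAC, device name, curfew window, substring and sample frame is constructed for the example.

```python
"""MAC-keyed activity and DNS monitor in the spirit of MACMON.

Added illustration written for these notes, not MACMON's own code.
Every MAC, device name, curfew window and sample frame is constructed.
"""
import struct
from typing import Optional

def hm(clock: str) -> int:
    """'23:30' -> minutes since midnight."""
    h, m = clock.split(":")
    return int(h) * 60 + int(m)

# Constructed device table (MM.MAC's real syntax is not reproduced here).
# curfew = (start, end) clock times; the window may wrap past midnight.
DEVICES = {
    "00:11:22:33:44:55": {"name": "kids-pc", "curfew": ("22:00", "07:00")},
    "66:77:88:99:aa:bb": {"name": "office-pc", "curfew": None},
}
OBJECTIONABLE = ("casino", "gambling")   # constructed substrings

def in_curfew(clock: str, window: Optional[tuple]) -> bool:
    """True when `clock` falls inside the device's curfew window."""
    if window is None:
        return False
    now, start, end = hm(clock), hm(window[0]), hm(window[1])
    if start <= end:
        return start <= now < end
    return now >= start or now < end     # window wraps past midnight

def dns_question_name(msg: bytes) -> Optional[str]:
    """First question name of a DNS message, or None if absent/malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:                 # compression pointers never start a question
            return None
        pos += 1
        if pos + length > len(msg):
            return None
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None                           # ran off the end without a terminator

def process_frame(frame: bytes, clock: str) -> dict:
    """Classify one Ethernet frame: who sent it, curfew state, DNS name if any."""
    if len(frame) < 14:
        return {"error": "short frame"}
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    dev = DEVICES.get(src, {"name": "unknown", "curfew": None})
    result = {"mac": src, "device": dev["name"],
              "curfew_alarm": in_curfew(clock, dev["curfew"]),
              "dns": None, "dns_alarm": False}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # IPv4 only
        return result
    ip = frame[14:]
    if len(ip) < 20:
        return result
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto != 17 or len(ip) < ihl + 8:                 # need a UDP header
        return result
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != 53:
        return result
    qname = dns_question_name(udp[8:])
    if qname:
        result["dns"] = qname
        result["dns_alarm"] = any(s in qname.lower() for s in OBJECTIONABLE)
    return result

def build_dns_frame(src_mac: str, qname: str) -> bytes:
    """Construct an Ethernet/IPv4/UDP frame carrying a DNS A query (sample input)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 20]), bytes([192, 168, 1, 1])) + udp
    eth = (bytes.fromhex("0c0c0c0c0c0c") +                 # constructed router MAC
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip

if __name__ == "__main__":
    sample = build_dns_frame("00:11:22:33:44:55", "www.casino-example.test")
    print(process_frame(sample, "23:30"))
```

Run it directly and it classifies one constructed frame from the "kids-pc" MAC at 23:30: the curfew alarm fires because the window wraps past midnight, and the DNS alarm fires on the hostname. The device lookup is keyed on the source MAC only, which is the page's point about IP addresses being unreliable as an identity.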

Misc notes:
-----------

MACMON reverses the ordering of DNS lookups so that site names are shown in
the "expected" order ... this means that lookups for an IP address are shown
reversed ... this is a rare enough event that I never bothered to detect and
change it.
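As an added example (not MACMON's code) of the detection step the author skipped: reverse lookups for an address arrive as a name under in-addr.arpa (or ip6.arpa for IPv6), with the address components in reversed order on the wire. The function below takes a query name in wire order, recognises these names, and renders the address the normal way round, so a log line can show "PTR 1.2.3.4" instead of a backwards name. MACMON's own internal label ordering is not described in these notes, so only the recognition step is modelled; the sample names are constructed.

```python
"""Recognise reverse-lookup (PTR) names and render them as addresses.

Added illustration for the MACMON notes, not MACMON's own code.
Input names are assumed to be in wire (on-the-network) label order.
"""
import ipaddress
from typing import Optional

def ptr_to_address(qname: str) -> Optional[str]:
    """Address encoded in an in-addr.arpa / ip6.arpa name, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]            # wire order is least-significant first
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            return None                       # partial or malformed reverse name
        return str(ipaddress.IPv4Address(".".join(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2][::-1]           # one hex digit per label
        if len(nibbles) != 32 or not all(len(n) == 1 and n in "0123456789abcdef"
                                          for n in nibbles):
            return None
        hexstr = "".join(nibbles)
        groups = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return str(ipaddress.IPv6Address(groups))
    return None                               # an ordinary forward lookup

def log_form(qname: str) -> str:
    """What to write in the log: the hostname, or 'PTR <address>'."""
    addr = ptr_to_address(qname)
    return f"PTR {addr}" if addr else qname

if __name__ == "__main__":
    for name in ("www.example.test", "4.3.2.1.in-addr.arpa",
                 "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"):
        print(f"{name} -> {log_form(name)}")
```

Malformed or partial reverse names (fewer than four octets, non-numeric labels) fall through and are logged verbatim rather than being turned into a wrong address.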

MACMON switches the network card into "promiscuous" mode, which means that it
can see all traffic on the network - this is necessary to detect non-broadcast
PC traffic and properly detect activity of various devices on the network.

- Unfortunately, most modern "switches" will route unicast traffic directly
to its destination, which means it never occurs on MACMON's interface. For
best results, use a HUB instead of a switch, which will allow MACMON to see
all of the network traffic.

- Fortunately, Windows and most other PC operating systems babble enough
broadcast and multicast packets that MACMON can still perform basic activity
detection even if seeing the network through a switch - but DNS lookups (which
are directed to the router) will not be seen.

My setup is as follows:
  Router (with integrated switch) in office with internet connection,
  connected to an ethernet HUB in the basement, to which the MACMON PC
  as well as my children's PCs are connected.
  An old wireless router, configured as an access point (router/wan port
  not used) is also connected to this hub, providing wireless access to
  the main floor of the house.

This basically causes all network traffic except for my own to travel through
the hub where MACMON can see it.

You can also run MACMON with two network interfaces, and have it bridge
traffic between them (see commands in MM.MAC) - by routing the traffic through
the MACMON PC, you not only ensure that it will see all traffic, but you also
give it the ability to selectively block traffic when curfew and DNS
violations occur. You could use a setup such as:
  Router in secured location which has internet connection connected to
  the bridge network port of MACMON.
  "Public" switch/access point connected to the primary network of
  MACMON as well as all monitored devices.


REMOTE CONTROL
--------------
The MMCTL utility allows you to send a remote control command to MACMON;
commands will only be accepted from MAC addresses configured with the 'C'
flag (see comments in MM.MAC).

Currently there are only two remote control commands defined:

   CLEAR - Clear Curfew and DNS alarms immediately
   STOP  - Shutdown MACMON (exits with DOS exit code 100)

I use the "STOP" function in conjunction with my DDLINK utility to be able
to retrieve the log files remotely. I run MACMON from a DOS "batch" file
which looks like:
--------------------------
@echo OFF
:cap
mm
if errorlevel 100 goto net
goto quit
:net
ddlink p= /s!
if errorlevel 100 goto cap
:quit
--------------------------
If I send the "STOP" command to MACMON, it exits with code 100 - this causes
it to launch DDLINK as a server - I then run DDLINK on my PC and retrieve
the log files. The '!' tells DDLINK to exit (also with code 100) when the
session terminates - this restarts MACMON.

