BitTally: network monitoring for Windows
It's not a low-level packet sniffer, like those used mostly by network administrators, programmers, and other geek types. BitTally is for normal people (managers, parents, etc.) who want to know what is going on on their networks.
What it does:
- Collects detailed traffic statistics by user, network, application protocol (HTTP, BitTorrent, Skype, etc.), domain, domain category (Adult, Gambling, Media), and country.
- Allows the administrator to set up triggers to detect suspicious activities in real time (e.g. to identify P2P or e-mail abusers).
- Resets unwanted TCP connections and redirects HTTP (criteria: user, application protocol, network, domain, domain category, country, time of day, day of week, traffic volume, the number of inbound/outbound connections, etc.).
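The trigger mechanism described above can be illustrated with a small rule evaluator. This is an added example, not BitTally's own code or rule format: each rule carries filters (user, application protocol, time-of-day window) and thresholds (total bytes, number of connections), and is evaluated over per-connection records aggregated by user. The rule keys, the record layout and the sample records are all constructed for this example.

```python
"""Trigger rules evaluated over per-connection records (example code, not BitTally's).
Rule keys, record layout and sample data are constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, time

def in_window(ts, window):
    """True if the clock time of ts falls inside (start, end); handles windows past midnight."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end

def matches(rec, rule):
    """Filter part of a rule: every filter key present in the rule must match the record."""
    user, proto, ts, _, _ = rec
    if "protocol" in rule and proto != rule["protocol"]:
        return False
    if "user" in rule and user != rule["user"]:
        return False
    if "hours" in rule and not in_window(ts, rule["hours"]):
        return False
    return True

def evaluate(records, rules):
    """Aggregate the records each rule matches per user, then fire its thresholds.
    Returns one (rule name, user, metric, measured value) tuple per threshold exceeded."""
    alerts = []
    for rule in rules:
        volume = defaultdict(int)   # user -> bytes in + out over matching connections
        conns = defaultdict(int)    # user -> number of matching connections
        for rec in records:
            if matches(rec, rule):
                user, _, _, out_b, in_b = rec
                volume[user] += out_b + in_b
                conns[user] += 1
        for user in volume:
            if "bytes_over" in rule and volume[user] > rule["bytes_over"]:
                alerts.append((rule["name"], user, "bytes", volume[user]))
            if "connections_over" in rule and conns[user] > rule["connections_over"]:
                alerts.append((rule["name"], user, "connections", conns[user]))
    return alerts

# Constructed rules: any P2P use at all, an SMTP connection burst at night, and a
# per-user daily volume cap regardless of protocol.
RULES = [
    {"name": "p2p-use", "protocol": "BitTorrent", "bytes_over": 0},
    {"name": "night-mail-burst", "protocol": "SMTP",
     "hours": (time(21, 0), time(6, 0)), "connections_over": 20},
    {"name": "heavy-downloader", "bytes_over": 1_000_000_000},
]

def sample_records():
    """Constructed records: (user, protocol, start time, bytes out, bytes in)."""
    recs = [
        ("alice", "HTTP", datetime(2024, 3, 4, 9, 15), 12_000, 250_000),
        ("alice", "BitTorrent", datetime(2024, 3, 4, 9, 20), 900_000_000, 1_200_000_000),
        ("alice", "SMTP", datetime(2024, 3, 4, 10, 0), 4_000, 500),   # daytime mail, not in window
        ("carol", "HTTP", datetime(2024, 3, 4, 14, 0), 3_000, 40_000),
    ]
    # bob opens 25 outbound SMTP connections between 22:00 and 22:24
    for minute in range(25):
        recs.append(("bob", "SMTP", datetime(2024, 3, 4, 22, minute), 4_000, 500))
    return recs

def run_sample():
    return evaluate(sample_records(), RULES)

if __name__ == "__main__":
    for name, user, metric, value in run_sample():
        print(f"{name}: {user} {metric}={value}")
```

With the sample data three alerts fire: `p2p-use` for alice, `night-mail-burst` for bob (25 connections in the night window), and `heavy-downloader` for alice (about 2.1 GB across all her connections). carol's traffic triggers nothing.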
Like sniffers, BitTally must see all network traffic, so it must be connected to a hub, a mirror port of a switch, etc. In the simplest configuration BitTally may run on a single user's computer.
What makes BitTally different?
Stateful Traffic Analysis
BitTally keeps track of all active connections from beginning to end so every packet, byte, and bit can be tallied properly and attributed to a correct protocol, user, etc.
Deep Packet Inspection (DPI)
This means that application protocols are not recognized by port numbers or other shallow packet-level characteristics. That simply doesn't work with many protocols, and neither does simple pattern recognition (e.g. BitTorrent may look like HTTP, Skype like HTTPS, etc.).
BitTally recognizes application protocols by:
- Protocol-specific signatures
- Analysis of other connections (e.g. FTP control connection carries information about future data connections)
- Heuristic analysis of behavioral patterns, and finally, if everything else fails,
- Port numbers
User-aware network statistics
Traffic statistics are collected for users, networks, countries, etc. rather than for raw IP addresses. For this to work, you must tell BitTally how to map IP addresses to meaningful user IDs and network IDs. Explicit user mapping is optional; BitTally may be configured to use reverse DNS lookup or just raw IP addresses.
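The three ideas above (stateful tracking of each connection, layered protocol identification, and attributing the tallied bytes to a user rather than an IP address) fit together in one small tracker. The following is an added example, not BitTally's own code: it identifies a flow first by payload signature, then by what a related connection announced (an FTP `227` passive-mode reply names the endpoint of the coming data connection), and only at close time by port number; the heuristic layer mentioned above is omitted. The packet layout, the signatures, the IP-to-user map and the sample traffic are all constructed for this example.

```python
"""Connection tracking with layered protocol identification and per-user tallies
(example code, not BitTally's). Packet dicts, signatures and sample traffic are constructed."""
import re
from collections import defaultdict

WELL_KNOWN_PORTS = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
USER_MAP = {"10.0.0.5": "alice", "10.0.0.7": "bob"}   # explicit mapping; others use the raw IP
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def signature(payload, from_client):
    """Layer 1: protocol-specific signatures on a connection's first payload bytes."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "BitTorrent"
    if from_client and re.match(rb"(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n", payload):
        return "HTTP"
    if from_client and len(payload) > 5 and payload[:2] == b"\x16\x03" and payload[5] == 0x01:
        return "TLS"   # handshake record carrying a ClientHello
    if not from_client and payload.startswith(b"220 ") and b"FTP" in payload:
        return "FTP"
    return None

class Flow:
    def __init__(self, client, server):
        self.client, self.server = client, server   # (ip, port) tuples
        self.protocol, self.how = None, None        # label and the layer that produced it
        self.bytes_out = self.bytes_in = 0          # client->server, server->client

class Tracker:
    def __init__(self):
        self.flows = {}         # live connections keyed by the unordered endpoint pair
        self.expected = {}      # (server ip, port) -> protocol learned from a related connection
        self.tally = defaultdict(int)   # (user, protocol) -> bytes
        self.closed = []        # (server, protocol, how) for every closed flow

    def packet(self, pkt):
        key = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        flow = self.flows.get(key)
        if flow is None:   # first packet of a connection (the SYN) comes from the client
            flow = Flow((pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"]))
            self.flows[key] = flow
            learned = self.expected.pop(flow.server, None)   # layer 2: announced endpoint?
            if learned:
                flow.protocol, flow.how = learned, "related"
        from_client = (pkt["src"], pkt["sport"]) == flow.client
        payload = pkt.get("payload", b"")
        if from_client:
            flow.bytes_out += len(payload)
        else:
            flow.bytes_in += len(payload)
        if payload and flow.protocol is None:
            sig = signature(payload, from_client)
            if sig:
                flow.protocol, flow.how = sig, "signature"
        if flow.protocol == "FTP" and not from_client:   # learn passive data endpoints
            m = PASV_RE.search(payload)
            if m:
                ip = ".".join(m.group(i).decode() for i in range(1, 5))
                self.expected[(ip, int(m.group(5)) * 256 + int(m.group(6)))] = "FTP-DATA"
        if pkt.get("fin"):   # simplified: one FIN marker closes the connection
            self.close(key)

    def close(self, key):
        flow = self.flows.pop(key)
        if flow.protocol is None:   # layer 3: port numbers, only when all else failed
            flow.protocol, flow.how = WELL_KNOWN_PORTS.get(flow.server[1], "unknown"), "port"
        user = USER_MAP.get(flow.client[0], flow.client[0])   # raw-IP fallback
        self.tally[(user, flow.protocol)] += flow.bytes_out + flow.bytes_in
        self.closed.append((flow.server, flow.protocol, flow.how))

def sample_traffic():
    """Constructed packets: HTTP; BitTorrent on port 80; FTP control plus passive data; bare TLS port."""
    pkts = []
    def conn(client, server, exchanges):
        pkts.append({"src": client[0], "sport": client[1], "dst": server[0], "dport": server[1], "syn": True})
        for from_client, payload in exchanges:
            s, d = (client, server) if from_client else (server, client)
            pkts.append({"src": s[0], "sport": s[1], "dst": d[0], "dport": d[1], "payload": payload})
        pkts.append({"src": client[0], "sport": client[1], "dst": server[0], "dport": server[1], "fin": True})
    conn(("10.0.0.5", 50001), ("93.184.216.34", 80), [
        (True, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        (False, b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 1000)])
    conn(("10.0.0.5", 50002), ("203.0.113.9", 80), [   # port says HTTP, handshake says BitTorrent
        (True, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"h" * 20 + b"p" * 20),
        (False, b"\x13BitTorrent protocol" + b"\x00" * 48), (True, b"\x01" * 16384)])
    conn(("10.0.0.7", 50003), ("198.51.100.4", 21), [
        (False, b"220 Example FTP server ready\r\n"), (True, b"USER bob\r\n"),
        (False, b"331 Password required\r\n"), (True, b"PASV\r\n"),
        (False, b"227 Entering Passive Mode (198,51,100,4,195,80)\r\n")])
    conn(("10.0.0.7", 50004), ("198.51.100.4", 195 * 256 + 80), [(False, b"\x00" * 4096)])
    conn(("10.0.0.9", 50005), ("192.0.2.1", 443), [(True, b"\x00" * 100), (False, b"\x00" * 200)])
    return pkts

def run_sample():
    tracker = Tracker()
    for pkt in sample_traffic():
        tracker.packet(pkt)
    return tracker

if __name__ == "__main__":
    t = run_sample()
    for (user, proto), n in sorted(t.tally.items()):
        print(f"{user:10} {proto:10} {n} bytes")
```

Running it shows why the layers matter: the BitTorrent handshake on port 80 is tallied as BitTorrent rather than HTTP, the unlabelled high-port data connection is attributed to FTP-DATA because the control channel announced it, the unmapped host 10.0.0.9 appears under its raw address, and only the opaque traffic to port 443 is left to the port-number fallback.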
BitTally consists of two components: Monitor and Client.
- Monitor collects traffic statistics, detects suspicious activities, resets undesirable TCP connections, and generates reports. It has no GUI and runs as a Windows service.
- Client (coming soon) is a GUI application that controls Monitor. It may be installed on any computer (local or remote) and is used by administrators to configure Monitor, generate traffic reports, and watch real-time traffic information.
In addition to the GUI client, any web browser may be used to control the monitor. In this case no setup whatsoever is required on client machines.
With BitTally Standard Edition you can easily create your own custom applications to import traffic data into a database of your own, periodically reconfigure Monitor's IP-to-user mapping using data obtained from your DHCP or RADIUS server, and so on.