Notes on MACMON:

MACMON is a program to monitor an ethernet network and report when various
computers go on and offline - it also logs DNS lookups so that you can see
what sites they have been accessing. It can also generate an audible alarm
when certain machines are active outside of preset curfew times.

If you are concerned about your children's computer and internet usage,
MACMON can turn an old DOS PC into a powerful tool to track and inform
you of their activity.

Unlike some other network monitors, MACMON uses the 'MAC' address, which is
the permanent hardware address of the ethernet interface in the PC. Many
other monitors use 'IP' addresses, which are dynamically assigned in many
networks, and can change with time, or be easily altered by the computer
users, circumventing monitoring.

MACMON uses a DOS-standard "Crynwr" packet driver for the network
interface. Crynwr packet drivers are available for many network cards.
See www.crynwar.com (many network cards from the DOS era included
Crynwr-compatible packet drivers with the install package).



Use: MM [log_prefix] [options]

opts:   D=xx            - packet Driver interrupt       [60]
        M=filename      - Mac definition file           [MM.MAC]

Dave Dunfield - Jan 16 2011



By default, MACMON writes a daily log file called 'yymmdd.LOG' to the
current directory. You can use the "log_prefix" option to place it
somewhere else, for example, the command: MM D:\logs\
will place the daily log files under 'D:\LOGS\yymmdd.LOG'. You can
examine the log files with any text editor/viewer.

MACMON loads definitions for known network devices and a few other operating
parameters from a file called MM.MAC - see the sample MM.MAC included with
this package for details of the various settings (it's a text file).

When operating, MACMON shows network activity on the main screen, and a
status bar at the bottom showing the active curfew alarms (Red=active,
Green=disabled). You can press the following keys:

    F1 = Toggle curfew alarm 1 Off/On
    F2 = Toggle curfew alarm 2 Off/On
    F3 = Toggle curfew alarm 3 Off/On
    F4 = Quiet curfew alarm
    F5 = Activate 60 second curfew alarm (for sound tests)

Note that a curfew alarm sounds for 60 seconds after seeing a network packet
from a restricted machine - F4 can be used to quiet the alarm immediately,
however it will re-activate if another packet is seen. To disable the alarm,
you need to use F1-F3 to toggle OFF the alarm.


Misc notes:
-----------

MACMON reverses the ordering of DNS lookups so that site names are shown in
the "expected" order ... this means that lookups for an IP address are shown
reversed ... this is a rare enough event that I never bothered to detect and
change it.


MACMON switches the network card into "promiscuous" mode, which means that it
can see all traffic on the network - this is necessary to detect non-broadcast
PC traffic and properly detect activity of various devices on the network.

- Unfortunately, most modern "switches" will forward unicast traffic directly
to its destination, which means it never appears on MACMON's interface. For
best results, use a HUB instead of a switch, which will allow MACMON to see
all of the network traffic.

- Fortunately, Windows and most other PC operating systems babble enough
broadcast and multicast packets that MACMON can still perform basic activity
detection even if seeing the network through a switch - but DNS lookups (which
are directed to the router) will not be seen.
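
An added example (not part of MACMON or its documentation) of the per-frame
check described above, in Python: identify a device by its source MAC, flag
broadcast/multicast frames (the kind still visible through a switch), and pull
the name from a DNS query. The function names and sample frames are constructed
for illustration; VLAN tags and IPv6 are not handled.

```python
import struct

def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def dns_qname(msg):
    """First question name of a DNS message, or None if absent or malformed."""
    if len(msg) < 12 or struct.unpack_from("!H", msg, 4)[0] < 1:
        return None
    labels, pos = [], 12
    while pos < len(msg):
        n = msg[pos]
        if n == 0:
            return ".".join(labels)
        if n > 63 or pos + 1 + n > len(msg):  # compression pointer or truncated
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def inspect_frame(frame):
    """Summarise one untagged Ethernet II frame; None if shorter than a header."""
    if len(frame) < 14:
        return None
    info = {"src": mac_str(frame[6:12]),  # identity is the source MAC, not the IP
            "group": bool(frame[0] & 1),  # broadcast/multicast: still seen via a switch
            "dns": None}
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or len(frame) < 34:
        return info  # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    frag = struct.unpack_from("!H", frame, 20)[0] & 0x1FFF
    udp = 14 + ihl
    if ihl < 20 or frag or frame[23] != 17 or len(frame) < udp + 8:
        return info  # not the first fragment of a UDP datagram
    if struct.unpack_from("!H", frame, udp + 2)[0] == 53:  # destination port
        info["dns"] = dns_qname(frame[udp + 8:])
    return info

def sample_dns_frame():
    # Constructed sample: 02:00:00:00:00:01 asks its router for www.example.com
    dns = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
           + b"\x03www\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])) + udp
    return bytes.fromhex("0200000000FE" "020000000001" "0800") + ip

# Constructed sample: broadcast ARP from 02:00:00:00:00:02 (body zero-filled)
SAMPLE_ARP = bytes.fromhex("FFFFFFFFFFFF" "020000000002" "0806") + bytes(28)
```

The DNS sample is a unicast frame addressed to the router, so a monitor behind a
switch would only ever be handed frames like the ARP sample.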

My setup is as follows:
  Router (with integrated switch) in office with internet connection,
  connected to an ethernet HUB in the basement, to which the MACMON PC
  as well as my children's PCs are connected.
  An old wireless router, configured as an access point (router/wan port
  not used) is also connected to this hub, providing wireless access to
  the main floor of the house.

This basically causes all network traffic except for my own to travel through
the hub where MACMON can see it.

