Link Logger for Windows
Link Logger FAQ

Question - Can Link Logger detect attacks to our network, and what does an infected system look like in Link Logger?
Answer - Please see our article on Attack and Infection Detection.

Question - I installed Link Logger with my Linksys firewall, but only the counters change and no traffic is displayed. How do I fix this?
Answer - For most Linksys models there are multiple hardware versions (for example, there are at least 5 hardware versions of the BEFW11S4), and some versions log protocol information while others don't, which is why we have protocol and non-protocol logging versions of Link Logger. In this case we suspect you have the wrong version of Link Logger running with your Linksys. Go to Link Logger's Registration screen and note whether you have the protocol or non-protocol logging version, then uninstall it, download and install the other version, and it should work for you. For more information see the Link Logger / Linksys Versions page.

Question - How do I know if I have the right version (protocol / non-protocol logging) for my Linksys router/firewall?
Answer - Please see our detailed Link Logger / Linksys Versions page.

Question - How do I configure ZoneAlarm to work with Link Logger?
Answer - Please see our detailed Link Logger and ZoneAlarm Configuration page.

Question - How do I configure SyGate to work with Link Logger?
Answer - Please see our detailed Link Logger and SyGate Configuration page.

Question - How do I configure XP SP2 Windows Firewall to work with Link Logger?
Answer - Please see our detailed XP SP2 Configuration page.

Question - How do I configure ICF (Internet Connection Firewall) in XP to work with Link Logger?
Answer - Please see our detailed Link Logger and ICF Configuration page.

Question - How do I set up Link Logger so that it does not mark events involving authorized and trusted external servers as alerts?
Answer - Please see how to set up Trusted IPs in Link Logger.

Question - How do I set up Link Logger so that it does not mark inbound traffic to my internal servers as alerts?
Answer - Please see how to set up port forwards within Link Logger.

Question - Can I run Link Logger as a service on NT, Windows 2000, XP or 2003?
Answer - We would suggest that you consider using Fire Daemon (an impressive utility that allows you to install and run virtually any application as a Windows NT/2K/2K3 service), which can easily configure Link Logger to run as a service (complete with startup type, priorities, CPU assignment, etc.). Download Fire Daemon and use the FireDaemonUI program, as it makes running Link Logger as a service a snap. You will want to remove Link Logger from the All Users Startup folder if you configure Link Logger to start up on machine bootup.

Question - How do I set up FireDaemon to work with Link Logger?
Answer - Please see our detailed Link Logger and FireDaemon Configuration page.

Question - How do I set up Link Logger on an SBS Windows 2003 system?
Answer - One of our clients has posted his experiences with this at Link Logger Setup for SBS 2k3.

Question - Is there any way to sniff the inbound traffic packets?
Answer - You could try our free PortPeeker utility.

Question - What is 'UTC' after the time stamp and why isn't 'GMT' used?
Answer - 'UTC' is the abbreviation for 'Coordinated Universal Time', which replaced Greenwich Mean Time (GMT) as the world standard for time in 1986. It is based on atomic measurements rather than the earth's rotation. Military Zulu time is the same as UTC.

Question - What's a 10048 error on startup of Link Logger and how do I fix it?
Answer - A 10048 error indicates that Link Logger was unable to listen on your logging port because some other application is already listening on that port, and only one application can listen on a port at a time. Linksys users might want to check whether they have the SNMP services running in XP, NT or Windows 2000. You do not need these to run Link Logger, so you need to shut these services down if you're going to run Link Logger.

Question - What ports does Link Logger use?
Answer - Depending on which router/firewall you are using, Link Logger receives SNMP trap messages (UDP port 162) or Syslog messages (UDP port 514) containing the logging information from your router/firewall. The Linksys routers send SNMP trap messages; all other routers/firewalls use Syslog. Link Logger also pings the router on startup and expects a reply. If you enable hostname lookup within Link Logger you might also see outbound traffic on UDP port 137 (if the reverse DNS lookup fails, Windows tries a NetBIOS name request). If you enable Link Logger to email alerts/alarms, then you need to allow it outbound access on SMTP (TCP port 25).
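
As a diagnostic for the 10048 condition described above and the listening ports just listed, here is an added Python example (not code from Link Logger or this FAQ) that attempts to bind UDP 162 and 514 the way a listener would and reports whether each port is free, already held by another application (errno 10048 on Windows, EADDRINUSE elsewhere) or refused for lack of privilege; demo_conflict() reproduces the conflict on a loopback port chosen by the operating system.

```python
import errno
import socket

# Listening ports named in the FAQ: SNMP trap for Linksys units, syslog for the rest.
LINK_LOGGER_PORTS = {"snmptrap": 162, "syslog": 514}


def probe_udp_port(port, host="0.0.0.0"):
    """Bind a UDP socket on (host, port) exactly as a log listener would and
    report the outcome. 'in_use' is the FAQ's 10048 case (WSAEADDRINUSE on
    Windows, EADDRINUSE elsewhere); 'permission_denied' covers ports below
    1024 on Unix-like hosts, where binding needs elevation."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return {"port": port, "status": "free", "errno": None}
    except OSError as exc:
        # On Windows, OSError.errno carries the Winsock code, so 10048 shows up as-is.
        if exc.errno in (errno.EADDRINUSE, 10048):
            status = "in_use"
        elif exc.errno in (errno.EACCES, 10013):  # 10013 is WSAEACCES
            status = "permission_denied"
        else:
            status = "error"
        return {"port": port, "status": status, "errno": exc.errno}
    finally:
        sock.close()


def check_link_logger_ports():
    """Probe both ports Link Logger may listen on; run this before starting it."""
    return {name: probe_udp_port(port) for name, port in LINK_LOGGER_PORTS.items()}


def demo_conflict():
    """Reproduce the 10048 situation on a loopback port the OS picks: hold the
    port with one socket, probe it (expect 'in_use'), release it, probe again
    (expect 'free'). Returns the two statuses."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind(("127.0.0.1", 0))
    port = holder.getsockname()[1]
    while_held = probe_udp_port(port, "127.0.0.1")["status"]
    holder.close()
    after_release = probe_udp_port(port, "127.0.0.1")["status"]
    return while_held, after_release


if __name__ == "__main__":
    for name, result in check_link_logger_ports().items():
        print(f"{name:8s} UDP/{result['port']}: {result['status']} (errno {result['errno']})")
    print("conflict demo:", demo_conflict())
```

A 'permission_denied' result on 162 or 514 means the probe itself lacked rights to bind the port, not that another listener holds it.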

Question - Why does Link Logger report so many IP addresses as 'Not Found'?
Answer - Link Logger uses a DNS reverse name lookup to find the hostname for a system. Unfortunately a number of ISPs do not have hostnames or do not have reverse lookups enabled. For example, we were recently scanned by what could be an Opaserv-infected system (judging by the source and destination port numbers) with an IP address of 203.232.229.103, and Link Logger was unable to retrieve the hostname and reported it as 'Not Found'. Using something like SamSpade.org we can confirm that they are also unable to retrieve a hostname for this system using a traceroute:


3 130.152.180.21 2.746 ms isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
4 66.28.28.33 7.758 ms f1.ba01.b000899-0.lax01.atlas.cogentco.com (DNS error) [AS16631] Unknown
5 66.28.6.241 9.952 ms g3-4.core01.lax01.atlas.cogentco.com (DNS error) [AS16631] Unknown
6 66.28.4.74 15.239 ms p14-0.core01.sjc01.atlas.cogentco.com (DNS error) [AS16631] Unknown
7 66.28.4.93 17.445 ms p4-0.core01.sfo01.atlas.cogentco.com (DNS error) [AS16631] Unknown
8 66.28.4.146 16.450 ms p5-0.core03.sfo01.atlas.cogentco.com (DNS error) [AS16631] Unknown
9 210.107.53.45 17.911 ms paxg08pop7-fe0-5.rt.bora.net (DNS error) [AS3786] DACOM Corporation in Seoul, Korea
10 203.255.234.54 19.696 ms p4.bora.net (DNS error) [AS3786] DACOM Corporation in Seoul, Korea
11 203.255.234.229 158.565 ms gw2.bora.net (Fake rDNS) [AS3786] DACOM Corporation in Seoul, Korea
12 210.120.192.131 157.010 ms DNS error [AS3786] DACOM Corporation in Seoul, Korea
13 210.120.248.166 150.325 ms DNS error [AS3786] DACOM Corporation in Seoul, Korea
14 210.120.248.198 158.562 ms DNS error [AS3786] DACOM Corporation in Seoul, Korea
15 203.248.225.142 161.396 ms DNS error [AS3786] DACOM Corporation in Seoul, Korea
16 210.124.236.106 160.088 ms DNS error [AS3786] DACOM Corporation in Seoul, Korea
17 203.232.229.103 153.492 ms DNS error [AS9572] Hankuk University Of Foreign Studies

Note the DNS errors caused by the ISP not having reverse DNS lookups enabled. You can see, however, that the system is part of Hankuk University of Foreign Studies; this is determined using Whois information (i.e. who owns the netblock, in this case 203.232.224.0-203.232.239.255, so all addresses in this range are the responsibility of Hankuk University; note that they in turn could assign sub-blocks within this range to other parties). Whois is the definitive way to look up who is responsible for an IP address, but it is by design very difficult to use, as there is no one central source of this information (as you can see from the example given, they were unable to figure out ownership of every IP address along the traceroute).

As an example of how annoying a Whois search can be, let's find the whois information for 203.232.229.103. Typically you start at Arin.net, which then tells you that you need to go to APNIC.net (RIPE, for example, wouldn't tell you to try APNIC), which in turn tells you to use NIC.OR.KR. You will note that there are no whois standards concerning required data elements or format, so whois searches are almost impossible to automate (strangely, this is by design, in order to prevent automated tools from harvesting email addresses from whois data). Most of the whois engines will also limit the number or rate of queries you are allowed to make (for example, SamSpade.org is being null-routed by ARIN due to high traffic). Typically, if you occupy an internet security role you start to recognize IP blocks by country and go directly to the proper whois server, but your success rate is based on your experience.


Our experience is that about 30 - 40% of scanning or attacking systems are located within countries whose ISPs typically don't have reverse hostname lookups enabled (hmm, could be a clue here for those ISPs). One other thing that we should mention is that Link Logger uses a built-in Windows call to retrieve the hostname. If this Windows function is unable to retrieve the hostname via a reverse DNS lookup, it will do a NetBIOS hostname request, which you will see as outbound traffic similar to this (note that not all routers/firewalls log DNS traffic):


Jan 13, 2003 02:20:15.109 UTC - (UDP) 192.168.0.3 : 4319 >>> 24.71.223.144 : 53 <- this is the request to the DNS server
Jan 13, 2003 02:20:15.921 UTC - (UDP) 192.168.0.3 : 137 >>> 203.232.229.103 : 137 <- this is a NetBIOS hostname request

Note that the NetBIOS hostname request is sent to the IP address in question. You can disable Link Logger's automated hostname lookups by disabling 'Auto Name Lookup' within the user setup screen.
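
To illustrate the lookup pattern just described, here is an added Python example (not code from Link Logger) that parses lines in the display format quoted above and flags each outbound UDP 137-to-137 event as the reverse-DNS fallback when a DNS query from the same internal host precedes it within a short window, so an analyst can separate Link Logger's own lookup traffic from NetBIOS traffic that has no such explanation; the log lines, the 5-second window and the extra hosts are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the display format the FAQ quotes (203.232.229.103 is
# the FAQ's own example host; the other two events are made up for contrast).
SAMPLE_LOG = """\
Jan 13, 2003 02:20:15.109 UTC - (UDP) 192.168.0.3 : 4319 >>> 24.71.223.144 : 53
Jan 13, 2003 02:20:15.921 UTC - (UDP) 192.168.0.3 : 137 >>> 203.232.229.103 : 137
Jan 13, 2003 02:21:03.400 UTC - (TCP) 203.232.229.103 : 3049 >>> 192.168.0.3 : 445
Jan 13, 2003 02:30:00.000 UTC - (UDP) 192.168.0.3 : 137 >>> 10.9.8.7 : 137
"""

# Matches the start of a display line; trailing annotations such as "<- ..." are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) UTC - "
    r"\((?P<proto>TCP|UDP|ICMP)\) (?P<src>[\d.]+) : (?P<sport>\d+) >>> "
    r"(?P<dst>[\d.]+) : (?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for one display line, or None if the line is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%b %d, %Y %H:%M:%S.%f")
    event["sport"], event["dport"] = int(event["sport"]), int(event["dport"])
    return event


def find_netbios_fallbacks(lines, window=timedelta(seconds=5)):
    """For every outbound UDP 137 -> 137 event, report (destination, explained),
    where explained is True when the same internal host sent a DNS query (UDP
    port 53) within `window` beforehand, i.e. the Windows fallback the FAQ
    describes. Unexplained 137 -> 137 traffic deserves a closer look."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    results = []
    for i, e in enumerate(events):
        if not (e["proto"] == "UDP" and e["sport"] == 137 and e["dport"] == 137):
            continue
        prior_dns = any(
            p["proto"] == "UDP" and p["dport"] == 53 and p["src"] == e["src"]
            and timedelta(0) <= e["ts"] - p["ts"] <= window
            for p in events[:i]
        )
        results.append((e["dst"], prior_dns))
    return results


if __name__ == "__main__":
    for dst, explained in find_netbios_fallbacks(SAMPLE_LOG.splitlines()):
        print(f"NetBIOS name request to {dst}: {'lookup fallback' if explained else 'unexplained'}")
```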

Question - I never knew that my network would be so busy and generate so much information in my logs. How can I keep it manageable?
Answer - Use Link Logger's display filters to display only blue alerts or higher (probes/scans). The display filters are located under the Traffic list on the main screen. All traffic is recorded regardless of whether it is displayed, so you can still generate reports or perform other analysis on 'normal' traffic.

Question - I've downloaded Link Logger and want to try it, but how do I get past the registration screen?
Answer - During your free trial just press 'Continue' on the Registration screen to enter Link Logger.

Question - How do I know if Link Logger is running correctly?
Answer - We would suggest that you visit an online scanning site like www.pcflank.com and run some of their scans. If Link Logger is set up correctly you should see a number of traffic events appear in Link Logger. If Link Logger still doesn't work, please check that you meet the hardware and firmware requirements. If you have the correct hardware and firmware but Link Logger still doesn't work, please contact support@linklogger.com and let us know what version of Windows you are running, what Linksys product you are using and what firmware version.

Question - Can I see other non-traffic messages within Link Logger sent out from my router/firewall?
Answer - In the Link Logger Reports screen there is a report titled Messages which contains these types of messages, as well as operational and error messages from Link Logger.

Question - I have high volume traffic passing through my Linksys and sometimes Link Logger appears to hang. Can I fix this?
Answer - Link Logger can handle high volume networks (Link Logger has been load tested at over a hundred thousand connections an hour on a non top-end system, and we currently have clients logging over 2 million events a day with Link Logger), but you need to make a couple of setting changes. First, Link Logger uses the native Windows ListView component, which is powerful but does have a performance issue sorting thousands of items (displayed events). To eliminate this problem, disable auto sorting in the Link Logger configuration (main menu -> Edit -> Setup... -> User tab -> Enable Auto Sorting). This option re-sorts the list after every event is added to the Traffic list (for example, when your Traffic list is set to show higher alerts at the top). By disabling this feature Link Logger places all new events at the bottom of the list. You can still perform manual sorts by clicking on the column headers.

The second change you might want to consider is using Link Logger's display filters (located under the Traffic list). These allow you to filter what is displayed in the Traffic list by alert level. For example, most traffic is logged as normal (green), but if you would rather just see traffic with a minimum alert level of scan or probe (blue), you can use the display filters to do this. NOTE: all traffic is recorded by Link Logger and retrievable during searches, reports, etc. Since using display filters reduces the number of events stored in the list, you might be able to leave auto sorting enabled (something to try).

If you have any other Questions or suggestions concerning Link Logger please send an email to support@linklogger.com. You will speed up your Answers if you provide an accurate description of your problem, the results you expected and the results you received when using Link Logger.