Binary Revolution Forums: Simple Coffee House IDS, needs a name - Binary Revolution Forums




Simple Coffee House IDS, needs a name

#21 jabzor

Posted 20 June 2008 - 12:26 PM

Irongeek, on Jun 20 2008, 09:32 AM, said:

I'm looking at the code, shouldn't $monitorgateways be $monitorfirewall? Is $monitorfirewall even used?

Also, why is the file now encoded as UTF16?

Yes, sorry that was a typo on my behalf, I'll attach a fixed version to this post.

$monitorgateways is for a future, as of yet unimplemented function to monitor changes in the default gateways and their metrics (with 'route print') or at the very least calling IP_Gateway_List().
I am not sure about the speed hit but your arp-cache monitor function should really be calling IP_Gateway_List() every time instead of using the list generated at program startup.

You can see that pipes or threads / etc will be necessary.. we need to monitor the arp cache independent of the gui, same with the windows firewall and the security event log BUT the arp cache thread also needs to know the second there is a change to the gateway info so it isn't monitoring outdated information.

UTF16 is being used for multilingual support, as is the raw menu module instead of the standard though I have included both of them if a user wishes to compile for ansi.

Irongeek, on Jun 20 2008, 09:40 AM, said:

One last thing, I'm not very up to date on this UFD. Is there a way to tell in code the menu becomes visible? If there is, we could have it stop parsing logs when that happens so it seems more responsive.

There likely is a way, but if things were threaded you could simply instantly kill or start the thread responsible for that feature and the gui would function as normal. This should be the end goal.

NOTE:
I have discovered an annoying bug between the beta 3.2.13.2 and the stable 3.2.12.1 autoit..

In the stable, reading the submenu checkbox states works but in the beta the code doesn't work, not for me at least with the function I am using.
(GUICtrlRead($GatewayWatch),$GUI_CHECKED) or (GUICtrlRead($GatewayWatch),$GUI_UNCHECKED) doesn't work.. just returns -1 regardless of state in the beta autoit. :(
This breaks checkbox functionality of 0.03+ builds in the beta autoit, though the stable works just fine.

EDIT: attached 0.03a - utf16 script and binary compiled with latest stable, up to users to compile with beta or for ansi
(includes a bugfix for the previously mentioned typo and a msgbox to alert users that monitor gateways isn't added yet if they try and use it in the menu)

This post has been edited by jabzor: 23 June 2008 - 04:43 PM


#22 Irongeek

Posted 20 June 2008 - 12:39 PM

Cool, I'm working on a faster way to do the ARP cache refresh. If I can get that fast enough the single thread may work. I'm going to be working on this more tonight, and I may list the monitor check boxes as being "in testing" in the menu and add an option to edit the INI directly. You mentioned in the mail there is a better way to handle this conversation, want to go direct email or something?

The only problem having the source in UTF16 causes me is I can't use the auto tidy feature to make my code pretty, but if I encode it as ansi then the UDF include fails to work right. Weird. I can work around this.

#23 jabzor

Posted 20 June 2008 - 12:58 PM

Irongeek, on Jun 20 2008, 11:39 AM, said:

Cool, I'm working on a faster way to do the ARP cache refresh. If I can get that fast enough the single thread may work. I'm going to be working on this more tonight, and I may list the monitor check boxes as being "in testing" in the menu and add an option to edit the INI directly. You mentioned in the mail there is a better way to handle this conversation, want to go direct email or something?

The only problem having the source in UTF16 causes me is I can't use the auto tidy feature to make my code pretty, but if I encode it as ansi then the UDF include fails to work right. Weird. I can work around this.

Don't worry about including it until things are actually working properly or at least faster than they are. Would rather things came out later and working well than earlier and not.

We could email, or irc.binrev.net|cryptirc.net:+7000/#binrev would probably be faster.

The alternate menu include for ansi is in the zips I attached, you can use the standard one for ansi just fine if you don't want to support utf just yet, simply change the include path to the non-raw one.

This post has been edited by jabzor: 20 June 2008 - 03:52 PM


#24 Irongeek

Posted 20 June 2008 - 06:53 PM

Ok, I posted my changes:
http://www.irongeek.com/i.php?page=securit...tch-for-windows

Jabzor, is there a personal site you want me to link to?

#25 jabzor

Posted 20 June 2008 - 07:53 PM

Irongeek, on Jun 20 2008, 05:53 PM, said:

Ok, I posted my changes:
http://www.irongeek.com/i.php?page=securit...tch-for-windows

Jabzor, is there a personal site you want me to link to?

Binrev is fine. ;)
One note about the 0.04 beta release: as it is packed, the end user must still copy the /art/ folder to the program directory to view the about screen icon delogo.avi.
The program will run just fine without this but there will be an empty box where it should be.

I haven't figured out how to easily embed the file in the exe from within AutoIt (ResHacker after the fact works but eww) or how to access the avi icon from within itself without extracting it, while at the same time remaining functional in script form, same with the systray icon in fact.
See Below:
Attached File: delogo.PNG
Running from the extracted zip folders.. note /art/delogo.avi isn't in the exe path, it shouldn't have to be either but I have yet to figure out how to include files etc as mentioned above.

EDIT: Also just noticed another error (fixed in 0.04t):
20080620191708: New IP in cache: invalid with MAC of 192.168.1.1 <- hrmmm?
20080620191711: New IP in cache: 192.168.1.1 with MAC of 00-0a-61-05-43-ef

I'll have to go through the code, but your more efficient arp-watch might have introduced the error.

This post has been edited by jabzor: 23 June 2008 - 11:59 AM

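The two log lines above (an entry reported as IP "invalid" with the gateway address in the MAC column, followed by the same gateway parsed correctly) are the signature of a column mis-parse in the arp-cache watcher. As an added example, not Decaffeinatid's own AutoIt code, the following Python shows the same snapshot-and-diff approach written so that an incomplete `arp -a` entry cannot shift the columns, and so that a MAC change on an address already in the cache, the gateway in particular, is reported as its own alert, since that is what ARP poisoning looks like from the cache. The sample `arp -a` text is constructed; the line with an empty physical-address column and type `invalid` is assumed to be the shape such entries take, as the thread shows only the resulting log line.

```python
"""Snapshot/diff ARP watch in the style of the thread's arp-cache monitor.

Added example, not Decaffeinatid's code. Parses text laid out like Windows
`arp -a`, keeps {ip: mac}, and reports new entries and MAC changes. Entries
with no physical address are skipped instead of shifting the columns, which
is the kind of mis-parse behind a line like
"New IP in cache: invalid with MAC of 192.168.1.1".
"""
import re
from datetime import datetime

# One data line of Windows arp output: IP, MAC like 00-0a-61-05-43-ef, type.
IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC_RE = r"((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})"
ENTRY_RE = re.compile(rf"^\s*{IP_RE}\s+{MAC_RE}\s+(\w+)\s*$")


def parse_arp_table(text):
    """Return {ip: (mac_lower, type)} for complete entries only.

    'Interface:' headers, the column header and entries without a MAC
    (assumed here to print as an empty column with type 'invalid') never
    match, so a missing column can never be read as an IP or a MAC.
    """
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ip, mac, kind = m.groups()
        table[ip] = (mac.lower(), kind.lower())
    return table


def diff_arp(old, new, gateways=()):
    """Compare two snapshots and return alert strings.

    Reports: a new IP in the cache, an existing IP now answering with a
    different MAC (possible poisoning; tagged GATEWAY when the IP is one of
    the default gateways), and an IP that left the cache.
    """
    alerts = []
    for ip, (mac, _) in new.items():
        if ip not in old:
            alerts.append(f"New IP in cache: {ip} with MAC of {mac}")
        elif old[ip][0] != mac:
            tag = "GATEWAY " if ip in gateways else ""
            alerts.append(f"{tag}MAC changed for {ip}: {old[ip][0]} -> {mac}")
    for ip in old:
        if ip not in new:
            alerts.append(f"IP left cache: {ip}")
    return alerts


def stamp(msg, now=None):
    """Prefix a line with the yyyymmddHHMMSS stamp the thread's log uses."""
    now = now or datetime.now()
    return f"{now.strftime('%Y%m%d%H%M%S')}: {msg}"


# Constructed sample output in the layout of `arp -a` on Windows. The entry
# with no physical address is the kind a naive whitespace split mis-reads.
SNAPSHOT_1 = """\
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-0a-61-05-43-ef     dynamic
  192.168.1.20                                invalid
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_2 = """\
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-1c-b3-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def demo():
    """One watch cycle over the two constructed snapshots; returns the alerts."""
    old = parse_arp_table(SNAPSHOT_1)
    new = parse_arp_table(SNAPSHOT_2)
    return diff_arp(old, new, gateways={"192.168.1.1"})


if __name__ == "__main__":
    for alert in demo():
        print(stamp(alert))
```

In the real loop `SNAPSHOT_2` would be the fresh `arp -a` output and `old` the previous parse; the gateway set comes from whatever replaces the thread's IP_Gateway_List() and should be refreshed each cycle for the reasons given earlier in the thread.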

#26 Irongeek

Posted 21 June 2008 - 10:04 PM

I'm pretty sure the "invalid" error was in my old version as well. Yeah, my parse code needs some work. :) Right now I'm working on getting the GUI more responsive, which I think I can do with timerdiff.

This post has been edited by Irongeek: 21 June 2008 - 10:05 PM


#27 Irongeek

Posted 21 June 2008 - 10:49 PM

Ok, here is version 0.04t

The t is for timer, it now goes through the cycle of checking ARP, FW and SecLog every 3 sec.
I also fixed the "invalid" problem I think. Let me know, and I'll post it to the main page soon.


#28 jabzor

Posted 22 June 2008 - 04:23 AM

The results aren't displayed/recorded quite instantaneously but they are within a few seconds which should be well within acceptable ranges for this application at this point in development.
I don't see the arp-errors returning on my end though, so I'd say this release is good to go online, as it is *much* more responsive.

I'll add the default systray click event action (View Logs) tomorrow if you don't get to it before I do; we can really start hacking away at the todo list now that it seems the speed issue is somewhat taken care of.
At least with so few processes being monitored.. were we to add 'nbtstat -c', 'ipconfig /all', 'ipconfig /displaydns' and 'route print' it might slow down a bit, especially if we throw in the hosts and lmhosts file monitoring, which I'm thinking we could.. as well as windows proxy settings.

This post has been edited by jabzor: 22 June 2008 - 04:25 AM


#29 Irongeek

Posted 22 June 2008 - 09:02 AM

Damn, you plan to add a lot of functions. :) I'm glad you rewrote some of my code to make it easier to maintain/follow.

#30 Irongeek

Posted 22 June 2008 - 09:35 PM

Ver 0.05 has been posted.

#31 jabzor

Posted 22 June 2008 - 11:53 PM

Irongeek, on Jun 22 2008, 08:35 PM, said:

Ver 0.05 has been posted.

Was waiting for you to post that so I could edit it and post my 0.05a.
Added the default left-click action (if you double-click on the icon, it opens the log-file (and moved this in to a new function, with an ifexists pre-check)), as well as changed the menu side-text background and the ini icon.

Attached File: decaf_0.05a_menu.PNG

This post has been edited by jabzor: 23 June 2008 - 03:39 AM


#32 Irongeek

Posted 23 June 2008 - 06:50 AM

Thanks. I'll roll this in the next time I put a version up.

#33 Irongeek

Posted 23 June 2008 - 10:41 PM

Posted. Thanks Jabzor.

#34 SAGA

Posted 24 June 2008 - 09:37 AM

Everything is nice....

Please add a help file..so that novices can know things :)

Help file may contain

1. What's ARP cache and all?
2. Description of important events with proper explanation
3. Things in the INI file.. (even though some fields are obvious :) )

For example description of
"ignorenetworksrc" ,what are the values that can be assigned and what are their behaviour...


Good work!!!! i really like it Irongeek Rocks!

#35 SAGA

Posted 24 June 2008 - 08:24 PM

I discovered a bug or something..I am using windows vista...After an hour runtime or something..I cannot right or left click the icon on the tray..

I don't know whether it's a fault in vista or the decaffeinatid0.05a...??

#36 Irongeek

Posted 24 June 2008 - 08:33 PM

SAGA, on Jun 24 2008, 09:24 PM, said:

I discovered a bug or something..I am using windows vista...After an hour runtime or something..I cannot right or left click the icon on the tray..

I don't know whether it's a fault in vista or the decaffeinatid0.05a...??

A little of both. :) Can you attach your log file?

Thanks

#37 jabzor

Posted 24 June 2008 - 08:36 PM

SAGA, on Jun 24 2008, 07:24 PM, said:

I discovered a bug or something..I am using windows vista...After an hour runtime or something..I cannot right or left click the icon on the tray..

I don't know whether it's a fault in vista or the decaffeinatid0.05a...??

I don't know about Irongeek but I have done zero testing of Decaffeinatid in Vista.
I have, though, left 0.05a running all night with all the options enabled and it worked fine this morning, so it might be Vista??

I have a 0.06a I am working on. Fixed a few other minor bugs (like setting a trayicon in script form) and increased the speed a bit by removing some redundant calls.
Adding a Gateway monitor and a Route monitor but things are getting tricky so that is going to take some time.

#38 jabzor

Posted 24 June 2008 - 11:22 PM

Attached 0.06a
Change Log:
- NEW: some 'TODO' comments in the code (issues that need to be addressed)
- NEW: added a msgbox if no gateways are found for the arp-function.. might want to give the option to 'never show this again' if users are running without gateways? - should never come up though as it is written
- STYLE: setup concatenation (replaced all lines like "$output = $output & $line" with $output &= $line)
- STYLE: setup incrementors (replaced all lines like "$j = $j + 1" with $j += 1)
- STYLE: made all non-global variables local to their function / loop / etc, double-check for me to make sure they are all working.. this should be the future standard
- STYLE: removed some redundant lines, increased speed etc (ex Global $NewARPArray = $OldARPArray)
- FIX: gateway info is now reloaded every time arp-watch is loaded in case the gateways are changed (got rid of Global $IP_Gateway_List entirely, called directly now)
- FIX: non-default systray icon when running as a script (added a conditional to check if compiled or scripting) (I broke this back in 0.03, working now though)

May need to be further code-tested so run some tests before implementing any changes in to newer builds. We need beta-testers and a set of test functions to perform. :unsure:
----

There could be one issue that I can think of SAGA and I've addressed it with the TODO comments in the code, though not fixed it here in 0.06a:
Currently, if you have a menu option set to disabled when decaf loads it will start a timer for the function but never reset it.
I don't know what happens if the timer overflows or if it can? This might be what you are having trouble with.

We need to add prechecks, as all code is run once on startup regardless of the ini and a timer is started, this shouldn't happen if the ini isn't set to load that feature when the program is loaded.
We also need to set the menu processing code to start or stop the timer for the specific function.

----

Default-gateway and route monitoring hopefully in next version, still too beta to include - but it does process ospf/igrp/static/network-mgmt (automatically created by the adapter), etc and all the metrics therein.
Monitoring for DNS Poisoning and changes to the dns server entry will also eventually see the light of day.

This post has been edited by jabzor: 25 June 2008 - 03:01 AM

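The timer problem described in this post (a monitor disabled in the INI still gets a timer at load, nothing ever resets it, and the menu code never starts or stops timers) is a scheduling question that does not depend on AutoIt. As an added example, not Decaffeinatid's own code, the following Python models the single-thread, TimerDiff-style loop from the 0.04t release with the prechecks proposed here: a monitor only gets a timer when it is enabled, enabling it from the menu starts the timer, disabling stops it, and each pass of the loop only runs monitors whose timer is due. The one concrete monitor, a hosts-file change detector, stands in for the hosts/lmhosts monitoring suggested earlier in the thread; the `Scheduler`, `Monitor` and `make_hosts_monitor` names are this example's own, the clock is injected so the loop can be driven without waiting, and the hosts-file content is constructed.

```python
"""Timer-driven monitor scheduler; added example, not Decaffeinatid's code.

Each monitor owns an enabled flag and a "next due" time. A timer exists only
while the monitor is enabled, so a feature switched off in the INI at load
never arms a timer, and the menu handler starts or stops the timer by calling
enable()/disable() instead of leaving every timer running from startup.
"""
import hashlib


class Monitor:
    """One watched source: a zero-argument poll() returning alert strings."""

    def __init__(self, name, poll, interval_s):
        self.name = name
        self.poll = poll
        self.interval_s = interval_s
        self.enabled = False
        self.next_due = None  # None means "no timer running"


class Scheduler:
    """Runs enabled monitors when their timers expire.

    The clock is a callable returning monotonic seconds; it is injected so
    the loop can be stepped from a test instead of sleeping.
    """

    def __init__(self, clock):
        self.clock = clock
        self.monitors = {}

    def add(self, monitor, enabled):
        """Register a monitor; the INI/menu state decides whether a timer starts."""
        self.monitors[monitor.name] = monitor
        if enabled:
            self.enable(monitor.name)

    def enable(self, name):
        """Menu toggled on: arm the timer so the monitor fires on the next pass."""
        m = self.monitors[name]
        m.enabled = True
        m.next_due = self.clock()

    def disable(self, name):
        """Menu toggled off: stop the timer rather than leave it armed."""
        m = self.monitors[name]
        m.enabled = False
        m.next_due = None

    def tick(self):
        """One pass of the main loop; returns (monitor name, alert) pairs."""
        now = self.clock()
        out = []
        for m in self.monitors.values():
            if not m.enabled or m.next_due is None or now < m.next_due:
                continue
            m.next_due = now + m.interval_s  # reset relative to this pass
            out.extend((m.name, a) for a in m.poll())
        return out


def make_hosts_monitor(read_hosts):
    """Change detector for the hosts file: hash the bytes each poll and
    alert when the digest differs from the previous poll."""
    state = {"digest": None}

    def poll():
        digest = hashlib.sha256(read_hosts()).hexdigest()
        alerts = []
        if state["digest"] is not None and digest != state["digest"]:
            alerts.append(f"hosts file changed (sha256 {digest[:12]}...)")
        state["digest"] = digest
        return alerts

    return poll


def demo():
    """Drive the scheduler with a fake clock and a constructed hosts file."""
    clock = {"t": 0.0}
    hosts = {"data": b"127.0.0.1 localhost\n"}  # constructed content
    sched = Scheduler(lambda: clock["t"])
    sched.add(Monitor("hosts", make_hosts_monitor(lambda: hosts["data"]), 3),
              enabled=False)
    events = []
    events += sched.tick()          # disabled at load: no timer, nothing runs
    sched.enable("hosts")           # menu toggled on: timer starts now
    events += sched.tick()          # first poll records the baseline digest
    hosts["data"] += b"192.0.2.10 login.example.com\n"  # constructed tamper
    clock["t"] = 2.0
    events += sched.tick()          # not due yet (interval is 3 s)
    clock["t"] = 3.5
    events += sched.tick()          # due: the change is reported
    return events


if __name__ == "__main__":
    for name, alert in demo():
        print(name, alert)
```

In a real loop `tick()` is called from the GUI message loop with a short sleep between passes, so the menu stays responsive while each monitor only does work when its own interval has elapsed.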

#39 Irongeek

Posted 25 June 2008 - 07:19 AM

Thanks Jabzor. I'll roll this in the next time I post to the page.

#40 SAGA

Posted 25 June 2008 - 08:51 PM

I figured it out (guess)...

I cannot right click or left click on the tray icon after locking vista machine and unlocking it!!!

do you want me to send idslog file?

I have attached it!!!

