ipTicker v1.6

Overview

What is ipTicker?

ipTicker is a diagnostic tool that detects and measures IP (internet protocol) traffic to and from your PC. It listens to all ports and reports the activities centrally on its screen in real time. It reports IP activities in three ways: -

• A summary screen where it shows the IP statistics group by the IP address, direction and port
• An active audit trail screen where it shows the current IP activities
• A dump screen where it shows the most recent dump of TCP/UDP data

NOTE

Like its name, the ipTicker icon (which represents a ticker tape) runs when there are IP activities. The movement of the tape increases when the IP activities increase and (the ticker tape) stops when there is no activity.

Potential usage of IP ticker are:-

1. To measure the amount of IP traffic to and from your PC (grouped by IP address,port)
2. To confirm if there are any unsolicited outbound IP activities from your PC
3. To investigate IP activities

IP ticker is supported in Windows 2000 and XP only.

Here are some sample scenarios where ipTicker could be useful: -

Determine if there is any IP traffic.

You surf to a web site. Your browser icon keeps spinning showing that it is doing work. Normally you would associate the spinning of the browser icon as IP activity (as there are data being downloaded to your browser). ipTicker icon shows the same behaviour (it runs when there are IP activities).

Now you download a file. Your Browser shows a download dialog box with a progress bar to indicate the download progress. You noted that the progress bar is showing 26% for a long while but you have no idea if there is any real data being downloaded, or if the network is slow, or if the web site is down. You were about to abort the download by pressing the Cancel button when you noted that the ipTicker icon is running very quickly. You observed in the ipTicker Audit Trail screen that there are indeed a lot of rows showing activities for the web site of interest and it keeps recording new rows (indicating that downloading of data is really happening).

The end result : you have the confirmation you need to make the decision – not to cancel the download operation because it (the download) is still active.

Determine if there is any suspicious activity.

Keyboard loggers are spywares – they capture your keystroke and then upload or send your keystrokes back to the hacker. Let’s assume for the exercise that there is a keyboard logger logging your activities (especially those logon details when you are logging on your favorite Internet Bank (e.g. ANZ Bank) or to your favorite shopping site (e.g. e-Bay).

In this scenario, you left your PC idle. In theory, everything should be quiet but you noted that the ipTicker icon is running very quickly.On checking the ipTicker Audit Trail screen, you noted that there are some new rows. You observed that the recorded rows are pointing to an unknown European web address and using port 25. This is telling you that some application is sending data to an unknown SMTP server. Using netstat (or a similar tool), you discovered the application that is sending the data is an unknown executable. Upon further investigation, you found that the executable is a keyboard trojan.

Features

Quick Start

What do you need to run ipTicker?

At a glance, you need

1. Windows 2000 or Windows XP

How to install ipTicker?

This section describes the manual procedure for installing ipTicker.
ipTicker is packaged in a zip file where

• ipTicker.exe is the executable
• ipTicker.pdf is the User Guide (this document)

Prerequisite

Your PC Operating System is Windows 2000 or Windows XP (or higher) You know how to use explorer.exe (basic skills) You know how to use winzip.exe (basic skills) You have ipTicker.zip

Assumptions

You have chosen to install to c:\Program Files\ipTicker ipTicker.zip is saved in c:\temp directory

1. Unzip all files from ipTicker.zip into the ipTicker directory.
   • Start winzip.exe
   • Open c:\temp\ipTicker.zip
   • Enter "c:\Program Files\ipTicker" as the "Extract to" directory
   • Select the "All Files" radio button
   • Click the Extract button. You should see all the files unzipped into the specified directory.
2. Run the following command
   • Start Explorer
   • Go to the directory "c:\Program Files\ipTicker"
   • Double click on ipTicker.exe to run
   • Once ipTicker is started, it will sit itself in the system tray.
     That is it! No further configuration is required. ipTicker will start to measure your IP traffic.
   • To bring ipTicker to foreground, right mouse click on the ticker icon.

How to uninstall ipTicker?

1. Run the following command
   • Start Explorer
   • Delete the "c:\Program Files\ipTicker" directory

Operations

Using ipTicker

When ipTicker starts, it will automatically listen to all IP activities. If there is an IP event, ipTicker will record the event to the Audit Trail screen. The row will record the following details:-

Column	Explanation
Timestamp	The timestamp of the IP event. It is specified in “yyyyMMddhhmmss” where yyyy is the year MM is the month dd is the year hh is the hour mm is the minute ss is the second
Direction	The direction of the IP event. The direction is "In" if it is an incoming IP event The direction is "Out" if it is an outgoing IP event
IP Address	The ip address of the IP event
Host	The hostname of the ip address (if any). If the hostname is not found, then the value in this column will be blank
Length	The packet size (in bytes)
Protocol	The IP protocol It could be one of these values:- IP ICMP IGMP GGP IPV4 TCP PUP UDP IDP IPV6 ROUTING FRAGMENT ESP AH ICMPV6 NONE DSTOPTS ND ICLFXBM RAW
Port	The port number of the IP event (if applicable).

The Audit Trail screen shows the latest 100 events. The latest event is always on top.

It will also create a row in the Summary screen. The summary screen shows the IP statistics for this web address, which is grouped by the Direction, IP address and port. If there is already an existing row in the Summary Screen, it will update the "Total" column of the row.  The details of the Summary row are described below: -

Column	Explanation
Timestamp	The latest timestamp of the IP statistics. It is specified in "yyyyMMddhhmmss" where yyyy is the year MM is the month dd is the year hh is the hour mm is the minute ss is the second
Direction	The direction of the IP statistics. The direction is "In" if it is an incoming event The direction is "Out" if it is an outgoing event
IP Address	The ip address of the IP statistics
Host	The hostname of the ip address (if any). If the hostname is not found, then the value in this column will be blank
Total	The accumulated total number of bytes.
Protocol	The IP protocol It could be one of these values:- IP ICMP IGMP GGP IPV4 TCP PUP UDP IDP IPV6 ROUTING FRAGMENT ESP AH ICMPV6 NONE DSTOPTS ND ICLFXBM RAW
Port	The port number of the IP statistics (if applicable).

 

On the bottom of the screen, there is a Dump screen. The dump screen can record the latest 5000 lines of TCP/UDP data.

How to exclude an event

This procedure is to exclude an event AFTER you have decided that an event is benign and you do not wish record the event again.

1. In the Summary window, select the event (you may highlight one or more events)
2. Click the Exclude button

An excluded IP event is identified by its IP address and its port number.

How to manage excludes

This procedure is to review or manage excluded events. You can "unexclude" one or more events here.

1. Select the "Options+Manage Excludes" menu item
2. In the "Manage Exclude List" window, select one or more audit trail events
3. Click the Delete button
4. Click the OK button to save the changes

Checking ipTicker Version

To check the version of ipTicker, select the "About ..." context menu item. An About box will be displayed.