Technology and architecture
NetFort Technologies Windows File Share Monitor is software that tells you what is happening on your Windows file shares. It shows you detailed information that you can use to monitor file share activity, troubleshoot problems, and demonstrate compliance with internal and external standards.
More details
Learn more about Windows File Share Monitor concepts and configuration:
Click on the links below to find out more.
- Deployment options
- Windows File Share Monitor in a physical network
- Windows File Share Monitor in a virtual network
- System architecture
Deployment options
Windows File Share Monitor is a standalone software system that requires no operating system licenses. You can deploy it as a VMware virtual appliance or install it on a dedicated physical PC or server.
When installed on a dedicated physical PC or server, Windows File Share Monitor runs on industry standard hardware. The only special requirement is that the PC or server must have two NICs (network interface cards) – one to collect the traffic data, and one to provide access to the Windows File Share Monitor user interface.
When deployed as a virtual appliance, Windows File Share Monitor can monitor internal virtual and physical network traffic. To monitor virtual network traffic, the virtual switch you are monitoring must be configured to operate in promiscuous mode. To monitor physical network traffic with a Windows File Share Monitor virtual appliance, you need a dedicated virtual switch that is associated with its own NIC.
Windows File Share Monitor in a physical network
The diagram below shows Windows File Share Monitor in a typical network setup consisting of PCs, laptops, servers, a core switch, and a firewalled Internet connection. Windows File Share Monitor is installed on a standalone server that is connected directly to the core switch.
Click on the diagram to see a close-up of the switch ports.
Click to close
In this network, the core switch port assignments are as follows (click the diagram to see a close-up of the switch ports):
| Port number | Description |
| 5 | File server 1 |
| 6 | File server 2 |
| 7 | File server 3 |
| 10 | Unused port |
| 12 | Monitoring (SPAN) port |
To monitor this network, the following steps are necessary:
- On your network switch:
- Configure port 12 as a monitoring port.
- Configure ports 5, 6, and 7 (the ports to which the file servers are connected) as the source ports to be monitored.
- Connect a network cable from the monitoring port on the switch (port 12) to one of the network interface cards on the Windows File Share Monitor server.
- Connect a network cable from an unused port on the switch (port 10) to the other network interface card on the Windows File Share Monitor server.
- In the Windows File Share Monitor user interface:
- In the Administration menu, click Sensors.
- In the Sensors menu, click Add New Sensor.
- Choose a sensor type and follow the instructions.
Windows File Share Monitor in a virtual network
Windows File Share Monitor works on the same principle in virtual networks as in physical networks. A VMware ESX environment incorporates a virtual network switch, which is the virtual equivalent of the core switch in a physical network. The virtual network switch supports promiscuous mode, a setting that enables virtual adapters to see all traffic flowing through the switch and essentially providing the same functionality as a SPAN or monitoring port on a physical network. This makes it possible for the Windows File Share Monitor virtual appliance to monitor and report on all file share traffic flowing through the virtual network.
The illustration below shows a typical virtual network setup consisting of several file servers connected to a virtual switch. When connected to the same virtual switch as the file servers, Windows File Share Monitorvirtual appliance can monitor all file share activity on the servers.
In this network, Windows File Share Monitor is installed on a virtual server that is connected to a virtual switch. When the switch is configured in promiscuous mode, Windows File Share Monitor can capture all traffic flowing through the switch.
See the VMware installation instructions for detailed information about configuring Windows File Share Monitor on VMware networks.
Monitoring physical network traffic with a virtual appliance
As well as monitoring traffic on your virtual network, a Windows File Share Monitor virtual appliance can monitor file share traffic on your physical network. In this configuration, you must configure an additional sensor in the Windows File Share Monitor user interface and connect this sensor to a separate virtual switch, which in turn must be connected to the physical network. The diagram below illustrates this configuration.
System architecture
Windows File Share Monitor uses advanced Deep Packet Inspection techniques to analyze the data packets flowing through the core switch on your network. It has a customizable browser-based user interface that shows you at a glance the file share activity that is most important to you, and gives you the ability to drill down to whatever level of detail you need.
Windows File Share Monitor creates and maintains a database of traffic information that gives you access to historical as well as real-time file share activity data. Historical data is indispensable for network forensics, and for identifying network issues and trends that cannot be identified using real-time data alone.
The diagram below shows the Windows File Share Monitor system architecture.
Click on the blocks in the diagram for details about each major component.
Management port
The management port on the Windows File Share Monitor system enables network administrators to establish a browser connection so that they can view the traffic data captured and stored by system.
Click to close
Browser-based user interface
Windows File Share Monitor has a browser-based user interface with a customizable dashboard and drill-down capability to whatever level of detail you need. All modern browsers are supported.
Click to close
You can configure any Windows File Share Monitor report to send you an e-mail alert immedidately when certain conditions are met (for example, when a user accesses a specified website or file share).
Click to close
CSV and PDF reports
You can generate CSV (for importing into Microsoft Excel and other spreadsheet applications) and PDF versions of all Windows File Share Monitor reports.
Click to close
Reporting engine
The Windows File Share Monitor reporting engine uses the information in the traffic database to generate interactive web pages, e-mail alerts, CSV files and PDF reports.
Click to close
Directory services integration
With the optional module for directory services integration, you can generate reports that include user names and other details derived from your corporate directory. You can also configure the system to ignore specific accounts such as those that are used to download anti-virus updates and operating system patches.
Click to close
Directory server connection
Windows File Share Monitor supports Microsoft Active Directory, Novell eDirectory, and the industry standard LDAP format.
Click to close
Traffic database
Windows File Share Monitor stores a historical record of traffic data in a secure, hardened, and highly optimized database. The database capacity is limited only by the amount of storage space available, while the storage used per day is determined by the amount of traffic on your network. Because the database is independent of system log files, you can use it to demonstrate compliance with the segregation of duties requirements of internal and external auditors.
Click to close
Deep packet inspection
Windows File Share Monitor uses Deep Packet Inspection techniques to inspect the contents (payload) of data packets in addition to the packet header, enabling it to identify threats that cannot be identified using standard networking components alone. Windows File Share Monitor implements DPI at full wire speed and does not slow down the network.
Click to close
Traffic collection engine
The traffic collection engine collects file share activity data from the monitoring port on your core switch and prepares it for deep packet inspection (DPI) and subsequent storage in the Windows File Share Monitor traffic database.
Click to close
Monitoring port
When monitoring a physical network, the monitoring (SPAN) port on the Windows File Share Monitor system connects to the monitoring port on the core switch. When monitoring a virtual network, the monitoring port connects to a virtual switch, which must be operating in promiscuous mode. The file share traffic seen by the monitoring port is collected by the Windows File Share Monitor traffic collection engine.
Click to close
Find out more
If you have any questions about how Windows File Share Monitor can help you with your network monitoring requirements, please contact us. If you would like to see Windows File Share Monitor in action, please try our online demo system. or download a free 30-day trial to try it on your own network with your own data.