Stethoscope Network Analyzer: Frequently Asked Questions

FAQ

To install:

  • Download the required version (Download page);
  • Compare the checksum of the downloaded exe file with the value published on the web site;
  • Run the executable file as administrator;
  • Confirm the MS Windows UAC prompt;
  • Follow the instructions of the install wizard.

Enterprise Version

A host (available either as a server for installation into a standard 19” rack or as a miniature desktop unit) with the pre-installed Stethoscope software (the Software) is installed into the communication channel. Typically the host is placed on the organization's dedicated internet channel, at the border between the LAN perimeter and the internet, so that all network interactions between the LAN and the internet can be controlled. To control and analyze traffic inside the organization's network, the host may also be installed between network segments.
To minimize the risk of network service failure during installation, the host is fitted with special network equipment with a bypass function, which keeps data flowing through the host even when it is powered off or its software malfunctions.
The host must have at least two network interfaces, from which a bridge-type virtual interface is built, and enough HDDs to record traffic. The two interfaces are combined into a logical bridge interface and the program processes all traffic passing through that virtual interface. A third network interface should be dedicated to host management; that said, using an interface that belongs to the bridge for management tasks is not prohibited.

Free Version

The Stethoscope software (the Software) is installed on the user's PC running the MS Windows operating system. The following MS Windows versions are supported: Windows XP SP3, Windows Vista, Windows Vista SP1, Windows Vista SP2, Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, and Windows 10. Both the 32-bit and the 64-bit editions of every listed version are supported.
During installation, the program integrates itself into the network stack of the user's PC, which lets it control all network interactions of every program and process, whether started by the user or by the system.

Operating Principle of Both Versions

Both versions work on the same principle: sessions are intercepted, recorded to disk and passed to protocol analyzers. The analyzers dynamically identify protocols, decrypt content, extract session metadata and send the collected data to the indexer. The indexer writes session information to the database, where it is available to the user in a dedicated control and monitoring console. The console supports static and dynamic modes; in dynamic mode the user receives new data on the interactions of users, hosts and operating-system processes in near real time.

  • The write speed of the disk subsystem must exceed the speed of the network flows being analyzed. Short bursts in which the flow speed exceeds the recording speed of the disk subsystem are tolerated;
  • MS Windows: Windows XP SP3, Windows Vista, Windows Vista SP1, Windows Vista SP2, Windows 7, Windows 7 SP1, Windows 8, Windows 8.1, Windows 10;
  • At least 1 GB of free HDD space;
  • The disk space needed for Software operation can be calculated as follows: <Required Disk Space> = <Traffic Speed in Mbps> * 8 * <Storage Days> * 86400 (sec). The result is in megabytes.
    For example, 10 days of guaranteed traffic storage at 100 Mbps require 10 Tb of HDD space (assuming the channel is 100% busy throughout the period);
  • CPU requirements for the Enterprise version depend on the network throughput and on the number of users and local hosts. The Free version has no special CPU requirements;
  • RAM Requirements: Enterprise — at least 16 GB, Free — at least 1 GB.
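The following sizing helper is an added example and is not part of the Stethoscope documentation or software. It works through the retention rule from the list above together with the first requirement (the disk must keep up with the link), and adds the inverse question a practitioner usually asks: how many days will the disks I have actually hold? One unit note: converting a link rate in megabits per second to megabytes written per second means dividing by 8, not multiplying; the division is what reproduces the page's own figure of about 10 TB for 10 days of a fully loaded 100 Mbps channel. The `utilisation` parameter and the decimal TB convention are assumptions made here for the example.

```python
"""Storage sizing for a full-session capture host (added example, not product code).

A link running at R Mbps writes at most R / 8 megabytes per second, so
R * 86400 * days / 8 megabytes are needed to retain `days` of traffic.
"""

SECONDS_PER_DAY = 86_400
BITS_PER_BYTE = 8
MB_PER_TB = 1_000_000  # decimal units, matching "100 Mbps" and "10 TB" on the page


def required_disk_mb(link_mbps: float, storage_days: float, utilisation: float = 1.0) -> float:
    """Megabytes needed to retain `storage_days` of traffic at `link_mbps`.

    `utilisation` is the fraction of the link that actually carries data
    (assumed parameter); 1.0 is the page's worst case of a 100% busy channel.
    """
    if link_mbps < 0 or storage_days < 0 or not 0.0 <= utilisation <= 1.0:
        raise ValueError("link speed and retention must be >= 0, utilisation in [0, 1]")
    megabytes_per_second = link_mbps * utilisation / BITS_PER_BYTE
    return megabytes_per_second * SECONDS_PER_DAY * storage_days


def retention_days(disk_tb: float, link_mbps: float, utilisation: float = 1.0) -> float:
    """Inverse question: how many days of traffic a given number of TB can hold."""
    per_day_mb = required_disk_mb(link_mbps, 1, utilisation)
    if per_day_mb == 0:
        return float("inf")
    return disk_tb * MB_PER_TB / per_day_mb


def disk_keeps_up(link_mbps: float, sustained_write_mb_per_s: float) -> bool:
    """First requirement from the list: sustained disk write rate must exceed the
    link rate, otherwise capture falls behind on anything longer than a burst."""
    return sustained_write_mb_per_s > link_mbps / BITS_PER_BYTE


if __name__ == "__main__":
    mb = required_disk_mb(100, 10)
    print(f"100 Mbps for 10 days: {mb:,.0f} MB = {mb / MB_PER_TB:.1f} TB")
    print(f"10 TB at 100 Mbps lasts {retention_days(10, 100):.1f} days")
    print(f"1 Gbps on a 120 MB/s disk keeps up: {disk_keeps_up(1000, 120)}")
```

Running the module prints the page's 100 Mbps / 10 day case (10.8 TB), shows that a 10 TB array at that rate holds just over 9 days, and that a disk sustaining 120 MB/s is not enough for a fully loaded 1 Gbps link (which needs 125 MB/s), which is the kind of check to run before the host is placed in the channel.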

The current Stethoscope development priority is a module for blocking and replacing traffic based on content objects. Content objects that can trigger blocking include contacts, addresses, applications, protocols, services, character sets, and words and expressions within the transmitted content matched by regular expressions.

The Administrator Manual, which describes the key capabilities of the Stethoscope software interface, can be downloaded from the Documentation page. The document is updated continuously as the Software evolves.

There are three methods of intercepting encrypted traffic:

  • Interceptor outside the client machine, conventional proxy mode. A special proxy server setting is configured for each client. The client browser deliberately forwards all requests to the special server, which terminates the connection and impersonates the requested destination server by forging its certificate, while opening its own connection to the requested server. Data from the server connection are then written into the client connection, and vice versa. So that the client does not reject the forged certificate, a special root certificate is installed into the client's trusted certificates and is used to sign all the forged ones, which is what makes the scheme work.
  • Interceptor outside the client machine, transparent proxy mode. A special router setting routes the whole flow to a proxy server that is hidden from the client. The rest of the scheme is the same as the first one; it differs only in that the client needs no proxy configuration, but the trusted root certificate still has to be installed.
  • Interception directly on the client machine, transparent proxy mode. The processor that receives the unencrypted data is integrated directly into the network stack (driver) of the client machine.

An SSL/TLS-encrypted connection is processed by the Software by preserving the original encrypted traffic, preserving the decrypted traffic, and indexing both the encrypted and the decrypted traffic. Everything else is currently only on the roadmap, including extracting application-protocol objects (emails, links, files, addresses, etc.) from the decrypted traffic and saving and indexing those objects.

  • A simple deployment/integration procedure that requires no additional client equipment and no changes to client equipment;
  • Control at the ordinary-user level;
  • Requires no expensive server equipment for channels up to 1 Gbps;
  • Time Machine (retrospective analysis): the user may shift the viewing window along the time axis to view everything that occurred in the network from a statistical standpoint and [in the roadmap] from the standpoint of the transmitted content or application-protocol objects;
  • [In the roadmap] a plugin-based system for extending analytic capacity (plugins developed by users and by the Company, available from the proprietary marketplace). Combined with retrospective analysis, a plugin connected later can be used to process traffic from the period before the plugin was installed;
  • We continuously improve the software user interface to make its capabilities available to users with minimal IT and IS knowledge.

Here the terms must be defined first. There are network incident investigation systems whose interfaces control the entire incident lifecycle (collecting and normalizing messages, identifying events, registering incidents, investigating and then closing them, assigning employees and deadlines to incidents, etc.), and there are sensor systems that feed information to the former and provide extended information on request to build bodies of evidence or conduct more detailed investigations. The quality of sensor operation, and the minimization of false positives, materially influences the quality of incident identification and investigation.
Currently our software identifies incidents in an automated mode; fully automatic identification is planned [in the roadmap]. An example of automated identification: the user regularly (daily or weekly) searches the graphs and tables for the hosts and/or processes that used the most network resources in a given period (the last day or week). Having identified those objects, the user obtains information on the external resources involved in that use of the network throughput. Automatic modes include, for example, content searches (a user sending out a CV document) and searches for combinations of traffic statistics over a period that indicate abnormal behavior (an accountant's host having 100 contacts with other hosts indicates a virus scanning the network, the accountant doing something other than official duties or, in the extreme case, the network being misconfigured by the administrators).
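The two analyses described above, as an added example that is not part of the Stethoscope product: ranking hosts and processes by bytes used in a period, listing the external peers behind one consumer's usage, and flagging a host whose number of distinct internal contacts is abnormal (the "accountant's host with 100 contacts" case). The session record layout, the 10.0.0.0/8 internal range, the process names and all sample sessions are constructed here for illustration and are not taken from the product.

```python
"""Automated-identification queries over constructed session records (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    start: datetime
    src: str          # internal host that opened the session
    dst: str          # peer address, internal or external
    process: str      # process name on the internal host
    bytes_total: int  # bytes in both directions


INTERNAL = ip_network("10.0.0.0/8")      # assumed LAN range for the example
SAMPLE_END = datetime(2018, 4, 2, 0, 0)  # end of the reporting period in the sample


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def in_period(sessions, end: datetime, days: int):
    """Sessions that started within the `days` before `end`."""
    start = end - timedelta(days=days)
    return [s for s in sessions if start <= s.start < end]


def top_consumers(sessions, end, days, n=3):
    """(host, process) pairs that used the most bytes in the period, highest first."""
    usage = Counter()
    for s in in_period(sessions, end, days):
        usage[(s.src, s.process)] += s.bytes_total
    return usage.most_common(n)


def external_peers(sessions, end, days, host, process):
    """External resources behind one consumer's usage, highest first."""
    peers = Counter()
    for s in in_period(sessions, end, days):
        if s.src == host and s.process == process and not is_internal(s.dst):
            peers[s.dst] += s.bytes_total
    return peers.most_common()


def fanout_anomalies(sessions, end, days, max_contacts):
    """Internal hosts that contacted more distinct internal hosts than `max_contacts`."""
    contacts = defaultdict(set)
    for s in in_period(sessions, end, days):
        if is_internal(s.dst):
            contacts[s.src].add(s.dst)
    return sorted((h, len(p)) for h, p in contacts.items() if len(p) > max_contacts)


def build_sample():
    """Constructed sample: a heavy downloader, a normal browser, an old session
    outside the period, and one host touching 120 LAN peers with tiny sessions."""
    t0 = datetime(2018, 4, 1, 9, 0)
    sessions = [
        Session(t0, "10.0.1.20", "203.0.113.10", "updater.exe", 900_000_000),
        Session(t0 + timedelta(hours=1), "10.0.1.20", "198.51.100.7", "updater.exe", 300_000_000),
        Session(t0, "10.0.1.30", "203.0.113.10", "browser.exe", 50_000_000),
        Session(t0 - timedelta(days=3), "10.0.1.30", "203.0.113.10", "browser.exe", 5_000_000_000),
    ]
    sessions += [
        Session(t0 + timedelta(minutes=i), "10.0.1.50", f"10.0.2.{i}", "svchost.exe", 1_000)
        for i in range(1, 121)
    ]
    return sessions


if __name__ == "__main__":
    data = build_sample()
    for (host, proc), used in top_consumers(data, SAMPLE_END, days=1):
        print(f"{host} {proc}: {used:,} bytes; external peers: "
              f"{external_peers(data, SAMPLE_END, 1, host, proc)}")
    print("fan-out anomalies:", fanout_anomalies(data, SAMPLE_END, days=1, max_contacts=100))
```

The byte ranking alone would never surface the sweeping host, which moved only 120 KB; it is the distinct-peer count that exposes it, which is why the statistic-combination search is listed separately from the top-talker report.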

Stethoscope Free

A fully functional version of the program for personal use, solving basic network-activity control and analysis tasks.

Version history

    04/11/2018 1.5.6
      - Low values became more noticeable on the gross graph;
      - Detailed description of the errors displayed to the user has been added;
      - Keyboard control in the content display area of sessions has been added;
      . . .
    01/31/2018 1.5.5
      - The possibility of filtering network sessions by DNS node names has been added;
      - The possibility of searching in the network session content window has been added;
      - The possibility of selecting multiple network sessions for export to a file has been added;
      . . .
    10/13/2017 1.5.4
      - The possibility of viewing session data directly in the Console has been added;
      - The possibility of exporting the displayed session data, with all session data obtained in advance, has been added;
      - Current status indication for the indexing and saving services and the application server has been added;
      . . .