*****************************************************************
*********  Bloodhound Beta  *********  Bloodhound Beta  *********
*****************************************************************

	    *******************************************

	     Frequently Asked Questions:  Test Release
			     B3FAQ.TXT

	    *******************************************


A:  CAPTURING

1.  I can't see traffic between machine A and machine B.  Why 
    not?
2.  Why am I getting the popup "No network drivers were 
    found..."?
3.  Why is Bloodhound running in the view only mode?
4.  Why does my machine crash sometimes during capture?
5.  The service starts just fine and Bloodhound loads okay, but 
    when I start a capture I get the error "Promiscuous mode not 
    supported". Why?
6.  Why do my Network Card (MAC) Statistics section and Network
    Card (MAC) Error Statistics section of the statistics pane in
    Capture window keep on returning 'Unsupported'?
7.  What is remote capturing?


B:  READING FILES

1.  Why can't I load a Bloodhound file?
2.  Why can't I open this Network General sniff?
3.  Are there any other kinds of files I can read?


C:  NETWORK CARDS AND PROTOCOLS

1.  Why can't I use my XXX card?  When will I be able to?
2.  What is the difference between NDIS 2.0 and NDIS 3.0 drivers?


D:  OTHER

1.  How do I know which build of Win32s is being used?
2.  How much space is required on my machine for Bloodhound?
3.  How can I set a filter to apply every time I run Bloodhound?


			AND THE ANSWERS
			===============


A:  CAPTURING

1.  I can't see traffic between machine A and machine B.  Why 
    not?

	In order to intercept traffic between two machines, you 
	must be monitoring the same subnet that those two 
	machines are on.  In a token-ring environment, you have 
	to be monitoring physically between A and B on the ring.
	Also, be sure your filters are set correctly.

2.  Why am I getting the popup "No network drivers were 
    found..."?

	There are several reasons why you could get this message.
	The most common one is that you've changed what the 
	setup program gave you.  
	a) If you are using WfW, the VXD (VBH.386) is not 
	   loaded properly from your SYSTEM.INI.
	b) If you are using WfW, "NAL=NDIS20 NDIS30" is missing 
	   from your BH.INI.

	If fixing these does not make the problem go away (don't 
	forget to reboot!), you need Professional Help.  File a 
	bug report and include your CONFIG.SYS, AUTOEXEC.BAT, 
	PROTOCOL.INI and SYSTEM.INI.

3.  Why is Bloodhound running in the view only mode?

	You did not enter the capture-mode password.

4.  Why does my machine crash sometimes during capture?

	Your problem may be one of memory management.  Bloodhound 
	may have a problem with SmartDrive from MS-DOS 6.0, so 
	you may want to try commenting out SmartDrive.  
	As well, be sure to exclude memory for both your net card 
	and for Bloodhound. You should have a line in your 
	CONFIG.SYS that looks like this:
		DEVICE=EMM386.EXE NOEMS X=<CARD MEM> X=<other mem to exclude>
	Look in your hardware manual to find out what memory to 
	exclude for the network card.

5.  The service starts just fine and Bloodhound loads okay, but 
    when I start a capture I get the error "Promiscuous mode not 
    supported". Why?

	Some network card drivers do not support promiscuous 
	mode.  This is needed to capture packets from the 
	network.  Contact the vendor and encourage them to update 
	their driver.

6.  Why do my Network Card (MAC) Statistics section and Network
    Card (MAC) Error Statistics section of the statistics pane in
    Capture window keep on returning 'Unsupported'?

	These are statistics that are provided to Bloodhound from 
	the Network Card, also known as the Media Access Control 
	or MAC.  Thus it is up to the developer of the network 
	card driver to choose to return these stats, or not.

	Microsoft does not write all NIC drivers.  If the 
	developer who wrote the system software driver for your 
	network card chose not to return them, Bloodhound would 
	not be able to display them.  It's the driver as opposed 
	to the net card that determines whether you will get 
	stats in the MAC boxes in the stats pane of the Network 
	Capture window.

7.  What is remote capturing?

	One of the fundamental requirements of Bloodhound is the 
	ability to capture remotely from another network segment 
	or RAS gateway.  To accomplish this, a remoteable 
	Bloodhound driver has an additional NAL DLL that provides 
	the essential NAL APIs (see Bloodhound Network 
	Abstraction Layer Specification, Network.doc).  The 
	client-side Remote Network Abstraction Layer, or RNAL, 
	establishes a connection with another, server-side RNAL 
	(SSRNAL) on the remote Bloodhound machine and passes the 
	API requests from the local Bloodhound to the remote 
	Bloodhound.  The SSRNAL reissues each API request to the 
	actual NAL that will process it.  Effectively an RNAL is 
	a Kernel/NAL shim that looks like a NAL to the Kernel 
	(Client Side) and a Kernel to the NAL (Server Side).

	All this allows you to capture packets that your local
	machine would not normally see, for example packets on 
	the other side of a router or a learning bridge, as long
	as you can connect to a remote agent in that segment of
	the network.

	When using the remote capturing capability, be sure you
	do not overcommit on the capture buffer.  If you set the
	capture buffer too large, you may cause paging and other
	worse behaviour.
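
	The Kernel / client-side RNAL / server-side RNAL / NAL 
	layering described above, as an added example that is not 
	Bloodhound's own code.  The NAL interface, request layout, 
	return codes and the server-side buffer ceiling are 
	assumptions made for illustration (the real API is defined 
	in Network.doc), and a direct function call stands in for 
	the network connection.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical NAL interface; the real API is in Network.doc, not on this page. */
typedef struct Nal {
    int (*start_capture)(struct Nal *self, uint32_t buffer_bytes);
    void *ctx;                          /* implementation-private state */
} Nal;
typedef struct { uint8_t op; uint32_t buffer_bytes; } RnalRequest; /* wire form */
enum { OP_START_CAPTURE = 1 };
enum { RNAL_OK = 0, RNAL_BAD_REQUEST = -1, RNAL_BUFFER_TOO_LARGE = -2 };

/* Actual NAL on the remote machine: records the buffer it was asked for. */
typedef struct { uint32_t granted_bytes; } RealNalState;
static int real_start(Nal *self, uint32_t buffer_bytes) {
    ((RealNalState *)self->ctx)->granted_bytes = buffer_bytes;
    return RNAL_OK;
}

/* Server-side RNAL: acts as the Kernel toward the actual NAL. */
typedef struct { Nal *real; uint32_t max_buffer_bytes; } ServerRnal;
static int server_dispatch(ServerRnal *srv, const uint8_t *wire, size_t len) {
    RnalRequest req;
    if (len != sizeof req) return RNAL_BAD_REQUEST;
    memcpy(&req, wire, sizeof req);
    if (req.op != OP_START_CAPTURE) return RNAL_BAD_REQUEST;
    /* Assumed policy: refuse buffers that would overcommit the remote host. */
    if (req.buffer_bytes > srv->max_buffer_bytes) return RNAL_BUFFER_TOO_LARGE;
    return srv->real->start_capture(srv->real, req.buffer_bytes); /* reissue */
}

/* Client-side RNAL: a NAL to the local Kernel; a direct call replaces the network. */
static int client_start(Nal *self, uint32_t buffer_bytes) {
    RnalRequest req;
    uint8_t wire[sizeof req];
    memset(&req, 0, sizeof req);        /* no stray padding bytes on the wire */
    req.op = OP_START_CAPTURE; req.buffer_bytes = buffer_bytes;
    memcpy(wire, &req, sizeof req);
    return server_dispatch((ServerRnal *)self->ctx, wire, sizeof wire);
}

/* Wire the layers together and issue one request as the local Kernel would. */
int demo_remote_start(uint32_t requested, uint32_t server_cap, uint32_t *granted) {
    RealNalState state = { 0 };
    Nal real = { real_start, &state };
    ServerRnal srv = { &real, server_cap };
    Nal remote = { client_start, &srv };  /* the only NAL the Kernel sees */
    int rc = remote.start_capture(&remote, requested);
    *granted = state.granted_bytes;
    return rc;
}
```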


B:  READING FILES

1.  Why can't I load a Bloodhound file?

	Your computer may be low on memory.  You can either close 
	other Bloodhound views or other Windows applications.

2.  Why can't I open this Network General sniff?

	If you try to load a Network General sniff and you get a
	blank data screen, that means that Bloodhound cannot read
	that sniff.

	Network General version 4.3 files can be saved in a 
	compressed format.  If saved that way, Bloodhound is 
	unable to read them because Network General has not made
	its compressed format public.

3.  Are there other vendors' network analyzer files I can read?

	We support the Bloodhound format and the Network General 
	(NG) format.  If you must read a file in another format, 
	try using a utility to translate it to NG format, then 
	read it in Bloodhound.  One such utility is the Protocol 
	Analyzer Trace Translator (PATT), by the Pine Mountain 
	Group, Groveland, California.  NOTE: no guarantees for 
	this or other translator software; we haven't tested any.

	Another workaround is to load the file into a network
	analyzer that can read that format, transmit the frames
	over a private network, and capture them using 
	Bloodhound.


C:  NETWORK CARDS AND PROTOCOLS

1.  Why can't I use my XXX card?  When will I be able to?

	With most cards, Bloodhound should operate fine, just 
	without complete information.  We do not expect an 
	improvement in how network cards work with Bloodhound 
	until network card manufacturers develop drivers that 
	work well in promiscuous mode.


2.  Why isn't Bloodhound supported with NDIS 2.0?

	NDIS20 drivers are real-mode drivers, and Bloodhound has 
	to literally jump through hoops (ring transitions etc.) 
	to work with them.  NDIS20 drivers tend to drop more 
	frames due to the extra overhead.  
	NDIS30 drivers, on the other hand, are completely 
	protected mode, and the model is so clean that the amount 
	of overhead is relatively minimal.
	NDIS20 drivers vary widely in quality and in their 
	ability to handle the promiscuous mode that Bloodhound 
	requires.  
	

D:  OTHER

1.  How do I know which build of Win32s is being used?

	The build number can be found in the WIN32S.INI file in 
	your windows directory.

2.  How much space is required on my machine for Bloodhound?

	The application takes up 2.0 MB in the directory where 
	you install it, usually c:\bh.
		BH: 2.01 MB
	The Windows NT Driver takes 32 KB in 
	\winnt\system32\drivers.
		WINNT: 32 KB
	The WIN32s Drivers take 1.2+ MB in \windows\system.
		WIN32S: 1.2+ MB

	Total for Windows NT:   BH+WINNT= 2.05 MB
	Total for Windows, WfW: BH+WIN32S= 3.0 MB

3.  How can I set a filter to apply every time I run Bloodhound?

	Save the filter as default.cf if it is a capture filter
	or as default.df if it is a display filter.  WARNING!  If
	you do this, and wish to return to capturing all frames,
	you have to enter the capture all frames filter yourself!

