



Installing CallerIP   

First, make sure that you meet the minimum requirements for your platform, including the proper Java VM, then download and install CallerIP:

Run the 'cip.exe' install program by opening the file or double-clicking the filename, then follow the instructions.

Running CallerIP   

To run CallerIP, go to Start / Programs / CallerIP and click on CallerIP.

Running CallerIP for the first time   

When you run CallerIP for the first time, the dialog box below will appear:


Autostart Dialog

You can choose whether or not you want CallerIP to start when Windows starts.

The second option is which edition you want to trial; see image below:


Trial Select Window

Simply click either the Standard Edition or the Professional Edition, then click the 'Ok' button. If you have a key and want to enter it, click the 'Click here if you would like to enter a license key you've already purchased' link.

CallerIP License Key   

When you have selected the language, you have to enter your license key (if you have bought one). This can be done by either clicking the link on the top part of the GUI to bring up the license key dialog, or by going through the menus (Help --> Enter License key...).

Once "license key" has been selected you will get the dialog below. Simply highlight your license key, copy and paste it into the license dialog below, and click ok.


License Key

CallerIP Display   

The image below shows the advanced display for CallerIP. The simplified display is the same, except that the CallerIP table is not shown; it has just the world map.


CallerIP Display

The image above is numbered 1-6, indicating various features of the display:

1. The World Map - When a connection is made it will be displayed on the world map to show you where the connection originated.
2. Plot all connections - When this button is clicked it will display cross hairs on the world map for every connection in the table. Connections that do not have a country assigned to them (country column) will not be plotted. Connections that come up as just 'EU' will not be plotted as the connection could be anywhere in Europe.
3. Connections Table - This is a list of the connections currently occurring on the machine CallerIP is running on. It includes information such as Country, whether the connection is incoming or outgoing, IP address, Local IP and port number etc.
4. Run VisualRoute - If you have VisualRoute installed on your machine then you can run a more detailed trace by clicking this link and using VisualRoute.
5. Identification Report - see below
6. Connections History - see below
7. CallerIP Server Icon (Professional Edition only) - a shortcut to the CallerIP Server dialog box
8. Caller History Log Search Icon (Professional Edition only) - a shortcut to the Caller History Log Search dialog box.
9. Minimize window - this minimizes the CallerIP window to the condensed display.

CallerIP gives you the choice to have as much or as little information on the screen as possible. You will see on the image above that you can 'hide' any of the screens you see above. Fig 4.1 shows CallerIP with all windows showing.

To analyze a remote IP, or an IP in the 'Callers History', all you have to do is click on the IP address you wish to analyze. You can also enter an IP of your choice and click the 'Go' button at the end of the address bar to create a report.

When 'Plot all Connections' has been chosen on the world map, you will be able to see each connection for a particular country by moving your mouse over that country name. The connections list will appear like the image below:


Roll Over Connections Display

If you wish to then analyze one of the IP's, just click on one from the list and CallerIP will bring up the Identification Report for it on the right hand side window (point 5 in the CallerIP display above).

Identification Report   

Identification Reports can be produced for any connection listed in CallerIP. You will see in the screenshot above (CallerIP Display) that remote IP's are linked, as are the IP's in the Connections History box. By clicking on any of these CallerIP will produce a report. The Map will show the location of the Caller (IP) and the 'Identification Reports' box will show more detailed information. See image below:


Identification Report

The Identification Report will give you contact details in the way of email address, phone number and address. By scrolling down you will be able to see domain information as well, which shows who the domain is registered to and contact details. In the image above you will see a 'Show full results' link at the bottom of the window. By clicking this you will see a lot more technical information in a raw format. See image below:


Identification Report Raw Information

Connection History   

The dialog box directly below the Identification reports shows the Caller History. This shows connections that have been made to or from a number of systems that are listed in the Caller History window. See image below:


Connection History

As mentioned before, any one of these connections can be clicked to produce a report.

On the left hand side of the IP's you will see 3 different color lights.

Green - This means that the IP connecting to your machine is definitely not a hacker!

Amber - This means that the IP connecting to your machine is almost definitely not a hacker!

Red - This means that the IP connecting to your machine is more likely to be a hacker BUT it does NOT mean "Definitely hacker"!

This list also supports right clicking. By right clicking on an IP you get a few options as shown below:


Right click options

The first option allows you to do a 'Look up' of the IP. This plots the location on the map and produces an Identification Report for the IP.

The second option allows you to run a search for that IP address in your CallerIP logs (Professional Edition only).

The third option allows you to set an alarm for when that IP next connects to your machine (Professional Edition only).

Listening Ports   

To get to the listening ports window go to the 'Tools' menu and choose 'Listening Ports...'. You will get a window like the one below:


Listening Ports window

This window shows which tasks your system has listening on which ports. The information is sorted by ascending port number. As mentioned in the last section of the manual, colored lights to the far left of the port number indicate the threat level of the connection.

By clicking on the port number you will get a description of the connection on that port in the yellow box below the list of port numbers. The task running on that port is shown to the right hand side of the port number in the ports list at the top of the window.

CallerIP Knowledge base   

CallerIP has the ability to scan all the ports on your machine and see if there are any backdoors, HTTP Web servers, FTP Web servers or SMTP Servers running. If there are, CallerIP will pop up with a warning to let you know. You may have a Web server setup deliberately, in which case you can tell CallerIP not to warn you again. If you want more information about what is running on your machine and instructions on how to disable it then you can go to the CallerIP Knowledgebase (there will be a link in the pop up dialog box.)

The Knowledgebase will tell you what port the backdoor or server is running on and what the IP address is, plus information on how to disable it. If you have a server running and you choose to see more information you will get a screen like the one below:


Server Running

The image below is the screen you should get if you have a backdoor running on your machine:


Backdoor running

Menu Options   

File:

    Save Map... -- Allows the user to save the current map view
    Save Report... -- Allows the user to save the current report view
    Save Connections Information... -- Allows the user to save the current connections view
    Print -- Allows the user to print the CallerIP screen
    Exit -- Exits CallerIP
Options:

    Use condensed view -- By clicking this option, CallerIP will minimize to the condensed view.

    Show Report -- The user can tick or un-tick this option which either shows or hides the Report view in CallerIP

    Show Callers History -- The user can tick or un-tick this option which either shows or hides the Callers History view in CallerIP
    Show Current Callers -- The user can tick or un-tick this option which either shows or hides the Current Callers view in CallerIP
    Preferences... -- Brings up the preferences dialog box
Tools:

    Listening Ports... -- Launches a window that shows you the current connections on ports on your machine.
    Alert Management... -- Launches a window that allows you to configure various alarms when connections are made.
    Callers History Log Search... -- Allows you to search through the history of connections made to or from your machine.
    CallerIP Server... -- Allows you to set up the CallerIP Server.

Help:
    CallerIP Help... -- Launches the in product help file.
    Product Feedback... -- Launches a browser and browses to the Visualware Product Feedback Page
    Visualware Homepage... -- Launches a browser and browses to the Visualware Homepage
    Visualware Support... -- Launches a browser and browses to the Visualware Support Request page
    Frequently Asked Questions... -- Launches a browser and browses to the CallerIP FAQ
    How to Purchase... -- Launches a browser and browses to the Visualware Purchase Page
    Newsletter Signup... -- Launches a browser and browses to the Visualware Newsletter Signup Page
    Enter license key... -- Launches the License key dialog box which allows you to enter your key and register CallerIP
    About... -- Launches the 'About' dialog box with current version and key data

Preferences   

Below is the preferences dialog box:


Preferences

The logging and notification options do what they say; check them if you want them and uncheck them if you don't.

Connections table options:

    Only show connections which have been established to remote hosts -- This option hides connections which are established to hosts on the local network. This is important as it is not the same as the Established option below, which would include LAN connections.
    Only show connections with the following states:
    Established -- The connection is in progress and active.

    Listening -- The connection has not been established, but the system is waiting on that IP address/port for an incoming request. For example, an HTTP server would be listening on port 80.

    Time Wait -- The connection is shutting down.

    SYN Sent/Received -- The connection is being established.

    FIN Wait -- Waiting for the other side of the connection to acknowledge closure.

    Closing -- All the last data has been sent, no more waiting is necessary and the socket is being closed.

Note that none of the options above affect the Caller's History dialog box in CallerIP. The options that affect that box are at the bottom of the preferences dialog box under 'Caller History List Options.'
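
The difference between the 'remote hosts' option and the 'Established' state filter, shown as an added example that is not part of CallerIP or the original manual. It assumes IPv4 rows in the layout of Windows `netstat -ano` (the sample is constructed), that the manual's state labels map to the netstat state names shown, and that "local network" means the RFC 1918, loopback and link-local ranges.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano` (not captured data).
SAMPLE = """\
  TCP    0.0.0.0:80           0.0.0.0:0          LISTENING     1204
  TCP    0.0.0.0:135          0.0.0.0:0          LISTENING     880
  TCP    192.168.1.20:49712   192.168.1.5:445    ESTABLISHED   4
  TCP    192.168.1.20:49801   203.0.113.10:443   ESTABLISHED   3120
  TCP    192.168.1.20:49850   198.51.100.7:25    SYN_SENT      2216
  TCP    192.168.1.20:49733   203.0.113.44:80    TIME_WAIT     0
  TCP    127.0.0.1:5354       127.0.0.1:49670    ESTABLISHED   2764
"""

# Assumption: the manual's state labels map to these netstat state names.
STATES = {"Established": {"ESTABLISHED"}, "Listening": {"LISTENING"},
          "Time Wait": {"TIME_WAIT"}, "SYN Sent/Received": {"SYN_SENT", "SYN_RECEIVED"},
          "FIN Wait": {"FIN_WAIT_1", "FIN_WAIT_2"}, "Closing": {"CLOSING"}}

# Assumption: "local network" means RFC 1918, loopback and link-local ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

def parse(text):
    """Return one dict per IPv4 TCP row; other rows are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[1].startswith("["):
            continue  # headers, UDP rows (no state column), IPv6 rows
        (lip, lport), (rip, rport) = f[1].rsplit(":", 1), f[2].rsplit(":", 1)
        rows.append({"local": lip, "lport": int(lport), "remote": rip,
                     "rport": int(rport), "state": f[3], "pid": int(f[4])})
    return rows

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def by_state(conns, *labels):
    """State filter: keeps LAN and loopback peers as well as remote ones."""
    wanted = set().union(*(STATES[l] for l in labels))
    return [c for c in conns if c["state"] in wanted]

def established_remote(conns):
    """'Established to remote hosts': established AND peer off the local network."""
    return [c for c in by_state(conns, "Established") if not is_local(c["remote"])]

def listening_ports(conns):
    """Listening sockets as (port, pid), ascending by port as in the Listening Ports window."""
    return sorted((c["lport"], c["pid"]) for c in by_state(conns, "Listening"))
```

On the sample, the state filter returns three established connections (LAN, remote and loopback), while the remote-hosts filter returns only the one to 203.0.113.10.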

Alert Management (Professional Edition Only)   

The alert management feature of CallerIP is for Professional edition users only and can be accessed by going to the 'Tools' menu and choosing 'Alert Management...'. You will get a dialog box like the one below:


Alarm rules

To add a new rule click the 'Add' button to the right hand side of the window to launch the dialog box below:


Rule Creator

This window is split into sections.

First Section

The first section, Choose alarm actions, is where you choose the type of action you want to occur when an alarm is triggered. The three options you have are Send an email, Display a warning dialog box and Append to a log file. If you choose 'Send an email' you will need to enter your email settings. A link will appear in section 3 of the Rule Creator window that allows you to do this. By clicking it you will get the dialog box below:


eMail settings

The settings are self explanatory; you first have to enter the email address you want to send the alert to, along with any CC's and a subject. You then have to enter the SMTP server and the port number that server is running on in order for the email to send successfully.

If you choose the 'Append to a log file' option you need to specify which file. Again a link will appear in section 3 which you need to click in order to get the dialog box below:


File name

Simply enter the file name (eg. c:\CallerIP\alarm.txt) and click the ok button.

Second Section


Second section

This section is where you specify the criteria needed for an alarm to be triggered. The various options you have to choose from are listed in the image above. Simply check the alarm conditions you want. With each option you check a link will appear in section 3 that allows you to specify the IP, port number, process number etc depending on which option you have chosen.

Third Section


Third Section

This section is the review section. It allows you to see all the criteria you have set for an alarm. You will see the various 'Click here to select' links in the image above, these are used to enter specific settings to do with the option you chose. For example if you wanted to trigger an alarm when a connection was made from or to Italy you would have to click on the 'Ascension Island' link and choose Italy from a drop down menu. The reason Ascension Island is there initially is because it is the first country in the list.

Fourth Section

This section is where you simply name the alarm.


Choose a name for this alarm

Simply enter the name you want for this alarm and click the ok button once you are happy with all the criteria you have set.

Caller History Log Search (Professional Edition Only)   


Advanced Search and Filter

The advanced search and filter option allows you to quickly search through log files to find the data you want. As you can see in the image above there are numerous parameters you can enter in order to find the information you want.

Simply enter the parameters you want to search for then click the 'Find Now' button. A table will then appear below showing the results as the image shows below:


Filter Results

CallerIP Server (Professional Edition Only)   

The CallerIP Server is only available in the Professional edition. To configure the server go to the 'Tools' menu and choose 'CallerIP Server...' or click the CallerIP Server icon on the main display (denoted by the number 7 in the display section of the manual). By doing this you will get the dialog box shown below:


Server dialog box

To configure the server click the 'Preferences' button to get the following dialog box:


Server preferences

In this dialog box you need to choose the IP address and port number you want the server to run on. You can also change the username and password; the default password is 'hello' but we recommend changing this to something more secure. The 'Change Password...' button takes you to a typical password change dialog box. Once you have done this click the 'Ok' button to return to the first dialog box.

If the server has not already started running you can click the 'Start' button and then the 'Test' button to see what the server window will look like. Once you have started the server running, go to 'Start --> Control Panel --> Administrative Tools --> Services' and change the Visualware CallerIP service to start automatically.

... Now the CallerIP server will start on every boot.

The server window will look something like this. The link will launch a pop up browser as the image is too large to display in the manual.

CallerIP in condensed mode    

To condense CallerIP you can either:

- go to the options menu and choose 'Use Condensed View' or
- click the minimize toolbar button as shown by number 9 in the CallerIP Display image above

The condensed view gives a useful overview of current and past callers.

The following dialog is shown:

  • Connections graded as potentially malevolent are shown next to the red indicator.
  • Connections graded as unlikely to be malevolent are shown next to the amber indicator.
  • Connections graded as safe are shown next to the green indicator.

In each case, the current figure indicates the number of currently active connections, and the total figure the number of current and past connections. Any of the indicators can be clicked for a list of callers. These in turn can be selected to perform a trace on them.

The green 'arrows' button is used to reset the history count.
The black 'expand' button is used to return to the main window.

By clicking on one of the indicators you get a list of the IP's associated with the connections as shown below:

By clicking on one of the IP's, CallerIP will maximize and then produce an Identification Report with details of that IP.

 


  Copyright © 1997-2006 Visualware Inc. · All Rights Reserved