
SANS ISC: CVTWIN - Reference Documentation


Latest version: 2.0.22    Changelog
Download CVTWIN: Complete installation.    Installation instructions.
Download update: If you already have CVTWIN installed.    Update instructions.

Getting Going

Reference for when you get stuck

Send any questions about CVTWIN to

Check for the most recent version of CVTWIN.


Use this program to convert your firewall logs to DShield format and email them to This is an interactive Windows program, but it can also be configured as a task in the Windows Task Scheduler so you can have "set and forget" DShield log submission.

Even though setting this client program up to submit your firewall logs to DShield is easy, it will go faster if you have this information collected ahead of time:

  • Login information: You will need the email address you used when you signed up for your DShield account, along with the User ID that DShield assigned you after you signed up.
  • Your Firewall: You need to know the name of your firewall and the location of the log file that it writes. More info.
  • Mail server: You should know the name of the SMTP Server that your email program uses to send mail. More info.

This is pretty much all that you need to know. If you know this information, then you can dive in and install CVTWIN and skip the rest of these docs.


Even though you don't have to set up a DShield account before you submit logs, it is better all around if you do. If you set up an account, you will be able to

  • See the logs that you have submitted to DShield, with logs that indicate potential security problems highlighted.
  • Enable DShield to send Fightback to ISPs on your behalf, based on the logs that you submit. You can review a summary of the abuse reports that have been sent on your behalf, along with any replies that the ISP sent.

You can sign up right here. After you sign up you will be sent an email with your user ID. You enter this information in the CVTWIN client so it can submit your logs to your account.

If you already have a DShield account, you can log in from here.


Download and unzip CVTWIN-SETUP.EXE, run the SETUP.EXE program and follow the prompts.

After SETUP.EXE has completed, run
Start / Programs / DShield / DShield Universal Firewall Client.


If you have already installed CVTWIN, v. 1.0.17, or later, then you can update to a new version by downloading CVTWIN-UPDATE.ZIP. Follow the instructions at

If you are using a version earlier than 1.0.17, then you must upgrade by downloading CVTWIN-SETUP.EXE, unzipping it and running SETUP.EXE. You must first uninstall the previous version. Select Control Panel, Add/Remove Programs. Choose DShield Universal Firewall Client and click on Add/Remove... When it finishes uninstalling, run SETUP.EXE to install the new version.

Help / About to check your version.


When you first start CVTWIN, it will display a short summary of instructions.

But, the first thing you need to do is to configure it so it will work. So go to the Configuration page.


Now test the configuration by selecting File / Convert. CVTWIN will attempt to convert the log file you specified, using the converter for the firewall you specified. The results of the conversion will be displayed. (This example shows a ZoneAlarm log conversion.)

CVTWIN opening screen

This display is a combination of your original log file with each line's conversion displayed. If it was able to be converted to DShield format, then the converted line will be shown. If it wasn't able to be converted for some reason, it will display the reason why it wasn't converted.

Other file menu choices:

  • View Log File: Displays your firewall's log file, unconverted.
  • View DShield File: Displays the converted file. This is what will be emailed to DShield. This menu item is only enabled after a conversion.
  • View Status File: This is the combination that displays both the original log and the results of the conversion. It is the same thing that you see immediately after a conversion.
  • Filtered IPs: Displays any lines that were filtered out based on IP addresses that are in the Source IP Filters and Target IP Filters (from the Edit menu). These are typically IP addresses that you want filtered out and not sent to DShield. Examples include "reserved" IPs (that are only valid on a local LAN and shouldn't appear on the Internet), and known security scanning sites (such as the "Shield's Up" security scan).
  • View CVTWIN log: CVTWIN writes its own log of each conversion and email operation.
  • View Summary: A detailed summary of the most recent conversion.

A detailed description of the File Menu commands is at the File Menu Reference.


After you are satisfied with the conversion, select File / Email to to send the log to DShield.

  • Email to report@dshield: Emails the converted DShield log to DShield. If you have enabled "Also send a copy to yourself", it will, um, also send a copy to you.
  • Email test to .....: For testing. Will send the converted DShield log to you (and not to DShield.) Just so you can see that everything is working.


Quite often you want to exclude certain log lines from being sent to DShield. Examples are IPs in "reserved" IP ranges (that are only valid for local LAN use), and IPs associated with known security scanning services. If you have done a security scan locally, you'd want to exclude the IP of the machine that did the security scan.

Filter settings available from the Edit menu:

  • Source IP: Reject source (remote) IPs from this list. Enter individual IPs or IP ranges, separated by a "-" character.
  • Target IP: Reject target (local) IPs from this list.
  • Source Port: Reject source ports from this list. Enter either individual ports or a range of ports separated by a "-". You can also limit the filter to a single protocol by appending the protocol to the filter separated by a comma. (21 - 25, TCP)
  • Target Port: Reject target ports from this list. Enter these the same way as Source Ports.
  • Line Inclusion: Only include log lines that contain these phrases. You probably don't need to use this, but this filter was implemented in case you needed to do some tricky filtering that couldn't be accomplished any other way. It will only include log lines that contain the words or phrases in this filter.
  • Line Exclusion: Exclude log lines that contain these phrases.

    Both Line filters are case insensitive.

After you do a conversion, you can check to see what log lines were excluded by the exclusion filters by clicking on File / View Filtered IPs.

In addition to using these filters to prepare the log that will be sent to DShield, you can also use these filters to do a form of analysis on your log. For example, if you were interested in how many SubSeven accesses you are getting, you could put "27374" in the target port filter and do a conversion. Then look at File / View Filtered Lines.

If you do use the filters for this type of analysis, don't forget to restore them to the way they should be for normal DShield processing. The # (comment) character is handy for commenting out filter lines that you want in the filter, but don't want to enable.
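The following added example (not CVTWIN's own code, which is written in Visual Basic 6) models the IP and port filter syntax described above and reproduces the SubSeven counting trick. The record layout, the function names and the treatment of "#" as a whole-line comment are assumptions made for illustration, and the sample records are constructed.

```python
import ipaddress

def active(lines):
    """Filter entries with blank lines and '#' comment lines removed (assumed)."""
    return [l.strip() for l in lines
            if l.strip() and not l.strip().startswith("#")]

def parse_ip_filter(lines):
    """'a.b.c.d' or 'a.b.c.d - e.f.g.h' -> list of (low, high) addresses."""
    ranges = []
    for entry in active(lines):
        low, _, high = (p.strip() for p in entry.partition("-"))
        low = ipaddress.IPv4Address(low)
        ranges.append((low, ipaddress.IPv4Address(high) if high else low))
    return ranges

def parse_port_filter(lines):
    """'27374' or '21 - 25, TCP' -> list of (low, high, protocol or None)."""
    rules = []
    for entry in active(lines):
        span, _, proto = entry.partition(",")
        low, _, high = (p.strip() for p in span.partition("-"))
        rules.append((int(low), int(high) if high else int(low),
                      proto.strip().upper() or None))
    return rules

def ip_hit(ip, ranges):
    addr = ipaddress.IPv4Address(ip)
    return any(low <= addr <= high for low, high in ranges)

def port_hit(port, proto, rules):
    # A rule without a protocol applies to every protocol.
    return any(low <= port <= high and rule_proto in (None, proto.upper())
               for low, high, rule_proto in rules)

def split_log(records, source_ip=(), target_ip=(), source_port=(), target_port=()):
    """Return (kept, filtered); each filtered entry names the filter that hit."""
    src_ranges, dst_ranges = parse_ip_filter(source_ip), parse_ip_filter(target_ip)
    src_ports, dst_ports = parse_port_filter(source_port), parse_port_filter(target_port)
    kept, filtered = [], []
    for rec in records:
        if ip_hit(rec["src"], src_ranges):
            reason = "Source IP"
        elif ip_hit(rec["dst"], dst_ranges):
            reason = "Target IP"
        elif port_hit(rec["sport"], rec["proto"], src_ports):
            reason = "Source Port"
        elif port_hit(rec["dport"], rec["proto"], dst_ports):
            reason = "Target Port"
        else:
            kept.append(rec)
            continue
        filtered.append((reason, rec))
    return kept, filtered

# Constructed sample records (documentation address ranges, not real traffic).
RECORDS = [
    {"src": "192.168.1.50", "sport": 1025, "dst": "203.0.113.7", "dport": 80, "proto": "TCP"},
    {"src": "198.51.100.23", "sport": 4000, "dst": "203.0.113.7", "dport": 27374, "proto": "TCP"},
    {"src": "198.51.100.99", "sport": 4001, "dst": "203.0.113.7", "dport": 23, "proto": "TCP"},
    {"src": "198.51.100.99", "sport": 4002, "dst": "203.0.113.7", "dport": 23, "proto": "UDP"},
]

def normal_run():
    """Everyday filtering: reserved source ranges plus a TCP-only port range."""
    return split_log(
        RECORDS,
        source_ip=["# reserved LAN ranges",
                   "10.0.0.0 - 10.255.255.255",
                   "192.168.0.0 - 192.168.255.255",
                   "#198.51.100.99"],        # commented out, so not applied
        target_port=["21 - 25, TCP"])

def subseven_hits():
    """Analysis use: only the target port filter is set, then count what it caught."""
    _, filtered = split_log(RECORDS, target_port=["27374"])
    return len(filtered)

if __name__ == "__main__":
    kept, filtered = normal_run()
    print("kept:", len(kept), "filtered:", [(why, r["src"]) for why, r in filtered])
    print("SubSeven (27374) hits:", subseven_hits())
```

The UDP record to port 23 is kept in the normal run because the "21 - 25, TCP" rule is limited to TCP, which is the effect of appending a protocol to a port filter.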


It is important for logging purposes that the clock on your machine be set as accurately as possible. ISPs need accurate time information in log lines that are sent as abuse reports so that they can identify exactly when a suspected attacker was logged in.

More information on doing this is here.


(Also see for more extensive documentation on doing this.)

After you have used CVTWIN interactively to configure and test it, you can also use it unattended. Start it as

CVTWIN -noui

In this case it will execute, but will *not* display anything on the screen. If it is configured correctly it will send the converted log file to the address that is configured in 'File/Configure/To Address' (normally It will log the results of the operations to {App.Path/}CVTWINLOG.TXT.

You can use the Windows Task Scheduler. Open the Task Scheduler from the task bar, and click on "Add Scheduled Task". Follow the Wizard until you have set

Run: "c:\Program Files\cvtwin\cvtwin.exe" -noui

Start in: "c:\Program Files\cvtwin"

Assuming that you installed it in the default directory. Set the schedule to sometime during the middle of the night.

You should get a confirmation email if you are a registered DShield user and checked the Confirmation box in your DShield user profile. You can log in ( and use "Check Your Reports" to see that your log lines are entered in the DShield database.

You can also check the cvtwinlog.txt file to see that the converted logs were mailed to


Keeps showing "Rejected: 2002-31-03 01:49:42 +00:00 not valid. It is greater than 2002-03-28 23:59:59 -05:00" type errors: This is because there is a mismatch between how your system wants to display the order of the components in a date and how CVTWIN interprets them. CVTWIN needs dates to be in YYYY-MM-DD format. 2002-01-04 23:59:59 -05:00 has the month and day transposed, so the date sanity check erroneously fails. The fix is to edit CVTWIN's Regional Settings variables as described in Date Conversion Problems.

Keeps showing 'Parsed 0 lines': The usual problem is that you did a Convert and the timestamp was set to the last timestamp in your log. When you do another Convert, all the log lines are earlier than this timestamp, so they are rejected. The solution to this is to go into Edit/Configure and edit the Date/Time field. Then do Convert again. (As of v. 1.0.2, the timestamp won't be saved until after an email was actually sent, so you shouldn't have to fight with this so much when testing.)

Could also be because dates aren't being converted properly. See Date Conversion Problems.

Shows 'Unable to send email (Error code = -2 Error message = "Bad SMTP server address")' when you try to send mail: Usually means that the SMTP server you configured won't work. See below.

Can't send mail to DShield: Probably some problem with the SMTP Server setting in the Configuration dialog. Do not set the SMTP server to point to a web mail service. "" is not a valid SMTP server.

Your ISP is blocking port 25: ISPs are starting to block port 25, which is used to send email, in an attempt to throttle infected machines that have been taken over by spammers and used to send SPAM. This is all well and good, except that it causes CVTWIN's sending the converted log as email to fail.

As a workaround, we set up an alternate mail server as on non-standard port 81. To use this, set SMTP Server in 'Edit/Configure' to be (This was added in CVTWIN 1.2.18 and won't work in earlier versions. But you can make it work in earlier versions by also setting 'sndmailParms=-P 81' in cvtwin.ini so that sndmail.dll will use port 81. CVTWIN 1.2.18 and later handle this automatically.)

One side effect of doing this is that you won't be able to send a copy of your logs to yourself.

AOL started the trend of blocking port 25. Now other ISPs are doing the same thing.

Can't send test mail to yourself: Usual cause is if you use '' as the SMTP server. '' works when sending to but won't work when sending the test mail to you. Fix is to set the SMTP server to the same server as you normally use to send email. More information on configuring the SMTP server is on the Configuration dialog page.

Get Run-time error '-nnnnnnn (nnnnnnn) ... when trying to send mail Windows 2000

Brian Bresnan reports:

The problem is the default setting in the win2k event log properties is to limit the file size to 512k and to only overwrite application log entries after 7 days. My log was full but couldn't be overwritten so CVTWIN aborted. So the simple solution is to set the application log to overwrite as needed.

This problem shouldn't happen with versions later than 1.0.78. Windows Event logging is now disabled. If you see this problem with 1.0.78, or later, then please write to

Using Log Files to Debug CVTWIN Problems

Can't convert BlackIce logs: Make sure that you are converting 'attack-list.csv'. The other BlackIce logs won't work. Look in "c:\Program Files\Network Ice\BlackIce"

Can't convert Linksys logs: Use the "Linksys" setting when you are using the BTT Software SMNP Trapper. Use "Linksys LogViewer" when using the Linksys LogViewer program. See the Linksys section, below.

LogViewer logs aren't up to date: LogViewer doesn't always write new log lines to the disk file automatically, even after you have configured it to. See the LinksysLogviewer section, below, for more on this.

LogViewer won't write logs if the log file exceeds the maximum log size that is set in "Save Logs." If you see that LogViewer has stopped writing new logs, then check the size of the incoming log file. If it is too big, then stop LogViewer and Rename or erase the existing log file and then start LogViewer again.

Can't convert ZoneAlarm logs: CVTWIN reads from ZALog.txt. Make sure that ZoneAlarm is actually writing to ZALog.txt. We have had reports that some combinations of ZoneAlarm's archiving settings prevent it from writing to ZALog.txt.

You might need to shut down ZoneAlarm and delete the Iamdb.rdb and hostname.ldb (where hostname is derived from your own computer's name) files if ZoneAlarm refuses to write to ZALog.txt. You will need to reconfigure your ZoneAlarm settings after deleting these files. Make a note of your ZoneAlarm "Program Control - Programs and Firewall - Zones" settings before deleting these files. This issue is obliquely touched on in ZoneAlarm's Installation & Uninstallation FAQ.

Thanks to Toivo Talikka for this information.


The source code for CVTWIN is available from

(Can't determine file size.). Requires Microsoft Visual Basic 6.


Some firewalls use Windows' Regional Settings to determine the order of the month, day and year in the date that is stored in the log file. If CVTWIN doesn't know about this, then it will convert dates incorrectly. Look at the date in the DShield file that is produced after a conversion. It must be in the American date format, e.g., 2002-03-25 for a date of March 25, 2002. If CVTWIN's notion of how the date in your log file is ordered is wrong, then it will swap the month and day. If you see that the month and day are swapped in the DShield file, then you must change these settings in the CVTWIN.INI file.

To change the settings, load C:\Program Files\cvtwin\cvtwin.ini into Notepad and look for the Regional Settings Variables at the end.

# Regional Setting variables.
# Should be in the order of your Regional Settings Short date
#  Control Panel/Regional Settings/Date 
# Change if your date isn't in the correct order in the DShield file
# after conversion, or you see other CVTWIN created dates in the wrong order.
# They should be YYYY-MM-DD (2002-03-25 for March 25th, 2002)
# M/d/yy would be MM=0, DD=1, YY=2  (North American standard)
# d/M/yy would be MM=1, DD=0, YY=2  (European standard)
# Sep is the separator character that is used to separate the
# month, day and year in the date in your log file.

Exchange the settings for the MM and DD variables. For example, if they are set as 'MM=0 DD=1', then change them to be 'MM=1 DD=0' and then save cvtwin.ini.

Now do another conversion and check to see that the date in the DShield file is formatted in YYYY-MM-DD format. If there is still a problem with the date conversion, then please report the problem to
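As an added illustration (not CVTWIN's own code), the sketch below models how the MM, DD, YY and Sep variables select fields from a log date, and why a wrong order gives either a "not valid" rejection or, worse, a plausible but wrong date. The function names, the two-digit-year rule and the sample dates are assumptions constructed for this example.

```python
from datetime import datetime

def convert_date(raw, mm, dd, yy, sep="/"):
    """Reorder one log date into YYYY-MM-DD using the MM/DD/YY field positions."""
    fields = [int(f) for f in raw.strip().split(sep)]
    if len(fields) != 3:
        raise ValueError(f"expected 3 date fields in {raw!r}")
    year = fields[yy]
    if year < 100:              # assumption: two-digit years mean 20xx
        year += 2000
    return f"{year:04d}-{fields[mm]:02d}-{fields[dd]:02d}"

def sanity_check(converted, now):
    """Model of a date sanity check: must be a real date and not in the future."""
    try:
        parsed = datetime.strptime(converted, "%Y-%m-%d")
    except ValueError:
        return "rejected: not a valid calendar date"
    if parsed > now:
        return "rejected: later than current time"
    return "accepted"

def infer_order(raw_dates, sep="/"):
    """Suggest MM/DD positions: a field that ever exceeds 12 must be the day."""
    first = max(int(d.split(sep)[0]) for d in raw_dates)
    second = max(int(d.split(sep)[1]) for d in raw_dates)
    if first > 12 and second <= 12:
        return {"MM": 1, "DD": 0}   # d/M/yy
    if second > 12 and first <= 12:
        return {"MM": 0, "DD": 1}   # M/d/yy
    return None                     # ambiguous or inconsistent sample

# Constructed sample: a firewall writing d/M/yyyy dates (European order).
SAMPLE = ["31/03/2002", "02/03/2002", "04/01/2002"]
NOW = datetime(2002, 3, 31, 23, 59, 59)   # constructed "current time"

def run(mm, dd, yy):
    """Convert every sample date and report the sanity-check verdict."""
    out = []
    for raw in SAMPLE:
        converted = convert_date(raw, mm, dd, yy)
        out.append((raw, converted, sanity_check(converted, NOW)))
    return out

if __name__ == "__main__":
    print("MM=0 DD=1 YY=2 (wrong for this log):")
    for row in run(0, 1, 2):
        print("  ", row)
    print("MM=1 DD=0 YY=2 (matches the log):")
    for row in run(1, 0, 2):
        print("  ", row)
    print("suggested setting:", infer_order(SAMPLE))
```

With the wrong order, 02/03/2002 converts to 2002-02-03 and is accepted, so a month/day swap does not always surface as a rejection; checking the converted dates in the DShield file is the only reliable test.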

Writing to a different directory

CVTWIN defaults to writing all temporary files and reading configuration information from the directory that it is installed in. Most of the time this works, but you might want to have CVTWIN read and write from a different directory (say, if security procedures require that programs not write anywhere in C:\Program Files.)

You can tell CVTWIN to use a different directory by creating the file "cvtwintemp.txt" in the directory that CVTWIN is installed in. cvtwintemp.txt should contain one line. The line should be the drive and directory that you want CVTWIN to write to. The directory must already exist.

Note that CVTWIN will expect to see its configuration information there, so if you have already configured CVTWIN, then copy your cvtwin.ini and logdate.txt files to this directory.

Also convert to ZoneAlarm

This is a bonus feature. There are several ZoneAlarm log file analyzers, such as VisualZone and ZoneLog, that are valuable for analyzing ZoneAlarm logs. If only they weren't restricted to analyzing ZoneAlarm logs.... If you enable this feature, then CVTWIN will also write a ZoneAlarm log file when it does the normal DShield conversion. This has the effect of converting your log to ZoneAlarm format so that you can use one of these analyzers.

To enable this, edit cvtwin.ini and add a 'ZoneAlarmLog=' variable. Set it to point to the ZoneAlarm log file that you want created. Examples:


Each time that CVTWIN runs, it will also create 'ZaLog.txt' in the directory that CVTWIN is running in.


Same as above, but will create "C:\Temp\ZaLog.txt".

Important: If you do use one of the ZoneAlarm log analyzers that have DShield support, do not use it to send the converted ZoneAlarm log in to Dshield. The converted ZoneAlarm log isn't filtered as much as the normal DShield log that CVTWIN produces. Continue to use CVTWIN to submit your log.

Support for the ZoneAlarmLog variable was added in CVTWIN 1.1.87. It won't work in earlier versions.

cvtwin.ini Configuration file

Even though you can do most configuration from CVTWIN's Edit/Configure menu, there are some configuration variables that you can only access by editing cvtwin.ini. cvtwin.ini is located either in the directory that CVTWIN is installed in, or in the directory referenced by the cvtwintemp.txt file.

1.1.87 added "Edit config.ini" to the 'Edit' menu. cvtwin.ini has come out from the cold.

Sample cvtwin.ini


# Configuration file created by DShield CVTWIN 2.0.14
# But the version you are using now is...

# Don't change variables that are in the Edit/Configure dialog
# i.e., Don't change the 'IDS' variable.  Only change variables
# that Edit/Configure doesn't handle.
# If you manage to change stuff so that CVTWIN can't load, then rename
# cvtwin.ini to be something else and restart CVTWIN.  CVTWIN will
# create a new civilized copy of cvtwin.ini.  Then reconfigure it.

# What firewall is used?
IDS=Kiwi Syslog Daemon (All formats)

# Location of Firewall log file?
logfile=C:\Program Files\Syslogd\Logs\SyslogCatchAll.txt

# Your email address that you used when you registered with DShield
# at

# DShield Password that you chose when you registered
# at

# DShield UserID that was assigned to you when you registered
# at

# Use HTTP upload instead of SMTP email?
# See 'sndHTTP', below.
# UseHTTP=Yes
# URL to upload the converted firewall log.  This will ultimately
# replace the SMTP/email method of transmitting the converted log to
# DShield.  If this method works for you, you don't need to configure
# the SMTP server (below.)  Use 'File/Upload' instead of 'File/Email'
# to transmit the logs to DShield.
# If uncommented, leave the value as ''
# sndHTTP=

# A usable mail server.  Use the one you normally use to send email
# '' will work to send to  It will
# *not* work to send to any other address (including to yourself.)
# If '' doesn't work, try ''
# Do *not* use a URL that points a web based mail service.
# i.e.,   is not a valid mail server
# (Deprecated, if you can use the sndHTTP method.)

# Use 24 hour clock for CVTWIN's own log?
# (File/View CVTWIN log)
# Uncomment for 24 hour time format.  Otherwise, will be 12 hour AM/PM.
# LogTime=24

# Address to send the report to
#    When ready to submit report "for real"
# You can send to multiple addresses by separating them by ","
# Also send a copy to yourself by,
# (This method of sending to yourself isn't needed anymore,
# see the Send_Copy variable, below.)

# Also send a copy of the DShield log to yourself in addition
# to sending it to DShield.
# 0 = no, 1 = yes

# Optional additional parameters to pass to sndmail.dll
# Normally not needed, but would be needed if you need to
# use authorization.
# sndmailParms=-h LOGIN -u username -p password
# See 'sndmail.txt' for more info.
# Note: if you set '' CVTWIN will automatically
# add '-P 81' to sndmailParms so that sndmail.dll will use port 81
# If SMTP does not equal '', then CVTWIN will automatically
# remove '-P 81' from sndmailParms.  This means that you can't use '-P 81'
# for any other mail server.  This logic was added in CVTWIN 1.2.18.
# See for more info
# See SENDIT.BAT to experiment....

# Use an alternate program to send mail, instead of sndmail.dll
# (If sndmail.dll is causing a problem.)
# See for more info

# Obfuscate (mangle) your IP by changing the beginning to "10"
# 0 = No, 1 = Yes
# (Obfuscate is a lousy word to use as a variable.  "Mangle" is much easier
# to remember.)

# Suppress creating dlog.out 'Status' file.
# If your log files are real large, then you can live
# without this.  To save disk space and processing time.
# NoStatus=1

# Maximum number of host names to convert to IP addresses.
# This takes time, so you probably don't want to set this
# too high.  Do you *really* need to have your firewall configured
# to resolve IPs?

# Enlarge the area for the status line at the bottom.
# For people who use very large system fonts.
# Try something like 100-500
# StatusLine=200

# Must be a valid domain. should work.

# Time zone.  Example.  -5:00 is Eastern Standard Time
# See TIMEZONE.TXT for complete list
# TZ=+00:00 GMT
# TZ=-05:00 Eastern Standard Time
# TZ=-04:00 Eastern Daylight Savings Time
# (Don't change this--it is set by CVTWIN)
# This may, or may not be the same as WinTZ
# If your logs are in UTC, then TZ would (should) be '+00:00'
# The time zone offset that Windows uses.
# This is read from Windows and written here
# for debugging time zone problems.
# (Don't change this--it is set by CVTWIN)

# Uncomment this if CVTWIN is not using the correct TZ.
# If you are forcing to a TZ other than GMT, make sure to
# keep track of Daylight Savings Time.
# CAUTION! Make sure that you understand
# this before uncommenting ForceTZ--we really need the log
# you send in to have the correct time zone offset.
# ForceTZ=+00:00

# Also export a ZoneAlarm file.  (Convert from your log to ZoneAlarm)
# So you can use ZoneAlarm log analyzers like
# VisualZone on your log file.
# If you enter a drive/directory, the directory must already
# exist.  Otherwise, it will be created in this directory.
# There is no point in doing this if you already use ZoneAlarm.
# ZoneAlarmLog=ZALog.txt

# ProgDir points to the directory that holds a program that CVTWIN
# needs.
# We only want the directory.  Don't include a program name.
# (Don't change this--it is set by CVTWIN)
Progdir=C:\Program Files\Syslogd\Logs\

# MFlag will be set if you have to manually export the log
# before converting.  ('Set' is 'Yes', 'unset' is blank.)
# (Don't change this--it is set by CVTWIN)

# PFlag will be set if the firewall creates a separate log for
# each day.  (Tricky footwork is needed....)
# (Don't change this--it is set by CVTWIN)

# Regional Setting variables.
# If these are being used, then 'RFlag' will be set
# If RFlag is blank, then your converter isn't using
# the Regional Setting variables.
# (Don't change this--it is set by CVTWIN)

# Should be in the order of your Regional Settings Short date
#  Control Panel -> Regional Settings -> Date 
# Change if your date isn't in the correct order in the DShield file
# after conversion, or you see other CVTWIN created dates in the wrong order.
# They should be YYYY-MM-DD (2004-03-25 for March 25th, 2004)
# M/d/yy would be MM=0, DD=1, YY=2  (North American standard)
# d/M/yy would be MM=1, DD=0, YY=2  (European standard)
# All converters don't use this.  Write if you tried 
# changing these variables and CVTWIN still won't convert the date correctly.

# Sep is the separator character that is used to separate the
# month, day and year in the date in your log file.

# TimeSep is the separator character that is used to separate the
# hours, minutes and seconds in your log file.

# RefDate is an arbitrary reference date formatted using
# Windows Regional Settings.  The date is December 30, 2001
# This is for debugging.  If you have unresolved date conversion
# problems, then include the RefDate setting in your message to
RefDate=12/30/2001 12:30:01 PM

Again, most configuration should be done from CVTWIN's Edit/Configure menu. The additional variables that aren't in the Configure dialog box were added to solve problems that only affect a few people.


Convert: Reads the log file that is defined in the Configure menu and converts it to DShield format. It rejects log lines that are earlier than the Date/Time listed in the Configure dialog. It also rejects lines that contain IPs that are defined in the IP Filters. See the Edit menu to edit the IP filters.

View Log File: Shows your log file. Use to check that it is configured properly in the Configure dialog. Or just look at it, if you have time on your hands.

View DShield File: Shows the DShield file that was produced by the Convert operation. This is what will be sent to Only enabled after a successful Convert operation. ({app.path}\DLOG.TXT) The File menu also displays the Date/Time it was converted and the number of lines.

View Status File: Shows a diagnostic file that is created by Convert. This file is a mixture of your original log file with output lines interspersed. It will contain accepted DShield format lines, along with lines that were rejected, for whatever reason. ({App.Path}\DLOG.OUT) This file is for your own reference--it will not be mailed to DShield. The File menu also displays the Date/Time it was converted and the number of lines that were rejected because they were earlier than the last date/time of the previous run. (This is not an error condition--they are supposed to be rejected so they won't be repeatedly sent to DShield.)

View Filtered Lines: Shows a diagnostic file that is created by Convert. This shows log lines that were filtered by IP (will not be sent to DShield), based on the contents of Source and Target IP filters. Edit these from the Edit menu. This file is for your own reference--it will not be mailed to DShield. ({App.Path}\DIPFLT.TXT) The File menu also displays the Date/Time it was converted and the number of lines that were rejected because they fell within the IP filters.

(Note that the way that CVTWIN now works: when you initially start it you can view the results of the *previous* conversion. This is handy if you have set CVTWIN up for unattended operation using the Windows Task Scheduler. If you start it from the Start menu, you can see the files that were (hopefully) emailed in to DShield. Previous versions of CVTWIN would only let you view files after doing a Convert operation, so you couldn't use CVTWIN to view the files that were emailed in if it was run from the Task Scheduler.)

View CVTWIN log: Shows the log file that CVTWIN creates. ({App.Path}\CVTWINLOG.TXT)

Email to ( Mails the converted DShield log (DLOG.TXT) (This is changeable by a variable in cvtwin.ini, but you shouldn't need to change this.) If the email operation was successful, then it will save the last timestamp so that the next conversion will not accept lines earlier than this date. If you enabled "Also send a copy to yourself" in the Configuration dialog, then it will also send a copy to you. (But only if you aren't using '' as the SMTP server.)

Email test to (Email Address): Mails the converted DShield log (DLOG.TXT) to the address you configured as 'Email Address', typically your own address. Use this for testing. It will *not* save the timestamp date.

Exit: Uh, exit.
