Colasoft Capsa Data Packet Analyzer v7.7 Released

February 26th, 2013

February 26, 2013 – Colasoft, an Oklahoma company, is a leading provider of innovative, affordable, network analysis software solutions. Colasoft today announced the release of its latest Capsa Network Analyzer, version 7.7, a real-time portable network analyzer for wired and wireless network monitoring, bandwidth analysis, and intrusion detection.

In addition to bandwidth monitoring and traffic analysis, Capsa Enterprise now includes filters and views that not only alert on a cyber attack but also allow detailed packet analysis to assess its impact. A free trial version is available for download at: http://www.colasoft.com/download/products/download_capsa.php

Capsa now allows network engineers to create custom alarm rules that monitor for network anomalies such as excessive traffic throughput, excessive broadcast packets, suspicious conversations, and more. Capsa 7.7 raises an alarm and sends an email notification the moment a rule is triggered, letting you react within minutes to a policy violation or cyber attack.


“Capsa is the only Packet Sniffer and Packet Decoder to provide an easy to use GUI combined with CyberAttack Detection features”, said Brian K. Smith, Vice President at Colasoft LLC, “found only in a more expensive Intrusion Detection Application. Colasoft Capsa now offers the Network Engineer one of the most robust Bandwidth and Packet Analysis tools available.”

With the release of Capsa 7.7, more than 10 new decoders were added, for protocols including SIP, SDP, MEGACO/H.248, MGCP, Q.931, SAP, H.225, RMI, Oracle, MMS, GOOSE, SMV and GMRP, several of them VoIP protocols. Capsa analyzes VoIP issues such as voice quality (QoS), dropped packets and connectivity problems.


The following are brief descriptions for some of these protocols:

  • SIP (Session Initiation Protocol): a widely used protocol for controlling communication sessions such as voice and video calls over Internet Protocol (IP).
  • SDP (Session Description Protocol): a format for describing streaming media initialization parameters [RFC 4566].
  • MEGACO/H.248: also known as the Gateway Control Protocol, an ITU-T (ITU Telecommunication Standardization Sector) recommendation defining the protocol used between the elements of a physically decomposed multimedia gateway.
  • MGCP (Media Gateway Control Protocol): a protocol used for controlling media gateways on Internet Protocol (IP) networks and the public switched telephone network (PSTN).
  • Q.931: the ITU standard ISDN connection control signaling protocol, forming part of Digital Subscriber Signaling System No. 1.
  • SAP (Session Announcement Protocol): an experimental protocol for broadcasting multicast session information [RFC 2974].
  • H.225: part of the H.323 family of telecommunication protocols.
  • Oracle: a protocol used by Oracle database to transfer data.

Additionally, Capsa can now alert on “suspicious conversations”, track employee activity and even log and view IM conversations. Besides identifying “top talkers”, this helps protect a company against insider theft of intellectual property.

Capsa 7.7 is compatible with Windows XP/2003/2008/Vista/Windows 7/Windows 8.
A trial version is available for download at:   http://www.colasoft.com/download/products/download_capsa.php

About Capsa

Capsa is an easy-to-use Ethernet packet sniffer (network analyzer or network sniffer) for network monitoring and troubleshooting. It performs real-time packet capture, 24×7 network monitoring, reliable network forensics, advanced protocol analysis, in-depth packet decoding and automatic expert diagnosis. By giving you insight into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify network bottlenecks and bandwidth use, and detect network vulnerabilities.

About Colasoft

Since 2001, Colasoft, an Oklahoma Company, has been an innovative provider of all-in-one and easy-to-use software solutions for users to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Currently, more than 5,000 customers in over 80 countries trust the company’s flagship product, Capsa Packet Sniffer, as their network monitoring and troubleshooting solution.  Please visit http://www.colasoft.com for more information.


NAT Packet Analysis Using Wireshark

February 4th, 2013

by Tony Fortunato

Source: http://www.lovemytool.com/blog/2013/02/nat-packet-analysis-using-wireshark-by-tony-fortunato.html

One of the most common questions I get once people have the hang of protocol analysis is about the daunting exercise of multitrace analysis. As with anything else, the best advice is to start with the basics before tackling anything complicated.

Multitrace analysis is only effective if you truly understand your vendors’ products, networking, and how they relate to the OSI model and packet analysis. I always suggest that you start at layer 1 and work your way up. The key is to know which fields in the frame or packet change and which remain the same. Once you have figured this out you can write a better capture or display filter.

A multitrace capture across a hub, switched or bridged network is the most straightforward case, since a hub or switch is transparent at layer 1 or 2 and doesn’t change anything in the packet.

When you move up to layer 3, or routing, several things change in the packet, such as the MAC addresses, the IP TTL (and with it the IP header checksum) and the TOS. Of course your mileage will vary, and any device could be configured to muck with more bits in the packet, but I figure I would give you a point of reference.

At layer 4 we get into application gateways, proxies, firewalls and NAT devices, where the following packet fields get modified: MAC addresses, IP addresses, IP TOS, TCP/UDP port numbers, TCP SEQ/ACK values, and so on.

Lastly at layer 7, we are dealing with multi-tiered applications and basically everything changes in the packet.

In this video example I do a multitrace analysis of a simple Netgear router/NAT/firewall device, taking a trace from the WAN and the LAN side to compare. Not to sound like a broken record, but please remember that your devices might behave totally differently, and these notes and techniques should only be used as a reference in your environment.

Check the video here:
http://www.youtube.com/embed/J9FzaFryQIw?feature=oembed
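The comparison the video walks through, reduced to code, as an added example that is not part of the post or the video: which header fields a NAT router rewrites between the LAN-side and WAN-side copies of the same packet, and how to pair the two captures using only the fields that survive the crossing. The packets are constructed dictionaries standing in for decoded frames; the field names (`ip.id`, `tcp.srcport`, …) and the addresses are assumptions.

```python
"""Which header fields change across a NAT router, and how to line up the
two captures anyway. Added example; packets are constructed dicts."""
import hashlib

# Fields a consumer NAT router normally leaves untouched (assumption for the
# sample). IP ID survives on most such boxes; payload bytes survive unless an
# application-layer gateway rewrites them.
INVARIANTS = ("ip.id", "ip.proto", "payload")


def changed_fields(lan, wan):
    """Return {field: (lan_value, wan_value)} for every field that differs
    between the two copies of one packet."""
    keys = set(lan) | set(wan)
    return {k: (lan.get(k), wan.get(k)) for k in sorted(keys)
            if lan.get(k) != wan.get(k)}


def invariant_key(pkt):
    """Key built only from fields the NAT does not rewrite, so one packet
    yields the same key on both sides of the router."""
    digest = hashlib.sha256(pkt["payload"]).hexdigest()[:16]
    return (pkt["ip.id"], pkt["ip.proto"], digest)


def correlate(lan_pkts, wan_pkts):
    """Pair LAN packets with WAN packets by invariant key (first match wins).
    Returns (pairs, unmatched_lan, unmatched_wan). Anything unmatched was
    dropped by the router, generated by it, or had an invariant rewritten,
    which is exactly what a multitrace analysis is meant to surface."""
    index = {}
    for w in wan_pkts:
        index.setdefault(invariant_key(w), []).append(w)
    pairs, unmatched_lan = [], []
    for l in lan_pkts:
        bucket = index.get(invariant_key(l))
        if bucket:
            pairs.append((l, bucket.pop(0)))
        else:
            unmatched_lan.append(l)
    unmatched_wan = [w for bucket in index.values() for w in bucket]
    return pairs, unmatched_lan, unmatched_wan


def _pkt(src_mac, dst_mac, src_ip, dst_ip, ttl, ip_id, sport, dport, payload):
    return {"eth.src": src_mac, "eth.dst": dst_mac, "ip.src": src_ip,
            "ip.dst": dst_ip, "ip.ttl": ttl, "ip.id": ip_id, "ip.proto": 6,
            "tcp.srcport": sport, "tcp.dstport": dport, "payload": payload}


# Constructed sample: two HTTP requests from an inside host captured on both
# sides of the router, plus one LAN packet the router never forwarded.
LAN_SIDE = [
    _pkt("00:11:22:aa:bb:01", "00:11:22:aa:bb:fe", "192.168.1.10", "203.0.113.5",
         128, 0x1A2B, 52341, 80, b"GET / HTTP/1.1\r\n"),
    _pkt("00:11:22:aa:bb:01", "00:11:22:aa:bb:fe", "192.168.1.10", "203.0.113.5",
         128, 0x1A2C, 52341, 80, b"GET /favicon.ico HTTP/1.1\r\n"),
    _pkt("00:11:22:aa:bb:01", "00:11:22:aa:bb:fe", "192.168.1.10", "203.0.113.9",
         128, 0x1A2D, 52342, 23, b"\xff\xfd\x18"),
]
WAN_SIDE = [
    _pkt("00:11:22:aa:bb:ff", "00:aa:bb:cc:dd:01", "198.51.100.7", "203.0.113.5",
         127, 0x1A2B, 1025, 80, b"GET / HTTP/1.1\r\n"),
    _pkt("00:11:22:aa:bb:ff", "00:aa:bb:cc:dd:01", "198.51.100.7", "203.0.113.5",
         127, 0x1A2C, 1025, 80, b"GET /favicon.ico HTTP/1.1\r\n"),
]


def nat_rewrite_summary(lan_pkts, wan_pkts):
    """Names of the fields the router rewrote on every matched packet."""
    pairs, _, _ = correlate(lan_pkts, wan_pkts)
    changed = None
    for l, w in pairs:
        names = set(changed_fields(l, w))
        changed = names if changed is None else changed & names
    return sorted(changed or [])


if __name__ == "__main__":
    print("rewritten by NAT:", nat_rewrite_summary(LAN_SIDE, WAN_SIDE))
    print("unmatched LAN packets:", len(correlate(LAN_SIDE, WAN_SIDE)[1]))
```

On the sample the summary comes back as the MAC addresses, the inside source address, the TTL and the source port, which is the layer 3/4 list from the text; the destination address, destination port and payload are untouched. Two caveats before using this on real traces: some NAT implementations rewrite the IP ID as well, and modern stacks may set the IP ID to zero on packets with DF set, so in those cases drop `ip.id` from the key and rely on the payload hash (or the TCP sequence number, where the device does not rewrite it).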

Configuring SPAN On Cisco Catalyst Switches – Monitor & Capture Network Traffic/Packets

January 29th, 2013

Source: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-switches/940-cisco-switches-span-monitoring.html

Being able to monitor your network traffic is essential when it comes to troubleshooting problems, performing a security audit, or even casually checking your network for suspicious traffic.

Back in the old days, whenever there was a need to monitor or capture network traffic, a hub would be introduced somewhere in the network link and, thanks to the hub’s inefficient design, it would copy all packets arriving on one port out to all the other ports, making it very easy to monitor network traffic. Those interested in hub fundamentals can read our Hubs & Repeaters article.

Switches, of course, work on an entirely different principle: they do not replicate unicast packets out of every port but forward them only to the port where the destination MAC address was learned, flooding only broadcast, multicast and unknown-unicast frames.

Thankfully, monitoring network traffic on Cisco Catalyst switches is a straightforward process that does not require a hub. Cisco’s method is called Switched Port Analyser (SPAN).

Understanding SPAN Terminology

  • Ingress Traffic: Traffic that enters the switch
  • Egress Traffic: Traffic that leaves the switch
  • Source (SPAN) port: A port that is monitored
  • Source (SPAN) VLAN: A VLAN whose traffic is monitored
  • Destination (SPAN) port: A port that monitors source ports. This is usually where the network analyser is connected.
  • Remote SPAN (RSPAN): When Source ports are not located on the same switch as the Destination port. RSPAN is an advanced feature that requires a special VLAN to carry the monitored traffic and is not supported by all switches. RSPAN explanation and configuration will be covered on another article.

[Figure: cisco-switches-span-1 – SPAN terminology]

The network diagram above helps us understand the terminology and implementation of SPAN.

Source SPAN ports are monitored for received (RX), transmitted (TX) or bidirectional (both) traffic.  Traffic entering or exiting the Source SPAN ports are mirrored to the Destination SPAN port. Typically, you would connect a PC with a network analyser (we trust and use Colasoft’s Capsa Enterprise) on the Destination SPAN port, and configure it to capture and analyse the traffic.

The amount of information you can obtain from a SPAN session really depends on how well the captured data can be interpreted and understood.  Tools such as Capsa Enterprise will not only show the captured packets, but automatically diagnose problems such as TCP retransmissions, DNS failures, slow TCP responses, ICMP redirect messages and much more. These capabilities help any engineer quickly locate network problems which otherwise could not be easily found.

Basic Characteristics and Limitations of Source Port

A source port has the following characteristics:

  • It can be any port type, such as EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth.
  • It can be monitored in multiple SPAN sessions.
  • It cannot be a destination port (that’s where the packet analyser connects to)
  • Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction applies to all physical ports in the group.
  • Source ports can be in the same or different VLANs.
  • For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

Basic Characteristics and Limitations of Destination Port

Each SPAN session must have a destination port that receives a copy of the traffic from the source ports and VLANs.

A destination port has these characteristics:

  • A destination port must reside on the same switch as the source port (for a local SPAN session).
  • A destination port can be any Ethernet physical port.
  • A destination port can participate in only one SPAN session at a time.
  • A destination port in one SPAN session cannot be a destination port for a second SPAN session.
  • A destination port cannot be a source port.
  • A destination port cannot be an EtherChannel group.

Limitations of SPAN on Cisco Catalyst Models

Following are the limitations of SPAN on various Cisco Catalyst switches:

  • Cisco Catalyst 2950 switches are able only to have one SPAN session active at a time and can monitor source ports. These switches cannot monitor VLAN source.
  • Cisco Catalyst switches can forward traffic on a destination SPAN port in Cisco IOS 12.1(13)EA1 and later
  • Cisco Catalyst 3550, 3560 and 3750 switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs
  • The Catalyst 2970, 3560, and 3750 Switches do not require the configuration of a reflector port when you configure an RSPAN session.
  • The Catalyst 3750 Switches support session configuration with the use of source and destination ports that reside on any of the switch stack members.
  • Only one destination port is allowed per SPAN session, and the same port cannot be a destination port for multiple SPAN sessions. Therefore, you cannot have two SPAN sessions that use the same destination port.



Configuring SPAN On Cisco Catalyst Switches

Our test-bed was a Cisco Catalyst 3550 Layer 3 switch, however the commands used are fully supported on all Cisco Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560−E, 3750, 3750−E and 4507R Series Switches.

The diagram below represents a typical network setup where there is a need to monitor traffic entering (ingress) and exiting (egress) the port to which the router connects (FE0/1). This strategically selected port sees all traffic entering and exiting our network.

[Figure: cisco-switches-span-2 – test-bed topology]

Since router R1 connects to the 3550 Catalyst switch on port FE0/1, this port is configured as the Source SPAN port.  Traffic copied from FE0/1 is to be mirrored out FE0/24 where our monitoring workstation is waiting to capture the traffic.

Because serious network procedures require serious tools, we opted to work with Colasoft’s Capsa Enterprise edition, our favourite network analyser. With Capsa Enterprise we were able to capture all packets at full network speed and easily identify the TCP sessions and data flows we were interested in. If you haven’t tried Capsa Enterprise yet, we highly recommend visiting Colasoft’s website and downloading a copy.

Once we had our network analyser set up and running, the first step was to configure FastEthernet 0/1 as the source SPAN port:

Catalyst-3550(config)# monitor session 1 source interface fastethernet 0/1

Next, configure FastEthernet 0/24 as the destination SPAN port:

Catalyst-3550(config)# monitor session 1 destination interface fastethernet 0/24

After entering both commands, we noticed that our destination SPAN port’s LED (FE0/24) began flashing in synchronisation with FE0/1’s LED, the expected behaviour considering all FE0/1 packets were being copied to FE0/24.

Confirming the monitoring session and operation requires one simple command, show monitor session 1:

Catalyst-3550# show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/1
Destination Ports : Fa0/24
    Encapsulation : Native
          Ingress : Disabled

To display the detailed information for a specific session, issue the show monitor session 1 detail command:

Catalyst-3550# show monitor session 1 detail
Session 1
---------
Type              : Local Session
Source Ports      :
    RX Only       : None
    TX Only       : None
    Both          : Fa0/1
Source VLANs      :
    RX Only       : None
    TX Only       : None
    Both          : None
Source RSPAN VLAN : None
Destination Ports : Fa0/24
    Encapsulation : Native
          Ingress : Disabled
Reflector Port    : None
Filter VLANs      : None
Dest RSPAN VLAN   : None

Notice how the Source Ports section shows Fa0/1 in the row named Both. This means that we are monitoring both RX and TX packets on Fa0/1, while the destination port is set to Fa0/24. Ingress: Disabled means the switch will not accept frames arriving from the analyser on Fa0/24, so the monitoring workstation cannot inject traffic into the switched network through that port.
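The configuration and verification steps above, as an added example that is not code from the firewall.cx article or from Cisco: a small planner that emits the monitor session commands only after checking the source/destination port rules listed earlier, and a parser for show monitor session N detail output so the result can be verified mechanically rather than by watching port LEDs. The sample show output is constructed from the article’s own listing; the interface abbreviations and the assumption that the analyser should not be allowed ingress are mine. Nothing here talks to a switch.

```python
"""Plan a local SPAN session and verify it from `show monitor session`
output. Added example; sample output constructed from the article."""
import re

_ABBREV = {"fastethernet": "fa", "gigabitethernet": "gi", "port-channel": "po"}


def _norm(name):
    """'FastEthernet 0/1' -> 'fa0/1' so planned and displayed names compare."""
    n = name.lower().replace(" ", "")
    for long, short in _ABBREV.items():
        if n.startswith(long):
            n = short + n[len(long):]
    return n


class SpanConfigError(ValueError):
    pass


def span_commands(session, sources, destination, direction="both",
                  other_destinations=()):
    """IOS lines for one local SPAN session, after checking the rules from
    the article: the destination is not also a source, is not an
    EtherChannel (Po) group, and is not a destination in another session."""
    if direction not in ("rx", "tx", "both"):
        raise SpanConfigError("direction must be rx, tx or both")
    dest = _norm(destination)
    if dest in {_norm(s) for s in sources}:
        raise SpanConfigError(f"{destination} cannot be source and destination")
    if dest.startswith("po"):
        raise SpanConfigError("a destination port cannot be an EtherChannel group")
    if dest in {_norm(d) for d in other_destinations}:
        raise SpanConfigError(f"{destination} is already a destination elsewhere")
    cmds = [f"monitor session {session} source interface {s} {direction}"
            for s in sources]
    cmds.append(f"monitor session {session} destination interface {destination}")
    return cmds


def _ports(text):
    return [p.strip() for p in text.split(",") if p.strip() and p.strip() != "None"]


def parse_show_monitor(text):
    """Parse `show monitor session N detail` into session number, source
    ports per direction, destination ports and the ingress state."""
    out = {"sources": {"rx": [], "tx": [], "both": []}, "destination": [],
           "ingress": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Session\s+(\d+)", line)
        if m:
            out["session"] = int(m.group(1))
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "source ports":
            section = "ports"
        elif key == "source vlans":
            section = "vlans"          # VLAN sources are ignored here
        elif key == "destination ports":
            out["destination"] = _ports(value)
            section = None
        elif key == "ingress":
            out["ingress"] = value.strip()
        elif section == "ports" and key in ("rx only", "tx only", "both"):
            out["sources"][key.split()[0]] = _ports(value)
    return out


def verify_session(parsed, session, sources, destination, direction="both"):
    """List discrepancies between the plan and what the switch reports;
    an empty list means the session is doing what you asked for."""
    problems = []
    if parsed.get("session") != session:
        problems.append(f"session {parsed.get('session')} shown, wanted {session}")
    want = sorted(_norm(s) for s in sources)
    got = sorted(_norm(s) for s in parsed["sources"][direction])
    if want != got:
        problems.append(f"{direction} sources {got} != planned {want}")
    if [_norm(d) for d in parsed["destination"]] != [_norm(destination)]:
        problems.append(f"destination {parsed['destination']} != {destination}")
    if parsed["ingress"] != "Disabled":   # assumption: analyser must stay passive
        problems.append("ingress forwarding is enabled on the analyser port")
    return problems


SAMPLE_SHOW = """\
Session 1
---------
Type              : Local Session
Source Ports      :
    RX Only       : None
    TX Only       : None
    Both          : Fa0/1
Source VLANs      :
    RX Only       : None
    TX Only       : None
    Both          : None
Source RSPAN VLAN : None
Destination Ports : Fa0/24
    Encapsulation : Native
          Ingress : Disabled
Reflector Port    : None
Filter VLANs      : None
Dest RSPAN VLAN   : None
"""
```

Two operational points worth checking with this kind of verification: a destination port of the same speed as the source cannot carry both directions of a saturated full-duplex link, and the switch drops the excess silently, so mirror only the direction you need or use a faster destination port; and the Ingress: Disabled state is what keeps the monitoring workstation passive, so treat any session that reports it enabled as a finding, since the analyser host then has a path into the monitored VLAN.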

Turning to our Capsa Enterprise network analyser, thanks to its predefined filters we were able to catch packets to and from the monitored workstation:

[Figure: cisco-switches-span-3 – captured packets in Capsa Enterprise]

This completes our discussion on SPAN configuration and how to monitor/capture packets on a Cisco Catalyst switch.  Upcoming articles will cover RSPAN and more advanced packet capturing techniques using dedicated VLANs for captured traffic and other complex scenarios.



Colasoft Capsa Won the Best Products of 2012 Award from PC Magazine

January 23rd, 2013

Colasoft received the Best Products of 2012 Award from PC Magazine for Colasoft Capsa, one of our flagship software products designed for LAN and WLAN network monitoring, troubleshooting and analysis. Capsa gets a 4.5-star Editors’ Choice pick for networking utilities.

The editors of PC Magazine note that Capsa is a well-designed, fairly user-friendly (at least for network admins), Windows-oriented network analysis tool that offers network admins deep insight into their networks without the steep learning curve required to learn the ins and outs of Wireshark, plus Capsa is heavier on data visualization.

Source: http://www.pcmag.com/article2/0,2817,2408410,00.asp


Use Filters to Capture Packets between Two Hosts

November 11th, 2012

Product Versions: Since Capsa 7.0

Intended Audience:

  • Capsa Enterprise users
  • Capsa Professional users
  • Capsa WiFi users
  • Capsa Free users
  • Including all Demo and Evaluation users

Often, when running a test or experiment, we only need to capture the packets exchanged between two hosts, typically between the local host and another host or server. To capture only those packets we use a capture filter that discards everything else. For instance, to capture only the packets between my host and the Colasoft website:

  • My IP address – 192.168.6.112
  • Colasoft Website IP address – 207.218.235.182

Before getting started, figure out the best place to capture the packet data: make sure you are capturing on the path of the traffic flow (read Where to Capture Packets on my Network for details). If you plan to capture packets between your local host and another machine, the convenient way is to install Capsa on your own machine. Then follow the steps below to create and enable a capture filter.

Create a Capture Filter in Capsa

  • Run Capsa and click the Set Capture Filter link in the top-right corner (see figure: Capsa Start Page).
  • The Capture Filter window appears. Click the Add button at the bottom of the window (see figure: Filter Manager).
  • Enter a Name, tick Address Rule, choose IP Address from the Address 1 drop-down list and type 192.168.6.112 in the textbox below it. Then choose IP Address from the Address 2 drop-down list and type 207.218.235.182 (see figure: Filter).
  • Click OK.
  • Tick the new filter’s Accept checkbox and click OK (see figure: Enable Filter).

The filter is now created and enabled, so Capsa will capture packet data only between my host and the remote IP address. Click the Start button to begin capturing, and only packets between my local IP and the Colasoft website address are shown (see figure: Packets). In the same way you can create filters for particular IP or MAC addresses, and combine them into advanced filters with multiple conditions.


Tips:

  • We suggest using the Export function to back up your filter settings (the Export button is shown in Figure A); make sure you export all filters.
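What the Address 1/Address 2 rule above actually selects, as an added example rather than Capsa code: a packet is accepted when its source and destination are the two configured addresses in either order, so both the request and the reply are kept and a rule written as “source A, destination B” would miss half the conversation. The packet records are constructed; the two addresses are the ones used in the steps above, and the text filters returned by `capture_filters` are the standard BPF and Wireshark forms of the same rule.

```python
"""Bidirectional two-host capture filter over constructed packet records.
Added example, not Capsa's implementation."""
from ipaddress import ip_address

MY_HOST = "192.168.6.112"
WEBSITE = "207.218.235.182"


def host_pair_filter(addr_a, addr_b):
    """Accept a packet only if {src, dst} == {addr_a, addr_b}, i.e. the two
    hosts talking to each other in either direction."""
    wanted = {ip_address(addr_a), ip_address(addr_b)}

    def accept(pkt):
        return {ip_address(pkt["src"]), ip_address(pkt["dst"])} == wanted
    return accept


def capture_filters(addr_a, addr_b):
    """The same rule in the two text syntaxes most capture tools accept."""
    return {"bpf": f"host {addr_a} and host {addr_b}",
            "wireshark": f"ip.addr == {addr_a} && ip.addr == {addr_b}"}


# Constructed packets: the exchange we want plus the background noise a
# capture on the local host would also see.
PACKETS = [
    {"src": MY_HOST, "dst": WEBSITE, "info": "SYN"},
    {"src": WEBSITE, "dst": MY_HOST, "info": "SYN/ACK"},
    {"src": MY_HOST, "dst": "192.168.6.1", "info": "DNS query"},
    {"src": "192.168.6.1", "dst": MY_HOST, "info": "DNS response"},
    {"src": WEBSITE, "dst": "192.168.6.200", "info": "another client"},
]


def apply_filter(packets, accept):
    return [p for p in packets if accept(p)]


if __name__ == "__main__":
    kept = apply_filter(PACKETS, host_pair_filter(MY_HOST, WEBSITE))
    print([p["info"] for p in kept], capture_filters(MY_HOST, WEBSITE)["bpf"])
```

Before trusting any capture filter, generate a known exchange (a ping or a single page load) and confirm both directions appear; a filter that only shows one direction is the most common reason an analysis comes out with retransmissions or “missing” responses that were never missing.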


Video Tutorials for nChronos

September 13th, 2012

About nChronos

nChronos is a back-in-time network analysis server for high-performance, business-critical enterprise networks. It combines the nChronos Console and the nChronos Server to deliver 24×7 continuous packet capture, unlimited data storage, efficient data mining and in-depth traffic analysis.

The nChronos Console provides quick access to all the distributed nChronos Servers where packets are stored. It serves as the centre of enterprise network management, visualizing overall network activity, drilling down to isolate performance issues and troubleshooting high-priority and critical network problems.

The nChronos Server captures packets 24×7 in real time and continually stores them to disk for quick retrieval of packets and statistics. Deployed non-intrusively on a standard network mirror port or link tap, it provides the raw packets that let the Console go back in time and perform retrospective network analysis.

With nChronos, you can

  • Retrospectively analyze historical network traffic;
  • Monitor the network proactively and manage it cost-effectively;
  • Drill down efficiently into indexed data for data mining;
  • Perform forensic analysis and mitigate security risks;
  • Manage distributed LAN/WAN networks remotely.

Video Tutorials List


Colasoft Announces Colasoft-Firewall.cx Collaboration

August 21st, 2012

Colasoft, an innovative network analysis solution provider, announces its official collaboration with Firewall.cx, one of the world’s leading networking technology websites.

“With this collaboration, more users can benefit from our most popular and multi-awarded software applications covering network and packet analysis solutions, and with feedback from the users, a slew of improvements will be made in future releases and products,” said Roy Luo, founder and CEO of Colasoft.

Our products, including nChronos back-in-time network analysis server, Capsa network analyzer and freeware will be available on Firewall.cx, and our products will be used for its upcoming network analysis articles.

About Colasoft

Ever since 2001, Colasoft has dedicated itself to the development of innovative network analysis software and solutions. The flagship products nChronos and Capsa network analyzer are offering real-time and back-in-time network analysis solutions for organizations of all sizes. Colasoft is a fast-growing company with more than half million users in over 80 countries. Featured customers include IBM, Dell, Philips, Emerson, and other industry leading companies.


Colasoft Launches Version 3.1 nChronos Back-in-time Network Analysis Solution

August 16th, 2012

Capability, Customization, User Experience, All Enhanced in nChronos 3.1

Chengdu, China – August 16, 2012 – Colasoft, an innovative provider of network analysis software and solutions, today announced a new version of its flagship product, the nChronos back-in-time network analysis solution. Capability, customization and user experience are all enhanced in v3.1, which allows network administrators to easily perform back-in-time and real-time analysis of high-performance enterprise networks over long periods of time.

nChronos now delivers real-time network monitoring: key real-time traffic statistics and charts, such as throughput and top IP talkers, are available, helping maintain a productive enterprise network by giving visibility of bandwidth usage. It also provides long-term packet capture and recording, so you can zoom in on any traffic anomaly that needs deeper investigation and quickly find the root cause. A 40-day time window is now available, so much longer traffic trends can be displayed and analyzed.

“Our customers want to control both back-in-time and real-time network,” said Kang Lin, Vice President at Colasoft. “The new nChronos capability fulfills both of these needs, and unlike existing solutions in the market, we enable customers to enjoy this without paying a high price for what is fundamentally a very simple software solution. It is more flexible.”

Alarms are also the first line of defense for business networks: they let network administrators instantly identify and resolve network problems. Practical alarms, including email, domain and signature alarms, are now available. The traffic-anomaly alarm has also been enhanced so that you can customize alarms with complex thresholds to monitor network faults and abnormal activity.

The new nChronos also has an optimized user interface, security settings and activation mechanism, making for a better user experience.

The evaluation version is now available at Colasoft website www.colasoft.com.  

About nChronos
nChronos is a back-in-time network analysis server for high performance & critical enterprise networks including the following key features:

  • Back-in-time network analysis of historical traffic for forensics;
  • Benchmark and visualize trends of network performance;
  • 7×24 real-time network traffic capturing and recording;
  • Critical links monitoring & alerting;
  • In-depth network analysis for performance optimization;
  • Efficient drill-down for data-mining & index;

For more information, please visit http://www.colasoft.com/nchronos/index.php.

About Colasoft
Ever since 2001, Colasoft has dedicated itself to the development of innovative network analysis software and solutions. The flagship products nChronos and Capsa network analyzer are offering real-time and back-in-time network analysis solutions for organizations of all sizes. Colasoft is a fast-growing company with more than half million users in over 80 countries. Featured customers include IBM, Dell, Philips, Emerson, and other industry leading companies. For more information about Colasoft, please visit www.colasoft.com.


Colasoft Announces the Release of Capsa Network Analyzer 7.6

June 20th, 2012

Capsa Network Analyzer 7.6 is newly released! You are welcome to try all the new features and improvements. The free trial is available for download on the Colasoft website.

New features and improvements in Capsa network analyzer 7.6:

  • A unique analysis task scheduler for presetting the time of analysis projects;
  • Global configurations can be exported and imported;
  • Display filters for isolating and viewing particular items;
  • Reports with a user-defined name and optional statistic items;
  • Logs can be automatically saved in *.csv format;
  • Capsa can now identify the encryption type of an AP automatically;
  • A MAC address column is added to the Log tab;
  • Settings for analysis profiles have been optimized;
  • Local engine settings are merged into Options on the Menu button;
  • Capsa can now decode the IP-in-IP tunnel protocol;
  • Analysis profiles, such as Traffic Monitor, Protocol Analysis and IM Analysis have been

Read the detailed descriptions about the new features here. For more information, please visit www.colasoft.com.

How to Create and Edit Custom Protocol

May 20th, 2012

Although Capsa network analyzer supports more than 160 protocols, there are still circumstances in which you need to add your own private protocol rules: for example, a special service in your network uses a private TCP port and you want Capsa to recognize it, or a standard protocol runs on a non-standard port. This document shows how to create custom protocols and edit built-in protocols as needed.
Create Custom Protocols
If you want to create a private protocol rule, follow the instructions below.
Step 1, run Capsa network analyzer. On the Start Page, click the Menu button (on the top-left corner). Choose Local Engine Settings -> Custom Protocol from the menu.
Step 2, on the Custom Protocol window, you can click the Add… button to create a custom protocol. For example, you are testing a new protocol, which uses TCP port 8080. You can just click Add, and type in protocol name, short name and port number, and choose a color for the protocol on the new dialog box. Then click OK to save the custom protocol.

Note: if the capture is running, you need to go back to the start page. Otherwise the Add button and Edit button will be grayed out.
Edit Protocols
If you use non-standard ports in your network, for example DNS not on port 53 (TCP or UDP) or HTTP not on TCP port 80, you should modify the default port number of these built-in protocols; otherwise Capsa will classify the traffic as TCP Other or UDP Other. As an example, suppose HTTP uses TCP port 8080 rather than port 80.
Step 1, open the Custom Protocol window, type in http in the search box.
Step 2, double-click on the HTTP protocol item, and modify its port number to 8080 in the dialog box. Click OK to save.

Now if you start a capture or replay a packet file, all packets using TCP port 8080 will be labeled as HTTP. Note that editing the built-in rule this way moves the HTTP label from port 80 to 8080; if you still have ordinary HTTP on port 80 as well, add a custom protocol for 8080 instead of editing HTTP. On the Custom Protocol window you can create private protocols based on TCP/UDP ports, IP protocol type and Ethernet type; TCP and UDP port numbers are used far more often than the other two. Keep in mind that these rules label traffic by port alone and do not inspect the payload, so whatever an attacker runs on port 80 or 443 will still be labeled HTTP or HTTPS. You can also use the Import and Export buttons to back up your private protocols.
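The rule table described above, as an added example that is not Capsa’s implementation: the three rule kinds the Custom Protocol window exposes (TCP/UDP port, IP protocol type, Ethernet type), the TCP Other / UDP Other fallback, and the difference between editing the built-in HTTP rule and adding a custom one. The built-in table is a small assumed subset and the packets are constructed dictionaries.

```python
"""Port-table protocol labelling with editable built-in rules.
Added example; not Capsa code. Built-in table is an assumed subset."""

ETHERTYPE_IPV4 = 0x0800


class ProtocolTable:
    def __init__(self):
        self.ethertypes = {0x0806: "ARP", 0x86DD: "IPv6"}
        self.ip_protos = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}
        self.ports = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
                      ("tcp", 53): "DNS", ("udp", 53): "DNS"}

    def add_port_rule(self, transport, port, name):
        """Custom protocol on a private port (the 'Add...' button)."""
        key = (transport.lower(), int(port))
        if key in self.ports:
            raise ValueError(f"{transport}/{port} is already {self.ports[key]}")
        self.ports[key] = name

    def edit_port_rule(self, name, transport, new_port):
        """Move a built-in protocol to another port (the 'Edit' dialog).
        The old port is released, so traffic there falls back to 'TCP Other'."""
        t = transport.lower()
        old = [k for k, v in self.ports.items() if v == name and k[0] == t]
        if not old:
            raise KeyError(f"no {transport} rule named {name}")
        for k in old:
            del self.ports[k]
        self.ports[(t, int(new_port))] = name

    def add_ethertype_rule(self, ethertype, name):
        self.ethertypes[int(ethertype)] = name

    def add_ip_proto_rule(self, proto, name):
        self.ip_protos[int(proto)] = name

    def classify(self, pkt):
        """Ethernet type first, then IP protocol, then TCP/UDP port. The
        destination (server) port is checked before the source port so that
        both directions of a connection get the same label. Port-based only:
        nothing here looks at the payload."""
        et = pkt["ethertype"]
        if et != ETHERTYPE_IPV4:
            return self.ethertypes.get(et, f"Ethertype 0x{et:04X}")
        proto = pkt["ip_proto"]
        transport = self.ip_protos.get(proto, f"IP proto {proto}")
        if transport not in ("TCP", "UDP"):
            return transport
        t = transport.lower()
        for port in (pkt["dst_port"], pkt["src_port"]):
            if (t, port) in self.ports:
                return self.ports[(t, port)]
        return f"{transport} Other"


def tcp(dst_port, src_port=50000):
    """Constructed TCP packet record with just the fields classify() needs."""
    return {"ethertype": ETHERTYPE_IPV4, "ip_proto": 6,
            "src_port": src_port, "dst_port": dst_port}


if __name__ == "__main__":
    table = ProtocolTable()
    print("before edit:", table.classify(tcp(8080)))   # TCP Other
    table.edit_port_rule("HTTP", "tcp", 8080)
    print("after edit: ", table.classify(tcp(8080)), "/", table.classify(tcp(80)))
```

For monitoring and detection work the useful habit is the reverse of this how-to: rather than making every odd port look normal, leave the defaults alone, add custom rules only for services you have inventoried, and review what is left in TCP Other and UDP Other, because that bucket is where an unexpected listener or a tunnel on an unusual port shows up first.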

FAQ: Why are the Add/Edit/Delete buttons of the Custom Protocol window grayed out?
You cannot change protocol rules while a capture is running because the changes could crash the program. To add or edit protocol rules, stop the capture and go back to the Start Page (if you run multiple instances, close all the others). Then click the Menu button in the top-left corner of the Start Page and choose Local Engine Settings > Custom Protocol to open the Custom Protocol window; the buttons will now be clickable.