
Colasoft Capsa Data Packet Analyzer v7.7 Released

February 26th, 2013

February 26, 2013 – Colasoft, an Oklahoma company, is a leading provider of innovative, affordable network analysis software. Colasoft today announced the release of its latest Capsa Network Analyzer, version 7.7, a real-time portable network analyzer for wired and wireless network monitoring, bandwidth analysis and intrusion detection.

In addition to bandwidth monitoring and traffic analysis, Capsa Enterprise now has filters and views that not only alert on a cyber attack but also allow detailed packet analysis to assess its impact. A free trial version is available for download at: http://www.colasoft.com/download/products/download_capsa.php

Capsa now lets network engineers create custom alarm rules to monitor for network anomalies such as excessive traffic throughput, excessive broadcast packets, suspicious conversations and much more. Capsa 7.7 raises an alarm and sends an email notification the moment a rule triggers, so you can react within minutes to a network violation or cyber attack.


“Capsa is the only Packet Sniffer and Packet Decoder to provide an easy-to-use GUI combined with CyberAttack Detection features,” said Brian K. Smith, Vice President at Colasoft LLC, “found only in a more expensive Intrusion Detection Application. Colasoft Capsa now offers the Network Engineer one of the most robust Bandwidth and Packet Analysis tools available.”

With the release of Capsa 7.7, more than ten new decoders were added, for protocols including SIP, SDP, MEGACO/H.248, MGCP, Q.931, SAP, H.225, RMI, Oracle, MMS, GOOSE, SMV and GMRP; several of these are VoIP protocols. Capsa inherently analyzes VoIP issues such as voice quality (QoS), dropped packets and connectivity problems.


The following are brief descriptions for some of these protocols:

  • SIP (Session Initiation Protocol): a widely used protocol for controlling communication sessions such as voice and video calls over Internet Protocol (IP).
  • SDP (Session Description Protocol): a format for describing streaming media initialization parameters [RFC 4566].
  • MEGACO/H.248 (Gateway Control Protocol): an ITU Telecommunication Standardization Sector (ITU-T) recommendation defining the protocol used between the elements of a physically decomposed multimedia gateway.
  • MGCP (Media Gateway Control Protocol): a protocol used for controlling media gateways on Internet Protocol (IP) networks and the public switched telephone network (PSTN).
  • Q.931: the ITU standard ISDN connection control signaling protocol, forming part of Digital Subscriber Signaling System No. 1.
  • SAP (Session Announcement Protocol): an experimental protocol for broadcasting multicast session information [RFC 2974].
  • H.225: part of the H.323 family of telecommunication protocols.
  • Oracle: the network protocol used by Oracle Database clients and servers to transfer data.
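As an added example (mine, not Colasoft code and not a description of how Capsa's decoder is built), the Python below does the basic decoding job for two of the protocols listed: it splits a SIP INVITE (RFC 3261) into request line, headers and body, refuses a body shorter than the declared Content-Length rather than trusting the header, and pulls the connection address and RTP port out of the SDP offer (RFC 4566) so the media stream can be filtered for. The INVITE is constructed using RFC example addresses, not taken from a capture.

```python
"""Decode a SIP INVITE and the SDP offer it carries, the kind of work a protocol
decoder does for SIP (RFC 3261) and SDP (RFC 4566).
Added example, not Colasoft code; the message below is constructed."""
from dataclasses import dataclass, field

# Constructed SIP INVITE with an SDP body (RFC documentation addresses, not a capture).
SIP_HEAD = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: {length}\r\n\r\n"
)
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def sample_invite() -> bytes:
    """Assemble the constructed INVITE with a correct Content-Length (bytes, not characters)."""
    body = SDP_BODY.encode()
    return SIP_HEAD.format(length=len(body)).encode() + body


@dataclass
class SipMessage:
    method: str
    request_uri: str
    headers: dict                       # header names lower-cased
    body: str
    media: list = field(default_factory=list)   # (media type, connection IP, port)


def parse_sdp_media(sdp: str) -> list:
    """Return (media, ip, port) per m= line; a media-level c= overrides the session c=."""
    session_ip, media = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):             # c=<nettype> <addrtype> <connection-address>
            ip = line[2:].split()[2]
            if media:                          # c= after an m= applies to that media only
                media[-1] = (media[-1][0], ip, media[-1][2])
            else:
                session_ip = ip
        elif line.startswith("m="):           # m=<media> <port> <proto> <fmt> ...
            mtype, port = line[2:].split()[:2]
            media.append((mtype, session_ip, int(port)))
    return media


def decode_sip(raw: bytes) -> SipMessage:
    """Split headers from body, honour Content-Length, decode SDP if present (requests only)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF separator between headers and body")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, request_uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError(f"unexpected SIP version {version!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # only the first colon separates name and value
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    if declared > len(body):
        # A decoder must not trust the header blindly: the datagram may be truncated.
        raise ValueError(f"truncated body: Content-Length {declared}, only {len(body)} bytes present")
    body_text = body[:declared].decode("utf-8", "replace")
    media = []
    if headers.get("content-type", "").lower() == "application/sdp":
        media = parse_sdp_media(body_text)
    return SipMessage(method, request_uri, headers, body_text, media)


def rtp_endpoints(msg: SipMessage) -> list:
    """(ip, port) pairs to filter on when chasing the RTP stream of this call."""
    return [(ip, port) for _, ip, port in msg.media if port != 0]   # port 0 means media rejected
```

The signalling (SIP over 5060) and the media (RTP on the port named in the m= line) travel on different ports, which is why an analyzer has to decode the SDP before it can find the voice packets whose quality it reports on.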

Additionally, Capsa can now alert on “Suspicious Conversations”, track employee activity and even log and view IM conversations. Capsa not only identifies “Top Talkers” but also helps protect your company against internal theft of intellectual property.

Capsa 7.7 is compatible with Windows XP/2003/2008/Vista/Windows 7/Windows 8.

About Capsa

Capsa is an easy-to-use Ethernet packet sniffer (network analyzer or network sniffer) for network monitoring and troubleshooting. It performs real-time packet capture, 24×7 network monitoring, reliable network forensics, advanced protocol analysis, in-depth packet decoding and automatic expert diagnosis. By giving you insight into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify bottlenecks and bandwidth use, and detect network vulnerabilities.

About Colasoft

Since 2001, Colasoft, an Oklahoma company, has been an innovative provider of all-in-one, easy-to-use software for monitoring network activity, analyzing network performance, enhancing network security and troubleshooting network problems. More than 5,000 customers in over 80 countries trust the company’s flagship product, Capsa Packet Sniffer, as their network monitoring and troubleshooting solution. Please visit http://www.colasoft.com for more information.


NAT Packet Analysis Using Wireshark

February 4th, 2013

by Tony Fortunato

Source: http://www.lovemytool.com/blog/2013/02/nat-packet-analysis-using-wireshark-by-tony-fortunato.html

One of the most popular questions I get when people get the hang of protocol analysis is the daunting exercise of multitrace analysis. As with anything else the best advice is to start with the basics before tackling anything complicated.

Multitrace analysis is only effective if you truly understand your vendors’ products, networking and how it relates to the OSI model or packet analysis. I always suggest that you start at layer 1 and work your way up. The key is to know which fields in the frame or packet change, or remain the same. Ideally, when you figure this out you can use a better capture or display filter.

A multitrace capture of a hub, switched, or bridged network is the most straightforward, since a hub or switch is transparent at layer 1 or 2 and doesn’t change anything in the packet.

When you move up to layer 3, or routing, several things change in the packet, such as MAC address, IP TTL and TOS. Of course your mileage will vary, and any device could be configured to muck with more bits in the packet, but I figure I would give you a point of reference.

At layer 4 we get into application gateways, proxies, firewalls and NAT-type devices, where the following packet fields get modified: MAC address, IP address, IP TOS, TCP/UDP port numbers, TCP ACK/SEQ values, etc.

Lastly, at layer 7, we are dealing with multi-tiered applications and basically everything changes in the packet.

In this video example I do a multitrace analysis of a simple Netgear router/NAT/firewall device, where I take a trace from the WAN and LAN side to compare. Not to sound like a broken record, but please remember that your devices might behave totally differently, and these notes and techniques should only be used as a reference in your environment.

Check the video here:
http://www.youtube.com/embed/J9FzaFryQIw?feature=oembed
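The advice above, worked through as an added Python example that is mine and not part of Tony Fortunato's post: two constructed packet lists stand in for the LAN-side and WAN-side traces of a home router doing source NAT, and the code tries candidate sets of "unchanged" fields to see which ones correlate packets across the two captures without ambiguity, then reports which fields the device rewrote and which WAN packets never reached the LAN. The field names and values are this example's own; a real capture would be read with a pcap library instead of the inline lists.

```python
"""Correlate LAN-side and WAN-side captures of the same flow through a NAT
device by finding the fields the device leaves untouched.
Added example, not Tony Fortunato's code; the two packet lists are constructed
to mimic a home router doing source NAT, and the field names are this
example's own."""
from collections import defaultdict

FIELDS = ("src_mac", "dst_mac", "src_ip", "dst_ip", "ip_id", "ttl", "tos",
          "proto", "src_port", "dst_port", "tcp_seq", "payload_len")


def _pkt(base, **changes):
    """Copy a packet dict and override some fields."""
    p = dict(base)
    p.update(changes)
    return p


# Constructed: client 192.168.1.10 behind a NAT router, HTTP to 198.51.100.80.
_LAN_BASE = dict(src_mac="00:11:22:33:44:55", dst_mac="aa:bb:cc:dd:ee:01",
                 src_ip="192.168.1.10", dst_ip="198.51.100.80", ttl=64, tos=0,
                 proto=6, src_port=51000, dst_port=80)
LAN_TRACE = [
    _pkt(_LAN_BASE, ip_id=6699, tcp_seq=1000, payload_len=0),    # SYN
    _pkt(_LAN_BASE, ip_id=6700, tcp_seq=1001, payload_len=120),  # GET
    _pkt(_LAN_BASE, ip_id=6701, tcp_seq=1121, payload_len=0),    # ACK
    _pkt(_LAN_BASE, ip_id=6702, tcp_seq=1121, payload_len=300),  # POST
]
# The same packets after translation: new MACs, public source IP/port, TTL decremented.
_WAN_BASE = _pkt(_LAN_BASE, src_mac="aa:bb:cc:dd:ee:02", dst_mac="de:ad:be:ef:00:01",
                 src_ip="203.0.113.5", src_port=1025, ttl=63)
WAN_TRACE = [
    _pkt(_WAN_BASE, ip_id=6699, tcp_seq=1000, payload_len=0),
    _pkt(_WAN_BASE, ip_id=6700, tcp_seq=1001, payload_len=120),
    _pkt(_WAN_BASE, ip_id=6701, tcp_seq=1121, payload_len=0),
    _pkt(_WAN_BASE, ip_id=6702, tcp_seq=1121, payload_len=300),
    # Inbound probe the router dropped, so it never appears on the LAN side.
    _pkt(_WAN_BASE, src_mac="de:ad:be:ef:00:01", dst_mac="aa:bb:cc:dd:ee:02",
         src_ip="192.0.2.99", dst_ip="203.0.113.5", src_port=40000, dst_port=22,
         ttl=51, ip_id=4242, tcp_seq=777000, payload_len=0),
]
# Candidate "what stays the same" field sets to evaluate against the two traces.
CANDIDATE_KEYS = [("src_ip", "src_port"), ("payload_len",),
                  ("tcp_seq", "payload_len"), ("ip_id", "tcp_seq", "payload_len")]


def match_traces(lan, wan, key_fields):
    """Map LAN packet index -> WAN packet index where the key matches exactly one
    WAN packet; returns (matches, number_of_ambiguous_lan_packets)."""
    index = defaultdict(list)
    for j, p in enumerate(wan):
        index[tuple(p[f] for f in key_fields)].append(j)
    matches, ambiguous = {}, 0
    for i, p in enumerate(lan):
        cands = index.get(tuple(p[f] for f in key_fields), [])
        if len(cands) == 1:
            matches[i] = cands[0]
        elif len(cands) > 1:
            ambiguous += 1          # key too weak to tell these packets apart
    return matches, ambiguous


def diff_fields(a, b):
    """Fields the device changed between the two copies of one packet."""
    return sorted(f for f in FIELDS if a[f] != b[f])


def unmatched_wan(wan, matches):
    """WAN packets with no LAN counterpart (dropped inbound, router-originated, ...)."""
    seen = set(matches.values())
    return [j for j in range(len(wan)) if j not in seen]


def rank_keys(lan, wan, candidates):
    """Score candidate invariant-field sets: most unique matches, fewest collisions,
    then the smallest key that still does the job."""
    scored = []
    for key in candidates:
        matches, ambiguous = match_traces(lan, wan, key)
        scored.append((key, len(matches), ambiguous))
    return sorted(scored, key=lambda s: (-s[1], s[2], len(s[0])))
```

Run rank_keys over your own pair of traces before settling on a capture filter: the set that ranks first tells you which fields survived the device, and diff_fields on one matched pair lists exactly what it rewrote (here the MACs, source IP and port, and TTL, as the layer 3 and 4 notes above predict). A firewall that randomises TCP sequence numbers would knock tcp_seq out of the winning key, which is why the candidates are tested rather than assumed.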

Configuring SPAN On Cisco Catalyst Switches – Monitor & Capture Network Traffic/Packets

January 29th, 2013

Source: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-switches/940-cisco-switches-span-monitoring.html

Being able to monitor your network traffic is essential when it comes to troubleshooting problems, performing a security audit, or even casually checking your network for suspicious traffic.

Back in the old days, whenever there was a need to monitor or capture network traffic, a hub would be introduced somewhere in the network link and, thanks to the hub’s simple design, it would repeat every frame arriving on one port out of all the other ports, making it very easy to monitor network traffic. Those interested in hub fundamentals can read our Hubs & Repeaters article.

Switches, of course, work on an entirely different principle: a unicast frame is forwarded only to the port on which its destination MAC address was learned, so the other ports never see it. Only broadcast and multicast frames (and frames to addresses the switch has not yet learned) are flooded out of every port.

Thankfully, monitoring network traffic on Cisco Catalyst switches is a straightforward process and does not require a hub. The Cisco method is called Switched Port Analyser, also known as SPAN.

Understanding SPAN Terminology

  • Ingress Traffic: Traffic that enters the switch
  • Egress Traffic: Traffic that leaves the switch
  • Source (SPAN) port: A port that is monitored
  • Source (SPAN) VLAN: A VLAN whose traffic is monitored
  • Destination (SPAN) port: A port that receives the mirrored copy of the source ports’ traffic. This is usually where a network analyser is connected.
  • Remote SPAN (RSPAN): When Source ports are not located on the same switch as the Destination port. RSPAN is an advanced feature that requires a special VLAN to carry the monitored traffic and is not supported by all switches. RSPAN explanation and configuration will be covered on another article.

[Figure cisco-switches-span-1: network diagram illustrating the SPAN terminology]

The network diagram above helps us understand the terminology and implementation of SPAN.

Source SPAN ports are monitored for received (RX), transmitted (TX) or bidirectional (both) traffic. Traffic entering or exiting the source SPAN ports is mirrored to the destination SPAN port. Typically, you would connect a PC with a network analyser (we trust and use Colasoft’s Capsa Enterprise) to the destination SPAN port and configure it to capture and analyse the traffic.

The amount of information you can obtain from a SPAN session really depends on how well the captured data can be interpreted and understood.  Tools such as Capsa Enterprise will not only show the captured packets, but automatically diagnose problems such as TCP retransmissions, DNS failures, slow TCP responses, ICMP redirect messages and much more. These capabilities help any engineer quickly locate network problems which otherwise could not be easily found.

Basic Characteristics and Limitations of Source Port

A source port has the following characteristics:

  • It can be any port type, such as EtherChannel, Fast Ethernet, Gigabit Ethernet, and so forth.
  • It can be monitored in multiple SPAN sessions.
  • It cannot be a destination port (that’s where the packet analyser connects to)
  • Each source port can be configured with a direction (ingress, egress, or both) to monitor. For EtherChannel sources, the monitored direction applies to all physical ports in the group.
  • Source ports can be in the same or different VLANs.
  • For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

Basic Characteristics and Limitations of Destination Port

Each SPAN session must have a destination port that receives a copy of the traffic from the source ports and VLANs.

A destination port has these characteristics:

  • A destination port must reside on the same switch as the source port (for a local SPAN session).
  • A destination port can be any Ethernet physical port.
  • A destination port can participate in only one SPAN session at a time.
  • A destination port in one SPAN session cannot be a destination port for a second SPAN session.
  • A destination port cannot be a source port.
  • A destination port cannot be an EtherChannel group.

Limitations of SPAN on Cisco Catalyst Models

Following are the limitations of SPAN on various Cisco Catalyst switches:

  • Cisco Catalyst 2950 switches can have only one SPAN session active at a time and can monitor source ports only; they cannot monitor a source VLAN.
  • Cisco Catalyst switches can also forward traffic received on a destination SPAN port (so the attached host is not limited to listening) in Cisco IOS 12.1(13)EA1 and later
  • Cisco Catalyst 3550, 3560 and 3750 switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs
  • The Catalyst 2970, 3560, and 3750 Switches do not require the configuration of a reflector port when you configure an RSPAN session.
  • The Catalyst 3750 Switches support session configuration with the use of source and destination ports that reside on any of the switch stack members.
  • Only one destination port is allowed per SPAN session, and the same port cannot be a destination port for multiple SPAN sessions. Therefore, you cannot have two SPAN sessions that use the same destination port.



Configuring SPAN On Cisco Catalyst Switches

Our test-bed was a Cisco Catalyst 3550 Layer 3 switch, however the commands used are fully supported on all Cisco Catalyst 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560−E, 3750, 3750−E and 4507R Series Switches.

The diagram below represents a typical network setup where there is a need to monitor traffic entering (ingress) and exiting (egress) the port to which the router connects (FE0/1). This strategically selected port sees all traffic entering and leaving our network.

[Figure cisco-switches-span-2: R1 on FE0/1 of the Catalyst 3550, monitoring workstation on FE0/24]

Since router R1 connects to the 3550 Catalyst switch on port FE0/1, this port is configured as the Source SPAN port.  Traffic copied from FE0/1 is to be mirrored out FE0/24 where our monitoring workstation is waiting to capture the traffic.

Because serious network procedures require serious tools, we opted to work with Colasoft’s Capsa Enterprise edition, our favourite network analyser. With Capsa Enterprise, we were able to capture all packets at full network speed and easily identify the TCP sessions and data flows we were interested in. If you haven’t tried Capsa Enterprise yet, we highly recommend you do by visiting Colasoft’s website and downloading a copy.

Once our network analyser was set up and running, the first step was to configure FastEthernet 0/1 as the source SPAN port:

Catalyst-3550(config)# monitor session 1 source interface fastethernet 0/1

Next, configure FastEthernet 0/24 as the destination SPAN port:

Catalyst-3550(config)# monitor session 1 destination interface fastethernet 0/24

After entering both commands, we noticed the destination SPAN port’s LED (FE0/24) began flashing in synchronisation with FE0/1’s LED, an expected behaviour considering all FE0/1 packets were being copied to FE0/24.

Confirming the monitoring session and operation requires one simple command, show monitor session 1:

Catalyst-3550# show monitor session 1
Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/1
Destination Ports : Fa0/24
Encapsulation     : Native
Ingress           : Disabled

To display the detailed information from a saved version of the monitor configuration for a specific session, issue the show monitor session 1 detail command:

Catalyst-3550# show monitor session 1 detail
Session 1
---------
Type              : Local Session
Source Ports      :
    RX Only       : None
    TX Only       : None
    Both          : Fa0/1
Source VLANs      :
    RX Only       : None
    TX Only       : None
    Both          : None
Source RSPAN VLAN : None
Destination Ports : Fa0/24
Encapsulation     : Native
Ingress           : Disabled
Reflector Port    : None
Filter VLANs      : None
Dest RSPAN VLAN   : None

Notice how the Source Ports section shows Fa0/1 in the row named Both: we are monitoring both RX and TX packets for Fa0/1, while the destination port is set to Fa0/24. Ingress: Disabled means that frames the analyser workstation sends into Fa0/24 are dropped by the switch rather than forwarded, which is what you want on a capture port; enabling ingress on the destination interface would allow the host on that port to talk to the network as well as listen.
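A SPAN destination port hands a copy of every monitored frame to whatever is plugged into it, so a session nobody approved, or an approved session whose destination has quietly moved, deserves the same attention as a rogue hub. As an added example (mine, not from the firewall.cx article or from Cisco), the Python below parses the show monitor session detail output above, copied here as constructed text, and audits it against a small approved-sessions policy; the policy format, function names and the rogue second session are this example's own.

```python
"""Parse `show monitor session ... detail` output and audit the SPAN sessions
against an approved list. Added example, not from the firewall.cx article or
from Cisco; the policy format, function names and the rogue second session are
this example's own."""
import re

# Constructed copy of the detail output shown above: Fa0/1 mirrored to Fa0/24.
PAGE_OUTPUT = """\
Session 1
---------
Type              : Local Session
Source Ports      :
    RX Only       : None
    TX Only       : None
    Both          : Fa0/1
Source VLANs      :
    RX Only       : None
    TX Only       : None
    Both          : None
Source RSPAN VLAN : None
Destination Ports : Fa0/24
Encapsulation     : Native
Ingress           : Disabled
Reflector Port    : None
Filter VLANs      : None
Dest RSPAN VLAN   : None
"""

# Constructed: the same switch with an extra session nobody approved, mirroring the
# router port to Fa0/12 with ingress enabled (the host on Fa0/12 can also send frames).
ROGUE_OUTPUT = PAGE_OUTPUT + """\
Session 2
---------
Type              : Local Session
Source Ports      :
    RX Only       : None
    TX Only       : None
    Both          : Fa0/1
Source VLANs      :
    Both          : None
Destination Ports : Fa0/12
Encapsulation     : Native
Ingress           : Enabled, default VLAN = 1
"""

# Approved sessions: session id -> destination port and the ports mirrored in both directions.
APPROVED = {1: {"destination": "Fa0/24", "both": ["Fa0/1"]}}


def _ports(value):
    """'Fa0/1,Fa0/2' -> ['Fa0/1', 'Fa0/2']; 'None' or empty -> []."""
    value = value.strip()
    return [] if value in ("", "None") else [p.strip() for p in value.split(",")]


def parse_monitor_sessions(text):
    """Return {session_id: {...}} from the CLI output; keys not needed for the audit are ignored."""
    sessions, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Session (\d+)$", line)
        if m:
            cur = sessions.setdefault(int(m.group(1)), {
                "type": None, "source_ports": {}, "source_vlans": {},
                "destination": [], "ingress": None})
            section = None
            continue
        if cur is None or ":" not in line:
            continue                       # dashes, blank lines, text before the first session
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "source ports":
            section = "source_ports"       # the RX Only / TX Only / Both rows that follow belong here
        elif key == "source vlans":
            section = "source_vlans"
        elif key in ("rx only", "tx only", "both") and section:
            cur[section][key.split()[0]] = _ports(value)   # stored under 'rx', 'tx', 'both'
        else:
            section = None
            if key == "destination ports":
                cur["destination"] = _ports(value)
            elif key == "ingress":
                cur["ingress"] = value
            elif key == "type":
                cur["type"] = value
    return sessions


def audit_sessions(sessions, approved):
    """Return human-readable findings; an empty list means the switch matches policy."""
    findings = []
    for sid in sorted(sessions):
        s = sessions[sid]
        dest = ", ".join(s["destination"]) or "none"
        rule = approved.get(sid)
        if rule is None:
            findings.append(f"session {sid}: not in approved policy (mirrors to {dest})")
        else:
            if s["destination"] != [rule["destination"]]:
                findings.append(f"session {sid}: destination {dest} differs from approved {rule['destination']}")
            if sorted(s["source_ports"].get("both", [])) != sorted(rule.get("both", [])):
                findings.append(f"session {sid}: source ports {s['source_ports']} differ from approved {rule.get('both', [])}")
        if s["ingress"] and not s["ingress"].lower().startswith("disabled"):
            findings.append(f"session {sid}: ingress '{s['ingress']}' on destination {dest}, the attached host can inject frames")
    for sid in sorted(set(approved) - set(sessions)):
        findings.append(f"session {sid}: approved but not configured, capture is not running")
    return findings
```

Feed it the output of show monitor session all detail collected from each switch and treat any finding as a change-control question; the last loop also catches the opposite failure, an approved capture session that someone removed, which would leave the analyser silently blind.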

Turning to our Capsa Enterprise network analyser, thanks to its predefined filters we were able to catch packets to and from the monitored workstation:

[Figure cisco-switches-span-3: Capsa Enterprise screenshot showing the captured packets]

This completes our discussion on SPAN configuration and how to monitor/capture packets on a Cisco Catalyst switch.  Upcoming articles will cover RSPAN and more advanced packet capturing techniques using dedicated VLANs for captured traffic and other complex scenarios.



Colasoft Capsa Won the Best Products of 2012 Award from PC Magazine

January 23rd, 2013

Colasoft received the Best Products of 2012 Award from PC Magazine for Colasoft Capsa, one of our flagship software products designed for LAN and WLAN network monitoring, troubleshooting and analysis. Capsa gets a 4.5-star Editors’ Choice pick for networking utilities.

The editors of PC Magazine note that Capsa is a well-designed, fairly user-friendly (at least for network admins), Windows-oriented network analysis tool that gives network admins deep insight into their networks without the steep learning curve of Wireshark, and that Capsa is heavier on data visualization.

Source: http://www.pcmag.com/article2/0,2817,2408410,00.asp


Video Tutorials for nChronos

September 13th, 2012

About nChronos

nChronos is a back-in-time network analysis server for high-performance, critical enterprise networks. It combines the nChronos Console and the nChronos Server to deliver 7×24 continuous packet capture, unlimited data storage, efficient data mining and in-depth traffic analysis.

The nChronos Console provides quick access to all distributed nChronos Servers where packets are stored. It serves as the centre of enterprise network management, visualizing overall network activity, drilling down to isolate performance issues, and troubleshooting high-priority and critical network problems.

The nChronos Server performs 7×24 real-time packet capture and continuously stores the packets to disk for quick retrieval of packets and statistics. Deployed non-intrusively on a standard mirror port or link tap, it provides the raw packets the Console uses to go back in time and perform retrospective network analysis.

With nChronos, you can:

  • retrospectively analyze historical network traffic;
  • monitor the network proactively and manage it cost-effectively;
  • drill down efficiently through indexed data;
  • perform forensic analysis and mitigate security risks;
  • manage distributed LAN/WAN networks remotely.

Video Tutorials List


Colasoft Announces Colasoft-Firewall.cx Collaboration

August 21st, 2012

Colasoft, an innovative network analysis solution provider, announces its official collaboration with Firewall.cx, one of the world’s leading networking technology websites.

“With this collaboration, more users can benefit from our most popular and multi-awarded software applications covering network and packet analysis solutions, and with feedback from the users, a slew of improvements will be made in future releases and products,” said Roy Luo, founder and CEO of Colasoft.

Our products, including the nChronos back-in-time network analysis server, the Capsa network analyzer and our freeware, will be available on Firewall.cx, and they will be used for its upcoming network analysis articles.

About Colasoft

Ever since 2001, Colasoft has dedicated itself to the development of innovative network analysis software and solutions. The flagship products, nChronos and the Capsa network analyzer, offer real-time and back-in-time network analysis for organizations of all sizes. Colasoft is a fast-growing company with more than half a million users in over 80 countries. Featured customers include IBM, Dell, Philips, Emerson and other industry-leading companies.


Colasoft Launches Version 3.1 nChronos Back-in-time Network Analysis Solution

August 16th, 2012

Capability, Customization, User Experience, All Enhanced in nChronos 3.1

Chengdu, China – August 16, 2012 – Colasoft, an innovative provider of network analysis software and solutions, today announced a new version of its flagship product, the nChronos back-in-time network analysis solution. Capability, customization and user experience are all enhanced in v3.1, which allows network administrators to easily perform back-in-time and real-time network analysis on high-performance enterprise networks over long periods of time.

nChronos now delivers real-time network monitoring: key real-time traffic statistics and charts, such as throughput and top IP talkers, are available. It helps maintain a productive enterprise network by providing visibility into bandwidth usage. It also provides long-term packet capture and recording, so you can zoom in on any traffic anomaly that needs deeper investigation and rapidly find the root cause. A 40-day time window is now available, so much longer traffic trends can be displayed and analyzed.

“Our customers want to control both the back-in-time and the real-time network,” said Kang Lin, Vice President at Colasoft. “The new nChronos capability fulfills both of these needs, and unlike existing solutions in the market, we enable customers to enjoy this without paying a high price for what is fundamentally a very simple software solution. It is more flexible.”

Alarms are the first line of defense for business networks, and are critical for network administrators to instantly identify and resolve network problems. Practical alarms, including email, domain and signature alarms, are now available. The traffic anomaly alarm is also enhanced, letting you customize alarms with complex thresholds to monitor network faults and abnormal activity.

The new nChronos also has an optimized user interface, security settings and activation mechanism, for a better user experience.

The evaluation version is now available at the Colasoft website, www.colasoft.com.

About nChronos
nChronos is a back-in-time network analysis server for high-performance, critical enterprise networks, with the following key features:

  • Back-in-time network analysis of historical traffic for forensics;
  • Benchmark and visualize trends of network performance;
  • 7×24 real-time network traffic capturing and recording;
  • Critical links monitoring & alerting;
  • In-depth network analysis for performance optimization;
  • Efficient drill-down for data-mining & index;

For more information, please visit http://www.colasoft.com/nchronos/index.php.



Colasoft Thanksgiving Big Sale is On The Way!

November 15th, 2011

With the Thanksgiving holiday coming very soon, Colasoft wishes all of our customers and software users a great Thanksgiving! It is a time for sharing and spreading happiness, and to celebrate this great holiday we are preparing a big sale to offer you the most cost-effective software. It is coming very soon, with discounts of up to 40% on both the Capsa network analyzer and Colasoft nChronos.

Free trials of the Capsa network analyzer and nChronos are available for download at our website, www.colasoft.com.

How to Display IP Address As Host Name

November 2nd, 2011

In business network settings, network administrators manage a large number of devices, such as laptops, desktops, printers, switches and routers, and they all have IP and MAC addresses. When we use a network analyzer to monitor the traffic on the network, we see lots of IP and MAC addresses. These addresses, however, aren’t friendly to read, so we’d like to show their host names or give them labels.

In Capsa we use the Name Table to do this job for us. With the name table we can label not only IP addresses but also MAC addresses, and we can delete, export or reload the address items there. Right-click on an IP address or MAC address and choose Add to name table from the context menu.

In the dialog box we enter the IP (or MAC) address and an alias, and we can also choose a color for it. If we don’t know the host name, we can click Resolve address to look it up automatically. Then click OK to save the entry.

Back in Capsa, the address is already replaced by the alias we just created. The Add to name table function is applicable to any item in the Node Explorer and in all other views except the Summary, Protocol and Report views.

If we need to upgrade or reinstall Capsa, we can use the Export function to back up the name entries. Click the Name Table icon on the ribbon, then click the Export button to save the name table file. After installation or upgrade we can use the Import function to load the name entries back into the system.


Colasoft Enhances Capsa Network Analyzer with TCP Flow Analysis

September 26th, 2011

We are very excited to announce the availability of Capsa Network Analyzer 7.5. Besides the enhanced user interface, the biggest highlight of Capsa Network Analyzer 7.5 is TCP flow analysis, which makes it easier for network administrators to analyze application performance and pinpoint critical performance issues.

Capsa Network Analyzer 7.5 presents a comprehensive high-level overview of application health on your network. From TCP transaction analysis you can easily access more detailed information, including TCP server/client response time, delay and retransmissions, and drill further down into the server flow to observe the actual content of the flow. “This unparalleled level of control and visibility speeds time to resolve application problems and minimizes overall network downtime,” said Ocean Yu, Vice President at Colasoft.

In addition to the MSN and Yahoo Messenger monitors, Capsa Network Analyzer 7.5 adds an ICQ monitor to meet market demand. ICQ logs are found on the Log tab, where the detailed information is displayed. Moreover, the RADIUS protocol is now supported, joining the more than 300 protocols Capsa already analyzes.

Top Highlights of Capsa Network Analyzer 7.5:

1. Powerful TCP flow analysis for application performance optimization
2. Add ICQ monitor to analyze and log ICQ activities
3. Support RADIUS protocol analysis
4. Intuitive TCP transaction sequence diagram
5. Enhanced user interface & performance

Capsa 7.5 runs under Windows XP/2003/2008/Vista/7. A trial version is available for download.