Author Archive

Network Monitor: who’s watching World Cup online

June 11th, 2010, by admin

For football fans, today is a big day: the FIFA World Cup opens today, Friday, June 11, 2010. They will spend their nights with the TV and a few beers. But our network admins will be driven crazy too. Why? The World Cup brings great joy, and also certain network problems. Some of the keener fans will watch or replay the matches online at work, and over these weeks you will see your network traffic grow dramatically. I don't want to be mean to the big fans, but we still have to keep the network running smoothly. How can we work out who is watching the World Cup online at the workplace? With the Capsa network analyzer at hand, it is easy to monitor the network and head off the problems the World Cup may bring to your LAN.

Well, first we should make a list of the football fans' names and inform them not to watch videos online. Then we keep an eye on network utilization. When the utilization graph spikes, we know someone is breaking the rules, and we can check who is consuming the bandwidth in the IP Endpoint tab.

But utilization cannot tell us everything. We still need to spend a few seconds checking the protocols in use (Protocol tab). Pay special attention to protocols such as P2P, RTSP and even HTTP. Online video takes a large share of the bandwidth, so it is easy to spot in the Protocol tab. The following figure shows abnormal HTTP traffic taking far more than its usual share.
[Figure: abnormal HTTP traffic in the Protocol tab]

When a suspicious protocol is spotted, we concentrate on it and check which IP address is generating the traffic in the IP Endpoint tab (figure below).
[Figure: the machine behind the abnormal HTTP traffic]

Then we can take a further step to confirm the analysis: check the conversations (IP Conversation tab), the communication matrix (Matrix tab), and even drill down to the original packets (Packet tab).
[Figure: non-http]

With the above tips, I’m sure you can guarantee a healthy network during the special World Cup time.

How to keep your network safe from the FBHOLE worm?

June 9th, 2010, by admin

Facebook users have to be careful when hanging out on Facebook, because a new worm called FBHOLE is spreading. According to reports, FBHOLE "doesn't seem to be doing anything else than posting a message to people's Facebook walls". As a network security software provider, Colasoft responded by analyzing the worm right away, and we have some suggestions to help keep our users away from it.

Behavior Study

If you click a post link such as http://www.fbhole.com/omg/allow.php?s=a&r=[random number] (post title "try not to laugh xD") on someone's wall, you will probably be led to a page like the figure below:

Figure 1: try not to laugh xD with a fbhole.com link

The web page pops up a message box saying there are some errors. Naturally you click the OK button to close the dialog. Once you click OK, you may find one more post has been submitted to your wall.

Figure 2: Error messages

After studying the HTML and scripts of the page, we found that wherever you click on it, you trigger a script that submits the same post to your Facebook wall. All this is done through a hidden iframe, shown below:

Figure 3: iFrame code

This iframe follows your mouse movements, so wherever you click on the page, you always click the invisible "Publish" button. This is a clickjacking (UI redress) technique: the visible page is a decoy, and the real click lands on a framed Facebook control you cannot see.

Tips to keep your network away from FBHOLE worm:

So far, this is all it does; we have found no further harm to the computer system. To help keep our users away from this worm, we have the following suggestions:

1. Inform the users in your network not to click links like the one shown in Figure 1.
2. Set up a filter to monitor which users request these links.
3. Locate those computers and scan them with an anti-virus program, since the worm may evolve to infect the operating system.
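As an added example of the filter in tip 2 (this is not Colasoft code; Capsa's own filter syntax is not shown on this page), the Python script below scans proxy-style HTTP log lines for requests to the lure URL and reports, per client address, when it was fetched and the random r value. The log format, the client addresses and the timestamps are constructed for the example; only the fbhole.com/omg/allow.php path and the s/r parameters come from the post. A lookalike path on another host is deliberately left unflagged, so the check keys on the domain and path rather than on the string "fbhole" alone.

```python
"""Added example: flag hosts that fetched the FBHOLE lure URL, from constructed proxy log lines."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed squid-style lines: "<epoch> <client_ip> <method> <url> <status>". Not real logs.
SAMPLE_LOG = """\
1276230000.123 192.168.5.24 GET http://www.facebook.com/home.php 200
1276230005.456 192.168.5.24 GET http://www.fbhole.com/omg/allow.php?s=a&r=8675309 200
1276230006.789 192.168.5.24 POST http://www.facebook.com/ 200
1276230010.111 192.168.5.31 GET http://www.example.com/fbhole.php 200
1276230012.222 192.168.5.31 GET http://fbhole.com/omg/allow.php?s=a&r=42 200
"""

LURE_DOMAIN = "fbhole.com"       # from the post
LURE_PATH = "/omg/allow.php"     # from the post


def is_lure(url):
    """True only for fbhole.com (or a subdomain) serving the allow.php page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_domain = host == LURE_DOMAIN or host.endswith("." + LURE_DOMAIN)
    return on_domain and parts.path == LURE_PATH


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, client, method, url, status = line.split()
    return float(ts), client, method, url, int(status)


def find_lure_clicks(log_text):
    """Return {client_ip: [(timestamp, r_value), ...]} for every request to the lure URL."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = parse_line(line)
        if is_lure(url):
            r_value = parse_qs(urlsplit(url).query).get("r", [None])[0]
            hits[client].append((ts, r_value))
    return dict(hits)


if __name__ == "__main__":
    for client, clicks in find_lure_clicks(SAMPLE_LOG).items():
        print(client, "->", clicks)
```

Feed the script your own proxy or flow export with the same five fields and the result is the list of machines to visit for tip 3.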

Colasoft Packet Builder/Player Now Support Windows 7

April 12th, 2010, by admin

Colasoft Packet Builder and Packet Player are very useful free tools. The latest versions, Packet Builder 1.0.1 and Packet Player 1.2.1, support Windows 7.

Colasoft Packet Builder

Colasoft Packet Builder lets you create custom network packets; users can use it to check their network protection against attacks and intruders. It includes a very powerful editing feature: besides editing the raw data in HEX, it offers a Decoding Editor that lets users edit specific protocol field values much more easily.

Colasoft Packet Player

Colasoft Packet Player is a packet replayer that opens captured packet trace files and plays them back on the network. It supports many trace file formats created by sniffer software, such as Colasoft Capsa, Ethereal, Network General Sniffer and WildPackets EtherPeek/OmniPeek.

Besides sending packet files at their original intervals, Colasoft Packet Player also supports sending them in burst mode and defining the delay between loops when the loop count is more than one.
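To make the two timing modes concrete, here is an added Python example (not Colasoft's code) that parses a classic pcap file, one of the trace formats a replayer reads, and computes the send timetable that "original interval" and "burst" mode imply, including the delay between loops. The pcap bytes are constructed inside the script; the scheduling rules are one reading of the two modes described above and are an assumption, not Packet Player's implementation.

```python
"""Added example: read a classic pcap and compute a replay timetable in 'original' or 'burst' mode."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic read little-endian from a big-endian file


def build_sample_pcap():
    """Construct a tiny little-endian pcap with three frames at t = 0 s, 0.5 s and 2.0 s (not a real capture)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # v2.4, snaplen 65535, Ethernet
    frames = [(0, 0, b"\xaa" * 60), (0, 500000, b"\xbb" * 100), (2, 0, b"\xcc" * 1500)]
    body = b"".join(struct.pack("<IIII", sec, usec, len(d), len(d)) + d for sec, usec, d in frames)
    return header + body


def read_pcap(data):
    """Return [(timestamp_seconds, frame_bytes), ...]; handles both byte orders, rejects other formats."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset, records = 24, []
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet record")
        records.append((sec + usec / 1e6, data[offset:offset + incl_len]))
        offset += incl_len
    return records


def replay_schedule(records, mode="original", loops=1, loop_delay=0.0):
    """Send offsets in seconds from start, as (offset, loop, index).

    original: keep the captured inter-packet gaps; each loop starts loop_delay after the previous one ends.
    burst:    send every frame back to back; loops are separated by loop_delay only.
    """
    if not records:
        return []
    t0 = records[0][0]
    span = records[-1][0] - t0
    schedule, loop_start = [], 0.0
    for loop in range(loops):
        for index, (ts, _frame) in enumerate(records):
            gap = ts - t0 if mode == "original" else 0.0
            schedule.append((round(loop_start + gap, 6), loop, index))
        loop_start += (span if mode == "original" else 0.0) + loop_delay
    return schedule


if __name__ == "__main__":
    recs = read_pcap(build_sample_pcap())
    print("original, 2 loops, 1 s between loops:", replay_schedule(recs, "original", 2, 1.0))
    print("burst, 2 loops, 0.25 s between loops:", replay_schedule(recs, "burst", 2, 0.25))
```

The timetable is what a replayer has to honour; actually putting the frames on the wire needs a raw socket and administrator rights, which is left to the tool.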

How to find the top bandwidth users with Capsa?

April 12th, 2010, by admin

Sometimes when the network is behaving abnormally, we need to find and check the top bandwidth users for clues: BitTorrent downloads, online video, worm activity and so on. With Capsa 7, you don't need any settings or configuration; just run the program and get the statistics with a couple of clicks.

First, start Capsa 7.1. It is better not to set any filters unless we are monitoring a specific kind of traffic. Then just keep the program running.


We first come to the dashboard. By default there are two graphs in the dashboard providing top-talker statistics: top physical addresses by bytes and top IP addresses by bytes. By default they display the top 10. Move the pointer over a bar to see its address. In this network, the IP address 192.168.5.24 consumes the biggest share of the bandwidth.


If we need detailed statistics for those nodes, we go to the Physical Endpoint tab or the IP Endpoint tab. Click a column header to sort the list: click the Bytes column to see who takes the most traffic. The highlighted bars help us see the differences between rows. We can also click Packets to see who sends out the most packets. From these statistics we get hints of anomalies: downloads and online video take a lot of bandwidth, while worms and attacks send a great number of packets. The difference between the two tabs is that one lists MAC addresses and the other IP addresses.


Sometimes we need to generate a report of the top bandwidth users. Capsa 7.1 has a report function, so move to the Report tab. It provides five top-statistics groups. Click an item and you see an easy-to-understand table with IP address, traffic percentage, bytes and packets.


To save the report, click the save button, choose a folder, type a file name, and choose PDF or HTML. Click Save. The report is saved, and the page matches what is shown in the Report tab.

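The three-step triage of the World Cup post above (watch utilization, then the Protocol tab, then the IP Endpoint tab) and the top-talker ranking by bytes or packets described in this post can be expressed in code. The Python below is an added example, not Capsa's code or output: it runs over constructed packet records, assumes a 10 Mbit/s link and a 192.168.0.0/16 LAN, and uses a port-based protocol labeller as a stand-in for the analyser's decoder. Any of the three functions can be pointed at real records with the same seven fields.

```python
"""Added example: utilization -> protocol -> endpoint triage over constructed packet records.

Record layout (constructed, not real capture data):
    (timestamp_seconds, src_ip, dst_ip, l4_proto, src_port, dst_port, frame_bytes)
"""
from collections import Counter
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.0.0/16")   # assumed LAN range
LINK_BYTES_PER_SEC = 10_000_000 // 8         # assumed 10 Mbit/s link

# Service-port table: a simple heuristic standing in for the analyser's protocol decoder.
SERVICE_NAMES = {53: "DNS", 80: "HTTP", 443: "HTTPS", 554: "RTSP"}


def build_sample():
    """Constructed traffic: one host streams video over HTTP for 3 s on top of light background traffic."""
    pkts = []
    for sec in range(4):
        if sec < 3:  # 700 x 1460-byte segments per second from a web server to 192.168.5.24
            for i in range(700):
                pkts.append((sec + i / 700, "203.0.113.10", "192.168.5.24", "tcp", 80, 51234, 1460))
        for i in range(50):   # background HTTPS from 192.168.5.12
            pkts.append((sec + i / 50, "192.168.5.12", "198.51.100.5", "tcp", 49152, 443, 600))
        for i in range(5):    # background DNS lookups to the local resolver
            pkts.append((sec + i / 5, "192.168.5.7", "192.168.5.1", "udp", 53001, 53, 80))
    return pkts


def classify(proto, sport, dport):
    """Label a packet by its service port (the lower of the two, normally the server side)."""
    port = min(sport, dport)
    if proto == "tcp" and 6881 <= port <= 6889:
        return "BitTorrent"
    return SERVICE_NAMES.get(port, proto.upper() + "/other")


def utilization_spikes(pkts, threshold=0.7):
    """Step 1: bytes per one-second bucket; return the seconds above threshold * link capacity."""
    per_sec = Counter()
    for ts, *_rest, size in pkts:
        per_sec[int(ts)] += size
    limit = threshold * LINK_BYTES_PER_SEC
    return sorted(sec for sec, total in per_sec.items() if total > limit)


def protocol_breakdown(pkts):
    """Step 2: (protocol, bytes, percent of total) largest first, like the Protocol tab."""
    by_proto = Counter()
    for _ts, _src, _dst, proto, sport, dport, size in pkts:
        by_proto[classify(proto, sport, dport)] += size
    total = sum(by_proto.values())
    return [(name, b, round(100 * b / total, 1)) for name, b in by_proto.most_common()]


def top_local_endpoints(pkts, protocol=None, by="bytes", n=10):
    """Step 3: rank LAN hosts by bytes or packets, optionally within one protocol, like the IP Endpoint tab."""
    counts = Counter()
    for _ts, src, dst, proto, sport, dport, size in pkts:
        if protocol and classify(proto, sport, dport) != protocol:
            continue
        for ip in (src, dst):
            if ip_address(ip) in LOCAL_NET:
                counts[ip] += size if by == "bytes" else 1
    return counts.most_common(n)


if __name__ == "__main__":
    sample = build_sample()
    print("busy seconds:", utilization_spikes(sample))
    print("protocols:", protocol_breakdown(sample))
    print("top HTTP hosts:", top_local_endpoints(sample, protocol="HTTP"))
    print("top hosts by packets:", top_local_endpoints(sample, by="packets"))
```

Ranking by bytes surfaces the video watcher; ranking the same records by packets is the view that makes a scanning worm stand out, which is why the post suggests clicking both columns.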

Watch the video tutorial at http://www.colasoft.com/download/top_10_network_traffic_hosts.php