Author Archive

Use Filters to Capture Packets between Two Hosts

November 11th, 2012

Product Versions: Since Capsa 7.0

Intended Audience:

  • Capsa Enterprise users
  • Capsa Professional users
  • Capsa WiFi users
  • Capsa Free users
  • Including all Demo and Evaluation users

When we run tests or experiments we often only need the packet data exchanged between two hosts, typically between the local host and one other host or server. To capture packets only between two hosts, we use a capture filter that ignores all the packet data we don't need. For instance, suppose we want to capture packets only between my host and the Colasoft website:

  • My IP address – 192.168.6.112
  • Colasoft Website IP address – 207.218.235.182

Before getting started, figure out where the best place to capture is and make sure you are capturing on the path of the traffic flow; read Where to Capture Packets on my Network for details. If you plan to capture packet data between your local host and another machine, the convenient way is to install Capsa on your own machine. Then follow the steps below to create and enable a capture filter.

Create a Capture Filter in Capsa

  • Run Capsa and click the Set Capture Filter link in the top-right corner of the Start Page. (Figure: Capsa Start Page)
  • The Capture Filter window appears. Click the Add button at the bottom of the window. (Figure: Filter Manager)
  • Enter a Name, check Address Rule, choose IP Address from the Address 1 drop-down list and enter 192.168.6.112 in the textbox below it. Then choose IP Address from the Address 2 drop-down list and enter 207.218.235.182. (Figure: Filter)
  • Click OK.
  • Check the new filter's Accept checkbox and click OK. (Figure: Enable Filter)

We have now created and enabled a filter so that Capsa captures only the packet data between my host and the remote IP address. Click the Start button to begin a capture: only packets between my local IP and the Colasoft website address appear. In the same way you can create filters for particular IP or MAC addresses, and combine rules into advanced filters with multiple conditions. Keep in mind that a capture filter discards non-matching packets before they are stored, so anything you exclude cannot be recovered from that capture later; when you are unsure what you need, capture more broadly and narrow the view afterwards.

(Figure: Packets)
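The address rule above is symmetric: a packet matches when its source and destination are the two configured hosts in either order, and nothing else about the packet (port, protocol) matters. The following added example, which is not part of the original article or of Capsa, shows that rule applied to raw Ethernet/IPv4 frames, and prints the equivalent tcpdump/BPF expression. The frames are constructed sample data (placeholder MAC addresses, zero IP checksum); the two IP addresses are the ones used in the article.

```python
"""Added example: the "between two hosts" address rule applied to raw frames.

Parses the Ethernet II + IPv4 headers of each frame, keeps only frames whose
source/destination pair is exactly {host_a, host_b} in either direction, and
prints the equivalent BPF expression. The frames below are constructed sample
data, not a real capture; the IP addresses are the ones used in the article.
"""
import ipaddress
import struct
from typing import Iterable, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14
IPV4_MIN_HDR_LEN = 20


def parse_ipv4_endpoints(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (src, dst) for an Ethernet II / IPv4 frame, or None otherwise.

    Source address sits at IP header bytes 12..15, destination at 16..19.
    Non-IPv4 frames (ARP, IPv6, ...) and truncated frames return None, so the
    filter drops them instead of raising.
    """
    if len(frame) < ETH_HDR_LEN + IPV4_MIN_HDR_LEN:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:  # version nibble must be 4
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    return src, dst


def between_hosts(frame: bytes, host_a: str, host_b: str) -> bool:
    """Capsa-style address rule: Address 1 <-> Address 2, both directions."""
    endpoints = parse_ipv4_endpoints(frame)
    if endpoints is None:
        return False
    src, dst = endpoints
    return (src == host_a and dst == host_b) or (src == host_b and dst == host_a)


def filter_frames(frames: Iterable[bytes], host_a: str, host_b: str) -> List[bytes]:
    """Keep only the frames that pass the host-pair rule."""
    return [f for f in frames if between_hosts(f, host_a, host_b)]


def bpf_expression(host_a: str, host_b: str) -> str:
    """The same rule written as a tcpdump/BPF capture filter."""
    return f"host {host_a} and host {host_b}"


def build_frame(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet II + IPv4 frame for the demo.

    MAC addresses and the IP identification field are placeholders and the IP
    checksum is left as zero; the filter only looks at EtherType and addresses.
    """
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IPV4_MIN_HDR_LEN + len(payload), 0x1234, 0, 64, 6, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip_hdr + payload


MY_IP = "192.168.6.112"
SITE_IP = "207.218.235.182"

# Constructed sample traffic: two frames belong to the host pair, the rest do not.
SAMPLE_FRAMES = [
    build_frame(MY_IP, SITE_IP, b"GET / HTTP/1.1\r\n"),   # outbound, matches
    build_frame(SITE_IP, MY_IP, b"HTTP/1.1 200 OK\r\n"),  # inbound, matches
    build_frame(MY_IP, "8.8.8.8"),                        # other destination
    build_frame("192.168.6.1", MY_IP),                    # other source
    bytes.fromhex("ff" * 12) + struct.pack("!H", 0x86DD) + bytes(40),  # IPv6, ignored
]

if __name__ == "__main__":
    kept = filter_frames(SAMPLE_FRAMES, MY_IP, SITE_IP)
    print(f"{len(kept)} of {len(SAMPLE_FRAMES)} frames match; "
          f"BPF: {bpf_expression(MY_IP, SITE_IP)}")
    for frame in kept:
        print("  ", parse_ipv4_endpoints(frame))
```

The BPF string is what you would hand to tcpdump or Wireshark to get the same result as the Capsa address rule; if you want only one direction, the GUI rule cannot express that, but BPF can (`src host A and dst host B`).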

Tips:

  • Use the Export function to back up your filter settings (the Export button is shown in Figure A), and make sure you export all filters.


Colasoft Announces the Release of Capsa Network Analyzer 7.6

June 20th, 2012

Capsa Network Analyzer 7.6 is newly released! You are welcome to try all the new features and improvements. The free trial is available for download from the Colasoft website.

New features and improvements in Capsa Network Analyzer 7.6:

  • Unique Analysis Task Scheduler used to preset the time for analysis projects;
  • Global configurations can be exported and imported;
  • Display filters are provided for isolating and viewing particular items;
  • Reports with a user-defined name and optional statistic items are available;
  • Logs can be automatically saved in *.csv format;
  • Capsa can now identify the encryption type of an AP automatically;
  • A MAC address column is added to the Log tab;
  • Settings for analysis profiles have been optimized;
  • Local engine settings are merged into Options on the Menu button;
  • Capsa can now decode Tunnel IP in IP protocol;
  • Analysis profiles, such as Traffic Monitor, Protocol Analysis and IM Analysis have been

Read the detailed descriptions of the new features here. For more information, please visit www.colasoft.com.

How to Create and Edit Custom Protocol

May 20th, 2012

Although Capsa network analyzer supports more than 160 protocols, there are still circumstances in which you need to add your own private protocol rules. For example, you have a special service using a private TCP port on the network and want Capsa to recognize it, or a protocol runs on a non-standard port. This document shows you how to create your own custom protocols and edit built-in protocols as needed.
Create Custom Protocols
If you want to create a private protocol rule, follow the instructions below.
Step 1, run Capsa network analyzer. On the Start Page, click the Menu button (on the top-left corner). Choose Local Engine Settings -> Custom Protocol from the menu.
Step 2, on the Custom Protocol window, click the Add… button to create a custom protocol. For example, you are testing a new protocol that uses TCP port 8080. Click Add, then type in the protocol name, short name and port number and choose a color for the protocol in the new dialog box. Click OK to save the custom protocol.

Note: if the capture is running, you need to go back to the start page. Otherwise the Add button and Edit button will be grayed out.
Edit Protocols
If you use non-standard ports on your network, for example DNS is not on port 53 (TCP or UDP) or HTTP is not on TCP port 80, you should modify the default port number of the corresponding built-in protocol; otherwise Capsa will classify the traffic as TCP Other or UDP Other. As an example, suppose HTTP uses TCP port 8080 rather than port 80.
Step 1, open the Custom Protocol window, type in http in the search box.
Step 2, double-click on the HTTP protocol item, and modify its port number to 8080 in the dialog box. Click OK to save.

Now, if you start a capture or replay a packet file, all packets using TCP port 8080 will be labeled as HTTP. On the Custom Protocol window you can define private protocols by TCP/UDP port, IP protocol type or Ethernet type; TCP and UDP port numbers are used far more often than the other two. You can also use the Import and Export buttons to back up your private protocols. Keep in mind that a port-based rule is only a label: traffic on port 8080 is classified as HTTP on the strength of the port alone, so verify the decoded payload before drawing conclusions from the protocol name.

FAQ: Why the Add/Edit/Delete buttons of the Custom Protocol window are grayed out?
You cannot change protocol rules while a capture is running because the changes could crash the program. If you need to add or edit protocol rules, stop the capture and go back to the Start Page (if you run multiple instances, close all the others). Then click the Menu button in the top-left corner of the Start Page and choose Local Engine Settings > Custom Protocol to open the Custom Protocol window. The buttons will now be clickable.

How to baseline network throughput and performance

May 10th, 2012

What is network baseline?

Do you know what your normal network throughput volume is, and which types of traffic are used most on your network? If you cannot answer these questions, you should baseline your network. A network baseline is very important to network management because its data tells you what the network looks like when everything is working normally.

To baseline your network you need software or hardware that listens on the network or on a particular device. Both Colasoft nChronos and Capsa can accomplish this task: each listens to the packet data on the wire and generates all kinds of statistics about the network. To baseline a network, monitor the traffic for long enough, because a wider time span gives a more accurate picture of the traffic pattern. The uses of a network baseline are as follows:

• Understand healthy network patterns and traffic trends.
• Evaluate compliance with network management policies.
• Understand how network resources are allocated.
• Speed up troubleshooting of network issues, e.g. abnormal traffic and spam traffic.
• Provide data on network and security management to support decision making.
• Provide historical statistics for network upgrades.

Colasoft nChronos: How to Display IP Addresses as Host Names

March 27th, 2012

If you use nChronos to monitor traffic on a core switch, you will see many internal IP addresses as well as Internet IP addresses. Most Internet IP addresses are shown by their domain name, such as www.colasoft.com and www.google.com. Wouldn't it be great if nChronos showed the host names of our local machines too, since they are much easier to understand than bare IP addresses? This tips article shows how to use the Name Table to display IP and MAC addresses as host names.

Suppose that there is a user, Steve, whose laptop has this IP address, 192.168.8.25, and you want nChronos to show his IP address as the text – Steve’s Laptop. First you run nChronos Console, connect to the server, right-click on the server name, and click Settings from the context menu. Then select Name Table on the Server Settings window.


Thanksgiving Big Sale, Get Capsa at up to 40% off!

November 21st, 2011

Colasoft Thanksgiving big sale is now online! You can get Capsa at the most favorable price. Get coupons of up to 40% off now by clicking here!

Find out which process/application is using which TCP/UDP port on Windows

January 20th, 2011

When analyzing a network problem with a network analyzer or protocol sniffer, especially when we find suspicious worm or backdoor activity, the information we get is limited to MAC addresses, IP addresses and the transport-layer port number. The analyzer may not even know which application-layer protocol is in use, and even if it does, we still need to figure out which application or process is using it. Is there a way to find the originating application or process behind a TCP or UDP port? If you are doing an on-site analysis, Capsa plus a few Windows commands will easily tell you which process is using which port.
Let's see how.

Find out Port Number

For example, in Capsa Free I spotted the following suspicious TCP connection, which constantly communicates with IP xx.xx.0.183 on port 8000. So I am going to look up the process name using this port.

(Figure: find_port)

Find Process ID (PID)

I open a Command Prompt, enter the following command and press Enter.

netstat -aon | findstr :8000

Explanation:

-a: list all active connections and listening ports. -o: show the owning process ID. -n: display addresses and port numbers numerically.

| findstr :8000: display only the lines containing the string :8000 (findstr means find string). Don't forget the pipe symbol | at the beginning. Note that findstr matches the substring anywhere on the line, so :8000 in the Foreign Address column (a client talking to a remote port 8000) and in the Local Address column (a local listener, or a local source port that happens to be 8000) both match; check which column the match is in before drawing conclusions.

Let’s see what we get.

(Figure: find_pid)

In this case we can read that 3968 is the PID, and the source and target addresses are the same as in the first figure.

Find Process/Application

Next we switch to another tool, Process Explorer (a free tool from http://technet.microsoft.com/en-us/sysinternals/bb896653), and easily find the process or application with PID 3968.

(Figure: process_explorer)

I'm sure it's an instant messenger used internally in my office and it's safe. You can also look up this PID in Windows Task Manager if you don't have Process Explorer installed.

However, Task Manager does not provide as much information as Process Explorer. The command prompt is also quite handy:

tasklist | findstr 3968

This command lists only the task entries containing the string 3968. Refer to the previous command if you are not sure about the | findstr part. As before, findstr matches anywhere on the line, so a PID such as 13968 also contains 3968; check the PID column of the output.

Kill Process/Application

Next, you may want to kill a process once you find it is malicious. In Process Explorer, right-click the process and choose Kill Process (or press Del); you can do the same in Task Manager. Alternatively, run the following in the Command Prompt:

taskkill /F /PID 3968

Explanation:

/F forces the process to terminate, and /PID selects the process by its ID. Killing a process is a containment step, not a cure: if the binary is set to start again (as a service, scheduled task or autorun entry) it will come back, so note its image path in Process Explorer before killing it.

We have now detected and pinned down the suspicious process behind a specific port number, whether UDP or TCP. The procedure also works in reverse: given a PID, filter the netstat output on that PID instead of on the port to find out which ports the process has open.
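The three commands above (netstat -aon, tasklist, taskkill) are the whole procedure, and the only fragile step is reading the right column out of findstr's substring matches. The following added example, which is not part of the original article or of Capsa, does the port-to-PID-to-process step by parsing the command output instead: it matches the port exactly, lets you choose whether a local or a remote port counts, copes with UDP rows (which have no State column) and with IPv6 endpoints such as [::]:445, and joins the PIDs against the output of tasklist /FO CSV /NH. The two text samples are constructed to look like real output; the PIDs, image names and the 10.0.0.183 peer are placeholders, not data from the article's screenshots.

```python
"""Added example: port -> PID -> process name by parsing netstat/tasklist output.

The two text samples are constructed to look like `netstat -aon` and
`tasklist /FO CSV /NH` output; PIDs, names and the 10.0.0.183 peer are
placeholders, not data from the article's screenshots.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Socket:
    proto: str                   # "TCP" or "UDP"
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]   # None for "*:*"
    state: str                   # "" for UDP rows, which have no State column
    pid: int


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'addr:port' on the LAST colon so IPv6 forms like [::]:445 work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -aon` output; header and blank lines are skipped."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:                     # UDP rows: Proto, Local, Foreign, PID
            state, pid = "", parts[3]
        local_addr, local_port = _split_endpoint(local)
        remote_addr, remote_port = _split_endpoint(remote)
        sockets.append(Socket(proto, local_addr, local_port,
                              remote_addr, remote_port, state, int(pid)))
    return sockets


def sockets_on_port(sockets: List[Socket], port: int,
                    local: bool = True, remote: bool = True) -> List[Socket]:
    """Exact match on the local and/or remote port.

    `findstr :8000` matches the substring on either side of the line; here the
    caller chooses which side matters, because a listener on :8000 and a client
    talking to a remote :8000 are different findings.
    """
    return [s for s in sockets
            if (local and s.local_port == port) or (remote and s.remote_port == port)]


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    names: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def processes_for_port(netstat_text: str, tasklist_text: str, port: int,
                       local: bool = True, remote: bool = True
                       ) -> List[Tuple[int, str, str]]:
    """Sorted (pid, image name, 'PROTO/side') triples for every socket on `port`."""
    names = parse_tasklist_csv(tasklist_text)
    found = set()
    for s in sockets_on_port(parse_netstat(netstat_text), port, local, remote):
        side = "local" if s.local_port == port else "remote"
        found.add((s.pid, names.get(s.pid, "<not in tasklist>"), f"{s.proto}/{side}"))
    return sorted(found)


# Constructed sample output (same column layout as Windows `netstat -aon`).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.6.112:49321    10.0.0.183:8000        ESTABLISHED     3968
  TCP    192.168.6.112:8000     0.0.0.0:0              LISTENING       4120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    4400
  UDP    192.168.6.112:8000     *:*                                    2212
"""

# Constructed sample output of `tasklist /FO CSV /NH`.
TASKLIST_SAMPLE = """
"System","4","Services","0","24 K"
"svchost.exe","884","Services","0","9,812 K"
"messenger.exe","3968","Console","1","41,204 K"
"devserver.exe","4120","Console","1","18,500 K"
"mdnsresponder.exe","4400","Services","0","3,100 K"
"agent.exe","2212","Services","0","5,000 K"
"""

if __name__ == "__main__":
    for pid, name, where in processes_for_port(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 8000):
        print(f"PID {pid:>5}  {name:<20} {where}")
```

On a live host, capture the real output with `netstat -aon > net.txt` and `tasklist /FO CSV /NH > tasks.txt` and feed the file contents to processes_for_port; a PID that appears in netstat but not in tasklist usually means the process exited between the two commands. On Windows 8/Server 2012 and later, PowerShell's Get-NetTCPConnection and Get-NetUDPEndpoint return the owning process ID (OwningProcess) directly, without any text parsing.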

IT in 2011: Four Trends that will Change Priorities

January 17th, 2011

It’s always a challenge for IT departments to anticipate how corporate technical demands will evolve, especially when IT budgets have been as tight as a drum for two years.

How do you “do more with less” and prepare for an explosion in bandwidth demand, a need to upgrade both software and hardware, and employees asking that work data be available on their personal smartphones?
The post-recession enterprise IT environment is only going to get more chaotic, but opportunities abound for the savvy IT manager, according to a new report from Technisource, a technology staffing and services company with clients ranging from the mid-market to global Fortune 500 companies.

The pressure to have “efficient operations and visibility into every aspect of the organization despite strict budget constraints has been the genesis of strategic trends that are re-shaping IT priorities, whether you are supporting an online retail portal, a university, or a high-tech manufacturing operation,” write the report's authors, Andrew Speer, Chad Holmes and Dick Mitchell.

Here are four trends Technisource says will play a key role in defining your organization’s priorities for the next year or more.

1. You’re Gonna Need More Bandwidth

It’s almost a guarantee that organizations of all sizes will increase bandwidth in 2011 and 2012 to support growing multimedia within the corporate network. The main technologies driving this need are video conferencing and tele-presence, VoIP and distributed storage networks.

The smart IT manager will stay ahead of the bandwidth curve by assessing WAN and LAN environments frequently and looking for ways to save money.
“Regularly review WAN options, with special emphasis on emerging access technologies that offer better deals on bandwidth and flexible provisioning plans,” the Technisource report states.

“On the LAN side, pay attention to your cabling plant as well as your switch and router fleet to ensure that there are no hidden bottlenecks to impede the inevitable upgrades you’ll be making.”

2. Prepare for More Mobility and User-Owned Devices

Mobile business apps are no longer a luxury, but a necessity at every level of the organization. Advances in Wi-Fi and other wireless technologies can put much of the corporate network in a worker’s pocket. Handheld devices are now commonly used to access corporate e-mail and sales reports, and track supply chain inventory in real time.

Looking ahead, Technisource predicts companies will establish their own internal “apps stores” that give employees password-protected access to software tools and other corporate resources.

IT departments should also prepare to use mobility asset management software to remotely configure and upgrade mobile apps and secure lost or stolen mobile devices by remotely wiping them clean of sensitive data. Finally, network and security admins must prepare for the inevitable: corporate users requesting to use their personal iPhones, Droids and other consumer-friendly smartphones for work purposes.

3. Ascending to the Cloud, One Careful Step at a Time

Companies are slowly but surely moving to some sort of cloud computing model. According to Gartner Group research, 8% of U.S. corporations had implemented a cloud service at the end of 2010, and Gartner expects that number to jump to over 50% by the end of 2012.

A cloud model offers obvious benefits: cheaper pay-as-you-go delivery methods, less operational complexity and fewer, if any, servers to manage.
But a cloud migration is complex, particularly at the enterprise level where data security is paramount.

“You’ll need to develop heightened level of data security for the cloud computing environment, where some, or all, of your critical data resides outside the traditional corporate firewall,” the Technisource report states, adding that cloud-based apps are also not as flexible, providing users with only a simplified menu of configuration and control options.

“Expect some snags when integrating several applications from different vendors into the seamless cloud platform of your dreams,” the report states.
As for return on investment guidance: Technisource writes that initial cloud ROI gain is in the first two years due to a decrease in infrastructure costs, but fee structures should be reviewed in the third year to make sure you’re getting the best deal.

4. The Windows 7 Upgrade Catch-Up

For most businesses, the Great Recession put a hold on any non-essential technology upgrades. But the standard four-year refresh cycles are timing out and hardware and software are getting long in the tooth, to the point where user productivity is sapped and security is at risk.

While users with old PCs obviously need newer and faster hardware, the main driver for upgrades in 2011 is to migrate from Windows XP to Windows 7-capable PCs.
“In 2009 only 7% of businesses had adopted Windows 7, or planned to do so over the next 12 months,” the Technisource report states, “but this has skyrocketed to 46 % in 2010.”

But migrating a large installed base of Windows XP machines to Windows 7 is an IT resource drain and a complicated process that includes re-loading user data, applications, drivers, preferences and settings.

By Shane O’Neill from arnnet.com.au

Join Capsa Testing Group, Get iPad and Capsa for Free!

January 5th, 2011

Dear customers,

Capsa Testing Group, dedicated to advancing the understanding and practice of Capsa software testing, is now established and waiting for your participation!

Join us in the effort to develop a better Capsa for WiFi by enrolling in the Capsa Testing Group. You will not only have the chance to make a difference and get your needs implemented in the product, but also win an iPad and a free license.

Join Capsa Testing Group now!

Using Capsa for WiFi to Secure Your Wireless Network

December 30th, 2010

By ZhaoRui Meng — CCIE Security

Wireless technology is one of the fastest-growing network technologies. It has spread rapidly through companies, campuses, public areas and so on. Unfortunately, many deployments are done without attention to security and authentication. As a result, many wireless networks are set up so that anyone with mobile equipment can access them, even from outside the building, and anyone with the proper equipment can also spy on the traffic. The problem with WLAN users is that very few understand how their data is sent through the air, much less the associated risks.

A recent study found that 40-50% of wireless users do not implement any form of protection. Some wireless networks are encrypted with a WEP key, which is significantly less secure than WPA. To prove my point, I randomly scanned the wireless networks around my office building and found that, of 15 SSIDs received, 7 WLANs were encrypted with WEP keys and one network was unencrypted. It takes no more than 10 minutes to crack a WEP password with BT3. WPA has helped to increase the security available to wireless networks, but a good dictionary can brute-force a WPA password when the pre-shared key is weak.

Due to the broadcasting nature of radio propagation at typical Wi-Fi frequencies, anyone on the street or in the neighborhood will have chance to access to it. A whole subculture has sprung up of people going around, scanning for open wireless nodes, and publicizing them to people who want free wireless access. Capsa for WiFi helps network administrators manage access control by monitoring access IP addresses and security. Capsa for WiFi can detect all access IP addresses as well as peer hosts activities, to monitor network activities and identify network penetration and scanning anomalies. More specifically, any wireless engineers can use Capsa for WiFi to lock down network intruders, monitor clients’ online activities, and spot malware like worms, ARP attacks, Trojan horses etc. To deploy Capsa for WiFi is as simple as to connect your Caspa for WiFi equipped station with a common wireless card to your AP and enable traffic capturing on the fly. You can realize wireless network management without setting up port mirroring.