
Capacity, Customization, Interface, All Enhanced in Capsa Network Analyzer 7.1

February 4th, 2010 Willis Huang 1 comment

Colasoft Announced the Release of Capsa Network Analyzer 7.1

FOR IMMEDIATE RELEASE: 2/2/2010
Contact Information:
Jane Hu
Email: jane.hu@colasoft.com
Tel: +86 28-8512-0922
Website:
http://www.colasoft.com

Chengdu, China – Feb 4, 2010 – Colasoft, an innovative provider of all-in-one and easy-to-use network analyzer software, today announced the newest version of its flagship product, Capsa Network Analyzer. Version 7.1 is based on the second-generation Colasoft Packet Analysis Engine (CSPAE), which substantially improved the data processing speed and guaranteed the analysis performance in large traffic networks.

“With the latest Microsoft Office 2007 style, Colasoft Capsa 7.1 provides you with a brand new user interface and enhanced user experience. The new design is intended to display statistics and diagnosis data in a simple-straight and graphical style so that users can get what they want with fewer clicks”, said Kevin Zhou, director of marketing. “Some unique features and ideas are introduced to Capsa 7.1, like Network Profile, this function allows users to set and save network profiles for different environments (departments, clients), making their analysis more customized, accurate and efficient. Another prominent feature is Analysis Objective which provides flexible, extensible and effective analysis performance based on user’s analysis objectives”.

Brand New and Improved Network Analysis Experience

  • Your Own Dashboard, Important Parameters in One Place and in Graphs.
  • Record Network Profile, Boost Working Efficiency.
  • Set Your Analysis Objective, Perform Customized Analysis.
  • Powerful Customizable Alarms.
  • Replay Analysis, Reproduce History Network Events.
  • Custom Protocol, Analyze Unique Protocol Traffic.
  • Enhanced, Customizable Report.
  • Intuitive TCP Timing Sequence Chart.
  • WYSIWYG (What You See Is What You Get) Packet Filter.

Capsa 7.1 runs under Windows 2000/XP/2003/Vista/7. A trial version is available for download at the company’s website: http://www.colasoft.com

    About Capsa

    Capsa is an easy-to-use Ethernet packet sniffer (network analyzer or network sniffer) for network monitoring and troubleshooting purposes. It performs real-time packet capturing, 24/7 network monitoring, reliable network forensics, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. By giving you insights into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify network bottlenecks and bandwidth use, and detect network vulnerabilities.

    About Colasoft

    Ever since 2001, Colasoft has been an innovative provider of all-in-one and easy-to-use software solutions for users to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Currently, more than 5000 customers in over 80 countries trust the company’s flagship product, Capsa Network Analyzer, as their network monitoring and troubleshooting solution. Featured customers include Alcatel, Airbus, Dell, Ericsson, IBM, Intel, and Pepsi. For more information about Colasoft and its solutions, please visit http://www.colasoft.com

    How to check the traffic of a specific department

    November 19th, 2009 Willis Huang No comments

    I work for a small company as a network administrator. There’s no doubt I’m the person who is responsible for the security of the network. Despite those complicated network problems, I’m sure many network admins have the same headache as me. When network problems occur and the internet does not work as usual, we are absolutely the persons to be blamed first. We must try to find the source of the problems as soon as possible. This is why we need a network sniffer to monitor our network. With a limited budget, I searched on the internet, and finally I found Colasoft Capsa. I just downloaded a free trial to see if it really works as is said.

    Now I have been using it for more than two weeks, and I have found it quite easy to use. The function of Capsa is not what I’m going to talk about in this article, because it may cost a day :) Here I’m going to share with you a small but quite useful setting: adding a physical group in the network.

    First, we open Settings, and click network, and click add:

    Then write down the group name and the IP ranges of this group:

    Well, it’s done, we can see it in the Explore:

    In conclusion, with this setting, it’s very convenient to see the traffic of any specific group or department in our company. If you want to do that, just follow the above steps. Hope you enjoy this article!

    Capsa Story

    November 19th, 2009 Willis Huang No comments

    This is my short story of how a rookie uses Capsa Network Analyzer to solve an easy network problem.

    To be honest, I don’t know too much about network management or network analysis. My friends and I, 5 of us, have an SEO studio and we are trying a little online business. We were pretty busy at that time because our business had made some progress. Days ago, however, our wired network became intolerably laggy, which we couldn’t stand because all our business depends on the Internet.

    The first action we took was to check the antivirus software. We had McAfee antivirus installed on all our computers and updated. But no virus was caught after a full scan of all our computers. Now we took it seriously: we checked all the ports and the router we used to connect all our computers and tried all the means on Google. Nothing helped. Time is money; we had to get that smooth internet connection for our business. Regretfully, we didn’t have a computer geek friend around. Also, it’s not our style to pay a penny to hire someone to fix this. We were on our own.

    Good news from Erik, one of us in the studio: he found out there was a program, WireShark, that would fix our network. We were all disappointed again when we ran it. None of us knew where to start checking, and we couldn’t understand it.

    After his hard searching, we found this Capsa Network Analyzer Demo version and couldn’t wait to give it a try. First we noticed that there were lots of “ARP Too Many Unrequested Response” in its Diagnosis. We immediately got from its explanation that the computers at the two IP addresses were the causes. We took the two computers off the router and we had our network back. As for the two computers, we only had to reinstall their OS. We were so pleased that we had our business back.

    Thanks Capsa Network Analyzer.

    Node Explorer – The most impressive function in Capsa 6.9

    November 19th, 2009 Willis Huang No comments

    We are running a small company specializing in customer service for a net-game, with less than 50 staff working together. Generally, some problems occur from time to time during working time. The main symptom is that the network speed suddenly slows down sharply, and we can’t confirm the root source of the network congestion. It’s a large waste of time to figure out what and where exactly the problem is, and it has been on my mind for a very long time.

    Last week, one of my game friends, found on Linkedin.com, recommended a Chinese network sniffer, Colasoft Capsa, to monitor my network traffic and detect the problem in a very short time. Frankly, I really don’t believe there’s good software made in China, especially in network security. I gave it a try just because of my friend.

    I downloaded their product and asked for the evaluation license key. Unexpectedly, I got it within 8 hours after I sent the application; I thought I’d get it in at least 2 days due to the time difference. Another thing that surprised me is the easy-to-use usability and the perfect UI design. I handled the network malfunction in a short time (seems 5 minutes) with this software. I really appreciate them and share my experience of my case.

    First, under “Protocol Explorer”, I found BT in the “Protocols” window, then located it in the Explorer.

    Then, in the “Endpoints” window, we can quickly find the local IP address which has the largest packets connection. Obviously, 192.168.1.128 is the prime culprit which leads to the network congestion.

    Additionally, you can find all the protocols and IP/MAC addresses in the Node Explorer, really a convenient explorer. I wasn’t familiar with this software at that time; I believe it won’t take more than 2 minutes if you are familiar with it. For small-and-medium-sized enterprises like us, Capsa is really a good network monitor, and I made my decision to purchase its single seat license with 1 year maintenance.

    How to find out the downloading nodes in your network

    November 19th, 2009 Willis Huang No comments

    To be honest, I am a little ashamed to share my experience here; however, I wish to learn more from you. Let me introduce myself briefly: my name is Don Smith, the network administrator of a small online business company in Texas.

    As a small company, cost is a very sensitive problem for us, especially under the recession. With limited bandwidth, we need to make sure the core business goes steadily, and I need to find illegal download activities in time. We bought Capsa last year after evaluating it and comparing it with other similar network monitoring software.

    OK, let’s see how I find illegal downloads in the network.

    After the correct deployment of Capsa in our network, let’s run Capsa and start the capture first.

    Figure 1. Summary View

    As we can see in Figure 1, the utilization is normal.

    Now I will start a download, and check it again. See Figure 2:

    Figure 2. Summary View

    We can see that in the packet size distribution, there are a lot of packets listed in the 1024-1517 range.

    Then we need to check how these packets were generated.

    Now, we will go to the protocol view to check whether there is any protocol for download.

    Figure 3. Protocol View

    We can see that there is an HTTP download in our network. Then we need to locate the computer that is downloading and deal with it.

    Figure 4. Locate the Explore Node

    Right-click on the protocol and, as Figure 4 shows, we can see the option: Locate Explore Node.

    Then we can check the endpoints view for more details.

    Figure 5. Endpoints View

    It is apparent that the node 192.168.6.8 is downloading: the bytes out is only 1.04MB, but the bytes out is 10.153MB.

    Now we have found the computer that is downloading the files, so we can deal with it.

    As far as I know, this function is just the tip of the iceberg. Capsa can do a lot of things like this.

    Let’s share it.

    Top4download released a review of Capsa 6.9R2

    July 29th, 2009 Willis Huang No comments

    We are glad to have received a professional and exhaustive review of our latest Capsa 6.9R2 from Top4download, a burgeoning free software download site.

    The Colasoft Capsa Enterprise Edition addresses a network manager’s needs to monitor activity on a localized network. Even as a beginning user, you can easily handle this piece of nifty software due to its user-friendly interface.

    By giving the user a clear view of how their network is operating, Capsa allows for easy troubleshooting due to the ability to isolate and solve different kinds of network problems…

    Click [here] to read the full story.

    Monitor broadcast storm with Colasoft Capsa

    July 29th, 2009 Willis Huang 2 comments

    Causes of broadcast storm:

    • Incorrect network design and plan
    • Network equipment damage
    • A hub, as a broadcast device, easily leads to a broadcast storm
    • NIC or switching equipment damage
    • Network loop
    • Incorrect router configuration
    • Virus

    How to detect Broadcast Storm:

    Step 1. Set up a broadcast packets filter
    Open Filter –> Add –> From Filter Table, check "Broadcast".

    Step 2. Detect the relevant parameters of the broadcast storm

    1. Statistical parameters

    • broadcast packets bytes
    • total broadcast packets
    • packets per second
    • packet size distribution
    • protocol type
    • etc (add according to your own network)

    How to make use of these parameters?

    Take a 100M Ethernet for example. The maximum packet per second is 12.5M x 1024 = 12800 Bytes/s. If the packet-per-second value of broadcast traffic is greater than or close to it, then we can conclude there is a broadcast storm.
    The packet totals, the packet count, and the packet size distribution differ according to the size of the network.
    Protocol type is mainly used to find the protocols with the largest traffic utilization. (PS: Care must be taken to distinguish ARP Request from ARP Response: ARP Request is broadcast, while ARP Response is unicast.)

    2. IPID Identification of the packet

    The IPID is the unique identifier of a packet. If one protocol has a large traffic utilization, we can check the IPID of its packets in the Packets view; if they are the same, we can confirm the traffic is caused by a network loop.

    Currently, network loops are one of the main causes of broadcast storms.

    3. Check the Utilization

    How to make use of the utilization parameters?

    Utilization is divided into "Utilization (bits)" and "Utilization (percentage)". Network utilization is computed as: bits per second (in the "Summary" view) / network bandwidth (100M or 1000M Ethernet). Ordinarily, the network is in perfect condition if the utilization is 50% on an Ethernet; we can conclude that there must be a broadcast storm in the network if the utilization of broadcast is over 30%.
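The three checks above (broadcast statistics, repeated IPID, broadcast utilization against the 30% rule) can be run over raw captured frames. The following is an added example, not code from Capsa or from the original post; the frames are constructed samples, and the `LOOP_REPEATS` threshold and all function names are assumptions.

```python
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6
STORM_UTILIZATION = 0.30   # the text's rule: broadcast utilization over 30%
LOOP_REPEATS = 3           # assumption: same (source IP, IPID) seen 3+ times

def parse_frame(frame):
    """Return (is_broadcast, ethertype, (src_ip, ipid) or None) for an Ethernet II frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip_key = None
    if ethertype == 0x0800 and len(frame) >= 34:
        # IPv4 Identification sits at IP offset 4, source address at IP offset 12.
        ip_key = (frame[26:30], struct.unpack("!H", frame[18:20])[0])
    return frame[:6] == BROADCAST_MAC, ethertype, ip_key

def analyze(frames, window_seconds, link_bps=100_000_000):
    """Summarise the broadcast frames captured during window_seconds."""
    bits = packets = 0
    ethertypes, ip_keys = Counter(), Counter()
    for frame in frames:
        is_broadcast, ethertype, ip_key = parse_frame(frame)
        if not is_broadcast:
            continue                      # same effect as the "Broadcast" filter
        packets += 1
        bits += len(frame) * 8
        ethertypes[ethertype] += 1
        if ip_key is not None:
            ip_keys[ip_key] += 1
    utilization = bits / window_seconds / link_bps   # bits per second / bandwidth
    return {
        "broadcast_pps": packets / window_seconds,
        "utilization": utilization,
        "storm": utilization > STORM_UTILIZATION,
        "loop_suspected": any(n >= LOOP_REPEATS for n in ip_keys.values()),
        "top_ethertype": ethertypes.most_common(1)[0][0] if ethertypes else None,
    }

# --- constructed sample frames (not taken from a real capture) ---
def ipv4_broadcast(ipid, size):
    eth = BROADCAST_MAC + bytes.fromhex("020000000001") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, size - 14, ipid, 0, 64, 17, 0,
                     bytes([192, 168, 1, 50]), bytes([192, 168, 1, 255]))
    return (eth + ip).ljust(size, b"\x00")

def arp_request():
    eth = BROADCAST_MAC + bytes.fromhex("020000000002") + struct.pack("!H", 0x0806)
    return eth.ljust(60, b"\x00")

# One frame circulating in a loop: identical IPID over and over, 1 second window.
LOOPED = [ipv4_broadcast(0x1A2B, 1514)] * 2500
# Ordinary background: ARP requests plus broadcasts with distinct IPIDs.
NORMAL = [arp_request()] * 40 + [ipv4_broadcast(i, 200) for i in range(10)]

if __name__ == "__main__":
    print(analyze(LOOPED, 1.0))
    print(analyze(NORMAL, 1.0))
```

The looped sample crosses the 30% threshold and repeats one IPID, so both flags are raised; the background sample is dominated by ARP requests and raises neither.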

    Download the latest Capsa 6.9R2 (Windows 7 supported) to monitor your network performance in time.

    How to monitor the network conversation.

    July 2nd, 2009 Willis Huang No comments

    Why should we monitor the network conversation?

    In a network group, especially for a company, enterprise, school, bank, NSA, etc., confidential information is very important, and it may be very dangerous if it is divulged.

    Also, a company/enterprise boss can get information about what his staff are talking about via the internet, no matter whether they are using MSN, Yahoo, Gtalk, ICQ, AIM… or Email, Webmail… at any time.

    In this situation, we need a network monitor/packet sniffer, not only to monitor the network conversation, but also to guarantee our network security by protecting it from danger beforehand.

    Resolution
    Take Colasoft Capsa 6.9 as an example. We will show you how to monitor email activity and content with it step by step:

    1. Choose “Logs” from the main window.

    2. A pop-up window for changing settings appears after you choose “Logs”.
    Go to Email Log→Log File Settings, then change the settings.

    3. Choose Email Messages in the Logs view; you can find detailed information on all the email activities.

    4. Just double-click the crossband, then you can check out the content of any email you want to read.

    Conclusion:

    For every organization, institution, company, enterprise, etc., confidential information is very important and must never be allowed to leak out.

    Besides traditional file encryption and video surveillance, what can we do if we are in a huge network? In this situation, a powerful packet sniffer/network analyzer is quite a good right hand.

    Colasoft Capsa vs Wireshark, a Voice from Geminisecurity.com

    June 29th, 2009 Willis Huang 2 comments

    Geminisecurity.com, which specializes in security solutions, has recently released a review of Capsa, compared with Wireshark. Capsa is well regarded by the company, and they have written an excellent review of Capsa’s features:

    Geminisecurity.com
    You’ve already been introduced to Wireshark and learned how to use it. We now consider another tool, Colasoft Capsa Enterprise Edition, which can be used for network sniffing as well. Colasoft Capsa offers many of the same features as Wireshark and introduces new features in analysis. Similar to Wireshark, Colasoft Capsa captures and decodes packets, and supplies a hex view of each packet.

    Click here to read the full story about Colasoft Capsa VS Wireshark, and this “Using Colasoft Capsa” is a perfect brief introduction to help you learn more about Capsa.

    How to detect the network malfunction via the end-point view with Colasoft Capsa

    June 11th, 2009 Willis Huang 7 comments

    Brief introduction about the Endpoint view in Colasoft Capsa
    It is divided into MAC endpoint and IP endpoint in Colasoft 6.9. Users can find the IP/MAC endpoint with the largest traffic in a short time using the endpoint analytics. The system also supplies clear traffic-ranking statistics (Top 5 IP endpoint under HTTP protocol).

    In the Endpoint view, we can clearly see the specific traffic situation of all the hosts (including a network segment, a MAC address, and an IP address) in the current network, such as the hosts with the largest total traffic, the hosts that send/receive the largest traffic, the hosts that send/receive the most packets, etc.

    From this information, we can confirm whether there is a broadcast/multicast storm, and help users detect network malfunctions such as a slow network, network disconnection, worm attack, DoS attack, and other malfunctions besides.

    Application case study
    Once we meet a network malfunction or attack, the most important things to pay attention to are the current total network traffic, sent/received traffic, network connections, etc., to get a clear direction for finding the problem. All of this information is included in the endpoint view in Colasoft Capsa 6.9 (figure 1):

    [Figure 1: endpoint view]

    In figure 1 we can sort by total traffic, network connections and other related information to find and locate the host with the largest traffic or the most connections in the network. For example, at present, the host with the largest network connection is , we can locate the host, then check the related connection information (figure 2):

    From the connection information shown in figure 2, we can see that has set up a large number of TCP connections with other hosts, the destination addresses and destination endpoints are indefinite, and many of the connections are in the state of a client requesting synchronization.

    [Figure 2: endpoint view]

    Next, check the TCP packets, we can check them out in Summary and Graphic as follows:

    In the TCP packets information, we found has sent TCP synchronization packet, and the TCP FIN packets and TCP Reset packets are, this is deviant in the network.
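The pattern this case study looks for (one host sending many client SYNs to varying destination addresses and ports, with few FIN or Reset packets) can be scored per endpoint from exported packet records. This is an added example, not part of the original post or of Capsa; the record layout, thresholds, function names and sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP header flag bits

# Assumed thresholds for this sketch; tune them against your own baseline.
MIN_SYNS = 50             # ignore hosts that opened only a few connections
MAX_CLOSE_RATIO = 0.2     # (FIN + RST) / SYN at or below this: sessions rarely finish
MIN_TARGET_SPREAD = 0.8   # distinct (dst, port) / SYN at or above this: "indefinite" targets

def endpoint_stats(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, tcp_flags) sent by local hosts."""
    stats = defaultdict(lambda: {"syn": 0, "fin": 0, "rst": 0, "targets": set()})
    for src, dst, dport, flags in packets:
        s = stats[src]
        if flags & SYN and not flags & ACK:   # client connection request only
            s["syn"] += 1
            s["targets"].add((dst, dport))
        if flags & FIN:
            s["fin"] += 1
        if flags & RST:
            s["rst"] += 1
    return stats

def suspicious_endpoints(packets):
    """Return (host, syn_count, fin_plus_rst, distinct_targets), busiest first."""
    flagged = []
    for host, s in endpoint_stats(packets).items():
        if s["syn"] < MIN_SYNS:
            continue
        close_ratio = (s["fin"] + s["rst"]) / s["syn"]
        spread = len(s["targets"]) / s["syn"]
        if close_ratio <= MAX_CLOSE_RATIO and spread >= MIN_TARGET_SPREAD:
            flagged.append((host, s["syn"], s["fin"] + s["rst"], len(s["targets"])))
    return sorted(flagged, key=lambda row: row[1], reverse=True)

def sample_packets():
    """Constructed records: one anomalous host and one ordinary client."""
    pkts = []
    for i in range(200):   # many destinations and ports, sessions never closed
        pkts.append(("10.0.0.23", f"198.51.100.{i % 250 + 1}", 1024 + i, SYN))
    pkts += [("10.0.0.23", "198.51.100.1", 1024, RST)] * 2
    for i in range(60):    # ordinary client: two servers, every session closed
        dst = ("203.0.113.10", 443) if i % 2 else ("203.0.113.20", 80)
        pkts.append(("10.0.0.5", *dst, SYN))
        pkts.append(("10.0.0.5", *dst, FIN | ACK))
    return pkts

if __name__ == "__main__":
    for row in suspicious_endpoints(sample_packets()):
        print(row)
```

Only the host with many unanswered SYNs spread across distinct targets is reported; the ordinary client has as many SYNs as FINs and only two destinations, so it is left out.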

    Please go to the Colasoft Official FAQ page for more “How-tos”