Colasoft Blog

In business network settings, network administrators manage a large number of devices, like laptops, desktops, printers, switches and routers and they all have IP and MAC addresses. When we use a network analyzer to monitor the network traffic on the network, we can see lots of IP and MAC addresses. These addresses, however, aren’t friendly to read so we’d like to show their host names or give them labels.

In Capsa we use Name Table to do this job for us. With name table we can not only label IP addresses but also MAC addresses and we can delete, export or reload the address items there. We can right-click on an IP address or MAC address and we see Add to name table in context menu.

On the dialog box we can give the IP (or MAC) address and alias, also we can choose a color for it. If we don’t know the host name, we can click Resolve address to automatically look up its host name. Then click OK to save the input.

Now back to Capsa and we can see the address is already replaced by the name alias we just created. The Add to name table function is applicable to any item on Node Explorer and all other views except Summary, Protocol and Report views.

If we need upgrade or reinstall Capsa, we can use Export function to back up the name items. Click Name Table icon on the ribbon, and click Export button to save the name table file. Then after installation or upgrade we can use the Import function to reload the name items back to the system.

It is one of the essential duties for network administrators to monitor their network traffic like HTTP traffic to see what applications are running on the network. There are countless network traffic monitor tools in the market which make us dazzling and hard to choose. Except for those costly network monitors, Capsa Free is a totally network freeware which serves much better than common network monitors in monitoring network traffic like HTTP traffic.

This article is mainly to guide you through the steps of how to monitor HTTP traffic with Capsa Free.

Capsa Free is a must-have freeware network analyzer for network monitoring, network troubleshooting and network analysis. It provides users with great experience to learn how to monitor network activities, pinpoint network problems,enhance network security and so on. Moreover, Capsa Free is a perfect choice for students, teachers and computer geeks to learn protocols and networking technology knowledge.

Step 1: Download and install Capsa Free.
Step 2: Initiate Capsa Free, choosing HTTP Analysis as the analysis profile.

Step 3: View the HTTP traffic statistics in different tabs of Capsa Free.

a. Summary view: overall statistics of the capture.
b. Log view: webpage visiting records (anyone visited a website, logged here).
c. Dashboard view: important statistic data showing in visualized charts.
d. Diagnosis view: auto detected network errors.
e. Protocol view: the applications/protocols running on the network, traffic statistics.
f. Physical Endpoint & IP Endpoint views: traffic volume statistics of each node (by MAC address or IP address).
g. IP Conversation, TCP Conversation & UDP Conversation views: statistics on two communication nodes (from layer 3 to layer 4).
h. Matrix view: map of how hosts are communicated (MAC or IP addresses).

For the different tabs view, please click here.

During the process of analyzing a network problem with a network analyzer tool or a protocol sniffer, especially when we find a suspicious worm or backdoor activity, we get only useful information like MAC addresses, IP addresses and also the port number in transport layer. The analyzer may not even know which application layer protocol is used, even it tells, we still need to figure out which application or process is using this application layer protocol. Is there any method that we can find out the original application or process using that TCP or UDP port? If you are conducting an on-site analysis, Capsa can easily help find out which process is using what port.
Let’s see how.

Find out Port Number

For example, I spot in Capsa Free the following TCP connection suspicious, which constantly communicates to IP: xx.xx.0.183, on port 8000. So I’m going to look up the process name using this port.

Find Process ID (PID)

At once I evoke Command Prompt, and entered the following string and hit enter.

netstat –aon | findstr :8000

Explanation:

-a: list all active connections and their ports. –o: show process IDs. –n: display the port numbers numerically.

| findstr :8000: display only the items with string :8000 (findstr means find string). Don’t forget the pipe symbol | at the beginning.

Let’s see what we get.

We can read in this case 3968 is the PID, and the source IP address and the target address is the same as the first figure.

Find Process/Application

Next we’ll switch to another tool Process Explorer (a free tool that you can get from: http://technet.microsoft.com/en-us/sysinternals/bb896653) immediately. And we can easily find out the process or application of this PID: 3968.

I’m sure it’s an instant messenger used internal in my office and it’s safe. You can also try to find this PID in Windows Task Manager if you don’t have Process Explorer installed.

However task Manager will not provide as much information as Process Explorer. And command prompt is quite handy for geeks.

tasklist | findstr 3968

This command will list only the task items with string 3968. Please refer to previous command if you not sure about | findstr parameter.

Kill Process/Application

So next, you may want to kill a process when you find it’s malicious and want to end it at once? If you are with Process Explorer, you just right-click on a process item and choose Kill Process (Press Del button for short) to kill that process (you can do the same in Task Manager). Again, you may run the following in Command Prompt:

taskkill /F /PID 3968

Explanation:

/F means force to kill the process. And I suppose you understand PID so far.

Now we successfully detect and target the suspicious process with the specific port number, no matter UDP or TCP. And of course this procedure is reversible, you can find out the port number from the process’s PID.

By ZhaoRui Meng — CCIE Security

Wireless technology is one of the most fast-growing network technologies. It has been spreading rapidly around the company, campus, public area etc. Unfortunately, many implementations are being done without attention to issues of security and authentication. As a result, many wireless networks are set up so that anyone with mobile equipment can access, even from outside the building. Anyone with the proper equipment can also spy on traffic. The problem with WLAN users is that very few understand how their data is sent through the air, much less comprehend the associated risks.

Recently a study discovered that 40 – 50% of the wireless users aren’t implementing any form of protection. Some wireless networks are encrypted with WEP key, which is significantly less secure than WPA. To prove my point, I randomly scanned wireless networks around my office building and found out 7 WLANs were encrypted by WEP keys, one network unencrypted among 15 SSID received. It takes no more than 10 minutes to crack a WEP password by BT3. WPA has helped to increase the security available to wireless network. But a good dictionary may brute forcing a WPA password when the pre-defined key is weak.

Due to the broadcasting nature of radio propagation at typical Wi-Fi frequencies, anyone on the street or in the neighborhood will have chance to access to it. A whole subculture has sprung up of people going around, scanning for open wireless nodes, and publicizing them to people who want free wireless access. Capsa for WiFi helps network administrators manage access control by monitoring access IP addresses and security. Capsa for WiFi can detect all access IP addresses as well as peer hosts activities, to monitor network activities and identify network penetration and scanning anomalies. More specifically, any wireless engineers can use Capsa for WiFi to lock down network intruders, monitor clients’ online activities, and spot malware like worms, ARP attacks, Trojan horses etc. To deploy Capsa for WiFi is as simple as to connect your Caspa for WiFi equipped station with a common wireless card to your AP and enable traffic capturing on the fly. You can realize wireless network management without setting up port mirroring.

Colasoft just released a major upgrade of Capsa Network Analyzer a few days ago and we notice that the Security Analysis Profile is the most important new feature in Capsa 7.3 which helps users to locate and troubleshoot network issues and attacks like ARP attack, DoS attack and port scanning. Besides that, the feature of email auto-saving that users appreciated in previous versions had some adjustments. So, this article is aims to teach you how to save monitored email contents.

In Capsa Network Analyzer 7.3, if you need to save a copy of the monitored email to your hard disk, you should do the following:

Step 1. Enable Log Output

a. Go to the Start Page and click the Set Data Storage link on the right panel.
b. You see the Data Storage Options dialog box, highlight the Log Output tab and then check the Save log to disk checkbox.
c. Finish the settings of choosing file folder and setting up the rules to save logs in different files.

Step 2. Enable Email Copy

a. Double-click the analysis profile you want to use and enable the Email analysis module. Probably you’ll use Full Analysis or Email Analysis because they initially enabled the Email analysis module. This step is very important and if you don’t enable Email analysis module, Capsa will not analyze and capture any email.
b. Click Next and click Log Settings. You will focus on the Output Settings and make sure the Email Copy item is checked.

Set up as the instructions above, Capsa will save all captured inbound and outbound email contents to your hard disk. Why did you make these adjustments, you may ask? This is because users of the earlier versions might be toggled among different analysis profiles and they often forget to enable log output on different profiles. That means in previous versions, every analysis profile has a switch of email auto-saving. Therefore this time we can see the switch is made globally. Once you enabled log output, the logs will be saved to your hard disk no matter which analysis profile you choose.

It’s also notable that this time Capsa is able to output logs in multiple files as the rules you set. For example, you can set to save logs to a separate file every 10 minutes. It makes it easy for you to find useful logs in time-split small files rather than in a big log file.

I’m sure you already know how to save emails with Capsa 7.3 after reading through this article.

There comes the moment when the local network becomes very slow and they are suspicious of downloading in their network. To ensure the normal use of bandwidth, they need to find out who’s downloading in the network quickly and stop them to make sure everyone can work with efficiency. But many just don’t know how where to get started.

With Capsa Network Analyzer, you can find out the downloading computers within five minutes. Capsa captures all the traffics in the network, going-in and coming-out, and analyzes them to provide you enough statistics of the traffic. To find out who is downloading, we always start from looking into traffic volume of each machine.
Why should we start from traffic volume? That’s because when the downloading is digesting your bandwidth greedily, they will always generate greater traffic volume, not packets but bytes number.

Step1. Run Capsa, using Full Analysis with no filter, and capture traffic for three minutes.
Step2. Highlight IP Explorer -> Local Subnet in Node Explorer window.

Step3. Open the IP Endpoint tab in the Main View.Click Bytes column header to rearrange the list in DESC order.

The IP addresses with the longest bars on the top of the list are the suspects. But we need to eliminate the ones we trust. Then, we locate the machines with their IP addresses and warn them to stop downloading right away. It takes no more than five minutes and really it’s simple, right?

This article focuses on normal downloading, while there is another kind of downloading, Bit Torrent, out there. If you are interested about finding out Bit Torrent downloading in your network, please refer to here.

In networking, an email worm is a computer worm which can copy itself to the shared folder in system. And it will keep sending infected emails to stochastic email addresses. In this way, it spreads fast via SMTP mail servers. An email worm can send lots of infected emails in a very short time and it will never stop unless it’s removed. It will cause a large traffic and make the system go slowly. Sometimes it even makes the mail server crash. This article aims to teach you how to detect an email worm with Capsa network analyzer 7.

About Capsa 7

Capsa 7 is the flagship product of Colasoft. It is based on the second-generation Colasoft Packet Analysis Engine (CSPAE), which substantially improved the data processing speed and guaranteed the analysis performance in large traffic networks. Some unique features and ideas are introduced to Capsa 7, like Network Profile, this function allows user to set and save network profiles for different environments (departments, clients), making their analysis more customized, accurate and efficient. Another prominent feature is Analysis Profile which provides flexible, extensible and effective analysis performance based on user’s analysis objectives.

Step 1 of detecting an email worm with Capsa network analyzer 7: Diagnosis tab

In the Diagnosis tab we can see all the network issues automatically detected by Capsa network analyzer 7 , also some causes and solutions are suggested.

If there is a host infected with an email worm, we should be able to see SMTP events in the application layer like this:


Step 2 of detecting an email worm with Capsa network analyzer 7: Locate the source IP

Possibly the source IP is the host infected with an email worm as it is sending too many emails in a short period of time with SMTP. So let’s locate the source IP in the Node Explorer window with the Locate shortcut in the right-click menu.

Step 3 of detecting an email worm with Capsa network analyzer 7: Log tab

Check if the host is sending emails to a large number of recipients in a very short period of time. If so, we can determine the host is infected with an email worm and should be handled immediately. We should be able to see logs in the tab like this:

No doubt the final step is to isolate the host and kill the email worm with some AV software.So, I’m sure you already got how to detect an email worm with Capsa network analyzer 7. A free trail of Capsa network analyzer 7 is avaliable at http://www.colasoft.com/.

ARP attacks also known as ARP spoofing is a technique used to attack an Ethernet wired or wireless network. It is becoming increasingly popular among internet raggers because of its simpleness, fastness, and effectiveness, thus causing severe influence to the internet environment. As more and more people trust windows 7, it is very important to find a network analyzer that supports windows 7. Capsa network analyzer is such a great software that supports windows 7. The purpose of this article is to teach you how to detect ARP attacks in windows 7 with Capsa network analyzer.

The main point of ARP attacks detection is to locate the source of the attack when there is any ARP attack happens to our network. Capsa network analyzer can do it quickly and accurately. First of all, you need to download Capsa network analyzer at its official site and install it correctly. Now let’s see how we can achieve that.

Solution 1 to detect ARP attacks: Diagnosis Tab

The Diagnosis tab is the most direct and effective place we check the location of ARP attack, and should be our first choice.

Solution 2 to detect ARP attacks: Protocol Tab

As shown in the following figure, the status of ARP packets are displayed in the Protocol tab, Here we must pay special attention to the value of ARP Request and ARP Response. The ratio of ARP Request and ARP Request should be approximately 1:1 under general condition. If there is a great difference between these two values, there may be ARP attacks in the network.

Solution 3 to detect ARP attacks: Packet Tab

Packet decoding information in the Packet tab can tell us the original information of ARP packets, by decoding ARP packets, we can find out the source and destination of the ARP packets, the function and the reality of these ARP packets.

Solution 4 to detect ARP attacks: Physical Endpoint Tab

In the Physical Endpoints tab we can view the correlation of MAC address and IP address. Generally speaking, one MAC address shall have only one IP address corresponding to it. If one MAC address has multiple IP addresses to it, the condition may be:

1.the host with the MAC address is the gateway;
2.these IP addresses are bound to the MAC address manually;
3.ARP attack

Soluton 5 to detect ARP attacks: Matrix Tab

The Matrix tab allows us to see communication information between those hosts in the network, which helps us to fast identify abnormal conditions and locate the attack source.

From the above 5 solutions on how to detect ARP attack in windows 7 with Capsa network analyzer, it will greatly enhance network administrators’ capability to identify ARP attacks and protect the network from ARP attacks, so as to ensure normal network operation.

Network traffic is data in a network. In computer networks, the data is encapsulated in packets. So network traffic monitoring is to capture all the packets going down the network. Sometimes, it will be very useful to check your network activity. When Windows 7 network is very slow, internet browsing is very slow, connection problems and high network activity occurs when you do nothing, you will find this really helpful. The purpose of this article is to help you understand how to monitor network traffic in windows 7 with Capsa network analyzer.

About Capsa Network Analyzer

Capsa is an easy-to-use Ethernet packet sniffer (network analyzer or network sniffer) for network traffic monitoring and troubleshooting purposes. It performs real-time packet capturing, 24/7 network monitoring, reliable network forensics, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. By giving you insights into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify network bottleneck and bandwidth use, and detect network vulnerabilities.

Solution 1. Monitor network traffic in the Dashboard tab of Capsa network analyzer

If we want to have a graphical view of the statistics or get a trend chart of the network traffic, then we can use the graphs in the Dashboard tab. It provides a great many of statistic graphs from global network to a specific node. You are able to as well create almost any kind of graph based on any MAC address, IP address and protocol, etc. With these graphs, you can easily find out anomalies of the network and get useful statistics.

Solution 2. Monitor network traffic in the Summary tab of Capsa network analyzer

The Summary tab provides general information of the entire network or the selected node in the Node Explorer window. In the Summary tab we can get a quick view of the total traffic, real-time traffic, broadcast traffic, multicast traffic and so on. When we switch among the node in the Node Explorer window, corresponding traffic information will be provided.

Solution 3. Monitor network traffic in the Physical Endpoint and IP Endpoint tabs of Capsa network analyzer

In these two endpoint tabs (Physical Endpoint and IP Endpoint), we can monitor network traffic information of each physical address node and IP address node, both local and remote. With their easy sorting feature we can easily find out the nodes with abnormal traffic, such as which hosts are generating or have generated the largest traffic.

Solution 4. Monitor network traffic in the Protocol tab of Capsa network analyzer

The Protocol tab lists all protocols applied in your network transmission. In the Protocol tab we can monitor network traffic by each protocol. By analyzing the protocols in the network traffic, we can easily understand what applications are consuming the network bandwidth, for example, the HTTP stands for website browsing, and the POP3 stands for email, etc.

Solution 5. Monitor network traffic in the Matrix tab of Capsa network analyzer

The Matrix tab visualizes all network connections and traffic details in one single graph. The weight of the lines between the nodes indicates the traffic volume and the color indicates the status. As we move the cursor on a specific node, network traffic details of the node will be provided.

These are the very basic methods of monitoring network traffic in windows 7 with Capsa network analyzer, there are lot of advanced functions available on Capsa Network Analyzer 7 .

Share your experience with this tool and any new findings on this is welcomed.

The latest released Capsa Network Analyzer 7.2 supports monitoring instant message activity, which not only gives us real time monitoring, but also auto-saving instant messages details to local disk. Whether a parent who has teenager kid, monitoring his teenager kids’ online activities like whom are they chatting with, what they are talking about are of great importance to make sure the kids are safe and will not be misled. Or a company policy requires taking some measures to guarantee the employees’ working efficiency, one of the measures is to find out who is chatting on MSN or Yahoo Messenger about some non-working stuffs. This article is to talk about how to monitor instant message activities with Capsa 7.2 as well as save the messages to local disk.

To monitor instant messages, we need first to enable the IM analysis modules in the analysis profiles, because none of them are enabled by double-clicking an analysis profile to change the profile settings.

If we’d like to create a new analysis profile only used to monitor IM messages. Right-click anywhere in this section, and choose New from the context menu and only enable the MSN and Yahoo analysis modules.

Then click Next and then OK to finish the settings. Now click the big run button to start a capture.

When the main program is initiated and we go to the Log tab which holds the IM monitor results. In this tab, we’ll see two IM logs, MSN log and Yahoo log, including the time, sender’s account and the receiver’s account.

Not only can Capsa monitor all IM activities in our network segment, but also save these records to a csv file. Click the Export icon, and give the file a name. We can open the csv file with Excel to make a deeper analysis.

Someone may ask what if we are not around, is Capsa able to auto save the messages down to a file? Sure it is. Click the Log Settings icon, and click the Save Log File button. A new dialog box appears. Check Save to disk. There are two ways to save logs: save to a Single File and save to Multiple Files. For example, we enter the prefix for their name. And then decide how to split logs, say we split by everyone day. If we just want to save the latest files, we should check this and enter a number, say 30. We can read that we save everyday’s messages into a file, and just keep the latest 30. We’ll get the messages of the past 30 days. Now, any message goes from or to your network will be logged into a log file.

This is how Capsa monitors instant message activity and auto-saving the content to local disk. Hope it helps. And we have a video tuterial at our official site.