Colasoft Blog

The latest released Capsa Network Analyzer 7.2 supports monitoring instant message activity, which not only gives us real time monitoring, but also auto-saving instant messages details to local disk. Whether a parent who has teenager kid, monitoring his teenager kids’ online activities like whom are they chatting with, what they are talking about are of great importance to make sure the kids are safe and will not be misled. Or a company policy requires taking some measures to guarantee the employees’ working efficiency, one of the measures is to find out who is chatting on MSN or Yahoo Messenger about some non-working stuffs. This article is to talk about how to monitor instant message activities with Capsa 7.2 as well as save the messages to local disk.

To monitor instant messages, we need first to enable the IM analysis modules in the analysis profiles, because none of them are enabled by double-clicking an analysis profile to change the profile settings.

If we’d like to create a new analysis profile only used to monitor IM messages. Right-click anywhere in this section, and choose New from the context menu and only enable the MSN and Yahoo analysis modules.

Then click Next and then OK to finish the settings. Now click the big run button to start a capture.

When the main program is initiated and we go to the Log tab which holds the IM monitor results. In this tab, we’ll see two IM logs, MSN log and Yahoo log, including the time, sender’s account and the receiver’s account.

Not only can Capsa monitor all IM activities in our network segment, but also save these records to a csv file. Click the Export icon, and give the file a name. We can open the csv file with Excel to make a deeper analysis.

Someone may ask what if we are not around, is Capsa able to auto save the messages down to a file? Sure it is. Click the Log Settings icon, and click the Save Log File button. A new dialog box appears. Check Save to disk. There are two ways to save logs: save to a Single File and save to Multiple Files. For example, we enter the prefix for their name. And then decide how to split logs, say we split by everyone day. If we just want to save the latest files, we should check this and enter a number, say 30. We can read that we save everyday’s messages into a file, and just keep the latest 30. We’ll get the messages of the past 30 days. Now, any message goes from or to your network will be logged into a log file.

This is how Capsa monitors instant message activity and auto-saving the content to local disk. Hope it helps. And we have a video tuterial at our official site.

June 22, 2010 – Colasoft, an innovative provider of all-in-one and easy-to-use network analyzer software, today announced the newest version 7.2.1 of its flagship product-Capsa network analyzer, which is the combination of powerful monitoring, alerting, and reporting capabilities. In this version, two long-awaited monitors are added in: IM monitor and Email monitor.

Emails are provided to employees as an efficient means of communication, along with this technological advancement are many collateral problems concerning enterprise information security, such as email worm thread, disclosure of trade secrets or other enterprises’ confidential information, etc. Capsa 7.2.1 provides you with powerful email monitoring. With the captured email file, you are accessible not only to basic email information such as client, server, sender name, time, etc, but also to the original content of the email. Capsa 7.2.1 supports auto-saving email content. All of the email information is captured and saved, which will serve as valuable electronic evidence when needed.

MSN (aka Live Messenger) and Yahoo Messenger are two of the most popular chat tools on internet, IM monitoring is a necessary and effective method for enterprises to ensure employees’ work efficiency. Capsa 7.2.1 gives a real-time instant message monitoring and recording. Capsa 7.2.1 is able to deliver the most accurate MSN and Yahoo messenger monitoring statistics which can be exported and saved for further analysis. To some extent, IM monitor helps enterprise achieve effective management as well as improve network and economic performance.

Besides IM and Email monitors, considering our users may have useful project files saved by version 6.9, Capsa 7.2.1 supports opening project file from Capsa 6.9.

Capsa 7.2.1 runs under Windows XP/2003/Vista/7. A trial version is available for download at the company’s website: http://www.colasoft.com/

About Capsa

Capsa is an easy-to-use Ethernet packet sniffer (network analyzer or network sniffer) for network monitoring and troubleshooting purposes. It performs real-time packet capturing, 24/7 network monitoring, reliable network forensics, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. By giving you insights into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify network bottleneck and bandwidth use, and detect network vulnerabilities.

About Colasoft

Ever since 2001, Colasoft has been an innovative provider of all-in-one and easy-to-use software solutions for users to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Currently, more than 5000 customers in over 80 countries trust the company’s flagship product, Capsa Packet Sniffer, as their network monitoring and troubleshooting solution. Featured customers include Alcatel, Airbus, Dell, Ericsson, IBM, Intel, and Pepsi. Learn more about Colasoft and its solutions, please visit http://www.colasoft.com/

To football fans, today is a big day! FIFA World Cup opens today, Friday, June 11, 2010. They will spend the nights with the TV and bears. But our network admins will be drove crazy too. Why? The World Cup brings us great joys as well as certain network problems. Some of the crazy fans will watch or replay the competitions online at work. In these days, you will find your network traffic grows dramatically. I don’t want to be mean with the big fans, but we still have to do our work to maintain the network goes smoothly. How can we figure who is watching World Cup online at workplace? With Capsa network analyzer at hand, that would be so easy for you to monitor network, and prevent the network problems that World Cup may bring to your LAN.

Well, first we should make a list of football fans’ names and inform them not to watch videos online. And then we will keep an eye on our network utilization. When the utilization graph is high pitch, we know someone is disobeying the rules. Then we can check out who is consuming the bandwidth in the IP Endpoint tab.

But utilization cannot tell everything. We still need to spend a little seconds to check the protocols used in the network (Protocol tab). Special attention should be paid to protocols like P2P, RSTP and even HTTP. Online video takes a big portion of bandwidth so that we can easily find them out in the Protocol tab. The following figure shows that the HTTP traffic is abnormal which takes too much traffic.

When a suspicious protocol spotted, we should concentrate on it and check which IP address is generating the traffic in the IP Endpoint tab (figure below).

Then we could take a further step to prove our analysis. We can check out their conversations (IP Conversation tab), communication matrix (Matrix tab), and even we can go down to their original traffic packets (Packet tab).

With the above tips, I’m sure you can guarantee a healthy network during the special World Cup time.

We provide some tips on monitorring FBHOLE worm. In this article, we specificlly provide a step by step guide on how to build a fileter and monitor FBHOLE worm with Capsa network analyzer.

1. On the Start Page, click Packet Filter Settings link to open the Filter dialog box, which organizes all the filters.

2. Click the Add button (on the bottom-left corner of the dialog box) to build a new filter.

3.In the new window, choose Advanced Filter tab. And click the And icon. Choose Content from the context menu.

4. In the Pattern Rule window, just enter keyword: fbhole.com in the Pattern text box. Then click OK to close the window.

5. Click OK again to close the Packet Filter window.

6. Check the Accept checkbox of the filter just built which enables the program only capture the packets containing keyword “fbhole.com”.

7. Click OK and then start a capture.

8. If there is already a project running, you’d better stop it to build the filter and restart the capture. To build a filter in a running project: click the Filter button on the Ribbon. You will also see the Filter dialog box as well.

Facebook users have to be very careful when they’re hanging out on Facebook because a new worm called FBHOLE is out there everywhere. According to the reports that FBHOLE “doesn’t seem to be doing anything else than posting a message to people’s Facebook walls”. As an innovative network security software provider, Colasoft responses to analyze the worm immediately and we do get some ideas to help keep our users away from FBHOLE worm.

Behavior Study

If you click any post link like: http://www.fbhole.com/omg/allow.php?s=a&r=[random number] (post name” try not to laugh xD”) on a post wall, you will probably be lead to a page like the figure below:

Figure 1: try not to laugh xD with a fbhole.com link

The web page pops up a message box tells that there are some errors. Of course you will click the OK button to close the dialog box readily. Once you click the OK button, you may find there is one more post submitted to your wall.

Figure 2: Error messages

After the study of the HTML and scripts of the web page, we find that wherever you click on this page, you will trigger a script that tries to submit the same post to your Facebook wall. All these are done by a hidden iframe showing below:

Figure 3: iFrame code

This iframe follows your mouse movements. Wherever you click on the page, you will always click the invisible “Publish” button.

Tips to keep your network away from FBHOLE worm:

Until now we find that is all it does without any further harm to your computer system. To help keep our users to away fromthis worm, we do have some suggestions:

1. Inform the users in your network not click any links shown in the Figure 1.
2. Set up a filter to monitor which users click these links.
3. Locate the computer and scan it with an anti-virus program because there are possibilities that the worm may evolve to infect the operation system.

by Michael Dragone at June 1, 2010.

At some point in the career of almost any IT professional, there comes a time when a detailed examination of network traffic at the packet level is required to troubleshoot a problem. These problems often occur at the worst time, and having the ability to quickly perform a detailed traffic analysis is critical to resolving the problem swiftly and efficiently.

In the field of network analyzers, there’s a range of choices. On the one end, you can obtain free tools that support basic capture tasks but require you to perform much of the analysis. On the other end, you can purchase multifunctional tools that perform the analysis for you.

I took at look at the recently released Capsa 7.1 from Colasoft to see how it performed. I was especially interested to see how it fared against free tools such as Microsoft’s Network Monitor and Wireshark (formerly Ethereal). I ran the software on a Windows XP Professional SP3 computer.

Capsa downloaded quickly, and the installation process was brief. During installation, I was given the opportunity to install additional Colasoft tools such as a packet generator. I declined because I was focusing on the network analyzer, but it was nice to see those tools included as an installation option and not as an additional download. I was also happy that the installation process gave me full control over the creation of the desktop and Quick Launch icons instead of littering my test computer with icons everywhere. Finally, I was expecting to have to reboot my computer after the installation, as I assumed that the installation routine would make changes to the network stack. I was happy to see that this wasn’t the case and no reboot was required.

When you start Capsa, an interface presents you with intuitive options that let you select the network you want to analyze and the type of analysis you want to perform, such as Full Analysis, Traffic Monitor, Security Analysis, and Email Analysis. I wanted to analyze traffic, so I selected Traffic Monitor and clicked the large play button. The analysis began immediately.

As Figure 1 shows, Capsa uses the Fluent interface introduced in Microsoft Office 2007. As such, it’s extremely easy to navigate and almost, dare I say, fun to poke around the various tabs as the product captures network traffic.

The information that the product can capture can be daunting, but it was easy to filter the capture to look for only HTTP traffic. The filter interface provides an excellent graphical representation of what your newly created filter will do.

I was able to drill-down into my newly captured HTTP traffic to the packet level and examine all the details. Because it was encrypted HTTP Secure (HTTPS) traffic, I couldn’t look into the data payload, but all the header details were available. I was also able to examine entire TCP conversations, from the initial handshake all the way down to the FIN flag. The graphical representations that this product can produce are simply wonderful.

Overall, Capsa is a joy to use. My only complaint is the high price tag, which might make it difficult to obtain if you don’t spend a majority of your time examining network traffic, as free (and excellent) alternatives exist. Despite this, I highly recommend this product and would be glad to add it to my toolbox.

Google announced last week that users can visit https://www.google.com to establish a secure connection for their searches, which Google says “helps protect your search terms and your search results pages from being intercepted by a third party on your network”.

In response to the worries that search terms are eavesdropped by third party on public Internet accesses, especially at public like WIFI hotspots at airport, Google offers a connection over HTTPS to protect your search terms been sniffed. The purpose of this article is to figure out how does the encrypted search connection work and see if it really protects you. As packets never lie, we will go down to the packet level to check the original traffic out. Let Capsa network analyzer to prove that. First let’s check out how the normal search goes.

Normal Google Search

First run Capsa Network Analyzer and start a capture, then visit http://www.google.com, enter the keyword Capsa, and click the Google Search button. Until now, we can clearly see a HTTP packet captured with the keyword “Capsa”. If in a public network, the hacker can easily get the GET request and figure out your search terms with little tricks.

And another important way to get your search terms is to get the packet of your clicking on a link in the search results, which contains the keywords too. In this case we will click the second link in the results. When we go back to the packets, we can see there are two DNS packets, a DNS query and a response, then three-way-handshake with www.colasoft.com. The fourth packet is a HTTP GET packet.

If you are interested in this GET packet, you will find a Referer string in it, which is pretty the same as the string in figure below.

Encrypted Google Search

After the normal search, we flush the DNS, start a new capture, and reopen the browser. This time we visit https://www.google.com, enter the same keyword “Capsa”, and click the Google Search button. The page loaded and we go back to the analyzer and find there are DNS packets and HTTPS packets, without any HTTP packets (figure E). As all transmissions are protected by SSL, we cannot find any search keyword in these packets, unless you have that power to decode them.

Then we click the same link over the returned search results, and we find there are two DNS packets too and three-way-handshake and then a HTTP GET packet to load the Colasoft page. We can check this packet and find there is not a Referer string (figure F) in it. As google’s explanation, they’ve stopped transferring this value to the clicked page to prevent keywords being tracked.

Google also pointed out that the encryption search only protects you from keywords tracking but the website you visit later could also be spotted because of you DNS queries. And that’s something they cannot do about. But that’s not the topic of this article. We can sure that the new HTTPS Google search does what it alleged (you can learn more Google SSL search from http://www.google.com/support/websearch/bin/answer.py?answer=173733&hl=en). Furthermore, the society is talking about the network security more and more these days. We should always pay attention to our communications on the Internet, emails, social media communications and passwords, and so on.

Packet Size Distribution is an important statistic group in the Summary tab in Colasoft Capsa, from which we can get useful information. The Packet Size Distribution group does statistic over seven packet size ranges with their own throughput, packet counting, utilization, and so on. The bigger packet size may result in more Bytes if the packets number equals the ones with smaller packet size. These statistics seem just do simple statistics, but they also give us important information to help us monitor and analyze the network.

The Packet Size Distribution Statistic Group in Summary Tab

The packet size distribution group can help us manage the network in the following ways:

1. Excessive <=64, 65-127 Packets: Attacks

We know ARP packets are 64 bytes and general TCP STN packets are about 66 bytes. Small sized packets contain less data. A network device needs to spend much of its resource to deal with excessive small sized packets which will result in inefficient to handle normal packets. So if the number is very big than other packet size statistic items, you should be alerted that it might be an attack such as ARP flooding, ARP spoofing, port scanning, worm activities, or DDoS attack.

2. Excessive 1024-1517, >=1518 Packets: Download

With larger size, a packet has a bigger payload to carry more data. That’s why downloading and uploading tools often generate packets with large sizes. These packets are very greedy to consume a big portion of bandwidth. That’s why network administrators always pay much attention to downloading and uploading at workplace. You should keep an eye on this type of packets too.

Note that here we are talking about EXCESSIVENESS, which means the number VERY BIG like tenfold or hundredfold bigger than other counters. Especially the small sized packets and if there is any port scanning on your network, you will capture a big sum of packets of 64 bytes in a blink of an eye and clearly feel the network delay.

Why do we need to preserve packets to local?

We all know that packets never lie. Saving packets to local means we have preservation of evidence on the network. One basic mission of a network analyzer is to capture network packets and save them to disk. To help us understand easily, we can compare the network analyzer as a monitoring camera. A monitoring camera continuously records image 24 hours a day and stores the movie for a certain time span. When we need to check what really happened in the past, we just replay the movie and we figure all out.
Capsa is like a network monitoring camera which is able to capture packets traveling in and out of the network and save the packets to a hard disk as packet files. Capsa listens to your order to save captured packets to a single file or multiple files by your splitting settings. My network traffic is very heavy, I don’t think my hard disk has enough space to hold those files, you may wonder. Under such circumstance, we can use filters to help us capture packets we are just interested in.

When do we need to save packets to local?

•Monitor network activities such as downloading, using IM, sending Email
•Recording traffics when the network admin not around. We can check last night’s network health status the second morning
•A network problem can’t be solved. We can save traffics to a packet file and turn to other technicians for help.

How to save packets to hard disk?

Finally let’s see how to save network packets to a hard disk. There are just a few simple steps of settings to accomplish this. But please make sure you have enough space to store those files on your hard disk.
1. Click the Packet Storage icon (figure below) on the Ribbon to open the Analysis Profile Options dialog box.

2. This is the Packet Storage page of the Analysis Profile Options. Check the Enable auto packet saving box in the Save to Disk group.

Now, we will go through the options one by one:
2.1 Limit each packet to: If this box checked, only the first configured number of bytes of a packet will be saved. The excessive bytes will be discarded.
2.2 Single file: We should enable this option if we just need to store the packets to one packet file.
2.3 Multiple files: We should use this one when we need to capture packets for a long time. Capsa will split packets into multiple files according to the setting rules. It’s more useful for later analysis and traffic management. For example, we split packets by a time span of 24 hours. We only need to replay and analyze the packet file of that day which makes us focus on that traffic and make it easily to troubleshoot the network problems.
2.3.1 Save into folder: To choose a folder to store the packet files.
2.3.2 Prefix name: To set the file prefix for the packet files. We can click the ? button to see how the file names will be generated (figure below).

2.3.3 Split file every: Set the conditions for how to separate files. There are two conditions, by time or by file size. You can decide which one to choose by your certain network environment.
2.3.4 Keep all files/Keep the latest: If we choose to keep the latest number files, only the latest number of files will be kept and the older files will be deleted. To choose this option, we can save the space to store the packets files. Also the files exceed a long time are useless anymore.
When we need go back to pinpoint a network problem happened in the past, we just choose the interested packet files in the replay functionality of Capsa to reproduce the scenario of that time.

Trojan and Worms are two major threats to network security. Do you know what exact is a Trojan horse? In Wikipedia, Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, it is possible for a hacker to access it remotely and perform various operations.

Almost all Trojans and worms need an access to network, because they have to send data out to the hacker. Only the useful data are sent to the attacker the Trojan accomplishes its mission. So it should be a good solution that we start from the aspect of traffic analysis and protocol analysis technology. We are going to detect the Trojan horse and worm with the help of a -network analyzer-Colasoft Capsa. Capsa is an easy-to-use and intuitive network analyzer, which provides enough information to help check if there is any Trojan activities in our network. In this article I’m going to show you how to spot a Trojan or worm.

5 solutions to find the trace of a Trojan or worm in LAN network:

Solution 1: The Summary Tab

Concentrate on TCP packet summary. We should be alerted when TCP SYN Sent number is much larger than TCP SYN ACK Sent number. Generally the ratio of these two numbers approximately equals 1:1. Trojans and worms always send large amount of TCP SYN packet to the network and try to establish connections with other machines. When a connection established, they try to penetrate into the target machine.

Solution 2: IP Endpoint Tab

We can reorder the rows by clicking the column headers of the Packet Sent, Packet Received or IP conversation. Pay attention to the node with big statistics. They, however, might be BitTorrent downloading. But Trojans and worms definitely send out a large amount of packets.

Solution 3: The Log Tab

Focus on the DNS Log. We could make a list of target websites of Trojan horses by Google. For example, website like *****.3322.org. Furthermore, we can store the DNS log and analyze by using filters of the Trojans’ keywords.

Solution 4: Using Filters

Build filters rules with patterns of some Trojans and worms. Until they send a packet out, we will get those Trojans’ and worms’ activities. This method has its drawback that it does nothing to a new Trojan or worm.

Solution 5: The TCP Conversation Tab & UDP Conversation Tab

When Trojan or worm activities are found in our network, we can locate the machine’s IP address in the Node Explorer and then check its TCP Conversation or UDP Conversation. In TCP Conversation tab, we can read the reconstructed data of the communication in Data Flow sub tab, (the UDP Conversation is with the Data sub tab). Attentions have to be paid if the conversation is sending your system information.
Above are the featured tabs of Capsa network analyzer that we often use to detect network problems or bottlenecks. Moreover, we can spend some time to study what ports do the Trojans and worms like to use such as Executor:80, Ultors Trojan:1234. Then when we troubleshoot the network and make the analysis, we should pay attention to the node sending or receiving packets to and from these ports as well.