Colasoft Blog

Colasoft Thanksgiving big sale is now online! You can get Capsa at the most favorable price. Get coupons of up to 40% off now by clicking here!

Why do we need to preserve packets to local?

We all know that packets never lie. Saving packets to local means we have preservation of evidence on the network. One basic mission of a network analyzer is to capture network packets and save them to disk. To help us understand easily, we can compare the network analyzer as a monitoring camera. A monitoring camera continuously records image 24 hours a day and stores the movie for a certain time span. When we need to check what really happened in the past, we just replay the movie and we figure all out.
Capsa is like a network monitoring camera which is able to capture packets traveling in and out of the network and save the packets to a hard disk as packet files. Capsa listens to your order to save captured packets to a single file or multiple files by your splitting settings. My network traffic is very heavy, I don’t think my hard disk has enough space to hold those files, you may wonder. Under such circumstance, we can use filters to help us capture packets we are just interested in.

When do we need to save packets to local?

•Monitor network activities such as downloading, using IM, sending Email
•Recording traffics when the network admin not around. We can check last night’s network health status the second morning
•A network problem can’t be solved. We can save traffics to a packet file and turn to other technicians for help.

How to save packets to hard disk?

Finally let’s see how to save network packets to a hard disk. There are just a few simple steps of settings to accomplish this. But please make sure you have enough space to store those files on your hard disk.
1. Click the Packet Storage icon (figure below) on the Ribbon to open the Analysis Profile Options dialog box.

2. This is the Packet Storage page of the Analysis Profile Options. Check the Enable auto packet saving box in the Save to Disk group.

Now, we will go through the options one by one:
2.1 Limit each packet to: If this box checked, only the first configured number of bytes of a packet will be saved. The excessive bytes will be discarded.
2.2 Single file: We should enable this option if we just need to store the packets to one packet file.
2.3 Multiple files: We should use this one when we need to capture packets for a long time. Capsa will split packets into multiple files according to the setting rules. It’s more useful for later analysis and traffic management. For example, we split packets by a time span of 24 hours. We only need to replay and analyze the packet file of that day which makes us focus on that traffic and make it easily to troubleshoot the network problems.
2.3.1 Save into folder: To choose a folder to store the packet files.
2.3.2 Prefix name: To set the file prefix for the packet files. We can click the ? button to see how the file names will be generated (figure below).

2.3.3 Split file every: Set the conditions for how to separate files. There are two conditions, by time or by file size. You can decide which one to choose by your certain network environment.
2.3.4 Keep all files/Keep the latest: If we choose to keep the latest number files, only the latest number of files will be kept and the older files will be deleted. To choose this option, we can save the space to store the packets files. Also the files exceed a long time are useless anymore.
When we need go back to pinpoint a network problem happened in the past, we just choose the interested packet files in the replay functionality of Capsa to reproduce the scenario of that time.

Trojan and Worms are two major threats to network security. Do you know what exact is a Trojan horse? In Wikipedia, Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, it is possible for a hacker to access it remotely and perform various operations.

Almost all Trojans and worms need an access to network, because they have to send data out to the hacker. Only the useful data are sent to the attacker the Trojan accomplishes its mission. So it should be a good solution that we start from the aspect of traffic analysis and protocol analysis technology. We are going to detect the Trojan horse and worm with the help of a -network analyzer-Colasoft Capsa. Capsa is an easy-to-use and intuitive network analyzer, which provides enough information to help check if there is any Trojan activities in our network. In this article I’m going to show you how to spot a Trojan or worm.

5 solutions to find the trace of a Trojan or worm in LAN network:

Solution 1: The Summary Tab

Concentrate on TCP packet summary. We should be alerted when TCP SYN Sent number is much larger than TCP SYN ACK Sent number. Generally the ratio of these two numbers approximately equals 1:1. Trojans and worms always send large amount of TCP SYN packet to the network and try to establish connections with other machines. When a connection established, they try to penetrate into the target machine.

Solution 2: IP Endpoint Tab

We can reorder the rows by clicking the column headers of the Packet Sent, Packet Received or IP conversation. Pay attention to the node with big statistics. They, however, might be BitTorrent downloading. But Trojans and worms definitely send out a large amount of packets.

Solution 3: The Log Tab

Focus on the DNS Log. We could make a list of target websites of Trojan horses by Google. For example, website like *****.3322.org. Furthermore, we can store the DNS log and analyze by using filters of the Trojans’ keywords.

Solution 4: Using Filters

Build filters rules with patterns of some Trojans and worms. Until they send a packet out, we will get those Trojans’ and worms’ activities. This method has its drawback that it does nothing to a new Trojan or worm.

Solution 5: The TCP Conversation Tab & UDP Conversation Tab

When Trojan or worm activities are found in our network, we can locate the machine’s IP address in the Node Explorer and then check its TCP Conversation or UDP Conversation. In TCP Conversation tab, we can read the reconstructed data of the communication in Data Flow sub tab, (the UDP Conversation is with the Data sub tab). Attentions have to be paid if the conversation is sending your system information.
Above are the featured tabs of Capsa network analyzer that we often use to detect network problems or bottlenecks. Moreover, we can spend some time to study what ports do the Trojans and worms like to use such as Executor:80, Ultors Trojan:1234. Then when we troubleshoot the network and make the analysis, we should pay attention to the node sending or receiving packets to and from these ports as well.

Sometimes when our network is going abnormal, we need to find out and check the top bandwidth users for clues, such as BitTorrent downloading, online video, worm activities, and so on. With Capsa 7, you don’t need to do any settings or configurations. All you need to do is to run the program, and get the statistic results with a couple of clicks.

First, let’s start Capsa7.1, we’d better not set any filters, unless we are monitor a specific kind of traffic. Then, we just keep the program running.

We first t come to the dashboard. By default, there’re two graphs in the dashboard, providing top talkers statistic results. They are Top physical address by bytes, and top IP address by bytes. By default, they display the top 10s. We can move pointer over a bar to see its address. In this network, the IP address, 192.168.5.24 (one ninety two, dot one sixty eight, dot five dot twenty four), consumes the biggest portion of bandwidth.

If we need detailed statistics of those nodes, we can come to the physical endpoint tab, or Ip endpoint tab. We can click the column header to order the list. Click this column to order by bytes. We can see who take the most traffic. We can see these highlighted bars; they help us recognize the column difference. Also we can click packets to see, who send out the most packets. From these statistics, we can get hints of anomalies, such as downloading and online video takes a lot of bandwidth, and some worm or attacks sends a great number of packets. The difference is we get MAC address in this tab, and IP address in another tab.

For some occasion, we need to generate a report of the top bandwidth users. Capsa 7.1 has the report function, let’s move on to the report tab. It provides five top statistic groups. Click an item; we see it’s an easy-to-understand table with information of IP address, traffic consumption percentage, bytes and packets.

If we want to save the report, click this button, choose a folder, type in a file name, then we can choose to save the report in PDF or html. Click Save. Report saved, and we can see the webpage is the same in the report tab.

Watch the video tutorial at http://www.colasoft.com/download/top_10_network_traffic_hosts.php

Do you know what a network loop is? Have you ever had a network loop in your LAN? No matter you want it or not, a network loop in the LAN can bring down your whole network.

First, let’s see what a network loop is. What does a network loop do? A network loop is a network configuration there is more than one path between two computers or devices, which causes packets to be constantly repeated. This is due to the fact that a hub will blindly transmit everything it receives to all connections – other devices, such as switches and routers, might be able to reduce or eliminate this problem.

In this article, I’m going to show you how to detect the network loops in network with Capsa network analyzer 7.1?

Let’s start Capsa, and then add in the packet file into the ready-to-replay list. Without any other settings, click this icon to start replay directly.

To detect network loops, first we come to the Dashboard tab. The graphs show that the traffic is not big. We can conclude that, no machine is keeping sending a large sum of packets, to block the bandwidth.

We can sure from the Protocol tab, that only ICMP is used in the traffic. However, in Diagnosis tab, there is one record, IP TTL too low, which means a packet has passed too many routers. That is a sign od network loop.

And we can see the anomaly happens at IP address, one seventy two, dot sixteen, dot two zero eight, dot thirty three. Let’s start from this address. Right-click on the address, and locate it.

Then, go directly to the packet tab. We can see all the packets are ICMP packets. And we find the delta time between the packets is very small, and there are more than twelve thousand packets. This couldn’t be normal. Just a simple ping can’t produce so many packets, it looks like network loop a little bit.

To confirm our guess, we should go down to the digits in the packets. We can compare the field information of different packets, by checking the fields in this pane. While we come to the identification field, we can see there are so many packets have the same identification number. We know that one ICMP packets has its own identification number, there’s no way that so many packets have the same number. Now we are much sure it’s a network loop. But to make sure of this, we need to see another important field, TTL value. Check the Time To Live field. We can see that the same ICMP packet loops around the router, and each time it passes the router, its TTL value is reduced by one. Until its TTL value comes to zero, it’s dropped by the router. Then another packet does it again.

This is the end of the story. Hope you already know how to find out network loop in network with network sniffer.
A video tutorial for troubleshooting network loops is avaliable at http://www.colasoft.com/download/arp_flood_arp_spoofing_arp_poisoning_attack_solution_with_capsa.php

This is my short story of how a rookie uses Capsa Network Analyzer to solve an easy network problem.

Too be honest, I don’t know too much about network management or network analysis. My friends and I, 5 of us, have a SEO studio and we are trying a little online business. We were pretty busy at that time because our business made some progress on our business. Days ago, our wired network, however, turned out to be intolerable lagging which we couldn’t stand for all our business depends on the Internet.

First action we took was to do is to check antivirus software. We had antivirus Mcfee installed on all our computers and updated. But there wasn’t a virus caught after a full scanning of all our computers. Now we took it seriously, we checked all the ports and the router we used to connect all our computers and tried all the means on Google. Nothing helped. Time is money; we had to get that smooth internet connection for our business. Regretfully, we hadn’t had a computer geek friend around. Also it’s not our style to pay a penny to hire someone to fix this. We were on our own.

Good news from Erik, one in our studio, he found out there was a program, WireShark, would fix our network. We all are disappointed again when we run it. None of us knew where to start checking which we couldn’t understand.

After his hard searching, we found this Capsa Network Analyzer Demo version and couldn’t wait to give it a try. First we noticed that there were lots of “ARP Too Many Unrequested Response” in its Diagnosis. We immediately got from its explanation that the two IP addressed computers were the causes. We took the two computers off the router and we had our network back. As the two computers, we only had to have them reinstalled OS. We were so pleased that we had our business back.

Thanks Capsa Network Analyzer.