Archive

Posts tagged ‘howto’

How to View and Analyze Historical Network Traffic

May 21, 2014 No comments

As a network forensic analysis application, nChronos allows users to view historical data just by dragging. In the Time Window, you can drag the trend charts back and forth to view the network traffic of any time period you are interested in.

You can click the Set Time Window button to set which time period to show.

When you select a time slice on the Time Window, the analysis views show only the data related to that time slice, which is very convenient for analyzing a traffic spike: just select the spike to view and analyze the top talkers in it. Furthermore, you can double-click a record item to drill down into it.

from: colasoft.com

iLoveFreeSoftware Review: Free Software to analyze LAN and WLAN network – Colasoft Capsa Packet Analyzer

March 24, 2014 No comments

By Shobhan Mandal

Colasoft Capsa Packet Analyzer is a free network analyzer software which can be used to analyze and monitor WLAN and LAN networks. What it actually provides is network monitoring, in-depth packet decoding, and advanced protocol analysis of the network you are connected to. The best part is you do not have to install this software on a server to view the details; installing it on any client machine of the network will provide you with all the necessary details.

Colasoft Capsa-Home Screen

The software has a number of uses, such as:

  • Troubleshooting network problems.
  • Measuring the performance of the network and so finding any bottlenecks.
  • Detecting viruses, worms, or network attacks.
  • Teaching and learning various things about networks.

Here we will talk about the free version of Colasoft Capsa which has limited capabilities, like you can monitor the network continuously for 4 hours only using a profile and you can use only 1 analysis at a time.

How to use Colasoft Capsa Free Network Analyzer:

When you download Colasoft Capsa, you will be asked to register with your email address. An activation key will be sent to this address; it is valid for 4 months, after which you have to renew it. The installation process takes a minute or two. After the installation is over, you will get the home screen, which looks like the first screenshot of this review.

At first, you have to select the connection from the adapter which you would like to monitor. When selected, it immediately shows a graph for the speed of the network.

The profile section allows you to select what type of analysis you would like to do. The software offers:

  • Full Analysis
  • HTTP Analysis
  • Email Analysis
  • DNS Analysis
  • FTP Analysis
  • IM Analysis
  • Traffic Monitor

Full Analysis

Clicking on Full Analysis gives you various information regarding broadcast addresses, multicast addresses, the local subnet, the IP addresses of the connected computers, etc. The center screen has various tabs. The Protocol tab tells about different protocols like IP, ARP, and IPv6 and the amount of data and packets being transferred. The Physical Endpoint and IP Endpoint tabs tell about the MAC addresses and the IP addresses of the connected systems. Other tabs include TCP, IP, and UDP conversations. Some functionalities may not work in the free version.

Colasoft Capsa-Full Analysis

HTTP Analysis

The HTTP analysis gives you various results regarding the HTTP protocol. At any normal instant it will give the IP addresses of the computers with which your computer has an HTTP connection. Through the IP, TCP, and UDP conversations you can know the amount of data and packets being exchanged among the computers.

Colasoft Capsa-HTML Analysis

The other analyses give more information regarding data and packet movements in the network you are connected to.

One of my friends, who is an ethical hacker and wants to remain anonymous, said that the software is great. According to him:

  • This is really a great software and very powerful.
  • It helps the network administrator to get various details about the network in real time.
  • It can be used for educational purposes as the software tells how packet movement works actually in the network.

Downsides of the software

In the free version, the user cannot use more than one analysis simultaneously. To run a different analysis, the ongoing analysis must be closed first. The free version has most of the good features restricted, which keeps users from getting a proper idea of how the software works.

Also check out other network packet sniffer software.

Conclusion

It is a cool piece of software for monitoring the data traffic of your network. If you set up a private network, you can watch out for any wrongdoing that might be happening in it. It is very useful for those who want to know more about computer networking.

Get Colasoft Capsa Packet Analyzer here.

How to Create and Edit Custom Protocol

May 20, 2012 No comments

Although Capsa network analyzer supports more than 160 protocols, there are still circumstances in which you need to add your own private protocol rules. For example, you have a special service using a private TCP port in the network and you want Capsa to recognize it, or a protocol uses a non-standard port. This document shows you how to create your own custom protocols and edit built-in protocols as you need.

Create Custom Protocols

If you want to create a private protocol rule, follow the instructions below.

Step 1, run Capsa network analyzer. On the Start Page, click the Menu button (in the top-left corner). Choose Local Engine Settings -> Custom Protocol from the menu.

Step 2, in the Custom Protocol window, click the Add… button to create a custom protocol. For example, suppose you are testing a new protocol which uses TCP port 8080. Click Add, type in the protocol name, short name and port number in the new dialog box, and choose a color for the protocol. Then click OK to save the custom protocol.

Note: if a capture is running, you need to go back to the Start Page first. Otherwise the Add button and Edit button will be grayed out.

Edit Protocols

If protocols run on non-standard ports in your network, for example DNS isn’t on port 53 (TCP or UDP) or HTTP isn’t on TCP port 80, you should modify the default port number of these built-in protocols. Otherwise Capsa will classify their traffic as the TCP/UDP Other type. As an example, suppose HTTP uses TCP port 8080 rather than port 80.

Step 1, open the Custom Protocol window and type http in the search box.

Step 2, double-click the HTTP protocol item and change its port number to 8080 in the dialog box. Click OK to save.

Now if you start a capture or replay a packet file, all packets using TCP port 8080 will be labeled as the HTTP protocol. In the Custom Protocol window, you can create private protocols based on TCP/UDP ports, IP protocol type, and Ethernet type. TCP and UDP port numbers are used more often than the other two. You can also use the Import and Export buttons to back up your private protocols.

FAQ: Why are the Add/Edit/Delete buttons of the Custom Protocol window grayed out?
You are not allowed to change protocol rules while a capture is running because the changes could crash the program. If you need to add or edit protocol rules, you need to stop the capture and go back to the Start Page (if you run multiple instances, you need to close all the others). Then click the Menu button in the top-left corner of the Start Page and choose Local Engine Settings > Custom Protocol to open the Custom Protocol window. Now you will find the buttons are clickable.

How to Detect MAC Flooding Attack in your LAN?

April 6, 2010 9 comments

In a typical MAC flooding attack, a switch is flooded with packets, each containing a different source MAC address. The switch records these addresses in its CAM table. When the table is full, the switch can no longer look up the right destination port and has to broadcast frames out on all ports. A malicious user could then use a packet sniffer running in promiscuous mode to capture sensitive data from other computers, which would not be accessible were the switch operating normally.

How can we detect whether there is a MAC flooding attack in the network? In this article, I will demonstrate how with Colasoft Capsa Analyzer.

Let’s start a capture and begin the analysis from the SUMMARY TAB. All the statistics seem right except one: the Physical address count. More than a hundred thousand MAC addresses have been discovered in this network. How could this small network have so many machines? Possibly it is a MAC flooding attack.

We need to check the addresses in the NODE EXPLORER. Open the physical explorer and look at the number: there are more than 1800 MAC addresses in the local segment. That is abnormal; there is no way that so many machines exist in this network, and apparently these addresses are not real. We are sure that there are worm activities or attacks in the network.

Let’s see how these nodes are communicating. Open the MATRIX TAB and choose the Top 1000 physical node matrix type. The matrix is a mess! There are so many nodes communicating, and the lines are red, which means one-way transmission.

We can go to the PHYSICAL CONVERSATION TAB to confirm it. Almost all nodes send only one packet out, and most packets are 64 bytes. We know that all machines in our network are connected to a switch, so this looks like a MAC flooding attack.

Still, to confirm our suspicion, we need to see the original data of the packets being sent. Open the PACKET TAB. The delta time between packets is very small, which puts great pressure on the switch. Almost all packets are 64 bytes. Looking at the original data in the packets, almost all of them appear to be randomly generated, padded with the same digits.

Given all these behaviors and the decoded information from the packets, we are pretty sure that there is MAC flooding in this network. It is hard to find the attacker’s address directly because all the addresses are forged. However, we can disconnect machines from the network one at a time to eliminate the innocent ones until we find the one responsible.

A video tutorial on detecting a MAC flooding attack is available here.
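The checks walked through above (address count, one-packet senders, one-way traffic, 64-byte frames, tiny delta times) can also be computed from exported frame records. The following is an added example, not part of the original article or of Capsa; the record layout, the thresholds and the sample data are assumptions made for illustration.

```python
import random
from collections import Counter
from statistics import median

MIN_FRAME = 64  # bytes; the size the article sees on almost every flood packet


def flood_indicators(frames):
    """frames: (time_s, src_mac, dst_mac, length) tuples taken from a capture."""
    frames = sorted(frames)
    if len(frames) < 2:
        raise ValueError("need at least two frames")
    per_src = Counter(src for _, src, _, _ in frames)
    dsts = {dst for _, _, dst, _ in frames}
    deltas = [b[0] - a[0] for a, b in zip(frames, frames[1:])]
    n = len(per_src)
    return {
        "source_macs": n,                                                 # Summary / Node Explorer count
        "single_frame_ratio": sum(c == 1 for c in per_src.values()) / n,  # "only send one packet out"
        "one_way_ratio": sum(m not in dsts for m in per_src) / n,         # red lines in the Matrix
        "min_size_ratio": sum(f[3] == MIN_FRAME for f in frames) / len(frames),
        "median_delta_s": median(deltas),                                 # Packet tab delta time
    }


def looks_like_mac_flood(frames, expected_hosts, ratio=0.9, growth=10, max_delta_s=0.001):
    """Thresholds are assumptions for this example; tune them to the segment."""
    ind = flood_indicators(frames)
    suspected = (
        ind["source_macs"] > growth * expected_hosts
        and ind["single_frame_ratio"] >= ratio
        and ind["one_way_ratio"] >= ratio
        and ind["min_size_ratio"] >= ratio
        and ind["median_delta_s"] <= max_delta_s
    )
    return suspected, ind


def sample_normal():
    """Constructed data: five hosts talking to each other with mixed frame sizes."""
    rng = random.Random(1)
    hosts = [f"00:1a:2b:00:00:{i:02x}" for i in range(1, 6)]
    frames, t = [], 0.0
    for _ in range(200):
        src, dst = rng.sample(hosts, 2)
        t += rng.uniform(0.005, 0.05)
        frames.append((t, src, dst, rng.choice([64, 128, 590, 1514])))
    return frames


def sample_flood():
    """Constructed data: the normal traffic plus 2000 one-off forged senders."""
    frames, t = sample_normal(), 100.0
    for i in range(2000):
        t += 0.0001
        src = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        dst = f"06:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        frames.append((t, src, dst, MIN_FRAME))
    return frames


if __name__ == "__main__":
    for name, data in (("normal", sample_normal()), ("flood", sample_flood())):
        print(name, looks_like_mac_flood(data, expected_hosts=5))
```

Requiring all indicators together keeps a busy but legitimate segment, where many frames are also 64 bytes, from being flagged on one statistic alone.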

How to Detect Email Worm with Colasoft Packet Sniffer

June 24, 2009 7 comments

What Is an Email Worm
In networking, an email worm is a computer worm which can copy itself to the shared folders on a system and keeps sending infected emails to random email addresses. In this way, it spreads fast via SMTP mail servers.

What Is the Harm of an Email Worm
An email worm can send lots of infected emails in a very short time, and it will never stop unless it is removed. It causes heavy traffic and makes the system slow. Sometimes it even makes the mail server crash.

How to Detect an Email Worm
If you suspect that some host in your network is infected with an email worm, here is a step-by-step process for detecting it with Colasoft Packet Sniffer.

>Step1. Download a free trial and deploy it properly.

>Step2. Launch a Project and Start Capturing Some Traffic.

>Step3. Switch to “Diagnosis” Tab
The Diagnosis tab is a view where we can see all the network issues automatically detected by Colasoft Packet Sniffer, along with suggested causes and solutions.

Diagnosis Tab Screenshot


If there is a host infected with an email worm, we should be able to see SMTP events in the application layer like this:

SMTP Events in Application Layer


>Step4. Locate the Source IP
The source IP is possibly the host infected with an email worm, as it is sending too many emails over SMTP in a short period of time. So let’s locate the source IP in the “Explorer” with the “Locate” shortcut in the right-click menu.

Locate Source IP


>Step5. Switch to “Logs” Tab
Check whether the host is sending emails to a large number of recipients in a very short period of time. If so, we can conclude that the host is infected with an email worm and should be handled immediately. We should be able to see logs in the tab like this:

View Email Logs in "Logs" Tab

The final step is to isolate the host and remove the email worm with AV software.

There are other ways to detect an email worm with Colasoft Packet Sniffer; this is the shortest one.
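The Step 5 check, one host mailing a large number of recipients in a very short time, can be automated over exported SMTP log records. This is an added example, not part of the original article or of Colasoft's software; the record layout, the 60-second window, the 20-recipient threshold and the sample log are assumptions.

```python
from collections import defaultdict, deque


def smtp_fanout_alerts(log, window_s=60, max_recipients=20):
    """log: (time_s, client_ip, recipient) tuples, one per recipient seen on the wire.

    Returns {client_ip: (time_of_first_alert, distinct_recipients_in_window)}.
    """
    recent = defaultdict(deque)  # per client: (time, recipient) pairs inside the window
    alerts = {}
    for t, ip, rcpt in sorted(log):
        q = recent[ip]
        q.append((t, rcpt.strip().lower()))
        # Drop entries that have fallen out of the sliding window.
        while t - q[0][0] > window_s:
            q.popleft()
        # Count distinct recipients, not messages: a worm sprays many addresses,
        # while a noisy but legitimate sender keeps hitting the same few.
        distinct = len({r for _, r in q})
        if distinct > max_recipients and ip not in alerts:
            alerts[ip] = (t, distinct)
    return alerts


def sample_log():
    """Constructed records; addresses use reserved example ranges and domains."""
    log = []
    # Ordinary workstation: six messages, one every 100 seconds.
    log += [(100.0 * i, "192.168.1.20", f"colleague{i}@example.test") for i in range(6)]
    # Monitoring box: 200 alert mails in 50 seconds, but only two recipients.
    log += [(500 + 0.25 * i, "192.168.1.30", f"oncall{i % 2}@example.test") for i in range(200)]
    # Infected host: 120 different recipients in 30 seconds.
    log += [(1000 + 0.25 * i, "192.168.1.57", f"user{i}@domain{i % 7}.test") for i in range(120)]
    return log


if __name__ == "__main__":
    for ip, (when, count) in smtp_fanout_alerts(sample_log()).items():
        print(f"{ip}: {count} distinct recipients within 60 s at t={when}")
```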

How to Track BitTorrent User in Network with Colasoft Packet Sniffer

June 10, 2009 7 comments

BitTorrent Consumes Big Bandwidth
Because of the way the BitTorrent protocol works, somebody downloading big files with BitTorrent software is a disaster for other users who need bandwidth for business operations: while the user is downloading files from others, others are downloading files from him. The user consumes a large amount of bandwidth, causing prolonged network slowness, intermittent connectivity, and even disconnections.

So IT administrators need to track down BitTorrent users promptly to regain network bandwidth for business operations. Blocking the BitTorrent protocol is one way; this article discusses how to track BitTorrent users with Colasoft Packet Sniffer.

How to Track BitTorrent User?

>Step1. Download a free trial and implement it correctly

>Step2. Launch a project and start capturing data

>Step3. Find BitTorrent Protocol in the “Protocols” Tab

Track BitTorrent User Screenshot 1

>Step4. Locate BitTorrent Protocol in the “Explorer”
Use the “Locate” function to locate the BitTorrent protocol in the “Explorer” so that only its data is analyzed.

Track BitTorrent User Screenshot 2


>Step5. Track BitTorrent User in LAN in the “Endpoint” Tab
This is how we track the BitTorrent user in our network and the hosts connected to him. There is a lot more we can see from this tab, such as how much data has been downloaded and uploaded via the BitTorrent protocol.

Track BitTorrent User Screenshot 3


View how many connections have been built in “Matrix”
You’ll be shocked to see how many connections have been built in the “Matrix” Tab. In this case, we can see this user has built more than 1000 connections with other hosts.

Track BitTorrent User Screenshot 4
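The same tracking, identifying BitTorrent flows and counting how many peers each LAN host is connected to, can be done from the first payload of each TCP flow. This is an added example, not part of the original article or of Colasoft's software; it relies on the plaintext BitTorrent peer handshake (a length byte of 19, the string "BitTorrent protocol", 8 reserved bytes, a 20-byte info hash and a 20-byte peer ID), and the flow tuple layout, LAN prefix and sample flows are assumptions.

```python
import ipaddress
from collections import defaultdict

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes


def parse_handshake(payload):
    """Return (info_hash_hex, peer_id) if payload starts with a peer handshake, else None."""
    if len(payload) < HANDSHAKE_LEN or payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    return payload[28:48].hex(), payload[48:68]


def bittorrent_users(flows, lan="192.168.1.0/24"):
    """flows: (src_ip, dst_ip, first_payload_bytes) per TCP flow.

    Returns {lan_host: (distinct_remote_peers, distinct_torrents)}.
    """
    net = ipaddress.ip_network(lan)
    users = defaultdict(lambda: {"peers": set(), "torrents": set()})
    for src, dst, payload in flows:
        hs = parse_handshake(payload)
        if hs is None:
            continue
        # Attribute the flow to whichever endpoint(s) sit inside the LAN,
        # so inbound peer connections count as well as outbound ones.
        for local, remote in ((src, dst), (dst, src)):
            if ipaddress.ip_address(local) in net:
                users[local]["peers"].add(remote)
                users[local]["torrents"].add(hs[0])
    return {ip: (len(u["peers"]), len(u["torrents"])) for ip, u in users.items()}


def make_handshake(info_hash, peer_id):
    """Build a handshake for the constructed sample below."""
    return bytes([len(PSTR)]) + PSTR + bytes(8) + info_hash + peer_id


def sample_flows():
    """Constructed flows; external addresses come from documentation ranges."""
    hs = make_handshake(bytes(range(20)), b"-XX0001-" + bytes(12))
    flows = [("192.168.1.44", f"203.0.113.{i}", hs) for i in range(1, 31)]
    flows.append(("198.51.100.7", "192.168.1.44", hs))                    # inbound peer
    flows.append(("192.168.1.10", "203.0.113.5", b"GET / HTTP/1.1\r\n"))  # web browsing
    flows.append(("192.168.1.10", "203.0.113.9", hs[:20]))                # truncated payload
    return flows


if __name__ == "__main__":
    print(bittorrent_users(sample_flows()))
```

Clients that use protocol encryption or UDP-based transport do not expose this plaintext handshake, so a payload match like this undercounts and is best combined with the per-host connection counts the Matrix tab shows.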


About BitTorrent
BitTorrent is a peer-to-peer file sharing protocol used for distributing large amounts of data. BitTorrent is one of the most common protocols for transferring large files.

The protocol works when a file provider initially makes his/her file (or group of files) available to the network. This is called a seed and allows others, named peers, to connect and download the file. Each peer that downloads a part of the data makes it available to other peers to download. After the file is successfully downloaded by a peer, many continue to make the data available, becoming additional seeds. This distributed nature of BitTorrent leads to a viral spreading of a file throughout peers. As more peers join the swarm, the likelihood of a successful download increases. Relative to standard Internet hosting, this provides a significant reduction in the original distributor’s hardware and bandwidth resource costs. It also provides redundancy against system problems and reduces dependence on the original distributor.


How to Monitor MSN Chat with Free Unipeek MSN Monitor

June 5, 2009 8 comments

For some purposes we want to monitor MSN chat around the network. For example, parents want to monitor the MSN chat of their kids to ensure their safety; bosses want to monitor the MSN chat of employees to protect company assets and to improve work efficiency by minimizing non-business chat during working hours. You may still remember Colasoft MSN Monitor; it is now called Unipeek MSN Monitor and is distributed completely free for non-commercial users.

Now let’s see how we can monitor MSN chat with Unipeek MSN Monitor, the free tool.

Step1. Download Unipeek MSN Monitor

Download Unipeek MSN Monitor, the free edition, from the website. As a matter of fact, there is no functional difference between the free edition and the commercial edition of Unipeek MSN Monitor. The only difference is that the Free Edition supports a maximum of 10 MSN accounts, which is quite enough for family users.

Step2. Install and Deploy Unipeek MSN Monitor

The installation is quick and simple: just click “next” all the way through. The deployment is somewhat different. Because Unipeek MSN Monitor is based on Colasoft’s packet capturing technology, it has to be deployed properly like a packet sniffer if you want to monitor all MSN chat around the network. Of course, you don’t have to do this if you only want to monitor the MSN chat of a single computer. To monitor multiple computers, you can install multiple copies.

How to Monitor MSN Chat Screenshot 1

Step3. Run it and Start Monitoring MSN Chat

After proper installation and deployment, we can start monitoring MSN chat right away.

How to Monitor MSN Chat Screenshot 2


About Unipeek MSN Monitor
Unipeek MSN Monitor (MSN sniffer) is Free MSN monitoring software for MSN chat monitoring and MSN message archiving. Based on Colasoft’s packet analysis technology, Unipeek MSN Monitor is able to deliver the most accurate MSN monitoring statistics, and automatically record data for future reference. You need only install Unipeek MSN Monitor once to monitor all MSN chats over the local network.

Key Features include:
•    Real-time and 24/7 MSN chat monitoring
•    Automatically archive MSN messages for future reference
•    Export messages of a custom time range
•    Customize MSN account list to be monitored
•    Unique Conversation Matrix showing account relations
•    Support emotion icons, message font size and color.


How to Monitor Email with Colasoft Packet Sniffer

May 20, 2009 5 comments

Some people may doubt whether it is legal to monitor the email of employees with email monitoring software (aka email spy or email checker), but that is not the topic of this article. We are going to discuss how we can monitor email with technical methods, specifically with this packet sniffer – Colasoft Capsa.

Step 1. As before, we need to download a free trial and deploy it correctly.

Step 2. Launch a project

If we have not set Capsa to save email logs to a local disk, we will not be able to monitor email contents, although we can still monitor all email logs. So we must set the log settings to save email logs to a local path in order to monitor email contents. There will also be a notice about this when starting a new project.

Monitor Email Screenshot1

Step 3. Set Email Logs Settings

View the full image to set the email log settings correctly.

Monitor Email Screenshot2 - Click to view Large

The advanced email log settings split the email logs and keep only the most recent ones to save disk space.

Monitor Email Screenshot3

Step 4. Start Capturing and Monitoring Email in “Logs” Tab

After the email log settings are finished, we can run a test to see whether we get some email monitoring logs. Let’s launch Outlook and start sending and receiving emails. We can see that we’ve received many spam emails in our mailbox. The “Logs” tab shows a lot of information, such as date and time, client name, email subject, sender and receiver name, size, and more.

Monitor Email Screenshot - Click to View Large

Step 5. Monitor Email Contents

Viewing the original content of an email is quite simple: just double-click on a log entry, and Capsa will call an email program, usually Outlook, to display the email content.

Monitor Email Screenshot5 - Click to View Large

This is the entire process of monitoring email with Colasoft Capsa. We hope you enjoy this article.

How to Find MAC Address with Colasoft MAC Scanner and More

May 12, 2009 9 comments
Colasoft MAC Scanner Screenshot

In computer networking, a Media Access Control address (MAC address) is a unique identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification, and used in the Media Access Control protocol sublayer. If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number. It may also be known as an Ethernet Hardware Address (EHA), hardware address, adapter address, or physical address.

Since a MAC Address is unique for most network adapters or network interface cards (NICs), it is important for IT administrators to know all the MAC addresses in LAN so as to quickly locate a network device when a network issue arises. Luckily we have tools to help us out. Let’s see how we can easily find MAC address in LAN with Colasoft MAC Scanner.

Colasoft MAC Scanner is free software for finding MAC addresses and IP addresses. It can automatically detect all subnets according to the IP addresses configured on the multiple NICs of a machine, and find the MAC addresses and IP addresses of defined subnets as you need. Users can customize their own scan process by specifying the subsequent threads.

Step 1. Download Colasoft MAC Scanner

Step 2. Install Colasoft MAC Scanner

The installation of Colasoft MAC Scanner is quick and easy. It is suggested to install Colasoft MAC Scanner on a laptop, as it only scans and finds MAC addresses and IP addresses in the subnet to which the laptop is connected.

Step 3. Start a Scan

It’s easy and quick: just press the start button, and Colasoft MAC Scanner will scan the subnet, find the MAC addresses and IP addresses in it, and list them. The results can be copied and pasted or exported for future reference.

Now the problem is: if a LAN is divided into several subnets, we’ll have to move the laptop around and scan each subnet in order to find all MAC addresses and IP addresses. Then what’s the solution?

Find MAC Address and IP Address with Colasoft Packet Sniffer

Colasoft Packet Sniffer allows us to find MAC addresses and IP addresses both local and remote in the network as long as there is network communication initiated.

Find MAC Address in Colasoft Packet Sniffer


How to Monitor Internet Traffic with Colasoft Packet Sniffer

April 27, 2009 13 comments

Internet traffic is the flow of data around the Internet. It includes web traffic, which is the amount of that data that is related to the World Wide Web, along with the traffic from other major uses of the Internet, such as electronic mail and peer-to-peer networks.

In case we want to monitor the internet traffic that has been or is being generated in the LAN, here is a detailed process for doing so with Colasoft Packet Sniffer – Capsa.

We must make sure the packet sniffer software is correctly deployed so that we can capture all the traffic in the LAN. If you don’t know how to do it, please make sure you read how to implement a packet sniffer.

First let’s launch a new project with Colasoft Packet Sniffer, then do some online activities, such as chatting, browsing a website, sending and receiving emails, downloading some files. All these activities will generate different kinds of internet traffic. We may keep the project running to continuously monitor internet traffic or stop the project to do some analysis.

To monitor internet traffic, we’d better first select the “Internet Addresses” in the “Explorer” on the left window:

Monitor Internet Traffic Screenshot1


We can see that all the internet addresses are listed by country. To monitor the internet traffic of a specific country, we just need to click on it; if we want to monitor the internet traffic of a specific IP address within one country, we need to expand the country node and select the IP address in it.

We can also monitor internet traffic in aggregate or in real time.

Monitor Internet Traffic Screenshot2


To view what online activities have generated or are generating internet traffic, we need to use the “Protocols” Tab.

Monitor Internet Traffic Screenshot1


We can see there are protocols which separately stand for different internet activities:

HTTP – Website browsing
MSN – online chatting with Live Messenger
POP3 – Email
HTTPS – Website browsing via a secure link
QQ – online chatting with QQ
DNS – Domain Name System

Category: Tips & How-tos