Posts Tagged ‘network analyzer’

How to Display IP Address As Host Name

November 2nd, 2011 admin No comments

In business network settings, network administrators manage a large number of devices, like laptops, desktops, printers, switches and routers, and they all have IP and MAC addresses. When we use a network analyzer to monitor the traffic on the network, we see lots of IP and MAC addresses. These addresses, however, aren’t friendly to read, so we’d like to show their host names or give them labels.

In Capsa we use the Name Table to do this job for us. With the name table we can label not only IP addresses but also MAC addresses, and we can delete, export or reload the address items there. When we right-click an IP address or MAC address, we see Add to name table in the context menu.

In the dialog box we enter the IP (or MAC) address and an alias, and we can also choose a color for it. If we don’t know the host name, we can click Resolve address to look up its host name automatically. Then click OK to save the entry.

Back in Capsa, we can see the address is already replaced by the alias we just created. The Add to name table function is available for any item in the Node Explorer and in all other views except the Summary, Protocol and Report views.

If we need to upgrade or reinstall Capsa, we can use the Export function to back up the name items. Click the Name Table icon on the ribbon, then click the Export button to save the name table file. After the installation or upgrade, we can use the Import function to load the name items back into the system.
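To show what a name table has to do outside of Capsa (alias IP and MAC addresses, resolve a missing name, label addresses in captured text, and export/import the table so it survives a reinstall), here is an added example written for this page. It is not Capsa’s own code; the class, field and function names, the JSON export format and the injectable resolver are assumptions.

```python
# Added example (not Capsa's own code): a minimal name table that labels IP and MAC
# addresses with aliases, resolves missing names via reverse DNS, and exports/imports
# the table so it survives a reinstall. Class, field and function names are assumptions.
import json
import re
import socket
from typing import Callable, Dict, Optional

# Matches an IPv4 address or a colon-separated MAC address inside free text.
_ADDR_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"
)


def reverse_dns(ip: str) -> Optional[str]:
    """Default resolver: PTR lookup; returns None when the address has no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses of OSError
        return None


class NameTable:
    def __init__(self) -> None:
        # Keyed by the normalized address so "00:1A:..." and "00:1a:..." are one entry.
        self._entries: Dict[str, dict] = {}

    @staticmethod
    def _key(addr: str) -> str:
        return addr.strip().lower()

    def add(self, addr: str, alias: str, color: str = "#000000") -> None:
        self._entries[self._key(addr)] = {"address": addr.strip(), "alias": alias, "color": color}

    def delete(self, addr: str) -> None:
        self._entries.pop(self._key(addr), None)

    def alias(self, addr: str) -> Optional[str]:
        entry = self._entries.get(self._key(addr))
        return entry["alias"] if entry else None

    def resolve_and_add(self, ip: str,
                        resolver: Callable[[str], Optional[str]] = reverse_dns) -> Optional[str]:
        """Like the 'Resolve address' button: look the name up and store it if found."""
        name = resolver(ip)
        if name is not None:
            self.add(ip, name)
        return name

    def label(self, addr: str) -> str:
        """Alias if known, otherwise the raw address (what a view would display)."""
        return self.alias(addr) or addr

    def label_text(self, text: str) -> str:
        """Replace every known IP/MAC address in a line of text with its alias."""
        return _ADDR_RE.sub(lambda m: self.label(m.group(0)), text)

    def export_json(self) -> str:
        """Backup before a reinstall; the list-of-entries layout is this example's own."""
        return json.dumps(list(self._entries.values()), indent=2)

    @classmethod
    def import_json(cls, data: str) -> "NameTable":
        table = cls()
        for entry in json.loads(data):
            table.add(entry["address"], entry["alias"], entry.get("color", "#000000"))
        return table
```

The resolver is passed in as a function so the table can be exercised without network access; in production the default reverse_dns does the PTR lookup, and a host with no PTR record simply keeps its raw address.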


Released: Colasoft Capsa WiFi Wireless Network Analyzer

March 15th, 2011 admin 1 comment

We are very happy to announce the arrival of the Colasoft Capsa WiFi wireless network analyzer, the new member of the Colasoft Network Analyzer family, to the public.

Capsa WiFi is a powerful and professional wireless network analyzer designed for complete 802.11 a/b/g/n wireless network troubleshooting, monitoring and analysis, with any of the most popular wireless network adapters. Capsa WiFi focuses on evolving its solution to enhance the security level as well as improve the reliability and visibility of services for wireless networks, and therefore maximize the value of the IT organization.

“After two months of beta testing, we received many professional test reports from the Colasoft Testing Group, which helped make great improvements to this wireless network analyzer”, said Eddie Gao, CTO of Colasoft. “The beta version has proved to be fully functional and very successful. It has gained very high recognition in the network community for its high reliability and great packet capturing and analyzing ability on 802.11 a/b/g/n networks. And based on testers’ feedback and suggestions, the interfaces and user experience have been enhanced magnificently. You will enjoy a much cleaner and friendlier interface, especially a simple start page which directly guides you to your wireless network analysis journey.”

Key Features of Capsa 7.4 WiFi Wireless Network Analyzer:

Support 802.11a/b/g/n
Auto identify and decode with pre-entered WEP/WPA/WPA2 key
Compatible with all NDIS 6.0 wireless network adapters
Auto-scan all access points in the air
Capture all wireless network packets from one or more APs and keep AP records
Log DNS, Emails (SMTP, POP3), FTP, HTTP & IM messages (MSN & Yahoo Messenger)
Provide customizable analysis profiles and 40 expert-diagnosed network problems
Provide powerful and customizable reports
Analyze past events by replaying packet files

Click here to download the free trial of this great wireless network analyzer.

Capsa for WiFi is coming very soon

February 24th, 2011 admin No comments

We are very glad to share with you that Capsa for WiFi, a professional and powerful wireless network analyzer, is coming very soon. Before long, it will officially become the new member of the Colasoft Capsa network analyzer family.

Stay tuned :-)

Find out which process/application is using which TCP/UDP port on Windows

January 20th, 2011 Colasoft 2 comments

While analyzing a network problem with a network analyzer or protocol sniffer, especially when we find suspicious worm or backdoor activity, the only useful information we get is MAC addresses, IP addresses and the transport-layer port number. The analyzer may not even know which application-layer protocol is in use, and even if it does, we still need to figure out which application or process is using that protocol. Is there a method to find out the original application or process using that TCP or UDP port? If you are conducting an on-site analysis, Capsa can easily help you find out which process is using which port. Let’s see how.

Find out Port Number

For example, I spot the following suspicious TCP connection in Capsa Free, which constantly communicates with the IP xx.xx.0.183 on port 8000. So I’m going to look up the name of the process using this port.

[Figure: find_port]

Find Process ID (PID)

I open a Command Prompt at once, enter the following command and press Enter.

netstat -aon | findstr :8000

Explanation:

-a: list all connections and their ports. -o: show the process ID owning each connection. -n: display addresses and port numbers numerically.

| findstr :8000: display only the lines containing the string :8000 (findstr means find string). Don’t forget the pipe symbol | at the beginning.

Let’s see what we get.

[Figure: find_pid]

We can read that in this case 3968 is the PID, and the source and target IP addresses are the same as in the first figure.

Find Process/Application

Next we’ll switch immediately to another tool, Process Explorer (a free tool that you can get from http://technet.microsoft.com/en-us/sysinternals/bb896653), where we can easily find the process or application behind PID 3968.

[Figure: process_explorer]

I’m sure it’s an instant messenger used internally in my office and it’s safe. You can also look for this PID in Windows Task Manager if you don’t have Process Explorer installed.

However, Task Manager will not provide as much information as Process Explorer. The command prompt is also quite handy for geeks:

tasklist | findstr 3968

This command lists only the task items containing the string 3968. Refer to the previous command if you are not sure about the | findstr part.

Kill Process/Application

Next, you may want to kill a process as soon as you find it’s malicious. In Process Explorer, right-click a process item and choose Kill Process (or press Del) to kill that process (you can do the same in Task Manager). Alternatively, run the following in the Command Prompt:

taskkill /F /PID 3968

Explanation:

/F forces the process to terminate. And I suppose you understand PID by now.

Now we have successfully detected and targeted the suspicious process from the specific port number, whether UDP or TCP. And of course this procedure is reversible: you can find out the port number from a process’s PID.
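The same pivot (port to PID to image name, and PID back to ports) can be scripted over the text the two commands print, which is handy when you have to check many ports or keep evidence from an incident. The parser below is an added example written for this page, not Capsa’s or Microsoft’s code; the netstat and tasklist outputs it contains are constructed samples in the real column layout, with 203.0.113.183 standing in for the xx.xx.0.183 above, and the function names are assumptions. When the PID turns out to belong to a shared host process such as svchost.exe, `tasklist /svc` shows which services it hosts, and `netstat -b` (run as administrator) prints the executable name next to each connection.

```python
# Added example (not Capsa's or Microsoft's code): parse the output of the two Windows
# commands above so that a port number can be pivoted to a PID and then to an image name,
# and the other way round. The sample outputs below are constructed; the remote address
# 203.0.113.183 stands in for the xx.xx.0.183 in the post.
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Connection(NamedTuple):
    proto: str                 # "TCP" or "UDP"
    local: str                 # host part of the local address
    local_port: Optional[int]
    remote: str                # host part of the foreign address ("*" for unconnected UDP)
    remote_port: Optional[int]
    state: str                 # "" for UDP, which has no State column
    pid: int


NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    192.168.5.24:49321     203.0.113.183:8000     ESTABLISHED     3968
  TCP    [::]:8000              [::]:0                 LISTENING       4120
  UDP    0.0.0.0:5353           *:*                                    1804
"""

TASKLIST_OUTPUT = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    776 Services                   0     12,340 K
messenger.exe                 3968 Console                    1     45,120 K
"""


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'192.168.5.24:49321' -> ('192.168.5.24', 49321); handles '[::]:8000' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Connection]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections" or the column header
        local, local_port = _split_endpoint(parts[1])
        remote, remote_port = _split_endpoint(parts[2])
        state = parts[3] if len(parts) == 5 else ""   # UDP rows have no State column
        conns.append(Connection(parts[0], local, local_port, remote, remote_port,
                                state, int(parts[-1])))
    return conns


def parse_tasklist(text: str) -> Dict[int, str]:
    """PID -> image name (assumes image names without spaces, as tasklist prints them)."""
    tasks = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():   # skips header and separator rows
            tasks[int(parts[1])] = parts[0]
    return tasks


def pids_for_port(conns: List[Connection], port: int) -> Set[int]:
    """Same match as 'findstr :8000': the port on either the local or the foreign side."""
    return {c.pid for c in conns if port in (c.local_port, c.remote_port)}


def ports_for_pid(conns: List[Connection], pid: int) -> List[Tuple[str, Optional[int]]]:
    """The reverse lookup: which local ports a PID owns."""
    return sorted({(c.proto, c.local_port) for c in conns if c.pid == pid})


def process_for_port(netstat_text: str, tasklist_text: str, port: int) -> List[dict]:
    """Join the two outputs: every connection touching the port, with its image name."""
    conns = parse_netstat(netstat_text)
    tasks = parse_tasklist(tasklist_text)
    rows = []
    for c in conns:
        if port not in (c.local_port, c.remote_port):
            continue
        rows.append({
            "pid": c.pid,
            "image": tasks.get(c.pid, "<unknown>"),   # PID seen by netstat but not by tasklist
            "proto": c.proto,
            "local": f"{c.local}:{c.local_port}",
            "remote": f"{c.remote}:{c.remote_port}" if c.remote_port is not None else c.remote,
            "state": c.state,
        })
    return sorted(rows, key=lambda r: r["pid"])
```

Note that matching the port on either side, exactly as findstr does, also returns the listener on [::]:8000, which is unrelated to the outbound connection being investigated; check the State and Foreign Address columns before deciding which PID to look up.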

Capsa for WiFi Beta is Now Available to Public Download

December 26th, 2010 Colasoft No comments

We are very excited to share with you that the beta version of Capsa for WiFi is now available for public download. We sincerely invite you to help us test Capsa for WiFi; your valuable feedback will be highly appreciated.

Capsa for WiFi is a powerful and professional wireless network analyzer for 802.11a/b/g/n networks, compatible with all NDIS 6.0 wireless adapters. Capsa for WiFi shares not only the friendly user interface but also the great capturing, analyzing and reporting capacity of the Capsa network analyzer.

Capsa for WiFi Highlights:

Support 802.11a/b/g/n
Auto identify and decode with pre-entered WEP/WPA/WPA2 key
Compatible with all NDIS 6.0 wireless network adapters
Auto-scan all access points in the air
Capture all wireless network packets from one or more APs and keep AP records
Log DNS, Emails (SMTP, POP3), FTP, HTTP & IM messages (MSN & Yahoo Messenger)
Provide customizable analysis profiles and 40 expert-diagnosed network problems
Provide powerful and customizable reports
Analyze past events by replaying packet files

Download Capsa for WiFi beta here.

Detecting Trojan and Worm with Capsa Network Analyzer

April 30th, 2010 Colasoft 9 comments

Trojans and worms are two major threats to network security. Do you know exactly what a Trojan horse is? According to Wikipedia, Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, it is possible for a hacker to access it remotely and perform various operations.

Almost all Trojans and worms need network access, because they have to send data out to the hacker; only once the useful data has reached the attacker has the Trojan accomplished its mission. So it is a good approach to start from the angle of traffic analysis and protocol analysis. We are going to detect Trojan horses and worms with the help of a network analyzer, Colasoft Capsa. Capsa is an easy-to-use and intuitive network analyzer that provides enough information to check whether there is any Trojan activity in our network. In this article I’m going to show you how to spot a Trojan or worm.

5 solutions to find the traces of a Trojan or worm in a LAN:

Solution 1: The Summary Tab

Concentrate on the TCP packet summary. We should be alerted when the TCP SYN Sent number is much larger than the TCP SYN ACK Sent number. Generally the ratio of these two numbers is approximately 1:1. Trojans and worms send large numbers of TCP SYN packets to the network, trying to establish connections with other machines. Once a connection is established, they try to penetrate the target machine.

Solution 2: IP Endpoint Tab

We can reorder the rows by clicking the column headers of Packets Sent, Packets Received or IP Conversation. Pay attention to nodes with large numbers. They might, however, just be BitTorrent downloads, but Trojans and worms definitely send out a large number of packets.

Solution 3: The Log Tab

Focus on the DNS Log. We can make a list of the target websites of Trojan horses with Google, for example websites like *****.3322.org. Furthermore, we can store the DNS log and analyze it using filters built from the Trojans’ keywords.

Solution 4: Using Filters

Build filter rules with the patterns of known Trojans and worms. As soon as one sends a packet out, we will catch the activity. This method has the drawback that it does nothing against a new Trojan or worm.

Solution 5: The TCP Conversation Tab & UDP Conversation Tab

When Trojan or worm activity is found in our network, we can locate the machine’s IP address in the Node Explorer and then check its TCP Conversation or UDP Conversation. In the TCP Conversation tab, we can read the reconstructed data of the communication in the Data Flow sub-tab (the UDP Conversation tab has a Data sub-tab). Pay attention to whether the conversation is sending out your system’s information.

Above are the featured tabs of the Capsa network analyzer that we often use to detect network problems or bottlenecks. Moreover, we can spend some time studying which ports Trojans and worms like to use, such as Executor:80 and Ultors Trojan:1234. Then, when we troubleshoot and analyze the network, we should also pay attention to nodes sending or receiving packets to and from these ports.
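Solutions 1 to 3 are each a simple computation over what the analyzer already records, and the checks are easy to reproduce over your own exported data. The code below is an added example written for this page, not Capsa’s code: it computes the network-wide SYN versus SYN+ACK ratio of Solution 1, the per-host version that also ranks senders the way Solution 2 does, and the DNS-log keyword filter of Solution 3, all over constructed packet summaries and a constructed DNS log. The record layout, the thresholds (at least 5 SYNs, under half of them answered) and the function names are assumptions.

```python
# Added example (not Capsa's code): the checks behind Solutions 1 to 3 computed over
# constructed packet summaries and a constructed DNS log. Record layout, thresholds
# and function names are assumptions.
from collections import defaultdict
from typing import Dict, List, Tuple

# (src_ip, dst_ip, dst_port, tcp_flags): "S" = SYN only, "SA" = SYN+ACK
PACKETS: List[Tuple[str, str, int, str]] = []
for i in range(3):                        # a normal client: three handshakes that complete
    PACKETS.append(("10.0.0.5", "10.0.0.20", 80, "S"))
    PACKETS.append(("10.0.0.20", "10.0.0.5", 51000 + i, "SA"))
for i in range(8):                        # worm-like host sweeping the subnet on port 445
    PACKETS.append(("10.0.0.7", f"10.0.0.{100 + i}", 445, "S"))
PACKETS.append(("10.0.0.100", "10.0.0.7", 52000, "SA"))   # only one target answers

# Constructed DNS log lines: time, client IP, queried name.
DNS_LOG = """\
10:01:02 10.0.0.5 www.example.com
10:01:05 10.0.0.7 abc123.3322.org
10:01:09 10.0.0.9 mail.example.com
"""


def syn_summary(packets) -> Dict[str, float]:
    """Solution 1: network-wide SYN Sent versus SYN ACK Sent, as in the Summary tab."""
    syn = sum(1 for p in packets if p[3] == "S")
    syn_ack = sum(1 for p in packets if p[3] == "SA")
    return {"syn_sent": syn, "syn_ack_sent": syn_ack,
            "ratio": syn_ack / syn if syn else 1.0}


def suspicious_syn_senders(packets, min_syn: int = 5, max_ratio: float = 0.5):
    """Solutions 1 and 2 per host: hosts whose SYNs are rarely answered by a SYN+ACK,
    most SYNs first. Returns (host, syn_sent, syn_ack_received) tuples."""
    syn_sent = defaultdict(int)
    syn_ack_recv = defaultdict(int)
    for src, dst, _port, flags in packets:
        if flags == "S":
            syn_sent[src] += 1
        elif flags == "SA":
            syn_ack_recv[dst] += 1          # the SYN+ACK goes back to the host that sent the SYN
    flagged = []
    for host, syn in syn_sent.items():
        answered = syn_ack_recv.get(host, 0)
        if syn >= min_syn and answered / syn < max_ratio:
            flagged.append((host, syn, answered))
    return sorted(flagged, key=lambda r: r[1], reverse=True)


def filter_dns_log(log: str, keywords) -> List[Tuple[str, str]]:
    """Solution 3: (client, name) for every DNS query whose name contains a keyword."""
    wanted = [k.lower() for k in keywords]
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                        # ignore malformed lines
        _time, client, name = parts
        if any(k in name.lower() for k in wanted):
            hits.append((client, name))
    return hits
```

A busy but healthy client keeps a ratio near 1:1 and is not flagged; the host that sweeps the subnet sends 8 SYNs and receives one SYN+ACK. The minimum SYN count matters: a host that sent two SYNs to a machine that happens to be down would otherwise look like a scanner.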

How to find the top bandwidth users with Capsa?

April 12th, 2010 admin 2 comments

Sometimes when our network behaves abnormally, we need to find and check the top bandwidth users for clues, such as BitTorrent downloading, online video, worm activity and so on. With Capsa 7, you don’t need to do any settings or configuration. All you need to do is run the program and get the statistics with a couple of clicks.

First, let’s start Capsa 7.1; we’d better not set any filters unless we are monitoring a specific kind of traffic. Then we just keep the program running.

We first come to the dashboard. By default, there are two graphs in the dashboard providing top talker statistics: Top Physical Address by Bytes and Top IP Address by Bytes. By default, they display the top 10. We can move the pointer over a bar to see its address. In this network, the IP address 192.168.5.24 consumes the biggest portion of the bandwidth.

If we need detailed statistics for those nodes, we can go to the Physical Endpoint tab or the IP Endpoint tab. We can click a column header to sort the list; click the Bytes column to order by bytes and see who takes the most traffic. The highlighted bars help us see the differences between rows. We can also click Packets to see who sends out the most packets. From these statistics we get hints of anomalies: downloading and online video take a lot of bandwidth, while worms or attacks send a great number of packets. The difference between the two tabs is that one shows MAC addresses and the other IP addresses.

On some occasions we need to generate a report of the top bandwidth users. Capsa 7.1 has a report function, so let’s move on to the Report tab. It provides five top-statistics groups. Click an item and we see an easy-to-understand table with the IP address, traffic consumption percentage, bytes and packets.

If we want to save the report, click the save button, choose a folder, type in a file name, then choose to save the report as PDF or HTML. Click Save. The report is saved, and we can see the web page is the same as in the Report tab.


Watch the video tutorial at http://www.colasoft.com/download/top_10_network_traffic_hosts.php
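The dashboard graphs, the endpoint tabs and the report table above are all the same aggregation (bytes and packets per node, ranked) over three different keys and outputs. The following added example, written for this page and not Capsa’s code, builds that top-talker table over constructed packet records keyed by IP or by MAC, ranked by bytes or by packets, with the percentage column of the report, and renders it as an HTML table like the saved report. The record layout, the meaning of the percentage (a node’s share of all bytes on the wire) and the function names are assumptions.

```python
# Added example (not Capsa's code): the top-talker tables behind the dashboard and the
# Physical/IP Endpoint tabs, computed over constructed packet records, plus an HTML
# rendering like the saved report. Record layout and function names are assumptions.
from collections import defaultdict
from html import escape
from typing import Dict, List

# (src_ip, src_mac, dst_ip, dst_mac, frame_length), all constructed
GATEWAY_MAC = "00:00:5e:00:01:01"     # external hosts are seen behind the router's MAC
PACKETS = []
for _ in range(20):                   # 192.168.5.24 pulls a large download from 203.0.113.10
    PACKETS.append(("203.0.113.10", GATEWAY_MAC, "192.168.5.24", "00:1a:2b:00:00:24", 1500))
    PACKETS.append(("192.168.5.24", "00:1a:2b:00:00:24", "203.0.113.10", GATEWAY_MAC, 60))
for _ in range(10):                   # ... and streams video from 203.0.113.11
    PACKETS.append(("203.0.113.11", GATEWAY_MAC, "192.168.5.24", "00:1a:2b:00:00:24", 1500))
    PACKETS.append(("192.168.5.24", "00:1a:2b:00:00:24", "203.0.113.11", GATEWAY_MAC, 60))
for i in range(20):                   # 192.168.5.31 sprays small packets across the subnet
    for _ in range(10):
        PACKETS.append(("192.168.5.31", "00:1a:2b:00:00:31",
                        f"192.168.5.{100 + i}", f"00:1a:2b:00:01:{i:02x}", 64))
for _ in range(10):                   # ordinary chatter between two workstations
    PACKETS.append(("192.168.5.40", "00:1a:2b:00:00:40", "192.168.5.50", "00:1a:2b:00:00:50", 500))


def top_talkers(packets, key: str = "ip", by: str = "bytes", top: int = 10) -> List[Dict]:
    """Per-node totals (both directions) ranked by 'bytes' or 'packets'.
    'percent' is the node's share of all bytes (or packets) on the wire, so the column
    does not sum to 100: every packet is credited to its sender and to its receiver."""
    src_i, dst_i = (0, 2) if key == "ip" else (1, 3)
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    grand = {"bytes": 0, "packets": 0}
    for p in packets:
        for node in (p[src_i], p[dst_i]):
            totals[node]["bytes"] += p[4]
            totals[node]["packets"] += 1
        grand["bytes"] += p[4]
        grand["packets"] += 1
    rows = [{"address": node, **stats,
             "percent": round(100.0 * stats[by] / grand[by], 2) if grand[by] else 0.0}
            for node, stats in totals.items()]
    rows.sort(key=lambda r: (-r[by], r["address"]))   # deterministic order on ties
    return rows[:top]


def report_html(rows: List[Dict], title: str = "Top IP Address by Bytes") -> str:
    """Render the rows as the kind of table the Report tab saves as HTML."""
    lines = [f"<h2>{escape(title)}</h2>", "<table>",
             "<tr><th>Address</th><th>%</th><th>Bytes</th><th>Packets</th></tr>"]
    for r in rows:
        lines.append(f"<tr><td>{escape(r['address'])}</td><td>{r['percent']:.2f}</td>"
                     f"<td>{r['bytes']}</td><td>{r['packets']}</td></tr>")
    lines.append("</table>")
    return "\n".join(lines)
```

Ranking the same data by packets instead of bytes is what separates the two hints mentioned above: the downloading host leads by bytes, while the host spraying 64-byte packets at twenty neighbours leads by packets despite moving far less data. Keyed by MAC, the external servers collapse into the gateway’s address, which is why the physical and IP views can disagree about who the top talker is.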

Capacity, Customization, Interface, All Enhanced in Capsa Network Analyzer 7.1

February 4th, 2010 Willis Huang 1 comment

Colasoft Announced the Release of Capsa Network Analyzer 7.1

FOR IMMEDIATE RELEASE: 2/2/2010
Contact Information:
Jane Hu
Email: jane.hu@colasoft.com
Tel: +86 28-8512-0922
Website:
http://www.colasoft.com

Chengdu, China – Feb 4, 2010 – Colasoft, an innovative provider of all-in-one and easy-to-use network analyzer software, today announced the newest version of its flagship product, Capsa Network Analyzer. Version 7.1 is based on the second-generation Colasoft Packet Analysis Engine (CSPAE), which substantially improves data processing speed and guarantees analysis performance in high-traffic networks.

“With the latest Microsoft Office 2007 style, Colasoft Capsa 7.1 provides you with a brand new user interface and an enhanced user experience. The new design is intended to display statistics and diagnosis data in a simple, straightforward and graphical style so that users can get what they want with fewer clicks”, said Kevin Zhou, director of marketing. “Some unique features and ideas are introduced in Capsa 7.1, like Network Profile; this function allows users to set and save network profiles for different environments (departments, clients), making their analysis more customized, accurate and efficient. Another prominent feature is Analysis Objective, which provides flexible, extensible and effective analysis performance based on the user’s analysis objectives”.

Brand New and Improved Network Analysis Experience

  • Your Own Dashboard, Important Parameters in One Place and in Graphs.
  • Record Network Profile, Boost Working Efficiency.
  • Set Your Analysis Objective, Perform customized Analysis.
  • Powerful Customizable Alarms.
  • Replay Analysis, Reproduce History Network Events
  • Custom Protocol, Analyze Unique Protocol Traffic.
  • Enhanced, Customizable Report.
  • Intuitive TCP Timing Sequence Chart.
  • WYSIWYG (What You See Is What You Get) Packet Filter.
  • Capsa 7.1 runs under Windows 2000/XP/2003/Vista/7. A trial version is available for download at the company’s website: http://www.colasoft.com

About Capsa

Capsa is an easy-to-use Ethernet packet sniffer (network analyzer or network sniffer) for network monitoring and troubleshooting purposes. It performs real-time packet capturing, 24/7 network monitoring, reliable network forensics, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. By giving you insights into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify network bottlenecks and bandwidth use, and detect network vulnerabilities.

About Colasoft

Ever since 2001, Colasoft has been an innovative provider of all-in-one and easy-to-use software solutions for users to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Currently, more than 5000 customers in over 80 countries trust the company’s flagship product, Capsa Network Analyzer, as their network monitoring and troubleshooting solution. Featured customers include Alcatel, Airbus, Dell, Ericsson, IBM, Intel, and Pepsi. For more information about Colasoft and its solutions, please visit http://www.colasoft.com

Capsa Story

November 19th, 2009 Willis Huang No comments

This is my short story of how a rookie uses Capsa Network Analyzer to solve an easy network problem.

To be honest, I don’t know too much about network management or network analysis. My friends and I, 5 of us, have an SEO studio and we are trying a little online business. We were pretty busy at that time because our business had made some progress. Days ago, however, our wired network turned out to be intolerably laggy, which we couldn’t stand, for all our business depends on the Internet.

The first action we took was to check the antivirus software. We had McAfee antivirus installed on all our computers and updated. But no virus was caught after a full scan of all our computers. Now we took it seriously: we checked all the ports and the router we used to connect all our computers and tried all the means on Google. Nothing helped. Time is money; we had to get a smooth Internet connection back for our business. Regretfully, we didn’t have a computer geek friend around. Also it’s not our style to pay a penny to hire someone to fix this. We were on our own.

Good news from Erik, one of us in the studio: he found out there was a program, Wireshark, that would fix our network. We were all disappointed again when we ran it. None of us knew where to start checking, and we couldn’t understand it.

After his hard searching, we found the Capsa Network Analyzer demo version and couldn’t wait to give it a try. First we noticed that there were lots of “ARP Too Many Unrequested Response” entries in its Diagnosis. We immediately understood from its explanation that the two computers with those IP addresses were the cause. We took the two computers off the router and we had our network back. As for the two computers, we only had to have their OS reinstalled. We were so pleased that we had our business back.

Thanks, Capsa Network Analyzer.
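The diagnosis that pointed at the two machines in this story counts ARP replies that no request explains. To show what such a check has to compute, here is an added example written for this page; it is not Capsa’s algorithm, and the matching rule (a reply is “requested” only if the target recently asked for the sender’s IP), the threshold and all names are assumptions. The ARP frames are constructed: five normal request/reply pairs with the gateway, and a host that keeps announcing itself as the gateway unasked.

```python
# Added example (not Capsa's code): a reconstruction of what an "ARP Too Many Unrequested
# Response" check has to compute, run over constructed ARP frames. Matching rule,
# threshold and names are assumptions, not Capsa's algorithm.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Arp(NamedTuple):
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str  # all zeros in a request


FRAMES: List[Arp] = []
for i in range(5):      # normal: a workstation asks for the gateway, the gateway answers
    FRAMES.append(Arp("request", f"192.168.1.{10 + i}", f"00:1a:2b:00:00:{10 + i:02x}",
                      "192.168.1.1", "00:00:00:00:00:00"))
    FRAMES.append(Arp("reply", "192.168.1.1", "00:00:5e:00:01:01",
                      f"192.168.1.{10 + i}", f"00:1a:2b:00:00:{10 + i:02x}"))
for i in range(12):     # a misbehaving host keeps announcing itself as the gateway, unasked
    FRAMES.append(Arp("reply", "192.168.1.1", "00:1a:2b:00:00:77",
                      f"192.168.1.{10 + i % 5}", f"00:1a:2b:00:00:{10 + i % 5:02x}"))


def unrequested_arp_replies(frames: List[Arp]) -> Dict[str, int]:
    """Count, per sender MAC, the replies that no prior request from the target explains."""
    pending: Set[Tuple[str, str]] = set()   # (asker IP, asked-for IP) still waiting for a reply
    counts = defaultdict(int)
    for f in frames:
        if f.op == "request":
            pending.add((f.sender_ip, f.target_ip))
        elif (f.target_ip, f.sender_ip) in pending:
            pending.discard((f.target_ip, f.sender_ip))   # an answer someone actually asked for
        else:
            counts[f.sender_mac] += 1                      # unrequested (incl. gratuitous) reply
    return dict(counts)


def flag_unrequested_senders(frames: List[Arp], threshold: int = 5) -> List[Tuple[str, int]]:
    """Senders whose unrequested reply count exceeds the threshold, most frequent first."""
    counts = unrequested_arp_replies(frames)
    return sorted(((mac, n) for mac, n in counts.items() if n > threshold), key=lambda r: -r[1])


def claimed_ips(frames: List[Arp], mac: str) -> Set[str]:
    """Which IPs a MAC has claimed in replies; two MACs claiming one IP is a conflict."""
    return {f.sender_ip for f in frames if f.op == "reply" and f.sender_mac == mac}
```

The threshold exists because a few unrequested replies are normal (a host announces its address when it boots or renews a lease); a steady stream of them from one MAC, especially one claiming an IP that another MAC also answers for, is what turns the counter into a diagnosis worth acting on.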

How to find out the downloading nodes in your network

November 19th, 2009 Willis Huang No comments

To be honest, I am a little ashamed to share my experience here; however, I wish to learn more from you. Let me introduce myself briefly: my name is Don Smith, the network administrator of a small online business company in Texas.

As a small company, cost is a very sensitive problem for us, especially under the recession. With limited bandwidth, we need to make sure the core business runs steadily, so I need to find out about illegal download activities in time. We bought Capsa last year after evaluating and comparing it with other similar network monitoring software.

OK, let’s see how I find out illegal downloads in the network.

After the correct deployment of Capsa in our network, let’s run Capsa and start the capture first.

Figure 1. Summary View

As we can see in Figure 1, the utilization is normal.

Now I will start a download and check it again. See Figure 2:

Figure 2. Summary View 2

We can see in the packet size distribution that there are a lot of packets in the 1024-1517 range.

Then we need to check how these packets were generated.

Now, we will go to the Protocol view to check whether there is any download protocol.

Figure 3. Protocol View

We can see that there is HTTP download traffic in our network. Then we need to locate the computer that is downloading and deal with it.

Figure 4. Locate Explore Node

Right-click on the protocol, as Figure 4 shows, and we can see the option Locate Explore Node.

Then we can check the Endpoints view for more details.

Figure 5. Endpoints View

It is apparent that the node 192.168.6.8 is downloading: the bytes out are only 1.04MB, but the bytes in are 10.153MB.

Now we have found the computer that is downloading the files, so we can deal with it.

As far as I know, this function is just the tip of the iceberg. Capsa can do a lot of things like this.

Let’s share it.
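The post relies on two observations that are straightforward to compute from any capture: the packet size distribution from the Summary view (a download shows up as a pile of full-size frames) and the bytes in versus bytes out per node from the Endpoints view. The code below is an added example written for this page, not Capsa’s code; the 1024-1517 bucket follows the range quoted above, while the other bucket edges, the record layout, the thresholds and the function names are assumptions. The packets are constructed so that 192.168.6.8 pulls roughly the 10 MB in / 1 MB out seen in the post.

```python
# Added example (not Capsa's code): the two observations the post relies on, the packet
# size distribution from the Summary view and the bytes in/out per node from the
# Endpoints view, computed over constructed packets. Bucket edges follow the 1024-1517
# range quoted above; the other edges, record layout and thresholds are assumptions.
from collections import defaultdict
from typing import Dict, List, Tuple

# Packet size buckets (bytes), inclusive; the last one is open-ended.
BUCKETS: List[Tuple[int, int, str]] = [
    (0, 64, "<=64"), (65, 127, "65-127"), (128, 255, "128-255"), (256, 511, "256-511"),
    (512, 1023, "512-1023"), (1024, 1517, "1024-1517"), (1518, 1 << 31, ">=1518"),
]

# (src_ip, dst_ip, frame_length), all constructed
PACKETS: List[Tuple[str, str, int]] = []
for _ in range(7000):   # 192.168.6.8 downloads a file: full-size frames in, small ACKs out
    PACKETS.append(("203.0.113.50", "192.168.6.8", 1450))
    PACKETS.append(("192.168.6.8", "203.0.113.50", 148))
for _ in range(20):     # 192.168.6.9 browses: modest traffic in both directions
    PACKETS.append(("203.0.113.60", "192.168.6.9", 500))
    PACKETS.append(("192.168.6.9", "203.0.113.60", 300))


def size_distribution(packets) -> Dict[str, int]:
    """Packet count per size bucket, like the Summary view's distribution table."""
    counts = {label: 0 for _lo, _hi, label in BUCKETS}
    for _src, _dst, length in packets:
        for lo, hi, label in BUCKETS:
            if lo <= length <= hi:
                counts[label] += 1
                break
    return counts


def node_direction_stats(packets) -> Dict[str, Dict[str, int]]:
    """Per IP: bytes_in, bytes_out, packets_in, packets_out (the Endpoints view columns)."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "packets_in": 0, "packets_out": 0})
    for src, dst, length in packets:
        stats[src]["bytes_out"] += length
        stats[src]["packets_out"] += 1
        stats[dst]["bytes_in"] += length
        stats[dst]["packets_in"] += 1
    return dict(stats)


def likely_downloaders(packets, local_prefix: str, min_bytes_in: int = 1_000_000,
                       min_ratio: float = 5.0) -> List[Tuple[str, int, int, float]]:
    """Local nodes receiving far more than they send: (ip, bytes_in, bytes_out, ratio).
    A local file server shows the inverse pattern (bytes_out >> bytes_in), so the
    direction matters; the prefix keeps external servers out of the list."""
    hits = []
    for ip, s in node_direction_stats(packets).items():
        if not ip.startswith(local_prefix) or s["bytes_in"] < min_bytes_in:
            continue
        ratio = s["bytes_in"] / s["bytes_out"] if s["bytes_out"] else float("inf")
        if ratio >= min_ratio:
            hits.append((ip, s["bytes_in"], s["bytes_out"], round(ratio, 2)))
    return sorted(hits, key=lambda r: -r[1])
```

The distribution alone only says that something large is moving; the direction statistics say who is pulling it. Both thresholds are site-specific: a host that legitimately syncs backups will look like a downloader, which is why the post goes on to confirm the protocol before acting.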