Posts Tagged ‘packet analysis’

Colasoft Announces Release of nChronos v5.2

October 19th, 2016 Comments off

October 19, 2016 – Colasoft, an innovative provider of powerful and affordable network analysis and application performance analysis solutions, today announced the release of its flagship product Colasoft nChronos Network Performance Analysis Solution v5.2. nChronos v5.2 comes with new types of alarms and adds TCP transaction analysis.

nChronos v5.2 provides a baseline analysis feature. Choose a baseline type, and then the baseline will be generated and displayed automatically. Furthermore, users can configure baseline alarms by setting a deviation threshold from the baseline. Also provided are whitelist and blacklist alarms, which allow users to customize whitelist and blacklist. Baseline analysis, together with blacklist and white alarms, makes it easy for network administrators to find out abnormal network traffic and abnormal net

NAT Packet Analysis Using Wireshark

February 4th, 2013 1 comment

by Tony Fortunato


One of the most popular questions I get when people get the hang of protocol analysis is the daunting exercise of multitrace analysis. As with anything else the best advice is to start with the basics before tackling anything complicated.

Multitrace analysis is only effective if you truly understand your vendors products, networking and how it relates to the OSI model or packet analysis. I always suggest that you start at layer 1 and work yourself up. The key is to know what fields in the frame or packet changes, or remains the same. Ideally when you figure this out you can use a better capture or display filter

A multitrace capture of a hub, switched, or bridged network is most straight forward since a hub or switch is transparent at layer 1 or 2 and doesn’t change anything in the packet.

When you move up to layer 3 or routing, several things change in the packet such as MAC address, IP TTL and TOS. Of course your mileage will vary, and any device could be configured to muck with more bits in the packet, but I figure I would give you a point of reference.

At layer 4 we get into application gateways, proxy, firewalls and NAT type devices where the following packet fields gets modified; MAC address, IP address, IP TOS, TCP/UDP port numbers, TCP ACK/SEQ values, etc.

Lastly at layer 7, we are dealing with multi-tiered applications and basically everything changes in the packet.

In this video example I do a multitrace analysis of a simple netgear router/NAT/firewall device where I take a trace from the WAN and LAN side to compare. Not to sound like a broken record, but please remember that your devices might behave totally differently and these notes and techniques should only be used as a reference  in your environment.

Check the video here: