Colasoft Blog

by David M Williams
July 26, 2010

If you run any type of network infrastructure there will come a time you need a low-level packet sniffer to work out just what is going on. Colasoft’s Capsa product challenges the myth these tools must be hard to use.

Have you ever had users ask why is the network so slow? Chances are high any IT professional will have looked into network related faults but found it difficult to get a handle on just what is going on because Ethernet is so, well, ethereal.

Here is where a network analyzer comes in handy. It will sniff the raw packets of data flying about as they happen and give you meaningful information to make intelligent determinations.

Previously I have talked about the tremendous open source product WireShark but WireShark isn’t for everyone. For one, the Windows port requires GTK+ and Glib to be installed which some Windows administrators aren’t keen to do. For another, although it is less arcane and cryptic than a command-line tool like tcpdump it’s still not user-friendly enough for many.

Here is where Colasoft’s Capsa product comes in. As you might guess, it is a deep low-level network protocol analyzer and its purpose is to give you the low-down on just what is happening on your network.

Where it stands out from the competition is its brilliant ease of use. Capsa adopts the same ribbon style interface as seen in Microsoft Office 2007 and it is a snap to navigate between tabs and check out the options and power available.

When it comes to network analysis so much is going on that it’s a must to separate out the chatter from the data that matters. Capsa makes it a cinch to hone in on what you want with easy to use filters and rules.

Capsa also has a concept of projects, meaning you can set global filters and rules to always apply but also make specific filters and rules for individual projects, letting you switch between these as needed.

Capsa displays intuitive options and is a genuine pleasure to use. I do not believe I’ve seen a more straightforward or elegant network analysis tool with the majority requiring expert knowledge to get any meaningful results.

Capsa is a commercial product so it does carry a price tag beginning at $US 549 for one license without maintenance but if your job requires you to troubleshoot network faults then the software will pay for itself.
As well as the commercial support Colasoft provide an extensive and helpful FAQ. A free trail of Capsa is avaliable here.

In networking, an email worm is a computer worm which can copy itself to the shared folder in system. And it will keep sending infected emails to stochastic email addresses. In this way, it spreads fast via SMTP mail servers. An email worm can send lots of infected emails in a very short time and it will never stop unless it’s removed. It will cause a large traffic and make the system go slowly. Sometimes it even makes the mail server crash. This article aims to teach you how to detect an email worm with Capsa network analyzer 7.

About Capsa 7

Capsa 7 is the flagship product of Colasoft. It is based on the second-generation Colasoft Packet Analysis Engine (CSPAE), which substantially improved the data processing speed and guaranteed the analysis performance in large traffic networks. Some unique features and ideas are introduced to Capsa 7, like Network Profile, this function allows user to set and save network profiles for different environments (departments, clients), making their analysis more customized, accurate and efficient. Another prominent feature is Analysis Profile which provides flexible, extensible and effective analysis performance based on user’s analysis objectives.

Step 1 of detecting an email worm with Capsa network analyzer 7: Diagnosis tab

In the Diagnosis tab we can see all the network issues automatically detected by Capsa network analyzer 7 , also some causes and solutions are suggested.

If there is a host infected with an email worm, we should be able to see SMTP events in the application layer like this:


Step 2 of detecting an email worm with Capsa network analyzer 7: Locate the source IP

Possibly the source IP is the host infected with an email worm as it is sending too many emails in a short period of time with SMTP. So let’s locate the source IP in the Node Explorer window with the Locate shortcut in the right-click menu.

Step 3 of detecting an email worm with Capsa network analyzer 7: Log tab

Check if the host is sending emails to a large number of recipients in a very short period of time. If so, we can determine the host is infected with an email worm and should be handled immediately. We should be able to see logs in the tab like this:

No doubt the final step is to isolate the host and kill the email worm with some AV software.So, I’m sure you already got how to detect an email worm with Capsa network analyzer 7. A free trail of Capsa network analyzer 7 is avaliable at http://www.colasoft.com/.

ARP attacks also known as ARP spoofing is a technique used to attack an Ethernet wired or wireless network. It is becoming increasingly popular among internet raggers because of its simpleness, fastness, and effectiveness, thus causing severe influence to the internet environment. As more and more people trust windows 7, it is very important to find a network analyzer that supports windows 7. Capsa network analyzer is such a great software that supports windows 7. The purpose of this article is to teach you how to detect ARP attacks in windows 7 with Capsa network analyzer.

The main point of ARP attacks detection is to locate the source of the attack when there is any ARP attack happens to our network. Capsa network analyzer can do it quickly and accurately. First of all, you need to download Capsa network analyzer at its official site and install it correctly. Now let’s see how we can achieve that.

Solution 1 to detect ARP attacks: Diagnosis Tab

The Diagnosis tab is the most direct and effective place we check the location of ARP attack, and should be our first choice.

Solution 2 to detect ARP attacks: Protocol Tab

As shown in the following figure, the status of ARP packets are displayed in the Protocol tab, Here we must pay special attention to the value of ARP Request and ARP Response. The ratio of ARP Request and ARP Request should be approximately 1:1 under general condition. If there is a great difference between these two values, there may be ARP attacks in the network.

Solution 3 to detect ARP attacks: Packet Tab

Packet decoding information in the Packet tab can tell us the original information of ARP packets, by decoding ARP packets, we can find out the source and destination of the ARP packets, the function and the reality of these ARP packets.

Solution 4 to detect ARP attacks: Physical Endpoint Tab

In the Physical Endpoints tab we can view the correlation of MAC address and IP address. Generally speaking, one MAC address shall have only one IP address corresponding to it. If one MAC address has multiple IP addresses to it, the condition may be:

1.the host with the MAC address is the gateway;
2.these IP addresses are bound to the MAC address manually;
3.ARP attack

Soluton 5 to detect ARP attacks: Matrix Tab

The Matrix tab allows us to see communication information between those hosts in the network, which helps us to fast identify abnormal conditions and locate the attack source.

From the above 5 solutions on how to detect ARP attack in windows 7 with Capsa network analyzer, it will greatly enhance network administrators’ capability to identify ARP attacks and protect the network from ARP attacks, so as to ensure normal network operation.

Network traffic is data in a network. In computer networks, the data is encapsulated in packets. So network traffic monitoring is to capture all the packets going down the network. Sometimes, it will be very useful to check your network activity. When Windows 7 network is very slow, internet browsing is very slow, connection problems and high network activity occurs when you do nothing, you will find this really helpful. The purpose of this article is to help you understand how to monitor network traffic in windows 7 with Capsa network analyzer.

About Capsa Network Analyzer

Capsa is an easy-to-use Ethernet packet sniffer (network analyzer or network sniffer) for network traffic monitoring and troubleshooting purposes. It performs real-time packet capturing, 24/7 network monitoring, reliable network forensics, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. By giving you insights into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify network bottleneck and bandwidth use, and detect network vulnerabilities.

Solution 1. Monitor network traffic in the Dashboard tab of Capsa network analyzer

If we want to have a graphical view of the statistics or get a trend chart of the network traffic, then we can use the graphs in the Dashboard tab. It provides a great many of statistic graphs from global network to a specific node. You are able to as well create almost any kind of graph based on any MAC address, IP address and protocol, etc. With these graphs, you can easily find out anomalies of the network and get useful statistics.

Solution 2. Monitor network traffic in the Summary tab of Capsa network analyzer

The Summary tab provides general information of the entire network or the selected node in the Node Explorer window. In the Summary tab we can get a quick view of the total traffic, real-time traffic, broadcast traffic, multicast traffic and so on. When we switch among the node in the Node Explorer window, corresponding traffic information will be provided.

Solution 3. Monitor network traffic in the Physical Endpoint and IP Endpoint tabs of Capsa network analyzer

In these two endpoint tabs (Physical Endpoint and IP Endpoint), we can monitor network traffic information of each physical address node and IP address node, both local and remote. With their easy sorting feature we can easily find out the nodes with abnormal traffic, such as which hosts are generating or have generated the largest traffic.

Solution 4. Monitor network traffic in the Protocol tab of Capsa network analyzer

The Protocol tab lists all protocols applied in your network transmission. In the Protocol tab we can monitor network traffic by each protocol. By analyzing the protocols in the network traffic, we can easily understand what applications are consuming the network bandwidth, for example, the HTTP stands for website browsing, and the POP3 stands for email, etc.

Solution 5. Monitor network traffic in the Matrix tab of Capsa network analyzer

The Matrix tab visualizes all network connections and traffic details in one single graph. The weight of the lines between the nodes indicates the traffic volume and the color indicates the status. As we move the cursor on a specific node, network traffic details of the node will be provided.

These are the very basic methods of monitoring network traffic in windows 7 with Capsa network analyzer, there are lot of advanced functions available on Capsa Network Analyzer 7 .

Share your experience with this tool and any new findings on this is welcomed.

Author: Chris Partsenidis
July 3, 2010

Introduction

A Network Analyser is without doubt an Engineer’s best friend.
Using network analysing software, we are able to monitor our network and dig into the various protocols to see what’s happening in real time. This can help us understand much better the theoretical knowledge we’ve obtained throughout the years but, most importantly, help us identify, troubleshoot and fix network issues that we wouldn’t be able to do otherwise.
A quick search on the Internet will surely reveal many network analysers available making it very confusing to select one. Some network analysers provide basic functions, such as packet sniffing, making them ideal for simple tasks while others give you all the necessary tools and functions to ensure your job is done the best possible way.
Colasoft’s network analyser is a product that falls in the second category. We had the chance to test drive the Colasoft Network Analyser v7.2.1 which is the latest available version at the time of writing.
Having used previous versions of Colasoft’s network analyser, this latest version we tested left us impressed and does, in fact, promise a lot no matter what the environment demands.

Colasoft’s Capsa network analyser is available as a demo version directly from their website www.colasoft.com. We quickly downloaded the 21.8mb file and began the installation which was a breeze. Being small and compact meant the whole process didn’t take more than 30-40 seconds.
We fired up the software, entered our registration details, activated our software and up came the first screen which shows a completely different philosophy to what we have been used to:

The Software
Before you even start capturing packets and analysing your network, you’re greeted with a first screen that allows you to select the network adaptor to be used for the session, while allowing you to choose from a number of preset profiles regarding your network bandwidth (1000, 100, 10 or 2 Mbps).
Next, you can select the type of analysis you need to run for this session ranging from Full analysis, Traffic Monitoring, Security analysis to HTTP, Email, DNS and FTP analysis. The concept of pre-configuring your packet capturing session is revolutionary and very impressive. Once the analysis profile is selected, the appropriate plug-in modules are automatically loaded to provide all necessary information.
For our review, we selected the ‘100Mb Network’ profile and ‘Full Analysis’ profile, providing access to all plug-in modules, which include ARP/RARP, DNS, Email, FTP, HTTP and ICMPv4 – more than enough to get any job done!
Optionally, you can use the ‘Packet Filter Settings’ section to apply filters to the packets that will be captured:

The full review at http://www.firewall.cx/reviews-colasoft-v721.php

The latest released Capsa Network Analyzer 7.2 supports monitoring instant message activity, which not only gives us real time monitoring, but also auto-saving instant messages details to local disk. Whether a parent who has teenager kid, monitoring his teenager kids’ online activities like whom are they chatting with, what they are talking about are of great importance to make sure the kids are safe and will not be misled. Or a company policy requires taking some measures to guarantee the employees’ working efficiency, one of the measures is to find out who is chatting on MSN or Yahoo Messenger about some non-working stuffs. This article is to talk about how to monitor instant message activities with Capsa 7.2 as well as save the messages to local disk.

To monitor instant messages, we need first to enable the IM analysis modules in the analysis profiles, because none of them are enabled by double-clicking an analysis profile to change the profile settings.

If we’d like to create a new analysis profile only used to monitor IM messages. Right-click anywhere in this section, and choose New from the context menu and only enable the MSN and Yahoo analysis modules.

Then click Next and then OK to finish the settings. Now click the big run button to start a capture.

When the main program is initiated and we go to the Log tab which holds the IM monitor results. In this tab, we’ll see two IM logs, MSN log and Yahoo log, including the time, sender’s account and the receiver’s account.

Not only can Capsa monitor all IM activities in our network segment, but also save these records to a csv file. Click the Export icon, and give the file a name. We can open the csv file with Excel to make a deeper analysis.

Someone may ask what if we are not around, is Capsa able to auto save the messages down to a file? Sure it is. Click the Log Settings icon, and click the Save Log File button. A new dialog box appears. Check Save to disk. There are two ways to save logs: save to a Single File and save to Multiple Files. For example, we enter the prefix for their name. And then decide how to split logs, say we split by everyone day. If we just want to save the latest files, we should check this and enter a number, say 30. We can read that we save everyday’s messages into a file, and just keep the latest 30. We’ll get the messages of the past 30 days. Now, any message goes from or to your network will be logged into a log file.

This is how Capsa monitors instant message activity and auto-saving the content to local disk. Hope it helps. And we have a video tuterial at our official site.

June 22, 2010 – Colasoft, an innovative provider of all-in-one and easy-to-use network analyzer software, today announced the newest version 7.2.1 of its flagship product-Capsa network analyzer, which is the combination of powerful monitoring, alerting, and reporting capabilities. In this version, two long-awaited monitors are added in: IM monitor and Email monitor.

Emails are provided to employees as an efficient means of communication, along with this technological advancement are many collateral problems concerning enterprise information security, such as email worm thread, disclosure of trade secrets or other enterprises’ confidential information, etc. Capsa 7.2.1 provides you with powerful email monitoring. With the captured email file, you are accessible not only to basic email information such as client, server, sender name, time, etc, but also to the original content of the email. Capsa 7.2.1 supports auto-saving email content. All of the email information is captured and saved, which will serve as valuable electronic evidence when needed.

MSN (aka Live Messenger) and Yahoo Messenger are two of the most popular chat tools on internet, IM monitoring is a necessary and effective method for enterprises to ensure employees’ work efficiency. Capsa 7.2.1 gives a real-time instant message monitoring and recording. Capsa 7.2.1 is able to deliver the most accurate MSN and Yahoo messenger monitoring statistics which can be exported and saved for further analysis. To some extent, IM monitor helps enterprise achieve effective management as well as improve network and economic performance.

Besides IM and Email monitors, considering our users may have useful project files saved by version 6.9, Capsa 7.2.1 supports opening project file from Capsa 6.9.

Capsa 7.2.1 runs under Windows XP/2003/Vista/7. A trial version is available for download at the company’s website: http://www.colasoft.com/

About Capsa

Capsa is an easy-to-use Ethernet packet sniffer (network analyzer or network sniffer) for network monitoring and troubleshooting purposes. It performs real-time packet capturing, 24/7 network monitoring, reliable network forensics, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. By giving you insights into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify network bottleneck and bandwidth use, and detect network vulnerabilities.

About Colasoft

Ever since 2001, Colasoft has been an innovative provider of all-in-one and easy-to-use software solutions for users to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Currently, more than 5000 customers in over 80 countries trust the company’s flagship product, Capsa Packet Sniffer, as their network monitoring and troubleshooting solution. Featured customers include Alcatel, Airbus, Dell, Ericsson, IBM, Intel, and Pepsi. Learn more about Colasoft and its solutions, please visit http://www.colasoft.com/

To football fans, today is a big day! FIFA World Cup opens today, Friday, June 11, 2010. They will spend the nights with the TV and bears. But our network admins will be drove crazy too. Why? The World Cup brings us great joys as well as certain network problems. Some of the crazy fans will watch or replay the competitions online at work. In these days, you will find your network traffic grows dramatically. I don’t want to be mean with the big fans, but we still have to do our work to maintain the network goes smoothly. How can we figure who is watching World Cup online at workplace? With Capsa network analyzer at hand, that would be so easy for you to monitor network, and prevent the network problems that World Cup may bring to your LAN.

Well, first we should make a list of football fans’ names and inform them not to watch videos online. And then we will keep an eye on our network utilization. When the utilization graph is high pitch, we know someone is disobeying the rules. Then we can check out who is consuming the bandwidth in the IP Endpoint tab.

But utilization cannot tell everything. We still need to spend a little seconds to check the protocols used in the network (Protocol tab). Special attention should be paid to protocols like P2P, RSTP and even HTTP. Online video takes a big portion of bandwidth so that we can easily find them out in the Protocol tab. The following figure shows that the HTTP traffic is abnormal which takes too much traffic.

When a suspicious protocol spotted, we should concentrate on it and check which IP address is generating the traffic in the IP Endpoint tab (figure below).

Then we could take a further step to prove our analysis. We can check out their conversations (IP Conversation tab), communication matrix (Matrix tab), and even we can go down to their original traffic packets (Packet tab).

With the above tips, I’m sure you can guarantee a healthy network during the special World Cup time.

We provide some tips on monitorring FBHOLE worm. In this article, we specificlly provide a step by step guide on how to build a fileter and monitor FBHOLE worm with Capsa network analyzer.

1. On the Start Page, click Packet Filter Settings link to open the Filter dialog box, which organizes all the filters.

2. Click the Add button (on the bottom-left corner of the dialog box) to build a new filter.

3.In the new window, choose Advanced Filter tab. And click the And icon. Choose Content from the context menu.

4. In the Pattern Rule window, just enter keyword: fbhole.com in the Pattern text box. Then click OK to close the window.

5. Click OK again to close the Packet Filter window.

6. Check the Accept checkbox of the filter just built which enables the program only capture the packets containing keyword “fbhole.com”.

7. Click OK and then start a capture.

8. If there is already a project running, you’d better stop it to build the filter and restart the capture. To build a filter in a running project: click the Filter button on the Ribbon. You will also see the Filter dialog box as well.

Facebook users have to be very careful when they’re hanging out on Facebook because a new worm called FBHOLE is out there everywhere. According to the reports that FBHOLE “doesn’t seem to be doing anything else than posting a message to people’s Facebook walls”. As an innovative network security software provider, Colasoft responses to analyze the worm immediately and we do get some ideas to help keep our users away from FBHOLE worm.

Behavior Study

If you click any post link like: http://www.fbhole.com/omg/allow.php?s=a&r=[random number] (post name” try not to laugh xD”) on a post wall, you will probably be lead to a page like the figure below:

Figure 1: try not to laugh xD with a fbhole.com link

The web page pops up a message box tells that there are some errors. Of course you will click the OK button to close the dialog box readily. Once you click the OK button, you may find there is one more post submitted to your wall.

Figure 2: Error messages

After the study of the HTML and scripts of the web page, we find that wherever you click on this page, you will trigger a script that tries to submit the same post to your Facebook wall. All these are done by a hidden iframe showing below:

Figure 3: iFrame code

This iframe follows your mouse movements. Wherever you click on the page, you will always click the invisible “Publish” button.

Tips to keep your network away from FBHOLE worm:

Until now we find that is all it does without any further harm to your computer system. To help keep our users to away fromthis worm, we do have some suggestions:

1. Inform the users in your network not click any links shown in the Figure 1.
2. Set up a filter to monitor which users click these links.
3. Locate the computer and scan it with an anti-virus program because there are possibilities that the worm may evolve to infect the operation system.