How to Detect MAC Flooding Attack in your LAN?

April 6, 2010, 9 comments

In a typical MAC flooding attack, a switch is flooded with packets, each carrying a different source MAC address. The switch records these addresses in its CAM table. When the table is full, the switch can no longer look up the right destination port and has to send frames out on all ports. A malicious user could then use a packet sniffer running in promiscuous mode to capture sensitive data from other computers, data which would not be accessible if the switch were operating normally.

How do you detect a MAC flooding attack in your network? In this article, I will demonstrate it with Colasoft Capsa Analyzer.

To detect a MAC flooding attack, start a capture and begin the analysis from the SUMMARY TAB. All these statistics look right, except one: the Physical address count. More than a hundred thousand MAC addresses have been discovered in this network. How could such a small network have so many machines? Possibly, it is a MAC flooding attack.


We need to check the addresses in the NODE EXPLORER. Open the physical explorer and look at this number: there are more than 1800 MAC addresses in the local segment. That is abnormal; there is no way that so many machines exist in this network, and apparently these addresses are not real. We can be sure there are worm activities or attacks in the network.


Let’s see how these nodes are communicating. Open the MATRIX TAB and choose the Top 1000 physical node matrix type. What a mess! There are so many nodes communicating, and according to the color of the lines, red means one-way transmission.


We can go to the PHYSICAL CONVERSATION TAB to confirm this. Almost all nodes send only one packet, and most packets are 64 bytes.
We know that all machines in our network are connected through a switch. This looks like a MAC flooding attack.


Still, to confirm our suspicion, we need to look at the raw data of the packets being sent. Open the PACKET TAB. The delta time between packets is very small, which puts great pressure on the switch. Almost all packets are 64 bytes. Looking at the raw data, almost all packets are randomly generated and padded with the same digits.


Based on all these behaviors and the decoded packet contents, we are pretty sure there is MAC flooding in this network. It is hard to find the attacker’s address directly because all addresses are forged. However, we can disconnect machines from the network one at a time to eliminate the innocent ones until we find the culprit.
A video tutorial on detecting a MAC flooding attack is available here!
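The indicators walked through above (a sender count far beyond the size of the LAN, one frame per sender, 64-byte frames, tiny delta times) can be scored automatically. The following is an added example, not Capsa's own logic or output; the `Frame` record, the sample capture and the thresholds are all constructed assumptions to be tuned for a real LAN.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import median

@dataclass
class Frame:
    ts: float      # capture timestamp in seconds
    src_mac: str   # source MAC as seen by the switch
    length: int    # frame length in bytes

def mac_flood_indicators(frames):
    """Compute the four indicators the article reads off Capsa's tabs."""
    if not frames:
        return {"unique_src": 0, "single_pkt_ratio": 0.0,
                "min_frame_ratio": 0.0, "median_delta": float("inf")}
    per_src = Counter(f.src_mac for f in frames)
    ts = sorted(f.ts for f in frames)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    return {
        # Summary / Node Explorer: distinct senders the switch had to learn
        "unique_src": len(per_src),
        # Conversation tab: forged senders emit exactly one frame each
        "single_pkt_ratio": sum(c == 1 for c in per_src.values()) / len(per_src),
        # Packet tab: flood frames are padded to the 64-byte minimum
        "min_frame_ratio": sum(f.length == 64 for f in frames) / len(frames),
        # Packet tab: very small delta time between frames
        "median_delta": median(deltas) if deltas else float("inf"),
    }

def is_mac_flooding(frames, expected_hosts=200):
    """Flag a capture when far more senders appear than the LAN should hold
    and the other three indicators agree. Thresholds are assumptions."""
    i = mac_flood_indicators(frames)
    return (i["unique_src"] > 5 * expected_hosts and i["single_pkt_ratio"] > 0.9
            and i["min_frame_ratio"] > 0.9 and i["median_delta"] < 0.001)

def constructed_capture(flood_frames=2000):
    """Constructed sample: 20 real hosts chatting, then a burst of one-frame
    forged senders using locally administered (02:...) addresses."""
    frames = [Frame(i * 0.05, f"00:11:22:33:44:{i % 20:02x}", 500 + i % 900)
              for i in range(200)]
    for i in range(flood_frames):
        mac = f"02:00:00:{i >> 16 & 0xff:02x}:{i >> 8 & 0xff:02x}:{i & 0xff:02x}"
        frames.append(Frame(5.0 + i * 0.0001, mac, 64))
    return frames
```

Feeding `constructed_capture()` to `is_mac_flooding` returns True, while the same capture without the flood burst (`flood_frames=0`) returns False.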

Share Your Capsa Story, Win Acer Laptop!

October 23, 2009, no comments

How are you using Capsa Network Analyzer to handle daily administration issues? How did you use Capsa Network Analyzer to solve your network problems? Share your story with us and you can win an Acer laptop!

Have a look at our prizes!

Prizes

Attracted? Click here to see how to get one!

Category: News & Events

Colasoft Capsa Provides Comprehensive Network Analysis at Your Fingertips

July 20, 2009, no comments

Wow! Another review has been published by one of the leading technology media outlets, physorg.com.

As computers become more ingrained in the daily operations of most companies, it seems that running into problems occurs more frequently and with greater consequences. When it comes to computer networks, the key issues are security, speed, and reliability. A newly improved network analyzer called Capsa 6.9 R2, developed by Colasoft Inc., can help companies monitor, detect, and troubleshoot network problems. This review highlights some of the main features of Colasoft Capsa, which together make the product an overall powerful tool for maintaining network security.

To read a full review, please click here. And don’t forget to comment and vote!

Category: News & Events

Test-drive: Colasoft Capsa network analyzer – Review from TechRepublic

July 20, 2009, no comments

We are pleased to announce that one of the major media outlets in computer and software technology, TechRepublic.com, recently published a review of Capsa network analyzer 😀

Having good insight into your network is critical. There are so many potential issues that can be going on that any additional tool can be welcome. This can include attacks, transmissions and applications without encryption, or incorrect configurations bogging down the network.

Recently, I had a chance to evaluate the Colasoft network analyzer or Capsa. Capsa offers a lot of features in a small package, though the network analyzer field is very crowded. One thing that can differentiate a network tool is ease of use.

To read a full review, click here. Do not forget to leave a message and vote for the review!

Category: News & Events

Capsa 6.9 Recently Reviewed by FiberDownload.com

July 9, 2009, no comments

We are glad to see that one of the biggest software directories, fiberdownload.com, recently tested Capsa 6.9 R2 and wrote a very impressive review of it.

Capsa is a great and affordable all-in-one network analyzer tool that will help you carry out your daily activities without being afraid of Internet threats.
But the first question that you ask yourself when you see this application for the first time is: what does CAPSA mean?

After testing it, I would say that CAPSA, apart from being a great network monitoring tool, means:
Confidence
Affordability
Performance
Safety
Advanced

It’s quite impressive, since we never explained the software name like this ourselves. To view the full review, please click here.

Category: News & Events

Colasoft Capsa 6.9 R2 Now Fully Compatible with Windows 7

July 2, 2009, 4 comments

We are excited to announce a new version of our flagship product – Colasoft Capsa Network Analyzer. The newly released Capsa 6.9 R2 is now fully compatible with the current Windows 7 32-bit and 64-bit editions, satisfying users’ growing need for Windows 7 compatibility.

Please see below for the new features and latest improvements in Capsa 6.9 R2. We hope you enjoy the new version! Any suggestions will be highly appreciated.

New Features:

  • Support for Windows 7 32-bit and 64-bit editions.
  • Packet Player: supports replaying multiple packet files simultaneously.
  • Two new global options: alias (or hostname) and address can be displayed simultaneously.
  • A new option in the global Option settings that users can enable to prevent hibernation while capturing.
  • The ISL and FCoE protocols are now recognized.
  • Decoders for the ISL and FCoE protocols.
  • Support for Windows Server 2008 and its x64 edition.

Improvements:

  • An online help section is available on the Start Page below Quick Links.
  • The Loopback interface is no longer shown in the NIC test wizard.

Bugs Fixed:

  • A wrong value was displayed in the decode area for the IP Fragment Offset.
  • Users who logged in under a different Windows account had to reactivate Capsa every time they logged in.

Download a Free Trial Now

Capsa 6.9 R2 is Coming Very Soon

June 30, 2009, no comments

We are going to release Capsa 6.9 R2 very soon, stay tuned 🙂

Category: News & Events

How to Detect Email Worm with Colasoft Packet Sniffer

June 24, 2009, 7 comments

What Is an Email Worm
In networking, an email worm is a computer worm that copies itself to shared folders on the system and keeps sending infected emails to random email addresses. In this way, it spreads fast via SMTP mail servers.

What Is the Harm of Email Worm
An email worm can send a large number of infected emails in a very short time, and it will never stop unless it is removed. It generates heavy traffic and slows the system down; sometimes it even makes the mail server crash.

How to Detect Email Worm
If you suspect that some host in your network is infected with an email worm, here is a step-by-step process for detecting it with Colasoft Packet Sniffer.

Step 1. Download a free trial and deploy it properly.

Step 2. Launch a project and start capturing some traffic.

Step 3. Switch to the “Diagnosis” tab
The Diagnosis tab is a view in which we can see all the network issues automatically detected by Colasoft Packet Sniffer; possible causes and solutions are also suggested.

Diagnosis Tab Screenshot

If there is a host infected with an email worm, we should be able to see SMTP events in the application layer like this:

SMTP Events in Application Layer

Step 4. Locate the source IP
The source IP is probably the host infected with an email worm, as it is sending too many emails over SMTP in a short period of time. So let’s locate the source IP in the “Explorer” with the “Locate” shortcut in the right-click menu.

Locate Source IP

Step 5. Switch to the “Logs” tab
Check whether the host is sending emails to a large number of recipients in a very short period of time. If so, we can conclude that the host is infected with an email worm and should be handled immediately. We should see logs in the tab like this:

View Email Logs in "Logs" Tab

No doubt the final step is to isolate the host and remove the email worm with AV software.

There are other ways to detect an email worm with Colasoft Packet Sniffer; this is the shortest one.
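The check in Step 5, one source addressing many distinct recipients within a short window, can be scripted over SMTP log lines. This is an added example, not Colasoft's code; the log line format, the sample lines, the window and the recipient threshold are constructed assumptions rather than Capsa's own log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (an assumption, not Capsa's log layout):
# "<date> <time> <client ip> -> <server ip>:25 RCPT TO:<recipient>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):25 RCPT TO:<([^>]+)>$")

def parse_smtp_log(lines):
    """Yield (timestamp, src_ip, recipient); malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(4).lower()

def suspicious_senders(lines, window_s=60, max_recipients=20):
    """Return {src_ip: peak distinct recipients} for every source that
    addressed more than max_recipients distinct recipients within window_s."""
    by_src = defaultdict(list)
    for ts, src, rcpt in parse_smtp_log(lines):
        by_src[src].append((ts, rcpt))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):
            # slide the window start forward until the span is <= window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, len({r for _, r in events[start:end + 1]}))
        if peak > max_recipients:
            flagged[src] = peak
    return flagged

def constructed_log():
    """Constructed sample: one normal user and one worm-like host."""
    base = datetime(2009, 6, 24, 10, 0, 0)
    fmt = "{} {} -> 10.0.0.5:25 RCPT TO:<{}@example.com>"
    lines = [fmt.format(base + timedelta(minutes=5 * i), "192.168.1.10", name)
             for i, name in enumerate(["alice", "bob", "carol"])]
    lines += [fmt.format(base + timedelta(seconds=i), "192.168.1.77", f"user{i}")
              for i in range(40)]
    lines.append("this line is not an SMTP event and is skipped")
    return lines
```

`suspicious_senders(constructed_log())` flags only 192.168.1.77 with 40 distinct recipients inside one minute; the normal user, three recipients spread over ten minutes, is not reported.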

Capsa Enterprise Edition Recently Reviewed by Keylogger.org

June 21, 2009, 4 comments

We are happy to see that keyloggers.org, which specializes in reviewing and testing monitoring software, recently tested and reviewed Capsa Enterprise Edition and gave it a very favorable comment.

Keylogger.org Logo

Colasoft Capsa also has a lot of other advantages, but we think you already understood the two generic ones – first, the information analyzed by Colasoft Capsa is easy to access and view and, second, the program itself is very user-friendly and easy to understand. These qualities make Colasoft Capsa a perfect choice both for experts and novices in network administration.

To view the full review, you can click here.

Category: News & Events

Get Colasoft MAC Scanner Pro Edition For Free, Act Now!

June 18, 2009, 2 comments

Are you ready for this? We are. Say goodbye to the Free edition and get your license key for the Pro edition immediately!

How to Get It?

What’s the difference anyway?
With MAC Scanner Pro Edition, you can:

  • Save scan results into a database for future reference
  • Add attributes (such as user name and physical location of the host) to scan results and save them in the database
  • Automatically compare new MAC scan results with database records and report differences and new records (unauthorized access)
  • Export scan results
  • More…

Find the difference yourself as you can get it for free!

Cheers,
Colasoft Team