<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6743573607670198921</id><updated>2011-11-27T16:33:08.366-08:00</updated><category term='monitor http traffic'/><category term='Host'/><category term='TDR'/><category term='MAC Scanner'/><category term='Learn about: Network Analysis'/><category term='DNS'/><category term='Packet Builder'/><category term='ARP'/><category term='monitor email'/><category term='encrypted content'/><category term='malware'/><category term='network intrusion'/><category term='ARP attack'/><category term='Unipeek'/><category term='network connectivity'/><category term='Ping Tool'/><category term='public key encryption'/><category term='MAC Scanner Pro'/><category term='HTTP'/><category term='packet management'/><category term='network private'/><category term='Hub lights'/><category term='FTP'/><category term='security loopholes'/><category term='network security'/><category term='Capsa'/><category term='email'/><category term='network admins'/><category term='packet sniffer'/><category term='network diagnosis'/><category term='ARP virus'/><category term='Colasoft Capsa'/><category term='Network Sniffer'/><category term='Sourse- route'/><category term='ARP attacking'/><category term='ARP spoofing'/><category term='broadcast storm'/><category term='network tools'/><category term='Slow internet connections'/><category term='TechRepublic'/><category term='capsa network analyzer'/><category term='MSN'/><category term='monitor broadcast storm'/><category term='security'/><category term='intrusion attempts'/><category term='Tips'/><category term='wireshark'/><category term='scanning tools'/><category 
term='hacker'/><category term='network traffic'/><category term='report'/><category term='Colasoft MAC Scanner'/><category term='IT manager'/><category term='end point'/><category term='network'/><category term='network usage'/><category term='SNMP Monitoring'/><category term='Packet Player'/><category term='IP monitor'/><category term='large traffic'/><category term='introduction'/><category term='network malfunction'/><category term='Decoy'/><category term='Latency'/><category term='IP analyzer'/><category term='connectivity problem'/><category term='easy-to-use and all-in-one tool'/><category term='colasoft capsa network analyzer'/><category term='switch'/><category term='SMTP traffic'/><category term='traffic analytics'/><category term='spy'/><category term='Analyze Protocol，Network Sniffer，Example'/><category term='Colasoft Network Analyzer'/><category term='chat'/><category term='MAC address'/><category term='network data'/><category term='network administrator'/><category term='Protect Network'/><category term='credit card'/><category term='Spam'/><category term='IM'/><category term='expert network sniffer'/><category term='hub'/><category term='network monitor'/><category term='Network Management'/><category term='howto'/><category term='Troubleshooting'/><category term='Sniff Webpage'/><category term='Colasoft Network Sniffer'/><category term='Windows Vista-64 bit Edition'/><category term='monitor network traffic'/><category term='monitoring'/><category term='Network Analysis'/><category term='protocal analyzer'/><category term='network managers'/><category term='How-to'/><category term='easy - to -use'/><category term='network loopholes'/><category term='Colasoft'/><category term='Case Study'/><category term='network protocol analyzer'/><category term='Network Administrators'/><category term='network analyzer'/><category term='network conversation'/><category term='password'/><category term='Network Monitoring'/><title type='text'>Network Sniffers, 
Troubleshoot Network Issues</title><subtitle type='html'>This blog is to share some FREE network tools with network administrators or IT managers! network sniffers, MAC scanner,Ping Tool,Packet Builder,Packet Player</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>42</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-7133478783643165609</id><published>2009-08-21T02:39:00.000-07:00</published><updated>2009-08-21T02:42:30.115-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MAC Scanner'/><category scheme='http://www.blogger.com/atom/ns#' term='network administrator'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='wireshark'/><category scheme='http://www.blogger.com/atom/ns#' term='capsa network analyzer'/><title type='text'>5 Tools That Every Network Administrator Should Have</title><content type='html'>&lt;p&gt;Every &lt;strong&gt;network administrator&lt;/strong&gt; has their own set of tools that they like to use&lt;br /&gt;&lt;br /&gt;on a daily basis to help them do their job. 
Here I list 5 tools I like most.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.colasoft.com/?prid=03060003"&gt;&lt;strong&gt;Network Analyzer&lt;/strong&gt;&lt;/a&gt; - There are actually two sniffer applications that I keep in my toolbox, &lt;a href="http://www.wireshark.org/"&gt;Wireshark&lt;/a&gt; and &lt;a href="http://www.colasoft.com/capsa/prid=03060003"&gt;Capsa Network Analyzer&lt;/a&gt;. Each program can satisfy different needs of mine; the difference is that Wireshark has more functionality when it comes to filters. But the strength of Capsa Network Analyzer, from my point of view, is the user interface. It presents the data in an extremely easy-to-read way, such that you don’t need to be a hard-core network engineer to see what’s happening, and the pretty graphs will make me happy.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;PuTTY&lt;/strong&gt; - PuTTY is a very versatile telnet application for use when you spend a lot of your day working on Cisco equipment. PuTTY allows a number of different ways to connect to a piece of equipment including Raw, Telnet, Rlogin, SSH, and, with the newest version of PuTTY, Serial connection. The newest Serial option becomes very handy for network administrators since HyperTerm is no longer available with Windows Vista and you still need a serial connection for new routers and switches. PuTTY is also very customizable and can be run from a USB drive without installing anything onto the computer.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;PumpKIN&lt;/strong&gt; - PumpKIN is a free FTP server program that you can download and use to host your computer as an FTP server. 
I use this program mainly for transferring Cisco images back and forth from the switch or router to my computer. This program becomes very valuable when you have a switch or router down that you need to get back up quickly.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;MAC Scanner Pro&lt;/strong&gt; - &lt;a href="http://www.colasoft.com/mac_scanner/?prid=03060003"&gt;Colasoft MAC Scanner Pro&lt;/a&gt; has some advanced features. Apart from scanning MAC addresses and IP addresses, the most practical feature is that it allows users to export or print the scanning results.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;NetStumbler&lt;/strong&gt; - NetStumbler was one of the first "Wardriving" programs you could get to pick up other people's wireless networks. I use this tool on a regular basis for the opposite reason: I want to be able to check for rogue access points on my network. I simply use this little tool and walk around all of my offices and see what wireless devices pop up. I have found a couple of employees who wanted to work outside or away from their office and added a wireless AP so they could.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;So those are 5 tools I believe every network administrator should have in their toolkit. 
For&lt;br /&gt;&lt;br /&gt;their ease of use, small size, and versatility they made my top 5 tools.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-7133478783643165609?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/7133478783643165609/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/5-tools-that-every-network.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/7133478783643165609'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/7133478783643165609'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/5-tools-that-every-network.html' title='5 Tools That Every Network Administrator Should Have'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-3425990166378230201</id><published>2009-08-20T02:36:00.000-07:00</published><updated>2009-08-20T02:41:49.756-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='capsa network analyzer'/><title type='text'>The 7 Most Common Mistakes Using Network Analyzers</title><content type='html'>&lt;a href="http://www.colasoft.com/?prid=03060003"&gt;&lt;img id="BLOGGER_PHOTO_ID_5371978053256041458" style="FLOAT: right; MARGIN: 0px 0px 10px 
10px; WIDTH: 125px; CURSOR: hand; HEIGHT: 125px" alt="Colasoft Capsa network analyzer" src="http://4.bp.blogspot.com/_LCrZaQE-Vo8/So0Zk9WFU_I/AAAAAAAAFFw/DjP9K6bL3Hk/s400/125_125_2.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;1) &lt;strong&gt;Over-Believing the Software's "Intelligence" without understanding how it makes determinations&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Software default settings are very seldom correct for YOU. For example, a device may say that a SQL server should respond in 50ms. But, if that device is across a WAN with a 200ms ping time--that is highly unlikely. This causes false SLOW SQL messages. This is only an example, but there are many such alerts and messages based on default "thresholds" within this type of software tool's configuration.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Particulars of your environment may create false alerts or other messages. The definitions of what is an "excessive" delay--latency--broadcasts, etc., are up to you--not the tool.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;It's important for you to know the default settings driving alerts and messages. Then, ignore or alter those alerts that are not set best--for your enterprise. Altering them to make the appropriate settings for your enterprise is the best strategy. 
Too many false flags or alerts numb you into ignoring important ones or cause you to make serious errors and incorrect decisions that can be very, very expensive.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Properly used, those features can save enormous amounts of time and show things your own eye would likely miss.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;2) &lt;strong&gt;Not understanding the Protocols used, such as &lt;a href="http://www.colasoft.com/resources/protocol.php?id=TCP/?prid=03060003"&gt;TCP&lt;/a&gt;, &lt;a href="http://www.colasoft.com/resources/protocol.php?id=HTTP/?prid=03060003"&gt;HTTP&lt;/a&gt;, etc&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;What good is a tool that tells you information about how a protocol is behaving if you do not understand the underlying technology? By this I mean the RFCs for the protocols that are relevant to your concerns.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;---What is the impact of various protocols working differently for the same application doing the same transaction--in different locations?&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;---What is expected according to specs--and how is your trace file showing different--or less optimal behavior?&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;---Why would there be 2 TCP connections from one location and 10 from another--for the same application doing the same transaction?&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;This short article cannot answer all these questions--but it can show you the types of information that you will need to understand in order to make sense out of the data a trace file will show you. Know the protocols well. Deep understanding of TCP is the basic price of admission. While you may consider this a matter of skill sets, my point is that attempting to troubleshoot a problem with a packet-sniffer while not understanding the protocols is a mistake--and a common one. 
If you add this point to the first one listed--about not believing all the standard settings on tools--you find that the tool cannot answer anything for you by itself. You need to know what you are looking at. You are the analyst--the tool is just an aid.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;3) &lt;strong&gt;Not understanding the layer 1 and layer 2 aspects of the topology you are sniffing&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Ethernet and all other topologies have many different specifications, which are altered or outright ignored by many switch or other network device manufacturers. You must know the specs and how the hardware you are working with applies those specs--or doesn't apply them. A classic example is Spanning Tree. There are IEEE specifications for Spanning Tree but those specifications are just a model...not a law. Each manufacturer has tweaked it in order to create some proprietary advancement to give them a competitive advantage. Sometimes, those advances become the new spec. However, you need to know what is standard and how your equipment varies on that theme. What good is seeing the BPDUs in a trace file if you don't understand what they contain or how they relate to the problem at hand? Again, this may be looked at as a skill set issue, but expecting to solve critical problems with a packet-sniffer while not knowing this about your network is a mistake.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;4) &lt;strong&gt;Uni-directional SPANs or Port Mirroring &amp;amp; Single-sided trace files&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Often the switch port used by a server you need to monitor is incapable of providing a bi-directional SPAN (Port Mirror). If so, you cannot get answers from such a trace as it will miss critical information. It can be an oversight by the Engineer doing the trace but sometimes it is simply not understood to be such a critical concern--and ignored. 
Either way, when you have a situation like this you need to bite the bullet and put in a Change Order to get it moved to a fully bi-directionally mirror-able port before any serious analysis can be done.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Here is a good example of why this is so. Picture a Client and a Server. The Server wants to end a specific TCP connection and keeps sending FINs. Yet, we never see the Client send back a FIN ACK. We do see other traffic between them and know that there is connectivity. So, here are the questions:&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;--Are the FINs not arriving at the Client--or--is the Client receiving them and appropriately sending back the FIN ACK--which is not getting back successfully?&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;---If so, then it is most likely a network issue.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;--Are the FINs arriving successfully--but being ignored by the Client?&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;---If so, then it is most likely a Server or OS or Data Center issue.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;These questions cannot be answered with a trace file that only sees one side of the conversation. Two traces, synchronized, are needed to determine the answer to these questions.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;5) &lt;strong&gt;Incorrect filters--either Capture or Display&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;An important concept here is that filters add nothing--they only remove--they only filter out. When you say that you are "filtering for" what you mean is that you are "filtering out" everything else. This isn't just semantics, as understanding this perspective is critical to success.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Capture Filters:&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Capture Filters are irreversible. If you filtered out something that you need to see--you just aren't going to see it. 
There is no second chance without running the test again.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Capture Filters determine what is allowed in the Capture Buffer. If the data is there to see--great. If you filtered what you need out--you can't change the filter after the fact. A very experienced Protocol Analyst may notice the problem by seeing anomalies that amount to the shadow of the missing data--but most will not be able to tell. And, of course, even if you can tell--you still have to re-test.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;This might lead you to think that you should not use Capture Filters--and that is half true. If you don't really need them--don't use them. However, if you are drinking your packets out of the Fire Hydrant--you have no choice. Under those conditions the data will fill up your Capture Buffer in less than a single second.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Another point is that they should be consistent within a Test Design. If they vary too much, they will create false differences that can easily lead the Network and Application Performance Analyst or Protocol Analyst astray.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Monitor Filters:&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Monitor Filters are forgiving. They work the same way--in that they filter out, not in. However, you can change your mind. The data is in the can (trace file) and it is only a matter of changing the filter to see what was filtered out the last time. Many times I am stumped and then have an idea--go back and change my Capture Filters--and bam! There is the answer. The point is--incorrect Monitor Filters will just as easily lead you astray--but you still have the opportunity to find your way back since the data is still there.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Again, this might leave you thinking to avoid Monitor Filters. Don't even consider it. 
Removing irrelevant packets is required to properly measure distinct conversations and search for anomalies. In fact, understanding proper filtering is what using the packet-sniffer software is all about.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;6) &lt;strong&gt;Lack of understanding of the &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;Network-Analyzer&lt;/a&gt;'s CURRENT settings&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Monday, you created a Capture Filter and left it as the default. Friday you need to capture a trace file and click on Capture. Various people perform their roles in the test and you save the trace file. Everyone goes home, back to their main job function or to bed. Then you look at it and discover that the old Capture Filter was still in effect! Why? You altered the Default Capture Filter instead of creating a new one. Your Trace File is useless.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Always remember to review ALL settings before beginning a test. Additionally, run a practice test to make sure all filters and settings are as they should be.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Sometimes the error you discover is that you were given an incorrect IP address and that you never would find what you are looking for from the IP address from which you are capturing packets. That is a GOOD finding. It means someone's diagram is incorrect. It also means you prevented a useless round of testing.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;7) &lt;strong&gt;Lack of test controls&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Like any proper experiment, a performance or application test requires a control group and controlled data for all groups. If it was a pharmaceutical test you might have a group with a placebo. In our field we need to create a "BESTline" first. 
A "Bestline" is not a baseline.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Here is an example.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;You have a Client in Singapore and a Server in New York City. The client in Singapore takes 40 milliseconds to execute a transaction and European clients only need 30 milliseconds. Singapore, although farther away, has a faster connection and is expected to get it done in the same time as Europe. What now? Take a BESTline. Use a client in New York City running the same transaction in the same way on similar equipment on the same server as the other two tests. You may discover that it still takes 25 milliseconds! This may be due to various issues in the Data Center, Server or PC itself; 25 milliseconds is the fastest it goes!&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;This means that the first 25 milliseconds have nothing to do with the transport distance or speed. It DOESN'T mean that you have to accept those 25 milliseconds. There is a great deal that can be done about it. However, it is not the network and you now know you have to focus on the Server, PC, Data Center and other components.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Such controls are easy to do--yet seldom done. 
That common error results in many false leads and false errors as well as lost time and money.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-3425990166378230201?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/3425990166378230201/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/7-most-common-mistakes-using-network.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/3425990166378230201'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/3425990166378230201'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/7-most-common-mistakes-using-network.html' title='The 7 Most Common Mistakes Using Network Analyzers'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_LCrZaQE-Vo8/So0Zk9WFU_I/AAAAAAAAFFw/DjP9K6bL3Hk/s72-c/125_125_2.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-2398178291172182226</id><published>2009-08-19T03:03:00.000-07:00</published><updated>2009-08-19T03:11:33.108-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category 
scheme='http://www.blogger.com/atom/ns#' term='network loopholes'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='security loopholes'/><title type='text'>How to Discover Network Security Loopholes</title><content type='html'>&lt;p align="left"&gt;There is an illusion today about discovering the loopholes in a network as the wonders of global connectivity unfold. Such diversity seems to call for companies to invest more in training their network operators in the discovery of network loopholes. At the same time, there are sophisticated hackers and crackers at large who spend sleepless nights contemplating how to accurately discover security loopholes in a network that would enable them to penetrate it. This calls for network security managers who have the ability to hack into their own systems first.&lt;br&gt;&lt;br /&gt;&lt;BR&gt;These few challenges are the main forces driving research on discovering network security loopholes, and as technological advances emerge, the cat and mouse game continues between attackers and protectors.&lt;BR&gt;&lt;br /&gt;The major method employed in most networks today to discover security loopholes is Penetration Testing, which is examined below.&lt;/p&gt;&lt;br /&gt;&lt;h3 align="left"&gt;&lt;span style="color: #666666"&gt;Penetration Testing&lt;/span&gt;&lt;/h3&gt;&lt;br /&gt;&lt;p align="justify"&gt;This can be defined as a process of actively testing information security measures. Organisations prefer to perform penetration tests to identify the threats facing them and to resolve their vulnerabilities and weaknesses.&lt;/p&gt;&lt;br /&gt;&lt;p align="justify"&gt;There are different types of penetration tests available. They are:&lt;/p&gt;&lt;br /&gt;&lt;p align="justify"&gt;i. 
External Penetration Testing&lt;BR&gt;&lt;br /&gt;This is the oldest approach to testing and is mainly focused on servers, infrastructure and software present in the target system. This type of testing is usually performed either with no prior knowledge of the site or with total knowledge of the network topology.&lt;BR&gt;&lt;br /&gt;&lt;BR&gt;ii. Internal Security Assessment&lt;BR&gt;&lt;br /&gt;This approach is similar to external penetration testing, with the added provision of a security report of the site. This testing is typically performed from a number of access points representing the different network segments. &lt;BR&gt;&lt;br /&gt; &lt;BR&gt;iii. Application Security Assessment&lt;BR&gt;&lt;br /&gt;This identifies and assesses threats to an organisation through software applications that might provide interactive access to potentially sensitive materials. It is essential that the applications are assessed to ensure that they do not expose the servers and the software to attack.&lt;/p&gt;&lt;br /&gt;&lt;p align="justify"&gt;iv. Telephony Security Assessment&lt;BR&gt;&lt;br /&gt;This assessment addresses security concerns relating to corporate voice technologies.&lt;BR&gt;&lt;br /&gt;&lt;br&gt;v. Social Engineering Security Assessment&lt;BR&gt;&lt;br /&gt;This assessment addresses social engineering, which is a non-technical kind of intrusion. &lt;BR&gt;&lt;br /&gt;For more information about Penetration Testing, a great website that has lots of information is penetration-testing.com. &lt;/p&gt;&lt;br /&gt;&lt;h3 align="left"&gt;&lt;span style="color: #666666"&gt;Network Analysing&lt;/span&gt;&lt;/h3&gt;&lt;br /&gt;&lt;p align="left"&gt;After the penetration testing, it is quite easy to detect and confirm the network problems with a &lt;a href="http://www.colasoft.com/index.php?prid=03060003"&gt;network sniffer/analyzer&lt;/a&gt;. 
With the professional data capturing technology and comprehensive capability of network analyzing, &lt;a href="http://www.colasoft.com/index.php?prid=03060003"&gt;Colasoft Network Analyzer&lt;/a&gt; will help you monitor your network within seconds and maximize your network value.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-2398178291172182226?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/2398178291172182226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/how-to-discover-network-security.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/2398178291172182226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/2398178291172182226'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/how-to-discover-network-security.html' title='How to Discover Network Security Loopholes'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-1020274911565132750</id><published>2009-08-18T19:59:00.000-07:00</published><updated>2009-08-18T20:20:10.048-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' 
term='network private'/><title type='text'>Are You Being Watched?</title><content type='html'>&lt;em&gt;by Brett Glass -- pcmag.com&lt;/em&gt;&lt;br /&gt;&lt;p&gt;How private is your PC data? Thanks to the proliferation of Internet worms and hardware and software spying tools, the erosion of loyalty between corporations and their employees, and the 9/11 disaster (which has caused many to value security over privacy and civil rights), the likelihood is greater than ever that your computer is reporting your every move to a suspicious spouse, a government agency, an employer, or the entire world. In this article, we'll cover the most prevalent spying hardware and software and explain how it can be used, abused, and detected.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;A hardware key logger is a device that captures keystrokes en route from keyboard to PC. KeyGhost (www.keyghost.com), a New Zealand company, offers two hardware key loggers. The first is an inconspicuous cable that runs from the keyboard to the PC (prices start at $139 and go up to $409 direct). The second is a keyboard with the logging hardware tucked entirely inside the case ($189 and up). The company claims to have a wide variety of bugged keyboards ready-made to match many brands of computers. If your existing keyboard is unique, KeyGhost will modify it and return it with the logger hidden inside. Both the internal and external versions have maximum capacities of about 2MB—enough memory to capture as much as a year's worth of typing. 
The Spy Store&lt;br /&gt;&lt;br /&gt;(www.thespystore.com/pcsurveillance.htm) shows a more compact external key logger ($139 direct).&lt;br /&gt;&lt;br /&gt;It has a smaller memory capacity, but its capabilities are otherwise similar.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Hardware key loggers usually can't be detected by software and may be tough for non-technical&lt;br /&gt;&lt;br /&gt;users to spot. They're also compatible with most operating systems and don't require complicated&lt;br /&gt;&lt;br /&gt;installations. The main drawback is that they can't capture the information that appears on the&lt;br /&gt;&lt;br /&gt;screen but isn't typed in by the user. So hardware devices are best used to sniff out small but&lt;br /&gt;&lt;br /&gt;vital pieces of information, such as passwords.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Although keystroke-logging hardware is relatively new, software that performs the same&lt;br /&gt;&lt;br /&gt;function is not. In 1988, I implemented a primitive network keystroke logger as a DOS TSR, using&lt;br /&gt;&lt;br /&gt;the NetBIOS protocol. My motivation at the time was not to spy but to ensure that my programming&lt;br /&gt;&lt;br /&gt;work was preserved on another machine in the event of a system crash.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;But today's spying programs do much more than log keystrokes. Spying software can be selective&lt;br /&gt;&lt;br /&gt;about the data it captures; administrators can set the software to skim information and then&lt;br /&gt;&lt;br /&gt;capture more data when certain criteria are met. WinWhatWhere Investigator&lt;br /&gt;&lt;br /&gt;(www.winwhatwhere.com), a major product in the monitoring market, captures keystrokes, e-mails&lt;br /&gt;&lt;br /&gt;information about your activities when key phrases are entered, and even renames itself and&lt;br /&gt;&lt;br /&gt;changes its location at random. 
If the victim's machine has a Webcam connected, WinWhatWhere&lt;br /&gt;&lt;br /&gt;snaps pictures periodically and sends them out surreptitiously.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;SpectorSoft (www.spectorsoft.com) makes Spector Pro, which captures screen shots, records e-&lt;br /&gt;&lt;br /&gt;mail and chat sessions, and logs keystrokes. In short, if something of interest to you happens on&lt;br /&gt;&lt;br /&gt;a user's machine, you will not only know what the person typed, you'll have logs of e-mail and&lt;br /&gt;&lt;br /&gt;chat room conversations and pictures of the screen. Competing products such as D.I.R.T., from&lt;br /&gt;&lt;br /&gt;Codex Data Systems' (www.codexdatasystems.com/menu.html), offer similar features. And several&lt;br /&gt;&lt;br /&gt;keystroke logger programs are freely available for download from many shareware archives. Logging&lt;br /&gt;&lt;br /&gt;software is easier to detect via system diagnostic tools, however, and may be wiped off the hard&lt;br /&gt;&lt;br /&gt;drive by reconfiguring or reinstalling the operating system.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;In some cases, spying software may be installed as a virus, worm, or Trojan horse that arrives&lt;br /&gt;&lt;br /&gt;via e-mail or an infected file. BackOrifice, a program created by a group of rogue hackers called&lt;br /&gt;&lt;br /&gt;The Cult of the Dead Cow, can be installed in this way and can spy on and even commandeer the&lt;br /&gt;&lt;br /&gt;victim's system. Several recent worms, including Badtrans.B, attempt to capture passwords and&lt;br /&gt;&lt;br /&gt;credit card information from users' systems and forward the information to the worms' creators&lt;br /&gt;&lt;br /&gt;via e-mail or Internet relay chat (IRC).&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Another spying technique uses a &lt;a href="http://www.colasoft.com/capsa?" 
prid="'03060003"&gt;&lt;strong&gt;network sniffer&lt;/strong&gt;&lt;/a&gt; (usually a computer running special software)&lt;br /&gt;&lt;br /&gt;installed on the same LAN as the victim's computer or upstream between the victim's computer and&lt;br /&gt;&lt;br /&gt;the Internet. The sniffer taps and records the raw data flowing between the victim and other&lt;br /&gt;&lt;br /&gt;machines; this data can be scanned later.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Only a few Internet protocols use encryption. E-mail is most often sent and retrieved as plain&lt;br /&gt;&lt;br /&gt;text, and the password needed to break into someone's electronic mailbox is very rarely&lt;br /&gt;&lt;br /&gt;encrypted. If encryption is used, a key logger can often be used to discover the password that&lt;br /&gt;&lt;br /&gt;unlocks the data.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;The FBI's Carnivore system, which is installed at ISP facilities to collect evidence, is one&lt;br /&gt;&lt;br /&gt;example of a network sniffer. Civilian tools that can sniff LAN traffic—even on networks&lt;br /&gt;&lt;br /&gt;supposedly protected from monitoring by network switches—are widely available for free via the&lt;br /&gt;&lt;br /&gt;Internet.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Even if the party who wants to spy on you has no physical access to your network, you cannot&lt;br /&gt;&lt;br /&gt;necessarily rest easy. A cracker who manages to gain control of any vulnerable system on your&lt;br /&gt;&lt;br /&gt;network can set it up to sniff traffic from the rest of the network. 
And recently revealed bugs&lt;br /&gt;&lt;br /&gt;in most implementations of SNMP (Simple Network Management Protocol) may provide an easy way for&lt;br /&gt;&lt;br /&gt;intruders to take over managed hubs and switches, routers, print servers, and network appliances.&lt;br /&gt;&lt;br /&gt;(For more on these bugs, see the CERT advisory.)&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-1020274911565132750?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/1020274911565132750/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/are-you-being-watched.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1020274911565132750'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1020274911565132750'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/are-you-being-watched.html' title='Are You Being Watched?'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-6499028558085162924</id><published>2009-08-14T02:19:00.000-07:00</published><updated>2009-08-14T02:26:52.950-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='switch'/><category scheme='http://www.blogger.com/atom/ns#' 
term='network data'/><category scheme='http://www.blogger.com/atom/ns#' term='hub'/><title type='text'>What is the difference between an Ethernet hub and switch?</title><content type='html'>&lt;p class="STYLE2" align="left"&gt;Although hubs and switches both glue the PCs in a network together, a switch is more expensive and a network built with switches is generally considered faster than one built with hubs. Why?&lt;/p&gt;&lt;br /&gt;&lt;table width="1194" border="0"&gt;&lt;br /&gt;&lt;tbody&gt;&lt;tr&gt;&lt;br /&gt;&lt;td&gt;&lt;span class="STYLE2"&gt;When a hub receives a packet (chunk) of data (a frame in Ethernet lingo) at one of its ports from a PC on the network, it transmits (repeats) the packet to all of its ports and, thus, to all of the other PCs on the network. If two or more PCs on the network try to send packets at the same time, a collision is said to occur. When that happens, all of the PCs have to go through a routine to resolve the conflict. The process is prescribed in the Ethernet Carrier Sense Multiple Access with Collision Detection (CSMA/CD) protocol. Each Ethernet adapter has both a receiver and a transmitter. If the adapters didn't have to listen with their receivers for collisions, they would be able to send data at the same time they are receiving it (full duplex). Because they have to operate at half duplex (data flows one way at a time) and a hub retransmits data from one PC to all of the PCs, the maximum bandwidth is 100 Mhz and that bandwidth is shared by all of the PCs connected to the hub. The result is that when a person using a computer on a hub downloads a large file or group of files from another computer, the network becomes congested. In a 10 Mhz 10Base-T network the effect is to slow the network to nearly a crawl.
The effect on a small, 100 Mbps (million bits per second), 5-port network is not as significant.&lt;/span&gt;&lt;/td&gt;&lt;br /&gt;&lt;td width="230"&gt;&lt;img class="alignright size-full wp-image-117" height="96" alt="xoverpin1" src="http://protocolanalyzer.blog.com/files/2009/08/xoverpin1.gif" width="223" /&gt;&lt;/td&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table width="1194" border="0"&gt;&lt;br /&gt;&lt;tbody&gt;&lt;tr&gt;&lt;br /&gt;&lt;td width="953"&gt;&lt;p class="STYLE2" align="left"&gt;Two computers can be connected directly together in an Ethernet with a &lt;a href="http://www.blogger.com/digest/Howto/network/cable/cable1.htm"&gt;&lt;strong&gt;crossover cable&lt;/strong&gt;&lt;/a&gt;. A crossover cable doesn't have a collision problem. It hardwires the Ethernet transmitter on one computer to the receiver on the other. Most 100BASE-TX Ethernet adapters can detect when listening for collisions is not required, using a process known as auto-negotiation, and will operate in full duplex mode when it is permitted. The result is that a crossover cable doesn't have delays caused by collisions, data can be sent in both directions simultaneously, the maximum available bandwidth is 200 Mbps, 100 Mbps each way, and there are no other PCs with which the bandwidth must be shared.&lt;/p&gt;&lt;/td&gt;&lt;br /&gt;&lt;td width="231"&gt;&lt;img class="alignright size-full wp-image-116" height="166" alt="workgrp4" src="http://protocolanalyzer.blog.com/files/2009/08/workgrp4.gif" width="226" /&gt;&lt;/td&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;p class="STYLE2" align="left"&gt;An Ethernet switch automatically divides the network into multiple segments, acts as a high-speed, selective bridge between the segments, and supports simultaneous connections of multiple pairs of computers which don't compete with other pairs of computers for network bandwidth.
It accomplishes this by maintaining a table of each destination address and its port. When the switch receives a packet, it reads the destination address from the header information in the packet, establishes a temporary connection between the source and destination ports, sends the packet on its way, and then terminates the connection.&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE2" align="left"&gt;Picture a switch as making multiple temporary crossover cable connections between pairs of computers (the cables are actually straight-thru cables; the crossover function is done inside the switch). High-speed electronics in the switch automatically connect the end of one cable (source port) from a sending computer to the end of another cable (destination port) going to the receiving computer on a per-packet basis. Multiple connections like this can occur simultaneously. It's as simple as that. And like a crossover cable between two PCs, PCs on an Ethernet switch do not share the transmission media, do not experience collisions or have to listen for them, can operate in full-duplex mode, have bandwidth as high as 200 Mbps, 100 Mbps each way, and do not share this bandwidth with other PCs on the switch. In short, a switch is "more better."&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;&lt;strong&gt;Conclusion:&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;Actually, &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Capsa&lt;/a&gt; customers frequently ask why they have to deploy Capsa on a hub only. From the information above, we can see that a switch transmits data selectively (by MAC address), while a hub sends the data to every port indiscriminately. So, we have to install Capsa on the hub to capture the data in the network.
&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/6499028558085162924/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/what-is-difference-between-ethernet-hub.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/6499028558085162924'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/6499028558085162924'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/what-is-difference-between-ethernet-hub.html' title='What is the difference between an Ethernet hub and switch?'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-1531941635031950074</id><published>2009-08-14T02:06:00.000-07:00</published><updated>2009-08-14T02:15:07.543-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Monitoring'/><category scheme='http://www.blogger.com/atom/ns#' term='Network Management'/><category scheme='http://www.blogger.com/atom/ns#' term='colasoft capsa network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='network'/><category scheme='http://www.blogger.com/atom/ns#' term='network managers'/><title type='text'>Understandings Network Management and Network 
Monitoring</title><content type='html'>&lt;p&gt;Network management may mean different things to different people. To some, network management may mean a network consultant monitoring network activity with a &lt;strong&gt;network analyzer&lt;/strong&gt; (&lt;a href="http://www.colasoft.com/?prid=03060003"&gt;Colasoft Capsa Network Analyzer&lt;/a&gt;); to others, network management may be about distributed database, high-end workstations generating and traffic. Generally speaking, network management is a service that uses a wide range of devices, tools, and applications to enable &lt;strong&gt;network managers&lt;/strong&gt; to&lt;strong&gt; monitor and maintain networks successfully &amp;amp; efficiently&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Network management deals with the top-level administration and maintenance of large, widespread networks, commonly seen in the fields of computing and telecommunications, which may, where necessary, include user terminal equipment.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Network management executes functions such as security, control, allocation, monitoring, coordination, deployment and planning, to name a few. It is also worth noting that network management is governed by several protocols that exist to support it, including SNMP, Common Information Model, CMIP, WBEM, Transaction Language 1, Java Management Extensions, and Netconf.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Routing is also an important area of network management. Routing refers to the process of selecting the paths in a computer network on which to send data. In this area of network management, logically addressed packets are transported from their source to their destination through intermediate nodes, called routers, in a process termed forwarding.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Successful network management also uses accounting management. This controls and reports on the financial status of the network.
This area of network management involves bank account maintenance, financial statement development, and analysis of cash flow and financial health.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Network monitoring&lt;/strong&gt;, in turn, is about policing network traffic. In other words, network monitoring is spying for the benefit of the smooth working of network management. Network monitoring is part of network management. Ideally, network monitoring is a function that one of your systems must perform on an ongoing basis. While the other systems are performing the functions assigned to them, one should set aside at least one computer to monitor network activity. This is network monitoring in a nutshell.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;The computer performing &lt;a href="http://www.colasoft.com/capsa/how_to_monitor_network_traffic.php/?prid=03060003"&gt;network monitoring&lt;/a&gt; must always be kept on, which means that the &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;network monitoring system&lt;/a&gt; should have exclusive power lines or a backup generator facility. Everyone should understand that the network monitoring system is the most critical part of any network, because it is with the help of network monitoring that the alarm will be sent if something is wrong.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Network monitoring will identify slow or failing systems and notify the &lt;strong&gt;network administrator&lt;/strong&gt; of such lapses.
Issues like overloaded systems, crashing servers, lost network connections, virus infections, and power outages will be dealt with without losing time if network monitoring is in place.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/1531941635031950074/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/understandings-network-management-and.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1531941635031950074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1531941635031950074'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/understandings-network-management-and.html' title='Understandings Network Management and Network Monitoring'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-3126423566025167336</id><published>2009-08-14T01:42:00.000-07:00</published><updated>2009-08-14T01:57:03.897-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='colasoft capsa network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='SMTP traffic'/><category scheme='http://www.blogger.com/atom/ns#' term='network administrator'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Spam'/><category scheme='http://www.blogger.com/atom/ns#' term='network traffic'/><title type='text'>How to Protect Your Network from Spam?</title><content type='html'>&lt;p&gt;According to the July 2009 edition of the MessageLabs Intelligence Report, spam remains a major problem. In fact, it has reached up to 90%; some European countries are higher, up to 95%.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Three main problems have caused this situation.&lt;/p&gt;&lt;br /&gt;&lt;ul type="disc"&gt;&lt;li&gt;The use of automated tools: Spammers use automated tools to generate email addresses based on domain names.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;URL-shortening spam: Many social networking services now offer URL shortening to users, and 6.2% of spam emails contain shortened URLs to mask unsafe destinations.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;International problem: Contrary to the assumption that the sources of spam emails are outside the United States, the July statistics show that at least 86% of all e-mails sent in the US are spam.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p&gt;As network administrators, what can we do to mitigate the effect of spam?&lt;/p&gt;&lt;br /&gt;&lt;p&gt;There are two specific network-level methods you can use.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Traffic management&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;It is a good idea to install a network analyzer like &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;strong&gt;Colasoft Capsa network analyzer&lt;/strong&gt;&lt;/a&gt; in your network. It will help you &lt;a href="http://www.colasoft.com/capsa/how_to_monitor_network_traffic.php/?prid=03060003"&gt;&lt;strong&gt;monitor network traffic&lt;/strong&gt;&lt;/a&gt; in real time, especially the SMTP traffic this article is concerned with.
Traffic management entails reducing overall message volume by relying on techniques that are implemented at the &lt;strong&gt;protocol level&lt;/strong&gt;. Essentially, unwanted senders are identified and their connections dramatically throttled using features that are inherent to the &lt;strong&gt;TCP protocol&lt;/strong&gt;. This slows incoming volumes of spam, giving legitimate mail an opportunity to be processed and expedited by the mail server.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;This technique is obviously effective, but it is nevertheless useful to reduce the effect of DoS-style e-mail flooding.&lt;/p&gt;&lt;br /&gt;&lt;strong&gt;Connection management&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;Another method is the use of connection management techniques. An example would be for incoming SMTP connections from sources known for sending spam and malware to be immediately rejected. Such blacklists can be applied at the firewall level and could also include open proxies or known botnets.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;The obvious benefit of connection management is that mail servers do not even have to waste processor cycles to deal with the incoming spam.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Do you have other methods?
Let's share our knowledge here!&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/3126423566025167336/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/how-to-protect-your-network-from-spam.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/3126423566025167336'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/3126423566025167336'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/how-to-protect-your-network-from-spam.html' title='How to Protect Your Network from Spam?'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-610424514020370756</id><published>2009-08-06T02:30:00.001-07:00</published><updated>2009-08-06T02:49:03.227-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network connectivity'/><category scheme='http://www.blogger.com/atom/ns#' term='network administrator'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='capsa network analyzer'/><title type='text'>Basic Network Troubleshooting Tips</title><content type='html'>Here you will learn &lt;span style="color:#005399;"&gt;network 
troubleshooting tips, fix tcp/ip errors, tcp/ip settings, internet connectivity errors, how to fix pc errors, lan connectivity issues, traceroute and ping commands&lt;/span&gt;. Whether your operating system is Windows or Linux, network problems are likely to arise. Many times, network problems arise due to improperly configured TCP/IP settings. The following is a basic checklist to identify and troubleshoot basic networking errors.&lt;br /&gt;1. First of all, find out what stopped working, the server or a client computer, and see whether the outage affects other computers or only one.&lt;br /&gt;&lt;br /&gt;2. If your server stopped working, inform the users of the server and start working on fixing the error.&lt;br /&gt;&lt;br /&gt;3. If a single client computer stopped working or was disconnected from the network, ask the user of that computer what recent changes caused the server to stop working, such as newly installed software or games, service packs, internet software, new hardware, or anything else.&lt;br /&gt;&lt;br /&gt;4. Check the physical network connectivity. Most network problems arise due to physical layer failures.&lt;br /&gt;&lt;br /&gt;5. Check all the network cable connections. Start at the NIC and check whether the green light is blinking, then check the hub and see whether the computer is getting a link across the cable.&lt;br /&gt;&lt;br /&gt;6. Get a cable tester to check the connectivity of the cables.&lt;br /&gt;&lt;br /&gt;7. Finally, start pinging the network; both Windows and Linux have the PING command. You can use the ping command this way: Start &amp;gt; Run &amp;gt; cmd &amp;gt; type "ping" followed by the IP address of the other computer.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="color:#005399;"&gt;How to Troubleshoot Connectivity problems&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;1.
Use the ping command to test basic connectivity. With ping you can isolate network hardware problems and incompatible configurations. With pathping you can detect packet loss.&lt;br /&gt;&lt;br /&gt;2. To watch ping statistics, use the ping -t command. To see statistics and continue, press CTRL+BREAK. To stop, press CTRL+C.&lt;br /&gt;&lt;br /&gt;3. If the remote system is across a high-delay link, such as a satellite link, responses may take longer.&lt;br /&gt;&lt;br /&gt;4. Check the event logs for entries related to the network card, other hardware and software configurations, and connectivity.&lt;br /&gt;&lt;br /&gt;5. Check whether the NIC is on the Microsoft Hardware Compatibility List (HCL).&lt;br /&gt;&lt;br /&gt;6. Check other computers that use the same gateway and are plugged into the same hub or switch. If these computers do not show any network connectivity problem, the problem is confined to the one computer.&lt;br /&gt;&lt;br /&gt;7. Contact the vendor of each NIC and motherboard and update the BIOS.&lt;br /&gt;&lt;br /&gt;8. Replace the system's network adapter with one from a known-good, correctly configured system and see whether the same error arises again.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="color:#005399;"&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;img id="Colasoft Capsa Network Analyzer" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 262px; CURSOR: hand; HEIGHT: 177px" alt="Colasoft Capsa Network Analyzer" src="http://www.colasoft.com/images/ready_for_w7.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;As network administrators, we need to learn basic network troubleshooting techniques.
Of course, there are many network analyzers on the market, such as &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;span style="color:#005399;"&gt;Colasoft Capsa Network Analyzer&lt;/span&gt;&lt;/a&gt;, which can provide more advanced &amp;amp; easier solutions for troubleshooting network problems. To learn more about Colasoft Capsa Network Analyzer, please visit &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;span style="color:#005399;"&gt;http://www.colasoft.com/capsa/&lt;/span&gt;&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-size:78%;color:#333333;"&gt;This article was rewritten by Tammy Zhou from Colasoft.com; please read the original copy of this article here: &lt;strong&gt;&lt;a href="http://www.networktutorials.info/how_to_troubleshoot.html"&gt;&lt;span style="color:#333333;"&gt;Basic Network Troubleshooting&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;.&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/610424514020370756/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/basic-network-troubleshooting-tips.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/610424514020370756'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/610424514020370756'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/basic-network-troubleshooting-tips.html' title='Basic Network Troubleshooting Tips'/><author><name>James 
Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-6356218896877001070</id><published>2009-08-05T23:52:00.000-07:00</published><updated>2009-08-05T23:53:15.861-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ARP attacking'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='ARP virus'/><category scheme='http://www.blogger.com/atom/ns#' term='ARP spoofing'/><title type='text'>Case Study: ARP spoofing HTTP infection malware</title><content type='html'>This year, we've seen many ARP spoofing viruses, also known as ARP cache-poisoning viruses. This type of malware comes in many variants and is widely spread in China. Recently, we uncovered an ARP spoofing virus that exhibits several new features.&lt;br /&gt;&lt;br /&gt;The new ARP spoofing virus inserts a malicious URL into the session of an HTTP response, thus including significant malicious content, and then exploits Internet Explorer. At the same time, the virus makes a poisoned host act as an HTTP proxy server. When any machine in the same subnet with the poisoned machine accesses the Internet, the traffic goes through the poisoned machine.&lt;br /&gt;&lt;br /&gt;Let's take a detailed look at the features of the latest ARP spoofing virus.&lt;br /&gt;&lt;br /&gt;This type of virus replaces the MAC address of the Gateway machine with the MAC address of the poisoned machine. 
The following screen shows the correct Gateway MAC address:&lt;br /&gt;&lt;img class="alignnone size-full wp-image-85" height="161" alt="arpspoof0" src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof0.jpg" width="457" /&gt;&lt;br /&gt;&lt;br /&gt;When we run the ARP spoofing virus, the Gateway MAC address is changed, as shown in the following diagram. The real Gateway MAC address is changed by the poisoned machine to the MAC address of the poisoned machine. Please review the following diagram.&lt;br /&gt;&lt;img class="alignnone size-full wp-image-86" height="260" alt="arpspoof1" src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof1.jpg" width="469" /&gt;&lt;br /&gt;&lt;br /&gt;Now let's view a detailed virus analytic report&lt;br /&gt;&lt;br /&gt;The following diagram shows the mechanism used by this type of virus. Normally, when we open a Web page, the traffic goes to the Gateway machine directly (see pathway 4). But if the local network is infected by an ARP spoofing virus, the traffic goes through the poisoned machine before it goes to the Gateway, as indicated by pathway 5 and pathway 6 below:&lt;br /&gt;&lt;img class="alignnone size-full wp-image-87" height="532" alt="arpspoof2" src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof2.jpg" width="550" /&gt;&lt;br /&gt;&lt;br /&gt;The following steps describe what occurs.&lt;br /&gt;&lt;br /&gt;First step: The poisoned machine broadcasts ARP spoofing packets saying "I am the Gateway"&lt;br /&gt;&lt;br /&gt;Second step: Each machine in the subnet receives an ARP spoofing packet and updates its ARP table, so the ARP cache is poisoned.&lt;br /&gt;&lt;br /&gt;Third step: A machine accesses the Internet through the poisoned machine, then the poisoned machine routes this HTTP packet through the Gateway (the poisoned machine uses a Net driver, such as wpcap.dll or WanPacket.dll, to get network traffic).&lt;br /&gt;&lt;br /&gt;Fourth step: The Gateway inserts a malicious URL into the HTTP 
response packet. Then it sends the malicious packet to the target machine.&lt;br /&gt;In the following code, we see how the virus inserts a malicious link:&lt;br /&gt;&lt;img class="alignnone size-full wp-image-88" height="106" alt="arpspoof3" src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof3.jpg" width="530" /&gt;&lt;br /&gt;&lt;br /&gt;In the code shown above, we can see partial IP address information. The information comes from the author's network environment, which is similar to the following:&lt;br /&gt;0000b3b0 255.255.255.0 (subnet mask)&lt;br /&gt;0000b3c0 10.xx.xx.58 (poisoned machine IP address)&lt;br /&gt;0000b840 10.xx.xx.1 (correct Gateway address)&lt;br /&gt;0000b850 10.xx.xx.* (subnet information)&lt;br /&gt;&lt;br /&gt;When the virus obtains this data, it scans the local subnet and then sends ARP spoofing packets to machines in the local subnet.&lt;br /&gt;Let's see how the virus implements these functions:&lt;br /&gt;&lt;img class="alignnone size-full wp-image-89" height="392" alt="arpspoof4" src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof4.jpg" width="462" /&gt;&lt;br /&gt;&lt;br /&gt;In the code above, the virus calls a system DLL file (iphlpapi.dll) to get general information about the local network adapter. The iphlpapi.dll file is a module containing the functions used by the Windows IP Helper API. Once the virus has the local network adapter information, it can build spoofed ARP packets. The following graphic shows detailed code:&lt;br /&gt;&lt;img class="alignnone size-full wp-image-90" height="114" alt="arpspoof5" src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof5.jpg" width="550" /&gt;&lt;br /&gt;&lt;br /&gt;We used OllyDbg to trace the virus into the Windows system space, and we obtained the code above. When we introduced this virus here, we needed some background knowledge.
The virus uses &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;strong&gt;Colasoft Capsa&lt;/strong&gt;&lt;/a&gt; to capture network traffic and insert malicious Web code into the HTTP response.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-6356218896877001070?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/6356218896877001070/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/case-study-arp-spoofing-http-infection.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/6356218896877001070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/6356218896877001070'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/case-study-arp-spoofing-http-infection.html' title='Case Study: ARP spoofing HTTP infection malware'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-568773279940911300</id><published>2009-08-04T01:28:00.000-07:00</published><updated>2009-08-04T01:29:42.244-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Learn about: Network Analysis'/><title type='text'>Learn about: Network Analysis</title><content type='html'>&lt;strong&gt;Definition&lt;/strong&gt;&lt;br /&gt;To compete and win, businesses must increasingly operate 
with an expanding footprint. Today’s global economic climate creates significant obstacles to managing the enterprise. Offshoring, outsourcing, and telecommuting, as well as emerging markets worldwide, are driving the development of a virtual workforce that is widely distributed across a rapidly rising number of remote locations. A wide area network (WAN) is required to provide personnel at these sites access to the systems, applications, and data that often reside at the headquarters facility. Because WAN health is directly proportional to employee productivity, network analysis is a critical function.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Applications&lt;/strong&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/?prid=01060001"&gt;Network analysis&lt;/a&gt; offers insights into what is happening not only over the WAN, but also on the local area network (LAN) at each location. Information pertaining to traffic flows, protocols, and even individual data packets can empower the IT organization responsible for the network to keep it operating at peak performance.&lt;br /&gt;&lt;br /&gt;Traffic information yields perspective on WAN and LAN bandwidth utilization, trends, and even the switch ports in use and what is connected to each port. Protocol information reveals vital views into the events taking place on the underlying network communications fabric. And data packets provide the most granular detail about precisely how the WAN and LAN are performing with respect to response times and the overall quality of the end user experience.&lt;br /&gt;&lt;br /&gt;When armed with these categories of information, IT can see remote network and application degradations before they become issues. They can tune bandwidth allocation and manage capacity more effectively. 
And they can improve availability, track quality of service metrics, and minimize the mean time to repair problems when they arise through rapid detection and accurate isolation.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Key Considerations&lt;/strong&gt;&lt;br /&gt;The challenge for IT is gaining access to the information so they can conduct &lt;a href="http://www.colasoft.com/?prid=01060001"&gt;network analysis&lt;/a&gt; and respond accordingly. Ironically, at the same time the enterprise is growing, companies are striving for efficiency by centralizing and consolidating IT. The lack of local IT presence at remote sites complicates the execution of network analysis.&lt;br /&gt;&lt;br /&gt;Realizing the benefits of network analysis for increasingly complex, widespread enterprises requires a solution that accounts for the following key considerations:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;li&gt;Accessibility&lt;/li&gt;–&lt;/strong&gt; The solution must include robust network analyzer hardware and software that can be deployed throughout the enterprise, but controlled remotely. The cost, time, and impacts associated with dispatching IT personnel to identify and resolve anomalies are prohibitive and unacceptable.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;li&gt;Aggregation&lt;/li&gt;–&lt;/strong&gt;The solution must possess the scalability to collect WAN and LAN information from all remote sites, regardless of whether the information is delivered directly or via a third-party service provider network.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;li&gt;Granularity&lt;/li&gt;–&lt;/strong&gt;The solution must provide vision into activities across all seven layers of the network. 
That means the solution must include not only traffic analysis, but also the packet capture and decode capabilities for network packet analysis.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;li&gt;Visibility&lt;/li&gt;–&lt;/strong&gt;The solution must automatically discover and account for WAN and LAN updates so accurate analytics can be maintained without requiring IT staff to be sent to remote locations. The solution also must display data through graphs, charts, reports, and network diagrams, so IT can quickly and conclusively identify and resolve problems anywhere in the enterprise.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;Colasoft Network Analyzer&lt;/a&gt; is offering you a comprehensive solution to monitor your network.&lt;br /&gt;&lt;br /&gt;&lt;img height="400" alt="  " src="http://protocolanalyzer.blog.com/files/2009/08/colasoft-packet-sniffer-screenshot.gif" width="600" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-568773279940911300?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/568773279940911300/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/learn-about-network-analysis.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/568773279940911300'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/568773279940911300'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/08/learn-about-network-analysis.html' title='Learn about: Network Analysis'/><author><name>James 
Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-295716194532153627</id><published>2009-07-30T01:57:00.000-07:00</published><updated>2009-07-30T02:01:31.911-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='TechRepublic'/><category scheme='http://www.blogger.com/atom/ns#' term='network administrator'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft Network Analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Capsa'/><title type='text'>Admin resource: Use the right tools to manage your network</title><content type='html'>To be an effective network administrator, you don't have to be a scientific genius. And you don't have to memorize a bunch of obscure facts about hardware and software. Instead, you need to know two things:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Where to find the appropriate solutions to technology problems when they arise&lt;/li&gt;&lt;br /&gt;&lt;li&gt;How to use the right tools for monitoring, troubleshooting, and managing the activities of the various systems on your network&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;br /&gt;We know TechRepublic is the biggest IT community, which provides kinds of sources you turn to for solutions when problems hit your network. 
To demonstrate that TechRepublic is worthy of being a solutions finder, here I've compiled a list of articles that discuss tools you can use to improve the management of your network.&lt;/p&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;a title="Permanent Link: Test-drive: Colasoft Capsa network analyzer" href="http://blogs.techrepublic.com.com/networking/?p=1733" rel="bookmark"&gt;&lt;strong&gt;Test-drive: Colasoft Capsa network analyzer&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Having good insight to your network is critical. There are so many potential issues that can be going on that any additional tool can be welcome. This can include attacks, transmissions and applications without encryption, or incorrect configurations bogging down the network.&lt;br /&gt;&lt;br /&gt;Recently, I had a chance to evaluate the&lt;a href="http://www.colasoft.com/capsa/?prid=03060003" target="_blank"&gt; Colasoft network analyzer&lt;/a&gt; or Capsa.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://techrepublic.com.com/5100-6265-1058078.html"&gt;Servers Alive is a valuable and inexpensive uptime monitoring tool"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To handle a problem, you have to know that it exists. That's where a program such as Servers Alive comes in. It can e-mail, page, or call an administrator with an automated alert when a system goes down, a router fails, or a service goes offline.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://techrepublic.com.com/5100-6265-5057776.html"&gt;"Let Big Brother keep tabs on the health of your servers"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Big Brother is another monitoring tool, but this one runs on Linux/UNIX (although it can monitor systems from other platforms). 
It's available free under an open source license.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://techrepublic.com.com/5100-6265-5055116.html"&gt;"PRTG makes it easy to monitor bandwidth"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Bandwidth is an expensive and critical commodity for most organizations. PRTG (and its Linux/UNIX cousin, MRTG) allow you to keep a close eye on bandwidth utilization and quickly spot any potential problems.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://techrepublic.com.com/5100-6265-1058144.html"&gt;"Get two must-have network tools--for free"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here's a peek at two handy troubleshooting tools—HyperTrace and NetStatLive. Since these are small, easy-to-use, and free, there's no excuse not to try them.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://techrepublic.com.com/5100-6265-1051996.html"&gt;"Quickly manage systems over KVM with BgInfo"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Most administrators who manage more than five or 10 servers usually have them loaded into a rack and access them with a KVM switch or remote access software. However, the more servers you have, the harder it can be to tell them apart—and making a configuration change to the wrong server can have disastrous consequences. BgInfo is a little tool that can help you set up desktop screens that allow you to quickly identify your servers.&lt;/li&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Final word&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Of course, this is not a comprehensive list of every tool you need to manage a network. It's just a sampling of the kinds of great tools that can make you more effective at spotting problems and getting them fixed in a timely fashion. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;For more information, please visit:http://articles.techrepublic.com.com/5100-10878_11-5074896.html. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-295716194532153627?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://blogs.techrepublic.com.com/networking/?p=1733' title='Admin resource: Use the right tools to manage your network'/><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/295716194532153627/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/07/admin-resource-use-right-tools-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/295716194532153627'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/295716194532153627'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/07/admin-resource-use-right-tools-to.html' title='Admin resource: Use the right tools to manage your network'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-1977328039364971068</id><published>2009-07-29T19:36:00.000-07:00</published><updated>2009-07-29T19:38:51.252-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='broadcast storm'/><category scheme='http://www.blogger.com/atom/ns#' term='network monitor'/><category scheme='http://www.blogger.com/atom/ns#' term='monitor broadcast storm'/><title type='text'>Monitor broadcast storm with Colasoft Capsa</title><content type='html'>Causes 
of broadcast storm:&lt;br /&gt;&lt;br /&gt;&lt;h2 class="STYLE2"&gt;Causes of broadcast storm:&lt;/h2&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Incorrect network design and plan&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Network equipment damage&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;A hub, as a broadcast device, easily leads to a broadcast storm&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;NIC or switching equipment damage&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Network loop&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Incorrect router configuration&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Virus&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h2 class="STYLE2"&gt;How to detect Broadcast Storm:&lt;/h2&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Step 1. Set up a broadcast packet filter&lt;br /&gt;&lt;br /&gt;Open Filter --&amp;gt; Add --&amp;gt; From Filter Table, check "Broadcast":&lt;/p&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-63" height="400" alt="untitled-11" src="http://protocolanalyzer.blog.com/files/2009/07/untitled-11.jpg" width="600" /&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Step 2. Detect relevant parameters of the broadcast storm&lt;/p&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-64" height="400" alt="untitled-21" src="http://protocolanalyzer.blog.com/files/2009/07/untitled-21.jpg" width="600" /&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;1.
Statistical parameters&lt;/p&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;broadcast packets bytes&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;total broadcast packets&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;packets per second&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;packet size distribution&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;protocol type&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;etc. (add according to your own network)&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;&lt;strong&gt;How to make use of these parameters?&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Take 100M Ethernet as an example. The maximum packets per second is 12.5M x 1024 = 12800 Bytes/s. If the value of packets per second of broadcast is greater than or close to it, then we can conclude that there is a broadcast storm.&lt;br /&gt;&lt;br /&gt;The packet totals, counts, and size distribution differ according to the size of the network.&lt;br /&gt;&lt;br /&gt;Protocol Type mainly shows which protocols have the largest traffic utilization. (PS: Care must be taken to distinguish ARP Request and ARP Response: ARP Request is broadcast, while ARP Response is unicast.)&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;2. IPID Identification of the packet&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;The IPID is the unique value that identifies the packet.
If a protocol accounts for a large share of traffic utilization, we can check its IPID in the Packets view; if the values are the same, we can confirm it is caused by a network loop.&lt;/p&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-65" height="400" alt="untitled-31" src="http://protocolanalyzer.blog.com/files/2009/07/untitled-31.jpg" width="600" /&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Currently, network loops are one of the main causes of broadcast storms. &lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;3. Check the Utilization&lt;/p&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-66" height="400" alt="untitled-4" src="http://protocolanalyzer.blog.com/files/2009/07/untitled-4.jpg" width="600" /&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;How to make use of the utilization parameters?&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Utilization is divided into "Utilization (bits)" &amp;amp; "Utilization (percentage)". Network utilization is calculated as: bits per second (in the "Summary" view) / network bandwidth (100M or 1000M Ethernet).
Ordinarily, the network is fine if the utilization is 50% on an Ethernet; we can conclude that there must be a broadcast storm in the network if the utilization of broadcast is over 30%.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;Download the latest &lt;a href="http://www.colasoft.com/download/products/capsa.php?prid=01060001"&gt;&lt;strong&gt;Capsa 6.9R2&lt;/strong&gt;&lt;/a&gt; (Windows 7 supported) to monitor your network performance in time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-1977328039364971068?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/1977328039364971068/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/07/monitor-broadcast-storm-with-colasoft.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1977328039364971068'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1977328039364971068'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/07/monitor-broadcast-storm-with-colasoft.html' title='Monitor broadcast storm with Colasoft Capsa'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-8527596673122518547</id><published>2009-07-29T03:05:00.000-07:00</published><updated>2009-07-29T03:13:17.355-07:00</updated><category
scheme='http://www.blogger.com/atom/ns#' term='packet management'/><category scheme='http://www.blogger.com/atom/ns#' term='network monitor'/><category scheme='http://www.blogger.com/atom/ns#' term='IP monitor'/><category scheme='http://www.blogger.com/atom/ns#' term='IP analyzer'/><title type='text'>How to analyze the statistic of a specific IP in LAN with Colasoft Capsa?</title><content type='html'>Nowadays, computers are a necessity in the majority of companies all over the world. Network managers/administrators have to monitor their network, grasp the network status in time, and find the best solution once any abnormal condition occurs in the network. They have to make sure the whole network status is visible to them, down to the traffic, conversations, and packets of one specific IP address. Without appropriate network management, a large number of risks will appear in your network.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;strong&gt;Colasoft Capsa 6.9R2&lt;/strong&gt;&lt;/a&gt;, which supports Windows 7, is such an ideal network monitor. This article explains how to analyze the statistics of a specific IP address when you need to analyze the stats by locating an IP address.&lt;br /&gt;&lt;br /&gt;For example:&lt;br /&gt;There are 200 hosts in the LAN. You have detected that the network became very slow due to BT downloading by a specific IP address: 192.168.6.5. To check the stats under this IP (protocols, conversations, packets, etc.) and prove it is the IP address responsible, you need to locate it. In Colasoft Capsa, there are 2 ways to do this:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;1. Select the IP address under "IP Explorer" in the left Explorer window:&lt;/strong&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-54" height="400" alt="untitled-1" src="http://protocolanalyzer.blog.com/files/2009/07/untitled-1.jpg" width="600" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2.
Add the IP address in the Filter settings, as follows:&lt;/strong&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-55" height="400" alt="untitled-2" src="http://protocolanalyzer.blog.com/files/2009/07/untitled-2.jpg" width="600" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-56" height="400" alt="untitled-3" src="http://protocolanalyzer.blog.com/files/2009/07/untitled-3.jpg" width="600" /&gt;&lt;br /&gt;&lt;br /&gt;Then we can check only the stats related to "192.168.6.5" to further confirm the problem. For more information on "How to Track BitTorrent User in Network with Colasoft Packet Sniffer", please go to http://blog.colasoft.com/how-to-track-bittorrent-user-in-network-with-colasoft-packet-sniffer/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-8527596673122518547?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/8527596673122518547/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/07/how-to-analyze-statistic-of-specific-ip.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/8527596673122518547'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/8527596673122518547'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/07/how-to-analyze-statistic-of-specific-ip.html' title='How to analyze the statistic of a specific IP in LAN with Colasoft Capsa?'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail'
width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-6837062757040531948</id><published>2009-07-16T01:32:00.000-07:00</published><updated>2009-07-16T01:47:30.284-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='network administrator'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='ARP attack'/><category scheme='http://www.blogger.com/atom/ns#' term='Capsa'/><title type='text'>How to Troubleshoot ARP Attacks with Colasoft Capsa</title><content type='html'>&lt;table&gt;For &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;Colasoft Capsa&lt;/a&gt; you can get an easy use but advanced network traffic monitoring, protocol analysis and diagnosis view software. It is a specialist to help you solve LAN troubles. 
&lt;p&gt;ARP attacks, because of their simplicity, speed, and effectiveness, are becoming increasingly popular among Internet attackers, severely affecting the Internet environment. With Colasoft Capsa, we can quickly and accurately locate the ARP source when an ARP attack hits the network, so as to ensure normal and reliable network operation.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;We have four basic solutions for locating an ARP attack with Colasoft Capsa:&lt;/p&gt;&lt;br /&gt;&lt;li&gt;View ARP diagnosis events in the &lt;strong&gt;Diagnosis View&lt;/strong&gt;;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;View ARP request and response packets in the &lt;strong&gt;Protocol View&lt;/strong&gt;;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;View original information of ARP packets in the &lt;strong&gt;Packets View&lt;/strong&gt;;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;View node information in the &lt;strong&gt;Endpoints View&lt;/strong&gt;;&lt;/li&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Solution one:&lt;/strong&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Diagnosis View &lt;/strong&gt;is the most direct and effective place to locate an ARP attack and should be our first choice. Its interface is shown in picture 1.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php/?prid=03060003"&gt;&lt;img height="241" src="http://www.colasoft.com/images/howto/arp_attack_pic1.gif" width="582" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Picture 1 clearly shows that there are two kinds of ARP attack events in the network, ARP Too Many Unrequested Response and ARP Request Storm, and the attack source is clearly given at the bottom. Meanwhile, Capsa will provide the reasons for such ARP attacks and corresponding solutions.&lt;/p&gt;&lt;br /&gt;&lt;strong&gt;Solution two: &lt;/strong&gt;&lt;br /&gt;&lt;p&gt;The status of ARP packets is displayed in the &lt;strong&gt;Protocol View&lt;/strong&gt;, as in picture 2.
Here we must pay special attention to the values of ARP Request and ARP Response. The ratio of ARP Request to ARP Response should be approximately 1:1 under general conditions. If there is a great difference between these two values, there may be ARP attacks in the network.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php/?prid=03060003"&gt;&lt;img height="155" src="http://www.colasoft.com/images/howto/arp_attack_pic2.gif" width="609" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;In picture 2 there are 3484 ARP Request packets but only 507 ARP Response packets; by comparing these two values, we can presume there are ARP attacks in the network.&lt;/p&gt;&lt;br /&gt;&lt;strong&gt;Solution three: &lt;/strong&gt;&lt;br /&gt;&lt;p&gt;Packet decoding information in the &lt;strong&gt;Packets View&lt;/strong&gt; can tell us the original information of ARP packets; please look at picture 3.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php/?prid=03060003"&gt;&lt;img height="485" src="http://www.colasoft.com/images/howto/arp_attack_pic3.jpg" width="577" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;(Picture 3)&lt;/p&gt;&lt;br /&gt;&lt;p&gt;By decoding ARP packets, we can find out the source and destination of the ARP packets, and the function and the authenticity of these ARP packets. &lt;/p&gt;&lt;br /&gt;&lt;strong&gt;Solution four:&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;Identify ARP attack in the &lt;strong&gt;Endpoints View&lt;/strong&gt;. (See picture 4)&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php/?prid=03060003"&gt;&lt;img src="http://www.colasoft.com/images/howto/arp_attack_pic4.gif" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;(Picture 4)&lt;/p&gt;&lt;br /&gt;&lt;p&gt;In the &lt;strong&gt;Endpoints View&lt;/strong&gt; we can view the correlation between MAC addresses and IP addresses.
Generally speaking, one MAC address should have only one IP address corresponding to it. If one MAC address has multiple IP addresses mapped to it, the cause may be one of the following:&lt;/p&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;the host with the MAC address is the gateway;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;these IP addresses are bound to the MAC address manually;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;an ARP attack.&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;So the &lt;strong&gt;Endpoints View &lt;/strong&gt;can also give us a hint for locating an ARP attack.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;In addition, the &lt;strong&gt;Matrix View&lt;/strong&gt; allows us to see communication information between hosts in the network, which helps us quickly identify abnormal conditions and locate the attack source.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php/?prid=03060003"&gt;&lt;img height="442" src="http://www.colasoft.com/images/howto/arp_attack_pic5.gif" width="515" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;(Matrix View)&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt; &lt;/p&gt;&lt;br /&gt;&lt;p&gt;ARP attacks, among the most popular attacks in recent days, may cause severe problems for our network. How to troubleshoot ARP attacks quickly is a concern for every network administrator. &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Colasoft Capsa&lt;/a&gt; will greatly enhance network administrators’ capability to identify ARP attacks and protect the network from ARP attacks, so as to ensure normal network operation.
Besides quickly locating ARP attacks, Colasoft Capsa can also analyze network anomalies, locate failed nodes, enhance network security, and evaluate and improve network performance.&lt;/p&gt;&lt;tbody&gt;&lt;/tbody&gt;&lt;br /&gt;&lt;/table&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/6837062757040531948/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/07/how-to-troubleshoot-arp-attacks-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/6837062757040531948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/6837062757040531948'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/07/how-to-troubleshoot-arp-attacks-with.html' title='How to Troubleshoot ARP Attacks with Colasoft Capsa'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-7994425793142239983</id><published>2009-07-02T02:03:00.000-07:00</published><updated>2009-07-02T02:06:25.953-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network conversation'/><category scheme='http://www.blogger.com/atom/ns#' term='network monitor'/><category scheme='http://www.blogger.com/atom/ns#' term='monitor email'/><category 
scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Why should we monitor the network conversation?</title><content type='html'>&lt;p&gt;In a networked organization, especially a company, enterprise, school, bank, NSA, etc., confidential information is very important, and it may be very dangerous if it is divulged.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Also, a company or enterprise boss can find out at any time what his staff are talking about over the Internet, no matter whether they are using MSN, Yahoo, Gtalk, ICQ, AIM… or email and webmail…&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;In this situation, we need a network monitor/packet sniffer, not only to monitor network conversations, but also to safeguard our network security and prevent danger beforehand.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Resolution&lt;/strong&gt;&lt;br /&gt;Taking &lt;a href="http://www.colasoft.com/capsa/?prid=01060001" target="_blank"&gt;Colasoft Capsa 6.9&lt;/a&gt; as an example, we will show you how to monitor email activity &amp;amp; content with it step by step:&lt;br /&gt;&lt;br /&gt;1. Choose “Logs” from the main window.&lt;br /&gt;&lt;img class="alignnone size-full wp-image-337" title="untitled-12" height="257" alt="untitled-12" src="http://blog.colasoft.com/wp-content/uploads/2009/07/untitled-12.jpg" width="550" /&gt;&lt;br /&gt;&lt;br /&gt;2. As shown in the following illustration, a pop-up window for changing settings appears after you choose “Logs”.&lt;br /&gt;Go to Email Log→Log File Settings, then change the settings indicated by the arrow.&lt;br /&gt;&lt;img class="alignnone size-full wp-image-338" title="untitled-22" height="443" alt="untitled-22" src="http://blog.colasoft.com/wp-content/uploads/2009/07/untitled-22.jpg" width="550" /&gt;&lt;br /&gt;&lt;br /&gt;3.
Choose Email Messages in the Logs view to find detailed information on all email activity.&lt;br /&gt;&lt;img class="alignnone size-full wp-image-339" title="untitled-32" height="378" alt="untitled-32" src="http://blog.colasoft.com/wp-content/uploads/2009/07/untitled-32.jpg" width="550" /&gt;&lt;br /&gt;&lt;br /&gt;4. Just double-click the crossband to check the content of any email you want to read.&lt;br /&gt;&lt;img class="alignnone size-full wp-image-340" title="untitled-42" height="381" alt="untitled-42" src="http://blog.colasoft.com/wp-content/uploads/2009/07/untitled-42.jpg" width="550" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Conclusion:&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;For every organization, institution, company, enterprise, etc., confidential information is very important and must never be leaked.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;Apart from traditional file encryption and video surveillance, what can we do if we are in a huge network?
In this situation, a powerful &lt;a href="http://www.colasoft.com/index.php?prid=01060001" target="_blank"&gt;packet sniffer/network analyzer&lt;/a&gt; is quite a good right hand.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/7994425793142239983/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/07/why-should-we-monitor-network.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/7994425793142239983'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/7994425793142239983'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/07/why-should-we-monitor-network.html' title='Why should we monitor the network conversation?'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-535799021160519170</id><published>2009-06-30T03:03:00.000-07:00</published><updated>2009-06-30T03:04:55.367-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Capsa'/><category scheme='http://www.blogger.com/atom/ns#' term='Ping Tool'/><category 
scheme='http://www.blogger.com/atom/ns#' term='connectivity problem'/><title type='text'>How to Troubleshoot Connectivity problems</title><content type='html'>&lt;p&gt;&lt;strong&gt;These tips will help you fix connectivity problems&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;1. Use the &lt;strong&gt;ping command&lt;/strong&gt; to test basic connectivity. By using the ping command you can isolate network hardware problems and incompatible configurations. By using the pathping command you can detect packet loss.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;2. To watch Ping statistics, use the ping -t command. To see statistics and continue, press CTRL+BREAK. To stop, press CTRL+C. You can also use a free network tool, &lt;a href="http://www.colasoft.com/download/products/ping_tool.php/?prid=03060003"&gt;&lt;strong&gt;Colasoft Ping Tool&lt;/strong&gt;&lt;/a&gt;, to execute the Ping command on multiple computers at the same time and see detailed Ping statistics. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;3. If your remote system is across a high-delay link, such as a satellite link, responses may take longer. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;4. Check the event logs for entries related to the network card, other hardware and software configurations, and connectivity. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;5. Check whether the NIC card is on the Microsoft Hardware Compatibility List (HCL). &lt;/p&gt;&lt;br /&gt;&lt;p&gt;6. Check other computers that use the same gateway and are plugged into the same hub or switch. If these computers do not show any network connectivity problem, then the problem is limited to that one computer. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;7. Contact the vendor of each NIC and motherboard and update the BIOS. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;8. Replace the network adapter of the system with one from a properly configured system and see if the same error arises again.
&lt;/p&gt;&lt;br /&gt;&lt;p&gt;This article is extracted from networktutorials by Colasoft writer. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;About Colasoft Co., Ltd &lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Colasoft Co., Ltd is a leading network management and analysis software enterprise. &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;Colasoft Network Analyzer&lt;/a&gt; - &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Capsa&lt;/a&gt;, an expert packet analyzer and network sniffing tool, is the flagship of Colasoft product line; its real time capturing, accurate analysis, continuous logs and extended diagnoses for network events, have made it indispensable for network troubleshooting. &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-535799021160519170?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/535799021160519170/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/how-to-troubleshoot-connectivity.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/535799021160519170'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/535799021160519170'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/how-to-troubleshoot-connectivity.html' title='How to Troubleshoot Connectivity problems'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-9148489244658449948</id><published>2009-06-23T01:20:00.000-07:00</published><updated>2009-06-23T01:56:48.685-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='MAC Scanner Pro'/><title type='text'>Recommend 5 Nice FREE Network Analysis Tools to Network Admins</title><content type='html'>&lt;p&gt;Colasoft, with its all-in-one &amp;amp; easy-to-use &lt;a href="http://www.colasoft.com/"&gt;network analyzer&lt;/a&gt; -Capsa, has been known and recognized in network analysis industry. Today let me &lt;a href="http://topnetworksniffers.blogspot.com/2009/06/recommend-5-nice-free-network-analysis.html"&gt;recommend 5 nice Colasoft network analysis tools&lt;/a&gt; to all network administrators, the tools are totally free and very simple but helpful.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.colasoft.com/mac_scanner/index.php?act=recommend"&gt;&lt;strong&gt;Colasoft MAC Scanner Pro &lt;/strong&gt;&lt;br /&gt;&lt;/a&gt;&lt;a href="http://www.colasoft.com/mac_scanner/index.php?act=recommend"&gt;&lt;img id="BLOGGER_PHOTO_ID_5350442656110486418" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 182px; CURSOR: hand; HEIGHT: 232px" alt="Colasoft MAC Scanner Pro" src="http://2.bp.blogspot.com/_LCrZaQE-Vo8/SkCXP3SQI5I/AAAAAAAAFEo/yRjW1QtfeuY/s400/get_mac_scanner_ad.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;List MAC addresses and IP addresses in your local subnet in seconds. Network administration will never become efficient before you know exactly who is the user and where is the computer. 
MAC Scanner Pro will do it for you.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Core Values:&lt;br /&gt;&lt;br /&gt;.Scan MAC addresses and IP addresses&lt;br /&gt;&lt;br /&gt;.Save scan results into a database for future reference and network maintenance.&lt;br /&gt;&lt;br /&gt;.Add attributes (such as the user name and physical location of the host) to scan results and save them in the database.&lt;br /&gt;&lt;br /&gt;.Automatically compare new MAC scan results with database records and report differences and new records (illegal access).&lt;br /&gt;&lt;br /&gt;.Print and Print Review MAC Scan Results&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;&lt;br /&gt;Special Notice:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Colasoft is launching a campaign this month:&lt;strong&gt; you can get a license key of MAC Scanner Pro edition for free as long as you recommend a friend to download MAC Scanner free edition successfully&lt;/strong&gt;. To find out more about this, please go to http://www.colasoft.com/mac_scanner/index.php?act=recommend.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Colasoft Ping Tool&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Colasoft Ping Tool can ping multiple IP addresses simultaneously and compare response times in a graphic chart. Users can view historical charts and save the charts to a *.bmp file. With this built-in tool, users are able to ping the IP addresses of captured packets in a protocol analyzer (e.g.
Colasoft Capsa) conveniently, including source IP, destination IP or both.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Colasoft Packet Builder&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common HEX editing of raw data, it features a Decoding Editor that lets users edit specific protocol field values much more easily.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Colasoft Packet Player&lt;br /&gt;&lt;br /&gt;&lt;/strong&gt;Colasoft Packet Player is a packet replayer which allows users to open captured packet trace files and play them back in the network. It supports many packet trace file formats created by sniffer software such as Colasoft Capsa, Ethereal, Network General Sniffer and WildPackets EtherPeek/OmniPeek, etc.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Besides sending packet files at the original interval between loops, Colasoft Packet Player also supports sending packet files in burst mode and defining the delay between loops if the loop count is more than one.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/9148489244658449948/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/recommend-5-nice-free-network-analysis.html#comment-form' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/9148489244658449948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/9148489244658449948'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/recommend-5-nice-free-network-analysis.html' title='Recommend 5 Nice FREE Network Analysis Tools to Network Admins'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_LCrZaQE-Vo8/SkCXP3SQI5I/AAAAAAAAFEo/yRjW1QtfeuY/s72-c/get_mac_scanner_ad.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-733612813211273432</id><published>2009-06-18T20:21:00.000-07:00</published><updated>2009-06-18T20:24:37.880-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft MAC Scanner'/><title type='text'>Colasoft Will be No Longer Silent, Starting a Network Analysis Market Storm with MAC Scanner Pro 2.2</title><content type='html'>June 18, 2009, Colasoft, Which specialized in network analysis field for more than 7 years, today announced that, they will take effective measures to seize network analysis and network monitoring market as soon as possible, the first bomb they will toss is to make MAC Scanner Pro 2.2 Free, which has 7 strong features that traditional MAC Scanner doesn’t have. 
This event signifies that Colasoft formally begins its powerful market development after years’ focused products developing.&lt;br /&gt;&lt;br /&gt;Up to now, &lt;a href="http://www.colasoft.com/?03060003."&gt;Colasoft &lt;/a&gt;has main product lines, Colasoft Network Analyzer - Capsa, Network Monitor – Unipeek MSN Monitor, Network Tools including Colasoft MAC Scanner, Colasoft Ping Tool, Colasoft Packet Builder, and Colasoft Packet Player. Its products have covered more than 60 countries worldwide and more than 55 Fortune 500 Enterprises like IBM, Airbus, and DELL are using Colasoft Network Analyzer-Capsa.&lt;br /&gt;&lt;br /&gt;Compared with the network analysis Giant in this industry, – Wireshark, Colasoft has its irreplaceable characteristics and strengths. 1, Colasoft Network Analyzer is a Windows-based software, which make users more easily operate on Windows platform than Wireshark; 2, Colasoft Network Analyzer is an Easy – to – Use software, which doesn’t require users to have much specialized knowledge on network analysis.&lt;br /&gt;&lt;br /&gt;About this market campaign, Colasoft is intending to induct current FREE MAC Scanner and Network Analyzer customers to recommend two of their contacts to download FREE MAC Scanner, consequently, get a MAC Scanner Pro 2.2 for FREE, this campaign will last two weeks from today on.&lt;br /&gt;&lt;br /&gt;About Colasoft&lt;br /&gt;&lt;br /&gt;Ever since 2001, Colasoft has been an innovative provider of all-in-one and easy-to-use network analyzer software for network administrators and IT managers to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Up to now, more than 5000 customers in over 70 countries trust the flagship product – Capsa as their network monitoring and troubleshooting solution. Colasoft also offers four free network utilities: Colasoft Packet Builder, Colasoft Packet Player, Colasoft MAC Scanner, and Colasoft Ping Tool. 
Learn more about Colasoft and its solutions, please visit &lt;a href="http://www.colasoft.com/"&gt;http://www.colasoft.com/&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-733612813211273432?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/733612813211273432/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/colasoft-will-be-no-longer-silent.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/733612813211273432'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/733612813211273432'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/colasoft-will-be-no-longer-silent.html' title='Colasoft Will be No Longer Silent, Starting a Network Analysis Market Storm with MAC Scanner Pro 2.2'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-4882269131758117353</id><published>2009-06-16T02:56:00.000-07:00</published><updated>2009-06-16T03:00:50.865-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft Capsa'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>14 Tips to Protect Your Organization's Network</title><content 
type='html'>&lt;a href="http://www.colasoft.com/?03060003"&gt;&lt;img id="Colasoft Network Analyzer" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 125px; CURSOR: hand; HEIGHT: 125px" alt="Colasoft Network Analyzer" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/SjdshqFnnLI/AAAAAAAAFEg/WgJ38NcmnmM/s400/125_125_2.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;Network security is an infinitely complex and dynamic subject, but implementing these &lt;a href="http://topnetworksniffers.blogspot.com/2009/06/14-tips-to-protect-your-organizations.html"&gt;simple measures &lt;/a&gt;will go a long way toward protecting your Organization's LAN.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;1,&lt;strong&gt; Run &lt;a href="http://www.colasoft.com/?03060003"&gt;Network Analyzer&lt;/a&gt; Frequently.&lt;/strong&gt; We recommend an easy-to-use network analyzer, &lt;a href="http://www.colasoft.com/capsa/?03060003"&gt;Colasoft Capsa&lt;/a&gt;. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;2, &lt;strong&gt;Disable drives&lt;/strong&gt;: Disable floppy drive access, USB ports and serial ports on networked computers.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;3,&lt;strong&gt; Restrict Permissions&lt;/strong&gt;: Windows 2000 and 2003 server allow you to set permissions so that users can't run downloaded 'exe' or other executable files. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;4,&lt;strong&gt; Block Instant Messenger&lt;/strong&gt;: IM and its cousins, ICQ and Yahoo Messenger, send messages and attachments out to a server and then back to its clients. You lose control when this happens.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;5,&lt;strong&gt; Password Protect Your BIOS&lt;/strong&gt;: A BIOS without an administrator password is an invitation to mischief.
&lt;/p&gt;&lt;br /&gt;&lt;p&gt;6,&lt;strong&gt; Run AV Software&lt;/strong&gt;: Run anti-virus software on all your computers.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;7,&lt;strong&gt; Build Your Defenses&lt;/strong&gt;: Install a firewall or a proxy server.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;8,&lt;strong&gt; Beware Of Attachments From Unknown, Untrusted Sources&lt;/strong&gt;: Do not open email attachments unless you trust the sender.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;9,&lt;strong&gt; Monitor Your Ports&lt;/strong&gt;: Install a port monitor to prevent your ports from being scanned.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;10,&lt;strong&gt; Encrypt Wireless Access&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;11,&lt;strong&gt; Keep Back Office Systems Off The Organization Network&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;12,&lt;strong&gt; Require passwords to be changed frequently&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;13,&lt;strong&gt; Use CTRL+ALT+DEL to log on&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;14,&lt;strong&gt; Keep your networking skills up to date.&lt;/strong&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/4882269131758117353/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/14-tips-to-protect-your-organizations.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/4882269131758117353'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/4882269131758117353'/><link rel='alternate' type='text/html' 
href='http://topnetworksniffers.blogspot.com/2009/06/14-tips-to-protect-your-organizations.html' title='14 Tips to Protect Your Organization&apos;s Network'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/SjdshqFnnLI/AAAAAAAAFEg/WgJ38NcmnmM/s72-c/125_125_2.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-5524455090879848726</id><published>2009-06-10T23:33:00.000-07:00</published><updated>2009-06-10T23:34:56.819-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='traffic analytics'/><category scheme='http://www.blogger.com/atom/ns#' term='end point'/><category scheme='http://www.blogger.com/atom/ns#' term='large traffic'/><category scheme='http://www.blogger.com/atom/ns#' term='network malfunction'/><title type='text'>How to detect the network malfunction via the end-point view with Colasoft Capsa</title><content type='html'>&lt;p style="TEXT-ALIGN: left"&gt;&lt;strong&gt;Brief introduction about the Endpoint view in &lt;a title="Colasoft Capsa 6.9" href="http://www.colasoft.com/capsa/?prid=03060003" target="_self"&gt;Colasoft Capsa&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;It is divided into Mac endpoint and IP endpoint in Colasoft 6.9. Users can detect the IP/Mac endpoint in the largest traffic in a short time by the endpoint analytics. And also, The system supply clear statistics of traffic ranking(Top 5 IP endpoint under HTTP protocol).&lt;br /&gt;&lt;br /&gt;In the Endpoint view, we can see the specific traffic situation clearly of all the hosts(Including a network segment, a Mac address, and a IP address) in the currently network. 
Examples include the hosts with the largest total traffic, hosts that send/receive the most traffic, hosts that send/receive the most packets, etc.&lt;br /&gt;&lt;br /&gt;From this information, we can confirm whether there is a broadcast/multicast storm, and help users detect network malfunctions such as a slow network, network disconnection, worm attacks, DoS attacks, and other malfunctions.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Application case study&lt;/strong&gt;&lt;br /&gt;Once we meet a network malfunction or attack, the most important things to pay attention to are the current total network traffic, sent/received traffic, network connections, etc., to get a clear direction for finding the problem. All of this information is included in the endpoint view in Colasoft Capsa 6.9 (figure 1):&lt;br /&gt;&lt;br /&gt;&lt;img class="size-full wp-image-31" title="endponit_view_1" height="285" alt="endponit_view_1" src="http://protocolanalyzer.wordpress.com/files/2009/06/untitled-11.jpg" width="551" /&gt;&lt;br /&gt;&lt;br /&gt;In figure 1 we can sort by total traffic, network connections and other related information to find and locate the host with the largest traffic or the most connections in the network.
For example, at present, the host with the most network connections is , so we can locate the host, then check the related connection information (figure 2):&lt;br /&gt;&lt;br /&gt;From the connection information shown in figure 2, we can see that has set up a large number of TCP connections with other hosts, that the destination addresses and destination endpoints are not fixed, and that many of the connections are in the state of a client requesting synchronization.&lt;br /&gt;&lt;p style="TEXT-ALIGN: left"&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img class="size-full wp-image-32" title="endpoint_view_2" height="283" alt="endpoint_view_2" src="http://protocolanalyzer.wordpress.com/files/2009/06/untitled-2.jpg" width="550" /&gt;&lt;br /&gt;&lt;p style="TEXT-ALIGN: left"&gt;Next, check the TCP packets. We can view them in Summary and Graphic as follows:&lt;/p&gt;&lt;br /&gt;&lt;p style="TEXT-ALIGN: left"&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img class="size-full wp-image-33" title="endpoint_view_3" height="248" alt="endpoint_view_3" src="http://protocolanalyzer.wordpress.com/files/2009/06/untitled-3.jpg" width="551" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img class="size-full wp-image-34" title="endpoint_view_4" height="289" alt="endpoint_view_4" src="http://protocolanalyzer.wordpress.com/files/2009/06/untitled-4.jpg" width="546" /&gt;&lt;br /&gt;&lt;p style="TEXT-ALIGN: left"&gt;In the TCP packets information, we found has sent TCP synchronization packet, and the TCP FIN packets and TCP Reset packets are, this is deviant in the network.&lt;/p&gt;&lt;br /&gt;&lt;p style="TEXT-ALIGN: left"&gt;Please go to the &lt;a title="Capsa FAQ" 
href="http://www.colasoft.com/capsa/network_solution.php?prid=03060003" target="_blank"&gt;Colasoft Official FAQ page&lt;/a&gt; for more "How-tos"&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-5524455090879848726?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/5524455090879848726/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/how-to-detect-network-malfunction-via.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/5524455090879848726'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/5524455090879848726'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/how-to-detect-network-malfunction-via.html' title='How to detect the network malfunction via the end-point view with Colasoft Capsa'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-3577419460687290202</id><published>2009-06-10T03:15:00.000-07:00</published><updated>2009-06-10T03:16:48.038-07:00</updated><title type='text'>How to Track BitTorrent User in Network with Colasoft Packet Sniffer</title><content type='html'>&lt;strong&gt;BitTorrent Consumes Big Bandwidth&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Based on the working principle of BitTorrent protocol, if somebody is downloading big files with 
BitTorrent software, it will be a disaster for other users who need bandwidth for business operations, as the user will consume a large amount of bandwidth, causing prolonged network slowness, intermittent connectivity and even disconnections, because while the user is downloading files from others, others are downloading files from him.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;So IT administrators need to track the BitTorrent user in the first place to regain network bandwidth for business operations. Blocking the BitTorrent protocol is one way; this article discusses how to &lt;a title="how to track BitTorrent user" href="http://blog.colasoft.com/how-to-track-bittorrent-user-in-network-with-colasoft-packet-sniffer/"&gt;track a BitTorrent user&lt;/a&gt; with &lt;a title="colasoft packet sniffer" href="http://www.colasoft.com/capsa/?prid=csblog" target="_blank"&gt;Colasoft Packet Sniffer&lt;/a&gt;.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;How to Track a BitTorrent User?&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;em&gt;&amp;gt;Step1. &lt;a title="Download Colasoft Packet Sniffer Free Trial" href="http://www.colasoft.com/download/products/capsa.php?prid=csblog" target="_blank"&gt;Download a free trial&lt;/a&gt; and &lt;a title="implement packet sniffer correct" href="http://www.colasoft.com/support/installation.php?prid=csblog" target="_blank"&gt;implement it correctly&lt;/a&gt;&lt;/em&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;em&gt;&amp;gt;Step2. Launch a project and start capturing data&lt;/em&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;em&gt;&amp;gt;Step3. 
Find BitTorrent Protocol in the "Protocols" Tab&lt;/em&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/06/track-bittorrent-user-ss1.jpg"&gt;&lt;img class="size-full wp-image-190" title="Track BitTorrent User Screenshot 1" height="359" alt="Track BitTorrent User Screenshot 1" src="http://blog.colasoft.com/wp-content/uploads/2009/06/track-bittorrent-user-ss1.jpg" width="480" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;em&gt;&amp;gt;Step4. Locate BitTorrent Protocol in the "Explorer"&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Use the "Locate" function to locate the BitTorrent protocol in the "Explorer" so that only that protocol's data is analyzed.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/06/track-bittorrent-user-ss2.jpg"&gt;&lt;img class="size-full wp-image-191" title="Track BitTorrent User Screenshot 2" height="359" alt="Track BitTorrent User Screenshot 2" src="http://blog.colasoft.com/wp-content/uploads/2009/06/track-bittorrent-user-ss2.jpg" width="480" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;em&gt;&amp;gt;Step5. Track BitTorrent User in LAN in the "Endpoint" Tab&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;This is how to track the BitTorrent user in our network and the hosts that are connected with him. 
There is a lot more we can see from this tab, such as how much data has been downloaded and uploaded via BitTorrent protocol.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/06/track-bittorrent-user-ss3.jpg"&gt;&lt;img class="size-full wp-image-192" title="Track BitTorrent User Screenshot 3" height="359" alt="Track BitTorrent User Screenshot 3" src="http://blog.colasoft.com/wp-content/uploads/2009/06/track-bittorrent-user-ss3.jpg" width="480" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;View how many connections have been built in "Matrix"&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;You’ll be shocked to see how many connections have been built in the "Matrix" Tab. In this case, we can see this user has built more than 1000 connections with other hosts.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/06/track-bittorrent-user-ss4.jpg"&gt;&lt;img class="size-full wp-image-193" title="Track BitTorrent User Screenshot 4" height="359" alt="Track BitTorrent User Screenshot 4" src="http://blog.colasoft.com/wp-content/uploads/2009/06/track-bittorrent-user-ss4.jpg" width="480" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;About BitTorrent&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;BitTorrent is a peer-to-peer file sharing protocol used for distributing large amounts of data. BitTorrent is one of the most common protocols for transferring large files.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;The protocol works when a file provider initially makes his/her file (or group of files) available to the network. This is called a seed and allows others, named peers, to connect and download the file. Each peer that downloads a part of the data makes it available to other peers to download. After the file is successfully downloaded by a peer, many continue to make the data available, becoming additional seeds. 
This distributed nature of BitTorrent leads to a viral spreading of a file throughout peers. As more peers join the swarm, the likelihood of a successful download increases. Relative to standard Internet hosting, this provides a significant reduction in the original distributor's hardware and bandwidth resource costs. It also provides redundancy against system problems and reduces dependence on the original distributor.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Next Step&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;a title="Download Colasoft Packet Sniffer Free Trial" href="http://www.colasoft.com/download/products/capsa.php?prid=csblog" target="_blank"&gt;&amp;gt;&amp;gt;Download a Free Trial&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-3577419460687290202?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/3577419460687290202/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/how-to-track-bittorrent-user-in-network.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/3577419460687290202'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/3577419460687290202'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/how-to-track-bittorrent-user-in-network.html' title='How to Track BitTorrent User in Network with Colasoft Packet Sniffer'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-4362434923396545753</id><published>2009-06-10T01:16:00.000-07:00</published><updated>2009-06-10T01:17:36.068-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='howto'/><category scheme='http://www.blogger.com/atom/ns#' term='MSN'/><category scheme='http://www.blogger.com/atom/ns#' term='Unipeek'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='chat'/><title type='text'>How to Monitor MSN Chat with Free Unipeek MSN Monitor</title><content type='html'>For some purposes we want to monitor MSN chat around the network: for example, parents want to monitor the MSN chat of their kids to ensure their safety; bosses want to monitor the MSN chat of employees for the security of company assets and to improve work efficiency by minimizing non-business chat during working hours. You may still remember Colasoft MSN Monitor; it is now called &lt;a title="Unipeek MSN Monitor" href="http://www.msn-monitor.com/index.php" target="_blank"&gt;Unipeek MSN Monitor&lt;/a&gt; and it is distributed &lt;strong&gt;completely Free&lt;/strong&gt; for non-commercial users.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Now let’s see how we can &lt;a title="How to Monitor MSN Chat" href="http://blog.colasoft.com/how-to-monitor-msn-chat-with-free-unipeek-msn-monitor/" target="_blank"&gt;monitor MSN chat&lt;/a&gt; with Unipeek MSN Monitor, the free tool.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Step1. Download Unipeek MSN Monitor&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a title="Download Unipeek MSN Monitor" href="http://www.msn-monitor.com/download_msn_monitor.php" target="_blank"&gt;Download Unipeek MSN Monitor&lt;/a&gt;, the free edition, from the website. 
As a matter of fact, there is no functional difference between the free edition and the commercial edition of Unipeek MSN Monitor. The only difference is that Unipeek MSN Monitor Free Edition supports a maximum of 10 MSN accounts, which is quite enough for family users.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Step2. Install and Deploy Unipeek MSN Monitor&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;The installation is quick and simple: just click “next” all the way to complete the installation. But the deployment is somewhat different. As Unipeek MSN Monitor is designed based on &lt;a title="Colasoft Network Analyzer Software for Windows" href="http://www.colasoft.com/?prid=03060003" target="_blank"&gt;Colasoft&lt;/a&gt;’s packet capturing technology, it has to be &lt;a title="how to deploy packet sniffer" href="http://www.colasoft.com/support/installation.php?prid=03060003" target="_blank"&gt;deployed properly&lt;/a&gt; like a packet sniffer if you want to monitor all MSN chat around the network. Of course, you don’t have to do it if you only want to monitor MSN chat of a single computer. To monitor multiple computers, you can install multiple copies.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/06/monitor-msn-chat-ss1.jpg"&gt;&lt;img class="size-full wp-image-179" title="How to Monitor MSN Chat Screenshot 1" height="376" alt="How to Monitor MSN Chat Screenshot 1" src="http://blog.colasoft.com/wp-content/uploads/2009/06/monitor-msn-chat-ss1.jpg" width="526" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Step3. 
Run It and Start Monitoring MSN Chat&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;After proper installation and deployment, we can start monitoring MSN chat right away.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/06/monitor-msn-chat-ss2.jpg"&gt;&lt;img class="size-full wp-image-180" title="How to Monitor MSN Chat Screenshot 2" height="408" alt="How to Monitor MSN Chat Screenshot 2" src="http://blog.colasoft.com/wp-content/uploads/2009/06/monitor-msn-chat-ss2.jpg" width="544" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;About Unipeek MSN Monitor&lt;/strong&gt;&lt;br /&gt;Unipeek MSN Monitor (MSN sniffer) is free MSN monitoring software for MSN chat monitoring and MSN message archiving. Based on Colasoft's packet analysis technology, Unipeek MSN Monitor is able to deliver the most accurate MSN monitoring statistics, and automatically record data for future reference. You need only install Unipeek MSN Monitor once to monitor all MSN chats over the local network.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Key Features include:&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;• Real-time and 24/7 MSN chat monitoring&lt;br /&gt;&lt;br /&gt;• Automatically archive MSN messages for future reference&lt;br /&gt;&lt;br /&gt;• Export messages of a custom time range&lt;br /&gt;&lt;br /&gt;• Customize MSN account list to be monitored&lt;br /&gt;&lt;br /&gt;• Unique Conversation Matrix showing account relations&lt;br /&gt;&lt;br /&gt;• Support emotion icons, message font size and color.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Download Now&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;a title="Download Unipeek MSN Monitor" href="http://www.msn-monitor.com/download_msn_monitor.php" target="_blank"&gt;Download Unipeek MSN Monitor&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/6743573607670198921-4362434923396545753?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/4362434923396545753/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/how-to-monitor-msn-chat-with-free.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/4362434923396545753'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/4362434923396545753'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/how-to-monitor-msn-chat-with-free.html' title='How to Monitor MSN Chat with Free Unipeek MSN Monitor'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-7648631745987733939</id><published>2009-06-05T00:41:00.000-07:00</published><updated>2009-06-05T00:56:49.096-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network usage'/><category scheme='http://www.blogger.com/atom/ns#' term='Network Administrators'/><category scheme='http://www.blogger.com/atom/ns#' term='intrusion attempts'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft Network Analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='IM'/><category scheme='http://www.blogger.com/atom/ns#' term='network intrusion'/><title type='text'>Business IM: Risks and Resolutions</title><content type='html'>&lt;p 
align="left"&gt;Do your users use IM in your network? If I asked this question, I believe above 95% of &lt;strong&gt;network administrators&lt;/strong&gt; would answer: Yes, of course.&lt;br /&gt;&lt;br /&gt;With the rapid development of instant messaging tools such as MSN, Yahoo IM, AOL IM and Google Talk, they are no longer used just for personal entertainment but also as workplace tools. However, according to a survey on the Internet, most IM users are unaware of the risks IM may pose to the organization. Here we list the main &lt;strong&gt;&lt;a href="http://topnetworksniffers.blogspot.com/2009/06/business-im-risks-and-resolutions.html"&gt;Business IM Risks and Resolutions&lt;/a&gt;&lt;/strong&gt;:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;• &lt;strong&gt;Information leaks &lt;/strong&gt;– Confidential materials, intellectual property, or proprietary information can be revealed, either intentionally or accidentally, through IM sessions or file transfers.&lt;br /&gt;&lt;br /&gt;• &lt;strong&gt;Worms, viruses, etc. &lt;/strong&gt;– Numerous malware programs target public IM systems and allow them to bypass standard firewalls and mail server antivirus systems.&lt;br /&gt;&lt;br /&gt;• &lt;strong&gt;Network hacks and intrusions &lt;/strong&gt;– Hackers use IM operating ports to bypass other security barriers and enter the corporate network unimpeded.&lt;br /&gt;&lt;br /&gt;• &lt;strong&gt;Compliance, regulatory, or legal violations &lt;/strong&gt;– Organizations subject to government oversight and compliance mandates may find themselves creating legal issues by failing to properly monitor, log, and regulate IM sessions and content.&lt;br /&gt;&lt;br /&gt;• &lt;strong&gt;Productivity loss &lt;/strong&gt;– Idle chat can disrupt employee productivity. 
&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p align="left"&gt;IM has so many risks; does it mean that we have to prohibit instant messaging in the workplace? Of course not. IM has irreplaceable benefits over other communication methods such as email, phone calls and SMS, and we have some good suggestions to decrease the IM risks.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Deploy network analysis tools&lt;/strong&gt; like &lt;a href="http://www.colasoft.com/?03060003"&gt;Colasoft Network Analyzer&lt;/a&gt; on your computer, to detect network intrusion attempts, monitor network usage, gain information for effecting a network intrusion. &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;&lt;img id="Colasoft network analyzer" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 120px; CURSOR: hand; HEIGHT: 240px" alt="Colasoft network analyzer" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/SijN4AY8-sI/AAAAAAAAFEQ/JR1_jX4XoS8/s400/120_240_2.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Regularly remind your users to update or upgrade their antivirus software&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Create written policies &lt;/strong&gt;– Clearly and explicitly define acceptable and unacceptable use of instant messaging within the business environment.&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-7648631745987733939?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/7648631745987733939/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/business-im-risks-and-resolutions.html#comment-form' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/7648631745987733939'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/7648631745987733939'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/business-im-risks-and-resolutions.html' title='Business IM: Risks and Resolutions'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/SijN4AY8-sI/AAAAAAAAFEQ/JR1_jX4XoS8/s72-c/120_240_2.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-1618628910479379116</id><published>2009-06-02T00:25:00.000-07:00</published><updated>2009-06-02T00:29:09.555-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='packet sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='protocal analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Slow internet connections'/><category scheme='http://www.blogger.com/atom/ns#' term='Troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='easy - to -use'/><title type='text'>Tips for Troubleshooting Slow Internet Connections</title><content type='html'>&lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;img id="BLOGGER_PHOTO_ID_5342628463017401362" style="FLOAT: 
right; MARGIN: 0px 0px 10px 10px; WIDTH: 107px; CURSOR: hand; HEIGHT: 400px" alt="Colasoft Network Analyzer" src="http://1.bp.blogspot.com/_LCrZaQE-Vo8/SiTUR9kLHBI/AAAAAAAAFEI/uO6LClBc698/s400/160_600.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;Follow these steps to diagnose your slow &lt;strong&gt;Internet connections&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;1. Configure Broadband Router Settings Properly&lt;br /&gt;&lt;br /&gt;An improper broadband router configuration will probably lead to slow Internet connections. Keep your router's settings consistent with the manufacturer's and your Internet Service Provider's (ISP) recommendations.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;2. Reposition Router and Change Wi-Fi Channel Number&lt;br /&gt;&lt;br /&gt;Signal interference, which forces computers to constantly resend messages to overcome signal issues, may affect the performance of Wi-Fi and other types of wireless connections. Repositioning your router and changing your Wi-Fi channel number may improve your connection performance. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;3. Run Antivirus Software Regularly to Diagnose and Remove Worms&lt;br /&gt;&lt;br /&gt;If any of your computers are infected, an Internet worm may begin generating huge network traffic, causing a slow network connection. Remember to run antivirus software regularly to diagnose and remove these worms from your computers. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;4. Don't Forget the Running Background Applications&lt;br /&gt;&lt;br /&gt;Some useful background applications, like peer-to-peer (P2P) programs, consume a great deal of network resources. Therefore, don’t overlook the running background applications when facing slow network connection issues. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;5. Temporarily Re-Arrange and Re-Configure Your Gear&lt;br /&gt;&lt;br /&gt;Faulty network equipment typically won't support connections. 
To troubleshoot potentially faulty equipment, temporarily re-arrange and re-configure your gear while experimenting with different configurations. Try bypassing the router, swapping cables and changing network adapters to isolate the slow performance to a specific component of the system.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;6. Ask Your Service Provider&lt;br /&gt;&lt;br /&gt;Internet speed ultimately depends on the service provider. Don’t forget to ask your ISP what happened if you suspect they are mainly responsible for your poor connection performance. &lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The reasons for slow connections are diverse. The &lt;a href="http://networksniffer.blog.com/2009/06/02/tips-for-troubleshooting-slow-internet-connections/"&gt;6 tips for troubleshooting slow internet connections&lt;/a&gt; are basic solutions that may guide you when you suffer network connection problems. However, diagnosing and troubleshooting the issues manually is not easy work. Nowadays, many network administrators choose easy-to-use network analysis tools, like &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;Colasoft Network Analyzer&lt;/a&gt; (also called a packet sniffer, network sniffer or protocol analyzer), to monitor, analyze, and troubleshoot their network in minutes. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-1618628910479379116?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/1618628910479379116/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/tips-for-troubleshooting-slow-internet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1618628910479379116'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1618628910479379116'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/06/tips-for-troubleshooting-slow-internet.html' title='Tips for Troubleshooting Slow Internet Connections'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_LCrZaQE-Vo8/SiTUR9kLHBI/AAAAAAAAFEI/uO6LClBc698/s72-c/160_600.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-1921336477943768498</id><published>2009-05-19T02:34:00.000-07:00</published><updated>2009-05-19T03:01:48.306-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Packet Player'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft MAC Scanner'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Ping Tool'/><category scheme='http://www.blogger.com/atom/ns#' term='Packet Builder'/><title type='text'>Introduce Four Free Network Tools to Network Administrators</title><content type='html'>Today, let me &lt;strong&gt;&lt;a href="http://topnetworksniffers.blogspot.com/2009/05/introduce-four-free-network-tools-to.html"&gt;introduce four FREE network tools to all network administrators&lt;/a&gt;&lt;/strong&gt;. The tools from &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;Colasoft&lt;/a&gt; are totally free and widely used, so don't miss them, guys.&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.colasoft.com/download/products/mac_scanner.php/?prid=03060003"&gt;Colasoft MAC Scanner&lt;br /&gt;&lt;/a&gt;&lt;/strong&gt;Colasoft MAC Scanner is a scan tool used for scanning &lt;strong&gt;IP addresses&lt;/strong&gt; and &lt;strong&gt;MAC addresses&lt;/strong&gt; in a local network. It displays scan results in a list, including IP address, MAC address, Host Name and Manufacturer. It will group all IP addresses according to MAC address if a MAC address is configured with multiple IP addresses. The scan results can be exported to a .txt file for future reference.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.colasoft.com/download/products/ping_tool.php/?prid=03060003"&gt;&lt;strong&gt;Colasoft Ping Tool&lt;/strong&gt;&lt;br /&gt;&lt;/a&gt;Colasoft Ping Tool can ping multiple IP addresses simultaneously and compare response times in a graphic chart. Users can view historical charts and save the charts to a *.bmp file. With this built-in tool, users are able to ping the IP addresses of captured packets in a protocol analyzer (e.g. 
&lt;a href="http://www.colasoft.com/?prid=03060003"&gt;Colasoft Network Analyzer&lt;/a&gt;) conveniently, including source IP, destination IP or both.&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.colasoft.com/download/products/packet_builder.php/?prid=03060003"&gt;&lt;strong&gt;Colasoft Packet Builder&lt;/strong&gt;&lt;br /&gt;&lt;/a&gt;Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common hex editing of raw data, it features a Decoding Editor that makes it much easier for users to edit specific protocol field values.&lt;br /&gt;&lt;br /&gt;Users are also able to edit decoding information in two editors - Decode Editor and Hex Editor. Users can select one of the provided templates (Ethernet Packet, ARP Packet, IP Packet, TCP Packet and UDP Packet) and change the parameters in the decoder editor, hexadecimal editor or ASCII editor to create a packet. Any changes will be immediately displayed in the other two windows. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to the network.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.colasoft.com/download/products/packet_player.php/?prid=03060003"&gt;&lt;strong&gt;Colasoft Packet Player&lt;/strong&gt;&lt;br /&gt;&lt;/a&gt;Colasoft Packet Player is a packet replayer which allows users to open captured packet trace files and play them back in the network. 
It supports many packet trace file formats created by sniffer software such as &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;Colasoft Network Analyzer&lt;/a&gt;, Ethereal, Network General Sniffer and WildPackets EtherPeek/OmniPeek, etc.&lt;br /&gt;&lt;br /&gt;Besides sending packet files at the original interval, Colasoft Packet Player also supports sending packet files in burst mode and defining the delay between loops if the loop count is more than one.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-1921336477943768498?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/1921336477943768498/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/introduce-four-free-network-tools-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1921336477943768498'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1921336477943768498'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/introduce-four-free-network-tools-to.html' title='Introduce Four Free Network Tools to Network Administrators'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-5225439881598907960</id><published>2009-05-14T23:39:00.000-07:00</published><updated>2009-05-15T00:06:26.170-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SNMP Monitoring'/><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#' term='TDR'/><category scheme='http://www.blogger.com/atom/ns#' term='Decoy'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='Hub lights'/><category scheme='http://www.blogger.com/atom/ns#' term='ARP'/><category scheme='http://www.blogger.com/atom/ns#' term='Ping Tool'/><category scheme='http://www.blogger.com/atom/ns#' term='Sourse- route'/><category scheme='http://www.blogger.com/atom/ns#' term='Host'/><category scheme='http://www.blogger.com/atom/ns#' term='Latency'/><title type='text'>How Can I Detect a Network Sniffer?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/?prid=03060003"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 300px; height: 250px;" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/Sg0Oz-_sp8I/AAAAAAAAFEA/e7mi2EQzEmQ/s400/need+a+colasoft+network+analyzer.gif" alt="colasoft network analyzer" id="colasoft network analyzer" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;The article "How can I detect a network sniffer" is extracted by Jason Lee from &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;www.Colasoft.com&lt;/a&gt;  for knowledge sharing. 
For a complete copy on this topic, please visit &lt;a href="http://web.archive.org/web/20050221103207/http://www.robertgraham.com/pubs/sniffing-faq.html"&gt;Sniffing (network wiretap, sniffer) FAQ&lt;/a&gt;&lt;/span&gt;.&lt;br /&gt;&lt;p align="left"&gt;In theory, it is impossible to detect packet sniffing programs because they are passive: they only collect packets, they don't transmit anything. However, in practice it is sometimes possible to detect sniffing programs. It is similar to how in theory it is impossible to detect radio/TV receivers, but European countries do it all the time in order to catch people avoiding the radio/TV tax.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;A stand-alone &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;network sniffer&lt;/a&gt; doesn't transmit any packets, but when installed non-standalone on a normal computer, the sniffing program will often generate traffic. For example, it might send out DNS reverse lookups in order to find names associated with IP addresses.&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Non-standalone &lt;strong&gt;network sniffers&lt;/strong&gt; are indeed what you &lt;em&gt;want&lt;/em&gt; to detect. When crackers/hackers invade machines, they often install sniffing programs. You want to be able to detect this happening.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;General Overview of Detection Methods&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Ping method&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Most "network sniffers" run on normal machines with a normal TCP/IP stack. This means that if you send a request to these machines, they will respond. 
The trick is to send a request to the IP address of the machine, but not to its Ethernet adapter.&lt;br /&gt;&lt;br /&gt;To illustrate:&lt;br /&gt;&lt;/p&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;The machine suspected of running the network sniffer has an IP address of 10.0.0.1, and an Ethernet address of 00-40-05-A4-79-3&lt;strong&gt;&lt;u&gt;2&lt;/u&gt;&lt;/strong&gt;. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;You are on the same Ethernet segment as the suspect (remember, the Ethernet is used only to communicate locally on a segment, not remotely across the Internet). &lt;/li&gt;&lt;br /&gt;&lt;li&gt;You change the MAC address slightly, such as 00-40-05-A4-79-3&lt;strong&gt;&lt;u&gt;3&lt;/u&gt;&lt;/strong&gt;. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;You transmit an "ICMP Echo Request" (ping) with the IP address and this new MAC address. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Remember that NOBODY should see this packet, because as the frame goes down the wire, each &lt;strong&gt;Ethernet adapter&lt;/strong&gt; compares the destination &lt;strong&gt;MAC address&lt;/strong&gt; with its own MAC address. If they do not match, the adapter ignores the frame. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;If you see the response, then the suspect wasn't running this "MAC address filter" on the card, and is hence sniffing on the wire. &lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;p&gt;There are ways to defend against this. Now that this technique is widely publicized, newer hackers will enable a virtual MAC address filter in their code. Many machines (notably Windows) have MAC filtering in drivers. (There is a hack for Windows: most drivers just check the first byte, so a MAC address of FF-00-00-00-00-00 looks like FF-FF-FF-FF-FF-FF (the broadcast address which all adapters accept). However, some adapters implement multicast in such a way that this address will match as a multicast, which is any address whose first byte is an odd number. 
Thus, this can result in false positives).&lt;br /&gt;&lt;br /&gt;This technique will usually work on switched/bridged Ethernets. When switches see an unknown MAC address for the first time, they will "flood" the frame to all segments.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Ping method, part 2&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The ping method can be enhanced in a number of ways: &lt;/p&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Any protocol that generates a response can be used, such as a TCP connection request or a UDP protocol such as port 7 (echo). &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Any protocol that might generate an error on the target machine might be used. For example, bad IP header values might be used to generate an ICMP error. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Sometimes a broadcast address (either a "local broadcast" like 255.255.255.255 or a "directed broadcast" like 10.0.0.255) needs to be used in order to bypass software IP address filtering. This then encounters another problem in that many machines do not respond to broadcast requests (responses to broadcasts cause network problems, such as the 'smurf' hack). &lt;/li&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;ARP method&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The ARP method is similar to the ping method, but an &lt;strong&gt;ARP packet&lt;/strong&gt; is used instead. An explanation (in Spanish) is given at http://www.apostols.org/projectz/neped/ which includes a program called &lt;strong&gt;neped&lt;/strong&gt; to do this detection.&lt;br /&gt;&lt;br /&gt;The simplest ARP method transmits an ARP to a non-broadcast address. If a machine responds to such an ARP of its IP address, then it must be in promiscuous mode.&lt;br /&gt;&lt;br /&gt;A variation of this technique takes advantage of the fact that machines "cache" ARPs. Each ARP contains the complete information of both the sender as well as the desired target information. 
In other words, when I send out a single ARP to the broadcast address, I include my own IP-to-Ethernet address mapping. Everyone else on the wire remembers this information for the next few minutes. Therefore, you could do something like sending out a non-broadcast ARP, then a broadcast ping. Anybody who responds to your ping without ARPing you could only have gotten the MAC address from a sniffed ARP frame. (To make double-sure, use a different source MAC address in the ping).&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;DNS method&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Many sniffing programs do automatic &lt;strong&gt;reverse-DNS&lt;/strong&gt; lookups on the IP addresses they see. Therefore, a machine in promiscuous mode can be detected by watching for the DNS traffic that it generates.&lt;br /&gt;&lt;br /&gt;This method can detect dual-homed machines and can work remotely. You need to monitor incoming inverse-DNS lookups on the DNS server in your organization. Simply do a ping sweep throughout the company against machines that are known not to exist. Anybody doing reverse DNS lookups on those addresses is attempting to look up the IP addresses seen in ARP packets, which only sniffing programs do.&lt;br /&gt;&lt;br /&gt;This same technique works locally. Configure the detector in promiscuous mode itself, then send out IP datagrams to bad addresses and watch for the DNS lookups.&lt;br /&gt;&lt;br /&gt;One interesting issue with this technique is that hacker-based sniffing programs tend to resolve IP addresses as soon as they are found, whereas commercial programs tend to delay resolution until the point where the network sniffer user views the protocol decodes.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Source-route method&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Another technique involves configuring the source-route information inside the IP header. 
This can be used to detect &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;network sniffers&lt;/a&gt; on other, nearby segments. &lt;/p&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Create a ping packet, but put a loose-source route to force it by another machine on the same segment. This machine should have routing disabled, so that it will not in fact forward it to the target. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;If you get a response, then it is likely the target sniffed the packet off the wire. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;In the response, double-check the TTL field to find out if it came back due to sniffing (rather than being routed correctly). &lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;p&gt;Details:&lt;br /&gt;&lt;br /&gt;In loose source-routing, an option is added to the IP header. Routers will ignore the destination IP address and instead forward to the next IP address in the source-route option. This means when you send the packet, you can say "please send packet to Bob, but route it through Anne first".&lt;br /&gt;&lt;br /&gt;In this scenario, both "Anne" and "Bob" are on the segment. Anne does not route, and therefore will drop the packet when received. Therefore, "Bob" will only respond if he has sniffed the packet from the wire.&lt;br /&gt;&lt;br /&gt;On the off chance that Anne does indeed route (in which case Bob will respond), then the TTL field can be used to verify whether Bob responded from routing through Anne, or answered directly.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;The decoy method&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Whereas the ping and ARP methods only work on the local network, the decoy method works everywhere.&lt;br /&gt;&lt;br /&gt;Since so many protocols allow "plain text" passwords, and hackers run sifters looking for those passwords, the decoy method simply satisfies that need. 
It consists simply of setting up a client and a server on either side of the network, where the client runs a script to log on to the server using Telnet, POP, IMAP, or some other plain-text protocol. The server is configured with special accounts that have no real rights, or the server is completely virtual (in which case, the accounts don't really exist).&lt;br /&gt;&lt;br /&gt;Once a hacker sifts the usernames/passwords from the wire, he/she will then attempt to log on using this information. Standard intrusion detection systems or audit trails can be configured to log this occurrence, alerting you to the fact that a sniffing hacker has found the traffic and attempted to use the information.&lt;br /&gt;&lt;br /&gt;http://www.zurich.ibm.com/~dac/Prog_RAID98/Full_Papers/sniffer_detector.html/index.htm&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Host method&lt;/strong&gt;&lt;strong&gt; &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;When hackers break into your systems, they will often leave behind wiretap programs running in the background in order to sniff passwords and user accounts off the wire. These are often embedded (as a trojan) in other programs, so the only way to find if something like this is running is to query the interfaces to see if they are running in promiscuous mode.&lt;br /&gt;&lt;br /&gt;The most common technique is to run the program "ifconfig -a". 
On my computer (Solaris 2.6) the output looks like:&lt;br /&gt;&lt;br /&gt;# ifconfig -a&lt;br /&gt;&lt;br /&gt;lo0:  flags=849&amp;lt;UP,LOOPBACK,RUNNING,MULTICAST&amp;gt; mtu 8232&lt;br /&gt;&lt;br /&gt;inet  127.0.0.1 netmask ff000000&lt;br /&gt;&lt;br /&gt;hme0:  flags=863&amp;lt;UP,BROADCAST,NOTRAILERS,RUNNING,&lt;strong&gt;PROMISC&lt;/strong&gt;,MULTICAST&amp;gt; mtu  1500&lt;br /&gt;&lt;br /&gt;inet  192.0.2.99 netmask ffffff00 broadcast 192.0.2.255&lt;br /&gt;&lt;br /&gt;ether  8:0:20:9c:a2:98&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Of course, the first thing a hacker will do is replace the 'ifconfig' program to hide this. There are other utilities you can download from the net that will query the hardware directly in order to discover this information, or you could run the 'ifconfig' program directly from a CD-ROM distribution.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Latency method&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This is a more evil method. On one hand, it can significantly degrade network performance. On the other hand, it can 'blind' network sniffers by sending too much traffic.&lt;br /&gt;&lt;br /&gt;This method functions by sending huge quantities of network traffic on the wire. This has no effect on non-promiscuous machines, but has a huge effect on sniffing machines, especially those parsing application layer protocols for passwords. Simply pinging the machine before the load and during the load and testing the difference in response time can indicate if the machine is under load.&lt;br /&gt;&lt;br /&gt;One problem with this technique is that packets can be delayed simply because of the load on the wire, which may cause timeouts and therefore false positives. 
On the other hand, many sniffing programs are "user mode" whereas pings are responded to in "kernel mode", and are therefore independent of CPU load on a machine, thereby causing false negatives.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;TDR&lt;/strong&gt;&lt;strong&gt; (Time-Domain Reflectometers)&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;A TDR is basically RADAR for the wire. It sends a pulse down the wire, then graphs the reflections that come back. An expert can look at the graph of the response and figure out if any devices are attached to the wire that shouldn't be. They also roughly tell where, in terms of distance along the wire, the tap is located.&lt;br /&gt;&lt;br /&gt;This can detect hardware network sniffers that might be attached to the wire, but which are completely silent otherwise.&lt;br /&gt;&lt;br /&gt;TDRs used to be used a lot in the old days of coax Ethernet in order to detect vampire taps, but these days with star topologies, they are used very rarely.&lt;br /&gt;&lt;br /&gt;OTDR equipment also exists, but this is really only for the truly paranoid.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Hub lights&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;You can manually check hub-lights to see if there are any connections you don't expect. It helps to have labeled cables to figure out where (physically) a network sniffer might be located.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;SNMP monitoring&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Smart hubs with SNMP management can provide automated monitoring of Ethernet (and other) hubs. Some management consoles will even let you log connections/disconnections to all your ports. If you've configured the system with the information where all the cables terminate, you can sometimes track down where a network sniffer might be hiding. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-5225439881598907960?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/5225439881598907960/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/how-can-i-detect-network-sniffer.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/5225439881598907960'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/5225439881598907960'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/how-can-i-detect-network-sniffer.html' title='How Can I Detect a Network Sniffer?'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/Sg0Oz-_sp8I/AAAAAAAAFEA/e7mi2EQzEmQ/s72-c/need+a+colasoft+network+analyzer.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-2935765545438900521</id><published>2009-05-14T01:27:00.000-07:00</published><updated>2009-05-14T01:34:24.800-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='packet sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='spy'/><category scheme='http://www.blogger.com/atom/ns#' term='password'/><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category 
scheme='http://www.blogger.com/atom/ns#' term='network administrator'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='monitoring'/><category scheme='http://www.blogger.com/atom/ns#' term='network tools'/><category scheme='http://www.blogger.com/atom/ns#' term='network intrusion'/><title type='text'>Ten Reasons Make Network Sniffers an Essential Network Tools</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/?prid=03060003"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px; height: 231px;" src="http://1.bp.blogspot.com/_LCrZaQE-Vo8/SgvWOTAmB7I/AAAAAAAAFDc/eVCt2TNJuZ4/s320/Colasoft_Capsa___Expert_Packet_Sniffer_14559.gif" alt="colasoft network sniffer" id="colasoft network sniffer" border="0" /&gt;&lt;/a&gt;Whether you are a network administrator or an IT manager, you should be familiar with the network analysis tool known as a &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;network sniffer&lt;/a&gt; (also known as a &lt;strong&gt;network analyzer, protocol analyzer or sniffer&lt;/strong&gt;), which has been widely used by all kinds of organizations, schools, enterprises, government institutions, etc.&lt;br /&gt;&lt;p&gt;Maybe you are surprised at why more and more enterprises, like IBM, Intel, Epson, Airbus, Ericsson, etc., love to deploy network sniffers on their company networks? 
OK, grab a fresh coffee, then look at the following problems and ask yourself, as a &lt;strong&gt;network administrator or IT manager&lt;/strong&gt;, whether these are issues you have met.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Rushing from one network problem to another every day?&lt;br /&gt;&lt;br /&gt;Have no way to judge if your network has been intruded?&lt;br /&gt;&lt;br /&gt;Helpless to collect convincing information to submit to your boss even if you have realized that your network system has been intruded?&lt;br /&gt;&lt;br /&gt;No idea if current network usage is equal to actual need?&lt;br /&gt;&lt;br /&gt;No idea how many staff are focusing on their jobs rather than killing time chatting with friends, browsing irrelevant webpages, etc.?&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Yes, every question listed above has puzzled many network administrators, but don't worry: a network sniffer can easily help you out with its strong functions. Here are a network sniffer’s ten main uses.&lt;/p&gt;&lt;br /&gt;&lt;p&gt; * &lt;strong&gt;Analyze network problems&lt;br /&gt;&lt;br /&gt;* Detect network intrusion attempts&lt;br /&gt;&lt;br /&gt;* Gain information for effecting a network intrusion&lt;br /&gt;&lt;br /&gt;* Monitor network usage&lt;br /&gt;&lt;br /&gt;* Gather and report network statistics&lt;br /&gt;&lt;br /&gt;* Filter suspect content from network traffic&lt;br /&gt;&lt;br /&gt;* Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use)&lt;br /&gt;&lt;br /&gt;* Reverse engineer proprietary protocols used over the network&lt;br /&gt;&lt;br /&gt;* Debug client/server communications&lt;br /&gt;&lt;br /&gt;* Debug network protocol implementations&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Currently, there are dozens of network sniffers on the market. 
Some, like Wireshark, are very complex to use and require you to be versed in networking; some are designed for common 
network administrators, such as &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Colasoft Network Analyzer&lt;/a&gt;, &lt;strong&gt;all-in-one &amp;amp; easy-to-use&lt;/strong&gt;, which are more and more accepted and welcome.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-2935765545438900521?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/2935765545438900521/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/ten-reasons-make-network-sniffers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/2935765545438900521'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/2935765545438900521'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/ten-reasons-make-network-sniffers.html' title='Ten Reasons Make Network Sniffers an Essential Network Tools'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_LCrZaQE-Vo8/SgvWOTAmB7I/AAAAAAAAFDc/eVCt2TNJuZ4/s72-c/Colasoft_Capsa___Expert_Packet_Sniffer_14559.gif' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-2108147142359750626</id><published>2009-05-12T19:43:00.000-07:00</published><updated>2009-05-12T19:55:17.607-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MAC address'/><category scheme='http://www.blogger.com/atom/ns#' term='howto'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft MAC Scanner'/><title type='text'>How to Find MAC Address with Colasoft MAC Scanner and More</title><content type='html'>&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/05/colasoft-mac-scanner-screenshot.jpg"&gt;&lt;img title="Colasoft MAC Scanner Screenshot" src="http://blog.colasoft.com/wp-content/uploads/2009/05/colasoft-mac-scanner-screenshot.jpg" alt="Colasoft MAC Scanner Screenshot" align="left" height="229" width="289" /&gt;&lt;/a&gt;In computer networking, a Media Access Control address (&lt;strong&gt;MAC address&lt;/strong&gt;) is a &lt;strong&gt;unique&lt;/strong&gt; identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification, and used in the Media Access Control protocol sublayer. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number. It may also be known as an Ethernet Hardware Address (EHA), hardware address, adapter address, or physical address.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Since a MAC Address is unique for most network adapters or network interface cards (NICs), it is important for IT administrators to know all the MAC addresses in LAN so as to quickly locate a network device when a network issue arises. Luckily we have tools to help us out. 
Let’s see how we can easily &lt;a href="http://blog.colasoft.com/how-to-find-mac-address-with-colasoft-mac-scanner-and-more/"&gt;find MAC address&lt;/a&gt; in LAN with Colasoft MAC Scanner.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Colasoft MAC Scanner is &lt;strong&gt;free&lt;/strong&gt; software for finding MAC addresses and IP addresses. It can automatically detect all subnets according to the IP addresses configured on multiple NICs of a machine and find MAC addresses and IP addresses of defined subnets as you need. Users can customize their own scan process by specifying the subsequent threads.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step 1. &lt;a title="download Colasoft MAC Scanner" href="http://www.colasoft.com/mac_scanner/?prid=03060003" target="_blank"&gt;Download Colasoft MAC Scanner&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step 2. Install Colasoft MAC Scanner&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The installation of Colasoft MAC Scanner is quick and easy. It is suggested to install Colasoft MAC Scanner on a laptop, as it only scans and finds MAC addresses and IP addresses in the subnet to which the laptop is connected.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step 3. Start a Scan&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;It’s easy and quick: just press the start button, and Colasoft MAC Scanner will scan and find MAC addresses and IP addresses in the subnet and list them out. The results can be copied and pasted or exported for future reference.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Now the problem is: if a LAN is divided into several subnets, we’ll have to move the laptop around and scan each subnet in order to find all MAC addresses and IP addresses. 
Then what’s the solution?&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Find MAC Address and IP Address with &lt;a title="Colasoft network Sniffer" href="http://www.colasoft.com/capsa/?prid=03060003" target="_blank"&gt;Colasoft Network Sniffer&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Colasoft Network Sniffer allows us to find MAC addresses and IP addresses both local and remote in the network as long as there is network communication initiated.&lt;br /&gt;&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style="text-align: left;"&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/05/colasoft-packet-sniffer-mac.jpg"&gt;&lt;img style="vertical-align: middle;" title="Find MAC Address in Colasoft Network Sniffer" src="http://blog.colasoft.com/wp-content/uploads/2009/05/colasoft-packet-sniffer-mac.jpg" alt="Find MAC Address in Colasoft Network Sniffer" align="" height="413" width="470" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&lt;a title="Download Colasoft Network Sniffer" href="http://www.colasoft.com/colasoft.com/download/products/download_capsa.php?prid=03060003" target="_blank"&gt;Download Colasoft Network Sniffer Now&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-2108147142359750626?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/2108147142359750626/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/how-to-find-mac-address-with-colasoft.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6743573607670198921/posts/default/2108147142359750626'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/2108147142359750626'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/how-to-find-mac-address-with-colasoft.html' title='How to Find MAC Address with Colasoft MAC Scanner and More'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-3475195375120403480</id><published>2009-05-11T23:49:00.000-07:00</published><updated>2009-05-12T00:23:52.297-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='packet sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='Network Administrators'/><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Capsa'/><title type='text'>Top 5 Most Welcome Network Sniffers</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/?prid=03060003"&gt;&lt;img src="http://2.bp.blogspot.com/_LCrZaQE-Vo8/Sgkdrmb0U_I/AAAAAAAAFDU/W8wR_Whi8cY/s320/Colasoft+packet+sniffer+Top+5.jpg" alt="Colasoft Network Analyzer" name="Colasoft Network Analyzer" id="Colasoft Network Analyzer" style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 300px; height: 300px;" border="0" /&gt;&lt;/a&gt;According to the latest statistics from famous download sites regarding downloads of network sniffer software, the following products are honored to be 
listed as top 5 most welcome packet sniffers by network  engineers, IT managers, and network administrators etc.&lt;br /&gt;&lt;p&gt;&lt;strong&gt;#1 Wireshark- A Free Open Source Network  Sniffer for Top Network Engineers &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Wireshark (known as Ethereal until a  trademark dispute in Summer 2006) is a fantastic open source network protocol  analyzer for Unix and Windows. It allows you to examine data from a live  network or from a capture file on disk. You can interactively browse the  capture data, delving down into just the level of packet detail you need.  Wireshark has several powerful features, including a rich display filter  language and the ability to view the reconstructed stream of a TCP session. It  also supports hundreds of protocols and media types. A tcpdump-like console  version named tethereal is included. One word of caution is that Ethereal has  suffered from dozens of remotely exploitable security holes, so stay up-to-date  and be wary of running it on untrusted or hostile networks (such as security  conferences).&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;#2 &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Colasoft Network Sniffer&lt;/a&gt; - All-In-One &amp;amp;  Easy-To-Use Network Analyzer and Network Sniffer Available For Most Network Administrators.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Colasoft Network Sniffer - Capsa&lt;/strong&gt; performs real-time packet  capturing, 24/7 network monitoring, advanced protocol analyzing, in-depth  packet decoding, and automatic expert diagnosing. 
It allows you to get a clear view of the complex network, conduct packet level analysis, and troubleshoot network problems.&lt;br /&gt;&lt;br /&gt;Whether you're a network administrator who needs to identify, diagnose, and solve network problems, a company manager who wants to monitor user activities on the network and ensure that the corporation's communications assets are safe, or a consultant who has to quickly solve network problems for clients, &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Capsa&lt;/a&gt; is the tool you need.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;#3 Tcpdump: The Classic Sniffer For Network Monitoring And Data Acquisition&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes. It also requires fewer system resources. While it doesn't receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. TCPDump is the source of the Libpcap/WinPcap packet capture library, which is used by Nmap among many other tools.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;#4 EtherDetect: Connection-Oriented Network Sniffer And Protocol Analyzer&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;EtherDetect Packet Sniffer is an easy-to-use, award-winning packet sniffer and network protocol analyzer, which provides a connection-oriented view for analyzing packets more effectively. 
With the handy tool, all you need to do is to set up the filter, start  capturing, and view connections, packets as well as data on the fly.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;#5 Ettercap : In Case You Still Thought  Switched Lans Provide Much Extra Security&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Ettercap is a terminal-based network  sniffer/interceptor/logger for ethernet LANs. It supports active and passive  dissection of many protocols (even ciphered ones, like ssh and https). Data  injection in an established connection and filtering on the fly is also  possible, keeping the connection synchronized. Many sniffing modes were  implemented to give you a powerful and complete sniffing suite. Plugins are  supported. It has the ability to check whether you are in a switched LAN or  not, and to use OS fingerprints (active or passive) to let you know the  geometry of the LAN.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-3475195375120403480?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/3475195375120403480/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/top-5-most-welcome-packet-sniffers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/3475195375120403480'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/3475195375120403480'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/top-5-most-welcome-packet-sniffers.html' title='Top 5 Most Welcome Network Sniffers'/><author><name>James 
Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_LCrZaQE-Vo8/Sgkdrmb0U_I/AAAAAAAAFDU/W8wR_Whi8cY/s72-c/Colasoft+packet+sniffer+Top+5.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-1530192069032224520</id><published>2009-05-08T00:03:00.000-07:00</published><updated>2009-05-08T00:30:21.444-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='packet sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='scanning tools'/><category scheme='http://www.blogger.com/atom/ns#' term='network protocol analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft Capsa'/><title type='text'>Find Out the Top Network Administrator Tools</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px; height: 213px;" src="http://2.bp.blogspot.com/_LCrZaQE-Vo8/SgPa7EgEWgI/AAAAAAAAFDE/OBE1N0_RO_U/s320/colasoft+network+analyzer.jpg" alt="" id="BLOGGER_PHOTO_ID_5333347092092180994" border="0" /&gt;&lt;/a&gt;&lt;strong&gt;Network Sniffers / Network Protocol Analyzer&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;With Network sniffers and network protocol analyzers, you can monitor network activity, analyze network performance, enhance  network security, and troubleshoot network issues.&lt;/p&gt;&lt;p&gt;&lt;span&gt;1,&lt;/span&gt;&lt;span style="font-weight: bold;"&gt; Colasoft Network sniffer - Capsa&lt;/span&gt; &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;http://www.colasoft.com/&lt;/a&gt; Colasoft 
Capsa performs real-time packet capturing, 24/7 network monitoring, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. It allows you to get a clear view of the complex network, conduct packet level analysis, and troubleshoot network problems.&lt;/p&gt;&lt;p&gt;2, Ethereal   – http://www.ethereal.com/&lt;br /&gt;3, EtterCap – http://ettercap.sourceforge.net/&lt;br /&gt;4, Snort   – http://www.snort.org/&lt;br /&gt;5, WinDump / TCPDump - http://www.tcpdump.org/wpcap.html/&lt;br /&gt;6, DSniff   – http://naughty.monkey.org/~dugsong/dsniff/&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Scanning  Tools&lt;/strong&gt;&lt;br /&gt;1, Nmap   – http://www.nmap.org/&lt;br /&gt;Nmap is a port scanner. A port scanner  scans for open ports, such as 80 (http) or 25 (SMTP)&lt;br /&gt;&lt;/p&gt;&lt;p&gt;2, Sam Spade – www.samspade.org/&lt;br /&gt;Sam Spade is a multi network query tool  with many extra built in utilities, even a tool for spam. It includes utilities  such as ping, whois, traceroute, and finger&lt;br /&gt;&lt;br /&gt;3, NetScanTools Pro ($199) –http://www.netscantools.com/nstmain.html&lt;br /&gt;NetScanTools Pro Edition is an integrated  collection of internet information gathering utilities for Windows  Vista/2008/2003/XP/2000. Use it to research IP addresses, hostnames, domain  names, email addresses, URLs automatically** or with manual tools.&lt;br /&gt;&lt;br /&gt;4, SuperScan   – http://www.foundstone.com/&lt;br /&gt;SuperScan has the primary purpose of  scanning an IP range. It supports extremely fast Host Discovery lookups as well  as TCP and UDP port scans thanks to its multi-threaded and asynchronous  techniques.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;UserManagement   - http://www.tools4ever.com&lt;/strong&gt;/&lt;br /&gt;Complete user account management featuring  advanced user creation, modification, removal, mass creation/removal and  delegation of administrative tasks. 
The UserManagemeNT Suite consists of three  modules, Professional, Import and Delegation. These modules can operate  independently or seamlessly integrated with each other.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;AdminMagic  - http://www.tools4ever.com&lt;/strong&gt;/&lt;br /&gt;Full control: Using AdminMagic, you can  take over and control users' desktops from your own workstation. Featuring  complete mouse and keyboard emulation, you can execute programs, login/logoff,  modify device drivers and reboot all from a central location. You can also take  screenshots of remote desktops and store/print them for later use. Remote users  will not be interrupted and can continue working as they always do.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Advanced System Optimizer&lt;/strong&gt; - http://www.systweak.com/&lt;br /&gt;Advanced System Optimizer is a system  tweaking suite that includes around 30 tools to improve and tweak your PC's  performance. It offers an attractive and easy to use interface that organizes  all tasks into categories and provides graphical statistics whenever possible.  The tools include junk file cleaner, memory optimizer, system information,  system files backup, file encryption, safe uninstaller, duplicate file finder,  taskbar manager and much more. Advanced System Optimizer also includes an  Internet tracks eraser with cookie manager and secure deletion, and even a  desktop sticky notes application. 
Overall, a great bundle that offers a wide  range of system tools with extra benefits that are hardly ever found.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-1530192069032224520?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/1530192069032224520/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/find-out-top-network-administrator.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1530192069032224520'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1530192069032224520'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/find-out-top-network-administrator.html' title='Find Out the Top Network Administrator Tools'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_LCrZaQE-Vo8/SgPa7EgEWgI/AAAAAAAAFDE/OBE1N0_RO_U/s72-c/colasoft+network+analyzer.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-7328877448597791773</id><published>2009-05-06T23:25:00.000-07:00</published><updated>2009-05-07T00:00:02.498-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='encrypted content'/><category 
scheme='http://www.blogger.com/atom/ns#' term='public key encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><title type='text'>How Public Key Encryption Works</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_LCrZaQE-Vo8/SgKFANEmBlI/AAAAAAAAFC8/0lfM82JogFk/s1600-h/colasoft+network+sniffer+3.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px; height: 211px;" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/SgKFANEmBlI/AAAAAAAAFC8/0lfM82JogFk/s320/colasoft+network+sniffer+3.jpg" alt="colasoft packet sniffer" id="BLOGGER_PHOTO_ID_5332971147315512914" border="0" /&gt;&lt;/a&gt;When you are entering your credit card number, talking with your lover, or chatting with your business partners, can you imagine what would happen if everything you are doing were exposed to everybody?&lt;br /&gt;&lt;p&gt; Yes, it is unbelievable but it is quite true: hackers can easily obtain your private information, such as credit card numbers, email logs and chat logs, by using network analysis tools such as &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Colasoft packet sniffers&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Keep Your Email Secure And Safe&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;So are we helpless to stop our private information from being monitored or stolen? Of course not. To keep data sent via email private, you just need to encrypt it, as only unencrypted content can be monitored by network analysis tools like a &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;network analyzer&lt;/a&gt;. Only the targeted recipient will be able to decipher the message. 
&lt;/p&gt;&lt;p&gt;&lt;strong&gt;How to Encrypt Your Message?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Public key  encryption is a special case of encryption, it operates using a combination of  two keys: one is a private key, the other is a public key which together form a  pair of keys. The private key is kept secret on your computer since it  is used for decryption, the public key, which is used for encryption, is  given to anybody who wants to send encrypted mail to you. &lt;/p&gt;  &lt;p&gt;&lt;strong&gt;How public key works?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;When you  send public-key encrypted mail, the sender's encryption  program uses your public key in combination with the sender's private key to  encipher the message. When you  receive public-key encrypted mail, you need to decipher  it.&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_LCrZaQE-Vo8/SgKDDsVOfxI/AAAAAAAAFC0/5K455Z_NpyE/s1600-h/colasoft+network+sniffer+2.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 234px; height: 320px;" src="http://1.bp.blogspot.com/_LCrZaQE-Vo8/SgKDDsVOfxI/AAAAAAAAFC0/5K455Z_NpyE/s320/colasoft+network+sniffer+2.jpg" alt="colasoft packet sniffer" id="BLOGGER_PHOTO_ID_5332969008223125266" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Decryption of a message enciphered with a  public key can only be done with the matching private key. This is why the two  keys form a pair, and it is also why it is so important to keep the private key  safe and to make sure it never gets into the wrong hands (or in any hands other  than yours). 
&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Why the Integrity of the Public Key is  Essential&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Another crucial point with public key  encryption is the distribution of the public key.&lt;br /&gt;Public key encryption is only safe and  secure if the sender of an enciphered message can be sure that the public key  used for encryption belongs to the recipient.&lt;br /&gt;A third party can produce a public key with  the recipient's name and give it to the sender, who uses the key to send important  information in encrypted form. The enciphered message is intercepted by the  third party, and since it was produced using their public key they have no  problem deciphering it with their private key.&lt;br /&gt;This is why it is mandatory that a public  key is either given to you personally or authorized by a certificate authority. &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-7328877448597791773?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/7328877448597791773/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/how-public-key-encryption-works.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/7328877448597791773'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/7328877448597791773'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/05/how-public-key-encryption-works.html' title='How Public Key Encryption Works'/><author><name>James 
Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/SgKFANEmBlI/AAAAAAAAFC8/0lfM82JogFk/s72-c/colasoft+network+sniffer+3.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-5232142937304518989</id><published>2009-04-23T19:32:00.001-07:00</published><updated>2009-05-06T01:10:14.374-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Capsa'/><category scheme='http://www.blogger.com/atom/ns#' term='monitor network traffic'/><title type='text'>Monitor Your Network Traffic with Colasoft Network Sniffer</title><content type='html'>&lt;strong&gt;Importance of network monitoring&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;Reading network traffic is essential for system administrators, network engineers, and security analysts. At some point there will be a need to read the network traffic directly instead of monitoring application level details. Examples of situations that might require monitoring network traffic are, auditing network security, debugging network configurations, and analyzing usage patterns. For this task we use network monitoring software, or network sniffers, that sniff the traffic your computer is able to see on the network. What exactly your computer can see really depends on how the network is laid out, but the easiest way to figure out what it can see is just start sniffing.&lt;br /&gt;&lt;br /&gt;The most common tool to do the job is readily available. 
One of the most popular and easy-to-use tools for monitoring network traffic is &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;Colasoft network sniffer&lt;/a&gt;.&lt;/p&gt;&lt;br /&gt;&lt;strong&gt;How to Monitor Network Traffic&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;As a network sniffer, &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Capsa&lt;/a&gt; makes it easy for us to monitor and analyze network traffic in its intuitive and information-rich tab views. With Capsa's network traffic monitor feature, we can quickly identify network bottlenecks and detect network anomalies. This article discusses how we can monitor network traffic with Capsa's network traffic monitor feature.&lt;/p&gt;&lt;br /&gt;     &lt;strong&gt;1,Monitor network traffic in "Summary" tab&lt;/strong&gt;&lt;br /&gt;     &lt;p&gt;"Summary" is a view that provides general information about the entire network or the node selected in the "Explorer". In "Summary" we can get a quick view of the total traffic, real-time traffic, broadcast traffic, multicast traffic and so on. When we switch among the nodes in the Explorer, the corresponding traffic information is shown.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic6.gif" alt="Monitor Network Traffic in Summary" height="481" width="574" /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;(pic 1. monitor-network-traffic-in-summary)&lt;br /&gt;&lt;/p&gt;     &lt;strong&gt;2,Monitor network traffic in "Endpoints" tab&lt;/strong&gt;&lt;br /&gt;                 &lt;p&gt;In "Endpoints" view, we can monitor network traffic information of each node, both local and remote. 
With its easy sorting feature we can easily find out which host is generating or has generated the most traffic.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic1.gif" alt="Monitor Network Traffic in Endpoints" height="481" width="574" /&gt;&lt;/p&gt;     &lt;p&gt;(pic 2. monitor-network-traffic-in-endpoints)&lt;/p&gt;     &lt;strong&gt;3,Monitor network traffic in "Protocols" tab&lt;/strong&gt;&lt;br /&gt;     &lt;p&gt;The "Protocols" view lists all protocols used in network transmission. In the "Protocols" view we can monitor network traffic by each protocol. By analyzing network traffic by protocol, we can understand what applications are using the network bandwidth, for example "http" protocol stands for website browsing, "pop3" stands for email, etc.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic2.gif" alt="Monitor Network Traffic by Protocol" height="481" width="574" /&gt;&lt;/p&gt;     &lt;p&gt;(pic 3. monitor-network-traffic-by-protocol)&lt;/p&gt;     &lt;strong&gt;4,Monitor network traffic in "Conversations" tab&lt;/strong&gt;&lt;br /&gt;     &lt;p&gt;In the "Conversations" tab we can monitor network traffic by each conversation and figure out which conversation has generated the most network traffic.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic3.gif" alt="Monitor Network Traffic by Conversation" height="481" width="575" /&gt;&lt;/p&gt;     &lt;p&gt;(pic 4. monitor-network-traffic-by-conversation)&lt;/p&gt;     &lt;strong&gt;5,Monitor network traffic in "Matrix" tab&lt;/strong&gt;&lt;br /&gt;     &lt;p&gt;"Matrix" is a view that visualizes all network connections and traffic details in one single graph. The weight of the lines between the nodes indicates the traffic volume and the color indicates the status. 
As we move the cursor over a specific node, network traffic details of the node will be provided.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic4.gif" alt="Monitor Network Traffic In Matrix" height="481" width="574" /&gt;&lt;/p&gt;(pic 5. monitor-network-traffic-in-Matrix)&lt;br /&gt;     &lt;strong&gt;&lt;br /&gt;6,Monitor network traffic in "Graphs" tab&lt;/strong&gt;&lt;br /&gt;     &lt;p&gt;If we want to get a trend chart of the network traffic, then we need to use the "Graphs" tab. The "Graphs" view allows us to view network statistics dynamically in different chart types, such as line chart, bar chart, and pie chart. By selecting "Utilization" we get a real-time traffic trend chart.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic5.gif" alt="Monitor Network Traffic in Graphs" height="481" width="574" /&gt;&lt;/p&gt;(pic 6. monitor-network-traffic-in-graphs)&lt;br /&gt;     &lt;p&gt;As we can see, with &lt;a href="http://www.colasoft.com/download/?prid=03060003"&gt;Capsa&lt;/a&gt; we can not only monitor network traffic conveniently, but also analyze network traffic at different levels, which enables us to quickly and efficiently detect network anomalies and troubleshoot network problems. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-5232142937304518989?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/5232142937304518989/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/monitor-your-network-traffic-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/5232142937304518989'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/5232142937304518989'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/monitor-your-network-traffic-with.html' title='Monitor Your Network Traffic with Colasoft Network Sniffer'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-2882189921834668291</id><published>2009-04-23T19:32:00.000-07:00</published><updated>2009-04-23T19:39:49.847-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='monitor http traffic'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft Capsa'/><title type='text'>How to Monitor http Traffic with Network sniffer</title><content type='html'>Hypertext Transfer Protocol (&lt;strong&gt;HTTP&lt;/strong&gt;) is an application-level protocol for distributed, collaborative, hypermedia 
information systems. Its use for retrieving inter-linked resources led to the establishment of the World Wide Web.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;In order to &lt;strong&gt;monitor http traffic&lt;/strong&gt;, we will need network sniffer (or protocol analyzer) software. Here is a detailed walkthrough of how we can &lt;a href="http://blog.colasoft.com/how-to-monitor-http-traffic-with-packet-sniffer/?prid=03060003"&gt;monitor http traffic&lt;/a&gt; in a LAN with &lt;a title="Colasoft network sniffer Software" href="http://www.colasoft.com/capsa/?prid=03060003" target="_blank"&gt;Colasoft network sniffer&lt;/a&gt; – Capsa.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Again let’s launch Colasoft network sniffer and start a new project. Don’t forget one thing: we have to deploy the network sniffer on the mirror port of the core switch in order to monitor all http traffic in the LAN; if not, we can only monitor the http traffic of our own computer.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Then let’s start browsing a website, for example, www.colasoft.com, to generate some http traffic. Now let’s get back to the network sniffer and see if there is http traffic. 
OK, we can see the network sniffer has already captured some http traffic in the “&lt;strong&gt;Protocols&lt;/strong&gt;” tab.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic1.jpg"&gt;&lt;img class="size-full wp-image-69" title="monitor-http-traffic1" src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic1.jpg" alt="Monitor http Traffic Screenshot 1" height="405" width="544" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;We can see both the &lt;strong&gt;aggregated http traffic&lt;/strong&gt; since the capture started and the &lt;strong&gt;real-time http traffic&lt;/strong&gt; in this tab.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;If we want to do a deeper analysis of http traffic, we will need to use the “&lt;strong&gt;Locate&lt;/strong&gt;” function to locate the http protocol in the Explorer so that the network sniffer displays only the data that is http protocol. Right click on the protocol and select “Locate Explorer Node” in the pop-up menu.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic2.jpg"&gt;&lt;img class="size-full wp-image-70" title="Monitor Http Traffic Screenshot 2" src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic2.jpg" alt="Locate Explorer Node" height="292" width="221" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;If we want to know who is using the http protocol and what they are actually browsing, we are going to use two tabs, the “Endpoints” tab and the “Logs” tab.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;Let’s see who is using the http protocol:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic3.jpg"&gt;&lt;img class="size-full wp-image-71" title="Monitor http Traffic Screenshot 3" 
src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic3.jpg" alt="Who is Using http Protocol" height="408" width="544" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;And what they are actually browsing:&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic4.jpg"&gt;&lt;img class="size-full wp-image-72" title="Monitor http Traffic Screenshot 4" src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic4.jpg" alt="Monitor http Traffic Screenshot 4" height="408" width="544" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-2882189921834668291?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/2882189921834668291/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/how-to-monitor-http-traffic-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/2882189921834668291'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/2882189921834668291'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/how-to-monitor-http-traffic-with.html' title='How to Monitor http Traffic with Network sniffer'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-1123655618147463133</id><published>2009-04-22T20:45:00.000-07:00</published><updated>2009-04-22T23:08:52.448-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='password'/><category scheme='http://www.blogger.com/atom/ns#' term='network admins'/><category scheme='http://www.blogger.com/atom/ns#' term='hacker'/><category scheme='http://www.blogger.com/atom/ns#' term='credit card'/><title type='text'>What Can Hackers Do with Network Sniffer</title><content type='html'>&lt;h2&gt;What Can Hackers Do with a network sniffer?&lt;/h2&gt;&lt;b&gt;A &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;network sniffer&lt;/a&gt; in the wrong hands is a deadly weapon. A network sniffer is a real danger because it is&lt;/b&gt;&lt;b&gt; a very powerful and difficult to detect tool&lt;/b&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 300px; height: 300px;" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/SfAAs03FnUI/AAAAAAAAFB8/H-Ql0ykZDj4/s320/hacker.gif" alt="colasoft network sniffer" id="BLOGGER_PHOTO_ID_5327759129283239234" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Security breaches of all kinds are reported all the time. Everyday we hear of hackers who managed to steal sensitive data, of people who become victims of identity theft, etc. Very  often the breaches are so incredible that you wonder if hackers have supernatural powers. 
Well, hackers hardly have supernatural powers but they don't need them – supernatural powers are not necessary when a network lacks security and one has the right tools to break in.&lt;br /&gt;&lt;h2&gt;Hackers Can Monitor Networks With a network sniffer&lt;/h2&gt;&lt;strong&gt;The tools hackers use to break into networks are more or less the same tools network admins use to monitor and maintain their network with&lt;/strong&gt;. For example, network sniffers are among the tools hackers love most. A network sniffer captures packets and shows you their contents. This means that with the help of a network sniffer running somewhere in the network, hackers can monitor all the unencrypted traffic to and from this network.&lt;br /&gt;&lt;p&gt;This is really scary – just imagine a malicious hacker who knows all the secrets of your company. It gets even more dangerous for networks where hubs (and not switches) are used, because in this case a network sniffer can be installed on any computer and the hacker will monitor all the traffic in that segment, not only the traffic to and from the host. The good news is that hubs are almost out of use today and because of that hackers can do less damage with a &lt;a href="http://www.colasoft.com/products/?prid=03060003"&gt;network sniffer&lt;/a&gt;.&lt;/p&gt;&lt;h2&gt;Hackers Can Obtain Passwords and Credit Card Numbers With a network sniffer&lt;/h2&gt;When a hacker uses a network sniffer to monitor your network, this is not nice, but when he or she steals passwords, credit card numbers and other types of sensitive data, this is a real danger. Unencrypted passwords, credit card numbers and other sensitive data are an easy target for a hacker with a network sniffer.&lt;br /&gt;&lt;p&gt;Many of the cases of mass theft of credit card numbers and passwords happen because hackers use a network sniffer on an unencrypted network. 
For truth's sake, it is important to mention that even if all the traffic is encrypted, there are still many other ways to obtain sensitive data. But when the traffic over a network is not encrypted and nobody monitors the network for unauthorized network sniffers, sooner or later data will be stolen.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;One of the greatest achievements for hackers with a &lt;a href="http://www.colasoft.com/download/?prid=03060003"&gt;network sniffer&lt;/a&gt; is to capture the administrator's password. When the administrator's password is transmitted over the network in an unencrypted form, this is an easy target for hackers. If hackers manage to intercept the admin password, they have the power to do everything they want to on your network – delete data, modify data, etc. So, do you see why hackers don't need supernatural powers but only the admin password?&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-1123655618147463133?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/1123655618147463133/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/what-can-hackers-do-with-packet-sniffer.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1123655618147463133'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1123655618147463133'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/what-can-hackers-do-with-packet-sniffer.html' title='What Can Hackers Do with Network Sniffer'/><author><name>James 
Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/SfAAs03FnUI/AAAAAAAAFB8/H-Ql0ykZDj4/s72-c/hacker.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-8211626843135492816</id><published>2009-04-22T18:09:00.000-07:00</published><updated>2009-04-22T18:09:32.078-07:00</updated><title type='text'>Network Sniffers, Troubleshoot Network Issues: How to Protect Your Network with Network Sniffer</title><content type='html'>&lt;a href="http://topnetworksniffers.blogspot.com/2009/04/how-to-protect-your-network-with-packet.html"&gt;Network Sniffers, Troubleshoot Network Issues: How to Protect Your Network with Network Sniffer&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-8211626843135492816?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://topnetworksniffers.blogspot.com/2009/04/how-to-protect-your-network-with-packet.html' title='Network Sniffers, Troubleshoot Network Issues: How to Protect Your Network with Network Sniffer'/><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/8211626843135492816/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/network-sniffers-troubleshoot-network.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/8211626843135492816'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6743573607670198921/posts/default/8211626843135492816'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/network-sniffers-troubleshoot-network.html' title='Network Sniffers, Troubleshoot Network Issues: How to Protect Your Network with Network Sniffer'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-1516496828558409768</id><published>2009-04-21T20:39:00.001-07:00</published><updated>2009-04-21T20:39:33.188-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='IT manager'/><category scheme='http://www.blogger.com/atom/ns#' term='MAC Scanner'/><category scheme='http://www.blogger.com/atom/ns#' term='Packet Player'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Ping Tool'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>5 Things Our IT Department had to skip</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_LCrZaQE-Vo8/Se6OlfQUc2I/AAAAAAAAFBM/n7C5D39fbYw/s1600-h/colasoft+network+sniffer.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 227px; height: 320px;" src="http://2.bp.blogspot.com/_LCrZaQE-Vo8/Se6OlfQUc2I/AAAAAAAAFBM/n7C5D39fbYw/s320/colasoft+network+sniffer.jpg" alt="" id="BLOGGER_PHOTO_ID_5327352183922127714" border="0" /&gt;&lt;/a&gt;In last blog, we have talked about the 5 items our IT department must do even in the big recession, 
in addition to the things we can't do without, there are many more things we had to skip. We are not exactly happy to stop doing these things, but desperate times call for desperate measures, and since these activities are something we can do without, we had to either quit them or drastically reduce them:&lt;ul&gt;&lt;li&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;No purchases of new hardware&lt;/span&gt;. Though it is not precise to say that we haven't bought a single piece of hardware in the last year, we have definitely cut hardware spending. For the time being we do not plan to make major hardware purchases.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Capital expenditures.&lt;/span&gt; Capital expenditures are another budget item we had to drastically shrink. We had scheduled projects, but the current economic situation made us have second thoughts and now capital expenditures are on hold.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Software that is nice to have but we can do without it&lt;/span&gt;.  Similarly to hardware and capital expenditures, some major software expenses had to be cut. Yes, there are many products, for instance accounting, HR, or ERP modules, which are great to have, but we'll go for them when the economic outlook is less gloomy.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Standardization&lt;/span&gt;. You know that IT people generally hate it when they have to deal with bureaucracy and standardization, so if there is an item we are happy to skip, it is standardization. More or less we skipped all standardization-related activities except those that are related to regulations compliance. Standardization is put on hold, especially if it requires investment or other resources.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;No infrastructure upgrades&lt;/span&gt;. 
We are not exactly happy about this one, but since there are more important items we can't skip, we had to significantly reduce the planned network upgrades. Some of the projects in this area are put on hold, while others are canceled.    &lt;/p&gt; &lt;/li&gt;&lt;/ul&gt; &lt;p&gt;It wasn't easy to decide what to skip and what to keep, but when times are tough, it is not possible to pretend that everything is OK and go on as planned. We hope that we are right in our choices, and time will show whether we made wise choices or not.  &lt;/p&gt;&lt;p&gt;James Ackland is the author of this article from &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;www.Colasoft.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;About Colasoft Co., Ltd.&lt;br /&gt;Ever since 2001, Colasoft has been dedicated to providing all-in-one and easy-to-use network sniffer software for network administrators and IT managers to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Up to now, more than 5000 customers in over 70 countries trust the flagship product – &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Colasoft Network Sniffer&lt;/a&gt; as their network monitoring and troubleshooting solution. Colasoft also offers four&lt;span style="font-weight: bold;"&gt; free network utilities:&lt;/span&gt; Colasoft Packet Builder, Colasoft Packet Player, Colasoft MAC Scanner, and Colasoft Ping Tool. 
Learn more about Colasoft and its solutions, please visit &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;http://www.colasoft.com/&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-1516496828558409768?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/1516496828558409768/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/5-things-our-it-department-had-to-skip.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1516496828558409768'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/1516496828558409768'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/5-things-our-it-department-had-to-skip.html' title='5 Things Our IT Department had to skip'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_LCrZaQE-Vo8/Se6OlfQUc2I/AAAAAAAAFBM/n7C5D39fbYw/s72-c/colasoft+network+sniffer.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-8804845129689657830</id><published>2009-04-19T19:21:00.000-07:00</published><updated>2009-04-19T20:26:25.562-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='IT manager'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft 
Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Top 5 Items Our IT Department Must Do</title><content type='html'>Even though it is a basic economic fact that recessions happen once or twice in a decade, when the economy is in a good shape, like it was a couple of years ago, people, including IT managers, tend to forget that the summer will be over and hard times will come soon. On the other hand, recessions might be bad but the current one is certainly worse than many of the ones before. Actually, this is the worst recession since the Great Depression in the 1930s and even the most optimistically-minded managers have really serious reasons to fear and be cautious.&lt;br /&gt;&lt;p&gt;We can't say that the recession took us by surprise but certainly we didn't expect it to be that fierce. However, recession or no recession, life must go on and if a company wants to make it, there are many things which can't be skipped. So, no matter that IT budgets are tight, there are items a company can't save on. &lt;strong&gt;Here are the top 5 items our IT department will not sacrifice:&lt;/strong&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px; height: 234px;" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/SeveQAjdrzI/AAAAAAAAFAo/jOY_xGWEat8/s320/shangwu2_372.jpg" alt="" id="BLOGGER_PHOTO_ID_5326595350903762738" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;1, &lt;strong&gt;Network security and security in general&lt;/strong&gt;. Being in the network security business themselves, we know that network security and security in general is paramount and no matter how hard the economic situation might be, this is not an item to save on because the price is too high. 
Certainly, we are not buying the most expensive solutions, even though they are incredibly good, but we do not compromise on quality either.&lt;br /&gt;&lt;br /&gt;2, &lt;strong&gt;Going green. Going green is also an item we can't skip.&lt;/strong&gt; Green technology saves money and now this benefit is more important than ever. So, if we buy new IT stuff, we definitely go for the green items.&lt;br /&gt;&lt;br /&gt;3, &lt;strong&gt;Compliance.&lt;/strong&gt; Regulations compliance is another item we can't afford to skip, unless we really want to go out of business (and we don't). So, when there are steps in this direction to be taken, we take them – no way!&lt;br /&gt;&lt;br /&gt;4, &lt;strong&gt;Training.&lt;/strong&gt; Training is also important and even though our training budget has shrunk, we still try to keep our staff qualified.&lt;br /&gt;&lt;br /&gt;5, &lt;strong&gt;Outsourcing.&lt;/strong&gt; Outsourcing has been a successful strategy for our company at all times and now, when money issues start to surface, we are happy that outsourcing helps us cut costs with no sacrifice of quality.&lt;/p&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;Kevin Chou is the author of this article from &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;www.Colasoft.com&lt;/a&gt;.&lt;br /&gt;&lt;/span&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;About Colasoft Co., Ltd.&lt;br /&gt;Ever since 2001, Colasoft has been dedicated to providing all-in-one and easy-to-use network sniffer software for network administrators and IT managers to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. 
Up to now, more than 5000 customers in over 70 countries trust the flagship product – &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Colasoft &lt;/a&gt;&lt;/span&gt;&lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;span style="font-size:85%;"&gt;network sniffer&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt; as their network monitoring and troubleshooting solution. Colasoft also offers four free network utilities: Colasoft Packet Builder, Colasoft Packet Player, Colasoft MAC Scanner, and Colasoft Ping Tool. Learn more about Colasoft and its solutions, please visit &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;http://www.colasoft.com/&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-8804845129689657830?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/8804845129689657830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/top-5-items-our-it-department-must-do.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/8804845129689657830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/8804845129689657830'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/top-5-items-our-it-department-must-do.html' title='Top 5 Items Our IT Department Must Do'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/SeveQAjdrzI/AAAAAAAAFAo/jOY_xGWEat8/s72-c/shangwu2_372.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-4058745672900871449</id><published>2009-04-16T20:59:00.000-07:00</published><updated>2009-04-16T22:25:43.058-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Analyze Protocol，Network Sniffer，Example'/><title type='text'>Analyze Protocols With Network Sniffer</title><content type='html'>&lt;h2&gt;&lt;strong&gt;What is Network Protocol?&lt;/strong&gt;&lt;/h2&gt;&lt;br /&gt;A Protocol can be defined as rules governing  the syntax, semantics and synchronization of communication.&lt;br /&gt;In computing, A Protocol is a convention or standard that controls or enables the connection, communication and data transfer between two computing endpoints.&lt;br /&gt;Protocols may be implemented by Hardware, Software or a Combination of two. At the lowest level, a protocol defines the  behaviour of a hardware connection.&lt;p&gt;&lt;/p&gt;&lt;h2&gt;&lt;strong&gt;Why  Protocol Analyzing Important?&lt;/strong&gt;&lt;/h2&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;Since all network communications are based on  protocols and different protocols indicates varieties of network behaviours, by analyzing protocols using a network sniffer, we get to know what network applications are used on the network and what network behaviour is taken  against your network. 
You may check out our protocols database to get an explanation of each protocol.&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;&lt;p&gt;&lt;strong&gt; Analyze Protocols With Network Sniffer&lt;/strong&gt;&lt;/p&gt;&lt;/h2&gt;&lt;br /&gt;A &lt;strong&gt;&lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Network Sniffer&lt;/a&gt;&lt;/strong&gt; is an important part of the &lt;strong&gt;Network Manager's toolkit&lt;/strong&gt;. Traditionally, sniffers are useful for troubleshooting networks and SNMP tools are better for trending and service management. The combination of an SNMP-based Performance Manager and a well-featured &lt;strong&gt;Network Sniffer&lt;/strong&gt; will allow you to perform many of the fundamental tasks required for successful network management.&lt;br /&gt;&lt;br /&gt;Network Sniffers, often called "packet sniffers" after Network Associates' market-leading Sniffer product, capture packets and decode them into their component parts. It's fairly obvious how sniffers can be used to troubleshoot network problems. Once a problem is detected, packets are captured and analyzed and the details of the communication can be worked out. But sniffers can do more than this and, in fact, turn out to be surprisingly useful in many aspects of network management.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Unexpected Traffic &lt;/strong&gt;&lt;br /&gt;The obvious thing to do is monitor the network for unexpected traffic. Most network managers know the types of application that they expect to see and can point out anything unusual. If anything unexpected is spotted, then a capture of some of the traffic is usually sufficient to pinpoint the machines involved.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Unnecessary Traffic &lt;/strong&gt;&lt;br /&gt;Many machines are set by default to run protocols that may not be required.&lt;br /&gt;For example, many printers broadcast using Novell's IPX protocol. 
It is fine if you are using NetWare, but not always necessary. It's good housekeeping to remove any protocols that you do not need. You may be concerned about how your users are using the available bandwidth. A good sniffer will allow you to filter specific types of traffic, so that you can keep an eye on any traffic that may cause you a problem.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Unauthorized Program Use &lt;/strong&gt;&lt;br /&gt;It is useful to check the specific port numbers for services on your Servers. Most common services operate on defined port numbers, so a packet capture on a Server will soon reveal what services are running. You can disable any services that you do not need. This has two benefits: first, it avoids unnecessary traffic on the network, and second, it means that no unauthorized user can take advantage of that service. If anyone is using a service, a packet capture will show you the address. Most sniffers allow filtering on specified port numbers, so it is possible to monitor continuously for specified port numbers.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Email Problems &lt;/strong&gt;&lt;br /&gt;Email systems typically use standard port numbers: 25 for SMTP, 143 for IMAP, 110 for POP3. Setting filters for these ports will usually help to discover the cause of problems with email.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Virus Detection and Control &lt;/strong&gt;&lt;br /&gt;Antivirus software manufacturers offer update services. Armed with the information on new threats, it is often possible to build suitable filters to detect viruses. For example, many sniffers allow you to specify a text pattern, so a virus contained in a message containing a known text string could be detected. Analysis of the capture will show the source and destination of the packets.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Firewalls &lt;/strong&gt;&lt;br /&gt;Firewalls need to be checked for outgoing and incoming traffic. 
You will have to define a set of filters for traffic in both directions. Should the firewall begin to let unauthorized traffic through, you need to be able to detect it.&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;h2&gt;&lt;strong&gt;For Example: &lt;/strong&gt;&lt;/h2&gt;&lt;strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;TCP&lt;/strong&gt; is a reliable, connection-oriented protocol. Common applications of TCP are email and file transfer. TCP is optimized for accurate delivery rather than timely delivery, and therefore TCP sometimes incurs relatively long delays (in the order of seconds) while waiting for out-of-order messages or retransmissions of lost messages. So TCP analysis with &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Colasoft Network Sniffer&lt;/a&gt; is required for finding delays.&lt;br /&gt;&lt;strong&gt;UDP&lt;/strong&gt; is a Reliable  Connectionless Protocol. Common Applications of UDP are DNS, VOIP, IPTV and FTP. Sometimes packet loss will happen during transmission and there is no help for this. Using Colasoft Network Sniffer, we can find the loss.&lt;br /&gt;&lt;strong&gt;HTTP&lt;/strong&gt; is a request/response standard of a client and a server. A client is the end-user; the server is the web site. The client making an HTTP request—using a web browser, spider or other end-user tool—is referred to as the &lt;em&gt;user agent. &lt;/em&gt;The responding server—which stores or creates &lt;em&gt;resources&lt;/em&gt; such as HTML files and images—is called the &lt;em&gt;origin server&lt;/em&gt;. Certain design features of HTTP interact badly with TCP, causing problems with performance and with server scalability. Latency problems are caused by opening a single connection per request, through connection setup and slow-start costs. Scalability problems are caused by TCP requiring a server to maintain state for all recently closed connections. 
Colasoft Network Sniffer is used to  detection  such   problems.&lt;p&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6743573607670198921-4058745672900871449?l=topnetworksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/4058745672900871449/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/analyze-protocols-with-network-sniffer.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/4058745672900871449'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/4058745672900871449'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/analyze-protocols-with-network-sniffer.html' title='Analyze Protocols With Network Sniffer'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-7317340607825009382</id><published>2009-04-16T19:07:00.000-07:00</published><updated>2009-04-16T20:06:36.787-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='How-to'/><category scheme='http://www.blogger.com/atom/ns#' term='Protect Network'/><category scheme='http://www.blogger.com/atom/ns#' term='FTP'/><category scheme='http://www.blogger.com/atom/ns#' term='HTTP'/><category scheme='http://www.blogger.com/atom/ns#' term='email'/><category scheme='http://www.blogger.com/atom/ns#' term='MSN'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Colasoft Network Sniffer'/><title type='text'>How to Protect Your Network with Network Sniffer</title><content type='html'>&lt;b&gt;A &lt;a href="http://www.colasoft.com/download/?prid=03060003"&gt;network  sniffer&lt;/a&gt; (also called a network analyzer) can help you make your network more secure by identifying what's going on in it&lt;/b&gt; &lt;p&gt;Networks are large entities, even if they don't consist of thousands of machines. Large networks are especially vulnerable because they are a fruitful ground for attacks and hacking of all kinds. Even if a system administrator is a genius, he or she can't fight network security threats with bare hands.  &lt;/p&gt; &lt;h2&gt;Why Do You Need to Protect Your Network?&lt;/h2&gt; &lt;p&gt;One of the major principles in network security is that a network is as secure as its weakest part is. In other words, it makes no sense to invest tons of money and spend many hours to secure some of the parts of a network, when there are small vulnerabilities that can be easily abused.  &lt;/p&gt; &lt;p&gt;With networks small vulnerabilities are very common and even though one can never be sure that his or her network is secure, when no efforts in that direction are made, it is as sure as hell that this network is at risk. That is why it is absolutely clear that nobody can afford to leave a network unprotected. Fortunately, there are many tools, which help to protect a network and network sniffers are one of them.  &lt;/p&gt; &lt;h2&gt;How a network Sniffer Can Protect Your Network?&lt;/h2&gt; &lt;p&gt;Network sniffers (or network analyzers, as they are also called) can be one of the best tools you can use to protect your network. 
There are many types of network threats and there is no universal tool that can help you protect your network against all of them, so a network sniffer cannot safeguard your network against all kinds of threats. It is a fact, however, that a network sniffer can help you against many threats, both internal and external.  &lt;/p&gt;&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/capsa/?prid=03060003"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 326px;" src="http://2.bp.blogspot.com/_LCrZaQE-Vo8/Sefucq7q_LI/AAAAAAAAFAY/P1nloZu6jzo/s400/colasoft-network-sniffer-ss2.gif" alt="colasoft network sniffer" id="BLOGGER_PHOTO_ID_5325487260717218994" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;A network sniffer captures all the packets which go to and from your network and shows you their contents. While a network sniffer is helpless against encrypted traffic, with unencrypted traffic a network sniffer is an indispensable tool. 
When you have the chance to know what's going on in your network, you can easily spot the activities that shouldn't be taking place.&lt;/p&gt;&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/products/?prid=03060003"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 326px;" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/Seft2ybaXiI/AAAAAAAAFAQ/t-vAup0Nko4/s400/colasoft-network-sniffer-ss1.gif" alt="colasoft network sniffer" id="BLOGGER_PHOTO_ID_5325486609894366754" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;For instance, if somebody is downloading files with BitTorrent, or is generating any other kind of substantial traffic, a network sniffer, such as &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Colasoft Network Sniffer&lt;/a&gt;, will display this immediately and you will know that you should take adequate measures to stop it. Actually, a network sniffer allows you to monitor all incoming and outgoing traffic and keep logs of this, so even if you don't react immediately when suspicious traffic occurs, all the traffic is logged and you can view it later.&lt;/p&gt; &lt;p&gt;Depending on the features of the network sniffer you have selected, you will have different options to protect your network. Some of the network sniffers with a rich feature set, for instance Colasoft Network Sniffer, offer a lot in terms of traffic monitoring. Generally, even the network sniffers with fewer features allow you to monitor suspicious activity at least from a given host or protocol.  &lt;/p&gt; &lt;p&gt;One of the cases when network sniffers don't offer much help is with encrypted traffic. This is a technical limitation and even though network sniffers can intercept encrypted packets, they can't break the encryption and show the actual content of the packet. 
However, if while monitoring a network you notice unauthorized encrypted traffic (for instance from a given host), treat it as a warning sign that something is probably wrong and investigate what exactly is happening.  &lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/7317340607825009382/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/how-to-protect-your-network-with-packet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/7317340607825009382'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/7317340607825009382'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/how-to-protect-your-network-with-packet.html' title='How to Protect Your Network with Network Sniffer'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_LCrZaQE-Vo8/Sefucq7q_LI/AAAAAAAAFAY/P1nloZu6jzo/s72-c/colasoft-network-sniffer-ss2.gif' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-6107247460043667912</id><published>2009-04-15T22:31:00.000-07:00</published><updated>2009-04-15T23:04:40.386-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='Case Study'/><category scheme='http://www.blogger.com/atom/ns#' term='Sniff Webpage'/><title type='text'>How to Sniff all Images of a Webpage</title><content type='html'>If we want to sniff all the images of a webpage, here is a detailed process for doing it with &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Colasoft Packet Sniffer&lt;/a&gt;’s "Logs" feature. I will take the CNN.com home page as an example.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Step 1. Open Log Settings&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Log Settings lets us set conditions or exceptions that determine which records appear in the Logs tab. To display only images in the Logs tab, we must enable the HTTP Log conditions.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss1.gif"&gt;&lt;img class="size-full wp-image-52" title="How to Sniff Images Screenshot 1" src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss1.gif" alt="How to Sniff Images Screenshot 1" height="159" width="338" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Step 2. 
Enable Http Log Conditions&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;We must tick the box before Conditions to enable it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss2.gif"&gt;&lt;img class="size-full wp-image-57" title="How to Sniff Images Screenshot 2" src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss2.gif" alt="How to Sniff Images Screenshot 2" height="131" width="276" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Step 3. Input "Image" into Content Type&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;On the right-hand side, let’s enter the content type in order to filter the content.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss3.gif"&gt;&lt;img class="size-full wp-image-58" title="How to Sniff Images Screenshot 3" src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss3.gif" alt="How to Sniffer Images Screenshot 3" height="188" width="291" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here is an explanation of Content Type:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss4.gif"&gt;&lt;img class="size-full wp-image-59" title="How to Sniff Images Screenshot 4" src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss4.gif" alt="How to Sniff Images Screeshot 4" height="192" width="291" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Step 4. "OK" to Activate the Setting&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Now that we’re done with the Log Settings, let’s see whether we can sniff all the images of the CNN.com index page. First of all, let’s start capturing with Colasoft Packet Sniffer, then let’s enter the URL into the address bar and start browsing.&lt;br /&gt;&lt;br /&gt;Results start showing in the Logs tab under the Http Request option, and we can see that all results are in image formats. 
We have successfully sniffed all the images on this webpage.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss5.gif"&gt;&lt;img class="size-full wp-image-60" title="How to Sniff Images Screenshot 5" src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss5.gif" alt="How to Sniff Images Screeshot 5" height="306" width="366" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To view the image, we can click on the record, and it will be shown in a browser.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss6.gif"&gt;&lt;img src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss6.gif" alt="How to Sniff Images Screenshot 6" title="How to Sniff Images Screenshot 6" class="size-full wp-image-62" height="144" width="292" /&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/6107247460043667912/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/how-to-sniff-all-images-of-webpage.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/6107247460043667912'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/6107247460043667912'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/how-to-sniff-all-images-of-webpage.html' title='How to Sniff all Images of a Webpage'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-3605852897126869813</id><published>2009-04-12T20:06:00.000-07:00</published><updated>2009-04-15T23:06:02.234-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='easy-to-use and all-in-one tool'/><category scheme='http://www.blogger.com/atom/ns#' term='network diagnosis'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='Windows Vista-64 bit Edition'/><category scheme='http://www.blogger.com/atom/ns#' term='report'/><category scheme='http://www.blogger.com/atom/ns#' term='expert network sniffer'/><title type='text'>Colasoft Network Sniffer Capsa 6.9 Review</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_b4meHPrIBnY/SeL3Bk9NbBI/AAAAAAAAAHY/LnLsPZ4jiNs/s1600-h/1.gif"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px; height: 210px;" src="http://4.bp.blogspot.com/_b4meHPrIBnY/SeL3Bk9NbBI/AAAAAAAAAHY/LnLsPZ4jiNs/s320/1.gif" alt="" id="BLOGGER_PHOTO_ID_5324089315977686034" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;"&gt;Overview&lt;/span&gt;&lt;br /&gt;Not so hard for a freshman.&lt;br /&gt;Auto diagnosis.&lt;br /&gt;Real time capture.&lt;br /&gt;If it's cheaper, I will definitely 
buy it!&lt;br /&gt;After using &lt;a href="http://www.colasoft.com/capsa/?prid=03060003"&gt;Colasoft Network Sniffer&lt;/a&gt;, I found 3 features of this product:&lt;br /&gt;&lt;br /&gt;a. Supports real-time capturing and monitoring&lt;br /&gt;b. Excellent capability of protocol analysis (approximately 300 types) and packet decoding&lt;br /&gt;c. Well, the most exciting part is the automatic expert diagnosis! That really saves so much money and time for me, and I do not worry about the solution of failure again!&lt;br /&gt;&lt;br /&gt;Cost and performance are at the desired level.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What It Is and What It Can Do&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Colasoft Network Sniffer is an expert network sniffer designed for packet decoding and network diagnosis; it monitors the network traffic transmitted over a local host and a local network, with real-time packet capture and accurate data analysis. Colasoft Network Sniffer makes your network operations completely transparent to you, letting you isolate and troubleshoot network problems quickly and efficiently. The flexible and intuitive user interface lets both IT professionals and novice users handle it skilfully in a few moments.&lt;br /&gt;&lt;br /&gt;It is easy to understand how to use this Network Sniffer with the samples provided with the tool. Sample packets help me a lot for my first-time deployment by letting me avoid contacting Technical Support during my initial days of using this tool.&lt;br /&gt;&lt;br /&gt;For a Small Business Enterprise, this tool’s network diagnosis helps me to detect a slow network and upgraded speed for better utilization.&lt;br /&gt;&lt;br /&gt;I prefer this for a Medium Business Enterprise as troubleshooting network issues is simply superb.&lt;br /&gt;&lt;br /&gt;For Medium and Large Business Enterprises, security is an issue. This Network Sniffer enhances network security by monitoring the network with logs. 
As every packet is recorded and analyzed, loopholes can easily be detected.&lt;br /&gt;&lt;br /&gt;For every organization, security is a major concern. With this tool, monitoring email contents, IMs and chats is easy. All information in messengers, chats and HTTP requests is logged.&lt;br /&gt;&lt;br /&gt;The packet analysis makes it easy to find where the problem is without needing the user to report his huge traffic.&lt;br /&gt;&lt;br /&gt;For an Internet Service Provider, this is a very, very useful tool. ISPs have server-down issues due to huge traffic. By diagnosing with this tool, server-down issues can be reduced.&lt;br /&gt;It can prevent hibernation while capturing and show both IP addresses and hostnames. This is a good feature in the upgraded version.&lt;br /&gt;&lt;br /&gt;Colasoft Network Sniffer supports Windows Vista 64-bit Edition. It is able to identify and analyze 300+ network protocols.&lt;br /&gt;&lt;br /&gt;By going through the site &lt;a href="http://www.colasoft.com/?prid=03060003"&gt;www.colasoft.com&lt;/a&gt;, I came to know that Colasoft Network Sniffer Professional Edition is available and used it for analyses. It is really good to use and operate. Everything is logged and my network usage is monitored.&lt;br /&gt;&lt;br /&gt;Videos on the website help me to understand ARP attacks and monitoring network traffic. So I can protect my network now by identifying the deceived hosts and by identifying who is consuming maximum bandwidth in a local segment.&lt;br /&gt;&lt;br /&gt;I can monitor the traffic either by protocol, IP or MAC address. There is so much flexibility in using this Network Sniffer.&lt;br /&gt;&lt;br /&gt;Internet Service Providers can use this tool for quick issue troubleshooting. It is easy to identify problems, which minimizes the time to service the customer.&lt;br /&gt;&lt;br /&gt;The reports are displayed with graphs and tables. Viewing the connection in a matrix is wonderful and it is something special in Colasoft Network Sniffer. 
This pictorial representation is really good for sorting out an issue by detecting it easily.&lt;br /&gt;&lt;br /&gt;Colasoft Network Sniffer has tools that you would not find in other network sniffers, including ping and scanning of IPs and MACs across the LAN.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Summary&lt;/span&gt;&lt;br /&gt;Colasoft Network Sniffer is an easy-to-use and all-in-one tool for an IT network administrator, an IT consultant and a security manager in an IT company.</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/3605852897126869813/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/colasoft-capsa-hottest-network-sniffers.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/3605852897126869813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/3605852897126869813'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/colasoft-capsa-hottest-network-sniffers.html' title='Colasoft Network Sniffer Capsa 6.9 Review'/><author><name>James 
Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_b4meHPrIBnY/SeL3Bk9NbBI/AAAAAAAAAHY/LnLsPZ4jiNs/s72-c/1.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6743573607670198921.post-986987670546598463</id><published>2009-04-08T19:06:00.000-07:00</published><updated>2009-04-08T19:22:22.101-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='introduction'/><title type='text'>Network Sniffers，Network Administrators' Basic Tools</title><content type='html'>&lt;a href="http://www.colasoft.com/products/?prid=0306002"&gt;&lt;img class="alignright size-medium wp-image-15" title="colasoft sniffer distribution" src="http://yournetworksniffer.wordpress.com/files/2009/04/distribution1.jpg?w=300" alt="colasoft sniffer distribution" height="224" width="300" /&gt;&lt;/a&gt;&lt;br /&gt;Network sniffers are a valuable tool for both network administrators and hackers. There are many &lt;a title="download network sniffer" href="http://www.colasoft.com/download/?prid=03060002" target="_blank"&gt;network sniffers&lt;/a&gt; on the market, and one of the most sophisticated is the network sniffer from &lt;a title="colasoft homepage" href="http://www.colasoft.com/?prid=03060002" target="_blank"&gt;Colasoft&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Network sniffers are one of the best tools a &lt;/strong&gt;&lt;strong&gt;network administrator has at his or her disposal to analyze network traffic and to troubleshoot problems. &lt;/strong&gt;On the other hand, when a network sniffer is in the wrong hands – i.e. 
hackers use it – this can cause quite a lot of damage to a company or an individual, especially if the victim hasn't taken the required protective measures. You see, as with many things in life, network sniffers can be a great tool to maintain a network, yet they can be very destructive if misused.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Network sniffers are very common, so choose the best network sniffer for you.&lt;/strong&gt; There are many network sniffers on the market and they range from free, to cheap, to expensive, and from very simple, to advanced, to packed with features. Each type of network sniffer has its purpose, and if you need a simple tool for quick results on a small network, you don't have to buy the most expensive network sniffer, even though it has tons of features. But in reality, if you need a network sniffer for professional use, low-end sniffers are not the answer and you need something more sophisticated, for example Colasoft Network Analyzer. Colasoft Network Analyzer is built around packet sniffing but includes many other useful features as well.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Like any other network sniffer, the network sniffer from Colasoft intercepts and logs traffic transmitted within a network (or a network segment).&lt;/strong&gt; A network sniffer can be really invisible because it monitors the network (almost) unobtrusively. Since a network sniffer just sniffs the packets without modifying them, it doesn't cause disturbances that would alert the administrator that something is going on. Unless the administrator runs an anti-sniffer, the traffic can be eavesdropped on and nobody will know about it.&lt;br /&gt;&lt;br /&gt;Of course, a good network administrator knows how to detect a network sniffer, so if you plan to get Colasoft network sniffer and use it in a malicious way, don't expect that this will go unnoticed. 
The network sniffer in the Colasoft Network Analyzer is not stealthy, but since Colasoft Network Analyzer is intended for network troubleshooting, not network hacking, there is no reason to worry that the network sniffer is not hidden. When a network administrator uses a network sniffer in order to legitimately monitor network traffic, he or she doesn't need cover.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;One of the most important features of a network sniffer is the &lt;/strong&gt;&lt;strong&gt;protocols it can sniff.&lt;/strong&gt; In this respect &lt;a title="colasoft products" href="http://www.colasoft.com/products/?prid=03060002" target="_blank"&gt;Colasoft Network Analyzer&lt;/a&gt; is an unbeaten network sniffer because it can monitor over 300 protocols. Colasoft knows that when the packets of major protocols are not captured, this gives a wrong impression about the traffic in the network and that is why Colasoft Network Analyzer supports so many protocols. And no, the protocols Colasoft Network Analyzer can sniff are not exotic ones – they are protocols used frequently in networks.&lt;br /&gt;&lt;br /&gt;Additionally, new protocols keep being added to the network sniffer from Colasoft, so even if your network uses some really rare protocols that are currently not supported by Colasoft Network Analyzer, they could be added in the future. 
Well, if you expect the network sniffer from Colasoft to read encrypted traffic, this will not happen because no network sniffer can do it!</content><link rel='replies' type='application/atom+xml' href='http://topnetworksniffers.blogspot.com/feeds/986987670546598463/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/network-sniffersnetwork-administrators.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/986987670546598463'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6743573607670198921/posts/default/986987670546598463'/><link rel='alternate' type='text/html' href='http://topnetworksniffers.blogspot.com/2009/04/network-sniffersnetwork-administrators.html' title='Network Sniffers，Network Administrators&apos; Basic Tools'/><author><name>James Ackland</name><uri>http://www.blogger.com/profile/06538316149634349390</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
