
Wednesday, July 29, 2009

Monitor broadcast storm with Colasoft Capsa

Causes of broadcast storm:




  • Incorrect network design and plan

  • Network equipment damage

  • A hub, as a broadcast device, easily leads to a broadcast storm

  • NIC or switching equipment damage

  • Network loop

  • Incorrect router configuration

  • Virus


How to detect Broadcast Storm:


Step 1. Set up broadcast packets filter

Open Filter --> Add --> From Filter Table, check "Broadcast":



Step 2. Detect relevant parameters of the broadcast storm



1. Statistical parameters



  • broadcast packets bytes

  • total broadcast packets

  • packets per second

  • packet size distribution

  • protocol type

  • etc (add according to your own network)


How to make use of these parameters?

Take a 100M Ethernet for example. The maximum packets per second is 12.5M x 1024 = 12800 Bytes/s. If the packets-per-second value of broadcast traffic is greater than or close to it, then we can conclude there is a broadcast storm.

The total packets, their number, and their size distribution differ according to the size of the network.

Protocol Type is mainly used to show the protocols with the largest traffic utilization. (PS: Care must be taken to distinguish ARP Request and ARP Response: ARP Request is broadcast, while ARP Response is unicast.)


2. IPID Identification of the packet


IPID is the unique value that identifies the packet. If a protocol has a large traffic utilization, we can check its IPID in the Packets view; if the IPIDs are the same, we can confirm it is caused by a network loop.



Currently, network loops are one of the main causes of broadcast storms.


3. Check the Utilization



How to make use of the utilization parameters?


Utilization is divided into "Utilization (bits)" and "Utilization (percentage)". Network utilization is computed as: bits per second (in the "Summary" view) / network bandwidth (100M or 1000M Ethernet). Ordinarily, the network is perfect if the utilization is 50% in an Ethernet; we can conclude that there must be a broadcast storm in the network if the broadcast utilization is over 30%.
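
The three checks above (broadcast filter and statistics, repeated IPID, broadcast utilization) applied to raw Ethernet II frames, as an added example that is not part of the original post or of Capsa. The frames in `SAMPLE` are constructed, the function names are this example's own, and keying the loop check on source IP plus IPID is an assumption about how to compare IPIDs across hosts.

```python
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6
STORM_UTILIZATION = 0.30  # the page's threshold for broadcast utilization

def parse_frame(frame):
    """Return (is_broadcast, protocol label, (source IP, IPID) or None)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    proto, ident = hex(ethertype), None
    if ethertype == 0x0806:  # ARP: opcode 1 is a request, 2 is a response
        proto = "ARP Request" if frame[20:22] == b"\x00\x01" else "ARP Response"
    elif ethertype == 0x0800:  # IPv4: Identification at header bytes 4-5, source at 12-15
        proto = "IPv4 proto %d" % frame[23]
        ident = (frame[26:30], struct.unpack("!H", frame[18:20])[0])
    return frame[:6] == BROADCAST_MAC, proto, ident

def analyze(capture, link_bps):
    """capture: time-ordered list of (seconds, frame bytes); link_bps: bandwidth in bit/s."""
    duration = max(capture[-1][0] - capture[0][0], 1e-9)
    bcast_bytes, protocols, idents = 0, Counter(), Counter()
    for _, frame in capture:
        is_bcast, proto, ident = parse_frame(frame)
        if not is_bcast:
            continue  # step 1: keep broadcast frames only
        bcast_bytes += len(frame)
        protocols[proto] += 1
        idents[ident] += 1  # ident is None for non-IPv4 frames
    count = sum(protocols.values())
    utilization = bcast_bytes * 8 / duration / link_bps  # bits per second / bandwidth
    return {
        "broadcast_packets": count,
        "broadcast_bytes": bcast_bytes,
        "packets_per_second": count / duration,
        "utilization": utilization,
        "top_protocol": protocols.most_common(1)[0][0] if protocols else None,
        "storm": utilization > STORM_UTILIZATION,
        "loop_suspected": any(n > 1 for k, n in idents.items() if k),  # same IPID again
    }

# Constructed sample (made-up MACs/IPs): a UDP broadcast seen 100x, an ARP request, an ARP response.
def _frame(dst, ethertype, payload):
    return dst + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload.ljust(46, b"\0")

_UDP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 46, 0x1A2B, 0, 64, 17, 0,
                   bytes([192, 168, 6, 5]), bytes([192, 168, 6, 255]))
_ARP = lambda op: struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
SAMPLE = [(i / 100, _frame(BROADCAST_MAC, 0x0800, _UDP)) for i in range(100)]
SAMPLE.append((1.0, _frame(BROADCAST_MAC, 0x0806, _ARP(1))))
SAMPLE.append((1.0, _frame(b"\x02\x00\x00\x00\x00\x02", 0x0806, _ARP(2))))
```

Call `analyze(SAMPLE, 100_000_000)` for a 100M link; a host that legitimately reuses an IPID also sets `loop_suspected`, so confirm in the Packets view before acting on it.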



Download the latest Capsa 6.9R2 (Windows 7 supported) to monitor your network performance in time.

How to analyze the statistics of a specific IP in LAN with Colasoft Capsa?

Nowadays, computers are becoming a necessity in the majority of companies all over the world. Network managers/administrators have to monitor their network, grasp the network status in time, and find the best solution once any abnormal condition occurs in the network. They have to make sure the whole network status is visible to them, even the traffic, conversations, and packets of one specific IP address. Without appropriate network management, a large number of network risks will appear in your network.

Colasoft Capsa 6.9R2, which supports Windows 7, is such an ideal network monitor. This article tells you how to analyze the statistics of a specific IP address when you have to analyze the stats by locating an IP address.

For example:
There are 200 hosts in the LAN. You have detected that the network became very slow due to BT downloading by a specific IP address: 192.168.6.5. To check the stats under this IP, including protocols, conversations, packets, etc., and prove it is the specific IP address, you need to locate it. In Colasoft Capsa, there are 2 ways to do this:

1. Select the IP address under "IP Explorer" in the left Explorer window:

2. Add the IP address in the Filter settings, with steps as follows:

Then we can check all the stats related to "192.168.6.5" only, to further confirm the problem. For more information on "How to Track BitTorrent User in Network with Colasoft Packet Sniffer", please go to http://blog.colasoft.com/how-to-track-bittorrent-user-in-network-with-colasoft-packet-sniffer/

Thursday, July 2, 2009

Why should we monitor the network conversation?

In a network group, especially for a company, enterprise, school, bank, NSA, etc., confidential information is very important, and it may be very dangerous if it is divulged.



Also, a company/enterprise boss can find out what his staff are talking about over the internet, no matter whether they are using MSN, Yahoo, Gtalk, ICQ, AIM… or email/webmail… at any time.



In this situation, we need a network monitor/packet sniffer, not only to monitor network conversations, but also to guarantee our network security by protecting it from danger beforehand.



Resolution
Taking Colasoft Capsa 6.9 as an example, we will show you how to monitor email activity and content with it step by step:

1. Choose “Logs” from the main window.

2. As shown in the following illustration, there’s a pop up window for changing settings after you choose the “Logs”.
Email Log→Log File Settings, then change the settings indicated by an arrow.

3. Choose Email Messages in the Logs view, where you can find detailed information on all the email activities.

4. Just double-click the crossband, and you can check the content of any email you want to read.

Conclusion:

For every organization, institution, company, enterprise… etc., confidential information is very important and must never be allowed to leak out.



Apart from the traditional File Encryption and Video Surveillance, what can we do if we are in a huge network? In this situation, a powerful packet sniffer/network analyzer is quite a good right hand.