<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2797389168360889110</id><updated>2011-11-27T17:03:30.282-08:00</updated><category term='network sniffer'/><category term='MAC Scanner'/><category term='port mirroring'/><category term='network troubleshooting'/><category term='malware'/><category term='network intrusion'/><category term='network connectivity'/><category term='colasoft capsa network analyzer'/><category term='switch'/><category term='SMTP traffic'/><category term='port mirror'/><category term='network private'/><category term='security loopholes'/><category term='network security'/><category term='Colasoft Network Analyzer'/><category term='network data'/><category term='packet sniffer'/><category term='network administrator'/><category term='ARP virus'/><category term='Spam'/><category term='ARP attacking'/><category term='IM'/><category term='ARP spoofing'/><category term='hub'/><category term='broadcast storm'/><category term='switch support'/><category term='norton 2010'/><category term='Slow internet connections'/><category term='capsa network analyzer'/><category term='monitor broadcast storm'/><category term='internet security'/><category term='traffic monitor'/><category term='network monitor'/><category term='Network Management'/><category term='Troubleshooting'/><category term='intrusion attempts'/><category term='Tips'/><category term='wireshark'/><category term='norton 2010 review'/><category term='network traffic'/><category term='protocal analyzer'/><category term='Network administrators'/><category term='network coexist'/><category term='network managers'/><category term='worm'/><category term='network 
loopholes'/><category term='Colasoft'/><category term='network usage'/><category term='network analyzer'/><category term='network risk'/><category term='network security software'/><category term='Network Monitoring'/><title type='text'>Network Packet Sniffer and Network Analyzer</title><subtitle type='html'>An expert network analyzer designed for network sniffer,packet sniffer,protocol analyzer(sniffer),network analyzer,packet sniffing(sniffer),packet analyzer.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>56</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1685030467831739999</id><published>2009-09-21T02:07:00.000-07:00</published><updated>2009-09-21T02:24:28.879-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network security software'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><title type='text'>Network Security Software</title><content type='html'>&lt;h1&gt;Sunbelt Software's VIPRE - Redefining security software&lt;/h1&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color: rgb(51, 102, 
255);"&gt;&lt;em&gt;Adrian Kingsley-Hughes&lt;/em&gt;&lt;/span&gt; from &lt;span style="color: rgb(255, 0, 255);"&gt;&lt;em&gt;zdnet.com&lt;/em&gt;&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Sunbelt Software’s VIPRE - I’ve finally found an antivirus package that delivers the goods.&lt;br /&gt;&lt;br /&gt;Over the years I’ve become truly disillusioned by security software. A good antivirus package used to be the first thing that I installed on a system after installing the OS, but now that’s become one of those tasks that I know I should do (not just to protect myself, and the network, but others that I communicate with) but that I put off until the last minute. Why? Because I know I’ll start hating the system shortly afterwards and resenting the security software for consuming so much of my precious system resources.&lt;br /&gt;&lt;blockquote&gt;&lt;strong&gt;VIPRE setup and interface gallery&lt;br /&gt;&lt;/strong&gt;&lt;/blockquote&gt;&lt;br /&gt;There have been times when seeing the performance hit that a system takes after installing a security package has actually made me put my head in my hands and wonder whether all these strides we have made in processor power and RAM capacities are all undone thanks to security firms unleashing their bloated wares upon us. I’m not going to name any names - I’m pretty sure that most of you will be able to rattle off a list of them without any prompting from me.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Time for a short story …&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;OK, story time. Last night my wife and I were at my mother-in-law’s and the subject of her slow notebook came up. The notebook in question is an aging IBM ThinkPad R51e that runs Windows XP and which hasn’t really been all that fast from the start. It suffers from not enough RAM and too many drivers and specific apps (which are tricky to remove without losing features) kludging up the system. 
But what makes matters worse is that any security software that you install onto the system amplifies these problems greatly.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://i.zdnet.com/blogs/vipre_20_sm.png" alt="" align="left" border="0" /&gt;The antivirus package that was installed on the system was Kaspersky AntiVirus &lt;span style="text-decoration: line-through;"&gt;2009&lt;/span&gt; 2008. I have a love/hate relationship with this product and use it mostly because it’s the best of a bad bunch (a statement that says a lot about the current line up of security software). We uninstalled this application and immediately there was a performance gain. I didn’t benchmark the system under controlled conditions but I’d say that boot times were cut by about 33% and loading times for applications by 25%. However, I knew that I couldn’t leave the system unprotected and that I’d have to install something in place of Kaspersky. Then I remembered that I’d received an email earlier in the week from Sunbelt Software informing me that the new VIPRE antivirus and antispyware&lt;span style="color: rgb(128, 0, 128);"&gt; &lt;/span&gt;app was out (an enterprise version has also been released). One of the features that the email bragged about was how this software wasn’t a resource hog.&lt;br /&gt;&lt;br /&gt;I decided to pull up the website and take a look. The copy for VIPRE (which stands for “Virus Intrusion Protection Remediation Engine”) was full of performance-related claims:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;“VIPRE Antivirus + Antispyware is high-performance security software that doesn’t slow down your PC like older, traditional antivirus products.”&lt;/li&gt;&lt;br /&gt;&lt;li&gt;“Tired of old antivirus software that makes your PC slow down to a crawl? Interrupting what you are doing with slow scan times, causing problems and nagging you? 
Time for a change to next-generation antivirus + antispyware that IS NOT a resource hog!”&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;span style="color: rgb(128, 0, 128);"&gt;&lt;img src="http://i.zdnet.com/blogs/vipre_21_sm.png" alt="" align="right" border="0" /&gt;&lt;/span&gt;“Does not slow down your PC”&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;Bold claims, but that said, almost all antivirus vendors nowadays make similar claims.&lt;br /&gt;&lt;br /&gt;OK, I clicked the download link and the 12.6MB package came down swiftly. I started the install process which seemed much like every other install process and the program installed without fuss. After a reboot the setup wizard picked up again and guided us through the initial setting up of the software. VIPRE downloaded the risk definitions and the program was ready to roll.&lt;br /&gt;&lt;br /&gt;Then I noticed something. The system was just as responsive with VIPRE installed as without. Wow! I wasn’t expecting that. We rebooted the system just in case it wasn’t running, and then downloaded the EICAR test file to make sure that it was running and sure enough, it was, and it was having almost no effect on the performance of the system. To say I was impressed would be an understatement.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Back at the PC Doc HQ …&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Today I’ve had a chance to take a closer look at VIPRE, and it has to be said that I like what I see.&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;span style="color: rgb(128, 0, 128);"&gt;&lt;img src="http://i.zdnet.com/blogs/vipre_29_sm.png" alt="" align="right" border="0" /&gt;&lt;/span&gt;First off, the performance claims do seem to be real. Today I’ve uninstalled a number of different antivirus packages from a selection of systems and replaced them with VIPRE and on every system I’m seeing and feeling a performance boost. 
Not only is the real time monitoring far lighter and less of a resource hog than any other antivirus package I’ve come across, the system scanner is also fast and light-weight (I’ve been typing this, taking screenshots and running a couple of virtual machines while VIPRE has been scanning my system). My testing backs up the claims made by Sunbelt Software and goes to prove the benefits of adopting a clean slate, building a product from the ground up approach.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;VIPRE offers all-round protection - antivirus, antispyware, protection from email-borne threats, rootkit detections and other goodies such as a secure file eraser and history cleaner.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;VIPRE is easy to use. In fact, the interface is a pleasure to use.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The product is honest and gives you clear feedback relating to what it finds on your system - no scan and scare tactics here.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Then there’s the aspect of fair pricing. A single license for VIPRE costs $29.95 and gives you a year’s worth of updates, while a 3-user annual subscription is $39.95, &lt;strong&gt;while for $49.95 you can protect all PCs in a single household with a single site license&lt;/strong&gt;. That’s the fairest deal I’ve come across.&lt;br /&gt;“Typical ‘household’ licenses offered for security software products limit the number of PCs protected to anywhere from three to five per household,” said Alex Eckelberry, president of Sunbelt Software. “With our unlimited home site license, customers pay one low annual subscription price for the product of their choice for all the PCs in their home. We don’t care if it’s five, ten, or 200 computers.  
One price covers all the computers located in that residence.”&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;Now I’ve rolled VIPRE onto a number of systems, I’ll let you know how things go in a follow-up post.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;System Requirements&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Microsoft Internet Explorer 5.5 or higher&lt;/li&gt;&lt;br /&gt;&lt;li&gt;At least an IBM Compatible 400MHZ computer with minimum 256MB RAM&lt;/li&gt;&lt;br /&gt;&lt;li&gt;At least 150MB of available free space on your hard drive&lt;/li&gt;&lt;br /&gt;&lt;li&gt;2x CDROM&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Internet access with at least 56Kbps connection&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Supported Operating Systems:&lt;br /&gt;- Windows 2000 SP4 RollUp 1&lt;br /&gt;- Windows Server 2008&lt;br /&gt;- Windows XP SP1, SP2, SP3 (Home, Pro, Media Center, Tablet) 32 and 64-bit&lt;br /&gt;- Windows Vista+ (All flavors) 32 and 64-bit&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Supported Email Applications: Outlook 2000+, Outlook Express 5.0+, Windows Mail on Vista, and SMTP and POP3 (Thunderbird, IncrediMail, Eudora, etc.)&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Installation of VIPRE is not supported on Windows 95, 98, or ME, Macintosh or Linux&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;A fully functional trial version of &lt;/span&gt;&lt;a style="font-weight: bold;" href="http://www.colasoft.com/capsa"&gt;Colasoft Capsa R2&lt;/a&gt;&lt;span style="font-weight: bold;"&gt; is available.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1685030467831739999/comments/default' 
title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1685030467831739999' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1685030467831739999'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1685030467831739999'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/09/network-security-software.html' title='Network Security Software'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-6464404840967036388</id><published>2009-09-21T01:55:00.000-07:00</published><updated>2009-09-21T01:56:52.020-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network coexist'/><category scheme='http://www.blogger.com/atom/ns#' term='network troubleshooting'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='network risk'/><title type='text'>Can peer-to-peer coexist with network security?</title><content type='html'>&lt;p&gt;&lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;Network security&lt;/a&gt; experts have long cautioned about the risk posed by the use of peer-to-peer file sharing by individuals working in corporations, warning that the practice creates holes that let malware in and sensitive data out. 
Their message may be having an impact in the P2P development community.&lt;/p&gt;&lt;p&gt;A trade group representing peer-to-peer file sharing providers next week will publish a report that finds P2P software companies are modifying their programs in an effort to make it harder for users to inadvertently share sensitive information. &lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;em&gt;Elinor Mills&lt;/em&gt;&lt;/strong&gt; (CNET news editor) said: &lt;/p&gt;&lt;p&gt;For corporate IT administrators, that shift can't come soon enough. The problem was highlighted by the recent news that avionics blueprints of President Obama's helicopter had leaked through a peer-to-peer network used by a defense contractor to an IP (Internet Protocol) address in Iran.&lt;/p&gt;&lt;p&gt;This isn't the first time sensitive data has trickled out via popular file sharing networks. Last summer, personal information of some 1,000 former patients of the Walter Reed Army Medical Center was believed to have been leaked via a peer-to-peer network. Sensitive health care and financial data has also been found on file sharing networks, according to studies from Dartmouth College and P2P network monitoring service provider Tiversa, which also uncovered the leaked presidential helicopter data.&lt;/p&gt;&lt;p&gt;Peer-to-peer use at ABN Amro and Pfizer led to the exposure of personally identifiable information of more than 20,000 consumers in 2007. 
And then there was the symbolic slap in the face when politicians called P2P networks a potential "national security threat" at a congressional hearing that summer.&lt;br /&gt;&lt;a href="http://protocolanalyzer.blog.com/files/2009/09/tiversagraphic.png"&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/09/tiversagraphic.png" alt="tiversagraphic" class="alignnone size-full wp-image-151" height="400" width="549" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Minimizing the risk&lt;/strong&gt;&lt;/p&gt;IT administrators need to have a written policy that specifies whether or not employees are allowed to use file sharing. And they need to use perimeter security software, including firewall and intrusion detection, "to lock down the ports used by P2P or to look for specific P2P network traffic," said Tony Bradley, director of security at Evangelyze Communications, a unified communications software and service provider.&lt;br /&gt;&lt;p&gt;Corporations also might consider encrypting sensitive information and using data loss prevention tools to block data leakage, experts said. And if they want to see if any of their data has found its way onto a P2P network, they can hire Tiversa to probe Gnutella, eDonkey and FastTrack file-sharing networks.&lt;/p&gt;&lt;p&gt;Tiversa probes the networks, searching for specific terms and lets customers know when it finds any data out there specific to that firm and helps pinpoint the source of the leak and stop it.&lt;/p&gt;&lt;p&gt;After lawmakers accused them of being part of the problem nearly two years ago, P2P providers and their trade group--the Distributed Computing Industry Association (DCIA)--formed a working group to figure out ways to minimize the risk for P2P users and their networks. 
The DCIA prepared a report dated Thursday on the Inadvertent Sharing Protection Compliance that lists guidelines for better protecting P2P users and percentages of its members who are following them.&lt;/p&gt;&lt;p&gt;The latest version of popular file sharing software, released earlier this year, LimeWire 5, includes a number of the suggested changes and served as a "poster child for compliance," said Marty Lafferty, chief executive of the DCIA.&lt;/p&gt;&lt;p&gt;The report shows 100 percent compliance with the guideline that recommends that default settings prohibit the sharing of user-originated files, while 57 percent of the respondents said they were complying with the guideline to offer a simple way for the user to disable the file-sharing functionality.&lt;/p&gt;&lt;p&gt;Other guidelines, with compliance percentages ranging from 29 percent to 71 percent, included requiring users to select individual files within a folder to share rather than sharing the entire folder, requiring the user to take affirmative steps to share sensitive folders and preventing the sharing of a complete network or external drive or user-specific system folder, such as "Documents and Settings." 
Among the guidelines are requirements for warnings to the user when particular settings might jeopardize security.&lt;/p&gt;&lt;p&gt;We (&lt;a href="http://www.colasoft.com/index.php?prid=01080001"&gt;Colasoft&lt;/a&gt;) focus on providing all-in-one and easy-to-use software solutions for users to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/6464404840967036388/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=6464404840967036388' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/6464404840967036388'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/6464404840967036388'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/09/can-peer-to-peer-coexist-with-network.html' title='Can peer-to-peer coexist with network security?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-4885259252206893515</id><published>2009-09-21T01:42:00.000-07:00</published><updated>2009-09-21T01:50:54.853-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='internet security'/><category scheme='http://www.blogger.com/atom/ns#' term='norton 2010'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='norton 2010 review'/><title type='text'>Norton Internet Security 2010 Review</title><content type='html'>Take a quick glance at the just-released Norton Internet Security 2010, and you won't notice much of a difference from previous incarnations -- the interface and feature set are so similar that it appears that only very minimal changes have been made to the suite. But under the hood is a new reputation-based security technology that the company claims is better positioned to protect against quickly evolving threats than traditional signature-based and behavior-based detection.&lt;br /&gt;&lt;br /&gt;As with previous versions, Symantec's suite offers protection against viruses, Trojans, rootkits, spyware and malware of all kinds. Also, like previous versions, it has a firewall, intrusion protection, e-mail protection and Web protection. It integrates with your browser and search engine to warn you away from visiting sites that might be malicious.&lt;br /&gt;&lt;br /&gt;The suite, despite its hefty feature set, does not take up a good deal of RAM or system resources. It's unlikely that you'll even notice it's running, a welcome change compared to several versions ago when it bogged down your system.&lt;br /&gt;&lt;h3&gt;New reputation-based Quorum&lt;/h3&gt;&lt;br /&gt;Traditionally, security software detects threats by searching for signatures -- distinct code patterns that identify malware -- or by examining the behavior of a piece of software. Symantec claims that these solutions can't keep up with the massive amounts of new malware released every year.&lt;br /&gt;&lt;br /&gt;The company has named its new reputation-based technology Quorum. 
It was designed for a world in which malware threats evolve exceedingly quickly and may be built to last only for a day, because malware writers know that signatures can be released to detect the threat in only 24 hours. Symantec claims that it is these kinds of threats -- those intended to do their damage quickly, before they are caught -- that are the primary dangers today.&lt;br /&gt;&lt;br /&gt;Quorum creates a "reputation" for every piece of software it encounters, basing that reputation on a number of factors, including download source, age, prevalence and digital signature. So, for example, a new file downloaded from a not-well-known Web site that very few people have ever used will be regarded as suspect by Quorum, even if it is not known as a piece of malware and exhibits no suspicious behavior. As a result, one of malware writers' greatest weapons -- their ability to quickly turn out new pieces of malware -- makes it more likely that the new malware will be deemed suspicious by Quorum.&lt;br /&gt;&lt;br /&gt;&lt;img title="NIS 2010" src="http://www.computerworld.com/common/images/site/features/2009/092009/nis_main_sm.jpg" alt="NIS 2010" border="0" /&gt;&lt;br /&gt;&lt;br /&gt;According to Symantec, Quorum relies on data that Symantec has been capturing for years through millions of people who use Norton products and opt in to the Norton Community, sending information anonymously about the applications running on their systems. Quorum uses this information to help calculate its "reputation score" for applications.&lt;br /&gt;&lt;br /&gt;Symantec stresses that it hasn't abandoned other means of catching malware; the reputation score is used in concert with signature-based and behavior-based protection.&lt;br /&gt;&lt;br /&gt;Will the addition of Quorum actually help protect you more than traditional forms of protection? 
We'll only know when labs weigh in with their results.&lt;br /&gt;&lt;h3&gt;Welcome to the familiar interface&lt;/h3&gt;&lt;br /&gt;As I mentioned before, Norton Internet Security 2010 looks very much like the 2009 version, so there will be very little learning curve for those who have already used the product.&lt;br /&gt;&lt;br /&gt;The main screen is now divided into three sections entitled Computer, Network and Web (rather than the previous Computer, Web and Identity). It tells you at a glance the state of your security, notes whether any actions need to be taken, and lets you turn features on and off. As with the previous version, there are monitors on the left-hand side of the screen that show your CPU's current usage and how much of that Norton is taking up.&lt;br /&gt;&lt;br /&gt;If you want a quick glimpse of the state of your security, you'll just use the main screen. But if you're the kind of person who likes to dig deep, you'll find plenty of links here that will lead you to additional data. For example, click the Performance link on the left-hand side, and you'll see a new feature: a page that offers in-depth detail about CPU and RAM use over the last ten minutes, the last half hour, hour-and-a-half, day, week, and month.&lt;br /&gt;&lt;br /&gt;Better yet, another new link on the main page gives you access to detailed information from the suite's System Insight feature. This display shows, over time, any events related to your PC's security, such as virus scans and their results, and new software that you've installed. Using this info, you may be able to track down PC problems yourself -- for example, if you notice unusual behavior, you can check this screen to see if that behavior started after you installed a particular piece of software.&lt;br /&gt;&lt;br /&gt;Another useful feature accessible from the main screen is the Network Security Map. 
It shows you all of the devices attached to your network, and includes information such as the IP address, MAC address, whether they're online, and so on.&lt;br /&gt;&lt;br /&gt;&lt;img title="NIS 2010" src="http://www.computerworld.com/common/images/site/features/2009/092009/nis_performance_sm.jpg" alt="NIS 2010" border="0" /&gt;&lt;br /&gt;&lt;br /&gt;Another feature, the Vulnerability Protection link, is less than useful. It lists programs that Norton has found to have vulnerabilities -- but not necessarily those you have on your PC. The list is generic and lists all software against which Norton offers protection. There's no need ever to check it.&lt;br /&gt;&lt;h3&gt;What's new?&lt;/h3&gt;&lt;br /&gt;Quorum's reputation-based strategy represents the biggest change compared to previous versions, but there have been other changes as well. The suite's anti-spam component features a new engine from enterprise anti-spam vendor Brightmail. Symantec claims that it is 20 percent more effective than the suite's previous anti-spam protection.&lt;br /&gt;&lt;br /&gt;Also included is Norton Safe Web; this service is new to Norton Internet Security but was previously introduced in Norton 360 version 3.0. It works with Google, Yahoo and Bing, and shows whether any sites that turn up in search results are potentially dangerous or untrustworthy.&lt;br /&gt;&lt;br /&gt;In addition, Norton Internet Security 2010 users get a free subscription to OnlineFamily.Norton, a Web-based service that lets parents control what their kids do on the Web.&lt;br /&gt;&lt;h3&gt;The bottom line&lt;/h3&gt;&lt;br /&gt;If you're a user of Norton Internet Security 2009, it's certainly worth going to the newer version, because Quorum will most likely make you safer, and the new features are worthy additions. 
Not only that, but the upgrade is free.&lt;br /&gt;&lt;br /&gt;As for whether to switch to NIS 2010 -- which costs $69.99 for a three-PC license -- from a different Internet protection program, that's a tougher call. The interface is certainly simple and straightforward, and also lets you dig into security details. There's no way to evaluate yet whether the new tools will be more effective than the old ones; only widespread use and exposure to many malware threats will tell.&lt;br /&gt;&lt;br /&gt;For more information about Internet Security, please go to &lt;a href="http://blog.colasoft.com/"&gt;colasoft.blog.com&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/4885259252206893515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=4885259252206893515' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/4885259252206893515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/4885259252206893515'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/09/norton-internet-security-2010-review.html' title='Norton Internet Security 2010 Review'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1131131168313506524</id><published>2009-09-21T01:16:00.000-07:00</published><updated>2009-09-21T01:32:06.639-07:00</updated><title type='text'>Computer Security</title><content type='html'>&lt;span style="font-weight: bold;"&gt;A What is computer security?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/"&gt;Computer security&lt;/a&gt; is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you to determine whether or not someone attempted to break into your system, if they were successful, and what they may have done.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;B Why should I care about computer security?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;We use computers for everything from banking and investing to shopping and communicating with others through email or chat programs.  Although you may not consider your communications "top secret," you probably do not want strangers reading your email, using your computer to attack other systems, sending forged email from your computer, or examining personal information stored on your computer (such as financial statements).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;C Who would want to break into my computer at home?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. 
Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.&lt;br /&gt;&lt;br /&gt;Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target.&lt;br /&gt;&lt;br /&gt;Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;D How easy is it to break into my computer?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Unfortunately, intruders are always discovering new vulnerabilities (informally called "holes") to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems.&lt;br /&gt;&lt;br /&gt;When holes are discovered, computer vendors will usually develop patches to address the problem(s). However, it is up to you, the user, to obtain and install the patches, or correctly configure the software to operate more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users kept their computers up-to-date with patches and security fixes.&lt;br /&gt;&lt;br /&gt;Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. 
Examples include chat programs that let outsiders execute commands on your computer or web browsers that could allow someone to place harmful programs on your computer that run when you click on them.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 102, 255);"&gt;From &lt;span style="font-style: italic;"&gt;cert.org&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Computer security is a branch of technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.&lt;br /&gt;&lt;br /&gt;The technologies of computer security are based on logic. As security is not necessarily the primary goal of most computer applications, designing a program with security in mind often imposes restrictions on that program's behavior.&lt;br /&gt;&lt;br /&gt;There are several approaches to security in computing, sometimes a combination of approaches is valid:&lt;br /&gt;&lt;br /&gt;1. Trust all the software to abide by a security policy but the software is not trustworthy (this is computer insecurity).&lt;br /&gt;2. Trust all the software to abide by a security policy and the software is validated as trustworthy (by tedious branch and path analysis for example).&lt;br /&gt;3. Trust no software but enforce a security policy with mechanisms that are not trustworthy (again this is computer insecurity).&lt;br /&gt;4. Trust no software but enforce a security policy with trustworthy mechanisms.&lt;br /&gt;&lt;br /&gt;Many systems have unintentionally resulted in the first possibility. Since approach two is expensive and non-deterministic, its use is very limited. Approaches one and three lead to failure. 
Because approach number four is often based on hardware mechanisms and avoids abstractions and a multiplicity of degrees of freedom, it is more practical. Combinations of approaches two and four are often used in a layered architecture with thin layers of two and thick layers of four.&lt;br /&gt;&lt;br /&gt;There are various strategies and techniques used to design security systems. However, there are few, if any, effective strategies to enhance security after design. One technique enforces the principle of least privilege to a great extent, where an entity has only the privileges that are needed for its function. That way, even if an attacker gains access to one part of the system, fine-grained security ensures that it is just as difficult for them to access the rest.&lt;br /&gt;&lt;br /&gt;Furthermore, by breaking the system up into smaller components, the complexity of individual components is reduced, opening up the possibility of using techniques such as automated theorem proving to prove the correctness of crucial software subsystems. This enables a closed form solution to security that works well when only a single well-characterized property can be isolated as critical, and that property is also assessable to math. Not surprisingly, it is impractical for generalized correctness, which probably cannot even be defined, much less proven. Where formal correctness proofs are not possible, rigorous use of code review and unit testing represents a best-effort approach to make modules secure.&lt;br /&gt;&lt;br /&gt;The design should use "defense in depth", where more than one subsystem needs to be violated to compromise the integrity of the system and the information it holds. Defense in depth works when the breaching of one security measure does not provide a platform to facilitate subverting another. Also, the cascading principle acknowledges that several low hurdles do not make a high hurdle. 
So cascading several weak mechanisms does not provide the safety of a single stronger mechanism.&lt;br /&gt;&lt;br /&gt;Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure" (see fail safe for the equivalent in safety engineering). Ideally, a secure system should require a deliberate, conscious, knowledgeable and free decision on the part of legitimate authorities in order to make it insecure.&lt;br /&gt;&lt;br /&gt;In addition, security should not be an all or nothing issue. The designers and operators of systems should assume that security breaches are inevitable. Full audit trails should be kept of system activity, so that when a security breach occurs, the mechanism and extent of the breach can be determined. Storing audit trails remotely, where they can only be appended to, can keep intruders from covering their tracks. Finally, full disclosure helps to ensure that when bugs are found the "window of vulnerability" is kept as short as possible.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;&lt;span class="mw-headline" id="Early_history_of_security_by_design"&gt;Early history of security by design&lt;/span&gt;&lt;/h3&gt;The early Multics operating system was notable for its early emphasis on computer security by design, and Multics was possibly the very first operating system to be designed as a secure system from the ground up. In spite of this, Multics' security was broken, not once, but repeatedly. 
The strategy was known as 'penetrate and test' and has become widely known as a non-terminating process that fails to produce computer security.[citation needed] This led to further work on computer security that prefigured modern security engineering techniques producing closed form processes that terminate.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 51, 204);"&gt;From WikiPedia&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-1131131168313506524?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1131131168313506524/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1131131168313506524' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1131131168313506524'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1131131168313506524'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/09/computer-security.html' title='Computer Security'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-580267130644775324</id><published>2009-08-25T02:13:00.000-07:00</published><updated>2009-08-25T02:16:58.552-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='traffic monitor'/><category 
scheme='http://www.blogger.com/atom/ns#' term='network sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='network administrator'/><category scheme='http://www.blogger.com/atom/ns#' term='worm'/><title type='text'>New Worm Installs Network Traffic Sniffer</title><content type='html'>A new worm whose payload includes the SDBot trojan tries to install a "sniffer," seeking to use infected computers to capture login and banking information for other computers on the same network. While sniffers are hardly new, the bundling of a sniffer with an auto-propagating worm is a new wrinkle, according to security firms.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/capsa?prid=01060001"&gt;Sniffers&lt;/a&gt; are devices that monitor network traffic, and are a useful network administration tool. They can also be useful to hackers, who install them on compromised computers to monitor and intercept packets flowing through a network. This in turn enables the attacker to capture unencrypted usernames and passwords, which can be used to compromise additional machines on the network.&lt;br /&gt;&lt;br /&gt;The sniffing capabilities of the new Worm-SDBot were &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?" vname="'WORM_SDBOT.UH&amp;amp;VSect="&gt;documented by Trend Micro&lt;/a&gt;, and include a list of phrases associated with logins for network administration or Paypal accounts. "If the trojans described by Trend can successfully transmit the filter's packet captures back to the owner, they are going to cause problems well beyond typical bot infestation issues," according to the &lt;a href="http://isc.sans.org/diary.php?date=2004-09-12"&gt;Internet Storm Center&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Malicious sniffers can be difficult to detect because their activity involves collecting packets, rather than transmitting them. 
Checking to see whether a network card is set in promiscuous (sniffing) mode is a common approach for users concerned about their own machines. Tools for detecting sniffers elsewhere on a network include &lt;a href="http://www.wireshark.org/"&gt;WireShark&lt;/a&gt; and &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;Capsa&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-580267130644775324?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/580267130644775324/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=580267130644775324' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/580267130644775324'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/580267130644775324'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/new-worm-installs-network-traffic.html' title='New Worm Installs Network Traffic Sniffer'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-7022369218317979734</id><published>2009-08-24T02:27:00.000-07:00</published><updated>2009-08-24T02:29:00.854-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MAC Scanner'/><category scheme='http://www.blogger.com/atom/ns#' term='network 
administrator'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='wireshark'/><category scheme='http://www.blogger.com/atom/ns#' term='capsa network analyzer'/><title type='text'>5 Tools That Every Network Administrator Should Have</title><content type='html'>Every &lt;strong&gt;network administrator&lt;/strong&gt; has their own set of tools that they like to use on a daily basis to help them do their job. Here I list the 5 tools I like most.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/?prid=01060001"&gt;&lt;strong&gt;Network Analyzer&lt;/strong&gt;&lt;/a&gt; - There are actually two sniffer applications that I keep in my toolbox, &lt;a href="http://www.wireshark.org/"&gt;WireShark&lt;/a&gt; and &lt;a href="http://www.colasoft.com/capsa/prid=01060001"&gt;Capsa Network Analyzer&lt;/a&gt;. Each program can satisfy my different needs; the difference is that Wireshark has more functionality when it comes to filters. But the strength of Capsa Network Analyzer, from my point of view, is the user interface. It presents the data in an extremely easy-to-read way, such that you don’t need to be a hard-core network engineer to see what’s happening. And the pretty graphs will make me happy.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;PuTTY&lt;/strong&gt; - PuTTY is a very versatile telnet application for use when you spend a lot of your day working on Cisco equipment. PuTTY allows a number of different ways to connect to a piece of equipment including Raw, Telnet, Rlogin, SSH, and, with the newest version of PuTTY, Serial connection. The newest Serial option becomes very handy for network administrators since HyperTerm is no longer available with Windows Vista and you still need a serial connection for new routers and switches. 
PuTTY is also very customizable and can be run from a USB drive without installing anything onto the computer.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;PumpKIN&lt;/strong&gt; - PumpKIN is a free FTP server program that you can download and use to host your computer as an FTP server. I use this program mainly for transferring Cisco images back and forth from the switch or router to my computer. This program becomes very valuable when you have a switch or router down that you need to get back up quickly.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;MAC Scanner Pro&lt;/strong&gt; - &lt;a href="http://www.colasoft.com/mac_scanner/?prid=01060001"&gt;Colasoft MAC Scanner Pro&lt;/a&gt; has some advanced features; apart from scanning MAC addresses and IP addresses, the most practical feature is that it allows users to export or print the scanning results.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;NetStumbler&lt;/strong&gt; - NetStumbler was one of the first "Wardriving" programs you could get to pick up other people's wireless networks. I use this tool on a regular basis for the opposite reason: I want to be able to check for rogue access points on my network. I simply use this little tool and walk around all of my offices and see what wireless devices pop up. I have found a couple of employees who wanted to work outside or away from their office and added a wireless AP so they could.&lt;br /&gt;&lt;br /&gt;So those are 5 tools I believe every network administrator should have in their toolkit. 
For their ease of use, small size, and versatility they made my top 5 tools.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-7022369218317979734?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/7022369218317979734/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=7022369218317979734' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/7022369218317979734'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/7022369218317979734'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/5-tools-that-every-network.html' title='5 Tools That Every Network Administrator Should Have'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-5010789099373671627</id><published>2009-08-21T01:35:00.000-07:00</published><updated>2009-08-21T01:43:14.830-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='capsa network analyzer'/><title type='text'>The 7 Most Common Mistakes Using Network Analyzers</title><content type='html'>&lt;a href="http://www.colasoft.com/?prid=01060001"&gt;&lt;img style="MARGIN: 0px 0px 10px 10px; WIDTH: 125px; FLOAT: right; HEIGHT: 125px; CURSOR: hand" 
id="BLOGGER_PHOTO_ID_5371978053256041458" border="0" alt="Colasoft Capsa network analyzer" src="http://4.bp.blogspot.com/_LCrZaQE-Vo8/So0Zk9WFU_I/AAAAAAAAFFw/DjP9K6bL3Hk/s400/125_125_2.gif" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;1) &lt;strong&gt;Over-Believing the Software's "Intelligence" without understanding how it makes determinations&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;Software default settings are very seldom correct for YOU. For example, a device may say that a SQL server should respond in 50ms. But, if that device is across a WAN with a 200ms ping time--that is highly unlikely. This causes false SLOW SQL messages. This is only an example, but there are many such alerts and messages based on default "thresholds" within this type of software tool's configuration.&lt;/p&gt;&lt;p&gt;Particulars of your environment may create false alerts or other messages. The definitions of what is an "excessive" delay--latency--broadcasts, etc, are up to you--not the tool.&lt;/p&gt;&lt;p&gt;It's important for you to know the default settings driving alerts and messages. Then, ignore or alter those alerts that are not set best--for your enterprise. Altering them to make the appropriate settings for your enterprise is the best strategy. Too many false flags or alerts numb you into ignoring important ones or--cause you to make serious errors and incorrect decisions that can be Very Very expensive.&lt;/p&gt;&lt;p&gt;Properly used, those features can save enormous amounts of time and show things your own eye would likely miss.&lt;/p&gt;&lt;p&gt;2) &lt;strong&gt;Not understanding the Protocols used, such as &lt;a href="http://www.colasoft.com/resources/protocol.php?id=TCP/?prid=01060001"&gt;TCP&lt;/a&gt;, &lt;a href="http://www.colasoft.com/resources/protocol.php?id=HTTP/?prid=01060001"&gt;HTTP&lt;/a&gt;, etc&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;What good is a tool that tells you information about how a protocol is behaving if you do not understand the underlying technology? 
By this I mean the RFCs for the protocols that are relevant to your concerns.&lt;/p&gt;&lt;p&gt;---What is the impact of various protocols working differently for the same application doing the same transaction--in different locations?&lt;/p&gt;&lt;p&gt;---What is expected according to specs--and how is your trace file showing different--or less optimal behavior?&lt;/p&gt;&lt;p&gt;---Why would there be 2 TCP connections from one location and 10 from another--for the same application doing the same transaction?&lt;/p&gt;&lt;p&gt;This short article cannot answer all these questions--but it can show you the types of information that you will need to understand in order to make sense out of the data a trace file will show you. Know the protocols well. Deep understanding of TCP is the basic price of admission. While you may consider this a matter of skill sets, my point is that attempting to troubleshoot a problem with a packet-sniffer while not understanding the protocols is a mistake--and a common one. If you add this point to the first one listed--about not believing all the standard settings on tools--you find that the tool cannot answer anything for you by itself. You need to know what you are looking at. You are the analyst--the tool is just an aid.&lt;/p&gt;&lt;p&gt;3) &lt;strong&gt;Not understanding the layer 1 and layer 2 aspects of the topology you are sniffing&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;Ethernet and all other topologies have many different specifications, which are altered or outright ignored by many switch or other network device manufacturers. You must know the specs and how the hardware you are working with applies those specs--or doesn't apply them. A classic example is Spanning Tree. There are IEEE specifications for Spanning-Tree but those specifications are just a model...not a law. Each manufacturer has tweaked it in order to create some proprietary advancement to give them a competitive advantage. 
Sometimes, those advances become the new spec. However, you need to know what is standard and how your equipment varies on that theme. What good is seeing the BPDUs in a trace file if you don't understand what they contain or how it relates to the problem at hand? Again, this may be looked at as a skill set issue but--expecting to solve critical problems with a packet-sniffer while not knowing this about your network is a mistake.&lt;/p&gt;&lt;p&gt;4) &lt;strong&gt;Uni-directional SPANs or Port Mirroring &amp;amp; Single-sided trace files&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;Often the switch port used by a server you need to monitor is incapable of providing a bi-directional SPAN (Port Mirror). If so, you cannot get answers from such a trace as it will miss critical information. It can be an oversight by the Engineer doing the trace but sometimes it is simply not understood to be such a critical concern--and ignored. Either way, when you have a situation like this you need to bite the bullet and put in a Change Order to get it moved to a fully bi-directionally mirror-able port before any serious analysis can be done.&lt;/p&gt;&lt;p&gt;Here is a good example of why this is so. Picture a Client and a Server. The Server wants to end a specific TCP connection and keeps sending FINs. Yet, we never see the Client send back a FIN ACK. We do see other traffic between them and know that there is connectivity. So, here are the questions:&lt;/p&gt;&lt;p&gt;--Are the FINs not arriving at the Client--or--is the Client receiving them and appropriately sending back the FIN ACK--which are not getting back successfully?&lt;/p&gt;&lt;p&gt;----If so, then it is most likely a network issue.&lt;/p&gt;&lt;p&gt;--Are the FINs arriving successfully--but being ignored by the Client?&lt;/p&gt;&lt;p&gt;---If so, then it is most likely a Server or OS or Data Center issue.&lt;/p&gt;&lt;p&gt;These questions cannot be answered with a trace file that only sees one side of the conversation. 
Two traces, synchronized, are needed to determine the answer to these questions.&lt;/p&gt;&lt;p&gt;5) &lt;strong&gt;Incorrect filters--either Capture or Display&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;An important concept here is that filters add nothing--they only remove--they only filter out. When you say that you are "filtering for" what you mean is that you are "filtering out" everything else. This isn't just semantics as understanding this perspective is critical to success.&lt;/p&gt;&lt;p&gt;Capture Filters:&lt;/p&gt;&lt;p&gt;Capture Filters are irreversible. If you filtered out something that you need to see--you just aren't going to see it. There is no second chance without running the test again.&lt;/p&gt;&lt;p&gt;Capture Filters determine what is allowed in the Capture Buffer. If the data is there to see--great. If you filtered what you need out--you can't change the filter after the fact. A very experienced Protocol Analyst may notice the problem by seeing anomalies that amount to the shadow of the missing data--but most will not be able to tell. And, of course, even if you can tell--you still have to re-test.&lt;/p&gt;&lt;p&gt;This might lead you to think that you should not use Capture Filters--and that is half true. If you don't really need them--don't use them. However, if you are drinking your packets out of the Fire Hydrant--you have no choice. Under those conditions the data will fill up your Capture Buffer in less than a single second.&lt;/p&gt;&lt;p&gt;Another point is that they should be consistent within a Test Design. If they vary too much, they will create false differences that can easily lead the Network and Application Performance Analyst or Protocol Analyst astray.&lt;/p&gt;&lt;p&gt;Monitor Filters:&lt;/p&gt;&lt;p&gt;Monitor Filters are forgiving. They work the same way--in that they filter out, not in. However, you can change your mind. 
The data is in the can (trace file) and it is only a matter of changing the filter to see what was filtered out the last time. Many times I am stumped and then have an idea--go back and change my Capture Filters--and bam! There is the answer. The point is--incorrect Monitor Filters will just as easily lead you astray--but you still have the opportunity to find your way back since the data is still there.&lt;/p&gt;&lt;p&gt;Again, this might leave you thinking to avoid Monitor Filters. Don't even consider it. Removing irrelevant packets is required to properly measure distinct conversations and search for anomalies. In fact, understanding proper filtering is what using the packet-sniffer software is all about.&lt;/p&gt;&lt;p&gt;6) &lt;strong&gt;Lack of understanding the &lt;a href="http://www.colasoft.com/?prid=01060001"&gt;Network-Analyzer&lt;/a&gt;'s CURRENT settings&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;Monday, you created a Capture Filter and left it as the default. Friday you need to capture a trace file and click on Capture. Various people perform their roles in the test and you save the trace file. Everyone goes home, back to their main job function or to bed. Then you look at it and discover that you didn't realize that the old Capture Filter was still in effect! Why? You altered the Default Capture File instead of creating a new one. Your Trace File is useless.&lt;/p&gt;&lt;p&gt;Always remember to review ALL settings before beginning a test. Additionally, run a practice test to make sure all filters and settings are as they should be.&lt;/p&gt;&lt;p&gt;Sometimes the error you discover is that you were given an incorrect IP address and that you never would find what you are looking for from the IP address from which you are capturing packets. That is a GOOD finding. It means someone's diagram is incorrect. 
It also means you prevented a useless round of testing.&lt;/p&gt;&lt;p&gt;7) &lt;strong&gt;Lack of test controls&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;Like any proper experiment, a performance or application test requires a control group and controlled data for all groups. If it was a pharmaceutical test you might have a group with a placebo. In our field we need to create a "BESTline" first. A "Bestline" is not a baseline.&lt;/p&gt;&lt;p&gt;Here is an example.&lt;/p&gt;&lt;p&gt;You have a Client in Singapore and a Server in New York City. The client in Singapore takes 40 milliseconds to execute a transaction and European clients only need 30 milliseconds. Singapore, although farther away, has a faster connection and is expected to get it done in the same time as Europe. What now? Take a BESTline. Use a client in New York City running the same transaction in the same way on similar equipment on the same server as the other two tests. You may discover that it still takes 25 milliseconds! This may be due to various issues in the Data Center, Server or PC itself; 25 milliseconds is the fastest it goes!&lt;/p&gt;&lt;p&gt;This means that the first 25 milliseconds have nothing to do with the transport distance or speed. It DOESN'T mean that you have to accept those 25 milliseconds. There is a great deal that can be done about it. However, it is not the network and you now know you have to focus on the Server, PC, Data Center and other components.&lt;/p&gt;&lt;p&gt;Such controls are easy to do--yet seldom done. 
That common error results in many false leads and false errors as well as lost time and money.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-5010789099373671627?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/5010789099373671627/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=5010789099373671627' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/5010789099373671627'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/5010789099373671627'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/7-most-common-mistakes-using-network.html' title='The 7 Most Common Mistakes Using Network Analyzers'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_LCrZaQE-Vo8/So0Zk9WFU_I/AAAAAAAAFFw/DjP9K6bL3Hk/s72-c/125_125_2.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-4964346318966993102</id><published>2009-08-19T01:36:00.000-07:00</published><updated>2009-08-19T01:40:39.412-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category 
scheme='http://www.blogger.com/atom/ns#' term='network loopholes'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='security loopholes'/><title type='text'>How to Discover Network Security Loopholes</title><content type='html'>&lt;p align="left"&gt;There is an illusion today towards discovering the loopholes in a network as wonders of global connectivity unfold. Such diversity seems to call for the need for companies to invest more in training their network operators on discovery of network loopholes. Simultaneously, there also exist at large sophisticated hackers and crackers, who spend sleepless nights contemplating how to accurately discover security loopholes in a network, enabling them to penetrate it. This calls for network security managers who have the ability to hack into their own systems first.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;These few challenges are the main forces driving research on discovering network security loopholes and, as technological advances emerge, the cat and mouse game continues between attackers and protectors.&lt;br /&gt;&lt;br /&gt;The major method that is being employed in most networks today to discover security loopholes is Penetration Testing, as is examined below.&lt;/p&gt;&lt;br /&gt;&lt;h3 align="left"&gt;&lt;span style="color:#666666;"&gt;Penetration Testing&lt;/span&gt;&lt;/h3&gt;&lt;br /&gt;&lt;p align="justify"&gt;This can be defined as a process of actively testing information security measures. Organisations prefer to perform penetration tests to identify the threats facing them and resolve their vulnerabilities and weaknesses.&lt;/p&gt;&lt;br /&gt;&lt;p align="justify"&gt;There are different types of penetration tests available. They are:&lt;/p&gt;&lt;br /&gt;&lt;p align="justify"&gt;i. 
External Penetration Testing&lt;br /&gt;&lt;br /&gt;This is the oldest approach to testing and is mainly focused on the servers, infrastructure and software present in the target system. This type of testing is usually performed either with no prior knowledge of the site or with total knowledge of the network topology.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;ii. Internal Security Assessment&lt;br /&gt;&lt;br /&gt;This approach is similar to external penetration testing, with the addition of a security report on the site. This testing is typically performed from a number of access points representing the different network segments.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;iii. Application Security Assessment&lt;br /&gt;&lt;br /&gt;This identifies and assesses threats to an organisation through software applications that might provide interactive access to potentially sensitive materials. It is essential that the applications are assessed to ensure that they do not expose the servers and the software to attack.&lt;/p&gt;&lt;br /&gt;&lt;p align="justify"&gt;iv. Telephony Security Assessment&lt;br /&gt;&lt;br /&gt;This assessment addresses security concerns relating to corporate voice technologies.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;v. Social Engineering Security Assessment&lt;br /&gt;&lt;br /&gt;This assessment addresses social engineering, which is a non-technical kind of intrusion.&lt;br /&gt;&lt;br /&gt;For more information about penetration testing, a great website with lots of information is penetration-testing.com. &lt;/p&gt;&lt;br /&gt;&lt;h3 align="left"&gt;&lt;span style="color:#666666;"&gt;Network Analysing&lt;/span&gt;&lt;/h3&gt;&lt;br /&gt;&lt;p align="left"&gt;After penetration testing, it is quite easy to detect and confirm the network problems with a &lt;a href="http://www.colasoft.com/index.php?prid=01060001"&gt;network sniffer/analyzer&lt;/a&gt;. 
With the professional data capturing technology and comprehensive capability of network analyzing, &lt;a href="http://www.colasoft.com/index.php?prid=01060001"&gt;Colasoft Network Analyzer&lt;/a&gt; will help you monitor your network within seconds and maximize your network value.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-4964346318966993102?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/4964346318966993102/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=4964346318966993102' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/4964346318966993102'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/4964346318966993102'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/how-to-discover-network-security.html' title='How to Discover Network Security Loopholes'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-4097397962687879528</id><published>2009-08-18T03:03:00.000-07:00</published><updated>2009-08-18T03:07:45.785-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category 
scheme='http://www.blogger.com/atom/ns#' term='network private'/><title type='text'>Are You Being Watched?</title><content type='html'>&lt;em&gt;&lt;span style="color:#666666;"&gt;by Brett Glass -- pcmag.com&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;p&gt;How private is your PC data? Thanks to the proliferation of Internet worms and hardware and software spying tools, the erosion of loyalty between corporations and their employees, and the 9/11 disaster (which has caused many to value security over privacy and civil rights), the likelihood is greater than ever that your computer is reporting your every move to a suspicious spouse, a government agency, an employer, or the entire world. In this article, we'll cover the most prevalent spying hardware and software and explain how it can be used, abused, and detected.&lt;/p&gt;&lt;p&gt;A hardware key logger is a device that captures keystrokes en route from keyboard to PC. KeyGhost (www.keyghost.com), a New Zealand company, offers two hardware key loggers. The first is an inconspicuous cable that runs from the keyboard to the PC (prices start at $139 and go up to $409 direct). The second is a keyboard with the logging hardware tucked entirely inside the case ($189 and up). &lt;/p&gt;&lt;p&gt;The company claims to have a wide variety of bugged keyboards ready-made to match many brands of computers. If your existing keyboard is unique, KeyGhost will modify it and return it with the logger hidden inside. Both the internal and external versions have maximum capacities of about 2MB—enough memory to capture as much as a year's worth of typing. The Spy Store (www.thespystore.com/pcsurveillance.htm) shows a more compact external key logger ($139 direct). It has a smaller memory capacity, but its capabilities are otherwise similar.&lt;/p&gt;&lt;p&gt;Hardware key loggers usually can't be detected by software and may be tough for non-technical users to spot. 
They're also compatible with most operating systems and don't require complicated installations. The main drawback is that they can't capture the information that appears on the screen but isn't typed in by the user. So hardware devices are best used to sniff out small but vital pieces of information, such as passwords.&lt;/p&gt;&lt;p&gt;Although keystroke-logging hardware is relatively new, software that performs the same function is not. In 1988, I implemented a primitive network keystroke logger as a DOS TSR, using the NetBIOS protocol. My motivation at the time was not to spy but to ensure that my programming work was preserved on another machine in the event of a system crash.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;But today's spying programs do much more than log keystrokes. Spying software can be selective about the data it captures; administrators can set the software to skim information and then capture more data when certain criteria are met. WinWhatWhere Investigator (www.winwhatwhere.com), a major product in the monitoring market, captures keystrokes, e-mails information about your activities when key phrases are entered, and even renames itself and changes its location at random. If the victim's machine has a Webcam connected, WinWhatWhere snaps pictures periodically and sends them out surreptitiously.&lt;/p&gt;&lt;p&gt;SpectorSoft (www.spectorsoft.com) makes Spector Pro, which captures screen shots, records e-mail and chat sessions, and logs keystrokes. In short, if something of interest to you happens on a user's machine, you will not only know what the person typed, you'll have logs of e-mail and chat room conversations and pictures of the screen. &lt;/p&gt;&lt;p&gt;Competing products such as D.I.R.T., from Codex Data Systems (www.codexdatasystems.com/menu.html), offer similar features. And several keystroke logger programs are freely available for download from many shareware archives. 
Logging software is easier to detect via system diagnostic tools, however, and may be wiped off the hard drive by reconfiguring or reinstalling the operating system.&lt;/p&gt;&lt;p&gt;In some cases, spying software may be installed as a virus, worm, or Trojan horse that arrives via e-mail or an infected file. BackOrifice, a program created by a group of rogue hackers called The Cult of the Dead Cow, can be installed in this way and can spy on and even commandeer the victim's system. Several recent worms, including Badtrans.B, attempt to capture passwords and credit card information from users' systems and forward the information to the worms' creators via e-mail or Internet relay chat (IRC).&lt;/p&gt;&lt;p&gt;Another spying technique uses a &lt;a href="http://www.colasoft.com/capsa?prid=01060001"&gt;&lt;strong&gt;network sniffer&lt;/strong&gt;&lt;/a&gt; (usually a computer running special software) installed on the same LAN as the victim's computer or upstream between the victim's computer and the Internet. The sniffer taps and records the raw data flowing between the victim and other machines; this data can be scanned later.&lt;/p&gt;&lt;p&gt;Only a few Internet protocols use encryption. E-mail is most often sent and retrieved as plain text, and the password needed to break into someone's electronic mailbox is very rarely encrypted. If encryption is used, a key logger can often be used to discover the password that unlocks the data.&lt;/p&gt;&lt;p&gt;The FBI's Carnivore system, which is installed at ISP facilities to collect evidence, is one example of a network sniffer. Civilian tools that can sniff LAN traffic—even on networks supposedly protected from monitoring by network switches—are widely available for free via the Internet.&lt;/p&gt;&lt;p&gt;Even if the party who wants to spy on you has no physical access to your network, you cannot necessarily rest easy. 
A cracker who manages to gain control of any vulnerable system on your network can set it up to sniff traffic from the rest of the network. And recently revealed bugs in most implementations of SNMP (Simple Network Management Protocol) may provide an easy way for intruders to take over managed hubs and switches, routers, print servers, and network appliances. (For more on these bugs, see the CERT advisory.)&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-4097397962687879528?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/4097397962687879528/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=4097397962687879528' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/4097397962687879528'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/4097397962687879528'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/are-you-being-watched.html' title='Are You Being Watched?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-5326921597144646319</id><published>2009-08-16T23:08:00.000-07:00</published><updated>2009-08-16T23:12:31.729-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Monitoring'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Network Management'/><category scheme='http://www.blogger.com/atom/ns#' term='colasoft capsa network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='network administrator'/><category scheme='http://www.blogger.com/atom/ns#' term='network managers'/><title type='text'>Understandings Network Management and Network Monitoring</title><content type='html'>&lt;p&gt;Network management may mean different things to different people. To some, network management may be a network consultant monitoring network activity with a &lt;strong&gt;Network analyzer&lt;/strong&gt; (&lt;a href="http://www.colasoft.com/?prid=01060001"&gt;Colasoft Capsa Network Analyzer&lt;/a&gt;); to others, network management may be about distributed database, high-end workstations generating and traffic. Speaking generally, network management is a service that uses a wide range of devices, tools, and applications to enable &lt;strong&gt;network managers&lt;/strong&gt; to &lt;strong&gt;monitor and maintain networks successfully &amp;amp; efficiently&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Network management deals with the top-level administration and maintenance of large, widespread networks, commonly seen in the field of computers or telecommunications, which may include user terminal equipment.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Network management executes functions such as security, control, allocation, monitoring, coordination, deployment and planning, to name a few. It is also worth noting that network management is supported by several protocols, including SNMP, Common Information Model, CMIP, WBEM, Transaction Language 1, Java Management Extensions, and Netconf.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Routing is also an important area of network management. Routing refers to the process of selecting the paths in a computer network on which to send data. 
In this arena of network management, logically addressed packets are transported from their source to their destination through intermediate nodes called routers, in a process termed forwarding.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Successful network management also uses accounting management. This controls and reports on the financial status of the network. This area of network management involves bank account maintenance, financial statement development, and analysis of cash flow and financial health.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Network Monitoring&lt;/strong&gt;, in turn, is about policing network traffic. In other words, network monitoring is spying for the benefit of the smooth working of network management. Network monitoring is part of network management. Ideally, network monitoring is a function that one of your systems performs on an ongoing basis. While the other systems are performing the functions assigned to them, one should set aside at least one computer to monitor network activity. This is network monitoring in a nutshell.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;The computer performing &lt;a href="http://www.colasoft.com/capsa/how_to_monitor_network_traffic.php/?prid=01060001"&gt;network monitoring&lt;/a&gt; must always be kept on, which means that the &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;network monitoring system&lt;/a&gt; should have exclusive power lines or a backup generator facility. Everyone should understand that the network monitoring system is the most critical part of any network, because it is with the help of network monitoring that the alarm will be sent if something is wrong.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Network monitoring will identify slow or failing systems and notify the &lt;strong&gt;network administrator&lt;/strong&gt; of such lapses. 
Issues like overloaded systems, crashing of servers, network connections being lost, virus infections, and power outages will be dealt with without losing time if network monitoring is in place.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-5326921597144646319?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/5326921597144646319/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=5326921597144646319' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/5326921597144646319'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/5326921597144646319'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/understandings-network-management-and.html' title='Understandings Network Management and Network Monitoring'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-3779640450670868851</id><published>2009-08-16T22:55:00.000-07:00</published><updated>2009-08-16T23:00:07.688-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='colasoft capsa network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='SMTP traffic'/><category scheme='http://www.blogger.com/atom/ns#' term='network administrator'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Spam'/><category scheme='http://www.blogger.com/atom/ns#' term='network traffic'/><title type='text'>How to Protect Your Network from Spam?</title><content type='html'>&lt;p&gt;According to the July 2009 edition of the MessageLabs Intelligence Report, spam remains a major problem. In fact, it has reached up to 90%; some European countries are higher, up to 95%.&lt;/p&gt;&lt;p&gt;Three main problems caused this bad situation. &lt;/p&gt;&lt;ul type="disc"&gt;&lt;li&gt;The use of automated tools: Spammers use automated tools to generate email addresses based on domain names.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;URL-shortening spam: Many social networking sites now offer URL-shortening services to users, and 6.2% of spam emails contain shortened URLs to mask unsafe destinations.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;International problem: Contrary to the belief that the sources of spam emails are outside the United States, according to the July statistics at least 86% of all e-mails sent in the US are spam.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;As network administrators, what can we do to mitigate the effect of spam?&lt;/p&gt;&lt;p&gt;Well, there are two specific network methods you may take.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Traffic management&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;You should install a network analyzer like &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;&lt;strong&gt;Colasoft Capsa network analyzer&lt;/strong&gt;&lt;/a&gt; in your network; it will help you &lt;a href="http://www.colasoft.com/capsa/how_to_monitor_network_traffic.php/?prid=01060001"&gt;&lt;strong&gt;monitor network traffic&lt;/strong&gt;&lt;/a&gt; in real time, especially the SMTP traffic this article is concerned with. Traffic management entails reducing overall message volume by relying on techniques that are implemented at the &lt;strong&gt;protocol level&lt;/strong&gt;. 
Essentially, unwanted senders are identified and their connections dramatically throttled using features that are inherent to the &lt;strong&gt;TCP protocol&lt;/strong&gt;. This allows incoming volumes of spam to be slowed, allowing legitimate mail an opportunity to be processed and expedited by the mail server.&lt;/p&gt;&lt;p&gt;This technique is obviously effective, but it is nevertheless useful to reduce the effect of DoS-style e-mail flooding.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Connection management&lt;/strong&gt; &lt;/p&gt;&lt;p&gt;Another method would be the use of connection management techniques. An example would be for incoming SMTP connections from sources known for sending spam and malware to be immediately rejected. Such blacklists can be applied at the firewall level and could also include open proxies or known botnets.&lt;/p&gt;&lt;p&gt;The obvious benefit of connection management is that mail servers do not even have to waste processor cycles to deal with the incoming spam.&lt;/p&gt;&lt;p&gt;Do you have other methods? 
Let's share our knowledge here!&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-3779640450670868851?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/3779640450670868851/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=3779640450670868851' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3779640450670868851'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3779640450670868851'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/how-to-protect-your-network-from-spam.html' title='How to Protect Your Network from Spam?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-3043395344374282969</id><published>2009-08-16T22:52:00.000-07:00</published><updated>2009-08-16T22:54:08.614-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='switch'/><category scheme='http://www.blogger.com/atom/ns#' term='network data'/><category scheme='http://www.blogger.com/atom/ns#' term='hub'/><title type='text'>What is the difference between an Ethernet hub and switch?</title><content type='html'>&lt;p class="STYLE2" align="left"&gt;Although hubs and switches 
both glue the PCs in a network together, a switch is more expensive and a network built with switches is generally considered faster than one built with hubs. Why?&lt;/p&gt;&lt;table border="0" width="1194"&gt;&lt;br /&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td width="948"&gt;&lt;span class="STYLE2"&gt;When a hub receives a packet (chunk) of data (a frame in Ethernet lingo) at one of its ports from a PC on the network, it transmits (repeats) the packet to all of its ports and, thus, to all of the other PCs on the network. If two or more PCs on the network try to send packets at the same time, a collision is said to occur. When that happens, all of the PCs have to go through a routine to resolve the conflict. The process is prescribed in the Ethernet Carrier Sense Multiple Access with Collision Detection (CSMA/CD) protocol. Each Ethernet adapter has both a receiver and a transmitter. If the adapters didn't have to listen with their receivers for collisions, they would be able to send data at the same time they are receiving it (full duplex). Because they have to operate at half duplex (data flows one way at a time) and a hub retransmits data from one PC to all of the PCs, the maximum bandwidth is 100 Mhz and that bandwidth is shared by all of the PCs connected to the hub. The result is that when a person using a computer on a hub downloads a large file or group of files from another computer, the network becomes congested. In a 10 Mhz 10Base-T network the effect is to slow the network to nearly a crawl. 
The effect on a small, 100 Mbps (million bits per second), 5-port network is not as significant.&lt;/span&gt;&lt;/td&gt;&lt;br /&gt;&lt;td width="230"&gt;&lt;img class="alignright size-full wp-image-117" alt="xoverpin1" src="http://protocolanalyzer.blog.com/files/2009/08/xoverpin1.gif" width="223" height="96" /&gt;&lt;/td&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table border="0" width="1194"&gt;&lt;br /&gt;&lt;tbody&gt;&lt;tr&gt;&lt;br /&gt;&lt;td width="953"&gt;&lt;p class="STYLE2" align="left"&gt;Two computers can be connected directly together in an Ethernet with a &lt;a href="http://www.blogger.com/digest/Howto/network/cable/cable1.htm"&gt;&lt;strong&gt;crossover cable&lt;/strong&gt;&lt;/a&gt;. A crossover cable doesn't have a collision problem. It hardwires the Ethernet transmitter on one computer to the receiver on the other. Most 100BASE-TX Ethernet adapters can detect when listening for collisions is not required, with a process known as auto-negotiation, and will operate in full duplex mode when it is permitted. The result is that a crossover cable doesn't have delays caused by collisions, data can be sent in both directions simultaneously, the maximum available bandwidth is 200 Mbps, 100 Mbps each way, and there are no other PCs with which the bandwidth must be shared.&lt;/p&gt;&lt;/td&gt;&lt;br /&gt;&lt;td width="231"&gt;&lt;img class="alignright size-full wp-image-116" alt="workgrp4" src="http://protocolanalyzer.blog.com/files/2009/08/workgrp4.gif" width="226" height="166" /&gt;&lt;/td&gt;&lt;br /&gt;&lt;/tr&gt;&lt;br /&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;p class="STYLE2" align="left"&gt;An Ethernet switch automatically divides the network into multiple segments, acts as a high-speed, selective bridge between the segments, and supports simultaneous connections of multiple pairs of computers which don't compete with other pairs of computers for network bandwidth. 
It accomplishes this by maintaining a table of each destination address and its port. When the switch receives a packet, it reads the destination address from the header information in the packet, establishes a temporary connection between the source and destination ports, sends the packet on its way, and then terminates the connection.&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE2" align="left"&gt;Picture a switch as making multiple temporary crossover cable connections between pairs of computers (the cables are actually straight-thru cables; the crossover function is done inside the switch). High-speed electronics in the switch automatically connect the end of one cable (source port) from a sending computer to the end of another cable (destination port) going to the receiving computer on a per-packet basis. Multiple connections like this can occur simultaneously. It's as simple as that. And like a crossover cable between two PCs, PCs on an Ethernet switch do not share the transmission media, do not experience collisions or have to listen for them, can operate in a full-duplex mode, have bandwidth as high as 200 Mbps, 100 Mbps each way, and do not share this bandwidth with other PCs on the switch. In short, a switch is "more better."&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;&lt;strong&gt;Conclusion:&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;Actually, &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;Capsa&lt;/a&gt; customers frequently ask why they have to deploy Capsa on a hub only. According to the information above, we can see that a switch transmits data selectively (by the source MAC address), while a hub sends the data to every port randomly. So we have to install Capsa on the hub to capture the data in the network. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-3043395344374282969?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/3043395344374282969/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=3043395344374282969' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3043395344374282969'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3043395344374282969'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/what-is-difference-between-ethernet-hub.html' title='What is the difference between an Ethernet hub and switch?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-8271784248072330312</id><published>2009-08-11T01:22:00.000-07:00</published><updated>2009-08-11T01:25:08.901-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='port mirror'/><category scheme='http://www.blogger.com/atom/ns#' term='port mirroring'/><category scheme='http://www.blogger.com/atom/ns#' term='switch'/><category scheme='http://www.blogger.com/atom/ns#' term='switch support'/><title type='text'>Tips--A list of Switches with Port Mirroring support</title><content type='html'>Below you will find a latest list of some commonly used managed 
switches that support port mirroring, port spanning or port monitoring functions (whatever name is used for that function).&lt;br /&gt;&lt;br /&gt;For some models, instructions on how to configure port mirroring are available.&lt;br /&gt;&lt;br /&gt;For other models, please read the user's manual of the particular switch or contact the vendor for such information.&lt;br /&gt;&lt;br /&gt;You are welcome to tell me (&lt;a href="mailto:willis.huang@colasoft.com"&gt;willis.huang@colasoft.com&lt;/a&gt;) if you know of more such switches.&lt;br /&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-98" alt="untitled-1" src="http://protocolanalyzer.blog.com/files/2009/08/untitled-1.jpg" width="700" height="226" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Note 1:&lt;/strong&gt; Above are reference prices, which were current on the date of writing this article. The actual price may be different.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Note 2: &lt;/strong&gt;Some switches do not accept incoming packets on the port that is used as the destination of a port mirroring session. Because of this, it is necessary to install a second network adapter in the server. 
This secondary adapter will be used for accessing a server through a network.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Switches by Vendor:&lt;/strong&gt;&lt;br /&gt;&lt;li&gt;Netgear&lt;/li&gt;&lt;br /&gt;&lt;li&gt;D-Link&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Linksys&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Dell&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Cisco&lt;/li&gt;&lt;br /&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-99" alt="untitled-2" src="http://protocolanalyzer.blog.com/files/2009/08/untitled-2.jpg" width="800" height="342" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-100" alt="untitled-3" src="http://protocolanalyzer.blog.com/files/2009/08/untitled-3.jpg" width="800" height="710" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img class="alignnone size-full wp-image-101" alt="untitled-4" src="http://protocolanalyzer.blog.com/files/2009/08/untitled-4.jpg" width="800" height="690" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/index.php?prid=01060001"&gt;&lt;img class="alignnone size-full wp-image-103" alt="728_90" src="http://protocolanalyzer.blog.com/files/2009/08/728_90.gif" width="728" height="90" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-8271784248072330312?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/8271784248072330312/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=8271784248072330312' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8271784248072330312'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8271784248072330312'/><link 
rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/tips-list-of-switches-with-port.html' title='Tips--A list of Switches with Port Mirroring support'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-562800659186975934</id><published>2009-08-06T22:15:00.000-07:00</published><updated>2009-08-06T22:20:13.888-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network connectivity'/><category scheme='http://www.blogger.com/atom/ns#' term='network administrator'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='capsa network analyzer'/><title type='text'>Basic Network Troubleshooting Tips</title><content type='html'>Here you will learn &lt;span style="color:#005399;"&gt;network troubleshooting tips, fix tcp/ip errors, tcp/ip settings, internet connectivity errors, how to fix pc errors, lan connectivity issues, traceroute and ping commands&lt;/span&gt;. Whether your operating system is Windows or Linux, network problems are likely to arise. Many times, network problems arise from improperly configured TCP/IP settings. The following is a basic checklist for identifying and troubleshooting basic networking errors.&lt;br /&gt;1. First of all, find out what stopped working, the server or a client computer, and see whether the outage is affecting other computers or only one.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;2. If your server stopped working, you should inform the users of the server and start working on fixing the error.&lt;br /&gt;&lt;br /&gt;3. 
If a single client computer stopped working or was disconnected from the network, ask the user of that computer what recent changes could have caused the failure, such as newly installed software or games, service packs, internet software, new hardware or anything else.&lt;br /&gt;&lt;br /&gt;4. Check the physical network connectivity. Most network problems arise from physical-layer failures.&lt;br /&gt;&lt;br /&gt;5. Check all the network cable connections. Start at the NIC and check whether the green light is blinking, then check the hub and see whether the computer is getting a link across the cable.&lt;br /&gt;&lt;br /&gt;6. Get a cable tester to check the connectivity of the cables.&lt;br /&gt;&lt;br /&gt;7. Finally, start pinging the network; both Windows and Linux have the ping command. To use it, go to Start &amp;gt; Run &amp;gt; cmd, then type "ping" followed by the IP address of the other computer.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="color:#005399;"&gt;How to Troubleshoot Connectivity problems&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;1. Use the ping command to test basic connectivity. By using the ping command you can isolate network hardware problems and incompatible configurations. By using the pathping command you can detect packet loss.&lt;br /&gt;&lt;br /&gt;2. To watch ping statistics, use the ping -t command. To see statistics and continue, press CTRL+BREAK. To stop, press CTRL+C.&lt;br /&gt;&lt;br /&gt;3. If the remote system is across a high-delay link, such as a satellite link, responses may take longer.&lt;br /&gt;&lt;br /&gt;4. Check the event logs for entries related to the network card, other hardware and software configuration, and connectivity.&lt;br /&gt;&lt;br /&gt;5. 
Check whether the NIC is on the Microsoft Hardware Compatibility List (HCL).&lt;br /&gt;&lt;br /&gt;6. Check other computers that use the same gateway and are plugged into the same hub or switch. If these computers do not show any network connectivity problem, then the problem is limited to the one computer.&lt;br /&gt;&lt;br /&gt;7. Contact the vendor of each NIC and motherboard and update the BIOS.&lt;br /&gt;&lt;br /&gt;8. Replace the system's network adapter with one from a working, correctly configured system and see whether the same error arises again.&lt;/p&gt;&lt;p&gt;&lt;span style="color:#005399;"&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;&lt;img style="MARGIN: 0px 0px 10px 10px; WIDTH: 262px; FLOAT: right; HEIGHT: 177px; CURSOR: hand" id="Colasoft Capsa Network Analyzer" border="0" alt="Colasoft Capsa Network Analyzer" src="http://www.colasoft.com/images/ready_for_w7.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;As network administrators, we need to learn basic network troubleshooting techniques. Of course, there are many network analyzers on the market, such as &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;&lt;span style="color:#005399;"&gt;Colasoft Capsa Network Analyzer&lt;/span&gt;&lt;/a&gt;, which can provide us with more advanced &amp;amp; easier network troubleshooting solutions. 
To learn more about Colasoft Capsa Network Analyzer, please visit &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;&lt;span style="color:#005399;"&gt;http://www.colasoft.com/capsa/&lt;/span&gt;&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="font-size:78%;color:#333333;"&gt;This article was rewritten by Tammy Zhou from Colasoft.com; please read the original copy of this article here: &lt;strong&gt;&lt;a href="http://www.networktutorials.info/how_to_troubleshoot.html"&gt;&lt;span style="color:#333333;"&gt;Basic Network Troubleshooting&lt;/span&gt;&lt;/a&gt;&lt;/strong&gt;.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-562800659186975934?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/562800659186975934/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=562800659186975934' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/562800659186975934'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/562800659186975934'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/basic-network-troubleshooting-tips.html' title='Basic Network Troubleshooting Tips'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-7786584835610929857</id><published>2009-08-06T00:06:00.001-07:00</published><updated>2009-08-06T00:06:56.588-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ARP attacking'/><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='network security'/><category scheme='http://www.blogger.com/atom/ns#' term='ARP virus'/><category scheme='http://www.blogger.com/atom/ns#' term='ARP spoofing'/><title type='text'>Case Study: ARP spoofing HTTP infection malware</title><content type='html'>This year, we've seen many ARP spoofing viruses, also known as ARP cache-poisoning viruses. This type of malware comes in many variants and is widely spread in China. Recently, we uncovered an ARP spoofing virus that exhibits several new features.&lt;br /&gt; &lt;br /&gt;The new ARP spoofing virus inserts a malicious URL into the session of an HTTP response, thus including significant malicious content, and then exploits Internet Explorer. At the same time, the virus makes a poisoned host act as an HTTP proxy server. When any machine in the same subnet with the poisoned machine accesses the Internet, the traffic goes through the poisoned machine.&lt;br /&gt;&lt;br /&gt;Let's take a detailed look at the features of the latest ARP spoofing virus.&lt;br /&gt;&lt;br /&gt;This type of virus replaces the MAC address of the Gateway machine with the MAC address of the poisoned machine. The following screen shows the correct Gateway MAC address:&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof0.jpg" alt="arpspoof0" width="457" height="161" class="alignnone size-full wp-image-85" /&gt;&lt;br /&gt;&lt;br /&gt;When we run the ARP spoofing virus, the Gateway MAC address is changed, as shown in the following diagram. 
The poisoned machine replaces the real Gateway MAC address with its own MAC address:&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof1.jpg" alt="arpspoof1" width="469" height="260" class="alignnone size-full wp-image-86" /&gt;&lt;br /&gt;&lt;br /&gt;Now let's look at a detailed analysis of the virus.&lt;br /&gt;&lt;br /&gt;The following diagram shows the mechanism used by this type of virus. Normally, when we open a Web page, the traffic goes to the Gateway machine directly (see pathway 4). But if the local network is infected by an ARP spoofing virus, the traffic goes through the poisoned machine before it goes to the Gateway, as indicated by pathway 5 and pathway 6 below:&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof2.jpg" alt="arpspoof2" width="550" height="532" class="alignnone size-full wp-image-87" /&gt;&lt;br /&gt;&lt;br /&gt;The following steps describe what occurs.&lt;br /&gt;&lt;br /&gt;First step: The poisoned machine broadcasts ARP spoofing packets saying "I am the Gateway".&lt;br /&gt;&lt;br /&gt;Second step: Each machine in the subnet receives an ARP spoofing packet and updates its ARP table, so the ARP cache is poisoned.&lt;br /&gt;&lt;br /&gt;Third step: A machine accesses the Internet through the poisoned machine, and the poisoned machine then routes this HTTP packet through the Gateway (the poisoned machine uses a network driver, such as wpcap.dll or WanPacket.dll, to get network traffic). &lt;br /&gt;&lt;br /&gt;Fourth step: The Gateway inserts a malicious URL into the HTTP response packet. 
Then it sends the malicious packet to the target machine.&lt;br /&gt;In the following code, we see how the virus inserts a malicious link:&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof3.jpg" alt="arpspoof3" width="530" height="106" class="alignnone size-full wp-image-88" /&gt;&lt;br /&gt;&lt;br /&gt;In the code shown above, we can see partial IP address information. The information comes from the author's network environment, which is similar to the following:&lt;br /&gt;0000b3b0 255.255.255.0 (subnet mask)&lt;br /&gt;0000b3c0 10.xx.xx.58 (poisoned machine IP address)&lt;br /&gt;0000b840 10.xx.xx.1 (correct Gateway address)&lt;br /&gt;0000b850 10.xx.xx.* (subnet information)&lt;br /&gt;&lt;br /&gt;When the virus obtains this data, it scans the local subnet and then sends ARP spoofing packets to machines in the local subnet.&lt;br /&gt;Let's see how the virus implements these functions:&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof4.jpg" alt="arpspoof4" width="462" height="392" class="alignnone size-full wp-image-89" /&gt;&lt;br /&gt;&lt;br /&gt;In the code above, the virus calls a system DLL file (iphlpapi.dll) to get general information about the local network adapter. The iphlpapi.dll file is a module containing the functions used by the Windows IP Helper API. Once the virus has the local network adapter information, it can build spoofed ARP packets. The following graphic shows the detailed code:&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/08/arpspoof5.jpg" alt="arpspoof5" width="550" height="114" class="alignnone size-full wp-image-90" /&gt;&lt;br /&gt;&lt;br /&gt;We used OllyDbg to trace the virus into the Windows system space, and we obtained the code above. When we introduced this virus here, we needed some background knowledge. 
The virus uses &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;&lt;strong&gt;Colasoft Capsa&lt;/strong&gt;&lt;/a&gt; to capture network traffic and insert malicious Web code into the HTTP response.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-7786584835610929857?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/7786584835610929857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=7786584835610929857' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/7786584835610929857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/7786584835610929857'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/case-study-arp-spoofing-http-infection.html' title='Case Study: ARP spoofing HTTP infection malware'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-956434039889217485</id><published>2009-08-06T00:02:00.000-07:00</published><updated>2009-08-06T00:05:15.873-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='broadcast storm'/><category scheme='http://www.blogger.com/atom/ns#' term='network monitor'/><category scheme='http://www.blogger.com/atom/ns#' term='monitor broadcast storm'/><title type='text'>Monitor broadcast 
storm with Colasoft Capsa.</title><content type='html'>&lt;h2 class="STYLE2"&gt;Causes of broadcast storm:&lt;/h2&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Incorrect network design and plan&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Network equipment damage&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Hubs, as broadcast devices, easily lead to broadcast storms&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;NIC or switching equipment damage&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Network loop&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Incorrect router configuration&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Virus&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h2 class="STYLE2"&gt;How to detect Broadcast Storm:&lt;/h2&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Step 1. Set up a broadcast packet filter&lt;br&gt;&lt;br /&gt;  Open Filter --&amp;gt; Add --&amp;gt; From Filter Table, check &amp;quot;Broadcast&amp;quot;:&lt;/p&gt;&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-11.jpg" alt="untitled-11" width="600" height="400" class="alignnone size-full wp-image-63" /&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Step 2. Check the relevant parameters of the broadcast storm&lt;/p&gt;&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-21.jpg" alt="untitled-21" width="600" height="400" class="alignnone size-full wp-image-64" /&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;1. 
Statistical parameters&lt;/p&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;broadcast packets bytes&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;total broadcast packets&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;packets per second&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;packet size distribution&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;protocol type&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;etc. (add according to your own network)&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;&lt;strong&gt;How to make use of these parameters?&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Take 100M Ethernet as an example. The maximum packets per second is 12.5M x 1024 = 12800 Bytes/s. If the broadcast packets-per-second value is greater than or close to it, we can conclude that there is a broadcast storm.&lt;br&gt;&lt;br /&gt;  The total bytes, the packet count and the size distribution vary with the size of the network.&lt;br&gt;&lt;br /&gt;  Protocol Type is mainly used to identify the protocols with the largest traffic utilization. (PS: Care must be taken to distinguish ARP Request from ARP Response: ARP Request is broadcast, while ARP Response is unicast.)&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;2. IPID Identification of the packet&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;The IPID is the unique value that identifies the packet. 
If a protocol accounts for a large share of traffic utilization, we can check its IPID in the Packets view; if the packets carry the same IPID, we can confirm the storm is caused by a network loop.&lt;/p&gt;&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-31.jpg" alt="untitled-31" width="600" height="400" class="alignnone size-full wp-image-65" /&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Currently, network loops are one of the main causes of broadcast storms. &lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;3. Check the Utilization&lt;/p&gt;&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-4.jpg" alt="untitled-4" width="600" height="400" class="alignnone size-full wp-image-66" /&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;How to make use of the utilization parameters?&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Utilization is divided into &amp;quot;Utilization (bits)&amp;quot; &amp;amp; &amp;quot;Utilization (percentage)&amp;quot;. Network utilization is calculated as: bits per second (in the &amp;quot;Summary&amp;quot; view) / network bandwidth (100M or 1000M Ethernet). 
Ordinarily, an Ethernet network is in good shape if its utilization is 50%; if the utilization of broadcast traffic is over 30%, we can conclude that there must be a broadcast storm in the network.&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;Download the latest &lt;a href="http://www.colasoft.com/download/products/capsa.php?prid=01060001"&gt;&lt;strong&gt;Capsa 6.9R2&lt;/strong&gt;&lt;/a&gt; (Windows 7 supported) to monitor your network performance in time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-956434039889217485?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/956434039889217485/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=956434039889217485' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/956434039889217485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/956434039889217485'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/08/monitor-broadcast-storm-with-colasoft.html' title='Monitor broadcast storm with Colasoft Capsa.'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1491503470683935249</id><published>2009-07-30T03:11:00.000-07:00</published><updated>2009-07-30T03:20:16.746-07:00</updated><title type='text'>Admin resource: Use 
the right tools to manage your network</title><content type='html'>To be an effective network administrator, you don't have to be a scientific genius. And you don't have to memorize a bunch of obscure facts about hardware and software. Instead, you need to know two things:&lt;ul&gt;&lt;li&gt;Where to find the appropriate solutions to technology problems when they arise&lt;/li&gt;&lt;br /&gt;&lt;li&gt;How to use the right tools for monitoring, troubleshooting, and managing the activities of the various systems on your network&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;We know TechRepublic is the biggest IT community, providing the kinds of sources you turn to for solutions when problems hit your network. To demonstrate that TechRepublic is worthy of being a solutions finder, here I've compiled a list of articles that discuss tools you can use to improve the management of your network.&lt;/p&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://blogs.techrepublic.com.com/networking/?p=1733" title="Permanent Link: Test-drive: Colasoft Capsa network analyzer" rel="bookmark"&gt;&lt;strong&gt;Test-drive: Colasoft Capsa network analyzer&lt;/strong&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Having good insight to your network is critical. There are so many potential issues that can be going on that any additional tool can be welcome. This can include attacks, transmissions and applications without encryption, or incorrect configurations bogging down the network.&lt;br /&gt;&lt;br /&gt;Recently, I had a chance to evaluate the &lt;a href="http://www.colasoft.com/capsa/?prid=01060001" target="_blank"&gt;Colasoft network analyzer&lt;/a&gt; or Capsa.&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://techrepublic.com.com/5100-6265-1058078.html"&gt;"Servers Alive is a valuable and inexpensive uptime monitoring tool"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To handle a problem, you have to know that it exists. That's where a program such as Servers Alive comes in. 
It can e-mail, page, or call an  administrator with an automated alert when a system goes down, a router  fails, or a service goes offline.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://techrepublic.com.com/5100-6265-5057776.html"&gt;"Let Big Brother keep tabs on the health of your servers"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Big Brother is another monitoring tool, but this one runs on Linux/UNIX  (although it can monitor systems from other platforms). It's available  free under an open source license.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://techrepublic.com.com/5100-6265-5055116.html"&gt;"PRTG makes it easy to monitor bandwidth"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Bandwidth is an expensive and critical commodity for most  organizations. PRTG (and its Linux/UNIX cousin, MRTG) allow you to keep  a close eye on bandwidth utilization and quickly spot any potential  problems.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://techrepublic.com.com/5100-6265-1058144.html"&gt;"Get two must-have network tools--for free"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here's a peek at two handy troubleshooting tools—HyperTrace and  NetStatLive. Since these are small, easy-to-use, and free, there's no  excuse not to try them.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://techrepublic.com.com/5100-6265-1051996.html"&gt;"Quickly manage systems over KVM with BgInfo"&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Most administrators who manage more than five or 10 servers usually  have them loaded into a rack and access them with a KVM switch or  remote access software. However, the more servers you have, the harder  it can be to tell them apart—and making a configuration change to the  wrong server can have disastrous consequences. 
BgInfo is a little tool  that can help you set up desktop screens that allow you to quickly  identify your servers.&lt;/li&gt;  &lt;/ul&gt;  &lt;p&gt;&lt;strong&gt;Final word&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Of course, this is not a  comprehensive list of every tool you need to manage a network. It's  just a sampling of the kinds of great tools that can make you more  effective at spotting problems and getting them fixed in a timely  fashion.  &lt;/p&gt;  &lt;p&gt;For more information, please visit:&lt;a href="http://articles.techrepublic.com.com/5100-10878_11-5074896.html"&gt;http://articles.techrepublic.com.com/5100-10878_11-5074896.html&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-1491503470683935249?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1491503470683935249/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1491503470683935249' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1491503470683935249'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1491503470683935249'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/07/admin-resource-use-right-tools-to.html' title='Admin resource: Use the right tools to manage your network'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-739399464070351438</id><published>2009-07-30T03:08:00.000-07:00</published><updated>2009-07-30T03:21:34.981-07:00</updated><title type='text'>Monitor broadcast storm with Colasoft Capsa.</title><content type='html'>&lt;h2 class="STYLE2"&gt;Causes of broadcast storm:&lt;br /&gt;&lt;/h2&gt;&lt;ul&gt;&lt;li class="STYLE1"&gt;Incorrect network design and plan&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Network equipment damage&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Hubs, as broadcast devices, easily lead to broadcast storms&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;NIC or switching equipment damage&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Network loop&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Incorrect router configuration&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;Virus&lt;/li&gt;&lt;/ul&gt;&lt;h2 class="STYLE2"&gt;How to detect Broadcast Storm:&lt;/h2&gt;&lt;p class="STYLE1"&gt;Step 1. Set up a broadcast packet filter&lt;br /&gt;&lt;br /&gt; Open Filter --&amp;gt; Add --&amp;gt; From Filter Table, check "Broadcast":&lt;/p&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-11.jpg" alt="untitled-11" class="alignnone size-full wp-image-63" height="400" width="600" /&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Step 2. Check the relevant parameters of the broadcast storm&lt;/p&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-21.jpg" alt="untitled-21" class="alignnone size-full wp-image-64" height="400" width="600" /&gt;&lt;br /&gt;&lt;p class="STYLE2"&gt;1. 
Statistical parameters&lt;br /&gt;&lt;/p&gt;&lt;ul&gt;&lt;li class="STYLE1"&gt;broadcast packets bytes&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;total broadcast packets&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;packets per second&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;packet size distribution&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;protocol type&lt;/li&gt;&lt;br /&gt;&lt;li class="STYLE1"&gt;etc. (add according to your own network)&lt;/li&gt;&lt;/ul&gt;&lt;p class="STYLE1"&gt;&lt;strong&gt;How to make use of these parameters?&lt;/strong&gt;&lt;/p&gt;&lt;p class="STYLE1"&gt;Take 100M Ethernet as an example. The maximum packets per second is 12.5M x 1024 = 12800 Bytes/s. If the broadcast packets-per-second value is greater than or close to it, we can conclude that there is a broadcast storm.&lt;br /&gt;&lt;br /&gt; The total bytes, the packet count and the size distribution vary with the size of the network.&lt;br /&gt;&lt;br /&gt; Protocol Type is mainly used to identify the protocols with the largest traffic utilization. (PS: Care must be taken to distinguish ARP Request from ARP Response: ARP Request is broadcast, while ARP Response is unicast.)&lt;/p&gt;&lt;p class="STYLE2"&gt;2. IPID Identification of the packet&lt;/p&gt;&lt;p class="STYLE1"&gt;The IPID is the unique value that identifies the packet. If a protocol accounts for a large share of traffic utilization, we can check its IPID in the Packets view; if the packets carry the same IPID, we can confirm the storm is caused by a network loop.&lt;/p&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-31.jpg" alt="untitled-31" class="alignnone size-full wp-image-65" height="400" width="600" /&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;Currently, network loops are one of the main causes of broadcast storms. &lt;/p&gt;&lt;p class="STYLE2"&gt;3. 
Check the Utilization&lt;/p&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-4.jpg" alt="untitled-4" class="alignnone size-full wp-image-66" height="400" width="600" /&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;How to make use of the utilization parameters?&lt;/p&gt;&lt;p class="STYLE1"&gt;Utilization is divided into "Utilization (bits)" &amp;amp; "Utilization (percentage)". Network utilization is calculated as: bits per second (in the "Summary" view) / network bandwidth (100M or 1000M Ethernet). Ordinarily, an Ethernet network is in good shape if its utilization is 50%; if the utilization of broadcast traffic is over 30%, we can conclude that there must be a broadcast storm in the network.&lt;/p&gt;Download the latest &lt;a href="http://www.colasoft.com/download/products/capsa.php?prid=01060001"&gt;&lt;strong&gt;Capsa 6.9R2&lt;/strong&gt;&lt;/a&gt; (Windows 7 supported) to monitor your network performance in time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-739399464070351438?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/739399464070351438/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=739399464070351438' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/739399464070351438'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/739399464070351438'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/07/monitor-broadcast-storm-with-colasoft.html' title='Monitor broadcast storm with Colasoft 
Capsa.'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-3080996111206207536</id><published>2009-07-30T03:06:00.000-07:00</published><updated>2009-07-30T03:08:33.112-07:00</updated><title type='text'>How to analyze the statistic of a specific IP in LAN with Colasoft Capsa?</title><content type='html'>Nowadays, computers are becoming a necessity in the majority of companies all over the world. Network managers/administrators have to monitor their network, grasp the network status in time, and find the best solution once any abnormal condition occurs in the network. They have to make sure the whole network status is visible to them, even the traffic, conversations and packets of one specific IP address. Without appropriate network management, a large number of network risks will appear in your network. &lt;br /&gt; &lt;br /&gt;&lt;A href="http://www.colasoft.com/capsa/?prid=01060001"&gt;&lt;strong&gt;Colasoft Capsa 6.9R2&lt;/strong&gt;&lt;/A&gt;, which supports Windows 7, is such an ideal network monitor. This article tells you how to analyze the statistics of a specific IP address when you need to analyze the stats by locating an IP address. &lt;br /&gt; &lt;br /&gt;For example: &lt;br /&gt;There are 200 hosts in the LAN. You have detected that the network became very slow due to BT downloading by a specific IP address: 192.168.6.5. To check the stats under this IP, including protocols, conversations, packets, etc., and prove that it is the responsible IP address, you need to locate it. In Colasoft Capsa, there are 2 ways to do this:&lt;br /&gt; &lt;br /&gt;&lt;strong&gt;1.  
Select the IP address under "IP Explorer" in the left Explorer window:&lt;/strong&gt;&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-1.jpg" alt="untitled-1" width="600" height="400" class="alignnone size-full wp-image-54" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2.  Add the IP address in the Filter settings, with steps as follows:&lt;/strong&gt;&lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-2.jpg" alt="untitled-2" width="600" height="400" class="alignnone size-full wp-image-55" /&gt;&lt;br /&gt; &lt;br /&gt;&lt;img src="http://protocolanalyzer.blog.com/files/2009/07/untitled-3.jpg" alt="untitled-3" width="600" height="400" class="alignnone size-full wp-image-56" /&gt;&lt;br /&gt;&lt;br /&gt;Then we can check all the stats related to "192.168.6.5" only, to further confirm the problem. For more information on "How to Track BitTorrent User in Network with Colasoft Packet Sniffer", please go to http://blog.colasoft.com/how-to-track-bittorrent-user-in-network-with-colasoft-packet-sniffer/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-3080996111206207536?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/3080996111206207536/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=3080996111206207536' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3080996111206207536'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3080996111206207536'/><link rel='alternate' type='text/html' 
href='http://sniffer4networknpacket.blogspot.com/2009/07/how-to-analyze-statistic-of-specific-ip.html' title='How to analyze the statistic of a specific IP in LAN with Colasoft Capsa?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-2216207590017911773</id><published>2009-07-02T02:20:00.000-07:00</published><updated>2009-07-02T02:36:18.530-07:00</updated><title type='text'>Recommend 5 Nice FREE Network Analysis Tools to Network Admins</title><content type='html'>Colasoft, with its all-in-one &amp;amp; easy-to-use &lt;a href="http://www.colasoft.com/?prid=01060001"&gt;network analyzer&lt;/a&gt; -Capsa, has been known and recognized in network analysis industry. Today let me &lt;a href="http://topnetworksniffers.blogspot.com/2009/06/recommend-5-nice-free-network-analysis.html"&gt;recommend 5 nice Colasoft network analysis tools&lt;/a&gt; to all network administrators, the tools are totally free and very simple but helpful.&lt;br /&gt; &lt;br /&gt;&lt;a href="http://www.colasoft.com/mac_scanner/index.php?act=recommend"&gt;&lt;strong&gt;Colasoft MAC Scanner Pro &lt;/strong&gt;&lt;/a&gt;&lt;a href="http://www.colasoft.com/mac_scanner/index.php?act=recommend"&gt;&lt;img id="BLOGGER_PHOTO_ID_5350442656110486418" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 182px; CURSOR: hand; HEIGHT: 232px" alt="Colasoft MAC Scanner Pro" src="http://2.bp.blogspot.com/_LCrZaQE-Vo8/SkCXP3SQI5I/AAAAAAAAFEo/yRjW1QtfeuY/s400/get_mac_scanner_ad.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;List MAC addresses and IP addresses in your local subnet in seconds. 
Network administration will never become efficient until you know exactly who the user is and where the computer is. MAC Scanner Pro will do it for you.  &lt;br /&gt; &lt;br /&gt;Core Values:&lt;br /&gt;  .Scan MAC addresses and IP addresses&lt;br /&gt;  &lt;br /&gt;  .Save Scan Results into database for future reference and network maintenance.&lt;br /&gt;&lt;br /&gt;  .Add attributes (such as user name and physical location of the host) to scan results and save in database.&lt;br /&gt;  &lt;br /&gt;  .Automatically compares new MAC scan results with database records and notifies of differences and new records (illegal access).&lt;br /&gt;  &lt;br /&gt;  .Print and Print Review MAC Scan Results&lt;br /&gt;  &lt;br /&gt;&lt;strong&gt;Special Notice:&lt;/strong&gt;&lt;br /&gt;Colasoft is launching a campaign this month, &lt;strong&gt;&lt;em&gt;you can get a license key of MAC Scanner Pro edition for free as long as you recommend a friend to download MAC Scanner free edition successfully&lt;/em&gt;&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;To find out more information about this, please go to &lt;a href="http://www.colasoft.com/mac_scanner/index.php?act=recommend"&gt;www.colasoft.com/mac_scanner&lt;/a&gt;  &lt;br /&gt; &lt;br /&gt;&lt;strong&gt;Colasoft Ping Tool&lt;/strong&gt;&lt;br /&gt;Colasoft Ping Tool is a powerful tool that can ping multiple IP addresses simultaneously and compare response times in a graphic chart. Users can view historical charts and save the charts to a *.bmp file. With this built-in tool, users are able to ping the IP addresses of captured packets in a protocol analyzer (e.g. 
Colasoft Capsa) conveniently, including source IP, destination IP or both.&lt;br /&gt; &lt;br /&gt;&lt;strong&gt;Colasoft Packet Builder&lt;/strong&gt; &lt;br /&gt;Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common HEX editing of raw data, it features a Decoding Editor that allows users to edit specific protocol field values much more easily.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Colasoft Packet Player&lt;/strong&gt;&lt;br /&gt;Colasoft Packet Player is a packet replayer which allows users to open captured packet trace files and play them back in the network. It supports many packet trace file formats created by sniffer software such as Colasoft Capsa, Ethereal, Network General Sniffer and WildPackets EtherPeek/OmniPeek, etc.&lt;br /&gt; &lt;br /&gt;Besides sending packet files at the original interval between loops, Colasoft Packet Player also supports sending packet files in burst mode and defining the delay between loops if the loop count is more than one.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-2216207590017911773?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/2216207590017911773/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=2216207590017911773' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/2216207590017911773'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/2216207590017911773'/><link rel='alternate' 
type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/07/recommend-5-nice-free-network-analysis.html' title='Recommend 5 Nice FREE Network Analysis Tools to Network Admins'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_LCrZaQE-Vo8/SkCXP3SQI5I/AAAAAAAAFEo/yRjW1QtfeuY/s72-c/get_mac_scanner_ad.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1177909284933020657</id><published>2009-07-02T02:13:00.001-07:00</published><updated>2009-07-02T02:18:41.966-07:00</updated><title type='text'>Why should we monitor the network conversation?</title><content type='html'>In a network group, especially for a company, enterprise, school, bank, NSA, etc., confidential information is very important, and it may be very dangerous if it is divulged.&lt;br /&gt;&lt;br /&gt;Also, a company/enterprise boss can learn what his staff are talking about via the internet, no matter whether they are using MSN, Yahoo, Gtalk, ICQ, AIM…or Email Webmail…at any time.&lt;br /&gt;&lt;br /&gt;In this situation, we need a network monitor/packet sniffer, not only to monitor the network conversation, but also to safeguard our network security by preventing danger beforehand.&lt;br /&gt;&lt;br /&gt;&lt;STRONG&gt;Resolution&lt;/STRONG&gt; Take &lt;A href="http://www.colasoft.com/capsa/?prid=01060001" target=_blank&gt;Colasoft Capsa 6.9&lt;/A&gt; for example. We will show you how to monitor the email activity &amp;amp; content with it step-by-step: &lt;br /&gt;1. 
Choose “Logs” from the main window.&lt;br /&gt;&lt;IMG title=untitled-12 alt=untitled-12 src="http://blog.colasoft.com/wp-content/uploads/2009/07/untitled-12.jpg" width=550 height=257&gt;&lt;br /&gt;&lt;br /&gt;2. As shown in the following illustration, there’s a pop up window for changing settings after you choose the “Logs”. Email Log→Log File Settings, then change the settings indicated by an arrow.&lt;br /&gt;&lt;IMG title=untitled-22 alt=untitled-22 src="http://blog.colasoft.com/wp-content/uploads/2009/07/untitled-22.jpg" width=550 height=443&gt; &lt;br /&gt;&lt;br /&gt;3. Choose Email Messages in the Logs view, you can find the detail information on all the email activities. &lt;br /&gt;&lt;IMG title=untitled-32 alt=untitled-32 src="http://blog.colasoft.com/wp-content/uploads/2009/07/untitled-32.jpg" width=550 height=378&gt; &lt;br /&gt;&lt;br /&gt;4. Just double-click the crossband, then you can check out the content of any email you want to read. &lt;br /&gt;&lt;IMG title=untitled-42 alt=untitled-42 src="http://blog.colasoft.com/wp-content/uploads/2009/07/untitled-42.jpg" width=550 height=381&gt;&lt;br /&gt;&lt;br /&gt;&lt;STRONG&gt;Conclusion:&lt;/STRONG&gt;&lt;br /&gt;For every organization, institution, company, enterprise…etc, the confidential information is very important that are never allowed to be leaked out.&lt;/P&gt;&lt;br /&gt;Except the traditional File Encryption, Video Surveillance, what can we do if we are in a huge network? 
Under this situation, a powerful &lt;A  href="http://www.colasoft.com/index.php?prid=01060001" target=_blank&gt;packet sniffer/network analyzer&lt;/A&gt; is quite a good right-hand.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-1177909284933020657?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1177909284933020657/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1177909284933020657' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1177909284933020657'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1177909284933020657'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/07/why-should-we-monitor-network.html' title='Why should we monitor the network conversation?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-6483256436821301485</id><published>2009-06-18T00:25:00.000-07:00</published><updated>2009-06-18T00:40:24.301-07:00</updated><title type='text'>How to detect the real-time network utilization</title><content type='html'>&lt;a name="OLE_LINK2" id="OLE_LINK2"&gt;&lt;/a&gt;&lt;span class="STYLE4"&gt;Network utilization is the ratio of current  network traffic to the maximum traffic that the port can handle. 
By monitoring network utilization, we can understand whether the network is busy, normal or idle. &lt;/span&gt;&lt;br /&gt;&lt;p class="STYLE1"&gt;&lt;strong&gt;The potential threats if the network utilization is above normal:&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Will slow down internet access and employee productivity;&lt;/li&gt;&lt;li&gt;Affect downloading;&lt;/li&gt;&lt;li&gt;Uploading. The bandwidth may become the bottleneck of business development. If the current bandwidth can’t satisfy customers and the problem is not detected in time, you will lose customers, see a decline in customer satisfaction, etc.&lt;/li&gt;&lt;li&gt;Packet loss; some highly demanding IM business (like VoIP) will be seriously affected.&lt;/li&gt;&lt;/ul&gt;&lt;p class="STYLE5"&gt;&lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;Colasoft Capsa&lt;/a&gt; makes it easy for us to monitor the network utilization, so as to find the bottleneck and improve network performance.&lt;br /&gt;&lt;/p&gt;Check the brief current utilization in “Summary” after starting the project:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_EgZLzYR19cE/SjnsX-36XrI/AAAAAAAABGs/WE8i5KQ152Q/s1600-h/Untitled-1.jpg"&gt;&lt;img style="cursor: pointer; width: 400px; height: 286px;" src="http://1.bp.blogspot.com/_EgZLzYR19cE/SjnsX-36XrI/AAAAAAAABGs/WE8i5KQ152Q/s400/Untitled-1.jpg" alt="" id="BLOGGER_PHOTO_ID_5348565929237831346" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p class="STYLE5"&gt;We may switch among the nodes in the “Explorer” to view the network utilization of a specific node:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_EgZLzYR19cE/SjnswFQ0cVI/AAAAAAAABG0/M9uC9C8tS9o/s1600-h/Untitled-2.jpg"&gt;&lt;img style="cursor: pointer; width: 400px; height: 284px;" 
src="http://4.bp.blogspot.com/_EgZLzYR19cE/SjnswFQ0cVI/AAAAAAAABG0/M9uC9C8tS9o/s400/Untitled-2.jpg" alt="" id="BLOGGER_PHOTO_ID_5348566343269773650" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;We can also view network utilization by bits or by percentage in the “Graphs” view. Moreover, we can compare 2 different charts to better understand the network status.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_EgZLzYR19cE/SjnswVi3rTI/AAAAAAAABG8/RcZw7lix6DE/s1600-h/Untitled-3.jpg"&gt;&lt;img style="cursor: pointer; width: 400px; height: 286px;" src="http://4.bp.blogspot.com/_EgZLzYR19cE/SjnswVi3rTI/AAAAAAAABG8/RcZw7lix6DE/s400/Untitled-3.jpg" alt="" id="BLOGGER_PHOTO_ID_5348566347640450354" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p class="STYLE5"&gt;Give top priority to your network utilization; &lt;a href="http://www.colasoft.com/index.php?prid=01060001"&gt;Colasoft Capsa&lt;/a&gt; will help you quickly detect the network utilization and other network problems.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-6483256436821301485?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/6483256436821301485/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=6483256436821301485' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/6483256436821301485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/6483256436821301485'/><link rel='alternate' type='text/html' 
href='http://sniffer4networknpacket.blogspot.com/2009/06/how-to-detect-real-time-network.html' title='How to detect the real-time network utilization'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_EgZLzYR19cE/SjnsX-36XrI/AAAAAAAABGs/WE8i5KQ152Q/s72-c/Untitled-1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-8318846139128322779</id><published>2009-06-17T02:57:00.000-07:00</published><updated>2009-06-17T02:59:48.531-07:00</updated><title type='text'>14 Tips to Protect Your Organization's Network</title><content type='html'>&lt;a href="http://www.colasoft.com/?prid=01060001"&gt;&lt;img id="Colasoft protocol analyzer" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 125px; CURSOR: hand; HEIGHT: 125px" alt="Colasoft protocol analyzer" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/SjdshqFnnLI/AAAAAAAAFEg/WgJ38NcmnmM/s400/125_125_2.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;Network security is an infinitely complex and dynamic subject, implementing these &lt;a href="http://topnetworksniffers.blogspot.com/2009/06/14-tips-to-protect-your-organizations.html"&gt;simple measures &lt;/a&gt;will go a long way to protecting your Organization's LAN.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;1,&lt;strong&gt; Run &lt;a href="http://www.colasoft.com/?prid=01060001"&gt;protocol analyzer&lt;/a&gt; Frequently.&lt;/strong&gt;Recommend an easy-to-use protocol analyzer, &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;Colasoft Capsa&lt;/a&gt;. 
&lt;/p&gt;&lt;br /&gt;&lt;p&gt;2, &lt;strong&gt;Disable drives&lt;/strong&gt;:Disable floppy drive access, USB ports and serial ports on networked computers.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;3,&lt;strong&gt; Restrict Permissions&lt;/strong&gt;: Windows 2000 and 2003 server allow you to set permissions so that users can't run downloaded 'exe' or other executable files. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;4,&lt;strong&gt; Block Instant Messenger&lt;/strong&gt;:IM and its cousins, ICQ and Yahoo Messenger, sends messages and attachments out to a server and then back to its clients. You lose control when this happens.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;5,&lt;strong&gt; Password Protect Your BIOS&lt;/strong&gt;:A BIOS without an administrator password is an invitation to mischief. &lt;/p&gt;&lt;br /&gt;&lt;p&gt;6,&lt;strong&gt; Run AV Software&lt;/strong&gt;: Run anti-virus software on all your computers.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;7,&lt;strong&gt; Build Your Defenses&lt;/strong&gt;: Install a firewall or a proxy server.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;8,&lt;strong&gt; Beware Of Attachments From Unknown, Untrusted Sources&lt;/strong&gt;:Do not open attachments to email unless you trust the sender.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;9,&lt;strong&gt; Monitor Your Ports&lt;/strong&gt;:Install a port monitor to prevent your ports from being scanned.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;10,&lt;strong&gt; Encrypt Wireless Access&lt;/strong&gt;.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;11,&lt;strong&gt; Keep Back Office Systems Off The Organization Network&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;12,&lt;strong&gt; Require passwords to be changed frequently&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;13,&lt;strong&gt; Use CTRL+ALT+DEL to logon&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;14,&lt;strong&gt; Keep your networking skills up to date.&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/2797389168360889110-8318846139128322779?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/8318846139128322779/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=8318846139128322779' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8318846139128322779'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8318846139128322779'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/06/14-tips-to-protect-your-organizations.html' title='14 Tips to Protect Your Organization&apos;s Network'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/SjdshqFnnLI/AAAAAAAAFEg/WgJ38NcmnmM/s72-c/125_125_2.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-8295424549451526698</id><published>2009-06-08T23:01:00.001-07:00</published><updated>2009-06-08T23:01:28.439-07:00</updated><title type='text'>Is Your PC Ready for Windows 7? This Tool Lets You Know</title><content type='html'>&lt;h1 align="center" class="STYLE5"&gt;Is Your PC Ready for Windows 7? 
This Tool Lets You Know &lt;/h1&gt;&lt;br /&gt;&lt;p align="center" class="STYLE6"&gt;By Jeff Bertolucci          ,      PC World      , 05/18/2009 &lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE5"&gt;Microsoft has released the beta version of its &lt;a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;amp;FamilyID=1b544e90-7659-4bd9-9e51-2497c146af15"&gt;Windows 7 Upgrade Advisor&lt;/a&gt;, a free utility that tells you if your PC is ready to run Windows 7. It scans your computer, checking internal components,     external peripherals, and programs, and alerts you to potential compatibility issues. It also offers upgrade suggestions,     such as which drivers to replace, should you make the move to &lt;a href="http://www.pcworld.com/topics/windows.html?tk=rel_news"&gt;Windows 7&lt;/a&gt;. &lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE5"&gt;It's a good idea to run Upgrade Advisor, which takes only a few minutes, if you plan to install &lt;a href="http://www.pcworld.com/businesscenter/article/164544/windows_7_has_me_sold_heres_why.html?tk=rel_news"&gt;Windows 7 Release Candidate&lt;/a&gt;, which is also available as a &lt;a href="http://www.microsoft.com/windows/windows-7/download.aspx"&gt;free download&lt;/a&gt;. (The RC expires August 1, 2010.) &lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE5"&gt;After downloading and installing Upgrade Advisor, you'll see an opening screen that advises you to connect all of your external     devices, such as hard drives, cameras, MP3 players, and so on: &lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE5"&gt;I ran the Upgrade Advisor on a 2-year-old Gateway MX8734 notebook that with a 1.6GHz Intel Pentium T2060 processor, 1GB of     RAM, a 160GB hard drive. This system runs Vista sluggishly-no surprise given the 1 gig of memory-and based on initial reports     from Redmond, I thought it might perform better with Windows 7. 
However, a recent &lt;a href="http://www.pcworld.com/article/164485/speed_test_windows_7_may_not_be_much_faster_than_vista.html?tk=rel_news"&gt;PC World Test Center&lt;/a&gt; report says that may not be the case. &lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE5"&gt;The compatibility check took about 6 minutes and found a few potential issues. While the Gateway's processor, memory, and     hard drive met Windows 7's minimum requirements (I expected this), Upgrade Advisor recommended that I download the latest     driver for the Realtek Wireless 802.11b/g USB 2.0 network adapter before installing Win 7. It didn't find potential conflicts     with any installed programs. &lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE5"&gt;Upgrade Advisor also pointed out that Windows 7 doesn't include Web filtering (Windows Mail and Parental Controls), and it     included a link to Microsoft's &lt;a href="http://download.live.com/"&gt;Windows Live Essentials&lt;/a&gt; site, where you can download the free &lt;a href="http://download.live.com/familysafety"&gt;Family Safety&lt;/a&gt; utility. &lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE5"&gt;Upgrade Advisor runs on Windows Vista and Windows XP Service Pack 2.&lt;/p&gt;&lt;br /&gt;&lt;p class="STYLE5"&gt;And also, &lt;a href="http://www.colasoft.com/index.php?prid=01060001"&gt;&lt;strong&gt;Colasoft&lt;/strong&gt;&lt;/a&gt;(which  is commented the most easy-to-use network protocol analyzer in the market. It  is designed for Windows platform, main features include: real-time packet  capturing, traffic and bandwidth analysis, protocol analysis, automatic  diagnosis, visible filters and quick reports. ) will release a new edition - &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;&lt;strong&gt;Capsa 6.91 &lt;/strong&gt;&lt;/a&gt;for windows 7 users. It is highly recommended to install it in your new operation system to monitor your network. 
&lt;br /&gt;&lt;br /&gt;-- &lt;span class="STYLE7"&gt;Willis, Marketing Executive of Colasoft&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-8295424549451526698?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/8295424549451526698/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=8295424549451526698' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8295424549451526698'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8295424549451526698'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/06/is-your-pc-ready-for-windows-7-this.html' title='Is Your PC Ready for Windows 7? 
This Tool Lets You Know'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-6643214617069368390</id><published>2009-06-08T23:00:00.001-07:00</published><updated>2009-06-08T23:00:56.189-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='network usage'/><category scheme='http://www.blogger.com/atom/ns#' term='intrusion attempts'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft Network Analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Network administrators'/><category scheme='http://www.blogger.com/atom/ns#' term='IM'/><category scheme='http://www.blogger.com/atom/ns#' term='network intrusion'/><title type='text'>Business IM: Risks and Resolutions</title><content type='html'>&lt;p align="left"&gt;Do your users use IM in your network? If I ask this question, I believe over 95% of &lt;strong&gt;network administrators&lt;/strong&gt; will answer: Yes, of course.&lt;br /&gt; &lt;br /&gt;With the rapid development of instant messaging tools such as MSN, Yahoo IM, AOL IM and Google Talk, they are used not just for personal entertainment but also as workplace tools. However, according to a survey on the internet, most IM users are unaware of the risks IM may pose to the organization. Here we list the main &lt;strong&gt;&lt;a href="http://topnetworksniffers.blogspot.com/2009/06/business-im-risks-and-resolutions.html"&gt;Business IM Risks and Resolutions&lt;/a&gt;&lt;/strong&gt;:&lt;/p&gt;&lt;br /&gt;&lt;p align="left"&gt;? 
&lt;strong&gt;Information leaks &lt;/strong&gt;– Confidential materials, intellectual property, or proprietary information can be revealed, either intentionally or accidentally, through IM sessions or file transfers.  &lt;/p&gt;&lt;br /&gt;&lt;p align="left"&gt;? &lt;strong&gt;Worms, viruses, etc. &lt;/strong&gt;– Numerous malware programs target public IM systems and allow them to bypass standard firewalls and mail server antivirus systems.&lt;a href="http://www.colasoft.com/?prid=01060001"&gt;&lt;img id="Colasoft network analyzer" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 120px; CURSOR: hand; HEIGHT: 240px" alt="Colasoft network analyzer" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/SijN4AY8-sI/AAAAAAAAFEQ/JR1_jX4XoS8/s400/120_240_2.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;  &lt;br /&gt;  ? &lt;strong&gt;Network hacks and intrusions &lt;/strong&gt;– Hackers use IM operating ports to bypass other security barriers and enter the corporate network unimpeded.&lt;/p&gt;&lt;br /&gt;&lt;p align="left"&gt; ? &lt;strong&gt;Compliance, regulatory, or legal violations &lt;/strong&gt;– Organizations subject to government oversight and compliance mandates may find themselves creating legal issues by failing to properly monitor, log, and regulate IM sessions and content.  &lt;/p&gt;&lt;br /&gt;&lt;p align="left"&gt;? &lt;strong&gt;Productivity loss &lt;/strong&gt;– Idle chat can disrupt employee productivity. &lt;/p&gt;&lt;br /&gt;&lt;p align="left"&gt;IM has so many risks; does that mean we have to prohibit instant messaging in the workplace? Of course not. IM has irreplaceable benefits compared with other communication methods such as email, phone calls and SMS, 
but we have some good suggestions to decrease the IM risks.&lt;/p&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;&lt;li&gt;&lt;strong&gt;Deploy network analysis tools&lt;/strong&gt; like &lt;a href="http://www.colasoft.com/?01060001"&gt;Colasoft Network Analyzer&lt;/a&gt; in your computer, to detect network intrusion attempts, monitor network usage, gain information for effecting a network intrusion. &lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Regularly remind your users to update or upgrade their antivirus software&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;/strong&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;strong&gt;Create written policies &lt;/strong&gt;– Clearly and explicitly define acceptable and unacceptable use of instant messaging within the business environment.&lt;/li&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-6643214617069368390?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/6643214617069368390/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=6643214617069368390' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/6643214617069368390'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/6643214617069368390'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/06/business-im-risks-and-resolutions.html' title='Business IM: Risks and Resolutions'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/SijN4AY8-sI/AAAAAAAAFEQ/JR1_jX4XoS8/s72-c/120_240_2.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-8374277521322253651</id><published>2009-06-08T22:58:00.000-07:00</published><updated>2009-06-08T22:59:55.215-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='packet sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='protocal analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='network sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='network analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Tips'/><category scheme='http://www.blogger.com/atom/ns#' term='Colasoft'/><category scheme='http://www.blogger.com/atom/ns#' term='Slow internet connections'/><category scheme='http://www.blogger.com/atom/ns#' term='Troubleshooting'/><title type='text'>Tips for Troubleshooting Slow Internet Connections</title><content type='html'>&lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;&lt;img id="BLOGGER_PHOTO_ID_5342628463017401362" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 107px; CURSOR: hand; HEIGHT: 400px" alt="Colasoft Network Analyzer" src="http://1.bp.blogspot.com/_LCrZaQE-Vo8/SiTUR9kLHBI/AAAAAAAAFEI/uO6LClBc698/s400/160_600.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;Follow these steps to diagnose slow &lt;strong&gt;Internet connections&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;p&gt;1. Configure Broadband Router Settings Properly&lt;br /&gt; &lt;br /&gt;An improper broadband router configuration will probably lead to slow internet connections. 
Keep your router's settings consistent with the recommendations of the manufacturer and your Internet Service Provider (ISP).&lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;p&gt;2. Reposition Router and Change Wi-Fi Channel Number&lt;br /&gt; &lt;br /&gt;Signal interference, which forces computers to constantly resend messages to overcome signal issues, may affect the performance of Wi-Fi and other types of wireless connections. Repositioning your router and changing your Wi-Fi channel number may benefit your connection performance. &lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;p&gt;3. Run Antivirus Software Regularly To Diagnose and Remove Worms&lt;br /&gt; &lt;br /&gt;An Internet worm may begin generating huge amounts of network traffic, causing a slow network connection, if any of your computers are infected. Remember to run antivirus software regularly to diagnose and remove these worms from your computers. &lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;p&gt;4. Don't Forget the Running Background Applications&lt;br /&gt; &lt;br /&gt;Some useful background applications, like peer-to-peer (P2P) programs, consume a great deal of network resources. Therefore, don’t overlook the running background applications when facing slow network connection issues. &lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;p&gt;5. Temporarily Re-Arrange and Re-Configure Your Gear&lt;br /&gt; &lt;br /&gt;Faulty network equipment typically won't support connections. To troubleshoot potentially faulty equipment, temporarily re-arrange and re-configure your gear while experimenting with different configurations. Try bypassing the router, swapping cables and changing network adapters to isolate the slow performance to a specific component of the system.&lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;p&gt;6. Ask Your Service Provider&lt;br /&gt; &lt;br /&gt;Internet speed ultimately depends on the service provider. 
Don’t forget to ask your ISP what happened if you suspect they bear the main responsibility for your poor connection performance. &lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;br /&gt; &lt;br /&gt;&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt;The reasons for slow connections are varied. The &lt;a href="http://networksniffer.blog.com/2009/06/02/tips-for-troubleshooting-slow-internet-connections/"&gt;6 tips for troubleshooting slow internet connections&lt;/a&gt; are basic solutions that may guide you when suffering network connection problems. Moreover, diagnosing and troubleshooting the issues manually is not easy work. Nowadays, many network administrators choose easy-to-use network analysis tools, like &lt;a href="http://www.colasoft.com/?prid=01060001"&gt;Colasoft Network Analyzer&lt;/a&gt; (also called packet sniffer, network sniffer, protocol analyzer), to monitor, analyze, and troubleshoot their network in minutes. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-8374277521322253651?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/8374277521322253651/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=8374277521322253651' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8374277521322253651'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8374277521322253651'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/06/tips-for-troubleshooting-slow-internet.html' title='Tips for Troubleshooting Slow Internet Connections'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_LCrZaQE-Vo8/SiTUR9kLHBI/AAAAAAAAFEI/uO6LClBc698/s72-c/160_600.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-3230949229874920198</id><published>2009-06-08T22:55:00.000-07:00</published><updated>2009-06-08T22:56:53.311-07:00</updated><title type='text'>How to Monitor MSN Chat with Free Unipeek MSN Monitor</title><content type='html'>For some purposes we want to monitor MSN chat around the network, for example, parents want to monitor MSN chat of their kids to ensure their safety; bosses want to monitor MSN chat 
of employees for company asset security and to improve work efficiency by minimizing non-business chat during working hours. You may still remember Colasoft MSN Monitor; it is now called &lt;a title="Unipeek MSN Monitor" href="http://www.msn-monitor.com/index.php" target="_blank"&gt;Unipeek MSN Monitor&lt;/a&gt; and is distributed &lt;strong&gt;completely free&lt;/strong&gt; for non-commercial users.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Now let’s see how we can &lt;a title="How to Monitor MSN Chat" href="http://blog.colasoft.com/how-to-monitor-msn-chat-with-free-unipeek-msn-monitor/" target="_blank"&gt;monitor MSN chat&lt;/a&gt; with Unipeek MSN Monitor, the free tool.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Step 1. Download Unipeek MSN Monitor&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a title="Download Unipeek MSN Monitor" href="http://www.msn-monitor.com/download_msn_monitor.php" target="_blank"&gt;Download Unipeek MSN Monitor&lt;/a&gt;, the free edition, from the website. As a matter of fact, there is no functional difference between the free edition of Unipeek MSN Monitor and the commercial edition. The only difference is that Unipeek MSN Monitor Free Edition supports a maximum of 10 MSN accounts, which is quite enough for family users.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Step 2. Install and Deploy Unipeek MSN Monitor&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;The installation is quick and simple: just click “next” all the way to complete the installation. But the deployment is somewhat different. 
Because Unipeek MSN Monitor is based on &lt;a title="Colasoft Network Analyzer Software for Windows" href="http://www.colasoft.com/prid=01060001" target="_blank"&gt;Colasoft&lt;/a&gt;’s packet capturing technology, it has to be &lt;a title="how to deploy packet sniffer" href="http://www.colasoft.com/support/installation.php?prid=01060001" target="_blank"&gt;deployed properly&lt;/a&gt;, like a packet sniffer, if you want to monitor all MSN chat around the network. Of course, you don’t have to do this if you only want to monitor the MSN chat of a single computer. To monitor multiple computers, you can install multiple copies.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/06/monitor-msn-chat-ss1.jpg"&gt;&lt;img class="size-full wp-image-179" title="How to Monitor MSN Chat Screenshot 1" src="http://blog.colasoft.com/wp-content/uploads/2009/06/monitor-msn-chat-ss1.jpg" alt="How to Monitor MSN Chat Screenshot 1" width="526" height="376" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Step 3. Run It and Start Monitoring MSN Chat&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;After proper installation and deployment, we can start monitoring MSN chat right away.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/06/monitor-msn-chat-ss2.jpg"&gt;&lt;img class="size-full wp-image-180" title="How to Monitor MSN Chat Screenshot 2" src="http://blog.colasoft.com/wp-content/uploads/2009/06/monitor-msn-chat-ss2.jpg" alt="How to Monitor MSN Chat Screenshot 2" width="544" height="408" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;About Unipeek MSN Monitor&lt;/strong&gt;&lt;br /&gt;Unipeek MSN Monitor (MSN sniffer) is free MSN monitoring software for MSN chat monitoring and MSN message archiving. 
Based on Colasoft's packet analysis technology, Unipeek MSN Monitor is able to deliver the most accurate MSN monitoring statistics, and automatically record data for future reference. You need only install Unipeek MSN Monitor once to monitor all MSN chats over the local network.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Key Features include:&lt;/strong&gt;&lt;br /&gt;&lt;br&gt;• Real-time and 24/7 MSN chat monitoring&lt;br /&gt;&lt;br&gt;• Automatically archive MSN messages for future reference&lt;br /&gt;&lt;br&gt;• Export messages of a custom time range&lt;br /&gt;&lt;br&gt;• Customize MSN account list to be monitored&lt;br /&gt;&lt;br&gt;• Unique Conversation Matrix showing account relations&lt;br /&gt;&lt;br&gt;• Support emotion icons, message font size and color.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;Download Now&lt;/strong&gt;&lt;br /&gt;&lt;br&gt;&lt;a title="Download Unipeek MSN Monitor" href="http://www.msn-monitor.com/download_msn_monitor.php" target="_blank"&gt;Download Unipeek MSN Monitor&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-3230949229874920198?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/3230949229874920198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=3230949229874920198' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3230949229874920198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3230949229874920198'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/06/how-to-monitor-msn-chat-with-free.html' 
title='How to Monitor MSN Chat with Free Unipeek MSN Monitor'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-215139973424993951</id><published>2009-05-15T01:37:00.000-07:00</published><updated>2009-05-15T01:38:55.965-07:00</updated><title type='text'>How can I detect a protocol analyzer?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/?prid=01060001"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 300px; height: 250px;" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/Sg0Oz-_sp8I/AAAAAAAAFEA/e7mi2EQzEmQ/s400/need+a+colasoft+network+analyzer.gif" alt="colasoft network analyzer" id="colasoft network analyzer" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;The article "&lt;a href="http://topnetworksniffers.blogspot.com/2009/05/how-can-i-detect-network-sniffer.html"&gt;How can I detect a protocol analyzer&lt;/a&gt;" is extracted by Jason Lee from &lt;a href="http://www.colasoft.com/?prid=01060001"&gt;www.Colasoft.com&lt;/a&gt;  for knowledge sharing. For complete copy on this topic, please visit &lt;a href="http://web.archive.org/web/20050221103207/http://www.robertgraham.com/pubs/sniffing-faq.html"&gt;Sniffing (network wiretap, sniffer) FAQ&lt;/a&gt;&lt;/span&gt;.&lt;br /&gt;&lt;p align="left"&gt;In theory, it is impossible to detect packet sniffing  programs because they are passive: they only collect packets, they don't  transmit anything. However, in practice it is sometimes possible  to detect sniffing programs. 
It is similar to how in theory it is impossible to  detect radio/TV receivers, but European countries do it all the time in order  to catch people avoiding the radio/TV tax.&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;p&gt;A stand-alone &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;protocol analyzer&lt;/a&gt; doesn't transmit any packets, but when  installed non-standalone on a normal computer, the sniffing program will often  generate traffic. For example, it might send out DNS reverse lookups in order to  find names associated with IP addresses.&lt;/p&gt;&lt;p&gt;&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;p&gt;Non-standalone &lt;strong&gt;protocol analyzers&lt;/strong&gt; are indeed what you &lt;em&gt;want&lt;/em&gt; to detect.  When crackers/hackers invade machines, they often install sniffing programs.  You want to be able to detect this happening.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;General Overview of Detection Method&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Ping method&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;Most "protocol analyzers" run on normal machines  with a normal TCP/IP stack. This means that if you send a request to these  machines, they will respond. The trick is to send a request to IP address of  the machine, but not to its Ethernet adapter.&lt;br /&gt; &lt;br /&gt;To illustrate:&lt;br /&gt;&lt;/p&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;The machine  suspected of running the protocol analyzer has an IP address 10.0.0.1, and an  Ethernet address of 00-40-05-A4-79-3&lt;strong&gt;&lt;u&gt;2&lt;/u&gt;&lt;/strong&gt;. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;You are on the  same Ethernet segment as the suspect (remember, the Ethernet is used only to  communicate locally on a segment, not remotely across the Internet). &lt;/li&gt;&lt;br /&gt;&lt;li&gt;You change the MAC  address slightly, such as 00-40-05-A4-79-3&lt;strong&gt;&lt;u&gt;3&lt;/u&gt;&lt;/strong&gt;. 
&lt;/li&gt;&lt;br /&gt;&lt;li&gt;You transmit an "ICMP Echo Request" (ping) with the IP address and this new MAC address. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Remember that NOBODY should see this packet, because as the frame goes down the wire, each &lt;strong&gt;Ethernet adapter&lt;/strong&gt; matches the &lt;strong&gt;MAC address&lt;/strong&gt; against its own MAC address. If they do not match, the adapter ignores the frame. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;If you see the response, then the suspect wasn't running this "MAC address filter" on the card, and is hence sniffing on the wire. &lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;p&gt;There are ways of defending against this. Now that this technique is widely publicized, newer hackers will enable a virtual MAC address filter in their code. Many machines (notably Windows) have MAC filtering in drivers. (There is a hack for Windows: most drivers just check the first byte, so a MAC address of FF-00-00-00-00-00 looks like FF-FF-FF-FF-FF-FF (the broadcast address which all adapters accept). However, some adapters implement multicast in such a way that this address will match as a multicast, which is any address whose first byte is an odd number. Thus, this can result in false positives).&lt;br /&gt; &lt;br /&gt;This technique will usually work on switched/bridged Ethernets. When switches see an unknown MAC address for the first time, they will "flood" the frame to all segments.&lt;br /&gt; &lt;br /&gt;&lt;strong&gt;Ping method, part 2&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt;The ping method can be enhanced in a number of ways: &lt;/p&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Any protocol that generates a response can be used, such as a TCP connection request or a UDP protocol such as port 7 (echo). &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Any protocol that might generate an error on the target machine might be used. For example, bad IP header values might be used to generate an ICMP error. 
&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Sometimes a broadcast address (either a "local broadcast" like 255.255.255.255 or a "directed broadcast" like 10.0.0.255) needs to be used in order to bypass software IP address filtering. This then encounters another problem in that many machines do not respond to broadcast requests (responses to broadcasts cause network problems, such as the 'smurf' hack). &lt;/li&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;ARP method&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;The ARP method is similar to the ping method, but an &lt;strong&gt;ARP packet&lt;/strong&gt; is used instead. An explanation (in Spanish) is given at http://www.apostols.org/projectz/neped/ which includes a program called &lt;strong&gt;neped&lt;/strong&gt; to do this detection.&lt;br /&gt; &lt;br /&gt;The simplest ARP method transmits an ARP to a non-broadcast address. If a machine responds to such an ARP for its IP address, then it must be in promiscuous mode.&lt;br /&gt; &lt;br /&gt;A variation of this technique takes advantage of the fact that machines "cache" ARPs. Each ARP contains the complete information of both the sender as well as the desired target information. In other words, when I send out a single ARP to the broadcast address, I include my own IP-to-Ethernet address mapping. Everyone else on the wire remembers this information for the next few minutes. Therefore, you could do something like sending out a non-broadcast ARP, then a broadcast ping. Anybody who responds to your ping without ARPing you could only have gotten the MAC address from a sniffed ARP frame. (To make double-sure, use a different source MAC address in the ping).&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;DNS method&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;Many sniffing programs do automatic &lt;strong&gt;reverse-DNS&lt;/strong&gt; lookups on the IP addresses they see. 
Therefore, a machine in promiscuous mode can be detected by watching for the DNS traffic that it generates.&lt;br /&gt; &lt;br /&gt;This method can detect dual-homed machines and can work remotely. You need to monitor incoming inverse-DNS lookups on the DNS server in your organization. Simply do a ping sweep throughout the company against machines that are known not to exist. Anybody doing reverse DNS lookups on those addresses is attempting to look up the IP addresses seen in ARP packets, which only sniffing programs do.&lt;br /&gt; &lt;br /&gt;This same technique works locally. Configure the detector in promiscuous mode itself, then send out IP datagrams to bad addresses and watch for the DNS lookups.&lt;br /&gt; &lt;br /&gt;One interesting issue with this technique is that hacker-based sniffing programs tend to resolve IP addresses as soon as they are found, whereas commercial programs tend to delay resolution until the point where the protocol analyzer user views the protocol decodes.&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Source-route method&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;Another technique involves configuring the source-route information inside the IP header. This can be used to detect &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;protocol analyzers&lt;/a&gt; on other, nearby segments. &lt;/p&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Create a ping packet, but put a loose-source route to force it by another machine on the same segment. This machine should have routing disabled, so that it will not in fact forward it to the target. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;If you get a response, then it is likely the target sniffed the packet off the wire. 
&lt;/li&gt;&lt;br /&gt;&lt;li&gt;In the response, double-check the TTL field to find out if it came back due to sniffing (rather than being routed correctly). &lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;&lt;p&gt;Details:&lt;br /&gt; &lt;br /&gt;In loose source-routing, an option is added to the IP header. Routers will ignore the destination IP address and instead forward to the next IP address in the source-route option. This means when you send the packet, you can say "please send packet to Bob, but route it through Anne first".&lt;br /&gt; &lt;br /&gt;In this scenario, both "Anne" and "Bob" are on the segment. Anne does not route, and therefore will drop the packet when received. Therefore, "Bob" will only respond if he has sniffed the packet from the wire.&lt;br /&gt; &lt;br /&gt;On the off chance that Anne does indeed route (in which case Bob will respond), then the TTL field can be used to verify whether Bob responded from routing through Anne, or answering directly.&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;The decoy method&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;Whereas the ping and ARP methods only work on the local network, the decoy method works everywhere.&lt;br /&gt; &lt;br /&gt;Since so many protocols allow "plain text" passwords, and hackers run sifters looking for those passwords, the decoy method simply satisfies that need. It consists simply of setting up a client and a server on either side of the network, where the client runs a script to log on to the server using Telnet, POP, IMAP, or some other plain-text protocol. The server is configured with special accounts that have no real rights, or the server is completely virtual (in which case, the accounts don't really exist).&lt;br /&gt; &lt;br /&gt;Once a hacker sifts the usernames/passwords from the wire, he/she will then attempt to log on using this information. 
Standard intrusion detection systems or audit trails can be configured to log this occurrence, alerting you to the fact that a sniffing hacker has found the traffic and attempted to use the information.&lt;br /&gt; &lt;br /&gt;http://www.zurich.ibm.com/~dac/Prog_RAID98/Full_Papers/sniffer_detector.html/index.htm&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Host method&lt;/strong&gt;&lt;strong&gt; &lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;When hackers break into your systems, they will often leave behind wiretap programs running in the background in order to sniff passwords and user accounts off the wire. These are often embedded (as a trojan) in other programs, so the only way to find if something like this is running is to query the interfaces to see if they are running in promiscuous mode.&lt;br /&gt; &lt;br /&gt;The most common technique is to run the program "ifconfig -a". On my computer (Solaris 2.6) the output looks like:&lt;br /&gt; &lt;br /&gt;# ifconfig -a&lt;br /&gt; &lt;br /&gt;lo0:  flags=849&amp;lt;UP,LOOPBACK,RUNNING,MULTICAST&amp;gt; mtu 8232&lt;br /&gt; &lt;br /&gt;inet  127.0.0.1 netmask ff000000&lt;br /&gt; &lt;br /&gt;hme0:  flags=863&amp;lt;UP,BROADCAST,NOTRAILERS,RUNNING,&lt;strong&gt;PROMISC&lt;/strong&gt;,MULTICAST&amp;gt; mtu  1500&lt;br /&gt; &lt;br /&gt;inet  192.0.2.99 netmask ffffff00 broadcast 192.0.2.255&lt;br /&gt; &lt;br /&gt;ether  8:0:20:9c:a2:98&lt;br /&gt; &lt;br /&gt; &lt;br /&gt; &lt;br /&gt;Of course, the first thing a hacker will do is replace the 'ifconfig' program to hide this. There are other utilities you can download from the net that will query the hardware directly in order to discover this information, or you could run the 'ifconfig' program directly from a CD-ROM distribution.&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Latency method&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;This is a more evil method. 
On one hand, it can significantly degrade network performance. On the other hand, it can 'blind' protocol analyzers by sending too much traffic.&lt;br /&gt; &lt;br /&gt;This method functions by sending huge quantities of network traffic on the wire. This has no effect on non-promiscuous machines, but has a huge effect on sniffing machines, especially those parsing application layer protocols for passwords. Simply pinging the machine before the load and during the load and testing the difference in response time can indicate if the machine is under load.&lt;br /&gt; &lt;br /&gt;One problem with this technique is that packets can be delayed simply because of the load on the wire, which may cause timeouts and therefore false positives. On the other hand, many sniffing programs are "user mode" whereas pings are responded to in "kernel mode", and are therefore independent of CPU load on a machine, thereby causing false negatives.&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;TDR&lt;/strong&gt;&lt;strong&gt; (Time-Domain Reflectometers)&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;A TDR is basically RADAR for the wire. It sends a pulse down the wire, then graphs the reflections that come back. An expert can look at the graph of the response and figure out if any devices are attached to the wire that shouldn't be. 
They also roughly tell where, in terms of distance along the wire, the tap is located.&lt;br /&gt; &lt;br /&gt;This can detect hardware protocol analyzers that might be attached to the wire, but which are completely silent otherwise.&lt;br /&gt; &lt;br /&gt;TDRs used to be used a lot in the old days of coax Ethernet in order to detect vampire taps, but these days with star topologies, they are used very rarely.&lt;br /&gt; &lt;br /&gt;OTDR equipment also exists, but this is really only for the truly paranoid.&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Hub lights&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;You can manually check hub-lights to see if there are any connections you don't expect. It helps to have labeled cables to figure out where (physically) a protocol analyzer might be located.&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;SNMP monitoring&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt;Smart hubs with SNMP management can provide automated monitoring of Ethernet (and other) hubs. Some management consoles will even let you log connections/disconnections to all your ports. If you've configured the system with the information where all the cables terminate, you can sometimes track down where a protocol analyzer might be hiding. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-215139973424993951?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/215139973424993951/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=215139973424993951' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/215139973424993951'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/215139973424993951'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/05/how-can-i-detect-protocol-analyzer.html' title='How can I detect a protocol analyzer?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/Sg0Oz-_sp8I/AAAAAAAAFEA/e7mi2EQzEmQ/s72-c/need+a+colasoft+network+analyzer.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-6576703399965987085</id><published>2009-05-14T02:00:00.001-07:00</published><updated>2009-05-14T02:18:27.803-07:00</updated><title type='text'>Ten Reasons Make protocol analyzers an Essential Network Tools</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/?prid=01060001"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; 
float: right; cursor: pointer; width: 320px; height: 231px;" src="http://1.bp.blogspot.com/_LCrZaQE-Vo8/SgvWOTAmB7I/AAAAAAAAFDc/eVCt2TNJuZ4/s320/Colasoft_Capsa___Expert_Packet_Sniffer_14559.gif" alt="colasoft protocol analzyer" id="colasoft protocol analzyer" border="0" /&gt;&lt;/a&gt;Whether you are a network administrator or an IT manager, you are probably familiar with the network analysis tool known as a &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;protocol analyzer&lt;/a&gt; (also known as a &lt;strong&gt;network analyzer, protocol analyzer or sniffer&lt;/strong&gt;), which is widely used by all kinds of organizations, schools, enterprises, government institutions, etc.&lt;br /&gt;&lt;p&gt;Maybe you are still surprised that more and more enterprises, like IBM, Intel, Epson, Airbus, Ericsson, etc., love to deploy protocol analyzers on their company’s network. OK, grab a fresh coffee, then look at the following problems and ask yourself, as a &lt;strong&gt;network administrator or IT manager&lt;/strong&gt;, whether these are issues you have met.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Rushing from one network problem to another every day?&lt;br /&gt; &lt;br /&gt;Have no way to judge whether your network has been intruded?&lt;br /&gt; &lt;br /&gt;Unable to collect convincing information to submit to your boss even when you have realized that your network system has been intruded?&lt;br /&gt; &lt;br /&gt;No idea whether current network usage matches actual need?&lt;br /&gt; &lt;br /&gt;Have no idea how many staff are focusing on their job rather than killing time chatting with friends, browsing irrelevant webpages, etc.? 
&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Yes, every question listed above has puzzled many network administrators, but don't worry: a protocol analyzer can easily help you out with its strong functions. Here are &lt;a href="http://topnetworksniffers.blogspot.com/2009/05/ten-reasons-make-network-sniffers.html"&gt;ten reasons that make protocol analyzers essential network tools.&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt; * &lt;strong&gt;Analyze network problems&lt;br /&gt;* Detect network intrusion attempts&lt;br /&gt;* Gain information for effecting a network intrusion &lt;br /&gt;* Monitor network usage &lt;br /&gt;* Gather and report network statistics &lt;br /&gt;* Filter suspect content from network traffic &lt;br /&gt;* Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use) &lt;br /&gt;* Reverse engineer proprietary protocols used over the network &lt;br /&gt;* Debug client/server communications &lt;br /&gt;* Debug network protocol implementations&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Currently, there are dozens of protocol analyzers on the market. Some, like Wireshark, are very complex to use and require you to be versed in networking; others are designed for ordinary network administrators, such as &lt;a href="http://www.colasoft.com/?prid=01060001"&gt;Colasoft Network Analyzer&lt;/a&gt;, &lt;strong&gt;all-in-one &amp;amp; easy-to-use&lt;/strong&gt;, and these are more and more accepted and welcome.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-6576703399965987085?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/6576703399965987085/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=6576703399965987085' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/6576703399965987085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/6576703399965987085'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/05/ten-reasons-make-protocol-analyzers.html' title='Ten Reasons Make protocol analyzers an Essential Network Tools'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_LCrZaQE-Vo8/SgvWOTAmB7I/AAAAAAAAFDc/eVCt2TNJuZ4/s72-c/Colasoft_Capsa___Expert_Packet_Sniffer_14559.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-7753717075646461639</id><published>2009-05-13T02:31:00.000-07:00</published><updated>2009-05-13T02:33:56.402-07:00</updated><title type='text'>Top 5 Most Welcomed Protocol Analyzers</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/?prid=01060001"&gt;&lt;img src="http://2.bp.blogspot.com/_LCrZaQE-Vo8/Sgkdrmb0U_I/AAAAAAAAFDU/W8wR_Whi8cY/s320/Colasoft+packet+sniffer+Top+5.jpg" alt="Colasoft Network Analyzer" name="Colasoft Network Analyzer" border="0" id="Colasoft Network Analyzer" style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 300px; height: 300px;" /&gt;&lt;/a&gt;According to the latest statistic from  famous download sites regarding to downloads of protocol analyzer softwares, the 
following  products are very honored to be listed as top 5 most welcome protocol analyzers by network  engineers, IT managers, and network administrators etc.&lt;br /&gt;&lt;p&gt;&lt;strong&gt;#1 Wireshark- A Free Open Source Network  Sniffer for Top Network Engineers &lt;/strong&gt;&lt;br /&gt; &lt;br /&gt;Wireshark (known as Ethereal until a  trademark dispute in Summer 2006) is a fantastic open source network protocol  analyzer for Unix and Windows. It allows you to examine data from a live  network or from a capture file on disk. You can interactively browse the  capture data, delving down into just the level of packet detail you need.  Wireshark has several powerful features, including a rich display filter  language and the ability to view the reconstructed stream of a TCP session. It  also supports hundreds of protocols and media types. A tcpdump-like console  version named tethereal is included. One word of caution is that Ethereal has  suffered from dozens of remotely exploitable security holes, so stay up-to-date  and be wary of running it on untrusted or hostile networks (such as security  conferences).&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;#2 &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;Colasoft Capsa&lt;/a&gt; - All-In-One &amp;amp;  Easy-To-Use Network Analyzer and protocol analyzers Available For Most Network Administrators.&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt;&lt;strong&gt;Colasoft Network Analyzer - Capsa&lt;/strong&gt; performs real-time packet  capturing, 24/7 network monitoring, advanced protocol analyzing, in-depth  packet decoding, and automatic expert diagnosing. 
It allows you to get a clear view of the complex network, conduct packet level analysis, and troubleshoot network problems.&lt;br /&gt; &lt;br /&gt;Whether you're a network administrator who needs to identify, diagnose, and solve network problems, a company manager who wants to monitor user activities on the network and ensure that the corporation's communications assets are safe, or a consultant who has to quickly solve network problems for clients, &lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;Capsa&lt;/a&gt; is the tool you need.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;#3 Tcpdump: The Classic Sniffer For Network Monitoring And Data Acquisition&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt;Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes. It also requires fewer system resources. While it doesn't receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. TCPDump is the source of the Libpcap/WinPcap packet capture library, which is used by Nmap among many other tools.&lt;br /&gt; &lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;#4 Etherdetect : Connection-Oriented Packet Sniffer And Protocol Analyzer&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt;EtherDetect is an easy-to-use, award-winning packet sniffer and network protocol analyzer, which provides a connection-oriented view for analyzing packets more effectively. 
With the handy tool, all you need to do is to set up the filter, start  capturing, and view connections, packets as well as data on the fly.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;#5 Ettercap : In Case You Still Thought  Switched Lans Provide Much Extra Security&lt;/strong&gt;&lt;br /&gt; &lt;br /&gt;Ettercap is a terminal-based network  sniffer/interceptor/logger for ethernet LANs. It supports active and passive  dissection of many protocols (even ciphered ones, like ssh and https). Data  injection in an established connection and filtering on the fly is also  possible, keeping the connection synchronized. Many sniffing modes were  implemented to give you a powerful and complete sniffing suite. Plugins are  supported. It has the ability to check whether you are in a switched LAN or  not, and to use OS fingerprints (active or passive) to let you know the  geometry of the LAN.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-7753717075646461639?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/7753717075646461639/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=7753717075646461639' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/7753717075646461639'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/7753717075646461639'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/05/top-5-most-welcomed-protocol-analyzers.html' title='Top 5 Most Welcomed Protocol 
Analyzers'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_LCrZaQE-Vo8/Sgkdrmb0U_I/AAAAAAAAFDU/W8wR_Whi8cY/s72-c/Colasoft+packet+sniffer+Top+5.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-411890133265903258</id><published>2009-05-12T00:28:00.000-07:00</published><updated>2009-05-12T00:29:56.282-07:00</updated><title type='text'>How to Find MAC Address with Colasoft MAC Scanner and More</title><content type='html'>&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/05/colasoft-mac-scanner-screenshot.jpg"&gt;&lt;img title="Colasoft MAC Scanner Screenshot" src="http://blog.colasoft.com/wp-content/uploads/2009/05/colasoft-mac-scanner-screenshot.jpg" alt="Colasoft MAC Scanner Screenshot" align="left" height="229" width="289"&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;In computer networking, a Media Access Control address (&lt;strong&gt;MAC address&lt;/strong&gt;) is a &lt;strong&gt;unique&lt;/strong&gt; identifier assigned to most network adapters or network interface cards (NICs) by the manufacturer for identification, and used in the Media Access Control protocol sublayer. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number. 
It may also be known as an Ethernet Hardware Address (EHA), hardware address, adapter address, or physical address.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Since a MAC address is unique for most network adapters or network interface cards (NICs), it is important for IT administrators to know all the MAC addresses in the LAN so as to quickly locate a network device when a network issue arises. Luckily we have tools to help us out. Let’s see how we can easily &lt;a href="http://blog.colasoft.com/how-to-find-mac-address-with-colasoft-mac-scanner-and-more/"&gt;find MAC addresses&lt;/a&gt; in a LAN with Colasoft MAC Scanner.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Colasoft MAC Scanner is &lt;strong&gt;free&lt;/strong&gt; software for finding MAC addresses and IP addresses. It can automatically detect all subnets according to the IP addresses configured on multiple NICs of a machine and find the MAC addresses and IP addresses of defined subnets as you need. Users can customize their own scan process by specifying the subsequent threads.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step 1. &lt;a title="download Colasoft MAC Scanner" href="http://www.colasoft.com/mac_scanner/?protocol analyzer=01060001" target="_blank"&gt;Download Colasoft MAC Scanner&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step 2. Install Colasoft MAC Scanner&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The installation of Colasoft MAC Scanner is quick and easy. It is suggested to install Colasoft MAC Scanner on a laptop, as it only scans and finds MAC addresses and IP addresses in the subnet to which the laptop is connected.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step 3. Start a Scan&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;It’s easy and quick: just press the start button, and Colasoft MAC Scanner will scan and find MAC addresses and IP addresses in the subnet and list them out. 
The results can be “copy and paste” or exported for future reference.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Now the problem is: if a LAN is divided into several subnets, we’ll have to move the laptop around and scan each subnet in order to find all MAC addresses and IP addresses. Then what’s the solution?&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Find MAC Address and IP Address with &lt;a title="Colasoft protocol analyzer" href="http://www.colasoft.com/capsa/?protocol analyzer=01060001" target="_blank"&gt;Colasoft protocol analyzer&lt;/a&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Colasoft protocol analyzer allows us to find MAC addresses and IP addresses both local and remote in the network as long as there is network communication initiated.&lt;br /&gt;&lt;/p&gt;&lt;p style="text-align: center;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div style="text-align: left;"&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/05/colasoft-packet-sniffer-mac.jpg"&gt;&lt;img style="vertical-align: middle;" title="Find MAC Address in Colasoft protocol analyzer" src="http://blog.colasoft.com/wp-content/uploads/2009/05/colasoft-packet-sniffer-mac.jpg" alt="Find MAC Address in Colasoft protocol analyzer" align="" height="413" width="470"&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&amp;gt;&amp;gt;&amp;gt;&amp;gt;&lt;a title="Download Colasoft protocol analyzer" href="http://www.colasoft.com/colasoft.com/download/products/download_capsa.php?protocol analyzer=01060001" target="_blank"&gt;Download Colasoft protocol analyzer Now&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-411890133265903258?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://sniffer4networknpacket.blogspot.com/feeds/411890133265903258/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=411890133265903258' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/411890133265903258'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/411890133265903258'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/05/how-to-find-mac-address-with-colasoft.html' title='How to Find MAC Address with Colasoft MAC Scanner and More'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1461086191991538267</id><published>2009-05-11T02:21:00.000-07:00</published><updated>2009-05-11T02:23:55.402-07:00</updated><title type='text'>Find Out the Top Network Administrator Tools</title><content type='html'>&lt;a href="http://www.colasoft.com/capsa/?prid=01060001"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; width: 320px; float: right; height: 213px; cursor: pointer;" alt="" src="http://2.bp.blogspot.com/_LCrZaQE-Vo8/SgPa7EgEWgI/AAAAAAAAFDE/OBE1N0_RO_U/s320/colasoft+network+analyzer.jpg" border="0" /&gt;&lt;/a&gt;&lt;strong&gt;Packet Sniffers / Network Protocol Analyzer&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;With packet sniffers and network protocol analyzers, you can monitor network activity, analyze network performance, enhance network security, and troubleshoot network issues.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;span&gt;1,&lt;/span&gt;&lt;span 
style="font-weight: bold;"&gt; Colasoft packet sniffer - Capsa&lt;/span&gt; &lt;a href="http://www.colasoft.com/?prid=01060001"&gt;http://www.colasoft.com/&lt;/a&gt; Colasoft Capsa performs real-time packet capturing, 24/7 network monitoring, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. It allows you to get a clear view of the complex network, conduct packet level analysis, and troubleshoot network problems.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;2, Ethereal – http://www.ethereal.com/&lt;/p&gt;&lt;br /&gt;&lt;p&gt;3, EtterCap – http://ettercap.sourceforge.net/&lt;/p&gt;&lt;br /&gt;&lt;p&gt;4, Snort – http://www.snort.org/&lt;/p&gt;&lt;br /&gt;&lt;p&gt;5, WinDump / TCPDump - http://www.tcpdump.org/wpcap.html/&lt;/p&gt;&lt;br /&gt;&lt;p&gt;6, DSniff – http://naughty.monkey.org/~dugsong/dsniff/&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Scanning Tools&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;1, Nmap – http://www.nmap.org/ Nmap is a port scanner. A port scanner scans for open ports, such as 80 (http) or 25 (SMTP).&lt;/p&gt;&lt;br /&gt;&lt;p&gt;2, Sam Spade – www.samspade.org/ Sam Spade is a multi network query tool with many extra built in utilities, even a tool for spam. It includes utilities such as ping, whois, traceroute, and finger.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;3, NetScanTools Pro ($199) – http://www.netscantools.com/nstmain.html NetScanTools Pro Edition is an integrated collection of internet information gathering utilities for Windows Vista/2008/2003/XP/2000. Use it to research IP addresses, hostnames, domain names, email addresses, URLs automatically or with manual tools.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;4, SuperScan – http://www.foundstone.com/ SuperScan has the primary purpose of scanning an IP range. 
It supports extremely fast Host Discovery lookups as well as TCP and UDP port scans thanks to its multi-threaded and asynchronous techniques.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;UserManagement - http://www.tools4ever.com/&lt;/strong&gt; Complete user account management featuring advanced user creation, modification, removal, mass creation/removal and delegation of administrative tasks. The UserManagemeNT Suite consists of three modules, Professional, Import and Delegation. These modules can operate independently or seamlessly integrated with each other.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;AdminMagic - http://www.tools4ever.com/&lt;/strong&gt; Full control: Using AdminMagic, you can take over and control users' desktops from your own workstation. Featuring complete mouse and keyboard emulation, you can execute programs, login/logoff, modify device drivers and reboot all from a central location. You can also take screenshots of remote desktops and store/print them for later use. Remote users will not be interrupted and can continue working as they always do.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Advanced System Optimizer&lt;/strong&gt; - http://www.systweak.com/ Advanced System Optimizer is a system tweaking suite that includes around 30 tools to improve and tweak your PC's performance. It offers an attractive and easy to use interface that organizes all tasks into categories and provides graphical statistics whenever possible. The tools include junk file cleaner, memory optimizer, system information, system files backup, file encryption, safe uninstaller, duplicate file finder, taskbar manager and much more. Advanced System Optimizer also includes an Internet tracks eraser with cookie manager and secure deletion, and even a desktop sticky notes application. 
Overall, a great bundle that offers a wide range of system tools with extra benefits that are hardly ever found.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-1461086191991538267?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1461086191991538267/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1461086191991538267' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1461086191991538267'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1461086191991538267'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/05/find-out-top-network-administrator.html' title='Find Out the Top Network Administrator Tools'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_LCrZaQE-Vo8/SgPa7EgEWgI/AAAAAAAAFDE/OBE1N0_RO_U/s72-c/colasoft+network+analyzer.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-514054319683855175</id><published>2009-05-06T02:06:00.000-07:00</published><updated>2009-05-06T02:07:51.935-07:00</updated><title type='text'>Monitor Your Network Traffic with Colasoft protocol analyzer</title><content type='html'>&lt;strong&gt;Importance of network 
monitoring&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;Reading network traffic is essential for system administrators, network engineers, and security analysts. At some point there will be a need to read the network traffic directly instead of monitoring application level details. Examples of situations that might require monitoring network traffic are auditing network security, debugging network configurations, and analyzing usage patterns. For this task we use network monitoring software, or protocol analyzers, that sniff the traffic your computer is able to see on the network. What exactly your computer can see really depends on how the network is laid out, but the easiest way to figure out what it can see is just to start sniffing.&lt;br /&gt;&lt;br /&gt;The most common tool to do the job is readily available. One of the most popular and easy-to-use tools for monitoring network traffic is &lt;a href="http://www.colasoft.com/?prid=01040001"&gt;Colasoft protocol analyzer&lt;/a&gt;.&lt;/p&gt;&lt;br /&gt;&lt;strong&gt;How to Monitor Network Traffic&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;As a protocol analyzer, &lt;a href="http://www.colasoft.com/capsa/?prid=01040001"&gt;Capsa&lt;/a&gt; makes it easy for us to monitor and analyze network traffic in its intuitive and information-rich tab views. With Capsa's network traffic monitor feature, we can quickly identify network bottlenecks and detect network abnormalities. This article discusses how we can monitor network traffic with Capsa's network traffic monitor feature.&lt;/p&gt;&lt;br /&gt;&lt;strong&gt;1,Monitor network traffic in "Summary"  &lt;/strong&gt;&lt;strong&gt;tab&lt;/strong&gt;&lt;br /&gt;     &lt;p&gt;"Summary" is a view that provides general information about the entire network or the selected node in the "Explorer". In "Summary" we can get a quick view of the total traffic, real-time traffic, broadcast traffic, multicast traffic and so on. 
When we switch among the nodes in the Explorer, the corresponding traffic information is provided.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic6.gif" alt="Monitor Network Traffic in Summary" height="481" width="574" /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;(pic 1. monitor-network-traffic-in-summary)&lt;br /&gt;&lt;/p&gt;     &lt;strong&gt;2,Monitor network traffic in "Endpoints" tab&lt;/strong&gt;&lt;br /&gt;                  &lt;p&gt;In the "Endpoints" view, we can monitor the network traffic information of each node, both local and remote. With its easy sorting feature we can easily find out which host is generating or has generated the largest traffic.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic1.gif" alt="Monitor Network Traffic in Endpoints" height="481" width="574" /&gt;&lt;/p&gt;     &lt;p&gt;(pic 2. monitor-network-traffic-in-endpoints)&lt;/p&gt;     &lt;strong&gt;3,Monitor network traffic in "Protocols" tab&lt;/strong&gt;&lt;br /&gt;     &lt;p&gt;The "Protocols" view lists all protocols used in network transmission. In the "Protocols" view we can monitor network traffic by each protocol. By analyzing network traffic by protocol, we can understand what applications are using the network bandwidth; for example, the "http" protocol stands for website browsing, "pop3" stands for email, etc.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic2.gif" alt="Monitor Network Traffic by Protocol" height="481" width="574" /&gt;&lt;/p&gt;     &lt;p&gt;(pic 3. 
monitor-network-traffic-by-protocol)&lt;/p&gt;     &lt;strong&gt;4,Monitor network traffic in "Conversations" tab&lt;/strong&gt;&lt;br /&gt;     &lt;p&gt;In the "Conversations" tab we can monitor network traffic by each conversation and then figure out which conversation has generated the largest network traffic.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic3.gif" alt="Monitor Network Traffic by Conversation" height="481" width="575" /&gt;&lt;/p&gt;     &lt;p&gt;(pic 4. monitor-network-traffic-by-conversation)&lt;/p&gt;     &lt;strong&gt;5,Monitor network traffic in "Matrix" tab&lt;/strong&gt;&lt;br /&gt;     &lt;p&gt;"Matrix" is a view that visualizes all network connections and traffic details in one single graph. The weight of the lines between the nodes indicates the traffic volume and the color indicates the status. As we move the cursor over a specific node, the network traffic details of that node are provided.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic4.gif" alt="Monitor Network Traffic In Matrix" height="481" width="574" /&gt;&lt;/p&gt;(pic 5. monitor-network-traffic-in-Matrix)&lt;br /&gt;     &lt;strong&gt;&lt;br /&gt;6,Monitor network traffic in "Graphs" tab&lt;/strong&gt;&lt;br /&gt;     &lt;p&gt;If we want to get a trend chart of the network traffic, then we need to use the "Graphs" tab. The "Graphs" view allows us to view network statistics dynamically in different chart types, such as line chart, bar chart, and pie chart. By selecting "Utilization" we get a real-time traffic trend chart.&lt;/p&gt;     &lt;p&gt;&lt;img src="http://www.colasoft.com/images/screenshots/monitor_network_traffic5.gif" alt="Monitor Network Traffic in Graphs" height="481" width="574" /&gt;&lt;/p&gt;(pic 6. 
monitor-network-traffic-in-graphs)&lt;br /&gt;     &lt;p&gt;As we can see, with &lt;a href="http://www.colasoft.com/download/?prid=01040001"&gt;Capsa&lt;/a&gt; we can not only monitor network traffic conveniently but also analyze it at different levels, which enables us to quickly and efficiently detect network abnormalities and troubleshoot network problems. &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-514054319683855175?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/514054319683855175/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=514054319683855175' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/514054319683855175'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/514054319683855175'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/05/monitor-your-network-traffic-with.html' title='Monitor Your Network Traffic with Colasoft protocol analyzer'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-2079393936149221828</id><published>2009-05-06T02:03:00.000-07:00</published><updated>2009-05-06T02:05:26.160-07:00</updated><title type='text'>Kismet, an 802.11 Layer2 Wireless Network Detector and protocol 
analyzer</title><content type='html'>&lt;div style="text-align: left;"&gt;&lt;a href="http://packetsniffer.blog.com/files/2009/05/kismet1.png"&gt;&lt;img title="Kismet Screeshot" src="http://packetsniffer.blog.com/files/2009/05/kismet1-300x210.png" alt="Kismet Screeshot" align="right" height="210" width="300" /&gt;&lt;/a&gt;&lt;strong&gt;What is Kismet&lt;/strong&gt;&lt;br /&gt;&lt;/div&gt;&lt;p&gt;Kismet is an 802.11 layer2 wireless network detector, &lt;a title="Colasoft protocol analyzer" href="http://www.colasoft.com/capsa/?prid=01040001" target="_blank"&gt;protocol analyzer&lt;/a&gt;, and intrusion detection system.  Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, 802.11n, and 802.11g traffic (devices and drivers permitting). Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Feature Overview&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Kismet has many features useful in different situations for monitoring wireless networks:&lt;br /&gt;&lt;br /&gt;- Ethereal/Tcpdump compatible data logging&lt;br /&gt;- Airsnort compatible weak-iv packet logging&lt;br /&gt;- Network IP range detection&lt;br /&gt;- Built-in channel hopping and multicard split channel hopping&lt;br /&gt;- Hidden network SSID decloaking&lt;br /&gt;- Graphical mapping of networks&lt;br /&gt;- Client/Server architecture allows multiple clients to view a single Kismet server simultaneously&lt;br /&gt;- Manufacturer and model identification of access points and clients&lt;br /&gt;- Detection of known default access point configurations&lt;br /&gt;- Runtime decoding of WEP packets for known networks&lt;br /&gt;- Named pipe output for integration with other tools, such as a layer3 IDS like Snort&lt;br /&gt;- Multiplexing of multiple 
simultaneous capture sources on a single Kismet instance&lt;br /&gt;- Distributed remote drone sniffing&lt;br /&gt;- XML output&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Typical Uses&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Common applications Kismet is useful for:&lt;br /&gt;&lt;br /&gt;- Wardriving:  Mobile detection of wireless networks, logging and mapping of network location, WEP, etc.&lt;br /&gt;- Site survey:  Monitoring and graphing signal strength and location.&lt;br /&gt;- Distributed IDS:  Multiple Remote Drone sniffers distributed throughout an installation monitored by a single server, possibly combined with a layer3 IDS like Snort.&lt;br /&gt;- Rogue AP Detection:  Stationary or mobile sniffers to enforce site policy against rogue access points.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Download&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Kismet can be downloaded &lt;a title="Kismet download" href="http://www.kismetwireless.net/download.shtml" target="_blank"&gt;here&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-2079393936149221828?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/2079393936149221828/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=2079393936149221828' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/2079393936149221828'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/2079393936149221828'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/05/kismet-80211-layer2-wireless-network.html' title='Kismet, an 802.11 Layer2 Wireless Network Detector and protocol analyzer'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-750687671478123555</id><published>2009-04-28T01:04:00.000-07:00</published><updated>2009-04-28T01:06:52.167-07:00</updated><title type='text'>How to Monitor Internet Traffic with protocol analyzer?</title><content type='html'>Internet traffic is the flow of data around the Internet. 
It includes web traffic, which is the amount of that data that is related to the World Wide Web, along with the traffic from other major uses of the Internet, such as electronic mail and peer-to-peer networks.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;If we want to &lt;strong&gt;monitor internet traffic&lt;/strong&gt; that has been or is being generated in a LAN, here is a detailed process for doing it with &lt;a title="Colasoft protocol analyzer Software" href="http://www.colasoft.com/?prid=01040003" target="_blank"&gt;Colasoft protocol analyzer&lt;/a&gt; – Capsa.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Again, we must make sure the protocol analyzer software is correctly implemented so that we can capture all the traffic in the LAN. If you don’t know how to do it, please make sure you read &lt;a title="How to Implement a protocol analyzer" href="http://www.colasoft.com//support/installation.php?prid=01040003" target="_blank"&gt;how to implement a protocol analyzer&lt;/a&gt;.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;First, let’s launch a new project with Colasoft protocol analyzer, then do some online activities, such as chatting, browsing a website, sending and receiving emails, and downloading some files. All these activities will generate different kinds of internet traffic. 
We may keep the project running to continuously &lt;a title="How to Monitor Internet Traffic with Colasoft protocol analyzer" href="http://blog.colasoft.com/how-to-monitor-internet-traffic-with-colasoft-packet-sniffer/" target="_self"&gt;monitor internet traffic&lt;/a&gt; or stop the project to do some analysis.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;To monitor internet traffic, we should first select “Internet Addresses” in the “Explorer” in the left window:&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-internet-traffic-ss1.jpg"&gt;&lt;img class="size-full wp-image-78" title="Monitor Internet Traffic Screenshot1" src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-internet-traffic-ss1.jpg" alt="Monitor Internet Traffic Screenshot1" width="485" height="375" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;We can see that all the internet addresses are listed by country. To monitor the internet traffic of a specific country, we just need to click on it; if we want to monitor the internet traffic of a specific IP address within one country, we need to expand the country node and select the IP address in it.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;We can also monitor either aggregated internet traffic or internet traffic in real time:&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-internet-traffic-ss2.jpg"&gt;&lt;img class="size-full wp-image-79" title="Monitor Internet Traffic Screenshot2" src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-internet-traffic-ss2.jpg" alt="Monitor Internet Traffic Screenshot2" width="463" height="350" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;To view what online activities have generated or are generating internet traffic, we need to use the “Protocols” Tab.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-internet-traffic-ss3.jpg"&gt;&lt;img class="size-full 
wp-image-80" title="Monitor Internet Traffic Screenshot1" src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-internet-traffic-ss3.jpg" alt="Monitor Internet Traffic Screenshot1" width="506" height="364" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;We can see protocols that each correspond to a different internet activity:&lt;br /&gt;&lt;p&gt;&lt;br /&gt;HTTP – Website browsing&lt;br&gt;&lt;br /&gt;MSN – online chatting with Live Messenger&lt;br&gt;&lt;br /&gt;POP3 – Email&lt;br&gt;&lt;br /&gt;HTTPS – Website browsing via a secure link&lt;br&gt;&lt;br /&gt;QQ – online chatting with QQ&lt;br&gt;&lt;br /&gt;DNS – Domain Name System&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;About Capsa&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Colasoft Capsa is a network analyzer (protocol analyzer) designed for network monitoring and troubleshooting. It performs packet capturing, network monitoring, protocol analyzing, packet decoding, and automatic diagnosing. By giving users insights into all of the network's operations, Capsa makes it easy to isolate and solve network problems, identify network bottlenecks and bandwidth use, and detect network vulnerabilities. 
Learn more about Capsa, please visit &lt;a href="http://www.colasoft.com/capsa/?prid=01040003"&gt;http://www.colasoft.com/capsa/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-750687671478123555?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/750687671478123555/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=750687671478123555' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/750687671478123555'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/750687671478123555'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/04/how-to-monitor-internet-traffic-with.html' title='How to Monitor Internet Traffic with protocol analyzer?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-5012898796016685678</id><published>2009-04-23T20:37:00.000-07:00</published><updated>2009-04-23T20:38:43.895-07:00</updated><title type='text'>How to Monitor http Traffic with protocol analyzer?</title><content type='html'>Hypertext Transfer Protocol (&lt;strong&gt;HTTP&lt;/strong&gt;) is an application-level protocol for distributed, collaborative, hypermedia information systems. 
Its use for retrieving inter-linked resources led to the establishment of the World Wide Web.&lt;br /&gt;&lt;P&gt;&lt;br /&gt;In order to &lt;strong&gt;monitor http traffic&lt;/strong&gt;, we will need protocol analyzer software. Here is a detailed process for how we can &lt;a href="http://blog.colasoft.com/how-to-monitor-http-traffic-with-packet-sniffer/?prid=01040003"&gt;monitor http traffic&lt;/a&gt; in a LAN with &lt;a title="Colasoft protocol analyzer Software" href="http://www.colasoft.com/capsa/?prid=01040003" target="_blank"&gt;Colasoft protocol analyzer&lt;/a&gt; – Capsa.&lt;br /&gt;&lt;P&gt;&lt;br /&gt;Again, let’s launch Colasoft protocol analyzer and start a new project. Don’t forget one thing: we have to deploy the protocol analyzer on the mirror port of the core switch in order to monitor all http traffic in the LAN; if not, we can only monitor the http traffic of our own computer.&lt;br /&gt;&lt;P&gt;&lt;br /&gt;Then let’s start browsing a website, for example, www.colasoft.com, to generate some http traffic. Now let’s get back to the protocol analyzer and see if there is http traffic. 
OK, we can see the protocol analyzer has already captured some http traffic in the “&lt;strong&gt;Protocols&lt;/strong&gt;” Tab.&lt;br /&gt;&lt;P&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic1.jpg"&gt;&lt;img class="size-full wp-image-69" title="monitor-http-traffic1" src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic1.jpg" alt="Monitor http Traffic Screenshot 1" width="544" height="405" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;P&gt;&lt;br /&gt;We can see both the &lt;strong&gt;aggregated http traffic&lt;/strong&gt; since capturing started and the &lt;strong&gt;real-time http traffic&lt;/strong&gt; in this tab.&lt;br /&gt;&lt;P&gt;&lt;br /&gt;If we want to do a deeper analysis of http traffic, we will need to use the “&lt;strong&gt;Locate&lt;/strong&gt;” function to locate the http protocol in the Explorer, so that the protocol analyzer displays only the data that is http protocol. Right-click on the protocol and select “Locate Explorer Node” in the pop-up menu.&lt;br /&gt;&lt;P&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic2.jpg"&gt;&lt;img class="size-full wp-image-70" title="Monitor Http Traffic Screenshot 2" src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic2.jpg" alt="Locate Explorer Node" width="221" height="292" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;P&gt;&lt;br /&gt;If we want to know who is using the http protocol and what they are actually browsing, we are going to use two tabs, the “Endpoints” Tab and the “Logs” Tab.&lt;br /&gt;&lt;P&gt;&lt;br /&gt;Let’s see who is using the http protocol:&lt;br /&gt;&lt;P&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic3.jpg"&gt;&lt;img class="size-full wp-image-71" title="Monitor http Traffic Screenshot 3" src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic3.jpg" alt="Who is Using http Protocol" width="544" height="408" 
/&gt;&lt;/a&gt;&lt;br /&gt;&lt;P&gt;&lt;br /&gt;And what they are actually browsing:&lt;br /&gt;&lt;P&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic4.jpg"&gt;&lt;img class="size-full wp-image-72" title="Monitor http Traffic Screenshot 4" src="http://blog.colasoft.com/wp-content/uploads/2009/04/monitor-http-traffic4.jpg" alt="Monitor http Traffic Screenshot 4" width="544" height="408" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-5012898796016685678?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/5012898796016685678/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=5012898796016685678' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/5012898796016685678'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/5012898796016685678'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/04/how-to-monitor-http-traffic-with.html' title='How to Monitor http Traffic with protocol analyzer?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-8465564737075069603</id><published>2009-04-22T23:11:00.000-07:00</published><updated>2009-04-22T23:12:58.194-07:00</updated><title type='text'>What 
Can Hackers Do with Packet Sniffer</title><content type='html'>&lt;h2&gt;What Can Hackers Do with a network sniffer?&lt;/h2&gt;&lt;b&gt;A &lt;a href="http://www.colasoft.com/capsa/?prid=01040001"&gt;network sniffer&lt;/a&gt; in the wrong hands is a deadly weapon. A network sniffer is a real danger because it is a very powerful and difficult-to-detect tool.&lt;/b&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/capsa/?prid=01040001"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 300px; height: 300px;" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/SfAAs03FnUI/AAAAAAAAFB8/H-Ql0ykZDj4/s320/hacker.gif" alt="colasoft network sniffer" id="BLOGGER_PHOTO_ID_5327759129283239234" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Security breaches of all kinds are reported all the time. Every day we hear of hackers who managed to steal sensitive data, of people who become victims of identity theft, etc. Very often the breaches are so incredible that you wonder if hackers have supernatural powers. Well, hackers hardly have supernatural powers, but they don't need them – supernatural powers are not necessary when a network lacks security and one has the right tools to break in.&lt;br /&gt;&lt;h2&gt;Hackers Can Monitor Networks With a network sniffer&lt;/h2&gt;&lt;strong&gt;The tools hackers use to break into networks are more or less the same tools network admins use to monitor and maintain their networks&lt;/strong&gt;. For example, network sniffers are among the tools hackers love most. A network sniffer captures packets and shows you their contents. This means that with the help of a network sniffer running somewhere inside the network, hackers can monitor all the unencrypted traffic to and from this network.&lt;br /&gt;&lt;p&gt;This is really scary – just imagine a malicious hacker who knows all the secrets of your company. 
It gets even more dangerous for networks where hubs (and not switches) are used, because in this case a network sniffer can be installed on any computer and the hacker will monitor all the traffic in that segment, not only the traffic to and from the host. The good news is that hubs are almost out of use today and because of that hackers can do less damage with a &lt;a href="http://www.colasoft.com/products/?prid=01040001"&gt;network sniffer&lt;/a&gt;.&lt;/p&gt;&lt;h2&gt;Hackers Can Obtain Passwords and Credit Card Numbers With a network sniffer&lt;/h2&gt;When a hacker uses a network sniffer to monitor your network, this is not nice, but when he or she steals passwords, credit card numbers and other types of sensitive data, this is a real danger. Unencrypted passwords, credit card numbers and other sensitive data are an easy target for a hacker with a network sniffer.&lt;br /&gt;&lt;p&gt;Many of the cases of mass theft of credit card numbers and passwords happen because hackers use a network sniffer on an unencrypted network. For truth's sake, it is important to mention that even if all the traffic is encrypted, there are still many other ways to obtain sensitive data. But when the traffic over a network is not encrypted and nobody monitors the network for unauthorized network sniffers, sooner or later data will be stolen.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;One of the greatest achievements for hackers with a &lt;a href="http://www.colasoft.com/download/?prid=01040001"&gt;network sniffer&lt;/a&gt; is to capture the administrator's password. When the administrator's password is transmitted over the network in an unencrypted form, it is an easy target for hackers. If hackers manage to intercept the admin password, they have the power to do everything they want to on your network – delete data, modify data, etc. 
So, do you see why hackers don't need supernatural powers but only the admin password?&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-8465564737075069603?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/8465564737075069603/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=8465564737075069603' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8465564737075069603'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8465564737075069603'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/04/what-can-hackers-do-with-packet-sniffer.html' title='What Can Hackers Do with Packet Sniffer'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/SfAAs03FnUI/AAAAAAAAFB8/H-Ql0ykZDj4/s72-c/hacker.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1454836243863432278</id><published>2009-04-22T18:38:00.000-07:00</published><updated>2009-04-22T18:39:50.640-07:00</updated><title type='text'>5 Things Our IT Department had to skip</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://2.bp.blogspot.com/_LCrZaQE-Vo8/Se6OlfQUc2I/AAAAAAAAFBM/n7C5D39fbYw/s1600-h/colasoft+network+sniffer.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 227px; height: 320px;" src="http://2.bp.blogspot.com/_LCrZaQE-Vo8/Se6OlfQUc2I/AAAAAAAAFBM/n7C5D39fbYw/s320/colasoft+network+sniffer.jpg" alt="" id="BLOGGER_PHOTO_ID_5327352183922127714" border="0" /&gt;&lt;/a&gt;In the last blog post, we talked about the 5 items our IT department must do even in the big recession. In addition to the things we can't do without, there are many more things we had to skip. We are not exactly happy to stop doing these things, but desperate times call for desperate measures, and since these activities are something we can do without, we had to either quit them or drastically reduce them:&lt;ul&gt;&lt;li&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;No purchases of new hardware&lt;/span&gt;. Though it is not precise to say that we haven't bought a single piece of hardware in the last year, we have definitely cut hardware spending. For the time being we do not plan to make major hardware purchases.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Capital expenditures.&lt;/span&gt; Capital expenditures are another budget item we had to drastically shrink. We had scheduled projects, but the current economic situation made us have second thoughts and now capital expenditures are on hold.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Software that is nice to have but we can do without it&lt;/span&gt;.  Similarly to hardware and capital expenditures, some major software expenses had to be cut. Yes, there are many products, for instance accounting, HR, or ERP modules, which are great to have, but we'll go for them when the economic outlook is less gloomy.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Standardization&lt;/span&gt;. 
You know that IT people generally hate it when they have to deal with bureaucracy and standardization, so if there is an item we are happy to skip, it is standardization. More or less we skipped all standardization-related activities except those that are related to regulations compliance. Standardization is put on hold, especially if it requires investment or other resources.   &lt;/p&gt;  &lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;No infrastructure upgrades&lt;/span&gt;. We are not exactly happy about this one, but since there are more important items we can't skip, we had to significantly reduce the planned network upgrades. Some of the projects in this area are put on hold, while others are canceled.    &lt;/p&gt; &lt;/li&gt;&lt;/ul&gt; &lt;p&gt;It wasn't easy to decide what to skip and what to keep, but when times are tough, it is not possible to pretend that everything is OK and go on as planned. We hope that we are right in our choices, and time will show whether we made wise choices or not.  &lt;/p&gt;&lt;p&gt;James Ackland is the author of this article from &lt;a href="http://www.colasoft.com/?prid=01040001"&gt;www.Colasoft.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;About Colasoft Co., Ltd.&lt;br /&gt;Ever since 2001, Colasoft has been dedicated to providing all-in-one and easy-to-use protocol analyzer software for network administrators and IT managers to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Up to now, more than 5000 customers in over 70 countries trust the flagship product – &lt;a href="http://www.colasoft.com/capsa/?prid=01040001"&gt;Colasoft protocol analyzer&lt;/a&gt; as their network monitoring and troubleshooting solution. Colasoft also offers four&lt;span style="font-weight: bold;"&gt; free network utilities:&lt;/span&gt; Colasoft Packet Builder, Colasoft Packet Player, Colasoft MAC Scanner, and Colasoft Ping Tool. 
Learn more about Colasoft and its solutions, please visit &lt;a href="http://www.colasoft.com/?prid=01040001"&gt;http://www.colasoft.com/&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-1454836243863432278?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1454836243863432278/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1454836243863432278' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1454836243863432278'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1454836243863432278'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/04/5-things-our-it-department-had-to-skip.html' title='5 Things Our IT Department had to skip'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_LCrZaQE-Vo8/Se6OlfQUc2I/AAAAAAAAFBM/n7C5D39fbYw/s72-c/colasoft+network+sniffer.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-5495923354693487446</id><published>2009-04-19T23:43:00.000-07:00</published><updated>2009-04-19T23:45:11.167-07:00</updated><title type='text'>Top 5 Items Our IT Department Must Do.</title><content type='html'>Even though it is a basic economic fact 
that recessions happen once or twice in a decade, when the economy is in good shape, like it was a couple of years ago, people, including IT managers, tend to forget that the summer will be over and hard times will come soon. On the other hand, recessions might be bad, but the current one is certainly worse than many of the ones before. Actually, this is the worst recession since the Great Depression in the 1930s and even the most optimistically-minded managers have really serious reasons to fear and be cautious.&lt;br /&gt;&lt;p&gt;We can't say that the recession took us by surprise, but certainly we didn't expect it to be that fierce. However, recession or no recession, life must go on and if a company wants to make it, there are many things which can't be skipped. So, no matter that IT budgets are tight, there are items a company can't save on. &lt;strong&gt;Here are the top 5 items our IT department will not sacrifice:&lt;/strong&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/capsa/?prid=01040001"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px; height: 234px;" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/SeveQAjdrzI/AAAAAAAAFAo/jOY_xGWEat8/s320/shangwu2_372.jpg" alt="" id="BLOGGER_PHOTO_ID_5326595350903762738" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;1, &lt;strong&gt;Network security and security in general&lt;/strong&gt;. Being in the network security business ourselves, we know that network security and security in general is paramount and no matter how hard the economic situation might be, this is not an item to save on because the price is too high. Certainly, we are not buying the most expensive solutions, even though they are incredibly great, but we do not compromise on quality either.&lt;br /&gt;&lt;br /&gt;2, &lt;strong&gt;Going green. 
Going green is also an item we can't skip.&lt;/strong&gt; Green technology saves money and now this benefit is more important than ever. So, if we buy new IT stuff, we definitely go for the green items.&lt;br /&gt;&lt;br /&gt;3, &lt;strong&gt;Compliance.&lt;/strong&gt; Regulations compliance is another item we can't afford to skip, unless we really want to go out of business (and we don't). So, when there are steps in this direction to be taken, we do them – no way!&lt;br /&gt;&lt;br /&gt;4, &lt;strong&gt;Training.&lt;/strong&gt; Training is also important and even though our training budget has shrunk, we still try to keep our staff qualified.&lt;br /&gt;&lt;br /&gt;5, &lt;strong&gt;Outsourcing.&lt;/strong&gt; Outsourcing has been a successful strategy for our company at all times and now, when money issues start to surface, we are happy that outsourcing helps us cut cost with no sacrifice of quality.&lt;/p&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;Kevin Chou is Author of this article from &lt;a href="http://www.colasoft.com/?prid=01040001"&gt;www.Colasoft.com&lt;/a&gt;.&lt;br /&gt;&lt;/span&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;About Colasoft Co., Ltd.&lt;br /&gt;Ever since 2001, Colasoft has been dedicated in providing all-in-one and easy-to-use protocol analyzer software for network administrators and IT managers to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Up to now, more than 5000 customers in over 70 countries trust the flagship product – &lt;a href="http://www.colasoft.com/capsa/?prid=01040001"&gt;Colasoft &lt;/a&gt;&lt;/span&gt;&lt;a href="http://www.colasoft.com/capsa/?prid=01040001"&gt;&lt;span style="font-size:85%;"&gt;protocol analyzer&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt; as their network monitoring and troubleshooting solution. 
Colasoft also offers four free network utilities: Colasoft Packet Builder, Colasoft Packet Player, Colasoft MAC Scanner, and Colasoft Ping Tool. Learn more about Colasoft and its solutions, please visit &lt;a href="http://www.colasoft.com/?prid=01040001"&gt;http://www.colasoft.com/&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-5495923354693487446?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/5495923354693487446/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=5495923354693487446' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/5495923354693487446'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/5495923354693487446'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/04/top-5-items-our-it-department-must-do.html' title='Top 5 Items Our IT Department Must Do.'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_LCrZaQE-Vo8/SeveQAjdrzI/AAAAAAAAFAo/jOY_xGWEat8/s72-c/shangwu2_372.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-3219375909165202732</id><published>2009-04-16T20:50:00.000-07:00</published><updated>2009-04-16T20:51:37.616-07:00</updated><title type='text'>How to Protect Your Network with protocol analyzer</title><content type='html'>&lt;b&gt;A &lt;a href="http://www.colasoft.com/download/?prid=01040001"&gt;network  sniffer&lt;/a&gt; (also called a network analyzer) can help you make your network more secure by identifying what's going on in it&lt;/b&gt; &lt;p&gt;Networks are large entities, even if they don't consist of thousands of machines. Large networks are especially vulnerable because they are a fruitful ground for attacks and hacking of all kinds. Even if a system administrator is a genius, he or she can't fight network security threats with bare hands.  &lt;/p&gt; &lt;h2&gt;Why Do You Need to Protect Your Network?&lt;/h2&gt; &lt;p&gt;One of the major principles in network security is that a network is as secure as its weakest part is. In other words, it makes no sense to invest tons of money and spend many hours to secure some of the parts of a network, when there are small vulnerabilities that can be easily abused.  &lt;/p&gt; &lt;p&gt;With networks small vulnerabilities are very common and even though one can never be sure that his or her network is secure, when no efforts in that direction are made, it is as sure as hell that this network is at risk. That is why it is absolutely clear that nobody can afford to leave a network unprotected. Fortunately, there are many tools, which help to protect a network and protocol analyzers are one of them.  &lt;/p&gt; &lt;h2&gt;How a protocol analyzer Can Protect Your Network?&lt;/h2&gt; &lt;p&gt;protocol analyzers (or network analyzers, as they are also called) can be one of the best tools you can use to protect your network. 
There are many types of network threats, and no universal tool can protect your network against all of them. A packet sniffer will not safeguard your network against every kind of threat, but a protocol analyzer can help you against many threats, both internal and external.  &lt;/p&gt;&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/capsa/?prid=01040001"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 326px;" src="http://2.bp.blogspot.com/_LCrZaQE-Vo8/Sefucq7q_LI/AAAAAAAAFAY/P1nloZu6jzo/s400/colasoft-network-sniffer-ss2.gif" alt="colasoft protocol analyzer" id="BLOGGER_PHOTO_ID_5325487260717218994" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;A protocol analyzer captures all the packets that go to and from your network and shows you their contents. While a protocol analyzer cannot show the contents of encrypted traffic, with unencrypted traffic it is an indispensable tool. 
When you can see what's going on in your network, you can easily spot activities that shouldn't be taking place.&lt;/p&gt;&lt;p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/products/?prid=01040001"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 326px;" src="http://3.bp.blogspot.com/_LCrZaQE-Vo8/Seft2ybaXiI/AAAAAAAAFAQ/t-vAup0Nko4/s400/colasoft-network-sniffer-ss1.gif" alt="colasoft protocol analyzer" id="BLOGGER_PHOTO_ID_5325486609894366754" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;For instance, if somebody is downloading files with BitTorrent, or is generating any other kind of substantial traffic, a protocol analyzer, such as &lt;a href="http://www.colasoft.com/capsa/?prid=01040001"&gt;Colasoft protocol analyzer&lt;/a&gt;, will display this immediately and you will know that you should take adequate measures to stop it. In fact, a protocol analyzer lets you monitor all incoming and outgoing traffic and keep logs of it, so even if you don't react immediately when suspicious traffic occurs, all the traffic is logged and you can view it later.&lt;/p&gt; &lt;p&gt;Depending on the features of the protocol analyzer you have selected, you will have different options to protect your network. Some protocol analyzers with a rich feature set, for instance Colasoft protocol analyzer, offer a lot in terms of traffic monitoring. Generally, even protocol analyzers with fewer features let you monitor suspicious activity at least from a given host or protocol.  &lt;/p&gt; &lt;p&gt;One case where protocol analyzers don't offer much help is encrypted traffic. This is a technical limitation: even though protocol analyzers can intercept encrypted packets, they can't break the encryption and show the actual content of the packet. 
However, when you are monitoring a network and you notice that there is unauthorized encrypted traffic (for instance from a given host), this should ring a bell that something not nice is probably going on and you should take the adequate measures to investigate what exactly is happening.  &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-3219375909165202732?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/3219375909165202732/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=3219375909165202732' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3219375909165202732'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3219375909165202732'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/04/how-to-protect-your-network-with.html' title='How to Protect Your Network with protocol analyzer'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_LCrZaQE-Vo8/Sefucq7q_LI/AAAAAAAAFAY/P1nloZu6jzo/s72-c/colasoft-network-sniffer-ss2.gif' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-4948175695719997369</id><published>2009-04-16T01:36:00.000-07:00</published><updated>2009-04-16T01:41:27.983-07:00</updated><title type='text'>How-to-sniff-all-images-of-a-webpage.</title><content type='html'>In case we want to sniff all images of a webpage, here is a detailed walkthrough of how to do it with &lt;a href="http://www.colasoft.com/capsa/?prid=01040001"&gt;Colasoft Packet Sniffer&lt;/a&gt;’s "Logs" feature. I will take the CNN.com home page as an example.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Step 1. Open Log Settings&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Log Settings lets us set conditions or exceptions that determine whether a log entry is recorded in the Logs tab. If we want to display just images in the Logs tab, we must enable the HTTP Log conditions.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss1.gif"&gt;&lt;img class="size-full wp-image-52" title="How to Sniff Images Screenshot 1" src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss1.gif" alt="How to Sniff Images Screenshot 1" width="338" height="159" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Step 2. Enable Http Log Conditions&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;We must tick the box before Conditions to enable it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss2.gif"&gt;&lt;img class="size-full wp-image-57" title="How to Sniff Images Screenshot 2" src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss2.gif" alt="How to Sniff Images Screenshot 2" width="276" height="131" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Step 3. 
Input "Image" into Content Type&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;On the right-hand side, let’s input the content type in order to filter the contents.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss3.gif"&gt;&lt;img class="size-full wp-image-58" title="How to Sniff Images Screenshot 3" src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss3.gif" alt="How to Sniff Images Screenshot 3" width="291" height="188" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here is an explanation of Content Type:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss4.gif"&gt;&lt;img class="size-full wp-image-59" title="How to Sniff Images Screenshot 4" src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss4.gif" alt="How to Sniff Images Screenshot 4" width="291" height="192" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Step 4. Click "OK" to Activate the Setting&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Now that we’re done with the Log Settings, let’s see whether we can sniff all images of the CNN.com index page. First of all, let’s start capturing with Colasoft Packet Sniffer, then let’s input the URL into the address bar and start browsing.&lt;br /&gt;&lt;br /&gt;Results start showing in the Logs Tab – Http Request Option, and we can see that all results are in image formats. 
We have successfully sniffed all the images on this webpage.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss5.gif"&gt;&lt;img class="size-full wp-image-60" title="How to Sniff Images Screenshot 5" src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss5.gif" alt="How to Sniff Images Screeshot 5" width="366" height="306" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To view the image, we can click on the record, and it will be shown in a browser.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss6.gif"&gt;&lt;img src="http://blog.colasoft.com/wp-content/uploads/2009/04/sniff-images-ss6.gif" alt="How to Sniff Images Screenshot 6" title="How to Sniff Images Screenshot 6" class="size-full wp-image-62" width="292" height="144" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;!-- AddThis Button for Post BEGIN --&gt;&lt;br /&gt;&lt;div&gt;&lt;script type="text/javascript"&gt;addthis_url='&lt;data:post.url/&gt;'; addthis_title='&lt;data:post.title/&gt;'; addthis_pub='snifferclub';&lt;/script&gt;&lt;script src="http://s7.addthis.com/js/addthis_widget.php?v=12" type="text/javascript"&gt;&lt;/script&gt;&lt;/div&gt;&lt;br /&gt;&lt;!-- AddThis Button for Post END --&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-4948175695719997369?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/4948175695719997369/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=4948175695719997369' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/4948175695719997369'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/4948175695719997369'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/04/how-to-sniff-all-images-of-webpage.html' title='How-to-sniff-all-images-of-a-webpage.'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1124918955254076627</id><published>2009-04-14T02:10:00.000-07:00</published><updated>2009-04-14T02:44:08.380-07:00</updated><title type='text'>The hottest Protocol Analyzer of  IT administrators</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_b4meHPrIBnY/SeL3Bk9NbBI/AAAAAAAAAHY/LnLsPZ4jiNs/s1600-h/1.gif"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 320px; height: 210px;" src="http://4.bp.blogspot.com/_b4meHPrIBnY/SeL3Bk9NbBI/AAAAAAAAAHY/LnLsPZ4jiNs/s320/1.gif" alt="" id="BLOGGER_PHOTO_ID_5324089315977686034" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;"&gt;Overview&lt;/span&gt;&lt;br /&gt;Not so hard for a freshman.&lt;br /&gt;Auto diagnosis.&lt;br /&gt;Real time capture.&lt;br /&gt;If it's cheaper, I will definitely buy it!&lt;br /&gt;After using &lt;a href="http://www.colasoft.com/capsa/?prid=01040001"&gt;Colasoft protocol analyzer&lt;/a&gt;, I found 3 features of this product:&lt;br /&gt;&lt;br /&gt;a.supports the real-time capturing and monitoring&lt;br /&gt;b.excellent capability of protocol analyzing (approximately 300 types) and packet decoding&lt;br /&gt;c.Well, the most exciting part is the automatic expert diagnosing! 
That really saves so much money and time for me, and I do not worry about the solution of failure again!&lt;br /&gt;&lt;br /&gt;Cost and performance are at the desired level.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What It Is and What It Can Do&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Colasoft protocol analyzer is an expert protocol analyzer designed for packet decoding and network diagnosis; it monitors the network traffic transmitted over a local host and a local network, with the ability of real-time packet capture and accurate data analysis. Colasoft protocol analyzer makes your network operations completely transparent to you, letting you isolate and troubleshoot network problems quickly and efficiently. The flexible and intuitive user interface lets both IT professionals and novice users handle it skilfully in a few moments.&lt;br /&gt;&lt;br /&gt;It is easy to understand how to use this protocol analyzer with the samples provided with the tool. Sample packets helped me a lot in my first deployment by letting me avoid contacting Technical Support during my initial days of using this tool.&lt;br /&gt;&lt;br /&gt;For a Small Business Enterprise, this tool’s network diagnosis helps me to detect a slow network and upgrade the speed for better utilization.&lt;br /&gt;&lt;br /&gt;I prefer this for a Medium Business Enterprise as troubleshooting network issues is simply superb.&lt;br /&gt;&lt;br /&gt;For Medium and Large Business Enterprises, security is an issue. This protocol analyzer enhances network security by monitoring the network with logs. As every packet is recorded and analyzed, loopholes can easily be detected.&lt;br /&gt;&lt;br /&gt;For every organization, security is a major concern. By using this tool, monitoring of email contents, IMs and chats is easy. 
All information in messengers, chats and HTTP requests is logged.&lt;br /&gt;&lt;br /&gt;I can easily find where the problem is from the packet analysis, without needing the user to report his huge traffic.&lt;br /&gt;&lt;br /&gt;For an Internet Service Provider, this is a very, very useful tool. ISPs have server-down issues due to huge traffic. By diagnosing with this tool, server-down issues can be reduced.&lt;br /&gt;It can prevent hibernation while capturing and show both IP addresses and hostnames. This is a good feature in the upgraded version.&lt;br /&gt;&lt;br /&gt;Colasoft protocol analyzer supports Windows Vista 64-bit Edition. It is able to identify and analyze 300+ network protocols.&lt;br /&gt;&lt;br /&gt;By going through the site &lt;a href="http://www.colasoft.com/?prid=01040001"&gt;www.colasoft.com&lt;/a&gt;, I came to know that Colasoft protocol analyzer Professional Edition is available, and I used it for analysis. It is really good to use and operate. Everything is logged and my network usage is monitored.&lt;br /&gt;&lt;br /&gt;Videos on the website help me to understand ARP attacks and monitoring of network traffic. So I can protect my network now by identifying the deceived hosts and by identifying who is consuming maximum bandwidth in a local segment.&lt;br /&gt;&lt;br /&gt;I can monitor the traffic by protocol, IP or MAC address. There is so much flexibility in using this protocol analyzer.&lt;br /&gt;&lt;br /&gt;Internet Service Providers can use this tool for quick issue troubleshooting. It makes it easy to identify problems and minimizes the time to service the customer.&lt;br /&gt;&lt;br /&gt;The reports are displayed with graphs and tables. Viewing the connections in a matrix is wonderful and it is something special in Colasoft protocol analyzer. 
This pictorial representation is really good for sorting out an issue by detecting it easily.&lt;br /&gt;&lt;br /&gt;Colasoft protocol analyzer has tools that you would not find in other protocol analyzers, including ping and scanning of IPs and MACs across the LAN.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Summary&lt;/span&gt;&lt;br /&gt;Colasoft protocol analyzer is an easy-to-use, all-in-one tool for an IT network administrator, an IT consultant and a security manager in an IT company.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-1124918955254076627?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1124918955254076627/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1124918955254076627' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1124918955254076627'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1124918955254076627'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/04/hottest-network-tools-of-it.html' title='The hottest Protocol Analyzer of  IT 
administrators'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_b4meHPrIBnY/SeL3Bk9NbBI/AAAAAAAAAHY/LnLsPZ4jiNs/s72-c/1.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-2653256521403205173</id><published>2009-04-08T19:51:00.000-07:00</published><updated>2009-04-08T20:09:15.244-07:00</updated><title type='text'>Protocol Analyzer，Basic Tools of Network Administrators</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://yournetworksniffer.wordpress.com/files/2009/04/distribution1.jpg?w=300"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 300px; height: 224px;" src="http://yournetworksniffer.wordpress.com/files/2009/04/distribution1.jpg?w=300" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;Protocol analyzers are a valuable tool for both network administrators and hackers. There are many &lt;a title="download protocol analyzer" href="http://www.colasoft.com/download/?prid=01040001" target="_blank"&gt;protocol analyzers&lt;/a&gt; on the market and one of the most sophisticated is the protocol analyzer from &lt;a title="colasoft homepage" href="http://www.colasoft.com/?prid=01040001" target="_blank"&gt;Colasoft&lt;/a&gt;.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;strong&gt;Protocol analyzers are one of the best tools a &lt;/strong&gt;&lt;strong&gt;network administrator has at his or her disposal to analyze network traffic and to troubleshoot problems. &lt;/strong&gt;On the other hand, when a protocol analyzer is in the wrong hands – i.e. 
hackers use it – this can cause quite a lot of damage to a company or an individual, especially if the victim hasn't taken the required protective measures. You see, as with many things in life, protocol analyzers can be a great tool to maintain a network, yet they can be very destructive if misused.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Protocol analyzers are very common, so choose the best protocol analyzer for you.&lt;/strong&gt; There are many protocol analyzers on the market and they range from free, to cheap, to expensive, from very simple, to advanced, to packed with features. Each type of protocol analyzer has its purposes, and if you need a simple tool for quick results on a small network, you don't have to buy the most expensive protocol analyzers, even though they have tons of features. But in reality, if you need a protocol analyzer for professional use, low-end sniffers are not the answer and you need something more sophisticated, for example Colasoft Network Analyzer. Colasoft Network Analyzer is built around packet sniffing but includes many other useful features as well.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Like any other protocol analyzer, the protocol analyzer from Colasoft intercepts and logs traffic transmitted within a network (or a network segment).&lt;/strong&gt; A protocol analyzer can be really invisible because it monitors the network (almost) unobtrusively. Since a protocol analyzer just sniffs the packets without modifying them, it doesn't cause disturbances to alert the administrator that something is going on. Unless the administrator runs an anti-sniffer, the traffic can be eavesdropped on and nobody will know about it.&lt;br /&gt;&lt;br /&gt;Of course, a good network administrator knows how to detect a protocol analyzer, so if you plan to get Colasoft protocol analyzer and use it in a malicious way, don't expect that this will go unnoticed. 
The protocol analyzer in Colasoft Network Analyzer is not stealthy, but since Colasoft Network Analyzer is intended for network troubleshooting, not network hacking, there is no reason to worry that the protocol analyzer is not hidden. When a network administrator uses a protocol analyzer in order to legitimately monitor network traffic, he or she doesn't need cover.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;One of the most important features of a protocol analyzer is the &lt;/strong&gt;&lt;strong&gt;protocols it can sniff.&lt;/strong&gt; In this aspect &lt;a title="colasoft products" href="http://www.colasoft.com/products/?prid=01040001" target="_blank"&gt;Colasoft Network Analyzer&lt;/a&gt; is an unbeaten protocol analyzer because it can monitor over 300 protocols. Colasoft knows that when the packets of major protocols are not captured, this gives a wrong impression about the traffic in the network and that is why Colasoft Network Analyzer supports so many protocols. And no, the protocols Colasoft Network Analyzer can sniff are not exotic ones – they are protocols used frequently in networks.&lt;br /&gt;&lt;br /&gt;Additionally, new protocols keep being added to the protocol analyzer from Colasoft, so even if your network uses some really rare protocols, which are currently not supported by Colasoft Network Analyzer, they could be added in the future. 
Well, if you expect that the protocol analyzer from Colasoft will sniff encrypted traffic, this will not happen because no protocol analyzer can do it!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-2653256521403205173?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/2653256521403205173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=2653256521403205173' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/2653256521403205173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/2653256521403205173'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2009/04/protocol-analyzerbasic-tools-of-network.html' title='Protocol Analyzer，Basic Tools of Network Administrators'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-2032722294199897266</id><published>2008-12-17T22:55:00.000-08:00</published><updated>2008-12-17T23:42:00.547-08:00</updated><title type='text'>Detailed explanation about the filter settings of Colasoft Capsa</title><content type='html'>&lt;span style="color: rgb(153, 102, 51); font-weight: bold;font-family:arial;font-size:130%;"  &gt;&lt;br /&gt;&lt;br /&gt;Advantages of setting a filter before using a network packet sniffer:&lt;/span&gt;&lt;br /&gt;&lt;span 
style="color: rgb(153, 102, 51);font-family:arial;" &gt;First of all, we should decide what kind of data we need before we start capturing, so that we can set the filter to capture just the specific packets in a short time; without this step, all packets will be captured.&lt;/span&gt;  &lt;span style="color: rgb(153, 102, 51); font-weight: bold;font-family:arial;font-size:130%;"  &gt;&lt;br /&gt;&lt;br /&gt;About the filter settings in detail:&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;Taking Colasoft Capsa as an example, I’ll show you the process of setting a filter. &lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;1. On the toolbar in the main software interface, open “Project Settings” by clicking “Filter”:&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_EgZLzYR19cE/SUn7PwDdXEI/AAAAAAAAAGw/nqP1Fp7cX4Q/s1600-h/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa.jpg"&gt;&lt;img style="cursor: pointer; width: 400px; height: 321px;" src="http://4.bp.blogspot.com/_EgZLzYR19cE/SUn7PwDdXEI/AAAAAAAAAGw/nqP1Fp7cX4Q/s400/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa.jpg" alt="" id="BLOGGER_PHOTO_ID_5281028286084635714" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;2. The default setting on this page is “No filter, accept all packets.” We have to choose “Add” to add a new filter. There are two options under “Add” – “New…” &amp;amp; “From Filter Table…”. “New…” adds a new filter; “From Filter Table” adds a condition from the default filter list in the system. 
As shown in the following figure:&lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt; &lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_EgZLzYR19cE/SUn8M3bPUYI/AAAAAAAAAG4/dAFnOcZ16-s/s1600-h/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa1.jpg"&gt;&lt;img style="cursor: pointer; width: 400px; height: 328px;" src="http://2.bp.blogspot.com/_EgZLzYR19cE/SUn8M3bPUYI/AAAAAAAAAG4/dAFnOcZ16-s/s400/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa1.jpg" alt="" id="BLOGGER_PHOTO_ID_5281029336035447170" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;3. This is a default protocol filter list in the system. We can add the protocol or protocol assemble that we need here to capture the related packets. If we choose “Add”→ “New…”, it is shown as the following figure:&lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt; &lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_EgZLzYR19cE/SUn8Ur6cjrI/AAAAAAAAAHA/U2M1NclLcc4/s1600-h/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa2.jpg"&gt;&lt;img style="cursor: pointer; width: 400px; height: 378px;" src="http://2.bp.blogspot.com/_EgZLzYR19cE/SUn8Ur6cjrI/AAAAAAAAAHA/U2M1NclLcc4/s400/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa2.jpg" alt="" id="BLOGGER_PHOTO_ID_5281029470384066226" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;4. Add new filter is divided into 2 ways: “Simple Filter” &amp;amp; “Advanced Filter”. 
In the upper figure we can see that there are 3 filter ways in the simple filter: Address Filter, Port Filter, Protocol Filter: (they are relatively simple)&lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt; &lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_EgZLzYR19cE/SUn8fbhZidI/AAAAAAAAAHI/sQcZJWIKetg/s1600-h/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa3.jpg"&gt;&lt;img style="cursor: pointer; width: 332px; height: 358px;" src="http://2.bp.blogspot.com/_EgZLzYR19cE/SUn8fbhZidI/AAAAAAAAAHI/sQcZJWIKetg/s400/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa3.jpg" alt="" id="BLOGGER_PHOTO_ID_5281029654962604498" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;5. What we should focus on is the “Advanced Filter”. 
Click “Advanced Filter” and it shows:&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_EgZLzYR19cE/SUn82eopchI/AAAAAAAAAHQ/BFERTIiQ0Ng/s1600-h/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa4.jpg"&gt;&lt;img style="cursor: pointer; width: 398px; height: 370px;" src="http://2.bp.blogspot.com/_EgZLzYR19cE/SUn82eopchI/AAAAAAAAAHQ/BFERTIiQ0Ng/s400/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa4.jpg" alt="" id="BLOGGER_PHOTO_ID_5281030050935304722" border="0" /&gt;&lt;/a&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;&lt;br /&gt;Advanced Filter supplies 3 logical relationships, “And”, “Or” and “Not”, to combine the added conditions. In the drop-down menu, “And” &amp;amp; “Or” supply 6 filter conditions:&lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt; &lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_EgZLzYR19cE/SUn88KwrHKI/AAAAAAAAAHY/Z_zizu2srGg/s1600-h/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa5.jpg"&gt;&lt;img style="cursor: pointer; width: 257px; height: 162px;" src="http://3.bp.blogspot.com/_EgZLzYR19cE/SUn88KwrHKI/AAAAAAAAAHY/Z_zizu2srGg/s400/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa5.jpg" alt="" id="BLOGGER_PHOTO_ID_5281030148679474338" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;e.g. 
If we want to set a filter that captures all the hosts that are using MSN Messenger and Yahoo Messenger in a network (192.168.1.10-192.168.1.16), we can set the filter as follows:&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_EgZLzYR19cE/SUn9BXBbt8I/AAAAAAAAAHg/PJ6A9KQwicw/s1600-h/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa6.jpg"&gt;&lt;img style="cursor: pointer; width: 397px; height: 345px;" src="http://4.bp.blogspot.com/_EgZLzYR19cE/SUn9BXBbt8I/AAAAAAAAAHg/PJ6A9KQwicw/s400/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa6.jpg" alt="" id="BLOGGER_PHOTO_ID_5281030237870340034" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;e.g. If you want to filter on packet value, packet size, or packet pattern, you can set the filter according to the packet decoding. For example, if we want to capture all the TCP synchronous connection (SYN) packets, we can set the filter as follows:&lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt; &lt;/span&gt;  &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_EgZLzYR19cE/SUn9tf5zWEI/AAAAAAAAAHo/vx6UORTKS9A/s1600-h/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa7.jpg"&gt;&lt;img style="cursor: pointer; width: 332px; height: 308px;" src="http://4.bp.blogspot.com/_EgZLzYR19cE/SUn9tf5zWEI/AAAAAAAAAHo/vx6UORTKS9A/s400/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa7.jpg" alt="" id="BLOGGER_PHOTO_ID_5281030996168497218" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;From the TCP decoding we know that the flags field is 1 byte long, its offset in the packet is 47, the mask is 0x02 and the binary value is 10, so with the filter set above we can capture all the synchronous packets in the network. Offset 47 is the 14-byte Ethernet II header plus a 20-byte IPv4 header without options plus 13 bytes into the TCP header, so it holds only for untagged frames whose IP header carries no options, and because the mask tests only the SYN bit, SYN/ACK replies match as well.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 102, 51); font-weight: bold;font-family:arial;font-size:130%;"  &gt;&lt;br /&gt;Conclusion:&lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;In short, the filter settings are flexible. With the right filter we can capture specific packets in a short time and carry out targeted analysis.&lt;/span&gt;  &lt;span style="color: rgb(153, 102, 51); font-weight: bold;font-family:arial;font-size:130%;"  &gt;&lt;br /&gt;&lt;br /&gt;About Capsa&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;Capsa is packet sniffer software designed for network monitoring and troubleshooting purposes. It performs real-time packet capturing, 24/7 network monitoring, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. By giving users insights into all of the network's operations, Capsa makes it easy to isolate and solve network problems, identify network bottlenecks and bandwidth use, and detect network vulnerabilities, external attacks and insecure applications.&lt;/span&gt;  &lt;span style="color: rgb(153, 102, 51); font-weight: bold;font-family:arial;font-size:130%;"  &gt;&lt;br /&gt;&lt;br /&gt;About Colasoft&lt;/span&gt; &lt;span style="color: rgb(153, 102, 51);font-family:arial;" &gt;&lt;br /&gt;Ever since 2001, Colasoft has been dedicated to providing all-in-one and easy-to-use network analysis software for customers to monitor, analyze, and troubleshoot their network. Up to now, more than 4000 customers in over 70 countries trust the flagship product – Capsa as their network monitoring and troubleshooting solution. The company also offers four free network utilities: Colasoft Packet Builder, Colasoft Packet Player, Colasoft MAC Scanner, and Colasoft Ping Tool. 
Learn more today at &lt;a href="http://www.colasoft.com/"&gt;http://www.colasoft.com&lt;/a&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/2032722294199897266/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=2032722294199897266' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/2032722294199897266'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/2032722294199897266'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/12/detailed-explanation-about-filter.html' title='Detailed explanation about the filter settings of Colasoft Capsa'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_EgZLzYR19cE/SUn7PwDdXEI/AAAAAAAAAGw/nqP1Fp7cX4Q/s72-c/Detailed+explanation+about+the+filter+settings+of+Colasoft+Capsa.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-2226368289853075021</id><published>2008-11-23T21:09:00.000-08:00</published><updated>2008-11-23T23:22:54.865-08:00</updated><title type='text'>Find Out The Host Causing Network Congestion In Local Subnet.</title><content type='html'>&lt;span 
style="font-weight: bold; font-style: italic; color: rgb(51, 102, 255);font-family:arial;" &gt;&lt;br /&gt;About Network Congestion&lt;/span&gt; &lt;span style="font-family:arial;"&gt;&lt;br /&gt;In data networking and queuing theory, network congestion occurs when a link or node is carrying so much data that its quality of service deteriorates. The majority of network congestion happens in the local subnet, when an unidentified IP causes a huge burst of instantaneous traffic.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(51, 102, 255);font-family:arial;" &gt;Symptom &amp;amp; Influence&lt;/span&gt; &lt;span style="font-family:arial;"&gt;&lt;br /&gt;Typical effects include queuing delay, packet loss or the blocking of new connections. A consequence of these latter two is that incremental increases in offered load lead either only to a small increase in network throughput, or to an actual reduction in network throughput.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Network protocols which use aggressive retransmissions to compensate for packet loss tend to keep systems in a state of network congestion even after the initial load has been reduced to a level which would not normally have induced network congestion. Thus, networks using these protocols can exhibit two stable states under the same level of load. The stable state with low throughput is known as congestive collapse.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(51, 102, 255);font-family:arial;" &gt;Solution&lt;/span&gt; &lt;span style="font-family:arial;"&gt;&lt;br /&gt;Modern networks use congestion control and network congestion avoidance techniques to try to avoid congestion collapse. 
These include: exponential backoff in protocols such as 802.11's CSMA/CA and the original Ethernet, window reduction in TCP, and fair queuing in devices such as routers.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The most common sign of network congestion is abnormal traffic, which can have many causes, such as BT download, P2P transmission, HTTP illegal access etc. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;How do we detect the host causing the abnormal traffic?&lt;/span&gt; &lt;span style="font-family:arial;"&gt;The first step is to find the host (IP address) which caused the largest traffic in the network.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;ul style="font-weight: bold;"&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;With Colasoft Capsa, we can quickly detect the IP/MAC address of the host(s) that consume the most traffic in the local subnet.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_EgZLzYR19cE/SSo5xMByv4I/AAAAAAAAAFQ/u8HIlf-i5IU/s1600-h/Untitled-1.gif"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 400px; height: 169px;" src="http://3.bp.blogspot.com/_EgZLzYR19cE/SSo5xMByv4I/AAAAAAAAAFQ/u8HIlf-i5IU/s400/Untitled-1.gif" alt="" id="BLOGGER_PHOTO_ID_5272089830995705730" border="0" /&gt;&lt;/a&gt;&lt;span style="font-family:arial;"&gt;1.    Choose “Local Subnets” under “IP Explorer” in Node Browser;&lt;/span&gt; &lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;br /&gt;2.    Choose “Endpoints” on the right navigation bar.&lt;/span&gt; &lt;span style="font-family:arial;"&gt; &lt;/span&gt;  &lt;span style="font-family:arial;"&gt;The list is automatically sorted from the largest to the smallest total traffic each IP consumed. 
The IP that consumed the most traffic appears at the top of the Endpoints view, where it is easy to spot.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul style="font-weight: bold;"&gt;&lt;li&gt;&lt;span style="font-family:arial;"&gt;How to locate the MAC address via the IP address?&lt;/span&gt; &lt;/li&gt;&lt;/ul&gt;&lt;span style="font-family:arial;"&gt;1.    Right-click on the IP, and choose “Locate Explorer Node” in the drop-down menu;&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_EgZLzYR19cE/SSo6VzWdGGI/AAAAAAAAAFg/vPY8VYW2hJE/s1600-h/Untitled-2.gif"&gt;&lt;img style="cursor: pointer; width: 400px; height: 169px;" src="http://1.bp.blogspot.com/_EgZLzYR19cE/SSo6VzWdGGI/AAAAAAAAAFg/vPY8VYW2hJE/s400/Untitled-2.gif" alt="" id="BLOGGER_PHOTO_ID_5272090460026640482" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;2.    Right-click on the navigation bar, and choose “Source Physical” in the drop-down menu. Then you’ll see the MAC address.&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_EgZLzYR19cE/SSo6bbfxOxI/AAAAAAAAAFo/K6rqrBT9r1A/s1600-h/Untitled-3.gif"&gt;&lt;img style="cursor: pointer; width: 400px; height: 202px;" src="http://3.bp.blogspot.com/_EgZLzYR19cE/SSo6bbfxOxI/AAAAAAAAAFo/K6rqrBT9r1A/s400/Untitled-3.gif" alt="" id="BLOGGER_PHOTO_ID_5272090556702472978" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt; &lt;/span&gt;  &lt;span style="font-family:arial;"&gt;Capsa can also help us find more network problems based on the traffic, such as bandwidth utilization, network rate, abnormal traffic etc. 
For more solutions to network problems, please go to &lt;a href="http://www.colasoft.com/capsa/network_solution.php"&gt;http://www.colasoft.com/capsa/network_solution.php&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(51, 102, 255);font-family:arial;" &gt;Conclusion&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Network congestion is very common, especially in the local subnet, and it greatly affects our normal work. What we can do is find the suspect hosts quickly once congestion happens, locate their IP/MAC addresses, and then apply the best solution. Colasoft Capsa is a good choice in this respect, and of course we need such a powerful network analyzer to monitor our network.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/2226368289853075021/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=2226368289853075021' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/2226368289853075021'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/2226368289853075021'/><link rel='alternate' type='text/html' 
href='http://sniffer4networknpacket.blogspot.com/2008/11/find-out-host-causing-network.html' title='Find Out The Host Causing Network Congestion In Local Subnet.'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_EgZLzYR19cE/SSo5xMByv4I/AAAAAAAAAFQ/u8HIlf-i5IU/s72-c/Untitled-1.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1145499479868936081</id><published>2008-11-10T19:19:00.000-08:00</published><updated>2008-11-12T17:17:53.584-08:00</updated><title type='text'>A freeware PC optimization tool --- CCleaner</title><content type='html'>&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;div style="float: right;" align="center"&gt;&lt;br /&gt;&lt;a&gt;&lt;img style="margin: 20pt 0pt 10px 10px; cursor: pointer; width: 347px; height: 223px;" src="http://3.bp.blogspot.com/_EgZLzYR19cE/SRo02_ejxbI/AAAAAAAAAD4/LMD3umOJt-o/s400/screen_301.gif" alt="" id="BLOGGER_PHOTO_ID_5267580833520403890" border="0" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;a style="font-weight: bold;" href="http://etherlook.com/CCleaner/ccsetup213.exe"&gt;Download CCleaner now... 
&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;style&gt; &lt;!--  /* Font Definitions */  @font-face  {font-family:Arial;  panose-1:2 1 6 0 3 1 1 1 1 1;  mso-font-alt:SimSun;  mso-font-charset:134;  mso-generic-font-family:auto;  mso-font-pitch:variable;  mso-font-signature:3 135135232 16 0 262145 0;} @font-face  {font-family:"Cambria Math";  panose-1:2 4 5 3 5 4 6 3 2 4;  mso-font-charset:0;  mso-generic-font-family:roman;  mso-font-pitch:variable;  mso-font-signature:-1610611985 1107304683 0 0 159 0;} @font-face  {font-family:Calibri;  panose-1:2 15 5 2 2 2 4 3 2 4;  mso-font-charset:0;  mso-generic-font-family:swiss;  mso-font-pitch:variable;  mso-font-signature:-1610611985 1073750139 0 0 159 0;} @font-face  {font-family:"\@Arial";  panose-1:2 1 6 0 3 1 1 1 1 1;  mso-font-charset:134;  mso-generic-font-family:auto;  mso-font-pitch:variable;  mso-font-signature:3 135135232 16 0 262145 0;}  /* Style Definitions */  p.MsoNormal, li.MsoNormal, div.MsoNormal  {mso-style-unhide:no;  mso-style-qformat:yes;  mso-style-parent:"";  margin:0cm;  margin-bottom:.0001pt;  text-align:justify;  text-justify:inter-ideograph;  mso-pagination:none;  font-size:10.5pt;  mso-bidi-font-size:11.0pt;  
font-family:"Calibri","sans-serif";  mso-ascii-font-family:Calibri;  mso-ascii-theme-font:minor-latin;  mso-fareast-font-family:宋体;  mso-fareast-theme-font:minor-fareast;  mso-hansi-font-family:Calibri;  mso-hansi-theme-font:minor-latin;  mso-bidi-font-family:"Times New Roman";  mso-bidi-theme-font:minor-bidi;  mso-font-kerning:1.0pt;} .MsoChpDefault  {mso-style-type:export-only;  mso-default-props:yes;  mso-bidi-font-family:"Times New Roman";  mso-bidi-theme-font:minor-bidi;}  /* Page Definitions */  @page  {mso-page-border-surround-header:no;  mso-page-border-surround-footer:no;} @page Section1  {size:612.0pt 792.0pt;  margin:72.0pt 90.0pt 72.0pt 90.0pt;  mso-header-margin:36.0pt;  mso-footer-margin:36.0pt;  mso-paper-source:0;} div.Section1  {page:Section1;} --&gt; &lt;/style&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable  {mso-style-name:普通表格;  mso-tstyle-rowband-size:0;  mso-tstyle-colband-size:0;  mso-style-noshow:yes;  mso-style-priority:99;  mso-style-qformat:yes;  mso-style-parent:"";  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;  mso-para-margin:0cm;  mso-para-margin-bottom:.0001pt;  mso-pagination:widow-orphan;  font-size:10.5pt;  mso-bidi-font-size:11.0pt;  font-family:"Calibri","sans-serif";  mso-ascii-font-family:Calibri;  mso-ascii-theme-font:minor-latin;  mso-hansi-font-family:Calibri;  mso-hansi-theme-font:minor-latin;  mso-font-kerning:1.0pt;} &lt;/style&gt; &lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;o:shapedefaults ext="edit" spidmax="1027"&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;o:shapelayout ext="edit"&gt;   &lt;o:idmap ext="edit" data="1"&gt;  &lt;/o:shapelayout&gt;&lt;/xml&gt;&lt;![endif]--&gt;&lt;span style="font-size:100%;"&gt;&lt;b&gt;&lt;span style="color: rgb(192, 0, 0);" lang="EN-US"&gt; &lt;span style="font-family:arial;"&gt;CCleaner v2.13 &lt;/span&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;!--[if gte vml 1]&gt;&lt;v:shapetype id="_x0000_t75" 
coordsize="21600,21600" spt="75" preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f"&gt;  &lt;v:stroke joinstyle="miter"&gt;  &lt;v:formulas&gt;   &lt;v:f eqn="if lineDrawn pixelLineWidth 0"&gt;   &lt;v:f eqn="sum @0 1 0"&gt;   &lt;v:f eqn="sum 0 0 @1"&gt;   &lt;v:f eqn="prod @2 1 2"&gt;   &lt;v:f eqn="prod @3 21600 pixelWidth"&gt;   &lt;v:f eqn="prod @3 21600 pixelHeight"&gt;   &lt;v:f eqn="sum @0 0 1"&gt;   &lt;v:f eqn="prod @6 1 2"&gt;   &lt;v:f eqn="prod @7 21600 pixelWidth"&gt;   &lt;v:f eqn="sum @8 21600 0"&gt;   &lt;v:f eqn="prod @7 21600 pixelHeight"&gt;   &lt;v:f eqn="sum @10 21600 0"&gt;  &lt;/v:formulas&gt;  &lt;v:path extrusionok="f" gradientshapeok="t" connecttype="rect"&gt;  &lt;o:lock ext="edit" aspectratio="t"&gt; &lt;/v:shapetype&gt;&lt;v:shape id="图片_x0020_7" spid="_x0000_s1026" type="#_x0000_t75" alt="New" style="'width:21pt;height:8.25pt;rotation:-1370222fd;visibility:visible;"&gt;  &lt;v:imagedata src="file:///E:\TEMPFI~1\msohtmlclip1\01\clip_image001.gif" title="New"&gt;  &lt;w:wrap type="none"&gt;  &lt;w:anchorlock/&gt; &lt;/v:shape&gt;&lt;![endif]--&gt;&lt;!--[if !vml]--&gt;&lt;!--[endif]--&gt;&lt;br /&gt;&lt;p class="MsoNormal"  style="text-align: left;font-family:arial;" align="left"&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;span style="color: rgb(148, 54, 52);"&gt;- Added support for Firefox 3.1.&lt;br /&gt;- Added right-click cleaning and analysis for individual items in the tree.&lt;br /&gt;- Added icons to tree parent items.&lt;br /&gt;- Added cleaning for Windows Error Reporting files.&lt;br /&gt;- Added Include/Exclude list editing.&lt;br /&gt;- Improved TypeLib registry cleaning.&lt;br /&gt;- Fixed Index.dat bug that could cause a crash.&lt;br /&gt;- Fixed bug with INI warning messages.&lt;br /&gt;- Internal architecture improvements.
&lt;br /&gt;- Fixed minor GUI errors.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"  style="text-align: left;font-family:arial;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"  style="text-align: left;font-family:arial;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span  lang="EN-US" style="color:green;"&gt;Over 200 million downloads!!!&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt; &lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;br /&gt;&lt;span style="color: rgb(0, 102, 0);"&gt;CCleaner is a &lt;/span&gt;&lt;b style="color: rgb(0, 102, 0);"&gt;freeware&lt;/b&gt;&lt;span style="color: rgb(0, 102, 0);"&gt; system optimization, privacy and cleaning tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner. But the best part is that it's fast (normally taking less than a second to run) and contains NO Spyware or Adware!
:)&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"  style="text-align: left; color: rgb(51, 51, 153); font-family: arial;font-family:arial;" align="left"&gt;&lt;span style="font-weight: bold;font-size:85%;"  lang="EN-US"&gt;Cleans the following&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span style="" lang="EN-US"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;  &lt;table class="MsoNormalTable" style="" border="0" cellpadding="0" cellspacing="0"&gt;  &lt;tbody&gt;&lt;tr style=""&gt;   &lt;td style="padding: 0cm;" valign="top"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0cm; color: rgb(51, 51, 153);"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span style="" lang="EN-US"&gt;-Internet Explorer&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;__Temporary files, URL history, cookies, Autocomplete form history, index.dat. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;
  &lt;tr style=""&gt;   &lt;td style="padding: 0cm;" valign="top"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0cm; color: rgb(51, 51, 153);"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span style="" lang="EN-US"&gt;-Firefox&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;__Temporary files, URL history, cookies, download history. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  &lt;/p&gt;&lt;p class="MsoNormal"  style="text-align: left; color: rgb(51, 51, 153); font-family: arial;font-family:arial;" align="left"&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;
  &lt;table class="MsoNormalTable" style="font-family: arial; color: rgb(51, 51, 153);" border="0" cellpadding="0" cellspacing="0"&gt;  &lt;tbody&gt;&lt;tr style=""&gt;   &lt;td style="padding: 0cm;" valign="top"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0cm;"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span style="" lang="EN-US"&gt;-Opera&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;__Temporary files, URL history, cookies. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;
  &lt;tr style=""&gt;   &lt;td style="padding: 0cm;" valign="top"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0cm;"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span style="" lang="EN-US"&gt;-Windows&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;__Recycle Bin, Recent Documents, Temporary files and Log files. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  &lt;p class="MsoNormal" style="text-align: left; color: rgb(51, 51, 153); font-family: arial;" align="left"&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;
  &lt;table class="MsoNormalTable" style="font-family: arial; color: rgb(51, 51, 153);" border="0" cellpadding="0" cellspacing="0"&gt;  &lt;tbody&gt;&lt;tr style=""&gt;   &lt;td style="padding: 0cm;" valign="top"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0cm;"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span style="" lang="EN-US"&gt;-Registry cleaner&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;br /&gt;Advanced features to remove unused and old entries, including File Extensions, ActiveX Controls, ClassIDs, ProgIDs, Uninstallers, Shared DLLs, Fonts, Help Files, Application Paths, Icons, Invalid Shortcuts and more... also comes with a comprehensive backup feature. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt;
  &lt;tr style=""&gt;   &lt;td style="padding: 0cm;" valign="top"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0cm;"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span style="" lang="EN-US"&gt;-Third-party applications&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;br /&gt;Removes temp files and recent file lists (MRUs) from many apps including Media Player, eMule, Kazaa, Google Toolbar, Netscape, MS Office, Nero, Adobe Acrobat, WinRAR, WinAce, WinZip and many more... &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  &lt;p class="MsoNormal" face="arial" style="text-align: left; color: rgb(51, 51, 153); font-family: arial;" align="left"&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt; &lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;
  &lt;table class="MsoNormalTable" style="font-family: arial; color: rgb(51, 51, 153);" border="0" cellpadding="0" cellspacing="0"&gt;  &lt;tbody&gt;&lt;tr style=""&gt;   &lt;td style="padding: 0cm;" valign="top"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;   &lt;td style="padding: 0cm;"&gt;   &lt;p class="MsoNormal" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;b&gt;&lt;span style="" lang="EN-US"&gt;-100% Spyware FREE&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;__This software does NOT contain any Spyware, Adware or Viruses. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;   &lt;/td&gt;  &lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt;  &lt;span style=";font-family:&amp;quot;;font-size:85%;"   lang="EN-US"&gt;&lt;br /&gt;&lt;/span&gt;&lt;p class="MsoNormal" face="arial" style="text-align: left;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal" style="text-align: left; font-family: arial;" align="left"&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span  lang="EN-US" style="font-size:85%;"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;b  style="font-family:arial;"&gt;&lt;span style="" lang="EN-US"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/b&gt;&lt;/span&gt;&lt;p style="font-family: arial;"&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-1145499479868936081?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1145499479868936081/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1145499479868936081' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1145499479868936081'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1145499479868936081'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/11/freeware-pc-optimization-tool-ccleaner.html' title='A freeware PC optimization tool --- 
CCleaner'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_EgZLzYR19cE/SRo02_ejxbI/AAAAAAAAAD4/LMD3umOJt-o/s72-c/screen_301.gif' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1917747328879470215</id><published>2008-11-05T17:41:00.000-08:00</published><updated>2008-11-11T23:50:05.023-08:00</updated><title type='text'>Analyze Network Utilization Rate</title><content type='html'>&lt;strong&gt;&lt;span style="color: rgb(102, 102, 102);"&gt;&lt;span style="font-family:arial;"&gt;Summary&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;span style="font-family:arial;"&gt;Network utilization is the ratio of current network traffic to the maximum traffic that the port can handle. Through monitoring network utilization, we can understand whether the network is busy, normal or idle. Capsa makes it easy to monitor network utilization, so that we can find bottlenecks and improve network performance.&lt;/span&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="color: rgb(102, 102, 102);"&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="color: rgb(102, 102, 102);"&gt;&lt;span style="font-family:arial;"&gt;What is Network Utilization?&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;span style="font-family:arial;"&gt;Network utilization is the ratio of current network traffic to the maximum traffic that the port can handle. It indicates the bandwidth use in the network. While high network utilization indicates the network is busy, low network utilization indicates the network is idle. 
When network utilization exceeds its threshold for normal conditions, it causes low transmission speed, intermittent connectivity, request delays and so on. &lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;Networks of different types or topologies have different theoretical peak values under general conditions. However, this doesn't mean that higher network utilization is always better. We must make sure there is no packet loss when network utilization reaches a certain value. For switched Ethernet, 50% network utilization can be considered highly efficient. If a hub is used as the core switching device in the network, network utilization should be kept lower because of the increased collisions. &lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt;Through monitoring network utilization, we can understand whether the network is idle, normal or busy. It also helps us to set proper benchmarks and troubleshoot network failures.&lt;/span&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="color: rgb(102, 102, 102);"&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;span style="color: rgb(102, 102, 102);"&gt;&lt;span style="font-family:arial;"&gt;Monitor Network Utilization in "Summary" Tab&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/strong&gt;&lt;span style="font-family:arial;"&gt;"Summary" is a view that provides general information of the entire network. 
In "Summary" we can get a quick view of the real-time network utilization and average network utilization.&lt;br /&gt;&lt;/span&gt;&lt;img style="cursor: pointer; width: 540px; height: 380px;" src="http://1.bp.blogspot.com/_EgZLzYR19cE/SRJNbnlS6AI/AAAAAAAAADo/rAGKrDNEtQY/s400/monitor_network_utilization.gif" alt="" id="BLOGGER_PHOTO_ID_5265356051226748930" border="0" /&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-family:arial;"&gt;&lt;strong&gt;&lt;span style="color: rgb(102, 102, 102);"&gt;Monitor Network Utilization in "Graphs" Tab&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;If we want to get a trend chart of the network utilization, then we need to use the "Graphs" tab. The "Graphs" view allows us to view network utilization dynamically in different chart types.&lt;br /&gt;&lt;/span&gt;&lt;img style="cursor: pointer; width: 540px; height: 380px;" src="http://4.bp.blogspot.com/_EgZLzYR19cE/SRJOWMCHQLI/AAAAAAAAADw/HXDRoGJ00c0/s400/monitor_network_utilization2.gif" alt="" id="BLOGGER_PHOTO_ID_5265357057443709106" border="0" /&gt;&lt;span style="font-family:arial;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="color: rgb(102, 102, 102);"&gt;Conclusion&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;By monitoring and analyzing network utilization with Capsa we can understand the performance of the entire network. 
Network utilization also plays an important role in benchmark setting and network troubleshooting.&lt;a href="http://www.blogger.com/download/products/capsa.php"&gt;(Download Capsa now)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-1917747328879470215?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1917747328879470215/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1917747328879470215' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1917747328879470215'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1917747328879470215'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/11/analyze-network-utilization-rate.html' title='Analyze Network Utilization Rate'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_EgZLzYR19cE/SRJNbnlS6AI/AAAAAAAAADo/rAGKrDNEtQY/s72-c/monitor_network_utilization.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-5270331950663178255</id><published>2008-11-03T21:49:00.000-08:00</published><updated>2008-11-03T23:27:39.768-08:00</updated><title type='text'>What is a Packet 
Sniffer?</title><content type='html'>&lt;b&gt;&lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;/b&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/download/monitor_network_traffic_monitor.php"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 330px; height: 227px;" src="http://4.bp.blogspot.com/_EgZLzYR19cE/SQ_m7F0OtWI/AAAAAAAAADg/55ZvmHQL2KA/s400/Untitled-1.gif" alt="" id="BLOGGER_PHOTO_ID_5264680392267314530" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;A &lt;a style="font-weight: bold;" href="http://www.colasoft.com/capsa/index.php?click=text"&gt;packet sniffer&lt;/a&gt; is a device or program that allows eavesdropping on traffic traveling between networked computers. The packet sniffer will capture data that is addressed to other machines, saving it for later analysis.&lt;br /&gt;&lt;br /&gt;All information that travels across a network is sent in "packets." For example, when an email is sent from one computer to another, it is first broken up into smaller segments. Each segment has the destination address attached, the source address, and other information such as the number of packets and reassembly order. Once they arrive at the destination, the packet's headers and footers are stripped away, and the packets reconstituted.&lt;br /&gt;&lt;br /&gt;In the example of the simplest network where computers share an Ethernet wire, all packets that travel between the various computers are "seen" by every computer on the network. A hub broadcasts every packet to every machine or node on the network, then a filter in each computer discards packets not addressed to it. A packet sniffer disables this filter to capture and analyze some or all packets traveling through the ethernet wire, depending on the sniffer's configuration. This is referred to as "promiscuous mode." Hence, if Ms. Wise on Computer A sends an email to Mr. 
Geek on Computer B, a packet sniffer set up on Computer D could passively capture their communication packets without either Ms. Wise or Mr. Geek knowing. This type of packet sniffer is very hard to detect because it generates no traffic of its own.&lt;br /&gt;&lt;br /&gt;A slightly safer environment is a switched Ethernet network. Rather than a central hub that broadcasts all traffic on the network to all machines, the switch acts like a central switchboard. It receives packets directly from the originating computer, and sends them directly to the machine to which they are addressed. In this scenario, if Computer A sends an email to Computer B, and Computer D is in promiscuous mode, it still won't see the packets. Therefore, some people mistakenly assume a packet sniffer cannot be used on a switched network.&lt;br /&gt;&lt;br /&gt;But there are ways to hack the switch protocol. A procedure called ARP poisoning basically fools the switch into substituting the machine with the packet sniffer for the destination machine. After capturing the data, the packets can be sent to the real destination. The other technique is to flood the switch with MAC (network) addresses so that the switch defaults into "failopen" mode. In this mode it starts behaving like a hub, transmitting all packets to all machines to make sure traffic gets through. Both ARP poisoning and MAC flooding generate traffic signatures that can be detected by packet sniffer detection programs.&lt;br /&gt;&lt;br /&gt;A packet sniffer can also be used on the Internet to capture data traveling between computers. Internet packets often have very long distances to travel, passing through several routers that act like intermediate post offices. A packet sniffer might be installed at any point along the way. It could also be clandestinely installed on a server that acts as a gateway or collects vital personal information.&lt;br /&gt;&lt;br /&gt;A packet sniffer is not just a hacker's tool. 
It can be used for network troubleshooting and other useful purposes. However, in the wrong hands, a packet sniffer can capture sensitive personal information that can lead to invasion of privacy, identity theft, and other serious eventualities.&lt;br /&gt;&lt;br /&gt;The best defense against a packet sniffer is a good offense: encryption. When strong encryption is used, all packets are unreadable to any but the destination address, making packet sniffers useless. They can still capture packets, but the contents will be undecipherable. This illustrates why it is so important to use secure sites to send and receive personal information, such as name, address, passwords, and certainly any credit card information or other sensitive data. A website that uses encryption starts with https. Email can be made secure by encrypting with a program like PGP (Pretty Good Privacy), which comes with seamless plug-ins for all major email programs.&lt;br /&gt;&lt;p&gt;&lt;span style=";font-family:&amp;quot;;"  lang="EN-US"&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt;&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-5270331950663178255?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/5270331950663178255/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=5270331950663178255' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/5270331950663178255'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/5270331950663178255'/><link rel='alternate' 
type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/11/what-is-packet-sniffer.html' title='What is a Packet Sniffer?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_EgZLzYR19cE/SQ_m7F0OtWI/AAAAAAAAADg/55ZvmHQL2KA/s72-c/Untitled-1.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-8068147966621896152</id><published>2008-10-29T18:56:00.000-07:00</published><updated>2008-10-29T19:24:10.916-07:00</updated><title type='text'>Using a packet sniffer for network packet analysis</title><content type='html'>&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt; &lt;/span&gt;&lt;span style="color: rgb(153, 153, 153); font-style: italic;font-family:arial;" &gt;&lt;/span&gt;&lt;span style="font-family:arial;"&gt; &lt;/span&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;A packet sniffer may seem like a humble addition to a network professional's toolkit, but when used correctly, packet sniffers (also known as protocol analyzers) can hone in on any number of network problems. 
"Practical Packet Analysis: Using Wireshark to solve real-world network problems" author Chris Sanders uses protocol analyzer Wireshark for packet analysis almost daily for his network administration job, where he manages nearly 5,000 users (plus 20 servers and more than 1,800 workstations).&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt; &lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(102, 102, 102);font-family:arial;" &gt;To learn from Sanders' experiences and to help you troubleshoot your network, SearchNetworking.com interviewed Sanders by email. Here, Sanders explains how packet sniffers sniff and analyze network traffic. &lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153); font-style: italic;font-family:arial;" &gt;_____________________________&lt;br /&gt;By Tessa Parmenter&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(153, 153, 153); font-style: italic;font-family:arial;" &gt;29 Oct 2007 | SearchNetworking.com &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:arial;" &gt;What are the main things a sniffer can detect on a network?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;I think that network admins, much of the time, are only as good as the collection of tools they have at their disposal. A packet sniffer is just that, a tool. With computer networks, we often have to rely for our troubleshooting on what interfaces tell us is happening. A packet sniffer is a tool that allows you to get past all of the fancy interfaces and misleading error messages to see what exactly is going on at the lowest levels of network communication. Packet sniffers can show you all sorts of things going on behind the scenes, including unknown communication between network devices, actual detailed error codes provided by layer-specific protocols, and even poorly designed programs going crazy. 
As [radio broadcaster] Paul Harvey would say, a packet sniffer is a tool that lets you find "the rest of the story." It is essential for any network admin's toolkit.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:arial;" &gt;When you're selecting a packet sniffer, what should you be looking for?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;There are several considerations, but some of the biggest are the supported protocols of a sniffer, the platforms the sniffer runs on, the support provided for the software, and the cost. However, the most important thing is your level of comfort with using the software. Some packet sniffers are totally command-line based. Many people just aren't comfortable with that; others wouldn't want to use anything else. Once you get past all of the technical considerations, it is really just a matter of what you feel comfortable using. I typically find that once people get into packet analysis, they usually spend a lot of time doing it. I like to think of it like decorating your office. If you are going to be spending a lot of time in it, you want it to be a place where you are comfortable. The same goes for selecting a packet sniffing application!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:arial;" &gt;What are the commercial products that compare with Wireshark? Are there similar open source and/or free tools, and how do these compare with Wireshark and one another?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Some of the alternatives to Wireshark include commercial products such as Etherpeek, Colasoft Capsa and Sniff'Em, as well as free products such as Ettercap and Tcpdump. What sets Wireshark apart from most of these is that it is the most widely used, so it provides a larger number of supported protocols and has a user-driven support base that is unrivaled. 
The only thing the commercial products typically offer special is their ability to produce reports that are more suited to less technical users.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:arial;" &gt;How does a packet sniffer relate to the OSI model?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;In order to really understand what is going on when you try to analyze things at the packet level, you have to have a very thorough understanding of what the OSI model is and how data moves through it. Trying to sniff packets without understanding the basic concepts of the OSI model is like trying to drive a race car without knowing how to drive a stick shift.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:arial;" &gt;Is packet sniffing one of the causes of a slow network?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The only time packet sniffing can cause a network to run slow is when it is placed improperly on a network. One of the most crucial parts of the packet sniffing process is placing your sniffer in an appropriate location on the network. Not only will this ensure you get the exact data you need, but it will also make absolutely certain that your presence on the network doesn't affect its performance. I devote a whole chapter of my book to analyzer placement.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:arial;" &gt;How is sniffing wireless any different from sniffing any wired network traffic?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Wireless sniffing is a completely different animal from that of a wired network. You have to employ different strategies of analyzer placement, put extra consideration into wireless-specific things such as signal strength, and deal with all kinds of extra wireless management packets. 
It is usually a good idea to understand basic packet sniffing before moving into the realm of wireless sniffing. My book includes an entire chapter devoted to the particulars of wireless packet sniffing.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-family:arial;" &gt;How can you prevent someone with a packet sniffer from hacking your network?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Unfortunately, hackers are always going to be one step ahead. There is no such thing as an unbreakable network, and if a hacker wants in badly enough, he will probably get in. The most a network admin can hope to do is take steps to prevent this type of thing from happening. This starts and ends with the most overlooked aspect of security: physical security. It is amazing how easily a stranger can walk into a company, plug a laptop into an empty port in a vacant room, and begin to sniff network secrets. The key here is to focus on your organization's front door as much as you do on its firewall doors.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-8068147966621896152?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/8068147966621896152/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=8068147966621896152' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8068147966621896152'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/8068147966621896152'/><link rel='alternate' type='text/html' 
href='http://sniffer4networknpacket.blogspot.com/2008/10/using-packet-sniffer-for-network-packet.html' title='Using a packet sniffer for network packet analysis'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1197194229496998644</id><published>2008-10-21T02:09:00.000-07:00</published><updated>2009-03-22T20:13:30.367-07:00</updated><title type='text'>Capsa 6.9 Newly Released!!</title><content type='html'>&lt;img src="http://www.colasoft.com/images/capsa69box.jpg" style="padding-top: 10px; padding-right: 20px; padding-bottom: 10px; float: left;" width="97" height="131" /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;span style="color: rgb(14, 114, 251);"&gt;&lt;b&gt;Capsa 6.9 Newly Released&lt;/b&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Packet Sniffer for Network Monitoring and Troubleshooting. The most easy-to-use network analyzer (packet sniffer or protocol analyzer) for performance monitoring, protocol analyzing, packet decoding, and network diagnosing.&lt;p&gt;&lt;/p&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.etherlook.com/images/5star.gif"&gt;&lt;img style="cursor: pointer; width: 105px; height: 22px;" src="http://www.etherlook.com/images/5star.gif" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;/p&gt;&lt;br /&gt;&lt;h2&gt;What's New&lt;/h2&gt;&lt;br /&gt;&lt;img src="http://www.colasoft.com/images/capsa69_support.jpg" style="padding-right: 5px; float: left;" width="38" height="33" /&gt;&lt;span style="font-weight: bold;"&gt;View IP Address and Hostname at the Same Time&lt;/span&gt;&lt;br /&gt;Capsa will automatically resolve the hostname and display it 
in its interface. In version 6.8, users could view only the hostname or the IP address at a time; to view the other value, they had to switch manually. In 6.9, users can view both the IP address and the hostname at the same time, which provides correlation between the two values.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://www.colasoft.com/images/capsa69_support.jpg" style="padding-right: 5px; float: left;" width="38" height="33" /&gt;&lt;span style="font-weight: bold;"&gt;Support ISL Protocol Decoding&lt;/span&gt;&lt;br /&gt;Cisco Inter-Switch Link (ISL) is a Cisco Systems proprietary protocol that maintains VLAN information as traffic flows between switches and routers, or switches and switches. It encapsulates traffic from different VLANs and tags it for later identification. Now all trunk traffic between switches, or between a router and a switch, can be decoded, and the content inside the trunk link can be analyzed.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://www.colasoft.com/images/capsa69_support.jpg" style="padding-right: 5px; float: left;" width="38" height="33" /&gt;&lt;span style="font-weight: bold;"&gt;Support FCoE Protocol Decoding&lt;/span&gt;&lt;br /&gt;Fibre Channel over Ethernet (FCoE) is a proposed mapping of Fibre Channel frames over selected full duplex IEEE 802.3 networks. This allows Fibre Channel to leverage 10 Gigabit Ethernet networks while preserving the Fibre Channel protocol. 
The specification is supported by a large number of network and storage vendors, including Cisco, EMC, HP, IBM, Intel, and Sun Microsystems.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://secure.colasoft.com/customer/?prid=01040001"&gt;&lt;img style="width: 215px; height: 29px;" src="http://www.colasoft.com/images/capsa_update.gif" border="0" /&gt;&lt;/a&gt;&lt;a href="http://www.colasoft.com/purchase/capsaentprice.php?prid=01040001"&gt;&lt;img style="width: 169px; height: 27px;" src="http://www.colasoft.com/images/buynow.gif" border="0" /&gt;&lt;/a&gt;&lt;a href="http://www.colasoft.com/download/products/capsa.php?prid=01040001"&gt;&lt;img style="width: 214px; height: 29px;" src="http://www.colasoft.com/images/download_a_free_tiral.gif" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-1197194229496998644?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1197194229496998644/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1197194229496998644' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1197194229496998644'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1197194229496998644'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/10/capsa-69-newly-released.html' title='Capsa 6.9 Newly Released!!'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-3690296569013855303</id><published>2008-10-15T02:14:00.000-07:00</published><updated>2008-10-15T02:31:14.374-07:00</updated><title type='text'>Gorgeous matrix view in capsa new 6.9!!!</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_EgZLzYR19cE/SPW2_7d4ljI/AAAAAAAAABw/SKxy0JSSYfs/s1600-h/10-16-2008+5-24-30+AM.gif"&gt;&lt;img style="cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_EgZLzYR19cE/SPW2_7d4ljI/AAAAAAAAABw/SKxy0JSSYfs/s400/10-16-2008+5-24-30+AM.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5257309349435971122" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://staff.maosongsoft.com/uploads/6121/64/1/122406304357.gif"&gt;click here&lt;/a&gt; to enlarge the img.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-3690296569013855303?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/3690296569013855303/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=3690296569013855303' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3690296569013855303'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3690296569013855303'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/10/gorgeous-matrix-view.html' title='Gorgeous matrix view in capsa new 
6.9!!!'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_EgZLzYR19cE/SPW2_7d4ljI/AAAAAAAAABw/SKxy0JSSYfs/s72-c/10-16-2008+5-24-30+AM.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-3137610340291974794</id><published>2008-10-13T20:27:00.000-07:00</published><updated>2008-10-29T23:23:28.205-07:00</updated><title type='text'>Academic Users Need Packet Sniffer Software.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.colasoft.com/purchase/academic_discount.php"&gt;&lt;img style="cursor: pointer; width: 622px; height: 106px;" src="http://4.bp.blogspot.com/_EgZLzYR19cE/SPbWgKN3H8I/AAAAAAAAAB4/E6GanyN09Pg/s400/Untitled-3.gif" alt="" id="BLOGGER_PHOTO_ID_5257625462988283842" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;A &lt;a href="http://www.colasoft.com/"&gt;packet sniffer&lt;/a&gt; (also known as a network sniffer, network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. 
As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.&lt;br /&gt;&lt;br /&gt;Why Academic Users Need Packet Sniffer Software&lt;br /&gt;&lt;br /&gt;An academic network administrator who needs to make sure the network is running smoothly and reliably needs packet sniffer software for:&lt;br /&gt;&lt;br /&gt;-Monitoring network performance around the clock&lt;br /&gt;-Supervising various kinds of network behavior&lt;br /&gt;-Protecting the network from suspicious intentions and attacks&lt;br /&gt;-Discovering network loopholes and network bottlenecks&lt;br /&gt;-Identifying and troubleshooting network problems in time&lt;br /&gt;&lt;br /&gt;Academic teaching staff who need to explain and demonstrate concepts to their students need packet sniffer software for:&lt;br /&gt;&lt;br /&gt;-Demonstrating how a service (such as DNS or DHCP) works on the network&lt;br /&gt;-Demonstrating the detailed information within a packet of a specific protocol&lt;br /&gt;-Demonstrating the network behavior of an application&lt;br /&gt;&lt;br /&gt;An academic researcher or developer needs packet sniffer software for:&lt;br /&gt;&lt;br /&gt;-Researching network protocols&lt;br /&gt;-Debugging applications that rely on the network&lt;br /&gt;&lt;br /&gt;An academic student needs packet sniffer software for study and research purposes.&lt;br /&gt;&lt;br /&gt;Suggested Packet Sniffer Software&lt;br /&gt;&lt;br /&gt;Wireshark Packet Sniffer&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.wireshark.org/"&gt;Wireshark&lt;/a&gt; is a free network packet sniffer developed by an international team of networking experts. 
Its key features include:&lt;br /&gt;&lt;br /&gt;-Deep inspection of hundreds of protocols, with more being added all the time&lt;br /&gt;-Live capture and offline analysis&lt;br /&gt;-Standard three-pane packet browser&lt;br /&gt;-Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others&lt;br /&gt;-Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility&lt;br /&gt;-The most powerful display filters in the industry&lt;br /&gt;-Rich VoIP analysis&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/"&gt;Colasoft Packet Sniffer&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you are looking for a cost-effective and easy-to-use packet sniffer, then you should take a look at Capsa, a packet sniffer produced by Colasoft Co., Ltd. Its key features include:&lt;br /&gt;&lt;br /&gt;-Monitors traffic and bandwidth details in graphs and numbers.&lt;br /&gt;-Automatically diagnoses the network and suggests solutions.&lt;br /&gt;-Able to identify and analyze 300+ network protocols.&lt;br /&gt;-Provides packet summary and decoding information.&lt;br /&gt;-Monitors site visits, email contents, online chats, and more.&lt;br /&gt;-Lists all hosts in the network with details (traffic, IP, MAC, etc.).&lt;br /&gt;-Visualizes the entire network in an ellipse, showing connections and traffic.&lt;br /&gt;-Monitors all conversations and reconstructs packet streams.&lt;br /&gt;-Free built-in tools to create and replay packets; scan and ping IPs.&lt;br /&gt;
-Quickly generates reports on the items of most concern.&lt;br /&gt;&lt;br /&gt;You can &lt;a href="http://www.colasoft.com/download"&gt;download&lt;/a&gt; a trial version of the Colasoft packet sniffer at www.colasoft.com.&lt;br /&gt;&lt;br /&gt;Willis is a professional writer in the network management field. You can find more information about packet sniffer and network analyzer software at www.colasoft.com.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-3137610340291974794?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/3137610340291974794/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=3137610340291974794' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3137610340291974794'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3137610340291974794'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/10/academic-users-need-packet-sniffer_13.html' title='Academic Users Need Packet Sniffer Software.'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_EgZLzYR19cE/SPbWgKN3H8I/AAAAAAAAAB4/E6GanyN09Pg/s72-c/Untitled-3.gif' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-4674248594199652555</id><published>2008-10-12T20:02:00.000-07:00</published><updated>2008-10-12T23:20:30.896-07:00</updated><title type='text'>Quick Detect ARP Poisoning &amp; ARP Flooding</title><content type='html'>&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/Koj9KUDo1Rg&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/Koj9KUDo1Rg&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Some other related network sniffer video tutorial:(&lt;span style="font-weight:bold;"&gt;High Definition&lt;/span&gt;)&lt;br /&gt;&lt;a href="http://www.colasoft.com/download/network_utilization_monitor_windows.php"&gt;Monitor realtime network utilization&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/download/top_10_network_traffic_hosts.php"&gt;Top 10 network traffic hosts&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/download/track_bittorrent_protocol.php"&gt;Track Down Bittorrent Protocol&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/download/monitor_network_traffic_monitor.php"&gt;Network Traffic Monitor&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/capsa/live_demo.php"&gt;More...&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-4674248594199652555?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/4674248594199652555/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=4674248594199652555' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/4674248594199652555'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/4674248594199652555'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/10/quick-detect-arp-poisoning-arp-flooding.html' title='Quick Detect ARP Poisoning &amp; ARP Flooding'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-1196351378068473783</id><published>2008-09-02T23:45:00.000-07:00</published><updated>2008-09-03T00:38:54.390-07:00</updated><title type='text'>Discussion: What's the best choice in your mind in these Sniffer Tools?</title><content type='html'>1.Capsa compare with CommView:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://staff.maosongsoft.com/uploads/6103/28/1/122042701261.gif"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px;" src="http://staff.maosongsoft.com/uploads/6103/28/1/122042701261.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2.Capsa compare with OmniPeek:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://staff.maosongsoft.com/uploads/6103/28/1/122042701235.gif"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px;" src="http://staff.maosongsoft.com/uploads/6103/28/1/122042701235.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3.Capsa compare with Wireshark:&lt;br 
/&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://staff.maosongsoft.com/uploads/6103/28/1/122042701211.gif"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px;" src="http://staff.maosongsoft.com/uploads/6103/28/1/122042701211.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;4.Capsa compare with ClearSight:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://staff.maosongsoft.com/uploads/6103/28/1/122042701254.gif"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px;" src="http://staff.maosongsoft.com/uploads/6103/28/1/122042701254.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-1196351378068473783?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/1196351378068473783/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=1196351378068473783' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1196351378068473783'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/1196351378068473783'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/09/discussion-whats-best-choice-in-your.html' title='Discussion: What&apos;s the best choice in your mind in these Sniffer Tools?'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-3916696929534039637</id><published>2008-08-18T00:01:00.000-07:00</published><updated>2008-08-18T18:56:59.144-07:00</updated><title type='text'>Capsa network capture and analyser review ---Packet capture and protocol analysis from China.</title><content type='html'>&lt;span style=";font-family:arial;font-size:100%;"  &gt;&lt;span style="font-size:78%;"&gt;By Mark Gibbs, techworld.com&lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-family:arial;font-size:100%;"  &gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://media.techworld.com/cmsdata/products/8672/capsa2.gif"&gt;&lt;img style="cursor: pointer; width: 320px;" src="http://media.techworld.com/cmsdata/products/8672/capsa2.gif" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;ul class="STYLE1"  style="font-family:arial;"&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;List price: $250 (single-user licence without maintenance)&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;Pros: In-depth packet analysis; Packet building tool; Diagnostics&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;Cons: Exchange messaging not supported&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;Buying advice: Capsa Enterprise is an enormous, well-engineered, technical and highly professional product that provides almost everything you could want for network and protocol analysis and reporting at a reasonable price. &lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;  &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt; We have tested products from many countries, but today we have a first: a Windows network packet capture and protocol analyser from China. Capsa Enterprise is made by Colasoft, and we are very impressed. 
&lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt; The core features of Capsa Enterprise provide real-time packet capture, in-depth protocol analysis, automatic network-event diagnosis and reporting. Beyond looking good, what makes this product stand out is the depth and range of the ways it analyses captured network packets. &lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;Capsa Enterprise monitoring sessions are set up as projects. A project consists of the adapters to be monitored, the filters used to restrict the endpoints and protocols that are tracked, the diagnosis analysers (routines that watch for and analyse events that are not to specification) that are to be applied and other options. &lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;You can specify how big Capsa's buffer should be and whether the buffer is used as a circular (ring) buffer or a linear buffer. The linear buffer simply stops capturing packets when the buffer is full, keeps the buffer and analyses new packets that then are dropped, or it dumps the entire buffer, keeping the stats gathered up to that point, and starts refilling the buffer. &lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;While packet capture is proceeding, you can examine the data from multiple viewpoints. The user interface is divided into a Project Explorer panel on the left and a reporting panel on the right. &lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;In the Project Explorer, you can select the entire project or a project subset by protocol, by physical address and by IP address. Each of these groups is broken down further. 
For example, the protocol group has Ethernet II and Ethernet 802.2 subgroups, of which the former in turn has IP and Address Resolution Protocol subgroups. The IP subgroup has TCP, Internet Group Management Protocol, User Datagram Protocol and Internet Control Message Protocol subgroups and so on. &lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt; When you select a group, a subgroup or a final item (a protocol, a physical connection or an IP address), the reporting window displays the related data. You select the views of the data by tabs. &lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;The Summary tab shows, for example, an analysis of packet sizes, and traffic inflow and outflow in bytes, packets, utilisation, bits per second and packets per second. &lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;The Diagnosis tab shows notable events, which are classified as notices, information, warnings or critical events. A summary of events at the top of the pane is divided into sections covering all events, just application events, just transport events, and just network events, and lists each observed type of event and the total number of times it was seen. &lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;Clicking on an event section or specific type lists all observed events in detail in a tabbed subpane below the summary. When an event type is selected, a new tab appears in this subpane and shows the explanation of the event. &lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt; There are also tabs for analysing endpoints, protocols and conversations, and a list of packets and logs. 
&lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt; Capsa Enterprise includes Packet Builder, which helps you create custom packets, and Packet Player, which transmits packets. There's also a MAC scanner and a ping tool. The combination of Capsa Enterprise and its bundled tools provides just about all the tools you need for exercises such as intrusion testing and performance analysis. &lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE1"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;The simpler Professional Edition supports only projects with one Ethernet adapter and leaves out such features as reporting and graphing. &lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-3916696929534039637?l=sniffer4networknpacket.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/3916696929534039637/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=3916696929534039637' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3916696929534039637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/3916696929534039637'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/08/capsa-network-capture-and-analyser.html' title='Capsa network capture and analyser review ---Packet capture and protocol analysis from China.'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2797389168360889110.post-6436001786576848949</id><published>2008-08-17T23:23:00.000-07:00</published><updated>2008-08-18T18:59:12.910-07:00</updated><title type='text'>Network Packet Sniffer and Network Analyzer</title><content type='html'>&lt;strong&gt;Brief Introduction&lt;/strong&gt; &lt;p class="STYLE4"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;We have tested products from many countries, but today we have a first: a Windows network packet capture and protocol analyser from China. Capsa Enterprise is made by Colasoft, and we are very impressed.&lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE4"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;The core features of Capsa Enterprise provide real-time packet capture, in-depth protocol analysis, automatic network-event diagnosis and reporting. Beyond looking good, what makes this product stand out is the depth and range of the ways it analyses captured network packets.&lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE4"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;Capsa Enterprise monitoring sessions are set up as projects. A project consists of the adapters to be monitored, the filters used to restrict the endpoints and protocols that are tracked, the diagnosis analysers (routines that watch for and analyse events that are not to specification) that are to be applied and other options.&lt;/span&gt;&lt;/p&gt; &lt;p class="STYLE4"  style="font-family:arial;"&gt;&lt;span style="font-size:100%;"&gt;You can specify how big Capsa's buffer should be and whether the buffer is used as a circular (ring) buffer or a linear buffer. 
The linear buffer simply stops capturing packets when the buffer is full, keeps the buffer and analyses new packets that then are dropped, or it dumps the entire buffer, keeping the stats gathered up to that point, and starts refilling the buffer.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-weight: bold;" class="STYLE6"&gt;Features&lt;/p&gt;&lt;p style="font-weight: bold;" class="STYLE6"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.etherlook.com/?promid=blog"&gt;&lt;img style="cursor: pointer;" src="http://4.bp.blogspot.com/_EgZLzYR19cE/SKkZeCEw-rI/AAAAAAAAAAw/Y8tFVngeX5k/s320/Untitled-4.gif" alt="" id="BLOGGER_PHOTO_ID_5235744045538540210" border="0" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;ul  style="font-family:arial;"&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Smart real-time packet capturing and analyzing&lt;/span&gt;&lt;/li&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Reconstructs TCP/IP sessions and enables you to see data in their original format&lt;/span&gt;&lt;/li&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Capture, display and save transaction information such as user name and password and the entire message&lt;/span&gt;&lt;/li&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Capture POP3 and SMTP emails, display and save in Outlook Express Message Format&lt;/span&gt;&lt;/li&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Capture HTTP traffic for you to view all Internet web traffic&lt;/span&gt;&lt;/li&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Powerful Packets Viewer to examine data in plain English&lt;/span&gt;&lt;/li&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Protocol decodes on TCP/UDP/IP suite and application protocols including POP3, SMTP, HTTP, TELNET, FTP&lt;/span&gt;&lt;/li&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Powerful filter provides a general and 
flexible mechanism for users to focus on useful packets&lt;/span&gt;&lt;/li&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Trace TCP connection states and display bandwidth usage and other critical information&lt;/span&gt;&lt;/li&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Support multiple monitors and terminal server&lt;/span&gt;&lt;/li&gt;&lt;li class="STYLE5"&gt;&lt;span style="font-size:100%;"&gt;Support both Ethernet and 802.11 wireless infrastructure.&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;strong&gt;External links&lt;/strong&gt;&lt;/p&gt; &lt;ul  style="font-family:arial;"&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://www.etherlook.com/?promid=label"&gt;Etherlook Quick Introduction&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt; &lt;span style="font-size:100%;"&gt;&lt;a href="http://www.colasoft.com/support/"&gt;Customer Support&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://www.colasoft.com/capsa/network_solution.php"&gt;How-tos&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://www.colasoft.com/support/capsa_faq.php"&gt;Network Sniffer FAQ&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://www.colasoft.com/download/"&gt;Download Capsa&lt;br /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="http://www.colasoft.com/"&gt;Colasoft Capsa Packet Sniffer &lt;/a&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-size:100%;"&gt;&lt;a href="mailto:huangw@colasoft.com"&gt;Contact&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2797389168360889110-6436001786576848949?l=sniffer4networknpacket.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://sniffer4networknpacket.blogspot.com/feeds/6436001786576848949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2797389168360889110&amp;postID=6436001786576848949' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/6436001786576848949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2797389168360889110/posts/default/6436001786576848949'/><link rel='alternate' type='text/html' href='http://sniffer4networknpacket.blogspot.com/2008/08/network-packet-sniffer-and-network.html' title='Network Packet Sniffer and Network Analyzer'/><author><name>Network_Packet_Sniffer</name><uri>http://www.blogger.com/profile/17820209925344263659</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_EgZLzYR19cE/SKkZeCEw-rI/AAAAAAAAAAw/Y8tFVngeX5k/s72-c/Untitled-4.gif' height='72' width='72'/><thr:total>1</thr:total></entry></feed>
