Tuesday, October 28, 2008

Colasoft Packet Sniffer Capsa 6.9 Released

(colasoft.com), Oct 21, 2008: Colasoft, a company dedicated to network analysis, recently released version 6.9 of its flagship product, Capsa, a packet sniffer designed for network monitoring and troubleshooting. Two new protocols, Cisco Inter-Switch Link (ISL) and Fibre Channel over Ethernet (FCoE), can now be recognized and decoded. This version also improves the user experience based on user feedback.

Capsa is packet sniffer software that performs real-time packet capturing, 24/7 network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis. By giving users insight into all of the network's operations, Capsa makes it easy to isolate and solve network problems, identify network bottlenecks and bandwidth use, and detect network vulnerabilities, external attacks and insecure applications.

"We'll always take into consideration good suggestions from our customers," said Roy Luo, the CEO of Colasoft, "and include them in future releases to ensure the highest satisfaction."

What’s New in Capsa 6.9

Support for ISL Protocol Decoding: Cisco Inter-Switch Link (ISL) is a Cisco Systems proprietary protocol that maintains VLAN information as traffic flows between switches and routers, or between switches. It encapsulates traffic from different VLANs and tags each frame so that its VLAN can be identified later. Now all trunk traffic between switch and switch or router and switch can be decoded, and the contents carried inside the trunk link can be analyzed.
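As an added example (not Colasoft's code), here is a small ISL parser in C that shows what a decoder has to pull out of a trunk frame: the 26-byte ISL header that sits in front of the original Ethernet frame, the 15-bit VLAN ID, and where the encapsulated frame starts. The header layout follows Cisco's published ISL format; the sample frame is constructed for the example and its CRC is not verified.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ISL_HEADER_LEN 26   /* DA(5) TYPE/USER(1) SA(6) LEN(2) SNAP(3) HSA(3) VLAN/BPDU(2) INDEX(2) RES(2) */
#define ISL_CRC_LEN     4   /* ISL appends its own CRC after the encapsulated frame */

struct isl_info {
    uint8_t  type;          /* 4-bit TYPE: 0 = Ethernet, 1 = Token Ring, 2 = FDDI, 3 = ATM */
    uint8_t  user;          /* 4-bit USER field (priority) */
    uint16_t vlan_id;       /* 15-bit VLAN identifier */
    int      bpdu;          /* 1 = the encapsulated frame is a BPDU/CDP/VTP control frame */
    uint16_t index;         /* source port index, diagnostic only */
    size_t   inner_offset;  /* where the encapsulated Ethernet frame starts */
    size_t   inner_len;     /* its length, excluding the trailing ISL CRC */
};

/* Parse an ISL trunk frame. Returns 0 on success, -1 if the bytes are not a
 * well-formed ISL frame; every length taken from the packet is checked first. */
int isl_parse(const uint8_t *frame, size_t len, struct isl_info *out)
{
    static const uint8_t isl_da[5]   = {0x01, 0x00, 0x0C, 0x00, 0x00}; /* ISL multicast DA */
    static const uint8_t isl_snap[3] = {0xAA, 0xAA, 0x03};             /* SNAP/LLC marker */
    size_t declared;

    /* the header, a minimal 14-byte inner Ethernet header and the CRC must all fit */
    if (len < ISL_HEADER_LEN + 14 + ISL_CRC_LEN) return -1;
    if (memcmp(frame, isl_da, sizeof isl_da) != 0) return -1;
    if (memcmp(frame + 14, isl_snap, sizeof isl_snap) != 0) return -1;

    /* LEN counts the whole frame minus DA, TYPE/USER, SA, LEN and CRC (18 bytes) */
    declared = ((size_t)frame[12] << 8) | frame[13];
    if (declared != len - 18) return -1;

    out->type         = frame[5] >> 4;
    out->user         = frame[5] & 0x0F;
    out->vlan_id      = (uint16_t)((((unsigned)frame[20] << 8) | frame[21]) >> 1);
    out->bpdu         = frame[21] & 0x01;
    out->index        = (uint16_t)(((unsigned)frame[22] << 8) | frame[23]);
    out->inner_offset = ISL_HEADER_LEN;
    out->inner_len    = len - ISL_HEADER_LEN - ISL_CRC_LEN;
    return 0;
}

/* EtherType of the encapsulated frame, or 0 if the ISL frame does not parse. */
uint16_t isl_inner_ethertype(const uint8_t *frame, size_t len)
{
    struct isl_info info;
    if (isl_parse(frame, len, &info) != 0) return 0;
    return (uint16_t)(((unsigned)frame[info.inner_offset + 12] << 8) | frame[info.inner_offset + 13]);
}

/* Constructed sample: VLAN 100 carrying a (truncated) ARP frame, dummy CRC. */
const uint8_t sample_isl_frame[48] = {
    0x01, 0x00, 0x0C, 0x00, 0x00,             /* DA */
    0x00,                                     /* TYPE = Ethernet, USER = 0 */
    0x00, 0x0C, 0xAB, 0xCD, 0xEF, 0x01,       /* SA */
    0x00, 0x1E,                               /* LEN = 48 - 18 = 30 */
    0xAA, 0xAA, 0x03,                         /* SNAP */
    0x00, 0x0C, 0xAB,                         /* HSA = upper 3 bytes of SA */
    0x00, 0xC8,                               /* VLAN 100 << 1, BPDU bit 0 */
    0x00, 0x05,                               /* INDEX */
    0x00, 0x00,                               /* RES */
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,       /* inner frame: broadcast DA */
    0x00, 0x0C, 0xAB, 0xCD, 0xEF, 0x01,       /*   SA */
    0x08, 0x06,                               /*   EtherType ARP */
    0xDE, 0xAD, 0xBE, 0xEF,                   /*   payload (cut short for the example) */
    0x00, 0x00, 0x00, 0x00                    /* ISL CRC (not verified here) */
};
```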

Support for FCoE Protocol Decoding: Fibre Channel over Ethernet (FCoE) is a proposed mapping of Fibre Channel frames over selected full-duplex IEEE 802.3 networks. This allows Fibre Channel to leverage 10 Gigabit Ethernet networks while preserving the Fibre Channel protocol. The specification is supported by a large number of network and storage vendors, including Cisco, EMC, HP, IBM, Intel, and Sun Microsystems.

View IP Address and Hostname in One Tab: Capsa automatically resolves hostnames and displays them in its interface. In previous versions users could view only the hostname or the IP address at a time and had to switch manually to see the other value. In 6.9 users can view both the IP address and the hostname at the same time, which shows the correlation between the two values.

"It's the easiest product to use. The support is excellent and the features added in subsequent releases are always well thought-out and beneficial to our company." Eric Gomez, CSO, InfoSight, Inc.

Whether for a network administrator who needs to identify, diagnose, and solve network problems quickly, an IT professional who wants to monitor user activity on the network, a security manager who needs to ensure that the corporation's communications assets are safe, or a consultant who has to solve network problems for clients quickly, Capsa has the functions to satisfy these diverse needs.

Capsa 6.9 runs under Windows 2000/XP/2003/Vista. A trial version is available at the company's web site: http://www.colasoft.com/

About Colasoft

Since 2001, Colasoft has been dedicated to providing all-in-one, easy-to-use network analysis software that lets customers monitor, analyze, and troubleshoot their networks. To date, more than 4000 customers in over 70 countries trust its flagship product, Capsa, as their network monitoring and troubleshooting solution. The company also offers four free network utilities: Colasoft Packet Builder, Colasoft Packet Player, Colasoft MAC Scanner, and Colasoft Ping Tool. Learn more today at http://www.colasoft.com/



Saturday, October 25, 2008

Wireshark 1.0.4 Just Released, Download Now

(Oct 20, 2008) Wireshark 1.0.4 has been released. Installers for Windows and Mac OS X Intel 10.5, as well as the source code, are now available.

In this release

Security-related bugs in the Bluetooth ACL, Bluetooth RFCOMM, PRP, Q.931, MATE, and USB dissectors, as well as in the Tamos CommView file parser, have been fixed. See the advisory for details.

Many other bugs have been fixed.

What's New

Bug Fixes

The following vulnerabilities have been fixed. See the security advisory for details and a workaround.

1. Florent Drouin and David Maciejak found that the Bluetooth ACL dissector could crash or abort. (Bug 1513)

Versions affected: 0.99.2 to 1.0.3

2. The Q.931 dissector could crash or abort. (Bug 2870)

Versions affected: 0.10.3 to 1.0.3

3. Wireshark could abort while reading Tamos CommView capture files. (Bug 2926)

Versions affected: 0.99.7 to 1.0.3

4. David Maciejak found that the USB dissector could crash or abort. This led to the discovery of a similar problem in the Bluetooth RFCOMM dissector. (Bug 2922)

Versions affected: 0.99.7 to 1.0.3

5. Vivek Gupta and David Maciejak found that the PRP and MATE dissectors could make Wireshark crash. (Neither PRP nor MATE are enabled by default.) (Bug 2549)

Versions affected: 0.99.2 to 1.0.3

The following bugs have been fixed:

Let MP2T call its subdissectors, even without tree (Bug 2627)

Wireless Toolbar not enabled (using AirPcap) if PCAP_REMOTE=1 (Bug 2685)

Failure to dissect long SASL wrapped LDAP response (Bug 2687)

Fix compiler warnings (Bug 2823)

Homeplug dissection bugs (Bug 2859)

Malformed Packet DCP ETSI error (Bug 2860)

Wrong size of selected_registrar in WPS dissector (Bug 2865)

Dissector assertion displaying cookies in DTLS frames (Bug 2876)

Missing field type in documentation (Bug 2889)

Wireshark -p switch seems to have no effect to PROMISCUOUS mode (Bug 2891)

Misspelled PPI error vector magnitude filter (Bug 2903)

Modbus Function 43 Encapsulated Interface Transport decoding (Bug 2917)

Crash when printing or exporting some protocol data (Bug 2934)

Crash when selecting "Export Selected Packet Bytes" (Bug 2964)

New and Updated Features

There are no new or updated features in this release.

New Protocol Support

There are no new protocols in this release.

Updated Protocol Support

AFP, Bluetooth ACL, Bluetooth RFCOMM, DCP ETSI, DTLS, Homeplug, IEEE 802.11, IP, Modbus TCP, MP2T, NSIP, NCP, PPI, Q.931, SASL, SNMP, USB, WPS

What is Wireshark?

Wireshark is the world's most popular network protocol analyzer. It is used for troubleshooting, analysis, development, and education.

Download Wireshark 1.0.4

The latest version can be downloaded here: http://www.wireshark.org/download.html


Friday, October 24, 2008

Wireshark Multiple Vulnerabilities

Wireshark (http://www.wireshark.org/) is the most popular network protocol analyzer (aka "sniffer").

A memory corruption vulnerability exists in Wireshark, potentially allowing a remote attacker to compromise targeted systems by sending them specially crafted "live" network traffic or malicious network trace files (pcap files).

Multiple denial of service vulnerabilities also exist in Wireshark, allowing a remote attacker to crash targeted systems upon sniffing network traffic or viewing network trace files (pcap files).

Impact:

Full compromise of the targeted system.

Risk:

High

Affected Software:

Wireshark version older than 1.0.4

Additional Information:

The Bluetooth HCI memory corruption vulnerability lies in the BTHCI packet dissector and is caused by insufficient checking of packet parameters. This issue occurs either when Wireshark is configured to sniff Bluetooth traffic (with a USB dongle, for example) and is sent "live" malicious traffic, or when a crafted Bluetooth HCI encapsulation format trace file is opened.

The Parallel Redundancy Protocol post-dissector (not enabled by default) is vulnerable to a denial of service when handling specially crafted Ethernet frames; the issue is caused by missing exception handling.

The USB URB denial of service vulnerability lies in the USB packet dissector, where insufficient checking of packet parameters is performed; the vulnerability is present only when Wireshark is configured to sniff packets from USB ports or opens a crafted USB traffic pcap file.
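All three issues above come down to a dissector trusting a value read from the packet. The C snippet below is an added illustration, not Wireshark's code or its real HCI/USB layouts: a hypothetical length-prefixed name field is parsed once without checks (the "before" picture, left uncalled) and once with the checks a dissector needs. The two checks map onto the two failure modes the advisory describes: a length larger than what is present reads off the end of the packet (crash, denial of service), and a length larger than the destination buffer overwrites adjacent memory (memory corruption). All inputs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical field layout, constructed for illustration only:
 *   byte 0     : N, the name length, taken straight from the packet
 *   bytes 1..N : the name
 */
#define NAME_BUF 32

struct parsed_name {
    char   name[NAME_BUF];
    size_t consumed;   /* bytes of the packet used by this field */
};

/* INSECURE pattern: N is trusted as a parameter. If N exceeds the bytes actually
 * present, memcpy reads past the packet (crash, i.e. denial of service); if N
 * exceeds NAME_BUF, it writes past out->name (memory corruption). Shown only as
 * the "before" picture; nothing here calls it. */
int dissect_name_unchecked(const uint8_t *pkt, size_t pkt_len, struct parsed_name *out)
{
    size_t n = pkt[0];
    (void)pkt_len;                       /* the available length is simply ignored */
    memcpy(out->name, pkt + 1, n);
    out->name[n] = '\0';
    out->consumed = 1 + n;
    return 0;
}

/* HARDENED pattern: every value that drives a copy or an index is checked against
 * both the bytes remaining in the packet and the destination size. A bad packet
 * yields -1 and the dissector moves on instead of dying. */
int dissect_name_checked(const uint8_t *pkt, size_t pkt_len, struct parsed_name *out)
{
    size_t n;
    if (pkt_len < 1) return -1;          /* not even the length byte is present */
    n = pkt[0];
    if (n > pkt_len - 1) return -1;      /* claims more bytes than the packet holds */
    if (n >= NAME_BUF) return -1;        /* would not fit, leaving room for the NUL */
    memcpy(out->name, pkt + 1, n);
    out->name[n] = '\0';
    out->consumed = 1 + n;
    return 0;
}

/* Constructed test inputs. */
const uint8_t pkt_good[]      = { 5, 'h', 'o', 's', 't', '1' };   /* well-formed */
const uint8_t pkt_truncated[] = { 200, 'a', 'b' };                 /* N says 200, only 2 present */

/* A packet whose N fits the packet but not NAME_BUF. Returns the packet length. */
size_t make_oversized_packet(uint8_t *buf, size_t cap)
{
    size_t n = NAME_BUF + 8;
    if (cap < n + 1) return 0;
    buf[0] = (uint8_t)n;
    memset(buf + 1, 'A', n);
    return n + 1;
}

/* Run the constructed inputs through the checked dissector; returns how many it rejected. */
int count_rejected(void)
{
    struct parsed_name p;
    uint8_t big[64];
    size_t big_len = make_oversized_packet(big, sizeof big);
    int rejected = 0;
    if (dissect_name_checked(pkt_good, sizeof pkt_good, &p) != 0) rejected++;
    if (dissect_name_checked(pkt_truncated, sizeof pkt_truncated, &p) != 0) rejected++;
    if (dissect_name_checked(big, big_len, &p) != 0) rejected++;
    if (dissect_name_checked(pkt_good, 0, &p) != 0) rejected++;   /* empty slice */
    return rejected;
}
```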

The two denial of service conditions above may be used by an attacker as a Cyber Counter-Measures tool, in order to render the network surveillance systems "blind" before engaging in further deleterious action.

Solutions:

Upgrade to the latest version available from http://www.wireshark.org/download.html.

Do not open pcap trace files received from unknown sources.

References:

Wireshark advisory is available at http://www.wireshark.org/security/wnpa-sec-2008-06.html

Bluetooth HCI memory corruption

Parallel Redundancy Protocol denial of service

USB URB dissector denial of service

Acknowledgment:

David Maciejak of Fortinet's FortiGuard Global Security Research Team

Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet (www.fortinet.com):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.

Wednesday, October 15, 2008

How to Monitor Network Traffic with Packet Sniffer

There is quite a lot of software (both free and commercial) out there that performs network traffic monitoring tasks, but this article discusses how to monitor network traffic with packet sniffer software. Among these packet sniffers, Colasoft Packet Sniffer is highly recommended as it is easy to use and thorough in its data analysis. You can click here to download a trial version of Colasoft Packet Sniffer.

Get a Real-time Network Traffic Trend Chart

If we want a trend chart of the network traffic, we use the "Graphs" tab. The "Graphs" view lets us view network statistics dynamically in different chart types, such as line chart, bar chart, and pie chart. By selecting "Utilization" we get a real-time network traffic trend chart.

[Screenshot: Colasoft packet sniffer, Graphs view with the Utilization trend chart]

Learn How Much Network Traffic Has Been Generated by Each Network Protocol

The "Protocols" view lists all protocols seen in network transmission. In the "Protocols" view we can monitor network traffic by protocol. By analyzing traffic by protocol we can understand which applications are using the network bandwidth; for example, "http" indicates web browsing, "pop3" indicates email, and so on.

[Screenshot: Colasoft packet sniffer, Protocols view]

Learn Which Host Has Generated or Is Generating How Much Network Traffic

In the "Endpoints" view, we can monitor network traffic information for each node, both local and remote. In this tab we can monitor the aggregated network traffic and the real-time network traffic generated by each host (listed by IP address and MAC address). With its easy sorting feature we can quickly find out which host is generating or has generated the most network traffic.

[Screenshot: Colasoft packet sniffer, Endpoints view]

Monitor Network Traffic Generated by Each Network Conversation

In the "Conversations" tab we can monitor network traffic by conversation and figure out which conversation has generated the most network traffic.

[Screenshot: Colasoft packet sniffer, Conversations view]

Inbound, Outbound and Broadcast Network Traffic, and So On

In "Summary" we get a quick view of the total network traffic, real-time traffic, broadcast traffic, multicast traffic and so on. When we switch among the nodes in the explorer, the corresponding network traffic information is shown.

[Screenshot: Colasoft packet sniffer, Summary view]
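The views walked through above (Protocols, Endpoints, Conversations, Summary) are all one pass over the captured frames with different grouping keys. The C program below is an added example, not Colasoft's code, that computes those same numbers for a small constructed capture of Ethernet II/IPv4 frames: bytes per protocol, per host, per conversation, plus total and broadcast traffic. Its one non-obvious point is the conversation key, which must be the same whichever direction a frame travels.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define MAX_ROWS 32

/* One row of a statistics table, like a line in the Protocols, Endpoints or Conversations view. */
struct row     { char key[48]; unsigned long bytes; unsigned long pkts; };
struct table   { struct row rows[MAX_ROWS]; size_t n; };
struct summary { struct table by_proto, by_host, by_conv; unsigned long total, broadcast; };

static void tally(struct table *t, const char *key, size_t bytes)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->rows[i].key, key) == 0) { t->rows[i].bytes += bytes; t->rows[i].pkts++; return; }
    if (t->n == MAX_ROWS) return;                   /* table full: drop rather than overflow */
    snprintf(t->rows[t->n].key, sizeof t->rows[t->n].key, "%s", key);
    t->rows[t->n].bytes = bytes; t->rows[t->n].pkts = 1; t->n++;
}

unsigned long table_bytes(const struct table *t, const char *key)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->rows[i].key, key) == 0) return t->rows[i].bytes;
    return 0;
}

/* Classify one Ethernet II frame (IPv4 only). Returns -1 for frames too short to trust. */
int summarize_frame(struct summary *s, const uint8_t *f, size_t len)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    char src[16], dst[16], conv[40]; uint16_t ethertype;
    if (len < 14) return -1;                        /* shorter than an Ethernet header */
    s->total += len;
    if (memcmp(f, bcast, 6) == 0) s->broadcast += len;
    ethertype = (uint16_t)((f[12] << 8) | f[13]);
    if (ethertype == 0x0806) { tally(&s->by_proto, "ARP", len); return 0; }
    if (ethertype != 0x0800) { tally(&s->by_proto, "Other", len); return 0; }
    if (len < 34 || (f[14] >> 4) != 4) return -1;   /* IPv4 header must be fully present */
    tally(&s->by_proto, f[23] == 6 ? "TCP" : f[23] == 17 ? "UDP" : f[23] == 1 ? "ICMP" : "IP-other", len);
    snprintf(src, sizeof src, "%u.%u.%u.%u", f[26], f[27], f[28], f[29]);
    snprintf(dst, sizeof dst, "%u.%u.%u.%u", f[30], f[31], f[32], f[33]);
    tally(&s->by_host, src, len); tally(&s->by_host, dst, len);
    /* A conversation is direction-independent, so order the two addresses consistently. */
    if (strcmp(src, dst) < 0) snprintf(conv, sizeof conv, "%s <-> %s", src, dst);
    else                      snprintf(conv, sizeof conv, "%s <-> %s", dst, src);
    tally(&s->by_conv, conv, len);
    return 0;
}

/* Constructed frame: Ethernet II + 20-byte IPv4 header + zeroed payload. Returns frame length. */
size_t make_ipv4_frame(uint8_t *buf, size_t cap, const uint8_t src[4], const uint8_t dst[4], uint8_t proto, size_t payload, int broadcast)
{
    size_t len = 34 + payload;
    if (len > cap || payload > 1480) return 0;
    memset(buf, 0, len);
    memset(buf, broadcast ? 0xff : 0x02, 6);        /* destination MAC */
    buf[12] = 0x08; buf[13] = 0x00; buf[14] = 0x45; /* EtherType IPv4; version 4, IHL 5 */
    buf[16] = (uint8_t)((20 + payload) >> 8); buf[17] = (uint8_t)(20 + payload);
    buf[22] = 64; buf[23] = proto;                  /* TTL, protocol */
    memcpy(buf + 26, src, 4); memcpy(buf + 30, dst, 4);
    return len;
}

/* A small constructed capture: two LAN hosts talking TCP, one UDP frame and one ICMP frame. */
struct summary sample_summary(void)
{
    static const uint8_t a[4] = {192, 168, 1, 10}, b[4] = {192, 168, 1, 20}, c[4] = {10, 0, 0, 5};
    struct summary s; uint8_t buf[1600]; size_t n; memset(&s, 0, sizeof s);
    n = make_ipv4_frame(buf, sizeof buf, a, b, 6, 1000, 0); summarize_frame(&s, buf, n);
    n = make_ipv4_frame(buf, sizeof buf, b, a, 6,  200, 0); summarize_frame(&s, buf, n);
    n = make_ipv4_frame(buf, sizeof buf, a, c, 17,  66, 0); summarize_frame(&s, buf, n);
    n = make_ipv4_frame(buf, sizeof buf, c, a, 1,   30, 1); summarize_frame(&s, buf, n);
    return s;
}
```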

Colasoft Packet Sniffer - Capsa

Capsa is packet sniffer software designed for network monitoring and troubleshooting. It performs real-time packet capturing, 24/7 network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis. By giving users insight into all of the network's operations, Capsa makes it easy to isolate and solve network problems, identify network bottlenecks and bandwidth use, and detect network vulnerabilities, external attacks and insecure applications.

Capsa runs under Windows 2000/XP/2003/Vista. A trial version is available at the company's web site: http://www.colasoft.com/

Monday, October 13, 2008

How to Deploy a Packet Sniffer

Before we can analyze and monitor a network with a packet sniffer, we must make sure the packet sniffer is deployed at the right place, so that we can capture all the traffic running in and out. Installing a packet sniffer is easy; it is always a good idea to install it on a laptop, so that the laptop can be moved around to troubleshoot different network segments. This article discusses how to deploy a packet sniffer depending on the network device in use.

How to Deploy a Packet Sniffer in a Switched Network

A switch is a network device working on the Data Link Layer of the OSI model. A switch learns physical addresses and saves them in its ARP table. When a packet arrives at the switch, the switch looks up the packet's destination address in its ARP table and forwards the packet to the corresponding port.

Condition 1: Manageable Switch

Generally all layer-3 switches and some layer-2 switches are manageable; the traffic going through the other ports of the switch can be captured from a debugging port (mirror port/SPAN port) on the core chip. To analyze the traffic going through all ports, we should deploy the packet sniffer at this debugging port (mirror port/SPAN port). In a manageable switch network environment, we should deploy a packet sniffer like this:

[Figure: packet sniffer attached to the switch's mirror/SPAN port]

Condition 2: Unmanageable Switch

If our switch has no management function, we can insert a tap into the line to be monitored. Taps can be placed flexibly on any line in the network. When high network performance is required, we can add a tap to our network. In an unmanageable switch network environment, we should deploy a packet sniffer like this:



How to Deploy a Packet Sniffer in a Hubbed Network

A hubbed network, also known as a shared network, is connected with a hub. In a hubbed environment, the packet sniffer can be installed on any host in the LAN. All network data transmitted through the hub will be captured, including the communication between any two hosts in the LAN, because when a packet arrives at one port it is copied to all the other ports, so every segment of the LAN sees every packet. In a hubbed network, we should deploy a packet sniffer as shown below:

[Figure: packet sniffer deployment in a hubbed network]

Friday, October 10, 2008

NetScout has released nGenius Performance Manager and nGenius InfiniStream version 4.5

NetScout Systems, a provider of network performance management software, has released nGenius Performance Manager and nGenius InfiniStream version 4.5 software, along with the evolution of its nGenius InfiniStream continuous capture Deep Packet Inspection devices, the company's next step in integrating its acquisition of Network General.

The result is a unified solution that raises the bar in service assurance and performance management by combining early-warning capabilities, real-time and historical application flow analysis, and deep-packet forensics. The result of this evolution will have a profound impact on IT operations by enabling network, datacenter and application managers to dramatically improve productivity through more effective collaboration to address the operational challenges of managing the modern IP network posed by virtualization, convergence, SOA and highly distributed network-centric operations.

According to the company, the evolution of the nGenius Performance Management solution integrates the functionality of NetScout's real-time monitoring and rapid top-down troubleshooting and analysis with the former Network General's expert packet analysis and data-mining capabilities.

As part of the product unification, elements from both product lines have come together under the nGenius Performance Management umbrella, with application intelligence and data mining capabilities retaining the well-established Sniffer branding. NetScout has also unified its family of continuous capture Deep Packet Inspection (DPI) devices, formerly known as nGenius AFMon and Sniffer InfiniStream, as nGenius InfiniStream. The new nGenius InfiniStream DPI devices retain important elements from both product lines delivering operational consistency with a flexible range of interface options and storage capacities to meet the most demanding high-performance requirements.

NetScout's thoughtful approach to the integration of the Sniffer portfolio into the nGenius portfolio enables customers to efficiently leverage their existing investments and benefit from the blended technical capabilities of the two platforms. Companies that have deployed both platforms further benefit, as this latest software release allows for the consolidation and unification of performance management tools with an easy-to-deploy migration path that delivers a best-of-both-worlds approach.

Michael Szabados, COO of NetScout, said: "The integration of nGenius and Sniffer technologies into a single, unified solution brings enormous power to our expanded customer base and new customers alike. Managing the Modern IP Network requires a transformative approach to how networks are managed. This latest release of NetScout's nGenius technology addresses this need by bringing top-to-bottom intelligent views that empower IT managers to solve the hardest performance challenges while providing unmatched investment preservation and delivering greater business value to our customers."

Thursday, October 9, 2008

Top Reasons Why Academic Users Need Packet Sniffer Software

Academic users need packet sniffer software for various reasons in their daily work, such as monitoring network performance, supervising network behavior, demonstrating concepts, and so on. Two packet sniffers are highly recommended for such users.

Why Academic Users Need Packet Sniffer Software

For an academic network administrator who needs to make sure the network is running smoothly and reliably, packet sniffer software is needed for:
  • Monitoring network performance around the clock,
  • Supervising various kinds of network behavior,
  • Protecting the network from suspicious activity and attacks,
  • Discovering network loopholes and network bottlenecks,
  • Identifying and troubleshooting network problems in time.

For academic teaching staff who need to explain and demonstrate concepts to their students, packet sniffer software is needed for:
  • Demonstrating how a service (such as DNS or DHCP) works on the network,
  • Demonstrating the detailed information within a packet of a specific protocol,
  • Demonstrating the network behavior of an application.

For an academic researcher or developer, packet sniffer software is needed for:
  • Researching network protocols,
  • Debugging applications that rely on the network.

For an academic student, packet sniffer software is needed for studying and research.

Suggested Packet Sniffer Software

Wireshark

Wireshark is a free network packet sniffer developed by an international team of networking experts. Its key features include:
  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • The most powerful display filters in the industry
  • Rich VoIP analysis

Colasoft Packet Sniffer

If you are looking for a cost-effective and easy-to-use packet sniffer, take a look at Capsa, a packet sniffer produced by Colasoft Co., Ltd. Its key features include:

  • Monitors traffic and bandwidth details in graphs and numbers.
  • Automatically diagnoses the network and suggests solutions.
  • Identifies and analyzes 300+ network protocols.
  • Provides packet summary and decoding information.
  • Monitors site visits, email contents, online chats, and more.
  • Lists all hosts in the network with details (traffic, IP, MAC, etc.).
  • Visualizes the entire network in an ellipse, showing connections and traffic.
  • Monitors all conversations and reconstructs packet streams.
  • Free built-in tools to create and replay packets and to scan and ping IPs.
  • Quickly generates reports on the items of most concern.


Capsa runs under Windows 2000/XP/2003/Vista. You can click here to download a trial version of Capsa.

Packet Sniffer, A Brief Introduction

A packet sniffer is a piece of software that grabs all of the traffic flowing into and out of a computer attached to a network. Packet sniffers are available for several platforms in both commercial and open-source variations. Some of the simplest packages are actually quite easy to implement in C or Perl, use a command line interface and dump captured data to the screen. More complex projects use a GUI, graph traffic statistics, track multiple sessions and offer several configuration options. Packet sniffers are also the engines for other programs. Intrusion Detection Systems (IDS) use a packet sniffer to match packets against a rule-set designed to flag anything malicious or strange. Network utilization and monitoring programs often use a packet sniffer to gather the data necessary for metrics and analysis. Law enforcement agencies that need to monitor email during investigations likely employ a packet sniffer designed to capture very specific traffic.

A packet sniffer can be an invaluable tool for administrators, security professionals, programmers and even beginners. They are excellent utilities for troubleshooting any type of network problem, since they provide a window into local traffic. I personally have used packet sniffers on multiple occasions for security work and once discovered a compromised machine that periodically sent updates to a cracker. For network programming, a packet sniffer is a necessity for debugging in the development stages. Packet sniffers are an outstanding resource for the curious beginner who hopes to understand both networks and security. Nothing can bring you closer to what really happens when computers communicate than these tools.

It should be noted that the casual user should be very cautious about when, where and how they use these programs. Never employ a packet sniffer on a local network without checking with an administrator. It's best to try these techniques at home, or on a network you run.