This is important for those who are new to network analysis because they need to connect the machine to the right device to capture ALL traffic on a WIRED network. The users of the following product are recommended to read this post:
- Capsa Free
- Capsa Enterprise
- Capsa Professional
- nChronos Standard
- nChronos Free
If you use Capsa WiFi, you can leave alone this part and take a look at Getting Started with Capsa WiFi.
Using Colasoft Capsa network analyzer (aka. packet sniffer, network analyzer, protocol sniffer, protocol analyzer) to capture network traffic to analyze and troubleshoot network problem is an important job for network management. The charm of the packet analyzer software is that you can use them to listen on a cable (or even wireless magnetic signal) and know what the machines are transmitting and communicating with other hosts and services without installing anything backdoor or keylogger on those machines like a hacker. If you want to use Capsa to capture your network traffic, you need to capture on the right device, because you can’t just install it on a system like common software and capture traffic from other machines. This blog post covers the basics that where you should capture with Capsa network analyzer on your network so you get traffic to your interest.
Whose Packets Do You Want to Capture?
We all know the nouns, hubs, switches, routers, firewall, etc., but there is possible that some of us may not know how the packet analyzers process the packets. So we should always think first which hosts’ packets we want to sniff, and on which device we should connect the machine with the packet analyzer software to capture traffic. This’s the first discipline. You can’t analyze and troubleshoot into network packets unless you capture them.
It’s quite often that someone new comes to Capsa network analyzer, he installs it on his PC. And then he fires it up expecting to capture all packets traversing through his network. Well, he’ll be disappointed that he can only see packets of his own machine in today’s network. But back to the 1990’s, when hubs were popular then, he could capture all traffic of a hub network without a problem. So today, besides hubs, we have more devices, switches, routers, firewalls, etc. Let’s see how we can capture packets if we are connected with these networking devices.
- I need to capture packets from my own system
- I need to capture packets from a hub
- I need to capture packets from a managed switch
- I need to capture packets from an unmanaged switch
- I need to capture packets from a network tap
Capture Particular PC’s Packets
This is the simplest scenario that you are a network administrator suspecting the guy at marketing dept. is infected with a worm or virus because his machine keeps sending large volume of packets to consume the network bandwidth. So it’s a brilliant idea that you install a packet analyzer tool on his machine and look into his traffic pattern to prove it. Or you may just curious what applications are consuming your network bandwidth. And the answer to capture packets of a particular machine, you only need to install Capsa network anlayzer on your system. What is really required is a network interface card (NIC) which is able to run in promiscuous mode.
Economic Choice - Use Dumb Hub
Hubs are rarely these days, but if you're fortunate enough to own one of those old jewels then make sure to hold on to it. If you have a 100M network, a cheap hub would be the perfect choice to be used to intercept the network packets. You might take advantage of ebay to find a second-hand hub if you are lucky enough. Be careful, some vendors tell you it’s a hub, but in fact it’s a switch.
So when you connect your machine (with Capsa network analyzer installed) to any port on the hub, you can sniff packets of all machines because the hub repeats all Ethernet frames arriving at on port to all other ports of the hub. The figure below shows how to capture packets on a hub. For example, in your home network, all your machines are connected with cables to a home router, and the router connects to the Internet. In this network, we can place a hub behind the router, and move all cables to the hub. So now, you can use any port to sniff all packets with Capsa network analyzer.
Cons of Capturing Packets on Hub
But there is a downside of using a hub. Because the hub repeats all packets to all ports, it increases packet collisions. And packet collision slows down your network connection rate. If you use a packet sniffer software to capture the packets, you will see more TCP retransmissions. So make sure you take out the hub and put the network back to its original topology when you finish packet sniffing.
Configure Port Mirroring (SPAN) on Managed Switch
There are two categories of switches, managed switch and unmanaged switch. It’ll be great if you have a managed switch over a hub. So as we mentioned at the beginning of the post, you can only sniff traffic of your own PC and some broadcast and multicast traffic, if you sniff on a PC which is connected to a switch (no matter managed or unmanaged ones).
How can we sniff all packets on a switch? Don’t worry, the managed switches have a function called Port Mirroring. While this function has different names depending on the vendor, Cisco calls it SPAN. You can go to the switch management portal, and configure the switch to copy all sent (Tx) and received (Rx) frames, (or one part of it), of particular ports to a monitor port. You can connect your protocol analyzer software to the monitor port and sniff the traffic. The figure below shows how to use Capsa network analyzer to sniff all traffic on a managed switch with port mirroring.
Notes on Sniffing Traffic on Managed Switch Port Mirroring
- On some switches you can also configure to copy traffic of all ports to a monitor pot, but this causes duplicate packets since each packet will be seen twice, the first time on the receive port and then another port it leaves on another port. It’s therefore usually wise to monitor only the uplink port if you wish to monitor all hosts connected to the switch.
- You should also be careful using port mirroring over a high load switch. We shouldn’t forget that the primary functionality of a switch is to switching and forwarding traffic from the source port to the destination port rather than copying or mirroring the packets. This means if the switch’s load is high, it will prioritize switching the frames from source port to destination port over copying them to the monitor port. So on a high load switch, you may not get all traffic on the monitor port, and it’s unacceptable if you are on a network forensics investigation. So if this is your case, you may consider a network tap to precede your task.
Capture Unmanaged Switch Traffic
If your switch isn’t a managed switch but an unmanaged switch, you have two choices.
- Use a hub, and connect the network as figure below.
- Use a network tap.
Use Network Tap to Capture Packets
What is a network tap? A network tap is a hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a "network tap" may be the best way to accomplish this monitoring. The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic through unimpeded, but also copies that same data to its monitor port, enabling a third party to listen.
Using a network tap is the most reliable way to sniff traffic, which is easy to use and doesn’t affect your network performance (comparing with the hub and the switch’s port mirroring). The function of a network tap is to make a copy of each frame on a wire. Typically you insert a network tap between two nodes of your network, such as between the switch and the router, and you get all traffic between these two devices and it doesn’t affect the quality of the line. The figure below shows how to use a network tap to sniff traffic of the uplink of an unmanaged switch.
Cons of Capturing Packets with Network Tap
But, network taps are expensive, and a good network tap will cost you more than 1,000 dollars, but it’s a reasonable choice between network monitoring reliability and budget. If you are considering investing in a network tap I recommend an aggregation tap, which is able to merge uplink and downlink traffic to a single monitor port. So you don’t need to have two NICs on your sniffing computer.
If you need any help on deciding where to capture network packets on your network, please leave a comment and we are happy to give you advice.
Comments
Yes, you can monitor the bandwidth consumed by smartphones which are connected to the wifi. Use Capsa Enterprise to monitor the wifi network, find your MAC address/IP address of your phone on the Physical Endpoint view or the IP Endpoint view, then you can view the traffic.
Is this software will not monitor all the bandwidth consumed by an android phone which is connected to the wifi.If it can then how to know?Plz let me know.
Thanks
If you have that many switches surely they are managed. Just a thought.
Hi Shelly, it depends on the capability of the switch.
If your switch has port mirroring function, just mirror the traffic to a destination port and then connect Capsa to the destination port, then you can monitor the whole network.
If your switch does not have port mirroring function, you need to plug a tap between the swtich and the router, in such way that you can get all the traffic through the switch to thereby monitor the whole network.
Isn't there any way to scan the entire network and see what's going first???? Is there some way to at least get an idea where to start? Our network seems to be running slow and I suspect either a couple of bad network cards, a user watching youtube, or a bad switch. Can this software help me figure out what's going on?
I'm confused! I thought this software was to find the pc causing the trouble. Where to start?
Thanks right, Darren. You are a pro.
Maybe a hub between the switch and Modem would work? I haven't tried, but it should let you monitor traffic bound for the internet
i have unmanaged 32 ports switch. i have internet connected to adsl modem then modem is connected to this unmanaged switch and then 20 computers are connected from this switch. so now i want to see who is using facebook/yahoo/gmail or other sites or emails, what should i do. thanks for your help..
shrawan..
What should I do to sniffing the packets of all hosts?
RSS feed for comments to this post