This site uses cookies for anonymized analytics. For more information or to change your cookie settings, view our Cookie Policy.

Network Traffic Monitoring

In order to be fully effective, network traffic monitoring software should keep a close eye on not only what is happening within your network, but what is happening on the perimeter of your network as well. In order to give network managers complete visibility over this area of activity, network traffic monitoring software must have deep packet inspection to identify the content of network packets originating from public IP addresses and subnets.

Network traffic monitoring software with this depth of visibility has many practical uses within the network as well. It can be used to troubleshoot network issues, conserve bandwidth, identify threats to the security of the network and enforce acceptable use policies. The monitoring can be done in real time of historically when real-time analysis is insufficient to identify trends or time-sensitive issues when certain network events occur.

LANGuardian is a leader in network traffic monitoring software. It is quick to install, easy to maintain and fully effective at monitoring the traffic on and around the perimeter of your network versatile. To find out more about LANGuardian, read our network traffic monitoring blog posts, contact us with any questions you have, or download a trial of LANGuardian today in order to evaluate our network traffic monitoring software free of charge in your own environment for thirty days.

Need to Know How to Exactly Check the Cause of Bandwidth Use

Find the Cause of Bandwidth Use

Customer Use Case – Check the Cause of Bandwidth Use

We had interesting use case from a customer in Singapore earlier today.

Today around noon there was traffic congestion on one Singapore site that has roughly around 25 users and an 8MB MPLS.

The business wanted to know what was the root cause. The main complaint was the video conferencing (an essential business requirement) was too slow, audio and video dropped so badly that neither party could hear each other.

For this investigation the LANGuardian search page was used, specifically the Network Forensics and Bandwidth Troubleshooting tab on LANGuardian, and spotted some huge zip and image files (some user in marketing), the most likely cause of congestion.

For the same network client there was spyware running that provided unusual behavior on the system that also may have provided some conflict on the traffic. The customer now plans to educate users to be more diligent on doing shared transfer of huge files during business hours.

Check the Cause of Bandwidth Use on YOUR Network

Download a 30 day trial of LANGuardian and find out what users are doing on your network. No need to install agents or client software. All you need is a SPAN or mirror port.

View this short video which looks at how you can find bandwidth hogs

How can we Monitor Network Traffic Associated with Remote Sites

Remote Site Traffic Analysis

Many IT teams are now tasked with managing remote sites without having the luxury of local IT support. Business owners expect everything to be done remotely, we do live in the connected age, don’t we? Is it possible to see what is happening in these networks without the need for installing client or agent software everywhere?

You can gather some network performance information using SNMP or WMI but you will be limited to alerts or high level information. What you need is some form of deeper traffic analysis. Software applications that do traffic analysis are ideal for troubleshooting LAN and link problems associated with remote sites.

There are two main technologies available to analyze network traffic associated with remote sites, those that do flow analysis and those that capture network packets. Flow statistics are typically available from devices that can route data between two networks, most Cisco routers support NetFlow for example. If your remote networks are flat (single subnet) or you don’t have flow options on your network switches then packet capture is a viable option.

You can implement packet capture by connecting a traffic analysis system to a SPAN or mirror port on a network switch at your remote site. You can then log onto your traffic analysis system remotely to see what is happening within these networks.

Traffic Associated with Remote Sites

NetFort LANGuardian has multiple means of capturing data associated with remote sites. The most popular option is to install an instance of the LANGuardian software at your HQ. Sensors can be deployed on physical or virtual platforms at important remote sites. Data from these is stored centrally to you get a single reference point for all traffic and security information across local and remote networks.

Download White Paper

How to monitor WAN connections with NetFort LANGuardian

Download this whitepaper which explains in detail how you can monitor WAN connections with NetFort LANGuardian

LANGuardian can also capture flow based statistics such as NetFlow, IPFix and SFlow, routers/switches on the remote sites can be configured to send flow traffic to LANGuardian. Watch out for issues associated with NetFlow as it has limitations when it comes to monitoring cloud computing applications.

Troubleshoot Broadcast Storms and ARP Conflicts

Troubleshoot broadcast storms

Did you know you can use LANGuardian to troubleshoot Layer 2 (data link layer) issues such as broadcast storms and ARP conflicts?

A broadcast storm occurs when a buggy or malevolent host emits a continuous stream of broadcast packets. Because these packets must traverse each link in the network, a broadcast storm from a single host can slow down the network for all other hosts on the same subnet.

ARP conflicts occur when two hosts with different MAC addresses resolve to the same IP address. Usually this happens as a result of human error or a misconfigured DHCP implementation, but it can also happen as a result of ARP spoofing, which hackers often use as the opening for denial of service, session hijacking, or man-in-the-middle attacks.

LANGuardian provides two reports that give a breakdown of Layer 2 activity on your network:

  • Ethernet :: Top Broadcasters
  • Ethernet :: Traffic Distribution

With these reports, you can see quickly locate a device that is causing a broadcast storm or identify the source of an ARP spoofing attack.

If you have any questions about troubleshooting Layer 2 activity, or indeed any other aspect of network monitoring with LANGuardian, please contact us any time.

I want to know who is streaming Netflix onto my network?

who is streaming Netflix

Users accessing media sites like Netflix and YouTube can consume massive amounts of bandwidth. What’s needed are performance management solutions that can 1) detect and notify you about network performance degradation and spikes in bandwidth utilization, and 2) give you visibility into what applications are running on the network and what IP addresses and usernames are associated with them.

For most media sites it is easy to start monitoring activity associated with them. Just follow these steps:

  1. Ping the website in question. For example comes back as
  2. Go to the website and enter this IP address in the top right hand corner.
  3. You will find that this IP address is part of the range Google this range to see if Netflix have any other subnet ranges registered to them. YouTube for example will have many subnets associated with their services
  4. Log onto LANGuardian (or other network activity monitoring tool) and select Reports\Bandwidth\IP\Top Talkers from the reporting menu on the top.
  5. Enter as the subnet and this will reveal if you have any Netflix traffic on your network. Drill down on the totals to reveal the most active clients

No network activity monitoring in place?

Use LANGuardian and the power of wire data analytics to find out what users are doing on your network.

Download a trial version of LANGuardian and find out who is streaming Netflix on your network.

If you have proxy servers on your network you don’t need to lookup the IP ranges. Logon to LANGuardian and go to Reports\Web\More\Proxy Sessions By IP. Enter Netflix as the website and run the report.

NetFort 12.4 – Network Traffic and Security Monitoring

LANGuardian 12.4

New Version of NetFort LANGuardian Provides Customers with a Single Point of Reference for Network Traffic and Security Monitoring.

NetFort, a leading provider of network traffic and security monitoring (NTSM) solutions, today unveiled version 12.4 of the LANGuardian application. The new version ensures network teams today have the visibility required to collaborate and work with their security colleagues and manage the daily security issues prevalent in today’s world.

Version 12.4 includes a number of significant changes:

  • SMTP Email Decoder Enhancements
  • HTTPS Website Use Reporting
  • Updated BitTorrent Decoder
  • Snort 2.9
  • SYSLOG Forwarding Feature

SMTP Email Decoder Enhancements

The SMTP decoder is a great feature from a network security monitoring point of view. It is a powerful tool if you want to monitor email for phishing type network attacks. Malicious attachments have made a comeback as top attack vector. An interesting post on this here.The SMTP decoder has been upgraded to record the following information

  • Attachments to SMTP emails, including attachment name, MIME type and description. A sample report is shown below, some information is blurred as it came from a live network.
  • Embedded hyper Link detection in emails. This is a beta release for evaluation. Where an SMTP email contains a hyper link, but the link target doesn’t seem to match the description, LANGuardian will log the link target and the description.
SMTP Decoder

HTTPS Website Use Reporting

The Website monitoring module has been upgraded to now report on HTTPS domains. Domain information (such as and traffic volumes are recorded. As packet payloads are encrypted, Individual URIs cannot be reported.

SSL Traffic Reports

Updated BitTorrent Decoder

BitTorrent continues to be a popular protocol for downloading and uploading media from the Internet. LANGuardian has the ability to detect  BitTorrent use and record metadata such as Infohash values and IP addresses. In 12.4 the BitTorrent decoder has been upgraded to record Peer Exchange messages (PEX). This increases the detection rate for BitTorrent activity and will record media titles, if included in the PEX message.

Bittorrent Protocol Decoder

Snort 2.9

Snort is a network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging. Snort performs protocol analysis, content searching and matching. LANGuardian 12.4 now includes Snort version 2.9.7. This allows LANGuardian to take advantage of new keywords supported in IDS signatures for Snort 2.9, distributed from the ET Open project

Snort 2.9

SYSLOG Forwarding Feature

Many customers choose LANGuardian as it can integrate with existing tools like SolarWinds, McAfee or WhatsUp. Version 12.4 extends this functionality with the addition of a new configuration page to manage the forwarding of events to external syslog collector (SIEM) systems.

This means you end up with a centralized dashboard for all network activity or as one customer described it “single point of reference for network and user activity monitoring and first stop in troubleshooting any issues”

LANGuardian SYSLOG Support

Version 12.4 is available from our download page and it can be deployed on physical or virtual platforms.

Download LANGuardian
LANGuardian Interactive Demo

Top 5 Alternatives For SPAN or Mirror Ports

Network Security Monitoring Software

Looking for an alternative for SPAN ports?

SPAN (Cisco) or mirror (everyone else) ports are an excellent data source for network security monitoring and traffic analysis. With them you can monitor single or multiple ports or VLANs and they give you access to packet payloads rather than just header information that you get with flow data.

What if you don’t want to use SPAN ports but you still need a source of network packets? Maybe you have used up your SPAN ports or maybe you don’t have access to your switch infrastructure. The good news is there are alternatives and here are the top 5 that you will get on most networks.

Top 5 Alternatives For SPAN or Mirror Ports

  1. Network TAP
  2. Port aggregator
  3. Network visibility solutions
  4. Virtual switches
  5. Use a spare switch to create more SPAN sessions

Network TAP

A network TAP (Test Access Point) is a hardware device that enables network and security personnel to access packet data passing through a network. Taps are passive devices.

Not so long ago, when TAPs were expensive, there was a cheaper option, a simple network hub! It is actually quite difficult to purchase a hub these days!

Most taps pass all seven layers of OSI network traffic (including layer 1 and layer 2 errors) and do not interfere with the performance of the network or the data stream of the network traffic.

They are a low cost option if you want to monitor single ports but more advanced versions are available which allow for many to one port mirroring. The following diagram shows a typical use case. A TAP is used to take a copy of traffic going to\from a firewall and it sends a copy to a network monitoring tool.

Garland TAP

Port Aggregation TAP

A port aggregation TAP is a hardware device which allows you to aggregate the data from multiple source or destination ports. It is not to be confused with the port aggregation protocol which is Cisco proprietary. The most common use case for port aggregators is where you have multiple source ports that you want to monitor with a single network monitoring tool.

Port Aggregation TAP

Network Visibility Solutions

Network visibility appliances include dedicated application processors pre-loaded with packet analyzers, network performance, and security/performance applications on a KVM software environment. Network engineers select traffic to stream or capture for diagnostics and on board storage is included for traffic analysis software and data files. Vendors such as Apcon develop solutions in this space.

Virtual Switch Monitoring

Most data centers now host one or more hypervisor platforms. VMWARE ESX and Microsoft Hyper-V are the most popular and both come with options for virtual packet capture.

VMWARE uses VLAN 4095 for monitoring purposes. You need to create a virtual switch for monitoring purposes and assign VLAN 4095 to this. Once the virtual switch is in place you can connect your network monitoring tools to this.

Hyper-V monitoring is very similar in that you create a virtual switch for monitoring purposes. Instead of VLAN 4095 you set ports as destinations for monitored traffic. Microsoft have more information on this blog post. We recently published a video which looks at how you can deploy LANGuardian on Microsofty Hyper-V servers. The steps shown can be used to deploy any type of monitoring tool which use network packets as a data source.

Use a Spare Switch To Create More SPAN Sessions

If you have a shortage of SPAN ports, network switches can be used to double the number available. You need to connect the SPAN port from one switch to another spare one. Create a new VLAN on the new switch which is used for network monitoring purposes. There is no need to replicate this VLAN on other switches on your network. Once the VLAN is configured you can create two SPAN sessions which use this VLAN as a data source.

Do you have any other ways for capturing network packets off a network? Suggestions welcome in the comments section below.


Darragh Delaney

Windows 10 Is Already Using Up Your Bandwidth

Windows 10 Upgrade

Windows 10 Downloads

A lot of people out there are looking forward to upgrading to Windows 10 and in less than 24 hours, Microsoft will start upgrading Windows 7 and Windows 8 machines to Windows 10. The release is scheduled for 12AM ET on July 29th (9PM PST on July 28th).

If you are responsible for the management of a network you should be aware that the software updates download in advance. Microsoft want to speed up the process by pre-loading the final version of Windows 10 on PCs eligible for the upgrade.

If you notice Internet connectivity slowdowns or if you are concerned about bandwidth use, you may see connections like the following on your Internet gateway. There are many ways to capture this information including logs, flow data and deep packet inspection.

Windows 10 upgrade IP addresses

One thing to watch out for if you are using logs or flow data is that reverse lookups of the IP addresses may be misleading. I noticed the IP addresses above using up a lot of bandwidth on my network. A reverse lookup using my favorite security lookup site ( reported that the IP address is registered to Eircom which at first seems strange. Further analysis of the IP address and DNS traffic also shows it to be associated with which is a content delivery network (CDN).

Content delivery network

What you need to do is look inside the network packets associated with this activity. The HTTP headers will reveal what is actually happening. Many organizations now use content delivery networks to distribute content like software. For the consumer this means fast and reliable downloads but it also means that the network traffic coming into your network is arriving from a third party. In my case the third party is Eircom who in turn host services for Akamai and Microsoft uses them to distribute content.

When the network packets are analyzed by a deep packet inspection engine we can see that the downloads are from Windows update and that they are associated with the Windows 10 upgrade. I saw over 1GB of downloads in less than 1 hour for a single client. Quick glance at the screenshot below shows some of the downloads and the level of detail that can be captured from network packets.

HTTP Header Analysis

I for one am looking forward to upgrading to Windows 10. My own experiences with Windows 8 were not good and I got rid of it after 1 month. Windows 7 has served me well but there is enough in 10 to convince me to upgrade. If you are responsible for the management of a network, watch out for heavy bandwidth use in the coming weeks which may be associated with this upgrade process. Ideally you should use a monitoring tool which can look inside HTTP headers so you can see exactly what is happening.

Darragh Delaney

Detecting Netflix Traffic On Your Network

Netflix is a provider of on demand internet streaming media and is available to users in the majority of locations all over the world. The service is becoming increasingly popular and by the end of last year had a total of 57.4 million subscribers. In parallel with this growth, we have seen a corresponding increase in the number of people questioning the impact that Netflix traffic is having on their network.

Watching Netflix can use around 1 GB of data per hour for each stream when viewing in standard definition and up to 3 GB per hour for streaming content in high definition. The ‘Internet is slow today’ could easily be as a result of a single user streaming Netflix.

Detect & Monitor Netflix Traffic on Your Network

Use the deep packet inspection features in LANGuardian to find the source of Netflix traffic on your network. No need to install client or agent software. Just setup a SPAN or mirror port

There are a couple of ways you can check for Netflix traffic on your network after installing LANGuardian. The easiest way to do this is to click on, reports, top website domains and simply type in Netflix into the appropriate field.

Example below from our demo system shows Skype appearing on the network. It is the same idea for Netflix, simply type in the website name and click on view. You can also drill-down from here to find the associated username and IP addresses.

An alternative way is to look at the IDS rule set in LANGuardian. The IDS in LANGuardian contains two signatures to detect Netflix on your network and they can be found under sid: 2007638 and 2013498 which are included below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”POLICY Netflix On-demand User-Agent”; flow:to_server,established; content:”|0d 0a|User-Agent|3a| WmpHostInternetConnection”; nocase; reference:url,; classtype:policy-violation; sid:2007638; rev:5;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”POLICY Netflix Streaming Player Access”; flow:to_server,established; uricontent:”/WiPlayer?movieid=”; content:”|0d 0a|Host|3a||0d 0a|”; nocase; reference:url,; classtype:policy-violation; sid:2013498; rev:2;)

You could also create a custom report which would allow you to search for specific IDS events like Netflix by following the guide here on the forum.

Ray Barnes

Can one have too much visibility?

Looking deeper into what is happening on a network

An interesting problem cropped up during our company huddle this morning.  Our head of development had the floor and was giving us an update on some recent modifications to our Bittorent decoder.

Our LANGuardian Bittorent decoder is used heavily, especially by some of our University customers, to track DMCA notices. For example one can enter the info hash into a search field and get back information such as the IP address, user name, etc.

Bittorent is a complex protocol, tracking it and extracting/storing the critical detail is not that easy.   We have to issue regular updates to ensure accuracy and coverage.  Bit of a pain for our development team, I feel for them!

A nice side effect of our latest update is that for some downloads we can also report the actual file, movie, video names, plain text, readable, interpretable but as mentioned by the developer,  maybe too much visibility for some customers? The movie and video names can be very explicit and even upsetting for some people. So do we report the name or not?

Bittorrent file names

But, I also remember back to a meeting years ago in Dublin, where the network admin had investigated one user for continuous bandwidth abuse causing the other users to complain ‘the Internet is slow today’ on that site.  HR got involved, a meeting was called, and the user asked to explain.  User explained he was downloading research papers and doing nothing wrong.

The admin was able to instantly produce a report listing the movie names (including the complete Harry Potter box set) dates, times, the user had downloaded. The smoking gun, proof to eliminate guesswork and save time, stress for everybody. User owned up immediately and the issue was resolved.

And just last week, we had the following feedback from a new customer in the UK, food company.

This product is amazing… I’m getting an insight into the network that I have never had before and seeing activity that I just did know was going on!

This guy, Simon, was definitely not complaining about having too much visibility.

I guess it may be useful to have the information at your fingertips IF and WHEN you need it, the last step of a drill down, but, not in your face all the time? Back to the customer, let’s get their opinion, listen to them.

John Brosnan
NetFort CEO

Google has detected unusual traffic from your network

Google has detected unusual traffic from your network

How to deal with “Google has detected unusual traffic from your network” notifications

Malware on PCs and other devices can lead to all sorts of serious issues. From Ransomware to DDoS activity. Another symptom of malware that I come across a lot is when a Google displays the message “Google has detected unusual traffic from your network” when users search for something. One of the reasons behind this is that Google are probably receiving loads of automated searches from your IP addresses. Typically these searches are automated by Malware installed on one or more systems inside your network.

Unusual outbound connections

Your options are very limited when this happens. One thing would be to ignore it but each time you want to search for something you will have to solve a CAPTCHA (a squiggly word with a box below it). The recommended approach would be to find out what is causing the problem in the first place.

Find the Root Cause of Unusual Traffic on Your Network

Use the deep packet inspection features of LANGuardian to find the source of unusual traffic on your network. Reports based on MAC, IP address and Username. No need to install client or agent software. Just setup a SPAN or mirror port.

The Google notification will give you very little to go on so the main priority is to get visibility as to what is happening on your network. Forget about SNMP or NetFlow, you will need lots of detail to get to the root cause and neither of these protocols will do this.

An ideal data source is a SPAN or mirror port. This will give you access to network packets or wire data as I hear some people describe it. A SPAN port will give you access to crucial information like IP addresses, host-names, web domain names, email addresses, application payloads, or MAC addresses.

Once you have your SPAN port setup you just need to install LANGuardian and take a look at what is happening.

Watch out for systems connecting to external IP addresses or hosts associated with lots of traffic associated with the Google domains. LANGuardian will also associate this network activity with usernames so you know who is causing the problem.

See below for a recent quote from a customer. In this case they did not use LANGuardian to investigate a Google issue. However, it does goes to show how customers are really happy using LANGuardian to find out what is happening on their networks.

LANGuardian is a crucial part of our investigation tools within the network, gets right into what’s happening

James Barnes, ICT Team Leader, Ayrshire College, Scotland.

Please don’t hesitate to get in contact with our support team if you are having an issue with a Google notification. You can also download a free trial of LANGuardian which can help you get to the root cause of any issues fast.

Darragh Delaney

Network Activity Monitoring on Steroids

network monitoring on steroids

Networkshop 2015

I attended Networkshop in Exeter, UK earlier this week, a conference attended by primarily network and security administrators working in UK and Irish universities. Exeter is not that easy to get to from Galway, but it was well worth the trouble.

We made some of our first sales in this sector, it has been very rewarding for many reasons, the people are very technical, direct, know what they want and not afraid to tell you. It has also been an unbelievable testing ground for our software, huge networks, loads of traffic, flows and users, very diverse and at high rates. Almost impossible to replicate, survive here and you can be pretty confident in your software in any environment.

I have also met a lot of great people and made many friends. I easily remember one of my first demonstrations in the UK, with Heriot-Watt university over 7 years ago. As well as my laptop, I used to truck around with a mini PC running our LANGuardian software in a box with a handle, bit like Will Smith in that movie ‘The Pursuit of Happiness’! During this demo, I booted up the PC, connected it to my laptop with a crossover cable, and starting running the reports.

All was going very well, lots of discussion, but after 10 minutes, nothing, hard disk crashed.  I’d say I had a pretty red face after checking cables rebooting everything or trying to, but still nothing. Anyway, told them the truth and all worked well in the end. Heriot-Watt was our first Scottish customer and still are today.

Every product manager should attend conference like Networkshop, even if just to sit at the table during dinner and listen. You will hear stories about security incidents, bandwidth, wireless, data loss, DMCA notices, SPAM and of course the students. Fantastic data to come back to the office with and use to try and improve products and help address their pains.

One of the big trends I noticed at this year’s  conference was the number of times I heard the word visibility. I’m sure the huge growth in numbers of mobile devices on the network is a factor and it is not just one device per student any more. Also, due the number/types of apps available, video, music, etc, these devices are really pushing the wireless infrastructure to the limits, with respect to the number connections and of course bandwidth.  The ‘Millennials‘ are making their mark and when they move into the workplace they are demanding the same kind of access and flexibility. Some universities now even allow students to rent devices, laptops, iPads on a daily basis.

Now we really have BIG DATA, devices everywhere generating loads of traffic and logs, it is becoming very difficult to see the wood from the tress and find that smoking gun, that final piece of proof or evidence you need.

I was really delighted to hear our customers say how much they like our LANGuardian, used it regularly, to drill down and try to get the right level of visibility. I have always like that word, I still hear engineers say they want more visibility, deeper insight into what is happening at the core of their network. When there is an incident, getting the right visibility and getting it immediately is essential. Visibility can also help prevent the incident and save a lot of stress.

Then I came back to the office yesterday and saw the following quote we had just got from a user in Canada who had downloaded our trial and installed it on his network

“Your solution is like SolarWinds® but on steroids. It is amazing what kind of granularity you provide and how easy it is to get the information needed.”

What a way to end a fantastic week, could not have said it better myself.

John Brosnan
NetFort CEO

Tracking Web Activity by MAC Address

Tracking Web Activity

Associating Internet activity with MAC addresses

Tracking web activity is nothing new. For many years IT managers have tried to get some sort of visibility at the network edge so that they can see what is happening. One of the main drivers for this is the need to keep the network secure. As Internet usage is constantly growing, malicious, phishing, scamming and fraudulent sites are also evolving.

While some firewalls and proxy servers include reporting capabilities, most are not up to the job. These systems were designed to block or control access and reporting was just added on at a later date. Server log files do not always have the answer either. They are meant to provide server administrators with data about the behaviour of the server, not what users are doing on the Internet.

Some vendors are pitching flow type (NetFlow, IPFIX, etc…) tools to address the problem. The idea is that you get flow records from the edge of your network so you can see what IP address is connecting to what. However, as with server logs, NetFlow isn’t a web usage tracker. The main reason for this is that it does not look at HTTP headers where a lot of the important information is stored.

Track MAC Addresses on Your Network

Use the deep packet inspection engine of LANGuardian to report on network activity by MAC, IP address or Username. Real time and historical reports available.

One of the best data sources for web tracking is packet capture. You can enable packet capturing with SPAN\mirror ports, packet brokers, TAPs or by using promiscuous mode on virtual platforms. The trick is to pull the relevant information and discard the rest so you don’t end up storing massive packet captures.

Relevant information includes things like MAC address, source IP, destination IP, time, website, URI and username. You only see the big picture when you have all of these variables in front of you.

Tracking Web Activity Screenshot

Why track Internet activity?

  • Root out the source of Ransomware and other security threats. Track it down to specific users, IP addresses or MAC addresses
  • Maintain logs so that you can respond to third party requests. Finding the source of Bittorrent use would be a common requirement on open networks.
  • Find out why your Internet connection is slow. Employees watching HD movies is a frequent cause.
  • Out-of-band network forensics for troubleshooting or identifying odd network traffic.

Customer Use Case

End user is a very large airport in EMEA. Basic requirements and use case is tracking web activity, keeping a historical record of it for a period of one year, and because most of the users are just passing through (thousands of wireless users every hour!) the only way to uniquely identify each user or device is by MAC address.

Luckily for us, because the LANGuardian HTTP decoder captures and analyses wire data off a SPAN or mirror port it can easily track proxy or non-proxy traffic by IP or MAC address. The customer can also drill down to URI level when they need to investigate an incident. For them LANGuardian is an ideal solution for tracking BYOD activity as there are no modifications to the network and no agents, clients or logs required.

The MAC address variable is an important one when it comes to tracking devices on your network. Most networks use DHCP servers so you cannot rely on tracking activity based on IP addresses only. MAC addresses are unique per device so they will give you a reliable audit trail as to what is happening on your network.

Do you track web actvity on your network? If so, what data sources do you use? Comments welcome.

Darragh Delaney

Wire data – more flexible than log data?

Wire Data Analytics

Is Wire Data More Flexible Then Log Data?

Just after finishing a pretty long road trip around the US, New York, New Jersey, Washington DC, Chicago, Austin and San Francisco. Travelling around the US this time of year can be very ‘challenging’ for sure, some airports can handle the snow and some like Newark do an OK job. Although sitting in an airplane at the gate for over 3 hours in Newark Saturday night, waiting for my flight to Shannon to leave and one of the pilots to arrive was not an act of God. Imagine he was the one guy who got caught in traffic, all the other people on the flight knew bad weather was on the way and adjusted travel plans accordingly!

Anyway, it was a great trip, I met some partners and customers, really enjoyed and appreciate their time and feedback. One interesting term that was mentioned a lot was ‘wire data analytics’. Why? What are the use cases? How does ‘wire data’ add value?

A lot of the use cases seem to be security, data related. Comes down to the detail one can get from looking inside the packets and is not available from flow technologies like NetFlow.  Looking inside the packet, deep packet inspection does not always have to be about timings, latency QoE, etc. It can help provide the proof, that final piece of detail to really understand what happened, the domain name and URI for example and amount of data uploaded or downloaded. Critical pieces of information for security forensics.

Learn more about wire data analytics

For example, Ransomware is still very common. One user in a company got hit by cryptolocker, had no backup and were considering paying the ransom. These bad guys are targeting the file shares, creating files with strange file names, like ‘howdecrypt.txt’, encrypting, etc. Boy, do you miss your data when you can’t access it, like when your Windows laptop gets corrupted and will not boot, you will try anything to get your data back.

File Activity Monitoring

So, who does wire data help with Ransomware for example ? Well,  if you can capture the right level of detail ‘off the wire’, like the file name, the user name, the source IP address, the action (say ‘create file’) and  the server IP address. Then one can alert or block the source IP and prevent further infection. Also use the information to see if other hosts or servers have been infected. Comparing wire data and log data in this case is also very interesting.

Log data can also be very useful when troubleshooting, but crucially in this particular use case, if logging is enabled on the Windows file share server, the logged detail does not include the source or client IP address. It includes an awful lot of other detail, sometimes adding huge overhead to the server, but not the source IP, which is usually pretty useful!

But this also demonstrates the flexibility of ‘wire data’, you can of course capture it at any point across the network, SPAN multiple VLANS for example.  Also, if you have a SMB dissector available (as in our NetFort LANGuardian) and it is intelligent and fast enough, the dissector can decide which data to identify, extract, and keep.

You do not want to keep every single packet because then you will have a Big Data problem and you will not be able to see anything useful unless you are an expert. In the case above you can decide to extract and store the client IP address, easier than going back to Microsoft and telling to also log this in a future version!

Wire data is not dependent on the format or content of the log and can be a very flexible and independent option.

John Brosnan
NetFort CEO

Server log files do not always have the answer

In today’s world, security information and event management (SIEM) systems are hot technology. Some people deploy them because of compliance needs, others because they need access to data to troubleshoot problems. SIEM systems themselves are useless without sources of data and most of them connect to server log files and other network devices. The problem is that there are limitations with server log files when it comes to usability analysis.


A good example of this is Ransomware. It is a big issue at the moment and most IT managers want to detect and get rid of it as soon as possible. This can be challenging when you have hundreds if not thousands of users on your network.

Once Ransomware gets into a network it starts to encrypt files and every time it moves from a directory to another, it leaves an instruction note within a text file that leads to a website or TOR network site. If an event can be triggered when these files are created then it would be an excellent start. However, as you can see in this sample event, no IP address is shown for the problematic device that is spreading the malware. This makes it difficult to block the device from accessing the network.

Event Type:         Success Audit
 Event Source:      Security
 Event Category:    Object Access
 Event ID:          560
 Date:              2/24/2015
 Time:              12:40:46 PM
 User:              WIN2003DATABASE\Administrator
 Computer:          WIN2003DATABASE
 Object Open:
 Object Server:     Security
 Object Type:       File
 Object Name:       C:\Downloads\test.txt
 Handle ID:         5128
 Operation ID:      {0,2612512}
 Process ID:        4
 Image File Name:
 Primary User Name: WIN2003DATABASE$
 Primary Domain:    WORKGROUP
 Primary Logon ID:  (0x0,0x3E7)
 Client User Name:  Administrator
 Client Domain:     WIN2003DATABASE
 Client Logon ID:   (0x0,0x2708B4)
 Accesses:          SYNCHRONIZE
 Privileges:            -
 Restricted Sid Count:       0
 Access Mask:       0x100080

Some people suggest setting up SPAN or mirror ports which are excellent data sources. The problem is that you may need to work through millions of packets to find useful information. Make no mistake about it, packet analysis can reveal crucial detail like IP addresses as you can see in the image below.

Server Log Files

You could now use log data and information from your Windows log to build a complete picture. While this might be an option for a small network with a few clients, it does not scale well. The next option to consider is a system like LANGuardian which does the packet analysis for you. It analyses the packets as they come in from a SPAN or mirror port and it extracts the important metadata. Metadata would include things like IP addresses, filenames and actions.

File Activity Monitoring
File Share Activity

Systems like the LANGuardian can then export this information via SYSLOG or other formats to other network management systems which can then take an action.

Server log files do not always have the answer but there are other sources of data on your network.

Alternatives for log file monitoring

Multiple SPAN destinations on a Cisco switch

network switch

How to setup multiple SPAN destinations

SPAN or mirror ports are getting more and more popular. They provide such a rich source of user activity data that they can easily run out. Cisco switches for example will only allow you to setup two SPAN sessions per switch.

What if you want to connect up another monitoring tool and you find that both sessions are in use? The answer is very straightforward, you can actually specify two destinations for one SPAN session. In the following example we have our firewall connected to port 10 on the core switch and we want to send a copy of the traffic going to and from this port to ports 1 and 2. The main thing to watch out for is the use of spaces. There is a space after the 1 and after the comma.

monitor session 1 source interface Gi0/10

monitor session 1 destination interface Gi0/1 , Gi0/2

The following extract is from the Cisco configuration guide which gives a bit more detail on this feature. You can also get more information about setting up SPAN sessions on other switches on our core switch documentation page.

monitor session session_numberdestination {interfaceinterface-id [, | -] [encapsulation {dot1q |replicate}]}

For interface-id, specify the destination  port. The destination interface must be a physical port; it cannot be an  EtherChannel, and it cannot be a VLAN.

(Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.

(Optional) Enter encapsulation dot1q to specify that the destination interface uses the IEEE 802.1Q encapsulation method.

(Optional) Enter encapsulation replicate to specify  that the destination interface replicates the source interface  encapsulation method. If not selected, the default is to send packets in  native form (untagged).

Note You can use monitor session session_number destination command multiple times to configure multiple destination ports.

Why is data reduction, metadata important for SMEs?

Big Data

What is Metadata?

I attended a security conference in Washington DC recently with some engineers who worked for a  large enterprise partner.  These guys have considerable expertise in SIEM and log data so the subject of ‘big data’ came up a lot, particularly when we were exploring how the combination of wire and log data in a single system could benefit both IT security and network operations.

  • By monitoring, recording and analysing traffic at critical points across a network one can use the data to troubleshoot a variety of IT security and operational use causes. Find out what users are actually doing, how critical resources – servers, applications and bandwidth – are used. The detail provided by examining both the packet headers AND contents, not just the headers, ensures users can very quickly drill down to the root cause and view the granular information to really understand the problem. For example, the information required to prove it is NOT the network but the large ISO the user had been copying across a WAN link.
  • Combining this information with log data collected from critical servers, security appliances and network systems in one system leads to the ‘holy grail’ – ‘network aware’ data grabbed off the wire AND log data in one searchable database, all the detail and insight required always available through a ‘single pane of glass’.

Both sources of data – wire and log  – really complement each other, enabling users to pivot on an IP or user name and really see data in context.

Our discussion was enterprise focussed, and the single  term that kept popping up was ‘data reduction’. This is relevant because capturing all this data, traffic and logs and storing it all in ONE location will result in unbelievable levels of insight but a LOT of data. The hardware required to store and index it for even a few days could be very expensive not to mention the technical expertise to try and interpret and understand it. It is crucial to be able to see the ‘wood from the trees’ and quickly understand  the data you are looking at.

We have also heard from many customers that tools based on Netflow are very useful for troubleshooting, bandwidth issues for example but in many use cases lacks the drill down and detail to ‘find that smoking gun’, the user name who deleted/moved a folder or downloaded the customer database before resigning, user activity monitoring and troubleshooting.  But we also sometimes hear ‘DPI (Deep Packet Inspection)  based solutions are complex and expensive and there is nothing better out there ?’

One option is to NOT store every single packet, only the most important and useful information, the actionable data, the metadata.  Easier said than done, how does one predict the future and decide the information or metadata to retain, that packet data that will be useful in the future?  Not to mention accurately detecting the application in order to reassemble the stream, extract and store only the useful detail. As regards a user downloading something from the Internet for example this metadata would include the user name, domain name, the actual page or URI accessed, the video watched, the date and time and bandwidth consumed. So one could go back and say, do you know how much bandwidth that training video you were watching consumed on that link ?

NetFort solved this by listening to and working with our customers.  For example, a few years ago a UK financial customer said

‘Using the LANGuardian, I can see a user copying a large amount of data from an internal Windows file share. I can see the IP address, user name, source and destination ports, time and amount of data but I also really need to see the actual file names, is that possible?’

We started looking at the SMB protocol, broke it down and developed a follower or dissector. Now for certain critical protocols we can accurately identify, follow and reassemble them to extract the critical detail, the Netfort metadata and store it, all in real time.  Then we focussed on developing ‘a google type search’, GUI to try and make it easy to enter a query and search through all this data. This was and is probably more difficult than writing the protocol decoder, usability is a huge challenge.

It is also important to note that as this metadata contains rich granular information extracted from the packet contents and as it is stored in a built in database for long periods it can be very useful for many security, user related use cases and network forensics. Granted though, that there are also use cases where having access to ALL the packet contents is critical to complete the picture or for evidence. Maybe the ideal combination is full packet capture data retained for short periods, hours, days and metadata for weeks and months ?

This detail or metadata is protocol specific, for example for Windows file shares it includes the file name and action, for MS SQL the SQL query, etc. The effort required to develop each dissector depended on the protocol, SMB V2 was not trivial for example but both for our customers and NetFort, it was definitely worth it. All because of ‘data reduction’ and  building the intelligence into the software. Less is more and everybody wins. Now our customers get metadata they can understand, retain for long periods and use for many issues including  network operations, IT security and network/user forensics. NetFort get a new large sector to target, SMEs, because now they have the option of affordable network activity monitoring and forensic solution, a single reference point containing very useful  granular information they can understand and act on.

John Brosnan

NetFort CEO

Network monitoring options for a home lab

network switch

We have had a number of queries recently from people who want to setup network monitoring tools on their home lab networks. In most cases people want to track Internet activity or find out what users are doing on their networks so tools that use SNMP as a data source are usually not an option. The other barrier here is costs, most want a free or very cheap solution. So, what are the options? Based on my own experiences you can get a really good monitoring system in place by implementing one or more of the following:

  • Better firewall
  • Managed switch
  • TAP
  • Monitor virtual switches
  • Client software

Upgrade or add a new firewall

Companies like Untangle provide free versions of their software. Typically this is installed on a dedicated server\PC with two network cards. One network card is connected to your Internet connection (ISP router) and the other goes to your LAN. Firewalls like Untangle will include some reporting options so you will see what is happening on your Internet connection.

Pros – Reporting with blocking capabilities.
Cons – You will need a dedicated appliance which will need to be left powered on so be sure to pick a low power one. More advanced options may be chargeable.

Managed Switch

Gigabit Ethernet switches prices have dropped a lot in recent years and there is also huge choice in the second-hand market. Look out for models with SPAN or port mirroring options which will allow you to get a copy of network packets as they pass through the switch. Once you have a SPAN or mirror port setup you can then connect up your favourite packet analysis software.

Pros – Not inline. Get visibility of what is happening on your Internet connection and what is happening on your LAN. You have the flexibility to connect any traffic analyzer to the SPAN|mirror port.
Cons – Managed switches will not include decent traffic analysis options. You need to do this with another tool. Not all packets (error packets) are copied to the SPAN\mirror port.

TAP (Test Access Point)

A TAP is a device which that mirrors the traffic that passes between two network nodes. It is similar to a SPAN or mirror port but will not require the replacement of any switches. In recent years prices have dropped significantly and you can now get a USB powered TAP for less than $150 or a 100Mbs one for $10 . Companies like Garland Technology have more advanced units if you require more features.

Pros – Not inline so wont impact on your network. You get a mirror image of all packets on the network segment that you are monitoring.
Cons – The basic models will only allow you to monitor a single switch port.

Monitoring options on virtual switches.

Many home labs now include a hypervisor of some description. One of the most popular platforms, VMWARE, provide free license options but most other platforms will have license options for home labs. If you do have something like this in place you can enable promiscuous mode which allows you so see what traffic is moving around the virtual switches. The trick is to use VLAN ID 4095, all packets from all the port groups are forwarded to this VLAN.

Once you have the VLAN configured you just need to deploy a network analysis tool as a virtual machine and you then get visibility as to what is happening on your virtual switches. With a bit of cabling you can also link your virtual environment up with your physical network. More info in the video below.

Pros – Everything virtual, no hardware required.
Cons – You will need some sort of hypervisor. Unless you link up to your physical switches you may only see what is happening on the virtual switches.

Client software

Some home labs may only contain one or two systems so one option to consider is to install client software on each system. There are many free options. Wireshark is the most popular but tools like Glasswire can make it easier to understand what is happening.

Pros – Easy to use tools in some cases.
Cons – You will need a client on every system, this may not be possible for wireless devices. Difficult to get 24/7 monitoring in place without leaving all devices switched on.

Finally, contact the vendor if you come across a tool which is perfect for your requirements but the pricing is more geared towards large organizations. They may have options for home labs in return for some feedback or if you blog about your experiences with their products. It may be a long shot but no harm in trying.

If you need more infomation on network monitoring tools, click on the contact button at the top of this page, our support team is standing by to answer your questions.

Darragh Delaney
Follow me on Twitter @darraghdelaney

December 12th 2014

Open SNMP service used for an attack

Computer Hacker

Customer Use Case

At NetFort we keep talking about having a unified network visibility for both security and operations. The rationale for us is pretty simple; our already stressed customers have a reference point, a single pane of glass to monitor and troubleshoot any suspicious activity.  It does not matter whether the activity is security or performance related. If users are reporting the ‘network is slow’ or an ISP notifies you of suspicious activity, you need that single reference point to actually see what is going or for network forensics, to see what happened and fast.

This visibility is especially important for organizations such as universities, stadiums, airports that, due to the nature of their business, need to operate open, high speed networks.

In a recent case, one of our customers was running a server that was hijacked and participating in an attack, generating large UDP responses to spoofed SNMP queries.

This ‘SNMP speaking’ device, was configured with the default SNMP community string ‘public’, easily guessed by a third party. A really good example of the risks associated with SNMP and why some organizations disable it entirely. The server was accessible from the public internet.

The attacker identified the server and guessed the SNMP community string. SNMP normally runs on the UDP protocol (and did in this case). UDP doesn’t require a session, so IP addresses and port numbers in a packet can be faked. The attacker fabricated a UDP SNMP query packet (a getbulk request) and used the victims IP address as the source IP address. All that was required was to edit the address, recompute the header checksum and transmit the packet.

The server duly received the packet, verified the checksum, generated the SNMP response and sent it to the victims IP address. Further, the attacker fabricated the source port number and inserted port 80, instead of the usual ephemeral port number. This meant that responses were targeted at the victim’s web services. As responses were large, this constituted a DOS attack on the victim. Our customer appeared to be the source of the attack. This type of attack is know as an amplification attack.

In this case, the customer was immediately alerted because LANGuardian monitoring had been installed and configured and had detected large amounts of egress SNMP traffic on a non standard port number.

SNMP Attack

Recently we’ve all been hearing a lot about APTs (Advanced Persistent Threats) but a recent surveys reports that 90% of successful attacks are as a result of the basics not being covered off,  upgrade, patch, validate configurations, replace unsupported software, training and continuous monitoring.

If you do not continuously monitor so you can clearly see what is actually happening on your network, you will get that phone call or email soon….and it could be at the worst possible time.

John Brosnan
NetFort CEO

Network Activity Monitoring For Citrix Servers

Citrix develop virtualization platforms for managing cloud, server and desktop virtual infrastructures. The most popular deployment scenario is where user desktop environments are virtualized. This means that no matter where you log on to the network you always get access to the same applications and services.

Virtualization does bring some problems for IT managers. How can you monitor who is accessing what on your network. On more traditional networks, user activity can be logged by monitoring what applications and servers that their systems connect to.

In a virtual environment the user connections are all routed through network cards on the Citrix server through a process similar to network address translation (NAT). This means that traffic hitting the application servers will all come from the Citrix server IP address and not the IP address of the virtual desktops. This can make it difficult to track down what client is accessing what.


There is a solution to this problem and it is called Virtual IP Addresses (VIP). This is a feature of Citrix XenApp 6.x where all virtual clients are given their own unique IP address. Instead of a NAT type service you end up with bridging where the XenApp server acts as a bridge between the live and virtual networks.

How to enable  Remote Desktop IP Virtualization

Note: RD IP Virtualization is installed as part of the Remote Desktop Server Session Host role service, but by default it is set as “Not Enabled”

  1. Open the RD Session Host Configuration console.
  2. Locate the RD IP Virtualization setting.
  3. Double-click the IP Virtualization link to access the RD IP Virtualization properties dialog box.
  4. To enable Remote Desktop IP Virtualization, select the Enable IP virtualization check box.
  5. Check Select the network adapter to be used for IP Virtualization drop-down to list all the enabled network adapters that can be used for RD IP Virtualization.
  6. Select the appropriate network adapter to be used for RD IP Virtualization.
XenApp with VIP

This feature is not enabled by default on XenApp 6.x. One thing to watch out for is that when you enable this you will find that your DHCP address pools will fill up quickly. It is recommended that you shorten the duration of the lease time to free up IP addresses more quickly.

Is the PirateBay slowing down your network?

The PirateBay

PirateBay & Bandwidth Use

Can The PirateBay directly slow down your network? The short answer is actually no. PirateBay is a website that provides magnet links (and some torrent files) to facilitate peer-to-peer file sharing using the BitTorrent protocol. It does not host any movies, music or other types of data.

What it does provide is information like the content’s cryptographic hash value which then can be used to contact other peers which are downloading or uploading the same data. Once a BitTorrent client has established a connection with another peer it can then download and upload data. The BitTorrent protocol is very efficient and will use up lots of bandwidth so it is the protocol that will slow down your network and not websites like PirateBay.

If you want to prevent this from happening on your network you could block access to sites like PirateBay. This may work as users cannot download anything without getting some information from PirateBay. However, it will not solve the problem as users could access the site on another network or through mobile broadband and then use your network to download.

When it comes to monitoring bandwidth use, it is vital to have a network monitoring system in place. Once setup you should look for any clients connecting to systems outside your network on high port numbers. BitTorrent clients will use high port numbers over UDP. This is unusual as normal web browsing will be on ports 80(HTTP) and 443(HTTPS).

A connection from a local system to an external one over something like port 10921 would be unusual. Application recognition systems will help here as they will report on what protocols are in use, not just reports based on port numbers.

Also look out systems which are uploading a lot of data. Normally clients download a lot more data than they upload when accessing web pages. Client systems which upload a lot of data are sharing something and are always worth investigating.

Deep packet inspection (DPI) tools like LANGuardian use packet capture to analyse the data which is moving around your network. LANGuardian can track down BitTorrent use by extracting the info hash values from the BitTorrent traffic. This metadata makes it easier to track down and investigate BitTorrent use. Check out the video below which shows how LANGuardian can be used to track down the source of copyright violations.

How do you track down Bittorrent use? Is it possible without packet capture?

Darragh Delaney

Broadcast storm detected. All hands on deck!

Broadcast storm detected

Dealing With Network Broadcast Storm Detected Alerts

We really appreciate feedback and use cases from our customers, it is very interesting and satisfying for all the company to read these stories and understand how our system has helped make their lives easier.

One very interesting use case we’ve had recently was from an EMEA customer managing a large Cisco network, single site. During a very busy and critical time of the day, the switches were reporting ‘Broadcast storm detected’ and had applied filters as a defence mechanism. After a few minutes of panic they used the LANGuardian Ethernet:Top Broadcasters report, found the MAC address and a faulty IP Phone was quickly identified and shutdown.

Network Top Broadcasters

They also mentioned that they remembered back to a similar situation before they had the NetFort system and it taking a lot longer, even days with a packet sniffer to find the offender.  One of the benefits I sometimes mention to prospects is ‘Save time’ and in this case, this definitely applied.

Another benefit I really believe in is ‘internal visibility’, most organisations focus on the perimeter, but what about the internal network? How important is it to have a visibility into internal traffic,  network usage, activity, what users are doing, user to server and server to server traffic ? The right level of visibility, enough to see the ‘wood from the trees’ but with some drill down to understand the problem and resolve it quickly ?  Both real time and historical, not only to be able to see what is actually happening now but also to be able to pause, ‘go back’ minutes, hours, days, and see what actually happened. Network forensics is rapidly becoming a priority for organisations of all sizes, not just enterprise.

But, the real lesson for me here is that this organisation has been proactive, they already had deployed the LANGuardian to get visibility and monitor network activity.  They had a console, data to immediately access and to try and find the issue before it escalated.  A while back they recognised that it is important to continuously monitor, to also have internal visibility, cover off all the network, so that when there is a problem they are not running around, playing the blame game, under pressure or trying to find a ‘sniffer’ and then plug it into the right place.

Good story and we really appreciate that they went to the trouble of sending us an email with all the detail and thanking us for our support and the LANGuardian product.

John Brosnan

NetFort CEO

Could there be zombies lurking on your network?

Zombie host

A few years ago I covered the network zombie issue on my Computerworld blog. In it I looked at a couple of customer issues where a zombie client had caused network problems. Is this all a distant memory?

If anything the problem has become worse in 2014. The list below is just a sample of the threats and vulnerabilities that made the news so far in 2014.

No matter what size network you manage you can fall victim to any of the above. While the majority of issues that I hear about are still user and application ones, you should still have tools and procedures in place to deal with the really bad stuff. I could be generalising here too much but the majority of network issues are typically broken down as follows:

  • Equipment failures
  • User and\or application problems
  • Malware or other targeted attacks

Back to the subject of zombies and they are still a big problem. Recently I heard from a customer where an IP phone went faulty during a very busy time on their network. The phone started flooding the network with broadcast traffic and had the potential to grind things to a halt. Once they received an alert they got onto their network activity monitoring solution and weeded out the phone quickly. Metadata captured from network packets was used to identify the phones MAC and IP address and this information was then used to trace where the device was plugged in.

In another recent case where LANGuardian was used, a faulty network switch resulted in a network getting flooded with data from a number of hosts. What was once a managed switch doing its job suddenly became a zombie; under the control of no one and destined to cause havoc. If you manage a network you can use this to justify the investment in network monitoring tools.  You need to be able to get alerts and see what is happening on your network. This will save money with less downtime and quicker troubleshooting speeds.

Over the last 18 months a trend has emerged where zombie hosts are now trying to take control of your data. Cryptorbit and its variants actively seek out file share and encrypt all files found. In some cases you may be able to decrypt your data but in others you may need to pay a ransom.

As I mentioned previously, these zombies can arrive on any network. Now that we are entering the era of the Internet of Things, we are increasing the possibility of zombies appearing on networks. No matter what sized network you manage you need to be able to see what is happening.  When it comes to home networks, Wireshark can be a really useful tool. Just install it on a client and use it to monitor local traffic or connect the client to a SPAN or mirror port if the traffic rates are low. On larger networks you should look at commercial tools like LANGuardian.

Tell us about the zombies you found on your own network, comments welcome!


Bandwidth Increases and the Moving Bottleneck

network switch

Bandwidth Demands in the Modern World

For today’s post I am not going to talk about the challenges of managing large enterprise networks or spend the next 200 words trying to explain some complex network diagram. Instead I am going to look at some of the recent changes on my home network and how increasing bandwidth in one area moves the bottleneck to another.

My home network is split into two locations. I have an office where I have most of the storage and an ESX server for running all sorts of tests. It is connected via two 1Gbs Ethernet cables to the house where my broadband connects. When I was building the house 10 years ago I got the electrician to run Cat5 cabling to most rooms so I don’t need to rely on Wireless for everything.

Home Network

For those of you who don’t know me I live near a town called Claremorris which is in the west of Ireland. Internet connectivity speeds are decent enough around here as the town was chosen as one of Irelands first fibre connected towns. Most businesses in the area are connected via 250Mbs fibre connections.


I recently upgraded my broadband connection to vDSL. In Ireland the service is called eFibre and a company called Eircom look after most of the infrastructure. Prior to the upgrade I had an 8Mbs DSL connection which was okay but it was the bottleneck when it came to moving data around.

My new vDSL connection gives me a 60Mbs Internet connection so that has moved the bottleneck back into my network. All of the wired stuff is fine as it’s all connected via 1Gbs connections; problem is now with the wireless devices.  Maybe problem is too strong a word; I just want to make sure that all devices on my network are connecting at the fastest speed possible. I switched my wireless router over to 802.11n after the vDSL upgrade and I am now reading up about the 802.11ac standard. Do any of you have any opinion on this, what is best for a home network? Please leave your comments below.

Finally, my next project is to implement a new firewall on my network, one which has better filtering options. More and more devices are arriving in the door with wireless connectivity. My plan is to set up multiple VLANs. One open which can connect to all devices and the Internet, one restricted so it cannot connect to some devices on the network and one very restricted for kids devices that may need to download updates from the Internet. The latest version of Untangle looks interesting but more reading is required.

Do you have any recommendations for securing home networks? You can add comments below.

Darragh Delaney

Do you really know what is going in and out of your network?

Network Activity Reporting Software

It’s Friday and I am just back from visiting a number of LANGuardian customers in the UK. As usual it amounted to a very interesting few days with visits to public sector clients, a document management company and even a F1 team. The common use case which kept coming up was that IT managers within these organisations want to know what is going on within their networks. This is what is at the heart and soul of NetFort; we continue to develop LANGuardian so you can find out what users are doing on your network.

So why is this so important or a better way of asking this, do you really know what is happening on your network? A good example of why this is important is related to the potential issue discovered this week where LG televisions were transmitting user data out of their home networks. While I was waiting in an airport I noticed my Twitter and RSS feeds filling up with information and comments on this story. It really got the security community going. We now live in the age of the Internet of things; everything is getting connected to the Internet, from washing machines to fridges. It’s all become smart everything.

What is also interesting about the LG article is the means by which the issue was discovered. Wireshark was used to do deep packet inspection. Some vendors will suggest that SNMP or even flow (NetFlow, sFlow and others) tools will provide visibility on a network. In some cases they may provide okay levels of visibility in most however they fall well short. This is because they don’t work out what applications are in use and they don’t look at packet payloads. I know IPFIX and NBAR are supposed to address these deficiencies but you need really specialist equipment to work with these.

SPAN or mirror ports are available on all networks so why not make use of them. You can use Wireshark or better still check out our LANGuardian software which does the hard stuff for you. It will go though each packet and extract metadata so you can see users, application names and payload information. Wireshark is a fantastic tool but sometimes because of the low level of detail, the ‘bits and bytes’, it is hard to see the big picture and see activity first at a higher level,  show names for example, domains, URIs, files, users, a level of DPI that most people can use to understand exactly what is happening.

Back to the LG story. I have a Sony smart TV which is connected to the Internet. The online features are fantastic, great for watching YouTube and running other streaming apps. Earlier I switched it on while I was monitoring its traffic with my LANGuardian. I just left it running on one channel and did nothing else. Having read the article about the LG TV I got curious if my TV could be doing something similar. The screenshot below is from a forensics search where I focused in on the IP address of the television. Even without using any of its smart features it’s connecting to outside services. Most traffic is via HTTP but some is also sent encrypted by HTTPS.

sony forensics

Drilling down further reveals lots of connections to I did not spot anything sensitive as was shown with the LG story but I am going to keep a close eye on this just to make sure

sony uri

What all this shows is that if you really want to find what is going in and out of your network you really need deep packet inspection.

Darragh Delaney




More demand for Deeper Traffic Analysis?

What is Driving Demand for Deeper Traffic Analysis?

During a customer review call last week, we got a very interesting quote from a US based user who offers marketing services to the retail sector: ‘We need greater insight over what is taking place on our internal network, systems, services, and external web farm seen through a single portal. We need to keep downtime to a minimum both internally and on our external customer-facing web farm. We chose LANGuardian because of its integration with SolarWinds and its deep-packet inspection capabilities.”

Before discussing this in more detail, because of all the hype these days we also always ask about cloud now, so when we asked this contact about hosting these critical services in the cloud, he countered with 3 reasons for keeping them in house:

  1. Security
  2. Control
  3. Cost

When drilled on ‘cost’ he mentioned that they were shipping huge amounts of data and if hosting and storing this in the cloud, the bandwidth and storage related charges would be huge and did not make economic sense.

Back to Deeper Traffic Analysis, turns out this customer had already purchased and installed a NetFlow based product to try and get more visibility and try to focus on his critical server farm, his external/public facing environment. His business requires him to be proactive to keep downtime to a minimum and keep his customers happy. But, as they also mentioned to us: ‘With Netflow we almost get to the answer, and then sometimes we have to break out another tool like wireshark or something. Now with Netfort DPI (Deep Packet Inspection) we get the detail Netflow does NOT provide, true endpoint visibility

What detail? What detail did this team use to justify the purchase of another monitoring product to management? I bet it was not a simple as ‘I need more detail and visibility into traffic, please sign this’! We know with tools like wireshark one can get down to a very low level of detail, down to the ‘bits and bytes’.  But sometimes that is too low, far too much detail, overly complex for some people and very difficult to see the ‘wood from the trees’ and get the big picture.

One critical detail we in Netfort sometimes take for granted is the level of insight our DPI can enable into web or external traffic, does not matter if its via a CDN, or proxy or whatever, with deep packet inspection one can look deeper to get the detail required. Users can capture and keep every domain name, even URI and IP address AND critically the amount of data transferred, tie the IP address and URI to bandwidth.  As a result, this particular customer is now able to monitor usage to every single resource or service they offer, who is accessing that URI or service or piece of data, when, how often, how much bandwidth the customer accessing that resource is consuming, etc.

Users can also trend this information to help detect unusual activity or help with capacity planning. This customer also mentioned that with deeper traffic analysis they were able to take a group of servers each week and really analyze usage, find the busiest server, least busy, top users, who were using up their bandwidth and what they were accessing. Get to the right level of detail, the evidence required to make informed decisions and plan.

CDN(Content Delivery Networks)  usage has increased dramatically recently and are making life very difficult for network administrators trying to keep tabs and generate meaningful reports on bandwidth usage. We had a customer recently who powered up a bunch of servers and saw a huge peak in bandwidth consumption. With Netflow the domain reported was an obscure CDN and meant nothing. The LANGuardian reported huge downloads of data from from a particular IP address and also reported the user name.

What was that about justification? How about simply greater insight to reduce downtime, maximise utilisation, increase performance, reduce costs. All this means happier customers, less stress for the network guys and more money for everybody!

John Brosnan
CEO NetFort

The Network is slow….again…. What is the root cause this time?

Troubleshoot broadcast storms

During our Monday morning coffee break/meeting last week, I heard our engineers talking about a prospect in the Middle East. I’m an engineer (or I used to be!) so I usually immediately start asking questions and ‘drilling down’ to try and understand the real problem.  It is always critical to understand the real pain, not only to help with our roadmap and messaging but it is also very important (and getting more difficult) for management to try and keep in touch with the latest  ‘issues’

The prospect has about 2000 users, Cisco core, 3 or 4 sites. When I asked why they got in touch, how they found us, what PAIN caused them to search, download and install the LANGuardian on a virtual appliance and request a quote, I got a pretty simple answer, ‘sometimes their network is very slow, he wants to know what is happening on his network. A bit like the movies I guess, sometimes the old ones are the best.

I know some companies have worked this to death and you are probably sick and tired of receiving emails on this but why are organisations still having this problem? Now we have 10 gig at the core and even 10 Gig Internet pipes, surely even the students attending large universities cannot be using it all up?
Is it because users like the millenials are now more technical, sophisticated and demanding? As a network administrator mentioned to me recently, ‘they always blame the network but 90% of the time it is the users. I use the LANGuardian to generate evidence’

Is the transition to the cloud a factor ? Video especially HD quality on youtube for example is certainly a major contributor. Is it because organisations have to do more with less and network administrators are under more pressure?

This particular issue was related to security cameras hogging bandwidth internally so this traffic was not getting to the perimeter and not easily visible to the administrator. I’m not so sure logs would have helped here as are not really useful for troubleshooting bandwidth related issues on actual links to and from remote sites or the Internet. One usually needs to have the ability to only focus on a specific link or area of the network using traffic or flow based technologies. These traffic or flow based systems can capture a lot of detail on network usage, top clients, servers, amounts transferred, type of traffic, trends over long periods of time, all very useful for network forensics and troubleshooting.

Even with all the products available today, maybe due to cost, complexity (both networks and network management systems) budgets, having to do more with less, some companies do not monitor network usage or activity until there is a problem and then they resort to their favourite tool, google. I was talking to a security officer of a large US based multinational last week and even he mentioned to me that google was even his favourite security tool.

We are seeing a trend though, organisations are looking for more visibility on bandwidth consumption, they sometimes have flow tools for example that ALMOST give the answer.  As a guy said to me at an RSA conference ‘you have to look into the packets these days’. They want to know, be able to go deeper, get that final drill down to understand exactly what is going on and have all the information and evidence required to solve the problem. Even getting a simple report like a list of the Top 10 domains for a time period is sometimes not that easy due to proxies, CDNs, so much traffic now tunnelled over port 80, etc.

The information is in the traffic and all networks have traffic, if you can sniff if via a SPAN port or tap and present it at the right level it can help with so many pains including the network is slow. If you can keep it simple, easier said than done though.


John Brosnan
NetFort CEO

Finding Out What Users are Doing on Your Network

Network Users

A few weeks ago I published a blog article which asked the question; are forensics tools the new IDS. It proved to be very popular as it’s closely connected to one of the most common questions in IT, how can you find out what users are doing on a network. The challenge is that the digital footprints of users are spread all over networks and include data sources like:

  • Server and application log files
  • Network traffic
  • Profile information on computers and laptops
  • Network device logs

When it comes to server and application logs, one of the most important pieces of data to capture is when users are logging onto a network. This data can be sourced from the directory services infrastructure; you just need to make sure you have logging enabled on services like Microsoft Active Directory. Logs like this will give you usernames, IP addresses, date and time of logon. The username and IP address combination is very important as many other network systems will log data based on IP address so you will need an inventory of what usernames are associated with these. Once you have stored user logon data in a central location you can then look at capturing other network and application data.

Once you start to log who is logging onto your network you then need to identify what applications are in use and track activity associated with Internet use and file shares. This is just a basic list and you may need to look at other data sources if you have compliance or regulatory standards to adhere to.

Monitoring Internet usage
Monitoring Internet usage can be a contentious issue. Some say it is an invasion of personal privacy while others say it is necessary to keep a network running in an efficient and secure manner. Most network managers that I speak to adopt a fair use policy, they implement systems which can detect the top consumers of bandwidth and alert if zombies are detected on the network. When systems are infected with malware, you need to monitor what sites they are trying to connect to. You can start monitoring Internet activity by setting up logging on your proxy, Internet filtering server or firewall. As with all logging, make sure you have enough system resources so it does not impact on performance.

This information can also be captured from network traffic; you just need to get a deep packet inspection system which can extract HTTP header content and DNS query data from network traffic. Finally, make sure you are also monitoring your Internet connection for any users who may have found a way to bypass your proxy or filtering system.

Application recognition by looking at network traffic
Application recognition is the art and science of identifying the applications that are in use on a network and understanding the impact of each application in terms of bandwidth usage, user behaviour, security, and compliance. It has become vitally important for several reasons:

  • The growth in cloud computing and proliferation of OTT content has led to a huge increase in the number of applications that communicate over Layer 7 applications like HTTP. Effective monitoring of network activity requires looking deeper into Layer 7 traffic so that individual applications can be identified. The level of detail provided by NetFlow – source address, destination address, and port number – is no longer enough.
  • System administrators and network engineers are increasingly turning to random and non-standard ports to counteract threats that assume applications and protocols use standard port assignments. Monitoring tools that rely solely on port numbers typically report traffic on non-standard ports as “unknown.”
  • Many applications use more than one port. For example, web applications use port 80 for non-encrypted HTTP traffic and port 443 for encrypted HTTPS traffic.
  • Application developers do not always adhere to standard port assignments, and in some cases deliberately evade conventional security by using techniques such as port-hopping, SSL encryption, and tunnelling within commonly authorized protocols. Cyber attackers attempting to infiltrate networks often use similar techniques.

The main thing you need for application recognition is a source of data and a SPAN or mirror port is ideal for this. Ideally you would set this up at your network core for maximum visibility.

Monitoring file shares
There are a number of ways you can monitor what files and folders users are accessing on shared drives:

  1. Install software agents on the file servers or client systems
  2. Enable auditing on servers which host file shares.
  3. Capture the information passively from network traffic.

The requirement to install software agents is the least popular option as it is troublesome to manage. Users may find ways to uninstall or disable the agent which will leave you without an audit trail. Logging on servers can also be problematic as logs fill very quickly so you need to be careful that you don’t overwrite the data you need when the logs reach capacity.The easiest way to capture file and folder activity is to use a deep packet inspection system to capture the activity from network traffic. A quick test for any system is to see how long it takes you to find out when a file was deleted.

When it comes to monitoring what users are doing on your network, start off with the simple things like keeping a log of who is logging on, and to what systems. You can then start to extend monitoring to include applications, file shares, and Internet activity.

Darragh Delaney
Follow me on Twitter @darraghdelaney

You do not need to look into the packets, NetFort will

Deep Packet Inspection

DPI (Deep Packet Inspection) is a very useful and flexible technology used in many security and network products today. Recently I took a call from an engineer, John, working in the public sector in the US with a title ‘Senior Deep Packet Inspection Engineer’ really  friendly and experienced engineer, managing a team of 11 other engineers who was interested in our product and found it with a SEO search term.

He was interested for a number of reasons, including  its integration with some well known Network Management systems like SolarWinds and Splunk. His main pain though was ‘ease of use’. He already had a well known network management system which utilizes Deep Packet Inspection, really likes it, very powerful, can do a deep dive into the packets, extract some useful information, but very complex and difficult to use. As a result, the other engineers in his team keep coming to him for help when using the system, in order to troubleshoot and get to the information they need to understand and solve the problem.

John is what we call in NetFort a ‘power user’ , an expert, extremely technical, proactive, knowledgeable, he knows his network and technology.  John is a rare breed though, hard to find and retain, expensive, and usually extremely busy because they are asked to help with everything because they get the job done.

DPI based technology is usually ‘expensive’ not only in monetary terms, but also in terms of costs to deploy, train and manage.  Ease of use is not easy, by working closely with the customer we in NetFort tried to ensure even small and medium size organisations can easily look inside the packets and quickly get the level of visibility required to figure out what is going on.  The LANGuardian is a product  organisations of all sizes can easily download, install, use and afford to purchase and manage. It uses  DPI technology, traffic, no agents or clients,  to get to the right level of visibility, the information they require with minimum hand holding and support and ‘cost’.

DPI is complex but does NOT have to be always about ‘bits and bytes’ , ‘deep’ packet analysis, timings, errors, etc.  In some rare cases it is important to be able to get to that level  but these systems should take away the complexity until it is absolutely necessary, start at a high level, a level most of us can understand. Use the information pyramid, the software should be able to extract the complexity, to give the high level picture, to allow instant drill down, to generate reports with detail, actual NAMES, users, files, domains, normal users can understand!

You do not need to look into the packets, let NetFort do it for you!

More later…..

John Brosnan

Finding bandwidth hogs on your network

Bandwidth Hog

Bandwidth hogs can cause all sorts of problems on your LAN and WAN. From users copying large volumes of data, to application issues associated with the downloading of software update files

The support team here at NetFort recently worked with a number of customers who wanted to report on the top users of bandwidth on their networks. In most cases, the focus was on WAN links where bandwidth is both limited and expensive. Using LANGuardian they could not only drill down to traffic volumes, but also get detail like what files were being copied or what web sites were being accessed

Here is a quote we got from a customer earlier today who used the LANGuardian to troubleshoot a bandwidth issue

We had a live issue today which LANGuardian helped us get to the bottom of using the new GUI.  It was very easy using the “Bandwidth – Search by IP” option. 

The answer was right there in front of us by combining  a few of the reports. So you have a big thumbs up from me for the new GUI!

Root out bandwidth hogs within one hour!

Use the power of deep packet inspection to find out where all your bandwidth is going. With LANGuardian you just need to setup a SPAN or mirror port, no need for agents or client software. Active Directory integration also allows you to see what users are responsible.

PirateBay Now Favoring Magnet Links

The PirateBay

Did you know that the PirateBay is now favoring Magnet Links?

The PirateBay website recently announced that it is dropping torrent files in favour of magnet links. Magnet links are mainly used to reference resources available for download via peer-to-peer networks. Such a link typically identifies a file not by location or name, but by content; more precisely, by the content’s cryptographic hash value. This hash value is then used by a Bittorrent client to download data like videos or music files.

One of the main reasons behind it is that it makes it more difficult to detect if users on a network are using Bittorrent or other P2P networks. Some of you may have custom reports on your LANGuardians which focus on users downloading .torrent files and this method of detecting P2P activity is also covered in this video series. However, these reports will not work if magnet links are used.

The good news is that the LANGuardian has two other methods for detecting the presence of Bittorrent. The first uses a network traffic decoder which extracts the info hash values from packets. You can see how it works in this video. The second involves reporting on systems which are making lots of connections to systems outside of the local network. This is very typical of Bittorrent activity, lots of connections to random hosts. We are currently putting a new report together for this and we will let you know when it has been released.

In the meantime please don’t hesitate to contact us if you have any further questions about detecting Bittorrent or with the LANGuardian in general. Also, please keep an eye on our forum this month to win a free NetFort cycling jersey or polo shirt.