1 Ethical Network Monitoring Using Wireshark and Colasoft Capsa as Sniffing Tools Nedhal A. Ben-Eid Computer Trainer, Computer Department, HITN, Shuweikh, State of Kuwait Abstract: With the development and popularization of network, the management and monitoring of network traffic is important to keep the network smooth and efficient. It is increasingly critical that an organization secure the system to avoid external hacking and employee abuse of computers in the workplace. This paper study the problem of employee abuse of computers in the workplace and discuss ethical and legal dimensions of the decision facing employers and network administrators regarding whether it is appropriate to monitor the employee's workstation in the organizations. Packet Sniffer is a tool used by network administrators to capture all the packets on the network and monitor the bottlenecks, alarm the irregular behavior, capture passwords and VoIP from any workstation in that network to keep network secured. We give a brief introduction of what is a packet sniffer, its structure, uses and types. Two of the most popular packet sniffing software are discussed and examined; Wireshark and Colasoft Capsa. They are compared according to their features, characteristic behavior, qualitative and quantitative parameters. Keywords: Packet capture, Traffic analyzer, Network monitoring, Network Sniffing, Network analyzer, Packet sniffer, Wireshark, Colasoft Capsa. I. INTRODUCTION Information technology has emerged as an integral part of today's organizational infrastructure. These technologies have the potential to improve worker efficiency and effectiveness. However, there are risks associated with any technology including the potential for employee abuse resulting in negative consequences . This abuse mostly happened when the employee accessing the Internet using the organization's workstation for non-work related purposes, which will affect the performance of the network and decrease the productivity of the employees at work. Network monitoring is the best solution to capture each packet sent or received in the network in order to keep the network secured and efficient. This monitoring is done by the network administrator who watches all the inappropriate actions happened in the network . II. THE PROBLEM OF ABUSING THE COMPUTER AT WORK As evidenced by various surveys and studies conducted by media research companies, including Nielson, Burst Media, and emarketer, the average employee spends between one and two hours each day using the Internet for personal reasons. Another recent survey shows that 51% of employees who use the Internet at work spend between 1 to 5 hours per week surfing the web for personal reasons . A field survey is tested on 500 employees working in different organizations in state of Kuwait to know whether there is a real problem concerning computer abuse in the organizations, which will be reflected on the performance of the network and employees productivity. The survey consists of 20 questions and tested outside the organizations environment due to privacy reasons, and 12 papers have been excluded due to inconsistence. The results of the survey are shown in the following four figures. Figure (1) shows that 86 % of the employees in the survey are using Internet during the work hours for personal purposes, which is a very high percentage and indicates that there is a real problem that needs to be controlled by the employers as well as the network administrator. Fig. 1. The percentage of Internet usage at workplace Most of employees would be hard pressed to deny their use of the Internet at work for non-work related purposes. With sites like YouTube, ebay, Face book, shopping and banking, tempting them at every turn, it can be difficult to resist personal Internet usage at work. While not every person has access to the Internet at work, the majority do . Figure (2) shows the applications that attract the employees during work time in the organization % % Percentage of employees using Internet at Workplace for Non- Work related purposes Percentage of employees not using Internet at workplace 100 Fig. 2. The Internet activity that attract employees at workplace 0 Shopping Banking chatting Youtube Searching Copyright to IJARCCE DOI /IJARCCE
2 It is clearly seen that the first attracting action is "searching" about some topics or images that may be useful for researchers. And the last attracting application is "chatting" because mobiles have substituted this application by WhatsApp, Viber and other mobile chatting applications, which are easier and more practical than desktop chatting applications. The enormity of potential productivity loses, as reported by Court (2004), is approximately one million dollars annually for a company with 500 employees surfing the Internet for just a half hour a day. Using these facts, if an employee spends two hours per day on the Internet, and the organization has 500 unmonitored employees, the potential annual loss could be nearly $4 million. If a business owner does nothing to stop these counterproductive activities, then it is not likely the owner could stay in business. Workplace monitoring can be beneficial for an organization to obtain productivity and efficiency from its employees . According to our survey, figure (3) shows that 40% of the employees spend 6 hours a week or more using Internet at work for personal purposes; which is equivalent to 1.2 hours a day of computer abuse. 29 % 12 % 19 % 40 % hours a week 2-0 hours a week 4-2 hourse a week 6-4 Fig. 3. Number of hours employees spend using Internet at workplace Every Employee accessing the Internet at work for nonwork related purposes has some personal purpose or reason to do so. Figure (4) shows some suggested reasons and the percentage of employees that consider it the main reason that force them for computer abuse at workplace. 24 % 21 % 5 % 50 % hours a week6 More than To Improve my skills & knowledges Not have Internet connection at home High Internet speed at workplace Overcome weariness Fig. 4. The main reason for using Internet at workplace As we can see from the previous figures that there is a real problem concerning the computer abuse at workplace, which will affect the performance of the network and requires some kind of control and monitoring. Security is yet another reason that gives rise to an organization s need for employee monitoring at workplace. Woodbury (2003) explains that opening unsolicited at work creates danger because attached files could contain a virus, wreaking havoc on a workstation hard drive and then spreading through a business entire computer network. Many articles from Management and law journals such as the American Management Association and Mealey s Cyber Tech Litigation Report support a perceived need for employers to monitor their employees. The need comes from more than just a desire to increase productivity, but there are also issues relating to protection from potential legal liability . III. NETWORK MONITORING In most workplaces, all employees' computers are connected to the system administrator's computer. This allows the system administrator to gain access to an employees' computers, which will facilitate his work when a specific problem occurs. However, remote access also allows the system to check log files, including s, web site visits, and even downloads, that the user might believe to be deleted or cleared. Internet surveillance and desktop surveillance are the two basic types of administrator monitoring. Internet surveillance is the active monitoring of a user's online activity. And desktop surveillance involves the physical monitoring of a specific computer and every action taken by its users . Network monitoring provides information regarding network related problems even before a problem develops. It also provides guidance on how to improve the network by studying performance charts of the network activities. Built- in pagers and alarm keeps network administrator informed on all the important happening in the network . Although the employees' monitoring technology is extremely sophisticated, it is in practice by large and small businesses throughout the world and it is growing rapidly . The American Management Association (AMA) survey reported that 82% of employers engage in some form of network monitoring (AMA,2001). In USA an estimated 14 million employees have their Internet use under continuous monitoring. Worldwide, an estimated 27 million workers are under such monitoring (Firoz et al,2006) . People, the employees, by nature generally tend to desire more freedom and less monitoring. Many people and organizations are against monitoring the activities of people in the work place. Opponents include civil liberty groups, privacy advocates, and many employees themselves. Among the major criticisms of electronic employee monitoring, as noted by Watson (2001), are increased levels of stress, decreased job satisfaction, decreased work life quality, lower levels of customer Copyright to IJARCCE DOI /IJARCCE
3 service and employers can use it unfairly, which will create a hostile workplace. On the other hand, giving employees open, unmonitored, computer access causes productivity and efficiency to suffer. There has to be a balance between protecting the company s information assets without going overboard to the point where employees feel alienated. Education and communication are the best tools to attain this balance . IV. LEGAL AND ETHICAL ISSUES OF NETWORK MONITORING This paper takes a look at a neglected area of most computer security professional's training; how to deal with the ethical issue that can crop up during the course of doing their job. Physicians, attorneys and other professionals whose job duties affect other's lives usually receive, as part of their formal training courses that address ethical issues common to their professions. IT security personnel often have access to much confidential data and knowledge about individuals and companies networks and systems that give them a great deal of power. That power can be abused, if it is not controlled with ethical issues. The education and training of IT professionals, including security specialist, usually focuses on technical knowledge and skills. You learn how to perform tasks, but with little consideration of how those abilities can be misused. A common concept in any ethics discussion is the "slippery slope". This pertains to the ease with which a person can go for doing something that doesn't really seem unethical to doing things that are increasingly unethical. So, it's easy to notice that each legal action could "morph" into much less justifiable actions. For example, the information you gained from reading someone's could be used to embarrass that person, to gain political advantage within the company . New technologies often create the need for new rules. Marshall (2001) uses the example of the U.S. postal system to show how laws change to address new technologies. In 1825, Congress enacted mail antitampering laws in response to increased reliance on the mail system, brought about because of growing literary in the young nation. However, it was not until 1877 did the Supreme Court extend Fourth Amendment Constitutional protection to mail, requiring government officials to get a court order to open mail. Marshall s postal system example shows how laws often lag behind technological development. is like a new version of postal mail. While laws currently protect someone from opening or tampering with postal mail, the same type of laws do not currently (and may never) protect . However, the question of ethical behavior in IT professions is beginning to be addressed. Voluntary professional associations such as the Association for Computing Machinery (ACM) have developed their own codes of ethics and professional conduct, which can serve as a guideline for individuals and other organizations . Current laws do not specifically state that monitoring employees is illegal. In fact, some organizations have used information obtained from monitoring employees as key evidence in many legal cases. An article by Meade (2001) on workplace privacy notes that e mail and Internet-use evidence has been used to prove critical legal issues in a wide variety of lawsuits. More than one fourth of employers have fired workers for misusing and approximately one third have fired employees for misusing the Internet, according to the 2007 Electronic Monitoring & Surveillance Survey from American Management Association (AMA, 2008) and The epolicy Institute. Another legal issue arising from employee monitoring is an organization s legal obligation to do so. Court (2004) discusses a survey reporting that 68% of employers who monitor employees' computer activities cite legal liability as their main motivation. Although Court writes, no court of law has ever ruled that an employer is required to monitor employees electronic communications; some have suggested that such monitoring would be wise. The courts can hold companies liable if they do not seek to prevent other employees from creating a hostile work environment. Ethically speaking, create and update a clear Acceptable Use Policies is essential to outline how employees can use company system and what they can expect as privacy. This must be done by cross-functional team effort that includes, representatives from human resources and if available, legal council, along with system administrators. Educate the workers about the privacy issues of the workplace and let them know what monitoring is, what it will monitor, and convey the message that this monitoring is not due to lack of trust, but is being used to protect the organization. Training session can be established to notify all employees about organization's monitoring . V. NETWORK SNIFFING Network sniffing describes the process of monitoring, capturing and interpreting all incoming and outgoing traffics as it flows across a network, it is typically performed by a packet sniffer; a tool used to capture raw network data going across the wire . Network sniffing can help to understand network characteristics, learn who is on the network, determine who and what is utilizing available bandwidth, identifying peak network usage time, identifying possible attacks or malicious activity, and find unsecured and bloated applications . The information that travels across a network is transmitted in form of "packets" that is broken up into smaller segments with destination and source address attached. A Packet sniffers can show you all sorts of things going on behind the scenes, including unknown communication between network devices, actual detailed error codes provided by layer-specific protocols, and even poorly designed programs going crazy . Copyright to IJARCCE DOI /IJARCCE
4 A. Types of Packet Sniffing There are basically three types of packet sniffing methods: IP Sniffing: This is the original way of packet sniffing. It works by putting the network card into promiscuous mode and sniffing all packets matching the IP address filter. This method only works in nonswitched networks  MAC Sniffing: MAC sniffing also works through a network card which allows the device to sniff all of the information packets that correspond with the MAC address filter . ARP Sniffing: ARP sniffing involves information packets that are sent to the administrator through the ARP cache of both network hosts. Instead of sending the network traffic to both hosts, it forwards the traffic directly to the administrator . This method works a little different. It doesn t put the network card into promiscuous mode. This isn t necessary because ARP packets will be sent to us. This happens because the ARP protocol is stateless. Because of this, sniffing can be done on a switched network . B. How a Packet Sniffer Works? The packet sniffing process can be broken down into three steps: collection, conversion and analysis Collection: Packet sniffer switches the selected network interface into promotion mode. In this mode, the network card can listen for all network traffic on its particular network segment to capture the raw binary data from the wire. Conversion: The captured binary data is converted into readable form. This is where most of advanced command-line-driven packet sniffers stop. At this point, the network data is in a form that can be interpreted only on a very basic level, leaving the majority of the analysis to the end user. Analysis: The packet sniffer takes the captured network data, verifies its protocol based on the information extracted, and begins its analysis of the protocols specific features . Each machine on a local network has its own hardware address which differs from other machines. When a packet is sent, it will be transmitted to all available machines on local network. Owing to the shared principle of Ethernet, all computers on a local network share the same wire, so in normal situation, all machines on network can see the traffic passing through but will be unresponsive to those packets which do not belong to them by just ignoring them. However, if the network interface of a machine is in promiscuous mode, the NIC of this machine can take over all packets and frames it receives on network, namely this machine is a sniffer . The sniffer program tells a computer's NIC to stop ignoring all the traffic headed to other computers and pay attention to them. It does this by placing the NIC in a state known as promiscuous mode. Once a NIC is promiscuous, a status that requires administrative or root privileges, a machine can see all the data transmitted on its segment. The program then begins a constant read of all information entering the PC via the network card. As we know, data traveling along the network comes as frames, or packets, bursts of bits formatted to specific protocols. Because of this strict formatting, a packet sniffer can peel away the layers of encapsulation and decode the relevant information stored within: source computer, destination computer, targeted port number, payload, in short - every piece of information exchanged between two computers. Sniffers can work differently depending on the type of network they are in. Here is a good set of definitions on the two types of Ethernet environments. Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. Thus, any machine in such an environment placed in promiscuous mode will be able to capture packets meant for other machines and can therefore listen to all the traffic on the network. Switched Ethernet: An Ethernet environment in which the hosts are connected to a switch instead of a hub is called a Switched Ethernet. The switch maintains a table keeping track of each computer's MAC address and delivers packets destined for a particular machine to the port on which that machine is connected. The switch is an intelligent device that sends packets to the destined computer only and does not broadcast to all the machines on the network, as in the previous case. This switched Ethernet environment was intended for better network performance, but as an added benefit, a machine in promiscuous mode will not work here. As a result of this, most network administrators assume that sniffers don't work in a Switched Environment . There are many software solutions available on the market to monitor a vast array of activities which ranges from several thousand dollars down to free. Most solutions can log keystrokes typed, application and website usage, detailed file usage, incoming and outgoing chats and e- mails, internet connections, windows interacted with, internet packet data, desktop screenshots, software installations, and much more. The software can present all activities logged in easy-to-read graphical reports . We will study and compare between two of the most popular Sniffing Programs; Wireshark and Colasoft Capsa. VI. WIRESHARK Wireshark is one of the most popular open-source packet analyzer. Originally named Ethereal, in May 2006 the project was named Wireshark due to trademark issue. Wireshark is cross-platform using pcap to capture packets; it runs on Microsoft Windows as well as various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris . It uses the GTK+ widget toolkit to implement its user interface . Wireshark is an open source software Copyright to IJARCCE DOI /IJARCCE
5 project, and is released under the GNU General Public License (GPL). You can freely use Wireshark on any number of computers you like, without worrying about license keys or fees or such. In addition, all source code is freely available under the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as plugins, or built into the source. It can read hundreds of protocols, which can provide a deluge of data. Viewing the raw information has its benefits, but users can filter and parse the captured data using a mouse click interface to create Boolean filters. Users can also create and save filters for later use. Wireshark supports built-in searches to hone in on specific data or conditions, and will even build I/O graphs to show usage by packet type .Wireshark is a versatile and flexible network protocol analyzer that can be extended using plugins and dissectors. Since it is open-source and freely available, it can be adapted to the needs of specific applications. Wireshark can be attached to local network interfaces, thereby overhearing incoming packets that are subsequently analysed and presented to the user. It allows to save packets into files for later analysis and to filter the displayed data. In addition, it allows colorizing the output to ease the interpretation . One specific advantage of Wireshark is that multiple dissectors can analyze the same packet. If a UDP packet is found, the payload of the packet can be passed on to the next dissector for further analysis. This is especially helpful if IPv6 packets are wrapped in IEEE frames. At the moment, Wireshark supports dissecting IEEE , Zigbee, IPv4, IPv6 and a large number of other protocols . Its output can be exported for use by a variety of popular network analysis products, including Wild Packets Inc.'s Ether Peek and Airo Peek products, Cisco Systems Inc.'s Secure Intrusion Detection System, Microsoft's Network Monitor, Network General Corp.'s Sniffer, Novell Inc.'s LANalyzer, and various other tools using tcp dump's capture format including snoop and libpcap . A. Key Features of Wireshark: Data can be captured from the wire from a live network connection or read from a file that recorded already-captured packets. Live data can be read from a number of types of network, including Ethernet, IEEE , PPP, and loopback. Captured network data can be browsed via a GUI, or Command Line. Captured files can be programmatically edited or converted via command-line switches to the "editcap" program. Data display can be refined using a display filter. Plug-ins can be created for dissecting new protocols. VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played. Raw USB traffic can be captured. Open and Save packet data captured. Display packets with very detailed protocol information. Import and Export packet data from and to a lot of other capture programs. Filter packets on many criteria; So, it is not for layman as it involves a lot of network layer filtering options . Search for packets on many criteria. Colorize packet display based on filters. Create various statistics . Here are some things Wireshark does not provide: Wireshark isn't an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on. Wireshark will not manipulate things on the network, it will only "measure" things from it. Wireshark doesn't send packets on the network or do other active things (except for name resolutions, but even that can be disabled) . What sets Wireshark apart from most of these is that it is the most widely used, so it provides a larger number of supported protocols (more than 500) and has a user-driven support base that is unrivaled. The only thing the commercial products typically offer special is their ability to produce reports that are more suited to less technical users For the development of protocols, it is essential to have a good and powerful protocol analyzer at hand . VII. COLASOFT CAPSA Colasoft Capsa is a portable network analyzer application for both LANs and WLANs which performs real-time packet capturing capability, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis. Capsa's comprehensive high-level window view of your entire network gives quick insight to network administrators or network engineers allowing them to rapidly pinpoint and resolve application problems. With the most friendly graphical user interface and the most powerful data packet capture and analysis engine in the industry . Capsa assists the user in the specification and in the analysis of cryptographic protocols. It provides an editor for protocol specifications and offers a quick loading procedure for the protocols specified in underlying protocol libraries, and a convenient parsing procedure for user-defined protocol specifications. It gives us, the tool features of a graph management. This automatically generates and displays graphs. Capsa gives us a fully mechanized analyzer that verifies secrecy and authenticity properties on a given graph and displays the results. More precisely, Capsa allows for analyzing the security properties secrecy, weak authenticity, and strong authenticity . Copyright to IJARCCE DOI /IJARCCE
6 It diagnoses the network problems by detecting and locating suspicious hosts, causing the problem and alerts computer against network anomalies. Additional features include reports, logs, and diagnostic capabilities that can be used to discover network problems. One of the demerits of Colasoft Capsa is that it is quite expensive. Whereas, a free version is available with limited features . Some advanced sniffing products (like Colasoft's Capsa Enterprise sniffer) are able to replay the contents of captured packets. These advanced sniffers may even allow you to edit the contents and retransmit the packets to the network. Capsa can be scheduled to run capture periodically. And it also provides real-time and post-event application performance monitoring with alarms for problem identification. When the alarm is triggered, the s notifications can be sent to the IT administrators. The Logging function is a quite useful feature for Capsa. It is used to monitor and audit user activities of DNS queries, SMTP and POP3 s, FTP operations and Yahoo Messenger etc. All activity logs can be saved to files automatically. Even the content of each sent or received can be saved as well. Another utility feature of Capsa is the valuable built-in tools, including MAC Scanner, Ping Tool, Packet Builder and Packet Player. All are simple but powerful. Colasoft Capsa offers other visual aids such as graphs and a matrix view in which all endpoints that communicate are connected. We can summarize some Capsa's features: A. Key Features of Capsa Enterprise: Real-time packet capture as well as the ability to save data transmitted over local networks, including wired network and wireless network. Identify and analyze about 300 network protocols, and Capsa Enterprise can identify more than 500 protocols, including VoIP, as well as network applications based on the protocol analysis. Identify "Top Talkers" by monitoring network bandwidth and usage through packet capture of transmissions over the network and providing summary and decoding information about these packets. Easy to use Overview Dashboard allows you to view network statistics at a single glance, allowing for quick interpretation of network utilization data. Internet and instant messaging traffic can be monitored and stored, helping identify security and confidential data handling violations. Suspicious hosts can be detected and diagnosed enabling you to pinpoint network problems in seconds. Map the traffic, IP address, and MAC of each host on the network, allowing for easy identification of each host and the traffic that passes through each segment. Visualize the entire network in an ellipse that shows the connections and traffic between each host . VIII. WIRESHARK VS. COLASOFT CAPSA Colasoft Capsa offers many of the analysis features that are found in Wireshark. For example, both programs can display endpoints and protocols from the captured packets along with statistics on the amount of information sent and received for each. The difference is that Colasoft Capsa adds a visual interpretation to the statistics. Colasoft Capsa offers other visual aids such as graphs and a matrix view in which all endpoints that communicate are connected. Additional features include reports, logs, and diagnostic capabilities that can be used to discover network problems . It is possible to view related packets in Colasoft Capsa by right-clicking a packet and choosing an option from "Select Related Packets". This action will highlight packets related in the specified manner. Choosing "By Flow" from the related packets menu results in highlighting the packets that Wireshark glues together when selecting "Follow TCP Stream". While this shows the related packets, Colasoft Capsa does not show all packets of a stream in one window as Wireshark does. Other relations for grouping packets in Colasoft Capsa include by source, destination, or protocol. Colasoft Capsa supports most of the features of Wireshark with powerful TCP flow analysis and its easier interpretation. It has versatile network traffic, bandwidth and utilization analysis. It has in-depth packet decoding feature with multiple network behavior monitoring. It has a matrix representation and eclipse visualization of the network. Colasoft Capsa extends the network security analysis with notifying alerts only by and audio. A disadvantage of Colasoft Capsa is that, it works only on windows platform. Further, it covers only about 300 protocols which is very less when compared to Wireshark s 1100 protocols . Capsa Free is a great combination of powerful monitoring, in-depth packet decoding, reliable network diagnosing, real-time alerting and thorough reporting ability, it provides you innovative solutions to numerous network problems. Compared with Wireshark, Capsa free has a more friendly Windows 7 style, it provides more visibility as to the status of your network, and it is an simple graphic network analyzer. There no need to worry about those command, you can do everything by clicking the mouse. Without a doubt, Capsa is a user-friendly program. Even if you don t know much about the IP stack, you can learn a lot about what s happening on your network with Capsa. It presents data in a very easy-to-read way. The Graphs tab shows some great visualization of various network statistics. Copyright to IJARCCE DOI /IJARCCE
7 Table 1 summarizes the properties of Wireshark and Colasoft Capsa: TABLE 1 No. Property Wireshark Colasoft Capsa 1 OS supported Windows and Unix Windows 2 Disk usage 81 MB (Windows) & 449MB 32 MB (Unix) 3 Cost Free $999 4 Open source No 5 No. of More than protocols Libpcap based No 7 Multiple interfaces at a No single instance 8 Alarms on traffic, No protocol 9 User interface GUI and CLI GUI Decode 10 protocol Only Hex (Hex, ASCII, and ASCII EBCDIC) Identify abnormal protocol Identify packets with forged data Display protocol in OSI 7 layers structure Locate hosts running a specific service Network communicatio n in matrix map Evaluate critical business traffic and nonbusiness traffic No (only creates a warning) No (by creating filters) (inbuilt) Wireshark and Colasoft Capsa have similar characteristics. Hence, there is a need to find out distinct parameters which may define the internal load and performance of the tool. Dr. Charu Gandhi "the assistant professor in the department of computer science of JIIT, Noida" and four of his students have tested some parameters to compare between packet sniffing tools, by applying same scenario for them. The result is as follows: A. Packet size distribution Long packets increase load on the network which means less the long packets, less will be the stress on network. Further, dealing with long packets means dealing with high ratio of packet payload and packet headers. After applying the scenario of the experiment, it is seen that the average length packet size measured in Wireshark is B and in Colasoft Capsa is 434B; which means that Colasoft Capsa gets a slight edge over Wireshark. Hence, Colasoft Capsa neither stresses the network nor does it stress the system by sending too many small sized or medium sized packets. B. Throughput (bits per second bps) Throughput is the amount of data processed by the system in a second. It is seen that Colasoft Capsa has large range of throughput and is changing swiftly. These random changes in the throughput are not good as it hinders the systems performance and is not good with respect to a network performance. Whereas, Wireshark is ranging in a pattern which is good for the network and shows a constant behavior. The average bps in Colasoft Capsa is 6.34 Kbps whereas in Wireshark it is kbps as we know more the bps, better would be the packet sniffer s performance. Hence, here Wireshark has an edge over Colasoft Capsa due to constant variation and not showing high cut- offs. C. Packets per Second (PPS) Packets per second refer to the number of packets transferred in one second. It is seen clearly that Wireshark has lesser packet loss than Colasoft Capsa and hence is preferred over Colasoft Capsa for less packet retransmissions. D. Response Time Response time means the length of time taken to respond a given event. Hence, lesser the response time, better the performance. It can be seen after applying the experiment that the response time of Colasoft Capsa is much higher than Wireshark. Hence, in this benchmark too, Wireshark is better than Colasoft Capsa. The previous experiment shows that none of the tool leads all the parameters. On the one hand, Colasoft Capsa has maximum network security. The present study has been made to suggest best packet sniffing tool, according to the user s requirements. The advantages and disadvantages would help to develop a new packet sniffer which could hide all the disadvantages of the most used packet sniffers and could outperform them on quantitative and qualitative parameters . Copyright to IJARCCE DOI /IJARCCE
8 Table 2 summarizes the previous results: TABLE 2 No. Case Best Tool 1 Packet Drop Wireshark 2 Network Security Colasoft Capsa 3 Response Time Wireshark 4 Network Alarms Colasoft Capsa 5 Throughput (bps) Wireshark 6 Packet Size Colasoft Capsa 7 PPS Wireshark 8 User Interface Colasoft Capsa 9 Number of Protocols Wireshark 10 Network Communication Colasoft Capsa In my point of view, Wireshark and Capsa are both very powerful and popular packet sniffing tools. But Colasoft Capsa has more user friendly interface and the data in an extremely easy-to-read manner, especially when talking about the graphs and matrix that can be readable from the managers that are not network specialist, which is considered as one of the most advantage of Capsa. Moreover, when talking about network analyzing, both Wireshark and Capsa can auto-detect network errors, but Capsa provides more detailed information on reason and resolution to help resolve errors. IX. CONLUSION Maintaining a safe and efficient workplace requires organizations to monitor the employees' computers at workplace. Employees must be educated about monitoring so that they can understand the lack of privacy that currently exists at work as well as to understand the capabilities and limitations. Employers who monitor must be responsible and reasonable. They must explain to workers what they monitor. As the law slowly catches up with technology, many questions remain. Privacy advocates will likely continue to push for reforms that would offer greater protection for employees. Although some people and organizations believe that employee monitoring is wrong or unethical, there is a clear need for such practice. Employee monitoring is here to stay. The status of employee monitoring may change if laws tailor to the always-changing computer technology - but employee monitoring will not go away. In this paper, we studied the problem of Internet usage by employees in the organizations for personal purposes and the need for some kind of network sniffing tool in the workplace to keep watchful eyes on any computer abuse in the organization. We explore network monitoring as a sniffing tool used by network administrator in the organization and the ethical issue concerning this kind of surveillance. Packet sniffer is not just a hacker's tool. It can be used for network traffic monitoring, traffic analysis, troubleshooting and other useful purposes. There are many tools which are used for network traffic sniffing but there are some limitations regarding these packet sniffing tools i.e. some tools are only used for packet capturing without any kind of analyzing them. Some tools trace IP packets and some tools only capture TCP packets. At the end, we concluded that with these tools, we can do intrusion detection and penetration testing against particular network. Two packet sniffers are tested, Wireshark and Colasoft Capsa. A comparison based on their features and weakness had been made. Each software has its weakness and strength, and each of them has been designed for some purposes in mind. Capsa is more practical, user friendly and provides more detailed and readable information, whereas Wireshark is more powerful. REFERENCES  C. Sanders, Practical Analysis Using Wireshark to Solve Real- World Network Problems, 2 nd ed., W. Pollock, USA,  T. Dean, Network+ Guide to Networks, 6 th ed., D. Garza, S. Helba, Nelson Education, Canada,  A. Orebaugh, Wireshark and Ethereal: Network Protocol Analyzer Toolkit, A. Williams, Canada, Syngress,  K. Hassan, A. Ahsan, and M. Rahman, "IEEE b Packet Analysis to Imrove Network Performance", in JUJIT, 2012, Vol.1, p  P. Asrodia, H. Patel, "Analysis of Various Packet Sniffing Tools for Network Monitoring and Analysis", in IJEECE, 2012, paper , p  D. Shinder (2005) Ethical-Issues-IT-Security-Professionals homepage on windowsecurity. [0nline]. Available: curity/ethical-issues-it-security- Professionals.html  S. Venkatramulu, C. V. Rao, "Various Solutions for Address Resolution Protocol Spoofing Attack", in IJSRP, 2013,  S. Suri, V. Batra, "Comparative Study of Network Monitoring Tools", in IJITEE, 2012, paper , p  J. Yerby, "Legal and Ethical issues of employee monitoring", in OJAKM, 2013, Vol. 1, Issue 2, p  G. S. Alder, M. Schminke, T. W. Noel, and M. Kuenzi, "Emplyee Reactions to Internet Monitoring: The Moderating Role of Ethical Orientation", in JBE, 2008, paper , p  [online]: usage-at- work.htm#didyouknowout  S. Ansari, R. G. Rajeev, H. S. Chandrashekar, "Packet Sniffing: A Brief Introduction", in IEEE, 2003, paper , p  C. Gandhi, G. Suri, R. P. Golyan, P. Saxena, and B. K. Saxina, "Packet Sniffers- A Comparative Study", IJCNCS, paper , p  R. Spangler, "Packet sniffer Detection with Antisniff", University of Wisconsin-Whitewater, department of Computer and Network Administration,  [online]. Available:  W. B. Pottner, L. Wolf, "IEEE Packet Analysis with Wireshark and off-the-shelf Hardware", in Proc. SICNSS,  U. Banerjee, A. Vashishtha, and M. Saxena, "Evalualtion of the Capabilities of Wireshark as a Tool for Intrusion Detection", in IJCA, 2010, paper  [online]. Available:  [online]. Available:  S. Dhar, "Switch Sniff", in LJ, 2002, paper 5869, p  [online].available: ttp://securitymusings.com/article/1161/colasoftcapsa-vs-wireshark Copyright to IJARCCE DOI /IJARCCE
International Journal of Computer Networks and Communications Security VOL. 2, NO. 5, MAY 2014, 179 187 Available online at: www.ijcncs.org ISSN 2308-9830 C N C S Packet Sniffer A Comparative Study Dr.
1 st International Conference of Recent Trends in Information and Communication Technologies Detecting Threats in Network Security by Analyzing Network Packets using Wireshark Abdulalem Ali *, Arafat Al-Dhaqm,
Lab VI Capturing and monitoring the network traffic 1. Goals To gain general knowledge about the network analyzers and to understand their utility To learn how to use network traffic analyzer tools (Wireshark)
A Research Study on Packet Sniffing Tool TCPDUMP ANSHUL GUPTA SURESH GYAN VIHAR UNIVERSITY, INDIA ABSTRACT Packet sniffer is a technique of monitoring every packet that crosses the network. By using this
When Recognition Matters THE COMPARISON OF PROGRAMS FOR NETWORK MONITORING www.pecb.com Imagine a working environment comprised of a number of switches, routers, some terminals and file servers. Network
6. INTRODUCTION TO THE LABORATORY: SOFTWARE TOOLS 6.1. Wireshark network sniffer Wireshark (originally called Ethereal) is a freeware network sniffer. A sniffer investigates and analyzes network traffic.
Network Security: Workshop Protocol Analyzer Network analysis is the process of capturing network traffic and inspecting it closely to determine what is happening on the network decodes,, or dissects,,
Objectives Sniffing Become aware of a class of vulnerabilities known as sniffing. Learn how to use a sniffer tool. What is a packet sniffer? Sniffing is eavesdropping on the network and A packet sniffer
INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK PACKET SNIFFING MS. SONALI A. KARALE 1, MS. PUNAM P. HARKUT 2 HVPM COET Amravati.
Cover White Paper (nchronos 4.1) Copyright Copyright 2013 Colasoft LLC. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced
UNIVERSITI MALAYSIA PERLIS SCHOOL OF COMPUTER & COMMUNICATIONS ENGINEERING EKT 332/4 COMPUTER NETWORK LABORATORY MODULE LAB 2 NETWORK PROTOCOL ANALYZER (SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK)
Ryan Spangler University of Wisconsin - Whitewater Department of Computer and Network Administration May 2003 Abstract Packet sniffing is a technique of monitoring every packet that crosses the network.
Session Title: Network Traffic Analysis -- It's not just for fun anymore. Session Type: 50 Min. Breakout Session Presentation Day: Tuesday, February 11 Network Traffic Analysis It s not just for fun anymore.
Own your LAN with Arp Poison Routing By: Rorik Koster April 17, 2006 Security is a popular buzzword heard every day throughout our American culture and possibly even more so in our global economy. From
Sniffer s Network Packet Analyzer Basics Sniffer Network Analysis Range of techniques that network engineers and designers employ to study the properties of networks, including connectivity, capacity and
Intrusion Detection, Packet Sniffing By : Eng. Ayman Amaireh Supervisor :Dr.: Lo'ai Tawalbeh New York Institute of Technology (NYIT)- Jordan s s campus-2006 12/2/2006 eng Ayman 1 What is a "packet sniffer"?
Assignment One ITN534 Network Management Title: Report on an Integrated Network Management Product (Solar winds 2001 Engineer s Edition) Unit Co-coordinator, Mr. Neville Richter By, Vijayakrishnan Pasupathinathan
Xerox Multifunction Devices Customer Tips January 15, 2004 This document applies to these Xerox products: Network Packet Analyzer Tips Purpose This document contains a procedure that Xerox customers can
Network Monitoring Tool with LAMP Architecture Shuchi Sharma KIIT College of Engineering Gurgaon, India Dr. Rajesh Kumar Tyagi JIMS, Vasant Kunj New Delhi, India Abstract Network Monitoring Tool enables
Cover User Guide (Enterprise Edition) Copyrig ht Copyright 2015 Colasoft LLC. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced
Transformation of honeypot raw data into structured data 1 Majed SANAN, Mahmoud RAMMAL 2,Wassim RAMMAL 3 1 Lebanese University, Faculty of Sciences. 2 Lebanese University, Director of center of Research
User Manual (Enterprise Edition) Copyright 2013 Colasoft LLC. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted
Introduction to Network Security Lab 1 - Wireshark Bridges To Computing 1 Introduction: In our last lecture we discussed the Internet the World Wide Web and the Protocols that are used to facilitate communication
SOUTHERN POLYTECHNIC STATE UNIVERSITY Snort and Wireshark IT-6873 Lab Manual Exercises Lucas Varner and Trevor Lewis Fall 2013 This document contains instruction manuals for using the tools Wireshark and
November 2, 1999 www.wwgsolutions.com Network Troubleshooting with the LinkView Classic Network Analyzer Network Troubleshooting Today The goal of successful network troubleshooting is to eliminate network
A Seminar report On Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA SUBMITTED TO: www.studymafia.org SUBMITTED BY: www.studymafia.org Preface I have made
Network Probe User Guide Network Probe User Guide Table of Contents 1. Introduction...1 2. Installation...2 Windows installation...2 Linux installation...3 Mac installation...4 License key...5 Deployment...5
Introduction CSC 5991 Cyber Security Practice Lab 1: Packet Sniffing and Wireshark The first part of the lab introduces packet sniffer, Wireshark. Wireshark is a free opensource network protocol analyzer.
3. MONITORING AND TESTING THE ETHERNET NETWORK 3.1 Introduction The following parameters are covered by the Ethernet performance metrics: Latency (delay) the amount of time required for a frame to travel
Packet Sniffing with Wireshark and Tcpdump Capturing, or sniffing, network traffic is invaluable for network administrators troubleshooting network problems, security engineers investigating network security
An introduction to Network Analyzers Dr. Farid Farahmand 9/15/2016 Network Analysis and Sniffing Process of capturing, decoding, and analyzing network traffic Why is the network slow What is the network
International Journal of Research Studies in Computing 2012 April, Volume 1 Number 1, 11-20 Establishing a valuable method of packet capture and packet analyzer tools in firewall Kumar, P. Senthil Nandha
Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds email@example.com What is Firewall? A firewall
The following article was published in ASHRAE Journal, November 2008. Copyright 2008 American Society of Heating, Refrigerating and Air- Conditioning Engineers, Inc. It is presented for educational purposes
, pp.61-70 http://dx.doi.org/10.14257/ijdta.2016.9.4.05 A Review on Network Intrusion Detection System Using Open Source Snort Sakshi Sharma and Manish Dixit Department of CSE& IT MITS Gwalior, India Sharmasakshi1009@gmail.com,
EINTE LAB EXERCISES LAB EXERCISE #5 - SIP PROTOCOL PREPARATIONS STUDYING SIP PROTOCOL The aim of this exercise is to study the basic aspects of the SIP protocol. Before executing the exercise you should
5 Steps to Avoid Network Alert Overload By Avril Salter 1. 8 0 0. 8 1 3. 6 4 1 5 w w w. s c r i p t l o g i c. c o m / s m b I T 2011 ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic
Ethereal: Getting Started Computer Networking: A Topdown Approach Featuring the Internet, 3 rd edition. Version: July 2005 2005 J.F. Kurose, K.W. Ross. All Rights Reserved Tell me and I forget. Show me
Packet Capture and Expert Troubleshooting with the Viavi Solutions T-BERD /MTS-6000A By Barry Constantine Introduction As network complexity grows, network provider technicians require the ability to troubleshoot
Online Application Monitoring Tool A Project Presented to The Faculty of the Department of Computer Science San José State University In Partial Fulfillment Of the Requirements for the Degree Master of
Unified network traffic monitoring for physical and VMware environments Applications and servers hosted in a virtual environment have the same network monitoring requirements as applications and servers
Tell me and I forget. Show me and I remember. Involve me and I understand. Chinese proverb 2005-21012, J.F Kurose and K.W. Ross, All Rights Reserved Wireshark Lab: Assignment 1w (Optional) One s understanding
Section 1 Network Systems Engineering Implementing Network Monitoring Tools V.C.Asiwe and P.S.Dowland Network Research Group, University of Plymouth, Plymouth, United Kingdom e-mail: firstname.lastname@example.org
Lab Exercise ARP Objective To see how ARP (Address Resolution Protocol) works. ARP is an essential glue protocol that is used to join Ethernet and IP. The trace is here: http://scisweb.ulster.ac.uk/~kevin/com320/labs/wireshark/trace-arp.pcap
Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.
CET442L Lab #2 IP Configuration and Network Traffic Analysis Lab Goals: In this lab you will plan and implement the IP configuration for the Windows server computers on your group s network. You will use
New York University Computer Science Department Courant Institute of Mathematical Sciences Course Title: Data Communication & Networks Course Number: g22.2662-001 Instructor: Jean-Claude Franchitti Session:
TAKE CONTROL IT'S YOUR SECURITY TAMOSOFT df TamoSoft Throughput Test Help Documentation Version 1.0 Copyright 2011-2014 TamoSoft Contents Contents... 2 Introduction... 3 Overview... 3 System Requirements...
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files
CompTIA Network+ N10 005 Official Cert Guide Mapping Guide to CompTIA Network+ Simulator Labs Domain 1.0: Network Concepts 1.1 Compare the layers of the OSI and TCP/IP Models TCP/IP Model Layer Matching
Snoopy Due Date: Nov 1 Points: 25 Points Objective: To gain experience intercepting/capturing HTTP/TCP traffic on a network. Equipment Needed Use the Ubuntu OS that you originally downloaded from the course
INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: email@example.com ABSTRACT Internet security
Lab Exercise Ethernet Objective To explore the details of Ethernet frames. Ethernet is a popular link layer protocol. Modern computers connect to Ethernet switches rather than use classic Ethernet. The
Application-Centric Analysis Helps Maximize the Value of Wireshark The cost of freeware Protocol analysis has long been viewed as the last line of defense when it comes to resolving nagging network and
ManageEngine OpManager A FAULT MANAGEMENT WHITEPAPER Fault Management Perception The common perception of fault management is identifying all the events. This, however, is not true. There is more to it
Diagnosing the cause of poor application performance When it comes to troubleshooting application performance issues, there are two steps you can take to make diagnosis easier, faster and more accurate.
FortKnox Personal Firewall User Manual Document version 1.4 EN ( 15. 9. 2009 ) Copyright (c) 2007-2009 NETGATE Technologies s.r.o. All rights reserved. This product uses compression library zlib Copyright
Cyber Forensics Laboratory 1 Tcpdump Lab: Wired Network Traffic Sniffing Copyright c 2012 Hui Li and Xinwen Fu, University of Massachusetts Lowell Permission is granted to copy, distribute and/or modify
Agenda Richard Baskerville P Principles of P Terms & -based Tracing P Application Layer Analysis P Lower Layer Analysis Georgia State University 1 2 Principles Kim, et al (2004) A fuzzy expert system for
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
Packet Sniffing: What it s Used for, its Vulnerabilities, and How to Uncover Sniffers Mathurshan Vimalesvaran Tufts University Abstract Packets are the base of all data sent on the internet, yet they are
PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security
VisuSniff: A Tool For The Visualization Of Network Traffic Rainer Oechsle University of Applied Sciences, Trier Postbox 1826 D-54208 Trier +49/651/8103-508 firstname.lastname@example.org Oliver Gronz University
How To Sniff Network Traffic Neighborhood Network Watch Home Network Awareness Program Introduction The communities across our beloved nation have never been at a greater risk than they are today. However,
1.pcap - File download Network Security: Workshop Dr. Anat Bremler-Barr Assignment #2 Analyze dump files Solution Taken from www.chrissanders.org Downloading a file is a pretty basic function when described
CompTIA Security+ Lab Series Lab 1: Network Devices and Technologies - Capturing Network Traffic CompTIA Security+ Domain 1 - Network Security Objective 1.1: Explain the security function and purpose of
REVIEW ON RISING RISKS AND THREATS IN NETWORK SECURITY Babul K Ladhe 1, Akshay R Jaisingpure 2, Pratik S Godbole 3, Dipti S Khode 4 1 B.E Third Year, Information Technology JDIET, Yavatmal email@example.com
No one knows the value of an Network Analysis Solution Total integration Total control Total Network SuperVision integrated solution better than network engineers and Fluke Networks. Our Network Analysis
An Approach to Detect Packets Using Packet Sniffing Rupam 1, Atul Verma 2, Ankita Singh 3 Department of Computer Science, Sri Ram Swroop Memorial Group of Professional Colleges Tiwari Gang Faizabad Road,
Extending Network Visibility by Leveraging and sflow Technologies This paper shows how a network analyzer that can leverage and sflow technologies can provide extended visibility into enterprise networks
No one knows the value of an Network Analysis Solution Total integration Total control Total Network SuperVision integrated solution better than network engineers and Fluke Networks. Our Network Analysis
WhatsUp Gold v11 Features Overview This guide provides an overview of the core functionality of WhatsUp Gold v11, and introduces interesting features and processes that help users maximize productivity
BASIC ANALYSIS OF TCP/IP NETWORKS INTRODUCTION Communication analysis provides powerful tool for maintenance, performance monitoring, attack detection, and problems fixing in computer networks. Today networks