
Internet Traffic Monitoring

Our blogs related to Internet traffic monitoring focus on detecting specific web activity, generating individual user reports and responding to unusual or suspicious notifications. In order to provide detailed analyses of these scenarios, we use LANGuardian's deep packet inspection network monitoring software – software that provides network managers with complete visibility over network activity, rather than software that just records traffic flow or uses resource-intensive agents.

By using LANGuardian for effective Internet traffic monitoring, network managers can really find out what is happening on their networks. We reveal how to establish what movies users are downloading from illegal sources and what other breaches of acceptable use policies they are engaging in. As well as productivity- and bandwidth-sapping activities, we also demonstrate how to conduct forensic analyses on historical events such as ransomware or DDoS attacks.

If you would like to find out more about effective Internet traffic monitoring with LANGuardian, you are invited to review our blog posts and tell us what you think. If the scenarios are similar to what you have experienced, and have raised questions about dealing with these issues, feel free to contact us. Alternatively, if you would like to find out what is really happening on your network in relation to Internet traffic, click on the button to “Download Your Free Trial Now”.

DNSpionage. A DNS Server Hijacking Attack

Monitoring DNS requests so as to detect DNSpionage attacks

What is DNSpionage?

Late last year, Cisco Talos discovered a DNS hijacking attack targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company.

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

How can you detect the presence of DNSpionage activity on your network?

Earlier this year, security firm CrowdStrike published a blog post listing IP addresses and domain names known to be used by the espionage campaign to date. If you want to check for the presence of DNSpionage activity on your network, you should monitor network traffic at your network's perimeter and watch out for any activity associated with those IP addresses or domains.

IP Address List

Domain List

Using LANGuardian to detect DNSpionage activity

Our LANGuardian product includes both a network traffic analysis module which can capture IP addresses and a DNS decoder to extract metadata from DNS queries. You just need to monitor network traffic going to and from your Internet gateways to gain visibility into what is happening and root out any suspicious activity.

Once you have LANGuardian deployed, you need to check two reports for DNSpionage activity.

Check applications report for any traffic associated with the IP addresses connected to the espionage campaign.

  1. Log onto your LANGuardian and click on All Reports / Applications in Use
  2. Enter the IP range listed above into the Source or Destination IP/Subnet report filter
  3. Run report
  4. Optionally you can save this as a custom report by clicking on Actions / Save As

You should not see any results in the report when you run it. If you do, you need to check the systems on your network that are communicating with the IP addresses. The image below shows the report output from my lab network: no results were returned, which is what you are aiming for. Click on this image to access this report on our online demo.

A traffic report which is checking for any IP addresses associated with the DNSpionage attack

Check DNS queries for any lookups associated with the domains connected to the espionage campaign.

  1. Log onto your LANGuardian and type DNS Lookups into the search box top center. Select the report Network Events (DNS Lookups)
  2. Enter the domain list shown above into the Domain report filter. Select Matches regexp from the dropdown
  3. Run report
  4. Optionally you can save this as a custom report by clicking on Actions / Save As

You should not see any results in the report when you run it. If you do, you need to check the systems on your network that are trying to resolve one or more domains from the list. The image below shows the report output from my lab network. I do see some activity and I will need to do further analysis of the local client.

A report showing DNS lookups associated with the DNSpionage attack
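The two checks above (IP range match on traffic, regex match on DNS query names) as an added example; this is not code from the original post or from LANGuardian. Because the campaign's IP and domain lists are not reproduced on this page, the indicators below are placeholder values (TEST-NET addresses and made-up domains), and the DNS and flow records are constructed sample input. Note the domain patterns are anchored at the end of the name, so a look-alike such as `example-ioc.net.cdn.example.com` does not match; an unanchored "Matches regexp" filter would.

```python
import ipaddress
import re

# Placeholder indicators (assumption): the real list is not reproduced on this page.
IOC_IP_RANGES = ["203.0.113.0/24"]
IOC_DOMAIN_PATTERNS = [r"(^|\.)example-ioc\.net$", r"(^|\.)lookup-ioc\.org$"]

# Constructed sample DNS log: (timestamp, client_ip, resolver_ip, query_name)
DNS_LOG = [
    ("2019-03-01T10:00:01", "10.1.1.20", "10.1.1.5", "www.microsoft.com"),
    ("2019-03-01T10:00:05", "10.1.1.31", "10.1.1.5", "mail.example-ioc.net"),
    ("2019-03-01T10:00:09", "10.1.1.31", "10.1.1.5", "example-ioc.net.cdn.example.com"),
]
# Constructed sample flow log: (timestamp, src_ip, dst_ip, dst_port)
FLOW_LOG = [
    ("2019-03-01T10:00:02", "10.1.1.20", "93.184.216.34", 443),
    ("2019-03-01T10:00:06", "10.1.1.31", "203.0.113.45", 443),
]


def compile_ioc(ip_ranges, domain_patterns):
    """Turn the indicator lists into ip_network objects and compiled regexes."""
    nets = [ipaddress.ip_network(r) for r in ip_ranges]
    regexes = [re.compile(p, re.IGNORECASE) for p in domain_patterns]
    return nets, regexes


def ip_hits(flow_log, nets):
    """Flow records whose source or destination falls inside an indicator range.
    Each hit carries the matching address so the local peer can be identified."""
    hits = []
    for ts, src, dst, port in flow_log:
        for addr in (src, dst):
            if any(ipaddress.ip_address(addr) in n for n in nets):
                hits.append((ts, src, dst, port, addr))
                break
    return hits


def dns_hits(dns_log, regexes):
    """DNS queries whose name matches an indicator domain pattern."""
    return [(ts, client, name) for ts, client, resolver, name in dns_log
            if any(r.search(name.rstrip(".")) for r in regexes)]


def suspicious_clients(dns_log, flow_log,
                       ip_ranges=IOC_IP_RANGES, domain_patterns=IOC_DOMAIN_PATTERNS):
    """Local systems that either talked to an indicator address or looked up an
    indicator domain; these are the hosts to investigate further."""
    nets, regexes = compile_ioc(ip_ranges, domain_patterns)
    clients = set()
    for ts, src, dst, port, addr in ip_hits(flow_log, nets):
        clients.add(src if addr != src else dst)   # the non-indicator end of the flow
    for ts, client, name in dns_hits(dns_log, regexes):
        clients.add(client)
    return sorted(clients)


if __name__ == "__main__":
    print(suspicious_clients(DNS_LOG, FLOW_LOG))
```

Both reports the post describes reduce to these two matches; running them on the same time window and intersecting the results, as `suspicious_clients` does, gives the short list of hosts worth pulling a full traffic history for.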

How to monitor network traffic going to and from the Internet

The video below shows the steps needed to get traffic monitoring in place so that you can check for DNSpionage activity on your network.

Beware of Exposed Ports at Your Networks Edge

More reasons to check inbound traffic on your network

Looking through the latest infosec news this week I spotted two exploits which use similar attack methods.

  • Printers targeted via TCP port 9100 by external clients
  • Poorly configured Ethereum nodes targeted over port 8545

In both cases hosts located outside your network try to connect to devices hosted inside your LAN or cloud environments. The printer exploit is an unusual one. Its main purpose is to deliver PewDiePie propaganda around the world. PewDiePie is currently the most-subscribed channel on YouTube. Recently it has been in a battle for this position with an Indian company called T-Series.

Over the last couple of days, Twitter users have been posting screenshots of unsolicited printouts from internet-connected printers that say that PewDiePie needs their help. A Twitter user called TheHackerGiraffe has claimed responsibility, but claimed they did this to raise awareness of printers and printer security.


The second inbound exploit attempt has a more sinister background. A cybercriminal group has managed to steal a total of 38,642 Ethereum, worth more than $20,500,000, from clients exposing the unsecured interface on port 8545. The process behind this is simple. External clients scan your network on port 8545, looking for geth clients and stealing their cryptocurrency. Geth is a multipurpose command line tool that runs a full Ethereum node implemented in Go.

How to monitor inbound traffic on your LAN

One quick check for port 9100 or 8545 activity is to see whether those ports are open on your firewall. While an open port is not in itself an indication of activity, you should consider closing them to all external clients.

A better approach is to monitor network traffic going to and from the Internet using a SPAN, mirror port or network TAP. Once a traffic source is established you can use a product like our own LANGuardian to report on what ports and applications are being used.

The image below shows an example of what to look out for. In this case we can see evidence of SMB activity. Ports like 9100, or 445 which SMB uses, should not be open to unknown clients. Click on the image below to access this report on our online demo.

Inbound traffic on ports 9100 or 8545

In the next example we are looking at what ports are accepting connections from external clients. Again we can see the activity on TCP port 445. Looking through the results, I also need to check the activity on port 49158. Click on this image to access the report on our online demo.

Inbound TCP ports which are open on firewall

To check your firewall configuration and get application-level visibility of the traffic allowed in through your firewall, deploy a traffic analysis system such as LANGuardian and configure its sensor SPAN or mirror port correctly.

You can use a SPAN port, for example, to monitor traffic between your internal network and the firewall. This is a very useful and simple way to validate firewall rules, which are sometimes configured by an external consultant. The video below goes through what is needed to get network traffic analysis in place at your network edge, together with the steps to get LANGuardian monitoring this traffic.

How to monitor inbound traffic in the cloud

When an infosec alert like the ones mentioned above goes out, the obvious thing to do is check your on-premises data centers for suspicious activity. This is certainly a good starting point. However, don’t forget about your cloud-based networks. They may be targeted even more than your on-premises networks. Getting visibility in the cloud is not as straightforward as with a more traditional on-premises network.

Recently we announced support for AWS VPC Flow Log Analysis and we will also have an option for Azure monitoring shortly. I took a look at reports associated with our AWS estate and sure enough there is evidence of inbound activity on port 9100, see image below. In our case this was blocked. I observed similar activity for inbound connections on 8545.

AWS flow logs showing activity on ports 9100 and 8545
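The inbound check described in this post, run over VPC Flow Log records, as an added example; it is not code from the original post or from LANGuardian. The log lines are constructed samples in the default version-2 flow log field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status); the account and interface ids are placeholders, and "internal" is defined as the RFC 1918 ranges, which is an assumption you would adjust to your own VPC CIDRs. It separates REJECT from ACCEPT so that a blocked probe (the situation the post describes) is visible alongside anything that actually got through.

```python
import ipaddress

# Ports discussed in the post and the service each usually carries.
WATCHED_PORTS = {9100: "raw printing", 8545: "Ethereum JSON-RPC", 445: "SMB"}
# Assumption: RFC 1918 space is "internal"; substitute your VPC CIDRs.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in the default VPC Flow Log (version 2) format.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 51234 9100 6 3 180 1544000000 1544000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.15 40122 8545 6 5 420 1544000010 1544000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.8 49321 445 6 12 2048 1544000020 1544000080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.4 10.0.1.15 44010 443 6 10 1500 1544000030 1544000090 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1544000040 1544000100 - NODATA
"""


def parse_line(line):
    """Parse one flow log record; skip NODATA/SKIPDATA and malformed lines."""
    f = line.split()
    if len(f) != 14 or f[13] != "OK":
        return None
    return {"src": f[3], "dst": f[4], "sport": int(f[5]), "dport": int(f[6]),
            "proto": int(f[7]), "packets": int(f[8]), "bytes": int(f[9]),
            "action": f[12]}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def inbound_exposure(log_text, watched=WATCHED_PORTS):
    """Inbound TCP flows from external sources to watched ports, grouped by
    (port, action) so REJECTed probes and ACCEPTed connections are both counted."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != 6:          # TCP only
            continue
        if (rec["dport"] in watched and not is_internal(rec["src"])
                and is_internal(rec["dst"])):
            entry = summary.setdefault((rec["dport"], rec["action"]),
                                       {"flows": 0, "bytes": 0, "sources": set()})
            entry["flows"] += 1
            entry["bytes"] += rec["bytes"]
            entry["sources"].add(rec["src"])
    return summary


def accepted_exposures(log_text):
    """Watched ports an external source actually reached: review these firewall rules."""
    return sorted(port for (port, action) in inbound_exposure(log_text) if action == "ACCEPT")


if __name__ == "__main__":
    for (port, action), entry in sorted(inbound_exposure(SAMPLE_FLOW_LOG).items()):
        print(f"{port}/{WATCHED_PORTS[port]} {action}: {entry['flows']} flows "
              f"from {sorted(entry['sources'])}")
```

The internal-to-internal SMB flow is deliberately excluded: the question this post asks is which ports the Internet can reach, and mixing in east-west traffic would hide the answer.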

If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can meet your organization's requirements, do not hesitate to contact us and speak with one of our helpful technical support team.

5 Tips For Monitoring Network Traffic on Your Network

Monitor Network Traffic

Monitoring traffic on your network is important if you want to keep it secure and running efficiently. The information obtained by network traffic monitoring tools can be used in multiple security and IT operational use cases to identify security vulnerabilities, troubleshoot network issues and analyze the impact new applications will have on the network. These 5 tips should help you get the most out of your network traffic monitoring application.

1.    Choose the right data source

Whatever your motive for monitoring network traffic, you have two main data sources to choose from:

  1. Flow data: which can be acquired from layer 3 devices like routers
  2. Packet data: which can be sourced from SPAN, mirror ports or via TAPs

Flow data is great if you are looking for traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic and make better use of network resources and performance. However, flow-based tools for monitoring network traffic lack the detailed data needed to detect many network security issues or perform true root cause analysis.

Packet data extracted from network packets can help network managers understand how users are implementing/operating applications, track usage on WAN links, and monitor for suspicious malware or other security incidents. Deep packet inspection tools provide 100% visibility over the network by transforming the raw metadata into a readable format and enabling network managers to drill down to the minutest detail.

2.    Pick the correct points on the network to monitor

Naturally with agent-based software, you have to install software on each device you want to monitor. This is not only an expensive way of monitoring network traffic but it creates a significant implementation and maintenance overhead for IT teams. Furthermore, if your objective is to monitor activity on a BYOD or publicly-accessible network, agent-based software will not give you the full picture of user activity because it is impractical (and in some states illegal) to monitor activity on users' personal devices.

Even with agent-free software, a common mistake many people make when deploying tools to monitor network traffic is that they include too many data sources at the start. There is no need to monitor every network point. Instead you need to pick points where data converges. Examples of this would be Internet gateways, Ethernet ports on WAN routers or VLANs associated with critical servers.

If you are new to getting tools in place to monitor network traffic, I would suggest you start by monitoring your Internet gateway(s). This can be an excellent source of security and operational data. The short video below explains how you can do this with Cisco switches – a similar approach can be applied to other switch vendors.

The image below shows a good approach when it comes to network traffic monitoring for most networks. A SPAN or mirror port is configured at the network core which allows for the capture of any traffic passing through. In my example this would allow me to capture traffic going to and from the Internet as well as traffic associated with important servers.

network diagram showing how you can monitor network traffic

3.    Sometimes real-time data is not enough

The ability to monitor network traffic in real-time is sufficient to achieve many objectives of network traffic monitoring, but sometimes real-time data is not enough. Historical traffic metadata is ideal for network forensics and is just as important if you want to analyze past events, identify trends or compare current network activity with the previous week. For these objectives, it is best to use tools for monitoring network traffic with deep packet inspection.

Some tools for monitoring network traffic choose to age data. This means the further back you go historically, the less detail you get. While this can save on disk space, it is not an ideal solution if you are trying to determine how an intruder managed to overcome your defenses to plant malware on the network. Without accurate and complete data relating to the event, you can be left looking for answers that no longer exist.

It is also a good idea to be aware that some SIEM and network traffic monitoring systems base their pricing on the amount of data you want to store. Keep a watchful eye out for this when you are evaluating solutions. Other appliance-based tools are limited based on the specifications of the system you buy, and an upgrade becomes a replacement appliance which can be expensive. The most flexible option is a network traffic monitoring tool that is software-based and allows you to allocate whatever disk space you think is appropriate.

4.   Associate the data with usernames

Traditional network traffic monitoring tools usually report on activity using IP or MAC addresses. While this is useful information, it can be problematic in DHCP environments if you are trying to find a problematic device. One piece of information that can bring together network activity and devices is usernames. Username association will let you know who is doing what on the network.

user network traffic
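The username association described in this tip, as an added example that is not part of the original post and not LANGuardian's own implementation. It assumes two constructed inputs: a stream of logon or DHCP lease events (timestamp, IP, username) and IP-addressed flow summaries. Because the same DHCP address is re-issued to different users over a day, the join must be time-aware: each flow is attributed to the most recent logon for that IP at or before the flow's timestamp, and a logon older than the lease lifetime is not trusted.

```python
from datetime import datetime, timedelta

# Constructed logon/lease events: (timestamp, ip, username).
LOGON_EVENTS = [
    ("2019-02-04T08:00:00", "192.168.1.50", "alice"),
    ("2019-02-04T08:05:00", "192.168.1.51", "bob"),
    ("2019-02-04T12:00:00", "192.168.1.50", "carol"),   # address re-issued to another user
]

# Constructed IP-based flow summaries: (timestamp, client_ip, server, bytes).
FLOWS = [
    ("2019-02-04T09:15:00", "192.168.1.50", "fileserver01", 5_000_000),
    ("2019-02-04T12:30:00", "192.168.1.50", "fileserver01", 7_000_000),
    ("2019-02-04T09:20:00", "192.168.1.51", "mail01", 200_000),
    ("2019-02-04T07:00:00", "192.168.1.52", "printer01", 1_000),        # no logon ever seen
]


def _ts(s):
    return datetime.fromisoformat(s)


def build_lease_table(events):
    """Map ip -> list of (logon_time, username) sorted by time."""
    table = {}
    for ts, ip, user in sorted(events, key=lambda e: e[0]):
        table.setdefault(ip, []).append((_ts(ts), user))
    return table


def user_for(table, ip, when, max_age=timedelta(hours=24)):
    """Username holding `ip` at time `when`: the latest logon at or before `when`,
    provided it is not older than max_age (assumed lease lifetime)."""
    best = None
    for start, user in table.get(ip, []):
        if start <= when:
            best = (start, user)
        else:
            break                       # list is sorted; later logons don't apply
    if best is not None and when - best[0] <= max_age:
        return best[1]
    return None


def bytes_by_user(events=LOGON_EVENTS, flows=FLOWS):
    """Re-key IP-based flow totals by username; unattributed IPs stay visible."""
    table = build_lease_table(events)
    totals = {}
    for ts, ip, server, nbytes in flows:
        user = user_for(table, ip, _ts(ts)) or f"unknown({ip})"
        totals[user] = totals.get(user, 0) + nbytes
    return totals


if __name__ == "__main__":
    for user, total in sorted(bytes_by_user().items()):
        print(f"{user:>24} {total:>12,d} bytes")
```

The `unknown(ip)` bucket is kept on purpose: an address generating traffic with no logon behind it is exactly the rogue or unmanaged device the next tip warns about.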

5.    Check the flows and packet payloads for suspicious content

Many networks have intrusion detection systems at the edge but very few have this type of technology monitoring internal traffic. All it takes is one rogue mobile or IoT device to compromise a network. Another issue I often see is firewalls allowing suspicious traffic through where a rule was misconfigured.

The image below shows an example of this: someone created a rule to allow traffic inbound on TCP 5901 (VNC remote desktop sharing), but they did not limit it to one source and destination. The source addresses in this case appear to be registered in China and connections from this country would not be expected on this network.

Detecting IoT devices with network traffic monitoring

Not all tools for monitoring network traffic are the same. Generally they can be broken down into two types – flow-based tools and deep packet inspection tools. Within these two types you have the choice of tools that use/don't use software agents, tools that store/don't store historical data, and tools with intrusion detection systems that monitor network traffic within the network as well as at the network edge.

  • Choose flow-based analysis tools if you want to get traffic volumes and IP addresses associated with WAN or other layer 3 links.
  • Choose packet analysis tools if you need traffic volumes, IP addresses and more detail to investigate security or operational issues.

If you would like to discuss any of the points raised in this article, do not hesitate to contact us.

How to check for HTTP servers on your network

HTTP servers on network

HTTP Background

Designed in the early 1990s, HTTP is an application layer protocol that is sent over TCP, though any reliable transport protocol could theoretically be used. Typically it uses TCP port 80 but this can be changed. Due to its extensibility, it is used to not only fetch hypertext documents, but also images and videos or to post content to servers, like with HTML form results. HTTP can also be used to fetch parts of documents to update Web pages on demand.

HTTP Protocol Design

Google are promoting a move away from HTTP

For the past several years, Google have moved towards a more secure web by strongly advocating that sites adopt HTTPS encryption. It started back in 2014 when they announced that they were using HTTPS as a ranking signal. If you moved your site away from HTTP and onto HTTPS you would receive a tiny boost in the Google search rankings.

Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. If you host your own web servers it could mean that users will be less likely to interact with them if their browsers are marking them as insecure. Now is the time to move your websites from HTTP to HTTPS.

Generating an inventory of HTTP servers using network traffic analysis.

HTTP servers normally run over TCP port 80. However, HTTP servers can be configured to run over any port, so generating a list of web servers listening on TCP port 80 may not give you the complete list. Another method of detecting web servers is to use a network scanning tool that checks for anything listening on port 80 or other ports.

One thing to watch with the scanning approach is to make sure all servers are powered up when you run the network scan. Another issue with this approach is that you won’t be able to find out if users from outside your network are accessing these servers, you will just know that they are active.

Our recommended approach is to monitor network traffic going to and from your web servers. You can do this by setting up a SPAN\Mirror port or by using a TAP device. If you are only concerned about users outside of your network, you just need to monitor your Internet gateway points. The video below goes through the process of getting network monitoring in place at your network edge.

Once you have a data source in place (SPAN\Mirror\TAP) you can then check for web server activity by searching for specific metadata such as an HTTP GET. For small networks you can do this manually using tools like Wireshark. For larger networks you can automate this with an application such as our own LANGuardian. It has built-in web traffic decoders which can automatically build an HTTP server inventory 24/7.
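The payload-based approach just described, as an added example; it is not code from the original post and not LANGuardian's decoder. It identifies a web server by the HTTP request line in the TCP payload rather than by destination port, so servers on non-standard ports are found, and it records which servers have been reached from outside the network. The packets are constructed samples of (src, sport, dst, dport, payload); "internal" is assumed to mean the RFC 1918 ranges. A TLS ClientHello is included to show that port 443 traffic is not mistaken for plaintext HTTP.

```python
import ipaddress
import re

# Assumption: RFC 1918 space is the local network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# An HTTP/1.x request line at the start of a TCP payload, e.g. "GET /path HTTP/1.1".
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]+)", re.IGNORECASE)

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, tcp_payload)
PACKETS = [
    ("192.168.1.20", 50001, "192.168.1.10", 80,
     b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("203.0.113.8", 40000, "192.168.1.11", 8080,
     b"GET /admin HTTP/1.1\r\nHost: 198.51.100.20:8080\r\n\r\n"),      # external client
    ("192.168.1.21", 50002, "192.168.1.12", 5357,
     b"POST /upnp/control HTTP/1.1\r\nHost: 192.168.1.12:5357\r\n\r\n"),
    ("192.168.1.22", 50003, "192.168.1.13", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),                   # TLS, not HTTP
    ("192.168.1.10", 80, "192.168.1.20", 50001,
     b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),                   # a response
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_inventory(packets=PACKETS):
    """Servers on the local network, keyed by (ip, port), found via request lines."""
    inventory = {}
    for src, sport, dst, dport, payload in packets:
        if not REQUEST_LINE.match(payload) or not is_internal(dst):
            continue
        entry = inventory.setdefault((dst, dport),
                                     {"hosts": set(), "external_clients": set(), "requests": 0})
        entry["requests"] += 1
        m = HOST_HEADER.search(payload)
        if m:
            entry["hosts"].add(m.group(1).decode("ascii", "replace"))
        if not is_internal(src):
            entry["external_clients"].add(src)
    return inventory


def non_standard_port_servers(inventory):
    return sorted(key for key in inventory if key[1] != 80)


def externally_reached(inventory):
    """Servers that received at least one request from outside the network."""
    return sorted(key for key, v in inventory.items() if v["external_clients"])


if __name__ == "__main__":
    inv = build_inventory()
    for (ip, port), entry in sorted(inv.items()):
        print(f"{ip}:{port} hosts={sorted(entry['hosts'])} "
              f"external={sorted(entry['external_clients'])}")
```

Matching on the request line is what makes the 8080 and 5357 servers in the post's screenshot appear at all; a port-80 filter would have missed both.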

Using LANGuardian to passively detect HTTP servers on your network

LANGuardian comes with an application recognition engine which can report on what applications are in use on your network. If you combine these reports with filters you can quickly find out what web servers are on your network and also which are being accessed by clients and their countries outside your network.

The image below shows an example of the output. Here we can see that 6 HTTP servers were active on our network during the one-hour sample period. Also worth noting is that some of these web servers are running on non-standard ports: 8080 and 5357.

If you have a LANGuardian on your network you need to select the “Top Website Domains” report and use these filters:

  1. Source = External
  2. Destination = Internal
  3. Protocol = HTTP

Web servers on the network being accessed by external clients

Click on the image above to access this report directly on our live demo system and drill down.

Find Out What Web Servers Are Running on Your Network With LANGuardian

Use the deep packet inspection engine of LANGuardian to report on web server use on your network. Real time and historical reports available. No need to install any agents or client software.

  • Captures web traffic via SPAN\Mirror port or TAP.
  • Integration with Active Directory so you can see who is doing what on the Internet.
  • Passive monitoring so no proxy, agents or client software required.
  • Supports monitoring of direct and proxy based web traffic.
  • Captures domain names from SSL cert negotiation so you can accurately report on HTTPS activity.
  • GeoIP matching allows you to see the countries websites are located in.

All analysis is done passively using network traffic analysis and you will see results within minutes.

QUIC Protocol Detection Now Available in LANGuardian

QUIC Protocol

What is the QUIC Protocol?

QUIC (Quick UDP Internet Connections, pronounced quick) is a transport layer network protocol designed by Jim Roskind at Google. QUIC supports a set of multiplexed connections between two endpoints over User Datagram Protocol (UDP), and was designed to provide security protection equivalent to TLS/SSL, along with reduced connection and transport latency, and bandwidth estimation in each direction to avoid congestion. QUIC aims to be nearly equivalent to an independent TCP connection, but with much reduced latency.

The most common use of QUIC today is for streaming YouTube videos. If you use a Chrome browser then data associated with your YouTube activity uses the QUIC protocol. Some reports suggest that QUIC now accounts for more than 5% of Internet Traffic. Other browsers such as Opera version 16 and above also support the QUIC protocol but don’t have it enabled by default.

How to detect QUIC protocol use on your network

The most reliable way to detect QUIC protocol use on your network is to monitor network traffic at your network edge. Our LANGuardian product can use this data source to look at packet payloads and identify what protocols are in use. The video below shows how to set up a SPAN or mirror port to capture traffic at your network edge.

Once you have your LANGuardian in place you need to click on Reports \ Top Protocols. In my case the QUIC protocol accounts for 78% of bandwidth use.

Drilling down on this we can then see the Googlevideo domain and the usernames associated with this activity. Googlevideo is the domain Google use for streaming YouTube content.

Drilling down on QUIC traffic
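How a protocol decoder can tell QUIC apart from other UDP traffic on the same port, as an added example; this is not LANGuardian's detection logic and not code from the original post. It is a simplified header heuristic: the Google QUIC used by Chrome at the time of this post carries a public-flags byte followed by an optional 8-byte connection ID and a four-byte version tag of the form `Q0nn`, while IETF QUIC (RFC 9000) long-header packets set the top two bits of the first byte and follow them with a non-zero 32-bit version. The datagrams below are constructed samples, not captures.

```python
# Constructed UDP datagrams: (src_ip, dst_ip, dst_port, payload)
DATAGRAMS = [
    # Google QUIC: flags 0x0D = version present | 8-byte CID present | 1-byte pkt number
    ("192.168.1.20", "172.217.0.1", 443, bytes([0x0D]) + b"\x11" * 8 + b"Q043" + b"\x01\x00"),
    # IETF QUIC Initial: long header 0xC3, version 0x00000001, then CID lengths/CIDs
    ("192.168.1.21", "172.217.0.2", 443, b"\xC3\x00\x00\x00\x01\x08" + b"\x22" * 8 + b"\x00" * 20),
    # Plain DNS query on UDP/53
    ("192.168.1.22", "192.168.1.5", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    # Long-header shape with version 0: a version-negotiation packet, not classified
    ("192.168.1.23", "192.168.1.5", 443, b"\xC0\x00\x00\x00\x00" + b"\x00" * 8),
]


def classify_udp_payload(payload: bytes) -> str:
    """Return 'gquic', 'ietf-quic' or 'other' using header shape only."""
    if len(payload) < 5:
        return "other"
    first = payload[0]
    # Google QUIC public header: bit 0x01 = version field present,
    # bit 0x08 = 8-byte connection ID precedes it; version tag is 'Q' + 3 digits.
    if first & 0x01:
        off = 1 + (8 if first & 0x08 else 0)
        ver = payload[off:off + 4]
        if len(ver) == 4 and ver[:1] == b"Q" and ver[1:].isdigit():
            return "gquic"
    # IETF QUIC long header: bit 7 (long form) and bit 6 (fixed bit) set,
    # followed by a 32-bit version; zero means version negotiation.
    if first & 0xC0 == 0xC0:
        version = int.from_bytes(payload[1:5], "big")
        if version != 0:
            return "ietf-quic"
    return "other"


def quic_share(datagrams=DATAGRAMS):
    """Fraction of UDP bytes carried by QUIC, the kind of figure a Top Protocols
    report gives (returned as a value in [0, 1])."""
    total = quic = 0
    for src, dst, dport, payload in datagrams:
        total += len(payload)
        if classify_udp_payload(payload) != "other":
            quic += len(payload)
    return quic / total if total else 0.0


if __name__ == "__main__":
    for src, dst, dport, payload in DATAGRAMS:
        print(f"{src} -> {dst}:{dport} {classify_udp_payload(payload)}")
    print(f"QUIC share of UDP bytes: {quic_share():.1%}")
```

Port alone is not enough here: QUIC shares UDP/443 with nothing else in practice, but DNS-over-HTTPS, other UDP/443 services and version-negotiation packets all show why a decoder checks the header shape rather than the port number.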

Upgrade your LANGuardian to enable QUIC detection

QUIC detection was added in LANGuardian version 14.3.2. If you are a customer you must upgrade to this version or higher: click on the gear symbol top right, then Settings \ LANGuardian software upgrade. Your LANGuardian must have Internet access to check for and download the latest version.

If you are not a LANGuardian customer then you can download a 30 day trial and see within minutes how much bandwidth the QUIC protocol is using on your network.

Monitoring OneDrive Traffic

monitor onedrive traffic

How to monitor OneDrive traffic

OneDrive is a file hosting service developed by Microsoft that allows users to sync files and later access them from any web browser or mobile device. Presently, their basic OneDrive free package allows for 5GB of storage and you can upgrade to a premium offering which allows for 1TB of storage. This can result in high bandwidth use associated with OneDrive traffic.

A common question asked by our customers is how to provide reports about flow data usage by the Microsoft OneDrive application. The application requires access to a range of external websites and port numbers which can make it tricky to get a top level view of bandwidth use.

From an IP lookup point of view, all of the IP addresses are registered to Microsoft, so you may not be able to definitely say it was OneDrive traffic activity using IP look up alone.

Firstly, all of the OneDrive traffic is encrypted; ignore the HTTP part of the report, as that was me browsing other sites. This would be standard practice for all cloud storage services; I would be very surprised to find one that was not using encryption and, if so, I would refuse to use it.

Drilling down on the HTTPS traffic, it revealed that the data was associated with the domain. This would make perfect sense as OneDrive is included in the suite of online services formerly known as Windows Live.

onedrive domains

Further analysis highlights that this activity is associated with storage sub-domains within that domain. LANGuardian captures this by dissecting the server’s SSL certificate (which must always be presented to the client) and at this point it can extract the server\domain name. By filtering on this sub-domain information, it is then possible to show how much data is associated with OneDrive.

associated onedrive traffic domains
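Attributing encrypted traffic to a domain and filtering on a sub-domain, as an added example; it is not code from the original post and not LANGuardian's certificate dissector. Instead of the server certificate it reads the Server Name Indication (SNI) from the client's TLS ClientHello, which is the other plaintext source of the domain name in a TLS handshake (and the only one left once TLS 1.3 encrypts the certificate). `build_client_hello` constructs a minimal ClientHello purely to give the parser realistic input; the domain names and flow byte counts are placeholders, not OneDrive's real domains.

```python
import struct


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # extension server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32      # client_version, random
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\xc0\x2f"            # one cipher suite
            + b"\x01\x00"                    # one compression method (null)
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type=1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                   # not a handshake / not ClientHello
    pos = 5 + 4 + 2 + 32                              # record hdr, handshake hdr, version, random
    if pos >= len(record):
        return None
    pos += 1 + record[pos]                            # session_id
    if pos + 2 > len(record):
        return None
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(record):
        return None
    pos += 1 + record[pos]                            # compression_methods
    if pos + 2 > len(record):
        return None
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(record)):
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                        # server_name: list len, then entries
            lpos = pos + 2
            if lpos + 3 <= pos + ext_len and record[lpos] == 0:
                name_len = struct.unpack("!H", record[lpos + 1:lpos + 3])[0]
                if lpos + 3 + name_len <= len(record):
                    return record[lpos + 3:lpos + 3 + name_len].decode("ascii", "replace")
            return None
        pos += ext_len
    return None


# Constructed flows: (client_ip, server_ip, first_client_payload, total_bytes).
FLOWS = [
    ("192.168.1.20", "203.0.113.10", build_client_hello("storage.cloudstorage.example"), 48_000_000),
    ("192.168.1.20", "203.0.113.11", build_client_hello("skyapi.cloudstorage.example"), 2_000_000),
    ("192.168.1.21", "203.0.113.12", build_client_hello("news.example.org"), 900_000),
    ("192.168.1.22", "203.0.113.13", b"\x16\x03\x01\x00\x05\x02\x00\x00\x01\x00", 10_000),  # ServerHello
]


def bytes_by_domain(flows=FLOWS, suffix=None):
    """Total bytes per SNI domain, optionally restricted to a sub-domain suffix."""
    totals = {}
    for client, server, payload, nbytes in flows:
        name = extract_sni(payload) or f"unknown({server})"
        if suffix is None or name.endswith(suffix):
            totals[name] = totals.get(name, 0) + nbytes
    return totals


if __name__ == "__main__":
    print(bytes_by_domain(suffix=".cloudstorage.example"))
```

The same caveat applies to SNI as to certificate names: a CDN or shared front end can sit behind one name, and Encrypted Client Hello will hide the SNI where it is deployed, so the fallback bucket keyed by server IP is worth keeping in any report.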

Finally, looking at the GeoIP data, I can see that the IP addresses are registered in the US. Nothing strange here, as I think all of Microsoft’s IP blocks are US registered.

onedrive geoip information

If you want to check for OneDrive traffic volumes on your network, download a 30 day trial of LANGuardian, install on a standard server or VMware and simply connect to a SPAN port or port mirror, to find out what is happening on your network within minutes.

Looking back at our 2016 Top Blog Posts

2016 Top Blog Posts

As we look back on 2016, we review our top 5 blog posts from the year that highlight key challenges and share solutions on how we have helped our customers (I know most like to show their top 10 blog posts, but we think that’s too many to read all at once!).

 1. Tracking Web Activity by MAC Address (Read)

Tracking web activity is nothing new! For many years, IT managers have tried to get some sort of visibility at the network edge so that they can see what is happening. One of the main drivers for this is the need to keep the network secure no matter what type of device gets connected. As Internet usage is constantly growing, malicious, phishing, scamming and fraudulent sites are also evolving. In this post, we take a look at how to track web activity back to MAC addresses.

2. Five Methods for Detecting Ransomware Activity (Read)

New variants of Ransomware are appearing on a daily basis and traditional security tools like antivirus are struggling to keep up. New variants have also changed the way they encrypt files and what happens to your data once it is encrypted. Here, we take a look at 5 methods for detecting and alerting on Ransomware activity.

3. Forensic Analysis of a DDoS Attack (Read)

2016 was a busy year for DDoS style attacks and a recent article from the BBC also suggests that website-crippling cyber-attacks are set to rise. We look at what happens when a network is targeted and what you should watch out for on your own network.

4. Monitoring multiple VLANs with a single SPAN session (Read)

SPAN or mirror ports can be a rich source of network and user activity data. Most people set them up so that one port is mirroring another port. However, most switches support many-to-one port mirroring and some even support VLAN monitoring. In this post, we look at how you can configure VLAN monitoring on a Cisco switch.

5. Building Your Own Cryptolocker Monitoring Dashboard (Read)

This is the second Ransomware themed post in our top 5 which indicates how much of a problem Ransomware was in 2016. In this post, we look at how you can build a LANGuardian dashboard to focus on suspicious network file share activity.

Let us know what your favorite blogs were in 2016 in the comments below – and perhaps, tell us what you would like us to cover. We are always listening!

So you don’t miss any of our blogs in 2017, subscribe here!

How to tell the difference between normal NTP traffic and DDoS NTP traffic

Monitor Network Traffic

Normal NTP traffic vs. DDoS NTP traffic

Yet again, DDoS attacks were in the news when the recent Dyn outage took a lot of popular websites and services offline. DDoS attacks of this nature are an ever-present threat and are similar to the ones which shut down a number of government and college networks earlier this year. I covered this attack in an earlier blog post which looked at the forensic analysis of a DDoS attack.

Each of these attacks used spoofed packets based on UDP protocols like NTP or DNS. Both of these protocols are vital when it comes to data communications, so we cannot just switch them off. What we all need to do is monitor network traffic on our networks and watch out for suspicious activity.

If you want to carry out detailed forensics on current and past events, packet capture is the recommended approach, as it will enable you to look at packet payloads which can reveal a lot about the nature of the attack. A SPAN, mirror port or network TAP are the most popular methods for getting a source of network packets.

Take a look at this short video, as it explains the basics of what you need to do to monitor Internet traffic on your network.

How to tell the difference between normal NTP and DDoS NTP traffic

Firstly, let us take a look at what a snapshot of normal NTP traffic looks like on a network. The screen shot below was taken from a LANGuardian system which was monitoring all traffic at the edge of a busy network.

Normal NTP Traffic
  1. The first thing we see is random external IP addresses sending UDP packets. This would suggest that this network is hosting open NTP servers. Unless there is a specific reason for this, I would not allow inbound queries like these.
  2. The destination IP address is local to this network. I have blurred some of the information as it has IP addresses associated with this specific network.
  3. The destination port is 123 which is associated with NTP.
  4. The total amount of data sent back to the queries is small or zero in some cases. This is normal when it comes to NTP.

Now, let’s take a look at NTP traffic associated with a DDoS attack. The image below was taken from the same network when it was targeted with a DDoS attack. The initial symptom was high CPU usage on firewalls, which then led to network congestion when Internet links became swamped with traffic. What was also interesting is that the firewall logs were inaccessible, so it was vital that we had a separate network traffic monitoring tool in place.

DDoS NTP traffic
  1. Random external source addresses. Nothing unusual here, other than the question of whether this network should be providing open NTP services.
  2. The destination IP is located inside this network. Note that the source IP is probably spoofed by the attackers. This is not the IP address of their system, so it’s pointless blocking these source IP addresses.
  3. Targeted service is NTP.
  4. The crucial info is in the received column. Here, we can see that for a small amount of sent traffic there is a large reply. 18KB may not seem like a lot but when you have millions of queries it can add up to a massive DDoS NTP traffic attack.
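The sent-versus-received comparison in point 4, turned into a detection rule, as an added example; it is not code from the original post and not a LANGuardian report. It runs over constructed bidirectional flow summaries of the kind a SPAN-fed monitor produces (bytes the external source sent in, bytes the local server sent back) and flags UDP/123 flows whose reply is many times larger than the request. Because the source addresses are spoofed, the "src" column is the victim, so the output is also grouped by local server to show which internal hosts are acting as reflectors. The 10x ratio and 1 KB floor are assumptions chosen to separate the small replies in the normal screenshot from the 18 KB replies in the attack one.

```python
from collections import defaultdict

# Constructed bidirectional flow summaries:
# (src_ip, dst_ip, proto, dst_port, bytes_sent_by_src, bytes_returned_to_src)
FLOWS = [
    ("198.51.100.10", "10.0.0.5", "udp", 123, 48, 48),       # normal NTP: small query, small reply
    ("198.51.100.11", "10.0.0.5", "udp", 123, 48, 0),        # normal: no reply at all
    ("203.0.113.20", "10.0.0.5", "udp", 123, 234, 18_432),   # amplified: ~18 KB back per query burst
    ("203.0.113.21", "10.0.0.5", "udp", 123, 234, 18_000),
    ("198.51.100.12", "10.0.0.7", "udp", 53, 60, 120),       # DNS, mild ratio, different port
]


def amplification_ratio(sent, received):
    """Bytes returned per byte received; infinite if a reply had no request."""
    if sent:
        return received / sent
    return float("inf") if received else 0.0


def find_amplification(flows=FLOWS, port=123, min_ratio=10.0, min_bytes=1_000):
    """UDP flows to `port` where the reply is at least min_ratio times the request
    and at least min_bytes in size (assumed thresholds)."""
    suspects = []
    for src, dst, proto, dport, sent, recv in flows:
        if proto != "udp" or dport != port:
            continue
        ratio = amplification_ratio(sent, recv)
        if ratio >= min_ratio and recv >= min_bytes:
            suspects.append({"victim_src": src, "reflector": dst, "sent": sent,
                             "received": recv, "ratio": round(ratio, 1)})
    return suspects


def reflector_summary(flows=FLOWS, port=123, min_ratio=10.0):
    """Per local server: amplified vs normal query counts and total bytes it pushed out,
    i.e. which of your own hosts are being used as reflectors."""
    summary = defaultdict(lambda: {"amplified": 0, "normal": 0, "bytes_out": 0})
    for src, dst, proto, dport, sent, recv in flows:
        if proto != "udp" or dport != port:
            continue
        entry = summary[dst]
        entry["bytes_out"] += recv
        if amplification_ratio(sent, recv) >= min_ratio:
            entry["amplified"] += 1
        else:
            entry["normal"] += 1
    return dict(summary)


if __name__ == "__main__":
    for s in find_amplification():
        print(f"{s['reflector']} -> {s['victim_src']}: {s['received']} B back for "
              f"{s['sent']} B, ratio {s['ratio']}x")
    print(reflector_summary())
```

Blocking the "source" addresses in the suspects list would hit the victims, not the attacker; the actionable output is the reflector column, which tells you which local NTP service to restrict or move to a DMZ.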


  • No matter what size of network you are responsible for, you need to monitor network traffic.
  • Don’t rely on log files as they may not be accessible if your network comes under attack.
  • Watch out for suspicious activity like DDoS NTP traffic where the received totals are much higher than what is being sent.
  • Make changes to firewall rules based on your findings. If you run public services inside your network, move them to a DMZ or block access if it is something that should not be in place.

To find out if LANGuardian is the right solution for your business, visit

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions for everything from user activity monitoring, file activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics and network forensics to packet capture.

To see LANGuardian in action – try our interactive demo today!

Top wireless users downloading from the internet

Wireless Users Downloading

Customer Use Case: Top wireless users downloading from the internet

Last week, we had an interesting request from one of our customers. In their own words, they requested: “I’m looking for a new report on our Internet Monitoring dashboard. I want to list the top wireless users downloading from the internet”.

Specifically, the customer had 3 questions they wanted answered:

(1) On average, how many users are downloading 5GB or more in an hour?
(2) On average, how many users are downloading 2.5GB or more in an hour?
(3) If we limit users to 5Mbps, how much bandwidth would we save for distribution between other users?

They really needed to see the level of downloads and gauge the effect of rate limiting wireless users.
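The three questions above can be answered from per-client hourly download totals, which is what a wireless usage report boils down to. The following is an added example, not LANGuardian code or the customer's report; the records, the client addresses and the threshold values are constructed, and the 5Mbps saving is computed as the bytes each client-hour sits above what a sustained 5Mbps cap could deliver.

```python
# Added example (not LANGuardian code): answer the customer's three questions
# from per-client hourly download totals. All records below are constructed.
from collections import defaultdict

GB = 10**9  # decimal gigabyte, as bandwidth reports usually state it

# Constructed sample: (client IP, hour the traffic fell in, bytes downloaded)
HOURLY_DOWNLOADS = [
    ("10.20.1.15", "2016-09-12 09:00", 6_200_000_000),
    ("10.20.1.15", "2016-09-12 10:00", 1_100_000_000),
    ("10.20.1.22", "2016-09-12 09:00", 2_800_000_000),
    ("10.20.1.22", "2016-09-12 10:00", 3_100_000_000),
    ("10.20.1.40", "2016-09-12 09:00",   400_000_000),
    ("10.20.1.40", "2016-09-12 10:00",   350_000_000),
]


def users_over_threshold_per_hour(records, threshold_bytes):
    """Per hour, count distinct clients that downloaded at least threshold_bytes,
    then average that count over all hours seen (questions 1 and 2)."""
    per_hour = defaultdict(lambda: defaultdict(int))
    for client, hour, nbytes in records:
        per_hour[hour][client] += nbytes
    counts = [sum(1 for b in clients.values() if b >= threshold_bytes)
              for clients in per_hour.values()]
    return sum(counts) / len(counts) if counts else 0.0


def cap_bytes_per_hour(rate_mbps):
    """Most a client can pull in one hour at a sustained rate_mbps cap."""
    return rate_mbps * 1_000_000 * 3600 // 8


def bytes_saved_by_cap(records, rate_mbps):
    """Upper bound on bytes that would not have crossed the link in those hours
    had every client been held to rate_mbps: the excess above the cap in each
    client-hour (question 3). A cap only delays traffic, so treat this as the
    peak-hour relief, not traffic that disappears."""
    cap = cap_bytes_per_hour(rate_mbps)
    per_client_hour = defaultdict(int)
    for client, hour, nbytes in records:
        per_client_hour[(client, hour)] += nbytes
    return sum(max(0, b - cap) for b in per_client_hour.values())


if __name__ == "__main__":
    print("avg users >= 5GB/h :", users_over_threshold_per_hour(HOURLY_DOWNLOADS, 5 * GB))
    print("avg users >= 2.5GB/h:", users_over_threshold_per_hour(HOURLY_DOWNLOADS, 2.5 * GB))
    print("5Mbps cap per hour  :", cap_bytes_per_hour(5), "bytes")
    print("bytes above cap     :", bytes_saved_by_cap(HOURLY_DOWNLOADS, 5))
```

A 5Mbps cap works out at 2.25GB per hour, so the interesting output is which client-hours exceed that; the same aggregation with a real sensor's hourly totals gives the customer's numbers directly.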

Our Support Team worked with them to update their LANGuardian dashboards so that they had access to a new set of reports focused on wireless client activity. The response from the customer was “Excellent, exactly what I was looking for”. Needless to say, it is great to see another happy customer. The image below depicts what this dashboard looks like now.

Wireless Users Downloading From The Internet

Providing reliable wireless network access is a must for most Network Managers these days. Between the demands from network users to use their own wireless devices and the move to an IoT connected world, it is vital that wireless networks are both secure and efficient. It takes just one or two wireless clients to hog the available bandwidth and suddenly all users are impacted.

One of the challenges with monitoring BYOD devices on wireless networks is that traditional monitoring tools which require logs or software agents won’t work. You will struggle to enable any sort of local logging on mobile devices, and the owners of these devices never want to put monitoring agents or software on them.

If you want to monitor what wireless users are doing on your network, you can use network traffic analysis as a data source. Essentially, there are two main technologies you can choose from if you want to perform traffic analysis on your network:

(1) Flow analysis

(2) Packet analysis

Flow analysis tools struggle with wireless traffic as they only report on IP addresses and ports. Network traffic analysis tools which use deep packet inspection technologies can capture wireless device metadata from HTTP headers. A sample report from a traffic analysis application is shown below.

Wireless Downloads

A SPAN or mirror port is an ideal source if you want to monitor Internet traffic. It provides a passive way of capturing network packets, which means it will not impact network performance. Network TAPs can be used as an alternative if you do not want to use SPAN ports. Check out the video below to see how you can set up a SPAN port to monitor internet activity.

Another advantage of using network packets as a data source is that you can identify what type of mobile devices are connecting to your network. When a mobile device connects to a web site, it transmits device-specific information in the User-Agent field of the HTTP header. The image below shows how this information can then be used to report on what is connecting to your network via wireless.
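The device report above comes from exactly the header field just described. As an added example (not LANGuardian code), the snippet below pulls the User-Agent out of raw HTTP request heads the way a sensor on a SPAN port would see them and buckets clients by device type; the request texts, client addresses and the classification rules are constructed for illustration.

```python
# Added example (not LANGuardian code): extract the User-Agent from captured
# HTTP request heads and classify the client device. All requests are constructed.
import re
from collections import Counter

# Constructed sample of (client IP, raw HTTP request head) as seen on a SPAN port.
REQUESTS = [
    ("10.20.1.15", "GET /news HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1 Mobile/13E238 Safari/601.1\r\n\r\n"),
    ("10.20.1.22", "GET /app HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5X Build/MDB08L) AppleWebKit/537.36 Chrome/48.0 Mobile Safari/537.36\r\n\r\n"),
    ("10.20.1.40", "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/51.0 Safari/537.36\r\n\r\n"),
    ("10.20.1.51", "GET /x HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # no User-Agent at all
]


def user_agent(request_head):
    """Return the User-Agent header value, or None if absent. Header names are
    case-insensitive (RFC 7230), so compare them lower-cased."""
    for line in request_head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


# Ordered rules: the first match wins. Constructed for this example; a real
# inventory would carry a much longer list.
DEVICE_RULES = [
    ("iPhone",     re.compile(r"\biPhone\b")),
    ("iPad",       re.compile(r"\biPad\b")),
    ("Android",    re.compile(r"\bAndroid\b")),
    ("Windows PC", re.compile(r"\bWindows NT\b")),
    ("macOS",      re.compile(r"\bMacintosh\b")),
]


def classify(ua):
    if ua is None:
        return "unknown (no User-Agent)"
    for label, pattern in DEVICE_RULES:
        if pattern.search(ua):
            return label
    return "other"


def device_inventory(requests):
    """Map each client IP to a device label (first request seen wins) and
    return that map plus a Counter of labels, which is what the report tallies."""
    seen = {}
    for client, head in requests:
        seen.setdefault(client, classify(user_agent(head)))
    return seen, Counter(seen.values())


if __name__ == "__main__":
    by_client, totals = device_inventory(REQUESTS)
    for client, label in by_client.items():
        print(client, "->", label)
    print(totals)
```

Two caveats a practitioner would apply: the User-Agent is whatever the client chooses to send, so it is an inventory aid rather than an authenticated identity, and it is only visible on plaintext HTTP; for HTTPS sessions you are left with the TLS handshake and DNS names.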

Web Clients


5 Points on your Network where you should be analyzing Network Traffic

Network Traffic Analysis Tools

Analyzing Network Traffic – Where To Start

If you want to find out what is happening on your network, analyzing network traffic is a great way to start. By capturing traffic from a SPAN port, mirror port or network TAP, you have a non-intrusive way of gaining visibility without the need for software agents or clients.

If you want to move beyond capturing local traffic on a client using applications like Wireshark, it may not be obvious where to start capturing. In this blog post, I take a look at the most important points on a network which you should focus on. In all cases, you can use a SPAN port, port mirror, TAP or network packet broker (NPB) as the data source for network packets.

1. Network Perimeter \ Internet Gateway

The best starting point for any type of traffic analysis strategy is at the edge of your network. Many bandwidth or security issues can be investigated by implementing network traffic analysis at this point. With a traffic analysis tool, you can spot things like large downloads, streaming, or suspicious inbound or outbound traffic. Make sure you start off by monitoring the internal interfaces of firewalls; this will allow you to track activity back to specific clients or users.

This video explains how you can use a SPAN port to monitor internet activity.

2. Network Core

Once you have visibility at the network edge, you should then look at analyzing network traffic at the network core. Most managed switches will allow you to take a copy of traffic going to\from multiple ports and send it to a single port where you can plug in your traffic analysis tool. On certain switches, such as Cisco models, you can monitor entire VLANs, so you don’t need to worry about monitoring specific ports.

The key thing to watch out for when monitoring at the core is that you don’t overload the SPAN port. If you max out its capacity, you may need to consider splitting the traffic across two SPAN\mirror ports or upgrading to 10Gb if you are currently using 1Gb ports.

3. DMZ

Once you have visibility inside your network, you should then consider monitoring activity just outside the network’s edge. Typically, this is called the demilitarized zone (DMZ) and may contain web servers and other public-facing resources.

A DMZ is a busy place when it comes to network events. Many devices here will have public IP addresses and so will be constantly scanned and probed for vulnerabilities.

Analyzing Network Traffic in DMZ

4. Remote Networks

If you are analyzing network traffic at your network core, you should be able to see what is happening on WAN links. This is possible through the use of filters based on the subnets in use at the remote sites. You can read more about this in my recent blog post which looked at a number of ways for generating reports on WAN bandwidth utilization.

However, you will need to analyze traffic locally at the remote sites if you want to see what is happening on these remote networks. A typical use case for this would be identifying the source of a broadcast or unicast storm at the remote network.

5. East West Traffic on Virtual Platforms

If you use virtual environments like VMware, Hyper-V or VirtualBox, you will have virtual networks in place. These networks are built up from virtual switches which are mapped to the physical interfaces on the hypervisor. However, network traffic can flow between virtual hosts without ever appearing on the physical network. This has become a common blind spot for many Network Managers who have virtualized one or more servers.

In order to gain visibility within a virtual environment, you need to deploy a virtual machine capable of analyzing network traffic flowing through a virtual switch. The following video explains what needs to be done to implement this on an ESX server.

We have further videos available within the resources section of this website which look at what you need to do on other hypervisors.


Top 5 Reasons why you should be Monitoring Internet Traffic

Top 5 Reasons why you should be Monitoring Internet Traffic

The perimeter of most networks is a busy place, from the constant bandwidth battles with resource-hungry applications to the security threats posed by malware like ransomware. Gone are the days of SNMP graphs for monitoring internet users; today’s IT professionals need the detail provided by deep packet inspection technologies and firewall logs. Monitoring internet traffic is vital for keeping a network running securely and efficiently.

Deep packet inspection once had a reputation as an expensive and difficult-to-use technology, as most solutions were appliance based and required specific skill sets. However, there are many low-cost and easy-to-use products available now. All you need to do is set up a SPAN port or install a TAP and you will gain visibility of what is happening on your Internet connection.

Recently, we asked our customers what their top use cases were for internet traffic analysis. Interestingly, the results returned a number of operational and security use cases. Here, we just take a look at the top 5.

1. Look for unexpected traffic on specific ports

There are two primary TCP ports used for internet browsing: TCP port 80 for unencrypted communications and TCP port 443 for encrypted sessions. However, many applications can use these ports, such as Skype, Dropbox and BitTorrent. In today’s world, you cannot assume that all activity on port 80 or 443 is web page browsing.

Many of our customers want reports which look for all outbound traffic on port 80/443 where the traffic type isn’t HTTP/HTTPS. They struggle with flow tools, as these were never designed as web usage trackers. Monitoring tools which look at packet payloads and identify what applications are riding on ports 80 or 443 are a more accurate solution. This is the most common security use case we hear about when it comes to monitoring internet traffic.

unexpected traffic on specific ports
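The check behind that report is a payload check, not a port check: does the first client payload on a port 80 flow start like an HTTP request, and does the first payload on a port 443 flow look like a TLS ClientHello? The following is an added example (not LANGuardian code or its DPI engine) showing the minimal version of that test over constructed flows; the client addresses and payload bytes are made up for illustration.

```python
# Added example (not LANGuardian code): decide whether the first client payload
# of a flow to port 80 or 443 actually looks like HTTP or TLS. Flows are constructed.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def looks_like_http_request(payload):
    """Plaintext HTTP/1.x starts with a method, a space, and ' HTTP/1.' on the
    request line. Deliberately strict: anything else on port 80 is worth a look."""
    if not payload.startswith(HTTP_METHODS):
        return False
    first_line = payload.split(b"\r\n", 1)[0]
    return b" HTTP/1." in first_line


def looks_like_tls_client_hello(payload):
    """TLS record header: content type 0x16 (handshake), version 0x03 0x0x,
    two length bytes, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
            and payload[5] == 0x01)


def classify_flow(dst_port, payload):
    """'http' or 'tls' when the payload matches what the port implies,
    'unexpected' when it does not, 'n/a' for other ports."""
    if dst_port == 80 and looks_like_http_request(payload):
        return "http"
    if dst_port == 443 and looks_like_tls_client_hello(payload):
        return "tls"
    if dst_port in (80, 443):
        return "unexpected"
    return "n/a"


# Constructed sample flows: (client IP, destination port, first client payload)
FLOWS = [
    ("10.20.1.15", 80,  b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.20.1.22", 443, bytes.fromhex("160301007c0100007803035e")),  # TLS 1.2 record carrying a ClientHello
    ("10.20.1.40", 443, b"\x13BitTorrent protocol" + b"\x00" * 8),   # peer-wire handshake on 443
    ("10.20.1.51", 80,  b"SSH-2.0-OpenSSH_7.2\r\n"),                  # SSH banner on port 80
]


def unexpected_clients(flows):
    """Clients whose port 80/443 traffic is not HTTP/TLS: the report's rows."""
    return sorted({client for client, port, payload in flows
                   if classify_flow(port, payload) == "unexpected"})


if __name__ == "__main__":
    for client, port, payload in FLOWS:
        print(client, port, classify_flow(port, payload))
    print("unexpected:", unexpected_clients(FLOWS))
```

The strictness is intentional: cleartext HTTP/2 (its preface is `PRI * HTTP/2.0`) and plain HTTP on 443 both land in "unexpected", which for a first-pass report is the behaviour you want, since each is something an analyst should confirm rather than assume.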

2. Identify traffic which generated a large number of connections through firewalls

Almost all firewalls in use today are of a stateful variety. A stateful firewall is a network firewall that tracks the operating state and characteristics of network connections traversing it. The firewall is configured to distinguish legitimate packets for different types of connections. Only packets matching a known active connection are allowed to pass through the firewall. More recent firewalls are also application aware so that they can understand what applications are generating connections and apply filters based on this.

Our customers report that in extreme cases their firewalls start dropping connections if there is a large increase in outbound or inbound connections. A typical example is the BitTorrent application, which can generate hundreds of connections simultaneously. Make sure your monitoring tool has a means of tracking the number of network connections on a per-client basis. When monitoring internet traffic, tools that look at traffic volumes alone will not spot the problem. You need tools which can report on the number of connections on a per-user or per-IP-address basis.

Identify traffic which generated a large number of connections through firewalls
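What the report needs is a count of new connections per client within a short window, not a byte total. As an added example (not LANGuardian code), this computes the peak number of connections any client opened in a sliding 60-second window from constructed connection records and flags clients over a threshold; the addresses, timestamps and the threshold are constructed.

```python
# Added example (not LANGuardian code): peak new-connection rate per client over
# a sliding window, from constructed connection-start records.
from collections import defaultdict, deque

# Constructed records: (epoch seconds, src IP, dst IP, dst port) for each new TCP connection.
# One client opens 300 connections in 30 seconds (torrent-like); another browses normally.
CONNECTIONS = (
    [(1000 + i // 10, "10.20.1.40", f"203.0.113.{i % 50 + 1}", 6881) for i in range(300)]
    + [(1000 + i * 20, "10.20.1.15", "198.51.100.10", 443) for i in range(15)]
)


def peak_connections_per_window(records, window_seconds):
    """For each source IP, the largest number of connections started within any
    window_seconds-long interval. Sliding window over sorted start times."""
    by_src = defaultdict(list)
    for ts, src, _dst, _port in records:
        by_src[src].append(ts)
    peaks = {}
    for src, stamps in by_src.items():
        stamps.sort()
        window = deque()
        best = 0
        for ts in stamps:
            window.append(ts)
            # drop starts that fell out of the trailing window
            while window[0] <= ts - window_seconds:
                window.popleft()
            best = max(best, len(window))
        peaks[src] = best
    return peaks


def distinct_destinations(records):
    """Distinct destination hosts per source: hundreds of peers is a second
    signal that separates a swarm from a busy connection to one service."""
    dests = defaultdict(set)
    for _ts, src, dst, _port in records:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def noisy_clients(records, window_seconds=60, threshold=100):
    """Clients whose peak connection rate reaches the threshold."""
    peaks = peak_connections_per_window(records, window_seconds)
    return sorted(src for src, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    print(peak_connections_per_window(CONNECTIONS, 60))
    print(distinct_destinations(CONNECTIONS))
    print("noisy:", noisy_clients(CONNECTIONS))
```

The threshold is a tuning knob: pick it from a baseline of your own clients' peaks rather than a fixed number, and pair it with the distinct-destination count so that a user with one busy HTTPS session is not confused with a swarm.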

3. Understand who is misusing\abusing the Internet at remote locations

Bandwidth capacity to remote networks is still an issue for most network managers. When links get busy, you can’t keep increasing the capacity: as soon as you do, bandwidth-hungry applications will chew up the new bandwidth. It is also often a very expensive option, so getting visibility into what is happening on these links is vital.

One of the most common causes of WAN issues is excessive internet traffic. Sometimes this is accidental, such as a user copying hundreds of HD images into a Dropbox folder; sometimes it is more deliberate, like using the workplace network to download movies. If you have concerns about remote networks or the WAN links to them, you should start by monitoring internet traffic. Our video at the end of this blog post explains what to do.

4. Report on proxied web activity on a per user basis

Proxy servers were once implemented to speed up access to popular sites. In theory, they would cache popular web pages, which cut down on bandwidth use. This has become more complicated as most content is now dynamic, such as Facebook news feeds, so proxy servers are now mostly used for their site-blocking capabilities.

While proxy servers may be good at caching and filtering, they were never designed as a user web reporting tool. Flow-based monitoring tools will not work either, as they will report either clients connecting to a proxy or the proxy connecting to external websites. Stitching this information together is a complicated process.

Packet capture applications solve this problem as they look inside HTTP headers to extract information like client, proxy and website. This is why they are popular when it comes to reporting on proxied web activity on a per-user basis.
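The stitching works because a client talking to an explicit proxy puts the full URL in the request line (or uses CONNECT for HTTPS), so one client-to-proxy request already names client, proxy and website; on the proxy's outbound side the same information survives only if the proxy adds an X-Forwarded-For header. The block below is an added example (not LANGuardian code) that recovers the triple from both vantage points; the addresses and request heads are constructed.

```python
# Added example (not LANGuardian code): recover (client, proxy, website) from
# HTTP request heads seen on the wire when an explicit web proxy is in use.
from urllib.parse import urlsplit

# Constructed request heads: (src IP, dst IP, raw HTTP request head).
# Rows 1-2 are client->proxy (absolute-form URL / CONNECT); row 3 is the proxy's
# own outbound request carrying X-Forwarded-For; row 4 is a direct request.
REQUESTS = [
    ("10.20.1.15", "10.20.0.5", "GET http://example.com/news HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.20.1.22", "10.20.0.5", "CONNECT mail.example.net:443 HTTP/1.1\r\nHost: mail.example.net:443\r\n\r\n"),
    ("10.20.0.5", "93.184.216.34", "GET /news HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 10.20.1.15\r\nVia: 1.1 proxy01\r\n\r\n"),
    ("10.20.1.40", "93.184.216.34", "GET /direct HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

# Constructed: the proxies we operate. X-Forwarded-For is only trustworthy
# when the request really came from one of them; any client can forge it.
KNOWN_PROXIES = {"10.20.0.5"}


def headers(head):
    """Lower-cased header name -> value for one request head."""
    out = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out


def stitch(src, dst, head):
    """Return (client, proxy, website, evidence) for one captured request."""
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    h = headers(head)
    site_from_host = h.get("host", dst).split(":")[0]
    if method == "CONNECT":
        return (src, dst, target.split(":")[0], "client->proxy CONNECT")
    if target.startswith(("http://", "https://")):
        return (src, dst, urlsplit(target).hostname, "client->proxy absolute URI")
    if "x-forwarded-for" in h and src in KNOWN_PROXIES:
        client = h["x-forwarded-for"].split(",")[0].strip()
        return (client, src, site_from_host, "proxy->server X-Forwarded-For")
    return (src, None, site_from_host, "direct")


def per_user_sites(requests):
    """Website set per real client IP, the basis of a per-user proxied report."""
    report = {}
    for src, dst, head in requests:
        client, _proxy, site, _why = stitch(src, dst, head)
        report.setdefault(client, set()).add(site)
    return report


if __name__ == "__main__":
    for row in REQUESTS:
        print(stitch(*row))
    print(per_user_sites(REQUESTS))
```

Capturing on the client side of the proxy is the simpler option, since it needs no header cooperation from the proxy; the outbound side is useful when the client segment is not reachable, provided the X-Forwarded-For check against known proxy addresses stays in place.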

5. Reports that can tell if users are streaming content like movies or games

The internet is a wonderful place, but it is also full of distractions, from watching live events to checking out recent movies or spending hours playing online games. While we all need our releases from everyday life, too much streaming can overload computer networks.

I recently worked with a client who had major issues at a remote site. Users there were reporting that access to business applications was slow. They logged onto their LANGuardian application and found that a number of users at the remote site were streaming live soccer to their PCs, which overloaded the WAN connection.

How to monitor Internet activity using a SPAN port


How to Setup SPAN Ports on Cisco Nexus Switches

Setting up SPAN ports on Cisco Nexus switches

SPAN ports are commonly used for network traffic analysis applications. SPAN ports work by sending a copy of the traffic destined to one or more ports or VLANs to another port on the switch that has been connected to a network traffic analysis or security device. SPAN mirrors the received or transmitted (or both) traffic on one or more source ports to a destination port for analysis.

The new generation of Cisco switches based on the Nexus platform have a slightly more complicated SPAN setup when compared to other Cisco switch platforms. In summary, you must set the mode of the destination port to monitor before you set it as a destination for the SPAN traffic.

In this blog post, we are going to look at two common network traffic monitoring scenarios and how to configure a SPAN port on a Cisco Nexus switch for each. For a more detailed configuration, check out this guide from the Cisco Nexus manual, which covers all SPAN options.

Monitoring a single switch port using a SPAN session

In this example, we are going to set up a SPAN port to monitor traffic going to and from the firewall. The copy of the traffic sent to the network traffic analyzer via its sensor port is shown as the red connection. For this purpose, we are going to set the SPAN port as ethernet 2/10 and the firewall port as ethernet 1/1.


Configuration Example

switch# configure terminal
switch(config)# interface ethernet 2/10
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 2
switch(config-monitor)# destination interface ethernet 2/10
switch(config-monitor)# source interface ethernet 1/1 both

Monitoring a VLAN using a SPAN session

If you want to monitor multiple servers or devices on your network, you can monitor VLANs with a SPAN session. In the next example, we are going to set up a SPAN port to monitor traffic going to and from our server VLAN. For the purposes of this example, we are going to set the SPAN port as ethernet 2/10 and use it to monitor VLAN 100.

Monitoring a VLAN with SPAN

Configuration Example

switch# configure terminal
switch(config)# interface ethernet 2/10
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 2
switch(config-monitor)# destination interface ethernet 2/10
switch(config-monitor)# source vlan 100 both


How to Detect Pokémon Go Activity on Your Network

Pokémon Go Clients on Network

Pokémon Go – “Gotta catch’em all” (It’s not what you think!)

I don’t think anyone can have missed the phenomenon of Pokémon Go, which has exploded into our lives over the last week or so. The objective is still the same: to capture ALL the Pokémon characters!

It’s a great news story as broadcasters scramble for headlines:

Danger – Pokémon Go can seriously damage your health! (the potential dangers of walking or driving while playing the game)

Breaking News – “Kids have left their bedrooms”: kids are actually going for walks this summer (motivated by hatching eggs within the game) rather than being locked in their rooms playing computer games!

From a business perspective, we have also seen Boeing become the first corporate to ban the game, simply on the grounds of safety.

That got me thinking: in a work environment, Pokémon Go users are pretty easy to spot, as they walk along trance-like, staring at their phones. There is clearly an addictive element to the game, but it’s no different to a lot of other computer games, media and social apps out there.

How to Detect Pokémon Go Activity on Your Network

A regular challenge we hear from Network Managers is around monitoring users’ “non-work related” online activities and the subsequent impact this has, not only on individuals’ productivity, but also on overall network performance. Network Managers are also concerned about the possibility of users downloading fake Pokémon Go apps. These do exist and, when installed, can introduce malware onto networks.

The good news is there is an effective, affordable solution for monitoring network activity: LANGuardian. LANGuardian enables Network Managers to use a SPAN (monitoring) port to monitor and report on network activities both internally (intranet servers and file shares) and externally (websites, cloud services and social media).

Easy to use, LANGuardian’s “deep packet inspection” provides the highest level of visibility into activity on the network. Its intuitive reporting and dashboards, drill-down capabilities, and powerful searches provide extremely detailed information without requiring you to understand and interpret raw data packets.

The old expression “You can’t manage what you can’t see” is no longer a problem: thanks to LANGuardian, we “let you see, so you can manage”. So, in line with the Pokémon theme and from a LANGuardian view:

“Packets… Gotta catch’em all”

Detecting Pokémon Go activity with LANGuardian

The Pokémon Go application was developed in partnership with Niantic. When the app is loaded it communicates with the domain All communications are secured and the good news is that it does not use a lot of bandwidth.

To track down Pokémon Go users on your network you just need to detect what clients are connecting to the domain. To do this on LANGuardian, you just need to use the NetFort search feature.

Niantic Labs

Enter in the website field, select a time range and then click on the search button. If you see any activity associated with this domain, drill down to reveal what IP addresses are associated with this. You can then use the LANGuardian Network Inventory reports to get associated MAC addresses if you want to block the clients from accessing your network.

Pokemon Client Drilldown

Active Directory and/or RADIUS integration can also reveal any associated usernames. The 2-minute video below shows you the basics of what you need to do to track down Pokémon Go activity on your network.

To see LANGuardian in action, try our interactive demo here

DNS Traffic is always worth watching very closely

But it is not a good excuse to forget your anniversary!

While visiting a large ISP-type customer here in the Bay Area, we started to discuss the value he could get from network traffic analysis. The volumes of traffic on his network are at such a scale that he even struggles with summary information like NetFlow; he has so much of it that it is almost impossible to get a handle on it and see anything useful – a real big data problem. During our conversation, I mentioned that we have a number of dissectors (or application decoders, as we call them) for protocols like SMB, NFS, SQL, web and DNS – ‘STOP, what can you tell me about my DNS traffic, as my logs are limited?’ To be honest, I would have thought LANGuardian provided too much detail for his organization, but I guess DNS is a bit different.

Anyhow, I went on to explain that LANGuardian can:

  • Monitor DNS traffic and decode DNS replies
  • Inventory the responding DNS servers
  • Alert on rogue DNS servers
  • Review what resolutions clients are receiving
  • Monitor client requests and validate DNS traffic (piggybacking)
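Three of those bullets (server inventory, rogue server alerting, and a basic piggybacking check) can be shown on decoded DNS records directly. What follows is an added example and not LANGuardian's decoder or its alert logic: the records, the approved resolver list and the entropy thresholds are constructed, and the "suspicious name" test is a deliberately simple heuristic.

```python
# Added example (not LANGuardian code): inventory responding DNS servers, flag
# servers outside the approved list and answers that disagree, and apply a crude
# piggybacking check to query names. All records and thresholds are constructed.
import math
from collections import Counter, defaultdict

APPROVED_RESOLVERS = {"10.20.0.53", "10.20.0.54"}  # constructed: our internal resolvers

# Constructed decoded DNS responses: (client IP, answering server IP, query name, answer)
DNS_RECORDS = [
    ("10.20.1.15", "10.20.0.53", "www.example.com", "93.184.216.34"),
    ("10.20.1.22", "10.20.0.53", "mail.example.net", "198.51.100.20"),
    ("10.20.1.22", "10.20.0.54", "www.example.com", "93.184.216.34"),
    ("10.20.1.40", "192.0.2.99", "www.example.com", "203.0.113.7"),   # unapproved server, different answer
    ("10.20.1.51", "10.20.0.53", "3q2b7z9x0k4m8n1p5r6tv8w2.c2.example.org", "10.0.0.1"),  # tunnel-like label
]


def responding_servers(records):
    """Inventory: how many responses each server IP sent to our clients."""
    return Counter(server for _c, server, _q, _a in records)


def rogue_servers(records, approved=APPROVED_RESOLVERS):
    """Servers answering our clients that are not on the approved list."""
    return sorted(set(responding_servers(records)) - approved)


def conflicting_answers(records):
    """Names that got different answers from different servers. A rogue
    resolver steering clients elsewhere shows up here; so does ordinary CDN
    round-robin, so corroborate before acting."""
    answers = defaultdict(set)
    for _c, server, name, answer in records:
        answers[name].add((server, answer))
    return {name: sorted(pairs) for name, pairs in answers.items()
            if len({a for _s, a in pairs}) > 1}


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_query_names(records, max_label_len=20, min_entropy=3.5):
    """Crude piggybacking check: a leftmost label that is both long and
    high-entropy looks like encoded data rather than a hostname."""
    hits = []
    for client, _s, name, _a in records:
        first = name.split(".")[0]
        if len(first) > max_label_len and label_entropy(first) >= min_entropy:
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    print("servers   :", dict(responding_servers(DNS_RECORDS)))
    print("rogue     :", rogue_servers(DNS_RECORDS))
    print("conflicts :", conflicting_answers(DNS_RECORDS))
    print("suspicious:", suspicious_query_names(DNS_RECORDS))
```

The rogue-server list is the high-value alert: internal clients should only ever receive answers from resolvers you operate, and anything else is either a misconfiguration or something worth an incident ticket. The entropy check is a starting point only; tune the thresholds against your own query names before alerting on it.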

To quote a good friend, Tim of #lovemytool: ‘John, show me, don’t tell me’.

So, I simply showed a short demo, which in summary was something like the following screen grabs:


Overall, it was a good meeting; the visibility and context one can get off the wire on DNS activity across a network can be really useful for multiple security related use cases and forensics. Our customer thought it was very interesting and useful for a network like his; especially as he is so heavily focused on security these days while helping and educating his customers.

However, when I got back to my Airbnb and opened up my laptop, a Skype chat message popped up on my screen. Now for a moment, just think of some of the worst texts or voicemails you could get from your wife! Let’s face it, there are only 2 big dates one should ALWAYS remember and we all know what they are!

When I looked at my Skype text box at 6:00pm PST, 2:00am GMT a day late, I saw a message there for over 8 hours, with those 3 little words we dread to hear or read before we get to send them ourselves: ‘Happy Anniversary Darling’

Damn, I blamed DNS. I told her, I tried to send a nice message but we had a DNS issue and I was off the network! Now, even she knows that without DNS, everything stops working!


John Brosnan


How to do a URL search using network traffic analysis

URL search tips

What are your options to address URL search requirements?

Before I go into how you can do a URL search using network traffic as a data source, I want to go back over and explain what a URL string is.

A Uniform Resource Locator (URL) string is a subset of the Uniform Resource Identifier (URI) that specifies where an identified resource is available and the mechanism for retrieving it. Examples of URLs would be:

URL: ftp://ftp.netfort.c0m/doc/languardian-tips.txt
URL: /download-languardian/

All of the above are also URIs, but a URI may contain extra information such as a fragment (anchor link), which is used client-side to navigate automatically to a particular section of a web page.

URL String

For most use cases, a URL search involves searching for either a full or partial website name to see who is accessing it. Here is some feedback we recently received from a university customer after they evaluated our LANGuardian product. This is a very typical use case.

“All those within the test group without exception found it (LANGuardian) to be a very useful tool for detecting suspicious traffic and for discouraging misbehavior.

A very popular feature mentioned by most users in the test group was the ability to search by URL. All the users were in agreement that it provides a very quick and easy way to extract the exact information management would like visibility of, particularly where cloud services are concerned“.

Building a database of URL search strings

There seems to be an increasing demand for more sophisticated analysis and visibility of the Internet link and the activity on it, probably driven by:

  • Security concerns: continuous monitoring and rich visibility of activity on this link are an absolute must these days.
  • Cloud and hybrid cloud: many applications used across organizations today are hosted externally and, as a result, the utilization of this link is critical.

Before you can search URL strings you need a data source. The most common ones I come across are:

  1. Local packet capture on a PC or laptop.
  2. Network wide packet capture through a SPAN, mirror ports or TAPs.
  3. Log file analysis on firewalls or proxy servers.

I am not including any flow based tools in this post as most are not good web usage trackers. Some IPFIX implementations can export HTTP header information but very few tools actually use this.

Local Packet Capture

Capturing network traffic locally on your PC or laptop is a great way to learn about packet capture and how you can use this to search for URL strings. Wireshark is the most popular tool and it allows you to capture all network traffic going in and out of local network adapters.

If you want to do a URL search, you simply use the display filter within Wireshark to search for a specific text string.

Pros:
  • Free and easy way to capture local traffic
  • Great for learning about packet capture and traffic analysis

Cons:
  • Does not scale up. Very easy to overload a system if you try to capture traffic at high data rates.
  • While it is fine for real-time analysis, you won’t get long-term storage of data unless you have access to lots of disk space.
  • Complex, not that easy to read and interpret. Difficult to get the ‘big picture’ easily.
URI String

Network wide packet capture through a SPAN, mirror port or TAP

If you want to scale up from local packet capture, then you should look at options like SPAN ports or TAPs. This approach will allow you to get a copy of all traffic flowing into and out of your network and so you will get a data source for all web activity on your network.

The video at the link below goes through the steps needed to monitor Internet activity via a SPAN port.

Pros:
  • Visibility of all Internet activity on your network.
  • SPAN or port mirror options are available on most managed switches with no impact on performance.
  • Works effectively whether a web proxy is in place or not.
  • Deploy in minutes: no agents, no clients, no network downtime.

Cons:
  • Free tools\software offerings that can connect to SPAN or mirror ports are limited, so you need to look at a commercial solution.

Web Users Report

Once you have your SPAN port set up, you can use a tool like NetFort LANGuardian to process the packet data. The NetFort DPI engine extracts application-level detail like URL strings from the traffic flows, discarding the remainder of the packet contents before storing the extracted data in the built-in database.

This data reduction (400:1 over full packet capture and storage) results in cost effective long life historical storage of network and user activity, very useful for forensics, reporting and planning.

It stores all the critical details, including IP address, user name, domain names, URI and bandwidth consumed, in its own database. This gives you access to real-time and historical web usage reports.

If you are considering other tools, make sure they include both real-time and historical reporting features to match your data retention requirements.
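The extract-then-discard approach described above is easy to see in miniature. The block below is an added example, not the NetFort DPI engine or its database schema: it keeps only the request-level fields from constructed HTTP request heads, stores them in an in-memory SQLite table, runs a partial-URL search against that table, and measures the reduction against the raw capture size. The capture rows, addresses and sizes are constructed, so the reduction figure it prints is illustrative, not the 400:1 quoted above.

```python
# Added example (not LANGuardian code): keep only host + path from captured HTTP
# request heads, store them in SQLite, search by partial URL, and measure the
# reduction against raw capture size. All capture rows are constructed.
import sqlite3

# Constructed: (epoch seconds, client IP, server IP, raw request head bytes, body length)
CAPTURED = [
    (1_474_000_000, "10.20.1.15", "93.184.216.34",
     b"GET /docs/guide.pdf HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n", 0),
    (1_474_000_005, "10.20.1.22", "93.184.216.34",
     b"GET /download/setup.exe HTTP/1.1\r\nHost: files.example.com\r\n\r\n", 0),
    (1_474_000_009, "10.20.1.15", "198.51.100.5",
     b"POST /api/upload HTTP/1.1\r\nHost: cloud.example.net\r\nContent-Length: 100000\r\n\r\n", 100_000),
]


def extract(raw):
    """Return (host, path) from an HTTP/1.x request head, or None if the bytes
    are not an HTTP/1.x request at all."""
    text = raw.decode("ascii", errors="replace")
    request_line, _, rest = text.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    host = ""
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return host, parts[1]


def build_store(captured):
    """Store the extracted fields (plus byte count) and drop everything else."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE web (ts INTEGER, client TEXT, server TEXT, "
               "host TEXT, path TEXT, bytes INTEGER)")
    for ts, client, server, raw, body_len in captured:
        hit = extract(raw)
        if hit:
            db.execute("INSERT INTO web VALUES (?,?,?,?,?,?)",
                       (ts, client, server, hit[0], hit[1], len(raw) + body_len))
    db.commit()
    return db


def url_search(db, needle):
    """Partial match on host or path. The needle is bound as a parameter so a
    search string can never become part of the SQL statement."""
    pattern = f"%{needle}%"
    return db.execute("SELECT client, host || path FROM web "
                      "WHERE host LIKE ? OR path LIKE ? ORDER BY ts",
                      (pattern, pattern)).fetchall()


def reduction_ratio(captured, db):
    """Raw bytes seen on the wire divided by the bytes of URL text retained."""
    raw_total = sum(len(raw) + body for _t, _c, _s, raw, body in captured)
    stored = sum(len(h) + len(p) for h, p in db.execute("SELECT host, path FROM web"))
    return raw_total / stored


if __name__ == "__main__":
    store = build_store(CAPTURED)
    print(url_search(store, "example.com"))
    print(url_search(store, "setup.exe"))
    print("reduction ~ %.0f:1" % reduction_ratio(CAPTURED, store))
```

Two points carry over to any tool you evaluate: the search string must be passed as a bound parameter, never concatenated into the query, and the retained fields should be chosen so that the historical table answers "who accessed this site" without ever needing the payload back.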

Log file analysis on firewalls or proxy servers

Many firewalls and proxy servers have logging options. These can be very useful for troubleshooting or checking whether changes to firewall rules are working. However, server log files do have their limitations: they are meant to provide server administrators with data about the behavior of the server, not the behavior of the user, such as which URLs they are accessing.

I recently attended a conference which brought together network and security professionals from colleges and universities all over the UK. During the conference, one IT manager described how their network fell victim to multiple DDoS attacks. Their firewalls were under so much pressure that they could not access the logs and get any visibility. One recommendation from this was not to rely on firewall logs alone: you need another data source to troubleshoot problems.

Pros:
  • Great for troubleshooting problems or checking whether changes to block rules are working.

Cons:
  • Enabling logging will impact firewall or proxy performance. These devices were not designed for long-term capture of log information.
  • If your proxy or firewall is having performance issues, you won’t be able to access the logs to troubleshoot the problem.
Web Proxy Log

Do you have any other ideas on how to capture and search URL information? Comments welcome.

Forensic Analysis of a DDoS Attack

forensic analysis of a DDoS attack

In this blog post we are going to do a forensic analysis of a DDoS attack. The DDoS analysis is supported by screenshots captured from a LANGuardian system that was monitoring network edge traffic via a SPAN port at the time of the attack.

The purpose of our DDoS analysis is to demonstrate how DDoS monitoring can identify an attack in progress. With the information gathered by using a DDoS attack monitor, we can then take steps to mitigate against these types of DDoS attacks.

Why DDoS Monitoring is Important

Over the past ten days in Ireland, numerous online services and public networks have been targeted by DDoS attacks. A recent article from the BBC also suggests that website-crippling cyber-attacks are to rise in 2016 – the organization itself having been taken offline by a massive DDoS attack at the end of last year.

The majority of the recent attacks in Ireland were NTP amplification attacks. NTP is a popular vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return large replies to small requests. It has been estimated there are over a hundred thousand abusable NTP servers with administrative functions incorrectly open to the general Internet.

Using LANGuardian as a DDoS Attack Monitor

All of the following screenshots were taken using LANGuardian as a DDoS attack monitor on a real network. The network was one of many that suffered multiple DDoS attacks during January 2016. The first image below shows traffic associated with this network at a time when it was not under attack. What I am watching out for here is:

  1. The majority of the traffic is IPv4.
  2. Over 97% of traffic is TCP with small amounts of UDP. This is very normal and what I would expect.
  3. Drilldown on the UDP traffic shows the majority is DNS. For most networks DNS would be the most active UDP protocol. Exceptions to this would be networks where applications like Bittorrent are allowed.
DDoS monitoring dashboard

The next screenshot shows the network traffic profile during a time when the network was under attack. The main thing that stands out is that UDP traffic is now the majority. This is the classic fingerprint of a UDP-based amplification attack. You can read more about amplification attacks here and here.

UDP Traffic associated with DDoS attack

Drilling down on the UDP traffic reveals that the network is receiving large amounts of NTP and DNS traffic. Both of these are important protocols so you cannot just block them. The other issue is that the network packets will contain spoofed IP addresses so basic firewall rules are useless.

These attacks are composed of legitimate-appearing requests, massive numbers of “zombies” and spoofed identities, which make it virtually impossible to identify and block the malicious flows.

UDP Protocol Analysis

Drilling down further reveals that the traffic appears to originate from 4700 different servers. We can do a WHOIS by IP address and determine that these are valid NTP servers, owned by reputable organizations.

It’s unlikely that 4700 reputable NTP servers are compromised and targeting an attack at the network, so something else is happening here.

The NTP protocol is based on UDP, a connection-less protocol. This means that a malicious client can create an NTP request, but instead of using its own IP address as the source, it uses the IP address of the target network. The NTP server assumes the request is genuine and responds, sending the response, not to the originating client, but to the target network.

This is known as a reflection attack. We can determine this is occurring, because our network has not sent any NTP packets to the NTP servers in question (zero packets sent, zero bytes sent) as seen here.

Further, we can calculate that the average received NTP response packet size is about 440 bytes, significantly larger than a standard NTP response packet (about 90 bytes). The 440 byte packet is likely a response to a ‘monlist’ request, a remote command in older NTP servers that returns a list of the last clients to contact it. The ‘monlist’ command returns multiple packets of this size in response to a single request. This is known as amplification, where a small request generates big responses.

DDoS packet numbers
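The two checks made above (zero packets sent to the remote NTP servers, and replies far larger than a normal NTP packet) can be applied mechanically to flow records. The following is an added example, not LANGuardian code: it runs over constructed UDP flow records using TEST-NET addresses, with 192.0.2.0/24 standing in for the monitored network, and reports each local host that is receiving unsolicited, oversized NTP replies together with the number of reflectors hitting it.

```python
"""Flag NTP reflection / amplification in UDP flow records.

Added example, not LANGuardian code. The flow records are constructed
with TEST-NET addresses; 192.0.2.0/24 stands in for the monitored network.
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # placeholder for the monitored network
NTP_PORT = 123
NORMAL_NTP_REPLY = 90   # bytes: a standard NTP response, as stated in the post

# Constructed bidirectional UDP flow records, one per (local host, remote server, port):
# (local_ip, remote_ip, remote_port, pkts_sent, bytes_sent, pkts_received, bytes_received)
FLOWS = [
    ("192.0.2.10", "198.51.100.5", 123, 1, 90, 1, 90),          # genuine NTP time sync
    ("192.0.2.20", "198.51.100.77", 123, 0, 0, 1200, 528000),   # replies we never asked for
    ("192.0.2.20", "203.0.113.9", 123, 0, 0, 950, 418000),      # same victim, another reflector
    ("192.0.2.20", "203.0.113.44", 53, 0, 0, 800, 400000),      # DNS reflection, not covered here
    ("192.0.2.30", "198.51.100.5", 123, 0, 0, 2, 180),          # two stray normal-sized replies
]


def classify_flow(flow):
    """Label an NTP flow; None if it is not NTP.

    Reflection: our side sent nothing, yet replies arrive.  Amplification on
    top of that: the replies are far bigger than a normal ~90-byte NTP packet
    (the ~440-byte monlist responses seen in the post)."""
    _local, _remote, rport, pkts_out, bytes_out, pkts_in, bytes_in = flow
    if rport != NTP_PORT or pkts_in == 0:
        return None
    unsolicited = pkts_out == 0 and bytes_out == 0
    avg_reply = bytes_in / pkts_in
    if unsolicited and avg_reply > 2 * NORMAL_NTP_REPLY:
        return "ntp_reflection_amplified"
    if unsolicited:
        return "ntp_reflection"
    return "ntp_normal"


def summarize_reflection(flows, local_net=LOCAL_NET):
    """Per local victim: number of reflectors, bytes received and average reply
    size, counting only unsolicited, oversized NTP replies."""
    acc = defaultdict(lambda: {"reflectors": 0, "bytes": 0, "pkts": 0})
    for flow in flows:
        if ipaddress.ip_address(flow[0]) not in local_net:
            continue
        if classify_flow(flow) == "ntp_reflection_amplified":
            v = acc[flow[0]]
            v["reflectors"] += 1
            v["pkts"] += flow[5]
            v["bytes"] += flow[6]
    return {ip: {"reflectors": v["reflectors"], "bytes": v["bytes"],
                 "avg_reply": round(v["bytes"] / v["pkts"])}
            for ip, v in acc.items()}


if __name__ == "__main__":
    for ip, stats in summarize_reflection(FLOWS).items():
        print(f"{ip}: {stats['reflectors']} reflectors, {stats['bytes']} bytes, "
              f"avg reply {stats['avg_reply']} B (normal ~{NORMAL_NTP_REPLY} B)")
```

The "sent nothing" test is what separates reflection from a busy but legitimate NTP client, and the reply-size test is what separates ordinary reflection from monlist-style amplification; a real deployment would read the same seven fields from the flow collector or DPI report rather than from a constructed list.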

Finally, what of the client that originated the NTP request? We have no information about that client, as it successfully forged the source IP address in the original NTP request. We can assume that the client was a member of a botnet and was issued commands to target this network. There can be many thousands of compromised clients in a given botnet.

The scenario is shown in the diagram below: a single C&C controls many zombie clients, which generate malformed NTP requests to many servers, which in turn send amplified responses to the target network. Click on the image to zoom in.

DDoS Amplification Traffic

Any local servers shown in the reports need to be checked for malware activity. Such a server could end up as a zombie host in a botnet, or it may also be serving up malware.

Using DDoS Analysis to Mitigate Against DDoS Attacks

When it comes to mitigating against DDoS attacks, you do have a number of options. It does depend on what stage you are at. If you are presently under attack, you may need to weather the storm a bit and avoid any rush decisions. Blocking traffic for example may only introduce other problems and you may end up with a network cut off from the outside world.

It is critical that you have some type of network activity monitoring in place prior to and during an attack. Make sure you can see where the traffic is coming from and what servers are being targeted. To try and mitigate against an attack you should consider the following.

  1. See if your ISP can black hole the suspicious traffic. Most will not get involved but if you are an education or government institute you may be able to address the issue at an ISP level.
  2. If you host your own web applications or servers you could consider a local DDoS protection system. These high-performance appliances enable attack traffic analysis and cleaning of the traffic, enabling a defense against large-scale DDoS attacks. Good traffic goes one way and bad traffic is dropped.
  3. If your website is hosted externally you could consider something like the Cloudflare DDoS protection infrastructure. They do the job of sorting out the good traffic from the bad in the cloud.
  4. In some extreme cases I have heard of companies changing their ISP to get away from the problem. Their public IP addresses seem to be a constant target, so the only way out is to change them by moving to a different ISP.

Do you have any tips for mitigating against DDoS attacks? Comments welcome.


Taking a Deep Dive into Network Traffic

Taking a deep dive into network traffic

A term I often hear our customers say is that they use our LANGuardian product to “take a deep dive into network traffic“. When you hear something like ‘deep dive’ you could associate it with geeks in their Speedos taking a dive into a swimming pool. The reality is a lot more technical and maybe more boring; what they are trying to do is use network traffic as a data source to get to the root cause of network, security, application or user problems.

Client based traffic analysis

For a lot of network administrators the tool of choice may be Wireshark. It is excellent for taking a deep dive into network packets. I often use it to capture network traffic on my laptop and scroll through the packets to work out what traffic flows are present and see what packet payloads are associated with them.

Wireshark traffic analysis

The problem with this approach is that it can be very time consuming, especially if you are dealing with high traffic volumes. Wireshark filters are useful, but they are a foreign language to most people. Connect your laptop to a SPAN or mirror port and within minutes you could be dealing with a multi-gigabyte packet capture file.

There is no doubt that tools like Wireshark or Microsoft Message Analyzer have their uses. However, if you want 24/7 traffic monitoring then you will need to look at a different solution.

Take a Deep Dive into Traffic on YOUR Network

Use the power of LANGuardian deep packet inspection to take a deep dive into traffic on your network. No need for client or agent software, just setup a SPAN or mirror port. Active Directory integration allows you to associate traffic flows with usernames too.

Flow based traffic analysis

Many layer 3 network devices like routers and some switches have flow export features. Standards include NetFlow, sFlow, JFlow and IPFIX. Typically a network device extracts certain information from the packet headers. This will include IP addresses and port information together with the total amount of data contained within the packet payloads. This flow information is then sent to a flow collector where it is processed and stored.

If we think of it as diving into a swimming pool, flow analysis is like getting your Speedos on and approaching the pool. You dip your toes in but that is it. You have an idea how cold the water is but it is not a deep dive.

Flow analysis is great for getting a top level view of what is happening on a network. Some flow technologies have moved towards sampled packet analysis. I am not a big fan of this due to the resource demands it puts on networking devices.

Going deep with Deep Packet Inspection

If you want to take a deep dive into network traffic, you need deep packet inspection. Technologies like this automate packet analysis so that you have 24/7 monitoring. Some solutions will store all packet data on disk (packet recorder) while others will extract certain payload data like website or file names (known as meta data).

Deep packet inspection

Another feature of deep packet inspection tools is their ability to recognize applications based on packet payloads. Flow tools will make assumptions like all traffic on TCP port 80 is web, but this is not always the case. Most firewalls available today include this functionality and it is vital in today’s world where so many applications are web based.
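To make the flow-versus-payload difference concrete, here is an added example (not code from LANGuardian or any flow exporter) that runs both views over the same constructed packets, using TEST-NET addresses. The flow side keeps only the 5-tuple and counters, as NetFlow or IPFIX would, and names the application from the well-known port; the DPI side looks at the first bytes of the payload and so spots a BitTorrent handshake on port 80.

```python
"""Flow records versus payload inspection on the same packets.

Added example, not code from LANGuardian or any flow exporter.  The packets
are constructed (TEST-NET addresses); the port-80 BitTorrent flow stands in
for the "not always web" case in the text.
"""
from collections import defaultdict

WELL_KNOWN = {80: "http", 443: "tls", 53: "dns"}   # the flow-tool port table

# Constructed TCP packets: (src_ip, dst_ip, src_port, dst_port, payload)
PACKETS = [
    ("192.0.2.10", "203.0.113.80", 51000, 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.80", "192.0.2.10", 80, 51000,
     b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    ("192.0.2.11", "198.51.100.7", 51001, 80,
     b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)),  # peer-wire handshake
    ("192.0.2.11", "198.51.100.7", 51001, 80, bytes(1024)),              # opaque piece data
    ("192.0.2.12", "203.0.113.81", 51002, 443,
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)),       # start of a TLS ClientHello
]


def flow_key(pkt):
    src, dst, sport, dport, _ = pkt
    return (src, dst, sport, dport, "tcp")


def export_flows(packets):
    """What a NetFlow/IPFIX exporter keeps: 5-tuple plus packet and byte
    counters.  The payload itself is gone at this point."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        rec = flows[flow_key(pkt)]
        rec["packets"] += 1
        rec["bytes"] += len(pkt[4])
    return dict(flows)


def label_by_port(sport, dport):
    """Flow-tool assumption: the well-known end of the connection names the application."""
    return WELL_KNOWN.get(min(sport, dport), "unknown")


def label_by_payload(payload):
    """DPI: a few byte-level fingerprints.  None means 'nothing recognisable yet'."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")):
        return "http"
    return None


def classify_flows(packets):
    """Each flow labelled both ways; the first recognisable payload wins for DPI."""
    out = {}
    for pkt in packets:
        key = flow_key(pkt)
        entry = out.setdefault(key, {"by_port": label_by_port(pkt[2], pkt[3]), "by_payload": None})
        if entry["by_payload"] is None:
            entry["by_payload"] = label_by_payload(pkt[4])
    return out


def port_mismatches(packets):
    """Flows where the payload contradicts the port-based guess."""
    return sorted(k for k, v in classify_flows(packets).items()
                  if v["by_payload"] not in (None, v["by_port"]))


if __name__ == "__main__":
    for key, rec in export_flows(PACKETS).items():
        print(key, rec)
    print("port label contradicted by payload:", port_mismatches(PACKETS))
```

The opaque 1024-byte piece packet is the reason DPI engines remember the label per flow: once the handshake has been seen, every later packet of that connection is known to be BitTorrent even though its bytes alone say nothing.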

Traffic analysis tools that monitor traffic inside a network are getting more popular. The main driver for this is that IT managers want to get an insight into network activity so that they can increase security awareness. They also want historical reporting for seeing what happened at a particular point and time.

Before you make a decision on one you need to consider the following

  1. Do you need to record every packet or just capture important meta data. Unless you are monitoring a critical banking application or similar, meta data capture is recommended.
  2. Can the tool be deployed in remote data centers and provide a single console to monitor all activity.
  3. Don’t forget about virtual networks. Network packets can move around here and may never appear on the ‘wired’ network.
  4. Check if the tool supports username association. When you are dealing with LAN issues, it is very useful to be able to track activity back to actual users.
  5. Watch out for ease of use. Too many tools claim they can do deep packet inspection but are difficult to use. Ideally you want ‘management friendly’ graphics with drill down capabilities.

All of the solutions I mentioned above have their uses. Wireshark for client side diagnostics, flow tools for high level traffic reports, and deep packet inspection for taking a deep dive into network traffic. In some cases you may need all three, just make sure you don’t end up with the wrong solution if you only can pick one or two.

Learn more: Utilizing traffic fingerprinting for protocol analysis

Tunnelling Bittorrent Over Port 80 – How to Detect Activity on Your Network

Bittorrent Over TCP Port 80

Bittorrent is a very popular file sharing protocol. As a way of distributing content from many hosts, it is second to none. It is very popular with movie/music pirates as it does not require a central server for the storage of data. A downloader (peer) can contact other peers and download pieces of content, and that peer will automatically share any content it has downloaded. It does have many other uses, such as a platform for distributing software updates.

When it comes to network management, most administrators try to block Bittorrent use. The main reason behind this is that it can use up massive amounts of network bandwidth and disk storage. Many high definition movies are now 6GB+ in size so all it takes is for a few clients to clog up a network. Bittorrent clients also create thousands of network connections to other peers which can overload some firewalls.

Blocking access to sites like ThePirateBay may work in the short term but the introduction of magnet links makes site blocking more difficult. If you are successful in blocking the torrent sites, users can still access them at home and use your network to download the content.

How to detect Bittorrent tunnelling activity on your network

Traditional firewalls which use port blocking are useless when it comes to Bittorrent. The protocol will seek out open TCP or UDP ports and use these to tunnel/transfer data. Even newer firewalls struggle with the Bittorrent protocol due to encryption and other recent changes.

In today’s world, the only way to accurately identify Bittorrent is to be application aware. What I mean by this is to forget about identifying applications based on the port numbers they use to communicate. Assume that TCP port 80 could be any application: HTTP, Skype, Bittorrent, etc. You need to take a look inside the network packets and work out what the application is based on what the packet payload or content is.

This all sounds very complicated, and it is if you have to sort through packets using something like Wireshark. It is not impossible, but you will find it very time consuming. The other issue is scale: Wireshark works fine for analyzing a single client but it will get overloaded if you are monitoring hundreds of clients.

Find Out Who is Tunneling Bittorrent on YOUR Network

Use the power of LANGuardian deep packet inspection to find out who is tunneling Bittorrent traffic on your network. No need for client or agent software, just setup a SPAN or mirror port. Active Directory integration allows you to associate Bittorrent activity with usernames too.

What you are looking to do is extract certain metadata from the network packets. There is no need to store the contents of every packet unless you plan to replay the traffic for further analysis. This approach is also referred to as deep packet inspection. Aim to capture these fields at a minimum:

  • Source IP Address
  • Source Port
  • Destination IP Address
  • Destination Port
  • Info_hash: urlencoded 20-byte SHA1 hash
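The info_hash is the field that ties a flow to a specific torrent, and it turns up in two places in the traffic: in the peer-wire handshake as 20 raw bytes, and in an HTTP tracker announce as a urlencoded 20-byte value. The following is an added example, not LANGuardian’s decoder, that pulls the five fields listed above out of constructed packets (TEST-NET addresses, and an info_hash that is just the SHA-1 of a made-up string).

```python
"""Extract the minimum Bittorrent metadata fields from captured packets.

Added example, not LANGuardian's decoder.  Packets and the info_hash are
constructed; nothing here refers to a real torrent or tracker.
"""
import hashlib
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Constructed info_hash: SHA-1 of a made-up string, not any real torrent.
INFO_HASH = hashlib.sha1(b"constructed example info dictionary").digest()

# Peer-wire handshake: pstrlen(1) pstr(19) reserved(8) info_hash(20) peer_id(20)
HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + INFO_HASH + b"-EX0001-" + b"0" * 12

# HTTP tracker announce: info_hash is urlencoded in the query string (safe="" escapes '/')
ANNOUNCE = (b"GET /announce?info_hash=" + quote_from_bytes(INFO_HASH, safe="").encode("ascii")
            + b"&peer_id=-EX0001-000000000000&port=6881&uploaded=0 HTTP/1.1\r\n"
            b"Host: tracker.example\r\n\r\n")

# Constructed packets: (src_ip, src_port, dst_ip, dst_port, payload)
PACKETS = [
    ("192.0.2.11", 51001, "198.51.100.7", 80, HANDSHAKE),
    ("192.0.2.11", 51002, "198.51.100.9", 80, ANNOUNCE),
    ("192.0.2.12", 51003, "203.0.113.80", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),   # plain web, no info_hash
]


def handshake_info_hash(payload):
    """info_hash from a peer-wire handshake, else None."""
    if len(payload) >= 68 and payload[0] == 0x13 and payload[1:20] == b"BitTorrent protocol":
        return payload[28:48]
    return None


def announce_info_hash(payload):
    """info_hash from an HTTP tracker announce GET, else None.

    unquote_to_bytes is used rather than a query-string parser so the value
    comes back as the exact 20 bytes that were percent-encoded."""
    if not payload.startswith(b"GET "):
        return None
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2 or b"?" not in parts[1]:
        return None
    query = parts[1].split(b"?", 1)[1]
    for pair in query.split(b"&"):
        key, _, value = pair.partition(b"=")
        if key == b"info_hash":
            raw = unquote_to_bytes(value)
            return raw if len(raw) == 20 else None
    return None


def extract_records(packets):
    """One record per packet that carries an info_hash, with the five minimum fields."""
    records = []
    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        info_hash = handshake_info_hash(payload) or announce_info_hash(payload)
        if info_hash is not None:
            records.append({"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
                            "dst_port": dst_port, "info_hash": info_hash.hex()})
    return records


if __name__ == "__main__":
    for rec in extract_records(PACKETS):
        print(rec)
```

Storing the hex form of the hash is what makes the later search (enter an info_hash, get back IP, username and times) possible without keeping the packets themselves.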

A simple way to get visibility of Bittorrent on your network is via a SPAN or mirror port. Find where your Internet connection connects to your network switch infrastructure, then configure it to send a copy of traffic going to and from the Internet to a switch port of your choice. This switch port is known as a SPAN or mirror port: it’s just a regular port, but you configure it to be the destination for the SPAN traffic. See the video below, which covers this in more detail.

Tracking down Bittorrent activity with deep packet inspection

Once you have your SPAN port set up, you need to plug in a network analyzer which can process network packets. We develop one called LANGuardian but there are other options out there. For this example I will use a LANGuardian installed on my own network to track down Bittorrent tunneling. LANGuardian has the advantage of being able to report on real-time and historical activity.

Step 1 – Run a Top Applications Report

In my case I am going to take a look at activity over the past 4 hours and I also want to focus in on applications using port 80.

Top Network Applications

Step 2 – Drill Down on the Bittorrent Traffic

Most traffic on my network using port 80 is HTTP, but I have a small amount of Bittorrent traffic using this port. To drill down, I click on the traffic volumes.

Bittorrent Tunneling activity on network

Here I can clearly see the client IP address, host name and info-hash values associated with this Bittorrent activity. Further details like other associated port numbers and external IP addresses can be obtained by drilling down further.

How to use LANGuardian to generate a detailed web activity report for a particular user

Person using laptop to browse web

LANGuardian Web Activity Report Features

The LANGuardian traffic analysis engine may also be used to passively report on web activity. It is a very useful feature for organizations such as universities who for various reasons including performance, simplicity, and cost do not want to deploy a web proxy or any sort of inline device.

It is also very easy to deploy, which is critical for the already pretty busy network engineer who would prefer to concentrate on other tasks and not on the relatively tricky subject of user Internet monitoring. No inline devices required, no agents or clients, no change to browser settings, completely transparent to the user. Just SPAN or mirror the Internet link, connect the LANGuardian to the SPAN port and away you go.

User Internet activity drilldown

The data is captured, stored and immediately accessible when you need it or when it is requested. One can search by IP or MAC address, user name or even part of the domain or URI. For example show me all the users who accessed Dropbox in the last week and how much data was uploaded. Or list all the domains accessed with resources or URIs containing the word Torrent and the user who accessed them.

Bittorrent Protocol Decoder

Whether a web proxy is in use on the network or not, all the detail required, including user name, IP address, domain, resource, size, date and time, can be extracted from the raw traffic by the LANGuardian passively, usually via a SPAN port or TAP, and retained for months in the built-in database.

How to focus in on a user

To instantly access and report on web activity for a particular user name, IP or MAC address:

  • Using the search box, top right, enter resource
  • Select the report Web :: Top Website Domains and resources
  • Use the Time filter to select the required time period.
  • Using the logon name field enter the name of the user and click view to rerun the report for that particular user.

Sample Web Activity Report

It is also possible to automatically send a daily or weekly email summarizing the web activity for a particular user by saving this report with the required user name and then under configuration, top right using the email settings to schedule the report.

Find out what users are doing on the Internet

Use the deep packet inspection engine of LANGuardian to collect all web activity down to the URL level from a span port. As a benefit it also provides unique out-of-band network forensics for troubleshooting or identifying odd network traffic.

How does it work?

LANGuardian passively captures HTTP and HTTPS header information from network traffic. In most cases a SPAN or mirror port is setup. There is no impact on network performance as this is not an inline solution. This approach also works for direct and proxy based activity. The video below explains how you can get this setup on your network.

5 Tips for Dealing with Unusual Traffic Detected Notifications

How to Deal With Unusual Traffic Detected Notifications

If you get an unusual traffic detected notification from Google, it usually means your IP address was or still is sending suspicious network traffic. Google can detect this and has recently implemented security measures to protect against DDoS, other server attacks and SEO rank manipulation.

The key thing to remember is that the notification is based on your Internet facing IP address, not your private IP address which is assigned to your laptop\PC\device. If you don’t know what your Internet facing (or public) IP address is you can use something like this service.

Top tips for dealing with unusual traffic detected messages:

  1. Get an inventory. Do you have unknown devices on your network? There are many free applications which can do network scans. Another option is to deploy deep packet inspection tools which will passively detect what is running on your network.
  2. Monitor traffic on your Internet gateway. Watch out for things like network scans, traffic on unusual port numbers, TOR traffic. I have included a video below which explains how you can do this.
  3. Track down the device using its MAC address. Network switches maintain a list of what MAC addresses are associated with what network switch ports. The guide at this link shows you how to do this on Cisco switches but similar commands are available on other switch models.
  4. See if your IP address is blacklisted. You can use something like this to see if your IP address is on known blacklists.
  5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled so it could be that you were allocated a dodgy one. This is a remote possibility so make sure you cover tips 1 to 4 first.

Please don’t hesitate to get in contact with our support team if you are having an issue with an unusual traffic notification. They can help you quickly get to the root cause of issues associated with suspicious network traffic.

Darragh Delaney

How to Monitor Network Traffic For Suspicious Top-Level Domains

top level domains

Top-Level Domains – What are they and how to monitor traffic associated with them.

Back in 2011 ICANN approved a plan to expand the number of top level domains (TLDs). Shortly afterwards some analysts suggested that this could spell Dot-Trouble for businesses.

Move forward to 2015 and sure enough a few shady neighbourhoods have appeared on the Internet. Research done by Bluecoat shows that some of these Internet neighbourhoods have become almost exclusively the domain of people setting up hosts for spam e-mailing, scams, shady software downloads, malware distribution, botnet operations and “phishing” attacks, or other suspicious content.

Beware - Suspect Websites

Blue Coat asserts that more than 95% of the sites on these 10 Top-Level Domains (TLDs) are suspect:

  1. .zip
  2. .review
  3. .country
  4. .kim
  5. .cricket
  6. .science
  7. .work
  8. .party
  9. .gq
  10. .link

We recommend that you monitor Internet traffic on your network and watch out for any client connecting to these suspicious TLDs. The best way to do this is to setup a SPAN or mirror port and monitor network traffic at your Internet gateway.

Flow based tools are not a good option for monitoring Internet traffic as they cannot look inside the HTTP header to see what domains users are trying to access. The video below explains how you can setup a SPAN or mirror port to monitor Internet traffic. Most managed switches will allow you to do this.

If you don’t have a managed switch there are many alternatives for SPAN or mirror ports. You just need to pick one to match your requirements.

The image below shows an example of how Wireshark can be used to look inside HTTP headers to extract top-level domain information. Wireshark is very useful for troubleshooting issues associated with a single client. However, it may become data overload if you connect it up to a SPAN or mirror port. If you want to do this you need to look at a commercial network traffic analysis tool like LANGuardian.

Top-Level domains bad neighborhoods

Monitoring Suspicious Top-Level Domain Activity with NetFort

The following procedure describes the steps to show any activity associated with these top-level domains (TLDs). The report can be saved on your LANGuardian system as a custom report and can be re-run any time updated information is needed. Alerts and automated reports are also supported.

  1. Click on Reports in the LANGuardian menu bar.
  2. In the Web section, click on Top Website Domains; LANGuardian displays the Top Website Domains report.
  3. In the Website Domain Name field (Matches regexp selected) place \.link$|\.gq$|\.party$|\.work$|\.science$|\.cricket$|\.kim$|\.country$|\.review$|\.zip$
  4. Click View.
  5. When LANGuardian displays the report, click More Actions on the report menu bar and select Save Report.
  6. Enter a name and description for the report, then click Save. The new report will be listed in the Custom Reports section.
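The `$` anchors in the step 3 expression are what stop it from flagging names such as zip.example.com, where the suspect string appears as a subdomain rather than as the top-level domain. The following is an added example, not part of the LANGuardian procedure: it runs the same expression over constructed domain names and also shows how to generate an equivalent anchored pattern from any TLD list. Case-insensitive matching and tolerance of a trailing dot (as a fully qualified name may be logged) are assumptions of this example, not documented report behaviour.

```python
"""Check logged domain names against the suspect-TLD expression from step 3.

Added example, not part of LANGuardian.  Domain names are constructed.
"""
import re

SUSPECT_TLDS = ["zip", "review", "country", "kim", "cricket", "science",
                "work", "party", "gq", "link"]

# The expression from step 3, verbatim.
REPORT_REGEX = r"\.link$|\.gq$|\.party$|\.work$|\.science$|\.cricket$|\.kim$|\.country$|\.review$|\.zip$"


def build_pattern(tlds):
    """Generalisation of step 3: the same kind of anchored alternation built
    from any TLD list, with each TLD escaped so a '.' or other metacharacter
    in the list cannot change the meaning."""
    return re.compile("|".join(r"\." + re.escape(t) + "$" for t in tlds), re.IGNORECASE)


def suspicious_domains(domains, pattern=re.compile(REPORT_REGEX, re.IGNORECASE)):
    """Domains whose last label is a suspect TLD.  Case-insensitive and tolerant
    of a trailing dot (both assumptions of this example)."""
    return [d for d in domains if pattern.search(d.strip().rstrip("."))]


# Constructed domain names, not taken from any real report
SAMPLE_DOMAINS = [
    "cdn.example.zip",          # matches: .zip TLD
    "Example.REVIEW",           # matches: only the case differs
    "download.example.party.",  # matches: trailing dot stripped before matching
    "zip.example.com",          # no match: 'zip' is not the last label
    "example.zip.com",          # no match: same reason
    "www.example.com",          # no match
    "example.network",          # no match: ends in 'work' but there is no '.' right before it
    "example.link",             # matches
]


if __name__ == "__main__":
    for d in suspicious_domains(SAMPLE_DOMAINS):
        print("suspect:", d)
```

Without the anchors, "example.zip.com" and "example.network" would both be reported, so the anchored form is worth keeping when the list is extended.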

Most of the basic Regular Expressions (RegEx) and IP Address/Subnet needs are covered in the LANGuardian Tip Sheet.

And, of course, please contact us any time if you have any questions about web activity or indeed any other aspect of network monitoring with LANGuardian.

Find out who is accessing suspicious top-level domains on YOUR Network

Download a 30 day trial of LANGuardian and find out what users are accessing suspicious top-level domains. No need to install agents or client software. All you need is a SPAN or mirror port.

If you have any tips for tracking down suspicious top-level domains, please use the comment section below.

Darragh Delaney

I want to know who is streaming Netflix onto my network?

who is streaming Netflix

Users accessing media sites like Netflix and YouTube can consume massive amounts of bandwidth. What’s needed are performance management solutions that can 1) detect and notify you about network performance degradation and spikes in bandwidth utilization, and 2) give you visibility into what applications are running on the network and what IP addresses and usernames are associated with them.

For most media sites it is easy to start monitoring activity associated with them. Just follow these steps:

  1. Ping the website in question. For example comes back as
  2. Go to the website and enter this IP address in the top right hand corner.
  3. You will find that this IP address is part of the range Google this range to see if Netflix have any other subnet ranges registered to them. YouTube, for example, will have many subnets associated with their services.
  4. Log onto LANGuardian (or other network activity monitoring tool) and select Reports\Bandwidth\IP\Top Talkers from the reporting menu on the top.
  5. Enter as the subnet and this will reveal if you have any Netflix traffic on your network. Drill down on the totals to reveal the most active clients.
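Steps 4 and 5 amount to filtering flow records by destination subnet and ranking the internal clients by bytes received. The following is an added example, not LANGuardian code, doing that with Python’s ipaddress module over constructed flow records; the media provider’s registered ranges are looked up as in steps 1 to 3, so the subnets used here are documentation-range placeholders, not real Netflix ranges.

```python
"""Top talkers towards a set of subnets, as in steps 4 and 5 of the procedure.

Added example, not LANGuardian code.  Subnets are placeholders (the real
ranges come from the WHOIS lookup in steps 1-3); flow records are constructed.
"""
import ipaddress
from collections import Counter

# Placeholder ranges standing in for the provider's registered subnets
MEDIA_SUBNETS = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.128/25")]

# Constructed flow records: (client_ip, remote_ip, bytes_received_by_client)
FLOWS = [
    ("192.0.2.10", "203.0.113.40", 3_000_000_000),
    ("192.0.2.11", "203.0.113.41", 800_000_000),
    ("192.0.2.10", "198.51.100.200", 500_000_000),   # inside the /25
    ("192.0.2.12", "198.51.100.5", 20_000_000),      # outside the /25: ignored
    ("192.0.2.13", "192.0.2.50", 4_000_000_000),     # internal transfer: ignored
]


def in_subnets(ip, subnets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in subnets)


def top_talkers(flows, subnets=MEDIA_SUBNETS):
    """Clients ranked by bytes received from the given subnets."""
    totals = Counter()
    for client, remote, nbytes in flows:
        if in_subnets(remote, subnets):
            totals[client] += nbytes
    return totals.most_common()


if __name__ == "__main__":
    for client, nbytes in top_talkers(FLOWS):
        print(f"{client}: {nbytes / 1e9:.2f} GB")
```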

No network activity monitoring in place?

Use LANGuardian and the power of wire data analytics to find out what users are doing on your network.

Download a trial version of LANGuardian and find out who is streaming Netflix on your network.

If you have proxy servers on your network you don’t need to lookup the IP ranges. Logon to LANGuardian and go to Reports\Web\More\Proxy Sessions By IP. Enter Netflix as the website and run the report.

Windows 10 Is Already Using Up Your Bandwidth

Windows 10 Upgrade

Windows 10 Downloads

A lot of people out there are looking forward to upgrading to Windows 10 and in less than 24 hours, Microsoft will start upgrading Windows 7 and Windows 8 machines to Windows 10. The release is scheduled for 12AM ET on July 29th (9PM PST on July 28th).

If you are responsible for the management of a network you should be aware that the software updates download in advance. Microsoft want to speed up the process by pre-loading the final version of Windows 10 on PCs eligible for the upgrade.

If you notice Internet connectivity slowdowns or if you are concerned about bandwidth use, you may see connections like the following on your Internet gateway. There are many ways to capture this information including logs, flow data and deep packet inspection.

Windows 10 upgrade IP addresses

One thing to watch out for if you are using logs or flow data is that reverse lookups of the IP addresses may be misleading. I noticed the IP addresses above using up a lot of bandwidth on my network. A reverse lookup using my favorite security lookup site ( reported that the IP address is registered to Eircom which at first seems strange. Further analysis of the IP address and DNS traffic also shows it to be associated with which is a content delivery network (CDN).

Content delivery network

What you need to do is look inside the network packets associated with this activity. The HTTP headers will reveal what is actually happening. Many organizations now use content delivery networks to distribute content like software. For the consumer this means fast and reliable downloads but it also means that the network traffic coming into your network is arriving from a third party. In my case the third party is Eircom who in turn host services for Akamai and Microsoft uses them to distribute content.

When the network packets are analyzed by a deep packet inspection engine we can see that the downloads are from Windows Update and that they are associated with the Windows 10 upgrade. I saw over 1GB of downloads in less than 1 hour for a single client. A quick glance at the screenshot below shows some of the downloads and the level of detail that can be captured from network packets.

HTTP Header Analysis

I for one am looking forward to upgrading to Windows 10. My own experiences with Windows 8 were not good and I got rid of it after 1 month. Windows 7 has served me well but there is enough in 10 to convince me to upgrade. If you are responsible for the management of a network, watch out for heavy bandwidth use in the coming weeks which may be associated with this upgrade process. Ideally you should use a monitoring tool which can look inside HTTP headers so you can see exactly what is happening.

Darragh Delaney

Detecting Netflix Traffic On Your Network

Netflix is a provider of on demand internet streaming media and is available to users in the majority of locations all over the world. The service is becoming increasingly popular and by the end of last year had a total of 57.4 million subscribers. In parallel with this growth, we have seen a corresponding increase in the number of people questioning the impact that Netflix traffic is having on their network.

Watching Netflix can use around 1 GB of data per hour for each stream when viewing in standard definition and up to 3 GB per hour for streaming content in high definition. ‘The Internet is slow today’ could easily be the result of a single user streaming Netflix.

Detect & Monitor Netflix Traffic on Your Network

Use the deep packet inspection features in LANGuardian to find the source of Netflix traffic on your network. No need to install client or agent software. Just set up a SPAN or mirror port.

There are a couple of ways you can check for Netflix traffic on your network after installing LANGuardian. The easiest way to do this is to click on Reports, then Top Website Domains, and simply type Netflix into the appropriate field.

The example below from our demo system shows Skype appearing on the network. It is the same idea for Netflix: simply type in the website name and click View. You can also drill down from here to find the associated usernames and IP addresses.

An alternative way is to look at the IDS rule set in LANGuardian. The IDS in LANGuardian contains two signatures to detect Netflix on your network and they can be found under sid: 2007638 and 2013498 which are included below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Netflix On-demand User-Agent"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| WmpHostInternetConnection"; nocase; reference:url,; classtype:policy-violation; sid:2007638; rev:5;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Netflix Streaming Player Access"; flow:to_server,established; uricontent:"/WiPlayer?movieid="; content:"|0d 0a|Host|3a||0d 0a|"; nocase; reference:url,; classtype:policy-violation; sid:2013498; rev:2;)
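To show what those two signatures actually test, here is an added example, not the LANGuardian IDS, that applies their content checks to constructed HTTP requests. It translates the Snort content syntax (literal text, hex inside `|...|`, `nocase`) into byte searches and applies `uricontent` to the request-target only. It covers just the content and uricontent tests: the `flow:to_server,established` and `$HOME_NET -> $EXTERNAL_NET` conditions are not modelled, and for sid 2013498 only the `/WiPlayer?movieid=` check is reproduced because the Host header value in that rule is not shown above.

```python
"""Apply the content checks of the two Netflix signatures to HTTP requests.

Added example, not the LANGuardian IDS.  Only content / nocase / uricontent
are modelled; requests are constructed.
"""


def parse_content(spec):
    """Snort content string to bytes: text outside pipes is literal, text
    inside pipes is hex.  '|0d 0a|User-Agent|3a| X' -> b'\\r\\nUser-Agent: X'."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 == 1 else chunk.encode("latin-1")
    return bytes(out)


# (content spec, nocase) pairs are searched in the whole request; uricontent
# specs are searched in the request-target only (case-sensitive: in sid 2013498
# the nocase modifier follows the Host content, not the uricontent).
RULES = {
    2007638: {"msg": "POLICY Netflix On-demand User-Agent",
              "content": [("|0d 0a|User-Agent|3a| WmpHostInternetConnection", True)],
              "uricontent": []},
    2013498: {"msg": "POLICY Netflix Streaming Player Access",
              "content": [],      # Host header content not reproduced: value not shown on the page
              "uricontent": ["/WiPlayer?movieid="]},
}


def request_uri(request):
    """The request-target from the request line, which is what uricontent inspects."""
    first = request.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def rule_matches(rule, request):
    for spec, nocase in rule["content"]:
        needle, hay = parse_content(spec), request
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    uri = request_uri(request)
    return all(parse_content(spec) in uri for spec in rule["uricontent"])


def matching_sids(request):
    """SIDs of every rule whose content checks pass for this request."""
    return sorted(sid for sid, rule in RULES.items() if rule_matches(rule, request))


# Constructed requests (hosts and paths are examples, not captured traffic)
REQ_USER_AGENT = (b"GET /Player HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: wmphostinternetconnection/1.0\r\n\r\n")   # lower case: nocase catches it
REQ_PLAYER = (b"GET /WiPlayer?movieid=12345 HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: Mozilla/5.0\r\n\r\n")
REQ_BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: Mozilla/5.0\r\n\r\n")


if __name__ == "__main__":
    for name, req in [("user-agent", REQ_USER_AGENT), ("player", REQ_PLAYER), ("benign", REQ_BENIGN)]:
        print(name, "->", matching_sids(req))
```

The leading `|0d 0a|` in the User-Agent content is the reason the match cannot be fooled by a header that merely contains the string mid-line: the token has to begin a header line.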

You could also create a custom report which would allow you to search for specific IDS events like Netflix by following the guide here on the forum.

Ray Barnes

Can one have too much visibility?

Looking deeper into what is happening on a network

An interesting problem cropped up during our company huddle this morning. Our head of development had the floor and was giving us an update on some recent modifications to our Bittorent decoder.

Our LANGuardian Bittorent decoder is used heavily, especially by some of our University customers, to track DMCA notices. For example one can enter the info hash into a search field and get back information such as the IP address, user name, etc.

Bittorent is a complex protocol; tracking it and extracting/storing the critical detail is not that easy. We have to issue regular updates to ensure accuracy and coverage. Bit of a pain for our development team, I feel for them!

A nice side effect of our latest update is that for some downloads we can also report the actual file, movie and video names: plain text, readable, interpretable. But, as mentioned by the developer, maybe too much visibility for some customers? The movie and video names can be very explicit and even upsetting for some people. So do we report the name or not?

Bittorrent file names

But I also remember a meeting years ago in Dublin, where the network admin had investigated one user for continuous bandwidth abuse that had the other users on the site complaining that ‘the Internet is slow today’. HR got involved, a meeting was called, and the user was asked to explain. The user explained that he was downloading research papers and doing nothing wrong.

The admin was able to instantly produce a report listing the movie names (including the complete Harry Potter box set) and the dates and times at which the user had downloaded them. The smoking gun: proof that eliminated guesswork and saved time and stress for everybody. The user owned up immediately and the issue was resolved.

And just last week we had the following feedback from a new customer in the UK, a food company.

This product is amazing… I’m getting an insight into the network that I have never had before and seeing activity that I just did not know was going on!

This guy, Simon, was definitely not complaining about having too much visibility.

I guess it may be useful to have the information at your fingertips if and when you need it, as the last step of a drill-down, but not in your face all the time? Back to the customers: let’s get their opinion and listen to them.

John Brosnan
NetFort CEO

How to detect Popcorn Time activity on your network

Popcorn Time is a multi-platform, open source BitTorrent client with an integrated media player. It uses sequential downloading to play media. Torrent pieces are normally downloaded in an order that maximises speed and benefits swarm health; sequential downloading instead fetches the pieces in order, from the beginning to the end, so you can start watching a movie almost immediately.

It has become very popular since being abruptly taken down by its original developers on March 14, 2014 due to pressure from the MPAA. Since then, Popcorn Time has been maintained by other development teams.

Network managers are concerned about its use because of copyright issues and because clients can consume vast amounts of bandwidth. Most people use Popcorn Time on portable devices, which makes it more difficult to track and control on networks.

Deep packet inspection technologies can be used to detect its presence. You need to use a SPAN or TAP and monitor traffic at your network's edge.

In the video below you can see what the application looks like and how it can be detected using network traffic analysis.

In the following example I used LANGuardian to extract certain information (metadata) from network traffic which shows Popcorn Time activity.

Popcorn Time Network Traffic

The screenshot above shows a typical network traffic breakdown for a client running Popcorn Time. This was captured after just a few minutes of video playback and amounts to almost 1GB of data. Most of the data is BitTorrent related, with a small amount of web traffic (HTTP).

As well as streaming content via the BitTorrent protocol, the application also downloads metadata from a number of websites. You can see some of the sites the application communicates with in the images above. Blocking access to these sites will not stop the Popcorn Time application; it just means that some images may be missing when users browse the app.

When it comes to Popcorn Time use, there are three issues you should consider if you are responsible for the operations and security of a computer network.

  1. Popcorn Time uses the BitTorrent protocol. A lot of the music and movies downloaded using BitTorrent clients are copyrighted. You may receive notifications from your ISP or from another third party if this type of activity is detected.
  2. BitTorrent will consume large amounts of bandwidth. During my tests almost 1GB of data was downloaded in just a few minutes.
  3. If you allow it, BitTorrent is yet another way for malware to get into your network.

Download a free trial of LANGuardian if you want to check for BitTorrent use on your network. The BitTorrent decoder is enabled in the trial version.

Darragh Delaney

Getting visibility of what is happening on your Internet connection

Internet connection slowed down

How to gain visibility of Internet usage

When it comes to understanding what is happening on your network, one of the most common questions I get is which data source you can use to understand what is happening on an Internet connection. The most common data sources that people mention are

  1. Reports from an ISP
  2. Reports available directly from firewalls or routers
  3. SNMP data
  4. Log files
  5. Packet capture

The easiest reports to get are the ones from an ISP or directly from network devices. The image below shows an example of these.

SNMP Graph

While it does give us some idea of what is happening, it lacks detail as to what is causing those peaks. The same problem exists for any application which uses SNMP (Simple Network Management Protocol) interface counters as its data source. You will get an alert that there is excessive traffic on your Internet connection, but you will lack the detail you need to troubleshoot why it is happening.

This brings us on to gathering flow records such as NetFlow. NetFlow and the other flow standards let you see which systems are connecting to which, and how much data is being exchanged. This is very useful information, as we can now break those peaks down into which system is connecting to what.

NetFlow Record

The problem is that while this shows which system is connecting to which, it is hard to read. Users do not connect to IP addresses; they use applications and connect to services like YouTube. For that reason flow based tools are not a good option for monitoring Internet activity. The problem is even worse if you use proxy servers: flow records will just show internal IP addresses connecting to the proxy server's IP address, and on the other side the IP of the proxy connecting to IP addresses outside your network.

Let's now look at the two other sources of data: log files and packet capture. Server log files are inappropriate for gathering usage data. They are meant to provide server administrators with data about the behaviour of the server, not the behaviour of the user. The log file is a flat file containing technical information about requests for files or websites on the server. Log files can also be easily overwritten, and need to be pulled back to a SIEM for indexing and storage.

The final data source is packet capture: the wonderful world of bits and bytes where only the geeks dare to travel. The thing is that modern deep packet inspection tools make the job of processing network packets really easy. You can download them and within minutes you can start to drill down and see what is actually moving around your network.

The following image is a good example of this. Here we can see two users downloading an OVA file from Really easy to read and it shows exactly what happened. No issues with trying to resolve IP addresses and no hours spent looking through packet capture files.

DPI Drilldown

Finally, I spoke to someone during the week and when I mentioned that you could monitor Internet traffic with a SPAN or mirror port he reported that he had no managed switch. In most cases you need a managed switch to set up a SPAN/mirror port. However, if you do not have a managed switch you can always deploy a cheap network TAP. These devices give you a copy of the traffic going in and out of a network connection.

In his case the network manager had a Cisco ASA 5505 deployed. This is actually a hybrid device with an 8 port switch and firewall features. To configure a SPAN port on an ASA 5505 you use the following commands, which mirror both directions of Ethernet 0/0 (the firewall uplink) onto Ethernet 0/1, where the DPI tool is connected:

ASA(config)# int ethernet 0/0
ASA(config-if)# description Firewall Connection
ASA(config-if)# exit
ASA(config)# int ethernet 0/1
ASA(config-if)# description Deep Packet Inspection Tool
ASA(config-if)# switchport monitor ethernet 0/0 both
ASA(config-if)# exit

If you need to check if your switch supports SPAN or mirror ports there is a good guide at this link.


So that is it for this post. If you really need to find out what is happening on your Internet connection, look inside the network packets!

Darragh Delaney

Is the PirateBay slowing down your network?

The PirateBay

PirateBay & Bandwidth Use

Can The PirateBay directly slow down your network? The short answer is actually no. PirateBay is a website that provides magnet links (and some torrent files) to facilitate peer-to-peer file sharing using the BitTorrent protocol. It does not host any movies, music or other types of data.

What it does provide is information such as the content's info hash (the SHA-1 hash of the torrent's info dictionary), which can then be used to find and contact other peers that are downloading or uploading the same data. Once a BitTorrent client has established a connection with another peer it can download and upload data. The BitTorrent protocol is very efficient and will use up lots of bandwidth, so it is the protocol that will slow down your network, not websites like PirateBay.

If you want to prevent this from happening on your network you could block access to sites like PirateBay. This may work as users cannot download anything without getting some information from PirateBay. However, it will not solve the problem as users could access the site on another network or through mobile broadband and then use your network to download.

When it comes to monitoring bandwidth use, it is vital to have a network monitoring system in place. Once it is set up, you should look for any clients connecting to systems outside your network on high port numbers. BitTorrent clients typically use high, often randomised, port numbers over both TCP and UDP (uTP). This is unusual, as normal web browsing is on ports 80 (HTTP) and 443 (HTTPS).

A connection from a local system to an external one over something like port 10921 would be unusual. Application recognition systems help here, as they report on what protocols are actually in use, not just on port numbers.

Also look out for systems which are uploading a lot of data. Normally clients download far more data than they upload when accessing web pages. Client systems which upload a lot of data are sharing something and are always worth investigating.

Deep packet inspection (DPI) tools like LANGuardian use packet capture to analyse the data which is moving around your network. LANGuardian can track down BitTorrent use by extracting the info hash values from the BitTorrent traffic. This metadata makes it easier to track down and investigate BitTorrent use. Check out the video below which shows how LANGuardian can be used to track down the source of copyright violations.
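The info hash is the thread that ties together the DMCA workflow described in "Can one have too much visibility?" (enter the hash from a notice, get back the client), the Popcorn Time traffic above, and the extraction LANGuardian does here. As an added example (not LANGuardian's decoder), the following code pulls the info hash out of the BitTorrent peer-wire handshake that opens every peer connection, indexes the hashes by internal client, and answers a notice that quotes either a magnet link or a bare hex hash. The hashes, addresses, peer ID and flows are all constructed.

```python
# Added example (not LANGuardian code): extract info hashes from BitTorrent
# peer-wire handshakes, index them by client, and look up a DMCA notice.
# All hashes, addresses, ports and peer IDs below are constructed.
import base64
import ipaddress
from urllib.parse import parse_qs, urlparse

PSTR = b"BitTorrent protocol"
# handshake layout: <pstrlen=19><pstr><8 reserved bytes><20-byte info_hash><20-byte peer_id>
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20


def info_hash_from_handshake(payload: bytes):
    """Return the info hash (lowercase hex) if payload begins with a peer-wire
    handshake, else None. The handshake is the first message on every peer
    connection (TCP or uTP), so the first payload bytes of a flow suffice."""
    if len(payload) < HANDSHAKE_LEN or payload[0] != len(PSTR):
        return None
    if payload[1:1 + len(PSTR)] != PSTR:
        return None
    start = 1 + len(PSTR) + 8
    return payload[start:start + 20].hex()


def info_hash_from_magnet(uri: str):
    """Return the info hash from a magnet link's xt=urn:btih:... parameter,
    accepting the 40-char hex form or the older 32-char base32 form."""
    parsed = urlparse(uri)
    if parsed.scheme != "magnet":
        return None
    for xt in parse_qs(parsed.query).get("xt", []):
        if xt.lower().startswith("urn:btih:"):
            digest = xt[len("urn:btih:"):]
            if len(digest) == 40:
                return digest.lower()
            if len(digest) == 32:
                return base64.b32decode(digest.upper()).hex()
    return None


def index_by_info_hash(flows, internal=ipaddress.ip_network("10.0.0.0/8")):
    """Map info hash -> set of (internal client, external peer, dst port) for
    flows given as (src, dst, dst_port, first payload bytes)."""
    index = {}
    for src, dst, dport, payload in flows:
        digest = info_hash_from_handshake(payload)
        if digest is None:
            continue
        # either side sends a handshake; record the internal host as the client
        client, peer = (src, dst) if ipaddress.ip_address(src) in internal else (dst, src)
        index.setdefault(digest, set()).add((client, peer, dport))
    return index


def clients_for_notice(flows, notice: str):
    """Notices quote either a magnet link or a bare hex info hash."""
    digest = info_hash_from_magnet(notice) or notice.strip().lower()
    return sorted({client for client, _peer, _port in index_by_info_hash(flows).get(digest, ())})


def make_handshake(info_hash_hex: str, peer_id: bytes = b"-XX0001-" + b"0" * 12) -> bytes:
    """Build a handshake as a client would send it (used to construct sample traffic)."""
    return bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + bytes.fromhex(info_hash_hex) + peer_id


def magnet_for(info_hash_hex: str, base32: bool = False) -> str:
    """Build a magnet link in either textual form (used to construct sample notices)."""
    digest = bytes.fromhex(info_hash_hex)
    xt = base64.b32encode(digest).decode() if base32 else info_hash_hex.upper()
    return "magnet:?xt=urn:btih:" + xt + "&dn=constructed.example"


# Constructed info hashes and flows (first payload bytes of each connection).
HASH_A = "00112233445566778899aabbccddeeff00112233"
HASH_B = "ffeeddccbbaa99887766554433221100ffeeddcc"
FLOWS = [
    ("10.1.2.34", "203.0.113.7", 51413, make_handshake(HASH_A)),
    ("198.51.100.9", "10.1.2.34", 10921, make_handshake(HASH_A)),   # inbound peer, same swarm
    ("10.1.5.6", "203.0.113.77", 6881, make_handshake(HASH_B)),
    ("10.1.2.34", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    print(clients_for_notice(FLOWS, magnet_for(HASH_A)))   # ['10.1.2.34']
    print(clients_for_notice(FLOWS, HASH_B))               # ['10.1.5.6']
```

Two points the code makes that the text only implies: the hash can be taken from the first bytes of the flow without decoding the rest of the protocol, and the inbound connection from 198.51.100.9 still attributes to the internal host, which is why uploads (not just downloads) show up against a client.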

How do you track down Bittorrent use? Is it possible without packet capture?

Darragh Delaney

Do you really know what is going in and out of your network?

Network Activity Reporting Software

It’s Friday and I am just back from visiting a number of LANGuardian customers in the UK. As usual it amounted to a very interesting few days, with visits to public sector clients, a document management company and even an F1 team. The common use case which kept coming up was that IT managers within these organisations want to know what is going on within their networks. This is what is at the heart and soul of NetFort; we continue to develop LANGuardian so you can find out what users are doing on your network.

So why is this so important, or, a better way of asking it, do you really know what is happening on your network? A good example of why this matters is the issue reported this week where LG televisions were transmitting user data out of their home networks. While I was waiting in an airport I noticed my Twitter and RSS feeds filling up with information and comments on this story. It really got the security community going. We now live in the age of the Internet of Things; everything is getting connected to the Internet, from washing machines to fridges. Everything has become smart.

What is also interesting about the LG article is the means by which the issue was discovered: Wireshark was used to do deep packet inspection. Some vendors will suggest that SNMP or even flow (NetFlow, sFlow and others) tools will provide visibility on a network. In some cases they may provide okay levels of visibility, but in most they fall well short. This is because they don’t work out what applications are in use and they don’t look at packet payloads. I know IPFIX and NBAR are supposed to address these deficiencies, but you need really specialist equipment to work with them.

SPAN or mirror ports are available on most networks, so why not make use of them? You can use Wireshark, or better still check out our LANGuardian software, which does the hard stuff for you. It will go through each packet and extract metadata so you can see users, application names and payload information. Wireshark is a fantastic tool, but because of the low level of detail, the ‘bits and bytes’, it is sometimes hard to see the big picture. What most people need first is a higher-level view in terms of names: domains, URIs, files, users, a level of DPI that most people can use to understand exactly what is happening.

Back to the LG story. I have a Sony smart TV which is connected to the Internet. The online features are fantastic, great for watching YouTube and running other streaming apps. Earlier I switched it on while I was monitoring its traffic with my LANGuardian. I just left it running on one channel and did nothing else. Having read the article about the LG TV, I got curious as to whether my TV could be doing something similar. The screenshot below is from a forensics search where I focused on the IP address of the television. Even without using any of its smart features it is connecting to outside services. Most traffic is via HTTP, but some is also sent encrypted over HTTPS.

sony forensics

Drilling down further reveals lots of connections to I did not spot anything sensitive as was shown with the LG story but I am going to keep a close eye on this just to make sure

sony uri

What all this shows is that if you really want to find what is going in and out of your network you really need deep packet inspection.

Darragh Delaney

Limitations of using NetFlow to monitor cloud computing

Cloud PCAP Analysis

For a variety of reasons we're seeing more and more content being distributed via content delivery networks (CDNs). CDNs distribute content in such a way that multiple copies of the data exist on the Internet. These copies are on servers at points of presence around the world, so they are always close to the end user, and hence the data is delivered to the user's desk faster.

For a long time, CDNs were only available to large organisations such as Microsoft and Adobe. These companies typically engaged Akamai™ for content delivery. Nowadays, thanks to services such as Amazon CloudFront™, CDNs are available to anyone with a credit card. This is great news for people who are distributing content, but it's bad news for network administrators who rely solely on flow data, such as NetFlow, for visibility into activity on their networks.

Prior to the advent of CDNs, you could get a good understanding of a traffic flow by doing a reverse DNS lookup of the source and destination IP address. Typically, the source address would correspond to a system on your network, while the destination address would correspond to an external host. For example, if the destination address resolved to, it would be clear to the network administrator that the flow would be attributable to someone downloading software from Acme, Inc.

Today, it’s very likely that the destination address for such a flow would resolve to or similar. This destination address is clearly part of a CDN, so resolving the IP address to a hostname provides no further insight and the network administrator is none the wiser as to the real origin of the downloaded data or why the user is downloading it.

One way to identify the real origin of the download is to check the access logs on the HTTP proxy server for occurrences of the source and destination address. This might help the network administrator to hone in on the time, host name, and URL details for the download, but this is cumbersome and not certain to yield accurate information.

NetFort LANGuardian overcomes this problem by gathering and correlating traffic information from full-packet capture based on deep packet inspection (DPI) techniques. The information is accessible through a browser-based user interface, enabling the administrator to drill down to application-level detail and gain a full understanding of the traffic flow. To install LANGuardian you just need to find your network core and enable port mirroring or a SPAN port.

In the following example, we see that there has been a peak in bandwidth usage over a remote link.


Clicking the graph enables the network administrator to drill down into details of traffic over the link and see the source and destination addresses that caused the peak to occur.
In this scenario, we see that the download was from an IP address whose reverse DNS is Beyond the fact that we now know the peak was caused by HTTP traffic, we still don’t know what the user was doing.


However, when DPI is enabled, we can easily identify the real origin of the download.
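The drill-down above, and the "users do not connect to IP addresses" argument in the earlier post on gaining visibility of Internet usage, come down to the same thing: a flow record carries addresses and byte counts, while the Host header and URI inside the packet carry the origin. The following added example (not LANGuardian code) summarises one constructed set of connections both ways. Two different CDN edge addresses resolve to the same generic name in the made-up reverse-DNS table, so the flow view cannot say which origin the bytes came from; the DPI view rolls the same bytes up by Host header and shows that one patch download from one origin accounts for most of the link.

```python
# Added example (not LANGuardian code): the same HTTP traffic summarised the
# way a flow tool sees it (addresses plus reverse DNS) and the way DPI sees it
# (user, Host header, URI). Connections, reverse-DNS answers, user mapping and
# hostnames are all constructed placeholders.
from collections import defaultdict

# Constructed reverse-DNS answers: two CDN edge addresses share a generic
# name, which is all a flow record can reveal about them.
RDNS = {
    "192.0.2.10": "edge-a.cdn.example.invalid",
    "192.0.2.11": "edge-b.cdn.example.invalid",
    "198.51.100.5": "downloads.vendor.invalid",
}
USERS = {"10.1.2.34": "alice", "10.1.2.35": "bob"}   # constructed login-to-IP mapping


def parse_http_request(payload: bytes):
    """Return (method, uri, host) for an HTTP/1.x request, or None otherwise."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            break
    return parts[0].decode("ascii"), parts[1].decode("ascii"), host


def flow_view(connections):
    """Bytes per (source, destination, reverse DNS of destination): the NetFlow picture."""
    totals = defaultdict(int)
    for src, dst, _payload, nbytes in connections:
        totals[(src, dst, RDNS.get(dst, dst))] += nbytes
    return dict(totals)


def dpi_view(connections):
    """Bytes per (user, Host header, URI): what the user actually fetched."""
    totals = defaultdict(int)
    for src, dst, payload, nbytes in connections:
        req = parse_http_request(payload)
        if req is None:        # not plaintext HTTP (e.g. TLS): only the flow view applies
            continue
        _method, uri, host = req
        totals[(USERS.get(src, src), host or RDNS.get(dst, dst), uri)] += nbytes
    return dict(totals)


def bytes_by_origin(connections):
    """Roll the DPI view up by Host header: the real origin behind the CDN addresses."""
    totals = defaultdict(int)
    for (_user, host, _uri), nbytes in dpi_view(connections).items():
        totals[host] += nbytes
    return dict(totals)


# Constructed capture: (src, dst, first request bytes, bytes moved on that connection).
PATCH = (b"GET /updates/2019-01/patch.msu HTTP/1.1\r\n"
         b"Host: updates.vendor.invalid\r\n\r\n")
CONNECTIONS = [
    ("10.1.2.34", "192.0.2.10", PATCH, 400_000_000),
    ("10.1.2.35", "192.0.2.11", PATCH, 400_000_000),
    ("10.1.2.34", "192.0.2.10",
     b"GET /clips/intro.mp4 HTTP/1.1\r\nHost: media.example.invalid\r\n\r\n", 50_000_000),
    ("10.1.2.34", "198.51.100.5",
     b"GET /images/appliance.ova HTTP/1.1\r\nHost: downloads.vendor.invalid\r\n\r\n", 1_500_000_000),
    ("10.1.2.35", "203.0.113.50", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00", 3_000_000),  # TLS, no Host visible
]

if __name__ == "__main__":
    for key, n in sorted(flow_view(CONNECTIONS).items(), key=lambda kv: -kv[1]):
        print("flow", key, n)
    for key, n in sorted(dpi_view(CONNECTIONS).items(), key=lambda kv: -kv[1]):
        print("dpi ", key, n)
    print(bytes_by_origin(CONNECTIONS))
```

The TLS connection is the caveat: with no plaintext Host header the DPI view falls back to what the flow view had, so for HTTPS a DPI tool has to take the name from the TLS handshake (SNI or the certificate) or it is no better than NetFlow there.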


The network administrators we speak to need this level of information because they often encounter remote links that are experiencing network congestion due to software patches being deployed, and patches are often deployed using CDNs. Armed with the information LANGuardian provides, they can then work with their colleagues who manage desktop deployment to identify ways to roll out patches without using up all the capacity on a remote link.

In summary, increased use of CDNs highlights the value of DPI in helping to resolve bandwidth problems that are difficult if not impossible to resolve using flow data alone.

If you want to know more about monitoring CDN activity on your network, please don’t hesitate to contact our support team here at

Mark McDonagh