Kelai Network Analysis Software: an assistant to network administrators

Source: Internet
Author: User
Enterprise network administrators face many challenges: abnormal LAN traffic, BT downloads, ARP spoofing, illegal browsing... So who is behind all this? Flexible use of network monitoring software can help us find the culprit. Below we use Kelai Network Analysis Software (hereinafter "Kelai") as an example to demonstrate the procedure.

1. Who is occupying a large amount of bandwidth?

Requirements:

Speed is an important indicator of an enterprise LAN, and enterprise network administrators frequently run into LAN speed problems: file sharing is too slow, websites cannot be opened, email cannot be received. When the network becomes slow, we usually need to check which IP addresses are occupying the bandwidth. The following example shows how to find the IP address of the intranet host with the highest bandwidth consumption.

Operation:

First, capture packets on the network segment that has the speed problem: connect the host running the monitoring software (a notebook) to the central node of the segment, the switch, open the monitoring software and start packet capture. Capture for 20 minutes.

After the capture period, stop capturing and analyze the data. Open the "Endpoint View" in Kelai, which shows traffic statistics for every MAC or IP address in the segment. The legend shows both the local MAC addresses and a large number of Internet IP addresses. To view only IP addresses, click the "IP Endpoint" tree in the left pane and expand "Local Subnet". The figures in brackets show that the local subnet contains only one class B segment (10.8.0.0/16) with 284 nodes under it, that is, 284 IP addresses in this segment. The view on the right shows that the total traffic of this segment is 1.529 GB. The Endpoint View is sorted by total traffic in descending order by default, so the host IP address with the highest traffic is easy to spot; selecting the first 10 rows gives the top 10 IP addresses occupying the most bandwidth in the intranet. (Figure 1)

2. Who is downloading via BT?

Requirements:

BT downloading is a major enemy of LAN speed: if someone in the LAN is downloading via BT, the whole network slows down. BT is essentially point-to-point communication using the BitTorrent protocol, and every BT download must go through the two "handshakes" of the BT peer protocol. If someone uses BT to download files on the intranet, it consumes a large share of network resources and makes it hard for other machines to reach the Internet. How can we find out who is using BT? Starting from the protocols present in the network, network analysis software makes it easy to find the BT downloader.

Operation:

First, capture packets in the same way as before. After the capture, select "Node Browser" in the left pane of the software and find the BitTorrent protocol, i.e. the BT protocol. Click the "Protocol" tab in the right pane; the BitTorrent protocol is easy to find in the application layer. Alternatively, locate the BitTorrent protocol node directly to find the hosts under it. To see the BitTorrent protocol's endpoints, select the BitTorrent protocol and click the "Endpoints" tab. Here we see an intranet host, 192.168.1.128, that is highly suspicious, but we still cannot confirm that it is downloading via BT; further analysis is needed. (Figure 2)
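The two checks above (ranking local endpoints by total traffic in section 1, and listing the endpoints that spoke the BitTorrent protocol in section 2) can be reproduced on your own capture data. The following script is an added example, not Kelai's code; it works on a constructed list of packet records (source IP, destination IP, frame length, first payload bytes) for a hypothetical 10.8.0.0/16 segment and identifies BitTorrent traffic by the peer-protocol handshake prefix defined in BEP 3.

```python
import ipaddress
from collections import defaultdict

# Hypothetical local segment, matching the class B range the article names.
LOCAL_SUBNET = ipaddress.ip_network("10.8.0.0/16")

# A BitTorrent peer-protocol handshake begins with the length byte 0x13
# followed by the ASCII string "BitTorrent protocol" (BEP 3).
BT_HANDSHAKE = b"\x13BitTorrent protocol"

# Constructed sample capture: (src_ip, dst_ip, frame_length, first payload bytes).
SAMPLE_PACKETS = [
    ("10.8.1.10", "203.0.113.5", 1500, b""),
    ("203.0.113.5", "10.8.1.10", 1500, b""),
    ("10.8.2.20", "198.51.100.7", 800, BT_HANDSHAKE + b"\x00" * 8),
    ("198.51.100.7", "10.8.2.20", 60000, b""),
    ("10.8.3.30", "10.8.1.10", 200, b""),
    ("10.8.4.40", "192.0.2.9", 400, b"GET / HTTP/1.1\r\n"),
]

def _local(ip, subnet):
    return ipaddress.ip_address(ip) in subnet

def top_talkers(packets, subnet=LOCAL_SUBNET, n=10):
    """Bytes sent plus received per local IP, highest first (the endpoint view)."""
    totals = defaultdict(int)
    for src, dst, length, _payload in packets:
        for ip in (src, dst):          # a local-to-local frame counts for both ends
            if _local(ip, subnet):
                totals[ip] += length
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def bittorrent_endpoints(packets, subnet=LOCAL_SUBNET):
    """Local IPs seen on either side of a BitTorrent handshake."""
    found = set()
    for src, dst, _length, payload in packets:
        if payload.startswith(BT_HANDSHAKE):
            found.update(ip for ip in (src, dst) if _local(ip, subnet))
    return sorted(found)

def segment_total(packets, subnet=LOCAL_SUBNET):
    """Total bytes of frames with at least one endpoint in the segment."""
    return sum(l for s, d, l, _ in packets if _local(s, subnet) or _local(d, subnet))

if __name__ == "__main__":
    print("segment total:", segment_total(SAMPLE_PACKETS), "bytes")
    for ip, total in top_talkers(SAMPLE_PACKETS):
        print(f"{ip:15} {total:>8} bytes")
    print("BitTorrent endpoints:", bittorrent_endpoints(SAMPLE_PACKETS))
```

As in the article, a handshake only shows that a host spoke the BitTorrent protocol; confirming an actual download still needs a look at the volume and duration of that host's peer traffic.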
