Overview of the network analyzer freeware – Capsa Free

June 6th, 2012 | Reviews | Comments Off

Troubleshooting network issues is one part of an administrator’s daily challenges. It is unnerving when a client sends a helpdesk request reporting that his computer has a network connection issue or is very slow to open websites, and you find nothing wrong after checking all the settings. At a desperate time like this, you should try a network analyzer to capture the computer’s network data and see if you can find some hints down at the packet level. When it comes to network protocols and packets, most of us think they are hard, and that network analysis tools are hard to use as well. Capsa network analyzer, a product from Colasoft, is one network analyzer that came in and changed my mind about network analysis tools.

Capsa Free, as its name suggests, is freeware, with almost all the functions that the commercial version has. Generally speaking, it can be used for network troubleshooting, bandwidth analysis and user activity monitoring, and it’s also a good choice for those who want to study network protocols. It’s very easy to use. All data is nicely organized in tab views, and you get all types of important network statistics there, enough for you to troubleshoot network issues. The filter is my favorite; it is very easy to create and use, without learning to write any commands or syntax. You can combine filters to create complicated combinations that capture the packet data you need.

For starters, you can see which network protocols are running and the IP addresses of the hosts that are using bandwidth. This data is useful. For example, with the protocol info, you can tell if anyone is using BitTorrent to download movies. And when the network gets slow, you can run a packet capture and see if any host is consuming so much bandwidth that it causes network congestion. Capsa Free not only gives pages of numbers but also graphs them, which makes it much easier to find anomalies.

Besides being used as a network analyzer, Capsa Free can also be used to monitor user activities. The web browsing monitor tells you which web sites are visited, by whom and when. The email monitor records all email exchanges, and the content of emails is saved to an email file. It also monitors three types of instant messenger communication: ICQ, Yahoo Messenger and MSN. This data is useful for user activity auditing.

One more powerful function is the alarm. Alarms are sets of rules used to alert you when any network anomaly happens. Creating an alarm is easy; you don’t need to type commands, you just use its intuitive interface. For example, you can create an alarm to alert you when your network utilization reaches 70%. Alarms help you notice anomalies as soon as they happen, to prevent them from growing into bigger issues.

Colasoft’s Mac Scanner by Tony Fortunato

May 16th, 2012 | Colasoft MAC Scanner | Comments Off

Mac Scanner is a free tool provided by Colasoft. It displays scan results in a list, including IP address, MAC address, Host Name and Manufacturer. It groups all IP addresses by MAC address if a MAC address is configured with multiple IP addresses. The scan results can be exported to a .txt file for future reference.

About Network Monitoring

February 21st, 2012 | Uncategorized | Comments Off

What is Network Monitoring?

Do you know the percentage of time your employees spend working, and the percentage of time they spend checking Facebook, Twitter, and MySpace, or reading news articles and browsing forums and playing games on the internet?

Lost productivity costs businesses a considerable amount of money each year, and one of the techniques increasingly used by companies seeking to reduce lost hours and productivity is network monitoring. Network monitoring is the process of reviewing information sent or received within a computer network.

Where Is Network Monitoring Used?

In a work setting, it may be used to block access to restricted sites, or to ensure employees are not surfing the internet during company time, or even to assess the amount of time necessary to complete tasks requiring internet access.

Network monitoring can be used in the home environment to ensure children do not have access to adult websites, and is commonly used in both work and home settings to prevent unauthorized access to a computer network by individuals outside the network, such as hackers.

There are many more uses for network monitoring in home and work settings, but these are the most common.

What Tools Are Used For Network Monitoring?

Network monitoring is made possible by a variety of software packages and products that can typically be purchased online or in local stores and installed on an administrator’s computer. From there, the network monitor has access to the information sent and received over the network, as well as information regarding the amount of data transmitted and connection attempts made toward and from the computer network.

Which Factors Should I Look For In a Network Monitoring Product?

When looking for a network monitoring product, consider the following aspects:

  • The features of the software package
  • The level of analysis allowed by the software package
  • The reports provided by the software package
  • The remote access capabilities offered by the software package
  • The help and support available for the software package, and
  • The minimum system requirements of the software package.

Each aspect will be discussed in further detail below.

Software Package Features

  • Is the product designed to address security threats in work settings, home settings, or both?
  • Are there discounts available for corporate sized purchases?
  • What level of self maintenance is provided by the product?
  • Can the product be set up over a network, or must it be individually installed on every computer on the network?
  • To what degree is the software integrated with computers on the network?
  • Will you have the ability to monitor the network from multiple locations, or are you consigned to an administrator’s computer?
  • Can you capture screenshots from computers connected to the network?
  • Is there a stealth mode available to prevent employees or children from knowing that their computers are under surveillance?

Level of Analysis

  • What amount of detail does the software offer in analysis of network traffic and activity?
  • Where will the data be stored?
  • How long will data be logged?
  • Will the program offer means to monitor the amount of time spent in different activities on each computer? Such an ability may yield dividends for those seeking to increase work productivity.

Details in Reports

It is possible that you may someday need to generate reports from your network monitoring software–for example, to satisfy the requirements of a subpoena. How will the data look? Through which means will it be available? Consider how easy it will be to generate a report from the software.

Remote Access

Will you be able to access the network through a variety of wireless communication devices, or will you need to have a physical connection to the network to log into it?

Support and Help services

If something goes wrong, will you have help available?

  • If you have difficulty setting up the network, will there be technical assistance? If so, will it be accessible through chat, email, or phone contact? If so, what are the hours in which service will be available?
  • How much time typically elapses before support and help services will respond to your phone call or email?
  • How long will support be offered?

Minimum System Requirements

What does it take to run the network monitoring software on a computer, and does your primary computer meet these requirements? Is there a limit to the number of computers that can be monitored by the software?

nChronos FAQs

January 18th, 2012 | FAQs, nChronos | Comments Off

(1) I double-clicked the server icon on the desktop, but the web browser didn’t open the server administration page. Why?

The server administration is web-based. Double-clicking the desktop icon opens http://localhost in your web browser, which means the default port number is 80. If you fail to see the administration page, it is because the default port 80 is already in use by another web application. In that case nChronos will try to use port 81 (one increment at a time). So you can try this URL in your browser: http://localhost:81. If port 81 is unavailable, try 82.

(2) What’s the difference between Administration port and Communication port under Basic Settings?

The administration port is used for the web browser to open nChronos Administration portal pages. The communication port is open for nChronos console to connect to the server.

(3) Is the communication between nChronos server and nChronos console encrypted?

Yes, the connections between nChronos server and console are encrypted with a private encryption algorithm, which secures data transmissions and minimizes the length of data.

(4) I cannot connect to my nChronos server, what should I do?

First you need to make sure the server is up and running, and then check that you are using the same communication port number as specified on the server (by default, port 3000). Then you need to check your account and password.

(5) I don’t see any statistics in the views except “Please select a time span on the trend chart.”

You need to click and drag on the trend chart to select a time slice. When a time span is specified, the views will show data for that time period only.

(6) How do I drill-down?

Please follow these steps to drill-down: check the items you need to drill-down in any view (except the Summary view) > right-click to open context menu > hover cursor on Drill Down > select a sub statistics type.

(7) I finished configuring the Email Options to alert me to anomalies, but I never get an email. Why?

This is because only email servers on port number 25 are supported. Therefore, you need to make sure the mail server accepts connections on port 25, and that the port number is set to 25 in Alarm Options.

(8) How can I download the packets on nChronos server to my local host?

In any view, check the items whose packets you want to download, right-click and choose Download Packets from the context menu. Then specify a local folder and file name to save the packets, and click the Start button.

Note that it is not recommended to check too many items and download their packets from a remote server, because the download may generate a large volume of traffic and take a long time.

nChronos Study Guide Chapter 8 – Download Packets & Built-in Analyzer

December 31st, 2011 | Study Guide | Comments Off

Product Version: Colasoft nChronos 3.0

Intended Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last chapter we learned:

  1. The user interface and components of the stat view
  2. How to perform drill-down analysis among the views

Continuing our discussion of drill-down analysis: the conversation level (transport layer of OSI) is the deepest layer that nChronos goes to, and you may wonder what to do if we need to take one more step down to the packet level. So in this chapter we’ll see how to download the packets (remember that all packets are saved on the server now) to a local file. Then we can use common network analysis tools to look into the packets.

Before we jump into doing this, we need to understand that the packets are on the server and we are probably using nChronos console to view the traffic analysis stats on our laptop. This means the server and console talk over the network or even the Internet. Given that the server has been monitoring the network for a long time and there might be hundreds of gigabytes of packets stored on the server, it is definitely not a good idea to download such a huge volume of packets to our laptop through the network. It could also be devastating to the server, because the job requires lots of CPU power and dramatically affects analysis performance (we shouldn’t forget that while we download packets, the server is still capturing, analyzing and storing packets). We should pay attention to this even when the console and server are installed on the same machine.

Don’t be put off, though; we can still use the packet download function. It’s just that we’d better not download a large number of packets. We should always use the drill-down feature to narrow down the time range, the number of IP addresses and the number of packets that we need to download to the desktop. For example, say we need to check all packets related to the email server between 23:00 and 23:15 yesterday only. We first locate the time range, 23:00 to 23:15 last night, then go to the IP Address view and find the email server’s IP. Then we check the checkbox of this IP and right-click on it, and we have two options on the context menu: Download Packets and Analyze Packets.

Download Packets

Download Packets retrieves the packets of the checked items from the server and sends them to a packet file on our desktop. When we click the menu item, we see a new window showing the time range and filters, which are the conditions that narrow down the packet range. Then we select the file path and file name. nChronos is able to save the packets in two packet file formats: .rawpkt, the Colasoft packet format, and the popular Wireshark .pcap format. Lastly, click Start to begin the download. When the download is done, we can use analysis tools like Colasoft Capsa or Wireshark to load and analyze the packets.
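As an added example (not part of the original guide and not Colasoft code), the Python below reads a classic .pcap file of the kind Download Packets can save and keeps only the packets to or from one IPv4 host inside a time window, mirroring the email-server case above. The addresses, the sample capture bytes, the UTC window and all function names are constructed for illustration.

```python
import ipaddress
import struct
from datetime import datetime, timezone

UTC = timezone.utc
ETHERTYPE_IPV4, ETHERTYPE_VLAN, LINKTYPE_ETHERNET = 0x0800, 0x8100, 1
# pcap magic number -> timestamp fraction units per second (micro / nano variants)
MAGICS = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}


def read_pcap(data):
    """Yield (epoch_seconds, frame_bytes) for each record in classic pcap bytes."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the magic number reveals the writer's byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            break  # final record cut short, e.g. an interrupted download
        offset += 16 + incl_len
        yield ts_sec + ts_frac / MAGICS[magic], frame


def ipv4_endpoints(frame):
    """Return (src, dst) of an Ethernet/IPv4 frame, or None. Skips one 802.1Q tag."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        ethertype, l3 = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < l3 + 20 or frame[l3] >> 4 != 4:
        return None
    return (ipaddress.IPv4Address(frame[l3 + 12:l3 + 16]),
            ipaddress.IPv4Address(frame[l3 + 16:l3 + 20]))


def filter_packets(data, host, start, end):
    """Return [(utc_time, src, dst, frame_len)] for host's packets in [start, end)."""
    host = ipaddress.IPv4Address(host)
    t0, t1 = start.timestamp(), end.timestamp()
    hits = []
    for ts, frame in read_pcap(data):
        if not (t0 <= ts < t1):
            continue
        ends = ipv4_endpoints(frame)
        if ends and host in ends:
            hits.append((datetime.fromtimestamp(ts, UTC),
                         str(ends[0]), str(ends[1]), len(frame)))
    return hits


def make_frame(src, dst, payload=b""):
    """Build a minimal Ethernet + IPv4 frame for the constructed sample below."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def build_sample_pcap(records):
    """Pack [(datetime, frame)] as little-endian, microsecond-resolution pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for when, frame in records:
        out += struct.pack("<IIII", int(when.timestamp()), when.microsecond,
                           len(frame), len(frame))
        out += frame
    return out


MAIL = "192.0.2.25"      # constructed address standing in for the email server
CLIENT = "198.51.100.7"  # constructed client address
DAY = (2011, 12, 30)     # constructed capture date; times are UTC by assumption
SAMPLE = build_sample_pcap([
    (datetime(*DAY, 22, 59, 30, tzinfo=UTC), make_frame(CLIENT, MAIL)),   # too early
    (datetime(*DAY, 23, 0, 5, tzinfo=UTC), make_frame(CLIENT, MAIL)),     # match
    (datetime(*DAY, 23, 7, 0, tzinfo=UTC), make_frame(CLIENT, "192.0.2.80")),  # other host
    (datetime(*DAY, 23, 14, 59, tzinfo=UTC), make_frame(MAIL, CLIENT, b"x" * 10)),  # match
    (datetime(*DAY, 23, 15, 0, tzinfo=UTC), make_frame(MAIL, CLIENT)),    # window end
])

if __name__ == "__main__":
    window = (datetime(*DAY, 23, 0, tzinfo=UTC), datetime(*DAY, 23, 15, tzinfo=UTC))
    for row in filter_packets(SAMPLE, MAIL, *window):
        print(*row)
```

To use it on a real download, pass the file's bytes (for example `open(path, "rb").read()`) in place of `SAMPLE`; files in .rawpkt or pcapng format are rejected by the magic-number check.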

Analyze Packets

Downloading packets to a local file and then running another analyzer to load the file takes too many clicks, don’t you think? You may be surprised to learn that nChronos console comes with a professional network analyzer provided by Colasoft, nChronos Network Analyzer, which is installed together with the console program. We save lots of clicks if we use the Analyze Packets function. It automatically downloads the packets to nChronos Network Analyzer’s buffer and starts analyzing. It’s a powerful yet free analyzer with all the features that the commercial editions have.

nChronos Study Guide Chapter 7 – Analysis Views & Drill-down Analysis

December 30th, 2011 | Study Guide | Comments Off

Product Version: Colasoft nChronos 3.0

Target Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last chapter we learned:

  • What the trend chart is and how to move it
  • How to select a specific time span on the trend chart

From the last chapter we understand that we first come to the trend chart and then select a time range we are interested in. Then we get many types of traffic statistics in the analysis views below the trend chart. Go to the User Interface Introduction chapter to see the introduction of each view. Each view has its own mission: to provide a specific type of statistics. For example, the IP Address tab provides a list of traffic statistics for all IP addresses in the time period we selected on the trend chart. In this view, we can see the top talkers by traffic volume in bytes (sent/received) and packet count (sent/received), and we can see their Geo location, etc.

Though the views provide different types of stats, they have some things in common, like short-cut buttons and context menus.

Short-cut Buttons

All views have short-cut buttons above the column headers, and each view has a different set of buttons. The functions of the short-cut buttons are listed below by button name:

  • Export: Save all statistic records into a csv file.
  • Drill-down: Drill down to the next level on your selected items.
  • Record rows: Set the number of records to be displayed in the view.
  • Download packets: Download the packets related to your selected objects to a packet file.
  • Analyze packets: Retrieve packets from the server and download them to the built-in analyzer.

Context Menu

If we right-click in the views, we will see a context menu with the following functions:

  • Drill-down: Drill-down to next level on your selected items.
  • Columns: Show or hide columns in the view.
  • Copy: Copy the column text you right-clicked on to the clipboard.
  • Download packets: Download the packets related to your selected objects to a packet file.
  • Analyze packets: Retrieve packets from the server and download them to the built-in analyzer.

Search Items with Keywords

By default only the first 1,000 statistic items are shown in the views, and sometimes a thousand items are still too many to find a specific item in. Most of the views have a search box. We can simply type in a keyword to search for the item we want to locate, no matter which column the keyword is in. For example, we can find an application by typing in its name, and only the applications containing that keyword will be displayed on the screen.

Manage Columns

When we select a time span on the trend chart, the statistic views retrieve columns of data from the server for that time span. These statistics can be sorted, ordered and compared to help us when analyzing the network. We can also choose to hide the columns that we don’t need. By default, only the necessary columns are displayed in the views and only the first 1,000 records of each column are shown under the columns. There are some abbreviations and conventions used in the column headers. The list below describes all the column abbreviations and conventions:

  • Rx: Received
  • Tx: Transmitted
  • pps: Packets per second
  • bps: Bits per second
  • Bps: Bytes per second
  • In: Inbound (packets or bytes received from the Internet to a local host)
  • Out: Outbound (packets or bytes sent from a local network host to the Internet)
  • S/R: Sent/Received
  • I/O: Inbound/Outbound

To hide or show a column, do one of the following:

  • Right-click on the column header area, and then check or uncheck column title.
  • Right-click on the statistic item in the view, and choose Columns > column title.

The statistic items are sortable. We can click on all column headers to rearrange and resort the items in descending order or ascending order.

Drill-down Analysis

Now we’ve learnt the basic functions, the buttons, context menus and other components of each view, and we can start our real analysis right away. Let’s go over the process of doing an analysis once again. First, we connect to an nChronos server and open a monitoring link. We set the time window for the trend chart, select a time period, and then look down to the views.

First we come to the Summary view, which gives us overall stats for the time window (left side of the view). If we select a time period on the trend chart, the summary of the selection is shown on the right side of the Summary view. Then we can move to the other views and use them for drill-down analysis. For example, in the Application view there is a BitTorrent item, and we want to know which IPs had BitTorrent communications during the selected time period. We can double-click the BitTorrent protocol item, and a new sub-view shows on the right side. In the sub-view, we can see the IPs that were involved in the BitTorrent traffic. In this way, we can drill down to the conversation level (transport layer of OSI), which shows us the port numbers of the TCP and UDP conversations. This is the deepest level that nChronos can reach. What if we want to go down to packet level analysis? We are going to talk about downloading packets from the nChronos server to our desktop in the next chapter.

nChronos Study Guide Chapter 6 – Move Trend Chart & Select Time Range

December 30th, 2011 | Study Guide | Comments Off

Product Version: Colasoft nChronos 3.0

Intended Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last chapter we learned:

  • What are the components of nChronos Console
  • The description and use of each statistic view

Once we are familiar with the user interface of the console program, we can move on and focus on how to use the program. The trend chart is the place where we start our journey. The biggest advantage of this retrospective network analysis product is that we can have either a long term or a short term view of our network’s running status, and we can choose to look into a specific period of time.

By default the trend chart shows traffic stats for the past 4 minutes, and we can see the traffic utilization, packet count, and traffic volume of each second. If we change the window size to 10-day, each scale mark on the trend chart represents one hour, and the statistics are the sum for each hour. The bigger the window size value, the more resources are required on the server to retrieve and analyze the statistic data.

Move Trend Chart

We can move the trend chart backwards or forwards to see traffic trends. To move the time on the trend chart, do one of the following:

  • Move the cursor to the bottom of the trend chart, where the cursor changes into a hand. Press and move left or right to slide the time window.
  • We can also manually specify an exact time range by clicking the icon in the upper left corner of the time window and entering an exact time value in either the start time or end time textbox; the other one will be worked out automatically.

Looking at the icon area, we have other icons as well. The First Time Window icon moves to the first time window, the Last Time Window icon moves to the last time window, and the Auto-refresh icon enables the trend chart to refresh automatically; click it again to cancel auto-refresh.

Select Time Span on Trend Chart

The trend chart shows stats for a set length of time: 4-min, 20-min, up to 10-day. We click and drag on the trend chart to specify a time period of any smaller size and take a closer look at the stats of that time period. Once we select a time span on the trend chart, the views below the trend chart automatically retrieve the statistics for that period.

To select a time span:

  • Click and drag, back or forth, on the trend chart to specify a time span.

Once a time span is selected, you can also move it. To move the time span:

  • Move the cursor a little above the top area of the chart, where the cursor displays as a hand. Press and move left or right to move the time span.

So now we understand the time concepts of trend chart and time span. The trend chart can show stats from 4 minutes to as long as 10 days. And we can select a small portion of the time range on the trend chart, and the views below will give us stats for that selected time range only.

nChronos Study Guide Chapter 5 – Console User Interface Introduction

December 29th, 2011 | Study Guide | Comments Off

Product Version: Colasoft nChronos 3.0

Intended Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last tutorial we learned:

  1. How to connect to a nChronos server from console
  2. How to troubleshoot connection error issues

Before heading into this chapter, please make sure you have the answers to these questions. If you have doubts about them, we recommend going back to the last chapter first, or you can turn to us for help on your specific case.

In this chapter we’ll take a look at the user interface of nChronos Console. nChronos Console is the component that we use to view network analysis stats, perform drill-down analysis and also manage server settings, etc. So we use nChronos Console more often than the server program. When we run the console program, we first come to the Start Page, where we can find the latest official news, product documents, learning resources and the contact info. If we add a server connection (more details in the last chapter) in the Server Explorer (left-side panel), we can connect to the server, and it opens the stats view. The view contains a trend chart and several stats views.

Packet File Explorer

In the last chapter we learnt what Server Explorer is. If you look below this panel, you will find something called Packet File Explorer. This is another important function: besides monitoring real-time traffic traveling through your network via nChronos server, nChronos console has the ability to analyze packet files (also known as trace files). nChronos console can open the packet files generated by Colasoft’s portable network analyzer, Colasoft Capsa (and also the packets downloaded from nChronos Server), as well as .cap and .pcap files from Wireshark. This is useful when we have a large packet file and we just need to concentrate on one part of it. We use nChronos console to open the file, lock on to the specific time period and analyze the packets of that period.

This means we can analyze traffic either from real-time capture or from packet files, and we analyze both in the same way with the views described below.

The Trend Chart (Time Window)

The trend chart and the time window are the same thing. With the trend chart, we get a graphical view of traffic trends. It helps us identify when the traffic drops and when it climbs more visually than numbers alone, and then we can focus on the abnormal time period to see closely what happened during that period. So it’s often the starting point for our retrospective and drill-down analysis. By default, the time window shows the traffic trend of the past four minutes. When we change or move the time window, the chart refreshes automatically. We can zoom in to a time unit of one second and zoom out to one hour, which means that with a 4-minute time window we can view traffic stats for every second, while a 10-day window shows stats for each hour.

If we are interested in looking into a specific time period, we can click and drag to select a time span on the trend chart and view the traffic statistics of that period. When we select a time span on the trend chart, the views below display only the statistics of that time period, which helps us focus on just that small slice of time. For example, suppose it is reported to us that users could not access the webserver from about 7:00 AM to 7:15 AM, and we need to figure out the causes of this downtime. We can connect to nChronos server, rewind to the time window of that period, and select the time period between 7:00 and 7:15. The views will refresh to show the traffic statistics for those 15 minutes. Next we can use the drill-down feature to focus on the webserver address, and check whether its data link layer, Internet layer, and TCP transports are stable.

Statistic Views

There are several views below the trend chart which display types of statistics in different tabs. They work together with trend charts and time span selection to reduce statistic data volumes and let us focus on analyzing and drill-down to look into network issues. The views are described below:

  1. Summary view: overall summary statistics of alarms, total traffic, inbound traffic, outbound traffic, IP and non-IP traffic and TCP packets statistics. If you select a time span on the trend chart, the summary statistics of this time span are displayed on the right side.
  2. Application view: traffic statistics of network applications, such as TCP, HTTP, POP3, etc.
  3. IP Address view: traffic statistics based on every IP address, including bytes, packets, pps, etc.
  4. Physical Address view: traffic statistics based on every MAC address, including bytes, packets, pps, etc.
  5. IP Conversation view: traffic statistics on IP address pairs. You can know which nodes are communicating and their connection statistics.
  6. Physical Conversation view: traffic statistics on MAC address pairs.
  7. TCP Conversation view: statistics, on the transport layer, of the IP addresses and ports, including packets sent and received, conversation duration, Bps etc.
  8. UDP Conversation view: statistics for UDP, another important transport layer protocol, by IP address and port, including packets sent and received, conversation duration, Bps etc.
  9. Alarm Log view: the log records of alarms being triggered and released.

The views mentioned above, except the Summary view, display records only when you select a time span on the trend chart. When you change the selection of the time span, the statistics in the views refresh automatically. You can also select records in the views and right-click to select drill-down analysis; in this way, you are able to focus on specific network objects and find the source of what you are looking for.

So far, we can see that nChronos console user interface is clear and simple to understand. The Free and commercial editions have the same look and we are going to talk about how to use the console program in next chapter.

nChronos Study Guide Chapter 4 – Connect to nChronos Server from Console

December 28th, 2011 | Study Guide | Comments Off

Product Version: Colasoft nChronos 3.0

Target Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last tutorial we learned:

  1. What is Network Link on nChronos Server
  2. How to start a link monitoring mission

Before heading into this chapter, please make sure you have the answers to these questions. If you have doubts about them, we recommend going back to the last chapter first, or you can turn to us for help on your specific case.

From this chapter on we’ll move our focus to the nChronos Console program, because the server’s mission is to monitor and analyze the traffic and we don’t need to change its settings very often. nChronos console is the software component that we use to view the analysis statistics and conduct in-depth analysis, etc. nChronos console is able to interact with the server, such as by retrieving analysis stats from the server and sending operation commands to manage the server.

nChronos Server Network Connection Setup

We can install the nChronos Console and Server software on the same machine if we just want to know how they work. But that’s not how they are designed to be used if we want to make the most of their remote and distributed advantages. If we install them on different machines, we need to make sure they can communicate with each other smoothly.

  1. Both the server and console machines can communicate on the network. Note that if you use nChronos server to capture packets from a switch’s mirror port, your server might not be able to communicate on the network. If that’s the case you need to add an additional network card and connect it to a normal port of the switch to communicate with nChronos console.
  2. The firewall on the server needs to open the TCP port number that the console uses to connect to the server. The default port number is TCP 3000.

Then we can use nChronos console to try our first connection to nChronos server. Run nChronos Console and follow the instructions below to establish a connection with the server.

  1. Double-click nChronos Console icon on the desktop to run the program.
  2. Click “Click to add server link” on the left-side Server Explorer panel.
  3. Enter the IP address of the nChronos server.
  4. Enter port number.
  5. Enter account name and password. This user name and password can be the one you use to login the server’s administration portal. It’s the admin account.
  6. Enter a label for this server (can be ignored) and click Save.
  7. Double-click the server name or right-click and choose Connect from the context menu on the Server Explorer.
  8. Double-click the network link name to view analysis statistic on the right panel.

If we’ve followed nChronos Server Network Connection Setup to make sure the server is connected to the network we should be able to connect to the server successfully. But if it turns out to be any error while trying to connect to the server, we can do the following step to troubleshoot the connectivity.

  1. Username or password error: this means the server can be reached but the account is not valid for login. We should check the entries in steps #4 and #5.
  2. Unable to connect to the server: check the IP address entry in step #3 and retry. If it fails, try a PING test to see if your machine is able to talk to the server. Then check the firewall setup of the server machine.
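The PING test in item 2 only shows that the host answers ICMP. The Python sketch below is an added example, not Colasoft code: it tries one TCP connection to the console port and maps the outcome to the steps above. The function names, the advice strings and the placeholder address 192.0.2.10 are assumptions made for illustration.

```python
import errno
import socket

DEFAULT_PORT = 3000  # default console-to-server TCP port given in the article

# Hypothetical mapping from probe result to the article's troubleshooting steps.
NEXT_STEP = {
    "open": "TCP path works; a failed login is an account problem (step 5).",
    "refused": "Host answered but rejected the port; re-check the port (step 4).",
    "timeout": "No reply; PING the server, then check its firewall for the port.",
    "unreachable": "No route to the host; re-check the IP address (step 3).",
    "bad-address": "The address does not resolve; re-check the entry (step 3).",
    "error": "Unexpected socket error; inspect it before changing settings.",
}

def probe(host, port=DEFAULT_PORT, timeout=3.0):
    """Attempt one TCP connection and classify how it ended."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"        # nothing came back, typical of a dropping firewall
    except ConnectionRefusedError:
        return "refused"        # reset received: host reachable, port not accepting
    except socket.gaierror:
        return "bad-address"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"

def diagnose(host, port=DEFAULT_PORT, timeout=3.0):
    """Return (result, advice) for one console-to-server connection attempt."""
    result = probe(host, port, timeout)
    return result, NEXT_STEP[result]

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the server IP.
    print(diagnose("192.0.2.10"))
```

A "timeout" result with a successful PING points at the firewall rule rather than at the address entry.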

Connect to nChronos Server from the Internet

Sometimes we also need to connect to the server from the Internet. For example, there is an nChronos server deployed in your network, and you want to check your network status from home. We know we can’t access a private IP address from the Internet, so we can use our preferred method to reach the nChronos server from the Internet: we can use a VPN connection, assign the server a public IP address, and so on. If you still have issues with connecting to your nChronos server, please feel free to contact our support or leave a comment below.

nChronos Study Guide Chapter 3 – Start Monitoring Session

December 27th, 2011 | Study Guide | Comments Off

Product Version: Colasoft nChronos 3.0

Target Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last tutorial we learned:

  1. What are the components of Colasoft nChronos
  2. How and where to install nChronos Server and Console software
  3. How to initialize nChronos Server
  4. How to login and activate nChronos Server

Before heading into this chapter, please make sure you have the answers to these questions. If you have doubts about them, we recommend going back to the last chapter first, or you can turn to us for help with your specific case.

In this chapter we’ll learn how to start a monitoring mission. First we should take a look at the term Network Link. A network link is defined as a logical link that collects network packets from one or multiple NICs and then analyzes all of them. If that is hard to understand, we can simply think of a network link as a project. Higher editions let you use one nChronos server to monitor traffic from multiple NICs in one link, while basic editions (such as nChronos Free) only support capturing traffic from a single NIC. This means you can’t use nChronos Free to capture both inbound and outbound traffic on a normal 4-port network tap, because such a tap has two monitor ports, one for inbound packets and another for outbound. Now let’s see how to create a network link to start an analysis mission.

  1. Click Network Link on the left panel.
  2. Click the Add New Link button on the right side.
  3. Enter a link name, such as Core Switch.
  4. Choose the traffic source type (where to capture traffic). If the nChronos server is connected to a standard tap, you’ll need two NICs to separately capture the inbound and outbound packets from the tap’s two monitor ports. But to capture from an aggregation tap or a switch’s SPAN port, we need only one capture NIC. Note that this does not count the NIC used to connect to the server remotely from nChronos Console, which requires an additional NIC.
  5. Click Next, select the adapters that we want to use for packet capture.
  6. Check the Calculate inbound & outbound traffic volume option. With this option checked, we can see the inbound and outbound statistics on the charts of nChronos console; otherwise, we only get total utilization or output there. So we should always keep this option checked.
  7. Enter the IP segment value to identify your Intranet IP addresses. This textbox helps nChronos server identify which IPs are our local hosts and which traffic is internal traffic. IPs not included in our input will be recognized as foreign hosts.
  8. Check Calculate inbound & outbound utilization. This option has almost the same meaning as the option in item 6. We’d better keep it checked as well.
  9. Enter Inbound Bandwidth and Outbound Bandwidth. If we want to see the bandwidth chart on nChronos console, we need to define what our inbound and outbound bandwidths are. For example, in our 1,000M LAN, we have both a 1,000 Mbps uplink and a 1,000 Mbps downlink, so we input 1000 in both textboxes. Be careful with these values, because the utilization that nChronos works out is based on them. If it’s a 100 Mbps network and we mistype 1000, the utilization will be 10 times smaller than it should be.
  10. Click Save to finish settings.
  11. As the last step, click the Start button to start the link monitoring session.
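How the settings in items 7 and 9 shape the numbers on the charts can be seen in a small model. The Python below is an added example, not nChronos code: it assumes utilization is bits seen divided by configured bandwidth times interval (the article does not give the exact formula), and the packet sample, addresses and function names are constructed for illustration.

```python
import ipaddress

def direction(src, dst, nets):
    """Classify one packet relative to the configured intranet segments."""
    src_local = any(ipaddress.ip_address(src) in n for n in nets)
    dst_local = any(ipaddress.ip_address(dst) in n for n in nets)
    if src_local and dst_local:
        return "internal"
    if src_local:
        return "outbound"
    if dst_local:
        return "inbound"
    return "external"

def link_stats(packets, segments, in_mbps, out_mbps, seconds):
    """Sum bytes per direction and turn them into utilization percentages."""
    nets = [ipaddress.ip_network(s) for s in segments]
    totals = {"inbound": 0, "outbound": 0, "internal": 0, "external": 0}
    for src, dst, size in packets:
        totals[direction(src, dst, nets)] += size
    # Assumed formula: bits seen / (configured bandwidth * interval) * 100
    totals["in_util"] = totals["inbound"] * 8 * 100 / (in_mbps * 1_000_000 * seconds)
    totals["out_util"] = totals["outbound"] * 8 * 100 / (out_mbps * 1_000_000 * seconds)
    return totals

# Constructed one-second sample: (source IP, destination IP, bytes).
PACKETS = [
    ("203.0.113.10", "10.0.1.5", 6_250_000),   # Internet -> local host
    ("10.0.1.5", "203.0.113.10", 1_250_000),   # local host -> Internet
    ("10.0.1.5", "10.0.2.9", 500_000),         # local host -> local host
]

if __name__ == "__main__":
    both = ["10.0.1.0/24", "10.0.2.0/24"]
    print(link_stats(PACKETS, both, 100, 100, 1))             # correct settings
    print(link_stats(PACKETS, both, 1000, 1000, 1))           # 100 Mbps typed as 1000
    print(link_stats(PACKETS, ["10.0.1.0/24"], 100, 100, 1))  # one segment left out
```

With one segment left out, the host in 10.0.2.0/24 is treated as foreign, so local traffic to it is counted as outbound and inflates that figure.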

Now the link is running and capturing packets from the NIC we chose. Every captured packet is analyzed and stored to hard disk, and analysis statistics are also saved on the server. We can now close the web browser and the monitoring mission will keep running. There is no need to worry that the capture will stop accidentally, because nChronos server automatically recovers when it finds that a link’s status has gone down abnormally. Even after the server is rebooted, nChronos server automatically recovers and continues packet capture.