Enabling Secure Business Operations

You are viewing all posts by lmcelhaney.

Colasoft Capsa vs. Wireshark

June 22nd, 2009

This article builds on Sniffing Networks Part 3 - Understanding what you’re seeing. It introduces another tool for network sniffing and compares it to the previously discussed Wireshark.

You’ve already been introduced to Wireshark and learned how to use it. We now consider another tool, Colasoft Capsa Enterprise Edition, which can also be used for network sniffing. Colasoft Capsa offers many of the same features as Wireshark and adds new analysis features. Like Wireshark, Colasoft Capsa captures and decodes packets and supplies a hex view of each packet. Below is a screenshot of the packet view in Colasoft Capsa. Both programs automatically color-code protocols.

[Screenshot 1: packet view in Colasoft Capsa]

Colasoft Capsa allows you to apply filters to view only selected types of packets, or to view everything except the selected packets. Filters can be applied by address, port, or protocol as well. It is also possible to enable advanced filters, which are similar to Wireshark’s filters. In advanced filters, you can combine specific addresses, ports, protocols, and packets by size, value, or pattern in any combination using the “and,” “or,” and “not” logic modifiers.

It is possible to view related packets in Colasoft Capsa by right-clicking a packet and choosing an option from “Select Related Packets.” This action highlights the packets related in the specified manner. Choosing “By Flow” from the related packets menu highlights the packets that Wireshark glues together when you select “Follow TCP Stream.” While this shows the related packets, Colasoft Capsa does not show all packets of a stream in one window as Wireshark does. Other relations for grouping packets in Colasoft Capsa include by source, destination, or protocol.

Colasoft Capsa offers many of the analysis features found in Wireshark. For example, both programs can display endpoints and protocols from the captured packets along with statistics on the amount of data sent and received for each. The difference is that Colasoft Capsa adds a visual interpretation of the statistics.

Colasoft Capsa offers other visual aids such as graphs and a matrix view in which all endpoints that communicate are connected. Additional features include reports, logs, and diagnostic capabilities that can be used to discover network problems. All of Colasoft Capsa’s features are discussed in more detail in the article Using Colasoft Capsa.

Using Colasoft Capsa

June 19th, 2009

This article builds on the Sniffing Networks series and introduces Colasoft Capsa Enterprise Edition, which can be used for network sniffing and analysis.

To get started capturing packets with Colasoft Capsa, click the “Start Capture Now” button on the opening screen. This opens the project settings, which can be customized for the project at hand. The project settings can also be modified later from the toolbar at the top of the window. Click OK to get started. This starts the capture, which can be stopped at any time by clicking the stop button on the top toolbar.

After capturing packets there will be two additional docked windows to the left, and the main window now contains ten tabs. The top left window labeled Explorer can be used as a filter of sorts to change the data seen and analyzed in the tabs to the right. The Project Status window gives a general overview of the project and packets captured. The summary tab provides a more in-depth look at the packets collected.

The diagnosis tab can be helpful for monitoring and solving problems on the network. Each diagnosis event falls under one of four network layers: application, transport, network, or data link; each event is also given a severity level depending on the type of event. All diagnosis events are predefined by the software. Clicking on a diagnosis event brings up a references tab within the window, which gives a description of the event and possible causes and solutions. The endpoints tab gives statistics for each of the physical endpoints of the network, which illustrates the flow of traffic.

[Screenshot 2: protocols tab, with bytes per protocol shown as bars]

The protocols tab separates the information by protocol. As seen above, the bytes used for each are displayed as a bar. The protocols are listed as a hierarchy, so there is overlap within the total bytes: the bytes of an HTTP packet are also counted under TCP, IP, and Ethernet. The conversation tab is divided into two windows. The top window shows all the connections made between different endpoints. The type of endpoint can be changed to represent physical, IP, TCP, or UDP endpoints. All packets that belong to the selected conversation are displayed in the bottom window.

The matrix view, as seen below, visually shows all the endpoints and the connections they make with each other. Essentially, every conversation is shown as a line. The endpoints displayed can be sorted by physical or IP, as well as any combination of unicast, multicast, and broadcast traffic types.
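The endpoints tab, the protocols tab, the conversation tab, and the matrix view are all different aggregations of the same captured packets. The following added example (not Colasoft’s code, and not from the original article) reproduces those aggregations over a small constructed capture: per-endpoint bytes sent and received, per-protocol byte totals rolled up through an assumed protocol hierarchy so the totals overlap as the article describes, and the endpoint-pair counts that the matrix view draws as lines. The Packet record, the PARENT table, and the sample packets are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Decoded fields of one captured frame (constructed for this example)."""
    src_mac: str
    dst_mac: str
    src_ip: str      # empty for non-IP frames such as ARP
    dst_ip: str
    protocol: str    # innermost decoded protocol, e.g. "HTTP", "DNS", "ARP"
    length: int      # bytes on the wire


# Assumed protocol hierarchy used for the roll-up: each protocol names its parent layer.
PARENT = {
    "Ethernet": None,
    "ARP": "Ethernet",
    "IP": "Ethernet",
    "TCP": "IP",
    "UDP": "IP",
    "HTTP": "TCP",
    "DNS": "UDP",
}

# Constructed sample capture: one HTTP exchange, one DNS lookup, one ARP broadcast.
SAMPLE = [
    Packet("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "10.0.0.1", "10.0.0.2", "HTTP", 540),
    Packet("aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01", "10.0.0.2", "10.0.0.1", "HTTP", 1200),
    Packet("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:03", "10.0.0.1", "10.0.0.53", "DNS", 78),
    Packet("aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:01", "10.0.0.53", "10.0.0.1", "DNS", 94),
    Packet("aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", "", "", "ARP", 60),
]


def protocol_bytes(packets):
    """Bytes per protocol, credited to every layer above it, so totals overlap:
    an HTTP packet counts toward HTTP, TCP, IP and Ethernet."""
    totals = defaultdict(int)
    for p in packets:
        proto = p.protocol
        while proto is not None:
            totals[proto] += p.length
            proto = PARENT[proto]
    return dict(totals)


def _ends(p, kind):
    """Source/destination pair at the requested layer ('ip' or 'physical')."""
    return (p.src_ip, p.dst_ip) if kind == "ip" else (p.src_mac, p.dst_mac)


def endpoint_stats(packets, kind="ip"):
    """Bytes sent and received per endpoint; kind is 'ip' or 'physical'."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    for p in packets:
        src, dst = _ends(p, kind)
        if src:
            stats[src]["sent"] += p.length
        if dst:
            stats[dst]["received"] += p.length
    return {k: dict(v) for k, v in stats.items()}


def conversation_matrix(packets, kind="ip"):
    """Packet count per unordered endpoint pair: one entry per line in the matrix view."""
    matrix = defaultdict(int)
    for p in packets:
        a, b = _ends(p, kind)
        if a and b:
            matrix[tuple(sorted((a, b)))] += 1
    return dict(matrix)


if __name__ == "__main__":
    for name, total in sorted(protocol_bytes(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{name:8s} {total:6d} bytes")
    print(endpoint_stats(SAMPLE))
    print(endpoint_stats(SAMPLE, kind="physical"))
    print(conversation_matrix(SAMPLE))
```

The roll-up is why the protocol bars do not add up to the capture size: the Ethernet total here is 1972 bytes while HTTP alone accounts for 1740 of them. When reading these tabs for anomalies, compare an endpoint’s sent and received bytes, since a host that sends far more than it receives, or talks to many peers in the matrix view, stands out from the rest.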

[Screenshot 3: matrix view of endpoints and their conversations]

The packets tab displays the packets as they are captured and provides information on source, destination, size, and protocol. The packets tab also has a window that decodes the selected packet. To help sort through the packets, you can right-click a packet and choose “Select Related Packets” to show packets related by source, destination, flow, or protocol.

The logs view keeps track of events such as HTTP requests, email messages, DNS queries, and instant messenger activities. All logs are enabled in the default project settings, but any or all can be excluded. The logs can also be set to be automatically saved to a file.
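The logs view records application-level events such as HTTP requests and DNS queries, which the tool extracts from packet payloads. As an added example (not Colasoft’s code and not from the original article) of how such log entries are derived, the code below parses two constructed payloads: it pulls the method, path, and Host header from the start of an HTTP request, and the transaction ID, query name, and query type from a DNS query message, rejecting DNS responses and truncated messages. The payload bytes are constructed for the example; the DNS layout follows the standard header and label encoding, and compression pointers are deliberately not handled since they do not appear in the question section of a query.

```python
import struct

# Constructed sample payloads (not captured traffic): a plain HTTP request and a
# standard DNS query for www.example.com, type A, class IN.
HTTP_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: example-client\r\n\r\n"
)

DNS_PAYLOAD = (
    b"\x12\x34"                       # transaction ID
    b"\x01\x00"                       # flags: standard query, recursion desired
    b"\x00\x01"                       # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"       # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x03www\x07example\x03com\x00"  # QNAME as length-prefixed labels
    b"\x00\x01"                       # QTYPE A
    b"\x00\x01"                       # QCLASS IN
)

HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


def http_request_log(payload: bytes):
    """Return (method, path, host) when the TCP payload starts an HTTP request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return parts[0], parts[1], host


def _read_name(payload: bytes, offset: int):
    """Decode a DNS name of length-prefixed labels; return (name, offset after the name).
    Raises ValueError on truncation, oversized labels, or compression pointers."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated DNS name")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        if length > 63 or offset + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def dns_query_log(payload: bytes):
    """Return (transaction_id, qname, qtype) for a DNS query message, else None."""
    if len(payload) < 12:                       # shorter than the fixed header
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:           # QR bit set means a response
        return None
    try:
        qname, offset = _read_name(payload, 12)
        qtype, = struct.unpack("!H", payload[offset:offset + 2])
    except (ValueError, struct.error, UnicodeDecodeError):
        return None
    return txid, qname, qtype


if __name__ == "__main__":
    print("HTTP:", http_request_log(HTTP_PAYLOAD))
    print("DNS: ", dns_query_log(DNS_PAYLOAD))
```

The bounds checks in _read_name are the part worth copying: a log extractor runs over untrusted payloads, so a malformed label length must produce a rejected entry rather than an exception or an out-of-range read.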

[Screenshot 4]

The graphs can be useful for presenting data because they give a visual interpretation of the numbers. There are many groupings of information for the graphs and many types of graphs, including line graphs, area graphs, bar graphs, pie charts, and 3-D options. It is also possible to compare two graphs. The last tab, reports, is similar to the summary tab but presents data by integrating numbers and graphics. This tab contains packet and protocol statistics, diagnosis events, and charts such as top ten IP protocols and top ten physical addresses.

As mentioned earlier, the explorer window is one way to limit the information analyzed, but it is also possible to apply filters. Filters can be formed by packet, address, port, and protocol type, as well as more advanced filtering options.
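Both articles describe the same two ways of narrowing a capture: filters built from address, port, protocol, size, value, and pattern criteria, combined with “and,” “or,” and “not” modifiers, and “Select Related Packets,” whose “By Flow” option highlights what Wireshark’s “Follow TCP Stream” joins together. The following added example (not Colasoft’s or Wireshark’s code, and not from either article) models each criterion as a predicate over a packet record, composes them with and/or/not combinators, and expresses the by-flow relation as a predicate derived from a selected packet, so that both directions of a connection match. The Packet record and the sample packets are assumptions constructed for the example; the filter syntax of the real tools is not reproduced here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Decoded fields of one captured packet (constructed for this example)."""
    src_ip: str
    dst_ip: str
    src_port: int      # 0 for protocols without ports
    dst_port: int
    protocol: str      # "TCP", "UDP" or "ICMP"
    length: int
    payload: bytes = b""


# Every filter is a predicate Packet -> bool. Simple filters mirror the address,
# port, protocol, size, value and pattern criteria; all_of/any_of/negate are the
# "and", "or" and "not" modifiers used to combine them.
def by_address(ip):
    return lambda p: ip in (p.src_ip, p.dst_ip)


def by_port(port):
    return lambda p: port in (p.src_port, p.dst_port)


def by_protocol(name):
    return lambda p: p.protocol == name


def by_size(min_len=0, max_len=None):
    return lambda p: p.length >= min_len and (max_len is None or p.length <= max_len)


def by_value(offset, value):
    """Fixed byte sequence at a payload offset, e.g. a TLS record header."""
    return lambda p: p.payload[offset:offset + len(value)] == value


def by_pattern(regex):
    """Regular expression over the payload; regex must be a bytes pattern."""
    compiled = re.compile(regex)
    return lambda p: compiled.search(p.payload) is not None


def all_of(*filters):
    return lambda p: all(f(p) for f in filters)


def any_of(*filters):
    return lambda p: any(f(p) for f in filters)


def negate(f):
    return lambda p: not f(p)


def by_flow(selected):
    """Same bidirectional flow as the selected packet: the packets highlighted by
    'Select Related Packets -> By Flow' and joined by 'Follow TCP Stream'."""
    key = frozenset({(selected.src_ip, selected.src_port),
                     (selected.dst_ip, selected.dst_port)})
    return lambda p: (p.protocol == selected.protocol and
                      frozenset({(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)}) == key)


def apply_filter(packets, f):
    return [p for p in packets if f(p)]


# Constructed sample capture: an HTTP exchange, a DNS lookup, a TLS ClientHello
# from a third host, and one ICMP packet.
SAMPLE = [
    Packet("10.0.0.1", "10.0.0.2", 51000, 80, "TCP", 540, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    Packet("10.0.0.2", "10.0.0.1", 80, 51000, "TCP", 1200, b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet("10.0.0.1", "10.0.0.53", 40000, 53, "UDP", 78, b"\x12\x34\x01\x00"),
    Packet("10.0.0.53", "10.0.0.1", 53, 40000, "UDP", 94, b"\x12\x34\x81\x80"),
    Packet("10.0.0.7", "10.0.0.2", 52000, 443, "TCP", 1514, b"\x16\x03\x01"),
    Packet("10.0.0.7", "10.0.0.2", 0, 0, "ICMP", 98, b""),
]


def demo(packets=SAMPLE):
    """Apply a few combined filters and return the matching packet indices per filter."""
    filters = {
        # TCP on port 80 or 443, excluding everything involving 10.0.0.7
        "web_not_from_7": all_of(by_protocol("TCP"),
                                 any_of(by_port(80), by_port(443)),
                                 negate(by_address("10.0.0.7"))),
        "large": by_size(min_len=1000),
        "http_requests": by_pattern(rb"^(GET|POST) "),
        "tls_records": by_value(0, b"\x16\x03"),
        "flow_of_reply": by_flow(packets[1]),
    }
    return {name: [i for i, p in enumerate(packets) if f(p)] for name, f in filters.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:16s} -> packets {hits}")
```

The by_flow key is an unordered set of (address, port) pairs, which is what makes the server’s reply match the client’s request; a filter built only from source and destination fields would return one direction of the conversation. Matching on protocol as well keeps a UDP exchange between the same addresses and ports from being pulled into a TCP flow.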

In addition, Colasoft Capsa comes with four extra tools. These consist of a MAC Scanner, Packet Builder, Packet Player, and Ping tool. For more information on Colasoft Capsa and these tools, visit the Colasoft website at http://www.colasoft.com/.