This article builds on the Sniffing Networks series and introduces Colasoft Capsa Enterprise Edition, which can be used for network sniffing and analysis.
To get started capturing packets with Colasoft Capsa, click on the “Start Capture Now” button on the opening screen. Clicking this will open the project settings, which can be customized depending on the project. The project settings can also be modified later by the toolbar at the top of the window. Click OK to get started. This starts the capture which can be stopped at any time by clicking the stop button along the top toolbar.
After capturing packets there will be two additional docked windows to the left, and the main window now contains ten tabs. The top left window labeled Explorer can be used as a filter of sorts to change the data seen and analyzed in the tabs to the right. The Project Status window gives a general overview of the project and packets captured. The summary tab provides a more in-depth look at the packets collected.
The diagnosis tab can be helpful for monitoring and solving problems on the network. Each diagnosis event falls under one of four network layers: application, transport, network, or data link; each event is also given a severity level depending on the type of event. All diagnosis events are predefined by the software. Clicking on a diagnosis event brings up a references tab within the window, which gives a description of the event and possible causes and solutions. The endpoints tab gives statistics for each of the physical endpoints of the network, which illustrates the flow of traffic.
The protocols tab separates the information by protocol. As seen above, the bytes used for each protocol are displayed as a bar. The protocols are listed as a hierarchy, so the byte counts overlap: a frame's bytes are counted once for every layer it contains, and the per-protocol figures do not add up to the total captured. The conversation tab is divided into two windows. The top window shows all the connections made between different endpoints. The type of endpoint can be changed to represent either physical, IP, TCP, or UDP endpoints. All packets that belong to the selected conversation are displayed in the bottom window.
The matrix view, as seen below, visually shows all the endpoints and the connections they make with each other. Essentially, every conversation is shown as a line. The endpoints displayed can be sorted by physical or IP, as well as any combination of unicast, multicast, and broadcast traffic types.
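To make the hierarchy overlap and the endpoint views concrete, here is an added Python example (not Capsa's code; Capsa is a closed GUI tool) that computes the same three things from a constructed set of frame records: per-protocol byte totals along the protocol path, conversations keyed by physical or IP endpoint pair, and the peer map the matrix view draws as lines. The MAC addresses, IPs and sizes are made up for the example.

```python
from collections import Counter, defaultdict

# Constructed sample capture, one tuple per frame:
# (src_mac, dst_mac, src_ip, dst_ip, protocol stack outermost first, frame size in bytes).
# The ARP frame has no IP layer, so src_ip/dst_ip are None.
PACKETS = [
    ("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2", ("Ethernet", "IP", "TCP", "HTTP"), 600),
    ("00:11:22:33:44:02", "00:11:22:33:44:01", "10.0.0.2", "10.0.0.1", ("Ethernet", "IP", "TCP", "HTTP"), 1400),
    ("00:11:22:33:44:01", "00:11:22:33:44:53", "10.0.0.1", "10.0.0.53", ("Ethernet", "IP", "UDP", "DNS"), 80),
    ("00:11:22:33:44:53", "00:11:22:33:44:01", "10.0.0.53", "10.0.0.1", ("Ethernet", "IP", "UDP", "DNS"), 120),
    ("00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff", None, None, ("Ethernet", "ARP"), 60),
]


def protocol_hierarchy(packets):
    """Bytes per node of the protocol tree, keyed by path such as 'Ethernet/IP/TCP'.

    A frame's size is added to every ancestor on its path, which is why the
    figures in a hierarchical protocol view overlap instead of summing to the capture size.
    """
    totals = Counter()
    for *_, stack, size in packets:
        for depth in range(1, len(stack) + 1):
            totals["/".join(stack[:depth])] += size
    return totals


def _endpoints(frame, level):
    """Pick the endpoint pair for the requested view; IP view skips frames without an IP layer."""
    src_mac, dst_mac, src_ip, dst_ip, _stack, _size = frame
    if level == "physical":
        return src_mac, dst_mac
    if src_ip is None:
        return None
    return src_ip, dst_ip


def conversations(packets, level="ip"):
    """Bytes exchanged per unordered endpoint pair (both directions merged into one conversation)."""
    convs = Counter()
    for frame in packets:
        pair = _endpoints(frame, level)
        if pair is not None:
            convs[tuple(sorted(pair))] += frame[-1]
    return convs


def matrix(packets, level="ip"):
    """Peer map behind the matrix view: each endpoint maps to the set of endpoints it talked to."""
    peers = defaultdict(set)
    for a, b in conversations(packets, level):
        peers[a].add(b)
        peers[b].add(a)
    return dict(peers)
```

Note that the ARP frame only shows up in the physical-level conversation list, matching what you see when switching the conversation view from IP to physical endpoints.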
The packets tab displays the packets as they are captured and provides information on source, destination, size, and protocol. The packets tab also has a window that decodes the selected packet. To help sort through the packets, you can right-click on a packet and choose “Select Related Packets” to show packets related by source, destination, flow, or protocol.
The logs view keeps track of events such as HTTP requests, email messages, DNS queries, and instant messenger activities. All logs are enabled in the default project settings, but any or all can be excluded. The logs can also be set to be automatically saved to a file.
The graphs can be useful for presenting data because they give a visual interpretation of the numbers. There are many groupings of information for the graphs and many types of graphs, including line graphs, area graphs, bar graphs, pie charts, and 3-D options. It is also possible to compare two graphs. The last tab, reports, is similar to the summary tab but presents data by integrating numbers and graphics. This tab contains packet and protocol statistics, diagnosis events, and charts such as top ten IP protocols and top ten physical addresses.
As mentioned earlier, the explorer window is one way to limit the information analyzed, but it is also possible to apply filters. Filters can be formed by packet, address, port, and protocol type, as well as more advanced filtering options.
In addition, Colasoft Capsa comes with four extra tools. These consist of a MAC Scanner, Packet Builder, Packet Player, and Ping tool. For more information on Colasoft Capsa and these tools, visit the Colasoft website at http://www.colasoft.com/.