
Test-drive: Colasoft Capsa network analyzer

Having the right tools on the network is critical to a network administrator's success. In this TechRepublic blog post, IT Jedi Rick Vanover takes a look at the Colasoft Capsa tool for network analytics.

Having good insight into your network is critical. There are so many potential issues that can be going on that any additional tool can be welcome. These can include attacks, unencrypted transmissions and applications, or incorrect configurations bogging down the network.

Recently, I had a chance to evaluate the Colasoft network analyzer, Capsa. Capsa offers a lot of features in a small package, though the network analyzer field is very crowded. One thing that can differentiate a network tool is ease of use. While test-driving Capsa on my lab network, I immediately saw a message coming in through a conversation detail indicating an incorrect network configuration, shown in Figure A.

Figure A


Sure enough, this message quickly pointed out that the 10.187.187.200 host was incorrectly configured to look to 10.187.187.2 for the default gateway and DNS server. So, right away, Capsa saved me needless broadcasts on my network by identifying this issue on one host.

But what else did I see with the tool? Well, of course, I confirmed again that my Yahoo Instant Messenger traffic is sent in plain text; we all knew that, right? The Capsa tool identified remote desktop connectivity on port 3389 TCP from my Windows 7 host (rick-vanover-w7) to the system mentioned above with the incorrect default gateway and DNS configuration. Figure B shows this traffic pattern.

Figure B


The capture worked pretty well; the next observation I had is that I was able to see Windows file sharing going on between two hosts. This is important as it may be a way to determine if any unauthorized peer-to-peer file exchanges are occurring. Here is a capture from the Capsa system; notice the Windows 7 host mentioned earlier copying a file from a file and print resource. Figure C shows this traffic pattern with the highlighted row.

Figure C


This traffic was expected, but it can be monitored in ways such as this to capture the traffic patterns to identify unauthorized file exchanges.
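The three observations above (a host repeatedly asking for a gateway/DNS address that nobody answers, RDP sessions on 3389/TCP, and SMB file copies between hosts) are all patterns a conversation view surfaces. The script below is an added example, not Colasoft's code, that applies the same checks to a handful of constructed packet summaries shaped like an analyzer's conversation list. The record layout, the byte threshold for a "bulk" SMB transfer, and the use of 5050/TCP as the Yahoo Messenger port are assumptions made for the example; the 10.187.187.x addresses are the ones from the post.

```python
"""Toy conversation analyzer for the patterns discussed in the post.
Added example (not Colasoft code); flags unanswered ARP for a gateway,
RDP sessions, SMB file sharing and cleartext IM over constructed records."""
from collections import Counter
from dataclasses import dataclass

# Destination ports worth a second look. 3389/445/139 are well known;
# 5050/tcp for Yahoo Messenger is an assumption for this example.
WATCHED_TCP_PORTS = {
    3389: "Remote Desktop (RDP)",
    445: "Windows file sharing (SMB)",
    139: "Windows file sharing (NetBIOS session)",
    5050: "Yahoo Messenger (cleartext chat)",
}
BULK_SMB_BYTES = 1_000_000  # assumed threshold for calling an SMB flow a file copy


@dataclass(frozen=True)
class Finding:
    kind: str
    src: str
    dst: str
    detail: str


# Constructed sample records (not a real capture). One dict per packet summary.
SAMPLE_RECORDS = [
    {"proto": "arp", "op": "request", "sender": "10.187.187.200", "target": "10.187.187.2"},
    {"proto": "arp", "op": "request", "sender": "10.187.187.200", "target": "10.187.187.2"},
    {"proto": "arp", "op": "request", "sender": "10.187.187.200", "target": "10.187.187.2"},
    {"proto": "arp", "op": "request", "sender": "10.187.187.50", "target": "10.187.187.1"},
    {"proto": "arp", "op": "reply", "sender": "10.187.187.1", "target": "10.187.187.50"},
    {"proto": "tcp", "src": "10.187.187.10", "dst": "10.187.187.200", "dport": 3389, "bytes": 48210},
    {"proto": "tcp", "src": "10.187.187.10", "dst": "10.187.187.20", "dport": 445, "bytes": 5_200_000},
    {"proto": "tcp", "src": "10.187.187.10", "dst": "198.51.100.7", "dport": 5050, "bytes": 900},
    {"proto": "tcp", "src": "10.187.187.10", "dst": "203.0.113.5", "dport": 443, "bytes": 12000},
]


def unanswered_arp(records, min_requests=3):
    """Return {(sender, target): request_count} for targets that never replied.

    A host that keeps ARPing for a gateway or DNS address no one answers is
    the misconfiguration pattern from Figure A: every request is a broadcast
    the rest of the segment has to process."""
    requests = Counter()
    answered = set()
    for r in records:
        if r.get("proto") != "arp":
            continue
        if r["op"] == "request":
            requests[(r["sender"], r["target"])] += 1
        elif r["op"] == "reply":
            # In a reply the sender is the address that was asked for and
            # the target is the host that asked, so flip the pair.
            answered.add((r["target"], r["sender"]))
    return {pair: n for pair, n in requests.items()
            if n >= min_requests and pair not in answered}


def watched_conversations(records):
    """One Finding per TCP record whose destination port is on the watch list.
    SMB flows above BULK_SMB_BYTES are labelled as a likely file copy."""
    findings = []
    for r in records:
        if r.get("proto") != "tcp":
            continue
        label = WATCHED_TCP_PORTS.get(r["dport"])
        if not label:
            continue
        detail = f"{r['bytes']} bytes to port {r['dport']}"
        if r["dport"] in (445, 139) and r["bytes"] >= BULK_SMB_BYTES:
            detail += ", bulk transfer (possible file copy)"
        findings.append(Finding(label, r["src"], r["dst"], detail))
    return findings


def analyze(records):
    """Combine both checks into one list of findings, ARP issues first."""
    findings = [Finding("Unanswered ARP for gateway/DNS", s, t, f"{n} requests, no reply")
                for (s, t), n in unanswered_arp(records).items()]
    findings.extend(watched_conversations(records))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"{f.kind:32} {f.src} -> {f.dst}  ({f.detail})")
```

On the constructed records this reports the .200 host's three unanswered requests for .2, the RDP session to .200, the SMB flow flagged as a bulk transfer, and the cleartext IM conversation, while the HTTPS flow on 443 is left alone. A real analyzer works from decoded packets rather than dicts, but the logic that turns a conversation list into "this host is misconfigured" or "this pair is copying files" is the same.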

How do you go about monitoring your traffic? Do you want to see more of the Capsa tool? There are a lot of filters, address tools, protocol awareness configuration, and other parts to the product. Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

20 comments
Jackiesolution

I have used Capsa for 3 years...excellent features in network troubleshooting, graphical interface and reasonable price impressed me deeply. Wireshark is good, but the command line is terrible, just use it for linux server.

dwhite10

I used Colasoft and found it inconsistent and unreliable 50% of the time. Angry IP was always my backup and since it was more accurate, I choose it over Colasoft.

nkhaghani8

Hello Rick, Can you explain the problem described in Figure A. How do you say it shows the Wrong configuration. Thanks. nkhaghani8@yahoo.com

saqgoku

This is an interesting network analyzer - Good comprehension.

joshi_at

wireshark. helped me out of troubles many times, since the time of ethereal

wbaltas

The items you mentioned have a lot to do with the intelligence built into the analyzer. Can you provide more details into the decodes that the analyzer offers and how often the decodes are updated, i.e. VoIP, Microsoft authentication, etc.? Also, how easy is it to see traffic levels between all hosts on a trace? Sniffer has a matrix tab which I find very useful, while wireshark is a little more complicated. How easy is it to define a filter on the fly? Once you get familiar with the syntax, wireshark is great, while sniffer is a little heavy on the labor side. Finally, when defining a filter, how deep into the packet can you go with Capsa? With sniffer, I can go to a particular byte anywhere in the packet if I choose. I have not figured out how to do this with wireshark. Thank you, Bill Baltas

vic

I've been using Capsa for years - it is (or at least was) the only one I could find that could give me an overview of the entire network rather than only detail of a single workstation. It's invaluable for troubleshooting zombie machines and smtp viruses.

Brett_H

Are you on a switched network? If so, where did you place the analyzer? Did you use a network tap or port mirroring? Sorry for the multiple questions, just trying to get a feel for the product. :)

kevinzhou

Thank you Jackie, for the recommendation :D

kevinzhou

Would you provide more details about this issue? Since you said unreliable 50% of the time?

b4real

And to tell 10.187.187.200, it is telling me that the .200 host is looking for the .2 host and is not successful.

Craig_B

I have used Ethereal/Wireshark for years and it has been great. Microsoft Network Monitor 3.3 is really nice and has some features that are better than Wireshark. Both are free!

b4real

The capture was on a VM, I will do more on bigger and better networks - I am gauging the interest level at this point for more material for the product. Additional functionality overviews will go into detail on switched, unmanaged, or other network configurations.

antonio.araujo

What happens if, on a switched network, I don't configure a mirror port on a Colasoft Capsa host?

csmith.kaze

But only one is "Free." :) I love Wireshark, and it has helped with some virus's (viri?) we have had in the past in tracking it down. Would be interesting to look into this Capsa (must have Linux client, though(and that is a no: http://www.colasoft.com/capsa/system.php))

al

Thanks for a good overview. Understanding the reported information seems to be easy enough with this product. Understanding how to get a switched network to report this information to the product is not clear. The days of the "hub" had one good(?) thing that we no longer have with switches - all information on the wire available to all ports... Sniffing was relatively easy back then. Just set the recording device to "promiscuous mode" and capture away. I'll look forward to finding out how to do this today.

kevinzhou

In this case, only local traffic can be captured and analyzed. Any communication related to the host which has Capsa installed can be analyzed, but it wouldn't be able to check other traffic in your network.

vic

I keep a couple old hubs around and swap one of them into the internet stream. Since most of what I'm concerned with sniffing is going to the internet, I get a good analysis of the overall network since everything passes through the hub. Also, since most internet traffic isn't going to stress even a 10mb hub for a short time (I can usually pinpoint the problem in less than 10 minutes of capture) it doesn't cause a speed issue that I've ever had any complaint about.