Colasoft Capsa 7 Enterprise User Manual

Contents

1. Creates filters using the specific node. See Creating Filters for details. Creates graphs using the specific node. See Creating Graphs for details. Creates alarms using the specific node. See Creating Alarms for details. Nodes: The Node Explorer window includes the name of the selected analysis profile, which is called the root node, and three node explorers: Protocol Explorer, Physical Explorer and IP Explorer. Each explorer includes many nodes. The Protocol Explorer groups the protocol nodes by protocol layer. The Physical Explorer and IP Explorer group the address nodes by node group. You can group local MAC addresses and local IP addresses. See Node Group for details. You can operate the nodes by keyboard: press the UP arrow to select the upper node, DOWN to select the lower node, LEFT to collapse the node and RIGHT to expand the node. In the Node Explorer window, both a single node and a node group can be called a node. Notes: (1) Protocols not identified by the program are displayed as Other. (2) For a wireless network adapter, some IP addresses will not be displayed due to encryption. Protocol icon: There are three types of icons in front of each protocol node. The red icon indicates there is data transmission in five seconds, the green icon indicates there is data transmission in thirty seconds, and the grey icon indicates there is no data transmission in t
2. [Screenshot: DNS Log list, Server IP column] The DNS Log includes the columns Date and Time, Client MAC, Client IP, Client Port, Server MAC, Server IP, Server Port, Query, Status and Summary. To show a column, right-click the column header and select the column. Email Log: The Email Log records information about the emails sent and received using the SMTP and POP3 protocols. Double-click any item of the email log list and the email will be opened. It appears as below. [Screenshot: Email Log list; column headers include Date and Time, Protocol, Sender Email Address] Copyright 2013 Colasoft LLC. All rights reserved.
3. Matrix view: The Matrix view dynamically shows the network traffic status in a graph. The graph consists of nodes and lines, the nodes representing the nodes on the network and the lines representing the conversations on the network. The number after the node represents the number of peer hosts. Move your mouse over a node, and the node and the lines connected with it will be highlighted in yellow and traffic statistical information about the node will be displayed. Move your mouse over a line, and the line and the two nodes connected by it will be highlighted in yellow and traffic statistical information about the conversation will be displayed. When there are too many nodes on the graph, you can drag a node to another position to view the traffic status clearly, and you can also hide unnecessary nodes. You can also select other types of matrix or create a new matrix through the left pane. See Matrix left pane for details. Toolbar: The following table lists the items on the toolbar. Select Matrix: Click the little triangle to choose a matrix type in the list. Simply click the button to hide or show the matrix left pane. Sets the font size of the nodes in the matrix graph. Sets the color for the items of the matrix graph. Refreshes the matrix graph or sets the display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, the display will update only when the Refresh button is clicked.
4. Step 4: Click OK on the Packet Filter dialog box, and click OK on the Packet Filter Settings dialog box. To create a filter based on a selected object, which could be an address node, a port number or a protocol, follow the steps below: (1) Select an object and click the icon on the toolbar, or right-click an object and select Make Filter, to open the Packet Filter dialog box. (2) Select a simple filter or an advanced filter and set the filter, including the filter name, filter description and filter rules. (3) Click OK on the Packet Filter dialog box, and click OK on the Packet Filter Settings dialog box. Note: After creating a filter, if you want to apply the filter, you should select the Accept or Reject checkbox to enable the filter. Simple filters: When creating a filter, you can choose to create a simple filter or an advanced filter. The Simple Filter tab appears as below. [Screenshot: Simple Filter tab, with Name, Description, Address Rule, Port Rule and Protocol Rule fields] The Simple Filter tab allows you to create simple filters by address, port and protocol. When multiple parameters are set, they are connected by logical AND statements. That is, packets must match all of the conditions to match the filter.
5. each packet and then forwards the packet to the correct port. With a shared environment, Colasoft Capsa can be installed on any host in the LAN. All network data transmitted through the hub will be captured, including the communication between any two hosts in the LAN. [Figure: Router, Colasoft Capsa Network Analyzer, Server A, Server B] Switched network (managed switches), port mirroring: A switch is a network device working on the Data Link Layer of OSI. A switch can learn the physical addresses and save these addresses in its ARP table. When a packet is sent to the switch, the switch will check the packet's destination address from its ARP table and then send the packet to the corresponding port. Generally, all three-layer switches and some two-layer switches have network management capability; the traffic going through other ports of the switch can be captured from the debugging port (mirror port / span port) on the core chip. To analyze the traffic going through all ports, Colasoft Capsa should be installed on this debugging port (mirror port / span port). [Figure: Internet, Router, Analysis Port, Colasoft Capsa Network Analyzer, Server A, Server B] Switched network (unmanaged switches): Some switches do not have the network management function, so there is no mirroring port either. You can either in this scenario use
6. [Screenshot: Capsa 7 main user interface, with callouts for the Node Explorer window, Status Bar, Statistical views and Online Resource] Menu Button: The Menu button is on the top left corner of a project window. Items on the menu button: The following table lists and describes the items on the menu button. (Ctrl+N) Creates a new analysis project. Imports or exports global configurations. See Global configurations for details. Import: Imports global configurations from a file. Export: Exports current configurations of the program to a file. Prints the current page or sets print configurations. Print: Prints the current window in a format appropriate to its type. Print Settings: Configures printer functions in the Print Setup dialog box. Print Preview: Previews the print page. Offers Internet information about Colasoft and network analysis. Colasoft Home Page: Opens the Colasoft home page. Tech Forum: Opens the technical forum, where you can get help and learn more skills on network analysis. Provides product information. Product License: Renews your license key. Register: Registers at the Colasoft official website to get timely
7. Network Tools: External Tools Parameter. 5. Click the Macro >> button to view the details. [Screenshot: External Tools Parameter] Colasoft Capsa lists the parameters IP Address, Physical Address, Port and Protocol in the window. You can add a parameter by selecting its name and clicking the Insert button. If the parameters are not listed, you can enter them into the upper window manually, such as -d, -h, -j and -w in the Tracert command. Parameters should be separated from each other by a blank space. 6. Choose the IP Address and click Insert, and then click OK to save the settings and go back to the External Tools Management dialog box. Now you can find the Tracert icon in the Tools tab of the Ribbon. Click it to open the tracert command. [Screenshot: Tools tab of the Ribbon, with Tool Settings, Ping, Packet Player, Packet Builder and MAC Scanner] Appendices: FAQ. Q: What can I do with Capsa? A: Network administrators: Diagnose network faults, detect PCs infected by viruses, monitor network traffic, analyze network protocols and detect network vulnerabilities. Company IT administrators: Monitor the overall network health and infrastructure health, and view the statistics and reports. Security managers: Monitor all network activities to detect any violations of the company security p
8. Check if the source host has a program performing a scan. End the monitor process. Use antivirus software to scan the host which performs the ARP scan. Close the scan application. Check if there is ARP spoofing on the host which sends a lot of ARP response packets. The Protocol view visually provides statistics of the network traffic on the basis of protocols. By default, protocols are displayed in an expanded hierarchical structure. Each protocol has its own color, so that you can easily find your target protocol in the list by color. You can click any column header to sort the list. The items on the protocol list change along with the selection in the Node Explorer window. When you select the root node, the Protocol Explorer node, the Physical Explorer node or the IP Explorer node, the Protocol view will present all protocols on the network and their statistical information. When you select a specific node in the Node Explorer window, the Protocol view will only present the protocols relating to the node and their statistical information. When you select a specific item on the protocol list, the lower pane tabs will provide detailed information about the item. See Protocol lower pane tabs for details. You can also double-click a protocol to view detailed packet information in the Packet window, which is named after the protocol and is just the same as the Packet view. See Packet view for more information. Toolbar: The following table lists
9. If you don't want to save email copies, just cancel the selection on this item. Log Output: When you need to automatically save the log records on the Log view, you can enable Log Output. Save log to disk: This function is enabled to automatically save the log records on the Log view. File Path: Specifies a folder to save the log files. Save as: The file format for storing the logs. Split file every: The rule for splitting the log file when the file size is too big. You can split files by time or file size. Save all files: Saves all log files. Save the latest: Saves the latest number of log files. Not all logs will be saved when this function is enabled. See Log Settings for more information. All logs are saved into different folders according to the log type. See Log Settings for more information. Security Analysis: This tab is only available when the analysis profile of Security Analysis is selected. It includes six types of malicious activities. Worm attack settings: The worm analysis detects suspicious worm activities, and the settings part appears as follows. Worm analysis provides related statistics and IP addresses of the hosts which may be attacked by a worm virus. Set the following fields to define the thresholds for worm recognition criteria. Suspicious Worm Activity (AND relationship): IP conversation > 50, Average packet length <
10. Node 2: The window size information of node 2. A window size of 0 indicates that Node 1 should stop transmitting. The information about sequence number, acknowledgement number and next sequence number of the packet sent by node 2. Relative Time. Summary. You can double-click the conversation selected on the TCP Conversation view to open the TCP Flow Analysis window to know the details of the conversation. TCP Flow Analysis window: To open the TCP Flow Analysis window, double-click any item in the conversation list on the TCP Conversation view, or right-click any item and select Packet TCP Flow Details. The TCP Flow Analysis window appears as below. [Screenshot: TCP Flow Analysis window for 192.168.5.250 <-> 192.168.0.183, with a Transaction Summary table whose columns are TCP Transaction, Packets, Bytes, Duration, Interval, Retransmission, Bitrate, TCP Turns and Summary]
11. Performance. Requested host or domain name cannot be found. DNS server returns an error other than an invalid name. The response time is equal to or higher than the threshold. Performance. A connection uses TCP port 25 to transmit non-SMTP data. An SMTP connection or request is rejected by an SMTP server after a TCP; Security. Network congestion. The route between client and DNS server is slow. The DNS server is overloaded. Poor DNS server performance. The IP address or domain name is invalid. The DNS server has an incomplete DNS table. Reverse DNS lookup is disabled. Query format error. Query failure. DNS server returns Not Implemented, Refused or Reserved. Network congestion. The connection between client and SMTP server is slow. The SMTP server is overloaded. Poor SMTP server performance. An application running on TCP port 25 produces non-SMTP traffic. The client program executes invalid commands. The client application configures an incorrect user name and password. SMTP server is overloaded. Check the application services running on the network. Use other DNS server addresses. Check the security and the working status of the DNS server. Upgrade the DNS server. Ensure the IP address or domain name is listed on the DNS table. Check that the IP address or domain name is typed correctly. Change the DNS server address. Check if the DNS query
12. Nodes: Shows the count of nodes in the matrix graph. The first number is the count of shown nodes, and the second number is the count of total nodes. Pop-up menu: Right-click a selected node on the matrix graph to get a pop-up menu with items as follows. Packet Details: Views the decoding information of the packets of the conversation in the Packet window, which is just the same as the Packet view. See Packet view for more information. Re-arrange Nodes: Rearranges the position of nodes. Hide: Hides the selected node, the selected node and its peer nodes, or other nodes. Resolve Address: Resolves the host name of the selected node, or of the selected node and its peer nodes. Make Filter: Makes a packet filter based on the selected node. See Creating Filters for details. Locate in Node Explorer: Locates the selected node in the Node Explorer window. Display All Hidden Nodes: Shows all user hidden nodes. Matrix left pane: The matrix left pane contains three sections as follows: Matrix type; User Hidden Nodes; Invisible Nodes. Matrix type: There are four types of matrix by default: Top 100 Physical Conversation; Top 100 Physical Node; Top 100 IPv4 Conversation; Top 100 IPv4 Node. You can edit the default matrixes or create a new matrix with the icons on the toolbar. Opens the Add Matrix dialog box to create a new matrix.
13. [Screenshot: Log view listing DNS queries and HTTP GET requests, with IP Endpoint, Protocol and Summary columns]
14. [Screenshot: Data Flow tab showing sample data flow content] You may get unreadable symbols because some data are encrypted in transmission. By default, the Data Flow tab presents the whole data flow between two nodes. You can distinguish the data of different nodes by color: blue is for data from node 1 to node 2, and green is for data from node 2 to node 1. Toolbar: The following table lists and describes the items on the toolbar. Chooses the flow direction for displaying the data flow. Bidirectional: Displays the whole data flow. Node 1 to Node 2: Only displays the data from node 1 to node 2. Node 2 to Node 1: Only displays the data from node 2 to node 1. Limits the display on the Data Flow tab to the first number of packets in the conversation. Saves the data flow as a txt file. Refreshes the data flow. If the interval is set to Manually Refresh, the display will update only when the Refresh button is clicked. The number of packets displayed in the flow. Pop-up menu: Right-click the conversation list on this view to get a pop-up menu with items as follows. Time Sequence tab: The Time Sequence tab provides a time sequence diagram of the TCP conversation selecte
15. 8062 Counterpoint Computers; 32869 (8065): Univ of Mass Amherst; 32870 (8066): Univ of Mass Amherst; 32871 (8067): Veeco Integrated Auto; 32872 (8068): General Dynamics; 32874 (806A): Autophon; 32876 (806C): ComDesign; 32878 (806E-8077): Landmark Graphics Corp; 32890 (807A): Matra; 32891 (807B): Dansk Data Elektronik; 32892 (807C): Merit Internodal; 32896 (8080): Vitalink TransLAN III; 32897 (8081-8083): Counterpoint Computers; 32923 (809B): Appletalk; 32924 (809C-809E): Datability; 32931 (80A3): Nixdorf Computers; 32932 (80A4-80B3): Siemens Gammasonics Inc; 32960 (80C0-80C3): DCA Data Exchange Cluster; 32964 (80C4): Banyan Systems; 32965 (80C5): Banyan Systems; 32966 (80C6): Pacer Software; 32967 (80C7): Applitek Corporation; 32973 (80CD-80CE): Harris Corporation; 32975 (80CF-80D2): Taylor Instrument; 32979 (80D3-80D4): Rosemount Corporation; 32981 (80D5): IBM SNA Service on Ether; 32990 (80DE-80DF): Integrated Solutions TRFS; 32992 (80E0-80E3): Allen Bradley; 32996 (80E4-80F0): Datability; 33010 (80F2): Retix; 33012 (80F4-80F5): Kinetics; 33015 (80F7): Apollo Computer; 33031 (8107-8109): Symbolics Private; 33072 (8130): Hayes Microcomputers; 33073 (8131): VG Laboratory Systems; 33074 (8132-8136): Bridge Communications; 33081 (8139-813D): KTI; 8148: Logicraft; 814A: Alpha Micro; 814D: BIIN; 814
16. Attack view: The ARP Attack view is only available when you are using the analysis profile of Security Analysis. The ARP attack analysis is able to detect ARP scanning, ARP spoofing and ARP request storm. All these ARP problems will be identified according to default setting values, and you can also customize these values to let the program find the problems more accurately. See ARP Attack settings for details. The ARP Attack view will not be available when you select any nodes on the Protocol Explorer and the IP Explorer, or IP address nodes on the Physical Explorer. This view lists all MAC addresses and the traffic information of the hosts which may be subject to ARP attack. You can double-click any item on the list to view detailed packet information in the Packet window, which is named after the node and is just the same as the Packet view. See Packet view for more information. Toolbar: The following table lists and describes the items on the toolbar of this view. Exports the current MAC address statistical list as a csv file. Shows or hides the lower pane. Makes a packet filter based on the selected node. See Creating Filters for details. Adds an alias to the Name Table for the selected node. See Name Table for details. Locates the selected node in the Node Explorer window. Refreshes the node list or sets the display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, the display will upda
17. Capsa 7 and all of its components from your machine, click YES to continue, or click NO to quit the uninstall. 2. If you want to delete the license information, click YES; or click NO to keep the license information on your machine and continue. You are recommended to click NO to keep the license information on your machine in case you want to install Colasoft Capsa on your computer again. 3. If you want to delete your customized aliases in the Name Table and filters in Colasoft Capsa, click YES; or click NO to keep them on your machine and continue. 4. To finish the uninstall, click YES to restart your machine. Product Activation: Colasoft Product Activation is an anti-piracy technology designed to verify that software products have been legitimately licensed. This aims to reduce a form of piracy known as casual copying. Activation also helps protect against hard drive cloning. Activation is quick, simple and unobtrusive, and it protects your privacy. Product Activation works by verifying that a software program's license key has not been used on more personal computers than intended by the software's license. You must use the license key and a serial number in order to install the software, and then it is transformed into an installa
18. Conversation columns: By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show the default columns, and choose More to open the Display Column dialog box to set which columns to show and to set the position, the alignment and the width of each column. See Conversation columns for details. Pop-up menu: Right-click the node list to get a pop-up menu with items as follows. Packet TCP Flow Details: Opens the TCP Flow Analysis window. See TCP Flow Analysis window for details. Copy: Copies the selection and the header row in original format to the clipboard. Copy Column: Copies the selected column in original format to the clipboard. Display Column: Shows or hides columns or changes the position of columns. This command is just the same as right-clicking the column header. Export Conversation Statistics: Exports the current statistical list as a csv file. Find: Calls out the Find dialog box to search only in the conversation list. Make Filter: Makes a packet filter based on the node of the selected conversation. See Creating Filters for details. Make Graph: Makes a graph in the Dashboard view on the basis of the node of the selected conversation. See Creating Graphs for details. Ping: Calls out the built-in Ping Tool to ping the node of the selected conversation. Select All: Selects all items in the conversation list. Refresh: Refreshes the conversation list. Lower pane tabs: When you select a specific item in the c
19. Contents (excerpt): Node Group; Name Table; Adding to Name Table; Address resolution; Alarm Settings; Alarm Notification; Email notification; Sound notification; Analysis Profile; Analysis Settings; Analysis Object; Diagnosis Settings; View Display; Packet Buffer; Packet Filter; Packet Output; Log Settings; Log Output; Security Analysis; Creating Filters; Simple filters; Advanced filters; Display Filter; Creating Alarms; Alarm Explorer window; Creating Graphs
20. [Screenshot: Address Resolver list, with Select All and Add to Name Table buttons] The Address Resolver contains four columns. Address: The address to be resolved. Name: The resolved name for the address. Status: The resolution status. Name Table Alias: The alias of the address on the name table. Add to Name Table: Adds selected items to the Name Table and removes them from the Address Resolver. To use the Address Resolver, right-click an IP address node and select Address Resolve. Only IP addresses can be resolved by the Address Resolver. Alarm Settings: The Alarm Settings tab manages all alarms available in a network profile and lists these alarms hierarchically according to alarm type. The buttons on the Alarm Settings tab are described as follows. Add: Creates a new alarm. See Creating Alarms for details. Delete: Deletes the selected alarm. Properties: Views or modifies the properties of the selected alarm. Import: Loads the alarm settings from a csalam file. Export: Saves the alarm settings as a csalam file. Enable all: Enables all the alarms in the list. Disable all: Disables all the alarms in the list. Invert: Inverts the selection on the alarms in the list. Save alarm logs: Saves triggered alarm records as a txt file. Enable this option and click to specify the path and
21. [Screenshot: TCP flow statistics pane] The left pane provides statistical items listed as below. Transaction Time Summary: Includes Start Time, End Time, TCP Flow Duration, Three-way Handshake Time, Connection Close Time, Server Data Transfer Time, Server Response Time and Client Idle Time. Data Flow Summary: Includes Sum of Packets, Packets at Client Side, Packets at Server Side, Sum of Bytes, Bytes at Client Side and Bytes at Server Side. TCP Summary: Includes TCP Connections, Successful TCP Connections, Packets per Second at Client Side, Packets per Second at Server Side, Bytes per Second at Client Side, Bytes per Second at Server Side, Sum of Client Retransmissions, Sum of Server Retransmissions, Lost TCP Segments at Client Side, Lost TCP Segments at Server Side, Max Ack Time, Min Ack Time, Average Ack Time at Client Side and Average Ack Time at Server Side. TCP Transaction Summary: Includes Sum of Transactions, Transaction Processing Time, Average Transaction Processing Time, Max Transaction Processing Time and Min Transaction Processing Time. The right pane presents a pie chart of global TCP flow statistics, including six items on the pie chart (Three-way Handshake Time, Server Response Time, Client Idle Time, Server Transfer Time, Client Transfer Time and Connection Completion Time) and visually showing
22. and you can also create new analysis profiles. See Analysis Profile for details. 5. Click the Start button on the bottom right to start an analysis project. The Packet Files section appears as below. [Screenshot: Packet Files list with Name, Size, Format, Date Modified and Path columns] Add: Adds the files to be replayed. When multiple packet files are replayed simultaneously, packets will be replayed according to time stamps instead of file listing order in the packet file list. Remove: Removes the selected packet file from the list. Clear All: Empties the packet file list. Replay Speed: The speed to replay the packets, including: Quick: Packets will be replayed by ignoring the time intervals. Capsa replays packets with Quick speed by default. Normal: Packets will be replayed at capturing speed, which is slow. Main User Interface: After starting an analysis project, whether real-time capturing or replaying packets, Capsa enters the main user interface, in which you can still start a new analysis project and set the network profile and analysis profile, and which shows you all statistics and the root of network problems. All functions provided at the Start Page can be realized on the mai
23. can specify the protocol name, the alias and the port number for the protocol. You can add up to forty protocols. The Add Protocol dialog box appears as below. [Screenshot: Add Protocol dialog box with Protocol Name, Alias and Port Number fields] Task Scheduler: To capture network packets of a specific period of time, you can utilize the function of scheduling a project, which makes the program run a new project to capture packets at the specified time. To schedule a project: 1. Click the menu button, click Options, and then click the Task Scheduler tab. 2. Click Add, and then type the name of the project, set the frequency for running the project, and select the appropriate analysis profile, network profile and network adapter. 3. Click OK to close the Schedule Project dialog box. The Task Scheduler tab provides a list of all scheduled projects you created and five buttons. The list contains Name, which means the name of the project; Create Time, which indicates the time when the scheduled project was created; Schedule, which shows the times that the scheduled project runs; and Start Time, showing the specific time to run the scheduled project. The five buttons on the right include: Add: Schedules a new analysis project. Edit: Edits the selected projec
24. click Browse to choose another installation location. The space requirement is displayed at the bottom of the dialog box; make sure you have enough space for the installation. Click Next to continue.
Select Start Menu Folder screen: Click the Browse button to designate an alternate start menu folder. Click Next to continue.
6. Select Additional Tasks screen: Create a Desktop Icon and Create a Quick Icon are checked by default. Uncheck any checkbox if you do not want to create the icon. Click Next to continue.
7. Now you are ready to install Colasoft Capsa on your machine. Click Install to start installation, or click Back to change your settings.
8. When installation is complete, the completing screen appears. Click Finish to close the setup wizard. Colasoft Capsa will be started if you checked Launch Program. If you did not change the default Create a Desktop Icon and Create a Quick Icon check boxes, you will see an icon on the desktop and one in Quick Start.
Uninstall
To open the Colasoft Capsa Uninstall dialog box, do one of the following:
• Choose Start > All Programs > Colasoft Capsa 7 Enterprise > Uninstall Colasoft Capsa 7 Enterprise.
• Open the Control Panel > double-click the Add/Remove Programs icon; the Add/Remove Programs window appears > find Colasoft Capsa 7 in the list and click Remove.
The Uninstall dialog box appears. Follow these steps to uninstall Colasoft Capsa:
1. If you want to completely remove Colasoft
25. customer services and product Product information
• Check Update: Checks new versions.
• About: Opens the About dialog box, where you can find the version, copyright and license information of the product.
• Close: Closes the current analysis project and goes back to the Start Page.
• Recent Files: A list of recently opened packet files, so that you can conveniently select a file to open.
• Options: Configures some settings for the analysis project. See System Options for details.
• Exit: Exits the program.
Configurations Backup Resource
Quick Access Icons
After starting an analysis project, there are three quick access icons beside the Menu button:
• Creates a new analysis project.
• Calls out Task Scheduler to add a new task. See Task Scheduler for details.
• Closes the current project and goes back to the Start Page.
Saves packets in the buffer to disk. You can save packets in twelve formats, including Colasoft Packet File (cscpkt), Colasoft Raw Packet File (rawpkt), Colasoft Raw Packet File v2 (rawpkt), Accellent 5Views Packet File (5vw), EtherPeek Packet File V9 (pkt), HP Unix Nettl Packet File (TRC0, TRC1), libpcap (Wireshark, Ethereal, Tcpdump, etc.) (cap, pcap), Microsoft Network Monitor 1.x 2.x (cap), Novell LANalyzer (tr1), NetXRay 2.0 and Windows Sniffer (cap), Sun_Snoop (Snoop) and Visual Network Traffic Capture (cap).
Ribbon
The Ribbon section includes four tabs as follows:
• Analysis: Configures setting
26. e and 3 is set by default. The second setting value is an integer between 1 and 100, and 20 is set by default.
4. It is supposed to be DoS Attacked when the ratio of received packets to sent packets is greater than its setting value and the received packets per second is greater than its setting value. The first setting value is an integer between 1 and 5, and 3 is set by default. The second setting value is an integer between 50 and 1000, and 500 is set by default.
Default: Resets the settings of that type of security analysis to default.
Creating Filters
Filters are used to separate particular packets. If no filter is enabled, Capsa captures and analyzes all the packets transmitted over the adapter. Once a filter is created, you can apply it to any analysis project. To create a filter, follow the steps below:
1. Click the filter icon on the Analysis tab of the Ribbon section to open the Packet Filter Settings dialog box. See Packet Filter for details. You can also click the filter icon (Inactive) on the Status Bar to open the Packet Filter Settings dialog box.
2. Click on the Packet Filter Settings dialog box to open the Packet Filter dialog box.
3. Select a simple filter or an advanced filter and set the filter, including the filter name, filter description and filter rules. See Simple filter and Advanced filter for details
27. [Table of contents, continued]
Connect a hub with the line to be monitored
Monitoring a network segment
Proxy server
Port mirroring
System requirements
  Minimum requirements
  Recommended requirements
  Supported Windows operating systems
  Wireless adapters
Installation and Uninstall
  Before installation
  Installation
  Uninstall
Product Activation
  Activation guide
Getting Started
  Start Page
  Starting a capture
  Capturing with wireless network adapters
  Replaying captured packets
Main User Interface
  Menu Button
  Ribbon
  Analysis tab
  System tab
28. [Table of contents, continued]
Graph types
Creating Reports
  Report items
Log Types
  Global Log
  DNS Log
  Email Log
  FTP Log
  HTTP Log
  ICQ Log
  MSN Log
  YAHOO Log
Configurations in Capsa
  Global configurations
System Options
  Basic Settings
  Decoder Settings
  Protocol Settings
  Task Scheduler
  Report Settings
  Display Format
Network Tools
  Tool Settings
Appendices
  FAQ
  Ethernet Type Codes
  HTTP Status Codes
29. for details.
  o The IP Endpoint tab lists all IP address nodes and their traffic information about the protocol selected on the Protocol view. The toolbar and columns are the same as those on the IP Endpoint view. See IP Endpoint for details.
  o You can double-click any item on the node list to view detailed packet information in the Packet window, which is named with the protocol and the node name and is the same as the Packet view. See Packet view for more information.
• When you choose any node except MAC address and IP address nodes on the Physical Explorer, the lower pane includes the Physical Endpoint tab and the Physical Conversation tab.
  o The Physical Conversation tab lists all MAC address conversations about the protocol selected on the Protocol view. The toolbar and columns are the same as those on the Physical Conversation view. See Physical Conversation for details.
  o You can double-click any item in the conversation list to view detailed packet information in the Packet window, which is named with the protocol and the conversation and is the same as the Packet view. See Packet view for more information.
• When you choose MAC address nodes on the Physical Explorer, the lower pane includes the Physical Conversation tab and the IP Conversation tab.
  o The IP Conversation tab lists all IP address conversations using the protocol selected on the Protocol view. The toolbar and columns are the same as those on the IP Conversation view. See IP Conve
30. in large traffic network. Whether in a 100M or a 1000M network, Colasoft Capsa provides you with an efficient and complete network analysis solution.
Capsa Enterprise has just adopted support for wireless networks, which enables you to capture, monitor and analyze traffic from any 802.11a, 802.11b, 802.11g or 802.11n wireless network. Conforming to the latest Network Driver Interface Specification (NDIS 6.0) library, Capsa Enterprise will run on almost all popular wireless cards in the market, which means almost every wireless card working under Windows Vista and Windows 7 will work with Capsa Enterprise.
With the help of Capsa Enterprise, you can easily accomplish the following tasks:
• Network traffic analysis
• Network communication monitoring
• Network problems diagnosis
• Network security analysis
• Network performance detecting
• Network protocol analysis
Capsa Enterprise analyzes your wired and wireless networks from the lowest level all the way up to the application level, so that it finds all the problems of your network. Colasoft Capsa 7 Enterprise, in cooperation with other network management tools, will maximize your network value.
Deployment
Note that the following parts are only for wired networks. If you just need to analyze wireless networks, you can skip this chapter.
Installation environment
Colasoft Capsa is prof
31. in the list. Choose Default to show default columns, and choose More to open the Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Endpoint columns for details.
Pop-up menu
Right-click the node list to get a pop-up menu with items as follows:
• Packet Details: Views the decoding information of the packets of the node in the Packet window, which is the same as the Packet view. See Packet view for more information.
• Copy: Copies the selection and the header row in original format to the clipboard.
• Copy Column: Copies the selected column in original format to the clipboard.
• Display Column: Shows or hides columns or changes the position of columns. This command is the same as right-clicking the column header.
• Export Node Statistics: Saves the current list of the node statistics as a csv file.
• Add to Name Table: Adds an alias to the Name Table for the IP address or MAC address of the selected item. See Name Table for details.
• Resolve Address: Only available when an IP address node is selected. Resolves the host name of the selected node.
• Locate in Node Explorer: Locates the selected node in the Node Explorer window.
• Only available when right-clicking an IP address node: calls out the built-in Ping Tool to ping the selected node.
• Select All: Selects all items in the node list.
• Refresh: Refreshes the node list.
Worm lower pane
When you select a specific item in the nod
32. is correct. Change DNS server address. Check the application services running on the network. Update the configurations of route. Check the security and the working status of SMTP server. Upgrade SMTP server. Check the applications that are using port 25. Check the traffic content of source port and destination port. Ensure the client executes correct commands. Check user name and password on the client application. Look for attempted spam.
connection has already been established | Incorrect configurations of SMTP server software | Check the configurations of SMTP server software
POP3 Server Slow Response | POP3 server response time is equal to or higher than the threshold | Network congestion; The connection between client and POP3 server is slow; The POP3 server is overloaded; Poor POP3 server performance | Check the application services running on the network; Update the configurations of route; Check the security and the working status of POP3 server; Upgrade POP3 server
Suspicious POP3 Conversation | A connection uses TCP port 110 to transmit non-POP3 traffic | An application running on TCP port 110 produces non-POP3 traffic | Check the applications using port 110; Check the traffic content of source port and destination port
A POP3 connection or request is rejected | The client executes invalid commands | Ensure the client executes correct commands
33. is filter flow chart, which shows all selected filter items on the filter list, including Accept ones and Reject ones. It refreshes upon any changes to the filters. You can double-click a filter on the flow chart to edit it.
Buttons
There are six buttons for setting packet filters:
• Creates a new filter.
• Edits the selected filter.
• Deletes the selected filter.
• Imports saved filter files to the current filter list. When a filter file is imported, all the filters in the current list are replaced.
• Saves all filters in the current filter list to disk.
• Resets the filter to default.
For how to create a packet filter, read Creating Filters for details.
Packet Output
When you need to automatically save all packets on the Packet view, you can enable Packet Output.
Save Packets to disk: This function is enabled to automatically save all packets as a rawpkt file.
• Limit each packet to: Limits the size of each single packet. When this function is enabled, the Packet view will only decode the packet of the specified size. It is recommended that you disable this function when you want to view the detailed decoding information of the packets.
• Single file: All packets are saved as one file.
• Multiple files: Packets are saved as multiple files, split by time or size. To reduce the total size, you may choose to keep only the latest files.
• Save into folder: The path to store the multiple packet files.
• Prefix name: The
34. is named with the conversation and is the same as the Packet view. See Packet view for more information.
When an IP address node under a MAC address node is selected on the Physical Endpoint view, the lower pane provides the IP Conversation tab, the TCP Conversation tab and the UDP Conversation tab.
• The IP Conversation tab lists all IP address conversations of the node selected on the Physical Endpoint view. The toolbar and columns are the same as those on the IP Conversation view. See IP Conversation for details.
• The TCP Conversation tab lists the conversations using TCP protocol of the node selected on the Physical Endpoint view. The toolbar and columns are the same as those on the TCP Conversation view. See TCP Conversation for details.
• The UDP Conversation tab lists the conversations using UDP protocol of the node selected on the Physical Endpoint view. The toolbar and columns are the same as those on the UDP Conversation view. See UDP Conversation for details.
  o You can double-click any item in the conversation lists to view detailed packet information in the Packet window, which is named with the conversation and is the same as the Packet view. See Packet view for more information.
Endpoint columns
The following table lists and describes the columns for endpoint views, including Physical Endpoint view, IP E
35. its IP address or by the alias for the IP address if it exists in the Name Table (the Source IP Address column).
• Source MAC Address: The source MAC address for the packet. The node is identified by its MAC address or by the alias for the MAC address if it exists in the Name Table.
• Destination IP Address: The destination IP address for the packet. The node is identified by its IP address or by the alias for the IP address if it exists in the Name Table.
• Destination MAC Address: The destination MAC address for the packet. The node is identified by its MAC address or by the alias for the MAC address if it exists in the Name Table.
• Source Port: The source port for the packet.
• Destination Port: The destination port for the packet.
You can double-click an item to view detailed packet information in the Packet window. You can also right-click an item and select Display Packet in New Window. The window is named with a prefix that is the same as the Event Description and a postfix of Data Stream of Diagnosis Information, and the window is the same as the Packet view. See Packet view for more information.
Application layer events
Capsa can diagnose application layer events as below: DNS Server Slow Response, DNS Non-existent Host or Domain, DNS Server Returned Error, SMTP Server Slow Response, Suspicious SMTP Conversation, SMTP Server Returned Error.
The response time from the DNS server is equal to or higher than the threshold
36. may be attacked by DoS.
[Screenshot: DoS Attacked settings dialog with four threshold conditions in an OR relationship]
• DoS Attacked: Enables DoS attacked analysis; otherwise there will be no item to show on the DoS Attacked view. OR Relationship means that the DoS attacked activity is defined when one of the four conditions below is met.
1. It is supposed to be DoS Attacked when the received TCP SYN packets per second is greater than its setting value and the average packet length is less than its setting value. The first setting value is an integer between 5 and 500, and 50 is set by default. The second setting value is an integer between 64 and 1518, and 128 is set by default.
2. It is supposed to be DoS Attacked when the received TCP SYN packets per second is greater than its setting value. The setting value is an integer between 5 and 1000, and 500 is set by default.
3. It is supposed to be DoS Attacked when the ratio of received packets to sent packets is greater than its setting value and the received bytes per second is greater than its setting value. The first setting value is an integer between 1 and 5
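The four OR-ed DoS Attacked conditions can be evaluated over per-host counters as in the following added example, which is not part of the manual and not Colasoft's code. The `HostStats` model, the sample hosts, the reading of "average packet length" as an average over received packets, and the unit of the condition 3 rate (taken here as megabytes per second, with its defaults taken from the fragment that precedes condition 4) are assumptions.

```python
from dataclasses import dataclass
from math import inf

# (min, max, default) for each setting value, as listed in the manual.
LIMITS = {
    "c1_syn_pps": (5, 500, 50),     # condition 1: received TCP SYN packets/s
    "c1_avg_len": (64, 1518, 128),  # condition 1: average packet length
    "c2_syn_pps": (5, 1000, 500),   # condition 2: received TCP SYN packets/s
    "c3_ratio":   (1, 5, 3),        # condition 3: received/sent packets ratio
    "c3_rx_rate": (1, 100, 20),     # condition 3: received bytes/s (unit assumed)
    "c4_ratio":   (1, 5, 3),        # condition 4: received/sent packets ratio
    "c4_rx_pps":  (50, 1000, 500),  # condition 4: received packets/s
}

# Assumption: the excerpt does not state the unit of the condition 3 rate
# setting; this example treats it as megabytes per second.
RATE_UNIT_BYTES = 1_000_000


@dataclass
class HostStats:
    """Counters for one host over one interval (hypothetical input model)."""
    host: str
    seconds: float
    rx_packets: int
    tx_packets: int
    rx_bytes: int
    rx_syn: int


def make_settings(**overrides):
    """Return the default thresholds, with range-checked integer overrides."""
    settings = {name: limits[2] for name, limits in LIMITS.items()}
    for name, value in overrides.items():
        low, high, _ = LIMITS[name]  # KeyError for an unknown setting name
        if not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{name} must be an integer in {low}..{high}")
        settings[name] = value
    return settings


def dos_attacked(stats, settings=None):
    """Return the numbers (1-4) of the conditions that the host meets.

    The conditions are OR-ed: a non-empty list means "DoS Attacked".
    """
    s = settings or make_settings()
    if stats.seconds <= 0:
        raise ValueError("interval must be positive")
    syn_pps = stats.rx_syn / stats.seconds
    rx_pps = stats.rx_packets / stats.seconds
    rx_rate = stats.rx_bytes / stats.seconds / RATE_UNIT_BYTES
    # Assumption: the average packet length is taken over received packets.
    avg_len = stats.rx_bytes / stats.rx_packets if stats.rx_packets else inf
    # A host that receives traffic but sends nothing has an unbounded ratio.
    if stats.tx_packets:
        ratio = stats.rx_packets / stats.tx_packets
    else:
        ratio = inf if stats.rx_packets else 0.0

    met = []
    if syn_pps > s["c1_syn_pps"] and avg_len < s["c1_avg_len"]:
        met.append(1)
    if syn_pps > s["c2_syn_pps"]:
        met.append(2)
    if ratio > s["c3_ratio"] and rx_rate > s["c3_rx_rate"]:
        met.append(3)
    if ratio > s["c4_ratio"] and rx_pps > s["c4_rx_pps"]:
        met.append(4)
    return met


# Constructed 10-second samples, not taken from a real capture.
SAMPLES = [
    HostStats("syn-flood-target", 10, 8000, 100, 8000 * 64, 7800),
    HostStats("bulk-flood-target", 10, 200000, 1000, 200000 * 1500, 0),
    HostStats("slow-syn-target", 10, 700, 600, 700 * 70, 600),
    HostStats("normal-download", 10, 9000, 4500, 9000 * 1400, 2),
]


def report(samples=SAMPLES, settings=None):
    """Map each host name to the list of conditions it meets."""
    return {st.host: dos_attacked(st, settings) for st in samples}


if __name__ == "__main__":
    for host, met in report().items():
        print(host, "DoS Attacked" if met else "ok", met)
```

The "slow-syn-target" sample meets only condition 1, which shows why the manual keeps a low SYN threshold paired with a packet-length test next to the plain 500 SYN/s rule.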
37. measure: By default, the program displays packet sizes and the traffic in an appropriate byte unit, such as B, KB, MB, GB or TB. Which unit is selected depends on how large each packet or the current traffic is.
• Bit measure: By default, the program displays packet sizes and the traffic in an appropriate bit unit, such as b, kb, Mb, Gb or Tb. Which unit is selected depends on how large each packet or the current traffic is.
• Byte/second measure: The measure of bytes per second. It could be Bps, KBps, MBps, GBps and TBps, which mean bytes per second, kilobytes per second, megabytes per second, gigabytes per second and terabytes per second respectively.
• Bit/second measure: The measure of bits per second. It could be bps, Kbps, Mbps, Gbps and Tbps, which mean bits per second, kilobits per second, megabits per second, gigabits per second and terabits per second respectively.
• Default: Resets all the settings on this tab to default.
Network Tools
For your convenience in network management, Capsa provides four network tools on the Tools tab, which appears as follows:
[Screenshot: Tools tab with Tool Settings, Ping, Packet Player and Packet Builder]
• Tool Settings: Opens the External Tools Management dialog
38. not identical to the value of IP checksum field in the received packet.
The IP Time To Live (TTL) is equal to or less than the threshold, indicating that the packet can only traverse that many routers before it is discarded.
A host detects that another device is trying to use its IP address and notifies the device by ARP information.
A router is reporting to the source host unreachable messages except network unreachable, host unreachable and
• The ACK packet is lost or damaged during transmission.
• A router between the sending host and the receiving host is overloaded.
• TCP segment is lost due to network congestion.
• Packets are lost due to other network problems.
• The other side of TCP connection is unresponsive.
• There is DOS or DDOS attack.
• The source host is sending faulty TCP packets.
• A local host infects worm to automatically scan TCP ports.
• Scan software scans TCP ports.
• The packet is damaged during transmission.
• Calculating IP checksum may be disabled if IP checksum of all packets is wrong.
• The source stack does not calculate IP checksum.
• Network loop.
• The originating IP host transmitted the packet with a low TTL.
• A device tries to use an IP address which has been used.
• The transport protocol used by source host is unavailable on the destination host or on the router.
• Segmenting is disabled on the rou
39. prefix of the file name. Click the button to view an example.
• Split file every: The rule for splitting the packet file when the file size is too big. You can split files by time or file size.
• Save all files: Saves all split packet files.
• Save the latest: Saves the latest number of split files.
Log Settings
Capsa can analyze and log the application layer traffic, e.g. DNS, HTTP, Email and FTP traffic, and also monitors MSN and Yahoo Messenger chat messages. This tab allows you to configure log settings to get more useful logs of this traffic and save the logs to disk. This page contains two parts:
• Log Settings: To specify which types of log are displayed on the Log view and to set the display buffer for each type of log. You can click the number to change the value. The maximum value of each log buffer is 16MB. Diagnosis Log is selected to display the detailed information of diagnosis events on the Diagnosis Events pane of the Diagnosis view; otherwise there will be no item on the Diagnosis Events pane.
• Output Settings: To specify which types of log are saved when the Log Output function is enabled. The column Folder shows the folder name for saving the logs of the type, and the column File Prefix shows the prefix of the log file name. The Email Copy is for saving copies of monitored emails on your network
40. the toolbar of this tab, described as below:
• Reverses the transaction list to reverse between requests and responses.
• Saves the packets of the selected transaction in the transaction list. You can save packets in any format selected from the Save as type drop-down list box.
• TCP Transaction Count: Shows the number of the transactions.
Transaction List columns
The following table lists and describes the columns of the Transaction List:
• TCP Transaction: Lists the name of a transaction, including Three-way Handshake, Request count, Response count and Closed.
• Source: The source of the transaction, including IP address and port number.
• Destination: The destination of the transaction, including IP address and port number.
• Packets: The number of packets for the transaction.
• Bytes: Total bytes of load length, which is the size of the data portion of the TCP segment.
• Duration: Duration of the transaction.
• Interval: The interval between two adjacent transactions.
• Retransmission: The retransmission times for the transaction.
• Bitrate: The bitrate of the transaction. Only available when the packet number is greater than or equal to 10.
• TCP Turns: The times of TCP turns. TCP turn means the number of paired ACKnowledgement packet and packet with data portion, plus 1 when there is a packet with data portion at the tail of a transaction. TCP turn will b
41. type of statistics will not display in the analysis profiles of Email Analysis, FTP Analysis and HTTP Analysis.
• Email Analysis (SMTP Connections, POP3 Connections): List the number of SMTP and POP3 connections. This type of statistics will not display in the analysis profiles of DNS Analysis, FTP Analysis and HTTP Analysis.
• FTP Analysis: List the number of FTP upload and download. This type of statistics will not display in the analysis profiles of DNS Analysis, Email Analysis and HTTP Analysis.
• HTTP Analysis (HTTP Request Sent, HTTP Request Received, HTTP Connections): List the number of HTTP application. This type of statistics will not display in the analysis profiles of DNS Analysis, Email Analysis and FTP Analysis.
• Security Analysis (Worm, DoS Attacking, DoS Attacked, Suspect Conversation, TCP Port Scan, ARP Attack): in the analysis profile of Security Analysis.
• Protocol Conversation: List the number of four types of conversation.
Diagnosis view
The Diagnosis view presents the real-time network events of the entire network down to a specific node by analyzing captured packets. The network events were defined by Capsa according to a large amount of network data and can be defined by users through the diagnosis settings. See Diagnosis settings for details.
The Diagnosis view contains three panes:
• Diagnosis Item
• Diagnosis Address
• Diagnosis Events
To change the size of the panes, move the mouse pointer
42. well but it will not capture packets.
3. One analysis project only captures traffic data from one wireless network adapter. If you have multiple wireless network adapters on your machine, you should create new analysis projects, one wireless network adapter for one analysis project.
AP Status section
Once a wireless network adapter is selected, all detected APs are listed on the AP Status section immediately, with AP name, signal intensity, encryption keys, media type, AP channel and MAC address. This section appears as follows:
[Screenshot: AP Status list with the columns Name, Signal, Encryption Key, Media, Channel and MAC]
To refresh the AP list, right-click and choose Refresh. To edit the properties of an AP, double-click the AP, or right-click the AP and choose Properties, to open a Wireless Network Properties dialog box, which is used to configure the settings of an AP, including alias and encryption keys. You can give the AP an alias so that it is easily identified. Capsa can identify t
43. [Screenshot residue: Global Log entries, including HTTP GET requests]
The Global Log includes columns Date and Time, Source MAC, Source IP, Destination MAC, Destination IP, Protocol and Summary. To show a column, right-click the column header and select the column.
DNS Log
The DNS Log records DNS query application. It appears as below:
[Screenshot: DNS Log list with Date and Time, Client IP and Client Port columns]
44. 0 and 20 is set by default.
  o Request Times: The times of ARP Request. If the number of times is greater than the setting value in the sampling duration, it is supposed that there is an ARP request storm attack on the network. The value is an integer between 1 and 10,000, and 10 is set by default.
• ARP Scanning: Enables ARP scanning analysis. Click Settings to locate the ARP Scanning diagnosis event on the Diagnosis Settings tab. There are two main parameters for this event:
  o Scan sampling duration: The sampling time, in seconds. The value is an integer between 15 and 180, and 60 is set by default.
  o No response packet percentage: The percentage of no-response packets. If the percentage is greater than the setting value in the scan sampling duration, it is supposed that there is an ARP scanning attack on the network. The value is an integer between 1 and 100, and 20 is set by default.
• Excessed active ARP response: Enables excessed active ARP response analysis. Click Settings to locate the ARP Too Many Active Response diagnosis event on the Diagnosis Settings tab. There are two main parameters for this event:
  o Unit Time: The sampling time, in seconds. The value is an integer between 30 and 3,600, and 60 is set by default.
  o Number of Sent Response: The number of sent responses. If the number is greater than the setting value in the unit time, it is supposed that there is excessed active ARP response on the network. The value is
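The ARP Scanning rule above (no-response percentage greater than 20 within a 60-second scan sampling duration) can be reproduced over a list of ARP events as in the following added example, which is not part of the manual and not Colasoft's code. The event tuple layout, the 2-second reply timeout, the `min_requests` knob, the fixed (non-sliding) windows and the sample addresses are assumptions.

```python
import bisect
from collections import defaultdict

SCAN_SAMPLING_SECONDS = 60  # manual: integer between 15 and 180, default 60
NO_RESPONSE_PERCENT = 20    # manual: integer between 1 and 100, default 20


def arp_scan_findings(events, window=SCAN_SAMPLING_SECONDS,
                      pct=NO_RESPONSE_PERCENT, reply_timeout=2.0,
                      min_requests=1):
    """Flag senders whose unanswered ARP requests exceed pct in a window.

    events: list of (timestamp, op, sender_ip, target_ip) tuples, where op
    is "request" or "reply" (hypothetical layout, not a Capsa log format).
    Returns (sender, window_start, requests, unanswered, percent) tuples.
    """
    # Index reply times by (replier, requester) for a fast lookup.
    replies = defaultdict(list)
    for ts, op, sender, target in events:
        if op == "reply":
            replies[(sender, target)].append(ts)
    for times in replies.values():
        times.sort()

    # (requester, window_start) -> [requests, unanswered]
    buckets = defaultdict(lambda: [0, 0])
    for ts, op, sender, target in events:
        if op != "request":
            continue
        # Answered if the target replied to this sender within the timeout,
        # even when the reply falls into the next sampling window.
        times = replies.get((target, sender), [])
        i = bisect.bisect_left(times, ts)
        answered = i < len(times) and times[i] <= ts + reply_timeout
        key = (sender, int(ts // window) * window)
        buckets[key][0] += 1
        if not answered:
            buckets[key][1] += 1

    findings = []
    for (sender, start), (total, unanswered) in sorted(buckets.items()):
        percent = 100.0 * unanswered / total
        # The manual's rule is "greater than", so exactly pct is not flagged.
        if total >= min_requests and percent > pct:
            findings.append((sender, start, total, unanswered,
                             round(percent, 1)))
    return findings


def sample_events():
    """Constructed ARP traffic on 192.0.2.0/24 (documentation range)."""
    ev = []
    # Scanner: 20 requests to consecutive addresses, only two of them answer.
    for i in range(20):
        ev.append((float(i), "request", "192.0.2.50", f"192.0.2.{100 + i}"))
    ev.append((0.1, "reply", "192.0.2.100", "192.0.2.50"))
    ev.append((1.1, "reply", "192.0.2.101", "192.0.2.50"))
    # Normal host: five gateway lookups, all answered.
    for i in range(5):
        t = 10.0 * i
        ev.append((t, "request", "192.0.2.10", "192.0.2.1"))
        ev.append((t + 0.05, "reply", "192.0.2.1", "192.0.2.10"))
    # Boundary host: one of five lookups unanswered, exactly 20 percent.
    for i in range(5):
        t = 10.0 * i + 3
        ev.append((t, "request", "192.0.2.11", "192.0.2.1"))
        if i != 4:
            ev.append((t + 0.05, "reply", "192.0.2.1", "192.0.2.11"))
    return sorted(ev)


if __name__ == "__main__":
    for finding in arp_scan_findings(sample_events()):
        print(finding)
```

With the manual's rule as written, a host that sends a single unanswered request in a window scores 100 percent; raising `min_requests` is one way to suppress that case when tuning.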
45. [Screenshot: TCP Flow Analysis window showing a transaction sequence diagram with relative times, TCP flags (ACK, PSH, FIN), sequence and acknowledgement numbers, and load lengths]
The TCP Flow Analysis window provides detailed transaction information, packet information and data flow information of the conversation selected on the TCP Conversation view, including two views:
• Transaction List
• Transaction Summary
Transaction List
The Transaction List view includes an upper pane, which provides transaction list information about the conversation selected on the TCP Conversation view, and a lower pane, which contains the Transaction Sequence Diagram tab and the Data Flow tab.
Transaction List toolbar
There are only three items on
46. [Screenshot residue: HTTP Log entries]
The HTTP Log includes columns Date and Time, Client MAC, Client IP, Client Port, Server MAC, Server IP, Server Port, Client Serv
47. [Screenshot: Email Log list, continued.]

The Email Log includes columns No., Date and Time, Protocol, Client MAC, Client IP, Client Port, Server MAC, Server IP, Server Port, Server, Client, Sender, Sender Email Address, Recipient, Recipient Email Address, Cc, Subject, Send Time, Client Software, Account, Attachment, File Size (Byte), Duration (s), Average Speed (Bps) and Path for Email Copy. To show a column, right-click the column header and select the column.

FTP Log

The FTP Log records the uploading and downloading from FTP server. It appears as below:

[Screenshot: FTP Log list with columns including Date and Time, Client Port and Transmission.]
48. The FTP Log includes columns Date and Time, Client MAC, Client IP, Client Port, Server MAC, Server IP, Server Port, Server, Client, Start Time, End Time, Duration (s), Account, Operation Type, File, Transmission Mode, Total Bytes, Server Bytes, Client Bytes, Total Packets, Server Packets, Client Packets and Average Speed (Bps). To show a column, right-click the column header and select the column.

HTTP Log

The HTTP Log records all web activities and provides log information including time, client and server addresses, requested URL, content length and content type. It appears as below:

[Screenshot: HTTP Log list with columns Date and Time, Client, Server and Requested URL.]
49. [Screenshot: worm settings dialog, showing an average packet length of 512 B and a Sent/Received packets ratio > 2.]

• Suspicious Worm Activity: Enables worm analysis, or else there will be no item to show on the Worm view. AND Relationship means the three conditions below should all be met to define the worm activity.
• IP conversation: Sets the IP conversation count of a host. If the IP conversation count of a host is greater than the setting value, it is supposed that the host may be attacked by worm virus. The value is an integer between 1 and 1,000, and 50 is set by default.
• Average packet length: The unit is byte. If the average packet length of a host is less than the setting value, it is supposed that the host may be attacked by worm virus. The value is an integer between 64 and 1,514, and 512 is set by default.
• Sent/Received packets ratio: The ratio of sent packets to received packets. If the ratio is greater than the setting value, it is supposed that the host may be attacked by worm virus. The value is an integer between 1 and 100, and 2 is set by default.

TCP Port Scan settings

The TCP port scan analysis detects the TCP port scanning activities, and the settings part appears as follows:

[Screenshot: TCP Port Scan checkbox and Settings button, with the text "TCP Port Scan analysis provides related statistics and IP addresses of the hosts which may be attacked by TCP port scan. Click Settings to set related parameters."]

• TCP Port Scan: Enables TCP port scan analysis, or else there will be no item to show on the TCP Port Scan view.
• Setti
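The AND rule from the Suspicious Worm Activity settings in excerpt 49, worked through on packet records. This is an added example, not Colasoft's code: the `(source IP, destination IP, length)` record format, the sample addresses, counting IP conversations as distinct peers, averaging over sent and received packets, and treating a host that received nothing as exceeding the ratio are all assumptions.

```python
"""Worm-activity heuristic: a host is flagged only when all three conditions hold."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WormSettings:
    # Defaults and valid ranges as given in the settings description above.
    ip_conversations: int = 50     # flag when the host's count is greater (1..1000)
    avg_packet_length: int = 512   # bytes; flag when the host's average is less (64..1514)
    sent_recv_ratio: int = 2       # flag when sent/received is greater (1..100)

    def __post_init__(self):
        limits = {
            "ip_conversations": (1, 1000),
            "avg_packet_length": (64, 1514),
            "sent_recv_ratio": (1, 100),
        }
        for name, (low, high) in limits.items():
            value = getattr(self, name)
            if not isinstance(value, int) or not low <= value <= high:
                raise ValueError(f"{name} must be an integer between {low} and {high}")


def host_stats(packets):
    """Aggregate per-host counters from (src_ip, dst_ip, length) records."""
    stats = defaultdict(lambda: {"peers": set(), "sent": 0, "recv": 0, "bytes": 0})
    for src, dst, length in packets:
        sender, receiver = stats[src], stats[dst]
        sender["peers"].add(dst)
        sender["sent"] += 1
        sender["bytes"] += length
        receiver["peers"].add(src)
        receiver["recv"] += 1
        receiver["bytes"] += length
    return stats


def suspicious_hosts(packets, settings=None):
    """Return {host: metrics} for hosts meeting all three conditions (AND)."""
    settings = settings or WormSettings()
    flagged = {}
    for host, s in host_stats(packets).items():
        conversations = len(s["peers"])
        avg_len = s["bytes"] / (s["sent"] + s["recv"])
        # Assumption: a host that sent packets and received none exceeds any ratio.
        ratio = s["sent"] / s["recv"] if s["recv"] else float("inf")
        if (conversations > settings.ip_conversations
                and avg_len < settings.avg_packet_length
                and ratio > settings.sent_recv_ratio):
            flagged[host] = {
                "ip_conversations": conversations,
                "avg_packet_length": avg_len,
                "sent_recv_ratio": ratio,
            }
    return flagged


def build_sample():
    """Constructed traffic: one worm-like host and one busy but normal server."""
    packets = []
    # 10.0.0.5 sends small packets to 60 peers; only every sixth peer answers.
    for i in range(60):
        peer = f"10.0.1.{i + 1}"
        packets += [("10.0.0.5", peer, 74)] * 2
        if i % 6 == 0:
            packets.append((peer, "10.0.0.5", 60))
    # 10.0.0.10 serves 80 clients with large responses: many conversations and
    # a ratio of 3, but the average packet length is well above 512 bytes.
    for i in range(80):
        client = f"10.0.2.{i + 1}"
        packets.append((client, "10.0.0.10", 200))
        packets += [("10.0.0.10", client, 1400)] * 3
    return packets


SAMPLE_PACKETS = build_sample()

if __name__ == "__main__":
    for host, metrics in suspicious_hosts(SAMPLE_PACKETS).items():
        print(host, metrics)
```

The server in the sample meets two of the three conditions and is not flagged, which is the practical effect of the AND relationship: raising or lowering a single threshold changes which hosts appear only when the other two conditions are already met.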
50. Refreshes the conversation list or sets display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, display will update only when the Refresh button is clicked.

Displays particular items of the list. See Display Filter for details.

Shows the number of the conversations in the list. The name changes along with the selection in the Node Explorer window.

TCP Conversation columns

By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Conversation columns for details.

Pop-up menu

Right-click the conversation list on this view to get a pop-up menu with items as follows:

Packet TCP Flow Details To open TCP Flow Analysis window. See TCP Flow Analysis window for details.
Copy: Copies the selection and the header row in original format to the clipboard.
Copy Column: Copies the selected column in original format to the clipboard.
Display Column: Shows or hides columns or changes the position of columns. This command is just the same as right-clicking the column header.
Export Conversation Statistics: Exports current statistical list as a csv file.
51. E BIIN
814F Technically Elite Concept
8150 Rational Corp
8151-8153 Qualcomm
815C-815E Computer Protocol Pty Ltd
8164-8166 Charles River Data System
817E SGI Time Warner prop
8180 HIPPI FP encapsulation
8182 Reserved for HIPPI 6400
8183 Reserved for HIPPI 6400
8184 8180 Silicon Graphics prop
818D Motorola Computer
819A-81A3 Qualcomm
81A4 ARAI Bunkichi
81A5-81AE RAD Network Devices
81B7-81B9 Xyplex
81CC-81D5 Apricot Computers
81D6-81DD Artisoft
81E6-81EF Polygon
81F0-81F2 Comsat Labs
81F3-81F5 SAIC
81F6-81F8 VG Analytical
8203-8205 Quantum Software
8221-8222 Ascom Banking Systems
823E-8240 Advanced Encryption Syste
827F-8282 Athena Programming
8263-826A Charles River Data System
829A-829B Inst Ind Info Tech
869E-86A1 Computer Network Tech
86A3-86AC Gateway Communications
86DB SECTRA
86DE Delta Controls
34543 86DF ATOMIC
34667 876B TCP/IP Compression
34668 876C IP Autonomous Systems
880B PPP
8848 MPLS Multicast
8A96-8A97 Invisible Software
36864 9000 Loopback
36865 9001 3Com Bridge XNS Sys Mgmt
36867 9003 3Com Bridge loop detect
65280 FF00 BBN VITAL LanBridge cache
FF00-FF0F ISC Bunker Ramo
65535 FFFF Reserved
52. [Screenshot: New Report dialog box, with a tree of statistical items: Traffic Statistics (Total Traffic Statistics, Packets Statistics, Packet Size Distribution Statistics, Broadcast Statistics, Multicast Statistics), Communication Statistics (Address Statistics, Conversation Statistics, Protocol Statistics), Diagnosis (Diagnosis Statistics) and Top Statistics.]

2. Specify a name for the report.
3. Select the statistical items for the report, type the reference value and specify the unit for each statistical item. See Report items for all report items.
4. Click OK on the dialog box.

Notes:
1. The items of Diagnosis Statistics as well as Top Statistics have no reference value.
2. Only statistical items of Top Address and Host as well as TOP Application have counter unit.

After creating the report, you can click the settings icon on the toolbar of the Report view to set the name of the company, the prefix of the report name, the creator of the report, the logo of the company, and whether or not to show the created time. See Report Settings for more details.

Report items

The following table lists all available report items:

Traffic Statistics Communication Statistics Diagnosis Top Statistics Total Traffic Statistics Packets Statistics Packet Size Distribution Statistics Broadcast Statistics Multicast Statistics Address Statistics Conversation Statistics Protocol Statistics Diagnosis Stati
53. Ensure the client works in a mode already been unmatched with the server supported by the server established Incorrect configurations of FTP Check the configurations of POP3 server software server software Check the syntax in the original pbs Me dt EE request packet that generated the HTTP server returns malformed syntax error other than 404 aunn nose AN other than Request Not The aa manad rot alowed Suid acount Found to indicate a Th Change the request method client error ae A a The client repeats the request The requested URL is too long Change the requested URL Unsupported media type Modify the media type Returned Error HTTP Client Error A connection uses Suspicious HTTP TCP port 80 to Conversation transmit non HTTP traffic Check the applications using port 80 Check the traffic content of source port and destination port An application running on TCP port Securty 80 produces non HTTP traffic Invalid URL DNS server table does not contain Checkit the UB the map relationship between the entered domain name and mapped IP address HTTP server returns HTTP Request this error when the Not Found requested URL was not found Change DNS server address HTTP server returns Internal server error not Update the configurations of HTTP HTTP Server a 5xx error code to implemented gateway timeout or server Returned Error indicate a server unavailable service Upgrade the HTTP server to support error us
54. Find: Calls out Find dialog box to search only in the conversation list.
Make Filter: Makes a packet filter based on the node of selected conversation. See Creating Filters for details.
Make Graph: Makes a graph in the Dashboard view on the basis of the node of selected conversation. See Creating Graphs for details.
Ping: Calls out the built-in Ping Tool to ping the node of selected conversation.
Select All: Selects all items in the conversation list.
Refresh: Refreshes the conversation list.

Lower pane tabs

When you select a specific item in the conversation list on the TCP Conversation view, the lower pane tabs will provide detailed information about the item. By default, the lower pane is visible. You can click the Details button on the TCP Conversation view to close it, and you can also click the Details button to show the lower pane when it is invisible.

The TCP Conversation lower pane includes Packets tab, Data Flow tab and Time Sequence tab.

• The Packets tab lists all packets for the TCP conversation selected in the TCP Conversation view. The toolbar and columns are just the same as those on Packet view. See Packet view for details.
• The Data Flow tab provides reassembled data flow for the TCP conversation selected in the TCP Conversation view. See Data Flow tab for details.
• The Time Sequence tab displays TCP conversation
55. For distinction and readability, you can define filters by specifying the name, the color and the description about them. In order to capture packets precisely, you can specify packet transmission direction (address 1 -> address 2, address 2 -> address 1, and address 1 <-> address 2) in IP address rule, MAC address rule and port rule.

In simple filter, you can customize filters by combining conditions among address, port and protocol rules. You can further define simple filters in Advanced Filter tab.

Defining address rule

To set an address rule, follow the steps below:

1. Select the Address Rule checkbox.
2. Select an address type from Address 1. You can select MAC address, IP address, IP range or IP subnet.
3. Click the text box below the address type and type the address.
4. Click the direction drop-down list box and select packet transmission direction between the two addresses.
5. Select an address type from Address 2.
6. Click OK on the Packet Filter dialog box.

Click the reference icon to get references if you are not familiar with address format. Click the delete icon to delete all items typed before.

Defining port rule

To set a port rule, follow the steps below:

1. Select the Port Rule checkbox.
2. Select a port type from Port 1. You can select single port, port range or multiple port.
3. Click the text box
56. HTTP Status Codes

100 Continue: the request can be continued.
101 Switch protocols: the server has switched protocols in an upgrade header.
200 OK: the request was fulfilled.
201 Created: the request successful and a new resource was created.
202 Accepted: the request has been accepted for processing, but processing is not completed.
203 Non-Authoritative Information: the returned information is only partial.
204 No Content: the request received but no information exists to send back.
205 Reset Content: the request was successful but the User Agent should reset the document view that caused the request.
206 Partial Content: the partial GET request has been successful.
Multiple Choices: the request resource has multiple possibilities, each with different locations.
302 Found: the data requested has a different URL temporarily.
304 Not Modified: the document has not been modified as expected.
305 Use Proxy: the requested resource can only be accessed through the proxy specified in the location field.
307 Redirect Keep Verb: the redirected request keeps the same HTTP verb. HTTP 1.1 behavior.
401 Unauthorized: the client is not authorized to access data.
404 Not found: server could not find the given resource.
406 Not Acceptable: no responses acceptable to the client were found.
407 Proxy Auth Req: the request first requires authenti
57. P attack Access the server using an internal IP address Look for the attack source address according to the packet ICMP Host Redirect A host in LAN uses an external domain to access internal server after port mapping configuration There is an ICMP attack Access the server using an internal IP address Look for the attack source address according to the packet ICMP Network Redirect Performance Network congestion The destination host has inadequate space or the service is not available unnecessary services The router has inadequate cache Enlarge the size of route cache space Check if there are malicious attacks There is DOS or DDOS attack from the source host Check the application services running on the network Check the destination host and close A router or the destination host sends an ICMP source quench packet to the source host ICMP Source Quench

Data link layer events

Capsa can diagnose data link layer events as below:

Unable to operate correctly on the Ethernet and violate the frame format defined by RFC For Invalid ARP example source Format MAC address is multicast address or the address information in ARP header does not match that in The address information in ARP Security header is falsified or forged for attack Check if there is ARP attack
58. Shows or hides the lower pane.

Makes a packet filter based on the selected node. See Creating Filters for details.

Adds an alias to the Name Table for selected node. See Name Table for details.

Locates the selected node in the Node Explorer window.

Refreshes the node list or sets display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, display will update only when the Refresh button is clicked.

Displays particular items of the list. See Display Filter for details.

Shows the number of worm attacks in the list. The name changes along with the selection in the Node Explorer window.

TCP Port Scan columns

By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Endpoint columns for details.

Pop-up menu

Right-click the node list to get a pop-up menu with items as follows:

Views the decoding information of the packets of the node in the Packet window, which is just the same as the Packet view. See Packet view for more information.
Copy: Copies the selection and the header row in original format to the clipboard.
Copy Column: Copies the selected column in original format to the clipboard.
Shows or hides columns or changes the position of columns. This com
59. [Screenshot: Diagnosis Settings tab. The event list shows Slow Response, POP3 Server Returned Error, FTP Server Slow Response, FTP Server Returned Error, HTTP Client Error, Suspicious HTTP Conversation, HTTP Request Not Found, HTTP Server Returned Error, HTTP Server Slow Response and, under Transport, TCP Connection Refused and TCP Repeated Connect Attempt. The event description reads "The response time from the DNS server is equal to or higher than the threshold", with the reasons: 1. Network congestion; 2. The route between client and DNS server is slow; 3. The DNS server is overloaded; 4. Poor DNS server performance.]

The Diagnosis Settings tab includes three sections:

• Event List: Lists all available diagnosis events of current analysis profile. The occurred diagnosis events will display on the Diagnosis view only when they are selected on the Event List section.
• Event Setting: Allows you to edit the options of a specific event selected on the Event List section just by clicking the options. The options include color, severity, type and other available parameters, which depend on the event.
• Event Description: Provides the event description and possible reasons and resolutions for you to quickly troubleshoot the network when there are network problems.

There are five buttons on the bottom of this window to help you manage all your diagnosis events:

Selects all the diagnosis events in the list.
Clears the selection on all the diagnosis events in the list.
Inverts the selection on the dia
60. TCP Conversation Top UDP Conversation Top Application Protocol

Log Types

Capsa provides eight types of log in total. Click following links to view the detailed information of each log type:

• Global Log
• DNS Log
• Email Log
• FTP Log
• HTTP Log
• ICQ Log
• MSN Log
• YAHOO Log

Not every analysis project has all log types. What log types will display in an analysis project depends on the analysis modules selected. Different analysis profiles have different log types. The following table lists the log types for every analysis profile:

DNS Analysis: Global Log, DNS Log
IM Analysis: Global Log, ICQ Log, MSN Log, YAHOO Log

Security Analysis is only available in Capsa Enterprise.

Global Log

The Global Log collects the logs of other seven log types and displays the log information based on date and time. It appears as below:

[Screenshot: Global Log list with columns including Date and Time and Source IP.]
61. a Hub or a TAP to monitor and analyze your network with Colasoft Capsa.

Connect a TAP with the line to be monitored. TAPs can be flexibly placed on any line in network. When the requirement for network performance is very high, you can add a TAP to connect your network.

[Diagram: Internet, Colasoft Capsa Network Analyzer, TAP (A port, B port), Server A, Server B.]

Connect a hub with the line to be monitored. A hub costs less than a TAP but has lower performance than a TAP in a large-traffic network.

[Diagram: Internet, Colasoft Capsa Network Analyzer, Router, Unmanaged Switch, Server A, Server B.]

Monitoring a network segment

In the case when you only need to monitor the traffic in a network segment (e.g. Finance department, Sales department, etc.), you can connect the server on which Colasoft Capsa is installed and the network segment with an exchange facility. The exchange facility can be hub, switch or proxy server.

[Diagram: Internet, Router, Single-port TAP, Colasoft Capsa Network Analyzer, Workstation, Servers, Application Servers.]

Proxy server

In small network, a proxy server is a reliable choice to deploy a network. Under this circumstance, you can install Colasoft Capsa directly on t
62. ab contains the following items:

• Show/Hide: Enables the Node Explorer, Alarm Explorer and Online Resource windows to show or hide.
• Physical Address Display: Sets the display format of MAC addresses.
• Physical Address Only: Only shows the MAC addresses in hex, e.g. AA:BB:CC:33:44:55.
• Physical Name Only: Only shows the MAC addresses in alias, e.g. localhost.
• Physical Name and Address: Shows the MAC addresses in hex and alias if any, e.g. localhost AA:BB:CC:33:44:55.
• Show Manufacturers: Hides or shows the adapter vendor.
• IP Address Display: Sets the display format of IP addresses.
• IP Address Only: Only shows the IP addresses in digits, e.g. 192.168.1.7.
• IP Name Only: Only shows the IP addresses in alias, e.g. Localhost.
• IP Name and Address: Shows the IP addresses in digits and alias if any, e.g. Localhost 192.168.1.1.

Node Explorer window

The Node Explorer window is functionally a display filter by which you can view various conversation data of a node quickly and accurately. So when you select different types of nodes in the Node Explorer window, the statistical views will show different tabs and the tabs will present different statistics.

Buttons

The Node Explorer window includes the following buttons:

Adds specific node to name table. See Name Table for details.
63. abs
Endpoint columns
IP Endpoint view
IP Endpoint lower pane tabs
Physical Conversation view
Conversation columns
IP Conversation view
IP Conversation lower pane tabs
TCP Conversation view
Data Flow tab
Time Sequence tab
TCP Flow Analysis window
UDP Conversation view
Matrix view
Matrix left pane
Packet view
Packet columns
Log view
Report view
ARP Attack view
Worm view
DoS Attacking view
DoS Attacked view
TCP Port Scan view
Suspicious Conversation view
Network Profile
General Settings
64. adapters for details, and to replay packet files, see Replaying captured packets for details.

To quickly start a live network data capture, select a network adapter and click the Start button on the Start Page.

To start a capture with user-defined configurations, follow the steps below:

1. Select the Capture tab on the Analysis Mode Tabs.
2. Select a network adapter on the Adapter List section. The Adapter Status section shows the traffic status of selected adapter. You can choose one or more wired network adapters at the same time.
3. Click Set Network Profile on the Configuration Info section to select a network profile. A network profile includes the settings about node group, name table and alarms. See Network Profile for details.
4. Select a proper analysis profile on the Analysis Profile section. An analysis profile includes the settings about analysis modules, analysis objects, packet buffer, packet filters, logs, diagnosis events, packet output and view display. Capsa provides six analysis profiles by default, and you also can create new analysis profiles. See Analysis Profile for details.
5. Click the Start button on the bottom right to start an analysis project.

Notes:
1. You can run up to four analysis projects on the same machine at the same time.
2. If you just want to analyze some specific packets on the network, you should use packet filters. Click Creating Filters for details.

Capturing with wireless network adapters

Besides ca
65. [Screenshot: YAHOO Log list of P2P sessions, each with date and time, session name, content and action (login, log off, send message, receive message).]

You can click the session name or double-click the items to open the Notepad to view the detailed communication of the session name.

The YAHOO Log includes columns Date and Time, Client MAC, Client IP, Client Port, Server MAC, Server IP, Server Port, Session Name, Content, Action, Sender Ac
66. ails Analysis l araia the log count of selected log type. The name changes along with the selection in the Node Explorer.

Log left pane

This section lists all the log types of current analysis profile. Click one log type, and the Log List section on the right will list the detailed log information. See Log Types for more information.

You can save the log list of current log type by clicking the export icon on the toolbar, and you can also automatically save all logs. See Log Output for more information.

The logs will be displayed only when the log type is selected in the Log Settings. See Log Settings for more information.

Report view

The Report view provides the real-time statistics of the whole network by reports. By default, the program provides a Global Report which includes all report items of the analysis project. See Report items for details. You can also create new reports. See Creating Reports for details.

Toolbar

The following table lists and describes the items on the toolbar of this view:

Global Report: Click the little triangle to choose a report, and simply click the button to hide or show the Report left pane.
Saves the report as html odf or mht file.
Opens Report Settings dialog box to set reports properties.
Refreshes the report.

Report left pane

This section lists all reports including the d
67. ails
Make Alarm: Makes an alarm on the basis of the node of selected conversation. See Creating Alarms for details.
Add to Name Table: Adds an alias to the Name Table for the node of the selected conversation. See Name Table for details.
Resolve Address: Resolves the host name of the node of selected conversation.
Locate in Node Explorer: Locates the node of selected conversation in the Node Explorer window.
Ping: Calls out the built-in Ping Tool to ping the node of selected conversation.
Select All: Selects all items in the conversation list.
Refresh: Refreshes the conversation list.

UDP Conversation Lower pane tabs

When you select a specific item in the conversation list on the UDP Conversation view, the lower pane tabs will provide detailed information about the item. By default, the lower pane is visible. You can click the Details button on the TCP Conversation view to close it, and you can also click the Details button to show the lower pane when it is invisible.

The UDP Conversation lower pane includes Packets tab and Data tab.

• The Packets tab lists all packets for the UDP conversation selected in the UDP Conversation view. The toolbar and columns are just the same as those on Packet view. See Packet view for details.
• The Data tab provides original data for the UDP conversation selected in the UDP Conversation view. The toolbar and columns are just the same as those on Data Flow tab on the TCP Conversation view. See Data Flow tab for details.
68. Add to Name Table: an alias to the Name Table for the IP address or MAC address of selected item. See Name Table for details.
Resolve Address: Only available when an IP address node is selected. Resolves the host name of selected node.
Locate in Node Explorer: Locates the selected node in the Node Explorer window.
Ping: Only available with right-clicking IP address node. Calls out the built-in Ping Tool to ping selected node.
Select All: Selects all items in the node list.
Refresh: Refreshes the node list.

DoS Attacking lower pane

When you select a specific item in the node list on the DoS Attacking view, the lower pane tabs will provide detailed information about the item. By default, the lower pane is visible. You can click the Details button on the DoS Attacking view to close it, and you can also click the Details button to show the lower pane when it is invisible.

The DoS Attacking lower pane provides IP Conversation tab, TCP Conversation tab and UDP Conversation tab.

• The IP Conversation tab lists all IP address conversations of the node selected on the Worm view. The toolbar and columns are just the same as those on IP Conversation view. See IP Conversation for details.
• The TCP Conversation tab lists the conversations using TCP protocol of the node selected on the Worm view. The toolbar and columns are just the same as those on TCP Conversation view. See TCP Conversation for details.
• The UDP Conversation tab lists the conversations using UDP pr
69. an integer between 30 and 20,000, and 300 is set by default.

Suspicious Conversation settings

This function detects the suspicious conversations of HTTP, FTP, SMTP and POP3, and the settings part appears as follows:

[Screenshot: Suspicious Conversation settings, with the text "Suspicious Conversation analysis provides related statistics and displays suspect HTTP, FTP, SMTP, POP3 conversations. Click following checkboxes to select conversation types you want to display." and, under Suspicious Conversation (OR Relationship), the checkboxes Suspicious HTTP Conversation, Suspicious POP3 Conversation, Suspicious FTP Conversation and Suspicious SMTP Conversation.]

• Suspicious Conversation: Enables suspicious conversation analysis, or else there will be no item to show on the Suspicious Conversation view. OR Relationship means one of the four conditions below is met to define the suspicious conversation attack activity.
• Suspicious HTTP Conversation: Enables suspicious HTTP conversation analysis, which is set by the program on the Diagnosis Settings tab. It is supposed that there is suspicious HTTP conversation on the network when port 80 is connected without HTTP data.
• Suspicious POP3 Conversation: Enables suspicious POP3 conversation analysis, which is set by the program on the Diagnosis Settings tab. It is supposed that there is suspicious POP3 conversation on the network when port 110 is connected without POP3
70. and describes the items on the toolbar:

Exports all of the protocol statistics as a csv file.
Shows or hides the lower pane.
Makes a packet filter based on the selected protocol. See Creating Filters for details.
Locates the selected protocol in the Node Explorer window.
Refreshes the protocol list or sets display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, display will update only when the Refresh button is clicked.
Displays particular items of the list. See Display Filter for details.
number in the list. The name changes along with the selection in the Node

Protocol columns

By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Protocol columns for details.

The following table lists and describes the columns of Protocol view.

Pop-up menu

Right-click the protocol list to get a pop-up menu with items as follows:

Packet Details: Views the decoding information of the packets of the protocol type in the Packet window, which is just the same as the Packet view. See Packet view for more information.
Copy: Copies the selection an
71. ans the node group of Physical Explorer/IP Explorer in the Node Explorer window.
2. Different Top items have different Top numbers, e.g. the top item Top Physical Group by Total Traffic will have only Top 3 if the Physical Explorer has only 3 groups (Fig. below).
[Figure: Node Explorer showing Physical Explorer (3) with Local Segment, Broadcast Addresses and Multicast Addresses, beside the chart Global Top Physical Group by Total Traffic.]
3. You can change the Top number by right-clicking the chart (Fig. below) and selecting Top Number on the pop-up menu.
[Figure: pop-up menu of the chart Top Application Protocols by Bytes, with items Pause Refresh, Legend Box, Bar Chart, Pie Chart, Titles, Top Number (Top 5, Top 10, Top 20), Sampling Value, Refresh Interval and Save Graph.]
4. You can change the sampling value of TOP Chart by right-clicking the chart and selecting Sampling value on the pop-up menu.
Creating Reports
Besides the default Global Report, you can create new reports according to the need. To create a report, follow the steps below:
1. Click on the Report view to pop up the New Report dialog box, which appears as below: Report Name: New Report. Please select statistical items for the report: Traffic Statistics
72. ard panels and all charts on the panels
• All matrices and the settings for each matrix
• All reports and the settings for each report
• All settings for system options
• The settings for address display format
• All settings from toolbars and pop-up menus of all statistical views
The selection on network adapters, the selection on network profile and the selection on analysis profile will be memorized only when these selections are applied to an analysis project. If you want the programs installed on different machines to have the same analysis settings, you should use global configurations. See Global configurations for details.
Global configurations
Global configurations mean the configurations for the program. Global configurations contain configurations as follows:
• Network profile settings, including default network profiles, user-defined network profiles, the selection on the network profile, General Settings, Node Group, Name Table and Alarm Settings
• Analysis profile settings, including default analysis profiles, user-defined analysis profiles, Basic Settings of the analysis profiles, Analysis Object, Packets Buffer, Packet Filter, Log Output, Log settings, Diagnosis Settings, Packets Output and View Display
• Dashboard, including default dashboard panel and user-defined dashboard panels and the charts on the panels
73. below the port type and type the port number.
4. Click the direction drop-down list box and select packet transmission direction between the two ports.
5. Select a port type from Port 2.
6. Click OK on the Packet Filter dialog box.
Defining protocol rule
To define a protocol rule, follow the steps below:
1. Select the Protocol Rule checkbox.
2. Click Select to open the Protocol Rule dialog box, which appears as below:
[Figure: Protocol Rule dialog box listing protocols such as AARP, VLAN and IP.]
3. Choose the protocols for which you want to define the rule and click OK.
4. Click OK on the Packet Filter dialog box.
The chosen protocols are listed in Protocol Rule section. You can delete a protocol item from the list with the Remove button.
Advanced filters
When creating a filter, you can choose to create a simple filter or an advanced filter. The Advanced Filter tab appears as below. The filter rules are arranged in a filter relation map. The map shows the logical relations among the rules, from adapter to an analysis project. You can double-click the rule to edit it.
Toolbar
The toolbar contains the following items:
• And: The rules connected by "and" are in logical and relationship.
• Or: The rules connected by "or" are in logical or relationship.
• Not: Only packets that do not match the condition will be captured. The Not rules are marked as red ones.
• Edits the selected rul
74. box to manage the external tools.
• Ping: Launches Colasoft Ping Tool.
• MAC Scanner: Launches Colasoft MAC Scanner.
• Packet Player: Launches Colasoft Packet Player.
• Packet Builder: Launches Colasoft Packet Builder.
Tool Settings
In addition to the four tools provided by default, users can add other Windows applications and tools into Colasoft Capsa with the External Tools Management dialog box. You can not only invoke but also execute the added applications and tools via Colasoft Capsa. To open External Tools Management dialog box, click Tool Settings in Tools tab of the Ribbon. The External Tools Management dialog box appears.
[Figure: External Tools Management dialog box listing Ping, Packet Player, Packet Builder and New Tool 1, with Move up and Move down buttons.]
You can click New to attach new tools, and Delete to delete your selected tool in the left pane. You can also rearrange the order of the listed items with Move up and Move Down. To demonstrate, you can follow the steps below to attach the Tracert command of Windows into Colasoft Capsa:
1. Click the New button; the Attribute pane appears.
2. Enter Tracert in Title textbox as its name.
3. Enter the path of the program in Command: C:\WINDOWS\system32\tracert.exe, or click the icon to choose the path.
4. Click the icon after Parameters textbox. The External Tools Parameter dialog box appears.
75. by a POP3 The client application configures Check user name and password on server after a TCP incorrect user name and password the client application connection has POP3 server is overloaded Check if POP3 server is attacked already been Incorrect configurations of POP3 Check the configurations of POP3 established server software server software Check the application services running on the network Update the configurations of route Check the security and the working status of FTP server Upgrade FTP server The average Security POP3 Server Returned Error Network congestion The response time The connection between client and ql eee ow is equal to or higher Performance FTP server is slow p than the threshold The FTP server is overloaded Poor FTP server performance A connection uses Suspicious FTP TCP port 21 to Conversation transmit non FTP traffic Check the applications using port 21 Check the traffic content of source port and destination port An application running on TCP port Security 21 produces non FTP traffic The client executes invalid Ensure the client executes correct An FTP connection commands commands or request is The client application configures Check user name and password on FTP Server rejected by an FTP incorrect user name and password the client application server after a TCP Fault POP3 server is overloaded Check if POP3 server is attacked connection has The client has a work mode
76. cation with the proxy.
409 Conflict: the request was unsuccessful due to a conflict in the state of the resource.
410 Gone: the resource requested is no longer available and no forwarding address is available.
411 Length Required: the server cannot accept the request without a defined content length.
412 Precondition Failed: a precondition specified in one or more Request Header fields returned false.
413 Request Entity Too Large: the request was unsuccessful because the request entity is larger than the server will allow.
414 Request URI Too Long: the server cannot service the request because the request URI is longer than the server can interpret.
415 Unsupported Media Type: a server refuses a request because the message body is in an inappropriate format.
416 Requested Range Not Satisfiable: the server could not process the client's partial GET request.
417 Expectation Failed: the expectation given in the Expect request header could not be fulfilled by the server.
449 Retry With: the request should be retried after doing the appropriate action.
501 Not Implemented: the server does not support the facility requested.
504 Gateway Timeout: server waited for another service that did not complete in time.
505 HTTP Version Not Supported: the server does not support or is not allowing the HTTP protocol version specified in the request.
77. The ICQ Log includes columns: Date and Time, Client MAC, Client IP, Client Port, Server MAC, Server IP, Server Port, Session Name, Content, Action, Sender Account, Receiver Account and IM Type. To show a column, right-click the column header and select the column.
MSN Log
The MSN Log records MSN communications over the network, including communication date and time, session name, message content, action status and the communication accounts. You can read the messages in plain text and login and logout status records. It appears as below:
[Figure: MSN Log view with columns Session Name, Content and Action; the actions shown include Log in, Quit chat, Join in the chat, Send message and Receive message.]
78. ck activities and provides source MAC addresses to locate the infected hosts.
• Worm: Detects suspicious worm activities and provides details, including source IP addresses, to locate the infected hosts.
• DoS Attacking: Detects the hosts which attack a remote site and provides details of the hosts.
• DoS Attacked: Detects the hosts under a DoS attack and provides details of the hosts.
• TCP Port Scan: Detects suspicious TCP port scanning activities.
• Suspicious Conversation: Detects suspicious conversations of HTTP, FTP, SMTP and POP3.
Dashboard view
The Dashboard view is visible only when the root node of the Node Explorer window was selected. If it is still invisible, click View Display icon on the Analysis tab on the Ribbon section and check Dashboard in the list. See View Display for details. Capsa provides lots of statistical graphs, which are managed by panels on the Dashboard view. So you should first create dashboard panel before you create graphs. See Creating Graphs to know how to create a graph.
Toolbar
There are four button icons on the Dashboard view:
• Creates a new dashboard panel.
• Renames the selected panel.
• Deletes the selected panel.
• Resets the Dashboard view to default settings, and all user-defined graphs will be deleted.
By default, Capsa provides a dashboard panel named Default w
79. cket. See Display Filter for details.
• Shows the number of packets in the list. The name changes along with the selection in the Node Explorer window.
Packet columns
By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Packet columns for details.
Pop-up menu
Right-click the packet list on this pane to get a pop-up menu with items as follows:
• Opens a new window to show packet decode information; alternatively, you can double-click the packet.
• Copy (Ctrl+C): Copies the selection in original format to the clipboard.
• Copy Column: Copies the selected column in original format to the clipboard.
• Display Column: Shows or hides columns or changes the position of columns.
• Shows the packet summary.
  • Automatic: Shows the uppermost protocol summary.
  • IP Summary: Shows the packet summary of IP protocols; if no IP protocols, show the uppermost protocol summary.
  • TCP/UDP Summary: Shows the packet summary of TCP/UDP protocols; if no TCP/UDP protocols, show the uppermost protocol summary.
• Saves selected packets or exports all packets in the packet list. You can save packets in any format selected from the Sa
80. cksum field in the received packet. The response time for ACK packet is higher than the threshold. Performance.
A client is requesting a service that the host does not offer. There are no more available resources on the host to handle the request. The server does not exist or is not powered on. A client requests a service that is not available on the server. The SYN packet from a client or the ACK packet from a server is lost or damaged. The SYN packet from a client or the ACK packet from a server is blocked by a firewall. Network congestion. A packet from a client or the ACK packet from the server is lost because the switch or the router is overloaded. The connection between a client and the server is slow. The buffer of server side overflows. The TCP packet is lost or damaged during transmission. A segment of a segmented TCP packet is lost or damaged during transmission. The packet is damaged during transmission. Calculating TCP checksum may be disabled if TCP checksum of all packets is wrong. The source stack does not calculate TCP checksum. Network congestion. The connection between the sending host and the receiving host is slow.
Check for service availability at the host. Check for the maximum number of incoming connections that a host can handle. Make sure the server is existent and is powered on. Open the port for the service on th
81. count, Receiver Account and IM Type. To show a column, right-click the column header and select the column.
Configurations in Capsa
Before using Capsa to capture network traffic, you may do some configurations about the program, like configurations for system options, network profile settings and analysis profile settings, and after starting an analysis project, you may also do some configurations about the project, like settings for address display format, settings for the columns of statistical views, operations on graphs and reports, and other settings for the program. All of said settings can be memorized by Capsa, so there is no need for you to do the configurations every time when launching the program. For example, you can specify the arrangement order and the width for the columns of IP Endpoint view for an analysis project. The IP Endpoint view will display the columns with specified order and width the next time you launch the program. The configurations that can be memorized by Capsa and need no repeated operations include:
• The selection on network adapters, the selection on network profile and the selection on analysis profile
• The keys for APs
• All settings for network profile
• All settings for analysis profile
• The show status and width for the columns of all statistical views
• All dashbo
82. Tools tab
View tab
Node Explorer window
Statistical views
Online Resource window
Status Bar
Viewing Statistics
Dashboard view
Summary view
Summary items
Diagnosis view
Diagnosis Item pane
Diagnosis Address pane
Diagnosis Events pane
Application layer events
Transport layer events
Network layer events
Data link layer events
Protocol view
Protocol lower pane tabs
Protocol columns
Physical Endpoint view
Physical Endpoint lower pane t
83. current statistical list as a .csv file.
Graphs for details.
• Make Alarm: Makes an alarm on the basis of the node of selected conversation. See Creating Alarms for details.
• Add to Name Table: Adds an alias to the Name Table for the node of the selected conversation. See Name Table for details.
• Resolve Address: Resolves the host name of the node of selected conversation.
• Locates the node of selected conversation in the Node Explorer window.
• Ping: Calls out the built-in Ping Tool to ping the node of selected conversation.
• Select All: Selects all items in the conversation list.
• Refresh: Refreshes the conversation list.
IP Conversation lower pane tabs
The IP Conversation lower pane tabs display the details of the conversation selected on the IP Conversation view. By default, the lower pane is visible. You can click Details button on the IP Conversation view to close it, and you can also click Details button to show the lower pane when it is invisible. The IP Conversation lower pane provides TCP Conversation tab and UDP Conversation tab.
• The TCP Conversation tab lists the conversations using TCP protocol of the conversation selected on the IP Conversation view. The toolbar and columns are just the same as those on TCP Conversation view. See TCP Conversation for details.
• The UDP Conversation tab lists the conversations using UDP protocol of the conve
84. d into simple filters, but some filter rules will be lost because advanced filters have more filter conditions than simple filters.
Display Filter
Filters are utilized to separate particular packets. The packet filters are utilized to restrict the packets into the buffer of a capture. However, the Display Filter is utilized only to isolate some of the captured packets to display. The Display Filter is available on many statistical views and shows as follows:
[Figure: Display Filter bar with the Filter Rule text box and the Filter Field drop-down list.]
• The text box Filter Rule is for you to type filter rule. You can use gt lt gt and lt to set the filter rule.
• The drop-down list Filter Field is the columns of each view or tab, and the field changes due to different views or tabs.
Creating Alarms
To open the Make Alarm dialog box to create a new alarm, you can perform one of the following operations:
• Click Add Alarm button on the Alarm Explorer window.
• Open Network Profile Settings dialog box, select Alarm Settings tab and click Add button. Read Network Profile to know how to open the Network Profile Settings dialog box.
• Click the icon in the Node Explorer window.
• Choose Make Alarm on the pop-up menu from the Node Explorer window and statistical views.
1. Alarms created by the first two methods above will be tr
85. d is just the same as right-clicking the column header.
Packet Details; Display Column
• Export Node Statistics: Saves current list of the node statistics as a .csv file.
• Add to Name Table: Adds an alias to the Name Table for the IP address or MAC address of selected item. See Name Table for details.
• Resolve Address: Only available when an IP address node is selected. Resolves the host name of selected node.
• Locate in Node Explorer: Locates the selected node in the Node Explorer window.
• Only available with right-clicking IP address node. Calls out the built-in Ping Tool to ping selected node.
• Select All: Selects all items in the node list.
• Refresh: Refreshes the node list.
Physical Endpoint lower pane tabs
The Physical Endpoint lower pane tabs display the details of the node selected on the Physical Endpoint view. By default, the lower pane is visible. You can click Details button on the Physical Endpoint view to close it, and you can also click Details button to show the lower pane when it is invisible. By default, there is only a Physical Conversation tab on the lower pane.
• The Physical Conversation tab lists all MAC address conversations of the node selected on the Physical Endpoint view. The toolbar and columns are just the same as those on Physical Conversation view. See Physical Conversation for details.
  ◦ You can double-click any item in the conversation list to view detailed packet information in the Packet window which
86. d on the TCP Conversation view. You can view the diagram to understand the packet transmission mechanism in a TCP conversation. Grey is for packet from node 1 to node 2, and yellow is for packet from node 2 to node 1.
Toolbar
There are only three items on the toolbar of this tab, described as below:
• The type to display the sequence number of the byte flow in data transmission, including:
  • Show Absolute Seq: Shows the real sequence number in the packet.
  • Show Relative Seq: Shows relative sequence number, with the first packet of the conversation being 0.
• Refreshes the diagram. If the interval is set to Manually Refresh, display will update only when the Refresh button is clicked.
• 192.168.1.104:1558 <-> 74.125.71.99:80 Sequence 8: the number of packets of the conversation.
Time sequence diagram
The time sequence diagram is organized by six columns, which are described as below:
The time from the timestamp of selected packet to that of the first packet in the conversation, with the first packet of the conversation being set as the reference object.
The information about sequence number, acknowledgement number, next sequence number of the packet sent by node 1.
Node 1 -> The window size information of node 1. A window size of 0 indicates that Node 2 should stop transmitting.
Flag and Load Length: Flags that are control flags in TCP segment header, and load length, which is the size of the data portion of TCP segment.
<
87. d the header row in original format to the clipboard.
• Copy Column: Copies the selected column in original format to the clipboard.
• Display Column: Shows or hides columns or changes the position of columns. This command is just the same as right-clicking the column header.
• Export Protocol Statistics: Saves current list of the protocol statistics as a .csv file.
• Locate in Node Explorer: Locates the selected protocol in the Node Explorer window.
• Select All: Selects all items on the protocol list.
• Refresh: Refreshes the protocol list.
Protocol lower pane tabs
The Protocol lower pane tabs display the details of the protocol selected on the Protocol view. By default, the protocol lower pane is visible. You can click Details button on the Protocol view to close it, and you can also click Details button to show the lower pane when it is invisible. The tabs showing on the lower pane are different with different selection in the Node Explorer window.
• Choosing the root node or any nodes on the Protocol Explorer, the lower pane includes Physical Endpoint tab and IP Endpoint tab.
  ◦ The Physical Endpoint tab lists all MAC address nodes and their traffic information using the protocol selected on the Protocol view. The toolbar and columns are just the same as those on Physical Endpoint view. See Physical Endpoint
88. d to stop all captures and go back to the Start Page. In a capture you can only view the existing protocols.
Protocol List
You can click any of the column headers to rearrange the protocols in descending order or in ascending order. You can double-click a protocol item to edit it. You are not allowed to modify the color of the pre-specified protocols.
Display Filter
There are two protocol filters on the top for you to locate a certain type of protocol:
• Select protocol: Displays the selected type of protocol in the list and hides the rest, e.g. Ethernet II, IP, TCP and UDP.
• Filter display: Displays the protocols by their status, e.g. All Protocols, Built-in Protocols, Customized Protocols and Modified Protocols.
Buttons
• Add: Creates a new rule to identify a new protocol.
• Edit: Edits a highlighted protocol item.
• Delete: Deletes a highlighted protocol item.
• Import: Reads the protocol list from a .cscpro file.
• Export: Saves the protocol list to a .cscpro file.
• Default: Resets the protocol list. All user-defined protocols will be deleted and built-in protocols will be reset. You should be careful of clicking this button.
You cannot delete any built-in protocols, and when you are running a capture the buttons above will be disabled. You need to stop all the captures and go back to the Start Page; then the buttons will be enabled again.
Adding protocols
To add a protocol, click Add to open the Add Protocol dialog box, in which you
89. data.
• Suspicious FTP Conversation: Enables suspicious FTP conversation analysis, which is set by the program on the Diagnosis Settings tab. It is supposed that there is suspicious FTP conversation on the network when port 21 is connected without FTP data.
• Suspicious SMTP Conversation: Enables suspicious SMTP conversation analysis, which is set by the program on the Diagnosis Settings tab. It is supposed that there is suspicious SMTP conversation on the network when port 25 is connected without SMTP data.
DoS Attacking settings
The DoS attacking analysis detects the hosts which perform DoS attack, and the settings part appears as follows:
[Figure: DoS Attacking settings. Dialog text: "DoS Attacking analysis provides related statistics and IP addresses of the hosts which may perform DoS attack. Set following fields to define the thresholds for worm recognition criteria." The checkbox DoS Attacking (OR Relationship) is followed by four threshold conditions combining PPS, multicast packets, sent/received packets ratio, TCP SYN PPS and sent BPS.]
• DoS Attacking: Enables DoS attacking analysis, or else there will be no item to show on the DoS Attacking view. OR Relationship means one of the four conditions below is met to define the DoS attacking activity.
1. It is supposed to be DoS Attacking wh
90. de window. The Field Decode pane presents information based on the protocol used in packet transmission; click the minus or plus signs in the margin to collapse or expand the hierarchy of any header section. The following table lists and describes all the items on the pop-up menu from right-clicking the Field Decode pane:
• Collapse All: Collapses all items of the display.
• Select All: Selects all rows in the Field Decode pane.
• Refresh: Refreshes the current pane.
Hex Decode pane
This pane interworks with the Field Decode pane, and when you select a portion of packet content in the Field Decode pane, Capsa highlights the selected portion and the corresponding Hex data and ASCII or EBCDIC data in this pane. The following table lists and describes all the items on the pop-up menu from right-clicking the Hex Decode pane.
Packet columns
The following table lists and describes the columns of Packet view:
• No.
• Relative Time: The relative time when the packet is captured. To set relative time, right-click an item on the packet list and choose Set Relative Time.
• Notes: The note about the selected packet. To make notes of a packet, right-click an item on the packet list and choose Note > Edit Note.
• Source: The source of the packet.
• Destination: The destination of the packet.
• Protocol: The name of the highest layer protocol of the packet.
• Siz
91. ded to set the packet buffer size to be less than half of the available physical memory of the operating system.
When buffer is full
When the Packet Buffer is full with captured packets, you can choose to:
• Discard oldest packets (circulative buffer): It is recommended to discard the oldest packets to store the latest packets.
• Discard new packets after analyzing: All new captured packets will be discarded after being analyzed and will not be saved to the packet buffer.
• Discard all old packets: The program will empty the packet buffer and then store new packets to it.
• Stop capture or replay: Stop the current capture or replay.
If you do not want to miss any packets during the capture, read Packet Output to learn how to save all packets.
Packet Filter
Packet Filter is utilized to set the conditions for capturing the traffic on the network.
Filter
You can click filter icon to open Packet Filter Settings dialog box, which includes a right pane and a left pane. The left pane lists all available filters, including built-in filters and user-defined filters. For each filter there are two options: Accept and Reject. Accept means only packets matching the filter will be captured by Capsa, while Reject means only packets unmatched will be captured by Capsa. All selected filters are in OR relationship. The right pane
92. directly affecting others' computers or sending out by emails. Worm attacks will be identified according to default setting values, and you can also customize these values to let the program find out the attacks more accurately. See Worm attack settings for details. The Worm view will not be available when you select any nodes on the Protocol Explorer and all nodes except IP address nodes on the Physical Explorer. This view lists the IP addresses and their traffic information of the hosts which may be affected with worm. You can double-click any item on the list to view detailed packet information in the Packet window, which is named with the node and is just the same as the Packet view. See Packet view for more information.
Toolbar
The following table lists and describes the items on the toolbar of this view:
• Shows or hides the lower pane.
• Refreshes the node list, or sets display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, display will update only when the Refresh button is clicked.
• Displays particular items of the list. See Display Filter for details.
• Security Analysis\Worm: Shows the number of worm attacks in the list. The name changes along with the selection in the Node Explorer window.
Worm columns
By right-clicking the column header, you can specify which columns to show
93. e
• Deletes the selected rule.
• Shows the icon for each rule.
• Shows the details of the rules.
• Shows the logical relationships of the rules.
For advanced filters there are six kinds of rules, including Address, Port, Protocol, Size, Value and Pattern. The Address, Port and Protocol rules are the same as those in simple filters. See Simple filters for details.
Defining size rule
Size rule is for defining the rule on packet size. Only packets of the size satisfying the rule will be captured. To define a size rule, click And or Or on the toolbar and select Size to open the Size Rule dialog box, which appears as below:
[Figure: Size Rule dialog box with the Packet Size setting.]
You can choose less than, less than or equal to, greater than, greater than or equal to, equal to, not equal to, or Between (size range) to define the size rule.
Defining value rule
Value rule is for defining the rule on the value of decoded field of a packet. To define a value rule, click And or Or on the toolbar and select Value to open the Value Rule dialog box, which appears as below:
[Figure: Value Rule dialog box with fields including Length, From, Offset, Mask and Byte Order.]
• Length: Specifies the length of the mask and the length of the value for the rule. It could be 1 byte, 2 by
94. • Profile Name: The name of the network profile.
• Profile Description: The description of the network profile.
• Bandwidth: The real bandwidth of the current network. The bandwidth is very important: it is the benchmark for calculating the network utilization. By default, this value is calculated from the properties of the adapter.

Node Group

In Capsa, all IP address nodes and MAC address nodes on the network can be divided into different node groups, so that it is easy to distinguish local traffic from internet traffic, and broadcast traffic from multicast traffic. For MAC addresses, there are three node groups: Local Segment, Broadcast Addresses and Multicast Addresses. For IP addresses, there are six node groups: Local Subnet, Private-use Networks, Multicast Addresses, Broadcast Addresses, Internet Addresses and Link Local. All these node groups are displayed in the Node Explorer window when available.

The Node Group tab is used to manage the local MAC and IP addresses of the network. It contains an upper pane called the node group list, which lists all node groups; a lower pane called the node list, which lists all nodes of the node group selected in the node group list; and multiple buttons, described as follows:
• Add: Adds a new node group which belongs to the node group selected in the node group list.
• Edit: Edits the name of the selected node group in the node group list.
• Delete: Deletes the selected node group from the node gr
95. e server.
• Make sure the SYN packet is reaching the server. If the server ACKs, make sure the ACK packet reaches the client.
• Open the access control policy on the firewall.
• Check the application services running on the network.
• Check the working status of switches and routers.
• Update the configurations of routes.
• Check the working status of the host at the receiving side.
• Check if there are electromagnetic interference devices on the transmission line, or if there is a faulty transmission device.
• Check if it is necessary to enable calculating checksum.
• Disable TCP Checksum Offload.
• Check the application services running on the network.
• Update the configurations of routes.
• Check if the ACK packet is lost or

Event, type and description:
• TCP Duplicated Acknowledgement (Performance): At least three packets have identical ACK number and SEQ number.
• TCP SYN Storm (Security): A lot of TCP SYN packets are being sent at a speed higher than the threshold.
• TCP Header Offset Error (Security): TCP header offset is less than 5.
• TCP Port Scan (Security): A local or remote host scans TCP ports, the number of which is higher than the threshold.

Network layer events

Capsa can diagnose network layer events as below: IP Invalid Checksum, IP Too Low TTL, IP Address Conflict, ICMP Destination Unreachable.

The destination host calculates IP checksum of received packet which is
96. e 1 when there is only one pair of adjacent ACKnowledgement packets. There is at least one TCP turn in one transaction.
• Start Time: The time when the transaction started.
• End Time: The time when the transaction ended.
• Summary: Summary for the transaction.

When a specific transaction is selected, the Transaction Sequence Diagram tab auto-scrolls to display the corresponding transaction information as a diagram.

Transaction Sequence Diagram

When a transaction item is selected on the transaction list, the Transaction Sequence Diagram displays the corresponding packet information for the transaction with a grey background. On the diagram, one horizontal line with an arrow represents one packet, and the arrow represents the direction of the packet. The green lines represent packets of the three-way handshake, the blue ones represent packets with application data, the yellow ones represent ACKnowledgement packets, and the red ones represent packets with something wrong, like retransmission, repeated ACKnowledgement and so on. Click an arrow and it becomes thick and yellow, and the right section displays the decoding information of the packet.

The following table lists and describes the buttons on the toolbar of this tab:
• Displays load length information of the packet.
• Sets relative time for the packets.
• Calls out Find dialog box t
97. • Filter: Sets packet filters. See Creating Filters for details.
• Start: Starts the replay.
• Pause: Pauses the replay.
• Stop: Stops the replay.
• Network Profile: Sets the parameters for network profile. Read Network Profile for more details.
• Analysis Profile: Sets the parameters for analysis profile. Read Analysis Profile for more details.
• Gauge
  • Utilization: Shows network bandwidth utilization in gauge.
  • pps: Shows the number of captured packets in gauge.
• Traffic Chart (bps): Shows the traffic of the chosen adapter, refreshing every second. Move your mouse over the chart and you will see the traffic number and specific time.
• Packet Buffer
  • Buffer Map: Shows how much buffer for the analysis project was used, with the total buffer size below the Buffer Map. See Packet Buffer to know how to set buffer size.
  • Export: Saves the packets in the packet buffer in a format selected from the Save as type drop-down list box.
  • Clear: Clears the data in the packet buffer.
  • Lock: Stops storing packets in the buffer. The program still captures packets upon locking the packet buffer.

System tab

The System tab appears as follows:

[Figure: System tab of the Ribbon]
98. e The size of the packet.
• Source MAC: The source MAC address of the packet.
• The destination MAC address of the packet.
• Decode: The decoding information of the selected field on the Field Decode pane.
• Summary: The summary information of the packet.

Log view

Logs are provided by different analysis modules, which focus on recording different sorts of operations in detail by analyzing the captured packets. The program automatically analyzes the commands in the captured packets and recognizes the application type. If the logging function of the application is activated, the commands and actions will be recorded to the corresponding log.

Toolbar

The following table lists and describes the items on the toolbar of this view:
• Global Log: Click the little triangle to choose a log type in the list, and simply click the button to hide or show the log type.
• Exports the log list of the selected log type as a csv file.
• Makes a packet filter based on the node in the selected log. See Creating Filters for details.
• Locates the node in the selected log in the Node Explorer window.
• Automatically scrolls down to display the newest logs.
• Refreshes the log list, or sets the display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, the display will update only when the Refresh button is clicked.
• Views particular logs. See Display Filter for det
99. e are eight built-in analysis profiles as follows:
• Full Analysis: Provides comprehensive analysis of all the applications and network problems.
• Traffic Monitor: Provides traffic statistics and high efficient analysis of main objects including MAC addresses, IP addresses and protocol.
• Security Analysis: Provides dedicated analysis of potential network security risk.
• HTTP Analysis: Analyzes Web applications based on HTTP, and records clients' web activities and web communication logs.
• Email Analysis: Analyzes Email applications based on POP3 and SMTP, monitors Email content and attachments, and logs Email transactions.
• DNS Analysis: Analyzes DNS applications, diagnoses DNS application errors, and records DNS application logs.
• FTP Analysis: Analyzes FTP applications based on TCP port 21 and 20, and FTP transaction logs.
• IM Analysis: Provides instant messenger analysis.

Different analysis profiles load different analysis modules and have different packet filters to analyze specific network traffic.

You can also create, edit, duplicate and delete an analysis profile by right-clicking any analysis profile on the Analysis Profile section.

[Figure: Analysis Profile pop-up menu]

• Edit: Opens the Analysis Profile Settings dialog box to edit the selected analysis profile.
• New: Opens the Analysis Profile Settings dialog box to create a new analysis p
100. e details.
• Adapters: In Capture analysis mode, this part shows the name or the number of the selected wireless AP or wired network adapter. You can click it to view the details. In Replay analysis mode, this part shows the total size of replayed files and the replay status. You can click it to view the details.
• Filter: This part shows filter information. It shows Inactive when no filters are utilized, or shows the numbers of Accept filters and Reject filters, as in Accept 3, Reject 1. You can click this part to open the Filter dialog box to set filters. See Creating Filters for details.
• Duration: In Capture analysis mode, this part shows the duration of the current analysis project. In Replay analysis mode, this part shows the time to replay the packet files.
• Captured and Filtered Packets: This part shows the number of packets captured by the program (as in 2,658) and the number of packets filtered out by the filters.
• Button and Menu Tips: This part shows tips for the focused item when the mouse pointer moves over an item on the Menu or over a button on the Ribbon section, and shows Ready by default.
• Alarm Notification Area: This part includes an Alarm Explorer icon and three counters of triggered alarms. See Alarm Explorer window for more details.

Viewing Statistics

Capsa provides a wid
101. e display refresh interval. If the interval is set to Manually Refresh, the display will update only when the Refresh button is clicked.
• The count of the rows of the current list, not the diagnosis event count. The name changes along with the selection in the Node Explorer window.

You can expand or collapse the event list by clicking the plus or minus sign. If you want to save all events in csv format, you should first expand all and then click Save as; otherwise you only save the current event list, which means the specific events that were collapsed will not be saved.

Diagnosis Address pane

This pane displays the address of the event that is selected in the Diagnosis Item pane. Note that the column IP Address is not available for events on the data link layer. The buttons of the toolbar are listed in the following table:
• Saves the address list as a csv file.
• Makes a packet filter based on the IP address or MAC address of the selected item on the address list. See Creating Filters for details.
• Adds an alias to the Name Table for the IP address or MAC address of the selected item on the address list. See Name Table for details.
• Refreshes the address list or sets the display refresh interval. If the interval is set to Manually Refresh, the display will update only when the Refresh button is clicked.

Right-click the address list to get a pop-up menu with item
102. e list on the Worm view, the lower pane tabs will provide detailed information about the item. By default, the lower pane is visible. You can click the Details button on the Worm view to close it, and you can also click the Details button to show the lower pane when it is invisible.

The Worm lower pane provides the IP Conversation tab, TCP Conversation tab and UDP Conversation tab.
• The IP Conversation tab lists all IP address conversations of the node selected on the Worm view. The toolbar and columns are the same as those on the IP Conversation view. See IP Conversation for details.
• The TCP Conversation tab lists the conversations using TCP protocol of the node selected on the Worm view. The toolbar and columns are the same as those on the TCP Conversation view. See TCP Conversation for details.
• The UDP Conversation tab lists the conversations using UDP protocol of the node selected on the Worm view. The toolbar and columns are the same as those on the UDP Conversation view. See UDP Conversation for details.

You can double-click any item in the conversation lists to view detailed packet information in the Packet window, which is named with the conversation and is the same as the Packet view. See Packet view for more information.

DoS Attacking view

The DoS Attacking view is only available when you are using the anal
103. e variety of statistics presented on the statistical views, each focusing on statistics of different types. The table below describes all statistical views briefly, and you can click the links to know the details. Please note that different analysis profiles may have different views.
• Dashboard: Provides various graphs and charts of the statistics.
• Summary: Provides general statistical information of the selected node in the Node Explorer window.
• Diagnosis: Presents the real-time diagnosis events of the global network by groups of protocol layers or security levels.
• Protocol: Lists statistics of all protocols used in network transactions hierarchically.
• Physical Endpoint: Lists statistics of all MAC addresses that communicate in the network hierarchically.
• IP Endpoint: Lists statistics of all IP addresses that communicate in the network hierarchically.
• IP Conversation: Lists the conversations between two IP addresses.
• TCP Conversation: Lists TCP conversations.
• Matrix: Visually presents the communications among nodes dynamically.
• Packet: Provides the details of a packet, by which you can get the original information of conversations.
• Log: Provides the logs of DNS, Email communications, FTP transfer, web accesses, etc.
• Physical Conversation: Lists the conversations between two MAC addresses.
• UDP Conversation: Lists the conversations using UDP protocols.
• Report: Provides a wide range of statistics reports, from the global network to a specific node.
• ARP Attack: Detects ARP atta
104. e view
• To arrange views, click the View Display icon on the Analysis tab of the Ribbon section and click Move Up or Move Down.

Meanwhile, the statistical view section provides different statistical views when different types of nodes are selected in the Node Explorer window.

Online Resource window

The Online Resource window provides online resources including how to use Capsa, a live demo and the technical forum. It is displayed on the right section of the main user interface by default. You can close it by clicking the close button on the top right corner. If you do not want to show it when starting analysis projects, click the Menu button, select Options, and on the Basic Settings tab cancel the selection on Show Online Resource window on start.

Status Bar

The Status Bar presents the general information of the current project. It is at the bottom of an analysis project and appears as below:

[Figure: Status Bar]

From left to right, the Status Bar includes seven parts as below:
• Analysis Mode, Analysis Profile: This part shows the analysis mode and the analysis profile you selected. You can click this part to open the Analysis Profile Settings dialog box to configure settings. See Analysis Profile for mor
105. efault one and the reports created by users. There are four icon buttons on the report list pane:
• Opens the New Report dialog box.
• Opens the Edit Report dialog box.
• Deletes the selected report.
• Resets the report list to default.

The default report cannot be deleted but can be edited.

Report content

The Report view presents report items in different tables with statistic numbers, and some with bar charts. The Report view has the following three parts:

1. Report Head
The Report Head has four components:
• Name: Shows the prefix of the report name and the name you specified when creating the report.
• Create Time: Displays the time for creating the report.
• Logo: Shows the logo image of the company.
• Company Name: Shows the name of the company.
All four components can be edited on the Report Settings.

2. Report Body
The Report Body is the main part of the report. It consists of multiple tables, statistics and bar charts. Some report items contain many sub report items. With the bar charts, the report viewer can have a clear understanding of the percentage comparison. All selected items for creating reports are listed here, sorted by Item, Statistical Value and Reference Value, which can be modified by editing a report.

3. Report Footer
This part displays the name of the creator, which can be edited on the Report Settings.

ARP
106. en broadcast packet per second is greater than its setting value or multicast packet per second is greater than its setting value. Both setting values are integers between 10 and 500, and 100 is set by default.
2. It is supposed to be DoS Attacking when the ratio of sent packets to received packets is greater than its setting value and sent TCP SYN packet per second is greater than its setting value. The first setting value is an integer between 1 and 5, and 3 is set by default. The second value is an integer between 3 and 200, and 50 is set by default.
3. It is supposed to be DoS Attacking when the ratio of sent packets to received packets is greater than its setting value and sent bytes per second is greater than its setting value. The first setting value is an integer between 1 and 5, and 3 is set by default. The second value is an integer between 1 and 100, and 10 is set by default.
4. It is supposed to be DoS Attacking when the ratio of sent packets to received packets is greater than its setting value and sent packet per second is greater than its setting value. The first setting value is an integer between 1 and 5, and 3 is set by default. The second value is an integer between 100 and 1,000, and 500 is set by default.

DoS Attacked settings

The DoS attacked analysis detects the hosts which are under DoS attack, and the settings part appears as follows. DoS Attacked analysis provides related statistics and IP addresses of the hosts which
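Rules 2 to 4 of the DoS Attacking settings above, written out as detection logic with the stated defaults and allowed ranges. This is an added example, not Colasoft code: the class, field and rule names and the sample hosts are constructed, and the byte-rate figure is kept in whatever unit the setting uses, because the page does not state it.

```python
from dataclasses import dataclass
from math import inf

RATIO_RANGE = (1, 5)  # allowed range of the sent/received ratio setting (from the page)


@dataclass(frozen=True)
class Rule:
    """One 'ratio AND rate' rule; both comparisons are strict 'greater than'."""
    name: str          # hypothetical label, not a Capsa identifier
    metric: str        # HostStats attribute compared against `rate`
    rate: int          # second setting value
    rate_range: tuple  # allowed range of the second setting value
    ratio: int = 3     # first setting value, default 3

    def __post_init__(self):
        checks = (("ratio", self.ratio, RATIO_RANGE),
                  ("rate", self.rate, self.rate_range))
        for label, value, (low, high) in checks:
            if not isinstance(value, int) or not low <= value <= high:
                raise ValueError(
                    f"{self.name}: {label} must be an integer in {low}..{high}")


# Defaults and ranges as listed in rules 2, 3 and 4.
DEFAULT_RULES = (
    Rule("syn_rate", "syn_per_sec", rate=50, rate_range=(3, 200)),
    Rule("byte_rate", "volume_per_sec", rate=10, rate_range=(1, 100)),
    Rule("packet_rate", "packets_per_sec", rate=500, rate_range=(100, 1000)),
)


@dataclass
class HostStats:
    """Per-host counters over one observation window (constructed structure)."""
    ip: str
    sent_packets: int
    received_packets: int
    sent_syn: int
    sent_volume: float  # sent bytes, in the unit of the byte-rate setting (assumption)
    seconds: float

    @property
    def ratio(self):
        # A host that only sends has an unbounded ratio; avoid dividing by zero.
        if self.received_packets == 0:
            return inf if self.sent_packets else 0.0
        return self.sent_packets / self.received_packets

    @property
    def syn_per_sec(self):
        return self.sent_syn / self.seconds

    @property
    def volume_per_sec(self):
        return self.sent_volume / self.seconds

    @property
    def packets_per_sec(self):
        return self.sent_packets / self.seconds


def triggered(host, rules=DEFAULT_RULES):
    """Return the names of the rules under which the host counts as DoS Attacking."""
    if host.seconds <= 0:
        raise ValueError("observation window must be positive")
    return [r.name for r in rules
            if host.ratio > r.ratio and getattr(host, r.metric) > r.rate]


def suspects(hosts, rules=DEFAULT_RULES):
    """Map each flagged host IP to the rules it triggered."""
    flagged = {}
    for host in hosts:
        names = triggered(host, rules)
        if names:
            flagged[host.ip] = names
    return flagged


# Constructed sample data (documentation address range), 10-second window.
SAMPLE_HOSTS = [
    HostStats("192.0.2.10", 6000, 1000, 550, 50, 10),  # ratio 6, 55 SYN/s, 600 pps
    HostStats("192.0.2.20", 6000, 5000, 550, 50, 10),  # busy, but ratio only 1.2
    HostStats("192.0.2.30", 100, 0, 0, 200, 10),       # send-only, 20 units/s
    HostStats("192.0.2.40", 6000, 2000, 0, 0, 10),     # ratio exactly 3: not flagged
]

if __name__ == "__main__":
    for ip, names in suspects(SAMPLE_HOSTS).items():
        print(ip, names)
```

The second and fourth sample hosts show why the ratio condition matters: both send 600 packets per second, above the default 500, but neither exceeds the ratio of 3, so neither is flagged.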
107. er Requested URL Method User Agent Quote Content Length Content Type Authentication Client HTTP Version Duration Average Speed Bps Status Code and Server Response. To show a column, right-click the column header and select the column.

ICQ Log

The ICQ Log records ICQ conversations automatically in real time and exports all intercepted messages to files for later processing and analyzing. It appears as below:

[Figure: ICQ Log list]
108. er the network via network adapters, also known as Network Interface Cards (NIC for short), and network analyzers capture the data through network adapters.

3. Adapter Status section
• When a wired network adapter on the Adapter List section is selected, this section shows the real-time traffic status of the adapter.
• When a wireless network adapter on the Adapter List section is selected, this section becomes the AP Status section and lists all available APs.

4. Analysis Profile section
Lists all available analysis profiles. See Analysis Profile for details.

5. Configuration Info section
Displays the configuration info of the analysis project and includes the following parts:
• Adapter: Displays the adapter selected on the Adapter List section.
• Network Profile: Displays the selected network profile. To edit or change a network profile, click Set Network Profile on the right side. See Network Profile for details.
• Analysis Profile: Shows some details of the analysis profile selected on the Analysis Profile section, including loaded analysis modules, packet filters and data storage information.

You can click the icon on the right side to get related tips and introductions.

Starting a capture

This page mainly describes the steps to start a capture with wired network adapters. To start a capture with wireless network adapters, see Capturing with wireless network
109. ersations are identified according to default setting values configured by the program, and you can also choose not to detect suspicious conversations. See Suspicious Conversation settings for details.

The Suspicious Conversation view is not available when you select any node on the Protocol Explorer, or any node except IP address nodes on the Physical Explorer. This view lists the traffic statistical information of suspicious conversations. You can double-click any item on the list to view detailed conversation information in the TCP Flow Analysis window. See TCP Flow Analysis window for more information.

Toolbar

The following table lists and describes the items on the toolbar of this view:
• Exports the current statistical list as a csv file.
• Shows or hides the lower pane.
• Makes a packet filter based on the selected node. See Creating Filters for details.
• Refreshes the node list, or sets the display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, the display will update only when the Refresh button is clicked.
• Displays particular items of the list. See Display Filter for details.
• Security Analysis Suspicious Conversation: Shows the number of worm attacks in the list. The name changes along with the selection in the Node Explorer window.

Suspicious
110. essional in monitoring and analyzing intranet packets and packets from the internet, even packets crossing VLANs. Colasoft Capsa only needs to be installed on the management machine, not on the other managed clients. The administrator needs to decide on which machine to install Colasoft Capsa. The total number of captured packets may differ depending on the node where it is installed. Therefore, it is recommended that you install or connect Colasoft Capsa to the central switch equipment, so that it captures packets of your entire network for comprehensive monitoring and analysis. You can also use a TAP to capture packets and analyze any network segment. Here we introduce some common topology environments in which Colasoft Capsa can monitor and analyze sufficiently.

Shared network (Hub)

A shared network, also known as a hubbed network, is connected with a hub. Hubs are commonly used to connect segments of a LAN. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets. A passive hub serves simply as a conduit for the data, enabling it to go from one device or segment to another. So-called intelligent hubs include additional features that enable an administrator to monitor the traffic passing through the hub and to configure each port in the hub. Intelligent hubs are also called manageable hubs. A third type of hub, called a switching hub, actually reads the destination address of
111. etwork Profile

Name Table

The Name Table tab manages symbolic names for all MAC addresses and IP addresses. You can use the Select name table to select between the MAC name table and the IP name table. If you have too many items in the list, you can type a key word in the Search textbox to find your item. The buttons on this tab are described as follows:
• Add: Adds a name for an address. See Adding to Name Table for details.
• Modify: Edits the selected alias item.
• Delete: Deletes the selected alias item.
• Import: Reads the filters from a csccont file or cscntab file.
• Export: Saves the filters to a csccont file.
• Options: Sets Name Table options.

Click the Options button and the Name Table Options dialog box appears:

[Figure: Name Table Options dialog box]

• Auto resolve host names: Enabled by default, to automatically resolve the names for the hosts.
• Save auto resolved host names: Enabled by default, to save auto resolved host names.
• Save unused names: Specifies the days to save unused names, 2 days by default.

The host will be displayed with the resolved names instead of IP addresses. The function of automatically resolving will only be valid when a network profile is applied.

Adding to Name Table

To add a name for an address, follow the steps below:
1. Click the Name Table button on the Analysis tab of the Ribbon section, select a name table and click Add b
112. first packet that is sent from node 2 to node 1.

IP Conversation view

The IP Conversation view shows statistics of the network traffic on the basis of IP address conversations, to help you know the traffic status between IP addresses of the network. The IP Conversation view is not available when you select a node group or MAC address on the Physical Explorer, or some protocol nodes on the Protocol Explorer.

When you select a specific item in the conversation list on the IP Conversation view, the lower pane tabs will provide detailed information about the item. See IP Conversation lower pane tabs for details. You can double-click any item in the conversation list to view detailed packet information in the Packet window, which is named with the conversation and is the same as the Packet view. See Packet view for more information.

Toolbar

The following table lists and describes the items on the toolbar of this view:
• Exports the current statistical list as a csv file.
• Shows or hides the lower pane.
• Makes a packet filter based on the node of the selected conversation. See Creating Filters for details.
• Refreshes the conversation list, or sets the display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, the display will update only when the Refresh button is clicked.
• D
113. for details.
• Shows the number of the nodes in the list. The name changes along with the selection in the Node Explorer window.

IP Endpoint columns

By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open the Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Endpoint columns for details.

Pop-up menu

Right-click the node list to get a pop-up menu with items as follows: Packet Details, Copy, Copy Column, Display Column, Export Node Statistics, Find, Make Filter, Make Graph, Make Alarm, Add to Name Table, Resolve Address, Locate in Node Explorer, Select All, Refresh.
• Packet Details: Views the decoding information of the packets of the node in the Packet window, which is the same as the Packet view. See Packet view for more information.
• Copy: Copies the selection and the header row in original format to the clipboard.
• Copy Column: Copies the selected column in original format to the clipboard.
• Display Column: Shows or hides columns, or changes the position of columns. This command is the same as right-clicking the column header.
• Export Node Statistics: Exports the current statistical list as a csv file.
• Find: Calls out the Find dialog box to search only in the node list.
• Make Filter: Makes a packet filter based on the selected node. See Creating Filters for details.
• Make Graph: Makes a graph in the Dashboard view on the basis of the selected node. See Creating Grap
114. for details.
• The UDP Conversation tab lists the conversations using UDP protocol of the node selected on the IP Endpoint view. The toolbar and columns are the same as those on the UDP Conversation view. See UDP Conversation for details.

You can double-click any item in the conversation lists to view detailed packet information in the Packet window, which is named with the conversation and is the same as the Packet view. See Packet view for more information.

Physical Conversation view

The Physical Conversation view shows statistics of the network traffic on the basis of MAC address conversations, to help you know the traffic status between MAC addresses of the network. The Physical Conversation view is not available when you select IP address nodes on the Physical Explorer or any nodes on the IP Explorer. You can double-click any item in the conversation list to view detailed packet information in the Packet window, which is named with the conversation and is the same as the Packet view. See Packet view for more information.

Toolbar

The following table lists and describes the items on the toolbar of this view:
• Exports the current conversation list as a csv file.
• Makes a packet filter based on the node of the selected conversation. See Creating Filters for details.
• Refreshes the conversation list, or sets the display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, display wil
115. gnosis events in the list.
• Reads the diagnosis event settings from a cscdiag file.
• Saves the diagnosis event settings to a cscdiag file.

View Display

This tab is used to specify which statistical views are shown or hidden, and the order in which the views are shown. For Full Analysis, all statistical views are shown by default. To hide a statistical view, cancel the selection on the Show column of the view. To rearrange the display order of the statistical views, click Move Up or Move Down.

Packet Buffer

Capsa captures traffic on the network and stores the analyzed packets into the buffer. All packets displayed on the Packet view are stored in the Packet Buffer. Therefore, the buffer size decides how many packets you can see on the Packet view.

Enable packet buffer

Packet buffer is enabled to store packet information. If this function is disabled, all statistical information based on packets will not be available, including detailed packet decoding information on the Packet view; the statistics on the Packet tab, the Data Flow tab and the Time sequence tab on the TCP Conversation view; the Packet window; and the TCP Flow Analysis window.

Buffer size

By default, the packet buffer size is set to 16 MB. You can change the value, but you should take the size of your system memory into consideration. You are recommen
116. he encryption type and you should just enter the encryption keys. The program can remember the settings of an AP. If it is not the first time you select an AP, you can just select the AP without entering the keys.

To manage the APs that have been used, right-click and choose Wireless Network Manager to open the Wireless Network Manager window, in which you can find a history list of all the wireless APs that have been monitored. You can change their encryption keys and delete the old entries.

Replaying captured packets

Capsa analyzes not only live network data but also captured packets, including packets captured by Capsa as well as packets captured by other programs such as Wireshark, Omnipeek and other packet files. To replay captured packets, follow the steps below:
1. Select the Replay tab on the Start Page.
2. Add the packet files from the Packet Files section.
3. Click Set Network Profile on the Configuration Info section to select a network profile. A network profile includes the settings about node group, name table and alarms. See Network Profile for details.
4. Select a proper analysis profile on the Analysis Profile section. An analysis profile includes the settings about analysis modules, analysis objects, packet buffer, packet filters, logs, diagnosis events, packet output and view display. Capsa provides six analysis profiles by default
117. he little triangle. If the interval is set to Manually Refresh, the display will update only when the Refresh button is clicked. Conduct DoS Attac: Shows the number of worm attacks in the list. The name changes along with the selection in the Node Explorer window. Displays particular items of the list. See Display Filter for details. DoS Attacking columns: By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open the Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Endpoint columns for details. Pop-up menu: Right-click the node list to get a pop-up menu with items as follows. Packet Details: Views the decoding information of the packets of the node in the Packet window, which is just the same as the Packet view. See Packet view for more information. Copy: Copies the selection and the header row in original format to the clipboard. Copy Column: Copies the selected column in original format to the clipboard. Display Column: Shows or hides columns or changes the position of columns. This command is just the same as right-clicking the column header. Export Node Statistics: Saves current list of the node statistics as a csv file. Adds
118. he proxy server. Ways of configuring port mirroring differ between switches and models. See Switch and Port Mirroring to learn commonly used switch port mirroring configurations. Port mirroring: A switch is a network exchange facility operating at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model. Classified by working protocols, there are two-layer switches, three-layer switches, four-layer switches and multiple-layer switches. Switches can also be classified into managed switches and unmanaged switches. Generally, three-layer switches and above have a management function (managed switch). Unlike hubs, switches prevent promiscuous sniffing. In a switched network environment, Colasoft Capsa or any other packet analyzer is limited to capturing packets only from the port the machine is connected to, along with broadcast packets and multicast packets. However, most modern switches (managed switches) support port mirroring, which allows users to configure the switch to redirect the traffic that occurs on some or all ports to a designated monitoring port on the switch. With this feature, you can monitor the entire LAN segment in a switched network environment. Please refer to the configuration documents shipped with your switch for this feature and configuration instructions. If your switch does not support port mirroring, you can install Colasoft Capsa on a workstation connected
119. hich includes three graphs and which can be renamed and be deleted after you have created a new panel. The close icon on the top-right corner of a graph means deleting the graph from the dashboard panel instead of closing it. Pop-up menu: Right-click charts of the Sample Chart type to get a pop-up menu with items as follows. Pause Refresh: Pauses the refresh. Legend Box: Sets display options. Show Legend Box, Hide Legend Box and Auto show Legend Box: Set whether to show the Legend Box or not. Pos Top, Pos Bottom, Pos Left and Pos Right: Select the position where the Legend Box shows. Line Chart: Displays the graph as a line chart. Area Chart: Displays the graph as an area chart. Titles: Shows the title of the graph, the title of the X coordinate and the title of the Y coordinate. Indicatrix: Shows a horizontal line which moves with the mouse pointer and shows the value of the Y coordinate where the mouse pointer is located. Sample Interval: Sets the sample interval. Save Graph: Saves the current graph to disk. You can save graphs in png, emf and bmp formats. Right-click charts of the Top Chart type to get a pop-up menu with items as follows. Pause Refresh: Pauses the refresh. Legend Box: Sets display options. Show Legend Box, Hide Legend Box and Auto show Legend Box: Set whether to show the Legend Box or not. Pos Top, Pos Bottom, Pos Left and Pos Right: Select the position where the Legend Box shows. Refresh Interval: Sets the refresh interval. Save Graph: Saves the curren
120. hirty seconds. Traffic direction icon: You may have noticed the arrow icons in front of each node, with different directions and colors. The upper arrow indicates packets transmitted to the node, the middle line indicates transmission inside the node, and the lower arrow indicates packets transmitted out from the node. Green indicates ongoing transmission and grey indicates completed transmission. Address type icon: In front of the arrow icons, there are icons indicating the address type of the node: two icons both indicating broadcast address, two both indicating multicast address, and one indicating Internet address. Internet address group: By default, Internet IP addresses are hierarchically grouped by countries or areas. To display the Internet IP addresses flat, click Node Group on the Analysis tab of the Ribbon section and cancel the selection on Enable Country Group. Statistical views: The statistical views provide a huge amount of statistics on the network. See Viewing Statistics for more information. The default visibility status of the statistical views changes along with the analysis profile. The following table lists the statistical views for each analysis profile: Dashboard, Summary, Diagnosis, Protocol, Physical Endpoint, IP Endpoint, Physical Conversation, IP Conversation, TCP Co
121. hout stop Capsa from capturing.
• Disable list smooth scrolling: Instant scrolling will be enabled if you select this option.
• Disable list sorting if item count reaches: If the item count reaches the limitation, the columns of the statistical views cannot be automatically sorted by clicking the column headers.
• Show Save Packet dialog box on exit: The program will pop up a dialog box to remind you to save the packets in the buffer when exiting the program.
• Show Online Resource window on start: The Online Resource window will be shown on the right side of the program when launching the program.
• Show wireless network disconnection message on starting wireless analysis: Shows the wireless network disconnection message when starting a wireless analysis project using the wireless network adapter.
Default: Click to reset all settings on this tab. Decoder Settings: This tab lists all decoding modules of Capsa. All decoders are modularized, and you can enable or disable them with the check boxes. By default, all decoders are enabled. There are only two buttons: one enables all decoders, and the other disables all decoders. Protocol Settings: This tab is used to manage default protocols and user-defined protocols. Note that you cannot make any changes to the protocols or create a new one when there is a capture running. You nee
122. hs for details. Makes an alarm on the basis of the selected node. See Creating Alarms for details. Adds an alias to the Name Table for the IP address in the node list. See Name Table for details. Only available when an IP address node is selected. Resolves the host name of selected node. Locates the selected node in the Node Explorer window. Only available with right-clicking an IP address node. Calls out the built-in Ping Tool to ping selected node. Selects all items in the node list. Refreshes the node list. IP Endpoint lower pane tabs: The IP Endpoint lower pane tabs display the details of the node selected on the IP Endpoint view. By default, the lower pane is visible. You can click the Details button on the IP Endpoint view to close it, and you can also click the Details button to show the lower pane when it is invisible. The IP Endpoint lower pane provides the IP Conversation tab, the TCP Conversation tab and the UDP Conversation tab.
• The IP Conversation tab lists all IP address conversations of the node selected on the IP Endpoint view. The toolbar and columns are just the same as those on the IP Conversation view. See IP Conversation for details.
• The TCP Conversation tab lists the conversations using TCP protocol of the node selected on the IP Endpoint view. The toolbar and columns are just the same as those on the TCP Conversation view. See TCP Conversation
123.
• Matrix, including default matrix and user-defined matrices.
• Report, including default report and user-defined reports.
This function is very useful when you want Capsa on different machines to have the same configurations, or when you configure Capsa after reinstalling the operating system. Just by some simple clicks you can achieve said purposes.
• To export global configurations, click Menu Button, point to Global Configurations and select Export global configurations to export the global configurations as a csbak file.
• To import global configurations, click Menu Button, point to Global Configurations and select Import global configurations.
System Options: To open the System Options dialog box, click the Menu button and select Options on the bottom-right corner of the menu. The System Options dialog box includes six tabs as below:
• Basic Settings
• Decoder Settings
• Protocol Settings
• Task Scheduler
• Report Settings
• Display Format
Basic Settings: This tab includes six options.
• Always maximize the window when starting the program: Always maximizes the program window when launching the program.
• Disable windows from suspending during capture: The power option schema in your system control panel will be ignored. You cannot standby or hibernate your system wit
124. iggered or dismissed according to the statistics of all packets captured by the analysis project. 2. Alarms created by the last two methods above will be triggered or dismissed according to the statistics about the node which you right-clicked or which you selected in the Node Explorer window. 3. You can get a pop-up menu with Make Alarm on it by right-clicking in the Node Explorer window and on all statistical views except the Dashboard, the Summary, the Matrix and the Report views. The Make Alarm dialog box shows as follows.
[Figure: Make Alarm dialog box]
The Make Alarm dialog box has the following parts:
• General Information: Sets the general information of the alarm, including alarm name, alarm type, object and alarm severity, wherein the object option is set by the program automatically.
• Counter: Sets the statistic items of the alarm, with different alarm objects having different statistic items.
• Trigger Condition: Sets the trigger conditions for the alarm.
• Release Condition: Sets the release conditions for the alarm.
• Top 10 Traffic Statistics: With this functionality enabled, top 10 traffic statistics wil
125. ill only display the events of selected address in detail. The buttons of the toolbar are listed in the following table. Saves the list of this pane as a csv file. Makes a packet filter based on the IP address or MAC address of selected item in the list. See Creating Filters for details. Locates the IP address or MAC address of selected item in the list in the Node Explorer window. Refreshes the list or sets display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, the display will update only when the Refresh button is clicked. Diagnosis Events columns: By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open the Display Column dialog box to set which columns to show and set the position, the alignment and the width of the column. The following table lists and describes the columns of this pane. Time: The date and time the event occurred. Severity: The severity of the event. Type: The type of the event, including performance, security and fault. Layer: The network layer that the event belongs to. Event Description: The description of the event, including event reason and packet number, etc. The source IP address for the packet. The node is identified by
126. in time sequential order. See Time Sequence tab for details. Data Flow tab: This tab presents original information of the conversation selected on the TCP Conversation view. A TCP conversation realized on the network may be sliced into multiple packets, and the packets are transmitted over the network out of order. Capsa organizes these packets in correct order and reconstructs these packets into a TCP flow. The conversations using TCP protocol, including Web (HTTP), Email (SMTP, POP3), FTP and MSN and so on, can be reconstructed. The Data Flow tab appears as follows.
[Figure: Data Flow tab showing the reconstructed HTTP request and response of the conversation 192.168.5.24:50005 <-> 207.218.235.182:80]
127. ion in the Node Explorer window. DoS Attacked columns: By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open the Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Endpoint columns for details. Pop-up menu: Right-click the node list to get a pop-up menu with items as follows. Packet Details: Views the decoding information of the packets of the node in the Packet window, which is just the same as the Packet view. See Packet view for more information. Copy: Copies the selection and the header row in original format to the clipboard. Copy Column: Copies the selected column in original format to the clipboard. Display Column: Shows or hides columns or changes the position of columns. This command is just the same as right-clicking the column header. Export Node Statistics: Saves current list of the node statistics as a csv file. Add to Name Table: Adds an alias to the Name Table for the IP address or MAC address of selected item. See Name Table for details. Resolve Address: Only available when an IP address node is selected. Resolves the host name of selected node. Locate in Node Explorer: Locates the selected node in the Node Explorer window. Only avai
128. isplays particular items of the list. See Display Filter for details. Shows the number of the conversations in the list. The name changes along with the selection in the Node Explorer window. IP Conversation columns: By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open the Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Conversation columns for details. Pop-up menu: Right-click the conversation list on this view to get a pop-up menu with items as follows. Packet Details: Views the decoding information of the packets of the conversation in the Packet window, which is just the same as the Packet view. See Packet view for more information. Copy: Copies the selection and the header row in original format to the clipboard. Copy Column: Copies the selected column in original format to the clipboard. Display Column: Shows or hides columns or changes the position of columns. This command is just the same as right-clicking the column header. Export Conversation Statistics. Find: Calls out the Find dialog box to search only in the conversation list. Make Filter: Makes a packet filter based on the node of selected conversation. See Creating Filters for details. Make Graph: Makes a graph in the Dashboard view on the basis of the node of selected conversation. See Creating Exports
129. ith the selection in the Node Explorer window. UDP Conversation columns: By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open the Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Conversation columns for details. Pop-up menu: Right-click the conversation list on this view to get a pop-up menu with items as follows. Packet Details: Views the decoding information of the packets of the conversation in the Packet window, which is just the same as the Packet view. See Packet view for more information. Copy: Copies the selection and the header row in original format to the clipboard. Copy Column: Copies the selected column in original format to the clipboard. Display Column: Shows or hides columns or changes the position of columns. This command is just the same as right-clicking the column header. Export Conversation Statistics: Exports current statistical list as a csv file. Find: Calls out the Find dialog box to search only in the conversation list. Make Filter: Makes a packet filter based on the node of selected conversation. See Creating Filters for details. Make Graph: Makes a graph in the Dashboard view on the basis of the node of selected conversation. See Creating Graphs for det
130. k Click here to add a new chart on the dashboard panel.
• Click the icon in the Node Explorer window.
• Choose Make Graph on the pop-up menu, which is available for the Node Explorer window and all statistical views except the Dashboard, Summary, Matrix and Report views.
1. Graphs that are created by the first two methods above show the statistics of all packets captured by the analysis project.
2. Graphs that are created by the last two methods above show the statistics of the packets about the node which you right-clicked or which you selected in the Node Explorer window.
For example, when you want to view the total traffic status of a specific network segment in a graph, you should first locate the segment in the Node Explorer window, right-click the segment and choose Make Graph, and then check Total in the Traffic list. The Make Graph dialog box appears as follows.
[Figure: Make Graph dialog box]
The Make Graph dialog box contains two tabs, Sample Chart and Top Chart, both including the following items:
• Graph Name: The name of the graph, which ca
131. l be recorded in the alarm log when the alarm was triggered. Different alarm objects have different traffic statistic items. Each alarm has its unique name, and you cannot create an alarm with a name that already exists in the list. Edit Alarm: You can double-click any alarm to open the Edit Alarm dialog box to edit the alarm. The Edit Alarm dialog box is just the same as the Make Alarm dialog box. You can only edit Alarm Name and Type, Value Type of Counter, Trigger Condition and Release Condition in the Edit Alarm dialog box. If you need to edit other options, you should delete the alarm first and then create a new one. Alarm Explorer window: When you view the statistics of the network, you may want a tool to alert you to some specific statistics or traffic status of the network. The alarm function is that tool. For your convenience, Capsa provides an Alarm Explorer window to manage alarms, in which you can create, edit and view alarms. You can also get triggered alarm info in the alarm notification area on the right side of the Status Bar. Read Creating Alarms to learn how to create and edit an alarm. To open the Alarm Explorer window, click in the alarm notification area on the right side of the Status Bar. If you want to show the Alarm Explorer window when starting analysis projects, click the View tab of the Ribbon section and select Alarm Explorer. The Alarm Explorer window appears as below.
132. l update only when the Refresh button is clicked. Displays particular items of the list. See Display Filter for details. Shows the number of the conversations in the list. The name changes along with the selection in the Node Explorer window. Physical Conversation columns: By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open the Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Conversation columns for details. Pop-up menu: Right-click the conversation list on this view to get a pop-up menu with items as follows. Packet Details: Views the decoding information of the packets of the conversation in the Packet window, which is just the same as the Packet view. See Packet view for more information. Copy: Copies the selection and the header row in original format to the clipboard. Copy Column: Copies the selected column in original format to the clipboard. Display Column: Shows or hides columns or changes the position of columns. This command is just the same as right-clicking the column header. Export Conversation Statistics. Make Graph: Makes a graph in the Dashboard view on the basis of the node of selected conve
133. lable with right-clicking an IP address node. Calls out the built-in Ping Tool to ping selected node. Select All: Selects all items in the node list. Refresh: Refreshes the node list. DoS Attacked lower pane: When you select a specific item in the node list on the DoS Attacked view, the lower pane tabs will provide detailed information about the item. By default, the lower pane is visible. You can click the Details button on the DoS Attacked view to close it, and you can also click the Details button to show the lower pane when it is invisible. The DoS Attacked lower pane provides the IP Conversation tab, the TCP Conversation tab and the UDP Conversation tab.
• The IP Conversation tab lists all IP address conversations of the node selected on the Worm view. The toolbar and columns are just the same as those on the IP Conversation view. See IP Conversation for details.
• The TCP Conversation tab lists the conversations using TCP protocol of the node selected on the Worm view. The toolbar and columns are just the same as those on the TCP Conversation view. See TCP Conversation for details.
• The UDP Conversation tab lists the conversations using UDP protocol of the node selected on the Worm view. The toolbar and columns are just the same as those on the UDP Conversation view. See UDP Conversation for details.
You can double-click any item in the conversation lists to view detailed packet information in the Packet window, which is named with the conversation and is just the same a
134. loaded. Over 20% of broadcast or multicast traffic utilization: broadcast/multicast storm and ARP attack.
Diagnosis: Information Events, Notice Events, Warning Events, Error Events.
Packet Size Distribution: <=64, 65-127, 128-255, 256-511, 512-1023, 1024-1517, >=1518. List byte, packet number, utilization, bps, packets per second of each packet size type. Large portion of traffic at <=64 or >=1518: fragment attack or flood attack.
Address: MAC Address, IP Address, Local IP Address, Remote IP address. List the number of each address type. Too large number: MAC flooding attack, TCP flooding attack, etc.
Total Protocols, Data Link Layer, Network Layer, Transport Layer, Session Layer, Presentation Layer, Application Layer. List the number of total protocols and protocols of six layers.
Physical Conversations, IP Conversations, TCP Conversations, UDP Conversations.
TCP SYN Sent, TCP SYNACK Sent, TCP FIN Sent, TCP Reset Sent, plus TCP SYN Received, TCP SYNACK Sent, TCP FIN Received and TCP Reset Received when a specific node of IP Explorer is selected. List the number of each flag of TCP conversation. Large number of TCP SYN packets: port scanning, TCP SYN flooding attack.
Security Alarms, Performance Alarms, Fault Alarms. List the number of each alarm type.
DNS Analysis: DNS Queries, DNS Responses. List the number of DNS query and response. This
135. mand is just the same as right-clicking the column header. Export Node Statistics: Saves current list of the node statistics as a csv file. Find: Calls out the Find dialog box to search only in the node list. Make Filter: Makes a packet filter based on the selected node. See Creating Filters for details. Make Graph: Makes a graph in the Dashboard view on the basis of the selected node. See Creating Graphs for details. Make Alarm: Makes an alarm on the basis of the selected node. See Creating Alarms for details. Add to Name Table: Adds an alias to the Name Table for the IP address or MAC address of selected item. See Name Table for details. Resolve Address: Only available when an IP address node is selected. Resolves the host name of selected node. Locate in Node Explorer: Locates the selected node in the Node Explorer window. Only available with right-clicking an IP address node. Calls out the built-in Ping Tool to ping selected node. Select All: Selects all items in the node list. Refresh: Refreshes the node list. TCP Port Scan lower pane: When you select a specific item in the node list on the TCP Port Scan view, the lower pane tabs will provide detailed information about the item. By default, the lower pane is visible. You can click the Details button on the TCP Port Scan view to close it, and you can also click Details b
136. [Figure: MSN Log list]
The MSN Log includes columns: Date and Time, Client MAC, Client IP, Client Port, Server MAC, Server IP, Server Port, Session Name, Content, Action, Sender Account, Receiver Account and IM Type. To show a column, right-click the column header and select the column. YAHOO Log: The YAHOO Log records YAHOO communications over the network, including communication date and time, session name, message content, action status and the communication accounts. It appears as below.
[Figure: YAHOO Log list with the columns Date and Time, Session Name, Content and Action]
137. mmary view provides:
• For Full Analysis: Traffic statistics, Conversation statistics, TCP statistics, DNS Analysis statistics, Email Analysis statistics, FTP Analysis statistics and HTTP Analysis statistics of the node.
• For Security Analysis: Security Analysis statistics, Traffic statistics, Conversation statistics, TCP statistics, DNS Analysis statistics, Email Analysis statistics, FTP Analysis statistics and HTTP Analysis statistics of the node.
• For HTTP Analysis: Traffic statistics, Conversation statistics, TCP statistics and HTTP Analysis statistics of the node.
• For Email Analysis: Traffic statistics, Conversation statistics, TCP statistics and Email Analysis statistics of the node.
• For DNS Analysis: Traffic statistics, Conversation statistics, TCP statistics and DNS Analysis statistics of the node.
• For FTP Analysis: Traffic statistics, Conversation statistics, TCP statistics and FTP Analysis statistics of the node.
Summary items: The statistics provided by the Summary view change along with the Analysis Profile and the node in the Node Explorer window. With Full Analysis and the root node chosen in the Node Explorer window, the statistics items for the Summary view include:
List the number of each event type. See Diagnosis for more information.
Traffic: Total, Broadcast, Multicast, Average Packet Size. List byte, packet number, utilization, bps, packets per second of each traffic type. Over 50% of total traffic utilization: network may be over
138. mple you can find the IP address with the largest traffic volume on a local network. The IP Endpoint view will not be available when you select a node group or MAC address on the Physical Explorer. When you select a specific item in the node list on the IP Endpoint view, the lower pane tabs will provide detailed information about the item. See IP Endpoint lower pane tabs for details. You can double-click an item in the node list to view detailed packet information in the Packet window, which is named with the node and is just the same as the Packet view. See Packet view for more information. Toolbar: The following table lists and describes the items on the toolbar of this view. Shows the node list in hierarchical type or in flat type. Exports current statistical list as a csv file. Shows or hides the lower pane. Makes a packet filter based on the selected node. See Creating Filters for details. Adds an alias to the Name Table for selected node. See Name Table for details. Locates the selected node in the Node Explorer window. Refreshes the node list or sets display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, the display will update only when the Refresh button is clicked. Displays particular items of the list. See Display Filter
139. n be automatically generated or defined by users.
• Graph Object: Shows the statistical object of the graph, which is defined by the program.
• Dashboard Panel: For you to choose the dashboard panel for managing the graph, listing all created dashboard panels in the combo box.
• Statistics Counters: Shows all available statistical items, which change along with the Graph Object.
• Counter Unit: Shows the unit for the Statistics Counters.
Graph types: Capsa provides a wide range of statistics items for you to create graphs, generalized as two types:
• Sample chart
• Top chart
Sample chart: Sample Chart includes statistics items as follows:
• Diagnosis Statistics: Information Diagnosis, Notice Diagnosis, Alarm Diagnosis and Error Diagnosis
• Wireless Analysis: Noise Traffic, Control Frame Traffic, Management Frame Traffic, Decrypted Data Frame Traffic, Unencrypted Data Frame Traffic and Undecrypted Data Frame Traffic
• Traffic: Total, Broadcast, Multicast, Average Packet Size and Utilization
• Packet Size Distribution: <=64, 65-127, 128-255, 256-511, 512-1023, 1024-1517 and >=1518
• Address: Physical Address Count, IP Address Count, Local IP Address Count and Remote IP Address Count
• Protocol: Total Protocols, Data Link Layer Protocols, Network Layer Protocols, Transport Layer Protocols, Session Layer Pro
140. n user interface. By adopting new Microsoft Office UI, Capsa intends to present statistics and diagnosis data in a simple, straight and graphical style. From the figure below you can learn that an analysis project window is mainly divided into six sections.

[Figure: the Analysis Project 1 - Full Analysis window; visible labels include Menu Button, Protocol Explorer, Physical Explorer and Start Page]
141. nalysis module is not compatible with this operating system.

Wireless adapters
- All integrated, USB, Express Card and PCI wireless adapters with Network Driver Interface Specification (NDIS) 6.0 driver library

Installation and Uninstall

Before installation
1. Carefully read Installation Environment and check if your network topology is fit for Colasoft Capsa working environment.
2. Carefully read System Requirements and make sure your machine meets the minimum requirements at least.
3. Close all running applications on your machine.
4. Uninstall any earlier or trial versions of Colasoft Capsa on your machine.

You can skip the uninstall step. Colasoft Capsa will automatically check the older versions and ask you to uninstall them in the installation wizard.

Installation
1. Double-click the installation file. The Welcome screen appears, telling you that Colasoft Capsa will be installed on your machine. Click Next to continue or Cancel to exit setup.
2. Read the License Agreement carefully in the next screen to learn our terms and conditions concerning possession and use of Colasoft Capsa. You must accept the terms of the license agreement to continue the installation.

The screen presents the important information from the ReadMe file. Select Destination Location screen: It suggests the default location to install Colasoft Capsa. You may
142. nalysis profile. It includes following items:
- Name: The name for the analysis profile.
- Description: Description about the analysis profile to make it identified.
- Profile Icon: Click the Change button to select an image for the analysis profile.
- Analysis Module: To choose the analysis modules to analyze the specific traffic over the network.

Analysis Object

The Analysis Object settings are used to customize the objects to be analyzed, such as protocols, addresses, conversations and the maximum number of the objects. There are three columns on this tab:
- Analysis Object: Includes Network Protocol, Physical Address, Local IP Address, Remote IP Address, Physical Group, IP Group, Physical Conversation, IP Conversation, TCP Conversation and UDP Conversation. All analysis objects on the list are selected by default. The program will not analyze the analysis object if it is not selected. For example, if analysis object Local IP Address is not selected, all statistical information based on local IP address will not be available, including local IP addresses on the IP Explorer and all statistics about local IP address on the statistical views.
- Protocol Details: Sets the display of detailed traffic information for the Protocol view. The table below lists the function of this column when it is enabled.

The Protocol view will display detailed pr
143. ndpoint view, ARP Attack view, Worm view, DoS Attacking view, DoS Attacked view and TCP Port Scan view.
- Name: The name of the node. The node may be MAC addresses, IP addresses, node groups or resolved names.
- Bytes: Total bytes sent and received by the node.
- Packets: The number of packets sent and received by the node.
- Internal Bytes: Only available for node group items. Total bytes transmitted inside the node group. See Node Group for more
- Internal Packets: Only available for node group items. Total packets transmitted inside the node group.
- Broadcast Bytes: Total broadcast bytes sent and received by the node.
- Broadcast Packets: Total broadcast packets sent and received by the node.
- Multicast Bytes: Total multicast bytes sent and received by the node.
- Multicast Packets: Total multicast packets sent and received by the node.
- bps: Bits per second.
- Bytes/s: Bytes per second.
- Packets/s: Packets per second.
- Bytes In: Received bytes.
- Packets In: Received packets.
- Bytes Out: Sent bytes.
- Packets Out: Sent packets.
- Bytes Out/In: The ratio of sent bytes to received bytes.
- Packets Out/In: The ratio of sent packets to received packets.
- IP Count: The number of IP addresses. Only available for node group items and MAC address items in the list.
- Physical Conversation
- IP Conversation: The number of IP conversations.
- TCP Conversation: The number of TCP conversations.
- UDP Conversation: The number of UDP conversations.
- TCP SYN Sent: The number of sent packets wi
144. ngs Locates to the TCP Port Scan diagnosis event on the Diagnosis Settings tab. The count on the Event setting pane means the count of TCP ports connected by a local or a remote host. If the count is greater than the setting value, it is supposed that the host is performing a TCP port scan. The value is an integer between 5 and 50, and 6 is set by default.

ARP Attack settings

The ARP attack analysis detects ARP attack activities, and the settings part appears as follows:

[Figure: ARP Attack settings pane. Text in the pane: "ARP Attack analysis provides related statistics and physical addresses of the hosts which may be attacked by ARP scan, ARP request storm, ARP too many unrequested responses. Click Settings to set related parameters." Options: Suspicious ARP Attack (OR Relationship), ARP Request Storm (Settings), ARP Scanning (Settings), Excessed active ARP response]

- Suspicious ARP Attack: Enables ARP attack analysis, or else there will be no item to show on the ARP Attack view. OR Relationship means one of the three conditions below is met to define the ARP attack activity.
- ARP Request Storm: Enables ARP request storm analysis. Click Settings to locate the ARP Request Storm diagnosis event on the Diagnosis Settings tab. There are two main parameters for this event:
- Sampling Duration: The sampling time with the unit of second. The value is an integer between 1 and 3 60
145. nversation UDP Conversation Matrix Packet Log Report Full Analysis All available statistical views are displayed The views except TCP Conversation All views in Full Analysis with different display order UDP Conversation and Packet are displayed Traffic Monitor All views in Full Analysis with different display order plus ARP Attack Worm DoS Attacking DoS Attacked TCP Port Scan and Suspect Conversation views HTTP E ee ee The views except Physical Conversation Analysis All views in Full Analysis with different display order and Packet are displayed Email The views except Dashboard Physical Analysis Conversation and Packet are displayed DNS The views except Physical l All views in Full Analysis with different display order Conversation TCP Conversation and Analysis i Packet are displayed FTP T ae The views except Physical Conversation Analysis All views in Full Analysis with different display order and Packet are displayed The views except Dashboard Packet and Report are displayed Security Analysis The views except Dashboard Protocol UDP conversation are displayed All views in Full Analysis with different display order IM Analysis All views in Full Analysis with different display order Security Analysis is only available in Capsa Enterprise You can also show or hide or arrange statistical views e To show a view click View Display icon on the Analysis tab of the Ribbon section and select th
146. o search in the packet decoding section on the right. When finding the result, the horizontal line for the packet will be highlighted.

Data Flow tab

This tab presents original information of the transaction selected on the transaction list. See Data Flow tab for more information. You may get unreadable symbols because some data are encrypted in transmission.

Transaction Summary

The Transaction Summary view displays TCP transaction statistics on the left pane and related metrics with pie chart on the right pane. The Transaction Summary view appears as below:

[Figure: Transaction Summary view of TCP Flow Analysis for 192.168.5.250 <-> 192.168.0.183, with the sections Transaction Time Summary, Data Flow Summary and TCP Summary and a pie chart]
147. olicy with forensic analysis. Consultants: Analyze network troubleshoots, solve network problems for customers and optimize network capability. Network application developers: Debug network applications, optimize program capability, test the content sent/received and examine network protocols.

Q: Can I set up my own traffic filter?
A: Yes, in Capsa setting up a set of rules can help you filter the traffic you are interested in. The filters help user to speed up analyzing and displaying packets, enabling you to focus on what you are really interested in. Capsa has two kinds of filters: global filters and project filters. Global filters are some commonly used protocols filters which can be applied to the current project. Project filters are only applied to the current project.

Q: Can Capsa monitor the traffic utilization in the network?
A: Yes, Capsa provides users with detailed network statistics information of the overall network or each network segment: traffic utilization status, top talkers, congestion, MAC/IP address or protocol bitrate, and TCP transaction statistic, etc.

Q: Our LAN is connected with a hub, but I can only detect my own traffic.
A: Generally, if a NIC supports promiscuous mode, it can work well with Capsa. A possible reason is your hub actually acts as a switch though labeled as a hub (e.g. Linksys hubs). Another possible reason is you are using a multi-speed hub, in which case you can't see the traffic from the stations ope
148. on the border between panes and, when the pointer becomes a double-headed arrow, drag the pointer to move the split line.

Diagnosis Item pane

This pane lists the name and the count of all diagnosis events according to layers which the events belong to. All events are grouped into four types on the basis of security levels as follows:

You can change the severity level and the trigger condition of diagnosis events in Diagnosis Settings. When selecting a specific node in the Node Explorer window, this pane will only show the events related to the node. Different analysis profiles may have different event items. See Application layer events, Transport layer events, Network layer events and Data link layer events for all available events. You can click Name and Count to sort the items. Note that only father nodes and number on the father nodes, such as Transport Layer, Application Layer, Network Layer and Data Link Layer, can be sorted.

Toolbar

The buttons of the toolbar are listed in the following table:
- Displays the settings of selected event. You can also view the settings of an event by double-clicking the event.
- Saves the current list of diagnosis events as a csv file.
- Hides or shows the Diagnosis Address pane and show it by default.
- Hides or shows the Diagnosis Events pane and show it by default.
- Refreshes the event list or set th
149. onversation list on the Suspicious Conversation view, the lower pane tabs will provide detailed information about the item. By default, the lower pane is visible. You can click Details button on the Suspicious Conversation view to close it, and you can also click Details button to show the lower pane when it is invisible. The Suspicious Conversation lower pane includes Packets tab, Data Flow tab and Time Sequence tab.
- The Packets tab lists all packets for the conversation selected in the Suspicious Conversation view. The toolbar and columns are just the same as those on Packet view. See Packet view for details.
- The Data Flow tab provides reassembled data flow for the TCP conversation selected in the TCP Conversation view. See Data Flow tab for details.
- The Time Sequence tab displays TCP conversation in time sequential order. See Time Sequence tab for details.

Network Profile

Network Profile is designed to store general properties of different networks. Different network segments may have their own environment. Colasoft Capsa lets you save the most common used properties, including bandwidth, network structure, name table and alarms. By default, a network profile is not applied, but when you make changes to network group name
150. ost name of selected node.
- Locate in Node Explorer: Locates the selected node in the Node Explorer window.
- Select All: Selects all items in the node list.
- Refresh: Refreshes the node list.
- Saves current list of the node statistics as a csv file.

ARP Attack lower pane

When you select a specific item in the node list on the ARP Attack view, the lower pane tab will provide detailed information about the item. By default, the lower pane is visible. You can click Details button on the ARP Attack view to close it, and you can also click Details button to show the lower pane when it is invisible. There is only a Physical Conversation tab on the lower pane. The Physical Conversation tab lists all MAC address conversations of the node selected on the ARP Attack view. The toolbar and columns are just the same as those on Physical Conversation view. See Physical Conversation for details. You can double-click any item in the conversation list to view detailed packet information in the Packet window, which is named with the conversation and is just the same as the Packet view. See Packet view for more information.

Worm view

The Worm view is only available when you are using the analysis profile of Security Analysis. A computer worm is a self-replicating malware computer program. It uses the computer network to send copies of itself to other nodes, and it may do so without any user intervention. To spread itself it always needs network either
151. otocol of the node selected on the Worm view. The toolbar and columns are just the same as those on UDP Conversation view. See UDP Conversation for details. You can double-click any item in the conversation lists to view detailed packet information in the Packet window, which is named with the conversation and is just the same as the Packet view. See Packet view for more information.

DoS Attacked view

The DoS Attacked view is only available when you are using the analysis profile of Security Analysis. DoS Attacked means that a host in your network has been under a DoS or DDoS attack. A denial-of-service (DoS) attack or distributed denial-of-service (DDoS) attack is an attempt to make a computer resource unavailable to its intended users. One common method of attack involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service, or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. DoS attacked problems are identified according to default se
152. otocol statistics information when a specific MAC address on the Physical MAC Address Explorer is selected and the Physical Endpoint tab on the Protocol view will display the detailed traffic information of a single MAC address or else said information will not be available The column Protocol Details is selected the Protocol view will display detailed protocol statistics information when a specific local IP address on the IP Explorer is selected and the IP Endpoint tab on the Protocol view will display the detailed traffic information of a single local IP address The Protocol view will display detailed protocol statistics information when a specific remote IP address on the IP Explorer is selected and the IP Endpoint tab on the Protocol view will display the detailed traffic information of a single remote IP address The Protocol view will display detailed protocol statistics information when an MAC address group on the Physical Explorer is selected and the Physical Endpoint tab on the Protocol view will display the detailed traffic information of an MAC address group The Protocol view will display detailed protocol statistics information when an IP address group on the IP Explorer IP Group is selected and the IP Endpoint tab on the Protocol view will display the detailed traffic information of an IP address group Physical The Physical Conversation tab on the Protocol view will display the detailed traffic information of the MAC Conver
153. oup list.
- Move Up: Moves the selected node group up.
- Move Down: Moves the selected node group down.
- Import: Imports current node group list from cscnp file.
- Export: Exports current node group list as cscnp file.
- Auto Detect: Detects and groups local MAC addresses and IP addresses of current network.
- Enable Country Group: Groups the node group Internet Addresses by countries or areas.

In the node group list, the node Local Segment manages the node groups of local MAC addresses, and the node Local Subnet manages the node groups of local IP addresses. By default, there are automatically generated node groups which are detected through the network adapter. You can also get the same result by clicking Auto Detect.
- To add a node group of MAC addresses, select Local Segment in the node group list, click Add, type the name for the new node group and click OK on the pop-up dialog box, and type MAC addresses for the new node group on the node list, with one MAC address per line.
- To add a node group of IP addresses, select Local Subnet in the node group list, click Add, type the name for the new node group and click OK on the pop-up dialog box, and type IP addresses for the new node group on the node list, with one IP address, one IP address range or one IP address mask per line.

The new node group will be the sub node group of the selected node group.
154. ow to set alarm logs. The corresponding alarm bubble on the right side of the Status Bar starts flashing when an alarm is triggered.
1. The pop-up shows and keeps for only one second and then fades away.
2. There is no link of Click here to view alarms log if you didn't save alarm log.

Alarm Notification Area

The Alarm Notification Area is utilized to display the real-time triggered alarm information. The Alarm Notification Area appears as follows:

You can click the Alarm Explorer icon to open or close the Alarm Explorer window. The three bubbles represent three alarm types: Security, Performance and Fault. The numbers following the bubbles represent the number of triggered alarms of every alarm type. Click the bubbles and you will get an Alarm Statistics pop-up showing the details of the alarm types as follows:

[Figure: Alarm Statistics pop-up listing Performance Alarms, Security Alarms and Fault Alarms]

Creating Graphs

You may want to view specific statistics graphically, and Capsa provides you two types of graphs. See Graph types for details. You can customize statistical graphs based on anything from the global network to a specific node, including a MAC address, an IP address and a protocol. To open the Make Graph dialog box to create a graph, you can perform one of the following operations:
- Click the icon on the top right corner of every dashboard panel.
- Click the lin
155. ox. It will be displayed on the top left corner of Report tab.
- Prefix: Enable this item (disabled by default) and enter a name into the textbox, which will be added before all report titles as a prefix. You can find it on the top left corner of a report in the title area.
- Author: Enable this item (disabled by default) and enter the name of whoever generates the reports, which will be displayed on the bottom right corner of reports.
- Show Create Time: With this item enabled, the time when a report is generated will be displayed on the top left corner of the report. This item is disabled by default, with nothing shown in that area.
- Company logo: Enable this item (disabled by default) and select a picture file on your machine or shared network folder as the logo of your company, which will be displayed on the top right corner of Report tab.

Display Format

The Display Format tab lets you customize the format of decimals and measures. You can define the formats for data display, including decimal places of normal number, decimal places of percentage, byte format, bit format, bytes per second format and bits per second format. The items on this tab are described as below:
- Precision after decimal: The display precision of a number. You can customize the decimal places, though the thousandth in default.
- Precision behind percentage decimal: The display precision of a percentage. You can customize the decimal places, though the thousandth in default.
- Byte
156. pens Modify Matrix dialog box to edit the selected matrix. Deletes the selected matrix.

The Add Matrix dialog box appears as follows:

[Figure: Add Matrix dialog box with the fields Matrix name (Top 10 IPv4 Conversation), Maximum node number (10), Matrix type (Physical, IP), Traffic type (Unicast, Multicast), Sort by Object and Value, Descending order and Ascending order]

The Add Matrix dialog box includes items as follows:
- Matrix name: The name of the matrix.
- Maximum node number: The maximum number of the nodes. You can type any integer between 1 and 1000.
- Matrix type: Physical means that the statistics are based on MAC addresses, and IP means that the statistics are based on IP addresses.
- Traffic type: The traffic type for statistics.
- Object: The statistical object for the matrix.
- Value: The value type of the statistical object.
- Descending order: The matrix will display the top number of statistics.
- Ascending order: The matrix will display the bottom number of statistics.

User Hidden Nodes

This section lists the nodes which have been hidden by user. The number in the bracket on this section shows the number of hidden nodes. To display user hidden nodes, right-click this section and choose Display Selected Nodes to display selected nodes, or choose Display All Nodes to display all user hidden nodes. You can also right click
157. protocol on the router Add a default route for the router Add a route for the destination network to the router or add a default route Add a default route to the router Change the routing protocol on the router A router is reporting to the source host that a network is unavailable or the path for destination network is unavailable ICMP Network Unreachable ICMP Host Unreachable A router is reporting to the source host that the destination host is unavailable The destination host or a router is The destination host does not exist The destination host is not powered on The service for the requested port is not enabled Check the existence of the destination host Check if the destination host is powered on Enable the service for the requested port ICMP Port Unreachable reporting to the The service for the requested port Check the configurations for the source host that the is in error service requested port is A firewall blocks the access to the Enable the access control policy on inactive port the firewall or the router for the port A router is reporting to the source host that it should use an Performance alternate route for the destination host A router is reporting to the source host that it should use an alternate route for the destination network A host in LAN uses an external domain to access internal server after port mapping configuration There is an ICM
158. pturing traffic data with wired network adapters, Capsa can capture packets with wireless network adapter. To start a capture with wireless network adapters, follow the steps below:
1. Select the Capture tab on the Analysis Mode Tabs.
2. Select a wireless network adapter on the Adapter List section, and then the Adapter Status section will be AP Status section and lists all available APs.
3. Select an AP, then you will be asked to type the key if the AP is encrypted. You can also select more than one AP, but the APs must be of the same channel.
4. Click Set Network Profile on the Configuration Info section to select a network profile. A network profile includes the settings about node group, name table and alarms. See Network Profile for details.
5. Select a proper analysis profile on the Analysis Profile section. An analysis profile includes the settings about analysis modules, analysis objects, packet buffer, packet filters, logs, diagnosis events, packet output and view display. Capsa provides six analysis profiles by default, and you also can create new analysis profiles. See Analysis Profile for details.
6. Click the Start button on the bottom right to start an analysis project.

1. It is only available in Windows Vista and Windows 7 to capture packets with wireless network adapters.
2. If you enter the wrong key, the analysis project will run as
159. rating at the speed that is different from your NIC's speed (e.g. if you have a 10 Mbit NIC, you can't see the traffic generated by 100 Mbit NICs).

Q: How to configure port mirroring?
A: Please read your switch's manual or visit its website to learn how to set up port mirroring. Or you may ask their technicians for help.

Q: Does Colasoft Capsa enable me, as a network administrator, to easily see who is listening to the radio and downloading music online?
A: Yes. The standard ports for media protocols are: RTSP port 554, PNM port 7070 (also known as PNA port), MMS port 1755. By setting port filters in the Project Settings Filter dialog box, you can easily find out who is visiting media resources. To monitor the downloads of media files (e.g. rm), you can set a URL filter for HTTP analysis in the Project Settings Advanced Analyzer dialog box.

Q: Why don't I see the Dashboard tab sometimes?
A: The Dashboard is visible only when you select the root node in the Node Explorer. That's because the Dashboard is global, which doesn't belong to any specific node in the Node Explorer. When a node is selected in the Node Explorer, only the tabs relating to the selected is visible.

Q: After I entered the serial number and license key, they didn't work.
A: Please copy and paste the serial number and license key you received from us to
160. rce Product
- Decoder: Calls out Decoder Settings tab to set decoders.
- Custom Protocol: View user-defined protocols.
- Task Scheduler: Calls out Task Scheduler to add new tasks. Only available in Capsa Enterprise.
- Home Page: Opens Colasoft home page.
- Tech Forum: Opens the technical forum where you can get help and learn more skills on network analysis.
- Product License: Renews the license key.
- Register: Registers at Colasoft official website to get timely customer services and product information.
- Check for Update: Checks new versions.
- About: Opens the About dialog box where you can find the version, copyright and license information of the product.

Tools tab

The Tools tab appears as follows:

[Figure: the Tools tab of the Ribbon]

For more information about Tools tab, see Network Tools.

View tab

The View tab appears as follows:

[Figure: the View tab of the Ribbon, with the groups Show/Hide (Node Explorer, Alarm Explorer, Online Resource, Show Manufacturers), Physical Address Display and IP Address Display]

The View t
161. the TCP flow time information of the TCP conversation selected on the TCP Conversation view.

UDP Conversation view

The UDP Conversation view provides you with all UDP conversation statistics of the network. The UDP Conversation view will not be available when you select node group or MAC address on the Physical Explorer, or the protocol nodes other than UDP on the Protocol Explorer. When you select a specific item in the conversation list on the UDP Conversation view, the lower pane tabs will provide detailed information about the item. See UDP Conversation lower pane tabs for details. You can double-click any item in the conversation list to view detailed packet information in the Packet window, which is named with the conversation and is just the same as the Packet view. See Packet view for more information.

Toolbar

The following table lists and describes the items on the toolbar of this view:
- Exports current statistical list as a csv file.
- Shows or hides the lower pane.
- Refreshes the conversation list or sets display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, display will update only when the Refresh button is clicked.
- Displays particular items of the list. See Display Filter for details.
- Shows the number of the conversations in the list. The name changes along w
162. rkeley Trailer nego
4097  1001-100F  Berkeley Trailer encap IP
5632  1600  Valid Systems
16962  4242  PCS Basic Block Protocol
24576  6000  DEC Unassigned Exp
24577  6001  DEC MOP Dump Load
24579  6003  DEC DECNET Phase IV Route
24580  6004  DEC LAT
24581  6005  DEC Diagnostic Protocol
24582  6006  DEC Customer Protocol
24584  6008-6009  DEC Unassigned
24586  6010-6014  3Com Corporation
25944  6558  Trans Ether Bridging
25945  6559  Raw Frame Relay
28674  7002  Ungermann Bass dia loop
28704  7020-7029  LRT
28720  7030  Proteon
28724  7034  Cabletron
32771  8003  Cronus VLN
32772  8004  Cronus Direct
32773  8005  HP Probe
32776  8008  AT&T
32784  8010  Excelan
32787  8013  SGI diagnostics
32788  8014  SGI network games
32789  8015  SGI reserved
32790  8016  SGI bounce server
32793  8019  Apollo Domain
32815  802E  Tymshare
32816  802F  Tigan Inc
32821  8035  Reverse ARP
32822  8036  Aeonic Systems
32824  8038  DEC LANBridge
32829  803D  DEC Ethernet Encryption
32830  803E  DEC Unassigned
32831  803F  DEC LAN Traffic Monitor
32832  8040-8042  DEC Unassigned
32838  8046  AT&T
32839  8047  AT&T
32841  8049  ExperData
32859  805B  Stanford V Kernel exp
32861  805D  Evans & Sutherland
32864  8060  Little Machines
32866
163. rofile
• Duplicate: Duplicates the selected analysis profile and make changes on the copy.
• Delete: Deletes the selected analysis profile.
• Reset: Resets the Analysis Profile.

The Analysis Profile Settings dialog box includes following tabs:
• Analysis Settings: Configures the basic settings of an analysis profile.
• Analysis Object: Sets which objects to be analyzed and the maximum number of each object.
• Diagnosis Settings: Sets the thresholds for diagnosis events.
• View Display: Shows/hides the statistical views and rearranges the order of those views.
• Packet Buffer: Configures the buffer size and buffer mode, and configures how to save packets in the buffer to disk.
• Packet Filter: Sets filters for capture.
• Packet Output: Automatically saves packets.
• Log Settings: Customizes all available log settings to get useful log records.
• Log Output: Automatically saves logs.
• Security Analysis: Sets the conditions to detect the hidden security problems. Only available when the analysis profile of Security Analysis is applied.

1. You can also configure the analysis profile settings when the analysis project is running.
2. The Analysis Settings tab is only available when the Analysis Profile Settings dialog box is opened from the Start Page.

Analysis Settings

The Analysis Settings tab contains options for an a
164. rsation. See Creating Graphs for details.
• Make Alarm: Makes an alarm on the basis of the node of selected conversation. See Creating Alarms for details.
• Locate in Node Explorer: Locates the selected node in the Node Explorer window.
• Select All: Selects all items in the conversation list.
• Refresh: Refreshes the conversation list.
• Saves current list as a csv file.

Conversation columns

The following table lists and describes the columns of Conversation view, including Physical Conversation view, IP Conversation view, TCP Conversation view, UDP Conversation view and Suspicious Conversation view:
• Node 1 >: The source address of the first packet in the conversation.
• < Node 2: The destination address of the first packet in the conversation.
• Duration: Duration of the conversation, that is, from the timestamp of the first packet to the timestamp of the last packet in the conversation.
• Bytes: Total bytes sent and received in this conversation.
• Bytes >: Bytes sent from node 1 to node 2.
• < Bytes: Bytes sent from node 2 to node 1.
• Start Time >: The timestamp of the first packet that is sent from node 1 to node 2.
• < Start Time
• End Time: The timestamp of the last packet in the conversation.
• End Time >: The timestamp of the last packet that is sent from node 1 to node 2.
• < End Time: The timestamp of the last packet that is sent from node 2 to node 1.
• Protocol: The protocol for the conversation.
The timestamp of the
165. rsation for details.
   o You can double-click any item in the conversation list to view detailed packet information in the Packet window, which is named with the protocol and the conversation and is just the same as the Packet view. See Packet view for more information.
   o The IP Conversation tab will have statistics only when there is an IP address node under the MAC address node on the Physical Explorer; otherwise there are no items on this tab.
• Choosing any nodes except IP address nodes on the IP Explorer, the lower pane includes IP Endpoint tab and IP Conversation tab.
• Choosing IP address nodes on the Physical Explorer or IP Explorer, the lower pane includes IP Conversation tab, TCP Conversation tab and UDP Conversation tab.
   o The TCP Conversation tab lists the conversations using TCP protocol. The toolbar and columns are just the same as those on TCP Conversation view. See TCP Conversation for details.
   o The UDP Conversation tab lists the conversations using UDP protocol. The toolbar and columns are just the same as those on UDP Conversation view. See UDP Conversation for details.
   o You can double-click any item in the conversation lists to view detailed packet information in the Packet window, which is named with the protocol and the conversation and is just the same as the Packet view. See Packet view for more information.
166. rsation selected on the IP Conversation view. The toolbar and columns are just the same as those on UDP Conversation view. See UDP Conversation for details.
   o You can double-click any item in the conversation lists to view detailed packet information in the Packet window, which is named with the conversation and is just the same as the Packet view. See Packet view for more information.

TCP Conversation view

The TCP Conversation view shows statistics of the network traffic on the basis of TCP conversations. TCP conversation is identified by the flag fields set to be 1 or the load length of greater than 0. The TCP Conversation view will not be available when you select a node group or MAC address on the Physical Explorer, or protocol nodes not belonging to TCP protocol on the Protocol Explorer. When you select a specific item in the conversation list on the TCP Conversation view, the lower pane tabs will provide detailed information about the item. See TCP Conversation lower pane tabs for details. You can double-click any item in the conversation list to open the TCP Flow Analysis window to view detailed conversation information. See TCP Flow Analysis window for details.

Toolbar

The following table lists and describes the items on the toolbar of this view:
• Exports current statistical list as a csv file.
• Shows or hides the lower pane.
• Makes a packet filter based on the node of selected conversation. See Creating Filters for details.
167. s as follows:
• Find: Calls out Find dialog box to search only on the Diagnosis Address pane.
• Copy: Copies the selection and the header row in original format to the clipboard.
• Save Log: Saves current address list as a csv file.
• Resolve Address: Only available when the address is IP address. Resolves the IP address of selected address item.
• Make Filter: Makes a packet filter based on the IP address or MAC address of selected item on the address list. See Creating Filters for details.
• Add to Name Table: Adds an alias to the Name Table for the IP address or MAC address of selected item on the address list. See Name Table for details.
• Make Graph: Makes a graph in the Dashboard view on the basis of the IP address or MAC address of selected item on the address list. See Creating Graphs for details.
• Make Alarm: Makes an alarm on the basis of the IP address or MAC address of selected item on the address list. See Creating Alarms for details.
• Locate in Node Explorer: Locates the IP address or MAC address of selected item on the address list in the Node Explorer window.
• Select All: Selects all items on the address list.
• Refresh: Refreshes the address list.

Diagnosis Events pane

This pane lists the detailed information of diagnosis events. The list of this pane changes according to the selections on the Diagnosis Item pane and the Diagnosis Address pane. When you select a specific item on the Diagnosis Address pane, the Diagnosis Events pane w
168. s for the analysis project.
• System: Contains Resources and Product sections.
• Tools: Provides Colasoft network tools.
• View: Configures the display of the program.

You can use the mouse scroll wheel to navigate from one tab to another when the mouse pointer is over the Ribbon section.

Analysis tab

The Analysis tab appears as follows:

[Screenshot: Analysis tab of the Ribbon]

When the Replay analysis mode is selected, the Capture part will be Replay as follows:

[Screenshot: Replay part of the Analysis tab]

The Analysis tab includes the following sections:
• Capture
   o Adapter: Click to open the Select Network Adapter dialog box to view the adapter properties or change the selection on the adapters.
   o Filter: Sets packet filters. See Creating Filters for details.
   o Start: Starts capturing packets.
   o Stop: Stops capturing packets.
• Replay
   o File: Opens the Packet File Management dialog box, which is just the same as the Packet Files section on the Start Page
169. s the Packet view. See Packet view for more information.

TCP Port Scan view

The TCP Port Scan view is only available when you are using the analysis profile of Security Analysis. Scanning is always the first step for malware to infect other hosts or for a hacker to intrude into your system, so network administrators should also pay attention to port scanning. If a host sends a group of TCP SYN packets to a target host continuously in a short time, it is identified as a TCP port scan. TCP Port Scan attacks are identified according to default setting values, and you can also customize these values to let the program find out the root of the problem more accurately. See TCP Port Scan settings for details.

The TCP Port Scan view will not be available when you select any nodes on the Protocol Explorer and all nodes except IP address nodes on the Physical Explorer. This view lists the IP addresses and their traffic information of the hosts which may be under TCP Port Scan attacks. You can double-click any item on the list to view detailed packet information in the Packet window, which is named with the node and is just the same as the Packet view. See Packet view for more information.

Toolbar

The following table lists and describes the items on the toolbar of this view:
• Exports current statistical list as a csv file.
de
170. sation address conversation when any node except IP address node on the Physical Explorer is selected. The IP Conversation tab on the Protocol view will display the detailed traffic information of the IP address conversation when any node on the IP Explorer or IP address node on the Physical Explorer is selected.

Local IP Address Remote IP Address MAC Address Group IP Conversation

• Max Object Count: The maximum analysis object count for each analysis object; 10,000 is set by default. You can click the number to set it. The value for the number is from 1 to 10,000.
• Reset: Resets the settings on this tab.

Diagnosis Settings

This tab lists all available diagnosis events of the loaded analysis module of the current analysis project. All diagnosis events are hierarchically grouped in protocol layers: Application layer events, Transport layer events, Network layer events, and Data link Layer events. You can easily find which layer a network problem belongs to. The Diagnosis Settings tab appears as follows:

[Screenshot: Analysis Profile dialog box, Diagnosis Settings tab with the Event List]
171. [Screenshot: Alarm Explorer, showing the Toolbar, the Alarm List and the Status Information pane]

Toolbar

The toolbar includes six items as follows:

Alarm List

All created alarms are hierarchically grouped in three types: Security, Performance and Fault. You can double-click an alarm item to open the Edit Alarms dialog box to edit it. Click an alarm item and the Status Information panel will display the details of the alarm.

Status Information

The Status Information pane displays the properties of the selected alarm in detail. You can click to collapse the details.

Alarm Pop-ups

When an alarm is triggered or dismissed, a pop-up fades in to inform you of the alarm information even when the program window is not active. You can click the link "Click here to view alarms log" to view the alarm log. Read Alarm Settings to know h
172. stics, Top Address and Host, Top Conversation, Top Application.

Bytes, Bits per second, Bytes per second, Utilization, Total packets, Packets per second, Average packet size, <=64, 65-127, 128-255, 256-511, 512-1023, 1024-1517, >=1518, Broadcast bytes, Broadcast packets, Broadcast bytes per second, Broadcast packets, Multicast bytes, Multicast packets, Multicast bytes per second, Multicast packets, MAC address count, IP address count, Local IP address count, Remote IP address count, Physical conversation count, IP conversation count, TCP conversation count, UDP conversation count, Total protocol count, Data link layer protocol count, Network layer protocol count, Transport layer protocol count, Session layer protocol count, Presentation layer protocol count, Application layer protocol count, Information events, Notice events, Warning events, Error events, Top MAC Address by Total Traffic, Top MAC Address by Received Traffic, Top MAC Address by Sent Traffic, Top IP Address by Total Traffic, Top IP Address by Received Traffic, Top IP Address by Sent Traffic, Top IP Address Connection Count, Top Local IP Address by Total Traffic, Top Local IP Address by Received Traffic, Top Local IP Address by Sent Traffic, Top Local IP Address Connection Count, Top Remote IP Address by Total Traffic, Top Remote IP Address by Received Traffic, Top Remote IP Address by Sent Traffic, Top Physical Conversation, Top IP Conversation, Top
173. t
• Delete: Deletes the selected project.
• Import: Removes existing projects in the list and imports new scheduled tasks.
• Export: Exports existing projects in the list as a dat file.

The New Task dialog box includes following parts:
• Name: Shows the name of the scheduled project, named with time by default.
• Schedule: Sets the schedule to run a task. You can choose to schedule the task at one time or on a daily or weekly schedule. The time you set is relative to the time zone that is set on the computer that runs the task.
   o If you select the One time radio button, you set a start date and time to start the task and an end date and time to end the task.
   o If you select the Daily radio button, you set a start time to start the task and an end time to end the task. The task will run at the start time every day as long as the program is on.
   o If you select the Weekly radio button, you set a start time to start the task, an end time to end the task, and the days of the week in which to start the task. The task will run at the specified time on each of the specified days.
• Options: Sets analysis profile, network profile and network adapter for the scheduled task.

Report Settings

You can configure the following options listed below:

Company Name: Enable this item (disabled by default), enter your company name into the textb
174. t back to you with a license file. Import the license file and your product will be activated immediately.

Getting Started

Start Page

The Start Page is the first screen you see when starting the program, which guides you to start an analysis project step by step and appears as below:

[Screenshot: Start Page, with callouts for Analysis Mode Tabs, Adapter List, Adapter Status, Network Profile, Analysis Profile and Configuration Info]

The Start Page includes following parts:
1. Analysis Mode tabs: Includes Capture tab and Replay tab. The Capture tab is for capturing live network data. The Replay tab is for replaying captured network data. See Replaying captured packets for details.
2. Adapter List section: Lists all available network adapters, including wired and wireless ones. Data is transmitted ov
175. t graph to disk. You can save graphs in png, emf and bmp formats.

Change graph position

Position of a graph is changeable. You can click and drag the head of a graph to rearrange its position to get a better view.

Summary view

Toolbar

There is only a Refresh button on the toolbar of this view to refresh the display. The little triangle is for setting the refresh interval; 1 second is selected by default. If the interval is set to Manually Refresh, display will update only when the Refresh button is clicked.

Statistics item

The Summary view provides statistics of the whole network traffic and refreshes automatically. Different selections on the node on Node Explorer result in different statistics items.

For all analysis profiles:
• Choosing the root node of Node Explorer, the Summary view provides all available statistics items of selected analysis profile. See Summary items for all statistics items.
• Choosing a specific node of Protocol Explorer, the Summary view provides Total Traffic and Packet Size Distribution statistics of the node.
• Choosing a specific MAC address of Physical Explorer, the Summary view provides Traffic statistics, Conversation statistics and TCP statistics of the node, plus ARP Attack statistics in the analysis profile of Security Analysis.
• Choosing a specific node of IP Explorer, the Su
176. In combination with Node Explorer, you can conveniently view the statistics that you care about.

Protocol columns

The following table lists and describes the columns of Protocol view:

Physical Endpoint view

The Physical Endpoint view hierarchically shows statistics of the network traffic on the basis of MAC addresses or node groups of MAC address to help you find useful information on MAC addresses. For example, you can find the physical endpoints with the largest traffic volume, or check if there is any broadcast storm or multicast storm on the network. The Physical Endpoint view will not be available when you select IP address nodes on the Physical Explorer or any nodes on the IP Explorer. When you select a specific item in the node list on the Physical Endpoint view, the lower pane tabs will provide detailed information about the item. See Physical Endpoint lower pane tabs for details. You can double-click an item on the MAC address list to view detailed packet information in the Packet window, which is named with the node and is just the same as the Packet view. See Packet view for more information.

Toolbar

The following table lists and describes the items on the toolbar of this view:
• Shows the node list in hierarchical type or in flat type.
• Exports current MAC address statistical list as a csv file.
• Shows or hides the lower pane.
• Makes a packet filter based on the selected node. See Creating Filters for de
177. table or alarms, you are required to create a network profile first. When you have installed Colasoft Capsa on a laptop and need to move it between different network segments, you are recommended to save the network properties in a network profile and recall the profile when you come to the network again.

You can open the Network Profile dialog box by one of the following:
• On the Start Page: Click the Set Network Profile link on the Configuration info section to open the Network Profile Settings dialog box. Double-click the network profile you need to edit.
• In an analysis project: Click any icon on the Network Profile group on the Analysis tab of the Ribbon.

The Network Profile dialog box contains the following tabs:
• General Settings
• Node Group
• Name Table
• Alarm Settings

The Network Profile Settings dialog box appears as follows:

[Screenshot: Network Profile Settings dialog box, listing network profiles with Name and Bandwidth columns]

The Network Profile Settings dialog box includes all available network profiles. You can use the buttons on the bottom of the dialog box to add, edit and delete a network profile, or import/export a network profile file.

General Settings

The General Settings tab contains following options:
178. tails.
• Adds an alias to the Name Table for selected node. See Name Table for details.
• Locates the selected node in the Node Explorer window.
• Refreshes the node list or sets display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, display will update only when the Refresh button is clicked.
• Displays particular items of the list. See Display Filter for details.
• Shows the number of the nodes in the list. The name changes along with the selection in the Node Explorer window.

Physical Endpoint columns

By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Endpoint columns for details.

Pop-up menu

Right-click the MAC address list to get a pop-up menu with items as follows:
• Views the decoding information of the packets of the node in the Packet window, which is just the same as the Packet view. See Packet view for more information.
• Copy: Copies the selection and the header row in original format to the clipboard.
• Copy Column: Copies the selected column in original format to the clipboard.
• Shows or hides columns or changes the position of columns. This comman
179. te only when the Refresh button is clicked.
• Displays particular items of the list. See Display Filter for details.
• Shows the number of ARP attacks in the list. The name changes along with the selection in the Node Explorer window.

ARP Attack columns

By right-clicking the column header, you can specify which columns to show in the list. Choose Default to show default columns, and choose More to open Display Column dialog box to set which columns to show and to set the position, the alignment and the width of the column. See Endpoint columns for details.

Pop-up menu

Right-click the MAC address list to get a pop-up menu with items as follows:
• Packet Details: Views the decoding information of the packets of the node in the Packet window, which is just the same as the Packet view. See Packet view for more information.
• Copy: Copies the selection and the header row in original format to the clipboard.
• Copy Column: Copies the selected column in original format to the clipboard.
• Display Column: Shows or hides columns or changes the position of columns. This command is just the same as right-clicking the column header.
• Export Node Statistics
• Add to Name Table: Adds an alias to the Name Table for the IP address or MAC address of selected item. See Name Table for
• Resolve Address: Only available when an IP address node is selected. Resolves the h
180. ter. The routing is failed. The router cannot forward the damaged

Upgrade the router. Check if there is network congestion. Check if packets are lost due to other network problems. Check if the hosts of TCP connection are working regularly. Check if there is DOS or DDOS attack. Check if there is attack on the source host. Check if the progresses are regular. Check if the host is infected with worm. Check if there is manual scanning on the source host. Check if there are electromagnetic interference devices on the transmission line or if there is faulty transmission device. Check if it is necessary to enable calculating checksum. Disable IP Checksum Offload. Check for routing table information. There is something wrong on the source host. Assign an IP address to the device. Change the transport protocol on the source host, or add transport protocols supported by the router and the destination host. Check and update the configurations of the router.

port unreachable messages. packets with specified Type of Service (TOS). Limited by the communication management rules on the router. The router is not configured with a default route. The destination network does not exist. The router cannot find the path to the destination network. The number of hops to destination network exceeds the maximum hop limit specified by the routing
181. tes and 4 bytes.
• From: Specifies where to offset in a packet. It could be Raw data, IP Header, ARP Header, TCP Header and UDP Header.
• Offset: Specifies the bytes to be offset. The unit is byte.
• Mask: The hexadecimal mask of the value.
• Byte order: The order of the bytes. It could be network byte order and host byte order.
• Operator: It could be equal to, not equal to, < (less than), <= (less than or equal to), > (greater than), >= (greater than or equal to).
• Type: The type of the value. It could be binary, octal, unsigned decimal and hex.
• Value: The value for the rule.

When a value rule is enabled, the program performs a logical AND operation between the specified bytes in a packet and the mask, and compares the operation result with the value for the rule. If the comparison is satisfied, the packet will be captured; otherwise the packet will be filtered out.

Defining pattern rule

Content rule is for defining the rule on the content of a packet. To define a content rule, click And or Or on the toolbar, select Pattern to open the Pattern Rule dialog box, which appears as below, select the type for the content, type the content, set the offset options and click OK.

[Screenshot: Pattern Rule dialog box, with Type, Pattern, Match Case, Start Offset and End Offset fields]

The unit for offset is byte.

Advanced filters can also be converte
182. th SYN flag set to be 1.
• TCP SYN Received: The number of received packets with SYN flag set to be 1.
• TCP SYNACK Sent: The number of sent packets with ACK and SYN flags both set to be 1. The value of this item should be equal to that of TCP SYN Received for a normal TCP connection establishment.
• TCP SYNACK Received: The number of received packets with ACK and SYN flags both set to be 1. The value of this item should be equal to that of TCP SYN Sent for a normal TCP connection establishment.
• The number of physical conversations.
• Location: Country or Area that the node belongs to.
• TCP FIN Sent: The number of sent packets with FIN flag set to be 1.
• TCP FIN Received: The number of received packets with FIN flag set to be 1. The value of this item should be equal to that of TCP FIN Sent for a normal TCP connection close.
• Broadcast packets/s Peak: The peak value of broadcast packets per second.
• Multicast packets/s Peak: The peak value of multicast packets per second.
• The peak value of packets with SYN flag set to be 1 sent per second.
• The peak value of packets with SYN flag set to be 1 received per second.

IP Endpoint view

The IP Endpoint view hierarchically shows statistics of the network traffic on the basis of IP addresses or node groups of IP address to help you find useful information on IP addresses. For exa
183. the fields required, it may include unnecessary blank or input error if you type in the numbers. If you are a Free edition user, you need to apply for a serial number first at Apply License, and the serial number will be sent to your mailbox in a minute.

Q: Can I export packets captured, log, reports and graphs in different formats?
A: Yes. Capsa can export packets in many formats, and export log, reports and graphs in many file and image formats. Please check the relevant section to get the details.

Q: Does Capsa support RADIUS protocols?
A: Yes. Capsa can capture and analyze RADIUS packets and protocols.

We keep updating more FAQs on our official website. Please visit Colasoft.com to learn more.

Ethernet Type Codes

decimal | Hex | decimal | octal | Description
0000 | 0000-05DC | | | IEEE802.3 Length Field
0257 | 0101-01FF | | | Experimental
0512 | 0200 | 512 | 1000 | XEROX PUP (see 0A00)
0513 | 0201 | | | PUP Addr Trans (see 0A01)
 | 0400 | | | Nixdorf
1536 | 0600 | 1536 | 3000 | XEROX NS IDP
 | 0660 | | | DLOG
 | 0661 | | | DLOG
2048 | 0800 | 513 | 1001 | Internet IP (IPv4)
2049 | 0801 | | | X.75 Internet
2050 | 0802 | | | NBS Internet
2051 | 0803 | | | ECMA Internet
2052 | 0804 | | | Chaosnet
2053 | 0805 | | | X.25 Level 3
2054 | 0806 | | |
2055 | 0807 | | | XNS Compatability
2056 | 0808 | | | Frame Relay ARP
2076 | 081C | | | Symbolics Private
2184 | 0888-088A | | | Xyplex
2304 | 0900 | | | Ungermann-Bass net debugr
2560 | 0A00 | | | Xerox IEEE802.3 PUP
2561 | 0A01 | | | PUP Addr Trans
2989 | 0BAD | | | Banyan VINES
2990 | 0BAE | | | VINES Loopback
2991 | 0BAF | | | VINES Echo
4096 | 1000 | | | Be
184. the file name for the log file.

Alarm Notification

This tab is for setting alarm notification options. The alarms will be notified with emails and/or sound when they are triggered.

Email notification

To notify alarms with emails, follow the steps below:
1. Select the checkbox Email notification on the Alarm Notification tab.
2. At the textbox Email server, type the email server address by which the emails are sent, and then type the port number that the email server applies.
3. Type the sender address and the password of the sender address.
4. Type the recipient address.

You can click Send Test Email to test if the configurations are correct. You can type multiple recipient addresses and use semicolon to separate them.

Sound notification

To notify alarms with sound, follow the steps below:
1. Select the checkbox Sound notification on the Alarm Notification tab.
2. Click to select the sound file.

Analysis Profile

Analysis Profile is just like the container for containing the settings for an analysis project to provide flexible, extensible and effective analysis performance. All settings in analysis profile are memorized by the program when the program or even the operating system is shut down, and can be applied to other analysis projects. On the Analysis Profile section on the Start Page ther
185. the matrix graph and choose Display All Hidden Nodes to display all user hidden nodes.

Invisible Nodes

The section lists the nodes which have been temporarily hidden in the matrix because they do not match the settings of the matrix. The number in the bracket on the Invisible Nodes pane head shows the number of invisible nodes.

Packet view

The Packet view displays captured packets and provides packet decoding information. This view includes three panes as follows:
• Packet List pane
• Field Decode pane
• HEX Decode pane

Packet List pane

This pane lists captured packets by number, and the list changes along with the selection in the Node Explorer window. The packet list only displays the packets for the node selected in the Node Explorer window.

Toolbar

The following table lists and describes the items on the toolbar of this view:
• Saves selected packets or exports all packets in the packet list. You can save packets in any format selected from the Save as type drop-down list box.
• Automatically scrolls down to display the newest packets. Note that this button will be invalid when an item on the packet list is selected.
• Refreshes the packet list or sets display refresh interval by clicking the little triangle. If the interval is set to Manually Refresh, display will update only when the Refresh button is clicked.
• Separates particular pa
186. tics Ethernet MAC header. In a predetermined sampling duration, the number of ARP request packets per second is higher than the threshold. ARP Request Storm. Security. In a predetermined sampling duration, the percentage of unresponsive ARP request packets is equal to or higher than the threshold. ARP Scan. Security. In a predetermined sampling duration, the number of unrequested ARP response packets of a host is equal to or higher than the threshold. ARP Too Many Unrequested Responses. Security. Protocol view. Check if the source host sends a lot of ARP requests. The host is infected with a virus which is automatically performing ARP scan. A scan application is performing ARP scan. The port for capturing traffic is not mirrored, or the machine with the program is not connected with the mirrored port. The source host sending ARP packets has a program performing scan. There is a monitor application on the network. The host is infected with a virus which is automatically performing ARP scan. A scan application is performing ARP scan. There is ARP spoofing on the network. The program is installed on a central switching device and ARP request packets are isolated. Use antivirus software to scan the host which sends a lot of ARP requests. Close the application which performs ARP scan. Mirror the port which is for capturing traffic, and install the program on the machine which is connected with the mirrored port.
187. tion ID number. You use an activation wizard to provide the installation ID number and serial number to Colasoft, either through a secure transfer over the Internet or by fax/email. An Activation Number is sent back to your machine to activate your product. If you overhaul your computer by replacing a substantial number of hardware components, it may appear to be a different PC. You may have to reactivate the program. It is allowed to reactivate the program no more than five times per day. Activation guide: The product activate process is very important to against privacy. To activate Capsa, you need to correctly enter the serial number, and a dialog box will appear to require you to activate your product. You may choose to activate product over the Internet or by fax or email. [Dialog: Colasoft Product Activation Wizard, with the options Activate online (Recommended) and Activate by e-mail (Within two business days)] Activate online: It is very quick and easy; the activation process will only take a few seconds with a couple of clicks. Activate by email: If you select to activate product manually, it will need more time to finish. Please send us via email the Serial Number and Machine Number. After receiving your request we will ge
188. to the same hub as your Internet gateway, or on your Internet gateway if acceptable, thus you can monitor all network traffic between your intranet and the Internet. Read Installation Environment to know how to deploy Colasoft Capsa. A list of some commonly used managed switches with port monitoring (spanning) is available on our website; please visit the Switch Management page for references. System requirements: Colasoft Capsa does not need a high performance machine and can be installed on many Windows operating systems, such as Windows XP, Windows 2003, Windows Vista and x64 Edition, and the latest Windows 7. Your system's performance and configuration will affect the running of Colasoft Capsa. The following minimum requirements are the bottom line to install and run Colasoft Capsa normally; it would be better if your system has a higher configuration, especially in a busy or big network. Minimum requirements: P4 2.8GHz CPU; 2 GB RAM; Internet Explorer 6.0. Recommended requirements: Intel Core Duo 2.4GHz CPU; 4 GB RAM or more; Internet Explorer 6.0 or higher. Supported Windows operating systems: Windows XP (SP 1 or later) and 64bit Edition; Windows Server 2003 and 64bit Edition; Windows Vista and 64bit Edition; Windows 2008 and 64bit Edition; Windows 7 and 64bit Edition. The wireless a
189. tocols, Presentation Layer Protocols and Application Layer Protocols. Conversation: Physical Conversation, IP Conversation, TCP Conversation and UDP Conversation. TCP: TCP SYN Sent, TCP SYNACK Sent, TCP FIN Sent and TCP Reset Sent. Alarm: Security, Performance and Fault. DNS Analysis: DNS Query and DNS Response. Email Analysis: SMTP Connection and POP3 Connection. FTP Analysis: FTP Upload and FTP Download. HTTP Analysis: HTTP Request, HTTP Requested and HTTP Connection. Top chart: Top Chart includes statistics items as follows: Top Physical Group by Total Traffic; Top Physical Group by Received Traffic; Top Physical Group by Sent Traffic; Top IP Group by Total Traffic; Top IP Group by Received Traffic; Top IP Group by Sent Traffic; Top Physical Address by Total Traffic; Top Physical Address by Received Traffic; Top Physical Address by Sent Traffic; Top IP Address by Total Traffic; Top Local IP Address by Total Traffic; Top Remote IP Address by Total Traffic; Top IP Address by Received Traffic; Top IP Address by Sent Traffic; Top Local IP Address by Received Traffic; Top Local IP Address by Sent Traffic; Top Remote IP Address by Received Traffic; Top Remote IP Address by Sent Traffic; Top Application Protocols; Packet Size Distribution. 1 The Physical Group IP Group me
190. tting values, and you can also customize these values to let the program find out the root of the problem more accurately. See DoS attacked settings for details. The DoS Attacked view will not be available when you select any nodes on the Protocol Explorer and all nodes except IP address nodes on the Physical Explorer. This view lists the IP addresses and their traffic information of the hosts which may be under a DoS or DDoS attack. You can double-click any item on the list to view detailed packet information in the Packet window, which is named with the node and is just the same as the Packet view. See Packet view for more information. Toolbar: The following table lists and describes the items on the toolbar of this view. Exports current statistical list as a csv file. Shows or hides the lower pane. Makes a packet filter based on the selected node; see Creating Filters for details. Adds an alias to the Name Table for selected node; see Name Table for details. Locates the selected node in the Node Explorer window. Refreshes the node list or sets display refresh interval by clicking the little triangle; if the interval is set to Manually Refresh, display will update only when the Refresh button is clicked. Displays particular items of the list; see Display Filter for details. Shows the number of worm attacks in the list. The name changes along with the select
191. ually the HTTP version is not supported. the version type client's request is valid. Check the application services running on the network. Update the configurations of routes. Check the security and the working status of HTTP server. Network congestion. The connection between client and HTTP server is slow. The HTTP server is overloaded. The average response time is equal to or higher than the threshold. HTTP Server Performance Slow Response. Poor HTTP server performance. Upgrade HTTP server. Which diagnosis events are displayed in the Diagnosis view depends on the Diagnosis Settings. See Diagnosis settings for details. Transport layer events: Capsa can diagnose transport layer events as below: TCP Connection Refused, TCP Repeated Connect Attempt, TCP Retransmission, TCP Invalid Checksum, TCP Slow Response. A client's initial TCP connection attempt is rejected by the host. A client is attempting multiple times to establish a TCP connection. The source host is sending another TCP packet with the sequence number identical to or less than that of a previously sent TCP packet to the same destination IP address and TCP port number (Performance). The destination host calculates TCP checksum of received packet which is not identical to the value of TCP che
192. Overview: Welcome to Capsa Enterprise, the portable network analyzer from Colasoft. Designed for Ethernet and wireless network packet decoding and network diagnosis, Capsa Enterprise monitors the network traffic transmitted over a local network, helping network administrators troubleshoot network problems. With the ability of real-time packet capture and accurate data analysis, Capsa Enterprise makes your network transparent to you, letting you quickly locate network problems and efficiently resolve hidden security troubles. You may install Colasoft Capsa on a laptop and analyze, monitor and diagnose anywhere in your network you want to. Colasoft Capsa analyzes and diagnoses either real-time network traffic or problems in replayed saved packet files. To realize accurate problem location and efficient analysis, you can use application analysis profile to lock down problems in real time. Colasoft Capsa 7 adopts the new user interface style of Microsoft Office 2007, which intends to display analysis statistics in a more simple, straight and graphical style. The newly organized statistics tabs will really help shorten network engineers' time spent on finding useful information to diagnose the network. The new Dashboard tab gives you enough choices to customize and create almost any kind of statistics graphs you want. Based on the second generation Colasoft Packet Analysis Engine (CSPAE) platform, Colasoft Capsa 7 enhances its performance
193. utton to open the Add Name dialog box, which appears below. 2. Type the address and the name for the address. 3. Click OK on the dialog box and click OK on the Name Table tab. When you do not know the name for the address, you can use the Resolve address button to automatically resolve the address, or when you do not know the address for a name, you can use the Resolve name button to automatically resolve the name. See Address resolution for details. To add a name for a specified address, follow the steps below. 1. Select an address node and click the icon on the toolbar of Node Explorer window or on the toolbar of some statistical views to open the Add Name dialog box. You can also right-click the selected address node and select Add to Name Table to open the Add Name dialog box. 2. Type the name for the address and click OK on the dialog box. For an auto-resolved address, you can also add the name to Name Table by right-clicking the auto-resolved name and selecting Add to Name Table. Address resolution: You can not only add names to Name Table but also use Address Resolver to auto-resolve addresses and names. The Address Resolver appears as below. [Screenshot: Address Resolver, with the columns Address, Name, Status and Name Table Alias]
194. utton to show the lower pane when it is invisible. The TCP Port Scan lower pane provides IP Conversation tab, TCP Conversation tab and UDP Conversation tab. The IP Conversation tab lists all IP address conversations of the node selected on the Worm view. The toolbar and columns are just the same as those on IP Conversation view. See IP Conversation for details. The TCP Conversation tab lists the conversations using TCP protocol of the node selected on the Worm view. The toolbar and columns are just the same as those on TCP Conversation view. See TCP Conversation for details. The UDP Conversation tab lists the conversations using UDP protocol of the node selected on the Worm view. The toolbar and columns are just the same as those on UDP Conversation view. See UDP Conversation for details. You can double-click any item in the conversation lists to view detailed packet information in the Packet window, which is named with the conversation and is just the same as the Packet view. See Packet view for more information. Suspicious Conversation view: The Suspicious Conversation view is only available when you are using the analysis profile of Security Analysis. The conversations with TCP port connected and without corresponding data traffic are identified as suspicious conversations. The program identifies suspicious HTTP conversations, suspicious POP3 conversations, suspicious SMTP conversations and suspicious FTP conversations. Suspicious conv
195. ve as type drop-down list box. Packet Summary. Export Packets. Set Relative Time: your selected item as the reference time point and recalculates the relative time based on the selected. Resolve Address: old the host name of your selected item. With the resolved name you can easily find the machine in your. Add to Name Table: Add an alias for the selected node to the Name Table. Make Graph: Generates a new graph item in Graph tab based on the selected item. Make Alarm: Generates a new alarm item in Alarm Explorer window to alert you to anomalies based on the selected item. Locates the current node in the Explorer. Ping: Invokes the built-in Ping Tool to ping the endpoints. Sends the selected packets to the built-in tool Packet Builder. Select Relative Packets: Highlights the related packets by source, destination, source and destination, conversation or protocol. Hide Selected Packets: Hides the highlighted packets. Hide Unselected Packets: Hides all the packets in the list except the highlighted ones. Unhide All Packets: Shows all hidden packets back to list. Select All: Selects all items in the list. Notes: Makes notes for selected packet. Highlight: Highlights the selected packet. Refresh: Refreshes the current list. Field Decode pane: To view the decode information of the current packet, press the Decode View icon in the toolbar to open the pane, or double-click the packet to open the Packet Deco
196. Capsa Real-time Portable Network Analyzer User Manual, Enterprise Edition. Colasoft, Maximize Network Value. Copyright 2013 Colasoft LLC. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, for any purpose, without the express written permission of Colasoft. Colasoft reserves the right to make changes in the product design without reservation and without notification to its users. Contact Us: Telephone: 800-381-6680 (8:00AM - 6:00PM CST). Sales: sales@colasoft.com. Technical Support: support@colasoft.com. Website: http://www.colasoft.com. Mailing Address: Colasoft LLC, 8177 South Harvard Ave, Suite 101, Tulsa, OK 7413. Contents: Overview; Deployment; Installation environment; Shared network Hub; Switched network managed switches Port mirroring; Switched network unmanaged switches; Connect a TAP with the line to be monitored
197. ysis profile of Security Analysis. If there is an item on this view, it means that the listed computers have been compromised and been manipulated to join in an attack of some remote or local sites. A compromised machine like this is called a botnet. A botnet consumes the network bandwidth dramatically. DoS attackings are identified according to default setting values, and you can also customize these values to let the program find out the root of the problem more accurately. See DoS attacking settings for details. The DoS Attacking view will not be available when you select any nodes on the Protocol Explorer and all nodes except IP address nodes on the Physical Explorer. This view lists the IP addresses and their traffic information of the hosts which may perform DoS attack. You can double-click any item on the list to view detailed packet information in the Packet window, which is named with the node and is just the same as the Packet view. See Packet view for more information. Toolbar: The following table lists and describes the items on the toolbar of this view. Exports current statistical list as a csv file. Shows or hides the lower pane. Makes a packet filter based on the selected node; see Creating Filters for details. Adds an alias to the Name Table for selected node; see Name Table for details. Locates the selected node in the Node Explorer window. Refreshes the node list or sets display refresh interval by clicking t
