Colasoft Capsa Network Analyzer

Capsa Portable Network Analyzer

Monitor, Analyze, Troubleshoot your Wired & Wireless Network

Capsa is a tremendously powerful and comprehensive packet capture and analysis solution with an easy to use interface allowing both veteran and novice users the ability to protect and monitor networks in a critical business environment. Capsa aids in keeping you assessed of threats that may cause significant business outage.
Starts at $995

Capsa is a portable network analyzer application for both LANs and WLANs which performs real-time packet capturing capability, 24x7 network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis. Capsa's comprehensive high-level window view of entire network, gives quick insight to network administrators or network engineers allowing them to rapidly pinpoint and resolve application problems. With the most user-friendly interface and the most powerful data packet capture and analysis engine in the industry, Capsa is a necessary tool for network monitoring.

Capsa Enterprise

Capsa Enterprise, a flagship product of Colasoft, is designed for small business as well as enterprise users. Capsa performs network monitoring, troubleshooting and analysis for both wired & wireless networks including 802.11a/b/g/n. Whether you're a veteran with years of experience or new to network monitoring, if your requirements are to identify, diagnose, and solve network problems quickly, or monitoring user activity on your network, or you just need to ensure that the corporation's communications assets are safe, Capsa Enterprise is a must have network management tool.

Key Features of Capsa Enterprise:

Real-time Packet Capture

Real-time packet capture as well as the ability to save data transmitted over local networks, including wired network and wireless network like 802.11a/b/g/n.

Advanced Protocol Analysis

Identify and analyze 1040 protocols and sub-protocols, including VoIP, as well as network applications which are based on the protocol analysis.

User-friendly Dashboard

Easy to use Overview Dashboard allows you to view network statistics at a single glance, allowing for quick interpretation of network utilization data.

Multiple Network Behavior Monitoring

E-mail and instant messaging traffic can be monitored and stored, helping identify security and data handling violations.

Quickly Pinpointing Network Problems

Suspicious hosts can be detected and diagnosed enabling you to pinpoint network problems in seconds.

Extensive Statistics of Each Host

Map the traffic, IP address, and MAC of each host on the network, allowing for easy identification of each host and the traffic that passes through each.

Capsa Enterprise is the most robust packet sniffer and packet analysis application available. Capsa's Overview Dashboard and drill down functionality make it easy enough for a SOHO Network Manager but powerful enough for a Distributed Enterprise Network Engineer.

VoIP Analysis

By capturing and analyzing VoIP calls and displaying results, IT staff could baseline and troubleshoot VoIP-based networks.

Notifying Alarms by Emails & Audio

By sending an emails or play sounds, when an alarm is triggered.

Task Scheduler

It helps to run packet capture and analysis at pre-defined time automatically, which can be scheduled to run one time, daily or weekly.

TCP Flow Analysis

TCP packets reveal information to troubleshoot slow network, like slow website response, CRM transactions and downloading, etc.

Network Security Analysis

Accurately detects DoS (DDoS) attack, Worm activity, ARP attack, TCP port scanning and suspicious conversation and locates the source and target in real-time.

Versatile Traffic & Bandwidth Statistics

Monitors Network traffic and Network bandwidth details in graphs and numbers.

Network Protocol Analysis

Being able to support more than 300 protocols, Capsa make it easy to analyze protocols in network and understand what is happening.

In-depth Packet Decoding

It captures all network packets transmitted on network and displays detailed packet decoding information in Hex, ASCII and EBCDIC.

Multiple Network Behavior Monitoring

Monitors HTTP, Email, DNS, FTP, MSN and Yahoo! Messenger.

Extensive Statistics of Each Host

Lists all hosts in network with details (traffic, IP, MAC, etc.).

Automatic Expert Network Diagnosis

Automatically diagnoses network problems and suggests solutions.

Visualized Connections in Matrix

Visualizes the entire network in an ellipse, showing connections and traffic.

Powerful Conversation Analysis

Monitors all conversations and reconstruct packet stream.

Useful & Valuable Built-in Tools

Free built-in tools to create and replay packets; scan and ping IPs.

Quick & Intuitive Report

Quickly generates reports of most concerned items.

Software Systems

  • Windows Server 2008, 64bit Edition
  • Windows Vista, 64bit Edition
  • Windows 7, 64bit Edition
  • Windows 8, 64bit Edition
  • Windows 10, 64bit Edition
Relied Browser:
  • Internet Explorer 6.0 or higher

Hardware Requirements

Minimum Requirements:
  • CPU: P4 2.8GHz
  • RAM: 2GB
  • Internet Explorer 6.0
Recommended System:
  • CPU: Intel Core Duo 2.4GHz
  • RAM: 4GB or more
  • Internet Explorer 6.0 or higher
Supported Network
  • Ethernet
    Capsa will run with a NDIS 3 or higher compatible Ethernet, Fast Ethernet, or Gigabit promiscuous mode network adapter. Promiscuous mode is the ability to have Capsa take over the driver and put it into a mode that will allow it to passively capture all packets on an Ethernet wire, regardless of the address to which they are being sent/received.

  • Wireless
    Colasoft has tested adapters based on Atheros, Ralink, Marvell and Intel chipsets. Other wireless cards may work with this version to the same degree that they worked in prior versions.

  • Recommended wireless network adapters:
    Atheros AR7015, AR6004, AR9380, AR9382, AR9390, AR9485, AR9462, AR958x
    Intel 1000, 4965, 5100, 5150, 5300, 5350, 6200, 6250, 6300, 6350, AC 7260, 82579LM
    Realtek RTL8188CU, RTL8192CU, RTL8187
    Broadcom 4313GN, 80211bgn
    TP-Link TL-WDN3200(, TL-822N v2
    D-Link DWA-160 B2(

Key Feature Capsa Enterprise Capsa Professional Capsa Free
    Price $995 $695 Free
    Trial Download Free Trial Free Trial Download
    Monitors WiFi Connections No No
    IP Addresses Monitored Unlimited Unlimited 10
    Session Timeout Length Unlimited Unlimited 4 hours
    Adapter Monitors
    Manually Save Files
    Online Auto-update No
    Run Multiple Projects No
    Support Multiple Adapters No
    Support Network TAP No
    Printing No
    Export Data No
    Log Output Function No
    Fast Speed Packet Replay No
    Process View No
    Application View No
    TCP Port Scan View No No
    VoIP View No No
    Reports No No
    Diagnosis Function No No
    Security Analysis Profile No No
    Custom Reports No No
    Packet Auto-output Function No No
    Auto-Scheduling No No
    ARP Attack View No No
    Worm View No No
    DoS Attacking View No No
    DoS Attacked View No No
    Suspicious Conversation View No No
    Trial Download Free Trial Free Trial Download
    Price $995 $695 Free

How to Decrypt HTTPS Packets with Capsa

With the development of network security, HTTPS is a protocol for secure communication over a computer network and now is widely used on the Internet. As everything in the HTTPS message is encrypted, including the headers, and the request/response load, the analyzer can only know that a connection is taking place between the two parties and their domain names and IP addresses[...]

Read More

Conversation Filter

Working as an IT technician, sometimes it is really necessary to focus on conversations from one certain field. Colasoft Capsa 9.1 provides Conversation Filter to help you to do so. Conversation Filter allows users to filter conversations according to the Address and Port, Location, Conversation Protocol, Conversation Packets, Conversation Content, and Conversation Options [...]

Read More

Document Your Network - Capsa Log View & Output

As a networking manager, it is very important to document network log. By analyzing http log files, you will be able to see if your website blocking strategy is successfully set up; if there are any strange IPs in your network system. Colasoft Capsa enables you to do so with Log View and Log Output features. [...]

Read More

How to Analyze Network Traffic Based on Local Processes

Working as an IT engineer can be a very difficult and challenging task, especially when troubleshooting network problems. As more and more applications were published, and the internet speed goes higher and higher, it is a tough job to analyze the network traffic, even with a traditional packet capturing network analyzer. However, Capsa provides a process analysis feature, which makes the task easy. [...]

Read More

Improve Network Analysis Efficiency with Capsa New Conversation Colorization Feature

Troubleshooting network problems can be a very difficult and challenging task. While most IT engineers use a network analyzer to help solve network problems, when analyzing hundreds or thousands of packets, it can become very hard to locate and further research conversations between hosts. Colasoft's Capsa v8 now introduces a new feature that allows us to highlight-colorize relevant IP conversations in the network based on their MAC address, IP Addresses, TCP or UDP conversations. [...]

Read More

How to Detect Arp Attacks & Arp Flooding

ARP attacks and ARP flooding are common problems small and large networks are faced with. ARP attacks target specific hosts by using their MAC address and responding on their behalf, while at the same time flooding the network with ARP requests. ARP attacks are frequently used for 'Man-in-the-middle' attacks, causing serious security threats, loss of confidential information and should be therefore quickly identified and mitigated. [...]

Read More

How to Detect Routing Loops and Physical Loops with a Network Analyzer

When working with medium to large scale networks, IT departments are often faced dealing with network loops and broadcast storms that are caused by user error, faulty network devices or incorrect configuration of network equipment. Network loops and broadcast storms are capable of causing major network disruptions and therefore must be dealt with very quickly. [...]

Read More

Migrating Capsa Configuration Files

Capsa Professional and Capsa Enterprise packet capture application provides the ability feature to backup configurations, including analysis profile settings and network profile settings. [...]

Read More

How to Capture Wireless Network Traffic

As an innovative and high quality network analysis solution, Capsa network analyzer is not only designed to monitor and analyze wired network traffic, but also for wireless LAN traffic, including 802.11 a/b/g/n networks. [...]

Read More

How to Monitor Network Packet Loss

When data is transmitting over computer network, one or more packets may fail to reach their destinations, and this is packet loss. [...]

Read More

Task Scheduler: Auto-Run Packet Capture

Task scheduler provides the ability to run packet capture and analysis at pre-defined time automatically, which can be scheduled to run one time, daily or weekly [...]

Read More

Powerful TCP Flow Analysis

TCP packets reveal useful information to help us troubleshoot slow network, especially for the cases like slow website response, slow CRM transactions and slow downloading or uploading, etc [...]

Read More

How to Monitor Network Traffic

As a network analyzer (aka. packet sniffer & protocol analyzer), Capsa make it easy for us to monitor and analyze network traffic in its intuitive and information-rich tab views. With Capsa's network traffic monitor feature, we can quickly identify network [...]

Read More

Troubleshoot ARP Attacks with Colasoft Capsa

ARP, because of its simpleness, fastness, and effectiveness, is becoming increasingly popular among internet raggers, thus causing severe influence to the internet environment. With Colasoft Capsa, we can quickly and accurately locate ARP source [...]

Read More

How to Analyze Network Utilization Rate

Network utilization rate is the ratio of current network traffic to the maximum traffic that the port can handle. It indicates the bandwidth use in the network. High network utilization rate indicates the network is busy whereas low utilization rate indicates the network is idle [...]

Read More

How to Monitor MSN & Yahoo! Messenger

With Colasoft Capsa, you can monitor not only the original logs of HTTP Requests, Email Messages, FTP Transfers and DNS Queries, but also the real-time activities and detailed messages of four most poplar instant messengers: MSN and Yahoo Messenger [...]

Read More

24x7 Network Monitoring with Colasoft Capsa

As a delicate work, network analysis always requires us to view the original packets and analyze them. However, not all the network failures can be found in a very short period. Sometimes network analysis requires long time monitoring and must be based on the baseline of normal network [...]

Read More

Powerful Protocol Analyzer - Capsa

By analyzing network protocol distribution and learning what protocols are being used in the network, we can quickly find out what host is doing what activity [...]

Read More

Find Reasons for Slow Network with Colasoft Capsa

Slow network is a common phenomenon. For the diversity of the reasons causing slow network, to troubleshoot slow network is one of the most common and troublesome work in daily network management [...]

Read More

Learn more >

Shared network and switched network are two common network environments today, before install Colasoft Capsa, you should first know about the topology of your network.

  • Shared network
    A shared network is also known as hubbed network which is connected with a hub.

    Hubs are commonly used to connect segments of a LAN. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets. A passive hub serves simply as a conduit for the data, enabling it to go from one device (or segment) to another. So-called intelligent hubs include additional features that enable an administrator to monitor the traffic passing through the hub and to configure each port in the hub. Intelligent hubs are also called manageable hubs. A third type of hub, called a switching hub, actually reads the destination address of each packet and then forwards the packet to the correct port.

    With a shared environment, Colasoft Capsa can be installed on any host in LAN. The entire network data transmitted through the Hub will be captured, including the communication between any two hosts in LAN.

    Topology illustration 1:

  • Switched network
    Switch is a network device working on the Data Link Layer of OSI. Switch can learn the physical addresses and save these addresses in its ARP table. When a packet is sent to switch, switch will check the packet’s destination address from its ARP table and then send the packet to the corresponding port.

    • Network with managed switches
      Generally all three-layer switches and partial two-layer switches have the ability of network management; the traffic going through other ports of the switch can be captured from the debugging port (mirror port/span port) on the core chip. To analyze the traffic going through all ports, Colasoft Capsa should be installed on this debugging port (mirror port/span port).

      The following table presents the advantages and disadvantages of using a switch with mirror port.

      Advantage Disadvantage
    • No additional facility required
    • No need to change network topology
    • Occupies a switch port
    • Possible influence to network transmission performance when meeting huge traffic
    • Topology illustration 2:

  • Network with unmanaged switches
    If your switch has no management function, you can:

    • Connect a tap with the line to be monitored
      Taps can be flexibly placed on any line in network. When the requirement for network performance is very high, you can add a tap to connect your network. The following table presents the advantages and disadvantages of using a tap.

      Advantage Disadvantage
    • No influence to network transmission performance
    • No interference with data stream and raw data
    • Does not occupy IP address, free from network attacks
    • No need to change network topology
    • High cost
    • Additional facility (tap) required
    • Requires dual adapters
    • Can not connect Internet
    • Topology illustration 3:

  • Connect a hub with the line to be monitored
    Working on share mode, hubs are applicable for small networks.

  • Advantage Disadvantage
  • Low cost
  • No need to be configured
  • No need to change network topology
  • Additional facility (hub) required
  • Interference to network transmission performance when meeting huge traffic
  • Not applicable for big networks
  • Topology illustration 4:

  • Monitoring a network segment
    In the case when you only need to monitor the traffic in a network segment (e.g. Finance department, Sales department, etc.), you can connect the server on which Colasoft Capsa is installed and the network segment with a exchange facility. The exchange facility can be hub, switch or proxy server.

    Topology illustration 5:

  • Note: Commonly management switches have the function of port mirroring (spanning); however, the port mirroring configuration of one brand’s switch may differ from others, please refer to the documentation that comes with your switch for information on the availability of this feature and the configuration instructions. For the information about management switches, please visit the "Switch Management" page.

    Want to Know More About Capsa

    Capsa is an expert network analyzer which helps network specialists detect and troubleshoot network problems, improve network performance, and enhance network security.

    With the abilities of real time packet capture, accurate protocol decoding and analysis, automatic network events diagnosis, combined powerful filters and statistic information of global network, Capsa quickly and efficiently lets you find what you want in your network.

    Network engineers & administrators - monitor network activities and troubleshoot network problems.
    Network application developers - troubleshoot and debug network applications.
    Teachers and students of network class - demonstrate network protocol structures and network theories.
    Parents - monitor children's email, web browsing and instant messenger talks.

    The Free Edition is provided to SMB with limited budget for a professional network analyzer to help their network administrators troubleshoot their network, and network training organizations and students to teach and learn network knowledge. Read Compare Editions for details

    No. Capsa itself only passively captures network traffic of your selected network adapters and it doesn't send any packets to your network.

    Please first figure out on what device you connect the machine with Capsa installed. If it's a HUB, you can see all traffic in that network. If a switch, check out whether its port mirroring powered.

    If the switch supports port mirroring, you just need to configure it to copy all traffic to your computer. If the switch doesn't support port mirroring, you may need to invest in a cheap HUB or TAP or switch with port mirroring function.

    To troubleshoot network problems, you should have basic knowledge of network protocols and know how the network devices work.

    If you just want to use Capsa for simple missions like monitoring network utilization, web browsing, email messages and IM talks, you don't have to go that far into network theory.

    Have Problem While Installation

    Yes. Besides Windows 7, you can read this document for more details about Capsa's specifications.

    50-Node-Limit means the Free Edition analyzes traffic of the first 50 captured local IP addresses (broadcast IP addresses and multicast IP addresses are not included) in your network by a default Serial Number. The other local IP addresses captured later on will be grouped into the Exceed Limit Group.

    The tabs in the main view will be disabled while any node in this group selected.

    To use Capsa Free, you are required to apply a Serial Number on this page.

    It may take a while to deliver the email to your mailbox. If you don't see the email in 15 minutes, please try another email address.

    When installing Capsa, if you get errors like "procedure entry point could not be located in the dynamic link library", please try to uninstall Capsa first and then install it again

    According to our license policy, one license can only be activated on one machine or one OS. If you want to reinstall Capsa on a new machine or on the same machine which is reinstalled with a new OS, there will be a notice: You have reached your installation limits. You should completely uninstall Capsa previously installed and then install it on a new machine or new OS, or you can just contact us for help.

    The error "invalid or corrupt signature" is probably caused by the operating system itself or browser settings.

    As a solution, please open the file folder containing the installation package and double-click to install it. If it still doesn't work, please send the MD5 value of the file to and we will check if the file is downloaded completely.

    Have Problem While Using

    Capsa provides a lot of statistics and functions in a single suite. You may get lost in different tabs when you are running a capture. Please tell yourself what problems you have in your network. Then try to focus on one problem at first.

    Please read your switch's manual or visit its website to learn how to setup port mirroring. Or you may ask their technicians for help.

    Generally, if your adapter supports promiscuous mode it can work well with Capsa. A possible reason is that you didn't connect your machine to the right network device, or misconfigured you switch to see all the traffic on your network. You should read this article to learn how to deploy Capsa.

    The Dashboard is visible only when you select the root node in the Node Explorer. That's because the Dashboard is global, which doesn't belong to any specific node in the Node Explorer. When a node selected in the Node Explorer, only the tabs relating to the selected is visible.

    Capsa is able to monitor the following instant messengers: Microsoft Live Messenger (MSN), ICQ and Yahoo! Messenger.

    You get this error message because you rerun the program too quickly while it is just closed. Therefore, please wait for a while (30 seconds will be enough) to rerun Capsa again after you close it. Or, you can kill the process, named Capsa, in the Task Manager if you need to rerun Capsa immediately.

    To create packet buffer, Capsa require a contiguous block of memory. It has nothing to do with your whole RAM value.

    You should be careful with packet buffer. It reduces the performance of the software. For an analysis mission, 256MB should contain enough packets for you to find out anomalies. If possible, you are recommended to enable the program to save the captured packets to disk if you really don't want to miss anything.

    In order to monitor the traffic for your remote business network, you should install Capsa on a workstation in your business network, and enable the Remote Desktop Access function of that workstation (Windows2000 Terminal Server, TeamViewer, Norton PcAnywhere, VNC Server, etc.), then you can access to Capsa via the local Remote Desktop client program.

    If you are using previous versions of Capsa, please update to the latest version. The previous versions of Capsa may not support the latest network adapter drivers.

    When Capsa captures only part of the traffic, please check following three items:

    1. If Capsa is deployed at the right place.

    As a network analyzer, Capsa captures the traffic that the monitored network adapter delivers. In other words, if the monitored network adapter is used by a machine for network connection, then Capsa captures the traffic of that machine. If the monitored network adapter is connected to the port mirroring destination port of a managed switch and the destination port gets a copy of the whole network, then Capsa captures the traffic of the whole network. For information on how to deploy Capsa, please refer to

    2. If the port mirroring is configured correctly.

    If you enable port mirroring function and the cables and network adapters are connected correctly, but you still didn't capture all the traffic, please check if the port mirroring settings are configured without fault. For information on how to configure port mirroring, please refer to

    3. If you enable capture filters.

    If everything works fine but Capsa still capture part of the traffic, please check if you enable any capture filters. Capture filters will screen out the unmatched packets. If you want to capture all packets, you should not enable any capture filters

    Yes. To view the total bandwidth utilization, just go to the Summary view. The column "Utilization" tells the total bandwidth utilization. You can also go to the Dashboard view; the chart "Global - Utilization" shows a trend chart of total bandwidth utilization.

    Please note that, to get an accurate utilization, you should set up an actual bandwidth in the Network Profile Settings dialog box.

    To know the bandwidth utilization of a single machine, just go to the IP Endpoint view. The column "bps" tells the throughput of that machine. You can get the bandwidth utilization of that machine via dividing the network bandwidth by the "bps" figure.

    Yes. To know which websites that an internal IP address visits, just go to the IP Endpoint view, highlight the IP address that you are interested in, then the lower IP Conversation tab shows the websites that the IP address visits.

    Please note that, to show the website domain name instead of IP address, you should enable a network profile and show the IP address as name.

    Yes. To know which websites that an internal IP address visits, just go to the IP Endpoint view, highlight the IP address that you are interested in, then the lower IP Conversation tab shows the websites that the IP address visits.

    Yes, you can use Capsa to replay the packet files saved from Wireshark. The packet files could be .cap, .pcap, and .pcapng formats.

    Please check if there is a crash report file under C:\Users\[username]\AppData\Roaming\Colasoft Capsa - Enterprise Edition\CrashReport. You should get it before re-opening Capsa after the crash happens, or the crash report file will disappear. If there is the crash report file, please send it to us for further research.

    Yes, Capsa is capable of analyzing VoIP traffic, but currently only the traffic of SIP protocol can be analyzed.

    Yes, Capsa supports command lines from v8.1, you can input command lines to run Capsa v8.1 and later versions.

    Yes, if Capsa starts capturing packets before the behavior of domain name resolution of DNS server, it will show it in the form of domain name instead of IP address.