Author: Mark Gibbs

Dec 4, 2006

Capsa captures and cooks net comms

We have tested products from many countries, but today we have a first: a Windows network packet capture and protocol analyzer from China. Capsa Enterprise is made by Colasoft, and we are very impressed.

The core features of Capsa Enterprise provide real-time packet capture, in-depth protocol analysis, automatic network-event diagnosis and reporting. Beyond looking good, what makes this product stand out is the depth and range of the ways it analyzes captured network packets.

Capsa Enterprise monitoring sessions are set up as projects. A project consists of the adapters to be monitored, the filters used to restrict the endpoints and protocols that are tracked, the diagnosis analyzers (routines that watch for and analyze events that are not to specification) that are to be applied and other options.

You can specify how big Capsa's capture buffer should be and whether it is used as a circular (ring) buffer, in which the oldest packets are overwritten once the buffer is full, or as a linear buffer. A linear buffer can behave in one of three ways when it fills: it simply stops capturing; it keeps the packets already buffered and goes on updating its statistics for new packets, which are then dropped; or it dumps the entire buffer, keeps the statistics gathered up to that point, and starts refilling the buffer.
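To make the difference between those buffer modes concrete, here is an added example that models a fixed-size capture buffer under each of the four overflow policies described above. It is not Colasoft's code; the policy names, the CaptureBuffer class, its statistics layout and the packet stream are assumptions made for illustration.

```python
"""Capture-buffer overflow policies (added example; not Colasoft's code).
The policy names, the CaptureBuffer class and its statistics layout are
assumptions made for illustration of the choices described above."""
from collections import deque
from enum import Enum


class OverflowPolicy(Enum):
    RING = "ring"              # circular: the oldest packets are overwritten
    STOP = "stop"              # linear: capture halts when the buffer fills
    KEEP_AND_DROP = "keep"     # linear: buffer frozen, new packets counted then dropped
    DUMP_AND_REFILL = "dump"   # linear: buffer emptied, counters kept, refilling starts


class CaptureBuffer:
    def __init__(self, capacity_bytes, policy):
        self.capacity = capacity_bytes
        self.policy = policy
        self.packets = deque()     # stored packets, oldest first
        self.used = 0              # bytes currently held
        self.halted = False
        self.seen_packets = 0      # counters survive overflow in every policy but STOP
        self.seen_bytes = 0
        self.dropped = 0
        self.dumps = 0

    def _fits(self, pkt):
        return self.used + len(pkt) <= self.capacity

    def _count(self, pkt):
        self.seen_packets += 1
        self.seen_bytes += len(pkt)

    def offer(self, pkt):
        """Hand one captured packet to the buffer; return True if it was stored."""
        if self.halted or len(pkt) > self.capacity:   # oversized packets never fit
            return False
        if not self._fits(pkt):
            if self.policy is OverflowPolicy.STOP:
                self.halted = True                     # nothing further is captured or counted
                return False
            if self.policy is OverflowPolicy.KEEP_AND_DROP:
                self._count(pkt)                       # statistics keep growing...
                self.dropped += 1                      # ...but the packet itself is lost
                return False
            if self.policy is OverflowPolicy.DUMP_AND_REFILL:
                self.packets.clear()                   # discard everything held so far
                self.used = 0
                self.dumps += 1
            else:                                      # RING: evict oldest until there is room
                while not self._fits(pkt):
                    self.used -= len(self.packets.popleft())
        self._count(pkt)
        self.packets.append(pkt)
        self.used += len(pkt)
        return True

    def stats(self):
        return {
            "held": [p[0] for p in self.packets],  # first byte tags each constructed packet
            "buffered_bytes": self.used,
            "seen_packets": self.seen_packets,
            "seen_bytes": self.seen_bytes,
            "dropped": self.dropped,
            "dumps": self.dumps,
            "halted": self.halted,
        }


def run_policy(policy, packets, capacity_bytes):
    """Feed a packet stream through one policy and return the resulting statistics."""
    buf = CaptureBuffer(capacity_bytes, policy)
    for pkt in packets:
        buf.offer(pkt)
    return buf.stats()


# Constructed sample: five 40-byte packets, tagged 1..5, against a 100-byte buffer (two fit).
SAMPLE_PACKETS = [bytes([tag]) * 40 for tag in range(1, 6)]

if __name__ == "__main__":
    for policy in OverflowPolicy:
        print(f"{policy.name:16} {run_policy(policy, SAMPLE_PACKETS, 100)}")
```

Running the sample stream through each policy shows why the choice matters for an investigation: the ring buffer keeps only the two newest packets, the stop policy keeps the two oldest and freezes every counter, keep-and-drop keeps the two oldest but still counts all five, and dump-and-refill ends up holding just the last packet after two dumps while its counters remain complete.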

While packet capture is proceeding, you can examine the data from multiple viewpoints. The user interface is divided into a Project Explorer panel on the left and a reporting panel on the right.

In the Project Explorer, you can select the entire project or a subset of it by protocol, by physical (MAC) address or by IP address. Each of these groups is broken down further. For example, the protocol group has Ethernet II and Ethernet 802.2 subgroups; Ethernet II in turn has IP and Address Resolution Protocol subgroups, and the IP subgroup has TCP, Internet Group Management Protocol, User Datagram Protocol and Internet Control Message Protocol subgroups, and so on.
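The protocol tree in the Project Explorer is built by decoding each captured frame just far enough to place it under the right branch. The following added example shows that classification for the branches named above; it is not Colasoft's code, and the frame builders, the sample frames and the tree layout are assumptions made for illustration.

```python
"""Protocol-tree classification of raw frames (added example; not Colasoft's code).
The frame builders, sample frames and tree layout are assumptions for illustration."""
import socket
import struct
from collections import Counter

ETHERTYPES = {0x0800: "IP", 0x0806: "Address Resolution Protocol"}
IP_PROTOCOLS = {
    1: "Internet Control Message Protocol",
    2: "Internet Group Management Protocol",
    6: "TCP",
    17: "User Datagram Protocol",
}


def classify(frame):
    """Return the protocol path of one frame, e.g. ('Ethernet II', 'IP', 'TCP')."""
    if len(frame) < 14:
        return ("Runt frame",)
    type_or_length = struct.unpack("!H", frame[12:14])[0]
    if type_or_length < 0x0600:               # IEEE 802.3 length field: 802.2 LLC follows
        return ("Ethernet 802.2",)
    path = ("Ethernet II", ETHERTYPES.get(type_or_length, f"EtherType 0x{type_or_length:04x}"))
    if path[1] == "IP" and len(frame) >= 34:  # minimum IPv4 header after the Ethernet header
        protocol = frame[14 + 9]               # IPv4 protocol field
        path += (IP_PROTOCOLS.get(protocol, f"IP protocol {protocol}"),)
    return path


def build_tree(frames):
    """Count frames at every node of the tree, so each subgroup sums its children."""
    counts = Counter()
    for frame in frames:
        path = classify(frame)
        for depth in range(1, len(path) + 1):
            counts[path[:depth]] += 1
    return counts


# Constructed frame builders; addresses and payloads are arbitrary.
def ethernet(ethertype, payload, src=b"\x00\x11\x22\x33\x44\x55", dst=b"\xff" * 6):
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(protocol, payload, src="10.0.0.1", dst="10.0.0.2"):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


SAMPLE_FRAMES = [
    ethernet(0x0800, ipv4(6, b"\x00" * 20)),                 # TCP
    ethernet(0x0800, ipv4(6, b"\x00" * 20)),                 # TCP
    ethernet(0x0800, ipv4(17, b"\x00" * 8)),                 # UDP
    ethernet(0x0800, ipv4(1, b"\x08\x00" + b"\x00" * 6)),    # ICMP echo request
    ethernet(0x0806, b"\x00" * 28),                          # ARP
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", 3) + b"\xaa\xaa\x03",  # 802.3 length + 802.2 LLC
]

if __name__ == "__main__":
    for node, n in sorted(build_tree(SAMPLE_FRAMES).items()):
        print("  " * (len(node) - 1) + f"{node[-1]}: {n}")
```

The decision that separates the two top-level branches is the two-byte field after the source address: a value of 0x0600 or more is an Ethernet II type, anything smaller is an 802.3 length field with an 802.2 LLC header behind it. Counting every prefix of a frame's path is what makes the parent counts in the tree equal the sum of their children.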

When you select a group, a subgroup or a final item (a protocol, a physical connection or an IP address), the reporting window displays the related data. You select the views of the data by tabs.

The Summary tab shows, for example, an analysis of packet sizes; and traffic inflow and outflow in bytes, packets, utilization, bits per second and packets per second.

The Diagnosis tab shows notable events, classified as notices, information, warnings or critical events. A summary at the top of the pane is divided into sections covering all events, application events only, transport events only and network events only, and lists each observed type of event along with the number of times it was seen.

Clicking on an event section or specific type lists all observed events in detail in a tabbed subpane below the summary. When an event type is selected, a new tab appears in this subpane and shows the explanation of the event.

Double-clicking on an event will bring up a protocol-decoder window that breaks the packets down to bit level.

Other tabs are for analyzing endpoints, protocols and conversations, and for listing packets and logs.

Capsa Enterprise includes Packet Builder, which helps you create custom packets, and Packet Player, which transmits packets. There's also a MAC scanner and a ping tool. The combination of Capsa Enterprise and its bundled tools provides just about all the tools you need for exercises such as intrusion testing and performance analysis.

Capsa Enterprise pricing starts at $499 for a single-user license without maintenance. A simpler Professional Edition starts at $299 without maintenance. It supports only projects with one Ethernet adapter and leaves out such features as reporting and graphing.

Bottom Line: Capsa Enterprise is an enormous, well-engineered, technical and highly professional product that provides almost everything you could want for network and protocol analysis and reporting at a reasonable price.