Author: Rick Vanover
July 19, 2009

Test-drive: Colasoft Capsa network analyzer

Having the right tools on the network is critical to a network administrator' s success. In this TechRepublic blog post, IT Jedi Rick Vanover takes a look at the Colasoft Capsa tool for network analytics.

Recently, I had a chance to evaluate the Colasoft network analyzer or Capsa. Capsa offers a lot of features in a small package, though the network analyzer field is very crowded. One thing that can differentiate a network tool is ease of use. While test-driving Capsa on my lab network, I immediately saw a message coming in through a conversation detail indicating an incorrect network configuration, shown in Figure A.

Sure enough, this message quickly pointed out that the host was incorrectly configured to look to for the default gateway and DNS server. So, right away, Capsa saved me needless broadcasts on my network by identifying this issue on one host.

But what else did I see with the tool? Well, of course, I confirmed again that my Yahoo Instant Messenger traffic is sent plain text -- we all knew that, right? The Capsa tool identified remote desktop connectivity on port 3389 TCP from my Windows 7 host (rick-vanover-w7) to the system mentioned above with the incorrect default gateway and DNS configuration. Figure B shows this traffic pattern.

The capture worked pretty good; the next observation I had is that I was able to see Windows file sharing going on between two hosts. This is important as it may be a way to determine if any authorized peer-to-peer file exchanges are occurring. Here is a capture from the Capsa system; notice the Windows 7 host mentioned earlier copying a file from a file and print resource. Figure C shows this traffic pattern with the highlighted row.

This traffic was expected, but it can be monitored in ways such as this to capture the traffic patterns to identify unauthorized file exchanges.

How do you go about monitoring your traffic? Do you want to see more of the Capsa tool? There are a lot of filters, address tools, protocol awareness configuration, and other parts to the product.