Author Archive


November 10th, 2015 No comments

ARP attacks and ARP flooding are common problems that both small and large networks face. ARP attacks target specific hosts by using their MAC address and responding on their behalf, while at the same time flooding the network with ARP requests. ARP attacks are frequently used for ‘Man-in-the-middle’ attacks, causing serious security threats and loss of confidential information, and should therefore be quickly identified and mitigated.

During ARP attacks, users usually experience slow communication on the network, especially when communicating with the host that is being targeted by the attack.

In this article, we will show you how to detect ARP attacks and ARP flooding using a network analyzer such as Colasoft Capsa.

Colasoft Capsa has one great advantage – the ability to identify and present suspicious ARP attacks without any additional processing, which makes identifying, mitigating and troubleshooting much easier.

Download your copy of Colasoft Capsa and discover how easy it is to identify network & security related problems.

The Diagnosis tab provides real-time information and is extremely handy in identifying potential threats, as shown in the screenshot below:


Figure 1. ARP Scan and ARP Storm detected by Capsa’s Diagnosis section.

Under the Diagnosis tab, users can click on the Events area and select any suspicious events. When these events are selected, analysis of them (MAC address information in our case) will be displayed on the right as shown above.

In addition to the above analysis, Capsa also provides a dedicated ARP Attack tab, which is used to verify the offending hosts and type of attack as shown below:


Figure 2. ARP Attack tab verifies the security threat.


We can extend our investigation with the use of the Protocol tab, which allows us to drill into the ARP protocol and see which hosts’ MAC addresses are involved in heavy ARP protocol traffic:


Figure 3. Drilling into ARP attacks.

Finally, double-clicking on a MAC address in the ARP Protocol section will show all packets related to the selected MAC address.

When double-clicking on a MAC address, Capsa presents all packets captured, allowing us to drill down to more useful information contained in the ARP packet.


Figure 4. Drilling-down into the ARP attack packets.

By selecting the Source IP in the lower window of the selected packet, we can see the fake IP address. This means that any host on the network responding to this packet will be directed to an incorrect and non-existent IP address, indicating an ARP attack or flood.
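The three symptoms described above (an ARP scan, an ARP storm and a reply that claims an address another host already answered for) can also be flagged from raw frames. This is an added example, not code from the article or from Capsa; every frame, MAC and IP in it is constructed for the demonstration.

```python
"""Added example, not from the article: a small detector for the ARP
symptoms the article describes (ARP scan, ARP storm and spoofed replies),
working on raw Ethernet/ARP frames.  All frames below are constructed here,
not captured from a real network; MACs and IPs are made up."""
import socket
import struct
from collections import Counter, defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return socket.inet_aton(text)


def build_arp(sha, spa, tpa, op=ARP_REQUEST, tha=b"\x00" * 6):
    """Construct an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    eth = struct.pack("!6s6sH", dst, sha, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields of a frame; return None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def analyse(frames, window_s, scan_targets=20, storm_pps=100):
    """Return sorted (finding, subject) pairs for one capture window of window_s seconds.

    arp_scan : one sender asked for at least scan_targets distinct IPs
    arp_storm: one sender's request rate reached storm_pps requests per second
    arp_spoof: replies from more than one MAC claimed the same IP
    """
    requests = Counter()         # sender MAC -> ARP requests sent
    targets = defaultdict(set)   # sender MAC -> distinct IPs asked for
    claims = defaultdict(set)    # claimed IP -> MACs that answered for it
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        if arp["op"] == ARP_REQUEST:
            requests[arp["sha"]] += 1
            targets[arp["sha"]].add(arp["tpa"])
        elif arp["op"] == ARP_REPLY:
            claims[arp["spa"]].add(arp["sha"])

    findings = []
    for sender, count in requests.items():
        name = ":".join(f"{b:02x}" for b in sender)
        if len(targets[sender]) >= scan_targets:
            findings.append(("arp_scan", name))
        if count / window_s >= storm_pps:
            findings.append(("arp_storm", name))
    for claimed, macs in claims.items():
        if len(macs) > 1:
            findings.append(("arp_spoof", socket.inet_ntoa(claimed)))
    return sorted(findings)


# Constructed sample: one normal request/reply exchange, then a sweep of the
# whole 10.0.0.0/24 within a one-second window from a single MAC, and a reply
# in which that same MAC claims the gateway's address.
GATEWAY_MAC, GATEWAY_IP = mac("00:11:22:33:44:01"), ip("10.0.0.1")
VICTIM_MAC, VICTIM_IP = mac("00:11:22:33:44:10"), ip("10.0.0.16")
ROGUE_MAC, ROGUE_IP = mac("de:ad:be:ef:00:01"), ip("10.0.0.200")


def sample_traffic():
    frames = [build_arp(VICTIM_MAC, VICTIM_IP, GATEWAY_IP),
              build_arp(GATEWAY_MAC, GATEWAY_IP, VICTIM_IP, ARP_REPLY, VICTIM_MAC)]
    frames += [build_arp(ROGUE_MAC, ROGUE_IP, ip(f"10.0.0.{h}")) for h in range(1, 255)]
    frames.append(build_arp(ROGUE_MAC, GATEWAY_IP, VICTIM_IP, ARP_REPLY, VICTIM_MAC))
    return frames


def demo():
    return analyse(sample_traffic(), window_s=1.0)


if __name__ == "__main__":
    for finding, subject in demo():
        print(f"{finding:<10} {subject}")
```

The thresholds are starting points; on a real segment, tune them against a baseline capture taken when the network is known to be healthy.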


If you’re a network administrator, engineer or IT manager, we strongly suggest you try out Colasoft Capsa today and see how easily you can troubleshoot and resolve network problems and security threats such as ARP Attacks and ARP Flooding.



Capsa network analyzer review

October 12th, 2015 No comments

Capsa network analyzer review from

Capsa is a powerful network analyzer for Ethernet analysis, troubleshooting and monitoring. Not only does it provide users with a series of powerful features that help them learn more about improving network security, pinpoint network issues and monitor network activities, but it also features a user-friendly interface that makes using it a breeze. The software is generally targeted at computer professionals and/or teachers who want to learn more about networking technology, protocols, monitoring and security.


Real time monitoring

As a packet sniffer, Capsa is capable of real-time packet monitoring and can also present the data visually, using logs and a GUI, for future reference. Given that the software is capable of easily analyzing and diagnosing problems on a network, it can tell the user in minutes what is causing it to be slow, or whether an attack may be the culprit for its poor performance.

In identifying network issues, Capsa can find the top ten local hosts that slow down the network and can also detect whether someone is using a BitTorrent client to download files off the web, which is obviously a prime cause of slow network performance.

Safety and security

Should an attack be responsible for the network’s poor performance, the software will immediately locate the packet info and source codes from the host so that the admin can promptly begin investigating the issue. There are 2 types of worms the software can locate: operating system worms and E-mail worms. This functionality is paramount in identifying the infected computers, which eventually allows the admin to fix these issues.

Available filters

In order to be able to focus on specific packets, administrators can use a wide range of filters right from Capsa’s dashboard. For instance, admins can monitor HTTP requests, E-mail messages and real-time messages from the 4 most popular IM apps, including YM, ICQ, AIM and MSN.

Other features

There are of course many other features that Capsa incorporates, such as the ability to generate reports of a certain group or global networks automatically, but also customize the data on different charts. As a network administrator, you can also use the software to remotely monitor traffic by installing the application on the business network (on a workstation of course) and using the Remote Desktop Access function.


All in all, Capsa is by far one of the most reliable and simply the best network analyzers out there. Not only does it offer a wide range of improvements that make using it a breeze, but it makes it very easy for anyone who uses it to find the info they need. On top of that, thanks to functions such as reports, Matrix and Diagnosis, it definitely stands out from the large crowd of similar programs available today.


Improve Network Efficiency With Colasoft Capsa Conversation Colorization Feature

October 10th, 2015 No comments

Troubleshooting network problems can be a very difficult and challenging task. While most IT engineers use a network analyzer to help solve network problems, when analyzing hundreds or thousands of packets it can become very hard to locate and further research conversations between hosts. Colasoft’s Capsa v8 now introduces a new feature that allows us to highlight (colorize) relevant conversations in the network, whether MAC, IP, TCP or UDP conversations.

Download your copy of Colasoft Capsa v8 and discover how easy it is to identify network related problems.

This great new feature allows IT engineers to quickly find the related packets of the conversations they want to analyze, using just a few clicks.

As shown in the screenshot below, users can colorize any Conversation in the MAC Conversation View, IP Conversation View, TCP Conversation View and UDP Conversation View. Packets related to that Conversation will be colorized automatically with the same color.

Take TCP conversation for example, choose one conversation, right-click it and choose “Select Conversation Color” in the pop-up menu:

Figure 1. Selecting a Conversation Color in Capsa v8.0

Next, select the color you wish to use to highlight the specific conversation:

Figure 2. Selecting a color

Once the color has been selected, Capsa will automatically find and highlight all related packets of this conversation using the same background color:

Figure 3. Colasoft Capsa automatically identifies and highlights the conversation

The relevance between a conversation and its packets is enhanced by colorizing packets which greatly improves analysis efficiency.

If you’re a network administrator, engineer or IT manager, we strongly suggest you try out Capsa and see how easily you can discover and resolve network problems.



How to Use Multi-Segment Analysis to Troubleshoot Network Delay and Packet Loss

October 8th, 2015 No comments

Troubleshooting network problems can be a very intensive and challenging process. Intermittent network problems are even more difficult to troubleshoot, as the problem occurs at random times with a random duration, making it very hard to capture the necessary information, perform troubleshooting, and identify and resolve the network problem.

While Network Analyzers help reveal problems in a network data flow, they are limited to examining usually only one network link at a time, thus seriously limiting the ability to examine multiple network segments continuously.

Colasoft’s nChronos is equipped with a neat feature called multi-segment analysis, providing an easy way for IT network engineers and administrators to compare the performance between different links. IT network engineers can improve network performance by enhancing the capacity of the link according to the comparison.

Let’s take a look at how we can use Colasoft nChronos’s multi-segment analysis feature to help us detect and deal effectively with our network problems.

Multi-segment analysis provides concurrent analysis for conversations across different links, from which we can extract valuable information on packet loss, network delay, data retransmission and more.

To begin, we open nChronos Console and select a portion of the trend chart in the Link Analysis window, then from the Summary window below, we right-click one conversation under the IP Conversation or TCP Conversation tab. From the pop-up menu, select Multi-Segment Analysis to open the Multi-Segment Analysis window:

Figure 1. Launching Multi-Segment Analysis in nChronos

In the Multi-Segment Analysis window, select a minimum of two and maximum of three links, then choose the stream of interest for multi-segment analysis:

Figure 2. Selecting a stream for multi-segment analysis in nChronos

When choosing a conversation for multi-segment analysis, if any of the other selected network links carries the same conversation, it will be selected and highlighted automatically. In our example, the second selected link does not carry the same data as the primary selected conversation, and therefore there is no data to display in the lower section of the analysis window.

Next, click Start to Analyze to open the Multi-Segment Detail Analysis window, as shown in the figure below:

Figure 3. Performing Multi-Segment analysis in nChronos

The Multi-Segment Detail Analysis section on the left provides a plethora of parameter statistics (analyzed below), a time sequence chart, and there’s a packet decoding pane on the lower right section of the window.

The left pane provides statistics on uplink and downlink packet loss, uplink and downlink network delay, uplink and downlink retransmission, uplink and downlink TCP flags, and much more.

The time sequence chart located at the top, graphically displays the packet transmission between the network links, with the conversation time displayed on the horizontal axis.

When you click on a packet on the time sequence chart, the packet decoding pane will display the detailed decoding information for that packet.

Using the Multi-Segment Analysis feature, Colasoft’s nChronos allows us to quickly compare the performance between two or more network links. If you’re a network administrator, engineer or IT manager, we strongly suggest you try out nChronos today and see how easily you can discover and deal with network problems.



Colasoft Capsa Free is a comprehensive network analyzer

October 8th, 2015 No comments

By Mike Williams

Colasoft Capsa 8 Free is a powerful tool for monitoring and analyzing network traffic, the free version of an enterprise package normally costing from $695.

The program has a vast and lengthy list of features, yet it’s also accessible to regular users. Just choosing an adapter and clicking “Start” gets you an attractive dashboard, with graphs showing network utilization, traffic, and top traffic by protocol and domain (keep in mind that Wi-Fi devices can’t be monitored in the free edition).

That’s just the start. Click the Summary tab and you’ll see the data behind the charts, the total numbers of IP and MAC addresses used in this session, the various protocols, DNS queries and responses, SMTP/ POP3/ IMAP 4 connections and a whole lot more.

Maybe you want to zoom in? Choosing one of the Conversation tabs — TCP, say — allows you to drill down, see which packets went to/from which addresses, the packet size, time sent, and more.

Colasoft Capsa 8 Free captures data packets, too, so you’re not restricted to summaries. Selecting any of these items displays the individual packets, and you can choose one, view any text it contains (maybe the password in a POP3 exchange, say). There’s even a detailed breakdown of the exchange, so for example you might view an IP packet to check its IP flags or TTL value.

This level of analysis isn’t just for a few internet standards, either. The program understands and can decode hundreds of protocols, and show you precisely what’s happening in every exchange.

Unsurprisingly, considering the full Enterprise version costs $995, the free build has a lot of restrictions. No monitoring of Wi-Fi devices, only one network adapter may be monitored, only one capture project can be run at a time, that’s limited to 4 hours maximum, only the first 10 private IP addresses will be analyzed, and so on.

Colasoft Capsa 8 Free has more than enough functionality left to make it interesting, though, for everyone from casual users to network experts. Give it a try.


How to Detect Routing Loops and Physical Loops with a Network Analyzer

July 28th, 2015 No comments

When working with medium to large scale networks, IT departments often have to deal with network loops and broadcast storms caused by user error, faulty network devices or incorrect configuration of network equipment. Network loops and broadcast storms are capable of causing major network disruptions and therefore must be dealt with very quickly.

There are two kinds of network loops and these are routing loops and physical loops.

Routing loops are caused by the incorrect configuration of routing protocols where data packets sent between hosts of different networks, are caught in an endless loop travelling between network routers with incorrect route entries.

A Physical loop is caused by a loop link between devices. A common example is two switches with two active Ethernet links between them. Broadcast packets exiting the links on one switch are replicated and sent back from the other switch. This is also known as a broadcast storm.

Both types of loops are capable of causing major network outages, wasting valuable bandwidth and disrupting network communications.

We will show you how to detect routing loops and physical loops with a network analyzer such as Colasoft Capsa or Wireshark.

We’ve selected Colasoft Capsa 8.0 as our preferred packet analyzer because of its new feature that allows the quick diagnosis of routing loops and physical loops.

If there are routing loops or physical loops in the network, Capsa will immediately report them in the Diagnosis tab as shown below. This makes troubleshooting easier for network managers and administrators:


Figure 1. Capsa quickly detects and displays Routing and Physical Loops

Further examination of Capsa’s findings is possible by simply clicking on each detected problem. This allows us to further check the characteristics of the related packets and then decide what action must be taken to rectify the problem.


Let’s take a routing loop as an example. First, find the related conversation using the Filter (red arrow) in the MAC Conversation tab. The MAC addresses can be obtained easily from the notices given in the Diagnosis tab:


Figure 2. Obtaining more information on a Routing Loop problem

Next, double-click the conversation to load all related packets and additional information. Click on Identifier to view the values of all packets under the Decode column, which in our case are all the same. This effectively means that the packets captured in our example are the same packet, continuously transiting our network because it is caught in a loop. For example, Router-A might be sending it to Router-B, which in turn sends it back to Router-A.


Figure 3. Decoding packets caught in a routing loop

Now click on the Time To Live section below, and you’ll see the Decode value decrease gradually. This is because the TTL value is decremented by 1 each time the packet transits a routing device. When the TTL reaches the value of 1, the packet is discarded, which helps avoid ICMP packets travelling indefinitely in case of a routing loop in the network. More information on the ICMP protocol can be found in our ICMP Protocol page:


Figure 4. Routing loop causing ICMP TTL to decrease

The method used to analyze physical loops is almost identical, but the TTL values of all looped packets remain the same instead of decreasing as we saw above. Because the packet is trapped in our local network, it doesn’t traverse a router, and therefore the TTL does not change.

Below we see a DNS Query packet that is trapped in a network loop:


Figure 5. Discovering Network loops and why their TTL values do not decrease
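The Identifier/TTL check done by hand above can be scripted over raw frames: copies of one packet whose TTL keeps dropping mark a routing loop, copies whose TTL never changes mark a physical loop. This is an added example, not code from the article or from Capsa, and it generalises the two cases shown to any duplicated IPv4 packet; all frames and addresses in it are constructed.

```python
"""Added example, not from the article: classify duplicated IPv4 packets the
way the article does by hand in Capsa, using the Identification and TTL
fields.  Copies of one packet whose TTL keeps dropping point to a routing
loop; copies whose TTL never changes point to a physical (switching) loop.
Frames are constructed here, not captured; addresses are made up."""
import socket
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
PROTO_ICMP, PROTO_UDP = 1, 17


def build_ipv4(src_ip, dst_ip, ident, ttl, proto, payload=b""):
    """Construct an Ethernet II frame with a minimal IPv4 header (checksum left 0)."""
    eth = struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, ETH_P_IP)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + hdr + payload


def parse_ipv4(frame):
    """Return the IPv4 fields the loop check needs, or None for non-IPv4 frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    vihl, _tos, _len, ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    if vihl >> 4 != 4:
        return None
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ident": ident, "ttl": ttl}


def classify_loops(frames, min_copies=3):
    """Group frames by (src, dst, protocol, Identification) and label each group
    seen at least min_copies times as a routing loop (TTL strictly decreasing in
    capture order) or a physical loop (TTL identical in every copy)."""
    ttls_by_flow = defaultdict(list)
    for frame in frames:
        pkt = parse_ipv4(frame)
        if pkt is not None:
            key = f'{pkt["src"]}->{pkt["dst"]} proto {pkt["proto"]} id 0x{pkt["ident"]:04x}'
            ttls_by_flow[key].append(pkt["ttl"])

    verdicts = {}
    for key, ttls in ttls_by_flow.items():
        if len(ttls) < min_copies:
            continue  # a retransmission or two is normal; loops repeat far more
        if all(later < earlier for earlier, later in zip(ttls, ttls[1:])):
            verdicts[key] = "routing_loop"
        elif len(set(ttls)) == 1:
            verdicts[key] = "physical_loop"
    return verdicts


def sample_capture():
    """Constructed capture: an ICMP echo cycling between two routers (TTL 64, 63,
    62, 61), a DNS query replicated between two switches (TTL 128 four times),
    and an ordinary packet seen twice with the same TTL (a plain retransmission)."""
    frames = [build_ipv4("192.168.1.10", "10.10.10.10", 0x1234, ttl, PROTO_ICMP, b"\x08\x00")
              for ttl in (64, 63, 62, 61)]
    frames += [build_ipv4("192.168.1.20", "192.168.1.1", 0x4444, 128, PROTO_UDP, b"\x00" * 8)
               for _ in range(4)]
    frames += [build_ipv4("192.168.1.30", "10.10.10.20", 0x0001, 128, PROTO_UDP)
               for _ in range(2)]
    return frames


def demo():
    return classify_loops(sample_capture())


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{verdict:<14} {flow}")
```

A capture point that sees the packet only on one of the two looping links will observe the TTL dropping by more than 1 per copy, which is why the check asks only that it keep decreasing.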

Advanced network analyzers such as Colasoft’s Capsa allow us to quickly detect serious network problems that can cause network outages, packet loss, packet flooding and more. If you’re a network administrator, engineer or IT manager, we strongly suggest you try out Capsa v8 today and see how easily you can discover and deal with network problems.


Colasoft Announces the Release of Capsa Network Analyzer 8.0

June 17th, 2015 No comments

June 16, 2015 – Colasoft LLC, a leading provider of innovative and affordable network analysis software solutions, today announced the release of the latest version of Capsa network analyzer, a real-time portable network analyzer for wired and wireless network monitoring, bandwidth analysis, and intrusion detection. Capsa Network Analyzer 8.0 is based on the Third-generation Colasoft Traffic Recognition Engine (CSTRE), which substantially improves the accuracy and efficiency of protocol & application recognition.

Two Expert Diagnosis Events are added to Capsa 8.0: Physical Loop Diagnosis and Routing Loop Diagnosis. Capsa 8.0 makes it very easy for network administrators to locate network loop anomalies without looking into packet details. By providing possible reasons and solutions for each Diagnosis Event, it helps network administrators to quickly pinpoint and solve complicated network problems.

Another prominent feature is that packets can be colorized in Conversation Views, including Physical Conversation View, IP Conversation View, TCP Conversation View and UDP Conversation View. The relevance between a session and a packet is enhanced by colorizing packets which greatly improves performance analysis efficiency.

“In addition to concentrated development of new features, we also take great efforts to enhance user experience”, said Brian K. Smith, Vice President at Colasoft LLC, “Upon requests of many users, now Capsa 8.0 can easily be launched by command line. Packet timestamp shift function is added and host names can be resolved actively. Capsa 8.0 now offers the Network Engineer one of the most robust Bandwidth and Packet Analysis tools available”.

Capsa 8.0 is compatible with Windows XP/2003/2008/Vista/Windows 7/Windows 8. A free trial is available for download at:


About Capsa

Capsa is an easy-to-use packet sniffer (network analyzer or network sniffer) for network monitoring and troubleshooting purposes. It performs real-time packet capturing, 24×7 network monitoring, reliable network forensics, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. By giving you insights into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify network bottleneck and bandwidth use, and detect network vulnerabilities.


About Colasoft

Since 2001, Colasoft, an Oklahoma Company, has been an innovative provider of all-in-one and easy-to-use software solutions for users to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Currently, more than 5,000 customers in over 90 countries trust the company’s flagship product, Capsa Packet Sniffer, as their network monitoring and troubleshooting solution. Please visit for more information.

Categories: News & Events

Find Out Who’s Eating Your Bandwidth With These Tips

June 3rd, 2015 No comments

Click….wait. Click….wait. Click….ARG! Sound familiar? That’s the sound of someone running out of Internet bandwidth.

A lot of things can drain away the capacity of that pipe that connects your computer to the Internet. It could be other people or devices on your network, or it could even be malicious applications or services running on the PC itself. The problem can get so bad that some people will toss out their computer and buy a new one.

It doesn’t have to be that way. While the problem could be coming from anywhere, it isn’t impossible to troubleshoot if you know where to look, what tools to use, and what to do when you find the culprit. In this article, I’m going to give you a hand and walk you through the process of tracking down that bandwidth hog and shutting him down.

Track Down The Bandwidth Bandit Via Your Router

You could start just about anywhere when it comes to isolating the bandwidth hog on your network or inside your computer, but in order to grab at the low-hanging fruit, it’s best to start with your network. A few of the solutions below can focus in on a culprit quickly and resolve your problems immediately. So why waste time troubleshooting your own computer before canceling out the external issues as a possibility?

The first and quickest way to check what’s connected to your Internet through your router is the DHCP Client table. Each router is a little different, so you may need to search for which menu the table comes under. For Linksys, it’s typically under the “Status” Tab, and then the “Local Network” menu item.


Next, just click the “DHCP Client Table” button, and that’ll take you to a list of all clients that are currently logged into your network. Are there any there that you don’t recognize? If so, there could potentially be a neighbor that’s drawing out much of your bandwidth.



All you have to do to put an end to it is click on the “Delete” button to the right of that client. Just be careful not to inadvertently delete one of your own clients, because to reconnect to the network with that device, you may need to re-enter your security password again. Not a big deal, just a hassle.

Use Third Party Utilities To Unravel Bandwidth Problems

Another option is to turn to software tools that can reach out and monitor devices on your network. One of those utilities is a free app called Capsa, which Matt actually mentioned in his Guide to Home Networking.

Capsa is really impressive, and it’s hard to believe that it’s free software. Running Capsa, you can see traffic on your network and associated data transfer rates to and from the various hosts, which you can find under the “Protocol” tab once you press “Start” on the main welcome screen.


This is even better organized on the IP Endpoint tab, which lines up all of the hosts in one area and then in the lower pane, shows you all of the remote IP connections of the host you selected in the top pane. By the way, this is a great way to check out what your kids are up to on your network without actually installing monitoring software on their computer.


Capsa is by far my favorite. This is similar to using another bandwidth monitoring app I covered recently called NetworkMiner, except that Capsa is less about network hacking and packet sniffing, and more about monitoring your network for activities and different traffic protocols. Either application would serve you well, though.


Categories: Tips & How-tos


May 29th, 2015 No comments

If you’re tired of setting up SPAN sessions to capture network traffic transiting your network and Cisco router, it’s time to start using Cisco’s Embedded Packet Capture (EPC), available from IOS 12.4.20T and above. We will show you how to configure Cisco’s Embedded Packet Capture to capture packets transiting a Cisco router, save them to its flash disk or export them directly to an ftp/tftp server for further analysis with the help of a packet analyzer such as Colasoft Capsa or Wireshark.

We’ve selected Colasoft Capsa as our packet analyzer because of its amazing breakdown and presentation of captured packets.

Finally, we’ve also included a number of useful Embedded Packet Capture troubleshooting commands to monitor the status of the capture points and memory buffer.

Let’s take a look at some of the basic features offered by Embedded Packet Capture:

  • Capture IPv4 and IPv6 packets in the Cisco Express Forwarding path
  • Ability to specify various capture buffer parameters
  • Export packet captures in PCAP format, enabling analysis with external tools such as Colasoft Capsa or Wireshark
  • Display content of the capture buffer
  • Granularity of captured packets via Standard or Extended Access Control Lists (ACLs)


Figure 1. Understanding Basic Embedded Packet Capture Terminology

Before we dive into the configuration of Cisco EPC, let’s explain the two terms used during the EPC configuration: Capture Buffer & Capture Point. We’ll use figure 1 to help illustrate the terms.


Capture buffer is an area in memory for holding packet data. There are two types of Capture Buffers: Linear and Circular.

Linear Capture Buffer: When the capture buffer is full, it stops capturing data.
Circular Capture Buffer: When the capture buffer is full, it continues capturing data by overwriting older data.


Capture point is a traffic transit point where a packet is captured. Capture points need to define the following:

  • IPv4 or IPv6
  • CEF (Cisco Express Forwarding) or Process-Switched
  • Interface, e.g. FastEthernet0, Dialer0 etc.
  • Direction of traffic on the interface: in (ingress), out (egress) or both



EPC configuration is an easy 5 step configuration process. Examining the diagram below, our goal is to capture ingress & egress packets on interface FastEthernet0 from workstation to and from
Figure 2. Capturing packets between host and

Note: None of the below configuration commands, except the optional access lists (filters), will be stored in the router’s running-configuration or startup-configuration. ‘Monitor’ commands are only stored in the router’s RAM and are lost after a router reboot.


The capture buffer will store the packets to be captured. Our capture buffer will be named firewallcx_cap and will have a size of 1024KB (1 Mb), which is the default size, and will be set to a linear type buffer:

R1# monitor capture buffer firewallcx_cap size 1024 linear


We can optionally configure the capture to include only specific traffic. In our case, we need to capture traffic between hosts and (  This is accomplished with the use of access control lists. We can make use of standard or extended access lists depending on the granularity required. If no access list is configured, all traffic will be captured.

R1(config)# ip access-list extended selected-traffic 
R1(config-ext-nacl)# permit ip host host
R1(config-ext-nacl)# permit ip host host
R1(config-ext-nacl)# end
R1# monitor capture buffer firewallcx_cap filter access-list selected-traffic

Filter Association succeeded

Note: Our access list includes traffic originating from both hosts because we want to capture bidirectional traffic.  If we included only one ACL statement, then only one-way traffic would be captured.

Our filter is now in place and we are ready for the next step.



Here we define which interface will be the capture point. In our case, this is FastEthernet0 and we’ll capture both ingress and egress packets. During this configuration phase, we need to provide a name for the capture point; we selected CPoint-FE0 to make it easy to distinguish.

Note: It is highly advisable to ensure ip cef is enabled, to keep the impact on the router’s CPU to a minimum. If ip cef is not enabled, a message like the one below will appear, in which case you need to enable ip cef and re-enter the command.

R1# monitor capture point ip cef CPoint-FE0 FastEthernet 0 both
IPv4 CEF is not enabled

R1# config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# ip cef
R1(config)# exit
R1# monitor capture point ip cef CPoint-FE0 FastEthernet 0 both
*May 25 14:54:40.383: %BUFCAP-6-CREATE: Capture Point CPoint-FE0 created.


Here we associate the configured capture point with the capture buffer:

R1# monitor capture point associate CPoint-FE0 firewallcx_cap

At this point, we are ready to start capturing packets!



It’s now time to start capturing those packets using the monitor capture point start command:

R1# monitor capture point start CPoint-FE0

*May 25 14:57:02.091: %BUFCAP-6-ENABLE: Capture Point CPoint-FE0 enabled.

At this point, the router is capturing all traffic between our two hosts.

To stop the capturing process, use the monitor capture point stop command:

R1# monitor capture point stop CPoint-FE0

*May 25 15:00:51.419: %BUFCAP-6-DISABLE: Capture Point CPoint-FE0 disabled.



1. To monitor the status of our buffer, we can use the show monitor capture buffer command:

R1# show monitor capture buffer all parameters
Capture buffer firewallcx_cap (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 263
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : CPoint-FE0, Status : Active
monitor capture buffer firewallcx_cap size 1024 linear
monitor capture point associate CPoint-FE0 firewallcx_cap
monitor capture buffer firewallcx_cap filter access-list selected-traffic


2. To view Capture Point details, use the show monitor capture point all command:

R1# show monitor capture point all
Status Information for Capture Point CPoint-FE0
Switch Path: IPv4 CEF            , Capture Buffer: firewallcx_cap
Status : Active

monitor capture point ip cef CPoint-FE0 FastEthernet0 both

3. To see all information about the captured packets, use the ‘show monitor capture buffer’ command:

R1# show monitor capture buffer firewallcx_cap
15:04:50.835 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None
15:04:51.195 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0
15:04:51.443 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0
15:04:51.443 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0
15:04:51.443 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0


4. To examine the buffer’s contents, use the ‘show monitor capture buffer dump’ command:

R1# show monitor capture buffer firewallcx_cap dump
15:04:50.835 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None

86621680: 5475D061 2856F4CE 469A161C      TuPa(VtNF…
86621690: 08004500 00347440 40007F06 57B7C0A8  ..E..4t@@…W7@(
866216A0: 0302D056 9BCBC6BC 00506100 C18E0000  ..PV.KF<.Pa.A…
866216B0: 00008002 20003676 00000204 04EC0103  …. .6v…..l..
866216C0: 03020101 040200                      …….

15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0

86621680: F4CE469A 161C5475 D0612856      tNF…TuPa(V
86621690: 08004500 00340000 40003406 16F8D056  ..E..4..w.4..xPV
866216A0: 9BCBC0A8 03020050 C6BC8F58 11D26100  .K@(…PF<.X.Ra.
866216B0: C18F8012 39087B6D 00000204 05AC0101  A…9.{m…..,..
866216C0: 04020103 030700                      …….

15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None

86621680: 5475D061 2856F4CE 469A161C      TuPa(VtNF…
86621690: 08004500 00287443 40007F06 57C0C0A8  ..E..(tC@…W@@(
866216A0: 0302D056 9BCBC6BC 00506100 C18F8F58  ..PV.KF<.Pa.A..X
866216B0: 11D35010 4137B408 00000000 00000000  .SP.A74………
866216C0: 04

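The dump output above is already enough to read the headers by hand, and a short script can do it for you when no analyzer is at hand. The following Python is an added example (it is not part of the article and not a Cisco IOS feature): it parses the 'show monitor capture buffer ... dump' text format (record header line, then 'offset: hex words  ascii' lines) and decodes the Ethernet II, IPv4 and TCP headers of each record. The sample input is constructed from the first two records shown above, so the TCP SYN leaving Fa0 and the SYN-ACK returning on Fa1 become visible as a handshake to port 80.

```python
import re
import struct
# Constructed sample: the first two records of the article's own capture buffer dump (SYN out of Fa0, SYN-ACK back in on Fa1).
DUMP = """\
15:04:50.835 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None
86621680: 5475D061 2856F4CE 469A161C      TuPa(VtNF...
86621690: 08004500 00347440 40007F06 57B7C0A8  ..E..4t@@...W7@(
866216A0: 0302D056 9BCBC6BC 00506100 C18E0000  ..PV.KF<.Pa.A...
866216B0: 00008002 20003676 00000204 04EC0103  .... .6v.....l..
866216C0: 03020101 040200                      .......
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0
86621680: F4CE469A 161C5475 D0612856      tNF...TuPa(V
86621690: 08004500 00340000 40003406 16F8D056  ..E..4..w.4..xPV
866216A0: 9BCBC0A8 03020050 C6BC8F58 11D26100  .K@(...PF<.X.Ra.
866216B0: C18F8012 39087B6D 00000204 05AC0101  A...9.{m.....,..
866216C0: 04020103 030700                      .......
"""
HDR_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) .*:\s*(\S+)\s+(\S+)$")  # record header: time ... : in_if out_if
HEX_RE = re.compile(r"^[0-9A-F]{8}:\s+(.*)$")                        # "offset: hex words  ascii column"

def parse_dump(text):
    """Group dump lines into records {time, in_if, out_if, data}; data holds the raw frame bytes."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HDR_RE.match(line):
            cur = {"time": m[1], "in_if": m[2], "out_if": m[3], "data": bytearray()}
            records.append(cur)
        elif cur is not None and (m := HEX_RE.match(line)):
            for tok in m[1].split():
                if not re.fullmatch(r"(?:[0-9A-F]{2}){1,4}", tok):
                    break  # first non-hex token starts the ASCII column; ignore the rest
                cur["data"] += bytes.fromhex(tok)
    return records

def decode_frame(data):
    """Decode Ethernet II -> IPv4 -> TCP headers (enough to see addresses, ports, flags, seq/ack)."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    info = {"dst_mac": mac(data[0:6]), "src_mac": mac(data[6:12])}
    if data[12:14] != b"\x08\x00":
        return info  # not IPv4: report the Ethernet header only
    ip = data[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes (options included)
    info.update(src_ip=".".join(map(str, ip[12:16])), dst_ip=".".join(map(str, ip[16:20])),
                ttl=ip[8], proto=ip[9])
    if ip[9] != 6:
        return info  # not TCP: stop after the IPv4 header
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
    flags = "+".join(n for n, bit in zip("FIN SYN RST PSH ACK".split(), (1, 2, 4, 8, 16)) if off_flags & bit)
    info.update(sport=sport, dport=dport, seq=seq, ack=ack, window=win, flags=flags)
    return info
```

Running decode_frame over parse_dump(DUMP) shows 192.168.3.2:50876 sending a SYN to 208.86.155.203:80 (TTL 127) and the SYN+ACK coming back with an acknowledgement number equal to the client's sequence number plus one.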


In most cases, the data captured will need to be exported to a network analyzer for additional analysis within a user friendly interface.

Note: The captured buffer can be exported to a number of locations, including flash: (on the router), ftp, tftp, http, https, scp (secure copy) and more.

Export the captured buffer using the monitor capture buffer export command. Keep in mind that the capture must be stopped before the data is exported, and that the tftp server must be ready to accept the captured data:

R1# monitor capture point stop CPoint-FE0
*May 25 15:35:31.975: %BUFCAP-6-DISABLE: Capture Point CPoint-FE0 disabled.
R1# monitor capture buffer firewallcx_cap export tftp://

At this point, the capture.pcap file should be located on our workstation.

We are now ready to import the data into our network analyzer Capsa for further analysis:

Figure 3. Importing packets into Colasoft Network Analyzer

Once the import process is complete, our captured packets are displayed and we can analyse them in a more user-friendly environment:

Figure 4. Packets displayed inside Colasoft Capsa network analyzer


This article introduced the Cisco Embedded Packet Capture feature offered on all Cisco router IOS platforms from version 12.4.20T and above. We explained the terms used by the Embedded Packet Capture feature (Capture Buffer, Capture Point), showed how to configure Embedded Packet Capture in 5 simple steps, and showed how to export the captured data from the Cisco router so that it can be imported into a network analyzer.




April 22nd, 2015

Network Analyzers, also known as Packet Sniffers, are amongst the most popular network tools found inside any Network Engineer’s toolkit. A Network Analyzer allows users to capture network packets as they flow within the enterprise network or Internet.

Engineers usually make use of Network Analyzers to help uncover, diagnose and fix network problems, but they are also used by hackers to obtain access to sensitive information and user data.



When dealing with network problems, engineers usually follow standard tests to try to identify the source of the problem and make any necessary corrections. These tests usually involve checking the source (client or network device) IP address, gateway and DNS server settings, running nslookup, and performing a few ICMP Echo Requests (aka ping) to verify connectivity with the local network and the destination IP.

These methods are usually enough to diagnose simple problems, but are clearly inadequate when dealing with complex network problems. This is where a high-quality network analyzer comes into play.

Any typical network analyzer will capture and display packets, providing basic packet information such as time of capture, source & destination MAC address, source & destination IP address, Layer 4 protocol information (TCP/UDP flags, ports, sequence/acknowledgement numbers) and the data payload. While this information is extremely useful, it often means that the engineer needs additional time to locate the data stream/conversation of interest and track down all associated packets.

Further analysis of the captured data usually increases the difficulty and expertise level required to make sense of the information captured.

Let’s take a look at the most important features of high-end network analyzers that help simplify complex troubleshooting in our everyday routine.

Download your copy of Capsa Enterprise Network Analyzer now!


Real-time network card utilization is a very handy ‘visual tool’ as it shows the bandwidth utilization of the network card used to capture packets.

When configuring SPAN on Cisco Catalyst switches to monitor a switchport that connects to a router or server, the real-time visual representation of network traffic has proven to be extremely useful, as it’s much easier to spot packet bursts and other traffic patterns.


Figure 1. Capsa Enterprise real-time network utilization


All traffic captured by the network analyzer is stored in a special buffer. This buffer usually resides in the workstation’s RAM and can be saved to the hard disk so that additional analysis can be performed later. While most packet analyzers allow the buffer size to be changed, its size is usually restricted to a few MB.

The ability to use an extremely large capture buffer, e.g. 1024MB or 1 Gigabyte, is necessary when analysing heavy traffic, where a couple of hundred MB are typically required.



A high-quality network analyzer smartly presents all captured information in an easy-to-understand manner, making it easy and fast to locate any IP Conversation between hosts:


Figure 2. Capsa Enterprise displays IP Conversations between our workstation and

Having the ability to drill-down into each IP Conversation is equally important. Colasoft Capsa provides this important feature by simply double-clicking on any of the displayed conversations:


Figure 3. Capsa Enterprise allows us to drill-into each IP Conversation

The Transaction Sequence Diagram section on the left side displays the flow of packets of the displayed IP Conversation. Tracking TCP sequence numbers and TCP acknowledgements is often a very time-consuming process, but tools such as Capsa Enterprise make it easy and allow engineers to focus on the more important information.



Network engineers often need to deal with network problems that arise either from user configuration errors (e.g. invalid domain, incorrect URL etc.) or from other problems that are often difficult to identify.

Considering the fact that your network analyzer captures all traffic, it should be able to automatically identify network/session problems and errors. This feature helps dramatically when dealing with various network issues, as it provides an overall view of the problems that have been identified.

In many cases, these errors can lead to uncovering suspicious user activity or hacking attempts:

Figure 4. Capsa Enterprise automatically identifies problems that would otherwise be missed

As shown in the screenshot above, our network analyzer has identified 36 events that can be examined by double-clicking on the specific event in the left window and then selecting the associated addresses from the right window. Packets are then displayed at the bottom area. Double-clicking on these packets will open them for further examination.



During times of excessive traffic, it is usually necessary to identify the network’s top talkers and take action. When the network analyzer supports this directly, it makes life very easy. When it does not, a sample of network traffic must be taken and sorted by the IP address with the greatest amount of data transferred.


Figure 5. Capsa Enterprise provides the network’s top talkers and their traffic

Capsa provides 4 reports of Top Talkers: Top100 IPv4 Nodes (shown above), Top100 IPv4 Conversations (IP Based), Top100 Physical Nodes (MAC Based) and Top100 Physical Conversations (MAC Based).

Top IPs can also be obtained via Capsa’s Dashboard (shown below), which provides Global Utilization (% of total interface bandwidth) and Traffic (bytes) within a specific timeframe, Top IPs based on bytes transferred, and Top Application Protocols based on the protocol used:

Figure 6. Capsa’s Dashboard provides a healthy amount of real-time information and traffic captured


Filtering is a core feature that allows network engineers to select specific types of traffic based on their characteristics. Common filtering found on most network analyzers includes: source/destination MAC or IP address, protocol and port numbers.

Advanced filtering is a feature most engineers require in their network analyzer, but often don’t have. Advanced filtering allows special complex filters to be created based on additional characteristics such as Time, Packet size, Data Payload values in conjunction with AND/OR/NOT logical operations.


Figure 7. Capsa’s Advanced Filtering leaves nothing to be desired


A high-quality network analyzer bundled with useful advanced features such as the above will help any engineer or administrator diagnose and deal with network problems quickly and efficiently, but also capture suspicious network traffic patterns often associated with hacking attempts. When selecting your network tools, ensure they are of the highest quality and provide features that will help make your job easier.



