How to Use Multi-Segment Analysis to Troubleshoot Network Delay and Packet Loss

2015年10月8日 没有评论

Troubleshooting network problems can be a very intensive and challenging process. Intermittent network problems are even more difficult to troubleshoot as the problem occurs at random timeswith a random duration, making it very hard to capture the necessary information, perform troubleshooting, identify and resolve the network problem.

While Network Analyzers help reveal problems in a network data flow, they are limited to examining usually only one network link at a time, thus seriously limiting the ability to examine multiple network segments continuously.

Colasoft’s nChronos is equipped with a neat feature called multi-segment analysis, providing an easy way for IT network engineers and administrators to compare the performance between different links. IT network engineers can improve network performance by enhancing the capacity of the link according to the comparison.

Let’s take a look how we can use Colasoft nChronos’s multi-segment analysis feature to help us detect and deal effectively with our network problems.

Multi-segment analysis provides concurrent analysis for conversations across different links, from which we can extract valuable information on packet loss, network delay, data retransmission and more.

To being, we open nChronos Console and select a portion of the trend chart in the Link Analysis window, then from the Summary window below, we right-click one conversation under the IP Conversation or TCP Conversation tab. From the pop-up menu, selectMulti-Segment Analysis to open the Multi-Segment Analysis window:

Figure 1. Launching Multi-Segment Analysis in nChronos

In the Multi-Segment Analysis window, select a minimum of two and maximum of three links, then choose the stream of interest for multi-segment analysis:

Figure 2. Selecting a stream for multi-segment analysis in nChronos

When choosing a conversation for multi-segment analysis, if any of the other selected network links has the same conversation, it will be selected and highlighted automatically. In our example, the second selected link does not have the same data from the primary selected conversation and therefore there is no data to display in the lower section of the analysis window.

Next, Click Start to Analyze to open the Multi-Segment Detail Analysis window, as shown in the figure below:

Figure 3. Performing Multi-Segment analysis in nChronos

The Multi-Segment Detail Analysis section on the left provides a plethora of parameter statistics (analyzed below), a time sequence chart, and there’s a packet decoding pane on the lower right section of the window.

The left pane provides statistics on uplink and downlink packet loss, uplink and downlink network delay, uplink and downlink retransmission, uplink and downlink TCP flags, and much more.

The time sequence chart located at the top, graphically displays the packet transmission between the network links, with the conversation time displayed on the horizontal axis.

When you click on a packet on the time sequence chart, the packet decoding pane will display the detailed decoding information for that packet.

Using the Multi-Segment Analysis feature, Colasoft’s nChronos allows us to quickly compare the performance between two or morenetwork links. If you’re a network administrator, engineer or IT manager, we strongly suggest you try out nChronos today and see how easy you can discover and deal with network problems.



Colasoft Capsa Free is a comprehensive network analyzer

2015年10月8日 没有评论

By Mike Williams

Colasoft Capsa 8 Free is a powerful tool for monitoring and analyzing network traffic, the free version of an enterprise package normally costing from $695.

The program has a vast and lengthy list of features, yet it’s also accessible to regular users. Just choosing an adapter and clicking “Start” gets you an attractive dashboard, with graphs showing network utilization, traffic, and top traffic by protocol and domain (keep in mind that Wi-Fi devices can’t be monitored in the free edition).

That’s just the start. Click the Summary tab and you’ll see the data behind the charts, the total numbers of IP and MAC addresses used in this session, the various protocols, DNS queries and responses, SMTP/ POP3/ IMAP 4 connections and a whole lot more.

Maybe you want to zoom in? Choosing one of the Conversation tabs — TCP, say — allows you to drill down, see which packets went to/from which addresses, the packet size, time sent, and more.

Colasoft Capsa 8 Free captures data packets, too, so you’re not restricted to summaries. Selecting any of these items displays the individual packets, and you can choose one, view any text it contains (maybe the password in a POP3 exchange, say). There’s even a detailed breakdown of the exchange, so for example you might view an IP packet to check its IP flags or TTL value.

This level of analysis isn’t just for a few internet standards, either. The program understands and can decode hundreds of protocols, and show you precisely what’s happening in every exchange.

Unsurprisingly, considering the full Enterprise version costs $995, the free build has a lot of restrictions. No monitoring of Wi-Fi devices, only one network adapter may be monitored, only one capture project can be run at a time, that’s limited to 4 hours maximum, only the first 10 private IP addresses will be analyzed, and so on.

Colasoft Capsa 8 Free has more than enough functionality left to make it interesting, though, for everyone from casual users to network experts. Give it a try.


How to Detect Routing Loops and Physical Loops with a Network Analyzer

2015年7月28日 没有评论

When working with medium to large scale networks, IT departments are often faced dealing with network loops and broadcast storms that are caused by user error, faulty network devices or incorrect configuration of network equipment.  Network loops and broadcast storms are capable of causing major network disruptions and therefore must be dealt with very quickly.

There are two kinds of network loops and these are routing loops and physical loops.

Routing loops are caused by the incorrect configuration of routing protocols where data packets sent between hosts of different networks, are caught in an endless loop travelling between network routers with incorrect route entries.

A Physical loop is caused by a loop link between devices. A common example is two switches with two active Ethernet links between them. Broadcast packets exiting the links on one switch are replicated and sent back from the other switch. This is also known as a broadcast storm.

Both type of loops are capable of causing major network outages, waste of valuable bandwidth and can disrupt network communications.

We will show you how to detect routing loop and physical loop with a network analyzer such as Colasoft Capsa or Wireshark.

We’ve selected Colasoft Capsa 8.0 as our preferred packet analyzer because of its new feature that allows the quick diagnosis of routing loops and physical loops.

If there are routing loops or physical loops in the network, Capsa will immediately report them in the Diagnosis tab as shown below. This makes troubleshooting easier for network managers and administrators:


Figure 1. Capsa quickly detects and displays Routings and Physical Loops

Further examination of Capsa’s findings is possible by simply clicking on each detected problem. This allows us to further check the characteristics of the related packets and then decide what action must be taken to rectify the problem.


Let’s take a routing loop for example. First, find out the related conversation using Filter (red arrow) in the MAC Conversation tab. MAC addresses can be obtained easily from the notices given in the Diagnosis tab:


Figure 2. Obtaining more information on a Routing Loop problem

Next, Double-click the conversation to load all related packets and additional information. Click on Identifier, to view the values of all packets under the Decode column, which in our case are all the same, This effectively means that the packets captured in our example is the same packet which is continuously transiting our network because its caused in a loop.  For example, Router-A might be sending it to Router-B, which in turn sends it back to Router-A.


Figure 3. Decoding packets caught in a routing loop

Now click on the Time To Live section below, and you’ll see the Decode value reduces gradually. It is because that TTL value will decreased by 1 after transiting a routing device. When TTL reaches the value of 1, the packet will be discarded, to help avoid ICMP packets travelling indefinitely in case of a routing loop in the network. More information on the ICMP protocol can be found in our ICMP Protocol page:


Figure 4. Routing loop causing ICMP TTL to decrease

The method used to analyze physical loops is almost identical, but the TTL values of all looped packets remain the same, instead of decreasing as we previously saw. Because the packet is trapped in our local network, it doesn’t traverse a router, therefore the TTL does not change.

Below we see a DNS Query packet that is trapped in a network loop:


Figure 5. Discovering Network loops and why their TTL values do not decrease

Advanced network analyzers such as Colasoft’s Capsa allows us to quickly detect serious network problems that can cause network outages, packet loss, packet flooding and more. If you’re a network administrator, engineer or IT manager, we strongly suggest you try out Capsa v8 today and discover how easy you can discover and deal with network problems.

View more:

Colasoft Announces the Release of Capsa Network Analyzer 8.0

2015年6月17日 没有评论

June 16, 2015– Colasoft LLC, a leading provider of innovative and affordable network analysis software solutions, today announced the release of the latest version of Capsa network analyzer, a real-time portable network analyzer for wired and wireless network monitoring, bandwidth analysis, and intrusion detection. Capsa Network Analyzer 8.0 is based on the Third-generation Colasoft Traffic Recognition Engine (CSTRE), which substantially improved the accuracy and efficiency of protocol & application recognition.

Two Expert Diagnosis Events are added to Capsa 8.0, they are Physical Loop Diagnosis and Routing Loop Diagnosis. Capsa 8.0 makes it very easy for network administrators to locate network loop anomaly without looking into packet details. By providing possible reasons and solutions to each Diagnosis Event, it helps network administrators to quickly pinpoint and solve complicated network problems.

Another prominent feature is that packets can be colorized in Conversation Views, including Physical Conversation View, IP Conversation View, TCP Conversation View and UDP Conversation View. The relevance between a session and a packet is enhanced by colorizing packets which greatly improves performance analysis efficiency.

“In addition to concentrated development of new features, we also take great efforts to enhance user experience”, said Brian K. Smith, Vice President at Colasoft LLC, “Upon requests of many users, now Capsa 8.0 can easily be launched by command line. Packet timestamp shift function is added and host names can be resolved actively. Capsa 8.0 now offers the Network Engineer one of the most robust Bandwidth and Packet Analysis tools available”.

Capsa 8.0 is compatible with Windows XP/2003/2008/Vista/Windows 7/Windows 8. A free trial is available for download at:


About Capsa

Capsa is an easy-to-use packet sniffer (network analyzer or network sniffer) for network monitoring and troubleshooting purposes. It performs real-time packet capturing, 24×7 network monitoring, reliable network forensics, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. By giving you insights into all of your network’s operations, Capsa makes it easy to isolate and solve network problems, identify network bottleneck and bandwidth use, and detect network vulnerabilities.


About Colasoft

Since 2001, Colasoft, an Oklahoma Company, has been an innovative provider of all-in-one and easy-to-use software solutions for users to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Currently, more than 5,000 customers in over 90 countries trust the company’s flagship product, Capsa Packet Sniffer, as their network monitoring and troubleshooting solution.  Please visit for more information.

分类: News & Events 标签:

Find Out Who’s Eating Your Bandwidth With These Tips

2015年6月3日 没有评论

Click….wait. Click….wait. Click….ARG! Sound familiar? That’s the sound of someone running out of Internet bandwidth.

A lot of things can drain away the capacity of that pipe that connects your computer to the Internet. It could be other people or devices on your network, or it could even be malicious applications or services running on the PC itself. The problem can get so bad that some people will toss out their computer and buy a new one.

It doesn’t have to be that way. While the problem could be coming from anywhere, it isn’t impossible to troubleshoot if you know where to look, what tools to use, and what to do when you find the culprit. In this article, I’m going to give you a hand and walk you through the process of tracking down that bandwidth hog and shutting him down.

Track Down The Bandwidth Bandit Via Your Router

You could start just about anywhere when it comes to isolating the bandwidth hog on your network or inside your computer, but in order to grab at the low-hanging fruit, it’s best to start with your network. A few of the solutions below can focus in on a culprit quickly and resolve your problems immediately. So why waste time troubleshooting your own computer before canceling out the external issues as a possibility?

The first and quickest way to check what’s connected to your Internet through your router is the DHCP Client table. Each router is a little different, so you may need to search for which menu the table comes under. For Linksys, it’s typically under the “Status” Tab, and then the “Local Network” menu item.


Next, just click the “DHCP Client Table” button, and that’ll take you to a list of all clients that are currently logged into your network. Are there any there that you don’t recognize? If so, there could potentially be a neighbor that’s drawing out much of your bandwidth.


Ads by Google

All you have to do to put an end to it is click on the “Delete” button to the right of that client. Just be careful not to inadvertently delete one of your own clients, because to reconnect to the network with that device, you may need to re-enter your security password again. Not a big deal, just a hassle.

Use Third Party Utilities To Unravel Bandwidth Problems

Another option is to turn to software tools that can reach out and monitor devices on your network. One of those utilities is a free app called Capsa, which Matt actually mentioned in his Guide to Home Networking.

Capsa is really impressive, and it’s hard to believe that it’s free software. Running Capsa, you can see traffic on your network and associated data transfer rates to and from the various hosts, which you can find under the “Protocol” tab once you press “Start” on the main welcome screen.


This is even better organized on the IP Endpoint tab, which lines up all of the hosts in one area and then in the lower pane, shows you all of the remote IP connections of the host you selected in the top pane. By the way, this is a great way to check out what your kids are up to on your network without actually installing monitoring software on their computer.


Capsa is by far my favorite. This is similar to using another bandwidth monitoring app I covered recently called NetworkMiner, except that Capsa is less about network hacking and packet sniffing, and more about monitoring your network for activities and different traffic protocols. Either application would serve you well, though.

View more:

分类: Tips & How-tos 标签:


2015年5月29日 没有评论

If you’re tired of setting up SPAN sessions to capture network traffic transiting your network and Cisco router, it’s time to start usingCisco’s Embedded Packet Capture (EPC), available from IOS 12.4.20T and above. We will show you how to configure Cisco’s Embedded Packet Capture, to capture packets transiting a Cisco router, save them to its flash disk or export them directly to anftp/tftp server for further analysis with the help of a packet analyzer such as Colasoft Capsa or Wireshark.

We’ve selected to Colasoft Capsa as our packet analyzer because of its amazing breakdown and presentation of captured packets.

Finally, we’ve also included a number of useful Embedded Packet Capture troubleshooting commands to monitor the status of thecapture points and memory buffer.

Let’s take a look at some of the basic features offered by Embedded Packet Capture:

  • Capture IPv4 and IPv6 packets in the Cisco Express Forwarding path
  • Ability to specify various capture buffer parameters
  • Export packet captures in PCAP format, enabling analysis with external tools such as Colasoft Capsa, Wireshark.
  • Display content of the capture buffer
  • Granularity of captured packets via Standard or Extended Access Control Lists (ACLs)


cisco-router-embedded-packet-capture-1Figure 1. Understanding Basic Embedded Packet Capture Terminology

Before we dive into the configuration of Cisco EPC, let’s explain the two terms used during the EPC configuration:  Capture Buffer &Capture Point.  We’ll use figure 1 to help illustrate the terms.


Capture buffer is an area in memory for holding packet data.  There are two types of Capture Buffers: Linear and Circular.

Linear Capture Buffer: When the capture buffer is full, it stops capturing data.
Circular Capture Buffer: When the capture buffer is full, it continues capturing data by overwriting older data.


Capture point is a traffic transit point where a packet is captured. Capture points need to define the following:

  • IPv4 or IPv6
  • CEF (Cisco Express Forwarding or Process-Switched
  • Interface e.g Fast Ethernet0, Dialer0 etc.
  • Direction of traffic to the interface: in (ingress), out (engress) or both



EPC configuration is an easy 5 step configuration process. Examining the diagram below, our goal is to capture ingress & egress packets on interface FastEthernet0 from workstation to and from
cisco-router-embedded-packet-capture-2Figure 2. Capturing packets betwen host and

Note: None of the below configuration commands, except the optional access lists (filters), will be stored in the router’s running-configuration or startup-configuration. ‘Monitor’ commands are only stored in the router’s RAM and are lost after a router reboot.


The capture buffer will store the packets to be captured. Our capture buffer will be named firewallcx_cap and will have size of 1024KB (1 Mb), which is the default size and will be set to linear type buffer:

R1# monitor capture buffer firewallcx_cap size 1024 linear


We can optionally configure to capture specific traffic. In our case, we need to capture traffic between hosts and (  This is accomplished with the use of access control lists. We can make use of standard or extended access lists depending on the granularity required. If no access list is configured, all traffic will be captured.

R1(config)# ip access-list extended selected-traffic 
R1(config-ext-nacl)# permit ip host host
R1(config-ext-nacl)# permit ip host host
R1(config-ext-nacl)# end
R1# monitor capture buffer firewallcx_cap filter access-list selected-traffic

Filter Association succeeded

Note: Our access list includes traffic originating from both hosts because we want to capture bidirectional traffic.  If we included only one ACL statement, then only one-way traffic would be captured.

Our filter is now in place and we are ready for the next step.



Here we define which interface will be the capture point. In our case, this is Fast Ethernet0 and we’ll capture both ingress and egress packets. During this configuration phase, we need to provide a name for the capture point, we selected CPpoint-FE0 to make it easy to distinguish.

Note: It is highly advisable to ensure ip cef is enabled to ensure minimum impact on the router’s CPU. If ip cef is not enabled, a message like the one below will appear, in which case you need to enable ip cef and re-enter the command.

R1# monitor capture point ip cef CPoint-FE0 FastEthernet 0 both
IPv4 CEF is not enabled

R1# config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)# ip cef
R1(config)# exit
R1# monitor capture point ip cef CPoint-FE0 FastEthernet 0 both
*May 25 14:54:40.383: %BUFCAP-6-CREATE: Capture Point CPoint-FE0 created.


Here we associate the configured capture point with the capture buffer:

R1# monitor capture point associate CPoint-FE0 firewallcx_cap

At this point, we are ready to start capturing packets!



It’s now time to start capturing those packets using the monitor capture point start command:

R1# monitor capture point start CPoint-FE0

*May 25 14:57:02.091: %BUFCAP-6-ENABLE: Capture Point CPoint-FE0 enabled.

At this point, the router is capturing all traffic between our two hosts.

To stop the capturing process, use the monitor capture point stop command:

R1# monitor capture point stop CPoint-FE0

*May 25 15:00:51.419: %BUFCAP-6-DISABLE: Capture Point CPoint-FE0 disabled.



1. To monitor the status of our buffer, we can use the show monitor capture buffer command:

R1# show monitor capture buffer all parameters
Capture buffer firewallcx_cap (linear buffer)
Buffer Size : 1048576 bytes, Max Element Size : 68 bytes, Packets : 263
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : CPoint-FE0, Status : Active
monitor capture buffer firewallcx_cap size 1024 linear
monitor capture point associate CPoint-FE0 firewallcx_cap
monitor capture buffer firewallcx_cap filter access-list selected-traffic


2. To view Capture Point details, use the show monitor capture point all command:

R1# show monitor capture point all
Status Information for Capture Point CPoint-FE0
Switch Path: IPv4 CEF            , Capture Buffer: firewallcx_cap
Status : Active

monitor capture point ip cef CPoint-FE0 FastEthernet0 both

3. To see all information about the captured packets, use the ‘show monitor capture buffer’ command:

R1# show monitor capture buffer firewallcx_cap
15:04:50.835 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None
15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None
15:04:51.195 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0
15:04:51.443 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0
15:04:51.443 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0
15:04:51.443 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0


4. To examine the buffer’s contents, use the ‘show monitor capture buffer dump’ command:

R1# show monitor capture buffer firewallcx_cap dump
15:04:50.835 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None86621680: 5475D061 2856F4CE 469A161C      TuPa(VtNF…
86621690: 08004500 00347440 40007F06 57B7C0A8  ..E..4t@@…W7@(
866216A0: 0302D056 9BCBC6BC 00506100 C18E0000  ..PV.KF<.Pa.A…
866216B0: 00008002 20003676 00000204 04EC0103  …. .6v…..l..
866216C0: 03020101 040200                      …….

15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa1 Fa0

86621680: F4CE469A 161C5475 D0612856      tNF…TuPa(V
86621690: 08004500 00340000 40003406 16F8D056  ..E..4..w.4..xPV
866216A0: 9BCBC0A8 03020050 C6BC8F58 11D26100  .K@(…PF<.X.Ra.
866216B0: C18F8012 39087B6D 00000204 05AC0101  A…9.{m…..,..
866216C0: 04020103 030700                      …….

15:04:51.015 UTC May 25 2015 : IPv4 LES CEF    : Fa0 None

86621680: 5475D061 2856F4CE 469A161C      TuPa(VtNF…
86621690: 08004500 00287443 40007F06 57C0C0A8  ..E..(tC@…W@@(
866216A0: 0302D056 9BCBC6BC 00506100 C18F8F58  ..PV.KF<.Pa.A..X
866216B0: 11D35010 4137B408 00000000 00000000  .SP.A74………
866216C0: 04



In most cases, the data captured will need to be exported to a network analyzer for additional analysis within a user friendly interface.

Note: Captured buffer can be exported to a number of locations including: flash: (on router), ftp, tftp, http, https, scp (secure copy) and more.

Export the captured buffer using the monitor capture buffer export command. Keep in mind that we must stop the capturing process before exporting the data, and also have our tftp server ready to accept the captured data:

R1# monitor capture point stop CPoint-FE0
*May 25 15:35:31.975: %BUFCAP-6-DISABLE: Capture Point CPoint-FE0 disabled.
R1# monitor capture buffer firewallcx_cap export tftp://

At this point, the capture.pcap file should be located on our workstation.

We are now ready to import the data into our network analyzer Capsa for further analysis:

cisco-router-embedded-packet-capture-3Figure 3. Importing packets into Colasoft Network Analyzer

Once the import process is complete, our captured packets are displayed and we can analyse them in a more user-friendly environment:

cisco-router-embedded-packet-capture-4Figure 4. Packets displayed inside Colasoft Capsa network analyzer


This article introduced the Cisco Embedded Packet Capture feature offered on all Cisco router IOS platforms from version 12.4.20T and above. We explained terms used by the Embedded Packet Capture feature (Capture Buffer, Capture Point) and showed how toconfigured Embedded Packet Capture using 5 simple steps, but also how to export captured data from the Cisco router so that it can be imported into a network analyzer.


分类: Tips & How-tos 标签:


2015年4月22日 1 条评论

Network Analyzers, also known as Packet Sniffers, are amongst the most popular network tools found inside any Network Engineer’s toolkit. A Network Analyzer allows users to capture network packets as they flow within the enterprise network or Internet.

Engineers usually make use of Network Analyzers to help uncover, diagnose andfix network problems, but they are also used by hackers to obtain access tosensitive information and user data.



When dealing with network problems, engineers usually follow standard tests to try to identify the source of the problem and make any necessary corrections. These tests usually involve checking the source (Client or Network device) IP address, Gateway, DNS server, Nslookup and performing a few ICMP Echo Requests (aka Ping) to verify connectivity with the local network and destination IP.

These methods are usually enough to diagnose simple problems, but are clearly inadequate when dealing with complex network problems. This is where a high-quality network analyzer comes into play.

Any typical network analyzer will capture and display packets, providing basic packet information such as time of capture, source & destination MAC address, source & destination IP address, Layer 4 protocol information (TCP/UDP flags, ports, sequence/acknowledgement numbers) and the data payload. While this information is extremely useful information, it often means that additional time is required by the engineer to locate the data stream/conversation of interest and track down all associated packets.

Further analysis of the captured data usually increases the difficulty and expertise level required to make sense of the information captured.

Let’s take a look at the most important features high-end network analyzers have, that helps simplify complex troubleshooting in our everyday routine.

Download your copy of Capsa Enterprise Network Analyzer now!


Real-time network card utilization is a very handy ‘visual tool’ as it shows the bandwidth utilization of the network card used to capture packets.

When configuring SPAN on Cisco Catalyst switches to monitor a switchport that connects to a router or server, the real-time visual representation of network traffic has proven to be extremely useful as it’s much easier spot packet bursts and other traffic patterns.


Figure 1. Capsa Enterprise real-time network utilization


All traffic captured by the network analyzer is stored in a special buffer. This buffer usually resides in the workstation’s RAM and can be saved on the hard disk, so that additional analysis can be performed later. While most packet analyzers allow the buffer size to changed, its size is usually restricted to a few MB.

The ability to use an extremely large capture buffer e.g 1024MB or 1 Gigabyte, is necessary when performing analysis of heavy traffic where a couple of hundreds of MBs are typically required.



A high-quality network analyzer smartly presents all captured information in an easy-to-understand manner, making it easy and fast to locate any IP Conversation between hosts:


Figure 2. Capsa Enterprise displays IP Conversations between our workstation and

Having the ability to drill-down into each IP Conversation is equally important. Colasoft Capsa provides this important feature by simply double-clicking on any of the displayed conversations:


Figure 3. Capsa Enterprise allows us to drill-into each IP Conversation

The Transaction Sequence Diagram section on the left side displays the flow of packets of the displayed IP Conversation. Tracking TCP sequence numbers and TCP acknowledgements is often a very time-consuming process but tools such as Capsa Enterprise makes it easy and allows engineers to focus on the more important information.



Network engineers often need to deal with network problems that occur either from user configuration errors (e.g invalid Domain, incorrect URL etc) or other problems that are often difficult to identify.

Considering the fact your network analyzer captures all traffic, it should be able to automatically identify network/session problems anderrors. This helpful feature helps dramatically when dealing with various network issues as it provides an overall view of problems that have been identified.

In many cases, these errors can lead to uncovering suspicious user activity or hacking attempts:

Figure 4. Capsa Enterprise automatically identifies problems that would otherwise be missed

As shown in the screenshot above, our network analyzer has identified 36 events that can be examined by double-clicking on the specific event in the left window and then selecting the associated addresses from the right window. Packets are then displayed at the bottom area. Double-clicking on these packets will open them for further examination.



During times of excessive traffic, it is usually required to identify the network’s top talkers and take action. When supported by the network analyzer, it makes life very easy. When not supported, a sample of network traffic must be taken and sorted by the IP address with the greatest amount of data transferred.


Figure 5. Capsa Enterprise provides the network’s top talkers and their traffic

Capsa provides 4 reports of Top Talkers: Top100 IPv4 Nodes (shown above), Top100 IPv4 Conversations (IP Based), Top100 Physical Nodes (MAC Based) and Top100 Physical Conversations (MAC Based).

Top IP’s can also be obtained via Capsa’s Dashboard (shown below) which provides Global Utilization (% of total interface bandwidth) and Traffic (bytes) within a specific timeframe, Top IPs based on bytes transferred, and Top Application Protocols based on the protocol used:

Figure 6. Capsa’s Dashboard provides a healthy amount of real-time information and traffic captured


Filtering is a core feature that allows network engineers to select specific type of traffic based on its characteristics. Common filtering found on most network analyzers includes: Source/Destination MAC or IP address, Protocol and Port numbers.

Advanced filtering is a feature most engineers require in their network analyzer, but often don’t have. Advanced filtering allows special complex filters to be created based on additional characteristics such as Time, Packet size, Data Payload values in conjunction with AND/OR/NOT logical operations.


Figure 7. Capsa’s Advanced Filtering leaves nothing to be desired


A high-quality network analyzer bundled with useful advanced features as the above will help any engineer or administrator diagnoseand deal with network problems quickly and efficiently, but also capture suspicious network traffic patterns often associated withhacking attempts. When selecting your network tools, ensure they are of the highest quality and provide features that will help make your job easier.




分类: Articles, Reviews, Tips & How-tos 标签:

Capsa by Colasoft: A Network Engineer’s Product Review

2015年2月9日 没有评论

By Shane Killen

I wanted to take the opportunity to do a review of the Colasoft Capsa program.  I have been asked about this program often, and I think it is time I do a review. Everyone knows that I like this program and I personally use this network analyzer all the time in my consulting position.  I love it and I have recommended this program on my blog and to customers of the company I work for.  It has saved me time and money in diagnosing problems.  And if I’m saving money, that means my customers are saving money.  And everyone loves that!

A personal story:
Just to start this out, I want to tell you a quick, condensed story.  I had a customer that called me up one morning.  They told me that their network was “crawling” and they wanted to know if I knew of anything going on.  I was at another client at the time, and all I knew to say at that point was that I could come over and take a look.  They told me to hold off at the moment, and they would call me if you needed me.  By the time 4PM came, I called that customer back to see what they had found.  He told me that they still had the problem, and they wanted me to come on in and see if I could find the problem.  I did just that.  From the time I got there and started working on the problem, I set up a monitor session and connected my laptop up.  Within 10 minutes, I told them what was the problem, what was causing the problem, and how it needed to be resolved.  It was a device that had a NIC that started flooding the network.  180K packets per second (Capsa told me this).  They went and disconnected the offending network cable for the device, and everything came back up without issue.  Key NOTE:  They had been working all day on this problem without resolution.  I came in and within 10 minutes pointed out what the problem was, what was causing the problem, and what to do to fix it.  I was able to do this with the Capsa network analyzer within 10 minutes of starting the troubleshooting.  In this example, think of how much money and productivity was lost. The very next day, this customer bought Capsa.

Now, the review:
At first look, the Capsa dashboard has a very nice look and feel to it. The dashboard colors are easy on the eyes when looking at it for long periods time, which is important when needing to troubleshoot problems.  You don’t need something hard to look at on top of using your brain to pinpoint issues, and Capsa is certainly easy on the eyes.  See below for the first look.

The layout is also well designed.  The tabs across the display make it easy to navigate to areas you need to get to.  Its almost like the company had true technical engineers design the layout.

The first display I tend to look at and use is the default view.  You can easily customize this to whatever it is you are looking for.  Capsa puts out some displays for you by default.  The defaults are good, but if you need more for what you are trying to accomplish, they made it very easy to add to this display if you want to.  I personally modify it to what I like to see.

The “Summary” tab has very good statistical information in it.  I personally dont use this tab much, but if you are looking for general statistical information about your network, this is a good place to view.  I do know engineers that just want to take samplings on a network, and this is a good tab to view for just that.  Things like Diagnosis statistics, Traffic statistics, Packet size Distribution statistics, Protocol statistics by OSI model, etc.  Again, very good for taking statistical snapshots during timed intervals.

This next tab is really handy for doing network assessments.  Its called the “Diagnose” tab, and this tab will tell you potential problems on the network that Capsa sees.  Anything from delays, re-transmissions, SMTP server slow response, HTTP client error, etc. And when I say “etc”, I mean a lot of “etc”s.  I use this all the time, and its very handy and helpful for the network engineer.  Its handy because it even makes suggestions on what the actual problem resolution might be.  That is a pretty cool feature.

The next tab shows a “Protocol” view of the network.  This is an excellent view into what protocols are traversing your network.  If you see a protocol in this display that you didn’t want on the network, this is a great place to see it quickly.  Easy to see and right in front of your eyes without the need to sift through traffic or selecting a column view and then finding the protocol.  Its just right in front of you with ease to see.  This is very helpful when in a hurry to hunt down what you don’t want on the network, as far as protocol view is concerned.  I have had plenty of times when trying to see what protocol is running on a network, just to know for sure what is there and what is not there.  And when Im doing a deep inspection of a network, this is definitely one view I look at.

The “Physical Endpoint” tab gives you a view into the layer 2 and layer 3 view into the network for statistics.  I personally don’t use this view much.  However, I do see the benefit of this tab.  You can find problems by either MAC address or IP address, like a malfunctioning NIC.  This is a good statistical view of that.  I personally will see it in the default view, because Ill customize the view there to see such things.  But, this is also a great place for that sort of detail.  One thing I really like about this view is that you can see the actual packets if you choose to.  Just like what you would see in a wireshark packet capture.  This is a great feature.

The “IP Endpoint” is a layer 3 view only into this view.  Its very similar to the “Physical Endpoint” tab, with the same features for the most part.  This is mostly a statistical view.  Again, you can see the actual packet here if you want to see it, just like in wireshark.  I have used this screen to find packets from a particular IP address, so that I can use the packet view before.  This is very handy and easy to find what you are looking for if you are looking for a particular IP address.  From the “offender”, you can view all you want as far as raw packets go.  I personally like this and have used this often in the past.

The “Physical Conversation” and “IP conversation” tabs has some important information for troubleshooting delays, etc.  I personally have used this tab a lot, especially when looking for delays in traffic to find out what is actually happening.  There is a lot of good information in these tab views.

The “TCP Conversation” view is an excellent view for seeing delays, etc.  In application type delays, you can easily prove where delta delays are when everyone is pointing at the network as fault.  I have used this many times to prove application delays, and where the network was fine.  This view makes it very easy to see these types of delays with transaction sequence diagrams, along with seeing the actual packet if you want to (which I do).  Again, it just makes it easy.  See below for a screenshot.

The “UDP Conversation” view is similar, with the exception of a data flow view.  After all, its UDP.  I personally dont utilize this tab much.  Although, I do see the value in seeing the conversations between devices.

There is now a new section called “VoIP Call” tab.  I have experimented with this and I do like this tab.  It will show you the calls made via SIP, the status of the calls, duration, invite time, etc.  It even has a “translatorX” like view if you are a visual person and want to see the call setup steps that each call has taken.  This is especially helpful when troubleshooting failed SIP calls.  This is a welcomed addition to the Capsa package.  With that said, I must tell you that for now, it only will recognize SIP calls.  It will not recognize H323, MGCP, or SCCP.  I have to admit, that is a little disappointing.  However, that is really the only negative thing I can say about this tab.  But, I suspect that will change in the future.  But, keep in mind, you can still view H323, MGCP, and SCCP in the other tabs if you looking for them.  Its just not in this tab.  Overall, I’m still impressed with this VoIP capability.  I’d really like to show you this screen, but there is just too much sensitive information I cant give out in my capture.  So I’m only going to show you a piece of the screen, so that you get the idea of what you will see.  I did blot out the personal info on this screenshot, but again, there is more to this screen than what I’m showing below.

There is a new “Ports” tab that shows all the ports being used on the network.  From here, you can view the traffic conversations, along with the data flows.  Again, this is really important in finding delays, etc.  I really like this new addition to the Capsa product.

There is a “Matrix” tab which shows you in a circular diagram the traffic from source to destination.  I dont use this much, except to get an impression on how many devices are actually talking to each other.  From here, you can, again, look at the raw packets.  I have heard other engineers say they like this view.  I think this must be just personal preference.

The “Packet” tab takes you right to the raw packet view.  Again, this is convenient, as you can go directly to search for specific IPs or MAC addresses quickly. And again, with all the info you would need in the display for finding what you want in the packet capture.

The “Log” view is just that.  It shows you a log of successful and failed events.  Anything from a global view of all traffic, to seeing only DNS, Email, HTTP, etc types of traffic.  This is an excellent addition to the product when you need to see events outside a packet view.

The last tab is called “Report”.  I absolutely love this tab.  For the executives, you can run the reports they want to see without them actually being technical in nature.  Lets face it, they just want the high level overview.  They dont want to see the packet details, the troubles, etc.  They just want the facts, and these canned reports will give them just that.  Also, you can customize your own reports as well.  You can even customize this to your company name, logo, etc.  This is a nice feature.

Other features:
You can get Capsa to send you an audible alarm when an event happens, something you customize yourself.  You can also get it to send you an email when the event happens, if you happen to not be in front of your Capsa PC/Server.

I also like the displays across the top of the program.  I use the “utilization” and “pps” (packets per second) displays almost every time I use Capsa.  These views are easy to detect broadcast storms, over utilization, etc. There is also a “Traffic Chart (bps)” chart that is a visual of the amount of traffic that is on the network.  I like these views for sure.  They are always up front and if something starts happening on the network, you can easily see some of these types of events in these displays.  Very handy when you are going through the tabs and still able to see these views at the top.  I personally like that this was carefully thought of for the network engineer.

Another thing I like, is that if you are looking for only certain types of traffic, you can filter Capsa to only display that traffic without seeing all the other traffic you are not looking for.  This is handy when you know where the problem is, but dont know the cause of the problem.

One thing to note here in this review.  I have mentioned a lot of features in this program.  However, what I have not mentioned is ALL of the capabilities in each tab.  There are a ton of things you can do in most of the tabs.  Don’t think I covered everything.  I have only covered a fraction of what you get out of this product. What I suggest is that you go and download a demo of this product.  Try it for yourself and download a trial of this to see if you like it.  Visit Colasoft at, and let me know how you like it.

About Shane Killen

Shane Killen currently works at a consulting company in Birmingham, Alabama.  It is a consulting firm that deals with most aspects of IT Technology.
He works as a IT consultant, serving as a Senior Network Engineer. Shane Killen has been working in IT professionally since 1996.  Certifications currently hold –  Cisco CCNP (R&S), Cisco CCNP Voice, Cisco CCDP, Brocade BCNP, ShoreTel Advance Systems and Troubleshooting, CompTIA Network+, CompTIA A+, CSSA, Palo Alto ACE.


What’s New in nChronos 4.3?

2014年11月25日 没有评论

Service Port Monitor

nChronos 4.3 provides a Port view and a Service Access view to monitor and analyze service ports. The Port view calculates the statistics based on IP address + TCP/UDP service port. Together with the sorting function of nChronos, you can easily know which service ports are running on the network, and running for which IPs. The Port view further provides other information about the service port, including the application, the uplink and downlink traffic, the service access time, access times, etc. The Service Access view calculates the statistics based on server and client IPs, port number and applications. It provides the access details for each service port. You can drill a service port down to a specific service access session.

Request a demo

VLAN and VPN Virtual Link Support

nChronos 4.3 provides support for virtual links, including VLAN and MPLS VPN. You can add virtual interfaces and set up network links based on the virtual interfaces. There is a VLAN view, which displays traffic statistics based on VLAN ID. An MPLS VPN view is also provided to display traffic statistics based on MPLS VPN label. Together with the name table function of nChronos, you can add names for VLANs and MPLS VPNs.

Millisecond Analysis

Millisecond analysis provides traffic analysis accurate to one millisecond. It is important for users who care about transient traffic burst. Colasoft nChronos 4.3 provides millisecond traffic statistics and millisecond traffic alarm. Users can define any millisecond traffic alarm according to the need. The Millisecond Analysis window displays the millisecond traffic statistics trend charts in real-time.

Multi-Segment Analysis

Sometimes the responses from large websites are very slow, and to find out the system bottleneck for the websites, it is necessary to analyze each link of the websites. Colasoft nChronos 4.3 provides a multi-segment analysis function, which associates and correlates the data of the same conversation collected on two or more network segments, and displays graphical performance analysis results, like packet loss, delay, retransmission, etc., thus providing visibility into the areas where bottlenecks may occur. A Multi-Segment Analysis window has a timeline pane to show the traffic trends of monitored links. When a conversation is analyzed, the conversations on other segments will be picked up and analyzed automatically.

A Multi-Segment Detail Analysis window shows the detailed analysis results and visualizes the conversation flow across multiple segments. When clicking and hovering a packet, correlated packets will be highlighted, the time difference between the packets will be displayed, and the packet view will show the in-depth decoding information for that packet.

Storage Filter

nChronos 4.3 provides Storage Filter for users to store packets that match the filer rules. You can define the filter rules based on IP/MAC address, port number, protocol type, packet size, etc., and only packets matching the rules will be stored. Besides the filter rules, Storage Filter provides a functionality to truncate the stored packet to a specified size. With Storage Filter, you can store interested packets, and even store only the first few bytes of interested packets. It saves storage space, and helps you avoid from policy problems in some environment.

Request a demo


Colasoft Delivers nChronos v4.3 with Multi-Segment Analysis

2014年11月23日 没有评论

Colasoft Delivers nChronos v4.3 with Multi-Segment Analysis

Tulsa, OK – November 19, 2014– Colasoft LLC (, an innovative provider of network analysis solutions, today announced a new version of its flagship product, nChronos Forensic Network Analysis Application. The multi-segment analysis leverages the packets recorded by nChronos to make it easier and quicker for network professionals to analyze the root cause of distributed application performance issues.

Most IT managers are have similar difficulty in diagnosing and solving application performance issues. It’s difficult to determine if the fault is in the network, the application, the server, or something else that is unknown. Hours or days are wasted in “finger pointing”. There are many components involved and troubleshooting a multi-segment network is difficult at best. In the past, IT professionals had to capture traffic separately from different points and manually merge the information into a single trace file to determine the root cause. nChronos will now automatically discover which packets and applications were seen at multiple points in the network. nChronos packet data recorder uses advanced algorithms to match data packets across the network. With nChronos v4.3, network problems such as latency, application errors, network anomalies or slow response can be tamed with greater ease and expediency.

nChronos v4.3 provides an even greater user experience with new and useful functionality and improvements. Below are some of the highlights of these new features included in nChronos v4.3:

  1. New views are added including a VLAN View, a MPLS VPN View, a Service Access View and a Port View.
  2. Provides millisecond-level traffic statistics and alarms for network links.
  3. Storage filter is available and packets can be stored with specified length.
  4. Application transaction alarms and application transaction alarm logs are now available.
  5. Packets can be downloaded from multiple network links.
  6. Combination analysis for IPv4 and IPv6 is available.
  7. The packets can now be stamped with switch time.

“We continue to provide an increase in value with additional functionality without sacrificing our easy to use interface. With the addition of multi-segment analysis, as well as the improved Alarm and Reporting function, nChronos now automates the previously tedious process of troubleshooting distributed network issues, with greater efficiency and ease.”, said Brandon Lewis, Director of Customer Support at Colasoft ”.

The evaluation version of nChronos 4.3 is now available on the Colasoft website