Chances are, if you’re in charge of supporting a network of any size, you’ll need to look at the actual packets that are passing back and forth across that network. Whether it’s to see whether a specific machine is sending or receiving packets as it should, or you want to see the contents of the packets themselves, you’ll need to break out a packet sniffer. There are lots of packet sniffers out there, with lots of different features and lots of different pricing models. Today we’ll look at Colasoft’s Capsa network analyzer.
At first blush, Capsa is like just about any other packet capture program available. It puts the network card into promiscuous mode and records all the packets it sees on the wire. Running counts are displayed showing information about the various packets on the network. As you can see in the image below, I captured almost 2000 packets in a minute and a half. No physical errors were seen, but 130 802.3 errors were recorded. Farther down you can also see a distribution of packet sizes.
One of the things I found immediately useful with Capsa is the Diagnosis tab. Capsa pays attention to more than just plain old packet details. As you can see, Capsa identified slow ACKs, fast retransmissions, and more.
Without a doubt, Capsa is a user-friendly program. Even if you don’t know much about the IP stack, you can learn a lot about what’s happening on your network with Capsa. It presents data in a very easy-to-read way. The Graphs tab shows some great visualizations of various network statistics. Such graphs are always appreciated by pointy haired bosses.
Want a breakdown of all the traffic flowing across your network? Check out the Protocols tab to see a breakdown of traffic types on your network.
The question I had when using Capsa was: Why would I pay cash money for it, when I can use Wireshark for free? I suppose there are still business entities out there that don’t truly understand — or trust — free software. Such companies would prefer the warm and fuzzy feeling they get knowing that there’s some commercial support behind the products they use, rather than a bunch of long-haired Linux-loving commie weirdos.
The real benefit to Capsa, from my point of view, is the user interface. It presents the data in an extremely easy-to-read way, such that you don’t need to be a hard-core network engineer to see what’s happening. So for a couple hundred bucks, even an entry level tech can reasonably understand what’s going through your network. And as previously noted, the pretty graphs will make managers happy.
Wireshark can do pretty much everything that Capsa does, but the interface isn’t as slick. Below are a few Wireshark screenshots, demonstrating some of the differences. There’s not a one-to-one comparison for each of them, obviously. Also, accessing some of this information is not as easy in Wireshark as in Capsa. For example, the packet breakdown is only available in the Advanced Info report in Wireshark, rather than a top-level tab.
Bottom Line: If you don’t want to become a network engineer, but want to get a better understanding of what’s happening on your network, Colasoft’s Capsa network analyzer is a pretty good choice.