Protocol analyzers are often used to capture, decode, and evaluate traffic flows and packets for network debugging, troubleshooting, and optimization. But did you know that a protocol analyzer can also be indispensable for security incident investigation?

Perhaps the best-known open source protocol analyzer is Wireshark (née Ethereal). It decodes a very large number of protocols, captured from wired or wireless networks using nearly any laptop, desktop, or dedicated "shark appliance." Wireshark is freely available, and its protocol coverage is extended by the community through dissectors (many of them shipped as plug-ins).

But, even though Wireshark is free and flexible, there are times when it could use an assist – or as CACE Technologies might put it, a pilot to guide this large, complex "fish" through a narrow passage. That's the purpose of CACE Pilot ($1295), a product that cuts large-volume traffic captures down to size through visualization, drill-down, reporting, and more – eventually kicking off Wireshark when and if necessary to complete a task.

Security depends on knowledge

We've been using CACE Pilot to watch live traffic and dig into capture files for several months. Pilot can be handy for many different tasks – especially those that benefit from large-volume traffic visualization and statistical analysis, such as performance reporting.

But we focused on using CACE Pilot for network security tasks, such as spotting unexpected protocols on a WLAN or determining which infected hosts are DoS-ing a LAN. After all, you can't know that a network is really secure if you can't see who's using it and how.

Of course, there are many ways to monitor traffic, from router and firewall logs to network intrusion detection and forensics appliances. These and other tools can save capture files for future use. Where protocol analyzers excel is by interpreting those captured bits and bytes to deliver insight into sources/destinations, conversations, applications, and user activity.

If you're only interested in history, you can drill into saved captures with a protocol analyzer. If you're responding to an incident, you can use a protocol analyzer directly for live capture. Either way, protocol analysis is a fast way to get a grip on network activity by drilling down until you find what you're looking for (or what you were hoping not to find).

But it's far too easy to get lost in packet details. Browsing a long list of decodes is an inefficient way to understand who is talking to whom on a large, active LAN. With an analyzer like Wireshark, you can filter on almost any protocol field or value, but constructing long nested filters to drill down is tedious. Wireshark can also follow a TCP stream or list conversations and endpoints, letting you work back from a selected packet to a higher-level view, but you still start from individual packets rather than from the big picture.

You can do a lot with a good protocol analyzer and a small, focused capture file. But when you start with a huge file, much of it unrelated to the task at hand, this process can be slow, labor-intensive, and yield results that are hard to communicate to less technical folk. In our view, this is where CACE Pilot adds value—by reducing the time it takes to focus on what's important, and making it easier to recall and share what you found.
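The "who is talking to whom" summary described above, reduced to a short script, as an added example; it is not part of the original review and is not CACE's or Wireshark's code. It reads a classic libpcap file (Ethernet, IPv4, TCP or UDP only; no pcapng), and reports bytes sent per source (top talkers), two-way conversations keyed so both directions land in one entry, the number of SYN-without-ACK packets each host sent (the symptom of a host DoS-ing or scanning the LAN), and conversations that touch no port on an allowlist (the "unexpected protocol" check). The sample capture, its addresses, and the allowlist are constructed here for illustration and are not from the page.

```python
"""Conversation / top-talker summary of a classic pcap (added example, not CACE or Wireshark code).
Handles LINKTYPE_ETHERNET captures carrying IPv4 over TCP or UDP; anything else is skipped."""
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps (pcapng not handled)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
# Assumed allowlist of (protocol, server port) pairs expected on this LAN; tune per site.
EXPECTED_PORTS = {(PROTO_TCP, 80), (PROTO_TCP, 443), (PROTO_UDP, 53)}


def parse_pcap(data):
    """Yield the raw frame of every record, honouring the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return the IPv4/TCP|UDP fields we need, or None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    pkt = {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
           "proto": ip[9], "bytes": struct.unpack("!H", ip[2:4])[0],
           "sport": 0, "dport": 0, "flags": 0}       # port 0 = no transport header
    l4 = ip[ihl:]
    if pkt["proto"] in (PROTO_TCP, PROTO_UDP) and len(l4) >= 8:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        if pkt["proto"] == PROTO_TCP and len(l4) >= 20:
            pkt["flags"] = l4[13]
    return pkt


def summarize(pcap_bytes):
    """Bytes per source, two-way conversations, SYN-only counts and off-allowlist conversations."""
    talkers, syn_only = Counter(), Counter()
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in parse_pcap(pcap_bytes):
        pkt = decode_frame(frame)
        if pkt is None:
            continue
        talkers[pkt["src"]] += pkt["bytes"]
        # Sort the endpoints so both directions of a flow share one key.
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        key = (pkt["proto"], ends[0], ends[1])
        convs[key]["packets"] += 1
        convs[key]["bytes"] += pkt["bytes"]
        # SYN without ACK is a connection attempt; a host sending many is probing or flooding.
        if pkt["proto"] == PROTO_TCP and (pkt["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            syn_only[pkt["src"]] += 1
    unexpected = [k for k in convs
                  if not {(k[0], k[1][1]), (k[0], k[2][1])} & EXPECTED_PORTS]
    return {"top_talkers": talkers.most_common(), "conversations": dict(convs),
            "syn_only": dict(syn_only), "unexpected": unexpected}


def _frame(src, dst, proto, sport, dport, payload=b"", flags=TCP_ACK):
    """Constructed Ethernet/IPv4/TCP|UDP frame for the sample capture (checksums left zero)."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return bytes(6) + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def build_sample_pcap():
    """Constructed capture: one normal client, one SYN sprayer, one stray TFTP transfer."""
    frames = []
    for _ in range(3):                                   # 10.0.0.5 browsing over HTTPS
        frames.append(_frame("10.0.0.5", "93.184.216.34", PROTO_TCP, 51000, 443, b"x" * 100))
        frames.append(_frame("93.184.216.34", "10.0.0.5", PROTO_TCP, 443, 51000, b"y" * 1000))
    frames.append(_frame("10.0.0.5", "10.0.0.53", PROTO_UDP, 50000, 53, b"q" * 30))   # DNS
    for i in range(20):                                  # 10.0.0.7 sprays SYNs at 10.0.0.1:4444
        frames.append(_frame("10.0.0.7", "10.0.0.1", PROTO_TCP, 40000 + i, 4444, flags=TCP_SYN))
    frames.append(_frame("10.0.0.9", "10.0.0.1", PROTO_UDP, 33000, 69, b"t" * 20))    # TFTP
    head = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = (struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return head + b"".join(recs)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    report = summarize(data)
    print("top talkers (bytes sent):", report["top_talkers"][:5])
    print("SYN-only per source:", report["syn_only"])
    for key in report["unexpected"][:5]:
        print("off-allowlist conversation:", key, report["conversations"][key])
```

Run it with a real .pcap path as the only argument, or with no argument to analyze the constructed sample. On the sample the SYN sprayer shows up three ways at once: as the second-largest talker by bytes, as the only source with SYN-only packets, and as twenty one-packet conversations on a port outside the allowlist; the stray TFTP flow appears only in the last list, which is why the allowlist check is worth keeping separate from the volume-based views.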

Pilot fundamentals

So what does it take to buy and use Pilot? This software package starts at $1295/seat. We tested a Pilot + AirPcap NX bundle ($1923) – the latter is a USB stick that can scan 802.11a/b/g/n on Windows PCs. Updates are included with Pilot for one year and $300/year thereafter.

Each license lets Pilot run on a single Windows 7 (32 or 64-bit), Vista, or XP PC with min 1024x768 display. CACE recommends a dual-core 2.0 GHz CPU, 2GB RAM and 300 MB storage. We installed Pilot on an XP laptop with min specs and a slightly more powerful 64-bit Win7 PC. Pilot was responsive and reliable on both, capturing 10/100/1000 Ethernet and 802.11a/b/g/n Wi-Fi frames, except for one repeatable XP crash that CACE is investigating.

Although you don't have to use Wireshark to use Pilot, the installer also includes Wireshark and its faithful companion WinPcap. CACE participates in community efforts surrounding Wireshark, but Wireshark updates are released independently. Fortunately, we had no trouble upgrading Wireshark to a new version released after we'd installed Pilot v2.2.

After installation, Wireshark can be conveniently launched from within Pilot as needed. For example, when drilling into a large capture file, a filtered subset can be sent to Wireshark to view per-packet decodes. Alternatively, Pilot can launch Wireshark to capture live packets, with or without filtering. Here, Pilot serves as a GUI-driven shortcut to opening captures in Wireshark; you don't need to know filter syntax or fiddle with NIC parameters to do so.

But Pilot does require one or more traffic sources. When Pilot opens, available sources appear in a control panel as Devices or Files. To perform historical analysis, just add one or more .pcap files (or folders) to the Files list. However, Pilot reads only libpcap-format (.pcap) files, including 802.11 captures that carry Radiotap headers; captures in other formats (including raw 802.11 dumps) must be converted to .pcap first.

For live analysis, just choose a source NIC from Devices. Pilot supports any Ethernet NIC, but because Windows drivers generally do not expose monitor (RFMON) mode, it cannot capture 802.11 frames with ordinary Wi-Fi NICs. To get around this, CACE sells RFMON-capable AirPcap USB sticks, starting with the b/g Classic ($198). Using an AirPcap, Pilot can hop across a configurable set of channels or inject Wi-Fi frames. However, a single AirPcap still captures from only one channel at any instant, so channel hopping samples each channel in turn rather than watching them all; capturing several channels simultaneously requires multiple AirPcaps. If you need to dig into non-802.11 RF as well, purchase sibling product WiFi Pilot instead, which includes the MetaGeek Wi-Spy spectrum analyzer.

Visualizing traffic

Pilot decodes, filters, and performs statistical analysis on supplied packets, displaying graphical results using "Views." To watch live traffic, drag and drop desired View(s) onto a capture Device. To crank through previously-captured traffic, drag View(s) onto File(s). To narrow any View's scope, select or edit a Wireshark-formatted filter (e.g., "port 80 or port 443"; note that this example is Wireshark's capture-filter/BPF syntax, not its display-filter syntax, so check which kind a given View expects before pasting one in). Although you can't change a filter applied to an active View, any filtered (or otherwise modified) View can be saved for later reuse.

Pilot groups dozens of predefined Views into seven categories:

  • Generic
  • 802.11 Troubleshooting
  • LAN/Network Troubleshooting
  • Bandwidth Usage
  • Top Talkers and Conversations
  • Performance and Errors
  • Web/VoIP User Activity

This list is growing as CACE develops new Views based upon customer requests. For example, v2.2 included new VoIP SEER, Wi-Fi roam time, and TCP RTT Views. Unfortunately, there is no SDK to develop your own View – for example, if you wanted to dig into streaming video sessions at the same level of detail now supported for Web and VoIP.