Capsa Network Analyzer is an easy to use Ethernet network analyser(aka packet analyser) for network monitoring and troubleshooting purposes. It performs real time packet capturing, advanced protocol analysing, in-depth decoding. In this section we will see how capsa can be used for protocol analysis. It has a very user friendly and information rich tabbed view. Below is shown the start page of the application we click on start capture now button to then we get this form and over here we have enabled the checkbox for enable detail protocol statistics of each endpoint, enable conversation statistics of each endpoint and also enable detail statistics of packet size. Then click ok to start packet capture in real time.

After we finish capturing traffic click on stop button in the tool strip.  In the summary tab we get various kinds of information like the capture time, different errors, traffic, packet size distribution,  TCP packets and connections, HTTP analysis etc. Below is a snapshot showing the summary tab.

In the diagnosis tab we can get information which may require action to be taken by us. Some packets are shown that we need to take notice of such as these may be having slow response times from the servers, then there is the warning level of diagnostics which we may have to take action like a server may no longer be reachable which could be because the computer has been disconnected from the network.

In the endpoints tab we get information like the IP, MAC address of local host the packets it sends and receives their sizes, also shows the MAC address, URL of the web page. The number and size of packets sent and received by the server.

The next tab is the protocols tab. In this like in wire shark the packets along with the protocols used in communicating are shown. The various protocols that are used during the session are listed and if we want to know the packet information of each protocols we can do so by clicking on show details. In the screenshot below the packet details of HTTP protocol are shown along with the statistics of other protocols used. The packet information below shows the source, destination, size, the protocol used.

In the conversations tab the conversation between the network computers and the web servers is shown. The conversations are categorized into Physical, IP, TCP and UDP. On selecting the appropriate conversation we can see the source and destination’s MAC address (PHYSICAL conversation selected) or the IP addresses of the source and destination. Also shown will be the packets in each of the conversations along with the details like whether the packet was sent or received, its size. Shown below are the IP conversations, here endpoint1 is the local host and endpoint2 is the web server or another computer in the network.

In the matrix tab of the network analyser are shown the nodes used in the session i.e. the various URL’s that were accessed from the particular system.

In the packets tab we get information about individual packets. The information provided in this tab is similar to the information we get when we use wireshark. Also the packet information is displayed in HEX at the bottom of the screen. In the details of each packet we can get information like the source, destination of the packet. The ports used at either end. It also shows if the packet is received correctly or contains any errors when received by the destination. Below is a screenshot of the packets tab displaying the details of individual packet as well as the list of packets received.

The logs tab shows the log that is created during the session. It maintains different logs for HTTP requests,E-mails, messenger activities, etc. It shows the client’s IP address and the port number. The server URL and whether information is to be fetched(get) or posted (POST) onto the URL. It also gives us information if the server is found or not.

The next tab is the graphs tab. As we know that graphical data is easy to interpret even by layman. Capsa Network Analyzer provides us with a variety of graphs to view depending on the session. Here is a graph that can be used in TCP analysis. It’s called a TCP connection graph. It shows the TCP traffic in intervals of time. In this manner we can view the various graphs and analyse them.

thus we see that capsa network protocol analyzer is a very powerful tool. It provides us results that any one can understand.

Transport layer

The transport layer is fourth and middle layer of the OSI Reference Model protocol stack. This layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. The Transport Layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. It can keep track of the segments and retransmit those that fail.

The transport layer acts as a link between the applications at the higher layers, and the concrete functions of the bottom layers. Its overall job is to provide the necessary functions to enable communication between software application processes on different computers.The transport layer is responsible for providing a means by which all different applications can all send and receive data using the same lower-layer protocol implementation. Thus, the transport layer is said to be responsible for end-to-end or host-to-host transport.
For transmission, the transport layer protocol must keep track of what data comes from each application, then combine this data into a single flow of data to send to the lower layers. The device receiving information must reverse these operations, splitting data and funneling it to the appropriate recipient processes. The transport layer is also responsible for defining the means by which potentially large amounts of application data are divided into smaller blocks for transmission.

The transport layer has three main responsibilities in terms of the exchange of data between systems. These include:

• Data segmentation.

Data segmentation is the process by which the Transport layer uniquely handles all data passed to and from different upper-level applications. This is usually implemented in the form of source and destination port numbers that are defined within a particular application.

• Establishment of end-to-end connections between hosts.

Connection oriented sessions: When a connection-oriented session is established between systems, acknowledgements are returned to the sender as proof that segments reached their destination. If an acknowledgement is not received, the associated data will be resent.

There are three main phases to a connection-oriented session. These include:

• Call Setup. When a connection is being established, a path known as a virtual circuit is created between the sender and receiver.
• Data Transfer. Once the path is created, data is transmitted sequentially to the receiver.
• Call Termination. When an established connection is no longer required, the virtual circuit is terminated.

Connectionless sessions: Connectionless sessions communicate without receipt acknowledgements or sequence numbers. Connectionless protocols don’t have any reliability mechanisms built in, since they’re mainly built for speed.

• Flow control

Using flow-control mechanisms to ensure that data is sent at rates that the receiver can handle.In network environments, systems use a portion of memory referred to as buffer space to hold data that has been received more quickly than they can process it. However, once this buffer space fills, systems run the risk of dropping data that they can’t find room for. To account for this, the Transport layer on the receiving machine will pass status information to the sender, asking it to stop sending segments if its buffers become full. Once buffer space becomes available, another message is passed to the sender allowing it to resume transmission.

Examples of transport layer protocols:

• Transmission Control Protocol (TCP) Connection-oriented sessions.
• User Datagram Protocol (UDP) Connectionless sessions.

Selective repeat is employed by the TCP transport protocol for error recovery during transmission of data packets which are referred to as PDUs,short for Protocol Data Units.

Features required for Selective Repeat ARQ

• To support Go-Back-N ARQ, a protocol must number each PDU which is sent. (PDUs are normally numbered using modulo arithmetic, which allows the same number to be re-used after a suitably long period of time. The time period is selected to ensure the same PDU number is never used again for a different PDU, until the first PDU has “left the network” (e.g. it may have been acknowledged)).
• The local node must also keep a buffer of all PDUs which have been sent, but have not yet been acknowledged.
• The receiver at the remote node keeps a record of the highest numbered PDU which has been correctly received. This number corresponds to the last acknowledgement PDU which it may have sent.

The above features are also required for Go-Back-N, however for selective repeat, the receiver must also maintain a buffer of frames which have been received, but not acknowledged.

Recovery of lost PDUs using Selective Repeat ARQ

The recovery of a corrupted PDU proceeds in four stages:

• First, the corrupted PDU is discarded at the remote node’s receiver.
• Second, the remote node requests retransmission of the missing PDU using a control PDU (sometimes called a Selective Reject). The receiver then stores all out-of-sequence PDUs in the receive buffer until the requested PDU has been retransmitted.
• The sender receives the retransmission request and then transmits the lost PDU(s).
• The receiver forwards the retransmitted PDU, and all subsequent in-sequence PDUs which are held in the receive buffer.

 A remote node may request retransmission of corrupted PDUs by initiating Selective Repeat error recovery by sending a control PDU indicating the missing PDU. This allows the remote node to instruct the sending node where to retransmit the PDU which has not been received. The remote stores any out-of-sequence PDUs (i.e. which do not have the expected sequence number) until the retransmission is complete.

Upon receipt of a Selective Repeat control PDU (by the local node), the transmitter sends a single PDU from its buffer of unacknowledged PDUs. The transmitter then continues normal transmission of new PDUs until the PDUs are acknowledged or another selective repeat request is received.

If the retransmission is not successful, the protocol relies upon a ‘protocal timer’ in the local node to detect that no acknowledgment was received. The lost PDUs may then be recovered by polling.

A proxy server for HTTP requests is typically an HTTP proxy or “web proxy” accepts HTTP requests containing URLs with a special prefix. The proxy removes the prefix and looks for the resulting URL in its local cache (if it is a caching proxy). If found, it returns the document immediately, otherwise it fetches it from the remote server, saves a copy in its cache and returns it to the requester. The cache will usually have an expiry algorithm which flushes documents according to their age, size and access history.

The purpose is to reduce the amount of data flowing over the proxy’s Internet connection and to speed up clients’ access to frequently requested pages, e.g. at an ISP or on a large company’s firewall. The proxy may also reject requests where the URL or content matches certain conditions.

The Apache HTTP server can be configured to act as a proxy server. Another popular software proxy is Squid.

However, their support is not realized at a level of an operating system – in order to use them, you should configure all programs, which should use proxies. In an appropriate way To organize proxies into a chain, it is necessary to organize tunneling of requests: there is created a virtual tunnel, which passes through an HTTP proxy and, using this tunnel, the program can “make a path” through some proxy servers to a specific web server.An HTTP proxy may support SSL (Secure Sockets Layer).

Session layer

The Session Layer is Layer 5 of the seven-layer OSI model of computer networking.

The Session layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e. a semi-permanent dialogue. Communication sessions consist of requests and responses that occur between applications. Session Layer services are commonly used in application environments that make use of remote procedure calls (RPCs).

Some of the protocols at this layer are PAP (Password Authentication Protocol), PPTP (Point-to-Point Tunneling Protocol), RPCP (Remote Procedure Call Protocol), ZIP (Zone Information Protocol) and so on.

Functions of Session layer:

• Dialog control

This layer allows two system to enter into a dialog. It also allows communication between two processes to take place either in half duplex i.e. one way at a time or full duplex i.e. two way at a time mode.

• Authentication/permission

When a user wants to access an application, password and usernames(credentials) need to be submitted. If the identity that the user is claiming is found to be true, user is said to be authenticated and permission to use application is provided.

• Synchronization

This layer is responsible for session check pointing and recovery. It allows information of different streams, perhaps originating from different sources, to be properly combined or synchronized. An example application is web conferencing, in which the streams of audio and video must be made synchronous.

Protocols of Session layer:

1. 1. Password Authentication Protocol (PAP)

• Authenticates a user to a network access server.
• Server sends acknowledgement based on credentials.
• It is used by point to point protocol.

1. 2. Point-to-Point Tunneling Protocol (PPTP)

• Implements virtual private networks.
• It does not provide confidentiality and encryption.

Presentation layer

The Presentation Layer is Layer 6 of the seven-layer OSI model of computer networking.

The Presentation Layer is responsible for the delivery and formatting of information to the application layer for further processing or display. It is concerned with the syntax and semantics of the data exchanged. It relieves the application layer of concern regarding syntactical differences in data representation within the end-user systems.

It is composed of two sublayers:

• CASE (Common Application Service Element) which asks service from presentation layer and provides service to application layer. Some service applications include

ROSE (Remote Operation Service Element)

RTSE (Reliable Transfer Service Element)

• SASE (Specific Application Service Element) which as the name suggests provides some specific application services like

VT (Virtual Terminal)

Tel Net(a remote terminal access protocol)

Some of the protocols at this layer are AFP (Apple Filing Protocol), NCP (NetWare Core Protocol), RDP (Remote Desktop Protocol), XDR (External Data Representation Protocol) and so on.

Functions of Presentation layer:

• Translation

Exchange of information between sender and receiver is in the form of character strings which needs to be converted into bit streams. Since encoding system is different in every computer, this layer acts as median which converts data from sender in sender dependant format to a common-format and the same to receiver dependant format at the receiver, thus ensuring compatibility.

• Encryption

To carry sensitive information, a system must be able to ensure privacy. This layer is responsible to transform the original information to another form and to send resulting information out over the network.

• Compression

This reduces the number of bits contained in the information. It becomes particularly important in the transmission of multimedia such as text, audio and video.

Protocols of presentation layer:

1. 1. Remote Desktop Protocol (RDP)

• It is a proprietary protocol developed by Microsoft.
• It is also a communications protocol.
• Provides a user with a graphical interface to another computer.

1. 2. NetWare Core Protocol (NCP)

• It is usually associated with the NetWare operating systems.
• It is used to access file, print and directory.
• It also provides clock synchronization by means of phase synchronization, messaging, remote command execution and other network service functions.