Network Protocol Analyzer User Manual
Other features
This section describes the features and options of the software that are not included elsewhere in this manual.
Ethernet card manufacturer lookup
This tool allows you to look up a network card manufacturer’s name by MAC address. To do so, click Tools - Ethernet Card Manufacturer Lookup, enter the MAC address and then press the Lookup button.
Address book
The Address Book provides a convenient place to store information about network hosts for easy access. To open the address book, select Tools - Address Book in the main menu.
Net Stat
The SoftPerfect Network Protocol Analyzer includes a network tool called Net Stat. This tool allows you to see the network connections of your computer and find ports in “listen” mode (that is, waiting to accept incoming connections). To activate Net Stat, select Tools - Net Stat in the main menu.
Export report
The SoftPerfect Network Protocol Analyzer can export captured packets to text files in various formats. To do this, select File - Save Report As in the main menu.
Merging/splitting captures
Sometimes you may want to split a large capture file into smaller files, or merge multiple capture files into a single large file. Select File - Merge/Split Capture in the main menu.
Click the Add/Del buttons to choose the capture files to be merged, then click the Merge Files button to merge the chosen files.
Click the Browse button to choose a capture file to be split, then click the Split File button to split the chosen file into smaller files of the specified size.
File Formats
This section describes the formats of the files that the SoftPerfect Network Protocol Analyzer uses. You can use files generated by the SoftPerfect Network Protocol Analyzer in other utility programs. Note that, unlike other network analysers, these file formats are all open. They are described below.
CAP is a capture file in which captured packets (sessions) are stored.

Offset | Size | Name | Description
---|---|---|---
0x0–0x2 | 3 Bytes | CAPSIGN | Signature line. This string value is always equal to “CAP”.
0x3 | 1 Byte | CAPVER | In this version of the software the value is always 1.
0x4–0x7 | 4 Bytes | VTOTAL | A long integer number (DWord). It is equal to the total number of data packets in the file.

The above header data is then followed by VTOTAL packet records. Here is the format of each variable-length packet record:

Size | Name | Description
---|---|---
8 Bytes | TIMESTAMP | A Double type number holding the date and time the packet was received.
2 Bytes | PKTLEN | A Word type number, the packet’s length.
PKTLEN | PKTDATA | A block of PKTLEN length. This is the packet’s data.
LCAP is a capture file in which packets captured on loopback are stored. Due to the nature of loopback communications, it is different from a CAP file.

Offset | Size | Name | Description
---|---|---|---
0x0–0x2 | 3 Bytes | LCAPSIGN | Signature line. This string value is always equal to “LCP”.
0x3 | 1 Byte | LCAPVER | In this version of the software the value is always 2.
0x4–0x7 | 4 Bytes | VTOTAL | A long integer number (DWord). It is equal to the total number of data packets in the file.

The above header data is then followed by VTOTAL packet records. Here is the format of each variable-length packet record:

Size | Name | Description
---|---|---
8 Bytes | TIMESTAMP | A Double type number holding the date and time the packet was received.
4 Bytes | PROCESS_ID | A DWord type number, which contains the process identifier.
4 Bytes+ | PROCESS_NAME | A DWord type number indicating the length of the following string, then a UTF-8 encoded sequence of characters containing the process name.
4 Bytes | DIRECTION | A DWord type number. Can be either 0 for local-to-remote, or 1 for remote-to-local.
4 Bytes | PROTOCOL | A DWord type number containing the protocol type (6 for TCP, 17 for UDP).
4 Bytes | LOCAL_ADDRESS | A DWord type number containing the local IPv4 address.
4 Bytes | REMOTE_ADDRESS | A DWord type number containing the remote IPv4 address.
2 Bytes | LOCAL_PORT | A Word type number containing the local port.
2 Bytes | REMOTE_PORT | A Word type number containing the remote port.
4 Bytes | PKT_LEN | A DWord value containing the data length in bytes.
PKT_LEN | PKT_DATA | A sequence of bytes of variable length (payload).
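As an added example (not SoftPerfect’s own code), the following parser reads both the CAP and LCAP layouts described above, checking the signature and version and bounds-checking every length field (PKTLEN, the process-name length, PKT_LEN) before using it, so a corrupt or hostile file fails cleanly instead of reading past the buffer. It assumes little-endian integers, an IEEE 754 double for TIMESTAMP and IPv4 DWords that hold the four address bytes in address order; the manual states none of these.

```python
import struct

# Assumptions not stated in the manual: multi-byte integers are little-endian,
# TIMESTAMP is an IEEE 754 double, and an IPv4 DWord holds its four address
# bytes in address order (127.0.0.1 stored as 7F 00 00 01).
HEADER = struct.Struct("<3sBI")          # signature, version, VTOTAL
CAP_REC = struct.Struct("<dH")           # TIMESTAMP, PKTLEN
LCAP_HEAD = struct.Struct("<dII")        # TIMESTAMP, PROCESS_ID, name length
LCAP_TAIL = struct.Struct("<II4s4sHHI")  # DIRECTION .. PKT_LEN
DIRECTION = {0: "local-to-remote", 1: "remote-to-local"}

def _take(data, off, n):
    # Bounds-checked slice: a bad length field must never read past the buffer.
    if off + n > len(data):
        raise ValueError(f"truncated record at offset {off}: need {n} bytes")
    return data[off:off + n]

def _header(data, sign, ver):
    s, v, total = HEADER.unpack(_take(data, 0, HEADER.size))
    if s != sign or v != ver:
        raise ValueError(f"expected {sign!r} v{ver}, got {s!r} v{v}")
    return total, HEADER.size

def parse_cap(data):
    total, off = _header(data, b"CAP", 1)
    records = []
    for _ in range(total):
        ts, plen = CAP_REC.unpack(_take(data, off, CAP_REC.size))
        records.append({"timestamp": ts, "data": _take(data, off + CAP_REC.size, plen)})
        off += CAP_REC.size + plen
    return records

def parse_lcap(data):
    total, off = _header(data, b"LCP", 2)
    records = []
    for _ in range(total):
        ts, pid, nlen = LCAP_HEAD.unpack(_take(data, off, LCAP_HEAD.size))
        name = _take(data, off + LCAP_HEAD.size, nlen).decode("utf-8")
        off += LCAP_HEAD.size + nlen
        dirn, proto, la, ra, lp, rp, plen = LCAP_TAIL.unpack(_take(data, off, LCAP_TAIL.size))
        off += LCAP_TAIL.size
        records.append({"timestamp": ts, "pid": pid, "process": name, "protocol": proto,
                        "direction": DIRECTION.get(dirn, f"unknown({dirn})"),
                        "local": (".".join(map(str, la)), lp), "remote": (".".join(map(str, ra)), rp),
                        "data": _take(data, off, plen)})
        off += plen
    return records

# Constructed sample: one LCAP record (TCP, pid 1234, process "curl", 4-byte payload).
SAMPLE_LCAP = (HEADER.pack(b"LCP", 2, 1) + LCAP_HEAD.pack(45000.5, 1234, 4) + b"curl"
               + LCAP_TAIL.pack(0, 6, bytes([127, 0, 0, 1]), bytes([10, 0, 0, 5]), 51000, 80, 4) + b"GET ")
```

The same bounds check applies to the VTOTAL count: a file that claims more records than it contains is reported as truncated rather than silently returning fewer packets.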
RAW is a type of file containing a saved packet as the original sequence of bytes.
XML is a filter file. It is a typical XML file where the filter settings are saved. You can gain more information about it by simply viewing it as a text file.