CACE Pilot is a powerful network analysis tool with a visually-oriented user interface that is fully integrated with Wireshark, allowing you to leverage your team's existing expertise and to quickly diagnose networking issues.

Views are the core analysis and visualization paradigm in CACE Pilot. A View is instantiated by dragging it over a source (capture device or file). This triggers the CACE Pilot network analysis engine to execute the associated analysis on the source file or device providing the results in preformatted, easily readable displays.

CACE Pilot's drill-down analysis comes from selectable graphical elements within Views. These selections can be thought of as visual filtering steps to which new Views can be applied, thereby drilling down into the traffic source.

Comprehensive reporting features incorporating CACE Pilot’s extensive data visualization options, including charts, graphs, and more, provide Wireshark users with the ability to instantaneously create and customize professionally-formatted, management-ready reports.

The minimum recommended system configuration for CACE Pilot is a Pentium dual core 2.0 GHz CPU with 2 GB RAM, 300MB free disk space on the hard drive plus additional space for capture files, support for Direct X 9.0c-capable graphics card with a minimum of 128MB of dedicated video memory and a resolution of 1024 x 768 and Windows XP or Vista.

It supports both.

CACE Pilot works with our AirPcap adapters for wireless LAN analysis. Standard wireless NICs and built-in wireless NICs are not currently supported.

CACE Pilot can be uninstalled on one system through the Add/Remove process. Uninstalling will deactivate your product key, which will then be available for activation on another system. Make sure you get a deactivation confirmation number when uninstalling or the installation on the new system will fail.

CACE Pilot is able to open .pcap files only at present. There are, however, several flavors of .pcap-formatted files. Wireshark can read all of them, but CACE Pilot only reads one particular format. To read .pcap traces generated by your Sniffer, you have two options:

1. Open the .pcap file with Wireshark and save it as a .pcap file. This .pcap file will then be able to be read by CACE Pilot.
2. If you want to avoid opening Wireshark to convert the file (this will also speed up the conversion), you can use the following command line: editcap -F libpcap editcap.exe is located in "\Program Files\Wireshark\", more information about editcap can be found at: editcap

For now, the best way to handle this is to generate a Word (rtf) document and replace the Title page with whatever you want.

This can be a bit tricky. There is an XML file in C:\Program Files\CACE Technologies\Pilot v1.1 called Pilot.Client.config. The tag identifies the place in this file where the reporter "styles" are defined. There are five styles in this section.

One way to create your own style is to duplicate one of the styles, rename it, and then modify it to meet your needs. Make sure you back up this file if you try to change it.

NOTE THAT modifying the Pilot.Client.config file can be difficult, can easily crash CACE Pilot, and no support or documentation is available to support this exercise. For a "styles" expert, however, this is the way, at present, to develop your own report style.

To annotate any report, use the handle at the bottom of any chart display and type your text in the space that opens. The text will then appear with each display in your report.

With a full single-seat license purchase of CACE Pilot, you can run the software on one machine only. So that would mean that, yes, if you were doing Ethernet-based data collection, you would either move your laptop with CACE Pilot around to various segments in order to analyze them, connect the CACE Pilot-outfitted laptop to the management port of a switch, or collect traces from multiple instances of Wireshark and open and analyze them in CACE Pilot. A client-server version of CACE Pilot is in development and should ship either late this year or early next year. This will allow you to install CACE Pilot analysis engines on multiple segments and collect that data at one or more CACE Pilot consoles for analysis.

We will support more file formats in future releases of CACE Pilot, yes, including the NetScout Infinistream. For now, CACE Pilot only reads one particular .pcap format. To read the formats not native to CACE Pilot, you have two options at present, delineated below. 1. Open the .pcap file with Wireshark and save it as a .pcap file. This .pcap file will then be able to be read by CACE Pilot. 2. If you want to avoid opening Wireshark to convert the file (this will also speed up the conversion), you can use the following command line: editcap -F libpcap editcap.exe is located in "\Program Files\Wireshark\", more information about editcap can be found at: editca

Complete the support form available at techsupport and request an additional activation on the product key you provide.

CACE Pilot is not a discovery tool, but it will, like any network analyzer, capture all packets from all communicating devices on the wired and/or wireless network segment or channel to which it is attached and report on their activity. So, if you have Linux, Unix, or any other OS-based device on the network that you’re sniffing and they are sending packets onto that network, CACE Pilot will capture and analyze them.

CACE Pilot’s current roster of 130+ Views are weighted towards IP communications at this point. As the product matures, we will add custom Views specific to VoIP, VoWLAN, and more.

Can I write my own CACE Pilot Views?

Not at this time. However, if you have a specific View in mind that you would like added to CACE Pilot, please send a description and, if possible, packet trace to support@cacetech.com and we will add it to our development schedule.

Not in the current release, though this in our development plan for a future release of CACE Pilot.

The "Data Bandwidth over Time" View shows you the amount of TCP or UDP data bytes in strip chart form. It can be compared with the “Bandwidth over Time” View to measure the layer 1 to 4 protocol overhead.

Set a filter for your application (e.g. "TCP port 80") and then apply a simple View like “Bandwidth over Time”.

Not yet. This is planned for a future CACE Pilot release.

When you apply a View with filter (by dragging it and holding CTRL key, or right-clicking on the View and choosing 'Apply with Filter') you can choose two types of filters: BPF (performed at the capture driver level) or Wireshark Display (performed by the Wireshark engine). The former is faster but less flexible, the latter is slower but you can take advantage of the Wireshark filtering capabilities (mainly the first time when the Wireshark engine must be loaded).

In your case, the filter can be applied in two ways: - BPF filter, e.g. "net 10.20.172.0 mask 255.255.255.0"; - Wireshark Display filter, e.g. "ip.addr == 10.20.172.0/24". The result is the same, apart from performance, as explained above.

The CACE Pilot engine is already running under linux in our labs. In the next few months, we plan to release a linux version of the engine that you'll be able to connect to from the CACE Pilot user interface installed on your laptop. The linux engine will support Endace DAG 1GB cards natively, and will allow you to perform all of the analysis on a remote box what you now do with your local copy of CACE Pilot, including drilling down and viewing files with Wireshark.

Right now, the shortest interval CACE Pilot supports is 1 second. The limitation is there to prevent users from saturating their CPU with extremely high refresh times. We can remove this limitation in future releases, but it needs to be justified.

That depends on the View, but normally it is the average. The View documentation (in the tooltip) normally gives this kind of detail.

Look for Views for this under “802.11Over Time”.

Yes. To apply a subnet filter to a View:

1. Hold the CTRL key while you apply the View to the source. The filter panel will pop up.
2. In the filter panel, click on "new" to create a new filter
3. Specify "Wireshark Capture Filter (BPF)" as filter type
4. Specify "net 192.168.1.0 mask 255.255.255.0" as a filter string

To specify more than one subnet , use the following syntax: "(net 192.168.1.0 mask 255.255.255.0) or (net 192.168.2.0 mask 255.255.255.0)"

Hold the CTRL key while you apply a View, or apply the View by right-clicking on it and selecting the "apply with filter" context menu item. The filter panel will appear. From the filter panel, you can:

- pick one of the predefined filters
- create your own filter using the Wireshark display or capture syntax

Yes, in the same way as described above.

You can attach a filter to the "overview" View, in the same way described above. The resulting filtered "overview" screen view will contain only the packets that the filter accepts.

Yes. We routinely use CACE Pilot on VMware VMs at CACE.

If you want to analyze the actual T1 signaling, you can use a DAG card from Endace ( Endace DAG Card ) or GL's USB capture boxes ( GL Capture Box ).

If you’re just interested in capturing and analyzing IP traffic and are using Cisco gear, you can use IP Traffic Export: Cisco IP Traffic Export

Yes. We have a pretty complete set of 802.11 Views that cover all of the most important metrics. Of course, upon request, we can build specific Views to cover specific needs.

Regarding Wireshark dissector support, from the filtering point of view, the answer is yes. From the point of view of charting UMA, ESP or Radius fields, the answer again is yes, but in early CACE Pilot releases we will have to build the Views for you, since there's no "drag & drop" method yet to chart a field from Wireshark. If you give us some specs, however, we'll be able to make Views for you.

We have a View, called Retransmissions, that gives this information. Another useful View that we provide charts the rate over time on a per-transmitter basis. Such a View is normally extremely useful in detecting rate shifts.

The pie chart actually offers this feature (see https://www.cacetech.com/media/5_controls/barchart-piechart/), but for the moment it's the only chart that can do that. We will be adding this feature to the other charts in future releases of CACE Pilot.

The number in the chart shows the average RTO, i.e., how long a TCP transmission was delayed before a segment was retransmitted. This value is a time value. If you need to know the number of retransmissions, you can use the "Transport\TCP\Wireshark TCP Metrics" View. To chart the number of tcp retransmissions, you can select the “Suspected TCP Retransmissions" line (second line), and drill down with the "Bandwidth over Time" View. To see the endpoints that generated tcp retransmissions, you can select the "Suspected TCP Retransmissions" line and drill down with the "IP Conversations" View. And so on.

When I use the “TCP Round Trip Time over Time” View, it only shows 2 results. When I changed the “y” axis to a smaller number, there was still no information. I’m sending a screenshot of a CACE Pilot chart to illustrate this. Is this a bug?

The application analysis you’re after will be in a future CACE Pilot release.

No wireless analyzer in the world, as far as we know, allows decryption of WPA professional, because the lack of a pre-shared key makes it virtually undecryptable.

According to the information provided, you have captured on the "any" interface on Linux. When you use this interface, libpcap prepends each packet with an SLL header which contains DLT information, similar to PPI. SLL is described at wiki.wireshark.org/SLL. The header is described in "sll.h" in the libpcap sources.

CACE Pilot doesn't currently support SLL encapsulation. You can work around this by using Editcap, one of the command-line utilities that comes with Wireshark. E.g.,the command:

editcap -T ether sll.pcap ether.pcap

will read the SLL-encapsulated file "sll.pcap" and write an Ethernet-encapsulated file "ether.pcap".

The next version of CACE Pilot will have improvements that will push the performance up considerably, especially in the area of large file access. For the moment, the only solution is reducing the file size with the drill-down feature before applying views like TCP Protocol Distribution.