Cascade Pilot Personal Edition Frequently Asked Questions

Cascade Pilot Personal Edition is a powerful network analysis tool with a visually-oriented user interface that is fully integrated with Wireshark, allowing you to leverage your team's existing expertise and to quickly diagnose networking issues.

Views are the core analysis and visualization paradigm in Cascade Pilot Personal Edition. A View is instantiated by dragging it over a source (capture device or file). This triggers the Cascade Pilot Personal Edition network analysis engine to execute the associated analysis on the source file or device providing the results in preformatted, easily readable displays.

Cascade Pilot Personal Edition's drill-down analysis comes from selectable graphical elements within Views. These selections can be thought of as visual filtering steps to which new Views can be applied, thereby drilling down into the traffic source.

Comprehensive reporting features incorporating Cascade Pilot Personal Edition’s extensive data visualization options, including charts, graphs, and more, provide Wireshark users with the ability to instantaneously create and customize professionally-formatted, management-ready reports.

Operating systems: Windows XP, Windows Vista, and Windows 7 (32 and 64 bit)
Suggested Hardware Platform:
A dual-core 2.0 GHz CPU or better
2 GB RAM
300MB free disk space plus additional space for trace files and reports
Support for graphics cards with a minimum resolution of 1024 x 768

Cascade Pilot Personal Edition can be uninstalled through the Add/Remove process. Uninstalling will deactivate your product key, which will then be available for activation on another system. Make sure you get a deactivation confirmation number when uninstalling or the installation on the new system will fail.

Yes. Version 2.4 fully supports Windows 7.

Cascade Pilot Personal Edition works with our AirPcap adapters for wireless LAN analysis. Standard wireless NICs and built-in wireless NICs are not currently supported.

Complete the support form available through the Support Tab at www.cacetech.com and request an additional activation for the product key you provide on the form.

Cascade Pilot Personal Edition is able to open .pcap files only at present. There are, however, several flavors of .pcap-formatted files. Wireshark can read all of them, but Cascade Pilot Personal Edition only reads one particular format. To read .pcap traces generated by your Sniffer, you have two options:

1. Open the .pcap file with Wireshark and save it as a .pcap file. This .pcap file will then be able to be read by Cascade Pilot Personal Edition.

2. If you want to avoid opening Wireshark to convert the file (this will also speed up the conversion), you can use the following command line:
editcap -F libpcap
editcap.exe is located in “\Program Files\Wireshark\”, more information about editcap can be found at: editcap

Go to the Reporting tab on the Main Menu bar. Within the Settings panel, you can change the default Cascade Pilot Personal Edition Title page by editing the Title field. Also within Settings, you can add edit the Analyst and Client information to customize your reports.

There are currently five preformatted style sheets for Reporting. If you need to create more, this can be tricky. There is an XML file in C:\Program Files\CACE Technologies\CACE Pilot called Pilot.Client.config. The tag identifies the place in this file where the reporter “styles” are defined.

To annotate any report, use the handle at the bottom of any chart display and type your text in the space that opens. The text will then appear with each display in your report.

With a full single-seat license purchase of Cascade Pilot Personal Edition, you can run the software on one machine only. So that would mean that, yes, if you were doing Ethernet-based data collection, you would either move your laptop with Cascade Pilot Personal Edition around to various segments in order to analyze them, connect the Cascade Pilot Personal Edition-outfitted laptop to the management port of a switch, or collect traces from multiple instances of Wireshark and open and analyze them in Cascade Pilot Personal Edition.

A distributed client-server version of Cascade Pilot Personal Edition is in development and will ship in January 2010. This will allow you to setup Shark Appliance software analysis engines on multiple segments and display and interact with that data from one or more Pilot Consoles.

We will support more file formats in future releases of Cascade Pilot Personal Edition, yes. For now, Cascade Pilot Personal Edition only reads one particular .pcap format. To read the formats not native to Cascade Pilot Personal Edition, you have two options at present, delineated below.

1. Open the .pcap file with Wireshark and save it as a .pcap file. This .pcap file will then be able to be read by Cascade Pilot Personal Edition.

2. If you want to avoid opening Wireshark to convert the file (this will also speed up the conversion), you can use the following command line:
editcap -F libpcap
editcap.exe is located in “\Program Files\Wireshark\”, more information about editcap can be found at: editcap

Cascade Pilot Personal Edition is not a discovery tool, but it will, like any network analyzer, capture all packets from all communicating devices on the wired and/or wireless network segment or channel to which it is attached and report on their activity. So, if you have Linux, Unix, or any other OS-based device on the network that you’re sniffing and they are sending packets onto that network, Cascade Pilot Personal Edition will capture and analyze them.

Cascade Pilot Personal Edition’s current roster of Views are weighted towards IP communications, but include a growing roster of VoIP Views as well. As the product matures, we will add more custom Views specific to VoIP, VoWLAN, video communications, and more.

Not at this time. However, if you have a specific View in mind that you would like added to Cascade Pilot Personal Edition, please send a description and, if possible, packet trace to support@cacetech.com and we will add it to our development schedule.

The “Data Bandwidth over Time” View shows you the amount of TCP or UDP data bytes in strip chart form. It can be compared with the “Bandwidth over Time” View to measure the layer 1 to 4 protocol overhead.

Set a filter for your application (e.g. “TCP port 80”) and then apply a simple View like “Bandwidth over Time”.

When you apply a View with filter (by dragging it and holding CTRL key, or right-clicking on the View and choosing 'Apply with Filter') you can choose two types of filters: BPF (performed at the capture driver level) or Wireshark Display (performed by the Wireshark engine). The former is faster but less flexible, the latter is slower but you can take advantage of the Wireshark filtering capabilities (mainly the first time when the Wireshark engine must be loaded).

In your case, the filter can be applied in two ways:
- BPF filter, e.g. “net 10.20.172.0 mask 255.255.255.0”;
- Wireshark Display filter, e.g. “ip.addr == 10.20.172.0/24”. The result is the same, apart from performance, as explained above.

Right now, the shortest interval Cascade Pilot Personal Edition supports is 1 second. The limitation is there to prevent users from saturating their CPU with extremely high refresh times. We can remove this limitation in future releases, but it needs to be justified.

That depends on the View, but normally it is the average. The View documentation (in the tool tip) normally gives this kind of detail.

Look for Views for this under “802.11Over Time”.

Yes. To apply a subnet filter to a View:

1. Hold the CTRL key while you apply the View to the source. The filter panel will pop up.
2. In the filter panel, click on “new” to create a new filter
3. Specify “Wireshark Capture Filter (BPF)” as filter type
4. Specify “net 192.168.1.0 mask 255.255.255.0” as a filter string

To specify more than one subnet , use the following syntax: “(net 192.168.1.0 mask 255.255.255.0) or (net 192.168.2.0 mask 255.255.255.0)”

Hold the CTRL key while you apply a View, or apply the View by right-clicking on it and selecting the “apply with filter” context menu item. The filter panel will appear. From the filter panel, you can:

- pick one of the predefined filters
- create your own filter using the Wireshark display or capture syntax

Yes, in the same way as described above.

You can attach a filter to the “overview” View, in the same way described above. The resulting filtered “overview” screen view will contain only the packets that the filter accepts.

Yes. We routinely use Cascade Pilot Personal Edition on VMware VMs at our labs.

If you want to analyze the actual T1 signaling, you can use a DAG card from Endace ( Endace DAG Card http://www.endace.com/our-products/dag-network-monitoring-cards/pdh-tdm) or GL's USB capture boxes ( GL Capture Box ).

If you’re just interested in capturing and analyzing IP traffic and are using Cisco gear, you can use IP Traffic Export:
Cisco IP Traffic Export

Yes. We have a pretty complete set of 802.11 Views that cover all of the most important metrics. Of course, upon request, we can build specific Views to cover specific needs.

Regarding Wireshark dissector support, from the filtering point of view, the answer is yes. From the point of view of charting UMA, ESP or Radius fields, the answer again is yes, but in early Cascade Pilot Personal Edition releases we will have to build the Views for you, since there's no “drag & drop” method yet to chart a field from Wireshark. If you give us some specs, however, we'll be able to make Views for you.

We have a View, called Retransmissions, that gives this information. Another useful View that we provide charts the rate over time on a per-transmitter basis. Such a View is normally extremely useful in detecting rate shifts.

The number in the chart shows the average RTO, i.e., how long a TCP transmission was delayed before a segment was retransmitted. This value is a time value. If you need to know the number of retransmissions, you can use the “Transport\TCP\Wireshark TCP Metrics” View. To chart the number of tcp retransmissions, you can select the “Suspected TCP Retransmissions” line (second line), and drill down with the “Bandwidth over Time” View. To see the endpoints that generated tcp retransmissions, you can select the “Suspected TCP Retransmissions” line and drill down with the “IP Conversations” View. And so on.

With this View, you will see a sample point only when a TCP segment has finished transmitting and the corresponding ack is sent. This doesn't happen with every packet. Your chart may show many sample points, but some of them are so high that they hide everything else. Click on the chart and rotate the mouse wheel while holding the CTRL key to zoom in: you then should be able to see the sample points that are down close to the “x” axis.

The problem of file sharing, IM, chat and other programs using the well-known ports of common applications is a difficult problem requiring deep packet inspection. Riverbed is working on a solution to better identify these types of applications and alert you when they are running on your network. We will have more features supporting this in the future.

No wireless analyzer in the world, as far as we know, allows decryption of WPA professional, because the lack of a pre-shared key makes it virtually undecryptable.

According to the information provided, you have captured on the “any” interface on Linux. When you use this interface, libpcap prepends each packet with an SLL header which contains DLT information, similar to PPI. SLL is described at wiki.wireshark.org/SLL. The header is described in “sll.h” in the libpcap sources.

Cascade Pilot Personal Edition doesn't currently support SLL encapsulation. You can work around this by using Editcap, one of the command-line utilities that comes with Wireshark. E.g.,the command:

editcap -T ether sll.pcap ether.pcap

will read the SLL-encapsulated file “sll.pcap” and write an Ethernet-encapsulated file “ether.pcap”.

Using Wireshark to capture packets is not advised, specifically for the reason you have provided.

To capture, use dumpcap manually or Cascade Pilot Personal Edition (send to file), or windump. After you have the file, you can start slicing and dicing it with Cascade Pilot Personal Edition.

The easiest way to use dumpcap is:

List your interfaces:
c:\Program Files\Wireshark\dumpcap -D

Start capturing:
c:\Program Files\Wireshark\dumpcap -i <interface number>

-w \path\to\capture\file

Full documentation is at: http://www.wireshark.org/docs/man-pages/dumpcap.html

The numbers in Pilot and Wireshark actually correspond. The differences in the charts are explained by the fact that Wireshark plots all of the samples, while Cascade Pilot Personal Edition gives you the average value over the sampling time. Cascade Pilot Personal Edition v2.2 includes some additional Views (MAX/MIN RTT and subsecond RTT) that should provide more granularity in RTT analysis.

You can see the MOS value for the caller and the receiver RTP stream using the View:

“\Performance and Errors\VoIP\Call Quality MOS\VoIP Call Summary - MOS”

You need to open 61899 for Cascade Pilot Personal Edition as well as for the data connection with Wireshark.

The client is not bound to a specific port. The Server uses ports 61898 and 61899, but you can change them to whatever you prefer.

You can actually do what you need, even though this is still an “internal” feature of Cascade Pilot Personal Edition. You can add your custom http port, say 8050, as Web traffic, for example.

To do this, you can edit the file “proto-groups” in the folder “[Pilot installation dir]\server\configuration”. Please, close Pilot before editing the file. When you open such a file, you should get these first lines:

# Web

Web   80/tcp   HTTP

Web   8080/tcp   HTTP

Web   443/tcp   HTTPS

To add your port, you can add this line:

Web   8050/tcp   CustomHTTP

Cascade Pilot Personal Edition includes some layer 2 analysis. Have a look at the Views in the “LAN and Network” folder, and read the ToolTips for more information on what each View provides. If you have specific needs beyond the Views available, please let us know what you would like to see in as much detail as possible through our on-line tech support form and we will add this to our development list.

Cascade Pilot Personal Edition does not support raw 802.11 pcap files. To do its analysis, Cascade Pilot Personal Edition needs to know if a packet contains the FCS. With the raw 802.11 link type, there is no way to know unless we use some heuristics.

Cascade Pilot Personal Edition only supports Radiotap and PPI link types which specify if the packets include the FCS.

This message appears when you have a View with a grid control (“All Requested Web Objects” is one of them), and the control is not displaying all elements because there are too many.

A way to avoid this is by applying these Views after a drill down exercise. For example, after selecting a host in “Top IP Talkers” or “IP Conversations”.

For the moment, the only way to disable the support for WinPcap adapters in Pilot is to manually delete the following file:

c:\Program Files\CACE Technologies\CACE Pilot v2.1\server\plugins\inputs\InputPcapAdapter.dll

In the future, we'll include a more user-friendly way of doing this.

The ERF file format is supported by Pilot, but not in all of its flavors. For example, we only support files with ethernet link layer data. ERF support has been added to Pilot through a partnership with Endace, so you will probably have a better chance addressing this question to Endace support.

Pilot shows times according to the machine time zone. Currently, it is not possible to configure the time zone of visualized times. However, time filters specify the time zone (in the form “GMT +/-x”, e.g.,GMT -8). You can try this by applying a view and, from the Time Control ribbon bar, using the “Copy” button (right side) and paste it in notepad. If you paste a time filter (or just set it in the Filters panel), you can use a filter specified in a different time zone, and it will be adjusted to work in your local zone.

Use of Cascade Pilot Personal Edition on a Windows Server 2008-based platform depends on the video card employed in your system. If the video card is up to the task, it should work now.

The problem you are seeing is most likely due to Microsoft's .NET Framework 4 being installed. While Cascade Pilot Personal Edition 2.3 and below require either versions 2.x or 3.x of .NET, installing .NET 4.0 will prevent Cascade Pilot Personal Edition 2.3 (and below) from functioning. You will see an hour glass icon for a brief period before it disappears and nothing further happens.

The solution is to obtain and upgrade Pilot to version 2.3.1 or greater or uninstall any .NET 4 components. Note that the Microsoft Windows automatic update feature may install .NET 4 automatically. Unless you are upgrading to Pilot 2.3.1 or above, disallow the Windows Update feature from installing any .NET4 components. To uninstall, use Windows 7/Vista's Control Panel > Programs and Features function or Windows XP's Control Panel > Add/Remove Programs function.

Our Pilot applications are occasionally associated with false positives by anti-virus scanners due to the security used in our application. We suggest deactivating your A/V software before installing Pilot, after which A/V can be re-enabled. In some instances an exclusion must be permanently applied within the A/V program for the specific files triggering the false positives. For your safety, all of our installers are thoroughly scanned for malware before being placed on our website for download. MD5 hash codes are also available as double-check and can be found in your 'My Account' page when downloading the Pilot installer.

Below are links from two well-known anti-virus companies with information on setting up exclusions. If you have a different brand of A/V, please contact your manufacturer for additional assistance:

Symantec Exclusion:
http://www.symantec.com/connect/articles/centralized-exceptions-policies-why-use-them-and-how-configure-them

McAfee Exclusion:
https://kc.mcafee.com/corporate/index?page=content&id=KB69805&actp=LIST_RECENT