
Sniffer® Portable Professional User's Guide

293-2235 Rev A


NetScout® Systems, Inc.

Westford, MA 01886 Telephone: 978.614.4000 Fax: 978.614.4004 Web: http://www.netscout.com

Use of this product is subject to the NetScout Systems, Inc. End User License Agreement, which accompanies the product at the time of shipment. Notice of Restricted Rights: Use, duplication, release, modification, transfer, or disclosure (for purposes of this section, "Use") of the Software is restricted by the terms of NetScout Systems, Inc.'s End User License Agreement and further restricted in accordance with FAR 52.227-14 for civilian Government agency purposes and 252.227-7015 of the Defense Federal Acquisition Regulations Supplement ("DFARS") for military Government agency purposes, or the similar acquisition regulations of other applicable Government organizations, as applicable and amended. The Use of Software and the Product is restricted by the terms of NetScout Systems, Inc.'s End User License Agreement, in accordance with DFARS Section 227.7202 and FAR Section 12.212. The information in this manual is subject to change without notice. NetScout, the NetScout logo, Network General, the Network General logo, nGenius, Quantiva, NetVigil, InfiniStream, Business Container, and Sniffer are registered trademarks of NetScout Systems, Inc. and/ or its affiliates in the United States and/or other countries. The CDM logo, MasterCare, the MasterCare logo, Visualizer, and HyperLock are trademarks of NetScout Systems, Inc. All other registered and unregistered trademarks herein are the sole property of their respective owners. NetScout Systems, Inc. reserves the right, at its sole discretion, to make changes at any time in its technical information, specifications, service and support programs. All other brand names, company identifiers, trademarks, service trademarks, registered trademarks and registered service marks mentioned in this document or the NetScout Systems license agreement are properties of their respective owners, and protected as such against unlawful use or distribution. 
This product includes software developed by the Apache Software Foundation (http://www.apache.org/). Copyright 1997-2008 The Apache Software Foundation. All rights reserved. THE SOFTWARE DEVELOPED BY APACHE SOFTWARE FOUNDATION AND INCLUDED HEREIN IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (<http://www.openssl.org/)>" Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. "This product includes cryptographic software written by Eric Young ([email protected]) <mailto:[email protected])>" "This product includes software written by Tim Hudson ([email protected]) <mailto:[email protected])>" Copyright (c) 1995-1998 Eric Young ([email protected]) <mailto:[email protected])> All rights reserved. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Sniffer® Portable Professional User's Guide 293-2235 Rev A Copyright 2009 NetScout Systems, Inc. Printed in the USA. All rights reserved.


Contacting NetScout Systems

Customer Support

The best way to contact Customer Support is to submit a Support Request: http://www.netscout.com/support

Telephone: In the US, call 888-357-7667; outside the US, call +011 978-614-4000. Phone support hours are 8 a.m. to 8 p.m. Eastern Standard Time (EST).

E-mail: [email protected]

When you contact Customer Support, the following information can be helpful in diagnosing and solving problems:
-- Type of network platform
-- Software and firmware versions
-- Hardware model number
-- License number and your organization's name
-- The text of any error messages
-- Supporting screen images, logs, and error files, as appropriate
-- A detailed description of the problem

Sales

Call 800-357-7666 for the sales office nearest your location.

Training and Online Learning

For end-user and partner training information, online course listings, and extensive learning materials, visit the Training and Online Learning Center websites: http://www.netscout.com/training http://www.netscout.com/training/about_olc.asp

Documentation

Send comments or questions about nGenius documentation to the following address: [email protected]

User Forum

To join a customer-driven user group connecting the worldwide community of NetScout users, visit the following website: http://www.netscoutuserforum.com/


Related Information Resources

NetScout Systems provides the documentation listed in the table below to support Sniffer Portable Professional. NetScout MasterCare customers can access all documentation online at www.netscout.com/support.

Sniffer Portable Professional Documentation

Sniffer Portable Professional Release Notes
  Describe enhancements, new features, known issues, and system requirements for Sniffer Portable Professional.

Sniffer Portable Professional User's Guide
  Describes how to install and license Sniffer Portable Professional. Describes how to use Sniffer Portable Professional for network monitoring and analysis.

Online help
  Provides details on all product features and options.

Decode/Expert Reference
  Provides a complete reference for all Expert displays and alarms; also summarizes Decode and Expert Pack features. Available in PDF format in the Decode and Expert Pack installation directory.


Contents

1 Introducing Sniffer Portable Professional . . . . 11
  Overview . . . . 11
  Product Comparison . . . . 12
  Major Components of Sniffer Portable Professional . . . . 14
  Sniffer Portable Professional Features for Wireless Networks . . . . 15

2 Installing Sniffer Portable Professional . . . . 17
  System Requirements . . . . 18
  Uninstalling Previous Versions of Sniffer Portable . . . . 21
  Installing the Sniffer Portable Professional Application . . . . 22
  Installing Sniffer Enhanced Drivers (802.11) . . . . 23
  Authorizing Sniffer Portable Professional . . . . 30
  Starting Sniffer Portable Professional . . . . 34
  Tuning Settings for Sniffer Portable Professional . . . . 36

3 Introducing the Sniffer Window . . . . 41
  Overview . . . . 41
  Navigating the Sniffer Window . . . . 41

4 Setting Options in the Sniffer Window . . . . 47
  Overview . . . . 47
  Setting the General Tab Options . . . . 48
  Setting the Real Time Tab Options . . . . 51
  Setting the MAC Threshold Tab Options . . . . 51
  Setting the App Threshold Tab Options . . . . 52
  Setting the Alarm Tab Options . . . . 52
  Setting the Protocols Tab Options . . . . 52
  Setting the Protocol Forcing Tab Options . . . . 53
  Setting Tools > Wireless Options . . . . 54
  Adding Tools to the Tools Menu . . . . 64

5 Monitoring Your Network . . . . 67
  Overview . . . . 67
  About Sniffer Portable Professional Monitor Views . . . . 67
  Monitoring Wireless Networks . . . . 68
  Monitor Filters . . . . 69
  Monitor Applications and Toolbar . . . . 71
  Monitor Alarms . . . . 120
  Exporting Monitor Data . . . . 120

6 Capturing Packets . . . . 121
  Overview . . . . 121
  About Capturing . . . . 121
  Capture Controls . . . . 122
  Capture Panel . . . . 123
  Capture Buffer . . . . 124
  Capturing from Specific Stations (Visual Filters) . . . . 128
  Capture Filters . . . . 129
  Capture Triggers . . . . 129

7 Real-Time Expert Display . . . . 131
  Overview . . . . 131
  About the Expert Display . . . . 131
  Setting Expert Options . . . . 134
  Setting Automatic Expert Display Filters . . . . 151
  Displaying Context-Sensitive Explain Messages . . . . 153
  Rearranging the Expert Display . . . . 153
  Exporting the Contents of the Expert Database . . . . 154

8 Displaying Captured Data . . . . 157
  Overview . . . . 157
  Displaying Captured Packets . . . . 158
  Postcapture Views for Wireless Networks . . . . 160
  Postcapture Expert Display . . . . 161
  Postcapture Decode Display . . . . 162
  Postcapture Matrix Tab . . . . 202
  Postcapture Host Table Tab . . . . 206
  Postcapture Protocol Distribution Tab . . . . 208
  Postcapture Statistics Tab . . . . 210

9 Working with Real-Time Decodes . . . . 213
  Overview . . . . 213
  Enabling and Setting Real-time Decodes . . . . 213
  Viewing Real-time Decodes . . . . 214

10 Defining Filters and Triggers . . . . 219
  Overview . . . . 219
  Defined Filters vs. Automatic Filters . . . . 219
  Define Filter Options for Wireless Networks . . . . 220
  Defining Filters . . . . 220
  Sharing Filters between Systems and Products . . . . 241
  Defining Triggers . . . . 242

11 Using the Address Book . . . . 249
  Overview . . . . 249
  About Address Entries . . . . 249
  Creating Address Book Entries . . . . 250

12 Managing Alarms . . . . 257
  Overview . . . . 257
  The Alarm Log . . . . 257
  Setting Alarm Severity Levels . . . . 260
  Setting Alarm Notification . . . . 264

13 Network Adapters and Settings . . . . 267
  Overview . . . . 267
  Removing Network Adapters . . . . 267
  Selecting Network Adapters . . . . 267
  Creating Sniffer Monitoring Profiles . . . . 270

Index . . . . 273


1 Introducing Sniffer Portable Professional

Overview

This documentation describes Sniffer® Portable Professional. Sniffer Portable Professional is ideally suited for a range of usage scenarios, including:

· On-site application and network troubleshooting by Field Service engineers.
· Analysis of enterprise network links not permanently instrumented with NetScout appliances.
· Analysis of network equipment in lab environments prior to roll-out on a production network.

By incorporating Expert analysis capabilities and advanced protocol decodes, Sniffer Portable Professional can determine, pinpoint, and analyze the toughest performance problems automatically. You can use Sniffer Portable Professional on network segments running Ethernet, Gigabit Ethernet, and Wireless LANs. See also:

· Product Comparison
· Major Components of Sniffer Portable Professional
· Sniffer Portable Professional Features for Wireless Networks


Product Comparison

The following table summarizes the key differences between Sniffer Portable Professional, Sniffer Global, and the legacy Sniffer Portable product.

Table 1-1. Product Comparison

Operating System
  Legacy Sniffer Portable: Windows 2000, Windows XP
  Sniffer Portable Professional and Sniffer Global: Windows XP, Windows 2003, Windows Vista, Windows 2008, support for 64-bit Windows OS. Note: Windows 2003 and 2008 support is primarily for Ethernet. Multiple instances over Terminal Server are not supported.

Topologies
  Legacy Sniffer Portable: Ethernet 10/100/1000; Wireless 802.11 a/b/g
  Sniffer Portable Professional and Sniffer Global: Ethernet 10/100/1000; Wireless 802.11 a/b/g on Windows XP and Windows 2003; Wireless 802.11 a/b/g/n on Windows Vista and Windows 2008

Wireless Cards
  Legacy Sniffer Portable: Atheros AR5001X, AR5002X & AR5004X chipset based PCMCIA & Cardbus cards
  Sniffer Portable Professional and Sniffer Global: Atheros AR5002X, AR5004X, AR5005X, AR5006X & AR5008X chipset based PCMCIA, Cardbus, ExpressCard, PCI, PCI-e, mini-PCI, mini-PCIe cards (USB not supported)

Trace File Formats
  Legacy Sniffer Portable: Sniffer .CAP, .CAZ and legacy formats (.ENC and so on)
  Sniffer Portable Professional and Sniffer Global: Sniffer .CAP, .CAZ and LibPcap formats

Sniffer VoIP Intelligence; Sniffer Mobile Intelligence (Decode and Expert)
  Legacy Sniffer Portable: Optional (each)
  Sniffer Portable Professional and Sniffer Global: Yes. All Decode and Expert functionality associated with these legacy modules is included in the base installation.

Application Intelligence; Sniffer Reporter
  Legacy Sniffer Portable: Yes
  Sniffer Portable Professional and Sniffer Global: No. For Application Intelligence, use Sniffer Intelligence with nGenius InfiniStream instead; for Sniffer Reporter, use nGenius Performance Manager with nGenius InfiniStream instead.

Sniffer Global Server
  Legacy Sniffer Portable: No
  Sniffer Portable Professional: No
  Sniffer Global: Yes

Integrated Updates
  Legacy Sniffer Portable: No
  Sniffer Portable Professional: No
  Sniffer Global: Yes. Check for updates and install them within the Sniffer Global application user interface.


Major Components of Sniffer Portable Professional

The major components of Sniffer Portable Professional include:

· Monitor. Calculates and displays real-time network traffic data.
· Capture. Captures network traffic and stores the actual packets in a buffer (and optionally to a file) for later analysis.
· Real-time and Postcapture Expert. Analyzes the network packets during capture and alerts you to potential problems on your network. These problems are categorized as symptoms and/or diagnoses. Expert analysis is also available postcapture.
· Real-time and Postcapture Decode. Displays protocol decodes in real time as packets arrive. You do not have to stop a capture session to see protocol decodes. Decodes are also available postcapture.
· Display. User interface that provides decodes and analysis of the captured packets in a variety of easy to view and navigate windows.


Sniffer Portable Professional Features for Wireless Networks

Sniffer Portable Professional includes many features specifically for 802.11 wireless networks, as summarized in Table 1-2.

Table 1-2. Features for Wireless Networks

Feature: Different wireless LAN frame type counters are included in the Dashboard.
  See this topic: Dashboard Counters for Wireless Networks on page 75

Feature: The Monitor's Host Table includes an 802.11 tab with entries for all detected wireless stations. Each station is listed with several wireless LAN-specific counters.
  See this topic: Host Table Counters for Wireless Networks on page 85

Feature: The Monitor's Host Table includes a zoomed view for Access Points only.
  See this topic: Viewing Access Points Only on page 88

Feature: Rogue identification is included in both Host Table and Expert displays.
  See this topic: Identifying Rogue Hosts on the Wireless Network on page 91

Feature: The Monitor's Global Statistics application includes a Topology Surfing tab with statistics for each wireless channel selected for monitoring.
  See this topic: The Global Statistics > Topology Surfing Tab on page 117

Feature: The Matrix, Host Table, and Protocol Distribution post-analysis tabs in the Display window each include 802.11 views, allowing you to focus specifically on 802.11 statistics for wireless stations.
  See this topic: Monitor Applications and Toolbar on page 71

Feature: The postcapture Statistics tab in the Display window includes multiple wireless-specific statistics.
  See this topic: Postcapture Statistics Tab on page 210

Feature: The Advanced tab in the Define Filter dialog box includes wireless LAN packet types on which you can filter (such as PLCP Errors and WEP-ICV Errors).
  See this topic: Setting Filter Options in the Advanced Tab on page 235

Feature: The 802.11 tab in the Define Filter dialog box allows you to filter on packets seen on a channel to which they do not belong, packets matching different speeds, or packets seen on a particular channel.
  See this topic: Setting Filter Options in the 802.11 Tab on page 238

Feature: Sniffer Portable Professional can perform both WPA/WPA2 and WEP decryption, both during capture if the keys are specified in the Tools > Wireless > Decryption dialog box and after capture using the Wireless Decryption option in the Decode tab's context menu.
  See these topics:
  · Configuring Wireless Encryption Settings on page 56
  · Postcapture 802.11 Decryption on page 199


Table 1-2. Features for Wireless Networks (continued)

Feature: The Decode display can completely decode 802.11 traffic (if the correct decryption keys are specified and, in the case of WPA, if the initial EAPOL handshake packets are seen). Since wireless LAN services take place at the lower network layers, you can see the wireless-specific decodes by examining the DLC layer in the Detail pane of the Decode display. In addition, the Decode display indicates the channel from which each packet was captured inside brackets in the Status column of the Summary pane (for example, an entry of [1] in the Status column indicates that the packet was captured from channel number 1 on the wireless LAN).
  See this topic: Postcapture Decode Display on page 162

Feature: The Expert analyzer creates network objects at the DLC layer for wireless stations. There are also several wireless-specific Expert alarms. In addition, all of the usual upper layer Expert analysis is provided.
  See this topic: Decode and Expert Reference Guide in the Decode & Expert installation directory

Feature: During monitoring or capture, the title bar of the Sniffer window shows the channel currently being monitored, the signal strength, and the network topology. You can use this display to get a quick feel for the strength of the signal being monitored and determine whether you need to move the analyzer closer to an access point to get a stronger signal.
  See this topic: Navigating the Sniffer Window on page 41
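The decryption features above only work for WPA/WPA2 traffic if the initial EAPOL handshake packets are in the capture. The following Python script is an added example (not part of the NetScout guide or the Sniffer product) that checks a LibPcap-format 802.11 capture for that precondition before anyone spends time on postcapture decryption: it walks the file, finds unencrypted EAPOL-Key frames, classifies each as 4-way handshake message 1 to 4 from the Key Information bits defined in IEEE 802.11i, and reports which messages were seen per BSSID. The frame and pcap builders, the MAC addresses, and the sample capture are constructed for the example; the bit values and frame layouts come from the 802.11 and 802.1X standards.

```python
import struct

# Frame Control flags byte (IEEE 802.11) and EAPOL-Key Key Information bits (802.11i)
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header with EtherType 0x888E
EAPOL_KEY = 3                                         # EAPOL packet type "EAPOL-Key"
KI_PAIRWISE, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0080, 0x0100, 0x0200
LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127


def classify_eapol_key(key_info):
    """Map a Key Information field to 4-way handshake message 1..4; None if not a pairwise message."""
    if not key_info & KI_PAIRWISE:
        return None                       # group-key handshake, irrelevant for PTK derivation
    ack, mic, secure = bool(key_info & KI_ACK), bool(key_info & KI_MIC), bool(key_info & KI_SECURE)
    if ack and not mic:
        return 1
    if mic and not ack and not secure:
        return 2
    if ack and mic:
        return 3
    if mic and not ack and secure:
        return 4
    return None


def parse_dot11_eapol(frame):
    """Return (bssid, message_number) for a cleartext 802.11 data frame carrying EAPOL-Key, else None."""
    if len(frame) < 24:
        return None
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or flags & FLAG_PROTECTED:      # only unencrypted data frames
        return None
    if flags & FLAG_TO_DS and flags & FLAG_FROM_DS:
        return None                                          # 4-address WDS frames not handled
    hdr_len = 26 if fc0 & 0x80 else 24                       # QoS Data subtypes add a 2-byte QoS Control
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = addr2 if flags & FLAG_FROM_DS else addr1 if flags & FLAG_TO_DS else addr3
    body = frame[hdr_len:]
    if not body.startswith(LLC_SNAP_EAPOL):
        return None
    eapol = body[len(LLC_SNAP_EAPOL):]
    if len(eapol) < 7:
        return None
    _version, ptype, _length = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_KEY:
        return None
    key_info, = struct.unpack("!H", eapol[5:7])              # eapol[4] is the descriptor type
    return bssid, classify_eapol_key(key_info)


def iter_pcap_frames(pcap):
    """Yield 802.11 frames from a classic pcap (linktype 105 or 127), stripping radiotap headers."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP):
        raise ValueError("not an 802.11 capture: linktype %d" % linktype)
    pos = 24
    while pos + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        pos += 16
        frame = pcap[pos:pos + incl_len]
        pos += incl_len
        if linktype == LINKTYPE_RADIOTAP:
            rt_len, = struct.unpack("<H", frame[2:4])         # radiotap length is always little-endian
            frame = frame[rt_len:]
        yield frame


def handshake_summary(pcap):
    """Return {bssid: set of handshake message numbers seen} for the whole capture."""
    seen = {}
    for frame in iter_pcap_frames(pcap):
        result = parse_dot11_eapol(frame)
        if result and result[1] is not None:
            seen.setdefault(result[0].hex(":"), set()).add(result[1])
    return seen


def complete_handshakes(seen):
    """BSSIDs for which all four messages of the pairwise handshake are present."""
    return sorted(b for b, msgs in seen.items() if msgs >= {1, 2, 3, 4})


# --- constructed sample capture (not a real trace): full handshake on AP_A, only message 1 on AP_B ---
def _eapol_key_frame(bssid, sta, from_ds, key_info, qos=False):
    flags = FLAG_FROM_DS if from_ds else FLAG_TO_DS
    addrs = (sta, bssid, bssid) if from_ds else (bssid, sta, bssid)
    hdr = bytes([0x88 if qos else 0x08, flags, 0, 0]) + b"".join(addrs) + b"\x00\x00" + (b"\x00\x00" if qos else b"")
    key_body = bytes([2]) + struct.pack("!HH", key_info, 16) + bytes(8 + 32 + 16 + 8 + 8 + 16) + b"\x00\x00"
    return hdr + LLC_SNAP_EAPOL + struct.pack("!BBH", 2, EAPOL_KEY, len(key_body)) + key_body


def _pcap(frames, linktype=LINKTYPE_IEEE802_11):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000000 + i, 0, len(f), len(f)) + f
    return out


AP_A, AP_B, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), bytes.fromhex("02000000000a")
SAMPLE_PCAP = _pcap([
    _eapol_key_frame(AP_A, STA, True, 0x008A),            # M1: Ack
    _eapol_key_frame(AP_A, STA, False, 0x010A, qos=True), # M2: MIC (sent as QoS Data)
    _eapol_key_frame(AP_A, STA, True, 0x13CA),            # M3: Install, Ack, MIC, Secure, Encrypted Key Data
    _eapol_key_frame(AP_A, STA, False, 0x030A),           # M4: MIC, Secure
    _eapol_key_frame(AP_B, STA, True, 0x008A),            # M1 only: station reply never captured
    bytes([0x08, FLAG_FROM_DS, 0, 0]) + STA + AP_A + AP_A + b"\x00\x00"
    + bytes.fromhex("aaaa030000000800") + bytes(20),      # ordinary IP data frame, ignored
])

if __name__ == "__main__":
    summary = handshake_summary(SAMPLE_PCAP)
    for bssid, msgs in sorted(summary.items()):
        print(bssid, "EAPOL-Key messages seen:", sorted(msgs))
    print("BSSIDs with a complete 4-way handshake:", complete_handshakes(summary))
```

On a real file call `handshake_summary(open(path, "rb").read())`. A BSSID that shows only message 1 means the access point's side was heard but the station's replies were not, so postcapture decryption for that station's traffic cannot succeed; the capture has to be repeated on the right channel while the station (re)associates, and the signal-strength indicator in the title bar helps judge whether the analyzer is close enough to hear both sides.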


2 Installing Sniffer Portable Professional

This chapter provides the system requirements and installation procedure for Sniffer Portable Professional. It also lists supported cards and enhanced drivers.

· System Requirements on page 18
· Uninstalling Previous Versions of Sniffer Portable on page 21
· Installing the Sniffer Portable Professional Application on page 22
· Installing Sniffer Enhanced Drivers (802.11) on page 23
  · Sniffer Enhanced Driver Installation Procedure on page 24
  · 802.11 a/b/g/n Card Installation Notes and Issues on page 27
  · Using the 802.11 a/b/g/n Card as a Normal Network Card on page 29
· Authorizing Sniffer Portable Professional on page 30
· Starting Sniffer Portable Professional on page 34
· Tuning Settings for Sniffer Portable Professional on page 36


System Requirements

Table 2-1 lists the system requirements to install and run the Sniffer Portable Professional application.

Table 2-1. Sniffer Portable Professional System Requirements

Operating System
  · Microsoft Windows XP Professional Edition with SP2 or higher. NOTE: Wireless is not supported on Windows XP 64-bit.
  · Windows Server 2003. NOTE: Wireless is not supported on Windows Server 2003 64-bit.
  · Microsoft Windows Vista
  · Windows Server 2008. NOTE: The Wireless LAN Service must be installed to use wireless NICs on Windows 2008 machines; by default it is not. You can add this service using the Features > Add Features option in Administrative Tools > Server Manager.
  · Virtualized environments configured to emulate these operating systems. Tested with VMware Workstation 6.x and Microsoft Virtual-PC 2007. NOTE: Virtualized environments are only supported for Ethernet adapters. Wireless adapters are not supported in virtualized environments.

CPU
  · Intel or AMD processor running at 1.6 GHz or higher
  · Dual or more cores running at 1.0 GHz or higher
  NOTE: Sniffer Portable Professional is supported on multi-processor, multi-core, and hyperthreaded platforms.

RAM
  512 MB of RAM or higher

Storage
  200 MB or more of free hard drive space (all supported operating systems); CD-ROM drive

Monitor
  VGA color monitor with 1024x768 resolution (with 256 color support or updated VGA driver)

Network Interface Cards
  Ethernet 10/100/1000 cards with the native driver provided by the vendor (no Sniffer enhanced driver required or provided).
  Wireless cards with Atheros AR5002X+ chipset:
  · Windows XP and Windows Server 2003: 802.11 a/b/g; Sniffer enhanced driver required; see Installing Sniffer Enhanced Drivers (802.11) on page 23 for details. Combo cards are only supported if 802.11 a/b/g (b/g only is not supported).
  · Windows Vista and Windows Server 2008: 802.11 a/b/g/n; native Atheros driver required (available both on the Microsoft website and packaged with the Sniffer Portable Professional application installation). See Installing Sniffer Enhanced Drivers (802.11) on page 23 for details. Combo cards with any combination of 802.11 a/b/g/n are supported on Windows Vista/Windows 2008. Combo cards with any combination of 802.11 a/b/g are supported on Windows XP/Windows 2003.

Software
  Microsoft .NET Framework 3.0 or higher


Sniffer Portable Professional Application Coexistence with other Products

NetScout Systems does not support installation of Sniffer Portable Professional on a machine running any of the following NetScout products:

· Sniffer Global application
· Sniffer Portable (legacy versions)
· Sniffer Pro
· Netasyst Sniffer Distributed Agent

Notes on Installing in Virtual Environments

Installing the Sniffer Portable Professional application in a virtual environment (such as those provided by VMware) requires some additional configuration. Keep in mind the following:

· Only Ethernet adapters are supported. Wireless 802.11 adapters are not supported in virtualized environments.
· Bridged networking mode is the only supported mode. Select an Ethernet card in your virtual operating system in the VMNet0 virtual network from Edit > Virtual Network Settings > Host Virtual Network Mapping.
· Make sure the Ethernet card drivers for VMNet0 are properly installed by selecting the VM > Install VMware Tools command. Running this command selects the correct drivers from the host machine automatically. However, keep in mind that Sniffer Portable Professional's File > Adapter Settings dialog box will show the device name as VMware Accelerated AMD PCNet Adapter rather than the name of the bridged adapter.
· The VMware Virtual Network acts as a 1000-Mbps virtual hub with an uplink based on the speed of the actual physical port to which it is bridged (100 or 1000 Mbps). Sniffer Portable Professional detects the virtual network's 1000-Mbps speed and reports this as the network speed, regardless of the physical port's actual speed. Because of this, when the physical port's speed is only 100 Mbps instead of the 1000 Mbps detected, utilization calculations reported in Sniffer Portable Professional will be less than the actual utilization by a factor of ten.


Uninstalling Previous Versions of Sniffer Portable

Sniffer Portable Professional cannot be installed on the same system as legacy versions of Sniffer Portable; you must first uninstall the previous Sniffer Portable installation. The following procedure explains how.

To uninstall a previous version of Sniffer Portable:

1 Log in to the Sniffer Portable machine with Administrator privileges.

2 Go to Start > Settings > Control Panel > Add/Remove Programs.

3 In the Add/Remove Programs window that appears, is there an entry for Sniffer VoIP?
  If yes -- Uninstall Sniffer VoIP and reboot the computer before uninstalling. Then access the Add/Remove Programs window again (Step 2) and uninstall the Sniffer Portable software.
  If no -- Select the entry for the Sniffer Portable software and click Add/Remove.

4 During the uninstallation, the wizard will ask you if you would like to remove unused shared files. Click Yes to all to remove all unused shared files. Reboot the computer.

5 The target PC is now ready to download and install the Sniffer Portable Professional software.


Installing the Sniffer Portable Professional Application

Use the following procedure to install the Sniffer Portable Professional application.

To install Sniffer Portable Professional:

1 Make sure you have uninstalled any existing Sniffer Portable or Global applications.

2 Double-click the Sniffer Portable Professional installation file.

3 Follow the instructions in the InstallShield Wizard to install Sniffer Portable Professional.

4 Reboot the PC before using Sniffer Portable Professional.


Installing Sniffer Enhanced Drivers (802.11)

NOTE: Sniffer enhanced drivers are not included for 10/100/1000 Ethernet cards. Sniffer Portable Professional supports 10/100/1000 Ethernet cards without using a Sniffer enhanced driver on both Windows XP and Windows Vista.

Sniffer Portable Professional supports wireless adapters based on the Atheros AR5002X+ chipset. The table below provides the details:

Table 2-2. Supported Wireless Chipsets and Drivers

Windows XP and Windows Server 2003 (tested on Atheros-based Cisco CB21, D-Link, Proxim, and NETGEAR Cardbus adapters)
  · Atheros AR5008X (802.11n): Not supported.
  · Atheros AR5006X, AR5005X, AR5004X, AR5002X: Supported with enhanced drivers stored in <install path>\Sniffer Portable\Driver\en\atheros\winxp

Windows Vista and Windows Server 2008 (tested on Atheros-based D-Link, NETGEAR, Cisco CB21, Trendnet, and Gigabyte Cardbus, PCI/PCIe, mini-PCI/PCIe adapters; USB not supported)
  · Atheros AR5008X (802.11n), AR5006X, AR5005X, AR5004X, AR5002X: Supported with the native Atheros driver, which you can install using either Microsoft Windows Update or one of the bundled drivers:
    · Cisco adapters: Use the 7.4 driver located at <install path>\Sniffer Portable\driver\en\cisco\vista.
    · All other adapters: Use the 7.6 driver located at <install path>\Sniffer Portable\driver\en\atheros\vista.

You install drivers for wireless cards differently depending on whether you are using Microsoft Windows XP or Microsoft Windows Vista:

Wireless Adapters in Windows XP

You must install a Sniffer enhanced driver before you can use Sniffer Portable Professional on Windows XP with a wireless LAN card. Sniffer Portable Professional includes enhanced drivers for wireless cards based on the Atheros AR5002X+ chipsets as summarized in the table above. See Sniffer Enhanced Driver Installation Procedure on page 24 for information on how to install the Sniffer enhanced driver for wireless cards based on these chipsets.


Wireless Adapters in Windows Vista

You must install the latest native Atheros driver to use Sniffer Portable Professional on Windows Vista or Windows Server 2008 with a wireless card. The native Atheros driver is included with Sniffer Portable Professional under <install path>\Sniffer Portable\driver\en\atheros\vista. Select netathr.inf if installing on a 32-bit machine or netathrx.inf if installing on a 64-bit machine. For Cisco cards, use the driver in the <install path>\Sniffer Portable\driver\en\cisco\vista folder.

See Native Atheros Driver Update Procedure on page 26 for information on how to install the native Atheros driver.

Combo Cards and Supported 802.11 Versions

Sniffer Portable Professional supports 802.11 combo cards using the chipsets listed in the table above differently depending on your operating system:

Windows XP or Windows Server 2003: 802.11 a/b/g combo cards only. Other combinations (including cards that support only 802.11 b/g) are not supported.
Windows Vista or Windows Server 2008: Any combination of 802.11 a/b/g/n.

Sniffer Portable Professional can monitor, capture, and display statistics for wireless cards supporting the Japanese W52 and W53 standards.

Sniffer Enhanced Driver Installation Procedure

Sniffer enhanced drivers for wireless LAN cards are located in intuitively named subdirectories under the following default path:

<install path>\NetScout\Sniffer Portable\driver\en\

To install a Sniffer enhanced driver:

1 Make sure the Sniffer Portable Professional software is installed. If it is not installed, install it now.
2 Log in to Windows as an Administrator.
3 Insert the card in an available card slot on the target machine. Windows automatically detects the new card and installs its native device driver.
4 Right-click My Computer and select Manage > Device Manager.
5 In the Network adapters list, select the card you inserted.
6 Right-click the card and select Update Driver. The Hardware Update Wizard displays.
7 If a dialog box prompts you to connect to Windows Update to search for software, select No, not this time and click Next.
8 Select the Install from a list or specific location (Advanced) option and click Next.
9 Select the Don't search option and click Next.
10 Click Have Disk. The Install from Disk dialog box appears, prompting you to supply the path to the driver to install.
11 Click Browse and navigate to the path where the driver for the selected card is installed. Drivers for 802.11 a/b/g/n cards are located under the following path:

<install path>\NetScout\Sniffer Portable\driver\en\

Use the driver found in the subdirectory corresponding to your chipset and operating system (for example, \atheros\winxp\ for an Atheros chipset on Windows XP).
12 Click Open in the Browse dialog box. You are returned to the Install from Disk dialog box.
13 Click OK on the Install from Disk dialog box.
14 If the operating system is configured to alert you to unsigned drivers, a dialog box warns you that you are about to install a driver that has not been verified by Microsoft Corporation. Windows cannot vouch for the origin of an unsigned kernel-mode driver, so before proceeding confirm that the path you supplied in step 11 is the driver directory created by the Sniffer Portable Professional installer and not a copy from an untrusted location. Click Continue Anyway to continue the installation. The wizard installs the driver. When it has finished, it displays a screen indicating that the driver is installed.
15 Click Finish.
16 Click OK to clear the Card Properties dialog box.
17 Reboot the system.
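Step 14 asks you to accept a driver that Windows cannot verify. The following PowerShell script is an added example, not part of the NetScout guide or its software: it records SHA-256 hashes and Authenticode status for every .sys, .inf and .cat file in the enhanced-driver directory from a trusted copy, then checks the target machine's copy against that manifest before you click Continue Anyway. It requires Windows PowerShell 4.0 or later (for Get-FileHash), so it runs from a current Windows host with the install directory accessible rather than on XP itself. The two paths are assumptions based on the guide's default install location.

```powershell
# Added example, not NetScout's code: inventory the Sniffer enhanced-driver
# directory so that the "has not been verified by Microsoft" prompt in step 14
# is accepted only for files you have already checked. Requires Windows
# PowerShell 4.0 or later (Get-FileHash). The two paths below are assumptions
# based on the guide's default install location.

$DriverRoot = 'C:\Program Files\NetScout\Sniffer Portable\driver\en\atheros\winxp'
$Manifest   = Join-Path $env:USERPROFILE 'sniffer-driver-manifest.csv'

function Get-DriverInventory {
    param([Parameter(Mandatory)][string]$Path)
    # .sys files are the kernel-mode code; the .inf drives installation and a
    # .cat, if present, would carry the package's catalog signature.
    Get-ChildItem -Path $Path -File -Include *.sys, *.inf, *.cat -Recurse |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($Path.Length).TrimStart('\')
                Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Save-DriverManifest {
    # Run once against a copy taken straight from the NetScout install media.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$OutFile)
    Get-DriverInventory -Path $Path | Export-Csv -Path $OutFile -NoTypeInformation
}

function Test-DriverManifest {
    # Returns $true only if every file in the directory is in the manifest with
    # a matching hash and nothing listed in the manifest is missing.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ManifestFile)
    $expected = @{}
    Import-Csv -Path $ManifestFile | ForEach-Object { $expected[$_.RelativePath] = $_.Sha256 }
    $ok = $true
    foreach ($item in Get-DriverInventory -Path $Path) {
        if (-not $expected.ContainsKey($item.RelativePath)) {
            Write-Warning "Not in manifest: $($item.RelativePath)"; $ok = $false
        } elseif ($expected[$item.RelativePath] -ne $item.Sha256) {
            Write-Warning "Hash mismatch: $($item.RelativePath)"; $ok = $false
        }
        # Show which files Windows will flag as unsigned, so the prompt is no surprise.
        Write-Host ('{0,-40} {1,-14} {2}' -f $item.RelativePath, $item.SigStatus, $item.Signer)
    }
    foreach ($name in $expected.Keys) {
        if (-not (Test-Path -LiteralPath (Join-Path $Path $name))) {
            Write-Warning "Missing: $name"; $ok = $false
        }
    }
    return $ok
}

# Usage: on the trusted reference copy, run
#   Save-DriverManifest -Path $DriverRoot -OutFile $Manifest
# On the target machine, before step 14:
if (-not (Test-Path -LiteralPath $Manifest)) {
    Write-Warning "No manifest at $Manifest; create one from the install media with Save-DriverManifest first."
} elseif (Test-DriverManifest -Path $DriverRoot -ManifestFile $Manifest) {
    'Driver files match the manifest; proceed with Continue Anyway.'
} else {
    'Driver files differ from the manifest; stop and re-copy from the install media.'
}
```

Because the enhanced drivers are not Microsoft-signed, SigStatus will normally read NotSigned for the .sys files; the point of the manifest is that the hash comparison, not the signature, is what ties the files on the target machine to the copy you took from the install media.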


Native Atheros Driver Update Procedure

Use the following procedure to update the existing driver for an Atheros-based wireless adapter to the latest version in Windows Vista.

To update the native Atheros driver in Windows Vista:

1 Make sure the Sniffer Portable Professional software is installed. If it is not installed, install it now.
2 Log in to Windows as an Administrator.
3 Right-click Computer and select Manage.
4 Select the Device Manager entry in the Computer Management pane (left pane).
5 In the Network adapters list, select the wireless card you want to use with Sniffer Portable Professional on Windows Vista.
6 Right-click the card and select Update Driver Software. The Update Driver Wizard displays.
7 Select the Browse my computer for driver software option. The Browse for driver software on your computer dialog box appears, prompting you to supply the path to the driver to install.
8 Click Browse and navigate to the path for your card:

Cisco adapters (7.4 version):

<install path>\Sniffer Portable\driver\en\cisco\vista

All other adapters (7.6 version):

<install path>\Sniffer Portable\driver\en\atheros\vista

9 Click Next.
10 Select netathr.inf if installing on a 32-bit machine or netathrx.inf if installing on a 64-bit machine and click Next.
11 Follow the wizard's instructions to complete the driver update.
12 Close the Computer Management window.
13 Reboot the system and start Sniffer Portable Professional to use the new driver.


802.11 a/b/g/n Card Installation Notes and Issues

Keep the following notes and tips in mind when working with 802.11 a/b/g/n wireless cards:

· After removing and replacing PCMCIA adapters, restart the system before launching Sniffer Portable Professional. This is especially important if you replace an Ethernet card with an 802.11 adapter, or vice versa.
· After exiting Sniffer Portable Professional, it may take up to a minute for the wireless card to transition to normal wireless network participation.
· Wireless Client Utilities provided by your card's vendor will not function with the Sniffer enhanced driver installed. Use the Wireless Network Connection utility included with Microsoft Windows instead.
· While configuring the 802.11 a/b/g/n card, you may see the following warning: Can not access your wireless card. Please remove and reinsert PC card to activate settings. This warning can safely be ignored.
· Use the Safely Remove Hardware option when removing the Cardbus card. Make sure Sniffer Portable Professional is properly shut down before the card is removed.
· For improved performance, you can unbind the Aegis Protocol (IEEE 802.1X) from the card driver, as shown in Figure 2-1. Keep in mind that the adapter then loses its 802.1X supplicant binding, which can interfere with any VPN clients you may be using. If you do decide to disable the Aegis Protocol during Sniffer Portable Professional analysis, re-enable it before connecting to your VPN.


Figure 2-1. 802.11a/b/g/n Wireless Card Properties Dialog Box


Using the 802.11 a/b/g/n Card as a Normal Network Card

When Sniffer Portable Professional is connected to the 802.11a/b/g/n wireless card, the card operates in a passive capture (promiscuous) mode and cannot participate as an active member of the wireless LAN. However, when Sniffer Portable Professional is not connected to the 802.11a/b/g/n card, you can use the card to participate actively in a wireless network. During a normal installation of the 802.11a/b/g/n wireless card, you are given the option of configuring a profile for normal wireless network participation (including configuring the ESSID, WEP keys, and so on). If you did not configure these settings during the initial installation of the card (or if you want to change the current settings), you can configure them later using the Wireless Network option in the Control Panel. Do not make changes to the 802.11a/b/g/n card's configuration while Sniffer Portable Professional is running.

NOTE: For Windows XP, use the Wireless Network tab in the Wireless Network Connection Properties dialog box to set wireless network participation parameters.

NOTE: Wireless Client Utilities provided by your card's vendor will not function with the Sniffer enhanced driver installed. Use the Wireless Network Connection utility included with Microsoft Windows instead.


Authorizing Sniffer Portable Professional

Before you can use Sniffer Portable Professional, you must authorize your copy using the License Utility (Start > (All) Programs > NetScout > Sniffer Portable Professional > License Utility). Review the topics in this section for more information about licensing:

Registering the Software on page 30
Entering Licensing Information in the License Utility on page 32

Use Same Serial Number After Uninstall/Reinstall

If you uninstall and reinstall Sniffer Portable Professional, you can reapply your original serial number and password in the License Utility to authorize the product.

Lost Serial Number?

If you lose your serial number or password, you will need to request a new one from the MasterCare Portal. Before doing so, however, check your old email to see if you still have the original serial number mailed to you from NetScout Systems (if you supplied an email address during product registration).

Registering the Software

Visit the NetScout website to register your product and obtain the information required for licensing.

IMPORTANT: Make sure you have the License Coupon that came with your Sniffer Portable Professional product shipment. This coupon includes the Registration Key required to generate the license file.

1 Locate the License Coupon in your Sniffer Portable Professional product shipment. This form includes the product's registration key.
2 Launch your Web browser and enter the following URL: http://www.netscout.com/support/
3 From Product Registration, select the License Request All link.
4 Accept the End User License Agreement by clicking I Agree.
5 Log in using your MasterCare credentials. If you do not have an account yet, the site will assist you in creating one.
6 Once you have logged in, locate the Sniffer Portable Professional entries in the Product Registration page and click the link corresponding to the type of license to activate.
7 Enter the requested information (all fields are required) and click Submit. In response, you will receive the information listed in the License Page Output column of Table 2-3. You will enter this information in Sniffer Portable Professional's License Utility.

Table 2-3. License Page Input/Output

License Type: Trial
  License Page Input: Registration Key from License Coupon
  License Page Output: Serial Number, Expiration Date, Password

License Type: Permanent
  License Page Input: Registration Key from License Coupon; IP or MAC address of the Sniffer Portable Professional PC
  License Page Output: Serial Number, IP Address or MAC Address, Password

Choosing an Address Type for the License (MAC or IP)

Permanent Sniffer Portable Professional licenses can be based on either a MAC or an IP address. If the IP address changes on a system using IP-based licensing, you will need to request and apply a new serial number based on the new IP address. Because of this, you should only use the IP-based option if you are using a static IP address.
· If you use a static IP address for the Sniffer Portable Professional PC, you can use either the IP or MAC address.
· If you use a dynamic IP address for the Sniffer Portable Professional PC, you should use the MAC address option.

8 Start the License Utility and enter the information provided by the MasterCare Portal. See Entering Licensing Information in the License Utility on page 32 for instructions.


Entering Licensing Information in the License Utility

You can obtain Sniffer Portable Professional's serial number from the MasterCare Portal and apply it in the License Utility immediately after you install the software or at any later time prior to using the product.

NOTE: Each Sniffer Portable Professional unit requires a separate serial number.

To apply a Sniffer Portable Professional serial number:

1 Register the software and obtain the serial number. Refer to Registering the Software on page 30.
2 Start the License Utility on the Sniffer Portable Professional PC: Start > (All) Programs > NetScout > Sniffer Portable Professional > License Utility

NOTE: You must run this utility as an administrator. If you are not currently logged in as an administrator, you can right-click the utility and select the Run as administrator command.

3 Enter the information you received from the MasterCare Portal's Licensing page in Registering the Software on page 30. All fields must match the values specified during product registration.

Table 2-4. Sniffer Portable Professional License Fields

Serial Number: Provided by the MasterCare Portal during product registration.
Expiry Date (Trial Licenses only): Provided by the MasterCare Portal during product registration.
IP/MAC (Permanent Licenses only): Select the radio button corresponding to the type of address you supplied during registration and enter the address in the adjacent field. This was specified during product registration.
Password: Provided by the MasterCare Portal during product registration.

4 When you have filled in all the fields, click OK. The License Utility applies the license, informing you of its success or failure.
5 If licensing was not successful, make sure you entered all information correctly. Verify the values against those you received from the MasterCare Portal during product registration.


Starting Sniffer Portable Professional

After you have installed and authorized Sniffer Portable Professional and any necessary enhanced drivers, start the application as follows:

1 Log in to the Sniffer Portable Professional application PC.
2 Go to Start > (All) Programs > NetScout > Sniffer Portable Professional > Sniffer Portable. The Adapter Settings dialog box appears, allowing you to choose which capture card on the PC you'd like to use for network monitoring and analysis.
3 Check the Post Capture box to open the application without monitoring a specific card, or check the Real Time box to begin monitoring the selected card.
4 Click OK to open the Sniffer Portable Professional application.

No Network Cards Listed in Adapter Settings Dialog Box?

If you start the Sniffer Portable Professional application and do not see any network cards listed in the Adapter Settings dialog box, you may need to install the Sniffer Portable Professional Protocol Driver manually. Use the procedure corresponding to your operating system, as follows:

To install the Sniffer Portable Professional Protocol Driver on Windows XP:

1 Open the Network Connections Control Panel (Start > Control Panel > Network Connections).
2 Right-click the entry for a network adapter (for example, Local Area Connection) and select the Properties command from the context menu that appears.
3 Click the Install button, select the Protocol entry in the list of components that appears, and click Add.
4 Click Have Disk, use the Browse button to navigate to the following path, and click OK:

C:\Program Files\NetScout\Sniffer Portable\driver\en\sniffer\winxp

5 Select the Sniffer Portable Professional Protocol Driver entry and click OK.
6 After installation, close out of Local Area Connection Properties and reboot the system.

After rebooting the system, Sniffer Portable Professional will list network cards in the Adapter Settings dialog box.

To install the Sniffer Portable Professional Protocol Driver on Windows Vista:

1 Open the Network and Sharing Center (Start > Control Panel > Network and Sharing Center).
2 Select the Manage network connections option.
3 Right-click the entry for a network adapter (for example, Local Area Connection) and select the Properties command from the context menu that appears.
4 Click the Install button, select the Protocol entry in the list of components that appears, and click Add.
5 Click Have Disk, use the Browse button to navigate to the following path, and click OK:

C:\Program Files\NetScout\Sniffer Portable\driver\en\sniffer\vista

6 Select the Sniffer Portable Professional Protocol Driver entry and click OK.
7 After installation, close out of all open dialogs and reboot the system.

Tuning Settings for Sniffer Portable Professional

There are several settings you can make to the Microsoft Windows operating system that will improve Sniffer Portable Professional performance. See the following sections:

Power Considerations for Sniffer Portable Professional Laptops on page 36
Uninstalling the QoS Packet Scheduler Service on page 37
Removing the MAC Bridge Miniport Driver on XP on page 39

Power Considerations for Sniffer Portable Professional Laptops

Most laptop computers include power configuration options that let you specify whether the computer should be allowed to go into a standby or hibernate mode after a specified period of inactivity. For computers actively running Sniffer Portable Professional, these options should always be disabled to preserve stable system performance! For example, MS-Windows 2000 and XP laptop computers include a Power Options Properties control panel. The Power Options Properties control panel is accessed by starting the Display control panel (Start > Settings > Control Panel > Display), clicking on the Screen Saver tab, and then clicking the Power button. In this example, the following settings should be made for active Sniffer Portable Professional operations:

Power Schemes Tab
- Turn off hard disks = Never
- System standby = Never

Hibernate Tab
- Enable hibernate support = Disabled

NOTE: Some laptop vendors include their own proprietary software to perform power configuration tasks. In these cases, you may need to make similar changes in the configuration menu provided by the vendor.
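The same policy can be applied and verified from the command line on later Windows versions. The following PowerShell script is an added example, not part of the NetScout guide: it uses powercfg (Windows 7 and later syntax; XP and Vista differ, so use the control-panel steps above there) to set the disk, standby and hibernate timeouts to Never on both AC and battery, turn hibernation off, and then read the resulting indexes back so a capture host can be checked before a long run. Run it from an elevated PowerShell prompt; the SCHEME_CURRENT, SUB_DISK, SUB_SLEEP, DISKIDLE, STANDBYIDLE and HIBERNATEIDLE names are powercfg's own aliases.

```powershell
# Added example, not NetScout's code: apply and verify the "never" settings the
# guide calls for (disk spin-down, standby, hibernate) with powercfg on
# Windows 7 and later. Run from an elevated PowerShell prompt.

function Set-CaptureHostPowerPolicy {
    # A timeout of 0 minutes means "Never". Cover both AC (plugged in) and DC (battery).
    foreach ($setting in 'disk-timeout-ac', 'disk-timeout-dc',
                         'standby-timeout-ac', 'standby-timeout-dc',
                         'hibernate-timeout-ac', 'hibernate-timeout-dc') {
        powercfg /change $setting 0 | Out-Null
    }
    # Removing hiberfil.sys disables hibernation (and hybrid sleep) outright.
    powercfg /hibernate off | Out-Null
}

function Get-PowerSettingIndex {
    # Parse the current AC and DC index (seconds; 0 = Never) from powercfg's text output.
    param([Parameter(Mandatory)][string]$SubGroup, [Parameter(Mandatory)][string]$Setting)
    $text = powercfg /query SCHEME_CURRENT $SubGroup $Setting
    $ac = $text | Select-String 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)'
    $dc = $text | Select-String 'Current DC Power Setting Index:\s*0x([0-9A-Fa-f]+)'
    if (-not $ac -or -not $dc) { throw "Could not parse powercfg output for $SubGroup/$Setting" }
    [pscustomobject]@{
        Setting = $Setting
        AC      = [Convert]::ToInt32($ac.Matches[0].Groups[1].Value, 16)
        DC      = [Convert]::ToInt32($dc.Matches[0].Groups[1].Value, 16)
    }
}

function Test-CaptureHostPowerPolicy {
    # Returns $true when disk, standby and hibernate timeouts are all 0 on AC and DC.
    $ok = $true
    foreach ($pair in @(@('SUB_DISK', 'DISKIDLE'),
                        @('SUB_SLEEP', 'STANDBYIDLE'),
                        @('SUB_SLEEP', 'HIBERNATEIDLE'))) {
        $r = Get-PowerSettingIndex -SubGroup $pair[0] -Setting $pair[1]
        if ($r.AC -ne 0 -or $r.DC -ne 0) {
            Write-Warning "$($r.Setting) still has a timeout (AC=$($r.AC)s DC=$($r.DC)s)"
            $ok = $false
        }
    }
    return $ok
}

Set-CaptureHostPowerPolicy
if (Test-CaptureHostPowerPolicy) { 'Power policy is safe for long captures.' }
```

Test-CaptureHostPowerPolicy reads the active scheme rather than trusting that the change succeeded, which matters on laptops whose vendor power utility (see the note above) re-applies its own scheme after a reboot.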


Uninstalling the QoS Packet Scheduler Service

The QoS Packet Scheduler service supports the 802.1p traffic prioritization system, allowing for the implementation of best-effort Quality of Service by conforming 802.1p equipment. This service is automatically bound to each installed card driver in Windows XP. To improve analyzer performance, NetScout recommends that the QoS Packet Scheduler service be unbound from any cards used with Sniffer Portable Professional.

IMPORTANT: Uninstalling the QoS Packet Scheduler service removes it from all installed cards. Unbinding from individual cards allows you to preserve the service for use with any non-Sniffer cards. See Unbinding the QoS Packet Scheduler Service from Selected Cards on page 38.

You can either uninstall the QoS Packet Scheduler Service entirely or, alternatively, unbind it from cards used with Sniffer Portable Professional:

Uninstalling the QoS Packet Scheduler Service after Installation on page 37
Unbinding the QoS Packet Scheduler Service from Selected Cards on page 38

Uninstalling the QoS Packet Scheduler Service after Installation

Use the following procedure to uninstall the QoS Packet Scheduler Service.

To completely remove the QoS Packet Scheduler Service:

1 Open the Network Connections folder by selecting the Start > Settings > Network Connections option.
2 Right-click any of the Connection entries in the folder and select the Properties command from the menu that appears. The Connection Properties dialog box appears, as in Figure 2-2. The following example is for wireless connections.

Figure 2-2. Local Area Connection Properties Dialog Box

3 Select (highlight) the QoS Packet Scheduler entry and click Uninstall. A confirmation box appears.
4 Click OK to confirm that you want to uninstall the QoS Packet Scheduler service completely. The QoS Packet Scheduler service is uninstalled.
5 Click OK on the Connection Properties dialog box.

Unbinding the QoS Packet Scheduler Service from Selected Cards

Use the following procedure to unbind the QoS Packet Scheduler Service from selected cards:

To unbind the QoS Packet Scheduler Service from selected cards:

1 Open the Network Connections folder by selecting the Start > Settings > Network Connections option.
2 Right-click the Network Connection entry from which you want to unbind the QoS Packet Scheduler service and select the Properties command from the menu that appears. The Network Connection Properties dialog box appears, as in Figure 2-2 on page 38.
3 Deselect the checkbox next to the QoS Packet Scheduler entry and click OK.
4 Repeat this procedure for each card you want to use with Sniffer Portable Professional.

4

Removing the MAC Bridge Miniport Driver on XP

To improve analyzer performance, NetScout recommends that the Network Bridge service provided with Windows XP not be used on a Sniffer Portable Professional PC.

To remove a network bridge in Windows XP:

1 Open the Network Connections folder by selecting the Start > Settings > Network Connections option. The Network Connections folder appears.
2 Under the Network Bridge section, right-click the Network Bridge entry and select the Delete command in the menu that appears.
3 Click Yes to confirm that you want to delete the network bridge.
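The per-card QoS Packet Scheduler unbinding and the Network Bridge check described in the two procedures above can be scripted on Windows 8 / Windows Server 2012 and later, where the NetAdapter cmdlets exist (they are not available on XP or Vista, which keep the dialog-based procedures). The following PowerShell is an added example, not part of the NetScout guide: it lists an adapter's NDIS bindings, disables the QoS Packet Scheduler (component ID ms_pacer) only on the adapters you name so other adapters keep it, verifies the binding is off, and reports any adapter still bound to the bridge protocol (ms_bridge, the component behind the MAC Bridge Miniport). The adapter name 'Wi-Fi' is an assumption; list yours with Get-NetAdapter. Run from an elevated prompt.

```powershell
# Added example, not NetScout's code: per-adapter unbinding of the QoS Packet
# Scheduler (ms_pacer) and a check for Network Bridge membership (ms_bridge)
# using the NetAdapter cmdlets (Windows 8 / Server 2012 and later). Adapter
# names are assumptions; run elevated.

function Show-AdapterBindings {
    param([Parameter(Mandatory)][string]$AdapterName)
    # Every protocol/service bound to the adapter, with its component ID.
    Get-NetAdapterBinding -Name $AdapterName |
        Select-Object Name, DisplayName, ComponentID, Enabled |
        Format-Table -AutoSize
}

function Disable-QosOnCaptureAdapters {
    param([Parameter(Mandatory)][string[]]$CaptureAdapters)
    foreach ($name in $CaptureAdapters) {
        Disable-NetAdapterBinding -Name $name -ComponentID ms_pacer
        # Read the binding back instead of assuming the call succeeded.
        $binding = Get-NetAdapterBinding -Name $name -ComponentID ms_pacer
        if ($binding.Enabled) { throw "ms_pacer is still bound to $name" }
        Write-Host "QoS Packet Scheduler unbound from $name"
    }
    # Adapters not listed keep the scheduler, so it stays available for normal
    # traffic, unlike uninstalling the component system-wide.
}

function Test-NoNetworkBridge {
    # Any adapter with ms_bridge enabled is a member of a Network Bridge.
    $members = Get-NetAdapterBinding -ComponentID ms_bridge -ErrorAction SilentlyContinue |
        Where-Object Enabled
    if ($members) {
        Write-Warning ('Network Bridge members: ' + (($members | ForEach-Object Name) -join ', '))
        return $false
    }
    return $true
}

Show-AdapterBindings -AdapterName 'Wi-Fi'
Disable-QosOnCaptureAdapters -CaptureAdapters @('Wi-Fi')
if (Test-NoNetworkBridge) { 'No Network Bridge present.' }
```

Disabling a binding is reversible with Enable-NetAdapterBinding using the same component ID, which is the scripted equivalent of re-checking the box in the Connection Properties dialog.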

Chapter 3

Introducing the Sniffer Window

Overview

Once you start Sniffer Portable Professional, log in, and select a profile for monitoring, the Sniffer window appears. You use the Sniffer window to perform standard network analysis activities: monitoring network activity, capturing network traffic, decoding captured traffic, and so on. This chapter introduces the Sniffer window and includes the following topics:

Navigating the Sniffer Window

Sniffer Window Menus

Navigating the Sniffer Window

When you start Sniffer Portable Professional, log in, and select a profile for monitoring, a Sniffer window appears where you can control network monitoring and analysis activities (Figure 3-1). The Sniffer window consists of:

A title bar (item a, Figure 3-1) showing:

· Network topology in use.
· Line speed.
· Certain adapters may add additional information to the title bar, including the channel being monitored, wireless signal strength, and so on.

NOTE: During monitoring or capture of wireless networks, the window title bar shows the channel currently being monitored, as well as the signal strength and the type of network being monitored (802.11a or 802.11b/g). You can use this display to get a quick feel for the strength of the signal being monitored and determine whether you need to move the analyzer closer to an access point to get a stronger signal.

Several toolbars (item b, Figure 3-1) at the top of the Sniffer window providing access to commonly used functions, including:


· Capture toolbar
· Monitor toolbar
· File\Print toolbars

A main workspace (item c, Figure 3-1) where you perform standard Sniffer functions: viewing monitor displays, working with decoded packets, interpreting Expert analysis, viewing real-time decodes, and so on.

Figure 3-1. Sniffer Window

Status icons and counters (item d, Figure 3-1) at the bottom of the display indicating:

Table 3-1. Sniffer Window Status Icons

· Number of files currently spooled to printer.
· Number of packets transmitted by Packet Generator. Note that Packet Generator is no longer supported, so this field will always be blank.
· Number of packets that have passed the current filter.
· Number of unacknowledged alarms in the local Alarm Log (Monitor > Alarm Log).


Sniffer Window Menus

The table below lists each of the menus in the Sniffer window along with the tasks they can be used to perform.

Table 3-2. Sniffer Window Menus

File
The File menu is where you can:
· Open, close, and save files.
· Select the monitoring profile you want to use for monitoring the network. A monitoring profile is a set of settings tied to a particular network adapter.
· Reset all settings to their default values.
· Print files.
· Exit the Sniffer window.

Monitor (see Monitoring Your Network on page 67 for details on using the Monitor applications)
The Monitor menu is where you can:
· Access monitor applications (Dashboard, Host Table, Matrix, Application Response Time, History Samples, Protocol Distribution, Global Statistics, and so on).
· Define and select Monitor filters.
· View the Alarm log.

Capture (see Capturing Packets on page 121 for details on performing Captures)
The Capture menu is where you can:
· Start, stop, and display captured packets.
· Display the Capture Panel.
· Define and select Capture filters.
· Set triggers.

Display (see Displaying Captured Data on page 157 for details on displaying decoded data)
The Display menu is where you can:
· Configure the display of your network data.
· Navigate from frame to frame.
· Select specific packets.
· Define and select Display filters.

Tools (see for information on the standard network tools, such as Ping and Trace Route)
The Tools menu is where you can access a variety of tools included in the software, including:
· Address Book: See Using the Address Book on page 249.
· General Options: See Setting Options in the Sniffer Window on page 47.
· Expert Options: See Setting Expert Options on page 134.
· Wireless Options: See Setting Tools > Wireless Options on page 54.

Chapter 4

Setting Options in the Sniffer Window

Overview

This section describes how to set the options in the Tools > Options and Tools > Wireless dialog boxes. See the topics listed in the table below.

NOTE: You can also add your own applications to the Tools menu. See Adding Tools to the Tools Menu on page 64 for details.


Setting the General Tab Options

The Tools > Options > General tab lets you set a number of options that specify when Sniffer will prompt you for confirmations, what items will appear in the Sniffer window by default, and how often different Monitor views in the Sniffer window are refreshed with new data. Figure 4-1 shows the Tools > Options > General tab.

Figure 4-1. The Tools > Options > General Tab

The table below lists and describes the options available in the Tools > Options > General tab:


Table 4-1. Setting Tools > General Tab Options

Prompt to save/update
Use these options to specify whether the application should prompt you to save or update particular items before they are lost, as follows:
· Check New capture buffer to have the application prompt you when saving or updating new capture buffers.
· Check New history sample to prompt you when saving or updating new history samples.
· Check Discovered address to prompt you when saving or updating discovered addresses.
· Check Duplicate address to prompt you when saving or updating duplicated addresses.

Prompt before
Use this option to specify whether the application should prompt you for a confirmation before exiting the program.

Show
Use these options to:
· Specify which toolbars appear in the Sniffer window by default. You can enable and disable the Main toolbar and Capture toolbar separately.
· Specify whether the Status bar appears at the bottom of the Sniffer window.
· Specify whether monitor applications should show Formatted data or not. If this option is enabled, the byte values in the Host and Matrix tables will change between using K and M indicators (Formatted) or fully numeric counts. For example, 47K would be a Formatted data representation of a byte count that would otherwise be shown as 47,138.
· Specify whether the Sniffer window should add an Extra Filter Window when a Display filter is applied to a capture buffer or trace file. If this option is not enabled, a set of filtered frames resulting from a Display filter will appear in an additional tab on the existing decode window rather than in an entirely new window.
· Specify whether Sniffer Portable Professional should always start in log off mode. In log off mode, Sniffer Portable Professional will not actively monitor the selected adapter at startup.


Setting the Real Time Tab Options

Use the options in the Tools > Options > Real Time tab to enable and set options for the Sniffer's real-time decodes feature. See Enabling and Setting Real-time Decodes on page 213 for details on using the options in this tab.

Setting the MAC Threshold Tab Options

Use the Tools > Options > MAC Threshold tab to set alarm thresholds for each of the dials on the Dashboard as well as many other network statistics. If the value sampled for a particular statistic exceeds the threshold over the specified Monitor sampling interval, an entry is made in the alarm log. You can monitor the alarm log to keep watch over your network. The MAC Threshold tab lists various network parameters that can trigger a threshold alarm. The exact parameters depend on the currently selected adapter. The High Threshold value for each measure will be the average per second value measured during the monitor sampling interval. Specify the interval at the bottom of the dialog box and click OK. Figure 4-2 shows the Tools > Options > MAC Threshold tab.

Figure 4-2. The Tools > Options > MAC Threshold Tab


Setting the App Threshold Tab Options

Use the options in the Tools > Options > App Threshold tab to set thresholds for alarms generated by the ART application. Specify the threshold values in the Rsp Time column, then click OK. See ART Alarms on page 105 and Application Response Time (ART) on page 97 for details on using the options in this tab.

Setting the Alarm Tab Options

Use the Tools > Options > Alarm tab to:

Enable alarm logging and set alarm severity levels. See The Alarm Log on page 257 and Setting Alarm Severity Levels on page 260. Set up and assign alarm notification actions. See Setting Alarm Notification on page 264.

Setting the Protocols Tab Options

Use the Tools > Options > Protocols tab to specify on which ports the Sniffer should expect various upper layer protocols running over TCP, UDP, or IPX (separate options are provided for each). The commonly established port for each upper layer protocol is provided by default. For most networks, the default port number for the listed upper layer protocols will be correct. However, if your network uses a proprietary implementation of a particular protocol, you can specify custom ports here. You can also rename existing protocols by overwriting the default name supplied in this tab. In addition, you can add entirely custom protocols by clicking in a blank cell at the end of the list and supplying a protocol and port pair for a given transport. The Sniffer will provide traffic counts for the named protocol/port pair in its Monitor displays. Note that this classification is by port number only: traffic is attributed to whatever protocol name is configured for that port, regardless of what the payload actually carries.

NOTE: The Sniffer can only track protocol loads that are based on well known and fixed port numbers. If you have an application that assigns and uses TCP/UDP (or IPX) port numbers dynamically, they will be grouped into the Others category in Monitor views. Similarly, upper layer packets running over TCP, UDP, or IPX with port numbers not listed in the default protocol list are also grouped together and counted in the Others category.


Exporting and Importing Protocols Tab Settings

The Tools > Options > Protocols tab includes Import and Export buttons that let you change the Protocols tab settings in force:

· The Export button opens a common Save As dialog box, allowing you to save out Protocols tab settings to an XML file.
· The Import button opens a common Browse dialog box in which you can navigate to an XML file of saved Protocols tab settings for import.

The Import and Export buttons are particularly useful in the following situations:

· You want to create files of saved Protocols tab settings for use in different network environments. For example, you may commonly analyze network segments with protocol loads running over known but non-standard ports. You can switch Protocols tab settings in and out quickly using these buttons.
· You want to share Protocols tab settings with another Sniffer unit supporting this feature. You can export your settings to a file and then import them on a second unit.

Setting the Protocol Forcing Tab Options

Use the Tools > Options > Protocol Forcing options to set up protocol forcing rules. Protocol forcing is useful when capturing non-standard (for example, proprietary) protocols that might not otherwise be decoded. Protocol forcing essentially lets you tell the analyzer "if you see this condition, skip this many bytes (to where the standard data is), then apply this protocol interpreter." See Using Protocol Forcing on page 198 for details on setting up Protocol Forcing rules.
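The following Python sketch is an added illustration of the "see this condition, skip this many bytes, apply this interpreter" idea described above; it is not the analyzer's own code. The rule structure, the ForcingRule fields, the minimal HTTP request-line decoder and the "PRX1" tag are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ForcingRule:
    """'If you see this condition, skip this many bytes, then apply this protocol interpreter.'"""
    transport: str      # "TCP", "UDP" or "IPX"
    port: int           # port the rule matches on
    signature: bytes    # bytes that must open the payload; b"" matches any payload on that port
    skip: int           # bytes to skip before the standard protocol data begins
    decoder: str        # name of the interpreter to apply to the remaining bytes


def decode_http_request(data: bytes) -> dict:
    """Minimal HTTP request-line decoder standing in for a real HTTP interpreter (hypothetical)."""
    line, _, _ = data.partition(b"\r\n")
    parts = line.decode("ascii", "replace").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line")
    return {"protocol": "HTTP", "method": parts[0], "target": parts[1], "version": parts[2]}


DECODERS = {"HTTP": decode_http_request}


def apply_forcing(rules, transport: str, port: int, payload: bytes) -> dict:
    """First matching rule wins; anything unmatched or undecodable is left uninterpreted."""
    for rule in rules:
        if rule.transport != transport or rule.port != port:
            continue
        if not payload.startswith(rule.signature):
            continue
        if len(payload) < rule.skip:
            return {"protocol": "Undecoded", "reason": "payload shorter than skip count"}
        try:
            return DECODERS[rule.decoder](payload[rule.skip:])
        except ValueError as exc:
            return {"protocol": "Undecoded", "reason": str(exc)}
    return {"protocol": "Undecoded", "reason": "no forcing rule matched"}


# Constructed scenario: a proprietary 4-byte tag "PRX1" precedes ordinary HTTP on TCP port 8080.
RULES = [ForcingRule("TCP", 8080, b"PRX1", skip=4, decoder="HTTP")]
TAGGED_REQUEST = b"PRX1GET /status HTTP/1.1\r\nHost: lab.example\r\n\r\n"

if __name__ == "__main__":
    print(apply_forcing(RULES, "TCP", 8080, TAGGED_REQUEST))
```

The decoder only runs on bytes after the skip count, and a payload that matches the port but not the signature is left alone rather than force-decoded, which is the safe default when a rule is written too broadly.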

User's Guide

53

Chapter 4

Setting Tools > Wireless Options

The Tools > Wireless menu includes options that let you configure how Sniffer Portable Professional monitors wireless traffic:

· Use the Surf Settings dialog box to specify which channels on the wireless network Sniffer Portable Professional monitors. See Configuring Surf Settings on page 54 for details.
· Use the Encryption dialog box to specify how Sniffer Portable Professional should decrypt wireless network data. See Configuring Wireless Encryption Settings on page 56 for details.
· Use the Rogue dialog box to enable and configure the identification of wireless access points and hosts as rogues in the Host Table and Expert displays. See Configuring Rogue Identification for Wireless Networks on page 61 for details.

NOTE: The Tools > Wireless options are only available if a wireless LAN adapter is the currently selected adapter, the correct driver is installed, and you are not operating in Local Mode. You can change the currently selected adapter and the Local Mode setting using the File > Adapter Settings command. See Installing Sniffer Portable Professional for information on installing the correct driver for wireless adapters in both Windows XP and Windows Vista.

Configuring Surf Settings

Use the Tools > Wireless > Surf Settings > Topology Surfing dialog box (Figure 4-3) to select the wireless LAN channels you would like Sniffer Portable Professional to monitor. For each wireless topology supported by your wireless adapter, you can select individual channels for monitoring, as well as the amount of time to monitor them. The Topology Surfing dialog box consists of two main panels:

· The left panel lists the channels available for selection. Channels are listed independently by topology (for example, 802.11A, 802.11B, and 802.11G) -- use the 802.11 drop-down to change the selected topology. You can select channels in the left pane and click the Add button to move them to the Selected panel.
· The Selected panel lists the channels currently selected for monitoring. Sniffer Portable Professional monitors each of the channels in the Selected panel in a cycle for the time specified by its Surf Time field before moving on to the next selected channel.


Working with the Topology Surfing Dialog Box

The main tasks performed in the Topology Surfing dialog box are channel selection and surf time configuration:

· Use the Add button to move a channel from the list of available channels to the list of selected channels.
· To change a channel's Surf Time, select its entry in the Selected list, enter a new value in the Surf Time field, and click Set Time.
· To reset all selected channels at once, click Reset All.

By default, Channel 11 on 802.11G is enabled. Enable any other channels you'd like to monitor.

Use the 802.11 drop-down to change the selected topology. You can add channels from each topology supported by your card to the Surf list by selecting an entry and clicking Add.

The Selected panel lists the channels Sniffer Portable Professional will monitor. Each channel is listed with its topology, channel number, and how long Sniffer Portable Professional will monitor it during each cycle.

Use the Surf Time fields to specify the amount of time to monitor the selected channel.

Figure 4-3. Tools > Wireless > Surf Settings Dialog Box


Configuring Wireless Encryption Settings

Use the Tools > Wireless > Encryption option (Figure 4-4) to specify the encryption keys in use on wireless networks monitored by Sniffer Portable Professional. If the correct keys are specified, Sniffer Portable Professional can decrypt and decode both WPA-WPA2 and WEP-encrypted packets during capture and postcapture. The IEEE 802.11 Decryption Keys dialog box consists of two main areas:

· WEP Keys -- Use this panel to specify the WEP keys used to encrypt data on the wireless network. You can specify either a single set of keys for all channels or different keys for individual channels. See Specifying WEP Keys on page 58.
· WPA-WPA2 Keys -- Use this panel to specify the pre-shared passphrase corresponding to different SSIDs monitored by Sniffer Portable Professional. See Specifying WPA-WPA2 Keys on page 57.

Sniffer Portable Professional can decrypt both WPA/WPA2 and WEP encrypted packets simultaneously as long as you have enabled both forms of decryption and configured their associated keys correctly.

Use these options to specify the keys to use for decryption of WEP-encrypted data. WEP is an early 802.11 encryption technology and is not as commonly seen as WPA-WPA2.

Use these options to specify the passphrase used to decrypt data on different SSIDs (wireless networks).

Figure 4-4. Tools > Wireless > Encryption Dialog Box


Specifying WPA-WPA2 Keys

WPA-WPA2 encryption is widely used to secure 802.11 networks and is more frequently encountered than the legacy WEP solution. Use the WPA-WPA2 options in the IEEE 802.11 Decryption Keys dialog box to specify the keys to be used for decryption of WPA-encrypted packets. You can enter the pre-shared passphrase associated with different SSIDs monitored by Sniffer Portable Professional to allow decryption and decoding of the corresponding packets during capture.

NOTE: Sniffer Portable Professional can decrypt both WPA/WPA2-encrypted and WEP-encrypted data at the same time, so long as you have enabled and configured both forms of decryption in the IEEE 802.11 Decryption Keys dialog box.

NOTE: You can also perform postcapture decryption on trace files saved without the Encryption options specified correctly. See Postcapture 802.11 Decryption on page 199 for information on how to decrypt encrypted data in a buffer or saved trace file.

To enter WPA/WPA2 encryption keys:

1 Display the Tools > Wireless > Encryption dialog box.

2 In the WPA-WPA2 Keys area, check the Enable box to turn on decryption of WPA/WPA2-encrypted packets.

3 Depending on how you have configured the Tools > Wireless > Surfing options, Sniffer Portable Professional will likely be encountering multiple wireless networks, each with its own encryption keys. Perform the following steps to specify the encryption keys used by each WPA/WPA2-encrypted wireless network you expect Sniffer Portable Professional to monitor:

  a Turn on the encryption key by checking its On radio button.

  b Specify the SSID for the WPA/WPA2-encrypted network. This is typically a short string used to identify a wireless network (for example, labnet).

  c WPA/WPA2 encryption relies on a pre-shared passphrase for encryption. Enter the passphrase associated with this SSID.

  d Repeat Step a through Step c for each SSID you expect Sniffer Portable Professional to monitor.

4 Click OK to accept your settings.


Notes on WPA/WPA2 Decryption

Sniffer Portable Professional must observe the four EAPOL exchange packets for successful WPA decryption to take place. These packets must be seen for every independent Sniffer Portable Professional session and every independent Client > AP session. Each time you restart the application or use the File > Reset All command, Sniffer Portable Professional will need to see new EAPOL exchange packets for successful decryption. Note the following:

· EAPOL exchange packets are seen when a client connects to the access point. After starting Sniffer Portable Professional, perform a manual connection to the access point to make sure the EAPOL packets are exchanged.
· Decrypted WPA/WPA2 packets will only appear in the Expert and Decode displays after the EAPOL exchange packets are seen.
· EAPOL packets are only valid for a single session of Client > AP communications. Sniffer Portable Professional needs new EAPOL exchange packets for each new session.
· The EAPOL exchange packets must not have CRC errors in order for decryption to work successfully.
· If you suspect that decryption is not working correctly, try reconnecting a client to the access point with the specified passphrase.

Sniffer Portable Professional installations on Windows XP do not support WPA decryption of traffic seen on Private networks.

You can temporarily disable a particular WPA/WPA2 key using the Off/On radio buttons.
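The rules in the notes above (all four EAPOL messages seen, per client/AP session, without CRC errors, cleared by Reset All, and only for an SSID whose key is entered and switched On) can be modelled as a small readiness tracker. The Python below is an added example written for this guide, not the product's own code; the class names, the (enabled, passphrase) mapping per SSID and the MAC addresses are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Handshake:
    """State of one Client > AP EAPOL four-way exchange as the analyzer has seen it."""
    seen: set = field(default_factory=set)   # EAPOL message numbers (1-4) received intact
    corrupted: bool = False                  # a handshake frame arrived with a CRC error

    @property
    def complete(self) -> bool:
        # Decryption is possible only once all four messages were seen without CRC errors.
        return self.seen == {1, 2, 3, 4} and not self.corrupted


class WpaDecryptReadiness:
    """Tracks, per client/AP pair, whether enough has been seen to decrypt its data frames.

    ssid_keys maps an SSID to (enabled, passphrase), mirroring the On/Off radio button and the
    passphrase field of the dialog box. Hypothetical structure, not the product's own."""

    def __init__(self, ssid_keys: dict):
        self.ssid_keys = ssid_keys
        self.sessions: dict = {}

    @staticmethod
    def _pair(client: str, ap: str) -> tuple:
        return (client.lower(), ap.lower())

    def reset_all(self) -> None:
        """Equivalent of File > Reset All: every pair must complete a fresh exchange."""
        self.sessions.clear()

    def observe_eapol(self, client: str, ap: str, msg_no: int, crc_ok: bool = True) -> bool:
        """Record one EAPOL handshake frame; returns True once this pair's exchange is complete."""
        if msg_no not in (1, 2, 3, 4):
            raise ValueError("EAPOL handshake messages are numbered 1 to 4")
        pair = self._pair(client, ap)
        hs = self.sessions.get(pair)
        # Message 1 opens a new exchange (a reconnect), so any earlier state is stale.
        if hs is None or msg_no == 1:
            hs = Handshake()
            self.sessions[pair] = hs
        if not crc_ok:
            hs.corrupted = True      # this exchange is unusable; wait for a new one
            return False
        hs.seen.add(msg_no)
        return hs.complete

    def can_decrypt(self, client: str, ap: str, ssid: str) -> bool:
        """True if the SSID has an enabled passphrase and the pair's exchange was seen intact."""
        enabled, passphrase = self.ssid_keys.get(ssid, (False, ""))
        if not (enabled and passphrase):
            return False
        hs = self.sessions.get(self._pair(client, ap))
        return hs is not None and hs.complete


def run_demo() -> dict:
    """Walks through the situations listed in the notes with constructed addresses."""
    tracker = WpaDecryptReadiness({"labnet": (True, "example-passphrase")})   # constructed
    client, ap = "00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"                       # constructed
    out = {}
    for n in (1, 2, 3):
        tracker.observe_eapol(client, ap, n)
    out["after_three_messages"] = tracker.can_decrypt(client, ap, "labnet")    # False
    tracker.observe_eapol(client, ap, 4)
    out["after_four_messages"] = tracker.can_decrypt(client, ap, "labnet")     # True
    out["unknown_ssid"] = tracker.can_decrypt(client, ap, "other")             # False: no key entered
    tracker.reset_all()
    out["after_reset_all"] = tracker.can_decrypt(client, ap, "labnet")         # False: needs new exchange
    # A reconnect whose message 2 arrives with a CRC error cannot be used ...
    tracker.observe_eapol(client, ap, 1)
    tracker.observe_eapol(client, ap, 2, crc_ok=False)
    tracker.observe_eapol(client, ap, 3)
    tracker.observe_eapol(client, ap, 4)
    out["with_crc_error"] = tracker.can_decrypt(client, ap, "labnet")          # False
    # ... but the next clean exchange is.
    for n in (1, 2, 3, 4):
        tracker.observe_eapol(client, ap, n)
    out["after_clean_reconnect"] = tracker.can_decrypt(client, ap, "labnet")   # True
    return out
```

When a capture shows WPA traffic that stays encrypted, walking a client through the states in run_demo (was message 1 seen after the analyzer started, did all four arrive, was any of them flagged with a CRC error) is the quickest way to tell a key problem from a missed handshake.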

Specifying WEP Keys

Use the WEP Keys options in the IEEE 802.11 Decryption Keys dialog box to specify the keys to be used for decryption of WEP-encrypted packets. You can enter either a Single Key Set for all wireless channels or specify separate keys for individual channels. Keys can be entered as either Hex or ASCII characters. If the correct keys are specified, Sniffer Portable Professional can decrypt and decode WEP-encrypted packets during capture.

NOTE: Sniffer Portable Professional can decrypt both WPA/WPA2-encrypted and WEP-encrypted data at the same time, so long as you have enabled and configured both forms of decryption in the IEEE 802.11 Decryption Keys dialog box.


NOTE: You can also perform postcapture decryption on trace files saved without the Encryption options specified correctly. See Postcapture 802.11 Decryption on page 199 for information on how to decrypt encrypted data in a buffer or saved trace file.

To enter WEP encryption keys:

1 Display the Tools > Wireless > Encryption dialog box.

2 In the WEP Keys area, check the Enable box to turn on decryption of WEP-encrypted packets.

3 Use the Key entry mode options to specify whether Sniffer Portable Professional should use the same WEP keys on every channel on the wireless network or different keys on different channels.

  · Enable the Single Key Set option if you would like Sniffer Portable Professional to use the specified WEP keys for every channel on the wireless network.
  · Enable the Keys Per Channel option if you would like to specify different sets of WEP keys for different topologies and channels on the wireless network. Then, use the Topology, Channel, and Key list to specify separate keys for individual channels.

4 Use the Hex/ASCII radio buttons to specify the format in which you'd like to enter the WEP keys.

5 You can enter up to four separate encryption keys. For each key, do the following:

  a Specify the length of the key by selecting the appropriate option. Keys can be either None, 40-bit, or 128-bit. Use the None option if no encryption is used on the network. Depending on the length of the key specified, some or all of the adjacent fields become active, enabling you to specify the keys in use.

  b Specify the exact, case-sensitive value for each key in the adjoining spaces provided.

Keep the following in mind when entering keys in ASCII format:

· An empty field is equivalent to a setting of None in Hex entry mode (that is, no encryption is used on the network).
· Five ASCII characters or 0x followed by 10 hex characters is interpreted as a 40-bit key.


· Thirteen ASCII characters or 0x followed by 26 hex characters is interpreted as a 128-bit key.

NOTE: The four encryption keys in use on a WEP-encrypted network are all typically the same length -- either 40-bit or 128-bit.

NOTE: Key entries appear as asterisks to preserve their security.

Notes on Hex/ASCII Conversion

If you have previously entered encryption keys in one mode and then switch to the other (Hex to ASCII or vice-versa), Sniffer Portable Professional automatically converts your entries as follows:

· When converting from ASCII to hex, key entries of five ASCII characters appear as 40-bit keys in Hex mode. Similarly, key entries of 13 ASCII characters appear as 128-bit keys in Hex mode.
· When converting from hex to ASCII, key entries are converted differently depending on the length specification in the Hex entry mode:

  · If None was selected, the entry fields appear empty.
  · If 40-bit was selected, Sniffer Portable Professional attempts to convert the hex key into ASCII. If conversion is possible, 5 ASCII characters appear. If conversion is not possible, 0x followed by 10 hex characters appears.
  · If 128-bit was selected, Sniffer Portable Professional attempts to convert the hex key into ASCII. If conversion is possible, 13 ASCII characters appear. If conversion is not possible, 0x followed by 26 hex characters appears.
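The entry rules for ASCII and Hex mode, and the conversion rules above, are small enough to be written out as code. The Python below is an added example for this guide, not the product's own implementation; "convertible to ASCII" is taken to mean every key byte is a printable ASCII character, which is an assumption the guide does not spell out.

```python
import string

# Key lengths the dialog box offers, in raw key bytes (the 24-bit WEP IV is not part of the entry).
KEY_BYTES = {"None": 0, "40-bit": 5, "128-bit": 13}
HEX_DIGITS = set(string.hexdigits)


def _is_hex(s: str) -> bool:
    return s != "" and all(c in HEX_DIGITS for c in s)


def parse_ascii_entry(entry: str) -> tuple:
    """Interpret a field typed in ASCII mode; returns (length label, raw key bytes)."""
    if entry == "":
        return ("None", b"")                         # empty field = no encryption on the network
    if entry[:2].lower() == "0x":                    # "0x" followed by 10 or 26 hex characters
        digits = entry[2:]
        if not _is_hex(digits) or len(digits) not in (10, 26):
            raise ValueError("hex entry must be 0x followed by 10 or 26 hex characters")
        raw = bytes.fromhex(digits)
    else:                                            # 5 or 13 ASCII characters, case-sensitive
        if len(entry) not in (5, 13) or not entry.isascii():
            raise ValueError("ASCII entry must be exactly 5 or 13 ASCII characters")
        raw = entry.encode("ascii")
    return ("40-bit" if len(raw) == 5 else "128-bit", raw)


def parse_hex_entry(length_label: str, digits: str) -> tuple:
    """Interpret a field typed in Hex mode under the selected length option."""
    if length_label not in KEY_BYTES:
        raise ValueError("length must be None, 40-bit or 128-bit")
    if length_label == "None":
        return ("None", b"")
    if not _is_hex(digits) or len(digits) != 2 * KEY_BYTES[length_label]:
        raise ValueError(f"{length_label} key needs {2 * KEY_BYTES[length_label]} hex characters")
    return (length_label, bytes.fromhex(digits))


def to_ascii_display(length_label: str, raw: bytes) -> str:
    """What the field shows after switching from Hex to ASCII mode."""
    if length_label == "None":
        return ""
    if all(0x20 <= b <= 0x7E for b in raw):          # every byte is a printable ASCII character
        return raw.decode("ascii")
    return "0x" + raw.hex()                          # not convertible: 0x plus 10 or 26 hex chars


def to_hex_display(raw: bytes) -> str:
    """What the field shows after switching from ASCII to Hex mode (length follows from len(raw))."""
    return raw.hex().upper()
```

A key that was typed as hex and shows up as a "0x..." string after the switch is therefore not an error: it simply contains bytes that have no printable ASCII form.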


Configuring Rogue Identification for Wireless Networks

Use the Tools > Wireless > Rogue options (Figure 4-5) to enable and configure Sniffer Portable Professional's identification of rogue entities on the wireless network.

When the Lookup options here are enabled, Sniffer Portable Professional flags wireless entities not found in the corresponding lists as rogues in both Expert and Host Table displays.

Figure 4-5. Tools > Wireless > Rogue Dialog Box

· If the Enable Rogue AP Lookup option (beneath the Known Access Points in the Network table) is enabled, Sniffer Portable Professional compares the MAC address (not the IP address) of each detected access point to those in the Known Access Points in the Network list. If an access point's MAC address is not in the list, Sniffer Portable Professional labels the access point as a rogue.
· If the Enable Rogue Mobile Unit Lookup option is enabled, the Expert compares the MAC address (not the IP address) of each detected mobile unit to those in the Known Mobile Units in the Network list. If a mobile unit's MAC address is not in the list, Sniffer Portable Professional labels it as a rogue.


Rogue Identification in Sniffer Portable Professional Displays

Rogues are identified in Sniffer Portable Professional displays as follows:

· The Expert generates Rogue Access Point and Rogue Mobile Unit alarms when a rogue is detected. The Expert identifies rogues by adding the word (Rogue) in parentheses following the offending stations' entries in Summary and Detail displays. This provides you with a handy means of identifying units on the wireless network of which you were not aware, some of which may be unauthorized intruders.
· When Rogue Lookup is enabled, the Host Table includes a Status column in tabular 802.11 displays listing the current Rogue/Known/Neighbor identification of each listed entity. You can check an entry's selection box in the Host Table (in the # column) and right-click to identify it as either Known or Neighbor, or to remove it from the Known/Neighbor list entirely.

The Rogue Dialog Box and Expert Options

The Tools > Wireless > Rogue dialog box provides access to the same settings found in the Tools > Expert Options > 802.11 Options tab. These two dialogs share the same list of Known/Neighbor wireless entities -- when you change a setting in one dialog box, it is reflected in both places. For example, if you add an Access Point as Known from the Host Table, it will appear as Known in both the Tools > Wireless > Rogue dialog box and the Tools > Expert Options > 802.11 Options tab. See Expert 802.11 Options on page 140 for information on using the options found there, including the Import/Export features not available in the Tools > Wireless > Rogue dialog box.

Adding Known Addresses to the List

To use the rogue identification abilities of Sniffer Portable Professional effectively, you must first add the MAC addresses of the known access points and mobile units on your network to the Expert's list of known wireless unit addresses. There are several ways to do this:

· Automatically from the real-time Host Table. See Adding Known Addresses from the Host Table on page 141.
· Automatically from the Expert tab of the postcapture display. See Adding Known Addresses from the Postcapture Display on page 143.
· Automatically from the Address Book. See Autodiscovering and Adding Addresses from the Address Book on page 145.


· Manually from the 802.11 Options tab of the Expert Properties dialog box. See Adding Known Addresses Manually in the 802.11 Options Tab on page 145.

In addition, you can also import and export lists of known addresses (for example, you can import addresses from other Sniffer Portable Professional installations).
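The lookup described in Configuring Rogue Identification for Wireless Networks and the Rogue/Known/Neighbor status and alarms described in Rogue Identification in Sniffer Portable Professional Displays come down to a MAC address set comparison. The Python below is an added example for this guide, not the product's code; the class, the Observation record, the MAC normalization and every address in run_demo are constructed. It deliberately carries an IP address along so that the reader can see it play no part in the decision.

```python
import re
from dataclasses import dataclass


def normalize_mac(mac: str) -> str:
    """Canonical form so 00-11-22-33-44-55, 0011.2233.4455 and 00:11:22:33:44:55 compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass(frozen=True)
class Observation:
    kind: str   # "ap" (access point) or "mu" (mobile unit)
    mac: str
    ip: str     # shown in the table only; the lookup ignores it by design


class RogueLookup:
    """Known/Neighbor lists per entity kind plus the two Enable ... Lookup switches (hypothetical)."""

    def __init__(self, known_aps, known_mus, neighbor_aps=(), neighbor_mus=(),
                 ap_lookup=True, mu_lookup=True):
        self.lists = {
            "ap": ({normalize_mac(m) for m in known_aps}, {normalize_mac(m) for m in neighbor_aps}),
            "mu": ({normalize_mac(m) for m in known_mus}, {normalize_mac(m) for m in neighbor_mus}),
        }
        self.enabled = {"ap": ap_lookup, "mu": mu_lookup}

    def status(self, obs: Observation) -> str:
        if obs.kind not in self.lists:
            raise ValueError("kind must be 'ap' or 'mu'")
        if not self.enabled[obs.kind]:
            return ""                       # lookup off: no Status shown for this kind
        known, neighbor = self.lists[obs.kind]
        mac = normalize_mac(obs.mac)
        if mac in known:
            return "Known"
        if mac in neighbor:
            return "Neighbor"
        return "Rogue"                      # not in either list

    def scan(self, observations):
        """Returns (host table rows, alarms) for a batch of observed entities."""
        rows, alarms = [], []
        for obs in observations:
            st = self.status(obs)
            mac = normalize_mac(obs.mac)
            rows.append((obs.kind, mac, obs.ip, st))
            if st == "Rogue":
                alarms.append(("Rogue Access Point" if obs.kind == "ap" else "Rogue Mobile Unit", mac))
        return rows, alarms


def run_demo():
    """Constructed network: one known AP, one neighbor AP, one known mobile unit."""
    lookup = RogueLookup(known_aps=["00:11:22:33:44:55"], known_mus=["00-1A-2B-3C-4D-5E"],
                         neighbor_aps=["66:77:88:99:aa:bb"])
    observed = [
        Observation("ap", "00-11-22-33-44-55", "10.0.0.1"),     # known AP, written with dashes
        Observation("ap", "66:77:88:99:AA:BB", "10.0.0.2"),     # neighbor AP
        Observation("ap", "DE:AD:BE:EF:00:01", "10.0.0.1"),     # rogue AP reusing the known AP's IP
        Observation("mu", "001a.2b3c.4d5e", "10.0.0.50"),       # known mobile unit, Cisco notation
        Observation("mu", "0c:0c:0c:0c:0c:0c", "10.0.0.51"),    # unknown mobile unit
    ]
    return lookup.scan(observed)

if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

The third observation is the case the guide warns about: the lookup keys on the MAC address, so a device that copies a known access point's IP address is still flagged, while a known device that changes IP address is not.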


Adding Tools to the Tools Menu

You can add your own tools to the Tools menu. A tool can be any Windows or DOS executable file installed on or accessible to your machine.

To add a tool:

1 Select Tools > Customize User Tools from the main menu.

2 Click the Add button. The program will add (new tool) to the tool list.

3 Edit the Menu Text field. Replace (new tool) with the name you want to see on the menu.

4 Specify the command line, command line parameters, and initial start-up directory as needed to properly start your program.

5 Optionally, assign a shortcut key (Alt + t, letter). To do this, place an ampersand character (&) in front of the appropriate letter in the Menu Text field. (In addition, the program automatically assigns an Alt + number shortcut, visible to the right of the menu item when you display the Tools menu.)

6 Optionally, use the Move Up and Move Down buttons in the Customize User Tools dialog box to change the order of tools displayed in the menu.

7 Click OK. The new tool will appear on the Tools menu.

Removing Tools from the Tools Menu

To remove a tool listed on the Tools menu:

1 Select Tools > Customize User Tools from the main menu.

2 Select the tool you want to remove.

3 Click Remove.

4 Click OK.


Monitoring Your Network

Overview

This section describes Sniffer Portable Professional's monitoring functions. It includes the following major sections:

· About Sniffer Portable Professional Monitor Views on page 67
· Monitoring Wireless Networks on page 68
· Monitor Filters on page 69
· Monitor Applications and Toolbar on page 71
· Monitor Alarms on page 120
· Exporting Monitor Data on page 120

About Sniffer Portable Professional Monitor Views

The Sniffer Portable Professional monitor stores statistical measurements and calculations about your network traffic, providing an accurate picture of network activity in real time. It can generate alarms to notify you when errors are detected and can save historical records of network activity that you can use later for traffic and fault analysis. Monitoring features provide the following information:

· Network load statistics, including the number of frames/bytes of network traffic per time interval, the percentage of utilization, and broadcast and multicast counts.
· Protocol use statistics.
· Application response time statistics for upper layer protocols.
· Individual station and conversation-pair traffic statistics.
· Packet size distribution statistics.

The data collected by the monitor can help you find traffic overloads, troubleshoot bottlenecks, and locate faulty equipment. The data can also be an important factor in deciding how to allocate your company's resources for network maintenance and upgrades.


Monitoring Wireless Networks

Sniffer Portable Professional monitors independent basic service set (IBSS) and infrastructure wireless networks.

· IBSS networks are wireless networks without access to a distribution system. Traffic stays within the IBSS network. IBSS networks are also known as ad hoc or independent networks.
· Infrastructure networks are wireless networks with access to a distribution system. Infrastructure networks are typically one part of an integrated wired and wireless network structure.

When you select a wireless adapter in the Adapter Settings dialog box (accessed from File > Adapter Settings or automatically the first time you select an adapter to monitor), you are by default specifying that you are monitoring both IBSS and infrastructure networks.

Wireless-Specific Information in Monitor Views

Sniffer Portable Professional adds wireless-specific information to many of its views, including the Dashboard, Host Table, Matrix, and Global Statistics views. See the section for each Monitor view for more information:

· Dashboard Counters for Wireless Networks on page 75
· Host Table on page 82
  · Viewing Access Points Only on page 88
  · Identifying Rogue Hosts on the Wireless Network on page 91
· Matrix on page 93
· Global Statistics on page 116

Monitor Displays for Different WLAN Types

When using Sniffer Portable Professional with a wireless adapter, you may notice differences in monitor displays for different wireless LAN (WLAN) types (a, b, g, and n).

Some wireless adapters support proprietary extensions of the 802.11a standard that allow 802.11a networks to operate at twice the rates stated by the 802.11a specification (for example, instead of the upper limit of 54 Mbps stated for the 802.11a specification, the 2X extension theoretically allows for an upper limit of 108 Mbps).


As a consequence of this support, Sniffer Portable Professional displays for 802.11a networks will include data rate categories beyond the 54 Mbps limit claimed by the 802.11a specification. You will only see frames counted in these categories when monitoring or capturing from an 802.11a network implementing these proprietary extensions.

NOTE: Wireless network channels are based on geographical location and the frequency band allocated in the country.

Monitor Filters

Sniffer Portable Professional lets you apply filters to the monitor. Monitor filters affect all standard monitor applications -- Dashboard, Host Table, Matrix, Application Response Time, History Samples, Protocol Distribution, and Global Statistics. Using a monitor filter, you can look at your network traffic from several different views. For example, by defining and applying a hardware address filter to and from a router, you can easily tally the traffic load to and from that router. Using the same filter, the Matrix Table will also show who is talking to the router and how often. If you open the Protocol Distribution window, it will show the percentage traffic load passing through the router by protocol types. In addition, the History graph will plot traffic load at the router over time. If you want to look at matrix and host table statistics for IP traffic only, you can define and apply an IP protocol filter. If you want to focus on other protocol types, for example, IPX or AppleTalk, you can define filters for those also.

IMPORTANT: For a complete description of how to define a filter, see Defining Filters and Triggers on page 219.


Applying Monitor Filters

To apply a filter to the monitor:

1 From the Monitor menu, choose Select Filter.

2 Check Apply monitor filter. A list of all available monitor filter profiles appears. Monitor filter profiles are defined using the Monitor > Define Filter menu option.

3 Select a monitor filter from the list. Once you have selected a monitor filter in the list, the adjacent pane provides a capsule description of the filter profile's settings.

4 Click OK. The selected monitor filter profile is applied to the monitor applications. You can tell if a Monitor filter is currently applied by examining the lower left corner of the Sniffer window. If a Monitor filter is currently applied, a message reading Monitor Filter On will appear.

Making Changes to the Currently Selected Monitor Filter's Definitions

When you change the currently selected monitor filter's definitions in the Define Filter - Monitor dialog box, the new definitions are not enacted until you do one of the following:

· Toggle the setting of the Apply monitor filter option in the Monitor > Select Filter dialog box.
· Select a different monitor filter profile and then reselect the updated monitor filter profile in the Monitor > Select Filter dialog box.


Monitor Applications and Toolbar

You display monitor data by using monitor applications. The monitor applications are listed under the Monitor menu and are also available on the main toolbar. To use monitor applications, you must be "logged on" to the selected adapter. If you are not logged on, the entries for the monitor applications in the Monitor menu will be grayed out, indicating their unavailability. For a discussion of how to use the Log On and Log Off options, see Network Adapters and Settings on page 267.

Table 5-1. Monitor Applications

Application             Toolbar Button   For more information, see...
Dashboard               (icon)           · Dashboard on page 72
                                         · Viewing the Dashboard Graphs on page 73
                                         · Working with the Dashboard Graphs on page 74
                                         · Setting Thresholds for the Dashboard Statistics on page 75
                                         · Dashboard Counters for Wireless Networks on page 75
Host Table              (icon)           · Host Table on page 82
                                         · Host Table Counters for Wireless Networks on page 85
Matrix                  (icon)           · Matrix on page 93
ART                     (icon)           · Application Response Time (ART) on page 97
History Samples         (icon)           · History Samples on page 110
Protocol Distribution   (icon)           · Protocol Distribution on page 114
Global Statistics       (icon)           · Global Statistics on page 116

Figure 5-1. The Monitor Toolbar (buttons labelled in the figure: Dashboard, Host Table, Matrix, Application Response Time, History Samples, Protocol Distribution, Global Statistics, Alarm Log)

Dashboard

The Dashboard displays current network activity in either graphical or tabular format. Use the Dashboard to view a network segment's utilization and packet rate in real time. Display the Dashboard by clicking the Dashboard icon in the Toolbar or by selecting the Dashboard option from the Monitor menu. From the Dashboard you can view or access the following information:

· Gauges displaying utilization, packet rate, and error rate in real time. Red zones shown in the gauges indicate the alarm threshold settings.
· Click the Detail tab below the gauges to display tabular counters for network statistics and size distribution statistics.
· Topology-specific tabs displaying tabular counters for network-specific statistics.
· Configurable graphs for network statistics and size distribution statistics.

The exact statistics (and tabs) provided in the Dashboard depend on the currently selected adapter. To view the total network traffic load accumulated since Sniffer Portable Professional started, click the Detail tab.


IMPORTANT: See Dashboard Counters for Wireless Networks on page 75 for details on the Dashboard statistics provided for wireless LANs.

Viewing tips:

· To view average-per-second statistics, select the Show Average option at the top of the Dashboard instead of the Show Total option.
· To reset all the statistics in the Dashboard to zero, click Reset.
· To set thresholds for alarms based on Dashboard statistics, click Set Thresholds.

Figure 5-2 shows a sample Dashboard for an Ethernet adapter.

Click these boxes to see configurable graphs of the corresponding statistics.

Click these options to narrow (Short term) or widen (Long term) the scale of the Network, Detail Errors, and Size Distribution graphs.

Figure 5-2. The Dashboard Gauge View

Viewing the Dashboard Graphs

The Dashboard also provides configurable graphs for the broad groups of statistics shown on the Detail tab. Ethernet adapters include configurable graphs for:

· Network statistics
· Size Distribution statistics

Wireless LAN adapters include configurable graphs for:

· Network statistics
· Wireless Statistics


· Speed Statistics

You view the configurable graphs by clicking the box corresponding to the desired group of statistics at the bottom of the Dashboard. A graph appears at the bottom of the Dashboard showing the selected statistics. Figure 5-3 shows the Network statistics graph for an Ethernet adapter. The exact statistics shown in the Network graph will change depending on the selected adapter.

Click the Scroll buttons to move the graph's "current" line. The statistics shown at the right of the graph reflect the statistics at the "current" line's position. You can see the exact time and date of the "current" line to the right of the Scroll buttons.

The "Current" line.

Check the boxes corresponding to each statistic you would like included in the graph. The statistics available for graphing are the same as those in the Detail tab at the top of the Dashboard.

Figure 5-3. Configurable Dashboard Graph

Working with the Dashboard Graphs

You work with the configurable graphs as follows:


· Each possible statistic for the graphs is listed at the right of the graph. Check the boxes of the statistics you would like included in the graph. A line in the corresponding color will appear in the graph for the selected statistic.
· If you are having difficulty viewing the line for a particular statistic, allow your mouse to hover over the entry for the statistic at the right of the graph. The corresponding line will appear in bold in the graph while your mouse is hovering over its entry at the right.
· The graph includes a vertical "current" line. The statistics counters at the right of the graph are based on the position of the "current" line. You can move the current line in either of the following ways:
  · Clicking the arrow buttons at the top of the graph.
  · Clicking to the right or the left of the "current" line in the graph.

The time and date entry at the top of the graph shows the current position of the "current" line.

You can widen or narrow the time scale of the graph by clicking the Long term (widen) or Short term (narrow) buttons at the top of the graph.

Setting Thresholds for the Dashboard Statistics

You can set alarm thresholds for each of the dials on the Dashboard (as well as many other network statistics). When a threshold is exceeded, an entry is made in the Alarm log. You can monitor the Alarm log to keep watch over your network. To set a threshold value, click Set Thresholds at the top of the Dashboard (Figure 5-2). Alternatively, you can select Options from the Tools menu and click the Mac Threshold tab. You will see a complete list of network parameters that can trigger a threshold alarm. The exact parameters depend on the currently selected adapter. Another option in this dialog box is the Monitor sampling interval option. The High Threshold value for each measure will be the average per second value measured during the monitor sampling interval.

Dashboard Counters for Wireless Networks

For wireless displays, the Dashboard includes a number of wireless-specific counters not seen on wired networks. These counters are described in this section and are found in:

The Gauge tab (see The Dashboard Gauge Tab on page 76)
The 802.11 tab (see The Dashboard 802.11 Tab on page 77)


The Dashboard Gauge Tab

The Gauge tab is displayed by default when you start the Dashboard. When capturing from wireless networks, the Dashboard's Gauge tab provides a Throughput gauge. This gauge provides a real-time measurement of the data rate (in bits per second) observed by Sniffer Portable Professional. When calculating throughput, Sniffer Portable Professional only counts data frames. Management and control frames are not part of this calculation. However, the throughput measurement does include the header portions of data frames (see How Wireless Utilization is Calculated on page 76 for details).

How Wireless Utilization is Calculated

The Dashboard provides network utilization percentage measurements on both the Gauge and Detail tabs. Sniffer Portable Professional calculates network utilization by storing the airtime (in microseconds) for each observed frame in a buffer. Every second, the value in this buffer is divided by 1,000,000 microseconds (that is, a second) to obtain a percentage utilization measurement. The airtime for each frame is calculated as follows:

1. First, the duration of the frame's PLCP header is stored. PLCP headers can be either:

   192 microseconds. This is the Long header format specified in IEEE 802.11b/g for 1 and 2 Mbps transmission speeds.
   96 microseconds. This is the Short header format specified in IEEE 802.11b/g for 5.5 and 11 Mbps transmission speeds.

NOTE: The calculations for 802.11a are performed similarly except that they use the duration of the PLCP header specified for different 802.11a rates.

2. Each frame's PLCP header includes a field indicating the length of the data portion of the frame in microseconds. Sniffer Portable Professional adds this value to the duration of the PLCP header observed in the previous step and stores the sum in a buffer.

3. Each second, the value in the buffer is divided by 1,000,000 microseconds to obtain a percentage utilization measurement.
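The three steps above, carried out in code as an added example (this is not NetScout's code and not taken from the product). The 192 and 96 microsecond PLCP header durations and the 1,000,000 microsecond divisor are the guide's; the frame record field names, the sample frames, and the way the PLCP LENGTH field is derived from the frame size (ceil of bits divided by rate, ignoring the 11 Mbps length-extension detail) are assumptions of this example:

```python
import math

# Added example (not NetScout's code): the utilization calculation the guide
# describes, applied to constructed sample frames. PLCP header durations come
# from the guide; the frame record field names are this example's own.

LONG_PLCP_US = 192    # 802.11b/g long preamble + header (1 and 2 Mbps)
SHORT_PLCP_US = 96    # 802.11b/g short preamble + header (5.5 and 11 Mbps)
US_PER_SECOND = 1_000_000


def plcp_header_us(rate_mbps, short_preamble):
    """Step 1: duration of the frame's PLCP preamble and header."""
    if rate_mbps in (1.0, 2.0):
        return LONG_PLCP_US          # only the long format exists at 1 and 2 Mbps
    return SHORT_PLCP_US if short_preamble else LONG_PLCP_US


def plcp_length_us(psdu_bytes, rate_mbps):
    """The PLCP LENGTH field: time to send the data portion, in microseconds.
    Assumption: ceil(bits / rate), ignoring the 11 Mbps length-extension bit."""
    return math.ceil(psdu_bytes * 8 / rate_mbps)


def frame_airtime_us(frame):
    """Step 2: PLCP header duration plus the LENGTH field for one frame."""
    return (plcp_header_us(frame["rate_mbps"], frame["short_preamble"])
            + plcp_length_us(frame["psdu_bytes"], frame["rate_mbps"]))


def utilization_per_second(frames):
    """Step 3: sum airtime into one-second buckets and divide by 1,000,000 us.
    Returns {second: utilization percent} rounded to four decimals."""
    buckets = {}
    for f in frames:
        sec = int(f["timestamp"])
        buckets[sec] = buckets.get(sec, 0) + frame_airtime_us(f)
    return {sec: round(100.0 * us / US_PER_SECOND, 4)
            for sec, us in sorted(buckets.items())}


# Constructed sample capture: five frames spread over two seconds.
SAMPLE_FRAMES = [
    {"timestamp": 0.10, "rate_mbps": 1.0,  "short_preamble": False, "psdu_bytes": 100},
    {"timestamp": 0.50, "rate_mbps": 11.0, "short_preamble": True,  "psdu_bytes": 1500},
    {"timestamp": 0.90, "rate_mbps": 2.0,  "short_preamble": False, "psdu_bytes": 1500},
    {"timestamp": 1.20, "rate_mbps": 5.5,  "short_preamble": False, "psdu_bytes": 1000},
    {"timestamp": 1.70, "rate_mbps": 11.0, "short_preamble": True,  "psdu_bytes": 1500},
]

if __name__ == "__main__":
    for sec, pct in utilization_per_second(SAMPLE_FRAMES).items():
        print(f"second {sec}: {pct:.4f}% utilization")
```

The sample shows why the header portion matters: a 100-byte frame at 1 Mbps with a long header costs 992 microseconds of airtime, nearly as much as a 1500-byte frame at 11 Mbps with a short header (1187 microseconds).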


The Dashboard 802.11 Tab

The Dashboard's 802.11 tab (Figure 5-4) includes counters for wireless LAN Statistics, Management frame types, and Control frame types:

Statistics Counters in the 802.11 Tab on page 77
Management Frame Type Counters in the 802.11 Tab on page 79
Control Frame Type Counters in the 802.11 Tab on page 81

Figure 5-4. Sample 802.11 Tab in Dashboard

Statistics Counters in the 802.11 Tab

Table 5-2 lists and describes the Statistics counters in the Dashboard's 802.11 tab (sample shown in Figure 5-4).

Table 5-2. Statistics Counters in the Dashboard's 802.11 Tab

Data Pkts
  The number of data packets observed on the wireless LAN.

Management Pkts
  The number of Management packets observed on the wireless LAN. Management packets include Association Requests, Probe Requests, and so on. They are counted individually in the Management column of the 802.11 tab.

Control Pkts
  The number of Control packets observed on the wireless LAN. Control packets include PS Polls, CF Ends, and so on. They are counted individually in the Control column of the 802.11 tab.

Data Throughput
  The current data rate (in bits per second) observed by Sniffer Portable Professional. When calculating throughput, Sniffer Portable Professional only counts data frames. Management and control frames are not part of this calculation. However, the throughput measurement does include the header portions of data frames.

Retry Pkts
  The number of Retry packets observed on the wireless LAN. Stations send retry packets when they receive no acknowledgment to a previously sent packet.

WEP Pkts
  The number of packets observed on the wireless LAN with the WEP bit in the Frame Control field set to true. This indicates that Wired Equivalent Privacy encryption was used on the packet.

Order Pkts
  The number of packets observed on the wireless LAN with the Order bit in the Frame Control field set to true. This indicates that packets must be processed in order.

PLCP Short Pkts
  The number of Physical Layer Convergence Protocol (PLCP) protocol data units seen with the "short" preamble and header. This form of PLCP PDU is used to achieve higher throughput and can support 5.5 and 11 Mbps transmission speeds.

PLCP Long Pkts
  The number of PLCP PDUs seen with the "long" preamble and header. This form of PLCP PDU is compatible with legacy equipment from older wireless LANs and operates at either 1 Mbps or 2 Mbps.

Data Rate Counters
  These counters provide packet counts for different speed ranges.

Management Frame Type Counters in the 802.11 Tab

Management frames are used to set up the initial communications between stations and access points on the wireless network. Table 5-3 lists and describes the Management frame counters in the Dashboard's 802.11 tab (example shown in Figure 5-4 on page 77).

Table 5-3. Management Frame Counters in the Dashboard's 802.11 Tab

Association Requests
  The number of Association Requests observed on the wireless network. Stations send Association Requests to become associated with access points.

Association Responses
  The number of Association Responses observed on the wireless network. Access points send Association Responses in response to Association Requests from wireless stations.

Reassociation Requests
  The number of Reassociation Requests observed on the wireless network. Stations send Reassociation Requests when they need to associate with a new access point (for example, because they are out of range of their old access point). This way, the new access point knows to set up forwarding of traffic from the old access point.

Reassociation Responses
  The number of Reassociation Responses observed on the wireless network. Access points send Reassociation Responses in response to Reassociation Requests from wireless stations.

Probe Requests
  The number of Probe Requests observed on the wireless network. Stations send Probe Requests to other stations or access points to retrieve information (for example, to determine whether a given access point is open for new associations).

Probe Responses
  The number of Probe Responses observed on the wireless network. Stations and access points send Probe Responses containing requested parameters in response to Probe Requests.

Beacons
  The number of Beacon packets observed on the wireless network. Access points send beacon packets at a regular interval to synchronize timing between stations on the same network.

ATIMs
  The number of Announcement Traffic Indication Messages (ATIMs) observed on the wireless network. Stations send ATIMs immediately after a beacon packet transmission to inform other stations that they have data to transmit to them.

Disassociations
  The number of Disassociation packets observed on the wireless network. Stations and access points send Disassociations to end associations.

Authentications
  The number of Authentication packets observed on the wireless network. Stations and access points send Authentications to identify one another securely.

Deauthentications
  The number of Deauthentication packets observed on the wireless network. Stations and access points send Deauthentications to end secure communications with one another.


Control Frame Type Counters in the 802.11 Tab

Once stations and access points on the wireless networks have established communications with one another (through the Association and Authentication packet types described in the previous section), Control frames are used in the transmission of data frames. Table 5-4 lists and describes the Control frame counters in the Dashboard's 802.11 tab (example shown in Figure 5-4 on page 77).

Table 5-4. Control Frame Counters in the Dashboard's 802.11 Tab

PS Polls
  The number of Power Save (PS) Poll packets observed on the wireless network. PS Poll packets are sent by stations to inform other stations of time windows during which they will not be transmitting.

RTS
  The number of Request to Send (RTS) packets observed on the wireless network. RTS packets are sent by stations to negotiate how a data frame will be sent.

CTS
  The number of Clear to Send (CTS) packets observed on the wireless network. Stations send CTS packets to acknowledge the receipt of an RTS packet and to indicate that they are ready to receive data.

Acknowledge
  The number of Acknowledge packets observed on the wireless network. Stations send acknowledge packets to indicate that they have received an error-free packet.

CF End
  The number of Contention-Free (CF) End packets observed on the wireless network. CF End packets are sent to indicate the end of a contention period.

CF End/CF ACK
  CF End/CF ACK packets are sent to acknowledge CF End packets.

BSSID
  The Basic Service Set Identification (BSSID) for the access point on the channel being monitored.

ESSID
  The Extended Service Set Identification (ESSID) for the channel being monitored.
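Every counter in Tables 5-2 through 5-4 except Data Throughput and the Data Rate counters is driven by the two-byte Frame Control field at the start of each 802.11 header. The following added example (not NetScout's code) decodes that field and tallies the same counters over a handful of constructed frames; the type, subtype and flag-bit positions are the IEEE 802.11 assignments, and the counter names match the tables above:

```python
from collections import Counter

# Added example (not NetScout's code): decoding the 802.11 Frame Control field
# and tallying the Dashboard 802.11-tab counters from it. Frame bytes below are
# constructed; type/subtype and flag-bit values are the IEEE 802.11 assignments.

TYPE_COUNTERS = {0: "Management Pkts", 1: "Control Pkts", 2: "Data Pkts"}

MGMT_SUBTYPES = {
    0: "Association Requests", 1: "Association Responses",
    2: "Reassociation Requests", 3: "Reassociation Responses",
    4: "Probe Requests", 5: "Probe Responses", 8: "Beacons", 9: "ATIMs",
    10: "Disassociations", 11: "Authentications", 12: "Deauthentications",
}

CTRL_SUBTYPES = {
    10: "PS Polls", 11: "RTS", 12: "CTS", 13: "Acknowledge",
    14: "CF End", 15: "CF End/CF ACK",
}


def parse_frame_control(header):
    """Decode the first two bytes of an 802.11 MAC header (little-endian).
    Byte 0: version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
    Byte 1: flags, of which the Dashboard counts Retry, Protected (WEP) and Order."""
    if len(header) < 2:
        raise ValueError("Frame Control needs two bytes")
    b0, b1 = header[0], header[1]
    return {
        "version": b0 & 0x03,
        "type": (b0 >> 2) & 0x03,
        "subtype": (b0 >> 4) & 0x0F,
        "retry": bool(b1 & 0x08),
        "wep": bool(b1 & 0x40),     # the Protected Frame bit, "WEP bit" in the guide
        "order": bool(b1 & 0x80),
    }


def dashboard_counters(frames):
    """Tally the Statistics, Management and Control counters of the 802.11 tab."""
    counts = Counter()
    for raw in frames:
        fc = parse_frame_control(raw)
        if fc["version"] != 0:
            counts["Unknown Version"] += 1   # not a tab counter; kept so bad frames are visible
            continue
        counts[TYPE_COUNTERS.get(fc["type"], "Reserved Type")] += 1
        if fc["retry"]:
            counts["Retry Pkts"] += 1
        if fc["wep"]:
            counts["WEP Pkts"] += 1
        if fc["order"]:
            counts["Order Pkts"] += 1
        if fc["type"] == 0:
            counts[MGMT_SUBTYPES.get(fc["subtype"], "Other Management")] += 1
        elif fc["type"] == 1:
            counts[CTRL_SUBTYPES.get(fc["subtype"], "Other Control")] += 1
    return counts


# Constructed sample: only the Frame Control bytes of eight frames.
SAMPLE_FRAMES = [
    b"\x80\x00",  # Beacon
    b"\x40\x00",  # Probe Request
    b"\x08\x48",  # Data, Retry + Protected
    b"\x08\x40",  # Data, Protected
    b"\xd4\x00",  # ACK
    b"\xb4\x00",  # RTS
    b"\xc0\x00",  # Deauthentication
    b"\x08\x80",  # Data, Order
]

if __name__ == "__main__":
    for name, n in sorted(dashboard_counters(SAMPLE_FRAMES).items()):
        print(f"{name:24s} {n}")
```

Watching the Deauthentications and Disassociations counters climb while Data Pkts stays flat is the kind of pattern these per-subtype counters make visible at a glance; the Dashboard thresholds described earlier in this chapter can turn such a jump into an Alarm log entry.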


Host Table

The Host Table collects each network node's traffic statistics in real time.

For LAN adapters, the Host Table accumulates MAC, IP network, IP application, IPX network, and IPX transport-layer information. For wireless LAN adapters, the Host Table accumulates 802.11, MAC, IP, and IPX transport-layer information. See Host Table Counters for Wireless Networks on page 85 for more information on wireless-specific statistics.

Options for viewing data in the Host Table are summarized in the following table.

Table 5-5. Host Table Toolbar Options

Access Point Table (802.11 Tab Only). Focuses the standard Outline Table view on Access Points only, helping you zoom in on their associated statistics.

Outline Table. The table views display traffic count statistics for each network node in real time. The outline table provides a quick summary of total bytes and packets transmitted in and out of each network node.

Detail Table. The table views display traffic count statistics for each network node in real time. For most tabs, the detail table provides a quick summary of the higher-layer protocol type and its traffic load transmitted in and out of each network node. For the 802.11 tab, the detail table breaks out packet counts by different wireless control frame types. For example, stations sending Beacon frames are listed with counts for in and out packets and bytes associated with beacon frames.

Bar Chart. The bar chart displays the top x busiest host nodes in real time, where x is a user-configurable number. (The default is 10.)

Pie Chart. The pie chart displays the top x busiest host nodes as relative percentages of the total load of top x traffic. x is a user-configurable number (the default is 10).

Capture. Capture data to or from a single station (first select a station from outline table view).

Define Filter. Displays the Define Filter - Capture dialog box, pre-populated with settings based on the selected station in the Outline Table.

Add to Last Filter. Displays the Define Filter - Capture dialog box, adding information associated with the selected station in the Outline Table to the previous filter information.

NOTE: The type of selected station must match the station used in the previous filter for this to work. For example, if you select an IP station in the Host Table's IP tab and click Define Filter, the Define Filter - Capture dialog box will automatically populate with the IP address of the selected station. You could then select a second IP station in the IP tab, click the Add to Last Filter button, and see the Define Filter - Capture dialog box appear with the IP address of the second station added to the previous station. However, you could not go to the MAC tab, select a station, and then add that to a filter already populated with IP information. The filter types must match.

Pause. Pauses updates.

Refresh. Refreshes the display.

Reset. Resets all counters to zero.

Export. Exports tabular data to CSV (Table views only).

Properties. Opens a properties dialog box in which you can set operating parameters for the Host Table, including update and sort intervals, sort options for charts, and which wireless stations are included in the display (Access Points, Stations, None, or any combination of the three).

Single Station. Displays a Single Station view for the selected station. See Host Table Single Station Functions on page 84 for more information.

Export to HTML. Exports data to HTML (Table views only).

Sort a Host Table by clicking a column heading (for example, to sort the statistics by incoming packets, click the In Pkts column heading). Click a second time to sort in reverse order.


You can configure settings (specifying to show the raw address instead of a symbolic name, defining the update and sort interval, and defining the sort variable and top-N variable in the bar and pie chart) by clicking Properties from the Host Table toolbar. In the table views, you can export the statistics for tabulation or charting. Refer to Exporting Monitor Data on page 120. Figure 5-5 shows a sample Host Table display.

Figure 5-5. The Host Table (Outline Table View). Callout: Click to display traffic by 802.11, MAC, IP, or IPX.

Maximum Number of Entries in the Host Table

The maximum number of entries in the Host Table display is 1000.

Host Table Single Station Functions

To capture data to or from a single station, click the station's icon in the outline table and then click the button. (For more information, see Capturing from Specific Stations (Visual Filters) on page 128.) To display a single station's statistics, click the station's icon in the outline table and click the button. You can view a single station's statistics in a traffic map, table, bar chart, or pie chart.


Host Table Counters for Wireless Networks

In addition to the standard Host Table features available for all networks, Sniffer Portable Professional provides counters specifically for MAC-layer wireless stations in the 802.11 tab. Display the Host Table's 802.11 tab by clicking it at the bottom of the Host Table window. For each MAC-layer wireless station detected on the network, the 802.11 tab provides the statistics listed and described in Table 5-6. In addition, you can click the Access Point button to zoom in on access points only. See Viewing Access Points Only on page 88 for information on the counts in the Access Points view.

Table 5-6. Host Table Counters in the 802.11 Tab

HwAddr
  The hardware address for this station.

Type
  The type of station. Station types include:
  · AP. Access Point.
  · STA. Wireless Station.

Status
  The Status column lets you monitor Known, Rogue, and Neighbor stations in your WLAN. It appears whenever Enable Rogue AP Lookup and/or Enable Rogue Mobile Unit Lookup is turned on in either Tools > Wireless > Rogue or Tools > Expert Options > 802.11 Options. As you use the Host Table, you can flag a wireless entity as either Known or Neighbor by checking its box in the leftmost # column, right-clicking, and selecting either Add to Wireless Units List as Known or Add to Wireless Units List as Neighbor. The value you assign will appear in the Status column, helping you keep track of unknown entities on your WLAN. See Adding Known Addresses to the List on page 141 for information on the different ways you can automatically add addresses to the list of known units, how rogues are flagged in Sniffer Portable Professional displays, and so on.

BSSID
  The Basic Service Set ID associated with this station.

ESSID
  The Extended Service Set ID associated with this station.

Encryption
  The last observed encryption method for this host. Possible values include:
  · RC4-Open (WEP)
  · RC4-TKIP (WPA-PSK)
  · AES-CCMP (WPA2-PSK)
  · Unencrypted
  If this field is empty, then no encryption is in use.

Authentication
  The last observed authentication method for this host. Possible values include:
  · Open
  · Shared
  · 802.1X-PSK

Monitored Topology
  The wireless network topology on which this station was last seen transmitting. For example, A for 802.11a, B for 802.11b, and so on.

Monitored Channel
  The wireless network channel on which this station was last seen transmitting.

Valid Topology
  The wireless network topology on which this station is supposed to be transmitting according to the information in transmitted packets. Compare this value to the Monitored Topology value.

Valid Channel
  The wireless network channel on which this station is supposed to be transmitting according to the information in transmitted packets. Compare this value to the Monitored Channel value to see how channels are overlapping in your WLAN.

Signal Curr
  The average of all measured signal strengths for this station.

Signal Max
  Of the measured signal strengths for this station, the highest (expressed as a percentage).

Signal Min
  Of the measured signal strengths for this station, the lowest (expressed as a percentage).

In Bytes
  The number of bytes received by this station.

Out Bytes
  The number of bytes transmitted by this station.

In Pkts
  The number of packets received by this station.

Out Pkts
  The number of packets transmitted by this station.

Broadcast
  The number of broadcast packets transmitted by this station.

Multicast
  The number of multicast packets transmitted by this station.

Retry Pkts
  The number of retry packets transmitted by this station. Stations send retry packets when they receive no acknowledgment to a previously sent packet.

Data Rate Counters
  These counters provide packet counts for different speed ranges.

Update Time
  The last time this station was updated in the Host Table with new statistics.

Create Time
  The time this station's entry was first added to the Host Table.
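To make the per-station counters of Table 5-6 concrete, here is an added example (not NetScout's code) that accumulates them from already-decoded frame records: bytes and packets in each direction, broadcast and multicast counts attributed to the transmitter, retries, the three signal columns, and the Update/Create times. The 1000-entry cap is the maximum the guide states for the Host Table; the record field names, the sample addresses and frames, and the choice to give rows only to unicast addresses are assumptions of this example:

```python
# Added example (not NetScout's code): accumulating the per-station counters
# of the Host Table's 802.11 tab from decoded frame records. Records below are
# constructed; the 1000-entry cap is the guide's stated maximum.

MAX_HOST_ENTRIES = 1000
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac):
    """Group bit (least significant bit of the first octet) set, excluding broadcast."""
    return mac != BROADCAST and (int(mac.split(":")[0], 16) & 0x01) == 1


class HostTable:
    """Per-station counters keyed by hardware address (HwAddr)."""

    def __init__(self, max_entries=MAX_HOST_ENTRIES):
        self.max_entries = max_entries
        self.hosts = {}
        self.overflowed = False   # set once a new station could not be added

    def _entry(self, mac, ts):
        host = self.hosts.get(mac)
        if host is None:
            if len(self.hosts) >= self.max_entries:
                self.overflowed = True
                return None
            host = {
                "HwAddr": mac, "In Bytes": 0, "Out Bytes": 0, "In Pkts": 0,
                "Out Pkts": 0, "Broadcast": 0, "Multicast": 0, "Retry Pkts": 0,
                "Signal Max": None, "Signal Min": None, "_sig_sum": 0, "_sig_n": 0,
                "Create Time": ts, "Update Time": ts,
            }
            self.hosts[mac] = host
        host["Update Time"] = ts
        return host

    def observe(self, frame):
        """frame: {"ts", "src", "dst", "bytes", "retry", "signal_pct"} (constructed layout)."""
        tx = self._entry(frame["src"], frame["ts"])
        if tx is not None:
            tx["Out Bytes"] += frame["bytes"]
            tx["Out Pkts"] += 1
            tx["Retry Pkts"] += int(frame["retry"])
            if frame["dst"] == BROADCAST:
                tx["Broadcast"] += 1
            elif is_multicast(frame["dst"]):
                tx["Multicast"] += 1
            sig = frame["signal_pct"]          # signal strength belongs to the transmitter
            tx["_sig_sum"] += sig
            tx["_sig_n"] += 1
            tx["Signal Max"] = sig if tx["Signal Max"] is None else max(tx["Signal Max"], sig)
            tx["Signal Min"] = sig if tx["Signal Min"] is None else min(tx["Signal Min"], sig)
        # Only unicast receivers get their own row in this example.
        if frame["dst"] != BROADCAST and not is_multicast(frame["dst"]):
            rx = self._entry(frame["dst"], frame["ts"])
            if rx is not None:
                rx["In Bytes"] += frame["bytes"]
                rx["In Pkts"] += 1

    def row(self, mac):
        """One Host Table row, with Signal Curr as the average of all samples."""
        h = self.hosts[mac]
        out = {k: v for k, v in h.items() if not k.startswith("_")}
        out["Signal Curr"] = round(h["_sig_sum"] / h["_sig_n"], 1) if h["_sig_n"] else None
        return out


AP, STA = "00:11:22:aa:bb:cc", "00:11:22:dd:ee:ff"   # constructed addresses

SAMPLE_FRAMES = [
    {"ts": 100.0, "src": AP,  "dst": BROADCAST,           "bytes": 120,  "retry": False, "signal_pct": 80},
    {"ts": 100.2, "src": STA, "dst": AP,                  "bytes": 500,  "retry": False, "signal_pct": 55},
    {"ts": 100.4, "src": STA, "dst": AP,                  "bytes": 500,  "retry": True,  "signal_pct": 45},
    {"ts": 100.6, "src": AP,  "dst": STA,                 "bytes": 1400, "retry": False, "signal_pct": 90},
    {"ts": 100.8, "src": STA, "dst": "01:00:5e:00:00:fb", "bytes": 80,   "retry": False, "signal_pct": 50},
]


def build_table(frames, max_entries=MAX_HOST_ENTRIES):
    """Feed every record through the table and return it."""
    table = HostTable(max_entries)
    for f in frames:
        table.observe(f)
    return table
```

The overflow flag mirrors the behaviour the guide describes for a full display: once the cap is reached, frames from new stations still update the counters of existing rows but do not create new ones, so a table that has silently filled up can hide newly arriving stations unless it is reset.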


Viewing Access Points Only

You can click the Access Point button in the Host Table's 802.11 tab to zoom in on access points only.

The statistics available in the Access Point view are somewhat different than those in the full 802.11 tab, as summarized in the table below.

Table 5-7. Host Table Counters in the Access Point View

Access Points
  The hardware address for each detected access point.

Status
  The Status column lets you monitor Known, Rogue, and Neighbor stations in your WLAN. It appears whenever Enable Rogue AP Lookup and/or Enable Rogue Mobile Unit Lookup is turned on in either Tools > Wireless > Rogue or Tools > Expert Options > 802.11 Options. As you use the Host Table, you can flag a wireless entity as either Known or Neighbor by checking its box in the leftmost # column, right-clicking, and selecting either Add to Wireless Units List as Known or Add to Wireless Units List as Neighbor. The value you assign will appear in the Status column, helping you keep track of unknown entities on your WLAN. See Adding Known Addresses to the List on page 141 for information on the different ways you can automatically add addresses to the list of known units, how rogues are flagged in Sniffer Portable Professional displays, and so on.

ESSID
  The Extended Service Set ID associated with this station.

Encryption
  The last observed encryption method for this host. Possible values include:
  · RC4-Open (WEP)
  · RC4-TKIP (WPA-PSK)
  · AES-CCMP (WPA2-PSK)
  · Unencrypted
  If this field is empty, then no encryption is in use.

Authentication
  The last observed authentication method for this host. Possible values include:
  · Open
  · Shared
  · 802.1X-PSK

Monitored Topology
  The wireless network topology on which this station was last seen transmitting. For example, A for 802.11a, B for 802.11b, and so on.

Monitored Channel
  The wireless network channel on which this station was last seen transmitting.

Valid Topology
  The wireless network topology on which this station is supposed to be transmitting according to the information in transmitted packets. Compare this value to the Monitored Topology value.

Valid Channel
  The wireless network channel on which this station is supposed to be transmitting according to the information in transmitted packets. Compare this value to the Monitored Channel value to see how channels are overlapping in your WLAN.

Signal Curr
  The average of all measured signal strengths for this station.

Signal Max
  Of the measured signal strengths for this station, the highest (expressed as a percentage).

Signal Min
  Of the measured signal strengths for this station, the lowest (expressed as a percentage).

In Bytes
  The number of bytes received by this access point.

Out Bytes
  The number of bytes transmitted by this access point.

In Pkts
  The number of packets received by this access point.

Out Pkts
  The number of packets transmitted by this access point.

Beacons
  The number of beacon packets transmitted by this access point. Access points send beacon packets at a regular interval to synchronize timing between stations on the same network.

Update Time
  The last time this access point was updated in the Host Table with new statistics.

Create Time
  The time this access point's entry was first added to the Host Table.


Identifying Rogue Hosts on the Wireless Network

Sniffer Portable Professional helps you identify unknown units on your wireless network, both during monitoring and live capture. In general, this feature works by comparing detected addresses to a list of Known and Neighbor addresses. Addresses not found in this list are flagged as rogues in Sniffer Portable Professional displays. The figure below summarizes the process:

1. Enable Rogue Lookup for Access Points and/or Mobile Units in either Tools > Wireless > Rogue (shown) or Tools > Expert Options > 802.11 Options. See Configuring Rogue Identification for Wireless Networks on page 61 for details.

2. All wireless entities start out as rogues. Add wireless entities as Known or Neighbors to change their classification. The easiest way to do this is by checking entries in the # column of the Host Table's 802.11 tab and right-clicking. However, there are several ways to do this; see Adding Known Addresses to the List on page 62.

3. Review the Status column in the Host Table, as well as Expert displays to review the Known/Neighbor/Rogue classification of wireless entities. See Rogue Identification in Sniffer Portable Professional Displays on page 62 for information on where Sniffer Portable Professional reports this status.
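The classification rule behind the three steps is small enough to write down. The following added example (not NetScout's code) keeps a list of Known and Neighbor addresses, treats everything else as Rogue, and honours the two per-type lookup switches so that the Status column is only populated for the station types you enabled. The Known/Neighbor/Rogue values and the AP/STA types are the guide's; the address-normalisation helper, the sample stations and the class name are this example's own assumptions:

```python
# Added example (not NetScout's code): the rogue-classification rule the
# guide describes, applied to constructed station records. Status values
# (Known, Neighbor, Rogue) and the AP/STA types are the guide's; everything
# else here is this example's own.

KNOWN, NEIGHBOR, ROGUE = "Known", "Neighbor", "Rogue"


def normalize_mac(mac):
    """Canonical lower-case colon form so list lookups don't miss on formatting."""
    hexdigits = mac.strip().lower().replace("-", ":").replace(".", "")
    if ":" not in hexdigits:                       # e.g. 0011.22aa.bbcc or 001122aabbcc
        hexdigits = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    parts = hexdigits.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    int(hexdigits.replace(":", ""), 16)            # raises on non-hex characters
    return hexdigits


class WirelessUnitsList:
    """The list of Known and Neighbor addresses; anything else is a rogue."""

    def __init__(self, lookup_aps=True, lookup_mobile_units=True):
        self.lookup_aps = lookup_aps                    # Enable Rogue AP Lookup
        self.lookup_mobile_units = lookup_mobile_units  # Enable Rogue Mobile Unit Lookup
        self._status = {}

    def add(self, mac, status):
        """Step 2: an operator assigns Known or Neighbor; nothing can be assigned Rogue."""
        if status not in (KNOWN, NEIGHBOR):
            raise ValueError("only Known or Neighbor can be assigned")
        self._status[normalize_mac(mac)] = status

    def status_of(self, mac, station_type):
        """Status column value, or None when lookup is off for that station type."""
        if station_type == "AP" and not self.lookup_aps:
            return None
        if station_type == "STA" and not self.lookup_mobile_units:
            return None
        return self._status.get(normalize_mac(mac), ROGUE)   # everything starts out as a rogue

    def classify(self, stations):
        """Step 3: return (rows, rogues); rows carry Status, rogues lists flagged addresses."""
        rows, rogues = [], []
        for st in stations:
            status = self.status_of(st["HwAddr"], st["Type"])
            rows.append({**st, "Status": status})
            if status == ROGUE:
                rogues.append(normalize_mac(st["HwAddr"]))
        return rows, rogues


# Constructed sample Host Table rows: three APs advertising the same ESSID and one station.
SAMPLE_STATIONS = [
    {"HwAddr": "00:11:22:AA:BB:CC", "Type": "AP",  "ESSID": "corp"},
    {"HwAddr": "00-11-22-AA-BB-DD", "Type": "AP",  "ESSID": "corp"},
    {"HwAddr": "00:11:22:aa:bb:ee", "Type": "AP",  "ESSID": "corp"},   # not on the list
    {"HwAddr": "00:11:22:dd:ee:ff", "Type": "STA", "ESSID": "corp"},
]


def sample_run(lookup_mobile_units=True):
    """Step 1 (enable lookups), step 2 (add our AP and the neighbour's), step 3 (review)."""
    units = WirelessUnitsList(lookup_aps=True, lookup_mobile_units=lookup_mobile_units)
    units.add("00:11:22:aa:bb:cc", KNOWN)      # our own access point
    units.add("0011.22aa.bbdd", NEIGHBOR)      # the next-door tenant's access point
    return units.classify(SAMPLE_STATIONS)
```

Two points worth noting from a defender's side. First, the third access point advertises the same ESSID as the known one, which is exactly the case a list keyed on ESSID would miss; keying on the hardware address is what lets it surface as Rogue. Second, because every address starts out as Rogue, the value of the Status column depends entirely on how complete the Known list is, so the list should be populated from an inventory before the column is used to drive any response.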


Selecting Wireless Host Types to View in the 802.11 Tab

You can filter the display in the Host Table's 802.11 tab to display any combination of the following host types:

AP: Wireless access points.
STA: Wireless stations.
None: Unclassified stations (for example, broadcast/multicast stations and stations that have not yet been classified).

To filter the Host Table display, click the Properties button in the Host Table to display the Host Table Properties dialog box (Figure 5-6). From here, you can use the 802.11 Host Type tab to select which types of wireless hosts you would like displayed in the Host Table's 802.11 tab. Use standard Ctrl-Click and Shift-Click techniques to select any combination of the listed types and click OK.

NOTE: The setting made here does not apply to the Access Points view in the 802.11 tab. It always focuses on Access Points.

Figure 5-6. Selecting Wireless Hosts for the Host Table's 802.11 Tab


Matrix

The Matrix collects statistics for conversations between network nodes in real time:

For LAN adapters, the Matrix accumulates MAC, IP network, IP application, IPX network, and IPX transport-layer information.
For wireless LAN adapters, the Matrix accumulates MAC, IP, IPX, and 802.11 statistics. See Matrix Counters for Wireless Networks (802.11 Tab) on page 96 for more information on wireless-specific statistics.

You can view Matrix data as a traffic map, as a table, or as a bar or pie chart using the buttons in the Matrix toolbar, as described in the table below.

Table 5-8. Matrix Toolbar Options

Traffic Map. The traffic map provides a birds-eye view of network traffic patterns between nodes in real time.

Outline Table. The table views display traffic count statistics for each detected conversation in real time. The outline table provides a quick summary of total bytes and packets transmitted by each side of each detected conversation.

Detail Table. The table views display traffic count statistics for each conversation in real time. For most tabs, the detail table provides a quick summary of the higher-layer protocol type and its traffic load transmitted on both sides of each conversation. For the 802.11 tab, the detail table breaks out packet counts by different wireless control frame types. For example, Beacon frame counts are provided for both sides of each detected conversation.

Bar Chart. The bar chart displays the top x busiest conversations in real time, where x is a user-configurable number in the Matrix Properties dialog box. (The default is 10.)

Pie Chart. The pie chart displays the top x busiest conversations as relative percentages of the total load of top x traffic. x is a user-configurable number in the Matrix Properties dialog box (the default is 10).

Capture. Capture data associated with a single conversation. First, select a conversation from the outline table view and then click this button to start capture on the selected conversation.

Define Filter. Displays the Define Filter - Capture dialog box, pre-populated with settings based on the selected conversation in the Outline Table.

Add to Last Filter. Displays the Define Filter - Capture dialog box, adding information associated with the selected conversation in the Outline Table to the previous filter definition.

NOTE: The type of selected conversation must match the conversation used in the previous filter for this to work. For example, if you select an IP conversation in the Host Table's IP tab and click Define Filter, the Define Filter - Capture dialog box will automatically populate for traffic flowing between the IP addresses of the selected stations. You could then select a second IP conversation in the IP tab, click the Add to Last Filter button, and see the Define Filter - Capture dialog box appear with the IP addresses of the second conversation added to the previous conversation. However, you could not go to the MAC tab, select a conversation, and then add that to a filter already populated with IP information. The filter types must match.

Pause. Pauses updates.

Refresh. Refreshes the display.

Reset. Resets all counters to zero.

Export. Exports tabular data to CSV (Table views only). Refer to Exporting Monitor Data on page 120 for more information.

Properties. Opens a properties dialog box in which you can set operating parameters for the Matrix, including the colors used in the traffic map, the top x variable in the bar and pie chart, and the update and sort interval.

Export to HTML. Exports data to HTML (Table views only). Refer to Exporting Monitor Data on page 120 for more information.


Maximum Number of Entries in the Matrix Display

The maximum number of entries in the Matrix display is 2000. The Matrix's Outline and Detail views can both show all 2000 entries. However, the Traffic Map cannot show all 2000 and will display an Overflow message indicating that not all entries can be shown.

NOTE: When the Matrix display reaches its maximum number of entries, you must press the Refresh button to display new entries.

Refresh Rate for the Matrix

The default refresh rate is 1 second. You can use the Update every x seconds option in the Properties dialog box for the Matrix to change the refresh rate. Figure 5-7 shows a Matrix bar chart for a wireless adapter.

Figure 5-7. The Matrix (Bar Chart View) and Toolbar. Callout: Click to display traffic by MAC, IP, IPX, or 802.11 (WLANs only).


Setting Capture Filters from the Matrix

To capture data on a specific station or conversation from the matrix:

Click the icon for a single station in the traffic map, or
Select a conversation entry in the outline table view.

Then, click the button. (For more information, see Capturing from Specific Stations (Visual Filters) on page 128.)

NOTE: If you have difficulty selecting a station for capture in the traffic map, try clicking the Pause button before selecting the station.

Matrix Counters for Wireless Networks (802.11 Tab)

In addition to the standard Matrix features available for all networks, Sniffer Portable Professional provides counters specifically for MAC-layer wireless stations in the 802.11 tab. Display the Matrix's 802.11 tab by clicking it at the bottom of the Matrix window. For each conversation involving MAC-layer wireless stations detected on the network, the 802.11 tab provides packet and byte counts for each side of the conversation.


Application Response Time (ART)

The Application Response Time (ART) monitor application measures and reports response times for application layer connections between servers and clients on known TCP/UDP ports in real time (for example, HTTP, Telnet, SNMP, and so on). Response times are measured as the time between when a request was sent and when the corresponding response was observed by Sniffer Portable Professional. When ART first appears, the Tabular view is displayed. However, you can also view response times for different application connections as either a client-server response time bar chart or a server response time bar chart by clicking the appropriate button at the left of the ART window. See the following sections for details on these views:

ART - The Tabular View on page 98
ART - The Server-Client Response Time Bar Chart on page 100
ART - The Server Response Time Bar Chart on page 100

About ART Monitor Alarms

In addition to measuring and reporting application response times, ART also generates alarms for detected application response times that are slower than the thresholds in the App Threshold tab of the Options dialog box. See the ART Alarms on page 105 for information on how to change these thresholds.

How ART Calculates Response Times

In general, ART calculates a response time as the interval between a request packet and the packet that answers it. The details differ for connection-oriented protocols (TCP) and connectionless protocols (UDP):

TCP – For each socket, ART records the sequence numbers of the segments the client sends and waits for the server's ACK of each one. The response time is the interval between the segment carrying a stored sequence number and the ACK that covers it.

UDP – For each socket, ART measures the time between a packet going from the client to the server and the next packet going from the server back to the client.

Both measurements are taken at the point where the analyzer is attached, so every response time includes the transit time between that point and each end of the connection. When you compare servers, compare them from the same attachment point.

User's Guide

97

Chapter 5

Adding Custom Protocols to the ART Display

If your network uses non-standard TCP or UDP ports for different upper layer protocols, or if you want to add a custom protocol running over TCP or UDP, you can still get ART analysis (and analysis from all other Monitor applications, too) by specifying the correct port number for different upper layer protocols in the Protocols tab of the Options dialog box (accessed by selecting the Options command from the Tools menu). Keep in mind, however, that if you do change the port numbers, you will need to stop and restart collection for your changes to take effect. You can do this using the Reset command in the File menu. See Adding Custom Protocols to the ART Display on page 108 for details.

Not Seeing ART Data?

If the ART displays are not populating with data, make sure that Sniffer Portable Professional is connected to the network in such a way that it sees both sides of a conversation – requests and responses. For example, if Sniffer Portable Professional is connected to a designated mirror port on a switch, make sure that you have set up port mirroring so that both inbound and outbound packets are sent to the mirror port. A capture that contains only one direction of a connection produces no response times at all: every request is counted as a timeout.

IMPORTANT: Mirroring both directions of more than one port on the same path delivers the same frame to the mirror port more than once, so this setup will occasionally cause duplicate packets to appear in the Decode window.
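The check described above can be automated on a capture. The following Python script is an added example, not part of the guide or of Sniffer Portable Professional: it runs over a constructed packet list (timestamps, addresses, ports, payload) and reports the flows for which only one direction was seen, which is exactly the condition that leaves ART with nothing to measure, together with the duplicate frames a both-directions mirror produces. The record layout and the 1 ms duplicate window are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample capture (not a real trace):
# (timestamp_s, src_ip, dst_ip, transport, sport, dport, payload).
# It models a mirror session that copies only one direction of the client port:
# the HTTP requests from 10.0.0.5 are seen but the replies from 10.0.0.80 are not,
# and one frame was delivered to the mirror port twice.
SAMPLE_CAPTURE = [
    (0.000, "10.0.0.5", "10.0.0.80", "TCP", 51000, 80, b"GET / HTTP/1.1\r\n"),
    (0.000, "10.0.0.5", "10.0.0.80", "TCP", 51000, 80, b"GET / HTTP/1.1\r\n"),  # duplicate copy
    (0.120, "10.0.0.6", "10.0.0.53", "UDP", 40000, 53, b"\x12\x34\x01\x00"),
    (0.135, "10.0.0.53", "10.0.0.6", "UDP", 53, 40000, b"\x12\x34\x81\x80"),
    (1.020, "10.0.0.5", "10.0.0.80", "TCP", 51000, 80, b"GET /a HTTP/1.1\r\n"),
]


def flow_key(pkt):
    """Direction-independent key so both halves of a conversation land in one bucket."""
    _, src, dst, transport, sport, dport, _ = pkt
    end_a, end_b = (src, sport), (dst, dport)
    low, high = (end_a, end_b) if end_a <= end_b else (end_b, end_a)
    return (transport,) + low + high


def one_sided_flows(packets):
    """Flows for which only one direction was captured: ART cannot measure these."""
    seen = defaultdict(set)
    for pkt in packets:
        _, src, dst, _, sport, dport, _ = pkt
        seen[flow_key(pkt)].add((src, sport, dst, dport))
    return sorted(key for key, dirs in seen.items() if len(dirs) == 1)


def duplicate_frames(packets, window_s=0.001):
    """Frames identical to an earlier frame within window_s: the duplicates a
    mirror session produces when both ports on a path are mirrored in both directions."""
    last_seen = {}
    duplicates = 0
    for ts, *identity in packets:
        identity = tuple(identity)
        if identity in last_seen and ts - last_seen[identity] <= window_s:
            duplicates += 1
        last_seen[identity] = ts
    return duplicates


def capture_health(packets):
    """Summary to check before trusting the ART numbers from a capture."""
    return {
        "flows_missing_a_direction": len(one_sided_flows(packets)),
        "duplicate_frames": duplicate_frames(packets),
    }
```

On the constructed capture the HTTP flow is reported as one-sided while the DNS exchange, which has both a query and a reply, is not; the two identical HTTP requests at the same timestamp are counted as one duplicate. Run the same two checks on a real export before spending time on ART's timeout column.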

ART – The Tabular View

The ART application's Tabular view lists each detected application-layer connection with the addresses of both the server and the client, detailed statistics for the response times on the connection, and overall traffic statistics for the connection (server octets, client octets, retries, and timeouts). ART organizes connections by protocol. Each protocol you have enabled in the Display Protocols tab of the ART Options dialog box (accessed by clicking the Properties button in the ART window) has its own tab at the bottom of the ART window. You can view connections using different protocols by clicking the appropriate tab at the bottom of the window. The Tabular view provides the statistics in the following table:

Table 5-9. ART Statistics in the Tabular View

Statistic – Description

Server Address – The address of the server taking part in this connection.
Client Address – The address of the client taking part in this connection.
AvgRsp – The average time (in milliseconds) of all responses observed on this connection.
90% Rsp – 90% of all responses observed for this client-server pair were faster than the indicated response time.
MinRsp – The time (in milliseconds) of the fastest response observed on this connection.
MaxRsp – The time (in milliseconds) of the slowest response observed on this connection.
TotRsp – The total number of responses observed on this connection.
0-25, 26-51 ... 801-1600 – The number of responses on this connection that fell into each of seven response-time windows (in milliseconds): the number of responses that arrived within 0 to 25 milliseconds of the request, the number that arrived within the next window, and so on up to 1600 milliseconds.
Server Octets – The total number of bytes sent from the server to the client on this connection.
Client Octets – The total number of bytes sent from the client to the server on this connection.
Retries – The total number of retries observed on this connection. A retry is counted when Sniffer Portable Professional sees a request carrying the same sequence number as a previous request, indicating a retransmission. Retries apply only to TCP-based protocols; UDP is connectionless and has no sequence numbers.
Timeouts – The total number of timeouts observed on this connection. A timeout is counted either when no response is seen to a request by the time the upper bound of the highest time window has expired (by default, 5000 milliseconds), or when no response is seen at all. Timeouts also feed the ART alarms whenever the specified thresholds are crossed.
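To make the TCP and UDP measurement rules and the Table 5-9 columns concrete, here is an added Python example (not the product's code) that applies them to a constructed packet trace. It assumes a simplified packet record with timestamps in milliseconds, a small port table standing in for the Protocols tab, a doubling window scheme inferred from the column labels, and the 5000 ms timeout; a server packet whose acknowledgement number equals a request's sequence number plus its length closes that request, a second request with the same sequence number is a retry, and for UDP the next server packet answers the latest client packet.

```python
import math
from collections import defaultdict

# Port tables standing in for the Protocols tab (assumed subset of the defaults).
TCP_PORTS = {80: "HTTP", 23: "Telnet"}
UDP_PORTS = {53: "DNS", 161: "SNMP"}

# Response-time windows in milliseconds. The doubling scheme is an assumption
# read off the "0-25 ... 801-1600" column labels in Table 5-9.
WINDOW_EDGES = (25, 50, 100, 200, 400, 800, 1600)
TIMEOUT_MS = 5000  # default timeout quoted in Table 5-9


def window_label(rt_ms):
    low = 0
    for high in WINDOW_EDGES:
        if rt_ms <= high:
            return f"{low}-{high}"
        low = high + 1
    return f">{WINDOW_EDGES[-1]}"


WINDOW_LABELS = [window_label(edge) for edge in WINDOW_EDGES] + [window_label(WINDOW_EDGES[-1] + 1)]


def art_stats(packets, timeout_ms=TIMEOUT_MS):
    """packets: (ts_ms, src, dst, transport, sport, dport, seq, ack, payload_len).
    Returns {(protocol, server, client): row} with the Table 5-9 columns."""
    pending = defaultdict(dict)    # conn -> {expected ack (TCP) or "udp": request timestamp}
    rts = defaultdict(list)
    retries = defaultdict(int)
    timeouts = defaultdict(int)
    octets = defaultdict(lambda: {"server": 0, "client": 0})
    for ts, src, dst, transport, sport, dport, seq, ack, plen in sorted(packets, key=lambda p: p[0]):
        table = TCP_PORTS if transport == "TCP" else UDP_PORTS
        if dport in table:                       # client -> server request
            conn = (table[dport], dst, src)
            octets[conn]["client"] += plen
            if transport == "TCP":
                expected = seq + plen            # the ACK that covers this segment
                if expected in pending[conn]:
                    retries[conn] += 1           # same sequence number again: retransmission
                else:
                    pending[conn][expected] = ts
            else:
                pending[conn]["udp"] = ts        # UDP: the next server packet answers the latest request
        elif sport in table:                     # server -> client response
            conn = (table[sport], src, dst)
            octets[conn]["server"] += plen
            sent = pending[conn].pop(ack if transport == "TCP" else "udp", None)
            if sent is None:
                continue                         # nothing outstanding (e.g. a keepalive)
            if ts - sent > timeout_ms:
                timeouts[conn] += 1
            else:
                rts[conn].append(ts - sent)
    for conn, outstanding in pending.items():
        timeouts[conn] += len(outstanding)       # requests never answered in the capture
    rows = {}
    for conn in octets:
        r = sorted(rts[conn])
        n = len(r)
        windows = {label: 0 for label in WINDOW_LABELS}
        for rt in r:
            windows[window_label(rt)] += 1
        rows[conn] = {
            "AvgRsp": sum(r) / n if n else None,
            "90% Rsp": r[math.ceil(0.9 * n) - 1] if n else None,
            "MinRsp": r[0] if n else None,
            "MaxRsp": r[-1] if n else None,
            "TotRsp": n,
            "Windows": windows,
            "Server Octets": octets[conn]["server"],
            "Client Octets": octets[conn]["client"],
            "Retries": retries[conn],
            "Timeouts": timeouts[conn],
        }
    return rows


# Constructed sample trace (not a real capture). Timestamps in milliseconds.
SAMPLE_PACKETS = [
    # HTTP over TCP, client 10.0.0.5:51000 -> server 10.0.0.80:80
    (0,    "10.0.0.5",  "10.0.0.80", "TCP", 51000, 80, 1000, 5000, 100),
    (40,   "10.0.0.80", "10.0.0.5",  "TCP", 80, 51000, 5000, 1100, 300),
    (1000, "10.0.0.5",  "10.0.0.80", "TCP", 51000, 80, 1100, 5300, 50),
    (1120, "10.0.0.80", "10.0.0.5",  "TCP", 80, 51000, 5300, 1150, 200),
    (2000, "10.0.0.5",  "10.0.0.80", "TCP", 51000, 80, 1150, 5500, 50),
    (3000, "10.0.0.5",  "10.0.0.80", "TCP", 51000, 80, 1150, 5500, 50),   # retransmission
    (3300, "10.0.0.80", "10.0.0.5",  "TCP", 80, 51000, 5500, 1200, 200),
    (4000, "10.0.0.5",  "10.0.0.80", "TCP", 51000, 80, 1200, 5700, 50),   # never answered
    # DNS over UDP, client 10.0.0.6:40000 -> server 10.0.0.53:53
    (100,  "10.0.0.6",  "10.0.0.53", "UDP", 40000, 53, 0, 0, 40),
    (115,  "10.0.0.53", "10.0.0.6",  "UDP", 53, 40000, 0, 0, 120),
    (500,  "10.0.0.6",  "10.0.0.53", "UDP", 40000, 53, 0, 0, 40),
    (560,  "10.0.0.53", "10.0.0.6",  "UDP", 53, 40000, 0, 0, 120),
]
```

On the constructed trace the HTTP connection yields three responses (40, 120 and 1300 ms), one retry and one timeout, with the retransmitted request timed from its first transmission. Note what the TCP rule as stated actually measures: a server packet that merely acknowledges the client's data satisfies it, whether or not that packet carries any application data, so the TCP figures are a lower bound on the latency a user experiences.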

ART – The Server-Client Response Time Bar Chart

The Server-Client Response Time bar chart graphs Server-Client pairs according to the options you have specified in the Server-Client tab of the ART Options dialog box. The options there specify how many pairs are graphed, the criterion used to sort the graph, and the display options included for each graphed pair.

Server-client pairs are listed by number along the horizontal axis. The addresses corresponding to each number are listed in the pane to the right of the graph. The vertical axis provides the units (in milliseconds) for each bar. Individual bars are provided along the Z-axis for each Display Option enabled in the Server-Client tab of the ART Options dialog box.

As always, you can click on the display tabs at the bottom of the window to see the graph for server-client pairs observed using the corresponding protocol.

ART – The Server Response Time Bar Chart

The Server Response Time bar chart graphs Servers according to the options you have specified in the Servers Only tab of the ART Options dialog box. The options there specify how many servers are graphed, the criterion used to sort the graph, and the display options included for each graphed server.

Servers are listed by number along the horizontal axis. The addresses corresponding to each number are listed in the pane to the right of the graph. The vertical axis provides the units (in milliseconds) for each bar. Individual bars are provided along the Z-axis for each Display Option enabled in the Servers Only tab of the ART Options dialog box.

As always, you can click on the display tabs at the bottom of the window to see the graph for servers observed using the corresponding protocol.

Setting ART Options

You set options for the ART monitor application by clicking the Properties button in the ART window. The ART Options dialog box appears with the following four tabs:

The ART Options – General Tab on page 101 lets you set the update interval for the ART application.
The ART Options – Server-Client Tab on page 101 lets you set display options for the Server-Client Response Time bar graph.
The ART Options – Servers Only Tab on page 104 lets you set display options for the Server Response Time bar graph.
The ART Options – Display Protocols Tab on page 104 lets you specify for which protocols ART should provide a display tab at the bottom of the ART window.

ART Options – General Tab

The General tab in the ART Options dialog box lets you specify how often the counters in the ART application window are updated. Specify the desired update interval (in seconds) in the provided field and click OK. You can also refresh the ART application's counters manually by clicking the Refresh button in the ART application window.

ART Options – Server-Client Tab

The Server-Client tab in the ART Options dialog box lets you specify display options for the ART Server-Client Response Time bar graph. Set the following options.

The Show Options let you specify how many server-client pairs you would like the graph to display, and whether the graph should show the slowest or the fastest of that number of pairs.
The Sort By Options let you specify the criterion by which the server-client pairs displayed in the graph are sorted. You can only select Sort By options whose corresponding option in the Display Options area of this tab is selected (for example, you can't sort server-client pairs by Min Response Time if Min Response Time is not enabled as a display option in the adjacent list).
The Display Options let you specify which statistics for the server-client pairs you would like included in the bar graph.

These options are described below:

Show Options

Show Slowest/Fastest – Select whether you would like the graph to show the slowest or the fastest server-client pairs. The exact number of pairs displayed depends on the setting of the adjacent Server-Client Pairs option.
Server-Client Pairs – Specify the number of server-client pairs you would like included in the graph.

Sort By Options

The Sort By options let you specify the criterion by which you would like the server-client pairs displayed in the graph to be sorted. Server-Client pairs are sorted in the graph from left (highest value of the selected criterion) to right (lowest value of the selected criterion) along the horizontal axis of the graph.

Table 5-10. Sort By Options for ART

Option – Description

Max Response Time – Enable this option if you would like server-client pairs to be sorted according to the highest (that is, the slowest) response time observed on each listed pair.
RspTm of 90% Response – Enable this option if you would like server-client pairs to be sorted according to their 90% Response values. Each server-client pair has a 90% Response value: 90% of all responses observed for this client-server pair were faster than the indicated response time. This option is useful when you want to smooth out statistical oddities. For example, if a given server-client pair happened to have one or two responses among many that were much slower than the others, this option keeps those few strangely slow responses from dominating the sort.
Average Response Time – Enable this option if you would like server-client pairs to be sorted according to the average response time observed for each listed pair. The pair with the highest average response time is listed at the left of the horizontal axis of the graph, and the values descend to the right.
Min Response Time – Enable this option if you would like server-client pairs to be sorted according to the lowest (that is, the fastest) response time observed on each listed pair.

NOTE: You can only select Sort By options whose corresponding option in the Display Options area of this tab is selected (for example, you can't sort server-client pairs by Min Response Time if Min Response Time is not enabled as a display option in the adjacent list).

Display Options

The Display Options let you specify which statistics for the server-client pairs you would like included in the bar graph. For each statistic you enable, the graph provides another row along the Z-axis of the graph (that is, behind the other statistics) for the listed server-client pairs.

Table 5-11. ART Display Options

Option – Description

Max Response Time – Enable this option if you would like a row along the Z-axis of the graph to show the slowest response time observed on each listed server-client pair.
RspTm of 90% Response – Enable this option if you would like a row along the Z-axis of the graph to show the RspTm of 90% Response value observed on each listed server-client pair. Each server-client pair has a 90% Response value: 90% of all responses observed for this client-server pair were faster than the indicated response time. This option is useful when you want to smooth out statistical oddities. For example, if a given server-client pair happened to have one or two responses among many that were much slower than the others, this option keeps those few strangely slow responses from dominating the display.
Average Response Time – Enable this option if you would like a row along the Z-axis of the graph to show the average response time observed on each listed server-client pair.
Min Response Time – Enable this option if you would like a row along the Z-axis of the graph to show the lowest (that is, the fastest) response time observed on each listed server-client pair.
Show DNS Name – Enable this option if you would like DNS names for both sides of each listed server-client pair displayed in the pane at the right of the graph.

ART Options – Servers Only Tab

The Servers Only tab lets you set the same options described in ART Options – Server-Client Tab on page 101. The only difference is that the options set in this tab apply to the Server Response Time bar graph rather than the Server-Client Response Time bar graph.

ART Options – Display Protocols Tab

The Display Protocols tab lets you specify for which protocols ART should provide a display tab at the bottom of the ART window. For each protocol enabled in this tab, the ART application will include a display tab in the ART application window.

Protocols are organized broadly according to whether they are TCP or UDP oriented. Click the appropriate tab at the bottom of the Display Protocols tab, enable each desired protocol, and then click OK. The ART application window will automatically include display tabs for your selected protocols.

ART Alarms

In addition to measuring and reporting application response times, the ART application generates alarms for detected application response times that are slower than the thresholds you set in the App Threshold tab of the Options dialog box. Specify the threshold values in the Rsp Time column, then click OK. App Threshold parameters are stored on the Agent, by adapter, so that all Consoles connecting to the Agent see consistent settings.

Figure 5-8. Setting Thresholds for ART Alarms

The App Threshold tab includes a row for each protocol monitored by the ART application. Protocols are organized according to whether they are TCP-oriented or UDP-oriented; there is a tab for each. For each protocol, there is a Rsp Time and a % Applied field:

The Rsp Time value specifies at what point a response using the specified protocol is considered "slow." For example, if Rsp Time is set to 5000 milliseconds for HTTP, any response to an HTTP request that takes longer than 5000 milliseconds is considered "slow." The % Applied value specifies the maximum acceptable percentage of "slow" responses on a given connection using the specified protocol. When the percentage of responses exceeding the Rsp Time threshold on a given server-client connection exceeds the % Applied threshold, the Monitor generates an alarm on that connection. Alarms are evaluated per server-client connection, not per server.
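The following added Python example (not the guide's or the product's code) applies the threshold rule above to per-connection results and then applies the severity filter described under Monitor Alarms later in this chapter, where only checked severities reach the Alarm log. The threshold values, the two-level severity scheme, and the counting of timeouts as slow responses are assumptions made for the example.

```python
# App Threshold tab, one table per transport: protocol -> (Rsp Time in ms, % Applied).
# Values are assumed for the example, not the product defaults.
APP_THRESHOLDS = {
    "TCP": {"HTTP": (5000, 10.0), "Telnet": (2000, 5.0)},
    "UDP": {"DNS": (1000, 10.0), "SNMP": (2000, 10.0)},
}


def evaluate_art_alarms(connections, thresholds=APP_THRESHOLDS):
    """connections: dicts with transport, protocol, server, client, response_times (ms), timeouts.
    A connection raises an alarm when its share of slow responses exceeds % Applied.
    Timeouts are counted as slow because the guide says timeouts feed ART alarms
    (assumption: they count in both numerator and denominator)."""
    alarms = []
    for conn in connections:
        rsp_time, pct_applied = thresholds[conn["transport"]][conn["protocol"]]
        answered = conn["response_times"]
        slow = sum(1 for rt in answered if rt > rsp_time) + conn["timeouts"]
        total = len(answered) + conn["timeouts"]
        if total == 0:
            continue
        pct_slow = 100.0 * slow / total
        if pct_slow > pct_applied:
            # Severity scheme is an assumption; the guide only says severities are selectable.
            severity = "Major" if pct_slow >= 2 * pct_applied else "Minor"
            alarms.append({
                "protocol": conn["protocol"], "server": conn["server"], "client": conn["client"],
                "slow": slow, "total": total, "pct_slow": round(pct_slow, 1), "severity": severity,
            })
    return alarms


def log_alarms(alarms, enabled_severities=frozenset()):
    """Mirror the Tools > Options > Alarm tab: only checked severities reach the Alarm log.
    The default is an empty set, so with out-of-the-box options nothing is logged."""
    return [alarm for alarm in alarms if alarm["severity"] in enabled_severities]


# Constructed per-connection results (not real data).
SAMPLE_CONNECTIONS = [
    {"transport": "TCP", "protocol": "HTTP", "server": "10.0.0.80", "client": "10.0.0.5",
     "response_times": [40, 120, 1300, 6000, 7000], "timeouts": 1},        # 3 of 6 slow: 50%
    {"transport": "TCP", "protocol": "HTTP", "server": "10.0.0.80", "client": "10.0.0.7",
     "response_times": [100] * 9 + [6000], "timeouts": 0},                  # exactly 10%: not over
    {"transport": "UDP", "protocol": "DNS", "server": "10.0.0.53", "client": "10.0.0.6",
     "response_times": [10] * 7 + [1500], "timeouts": 0},                   # 1 of 8 slow: 12.5%
]
```

The second HTTP connection sits exactly at the % Applied value and raises nothing, since the rule is "exceeds", and `log_alarms` with its default argument returns an empty list: the same outcome you get in the product when no severity is checked, which is why an empty Alarm log is not evidence of a healthy network.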

Generated alarms are written to the alarm log. Actions take place as a result of generated alarms according to the options you have set on the Alarms tab of the Options dialog box. See Managing Alarms on page 257 for details. The following example shows the ART application window in the tabular view along with descriptions of its toolbar items.

Figure 5-9. The ART Display (Tabular View) and Toolbar

Callouts in the figure:
Protocol tabs (bottom of the window) – Click to display application response times for a different protocol. The protocols available depend on the options you have enabled in the Display Protocols tab of the ART Options dialog box.
Toolbar buttons – Tabular view; Server-Client Response Time bar chart; Server Only bar chart; Refresh display; Reset display; Properties (set the refresh interval, set display options for the bar charts, specify display protocols).

Adding Custom Protocols to the ART Display

You can add custom protocols to the ART display in the same way you add protocols for all monitor applications. Use the following procedure.

To add custom protocols to the ART display:

1 Display the Options dialog box by selecting the Options command from the Tools menu.

2 In the Options dialog box, click on the Protocols tab. The Protocols tab lets you add new upper-layer protocols for monitoring (or change the port numbers associated with existing upper-layer protocols).

3 If the protocol you want to add runs over TCP, make sure the TCP tab at the bottom of the Protocols tab is displayed (this is the default). If the protocol you want to add runs over UDP, click on the UDP tab at the bottom of the Protocols tab.

NOTE: ART does not support monitoring protocols that run over IPX in this release.

4 Scroll to the bottom of the tab and click in the Name cell. Type in the name by which you would like this protocol to be known in Sniffer displays.

5 Click in the adjoining Port cell and type in the port number on which the Sniffer should look for this protocol.

6 Click OK. You will be informed that the application must be restarted for your changes to take effect. Restart the application.

7 Display the ART window by selecting the Application Response Time command from the Monitor menu.

8 Click on the Properties button to display the ART Options dialog box.

9 Click on the Display Protocols tab in the ART Options dialog box.

10 Click on either the TCP or UDP tab at the bottom of the Display Protocols tab, depending on which type of protocol you added in Step 3.

11 Scroll down to display the entry for the protocol you added in the previous steps. Click the box next to this protocol to include it in ART displays.

12 Click OK on the ART Options dialog box. The ART application informs you that it must close and reopen the ART window for your changes to take place. Click Yes to close and reopen the window.

13 The ART window reopens with a new tab at the bottom for your custom protocol.

NOTE: Classification in the Protocols tab is by port number only. Any traffic on the port you enter is counted under the name you gave it, and an application that uses a port already assigned to another protocol is counted under that protocol's name.

History Samples

You can use History Samples to collect a variety of network statistics over a period of time to establish your network performance baseline. Baseline statistics help you set alarm thresholds to notify you when abnormal network behavior occurs. You can also use history samples to determine long-term network traffic trends and to help plan for future network expansion and reorganization. You can launch as many as 10 history sample processes concurrently. These can be 10 different samples or multiple instances of the same sample so that both short-term and long-term trends can be recorded simultaneously. The network events available for history sample monitoring vary according to the type of adapter you have selected in the Adapter dialog box.

IMPORTANT: History Samples average data over the sample period. Because of this, you may miss "spikes" in sampled data due to the averaging. It's always a good idea to use History Samples in conjunction with other Sniffer Portable Professional views that will help you get an accurate view of the traffic on your network.

The sample data can be displayed in a bar chart, a line chart, or an area chart. Figure 5-10 shows the History Samples window for an Ethernet adapter.

Figure 5-10. The History Samples Window

Toolbar callouts in the figure: start a sample; change how the icons display in this window; create a new sample to collect multiple network events; set the sampling interval, threshold values, graph type, and colors used in the graph.

Before launching a sample, set the sampling interval, the high and low threshold values, the graph type, the colors used in the graph, and whether to wrap the buffer when the maximum of 3,600 samples has been collected. First select the sample you want to use in the History Samples window, then click the toolbar button that sets the sampling interval, thresholds, graph type, and colors (see Figure 5-10). The History properties dialog box is shown in Figure 5-11.

Figure 5-11. Configuring History Sample Settings

Callouts in the figure:
Colors – Click to select the colors used in the graph.
Thresholds – Specify the high and low threshold values here.
Sample interval – Specify the sample interval. Sniffer Portable Professional maintains a maximum of 3,600 samples; if you specify 15 seconds, you get up to 3,600 15-second samples (15 hours of history).
Wrap buffer – Select this option if you want the buffer to wrap when the maximum of 3,600 samples has been collected.
Graph type – Click to select the graph type.
OK – Click to save the settings.
Restore – Click to restore factory settings.

Zooming the Display During Monitoring

You can use the Zoom In\Zoom Out context menu options to narrow or broaden the focus of a history sample while it is collecting data. These options change the range of data points displayed, allowing you to focus on a specific small time period, or, alternatively, see broad trends over a comparatively long duration. You use the Zoom In\Zoom Out feature by right-clicking anywhere in a History Sample's graphical display and selecting the desired option from the context menu that appears. Figure 5-12 shows a Packets/s History Sample with the context menu displayed.

NOTE: The Zoom In\Zoom Out feature has three levels of detail. If you are already zoomed to the narrowest view, the Zoom In command will be grayed out in the context menu. The reverse is true of the Zoom Out command.

If the Wrap Buffer when full option is disabled, the history sample will stop automatically when the maximum number of samples is collected. Otherwise the history sample stops when you close the History window. Sniffer Portable Professional lets you export the history data for tabulation or charting. Refer to Exporting Monitor Data on page 120. Figure 5-12 shows a Packets/s history sample in bar chart format and describes the toolbar.
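An added Python model (not from the guide or the product) of a History Sample, to show the two behaviours described above: averaging over the sample interval, and the choice between wrapping and stopping when the buffer of 3,600 samples is full. The packets/s traffic is constructed; it contains a one-second burst that a 15-second sample averages away, which is the point of the IMPORTANT note earlier in this section.

```python
from collections import deque

MAX_SAMPLES = 3600  # fixed buffer size stated in the guide


class HistorySample:
    """Averages a per-second statistic over interval_s seconds, keeping at most
    max_samples points. With wrap=False the sample stops when the buffer is full;
    with wrap=True the oldest points are discarded (the Wrap Buffer option)."""

    def __init__(self, interval_s, high=None, low=None, wrap=False, max_samples=MAX_SAMPLES):
        self.interval_s = interval_s
        self.high, self.low, self.wrap = high, low, wrap
        self.max_samples = max_samples
        self.samples = deque(maxlen=max_samples if wrap else None)
        self.threshold_events = []   # (sample index, "high" or "low", value)
        self.stopped = False
        self._bucket = []

    def feed(self, per_second_values):
        for value in per_second_values:
            if self.stopped:
                return
            self._bucket.append(value)
            if len(self._bucket) == self.interval_s:
                self._close_sample()

    def _close_sample(self):
        average = sum(self._bucket) / len(self._bucket)
        self._bucket = []
        if not self.wrap and len(self.samples) >= self.max_samples:
            self.stopped = True          # buffer full and wrapping disabled
            return
        self.samples.append(average)
        index = len(self.samples) - 1
        if self.high is not None and average > self.high:
            self.threshold_events.append((index, "high", average))
        if self.low is not None and average < self.low:
            self.threshold_events.append((index, "low", average))


def spike_demo():
    """Constructed 30 s of packets/s with a one-second burst: a 15 s sample hides it."""
    traffic = [200] * 14 + [5000] + [200] * 15
    coarse = HistorySample(interval_s=15, high=1000)
    coarse.feed(traffic)
    fine = HistorySample(interval_s=1, high=1000)
    fine.feed(traffic)
    return max(coarse.samples), max(fine.samples), len(coarse.threshold_events), len(fine.threshold_events)


def buffer_demo(wrap, capacity=5):
    """Feed 8 one-second samples into a 5-slot buffer with and without wrapping."""
    sample = HistorySample(interval_s=1, wrap=wrap, max_samples=capacity)
    sample.feed(range(8))
    return list(sample.samples), sample.stopped
```

With the 15-second interval the burst is reported as 520 packets/s and never crosses the 1000 packets/s high threshold, while the 1-second sample records 5000 packets/s and one threshold event; choose the interval according to the shortest event you need to catch, and use a capture or the Packets/s view when you need the spikes themselves.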

Figure 5-12. History Samples (Packets/s Bar Chart) and Toolbar

Right-click a History Sample to display the Zoom In/Zoom Out context menu, which narrows or broadens the focus of the history sample.

Toolbar buttons: Bar chart view; Area chart view; Line chart view; Display as three-dimensional or two-dimensional chart; Display chart as logarithmic or linear; Show/hide the legend; Display/hide a border around the bars/lines in the chart; Pause screen updates; Export history data to spreadsheet.

Creating a Multiple History Sample

You can create your own "multi-view" History Samples tracking combinations of the single statistics available for display in the other History Samples. You set up Multiple History Samples in the Multiple History dialog box. Display this dialog box by clicking Add Multiple History in the History Samples window. Figure 5-13 shows the Multiple History dialog box.

Figure 5-13. Multiple History Dialog Box

Callouts in the figure (Selection tab): the statistics selected for inclusion in this Multiple History Sample are listed in the order in which they will appear in the display; the buttons change the order of the sampled statistics, delete a selected statistic, or open a dialog box in which you can add a new statistic.

As shown in Figure 5-13, the Multiple History dialog box has three tabs. The General and Color tabs provide the same options described on page 111. The Selection tab (Figure 5-13) lets you select which statistics you would like to include in this Multiple History Sample, in addition to the order in which they are displayed. In general, you will want to place statistics with a high sampling rate at the bottom of the list. When you are finished setting up your Multiple History Sample, click OK to add it to the History Samples window.

Protocol Distribution

You can use the Protocol Distribution application to report network usage based on the network-, transport-, and application-layer protocols. For example, you can monitor IPX/SPX, TCP/IP, NetBIOS, AppleTalk, DECnet, SNA, Banyan, and many other protocols. Protocol distribution monitors popular IP applications, such as NFS, FTP, Telnet, SMTP, POP2, POP3, HTTP (WWW), Gopher, NNTP, SNMP, X-Window, and others. It also monitors IPX transport-layer protocols such as NCP, SAP, RIP, NetBIOS, Diagnostic, Serialization, NMPI, NLSP, SNMP, and SPX. You can view the protocol distribution in a table or as a bar or pie chart. You can also view the number and percentage of packets or bytes for a protocol. Sniffer Portable Professional lets you export the protocol distribution data for tabulation or charting. Refer to Exporting Monitor Data on page 120. Figure 5-14 shows a Protocol Distribution bar chart for an Ethernet adapter.
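The added Python example below (not the product's code) computes a protocol distribution by network, transport and application layer from a constructed frame list, using a port table that stands in for the TCP and UDP tabs of Tools > Options > Protocols (including a custom entry added the way the ART procedure above describes). It also produces the packet Size Distribution histogram described under Global Statistics later in this chapter, and writes either of the two export formats listed under Exporting Monitor Data. The port assignments, the RMON-style size bucket edges and the sample frames are assumptions.

```python
import csv
import io
from collections import Counter

# Port tables standing in for the TCP and UDP tabs of Tools > Options > Protocols (assumed subset).
TCP_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3"}
UDP_PORTS = {53: "DNS", 161: "SNMP", 2049: "NFS"}

# RMON-style frame size buckets; the guide does not list its exact bucket edges (assumption).
SIZE_BUCKETS = ((64, "<=64"), (127, "65-127"), (255, "128-255"), (511, "256-511"),
                (1023, "512-1023"), (1518, "1024-1518"))


def add_custom_protocol(transport, port, name):
    """Equivalent of typing a new Name/Port row in the Protocols tab."""
    (TCP_PORTS if transport == "TCP" else UDP_PORTS)[port] = name


def classify(pkt):
    """pkt: (frame_len, network_proto, transport_proto or None, sport, dport).
    Returns (network, transport, application) names; unknown ports become '<transport>-other'."""
    _, network, transport, sport, dport = pkt
    if transport is None:
        return network, None, None
    table = TCP_PORTS if transport == "TCP" else UDP_PORTS
    app = table.get(dport) or table.get(sport) or f"{transport}-other"
    return network, transport, app


def distribution(packets, layer):
    """layer 0 = network, 1 = transport, 2 = application.
    Rows: (name, packets, bytes, packet %, byte %), most packets first."""
    pkts, octets = Counter(), Counter()
    for pkt in packets:
        name = classify(pkt)[layer]
        if name is not None:
            pkts[name] += 1
            octets[name] += pkt[0]
    total_pkts, total_bytes = sum(pkts.values()), sum(octets.values())
    return [(name, pkts[name], octets[name],
             round(100 * pkts[name] / total_pkts, 1), round(100 * octets[name] / total_bytes, 1))
            for name in sorted(pkts, key=lambda n: (-pkts[n], n))]


def size_distribution(packets):
    """Global Statistics > Size Distribution: frame count per size bucket."""
    counts = {label: 0 for _, label in SIZE_BUCKETS}
    counts[">1518"] = 0
    for pkt in packets:
        label = next((lbl for hi, lbl in SIZE_BUCKETS if pkt[0] <= hi), ">1518")
        counts[label] += 1
    return counts


def export_rows(header, rows, delimiter=","):
    """Export in the two formats the guide offers: ',' for .csv, a tab for tab-delimited .txt."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample frames (not a real capture): (frame_len, network, transport, sport, dport).
SAMPLE_FRAMES = [
    (1500, "IP", "TCP", 80, 51000),     # HTTP response segment
    (64, "IP", "TCP", 51000, 80),       # HTTP ACK
    (90, "IP", "UDP", 40000, 53),       # DNS query
    (200, "IP", "UDP", 53, 40000),      # DNS reply
    (120, "IP", "TCP", 51001, 8443),    # non-standard port, unknown until added
    (60, "IPX", None, None, None),      # IPX frames: no TCP/UDP, counted at the network layer only
    (64, "IPX", None, None, None),
]
```

Before the custom entry is added, the frame on port 8443 is reported as TCP-other; after `add_custom_protocol("TCP", 8443, "MyApp")` it appears under its own name, which is what the new ART tab in the procedure above shows. Packet and byte percentages diverge sharply for HTTP (40% of packets, 79% of bytes), which is why the toolbar offers both views.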

Figure 5-14. Protocol Distribution (Bar Chart View) and Toolbar

Toolbar buttons: display protocol distribution by MAC, I



P, or IPX; Bar chart view; Pie chart view; Table view; Display total number or percentage of packets seen; Display total number or percentage of bytes seen; Pause screen updates; Refresh display; Restart data collection; Export data to spreadsheet (Table view only); Export to HTML (Table view only).

Global Statistics

Global Statistics help you understand the overall activity levels in the network and pinpoint large- and small-size packet traffic loads, each of which can have a different effect on overall network performance and availability. Global statistics provides various tabs with statistical measures pertinent to network traffic analysis:

The Size Distribution tab shows the frequency of each packet size as a percentage of all monitored traffic.
The Utilization Distribution tab shows network bandwidth consumption distributed among each 10% grouping: 1-10%, 11%-20%, ..., 91%-100%.
The Topology Surfing tab (Wireless LAN adapters only) presents a quick snapshot of network activity on all wireless network topology/channel combinations selected for monitoring in Tools > Wireless > Surf Settings. Each channel is listed in the display with the same sets of statistics, enabling you to see at a glance what is happening on each channel. See The Global Statistics > Topology Surfing Tab on page 117 for more information on this tab.

NOTE: See Configuring Surf Settings on page 54 for information on selecting wireless channels for surfing.

You can view the Size Distribution and Utilization Distribution tabs in a table or as a bar or pie chart. Figure 5-15 shows a sample packet size distribution graph for an Ethernet adapter.

Figure 5-15. Global Statistics (Bar Chart View)

Callouts in the figure: click to display a bar chart; click to display a pie chart; the Size Distribution tab is currently selected and shows the packet size distribution; click the Utilization Distribution tab to show the utilization distribution.

The Global Statistics > Topology Surfing Tab

The Topology Surfing tab in the Global Statistics view (Wireless LAN adapters only) presents a quick snapshot of network activity on all wireless network topology/channel combinations selected for monitoring in Tools > Wireless > Surf Settings. Up to 30 channels are listed in the display with the same sets of statistics, enabling you to see at a glance what is happening on each channel.

IMPORTANT: When you use the Topology Surfing tab, be sure to select the wireless network topology/channel combinations that interest you in the Tools > Wireless > Surf Settings dialog box. This dialog box specifies the topology/channel combinations Sniffer Portable Professional will cycle between, and for how long it dwells on each. Topology Surfing statistics are only available for the channels you select there, and each channel is observed only while the adapter is tuned to it, so a count for one channel covers only part of the sweep. See Configuring Surf Settings on page 54 for details.

Figure 5-16. Global Statistics > Topology Surfing Tab (Wireless Network)

For each channel on the wireless network, the Topology Surfing tab provides the statistics listed and described in Table 5-12.

Table 5-12. Counters in the Topology Surfing Tab

Counter – Description

Topology – The wireless network topology for these statistics. For example, A for 802.11a, B for 802.11b, and so on.
Ch. No. – The wireless network channel for these statistics.
Packets – The number of packets seen on this channel.
Octets – The number of bytes seen on this channel.
Errors – The number of error packets seen on this channel. Error packets include CRC errors, undersize errors, oversize errors, WEP ICV errors, and PLCP errors.
Data – The number of data packets seen on this channel. Data packets carry data between stations.
Cntl – The number of control packets seen on this channel. Control packets regulate the transmission of data packets after initial authentication has taken place.
Mgmt – The number of management packets seen on this channel. Management packets set up the initial communications between stations and access points on the wireless network.
Beacon – The number of beacon packets seen on this channel. Access points send beacon packets at a regular interval to synchronize timing between stations on the same network.
Signal – The signal strength measured for this channel, expressed as a percentage.
BSSID – The Basic Service Set ID used for communications on this channel.
Data Rate Counters – Packet counts for each of several speed ranges.
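An added Python example (not from the guide or the product) that sorts raw 802.11 frames into the Table 5-12 counters, one row per topology/channel pair. It decodes the type and subtype bits of the Frame Control field, counts beacons and reads the BSSID from a beacon's Address 3 field, treats frames that failed their CRC or are shorter than the minimum header as errors, and adds one counter the table does not have: deauthentication frames, whose sudden rise on a channel is the classic sign of a deauthentication attack. The frames are constructed, not captured, and the example assumes the driver has already stripped the FCS; Signal and the data-rate counters need radio-header information that is not in the frame and are left out.

```python
from collections import defaultdict

# 802.11 Frame Control, first header byte: bits 0-1 protocol version,
# bits 2-3 type (0 management, 1 control, 2 data), bits 4-7 subtype.
TYPE_NAMES = {0: "Mgmt", 1: "Cntl", 2: "Data"}
BEACON_SUBTYPE = 8      # management subtype 1000b
DEAUTH_SUBTYPE = 12     # management subtype 1100b
MIN_FRAME_LEN = 10      # FC + Duration + Address 1 (an ACK without its FCS); shorter is undersize


def frame_kind(frame):
    """Return (type name, subtype) from the first Frame Control byte."""
    fc = frame[0]
    return TYPE_NAMES.get((fc >> 2) & 0x3, "Reserved"), (fc >> 4) & 0xF


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def surf_counters(captures):
    """captures: (topology, channel, frame_bytes, fcs_ok). Returns one Table 5-12
    style row per (topology, channel). 'Deauth' is an extra counter not in the table."""
    def new_row():
        return {"Packets": 0, "Octets": 0, "Errors": 0, "Data": 0, "Cntl": 0,
                "Mgmt": 0, "Beacon": 0, "Deauth": 0, "BSSID": None}
    rows = defaultdict(new_row)
    for topology, channel, frame, fcs_ok in captures:
        row = rows[(topology, channel)]
        row["Packets"] += 1
        row["Octets"] += len(frame)
        if not fcs_ok or len(frame) < MIN_FRAME_LEN:
            row["Errors"] += 1           # CRC or undersize: its header fields cannot be trusted
            continue
        kind, subtype = frame_kind(frame)
        if kind in row:
            row[kind] += 1
        if kind == "Mgmt" and subtype == BEACON_SUBTYPE and len(frame) >= 22:
            row["Beacon"] += 1
            row["BSSID"] = mac_str(frame[16:22])   # Address 3 carries the BSSID in a beacon
        elif kind == "Mgmt" and subtype == DEAUTH_SUBTYPE:
            row["Deauth"] += 1
    return dict(rows)


# Constructed frames (not captured). Addresses are made up.
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
BROADCAST = b"\xff" * 6


def mgmt_frame(subtype, dst, src, bssid, body=b""):
    fc = bytes([subtype << 4, 0x00])           # type 00 = management
    return fc + b"\x00\x00" + dst + src + bssid + b"\x10\x00" + body


def data_frame(payload):
    fc = bytes([0x08, 0x01])                   # type 10 = data, To DS set
    return fc + b"\x00\x00" + AP + STA + AP + b"\x20\x00" + payload


ACK = bytes([0xD4, 0x00]) + b"\x00\x00" + STA   # control, subtype 1101b (ACK)

SAMPLE_SWEEP = [
    ("B", 6, mgmt_frame(BEACON_SUBTYPE, BROADCAST, AP, AP, b"\x00" * 12), True),
    ("B", 6, data_frame(b"A" * 50), True),
    ("B", 6, data_frame(b"B" * 50), True),
    ("B", 6, ACK, True),
    ("B", 6, data_frame(b"C" * 50), False),                          # CRC error
    ("B", 6, mgmt_frame(DEAUTH_SUBTYPE, STA, AP, AP, b"\x07\x00"), True),   # deauth, reason 7
    ("A", 36, mgmt_frame(BEACON_SUBTYPE, BROADCAST, STA, STA, b"\x00" * 12), True),
]
```

The frame that failed its CRC still contributes to Packets and Octets but to none of the type counters, matching the table's definition of Errors. In practice, compare the Deauth count against the Beacon count per channel: a handful of deauthentications per beacon interval from one BSSID is a station leaving, hundreds are somebody forcing stations off the network.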

Additional Buttons in the Topology Surfing Tab's Toolbar

In addition to the standard Bar Chart, Pie Chart, and Reset buttons available in all Global Statistics tabs, the Topology Surfing tab includes the additional buttons listed and described below:

Table 5-13. Extra Topology Surfing Tab Toolbar Buttons

Button – Description

List View – Shows the Topology Surfing tab as a table, with one row for each channel on the wireless network.
Properties – Opens a properties dialog box in which you can specify how information is displayed in the Topology Surfing tab.

Monitor Alarms

Sniffer Portable Professional provides a comprehensive method of detecting and logging unusual network events during monitoring. The alarm manager logs an event in the Alarm log when a user-specified threshold parameter is exceeded. By reviewing the events listed in the Alarm log, you can identify network exception conditions that might require immediate attention. To view the Alarm log, select Alarm Log from the Monitor menu or click the Alarm Log button in the Sniffer Portable Professional main toolbar.

IMPORTANT: Alarms are only logged in the local Alarm Log if their Severity is checked in the Tools > Options > Alarm tab. By default, no alarm Severities are checked.

For information about configuring alarms and setting options, see Managing Alarms on page 257.

Exporting Monitor Data

You can export data from the following application displays for tabulation or charting by clicking the Export button in the display's toolbar:

The Host Table and Matrix outline table view
The Protocol Distribution table view

You can save data in either of two formats:

Comma Separated Value format (.csv)
Tab-delimited text file (.txt)

Chapter 6 Capturing Packets

Overview

This section describes Sniffer Portable Professional's network capture functions. The following topics are covered:

About Capturing on page 121
Capture Controls on page 122
Capture Panel on page 123
Capture Buffer on page 124
Capturing from Specific Stations (Visual Filters) on page 128
Capture Filters on page 129
Capture Triggers on page 129

About Capturing

Unlike the monitoring function, which stores statistical measurements and calculations about your network traffic, the capture function collects and stores the actual packets from your network in a capture buffer. During capture, the Expert analyzes the packets and displays the results in real time. To disable the real-time Expert analysis, select Expert Options from the Tools menu and uncheck the Expert During Capture box. After a capture is stopped, you can use the Sniffer Portable Professional display function to decode and display the packets in the capture buffer, providing you with detailed information about network transactions (packet display). The display function also displays Expert analysis (Expert display). Both the packet display and the Expert display are described in Displaying Captured Data on page 157. Sniffer Portable Professional provides capture controls on the main toolbar and in the Capture menu to control the capture process, configure the capture buffer (which stores the captured packets), and define capture filters. A capture panel is also provided so that you can view the status of a capture session.

User's Guide


NOTE: Before starting a capture, you should configure the Expert options that determine how Expert data is processed and displayed. Expert options are described in Setting Expert Options on page 134.

Capture Controls

Capture controls are provided on the main toolbar and in the Capture menu to control the capture process, configure the capture buffer (which stores the captured packets), and define capture filters. A capture panel is also provided so that you can view the status of a capture session. Use the capture buttons on the main toolbar or the menu items in the Capture menu to:

- Start, stop, and pause a capture session
- Display the results of a capture
- Create a new filter to use for capture
- Select a filter to use for capture

The following figure shows the capture buttons located in the main toolbar. The table below explains each button.

Figure 6-1. The Capture Controls (toolbar buttons, left to right: Start capture, Pause capture, Stop capture, Stop and display capture, Display a stopped capture, Define a capture filter, Select a capture filter)


Table 6-1. Main Toolbar Buttons and Functions

Button            Keyboard Shortcut   Use to...
Start             F10                 Start a capture session.
Pause             n/a                 Pause a capture session.
Stop              F10                 Stop a capture session.
Stop and Display  F9                  Stop a capture session and display the captured data in the Decode window. Note: You can also use F5 to display a stopped capture.
Filter            n/a                 Create a new filter to use for capture. Note: You can also use the drop-down list to the right of the Filter button to select an existing filter to use for capture.

Capture Panel

Use the capture panel to view the status of the capture process. Two tabs are provided at the bottom of the panel. The Gauge tab displays the number of packets captured and indicates how full the capture buffer is (as a percentage). The Detail tab shows detailed statistics about the current capture session.

To open the capture panel:

1. Select Capture Panel from the Capture menu, or click the Capture Panel button in the main toolbar.

The following figure provides a sample Capture Panel window.

The Packets gauge shows the number of packets captured. The Buffer gauge shows how full the buffer is as a percentage. Click the Detail tab to see detailed statistics about the capture process. For example, the number of packets dropped, accepted, and rejected, and the frame slice size are shown.


Capture Buffer

Captured packets are stored in a capture buffer. You can display and analyze the packets currently in the capture buffer or save the packets to disk. You can load and display previously saved capture files (trace files). You can even spool captured packets to files in real time, effectively increasing the size of your capture buffer. Use capture filters to economize capture buffer space further. Capture buffer options are tied to the Define Filter function.

To set capture buffer options:

1. Select Define Filter from the Capture menu, then click the Buffer tab (see Figure 6-2).

2. Set the options on the Buffer tab. The following options are available:

Buffer Size. Select a capture buffer size to accommodate the amount of network traffic you wish to capture. Select a buffer size from the drop-down list or type in your own value. You can specify buffer sizes from 256 KB to 384 MB, depending on how much memory your system has. You must have at least 10 MB more memory than the specified capture buffer size. For example, to start a capture with the buffer size specified as 64 MB, you must have at least 74 MB of memory in the system.

NOTE: If you do select a large buffer size, refrain from running other programs concurrently with Sniffer Portable Professional. There may be a delay while Sniffer Portable Professional allocates memory.

When Buffer is Full. Select to automatically stop the capture (Stop capture) when the buffer is full or overwrite older data in the buffer (Wrap buffer). You can select these options only if the Save to File option is disabled.

Packet Size. You can save the entire packet in the capture buffer, or truncate each packet by setting the Packet Size option when defining a capture filter. Move the slider to select the size of the packet to be captured and saved in the buffer. A data packet larger than the specified size will be truncated. You can select Whole packet, 64, 128, 256, 512, 1024, 4096, 8192, 16384, or 18432 bytes. By truncating large packets, you can save more packets in the capture buffer, thus extending the time covered by the capture and reducing the size of the capture data file, saving disk space (assuming you save the capture buffer to disk). On a very busy network, truncating frames may also help avoid losing frames, since longer frames take longer to store.

Save to File. You can set the Filename prefix and the Number of files to be spooled. The maximum number of files allowed is 99,999. Each file is the same size as the defined capture buffer. For example, if you select the 4 MB buffer size, each file created will be 4 MB in size. (The last file may be smaller than 4 MB.) Setting the buffer size to between 8 and 12 MB will improve capture performance. You may select the Unique names option to guarantee that the file names created by packet capture are unique when stored in the same directory. This is a useful option when you use packet capture spooling in conjunction with the capture trigger repeat mode: several packet capture sequences can be saved without overwriting earlier sequences. By selecting the Wrap file names option, the capture will continue to spool to disk files, overwriting the first file once the last file is full. Otherwise, the capture will stop once it reaches the end of the last file.

3. If you would like to start capture based on the specified filter criteria, click Start Capture directly from the Define Filter dialog box. This action saves the filter criteria and starts a capture based on the active filter in the dialog box.

4. If you would like to save the filter criteria without starting a capture, click OK.

Tips:

When you change the buffer size, you may experience a delay as Sniffer Portable Professional allocates the memory for the buffer, especially if you specify a large buffer. Keep the capture buffer at least 10 MB smaller than the memory available on the system.

Figure 6-2. Setting Capture Buffer Options

Setting Large Capture Buffer Sizes

This release supports capture buffer sizes from 256 KB up to a maximum of 384 MB. You must have at least 10 MB more memory than the specified capture buffer size for capture to start. For example, to start a capture with the buffer size specified as 64 MB, you must have at least 74 MB of memory in the system.

NOTE: In addition to selecting the predefined buffer sizes from the Buffer size drop-down list, you can also type in your own custom value.


"Failed to start capture" Messages?

If you receive a Failed to start capture message when using large capture buffer sizes (for example, greater than 288 MB), upgrade Windows XP to Service Pack 3. Windows XP Service Pack 3 includes a fix for Knowledge Base (KB) issue 894472 that resolves this issue.

Saving the Capture Buffer to a File

You can save the capture buffer contents to a file automatically when the buffer is full by selecting Save to file on the Buffer tab. Specify the filename prefix and the number of files to be spooled. For example, if you specify 5 in the Number of files field and click Wrap file names, the sixth file overwrites the first file. If you do not select Wrap file names, capture will stop when the fifth file is full.

Opening Saved Trace Files

Sniffer Portable Professional can open trace files saved in the following formats:

- Ethernet Sniffer format. This includes *.cap and *.caz formats.
- LibPcap format. This is an industry standard packet capture format (*.pcap) used by common tools such as tcpdump. The maximum trace file size for a LibPcap file is 320 MB.

Opening saved trace files lets you display and analyze data as if it was captured live at that moment. Sniffer Portable Professional treats the data loaded from a disk file in the same way as data captured live off the network.

NOTE: Sniffer Portable Professional does not support WAN/ATM trace files, either in legacy Sniffer formats or LibPcap format. Only the trace file formats listed above are supported.

NOTE: Sniffer Portable Professional does not save trace files in LibPcap format; it can only open these files.
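Two of the rules above are easy to trip over when bringing a capture from tcpdump into Sniffer Portable Professional: a LibPcap file must be 320 MB or less, and WAN/ATM traces are not supported at all. Since Sniffer applies its Packet Size slicing at capture time but cannot rewrite a LibPcap file, the same need arises on the way in. The script below is an added example, not code from the product or this manual: it parses the LibPcap global and record headers, reports the link type, optionally truncates each record to a Packet Size value (keeping the original wire length as LibPcap does), and splits the file at record boundaries so that no piece exceeds the limit. The DLT_* link-type values are the libpcap constants; the 320 MB limit is taken as 320 x 1024 x 1024 bytes, which is an assumption; and the sample frames are constructed inline.

```python
import struct

# Added example; not code from the Sniffer Portable Professional product.
# LibPcap DLT_* link-type values (from libpcap). The manual says Sniffer opens
# Ethernet LibPcap traces and does not support WAN/ATM ones; anything else is
# reported as "other" so the operator can decide before loading it.
ETHERNET_LINKTYPES = {1: "EN10MB"}
WAN_ATM_LINKTYPES = {11: "ATM_RFC1483", 19: "ATM_CLIP", 104: "C_HDLC",
                     107: "FRELAY", 123: "SUNATM"}
MAX_PCAP_BYTES = 320 * 1024 * 1024   # 320 MB limit from the manual (binary MB assumed)
GLOBAL_HDR, PKT_HDR = 24, 16
# magic number as read little-endian -> (struct byte order of the file, timestamp unit)
MAGICS = {0xA1B2C3D4: ("<", "usec"), 0xD4C3B2A1: (">", "usec"),
          0xA1B23C4D: ("<", "nsec"), 0x4D3CB2A1: (">", "nsec")}


def read_pcap(data):
    """Parse a LibPcap byte string -> (header dict, [(ts_sec, ts_frac, orig_len, bytes)])."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a LibPcap file (magic %#x)" % magic)
    endian, res = MAGICS[magic]
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:GLOBAL_HDR])
    header = {"endian": endian, "resolution": res, "version": (vmaj, vmin),
              "snaplen": snaplen, "linktype": linktype}
    packets, off = [], GLOBAL_HDR
    while off + PKT_HDR <= len(data):
        ts_sec, ts_frac, incl, orig = struct.unpack(endian + "IIII", data[off:off + PKT_HDR])
        off += PKT_HDR
        if off + incl > len(data):  # record claims more bytes than the file holds
            raise ValueError("corrupt packet record at offset %d" % (off - PKT_HDR))
        packets.append((ts_sec, ts_frac, orig, data[off:off + incl]))
        off += incl
    if off != len(data):
        raise ValueError("%d trailing bytes after last record" % (len(data) - off))
    return header, packets


def classify_linktype(linktype):
    if linktype in ETHERNET_LINKTYPES:
        return "ethernet"
    if linktype in WAN_ATM_LINKTYPES:
        return "wan_atm"
    return "other"


def slice_packets(packets, packet_size):
    """Truncate captured bytes to packet_size (like the Buffer tab's Packet Size),
    keeping orig_len so a reader still knows the length on the wire."""
    return [(s, f, orig, payload[:packet_size]) for s, f, orig, payload in packets]


def write_pcap(header, packets):
    e = header["endian"]
    magic = 0xA1B23C4D if header["resolution"] == "nsec" else 0xA1B2C3D4
    out = [struct.pack(e + "IHHiIII", magic, header["version"][0], header["version"][1],
                       0, 0, header["snaplen"], header["linktype"])]
    for s, f, orig, payload in packets:
        out.append(struct.pack(e + "IIII", s, f, len(payload), orig) + payload)
    return b"".join(out)


def split_pcap(header, packets, limit=MAX_PCAP_BYTES):
    """Split at record boundaries so every output file is at most limit bytes."""
    files, cur, size = [], [], GLOBAL_HDR
    for pkt in packets:
        rec = PKT_HDR + len(pkt[3])
        if GLOBAL_HDR + rec > limit:
            raise ValueError("a single record exceeds the file size limit")
        if size + rec > limit:
            files.append(write_pcap(header, cur))
            cur, size = [], GLOBAL_HDR
        cur.append(pkt)
        size += rec
    if cur or not files:
        files.append(write_pcap(header, cur))
    return files


def prepare_for_sniffer(data, packet_size=None, limit=MAX_PCAP_BYTES):
    """Reject unsupported link types, apply slicing, and split into loadable pieces."""
    header, packets = read_pcap(data)
    kind = classify_linktype(header["linktype"])
    if kind == "wan_atm":
        raise ValueError("link type %d is a WAN/ATM capture, which Sniffer does not open"
                         % header["linktype"])
    if packet_size:
        packets = slice_packets(packets, packet_size)
        header = dict(header, snaplen=min(header["snaplen"], packet_size))
    return kind, split_pcap(header, packets, limit)


def sample_ethernet_pcap():
    """Constructed sample: three 100-byte Ethernet/IPv4 frames (dst, src, type, filler)."""
    frames = [bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
              + b"\x08\x00" + bytes([i]) * 86 for i in range(3)]
    header = {"endian": "<", "resolution": "usec", "version": (2, 4),
              "snaplen": 65535, "linktype": 1}
    return write_pcap(header, [(1_700_000_000 + i, 0, 100, f) for i, f in enumerate(frames)])


def sample_atm_pcap():
    """Constructed sample: an empty SUNATM trace, which should be rejected."""
    return write_pcap({"endian": "<", "resolution": "usec", "version": (2, 4),
                       "snaplen": 65535, "linktype": 123}, [])


if __name__ == "__main__":
    kind, pieces = prepare_for_sniffer(sample_ethernet_pcap(), packet_size=64,
                                       limit=GLOBAL_HDR + 2 * (PKT_HDR + 64))
    print(kind, [len(p) for p in pieces])
```

For a real trace, read the file into `data`, call `prepare_for_sniffer(data, packet_size=..., limit=MAX_PCAP_BYTES)` and write each returned piece to its own `.pcap`; the Packet Size values on the Buffer tab (64, 128, 256, ...) are sensible choices for `packet_size`. Note that pcapng files start with a different magic and are rejected by `read_pcap`, which matches the manual's list of supported formats.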


Capturing from Specific Stations (Visual Filters)

To capture packets for a particular station, select the station from the monitor's host table display. To capture packets between two specific stations, select one of the conversations from the monitor's matrix display. Then click the Capture button. (To view the host table or matrix table, select Host Table or Matrix from the Monitor menu, or use a toolbar button.) Figure 6-3 shows an example of how to capture from a single station in the host table. The following procedure provides the details:

To capture packets between two specific stations:

1. Display the Matrix (Monitor > Matrix) in the tabular view.
2. Select one of the conversations in the display.
3. Click the Quick Capture button in the Matrix's toolbar.

In response, a capture starts with an automatic Quick Capture filter set up to include just traffic between the two selected stations. The following example illustrates capturing from a single station in the host table. After the selected station turns blue, click the Capture button from the vertical toolbar. The capture progress appears in the main window, or on the Capture Panel.

Figure 6-3. Single-Station Capture from the Host Table (1. Select the station, which turns blue; 2. Click Capture. The progress of the capture is shown on the status line of the main Sniffer Portable Professional window, or on the Capture Panel.)


Capture Filters

You can define filters to capture only the particular packets you need, so that you can focus on the data necessary for troubleshooting network problems. When you apply a filter to the capture process it is called a capture filter. A capture filter allows only certain frames to be saved in the capture buffer. For a description of how to define a filter, see Defining Filters and Triggers on page 219.

Capture Triggers

The trigger feature allows you to start and stop captures based on date and time, alarms, and specific network events. Use triggers to capture data while Sniffer Portable Professional is unattended, such as on off-hours or weekends, or to start captures when specific events occur, such as alarm conditions. For a description of how to define a capture trigger, see Defining Triggers on page 242.

Chapter 7. Real-Time Expert Display

Overview

This section introduces the Expert display, describes its major concepts, and gives you a summary of how to use its functionality.

- About the Expert Display on page 131
- Setting Expert Options on page 134
- Setting Automatic Expert Display Filters on page 151
- Displaying Context-Sensitive Explain Messages on page 153
- Rearranging the Expert Display on page 153
- Exporting the Contents of the Expert Database on page 154

IMPORTANT: Both the Sniffer Portable Professional online help and the Sniffer Decode and Expert Reference provide full details on working with the Expert analyzer. This chapter provides a quick summary of the topic, letting you get up and running quickly.

About the Expert Display

The Expert display shows the results of Expert analysis. Expert analysis can occur during a capture session, showing the results in real time. It can also occur after a capture session when the display function is invoked. During Expert analysis, a database of network objects is constructed from the traffic seen. The Expert protocol interpreters learn all about the network stations, routing nodes, subnetworks, and connections related to the frames in the capture buffer. Using this information, potential problems are detected and you are alerted to issues that may exist on the network. These problems are categorized as being either symptoms or diagnoses:

A symptom indicates that a threshold has been exceeded and may indicate a problem on your network.


A diagnosis can be several symptoms analyzed together, high rates of recurrence of specific symptoms, or single instances of particular network events that cause the Expert to conclude that the network has a real problem. A Diagnosis should be investigated immediately.

The Expert analysis results (symptoms and diagnoses) are shown in five viewing panes on the Expert display tab and on the real-time Expert window that displays during capture. These panes function together so that you can view and select information at all levels of detail. See Figure 7-1. Each pane is described below:

The Expert Overview pane shows the network analysis layers (similar in concept to the ISO layers) and the Expert overview statistics (objects, symptoms, or diagnoses) for each layer. By selecting a combination of layer and statistic type, you control the display of Expert analysis data in the other Expert panes.

NOTE: You can configure the window to be wide or narrow by clicking the arrows in the upper right-hand corner of the Expert overview pane.

The Expert Summary pane shows key summary information for the layer and statistic selected in the Expert Overview pane. The column headings for the Expert Summary display will change, depending on what layer and statistic you have selected.

The Protocol Statistics pane displays the amount of traffic (in frames and bytes) for each protocol encountered for the layer you selected in the Expert Overview pane. This pane is not displayed when the Expert Overview pane is narrow.

The Detail tree pane shows a hierarchical listing of all layers at or below those selected in the Expert Overview and Expert Summary panes. You can expand or collapse each layer in a manner similar to Windows Explorer. Click any item in the Detail Tree to display its Expert detail data.

The Expert Detail pane is a collection of information tables for the data selected by the other panes. The content of the Expert Detail pane will vary, depending on what items are selected in the various other panes.

Figure 7-1. The Expert Window Panes (Expert Overview, Expert Summary, Protocol Statistics, Detail tree, Expert Details)

Setting Expert Options

For effective network analysis, and depending on your network's protocol environment, you should configure Expert options before you start capturing data. The Expert options are described in the following sections. See also:

- Expert Layers and Objects on page 134
- Expert Threshold Settings on page 137
- Expert Protocol Settings on page 137
- Expert Subnet Mask Settings on page 138
- Expert RIP Settings on page 138
- Expert 802.11 Options on page 140
- Expert Mobile Options on page 149
- Expert Oracle Options on page 150
- Expert IP Options on page 151

Expert Layers and Objects

During capture, the Expert constructs a database of network objects from the traffic it sees and categorizes network problems according to the Expert layer at which they occur.

NOTE: The Expert's network layering structure is similar to the OSI model. However, the two schemes do not always map on a one-to-one basis.

To configure network object and Expert layer options, select Expert Options from the Tools menu. The Expert Properties dialog box opens displaying the Objects tab. The Expert has configuration options that enable you to:

Exclude certain layers from Expert processing. In addition to using capture filters, which let you select the particular traffic you need for network analysis, you can exclude certain Expert layers from processing. Double-click a layer in the Analyze column of the Objects tab and select No to exclude the layer from Expert processing. Disabling analysis at a lower layer also disables analysis at every layer above it, which lets you focus precisely on specific network problems.

Specify the maximum number of objects that can be created in the database for each Expert layer. To reduce the amount of memory needed to create network objects, you can specify the maximum number of objects that the Expert can create for each Expert layer. Double-click in the Max Objects column of the Objects tab to specify the maximum number of objects that can be created in the database for each Expert layer.

NOTE: To help with configuration, the Expert shows the estimated amount of memory needed for the number of objects selected for each layer in the Est. Memory column of the Objects tab.

Specify whether to recycle Expert objects (the default) or stop creating new objects when there is no more room in the database. The Expert builds a database of network objects from the information in the packets accumulated in the capture buffer. Because some networks can be immensely complex in their structure, at some point the Expert will have no more memory for new network objects. The Recycle Expert Objects option specifies what the Expert does when it runs out of memory:

- Checked: continues to create new objects by overwriting the least interesting objects already in the database (objects with no associated errors are considered "least interesting").
- Unchecked: stops creating new objects and continues to interpret traffic according to the information already stored in its database.

Enable/disable real-time Expert analysis during capture. By default, when you start a capture, the Expert analyzes the packets coming into the buffer and displays the results in real time in the Expert window. You can observe the network objects, symptoms, and diagnoses that the Expert analyzer creates while the capture progresses. You can disable real-time Expert analysis if you prefer.

Specify the maximum number of alarms that can be created in the Expert database. When the maximum number is reached, the Expert will either recycle the oldest and lowest priority alarms (if the Recycle Alarms option is selected) or stop creating new alarms.

Specify how often Expert displays are updated with new data. Configure the Data Update Rate and the Resorting Rate as desired within the Objects tab of the Expert Properties dialog box. The Resorting Rate specifies the delay between resorting the Expert's database of objects and refreshing the Expert's summary display.

Notes on Expert Tuning

The Expert Analyzer defaults to a maximum number of objects per layer of 1000 for most layers. Adjacent to this column is the Est Memory column, reflecting the estimated amount of memory required to support the relevant number of objects at each layer. For networks where you will see many conversations and hosts you will want to do one or both of the following:

- Increase the maximum number of objects at the relevant layer(s)
- Disable Recycle Expert Objects

If Recycle Expert Objects is enabled, the Expert will attempt to reuse object memory for a given layer when the maximum count of objects at that layer is reached. On higher speed networks, it is advised that recycling be disabled, as it can become an issue. If you disable recycling and hit the maximum counts, any newly detected conversations or hosts will be ignored. In this situation, it is advised to increase the maximum number of objects and disable Recycle Expert Objects. For example, if you run the Expert and discover that you are hitting the maximum count at the IP layer, increase the maximum number of objects to 5000. You will also have to increase Layer 4 and perhaps Layers 6 and 7, because those layers are likely to hit their respective maximum counts as well. This may take several iterations before you come up with the best combination of maximum object counts. Each layer can support up to 99999 maximum objects. If you increase the maximum object counts, the Expert calculates the expected memory needs. If the expected memory needs exceed the amount of memory available, you will get an error message, at which point you will have to trim your maximum object counts accordingly. You can also reduce the maximum object count at those layers that will not have large object counts so as to conserve available memory. A good candidate in most cases would be the DLC\MAC layer (Layer 2).


Expert Threshold Settings

Expert thresholds determine whether the Expert generates a symptom or a diagnosis (also called an alarm) based on a given network event. To change Expert thresholds, select Expert Options from the Tools menu and click the Alarms tab. Expand and/or collapse the Expert layers using the tools in the left column. Clicking "1" or "0" at the top of the column expands or collapses all Expert layers. Click the "+" next to a layer to open an Expert layer and display all symptoms and diagnoses (alarms). After expanding the layer, expand again to display the settings for the alarm. Options in the Alarms tab include:

- Changing Threshold values. Double-click in the Threshold Value cell and type the new threshold value.
- Resetting Threshold values. Click Reset to reset the selected value to the factory default, or click Reset All to reset all settings for all layers to the factory defaults.

IMPORTANT: The default thresholds have been carefully calculated to ensure accurate and informative symptom and diagnosis detection. Before changing any of the thresholds, make sure you understand your network.

For information about alarm severity levels and the Alarm log, refer to Managing Alarms on page 257.

Expert Protocol Settings

You can use the options in the Tools > Expert Options > Protocols tab to specify which protocols you would like the Expert to analyze. Limiting Expert analysis to a selected set of protocols will help improve the Expert's performance. The Protocols tab arranges protocols by the Expert layer at which they are analyzed. You can cascade each layer open by clicking the + sign next to its entry in the dialog box. Then, click in the Analyze column to specify either Yes, you would like Expert analysis for this protocol, or No, you would not like Expert analysis for this protocol. Click Enable All or Disable All to enable or disable Expert analysis for all protocols.


Expert Subnet Mask Settings

TCP/IP subnet masks traditionally reserve specific bits within an IP network address for the subnet mask depending on the class of address. The Expert comes with default subnet mask settings for each class of IP address. Certain networks may use non-traditional subnet masks. If the Expert is attached to a network segment that uses nontraditional subnet masks, it may register spurious network objects and diagnoses. This happens because the Expert expects address information at a location within the address field other than where it actually is. If your networks use nontraditional subnet masks, you must add the IP network address and appropriate subnet mask for the networks from which the Expert will see frames. Select Expert Options from the Tools menu, then click the Subnet Masks tab. Click Add to create a new entry and add the IP address and appropriate subnet mask for the networks from which the Expert sees frames. Type your IP address in the IP Net Address column in the format n.n.n.n where each n is less than 256. Type the subnet mask associated with the IP address in the Subnet Mask column, then click Apply. Click Delete to delete the selected IP address/subnet mask from the table.

Expert RIP Settings

The Expert performs RIP (Routing Information Protocol) analysis during capture and builds a routing table by parsing RIP and other routing protocols in captured frames. RIP analysis is shown in the "Route" layer in the Expert window and enables you to detect common routing problems. You can disable RIP analysis, or specify the level of analysis you want to perform (traffic counts and misdirected frames, or traffic counts only). The Expert tracks the routers it discovers over the network and any default routers that you configure. When you configure a default router, the Expert constructs a default static route to that gateway. The destination IP address for this route is [0.0.0.0]. (You can enter either the MAC address or the IP address of the default router.) This feature allows the RIP Expert to be aware of routers that provide routes that they are not advertising.


Some hosts may be configured to route traffic to default gateways, but a route from such a host to a default gateway might never be advertised. Unless you configure static default routes, the RIP Expert will incorrectly diagnose frames sent from a host to a default gateway as misdirected. If a default route you have configured is also advertised, the other route is ignored, since the one you configured is permanently in the table.

To configure or disable RIP analysis:

1. Select Expert Options from the Tools menu.

2. Click the RIP Options tab.

3. Select the level of RIP analysis you want to perform from the drop-down list:

- No traffic analysis (RIP disabled) disables the RIP Expert.
- Full traffic analysis (counts and analysis) produces traffic counts and detects misdirected frames.
- Traffic counts only produces only traffic counts.

4. The Expert discovers the routers on the network during capture and displays them in the router table of the RIP Options tab. You can add or remove routers from the table using the Add Router and Delete buttons to the right of the Routers table.

5. The Subnet table displays the subnets that the Expert detects on your network automatically during capture and the subnets you add manually. The Source column indicates whether the subnet was detected by the Expert (Network) or added manually (User). Add or remove subnets from the table using the Add Subnet and Delete buttons to the right of the Subnet table.

IMPORTANT: The RIP Expert requires that the IP subnet address and subnet mask be set properly in the Subnet Masks tab.

6. Select Auto Discover Subnets if you want the Expert to discover the subnets on your network automatically during capture.

7. Click OK.

NOTE: For RIP packets to be analyzed by the Expert, the connection layer or the application layer must be set to Analyze in the Objects tab of the Expert Properties dialog box. RIP sits above UDP; the RIP interpreter must be called from the UDP interpreter. UDP is considered to be a transport layer; for the transport layer and above to be interpreted, at least the connection layer must be selected.
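The Subnet Masks and RIP Options sections above describe two ways the Route-layer Expert can produce a false "misdirected frame" diagnosis: a classful default mask that is wider than the real subnet, so two hosts that are actually on different subnets look like neighbours, and a default gateway that never advertises a route, so traffic sent to it looks like it has no route. The following model is an added example written for this page, not the Expert's own algorithm, and the addresses and RIP entries in it are constructed. It shows both failure modes and what configuring a subnet mask and a default router does to the result.

```python
import ipaddress

# Added example modelling the manual's description of the Route-layer Expert;
# not the product's code. Addresses and advertised routes below are constructed.


def classful_mask(ip):
    """Default prefix length for a classful IPv4 address (the Expert's default)."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8       # class A
    if first < 192:
        return 16      # class B
    if first < 224:
        return 24      # class C
    raise ValueError("%s: class D/E address has no classful mask" % ip)


class RouteExpert:
    def __init__(self, subnet_masks=()):
        # Entries from the Subnet Masks tab: "network/prefix" strings. Anything
        # not covered falls back to the classful default, as the manual describes.
        self.subnets = [ipaddress.ip_network(s) for s in subnet_masks]
        self.routes = []   # (network, next-hop router IP), learned from RIP or configured

    def network_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for net in self.subnets:
            if addr in net:
                return net
        return ipaddress.ip_network("%s/%d" % (ip, classful_mask(ip)), strict=False)

    def learn_rip(self, router_ip, advertised):
        """Routes parsed from a RIP response sent by router_ip."""
        for net in advertised:
            self.routes.append((ipaddress.ip_network(net), ipaddress.ip_address(router_ip)))

    def add_default_router(self, router_ip):
        """The manual's configured default router: a static 0.0.0.0 route to that gateway."""
        self.routes.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(router_ip)))

    def check_frame(self, src_ip, dst_ip, next_hop_ip):
        """next_hop_ip is the IP of the station whose MAC the frame was sent to."""
        if self.network_of(src_ip) == self.network_of(dst_ip):
            if next_hop_ip == dst_ip:
                return "ok"
            return "misdirected: destination appears to be on the local subnet"
        hop, dst = ipaddress.ip_address(next_hop_ip), ipaddress.ip_address(dst_ip)
        if any(dst in net for net, router in self.routes if router == hop):
            return "ok"
        return "misdirected: no advertised or configured route to %s via %s" % (dst_ip, next_hop_ip)


if __name__ == "__main__":
    # Constructed scenario: host 10.1.2.3/24, gateway 10.1.2.1 advertising only 10.1.3.0/24.
    for masks in ((), ("10.1.2.0/24",)):
        expert = RouteExpert(masks)
        expert.learn_rip("10.1.2.1", ["10.1.3.0/24"])
        print(masks, expert.check_frame("10.1.2.3", "10.9.9.9", "10.1.2.1"))
        expert.add_default_router("10.1.2.1")
        print(masks, "+default", expert.check_frame("10.1.2.3", "10.9.9.9", "10.1.2.1"))
```

With no subnet configured, 10.1.2.3 and 10.9.9.9 both fall into the classful 10.0.0.0/8, so a frame to the gateway is flagged as misdirected for the wrong reason, and adding the default router does not help. Once 10.1.2.0/24 is configured the first diagnosis disappears, and the remaining one is the case the manual warns about, cleared only by configuring the default router.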

Expert 802.11 Options

The options in the 802.11 Options tab let you specify how the Expert identifies rogue entities on the wireless network, as follows:

- If the Enable Rogue AP Lookup option (beneath the Known Access Points in the Network table) is enabled during capture, the Expert compares the MAC address (not the IP address) of each detected access point to those in the Known Access Points in the Network list. If the access point's MAC address is not in the list, the Expert labels the address as a "rogue" and generates the Rogue Access Point alarm.
- If the Enable Rogue Mobile Unit option is enabled during capture, the Expert compares the MAC address (not the IP address) of each detected mobile unit to those in the Known Mobile Units in the Network list. The Expert flags mobile units whose MAC addresses are not in the Known Mobile Units list as "rogues" and generates the Rogue Mobile Unit alarm.

Additional Rogue Identification

In addition, Sniffer Portable Professional identifies rogues (access points and workstations) as follows:

- The word (Rogue) is included in parentheses following the offending stations' entries in Expert Summary and Detail displays. This provides you with a handy means of identifying units on the wireless network of which you were not aware, some of which may be unauthorized intruders.
- When Rogue Lookup is enabled, the Host Table includes a Status column in tabular 802.11 displays listing the current Rogue/Known/Neighbor identification of each listed entity. You can check an entry's selection box in the Host Table (in the # column) and right-click to identify it as either Known or Neighbor, or to remove it from the Known/Neighbor list entirely.
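The rogue lookup described in the two sections above is a MAC-address allow-list: every access point or mobile unit seen in 802.11 traffic is Known, Neighbor, or Rogue depending only on whether its address is in the corresponding list. The example below is added for this page and is not Sniffer's code: it extracts transmitter and BSSID addresses from 802.11 management frames (beacons and probe responses identify access points; probe, association and reassociation requests identify mobile units), classifies each unit against a known-unit list, and raises the two alarms the manual names. Because MAC addresses are trivially spoofed, it also records the SSID each BSSID advertises and flags a known BSSID seen with an SSID other than the expected one. The CSV list format and its expected_ssid column are this example's own convention, not the product's import format, and all frames are constructed inline.

```python
import csv
import io
import struct

# Added example; not code from the Sniffer Portable Professional product.
MGMT = 0                                    # 802.11 frame type
ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 2, 4, 5, 8

# Known-unit list in a CSV layout chosen for this example (assumption: Sniffer's
# own import/export format is not described on this page). role: ap|mu,
# status: known|neighbor, expected_ssid: optional, access points only.
KNOWN_LIST_CSV = """mac,role,status,expected_ssid
00:11:22:aa:bb:01,ap,known,corp-wifi
00:11:22:aa:bb:02,ap,neighbor,
00:11:22:cc:dd:01,mu,known,
"""


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_mgmt_frame(frame):
    """Return (subtype, transmitter, bssid, ssid) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != MGMT:
        return None
    transmitter, bssid = mac_str(frame[10:16]), mac_str(frame[16:22])
    ssid = None
    if subtype in (BEACON, PROBE_RESP):
        # fixed fields: timestamp(8) + interval(2) + capability(2), then tagged IEs
        body, off = frame[36:], 0
        while off + 2 <= len(body):
            tag, length = body[off], body[off + 1]
            if tag == 0:                      # SSID element
                ssid = body[off + 2:off + 2 + length].decode("utf-8", "replace")
                break
            off += 2 + length
    return subtype, transmitter, bssid, ssid


def load_known(csv_text):
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row["mac"].lower()] = (row["role"], row["status"], row["expected_ssid"] or None)
    return table


def classify_frames(frames, known):
    """Return ({mac: {"role", "status", "ssids"}}, sorted list of (alarm, mac))."""
    units, alerts = {}, set()
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        subtype, transmitter, bssid, ssid = parsed
        if subtype in (BEACON, PROBE_RESP):
            role, mac = "ap", bssid
        elif subtype in (PROBE_REQ, ASSOC_REQ, REASSOC_REQ):
            role, mac = "mu", transmitter
        else:
            continue
        entry = units.setdefault(mac, {"role": role, "status": None, "ssids": set()})
        if ssid is not None:
            entry["ssids"].add(ssid)
        listed = known.get(mac)
        if listed is None or listed[0] != role:   # lookup is per list, by MAC only
            entry["status"] = "Rogue"
            alerts.add(("Rogue Access Point" if role == "ap" else "Rogue Mobile Unit", mac))
        else:
            entry["status"] = listed[1].capitalize()
            if role == "ap" and listed[2] and ssid is not None and ssid != listed[2]:
                alerts.add(("Known BSSID with unexpected SSID", mac))
    return units, sorted(alerts)


def build_mgmt_frame(subtype, transmitter, bssid, ssid=None):
    """Constructed 802.11 management frame: 24-byte header plus minimal body."""
    header = (bytes([(subtype << 4) | (MGMT << 2), 0]) + b"\x00\x00"
              + bytes.fromhex("ffffffffffff")
              + bytes.fromhex(transmitter.replace(":", ""))
              + bytes.fromhex(bssid.replace(":", "")) + b"\x00\x00")
    body = b""
    if subtype in (BEACON, PROBE_RESP):
        name = (ssid or "").encode()
        body = struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(name)]) + name
    return header + body


SAMPLE_FRAMES = [                                   # constructed traffic
    build_mgmt_frame(BEACON, "00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "corp-wifi"),
    build_mgmt_frame(BEACON, "00:11:22:aa:bb:02", "00:11:22:aa:bb:02", "cafe"),
    build_mgmt_frame(BEACON, "00:11:22:aa:bb:99", "00:11:22:aa:bb:99", "corp-wifi"),
    build_mgmt_frame(BEACON, "00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "free-wifi"),
    build_mgmt_frame(PROBE_REQ, "00:11:22:cc:dd:01", "ff:ff:ff:ff:ff:ff"),
    build_mgmt_frame(PROBE_REQ, "00:11:22:cc:dd:77", "ff:ff:ff:ff:ff:ff"),
]

if __name__ == "__main__":
    units, alerts = classify_frames(SAMPLE_FRAMES, load_known(KNOWN_LIST_CSV))
    for mac, info in sorted(units.items()):
        print(mac, info["role"], info["status"], sorted(info["ssids"]))
    print(alerts)
```

The third beacon is the classic evil twin (the corporate SSID on an unlisted BSSID) and is caught by the MAC lookup alone; the fourth is the opposite case, a listed BSSID advertising a different SSID, which a pure MAC allow-list would report as Known. That is the caveat to keep in mind when reading the Status column: Known means the address is on the list, not that the radio is yours.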


Adding Known Addresses to the List

To use the rogue identification abilities of Sniffer Portable Professional effectively, you must first add the MAC addresses of the known access points and mobile units on your network to the Expert's list of known wireless unit addresses. There are several ways to do this:

- Automatically from the real-time Host Table. See Adding Known Addresses from the Host Table on page 141.
- Automatically from the Expert tab of the postcapture display. See Adding Known Addresses from the Postcapture Display on page 143.
- Automatically from the Address Book. See Autodiscovering and Adding Addresses from the Address Book on page 145.
- Manually from the 802.11 Options tab of the Expert Properties dialog box. See Adding Known Addresses Manually in the 802.11 Options Tab on page 145.

In addition, you can also import and export lists of known addresses (for example, you can import addresses from other Sniffer Portable Professional installations). The following sections describe how to use each of these methods.

Adding Known Addresses from the Host Table

Use the following procedure to add the MAC addresses of known wireless units (either access points or mobile units) automatically from the Host Table during real-time monitoring.

To add known addresses automatically from the Host Table:

1. Open the Monitor > Host Table application. The Host Table appears. During real-time monitoring, the Host Table adds one-line entries for each detected wireless unit (access points and mobile units) on the network.

2. If the 802.11 tab is not already displayed, click its entry at the bottom of the Host Table. You can display either the full 802.11 tab, or, alternatively, click the Access Point button to zoom in on access points only.

3. Select which entries in the Host Table you would like to add to the Expert's list of known addresses. Select an entry by checking its corresponding box in the # column at the left of the display. You can select both access points and mobile units. Sniffer Portable Professional will add each to the appropriate list in the Tools > Expert Options > 802.11 Options tab and the Tools > Wireless > Rogue dialog box. Figure 7-2 shows the 802.11 tab of the Host Table with several access points selected in the # column.

Figure 7-2. The Host Table > 802.11 Tab

4. Right-click any entry in the Host Table and select either the Add to Wireless Units List as Known or Add to Wireless Units List as Neighbor command from the context menu that appears. The checked addresses are added to the Expert's list. You can verify that they have been added by displaying the Tools > Expert Options > 802.11 Options tab or the Tools > Wireless > Rogue dialog box. The Known ... in the Network lists will include the newly added addresses.

142

Sniffer Portable Professional

Real-Time Expert Display

Adding Known Addresses from the Postcapture Display

Use the following procedure to add the MAC addresses of known wireless units (either access points or mobile units) automatically from the Expert tab of the postcapture display.

To add known addresses automatically from the postcapture display:

1. Display either a capture buffer or a saved trace file.

2. Click the Expert tab of the postcapture display.

NOTE: If the Expert tab is not available, make sure the Expert tab option is enabled in the Display > Display Setup > General tab.

3. Click Wireless Units List at the top of the Expert pane.

The Wireless Units Discovered in this trace dialog box appears (Figure 7-3). This dialog box has two separate lists of wireless units discovered in the capture buffer or trace file -- one for access points and one for mobile units.

NOTE: You can edit the IP Address field in either list. In some cases, the Expert may be unable to determine a station's IP address. In these cases, you can manually enter an IP address using this feature.


Discovered access points are listed in the upper list; discovered mobile units are listed in the lower list. IP Address fields are editable -- you can enter a custom IP address.

Selected access points and mobile units will be added to the list of known addresses by clicking this button.

By default, all discovered addresses are selected for addition to the Known list (the box at the right of each entry in the list is checked). You can select and deselect individual entries for addition or click Select All and Deselect All for faster selection.

Figure 7-3. Adding Discovered Addresses Postcapture

4. Select the access points and mobile units you would like to add to the list of known addresses by checking the checkbox at the right of each desired entry. By default, all discovered addresses are selected for addition. You can change selections in the following ways:

By clicking Select All and Unselect All.
By clicking in the checkbox for individual entries to toggle them between selected and unselected.

5. When you have finished selecting the addresses for addition, click Update Known Wireless Units List at the bottom of the dialog box. Those selected addresses not already in the Expert's list are added. You can verify that they have been added by displaying the Tools > Expert Options > 802.11 Options tab or the Tools > Wireless > Rogue dialog box. The Known Access Points in the Network and Known Mobile Units in the Network lists will include the newly added addresses.


Autodiscovering and Adding Addresses from the Address Book

The Address Book provides you with the ability to autodiscover access points and mobile units on the wireless network. Then, you can add discovered access points to the list of known addresses automatically.

To autodiscover access points and add them from the Address Book:

1. Display the Address Book (Tools > Address Book).

2. Click Autodiscovery.

3. In the Autodiscovery Options dialog box, make sure the Discover Mobile Units and Discover Access Points options are enabled. Click OK.

4. Autodiscovery proceeds. Discovered addresses appear in the Address Book.

5. Click Export AP in the Address Book's toolbar to add the addresses of all the access points in the Address Book to the list of known access points. Addresses not already in the Expert's list are added. You can verify that they have been added by displaying the Tools > Expert Options > 802.11 Options tab or the Tools > Wireless > Rogue dialog box. The Known Access Points in the Network list will include the newly added addresses.

NOTE: Clicking Export AP only adds those addresses in the Address Book with a Type value set to Access Point. Mobile units are not added.

Adding Known Addresses Manually in the 802.11 Options Tab

Use the following procedure to add the MAC addresses of known wireless units manually (either access points or mobile units) to the Expert's list.

To add known addresses manually in the 802.11 Options tab:

1. Display one of the following dialog boxes/tabs:

Tools > Expert Options > 802.11 Options
Tools > Wireless > Rogue

2. Do you want to add the address of an access point or a mobile unit?


To add the address of an access point, click Add AP. A new entry line becomes active in the Known Access Points in the Network list with the active cursor in the MAC Address column.

To add the address of a mobile unit, click Add MU. A new entry line becomes active in the Known Mobile Units in the Network list with the active cursor in the MAC Address column.

3. Enter the MAC address of the access point or mobile unit in the appropriate MAC Address column. You must enter the entire address in hexadecimal format. The dialog box will not let you enter an address that is not the proper length and format (twelve characters, hexadecimal only). If you do not know the full hexadecimal addresses of the access points in your network, see Determining a Wireless Unit's Full Hexadecimal Address on page 147.

4. Once you have entered a legal MAC address, you can also enter an IP address in the IP Address column. For this release, IP addresses are for your own reference only. The Expert only compares MAC addresses when flagging wireless units as rogues!

5. Repeat Step 2 through Step 4 for each access point or mobile unit you want to add to the Expert's list. You can enter as many addresses as you like.

6. Turn on the Enable Rogue AP Lookup option and/or Enable Rogue Mobile Unit Lookup option by checking the appropriate boxes.

7. Click OK in the Expert Properties dialog box.

Once you have enabled the Rogue AP Lookup and/or Enable Rogue Mobile Unit Lookup option and clicked OK, during subsequent captures (and openings of trace files), Sniffer Portable Professional will compare the MAC addresses of detected access points and mobile units to those in the corresponding lists. Wireless entities not found in the appropriate list will be flagged as rogues in both the Host Table and Expert Summary and Detail displays. In addition, either the Rogue Access Point or Rogue Mobile Unit alarm will be generated for each detected rogue. See Rogue Identification in Sniffer Portable Professional Displays on page 62 for information on how Sniffer Portable Professional identifies rogues in its various displays.


Determining a Wireless Unit's Full Hexadecimal Address

If you do not know the full hexadecimal address of a wireless unit (either an access point or a mobile unit) in your network, you should first check the unit. Often, the address is written on the equipment itself. If this does not work, you can use the Host Table or Expert displays to discover the address. However, because most displays substitute textual manufacturer IDs for the first three bytes of a hexadecimal MAC address (that is, a hexadecimal address of 0020d8014060 would usually be identified in displays as Netwav014060), you need to know where to look in Sniffer Portable Professional displays to find the entire address in hexadecimal.

To determine a wireless unit's full hexadecimal address:

1. Start capturing from the network containing the unit whose address you want to determine. Alternatively, you can open a trace file captured from that network.

2. In the Expert display, examine the Station Function column in the Summary pane at the Wireless layer. In this column, locate an entry for either an Access Point or a Mobile Unit. Highlight this entry. The Detail pane automatically updates to show statistics for the entry selected in the Summary pane.

3. In the Detail pane, scroll down to the Wireless Address field. This field shows the entire hexadecimal address of the selected unit. A textual manufacturer's ID is not substituted for the first portion of the address.

4. Repeat this procedure for each access point on the network whose full hexadecimal address you want to determine.

Importing and Exporting Known Addresses

Sniffer Portable Professional also provides export and import capabilities for the known address lists in the Tools > Expert Options > 802.11 Options tab. You can export the contents of either the Known Access Points or the Known Mobile Units list using the corresponding Export button in the 802.11 Options tab. Exported files are saved in comma-separated values (CSV) format. The exported file consists of a heading row with the IP Address and MAC Address column headings followed by multiple data rows in the format IP Address,MAC Address. For example, a small exported CSV file might appear:

    IP Address,MAC Address
    192.168.1.40,08002000E25B
    192.168.1.14,0800000036D9
    192.168.1.25,080020061107

NOTE: MAC addresses are always presented in the CSV file in hexadecimal format.

Similarly, you can also import CSV files into the Known Access Points or the Known Mobile Units list using the corresponding Import button in the 802.11 Options tab. You can import either CSV files created by exporting the lists from other Sniffer Portable Professional installations, or CSV files you create yourself following the model above (that is, multiple rows in the IP Address,MAC Address format).

NOTE: You can use the Import and Export buttons together to share known address lists among multiple Sniffer Portable Professional installations.
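As an added example (not part of this guide or of the product), the following Python handles the export format above the way the manual-entry and import procedures describe it: it parses the IP Address,MAC Address CSV, enforces the twelve-character hexadecimal MAC format the 802.11 Options tab requires, merges an imported list so that only addresses not already present are added, and flags observed stations whose MAC is absent from the list as rogues, comparing MAC addresses only. Accepting colon- or dash-separated MACs in the normalizer is an assumption for convenience; the dialog itself accepts only the bare twelve-character form.

```python
"""Known wireless unit list handling for the 'IP Address,MAC Address' CSV export.

Added example, not Sniffer Portable Professional code.
"""
import csv
import io
import re

# Constructed sample in the export format shown in the guide.
SAMPLE_KNOWN_AP_CSV = """IP Address,MAC Address
192.168.1.40,08002000E25B
192.168.1.14,0800000036D9
192.168.1.25,080020061107
"""

HEADER = ["IP Address", "MAC Address"]
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(mac):
    """Return the MAC as twelve uppercase hex characters, or None if invalid.

    Separator-tolerant as a convenience (assumption: the dialog itself only
    accepts the bare twelve-character form). A manufacturer-ID form such as
    'Netwav014060' is rejected because it is not hexadecimal.
    """
    compact = re.sub(r"[:\-.]", "", mac.strip())
    return compact.upper() if MAC_RE.match(compact) else None


def parse_known_list(text):
    """Parse an exported Known list into {MAC: IP}; raise ValueError on bad input."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != HEADER:
        raise ValueError(f"unexpected header row: {header!r}")
    known = {}
    for lineno, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue  # tolerate blank lines
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected 2 columns, got {len(row)}")
        ip, mac = (cell.strip() for cell in row)
        norm = normalize_mac(mac)
        if norm is None:
            raise ValueError(f"line {lineno}: {mac!r} is not a 12-character hex MAC")
        known[norm] = ip  # IP is for reference only; it never affects matching
    return known


def merge_known_list(existing, imported):
    """Import semantics: add addresses not already in the list, keep the rest as-is."""
    merged = dict(existing)
    for mac, ip in imported.items():
        merged.setdefault(mac, ip)
    return merged


def export_known_list(known):
    """Write a list back out in the 'IP Address,MAC Address' export format."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    for mac, ip in known.items():  # insertion order, as parsed
        writer.writerow([ip, mac])
    return buf.getvalue()


def find_rogues(known, observed_macs):
    """Return the observed MACs (normalized, sorted) that are not in the Known list.

    Only the MAC is compared, so a known unit seen with a new IP is still known.
    An observed value that is not a valid MAC is reported with an INVALID: prefix
    so it is not silently dropped from the result.
    """
    rogues = set()
    for mac in observed_macs:
        norm = normalize_mac(mac)
        if norm is None:
            rogues.add(f"INVALID:{mac}")
        elif norm not in known:
            rogues.add(norm)
    return sorted(rogues)


if __name__ == "__main__":
    known = parse_known_list(SAMPLE_KNOWN_AP_CSV)
    # Constructed observation: two known APs plus the unknown 0020d8014060 from the guide's text.
    seen = ["08:00:20:00:e2:5b", "0800000036D9", "0020d8014060"]
    print("rogue access points:", find_rogues(known, seen))
```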


Expert Mobile Options

Set the options in the Mobile Options tab to specify how the Expert should analyze Mobile IP data:

Enable IP Home Agent Tunnel Analysis: Specifies whether IP Home Agent Tunnel Analysis is enabled. Disabling this option improves Expert performance.

Enable GRE Home Agent Tunnel Analysis: Specifies whether GRE Home Agent Tunnel Analysis is enabled. Disabling this option improves Expert performance.

Report Mobile Reg Error 136: Specifies whether a Mobile Registration Reply with a Code value of 136 (Registration Denied by the Home Agent - Unknown Home Agent Address) should be considered when generating Registration Failure Expert alarms. If this option is disabled, Registration Failure alarms will not be generated when registration fails with error code 136.

Enable GTP 99 IP Tunnel Analysis: Specifies whether GTP 99 Tunnel Analysis is enabled. When enabled, protocols inside a GTP 99 tunnel will be analyzed by the Expert. Disabling this option improves Expert performance.

Mobile IP Registration List Flush Count: Specifies how often the list of Mobile IP Registration requests should be checked for registration timeouts and flushed of expired Registration Requests. NOTE: If you set this field to 0, the Expert treats the field as if it were set to 1. Only nonzero values are supported.

Max Radius Users per Object: Specifies the maximum number of user data elements to be tracked with each Radius object.

Radius Request List Flush Count: Specifies how often the list of Radius requests for a particular Radius object should be checked for timeouts and flushed of expired entries. NOTE: If you set this field to 0, the Expert treats the field as if it were set to 1. Only nonzero values are supported. NOTE: For most situations, setting this field higher than its default of 1 is not recommended. Setting the value higher than 1 decreases the likelihood of seeing any Timed Out alarms for Radius Access and Accounting requests.

GTP 99 Create PDP Context Request Flush Count: Specifies how often the list of GTP 99 PDP Context Requests for a particular GTP 99 object should be checked for timeouts and flushed of expired requests. When the Expert checks this list and sees at least one response that exceeds the PDP Context Request Timeout threshold or no response at all, it generates the GTP 99 PDP Context Request Timed Out alarm. NOTE: If you set this field to 0, the Expert treats the field as if it were set to 1. Only nonzero values are supported.

Expert Oracle Options

Use the Oracle Options tab to specify the Oracle Error Type numbers (Oracle Error Codes) for which you would like the Expert to generate alarms. Whenever the Expert sees one of the error codes listed here, it will generate the Oracle: ORA Error Type Noticed alarm at the Service layer. Use this tab as follows:

Click Add to create a new entry in the grid. Then, type in the numerical error code to be monitored.
Click Delete to delete the selected error code from the table.
You can modify any entry in the grid by selecting it and revising as necessary.


Expert IP Options

Use the IP Options tab to exclude specified IP addresses from consideration for the Expert's Duplicate Network Address alarm. The Expert will not generate Duplicate Network Address alarms for the IP addresses listed in this tab. Use this tab as follows:

Click Add and supply an address to add a new IP address to the list of exclusions.
Select an entry and click Delete to remove the selected IP Address from the list.
Modify entries by selecting them and editing as necessary.

Setting Automatic Expert Display Filters

You can use Expert display filters to automatically display all traffic in the capture buffer related to a specific:

Network object
Symptom or diagnosis

You apply an Expert display filter by selecting a network object, symptom, or diagnosis in the summary pane of the Expert window and clicking the Define Filter button in the upper left corner of the Expert window. In response, the Expert adds a new tab to the display window (titled Filtered xx, where xx is the sequential number of the filter you applied) containing just those frames associated with the selected network object, symptom, or diagnosis. The frames may be displayed with skipped frame numbers on the Filtered tab, because the network object filter does not change the frame numbers of the frames it selects for display. Thus, you may see frame 30 followed by frame 35 because the network object filter excluded frames 31-34. If you save the filtered frames as a new file (using the Save As command), Sniffer Portable Professional will renumber the filtered frames with sequential numbers.

IMPORTANT: Expert filters support a maximum of 10 objects. Make sure you have selected no more than 10 objects before using this feature.


Limitations of the Expert Filter

The Expert filter has the following limitations:

Some symptoms and diagnoses, such as Broadcast storm, have no associated network object on which the analyzer can filter. In those cases, the Define Filter button will not appear at the upper left of the display, indicating that an Expert filter cannot be set.

Expert filters are not supported on objects at the Multicast layer.

Expert filters support a maximum of 10 objects. Make sure you have selected no more than 10 objects before using this feature.

Occasionally you will see the message: No frames are eligible for display. This message appears when one or more of the following conditions exist:

The highlighted object has not sent or received a frame
The highlighted object has been filtered out by a standard Display filter

Other Notes About Expert Filters

The Expert analyzer uses several algorithms to decide which frames are associated with a network object. Sometimes, these algorithms may eliminate frames you consider relevant.

Certain maintenance frames may not be shown. For example, if you set an Expert filter on a Novell Netware connection-layer connection, the Expert analyzer would show all those related frames with NCP layers, but would not show certain connection maintenance frames it considers irrelevant.

When you set a filter on a connection object, the frame that initiates the connection is not shown. This is because Expert does not create a connection object until the connection is completed.

When you filter on an application object, TCP continuation frames are not shown.


Displaying Context-Sensitive Explain Messages

The Expert provides an explanation of the information in each pane of the Expert window. Click inside the pane on which you need information and press F1. The Expert also provides concise explanations for each symptom and diagnosis generated. To display a detailed explanation of a symptom or diagnosis, click the question mark (?) to the right of the symptom/diagnosis description in the Expert Detail pane. You may have to scroll to the right of the pane to see the ?.

Rearranging the Expert Display

You can change the Expert display to better suit your viewing needs. You can display:

All five viewing panes at the same time (shown in Figure 7-1).
The Expert Overview and Expert Summary panes (with or without the Protocol Statistics pane). This is the default view.
The Detail tree and Expert Detail panes.

Figure 7-4 shows the default Expert display and demonstrates how to rearrange the different panes.


Click here to expand the Expert Overview pane and display the Protocol Statistics pane underneath
Click the Summary tab to display the Expert Overview and Summary panes (as shown)
Click the Objects tab to display the Detail tree and Expert Detail panes
Click to show the packet display (only available when capture is stopped)
Drag the bar up to the middle of the display to see all five panes at the same time (as in Figure 7-1)

Figure 7-4. Rearranging the Expert Window Panes

Exporting the Contents of the Expert Database

You can export the contents of the Expert analyzer's database of network objects, symptoms, and diagnoses to a file saved in comma-separated values (CSV) or HTML format. The CSV file format can easily be imported into most spreadsheet programs. Export the contents of the Expert analyzer's database by clicking Export to CSV or Export to HTML in the Expert window. For exporting to CSV file format, use the dialog box shown in Figure 7-5 to specify which portions of the database you would like to export.


Specify the path and filename for the exported contents of the Expert database.
Select the portions of the Expert's database you would like to export to the CSV file. Each checkbox corresponds to a pane in the Expert window.

Figure 7-5. Exporting the Contents of the Expert Analyzer's Database to CSV Format


Chapter 8 Displaying Captured Data

Overview

This chapter describes the postcapture display window. Once you have captured a buffer or trace file of network data, you can use the postcapture display window to analyze the data in a variety of formats, including the Expert tab, classic line-by-line decode tab, and a variety of other formats. The section includes the following major topics:

Displaying Captured Packets on page 158
Postcapture Views for Wireless Networks on page 160
Postcapture Expert Display on page 161
Postcapture Decode Display on page 162
Setting Display Filters on page 167
Setting Display Setup Options on page 177
Searching for Frames in the Decode Display on page 186
Postcapture 802.11 Decryption on page 199
Postcapture Matrix Tab on page 202
Postcapture Host Table Tab on page 206
More about the Matrix Traffic Map on page 204
Postcapture Protocol Distribution Tab on page 208
Postcapture Statistics Tab on page 210


Displaying Captured Packets

Use the Display feature to decode and view the packets stored in the capture buffer or in a capture file. The postcapture Display window provides a variety of tabs ranging from proprietary Expert analysis to classic tri-pane, line-by-line protocol decodes.

To display the contents of the capture buffer:

1. In the Sniffer window, click Stop and Display in the main toolbar during a capture session, or click Display after a capture session.

To open a capture file:

1. In the Sniffer window, select Open from the File menu.

Regardless of whether you are displaying data from the capture buffer or a trace file, the postcapture display window appears (Figure 8-1).

Postcapture display tabs. The Decode tab always appears. The other tabs appear by default, but can be disabled.

Figure 8-1. The Postcapture Display Window (Expert Tab Shown)


Each of the tabs in the postcapture window provides different views of the data in the buffer or trace file, as summarized in the table below.

Table 8-1. Postcapture Display Tabs

Expert: Displays the results of proprietary Expert analysis, showing network objects, symptoms, and diagnoses by network layer. Provides the same functionality as the real-time Expert, except for data/objects already in the capture buffer or trace file. See Postcapture Expert Display on page 161.

Decode: Provides classic, line-by-line protocol decodes in a tri-pane window. Sophisticated automatic filtering features let you select a packet in the Summary pane and automatically filter on different components of the packet (source/destination addresses, ports, and so on). See Postcapture Decode Display on page 162.

Matrix: Provides the same functionality as the real-time Matrix, except for data already in the buffer or trace file. Statistics are provided on conversations taking place on the network. See Postcapture Matrix Tab on page 202.

Host Table: Provides the same functionality as the real-time Host Table, except for data already in the buffer or trace file. Statistics are broken out for each host detected on the network. Different tabs let you focus on wireless hosts, IP hosts, MAC hosts, and so on. See Postcapture Host Table Tab on page 206.

Protocol Distribution: Provides the same functionality as the real-time Protocol Distribution view, except for data already in the buffer or trace file. Statistics are broken out by protocol family. You can focus on MAC, IP, or IPX layer protocols. See Postcapture Protocol Distribution Tab on page 208.

Statistics: Provides a variety of global statistics on the data in the buffer or trace file, including capture start/stop times, average speeds, and packet counts for a variety of basic categories. See Postcapture Statistics Tab on page 210.

Filtered Tabs

By default, display filters return the filtered frames in a new tab at the bottom of the postcapture display window. If you prefer, you can enable the Select matching option. When this option is enabled, frames matching the filter appear "marked" in the leftmost column of the active Decode tab, that is, their checkboxes are checked. See Setting Display Filters on page 167 for more information on how to use display filters in the Decode tab.

NOTE: The Matrix, Host table, Protocol Distribution, and Statistics tabs appear at the bottom of the Display window only if the Post analysis tabs box is checked on the General tab of the Display > Display Setup dialog box. Similarly, the Expert tab only appears if the Expert tab box is checked.


Postcapture Views for Wireless Networks

When working with data from a wireless network, Sniffer Portable Professional adds a number of features to its postcapture display tabs. In addition to the standard information provided in the postcapture tabs, Sniffer Portable Professional adds special 802.11 information to the tabs listed below, allowing you to concentrate on statistics specifically for wireless stations:

The Matrix, Host Table, and Protocol Distribution post-analysis tabs in the Display window each include 802.11 views, allowing you to focus specifically on 802.11 statistics for wireless stations. See Postcapture Matrix Tab on page 202, Postcapture Host Table Tab on page 206, and Postcapture Protocol Distribution Tab on page 208.

The Statistics post-analysis tab in the Display window includes many wireless-specific statistics. See Postcapture Statistics Tab on page 210.

The Decode display can completely decode 802.11 traffic. In addition, Sniffer Portable Professional can perform WEP/WPA/WPA2 decryption either during capture or after capture if the correct decryption keys are specified. See Postcapture Decode Display on page 162.


Postcapture Expert Display

The postcapture display's Expert tab provides you with the same Expert analysis features available in the Expert window during real-time capture. It shows you the network objects, symptoms, and diagnoses detected by the Expert based on the packets in the capture buffer or trace file. Symptoms and Diagnoses are Expert indications of possible network problems. You can navigate through the various panes of the real-time Expert window to look at items of interest.

IMPORTANT: The real-time Expert window is described in Real-Time Expert Display on page 131.

The Expert tab is organized in the same way as the real-time Expert window described in Real-Time Expert Display on page 131. Expert analysis results are shown in five viewing panes: Expert overview, Expert summary, protocol statistics, detail tree, and Expert detail (Figure 8-1 on page 158). These panes function together to provide Expert analysis at different network layers, as follows:

The Expert Overview pane shows network analysis layers (similar in concept to the ISO layers) and the Expert overview statistics (objects, symptoms, or diagnoses) for each layer. By selecting a combination of layer and statistic type, you control the display of Expert analysis data in the other Expert panes. Tip: You can configure the Expert Overview to be wide or narrow by clicking on the arrow icon at the upper right-hand corner of the pane.

The Expert Summary pane shows key summary information for the layer and statistic selected in the Expert Overview pane. The column headings for the Expert Summary display will change, depending on what layer and statistic you have selected.

The Protocol Statistics pane displays the amount of traffic (in frames and bytes) for each protocol encountered for the layer you selected in the Expert Overview pane. (This pane is not displayed when the Expert Overview pane is narrow.)

The Detail Tree pane shows a hierarchical listing of all layers at or below those selected in the Expert Overview and Expert Summary panes. You can expand or collapse each layer in a manner similar to Windows Explorer. Click on any item in the Detail Tree to display its Expert detail data.


The Expert Detail pane is a collection of information tables for the data selected by the other panes. The content of the Expert Detail pane will vary, depending on what items are selected in the various other panes.

Postcapture Decode Display

The Decode tab provides classic, line-by-line protocol interpretation of network data. When you display the contents of the capture buffer or a capture file, Sniffer Portable Professional interprets and decodes the higher-level protocols within the captured packets using its protocol interpreters. The Decode tab shows the results of this protocol analysis. It displays packets in three color-coded viewing panes: summary, detail, and hex:

The summary pane shows an overview of the packets captured in line-by-line summarized format.

The detail pane displays the detailed contents of the packet currently selected in the summary pane. Each layer of the protocol is interpreted and displayed. You can display the detailed protocol layers in three different views -- fully expanded decode, one-line summary, or a mixture of the two. By default, Sniffer Portable Professional expands underlying protocol layers in the detail pane. To save viewing space, click the minus (-) sign in front of the protocol sublayer line. To expand the protocol display again, click the plus (+) sign.

The hex pane shows the selected packet in hexadecimal and ASCII (or EBCDIC) format. When you select a packet on the summary pane, or a detailed protocol field in the detail pane, the equivalent hexadecimal octets in the packet are highlighted in the hex pane. This quickly shows you the correspondence between the protocol field and its equivalent bytes in the packet.

Figure 8-2 shows a sample Decode display.


Click the minus (-) sign to reduce the protocol display
Click the plus (+) sign to expand the display
The Decode tab toolbar provides shortcuts to handy functionality.
The summary pane shows an overview of the packets captured in line-by-line summarized format
The detail pane displays the detailed contents of the packet currently selected in the summary pane
The hex pane shows the selected packet in hexadecimal and ASCII (or EBCDIC) format

Figure 8-2. The Decode Tab

Navigating the Decode Tab

You navigate Decode tabs with a combination of keyboard, mouse, and toolbar, moving between the different panes and zooming as necessary to see exactly the lines you're interested in. Each pane can be resized by clicking and dragging the separator bar between the panes. Each pane also contains scroll bars that let you use the mouse to manipulate the viewing position in the pane. You can also use the cursor control keys to provide a similar function for the pane that has the focus. To maximize efficiency in scanning packets for details, follow these suggestions:


Adjust the Packet Display size, and the individual pane, to maximize the viewing area for your particular interests.
Select the starting packet of interest in the Summary pane by clicking on it.
Click the Detail pane to gain focus. The cursor movement and PgUp / PgDn keys will now apply to the Detail pane.
Use the F7 key to move to the previous packet. Use the F8 key to move to the next packet.
If you want to move the viewing area in the Detail pane, use the cursor and the Page Up / Page Down keys.
You can search for packets by selecting the Find Frame command from either the Display menu or the context menu (accessed by right-clicking on the Display window). See Searching for Frames in the Decode Display on page 186 for details.
You can copy text from the Detail pane. You can copy either a selected line in the pane (Copy Highlights in the right-click context menu or the Ctrl-C keyboard shortcut) or all of the text in the pane (Copy All in the right-click context menu

Use the keys shown in Table 8-2 to navigate the Decode display. You can also use the corresponding commands in the Display menu.

Table 8-2. Keyboard Shortcuts for the Display Pane

Page Up: View the previous page in the active pane.
Page Down: View the next page in the active pane.
Cursor Up: View the previous line in the active pane.
Cursor Down: View the next line in the active pane.
F2 - Next Selected: Move the display to the next selected packet in the summary pane.
Shift+F2 - Previous Selected: Move the display to the previous selected packet in the summary pane.
Ctrl+F2 - Select Toggle: Toggle the packet between selected and unselected state.
Alt+F3 - Find Frame: Open the Find Frame dialog box to specify what to search for in the Display pane.
F3 - Find Next Frame: Repeat the last search performed in the Find Frame dialog box.
F4 - Zoom Pane: Zoom in/out of the selected Decode pane.
F7 - Previous: View the previous packet in the summary pane.
F8 - Next: View the next packet in the summary pane.

Selecting Packets

You can select individual packets or a group of packets in the summary pane. Selecting packets allows you to mark key packets that are of interest to you, so that you can view and use them more easily. You can:

Save the selected packets to a file (Display > Save Selected).
Treat the selected packets as bookmarks, and use F2 to advance from one selected packet to the next.

Using the Decode Tab Toolbar

The Decode tab provides a toolbar at the top of the window with shortcuts to useful functionality (Figure 8-3). Each of the buttons in the toolbar is described in the table that follows.

Figure 8-3. Decode Tab Toolbar

Table 8-3. Decode Tab Toolbar Buttons

Two Station Format -- Toggles the two-station format on and off. The two-station format splits the display into left and right panes, showing traffic between two stations. See Display Setup > General Options on page 179 for details.

Show/Hide All Layers -- Toggles the Show All Layers option on and off. If enabled, the Summary pane shows one line for each protocol level contained in a frame. If disabled, only one line (for the highest enabled protocol level) is shown.

Display Setup -- Displays the Display Setup dialog box. See Setting Display Setup Options on page 177.

Automatic Filter Type Selection -- Use this dropdown to specify which information in the currently selected packet should be used to automatically populate the Define Filter dialog box's fields when you click the Define Display Filter or Add to Last Filter button. You can populate based on source/destination IP addresses, ports, and MAC addresses. See Using Automatic Display Filters on page 168.

Define Display Filter -- Displays the Define Filter dialog box with settings automatically populated based on the currently selected packet and the setting of the adjacent Filter Type Selection dropdown. See Using Automatic Display Filters on page 168.

Add to Last Filter -- Takes the type of information specified in the Filter Type Selection dropdown from the currently selected packet and adds it to the last filter used in the Define Filter dialog. See Combining Filter Components ("Add to Last Filter") on page 173 for details.

Quick Filter -- Automatically filters the display based on the selected information in the currently selected packet. For example, if the Filter Type Selection dropdown is set to Connection, clicking Quick Filter will filter the display based on the source/destination addresses and ports (that is, the connection). Use the Display > Display Setup > Packet Selection tab to specify how Quick Filters will be applied (for example, whether matching packets are returned in a new tab or shown selected in the active tab, and so on). See Using Quick Filters on page 172 for details.


Setting Display Filters

A filter applied to the display of captured data is called a display filter. Display filters let you select the packets you want to display in a Decode tab. Display filters do not affect the contents of the capture buffer. They just prevent some of the data from being displayed. You can use display filters to view only:

· Packets transmitted between network nodes (or address pairs)
· Packets that belong to one or more protocol groups
· Packets that match predefined data patterns
· Error packets
· Packets that belong to a certain size range
· Packets that match various combinations of the above specifications

IMPORTANT: Defining Filters and Triggers on page 219 provides the details on working with Sniffer filters in general - monitor, capture, and display. This section adds to that information with some additional topics specifically for display filters.

Types of Display Filters

The Sniffer provides several types of display filters:

Manual Display Filters

You can set Display filters manually in the Define Filter - Display dialog box. This dialog box is available by using the Display > Define Filter command. Then, you have full access to the standard Define Filter tabs described in Defining Filters and Triggers on page 219.

Automatic Display Filters

You can automatically populate the Define Filter - Display dialog box's tabs with filter settings based on selected portions of the currently selected packet in the Decode tab. You do this by using the dropdown at the top of the Decode tab to specify which portion of the selected packet you want to use as a filter (for example, just the source IP address) and clicking the Define Display Filter button. See Using Automatic Display Filters on page 168.


Quick Display Filters

Quick Display Filters are similar to automatic display filters - they filter the active Decode tab based on selected portions of the currently selected packet in the Decode tab. The main difference is that they take effect immediately without displaying the Define Filter dialog box first. You set Quick Filters by using the dropdown at the top of the Decode tab to specify which portion of the selected packet you want to use as a filter (for example, just the source port) and clicking the Quick Filter button.

NOTE: You set global options for how Quick Filters are applied in the Display > Display Setup > Packet Selection tab. These options specify to which packets Quick Filters should be applied (all or selected) and how results should be returned (by selecting/clearing packets in the active tab or by showing a new filtered tab at the base of the postcapture display window).

Automatic Expert Filters

You can also set automatic Expert filters that only display data associated with a particular network object, symptom, or diagnosis. You do this by displaying the Expert tab, selecting an object, symptom, or diagnosis and clicking the Display Filter button. See Setting Automatic Expert Display Filters on page 151.

Using Automatic Display Filters

You can automatically populate the Define Filter - Display dialog box's tabs with filter settings based on selected portions of the currently selected packet in the Decode tab.

To set an automatic display filter:

1. In a Decode tab, select the packet to use as a filter source.

2. Use the Automatic Filter Type Selection dropdown in the Decode toolbar to specify which portion of the packet you want to use as a filter (Figure 8-4).


Figure 8-4. Selecting the Automatic Filter Type

You can select from the following options:

Table 8-4. Automatic Filter Type Selection Options

Connection -- Use both the source/destination IP addresses and source/destination ports as a filter.
IP Source Address -- Use only the source IP address as a filter.
IP Destination Address -- Use only the destination IP address as a filter.
IP Addresses -- Use both the source and destination IP addresses as a filter (traffic flowing between these two addresses only).
Source Port -- Use only the source port as a filter.
Destination Port -- Use only the destination port as a filter.
Ports -- Use both the source and destination port as a filter.
Source Application -- Use both the source IP address and port as a filter.
Destination Application -- Use both the destination IP address and port as a filter.
MAC Addresses -- Use the source and destination MAC addresses as a filter.

3. Click the Define Display Filter button.


The Define Filter - Display dialog box appears populated based on the specified portion of the selected frame (Figure 8-5). Notice that the settings already populated in this dialog box correspond to those shown in the selected packet in the Summary pane in Figure 8-4.

Figure 8-5. Define Filter - Display Dialog Box (callouts a and b)

Note the following important points about the Define Filter - Display dialog box:

· You can change which parts of the selected frame are used for an automatic filter by clicking the dropdown at the top of the Define Filter dialog box (a in Figure 8-5) and selecting a different option.
· You can reset all Define Filter fields by clicking Reset.
· You can specify how the filter is applied and how results are returned using the Select matching, Clear selected, and Apply on selected set options (b in Figure 8-5). See Filtered Tabs or Marked Frames? on page 171 for details.

4. When you have set the options in the Define Filter - Display dialog box as desired, click Apply to filter the active tab with your filter settings.
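The following Python script, added here as an illustration and not part of Sniffer Portable Professional, models what the steps above and Table 8-4 describe: it copies the chosen portion of a selected packet into a filter, applies it to a constructed trace, and returns either a new filtered tab or the updated selection state according to the Select matching, Clear selected, and Apply on selected set options. The Packet fields, the sample trace, and the assumption that address and port pair filters match traffic in both directions are the example's own.

```python
"""Automatic / Quick display filter semantics, modelled on Table 8-4 and the
Select matching / Clear selected / Apply on selected set options.
Added example; not Sniffer code. All packet data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    num: int
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# For each Automatic Filter Type Selection option, the key that is copied from
# the selected packet into the filter. frozenset keys make the pair filters
# match traffic in both directions (an assumption about the dialog's defaults).
FILTER_KEYS = {
    "Connection": lambda p: frozenset({(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)}),
    "IP Source Address": lambda p: p.src_ip,
    "IP Destination Address": lambda p: p.dst_ip,
    "IP Addresses": lambda p: frozenset({p.src_ip, p.dst_ip}),
    "Source Port": lambda p: p.src_port,
    "Destination Port": lambda p: p.dst_port,
    "Ports": lambda p: frozenset({p.src_port, p.dst_port}),
    "Source Application": lambda p: (p.src_ip, p.src_port),
    "Destination Application": lambda p: (p.dst_ip, p.dst_port),
    "MAC Addresses": lambda p: frozenset({p.src_mac, p.dst_mac}),
}


def apply_display_filter(packets, selected, filter_type, *, select_matching=False,
                         clear_selected=False, apply_on_selected_set=False,
                         current_selection=frozenset()):
    """Return ("tab", [packet numbers]) when neither Select matching nor Clear
    selected is set (a new filtered tab), otherwise ("selection", set) with the
    updated check-box state of the Summary pane."""
    key = FILTER_KEYS[filter_type]
    target = key(selected)
    candidates = packets
    if apply_on_selected_set:
        # Only the packets already checked in the Summary pane are examined.
        candidates = [p for p in packets if p.num in current_selection]
    hits = {p.num for p in candidates if key(p) == target}
    if select_matching:
        return "selection", set(current_selection) | hits
    if clear_selected:
        return "selection", set(current_selection) - hits
    return "tab", sorted(hits)


# Constructed sample trace (not real capture data): two hosts talking to a web
# server, plus one unrelated connection.
TRACE = [
    Packet(1, "00:11:22:00:00:01", "00:11:22:00:00:02", "10.0.0.5", "10.0.0.20", 51000, 80),
    Packet(2, "00:11:22:00:00:02", "00:11:22:00:00:01", "10.0.0.20", "10.0.0.5", 80, 51000),
    Packet(3, "00:11:22:00:00:01", "00:11:22:00:00:02", "10.0.0.5", "10.0.0.20", 51001, 80),
    Packet(4, "00:11:22:00:00:03", "00:11:22:00:00:02", "10.0.0.7", "10.0.0.20", 40000, 80),
    Packet(5, "00:11:22:00:00:02", "00:11:22:00:00:03", "10.0.0.20", "10.0.0.7", 80, 40000),
    Packet(6, "00:11:22:00:00:01", "00:11:22:00:00:04", "10.0.0.5", "10.0.0.9", 51000, 443),
]


def filter_from_packet_one(filter_type, **options):
    """Convenience wrapper: use packet 1 of TRACE as the filter source."""
    return apply_display_filter(TRACE, TRACE[0], filter_type, **options)


if __name__ == "__main__":
    for name in FILTER_KEYS:
        print(f"{name:24} -> {filter_from_packet_one(name)[1]}")
```

Running the script shows, for each option in Table 8-4, which packets of the constructed trace a filter built from packet 1 would return in a new tab; the keyword options reproduce the marked-frames behaviour described under Filtered Tabs or Marked Frames?.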


Filtered Tabs or Marked Frames?

When you apply a display filter, the Sniffer examines the packets in the active tab, looking for matches. Then, it returns the matching packets, either in a new tab at the bottom of the display window (b in Figure 8-6), or by "selecting" all matching packets in the Summary pane (a in Figure 8-6). "Selected" packets appear in the Summary pane with the boxes in the leftmost column checked. Additionally, if you've enabled the Highlight selected frames option in the Display Setup > Summary Display tab, selected frames will appear highlighted in the Summary pane. You specify how you would like matching packets returned in the Define Filter dialog box's Summary tab (Figure 8-5 on page 170):

· If neither the Select matching nor Clear selected option is enabled, a new filter tab will appear each time you apply a display filter.
· If the Select matching option is enabled, the Sniffer will mark packets matching the filter in the currently active Decode tab.
· If the Clear selected option is enabled, the Sniffer will deselect packets matching the filter in the currently active Decode tab.

NOTE: Quick filters provide this same functionality. However, for Quick filters, you set the Select matching option in the Display Setup dialog box's Packet Selection tab. See Display Setup > Packet Selection Options on page 183 for details.

The "Apply on Selected Set" Option

You can also use the Apply on selected set option together with either the Select matching or Clear selected options to apply a filter to only a subset of the packets in the active Decode tab. When using the Apply on selected set option, you may want to use the Display > Select Range command to select a large set of packets quickly.

Figure 8-6. Selected Packets (callouts a and b)

Using Quick Filters

Quick Display Filters are similar to the automatic display filters described in Using Automatic Display Filters on page 168 - they filter the active Decode tab based on selected portions of the currently selected packet in the Decode tab. The main differences between Quick Filters and Automatic Display Filters are as follows:

· Quick Filters take effect immediately without displaying the Define Filter dialog box.
· The Select matching, Clear selected, and Apply on selected set options all work the same way for Quick Filters as they do for Automatic Display Filters, as described in Filtered Tabs or Marked Frames? on page 171. However, instead of using the Define Filter - Display dialog box to set these options, you set them globally for Quick Filters in the Display > Display Setup > Packet Selection tab (see Display Setup > Packet Selection Options on page 183).

To set a Quick Filter:

1. In a Decode tab, select the packet to use as a filter source.


2. Use the Automatic Filter Type Selection dropdown in the Decode toolbar to specify which portion of the packet you want to use as a filter (Figure 8-4).

Figure 8-7. Selecting the Automatic Filter Type

You can select from the same options available for Automatic Display Filters, as described in Table 8-4 on page 169.

3. Click the Quick Filter button.

The Sniffer sifts through the packets in the active tab, looking for matches. Then, it returns the matching packets, either in a new tab at the bottom of the display window (b in Figure 8-6 on page 172), or by "selecting" all matching packets in the Summary pane (a in Figure 8-6 on page 172). You choose which action the Sniffer takes by setting the options in the Display > Display Setup > Packet Selection tab (see Display Setup > Packet Selection Options on page 183).

Combining Filter Components ("Add to Last Filter")

You can use the Add to Last Filter button to add a new filter component from the currently selected packet to the last filter used in the Define Filter dialog box. For example, if the last filter you created was based on the Source Port in the selected frame, you could add source and destination addresses to the same filter by setting the Automatic Filter Type Selection dropdown to IP Addresses and clicking the Add to Last Filter button.

To use the Add to Last Filter button:

1. In a Decode tab, select the packet to use as a filter source.


2. Use the Automatic Filter Type Selection dropdown in the Decode toolbar to specify which portion of the packet you want to use as a filter (Figure 8-8).

Figure 8-8. Selecting the Automatic Filter Type

You can select from the same options available for Automatic Display Filters, as described in Table 8-4 on page 169.

3. Click the Add to Last Filter button.

The Sniffer displays the Define Filter dialog box with the specified component of the selected frame added to the last used filter definition. You can edit the settings in this dialog box, if necessary. When you are satisfied with the filter definition, click Apply to filter the active tab.

Selecting Filters / Combining Multiple Filters

You use the Display > Select Filter command to display a dialog box in which you can select display filters to apply. The dialog box lists all available filters, including:

· Capture filters. You can reuse your capture filters as display filters, if you like.
· Display filters. All display filters you have created are listed by name.

You can either use a single listed filter or check the Multiple Filter Mode option and check the boxes for multiple filters.

To select a display filter:

1. Use the Display > Select Filter command. The Select Filter dialog box appears (Figure 8-9).


Figure 8-9. The Select Filter Dialog Box

2. Do you want to use a single filter or combine multiple filters from the list?

· Multiple Filter Mode. If you want to combine multiple filters from the list, enable the Multiple Filter Mode option. Then, check the boxes corresponding to the filters you want to use. Multiple filter mode allows you to select two or more display filters to apply in the Sniffer window. Select options from the list of available filters to create a single filter using combinations of existing filters. If you select a parent category, all the filters within the category are selected automatically. When the parent category is unselected, all the filters within the category are deselected.

NOTE: When the combination filter is applied, it acts as an "OR" between the selected filters. Because of this, Multiple Filter Mode may return unexpected results when using Exclude filters (filters set to remove matching traffic). See Multiple Filter Mode and Exclude Filters on page 176 for details.

· Single Filter Mode. If you are using only a single filter, leave Single Filter Mode enabled and check the box corresponding to the filter you want to use.


Single filter mode functions as a regular, single filter. With the Single Filter Mode option, you are limited to only one filter selection in the Select Filter dialog box. Selecting one filter automatically deselects the previously selected filter. Selecting a "parent" filter is not a valid selection; you must specify a single filter within the parent grouping.

3. Use the Select matching, Clear selected, and Apply on selected set options to specify how the display filter will be applied and its results returned. See Filtered Tabs or Marked Frames? on page 171 and The "Apply on Selected Set" Option on page 171 for more information.

4. Click OK to apply the selected filter(s) on the active Decode tab.

Multiple Filter Mode and Exclude Filters

When combining multiple filters in Multiple Filter Mode, Sniffer Portable Professional joins the filters with a logical OR rather than an AND. Because of this, joining multiple Exclude filters will always result in ALL packets passing the filter and being returned. Consider the following examples:

Combining Include Filters in Multiple Filter Mode

For example, suppose you set up the following filters:

· Filter 1 includes all packets of type A
· Filter 2 includes all packets of type B

Combining these filters in Multiple Filter Mode and applying them to a trace file with packets of types A, B, and C will result in a filtered display with just packets of types A and B.

Combining Exclude Filters in Multiple Filter Mode

Now, let's apply the same logic to Exclude filters:

· Filter 1 excludes all packets of type A
· Filter 2 excludes all packets of type B

Combining these filters in Multiple Filter Mode and applying them to a trace file with packets of types A, B, and C will result in a filtered display with packets of types A, B, and C - all packets will pass the filter. This happens because the Exclude filters are joined with an OR condition between the filters. For a packet to be excluded from the filtered display, both conditions must return FALSE. If even one condition returns TRUE, the packet gets included.


The Boolean logic for this is: Not (Filter A or Filter B) = Not Filter A AND Not Filter B.
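To make the OR-versus-AND behaviour concrete, here is a short Python model of Multiple Filter Mode, added as an example and not taken from the product. Packet types A, B, and C and the three-packet trace are constructed; the filter functions are the example's own way of expressing Include and Exclude filters, and exclude_all shows the single filter (Not A AND Not B) that actually removes both types.

```python
"""Why OR-joined Exclude filters pass everything in Multiple Filter Mode.
Added example; not Sniffer code. Packet types A, B, C and the trace are constructed."""


def include(ptype):
    """Include filter: passes packets of the given type."""
    return lambda pkt: pkt["type"] == ptype


def exclude(ptype):
    """Exclude filter: passes everything except packets of the given type."""
    return lambda pkt: pkt["type"] != ptype


def multiple_filter_mode(filters):
    """Multiple Filter Mode: a packet passes if ANY selected filter passes it (OR)."""
    return lambda pkt: any(f(pkt) for f in filters)


def exclude_all(ptypes):
    """The filter usually intended when Exclude filters are combined:
    Not A AND Not B, which equals Not (A or B), expressed as ONE filter."""
    return lambda pkt: pkt["type"] not in ptypes


def apply_filter(flt, trace):
    """Return the packet numbers that pass the filter (the filtered display)."""
    return [pkt["num"] for pkt in trace if flt(pkt)]


# Constructed trace with one packet of each type.
TRACE = [{"num": 1, "type": "A"}, {"num": 2, "type": "B"}, {"num": 3, "type": "C"}]

INCLUDE_A_OR_B = multiple_filter_mode([include("A"), include("B")])
EXCLUDE_A_OR_B = multiple_filter_mode([exclude("A"), exclude("B")])
NOT_A_AND_NOT_B = exclude_all({"A", "B"})


def truth_table():
    """Per packet: (type, exclude A passes, exclude B passes, OR-joined, AND-joined).
    A packet is dropped by the OR combination only when BOTH columns are False,
    which never happens for a packet that has a single type."""
    rows = []
    for pkt in TRACE:
        ea, eb = exclude("A")(pkt), exclude("B")(pkt)
        rows.append((pkt["type"], ea, eb, ea or eb, ea and eb))
    return rows


if __name__ == "__main__":
    print("Include A OR Include B :", apply_filter(INCLUDE_A_OR_B, TRACE))
    print("Exclude A OR Exclude B :", apply_filter(EXCLUDE_A_OR_B, TRACE))
    print("Not A AND Not B        :", apply_filter(NOT_A_AND_NOT_B, TRACE))
    for row in truth_table():
        print("type %s: excl A=%s excl B=%s OR=%s AND=%s" % row)
```

The practical consequence for an analyst is the last two lines of output: the two OR-joined Exclude filters return all three packets, while a single filter that excludes both types returns only packet 3.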

Saving Sets of Filtered Frames / Creating New Windows

You can save sets of filtered frames by selecting File > Save As with a filtered tab selected. A new window is created with the set of filtered frames in it, followed by the appearance of the Save As dialog box. When you use the Save As command on a set of filtered frames, the filtered frames in the new window are renumbered sequentially with new sequence numbers - the original sequence numbers are not preserved.

You can also create new windows for filtered sets of frames by right-clicking a filtered tab and selecting the Create New Window command. A new postcapture window with just the filtered frames will appear.

For a description of how to define a filter, see Defining Filters and Triggers on page 219.

Setting Display Setup Options

You can customize the way data is displayed in the decode display. You can:

· Exclude certain subprotocols from the summary pane (this is a more detailed control than a display filter).
· Set the summary address field format (network or hardware).
· Specify whether the two-station display format should be used.
· Select optional fields to be shown in the summary display.
· Color-code packets displayed in the summary pane based on their protocol.
· Select the font for the detail display.

To set the display options:

1. Select Display Setup from the Display menu. The Display Setup dialog tabs are summarized in the following table.


Table 8-5. Display Setup Options

General -- Select which tabs show on the Display. You can show/hide the Expert tab and the post analysis tabs (Host Table, Matrix, Protocol Distribution, and Statistics). The Decode tab is always displayed. You can also set options that affect how fast data is decoded. See Display Setup > General Options on page 179.

Summary Display -- Specify the symptoms and protocol detail in the Decode Summary pane. See Display Setup > Summary Display Options on page 180.

Protocol Color -- Click here to change the colors used for protocols in the summary pane.

Protocol Expand -- Click here to set each protocol's display mode in the Detail pane to fully expanded or one-line summary.

Decode Font -- Click here to change font type, style, and size for the text in the Decode display.

Packet Selection -- Click here to specify whether or not you would like a new tab created when you are filtering in the Decode > Summary pane (Decode tab) or mark the selected packets in the Decode > Summary pane. See Display Setup > Packet Selection Options on page 183.


Display Setup > General Options

The Display > Display Setup > General tab contains options that can change the performance of Sniffer Portable Professional's decodes when working with large buffers or trace files. In previous releases, when decoding a trace file or buffer, Sniffer Portable Professional's protocol interpreters would start by performing a prescan of the entire trace or buffer. For large trace files and buffers, this process could take a long time. To address this issue, Sniffer Portable Professional provides the option of a windowed approach. Using the windowed approach, Sniffer Portable Professional starts by prescanning a user-specified portion of the trace file or buffer. When moving from window to window within the buffer or trace file, the previous prescanned information will be cleared from memory so the new window can be scanned. This way, decoded information is available more quickly. You specify both whether to use the windowed approach and the size of the window to be used in the Display > Display Setup > General tab. Set the reassembly options as follows:

Reassemble entire trace file -- Enable this option if you would like to reassemble the entire trace file or buffer before displaying decoded data. Disable this option if you would like to reassemble the trace file in "chunks."

Reassembly window size -- Use this option to specify the size (in terms of the number of frames) of the "chunk" to be reassembled and displayed. As you move between chunks, one chunk is cleared out and another is scanned. The default and minimum value for the Reassembly window size is 5000. This value is configurable, but it is recommended that you edit this value only if it is absolutely necessary.

NOTE: When Frame Slicing is enabled on the Capture > Define Filter > Buffer tab, windowed reassembly is not supported. Enabling windowed reassembly and frame slicing can result in some minor display problems.


Display Setup > Summary Display Options

The following table summarizes the options you can set in the Display Setup > Summary Display tab.

Table 8-6. Summary Display Options

Show Expert symptoms -- If enabled, the Summary display shows the last symptom found (if any) for each frame.

Show all layers -- If enabled, the Summary pane shows one line for each protocol level contained in a frame. If disabled, only one line (for the highest enabled protocol level) is shown.

Show network address -- If enabled, the Summary pane shows addresses as network addresses. If disabled, the Summary pane shows addresses as hardware (DLC) addresses.

Display vendor ID on MAC Address -- If enabled, the Summary pane shows vendor names for the first portion (manufacturer's ID) of MAC addresses instead of numerical addresses.

Resolve name on Network address -- If enabled, the Summary pane shows names for network addresses instead of numerical addresses.

Use Address Book to resolve name -- If enabled, the Summary pane will substitute names for addresses for any stations that are named in the Address Book.

Two-station format -- If enabled, splits the display into left and right panes, showing traffic between two stations. When you examine network activity, you often want to focus on traffic between a pair of stations. To do this, you can set up display filters that define the two stations and enable the Two-station format in the Summary Display tab. The two-station format shows transmissions from one station (the station that was detected first) on the left side of the screen and transmissions from the other station on the right. The Source and Destination columns from the single station display are removed. Instead, there are two columns, titled From xxx and From yyy. A frame from the station on the left is assumed to be addressed to the station on the right, and vice versa. If you do not set filters limiting the display of frames to two stations, Sniffer Portable Professional will display frames from additional stations in the usual format. Since this is inconsistent with the two-station format, it makes the feature less useful.

Highlight selected frames -- If enabled, selected frames are highlighted in the Summary pane.

Optional Fields --
· Status. Flags associated with a frame. See Packet Status Flags in the Summary Pane on page 185 for a description of the flags that can appear in the Status column.
· Absolute time. When the frame was received.
· Delta time. The interval between the current frame and the previous frame.
· Relative time. The interval between the current frame and the marked frame.
· (Len) Bytes. The frame's length.
· Cumulative bytes. The length of all frames, starting with the marked frame and including the current frame.

Exclude protocols -- Checked protocols are excluded from the Decode tab. Click All to exclude all protocols or click None to include all protocols.


Display Setup > Packet Selection Options

Use the options in the Display Setup > Packet Selection tab (Figure 8-10) to specify how Quick Filters are applied and how new tabs of filtered frames are named (the Filtered Tab Name option). Set the following options:

Table 8-7. Packet Selection Tab Options

Select Packets -- When this option is enabled, quick filters either select or clear matching packets in the active Decode tab, depending on whether Select Matching or Clear Selected is set. When this option is not enabled, quick filters return matching packets in a new tab of filtered packets.

Select Matching -- When this option is enabled, quick filters select matching packets in the active Decode tab (check the boxes in the leftmost column of the Summary pane).

Clear Selected -- When this option is enabled, quick filters clear the selection of matching packets in the active Decode tab.

Apply on Selected Set -- When this option is enabled, quick filters are applied only to the currently selected packets in the active Decode tab.

Filtered Tab Name -- Use this option to specify how new tabs of filtered frames are named. New tabs will be added using the name you specify here along with a sequence number.


Figure 8-10. Display Setup > Packet Selection Options


Packet Status Flags in the Summary Pane

For most network topologies, the Status column in the Summary pane is empty if the packet is normal with no errors, symptoms, or diagnoses associated with it. The exceptions to this rule are as follows:

· For data captured from a wireless LAN, the Status column indicates the wireless LAN channel from which the packet was captured inside brackets. For example, an entry of [1] in the Status column indicates that the corresponding packet was captured from wireless LAN channel number 1.

Otherwise, Table 8-8 lists the flags used in the Status column of the Summary pane. Note that any of the flags associated with error frames (CRC, Jabber, Runt, and so on) require an enhanced driver for detection and reporting.

Table 8-8. Status Flags

M -- Packet is marked. Mark a packet to return quickly to a particular spot in a decoded set of frames.
A -- Packet was captured from Port A on the pod or adapter card.
B -- Packet was captured from Port B on the pod or adapter card.
# -- Packet has a symptom or diagnosis associated with it.
Trigger -- Packet is an event filter trigger.
CRC -- CRC error packet with normal packet size.
Jabber -- CRC error packet with oversize error.
Runt -- Packet size is less than 64 bytes (including the 4 CRC bytes) but with valid CRC.
Fragment -- Packet size is less than 64 bytes (including the 4 CRC bytes) with CRC error.
Oversize -- Packet size is more than 1518 (including the 4 CRC bytes) but with valid CRC.
Collision -- Packet was damaged by a collision.
Alignment -- Packet length is not an integer multiple of 8 bits.
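As an added example (not Sniffer code), the Python function below derives the Status-column entries for a frame from its received length and CRC result using the size limits and rules in Table 8-8, including the wireless channel case described above. Lengths are taken in bits so that an Alignment error can be expressed; the frame records, keyword names, and the order in which flags are listed are constructed for the example.

```python
"""Status-column flags for a captured frame, following Table 8-8.
Added example, not Sniffer code; the frame records below are constructed."""

MIN_FRAME_BYTES = 64     # minimum legal Ethernet frame, including the 4 CRC bytes
MAX_FRAME_BYTES = 1518   # maximum legal Ethernet frame, including the 4 CRC bytes


def status_flags(length_bits, crc_ok, *, collision=False, marked=False,
                 port=None, has_symptom=False, trigger=False, wlan_channel=None):
    """Return the list of Status-column entries for one frame.

    length_bits is the received length in bits so that an Alignment error
    (a length that is not a whole number of octets) can be represented.
    In the product, the error-frame flags (CRC, Jabber, Runt, Fragment,
    Oversize, Collision, Alignment) only appear when an enhanced driver
    reports them; this model assumes they are available.
    """
    if wlan_channel is not None:
        # Wireless captures show the channel number in brackets instead.
        return [f"[{wlan_channel}]"]

    flags = []
    if marked:
        flags.append("M")
    if port in ("A", "B"):
        flags.append(port)
    if has_symptom:
        flags.append("#")
    if trigger:
        flags.append("Trigger")
    if collision:
        flags.append("Collision")
    if length_bits % 8:
        flags.append("Alignment")

    # Size-based flags use whole octets; the CRC result decides which of the
    # two flags applies inside each size band.
    length = length_bits // 8
    if length < MIN_FRAME_BYTES:
        flags.append("Runt" if crc_ok else "Fragment")
    elif length > MAX_FRAME_BYTES:
        flags.append("Oversize" if crc_ok else "Jabber")
    elif not crc_ok:
        flags.append("CRC")
    return flags


def summary_column(frames):
    """Render the Status column: one string per frame, empty for normal frames."""
    return [" ".join(status_flags(**f)) for f in frames]


# Constructed frames (not from a real capture).
SAMPLE_FRAMES = [
    {"length_bits": 64 * 8, "crc_ok": True},            # normal minimum-size frame
    {"length_bits": 60 * 8, "crc_ok": True},            # Runt
    {"length_bits": 60 * 8, "crc_ok": False},           # Fragment
    {"length_bits": 1600 * 8, "crc_ok": True},          # Oversize
    {"length_bits": 1600 * 8, "crc_ok": False},         # Jabber
    {"length_bits": 1000 * 8, "crc_ok": False},         # CRC
    {"length_bits": 1000 * 8 + 3, "crc_ok": False},     # Alignment plus CRC
    {"length_bits": 512 * 8, "crc_ok": True, "marked": True, "port": "A", "has_symptom": True},
    {"length_bits": 300 * 8, "crc_ok": True, "wlan_channel": 1},   # wireless: channel shown
]

if __name__ == "__main__":
    for num, status in enumerate(summary_column(SAMPLE_FRAMES), start=1):
        print(f"{num:3}  {status}")
```

The two size bands and the CRC result are what separate the four error flags that are easy to confuse: Runt versus Fragment below 64 bytes, Oversize versus Jabber above 1518 bytes.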


Searching for Frames in the Decode Display

Because the Decode display can include thousands and thousands of frames, it can be useful to search for particular frames. Using the Sniffer's powerful search abilities, you can search for frames in the Decode display that match a text string, a certain data pattern, a certain status flag, or have an Expert symptom or diagnosis associated with them.

NOTE: In addition to searching for frames, you can also advance to a particular frame in the Decode tab by specifying its number. Do this by selecting the Go to Frame command from the Display menu and supplying the frame number in the dialog box that appears.

Use the Find Frame dialog box to search for frames. Display the Find Frame dialog box using any of the following commands:

· Select Find Frame from the Display menu.
· Select Find Frame from the Decode tab's context menu (activated by right-clicking anywhere on the Decode tab).
· Use the Alt-F3 keyboard shortcut.

The Find Frame dialog box contains the following tabs:

Text -- The Text tab lets you search for frames containing a specified text string.
Time -- The Time tab lets you search for frames with specific text in the delta, relative, or absolute time fields.
Data -- The Data tab lets you search for frames containing a specified data pattern.
Status -- The Status tab lets you search for frames with a particular status flag.
Expert -- The Expert tab lets you search for frames with a particular associated Expert symptom or diagnosis.

The following sections describe how to perform searches from each of these tabs.


Searching for Frames Matching Text Strings

To search for packets matching a text string:

1. Display the Find Frame dialog box using any of the following commands:

· Select Find Frame from the Display menu.
· Select Find Frame from the Decode tab's context menu (activated by right-clicking anywhere on the Decode tab).
· Use the Alt-F3 keyboard shortcut.

2. Click the Text tab.

3. Enter the text to search for in the field provided. The dropdown list includes previously performed text searches.

4. Specify in which portion of the Decode tab to search for the specified text, using the options provided.

5. Specify whether the search is case-sensitive using the Match case option.

6. Specify the search direction.

7. Click OK. If the string is found, the frame containing the pattern will be displayed in the Decode Display. Press F3 to search for the next packet matching the same criteria.

Figure 8-11. Text Tab of the Find Frame Dialog Box


Searching for Frames Matching Time Criteria

To search for frames matching time criteria:

1. Display the Find Frame dialog box using any of the following commands:

· Select Find Frame from the Display menu.
· Select Find Frame from the Decode tab's context menu (activated by right-clicking anywhere on the Decode tab).
· Use the Alt-F3 keyboard shortcut.

2. Click the Time tab. Search for packets with specific text in the Delta Time, Relative Time, or Absolute Time fields in the Summary pane here.

· To search for a value in the Delta Time field, enable the Delta Time option and supply the text to search for.
· To search for a value in the Relative Time field, enable the Relative Time option and supply the text to search for.
· To search for a value in the Absolute Time field, enable the Absolute Time option and use the dropdown fields to select the value to search for.

NOTE: You can select any combination of values in the dropdown lists. Leaving a field blank will cause the search to accept any value for that field.

3. Use the Up and Down fields to specify whether to search in an upward or downward direction from the currently selected frame.

4. Use the Search Condition fields to specify which type of search you would like to perform, as follows:

· Simple Partial Search -- A simple partial search will find any occurrence of the specified value anywhere within the specified field.
· Advanced Complete Search -- An advanced complete search will find an exact match only.

5. Click OK.

188

Sniffer Portable Professional

Displaying Captured Data

Figure 8-12. Time Tab of the Find Frame Dialog Box


Searching for Frames Matching Data Patterns

You can also search for a data pattern taken from a packet already in the capture; see Searching for Data Patterns using a Pattern from a Known Packet.

To search for frames matching specific data patterns:

1. Display the Find Frame dialog box using any of the following commands:
   - Select Find Frame from the Display menu.
   - Select Find Frame from the Decode tab's context menu (activated by right-clicking anywhere on the Decode tab).
   - Use the Alt-F3 keyboard shortcut.

2. Click the Data tab.

3. From the From dropdown list, specify whether to search for data from a packet, a protocol, or either.

4. In the Offset field, specify the offset at which to search for the specified pattern.

5. From the Format field, specify the format in which the data to search for is specified.

6. Click Up or Down to specify the search direction.

7. Click OK.

NOTE: If desired, click Reset to reset all the fields in the Data tab to start a new search.


Figure 8-13. Data Tab of the Find Frame Dialog Box


Searching for Data Patterns using a Pattern from a Known Packet

Besides the method described in Searching for Frames Matching Data Patterns, the easiest way to search for a data pattern is to use a pattern from a known packet.

To search for data patterns using a pattern from a known packet:

1. Locate and highlight either:
   - A packet in the Summary pane.
   - A protocol field or a data pattern in the Detail pane.

2. Open the Find Frame dialog box by selecting the Find Frame command from the Display menu (or from the context menu). Select the Data tab.

3. If you selected a packet in the Summary pane, the Data tab already contains some data from the selected packet. If you selected a protocol field or data pattern in the Detail pane, the Data tab already contains the selected field or pattern.

4. Set the From list box to Don't Care.

5. You can click the Set Data button to open the Set Data dialog box, which contains a line-by-line decode of the selected packet.

   Figure 8-14. The Set Data Dialog Box

6. Select a line from the Set Data dialog box and click OK. The data from the selected line is placed in the data pattern area of the Find Frame dialog box.

7. Adjust the data and the length if necessary.

8. Click OK to start the search. If a pattern match is found, the packet containing the pattern is displayed in the Decode Display. Press F3 to search for the next packet.

Searching for Frames Matching Packet Status Flags

To search for packets with a particular Status flag:

1. Display the Find Frame dialog box using any of the following commands:
   - Select Find Frame from the Display menu.
   - Select Find Frame from the Decode tab's context menu (activated by right-clicking anywhere on the Decode tab).
   - Use the Alt-F3 keyboard shortcut.

2. Click the Status tab.

3. Select the status flag(s) to search for.

4. Click Up or Down to specify the search direction.

5. Click OK. If a frame with one of the specified flags is found, the frame containing the flag is displayed in the Decode Display. Press F3 to search for the next packet matching the same criteria.

NOTE: Some Status flags require an enhanced driver to detect. Because Sniffer Portable Professional no longer includes enhanced drivers for Ethernet, searching for the corresponding Status flag will often produce no results.

For descriptions of the various possible packet status flags, see Packet Status Flags in the Summary Pane on page 185.


Figure 8-15. Status Tab of the Find Frame Dialog Box


Searching for Frames with Expert Alarms

To search for packets exhibiting a particular Expert symptom or diagnosis:

1. Display the Find Frame dialog box using any of the following commands:
   - Select Find Frame from the Display menu.
   - Select Find Frame from the Decode tab's context menu (activated by right-clicking anywhere on the Decode tab).
   - Use the Alt-F3 keyboard shortcut.

2. Click the Expert tab.

3. Select the Expert alarm to search for from the dropdown list provided. The list includes each of the Expert alarms found somewhere in the currently displayed Decode tab.

4. Click Up or Down to specify the search direction.

5. Click OK. If a frame exhibiting the specified Expert alarm is found, the frame is displayed in the Decode Display. Press F3 to search for the next packet matching the same criteria.

Figure 8-16. Expert Tab of the Find Frame Dialog Box


Printing Decoded Packets

You can print the decoded data packets in the Decode Display. You can print a line-by-line list of the packets in the Summary pane, a list of protocol fields in the Detail pane, the hex data in the Hex pane, or a combination of any of the three panes. To print decoded packets, select Print from the File menu to display the Print dialog box. Use this dialog box as follows:

- In the Print Range area, select the range of packets you want to print.
- In the Format area, select which panes (Summary, Detail, Hex) you want to print and whether to print the data in comma-separated values format for import into a spreadsheet application. If you enable the CSV Format and Print to file options, you may want to replace the default .PRN extension for printed output with a .CSV extension. The .CSV extension tells most spreadsheet applications (including MS-Excel) to expect comma-delimited data and import it accordingly (that is, with each comma-separated value in its own column).

  NOTE: If you open a CSV Format file saved with the default .PRN extension in MS-Excel, you are prompted to supply the character used for the delimiter in the file. As you would expect when the CSV Format option is enabled, the delimiter used in the saved output file is a comma.

- Check the Print to File option to output the decoded data packets to a file.

During printing, you can use the Abort Printing toolbar button or the File > Abort Printing menu selection to abort the current print job.

Changing the Format of Printed Summary Pane Data

You can control which optional fields in the Summary pane are included in printed output, and the order in which they are printed. Summary pane fields are printed in a "what you see is what you get" ("WYSIWYG") format -- columns in the pane are printed in the same order in which they are shown in the Decode display. Because of this, you can use the following techniques to control the format of printed summary data:

- Use the Optional Fields list in the Summary Display tab of the Display > Display Setup dialog box to specify which optional fields are included in the Summary pane display. The only optional fields included in printed output are those enabled in this list. However, printed output always includes the standard non-optional frame number, source address, destination address, and summary text fields. See Display Setup > Summary Display Options on page 180 for information on specifying optional fields for the Summary pane.

- Use standard drag-and-drop techniques to rearrange the columns in the Summary pane. Summary pane fields are printed in the same order in which they are shown in the Decode display.

NOTE: Although you can resize columns in the Summary pane display using standard click-and-drag techniques, columns in printed Summary pane output are automatically resized to accommodate the largest entry in a given column. This way, data is not inadvertently truncated in printed output.

The Summary Field in Printed Summary Pane Data

The Summary pane of the Decode Display always includes a Summary column. The data in this column provides a quick synopsis of the packet in question -- its highest layer protocol, the frame type, any pertinent status flags, and so on. The width of the data in the Summary column can vary widely and is often much wider than the other columns in the Summary pane. Because of this, the Sniffer treats Summary column data as follows in printed output:

- When packets are printed with the CSV Format option enabled, the Summary column is on the same line as the rest of the data for a given packet (Source Address, Dest Address, and so on).

- When packets are printed without the CSV Format option enabled (either to a printer or to a file), the Summary column is on its own line immediately following a line containing the rest of the information for the packet (Status, Source Address, Dest Address, and so on, depending on the current selections in Display > Display Setup > Summary Display and your own drag-and-drop settings).


Using Protocol Forcing

Protocol forcing is useful when capturing frames that use a mixture of standard and non-standard (for example, proprietary) protocols that the Sniffer Portable Professional might not otherwise be able to decode. For example, in some situations, networks may include standard IP data within a proprietary lower layer packet format unknown to the analyzer. Protocol forcing essentially lets you tell the analyzer "if you see this condition, skip this many bytes (to where the standard data is), then apply this protocol interpreter." You specify protocol forcing rules in the Protocol Forcing tab of the Options dialog box, displayed by selecting the Options command from the analyzer's Tools menu (sample shown in Figure 8-17).

You can define up to four rules. Checked rules are enabled and applied to decoded data. Each rule has three parts, corresponding to the fields called out in Figure 8-17:

- If: Use the drop-down list to specify the protocol that should be used as the "force from" protocol. When the analyzer encounters this condition, it skips the number of bytes specified in the Skip x bytes field and applies the protocol interpreter specified in the Then field.
- Skip x bytes: Specify the number of bytes to skip once the "If" condition is detected.
- Then: Use the drop-down list to specify the protocol that should be used as the "force to" protocol (that is, the protocol to be expected at the offset you specified in the Skip x bytes field).

Figure 8-17. Defining Protocol Forcing Rules
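As an added illustration (not the analyzer's own code), the following Python models what a protocol forcing rule does to the decode: a constructed Ethernet frame carries a vendor-private encapsulation under the IEEE local-experimental EtherType 0x88B5 with a 6-byte private header in front of a standard IPv4 header, and the rule "If ETHERTYPE 0x88B5, skip 6 bytes, then IP" lets the IP interpreter run at the right offset. The rule naming, the 6-byte header, and the IPv4-only interpreter table are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample (assumption, not from the analyzer): a vendor-private
# encapsulation with the IEEE local-experimental EtherType 0x88B5, a 6-byte
# private header, then a standard IPv4 header.
PRIVATE_ETHERTYPE = 0x88B5
PRIVATE_HEADER_LEN = 6


@dataclass
class ForcingRule:
    """One row of the Protocol Forcing tab: If <force_from>, Skip x bytes, Then <force_to>."""
    force_from: str        # the "If" condition, named here as "ETHERTYPE 0x88B5" (assumed naming)
    skip_bytes: int        # the "Skip x bytes" field
    force_to: str          # the "Then" interpreter, e.g. "IP"
    enabled: bool = True   # only checked rules are applied


def decode_ipv4(payload: bytes) -> Dict[str, object]:
    """Minimal IPv4 header interpreter; rejects bytes that are not an IPv4 header."""
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", payload[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("payload at forced offset is not an IPv4 header")
    return {"protocol": "IP", "version": version, "ihl": ihl,
            "total_length": total_len, "ttl": ttl, "ip_proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


INTERPRETERS: Dict[str, Callable[[bytes], Dict[str, object]]] = {"IP": decode_ipv4}
ETHERTYPE_TABLE = {0x0800: "IP"}   # standard mapping the analyzer already knows


def decode_frame(frame: bytes, rules: List[ForcingRule]) -> Dict[str, object]:
    """Decode the Ethernet header, then the upper protocol. A known EtherType is
    dispatched directly; an unknown one is matched against the enabled forcing
    rules, the configured bytes are skipped, and the 'Then' interpreter is applied."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result: Dict[str, object] = {"dst_mac": frame[:6].hex(":"),
                                 "src_mac": frame[6:12].hex(":"),
                                 "ethertype": ethertype}
    payload = frame[14:]
    upper = ETHERTYPE_TABLE.get(ethertype)
    if upper is None:
        condition = f"ETHERTYPE 0x{ethertype:04X}"
        rule = next((r for r in rules if r.enabled and r.force_from == condition), None)
        if rule is None:
            result["decoded"] = "unknown EtherType"   # without a rule the decode stops here
            return result
        if rule.skip_bytes > len(payload):
            raise ValueError("skip count exceeds payload length")
        payload = payload[rule.skip_bytes:]
        upper = rule.force_to
        result["forced"] = f"{condition}: skip {rule.skip_bytes} bytes, then {upper}"
    result["decoded"] = INTERPRETERS[upper](payload)
    return result


def build_sample_frame() -> bytes:
    """Constructed frame: Ethernet + 6-byte private header + IPv4 (TCP, 192.0.2.10 -> 198.51.100.7)."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", PRIVATE_ETHERTYPE))
    private_hdr = b"\xA5" * PRIVATE_HEADER_LEN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return eth + private_hdr + ip + bytes(20)   # 20 zero bytes stand in for a TCP header


if __name__ == "__main__":
    frame = build_sample_frame()
    print("without rule:", decode_frame(frame, [])["decoded"])
    rule = ForcingRule("ETHERTYPE 0x88B5", PRIVATE_HEADER_LEN, "IP")
    print("with rule:   ", decode_frame(frame, [rule])["decoded"])
```

A skip count that does not land exactly on the IP header makes the interpreter reject the bytes, which is the symptom to look for when a forcing rule appears not to work.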


Postcapture 802.11 Decryption

Sniffer Portable Professional can decrypt and decode 802.11 packets encrypted with either WPA/WPA2 or WEP both during and after capture. As described in Configuring Wireless Encryption Settings on page 56, you use the Tools > Wireless > Encryption options to configure the automatic decryption of encrypted data on wireless networks during capture. However, you can also perform decryption on trace files containing frames encrypted with a known WPA passphrase or WEP key set but not decrypted during capture. There are two ways to do this:

- Use the integrated decryption utility accessed from the Decode tab's context menu.
- Use the standalone WLAN Decryption utility located at C:\Program Files\NetScout\Sniffer Portable\bin\WLANDecrypt.exe.

Both approaches do the same thing -- decrypt wireless data with supplied decryption keys. The major difference is that the standalone utility takes a trace file as input and outputs a decrypted trace file.

To perform offline decryption of encrypted wireless data:

1. Display the Decode tab of a trace file or capture buffer containing frames encrypted with a known WPA passphrase or WEP key set but not decrypted during capture.

2. Right-click in the Summary, Detail, or Hex pane to activate the Decode tab's context menu.

3. Select Wireless Decryption to open the Select WEP - WPA Keys dialog box. A sample is shown in Figure 8-18.


Sniffer Portable Professional can decrypt both WPA/WPA2 and WEP encrypted packets simultaneously.

Use these options to specify the keys to use for decryption of WEP-encrypted data. WEP is an early 802.11 encryption technology and is not as commonly seen as WPA-WPA2.

Use these options to specify the passphrase used to decrypt data on different SSIDs (wireless networks).

Figure 8-18. Select WEP - WPA Keys Dialog Box

Use the Select WEP-WPA Keys dialog box (Figure 8-18) to specify the WEP and/or WPA keys to be used for decrypting the data in the selected buffer or trace file.

4. To specify new WEP keys for decryption, start by setting the WEP Key Entry Mode option to specify whether to enter the keys in Hex or ASCII. Then, enter up to four separate encryption keys. For each key, do the following:

   a. Specify the length of the key by selecting the appropriate option. Keys can be None, 40-bit, or 128-bit. Use the None option if no encryption is used on the network. Depending on the length of the key specified, some or all of the adjacent fields become active, enabling you to specify the keys in use.

   b. Specify the exact value for each key in the adjoining spaces provided.

   NOTE: The four encryption keys in use on a WEP-encrypted network are all typically the same length -- either 40-bit or 128-bit.

5. To specify new WPA-WPA2 keys for decryption:

   a. Turn on the encryption key by checking its On radio button.

   b. Specify the SSID for the WPA/WPA2-encrypted network. This is typically a short string used to identify a wireless network (for example, labnet).

   c. WPA/WPA2 encryption relies on a pre-shared passphrase for encryption. Enter the passphrase associated with this SSID.

   d. Repeat Step a through Step c for each SSID you expect Sniffer Portable Professional to monitor.

6. Click OK on the Select WEP-WPA Keys dialog box. Sniffer Portable Professional attempts to use the specified keys to decrypt the data in the selected buffer or trace file and opens a new window with the results. If you specified the correct keys, the new window displays the newly-decrypted data. You can save the decrypted data to a new trace file using the usual File > Save command.

IMPORTANT: Make sure the data to decrypt includes four EAPOL Exchange packets for each SSID/passphrase combination you have entered. You can obtain these packets by capturing the Client to AP association packets. If these EAPOL Exchange packets are not present, the corresponding WPA/WPA2-encrypted packets cannot be decrypted.

NOTE: An easy way to determine whether you have entered the correct WEP keys is to check for the presence of a large number of WEP-ICV Error Expert alarms. If there are an abnormally large number of these alarms, you probably have not entered the correct WEP keys for the encrypted data in the selected buffer or trace file.
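The IMPORTANT note above is the usual reason postcapture WPA/WPA2 decryption of your own network's trace produces nothing: the four EAPOL-Key (4-way handshake) packets for that SSID are missing. The following Python, an added example and not Sniffer code, classifies EAPOL-Key frames as handshake messages 1 to 4 from their Key Information bits and reports, per SSID in your key list, whether a complete set exists for any station. It assumes frames have already been tagged with the SSID and station address (in a real trace you would take these from the BSSID and the beacon's SSID); the EAPOL-Key layout follows IEEE 802.11/802.1X.

```python
import struct
from typing import Dict, List, Optional, Set

EAPOL_TYPE_KEY = 3
# Key Information bit masks of the EAPOL-Key frame (IEEE 802.11)
KEY_PAIRWISE = 1 << 3
KEY_INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
KEY_SECURE = 1 << 9


def handshake_message(eapol: bytes) -> Optional[int]:
    """Return 1..4 for a pairwise 4-way handshake message, None for anything else."""
    if len(eapol) < 7:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", eapol[:4])
    if ptype != EAPOL_TYPE_KEY or len(eapol) < 4 + body_len:
        return None
    descriptor = eapol[4]
    if descriptor not in (2, 254):          # 2 = RSN (WPA2), 254 = WPA
        return None
    key_info = struct.unpack("!H", eapol[5:7])[0]
    if not key_info & KEY_PAIRWISE:
        return None                         # group-key handshake: not needed here
    ack, mic = bool(key_info & KEY_ACK), bool(key_info & KEY_MIC)
    install, secure = bool(key_info & KEY_INSTALL), bool(key_info & KEY_SECURE)
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if not ack and mic:
        return 4 if secure else 2           # Secure bit separates M4 from M2
    return None


def handshake_status(records: List[Dict[str, object]], ssids: List[str]) -> Dict[str, Dict[str, object]]:
    """For each SSID in the key list: which stations have all four messages, which are partial."""
    seen: Dict[str, Dict[str, Set[int]]] = {ssid: {} for ssid in ssids}
    for rec in records:
        ssid = str(rec["ssid"])
        if ssid not in seen:
            continue
        msg = handshake_message(bytes(rec["eapol"]))
        if msg is not None:
            seen[ssid].setdefault(str(rec["station"]), set()).add(msg)
    report: Dict[str, Dict[str, object]] = {}
    for ssid, stations in seen.items():
        complete = sorted(st for st, msgs in stations.items() if msgs == {1, 2, 3, 4})
        partial = {st: sorted(msgs) for st, msgs in stations.items() if msgs != {1, 2, 3, 4}}
        report[ssid] = {"complete_stations": complete, "partial_stations": partial,
                        "decryptable": bool(complete)}
    return report


def make_eapol_key(key_info: int, descriptor: int = 2) -> bytes:
    """Build a minimal EAPOL-Key frame with the given Key Information (constructed; nonce/MIC zeroed)."""
    body = (struct.pack("!BHH", descriptor, key_info, 16)
            + bytes(8 + 32 + 16 + 8 + 8 + 16)      # replay counter, nonce, IV, RSC, ID, MIC
            + struct.pack("!H", 0))                 # key data length
    return struct.pack("!BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


def sample_records() -> List[Dict[str, object]]:
    """Constructed trace: 'labnet' has a full handshake for one station; 'guestnet' saw only M1 and M2."""
    v2 = 2  # descriptor version 2: HMAC-SHA1-128 MIC, AES key wrap
    m1 = make_eapol_key(v2 | KEY_PAIRWISE | KEY_ACK)
    m2 = make_eapol_key(v2 | KEY_PAIRWISE | KEY_MIC)
    m3 = make_eapol_key(v2 | KEY_PAIRWISE | KEY_INSTALL | KEY_ACK | KEY_MIC | KEY_SECURE)
    m4 = make_eapol_key(v2 | KEY_PAIRWISE | KEY_MIC | KEY_SECURE)
    sta_a, sta_b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    return ([{"ssid": "labnet", "station": sta_a, "eapol": m} for m in (m1, m2, m3, m4)]
            + [{"ssid": "guestnet", "station": sta_b, "eapol": m} for m in (m1, m2)])


if __name__ == "__main__":
    for ssid, info in handshake_status(sample_records(), ["labnet", "guestnet"]).items():
        print(ssid, "decryptable" if info["decryptable"] else "NOT decryptable", info)
```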


Postcapture Matrix Tab

The Matrix tab collects statistics for conversations between network nodes. For LANs, the matrix tab accumulates MAC, IP network, IP application, IPX network, and IPX transport-layer information. Sniffer Portable Professional also provides an additional 802.11 view for wireless LANs that allows you to concentrate on information specifically for wireless stations. You can view accumulated data as a traffic map, as a table, or as a bar or pie chart.

The traffic map provides a bird's-eye view of network traffic patterns between nodes. You can filter out unwanted traffic by unchecking certain protocols, or by selecting specific network nodes to display. The matrix tables display traffic count statistics for node pairs:

- The outline table provides a quick summary of total bytes and packets transmitted between pairs of network nodes.
- The detail table provides a quick summary of the higher layer protocol type and its traffic load transmitted in and out of each conversation node pair.

You can sort a matrix table by clicking a column heading (for example, to sort the statistics by packets, click the Packets column heading). Click a second time to sort in reverse order.

The bar chart displays the top 10 busiest conversation node pairs. The pie chart displays the top 10 busiest conversation node pairs as relative percentages of the total load of traffic.

In all views, you can display conversation traffic at the link layer, MAC layer, or selectively view only the IP or IPX layers. In the table views, you can export the statistics for tabulation or charting. Figure 8-19 shows the Matrix display (bar chart view) and toolbar.


Figure 8-19. Matrix Display (Bar Chart View) and Toolbar

Toolbar buttons called out in Figure 8-19: Sort criteria (bar and pie chart), Detail table view, Export data to spreadsheet (table views only), Export data to HTML (table views only), Bar chart view, Pie chart view, Traffic map view, Outline table view, Define visual filter, Select layer.


More about the Matrix Traffic Map

The traffic map in the postcapture Matrix tab is a powerful tool that gives you a bird's-eye view of the network traffic patterns captured in the packet buffer. It gives a complete graphical presentation of the traffic pattern between network nodes, as well as the type of protocol used for communications.

To view the traffic map from the Packet Display:

1. Select the Matrix tab on the bottom of the postcapture Display window. If you do not see the Matrix tab, make sure that the Show Post Analysis tabs option in the Display Setup dialog box's General tab is enabled.

2. Click the traffic map button. A traffic map showing conversation load and protocol type is displayed.

To view traffic at a different layer:

1. Open the drop-down list on the upper left corner of the traffic map.

2. Select the layer at which you want to view traffic (for example, IP or IPX). A traffic map showing conversation load and protocol type at the selected layer is displayed.

Using a Visual Filter in the Traffic Map

The traffic map can be used to automatically define a filter. You can select stations and particular protocols displayed on the traffic map, and Sniffer Portable Professional automatically configures a filter to match your selections.

To use the Traffic Map to define a filter:

1. Select the Matrix tab on the bottom of the postcapture Display window. If you do not see the Matrix tab, make sure that the Show Post Analysis tabs option in the Display Setup dialog box's General tab is enabled.

2. On the pull-down window, select the protocol suite. In the left column, select one or more sub-protocols to display.

3. Highlight any network node(s) you want to filter for. To select more than one node, hold the Ctrl key down while you click additional nodes.

4. Click the Define Filter button. Depending on the settings in the Display Setup dialog box's Packet Selection tab, the Sniffer either marks all matching packets in the Decode tab (Select Packets > Select Matching) or creates a new Decode tab with just the filtered packets, based on the network node and protocol selections you made.

NOTE: For more information on the Packet Selection tab, see Display Setup > Packet Selection Options on page 183.

Using the Matrix Map to Identify the Others Protocol Type

The traffic map's capacity to create a visual filter provides an ideal way to investigate Others protocol types in the capture buffer. Others are protocols that do not fall into the protocol categories predefined by Sniffer Portable Professional.

To define a filter to select Other protocol packets to display in the Packet Display window:

1. Select the Matrix tab on the bottom of the Packet Display window.

2. Uncheck all protocols listed in the traffic map except the Others box.

3. Click the Define Filter button. Depending on the settings in the Display Setup dialog box's Packet Selection tab, the Sniffer either marks all matching packets in the Decode tab (Select Packets > Select Matching) or creates a new Decode tab with just the Other packets.

NOTE: For more information on the Packet Selection tab, see Display Setup > Packet Selection Options on page 183.


Postcapture Host Table Tab

The Host Table collects each network node's traffic statistics. For LANs, the Host Table accumulates MAC, IP network, IP application, IPX network, and IPX transport-layer information. Sniffer Portable Professional also provides an additional 802.11 view for wireless LANs that allows you to concentrate on traffic statistics specifically for wireless stations. You can view accumulated data as a table, bar chart, or pie chart.

The table views display traffic count statistics for each network node:

- The outline table provides a quick summary of total bytes and packets transmitted in and out of each network node.
- The detail table provides a quick summary of the higher layer protocol type and its traffic load transmitted in and out of each network node.

You can sort a host table by clicking a column heading (for example, to sort the statistics by incoming packets, click the In Pkts column heading). Click a second time to sort in reverse order.

The bar chart displays the 10 busiest host nodes in real time. The pie chart displays the 10 busiest host nodes as relative percentages of the total load of traffic.

In all views, you can display traffic at the link layer, MAC layer, or selectively view only the IP or IPX layers. In the table views, you can export the statistics for tabulation or charting. Figure 8-20 shows the Host Table display and toolbar.


Figure 8-20. Host Table Display (Outline Table View) and Toolbar

Toolbar buttons called out in Figure 8-20: Bar chart view, Outline table view, Sort criteria (bar and pie chart), Export to HTML (table views only), Detail table view, Pie chart view, Export data to spreadsheet (table views only), Select MAC, IP, or IPX layer. In the outline table, click the plus (+) sign to see protocol information and the minus (-) sign to hide it.


Postcapture Protocol Distribution Tab

The Protocol Distribution tab reports network usage based on the network-, transport-, and application-layer protocols. For example, you can monitor IPX/SPX, TCP/IP, NetBIOS, AppleTalk, DECnet, SNA, Banyan, and many other protocols. Protocol distribution monitors popular IP applications, such as NFS, FTP, Telnet, SMTP, POP2, POP3, HTTP (WWW), Gopher, NNTP, SNMP, X-Window, and others. It also monitors IPX transport-layer protocols such as NCP, SAP, RIP, NetBIOS, Diagnostic, Serialization, NMPI, NLSP, SNMP, and SPX. Sniffer Portable Professional also provides an additional 802.11 view that allows you to view network usage by 802.11 frame types (for example, Association Requests, Probe Requests, Beacons, and so on). You can view the protocol distribution in a table, or as a bar or pie chart. You can also view the number and percentage of packets or bytes for a protocol. Sniffer Portable Professional lets you export the protocol distribution data for tabulation or charting. To export data, the display must be in the table view. Figure 8-21 shows the Protocol Distribution display and toolbar.


Figure 8-21. Protocol Distribution Display (Pie Chart View) and Toolbar

Toolbar buttons called out in Figure 8-21: Pie chart view, Table view, Bar chart view, Display total number or percentage of bytes, Display total number or percentage of packets, Export data to spreadsheet format (table view only), Export data to HTML (table view only), Select MAC, IP, or IPX layer.


Postcapture Statistics Tab

For each capture session, statistical information is accumulated to help you analyze the network traffic during the capture period. A summary of this information is displayed in a table on the Statistics tab. The table displays:

- The date and time of the capture
- The amount of traffic seen during the capture period
- Utilization statistics

You can export this information to a spreadsheet using the Export data to spreadsheet button. Figure 8-22 shows the Statistics display.

Figure 8-22. The Statistics Display


802.11 Information in the Postcapture Statistics Tab

In addition to the standard counters in the Statistics tab, Sniffer Portable Professional adds a variety of wireless-specific statistics. These statistics are listed and described in Table 8-9 on page 211.

Table 8-9. 802.11 Counters in the Statistics Tab

Counter / Description

802.11 Data Throughput
    The data rate (in bits per second) observed by Sniffer Portable Professional for this capture session. When calculating throughput, Sniffer Portable Professional only counts data frames. Management and control frames are not part of this calculation. However, the throughput measurement does include the header portions of data frames.

802.11 Management Pkts
    The number of Management packets observed on the wireless LAN during this capture session.

802.11 Control Pkts
    The number of Control packets observed on the wireless LAN during this capture session.

802.11 Data Packets
    The number of Data packets observed on the wireless LAN during this capture session.

802.11 Mgmt Pkt Util
    Of the total number of MAC layer frames observed during this session, the percentage that were Management packets.

802.11 Ctrl Pkt Util
    Of the total number of MAC layer frames observed during this session, the percentage that were Control packets.

802.11 Data Pkt Util
    Of the total number of MAC layer frames observed during this session, the percentage that were Data packets.

802.11 Retry Pkts
    The number of Retry packets observed on the wireless LAN during this capture session. Stations send retry packets when they receive no acknowledgment to a previously sent packet.

802.11 WEP Pkts
    The number of packets observed on the wireless LAN during this capture session with the WEP bit in the Frame Control field set to true. This indicates that Wired Equivalent Privacy encryption was used on the packet.

802.11 Short PLCPs
    The number of Physical Layer Convergence Protocol (PLCP) protocol data units seen with the "short" preamble and header during this capture session. This form of PLCP PDU is used to achieve higher throughput and can support 5.5 and 11 Mbps transmission speeds.

802.11 Long PLCPs
    The number of PLCP PDUs seen with the "long" preamble and header during this capture session. This form of PLCP PDU is compatible with legacy equipment from older wireless LANs and operates at either 1 Mbps or 2 Mbps.

Data Rate Counters
    These counters vary depending on the monitored network:
    - For 802.11b/g networks, there are separate counters for the number of frames sent at 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54, 72, and 108 Mbps.
    - For 802.11a networks, there are separate counters for the number of frames sent at 6, 9, 12, 18, 24, 36, 48, 54, 72, and 108 Mbps.
    - For legacy 802.11b cards, the speeds remain at 1, 2, 5.5, and 11 Mbps.
    NOTE: 802.11g is backward-compatible with 802.11b; therefore the speed counters seen in 802.11b are also shown in 802.11g. 802.11b and 802.11g share the same frequency band (2.4 GHz) and the same number of channels (1-14). 802.11b speeds range from 1 Mbps to 11 Mbps and 802.11g speeds from 1 Mbps to 54 Mbps. 802.11a and 802.11g share similar speeds (6, 9, 12, 18, 24, 36, 48, 54, 72, and 108 Mbps -- 72 and 108 Mbps are proprietary implementations).
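The frame-type, utilization, retry, WEP and throughput counters of Table 8-9 all derive from the 2-byte Frame Control field and the frame length. The following Python is an added example, not Sniffer code, that computes those counters over constructed 802.11 MAC frames the way the table describes them (data frames only, header bytes included, for throughput; percentages over all MAC frames). The frame bytes and timestamps are constructed for the example; the Frame Control bit layout is from IEEE 802.11, and the PLCP and data-rate counters are omitted because they need physical-layer information a MAC frame does not carry.

```python
from typing import Dict, List, Optional, Tuple

# Frame Control, second byte: flag bits (IEEE 802.11)
FC_RETRY = 0x08
FC_PROTECTED = 0x40                 # the "WEP bit" Table 8-9 refers to
TYPE_NAMES = {0: "Management", 1: "Control", 2: "Data"}   # type 3 is reserved
COUNT_KEY = {"Management": "802.11 Management Pkts", "Control": "802.11 Control Pkts",
             "Data": "802.11 Data Packets"}
UTIL_KEY = {"Management": "802.11 Mgmt Pkt Util", "Control": "802.11 Ctrl Pkt Util",
            "Data": "802.11 Data Pkt Util"}


def classify(frame: bytes) -> Tuple[Optional[str], bool, bool]:
    """Return (frame type, Retry flag, WEP/Protected flag) from the Frame Control field."""
    if len(frame) < 2 or frame[0] & 0x03 != 0:      # need FC; protocol version must be 0
        return None, False, False
    ftype = TYPE_NAMES.get((frame[0] >> 2) & 0x03)   # reserved type -> None
    return ftype, bool(frame[1] & FC_RETRY), bool(frame[1] & FC_PROTECTED)


def wireless_counters(frames: List[Tuple[float, bytes]]) -> Dict[str, float]:
    """frames: (timestamp in seconds, MAC frame bytes including the header).
    Returns the Table 8-9 counters that can be derived from MAC frames."""
    counts: Dict[str, int] = {key: 0 for key in COUNT_KEY.values()}
    counts.update({"802.11 Retry Pkts": 0, "802.11 WEP Pkts": 0})
    data_bytes, total = 0, 0
    first_ts: Optional[float] = None
    last_ts: Optional[float] = None
    for ts, frame in frames:
        ftype, retry, protected = classify(frame)
        if ftype is None:
            continue                        # truncated or reserved type: not counted
        total += 1
        counts[COUNT_KEY[ftype]] += 1
        counts["802.11 Retry Pkts"] += int(retry)
        counts["802.11 WEP Pkts"] += int(protected)
        if ftype == "Data":
            data_bytes += len(frame)        # header bytes included, as the table states
        first_ts = ts if first_ts is None else min(first_ts, ts)
        last_ts = ts if last_ts is None else max(last_ts, ts)
    result: Dict[str, float] = dict(counts)
    for ftype, key in UTIL_KEY.items():     # percentage of all MAC layer frames
        result[key] = round(100.0 * counts[COUNT_KEY[ftype]] / total, 1) if total else 0.0
    duration = (last_ts - first_ts) if total else 0.0
    result["802.11 Data Throughput"] = (data_bytes * 8 / duration) if duration > 0 else 0.0
    return result


def sample_frames() -> List[Tuple[float, bytes]]:
    """Constructed one-second capture: beacon, protected data, ACK, protected data retry, open data."""
    hdr = bytes(22)                                   # duration, addresses, sequence control (zeroed)
    beacon = b"\x80\x00" + hdr + bytes(40)            # Management / Beacon
    data_wep = b"\x08\x41" + hdr + bytes(100)         # Data, To DS, Protected
    ack = b"\xd4\x00" + bytes(8)                      # Control / ACK (10-byte frame)
    data_retry = b"\x08\x49" + hdr + bytes(100)       # Data, To DS, Retry, Protected
    data_open = b"\x08\x01" + hdr + bytes(50)         # Data, To DS, not protected
    return [(0.0, beacon), (0.2, data_wep), (0.4, ack), (0.6, data_retry), (1.0, data_open)]


if __name__ == "__main__":
    for name, value in wireless_counters(sample_frames()).items():
        print(f"{name:28s} {value}")
```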

Chapter 9

Working with Real-Time Decodes

Overview

In addition to off-line or post-capture analysis, you can display protocol decodes in real-time as packets arrive. You do not have to stop a capture session to see protocol decodes. Real-time decodes are disabled by default. After launching Sniffer Portable Professional, enable real-time decodes and set real-time decode options. See also:

- Enabling and Setting Real-time Decodes on page 213
- Viewing Real-time Decodes on page 214
- Scrolling Modes in Real-time Decodes on page 215
- Real-time Decode Display Limitations on page 216

Enabling and Setting Real-time Decodes

In addition to off-line or post-capture analysis, you can display protocol decodes in real-time as packets arrive. You do not have to stop a capture session to see protocol decodes. Real-time decodes are disabled by default when Sniffer Portable Professional is installed. Setting Real-time decode options includes specifying the refresh rate used in Live-Scroll mode.

To enable real-time decodes:

1. From the Tools menu, select Options, then click the Real-Time tab.

2. Select the Real Time Decode option.

3. Specify a refresh rate in the field provided. This rate is used in Live-Scroll Mode to jump to the new set of latest packets to decode at each defined interval. You can specify a rate between 1 and 60 seconds. See Scrolling Modes in Real-time Decodes on page 215 for detailed information.

4. Click OK.

Real Time Decodes and the "When buffer is full" Option

Real Time Decodes only work when the When buffer is full option in the Define Filter - Capture dialog box is set to Stop capture for the active capture filter. If the Real Time Decode option is enabled and the capture buffer is currently set to wrap (Wrap buffer is enabled), Sniffer Portable Professional will automatically change the setting of the option to Stop capture. After starting a new capture session, the Real-Time Decode window is displayed automatically. An example is shown in Figure 9-1 on page 215.

Viewing Real-time Decodes

Real-time decodes allow you to display protocol decodes in real-time as packets arrive. When enabled, you do not have to stop a capture session to see protocol decodes.

To view real-time decodes:

1. Ensure real-time decodes are enabled. See Enabling and Setting Real-time Decodes on page 213.

2. Select Start from the Capture menu.

3. The Decode window opens and the real-time decodes are displayed in the Summary pane, as shown in the example in Figure 9-1 on page 215. Depending on the refresh interval specified, you might not see the decode information immediately.

   NOTE: Switch from Non-live to Live scrolling at any time using Ctrl + End, or by clicking the Start scrolling and Stop scrolling buttons.

4. Select Stop from the Capture menu to stop the capture and the real-time decode data stream. Save the data to a trace file using traditional file saving methods if desired.


Figure 9-1. Real-time Decodes Window Example

Scrolling Modes in Real-time Decodes

Like the traditional Sniffer post-capture Decode window, the Real-time Decode window (Figure 9-1 on page 215) has three panes: Summary, Detail, and Hex. When Real-time decodes are enabled and new network packets come in, the Summary pane is updated. In Live scroll mode you see the network packets from top to bottom in the order they were received. When new packets come in, the Decode window automatically starts scrolling upward and older packets are removed from the Summary pane. The refresh interval rate is set in the Real-Time tab of the Options dialog box. See Enabling and Setting Real-time Decodes on page 213 for detailed information. When the Decode screen refreshes, the Summary pane displays the last set of network packets that were received in the interval period. For example, if the Summary pane is limited to displaying 20 lines for 20 packets and the most recent interval period contained 500 packets, then the Summary pane displays packets 481 to 500. If 250 more packets are received during the next interval, the Summary pane automatically updates and displays packets 731 to 750.


In Non-live scroll mode the Decode window does not automatically update. To view new packets, you have to manually scroll the Summary pane using the scrolling tools to the right of the pane. In either Live or Non-live scroll mode, the Detail and Hex panes show the first packet by default when the Real-Time Decode window opens. When you select a new packet in the Summary pane, the Detail and Hex panes are refreshed to display information specific to the selected packet.

To switch between Real-time Decode scrolling modes:

1. Ensure Real-time Decode is enabled. See Enabling and Setting Real-time Decodes on page 213.
2. Start a capture session. This opens the Real-Time Decode window automatically.
3. Switch from Live to Non-live scrolling in the Real-Time Decode window by clicking any summary line in the Summary pane, or by moving the Summary pane scroll bar upward. You can do this at any time.
4. You can also switch from Non-live to Live scrolling using Ctrl + End, or by clicking Start scrolling and Stop scrolling. You can do this at any time.

Real-time Decode Display Limitations

When specifying Real-time decode options or viewing real-time decodes, please note the following:

- Capture to disk is not supported with Real-time decodes. If you have Capture to Disk selected as a capture option, the Real-Time Decode window is disabled.
- The Real-Time Decode window displays the Frame Number, Status, Source Address, Destination Address, Summary, Length, Delta Time, and Absolute Time columns, but these statistics are not user-configurable.
- Display setup items are not user-configurable in the Real-Time Decode window. The Real-Time Decode window will always display Show Network Address, the Display Vendor ID on the MAC address, and the Summary line for the last protocol layer.
- The Real-Time Decode window does not display Expert Symptoms or Two-Station Format, nor will the window resolve the network name using the Address book.
- The Find Frame, Go to Frame, Marking of Frame, and Select and Save Range tools are not available in the Real-Time Decode window.
- Display filters are not available in the Real-Time Decode window.
- Segmentation and Re-assembly analysis of network packets or frames is not supported in Real-time Decode mode.

Chapter 10
Defining Filters and Triggers

Overview

This section describes filters and triggers:

- Use filters to select the particular traffic you need for your network analysis so that you can focus precisely on the data you need to troubleshoot network problems and minimize the size of files you collect for historical records.
- Use triggers to capture data while Sniffer Portable Professional is unattended, such as on off-hours or weekends. You can set triggers to start captures at specific times, or in response to specific events (for example, alarms).

The section includes the following information:

- Defining Filters on page 220
- Using Filter Profiles on page 222
- Setting Filter Options in the Address Tab on page 225
- Setting Filter Options in the Port Tab on page 228
- Setting Filter Options in the Data Pattern Tab on page 230
- Setting Filter Options in the Advanced Tab on page 235
- Setting Filter Options in the 802.11 Tab on page 238
- Filtering from the Decode Window on page 240
- Sharing Filters between Systems and Products on page 241
- Defining Triggers on page 242

Defined Filters vs. Automatic Filters

There are two categories of filters:

- Defined filters. You can define address, port, protocol, and Boolean data pattern filters to select the particular traffic you need for your network analysis. By using filters, you can precisely focus on the data you need to troubleshoot network problems and minimize the size of files you collect for historical records. In general, you work with Defined filters in the Define Filter dialog box. This section describes how to do that.
- Automatic filters. In some cases, filters are created automatically by Sniffer Portable Professional when you choose to view selected information. For example, you can single out a particular station's conversations using the Visual Filter on the Matrix map display. You can also set automatic Expert Filters in many Expert window displays, as well as automatic Display filters from an active Decode tab. Automatic filters are described in the following sections:
  - Automatic Display filters are described in Setting Display Filters on page 167.
  - Expert filters are described in Setting Automatic Expert Display Filters on page 151.

Define Filter Options for Wireless Networks

When using Sniffer Portable Professional with a wireless adapter, the Define Filter dialog box adds several wireless-specific filtering options:

- The Define Filter dialog box's Advanced tab includes wireless LAN packet types on which you can filter (for example, PLCP Errors). See Filters for 802.11 Packet Types in the Advanced Tab on page 237.
- The Define Filter dialog box also includes an 802.11 tab specifically for wireless LAN filtering. See Setting Filter Options in the 802.11 Tab on page 238.

Defining Filters

In general, you work with filters in the Define Filter dialog box. The type of filter is determined by its use:

- When selecting what traffic to monitor, the filter becomes a monitor filter.
- When selecting what traffic to admit into the capture buffer, the filter becomes a capture filter.
- When selecting what data in the capture buffer to display, the filter becomes a display filter.


When you define a filter, you give it a name (known as a Profile in the application displays). You then select a filter Profile to use as a monitor, capture, or display filter (depending on whether you choose the Select Filter command from the Monitor, Capture, or Display menu). To easily differentiate different kinds of filters, use a distinctive naming convention. See Using Filter Profiles on page 222 for details.

To access the Define Filter dialog box:

1. Select Define Filter from the Monitor, Capture, or Display menu. You can also click the corresponding toolbar button (available in many windows).

The Define Filter dialog box lets you define capture filters to collect specific network information. When you first open the Define Filter dialog box, the Summary tab appears, summarizing the current settings for the selected filter. This tab also displays the buffer size and the buffer action (stop capture or overwrite older data when buffer is full). In addition to the Summary tab, some or all of the following tabs are available, depending on the type of network adapter in use:

- The Address tab lets you define filters to capture data transmitted between network nodes (or address pairs).
- The Port tab lets you filter traffic on IP or IPX ports.
- The Data Pattern tab lets you define filters that capture frames that match data pattern rules joined by AND/OR/NOT logical operators. Data pattern filters provide a generic method of defining and documenting filter conditions that cannot be defined by the address and protocol filters.
- The Advanced tab lets you define filters that capture frames that belong to one or more protocol groups. It also lets you set filters for frames falling in a specified size range and various protocol-specific frame types (for example, jabber packets on an Ethernet network).
- The Buffer tab lets you set various global options relating to the size of the capture buffer and what actions should be taken when the maximum size of the capture buffer is reached.

You can also create filter profiles -- saved combinations of one or more of the individual filters defined on the tabs listed above. See Using Filter Profiles on page 222 for details.


Using a Defined Filter

You apply a named filter to one of four filter points in Sniffer Portable Professional to select the information you want. The filter points are monitor, capture, display, and event.

- When you apply a filter to the monitoring process, it is called a monitor filter. It selects what information will be included in monitor statistics.
- When you apply a filter to a capture, it is called a capture filter. A capture filter allows only certain frames or certain portions of frames to be saved in the capture buffer. It also defines the size of the capture buffer and what to do when the buffer is full.
- When you apply a filter to the Packet Display, it is called a display filter. The display filter lets you select what packets you want to display. A display filter does not affect the contents of the capture buffer. It just prevents some of the data from being displayed.
- When you apply a filter to a capture trigger definition, it is called an event filter. You use a trigger to automatically start or stop captures based on network events and other parameters.

Tip: Implement a naming convention for your filters. Some of the named filters you define will be specifically designed for a particular purpose, for example, as a display filter or as a capture filter. To easily identify different kinds of filters in your filter list, use a distinctive naming convention. For example, you could begin each filter name with a single-letter descriptor:

- C-name for capture filters
- D-name for display filters
- M-name for monitor filters
- T-name for trigger event filters

Using Filter Profiles

Creating precise filter definitions can be a time-consuming process. Filter profiles provide a means to save your carefully crafted filter definitions for later use. A filter profile is a set of one or more individual filters defined on the various tabs in the Define Filter dialog box (Address, Port, Data Pattern, Advanced, Buffer, and so on).


For example, suppose you are only interested in IP traffic to and from a particular router. You could create a special filter profile that combined an Address filter on the router's IP address, as well as an Advanced filter on IP protocol traffic. Then, whenever you needed to use this combination of filters, you could simply select the saved filter profile from the Select Filter dialog box.

NOTE: If you need to see which individual filters make up a filter profile, select the Define Filter command and then select the entry for the filter profile in the Settings For pane of the Define Filter dialog box. The Summary tab of the Define Filter dialog box will show you a quick summary of the various individual filters making up the selected profile.

Creating a Filter Profile

Each time you create a new filter, be sure to start by clicking the Profiles button in the Define Filter dialog box. Then, click the New button to open a dialog box in which you can give your filter profile a name. Once you have named a filter profile, it will appear in the Settings For pane of the Define Filter dialog box, allowing you to fine tune the settings for the filter. In addition, the filter will also appear in the Select Filter dialog box, allowing you to apply it to a given monitoring, capture, or decode session whenever you like.

To create a filter profile:

1. Select the Define Filter command from either the Monitor, Capture, or Display menu (depending on the type of filter you would like to create).
2. Click Profiles. The Capture Profiles dialog box appears, listing the filter profiles already defined.
3. Click New.
4. In the New Capture Profile dialog box, supply a name for the filter in the field provided. You can also copy the settings for this filter from either an existing defined profile (Copy Existing Profile option) or from an existing sample (Copy Sample Profile option).
5. Click OK.
6. Click Done in the Capture Profiles dialog box. The filter appears in the Settings For pane of the Define Filter dialog box. At this point, you can fine tune the settings for this filter in the other tabs of the Define Filter dialog box (Address, Port, Data Pattern, Advanced, and so on).

Starting Capture Directly from the Define Filter - Capture Dialog Box

In contrast to previous Sniffer Portable Professional releases, you can now start a capture directly from the Define Filter - Capture dialog box with the currently selected filter in place. This way, you don't have to go through the intermediate step of accepting your filter and then clicking the Start Capture button (although you still can, if you want to!).

To start capture directly from the Define Filter - Capture dialog box:

1. Select Define Filter from the Capture menu. You can also click the corresponding button in the Capture toolbar.
2. Use the tabs in the Define Filter - Capture dialog box to set up the capture filter.
3. When you have finished setting up the filter, click the Start Capture button at the lower left of the dialog box (Figure 10-1).

Figure 10-1. Starting Capture from the Define Filter - Capture Dialog Box (callout: Start capture directly from the Define Filter dialog using this button.)


Setting Filter Options in the Address Tab

Use the options on the Address tab of the Define Filter dialog box to set up a filter to capture or display packets between up to ten pairs of network nodes by their addresses.

To set an Address filter:

1. Click the Address tab in the Define Filter dialog box.
2. Use the Address Type drop-down list to specify the type of address on which you want to filter.
3. Use the Mode field to specify whether you want to Include or Exclude the specified traffic.
4. The Known Address box includes addresses already known to Sniffer Portable Professional (including those in your Address Book). You can click and drag addresses from the Known Address box into the Station 1 or Station 2 fields to filter on these addresses. If you do not want to click and drag known addresses, you can also manually add addresses by placing your cursor in the appropriate field and typing the address.

   NOTE: You can use a wild card symbol (*) in the third or fourth octet of the address in Station 1 and Station 2. For example, manually enter 10.20.*.* when IP is selected as Address Type. If you have selected Hardware as the Address Type, enter hardware addresses in the Station 1 and Station 2 fields as desired. Example: 0050da*.

5. You can use the adjacent / column to enter a subnet mask in CIDR format. See Using CIDR Bit-Count Netmasks in the Address Tab on page 226 for more information on this format.
6. Once you have specified the address pair on which you want to filter, click the Dir button to specify in which directions you want to capture traffic (from Station 1 to Station 2, from Station 2 to Station 1, or in both directions).
7. Click OK.

Figure 10-2 shows the Address tab of the Filter Settings dialog box.

Figure 10-2. Setting Address Filters

Callouts in Figure 10-2:
- Drag and drop a symbolic address from the Known Address list into the Station 1 or Station 2 fields. Known addresses come from Broadcast Addresses, the Host Table, or the Address Book. You can also just type in an address manually.
- Define the address as either a network hardware address (6 bytes in hexadecimal value) or a network IP or IPX address (4 octets).
- Select to include or exclude packets that match the address specification.
- Start capture directly from the Define Filter dialog using this button.
- Specify an optional subnet mask in CIDR format.
- First, click to name the new filter.
- Select which direction the traffic flows by setting the Dir option.

Using CIDR Bit-Count Netmasks in the Address Tab

The Address tab lets you enter subnet masks in the Classless Inter-Domain Routing (CIDR) scheme. CIDR uses a standard 32-bit IP address with a short-hand version of the decimal netmask called a bit count. For example, in the CIDR address 192.168.40.250 with a netmask of 255.255.255.0, 24 is the number of bits in the netmask. So the IP address and netmask can be written as 192.168.40.250/24. If you don't know your CIDR netmask, you can use Figure 10-3 to convert your subnet mask to a CIDR bit count mask.

CIDR Bit Count    Equivalent Standard Netmask
/32               255.255.255.255
/31               255.255.255.254
/30               255.255.255.252
/29               255.255.255.248
/28               255.255.255.240
/27               255.255.255.224
/26               255.255.255.192
/25               255.255.255.128
/24               255.255.255.0
/23               255.255.254.0
/22               255.255.252.0
/21               255.255.248.0
/20               255.255.240.0
/19               255.255.224.0
/18               255.255.192.0
/17               255.255.128.0
/16               255.255.0.0
/15               255.254.0.0
/14               255.252.0.0
/13               255.248.0.0
/12               255.240.0.0
/11               255.224.0.0
/10               255.192.0.0
/9                255.128.0.0
/8                255.0.0.0
/7                254.0.0.0
/6                252.0.0.0
/5                248.0.0.0
/4                240.0.0.0
/3                224.0.0.0
/2                192.0.0.0
/1                128.0.0.0
/0                0.0.0.0

Figure 10-3. CIDR Netmask Conversion Table


Setting Filter Options in the Port Tab

You can filter by a specific IP or IPX port.

NOTE: If Hardware is selected as the Address Type in the Address tab of the Define Filter dialog box, all fields in the Port tab of the Define Filter dialog box are disabled. By default, IP is selected as the Address Type when you open the Define Filter dialog box.

To filter by a specific port:

1. Select the Define Filter command from either the Monitor, Capture, or Display menu (depending on the type of filter you would like to create).
2. Click the Address tab and ensure IP or IPX is selected as the Address Type. If Hardware is the selected Address Type, all fields of the Port tab are disabled.
3. Click the Port tab. An expandable tree displays known ports. Known ports include ports already known to Sniffer Portable Professional (including those in your Address Book). The list is dependent on the Address Type selected in the Address tab of the Define Filter dialog box. If IP is selected, the list displays known IP ports. If IPX is selected, the list displays known IPX ports.

   NOTE: Filtering by TCP or UDP ports is not supported.

4. Enter a port number in the Port 1 or Port 2 field by dragging and dropping a known port from the list above into the desired field. You can also manually add ports by placing your cursor in the appropriate field and typing.
5. You can enter multiple ports by separating entries with a comma (for example, 23,25). You can enter a range of ports by using a hyphen. For example, you can specify ports 23, 24, 25, and 26 by entering 23-26 in the Port field.

   IMPORTANT: Multiple ports and/or a range of ports are only supported on one side of a port pair. If you use multiple ports on one side of the port pair, the only options allowed on the other side are ANY or a single port.

6. Once you have specified the ports on which you want to filter, click the Dir button to specify in which directions you want to capture traffic (from Station 1 to Station 2, from Station 2 to Station 1, or in both directions).
7. Click OK.
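The following Python is an added example, not code from the Sniffer Portable Professional manual or product. It implements the matching rules the Address tab, the CIDR section and the Port tab describe: wildcard octets such as 10.20.*.*, hardware prefixes such as 0050da*, the / column CIDR bit count with the Figure 10-3 conversion, port lists and ranges with the one-side restriction from the IMPORTANT note, and the Dir and Mode settings. Function and class names, and the packet dictionaries used as input, are assumptions made for the example.

```python
import ipaddress
import re

# Added example, not code from the Sniffer Portable Professional manual or
# product.  Function and class names and the packet dictionaries are
# assumptions; the rules follow the Address tab, CIDR and Port tab text.

def cidr_to_netmask(bits):
    """CIDR bit count (/0 to /32) to its dotted netmask, as in Figure 10-3."""
    if not 0 <= bits <= 32:
        raise ValueError("CIDR bit count must be between 0 and 32")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)

def netmask_to_cidr(mask):
    """Dotted netmask to bit count; a non-contiguous mask raises ValueError."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen

def conversion_table():
    """The 33 rows of Figure 10-3, /32 down to /0, computed rather than typed."""
    return [(bits, cidr_to_netmask(bits)) for bits in range(32, -1, -1)]

def ip_matches(spec, addr, bits=None):
    """Match an IPv4 address against a Station field: ANY, a literal, a wildcard
    form such as 10.20.*.* (only octets 3 and 4 may be *), or a literal with a
    CIDR bit count from the / column."""
    if spec.upper() == "ANY":
        return True
    if "*" in spec:
        parts = spec.split(".")
        if len(parts) != 4 or "*" in parts[:2]:
            raise ValueError("wildcards are allowed only in the third or fourth octet")
        return all(p in ("*", a) for p, a in zip(parts, addr.split(".")))
    if bits is not None:
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(f"{spec}/{bits}", strict=False)
    return ipaddress.IPv4Address(spec) == ipaddress.IPv4Address(addr)

def mac_matches(spec, addr):
    """Match a hardware address; a trailing * matches a prefix (e.g. 0050da*)."""
    if spec.upper() == "ANY":
        return True
    spec, addr = (re.sub(r"[^0-9a-f*]", "", s.lower()) for s in (spec, addr))
    return addr.startswith(spec[:-1]) if spec.endswith("*") else spec == addr

def parse_ports(field):
    """Port field: ANY (None), one port, a comma list (23,25) or a range (23-26)."""
    field = field.strip()
    if field.upper() == "ANY":
        return None
    ports = set()
    for item in field.split(","):
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            if low > high:
                raise ValueError(f"bad port range {item!r}")
            ports.update(range(low, high + 1))
        else:
            ports.add(int(item))
    return ports

class AddressPortFilter:
    """Station 1/Station 2 pair with optional CIDR masks, Port 1/Port 2,
    Dir (1to2, 2to1, both) and Mode (include or exclude)."""
    def __init__(self, station1, station2, bits1=None, bits2=None,
                 port1="ANY", port2="ANY", direction="both", mode="include"):
        self.s1, self.s2, self.b1, self.b2 = station1, station2, bits1, bits2
        self.p1, self.p2 = parse_ports(port1), parse_ports(port2)
        # IMPORTANT in the Port tab: a list or range is allowed on one side only
        if self.p1 and len(self.p1) > 1 and self.p2 and len(self.p2) > 1:
            raise ValueError("multiple ports or a range are allowed on one side only")
        self.direction, self.mode = direction, mode

    @staticmethod
    def _one_way(pkt, src_spec, src_bits, src_ports, dst_spec, dst_bits, dst_ports):
        return (ip_matches(src_spec, pkt["src"], src_bits)
                and ip_matches(dst_spec, pkt["dst"], dst_bits)
                and (src_ports is None or pkt["sport"] in src_ports)
                and (dst_ports is None or pkt["dport"] in dst_ports))

    def matches(self, pkt):
        """pkt is a dict with src, dst, sport and dport (constructed input)."""
        fwd = self._one_way(pkt, self.s1, self.b1, self.p1, self.s2, self.b2, self.p2)
        rev = self._one_way(pkt, self.s2, self.b2, self.p2, self.s1, self.b1, self.p1)
        hit = {"1to2": fwd, "2to1": rev, "both": fwd or rev}[self.direction]
        return hit if self.mode == "include" else not hit
```

With `direction="both"` the filter accepts a packet in either direction between the two stations, which is what makes a reverse-direction reply with the listed port as its source port match; `mode="exclude"` inverts the result, as the Mode field does.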


Setting Filter Options in the Data Pattern Tab

Use the Data Pattern tab to define a filter that will only capture or display packets that match a data pattern you specify. A data pattern filter can be simple, consisting of a single data pattern, or very sophisticated, involving multiple data patterns connected by Boolean operators AND, OR, and NOT.

NOTE: A complex filter is limited to no more than 20 Boolean operators and data patterns.

A data pattern is:

- A particular sequence of bits
- The length of the sequence
- Its offset position within the packet

The maximum data pattern length is 32 octets. You can specify the offset from the beginning of the packet or from the protocol boundary. You can copy the data pattern for your filter from the display decode screen. To do this, select the packet before you invoke the define filter function. In the Data Pattern tab, select Add Pattern, then Set Data. This copies the data field from the selected packet into the data pattern fields, and calculates the offset and length. In addition, you can use the selected pattern as a template, editing it in the display to suit your needs. To construct a complex data pattern filter, link data patterns using Boolean operators. The result is displayed in a tree-like diagram on the Data Pattern tab. The Data Pattern tab displays the work space for creating your filter, and displays the current data pattern equation. The buttons below the display control the process of defining the Boolean expression and data patterns. Figure 10-4 shows the Data Pattern tab of the Filter Settings dialog box.

Figure 10-4. Setting Data Pattern Filters

Callouts in Figure 10-4:
- Creates a NOT operator.
- Evaluates the Boolean equation immediately. If the equation is incomplete, an error message is generated.
- Click to create a new Boolean operator AND/OR.
- Click to create a new data pattern. You can use the selected packet in the Decode display as a template.
- Start capture directly from the Define Filter dialog using this button.
- Click to modify the data pattern.
- Click to turn on or off the NOT operator.
- Click to toggle the selected Boolean operator between AND and OR.
- Click to delete the selected Boolean operator or data pattern. (If the operator has child operators or data patterns, they will be deleted with the parent.)


Add or Edit Pattern Dialog Box

The Add or Edit Pattern dialog box (Figure 10-5, below) appears when you click the Add Pattern or Edit Pattern buttons on the Data Pattern tab of the Define Filter dialog box (Figure 10-4 on page 231). Use this dialog box to define a specific data pattern to filter. Keep the following in mind when adding or editing a data pattern filter:

- Use the From: and Format: fields to identify the type of data you would like to use for the data pattern.
- Check the Variable Offset option to search for the data pattern you define, starting at byte 0 until the pattern is matched or has reached the end of the frame. With this option enabled, you do not have to define the fixed offset data pattern.
- If Variable Offset is not selected, designate an Offset value in the field provided. This option is useful when you are reasonably sure the pattern falls between a specific start and end offset. Specify the End Offset (hex) in the field provided.
- Enter the pattern in rows 1 and 2. The easiest way to add patterns is to select a packet in the Decode tab before you click Define Filter. When you do it this way, the selected packet will appear in the Edit Pattern dialog box, allowing you to populate your pattern with information from the selected packet (Figure 10-5).

Figure 10-5. Add or Edit Pattern Dialog Box


More on Data Pattern Filters

A data pattern filter can be created from a single data pattern or from multiple data pattern definitions that are connected together by AND/OR/NOT Boolean operators. A complex filter can contain no more than 20 Boolean operators and data patterns. A data pattern is defined by a particular sequence of bits, the length of these bits, and the pattern's offset position within the packet. You have the option of specifying the offset from the beginning of the full packet or from the first level protocol boundary. The maximum data pattern length is 32 octets.

The beginning octet location of a protocol boundary from the packet may vary depending upon the media type (Ethernet) or the DLC format (Ethernet II, 802.2, 802.2 SNAP) it uses. IPX protocol is a good example. It starts from offset byte 14 in an Ethernet II-type packet, but from byte 17 in an 802.2-type packet. Since Sniffer Portable Professional recognizes various DLC format types and is able to mark the protocol boundary correctly, using the protocol layer boundary as a starting location for calculating the offset allows you to capture protocol packets with a pattern filter from different network media or with different DLC formats.

To facilitate the definition of a data pattern, Sniffer Portable Professional allows you to 'copy' the data pattern of your choice from a known packet. To do this, you must be in the packet decode viewer, and have selected a particular packet before you invoke the Define Filter profiler. Use Add Pattern/Set Data in the Data Pattern tab to copy a known data field from the decoded packet into the data pattern fields. This will automatically calculate the offset and length, fill the data pattern, and suggest a default field name.

Use AND/OR/NOT Boolean operators to construct a complex data pattern filter. The result is displayed in a tree-like diagram to show the logical relationships.

The best way to learn how to construct a Boolean Data Pattern filter is to start from a simple data pattern filter. The first step is to write down the logical relationships in a Boolean equation. Next, clarify the Boolean operation's precedence by using parentheses liberally, so that the final equation can be constructed using a binary-tree diagram.

The following example demonstrates how to construct the sample filter, My Subnet. (My Subnet is also listed in the sample Boolean Data Pattern filters supplied in Sniffer Portable Professional capture profiles.) Suppose that you want to capture all IP traffic except traffic to and from subnet 36.56.0. The first step is to write down a data pattern Boolean equation that represents this operation: Not (Src Subnet 36.56.0 OR Dest Subnet 36.56.0)


If you already have a capture packet file that contains this subnet address, you should open this file and select the packet containing the source subnet address 36.56.0. This will substantially ease the data entry operation later, when you define the data pattern for the subnet 35.56.0. Next, start defining the data pattern filter by following these steps:

1. From the main toolbar, click the Define Filter toolbar button to open the Define Filter dialog box.
2. Click the Profiles button to open the Capture Profiles dialog box.
3. Click the New button. Enter a new profile name, for example, My Subnet. Click OK.
4. Click the Done button to close the Capture Profiles dialog box.
5. Click the Advanced tab.
6. Select IP from the Available Protocols list box. This will filter out any non-IP packets that might have the same data pattern.
7. Click the Data Pattern tab. A default AND operator is displayed.
8. Click the Add NOT button to create a NOT operator.
9. From the newly created NOT line, click Add AND/OR to create a new AND child operator linked to the NOT operator.
10. Click the Toggle AND/OR button to change the AND to OR.
11. From the OR line, click the Add Pattern button to invoke the Edit Pattern dialog box.
12. Scroll the detail decode window to locate the IP source address containing subnet 35.56.0 and highlight the field.
13. Select Protocol in the From list box. This will tell Sniffer Portable Professional to calculate the source IP address offset from the beginning of the IP protocol data packet.
14. Click the Set Data button to tell Sniffer Portable Professional to fill in the source IP address field.
15. Change Len (length of subnet) from 4 to 3, and delete the 4th octet from the data pattern field.
16. Edit the Name field to Src Subnet 36.56.0.
17. Click OK. A new data pattern Src Subnet 36.56.0 is created and connected to the OR operator.
18. Click the OR operator again to select it.
19. Click Add Pattern to open another Edit Pattern dialog box.
20. Click Set Data to tell Sniffer Portable Professional to fill in a dummy data pattern (a placeholder) for the Dest Subnet and click OK.
21. Click OK again in the Define Filter dialog box to save the filter.
22. Select the next packet containing the destination IP subnet address from the Packet Display.
23. From the main toolbar, click the Define Filter toolbar button to open the Define Filter dialog box for My Subnet.
24. Click the Data Pattern tab to display the Data Pattern filter defined so far.
25. Highlight the second PAT (this was the placeholder created previously) and click Edit Pattern to open the Edit Pattern dialog box.
26. Scroll the detail decode window to locate the IP destination address containing subnet 35.56.0. Highlight the field.
27. Select Protocol in the From list box. This will tell Sniffer Portable Professional to calculate the destination IP address offset from the beginning of the IP protocol data packet.
28. Click the Set Data button to tell Sniffer Portable Professional to fill in the source IP address field.
29. Change Len (length of subnet) from 4 to 3, and delete the 4th octet from the data pattern field.
30. Edit the Name field so it shows Dest Subnet 36.56.0.
31. Click OK. A second data pattern Dest Subnet 36.56.0 is created and connected to the OR operator.
32. Click Evaluate. The resulting operation Not (Src Subnet 36.56.0 OR Dest Subnet 36.56.0) is shown on the top line.
33. Click OK to save the filter.
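To show what the My Subnet walkthrough and the protocol-boundary discussion above actually compute, here is an added Python model of the Data Pattern tab. It is not code from the Sniffer Portable Professional manual or product; the class names (Pattern, Op, Not), the helpers and the sample frames are assumptions. It builds patterns with a fixed offset counted from the packet start or from the protocol boundary, joins them with AND/OR/NOT nodes, enforces the 20-node limit when evaluating, and runs the finished equation Not (Src Subnet 36.56.0 OR Dest Subnet 36.56.0) together with the Advanced tab's IP selection against constructed Ethernet II frames. It also reproduces the IPX case from the text: one pattern anchored at the protocol boundary matches both Ethernet II (offset 14) and 802.2 (offset 17) framings, while a packet-offset pattern at byte 14 matches only the first.

```python
import struct

# Added example, not code from the Sniffer Portable Professional manual or
# product.  Class names, helpers and the sample frames are assumptions; the
# semantics follow the Data Pattern tab, Advanced tab and My Subnet walkthrough.

MAX_NODES, MAX_PATTERN_LEN = 20, 32   # 20 operators+patterns; 32-octet patterns

def protocol_boundary(frame):
    """First network-layer byte for the DLC formats the manual names."""
    if struct.unpack("!H", frame[12:14])[0] >= 0x0600:   # Ethernet II: type field
        return 14
    if frame[14:17] == b"\xaa\xaa\x03":                  # 802.2 SNAP: LLC + OUI + type
        return 22
    return 17                                            # 802.2 LLC: DSAP, SSAP, control

class Pattern:
    """Byte sequence at an offset from the packet start or the protocol boundary."""
    def __init__(self, name, data, offset=0, frm="packet", variable=False):
        if len(data) > MAX_PATTERN_LEN:
            raise ValueError("maximum data pattern length is 32 octets")
        self.name, self.data = name, bytes(data)
        self.offset, self.frm, self.variable = offset, frm, variable

    def matches(self, frame):
        if self.variable:      # Variable Offset: search from byte 0 to the end of the frame
            return self.data in frame
        start = (0 if self.frm == "packet" else protocol_boundary(frame)) + self.offset
        return frame[start:start + len(self.data)] == self.data

    def __str__(self):
        return self.name

class Op:
    """AND/OR operator; Toggle AND/OR would flip self.kind between the two."""
    def __init__(self, kind, *children):
        self.kind, self.children = kind, list(children)

    def matches(self, frame):
        if not self.children:  # Evaluate reports an incomplete equation
            raise ValueError("incomplete Boolean equation")
        combine = all if self.kind == "AND" else any
        return combine(child.matches(frame) for child in self.children)

    def __str__(self):
        return "(" + f" {self.kind} ".join(map(str, self.children)) + ")"

class Not:
    """NOT operator (Add NOT) with one child operator or pattern."""
    def __init__(self, child=None):
        self.child = child

    @property
    def children(self):
        return [self.child] if self.child is not None else []

    def matches(self, frame):
        if self.child is None:
            raise ValueError("incomplete Boolean equation")
        return not self.child.matches(frame)

    def __str__(self):
        return f"Not {self.child}"

def count_nodes(node):
    """Operators plus patterns in the tree, the quantity the 20-node limit counts."""
    return 1 + sum(count_nodes(c) for c in getattr(node, "children", []))

def evaluate(root, frame):
    """The Evaluate button: enforce the node limit, then run the equation."""
    if count_nodes(root) > MAX_NODES:
        raise ValueError("a complex filter is limited to 20 operators and patterns")
    return root.matches(frame)

# Constructed frames; the MACs and addresses are made up for the example.
MAC_A, MAC_B = bytes.fromhex("0050da010203"), bytes.fromhex("0050da040506")
IPX_HEADER = bytes.fromhex("ffff001e0004") + b"\x00" * 24   # checksum FFFF, length 30

def ethernet_ii_ip(src_ip, dst_ip):
    """Ethernet II + minimal IPv4 header: source at IP offset 12, destination at 16."""
    octets = lambda ip: bytes(int(o) for o in ip.split("."))
    header = bytes.fromhex("450000140001000040060000") + octets(src_ip) + octets(dst_ip)
    return MAC_B + MAC_A + struct.pack("!H", 0x0800) + header

def ipx_frame(dlc):
    """IPX over Ethernet II (type 8137) or over 802.2 LLC (length, then E0 E0 03)."""
    if dlc == "ethernet_ii":
        return MAC_B + MAC_A + struct.pack("!H", 0x8137) + IPX_HEADER
    return MAC_B + MAC_A + struct.pack("!H", 3 + len(IPX_HEADER)) + b"\xe0\xe0\x03" + IPX_HEADER

def my_subnet_filter():
    """The manual's My Subnet filter; From = Protocol and Len = 3, so only the subnet octets compare."""
    subnet = bytes([36, 56, 0])
    return Not(Op("OR", Pattern("Src Subnet 36.56.0", subnet, 12, "protocol"),
                        Pattern("Dest Subnet 36.56.0", subnet, 16, "protocol")))

def my_subnet_passes(frame):
    """Advanced tab (IP selected) plus the data pattern equation, as the walkthrough builds them."""
    is_ip = struct.unpack("!H", frame[12:14])[0] == 0x0800   # Ethernet II IP only
    return is_ip and evaluate(my_subnet_filter(), frame)
```

Printing `my_subnet_filter()` gives the same top line the Evaluate step reports, and `my_subnet_passes` returns False for any IP frame whose source or destination lies in 36.56.0 and True for other IP traffic; non-IP frames are dropped by the protocol check before the pattern tree runs, which is why the walkthrough selects IP on the Advanced tab first.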

Setting Filter Options in the Advanced Tab

Use options on the Advanced tab to define a filter based on packet size, protocol type, or error type. You can specify packets that are equal to, greater than, or less than a specific packet size, or in a range or outside of a range of packet sizes. You can select one or more protocols or subprotocols to act as a filter. If the packet matches one of the selected protocol types, it will pass through the filter. (If no protocol is selected, Sniffer Portable Professional captures all protocol types.)


If a protocol you need is not defined in the protocol list, you can define your own protocol filter using the data pattern filter controls.

NOTE: Selecting or deselecting a parent protocol (a protocol with a +/- sign adjacent to its entry in the list) automatically selects or deselects all of its child protocols. For example, selecting the IP entry automatically selects each of the sub-protocol entries in the IP family (TCP, UDP, and so on). You can still select and deselect individual sub-protocols manually; this shortcut simply provides you with a means of selecting or deselecting entire protocol families quickly.

Not all protocols in the list are supported by the Expert. For a list of currently supported protocols for Expert, see the online Help. Packet Types filters for error packets require an enhanced driver for detection. Because Sniffer Portable Professional does not support enhanced drivers for Ethernet or WLAN on Vista, these filters will not typically work for those topologies and/or operating system. Figure 10-6 shows the Advanced tab of the Filter Settings dialog box.

Figure 10-6. Setting Advanced Filters

Callouts in Figure 10-6:
- Specify one or more network protocols on which to filter. All network protocols with a checkmark will be included.
- Start capture directly from the Define Filter dialog using this button.
- Specify the packet size on which to filter.

Filters for 802.11 Packet Types in the Advanced Tab

When using Sniffer Portable Professional with a wireless adapter, the Packet Type dropdown includes the wireless LAN error packet types listed and described in Table 10-1.

Table 10-1. Wireless LAN Error Packet Types Available for Filtering

Packet Type: PLCP Errors
Description: PLCP errors occur when a wireless station receives a Physical Layer Convergence Protocol header with an invalid checksum. Before frames are sent between wireless stations, the physical layer (PHY) sends a PLCP header to a receiving station to negotiate the size of the frames to be sent, the speed at which they should be sent, and so on. This PLCP header includes a checksum which the receiving station uses to validate that the received PLCP header is not corrupt. If this checksum is corrupt, it is considered a PLCP error.

Packet Type: WEP ICVs
Description: Wired Equivalent Privacy (WEP) is used to encrypt data sent between stations on the wireless network. When two stations exchange WEP-encrypted data, they go through an authentication sequence wherein challenge messages are encrypted and decrypted by sender and receiver. If an Integrity Check Value does not match between sender and receiver, the receiver sends a frame indicating a communications failure (that is, an invalid WEP ICV). This filter works on these types of packets.


Setting Filter Options in the 802.11 Tab

When working with a wireless adapter, you can use the options in the 802.11 tab (Figure 10-7) to filter on a variety of different types of wireless traffic, as summarized below.

Figure 10-7. Define Filter > 802.11 Tab

Traffic Type Filters

Interference can occur in wireless networks when multiple access points within a range of each other are broadcasting on the same or overlapping channels. The impact of this interference on network performance can intensify during busy times when a large amount of data and media traffic compete for bandwidth. Use the Traffic Type options to detect packets on a channel to which they do or do not belong:

· Valid packets are packets which belong on the specified channel(s).
· Invalid packets are packets which do not belong on the specified channel(s).
· Indeterministic packets are packets for which Sniffer Portable Professional cannot determine whether they are valid or invalid.


Channel Filters

Use the Channel filters to specify different wireless channels to include as part of this filter. Acceptable values range from 1-161. You can enter either multiple values separated by commas or a single range separated by a hyphen. For example, you could enter a range like this:

1-12

Alternatively, you could enter multiple individual values like this:

5,7,12,149

Speed Filters

Use the Speed filters to specify different wireless traffic speeds (in Mbps) to include as part of this filter. Packets matching one of the specified speeds are included as part of the filter. You can enter either multiple speeds separated by commas or a single speed range separated by a hyphen. For example, you could enter a range like this:

1-10

Alternatively, you could enter multiple individual values like this:

48,54
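The Channel and Speed filter syntax described above (one hyphenated range or a comma-separated list, channels limited to 1-161), parsed and applied to a few packet records. This is an added example, not code from Sniffer Portable Professional; the packet records, their field names, and the rule that a packet must satisfy every filter supplied are assumptions made here.

```python
"""Parse and apply the Channel and Speed filter values of the 802.11 tab.

Added example; it is not code from Sniffer Portable Professional. It models
only the syntax the guide documents: one hyphenated range ("1-12") or
individual values separated by commas ("5,7,12,149"), channels limited to
1-161, speeds in Mbps. The packet records, their field names, and the rule
that a packet must satisfy every filter supplied are assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Union

Number = Union[int, float]
CHANNEL_MIN, CHANNEL_MAX = 1, 161


def _number(token: str) -> Number:
    """Parse one value; 802.11b rates such as 5.5 Mbps are not integers."""
    token = token.strip()
    if not token:
        raise ValueError("empty value in filter string")
    value = float(token)
    return int(value) if value.is_integer() else value


@dataclass(frozen=True)
class ValueFilter:
    """Either one inclusive range (low..high) or a set of individual values."""
    low: Optional[Number] = None
    high: Optional[Number] = None
    values: FrozenSet[Number] = frozenset()

    def matches(self, value: Number) -> bool:
        if self.values:
            return value in self.values
        return self.low <= value <= self.high


def parse_filter_values(text: str, lo: Number, hi: Optional[Number] = None) -> ValueFilter:
    """Parse "a-b" (a single range) or "v1,v2,..." (a list); reject anything else.

    Every value must lie within lo..hi (hi=None means no upper bound).
    """
    text = text.strip()
    if not text:
        raise ValueError("empty filter value")
    if "-" in text:
        if "," in text:
            raise ValueError("enter one range or a comma-separated list, not both")
        start_s, _, end_s = text.partition("-")
        start, end = _number(start_s), _number(end_s)
        if start > end:
            raise ValueError(f"range start {start} exceeds end {end}")
        result, bounds = ValueFilter(low=start, high=end), (start, end)
    else:
        values = frozenset(_number(v) for v in text.split(","))
        result, bounds = ValueFilter(values=values), tuple(values)
    for v in bounds:
        if v < lo or (hi is not None and v > hi):
            limit = f"{lo}-{hi}" if hi is not None else f"{lo} or more"
            raise ValueError(f"value {v} outside the allowed range {limit}")
    return result


def parse_channel_filter(text: str) -> ValueFilter:
    """Channel filter: acceptable values range from 1-161."""
    return parse_filter_values(text, CHANNEL_MIN, CHANNEL_MAX)


def parse_speed_filter(text: str) -> ValueFilter:
    """Speed filter in Mbps; the guide states no upper bound."""
    return parse_filter_values(text, 1)


def is_valid_channel_filter(text: str) -> bool:
    """True when the string would be accepted in the Channel field."""
    try:
        parse_channel_filter(text)
    except ValueError:
        return False
    return True


# Constructed packet records for the example (not captured data).
SAMPLE_PACKETS: List[Dict[str, Number]] = [
    {"id": 1, "channel": 1, "speed_mbps": 1},
    {"id": 2, "channel": 6, "speed_mbps": 54},
    {"id": 3, "channel": 11, "speed_mbps": 48},
    {"id": 4, "channel": 149, "speed_mbps": 54},
    {"id": 5, "channel": 36, "speed_mbps": 6},
    {"id": 6, "channel": 11, "speed_mbps": 5.5},
]


def select_packets(packets: Sequence[Dict[str, Number]],
                   channel_filter: Optional[str] = None,
                   speed_filter: Optional[str] = None) -> List[int]:
    """Return the ids of packets matching every filter supplied (assumed AND)."""
    channels = parse_channel_filter(channel_filter) if channel_filter else None
    speeds = parse_speed_filter(speed_filter) if speed_filter else None
    selected = []
    for pkt in packets:
        if channels is not None and not channels.matches(pkt["channel"]):
            continue
        if speeds is not None and not speeds.matches(pkt["speed_mbps"]):
            continue
        selected.append(pkt["id"])
    return selected
```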

Setting Filter Options in the Buffer Tab

Set options for the capture buffer on the Buffer tab. (These settings are used only if the filter is being used as a capture filter.) For a description of the capture buffer settings, refer to Capture Buffer on page 124.

Working with Display Filters

A display filter allows you to filter out unwanted packets when you display the contents of a capture buffer or trace file in the postcapture window. The profile defined for a capture filter can also be used for filtering out packets from the postcapture Display by using the Display > Select Filter command; the dialog box that appears will display all defined Capture Filter profiles under their own entry. See Selecting Filters / Combining Multiple Filters on page 174 for details. The procedure for defining a display filter is identical to the procedure for a capture filter.

To create or change a display filter:

1. From the Display menu, select Define Filter.
2. Follow the Define Filter procedure (Defining Filters on page 220). The links to topics describing how to create various capture filters are applicable to defining a display filter.
3. From the Display menu, choose Select Filter to apply your new filter to the current display.

Filtering from the Decode Window

This release provides a variety of new features for filtering from a Decode tab. You can:

· Select a packet in the Decode tab's Summary pane and click the Define Filter button to automatically populate the Define Filter dialog box with some of its components (connection information, source port/address, destination port/address, and so on).
· Add a new filter component to the previous filter by selecting a packet in the Summary tab and clicking the Add to Last Filter button.
· Use the Quick Filter button to automatically filter the display based on the selected information in the currently selected packet (Quick Filters do not display the Define Filter - Display dialog box as automatic filters do).
· Specify whether Display filters return results by selecting/clearing packets in the active tab or by creating a new tab of filtered packets.
· Apply Display filters to all packets or only selected packets.

These features are described in detail starting in Postcapture Decode Display on page 162. In particular, see the following topics:

· Using the Decode Tab Toolbar on page 165
· Setting Display Filters on page 167
· Using Automatic Display Filters on page 168
· Using Quick Filters on page 172
· Combining Filter Components ("Add to Last Filter") on page 173
· Selecting Filters / Combining Multiple Filters on page 174
· Saving Sets of Filtered Frames / Creating New Windows on page 177

Sharing Filters between Systems and Products

You can import or export individual filters between other Sniffer Portable Professional systems and some NetScout products (for example, Sniffer InfiniStream, Sniffer Portable and Sniffer Distributed). Filters are imported and exported through the Define Filter dialog box.

Importing Filters

Individual filters can be imported from other Sniffer Portable Professional units. Sniffer Portable Professional filters are compatible with other NetScout products supporting the .snf format (for example, Sniffer InfiniStream, Sniffer Portable, and Sniffer Distributed). Before importing a filter to your Sniffer Portable Professional installation, place the filter in a network drive accessible to the Sniffer Portable Professional machine.

To import filters:

1. From the main toolbar, click the Define Filter button to open the Define Filter dialog box.
2. Click the Profiles button at the base of the Summary tab.
3. Click Import in the Capture Profiles dialog box.
4. Browse to the directory containing the capture or display filter.
5. Select a filter and click Open.
6. Click OK.

The filter appears in the filter list and is copied to the appropriate folder on the Sniffer Portable Professional PC.

Exporting Filters

Individual filters can be exported for use with other NetScout products supporting the .snf format (for example, Sniffer InfiniStream, Sniffer Portable, and Sniffer Distributed).

To export filters:

1. From the main toolbar, click the Define Filter button to open the Define Filter dialog box.
2. Click the Profiles button at the base of the Summary tab.
3. Select a filter from the list.
4. Click Export in the Capture Profiles dialog box.
5. In the Select Default Directory dialog box, select Folders.
6. Select the desired location where you want to export the filter from the Drives drop-down list. You can also click Network to specify a different machine accessible to the Sniffer Portable Professional PC.
7. Click OK.

Defining Triggers

Triggers let you start and stop captures based on date and time, alarms, and specific network events. Use triggers to capture data while your Sniffer Portable Professional machine is unattended, such as on off-hours or weekends, or to start captures when specific events occur, such as alarm conditions.

IMPORTANT: You cannot enable a trigger when a capture is already running. If you try to do so, you will receive a Failed to set trigger error message. Stop any active captures before enabling a new trigger.

You can define three kinds of triggers: start triggers, which will start a capture session; stop triggers, which will stop a capture session; and start and stop triggers, which do both. A start trigger has two elements:

· Trigger specification. Specifies what will start a capture session. Select a predefined trigger specification from a drop-down list, or create a new one by clicking the Define button.
· Capture filter specification. Select a capture filter to use during the capture. Select one from the Capture Filter list.

A stop trigger has three elements:

· Trigger specification. Specifies what will stop a capture session. Select a predefined trigger specification from a drop-down list, or create a new one by clicking the Define button.
· Trigger delay specification. Specifies how many packets to capture after the stop trigger event occurs.
· Restart option. Check this box to automatically restart capturing after the stop trigger event occurs.

As with a filter, once you create and name a trigger, you can reuse it whenever appropriate.


To define a trigger:

1. Select Trigger Setup from the Capture menu. The Trigger Setup dialog box opens (shown in Figure 10-8).

Figure 10-8. Defining a Trigger. Callouts: click to specify which events to use as a start trigger (start time and date, threshold alarm, and/or event filter); specify what capture filter to use when the trigger event occurs; the picture graphically depicts your trigger definition; define how to control packet capture (start trigger, stop trigger, delay after trigger, or repeat mode); click to specify which events to use as a stop trigger (start time and date, threshold alarm, and/or event filter).

2. Select Enable under Start Trigger, Stop Trigger, or both. Start triggers start capture sessions when the trigger event is detected. Stop triggers stop a capture session when the trigger event is detected. Start and stop triggers do both.

3. Click the Define button corresponding to the type of trigger event you want to specify (Start or Stop). Either the Start Trigger dialog box (Figure 10-9) or the Stop Trigger dialog box appears, depending on which Define button you clicked. These dialog boxes let you specify the Start or Stop Trigger event. Existing trigger profiles are shown in the Triggers list.

   a. Click New to create a new trigger.
   b. Enable the Date/Time option to select a specific date and time as the trigger event.
   c. Enable the Alarms option to select a particular type of Monitor Alarm as the trigger event. The thresholds for monitor alarms are specified in the Tools > Options > MAC Threshold tab.
   d. Enable the Event filter option to select a Filter Profile as the trigger event. The dropdown automatically lists all configured Filter Profiles. When Sniffer Portable Professional detects a packet matching the selected filter's definitions, capture will either start or stop (depending on what type of trigger you are setting up). For example, if you want to start a capture triggered by a particular IP address, you can accomplish this by defining an IP address filter with your known IP address in the Station 1 field and Any in the Station 2 field, with the Dir set appropriately. Then, you can use this filter as the Event filter for the Start Trigger.
   e. Click OK to close the Start Trigger or Stop Trigger dialog box.

Figure 10-9. Start Trigger Dialog Box

4. In the Trigger Setup dialog box (Figure 10-8):

   For Start Triggers:
   a. Use the Capture Filter option to select what capture filter to use when the trigger event is detected and capture starts.

   For Stop Triggers:
   a. Specify the number of packets to capture after the Stop trigger event in the field provided.
   b. Check the Automatically re-start capture after stop field to restart capture automatically after capture is stopped after a Stop Trigger event.

5. Check Repeat Mode to automatically repeat this trigger. This option applies to both Start and Stop triggers.

6. Click OK.

Specifying a Capture Filter for a Trigger

To specify what capture filter to use when a capture is started with a trigger:

1. Select Trigger Setup from the Capture menu.
2. In the Start Trigger section, check the Enable checkbox.
3. Select a trigger from the pull-down list. If you want to create a new trigger, click Define.
4. Select the capture filter you want from the Capture Filter pull-down list. (If you want to create a new capture filter, cancel from the Trigger Setup dialog box and select Define Filter from the Capture menu. Then return to the Trigger Setup dialog box and continue.)
5. Click OK.

Capture Trigger Example

The following example shows how an event filter (seeing any Telnet packet) can be used to trigger the start of a packet capture. Then, after either 60 minutes has elapsed or a predefined IP address is detected, the packet capture continues for 3,000 packets, and then the capture stops.

This example assumes that filters have already been defined for a Telnet packet and a known IP address:

1. From the Capture menu, select Trigger Setup to open the Trigger Setup dialog box.
2. Check the Enable check box of the Start Trigger section, and click the Define button. A Start Trigger dialog box appears.
3. Click New to invoke a New Trigger dialog box.
4. Enter the name of the start trigger, in this example, Start Trigger Sample.
5. Click OK.
6. Mark the Event Filter check box, and select a defined filter from the drop-down list. In our example, we've previously created a filter named Telnet Packet and selected it as the Event Filter in the Start Trigger dialog box. Click OK. Alternatively, you may use Date/Time or Alarm as the trigger. Enter the time, and select each weekday of your choice by clicking on the button to toggle its ON/OFF state. A floating button means OFF; a sinking button means ON. If you are interested in using network traffic load to trigger capture, select Alarms and the individual network variables as the trigger.
7. Select a capture filter profile from the Capture Filter pull-down menu. The capture filter selected here will be used as the capture filter when the start trigger activates the capture.
8. Mark the Enable check box of the Stop Trigger section, and click Define.
9. ... and click OK.
10. Click New, and define a new stop trigger, Stop Trigger Sample.
11. Select the Time check box. Specify Stop after 3600 seconds from start as the first stop trigger. Mark the Event filter check box, and select IP Address as the second stop trigger. Then click OK.
12. Enter Capture 3000 packets after stop trigger happened. Click OK. The trigger appears as in the figure below.

Figure 10-10. Sample Trigger
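The trigger logic of this example (start on any Telnet packet; stop after 3600 seconds or when the known IP address appears; then capture 3000 more packets; optionally repeat), replayed over a constructed packet stream. This is an added simulation, not Sniffer Portable Professional code; it assumes Telnet means destination port 23, that the packet firing a trigger is itself kept in the capture, and that the time limit is evaluated as packets arrive rather than by a wall-clock timer.

```python
"""Simulate Sniffer-style start and stop triggers over a packet stream.

Added example; it is not code from Sniffer Portable Professional. It models
the Capture Trigger Example above: a start trigger fired by an event filter
(any Telnet packet), a stop trigger fired by either 3600 seconds elapsing since
the start or an IP Address filter matching, then 3000 more packets captured
before the capture stops. Packet fields, addresses, keeping the packet that
fired a trigger, and checking the time limit on packet arrival are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since the stream began
    src: str
    dst: str
    dport: int


Matcher = Callable[[Packet], bool]


def telnet_filter(p: Packet) -> bool:
    """Event filter 'Telnet Packet': destination port 23 (assumed)."""
    return p.dport == 23


def ip_address_filter(station1: str, direction: str = "both") -> Matcher:
    """Event filter 'IP Address': Station 1 = known IP, Station 2 = Any.

    direction is "both", "from" (Station 1 must be the source) or "to".
    """
    def match(p: Packet) -> bool:
        if direction == "from":
            return p.src == station1
        if direction == "to":
            return p.dst == station1
        return station1 in (p.src, p.dst)
    return match


@dataclass
class TriggerConfig:
    start_event: Matcher
    stop_event: Optional[Matcher] = None          # stop trigger: event filter
    stop_after_seconds: Optional[float] = None    # stop trigger: Time
    packets_after_stop: int = 0                   # "Capture N packets after stop trigger"
    repeat: bool = False                          # Repeat Mode


@dataclass
class CaptureSession:
    started_at: float
    stop_reason: str = ""                         # "time", "event" or "stream-end"
    packets: List[Packet] = field(default_factory=list)


def _stop_reason(cfg: TriggerConfig, session: CaptureSession, p: Packet) -> str:
    if cfg.stop_after_seconds is not None and p.ts - session.started_at >= cfg.stop_after_seconds:
        return "time"
    if cfg.stop_event is not None and cfg.stop_event(p):
        return "event"
    return ""


def run_triggers(stream: Iterable[Packet], cfg: TriggerConfig) -> List[CaptureSession]:
    """Replay the stream and return every capture session the triggers produced."""
    sessions: List[CaptureSession] = []
    current: Optional[CaptureSession] = None
    remaining = 0   # packets still to capture once the stop trigger has fired
    for p in stream:
        if current is None:
            if cfg.start_event(p):
                current = CaptureSession(started_at=p.ts, packets=[p])
            continue
        current.packets.append(p)
        if not current.stop_reason:
            current.stop_reason = _stop_reason(cfg, current, p)
            if not current.stop_reason:
                continue
            remaining = cfg.packets_after_stop
        else:
            remaining -= 1
        if remaining <= 0:
            sessions.append(current)
            current = None
            if not cfg.repeat:
                break   # without Repeat Mode the trigger is spent after one capture
    if current is not None:
        current.stop_reason = current.stop_reason or "stream-end"
        sessions.append(current)
    return sessions


KNOWN_IP = "192.0.2.10"   # the "known IP address" of the example (constructed)


def _web(t: int, src: str = "10.0.0.2") -> Packet:
    return Packet(float(t), src, "10.0.0.3", 80)


def build_sample_stream() -> List[Packet]:
    """Constructed traffic: web packets, one Telnet packet, later one from KNOWN_IP."""
    pkts = [_web(t) for t in range(5)]
    pkts.append(Packet(5.0, "10.0.0.2", "10.0.0.9", 23))        # fires the start trigger
    pkts += [_web(t) for t in range(6, 16)]
    pkts.append(Packet(16.0, KNOWN_IP, "10.0.0.3", 443))        # fires the IP Address stop trigger
    pkts += [_web(t, "10.0.0.4") for t in range(17, 17 + 3500)]  # more than the 3000 post-stop packets
    return pkts


def sample_trigger_config() -> TriggerConfig:
    return TriggerConfig(start_event=telnet_filter, stop_event=ip_address_filter(KNOWN_IP),
                         stop_after_seconds=3600, packets_after_stop=3000)
```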


Trigger Entries in Alarm Log

Sniffer Portable Professional will log information related to trigger event detection, and to captures started or stopped based on trigger event detection, to the local Alarm Log. Alarms logged for trigger events typically include the time the capture started, the types of trigger event(s) specified for both Start and Stop triggers, and a variety of other configuration information summarizing the trigger definitions.

Chapter 11 Using the Address Book

Overview

The address book lets you assign familiar, recognizable names for your network nodes. These symbolic names are used in place of six-byte hardware addresses and IP addresses in:

· Filter definitions
· The capture decode display
· The Expert display
· Host Table displays (both monitor and capture)
· Matrix displays (both monitor and capture)

To create an address book to maintain a symbolic name table for your own network, you can:

· Enter names manually (see Entering Names Manually on page 252)
· Use the address book's autodiscovery feature
· Add names discovered by the Expert analyzer

About Address Entries

The Address Book allows you to define your network nodes with more readable symbolic names. Sniffer Portable Professional uses the address book in filter definitions, the capture decode display, the Expert display, and the Host Tables to replace the six-byte hardware address or network address of the network node with its respective symbolic name. An address book entry contains:

· Name
· Medium
· Hardware Address
· IP Address
· IPX Address
· Type
· Description

NOTE: The address book can contain a maximum of 5,000 entries.

Sniffer Portable Professional uses only the medium, hardware address, IP/IPX address, and Type fields. The other fields are only informational.

The Medium field can also be thought of as a topology field - it refers to the type of network entity for which you are creating an Address Book entry. The Medium field tells Sniffer Portable Professional on what types of networks it should look for this Address Book entry. The Medium field also determines the type of HW Address you can enter. For example, if you set Medium to Ethernet, blanks are provided in the HW Address field for you to enter a standard Ethernet hardware address in hexadecimal format.

The Type selections are Workstation, Server, File Server, Printer Server, Router, Bridge, Hub, Access Point, and Mobile Unit. The Type field is mainly used when exporting the MAC addresses of access points to the Expert's list of known access points. The Description field is a text field in which you can write your own description or notes about the node.

Creating Address Book Entries

You create an address book to maintain a symbolic names table for your own network. To create entries in the address book, you can enter names manually or automatically discover names with the address book's autodiscovery feature.

To create an address book entry:

1. Select Address Book from the Tools menu or click the Address Book button in the main toolbar.
2. Click the right mouse button to display the context menu.
3. Click New Address to open the New/Edit Address dialog box.
4. Enter the Name, Medium, HW Address, IP Address and/or IPX Address. If the entry is a router, select Router for the Type. (This prevents duplicate address alarms during address autodiscovery.) Other entries are for user reference only. Sniffer Portable Professional does not interpret them.

NOTE: The Medium field can also be thought of as a topology field - it refers to the type of network entity for which you are creating an Address Book entry. The Medium field tells Sniffer Portable Professional on what types of networks it should look for this Address Book entry. The Medium field also determines the type of HW Address you can enter. For example, if you set Medium to Ethernet, blanks are provided in the HW Address field for you to enter a standard Ethernet hardware address in hexadecimal format.

5. Click Save to add the new entry to the Address Book.
6. Alternatively, click Save and Next to save this entry and add another entry.

NOTE: The address book can contain a maximum of 5000 entries.

Figure 11-1. The Address Book. Toolbar callouts: add a new address; edit selected address; delete selected address; undo and redo previous action; sort and unsort address book; export Access Point list; export table to spreadsheet; autodiscover IP addresses and Domain names; delete all entries.


Entering Names Manually

You can build your own address book by getting hardware addresses and IP addresses from the host table. To add a new address to the book, select Address Book from the Tools menu. Then, click the New Address button in the Address Book toolbar. The New/Edit Address dialog box opens (Figure 11-2). You can enter address information for a network node in this dialog box.

Figure 11-2. Entering Names Manually. Callouts: specify the name, medium, hardware address, IP/IPX address, and type of network node in these fields; a node Type can be Workstation, Server, File Server, Printer Server, Router, Bridge, Hub, Access Point, or Mobile Unit.

About the Medium Field

The Medium field can also be thought of as a topology field - it refers to the type of network entity for which you are creating an Address Book entry. The Medium field tells the Sniffer on what types of networks it should look for this Address Book entry. The setting of the Medium field also determines the type of HW Address you can enter. For example, if you set Medium to Ethernet, blanks are provided in the HW Address field for you to enter a standard Ethernet hardware address in hexadecimal format.


Autodiscovering Addresses and Names

Sniffer Portable Professional provides an autodiscovery feature that learns the following names and addresses automatically and saves them in the Address Book:

· A network node's IP address, its associated hardware address, and domain name
· A network node's NetBIOS name and hardware (MAC) address
· An IPX network node's Netware user name and hardware (MAC) address

NOTE: To ensure accuracy, autodiscovery discovers source addresses and not destination addresses.

IMPORTANT: During autodiscovery of Netware user names and MAC addresses, you must log in to a Netware Server from a DOS window and type the command userlist /a. This procedure enables Sniffer Portable Professional to extract login user names and hardware addresses.

To use the autodiscovery feature:

1. Click the autodiscovery button in the Address Book toolbar or right-click and select Auto Discovery. The Discovery Option dialog box opens. Select the type of address to resolve (see Figure 11-3).

Figure 11-3. Setting Autodiscovery Options (Wireless Adapter Selected). Callouts: click to resolve the Domain name of any IP node that has traffic on the subnet; enter the subnet address and node address range to resolve the Domain names of specific IP nodes; click to resolve the NetBIOS name of any node that has traffic on the subnet; click to resolve the Netware user name of any IPX node that has traffic on the subnet.

Exporting Access Point Addresses to the Expert's List of Known Addresses

You can use the Export AP button in the Address Book's toolbar to export each of the access point entries to the Expert's list of known access points. The Expert uses this list to generate the Rogue Access Point alarm. During capture with the Enable Rogue AP Lookup option enabled, the Expert compares the MAC address (not the IP address) of each detected access point to those in the Known Access Points in the Network list. If the access point's MAC address is not in the list, the Expert generates the Rogue Access Point alarm. You can see the Expert's list of known access points in the Tools > Expert Options > 802.11 Options tab or in the Tools > Wireless > Rogue dialog box. See Expert 802.11 Options on page 140 for details on configuring the Expert to generate Rogue Access Point and Rogue Mobile Unit alarms.


Configuring Autodiscovery for Routers

A router carries traffic between other subnets and the local segment where your Sniffer Portable Professional resides; therefore, the router's hardware address will be associated with any IP address that passes through it. This appears as a duplicate IP address to the autodiscovery process. When autodiscovery finds duplicate IP addresses, it adds an entry into the Alarm log and sounds an audible alarm. To prevent these false duplicate IP address alarms, you must manually enter your IP network router's IP address, hardware address, and domain name in the address book first, and specify the Type as Router.
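The duplicate IP check described above, and how an entry of Type Router suppresses the false alarm, modelled over a few constructed source address pairs. This is an added example, not Sniffer Portable Professional code; the packets, addresses, the 5,000-entry cap handling and the alarm record format are assumptions, and the Critical severity follows the default for Address: Duplicate IP address in Table 12-1.

```python
"""Model address-book autodiscovery's duplicate IP check and the Router exemption.

Added example; it is not code from Sniffer Portable Professional. Autodiscovery
here learns (hardware address, IP address) pairs from packet source fields only,
as the guide notes, and raises the Address: Duplicate IP address alarm (default
severity Critical per Table 12-1) when an IP already in the book is seen behind
a different hardware address. Traffic from a hardware address registered with
Type Router is exempt, since a router forwards packets for every remote IP. The
packets, addresses and alarm record format are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

MAX_ENTRIES = 5000   # the address book can contain a maximum of 5,000 entries


@dataclass
class AddressEntry:
    name: str
    medium: str
    hw_address: str
    ip_address: Optional[str] = None
    type: str = "Workstation"   # Workstation, Server, ..., Router, Bridge, ...


@dataclass
class Alarm:
    severity: str
    description: str


class AddressBook:
    def __init__(self, max_entries: int = MAX_ENTRIES) -> None:
        self.max_entries = max_entries
        self.entries: List[AddressEntry] = []
        self._by_hw: Dict[str, AddressEntry] = {}
        self._by_ip: Dict[str, AddressEntry] = {}

    def __len__(self) -> int:
        return len(self.entries)

    def add(self, entry: AddressEntry) -> None:
        if len(self.entries) >= self.max_entries:
            raise OverflowError(f"address book is full ({self.max_entries} entries)")
        entry.hw_address = entry.hw_address.lower()   # compare MACs case-insensitively
        self.entries.append(entry)
        self._by_hw[entry.hw_address] = entry
        if entry.ip_address:
            self._by_ip[entry.ip_address] = entry

    def by_hw(self, hw_address: str) -> Optional[AddressEntry]:
        return self._by_hw.get(hw_address.lower())

    def by_ip(self, ip_address: str) -> Optional[AddressEntry]:
        return self._by_ip.get(ip_address)


def autodiscover(book: AddressBook, packets: Sequence[Tuple[str, str]]) -> List[Alarm]:
    """Learn (source MAC, source IP) pairs into the book; return the alarms raised."""
    alarms: List[Alarm] = []
    for src_hw, src_ip in packets:
        src_hw = src_hw.lower()
        owner = book.by_hw(src_hw)
        if owner is not None and owner.type == "Router":
            # Forwarded traffic: the router's MAC says nothing about who owns src_ip.
            continue
        known = book.by_ip(src_ip)
        if known is None:
            book.add(AddressEntry(name=src_ip, medium="Ethernet",
                                  hw_address=src_hw, ip_address=src_ip))
        elif known.hw_address != src_hw:
            alarms.append(Alarm("Critical",
                                f"Duplicate IP address {src_ip}: {known.hw_address} and {src_hw}"))
    return alarms


ROUTER_HW = "00:00:5e:00:53:fe"
# (source hardware address, source IP) pairs; constructed, not captured.
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("00:00:5e:00:53:01", "10.0.0.5"),   # local host A
    ("00:00:5e:00:53:02", "10.0.0.6"),   # local host B
    (ROUTER_HW, "203.0.113.5"),          # remote host, forwarded by the router
    (ROUTER_HW, "203.0.113.6"),          # another remote host behind the router
    (ROUTER_HW, "10.0.0.6"),             # host B's IP behind the router MAC: false duplicate
    ("00:00:5e:00:53:07", "10.0.0.5"),   # a second MAC claiming host A's IP: real duplicate
]


def run_discovery(register_router: bool) -> Tuple[int, List[Alarm]]:
    """Run autodiscovery with or without the router entered first as Type Router."""
    book = AddressBook()
    if register_router:
        book.add(AddressEntry("gw", "Ethernet", ROUTER_HW, "10.0.0.1", type="Router"))
    alarms = autodiscover(book, SAMPLE_PACKETS)
    return len(book), alarms
```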

Adding Discovered Addresses to the Address Book

During capture, the Expert analyzer automatically discovers name and address pairs on the network. You can add these discovered addresses to the analyzer's Address Book using the Discovered Addresses dialog box.

To add name and address pairs discovered by the Expert:

1. After a capture, display the Expert tab of the display window.
2. Click Discovered Addresses in the Expert tab of the display window. The Discovered Addresses dialog box appears (Figure 11-4). It lists the new name and address pairs that have been discovered during the capture session. Only name and address pairs not already in the address book are listed.

Figure 11-4. The Discovered Addresses Dialog Box

3. Select the addresses in the list that you would like to add to the Address Book. You can use the standard Shift-Click and Ctrl-Click methods to select multiple entries. You can also use Select All and Select None to speed the selection process.
4. When you have finished selecting the addresses you would like to add to the Address Book, click Update.
5. The Address Book appears with the newly added entries.

NOTE: The General tab of the Options dialog box (accessed from the Tools menu) provides a means to ensure that you are reminded to save discovered name and address pairs. If you enable the Discovered Address checkbox in the Prompt to save/update list, the analyzer will always ask you if you want to save discovered addresses that have not yet been saved when you close a capture window.

Chapter 12 Managing Alarms

Overview

Sniffer Portable Professional's alarm features provide a comprehensive method of detecting and logging network alarm events:

· The Sniffer Expert generates alarms during data capture. It can log an event in the Alarm log when it detects a symptom or diagnosis.
· The monitor's Alarm Manager starts automatically when you start Sniffer Portable Professional. It logs an event in the Alarm log when a user-specified threshold parameter is exceeded.

Abnormal network events can be assigned to one of five different levels of severity: Critical, Major, Minor, Warning, and Informational. In addition, you can associate each severity level with up to four alarm notification actions (for example, you can configure Sniffer Portable Professional to send email when a Critical or Major alarm occurs). Alarm notification actions can be activated during certain time periods within a day, or on certain days of the week.

The Alarm Log

Logged alarm events (Monitor alarms and Expert alarms) are listed in the Alarm log, which you display by selecting Alarm Log from the Monitor menu or by clicking the Alarm button.

IMPORTANT: Alarms (both Monitor and Expert) are only logged in the Monitor > Alarm Log if the Enable Alarm option is checked in the Tools > Options > Alarm tab. This option is enabled by default. See Setting Up Logging for the Local Alarm Log on page 259 for details.

For each alarm event, you see the type of node that triggered the alarm (for example, server, bridge, or hub), a description of the alarm, the time it occurred, and the severity level. The Alarm log (sample shown in Figure 12-1) displays the following information:

· Status. Alarm status. The Status can be new (-) or acknowledged (i). To acknowledge an alarm, right-click on the alarm entry and select Acknowledge.
· Type. The type of node triggering the alarm (as defined in your address book).
· Log Time. The date and time the alarm was triggered.
· Severity. Level of severity assigned to this type of alarm (1 through 5).
· Description. A brief description of the error.

Figure 12-1 shows a sample Alarm log.

Figure 12-1. The Alarm Log


Setting Up Logging for the Local Alarm Log

Configuring logging for the local Alarm Log consists of the following steps:

· Make sure the Enable Alarm option is checked in the Tools > Options > Alarm tab (Figure 12-2). This option is enabled by default. This option must be enabled for any logging to take place in the local Alarm Log.
· Use the Tools > Expert Options > Alarms tab to set Alarm Logged to YES for each Expert alarm you'd like logged in the local Alarm Log. See Logging and Severities for Expert Alarms.
· Use the Tools > Options > Alarm tab's Severities button to specify the severity for each possible monitor alarm. See Severities for Monitor Alarms.

Figure 12-2. Setting Up Alarm Logging. Callout: alarms are logged in the local Alarm Log when the Enable Alarm option is checked.


Setting Alarm Severity Levels

You can assign a severity level to both Monitor and Expert alarms (symptoms and diagnoses).

· Severities for Monitor Alarms on page 260
· Logging and Severities for Expert Alarms on page 262

IMPORTANT: Alarms (both Monitor and Expert) are only logged in the Monitor > Alarm Log if the Enable Alarm option is checked in the Tools > Options > Alarm tab. This option is enabled by default. See Setting Up Logging for the Local Alarm Log on page 259 for details.

Severities for Monitor Alarms

By default, Sniffer Portable Professional defines the alarm event types listed in the table below and assigns each one a severity level. You can change the default severity level assigned to each event to suit your specific network operating environment. Table 12-1 lists the default severity levels.

Table 12-1. Default Severity Levels

Alarm Event                                    Severity Level
Threshold: Over upper limit                    Critical
Address: Duplicate IP address                  Critical
Address: Duplicate data in address book        Inform

To change an alarm severity level, select Options from the Tools menu, then click the Alarm tab. Click the Define Severity button to open the Define Severity dialog box (Figure 12-3). Click the Severity cell for an alarm to display a list of severity-level options. Select the one you want to use and click OK.

Figure 12-3. Setting Severity Levels for Alarms. Callout: select the severity level from the drop-down list.


Logging and Severities for Expert Alarms

Expert alarms (symptoms and diagnoses) can be assigned one of five different severity levels: Critical/Diag, Major, Minor, Warning, and Informational. The severity level for a symptom or diagnosis displays in the summary pane of the Expert window. It is also recorded in the Alarm log if the alarm setting Alarm Logged is set to YES in the Tools > Expert Options > Alarms tab.

IMPORTANT: Alarms (both Monitor and Expert) are only logged in the Monitor > Alarm Log if the Enable Alarm option is checked in the Tools > Options > Alarm tab. This option is enabled by default. See Setting Up Logging for the Local Alarm Log on page 259 for details.

To change the severity level for an Expert alarm, select Expert Options from the Tools menu and click the Alarms tab (Figure 12-4). Then, click (0) or (1) at the top of the left column to expand/collapse all Expert layers. Click (+) or (-) next to an Expert layer to display all alarms for that level. For the Alarm log to record the alarm, you must set the Alarm Logged option to Yes. Click in the Value cell for an alarm to display a dropdown box. From the dropdown box, select a severity level.

NOTE: The alarm must be recorded in the Alarm log for notification to take place. Refer to Setting an Alarm Notification Action on page 265.

Figure 12-4. Setting Severity Levels for Expert Alarms. Callouts: click to expand/collapse all Expert layers; click the + to open an Expert layer and display all alarms; click the + to display an alarm's settings; click the Value cell for the severity to display the drop-down box; Alarm Logged must be set to Yes to record the alarm in the Alarm log.


Setting Alarm Notification

Each severity level that can be assigned to an alarm (Critical/Diag, Major, Minor, Warning, and Informational) can be associated with up to four alarm notification actions. These notification actions can be enabled for specified time periods within a day, and on specified days of the week. When an alarm is triggered, Sniffer Portable Professional can:

· Send email
· Invoke a script to open an application or send an alarm notification as an SNMP trap to an SNMP console

To set up a notification action:

1. Select Options from the Tools menu.
2. Select the Alarm tab.
3. Click Define Actions to open the Define Actions dialog box (Figure 12-5).
4. Click Add and select the radio button for the type of alarm response you want. A wizard will guide you through the setup procedure.

NOTE: Expert alarms must have their Alarm Logged options set to Yes in the Tools > Expert Options > Alarms tab for notification to take effect. Refer to Logging and Severities for Expert Alarms on page 262.


Figure 12-5. Setting an Alarm Notification Action. Callouts in the figure: click Add to open the New Alarm Action dialog box and set up a new alarm action; specify a name for the alarm action; select and configure the option you want to use.

Enabling Alarm Actions

After you complete the definition of an alarm action, you must assign it to a severity level. Up to four actions can be assigned to a severity level. When an alarm of a particular severity level occurs, all actions assigned to it are executed (unless disabled by time and date settings).

NOTE: You must enable alarms for alarm actions to take place. Check the Enable Alarm check box on the Alarm tab to enable alarm actions.

Alarm Beeps and Sounds

By default, Sniffer Portable Professional makes a single beep sound when an alarm occurs. If you prefer another sound, you can replace the standard beep with any .wav sound file. To do this, click the button on the Alarm tab and select the file.


13 Network Adapters and Settings

Overview

This chapter describes how to select different adapters for capture, and how to bind and load multiple instances of Sniffer when more than one adapter is present. It also explains how to use Sniffer Portable Professional's profile feature to maintain multiple sets of settings for capture and monitoring.

Removing Network Adapters

Do not remove network adapters from the Sniffer Portable Professional PC while the application is actively using them. For example, if Sniffer Portable Professional is currently logged on to a wireless adapter, do not remove that adapter; doing so can produce unpredictable results. Instead, close Sniffer Portable Professional and then remove the adapter. On Windows Vista, you must reboot the system after removing a network adapter and inserting a new one before you can monitor data.

Selecting Network Adapters

If you have more than one network interface card (adapter) installed in your system, you can select which card Sniffer Portable Professional will use. If you have multiple adapters attached to different network segments, you can select which segment Sniffer Portable Professional will monitor by switching from one adapter to another.

NOTE: See Installing Sniffer Portable Professional for a list of supported 802.11 adapters.


To select an adapter:

1 Select Adapter Settings from the File menu to open the Adapter Settings dialog box (see Figure 13-1). The Adapter Settings dialog box lists the profiles you have defined for this Sniffer Portable Professional PC.

2 From the list provided, select a previously defined profile as the target network for Sniffer Portable Professional to monitor.

NOTE: To define new profiles to use for monitoring, click New and supply the appropriate information. See Creating Sniffer Monitoring Profiles on page 270 for more information.

3 Change the Real Time/Post Capture option if desired. This checkbox specifies whether Sniffer Portable Professional will actively monitor an adapter at startup:

- If the Post Capture box appears, the selected profile is currently in Real Time mode and will automatically begin monitoring the selected adapter at startup. Check the Post Capture box to open the application without monitoring a specific card.
- If the Real Time box appears, the selected profile is currently in Post Capture mode and will only be available for trace file analysis. Check the Real Time box to enable real-time monitoring and analysis, subject to the privileges assigned to your account.

The name of this option changes depending on the mode the card is currently set to. For example, because the card selected in Figure 13-1 is set to start in Real Time mode, you could check Post Capture to reverse that.

4 Change the Local Mode option if desired. This checkbox specifies whether Sniffer Portable Professional monitors all traffic or only local/broadcast/multicast traffic:

- If Local Mode is not checked, Sniffer Portable Professional monitors promiscuously, capturing all traffic the adapter receives.
- If Local Mode is checked, Sniffer Portable Professional monitors only traffic to or from the local host, broadcast traffic, and multicast traffic addressed to the local host.

5 Click OK.
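To make the Local Mode distinction in step 4 concrete, here is an added example that is not part of Sniffer Portable Professional: it parses raw Ethernet headers and applies the Local Mode rule to constructed sample frames, so you can see which frames a non-promiscuous view keeps and which only a promiscuous capture shows. Which multicast groups count as "addressed to the local host" is not specified on the page; the example models them as a set of joined group MAC addresses, which is an assumption.

```python
"""Which frames does Local Mode admit, compared with promiscuous monitoring?

Added example, not Sniffer Portable Professional code. It applies the Local
Mode rule to raw Ethernet frames: keep frames to or from the local host,
broadcast frames, and multicast frames for groups the host has joined. The
joined-group set is an assumption about how "addressed to the local host"
is decided; all sample frames below are constructed.
"""

BROADCAST = bytes.fromhex("ffffffffffff")


def mac(s: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ethernet_header(frame: bytes):
    """Return (dst, src, ethertype); reject runt frames shorter than the 14-byte header."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    return frame[:6], frame[6:12], int.from_bytes(frame[12:14], "big")


def is_multicast(addr: bytes) -> bool:
    """Group bit: least significant bit of the first octet (01:00:5e:..., 33:33:...)."""
    return bool(addr[0] & 0x01) and addr != BROADCAST


def local_mode_admits(frame: bytes, local_mac: bytes, joined_groups=frozenset()) -> bool:
    """The Local Mode rule: to/from us, broadcast, or a multicast group we joined."""
    dst, src, _ = ethernet_header(frame)
    if dst == local_mac or src == local_mac:
        return True
    if dst == BROADCAST:
        return True
    return is_multicast(dst) and dst in joined_groups


def classify(frame: bytes, local_mac: bytes, joined_groups=frozenset()):
    """(address class, ethertype, admitted by Local Mode). Promiscuous mode admits everything."""
    dst, src, ethertype = ethernet_header(frame)
    kind = ("broadcast" if dst == BROADCAST else
            "multicast" if is_multicast(dst) else
            "local unicast" if local_mac in (dst, src) else "other unicast")
    return kind, ethertype, local_mode_admits(frame, local_mac, joined_groups)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"") -> bytes:
    return dst + src + ethertype.to_bytes(2, "big") + payload


LOCAL = mac("00:11:22:33:44:55")           # the analyzer's own adapter (constructed)
OTHER_A = mac("00:aa:bb:cc:dd:01")
OTHER_B = mac("00:aa:bb:cc:dd:02")
MDNS_GROUP = mac("01:00:5e:00:00:fb")      # 224.0.0.251 mapped to Ethernet
IPV6_ALLNODES = mac("33:33:00:00:00:01")   # ff02::1 mapped to Ethernet

# Constructed sample frames; ethertypes 0x0800 IPv4, 0x0806 ARP, 0x86dd IPv6.
SAMPLE_FRAMES = {
    "arp request (broadcast)": build_frame(BROADCAST, OTHER_A, 0x0806),
    "ipv4 to local host": build_frame(LOCAL, OTHER_A, 0x0800),
    "ipv4 from local host": build_frame(OTHER_B, LOCAL, 0x0800),
    "ipv4 between two other hosts": build_frame(OTHER_A, OTHER_B, 0x0800),
    "mdns multicast (joined)": build_frame(MDNS_GROUP, OTHER_A, 0x0800),
    "ipv6 all-nodes multicast (not joined)": build_frame(IPV6_ALLNODES, OTHER_B, 0x86DD),
}


def local_mode_view(frames=SAMPLE_FRAMES, local_mac=LOCAL,
                    joined_groups=frozenset({MDNS_GROUP})):
    """Names of the frames Local Mode keeps; a promiscuous capture keeps all of them."""
    return [name for name, f in frames.items()
            if local_mode_admits(f, local_mac, joined_groups)]


if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:40s} {classify(frame, LOCAL, frozenset({MDNS_GROUP}))}")
```

With Local Mode on, the unicast frame between the two other hosts and the multicast group the host has not joined disappear from the view; everything else is identical to the promiscuous capture. Promiscuous mode only widens what the adapter accepts: on a switched segment the switch still delivers only flooded frames and frames destined to that port, so seeing other hosts' unicast traffic additionally requires a SPAN/mirror port or a tap.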


Figure 13-1. Selecting a Network Adapter


Creating Sniffer Monitoring Profiles

To operate Sniffer Portable Professional with different network adapters and settings, you create separate entities, called profiles. A profile can be thought of as a set of settings -- each profile holds session information, such as the address book, capture filter settings, and packet display options. Each profile has independent configuration information, so it can be used to globally reconfigure Sniffer Portable Professional when moving from one network to another, one segment to another, or for setting up the options for specific tasks. When you create a new profile, it automatically uses the settings currently defined in the Sniffer Portable Professional application (the address book, capture filter settings, packet display options, and so on).

NOTE: If you use Sniffer Portable Professional as a field service tool to troubleshoot different networks, use the profile feature to maintain configuration information for each client's network.

To create a new profile:

1 Select Adapter Settings from the File menu.

2 Click New.

3 In the New Settings dialog box (Figure 13-2), enter a description for the profile in the field provided. This will also be the name of the profile and will appear in future instances of the Settings dialog box.

4 Select the adapter for this profile. All adapters are listed.

NOTE: Various options in Sniffer Portable Professional's menus change depending on the type of adapter you have selected for capture.

5 Use the Copy settings from field to use the configuration settings from an existing profile. The drop-down list includes all previously defined profiles on the Sniffer Portable Professional PC. The copied settings include the address book, filter settings, trigger settings, alarm threshold settings, and so on. If you do not use the Copy settings from field, the new profile is created from the settings currently active in Sniffer Portable Professional. You can then change these settings to suit your needs.

6 Click OK.


Tips:

- Once you have created multiple profiles, you can launch new Sniffer Portable Professional sessions without creating the agents again.
- It may be useful to think of a profile as a "set of settings." You can define multiple sets of settings (profiles) for a single adapter, which makes it easy to switch between different monitoring or analysis needs simply by switching profiles. The same network card is used, but the configuration settings within the analyzer differ.

Figure 13-2. Creating a profile


Index

Numerics

802.11 Options tab (Expert Options), 140
802.11 tab
  Status column, 85, 88
90% Response ART setting, 102

A

Absolute time, 182
access point
  determining full hex address, 147
Acknowledge counter
  in Dashboard's 802.11 tab, 81
Adapter Settings dialog box, 267
Adapters, using, 267
Adding tools to the Tools menu, 64
Address Book, 249, 254
  autodiscovering addresses and names, 253
  creating, 250
  entering names manually, 252
Address filter, 225
Advanced tab (Define Filter), 235
Alarm
  beeps and sounds, 265
  enabling notification actions, 265
  features, 257
  log, 120, 257
  Monitor thresholds, 75
  notification actions, 264
  severity levels, 260
  sound files, 265
Alarm Log
  setting up logging, 259
alarm severities, 259
alarms
  Expert thresholds, 137
  Monitor thresholds, 51
  none in Alarm Log?, 120, 257, 260, 262
ART
  data not displaying?, 98
  setting options, 101
  tabular view statistics, 98
Association Requests counter
  in Dashboard's 802.11 tab, 79
Association Responses counter
  in Dashboard's 802.11 tab, 79
Atheros AR5002X
  using as a normal network adapter, 29
ATIMs counter
  in Dashboard's 802.11 tab, 80
Authentication field
  in Host Table, 86, 89
Authentications counter
  in Dashboard's 802.11 tab, 80
autodiscovering wireless units, 145
Autodiscovery, 253

B

Beacons counter
  in Dashboard's 802.11 tab, 80
  in Global Statistics, 119
  in Host Table, 90
BSSID counter
  in Dashboard's 802.11 tab, 81
  in Global Statistics, 119
BSSID column in 802.11 tab, 85
Building your own address book, 252

C

Capture
  buffer options, 124
  saving to a file, 127
Capture filters, 129
Capture panel, 123
Capture triggers, 129
Captured data, displaying, 158
Capturing data
  between specific stations, 128
  to or from a station, 84
cards missing, 34
CF End counter
  in Dashboard's 802.11 tab, 81
CF End/CF ACK counter
  in Dashboard's 802.11 tab, 81
Ch. No. counter
  in Global Statistics, 118
Changing Expert alarm settings, 262
Cisco Aironet
  installation notes and issues, 34
Cntl Pkts counter
  in Global Statistics, 118
Color-code packets, 178
Configuring
  autodiscovery for routers, 254
  default routers (Expert), 138
  Expert analysis, 134
Creating
  an address book, 250
  profiles, 270
CTS counter
  in Dashboard's 802.11 tab, 81
Cumulative bytes, 182
Customer Support, 4
Customizing
  the decode display, 177
  user tools, 64

D

Data pattern filter, 230
Data Pkts counter
  in Dashboard's 802.11 tab, 77
  in Global Statistics, 118
Data Rate Counters, 79
Data Throughput counter
  in Dashboard's 802.11 tab, 78
Data, displaying, 158
Deauthentications counter
  in Dashboard's 802.11 tab, 80
Decode Font, 178
Decode tab, 162
  searching for frames, 186
Define Filter
  wireless options, 220
Defining
  filters, 220
  triggers, 242
Delta time, 182
Detail pane (decode display), 162
Detail tree pane, 132
Diagnosis in Expert analysis, 132
Disabling
  Real-time decodes, 213
  real-time Expert analysis, 135
  RIP analysis (Expert), 138
Disassociations counter
  in Dashboard's 802.11 tab, 80
discovered addresses, 255
Display
  customizing the decode display, 177
  Decode, 162
  Expert, 131
  filters, 167
  formats, 162
  Host Table, 206
  Matrix, 202
  menu, 164
  navigating the decode display, 164
  options on General tab, 179
  Protocol Distribution, 208
  setting decode display options, 177
  Statistics, 210
Display vendor ID on MAC address, 180
Displaying
  captured data, 158
  decoded packets, 162
  Expert data, 131
  Expert explain messages, 153
  the Alarm log, 257
Domain names, resolving, 253
Duplicate IP address and autodiscovery, 255

E

Enable Rogue AP Lookup option, 61, 140
Enable Rogue Mobile Unit option, 61, 140
Enabling alarm actions, 265
Enabling Real-time decodes, 213
Encryption field
  in Host Table, 86, 88
Errors counter
  in Global Statistics, 118
ESSID counter
  in Dashboard's 802.11 tab, 81
  in Host Table, 85, 88
Ethernet, 11
Exclude protocols, 182
Expert
  alarms, 262
  diagnoses, 132
  display, 131
  explain messages, 153
  exporting data, 154
  layers, 134
  objects, 134
  options, 134
  rearranging the display, 153
  Recycle Expert Objects, 136
  RIP analysis, 138
  searching for frames with alarms, 195
  subnet mask settings, 138
  symptoms, 131
  thresholds, 137
  Tuning, 136
  window panes, 132
Expert Detail pane, 132
Expert Overview pane, 132
Expert Summary pane, 132
Export AP button, 145
Export AP button (Address book), 254
exporting Protocols tab settings, 53
Exporting Expert data, 154
exporting filters, 241
exporting known addresses to csv file, 147
Exporting monitor data, 120

F

Failed to start capture, 127
Fast Ethernet (100BASE-T), 11
filter profiles, see Filters, 222
Filters
  address, 225
  capture, 129
  creating, 223
  data pattern, 230
  defining, 220
  display, 167
  error type, 235
  exporting, 241
  importing, 241
  monitor, 69
  overview, 219
  packet size, 235
  port, 225
  profiles, 222
  protocol type, 235
  settings, 225
  sharing filters, 241
finding frames, 186
function key shortcuts
  capture, 123
  display, 164

G

Global Statistics, 116
  toolbar, 117

H

Hex pane (decode display), 162
Highlight selected frames, 181
History Samples, 110
  creating multiple, 113
  settings, 111
  toolbar, 112
  window, 110
  zooming, 111
Host Table
  display tab, 206
  HwAddr counter, 85
  maximum entries, 84
  monitor, 82
  toolbar, 84, 207
HwAddr counter, 85

I

IBSS networks, 68
icons at base of Sniffer window, 43
importing Protocols tab settings, 53
importing addresses to the known address list, 147
importing filters, 241
In Bytes counter
  in Host Table, 87, 89
In Pkts counter
  in Host Table, 87, 89
Infrastructure networks, 68
installation requirements, 18
installing Sniffer, 22

K

Keyboard usage (decode display), 164
Keys Per Channel option, 59
known addresses
  adding from the Host Table, 141
  adding from the postcapture display, 143
  adding to the Expert's list, 141

L

license
  serial number, 30
  types, 31
Live scroll mode, 215
logging
  setting up for alarms, 259

M

MAC Bridge Miniport Driver, removing, 39
Main toolbar, 71
Management Pkts counter
  in Dashboard's 802.11 tab, 78
Matrix
  display tab, 202
  maximum entries, 95
  monitor, 93
  refresh rate, 95
  toolbar, 95, 203
maximum entries
  Host Table, 84
  Matrix, 95
Mgmt Pkts counter
  in Global Statistics, 119
Monitor, 67
  alarms, 120
  applications, 71
  changing alarm severity levels, 260
  default severity levels for alarms, 260
  exporting data, 120
  filters, 69
  Global Statistics, 116
  History Samples, 110
  Host Table, 82
  Matrix, 93
  Protocol Distribution, 114
Monitored Channel counter
  in Host Table, 86, 89
Monitored Topology counter
  in Host Table, 86, 89
monitoring wireless networks, 68
Multicast counter
  in Host Table, 87

N

Navigating the decode display, 164
NetBIOS names, resolving, 253
NetScout User Forum, 4
Netware user names, resolving, 253
network interface cards, see adapters
Non-live scroll mode, 216
Notification actions for alarms, 264

O

Octets counter
  in Global Statistics, 118
offline WEP decryption, 199
Order Pkts counter
  in Dashboard's 802.11 tab, 78
Out Bytes counter
  in Host Table, 87, 89
Out Pkts counter
  in Host Table, 87, 89
Overflow matrix message, 95

P

Packet capture
  capture buffer options, 239
  overview, 121
Packet display, 162
  searching for frames, 186
Packet Selection, 178
Packets
  color-coding, 178
  selecting, 165
Packets counter
  in Global Statistics, 118
pcap format, 127
PLCP Errors
  as filter option, 237
PLCP Long Pkts counter
  in Dashboard's 802.11 tab, 79
PLCP Short Pkts counter
  in Dashboard's 802.11 tab, 78
Port filter, 228
postcapture WEP decryption, 199
postcapture WPA decryption, 199
power considerations for Sniffer PC, 36
printing
  decoded packets, 196
  to file, 196
Probe Requests counter
  in Dashboard's 802.11 tab, 80
Probe Responses counter
  in Dashboard's 802.11 tab, 80
product registration, 30
profiles, 270
profiles (filters), 222
Protocol Distribution
  display tab, 208
  monitor, 114
  toolbar, 115, 209
Protocol Expand, 178
Protocol Statistics pane, 132
Protocols tab
  options, 52
Protocols tab settings
  importing/exporting, 53
PS Polls counter
  in Dashboard's 802.11 tab, 81

Q

QoS Packet Scheduler Service, 37

R

Real-time decodes
  display limitations, 216
  enabling/disabling, 213
  Live scroll mode, 215
  Non-live scroll mode, 216
  scrolling modes, 215
  viewing, 214
Rearranging the Expert display, 153
Reassemble entire trace file option, 179
Reassembly window size option, 179
Reassociation Requests counter
  in Dashboard's 802.11 tab, 79
Reassociation Responses counter
  in Dashboard's 802.11 tab, 79
Recycle Expert Objects, 136
registering software, 30
Relative time, 182
removing
  MAC Bridge Miniport Driver, 39
  QoS Packet Scheduler Service, 37
requirements for installation, 18
Resolve name on Network address, 180
Retry Pkts counter
  in Dashboard's 802.11 tab, 78
  in Host Table, 87
RIP analysis, 138
Routers, autodiscovery, 254
RspTm of 90% Response, 103
  ART setting, 102
RTS counter
  in Dashboard's 802.11 tab, 81

S

Sales Offices, 4
Saving buffer contents to a file, 127
scrolling modes (Real-time decodes), 215
searching for frames, 186
  data pattern searches, 190
  Expert alarm searches, 195
  status flag searches, 193
  text searches, 187
Select Settings
  no cards, 34
Selecting packets, 165
serial number, obtaining, 30
Setting
  alarm notification options, 264
  beeps and sounds, 265
  capture buffer options, 124
  Expert options, 134
severities
  logging, 259
Severity levels
  Expert alarms, 262
  Monitor alarms, 260
sharing filters, 241
Show all layers, 180
Show Expert symptoms, 180
Show network address, 180
Signal Curr counter
  in Host Table, 86, 89
Signal Level counter
  in Global Statistics, 119
Signal Max counter
  in Host Table, 86, 89
Signal Min counter
  in Host Table, 86, 89
Single Key Set option, 59
Single station capture, 84, 128
Sniffer
  installing, 22
  uninstalling, 21
Sniffer icons, 43
Sniffer PC
  power considerations, 36
Sniffer window
  introduced, 41
  navigating, 41
  title bar, 41
Sound files, 265
Start triggers, 242
Statistics tab, 210
Status column in 802.11 tab, 85, 88
Stop triggers, 242
Subnet mask settings, 138
Summary Display, 178
Summary pane (decode display), 162
support
  Customer Support, 4
Switching network adapters, 267
Symptom in Expert analysis, 131
system requirements, 18

T

Thresholds
  Expert, 137
  Monitor, 51, 75
title bar
  Sniffer window, 41
Toolbar
  Global Statistics, 117
  History Samples, 112
  Host Table, 84, 207
  main, 71
  Matrix, 95, 203
  Protocol Distribution, 115, 209
Tools
  adding your own, 64
  customizing, 64
Topology counter
  in Global Statistics, 118
trace files
  formats, 127
  opening, 127
Triggers, 129, 242
troubleshooting
  cards don't appear, 34
Two-station format, 181
Type counter
  in Host Table, 85

U

uninstalling
  QoS Packet Scheduler Service, 37
  Sniffer, 21
Update Time counter
  in Host Table, 87, 90
Use Address Book to resolve name, 180
User Interface
  menus, 44
utilization calculations (wireless), 76

V

Valid Channel, 86, 89
Valid Topology, 86, 89
viewing Real-time decodes, 214

W

website, Customer Support, 4
WEP decryption
  postcapture, 199
WEP ICVs
  as filter option, 237
WEP Pkts counter
  in Dashboard's 802.11 tab, 78
WPA decryption
  postcapture, 199
