Sniffer® Portable Professional User's Guide - NetScout

Sniffer ® Portable Professional
User’s Guide
293-2235 Rev A
Contents
NetScout ® Systems, Inc.
Westford, MA 01886
Telephone: 978.614.4000
Fax: 978.614.4004
Web: http://www.netscout.com

Use of this product is subject to the NetScout Systems, Inc. End User License Agreement, which
accompanies the product at the time of shipment.
Notice of Restricted Rights: Use, duplication, release, modification, transfer, or disclosure (for purposes
of this section, "Use") of the Software is restricted by the terms of NetScout Systems, Inc.’s End User
License Agreement and further restricted in accordance with FAR 52.227-14 for civilian Government
agency purposes and 252.227-7015 of the Defense Federal Acquisition Regulations Supplement
("DFARS") for military Government agency purposes, or the similar acquisition regulations of other
applicable Government organizations, as applicable and amended. The Use of Software and the Product
is restricted by the terms of NetScout Systems, Inc.’s End User License Agreement, in accordance with
DFARS Section 227.7202 and FAR Section 12.212. The information in this manual is subject to change
without notice.
NetScout, the NetScout logo, Network General, the Network General logo, nGenius, Quantiva, NetVigil,
InfiniStream, Business Container, and Sniffer are registered trademarks of NetScout Systems, Inc. and/
or its affiliates in the United States and/or other countries. The CDM logo, MasterCare, the MasterCare
logo, Visualizer, and HyperLock are trademarks of NetScout Systems, Inc. All other registered and
unregistered trademarks herein are the sole property of their respective owners. NetScout Systems, Inc.
reserves the right, at its sole discretion, to make changes at any time in its technical information,
specifications, service and support programs.
All other brand names, company identifiers, trademarks, service trademarks, registered trademarks and
registered service marks mentioned in this document or the NetScout Systems license agreement are
properties of their respective owners, and protected as such against unlawful use or distribution.
This product includes software developed by the Apache Software Foundation
(http://www.apache.org/). Copyright 1997-2008 The Apache Software Foundation. All rights reserved.
THE SOFTWARE DEVELOPED BY APACHE SOFTWARE FOUNDATION AND INCLUDED HEREIN IS
PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
2

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
("
Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
"
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)
"
Copyright (c) 1995-1998 Eric Young (eay@cryptsoft.com) All rights
reserved.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Sniffer ® Portable Professional User’s Guide
293-2235 Rev A
Copyright 2009 NetScout Systems, Inc. Printed in the USA.
All rights reserved.
3

4
Contacting NetScout Systems
Customer Support
The best way to contact Customer Support is to submit a Support Request:
http://www.netscout.com/support
Telephone: In the US, call 888-357-7667; outside the US, call
+011 978-614-4000. Phone support hours are 8 a.m. to 8 p.m. Eastern Standard Time
(EST).
E-mail: support@netscout.com
When you contact Customer Support, the following information can be helpful in diagnosing
and solving problems:
— Type of network platform
— Software and firmware versions
— Hardware model number
— License number and your organization’s name
— The text of any error messages
— Supporting screen images, logs, and error files, as appropriate
— A detailed description of the problem
Sales
Call 800-357-7666 for the sales office nearest your location.
Training and Online Learning
For end-user and partner training information, online course listings, and extensive learning
materials, visit the Training and Online Learning Center websites:
http://www.netscout.com/training
http://www.netscout.com/training/about_olc.asp
Documentation
Send comments or questions about nGenius documentation to the following address:
contact_doc@netscout.com
User Forum
To join a customer-driven user group connecting the worldwide community of NetScout users,
visit the following website:
http://www.netscoutuserforum.com/

Related Information Resources
NetScout Systems provides the documentation listed in the table below to support Sniffer Portable
Professional. NetScout MasterCare customers can access all documentation online at
www.netscout.com/support.
Document Description
Sniffer Portable Professional Documentation
Sniffer Portable Professional
Release Notes
Sniffer Portable Professional
User’s Guide
Describe enhancements, new features, known issues, and
system requirements for Sniffer Portable Professional.
Describes how to install and license Sniffer Portable Professional.
Describes how to use Sniffer Portable Professional for network
monitoring and analysis.
Online help Provides details on all product features and options.
Decode/Expert Reference Provides a complete reference for all Expert displays and
alarms; also summarizes Decode and Expert Pack features.
Available in PDF format in Decode and Expert Pack installation
directory.
5

Contents
1 Introducing Sniffer Portable Professional . . . . . . . . . . . . 11
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Product Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Major Components of Sniffer Portable Professional . . . . . . . . . . . . . . . . . 14
Sniffer Portable Professional Features for Wireless Networks . . . . . . . . . . 15
2 Installing Sniffer Portable Professional . . . . . . . . . . . . . . 17
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Uninstalling Previous Versions of
Sniffer Portable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Installing the Sniffer Portable Professional Application . . . . . . . . . . . . . . . 22
Installing Sniffer Enhanced Drivers (802.11) . . . . . . . . . . . . . . . . . . . . . 23
Authorizing Sniffer Portable Professional . . . . . . . . . . . . . . . . . . . . . . . . 30
Starting Sniffer Portable Professional . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Tuning Settings for Sniffer Portable Professional . . . . . . . . . . . . . . . . . . . 36
3 Introducing the Sniffer Window . . . . . . . . . . . . . . . . . . . 41
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Navigating the Sniffer Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4 Setting Options in the Sniffer Window . . . . . . . . . . . . . . 47
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Setting the General Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Setting the Real Time Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Setting the MAC Threshold Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . 51
Setting the App Threshold Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . 52
Setting the Alarm Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Setting the Protocols Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Setting the Protocol Forcing Tab Options . . . . . . . . . . . . . . . . . . . . . . . . 53
Setting Tools > Wireless Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Adding Tools to the Tools Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
User’s Guide 7

5 Monitoring Your Network . . . . . . . . . . . . . . . . . . . . . . . 67
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
About Sniffer Portable Professional Monitor Views . . . . . . . . . . . . . . . . . . 67
Monitoring Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Monitor Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Monitor Applications and Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Monitor Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Exporting Monitor Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
6 Capturing Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
About Capturing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Capture Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Capture Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Capture Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Capturing from Specific Stations (Visual Filters) . . . . . . . . . . . . . . . . . . 128
Capture Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Capture Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
7 Real-Time Expert Display . . . . . . . . . . . . . . . . . . . . . . 131
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
About the Expert Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Setting Expert Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Setting Automatic Expert Display Filters . . . . . . . . . . . . . . . . . . . . . . . 151
Displaying Context-Sensitive Explain Messages . . . . . . . . . . . . . . . . . . 153
Rearranging the Expert Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Exporting the Contents of the Expert Database . . . . . . . . . . . . . . . . . . 154
8 Displaying Captured Data . . . . . . . . . . . . . . . . . . . . . . 157
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Displaying Captured Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Postcapture Views for Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . 160
Postcapture Expert Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Postcapture Decode Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Postcapture Matrix Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Postcapture Host Table Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Postcapture Protocol Distribution Tab . . . . . . . . . . . . . . . . . . . . . . . . . 208
8 Sniffer Portable Professional

Postcapture Statistics Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
9 Working with Real-Time Decodes . . . . . . . . . . . . . . . . 213
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Enabling and Setting Real-time Decodes . . . . . . . . . . . . . . . . . . . . . . . 213
Viewing Real-time Decodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
10 Defining Filters and Triggers . . . . . . . . . . . . . . . . . . . . 219
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Defined Filters vs. Automatic Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Define Filter Options for Wireless Networks . . . . . . . . . . . . . . . . . . . . . 220
Defining Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Sharing Filters between Systems and Products . . . . . . . . . . . . . . . . . . . 241
Defining Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
11 Using the Address Book . . . . . . . . . . . . . . . . . . . . . . . 249
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
About Address Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Creating Address Book Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
12 Managing Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
The Alarm Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Setting Alarm Severity Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Setting Alarm Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
13 Network Adapters and Settings . . . . . . . . . . . . . . . . . . 267
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Removing Network Adapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Selecting Network Adapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Creating Sniffer Monitoring Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
9 Sniffer Portable Professional

10 Sniffer Portable Professional

Introducing Sniffer Portable
Professional
Overview
This documentation describes Sniffer ® Portable Professional. Sniffer
Portable Professional is ideally suited for a range of usage scenarios,
including:
1
On-site application and network troubleshooting by Field Service
engineers.
Analysis of enterprise network links not permanently instrumented
with NetScout appliances.
Analysis of network equipment in lab environments prior to roll-out
on a production network.
By incorporating Expert analysis capabilities and advanced protocol
decodes, Sniffer Portable Professional can determine, pinpoint, and
analyze the toughest performance problems automatically.
You can use Sniffer Portable Professional on network segments running
Ethernet, Gigabit Ethernet, and Wireless LANs.
See also:
Product Comparison
Major Components of Sniffer Portable Professional
Sniffer Portable Professional Features for Wireless Networks
User’s Guide 11

Chapter 1
Product Comparison
Table 1-1. Product Comparison
12 Sniffer Portable Professional
The following table summarizes the key differences between Sniffer
Portable Professional, Sniffer Global, and the legacy Sniffer Portable
product.
Feature Legacy Sniffer
Portable
Sniffer Portable
Professional
Sniffer Global
Operating Windows 2000
Windows XP
System
Windows XP
Windows 2003
Windows Vista
Windows 2008
Support for 64-bit Windows OS
Note: Windows 2003 and 2008 support is primarily
for Ethernet. Multiple instances over Terminal Server
is not supported.
Topologies Ethernet 10/100/1000 • Ethernet 10/100/1000
Wireless 802.11 a/b/g • Wireless 802.11 a/b/g on
Windows XP and Windows 2003
• Wireless 802.11 a/b/g/n on Windows Vista and
Windows 2008
Wireless Cards Atheros AR5001X, Atheros AR5002X, AR5004X, AR5005X, AR5006X &
AR5002X & AR5004X AR5008X chipset based PCMCIA, Cardbus,
chipset based PCMCIA ExpressCard, PCI, PCI-e, mini-PCI, mini-PCIe cards
& Cardbus cards
(USB not supported)
Trace File Sniffer .CAP, .CAZ and Sniffer .CAP, .CAZ and LibPcap formats
Formats legacy formats (.ENC
and so on)
Sniffer VoIP
Optional Yes
Intelligence
Sniffer Mobile
Intelligence
(Decode and
Expert)
All Decode and Expert functionality associated with
these legacy modules included in base installation.
Application
Optional No
Intelligence
Use Sniffer Intelligence with nGenius InfiniStream
instead.
Sniffer Reporter Yes No
Use nGenius Performance Manager with nGenius
InfiniStream instead.

Table 1-1. Product Comparison
Feature Legacy Sniffer
Portable
Sniffer Global
Server
Integrated
Updates
Introducing Sniffer Portable Professional
Sniffer Portable
Professional
Sniffer Global
No No Yes
No No Yes. Check for updates
and install them within
Sniffer Global application
user interface.
User’s Guide 13

Chapter 1
Major Components of Sniffer Portable
Professional
14 Sniffer Portable Professional
The major components of Sniffer Portable Professional include:
Monitor. Calculates and displays real-time network traffic data.
Capture. Captures network traffic and stores the actual packets in
a buffer (and optionally to a file) for later analysis.
Real-time and Postcapture Expert. Analyzes the network
packets during capture and alerts you to potential problems on
your network. These problems are categorized as either symptoms
and/or diagnoses. Expert analysis is also available postcapture.
Real-time and Postcapture Decode. Displays protocol decodes
in real-time as packets arrive. You do not have to stop a capture
session to see protocol decodes. Decodes are also available
postcapture.
Display. User-interface that provides decodes and analysis of the
captured packets in a variety of easy to view and navigate
windows.

Introducing Sniffer Portable Professional
Sniffer Portable Professional Features for
Wireless Networks
Sniffer Portable Professional includes many features specifically for
802.11 wireless networks, as summarized in Table 1-2.
Table 1-2. Features for Wireless Networks
Feature See this topic:
Different wireless LAN frame type counters are included in
the Dashboard.
The Monitor's Host Table includes an 802.11 tab with
entries for all detected wireless stations. Each station is
listed with several wireless LAN-specific counters.
The Monitor’s Host Table includes a zoomed view for
Access Points only.
Rogue identication is included in both Host Table and
Expert displays.
The Monitor's Global Statistics application includes a
Topology Surfing tab with statistics for each wireless
channel selected for monitoring.
The Matrix, Host Table, and Protocol Distribution
post-analysis tabs in the Display window each include
802.11 views, allowing you to focus specifically on 802.11
statistics for wireless stations.
The postcapture Statistics tab in the Display window
includes multiple wireless-specific statistics.
The Advanced tab in the Define Filter dialog box
includes wireless LAN packet types on which you can filter
(such as PLCP Errors and WEP-ICV Errors).
The 802.11 tab in the Define Filter dialog box allows you
to filter on packets seen on a channel to which they do not
belong, packets matching different speeds, or packets
seen on a particular channel.
Sniffer Portable Professional can perform both WPA/WPA2
and WEP decryption both during capture if the keys are
specified in the Tools > Wireless > Decryption dialog
box and after capture using the Wireless Decryption
option in the Decode tab's context menu.
Dashboard Counters for Wireless
Networks on page 75
Host Table Counters for Wireless
Networks on page 85
Viewing Access Points Only on page
88
Identifying Rogue Hosts on the
Wireless Network on page 91
The Global Statistics > Topology
Surfing Tab on page 117
Monitor Applications and Toolbar on
page 71
Postcapture Statistics Tab on page
210
Setting Filter Options in the Advanced
Tab on page 235
Setting Filter Options in the 802.11
Tab on page 238
• Configuring Wireless Encryption
Settings on page 56
• Postcapture 802.11 Decryption
on page 199
User’s Guide 15

Chapter 1
Table 1-2. Features for Wireless Networks
Feature See this topic:
The Decode display can completely decode 802.11 traffic
(if the correct decryption keys are specified and, in the
case of WPA, if the initial EAPOL handshake packets are
seen). Since wireless LAN services take place at the lower
network layers, you can see the wireless-specific decodes
by examining the DLC layer in the Detail pane of the
Decode display. In addition, the Decode display indicates
the channel from which each packet was captured inside
brackets in the Status column of the Summary pane (for
example, an entry of [1] in the Status column indicates
that the packet was captured from channel number 1 on
the wireless LAN).
The Expert analyzer creates network objects at the DLC
layer for wireless stations. There are also several
Wireless-specific Expert alarms. In addition, all of the
usual upper layer Expert analysis is provided.
During monitoring or capture, the title bar of the Sniffer
window shows the channel currently being monitored, the
signal strength, and the network topology. You can use
this display to get a quick feel for the strength of the signal
being monitored and determine whether you need to move
the analyzer closer to an access point to get a stronger
signal.
16 Sniffer Portable Professional
Postcapture Decode Display on page
162
Decode and Expert Reference Guide
in Decode & Expert installation
directory.
Navigating the Sniffer Window on
page 41

Installing Sniffer Portable
Professional
2
This chapter provides the system requirements and installation for
Sniffer Portable Professional. It also lists supported cards and enhanced
drivers.
System Requirements on page 18
Uninstalling Previous Versions of Sniffer Portable on page 21
Installing the Sniffer Portable Professional Application on page 22
Installing Sniffer Enhanced Drivers (802.11) on page 23
Sniffer Enhanced Driver Installation Procedure on page 24
802.11 a/b/g/n Card Installation Notes and Issues on page 27
Using the 802.11 a/b/g/n Card as a Normal Network Card on
page 29
Authorizing Sniffer Portable Professional on page 30
Starting Sniffer Portable Professional on page 34
Tuning Settings for Sniffer Portable Professional on page 36
User’s Guide 17

Chapter 2
System Requirements
18 Sniffer Portable Professional
Table 2-1 lists the system requirements to install and run the Sniffer
Portable Professional application.
Table 2-1. Sniffer Portable Professional System Requirements
Item Requirement
Operating
System
• Microsoft Windows XP Professional Edition with SP2 or higher
NOTE: Wireless is not supported on Windows XP 64-bit.
• Windows Server 2003
NOTE: Wireless is not supported on Windows Server 2003 64-bit.
• Microsoft Windows Vista
• Windows Server 2008
NOTE: The Wireless LAN Service must be installed to use wireless NICs on
Windows 2008 machines – by default it is not. You can add this service using
the Features > Add Features option in Administrative Tools > Server
Manager.
• Virtualized environments configured to emulate these operating systems.
Tested with VMware workstation 6.x and Microsoft Virtual-PC 2007.
NOTE: Virtualized environments are only supported for Ethernet adapters.
Wireless adapters are not supported in virtualized environments.
CPU Intel or AMD processor running at 1.6 GHz or higher.
• Dual or more core running at 1.0 GHz or higher
NOTE: Sniffer Portable Professional is supported on multi-processor, multi-core,
and hyperthreaded platforms.
RAM 512 MB of RAM or higher.
Storage 200 MB or more of free hard drive space (all supported operating systems)
CD-ROM Drive
Monitor VGA color monitor with 1024x768 resolution (with 256 color support or updated
VGA driver)

Table 2-1. Sniffer Portable Professional System Requirements
Item Requirement
Network
Interface
Cards
Installing Sniffer Portable Professional
Ethernet 10/100/1000 cards with native driver provided by vendor (no Sniffer
enhanced driver required or provided).
Wireless cards with Atheros AR5002X+ chipset:
• Windows XP and Windows Server 2003 – 802.11 a/b/g; Sniffer enhanced
driver required; see Installing Sniffer Enhanced Drivers (802.11) on page 23
for details.
Combo cards only supported if 802.11 a/b/g (b/g only not supported).
• Windows Vista and Windows Server 2008 – 802.11 a/b/g/n; Native
Atheros driver required (available both on Microsoft website and packaged
with Sniffer Portable Professional application installation). See Installing
Sniffer Enhanced Drivers (802.11) on page 23 for details.
Combo cards with any combination of 802.11 a/b/g/n are supported on
Windows Vista/Windows 2008. Combo cards with any combination of
802.11a/b/g are supported on Windows XP/Windows 2003.
Software Microsoft .NET Framework 3.0 or higher
User’s Guide 19

Chapter 2
20 Sniffer Portable Professional
Sniffer Portable Professional Application Coexistence with other
Products
NetScout Systems does not support installation of Sniffer Portable
Professional on a machine running any of the following NetScout
products:
Sniffer Global application, Sniffer Portable (legacy versions),
Sniffer Pro, or Netasyst
Sniffer Distributed Agent
Notes on Installing in Virtual Environments
Installing the Sniffer Portable Professional application in a virtual
environment (such as those provided by VMware) requires some
additional configuration. Keep in mind the following:
Only Ethernet adapters are supported. Wireless 802.11
adapters are not supported in virtualized environments.
Bridged networking mode is the only supported mode.
Select an Ethernet card in your virtual operating system in the
VMNet0 virtual network from Edit > Virtual Network Settings >
Host Virtual Network Mapping.
Make sure the Ethernet card drivers for VMNet0 are properly
installed by selecting the VM > Install VMware Tools command.
Running this command will select the correct drivers from the host
machine automatically. However, keep in mind that Sniffer
Portable Professional’s File > Adapter Settings dialog box will
show the device name as VMware Accelerated AMND PCNet
Adapter rather than the name of the bridged adapter.
The VMWare Virtual Network acts as a 1000-Mbps virtual hub with
uplink based on the speed of the actual physical port to which it is
bridged (100 or 1000 Mbps). Sniffer Portable Professional detects
the virtual network’s 1000-Mbps speed and will report this as the
network speed, regardless of the physical port’s actual speed.
Because of this, when the physical port’s speed is only 100 Mbps
instead of the 1000 Mbps detected, utilization calculations reported
in Sniffer Portable Professional will be less than the actual
utilization by a factor of ten.

Uninstalling Previous Versions of
Sniffer Portable
Installing Sniffer Portable Professional
Sniffer Portable Professional can not be installed on the same system as
legacy versions of Sniffer Portable – you must first uninstall the previous
Sniffer Portable installation. The following procedure explains how.
To uninstall a previous version of Sniffer Portable:
1 Log in to the Sniffer Portable machine with Administrator
privileges.
2 Go to Start > Settings > Control Panel > Add/Remove
Programs.
3 In the Add/Remove Programs window that appears, is there an
entry for Sniffer VoIP?
If yes — Uninstall Sniffer VoIP and reboot the computer before
uninstalling. Then access the Add/Remove Programs
window again (Step 2) and uninstall the Sniffer Portable
software.
If no — Select the entry for the Sniffer Portable software and
click Add/Remove.
4 During the uninstallation, the wizard will ask you if you would like
to remove unused shared files. Click Yes to all to remove all
unused shared files.
5 Reboot the computer.
The target PC is now ready to download and install the Sniffer Portable
Professional software.
User’s Guide 21

Chapter 2
Installing the Sniffer Portable Professional
Application
22 Sniffer Portable Professional
Use the following procedure to install the Sniffer Portable Professional
application.
To install Sniffer Portable Professional :
1 Make sure you have uninstalled any existing Sniffer Portable or
Global applications.
2 Double-click the Sniffer Portable Professional installation file.
3 Follow the instructions in the InstallShield Wizard to install Sniffer
Portable Professional.
4 Reboot the PC before using Sniffer Portable Professional.

Installing Sniffer Portable Professional
Installing Sniffer Enhanced Drivers (802.11)
NOTE: Sniffer enhanced drivers are not included for 10/100/1000
Ethernet cards. Sniffer Portable Professional supports 10/100/1000
Ethernet cards without using a Sniffer enhanced driver on both
Windows XP and Windows Vista.
Sniffer Portable Professional supports wireless adapters based on the
Atheros AR5002X+ chipset. The table below provides the details:
Table 2-2. Supported Wireless Chipsets and Drivers
Chipset Windows XP and Windows
Server 2003
Tested on Atheros-based Cisco
CB21, D-Link, Proxim, and
NETGEAR Cardbus Adapters
Atheros AR5008X
(802.11n)
You install drivers for wireless cards differently depending on whether
you are using Microsoft Windows XP or Microsoft Windows Vista:
Wireless Adapters in Windows XP
Windows Vista and Windows
Server 2008
Tested on Atheros-based D-Link,
NETGEAR, Cisco CB21, Trendnet, and
Gigabyte Cardbus, PCI/PCIe,
mini-PCI/PCIe adapters (USB not
supported).
Not supported. Supported with the native Atheros
driver, which you can install using either
Atheros AR5006X Supported with enhanced
drivers stored in \Sniffer
Atheros AR5004X Portable\Driver\en\atheros
\winxp
Atheros AR5002X
Microsoft Windows Update or one of the
bundled drivers:
• Cisco adapters –
Use the7.4 driver located at \Sniffer Portable\
driver\en\cisco\vista.
• All other adapters –
Use the 7.6 driver located at \Sniffer Portable\
driver\en\atheros\vista.
You must install a Sniffer enhanced driver before you can use
Sniffer Portable Professional on Windows XP with a wireless LAN
card. Sniffer Portable Professional includes enhanced drivers for
wireless cards based on the Atheros AR5002X+ chipsets as
summarized in the table above.
See Sniffer Enhanced Driver Installation Procedure on page 24 for
information on how to install the Sniffer enhanced driver for
wireless cards based on these chipsets.
User’s Guide 23

Chapter 2
24 Sniffer Portable Professional
Wireless Adapters in Windows Vista
You must install the latest native Atheros driver to use Sniffer
Portable Professional on Windows Vista or Windows Server 2008
with a wireless card.
The native Atheros driver is included with Sniffer Portable
Professional under \Sniffer
Portable\driver\en\atheros\vista. Select netathr.inf if
installing on a 32-bit machine or netathrx.inf if installing on a 64-bit
machine. For Cisco cards, use the driver in the \Sniffer Portable\driver\en\cisco\vista folder.
See Native Atheros Driver Update Procedure on page 26 for
information on how to install the native Atheros driver.
Combo Cards and Supported 802.11 Versions
Sniffer Portable Professional supports 802.11 combo cards using
the chipsets listed in the table above differently depending on your
operating system:
Windows XP or Windows Server 2003 – 802.11 a/b/g
combo cards only. Other combinations (including cards that
support only 802.11 b/g) are not supported.
Windows Vista or Windows Server 2008 – Any
combination of 802.11 a/b/g/n.
Sniffer Portable Professional can monitor, capture, and display
statistics for wireless cards supporting the Japanese W52 and W53
standards.
Sniffer Enhanced Driver Installation Procedure
Sniffer enhanced drivers for wireless LAN cards are located in intuitively
named subdirectories under the following default path:
\NetScout\Sniffer Portable\driver\en\
To install a Sniffer enhanced driver:
1 Make sure the Sniffer Portable Professional software is installed. If
it is not installed, install it now.
2 Log in to Windows as an Administrator.
3 Insert the card in an available card slot on the target machine.
Windows automatically detects the new card and installs its native
device driver.

Installing Sniffer Portable Professional
4 Right-click My Computer. Select Manage > Device Manager.
5 In the Network Cards list, select the card you inserted.
6 Right-click on the card and select Update Driver.
7 The Hardware Update Wizard displays. If a dialog box displays
prompting to you to connect to Windows Update to search for
software, select No, not this time and click Next.
8 Select the Install from a list or specific location (Advanced)
option. and click Next.
9 Select the Don’t search option and click Next.
10 Click Have Disk.
The Install from Disk dialog box appears prompting you to supply
the path to the driver to install.
11 Click Browse and navigate to the path where the driver for the
selected card is installed. Drivers for 802.11 a/b/g/n cards are
located at the following path:
\NetScout\Sniffer Portable\driver\en\
Use the driver found in the subdirectory corresponding to your
chipset and operating system (for example, \atheros\winxp\ for
an Atheros chipset on Windows XP).
12 Click Open in the Browse dialog box.
You are returned to the Install from Disk dialog box.
13 Click OK on the Install from Disk dialog box.
14 If the operating system is configured to alert you to unsigned
drivers, a dialog box will appear warning you that you are about to
install a driver that has not been verified by Microsoft Corporation.
Click Continue Anyway to continue the installation.
The wizard installs the driver. When it has finished, it displays a
screen indicating that the driver is installed.
15 Click Finish.
16 Click OK to clear the Card Properties dialog box.
17 Reboot the system.
User’s Guide 25

Chapter 2
Native Atheros Driver Update Procedure
26 Sniffer Portable Professional
Use the following procedure to update the existing driver for an
Atheros-based wireless adapter to the latest version in Windows Vista.
To update the native Atheros driver in Windows Vista:
1 Make sure the Sniffer Portable Professional software is installed. If
it is not installed, install it now.
2 Log in to Windows as an Administrator.
3 Right-click Computer and select Manage.
4 Select the Device Manager entry in the Computer Management
pane (left pane).
5 In the Network adapters list, select the wireless card you want to
use with Sniffer Portable Professional on Windows Vista.
6 Right-click on the card and select Update Driver Software.
7 The Update Driver Wizard displays. Select the Browse my
computer for driver software option.
The Browse for driver software on your computer dialog box
appears prompting you to supply the path to the driver to install.
8 Click Browse and navigate to the path for your card:
Cisco adapters (7.4 version):
\Sniffer Portable\driver\en\cisco\vista
All other adapters (7.6 version):
9 Click Next.
\Sniffer Portable\driver\en\atheros\vista
10 Select netathr.inf if installing on a 32-bit machine or netathrx.inf
if installing on a 64-bit machine and click Next.
11 Follow the wizard’s instructions to complete the driver update.
12 Close the Computer Management window.
13 Reboot the system and start Sniffer Portable Professional to use the
new driver.

Installing Sniffer Portable Professional
802.11 a/b/g/n Card Installation Notes and Issues
Keep the following notes and tips in mind when working with 802.11
a/b/g/n wireless cards:
After removing and replacing PCMCIA adapters, it’s a good idea to
restart the system before launching Sniffer Portable Professional.
This is especially important if you replace an Ethernet card with an
802.11 adapter, or vice-versa.
After exiting Sniffer Portable Professional, it may take up to a
minute for the wireless card to transition to normal wireless
network participation.
Wireless Client Utilities provided by your card’s vendor will not
function with the Sniffer enhanced driver installed. Use the
Wireless Network Connection utility included with Microsoft
Windows instead.
While configuring the 802.11 a/b/g/n card, you may see the
following warning: Can not access your wireless card. Please
remove and reinsert PC card to activate settings.
This warning can safely be ignored.
Use the Safely Remove Hardware option when removing the
cardbus card. Make sure Sniffer Portable Professional is properly
shut down before the card is removed.
For improved performance, you can unbind the Aegis Protocol
(IEEE802.1x) from the card driver, as shown in Figure 2-1.
However, keep in mind that unchecking this option can interfere
with any VPN clients you may be using. If you do decide to disable
the Aegis Protocol during Sniffer Portable Professional analysis,
reenable it before connecting to your VPN.
User’s Guide 27

Chapter 2
28 Sniffer Portable Professional
Figure 2-1. 802.11a/b/g/n Wireless Card Properties Dialog Box

Installing Sniffer Portable Professional
Using the 802.11 a/b/g/n Card as a Normal Network Card
When Sniffer Portable Professional is connected to the 802.11a/b/g/n
wireless card, the card operates in promiscuous mode and cannot
participate as an active member of the wireless LAN. However, when
Sniffer Portable Professional is not connected to the 802.11a/b/g/n card,
you can use the card to participate actively in a wireless network.
During a normal installation of the 802.11a/b/g/n wireless card, you are
given the option of configuring a profile for normal wireless network
participation (including configuring the ESSID, WEP keys, and so on). If
you did not configure these settings during the initial installation of the
card (or if you want to change the current settings), you can configure
them later using the Wireless Network option in the Control Panel.
However, do not make changes to the 802.11a/b/g/n card’s
configuration while Sniffer Portable Professional is running.
NOTE: For Windows XP, use the Wireless Network tab in the
Wireless Network Connection Properties dialog box to set wireless
network participation parameters.
NOTE: Wireless Client Utilities provided by your card’s vendor will
not function with the Sniffer enhanced driver installed. Use the
Wireless Network Connection utility included with Microsoft
Windows instead.
User’s Guide 29

Chapter 2
Authorizing Sniffer Portable Professional
30 Sniffer Portable Professional
Before you can use Sniffer Portable Professional, you must authorize
your copy using the License Utility (Start > (All) Programs >
NetScout > Sniffer Portable Professional > License Utility).
Review the topics in this section for more information about licensing:
Registering the Software on page 30
Entering Licensing Information in the License Utility on page 32
Use Same Serial Number After Uninstall/Reinstall
If you uninstall and reinstall Sniffer Portable Professional, you can
reapply your original serial number and password in the License Utilty to
authorize the product.
Lost Serial Number?
If you lose your serial number or password, you will need to request a
new one from the MasterCare Portal. Before doing so, however, check
your old email to see if you still have the original serial number mailed
to you from NetScout Systems (if you supplied an email address during
product registration).
Registering the Software
Visit the NetScout website to register your product and obtain the
information required for licensing.
IMPORTANT: Make sure you have the License Coupon that came with
your Sniffer Portable Professional product shipment. This coupon includes
the Registration Key required to generate the license file.
1 Locate the License Coupon in your Sniffer Portable Professional
product shipment. This form includes the product’s registration
key.
2 Launch your Web browser and enter the following URL:
http://www.netscout.com/support/
3 From Product Registration, select the License Request All link.
4 Accept the End User License Agreement by clicking I Agree.
5 Log in using your MasterCare credentials. If you do not have an
account yet, the site will assist you in creating one.

Installing Sniffer Portable Professional
6 Once you have logged in, locate the Sniffer Portable
Professional entries in the Product Registration page and click the
link corresponding to the type of license to activate.
7 Enter the requested information (all fields are required) and click
Submit. In response, you will receive the information listed in the
Output column in the table below. You will enter this information
in Sniffer Portable Professional’s License Utility.
Table 2-3. License Page Input/Output
License
Type
License Page Input License Page
Output
Trial Registration Key from License Coupon Serial Number
Expiration Date
Password
Permanent Registration Key from License Coupon
IP or MAC address of Sniffer Portable
Professional PC
Choosing an Address Type for the
License (MAC or IP)
Permanent Sniffer Portable Professional
licenses can be based on either a MAC or
an IP address. If the IP address changes
on a system using IP-based licensing,
you will need to request and apply a
new serial number based on the new IP
address. Because of this, you should
only use the IP-based option if you are
using a static IP address.
• If you use a static IP address for the
Sniffer Portable Professional PC, you
can use either the IP or MAC address.
• If you use a dynamic IP address for
the Sniffer Portable Professional PC,
you should use the MAC address
option.
Serial Number
IP Address or
MAC Address
Password
8 Start the License Utility and enter the information provided by the
MasterCare Portal.
See Entering Licensing Information in the License Utility on page 32
for instructions.
User’s Guide 31

Chapter 2
Entering Licensing Information in the License Utility
32 Sniffer Portable Professional
You can obtain Sniffer Portable Professional’s serial number from the
MasterCare Portal and apply it in the License Utility immediately after
you install the software or at any later time prior to using the product.
NOTE: Each Sniffer Portable Professional unit requires a separate
serial number.
To apply a Sniffer Portable Professional serial number:
1 Register the software and obtain the serial number. Refer to
Registering the Software on page 30.
2 Start the License Utility on the Sniffer Portable Professional PC:
Start > (All) Programs > NetScout > Sniffer Portable
Professional > License Utility
NOTE: You must run this utility as an administrator. If you are
not currently logged in as an administrator, you can right-click
the utility and select the Run as administrator command.
3 Enter the information you received from the MasterCare Portal’s
Licensing page in Registering the Software on page 30. All fields
must match the values specified during product registration.
Table 2-4. Sniffer Portable Professional License Fields
Field Description
Serial Number Provided by MasterCare Portal during product registration.
Expiry Date
(Trial Licenses
only)
IP/MAC
(Permanent
Licenses only)
Provided by MasterCare Portal during product registration.
Select the radio button corresponding to the type of
adddress you supplied during registration and enter the
address in the adjacent field. This was specified during
product registration.
Password Provided by MasterCare Portal during product registration.
4 When you have filled in all the fields, click OK.
The License Utility applies the license, informing you of its success
or failure.

Installing Sniffer Portable Professional
5 If licensing was not successful, make sure you entered all
information correctly. Verify the values against those you received
from the MasterCare Portal during product registration.
User’s Guide 33

Chapter 2
Starting Sniffer Portable Professional
34 Sniffer Portable Professional
After you have installed and authorized Sniffer Portable Professional and
any necessary enhanced drivers, start the application as follows:
1 Log in to the Sniffer Portable Professional application PC.
2 Go to Start > (All) Programs > NetScout > Sniffer Portable
Professional > Sniffer Portable.
3 The Adapter Settings dialog box appears, allowing you to choose
which capture card on the PC you’d like to use for network
monitoring and analysis.
Check the Post Capture box to open the application without
monitoring a specific card.
Check the Real Time box to begin monitoring the selected
card.
4 Click OK to open the Sniffer Portable Professional application.
No Network Cards Listed in Adapter Settings Dialog Box?
If you start the Sniffer Portable Professional application and do not see
any network cards listed in the Adapter Settings dialog box, you may
need to install the Sniffer Portable Professional Protocol Driver manually.
Use the procedure corresponding to your operating system, as follows:
To install the Sniffer Portable Professional Protocol Driver on
Windows XP:
1 Open the Network Connections Control Panel (Start > Control
Panel > Network Connections).
2 Right-click the entry for a network adapter (for example, Local
Area Connection) and select the Properties command from the
context menu that appears.
3 Click the Install button, select the Protocol entry in the list of
components that appears, and click Add.
4 Click Have Disk, use the Browse button to navigate to the
following path, and click OK:
C:\Program Files\NetScout\Sniffer Portable\driver\en\sniffer\winxp
5 Select the Sniffer Portable Professional Protocol Driver entry
and click OK.
6 After installation, close out of Local Area Connection Properties and
reboot the system.

Installing Sniffer Portable Professional
After rebooting the system, Sniffer Portable Professional will list
network cards in the Adapter Settings dialog box.
To install the Sniffer Portable Professional Protocol Driver on
Windows Vista:
1 Open the Network Connections Control Panel (Start > Control
Panel > Network and Sharing Center).
2 Select the Manage network connections option.
3 Right-click the entry for a network adapter (for example, Local
Area Connection) and select the Properties command from the
context menu that appears.
4 Click the Install button, select the Protocol entry in the list of
components that appears, and click Add.
5 Click Have Disk, use the Browse button to navigate to the
following path, and click OK:
C:\Program Files\NetScout\Sniffer Portable\driver\en\sniffer\vista
6 Select the Sniffer Portable Professional Protocol Driver entry
and click OK.
7 After installation, close out of all open dialogs and reboot the
system.
User’s Guide 35

Chapter 2
Tuning Settings for Sniffer Portable
Professional
36 Sniffer Portable Professional
There are several settings you can make to the Microsoft Windows
operating system that will improve Sniffer Portable Professional
performance. See the following sections:
Power Considerations for Sniffer Portable Professional Laptops on
page 36
Uninstalling the QoS Packet Scheduler Service on page 37
Removing the MAC Bridge Miniport Driver on XP on page 39
Power Considerations for Sniffer Portable Professional
Laptops
Most laptop computers include power configuration options that let you
specify whether the computer should be allowed to go into a standby or
hibernate mode after a specified period of inactivity. For computers
actively running Sniffer Portable Professional, these options
should always be disabled to preserve stable system
performance!
For example, MS-Windows 2000 and XP laptop computers include a
Power Options Properties control panel. The Power Options Properties
control panel is accessed by starting the Display control panel (Start >
Settings > Control Panel > Display), clicking on the Screen Saver
tab, and then clicking the Power button. In this example, the following
settings should be made for active Sniffer Portable Professional
operations:
Power Schemes Tab
- Turn off hard disks = Never
- System standby = Never
Hibernate Tab
- Enable hibernate support = Disabled
NOTE: Some laptop vendors include their own proprietary software
to perform power configuration tasks. In these cases, you may need
to make similar changes in the configuration menu provided by the
vendor.

Installing Sniffer Portable Professional
Uninstalling the QoS Packet Scheduler Service
The QoS Packet Scheduler service supports the 802.1P traffic
prioritization system, allowing for the implementation of best-effort
Quality of Service by conforming 802.1P equipment. This service is
automatically bound to each installed card driver in Windows XP. To
improve analyzer performance, NetScout recommends that the QoS
Packet Scheduler service be unbound from any cards used with Sniffer
Portable Professional.
IMPORTANT: Uninstalling the QoS Packet Scheduler service removes it
from all installed cards. Unbinding from individual cards allows you to
preserve the service for use with any non-Sniffer cards. See Unbinding
the QoS Packet Scheduler Service from Selected Cards on page 38.
You can either uninstall the QoS Packet Scheduler Service entirely or,
alternatively, unbind it from cards used with Sniffer Portable
Professional:
Uninstalling the QoS Packet Scheduler Service after Installation on
page 37
Unbinding the QoS Packet Scheduler Service from Selected Cards
on page 38
Uninstalling the QoS Packet Scheduler Service after Installation
Use the following procedure to uninstall the QoS Packet Scheduler
Service.
To completely remove the QoS Packet Scheduler Service:
1 Open the Network Connections folder by selecting the Start >
Settings > Network Connections option.
2 Right-click any of the Connection entries in the folder and select the
Properties command from the menu that appears.
The Connection Properties dialog box appears, as in Figure 2-2. The
following example is for wireless connections.
User’s Guide 37

Chapter 2
38 Sniffer Portable Professional
Figure 2-2. Local Area Connection Properties Dialog Box
3 De-select the QoS Packet Scheduler entry and click Uninstall.
A confirmation box appears.
4 Click OK to confirm that you want to uninstall the QoS Packet
Scheduler service completely.
The QoS Packet Scheduler service is uninstalled.
5 Click OK on the Connection Properties dialog box.
Unbinding the QoS Packet Scheduler Service from Selected
Cards
Use the following procedure to unbind the QoS Packet Scheduler Service
from selected cards:
To unbind the QoS Packet Scheduler Service from selected
cards:
1 Open the Network Connections folder by selecting the Start >
Settings > Network Connections option.
2 Right-click the Network Connection entry from which you want to
unbind the QoS Packet Scheduler service and select the
Properties command from the menu that appears.

Installing Sniffer Portable Professional
The Network Connection Properties dialog box appears, as in Figure
2-2 on page 38.
3 Deselect the checkbox next to the QoS Packet Scheduler entry
and click OK.
4 Repeat this procedure for each card you want to use with Sniffer
Portable Professional.
Removing the MAC Bridge Miniport Driver on XP
To improve analyzer performance, NetScout recommends that the
Network Bridge service provided with Windows XP not be used on a
Sniffer Portable Professional PC.
To remove a network bridge in Windows XP:
1 Open the Network Connections folder by selecting the Start >
Settings > Network Connections option.
The Network Connections folder appears.
2 Under the Network Bridge section, right-click the Network
Bridge entry and select the Delete command in the menu that
appears.
3 Click Yes to confirm that you want to delete the network bridge.
User’s Guide 39

Chapter 2
40 Sniffer Portable Professional

Introducing the Sniffer
Window
Overview
3
Once you start Sniffer Portable Professional, log in, and select a profile
for monitoring, the Sniffer window appears.
You use the Sniffer window to perform standard network analysis
activities – monitoring network activity, capturing network traffic,
decoding captured traffic, and so on. This chapter introduces the Sniffer
window and includes the following topics:
Navigating the Sniffer Window
Sniffer Window Menus
Navigating the Sniffer Window
When you start Sniffer Portable Professional, log in, and select a profile
for monitoring, a Sniffer window appears where you can control network
monitoring and analysis activities (Figure 3-1).
The Sniffer window consists of:
A title bar (item a, Figure 3-1) showing:
Network topology in use.
Line speed.
Certain adapters may add additional information to the title
bar, including the channel being monitored, wireless signal
strength, and so on.
NOTE: During monitoring or capture of wireless networks, the
window title bar shows the channel currently being monitored,
as well as the signal strength and the type of network being
monitored (802.11a or 802.11b/g). You can use this display to
get a quick feel for the strength of the signal being monitored
and determine whether you need to move the analyzer closer
to an access point to get a stronger signal.
Several toolbars (item b, Figure 3-1) at the top of the Sniffer
window providing access to commonly used functions, including:
User’s Guide 41

Chapter 3
a
b
c
42 Sniffer Portable Professional
Capture toolbar
Monitor toolbar
File\Print toolbars
A main workspace (item c, Figure 3-1) where you perform standard
Sniffer functions – viewing monitor displays, working with decoded
packets, interpreting Expert analysis, viewing real-time decodes,
and so on.
Figure 3-1. Sniffer Window
Status icons and counters (item d, Figure 3-1) at the bottom of the
display indicating:
d

Table 3-1. Sniffer Window Status Icons
Button Description
Number of files currently spooled to printer.
Introducing the Sniffer Window
Number of packets transmitted by Packet Generator. Note
that Packet Generator is no longer supported, so this field will
always be blank.
Number of packets that have passed the current filter.
Number of unacknowledged alarms in the local Alarm Log
(Monitor > Alarm Log).
User’s Guide 43

Chapter 3
Sniffer Window Menus
44 Sniffer Portable Professional
The table below lists each of the menus in the Sniffer window along with
the tasks they can be used to perform.
Table 3-2. Sniffer Window Menus
Menu Capabilities
File The File menu is where you can:
• Open, close, and save files.
• Select the monitoring profile you want to use for
monitoring the network. A monitoring profile is a
set of settings tied to a particular network
adapter.
• Reset all settings to their default values.
• Print files.
• Exit the Sniffer window.
Monitor
See Monitoring Your
Network on page 67
for details on using
the Monitor
applications.
Capture
See Capturing
Packets on page
121 for details on
performing
Captures.
The Monitor menu is where you can:
• Access monitor applications (Dashboard, Host
Table, Matrix, Application Response Time, History
Samples, Protocol Distribution, Global Statistics,
and so on).
• Define and select Monitor filters.
•View the Alarm log.
The Capture menu is where you can:
• Start, stop, and display captured packets.
• Display the Capture Panel.
• Define and select Capture filters.
• Set triggers.

Table 3-2. Sniffer Window Menus
Menu Capabilities
Display
See Displaying
Captured Data on
page 157 for details
on displaying
decoded data.
Tools
See for information
on the standard
network tools (Ping,
Trace Route, and so
on).
Introducing the Sniffer Window
The Display menu is where you can:
• Configure the display of your network data.
• Navigate from frame to frame.
• Select specific packets.
• Define and select Display filters.
The Tools menu is where you can access a variety of
tools included in the software, including:
• Address Book – See Using the Address Book on
page 249.
• General Options – See Setting Options in the
Sniffer Window on page 47.
• Expert Options – See Setting Expert Options on
page 134.
• Wireless Options – See Setting Tools > Wireless
Options on page 54
User’s Guide 45

Chapter 3
46 Sniffer Portable Professional

Setting Options in the Sniffer
Window
Overview
4
This section describes how to set the options in the Tools > Options
and Tools > Wireless dialog boxes. See the topics listed in the table
below.
NOTE: You can also add your own applications to the Tools menu.
See Adding Tools to the Tools Menu on page 64 for details.
User’s Guide 47

Chapter 4
Setting the General Tab Options
48 Sniffer Portable Professional
The Tools > Options > General tab lets you set a number of options
that specify when Sniffer will prompt you for confirmations, what items
will appear in the Sniffer window by default, and how often different
Monitor views in the Sniffer window are refreshed with new data.
Figure 4-1 shows the Tools > Options > General tab.
Figure 4-1. The Tools > Options > General Tab
The table below lists and describes the options available in the Tools >
Options > General tab:

Table 4-1. Setting Tools > General Tab Options
Entry Description
Setting Options in the Sniffer Window
Prompt to save/update Use these options to specify whether the
application should prompt you to save or
update particular items before they are lost,
as follows:
•Check New capture buffer to have the
application prompt you when saving or
updating new capture buffers.
•Check New history sample to prompt
you when saving or updating new
history samples.
•Check Discovered address to prompt
you when saving or updating discovered
addresses.
•Check Duplicate address to prompt
you when saving or updating duplicated
addresses.
Prompt before Use this option to specify whether the
application should prompt you for a
confirmation before exiting the program.
User’s Guide 49

Chapter 4
50 Sniffer Portable Professional
Table 4-1. Setting Tools > General Tab Options
Entry Description
Show Use these options to:
• Specify which toolbars appear in the
Sniffer window by default. You can
enable and disable the Main toolbar
and Capture toolbar separately.
• Specify whether the Status bar
appears at the bottom of the Sniffer
window.
• Specify whether monitor applications
should show Formatted data or not. If
this option is enabled, the byte values in
the Host and Matrix tables will change
between using K and M indicators
(Formatted) or fully numeric counts.
For example, 47K would be a
Formatted data representation of a
byte count that would otherwise be
shown as 47,138.
• Specify whether the Sniffer window
should add an Extra Filter Window
when a Display filter is applied to a
capture buffer or trace file. If this option
is not enabled, a set of filtered frames
resulting from a Display filter will
appear in an additional tab on the
existing decode window rather than in
an entirely new window.
• Specify whether Sniffer Portable
Professional should always start in log
off mode. In log off mode, Sniffer
Portable Professional will not actively
monitor the selected adapter at startup.

Setting the Real Time Tab Options
Setting Options in the Sniffer Window
Use the options in the Tools > Options > Real Time tab to enable and
set options for the Sniffer’s real-time decodes feature.
See Enabling and Setting Real-time Decodes on page 213 for details on
using the options in this tab.
Setting the MAC Threshold Tab Options
Use the Tools > Options > MAC Threshold tab to set alarm thresholds
for each of the dials on the Dashboard as well as many other network
statistics. If the value sampled for a particular statistic exceeds the
threshold over the specified Monitor sampling interval, an entry is
made in the alarm log. You can monitor the alarm log to keep watch over
your network.
The MAC Threshold tab lists various network parameters that can
trigger a threshold alarm. The exact parameters depend on the currently
selected adapter.
The High Threshold value for each measure will be the average per
second value measured during the monitor sampling interval. Specify
the interval at the bottom of the dialog box and click OK.
Figure 4-2 shows the Tools > Options > MAC Threshold tab.
Figure 4-2. The Tools > Options > MAC Threshold Tab
User’s Guide 51

Chapter 4
Setting the App Threshold Tab Options
52 Sniffer Portable Professional
Use the options in the Tools > Options > App Threshold tab to set
thresholds for alarms generated by the ART application. Specify the
threshold values in the Rsp Time column, then click OK.
See ART Alarms on page 105 and Application Response Time (ART) on
page 97 for details on using the options in this tab.
Setting the Alarm Tab Options
Use the Tools > Options > Alarm tab to:
Enable alarm logging and set alarm severity levels. See The Alarm
Log on page 257 and Setting Alarm Severity Levels on page 260.
Set up and assign alarm notification actions. See Setting Alarm
Notification on page 264.
Setting the Protocols Tab Options
Use the Tools > Options > Protocols tab to specify on what ports the
Sniffer should expect various upper layer protocols running over TCP,
UDP, or IPX (separate options are provided for each). The commonly
established port for each upper layer protocol is provided by default. For
most networks, the default port number for the listed upper layer
protocols will be correct. However, If your network uses a proprietary
implementation of a particular protocol, you can specify custom ports
here. You can also rename existing protocols by overwriting the default
name supplied in this tab.
In addition, you can also add entirely custom protocols by clicking in a
blank cell at the end of the list and supplying a protocol and port pair for
a given transport. The Sniffer will provide traffic counts for the named
protocol/port pair in its Monitor displays.
NOTE: The Sniffer can only track protocol loads that are based on
well known and fixed port numbers. If you have an application that
assigns and uses TCP/UDP (or IPX) port numbers dynamically, they
will be grouped into the Others category in Monitor views.
Similarly, upper layer packets running over TCP, UDP, or IPX with
port numbers not listed in the default protocol list are also grouped
together and counted in the Others category.

Setting Options in the Sniffer Window
Exporting and Importing Protocols Tab Settings
The Tools > Options > Protocols tab includes Import and Export
buttons that let you change the Protocols tab settings in force:
The Export button opens a common Save As dialog box, allowing
you to save out Protocols tab settings to an XML file.
The Import button opens a common Browse dialog box in which
you can navigate to an XML file of saved Protocols tab settings for
import.
The Import and Export buttons are particularly useful in the following
situations:
You want to create files of saved Protocols tab settings for use in
different network environments. For example, you may commonly
analyze network segments with protocol loads running over known
but non-standard ports. You can switch Protocols tab settings in
and out quickly using these buttons.
You want to share Protocols tab settings with another Sniffer unit
supporting this feature. You can export your settings to a file and
then import them on a second unit.
Setting the Protocol Forcing Tab Options
Use the Tools > Options > Protocol Forcing options to set up protocol
forcing rules. Protocol forcing is useful when capturing non-standard (for
example, proprietary) protocols that might not otherwise be decoded.
Protocol forcing essentially lets you tell the analyzer “if you see this
condition, skip this many bytes (to where the standard data is), then
apply this protocol interpreter.” See Using Protocol Forcing on page 198
for details on setting up Protocol Forcing rules.
User’s Guide 53

Chapter 4
Setting Tools > Wireless Options
54 Sniffer Portable Professional
The Tools > Wireless menu includes options that let you configure how
Sniffer Portable Professional monitors wireless traffic:
Use the Surf Settings dialog box to specify which channels on the
wireless network Sniffer Portable Professional monitors.
See Configuring Surf Settings on page 54 for details.
Use the Encryption dialog box to specify how Sniffer Portable
Professional should decrypt wireless network data.
See Configuring Wireless Encryption Settings on page 56 for
details.
Use the Rogue dialog box to enable and configure the identification
of wireless access points and hosts as rogues in the Host Table and
Expert displays.
See Configuring Rogue Identification for Wireless Networks on
page 61 for details.
NOTE: The Tools > Wireless options are only available if a
wireless LAN adapter is the currently selected adapter, the correct
driver is installed, and you are not operating in Local Mode. You
can change the currently selected adapter and the Local Mode
setting using the File > Adapter Settings command. See Installing
Sniffer Portable Professional for information on installing the correct
driver for wireless adapters in both Windows XP and Windows Vista.
Configuring Surf Settings
Use the Tools > Wireless > Surf Settings > Topology Surfing dialog
box (Figure 4-3) to select the wireless LAN channels you would like
Sniffer Portable Professional to monitor. For each wireless topology
supported by your wireless adapter, you can select individual channels
for monitoring, as well as the amount of time to monitor them.
The Topology Surfing dialog box consists of two main panels:
The left panel lists the channels available for selection. Channels
are listed independently by topology (for example, 802.11A,
802.11B, and 802.11G) – use the 802.11 drop-down to change the
selected topology. You can select channels in the left pane and click
the Add button to move them to the Selected panel.
The Selected panel lists the channels currently selected for
monitoring. Sniffer Portable Professional monitors each of the
channels in the Selected panel in a cycle for the time specified by
its Surf Time field before moving on to the next selected channel.

Use the 802.11 drop-down to change
the selected topology. You can add
channels from each topology
supported by your card to the Surf list
by selecting an entry and clicking Add.
Use the Surf Time
fields to specify the
amount of time to
monitor the
selected channel.
Working with the Topology Surfing Dialog Box
Setting Options in the Sniffer Window
The main tasks performed in the Topology Surfing dialog box are
channel selection and surf time configuration:
Use the Add button to move a channel from the list of available
channels to the list of selected channels.
To change a channel’s Surf Time, select its entry in the Selected
list, enter a new value in the Surf Time field, and click Set Time.
To reset all selected channels at once, click Reset All.
By default, Channel 11 on 802.11G is enabled. Enable any other
channels you’d like to monitor.
The Selected panel lists the channels Sniffer Portable
Professional will monitor. Each channel is listed with
its topology, channel number, and how long Sniffer
Portable Professional will monitor it during each cycle.
Figure 4-3. Tools > Wireless > Surf Settings Dialog Box
User’s Guide 55

Chapter 4
Configuring Wireless Encryption Settings
56 Sniffer Portable Professional
Use the Tools > Wireless > Encryption option (Figure 4-4) to specify
the encryption keys in use on wireless networks monitored by Sniffer
Portable Professional. If the correct keys are specified, Sniffer Portable
Professional can decrypt and decode both WPA-WPA2 and
WEP-encrypted packets during capture and postcapture.
The IEEE 802.11 Decryption Keys dialog box consists of two main areas:
Sniffer Portable Professional can decrypt both
WPA/WPA2 and WEP encrypted packets
simultaneously as long as you have enabled both
forms of decryption and configured their
associated keys correctly.
Use these options to specify the
keys to use for decryption of
WEP-encrypted data. WEP is an
early 802.11 encryption
technology and is not as
commonly seen as WPA-WPA2.
Use these options to specify
the passphrase used to
decrypt data on different SSIDs
(wireless networks).
WEP Keys – Use this panel to specify the WEP keys used to
encrypt data on the wireless network. You can specify either a
single set of keys for all channels or different keys for individual
channels. See Specifying WEP Keys on page 58.
WPA-WPA2 Keys – Use this panel to specify the pre-shared
passphrase corresponding to different SSIDs monitored by Sniffer
Portable Professional. See Specifying WPA-WPA2 Keys on page 57.
Figure 4-4. Tools > Wireless > Encryption Dialog Box

Specifying WPA-WPA2 Keys
Setting Options in the Sniffer Window
WPA-WPA2 encryption is widely used to secure 802.11 networks and is
more frequently encountered than the legacy WEP solution. Use the
WPA-WPA2 options in the IEEE 802.11 Decryption Keys dialog box
to specify the keys to be used for decryption of WPA-encrypted packets.
You can enter the pre-shared passphrase associated with different
SSIDs monitored by Sniffer Portable Professional to allow decryption and
decoding of the corresponding packets during capture.
NOTE: Sniffer Portable Professional can decrypt both
WPA/WPA2-encrypted and WEP-encrypted data at the same time,
so long as you have enabled and configured both forms of
decryption in the IEEE 802.11 Decryption Keys dialog box.
NOTE: You can also perform postcapture decryption on trace files
saved without the Encryption options specified correctly. See
Postcapture 802.11 Decryption on page 199 for information on how to
decrypt encrypted data in a buffer or saved trace file.
To enter WPA/WPA2 encryption keys:
1 Display the Tools > Wireless > Encryption dialog box.
2 In the WPA-WPA2 Keys area, check the Enable box to turn on
decryption of WPA/WPA2-encrypted packets.
3 Depending on how you have configured the Tools > Wireless >
Surfing options, Sniffer Portable Professional will likely be
encountering multiple wireless networks, each with its own
encryption keys. Perform the following steps to specify the
encryption keys used by each WPA/WPA2-encrypted wireless
network you expect Sniffer Portable Professional to monitor:
a Turn on the encryption key by checking its On radio button.
b Specify the SSID for the WPA/WPA2-encrypted network. This
is typically a short string used to identify a wireless network
(for example, labnet).
c WPA/WPA2 encryption relies on a pre-shared passphrase for
encryption. Enter the passphrase associated with this SSID.
d Repeat Step a though Step c for each SSID you expect Sniffer
Portable Professional to monitor.
4 Click OK to accept your settings.
User’s Guide 57

Chapter 4
58 Sniffer Portable Professional
Notes on WPA/WPA2 Decryption
Sniffer Portable Professional must observe the four EAPOL exchange
packets for successful WPA decryption to take place. These packets
must be seen for every independent Sniffer Portable Professional session
and every independent Client > AP session. Each time you restart the
application or use the File > Reset All command, Sniffer Portable
Professional will need to see new EAPOL exhange packets for successful
decryption. Note the following:
EAPOL exchange packets are seen when a client connects to the
access point. After starting Sniffer Portable Professional, perform a
manual connection to the access point to make sure the EAPOL
packets are exchanged.
Decrypted WPA/WPA2 packets will only appear in the Expert and
Decode displays after the EAPOL exchange packets are seen.
EAPOL packets are only valid for a single session of Client > AP
communications. Sniffer Portable Professional needs new EAPOL
exchange packets for each new session.
The EAPOL exchange packets must not have CRC errors in order for
decryption to work successfully.
If you suspect that decryption is not working correctly, try
reconnecting a client to the access point with the specified
passphrase.
Sniffer Portable Professional installations on Windows XP do not
support WPA decryption of traffic seen on Private networks.
You can temporarily disable a particular WPA/WPA2 key using the
Off/On radio buttons.
Specifying WEP Keys
Use the WEP Keys options in the IEEE 802.11 Decryption Keys
dialog box to specify the keys to be used for decryption of
WEP-encrypted packets. You can enter either a Single Key Set for all
wireless channels or specify separate keys for individual channels. Keys
can be entered as either Hex or ASCII characters. If the correct keys
are specified, Sniffer Portable Professional can decrypt and decode
WEP-encrypted packets during capture.
NOTE: Sniffer Portable Professional can decrypt both
WPA/WPA2-encrypted and WEP-encrypted data at the same time,
so long as you have enabled and configured both forms of
decryption in the IEEE 802.11 Decryption Keys dialog box.

Setting Options in the Sniffer Window
NOTE: You can also perform postcapture decryption on trace files
saved without the Encryption options specified correctly. See
Postcapture 802.11 Decryption on page 199 for information on how to
decrypt encrypted data in a buffer or saved trace file.
To enter WEP encryption keys:
1 Display the Tools > Wireless > Encryption dialog box.
2 In the WEP Keys area, check the Enable box to turn on decryption
of WEP-encrypted packets.
3 Use the Key entry mode options to specify whether Sniffer
Portable Professional should use the same WEP keys on every
channel on the wireless network or different keys on different
channels.
Enable the Single Key Set option if you would like Sniffer
Portable Professional to use the specified WEP keys for every
channel on the wireless network.
Enable the Keys Per Channel option if you would like to
specify different sets of WEP keys for different topologies and
channels on the wireless network. Then, use the Topology,
Channel, and Key list to specify separate keys for individual
channels.
4 Use the Hex/ASCII radio buttons to specify the format in which
you’d like to enter the WEP keys.
5 You can enter up to four separate encryption keys. For each key,
do the following:
a Specify the length of the key by selecting the appropriate
option. Keys can be either None, 40-bit, or 128-bit. Use the
None option if no encryption is used on the network.
Depending on the length of the key specified, some or all of
the adjacent fields become active, enabling you to specify the
keys in use.
b Specify the exact, case-sensitive value for each key in the
adjoining spaces provided.
Keep the following in mind when entering keys in ASCII format:
An empty field is equivalent to a setting of None in Hex entry
mode (that is, no encryption is used on the network).
Five ASCII characters or 0x followed by 10 hex characters is
interpreted as a 40-bit key.
User’s Guide 59

Chapter 4
60 Sniffer Portable Professional
Thirteen ASCII characters or 0x followed by 26 hex characters
is interpreted as a 128-bit key.
NOTE: The four encryption keys in use on a WEP-encrypted
network are all typically the same length — either 40-bit or
128-bit.
NOTE: Key entries appear as asterisks to preserve their
security.
Notes on Hex/ASCII Conversion
If you have previously entered encryption keys in one mode and
then switch to the other (Hex to ASCII or vice-versa), Sniffer
Portable Professional automatically converts your entries as
follows:
When converting from ASCII to hex, key entries of five ASCII
characters appear as 40-bit keys in Hex mode. Similarly, key
entries of 13 ASCII characters appear as 128-bit keys in Hex
mode.
When converting from hex to ASCII, key entries are converted
differently depending on the length specification in the Hex entry
mode:
If None was selected, the entry fields appear empty.
If 40-bit was selected, Sniffer Portable Professional attempts
to convert the hex key into ASCII. If conversion is possible, 5
ASCII characters appear. If conversion is not possible, 0x
followed by 10 hex characters appears.
If 128-bit was selected, Sniffer Portable Professional
attempts to convert the hex key into ASCII. If conversion is
possible, 13 ASCII characters appear. If conversion is not
possible, 0x followed by 26 hex characters appears.

Setting Options in the Sniffer Window
Configuring Rogue Identification for Wireless Networks
When the Lookup options here are
enabled, Sniffer Portable
Professional flags wireless entities
not found in the corresponding lists
as rogues in both Expert and Host
Table displays.
Use the Tools > Wireless > Rogue options (Figure 4-5) to enable and
configure Sniffer Portable Professional’s identification of rogue entities
on the wireless network.
Figure 4-5. Tools > Wireless > Rogue Dialog Box
If the Enable Rogue AP Lookup option (beneath the Known
Access Points in the Network table) is enabled, Sniffer Portable
Professional compares the MAC address (not the IP address) of
each detected access point to those in the Known Access Points
in the Network list. If an access point’s MAC address is not in the
list, Sniffer Portable Professional labels the access point as a rogue.
If the Enable Rogue Mobile Unit Lookup option is enabled, the
Expert compares the MAC address (not the IP address) of each
detected mobile unit to those in the Known Mobile Units in the
Network list. If a mobile unit’s MAC address is not in the list,
Sniffer Portable Professional labels it as a rogue.
User’s Guide 61

Chapter 4
62 Sniffer Portable Professional
Rogue Identification in Sniffer Portable Professional Displays
Rogues are identified in Sniffer Portable Professional displays as follows:
The Expert generates Rogue Access Point and Rogue Mobile
Unit alarms when a rogue is detected.
The Expert identifies rogues by adding the word (Rogue) in
parentheses following the offending stations’ entries in Summary
and Detail displays. This provides you with a handy means of
identifying units on the wireless network of which you were not
aware, some of which may be unauthorized intruders.
When Rogue Lookup is enabled, the Host Table includes a Status
column in tabular 802.11 displays listing the current
Rogue/Known/Neighbor identification of each listed entity. You
can check an entry’s selection box in the Host Table (in the #
column) and right-click to identify it as either Known or Neighbor,
or to remove it from the Known/Neighbor list entirely.
The Rogue Dialog Box and Expert Options
The Tools > Wireless > Rogue dialog box provides access to the same
settings found in the Tools > Expert Options > 802.11 Options tab.
These two dialogs share the same list of Known/Neighbor wireless
entities – when you change a setting in one dialog box, it is reflected in
both places. For example, if you add an Access Point as Known from the
Host Table, it will appear as Known in both the Tools > Wireless >
Rogue dialog box and the Tools > Expert Options > 802.11 Options
tab.
See Expert 802.11 Options on page 140 for information on using the
options found there, including the Import/Export features not available
in the Tools > Wireless > Rogue dialog box.
Adding Known Addresses to the List
To use the rogue identification abilities of Sniffer Portable Professional
effectively, you must first add the MAC addresses of the known access
points and mobile units on your network to the Expert’s list of known
wireless unit addresses. There are several ways to do this:
Automatically from the real-time Host Table. See Adding Known
Addresses from the Host Table on page 141.
Automatically from the Expert tab of the postcapture display. See
Adding Known Addresses from the Postcapture Display on page
143.
Automatically from the Address Book. See Autodiscovering and
Adding Addresses from the Address Book on page 145.

Setting Options in the Sniffer Window
Manually from the 802.11 Options tab of the Expert Properties
dialog box. See Adding Known Addresses Manually in the 802.11
Options Tab on page 145.
In addition, you can also import and export lists of known addresses (for
example, you can import addresses from other Sniffer Portable
Professional installations).
User’s Guide 63

Chapter 4
Adding Tools to the Tools Menu
64 Sniffer Portable Professional
You can add your own tools to the Tools menu. A tool can be any
Windows or DOS executable file installed on or accessible to your
machine.
To add a tool:
1 Select Tools > Customize User Tools from the main menu.
2 Click the Add button. The program will add (new tool) to the tool
list.
3 Edit the Menu Text field. Replace (new tool) with the name you
want to see on the menu.
4 Specify the command line, command line parameters, and initial
start-up directory as needed to properly start your program.
5 Optionally, assign a shortcut key (Alt + t, letter). To do this, place
an ampersand character (&) in front of the appropriate letter in the
Menu Text field. (In addition, the program automatically assigns an
Alt + number shortcut, visible to the right of the menu item when
you display the Tools menu.)
6 Optionally, use the Move Up and Move Down buttons in the
Customize User Tools dialog box to change the order of tools
displayed in the menu.
7 Click OK. The new tool will appear on the Tools menu.
Removing Tools from the Tools Menu
To remove a tool listed on the Tools menu:
1 Select Tools > Customize User Tools from the main menu.
2 Select the tool you want to remove.
3 Click Remove.
4 Click OK.

Setting Options in the Sniffer Window
User’s Guide 65

Chapter 4
66 Sniffer Portable Professional

Monitoring Your Network
Overview
This section describes Sniffer Portable Professional’s monitoring
functions. It includes the following major sections:
About Sniffer Portable Professional Monitor Views on page 67
Monitoring Wireless Networks on page 68
Monitor Filters on page 69
Monitor Applications and Toolbar on page 71
Monitor Alarms on page 120
Exporting Monitor Data on page 120
About Sniffer Portable Professional Monitor
Views
5
The Sniffer Portable Professional monitor stores statistical
measurements and calculations about your network traffic, providing an
accurate picture of network activity in real time. It can generate alarms
to notify you when errors are detected and can save historical records of
network activity that you can use later for traffic and fault analysis.
Monitoring features provide the following information:
Network load statistics, including the number of frames/bytes of
network traffic per time interval, the percentage of utilization, and
broadcast and multicast counts.
Protocol use statistics.
Application response time statistics for upper layer protocols.
Individual station and conversation-pair traffic statistics.
Packet size distribution statistics.
The data collected by the monitor can help you find traffic overloads,
troubleshoot bottlenecks, and locate faulty equipment. The data can also
be an important factor in deciding how to allocate your company’s
resources for network maintenance and upgrades.
User’s Guide 67

Chapter 5
Monitoring Wireless Networks
68 Sniffer Portable Professional
Sniffer Portable Professional monitors independent basic service set
(IBSS) and infrastructure wireless networks.
IBSS networks are wireless networks without access to a
distribution system. Traffic stays within the IBSS network. IBSS
networks are also known as ad hoc or independent networks.
Infrastructure networks are wireless networks with access to a
distribution system. Infrastructure networks are typically one part
of an integrated wired and wireless network structure.
When you select a wireless adapter in the Adapter Settings dialog box
(accessed from File > Adapter Settings or automatically the first time
you select an adapter to monitor), you are by default specifying that you
are monitoring both IBSS and infrastructure networks.
Wireless-Specific Information in Monitor Views
Sniffer Portable Professional adds wireless-specific information to many
of its views, including the Dashboard, Host Table, Matrix, and Global
Statistics views. See the section for each Monitor view for more
information:
Dashboard Counters for Wireless Networks on page 75
Host Table on page 82
Viewing Access Points Only on page 88
Identifying Rogue Hosts on the Wireless Network on page 91
Matrix on page 93
Global Statistics on page 116
Monitor Displays for Different WLAN Types
When using Sniffer Portable Professional with a wireless adapter, you
may notice differences in monitor displays for different wireless LAN
(WLAN) types (a, b, g, and n).
Some wireless adapters support proprietary extensions of the
802.11a standard that allow 802.11a networks to operate at twice
the rates stated by the 802.11a specification (for example, instead
of the upper limit of 54 Mbps stated for the 802.11a specification,
the 2X extension theoretically allows for an upper limit of 108
Mbps).

Monitor Filters
Monitoring Your Network
As a consequence of this support, Sniffer Portable Professional
displays for 802.11a networks will include data rate categories
beyond the 54 Mbps limit claimed by the 802.11a specification. You
will only see frames counted in these categories when monitoring
or capturing from an 802.11a network implementing these
proprietary extensions.
NOTE: Wireless network channels are based on geographical
location and the frequency band allocated in the country.
Sniffer Portable Professional lets you apply filters to the monitor. Monitor
filters affect all standard monitor applications — Dashboard, Host Table,
Matrix, Application Response Time, History Samples, Protocol
Distribution, and Global Statistics.
Using a monitor filter, you can look at your network traffic from several
different views. For example, by defining and applying a hardware
address filter to and from a router, you can easily tally the traffic load to
and from that router. Using the same filter, the Matrix Table will also
show who is talking to the router and how often. If you open the Protocol
Distribution window, it will show the percentage traffic load passing
through the router by protocol types. In addition, the History graph will
plot traffic load at the router over time.
If you want to look at matrix and host table statistics for IP traffic only,
you can define and apply an IP protocol filter. If you want to focus on
other protocol types, for example, IPX or AppleTalk, you can define
filters for those also.
IMPORTANT: For complete description of how to define a filter, see
Defining Filters and Triggers on page 219.
User’s Guide 69

Chapter 5
Applying Monitor Filters
70 Sniffer Portable Professional
To apply a filter to the monitor:
1 From the Monitor menu, choose Select Filter.
2 Check Apply monitor filter.
A list of all available monitor filter profiles appears. Monitor filter
profiles are defined using the Monitor > Define Filter menu
option.
3 Select a monitor filter from the list.
Once you have selected a monitor filter in the list, the adjacent
pane provides a capsule description of the filter profile's settings.
4 Click OK.
The selected monitor filter profile is applied to the monitor
applications. You can tell if a Monitor filter is currently applied by
examining the lower left corner of the Sniffer window. If a Monitor
filter is currently applied, a message reading Monitor Filter On
will appear.
Making Changes to the Currently Selected Monitor Filter’s
Definitions
When you change the currently selected monitor filter's definitions in the
Define Filter - Monitor dialog box, the new definitions are not enacted
until you do one of the following:
Toggle the setting of the Apply monitor filter option in the
Monitor > Select Filter dialog box.
Select a different monitor filter profile and then reselect the
updated monitor filter profile in the Monitor > Select Filter dialog
box.

Monitor Applications and Toolbar
Table 5-1. Monitor Applications
Application Toolbar
Button
Monitoring Your Network
You display monitor data by using monitor applications. The monitor
applications are listed under the Monitor menu and are also available
on the main toolbar.
To use monitor applications, you must be “logged on” to the selected
adapter. If you are not logged on, the entries for the monitor
applications in the Monitor menu will be grayed out, indicating their
unavailability. For a discussion of how to use the Log On and Log Off
options, see Network Adapters and Settings on page 267.
For more information, see...
Dashboard • Dashboard on page 72
• Viewing the Dashboard Graphs on page 73
• Working with the Dashboard Graphs on page 74
• Setting Thresholds for the Dashboard Statistics on
page 75
• Dashboard Counters for Wireless Networks on page
75
Host Table • Host Table on page 82
• Host Table Counters for Wireless Networks on page
85
Matrix • Matrix on page 93
ART • Application Response Time (ART) on page 97
History Samples • History Samples on page 110
Protocol
Distribution
• Protocol Distribution on page 114
Global Statistics • Global Statistics on page 116
User’s Guide 71

Chapter 5
Dashboard
72 Sniffer Portable Professional
.
Dashboard
Host Table
Matrix
Figure 5-1. The Monitor Toolbar
History
Samples
Application Response Time
Global Statistics
Protocol
Distribution
Alarm Log
The Dashboard displays current network activity in either graphical or
tabular format. Use the Dashboard to view a network segment’s
utilization and packet rate in real time.
Display the Dashboard by clicking the Dashboard icon in the Toolbar or
by selecting the Dashboard option from the Monitor menu or click .
From the Dashboard you can view or access the following information:
Gauges displaying utilization, packet rate, and error rate in real
time. Red zones shown in the gauges indicate the alarm threshold
settings
Click the Detail tab below the gauges to display tabular counters
for network statistics and size distribution statistics.
Topology-specific tabs displaying tabular counters for
network-specific statistics.
Configurable graphs for network statistics and size distribution
statistics.
The exact statistics (and tabs) provided in the Dashboard depend on the
currently selected adapter. To view the total network traffic load
accumulated since Sniffer Portable Professional started, click the Detail
tab.

Click these boxes to see
configurable graphs of the
corresponding statistics.
Monitoring Your Network
IMPORTANT: See Dashboard Counters for Wireless Networks on page
75 for details on the Dashboard statistics provided for wireless LANs.
Viewing tips:
To view average-per-second statistics select the Show Average
option at the top of the Dashboard instead of the Show Total
option.
To reset all the statistics in the Dashboard to zero, click Reset.
To set thresholds for alarms based on Dashboard statistics, click
Set Thresholds.
Figure 5-2 shows a sample Dashboard for an Ethernet adapter.
Figure 5-2. The Dashboard Gauge View
Viewing the Dashboard Graphs
Click these options to narrow (Short term) or widen (Long term) the
scale of the Network, Detail Errors, and Size Distribution graphs.
The Dashboard also provides configurable graphs for the broad groups
of statistics shown on the Detail tab. Ethernet adapters include
configurable graphs for:
Network statistics
Size Distribution statistics
Wireless LAN adapters include configurable graphs for:
Network statistics
Wireless Statistics
User’s Guide 73

Chapter 5
74 Sniffer Portable Professional
Speed Statistics
You view the configurable graphs by clicking the box corresponding to
the desired group of statistics at the bottom of the Dashboard. A graph
appears at the bottom of the Dashboard showing the selected statistics.
Figure 5-3 shows the Network statistics graph for an Ethernet adapter.
The exact statistics shown in the Network graph will change depending
on the selected adapter.
Click the Scroll buttons to move the graph’s “current” line. The statistics shown at
the right of the graph reflect the statistics at the “current” line’s position. You can
see the exact time and date of the “current” line to the right of the Scroll buttons.
The “Current” line.
Figure 5-3. Configurable Dashboard Graph
Working with the Dashboard Graphs
Check the boxes corresponding to each statistic you would like
included in the graph. The statistics available for graphing are the
same as those in the Detail tab at the top of the Dashboard.
You work with the configurable graphs as follows:

Monitoring Your Network
Each possible statistic for the graphs is listed at the right of the
graph. Check the boxes of the statistics you would like included in
the graph. A line in the corresponding color will appear in the graph
for the selected statistic.
If you are having difficulty viewing the line for a particular statistic,
allow your mouse to hover over the entry for the statistic at the
right of the graph. The corresponding line will appear in bold in the
graph while your mouse is hovering over its entry at the right.
The graph includes a vertical “current” line. The statistics counters
at the right of the graph are based on the position of the “current
line.” You can move the current line in either of the following ways:
Clicking the arrow buttons at the top of the graph.
Clicking to the right or the left of the “current” line in the
graph.
The time and date entry at the top of the graph shows the current
position of the “current” line.
You can widen or narrow the time scale of the graph by clicking the
Long term (widen) or Short term (narrow) buttons at the top of
the graph.
Setting Thresholds for the Dashboard Statistics
You can set alarm thresholds for each of the dials on the Dashboard (as
well as many other network statistics). When a threshold is exceeded,
an entry is made in the Alarm log. You can monitor the Alarm log to keep
watch over your network.
To set a threshold value, click Set Thresholds at the top of the
Dashboard (Figure 5-2). Alternatively, you can select Options from the
Tools menu and click the Mac Threshold tab. You will see a complete
list of network parameters that can trigger a threshold alarm. The exact
parameters depend on the currently selected adapter.
Another option in this dialog box is the Monitor sampling interval
option. The High Threshold value for each measure will be the average
per second value measured during the monitor sampling interval.
Dashboard Counters for Wireless Networks
For wireless displays, the Dashboard includes a number of
wireless-specific counters not seen on wired networks. These counters
are described in this section and are found in:
The Gauge tab (see The Dashboard Gauge Tab on page 76)
The 802.11 tab (see The Dashboard 802.11 Tab on page 77)
User’s Guide 75

Chapter 5
The Dashboard Gauge Tab
76 Sniffer Portable Professional
The Gauge tab is displayed by default when you start the Dashboard.
When capturing from wireless networks, the Dashboard’s Gauge tab
provides a Throughput gauge. This gauge provides a real-time
measurement of the data rate (in bits per second) observed by Sniffer
Portable Professional. When calculating throughput, Sniffer Portable
Professional only counts data frames. Management and control frames
are not part of this calculation. However, the throughput measurement
does include the header portions of data frames (see How Wireless
Utilization is Calculated on page 76 for details).
How Wireless Utilization is Calculated
The Dashboard provides network utilization percentage measurements
on both the Gauge and Detail tabs. Sniffer Portable Professional
calculates network utilization by storing the airtime (in microseconds)
for each observed frame in a buffer. Every second, the value in this
buffer is divided by 1,000,000 microseconds (that is, a second) to obtain
a percentage utilization measurement.
The airtime for each frame is calculated as follows:
1 First, the duration of the frame’s PLCP header is stored. PLCP
headers can be either:
192 microseconds. This is the Long header format specified
in IEEE 802.11b/g for 1 and 2 Mbps transmission speeds.
96 microseconds. This is the Short header format specified
in IEEE 802.11b/g for 5.5 and 11 Mbps transmission speeds.
NOTE: The calculations for 802.11a are performed similarly
except that they use the duration of the PLCP header specified
for different 802.11a rates.
2 Each frame’s PLCP header includes a field indicating the length of
the data portion of the frame in microseconds. Sniffer Portable
Professional adds this value to the duration of the PLCP header
observed in the previous step and stores the sum in a buffer.
3 Each second, the value in the buffer is divided by 1,000,000
microseconds to obtain a percentage utilization measurement.

The Dashboard 802.11 Tab
802.11 Dashboard Tab
Monitoring Your Network
The Dashboard’s 802.11 tab (Figure 5-4) includes counters for wireless
LAN Statistics, Management frame types, and Control frame types:
Statistics Counters in the 802.11 Tab on page 77
Management Frame Type Counters in the 802.11 Tab on page 79
Control Frame Type Counters in the 802.11 Tab on page 81
Figure 5-4. Sample 802.11 Tab in Dashboard
Statistics Counters in the 802.11 Tab
Table 5-2 lists and describes the Statistics counters in the Dashboard’s
802.11 tab (sample shown in Figure 5-4).
Table 5-2. Statistics Counters in the Dashboard’s 802.11 Tab
(1 of 3)
Counter Description
Data Pkts The number of data packets observed on the
wireless LAN.
User’s Guide 77

Chapter 5
78 Sniffer Portable Professional
Table 5-2. Statistics Counters in the Dashboard’s 802.11 Tab
(2 of 3)
Counter Description
Management Pkts The number of Management packets
observed on the wireless LAN. Management
packets include Association Requests, Probe
Requests, and so on. They are counted
individually in the Management column of
the 802.11 tab.
Control Pkts The number of Control packets observed on
the wireless LAN. Control packets include PS
Polls, CF Ends, and so on. They are counted
individually in the Control column of the
802.11 tab.
Data Throughput The current data rate (in bits per second)
observed by Sniffer Portable Professional.
When calculating throughput, Sniffer
Portable Professional only counts data
frames. Management and control frames are
not part of this calculation. However, the
throughput measurement does include the
header portions of data frames.
Retry Pkts The number of Retry packets observed on
the wireless LAN. Stations send retry
packets when they receive no
acknowledgment to a previously sent
packet.
WEP Pkts The number of packets observed on the
wireless LAN with the WEP bit in the Frame
Control field set to true. This indicates that
Wired Equivalent Policy encryption was used
on the packet.
Order Pkts The number of packets observed on the
wireless LAN with the Order bit in the Frame
Control field set to true. This indicates that
packets must be processed in order.
PLCP Short Pkts The number of Physical Layer Convergence
Protocol (PLCP) protocol data units seen with
the “short” preamble and header. This form
of PLCP PDU is used to achieve higher
throughput and can support 5.5 and 11
Mbps transmission speeds.

Monitoring Your Network
Table 5-2. Statistics Counters in the Dashboard’s 802.11 Tab
(3 of 3)
Counter Description
PLCP Long Pkts The number of PLCP PDUs seen with the
“long” preamble and header. This form of
PLCP PDU is compatible with legacy
equipment from older wireless LANs and
supports and operates at either 1 Mbps or 2
Mbps.
Data Rate Counters These counters provide packet counts for
different speed ranges.
Management Frame Type Counters in the 802.11 Tab
Management frames are used to set up the initial communications
between stations and access points on the wireless network. Table 5-3
lists and describes the Management frame counters in the Dashboard’s
802.11 tab (example shown in Figure 5-4 on page 77).
Table 5-3. Management Frame Counters in the Dashboard’s 802.11
Tab (1 of 2)
Counter Description
Association Requests The number of Association Requests
observed on the wireless network. Stations
send Association Requests to become
associated with access points.
Association Responses The number of Association Responses
observed on the wireless network. Access
points send Association Responses in
response to Association Requests from
wireless stations.
Reassociation Requests The number of Reassociation Requests
observed on the wireless network. Stations
send Reassociation Requests when they
need to associate with a new access point
(for example, because they are out of range
of their old access point). This way, the new
access point knows to set up forwarding of
traffic from the old access point.
Reassociation Responses The number of Reassociation Responses
observed on the wireless network. Access
points send Reassociation Responses in
response to Reassociation Requests from
wireless stations.
User’s Guide 79

Chapter 5
80 Sniffer Portable Professional
Table 5-3. Management Frame Counters in the Dashboard’s 802.11
Tab (2 of 2)
Counter Description
Probe Requests The number of Probe Requests observed on
the wireless network. Stations send Probe
Requests to other stations or access points
to retrieve information (for example, to
determine whether a given access point is
open for new associations).
Probe Responses The number of Probe Responses observed
on the wireless network. Stations and access
points send Probe Responses containing
requested parameters in response to Probe
Requests.
Beacons The number of Beacon packets observed on
the wireless network. Access points send
beacon packets at a regular interval to
synchronize timing between stations on the
same network.
ATIMs The number of Announcement Traffic
Indication Messages (ATIMs) observed on
the wireless network. Stations send ATIMs
immediately after a beacon packet
transmission to inform other stations that
they have data to transmit to them.
Disassociations The number of Disassociation packets
observed on the wireless network. Stations
and access points send Disassociations to
end associations.
Authentications The number of Authentication packets
observed on the wireless network. Stations
and access points send Authentications to
identify one another securely.
Deauthentications The number of Deauthentication packets
observed on the wireless network. Stations
and access points send Deauthentications to
end secure communications with one
another.

Control Frame Type Counters in the 802.11 Tab
Monitoring Your Network
Once stations and access points on the wireless networks have
established communications with one another (through the Association
and Authentication packet types described in the previous section),
Control frames are used in the transmission of data frames. Table 5-4
lists and describes the Control frame counters in the Dashboard’s
802.11 tab (example shown in Figure 5-4 on page 77).
Table 5-4. Control Frame Counters in the Dashboard’s 802.11 Tab
Counter Description
PS Polls The number of Power Save (PS) Poll packets
observed on the wireless network. PS Poll
packets are sent by stations to inform other
stations of time windows during which they
will not be transmitting.
RTS The number of Request to Send (RTS)
packets observed on the wireless network.
RTS packets are sent by stations to
negotiate how a data frame will be sent.
CTS The number of Clear to Send (CTS) packets
observed on the wireless network. Stations
send CTS packets to acknowledge the
receipt of an RTS packet and to indicate that
they are ready to receive data.
Acknowledge The number of Acknowledge packets
observed on the wireless network. Stations
send acknowledge packets to indicate that
they have received an error-free packet.
CF End The number of Contention-Free (CF) End
packets observed on the wireless network.
CF End packets are sent to indicate the end
of a contention period.
CF End/CF ACK CF End/CF ACK packets are sent to
acknowledge CF End packets.
BSSID The Basic Service Set Identification (BSSID)
for the access point on the channel being
monitored.
ESSID The Extended Service Set Identification
(ESSID) for the channel being monitored.
User’s Guide 81

Chapter 5
Host Table
82 Sniffer Portable Professional
The Host Table collects each network node’s traffic statistics in real time.
For LAN adapters, the Host Table accumulates MAC, IP network, IP
application, IPX network, and IPX transport-layer information.
For wireless LAN adapters, the Host Table accumulates 802.11,
MAC, IP, and IPX transport-layer information. See Host Table
Counters for Wireless Networks on page 85 for more information
on wireless-specific statistics.
Options for viewing data in the Host Table are summarized in the
following table.
Table 5-5. Host Table Toolbar Options
Button Description
Access Point Table (802.11 Tab Only). Focuses the
standard Outline Table view on Access Points only, helping
you zoom in on their associated statistics.
Outline Table. The table views display traffic count
statistics for each network node in real time. The outline
table provides a quick summary of total bytes and packets
transmitted in and out of each network node.
Detail Table. The table views display traffic count statistics
for each network node in real time.
For most tabs, the detail table provides a quick summary of
the higher-layer protocol type and its traffic load
transmitted in and out of each network node.
For the 802.11 tab, the detail table breaks out packet
counts by different wireless control frame types. For
example, stations sending Beacon frames are listed with
counts for in and out packets and bytes associated with
beacon frames.
Bar Chart. The bar chart displays the top x busiest host
nodes in real time, where x is a user-configurable number.
(The default is 10.)
Pie Chart. The pie chart displays the top x busiest host
nodes as relative percentages of the total load of top x
traffic. x is a user-configurable number (the default is 10).
Capture. Capture data to or from a single station (first
select a station from outline table view).
Define Filter. Displays the Define Filter - Capture dialog
box, pre-populated with settings based on the selected
station in the Outline Table.

Table 5-5. Host Table Toolbar Options
Button Description
Monitoring Your Network
Add to Last Filter. Displays the Define Filter - Capture
dialog box, adding information associated with the selected
station in the Outline Table to the previous filter
information.
NOTE: The type of selected station must match the station
used in the previous filter for this to work. For example, if
you select an IP station in the Host Table’s IP tab and click
Define Filter, the Define Filter - Capture dialog box will
automatically populate with the IP address of the selected
station. You could then select a second IP station in the IP
tab, click the Add to Last Filter button, and see the Define
Filter - Capture dialog box appear with the IP address of the
second station added to the previous station. However, you
could not go to the MAC tab, select a station, and then add
that to a filter already populated with IP information. The
filter types must match.
Pause. Pauses updates.
Refresh. Refreshes the display.
Reset. Resets all counters to zero.
Export. Exports tabular data to CSV (Table views only)
Properties. Opens a properties dialog box in which you
can set operating parameters for the Host Table, including
update and sort intervals, sort options for charts, and which
wireless stations are included in the display (Access
Points, Stations, None, or any combination of the three).
Single Station. Displays a Single Station view for the
selected station. See Host Table Single Station Functions on
page 84 for more information.
Export data to HTML (Table views only)
Sort a Host Table by clicking a column heading (for example, to sort the
statistics by incoming packets, click the In Pkts column heading). Click
a second time to sort in reverse order.
User’s Guide 83

Chapter 5
84 Sniffer Portable Professional
You can configure settings (specifying to show the raw address instead
of a symbolic name, defining the update and sort interval, and defining
the sort variable and top-N variable in the bar and pie chart) by clicking
Properties from the Host Table toolbar.
In the table views, you can export the statistics for tabulation or
charting. Refer to Exporting Monitor Data on page 120.
Figure 5-5 shows a sample Host Table display.
Figure 5-5. The Host Table (Outline Table View)
Maximum Number of Entries in the Host Table
The maximum number of entries in the Host Table display is 1000.
Host Table Single Station Functions
Click to display traffic by 802.11, MAC, IP, or IPX
To capture data to or from a single station, click the station’s icon in the
outline table and then click the button. (For more information, see
Capturing from Specific Stations (Visual Filters) on page 128.)
To display a single station’s statistics, click the station’s icon in the
outline table and click the button. You can view a single station’s
statistics in a traffic map, table, bar chart, or pie chart.

Host Table Counters for Wireless Networks
Monitoring Your Network
In addition to the standard Host Table features available for all
networks, Sniffer Portable Professional provides counters specifically for
MAC-layer wireless stations in the 802.11 tab.
Display the Host Table’s 802.11 tab by clicking it at the bottom of the
Host Table window. For each MAC-layer wireless station detected on the
network, the 802.11 tab provides the statistics listed and described in
Table 5-6.
In addition, you can click the Access Point button to zoom in on
access points only. See Viewing Access Points Only on page 88 for
information on the counts in the Access Points view.
Table 5-6. Host Table Counters in the 802.11 Tab (1 of 3)
Counter Description
HwAddr The hardware address for this station.
Type The type of station. Station types include:
• AP. Access Point.
• STA. Wireless Station.
Status The Status column lets you monitor
Known, Rogue, and Neighbor stations in
your WLAN. It appears whenever Enable
Rogue AP Lookup and/or Enable Rogue
Mobile Unit Lookup is turned on in either
Tools > Wireless > Rogue or Tools >
Expert Options > 802.11 Options.
As you use the Host Table, you can flag a
wireless entity as either Known or
Neighbor by checking its box in the
leftmost # column, right-clicking, and
selecting either Add to Wireless Units List
as Known or Add to Wireless Units List
as Neighbor. The value you assign will
appear in the Status column, helping you
keep track of unknown entities on your
WLAN. See Adding Known Addresses to the
List on page 141 for information on the
different ways you can automatically add
addresses to the list of known units, how
rogues are flagged in Sniffer Portable
Professional displays, and so on.
BSSID The Basic Service Set ID associated with this
station.
ESSID The Extended Service Set ID associated with
this station.
User’s Guide 85

Chapter 5
86 Sniffer Portable Professional
Table 5-6. Host Table Counters in the 802.11 Tab (2 of 3)
Counter Description
Encryption The last observed encryption method for this
host. Possible values include:
• RC4-Open (WEP)
• RC4-TKIP (WPA-PSK)
• AES-CCMP (WPA2-PSK)
•Unencrypted
If this field is empty, then no encryption is in
use.
Authentication The last observed authentication method for
this host. Possible values include:
•Open
•Shared
• 802.1X-PSK
Monitored Topology The wireless network topology on which this
station was last seen transmitting. For
example, A for 802.11A, B for 802.11b, and
so on.
Monitored Channel The wireless network channel on which this
station was last seen transmitting.
Valid Topology The wireless network topology on which this
station is supposed to be transmitting
according to the information in transmitted
packets.
Compare this value to the Monitored
Topology value.
Valid Channel The wireless network channel on which this
station is supposed to be transmitting
according to the information in transmitted
packets.
Compare this value to the Monitored
Channel value to see how channels are
overlapping in your WLAN.
Signal Curr The average of all measured signal strengths
for this station.
Signal Max Of the measured signal strengths for this
station, the highest (expressed as a
percentage).
Signal Min Of the measured signal strengths for this
station, the lowest (expressed as a
percentage).

Monitoring Your Network
Table 5-6. Host Table Counters in the 802.11 Tab (3 of 3)
Counter Description
In Bytes The number of bytes received by this
station.
Out Bytes The number of bytes transmitted by this
station.
In Pkts The number of packets received by this
station.
Out Pkts The number of packets transmitted by this
station.
Broadcast The number of broadcast packets
transmitted by this station.
Multicast The number of multicast packets transmitted
by this station.
Retry Pkts The number of retry packets transmitted by
this station. Stations send retry packets
when they receive no acknowledgment to a
previously sent packet.
Data Rate Counters These counters provide packet counts for
different speed ranges.
Update Time The last time this station was updated in the
Host Table with new statistics.
Create Time The time this station’s entry was first added
to the Host Table.
User’s Guide 87

Chapter 5
Viewing Access Points Only
88 Sniffer Portable Professional
You can click the Access Point button in the Host Table’s 802.11
tab to zoom in on access points only.
The statistics available in the Access Point view are somewhat different
than those in the full 802.11 tab, as summarized in the table below.
Table 5-7. Host Table Counters in the Access Point View
Counter Description
Access Points The hardware address for each detected
access point.
Status The Status column lets you monitor
Known, Rogue, and Neighbor stations in
your WLAN. It appears whenever Enable
Rogue AP Lookup and/or Enable Rogue
Mobile Unit Lookup is turned on in either
Tools > Wireless > Rogue or Tools >
Expert Options > 802.11 Options.
As you use the Host Table, you can flag a
wireless entity as either Known or
Neighbor by checking its box in the
leftmost # column, right-clicking, and
selecting either Add to Wireless Units List
as Known or Add to Wireless Units List
as Neighbor. The value you assign will
appear in the Status column, helping you
keep track of unknown entities on your
WLAN. See Adding Known Addresses to the
List on page 141 for information on the
different ways you can automatically add
addresses to the list of known units, how
rogues are flagged in Sniffer Portable
Professional displays, and so on.
ESSID The Extended Service Set ID associated with
this station.
Encryption The last observed encryption method for this
host. Possible values include:
• RC4-Open (WEP)
• RC4-TKIP (WPA-PSK)
• AES-CCMP (WPA2-PSK)
•Unencrypted
If this field is empty, then no encryption is in
use.

Monitoring Your Network
Table 5-7. Host Table Counters in the Access Point View
Counter Description
Authentication The last observed authentication method for
this host. Possible values include:
•Open
•Shared
• 802.1X-PSK
Monitored Topology The wireless network topology on which this
station was last seen transmitting. For
example, A for 802.11A, B for 802.11b, and
so on.
Monitored Channel The wireless network channel on which this
station was last seen transmitting.
Valid Topology The wireless network topology on which this
station is supposed to be transmitting
according to the information in transmitted
packets.
Compare this value to the Monitored
Topology value.
Valid Channel The wireless network channel on which this
station is supposed to be transmitting
according to the information in transmitted
packets.
Compare this value to the Monitored
Channel value to see how channels are
overlapping in your WLAN.
Signal Curr The average of all measured signal strengths
for this station.
Signal Max Of the measured signal strengths for this
station, the highest (expressed as a
percentage).
Signal Min Of the measured signal strengths for this
station, the lowest (expressed as a
percentage).
In Bytes The number of bytes received by this access
point.
Out Bytes The number of bytes transmitted by this
access point.
In Pkts The number of packets received by this
access point.
Out Pkts The number of packets transmitted by this
access point.
User’s Guide 89

Chapter 5
90 Sniffer Portable Professional
Table 5-7. Host Table Counters in the Access Point View
Counter Description
Beacons The number of beacon packets transmitted
by this access point. Access points send
beacon packets at a regular interval to
synchronize timing between stations on the
same network.
Update Time The last time this access point was updated
in the Host Table with new statistics.
Create Time The time this access point’s entry was first
added to the Host Table.

Identifying Rogue Hosts on the Wireless Network
Monitoring Your Network
Sniffer Portable Professional helps you identify unknown units on your
wireless network, both during monitoring and live capture. In general,
this feature works by comparing detected addresses to a list of Known
and Neighbor addresses. Addresses not found in this list are flagged as
rogues in Sniffer Portable Professional displays. The figure below
summarizes the process:
1. Enable Rogue Lookup for Access Points and/or Mobile Units
in either Tools > Wireless > Rogue (shown) or Tools > Expert
Options > 802.11 Options. See Configuring Rogue
Identification for Wireless Networks on page 61 for details.
2. All wireless entities start out as rogues.
Add wireless entities as Known or Neighbors
to change their classification. The easiest
way to do this is by checking entries in the #
column of the Host Table’s 802.11 tab and
right-clicking. However, there are several
ways to do this – see Adding Known
Addresses to the List on page 62.
3. Review the Status column in the Host
Table, as well as Expert displays to review
the Known/Neighbor/Rogue classification
of wireless entities. See Rogue
Identification in Sniffer Portable
Professional Displays on page 62 for
information on where Sniffer Portable
Professional reports this status.
User’s Guide 91

Chapter 5
Selecting Wireless Host Types to View in the 802.11 Tab
92 Sniffer Portable Professional
You can filter the display in the Host Table’s 802.11 tab to display any
combination of the following host types:
AP – Wireless access points.
STA – Wireless stations.
None – Unclassified stations (for example, broadcast/multicast
stations and stations that have not yet been classified).
To filter the Host Table display, click the Properties button in the Host
Table to display the Host Table Properties dialog box (Figure 5-6). From
here, you can use the 802.11 Host Type tab to select which types of
wireless hosts you would like displayed in the Host Table’s 802.11 tab.
Use standard Ctrl-Click and Shift-Click techniques to select any
combination of the listed types and click OK.
NOTE: The setting made here does not apply to the Access Points
view in the 802.11 tab. It always focuses on Access Points.
Figure 5-6. Selecting Wireless Hosts for the Host Table’s 802.11 Tab

Matrix
Monitoring Your Network
The Matrix collects statistics for conversations between network nodes
in real time:
For LAN adapters, the Matrix accumulates MAC, IP network, IP
application, IPX network, and IPX transport-layer information.
For wireless LAN adapters, the Matrix accumulates MAC, IP, IPX,
and 802.11 statistics. See Matrix Counters for Wireless Networks
(802.11 Tab) on page 96 for more information on wireless-specific
statistics.
You can view Matrix data as a traffic map, as a table, or as a bar or pie
chart using the buttons in the Matrix toolbar, as described in the table
below.
Table 5-8. Matrix Toolbar Options
Button Description
Traffic Map. The traffic map provides a birds-eye view of
network traffic patterns between nodes in real time.
Outline Table. The table views display traffic count
statistics for each detected conversation in real time. The
outline table provides a quick summary of total bytes and
packets transmitted by each side of each detected
conversation.
Detail Table. The table views display traffic count statistics
for each conversation in real time.
For most tabs, the detail table provides a quick summary of
the higher-layer protocol type and its traffic load
transmitted on both sides of each conversation.
For the 802.11 tab, the detail table breaks out packet
counts by different wireless control frame types. For
example, Beacon frame counts are provided for both sides
of each detected conversation.
Bar Chart. The bar chart displays the top x busiest
conversations in real time, where x is a user-configurable
number in the Matrix Properties dialog box. (The default is
10.)
Pie Chart. The pie chart displays the top x busiest
conversations as relative percentages of the total load of
top x traffic. x is a user-configurable number in the Matrix
Properties dialog box (the default is 10).
User’s Guide 93

Chapter 5
94 Sniffer Portable Professional
Table 5-8. Matrix Toolbar Options
Button Description
Capture. Capture data associated with a single
conversation. First, select a conversation from the outline
table view and then click this button to start capture on the
selected conversation.
Define Filter. Displays the Define Filter - Capture dialog
box, pre-populated with settings based on the selected
conversation in the Outline Table.
Add to Last Filter. Displays the Define Filter - Capture
dialog box, adding information associated with the selected
conversation in the Outline Table to the previous filter
definition.
NOTE: The type of selected conversation must match the
conversation used in the previous filter for this to work. For
example, if you select an IP conversation in the Host
Table’s IP tab and click Define Filter, the Define Filter -
Capture dialog box will automatically populate for traffic
flowing between the IP addresses of the selected stations.
You could then select a second IP conversation in the IP
tab, click the Add to Last Filter button, and see the Define
Filter - Capture dialog box appear with the IP addresses of
the second conversation added to the previous
conversation. However, you could not go to the MAC tab,
select a conversation, and then add that to a filter already
populated with IP information. The filter types must match.
Pause. Pauses updates.
Refresh. Refreshes the display.
Reset. Resets all counters to zero.
Export. Exports tabular data to CSV (Table views only)
Refer to Exporting Monitor Data on page 120 for more
information.
Properties. Opens a properties dialog box in which you
can set operating parameters for the Matrix, including the
colors used in the traffic map, the top x variable in the bar
and pie chart, and the update and sort interval.
Export data to HTML (Table views only). Refer to Exporting
Monitor Data on page 120 for more information.

Maximum Number of Entries in the Matrix Display
Monitoring Your Network
The maximum number of entries in the Matrix display is 2000. The
Matrix’s Outline and Detail views can both show all 2000 entries.
However, the Traffic Map cannot show all 2000 and will display an
Overflow message indicating that not all entries can be shown.
NOTE: When the Matrix display reaches its maximum number of
entries, you must press the Refresh button to display new entries.
Refresh Rate for the Matrix
The default refresh rate is 1 second. You can use the Update every x
seconds option in the Properties dialog box for the Matrix to change the
refresh rate.
Figure 5-7 shows a Matrix bar chart for a wireless adapter.
Click to display traffic by MAC, IP, IPX, or 802.11 (WLANs only)
Figure 5-7. The Matrix (Bar Chart View) and Toolbar
User’s Guide 95

Chapter 5
Setting Capture Filters from the Matrix
96 Sniffer Portable Professional
To capture data on a specific station or conversation from the matrix:
Click the icon for a single stations in the traffic map, or:
Select a conversation entry in the outline table view.
Then, click the button. (For more information, see Capturing from
Specific Stations (Visual Filters) on page 128.)
NOTE: If you have difficulty selecting a station for capture in the
traffic map, try clicking the Pause button before selecting the
station.
Matrix Counters for Wireless Networks (802.11 Tab)
In addition to the standard Matrix features available for all networks,
Sniffer Portable Professional provides counters specifically for MAC-layer
wireless stations in the 802.11 tab.
Display the Matrix’s 802.11 tab by clicking it at the bottom of the Matrix
window. For each conversation involving MAC-layer wireless stations
detected on the network, the 802.11 tab provides packet and byte
counts for each side of the conversation.

Application Response Time (ART)
Monitoring Your Network
The Application Response Time (ART) monitor application measures and
reports response times for application layer connections between
servers and clients on known TCP/UDP ports in real time (for example,
HTTP, Telnet, SNMP, and so on). Response times are measured as the
time between when a request was sent and when the corresponding
response was observed by Sniffer Portable Professional.
When ART first appears, the Tabular view is displayed. However, you
can also view response times for different application connections as
either a client-server response time bar chart or a server response
time bar chart by clicking the appropriate button at the left of the
ART window. See the following sections for details on these views:
ART – The Tabular View on page 98
ART – The Server-Client Response Time Bar Chart on page 100
ART – The Server Response Time Bar Chart on page 100
About ART Monitor Alarms
In addition to measuring and reporting application response times, ART
also generates alarms for detected application response times that are
slower than the thresholds in the App Threshold tab of the Options
dialog box. See the ART Alarms on page 105 for information on how to
change these thresholds.
How ART Calculates Response Times
In general, the ART application calculates response times by measuring
the interval between when a packet is sent and when the corresponding
response is seen. However, in practice, this is slightly different for
connection-oriented protocols (like TCP) and connectionless protocols
(like UDP).
TCP – For each socket, ART stores the sequence numbers for
packets sent by the client and waits for the corresponding ACK
packets from the server. It then measures the time difference
between the packet with the stored sequence number and the
packet with the ACK to arrive at the response time.
UDP – For each socket, ART measures the time between packets
going from a client to a server and the next packet going from the
server to the client.
User’s Guide 97

Chapter 5
98 Sniffer Portable Professional
Adding Custom Protocols to the ART Display
If your network uses non-standard TCP or UDP ports for different upper
layer protocols, or if you want to add a custom protocol running over TCP
or UDP, you can still get ART analysis (and analysis from all other
Monitor applications, too) by specifying the correct port number for
different upper layer protocols in the Protocols tab of the Options dialog
box (accessed by selecting the Options command from the Tools
menu). Keep in mind, however, that if you do change the port numbers,
you will need to stop and restart collection for your changes to take
effect. You can do this using the Reset command in the File menu. See
Adding Custom Protocols to the ART Display on page 108 for details.
Not Seeing ART Data?
If the ART displays are not populating with data, make sure that Sniffer
Portable Professional is connected to the network in such a way that it
is seeing both sides of a conversation – requests and responses. For
example, if Sniffer Portable Professional is connected to a designated
mirror port on a switch, make sure you that you have set up port
mirroring in a way that ensures both inbound and outbound packets are
being sent to the mirror port.
IMPORTANT: Keep in mind that setting up port mirroring in this way
will occasionally cause duplicate packets to appear in the Decode
window.
ART – The Tabular View
The ART application’s Tabular view lists each detected application layer
connection with the addresses of both the server and the client, detailed
statistics for the response times on the connection, and overall traffic
statistics for the connection (server bytes, client octets, retries, and
timeouts).
ART organizes connections by protocol. Each protocol you have enabled
in the Display Protocols tab of the ART Options dialog box (accessed
by clicking the Properties button in the ART window) has its own tab at
the bottom of the ART window. You can view connections using different
protocols by clicking on the appropriate tab at the bottom of the window.
The Tabular View provides the statistics in the following table:

Table 5-9. ART Statistics in the Tabular View
Statistic Description
Monitoring Your Network
Server Address The address of the Server taking part in this
connection.
Client Address The address of the Client taking part in this
connection.
AvgRsp The average time (in milliseconds) of all responses
observed on this connection.
90% Rsp 90% of all responses observed for this client-server
pair were faster than the indicated response time.
MinRsp The time (in milliseconds) of the fastest response
observed on this connection.
MaxRsp The time (in milliseconds) of the slowest response
observed on this connection.
TotRsp The total number of responses observed on this
connection.
0-25,
26-51…801-1600
The number of responses on this connection in
each of seven different time windows. For example,
the number of responses to requests on this
connection that took between 0 and 24
milliseconds to be sent, the number of responses to
requests on this connection that took between 25
and 49 milliseconds to be sent, and so on.
Server Octets The total number of bytes sent from the Server to
the Client on this connection.
Client Octets The total number of bytes sent from the Client to
the Server on this connection.
Retries The total number of retries observed on this
connection. Retries are counted when the Sniffer
Distributed sees a request made with the same
sequence number as a previous request, indicating
that it is a retransmission. Retries only apply to
TCP-oriented protocols since UDP is
"connectionless" and does not use sequence
numbers.
Timeouts The total number of timeouts observed on this
connection. Timeouts are counted either when no
response is seen to a request by the time the
maximum value of the highest time window has
expired (by default, 5000 milliseconds), or when no
response is seen at all. Note that timeouts are also
used to generate ART alarms whenever the
specified thresholds are crossed.
User’s Guide 99

Chapter 5
ART – The Server-Client Response Time Bar Chart
100 Sniffer Portable Professional
The Server-Client Response Time bar chart graphs
Server-Client pairs according to the options you have specified in
the Server-Client tab of the ART Options dialog box. The options
there specify how many pairs are graphed, the criterion used to
sort the graph, and the display options included for each graphed
pair.
Server-client pairs are listed by number along the horizontal
axis. The addresses corresponding to each number are listed
in the pane to the right of the graph.
The vertical axis provides the units (in milliseconds) for each
bar.
Individual bars are provided along the Z-axis for each Display
Option enabled in the Server-Client tab of the ART Options
dialog box.
As always, you can click on the display tabs at the bottom of the
window to see the graph for server-client pairs observed using the
corresponding protocol.
ART – The Server Response Time Bar Chart
The Server Response Time bar chart graphs Servers according
to the options you have specified in the Servers Only tab of the
ART Options dialog box. The options there specify how many
servers are graphed, the criterion used to sort the graph, and the
display options included for each graphed server.
Servers are listed by number along the horizontal axis. The
addresses corresponding to each number are listed in the
pane to the right of the graph.
The vertical axis provides the units (in milliseconds) for each
bar.
Individual bars are provided along the Z-axis for each Display
Option enabled in the Servers Only tab of the ART Options
dialog box.
As always, you can click on the display tabs at the bottom of the
window to see the graph for servers observed using the
corresponding protocol.

Setting ART Options
Monitoring Your Network
You set options for the ART monitor application by clicking the
Properties button in the ART window. The ART Options dialog box
appears with the following four tabs:
The ART Options – General Tab on page 101 lets you set the update
interval for the ART application.
The ART Options – Server-Client Tab on page 101 lets you set
display options for the Client-Server Response Time bar graph.
The ART Options – Servers Only Tab on page 104 lets you set
display options for the Server Response Time bar graph.
The ART Options – Display Protocols Tab on page 104 lets you
specify for which protocols ART should provide a display tab at the
bottom of the ART window.
ART Options – General Tab
The General tab in the ART Options dialog box lets you specify how
often the counters in the ART application window are updated. Specify
the desired update interval (in seconds) in the provided field and click
OK.
You can also refresh the ART application’s counters manually by clicking
the Refresh button in the ART application window.
ART Options – Server-Client Tab
The Server-Client tab in the ART Options dialog box lets you specify
display options for the ART Server-Client Response Time bar graph. Set
the following options.
The Show Options let you specify how many server-client pairs you
would like the graph to display. You can also select whether the
graph should show the slowest xx number of server-client pairs or
the fastest xx number of server-client pairs.
The Sort By Options let you specify the criterion by which you
would like the server-client pairs displayed in the graph to be
sorted. You can only select Sort By options whose corresponding
option in the Display Options area of this tab are selected (for
example, you can't sort server-client pairs by Min Response Time
if the Min Response Time is not enabled as a display option in the
adjacent list).
The Display Options let you specify which statistics for the
server-client pairs you would like included in the bar graph.
These options are described below:
User’s Guide 101

Chapter 5
Show Options
102 Sniffer Portable Professional
Show Slowest/Fastest – Select whether you would like the
graph to show the slowest or the fastest Server-Client pairs. The
exact number of Server-Client pairs displayed depends on the
setting of the adjacent Server-Client Pairs option.
Server-Client Pairs – Specify the number of Server-Client pairs
you would like included in the graph.
Sort By Options
The Sort By options let you specify the criterion by which you would like
the server-client pairs displayed in the graph to be sorted. Server-Client
pairs are sorted in the graph from left (highest value of the selected
criterion) to right (lowest value of the selected criterion) along the
horizontal axis of the graph.
Table 5-10. Sort By Options for ART
Option Description
Max Response Time Enable this option if you would like server-client
pairs to be sorted according to the highest (that
is, the slowest) response time observed on each
listed pair.
RspTm of 90%
Response
Enable this option if you would like server-client
pairs to be sorted according to their 90%
Response values.
Each server-client pair has a 90% Response
value – this value means that 90% of all
responses observed for this client-server pair
were faster than the indicated response time.
This option can be useful when you want to
smooth out statistical oddities. For example, if a
given server-pair happened to have one or two
responses among many that were much slower
than the others, this option can remove the
strangely slow responses from statistical
consideration.

Table 5-10. Sort By Options for ART
Option Description
Average Response
Time
Display Options
Monitoring Your Network
Enable this option if you would like server-client
pairs to be sorted according to the average
response time observed for each listed pair. The
pair with the highest average response time is
listed at the left of the horizontal axis of the
graph and then descends to the right.
Min Response Time Enable this option if you would like server-client
pairs to be sorted according to the lowest (that
is, the fastest) response time observed on each
listed pair.
NOTE: You can only select Sort By options
whose corresponding option in the Display
Options area of this tab is selected (for
example, you can’t sort server-client pairs by
Min Response Time if the Min Response
Time is not enabled as a display option in the
adjacent list).
The Display Options let you specify which statistics for the
server-client pairs you would like included in the bar graph. For each
statistic you enable, the graph provides another row along the Z-axis of
the graph (that is, behind the other statistics) for the listed server-client
pairs.
User’s Guide 103

Chapter 5
ART Options – Servers Only Tab
104 Sniffer Portable Professional
Table 5-11. ART Display Options
Option Description
Max Response Time Enable this option if you would like a row along
the Z-axis included in the graph to show the
slowest response time observed on each listed
server-client pair.
RspTm of 90%
Response
Average Response
Time
The Servers Only tab lets you set the same options described in ART
Options – Server-Client Tab on page 101. The only difference is that the
options set in this tab apply to the Server Response Time bar graph
rather than the Server-Client Response Time bar graph.
ART Options – Display Protocols Tab
Enable this option if you would like a row along
the Z-axis included in the graph to show the
RspTm of 90% Response value observed on
each listed server-client pair.
Each server-client pair has a 90% Response
value – this value means that 90% of all
responses observed for this client-server pair
were faster than the indicated response time.
This option can be useful when you want to
smooth out statistical oddities. For example, if a
given server-pair happened to have one or two
responses among many that were much slower
than the others, this option can remove the
strangely slow responses from statistical
consideration.
Enable this option if you would like a row along
the Z-axis included in the graph to show the
average response time observed on each listed
server-client pair.
Min Response Time Enable this option if you would like a row along
the Z-axis included in the graph to show the
lowest (that is, the fastest) response time
observed on each listed server-client pair.
Show DNS Name Enable this option if you would like DNS names
for both sides of each listed server-client pair
displayed in a pane at the right of the graph.
The Display Protocols tab lets you specify for which protocols ART
should provide a display tab at the bottom of the ART window. For each
protocol enabled in this tab, the ART application will include a display tab
in the ART application window.

ART Alarms
Monitoring Your Network
Protocols are organized broadly according to whether they are TCP or
UDP oriented. Click the appropriate tab at the bottom of the Display
Protocol tab, enable each desired protocol, and then click OK. The ART
application window will automatically include display tabs for your
selected protocols.
In addition to measuring and reporting application response times, the
ART application also generates alarms for detected application response
times that are slower than the thresholds in the App Threshold tab of
the Options dialog box.
You set thresholds for alarms generated by the ART application in the
App Threshold tab of the Options dialog box. Specify the threshold
values in the Rsp Time column, then click OK. App Threshold
parameters are stored on the Agent, by adapter. This ensures all
Consoles connecting to the Agent will experience consistent settings.
Figure 5-8. Setting Thresholds for ART Alarms
The App Threshold tab includes a row for each protocol monitored by
the ART application. Protocols are organized according to whether they
are TCP-oriented or UDP-oriented – there is a tab for each.
For each protocol, there is a Rsp Time and a % Applied field:
User’s Guide 105

Chapter 5
106 Sniffer Portable Professional
The Rsp Time value specifies at what point a response using the
specified protocol is considered “slow.” For example, if Rsp Time
were set to 5000 milliseconds for HTTP, any response to an HTTP
request that took longer than 5000 milliseconds would be
considered “slow.” When the percentage of “slow” responses on a
given Server-Client connection exceeds the % Applied threshold
(see below), the Monitor generates an alarm on the connection.
The % Applied value specifies the maximum acceptable
percentage of responses exceeding the Rsp Time threshold on a
given connection using the specified protocol. When the percentage
of connections exceeding the Rsp Time threshold on a given
Server-Client connection exceeds the % Applied threshold, the
Monitor generates an alarm on the connection.
Generated alarms are written to the alarm log. Actions take place as a
result of generated alarms according to the options you have set on the
Alarms tab of the Options dialog box. See Managing Alarms on page
257 for details.
The following example shows the ART application window in the tabular
view along with descriptions of its toolbar items.

Tabular view
Server Only bar chart
Refresh display
Click to display application response times for
different protocols. The protocols available depend on
the options you have enabled in the Display Protocols
tab of the ART Options dialog box.
Reset display
Monitoring Your Network
Server-Client Response Time bar chart
Properties
Set refresh interval
Set display options for bar charts
Specify display protocols
Figure 5-9. The ART Display (Tabular View) and Toolbar
User’s Guide 107

Chapter 5
Adding Custom Protocols to the ART Display
108 Sniffer Portable Professional
You can add custom protocols to the ART display in the same way you
add protocols for all monitor applications. Use the following procedure.
To add custom protocols to the ART display:
1 Display the Options dialog box by selecting the Options command
from the Tools menu.
2 In the Options dialog box, click on the Protocols tab.
3 The Protocols tab lets you add new upper-layer protocols for
monitoring (or change the port numbers associated with existing
upper-layer protocols).
If the protocol you want to add runs over TCP, make sure the
TCP tab at the bottom of the Protocols tab is displayed (this
is the default).
If the protocol you want to add runs over UDP, click on the
UDP tab at the bottom of the Protocols tab.
NOTE: ART does not support monitoring over protocols
running over IPX in this release.
4 Scroll to the bottom of the tab and click in the Name cell. Type in
the name by which you would like this protocol to be known in
Sniffer displays.
5 Click in the adjoining Port cell and type in the port number on
which the Sniffer should look for this protocol.
6 Click OK. You will be informed that the application must be
restarted for your changes to take effect. Restart the application.
7 Display the ART window by selecting the Application Response
Time command from the Monitor menu.
8 Click on the Properties button to display the ART Options dialog
box.
9 Click on the Display Protocols tab in the ART Options dialog box.
10 Click on either the TCP or UDP tab at the bottom of the Display
Protocols tab, depending on which type of protocol you added in
Step 3.
11 Scroll down to display the entry for the protocol you added in the
previous steps. Click the box next to this protocol to include it in
ART displays.

Monitoring Your Network
12 Click OK on the ART Options dialog box. The ART application
informs you that it must close and reopen the ART window for your
changes to take place. Click Yes to close and reopen the window.
13 The ART window reopens with a new tab at the bottom for your
custom protocol.
User’s Guide 109

Chapter 5
History Samples
Click to start a
sample
Click to change how the
icons display in this
window
Click to create a new
sample to collect
multiple network events
Click to set the sampling
interval, threshold values,
graph type, and colors used
in the graph
110 Sniffer Portable Professional
You can use History Samples to collect a variety of network statistics
over a period of time to establish your network performance baseline.
Baseline statistics help you set alarm thresholds to notify you when
abnormal network behavior occurs. You can also use history samples to
determine long-term network traffic trends and to help plan for future
network expansion and reorganization.
You can launch as many as 10 history sample processes concurrently.
These can be 10 different samples or multiple instances of the same
sample so that both short-term and long-term trends can be recorded
simultaneously.
The network events available for history sample monitoring vary
according to the type of adapter you have selected in the Adapter dialog
box.
IMPORTANT: History Samples average data over the sample period.
Because of this, you may miss “spikes” in sampled data due to the
averaging. It’s always a good idea to use History Samples in conjunction
with other Sniffer Portable Professional views that will help you get an
accurate view of the traffic on your network.
The sample data can be displayed in a bar chart, a line chart, or an area
chart.
Figure 5-10 shows the History Samples window for an Ethernet adapter.
Figure 5-10. The History Samples Window

Specify the threshold
values here
Specify the sample
interval. Sniffer Portable
Professional maintains a
maximum of 3,600
samples. If you specify 15
seconds, you will get up to
3,600 15-second samples.
Click OK to save
the settings
Monitoring Your Network
Before launching a sample, set the sampling interval, the high and low
threshold values, the graph type, the colors used in the graph, and
whether to wrap the buffer when the maximum 3,600 samples have
been collected. First select the sample you want to use from the History
Samples window. Then click the button. The History properties
dialog box is shown in Figure 5-11.
Figure 5-11. Configuring History Sample Settings
Zooming the Display During Monitoring
Click to select the
colors used in the
graph
Select this option if
you want to wrap
the buffer when the
maximum 3,600
samples have been
collected.
Click to select the
graph type
Click to restore
factory settings
You can use the Zoom In\Zoom Out context menu options to narrow
or broaden the focus of a history sample while it is collecting data. These
options change the range of data points displayed, allowing you to focus
on a specific small time period, or, alternatively, see broad trends over
a comparatively long duration.
You use the Zoom In\Zoom Out feature by right-clicking anywhere in
a History Sample’s graphical display and selecting the desired option
from the context menu that appears. Figure 5-12 shows a Packets/s
History Sample with the context menu displayed.
NOTE: The Zoom In\Zoom Out feature has three levels of detail.
If you are already zoomed to the narrowest view, the Zoom In
command will be grayed out in the context menu. The reverse is
true of the Zoom Out command.
User’s Guide 111

Chapter 5
112 Sniffer Portable Professional
If the Wrap Buffer when full option is disabled, the history sample will
stop automatically when the maximum number of samples is collected.
Otherwise the history sample stops when you close the History window.
Sniffer Portable Professional lets you export the history data for
tabulation or charting. Refer to Exporting Monitor Data on page 120.
Figure 5-12 shows a Packets/s history sample in bar chart format and
describes the toolbar.
Bar chart view
Line chart view
Display as three-dimensional
or two-dimensional chart
Display/hide a border around
the bars/lines in the chart
Export history data to spreadsheet
Area chart view
Display chart as
logarithmic or linear
Show/hide the legend
Pause Screen Updates
Right-click a
History Sample to
display the Zoom
In/Zoom Out
context menu.
This menu lets
you narrow or
broaden the
focus of the
history sample.
Figure 5-12. History Samples (Packets/s Bar Chart) and Toolbar

Creating a Multiple History Sample
Statistics
selected for
inclusion in this
Multiple History
Sample are
listed here in
the order in
which they will
appear in the
display.
Monitoring Your Network
You can create your own “multi-view” History Samples tracking
combinations of the single statistics available for display in the other
History Samples. You set up Multiple History Samples in the Multiple
History dialog box. Display this dialog box by clicking Add Multiple
History in the History Samples window. Figure 5-13 shows the
Multiple History dialog box.
Figure 5-13. Multiple History Dialog Box
Use these buttons to
change the order of
the sampled statistics
in the display.
Use this button to
delete a selected
statistic.
Use this button to
open a dialog box in
which you can add a
new statistic.
As shown in Figure 5-13, the Multiple History dialog box has three tabs.
The General and Color tabs provide the same options described on
page 111. The Selection tab (Figure 5-13) lets you select which
statistics you would like to include in this Multiple History Sample, in
addition to the order in which they are displayed. In general, you will
want to place statistics with a high sampling rate at the bottom of the
list.
When you are finished setting up your Multiple History Sample, click OK
to add it to the History Samples window.
User’s Guide 113

Chapter 5
Protocol Distribution
114 Sniffer Portable Professional
You can use the Protocol Distribution application to report network usage
based on the network-, transport-, and application-layer protocols. For
example, you can monitor IPX/SPX, TCP/IP, NetBIOS, AppleTalk,
DECnet, SNA, Banyan, and many other protocols.
Protocol distribution monitors popular IP applications, such as NFS, FTP,
Telnet, SMTP, POP2, POP3, HTTP (WWW), Gopher, NNTP, SNMP,
X-Window, and others. It also monitors IPX transport-layer protocols
such as NCP, SAP, RIP, NetBIOS, Diagnostic, Serialization, NMPI, NLSP,
SNMP, and SPX.
You can view the protocol distribution in a table or as a bar or pie chart.
You can also view the number and percentage of packets or bytes for a
protocol.
Sniffer Portable Professional lets you export the protocol distribution
data for tabulation or charting. Refer to Exporting Monitor Data on page
120.
Figure 5-14 shows a Protocol Distribution bar chart for an Ethernet
adapter.

Click to display protocol distribution by MAC, IP, or IPX
Bar chart view
Display total number or
percentage of bytes seen
Table view
Refresh display
Export data to spreadsheet
(Table view only)
Monitoring Your Network
Pie chart view
Display total number or
percentage of packets
seen
Pause screen updates
Restart data collection
Export to HTML
(Table view only
Figure 5-14. Protocol Distribution (Bar Chart View) and Toolbar
User’s Guide 115

Chapter 5
Global Statistics
116 Sniffer Portable Professional
Global Statistics help you understand the overall activity levels in the
network and pinpoint large- and small-size packet traffic loads, each of
which can have a different effect on overall network performance and
availability.
Global statistics provides various tabs with statistical measures
pertinent to network traffic analysis:
The Size Distribution tab shows the frequency of each packet size
as a percentage of all monitored traffic.
The Utilization Distribution tab shows network bandwidth
consumption distributed among each 10% grouping – 1-10%, 11%
-20%, ..., 91%-100%.
The Topology Surfing tab (Wireless LAN adapters only) presents
a quick snapshot of network activity on all wireless network
topology/channel combinations selected for monitoring in Tools >
Wireless > Surf Settings. Each channel is listed in the display
with the same sets of statistics, enabling you to see at a glance
what is happening on each channel.
See The Global Statistics > Topology Surfing Tab on page 117 for
more information on this tab.
NOTE: See Configuring Surf Settings on page 54 for information
on selecting wireless channels for surfing.
You can view the Size Distribution and Utilization Distribution tabs in a
table or as a bar or pie chart. Figure 5-15 shows a sample packet size
distribution graph for an Ethernet adapter.

Click to display a
bar chart
Click to display
a pie chart
Currently selected to show
packet size distribution
Click to show utilization
distribution
Figure 5-15. Global Statistics (Bar Chart View)
The Global Statistics > Topology Surfing Tab
Monitoring Your Network
The Topology Surfing tab in the Global Statistics view (Wireless LAN
adapters only) presents a quick snapshot of network activity on all
wireless network topology/channel combinations selected for monitoring
in Tools > Wireless > Surf Setting. Up to 30 channels are listed in
the display with the same sets of statistics, enabling you to see at a
glance what is happening on each channel.
IMPORTANT: When you use the Topology Surfing tab, be sure to select
the wireless network topology/channel combinations that interest you in
the Tools > Wireless > Surfing dialog box. This dialog box specifies
the topology/channel combinations Sniffer Portable Professional will cycle
between for specified durations. Topology Surfing statistics will only be
available for the channels you select here. See Configuring Surf Settings
on page 54 for details.
User’s Guide 117

Chapter 5
118 Sniffer Portable Professional
Figure 5-16. Global Statistics > Topology Surfing Tab (Wireless
Network)
For each channel on the wireless network, the Topology Surfing tab
provides the statistics listed and described in Table 5-12.
Table 5-12. Counters in the Topology Surfing Tab (1 of 2)
Counter Description
Topology The wireless network topology for these
statistics. For example, A for 802.11A, B for
802.11b, and so on.
Ch. No. The wireless network channel for these
statistics.
Packets The number of packets seen on this channel.
Octets The number of bytes seen on this channel.
Errors The number of error packets seen on this
channel. Error packets include CRC errors,
undersize errors, oversize errors, WEP ICV
errors, and PLCP errors.
Data The number of data packets seen on this
channel. Data packets are used to transmit
data between stations.
Cntl The number of Control Packets seen on this
channel. Control packets are used to
regulate the transmission of data packets
after initial authentication has taken place.

Monitoring Your Network
Table 5-12. Counters in the Topology Surfing Tab (2 of 2)
Counter Description
Mgmt The number of Management Packets seen on
this channel. Management packets are used
to set up the initial communications between
stations and access points on the wireless
network.
Beacon The number of beacon packets seen on this
channel. Access points send beacon packets
at a regular interval to synchronize timing
between stations on the same network.
Signal The signal strength measured for this
channel, expressed as a percentage.
BSSID The Basic Service Set ID used for
communications on this channel.
Data Rate Counters These counters provide packet counts for
different speed ranges.
Additional Buttons in the Topology Surfing Tab’s Toolbar
In addition to the standard Bar Chart, Pie Chart, and Reset buttons
available in all Global Statistics tabs, the Topology Surfing tab includes
the additional buttons listed and described below:
Table 5-13. Extra Topology Surfing Tab Toolbar Buttons
Button Description
List View. The Topology Surfing tab shows a tabular view,
with one row for each channel on the wireless network.
Properties. Opens a properties dialog box in which you
can specify how information is displayed in the Topology
Surfing tab.
User’s Guide 119

Chapter 5
Monitor Alarms
120 Sniffer Portable Professional
Sniffer Portable Professional provides a comprehensive method of
detecting and logging unusual network events during monitoring.
The alarm manager logs an event in the Alarm log when a user-specified
threshold parameter is exceeded. By reviewing the events listed in the
Alarm log, you can identify network exception conditions that might
require immediate attention.
To view the Alarm log, select Alarm Log from the Monitor menu or click
in the Sniffer Portable Professional main toolbar.
IMPORTANT: Alarms are only logged in the local Alarm Log if their
Severity is checked in the Tools > Options > Alarm tab. By default, no
alarm Severities are checked.
For information about configuring alarms and setting options, see
Managing Alarms on page 257.
Exporting Monitor Data
You can export data from the following application displays for tabulation
or charting by clicking the button.
The Host Table and Matrix outline table view
The Protocol Distribution table view
You can save data in several formats:
Comma Separated Value format (.csv)
Tab-delimited text file (.txt)

Capturing Packets
Overview
About Capturing
This section describes Sniffer Portable Professional’s network capture
functions. The following topics are covered:
About Capturing on page 121
Capture Controls on page 122
Capture Panel on page 123
Capture Buffer on page 124
Capturing from Specific Stations (Visual Filters) on page 128
Capture Filters on page 129
Capture Triggers on page 129
6
Unlike the monitoring function, which stores statistical measurements
and calculations about your network traffic, the capture function collects
and stores the actual packets from your network in a capture buffer.
During capture, the Expert analyzes the packets and displays the results
in real time. To disable the real-time Expert analysis, select Expert
Options from the Tools menu and uncheck the Expert During
Capture box.
After a capture is stopped, you can use the Sniffer Portable Professional
display function to decode and display the packets in the capture buffer,
providing you with detailed information about network transactions
(packet display). The display function also displays Expert analysis
(Expert display). Both the packet display and the Expert display are
described in Displaying Captured Data on page 157.
Sniffer Portable Professional provides capture controls on the main
toolbar and in the Capture menu to control the capture process,
configure the capture buffer (which stores the captured packets), and
define capture filters. A capture panel is also provided so that you can
view the status of a capture session.
User’s Guide 121

Chapter 6
Capture Controls
122 Sniffer Portable Professional
NOTE: Before starting a capture, you should configure the Expert
options that determine how Expert data is processed and displayed.
Expert options are described in Setting Expert Options on page 134.
Capture controls are provided on the main toolbar and in the Capture
menu to control the capture process, configure the capture buffer (which
stores the captured packets), and define capture filters. A capture panel
is also provided so that you can view the status of a capture session.
Use the capture buttons on the main toolbar or the menu items in the
Capture menu to:
Start, stop, and pause a capture session
Display the results of a capture
Create a new filter to use for capture
Select a filter to use for capture
The following figure shows the capture buttons located in the main
toolbar. The table below explains each button.
Start capture
Pause capture
Stop capture
Stop and display
capture
Display a stopped
capture
Figure 6-1. The Capture Controls
Define a capture filter
Select a capture filter

Table 6-1. Main Toolbar Buttons and Functions
Button Tool Keyboard
Shortcut
Capture Panel
Use to...
Start F10 Start a capture session.
Pause n/a Pause a capture session.
Stop F10 Stop a capture session.
Stop and
Display
F9 Stop a capture session and display the
captured data in the Decode window.
Note: You can also use F5 to display a
stopped capture.
Capturing Packets
Filter n/a Create a new filter to use for capture.
Note: You can also use the drop-down list
to the right of the Filter button to select an
existing filter to use for capture.
Use the capture panel to view the status of the capture process. Two
tabs are provided at the bottom of the panel. The Gauge tab displays
the number of packets captured and indicates how full the capture buffer
is (as a percentage). The Detail tab shows detailed statistics about the
current capture session.
To open the capture panel:
1 Select Capture Panel from the Capture menu, or click in the
main toolbar.
The following figure provides a sample Capture Panel window.
The Packets gauge shows the number of packets captured.
The Buffer gauge shows how full the buffer is as a percentage.
Click the Detail tab to see detailed statistics about the capture
process. For example, the number of packets dropped, accepted,
and rejected, and the frame slice size are shown.
User’s Guide 123

Chapter 6
Capture Buffer
124 Sniffer Portable Professional
Captured packets are stored in a capture buffer. You can display and
analyze the packets currently in the capture buffer or save the packets
to disk. You can load and display previously saved capture files (trace
files). You can even spool captured packets to files in real time,
effectively increasing the size of your capture buffer. Use capture filters
to economize capture buffer space further.
Capture buffer options are tied to the Define Filter function.
To set capture buffer options:
1 Select Define Filter from the Capture menu, then click the Buffer
tab (see Figure 6-2).
2 The following options are available:
Buffer Size. Select a capture buffer size to accommodate the
amount of network traffic you wish to capture. Select a buffer
size from the drop-down list or type in your own value.
You can specify buffer sizes from 256 KB to 384 MB,
depending on how much memory your system has. You must
have at least 10MB more memory than the specified capture
buffer size. For example, to start a capture with the buffer
size specified as 64MB, you must have at least 74 MB of
memory in the system.
NOTE: If you do select a large buffer size, refrain from
running other programs concurrently with Sniffer Portable
Professional. There may be a delay while Sniffer Portable
Professional allocates memory.

Capturing Packets
When Buffer is Full. Select to automatically stop the capture
(Stop capture) when the buffer is full or overwrite older data
in the buffer (Wrap buffer). You can select these options only
if the Save to File option is disabled.
Packet Size. You can save the entire packet in the capture
buffer, or truncate each packet by setting the Packet Size
option when defining a capture filter. Move the slider to select
the size of the packet to be captured and saved in the buffer.
A data packet size greater than the specified size will be
truncated. You can select Whole packet, 64, 128, 256, 512,
1024, 4096, 8192, 16384, or 18432 bytes.
By truncating large packets, you can save more packets in
the capture buffer, thus extending the time covered by the
capture and reducing the size of the capture data file, saving
disk space (assuming you save the capture buffer to disk).
On a very busy network, truncating frames may also help
avoid losing frames, since longer frames take longer to store.
Save to File. You can set the Filename prefix and the
Number of files to be spooled. The maximum number of files
allowed is 99,999.
Each file is the same size as the defined capture buffer. For
example, if you select the 4 MB buffer size, each file created
will be 4 MB in size. (The last file size may be smaller than 4
MB.) Setting the buffer size to between 8 and 12 MB will
improve capture performance.
You may select the Unique names option to guarantee that
the file names created by packet capture are unique when
being stored in the same directory. This is a useful option
when you use packet capture spooling in conjunction with the
capture trigger repeat mode. Several packet capture
sequences can be saved without overwriting earlier
sequences.
By selecting the Wrap file names option, the capture will
continue to spool to disk files, overwriting the first file if the
last file is full. Otherwise, the capture will stop once it
reaches the end of the last file.
3 If you would like to start capture based on the specified filter
criteria, click Start Capture directly from the Define Filter dialog
box. This action saves the filter criteria and starts a capture based
on the active filter in the dialog box.
4 If you would like to save the filter criteria, click OK.
User’s Guide 125

Chapter 6
Tips:
126 Sniffer Portable Professional
When you change the buffer size, you may experience a delay as
Sniffer Portable Professional allocates the memory for the buffer,
especially if you specify a large buffer. Keep the buffer size less
than the size of the capture buffer plus 10MB.
Figure 6-2. Setting Capture Buffer Options
Setting Large Capture Buffer Sizes
This release supports capture buffer sizes from 256K up to a maximum
of 384 MB). You must have at least 10MB more memory than the
specified capture buffer size for capture to start. For example, to
start a capture with the buffer size specified as 64 MB, you must have
at least 74 MB of memory in the system.
NOTE: In addition to selecting the predefined buffer sizes from the
Buffer size drop-down list, you can also type in your own custom
value.

“Failed to start capture” Messages?
Capturing Packets
If you receive a Failed to start capture message when using large
capture buffer sizes (for example, greater than 288 MB), upgrade
Windows XP to Service Pack 3. Windows XP Service Pack 3 includes a fix
for Knowledge Base (KB) issue 894472 that resolves this issue.
Saving the Capture Buffer to a File
You can save the capture buffer contents to a file automatically when the
buffer is full by selecting Save to file on the Buffer tab. Specify the
filename prefix and the number of files to be spooled. For example, if
you specify 5 in the Number of files field and click Wrap file names,
the sixth file overwrites the first file. If you do not select Wrap file
names, capture will stop when the fifth file is full.
Opening Saved Trace Files
Sniffer Portable Professional can open trace files saved in the following
formats:
Ethernet Sniffer format. This includes *.cap and *.caz formats.
LibPcap format. This is an industry standard packet capture
format (*.pcap) used by common tools such as tcpdump. The
maximum trace file size for a LibPcap file is 320 MB.
Opening saved trace files lets you display and analyze data as if it was
captured live at that moment. Sniffer Portable Professional treats the
data loaded from a disk file in the same way as data captured live off the
network.
NOTE: Sniffer Portable Professional does not support WAN/ATM
trace files, either in legacy Sniffer formats or LibPcap format. Only
the trace file formats listed above are supported.
NOTE: Sniffer Portable Professional does not save trace files in
LibPcap format; it can only open these files.
User’s Guide 127

Chapter 6
Capturing from Specific Stations (Visual
Filters)
1. Select station (turns blue)
2. Click Capture
You can see the progress
of the capture on the
status line of the main
Sniffer Portable
Professional window, or
on the Capture Panel
128 Sniffer Portable Professional
To capture packets for a particular station, select the station from the
monitor’s host table display. To capture packets between two specific
stations, select one of the stations from the monitor’s matrix display.
Then, click . (To view the host table or matrix table, select Host
Table or Matrix from the Monitor menu, or use a toolbar button.)
Figure 6-3 shows an example of how to capture from a single station in
the host table. The following procedure provides the details:
To capture packets between two specific stations:
1 Display the Matrix (Monitor > Matrix) in the tabular view.
2 Select one of the conversations in the display.
3 Click the Quick Capture button in the Matrix’s toolbar.
In response, a capture starts with an automatic Quick Capture filter set
up to include just traffic between the two selected stations.
The following example illustrates capturing from a single station in the
host table. After the selected station turns blue, click the Capture
button from the vertical toolbar. The capture progress appears in the
main window, or on the Capture Panel.
Figure 6-3. Single-Station Capture from the Host Table

Capture Filters
Capture Triggers
Capturing Packets
You can define filters to capture only the particular packets you need, so
that you can focus on the data necessary for troubleshooting network
problems.
When you apply a filter to the capture process it is called a capture filter.
A capture filter allows only certain frames to be saved in the capture
buffer. For a description of how to define a filter, see Defining Filters and
Triggers on page 219.
The trigger feature allows you to start and stop captures based on date
and time, alarms, and specific network events. Use triggers to capture
data while Sniffer Portable Professional is unattended, such as on
off-hours or weekends, or to start captures when specific events occur,
such as alarm conditions.
For a description of how to define a capture trigger, see Defining
Triggers on page 242.
User’s Guide 129

Chapter 6
130 Sniffer Portable Professional

Real-Time Expert Display
Overview
7
This section introduces the Expert display, describes its major concepts,
and gives you a summary of how to use its functionality.
About the Expert Display on page 131
Setting Expert Options on page 134
Setting Automatic Expert Display Filters on page 151
Displaying Context-Sensitive Explain Messages on page 153
Rearranging the Expert Display on page 153
Exporting the Contents of the Expert Database on page 154
IMPORTANT: Both the Sniffer Portable Professional online help and the
Sniffer Decode and Expert Reference provide full details on working with
the Expert analyzer. This chapter provides a quick summary of the topic,
letting you get up and running quickly.
About the Expert Display
The Expert display shows the results of Expert analysis. Expert analysis
can occur during a capture session, showing the results in real time. It
can also occur after a capture session when the display function is
invoked.
During Expert analysis, a database of network objects is constructed
from the traffic seen. The Expert protocol interpreters learn all about the
network stations, routing nodes, subnetworks, and connections related
to the frames in the capture buffer. Using this information, potential
problems are detected and you are alerted to issues that may exist on
the network. These problems are categorized as being either symptoms
or diagnoses:
A symptom indicates that a threshold has been exceeded and may
indicate a problem on your network.
User’s Guide 131

Chapter 7
132 Sniffer Portable Professional
A diagnosis can be several symptoms analyzed together, high rates
of recurrence of specific symptoms, or single instances of particular
network events that cause the Expert to conclude that the network
has a real problem. A Diagnosis should be investigated
immediately.
The Expert analysis results (symptoms and diagnoses) are shown in five
viewing panes on the Expert display tab and on the real-time Expert
window that displays during capture. These panes function together so
that you can view and select information at all levels of detail. See Figure
7-1.
Each pane is described below:
The Expert Overview pane shows the network analysis layers
(similar in concept to the ISO layers) and the Expert overview
statistics (objects, symptoms, or diagnoses) for each layer. By
selecting a combination of layer and statistic type, you control the
display of Expert analysis data in the other Expert panes.
NOTE: You can configure the window to be wide or narrow by
clicking the arrows in the upper right-hand corner of the
Expert overview pane.
The Expert Summary pane shows key summary information for the
layer and statistic selected in the Expert Overview pane. The
column headings for the Expert Summary display will change,
depending on what layer and statistic you have selected.
The Protocol Statistics pane displays the amount of traffic (in
frames and bytes) for each protocol encountered for the layer you
selected in the Expert Overview pane. This pane is not displayed
when the Expert Overview pane is narrow.
The Detail tree pane shows a hierarchical listing of all layers at or
below those selected in the Expert Overview and Expert Summary
panes. You can expand or collapse each layer in a manner similar
to Windows Explorer. Click any item in the Detail Tree to display its
Expert detail data.
The Expert Detail pane is a collection of information tables for the
data selected by the other panes. The content of the Expert Detail
pane will vary, depending on what items are selected in the various
other panes.

Expert Overview
Protocol Statistics
Detail tree
Expert Summary
Figure 7-1. The Expert Window Panes
Real-Time Expert Display
Expert Details
User’s Guide 133

Chapter 7
Setting Expert Options
134 Sniffer Portable Professional
For effective network analysis, and depending on your network’s
protocol environment, you should configure Expert options before you
start capturing data. The Expert options are described in the following
sections.
See also:
Expert Layers and Objects on page 134
Expert Threshold Settings on page 137
Expert Protocol Settings on page 137
Expert Subnet Mask Settings on page 138
Expert RIP Settings on page 138
Expert 802.11 Options on page 140
Expert Mobile Options on page 149
Expert Oracle Options on page 150
Expert IP Options on page 151
Expert Layers and Objects
During capture, the Expert constructs a database of network objects
from the traffic it sees and categorizes network problems according to
the Expert layer at which they occur.
NOTE: The Expert’s network layering structure is similar to the OSI
model. However, the two schemes do not always map on a
one-to-one basis.
To configure network object and Expert layer options, select Expert
Options from the Tools menu. The Expert Properties dialog box opens
displaying the Objects tab.
The Expert has configuration options that enable you to:
Exclude certain layers from Expert processing. In addition to
using capture filters, which let you select the particular traffic you
need for network analysis, you can exclude certain Expert layers
from processing. Double-click a layer in the Analyze column of the
Objects tab and select No to exclude the layer from Expert
processing

Real-Time Expert Display
Disabling analysis on the lower layer will disable analysis on all
upper layers.This enables you to focus on specific network
problems precisely.
Specify the maximum number of objects that can be created
in the database for each Expert layer. To reduce the amount of
memory needed to create network objects, you can specify the
maximum number of objects that the Expert can create for each
Expert layer. Double-click in the Max Objects column of the
Objects tab to specify the maximum number of objects that can be
created in the database for each Expert layer.
NOTE: To help with configuration, the Expert shows the
estimated amount of memory needed for the number of
objects selected for each layer in the Est. Memory column of
the Objects tab.
Specify whether to recycle Expert objects (the default) or
stop creating new objects when there is no more room in the
database. The Expert builds a database of network objects from
the information in the packets accumulated in the capture buffer.
Because some networks can be immensely complex in their
structure, at some point the Expert will have no more memory for
new network objects. If you recycle objects, the Expert continues
to add new objects to the database, overwriting the least
interesting objects when it runs out of memory (objects with no
associated errors are considered “least interesting”). If you do not
recycle objects, the Expert stops creating new objects when it runs
out of memory, and instead, continues to interpret traffic in
accordance with the information it has already stored in its
database.
Enable/disable real-time Expert analysis during capture. By
default, when you start a capture, the Expert analyzes the packets
coming into the buffer and displays the results in real time in the
Expert window. You can observe the network objects, symptoms,
and diagnoses that the Expert analyzer creates while the capture
progresses. You can disable real-time Expert analysis if you prefer.
Specify the maximum number of alarms that can be created
in the Expert database. When the maximum number is reached,
the Expert will either recycle the oldest and lowest priority alarms
(if the Recycle Alarms option is selected) or stop creating new
alarms.
This Recycle Alarms option specifies what the Expert does when
it runs out of memory:
User’s Guide 135

Chapter 7
136 Sniffer Portable Professional
Continues to create new objects by overwriting older objects
in the database (checked)
Stops creating new objects and continues interpreting traffic
according to information already in the database (unchecked)
Specify how often Expert displays are updated with new
data. Configure the Data Update Rate and the Resorting Rate as
desired in within the Objects tab of the Expert UI Object Properties
dialog box. The Resorting Rate specifies the delay between
resorting the Expert’s database of objects and refreshing the
Expert’s summary display.
Notes on Expert Tuning
The Expert Analyzer defaults to a maximum number of objects per layer
of 1000 for most layers. Adjacent to this column is the Est Memory
column, reflecting the estimated amount of memory required to support
the relevant number of objects at each layer. For networks where you
will see many conversations and hosts you will want to do one or both
of the following:
Increase the maximum number of objects at the relevant layer(s)
Disable Recycle Expert Objects
If Recycle Expert Objects is enabled, Expert will attempt to reuse
object memory for a given layer when the maximum count of objects at
that layer is reached. On higher speed networks, it is advised that
recycling is disabled as it can become an issue. If you disable recycling
and hit the maximum counts, any newly detected conversations or hosts
will be ignored. In this situation, it is advised to increase the maximum
number of objects and disable Recycle Expert Objects.
For example, if you run Expert and discover that you are hitting the
maximum count at the IP layer, then increase the maximum number of
objects to 5000. You will also have to increase Layers 4 and perhaps
Layers 6 and 7 because those layers are likely to hit their respective
maximum counts as well. This may take several iterations before you
come up with the best combination of maximum object counts. Each
layer can support up to 99999 maximum objects.
If you increase the maximum object counts then the Expert calculates
expected memory needs. If such expected memory needs exceed the
amount of memory available you will get an error message. At which
point you will have to trim your maximum object counts accordingly. You
can also reduce the maximum object count at those layers that will not
have large object counts so as to conserve available memory. A good
candidate in most cases would be the DLC\MAC layer (Layer 2).

Expert Threshold Settings
Real-Time Expert Display
Expert thresholds determine whether the Expert generates a symptom
or a diagnosis (also called an alarm) based on a given network event.
To change Expert thresholds, select Expert Options from the Tools
menu and click the Alarms tab.
Expand and/or collapse the Expert layers using the tools in the left
column. Clicking “1” or “0” at the top of the column expands or collapses
all Expert layers. Click the “+” next to a layer to open an Expert layer
and display all symptoms and diagnoses (alarms). After expanding the
layer, expand again to display the settings for the alarm.
Options in the Alarms tab include:
Changing Threshold values. Double-click in the Threshold Value
cell and type the new threshold value.
Reset Threshold values. Click Reset to reset the selected value
to the factory default, or click Reset All to reset all settings for all
layers to the factory defaults.
IMPORTANT: The default thresholds have been carefully calculated to
ensure accurate and informative symptom and diagnosis detection.
Before changing any of the thresholds, make sure you understand your
network.
For information about alarm severity levels and the Alarm log, refer to
Managing Alarms on page 257.
Expert Protocol Settings
You can use the options in the Tools > Expert Options > Protocols
tab to specify which protocols you would like the Expert to analyze.
Limiting Expert analysis to a selected set of protocols will help improve
the Expert’s performance.
The Protocols tab arranges protocols by the Expert layer at which they
are analyzed. You can cascade each layer open by clicking the + sign
next to its entry in the dialog box. Then, click in the Analyze column to
specify either Yes, you would like Expert analysis for this protocol, or
No, you would not like Expert analysis for this protocol.
Click Enable All or Disable All to enable or disable Expert analysis for
all protocols.
User’s Guide 137

Chapter 7
Expert Subnet Mask Settings
138 Sniffer Portable Professional
TCP/IP subnet masks traditionally reserve specific bits within an IP
network address for the subnet mask depending on the class of address.
The Expert comes with default subnet mask settings for each class of IP
address.
Certain networks may use non-traditional subnet masks. If the Expert is
attached to a network segment that uses nontraditional subnet masks,
it may register spurious network objects and diagnoses. This happens
because the Expert expects address information at a location within the
address field other than where it actually is.
If your networks use nontraditional subnet masks, you must add the IP
network address and appropriate subnet mask for the networks from
which the Expert will see frames.
Select Expert Options from the Tools menu, then click the Subnet
Masks tab. Click Add to create a new entry and add the IP address and
appropriate subnet mask for the networks from which the Expert sees
frames. Type your IP address in the IP Net Address column in the
format n.n.n.n where each n is less than 256. Type the subnet mask
associated with the IP address in the Subnet Mask column, then click
Apply.
Click Delete to delete the selected IP address/subnet mask from the
table.
Expert RIP Settings
The Expert performs RIP (Routing Information Protocol) analysis during
capture and builds a routing table by parsing RIP and other routing
protocols in captured frames. RIP analysis is shown in the “Route” layer
in the Expert window and enables you to detect common routing
problems.
You can disable RIP analysis, or specify the level of analysis you want to
perform (traffic counts and misdirected frames, or traffic counts only).
The Expert tracks the routers it discovers over the network and any
default routers that you configure. When you configure a default router,
the Expert constructs a default static route to that gateway. The
destination IP address for this route is [0.0.0.0]. (You can enter either
the MAC address or the IP address of the default router.) This feature
allows the RIP Expert to be aware of routers that provide routes that
they are not advertising.

Real-Time Expert Display
Some hosts may be configured to route traffic to default gateways, but
a route from such a host to a default gateway might never be advertised.
Unless you configure static default routes, the RIP Expert will incorrectly
diagnose frames sent from a host to a default gateway as misdirected.
If a default route you have configured is also advertised, the other route
is ignored, since the one you configured is permanently in the table.
To configure or disable RIP analysis:
1 Select Expert Options from the Tools menu.
2 Click the RIP Options tab.
3 Select the level of RIP analysis you want to perform from the
drop-down list:
No traffic analysis (RIP disabled) disables the RIP Expert.
Full traffic analysis (counts and analysis) produces traffic
counts and detects misdirected frames.
Traffic counts only produces only traffic counts.
4 Expert discovers the routers on the network during capture and
displays them in the router table of the RIP Options tab. You can
add or remove routers from the table using the Add Router and
Delete buttons to the right of the Routers table.
5 The Subnet table displays the subnets that Expert detects on your
network automatically during capture and the subnets you add
manually. The Source column indicates if the subnet is detected
by the Expert (Network) or added manually (User). Add or
remove subnets from the table using the Add Subnet and Delete
buttons to the right of the Subnet table.
IMPORTANT: The RIP Expert requires that the IP subnet
address and subnet mask be set properly in the Subnet Masks
Tab.
6 Select Auto Discover Subnets if you want Expert to discover the
subnets on your network automatically during capture.
7 Click OK.
NOTE: For RIP packets to be analyzed by the Expert, the
connection layer or the application layer must be set to Analyze in
the Objects tab of the Expert Properties dialog box. RIP sits above
UDP; the RIP interpreter must be called from the UDP interpreter.
UDP is considered to be a transport layer; for the transport layer
User’s Guide 139

Chapter 7
140 Sniffer Portable Professional
and above to be interpreted, at least the connection layer must be
selected.
Expert 802.11 Options
The options in the 802.11 Options tab let you specify how the Expert
identifies rogue entities on the wireless network, as follows:
If the Enable Rogue AP Lookup option (beneath the Known
Address Points in the Network table) is enabled during capture, the
Expert compares the MAC address (not the IP address) of each
detected access point to those in the Known Access Points in the
Network list. If the access point’s MAC address is not in the list,
the Expert labels the address as a “rogue” and generates the
Rogue Access Point alarm.
If the Enable Rogue Mobile Unit option is enabled during
capture, the Expert compares the MAC address (not the IP address)
of each detected mobile unit to those in the Known Mobile Units in
the Network list. the Expert flag mobile units whose MAC addresses
are not in the Known Mobile Units list as “rogues” and generates
the Rogue Mobile Unit alarm.
Additional Rogue Identification
In addition, Sniffer Portable Professional identifies rogues (access points
and workstations) as follows:
The word (Rogue) is included in parentheses following the
offending stations’ entries in Expert Summary and Detail displays.
This provides you with a handy means of identifying units on the
wireless network of which you were not aware, some of which may
be unauthorized intruders.
When Rogue Lookup is enabled, the Host Table includes a Status
column in tabular 802.11 displays listing the current
Rogue/Known/Neighbor identification of each listed entity. You
can check an entry’s selection box in the Host Table (in the #
column) and right-click to identify it as either Known or Neighbor,
or to remove it from the Known/Neighbor list entirely.

Adding Known Addresses to the List
Real-Time Expert Display
To use the rogue identification abilities of Sniffer Portable Professional
effectively, you must first add the MAC addresses of the known access
points and mobile units on your network to the Expert’s list of known
wireless unit addresses. There are several ways to do this:
Automatically from the real-time Host Table. See Adding Known
Addresses from the Host Table on page 141.
Automatically from the Expert tab of the postcapture display. See
Adding Known Addresses from the Postcapture Display on page
143.
Automatically from the Address Book. See Autodiscovering and
Adding Addresses from the Address Book on page 145.
Manually from the 802.11 Options tab of the Expert Properties
dialog box. See Adding Known Addresses Manually in the 802.11
Options Tab on page 145.
In addition, you can also import and export lists of known addresses (for
example, you can import addresses from other Sniffer Portable
Professional installations). The following sections describe how to use
each of these methods.
Adding Known Addresses from the Host Table
Use the following procedure to add the MAC addresses of known wireless
units (either access points or mobile units) automatically from the Host
Table during real-time monitoring.
To add known addresses automatically from the Host Table:
1 Open the Monitor > Host Table application.
The Host Table appears. During real-time monitoring, the Host
Table adds one-line entries for each detected wireless unit (access
points and mobile units) on the network.
2 If the 802.11 tab is not already displayed, click its entry at the
bottom of the Host Table. You can display either the full 802.11 tab,
or, alternatively, click the Access Point button to zoom in on
access points only.
User’s Guide 141

Chapter 7
142 Sniffer Portable Professional
3 Select which entries in the Host Table you would like to add to the
Expert’s list of known addresses. Select an entry by checking its
corresponding box in the # column at the left of the display. You
can select both access points and mobile units. Sniffer Portable
Professional will add each to the appropriate list in the Tools >
Expert Options > 802.11 Options tab and the Tools >
Wireless > Rogue dialog box.
Figure 7-2 shows the 802.11 tab of the Host Table with several
access points selected in the # column.
Figure 7-2. The Host Table > 802.11 Tab
4 Right-click any entry in the Host Table and select either the Add to
Wireless Units List as Known or Add to Wireless Units List as
Neighbor command from the context menu that appears.
The checked addresses are added to the Expert’s list. You can
verify that they have been added by displaying the Tools > Expert
Options > 802.11 Options tab or the Tools > Wireless >
Rogue dialog box. The Known...in the Network lists will include
the newly added addresses.

Real-Time Expert Display
Adding Known Addresses from the Postcapture Display
Use the following procedure to add the MAC addresses of known wireless
units (either access points or mobile units) automatically from the
Expert tab of the postcapture display.
To add known addresses automatically from the postcapture
display:
1 Display either a capture buffer or a saved trace file.
2 Click the Expert tab of the postcapture display.
NOTE: If the Expert tab is not available, make sure the
Expert tab option is enabled in the Display > Display Setup
> General tab.
3 Click Wireless Units List at the top of the Expert pane.
The Wireless Units Discovered in this trace dialog box appears
(Figure 7-3). This dialog box has two separate lists of wireless units
discovered in the capture buffer or trace file — one for access
points and one for mobile units.
NOTE: You can edit the IP Address field in either list. In
some cases, the Expert may be unable to determine a station’s
IP address. In these cases, you can manually enter an IP
address using this feature.
User’s Guide 143

Chapter 7
Discovered access points
are listed in the upper list;
discovered mobile units
are listed in the lower list.
IP Address fields are
editable — you can enter
a custom IP address.
Selected access points
and mobile units will be
added to the list of known
addresses by clicking this
button.
By default, all discovered addresses are selected for addition to the Known list (the box
at the right of each entry in the list is checked). You can select and deselect individual
entries for addition or click Select All and Deselect All for faster selection.
144 Sniffer Portable Professional
Figure 7-3. Adding Discovered Addresses Postcapture
4 Select the access points and mobile units you would like to add to
the list of known addresses by checking the checkbox at the right
of each desired entry. By default, all discovered addresses are
selected for addition. You can change selections in the following
ways:
By clicking Select All and Unselect All.
By clicking in the checkbox for individual entries to toggle
them between selected and unselected.
5 When you have finished selecting the addresses for addition, click
Update Known Wireless Units List at the bottom of the dialog
box.
Those selected addresses not already in the Expert’s list are added.
You can verify that they have been added by displaying the Tools
> Expert Options > 802.11 Options tab or the Tools >
Wireless > Rogue dialog box. The Known Access Points in the
Network and Known Mobile Units in the Network lists will
include the newly added addresses.

Real-Time Expert Display
Autodiscovering and Adding Addresses from the Address Book
The Address Book provides you with the ability to autodiscover access
points and mobile units on the wireless network. Then, you can add
discovered access points to the list of known addresses automatically.
To autodiscover access points and add them from the
Address Book:
1 Display the Address Book (Tools > Address Book).
2 Click Autodiscovery .
3 In the Autodiscovery Options dialog box, make sure the Discover
Mobile Units and Discover Access Points options are enabled.
4 Click OK.
Autodiscovery proceeds. Discovered addresses appear in the
Address Book.
5 Click Export AP in the Address Book’s toolbar to add the
addresses of all the access points in the Address Book to the list of
known access points.
Addresses not already in the Expert’s list are added. You can verify
that they have been added by displaying the Tools > Expert
Options > 802.11 Options tab or the Tools > Wireless >
Rogue dialog box. The Known Access Points in the Network
list will include the newly added addresses.
NOTE: Clicking Export AP only adds those addresses in the
Address Book with a Type value set to Access Point. Mobile units
are not added.
Adding Known Addresses Manually in the 802.11 Options Tab
Use the following procedure to add the MAC addresses of known wireless
units manually (either access points or mobile units) to the Expert’s list.
To add known addresses manually in the 802.11 Options tab:
1 Display one of the following dialog boxes/tabs:
Tools > Expert Options > 802.11 Options
Tools > Wireless > Rogue
2 Do you want to add the address of an access point or a mobile unit?
User’s Guide 145

Chapter 7
146 Sniffer Portable Professional
To add the address of an access point, click Add AP.
A new entry line becomes active in the Known Access
Points in the Network list with the active cursor in the MAC
Address column.
To add the address of a mobile unit, click Add MU.
A new entry line becomes active in the Known Mobile Units
in the Network list with the active cursor in the MAC
Address column.
3 Enter the MAC address of the access point or mobile unit in the
appropriate MAC Address column. You must enter the entire
address in hexadecimal format. The dialog box will not let you enter
an address that is not the proper length and format (twelve
characters, hexadecimal only). If you do not know the full
hexadecimal addresses of the access points in your network, see
Determining a Wireless Unit’s Full Hexadecimal Address on page
147.
4 Once you have entered a legal MAC address, you can also enter an
IP address in the IP Address column. For this release, IP
addresses are for your own reference only. The Expert only
compares MAC addresses when flagging wireless units as
rogues!
5 Repeat Step 2 through Step 4 for each access point or mobile unit
you want to add to the Expert’s list. You can enter as many
addresses as you like.
6 Turn on the Enable Rogue AP Lookup option and/or Enable
Rogue Mobile Unit Lookup option by checking the appropriate
boxes.
7 Click OK in the Expert Properties dialog box.
Once you have enabled the Rogue AP Lookup and/or Enable Rogue
Mobile Unit Lookup option and clicked OK, during subsequent
captures (and openings of trace files), Sniffer Portable Professional will
compare the MAC addresses of detected access points and mobile units
to those in the corresponding lists. Wireless entities not found in the
appropriate list will be flagged as rogues in both the Host Table and
Expert Summary and Detail displays. In addition, either the Rogue
Access Point or Rogue Mobile Unit alarm will be generated for each
detected rogue. See Rogue Identification in Sniffer Portable Professional
Displays on page 62 for information on how Sniffer Portable Professional
identifies rogues in its various displays.

Real-Time Expert Display
Determining a Wireless Unit’s Full Hexadecimal Address
If you do not know the full hexadecimal address of a wireless unit (either
an access point or a mobile unit) in your network, you should first check
the unit. Often, the address is written on the equipment itself.
If this does not work, you can use the Host Table or Expert displays to
discover the address. However, because most displays substitute textual
manufacturer IDs for the first three bytes of a hexadecimal MAC address
(that is, a hexadecimal address of 0020d8014060 would usually be
identified in displays as Netwav014060), you need to know where to
look in Sniffer Portable Professional displays to find the entire address in
hexadecimal.
To determine a wireless unit’s full hexadecimal address:
1 Start capturing from the network containing the unit whose
address you want to determine. Alternatively, you can open a trace
file captured from that network.
2 In the Expert display, examine the Station Function column in the
Summary pane at the Wireless layer. In this column, locate an
entry for either an Access Point or a Mobile Unit. Highlight this
entry.
The Detail pane automatically updates to show statistics for the
entry selected in the Summary pane.
3 In the Detail pane, scroll down to the Wireless Address field. This
field shows the entire hexadecimal address of the selected unit. A
textual manufacturer’s ID is not substituted for the first portion of
the address.
4 Repeat this procedure for each access point on the network whose
full hexadecimal address you want to determine.
Importing and Exporting Known Addresses
Sniffer Portable Professional also provides export and import capabilities
for the known address lists in the Tools > Expert Options > 802.11
Options tab.
You can export the contents of either the Known Access Points or the
Known Mobile Units list using the corresponding Export button in the
802.11 Options tab. Exported files are saved in comma-separated
values (CSV) format. The exported file consists of a heading row with
the IP Address and MAC Address column headings followed by
multiple data rows in the format IP Address,MAC Address. For example,
a small exported CSV file might appear:
IP Address,MAC Address
User’s Guide 147

Chapter 7
148 Sniffer Portable Professional
192.168.1.40,08002000E25B
192.168.1.14,0800000036D9
192.168.1.25,080020061107
NOTE: MAC addresses are always presented in the CSV file in
hexadecimal format.
Similarly, you can also import CSV files into the Known Access Points
or the Known Mobile Units list using the corresponding Import button
in the 802.11 Options tab. You can import either CSV files created by
exporting the lists from other Sniffer Portable Professional installations,
or CSV files you create yourself following the model above (that is,
multiple rows in the IP Address,MAC Address format).
NOTE: You can use the Import and Export buttons together to
share known address lists among multiple Sniffer Portable
Professional installations.

Expert Mobile Options
Real-Time Expert Display
Set the options in the Mobile Options tab to specify how the Expert
should analyze Mobile IP data:
Enable IP Home Agent
Tunnel Analysis
Enable GRE Home Agent
Tunnel Analysis
Report Mobile Reg Error
136
Enable GTP 99 IP Tunnel
Analysis
Mobile IP Registration List
Flush Count
Max Radius Users per
Object
Specifies whether IP Home Agent Tunnel
Analysis is enabled. Disabling this option
improves Expert performance.
Specifies whether GRE Home Agent Tunnel
Analysis is enabled. Disabling this option
improves Expert performance.
Specifies whether a Mobile Registration
Reply with a Code value of 136
(Registration Denied by the Home
Agent - Unknown Home Agent Address)
should be considered when generating
Registration Failure Expert alarms. If this
option is disabled, Registration Failure
alarms will not be generated when
registration fails with error code 136.
Specifies whether GTP 99 Tunnel Analysis is
enabled. When enabled, protocols inside a
GTP 99 tunnel will be analyzed by the
Expert. Disabling this option improves
Expert performance.
Specifies how often the list of Mobile IP
Registration requests should be checked for
registration timeouts and flushed of expired
Registration Requests.
NOTE: If you set this field to 0, the Expert
treats the field as if were set to 1. Only nonzero
values are supported.
Specifies the maximum number of user data
elements to be tracked with each Radius
object.
User’s Guide 149

Chapter 7
Expert Oracle Options
150 Sniffer Portable Professional
Radius Request List Flush
Count
GTP 99 Create PDP
Context Request Flush
Count
Use the Oracle Options tab to specify the Oracle Error Type numbers
(Oracle Error Codes) for which you would like the Expert to generate
alarms. Whenever the Expert sees one of the error codes listed here, it
will generate the Oracle: ORA Error Type Noticed alarm at the Service
layer.
Use this tab as follows:
Specifies how often the list of Radius
requests for a particular Radius object
should be checked for timeouts and flushed
of expired entries.
NOTE: If you set this field to 0, the Expert
treats the field as if were set to 1. Only nonzero
values are supported.
NOTE: For most situations, setting this field
higher than its default of 1 is not
recommended. Setting the value higher than
1 decreases the likelihood of seeing any
Timed Out alarms for Radius Access and
Accounting requests.
Specifies how often the list of GTP 99 PDP
Context Requests for a particular GTP 99
object should be checked for timeouts and
flushed of expired requests. When the
Expert checks this list and sees at least one
response that exceeds the PDP Context
Request Timeout threshold or no response
at all, it generates the GTP 99 PDP
Context Request Timed Out alarm.
NOTE: If you set this field to 0, the Expert
treats the field as if were set to 1. Only nonzero
values are supported.
Click Add to create a new entry in the grid. Then, type in the
numerical error code to be monitored.
Click Delete to delete the selected error code from the table.
You can modify any entry in the grid by selecting it and revising as
necessary.

Expert IP Options
Real-Time Expert Display
Use the IP Options tab to exclude specified IP addresses from
consideration for the Expert’s Duplicate Network Address alarm. The
Expert will not generate Duplicate Network Address alarms for the IP
addresses listed in this tab.
Use this tab as follows:
Click Add and supply an address to add a new IP address to the list
of exclusions.
Select an entry and click Delete to remove the selected IP Address
from the list.
Modify entries by selecting them and editing as necessary.
Setting Automatic Expert Display Filters
You can use Expert display filters to automatically display all traffic in the
capture buffer related to a specific:
Network object
Symptom or diagnosis
You apply an Expert display filter by selecting a network object,
symptom, or diagnosis in the summary pane of the Expert window and
clicking the Define Filter button in the upper left corner of the Expert
window. In response, the Expert adds a new tab to the display window
(titled Filtered xx, where xx is the sequential number of the filter you
applied) containing just those frames associated with the selected
network object, symptom, or diagnosis.
The frames may be displayed with skipped frame numbers on the
Filtered tab, because the network object filter does not change the
frame numbers of frames it selects for display. Thus, you may see frame
30 followed by frame 35 because the network object filter excluded
frames 31-34. If you save the filtered frames as a new file (using the
Save As) command, the Sniffer Portable Professional will renumber the
filtered frames with sequential numbers.
IMPORTANT: Expert filters support a maximum of 10 objects. Make
sure you have selected no more than 10 objects before using this
feature.
User’s Guide 151

Chapter 7
Limitations of the Expert Filter
152 Sniffer Portable Professional
The Expert filter has the following limitations:
Some symptoms and diagnoses, such as Broadcast storm, have
no associated network object on which the analyzer can filter. In
those cases, the Define Filter button will not appear at the upper
left of the display, indicating that an Expert filter cannot be set.
Expert filters are not supported on objects at the Multicast layer.
Expert filters support a maximum of 10 objects. Make sure you
have selected no more than 10 objects before using this feature.
Occasionally you will see the message:
No frames are eligible for display
This message appears when one or more of the following conditions
exist:
The highlighted object has not sent or received a frame
The highlighted object has been filtered out by a standard
Display filter
Other Notes About Expert Filters
The Expert analyzer uses several algorithms to decide which frames are
associated with a network object. Sometimes, these algorithms may
eliminate frames you consider relevant.
Certain maintenance frames may not be shown. For example, if
you set an Expert filter on a Novell Netware connection-layer
connection, the Expert analyzer would show all those related
frames with NCP layers, but would not show certain connection
maintenance frames it considers irrelevant.
When you set a filter on a connection object, the frame that
initiates the connection is not shown. This is because Expert does
not create a connection object until the connection is completed.
When you filter on an application object, TCP continuation frames
are not shown.

Displaying Context-Sensitive Explain
Messages
Real-Time Expert Display
The Expert provides an explanation of the information in each pane of
the Expert window. Click inside the pane on which you need information
and press F1.
The Expert also provides concise explanations for each symptom and
diagnosis generated. To display a detailed explanation of a symptom or
diagnosis, click the question mark (?) to the right of the
symptom/diagnosis description in the Expert Detail pane. You may have
to scroll to the right of the pane to see the ?.
Rearranging the Expert Display
You can change the Expert display to better suit your viewing needs. You
can display:
All five viewing panes at the same time (shown in Figure 7-1).
The Expert Overview and Expert Summary panes (with or without
the Protocol Statistics pane). This is the default view.
The Detail tree and Expert Detail panes.
Figure 7-4 shows the default Expert display and demonstrates how to
rearrange the different panes.
User’s Guide 153

Chapter 7
Click to show the packet
display (only available
when capture is stopped)
Click here to expand the Expert Overview pane
and display the Protocol Statistics pane
underneath
154 Sniffer Portable Professional
Drag the bar up to the middle of the
display to see all five panes at the
same time (as in Figure 7-1)
Figure 7-4. Rearranging the Expert Window Panes
Exporting the Contents of the Expert
Database
Click the Summary
tab to display the
Expert Overview
and Summary
panes (as shown)
Click the Objects
tab to display the
Detail tree and
Expert Detail
panes
You can export the contents of the Expert analyzer’s database of
network objects, symptoms, and diagnoses to a file saved in
comma-separated values (CSV) or HTML format. The CSV file format can
easily be imported into most spreadsheet programs.
Export the contents of the Expert analyzer’s database by clicking Export
to CSV or Export to HTML in the Expert window. For exporting
to CSV file format, use the dialog box shown in Figure 7-5 to specify
which portions of the database you would like to export.

Specify the path and
filename for the
exported contents of
the Expert database.
Select the portions of the
Expert’s database you
would like to export to the
CSV file. Each checkbox
corresponds to a pane in
the Expert window.
Real-Time Expert Display
Figure 7-5. Exporting the Contents of the Expert Analyzer’s Database to
CSV Format
User’s Guide 155

Chapter 7
156 Sniffer Portable Professional

Displaying Captured Data
Overview
8
This chapter describes the postcapture display window. Once you have
captured a buffer or trace file of network data, you can use the
postcapture display window to analyze the data in a variety of formats,
including the Expert tab, classic line-by-line decode tab, and a variety of
other formats.
The section includes the following major topics:
Displaying Captured Packets on page 158
Postcapture Views for Wireless Networks on page 160
Postcapture Expert Display on page 161
Postcapture Decode Display on page 162
Setting Display Filters on page 167
Setting Display Setup Options on page 177
Searching for Frames in the Decode Display on page 186
Postcapture 802.11 Decryption on page 199
Postcapture Matrix Tab on page 202
Postcapture Host Table Tab on page 206
More about the Matrix Traffic Map on page 204
Postcapture Protocol Distribution Tab on page 208
Postcapture Statistics Tab on page 210
User’s Guide 157

Chapter 8
Displaying Captured Packets
158 Sniffer Portable Professional
Use the Display feature to decode and view the packets stored in the
capture buffer or in a capture file. The postcapture Display window
provides a variety of tabs ranging from proprietary Expert analysis to
classic tri-pane, line-by-line protocol decodes.
To display the contents of the capture buffer:
1 In the Sniffer window, click Stop and Display in the main
toolbar during a capture session, or click Display after a
capture session.
To open a capture file:
1 In the Sniffer window, select Open from the File menu.
Regardless of whether you are displaying data from the capture buffer
or a trace file, the postcapture display window appears (Figure 8-1).
Postcapture display tabs. The Decode
tab always appears. The other tabs
appear by default, but can be disabled.
Figure 8-1. The Postcapture Display Window (Expert Tab Shown)

Table 8-1. Postcapture Display Tabs
Tab Description
Displaying Captured Data
Each of the tabs in the postcapture window provides different views of
the data in the buffer or trace file, as summarized in the table below.
Expert Displays the results of proprietary Expert analysis, showing network objects,
symptoms, and diagnoses by network layer. Provides the same functionality as the
real-time Expert, except for data/objects already in the capture buffer or trace file.
See Postcapture Expert Display on page 161
Decode Provides classic, line-by-line protocol decodes in a tri-pane window. Sophisticated
automatic filtering features let you select a packet in the Summary pane and
automatically filter on different components of the packet (source/destination
addresses, ports, and so on).
See Postcapture Decode Display on page 162.
Matrix Provides the same functionality as the real-time Matrix, except for data already in the
buffer or trace file. Statistics are provided on conversations taking place on the
network.
See Postcapture Matrix Tab on page 202
Host Table Provides the same functionality as the real-time Host Table, except for data already in
the buffer or trace file. Statistics are broken out for each host detected on the network.
Different tabs let you focus on wireless hosts, IP hosts, MAC hosts, and so on.
See Postcapture Host Table Tab on page 206.
Protocol
Distribution
Provides the same functionality as the real-time Protocol Distribution view, except for
data already in the buffer or trace file. Statistics are broken out by protocol family. You
can focus on MAC, IP, or IPX layer protocols.
See Postcapture Protocol Distribution Tab on page 208.
Statistics Provides a variety of global statistics on the data in the buffer or trace file, including
capture start/stop times, average speeds, and packet counts for a variety of basic
categories.
See Postcapture Statistics Tab on page 210.
Filtered
Tabs
By default, display filters return the filtered frames in a new tab at the bottom of the
postcapture display window. If you prefer, you can enable the Select matching
option. When this option is enabled, frames matching the filter appear “marked” in the
leftmost column of the active Decode tab – their checkboxes are checked.
See Setting Display Filters on page 167 for more information on how to use display
filters in the Decode tab.
NOTE: The Matrix, Host table, Protocol Distribution, and Statistics
tabs appear at the bottom of the Display window only if the Post
analysis tabs box is checked on the General tab of the Display >
Display Setup dialog box. Similarly, the Expert tab only appears if
the Expert tab box is checked.
User’s Guide 159

Chapter 8
Postcapture Views for Wireless Networks
160 Sniffer Portable Professional
When working with data from a wireless network, Sniffer Portable
Professional adds a number of features to its postcapture display tabs.
In addition to the standard information provided in the postcapture tabs,
Sniffer Portable Professional adds special 802.11 information to the tabs
listed below, allowing you to concentrate on statistics specifically for
wireless stations:
The Matrix, Host Table, and Protocol Distribution post-analysis
tabs in the Display window each include 802.11 views, allowing
you to focus specifically on 802.11 statistics for wireless stations.
See Postcapture Matrix Tab on page 202, Postcapture Host Table
Tab on page 206, and Postcapture Protocol Distribution Tab on
page 208.
The Statistics post-analysis tab in the Display window includes
many wireless-specific statistics.
See Postcapture Statistics Tab on page 210.
The Decode display can completely decode 802.11 traffic. In
addition, Sniffer Portable Professional can perform
WEP/WPA/WPA2 decryption either during capture or after capture
if the correct decryption keys are specified.
See Postcapture Decode Display on page 162.

Postcapture Expert Display
Displaying Captured Data
The postcapture display’s Expert tab provides you with the same Expert
analysis features available in the Expert window during real-time
capture. It shows you the network objects, symptoms, and diagnoses
detected by the Expert based on the packets in the capture buffer or
trace file. Symptoms and Diagnoses are Expert indications of possible
network problems. You can navigate through the various panes of the
real-time Expert window to look at items of interest.
IMPORTANT: The real-time Expert window is described in Real-Time
Expert Display on page 131.
The Expert tab is organized in the same way as the real-time Expert
window described in Real-Time Expert Display on page 131. Expert
analysis results are shown in five viewing panes – Expert overview,
Expert summary, protocol statistics, detail tree, and Expert detail
(Figure 8-1 on page 158). These panes function together to provide
Expert analysis at different network layers, as follows:
The Expert Overview pane shows network analysis layers (similar
in concept to the ISO layers) and the Expert overview statistics
(objects, symptoms, or diagnoses) for each layer. By selecting a
combination of layer and statistic type, you control the display of
Expert analysis data in the other Expert panes.
Tip: You can configure the Expert Overview to be wide or narrow
by clicking on the arrow icon at the upper right-hand corner of the
pane.
The Expert Summary pane shows key summary information for
the layer and statistic selected in the Expert Overview pane. The
column headings for the Expert Summary display will change,
depending on what layer and statistic you have selected.
The Protocol Statistics pane displays the amount of traffic (in
frames and bytes) for each protocol encountered for the layer you
selected in the Expert Overview pane. (This pane is not displayed
when the Expert Overview pane is narrow.)
The Detail Tree pane shows a hierarchical listing of all layers at or
below those selected in the Expert Overview and Expert Summary
panes. You can expand or collapse each layer in a manner similar
to Windows Explorer. Click on any item in the Detail Tree to display
its Expert detail data.
User’s Guide 161

Chapter 8
162 Sniffer Portable Professional
The Expert Detail pane is a collection of information tables for the
data selected by the other panes. The content of the Expert Detail
pane will vary, depending on what items are selected in the various
other panes.
Postcapture Decode Display
The Decode tab provides classic, line-by-line protocol interpretation of
network data. When you display the contents of the capture buffer or a
capture file, Sniffer Portable Professional interprets and decodes the
higher-level protocols within the captured packets using its protocol
interpreters. The Decode tab shows the results of this protocol analysis.
It displays packets in three color-coded viewing panes: summary, detail,
and hex:
The summary pane shows an overview of the packets captured in
line-by-line summarized format.
The detail pane displays the detailed contents of the packet
currently selected in the summary pane. Each layer of the protocol
is interpreted and displayed.
You can display the detailed protocol layers in three different views
— fully expanded decode, one-line summary, or a mixture of the
two.
By default, Sniffer Portable Professional expands underlying
protocol layers in the detail pane. To save viewing space, click the
minus (-) sign in front of the protocol sublayer line. To expand the
protocol display again, click the plus (+) sign.
The hex pane shows the selected packet in hexadecimal and ASCII
(or EBCDIC) format.
When you select a packet on the summary pane, or a detailed
protocol field in the detail pane, the equivalent hexadecimal octets
in the packet are highlighted in the hex pane. This quickly shows
you the correspondence between the protocol field and its
equivalent bytes in the packet.
Figure 8-2 shows a sample Decode display.

Click the minus (-) sign to
reduce the protocol display
Click the plus (+) sign to
expand the display
The detail pane displays the detailed
contents of the packet currently
selected in the summary pane
The Decode tab toolbar
provides shortcuts to
handy functionality.
Figure 8-2. The Decode Tab
Navigating the Decode Tab
Displaying Captured Data
The summary pane shows an
overview of the packets captured
in line-by-line summarized format
The hex pane shows the selected
packet in hexadecimal and ASCII
(or EBCDIC) format
You navigate Decode tabs with a combination of keyboard, mouse, and
toolbar, moving between the different panes and zooming as necessary
to see exactly the lines you’re interested in.
Each pane can be resized by clicking and dragging the separator bar
between the panes. Each pane also contains scroll bars that let you use
the mouse to manipulate the viewing position in the pane. You can also
use the cursor control keys to provide a similar function for the pane that
has the focus.
To maximize efficiency in scanning packets for details, follow these
suggestions:
User’s Guide 163

Chapter 8
164 Sniffer Portable Professional
Adjust the Packet Display size, and the individual pane to maximize
the viewing area for your particular interests.
Select the starting packet of interest in the Summary pane by
clicking on it.
Click the Detail pane to gain focus. The cursor movement and PgUp
/ PgDn keys will now apply to the Detail pane.
Use the F7 key to move to the previous packet. Use the F8 to move
to the next packet.
If you want to move the viewing area in the Detail pane, use the
cursor and the Page Up / Page Down keys.
You can search for packets by selecting the Find Frame command
from either the Display menu or the context menu (accessed by
right-clicking on the Display window). See Searching for Frames in
the Decode Display on page 186 for details.
You can copy text from the Detail pane. You can copy either a
selected line in the pane (Copy Highlights in the right-click
context menu or the Ctrl-C keyboard shortcut) or all of the text in
the pane (Copy All in the right-click context menu
Use the keys shown in Table 8-2 to navigate the Decode display. You can
also use the corresponding commands in the Display menu.
Table 8-2. Keyboard Shortcuts for the Display Pane
Page Up View the previous page in the active
pane.
Page Down View the next page in the active pane.
Cursor Up View the previous line in the active pane.
Cursor Down View the next line in the active pane.
F2 - Next Selected Move the display to the next selected
packet in the summary pane.
Shift+F2 - Previous Selected Move the display to the previous
selected packet in the summary pane.
Ctrl+F2 - Select Toggle Toggle the packet between selected and
unselected state.
Alt+F3 - Find Frame Open the Find Frame dialog box to
specify what to search for in the Display
pane.
F3 - Find Next Frame Repeat the last search performed in Find
Frame dialog box.
F4 - Zoom Pane Zoom in/out of the selected Decode
pane.

Selecting Packets
Table 8-2. Keyboard Shortcuts for the Display Pane
Displaying Captured Data
F7 - Previous View the previous packet in the
summary pane.
F8 - Next View the next packet in the summary
pane.
You can select individual packets or a group of packets in the summary
pane. Selecting packets allows you to mark key packets that are of
interest to you, so that you can view and use them more easily. You can:
Save the selected packets to a file (Display > Save Selected).
Treat the selected packets as bookmarks, and use F2 to advance
from one selected packet to the next.
Using the Decode Tab Toolbar
The Decode tab provides a toolbar at the top of the window with
shortcuts to useful functionality (Figure 8-3). Each of the buttons in the
toolbar is described in the table that follows.
Figure 8-3. Decode Tab Toolbar
Table 8-3. Decode Tab Toolbar Buttons
Button Title Description
Two Station Format Toggles the two-station format on and
off. The two-station format splits the
display into left and right panes,
showing traffic between two stations.
See Display Setup > General Options on
page 179 for details.
Show/Hide All Layers Toggles the Show All Layers option on
and off. If enabled, the Summary pane
shows one line for each protocol level
contained in a frame. If disabled, only
one line (for the highest enabled
protocol level) is shown.
Display Setup Displays the Display Setup dialog box.
See Setting Display Setup Options on
page 177.
User’s Guide 165

Chapter 8
Table 8-3. Decode Tab Toolbar Buttons
Button Title Description
Automatic Filter Type
Selection
166 Sniffer Portable Professional
Use this dropdown to specify which
information in the currently selected
packet should be used to automatically
populate the Define Filter dialog box’s
fields when you click the Define Display
Filter or Add to Last Filter button.
You can populate based on
source/destination IP addresses, ports,
and MAC addresses.
See Using Automatic Display Filters on
page 168.
Define Display Filter Displays the Define Filter dialog box with
settings automatically populated based
on the currently selected packet and the
setting of the adjacent Filter Type
Selection dropdown.
See Using Automatic Display Filters on
page 168.
Add to Last Filter Takes the type of information specified
in the Filter Type Selection dropdown
from the currently selected packet and
adds it to the last filter used in the
Define Filter dialog.
See Combining Filter Components (“Add
to Last Filter”) on page 173 for details.
Quick Filter Automatically filters the display based
on the selected information in the
currently selected packet. For example,
if the Filter Type Selection dropdown is
set to Connection, clicking Quick Filter
will filter the display based on the
source/destination addresses and ports
(that is, the connection).
Use the Display > Display Setup >
Packet Selection tab to specify how
Quick Filters will be applied (for
example, whether matching packets are
returned in a new tab or shown selected
in the active tab, and so on).
See Using Quick Filters on page 172 for
details.

Setting Display Filters
Displaying Captured Data
A filter applied to the display of captured data is called a display filter.
Display filters let you select the packets you want to display in a Decode
tab. Display filters do not affect the contents of the capture buffer. They
just prevent some of the data from being displayed.
You can use display filters to view only:
Packets transmitted between network nodes (or address pairs)
Packets that belong to one or more protocol groups
Packets that match predefined data patterns
Error packets
Packets that belong to a certain size range
Packets that match various combinations of the above
specifications
IMPORTANT: Defining Filters and Triggers on page 219 provides the
details on working with Sniffer filters in general – monitor, capture, and
display. This section adds to that information with some additional topics
specifically for display filters.
Types of Display Filters
The Sniffer provides several types of display filters:
Manual Display Filters
You can set Display filters manually in the Define Filter - Display dialog
box. This dialog box is available by using the Display > Define Filter
command. Then, you have full access to the standard Define Filter tabs
described in Defining Filters and Triggers on page 219.
Automatic Display Filters
You can automatically populate the Define Filter - Display dialog box’s
tabs with filter settings based on selected portions of the currently
selected packet in the Decode tab. You do this by using the dropdown at
the top of the Decode tab to specify which portion of the selected packet
you want to use as a filter (for example, just the source IP address) and
clicking the Define Display Filter button.
See Using Automatic Display Filters on page 168.
User’s Guide 167

Chapter 8
168 Sniffer Portable Professional
Quick Display Filters
Quick Display Filters are similar to automatic display filters – they filter
the active Decode tab based on selected portions of the currently
selected packet in the Decode tab. The main difference is that they take
effect immediately without displaying the Define Filter dialog box first.
You set Quick Filters by using the dropdown at the top of the Decode tab
to specify which portion of the selected packet you want to use as a filter
(for example, just the source port) and clicking the Quick Filter button.
NOTE: You set global options for how Quick Filters are applied in
the Display > Display Setup > Packet Selection tab. These options
specify to which packets Quick Filters should be applied (all or
selected) and how results should be returned (by selecting/clearing
packets in the active tab or by showing a new filtered tab at the
base of the postcapture display window).
Automatic Expert Filters
You can also set automatic Expert filters that only display data
associated with a particular network object, symptom, or diagnosis. You
do this by displaying the Expert tab, selecting an object, symptom, or
diagnosis and clicking the Display Filter button.
See Setting Automatic Expert Display Filters on page 151.
Using Automatic Display Filters
You can automatically populate the Define Filter - Display dialog box’s
tabs with filter settings based on selected portions of the currently
selected packet in the Decode tab.
To set an automatic display filter:
1 In a Decode tab, select the packet to use as a filter source.
2 Use the Automatic Filter Type Selection dropdown in the
Decode toolbar to specify which portion of the packet you want to
use as a filter (Figure 8-4).

Figure 8-4. Selecting the Automatic Filter Type
You can select from the following options:
Table 8-4. Automatic Filter Type Selection Options
Connection
IP Source Address
IP Destination
Address
IP Addresses
Source Port
Destination Port
Ports
Source Application
Destination
Application
MAC Addresses
3 Click the Define Display Filter button .
Displaying Captured Data
Use both the source/destination IP
addresses and source/destination ports as a
filter.
Use only the source IP address as a filter.
Use only the destination IP address as a
filter.
Use both the source and destination IP
addresses as a filter (traffic flowing between
these two addresses only).
Use only the source port as a filter.
Use only the destination port as a filter.
Use both the source and destination port as
a filter.
Use both the source IP address and port as
a filter.
Use both the destination IP address and port
as a filter.
Use the source and destination MAC
addresses as a filter.
User’s Guide 169

Chapter 8
b
170 Sniffer Portable Professional
The Define Filter - Display dialog box appears populated based on
the specified portion of the selected frame (Figure 8-5). Notice that
the settings already populated in this dialog box correspond to
those shown in the selected packet in the Summary pane in Figure
8-4.
Figure 8-5. Define Filter - Display Dialog Box
Note the following important points about the Define Filter - Display
dialog box:
You can change which parts of the selected frame are used for
an automatic filter by clicking the dropdown at the top of the
Define Filter dialog box (a in Figure 8-5) and selecting a
different option.
You can reset all Define Filter fields by clicking Reset.
You can specify how the filter is applied and how results are
returned using the Select matching, Clear selected, and
Apply on selected set options (b in Figure 8-5). See Filtered
Tabs or Marked Frames? on page 171 for details.
4 When you have set the options in the Define Filter - Display dialog
box as desired, click Apply to filter the active tab with your filter
settings.
a

Filtered Tabs or Marked Frames?
Displaying Captured Data
When you apply a display filter, the Sniffer examines the packets in the
active tab, looking for matches. Then, it returns the matching packets,
either in a new tab at the bottom of the display window (b in Figure 8-6),
or by “selecting” all matching packets in the Summary pane (a in Figure
8-6).
“Selected” packets appear in the Summary pane with the boxes in the
leftmost column checked. Additionally, if you’ve enabled the Highlight
selected frames option in the Display Setup > Summary Display
tab, selected frames will appear highlighted in the Summary pane.
You specify how you would like matching packets returned in the Define
Filter dialog box’s Summary tab (Figure 8-5 on page 170):
If neither the Select matching nor Clear selected option is
enabled, a new filter tab will appear each time you apply a display
filter.
If the Select matching option is enabled, the Sniffer will mark
packets matching the filter in the currently active Decode tab.
If the Clear selected option is enabled, the Sniffer will deselect
packets matching the filter in the currently active Decode tab.
NOTE: Quick filters provide this same functionality. However, for
Quick filters, you set the Select matching option in the Display
Setup dialog box’s Packet Selection tab. See Display Setup > Packet
Selection Options on page 183 for details.
The “Apply on Selected Set” Option
You can also use the Apply on selected set option together with either
the Select matching or Clear selected options to apply a filter to only
a subset of the packets in the active Decode tab. When using the Apply
on selected set option, you may want to use the Display > Select
Range command to select a large set of packets quickly.
User’s Guide 171

Chapter 8
a
172 Sniffer Portable Professional
Figure 8-6. Selected Packets
Using Quick Filters
Quick Display Filters are similar to the automatic display filters described
in Using Automatic Display Filters on page 168 – they filter the active
Decode tab based on selected portions of the currently selected packet
in the Decode tab.
The main differences between Quick Filters and Automatic Display Filters
are as follows:
Quick Filters take effect immediately without displaying the Define
Filter dialog box.
The Select matching, Clear selected, and Apply on selected
set options all work the same way for Quick Filters as they do for
Automatic Display Filters, as described in Filtered Tabs or Marked
Frames? on page 171. However, instead of using the Define Filter
- Display dialog box to set these options, you set them globally for
Quick Filters in the Display > Display Setup > Packet Selection
tab (see Display Setup > Packet Selection Options on page 183).
To set a Quick Filter:
b
1 In a Decode tab, select the packet to use as a filter source.

Displaying Captured Data
2 Use the Automatic Filter Type Selection dropdown in the Decode
toolbar to specify which portion of the packet you want to use as a
filter (Figure 8-4).
Figure 8-7. Selecting the Automatic Filter Type
You can select from the same options available for Automatic
Display Filters, as described in Table 8-4 on page 169.
3 Click the Quick Filter button .
The Sniffer sifts through the packets in the active tab, looking for
matches. Then, it returns the matching packets, either in a new tab
at the bottom of the display window (b in Figure 8-6 on page 172),
or by “selecting” all matching packets in the Summary pane (a in
Figure 8-6 on page 172). You choose which action the Sniffer takes
by setting the options in the Display > Display Setup > Packet
Selection tab (see Display Setup > Packet Selection Options on
page 183).
Combining Filter Components (“Add to Last Filter”)
You can use the Add to Last Filter button to add a new filter
component from the currently selected packet to the last filter used in
the Define Filter dialog box.
For example, if the last filter you created was based on the Source Port
in the selected frame, you could add source and destination addresses
to the same filter by setting the Automatic Filter Type Selection
dropdown to IP Addresses and clicking the the Add to Last Filter
button.
To use the Add to Last Filter button:
1 In a Decode tab, select the packet to use as a filter source.
User’s Guide 173

Chapter 8
174 Sniffer Portable Professional
2 Use the Automatic Filter Type Selection dropdown in the Decode
toolbar to specify which portion of the packet you want to use as a
filter (Figure 8-8).
Figure 8-8. Selecting the Automatic Filter Type
You can select from the same options available for Automatic
Display Filters, as described in Table 8-4 on page 169.
3 Click the Add to Last Filter button .
The Sniffer displays the Define Filter dialog box with the specified
component of the selected frame added to the last used filter
definition. You can edit the settings in this dialog box, if necessary.
When you are satisfied with the filter definition, click Apply to filter
the active tab.
Selecting Filters / Combining Multiple Filters
You use the Display > Select Filter command to display a dialog box
in which you can select display filters to apply. The dialog box lists all
available filters, including:
Capture filters. You can reuse your capture filters as display
filters, if you like.
Display filters. All display filters you have created are listed by
name.
You can either use a single listed filter or check the Multiple Filter Mode
option and check the boxes for multiple filters.
To select a display filter:
1 Use the Display > Select Filter command.
The Select Filter dialog box appears (Figure 8-9).

Figure 8-9. The Select Filter Dialog Box
Displaying Captured Data
2 Do you want to use a single filter or combine multiple filters from
the list?
Multiple Filter Mode. If you want to combine multiple filters
from the list, enable the Multiple Filter Mode option. Then,
check the boxes corresponding to the filters you want to use.
Multiple filter mode allows you to select two or more display
filters to apply in the Sniffer window. Select options from the
list of available filters to create a single filter using
combinations of existing filters. If you select a parent
category, all the filters within the category are selected
automatically. When the parent category is unselected, all
the filters within the category are deselected.
NOTE: When the combination filter is applied, it acts as an
“OR” between the selected filters. Because of this, Multiple
Filter Mode may return unexpected results when using Exclude
filters (filters set to remove matching traffic). See Multiple
Filter Mode and Exclude Filters on page 176 for details.
Single Filter Mode. If you are using only a single filter, leave
Single Filter Mode enabled and check the box corresponding to
the filter you want to use.
User’s Guide 175

Chapter 8
176 Sniffer Portable Professional
Single filter mode functions as a regular, single filter. With
the Single Filter Mode option, you are limited to only one
filter selection in the Select Filter dialog box. Selecting one
filter automatically deselects the previously selected filter.
Selecting a “parent” filter is not a valid filter. You must
specify a single filter within the parent grouping.
3 Use the Select matching, Clear selected, and Apply on
selected set options to specify how the display filter will be applied
and its results returned. See Filtered Tabs or Marked Frames? on
page 171 and The “Apply on Selected Set” Option on page 171 for
more information.
4 Click OK to apply the selected filter(s) on the active Decode tab.
Multiple Filter Mode and Exclude Filters
When combining multiple filters in Multiple Filter Mode, Sniffer Portable
Professional joins the filter with a logical OR rather than an AND.
Because of this, joining multiple Exclude filters will always result in ALL
packets passing the filter and being returned. Consider the following
examples:
Combing Include Filters in Multiple Filter Mode
For example, suppose you set up the following filters:
Filter 1 includes all packets of type A
Filter 2 includes all packets of type B
Combining these filters in Multiple Filter Mode and applying them to a
trace file with packets of type A,B and C, will result in a filtered display
with just packets of Type A and B.
Combing Exclude Filters in Multiple Filter Mode
Now, let’s apply the same logic to Exclude filters:
Filter 1 excludes all packets of type A
Filter 2 excludes all packets of type B
Combining these filters in Multiple Filter Mode and applying them to a
trace file with packets of type A,B and C, will result in a filtered display
with packets of Type A, B, and C – all packets will pass the filter.
This happens because the Exclude filters are joined with an OR condition
between the filters. For a packet to be excluded from the filtered display,
both the conditions must return FALSE. If even one condition returns
TRUE, the packet gets included.

The Boolean logic for this is:
Not (Filter A or Filter B) = Not Filter A AND Not Filter B.
Displaying Captured Data
Saving Sets of Filtered Frames / Creating New Windows
You can save sets of filtered frames by selecting File > Save As with a
filtered tab selected. A new window is created with the set of filtered
frames in it, followed by the appearance of the Save As dialog box.
When you use the Save As command on a set of filtered frames, the
filtered frames in the new window are renumbered sequentially with new
sequence numbers - the original sequence numbers are not preserved.
You can also create new windows for filtered sets of frames by
right-clicking a filtered tab and selecting the Create New Window
command. A new postcapture window with just the filtered frames will
appear.
For a description of how to define a filter, see Defining Filters and
Triggers on page 219.
Setting Display Setup Options
You can customize the way data is displayed in the decode display. You
can:
Exclude certain subprotocols from the summary pane (this is a
more detailed control than a display filter).
Set the summary address field format (network or hardware).
Specify whether the two-station display format should be used.
Select optional fields to be shown in the summary display.
Color-code packets displayed in the summary pane based on their
protocol.
Select the font for the detail display.
To set the display options:
1 Select Display Setup from the Display menu. The Display Setup
dialog tabs are summarized in the following table.
User’s Guide 177

Chapter 8
178 Sniffer Portable Professional
Table 8-5. Display Setup Options
Display Setup Tab Settings for...
General Select which tabs show on the Display. You
can show/hide the Expert tab and the post
analysis tabs (Host Table, Matrix, Protocol
Distribution, and Statistics). The Decode
tab is always displayed. You can also set
options that affect how fast data is
decoded. See Display Setup > General
Options on page 179.
Summary Display Specify the symptoms and protocol detail
in the Decode Summary pane. See Display
Setup > Summary Display Options on
page 180.
Protocol Color Click here to change the colors used for
protocols in the summary pane.
Protocol Expand Click here to set each protocol’s display
mode in the Detail pane to fully expanded
or one-line summary.
Decode Font Click here to change font type, style, and
size for the text in the Decode display.
Packet Selection Click here to specify whether or not you
would like a new tab created when you are
filtering in the Decode > Summary pane
(Decode tab) or mark the selected packets
in the Decode > Summary pane. See
Display Setup > Packet Selection Options
on page 183.

Display Setup > General Options
Displaying Captured Data
The Display > Display Setup > General tab contains options that can
change the performance of Sniffer Portable Professional’s decodes when
working with large buffers or trace files.
In previous releases, when decoding a trace file or buffer, Sniffer
Portable Professional’s protocol interpreters would start by performing a
prescan of the entire trace or buffer. For large trace files and buffers, this
process could take a long time.
To address this issue, Sniffer Portable Professional provides the option
of a windowed approach. Using the windowed approach, Sniffer Portable
Professional starts by prescanning a user-specified portion of the trace
file or buffer. When moving from window to window within the buffer or
trace file, the previous prescanned information will be cleared from
memory so the new window can be scanned. This way, decoded
information is available more quickly.
You specify both whether to use the windowed approach and the size of
the window to be used in the Display > Display Setup > General tab.
Set the reassembly options as follows:
Reassemble entire trace file— Enable this option if you would
like to reassemble the entire trace file or buffer before displaying
decoded data. Disable this option if you would like to reassemble
the trace file in “chunks.”
Reassembly window size — Use this option to specify the size
(in terms of the number of frames) of the “chunk” to be
reassembled and displayed. As you move between chunks, one
chunk is cleared out and scan another is scanned.
The default and minimum value for the Reassembly window size
is 5000. This value is configurable, but it is recommended that you
edit this value only if it is absolutely necessary.
NOTE: When Frame Slicing is enabled on the Capture > Define
Filter > Buffer tab, windowed reassembly is not supported.
Enabling windowed reassembly and frame slicing can result in some
minor display problems.
User’s Guide 179

Chapter 8
Display Setup > Summary Display Options
180 Sniffer Portable Professional
The following table summarizes the options you can set in the Display
Setup > Summary Display tab.
Table 8-6. Summary Display Options
Show Expert symptoms If enabled, the Summary display shows
the last symptom found (if any) for each
frame.
Show all layers If enabled, the Summary pane shows one
line for each protocol level contained in a
frame. If disabled, only one line (for the
highest enabled protocol level) is shown.
Show network address If enabled, the Summary pane shows
addresses as network addresses. If
disabled, the Summary pane shows
addresses as hardware (DLC) addresses.
Display vendor ID on MAC
Address
Resolve name on Network
address
Use Address Book to resolve
name
If enabled, the Summary pane shows
vendor names for the first portion
(manufacturer’s ID) of MAC addresses
instead of numerical addresses.
If enabled, the Summary pane shows
names for network addresses instead of
numerical addresses.
If enabled, the Summary pane will
substitute names for addresses for any
stations that are named in the Address
Book.

Table 8-6. Summary Display Options
Displaying Captured Data
Two-station format If enabled, splits the display into left and
right panes, showing traffic between two
stations.
When you examine network activity, you
often want to focus on traffic between a
pair of stations. To do this, you can set up
display filters that define the two stations
and enable the Two-station format in
the Summary Display tab.
The two-station format shows transmission
from one station (the station that was
detected first) on the left side of the screen
and transmissions from the other station
on the right. The Source and Destination
columns from the single station display are
removed. Instead, there are two columns,
title From xxx and From yyy. A frame
from the station on the left is assumed to
be addressed to the station on the right,
and vice versa.
If you do not set filters limiting the display
of frames to two stations, Sniffer Portable
Professional will display frames from
additional stations in the usual format.
Since this is inconsistent with the
two-station format, it makes the feature
less useful.
Highlight selected frames If enabled, selected frames are highlighted
in the Summary pane.
User’s Guide 181

Chapter 8
182 Sniffer Portable Professional
Table 8-6. Summary Display Options
Optional Fields • Status. Flags associated with a
frame. See Packet Status Flags in the
Summary Pane on page 185 for a
description of the flags that can
appear in the Status column.
• Absolute time. When the frame was
received.
• Delta time. The interval between the
current frame and the previous frame.
• Relative time. The interval between
the current frame and the marked
frame.
• (Len) Bytes. The frame’s length.
• Cumulative bytes. The length of all
frames, starting with the marked
frame and including the current
frame.
Exclude protocols Checked protocols are excluded from the
Decode tab. Click All to exclude all
protocols or click None to include all
protocols.

Display Setup > Packet Selection Options
Displaying Captured Data
Use the options in the Display Setup > Packet Selection tab (Figure
8-10) to specify how Quick Filters are applied and how new tabs of
filtered frames are named (the Filtered Tab Name option).
Set the following options:
Table 8-7. Packet Selection Tab Options
Option Description
Select Packets When this option is enabled, quick filters either
select or clear matching packets in the active
Decode tab, depending on whether Select
Matching or Clear Selected is set.
When this option is not enabled, quick filters return
matching packets in a new tab of filtered packets.
Select Matching When this option is enabled, quick filters select
matching packets in the active Decode tab (check
the boxes in the leftmost column of the Summary
pane).
Clear Selected When this option is enabled, quick filters clear the
selection of matching packets in the active Decode
tab.
Apply on Selected
Set
When this option is enabled, quick filters are
applied only to the currently selected packets in
the active Decode tab.
Filtered Tab Name Use this option to specify how new tabs of filtered
frames are named. New tabs will be added using
the name you specify here along with a sequence
number.
User’s Guide 183

Chapter 8
184 Sniffer Portable Professional
Figure 8-10. Display Setup > Packet Selection Options

Packet Status Flags in the Summary Pane
Displaying Captured Data
For most network topologies, the Status column in the Summary pane
is empty if the packet is normal with no errors, symptoms, or diagnoses
associated with it. The exceptions to this rule are as follows:
For data captured from a wireless LAN, the Status column
indicates the wireless LAN channel from which the packet was
captured inside brackets. For example, an entry of [1] in the
Status column indicates that the corresponding packet was
captured from wireless LAN channel number 1.
Otherwise, Table 8-8 lists the flags used in the Status column of the
Summary pane. Note that any of the flags associated with error frames
(CRC, Jabber, Runt, and so on) require an enhanced driver for detection
and reporting.
Table 8-8. Status Flags
M Packet is marked. Mark a packet to return quickly to a
particular spot in a decoded set of frames.
A Packet was captured from Port A on the pod or adapter
card.
B Packet was captured from Port B on the pod or adapter
card.
# Packet has a symptom or diagnosis associated with it.
Trigger Packet is an event filter trigger
CRC CRC error packet with normal packet size
Jabber CRC error packet with oversize error
Runt Packet size is less than 64 bytes (including the 4 CRC
bytes) but with valid CRC
Fragment Packet size is less than 64 bytes (including the 4 CRC
bytes) with CRC error
Oversize Packet size is more than 1518 (including the 4 CRC bytes)
but with valid CRC
Collision Packet was damaged by a collision
Alignment Packet length is not an integer multiple of 8 bits.
User’s Guide 185

Chapter 8
Searching for Frames in the Decode Display
186 Sniffer Portable Professional
Because the Decode display can include thousands and thousands of
frames, it can be useful to search for particular frames. Using the
Sniffer’s powerful search abilities, you can search for frames in the
Decode display that match a text string, a certain data pattern, a certain
status flag, or have an Expert symptom or diagnosis associated with
them.
NOTE: In addition to searching for frames, you can also advance to
a particular frame in the Decode tab by specifying its number. Do
this by selecting the Go to Frame command from the Display menu
and supplying the frame number in the dialog box that appears.
Use the Find Frame dialog box to search for frames. Display the Find
Frame dialog box using any of the following commands:
Select Find Frame from the Display menu.
Select Find Frame from the Decode tab’s context menu (activated
by right-clicking anywhere on the Decode tab).
Use the Alt-F3 keyboard shortcut.
The Find Frame dialog box contains the following tabs:
Text — The Text tab lets you search for frames containing a
specified text string.
Time — The Time tab lets you search for frames with specific text
in the delta, relative, or absolute time fields.
Data — The Data tab lets you search for frames containing a
specified data pattern.
Status — The Status tab lets you search for frames with a
particular status flag.
Expert — The Expert tab lets you search for frames with a
particular associated Expert symptom or diagnosis.
The following sections describe how to perform searches from each of
these tabs.

Searching for Frames Matching Text Strings
To search for packets matching a text string:
Displaying Captured Data
1 Display the Find Frame dialog box using any of the following
commands:
Select Find Frame from the Display menu.
Select Find Frame from the Decode tab’s context menu
(activated by right-clicking anywhere on the Decode tab).
Use the Alt-F3 keyboard shortcut.
2 Click the Text tab.
3 Enter the text to search in the field provided. The dropdown list
includes previously performed text searches.
4 Specify in which portion of the Decode tab to search for the
specified from the options provided.
5 Specify whether the search is case-sensitive using the Match case
option.
6 Specify the search direction.
7 Click OK. If the string is found, the frame containing the pattern
will be displayed in the Decode Display. Press F3 to search for the
next packet matching the same criteria.
Figure 8-11. Text Tab of the Find Frame Dialog Box
User’s Guide 187

Chapter 8
Searching for Frames Matching Time Criteria
188 Sniffer Portable Professional
To search for frames matching time criteria:
1 Display the Find Frame dialog box using any of the following
commands:
Select Find Frame from the Display menu.
Select Find Frame from the Decode tab’s context menu
(activated by right-clicking anywhere on the Decode tab).
Use the Alt-F3 keyboard shortcut.
2 Click the Time tab. Search for packets with specific text in the
Delta Time, Relative Time, or Absolute Time fields in the
Summary pane here.
To search for a value in the Delta Time field, enable the Delta
Time option and supply the text to search for.
To search for a value in the Relative Time field, enable the
Relative Time option and supply the text to search for.
To search for a value in the Absolute Time field, enable the
Absolute Time option and use the dropdown fields to select
the value to search for.
NOTE: You can select any combination of values in the
dropdown lists. Leaving a field blank will cause the search to
accept any value for that field.
3 Use the Up and Down fields to specify whether to search in an
upward or downward direction from the currently selected frame.
4 Use the Search Condition fields to specify which type of search
you would like to perform, as follows:
Simple Partial Search — A simple partial search will find any
occurrence of the specified value anywhere within the
specified field.
Advanced Complete Search — An advanced complete
search will find an exact match only.
5 Click OK.

Figure 8-12. Time Tab of the Find Frame Dialog Box
Displaying Captured Data
User’s Guide 189

Chapter 8
Searching for Frames Matching Data Patterns
190 Sniffer Portable Professional
You can also search for data patterns by Searching for Data Patterns
using a Pattern from a Known Packet.
To search for frame matching specific data patterns:
1 Display the Find Frame dialog box using any of the following
commands:
Select Find Frame from the Display menu.
Select Find Frame from the Decode tab’s context menu
(activated by right-clicking anywhere on the Decode tab).
Use the Alt-F3 keyboard shortcut.
2 Click the Data tab.
3 From the Form dropdown list, specify whether to search for data
from a packet, protocol, or either.
4 In the Offset field, specify the offset at which to search for the
specified pattern.
5 From the Format field, specify the format in which the data to
search for is specified.
6 Click Up or Down to specify the search direction.
7 Click OK.
NOTE: If desired, click Reset to reset all the fields in the Data tab
to start a new search.

Figure 8-13. Data Tab of the Find Frame Dialog Box
Displaying Captured Data
User’s Guide 191

Chapter 8
Searching for Data Patterns using a Pattern from a Known
Packet
192 Sniffer Portable Professional
In addition to Searching for Frames Matching Data Patterns, the easiest
way to search for a data pattern is to use a pattern from a known packet.
To search for data patterns using a pattern from a known
packet:
1 Locate and highlight either:
A packet in the Summary pane.
A protocol field or a data pattern in the Detail pane.
2 Open the Find Frame dialog box by selecting the Find Frame
command from the Display menu (or from the context menu).
3 Select the Data tab.
If you selected a packet in the Summary pane, the Data tab
will already contain some data from the selected packet.
If you selected a protocol field or data pattern in the Detail
pane, the Data tab will already contain the selected field or
pattern.
4 Set the From list box to Don’t Care.
5 You can click the Set Data button to open the Set Data dialog box,
containing a line-by-line decode of the selected packet.
Figure 8-14. The Set Data Dialog Box
6 Select a line from the Set Data dialog box and click OK.
7 The data from the selected line is placed in the data pattern area
of the Find Frame dialog box. Adjust the data and the length if
necessary

Displaying Captured Data
8 Click OK to start the search. If a pattern match is found, the packet
containing the pattern will be displayed in the Decode Display.
Press F3 to search for the next packet.
Searching for Frames Matching Packet Status Flags
To search for packets with a a particular Status flag:
1 Display the Find Frame dialog box using any of the following
commands:
Select Find Frame from the Display menu.
Select Find Frame from the Decode tab’s context menu
(activated by right-clicking anywhere on the Decode tab).
Use the Alt-F3 keyboard shortcut.
2 Click the Status tab.
3 Select the status flag(s) to search for.
4 Click Up or Down to specify the search direction.
5 Click OK. If a frame with one of the specified flags is found, the
frame containing the will be displayed in the Decode Display. Press
F3 to search for the next packet matching the same criteria.
NOTE: Some Status flags require an enhanced driver to detect.
Because Sniffer Portable Professional no longer includes enhanced
drivers for Ethernet, searching for the corresponding Status flag will
often produce no results.
For descriptions of the various possible packet status flags, see Packet
Status Flags in the Summary Pane on page 185.
User’s Guide 193

Chapter 8
194 Sniffer Portable Professional
Figure 8-15. Status Tab of the Find Frame Dialog Box

Searching for Frames with Expert Alarms
Displaying Captured Data
To search for packets exhibiting a particular Expert symptom
or diagnosis:
1 Display the Find Frame dialog box using any of the following
commands:
Select Find Frame from the Display menu.
Select Find Frame from the Decode tab’s context menu
(activated by right-clicking anywhere on the Decode tab).
Use the Alt-F3 keyboard shortcut.
2 Click the Expert tab.
3 Select the Expert alarm to search for from the dropdown list
provided. The list includes each of the Expert alarms found
somewhere in the currently displayed Decode tab.
4 Click Up or Down to specify the search direction.
5 Click OK. If a frame exhibiting the specified Expert alarm is found,
the frame will be displayed in the Decode Display. Press F3 to
search for the next packet matching the same criteria.
Figure 8-16. Expert Tab of the Find Frame Dialog Box
User’s Guide 195

Chapter 8
Printing Decoded Packets
196 Sniffer Portable Professional
You can print the decoded data packets in the Decode Display. You can
print a line-by-line list of the packets in the Summary pane, a list of
protocol fields in the Detail pane, the hex data in the Hex pane, or a
combination of any of the three panes.
To print decoded packets, select Print from the File menu to display the
Print dialog box. Use this dialog box as follows:
In the Print Range area, select the range of packets you want to
print.
In the Format area, select which panes (Summary, Detail, Hex)
you want to print and whether to print the data in
comma-separated values format for import into a spreadsheet
application.
If you enable the CSV Format and Print to file options, you may
want to replace the default .PRN extension for printed output with
a .CSV extension. The .CSV extension tells most spreadsheet
applications (including MS-Excel) to expect comma-delimited data
and import it accordingly (that is, with each comma-separated
value in its own column).
NOTE: If you open a CSV Format file saved with the default
.PRN extension in MS-Excel, you will be prompted to supply
the character used for the delimiter in the file. As you would
expect when the CSV Format option is enabled, the delimiter
used in the saved output file is a comma.
Check the Print to File option to output the decoded data packets
to a file.
During printing, you can use the Abort Printing toolbar button or File
> Abort Printing menu selection to abort the current print job.
Changing the Format of Printed Summary Pane Data
You can control which optional fields in the Summary pane are included
in printed output, and what order they are printed in. Summary pane
fields are printed in a "what you see is what you get" ("WYSIWYG")
format -- columns in the pane are printed in the same order in which
they are show in the Decode display. Because of this, you can use the
following techniques to control the format of printed summary data:

Displaying Captured Data
Use the Optional Fields list in the Summary Display tab of the
Display > Display Setup dialog box to specify which optional
fields are included in the Summary pane display. The only optional
fields included in printed output will be those enabled in this list.
However, printed output will always include the standard
non-optional frame number, source address, destination address,
and summary text fields.
See Display Setup > Summary Display Options on page 180 for
information on specifying optional fields for the Summary pane.
Use standard drag-and-drop techniques to rearrange the columns
in the Summary pane. Summary pane fields will be printed in the
same order in which they are shown in the Decode display.
NOTE: Although you can resize columns in the Summary pane
display using standard click-and-drag techniques, columns in
printed Summary pane output are automatically resized to
accommodate the largest entry in a given column. This way, data is
not inadvertently truncated in printed output.
The Summary Field in Printed Summary Pane Data
The Summary pane of the Decode Display always includes a Summary
column. The data in this column provides a quick synopsis of the packet
in question -- it's highest layer protocol, the frame type, any pertinent
status flags, and so on. The width of the data in the Summary column
can vary widely and is often much wider than the other columns in the
Summary pane. Because of this, the Sniffer treats Summary column
data as follows in printed output:
When packets are printed with the CSV Format option enabled,
the Summary column will be on the same line as the rest of the
data for a given packet (Source Address, Dest Address, and so
on).
When packets are printed without the CSV Format option enabled
(either to a printer or to a file), the Summary column will be on its
own line immediately following a line containing the rest of the
information for the packet (Status, Source Address, Dest
Address, and so on, depending on the current selections in
Display > Display Setup > Summary Display and your own
drag-and-drop settings).
User’s Guide 197

Chapter 8
Using Protocol Forcing
You can define up to four
rules. Checked rules are
enabled and applied to
decoded data.
198 Sniffer Portable Professional
Protocol forcing is useful when capturing frames that use a mixture of
standard and non-standard (for example, proprietary) protocols that the
Sniffer Portable Professional might not otherwise be able to decode. For
example, in some situations, networks may include standard IP data
within a proprietary lower layer packet format unknown to the analyzer.
Protocol forcing essentially lets you tell the analyzer “if you see this
condition, skip this many bytes (to where the standard data is), then
apply this protocol interpreter.”
You specify protocol forcing rules in the Protocol Forcing tab of the
Options dialog box, displayed by selecting the Options command from
the analyzer's Tools menu (sample shown in Figure 8-17).
Use the drop-down list to specify the protocol that should
be used as the “force from” protocol. When the analyzer
encounters the condition specified here, it will skip the
number of bytes specified in the Skip x bytes field and
apply the protocol interpreter specified in the Then field.
Figure 8-17. Defining Protocol Forcing Rules
Specify the number of
bytes to skip once the “If”
condition is detected.
Use the drop-down list to
specify the protocol that
should be used as the
“force to” protocol (that is,
the protocol to be
expected at the offset you
specified in the Skip x
bytes field).

Postcapture 802.11 Decryption
Displaying Captured Data
Sniffer Portable Professional can decrypt and decode 802.11 packets
encrypted with either WPA/WPA2 or WEP both during and after capture.
As described in Configuring Wireless Encryption Settings on page 56,
you use the Tools > Wireless > Encryption options to configure the
automatic decryption of encrypted data on wireless networks during
capture. However, you can also perform decryption on trace files
containing frames encrypted with a known WPA passphrase or WEP key
set but not decrypted during capture. There are two ways to do this:
Use the integrated decryption utility accessed from the Decode
tab’s context menu.
Use the standalone WLAN Decryption utility located at
C:\Program Files\NetScout\Sniffer
Portable\bin\WLANDecrypt.exe.
Both approaches do the same thing – decrypt wireless data with supplied
decryption keys. The major difference is that the standalone utility takes
a trace file as input and outputs a decrypted trace file.
To perform offline decryption of encrypted wireless data:
1 Display the Decode tab of a trace file or capture buffer containing
frames encrypted with a known WPA passphrase or WEP key set
but not decrypted during capture.
2 Right-click in the Summary, Detail, or Hex pane to activate the
Decode tab’s context menu.
3 Select Wireless Decryption to open the Select WEP - WPA
Keys dialog box. A sample is shown in Figure 8-18.
User’s Guide 199

Chapter 8
Sniffer Portable Professional can decrypt
both WPA/WPA2 and WEP encrypted
packets simultaneously.
Use these options to specify the
keys to use for decryption of
WEP-encrypted data. WEP is an
early 802.11 encryption
technology and is not as
commonly seen as WPA-WPA2.
Use these options to specify
the passphrase used to
decrypt data on different SSIDs
(wireless networks).
200 Sniffer Portable Professional
Figure 8-18. Select WEP - WPA Keys Dialog Box
Use the Select WEP-WPA Keys dialog box (Figure 8-18) to specify
the WEP and/or WPA keys to be used for decrypting the data in the
selected buffer or trace file.
4 To specify new WEP keys for decryption, start by setting the WEP
Key Entry Mode option to specify whether you want to enter the
keys as either Hex or ASCII. Then, enter up to four separate
encryption keys. For each key, do the following:
a Specify the length of the key by selecting the appropriate
option. Keys can be either None, 40-bit, or 128-bit. Use the
None option if no encryption is used on the network.
Depending on the length of the key specified, some or all of
the adjacent fields become active, enabling you to specify the
keys in use.
b Specify the exact value for each key in the adjoining spaces
provided.
NOTE: The four encryption keys in use on a WEP-encrypted
network are all typically the same length — either 40-bit or

128-bit.
5 To specify new WPA-WPA2 keys for decryption:
Displaying Captured Data
a Turn on the encryption key by checking its On radio button.
b Specify the SSID for the WPA/WPA2-encrypted network. This
is typically a short string used to identify a wireless network
(for example, labnet).
c WPA/WPA2 encryption relies on a pre-shared passphrase for
encryption. Enter the passphrase associated with this SSID.
d Repeat Step a though Step c for each SSID you expect Sniffer
Portable Professional to monitor.
6 Click OK on the Select WEP-WPA Keys dialog box.
Sniffer Portable Professional attempts to use the specified keys to
decrypt the data in the selected buffer or trace file and opens a new
window with the results. If you specified the correct keys, the new
window displays the newly-decrypted data. You can save the
decrypted data to a new trace file using the usual File > Save
command.
IMPORTANT: Make sure the data to decrypt includes four
EAPOL Exchange packets for each SSID/passphrase combo you
have entered. You can obtain these packets by capturing the
Client to AP association packets. If these EAPOL Exchange
Packets are not present, the corresponding
WPA/WPA2-encrypted packets cannot be decrypted.
NOTE: An easy way to determine whether you have entered the
correct WEP keys is to check for the presence of a large number of
WEP-ICV Error Expert alarms. If there are an abnormally large
number of these alarms, you probably have not entered the correct
WEP keys for the encrypted data in the selected buffer or trace file.
User’s Guide 201

Chapter 8
Postcapture Matrix Tab
202 Sniffer Portable Professional
The Matrix tab collects statistics for conversations between network
nodes. For LANs, the matrix tab accumulates MAC, IP network, IP
application, IPX network, and IPX transport-layer information. Sniffer
Portable Professional also provides an additional 802.11 view for
wireless LANs that allows you to concentrate on information specifically
for wireless stations.
You can view accumulated data as a traffic map, as a table, or as a bar
or pie chart.
The traffic map provides a birds-eye view of network traffic
patterns between nodes. You can filter out unwanted traffic by
unchecking certain protocols, or by selecting specific network
nodes to display.
The matrix tables display traffic count statistics for node pairs:
The outline table provides a quick summary of total bytes and
packets transmitted between pairs of network nodes.
The detail table provides a quick summary of the higher layer
protocol type and its traffic load transmitted in and out of each
conversation node pair.
You can sort a matrix table by clicking a column heading (for
example, to sort the statistics by packets, click the Packets
column heading). Click a second time to sort in reverse order.
The bar chart displays the top 10 busiest conversation node pairs.
The pie chart displays the top 10 busiest conversation node pairs
as relative percentages of the total load of traffic.
In all views, you can display conversation traffic at the link layer, MAC
layer, or selectively view only the IP or IPX layers.
In the table views, you can export the statistics for tabulation or
charting.
Figure 8-19 shows the Matrix display (bar chart view) and toolbar.

Select layer
Traffic map view
Detail table view
Outline table view
Pie chart view
Bar chart view
Figure 8-19. Matrix Display (Bar Chart View) and Toolbar
Displaying Captured Data
Sort criteria (bar and pie chart)
Define visual filter
Export data to
spreadsheet
(Table views only)
Export data to
HTML (Table
views only)
User’s Guide 203

Chapter 8
More about the Matrix Traffic Map
204 Sniffer Portable Professional
The traffic map in the postcapture Matrix tab is a powerful tool that gives
you a birds-eye view of the network traffic patterns captured in the
packet buffer. It gives a complete graphical presentation of the traffic
pattern between network nodes, as well as the type of protocol used for
communications.
To view the traffic map from the Packet Display:
1 Select the Matrix tab on the bottom of the postcapture Display
window. If you do not see the Matrix tab, make sure that the
Show Post Analysis tabs option in the Display Setup dialog
box’s General tab is enabled.
2 Click the traffic map button. A traffic map showing conversation
load and protocol type is displayed.
To view traffic at a different layer:
1 Open the drop-down list on the upper left corner of the traffic map.
Select the layer at which you want to view traffic (for example, IP or
IPX). A traffic map showing conversation load and protocol type at the
selected layer is displayed.
Using a Visual Filter in the Traffic Map
The traffic map can be used to automatically define a filter. You can
select stations and particular protocols that displayed on the traffic map
and Sniffer Portable Professional will automatically configure a filter to
match your selections.
To use the Traffic Map to define a filter:
1 Select the Matrix tab on the bottom of the postcapture Display
window. If you do not see the Matrix tab, make sure that the
Show Post Analysis tabs option in the Display Setup dialog
box’s General tab is enabled.
2 On the pull-down window, select the protocol suite. In the left
column, select one or more sub-protocols to display.
3 Highlight any network node(s) you want to filter for. To select more
than one node, hold the Ctrl key down while you click additional
nodes.

Displaying Captured Data
4 Click the Define Filter button. Depending on the settings in the
Display Setup dialog box’s Packet Selection tab, the Sniffer either
marks all matching packets in the Decode tab (Select Packets >
Select Matching) or creates a new Decode tab with just the
filtered packets based on the network node and protocol selections
you made.
NOTE: For more information on the Packet Selection tab, see
Display Setup > Packet Selection Options on page 183.
Using the Matrix Map to Identify the Others Protocol Type
The traffic map's capacity to create a visual filter provides an ideal way
to investigate Others protocol types in the capture buffer. Others are
protocols that do not fall into the protocol categories predefined by
Sniffer Portable Professional.
To define a filter to select Other protocol packets to display in
the Packet Display window:
1 Select the Matrix tab on the bottom of the Packet Display window.
2 Uncheck all protocols listed in the traffic map except the Others
box.
3 Click the Define Filter button. Depending on the settings in the
Display Setup dialog box’s Packet Selection tab, the Sniffer either
marks all matching packets in the Decode tab (Select Packets >
Select Matching) or creates a new Decode tab with just the Other
packets.
NOTE: For more information on the Packet Selection tab, see
Display Setup > Packet Selection Options on page 183.
User’s Guide 205

Chapter 8
Postcapture Host Table Tab
206 Sniffer Portable Professional
The Host Table collects each network node’s traffic statistics. For LANs,
the matrix tab accumulates MAC, IP network, IP application, IPX
network, and IPX transport-layer information. Sniffer Portable
Professional also provides an additional 802.11 view for wireless LANs
that allows you to concentrate on traffic statistics specifically for wireless
stations.
You can view accumulated data as a table, bar chart, or pie chart.
The table views display traffic count statistics for each network
node.
The outline table provides a quick summary of total bytes and
packets transmitted in and out of each network node.
The detail table provides a quick summary of the higher layer
protocol type and its traffic load transmitted in and out of each
network node.
You can sort a host table by clicking a column heading (for
example, to sort the statistics by incoming packets, click the In
Pkts column heading). Click a second time to sort in reverse order.
The bar chart displays the 10 busiest host nodes in real time.
The pie chart displays the 10 busiest host nodes as relative
percentages of the total load of traffic.
In all views, you can display traffic at the link layer, MAC layer, or
selectively view only the IP or IPX layers.
In the table views, you can export the statistics for tabulation or
charting.
Figure 8-20 shows the Host Table display and toolbar.

Select MAC, IP,
or IPX layer
Click the plus (+)
sign to see protocol
information. Click
the minus (-) sign to
hide it.
Outline table view
Detail table view
Bar chart view
Sort criteria
(Bar and Pie chart)
Pie chart view
Displaying Captured Data
Export to HTML
(Table views only)
Export data to spreadsheet
(Table views only)
Figure 8-20. Host Table Display (Outline Table View) and Toolbar
User’s Guide 207

Chapter 8
Postcapture Protocol Distribution Tab
208 Sniffer Portable Professional
The Protocol Distribution tab reports network usage based on the
network-, transport-, and application-layer protocols. For example, you
can monitor IPX/SPX, TCP/IP, NetBIOS, AppleTalk, DECnet, SNA,
Banyan, and many other protocols.
Protocol distribution monitors popular IP applications, such as NFS, FTP,
Telnet, SMTP, POP2, POP3, HTTP (WWW), Gopher, NNTP, SNMP,
X-Window, and others. It also monitors IPX transport-layer protocols
such as NCP, SAP, RIP, NetBIOS, Diagnostic, Serialization, NMPI, NLSP,
SNMP, and SPX.
Sniffer Portable Professional also provides an additional 802.11 view
that allows you to view network usage by 802.11 frame types (for
example, Association Requests, Probe Requests, Beacons, and so on).
You can view the protocol distribution in a table, or as a bar or pie chart.
You can also view the number and percentage of packets or bytes for a
protocol.
Sniffer Portable Professional lets you export the protocol distribution
data for tabulation or charting. To export data, the display must be in
the table view.
Figure 8-21 shows the Protocol Distribution display and toolbar.

Select MAC, IP,
or IPX layer
Table view
Bar chart view
Pie chart view
Displaying Captured Data
Display total number or
percentage of bytes Export data to
spreadsheet format
(Table view only)
Display total number or
percentage of packets
Export data to HTML
(Table view only)
Figure 8-21. Protocol Distribution Display (Pie Chart View) and Toolbar
User’s Guide 209

Chapter 8
Postcapture Statistics Tab
Export data to
spreadsheet
210 Sniffer Portable Professional
For each capture session, statistical information is accumulated to help
you analyze the network traffic during the capture period. A summary of
this information is displayed in a table on the Statistics tab. The table
displays:
The date and time of the capture
The amount of traffic seen during the capture period
Utilization statistics
You can export this information to a spreadsheet using the button.
Figure 8-22 shows the Statistics display.
Figure 8-22. The Statistics Display

Displaying Captured Data
802.11 Information in the Postcapture Statistics Tab
In addition to the standard counters in the Statistics tab, Sniffer
Portable Professional adds a variety of wireless-specific statistics. These
statistics are listed and described in Table 8-9 on page 211.
Table 8-9. 802.11 Counters in the Statistics Tab (1 of 2)
Counter Description
802.11 Data Throughput The data rate (in bits per second) observed
by Sniffer Portable Professional for this
capture session. When calculating
throughput, Sniffer Portable Professional
only counts data frames. Management and
control frames are not part of this
calculation. However, the throughput
measurement does include the header
portions of data frames.
802.11 Management Pkts The number of Management packets
observed on the wireless LAN during this
capture session.
802.11 Control Pkts The number of Control packets observed on
the wireless LAN during this capture session.
802.11 Data Packets The number of data packets observed on the
wireless LAN during this capture session.
802.11 Mgmt Pkt Util Of the total number of MAC layer frames
observed during this session, the percentage
that were Management packets.
802.11 Ctrl Pkt Util Of the total number of MAC layer frames
observed during this session, the percentage
that were Control packets.
802.11 Data Pkt Util Of the total number of MAC layer frames
observed during this session, the percentage
that were Data packets.
802.11 Retry Pkts The number of Retry packets observed on
the wireless LAN during this capture session.
Stations send retry packets when they
receive no acknowledgment to a previously
sent packet.
802.11 WEP Pkts The number of packets observed on the
wireless LAN during this capture session with
the WEP bit in the Frame Control field set to
true. This indicates that Wired Equivalent
Policy encryption was used on the packet.
User’s Guide 211

Chapter 8
212 Sniffer Portable Professional
Table 8-9. 802.11 Counters in the Statistics Tab (2 of 2)
Counter Description
802.11 Short PLCPs The number of Physical Layer Convergence
Protocol (PLCP) protocol data units seen with
the “short” preamble and header during this
capture session. This form of PLCP PDU is
used to achieve higher throughput and can
support 5.5 and 11 Mbps transmission
speeds.
802.11 Long PLCPs The number of PLCP PDUs seen with the
“long” preamble and header during this
capture session. This form of PLCP PDU is
compatible with legacy equipment from
older wireless LANs and supports and
operates at either 1 Mbps or 2 Mbps.
Data Rate Counters These counters vary depending on the
monitored network:
• For 802.11b/g networks, there are
separate counters for the number of
frames sent at 1, 2, 5.5, 11, 6, 9, 12,
18, 24, 36, 48, 54, 72, 108 Mbps.
• For 802.11a networks, there are
separate counters for the number of
frames sent at 6, 9, 12, 18, 24, 36, 48,
54, 72, and 108 Mbps.
• For legacy 802.11b cards, the speeds
remain at 1, 2, 5.5, 11 Mbps.
NOTE: 802.11g is backward-compatible with
802.11b, therefore the speed counters seen
in 802.11b are also shown in 802.11g.
802.11b and 802.11g share the same
frequency band (2.4 GHz) and same number
of channels (1-14). 802.11b goes from
speeds 1 Mbps to 11 Mbps and 802.11g goes
from speeds 1 Mbps to 54 Mbps. 802.11a
and 802.11g share similar speeds (6, 9, 12,
18, 24, 36, 48, 54, 72, and 108 Mbps – 72
and 108 Mbps are proprietary
implementations).

Working with Real-Time
Decodes
Overview
9
In addition to off-line or post-capture analysis, you can display protocol
decodes in real-time as packets arrive. You do not have to stop a capture
session to see protocol decodes.
Real-time decodes are disabled by default. After launching Sniffer
Portable Professional, enable real-time decodes and set real-time
decode options.
See also:
Enabling and Setting Real-time Decodes on page 213
Viewing Real-time Decodes on page 214
Scrolling Modes in Real-time Decodes on page 215
Real-time Decode Display Limitations on page 216
Enabling and Setting Real-time Decodes
In addition to off-line or post-capture analysis, you can display protocol
decodes in real-time as packets arrive. You do not have to stop a capture
session to see protocol decodes. Real-time decodes are disabled by
default when Sniffer Portable Professional is installed. Setting Real-time
decode options includes specifying the refresh rate used in Live-Scroll
mode.
To enable real-time decodes:
1 From the Tools menu, select Options, then click the Real-Time
tab.
2 Select the Real Time Decode option.
3 Specify a refresh rate in the field provided. This rate is used in
Live-Scroll Mode to jump to the new set of latest packets to decode
at each defined interval. You can specify a rate between 1 and 60
seconds.
See Scrolling Modes in Real-time Decodes on page 215 for detailed
information.
User’s Guide 213

Chapter 9
4 Click OK.
214 Sniffer Portable Professional
Real Time Decodes and the “When buffer is full” Option
Real Time Decodes only work when the When buffer is full option in
the Define Filter - Capture dialog box is set to Stop capture for the
active capture filter.
If the Real Time Decode option is enabled and the capture buffer is
currently set to wrap (Wrap buffer is enabled), Sniffer Portable
Professional will automatically change the setting of the option to Stop
capture.
After starting a new capture session, the Real-Time Decode window is
displayed automatically. An example is shown in Figure 9-1 on page 215.
Viewing Real-time Decodes
Real-time decodes allow you to display protocol decodes in real-time as
packets arrive. When enabled, you do not have to stop a capture session
to see protocol decodes.
To view real-time decodes:
1 Ensure real-time decodes are enabled. See Enabling and Setting
Real-time Decodes on page 213.
2 Select Start from the Capture menu.
3 The Decode window opens and the real-time decodes are displayed
in the Summary pane as shown in the example in Figure 9-1 on
page 215. Depending on the refresh interval specified, you might
not see the decode information immediately.
NOTE: Switch from Non-live to Live scrolling at any time using
Ctrl + End, or clicking and .
4 Select Stop from the Capture menu to stop the capture and the
real-time decode data stream. Save the data to a trace file using
traditional file saving methods if desired.

Figure 9-1. Real-time Decodes Window Example
Scrolling Modes in Real-time Decodes
Working with Real-Time Decodes
Like the traditional Sniffer post-capture Decode window, the Real-time
Decode window (Figure 9-1 on page 215) has three panes: Summary,
Detail, and Hex. When Real-time decodes are enabled and new network
packets come in, the Summary pane is updated.
In Live scroll mode you see the network packets from top to bottom in
the order they were received. When new packets come in, the Decode
window automatically starts scrolling upward and older packets are
removed from the Summary pane. The refresh interval rate is set in the
Real-Time tab of the Options dialog box. See Enabling and Setting
Real-time Decodes on page 213 for detailed information.
When the Decode screen refreshes, the Summary pane displays the last
set of network packets that were received in the interval period. Please
note, if the Summary pane is limited to displaying 20 lines for 20 packets
and the most recent interval period contained 500 packets, then the
Summary pane displays packets 481 to 500. During the next interval,
250 more packets are received. The Summary pane automatically
updates and displays packets 731 to 750.
User’s Guide 215

Chapter 9
216 Sniffer Portable Professional
In Non-live scroll mode the Decode window does not automatically
update. To view new packets, you have to manually scroll the Summary
pane using the scrolling tools to the right of the pane.
In either Live or Non-live scroll mode, the Detail and Hex panes show
the first packet by default when the Real-Time Decode window opens.
When you select a new packet in the Summary pane, the Detail and Hex
panes are refreshed to display information specific to the selected
packet.
To switch between Real-time Decode scrolling modes:
1 Ensure Real-time Decode is enabled. See Enabling and Setting
Real-time Decodes on page 213.
2 Start a capture session. This opens the Real-Time Decode window
automatically.
3 Switch from Live to Non-live scrolling in the Real-Time Decode
window by clicking any summary line in the Summary pane, or
moving the Summary pane scroll bar upward. You can do this at
any time.
4 You can also switch from Non-live to Live scrolling using Ctrl +
End, or clicking Start scrolling and Stop scrolling . You
can do this at any time.
Real-time Decode Display Limitations
When specifying Real-time decode options or viewing real-time decodes,
please note the following:
Capture to disk is not supported with Real-time decodes. If you
have Capture to Disk selected as a capture option, the Real-Time
Decode window is disabled.
The Real-Time Decode window displays the Frame Number, Status,
Source Address, Destination Address, Summary, Length, Delta
Time, and Absolute Time columns, but these statistics are not
user-configurable.
Display setup items are not user-configurable in the Real-Time
Decode window. The Real-Time Decode window will always display
Show Network Address, the Display Vendor ID on the MAC address,
and the Summary line for the last protocol layer.
The Real-Time Decode window does not display Expert Symptoms,
Two-Station Format, nor will the Window resolve the network name
using the Address book.

Working with Real-Time Decodes
The Find Frame, Go to Frame, Marking of Frame, and Select
and Save Range tools are not available in the Real-Time Decode
window.
Display filters are not available in the Real-Time Decode window.
Segmentation and Re-assembly analysis of network packets or
frames is not supported in Real-time Decode mode.
User’s Guide 217

Chapter 9
218 Sniffer Portable Professional

Defining Filters and Triggers
Overview
This section describes filters and triggers:
10
Use filters to select the particular traffic you need for your network
analysis so that you can focus precisely on the data you need to
troubleshoot network problems and minimize the size of files you
collect for historical records.
Use triggers to capture data while Sniffer Portable Professional is
unattended, such as on off-hours or weekends. You can set triggers
to start captures at specific times, or in response to specific events
(for example, alarms).
The section includes the following information:
Defining Filters on page 220
Using Filter Profiles on page 222
Setting Filter Options in the Address Tab on page 225
Setting Filter Options in the Port Tab on page 228
Setting Filter Options in the Data Pattern Tab on page 230
Setting Filter Options in the Advanced Tab on page 235
Setting Filter Options in the 802.11 Tab on page 238
Filtering from the Decode Window on page 240
Sharing Filters between Systems and Products on page 241
Defining Triggers on page 242
Defined Filters vs. Automatic Filters
There are two categories of filters:
Defined filters. You can define address, port, protocol, and
Boolean data pattern filters to select the particular traffic you need
for your network analysis. By using filters, you can precisely focus
on the data you need to troubleshoot network problems and
minimize the size of files you collect for historical records.
User’s Guide 219

Chapter 10
220 Sniffer Portable Professional
In general, you work with Defined filters in the Define Filter dialog
box. This section describes how to do that.
Automatic filters. In some cases, filters are created automatically
by Sniffer Portable Professional when you choose to view selected
information. For example, you can single-out a particular station's
conversations using the Visual Filter on the Matrix map display. You
can also set automatic Expert Filters in many Expert window
displays, as well as automatic Display filters from an active Decode
tab.
Automatic filters are described in the following sections:
Automatic Display filters are described in Setting Display
Filters on page 167.
Expert filters are described in Setting Automatic Expert
Display Filters on page 151
Define Filter Options for Wireless Networks
Defining Filters
When using Sniffer Portable Professional with a wireless adapter, the
Define Filter dialog box adds several wireless-specific filtering options:
The Define Filter dialog box’s Advanced tab includes wireless LAN
packet types on which you can filter (for example, PLCP Errors).
See Filters for 802.11 Packet Types in the Advanced Tab on page
237.
The Define Filter dialog box also includes an 802.11 tab specifically
for wireless LAN filtering. See Setting Filter Options in the 802.11
Tab on page 238.
In general, you work with filters in the Define Filter dialog box. The type
of filter is determined by its use:
When selecting what traffic to monitor, the filter becomes a
monitor filter.
When selecting what traffic to admit into the capture buffer, the
filter becomes a capture filter.
When selecting what data in the capture buffer to display, the filter
becomes a display filter.

Defining Filters and Triggers
When you define a filter, you give it a name (known as a Profile in the
application displays). You then select a filter Profile to use as a monitor,
capture, or display filter (depending on whether you choose the Select
Filter command from the Monitor, Capture, or Display menu). To
easily differentiate different kinds of filters, use a distinctive naming
convention. See Using Filter Profiles on page 222 for details.
To access the Define Filter dialog box:
1 Select Define Filter from the Monitor, Capture, or Display
menu.
You can also click the button (located in many windows).
The Define Filter dialog box lets you define capture filters to collect
specific network information. When you first open the Define Filter
dialog box, the Summary tab appears, summarizing the current
settings for the selected filter. This tab also displays the buffer size and
the buffer action (stop capture or overwrite older data when buffer is
full).
In addition to the Summary tab, some or all of the following tabs are
available, depending on the type of network adapter in use:
The Address tab lets you define filters to capture data transmitted
between network nodes (or address pairs).
The Port tab lets you filter traffic on IP or IPX ports.
The Data Pattern tab lets you define filters that capture frames
that match data patterns rules joined by AND/OR/NOT logical
operators. Data pattern filters provide a generic method of defining
and documenting filter conditions that can not be defined by the
address and protocol filters.
The Advanced tab tab lets you define filters that capture frames
that belong to one or more protocol group(s). It also lets you set
filters for frames falling in a specified size range and various
protocol-specific frame types (for example, jabber packets on an
Ethernet network).
The Buffer tab lets you set various global options relating to the
size of the capture buffer and what actions should be taken when
the maximum size of the capture buffer is reached.
You can also create filter profiles — saved combinations of one or more
of the individual filters defined on the tabs listed above. See Using Filter
Profiles on page 222 for details.
User’s Guide 221

Chapter 10
Using a Defined Filter
Using Filter Profiles
222 Sniffer Portable Professional
You apply a named filter to one of four filter points in Sniffer Portable
Professional to select the information you want. The filter points are,
monitor, capture, display, and event.
When you apply a filter to the monitoring process, it is called a
monitor filter. It selects what information will be included in
monitor statistics.
When you apply a filter to a capture, it is called a capture filter. A
capture filter allows only certain frames or certain portions of
frames to be saved in the capture buffer. It also defines the size of
the capture buffer and what to do when the buffer is full.
When you apply a filter to the Packet Display, it is called a display
filter. The display filter lets you select what packets you want to
display. A display filter does not affect the contents of the capture
buffer. It just prevents some of the data from being displayed.
When you apply a filter to a capture trigger definition, it is called
an event filter. You use a trigger to automatically start or stop
captures based on network events and other parameters.
Tip: Implement a naming convention for your filters. Some of the
named filters you define will be specifically designed for a particular
purpose, for example, as a display filter or as a capture filter. To easily
identify different kinds of filters in your filter list, use a distinctive
naming convention.
For example, you could begin each filter name with a single-letter
descriptor:
C-name for capture filters
D-name for display filters
M-name for monitor filters
T-name for trigger event filters
Creating precise filter definitions can be a time-consuming process.
Filter profiles provide a means to save your carefully crafted filter
definitions for later use. A filter profile is a set of one or more individual
filters defined on the various tabs in the Define Filter dialog box
(Address, Port, Data Pattern, Advanced, Buffer, and so on).

Defining Filters and Triggers
For example, suppose you are only interested in IP traffic to and from a
particular router. You could create a special filter profile that combined
an Address filter on the router’s IP address, as well as an Advanced
filter on IP protocol traffic. Then, whenever you needed to use this
combination of filters, you could simply select the saved filter profile
from the Select Filter dialog box.
NOTE: If you need to see which individual filters make up a filter
profile, select the Define Filter command and then select the entry
for the filter profile in the Settings For pane of the Define Filter
dialog box. The Summary tab of the Define Filter dialog box will
show you a quick summary of the various individual filters making
up the selected profile.
Creating a Filter Profile
Each time you create a new filter, be sure to start by clicking the
Profiles button in the Define Filter dialog box. Then, click the New
button to open a dialog box in which you can give your filter profile a
name.
Once you have named a filter profile, it will appear in the Settings For
pane of the Define Filter dialog box, allowing you to fine tune the settings
for the filter. In addition, the filter will also appear in the Select Filter
dialog box, allowing you to apply it to a given monitoring, capture, or
decode session whenever you like.
To create a filter profile:
1 Select the Define Filter command from either the Monitor,
Capture, or Display menu (depending on the type of filter you
would like to create).
2 Click Profiles.
The Capture Profiles dialog box appears, listing the filter profiles
already defined.
3 Click New.
4 In the New Capture Profile dialog box, supply a name for the filter
in the field provided.
You can also copy the settings for this filter from either an existing
defined profile (Copy Existing Profile option) or from an existing
sample (Copy Sample Profile option).
5 Click OK.
User’s Guide 223

Chapter 10
224 Sniffer Portable Professional
6 Click Done in the Capture Profiles dialog box.
The filter appears in the Settings For pane of the Define Filter
dialog box. At this point, you can fine tune the settings for this filter
in the other tabs of the Define Filter dialog box (Address, Port,
Data Pattern, Advanced, and so on).
Starting Capture Directly from the Define Filter - Capture
Dialog Box
Start capture directly
from the Define Filter
dialog using this button.
In contrast to previous Sniffer Portable Professional releases, you can
now start a capture directly from the Define Filter - Capture dialog box
with the currently selected filter in place. This way, you don’t have to go
through the intermediate step of accepting your filter and then clicking
the Start Capture button (although you still can, if you want to!).
To start capture directly from the Define Filter - Capture
dialog box:
1 Select Define Filter from the Capture menu.
You can also click the button in the Capture toolbar.
2 Use the tabs in the Define Filter - Capture dialog box to set up the
capture filter.
3 When you have finished setting up the filter, click the Start
Capture button at the lower left of the dialog box (Figure 10-1).
Figure 10-1. Starting Capture from the Define Filter - Capture Dialog Box

Setting Filter Options in the Address Tab
Defining Filters and Triggers
Use the options on the Address tab of the Define Filter dialog box to set
up a filter to capture or display packets between up to ten pairs of
network nodes by their addresses.
To set an Address filter:
1 Click the Address tab from the Define Filter dialog box.
2 Use the Address Type drop-down list to specify the type of
address on which you want to filter.
3 Use the Mode field to specify whether you want to Include or
Exclude the specified traffic.
4 The Known Address box includes addresses already known to
Sniffer Portable Professional (including those in your Address
Book). You can click and drag addresses from the Known Address
box into the Station 1 or Station 2 fields to filter on these
addresses. If you do not want to click and drag known addresses,
you can also manually add addresses by placing your cursor in the
appropriate field and typing the address.
NOTE: You can use a wild card symbol (*) in the third or
fourth octet of the address in Station 1 and Station 2. For
example, manually enter 10.20.*.* when IP is selected as
Address Type. If you have selected Hardware as the
Address Type, enter hardware addresses in the Station 1
and Station 2 fields as desired. Example: 0050da*.
5 You can use the adjacent / column to enter a subnet mask in CIDR
format. See Using CIDR Bit-Count Netmasks in the Address Tab on
page 226 for more information on this format.
6 Once you have specified the address pair on which you want to
filter, click the Dir button to specify in which directions you want to
capture traffic (from Station 1 to Station 2, from Station 2 to
Station 1, or in both directions).
7 Click OK.
Figure 10-2 shows the Address tab of the Filter Settings dialog box.
User’s Guide 225

Chapter 10
Drag and drop a symbolic address from the Known Address list
into the Station 1 or Station 2 fields. Known addresses come
from Broadcast Addresses, the Host Table, or the Address Book.
Define the address as either
a network hardware address
(6 bytes in hexadecimal
value) or a network IP or IPX
address (4 octets).
Select to include or exclude
packets that match the
address specification.
Start capture directly
from the Define Filter
dialog using this button.
226 Sniffer Portable Professional
Specify an
optional
subnet mask in
CIDR format.
Figure 10-2. Setting Address Filters
First, click to name the new filter.
Select which direction the traffic flows
by setting the Dir option.
Using CIDR Bit-Count Netmasks in the Address Tab
You can also just
type in an address
manually.
The Address tab lets you enter subnet masks in the Classless
Inter-Domain Routing (CIDR) scheme. CIDR uses a standard 32-bit IP
address with a short-hand version of the decimal netmask called a bit
count. For example, in the CIDR address 192.168.40.250 with a
netmask of 255.255.255.0, 24 is the number of bits in the netmask. So
the IP address and netmask can be written as 192.168.40.250/24.
If you don’t know your CIDR netmask, you can use Figure 10-3 to
convert your subnet mask to a CIDR bit count mask.

T
CIDR Bit
Count
/32
/31
/30
/29
/28
/27
/26
/25
/24
/23
/22
/21
/20
/19
/18
/17
/16
/15
/14
/13
/12
/11
/10
/9
/8
/7
/6
/5
/4
/3
/2
/1
/0
Equivalent Standard
Netmask
255.255.255.255
255.255.255.254
255.255.255.252
255.255.255.248
255.255.255.240
255.255.255.224
255.255.255.192
255.255.255.128
255.255.255.0
255.255.254.0
255.255.252.0
255.255.248.0
255.255.240.0
255.255.224.0
255.255.192.0
255.255.128.0
255.255.0.0
255.254.0.0
255.252.0.0
255.248.0.0
255.240.0.0
255.224.0.0
255.192.0.0
255.128.0.0
255.0.0.0
254.0.0.0
252.0.0.0
248.0.0.0
240.0.0.0
224.0.0.0
192.0.0.0
128.0.0.0
0.0.0.0
Figure 10-3. CIDR Netmask Conversion Table
Defining Filters and Triggers
User’s Guide 227

Chapter 10
Setting Filter Options in the Port Tab
228 Sniffer Portable Professional
You can filter by a specific IP or IPX port.
NOTE: If Hardware is selected as the Address Type in the Address
tab of the Define Filter dialog box, all fields in the Port tab of the
Define Filter dialog box are disabled. By default, IP is selected as
the Address Type when you open the Define Filter dialog box.
To filter by a specific port:
1 Select the Define Filter command from either the Monitor,
Capture, or Display menu (depending on the type of filter you
would like to create).
2 Click the Address tab and ensure IP or IPX is selected as the
Address Type. If Hardware is the selected Address Type, all fields
of the Port tab are disabled.
3 Click the Port tab.
4 An expandable tree displays known ports. Known ports include
ports already known to Sniffer Portable Professional (including
those in your Address Book). The list is dependent on the Address
Type selected in the Address tab of the Define Filter dialog box. If
IP is selected, the list displays known IP ports. If IPX is selected,
the list displays known IPX ports.
NOTE: Filtering by TCP or UDP ports is not supported.
5 Enter a port number in the Port 1 or Port 2 field by dragging and
dropping a known port from the list above into the desired field.
You can also manually add ports by placing your cursor in the
appropriate field and typing.
You can enter multiple ports by separating entries with a
comma (for example, 23,25).
You can enter a range of ports by using a hyphen. For
example, you can specify ports 23, 24, 25, and 26 by entering
23-26 in the Port field.
IMPORTANT: Multiple ports and/or a range of ports are only
supported on one side of a port pair. If you use multiple ports

Defining Filters and Triggers
on one side of the port pair the only options allowed on the
other side are ANY or a single port.
6 Once you have specified the ports on which you want to filter, click
the Dir button to specify in which directions you want to capture
traffic (from Station 1 to Station 2, from Station 2 to Station 1, or
in both directions).
7 Click OK.
User’s Guide 229

Chapter 10
Setting Filter Options in the Data Pattern Tab
230 Sniffer Portable Professional
Use the Data Pattern tab to define a filter that will only capture or
display packets that match a data pattern you specify. A data pattern
filter can be simple, consisting of a single data pattern, or very
sophisticated, involving multiple data patterns connected by Boolean
operators AND, OR, and NOT.
NOTE: A complex filter is limited to no more than 20 Boolean
operators and data patterns.
A data pattern is:
A particular sequence of bits
The length of the sequence
Its offset position within the packet
The maximum data pattern length is 32 octets. You can specify the
offset from the beginning of the packet or from the protocol boundary.
You can copy the data pattern for your filter from the display decode
screen. To do this, select the packet before you invoke the define filter
function. In the Data Pattern tab, select Add Pattern, then Set Data.
This copies the data field from the selected packet into the data pattern
fields, and calculates the offset and length. In addition, you can use the
selected pattern as a template, editing it in the display to suit your
needs.
To construct a complex data pattern filter, link data patterns using
Boolean operators. The result is displayed in a tree-like diagram on the
Data Pattern tab.
The Data Pattern tab displays the work space for creating your filter,
and displays the current data pattern equation. The buttons below the
display control the process of defining the Boolean expression and data
patterns.
Figure 10-4 shows the Data Pattern tab of the Filter Settings dialog
box.

Click to create a
new Boolean
Operator AND/OR
Click to create a
new data pattern.
You can use the
selected packet in
the Decode
display as a
template.
Start capture directly
from the Define Filter
dialog using this button.
Click to toggle the
selected Boolean operator
between AND and OR
Creates a NOT operator
Click to modify the
data pattern
Figure 10-4. Setting Data Pattern Filters
Defining Filters and Triggers
Evaluates the Boolean
equation immediately. If the
equation is incomplete, an
error message is generated.
Click to turn on or off the
NOT operator
Click to delete the selected Boolean
operator or data pattern. (If the operator
has child operators or data patterns,
they will be deleted with the parent.
User’s Guide 231

Chapter 10
Add or Edit Pattern Dialog Box
232 Sniffer Portable Professional
The Add or Edit Pattern dialog box (Figure 10-5, below) appears when
you click the Add Pattern or Edit Pattern buttons on the Data Pattern
tab of the Define Filter dialog box (Figure 10-4 on page 231). Use this
dialog box to define a specific data pattern to filter.
Keep the following in mind when adding or editing a data pattern filter:
Use the From: and Format: fields to identify the type of data you
would like to use for the data pattern.
Check the Variable Offset option to search for the data pattern
you define, starting at byte 0 until the pattern is matched or has
reached the end of the frame. With this option enabled, you do not
have to define the fixed offset data pattern.
If Variable Offset is not selected, designate an Offset value in the
field provided. This option is useful when you are reasonably sure
the pattern falls between a specific start and end offset.
Specify the End Offset (hex) in the field provided.
Enter the pattern in row 1 and 2.
The easiest way to add patterns is to select a packet in the Decode
tab before you click Define Filter. When you do it this way, the
selected packet will appear in the Edit Pattern dialog box, allowing
you to populate your pattern with information from the selected
packet (Figure 10-5).
Figure 10-5. Add or Edit Pattern Dialog Box

More on Data Pattern Filters
Defining Filters and Triggers
A data pattern filter can be created from a single data pattern or from
multiple data pattern definitions that are connected together by
AND/OR/NOT Boolean operators. A complex filter can contain no more
than 20 Boolean operators and data patterns.
A data pattern is defined by a particular sequence of bits, the length of
these bits, and the pattern's offset position within the packet. You have
the option of specifying the offset from the beginning of the full packet
or from the first level protocol boundary. The maximum data pattern
length is 32 octets.
The beginning octet location of a protocol boundary from the packet may
vary depending upon the media type, (Ethernet), or the DLC format
(Ethernet II, 802.2, 802.2 SNAP) it uses. IPX protocol is a good example.
It starts from offset byte 14 in an Ethernet II-type packet, but from byte
17 in an 802.2-type packet. Since Sniffer Portable Professional
recognizes various DLC format types and is able to mark the protocol
boundary correctly, using the protocol layer boundary as a starting
location for calculating the offset allows you to capture protocol packets
with a pattern filter from different network media or with different DLC
formats.
To facilitate the definition of a data pattern, Sniffer Portable Professional
allows you to 'copy' the data pattern of your choice from a known
packet. To do this, you must be in the packet decode viewer, and have
selected a particular packet before you invoke the Define Filter profiler.
Use Add Pattern/Set Data in the Data Pattern tab to copy a known data
field from the decoded packet into the data pattern fields. This will
automatically calculate the offset and length, fill the data pattern, and
suggest a default field name.
Use AND/OR/NOT Boolean operators to construct a complex data
pattern filter. The result is displayed in a tree-like diagram to show the
logical relationships.
The best way to learn how to construct a Boolean Data Pattern filter is
to start from a simple data pattern filter. The first step is to write down
the logical relationships in a Boolean equation. Next, clarify the Boolean
operation's precedence by using parenthesis liberally, so that the final
equation can be constructed using a binary-tree diagram.
The following example demonstrates how to construct the sample filter,
My Subnet. (My Subnet is also listed in the sample Boolean Data Pattern
filters supplied in Sniffer Portable Professional capture profiles.)
Suppose that you want to capture all IP traffic except traffic to and from
subnet 36.56.0. The first step is to write down a data pattern Boolean
equation that represents this operation:
Not (Src Subnet 36.56.0 OR Dest Subnet 36.56.0)
User’s Guide 233

Chapter 10
234 Sniffer Portable Professional
If you already have a capture packet file that contains this subnet
address, you should open this file and select the packet containing the
source subnet address 36.56.0. This will substantially ease the data
entry operation later, when you define the data pattern for the subnet
35.56.0.
Next, start defining the data pattern filter by following these steps:
1 From the main toolbar, click to open the Define Filter dialog
box.
2 Click the Profiles button to open the Capture Profiles dialog box.
3 Click the New button. Enter new profile name for example, My
Subnet. Click OK.
4 Click the Done button to close the Capture Profiles dialog box.
5 Click the Advanced tab.
6 Select IP from the Available Protocols list box. This will filter out any
non-IP packets that might have the same data pattern.
7 Click the Data Pattern tab. A default AND operator is displayed.
8 Click the Add NOT button to create a NOT operator.
9 From the newly created NOT line, click the Add AND/OR to create
a new AND child operator linked to the NOT operator.
10 Click the Toggle AND/OR button to change the AND to OR.
11 From the OR line, click the Add Pattern button to invoke the Edit
Pattern dialog box.
12 Scroll the detail decode window to locate the IP source address
containing subnet 35.56.0 and highlight the field.
13 Select Protocol in the From list box. This will tell Sniffer Portable
Professional to calculate the source IP address offset from the
beginning of the IP protocol data packet.
14 Click the Set Data button to tell Sniffer Portable Professional to fill
in the source IP address field.
15 Change Len (length of subnet) from 4 to 3, and delete the 4th octet
from the data pattern field.
16 Edit the Name field to Src Subnet 36.56.0.
17 Click OK. A new data pattern Src Subnet 36.56.0 is created and
connected to the OR operator.
18 Click the OR operator again to select it.
19 Click Add Pattern to open another Edit Pattern dialog box.

Defining Filters and Triggers
20 Click Set Data to tell Sniffer Portable Professional to fill in a dummy
data pattern (a placeholder) for the Dest Subnet and click OK.
21 Click OK again in the Define Filter dialog box to save the filter.
22 Select the next packet containing the destination IP subnet address
from the Packet Display.
23 From the main toolbar, click to open the Define Filter dialog
box for My Subnet.
24 Click the Data Pattern tab to display the Data Pattern filter
defined so far.
25 Highlight the second PAT (this was the placeholder created
previously) and click Edit Pattern to open the Edit Pattern dialog
box.
26 Scroll the detail decode window to locate the IP destination address
containing subnet 35.56.0. Highlight the field.
27 Select Protocol in the From list box. This will tell Sniffer Portable
Professional to calculate the destination IP address offset from the
beginning of the IP protocol data packet.
28 Click the Set Data button to tell Sniffer Portable Professional to fill
in the source IP address field.
29 Change Len (length of subnet) from 4 to 3, and delete the 4th octet
from the data pattern field.
30 Edit the Name field, so it shows Dest Subnet 36.56.0.
31 Click OK. A second data pattern Dest Subnet 36.56.0 is created
and connected to the OR operator.
32 Click Evaluate. The resulting operation Not (Src Subnet 36.56.0
OR Dest Subnet 36.56.0) is shown on the top line.
33 Click OK to save the filter.
Setting Filter Options in the Advanced Tab
Use options on the Advanced tab to define a filter based on packet size,
protocol type, or error type.
You can specify packets that are equal to, greater than, or less than a
specific packet size, or in a range or outside of a range of packet sizes.
You can select one or more protocols or subprotocols to act as a filter. If
the packet matches one of the selected protocol types, it will pass
through the filter. (If no protocol is selected, Sniffer Portable
Professional captures all protocol types.)
User’s Guide 235

Chapter 10
Specify one or more
network protocols on
which to filter. All
network protocols with
a checkmark will be
included.
Start capture directly
from the Define Filter
dialog using this button.
236 Sniffer Portable Professional
If a protocol you need is not defined in the protocol list, you can define
your own protocol filter using the data pattern filter controls.
NOTE: Selecting or deselecting a parent protocol (a protocol with a
+\- sign adjacent to its entry in the list) automatically selects or
deselects all of its child protocols. For example, selecting the IP
entry automatically selects each of the sub-protocol entries in the
IP family (TCP, UDP, and so on). You can still select and deselect
individual sub-protocols manually; this shortcut simply provides
you with a means of selecting or deselecting entire protocol families
quickly.
Not all protocols in the list are supported by the Expert. For a list of
currently supported protocols for Expert, see the online Help.
Packet Types filters for error packets require an enhanced driver for
detection. Because Sniffer Portable Professional does not support
enhanced drivers for Ethernet or WLAN on Vista, these filters will not
typically work for those topologies and/or operating system.
Figure 10-6 shows the Advanced tab of the Filter Settings dialog box.
Specify the packet size
on which to filter.
Figure 10-6. Setting Advanced Filters

Defining Filters and Triggers
Filters for 802.11 Packet Types in the Advanced Tab
When using Sniffer Portable Professional with a wireless adapter, the
Packet Type dropdown includes the wireless LAN error packet types
listed and described in Table 10-1.
Table 10-1. Wireless LAN Error Packet Types Available for Filtering
Packet Type Description
PLCP Errors PLCP errors occur when a wireless station
receives a Physical Layer Convergence
Protocol header with an invalid checksum.
Before frames are sent between wireless
stations, the physical layer (PHY) sends a
PLCP header to a receiving station to
negotiate the size of the frames to be sent,
the speed at which they should be sent, and
so on. This PLCP header includes a
checksum which the receiving station uses
to validate that the received PLCP header is
not corrupt. If this checksum is corrupt, it is
considered a PLCP error.
WEP ICVs The Wired Equivalent Policy (WEP) is used to
encrypt data sent between stations on the
wireless network. When two stations
exchange WEP-encrypted data, they go
through an authentication sequence wherein
challenge messages are encrypted and
decrypted by sender and receiver. If an
Integrity Check Value does not match
between sender and receiver, the receiver
sends a frame indicating a communications
failure (that is, an invalid WEP ICV). This
filter works on these types of packets.
User’s Guide 237

Chapter 10
Setting Filter Options in the 802.11 Tab
238 Sniffer Portable Professional
When working with a wireless adapter, you can use the options in the
802.11 tab (Figure 10-7) to filter on a variety of different types of
wireless traffic, as summarized below.
Figure 10-7. Define Filter > 802.11 Tab
Traffic Type Filters
Interference can occur in wireless networks when multiple access points
within a range of each other are broadcasting on the same or
overlapping channels. The impact of this interference on network
performance can intensify during busy times when a large amount of
data and media traffic compete for bandwidth.
Use the Traffic Type options to detect packets on a channel to which
they do or do not belong:
Valid packets are packets which belong on the specified
channel(s).
Invalid packets are packets which do not belong on the specified
channel(s).
Indeterministic packets are packets which Sniffer Portable
Professional cannot determine whether are valid or invalid.

Channel Filters
Defining Filters and Triggers
Use the Channel filters to specify different wireless channels to include
as part of this filter. Acceptable values range from 1-161. You can enter
either multiple values separated by commas or a single range separated
by a hyphen. For example, you could enter a range like this:
1-12
Alternatively, you could enter multiple individual values like this:
5,7,12,149
Speed Filters
Use the Speed filters to specify different wireless traffic speeds (in
Mbps) to include as part of this filter. Packets matching one of the
specified speeds are included as part of the filter.
You can enter either multiple speeds separated by commas or a single
speed range separated by a hyphen. For example, you could enter a
range like this:
1-10
Alternatively, you could enter multiple individual values like this:
48,54
Setting Filter Options in the Buffer Tab
Set options for the capture buffer on the Buffer tab. (These settings are
used only if the filter is being used as a capture filter.) For a description
of the capture buffer settings, refer to Capture Buffer on page 124.
Working with Display Filters
A display filter allows you to filter out unwanted packets when you
display the contents of a capture buffer or trace file in the postcapture
window. The profile defined for a capture filter can also be used for
filtering out packets from the postcapture Display by using the Display
> Select Filter command – the dialog box that appears will display all
defined Capture Filter profiles under their own entry. See Selecting
Filters / Combining Multiple Filters on page 174 for details.
The procedure for defining a display filter is identical to the procedure
for a capture filter.
To create or change a display filter:
User’s Guide 239

Chapter 10
240 Sniffer Portable Professional
1 From the Display menu, select Define Filter.
2 Follow the Define Filter procedure (Defining Filters on page 220).
The links to topics describing how to create various capture filters
are applicable to defining a display filter.
3 From the Display menu, choose Select Filter to apply your new
filter to the current display.
Filtering from the Decode Window
This release provides a variety of new features for filtering from a
Decode tab. You can:
Select a packet in the Decode tab’s Summary pane and click the
Define Filter button to automatically populate the Define Filter
dialog box with some of its components (connection information,
source port/address, destination port/address, and so on).
Add a new filter component to the previous filter by selecting a
packet in the Summary tab and clicking Add to Last Filter button.
Use the Quick Filter button to automatically filter the display based
on the selected information in the currently selected packet (Quick
Filters do not display the Define Filter - Display dialog box as
automatic filters do).
Specify whether Display filters return results by selecting/clearing
packets in the active tab or by creating a new tab of filtered
packets.
Apply Display filters to all packets or only selected packets.
These features are described in detail starting in Postcapture Decode
Display on page 162. In particular, see the following topics:
Using the Decode Tab Toolbar on page 165
Setting Display Filters on page 167
Using Automatic Display Filters on page 168
Using Quick Filters on page 172
Combining Filter Components (“Add to Last Filter”) on page 173
Selecting Filters / Combining Multiple Filters on page 174
Saving Sets of Filtered Frames / Creating New Windows on page
177

Defining Filters and Triggers
Sharing Filters between Systems and Products
Importing Filters
You can import or export individual filters between other Sniffer Portable
Professional systems and some NetScout products (for example, Sniffer
InfiniStream, Sniffer Portable and Sniffer Distributed). Filters are
imported and exported through the Define Filter dialog box.
Individual filters can be imported from other Sniffer Portable
Professional units. Sniffer Portable Professional filters are compatible
with other NetScout products supporting the .snf format (for example,
Sniffer InfiniStream, Sniffer Portable, and Sniffer Distributed). Before
importing a filter to your Sniffer Portable Professional installation, place
the filter in a network drive accessible to the Sniffer Portable
Professional machine.
To import filters:
1 From the main toolbar, click to open the Define Filter dialog
box.
2 Click the Profiles button at the base of the Summary tab.
3 Click Import in the Capture Profiles dialog box.
4 Browse to the directory containing the capture or display filter.
5 Select a filter and click Open.
6 Click OK.
Exporting Filters
The filter appears in the filter list and is copied to the appropriate folder
on the Sniffer Portable Professional PC.
Individual filters can be exported for use with other NetScout products
supporting the .snf format (for example, Sniffer InfiniStream, Sniffer
Portable, and Sniffer Distributed).
To export filters:
1 From the main toolbar, click to open the Define Filter dialog
box.
2 Click the Profiles button at the base of the Summary tab.
3 Select a filter from the list.
User’s Guide 241

Chapter 10
242 Sniffer Portable Professional
4 Click Export in the Capture Profiles dialog box.
5 In the Select Default Directory dialog box, select Folders.
6 Select the desired location where you want to export the filter from
the Drives drop-down list. You can also click Network to specify a
different machine accessible to the Sniffer Portable Professional PC.
7 Click OK.
Defining Triggers
Triggers let you start and stop captures based on date and time, alarms,
and specific network events. Use triggers to capture data while your
Sniffer Portable Professional machine is unattended, such as on
off-hours or weekends, or to start captures when specific events occur,
such as alarm conditions.
IMPORTANT: You cannot enable a trigger when a capture is already
running. If you try to do so, you will receive a Failed to set trigger
error message. Stop any active captures before enabling a new trigger.
You can define three kinds of triggers — start triggers, which will start a
capture session, stop triggers, which will stop a capture session, and
start and stop triggers, which do both.
A start trigger has two elements:
Trigger specification. Specifies what will start a capture session.
Select a predefined trigger specification from a drop-down list, or
create a new one by clicking the Define button.
Capture filter specification. Select a capture filter to use during
the capture. Select one from the Capture Filter list.
A stop trigger has three elements:
Trigger specification. Specifies what will stop a capture session.
Select a predefined trigger specification from a drop-down list, or
create a new one by clicking the Define button.
Trigger delay specification. Specifies how many packets to
capture after the stop trigger event occurs.
Restart option. Check this box to automatically restart capturing
after the stop trigger event occurs.
As with a filter, once you create and name a trigger, you can reuse it
whenever appropriate.

This picture
graphically
depicts your
trigger
definition
To define a trigger:
1 Select Trigger Setup from the Capture menu.
Defining Filters and Triggers
The Trigger Setup dialog box opens (shown in Figure 10-8).
Click to specify which events to use
as a start trigger (start time and date,
threshold alarm, and/or event filter)
Define how to control packet capture:
Start trigger, stop trigger, delay after
trigger, or repeat mode
Figure 10-8. Defining a Trigger
Specify what capture
filter to use when the
trigger event occurs
Click to specify which events to use
as a stop trigger (start time and date,
threshold alarm, and/or event filter)
2 Select Enable under Start Trigger, Stop Trigger, or both. Start
triggers start capture sessions when the trigger event is detected.
Stop triggers stop a capture session when the trigger event is
detected. Start and stop triggers do both.
3 Click the Define button corresponding to the type of trigger event
you want to specify (Start or Stop).
Either the Start Trigger dialog box (Figure 10-9) or the Stop Trigger
dialog box appears, depending on which Define button you clicked.
These dialog boxes let you specify the Start or Stop Trigger event.
Existing trigger profiles are shown in the Triggers list.
User’s Guide 243

Chapter 10
244 Sniffer Portable Professional
a Click New to create a new trigger.
b Enable the Date/Time option to select a specific date and
time as the trigger event.
c Enable the Alarms option to select a particular type of Monitor
Alarm as the trigger event. The thresholds for monitor alarms
are specified in the Tools > Options > MAC Threshold tab.
d Enable the Event filter option to select a Filter Profile as the
trigger event. The dropdown automatically lists all configured
Filter Profiles. When Sniffer Portable Professional detects a
packet matching the selected filter’s definitions, capture will
either start or stop (depending on what type of trigger you are
setting up).
For example, if you want to start a capture triggered by a
particular IP address, you can accomplish this by defining an
IP address filter with your known IP address in the Station 1
field and Any in the Station 2 field, with the Dir set
appropriately. Then, you can use this filter as the Event
filter for the Start Trigger.
e Click OK to close the Start Trigger or Stop Trigger dialog box.
Figure 10-9. Start Trigger Dialog Box
4 In the Trigger Setup dialog box (Figure 10-8):
a For Start Triggers, use the Capture Filter option to select
what capture filter to use when the trigger event is detected
and capture starts.
a For Stop Triggers, specify the number of packets to capture
after the Stop trigger event in the field provided.

Defining Filters and Triggers
b For Stop Triggers, check the Automatically re-start
capture after stop field to restart capture automatically after
capture is stopped after a Stop Trigger event.
5 Check Repeat Mode to automatically repeat this trigger. This
option applies to both Start and Stop triggers.
6 Click OK.
Specifying a Capture Filter for a Trigger
To specify what capture filter to use when a capture is started
with a trigger:
1 Select Trigger Setup from the Capture menu.
2 In the Start Trigger section, check the Enable checkbox.
3 Select a trigger from the pull-down list. If you want to create a new
trigger, click Define.
4 Select the capture filter you want from the Capture Filter pull-down
list. (If you want to create a new capture filter, cancel from the
Trigger Setup dialog box and select Define Filter from the Capture
menu. Then return to the Trigger Setup dialog box and continue.)
5 Click OK.
Capture Trigger Example
The following example shows how an event filter (seeing any Telnet
packet) can be used to trigger the start of a packet capture. Then, after
either 60 minutes has elapsed or a predefined IP address is detected,
the packet capture continues for 3,000 packets, and then the capture
stops.
This example assumes that filters have already been defined
for a Telnet packet and a known IP address:
1 From the Capture menu, select Trigger Setup to open the Trigger
Setup dialog box.
2 Check the Enable check box of the Start Trigger section, and click
the Define button. A Start Trigger dialog box appears.
3 Click New to invoke a New Trigger dialog box.
4 Enter the name of the start trigger, in this example, Start Trigger
Sample.
User’s Guide 245

Chapter 10
5 Click OK.
246 Sniffer Portable Professional
6 Mark the Event Filter check box, and select a defined filter from
the drop-down list. In our example, we've previously created a
filter named Telnet Packet and selected it as the Event Filter in
the Start Trigger dialog box.
7 Click OK. Alternatively, you may use Date/Time or Alarm as the
trigger. Enter the time, and select each weekday of your choice by
clicking on the button to toggle its ON/OFF state. A floating button
means OFF; a sinking button means ON. If you are interested in
using network traffic load to trigger capture, select Alarms and the
individual network variables as the trigger.
8 Select a capture filter profile from the Capture Filter pull-down
menu. The capture filter selected here will be used as the capture
filter when the start trigger activates the capture.
9 Mark the Enable check box of the Stop Trigger section, and click
Define.
10 Click New, and define a new stop trigger Stop Trigger Sample
and click OK.
11 Select the Time check box. Specify Stop after 3600 seconds
from start as the first stop trigger. Mark the Event filter check
box, and select IP Address as the second stop trigger. Then click
OK.
12 Enter Capture 3000 packets after stop trigger happened. Click
OK.
The trigger appears as in the figure below.
Figure 10-10. Sample Trigger

Trigger Entries in Alarm Log
Defining Filters and Triggers
Sniffer Portable Professional will log information related to trigger event
detection and captures started\stopped based on trigger event detection
to the local Alarm Log.
Alarms logged for trigger events typically include the time the capture
started, the types of trigger event(s) specified for both Start and Stop
triggers, and a variety of other configuration information summarizing
the trigger definitions.
User’s Guide 247

Chapter 10
248 Sniffer Portable Professional

Using the Address Book
Overview
11
The address book lets you assign familiar, recognizable names for your
network nodes. These symbolic names are used in place of six-byte
hardware addresses and IP addresses in:
Filter definitions
The capture decode display
The Expert display
Host Table displays (both monitor and capture)
Matrix displays (both monitor and capture)
To create an address book to maintain a symbolic name table for your
own network, you can:
Entering Names Manually on page 252
Use the address book's autodiscovery feature
Add names discovered by the Expert analyzer
About Address Entries
The Address Book allows you to define your network nodes in
more-readable symbolic names. Sniffer Portable Professional uses the
address book in filter definitions, the capture decode display, the Expert
display, and the Host Tables to replace the 6 byte hardware address or
network address of the network node with its respective symbolic name.
An address book entry contains:
Name
Medium
Hardware Address
IP Address
IPX Address
Type
User’s Guide 249

Chapter 11
Description
250 Sniffer Portable Professional
NOTE: The address book can contain a maximum of 5,000 entries.
Sniffer Portable Professional uses only the medium, hardware address,
IP/IPX address, and Type fields. The other fields are only informational.
The Medium field can also be thought of as a topology field - it
refers to the type of network entity for which you are creating an
Address Book entry. The Medium field tells Sniffer Portable
Professional on what types of networks it should look for this
Address Book entry.
The Medium field also determines the type of HW Address you can
enter. For example, if you set Medium to Ethernet, blanks are
provided in the HW Address field for you to enter a standard
Ethernet hardware address in hexadecimal format.
The Type selections are Workstation, Server, File Server, Printer
Server, Router, Bridge, Hub, Access Point, and Mobile Unit. The
Type field is mainly used when exporting the MAC addresses of
access points to the Expert's list of known access points.
The Description field is a text field in which you can write your own
description or notes about the node.
Creating Address Book Entries
You create an address book to maintain a symbolic names table for your
own network. To create entries in the address book, you can enter
names manually or automatically discover names with the address
book’s autodiscovery feature.
To create an address book entry:
1 Select Address Book from the Tools menu or click in the
main toolbar.
2 Click the right mouse button to display the context menu.
3 Click New Address to open the New/Edit Address dialog box.
4 Enter the Name, Medium, HW Address, IP Address and/or IPX
Address. If the entry is a router, select Router for the Type. (This
prevents duplicate address alarms during address autodiscovery.)
Other entries are for user reference only. Sniffer Portable
Professional does not interpret them.

Add a new address
Edit selected
address
Delete selected
address
Undo and redo
previous action
Sort and unsort
address book
Export Access
Point list
Using the Address Book
NOTE: The Medium field can also be thought of as a topology
field - it refers to the type of network entity for which you are
creating an Address Book entry. The Medium field tells Sniffer
Portable Professional on what types of networks it should look
for this Address Book entry.
5 The Medium field also determines the type of HW Address you can
enter. For example, if you set Medium to Ethernet, blanks are
provided in the HW Address field for you to enter a standard
Ethernet hardware address in hexadecimal format.
6 Click Save to add the new entry to the Address Book. Alternatively,
click Save and Next to save this entry and add another entry.
NOTE: The address book can contain a maximum of 5000
entries.
Export table to
spreadsheet
Figure 11-1. The Address Book
Autodiscover IP addresses
and Domain names
Delete all
entries.
User’s Guide 251

Chapter 11
Entering Names Manually
Specify the
name,
medium,
hardware
address,
IP/IPX
address, and
type of
network node
in these
fields.
252 Sniffer Portable Professional
You can build your own address book by getting hardware addresses and
IP addresses from the host table.
To add a new address to the book, select Address Book from the Tools
menu. Then, click the New Address button in the Address Book
toolbar. The New/Edit Address dialog box opens (Figure 11-2). You can
enter address information for a network node in this dialog box.
Figure 11-2. Entering Names Manually
About the Medium Field
A node Type can be:
Workstation
Server
File Server
Printer Server
Router
Bridge
The Medium field can also be thought of as a topology field – it refers
to the type of network entity for which you are creating an Address Book
entry. The Medium field tells the Sniffer on what types of networks it
should look for this Address Book entry.
The setting of the Medium field also determines the type of HW
Address you can enter. For example, if you set Medium to Ethernet,
blanks are provided in the HW Address field for you to enter a standard
Ethernet hardware address in hexadecimal format.
Hub
Access Point
Mobile Unit

Autodiscovering Addresses and Names
Using the Address Book
Sniffer Portable Professional provides an autodiscovery feature that
learns the following names and addresses automatically and saves them
in the Address Book:
A network node’s IP address, its associated hardware address, and
domain name
A network node’s NetBIOS name and hardware (MAC address)
An IPX network node’s Netware user name and hardware (MAC)
address
NOTE: To ensure accuracy, autodiscovery discovers source
addresses and not destination addresses.
IMPORTANT: During autodiscovery of Netware user names and MAC
addresses, you must log in to a Netware Server from a DOS window and
type the command userlist /a. This procedure enables Sniffer Portable
Professional to extract login user names and hardware addresses.
To use the autodiscovery feature:
1 Click the autodiscovery button in the Address Book toolbar or
right-click and select Auto Discovery.
The Discovery Option dialog box opens. Select the type of address
to resolve (see Figure 11-3).
User’s Guide 253

Chapter 11
Click to resolve the Domain name of any IP
node that has traffic on the subnet
Click to
resolve the
NetBIOS name
of any node
that has traffic
on the subnet
Click to resolve the Netware
user name of any IPX node
that has traffic on the subnet
254 Sniffer Portable Professional
Enter the subnet address and node address range
to resolve the Domain names of specific IP nodes
Figure 11-3. Setting Autodiscovery Options (Wireless Adapter Selected)
Exporting Access Point Addresses to the Expert’s List of Known
Addresses
You can use the Export AP button in the Address Book’s toolbar to
export each of the access point entries to the Expert’s list of known
access points. The Expert uses this list to generate the Rogue Access
Point alarm. During capture with the Enable Rogue AP Lookup option
enabled, the Expert compares the MAC address (not the IP address) of
each detected access point to those in the Known Access Points in the
Network list. If the access point’s MAC address is not in the list, the
Expert generates the Rogue Access Point alarm. You can see the
Expert’s list of known access points in the Tools > Expert Options >
802.11 Options tab or in the Tools > Wireless > Rogue dialog box.
See Expert 802.11 Options on page 140 for details on configuring the
Expert to generate Rogue Access Point and Rogue Mobile Unit
alarms.

Configuring Autodiscovery for Routers
Using the Address Book
A router carries traffic between other subnets and the local segment
where your Sniffer Portable Professional resides, therefore, the router’s
hardware address will be associated with any IP address that passes
through it. This appears as a duplicate IP address to the autodiscovery
process. When autodiscovery finds duplicate IP addresses, it adds an
entry into the Alarm log and sounds an audible alarm. To prevent these
false duplicate IP address alarms, you must manually enter your IP
network router’s IP address, hardware address, and domain name in the
address book first, and specify the Type as Router.
Adding Discovered Addresses to the Address Book
During capture, the Expert analyzer automatically discovers name and
address pairs on the network. You can add these discovered addresses
to the analyzer’s Address Book using the Discovered Addresses dialog
box.
To add name and address pairs discovered by the Expert:
1 After a capture, display the Expert tab of the display window.
2 Click Discovered Addresses in the Expert tab of the display
window. The Discovered Addresses dialog box appears (Figure
11-4). It lists the new name and address pairs that have been
discovered during the capture session. Only name and address
pairs not already in the address book are listed.
Figure 11-4. The Discovered Addresses Dialog Box
3 Select the addresses in the list that you would like to add to the
Address Book. You can use the standard Shift-Click and Ctrl-Click
methods to select multiple entries. You can also use Select All and
Select None to speed the selection process.
User’s Guide 255

Chapter 11
256 Sniffer Portable Professional
4 When you have finished selecting the addresses you would like to
add to the Address Book, click Update.
5 The Address Book appears with the newly added entries
NOTE: The General tab of the Options dialog box (accessed from
the Tools menu) provides a means to ensure that you are reminded
to save discovered name and address pairs. If you enable the
Discovered Address checkbox in the Prompt to save/update
list, the analyzer will always ask you if you want to save discovered
addresses that have not yet been saved when you close a capture
window.

Managing Alarms
Overview
The Alarm Log
12
Sniffer Portable Professional’s alarm features provide a comprehensive
method of detecting and logging network alarm events:
The Sniffer Expert generates alarms during data capture. It can log
an event in the Alarm log when it detects a symptom or diagnosis.
The monitor’s Alarm Manager starts automatically when you start
Sniffer Portable Professional. It logs an event in the Alarm log when
a user-specified threshold parameter is exceeded.
Abnormal network events can be assigned to one of five different levels
of severity: Critical, Major, Minor, Warning, and Informational. In
addition, you can associate each severity level with up to four alarm
notification actions (for example, you can configure Sniffer Portable
Professional to send email when a critical or Major alarm occurs). Alarm
notification actions can be activated during certain time periods within a
day, or on certain days of the week.
Logged alarm events (Monitor alarms and Expert alarms) are listed in
the Alarm log, which you display by selecting Alarm Log from the
Monitor menu or by clicking the Alarm button .
IMPORTANT: Alarms (both Monitor and Expert) are only logged in the
Monitor > Alarm Log if the Enable Alarm option is checked in the
Tools > Options > Alarm tab. This option is enabled by default. See
Setting Up Logging for the Local Alarm Log on page 259 for details.
For each alarm event, you see the type of node that triggered the alarm
(for example, server, bridge, or hub), a description of the alarm, the
time it occurred, and the severity level.
The Alarm log (sample shown in Figure 12-1) displays the following
information:
Status. Alarm status. The Status can be new or acknowledged (i).
To acknowledge an alarm, right-click on the alarm entry and select
Acknowledge.
User’s Guide 257

Chapter 12
Type of node triggering
the alarm (as defined in
your address book)
258 Sniffer Portable Professional
Type. The type of node triggering the alarm (as defined in your
address book).
Log Time. The date and time the alarm was triggered.
Severity. Level of severity assigned to this type of alarm (1
through 5).
Description. A brief description of the error.
Figure 12-1 shows a sample Alarm log.
Date and time
the alarm was
triggered
The Status can be new (-) or acknowledged (i). To acknowledge
an alarm, right-click the alarm entry and select Acknowledge.
Figure 12-1. The Alarm Log
Level of severity
assigned to this type of
alarm (1 through 5)
Description of
the error

Setting Up Logging for the Local Alarm Log
Managing Alarms
Configuring logging for the local Alarm Log consists of the following
steps:
Make sure the Enable Alarm option is checked in the Tools >
Options > Alarm tab (Figure 12-2). This option is enabled by
default. This option must be enabled for any logging to take place
in the local Alarm Log.
Use the Tools > Expert Options > Alarms tab to set Alarm
Logged to YES for each Expert alarm you’d like logged in the local
Alarm Log. See Logging and Severities for Expert Alarms.
Use the Tools > Options > Alarm tab’s Severities button to
specify the severity for each possible monitor alarm. See Severities
for Monitor Alarms.
Alarms are
logged in the
local Alarm
Log when
this option is
checked.
Figure 12-2. Setting Up Alarm Logging
User’s Guide 259

Chapter 12
Setting Alarm Severity Levels
260 Sniffer Portable Professional
You can assign a severity level to both Monitor and Expert alarms
(symptoms and diagnoses).
Severities for Monitor Alarms on page 260
Logging and Severities for Expert Alarms on page 262
IMPORTANT: Alarms (both Monitor and Expert) are only logged in the
Monitor > Alarm Log if the Enable Alarm option is checked in the
Tools > Options > Alarm tab. This option is enabled by default. See
Setting Up Logging for the Local Alarm Log on page 259 for details.
Severities for Monitor Alarms
By default, Sniffer Portable Professional defines the alarm event types
listed in the table below and assigns each one a severity level. You can
change the default severity level assigned to each event to suit your
specific network operating environment. Table 12-1 lists the default
severity levels.
Table 12-1. Default Severity Levels
Alarm Event Severity Level
Threshold: Over upper limit Critical
Address: Duplicate IP address Critical
Address: Duplicate data in address book Inform
To change an alarm severity level, select Options from the Tools menu,
then click the Alarm tab. Click the Define Severity button to open the
Define Severity dialog box (Figure 12-3). Click the Severity cell for an
alarm to display a list of severity-level options. Select the one you want
to use and click OK.

Figure 12-3. Setting Severity Levels for Alarms
Managing Alarms
Select the
severity level
from the
drop-down
list
User’s Guide 261

Chapter 12
Logging and Severities for Expert Alarms
262 Sniffer Portable Professional
Expert alarms (symptoms and diagnoses) can be assigned one of five
different severity levels: Critical/Diag, Major, Minor, Warning, and
Informational. The severity level for a symptom or diagnosis displays in
the summary pane of the Expert window. It is also recorded in the Alarm
log if the alarm setting Alarm Logged is set to YES in the Tools >
Expert Options > Alarms tab.
IMPORTANT: Alarms (both Monitor and Expert) are only logged in the
Monitor > Alarm Log if the Enable Alarm option is checked in the
Tools > Options > Alarm tab. This option is enabled by default. See
Setting Up Logging for the Local Alarm Log on page 259 for details.
To change the severity level for an Expert alarm, select Expert Options
from the Tools menu and click the Alarms tab (Figure 12-4). Then, click
(0) or (1) at the top of the left column to expand/collapse all Expert
layers. Click (+) or (-) next to an Expert layer to display all alarms for
that level. For the Alarm log to record the alarm, you must set the Alarm
Logged option to Yes.
Click in the Value cell for an alarm to display a dropdown box. From the
dropdown box, select a severity level.
NOTE: The alarm must be recorded in the Alarm log for notification
to take place. Refer to Setting an Alarm Notification Action on page
265.

Click the + to open
an Expert layer
and display all
alarms
Click the + to
display an alarm’s
settings
Alarm Logged
must be set to Yes
to record the alarm
in the Alarm log.
Click to expand/collapse all
Expert layers
Figure 12-4. Setting Severity Levels for Expert Alarms
Managing Alarms
Click the
Value cell for
the severity
to display the
drop-down
box.
User’s Guide 263

Chapter 12
Setting Alarm Notification
264 Sniffer Portable Professional
Each severity level that can be assigned to an alarm (Critical/Diag,
Major, Minor, Warning, and Informational) can be associated with up to
four alarm notification actions. These notification actions can be enabled
for specified time periods within a day, and on specified days of the
week. When an alarm is triggered, Sniffer Portable Professional can:
Send email
Invoke a script to open an application or send an alarm notification
as an SNMP trap to an SNMP console
To set up a notification action:
1 Select Options from the Tools menu.
2 Select the Alarm tab.
3 Click Define Actions to open the Define Actions dialog box (Figure
12-5).
4 Click Add and select the radio button for the type of alarm
response you want. A wizard will guide you through the setup
procedure.
NOTE: Expert alarms must have their Alarm Logged options set to
Yes in the Tools > Expert Options > Alarms tab for notification
to take effect. Refer to Logging and Severities for Expert Alarms on
page 262.

Select and configure the
option you want to use
Click Add to open the
New Alarm Action
dialog box and set up
a new alarm action
Figure 12-5. Setting an Alarm Notification Action
Enabling Alarm Actions
Managing Alarms
After you complete the definition of an alarm action, you must assign it
to a severity level. Up to four actions can be assigned to a severity level.
When an alarm of a particular severity level occurs, all actions assigned
to it are executed (unless disabled by time and date settings).
NOTE: You must enable alarms for alarm actions to take place.
Check the Enable Alarm check box on the Alarm tab to enable
alarm actions.
Alarm Beeps and Sounds
Specify a name for the alarm action
By default, Sniffer Portable Professional makes a single beep sound
when an alarm occurs. If you prefer another sound, you can replace the
standard beep with any .wav sound file. To do this, click the button
on the Alarm tab and select the file.
User’s Guide 265

Chapter 12
266 Sniffer Portable Professional

Network Adapters and
Settings
Overview
13
This chapter describes how to select different adapters for capture, and
how to bind and load multiple instances of Sniffer if there are multiple
adapters. In addition, it also discusses how to use Sniffer Portable
Professional’s profile feature to maintain multiple sets of settings for
capture and monitoring.
Removing Network Adapters
Do not remove network adapters from the Sniffer Portable Professional
PC while the application is actively using them. For example, if Sniffer
Portable Professional is currently logged on to a wireless adapter, do not
remove the adapter. Removing the adapter can result in unpredictable
results. Instead, close Sniffer Portable Professional and then remove the
adapter.
When using Sniffer Portable Professional on Windows Vista, you must
reboot the system after removing a network adapter and inserting a new
one before you can monitor data.
Selecting Network Adapters
If you have more than one network interface card (adapter) installed in
your system, you can select which card Sniffer Portable Professional will
use.
If you have multiple adapters attached to different network segments,
you can select which segment Sniffer Portable Professional will monitor
by switching from one adapter to another.
NOTE: See Installing Sniffer Portable Professional for a list of
supported 802.11 adapters.
User’s Guide 267

Chapter 13
268 Sniffer Portable Professional
To select an adapter:
1 Select Adapter Settings from the File menu to open the Adapter
Settings dialog box (see Figure 13-1).
The Adapter Settings dialog box contains the profiles you have
defined for this Sniffer Portable Professional PC.
2 Select a previously defined profile as the target network for the
Sniffer Portable Professional to monitor from the list provided.
NOTE: To define new profiles to use for monitoring, click New
and supply the appropriate information. See Creating Sniffer
Monitoring Profiles on page 270 for more information.
3 Change the Real Time/Post Capture option if desired. This
checkbox specifies whether Sniffer Portable Professional will
actively monitor an adapter at startup:
If the Post Capture box appears, the selected profile is
currently in Real Time mode and will automatically begin
monitoring the selected adapter at startup. You can check the
Post Capture box to open the application without monitoring
a specific card.
If the Real Time box appears, the selected profile is currently
in Post Capture mode and will only be available for trace file
analysis. You can check the Real Time box to enable
real-time monitoring and analysis according to the privileges
assigned to your account.
The name of this option changes depending on what the card is
currently set to. For example, since the card selected in Figure 13-1
is set to start in Real Time mode, you could check Post Capture
to reverse that.
4 Change the Local Mode option if desired. This checkbox specifies
whether Sniffer Portable Professional monitors all traffic or only
local/broadcast/multicast traffic:
If Local Mode is not checked, Sniffer Portable Professional
monitors promiscuously, including all traffic.
If Local Mode is checked, Sniffer Portable Professional
monitors only traffic to/from the local host, broadcast traffic,
and multicast traffic with the local host addressed.
5 Click OK.

Figure 13-1. Selecting a Network Adapter
Network Adapters and Settings
User’s Guide 269

Chapter 13
Creating Sniffer Monitoring Profiles
270 Sniffer Portable Professional
To operate Sniffer Portable Professional with different network adapters
and settings, you create separate entities, called profiles. A profile can
be thought of as a set of settings — each profile holds session
information, such as the address book, capture filter settings, and
packet display options. Each profile has independent configuration
information, so it can be used to globally reconfigure Sniffer Portable
Professional when moving from one network to another, one segment to
another, or for setting up the options for specific tasks.
When you create a new profile, it automatically uses the settings
currently defined in the Sniffer Portable Professional application (the
address book, capture filter settings, packet display options, and so on).
NOTE: If you use Sniffer Portable Professional as a field service tool
to troubleshoot different networks, use the profile feature to
maintain configuration information for each client’s network.
To create a new profile:
1 Select Adapter Settings from the File menu.
2 Click New.
3 In the New Settings dialog box (Figure 13-2), enter a description
for the profile in the field provided. This will also be the name of the
profile and will appear in future instances of the Settings dialog
box.
4 Select the adapter for this profile. All adapters are listed.
5 Use the Copy settings from field to use the configuration settings
from an existing profile. The drop-down list includes all previously
defined profiles on the Sniffer Portable Professional PC. The
settings you are copying include the address book, filter settings,
trigger settings, alarm threshold settings, and so on. If you do not
use the Copy settings from field, the new profile will be created
using the settings currently active on Sniffer Portable Professional.
You can then change these settings to suit your needs.
NOTE: Various options in Sniffer Portable Professional's
menus will change depending on the type of adapter you have
selected for capture.
6 Click OK.

Tips:
Network Adapters and Settings
Once you have created multiple profiles, you can launch new
Sniffer Portable Professional sessions without creating the new
agents again.
It may be useful to think of a profile as a “set of settings.” You can
define multiple sets of settings (profiles) for a single adapter. This
makes it easy to switch between different monitoring or analysis
needs by simply switching profiles. The same network card is used,
but the configuration settings within the analyzer will be different.
Figure 13-2. Creating a profile
User’s Guide 271

Chapter 13
272 Sniffer Portable Professional

Index
Numerics
802.11 Options tab (Expert Options), 140
802.11 tab
Status column, 85, 88
90% Response
ART setting, 102
A
Absolute time,
access point
182
determining full hex address,
Acknowledge counter
147
in Dashboard’s 802.11 tab, 81
Adapter Settings dialog box, 267
Adapters, using, 267
Adding tools to the Tools menu, 64
Address Book, 249, 254
autodiscovering addresses and
names, 253
creating, 250
entering names manually, 252
Address filter, 225
Advanced tab (Define Filter),
Alarm
235
beeps and sounds, 265
enabling notification actions, 265
features, 257
log, 120, 257
Monitor thresholds, 75
notification actions, 264
severity levels, 260
sound files,
Alarm Log
265
setting up logging, 259
alarm severities,
alarms
259
Expert thresholds, 137
Monitor thresholds, 51
none in Alarm Log?, 120, 257, 260, 262
ART
data not displaying?, 98
setting options, 101
tabular view statistics, 98
Association Requests counter
in Dashboard’s 802.11 tab,
Association Responses counter
79
in Dashboard’s 802.11 tab,
Atheros AR5002X
79
using as a normal network adapter,
ATIMs counter
29
in Dashboard’s 802.11 tab,
Authentication
80
field in Host Table,
Authentications counter
86, 89
in Dashboard’s 802.11 tab, 80
autodiscovering wireless units, 145
Autodiscovery, 253
B
Beacons counter
in Dashboard’s 802.11 tab, 80
in Global Statistics, 119
in Host Table,
BSSID
90
counter in Dashboard’s 802.11 tab, 81
counter in Global Statistics, 119
BSSID column in 802.11 tab, 85
Building your own address book, 252
C
Capture buffer
options, 124
saving to a file, 127
Capture filters, 129
User’s Guide 273

Capture panel, 123
Capture triggers, 129
Captured data, displaying,
Capturing data
158
between specific stations, 128
to or from a station, 84
cards missing,
CF End
34
counter in Dashboard’s 802.11 tab,
CF End/CF ACK counter
81
in Dashboard’s 802.11 tab,
Ch. No. counter
81
in Global Statistics, 118
Changing Expert alarm settings,
Cisco Aironet
262
installation notes and issues,
Cntl Pkts counter
34
in Global Statistics, 118
Color-code packets,
Configuring
178
autodiscovery for routers, 254
default routers (Expert), 138
Expert analysis,
Creating
134
an address book, 250
profiles,
CTS counter
270
in Dashboard’s 802.11 tab, 81
Cumulative bytes, 182
Customer Support,
Customizing
4
the decode display, 177
user tools, 64
D
Data pattern filter,
Data Pkts counter
230
in Dashboard’s 802.11 tab, 77
in Global Statistics, 118
Data Rate Counters, 79
Data Throughput counter
in Dashboard’s 802.11 tab, 78
Data, displaying, 158
274 Sniffer Portable Professional
Deauthentications counter
in Dashboard’s 802.11 tab, 80
Decode Font, 178
Decode tab, 162
searching for frames,
Define Filter
186
wireless options,
Defining
220
filters, 220
triggers, 242
Delta time, 182
Detail pane (decode display), 162
Detail tree pane, 132
Diagnosis in Expert analysis,
Disabling
132
Real-time decodes, 213
real-time Expert analysis, 135
RIP analysis (Expert),
Disassociations counter
138
in Dashboard’s 802.11 tab, 80
discovered addresses,
Display
255
customizing the decode display, 177
Decode, 162
Expert, 131
filters, 167
formats, 162
Host Table, 206
Matrix, 202
menu, 164
navigating the decode display, 164
options on General tab, 179
Protocol Distribution, 208
setting decode display options, 177
Statistics, 210
Display vendor ID on MAC address,
Displaying
180
captured data, 158
decoded packets, 162
Expert data, 131
Expert explain messages, 153
the Alarm log, 257
Domain names, resolving, 253

Duplicate IP address and autodiscovery, 255
E
Enable Rogue AP Lookup option, 61, 140
Enable Rogue Mobile Unit option, 61, 140
Enabling alarm actions, 265
Enabling Real-time decodes,
Encryption
213
field in Host Table,
Errors counter
86, 88
in Global Statistics,
ESSID
118
counter in Dashboard’s 802.11 tab, 81
counter in Host Table, 85, 88
Ethernet, 11
Exclude protocols,
Expert
182
alarms, 262
diagnoses, 132
display, 131
explain messages, 153
exporting data, 154
layers, 134
objects, 134
options, 134
rearranging the display, 153
Recycle Expert Objects, 136
RIP analysis, 138
searching for frames with alarms, 195
subnet mask settings, 138
symptoms, 131
thresholds, 137
Tuning, 136
window panes, 132
Expert Detail pane, 132
Expert Overview pane, 132
Expert Summary pane, 132
Export AP button, 145
Export AP button (Address book),
exporting
254
Protocols tab settings, 53
Exporting Expert data, 154
exporting filters, 241
exporting known addresses to csv file, 147
Exporting monitor data, 120
F
Failed to start capture, 127
Fast Ethernet (100BASE-T),
filter profiles
11
see Filters,
Filters
222
address, 225
capture, 129
creating, 223
data pattern, 230
defining, 220
display, 167
error type, 235
exporting, 241
importing, 241
monitor, 69
overview, 219
packet size, 235
port, 225
profiles, 222
protocol type, 235
settings, 225
sharing filters, 241
finding frames, 186
function key shortcuts
capture, 123
display, 164
G
Global Statistics, 116
toolbar, 117
H
Hex pane (decode display), 162
Highlight selected frames, 181
History Samples, 110
creating multiple, 113
settings, 111
toolbar, 112
window, 110
User’s Guide 275

zooming,
Host Table
111
display tab, 206
HwAddr counter, 85
maximum entries, 84
monitor, 82
toolbar, 84, 207
HwAddr counter, 85
I
IBSS networks, 68
icons
at base of Sniffer window, 43
importing
Protocols tab settings, 53
importing addresses to the known address
list, 147
importing filters, 241
In Bytes counter
in Host Table, 87, 89
In Pkts counter
in Host Table, 87, 89
Infrastructure networks, 68
installation requirements, 18
installing
Sniffer, 22
K
Keyboard usage (decode display), 164
Keys Per Channel option,
known addresses
59
adding from the Host Table, 141
adding from the postcapture display, 143
adding to the Expert’s list, 141
L
license
serial number, 30
types, 31
Live scroll mode,
logging
215
setting up for alarms, 259
276 Sniffer Portable Professional
M
MAC Bridge Miniport Driver, removing, 39
Main toolbar, 71
Management Pkts counter
in Dashboard’s 802.11 tab,
Matrix
78
display tab, 202
maximum entries, 95
monitor, 93
refresh rate, 95
toolbar, 95, 203
maximum entries
Host Table, 84
Matrix, 95
Mgmt Pkts counter
in Global Statistics, 119
Monitor, 67
alarms, 120
applications, 71
changing alarm severity levels, 260
default severity levels for alarms, 260
exporting data, 120
filters, 69
Global Statistics, 116
History Samples, 110
Host Table, 82
Matrix, 93
Protocol Distribution,
Monitored Channel counter
114
in Host Table, 86, 89
Monitored Topology counter
in Host Table, 86, 89
monitoring wireless networks,
Multicast counter
68
in Host Table, 87
N
Navigating the decode display, 164
NetBIOS names, resolving, 253
NetScout User Forum, 4
Netware user names, resolving, 253
network interface cards
see adapters

Non-live scroll mode, 216
Notification actions for alarms, 264
O
Octets counter
in Global Statistics, 118
offline WEP decryption, 199
Order Pkts counter
in Dashboard’s 802.11 tab, 78
Out Bytes counter
in Host Table, 87, 89
Out Pkts counter
in Host Table, 87, 89
Overflow
matrix message, 95
P
Packet capture
capture buffer options, 239
overview, 121
Packet display, 162
searching for frames, 186
Packet Selection,
Packets
178
color-coding, 178
selecting, 165
Packets counter
in Global Statistics, 118
pcap format,
PLCP Errors
127
as filter option, 237
PLCP Long Pkts counter
in Dashboard’s 802.11 tab,
PLCP Short Pkts counter
79
in Dashboard’s 802.11 tab, 78
Port filter, 228
postcapture WEP decryption, 199
postcapture WPA decryption, 199
power considerations for Sniffer PC,
printing
36
decoded packets, 196
to file, 196
Probe Requests counter
in Dashboard’s 802.11 tab,
Probe Responses counter
80
in Dashboard’s 802.11 tab, 80
product registration, 30
profiles, 270
profiles (filters), 222
Protocol Distribution
display tab, 208
monitor, 114
toolbar, 115, 209
Protocol Expand, 178
Protocol Statistics pane, 132
Protocols tab options,
Protocols tab settings
52
importing/exporting,
PS Polls counter
53
in Dashboard’s 802.11 tab, 81
Q
QoS Packet Scheduler Service, 37
R
Real-time decodes
display limitations, 216
enabling/disabling, 213
Live scroll mode, 215
Non-live scroll mode, 216
scrolling modes, 215
viewing, 214
Rearranging the Expert display, 153
Reassemble entire trace file option, 179
Reassembly window size option,
Reassociation Requests counter
179
in Dashboard’s 802.11 tab,
Reassociation Responses counter
79
in Dashboard’s 802.11 tab, 79
Recycle Expert Objects, 136
registering software, 30
Relative time,
removing
182
MAC Bridge Miniport Driver, 39
QoS Packet Scheduler Service, 37
requirements for installation, 18
User’s Guide 277

Resolve name on Network address,
Retry Pkts counter
180
in Dashboard’s 802.11 tab, 78
in Host Table, 87
RIP analysis, 138
Routers, autodiscovery, 254
RspTm of 90% Response, 103
ART setting,
RTS counter
102
in Dashboard’s 802.11 tab, 81
S
Sales Offices, 4
Saving buffer contents to a file, 127
scrolling modes (Real-time decodes), 215
searching for frames, 186
data pattern searches, 190
Expert alarm searches, 195
status flag searches, 193
text searches,
Select Settings
187
no cards, 34
Selecting packets, 165
serial number, obtaining,
Setting
30
alarm notification options, 264
beeps and sounds, 265
capture buffer options, 124
Expert options,
severities
134
logging, 259
Severity levels
Expert alarms, 262
Monitor alarms, 260
sharing filters, 241
Show all layers, 180
Show Expert symptoms, 180
Show network address,
Signal Curr counter
180
in Host Table, 86, 89
Signal Level counter
in Global Statistics,
Signal Max counter
119
278 Sniffer Portable Professional
in Host Table,
Signal Min counter
86, 89
in Host Table, 86, 89
Single Key Set option, 59
Single station capture,
Sniffer
84, 128
installing, 22
uninstalling, 21
Sniffer icons,
Sniffer PC
43
power considerations,
Sniffer window
36
introduced, 41
navigating, 41
title bar, 41
Sound files, 265
Start triggers, 242
Statistics tab, 210
Status column in 802.11 tab, 85, 88
Stop triggers, 242
Subnet mask settings, 138
Summary Display, 178
Summary pane (decode display),
support
162
Customer Support, 4
Switching network adapters, 267
Symptom in Expert analysis, 131
system requirements, 18
T
Thresholds
Expert, 137
Monitor,
title bar
51, 75
Sniffer window,
Toolbar
41
Global Statistics, 117
History Samples, 112
Host Table, 84, 207
main, 71
Matrix, 95, 203
Protocol Distribution,
Tools
115, 209

adding your own, 64
customizing,
Topology counter
64
in Global Statistics,
trace files
118
formats, 127
opening, 127
Triggers, 129, 242
troubleshooting
cards don’t appear, 34
Two-station format,
Type counter
181
in Host Table, 85
U
uninstalling
QoS Packet Scheduler Service, 37
Sniffer, 21
Update Time counter
in Host Table, 87, 90
Use Address Book to resolve name,
User Interface
180
menus, 44
utilization calculations (wireless), 76
V
Valid Channel, 86, 89
Valid Topology, 86, 89
viewing Real-time decodes, 214
W
website, Customer Support, 4
WEP decryption
postcapture, 199
WEP ICVs
as filter option, 237
WEP Pkts counter
in Dashboard’s 802.11 tab, 78
WPA decryption
postcapture, 199
User’s Guide 279

280 Sniffer Portable Professional