Sniffer® Portable Professional User's Guide - NetScout
Sniffer® Portable Professional User's Guide - NetScout
Sniffer® Portable Professional User's Guide - NetScout
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Sniffer ® <strong>Portable</strong> <strong>Professional</strong><br />
User’s <strong>Guide</strong><br />
293-2235 Rev A<br />
Contents<br />
<strong>NetScout</strong> ® Systems, Inc.<br />
Westford, MA 01886<br />
Telephone: 978.614.4000<br />
Fax: 978.614.4004<br />
Web: http://www.netscout.com
Use of this product is subject to the <strong>NetScout</strong> Systems, Inc. End User License Agreement, which<br />
accompanies the product at the time of shipment.<br />
Notice of Restricted Rights: Use, duplication, release, modification, transfer, or disclosure (for purposes<br />
of this section, "Use") of the Software is restricted by the terms of <strong>NetScout</strong> Systems, Inc.’s End User<br />
License Agreement and further restricted in accordance with FAR 52.227-14 for civilian Government<br />
agency purposes and 252.227-7015 of the Defense Federal Acquisition Regulations Supplement<br />
("DFARS") for military Government agency purposes, or the similar acquisition regulations of other<br />
applicable Government organizations, as applicable and amended. The Use of Software and the Product<br />
is restricted by the terms of <strong>NetScout</strong> Systems, Inc.’s End User License Agreement, in accordance with<br />
DFARS Section 227.7202 and FAR Section 12.212. The information in this manual is subject to change<br />
without notice.<br />
<strong>NetScout</strong>, the <strong>NetScout</strong> logo, Network General, the Network General logo, nGenius, Quantiva, NetVigil,<br />
InfiniStream, Business Container, and Sniffer are registered trademarks of <strong>NetScout</strong> Systems, Inc. and/<br />
or its affiliates in the United States and/or other countries. The CDM logo, MasterCare, the MasterCare<br />
logo, Visualizer, and HyperLock are trademarks of <strong>NetScout</strong> Systems, Inc. All other registered and<br />
unregistered trademarks herein are the sole property of their respective owners. <strong>NetScout</strong> Systems, Inc.<br />
reserves the right, at its sole discretion, to make changes at any time in its technical information,<br />
specifications, service and support programs.<br />
All other brand names, company identifiers, trademarks, service trademarks, registered trademarks and<br />
registered service marks mentioned in this document or the <strong>NetScout</strong> Systems license agreement are<br />
properties of their respective owners, and protected as such against unlawful use or distribution.<br />
This product includes software developed by the Apache Software Foundation<br />
(http://www.apache.org/). Copyright 1997-2008 The Apache Software Foundation. All rights reserved.<br />
THE SOFTWARE DEVELOPED BY APACHE SOFTWARE FOUNDATION AND INCLUDED HEREIN IS<br />
PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED<br />
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE<br />
DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE<br />
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL<br />
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<br />
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY<br />
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF<br />
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
2
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit<br />
("<br />
Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.<br />
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL<br />
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,<br />
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)<br />
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,<br />
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)<br />
"<br />
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)<br />
"<br />
Copyright (c) 1995-1998 Eric Young (eay@cryptsoft.com) All rights<br />
reserved.<br />
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,<br />
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS<br />
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL<br />
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<br />
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY<br />
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF<br />
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
Sniffer ® <strong>Portable</strong> <strong>Professional</strong> User’s <strong>Guide</strong><br />
293-2235 Rev A<br />
Copyright 2009 <strong>NetScout</strong> Systems, Inc. Printed in the USA.<br />
All rights reserved.<br />
3
4<br />
Contacting <strong>NetScout</strong> Systems<br />
Customer Support<br />
The best way to contact Customer Support is to submit a Support Request:<br />
http://www.netscout.com/support<br />
Telephone: In the US, call 888-357-7667; outside the US, call<br />
+011 978-614-4000. Phone support hours are 8 a.m. to 8 p.m. Eastern Standard Time<br />
(EST).<br />
E-mail: support@netscout.com<br />
When you contact Customer Support, the following information can be helpful in diagnosing<br />
and solving problems:<br />
— Type of network platform<br />
— Software and firmware versions<br />
— Hardware model number<br />
— License number and your organization’s name<br />
— The text of any error messages<br />
— Supporting screen images, logs, and error files, as appropriate<br />
— A detailed description of the problem<br />
Sales<br />
Call 800-357-7666 for the sales office nearest your location.<br />
Training and Online Learning<br />
For end-user and partner training information, online course listings, and extensive learning<br />
materials, visit the Training and Online Learning Center websites:<br />
http://www.netscout.com/training<br />
http://www.netscout.com/training/about_olc.asp<br />
Documentation<br />
Send comments or questions about nGenius documentation to the following address:<br />
contact_doc@netscout.com<br />
User Forum<br />
To join a customer-driven user group connecting the worldwide community of <strong>NetScout</strong> users,<br />
visit the following website:<br />
http://www.netscoutuserforum.com/
Related Information Resources<br />
<strong>NetScout</strong> Systems provides the documentation listed in the table below to support Sniffer <strong>Portable</strong><br />
<strong>Professional</strong>. <strong>NetScout</strong> MasterCare customers can access all documentation online at<br />
www.netscout.com/support.<br />
Document Description<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> Documentation<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Release Notes<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
User’s <strong>Guide</strong><br />
Describe enhancements, new features, known issues, and<br />
system requirements for Sniffer <strong>Portable</strong> <strong>Professional</strong>.<br />
Describes how to install and license Sniffer <strong>Portable</strong> <strong>Professional</strong>.<br />
Describes how to use Sniffer <strong>Portable</strong> <strong>Professional</strong> for network<br />
monitoring and analysis.<br />
Online help Provides details on all product features and options.<br />
Decode/Expert Reference Provides a complete reference for all Expert displays and<br />
alarms; also summarizes Decode and Expert Pack features.<br />
Available in PDF format in Decode and Expert Pack installation<br />
directory.<br />
5
Contents<br />
1 Introducing Sniffer <strong>Portable</strong> <strong>Professional</strong> . . . . . . . . . . . . 11<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11<br />
Product Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12<br />
Major Components of Sniffer <strong>Portable</strong> <strong>Professional</strong> . . . . . . . . . . . . . . . . . 14<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> Features for Wireless Networks . . . . . . . . . . 15<br />
2 Installing Sniffer <strong>Portable</strong> <strong>Professional</strong> . . . . . . . . . . . . . . 17<br />
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18<br />
Uninstalling Previous Versions of<br />
Sniffer <strong>Portable</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21<br />
Installing the Sniffer <strong>Portable</strong> <strong>Professional</strong> Application . . . . . . . . . . . . . . . 22<br />
Installing Sniffer Enhanced Drivers (802.11) . . . . . . . . . . . . . . . . . . . . . 23<br />
Authorizing Sniffer <strong>Portable</strong> <strong>Professional</strong> . . . . . . . . . . . . . . . . . . . . . . . . 30<br />
Starting Sniffer <strong>Portable</strong> <strong>Professional</strong> . . . . . . . . . . . . . . . . . . . . . . . . . . 34<br />
Tuning Settings for Sniffer <strong>Portable</strong> <strong>Professional</strong> . . . . . . . . . . . . . . . . . . . 36<br />
3 Introducing the Sniffer Window . . . . . . . . . . . . . . . . . . . 41<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41<br />
Navigating the Sniffer Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41<br />
4 Setting Options in the Sniffer Window . . . . . . . . . . . . . . 47<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47<br />
Setting the General Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48<br />
Setting the Real Time Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51<br />
Setting the MAC Threshold Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . 51<br />
Setting the App Threshold Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . 52<br />
Setting the Alarm Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52<br />
Setting the Protocols Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52<br />
Setting the Protocol Forcing Tab Options . . . . . . . . . . . . . . . . . . . . . . . . 53<br />
Setting Tools > Wireless Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54<br />
Adding Tools to the Tools Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64<br />
User’s <strong>Guide</strong> 7
5 Monitoring Your Network . . . . . . . . . . . . . . . . . . . . . . . 67<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67<br />
About Sniffer <strong>Portable</strong> <strong>Professional</strong> Monitor Views . . . . . . . . . . . . . . . . . . 67<br />
Monitoring Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68<br />
Monitor Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69<br />
Monitor Applications and Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71<br />
Monitor Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120<br />
Exporting Monitor Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120<br />
6 Capturing Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . 121<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121<br />
About Capturing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121<br />
Capture Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122<br />
Capture Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123<br />
Capture Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124<br />
Capturing from Specific Stations (Visual Filters) . . . . . . . . . . . . . . . . . . 128<br />
Capture Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129<br />
Capture Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129<br />
7 Real-Time Expert Display . . . . . . . . . . . . . . . . . . . . . . 131<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131<br />
About the Expert Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131<br />
Setting Expert Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134<br />
Setting Automatic Expert Display Filters . . . . . . . . . . . . . . . . . . . . . . . 151<br />
Displaying Context-Sensitive Explain Messages . . . . . . . . . . . . . . . . . . 153<br />
Rearranging the Expert Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153<br />
Exporting the Contents of the Expert Database . . . . . . . . . . . . . . . . . . 154<br />
8 Displaying Captured Data . . . . . . . . . . . . . . . . . . . . . . 157<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157<br />
Displaying Captured Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158<br />
Postcapture Views for Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . 160<br />
Postcapture Expert Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161<br />
Postcapture Decode Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162<br />
Postcapture Matrix Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202<br />
Postcapture Host Table Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206<br />
Postcapture Protocol Distribution Tab . . . . . . . . . . . . . . . . . . . . . . . . . 208<br />
8 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Postcapture Statistics Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210<br />
9 Working with Real-Time Decodes . . . . . . . . . . . . . . . . 213<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213<br />
Enabling and Setting Real-time Decodes . . . . . . . . . . . . . . . . . . . . . . . 213<br />
Viewing Real-time Decodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214<br />
10 Defining Filters and Triggers . . . . . . . . . . . . . . . . . . . . 219<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219<br />
Defined Filters vs. Automatic Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 219<br />
Define Filter Options for Wireless Networks . . . . . . . . . . . . . . . . . . . . . 220<br />
Defining Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220<br />
Sharing Filters between Systems and Products . . . . . . . . . . . . . . . . . . . 241<br />
Defining Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242<br />
11 Using the Address Book . . . . . . . . . . . . . . . . . . . . . . . 249<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249<br />
About Address Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249<br />
Creating Address Book Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250<br />
12 Managing Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . 257<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257<br />
The Alarm Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257<br />
Setting Alarm Severity Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260<br />
Setting Alarm Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264<br />
13 Network Adapters and Settings . . . . . . . . . . . . . . . . . . 267<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267<br />
Removing Network Adapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267<br />
Selecting Network Adapters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267<br />
Creating Sniffer Monitoring Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 270<br />
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273<br />
9 Sniffer <strong>Portable</strong> <strong>Professional</strong>
10 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Introducing Sniffer <strong>Portable</strong><br />
<strong>Professional</strong><br />
Overview<br />
This documentation describes Sniffer ® <strong>Portable</strong> <strong>Professional</strong>. Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> is ideally suited for a range of usage scenarios,<br />
including:<br />
1<br />
On-site application and network troubleshooting by Field Service<br />
engineers.<br />
Analysis of enterprise network links not permanently instrumented<br />
with <strong>NetScout</strong> appliances.<br />
Analysis of network equipment in lab environments prior to roll-out<br />
on a production network.<br />
By incorporating Expert analysis capabilities and advanced protocol<br />
decodes, Sniffer <strong>Portable</strong> <strong>Professional</strong> can determine, pinpoint, and<br />
analyze the toughest performance problems automatically.<br />
You can use Sniffer <strong>Portable</strong> <strong>Professional</strong> on network segments running<br />
Ethernet, Gigabit Ethernet, and Wireless LANs.<br />
See also:<br />
Product Comparison<br />
Major Components of Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> Features for Wireless Networks<br />
User’s <strong>Guide</strong> 11
Chapter 1<br />
Product Comparison<br />
Table 1-1. Product Comparison<br />
12 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The following table summarizes the key differences between Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong>, Sniffer Global, and the legacy Sniffer <strong>Portable</strong><br />
product.<br />
Feature Legacy Sniffer<br />
<strong>Portable</strong><br />
Sniffer <strong>Portable</strong><br />
<strong>Professional</strong><br />
Sniffer Global<br />
Operating Windows 2000<br />
Windows XP<br />
System<br />
Windows XP<br />
Windows 2003<br />
Windows Vista<br />
Windows 2008<br />
Support for 64-bit Windows OS<br />
Note: Windows 2003 and 2008 support is primarily<br />
for Ethernet. Multiple instances over Terminal Server<br />
is not supported.<br />
Topologies Ethernet 10/100/1000 • Ethernet 10/100/1000<br />
Wireless 802.11 a/b/g • Wireless 802.11 a/b/g on<br />
Windows XP and Windows 2003<br />
• Wireless 802.11 a/b/g/n on Windows Vista and<br />
Windows 2008<br />
Wireless Cards Atheros AR5001X, Atheros AR5002X, AR5004X, AR5005X, AR5006X &<br />
AR5002X & AR5004X AR5008X chipset based PCMCIA, Cardbus,<br />
chipset based PCMCIA ExpressCard, PCI, PCI-e, mini-PCI, mini-PCIe cards<br />
& Cardbus cards<br />
(USB not supported)<br />
Trace File Sniffer .CAP, .CAZ and Sniffer .CAP, .CAZ and LibPcap formats<br />
Formats legacy formats (.ENC<br />
and so on)<br />
Sniffer VoIP<br />
Optional Yes<br />
Intelligence<br />
Sniffer Mobile<br />
Intelligence<br />
(Decode and<br />
Expert)<br />
All Decode and Expert functionality associated with<br />
these legacy modules included in base installation.<br />
Application<br />
Optional No<br />
Intelligence<br />
Use Sniffer Intelligence with nGenius InfiniStream<br />
instead.<br />
Sniffer Reporter Yes No<br />
Use nGenius Performance Manager with nGenius<br />
InfiniStream instead.
Table 1-1. Product Comparison<br />
Feature Legacy Sniffer<br />
<strong>Portable</strong><br />
Sniffer Global<br />
Server<br />
Integrated<br />
Updates<br />
Introducing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Sniffer <strong>Portable</strong><br />
<strong>Professional</strong><br />
Sniffer Global<br />
No No Yes<br />
No No Yes. Check for updates<br />
and install them within<br />
Sniffer Global application<br />
user interface.<br />
User’s <strong>Guide</strong> 13
Chapter 1<br />
Major Components of Sniffer <strong>Portable</strong><br />
<strong>Professional</strong><br />
14 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The major components of Sniffer <strong>Portable</strong> <strong>Professional</strong> include:<br />
Monitor. Calculates and displays real-time network traffic data.<br />
Capture. Captures network traffic and stores the actual packets in<br />
a buffer (and optionally to a file) for later analysis.<br />
Real-time and Postcapture Expert. Analyzes the network<br />
packets during capture and alerts you to potential problems on<br />
your network. These problems are categorized as either symptoms<br />
and/or diagnoses. Expert analysis is also available postcapture.<br />
Real-time and Postcapture Decode. Displays protocol decodes<br />
in real-time as packets arrive. You do not have to stop a capture<br />
session to see protocol decodes. Decodes are also available<br />
postcapture.<br />
Display. User-interface that provides decodes and analysis of the<br />
captured packets in a variety of easy to view and navigate<br />
windows.
Introducing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> Features for<br />
Wireless Networks<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> includes many features specifically for<br />
802.11 wireless networks, as summarized in Table 1-2.<br />
Table 1-2. Features for Wireless Networks<br />
Feature See this topic:<br />
Different wireless LAN frame type counters are included in<br />
the Dashboard.<br />
The Monitor's Host Table includes an 802.11 tab with<br />
entries for all detected wireless stations. Each station is<br />
listed with several wireless LAN-specific counters.<br />
The Monitor’s Host Table includes a zoomed view for<br />
Access Points only.<br />
Rogue identication is included in both Host Table and<br />
Expert displays.<br />
The Monitor's Global Statistics application includes a<br />
Topology Surfing tab with statistics for each wireless<br />
channel selected for monitoring.<br />
The Matrix, Host Table, and Protocol Distribution<br />
post-analysis tabs in the Display window each include<br />
802.11 views, allowing you to focus specifically on 802.11<br />
statistics for wireless stations.<br />
The postcapture Statistics tab in the Display window<br />
includes multiple wireless-specific statistics.<br />
The Advanced tab in the Define Filter dialog box<br />
includes wireless LAN packet types on which you can filter<br />
(such as PLCP Errors and WEP-ICV Errors).<br />
The 802.11 tab in the Define Filter dialog box allows you<br />
to filter on packets seen on a channel to which they do not<br />
belong, packets matching different speeds, or packets<br />
seen on a particular channel.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> can perform both WPA/WPA2<br />
and WEP decryption both during capture if the keys are<br />
specified in the Tools > Wireless > Decryption dialog<br />
box and after capture using the Wireless Decryption<br />
option in the Decode tab's context menu.<br />
Dashboard Counters for Wireless<br />
Networks on page 75<br />
Host Table Counters for Wireless<br />
Networks on page 85<br />
Viewing Access Points Only on page<br />
88<br />
Identifying Rogue Hosts on the<br />
Wireless Network on page 91<br />
The Global Statistics > Topology<br />
Surfing Tab on page 117<br />
Monitor Applications and Toolbar on<br />
page 71<br />
Postcapture Statistics Tab on page<br />
210<br />
Setting Filter Options in the Advanced<br />
Tab on page 235<br />
Setting Filter Options in the 802.11<br />
Tab on page 238<br />
• Configuring Wireless Encryption<br />
Settings on page 56<br />
• Postcapture 802.11 Decryption<br />
on page 199<br />
User’s <strong>Guide</strong> 15
Chapter 1<br />
Table 1-2. Features for Wireless Networks<br />
Feature See this topic:<br />
The Decode display can completely decode 802.11 traffic<br />
(if the correct decryption keys are specified and, in the<br />
case of WPA, if the initial EAPOL handshake packets are<br />
seen). Since wireless LAN services take place at the lower<br />
network layers, you can see the wireless-specific decodes<br />
by examining the DLC layer in the Detail pane of the<br />
Decode display. In addition, the Decode display indicates<br />
the channel from which each packet was captured inside<br />
brackets in the Status column of the Summary pane (for<br />
example, an entry of [1] in the Status column indicates<br />
that the packet was captured from channel number 1 on<br />
the wireless LAN).<br />
The Expert analyzer creates network objects at the DLC<br />
layer for wireless stations. There are also several<br />
Wireless-specific Expert alarms. In addition, all of the<br />
usual upper layer Expert analysis is provided.<br />
During monitoring or capture, the title bar of the Sniffer<br />
window shows the channel currently being monitored, the<br />
signal strength, and the network topology. You can use<br />
this display to get a quick feel for the strength of the signal<br />
being monitored and determine whether you need to move<br />
the analyzer closer to an access point to get a stronger<br />
signal.<br />
16 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Postcapture Decode Display on page<br />
162<br />
Decode and Expert Reference <strong>Guide</strong><br />
in Decode & Expert installation<br />
directory.<br />
Navigating the Sniffer Window on<br />
page 41
Installing Sniffer <strong>Portable</strong><br />
<strong>Professional</strong><br />
2<br />
This chapter provides the system requirements and installation for<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong>. It also lists supported cards and enhanced<br />
drivers.<br />
System Requirements on page 18<br />
Uninstalling Previous Versions of Sniffer <strong>Portable</strong> on page 21<br />
Installing the Sniffer <strong>Portable</strong> <strong>Professional</strong> Application on page 22<br />
Installing Sniffer Enhanced Drivers (802.11) on page 23<br />
Sniffer Enhanced Driver Installation Procedure on page 24<br />
802.11 a/b/g/n Card Installation Notes and Issues on page 27<br />
Using the 802.11 a/b/g/n Card as a Normal Network Card on<br />
page 29<br />
Authorizing Sniffer <strong>Portable</strong> <strong>Professional</strong> on page 30<br />
Starting Sniffer <strong>Portable</strong> <strong>Professional</strong> on page 34<br />
Tuning Settings for Sniffer <strong>Portable</strong> <strong>Professional</strong> on page 36<br />
User’s <strong>Guide</strong> 17
Chapter 2<br />
System Requirements<br />
18 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 2-1 lists the system requirements to install and run the Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> application.<br />
Table 2-1. Sniffer <strong>Portable</strong> <strong>Professional</strong> System Requirements<br />
Item Requirement<br />
Operating<br />
System<br />
• Microsoft Windows XP <strong>Professional</strong> Edition with SP2 or higher<br />
NOTE: Wireless is not supported on Windows XP 64-bit.<br />
• Windows Server 2003<br />
NOTE: Wireless is not supported on Windows Server 2003 64-bit.<br />
• Microsoft Windows Vista<br />
• Windows Server 2008<br />
NOTE: The Wireless LAN Service must be installed to use wireless NICs on<br />
Windows 2008 machines – by default it is not. You can add this service using<br />
the Features > Add Features option in Administrative Tools > Server<br />
Manager.<br />
• Virtualized environments configured to emulate these operating systems.<br />
Tested with VMware workstation 6.x and Microsoft Virtual-PC 2007.<br />
NOTE: Virtualized environments are only supported for Ethernet adapters.<br />
Wireless adapters are not supported in virtualized environments.<br />
CPU Intel or AMD processor running at 1.6 GHz or higher.<br />
• Dual or more core running at 1.0 GHz or higher<br />
NOTE: Sniffer <strong>Portable</strong> <strong>Professional</strong> is supported on multi-processor, multi-core,<br />
and hyperthreaded platforms.<br />
RAM 512 MB of RAM or higher.<br />
Storage 200 MB or more of free hard drive space (all supported operating systems)<br />
CD-ROM Drive<br />
Monitor VGA color monitor with 1024x768 resolution (with 256 color support or updated<br />
VGA driver)
Table 2-1. Sniffer <strong>Portable</strong> <strong>Professional</strong> System Requirements<br />
Item Requirement<br />
Network<br />
Interface<br />
Cards<br />
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Ethernet 10/100/1000 cards with native driver provided by vendor (no Sniffer<br />
enhanced driver required or provided).<br />
Wireless cards with Atheros AR5002X+ chipset:<br />
• Windows XP and Windows Server 2003 – 802.11 a/b/g; Sniffer enhanced<br />
driver required; see Installing Sniffer Enhanced Drivers (802.11) on page 23<br />
for details.<br />
Combo cards only supported if 802.11 a/b/g (b/g only not supported).<br />
• Windows Vista and Windows Server 2008 – 802.11 a/b/g/n; Native<br />
Atheros driver required (available both on Microsoft website and packaged<br />
with Sniffer <strong>Portable</strong> <strong>Professional</strong> application installation). See Installing<br />
Sniffer Enhanced Drivers (802.11) on page 23 for details.<br />
Combo cards with any combination of 802.11 a/b/g/n are supported on<br />
Windows Vista/Windows 2008. Combo cards with any combination of<br />
802.11a/b/g are supported on Windows XP/Windows 2003.<br />
Software Microsoft .NET Framework 3.0 or higher<br />
User’s <strong>Guide</strong> 19
Chapter 2<br />
20 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> Application Coexistence with other<br />
Products<br />
<strong>NetScout</strong> Systems does not support installation of Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> on a machine running any of the following <strong>NetScout</strong><br />
products:<br />
Sniffer Global application, Sniffer <strong>Portable</strong> (legacy versions),<br />
Sniffer Pro, or Netasyst<br />
Sniffer Distributed Agent<br />
Notes on Installing in Virtual Environments<br />
Installing the Sniffer <strong>Portable</strong> <strong>Professional</strong> application in a virtual<br />
environment (such as those provided by VMware) requires some<br />
additional configuration. Keep in mind the following:<br />
Only Ethernet adapters are supported. Wireless 802.11<br />
adapters are not supported in virtualized environments.<br />
Bridged networking mode is the only supported mode.<br />
Select an Ethernet card in your virtual operating system in the<br />
VMNet0 virtual network from Edit > Virtual Network Settings ><br />
Host Virtual Network Mapping.<br />
Make sure the Ethernet card drivers for VMNet0 are properly<br />
installed by selecting the VM > Install VMware Tools command.<br />
Running this command will select the correct drivers from the host<br />
machine automatically. However, keep in mind that Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong>’s File > Adapter Settings dialog box will<br />
show the device name as VMware Accelerated AMND PCNet<br />
Adapter rather than the name of the bridged adapter.<br />
The VMWare Virtual Network acts as a 1000-Mbps virtual hub with<br />
uplink based on the speed of the actual physical port to which it is<br />
bridged (100 or 1000 Mbps). Sniffer <strong>Portable</strong> <strong>Professional</strong> detects<br />
the virtual network’s 1000-Mbps speed and will report this as the<br />
network speed, regardless of the physical port’s actual speed.<br />
Because of this, when the physical port’s speed is only 100 Mbps<br />
instead of the 1000 Mbps detected, utilization calculations reported<br />
in Sniffer <strong>Portable</strong> <strong>Professional</strong> will be less than the actual<br />
utilization by a factor of ten.
Uninstalling Previous Versions of<br />
Sniffer <strong>Portable</strong><br />
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> can not be installed on the same system as<br />
legacy versions of Sniffer <strong>Portable</strong> – you must first uninstall the previous<br />
Sniffer <strong>Portable</strong> installation. The following procedure explains how.<br />
To uninstall a previous version of Sniffer <strong>Portable</strong>:<br />
1 Log in to the Sniffer <strong>Portable</strong> machine with Administrator<br />
privileges.<br />
2 Go to Start > Settings > Control Panel > Add/Remove<br />
Programs.<br />
3 In the Add/Remove Programs window that appears, is there an<br />
entry for Sniffer VoIP?<br />
If yes — Uninstall Sniffer VoIP and reboot the computer before<br />
uninstalling. Then access the Add/Remove Programs<br />
window again (Step 2) and uninstall the Sniffer <strong>Portable</strong><br />
software.<br />
If no — Select the entry for the Sniffer <strong>Portable</strong> software and<br />
click Add/Remove.<br />
4 During the uninstallation, the wizard will ask you if you would like<br />
to remove unused shared files. Click Yes to all to remove all<br />
unused shared files.<br />
5 Reboot the computer.<br />
The target PC is now ready to download and install the Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> software.<br />
User’s <strong>Guide</strong> 21
Chapter 2<br />
Installing the Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Application<br />
22 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Use the following procedure to install the Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
application.<br />
To install Sniffer <strong>Portable</strong> <strong>Professional</strong> :<br />
1 Make sure you have uninstalled any existing Sniffer <strong>Portable</strong> or<br />
Global applications.<br />
2 Double-click the Sniffer <strong>Portable</strong> <strong>Professional</strong> installation file.<br />
3 Follow the instructions in the InstallShield Wizard to install Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong>.<br />
4 Reboot the PC before using Sniffer <strong>Portable</strong> <strong>Professional</strong>.
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Installing Sniffer Enhanced Drivers (802.11)<br />
NOTE: Sniffer enhanced drivers are not included for 10/100/1000<br />
Ethernet cards. Sniffer <strong>Portable</strong> <strong>Professional</strong> supports 10/100/1000<br />
Ethernet cards without using a Sniffer enhanced driver on both<br />
Windows XP and Windows Vista.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> supports wireless adapters based on the<br />
Atheros AR5002X+ chipset. The table below provides the details:<br />
Table 2-2. Supported Wireless Chipsets and Drivers<br />
Chipset Windows XP and Windows<br />
Server 2003<br />
Tested on Atheros-based Cisco<br />
CB21, D-Link, Proxim, and<br />
NETGEAR Cardbus Adapters<br />
Atheros AR5008X<br />
(802.11n)<br />
You install drivers for wireless cards differently depending on whether<br />
you are using Microsoft Windows XP or Microsoft Windows Vista:<br />
Wireless Adapters in Windows XP<br />
Windows Vista and Windows<br />
Server 2008<br />
Tested on Atheros-based D-Link,<br />
NETGEAR, Cisco CB21, Trendnet, and<br />
Gigabyte Cardbus, PCI/PCIe,<br />
mini-PCI/PCIe adapters (USB not<br />
supported).<br />
Not supported. Supported with the native Atheros<br />
driver, which you can install using either<br />
Atheros AR5006X Supported with enhanced<br />
drivers stored in \Sniffer<br />
Atheros AR5004X <strong>Portable</strong>\Driver\en\atheros<br />
\winxp<br />
Atheros AR5002X<br />
Microsoft Windows Update or one of the<br />
bundled drivers:<br />
• Cisco adapters –<br />
Use the7.4 driver located at \Sniffer <strong>Portable</strong>\<br />
driver\en\cisco\vista.<br />
• All other adapters –<br />
Use the 7.6 driver located at \Sniffer <strong>Portable</strong>\<br />
driver\en\atheros\vista.<br />
You must install a Sniffer enhanced driver before you can use<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> on Windows XP with a wireless LAN<br />
card. Sniffer <strong>Portable</strong> <strong>Professional</strong> includes enhanced drivers for<br />
wireless cards based on the Atheros AR5002X+ chipsets as<br />
summarized in the table above.<br />
See Sniffer Enhanced Driver Installation Procedure on page 24 for<br />
information on how to install the Sniffer enhanced driver for<br />
wireless cards based on these chipsets.<br />
User’s <strong>Guide</strong> 23
Chapter 2<br />
24 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Wireless Adapters in Windows Vista<br />
You must install the latest native Atheros driver to use Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> on Windows Vista or Windows Server 2008<br />
with a wireless card.<br />
The native Atheros driver is included with Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> under \Sniffer<br />
<strong>Portable</strong>\driver\en\atheros\vista. Select netathr.inf if<br />
installing on a 32-bit machine or netathrx.inf if installing on a 64-bit<br />
machine. For Cisco cards, use the driver in the \Sniffer <strong>Portable</strong>\driver\en\cisco\vista folder.<br />
See Native Atheros Driver Update Procedure on page 26 for<br />
information on how to install the native Atheros driver.<br />
Combo Cards and Supported 802.11 Versions<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> supports 802.11 combo cards using<br />
the chipsets listed in the table above differently depending on your<br />
operating system:<br />
Windows XP or Windows Server 2003 – 802.11 a/b/g<br />
combo cards only. Other combinations (including cards that<br />
support only 802.11 b/g) are not supported.<br />
Windows Vista or Windows Server 2008 – Any<br />
combination of 802.11 a/b/g/n.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> can monitor, capture, and display<br />
statistics for wireless cards supporting the Japanese W52 and W53<br />
standards.<br />
Sniffer Enhanced Driver Installation Procedure<br />
Sniffer enhanced drivers for wireless LAN cards are located in intuitively<br />
named subdirectories under the following default path:<br />
\<strong>NetScout</strong>\Sniffer <strong>Portable</strong>\driver\en\<br />
To install a Sniffer enhanced driver:<br />
1 Make sure the Sniffer <strong>Portable</strong> <strong>Professional</strong> software is installed. If<br />
it is not installed, install it now.<br />
2 Log in to Windows as an Administrator.<br />
3 Insert the card in an available card slot on the target machine.<br />
Windows automatically detects the new card and installs its native<br />
device driver.
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
4 Right-click My Computer. Select Manage > Device Manager.<br />
5 In the Network Cards list, select the card you inserted.<br />
6 Right-click on the card and select Update Driver.<br />
7 The Hardware Update Wizard displays. If a dialog box displays<br />
prompting to you to connect to Windows Update to search for<br />
software, select No, not this time and click Next.<br />
8 Select the Install from a list or specific location (Advanced)<br />
option. and click Next.<br />
9 Select the Don’t search option and click Next.<br />
10 Click Have Disk.<br />
The Install from Disk dialog box appears prompting you to supply<br />
the path to the driver to install.<br />
11 Click Browse and navigate to the path where the driver for the<br />
selected card is installed. Drivers for 802.11 a/b/g/n cards are<br />
located at the following path:<br />
\<strong>NetScout</strong>\Sniffer <strong>Portable</strong>\driver\en\<br />
Use the driver found in the subdirectory corresponding to your<br />
chipset and operating system (for example, \atheros\winxp\ for<br />
an Atheros chipset on Windows XP).<br />
12 Click Open in the Browse dialog box.<br />
You are returned to the Install from Disk dialog box.<br />
13 Click OK on the Install from Disk dialog box.<br />
14 If the operating system is configured to alert you to unsigned<br />
drivers, a dialog box will appear warning you that you are about to<br />
install a driver that has not been verified by Microsoft Corporation.<br />
Click Continue Anyway to continue the installation.<br />
The wizard installs the driver. When it has finished, it displays a<br />
screen indicating that the driver is installed.<br />
15 Click Finish.<br />
16 Click OK to clear the Card Properties dialog box.<br />
17 Reboot the system.<br />
User’s <strong>Guide</strong> 25
Chapter 2<br />
Native Atheros Driver Update Procedure<br />
26 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Use the following procedure to update the existing driver for an<br />
Atheros-based wireless adapter to the latest version in Windows Vista.<br />
To update the native Atheros driver in Windows Vista:<br />
1 Make sure the Sniffer <strong>Portable</strong> <strong>Professional</strong> software is installed. If<br />
it is not installed, install it now.<br />
2 Log in to Windows as an Administrator.<br />
3 Right-click Computer and select Manage.<br />
4 Select the Device Manager entry in the Computer Management<br />
pane (left pane).<br />
5 In the Network adapters list, select the wireless card you want to<br />
use with Sniffer <strong>Portable</strong> <strong>Professional</strong> on Windows Vista.<br />
6 Right-click on the card and select Update Driver Software.<br />
7 The Update Driver Wizard displays. Select the Browse my<br />
computer for driver software option.<br />
The Browse for driver software on your computer dialog box<br />
appears prompting you to supply the path to the driver to install.<br />
8 Click Browse and navigate to the path for your card:<br />
Cisco adapters (7.4 version):<br />
\Sniffer <strong>Portable</strong>\driver\en\cisco\vista<br />
All other adapters (7.6 version):<br />
9 Click Next.<br />
\Sniffer <strong>Portable</strong>\driver\en\atheros\vista<br />
10 Select netathr.inf if installing on a 32-bit machine or netathrx.inf<br />
if installing on a 64-bit machine and click Next.<br />
11 Follow the wizard’s instructions to complete the driver update.<br />
12 Close the Computer Management window.<br />
13 Reboot the system and start Sniffer <strong>Portable</strong> <strong>Professional</strong> to use the<br />
new driver.
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
802.11 a/b/g/n Card Installation Notes and Issues<br />
Keep the following notes and tips in mind when working with 802.11<br />
a/b/g/n wireless cards:<br />
After removing and replacing PCMCIA adapters, it’s a good idea to<br />
restart the system before launching Sniffer <strong>Portable</strong> <strong>Professional</strong>.<br />
This is especially important if you replace an Ethernet card with an<br />
802.11 adapter, or vice-versa.<br />
After exiting Sniffer <strong>Portable</strong> <strong>Professional</strong>, it may take up to a<br />
minute for the wireless card to transition to normal wireless<br />
network participation.<br />
Wireless Client Utilities provided by your card’s vendor will not<br />
function with the Sniffer enhanced driver installed. Use the<br />
Wireless Network Connection utility included with Microsoft<br />
Windows instead.<br />
While configuring the 802.11 a/b/g/n card, you may see the<br />
following warning: Can not access your wireless card. Please<br />
remove and reinsert PC card to activate settings.<br />
This warning can safely be ignored.<br />
Use the Safely Remove Hardware option when removing the<br />
cardbus card. Make sure Sniffer <strong>Portable</strong> <strong>Professional</strong> is properly<br />
shut down before the card is removed.<br />
For improved performance, you can unbind the Aegis Protocol<br />
(IEEE802.1x) from the card driver, as shown in Figure 2-1.<br />
However, keep in mind that unchecking this option can interfere<br />
with any VPN clients you may be using. If you do decide to disable<br />
the Aegis Protocol during Sniffer <strong>Portable</strong> <strong>Professional</strong> analysis,<br />
reenable it before connecting to your VPN.<br />
User’s <strong>Guide</strong> 27
Chapter 2<br />
28 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Figure 2-1. 802.11a/b/g/n Wireless Card Properties Dialog Box
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Using the 802.11 a/b/g/n Card as a Normal Network Card<br />
When Sniffer <strong>Portable</strong> <strong>Professional</strong> is connected to the 802.11a/b/g/n<br />
wireless card, the card operates in promiscuous mode and cannot<br />
participate as an active member of the wireless LAN. However, when<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> is not connected to the 802.11a/b/g/n card,<br />
you can use the card to participate actively in a wireless network.<br />
During a normal installation of the 802.11a/b/g/n wireless card, you are<br />
given the option of configuring a profile for normal wireless network<br />
participation (including configuring the ESSID, WEP keys, and so on). If<br />
you did not configure these settings during the initial installation of the<br />
card (or if you want to change the current settings), you can configure<br />
them later using the Wireless Network option in the Control Panel.<br />
However, do not make changes to the 802.11a/b/g/n card’s<br />
configuration while Sniffer <strong>Portable</strong> <strong>Professional</strong> is running.<br />
NOTE: For Windows XP, use the Wireless Network tab in the<br />
Wireless Network Connection Properties dialog box to set wireless<br />
network participation parameters.<br />
NOTE: Wireless Client Utilities provided by your card’s vendor will<br />
not function with the Sniffer enhanced driver installed. Use the<br />
Wireless Network Connection utility included with Microsoft<br />
Windows instead.<br />
User’s <strong>Guide</strong> 29
Chapter 2<br />
Authorizing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
30 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Before you can use Sniffer <strong>Portable</strong> <strong>Professional</strong>, you must authorize<br />
your copy using the License Utility (Start > (All) Programs ><br />
<strong>NetScout</strong> > Sniffer <strong>Portable</strong> <strong>Professional</strong> > License Utility).<br />
Review the topics in this section for more information about licensing:<br />
Registering the Software on page 30<br />
Entering Licensing Information in the License Utility on page 32<br />
Use Same Serial Number After Uninstall/Reinstall<br />
If you uninstall and reinstall Sniffer <strong>Portable</strong> <strong>Professional</strong>, you can<br />
reapply your original serial number and password in the License Utilty to<br />
authorize the product.<br />
Lost Serial Number?<br />
If you lose your serial number or password, you will need to request a<br />
new one from the MasterCare Portal. Before doing so, however, check<br />
your old email to see if you still have the original serial number mailed<br />
to you from <strong>NetScout</strong> Systems (if you supplied an email address during<br />
product registration).<br />
Registering the Software<br />
Visit the <strong>NetScout</strong> website to register your product and obtain the<br />
information required for licensing.<br />
IMPORTANT: Make sure you have the License Coupon that came with<br />
your Sniffer <strong>Portable</strong> <strong>Professional</strong> product shipment. This coupon includes<br />
the Registration Key required to generate the license file.<br />
1 Locate the License Coupon in your Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
product shipment. This form includes the product’s registration<br />
key.<br />
2 Launch your Web browser and enter the following URL:<br />
http://www.netscout.com/support/<br />
3 From Product Registration, select the License Request All link.<br />
4 Accept the End User License Agreement by clicking I Agree.<br />
5 Log in using your MasterCare credentials. If you do not have an<br />
account yet, the site will assist you in creating one.
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
6 Once you have logged in, locate the Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> entries in the Product Registration page and click the<br />
link corresponding to the type of license to activate.<br />
7 Enter the requested information (all fields are required) and click<br />
Submit. In response, you will receive the information listed in the<br />
Output column in the table below. You will enter this information<br />
in Sniffer <strong>Portable</strong> <strong>Professional</strong>’s License Utility.<br />
Table 2-3. License Page Input/Output<br />
License<br />
Type<br />
License Page Input License Page<br />
Output<br />
Trial Registration Key from License Coupon Serial Number<br />
Expiration Date<br />
Password<br />
Permanent Registration Key from License Coupon<br />
IP or MAC address of Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> PC<br />
Choosing an Address Type for the<br />
License (MAC or IP)<br />
Permanent Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
licenses can be based on either a MAC or<br />
an IP address. If the IP address changes<br />
on a system using IP-based licensing,<br />
you will need to request and apply a<br />
new serial number based on the new IP<br />
address. Because of this, you should<br />
only use the IP-based option if you are<br />
using a static IP address.<br />
• If you use a static IP address for the<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> PC, you<br />
can use either the IP or MAC address.<br />
• If you use a dynamic IP address for<br />
the Sniffer <strong>Portable</strong> <strong>Professional</strong> PC,<br />
you should use the MAC address<br />
option.<br />
Serial Number<br />
IP Address or<br />
MAC Address<br />
Password<br />
8 Start the License Utility and enter the information provided by the<br />
MasterCare Portal.<br />
See Entering Licensing Information in the License Utility on page 32<br />
for instructions.<br />
User’s <strong>Guide</strong> 31
Chapter 2<br />
Entering Licensing Information in the License Utility<br />
32 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can obtain Sniffer <strong>Portable</strong> <strong>Professional</strong>’s serial number from the<br />
MasterCare Portal and apply it in the License Utility immediately after<br />
you install the software or at any later time prior to using the product.<br />
NOTE: Each Sniffer <strong>Portable</strong> <strong>Professional</strong> unit requires a separate<br />
serial number.<br />
To apply a Sniffer <strong>Portable</strong> <strong>Professional</strong> serial number:<br />
1 Register the software and obtain the serial number. Refer to<br />
Registering the Software on page 30.<br />
2 Start the License Utility on the Sniffer <strong>Portable</strong> <strong>Professional</strong> PC:<br />
Start > (All) Programs > <strong>NetScout</strong> > Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> > License Utility<br />
NOTE: You must run this utility as an administrator. If you are<br />
not currently logged in as an administrator, you can right-click<br />
the utility and select the Run as administrator command.<br />
3 Enter the information you received from the MasterCare Portal’s<br />
Licensing page in Registering the Software on page 30. All fields<br />
must match the values specified during product registration.<br />
Table 2-4. Sniffer <strong>Portable</strong> <strong>Professional</strong> License Fields<br />
Field Description<br />
Serial Number Provided by MasterCare Portal during product registration.<br />
Expiry Date<br />
(Trial Licenses<br />
only)<br />
IP/MAC<br />
(Permanent<br />
Licenses only)<br />
Provided by MasterCare Portal during product registration.<br />
Select the radio button corresponding to the type of<br />
adddress you supplied during registration and enter the<br />
address in the adjacent field. This was specified during<br />
product registration.<br />
Password Provided by MasterCare Portal during product registration.<br />
4 When you have filled in all the fields, click OK.<br />
The License Utility applies the license, informing you of its success<br />
or failure.
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
5 If licensing was not successful, make sure you entered all<br />
information correctly. Verify the values against those you received<br />
from the MasterCare Portal during product registration.<br />
User’s <strong>Guide</strong> 33
Chapter 2<br />
Starting Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
34 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
After you have installed and authorized Sniffer <strong>Portable</strong> <strong>Professional</strong> and<br />
any necessary enhanced drivers, start the application as follows:<br />
1 Log in to the Sniffer <strong>Portable</strong> <strong>Professional</strong> application PC.<br />
2 Go to Start > (All) Programs > <strong>NetScout</strong> > Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> > Sniffer <strong>Portable</strong>.<br />
3 The Adapter Settings dialog box appears, allowing you to choose<br />
which capture card on the PC you’d like to use for network<br />
monitoring and analysis.<br />
Check the Post Capture box to open the application without<br />
monitoring a specific card.<br />
Check the Real Time box to begin monitoring the selected<br />
card.<br />
4 Click OK to open the Sniffer <strong>Portable</strong> <strong>Professional</strong> application.<br />
No Network Cards Listed in Adapter Settings Dialog Box?<br />
If you start the Sniffer <strong>Portable</strong> <strong>Professional</strong> application and do not see<br />
any network cards listed in the Adapter Settings dialog box, you may<br />
need to install the Sniffer <strong>Portable</strong> <strong>Professional</strong> Protocol Driver manually.<br />
Use the procedure corresponding to your operating system, as follows:<br />
To install the Sniffer <strong>Portable</strong> <strong>Professional</strong> Protocol Driver on<br />
Windows XP:<br />
1 Open the Network Connections Control Panel (Start > Control<br />
Panel > Network Connections).<br />
2 Right-click the entry for a network adapter (for example, Local<br />
Area Connection) and select the Properties command from the<br />
context menu that appears.<br />
3 Click the Install button, select the Protocol entry in the list of<br />
components that appears, and click Add.<br />
4 Click Have Disk, use the Browse button to navigate to the<br />
following path, and click OK:<br />
C:\Program Files\<strong>NetScout</strong>\Sniffer <strong>Portable</strong>\driver\en\sniffer\winxp<br />
5 Select the Sniffer <strong>Portable</strong> <strong>Professional</strong> Protocol Driver entry<br />
and click OK.<br />
6 After installation, close out of Local Area Connection Properties and<br />
reboot the system.
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
After rebooting the system, Sniffer <strong>Portable</strong> <strong>Professional</strong> will list<br />
network cards in the Adapter Settings dialog box.<br />
To install the Sniffer <strong>Portable</strong> <strong>Professional</strong> Protocol Driver on<br />
Windows Vista:<br />
1 Open the Network Connections Control Panel (Start > Control<br />
Panel > Network and Sharing Center).<br />
2 Select the Manage network connections option.<br />
3 Right-click the entry for a network adapter (for example, Local<br />
Area Connection) and select the Properties command from the<br />
context menu that appears.<br />
4 Click the Install button, select the Protocol entry in the list of<br />
components that appears, and click Add.<br />
5 Click Have Disk, use the Browse button to navigate to the<br />
following path, and click OK:<br />
C:\Program Files\<strong>NetScout</strong>\Sniffer <strong>Portable</strong>\driver\en\sniffer\vista<br />
6 Select the Sniffer <strong>Portable</strong> <strong>Professional</strong> Protocol Driver entry<br />
and click OK.<br />
7 After installation, close out of all open dialogs and reboot the<br />
system.<br />
User’s <strong>Guide</strong> 35
Chapter 2<br />
Tuning Settings for Sniffer <strong>Portable</strong><br />
<strong>Professional</strong><br />
36 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
There are several settings you can make to the Microsoft Windows<br />
operating system that will improve Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
performance. See the following sections:<br />
Power Considerations for Sniffer <strong>Portable</strong> <strong>Professional</strong> Laptops on<br />
page 36<br />
Uninstalling the QoS Packet Scheduler Service on page 37<br />
Removing the MAC Bridge Miniport Driver on XP on page 39<br />
Power Considerations for Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Laptops<br />
Most laptop computers include power configuration options that let you<br />
specify whether the computer should be allowed to go into a standby or<br />
hibernate mode after a specified period of inactivity. For computers<br />
actively running Sniffer <strong>Portable</strong> <strong>Professional</strong>, these options<br />
should always be disabled to preserve stable system<br />
performance!<br />
For example, MS-Windows 2000 and XP laptop computers include a<br />
Power Options Properties control panel. The Power Options Properties<br />
control panel is accessed by starting the Display control panel (Start ><br />
Settings > Control Panel > Display), clicking on the Screen Saver<br />
tab, and then clicking the Power button. In this example, the following<br />
settings should be made for active Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
operations:<br />
Power Schemes Tab<br />
- Turn off hard disks = Never<br />
- System standby = Never<br />
Hibernate Tab<br />
- Enable hibernate support = Disabled<br />
NOTE: Some laptop vendors include their own proprietary software<br />
to perform power configuration tasks. In these cases, you may need<br />
to make similar changes in the configuration menu provided by the<br />
vendor.
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Uninstalling the QoS Packet Scheduler Service<br />
The QoS Packet Scheduler service supports the 802.1P traffic<br />
prioritization system, allowing for the implementation of best-effort<br />
Quality of Service by conforming 802.1P equipment. This service is<br />
automatically bound to each installed card driver in Windows XP. To<br />
improve analyzer performance, <strong>NetScout</strong> recommends that the QoS<br />
Packet Scheduler service be unbound from any cards used with Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong>.<br />
IMPORTANT: Uninstalling the QoS Packet Scheduler service removes it<br />
from all installed cards. Unbinding from individual cards allows you to<br />
preserve the service for use with any non-Sniffer cards. See Unbinding<br />
the QoS Packet Scheduler Service from Selected Cards on page 38.<br />
You can either uninstall the QoS Packet Scheduler Service entirely or,<br />
alternatively, unbind it from cards used with Sniffer <strong>Portable</strong><br />
<strong>Professional</strong>:<br />
Uninstalling the QoS Packet Scheduler Service after Installation on<br />
page 37<br />
Unbinding the QoS Packet Scheduler Service from Selected Cards<br />
on page 38<br />
Uninstalling the QoS Packet Scheduler Service after Installation<br />
Use the following procedure to uninstall the QoS Packet Scheduler<br />
Service.<br />
To completely remove the QoS Packet Scheduler Service:<br />
1 Open the Network Connections folder by selecting the Start ><br />
Settings > Network Connections option.<br />
2 Right-click any of the Connection entries in the folder and select the<br />
Properties command from the menu that appears.<br />
The Connection Properties dialog box appears, as in Figure 2-2. The<br />
following example is for wireless connections.<br />
User’s <strong>Guide</strong> 37
Chapter 2<br />
38 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Figure 2-2. Local Area Connection Properties Dialog Box<br />
3 De-select the QoS Packet Scheduler entry and click Uninstall.<br />
A confirmation box appears.<br />
4 Click OK to confirm that you want to uninstall the QoS Packet<br />
Scheduler service completely.<br />
The QoS Packet Scheduler service is uninstalled.<br />
5 Click OK on the Connection Properties dialog box.<br />
Unbinding the QoS Packet Scheduler Service from Selected<br />
Cards<br />
Use the following procedure to unbind the QoS Packet Scheduler Service<br />
from selected cards:<br />
To unbind the QoS Packet Scheduler Service from selected<br />
cards:<br />
1 Open the Network Connections folder by selecting the Start ><br />
Settings > Network Connections option.<br />
2 Right-click the Network Connection entry from which you want to<br />
unbind the QoS Packet Scheduler service and select the<br />
Properties command from the menu that appears.
Installing Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Network Connection Properties dialog box appears, as in Figure<br />
2-2 on page 38.<br />
3 Deselect the checkbox next to the QoS Packet Scheduler entry<br />
and click OK.<br />
4 Repeat this procedure for each card you want to use with Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong>.<br />
Removing the MAC Bridge Miniport Driver on XP<br />
To improve analyzer performance, <strong>NetScout</strong> recommends that the<br />
Network Bridge service provided with Windows XP not be used on a<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> PC.<br />
To remove a network bridge in Windows XP:<br />
1 Open the Network Connections folder by selecting the Start ><br />
Settings > Network Connections option.<br />
The Network Connections folder appears.<br />
2 Under the Network Bridge section, right-click the Network<br />
Bridge entry and select the Delete command in the menu that<br />
appears.<br />
3 Click Yes to confirm that you want to delete the network bridge.<br />
User’s <strong>Guide</strong> 39
Chapter 2<br />
40 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Introducing the Sniffer<br />
Window<br />
Overview<br />
3<br />
Once you start Sniffer <strong>Portable</strong> <strong>Professional</strong>, log in, and select a profile<br />
for monitoring, the Sniffer window appears.<br />
You use the Sniffer window to perform standard network analysis<br />
activities – monitoring network activity, capturing network traffic,<br />
decoding captured traffic, and so on. This chapter introduces the Sniffer<br />
window and includes the following topics:<br />
Navigating the Sniffer Window<br />
Sniffer Window Menus<br />
Navigating the Sniffer Window<br />
When you start Sniffer <strong>Portable</strong> <strong>Professional</strong>, log in, and select a profile<br />
for monitoring, a Sniffer window appears where you can control network<br />
monitoring and analysis activities (Figure 3-1).<br />
The Sniffer window consists of:<br />
A title bar (item a, Figure 3-1) showing:<br />
Network topology in use.<br />
Line speed.<br />
Certain adapters may add additional information to the title<br />
bar, including the channel being monitored, wireless signal<br />
strength, and so on.<br />
NOTE: During monitoring or capture of wireless networks, the<br />
window title bar shows the channel currently being monitored,<br />
as well as the signal strength and the type of network being<br />
monitored (802.11a or 802.11b/g). You can use this display to<br />
get a quick feel for the strength of the signal being monitored<br />
and determine whether you need to move the analyzer closer<br />
to an access point to get a stronger signal.<br />
Several toolbars (item b, Figure 3-1) at the top of the Sniffer<br />
window providing access to commonly used functions, including:<br />
User’s <strong>Guide</strong> 41
Chapter 3<br />
a<br />
b<br />
c<br />
42 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Capture toolbar<br />
Monitor toolbar<br />
File\Print toolbars<br />
A main workspace (item c, Figure 3-1) where you perform standard<br />
Sniffer functions – viewing monitor displays, working with decoded<br />
packets, interpreting Expert analysis, viewing real-time decodes,<br />
and so on.<br />
Figure 3-1. Sniffer Window<br />
Status icons and counters (item d, Figure 3-1) at the bottom of the<br />
display indicating:<br />
d
Table 3-1. Sniffer Window Status Icons<br />
Button Description<br />
Number of files currently spooled to printer.<br />
Introducing the Sniffer Window<br />
Number of packets transmitted by Packet Generator. Note<br />
that Packet Generator is no longer supported, so this field will<br />
always be blank.<br />
Number of packets that have passed the current filter.<br />
Number of unacknowledged alarms in the local Alarm Log<br />
(Monitor > Alarm Log).<br />
User’s <strong>Guide</strong> 43
Chapter 3<br />
Sniffer Window Menus<br />
44 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The table below lists each of the menus in the Sniffer window along with<br />
the tasks they can be used to perform.<br />
Table 3-2. Sniffer Window Menus<br />
Menu Capabilities<br />
File The File menu is where you can:<br />
• Open, close, and save files.<br />
• Select the monitoring profile you want to use for<br />
monitoring the network. A monitoring profile is a<br />
set of settings tied to a particular network<br />
adapter.<br />
• Reset all settings to their default values.<br />
• Print files.<br />
• Exit the Sniffer window.<br />
Monitor<br />
See Monitoring Your<br />
Network on page 67<br />
for details on using<br />
the Monitor<br />
applications.<br />
Capture<br />
See Capturing<br />
Packets on page<br />
121 for details on<br />
performing<br />
Captures.<br />
The Monitor menu is where you can:<br />
• Access monitor applications (Dashboard, Host<br />
Table, Matrix, Application Response Time, History<br />
Samples, Protocol Distribution, Global Statistics,<br />
and so on).<br />
• Define and select Monitor filters.<br />
•View the Alarm log.<br />
The Capture menu is where you can:<br />
• Start, stop, and display captured packets.<br />
• Display the Capture Panel.<br />
• Define and select Capture filters.<br />
• Set triggers.
Table 3-2. Sniffer Window Menus<br />
Menu Capabilities<br />
Display<br />
See Displaying<br />
Captured Data on<br />
page 157 for details<br />
on displaying<br />
decoded data.<br />
Tools<br />
See for information<br />
on the standard<br />
network tools (Ping,<br />
Trace Route, and so<br />
on).<br />
Introducing the Sniffer Window<br />
The Display menu is where you can:<br />
• Configure the display of your network data.<br />
• Navigate from frame to frame.<br />
• Select specific packets.<br />
• Define and select Display filters.<br />
The Tools menu is where you can access a variety of<br />
tools included in the software, including:<br />
• Address Book – See Using the Address Book on<br />
page 249.<br />
• General Options – See Setting Options in the<br />
Sniffer Window on page 47.<br />
• Expert Options – See Setting Expert Options on<br />
page 134.<br />
• Wireless Options – See Setting Tools > Wireless<br />
Options on page 54<br />
User’s <strong>Guide</strong> 45
Chapter 3<br />
46 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Setting Options in the Sniffer<br />
Window<br />
Overview<br />
4<br />
This section describes how to set the options in the Tools > Options<br />
and Tools > Wireless dialog boxes. See the topics listed in the table<br />
below.<br />
NOTE: You can also add your own applications to the Tools menu.<br />
See Adding Tools to the Tools Menu on page 64 for details.<br />
User’s <strong>Guide</strong> 47
Chapter 4<br />
Setting the General Tab Options<br />
48 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Tools > Options > General tab lets you set a number of options<br />
that specify when Sniffer will prompt you for confirmations, what items<br />
will appear in the Sniffer window by default, and how often different<br />
Monitor views in the Sniffer window are refreshed with new data.<br />
Figure 4-1 shows the Tools > Options > General tab.<br />
Figure 4-1. The Tools > Options > General Tab<br />
The table below lists and describes the options available in the Tools ><br />
Options > General tab:
Table 4-1. Setting Tools > General Tab Options<br />
Entry Description<br />
Setting Options in the Sniffer Window<br />
Prompt to save/update Use these options to specify whether the<br />
application should prompt you to save or<br />
update particular items before they are lost,<br />
as follows:<br />
•Check New capture buffer to have the<br />
application prompt you when saving or<br />
updating new capture buffers.<br />
•Check New history sample to prompt<br />
you when saving or updating new<br />
history samples.<br />
•Check Discovered address to prompt<br />
you when saving or updating discovered<br />
addresses.<br />
•Check Duplicate address to prompt<br />
you when saving or updating duplicated<br />
addresses.<br />
Prompt before Use this option to specify whether the<br />
application should prompt you for a<br />
confirmation before exiting the program.<br />
User’s <strong>Guide</strong> 49
Chapter 4<br />
50 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 4-1. Setting Tools > General Tab Options<br />
Entry Description<br />
Show Use these options to:<br />
• Specify which toolbars appear in the<br />
Sniffer window by default. You can<br />
enable and disable the Main toolbar<br />
and Capture toolbar separately.<br />
• Specify whether the Status bar<br />
appears at the bottom of the Sniffer<br />
window.<br />
• Specify whether monitor applications<br />
should show Formatted data or not. If<br />
this option is enabled, the byte values in<br />
the Host and Matrix tables will change<br />
between using K and M indicators<br />
(Formatted) or fully numeric counts.<br />
For example, 47K would be a<br />
Formatted data representation of a<br />
byte count that would otherwise be<br />
shown as 47,138.<br />
• Specify whether the Sniffer window<br />
should add an Extra Filter Window<br />
when a Display filter is applied to a<br />
capture buffer or trace file. If this option<br />
is not enabled, a set of filtered frames<br />
resulting from a Display filter will<br />
appear in an additional tab on the<br />
existing decode window rather than in<br />
an entirely new window.<br />
• Specify whether Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> should always start in log<br />
off mode. In log off mode, Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> will not actively<br />
monitor the selected adapter at startup.
Setting the Real Time Tab Options<br />
Setting Options in the Sniffer Window<br />
Use the options in the Tools > Options > Real Time tab to enable and<br />
set options for the Sniffer’s real-time decodes feature.<br />
See Enabling and Setting Real-time Decodes on page 213 for details on<br />
using the options in this tab.<br />
Setting the MAC Threshold Tab Options<br />
Use the Tools > Options > MAC Threshold tab to set alarm thresholds<br />
for each of the dials on the Dashboard as well as many other network<br />
statistics. If the value sampled for a particular statistic exceeds the<br />
threshold over the specified Monitor sampling interval, an entry is<br />
made in the alarm log. You can monitor the alarm log to keep watch over<br />
your network.<br />
The MAC Threshold tab lists various network parameters that can<br />
trigger a threshold alarm. The exact parameters depend on the currently<br />
selected adapter.<br />
The High Threshold value for each measure will be the average per<br />
second value measured during the monitor sampling interval. Specify<br />
the interval at the bottom of the dialog box and click OK.<br />
Figure 4-2 shows the Tools > Options > MAC Threshold tab.<br />
Figure 4-2. The Tools > Options > MAC Threshold Tab<br />
User’s <strong>Guide</strong> 51
Chapter 4<br />
Setting the App Threshold Tab Options<br />
52 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Use the options in the Tools > Options > App Threshold tab to set<br />
thresholds for alarms generated by the ART application. Specify the<br />
threshold values in the Rsp Time column, then click OK.<br />
See ART Alarms on page 105 and Application Response Time (ART) on<br />
page 97 for details on using the options in this tab.<br />
Setting the Alarm Tab Options<br />
Use the Tools > Options > Alarm tab to:<br />
Enable alarm logging and set alarm severity levels. See The Alarm<br />
Log on page 257 and Setting Alarm Severity Levels on page 260.<br />
Set up and assign alarm notification actions. See Setting Alarm<br />
Notification on page 264.<br />
Setting the Protocols Tab Options<br />
Use the Tools > Options > Protocols tab to specify on what ports the<br />
Sniffer should expect various upper layer protocols running over TCP,<br />
UDP, or IPX (separate options are provided for each). The commonly<br />
established port for each upper layer protocol is provided by default. For<br />
most networks, the default port number for the listed upper layer<br />
protocols will be correct. However, If your network uses a proprietary<br />
implementation of a particular protocol, you can specify custom ports<br />
here. You can also rename existing protocols by overwriting the default<br />
name supplied in this tab.<br />
In addition, you can also add entirely custom protocols by clicking in a<br />
blank cell at the end of the list and supplying a protocol and port pair for<br />
a given transport. The Sniffer will provide traffic counts for the named<br />
protocol/port pair in its Monitor displays.<br />
NOTE: The Sniffer can only track protocol loads that are based on<br />
well known and fixed port numbers. If you have an application that<br />
assigns and uses TCP/UDP (or IPX) port numbers dynamically, they<br />
will be grouped into the Others category in Monitor views.<br />
Similarly, upper layer packets running over TCP, UDP, or IPX with<br />
port numbers not listed in the default protocol list are also grouped<br />
together and counted in the Others category.
Setting Options in the Sniffer Window<br />
Exporting and Importing Protocols Tab Settings<br />
The Tools > Options > Protocols tab includes Import and Export<br />
buttons that let you change the Protocols tab settings in force:<br />
The Export button opens a common Save As dialog box, allowing<br />
you to save out Protocols tab settings to an XML file.<br />
The Import button opens a common Browse dialog box in which<br />
you can navigate to an XML file of saved Protocols tab settings for<br />
import.<br />
The Import and Export buttons are particularly useful in the following<br />
situations:<br />
You want to create files of saved Protocols tab settings for use in<br />
different network environments. For example, you may commonly<br />
analyze network segments with protocol loads running over known<br />
but non-standard ports. You can switch Protocols tab settings in<br />
and out quickly using these buttons.<br />
You want to share Protocols tab settings with another Sniffer unit<br />
supporting this feature. You can export your settings to a file and<br />
then import them on a second unit.<br />
Setting the Protocol Forcing Tab Options<br />
Use the Tools > Options > Protocol Forcing options to set up protocol<br />
forcing rules. Protocol forcing is useful when capturing non-standard (for<br />
example, proprietary) protocols that might not otherwise be decoded.<br />
Protocol forcing essentially lets you tell the analyzer “if you see this<br />
condition, skip this many bytes (to where the standard data is), then<br />
apply this protocol interpreter.” See Using Protocol Forcing on page 198<br />
for details on setting up Protocol Forcing rules.<br />
User’s <strong>Guide</strong> 53
Chapter 4<br />
Setting Tools > Wireless Options<br />
54 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Tools > Wireless menu includes options that let you configure how<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> monitors wireless traffic:<br />
Use the Surf Settings dialog box to specify which channels on the<br />
wireless network Sniffer <strong>Portable</strong> <strong>Professional</strong> monitors.<br />
See Configuring Surf Settings on page 54 for details.<br />
Use the Encryption dialog box to specify how Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> should decrypt wireless network data.<br />
See Configuring Wireless Encryption Settings on page 56 for<br />
details.<br />
Use the Rogue dialog box to enable and configure the identification<br />
of wireless access points and hosts as rogues in the Host Table and<br />
Expert displays.<br />
See Configuring Rogue Identification for Wireless Networks on<br />
page 61 for details.<br />
NOTE: The Tools > Wireless options are only available if a<br />
wireless LAN adapter is the currently selected adapter, the correct<br />
driver is installed, and you are not operating in Local Mode. You<br />
can change the currently selected adapter and the Local Mode<br />
setting using the File > Adapter Settings command. See Installing<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> for information on installing the correct<br />
driver for wireless adapters in both Windows XP and Windows Vista.<br />
Configuring Surf Settings<br />
Use the Tools > Wireless > Surf Settings > Topology Surfing dialog<br />
box (Figure 4-3) to select the wireless LAN channels you would like<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> to monitor. For each wireless topology<br />
supported by your wireless adapter, you can select individual channels<br />
for monitoring, as well as the amount of time to monitor them.<br />
The Topology Surfing dialog box consists of two main panels:<br />
The left panel lists the channels available for selection. Channels<br />
are listed independently by topology (for example, 802.11A,<br />
802.11B, and 802.11G) – use the 802.11 drop-down to change the<br />
selected topology. You can select channels in the left pane and click<br />
the Add button to move them to the Selected panel.<br />
The Selected panel lists the channels currently selected for<br />
monitoring. Sniffer <strong>Portable</strong> <strong>Professional</strong> monitors each of the<br />
channels in the Selected panel in a cycle for the time specified by<br />
its Surf Time field before moving on to the next selected channel.
Use the 802.11 drop-down to change<br />
the selected topology. You can add<br />
channels from each topology<br />
supported by your card to the Surf list<br />
by selecting an entry and clicking Add.<br />
Use the Surf Time<br />
fields to specify the<br />
amount of time to<br />
monitor the<br />
selected channel.<br />
Working with the Topology Surfing Dialog Box<br />
Setting Options in the Sniffer Window<br />
The main tasks performed in the Topology Surfing dialog box are<br />
channel selection and surf time configuration:<br />
Use the Add button to move a channel from the list of available<br />
channels to the list of selected channels.<br />
To change a channel’s Surf Time, select its entry in the Selected<br />
list, enter a new value in the Surf Time field, and click Set Time.<br />
To reset all selected channels at once, click Reset All.<br />
By default, Channel 11 on 802.11G is enabled. Enable any other<br />
channels you’d like to monitor.<br />
The Selected panel lists the channels Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> will monitor. Each channel is listed with<br />
its topology, channel number, and how long Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> will monitor it during each cycle.<br />
Figure 4-3. Tools > Wireless > Surf Settings Dialog Box<br />
User’s <strong>Guide</strong> 55
Chapter 4<br />
Configuring Wireless Encryption Settings<br />
56 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Use the Tools > Wireless > Encryption option (Figure 4-4) to specify<br />
the encryption keys in use on wireless networks monitored by Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong>. If the correct keys are specified, Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> can decrypt and decode both WPA-WPA2 and<br />
WEP-encrypted packets during capture and postcapture.<br />
The IEEE 802.11 Decryption Keys dialog box consists of two main areas:<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> can decrypt both<br />
WPA/WPA2 and WEP encrypted packets<br />
simultaneously as long as you have enabled both<br />
forms of decryption and configured their<br />
associated keys correctly.<br />
Use these options to specify the<br />
keys to use for decryption of<br />
WEP-encrypted data. WEP is an<br />
early 802.11 encryption<br />
technology and is not as<br />
commonly seen as WPA-WPA2.<br />
Use these options to specify<br />
the passphrase used to<br />
decrypt data on different SSIDs<br />
(wireless networks).<br />
WEP Keys – Use this panel to specify the WEP keys used to<br />
encrypt data on the wireless network. You can specify either a<br />
single set of keys for all channels or different keys for individual<br />
channels. See Specifying WEP Keys on page 58.<br />
WPA-WPA2 Keys – Use this panel to specify the pre-shared<br />
passphrase corresponding to different SSIDs monitored by Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong>. See Specifying WPA-WPA2 Keys on page 57.<br />
Figure 4-4. Tools > Wireless > Encryption Dialog Box
Specifying WPA-WPA2 Keys<br />
Setting Options in the Sniffer Window<br />
WPA-WPA2 encryption is widely used to secure 802.11 networks and is<br />
more frequently encountered than the legacy WEP solution. Use the<br />
WPA-WPA2 options in the IEEE 802.11 Decryption Keys dialog box<br />
to specify the keys to be used for decryption of WPA-encrypted packets.<br />
You can enter the pre-shared passphrase associated with different<br />
SSIDs monitored by Sniffer <strong>Portable</strong> <strong>Professional</strong> to allow decryption and<br />
decoding of the corresponding packets during capture.<br />
NOTE: Sniffer <strong>Portable</strong> <strong>Professional</strong> can decrypt both<br />
WPA/WPA2-encrypted and WEP-encrypted data at the same time,<br />
so long as you have enabled and configured both forms of<br />
decryption in the IEEE 802.11 Decryption Keys dialog box.<br />
NOTE: You can also perform postcapture decryption on trace files<br />
saved without the Encryption options specified correctly. See<br />
Postcapture 802.11 Decryption on page 199 for information on how to<br />
decrypt encrypted data in a buffer or saved trace file.<br />
To enter WPA/WPA2 encryption keys:<br />
1 Display the Tools > Wireless > Encryption dialog box.<br />
2 In the WPA-WPA2 Keys area, check the Enable box to turn on<br />
decryption of WPA/WPA2-encrypted packets.<br />
3 Depending on how you have configured the Tools > Wireless ><br />
Surfing options, Sniffer <strong>Portable</strong> <strong>Professional</strong> will likely be<br />
encountering multiple wireless networks, each with its own<br />
encryption keys. Perform the following steps to specify the<br />
encryption keys used by each WPA/WPA2-encrypted wireless<br />
network you expect Sniffer <strong>Portable</strong> <strong>Professional</strong> to monitor:<br />
a Turn on the encryption key by checking its On radio button.<br />
b Specify the SSID for the WPA/WPA2-encrypted network. This<br />
is typically a short string used to identify a wireless network<br />
(for example, labnet).<br />
c WPA/WPA2 encryption relies on a pre-shared passphrase for<br />
encryption. Enter the passphrase associated with this SSID.<br />
d Repeat Step a though Step c for each SSID you expect Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> to monitor.<br />
4 Click OK to accept your settings.<br />
User’s <strong>Guide</strong> 57
Chapter 4<br />
58 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Notes on WPA/WPA2 Decryption<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> must observe the four EAPOL exchange<br />
packets for successful WPA decryption to take place. These packets<br />
must be seen for every independent Sniffer <strong>Portable</strong> <strong>Professional</strong> session<br />
and every independent Client > AP session. Each time you restart the<br />
application or use the File > Reset All command, Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> will need to see new EAPOL exhange packets for successful<br />
decryption. Note the following:<br />
EAPOL exchange packets are seen when a client connects to the<br />
access point. After starting Sniffer <strong>Portable</strong> <strong>Professional</strong>, perform a<br />
manual connection to the access point to make sure the EAPOL<br />
packets are exchanged.<br />
Decrypted WPA/WPA2 packets will only appear in the Expert and<br />
Decode displays after the EAPOL exchange packets are seen.<br />
EAPOL packets are only valid for a single session of Client > AP<br />
communications. Sniffer <strong>Portable</strong> <strong>Professional</strong> needs new EAPOL<br />
exchange packets for each new session.<br />
The EAPOL exchange packets must not have CRC errors in order for<br />
decryption to work successfully.<br />
If you suspect that decryption is not working correctly, try<br />
reconnecting a client to the access point with the specified<br />
passphrase.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> installations on Windows XP do not<br />
support WPA decryption of traffic seen on Private networks.<br />
You can temporarily disable a particular WPA/WPA2 key using the<br />
Off/On radio buttons.<br />
Specifying WEP Keys<br />
Use the WEP Keys options in the IEEE 802.11 Decryption Keys<br />
dialog box to specify the keys to be used for decryption of<br />
WEP-encrypted packets. You can enter either a Single Key Set for all<br />
wireless channels or specify separate keys for individual channels. Keys<br />
can be entered as either Hex or ASCII characters. If the correct keys<br />
are specified, Sniffer <strong>Portable</strong> <strong>Professional</strong> can decrypt and decode<br />
WEP-encrypted packets during capture.<br />
NOTE: Sniffer <strong>Portable</strong> <strong>Professional</strong> can decrypt both<br />
WPA/WPA2-encrypted and WEP-encrypted data at the same time,<br />
so long as you have enabled and configured both forms of<br />
decryption in the IEEE 802.11 Decryption Keys dialog box.
Setting Options in the Sniffer Window<br />
NOTE: You can also perform postcapture decryption on trace files<br />
saved without the Encryption options specified correctly. See<br />
Postcapture 802.11 Decryption on page 199 for information on how to<br />
decrypt encrypted data in a buffer or saved trace file.<br />
To enter WEP encryption keys:<br />
1 Display the Tools > Wireless > Encryption dialog box.<br />
2 In the WEP Keys area, check the Enable box to turn on decryption<br />
of WEP-encrypted packets.<br />
3 Use the Key entry mode options to specify whether Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> should use the same WEP keys on every<br />
channel on the wireless network or different keys on different<br />
channels.<br />
Enable the Single Key Set option if you would like Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> to use the specified WEP keys for every<br />
channel on the wireless network.<br />
Enable the Keys Per Channel option if you would like to<br />
specify different sets of WEP keys for different topologies and<br />
channels on the wireless network. Then, use the Topology,<br />
Channel, and Key list to specify separate keys for individual<br />
channels.<br />
4 Use the Hex/ASCII radio buttons to specify the format in which<br />
you’d like to enter the WEP keys.<br />
5 You can enter up to four separate encryption keys. For each key,<br />
do the following:<br />
a Specify the length of the key by selecting the appropriate<br />
option. Keys can be either None, 40-bit, or 128-bit. Use the<br />
None option if no encryption is used on the network.<br />
Depending on the length of the key specified, some or all of<br />
the adjacent fields become active, enabling you to specify the<br />
keys in use.<br />
b Specify the exact, case-sensitive value for each key in the<br />
adjoining spaces provided.<br />
Keep the following in mind when entering keys in ASCII format:<br />
An empty field is equivalent to a setting of None in Hex entry<br />
mode (that is, no encryption is used on the network).<br />
Five ASCII characters or 0x followed by 10 hex characters is<br />
interpreted as a 40-bit key.<br />
User’s <strong>Guide</strong> 59
Chapter 4<br />
60 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Thirteen ASCII characters or 0x followed by 26 hex characters<br />
is interpreted as a 128-bit key.<br />
NOTE: The four encryption keys in use on a WEP-encrypted<br />
network are all typically the same length — either 40-bit or<br />
128-bit.<br />
NOTE: Key entries appear as asterisks to preserve their<br />
security.<br />
Notes on Hex/ASCII Conversion<br />
If you have previously entered encryption keys in one mode and<br />
then switch to the other (Hex to ASCII or vice-versa), Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> automatically converts your entries as<br />
follows:<br />
When converting from ASCII to hex, key entries of five ASCII<br />
characters appear as 40-bit keys in Hex mode. Similarly, key<br />
entries of 13 ASCII characters appear as 128-bit keys in Hex<br />
mode.<br />
When converting from hex to ASCII, key entries are converted<br />
differently depending on the length specification in the Hex entry<br />
mode:<br />
If None was selected, the entry fields appear empty.<br />
If 40-bit was selected, Sniffer <strong>Portable</strong> <strong>Professional</strong> attempts<br />
to convert the hex key into ASCII. If conversion is possible, 5<br />
ASCII characters appear. If conversion is not possible, 0x<br />
followed by 10 hex characters appears.<br />
If 128-bit was selected, Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
attempts to convert the hex key into ASCII. If conversion is<br />
possible, 13 ASCII characters appear. If conversion is not<br />
possible, 0x followed by 26 hex characters appears.
Setting Options in the Sniffer Window<br />
Configuring Rogue Identification for Wireless Networks<br />
When the Lookup options here are<br />
enabled, Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> flags wireless entities<br />
not found in the corresponding lists<br />
as rogues in both Expert and Host<br />
Table displays.<br />
Use the Tools > Wireless > Rogue options (Figure 4-5) to enable and<br />
configure Sniffer <strong>Portable</strong> <strong>Professional</strong>’s identification of rogue entities<br />
on the wireless network.<br />
Figure 4-5. Tools > Wireless > Rogue Dialog Box<br />
If the Enable Rogue AP Lookup option (beneath the Known<br />
Access Points in the Network table) is enabled, Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> compares the MAC address (not the IP address) of<br />
each detected access point to those in the Known Access Points<br />
in the Network list. If an access point’s MAC address is not in the<br />
list, Sniffer <strong>Portable</strong> <strong>Professional</strong> labels the access point as a rogue.<br />
If the Enable Rogue Mobile Unit Lookup option is enabled, the<br />
Expert compares the MAC address (not the IP address) of each<br />
detected mobile unit to those in the Known Mobile Units in the<br />
Network list. If a mobile unit’s MAC address is not in the list,<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> labels it as a rogue.<br />
User’s <strong>Guide</strong> 61
Chapter 4<br />
62 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Rogue Identification in Sniffer <strong>Portable</strong> <strong>Professional</strong> Displays<br />
Rogues are identified in Sniffer <strong>Portable</strong> <strong>Professional</strong> displays as follows:<br />
The Expert generates Rogue Access Point and Rogue Mobile<br />
Unit alarms when a rogue is detected.<br />
The Expert identifies rogues by adding the word (Rogue) in<br />
parentheses following the offending stations’ entries in Summary<br />
and Detail displays. This provides you with a handy means of<br />
identifying units on the wireless network of which you were not<br />
aware, some of which may be unauthorized intruders.<br />
When Rogue Lookup is enabled, the Host Table includes a Status<br />
column in tabular 802.11 displays listing the current<br />
Rogue/Known/Neighbor identification of each listed entity. You<br />
can check an entry’s selection box in the Host Table (in the #<br />
column) and right-click to identify it as either Known or Neighbor,<br />
or to remove it from the Known/Neighbor list entirely.<br />
The Rogue Dialog Box and Expert Options<br />
The Tools > Wireless > Rogue dialog box provides access to the same<br />
settings found in the Tools > Expert Options > 802.11 Options tab.<br />
These two dialogs share the same list of Known/Neighbor wireless<br />
entities – when you change a setting in one dialog box, it is reflected in<br />
both places. For example, if you add an Access Point as Known from the<br />
Host Table, it will appear as Known in both the Tools > Wireless ><br />
Rogue dialog box and the Tools > Expert Options > 802.11 Options<br />
tab.<br />
See Expert 802.11 Options on page 140 for information on using the<br />
options found there, including the Import/Export features not available<br />
in the Tools > Wireless > Rogue dialog box.<br />
Adding Known Addresses to the List<br />
To use the rogue identification abilities of Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
effectively, you must first add the MAC addresses of the known access<br />
points and mobile units on your network to the Expert’s list of known<br />
wireless unit addresses. There are several ways to do this:<br />
Automatically from the real-time Host Table. See Adding Known<br />
Addresses from the Host Table on page 141.<br />
Automatically from the Expert tab of the postcapture display. See<br />
Adding Known Addresses from the Postcapture Display on page<br />
143.<br />
Automatically from the Address Book. See Autodiscovering and<br />
Adding Addresses from the Address Book on page 145.
Setting Options in the Sniffer Window<br />
Manually from the 802.11 Options tab of the Expert Properties<br />
dialog box. See Adding Known Addresses Manually in the 802.11<br />
Options Tab on page 145.<br />
In addition, you can also import and export lists of known addresses (for<br />
example, you can import addresses from other Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> installations).<br />
User’s <strong>Guide</strong> 63
Chapter 4<br />
Adding Tools to the Tools Menu<br />
64 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can add your own tools to the Tools menu. A tool can be any<br />
Windows or DOS executable file installed on or accessible to your<br />
machine.<br />
To add a tool:<br />
1 Select Tools > Customize User Tools from the main menu.<br />
2 Click the Add button. The program will add (new tool) to the tool<br />
list.<br />
3 Edit the Menu Text field. Replace (new tool) with the name you<br />
want to see on the menu.<br />
4 Specify the command line, command line parameters, and initial<br />
start-up directory as needed to properly start your program.<br />
5 Optionally, assign a shortcut key (Alt + t, letter). To do this, place<br />
an ampersand character (&) in front of the appropriate letter in the<br />
Menu Text field. (In addition, the program automatically assigns an<br />
Alt + number shortcut, visible to the right of the menu item when<br />
you display the Tools menu.)<br />
6 Optionally, use the Move Up and Move Down buttons in the<br />
Customize User Tools dialog box to change the order of tools<br />
displayed in the menu.<br />
7 Click OK. The new tool will appear on the Tools menu.<br />
Removing Tools from the Tools Menu<br />
To remove a tool listed on the Tools menu:<br />
1 Select Tools > Customize User Tools from the main menu.<br />
2 Select the tool you want to remove.<br />
3 Click Remove.<br />
4 Click OK.
Setting Options in the Sniffer Window<br />
User’s <strong>Guide</strong> 65
Chapter 4<br />
66 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Monitoring Your Network<br />
Overview<br />
This section describes Sniffer <strong>Portable</strong> <strong>Professional</strong>’s monitoring<br />
functions. It includes the following major sections:<br />
About Sniffer <strong>Portable</strong> <strong>Professional</strong> Monitor Views on page 67<br />
Monitoring Wireless Networks on page 68<br />
Monitor Filters on page 69<br />
Monitor Applications and Toolbar on page 71<br />
Monitor Alarms on page 120<br />
Exporting Monitor Data on page 120<br />
About Sniffer <strong>Portable</strong> <strong>Professional</strong> Monitor<br />
Views<br />
5<br />
The Sniffer <strong>Portable</strong> <strong>Professional</strong> monitor stores statistical<br />
measurements and calculations about your network traffic, providing an<br />
accurate picture of network activity in real time. It can generate alarms<br />
to notify you when errors are detected and can save historical records of<br />
network activity that you can use later for traffic and fault analysis.<br />
Monitoring features provide the following information:<br />
Network load statistics, including the number of frames/bytes of<br />
network traffic per time interval, the percentage of utilization, and<br />
broadcast and multicast counts.<br />
Protocol use statistics.<br />
Application response time statistics for upper layer protocols.<br />
Individual station and conversation-pair traffic statistics.<br />
Packet size distribution statistics.<br />
The data collected by the monitor can help you find traffic overloads,<br />
troubleshoot bottlenecks, and locate faulty equipment. The data can also<br />
be an important factor in deciding how to allocate your company’s<br />
resources for network maintenance and upgrades.<br />
User’s <strong>Guide</strong> 67
Chapter 5<br />
Monitoring Wireless Networks<br />
68 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> monitors independent basic service set<br />
(IBSS) and infrastructure wireless networks.<br />
IBSS networks are wireless networks without access to a<br />
distribution system. Traffic stays within the IBSS network. IBSS<br />
networks are also known as ad hoc or independent networks.<br />
Infrastructure networks are wireless networks with access to a<br />
distribution system. Infrastructure networks are typically one part<br />
of an integrated wired and wireless network structure.<br />
When you select a wireless adapter in the Adapter Settings dialog box<br />
(accessed from File > Adapter Settings or automatically the first time<br />
you select an adapter to monitor), you are by default specifying that you<br />
are monitoring both IBSS and infrastructure networks.<br />
Wireless-Specific Information in Monitor Views<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> adds wireless-specific information to many<br />
of its views, including the Dashboard, Host Table, Matrix, and Global<br />
Statistics views. See the section for each Monitor view for more<br />
information:<br />
Dashboard Counters for Wireless Networks on page 75<br />
Host Table on page 82<br />
Viewing Access Points Only on page 88<br />
Identifying Rogue Hosts on the Wireless Network on page 91<br />
Matrix on page 93<br />
Global Statistics on page 116<br />
Monitor Displays for Different WLAN Types<br />
When using Sniffer <strong>Portable</strong> <strong>Professional</strong> with a wireless adapter, you<br />
may notice differences in monitor displays for different wireless LAN<br />
(WLAN) types (a, b, g, and n).<br />
Some wireless adapters support proprietary extensions of the<br />
802.11a standard that allow 802.11a networks to operate at twice<br />
the rates stated by the 802.11a specification (for example, instead<br />
of the upper limit of 54 Mbps stated for the 802.11a specification,<br />
the 2X extension theoretically allows for an upper limit of 108<br />
Mbps).
Monitor Filters<br />
Monitoring Your Network<br />
As a consequence of this support, Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
displays for 802.11a networks will include data rate categories<br />
beyond the 54 Mbps limit claimed by the 802.11a specification. You<br />
will only see frames counted in these categories when monitoring<br />
or capturing from an 802.11a network implementing these<br />
proprietary extensions.<br />
NOTE: Wireless network channels are based on geographical<br />
location and the frequency band allocated in the country.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> lets you apply filters to the monitor. Monitor<br />
filters affect all standard monitor applications — Dashboard, Host Table,<br />
Matrix, Application Response Time, History Samples, Protocol<br />
Distribution, and Global Statistics.<br />
Using a monitor filter, you can look at your network traffic from several<br />
different views. For example, by defining and applying a hardware<br />
address filter to and from a router, you can easily tally the traffic load to<br />
and from that router. Using the same filter, the Matrix Table will also<br />
show who is talking to the router and how often. If you open the Protocol<br />
Distribution window, it will show the percentage traffic load passing<br />
through the router by protocol types. In addition, the History graph will<br />
plot traffic load at the router over time.<br />
If you want to look at matrix and host table statistics for IP traffic only,<br />
you can define and apply an IP protocol filter. If you want to focus on<br />
other protocol types, for example, IPX or AppleTalk, you can define<br />
filters for those also.<br />
IMPORTANT: For complete description of how to define a filter, see<br />
Defining Filters and Triggers on page 219.<br />
User’s <strong>Guide</strong> 69
Chapter 5<br />
Applying Monitor Filters<br />
70 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
To apply a filter to the monitor:<br />
1 From the Monitor menu, choose Select Filter.<br />
2 Check Apply monitor filter.<br />
A list of all available monitor filter profiles appears. Monitor filter<br />
profiles are defined using the Monitor > Define Filter menu<br />
option.<br />
3 Select a monitor filter from the list.<br />
Once you have selected a monitor filter in the list, the adjacent<br />
pane provides a capsule description of the filter profile's settings.<br />
4 Click OK.<br />
The selected monitor filter profile is applied to the monitor<br />
applications. You can tell if a Monitor filter is currently applied by<br />
examining the lower left corner of the Sniffer window. If a Monitor<br />
filter is currently applied, a message reading Monitor Filter On<br />
will appear.<br />
Making Changes to the Currently Selected Monitor Filter’s<br />
Definitions<br />
When you change the currently selected monitor filter's definitions in the<br />
Define Filter - Monitor dialog box, the new definitions are not enacted<br />
until you do one of the following:<br />
Toggle the setting of the Apply monitor filter option in the<br />
Monitor > Select Filter dialog box.<br />
Select a different monitor filter profile and then reselect the<br />
updated monitor filter profile in the Monitor > Select Filter dialog<br />
box.
Monitor Applications and Toolbar<br />
Table 5-1. Monitor Applications<br />
Application Toolbar<br />
Button<br />
Monitoring Your Network<br />
You display monitor data by using monitor applications. The monitor<br />
applications are listed under the Monitor menu and are also available<br />
on the main toolbar.<br />
To use monitor applications, you must be “logged on” to the selected<br />
adapter. If you are not logged on, the entries for the monitor<br />
applications in the Monitor menu will be grayed out, indicating their<br />
unavailability. For a discussion of how to use the Log On and Log Off<br />
options, see Network Adapters and Settings on page 267.<br />
For more information, see...<br />
Dashboard • Dashboard on page 72<br />
• Viewing the Dashboard Graphs on page 73<br />
• Working with the Dashboard Graphs on page 74<br />
• Setting Thresholds for the Dashboard Statistics on<br />
page 75<br />
• Dashboard Counters for Wireless Networks on page<br />
75<br />
Host Table • Host Table on page 82<br />
• Host Table Counters for Wireless Networks on page<br />
85<br />
Matrix • Matrix on page 93<br />
ART • Application Response Time (ART) on page 97<br />
History Samples • History Samples on page 110<br />
Protocol<br />
Distribution<br />
• Protocol Distribution on page 114<br />
Global Statistics • Global Statistics on page 116<br />
User’s <strong>Guide</strong> 71
Chapter 5<br />
Dashboard<br />
72 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
.<br />
Dashboard<br />
Host Table<br />
Matrix<br />
Figure 5-1. The Monitor Toolbar<br />
History<br />
Samples<br />
Application Response Time<br />
Global Statistics<br />
Protocol<br />
Distribution<br />
Alarm Log<br />
The Dashboard displays current network activity in either graphical or<br />
tabular format. Use the Dashboard to view a network segment’s<br />
utilization and packet rate in real time.<br />
Display the Dashboard by clicking the Dashboard icon in the Toolbar or<br />
by selecting the Dashboard option from the Monitor menu or click .<br />
From the Dashboard you can view or access the following information:<br />
Gauges displaying utilization, packet rate, and error rate in real<br />
time. Red zones shown in the gauges indicate the alarm threshold<br />
settings<br />
Click the Detail tab below the gauges to display tabular counters<br />
for network statistics and size distribution statistics.<br />
Topology-specific tabs displaying tabular counters for<br />
network-specific statistics.<br />
Configurable graphs for network statistics and size distribution<br />
statistics.<br />
The exact statistics (and tabs) provided in the Dashboard depend on the<br />
currently selected adapter. To view the total network traffic load<br />
accumulated since Sniffer <strong>Portable</strong> <strong>Professional</strong> started, click the Detail<br />
tab.
Click these boxes to see<br />
configurable graphs of the<br />
corresponding statistics.<br />
Monitoring Your Network<br />
IMPORTANT: See Dashboard Counters for Wireless Networks on page<br />
75 for details on the Dashboard statistics provided for wireless LANs.<br />
Viewing tips:<br />
To view average-per-second statistics select the Show Average<br />
option at the top of the Dashboard instead of the Show Total<br />
option.<br />
To reset all the statistics in the Dashboard to zero, click Reset.<br />
To set thresholds for alarms based on Dashboard statistics, click<br />
Set Thresholds.<br />
Figure 5-2 shows a sample Dashboard for an Ethernet adapter.<br />
Figure 5-2. The Dashboard Gauge View<br />
Viewing the Dashboard Graphs<br />
Click these options to narrow (Short term) or widen (Long term) the<br />
scale of the Network, Detail Errors, and Size Distribution graphs.<br />
The Dashboard also provides configurable graphs for the broad groups<br />
of statistics shown on the Detail tab. Ethernet adapters include<br />
configurable graphs for:<br />
Network statistics<br />
Size Distribution statistics<br />
Wireless LAN adapters include configurable graphs for:<br />
Network statistics<br />
Wireless Statistics<br />
User’s <strong>Guide</strong> 73
Chapter 5<br />
74 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Speed Statistics<br />
You view the configurable graphs by clicking the box corresponding to<br />
the desired group of statistics at the bottom of the Dashboard. A graph<br />
appears at the bottom of the Dashboard showing the selected statistics.<br />
Figure 5-3 shows the Network statistics graph for an Ethernet adapter.<br />
The exact statistics shown in the Network graph will change depending<br />
on the selected adapter.<br />
Click the Scroll buttons to move the graph’s “current” line. The statistics shown at<br />
the right of the graph reflect the statistics at the “current” line’s position. You can<br />
see the exact time and date of the “current” line to the right of the Scroll buttons.<br />
The “Current” line.<br />
Figure 5-3. Configurable Dashboard Graph<br />
Working with the Dashboard Graphs<br />
Check the boxes corresponding to each statistic you would like<br />
included in the graph. The statistics available for graphing are the<br />
same as those in the Detail tab at the top of the Dashboard.<br />
You work with the configurable graphs as follows:
Monitoring Your Network<br />
Each possible statistic for the graphs is listed at the right of the<br />
graph. Check the boxes of the statistics you would like included in<br />
the graph. A line in the corresponding color will appear in the graph<br />
for the selected statistic.<br />
If you are having difficulty viewing the line for a particular statistic,<br />
allow your mouse to hover over the entry for the statistic at the<br />
right of the graph. The corresponding line will appear in bold in the<br />
graph while your mouse is hovering over its entry at the right.<br />
The graph includes a vertical “current” line. The statistics counters<br />
at the right of the graph are based on the position of the “current<br />
line.” You can move the current line in either of the following ways:<br />
Clicking the arrow buttons at the top of the graph.<br />
Clicking to the right or the left of the “current” line in the<br />
graph.<br />
The time and date entry at the top of the graph shows the current<br />
position of the “current” line.<br />
You can widen or narrow the time scale of the graph by clicking the<br />
Long term (widen) or Short term (narrow) buttons at the top of<br />
the graph.<br />
Setting Thresholds for the Dashboard Statistics<br />
You can set alarm thresholds for each of the dials on the Dashboard (as<br />
well as many other network statistics). When a threshold is exceeded,<br />
an entry is made in the Alarm log. You can monitor the Alarm log to keep<br />
watch over your network.<br />
To set a threshold value, click Set Thresholds at the top of the<br />
Dashboard (Figure 5-2). Alternatively, you can select Options from the<br />
Tools menu and click the Mac Threshold tab. You will see a complete<br />
list of network parameters that can trigger a threshold alarm. The exact<br />
parameters depend on the currently selected adapter.<br />
Another option in this dialog box is the Monitor sampling interval<br />
option. The High Threshold value for each measure will be the average<br />
per second value measured during the monitor sampling interval.<br />
Dashboard Counters for Wireless Networks<br />
For wireless displays, the Dashboard includes a number of<br />
wireless-specific counters not seen on wired networks. These counters<br />
are described in this section and are found in:<br />
The Gauge tab (see The Dashboard Gauge Tab on page 76)<br />
The 802.11 tab (see The Dashboard 802.11 Tab on page 77)<br />
User’s <strong>Guide</strong> 75
Chapter 5<br />
The Dashboard Gauge Tab<br />
76 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Gauge tab is displayed by default when you start the Dashboard.<br />
When capturing from wireless networks, the Dashboard’s Gauge tab<br />
provides a Throughput gauge. This gauge provides a real-time<br />
measurement of the data rate (in bits per second) observed by Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong>. When calculating throughput, Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> only counts data frames. Management and control frames<br />
are not part of this calculation. However, the throughput measurement<br />
does include the header portions of data frames (see How Wireless<br />
Utilization is Calculated on page 76 for details).<br />
How Wireless Utilization is Calculated<br />
The Dashboard provides network utilization percentage measurements<br />
on both the Gauge and Detail tabs. Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
calculates network utilization by storing the airtime (in microseconds)<br />
for each observed frame in a buffer. Every second, the value in this<br />
buffer is divided by 1,000,000 microseconds (that is, a second) to obtain<br />
a percentage utilization measurement.<br />
The airtime for each frame is calculated as follows:<br />
1 First, the duration of the frame’s PLCP header is stored. PLCP<br />
headers can be either:<br />
192 microseconds. This is the Long header format specified<br />
in IEEE 802.11b/g for 1 and 2 Mbps transmission speeds.<br />
96 microseconds. This is the Short header format specified<br />
in IEEE 802.11b/g for 5.5 and 11 Mbps transmission speeds.<br />
NOTE: The calculations for 802.11a are performed similarly<br />
except that they use the duration of the PLCP header specified<br />
for different 802.11a rates.<br />
2 Each frame’s PLCP header includes a field indicating the length of<br />
the data portion of the frame in microseconds. Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> adds this value to the duration of the PLCP header<br />
observed in the previous step and stores the sum in a buffer.<br />
3 Each second, the value in the buffer is divided by 1,000,000<br />
microseconds to obtain a percentage utilization measurement.
The Dashboard 802.11 Tab<br />
802.11 Dashboard Tab<br />
Monitoring Your Network<br />
The Dashboard’s 802.11 tab (Figure 5-4) includes counters for wireless<br />
LAN Statistics, Management frame types, and Control frame types:<br />
Statistics Counters in the 802.11 Tab on page 77<br />
Management Frame Type Counters in the 802.11 Tab on page 79<br />
Control Frame Type Counters in the 802.11 Tab on page 81<br />
Figure 5-4. Sample 802.11 Tab in Dashboard<br />
Statistics Counters in the 802.11 Tab<br />
Table 5-2 lists and describes the Statistics counters in the Dashboard’s<br />
802.11 tab (sample shown in Figure 5-4).<br />
Table 5-2. Statistics Counters in the Dashboard’s 802.11 Tab<br />
(1 of 3)<br />
Counter Description<br />
Data Pkts The number of data packets observed on the<br />
wireless LAN.<br />
User’s <strong>Guide</strong> 77
Chapter 5<br />
78 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 5-2. Statistics Counters in the Dashboard’s 802.11 Tab<br />
(2 of 3)<br />
Counter Description<br />
Management Pkts The number of Management packets<br />
observed on the wireless LAN. Management<br />
packets include Association Requests, Probe<br />
Requests, and so on. They are counted<br />
individually in the Management column of<br />
the 802.11 tab.<br />
Control Pkts The number of Control packets observed on<br />
the wireless LAN. Control packets include PS<br />
Polls, CF Ends, and so on. They are counted<br />
individually in the Control column of the<br />
802.11 tab.<br />
Data Throughput The current data rate (in bits per second)<br />
observed by Sniffer <strong>Portable</strong> <strong>Professional</strong>.<br />
When calculating throughput, Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> only counts data<br />
frames. Management and control frames are<br />
not part of this calculation. However, the<br />
throughput measurement does include the<br />
header portions of data frames.<br />
Retry Pkts The number of Retry packets observed on<br />
the wireless LAN. Stations send retry<br />
packets when they receive no<br />
acknowledgment to a previously sent<br />
packet.<br />
WEP Pkts The number of packets observed on the<br />
wireless LAN with the WEP bit in the Frame<br />
Control field set to true. This indicates that<br />
Wired Equivalent Policy encryption was used<br />
on the packet.<br />
Order Pkts The number of packets observed on the<br />
wireless LAN with the Order bit in the Frame<br />
Control field set to true. This indicates that<br />
packets must be processed in order.<br />
PLCP Short Pkts The number of Physical Layer Convergence<br />
Protocol (PLCP) protocol data units seen with<br />
the “short” preamble and header. This form<br />
of PLCP PDU is used to achieve higher<br />
throughput and can support 5.5 and 11<br />
Mbps transmission speeds.
Monitoring Your Network<br />
Table 5-2. Statistics Counters in the Dashboard’s 802.11 Tab<br />
(3 of 3)<br />
Counter Description<br />
PLCP Long Pkts The number of PLCP PDUs seen with the<br />
“long” preamble and header. This form of<br />
PLCP PDU is compatible with legacy<br />
equipment from older wireless LANs and<br />
supports and operates at either 1 Mbps or 2<br />
Mbps.<br />
Data Rate Counters These counters provide packet counts for<br />
different speed ranges.<br />
Management Frame Type Counters in the 802.11 Tab<br />
Management frames are used to set up the initial communications<br />
between stations and access points on the wireless network. Table 5-3<br />
lists and describes the Management frame counters in the Dashboard’s<br />
802.11 tab (example shown in Figure 5-4 on page 77).<br />
Table 5-3. Management Frame Counters in the Dashboard’s 802.11<br />
Tab (1 of 2)<br />
Counter Description<br />
Association Requests The number of Association Requests<br />
observed on the wireless network. Stations<br />
send Association Requests to become<br />
associated with access points.<br />
Association Responses The number of Association Responses<br />
observed on the wireless network. Access<br />
points send Association Responses in<br />
response to Association Requests from<br />
wireless stations.<br />
Reassociation Requests The number of Reassociation Requests<br />
observed on the wireless network. Stations<br />
send Reassociation Requests when they<br />
need to associate with a new access point<br />
(for example, because they are out of range<br />
of their old access point). This way, the new<br />
access point knows to set up forwarding of<br />
traffic from the old access point.<br />
Reassociation Responses The number of Reassociation Responses<br />
observed on the wireless network. Access<br />
points send Reassociation Responses in<br />
response to Reassociation Requests from<br />
wireless stations.<br />
User’s <strong>Guide</strong> 79
Chapter 5<br />
80 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 5-3. Management Frame Counters in the Dashboard’s 802.11<br />
Tab (2 of 2)<br />
Counter Description<br />
Probe Requests The number of Probe Requests observed on<br />
the wireless network. Stations send Probe<br />
Requests to other stations or access points<br />
to retrieve information (for example, to<br />
determine whether a given access point is<br />
open for new associations).<br />
Probe Responses The number of Probe Responses observed<br />
on the wireless network. Stations and access<br />
points send Probe Responses containing<br />
requested parameters in response to Probe<br />
Requests.<br />
Beacons The number of Beacon packets observed on<br />
the wireless network. Access points send<br />
beacon packets at a regular interval to<br />
synchronize timing between stations on the<br />
same network.<br />
ATIMs The number of Announcement Traffic<br />
Indication Messages (ATIMs) observed on<br />
the wireless network. Stations send ATIMs<br />
immediately after a beacon packet<br />
transmission to inform other stations that<br />
they have data to transmit to them.<br />
Disassociations The number of Disassociation packets<br />
observed on the wireless network. Stations<br />
and access points send Disassociations to<br />
end associations.<br />
Authentications The number of Authentication packets<br />
observed on the wireless network. Stations<br />
and access points send Authentications to<br />
identify one another securely.<br />
Deauthentications The number of Deauthentication packets<br />
observed on the wireless network. Stations<br />
and access points send Deauthentications to<br />
end secure communications with one<br />
another.
Control Frame Type Counters in the 802.11 Tab<br />
Monitoring Your Network<br />
Once stations and access points on the wireless networks have<br />
established communications with one another (through the Association<br />
and Authentication packet types described in the previous section),<br />
Control frames are used in the transmission of data frames. Table 5-4<br />
lists and describes the Control frame counters in the Dashboard’s<br />
802.11 tab (example shown in Figure 5-4 on page 77).<br />
Table 5-4. Control Frame Counters in the Dashboard’s 802.11 Tab<br />
Counter Description<br />
PS Polls The number of Power Save (PS) Poll packets<br />
observed on the wireless network. PS Poll<br />
packets are sent by stations to inform other<br />
stations of time windows during which they<br />
will not be transmitting.<br />
RTS The number of Request to Send (RTS)<br />
packets observed on the wireless network.<br />
RTS packets are sent by stations to<br />
negotiate how a data frame will be sent.<br />
CTS The number of Clear to Send (CTS) packets<br />
observed on the wireless network. Stations<br />
send CTS packets to acknowledge the<br />
receipt of an RTS packet and to indicate that<br />
they are ready to receive data.<br />
Acknowledge The number of Acknowledge packets<br />
observed on the wireless network. Stations<br />
send acknowledge packets to indicate that<br />
they have received an error-free packet.<br />
CF End The number of Contention-Free (CF) End<br />
packets observed on the wireless network.<br />
CF End packets are sent to indicate the end<br />
of a contention period.<br />
CF End/CF ACK CF End/CF ACK packets are sent to<br />
acknowledge CF End packets.<br />
BSSID The Basic Service Set Identification (BSSID)<br />
for the access point on the channel being<br />
monitored.<br />
ESSID The Extended Service Set Identification<br />
(ESSID) for the channel being monitored.<br />
User’s <strong>Guide</strong> 81
Chapter 5<br />
Host Table<br />
82 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Host Table collects each network node’s traffic statistics in real time.<br />
For LAN adapters, the Host Table accumulates MAC, IP network, IP<br />
application, IPX network, and IPX transport-layer information.<br />
For wireless LAN adapters, the Host Table accumulates 802.11,<br />
MAC, IP, and IPX transport-layer information. See Host Table<br />
Counters for Wireless Networks on page 85 for more information<br />
on wireless-specific statistics.<br />
Options for viewing data in the Host Table are summarized in the<br />
following table.<br />
Table 5-5. Host Table Toolbar Options<br />
Button Description<br />
Access Point Table (802.11 Tab Only). Focuses the<br />
standard Outline Table view on Access Points only, helping<br />
you zoom in on their associated statistics.<br />
Outline Table. The table views display traffic count<br />
statistics for each network node in real time. The outline<br />
table provides a quick summary of total bytes and packets<br />
transmitted in and out of each network node.<br />
Detail Table. The table views display traffic count statistics<br />
for each network node in real time.<br />
For most tabs, the detail table provides a quick summary of<br />
the higher-layer protocol type and its traffic load<br />
transmitted in and out of each network node.<br />
For the 802.11 tab, the detail table breaks out packet<br />
counts by different wireless control frame types. For<br />
example, stations sending Beacon frames are listed with<br />
counts for in and out packets and bytes associated with<br />
beacon frames.<br />
Bar Chart. The bar chart displays the top x busiest host<br />
nodes in real time, where x is a user-configurable number.<br />
(The default is 10.)<br />
Pie Chart. The pie chart displays the top x busiest host<br />
nodes as relative percentages of the total load of top x<br />
traffic. x is a user-configurable number (the default is 10).<br />
Capture. Capture data to or from a single station (first<br />
select a station from outline table view).<br />
Define Filter. Displays the Define Filter - Capture dialog<br />
box, pre-populated with settings based on the selected<br />
station in the Outline Table.
Table 5-5. Host Table Toolbar Options<br />
Button Description<br />
Monitoring Your Network<br />
Add to Last Filter. Displays the Define Filter - Capture<br />
dialog box, adding information associated with the selected<br />
station in the Outline Table to the previous filter<br />
information.<br />
NOTE: The type of selected station must match the station<br />
used in the previous filter for this to work. For example, if<br />
you select an IP station in the Host Table’s IP tab and click<br />
Define Filter, the Define Filter - Capture dialog box will<br />
automatically populate with the IP address of the selected<br />
station. You could then select a second IP station in the IP<br />
tab, click the Add to Last Filter button, and see the Define<br />
Filter - Capture dialog box appear with the IP address of the<br />
second station added to the previous station. However, you<br />
could not go to the MAC tab, select a station, and then add<br />
that to a filter already populated with IP information. The<br />
filter types must match.<br />
Pause. Pauses updates.<br />
Refresh. Refreshes the display.<br />
Reset. Resets all counters to zero.<br />
Export. Exports tabular data to CSV (Table views only)<br />
Properties. Opens a properties dialog box in which you<br />
can set operating parameters for the Host Table, including<br />
update and sort intervals, sort options for charts, and which<br />
wireless stations are included in the display (Access<br />
Points, Stations, None, or any combination of the three).<br />
Single Station. Displays a Single Station view for the<br />
selected station. See Host Table Single Station Functions on<br />
page 84 for more information.<br />
Export data to HTML (Table views only)<br />
Sort a Host Table by clicking a column heading (for example, to sort the<br />
statistics by incoming packets, click the In Pkts column heading). Click<br />
a second time to sort in reverse order.<br />
User’s <strong>Guide</strong> 83
Chapter 5<br />
84 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can configure settings (specifying to show the raw address instead<br />
of a symbolic name, defining the update and sort interval, and defining<br />
the sort variable and top-N variable in the bar and pie chart) by clicking<br />
Properties from the Host Table toolbar.<br />
In the table views, you can export the statistics for tabulation or<br />
charting. Refer to Exporting Monitor Data on page 120.<br />
Figure 5-5 shows a sample Host Table display.<br />
Figure 5-5. The Host Table (Outline Table View)<br />
Maximum Number of Entries in the Host Table<br />
The maximum number of entries in the Host Table display is 1000.<br />
Host Table Single Station Functions<br />
Click to display traffic by 802.11, MAC, IP, or IPX<br />
To capture data to or from a single station, click the station’s icon in the<br />
outline table and then click the button. (For more information, see<br />
Capturing from Specific Stations (Visual Filters) on page 128.)<br />
To display a single station’s statistics, click the station’s icon in the<br />
outline table and click the button. You can view a single station’s<br />
statistics in a traffic map, table, bar chart, or pie chart.
Host Table Counters for Wireless Networks<br />
Monitoring Your Network<br />
In addition to the standard Host Table features available for all<br />
networks, Sniffer <strong>Portable</strong> <strong>Professional</strong> provides counters specifically for<br />
MAC-layer wireless stations in the 802.11 tab.<br />
Display the Host Table’s 802.11 tab by clicking it at the bottom of the<br />
Host Table window. For each MAC-layer wireless station detected on the<br />
network, the 802.11 tab provides the statistics listed and described in<br />
Table 5-6.<br />
In addition, you can click the Access Point button to zoom in on<br />
access points only. See Viewing Access Points Only on page 88 for<br />
information on the counts in the Access Points view.<br />
Table 5-6. Host Table Counters in the 802.11 Tab (1 of 3)<br />
Counter Description<br />
HwAddr The hardware address for this station.<br />
Type The type of station. Station types include:<br />
• AP. Access Point.<br />
• STA. Wireless Station.<br />
Status The Status column lets you monitor<br />
Known, Rogue, and Neighbor stations in<br />
your WLAN. It appears whenever Enable<br />
Rogue AP Lookup and/or Enable Rogue<br />
Mobile Unit Lookup is turned on in either<br />
Tools > Wireless > Rogue or Tools ><br />
Expert Options > 802.11 Options.<br />
As you use the Host Table, you can flag a<br />
wireless entity as either Known or<br />
Neighbor by checking its box in the<br />
leftmost # column, right-clicking, and<br />
selecting either Add to Wireless Units List<br />
as Known or Add to Wireless Units List<br />
as Neighbor. The value you assign will<br />
appear in the Status column, helping you<br />
keep track of unknown entities on your<br />
WLAN. See Adding Known Addresses to the<br />
List on page 141 for information on the<br />
different ways you can automatically add<br />
addresses to the list of known units, how<br />
rogues are flagged in Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> displays, and so on.<br />
BSSID The Basic Service Set ID associated with this<br />
station.<br />
ESSID The Extended Service Set ID associated with<br />
this station.<br />
User’s <strong>Guide</strong> 85
Chapter 5<br />
86 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 5-6. Host Table Counters in the 802.11 Tab (2 of 3)<br />
Counter Description<br />
Encryption The last observed encryption method for this<br />
host. Possible values include:<br />
• RC4-Open (WEP)<br />
• RC4-TKIP (WPA-PSK)<br />
• AES-CCMP (WPA2-PSK)<br />
•Unencrypted<br />
If this field is empty, then no encryption is in<br />
use.<br />
Authentication The last observed authentication method for<br />
this host. Possible values include:<br />
•Open<br />
•Shared<br />
• 802.1X-PSK<br />
Monitored Topology The wireless network topology on which this<br />
station was last seen transmitting. For<br />
example, A for 802.11A, B for 802.11b, and<br />
so on.<br />
Monitored Channel The wireless network channel on which this<br />
station was last seen transmitting.<br />
Valid Topology The wireless network topology on which this<br />
station is supposed to be transmitting<br />
according to the information in transmitted<br />
packets.<br />
Compare this value to the Monitored<br />
Topology value.<br />
Valid Channel The wireless network channel on which this<br />
station is supposed to be transmitting<br />
according to the information in transmitted<br />
packets.<br />
Compare this value to the Monitored<br />
Channel value to see how channels are<br />
overlapping in your WLAN.<br />
Signal Curr The average of all measured signal strengths<br />
for this station.<br />
Signal Max Of the measured signal strengths for this<br />
station, the highest (expressed as a<br />
percentage).<br />
Signal Min Of the measured signal strengths for this<br />
station, the lowest (expressed as a<br />
percentage).
Monitoring Your Network<br />
Table 5-6. Host Table Counters in the 802.11 Tab (3 of 3)<br />
Counter Description<br />
In Bytes The number of bytes received by this<br />
station.<br />
Out Bytes The number of bytes transmitted by this<br />
station.<br />
In Pkts The number of packets received by this<br />
station.<br />
Out Pkts The number of packets transmitted by this<br />
station.<br />
Broadcast The number of broadcast packets<br />
transmitted by this station.<br />
Multicast The number of multicast packets transmitted<br />
by this station.<br />
Retry Pkts The number of retry packets transmitted by<br />
this station. Stations send retry packets<br />
when they receive no acknowledgment to a<br />
previously sent packet.<br />
Data Rate Counters These counters provide packet counts for<br />
different speed ranges.<br />
Update Time The last time this station was updated in the<br />
Host Table with new statistics.<br />
Create Time The time this station’s entry was first added<br />
to the Host Table.<br />
User’s <strong>Guide</strong> 87
Chapter 5<br />
Viewing Access Points Only<br />
88 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can click the Access Point button in the Host Table’s 802.11<br />
tab to zoom in on access points only.<br />
The statistics available in the Access Point view are somewhat different<br />
than those in the full 802.11 tab, as summarized in the table below.<br />
Table 5-7. Host Table Counters in the Access Point View<br />
Counter Description<br />
Access Points The hardware address for each detected<br />
access point.<br />
Status The Status column lets you monitor<br />
Known, Rogue, and Neighbor stations in<br />
your WLAN. It appears whenever Enable<br />
Rogue AP Lookup and/or Enable Rogue<br />
Mobile Unit Lookup is turned on in either<br />
Tools > Wireless > Rogue or Tools ><br />
Expert Options > 802.11 Options.<br />
As you use the Host Table, you can flag a<br />
wireless entity as either Known or<br />
Neighbor by checking its box in the<br />
leftmost # column, right-clicking, and<br />
selecting either Add to Wireless Units List<br />
as Known or Add to Wireless Units List<br />
as Neighbor. The value you assign will<br />
appear in the Status column, helping you<br />
keep track of unknown entities on your<br />
WLAN. See Adding Known Addresses to the<br />
List on page 141 for information on the<br />
different ways you can automatically add<br />
addresses to the list of known units, how<br />
rogues are flagged in Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> displays, and so on.<br />
ESSID The Extended Service Set ID associated with<br />
this station.<br />
Encryption The last observed encryption method for this<br />
host. Possible values include:<br />
• RC4-Open (WEP)<br />
• RC4-TKIP (WPA-PSK)<br />
• AES-CCMP (WPA2-PSK)<br />
•Unencrypted<br />
If this field is empty, then no encryption is in<br />
use.
Monitoring Your Network<br />
Table 5-7. Host Table Counters in the Access Point View<br />
Counter Description<br />
Authentication The last observed authentication method for<br />
this host. Possible values include:<br />
•Open<br />
•Shared<br />
• 802.1X-PSK<br />
Monitored Topology The wireless network topology on which this<br />
station was last seen transmitting. For<br />
example, A for 802.11A, B for 802.11b, and<br />
so on.<br />
Monitored Channel The wireless network channel on which this<br />
station was last seen transmitting.<br />
Valid Topology The wireless network topology on which this<br />
station is supposed to be transmitting<br />
according to the information in transmitted<br />
packets.<br />
Compare this value to the Monitored<br />
Topology value.<br />
Valid Channel The wireless network channel on which this<br />
station is supposed to be transmitting<br />
according to the information in transmitted<br />
packets.<br />
Compare this value to the Monitored<br />
Channel value to see how channels are<br />
overlapping in your WLAN.<br />
Signal Curr The average of all measured signal strengths<br />
for this station.<br />
Signal Max Of the measured signal strengths for this<br />
station, the highest (expressed as a<br />
percentage).<br />
Signal Min Of the measured signal strengths for this<br />
station, the lowest (expressed as a<br />
percentage).<br />
In Bytes The number of bytes received by this access<br />
point.<br />
Out Bytes The number of bytes transmitted by this<br />
access point.<br />
In Pkts The number of packets received by this<br />
access point.<br />
Out Pkts The number of packets transmitted by this<br />
access point.<br />
User’s <strong>Guide</strong> 89
Chapter 5<br />
90 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 5-7. Host Table Counters in the Access Point View<br />
Counter Description<br />
Beacons The number of beacon packets transmitted<br />
by this access point. Access points send<br />
beacon packets at a regular interval to<br />
synchronize timing between stations on the<br />
same network.<br />
Update Time The last time this access point was updated<br />
in the Host Table with new statistics.<br />
Create Time The time this access point’s entry was first<br />
added to the Host Table.
Identifying Rogue Hosts on the Wireless Network<br />
Monitoring Your Network<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> helps you identify unknown units on your<br />
wireless network, both during monitoring and live capture. In general,<br />
this feature works by comparing detected addresses to a list of Known<br />
and Neighbor addresses. Addresses not found in this list are flagged as<br />
rogues in Sniffer <strong>Portable</strong> <strong>Professional</strong> displays. The figure below<br />
summarizes the process:<br />
1. Enable Rogue Lookup for Access Points and/or Mobile Units<br />
in either Tools > Wireless > Rogue (shown) or Tools > Expert<br />
Options > 802.11 Options. See Configuring Rogue<br />
Identification for Wireless Networks on page 61 for details.<br />
2. All wireless entities start out as rogues.<br />
Add wireless entities as Known or Neighbors<br />
to change their classification. The easiest<br />
way to do this is by checking entries in the #<br />
column of the Host Table’s 802.11 tab and<br />
right-clicking. However, there are several<br />
ways to do this – see Adding Known<br />
Addresses to the List on page 62.<br />
3. Review the Status column in the Host<br />
Table, as well as Expert displays to review<br />
the Known/Neighbor/Rogue classification<br />
of wireless entities. See Rogue<br />
Identification in Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> Displays on page 62 for<br />
information on where Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> reports this status.<br />
User’s <strong>Guide</strong> 91
Chapter 5<br />
Selecting Wireless Host Types to View in the 802.11 Tab<br />
92 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can filter the display in the Host Table’s 802.11 tab to display any<br />
combination of the following host types:<br />
AP – Wireless access points.<br />
STA – Wireless stations.<br />
None – Unclassified stations (for example, broadcast/multicast<br />
stations and stations that have not yet been classified).<br />
To filter the Host Table display, click the Properties button in the Host<br />
Table to display the Host Table Properties dialog box (Figure 5-6). From<br />
here, you can use the 802.11 Host Type tab to select which types of<br />
wireless hosts you would like displayed in the Host Table’s 802.11 tab.<br />
Use standard Ctrl-Click and Shift-Click techniques to select any<br />
combination of the listed types and click OK.<br />
NOTE: The setting made here does not apply to the Access Points<br />
view in the 802.11 tab. It always focuses on Access Points.<br />
Figure 5-6. Selecting Wireless Hosts for the Host Table’s 802.11 Tab
Matrix<br />
Monitoring Your Network<br />
The Matrix collects statistics for conversations between network nodes<br />
in real time:<br />
For LAN adapters, the Matrix accumulates MAC, IP network, IP<br />
application, IPX network, and IPX transport-layer information.<br />
For wireless LAN adapters, the Matrix accumulates MAC, IP, IPX,<br />
and 802.11 statistics. See Matrix Counters for Wireless Networks<br />
(802.11 Tab) on page 96 for more information on wireless-specific<br />
statistics.<br />
You can view Matrix data as a traffic map, as a table, or as a bar or pie<br />
chart using the buttons in the Matrix toolbar, as described in the table<br />
below.<br />
Table 5-8. Matrix Toolbar Options<br />
Button Description<br />
Traffic Map. The traffic map provides a birds-eye view of<br />
network traffic patterns between nodes in real time.<br />
Outline Table. The table views display traffic count<br />
statistics for each detected conversation in real time. The<br />
outline table provides a quick summary of total bytes and<br />
packets transmitted by each side of each detected<br />
conversation.<br />
Detail Table. The table views display traffic count statistics<br />
for each conversation in real time.<br />
For most tabs, the detail table provides a quick summary of<br />
the higher-layer protocol type and its traffic load<br />
transmitted on both sides of each conversation.<br />
For the 802.11 tab, the detail table breaks out packet<br />
counts by different wireless control frame types. For<br />
example, Beacon frame counts are provided for both sides<br />
of each detected conversation.<br />
Bar Chart. The bar chart displays the top x busiest<br />
conversations in real time, where x is a user-configurable<br />
number in the Matrix Properties dialog box. (The default is<br />
10.)<br />
Pie Chart. The pie chart displays the top x busiest<br />
conversations as relative percentages of the total load of<br />
top x traffic. x is a user-configurable number in the Matrix<br />
Properties dialog box (the default is 10).<br />
User’s <strong>Guide</strong> 93
Chapter 5<br />
94 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 5-8. Matrix Toolbar Options<br />
Button Description<br />
Capture. Capture data associated with a single<br />
conversation. First, select a conversation from the outline<br />
table view and then click this button to start capture on the<br />
selected conversation.<br />
Define Filter. Displays the Define Filter - Capture dialog<br />
box, pre-populated with settings based on the selected<br />
conversation in the Outline Table.<br />
Add to Last Filter. Displays the Define Filter - Capture<br />
dialog box, adding information associated with the selected<br />
conversation in the Outline Table to the previous filter<br />
definition.<br />
NOTE: The type of selected conversation must match the<br />
conversation used in the previous filter for this to work. For<br />
example, if you select an IP conversation in the Host<br />
Table’s IP tab and click Define Filter, the Define Filter -<br />
Capture dialog box will automatically populate for traffic<br />
flowing between the IP addresses of the selected stations.<br />
You could then select a second IP conversation in the IP<br />
tab, click the Add to Last Filter button, and see the Define<br />
Filter - Capture dialog box appear with the IP addresses of<br />
the second conversation added to the previous<br />
conversation. However, you could not go to the MAC tab,<br />
select a conversation, and then add that to a filter already<br />
populated with IP information. The filter types must match.<br />
Pause. Pauses updates.<br />
Refresh. Refreshes the display.<br />
Reset. Resets all counters to zero.<br />
Export. Exports tabular data to CSV (Table views only)<br />
Refer to Exporting Monitor Data on page 120 for more<br />
information.<br />
Properties. Opens a properties dialog box in which you<br />
can set operating parameters for the Matrix, including the<br />
colors used in the traffic map, the top x variable in the bar<br />
and pie chart, and the update and sort interval.<br />
Export data to HTML (Table views only). Refer to Exporting<br />
Monitor Data on page 120 for more information.
Maximum Number of Entries in the Matrix Display<br />
Monitoring Your Network<br />
The maximum number of entries in the Matrix display is 2000. The<br />
Matrix’s Outline and Detail views can both show all 2000 entries.<br />
However, the Traffic Map cannot show all 2000 and will display an<br />
Overflow message indicating that not all entries can be shown.<br />
NOTE: When the Matrix display reaches its maximum number of<br />
entries, you must press the Refresh button to display new entries.<br />
Refresh Rate for the Matrix<br />
The default refresh rate is 1 second. You can use the Update every x<br />
seconds option in the Properties dialog box for the Matrix to change the<br />
refresh rate.<br />
Figure 5-7 shows a Matrix bar chart for a wireless adapter.<br />
Click to display traffic by MAC, IP, IPX, or 802.11 (WLANs only)<br />
Figure 5-7. The Matrix (Bar Chart View) and Toolbar<br />
User’s <strong>Guide</strong> 95
Chapter 5<br />
Setting Capture Filters from the Matrix<br />
96 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
To capture data on a specific station or conversation from the matrix:<br />
Click the icon for a single stations in the traffic map, or:<br />
Select a conversation entry in the outline table view.<br />
Then, click the button. (For more information, see Capturing from<br />
Specific Stations (Visual Filters) on page 128.)<br />
NOTE: If you have difficulty selecting a station for capture in the<br />
traffic map, try clicking the Pause button before selecting the<br />
station.<br />
Matrix Counters for Wireless Networks (802.11 Tab)<br />
In addition to the standard Matrix features available for all networks,<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> provides counters specifically for MAC-layer<br />
wireless stations in the 802.11 tab.<br />
Display the Matrix’s 802.11 tab by clicking it at the bottom of the Matrix<br />
window. For each conversation involving MAC-layer wireless stations<br />
detected on the network, the 802.11 tab provides packet and byte<br />
counts for each side of the conversation.
Application Response Time (ART)<br />
Monitoring Your Network<br />
The Application Response Time (ART) monitor application measures and<br />
reports response times for application layer connections between<br />
servers and clients on known TCP/UDP ports in real time (for example,<br />
HTTP, Telnet, SNMP, and so on). Response times are measured as the<br />
time between when a request was sent and when the corresponding<br />
response was observed by Sniffer <strong>Portable</strong> <strong>Professional</strong>.<br />
When ART first appears, the Tabular view is displayed. However, you<br />
can also view response times for different application connections as<br />
either a client-server response time bar chart or a server response<br />
time bar chart by clicking the appropriate button at the left of the<br />
ART window. See the following sections for details on these views:<br />
ART – The Tabular View on page 98<br />
ART – The Server-Client Response Time Bar Chart on page 100<br />
ART – The Server Response Time Bar Chart on page 100<br />
About ART Monitor Alarms<br />
In addition to measuring and reporting application response times, ART<br />
also generates alarms for detected application response times that are<br />
slower than the thresholds in the App Threshold tab of the Options<br />
dialog box. See the ART Alarms on page 105 for information on how to<br />
change these thresholds.<br />
How ART Calculates Response Times<br />
In general, the ART application calculates response times by measuring<br />
the interval between when a packet is sent and when the corresponding<br />
response is seen. However, in practice, this is slightly different for<br />
connection-oriented protocols (like TCP) and connectionless protocols<br />
(like UDP).<br />
TCP – For each socket, ART stores the sequence numbers for<br />
packets sent by the client and waits for the corresponding ACK<br />
packets from the server. It then measures the time difference<br />
between the packet with the stored sequence number and the<br />
packet with the ACK to arrive at the response time.<br />
UDP – For each socket, ART measures the time between packets<br />
going from a client to a server and the next packet going from the<br />
server to the client.<br />
User’s <strong>Guide</strong> 97
Chapter 5<br />
98 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Adding Custom Protocols to the ART Display<br />
If your network uses non-standard TCP or UDP ports for different upper<br />
layer protocols, or if you want to add a custom protocol running over TCP<br />
or UDP, you can still get ART analysis (and analysis from all other<br />
Monitor applications, too) by specifying the correct port number for<br />
different upper layer protocols in the Protocols tab of the Options dialog<br />
box (accessed by selecting the Options command from the Tools<br />
menu). Keep in mind, however, that if you do change the port numbers,<br />
you will need to stop and restart collection for your changes to take<br />
effect. You can do this using the Reset command in the File menu. See<br />
Adding Custom Protocols to the ART Display on page 108 for details.<br />
Not Seeing ART Data?<br />
If the ART displays are not populating with data, make sure that Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> is connected to the network in such a way that it<br />
is seeing both sides of a conversation – requests and responses. For<br />
example, if Sniffer <strong>Portable</strong> <strong>Professional</strong> is connected to a designated<br />
mirror port on a switch, make sure you that you have set up port<br />
mirroring in a way that ensures both inbound and outbound packets are<br />
being sent to the mirror port.<br />
IMPORTANT: Keep in mind that setting up port mirroring in this way<br />
will occasionally cause duplicate packets to appear in the Decode<br />
window.<br />
ART – The Tabular View<br />
The ART application’s Tabular view lists each detected application layer<br />
connection with the addresses of both the server and the client, detailed<br />
statistics for the response times on the connection, and overall traffic<br />
statistics for the connection (server bytes, client octets, retries, and<br />
timeouts).<br />
ART organizes connections by protocol. Each protocol you have enabled<br />
in the Display Protocols tab of the ART Options dialog box (accessed<br />
by clicking the Properties button in the ART window) has its own tab at<br />
the bottom of the ART window. You can view connections using different<br />
protocols by clicking on the appropriate tab at the bottom of the window.<br />
The Tabular View provides the statistics in the following table:
Table 5-9. ART Statistics in the Tabular View<br />
Statistic Description<br />
Monitoring Your Network<br />
Server Address The address of the Server taking part in this<br />
connection.<br />
Client Address The address of the Client taking part in this<br />
connection.<br />
AvgRsp The average time (in milliseconds) of all responses<br />
observed on this connection.<br />
90% Rsp 90% of all responses observed for this client-server<br />
pair were faster than the indicated response time.<br />
MinRsp The time (in milliseconds) of the fastest response<br />
observed on this connection.<br />
MaxRsp The time (in milliseconds) of the slowest response<br />
observed on this connection.<br />
TotRsp The total number of responses observed on this<br />
connection.<br />
0-25,<br />
26-51…801-1600<br />
The number of responses on this connection in<br />
each of seven different time windows. For example,<br />
the number of responses to requests on this<br />
connection that took between 0 and 24<br />
milliseconds to be sent, the number of responses to<br />
requests on this connection that took between 25<br />
and 49 milliseconds to be sent, and so on.<br />
Server Octets The total number of bytes sent from the Server to<br />
the Client on this connection.<br />
Client Octets The total number of bytes sent from the Client to<br />
the Server on this connection.<br />
Retries The total number of retries observed on this<br />
connection. Retries are counted when the Sniffer<br />
Distributed sees a request made with the same<br />
sequence number as a previous request, indicating<br />
that it is a retransmission. Retries only apply to<br />
TCP-oriented protocols since UDP is<br />
"connectionless" and does not use sequence<br />
numbers.<br />
Timeouts The total number of timeouts observed on this<br />
connection. Timeouts are counted either when no<br />
response is seen to a request by the time the<br />
maximum value of the highest time window has<br />
expired (by default, 5000 milliseconds), or when no<br />
response is seen at all. Note that timeouts are also<br />
used to generate ART alarms whenever the<br />
specified thresholds are crossed.<br />
User’s <strong>Guide</strong> 99
Chapter 5<br />
ART – The Server-Client Response Time Bar Chart<br />
100 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Server-Client Response Time bar chart graphs<br />
Server-Client pairs according to the options you have specified in<br />
the Server-Client tab of the ART Options dialog box. The options<br />
there specify how many pairs are graphed, the criterion used to<br />
sort the graph, and the display options included for each graphed<br />
pair.<br />
Server-client pairs are listed by number along the horizontal<br />
axis. The addresses corresponding to each number are listed<br />
in the pane to the right of the graph.<br />
The vertical axis provides the units (in milliseconds) for each<br />
bar.<br />
Individual bars are provided along the Z-axis for each Display<br />
Option enabled in the Server-Client tab of the ART Options<br />
dialog box.<br />
As always, you can click on the display tabs at the bottom of the<br />
window to see the graph for server-client pairs observed using the<br />
corresponding protocol.<br />
ART – The Server Response Time Bar Chart<br />
The Server Response Time bar chart graphs Servers according<br />
to the options you have specified in the Servers Only tab of the<br />
ART Options dialog box. The options there specify how many<br />
servers are graphed, the criterion used to sort the graph, and the<br />
display options included for each graphed server.<br />
Servers are listed by number along the horizontal axis. The<br />
addresses corresponding to each number are listed in the<br />
pane to the right of the graph.<br />
The vertical axis provides the units (in milliseconds) for each<br />
bar.<br />
Individual bars are provided along the Z-axis for each Display<br />
Option enabled in the Servers Only tab of the ART Options<br />
dialog box.<br />
As always, you can click on the display tabs at the bottom of the<br />
window to see the graph for servers observed using the<br />
corresponding protocol.
Setting ART Options<br />
Monitoring Your Network<br />
You set options for the ART monitor application by clicking the<br />
Properties button in the ART window. The ART Options dialog box<br />
appears with the following four tabs:<br />
The ART Options – General Tab on page 101 lets you set the update<br />
interval for the ART application.<br />
The ART Options – Server-Client Tab on page 101 lets you set<br />
display options for the Client-Server Response Time bar graph.<br />
The ART Options – Servers Only Tab on page 104 lets you set<br />
display options for the Server Response Time bar graph.<br />
The ART Options – Display Protocols Tab on page 104 lets you<br />
specify for which protocols ART should provide a display tab at the<br />
bottom of the ART window.<br />
ART Options – General Tab<br />
The General tab in the ART Options dialog box lets you specify how<br />
often the counters in the ART application window are updated. Specify<br />
the desired update interval (in seconds) in the provided field and click<br />
OK.<br />
You can also refresh the ART application’s counters manually by clicking<br />
the Refresh button in the ART application window.<br />
ART Options – Server-Client Tab<br />
The Server-Client tab in the ART Options dialog box lets you specify<br />
display options for the ART Server-Client Response Time bar graph. Set<br />
the following options.<br />
The Show Options let you specify how many server-client pairs you<br />
would like the graph to display. You can also select whether the<br />
graph should show the slowest xx number of server-client pairs or<br />
the fastest xx number of server-client pairs.<br />
The Sort By Options let you specify the criterion by which you<br />
would like the server-client pairs displayed in the graph to be<br />
sorted. You can only select Sort By options whose corresponding<br />
option in the Display Options area of this tab are selected (for<br />
example, you can't sort server-client pairs by Min Response Time<br />
if the Min Response Time is not enabled as a display option in the<br />
adjacent list).<br />
The Display Options let you specify which statistics for the<br />
server-client pairs you would like included in the bar graph.<br />
These options are described below:<br />
User’s <strong>Guide</strong> 101
Chapter 5<br />
Show Options<br />
102 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Show Slowest/Fastest – Select whether you would like the<br />
graph to show the slowest or the fastest Server-Client pairs. The<br />
exact number of Server-Client pairs displayed depends on the<br />
setting of the adjacent Server-Client Pairs option.<br />
Server-Client Pairs – Specify the number of Server-Client pairs<br />
you would like included in the graph.<br />
Sort By Options<br />
The Sort By options let you specify the criterion by which you would like<br />
the server-client pairs displayed in the graph to be sorted. Server-Client<br />
pairs are sorted in the graph from left (highest value of the selected<br />
criterion) to right (lowest value of the selected criterion) along the<br />
horizontal axis of the graph.<br />
Table 5-10. Sort By Options for ART<br />
Option Description<br />
Max Response Time Enable this option if you would like server-client<br />
pairs to be sorted according to the highest (that<br />
is, the slowest) response time observed on each<br />
listed pair.<br />
RspTm of 90%<br />
Response<br />
Enable this option if you would like server-client<br />
pairs to be sorted according to their 90%<br />
Response values.<br />
Each server-client pair has a 90% Response<br />
value – this value means that 90% of all<br />
responses observed for this client-server pair<br />
were faster than the indicated response time.<br />
This option can be useful when you want to<br />
smooth out statistical oddities. For example, if a<br />
given server-pair happened to have one or two<br />
responses among many that were much slower<br />
than the others, this option can remove the<br />
strangely slow responses from statistical<br />
consideration.
Table 5-10. Sort By Options for ART<br />
Option Description<br />
Average Response<br />
Time<br />
Display Options<br />
Monitoring Your Network<br />
Enable this option if you would like server-client<br />
pairs to be sorted according to the average<br />
response time observed for each listed pair. The<br />
pair with the highest average response time is<br />
listed at the left of the horizontal axis of the<br />
graph and then descends to the right.<br />
Min Response Time Enable this option if you would like server-client<br />
pairs to be sorted according to the lowest (that<br />
is, the fastest) response time observed on each<br />
listed pair.<br />
NOTE: You can only select Sort By options<br />
whose corresponding option in the Display<br />
Options area of this tab is selected (for<br />
example, you can’t sort server-client pairs by<br />
Min Response Time if the Min Response<br />
Time is not enabled as a display option in the<br />
adjacent list).<br />
The Display Options let you specify which statistics for the<br />
server-client pairs you would like included in the bar graph. For each<br />
statistic you enable, the graph provides another row along the Z-axis of<br />
the graph (that is, behind the other statistics) for the listed server-client<br />
pairs.<br />
User’s <strong>Guide</strong> 103
Chapter 5<br />
ART Options – Servers Only Tab<br />
104 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 5-11. ART Display Options<br />
Option Description<br />
Max Response Time Enable this option if you would like a row along<br />
the Z-axis included in the graph to show the<br />
slowest response time observed on each listed<br />
server-client pair.<br />
RspTm of 90%<br />
Response<br />
Average Response<br />
Time<br />
The Servers Only tab lets you set the same options described in ART<br />
Options – Server-Client Tab on page 101. The only difference is that the<br />
options set in this tab apply to the Server Response Time bar graph<br />
rather than the Server-Client Response Time bar graph.<br />
ART Options – Display Protocols Tab<br />
Enable this option if you would like a row along<br />
the Z-axis included in the graph to show the<br />
RspTm of 90% Response value observed on<br />
each listed server-client pair.<br />
Each server-client pair has a 90% Response<br />
value – this value means that 90% of all<br />
responses observed for this client-server pair<br />
were faster than the indicated response time.<br />
This option can be useful when you want to<br />
smooth out statistical oddities. For example, if a<br />
given server-pair happened to have one or two<br />
responses among many that were much slower<br />
than the others, this option can remove the<br />
strangely slow responses from statistical<br />
consideration.<br />
Enable this option if you would like a row along<br />
the Z-axis included in the graph to show the<br />
average response time observed on each listed<br />
server-client pair.<br />
Min Response Time Enable this option if you would like a row along<br />
the Z-axis included in the graph to show the<br />
lowest (that is, the fastest) response time<br />
observed on each listed server-client pair.<br />
Show DNS Name Enable this option if you would like DNS names<br />
for both sides of each listed server-client pair<br />
displayed in a pane at the right of the graph.<br />
The Display Protocols tab lets you specify for which protocols ART<br />
should provide a display tab at the bottom of the ART window. For each<br />
protocol enabled in this tab, the ART application will include a display tab<br />
in the ART application window.
ART Alarms<br />
Monitoring Your Network<br />
Protocols are organized broadly according to whether they are TCP or<br />
UDP oriented. Click the appropriate tab at the bottom of the Display<br />
Protocol tab, enable each desired protocol, and then click OK. The ART<br />
application window will automatically include display tabs for your<br />
selected protocols.<br />
In addition to measuring and reporting application response times, the<br />
ART application also generates alarms for detected application response<br />
times that are slower than the thresholds in the App Threshold tab of<br />
the Options dialog box.<br />
You set thresholds for alarms generated by the ART application in the<br />
App Threshold tab of the Options dialog box. Specify the threshold<br />
values in the Rsp Time column, then click OK. App Threshold<br />
parameters are stored on the Agent, by adapter. This ensures all<br />
Consoles connecting to the Agent will experience consistent settings.<br />
Figure 5-8. Setting Thresholds for ART Alarms<br />
The App Threshold tab includes a row for each protocol monitored by<br />
the ART application. Protocols are organized according to whether they<br />
are TCP-oriented or UDP-oriented – there is a tab for each.<br />
For each protocol, there is a Rsp Time and a % Applied field:<br />
User’s <strong>Guide</strong> 105
Chapter 5<br />
106 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Rsp Time value specifies at what point a response using the<br />
specified protocol is considered “slow.” For example, if Rsp Time<br />
were set to 5000 milliseconds for HTTP, any response to an HTTP<br />
request that took longer than 5000 milliseconds would be<br />
considered “slow.” When the percentage of “slow” responses on a<br />
given Server-Client connection exceeds the % Applied threshold<br />
(see below), the Monitor generates an alarm on the connection.<br />
The % Applied value specifies the maximum acceptable<br />
percentage of responses exceeding the Rsp Time threshold on a<br />
given connection using the specified protocol. When the percentage<br />
of connections exceeding the Rsp Time threshold on a given<br />
Server-Client connection exceeds the % Applied threshold, the<br />
Monitor generates an alarm on the connection.<br />
Generated alarms are written to the alarm log. Actions take place as a<br />
result of generated alarms according to the options you have set on the<br />
Alarms tab of the Options dialog box. See Managing Alarms on page<br />
257 for details.<br />
The following example shows the ART application window in the tabular<br />
view along with descriptions of its toolbar items.
Tabular view<br />
Server Only bar chart<br />
Refresh display<br />
Click to display application response times for<br />
different protocols. The protocols available depend on<br />
the options you have enabled in the Display Protocols<br />
tab of the ART Options dialog box.<br />
Reset display<br />
Monitoring Your Network<br />
Server-Client Response Time bar chart<br />
Properties<br />
Set refresh interval<br />
Set display options for bar charts<br />
Specify display protocols<br />
Figure 5-9. The ART Display (Tabular View) and Toolbar<br />
User’s <strong>Guide</strong> 107
Chapter 5<br />
Adding Custom Protocols to the ART Display<br />
108 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can add custom protocols to the ART display in the same way you<br />
add protocols for all monitor applications. Use the following procedure.<br />
To add custom protocols to the ART display:<br />
1 Display the Options dialog box by selecting the Options command<br />
from the Tools menu.<br />
2 In the Options dialog box, click on the Protocols tab.<br />
3 The Protocols tab lets you add new upper-layer protocols for<br />
monitoring (or change the port numbers associated with existing<br />
upper-layer protocols).<br />
If the protocol you want to add runs over TCP, make sure the<br />
TCP tab at the bottom of the Protocols tab is displayed (this<br />
is the default).<br />
If the protocol you want to add runs over UDP, click on the<br />
UDP tab at the bottom of the Protocols tab.<br />
NOTE: ART does not support monitoring over protocols<br />
running over IPX in this release.<br />
4 Scroll to the bottom of the tab and click in the Name cell. Type in<br />
the name by which you would like this protocol to be known in<br />
Sniffer displays.<br />
5 Click in the adjoining Port cell and type in the port number on<br />
which the Sniffer should look for this protocol.<br />
6 Click OK. You will be informed that the application must be<br />
restarted for your changes to take effect. Restart the application.<br />
7 Display the ART window by selecting the Application Response<br />
Time command from the Monitor menu.<br />
8 Click on the Properties button to display the ART Options dialog<br />
box.<br />
9 Click on the Display Protocols tab in the ART Options dialog box.<br />
10 Click on either the TCP or UDP tab at the bottom of the Display<br />
Protocols tab, depending on which type of protocol you added in<br />
Step 3.<br />
11 Scroll down to display the entry for the protocol you added in the<br />
previous steps. Click the box next to this protocol to include it in<br />
ART displays.
Monitoring Your Network<br />
12 Click OK on the ART Options dialog box. The ART application<br />
informs you that it must close and reopen the ART window for your<br />
changes to take place. Click Yes to close and reopen the window.<br />
13 The ART window reopens with a new tab at the bottom for your<br />
custom protocol.<br />
User’s <strong>Guide</strong> 109
Chapter 5<br />
History Samples<br />
Click to start a<br />
sample<br />
Click to change how the<br />
icons display in this<br />
window<br />
Click to create a new<br />
sample to collect<br />
multiple network events<br />
Click to set the sampling<br />
interval, threshold values,<br />
graph type, and colors used<br />
in the graph<br />
110 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can use History Samples to collect a variety of network statistics<br />
over a period of time to establish your network performance baseline.<br />
Baseline statistics help you set alarm thresholds to notify you when<br />
abnormal network behavior occurs. You can also use history samples to<br />
determine long-term network traffic trends and to help plan for future<br />
network expansion and reorganization.<br />
You can launch as many as 10 history sample processes concurrently.<br />
These can be 10 different samples or multiple instances of the same<br />
sample so that both short-term and long-term trends can be recorded<br />
simultaneously.<br />
The network events available for history sample monitoring vary<br />
according to the type of adapter you have selected in the Adapter dialog<br />
box.<br />
IMPORTANT: History Samples average data over the sample period.<br />
Because of this, you may miss “spikes” in sampled data due to the<br />
averaging. It’s always a good idea to use History Samples in conjunction<br />
with other Sniffer <strong>Portable</strong> <strong>Professional</strong> views that will help you get an<br />
accurate view of the traffic on your network.<br />
The sample data can be displayed in a bar chart, a line chart, or an area<br />
chart.<br />
Figure 5-10 shows the History Samples window for an Ethernet adapter.<br />
Figure 5-10. The History Samples Window
Specify the threshold<br />
values here<br />
Specify the sample<br />
interval. Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> maintains a<br />
maximum of 3,600<br />
samples. If you specify 15<br />
seconds, you will get up to<br />
3,600 15-second samples.<br />
Click OK to save<br />
the settings<br />
Monitoring Your Network<br />
Before launching a sample, set the sampling interval, the high and low<br />
threshold values, the graph type, the colors used in the graph, and<br />
whether to wrap the buffer when the maximum 3,600 samples have<br />
been collected. First select the sample you want to use from the History<br />
Samples window. Then click the button. The History properties<br />
dialog box is shown in Figure 5-11.<br />
Figure 5-11. Configuring History Sample Settings<br />
Zooming the Display During Monitoring<br />
Click to select the<br />
colors used in the<br />
graph<br />
Select this option if<br />
you want to wrap<br />
the buffer when the<br />
maximum 3,600<br />
samples have been<br />
collected.<br />
Click to select the<br />
graph type<br />
Click to restore<br />
factory settings<br />
You can use the Zoom In\Zoom Out context menu options to narrow<br />
or broaden the focus of a history sample while it is collecting data. These<br />
options change the range of data points displayed, allowing you to focus<br />
on a specific small time period, or, alternatively, see broad trends over<br />
a comparatively long duration.<br />
You use the Zoom In\Zoom Out feature by right-clicking anywhere in<br />
a History Sample’s graphical display and selecting the desired option<br />
from the context menu that appears. Figure 5-12 shows a Packets/s<br />
History Sample with the context menu displayed.<br />
NOTE: The Zoom In\Zoom Out feature has three levels of detail.<br />
If you are already zoomed to the narrowest view, the Zoom In<br />
command will be grayed out in the context menu. The reverse is<br />
true of the Zoom Out command.<br />
User’s <strong>Guide</strong> 111
Chapter 5<br />
112 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
If the Wrap Buffer when full option is disabled, the history sample will<br />
stop automatically when the maximum number of samples is collected.<br />
Otherwise the history sample stops when you close the History window.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> lets you export the history data for<br />
tabulation or charting. Refer to Exporting Monitor Data on page 120.<br />
Figure 5-12 shows a Packets/s history sample in bar chart format and<br />
describes the toolbar.<br />
Bar chart view<br />
Line chart view<br />
Display as three-dimensional<br />
or two-dimensional chart<br />
Display/hide a border around<br />
the bars/lines in the chart<br />
Export history data to spreadsheet<br />
Area chart view<br />
Display chart as<br />
logarithmic or linear<br />
Show/hide the legend<br />
Pause Screen Updates<br />
Right-click a<br />
History Sample to<br />
display the Zoom<br />
In/Zoom Out<br />
context menu.<br />
This menu lets<br />
you narrow or<br />
broaden the<br />
focus of the<br />
history sample.<br />
Figure 5-12. History Samples (Packets/s Bar Chart) and Toolbar
Creating a Multiple History Sample<br />
Statistics<br />
selected for<br />
inclusion in this<br />
Multiple History<br />
Sample are<br />
listed here in<br />
the order in<br />
which they will<br />
appear in the<br />
display.<br />
Monitoring Your Network<br />
You can create your own “multi-view” History Samples tracking<br />
combinations of the single statistics available for display in the other<br />
History Samples. You set up Multiple History Samples in the Multiple<br />
History dialog box. Display this dialog box by clicking Add Multiple<br />
History in the History Samples window. Figure 5-13 shows the<br />
Multiple History dialog box.<br />
Figure 5-13. Multiple History Dialog Box<br />
Use these buttons to<br />
change the order of<br />
the sampled statistics<br />
in the display.<br />
Use this button to<br />
delete a selected<br />
statistic.<br />
Use this button to<br />
open a dialog box in<br />
which you can add a<br />
new statistic.<br />
As shown in Figure 5-13, the Multiple History dialog box has three tabs.<br />
The General and Color tabs provide the same options described on<br />
page 111. The Selection tab (Figure 5-13) lets you select which<br />
statistics you would like to include in this Multiple History Sample, in<br />
addition to the order in which they are displayed. In general, you will<br />
want to place statistics with a high sampling rate at the bottom of the<br />
list.<br />
When you are finished setting up your Multiple History Sample, click OK<br />
to add it to the History Samples window.<br />
User’s <strong>Guide</strong> 113
Chapter 5<br />
Protocol Distribution<br />
114 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can use the Protocol Distribution application to report network usage<br />
based on the network-, transport-, and application-layer protocols. For<br />
example, you can monitor IPX/SPX, TCP/IP, NetBIOS, AppleTalk,<br />
DECnet, SNA, Banyan, and many other protocols.<br />
Protocol distribution monitors popular IP applications, such as NFS, FTP,<br />
Telnet, SMTP, POP2, POP3, HTTP (WWW), Gopher, NNTP, SNMP,<br />
X-Window, and others. It also monitors IPX transport-layer protocols<br />
such as NCP, SAP, RIP, NetBIOS, Diagnostic, Serialization, NMPI, NLSP,<br />
SNMP, and SPX.<br />
You can view the protocol distribution in a table or as a bar or pie chart.<br />
You can also view the number and percentage of packets or bytes for a<br />
protocol.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> lets you export the protocol distribution<br />
data for tabulation or charting. Refer to Exporting Monitor Data on page<br />
120.<br />
Figure 5-14 shows a Protocol Distribution bar chart for an Ethernet<br />
adapter.
Click to display protocol distribution by MAC, IP, or IPX<br />
Bar chart view<br />
Display total number or<br />
percentage of bytes seen<br />
Table view<br />
Refresh display<br />
Export data to spreadsheet<br />
(Table view only)<br />
Monitoring Your Network<br />
Pie chart view<br />
Display total number or<br />
percentage of packets<br />
seen<br />
Pause screen updates<br />
Restart data collection<br />
Export to HTML<br />
(Table view only<br />
Figure 5-14. Protocol Distribution (Bar Chart View) and Toolbar<br />
User’s <strong>Guide</strong> 115
Chapter 5<br />
Global Statistics<br />
116 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Global Statistics help you understand the overall activity levels in the<br />
network and pinpoint large- and small-size packet traffic loads, each of<br />
which can have a different effect on overall network performance and<br />
availability.<br />
Global statistics provides various tabs with statistical measures<br />
pertinent to network traffic analysis:<br />
The Size Distribution tab shows the frequency of each packet size<br />
as a percentage of all monitored traffic.<br />
The Utilization Distribution tab shows network bandwidth<br />
consumption distributed among each 10% grouping – 1-10%, 11%<br />
-20%, ..., 91%-100%.<br />
The Topology Surfing tab (Wireless LAN adapters only) presents<br />
a quick snapshot of network activity on all wireless network<br />
topology/channel combinations selected for monitoring in Tools ><br />
Wireless > Surf Settings. Each channel is listed in the display<br />
with the same sets of statistics, enabling you to see at a glance<br />
what is happening on each channel.<br />
See The Global Statistics > Topology Surfing Tab on page 117 for<br />
more information on this tab.<br />
NOTE: See Configuring Surf Settings on page 54 for information<br />
on selecting wireless channels for surfing.<br />
You can view the Size Distribution and Utilization Distribution tabs in a<br />
table or as a bar or pie chart. Figure 5-15 shows a sample packet size<br />
distribution graph for an Ethernet adapter.
Click to display a<br />
bar chart<br />
Click to display<br />
a pie chart<br />
Currently selected to show<br />
packet size distribution<br />
Click to show utilization<br />
distribution<br />
Figure 5-15. Global Statistics (Bar Chart View)<br />
The Global Statistics > Topology Surfing Tab<br />
Monitoring Your Network<br />
The Topology Surfing tab in the Global Statistics view (Wireless LAN<br />
adapters only) presents a quick snapshot of network activity on all<br />
wireless network topology/channel combinations selected for monitoring<br />
in Tools > Wireless > Surf Setting. Up to 30 channels are listed in<br />
the display with the same sets of statistics, enabling you to see at a<br />
glance what is happening on each channel.<br />
IMPORTANT: When you use the Topology Surfing tab, be sure to select<br />
the wireless network topology/channel combinations that interest you in<br />
the Tools > Wireless > Surfing dialog box. This dialog box specifies<br />
the topology/channel combinations Sniffer <strong>Portable</strong> <strong>Professional</strong> will cycle<br />
between for specified durations. Topology Surfing statistics will only be<br />
available for the channels you select here. See Configuring Surf Settings<br />
on page 54 for details.<br />
User’s <strong>Guide</strong> 117
Chapter 5<br />
118 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Figure 5-16. Global Statistics > Topology Surfing Tab (Wireless<br />
Network)<br />
For each channel on the wireless network, the Topology Surfing tab<br />
provides the statistics listed and described in Table 5-12.<br />
Table 5-12. Counters in the Topology Surfing Tab (1 of 2)<br />
Counter Description<br />
Topology The wireless network topology for these<br />
statistics. For example, A for 802.11A, B for<br />
802.11b, and so on.<br />
Ch. No. The wireless network channel for these<br />
statistics.<br />
Packets The number of packets seen on this channel.<br />
Octets The number of bytes seen on this channel.<br />
Errors The number of error packets seen on this<br />
channel. Error packets include CRC errors,<br />
undersize errors, oversize errors, WEP ICV<br />
errors, and PLCP errors.<br />
Data The number of data packets seen on this<br />
channel. Data packets are used to transmit<br />
data between stations.<br />
Cntl The number of Control Packets seen on this<br />
channel. Control packets are used to<br />
regulate the transmission of data packets<br />
after initial authentication has taken place.
Monitoring Your Network<br />
Table 5-12. Counters in the Topology Surfing Tab (2 of 2)<br />
Counter Description<br />
Mgmt The number of Management Packets seen on<br />
this channel. Management packets are used<br />
to set up the initial communications between<br />
stations and access points on the wireless<br />
network.<br />
Beacon The number of beacon packets seen on this<br />
channel. Access points send beacon packets<br />
at a regular interval to synchronize timing<br />
between stations on the same network.<br />
Signal The signal strength measured for this<br />
channel, expressed as a percentage.<br />
BSSID The Basic Service Set ID used for<br />
communications on this channel.<br />
Data Rate Counters These counters provide packet counts for<br />
different speed ranges.<br />
Additional Buttons in the Topology Surfing Tab’s Toolbar<br />
In addition to the standard Bar Chart, Pie Chart, and Reset buttons<br />
available in all Global Statistics tabs, the Topology Surfing tab includes<br />
the additional buttons listed and described below:<br />
Table 5-13. Extra Topology Surfing Tab Toolbar Buttons<br />
Button Description<br />
List View. The Topology Surfing tab shows a tabular view,<br />
with one row for each channel on the wireless network.<br />
Properties. Opens a properties dialog box in which you<br />
can specify how information is displayed in the Topology<br />
Surfing tab.<br />
User’s <strong>Guide</strong> 119
Chapter 5<br />
Monitor Alarms<br />
120 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> provides a comprehensive method of<br />
detecting and logging unusual network events during monitoring.<br />
The alarm manager logs an event in the Alarm log when a user-specified<br />
threshold parameter is exceeded. By reviewing the events listed in the<br />
Alarm log, you can identify network exception conditions that might<br />
require immediate attention.<br />
To view the Alarm log, select Alarm Log from the Monitor menu or click<br />
in the Sniffer <strong>Portable</strong> <strong>Professional</strong> main toolbar.<br />
IMPORTANT: Alarms are only logged in the local Alarm Log if their<br />
Severity is checked in the Tools > Options > Alarm tab. By default, no<br />
alarm Severities are checked.<br />
For information about configuring alarms and setting options, see<br />
Managing Alarms on page 257.<br />
Exporting Monitor Data<br />
You can export data from the following application displays for tabulation<br />
or charting by clicking the button.<br />
The Host Table and Matrix outline table view<br />
The Protocol Distribution table view<br />
You can save data in several formats:<br />
Comma Separated Value format (.csv)<br />
Tab-delimited text file (.txt)
Capturing Packets<br />
Overview<br />
About Capturing<br />
This section describes Sniffer <strong>Portable</strong> <strong>Professional</strong>’s network capture<br />
functions. The following topics are covered:<br />
About Capturing on page 121<br />
Capture Controls on page 122<br />
Capture Panel on page 123<br />
Capture Buffer on page 124<br />
Capturing from Specific Stations (Visual Filters) on page 128<br />
Capture Filters on page 129<br />
Capture Triggers on page 129<br />
6<br />
Unlike the monitoring function, which stores statistical measurements<br />
and calculations about your network traffic, the capture function collects<br />
and stores the actual packets from your network in a capture buffer.<br />
During capture, the Expert analyzes the packets and displays the results<br />
in real time. To disable the real-time Expert analysis, select Expert<br />
Options from the Tools menu and uncheck the Expert During<br />
Capture box.<br />
After a capture is stopped, you can use the Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
display function to decode and display the packets in the capture buffer,<br />
providing you with detailed information about network transactions<br />
(packet display). The display function also displays Expert analysis<br />
(Expert display). Both the packet display and the Expert display are<br />
described in Displaying Captured Data on page 157.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> provides capture controls on the main<br />
toolbar and in the Capture menu to control the capture process,<br />
configure the capture buffer (which stores the captured packets), and<br />
define capture filters. A capture panel is also provided so that you can<br />
view the status of a capture session.<br />
User’s <strong>Guide</strong> 121
Chapter 6<br />
Capture Controls<br />
122 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
NOTE: Before starting a capture, you should configure the Expert<br />
options that determine how Expert data is processed and displayed.<br />
Expert options are described in Setting Expert Options on page 134.<br />
Capture controls are provided on the main toolbar and in the Capture<br />
menu to control the capture process, configure the capture buffer (which<br />
stores the captured packets), and define capture filters. A capture panel<br />
is also provided so that you can view the status of a capture session.<br />
Use the capture buttons on the main toolbar or the menu items in the<br />
Capture menu to:<br />
Start, stop, and pause a capture session<br />
Display the results of a capture<br />
Create a new filter to use for capture<br />
Select a filter to use for capture<br />
The following figure shows the capture buttons located in the main<br />
toolbar. The table below explains each button.<br />
Start capture<br />
Pause capture<br />
Stop capture<br />
Stop and display<br />
capture<br />
Display a stopped<br />
capture<br />
Figure 6-1. The Capture Controls<br />
Define a capture filter<br />
Select a capture filter
Table 6-1. Main Toolbar Buttons and Functions<br />
Button Tool Keyboard<br />
Shortcut<br />
Capture Panel<br />
Use to...<br />
Start F10 Start a capture session.<br />
Pause n/a Pause a capture session.<br />
Stop F10 Stop a capture session.<br />
Stop and<br />
Display<br />
F9 Stop a capture session and display the<br />
captured data in the Decode window.<br />
Note: You can also use F5 to display a<br />
stopped capture.<br />
Capturing Packets<br />
Filter n/a Create a new filter to use for capture.<br />
Note: You can also use the drop-down list<br />
to the right of the Filter button to select an<br />
existing filter to use for capture.<br />
Use the capture panel to view the status of the capture process. Two<br />
tabs are provided at the bottom of the panel. The Gauge tab displays<br />
the number of packets captured and indicates how full the capture buffer<br />
is (as a percentage). The Detail tab shows detailed statistics about the<br />
current capture session.<br />
To open the capture panel:<br />
1 Select Capture Panel from the Capture menu, or click in the<br />
main toolbar.<br />
The following figure provides a sample Capture Panel window.<br />
The Packets gauge shows the number of packets captured.<br />
The Buffer gauge shows how full the buffer is as a percentage.<br />
Click the Detail tab to see detailed statistics about the capture<br />
process. For example, the number of packets dropped, accepted,<br />
and rejected, and the frame slice size are shown.<br />
User’s <strong>Guide</strong> 123
Chapter 6<br />
Capture Buffer<br />
124 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Captured packets are stored in a capture buffer. You can display and<br />
analyze the packets currently in the capture buffer or save the packets<br />
to disk. You can load and display previously saved capture files (trace<br />
files). You can even spool captured packets to files in real time,<br />
effectively increasing the size of your capture buffer. Use capture filters<br />
to economize capture buffer space further.<br />
Capture buffer options are tied to the Define Filter function.<br />
To set capture buffer options:<br />
1 Select Define Filter from the Capture menu, then click the Buffer<br />
tab (see Figure 6-2).<br />
2 The following options are available:<br />
Buffer Size. Select a capture buffer size to accommodate the<br />
amount of network traffic you wish to capture. Select a buffer<br />
size from the drop-down list or type in your own value.<br />
You can specify buffer sizes from 256 KB to 384 MB,<br />
depending on how much memory your system has. You must<br />
have at least 10MB more memory than the specified capture<br />
buffer size. For example, to start a capture with the buffer<br />
size specified as 64MB, you must have at least 74 MB of<br />
memory in the system.<br />
NOTE: If you do select a large buffer size, refrain from<br />
running other programs concurrently with Sniffer <strong>Portable</strong><br />
<strong>Professional</strong>. There may be a delay while Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> allocates memory.
Capturing Packets<br />
When Buffer is Full. Select to automatically stop the capture<br />
(Stop capture) when the buffer is full or overwrite older data<br />
in the buffer (Wrap buffer). You can select these options only<br />
if the Save to File option is disabled.<br />
Packet Size. You can save the entire packet in the capture<br />
buffer, or truncate each packet by setting the Packet Size<br />
option when defining a capture filter. Move the slider to select<br />
the size of the packet to be captured and saved in the buffer.<br />
A data packet size greater than the specified size will be<br />
truncated. You can select Whole packet, 64, 128, 256, 512,<br />
1024, 4096, 8192, 16384, or 18432 bytes.<br />
By truncating large packets, you can save more packets in<br />
the capture buffer, thus extending the time covered by the<br />
capture and reducing the size of the capture data file, saving<br />
disk space (assuming you save the capture buffer to disk).<br />
On a very busy network, truncating frames may also help<br />
avoid losing frames, since longer frames take longer to store.<br />
Save to File. You can set the Filename prefix and the<br />
Number of files to be spooled. The maximum number of files<br />
allowed is 99,999.<br />
Each file is the same size as the defined capture buffer. For<br />
example, if you select the 4 MB buffer size, each file created<br />
will be 4 MB in size. (The last file size may be smaller than 4<br />
MB.) Setting the buffer size to between 8 and 12 MB will<br />
improve capture performance.<br />
You may select the Unique names option to guarantee that<br />
the file names created by packet capture are unique when<br />
being stored in the same directory. This is a useful option<br />
when you use packet capture spooling in conjunction with the<br />
capture trigger repeat mode. Several packet capture<br />
sequences can be saved without overwriting earlier<br />
sequences.<br />
By selecting the Wrap file names option, the capture will<br />
continue to spool to disk files, overwriting the first file if the<br />
last file is full. Otherwise, the capture will stop once it<br />
reaches the end of the last file.<br />
3 If you would like to start capture based on the specified filter<br />
criteria, click Start Capture directly from the Define Filter dialog<br />
box. This action saves the filter criteria and starts a capture based<br />
on the active filter in the dialog box.<br />
4 If you would like to save the filter criteria, click OK.<br />
User’s <strong>Guide</strong> 125
Chapter 6<br />
Tips:<br />
126 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
When you change the buffer size, you may experience a delay as<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> allocates the memory for the buffer,<br />
especially if you specify a large buffer. Keep the buffer size less<br />
than the size of the capture buffer plus 10MB.<br />
Figure 6-2. Setting Capture Buffer Options<br />
Setting Large Capture Buffer Sizes<br />
This release supports capture buffer sizes from 256K up to a maximum<br />
of 384 MB). You must have at least 10MB more memory than the<br />
specified capture buffer size for capture to start. For example, to<br />
start a capture with the buffer size specified as 64 MB, you must have<br />
at least 74 MB of memory in the system.<br />
NOTE: In addition to selecting the predefined buffer sizes from the<br />
Buffer size drop-down list, you can also type in your own custom<br />
value.
“Failed to start capture” Messages?<br />
Capturing Packets<br />
If you receive a Failed to start capture message when using large<br />
capture buffer sizes (for example, greater than 288 MB), upgrade<br />
Windows XP to Service Pack 3. Windows XP Service Pack 3 includes a fix<br />
for Knowledge Base (KB) issue 894472 that resolves this issue.<br />
Saving the Capture Buffer to a File<br />
You can save the capture buffer contents to a file automatically when the<br />
buffer is full by selecting Save to file on the Buffer tab. Specify the<br />
filename prefix and the number of files to be spooled. For example, if<br />
you specify 5 in the Number of files field and click Wrap file names,<br />
the sixth file overwrites the first file. If you do not select Wrap file<br />
names, capture will stop when the fifth file is full.<br />
Opening Saved Trace Files<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> can open trace files saved in the following<br />
formats:<br />
Ethernet Sniffer format. This includes *.cap and *.caz formats.<br />
LibPcap format. This is an industry standard packet capture<br />
format (*.pcap) used by common tools such as tcpdump. The<br />
maximum trace file size for a LibPcap file is 320 MB.<br />
Opening saved trace files lets you display and analyze data as if it was<br />
captured live at that moment. Sniffer <strong>Portable</strong> <strong>Professional</strong> treats the<br />
data loaded from a disk file in the same way as data captured live off the<br />
network.<br />
NOTE: Sniffer <strong>Portable</strong> <strong>Professional</strong> does not support WAN/ATM<br />
trace files, either in legacy Sniffer formats or LibPcap format. Only<br />
the trace file formats listed above are supported.<br />
NOTE: Sniffer <strong>Portable</strong> <strong>Professional</strong> does not save trace files in<br />
LibPcap format; it can only open these files.<br />
User’s <strong>Guide</strong> 127
Chapter 6<br />
Capturing from Specific Stations (Visual<br />
Filters)<br />
1. Select station (turns blue)<br />
2. Click Capture<br />
You can see the progress<br />
of the capture on the<br />
status line of the main<br />
Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> window, or<br />
on the Capture Panel<br />
128 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
To capture packets for a particular station, select the station from the<br />
monitor’s host table display. To capture packets between two specific<br />
stations, select one of the stations from the monitor’s matrix display.<br />
Then, click . (To view the host table or matrix table, select Host<br />
Table or Matrix from the Monitor menu, or use a toolbar button.)<br />
Figure 6-3 shows an example of how to capture from a single station in<br />
the host table. The following procedure provides the details:<br />
To capture packets between two specific stations:<br />
1 Display the Matrix (Monitor > Matrix) in the tabular view.<br />
2 Select one of the conversations in the display.<br />
3 Click the Quick Capture button in the Matrix’s toolbar.<br />
In response, a capture starts with an automatic Quick Capture filter set<br />
up to include just traffic between the two selected stations.<br />
The following example illustrates capturing from a single station in the<br />
host table. After the selected station turns blue, click the Capture<br />
button from the vertical toolbar. The capture progress appears in the<br />
main window, or on the Capture Panel.<br />
Figure 6-3. Single-Station Capture from the Host Table
Capture Filters<br />
Capture Triggers<br />
Capturing Packets<br />
You can define filters to capture only the particular packets you need, so<br />
that you can focus on the data necessary for troubleshooting network<br />
problems.<br />
When you apply a filter to the capture process it is called a capture filter.<br />
A capture filter allows only certain frames to be saved in the capture<br />
buffer. For a description of how to define a filter, see Defining Filters and<br />
Triggers on page 219.<br />
The trigger feature allows you to start and stop captures based on date<br />
and time, alarms, and specific network events. Use triggers to capture<br />
data while Sniffer <strong>Portable</strong> <strong>Professional</strong> is unattended, such as on<br />
off-hours or weekends, or to start captures when specific events occur,<br />
such as alarm conditions.<br />
For a description of how to define a capture trigger, see Defining<br />
Triggers on page 242.<br />
User’s <strong>Guide</strong> 129
Chapter 6<br />
130 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Real-Time Expert Display<br />
Overview<br />
7<br />
This section introduces the Expert display, describes its major concepts,<br />
and gives you a summary of how to use its functionality.<br />
About the Expert Display on page 131<br />
Setting Expert Options on page 134<br />
Setting Automatic Expert Display Filters on page 151<br />
Displaying Context-Sensitive Explain Messages on page 153<br />
Rearranging the Expert Display on page 153<br />
Exporting the Contents of the Expert Database on page 154<br />
IMPORTANT: Both the Sniffer <strong>Portable</strong> <strong>Professional</strong> online help and the<br />
Sniffer Decode and Expert Reference provide full details on working with<br />
the Expert analyzer. This chapter provides a quick summary of the topic,<br />
letting you get up and running quickly.<br />
About the Expert Display<br />
The Expert display shows the results of Expert analysis. Expert analysis<br />
can occur during a capture session, showing the results in real time. It<br />
can also occur after a capture session when the display function is<br />
invoked.<br />
During Expert analysis, a database of network objects is constructed<br />
from the traffic seen. The Expert protocol interpreters learn all about the<br />
network stations, routing nodes, subnetworks, and connections related<br />
to the frames in the capture buffer. Using this information, potential<br />
problems are detected and you are alerted to issues that may exist on<br />
the network. These problems are categorized as being either symptoms<br />
or diagnoses:<br />
A symptom indicates that a threshold has been exceeded and may<br />
indicate a problem on your network.<br />
User’s <strong>Guide</strong> 131
Chapter 7<br />
132 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
A diagnosis can be several symptoms analyzed together, high rates<br />
of recurrence of specific symptoms, or single instances of particular<br />
network events that cause the Expert to conclude that the network<br />
has a real problem. A Diagnosis should be investigated<br />
immediately.<br />
The Expert analysis results (symptoms and diagnoses) are shown in five<br />
viewing panes on the Expert display tab and on the real-time Expert<br />
window that displays during capture. These panes function together so<br />
that you can view and select information at all levels of detail. See Figure<br />
7-1.<br />
Each pane is described below:<br />
The Expert Overview pane shows the network analysis layers<br />
(similar in concept to the ISO layers) and the Expert overview<br />
statistics (objects, symptoms, or diagnoses) for each layer. By<br />
selecting a combination of layer and statistic type, you control the<br />
display of Expert analysis data in the other Expert panes.<br />
NOTE: You can configure the window to be wide or narrow by<br />
clicking the arrows in the upper right-hand corner of the<br />
Expert overview pane.<br />
The Expert Summary pane shows key summary information for the<br />
layer and statistic selected in the Expert Overview pane. The<br />
column headings for the Expert Summary display will change,<br />
depending on what layer and statistic you have selected.<br />
The Protocol Statistics pane displays the amount of traffic (in<br />
frames and bytes) for each protocol encountered for the layer you<br />
selected in the Expert Overview pane. This pane is not displayed<br />
when the Expert Overview pane is narrow.<br />
The Detail tree pane shows a hierarchical listing of all layers at or<br />
below those selected in the Expert Overview and Expert Summary<br />
panes. You can expand or collapse each layer in a manner similar<br />
to Windows Explorer. Click any item in the Detail Tree to display its<br />
Expert detail data.<br />
The Expert Detail pane is a collection of information tables for the<br />
data selected by the other panes. The content of the Expert Detail<br />
pane will vary, depending on what items are selected in the various<br />
other panes.
Expert Overview<br />
Protocol Statistics<br />
Detail tree<br />
Expert Summary<br />
Figure 7-1. The Expert Window Panes<br />
Real-Time Expert Display<br />
Expert Details<br />
User’s <strong>Guide</strong> 133
Chapter 7<br />
Setting Expert Options<br />
134 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
For effective network analysis, and depending on your network’s<br />
protocol environment, you should configure Expert options before you<br />
start capturing data. The Expert options are described in the following<br />
sections.<br />
See also:<br />
Expert Layers and Objects on page 134<br />
Expert Threshold Settings on page 137<br />
Expert Protocol Settings on page 137<br />
Expert Subnet Mask Settings on page 138<br />
Expert RIP Settings on page 138<br />
Expert 802.11 Options on page 140<br />
Expert Mobile Options on page 149<br />
Expert Oracle Options on page 150<br />
Expert IP Options on page 151<br />
Expert Layers and Objects<br />
During capture, the Expert constructs a database of network objects<br />
from the traffic it sees and categorizes network problems according to<br />
the Expert layer at which they occur.<br />
NOTE: The Expert’s network layering structure is similar to the OSI<br />
model. However, the two schemes do not always map on a<br />
one-to-one basis.<br />
To configure network object and Expert layer options, select Expert<br />
Options from the Tools menu. The Expert Properties dialog box opens<br />
displaying the Objects tab.<br />
The Expert has configuration options that enable you to:<br />
Exclude certain layers from Expert processing. In addition to<br />
using capture filters, which let you select the particular traffic you<br />
need for network analysis, you can exclude certain Expert layers<br />
from processing. Double-click a layer in the Analyze column of the<br />
Objects tab and select No to exclude the layer from Expert<br />
processing
Real-Time Expert Display<br />
Disabling analysis on the lower layer will disable analysis on all<br />
upper layers.This enables you to focus on specific network<br />
problems precisely.<br />
Specify the maximum number of objects that can be created<br />
in the database for each Expert layer. To reduce the amount of<br />
memory needed to create network objects, you can specify the<br />
maximum number of objects that the Expert can create for each<br />
Expert layer. Double-click in the Max Objects column of the<br />
Objects tab to specify the maximum number of objects that can be<br />
created in the database for each Expert layer.<br />
NOTE: To help with configuration, the Expert shows the<br />
estimated amount of memory needed for the number of<br />
objects selected for each layer in the Est. Memory column of<br />
the Objects tab.<br />
Specify whether to recycle Expert objects (the default) or<br />
stop creating new objects when there is no more room in the<br />
database. The Expert builds a database of network objects from<br />
the information in the packets accumulated in the capture buffer.<br />
Because some networks can be immensely complex in their<br />
structure, at some point the Expert will have no more memory for<br />
new network objects. If you recycle objects, the Expert continues<br />
to add new objects to the database, overwriting the least<br />
interesting objects when it runs out of memory (objects with no<br />
associated errors are considered “least interesting”). If you do not<br />
recycle objects, the Expert stops creating new objects when it runs<br />
out of memory, and instead, continues to interpret traffic in<br />
accordance with the information it has already stored in its<br />
database.<br />
Enable/disable real-time Expert analysis during capture. By<br />
default, when you start a capture, the Expert analyzes the packets<br />
coming into the buffer and displays the results in real time in the<br />
Expert window. You can observe the network objects, symptoms,<br />
and diagnoses that the Expert analyzer creates while the capture<br />
progresses. You can disable real-time Expert analysis if you prefer.<br />
Specify the maximum number of alarms that can be created<br />
in the Expert database. When the maximum number is reached,<br />
the Expert will either recycle the oldest and lowest priority alarms<br />
(if the Recycle Alarms option is selected) or stop creating new<br />
alarms.<br />
This Recycle Alarms option specifies what the Expert does when<br />
it runs out of memory:<br />
User’s <strong>Guide</strong> 135
Chapter 7<br />
136 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Continues to create new objects by overwriting older objects<br />
in the database (checked)<br />
Stops creating new objects and continues interpreting traffic<br />
according to information already in the database (unchecked)<br />
Specify how often Expert displays are updated with new<br />
data. Configure the Data Update Rate and the Resorting Rate as<br />
desired in within the Objects tab of the Expert UI Object Properties<br />
dialog box. The Resorting Rate specifies the delay between<br />
resorting the Expert’s database of objects and refreshing the<br />
Expert’s summary display.<br />
Notes on Expert Tuning<br />
The Expert Analyzer defaults to a maximum number of objects per layer<br />
of 1000 for most layers. Adjacent to this column is the Est Memory<br />
column, reflecting the estimated amount of memory required to support<br />
the relevant number of objects at each layer. For networks where you<br />
will see many conversations and hosts you will want to do one or both<br />
of the following:<br />
Increase the maximum number of objects at the relevant layer(s)<br />
Disable Recycle Expert Objects<br />
If Recycle Expert Objects is enabled, Expert will attempt to reuse<br />
object memory for a given layer when the maximum count of objects at<br />
that layer is reached. On higher speed networks, it is advised that<br />
recycling is disabled as it can become an issue. If you disable recycling<br />
and hit the maximum counts, any newly detected conversations or hosts<br />
will be ignored. In this situation, it is advised to increase the maximum<br />
number of objects and disable Recycle Expert Objects.<br />
For example, if you run Expert and discover that you are hitting the<br />
maximum count at the IP layer, then increase the maximum number of<br />
objects to 5000. You will also have to increase Layers 4 and perhaps<br />
Layers 6 and 7 because those layers are likely to hit their respective<br />
maximum counts as well. This may take several iterations before you<br />
come up with the best combination of maximum object counts. Each<br />
layer can support up to 99999 maximum objects.<br />
If you increase the maximum object counts then the Expert calculates<br />
expected memory needs. If such expected memory needs exceed the<br />
amount of memory available you will get an error message. At which<br />
point you will have to trim your maximum object counts accordingly. You<br />
can also reduce the maximum object count at those layers that will not<br />
have large object counts so as to conserve available memory. A good<br />
candidate in most cases would be the DLC\MAC layer (Layer 2).
Expert Threshold Settings<br />
Real-Time Expert Display<br />
Expert thresholds determine whether the Expert generates a symptom<br />
or a diagnosis (also called an alarm) based on a given network event.<br />
To change Expert thresholds, select Expert Options from the Tools<br />
menu and click the Alarms tab.<br />
Expand and/or collapse the Expert layers using the tools in the left<br />
column. Clicking “1” or “0” at the top of the column expands or collapses<br />
all Expert layers. Click the “+” next to a layer to open an Expert layer<br />
and display all symptoms and diagnoses (alarms). After expanding the<br />
layer, expand again to display the settings for the alarm.<br />
Options in the Alarms tab include:<br />
Changing Threshold values. Double-click in the Threshold Value<br />
cell and type the new threshold value.<br />
Reset Threshold values. Click Reset to reset the selected value<br />
to the factory default, or click Reset All to reset all settings for all<br />
layers to the factory defaults.<br />
IMPORTANT: The default thresholds have been carefully calculated to<br />
ensure accurate and informative symptom and diagnosis detection.<br />
Before changing any of the thresholds, make sure you understand your<br />
network.<br />
For information about alarm severity levels and the Alarm log, refer to<br />
Managing Alarms on page 257.<br />
Expert Protocol Settings<br />
You can use the options in the Tools > Expert Options > Protocols<br />
tab to specify which protocols you would like the Expert to analyze.<br />
Limiting Expert analysis to a selected set of protocols will help improve<br />
the Expert’s performance.<br />
The Protocols tab arranges protocols by the Expert layer at which they<br />
are analyzed. You can cascade each layer open by clicking the + sign<br />
next to its entry in the dialog box. Then, click in the Analyze column to<br />
specify either Yes, you would like Expert analysis for this protocol, or<br />
No, you would not like Expert analysis for this protocol.<br />
Click Enable All or Disable All to enable or disable Expert analysis for<br />
all protocols.<br />
User’s <strong>Guide</strong> 137
Chapter 7<br />
Expert Subnet Mask Settings<br />
138 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
TCP/IP subnet masks traditionally reserve specific bits within an IP<br />
network address for the subnet mask depending on the class of address.<br />
The Expert comes with default subnet mask settings for each class of IP<br />
address.<br />
Certain networks may use non-traditional subnet masks. If the Expert is<br />
attached to a network segment that uses nontraditional subnet masks,<br />
it may register spurious network objects and diagnoses. This happens<br />
because the Expert expects address information at a location within the<br />
address field other than where it actually is.<br />
If your networks use nontraditional subnet masks, you must add the IP<br />
network address and appropriate subnet mask for the networks from<br />
which the Expert will see frames.<br />
Select Expert Options from the Tools menu, then click the Subnet<br />
Masks tab. Click Add to create a new entry and add the IP address and<br />
appropriate subnet mask for the networks from which the Expert sees<br />
frames. Type your IP address in the IP Net Address column in the<br />
format n.n.n.n where each n is less than 256. Type the subnet mask<br />
associated with the IP address in the Subnet Mask column, then click<br />
Apply.<br />
Click Delete to delete the selected IP address/subnet mask from the<br />
table.<br />
Expert RIP Settings<br />
The Expert performs RIP (Routing Information Protocol) analysis during<br />
capture and builds a routing table by parsing RIP and other routing<br />
protocols in captured frames. RIP analysis is shown in the “Route” layer<br />
in the Expert window and enables you to detect common routing<br />
problems.<br />
You can disable RIP analysis, or specify the level of analysis you want to<br />
perform (traffic counts and misdirected frames, or traffic counts only).<br />
The Expert tracks the routers it discovers over the network and any<br />
default routers that you configure. When you configure a default router,<br />
the Expert constructs a default static route to that gateway. The<br />
destination IP address for this route is [0.0.0.0]. (You can enter either<br />
the MAC address or the IP address of the default router.) This feature<br />
allows the RIP Expert to be aware of routers that provide routes that<br />
they are not advertising.
Real-Time Expert Display<br />
Some hosts may be configured to route traffic to default gateways, but<br />
a route from such a host to a default gateway might never be advertised.<br />
Unless you configure static default routes, the RIP Expert will incorrectly<br />
diagnose frames sent from a host to a default gateway as misdirected.<br />
If a default route you have configured is also advertised, the other route<br />
is ignored, since the one you configured is permanently in the table.<br />
To configure or disable RIP analysis:<br />
1 Select Expert Options from the Tools menu.<br />
2 Click the RIP Options tab.<br />
3 Select the level of RIP analysis you want to perform from the<br />
drop-down list:<br />
No traffic analysis (RIP disabled) disables the RIP Expert.<br />
Full traffic analysis (counts and analysis) produces traffic<br />
counts and detects misdirected frames.<br />
Traffic counts only produces only traffic counts.<br />
4 Expert discovers the routers on the network during capture and<br />
displays them in the router table of the RIP Options tab. You can<br />
add or remove routers from the table using the Add Router and<br />
Delete buttons to the right of the Routers table.<br />
5 The Subnet table displays the subnets that Expert detects on your<br />
network automatically during capture and the subnets you add<br />
manually. The Source column indicates if the subnet is detected<br />
by the Expert (Network) or added manually (User). Add or<br />
remove subnets from the table using the Add Subnet and Delete<br />
buttons to the right of the Subnet table.<br />
IMPORTANT: The RIP Expert requires that the IP subnet<br />
address and subnet mask be set properly in the Subnet Masks<br />
Tab.<br />
6 Select Auto Discover Subnets if you want Expert to discover the<br />
subnets on your network automatically during capture.<br />
7 Click OK.<br />
NOTE: For RIP packets to be analyzed by the Expert, the<br />
connection layer or the application layer must be set to Analyze in<br />
the Objects tab of the Expert Properties dialog box. RIP sits above<br />
UDP; the RIP interpreter must be called from the UDP interpreter.<br />
UDP is considered to be a transport layer; for the transport layer<br />
User’s <strong>Guide</strong> 139
Chapter 7<br />
140 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
and above to be interpreted, at least the connection layer must be<br />
selected.<br />
Expert 802.11 Options<br />
The options in the 802.11 Options tab let you specify how the Expert<br />
identifies rogue entities on the wireless network, as follows:<br />
If the Enable Rogue AP Lookup option (beneath the Known<br />
Address Points in the Network table) is enabled during capture, the<br />
Expert compares the MAC address (not the IP address) of each<br />
detected access point to those in the Known Access Points in the<br />
Network list. If the access point’s MAC address is not in the list,<br />
the Expert labels the address as a “rogue” and generates the<br />
Rogue Access Point alarm.<br />
If the Enable Rogue Mobile Unit option is enabled during<br />
capture, the Expert compares the MAC address (not the IP address)<br />
of each detected mobile unit to those in the Known Mobile Units in<br />
the Network list. the Expert flag mobile units whose MAC addresses<br />
are not in the Known Mobile Units list as “rogues” and generates<br />
the Rogue Mobile Unit alarm.<br />
Additional Rogue Identification<br />
In addition, Sniffer <strong>Portable</strong> <strong>Professional</strong> identifies rogues (access points<br />
and workstations) as follows:<br />
The word (Rogue) is included in parentheses following the<br />
offending stations’ entries in Expert Summary and Detail displays.<br />
This provides you with a handy means of identifying units on the<br />
wireless network of which you were not aware, some of which may<br />
be unauthorized intruders.<br />
When Rogue Lookup is enabled, the Host Table includes a Status<br />
column in tabular 802.11 displays listing the current<br />
Rogue/Known/Neighbor identification of each listed entity. You<br />
can check an entry’s selection box in the Host Table (in the #<br />
column) and right-click to identify it as either Known or Neighbor,<br />
or to remove it from the Known/Neighbor list entirely.
Adding Known Addresses to the List<br />
Real-Time Expert Display<br />
To use the rogue identification abilities of Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
effectively, you must first add the MAC addresses of the known access<br />
points and mobile units on your network to the Expert’s list of known<br />
wireless unit addresses. There are several ways to do this:<br />
Automatically from the real-time Host Table. See Adding Known<br />
Addresses from the Host Table on page 141.<br />
Automatically from the Expert tab of the postcapture display. See<br />
Adding Known Addresses from the Postcapture Display on page<br />
143.<br />
Automatically from the Address Book. See Autodiscovering and<br />
Adding Addresses from the Address Book on page 145.<br />
Manually from the 802.11 Options tab of the Expert Properties<br />
dialog box. See Adding Known Addresses Manually in the 802.11<br />
Options Tab on page 145.<br />
In addition, you can also import and export lists of known addresses (for<br />
example, you can import addresses from other Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> installations). The following sections describe how to use<br />
each of these methods.<br />
Adding Known Addresses from the Host Table<br />
Use the following procedure to add the MAC addresses of known wireless<br />
units (either access points or mobile units) automatically from the Host<br />
Table during real-time monitoring.<br />
To add known addresses automatically from the Host Table:<br />
1 Open the Monitor > Host Table application.<br />
The Host Table appears. During real-time monitoring, the Host<br />
Table adds one-line entries for each detected wireless unit (access<br />
points and mobile units) on the network.<br />
2 If the 802.11 tab is not already displayed, click its entry at the<br />
bottom of the Host Table. You can display either the full 802.11 tab,<br />
or, alternatively, click the Access Point button to zoom in on<br />
access points only.<br />
User’s <strong>Guide</strong> 141
Chapter 7<br />
142 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
3 Select which entries in the Host Table you would like to add to the<br />
Expert’s list of known addresses. Select an entry by checking its<br />
corresponding box in the # column at the left of the display. You<br />
can select both access points and mobile units. Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> will add each to the appropriate list in the Tools ><br />
Expert Options > 802.11 Options tab and the Tools ><br />
Wireless > Rogue dialog box.<br />
Figure 7-2 shows the 802.11 tab of the Host Table with several<br />
access points selected in the # column.<br />
Figure 7-2. The Host Table > 802.11 Tab<br />
4 Right-click any entry in the Host Table and select either the Add to<br />
Wireless Units List as Known or Add to Wireless Units List as<br />
Neighbor command from the context menu that appears.<br />
The checked addresses are added to the Expert’s list. You can<br />
verify that they have been added by displaying the Tools > Expert<br />
Options > 802.11 Options tab or the Tools > Wireless ><br />
Rogue dialog box. The Known...in the Network lists will include<br />
the newly added addresses.
Real-Time Expert Display<br />
Adding Known Addresses from the Postcapture Display<br />
Use the following procedure to add the MAC addresses of known wireless<br />
units (either access points or mobile units) automatically from the<br />
Expert tab of the postcapture display.<br />
To add known addresses automatically from the postcapture<br />
display:<br />
1 Display either a capture buffer or a saved trace file.<br />
2 Click the Expert tab of the postcapture display.<br />
NOTE: If the Expert tab is not available, make sure the<br />
Expert tab option is enabled in the Display > Display Setup<br />
> General tab.<br />
3 Click Wireless Units List at the top of the Expert pane.<br />
The Wireless Units Discovered in this trace dialog box appears<br />
(Figure 7-3). This dialog box has two separate lists of wireless units<br />
discovered in the capture buffer or trace file — one for access<br />
points and one for mobile units.<br />
NOTE: You can edit the IP Address field in either list. In<br />
some cases, the Expert may be unable to determine a station’s<br />
IP address. In these cases, you can manually enter an IP<br />
address using this feature.<br />
User’s <strong>Guide</strong> 143
Chapter 7<br />
Discovered access points<br />
are listed in the upper list;<br />
discovered mobile units<br />
are listed in the lower list.<br />
IP Address fields are<br />
editable — you can enter<br />
a custom IP address.<br />
Selected access points<br />
and mobile units will be<br />
added to the list of known<br />
addresses by clicking this<br />
button.<br />
By default, all discovered addresses are selected for addition to the Known list (the box<br />
at the right of each entry in the list is checked). You can select and deselect individual<br />
entries for addition or click Select All and Deselect All for faster selection.<br />
144 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Figure 7-3. Adding Discovered Addresses Postcapture<br />
4 Select the access points and mobile units you would like to add to<br />
the list of known addresses by checking the checkbox at the right<br />
of each desired entry. By default, all discovered addresses are<br />
selected for addition. You can change selections in the following<br />
ways:<br />
By clicking Select All and Unselect All.<br />
By clicking in the checkbox for individual entries to toggle<br />
them between selected and unselected.<br />
5 When you have finished selecting the addresses for addition, click<br />
Update Known Wireless Units List at the bottom of the dialog<br />
box.<br />
Those selected addresses not already in the Expert’s list are added.<br />
You can verify that they have been added by displaying the Tools<br />
> Expert Options > 802.11 Options tab or the Tools ><br />
Wireless > Rogue dialog box. The Known Access Points in the<br />
Network and Known Mobile Units in the Network lists will<br />
include the newly added addresses.
Real-Time Expert Display<br />
Autodiscovering and Adding Addresses from the Address Book<br />
The Address Book provides you with the ability to autodiscover access<br />
points and mobile units on the wireless network. Then, you can add<br />
discovered access points to the list of known addresses automatically.<br />
To autodiscover access points and add them from the<br />
Address Book:<br />
1 Display the Address Book (Tools > Address Book).<br />
2 Click Autodiscovery .<br />
3 In the Autodiscovery Options dialog box, make sure the Discover<br />
Mobile Units and Discover Access Points options are enabled.<br />
4 Click OK.<br />
Autodiscovery proceeds. Discovered addresses appear in the<br />
Address Book.<br />
5 Click Export AP in the Address Book’s toolbar to add the<br />
addresses of all the access points in the Address Book to the list of<br />
known access points.<br />
Addresses not already in the Expert’s list are added. You can verify<br />
that they have been added by displaying the Tools > Expert<br />
Options > 802.11 Options tab or the Tools > Wireless ><br />
Rogue dialog box. The Known Access Points in the Network<br />
list will include the newly added addresses.<br />
NOTE: Clicking Export AP only adds those addresses in the<br />
Address Book with a Type value set to Access Point. Mobile units<br />
are not added.<br />
Adding Known Addresses Manually in the 802.11 Options Tab<br />
Use the following procedure to add the MAC addresses of known wireless<br />
units manually (either access points or mobile units) to the Expert’s list.<br />
To add known addresses manually in the 802.11 Options tab:<br />
1 Display one of the following dialog boxes/tabs:<br />
Tools > Expert Options > 802.11 Options<br />
Tools > Wireless > Rogue<br />
2 Do you want to add the address of an access point or a mobile unit?<br />
User’s <strong>Guide</strong> 145
Chapter 7<br />
146 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
To add the address of an access point, click Add AP.<br />
A new entry line becomes active in the Known Access<br />
Points in the Network list with the active cursor in the MAC<br />
Address column.<br />
To add the address of a mobile unit, click Add MU.<br />
A new entry line becomes active in the Known Mobile Units<br />
in the Network list with the active cursor in the MAC<br />
Address column.<br />
3 Enter the MAC address of the access point or mobile unit in the<br />
appropriate MAC Address column. You must enter the entire<br />
address in hexadecimal format. The dialog box will not let you enter<br />
an address that is not the proper length and format (twelve<br />
characters, hexadecimal only). If you do not know the full<br />
hexadecimal addresses of the access points in your network, see<br />
Determining a Wireless Unit’s Full Hexadecimal Address on page<br />
147.<br />
4 Once you have entered a legal MAC address, you can also enter an<br />
IP address in the IP Address column. For this release, IP<br />
addresses are for your own reference only. The Expert only<br />
compares MAC addresses when flagging wireless units as<br />
rogues!<br />
5 Repeat Step 2 through Step 4 for each access point or mobile unit<br />
you want to add to the Expert’s list. You can enter as many<br />
addresses as you like.<br />
6 Turn on the Enable Rogue AP Lookup option and/or Enable<br />
Rogue Mobile Unit Lookup option by checking the appropriate<br />
boxes.<br />
7 Click OK in the Expert Properties dialog box.<br />
Once you have enabled the Rogue AP Lookup and/or Enable Rogue<br />
Mobile Unit Lookup option and clicked OK, during subsequent<br />
captures (and openings of trace files), Sniffer <strong>Portable</strong> <strong>Professional</strong> will<br />
compare the MAC addresses of detected access points and mobile units<br />
to those in the corresponding lists. Wireless entities not found in the<br />
appropriate list will be flagged as rogues in both the Host Table and<br />
Expert Summary and Detail displays. In addition, either the Rogue<br />
Access Point or Rogue Mobile Unit alarm will be generated for each<br />
detected rogue. See Rogue Identification in Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Displays on page 62 for information on how Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
identifies rogues in its various displays.
Real-Time Expert Display<br />
Determining a Wireless Unit’s Full Hexadecimal Address<br />
If you do not know the full hexadecimal address of a wireless unit (either<br />
an access point or a mobile unit) in your network, you should first check<br />
the unit. Often, the address is written on the equipment itself.<br />
If this does not work, you can use the Host Table or Expert displays to<br />
discover the address. However, because most displays substitute textual<br />
manufacturer IDs for the first three bytes of a hexadecimal MAC address<br />
(that is, a hexadecimal address of 0020d8014060 would usually be<br />
identified in displays as Netwav014060), you need to know where to<br />
look in Sniffer <strong>Portable</strong> <strong>Professional</strong> displays to find the entire address in<br />
hexadecimal.<br />
To determine a wireless unit’s full hexadecimal address:<br />
1 Start capturing from the network containing the unit whose<br />
address you want to determine. Alternatively, you can open a trace<br />
file captured from that network.<br />
2 In the Expert display, examine the Station Function column in the<br />
Summary pane at the Wireless layer. In this column, locate an<br />
entry for either an Access Point or a Mobile Unit. Highlight this<br />
entry.<br />
The Detail pane automatically updates to show statistics for the<br />
entry selected in the Summary pane.<br />
3 In the Detail pane, scroll down to the Wireless Address field. This<br />
field shows the entire hexadecimal address of the selected unit. A<br />
textual manufacturer’s ID is not substituted for the first portion of<br />
the address.<br />
4 Repeat this procedure for each access point on the network whose<br />
full hexadecimal address you want to determine.<br />
Importing and Exporting Known Addresses<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> also provides export and import capabilities<br />
for the known address lists in the Tools > Expert Options > 802.11<br />
Options tab.<br />
You can export the contents of either the Known Access Points or the<br />
Known Mobile Units list using the corresponding Export button in the<br />
802.11 Options tab. Exported files are saved in comma-separated<br />
values (CSV) format. The exported file consists of a heading row with<br />
the IP Address and MAC Address column headings followed by<br />
multiple data rows in the format IP Address,MAC Address. For example,<br />
a small exported CSV file might appear:<br />
IP Address,MAC Address<br />
User’s <strong>Guide</strong> 147
Chapter 7<br />
148 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
192.168.1.40,08002000E25B<br />
192.168.1.14,0800000036D9<br />
192.168.1.25,080020061107<br />
NOTE: MAC addresses are always presented in the CSV file in<br />
hexadecimal format.<br />
Similarly, you can also import CSV files into the Known Access Points<br />
or the Known Mobile Units list using the corresponding Import button<br />
in the 802.11 Options tab. You can import either CSV files created by<br />
exporting the lists from other Sniffer <strong>Portable</strong> <strong>Professional</strong> installations,<br />
or CSV files you create yourself following the model above (that is,<br />
multiple rows in the IP Address,MAC Address format).<br />
NOTE: You can use the Import and Export buttons together to<br />
share known address lists among multiple Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> installations.
Expert Mobile Options<br />
Real-Time Expert Display<br />
Set the options in the Mobile Options tab to specify how the Expert<br />
should analyze Mobile IP data:<br />
Enable IP Home Agent<br />
Tunnel Analysis<br />
Enable GRE Home Agent<br />
Tunnel Analysis<br />
Report Mobile Reg Error<br />
136<br />
Enable GTP 99 IP Tunnel<br />
Analysis<br />
Mobile IP Registration List<br />
Flush Count<br />
Max Radius Users per<br />
Object<br />
Specifies whether IP Home Agent Tunnel<br />
Analysis is enabled. Disabling this option<br />
improves Expert performance.<br />
Specifies whether GRE Home Agent Tunnel<br />
Analysis is enabled. Disabling this option<br />
improves Expert performance.<br />
Specifies whether a Mobile Registration<br />
Reply with a Code value of 136<br />
(Registration Denied by the Home<br />
Agent - Unknown Home Agent Address)<br />
should be considered when generating<br />
Registration Failure Expert alarms. If this<br />
option is disabled, Registration Failure<br />
alarms will not be generated when<br />
registration fails with error code 136.<br />
Specifies whether GTP 99 Tunnel Analysis is<br />
enabled. When enabled, protocols inside a<br />
GTP 99 tunnel will be analyzed by the<br />
Expert. Disabling this option improves<br />
Expert performance.<br />
Specifies how often the list of Mobile IP<br />
Registration requests should be checked for<br />
registration timeouts and flushed of expired<br />
Registration Requests.<br />
NOTE: If you set this field to 0, the Expert<br />
treats the field as if were set to 1. Only nonzero<br />
values are supported.<br />
Specifies the maximum number of user data<br />
elements to be tracked with each Radius<br />
object.<br />
User’s <strong>Guide</strong> 149
Chapter 7<br />
Expert Oracle Options<br />
150 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Radius Request List Flush<br />
Count<br />
GTP 99 Create PDP<br />
Context Request Flush<br />
Count<br />
Use the Oracle Options tab to specify the Oracle Error Type numbers<br />
(Oracle Error Codes) for which you would like the Expert to generate<br />
alarms. Whenever the Expert sees one of the error codes listed here, it<br />
will generate the Oracle: ORA Error Type Noticed alarm at the Service<br />
layer.<br />
Use this tab as follows:<br />
Specifies how often the list of Radius<br />
requests for a particular Radius object<br />
should be checked for timeouts and flushed<br />
of expired entries.<br />
NOTE: If you set this field to 0, the Expert<br />
treats the field as if were set to 1. Only nonzero<br />
values are supported.<br />
NOTE: For most situations, setting this field<br />
higher than its default of 1 is not<br />
recommended. Setting the value higher than<br />
1 decreases the likelihood of seeing any<br />
Timed Out alarms for Radius Access and<br />
Accounting requests.<br />
Specifies how often the list of GTP 99 PDP<br />
Context Requests for a particular GTP 99<br />
object should be checked for timeouts and<br />
flushed of expired requests. When the<br />
Expert checks this list and sees at least one<br />
response that exceeds the PDP Context<br />
Request Timeout threshold or no response<br />
at all, it generates the GTP 99 PDP<br />
Context Request Timed Out alarm.<br />
NOTE: If you set this field to 0, the Expert<br />
treats the field as if were set to 1. Only nonzero<br />
values are supported.<br />
Click Add to create a new entry in the grid. Then, type in the<br />
numerical error code to be monitored.<br />
Click Delete to delete the selected error code from the table.<br />
You can modify any entry in the grid by selecting it and revising as<br />
necessary.
Expert IP Options<br />
Real-Time Expert Display<br />
Use the IP Options tab to exclude specified IP addresses from<br />
consideration for the Expert’s Duplicate Network Address alarm. The<br />
Expert will not generate Duplicate Network Address alarms for the IP<br />
addresses listed in this tab.<br />
Use this tab as follows:<br />
Click Add and supply an address to add a new IP address to the list<br />
of exclusions.<br />
Select an entry and click Delete to remove the selected IP Address<br />
from the list.<br />
Modify entries by selecting them and editing as necessary.<br />
Setting Automatic Expert Display Filters<br />
You can use Expert display filters to automatically display all traffic in the<br />
capture buffer related to a specific:<br />
Network object<br />
Symptom or diagnosis<br />
You apply an Expert display filter by selecting a network object,<br />
symptom, or diagnosis in the summary pane of the Expert window and<br />
clicking the Define Filter button in the upper left corner of the Expert<br />
window. In response, the Expert adds a new tab to the display window<br />
(titled Filtered xx, where xx is the sequential number of the filter you<br />
applied) containing just those frames associated with the selected<br />
network object, symptom, or diagnosis.<br />
The frames may be displayed with skipped frame numbers on the<br />
Filtered tab, because the network object filter does not change the<br />
frame numbers of frames it selects for display. Thus, you may see frame<br />
30 followed by frame 35 because the network object filter excluded<br />
frames 31-34. If you save the filtered frames as a new file (using the<br />
Save As) command, the Sniffer <strong>Portable</strong> <strong>Professional</strong> will renumber the<br />
filtered frames with sequential numbers.<br />
IMPORTANT: Expert filters support a maximum of 10 objects. Make<br />
sure you have selected no more than 10 objects before using this<br />
feature.<br />
User’s <strong>Guide</strong> 151
Chapter 7<br />
Limitations of the Expert Filter<br />
152 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Expert filter has the following limitations:<br />
Some symptoms and diagnoses, such as Broadcast storm, have<br />
no associated network object on which the analyzer can filter. In<br />
those cases, the Define Filter button will not appear at the upper<br />
left of the display, indicating that an Expert filter cannot be set.<br />
Expert filters are not supported on objects at the Multicast layer.<br />
Expert filters support a maximum of 10 objects. Make sure you<br />
have selected no more than 10 objects before using this feature.<br />
Occasionally you will see the message:<br />
No frames are eligible for display<br />
This message appears when one or more of the following conditions<br />
exist:<br />
The highlighted object has not sent or received a frame<br />
The highlighted object has been filtered out by a standard<br />
Display filter<br />
Other Notes About Expert Filters<br />
The Expert analyzer uses several algorithms to decide which frames are<br />
associated with a network object. Sometimes, these algorithms may<br />
eliminate frames you consider relevant.<br />
Certain maintenance frames may not be shown. For example, if<br />
you set an Expert filter on a Novell Netware connection-layer<br />
connection, the Expert analyzer would show all those related<br />
frames with NCP layers, but would not show certain connection<br />
maintenance frames it considers irrelevant.<br />
When you set a filter on a connection object, the frame that<br />
initiates the connection is not shown. This is because Expert does<br />
not create a connection object until the connection is completed.<br />
When you filter on an application object, TCP continuation frames<br />
are not shown.
Displaying Context-Sensitive Explain<br />
Messages<br />
Real-Time Expert Display<br />
The Expert provides an explanation of the information in each pane of<br />
the Expert window. Click inside the pane on which you need information<br />
and press F1.<br />
The Expert also provides concise explanations for each symptom and<br />
diagnosis generated. To display a detailed explanation of a symptom or<br />
diagnosis, click the question mark (?) to the right of the<br />
symptom/diagnosis description in the Expert Detail pane. You may have<br />
to scroll to the right of the pane to see the ?.<br />
Rearranging the Expert Display<br />
You can change the Expert display to better suit your viewing needs. You<br />
can display:<br />
All five viewing panes at the same time (shown in Figure 7-1).<br />
The Expert Overview and Expert Summary panes (with or without<br />
the Protocol Statistics pane). This is the default view.<br />
The Detail tree and Expert Detail panes.<br />
Figure 7-4 shows the default Expert display and demonstrates how to<br />
rearrange the different panes.<br />
User’s <strong>Guide</strong> 153
Chapter 7<br />
Click to show the packet<br />
display (only available<br />
when capture is stopped)<br />
Click here to expand the Expert Overview pane<br />
and display the Protocol Statistics pane<br />
underneath<br />
154 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Drag the bar up to the middle of the<br />
display to see all five panes at the<br />
same time (as in Figure 7-1)<br />
Figure 7-4. Rearranging the Expert Window Panes<br />
Exporting the Contents of the Expert<br />
Database<br />
Click the Summary<br />
tab to display the<br />
Expert Overview<br />
and Summary<br />
panes (as shown)<br />
Click the Objects<br />
tab to display the<br />
Detail tree and<br />
Expert Detail<br />
panes<br />
You can export the contents of the Expert analyzer’s database of<br />
network objects, symptoms, and diagnoses to a file saved in<br />
comma-separated values (CSV) or HTML format. The CSV file format can<br />
easily be imported into most spreadsheet programs.<br />
Export the contents of the Expert analyzer’s database by clicking Export<br />
to CSV or Export to HTML in the Expert window. For exporting<br />
to CSV file format, use the dialog box shown in Figure 7-5 to specify<br />
which portions of the database you would like to export.
Specify the path and<br />
filename for the<br />
exported contents of<br />
the Expert database.<br />
Select the portions of the<br />
Expert’s database you<br />
would like to export to the<br />
CSV file. Each checkbox<br />
corresponds to a pane in<br />
the Expert window.<br />
Real-Time Expert Display<br />
Figure 7-5. Exporting the Contents of the Expert Analyzer’s Database to<br />
CSV Format<br />
User’s <strong>Guide</strong> 155
Chapter 7<br />
156 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Displaying Captured Data<br />
Overview<br />
8<br />
This chapter describes the postcapture display window. Once you have<br />
captured a buffer or trace file of network data, you can use the<br />
postcapture display window to analyze the data in a variety of formats,<br />
including the Expert tab, classic line-by-line decode tab, and a variety of<br />
other formats.<br />
The section includes the following major topics:<br />
Displaying Captured Packets on page 158<br />
Postcapture Views for Wireless Networks on page 160<br />
Postcapture Expert Display on page 161<br />
Postcapture Decode Display on page 162<br />
Setting Display Filters on page 167<br />
Setting Display Setup Options on page 177<br />
Searching for Frames in the Decode Display on page 186<br />
Postcapture 802.11 Decryption on page 199<br />
Postcapture Matrix Tab on page 202<br />
Postcapture Host Table Tab on page 206<br />
More about the Matrix Traffic Map on page 204<br />
Postcapture Protocol Distribution Tab on page 208<br />
Postcapture Statistics Tab on page 210<br />
User’s <strong>Guide</strong> 157
Chapter 8<br />
Displaying Captured Packets<br />
158 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Use the Display feature to decode and view the packets stored in the<br />
capture buffer or in a capture file. The postcapture Display window<br />
provides a variety of tabs ranging from proprietary Expert analysis to<br />
classic tri-pane, line-by-line protocol decodes.<br />
To display the contents of the capture buffer:<br />
1 In the Sniffer window, click Stop and Display in the main<br />
toolbar during a capture session, or click Display after a<br />
capture session.<br />
To open a capture file:<br />
1 In the Sniffer window, select Open from the File menu.<br />
Regardless of whether you are displaying data from the capture buffer<br />
or a trace file, the postcapture display window appears (Figure 8-1).<br />
Postcapture display tabs. The Decode<br />
tab always appears. The other tabs<br />
appear by default, but can be disabled.<br />
Figure 8-1. The Postcapture Display Window (Expert Tab Shown)
Table 8-1. Postcapture Display Tabs<br />
Tab Description<br />
Displaying Captured Data<br />
Each of the tabs in the postcapture window provides different views of<br />
the data in the buffer or trace file, as summarized in the table below.<br />
Expert Displays the results of proprietary Expert analysis, showing network objects,<br />
symptoms, and diagnoses by network layer. Provides the same functionality as the<br />
real-time Expert, except for data/objects already in the capture buffer or trace file.<br />
See Postcapture Expert Display on page 161<br />
Decode Provides classic, line-by-line protocol decodes in a tri-pane window. Sophisticated<br />
automatic filtering features let you select a packet in the Summary pane and<br />
automatically filter on different components of the packet (source/destination<br />
addresses, ports, and so on).<br />
See Postcapture Decode Display on page 162.<br />
Matrix Provides the same functionality as the real-time Matrix, except for data already in the<br />
buffer or trace file. Statistics are provided on conversations taking place on the<br />
network.<br />
See Postcapture Matrix Tab on page 202<br />
Host Table Provides the same functionality as the real-time Host Table, except for data already in<br />
the buffer or trace file. Statistics are broken out for each host detected on the network.<br />
Different tabs let you focus on wireless hosts, IP hosts, MAC hosts, and so on.<br />
See Postcapture Host Table Tab on page 206.<br />
Protocol<br />
Distribution<br />
Provides the same functionality as the real-time Protocol Distribution view, except for<br />
data already in the buffer or trace file. Statistics are broken out by protocol family. You<br />
can focus on MAC, IP, or IPX layer protocols.<br />
See Postcapture Protocol Distribution Tab on page 208.<br />
Statistics Provides a variety of global statistics on the data in the buffer or trace file, including<br />
capture start/stop times, average speeds, and packet counts for a variety of basic<br />
categories.<br />
See Postcapture Statistics Tab on page 210.<br />
Filtered<br />
Tabs<br />
By default, display filters return the filtered frames in a new tab at the bottom of the<br />
postcapture display window. If you prefer, you can enable the Select matching<br />
option. When this option is enabled, frames matching the filter appear “marked” in the<br />
leftmost column of the active Decode tab – their checkboxes are checked.<br />
See Setting Display Filters on page 167 for more information on how to use display<br />
filters in the Decode tab.<br />
NOTE: The Matrix, Host table, Protocol Distribution, and Statistics<br />
tabs appear at the bottom of the Display window only if the Post<br />
analysis tabs box is checked on the General tab of the Display ><br />
Display Setup dialog box. Similarly, the Expert tab only appears if<br />
the Expert tab box is checked.<br />
User’s <strong>Guide</strong> 159
Chapter 8<br />
Postcapture Views for Wireless Networks<br />
160 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
When working with data from a wireless network, Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> adds a number of features to its postcapture display tabs.<br />
In addition to the standard information provided in the postcapture tabs,<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> adds special 802.11 information to the tabs<br />
listed below, allowing you to concentrate on statistics specifically for<br />
wireless stations:<br />
The Matrix, Host Table, and Protocol Distribution post-analysis<br />
tabs in the Display window each include 802.11 views, allowing<br />
you to focus specifically on 802.11 statistics for wireless stations.<br />
See Postcapture Matrix Tab on page 202, Postcapture Host Table<br />
Tab on page 206, and Postcapture Protocol Distribution Tab on<br />
page 208.<br />
The Statistics post-analysis tab in the Display window includes<br />
many wireless-specific statistics.<br />
See Postcapture Statistics Tab on page 210.<br />
The Decode display can completely decode 802.11 traffic. In<br />
addition, Sniffer <strong>Portable</strong> <strong>Professional</strong> can perform<br />
WEP/WPA/WPA2 decryption either during capture or after capture<br />
if the correct decryption keys are specified.<br />
See Postcapture Decode Display on page 162.
Postcapture Expert Display<br />
Displaying Captured Data<br />
The postcapture display’s Expert tab provides you with the same Expert<br />
analysis features available in the Expert window during real-time<br />
capture. It shows you the network objects, symptoms, and diagnoses<br />
detected by the Expert based on the packets in the capture buffer or<br />
trace file. Symptoms and Diagnoses are Expert indications of possible<br />
network problems. You can navigate through the various panes of the<br />
real-time Expert window to look at items of interest.<br />
IMPORTANT: The real-time Expert window is described in Real-Time<br />
Expert Display on page 131.<br />
The Expert tab is organized in the same way as the real-time Expert<br />
window described in Real-Time Expert Display on page 131. Expert<br />
analysis results are shown in five viewing panes – Expert overview,<br />
Expert summary, protocol statistics, detail tree, and Expert detail<br />
(Figure 8-1 on page 158). These panes function together to provide<br />
Expert analysis at different network layers, as follows:<br />
The Expert Overview pane shows network analysis layers (similar<br />
in concept to the ISO layers) and the Expert overview statistics<br />
(objects, symptoms, or diagnoses) for each layer. By selecting a<br />
combination of layer and statistic type, you control the display of<br />
Expert analysis data in the other Expert panes.<br />
Tip: You can configure the Expert Overview to be wide or narrow<br />
by clicking on the arrow icon at the upper right-hand corner of the<br />
pane.<br />
The Expert Summary pane shows key summary information for<br />
the layer and statistic selected in the Expert Overview pane. The<br />
column headings for the Expert Summary display will change,<br />
depending on what layer and statistic you have selected.<br />
The Protocol Statistics pane displays the amount of traffic (in<br />
frames and bytes) for each protocol encountered for the layer you<br />
selected in the Expert Overview pane. (This pane is not displayed<br />
when the Expert Overview pane is narrow.)<br />
The Detail Tree pane shows a hierarchical listing of all layers at or<br />
below those selected in the Expert Overview and Expert Summary<br />
panes. You can expand or collapse each layer in a manner similar<br />
to Windows Explorer. Click on any item in the Detail Tree to display<br />
its Expert detail data.<br />
User’s <strong>Guide</strong> 161
Chapter 8<br />
162 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Expert Detail pane is a collection of information tables for the<br />
data selected by the other panes. The content of the Expert Detail<br />
pane will vary, depending on what items are selected in the various<br />
other panes.<br />
Postcapture Decode Display<br />
The Decode tab provides classic, line-by-line protocol interpretation of<br />
network data. When you display the contents of the capture buffer or a<br />
capture file, Sniffer <strong>Portable</strong> <strong>Professional</strong> interprets and decodes the<br />
higher-level protocols within the captured packets using its protocol<br />
interpreters. The Decode tab shows the results of this protocol analysis.<br />
It displays packets in three color-coded viewing panes: summary, detail,<br />
and hex:<br />
The summary pane shows an overview of the packets captured in<br />
line-by-line summarized format.<br />
The detail pane displays the detailed contents of the packet<br />
currently selected in the summary pane. Each layer of the protocol<br />
is interpreted and displayed.<br />
You can display the detailed protocol layers in three different views<br />
— fully expanded decode, one-line summary, or a mixture of the<br />
two.<br />
By default, Sniffer <strong>Portable</strong> <strong>Professional</strong> expands underlying<br />
protocol layers in the detail pane. To save viewing space, click the<br />
minus (-) sign in front of the protocol sublayer line. To expand the<br />
protocol display again, click the plus (+) sign.<br />
The hex pane shows the selected packet in hexadecimal and ASCII<br />
(or EBCDIC) format.<br />
When you select a packet on the summary pane, or a detailed<br />
protocol field in the detail pane, the equivalent hexadecimal octets<br />
in the packet are highlighted in the hex pane. This quickly shows<br />
you the correspondence between the protocol field and its<br />
equivalent bytes in the packet.<br />
Figure 8-2 shows a sample Decode display.
Click the minus (-) sign to<br />
reduce the protocol display<br />
Click the plus (+) sign to<br />
expand the display<br />
The detail pane displays the detailed<br />
contents of the packet currently<br />
selected in the summary pane<br />
The Decode tab toolbar<br />
provides shortcuts to<br />
handy functionality.<br />
Figure 8-2. The Decode Tab<br />
Navigating the Decode Tab<br />
Displaying Captured Data<br />
The summary pane shows an<br />
overview of the packets captured<br />
in line-by-line summarized format<br />
The hex pane shows the selected<br />
packet in hexadecimal and ASCII<br />
(or EBCDIC) format<br />
You navigate Decode tabs with a combination of keyboard, mouse, and<br />
toolbar, moving between the different panes and zooming as necessary<br />
to see exactly the lines you’re interested in.<br />
Each pane can be resized by clicking and dragging the separator bar<br />
between the panes. Each pane also contains scroll bars that let you use<br />
the mouse to manipulate the viewing position in the pane. You can also<br />
use the cursor control keys to provide a similar function for the pane that<br />
has the focus.<br />
To maximize efficiency in scanning packets for details, follow these<br />
suggestions:<br />
User’s <strong>Guide</strong> 163
Chapter 8<br />
164 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Adjust the Packet Display size, and the individual pane to maximize<br />
the viewing area for your particular interests.<br />
Select the starting packet of interest in the Summary pane by<br />
clicking on it.<br />
Click the Detail pane to gain focus. The cursor movement and PgUp<br />
/ PgDn keys will now apply to the Detail pane.<br />
Use the F7 key to move to the previous packet. Use the F8 to move<br />
to the next packet.<br />
If you want to move the viewing area in the Detail pane, use the<br />
cursor and the Page Up / Page Down keys.<br />
You can search for packets by selecting the Find Frame command<br />
from either the Display menu or the context menu (accessed by<br />
right-clicking on the Display window). See Searching for Frames in<br />
the Decode Display on page 186 for details.<br />
You can copy text from the Detail pane. You can copy either a<br />
selected line in the pane (Copy Highlights in the right-click<br />
context menu or the Ctrl-C keyboard shortcut) or all of the text in<br />
the pane (Copy All in the right-click context menu<br />
Use the keys shown in Table 8-2 to navigate the Decode display. You can<br />
also use the corresponding commands in the Display menu.<br />
Table 8-2. Keyboard Shortcuts for the Display Pane<br />
Page Up View the previous page in the active<br />
pane.<br />
Page Down View the next page in the active pane.<br />
Cursor Up View the previous line in the active pane.<br />
Cursor Down View the next line in the active pane.<br />
F2 - Next Selected Move the display to the next selected<br />
packet in the summary pane.<br />
Shift+F2 - Previous Selected Move the display to the previous<br />
selected packet in the summary pane.<br />
Ctrl+F2 - Select Toggle Toggle the packet between selected and<br />
unselected state.<br />
Alt+F3 - Find Frame Open the Find Frame dialog box to<br />
specify what to search for in the Display<br />
pane.<br />
F3 - Find Next Frame Repeat the last search performed in Find<br />
Frame dialog box.<br />
F4 - Zoom Pane Zoom in/out of the selected Decode<br />
pane.
Selecting Packets<br />
Table 8-2. Keyboard Shortcuts for the Display Pane<br />
Displaying Captured Data<br />
F7 - Previous View the previous packet in the<br />
summary pane.<br />
F8 - Next View the next packet in the summary<br />
pane.<br />
You can select individual packets or a group of packets in the summary<br />
pane. Selecting packets allows you to mark key packets that are of<br />
interest to you, so that you can view and use them more easily. You can:<br />
Save the selected packets to a file (Display > Save Selected).<br />
Treat the selected packets as bookmarks, and use F2 to advance<br />
from one selected packet to the next.<br />
Using the Decode Tab Toolbar<br />
The Decode tab provides a toolbar at the top of the window with<br />
shortcuts to useful functionality (Figure 8-3). Each of the buttons in the<br />
toolbar is described in the table that follows.<br />
Figure 8-3. Decode Tab Toolbar<br />
Table 8-3. Decode Tab Toolbar Buttons<br />
Button Title Description<br />
Two Station Format Toggles the two-station format on and<br />
off. The two-station format splits the<br />
display into left and right panes,<br />
showing traffic between two stations.<br />
See Display Setup > General Options on<br />
page 179 for details.<br />
Show/Hide All Layers Toggles the Show All Layers option on<br />
and off. If enabled, the Summary pane<br />
shows one line for each protocol level<br />
contained in a frame. If disabled, only<br />
one line (for the highest enabled<br />
protocol level) is shown.<br />
Display Setup Displays the Display Setup dialog box.<br />
See Setting Display Setup Options on<br />
page 177.<br />
User’s <strong>Guide</strong> 165
Chapter 8<br />
Table 8-3. Decode Tab Toolbar Buttons<br />
Button Title Description<br />
Automatic Filter Type<br />
Selection<br />
166 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Use this dropdown to specify which<br />
information in the currently selected<br />
packet should be used to automatically<br />
populate the Define Filter dialog box’s<br />
fields when you click the Define Display<br />
Filter or Add to Last Filter button.<br />
You can populate based on<br />
source/destination IP addresses, ports,<br />
and MAC addresses.<br />
See Using Automatic Display Filters on<br />
page 168.<br />
Define Display Filter Displays the Define Filter dialog box with<br />
settings automatically populated based<br />
on the currently selected packet and the<br />
setting of the adjacent Filter Type<br />
Selection dropdown.<br />
See Using Automatic Display Filters on<br />
page 168.<br />
Add to Last Filter Takes the type of information specified<br />
in the Filter Type Selection dropdown<br />
from the currently selected packet and<br />
adds it to the last filter used in the<br />
Define Filter dialog.<br />
See Combining Filter Components (“Add<br />
to Last Filter”) on page 173 for details.<br />
Quick Filter Automatically filters the display based<br />
on the selected information in the<br />
currently selected packet. For example,<br />
if the Filter Type Selection dropdown is<br />
set to Connection, clicking Quick Filter<br />
will filter the display based on the<br />
source/destination addresses and ports<br />
(that is, the connection).<br />
Use the Display > Display Setup ><br />
Packet Selection tab to specify how<br />
Quick Filters will be applied (for<br />
example, whether matching packets are<br />
returned in a new tab or shown selected<br />
in the active tab, and so on).<br />
See Using Quick Filters on page 172 for<br />
details.
Setting Display Filters<br />
Displaying Captured Data<br />
A filter applied to the display of captured data is called a display filter.<br />
Display filters let you select the packets you want to display in a Decode<br />
tab. Display filters do not affect the contents of the capture buffer. They<br />
just prevent some of the data from being displayed.<br />
You can use display filters to view only:<br />
Packets transmitted between network nodes (or address pairs)<br />
Packets that belong to one or more protocol groups<br />
Packets that match predefined data patterns<br />
Error packets<br />
Packets that belong to a certain size range<br />
Packets that match various combinations of the above<br />
specifications<br />
IMPORTANT: Defining Filters and Triggers on page 219 provides the<br />
details on working with Sniffer filters in general – monitor, capture, and<br />
display. This section adds to that information with some additional topics<br />
specifically for display filters.<br />
Types of Display Filters<br />
The Sniffer provides several types of display filters:<br />
Manual Display Filters<br />
You can set Display filters manually in the Define Filter - Display dialog<br />
box. This dialog box is available by using the Display > Define Filter<br />
command. Then, you have full access to the standard Define Filter tabs<br />
described in Defining Filters and Triggers on page 219.<br />
Automatic Display Filters<br />
You can automatically populate the Define Filter - Display dialog box’s<br />
tabs with filter settings based on selected portions of the currently<br />
selected packet in the Decode tab. You do this by using the dropdown at<br />
the top of the Decode tab to specify which portion of the selected packet<br />
you want to use as a filter (for example, just the source IP address) and<br />
clicking the Define Display Filter button.<br />
See Using Automatic Display Filters on page 168.<br />
User’s <strong>Guide</strong> 167
Chapter 8<br />
168 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Quick Display Filters<br />
Quick Display Filters are similar to automatic display filters – they filter<br />
the active Decode tab based on selected portions of the currently<br />
selected packet in the Decode tab. The main difference is that they take<br />
effect immediately without displaying the Define Filter dialog box first.<br />
You set Quick Filters by using the dropdown at the top of the Decode tab<br />
to specify which portion of the selected packet you want to use as a filter<br />
(for example, just the source port) and clicking the Quick Filter button.<br />
NOTE: You set global options for how Quick Filters are applied in<br />
the Display > Display Setup > Packet Selection tab. These options<br />
specify to which packets Quick Filters should be applied (all or<br />
selected) and how results should be returned (by selecting/clearing<br />
packets in the active tab or by showing a new filtered tab at the<br />
base of the postcapture display window).<br />
Automatic Expert Filters<br />
You can also set automatic Expert filters that only display data<br />
associated with a particular network object, symptom, or diagnosis. You<br />
do this by displaying the Expert tab, selecting an object, symptom, or<br />
diagnosis and clicking the Display Filter button.<br />
See Setting Automatic Expert Display Filters on page 151.<br />
Using Automatic Display Filters<br />
You can automatically populate the Define Filter - Display dialog box’s<br />
tabs with filter settings based on selected portions of the currently<br />
selected packet in the Decode tab.<br />
To set an automatic display filter:<br />
1 In a Decode tab, select the packet to use as a filter source.<br />
2 Use the Automatic Filter Type Selection dropdown in the<br />
Decode toolbar to specify which portion of the packet you want to<br />
use as a filter (Figure 8-4).
Figure 8-4. Selecting the Automatic Filter Type<br />
You can select from the following options:<br />
Table 8-4. Automatic Filter Type Selection Options<br />
Connection<br />
IP Source Address<br />
IP Destination<br />
Address<br />
IP Addresses<br />
Source Port<br />
Destination Port<br />
Ports<br />
Source Application<br />
Destination<br />
Application<br />
MAC Addresses<br />
3 Click the Define Display Filter button .<br />
Displaying Captured Data<br />
Use both the source/destination IP<br />
addresses and source/destination ports as a<br />
filter.<br />
Use only the source IP address as a filter.<br />
Use only the destination IP address as a<br />
filter.<br />
Use both the source and destination IP<br />
addresses as a filter (traffic flowing between<br />
these two addresses only).<br />
Use only the source port as a filter.<br />
Use only the destination port as a filter.<br />
Use both the source and destination port as<br />
a filter.<br />
Use both the source IP address and port as<br />
a filter.<br />
Use both the destination IP address and port<br />
as a filter.<br />
Use the source and destination MAC<br />
addresses as a filter.<br />
User’s <strong>Guide</strong> 169
Chapter 8<br />
b<br />
170 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Define Filter - Display dialog box appears populated based on<br />
the specified portion of the selected frame (Figure 8-5). Notice that<br />
the settings already populated in this dialog box correspond to<br />
those shown in the selected packet in the Summary pane in Figure<br />
8-4.<br />
Figure 8-5. Define Filter - Display Dialog Box<br />
Note the following important points about the Define Filter - Display<br />
dialog box:<br />
You can change which parts of the selected frame are used for<br />
an automatic filter by clicking the dropdown at the top of the<br />
Define Filter dialog box (a in Figure 8-5) and selecting a<br />
different option.<br />
You can reset all Define Filter fields by clicking Reset.<br />
You can specify how the filter is applied and how results are<br />
returned using the Select matching, Clear selected, and<br />
Apply on selected set options (b in Figure 8-5). See Filtered<br />
Tabs or Marked Frames? on page 171 for details.<br />
4 When you have set the options in the Define Filter - Display dialog<br />
box as desired, click Apply to filter the active tab with your filter<br />
settings.<br />
a
Filtered Tabs or Marked Frames?<br />
Displaying Captured Data<br />
When you apply a display filter, the Sniffer examines the packets in the<br />
active tab, looking for matches. Then, it returns the matching packets,<br />
either in a new tab at the bottom of the display window (b in Figure 8-6),<br />
or by “selecting” all matching packets in the Summary pane (a in Figure<br />
8-6).<br />
“Selected” packets appear in the Summary pane with the boxes in the<br />
leftmost column checked. Additionally, if you’ve enabled the Highlight<br />
selected frames option in the Display Setup > Summary Display<br />
tab, selected frames will appear highlighted in the Summary pane.<br />
You specify how you would like matching packets returned in the Define<br />
Filter dialog box’s Summary tab (Figure 8-5 on page 170):<br />
If neither the Select matching nor Clear selected option is<br />
enabled, a new filter tab will appear each time you apply a display<br />
filter.<br />
If the Select matching option is enabled, the Sniffer will mark<br />
packets matching the filter in the currently active Decode tab.<br />
If the Clear selected option is enabled, the Sniffer will deselect<br />
packets matching the filter in the currently active Decode tab.<br />
NOTE: Quick filters provide this same functionality. However, for<br />
Quick filters, you set the Select matching option in the Display<br />
Setup dialog box’s Packet Selection tab. See Display Setup > Packet<br />
Selection Options on page 183 for details.<br />
The “Apply on Selected Set” Option<br />
You can also use the Apply on selected set option together with either<br />
the Select matching or Clear selected options to apply a filter to only<br />
a subset of the packets in the active Decode tab. When using the Apply<br />
on selected set option, you may want to use the Display > Select<br />
Range command to select a large set of packets quickly.<br />
User’s <strong>Guide</strong> 171
Chapter 8<br />
a<br />
172 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Figure 8-6. Selected Packets<br />
Using Quick Filters<br />
Quick Display Filters are similar to the automatic display filters described<br />
in Using Automatic Display Filters on page 168 – they filter the active<br />
Decode tab based on selected portions of the currently selected packet<br />
in the Decode tab.<br />
The main differences between Quick Filters and Automatic Display Filters<br />
are as follows:<br />
Quick Filters take effect immediately without displaying the Define<br />
Filter dialog box.<br />
The Select matching, Clear selected, and Apply on selected<br />
set options all work the same way for Quick Filters as they do for<br />
Automatic Display Filters, as described in Filtered Tabs or Marked<br />
Frames? on page 171. However, instead of using the Define Filter<br />
- Display dialog box to set these options, you set them globally for<br />
Quick Filters in the Display > Display Setup > Packet Selection<br />
tab (see Display Setup > Packet Selection Options on page 183).<br />
To set a Quick Filter:<br />
b<br />
1 In a Decode tab, select the packet to use as a filter source.
Displaying Captured Data<br />
2 Use the Automatic Filter Type Selection dropdown in the Decode<br />
toolbar to specify which portion of the packet you want to use as a<br />
filter (Figure 8-4).<br />
Figure 8-7. Selecting the Automatic Filter Type<br />
You can select from the same options available for Automatic<br />
Display Filters, as described in Table 8-4 on page 169.<br />
3 Click the Quick Filter button .<br />
The Sniffer sifts through the packets in the active tab, looking for<br />
matches. Then, it returns the matching packets, either in a new tab<br />
at the bottom of the display window (b in Figure 8-6 on page 172),<br />
or by “selecting” all matching packets in the Summary pane (a in<br />
Figure 8-6 on page 172). You choose which action the Sniffer takes<br />
by setting the options in the Display > Display Setup > Packet<br />
Selection tab (see Display Setup > Packet Selection Options on<br />
page 183).<br />
Combining Filter Components (“Add to Last Filter”)<br />
You can use the Add to Last Filter button to add a new filter<br />
component from the currently selected packet to the last filter used in<br />
the Define Filter dialog box.<br />
For example, if the last filter you created was based on the Source Port<br />
in the selected frame, you could add source and destination addresses<br />
to the same filter by setting the Automatic Filter Type Selection<br />
dropdown to IP Addresses and clicking the the Add to Last Filter<br />
button.<br />
To use the Add to Last Filter button:<br />
1 In a Decode tab, select the packet to use as a filter source.<br />
User’s <strong>Guide</strong> 173
Chapter 8<br />
174 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
2 Use the Automatic Filter Type Selection dropdown in the Decode<br />
toolbar to specify which portion of the packet you want to use as a<br />
filter (Figure 8-8).<br />
Figure 8-8. Selecting the Automatic Filter Type<br />
You can select from the same options available for Automatic<br />
Display Filters, as described in Table 8-4 on page 169.<br />
3 Click the Add to Last Filter button .<br />
The Sniffer displays the Define Filter dialog box with the specified<br />
component of the selected frame added to the last used filter<br />
definition. You can edit the settings in this dialog box, if necessary.<br />
When you are satisfied with the filter definition, click Apply to filter<br />
the active tab.<br />
Selecting Filters / Combining Multiple Filters<br />
You use the Display > Select Filter command to display a dialog box<br />
in which you can select display filters to apply. The dialog box lists all<br />
available filters, including:<br />
Capture filters. You can reuse your capture filters as display<br />
filters, if you like.<br />
Display filters. All display filters you have created are listed by<br />
name.<br />
You can either use a single listed filter or check the Multiple Filter Mode<br />
option and check the boxes for multiple filters.<br />
To select a display filter:<br />
1 Use the Display > Select Filter command.<br />
The Select Filter dialog box appears (Figure 8-9).
Figure 8-9. The Select Filter Dialog Box<br />
Displaying Captured Data<br />
2 Do you want to use a single filter or combine multiple filters from<br />
the list?<br />
Multiple Filter Mode. If you want to combine multiple filters<br />
from the list, enable the Multiple Filter Mode option. Then,<br />
check the boxes corresponding to the filters you want to use.<br />
Multiple filter mode allows you to select two or more display<br />
filters to apply in the Sniffer window. Select options from the<br />
list of available filters to create a single filter using<br />
combinations of existing filters. If you select a parent<br />
category, all the filters within the category are selected<br />
automatically. When the parent category is unselected, all<br />
the filters within the category are deselected.<br />
NOTE: When the combination filter is applied, it acts as an<br />
“OR” between the selected filters. Because of this, Multiple<br />
Filter Mode may return unexpected results when using Exclude<br />
filters (filters set to remove matching traffic). See Multiple<br />
Filter Mode and Exclude Filters on page 176 for details.<br />
Single Filter Mode. If you are using only a single filter, leave<br />
Single Filter Mode enabled and check the box corresponding to<br />
the filter you want to use.<br />
User’s <strong>Guide</strong> 175
Chapter 8<br />
176 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Single filter mode functions as a regular, single filter. With<br />
the Single Filter Mode option, you are limited to only one<br />
filter selection in the Select Filter dialog box. Selecting one<br />
filter automatically deselects the previously selected filter.<br />
Selecting a “parent” filter is not a valid filter. You must<br />
specify a single filter within the parent grouping.<br />
3 Use the Select matching, Clear selected, and Apply on<br />
selected set options to specify how the display filter will be applied<br />
and its results returned. See Filtered Tabs or Marked Frames? on<br />
page 171 and The “Apply on Selected Set” Option on page 171 for<br />
more information.<br />
4 Click OK to apply the selected filter(s) on the active Decode tab.<br />
Multiple Filter Mode and Exclude Filters<br />
When combining multiple filters in Multiple Filter Mode, Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> joins the filter with a logical OR rather than an AND.<br />
Because of this, joining multiple Exclude filters will always result in ALL<br />
packets passing the filter and being returned. Consider the following<br />
examples:<br />
Combing Include Filters in Multiple Filter Mode<br />
For example, suppose you set up the following filters:<br />
Filter 1 includes all packets of type A<br />
Filter 2 includes all packets of type B<br />
Combining these filters in Multiple Filter Mode and applying them to a<br />
trace file with packets of type A,B and C, will result in a filtered display<br />
with just packets of Type A and B.<br />
Combing Exclude Filters in Multiple Filter Mode<br />
Now, let’s apply the same logic to Exclude filters:<br />
Filter 1 excludes all packets of type A<br />
Filter 2 excludes all packets of type B<br />
Combining these filters in Multiple Filter Mode and applying them to a<br />
trace file with packets of type A,B and C, will result in a filtered display<br />
with packets of Type A, B, and C – all packets will pass the filter.<br />
This happens because the Exclude filters are joined with an OR condition<br />
between the filters. For a packet to be excluded from the filtered display,<br />
both the conditions must return FALSE. If even one condition returns<br />
TRUE, the packet gets included.
The Boolean logic for this is:<br />
Not (Filter A or Filter B) = Not Filter A AND Not Filter B.<br />
Displaying Captured Data<br />
Saving Sets of Filtered Frames / Creating New Windows<br />
You can save sets of filtered frames by selecting File > Save As with a<br />
filtered tab selected. A new window is created with the set of filtered<br />
frames in it, followed by the appearance of the Save As dialog box.<br />
When you use the Save As command on a set of filtered frames, the<br />
filtered frames in the new window are renumbered sequentially with new<br />
sequence numbers - the original sequence numbers are not preserved.<br />
You can also create new windows for filtered sets of frames by<br />
right-clicking a filtered tab and selecting the Create New Window<br />
command. A new postcapture window with just the filtered frames will<br />
appear.<br />
For a description of how to define a filter, see Defining Filters and<br />
Triggers on page 219.<br />
Setting Display Setup Options<br />
You can customize the way data is displayed in the decode display. You<br />
can:<br />
Exclude certain subprotocols from the summary pane (this is a<br />
more detailed control than a display filter).<br />
Set the summary address field format (network or hardware).<br />
Specify whether the two-station display format should be used.<br />
Select optional fields to be shown in the summary display.<br />
Color-code packets displayed in the summary pane based on their<br />
protocol.<br />
Select the font for the detail display.<br />
To set the display options:<br />
1 Select Display Setup from the Display menu. The Display Setup<br />
dialog tabs are summarized in the following table.<br />
User’s <strong>Guide</strong> 177
Chapter 8<br />
178 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 8-5. Display Setup Options<br />
Display Setup Tab Settings for...<br />
General Select which tabs show on the Display. You<br />
can show/hide the Expert tab and the post<br />
analysis tabs (Host Table, Matrix, Protocol<br />
Distribution, and Statistics). The Decode<br />
tab is always displayed. You can also set<br />
options that affect how fast data is<br />
decoded. See Display Setup > General<br />
Options on page 179.<br />
Summary Display Specify the symptoms and protocol detail<br />
in the Decode Summary pane. See Display<br />
Setup > Summary Display Options on<br />
page 180.<br />
Protocol Color Click here to change the colors used for<br />
protocols in the summary pane.<br />
Protocol Expand Click here to set each protocol’s display<br />
mode in the Detail pane to fully expanded<br />
or one-line summary.<br />
Decode Font Click here to change font type, style, and<br />
size for the text in the Decode display.<br />
Packet Selection Click here to specify whether or not you<br />
would like a new tab created when you are<br />
filtering in the Decode > Summary pane<br />
(Decode tab) or mark the selected packets<br />
in the Decode > Summary pane. See<br />
Display Setup > Packet Selection Options<br />
on page 183.
Display Setup > General Options<br />
Displaying Captured Data<br />
The Display > Display Setup > General tab contains options that can<br />
change the performance of Sniffer <strong>Portable</strong> <strong>Professional</strong>’s decodes when<br />
working with large buffers or trace files.<br />
In previous releases, when decoding a trace file or buffer, Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong>’s protocol interpreters would start by performing a<br />
prescan of the entire trace or buffer. For large trace files and buffers, this<br />
process could take a long time.<br />
To address this issue, Sniffer <strong>Portable</strong> <strong>Professional</strong> provides the option<br />
of a windowed approach. Using the windowed approach, Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> starts by prescanning a user-specified portion of the trace<br />
file or buffer. When moving from window to window within the buffer or<br />
trace file, the previous prescanned information will be cleared from<br />
memory so the new window can be scanned. This way, decoded<br />
information is available more quickly.<br />
You specify both whether to use the windowed approach and the size of<br />
the window to be used in the Display > Display Setup > General tab.<br />
Set the reassembly options as follows:<br />
Reassemble entire trace file— Enable this option if you would<br />
like to reassemble the entire trace file or buffer before displaying<br />
decoded data. Disable this option if you would like to reassemble<br />
the trace file in “chunks.”<br />
Reassembly window size — Use this option to specify the size<br />
(in terms of the number of frames) of the “chunk” to be<br />
reassembled and displayed. As you move between chunks, one<br />
chunk is cleared out and scan another is scanned.<br />
The default and minimum value for the Reassembly window size<br />
is 5000. This value is configurable, but it is recommended that you<br />
edit this value only if it is absolutely necessary.<br />
NOTE: When Frame Slicing is enabled on the Capture > Define<br />
Filter > Buffer tab, windowed reassembly is not supported.<br />
Enabling windowed reassembly and frame slicing can result in some<br />
minor display problems.<br />
User’s <strong>Guide</strong> 179
Chapter 8<br />
Display Setup > Summary Display Options<br />
180 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The following table summarizes the options you can set in the Display<br />
Setup > Summary Display tab.<br />
Table 8-6. Summary Display Options<br />
Show Expert symptoms If enabled, the Summary display shows<br />
the last symptom found (if any) for each<br />
frame.<br />
Show all layers If enabled, the Summary pane shows one<br />
line for each protocol level contained in a<br />
frame. If disabled, only one line (for the<br />
highest enabled protocol level) is shown.<br />
Show network address If enabled, the Summary pane shows<br />
addresses as network addresses. If<br />
disabled, the Summary pane shows<br />
addresses as hardware (DLC) addresses.<br />
Display vendor ID on MAC<br />
Address<br />
Resolve name on Network<br />
address<br />
Use Address Book to resolve<br />
name<br />
If enabled, the Summary pane shows<br />
vendor names for the first portion<br />
(manufacturer’s ID) of MAC addresses<br />
instead of numerical addresses.<br />
If enabled, the Summary pane shows<br />
names for network addresses instead of<br />
numerical addresses.<br />
If enabled, the Summary pane will<br />
substitute names for addresses for any<br />
stations that are named in the Address<br />
Book.
Table 8-6. Summary Display Options<br />
Displaying Captured Data<br />
Two-station format If enabled, splits the display into left and<br />
right panes, showing traffic between two<br />
stations.<br />
When you examine network activity, you<br />
often want to focus on traffic between a<br />
pair of stations. To do this, you can set up<br />
display filters that define the two stations<br />
and enable the Two-station format in<br />
the Summary Display tab.<br />
The two-station format shows transmission<br />
from one station (the station that was<br />
detected first) on the left side of the screen<br />
and transmissions from the other station<br />
on the right. The Source and Destination<br />
columns from the single station display are<br />
removed. Instead, there are two columns,<br />
title From xxx and From yyy. A frame<br />
from the station on the left is assumed to<br />
be addressed to the station on the right,<br />
and vice versa.<br />
If you do not set filters limiting the display<br />
of frames to two stations, Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> will display frames from<br />
additional stations in the usual format.<br />
Since this is inconsistent with the<br />
two-station format, it makes the feature<br />
less useful.<br />
Highlight selected frames If enabled, selected frames are highlighted<br />
in the Summary pane.<br />
User’s <strong>Guide</strong> 181
Chapter 8<br />
182 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 8-6. Summary Display Options<br />
Optional Fields • Status. Flags associated with a<br />
frame. See Packet Status Flags in the<br />
Summary Pane on page 185 for a<br />
description of the flags that can<br />
appear in the Status column.<br />
• Absolute time. When the frame was<br />
received.<br />
• Delta time. The interval between the<br />
current frame and the previous frame.<br />
• Relative time. The interval between<br />
the current frame and the marked<br />
frame.<br />
• (Len) Bytes. The frame’s length.<br />
• Cumulative bytes. The length of all<br />
frames, starting with the marked<br />
frame and including the current<br />
frame.<br />
Exclude protocols Checked protocols are excluded from the<br />
Decode tab. Click All to exclude all<br />
protocols or click None to include all<br />
protocols.
Display Setup > Packet Selection Options<br />
Displaying Captured Data<br />
Use the options in the Display Setup > Packet Selection tab (Figure<br />
8-10) to specify how Quick Filters are applied and how new tabs of<br />
filtered frames are named (the Filtered Tab Name option).<br />
Set the following options:<br />
Table 8-7. Packet Selection Tab Options<br />
Option Description<br />
Select Packets When this option is enabled, quick filters either<br />
select or clear matching packets in the active<br />
Decode tab, depending on whether Select<br />
Matching or Clear Selected is set.<br />
When this option is not enabled, quick filters return<br />
matching packets in a new tab of filtered packets.<br />
Select Matching When this option is enabled, quick filters select<br />
matching packets in the active Decode tab (check<br />
the boxes in the leftmost column of the Summary<br />
pane).<br />
Clear Selected When this option is enabled, quick filters clear the<br />
selection of matching packets in the active Decode<br />
tab.<br />
Apply on Selected<br />
Set<br />
When this option is enabled, quick filters are<br />
applied only to the currently selected packets in<br />
the active Decode tab.<br />
Filtered Tab Name Use this option to specify how new tabs of filtered<br />
frames are named. New tabs will be added using<br />
the name you specify here along with a sequence<br />
number.<br />
User’s <strong>Guide</strong> 183
Chapter 8<br />
184 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Figure 8-10. Display Setup > Packet Selection Options
Packet Status Flags in the Summary Pane<br />
Displaying Captured Data<br />
For most network topologies, the Status column in the Summary pane<br />
is empty if the packet is normal with no errors, symptoms, or diagnoses<br />
associated with it. The exceptions to this rule are as follows:<br />
For data captured from a wireless LAN, the Status column<br />
indicates the wireless LAN channel from which the packet was<br />
captured inside brackets. For example, an entry of [1] in the<br />
Status column indicates that the corresponding packet was<br />
captured from wireless LAN channel number 1.<br />
Otherwise, Table 8-8 lists the flags used in the Status column of the<br />
Summary pane. Note that any of the flags associated with error frames<br />
(CRC, Jabber, Runt, and so on) require an enhanced driver for detection<br />
and reporting.<br />
Table 8-8. Status Flags<br />
M Packet is marked. Mark a packet to return quickly to a<br />
particular spot in a decoded set of frames.<br />
A Packet was captured from Port A on the pod or adapter<br />
card.<br />
B Packet was captured from Port B on the pod or adapter<br />
card.<br />
# Packet has a symptom or diagnosis associated with it.<br />
Trigger Packet is an event filter trigger<br />
CRC CRC error packet with normal packet size<br />
Jabber CRC error packet with oversize error<br />
Runt Packet size is less than 64 bytes (including the 4 CRC<br />
bytes) but with valid CRC<br />
Fragment Packet size is less than 64 bytes (including the 4 CRC<br />
bytes) with CRC error<br />
Oversize Packet size is more than 1518 (including the 4 CRC bytes)<br />
but with valid CRC<br />
Collision Packet was damaged by a collision<br />
Alignment Packet length is not an integer multiple of 8 bits.<br />
User’s <strong>Guide</strong> 185
Chapter 8<br />
Searching for Frames in the Decode Display<br />
186 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Because the Decode display can include thousands and thousands of<br />
frames, it can be useful to search for particular frames. Using the<br />
Sniffer’s powerful search abilities, you can search for frames in the<br />
Decode display that match a text string, a certain data pattern, a certain<br />
status flag, or have an Expert symptom or diagnosis associated with<br />
them.<br />
NOTE: In addition to searching for frames, you can also advance to<br />
a particular frame in the Decode tab by specifying its number. Do<br />
this by selecting the Go to Frame command from the Display menu<br />
and supplying the frame number in the dialog box that appears.<br />
Use the Find Frame dialog box to search for frames. Display the Find<br />
Frame dialog box using any of the following commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu (activated<br />
by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
The Find Frame dialog box contains the following tabs:<br />
Text — The Text tab lets you search for frames containing a<br />
specified text string.<br />
Time — The Time tab lets you search for frames with specific text<br />
in the delta, relative, or absolute time fields.<br />
Data — The Data tab lets you search for frames containing a<br />
specified data pattern.<br />
Status — The Status tab lets you search for frames with a<br />
particular status flag.<br />
Expert — The Expert tab lets you search for frames with a<br />
particular associated Expert symptom or diagnosis.<br />
The following sections describe how to perform searches from each of<br />
these tabs.
Searching for Frames Matching Text Strings<br />
To search for packets matching a text string:<br />
Displaying Captured Data<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
2 Click the Text tab.<br />
3 Enter the text to search in the field provided. The dropdown list<br />
includes previously performed text searches.<br />
4 Specify in which portion of the Decode tab to search for the<br />
specified from the options provided.<br />
5 Specify whether the search is case-sensitive using the Match case<br />
option.<br />
6 Specify the search direction.<br />
7 Click OK. If the string is found, the frame containing the pattern<br />
will be displayed in the Decode Display. Press F3 to search for the<br />
next packet matching the same criteria.<br />
Figure 8-11. Text Tab of the Find Frame Dialog Box<br />
User’s <strong>Guide</strong> 187
Chapter 8<br />
Searching for Frames Matching Time Criteria<br />
188 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
To search for frames matching time criteria:<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
2 Click the Time tab. Search for packets with specific text in the<br />
Delta Time, Relative Time, or Absolute Time fields in the<br />
Summary pane here.<br />
To search for a value in the Delta Time field, enable the Delta<br />
Time option and supply the text to search for.<br />
To search for a value in the Relative Time field, enable the<br />
Relative Time option and supply the text to search for.<br />
To search for a value in the Absolute Time field, enable the<br />
Absolute Time option and use the dropdown fields to select<br />
the value to search for.<br />
NOTE: You can select any combination of values in the<br />
dropdown lists. Leaving a field blank will cause the search to<br />
accept any value for that field.<br />
3 Use the Up and Down fields to specify whether to search in an<br />
upward or downward direction from the currently selected frame.<br />
4 Use the Search Condition fields to specify which type of search<br />
you would like to perform, as follows:<br />
Simple Partial Search — A simple partial search will find any<br />
occurrence of the specified value anywhere within the<br />
specified field.<br />
Advanced Complete Search — An advanced complete<br />
search will find an exact match only.<br />
5 Click OK.
Figure 8-12. Time Tab of the Find Frame Dialog Box<br />
Displaying Captured Data<br />
User’s <strong>Guide</strong> 189
Chapter 8<br />
Searching for Frames Matching Data Patterns<br />
190 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can also search for data patterns by Searching for Data Patterns<br />
using a Pattern from a Known Packet.<br />
To search for frame matching specific data patterns:<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
2 Click the Data tab.<br />
3 From the Form dropdown list, specify whether to search for data<br />
from a packet, protocol, or either.<br />
4 In the Offset field, specify the offset at which to search for the<br />
specified pattern.<br />
5 From the Format field, specify the format in which the data to<br />
search for is specified.<br />
6 Click Up or Down to specify the search direction.<br />
7 Click OK.<br />
NOTE: If desired, click Reset to reset all the fields in the Data tab<br />
to start a new search.
Figure 8-13. Data Tab of the Find Frame Dialog Box<br />
Displaying Captured Data<br />
User’s <strong>Guide</strong> 191
Chapter 8<br />
Searching for Data Patterns using a Pattern from a Known<br />
Packet<br />
192 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
In addition to Searching for Frames Matching Data Patterns, the easiest<br />
way to search for a data pattern is to use a pattern from a known packet.<br />
To search for data patterns using a pattern from a known<br />
packet:<br />
1 Locate and highlight either:<br />
A packet in the Summary pane.<br />
A protocol field or a data pattern in the Detail pane.<br />
2 Open the Find Frame dialog box by selecting the Find Frame<br />
command from the Display menu (or from the context menu).<br />
3 Select the Data tab.<br />
If you selected a packet in the Summary pane, the Data tab<br />
will already contain some data from the selected packet.<br />
If you selected a protocol field or data pattern in the Detail<br />
pane, the Data tab will already contain the selected field or<br />
pattern.<br />
4 Set the From list box to Don’t Care.<br />
5 You can click the Set Data button to open the Set Data dialog box,<br />
containing a line-by-line decode of the selected packet.<br />
Figure 8-14. The Set Data Dialog Box<br />
6 Select a line from the Set Data dialog box and click OK.<br />
7 The data from the selected line is placed in the data pattern area<br />
of the Find Frame dialog box. Adjust the data and the length if<br />
necessary
Displaying Captured Data<br />
8 Click OK to start the search. If a pattern match is found, the packet<br />
containing the pattern will be displayed in the Decode Display.<br />
Press F3 to search for the next packet.<br />
Searching for Frames Matching Packet Status Flags<br />
To search for packets with a a particular Status flag:<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
2 Click the Status tab.<br />
3 Select the status flag(s) to search for.<br />
4 Click Up or Down to specify the search direction.<br />
5 Click OK. If a frame with one of the specified flags is found, the<br />
frame containing the will be displayed in the Decode Display. Press<br />
F3 to search for the next packet matching the same criteria.<br />
NOTE: Some Status flags require an enhanced driver to detect.<br />
Because Sniffer <strong>Portable</strong> <strong>Professional</strong> no longer includes enhanced<br />
drivers for Ethernet, searching for the corresponding Status flag will<br />
often produce no results.<br />
For descriptions of the various possible packet status flags, see Packet<br />
Status Flags in the Summary Pane on page 185.<br />
User’s <strong>Guide</strong> 193
Chapter 8<br />
194 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Figure 8-15. Status Tab of the Find Frame Dialog Box
Searching for Frames with Expert Alarms<br />
Displaying Captured Data<br />
To search for packets exhibiting a particular Expert symptom<br />
or diagnosis:<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
2 Click the Expert tab.<br />
3 Select the Expert alarm to search for from the dropdown list<br />
provided. The list includes each of the Expert alarms found<br />
somewhere in the currently displayed Decode tab.<br />
4 Click Up or Down to specify the search direction.<br />
5 Click OK. If a frame exhibiting the specified Expert alarm is found,<br />
the frame will be displayed in the Decode Display. Press F3 to<br />
search for the next packet matching the same criteria.<br />
Figure 8-16. Expert Tab of the Find Frame Dialog Box<br />
User’s <strong>Guide</strong> 195
Chapter 8<br />
Printing Decoded Packets<br />
196 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can print the decoded data packets in the Decode Display. You can<br />
print a line-by-line list of the packets in the Summary pane, a list of<br />
protocol fields in the Detail pane, the hex data in the Hex pane, or a<br />
combination of any of the three panes.<br />
To print decoded packets, select Print from the File menu to display the<br />
Print dialog box. Use this dialog box as follows:<br />
In the Print Range area, select the range of packets you want to<br />
print.<br />
In the Format area, select which panes (Summary, Detail, Hex)<br />
you want to print and whether to print the data in<br />
comma-separated values format for import into a spreadsheet<br />
application.<br />
If you enable the CSV Format and Print to file options, you may<br />
want to replace the default .PRN extension for printed output with<br />
a .CSV extension. The .CSV extension tells most spreadsheet<br />
applications (including MS-Excel) to expect comma-delimited data<br />
and import it accordingly (that is, with each comma-separated<br />
value in its own column).<br />
NOTE: If you open a CSV Format file saved with the default<br />
.PRN extension in MS-Excel, you will be prompted to supply<br />
the character used for the delimiter in the file. As you would<br />
expect when the CSV Format option is enabled, the delimiter<br />
used in the saved output file is a comma.<br />
Check the Print to File option to output the decoded data packets<br />
to a file.<br />
During printing, you can use the Abort Printing toolbar button or File<br />
> Abort Printing menu selection to abort the current print job.<br />
Changing the Format of Printed Summary Pane Data<br />
You can control which optional fields in the Summary pane are included<br />
in printed output, and what order they are printed in. Summary pane<br />
fields are printed in a "what you see is what you get" ("WYSIWYG")<br />
format -- columns in the pane are printed in the same order in which<br />
they are show in the Decode display. Because of this, you can use the<br />
following techniques to control the format of printed summary data:
Displaying Captured Data<br />
Use the Optional Fields list in the Summary Display tab of the<br />
Display > Display Setup dialog box to specify which optional<br />
fields are included in the Summary pane display. The only optional<br />
fields included in printed output will be those enabled in this list.<br />
However, printed output will always include the standard<br />
non-optional frame number, source address, destination address,<br />
and summary text fields.<br />
See Display Setup > Summary Display Options on page 180 for<br />
information on specifying optional fields for the Summary pane.<br />
Use standard drag-and-drop techniques to rearrange the columns<br />
in the Summary pane. Summary pane fields will be printed in the<br />
same order in which they are shown in the Decode display.<br />
NOTE: Although you can resize columns in the Summary pane<br />
display using standard click-and-drag techniques, columns in<br />
printed Summary pane output are automatically resized to<br />
accommodate the largest entry in a given column. This way, data is<br />
not inadvertently truncated in printed output.<br />
The Summary Field in Printed Summary Pane Data<br />
The Summary pane of the Decode Display always includes a Summary<br />
column. The data in this column provides a quick synopsis of the packet<br />
in question -- it's highest layer protocol, the frame type, any pertinent<br />
status flags, and so on. The width of the data in the Summary column<br />
can vary widely and is often much wider than the other columns in the<br />
Summary pane. Because of this, the Sniffer treats Summary column<br />
data as follows in printed output:<br />
When packets are printed with the CSV Format option enabled,<br />
the Summary column will be on the same line as the rest of the<br />
data for a given packet (Source Address, Dest Address, and so<br />
on).<br />
When packets are printed without the CSV Format option enabled<br />
(either to a printer or to a file), the Summary column will be on its<br />
own line immediately following a line containing the rest of the<br />
information for the packet (Status, Source Address, Dest<br />
Address, and so on, depending on the current selections in<br />
Display > Display Setup > Summary Display and your own<br />
drag-and-drop settings).<br />
User’s <strong>Guide</strong> 197
Chapter 8<br />
Using Protocol Forcing<br />
You can define up to four<br />
rules. Checked rules are<br />
enabled and applied to<br />
decoded data.<br />
198 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Protocol forcing is useful when capturing frames that use a mixture of<br />
standard and non-standard (for example, proprietary) protocols that the<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> might not otherwise be able to decode. For<br />
example, in some situations, networks may include standard IP data<br />
within a proprietary lower layer packet format unknown to the analyzer.<br />
Protocol forcing essentially lets you tell the analyzer “if you see this<br />
condition, skip this many bytes (to where the standard data is), then<br />
apply this protocol interpreter.”<br />
You specify protocol forcing rules in the Protocol Forcing tab of the<br />
Options dialog box, displayed by selecting the Options command from<br />
the analyzer's Tools menu (sample shown in Figure 8-17).<br />
Use the drop-down list to specify the protocol that should<br />
be used as the “force from” protocol. When the analyzer<br />
encounters the condition specified here, it will skip the<br />
number of bytes specified in the Skip x bytes field and<br />
apply the protocol interpreter specified in the Then field.<br />
Figure 8-17. Defining Protocol Forcing Rules<br />
Specify the number of<br />
bytes to skip once the “If”<br />
condition is detected.<br />
Use the drop-down list to<br />
specify the protocol that<br />
should be used as the<br />
“force to” protocol (that is,<br />
the protocol to be<br />
expected at the offset you<br />
specified in the Skip x<br />
bytes field).
Postcapture 802.11 Decryption<br />
Displaying Captured Data<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> can decrypt and decode 802.11 packets<br />
encrypted with either WPA/WPA2 or WEP both during and after capture.<br />
As described in Configuring Wireless Encryption Settings on page 56,<br />
you use the Tools > Wireless > Encryption options to configure the<br />
automatic decryption of encrypted data on wireless networks during<br />
capture. However, you can also perform decryption on trace files<br />
containing frames encrypted with a known WPA passphrase or WEP key<br />
set but not decrypted during capture. There are two ways to do this:<br />
Use the integrated decryption utility accessed from the Decode<br />
tab’s context menu.<br />
Use the standalone WLAN Decryption utility located at<br />
C:\Program Files\<strong>NetScout</strong>\Sniffer<br />
<strong>Portable</strong>\bin\WLANDecrypt.exe.<br />
Both approaches do the same thing – decrypt wireless data with supplied<br />
decryption keys. The major difference is that the standalone utility takes<br />
a trace file as input and outputs a decrypted trace file.<br />
To perform offline decryption of encrypted wireless data:<br />
1 Display the Decode tab of a trace file or capture buffer containing<br />
frames encrypted with a known WPA passphrase or WEP key set<br />
but not decrypted during capture.<br />
2 Right-click in the Summary, Detail, or Hex pane to activate the<br />
Decode tab’s context menu.<br />
3 Select Wireless Decryption to open the Select WEP - WPA<br />
Keys dialog box. A sample is shown in Figure 8-18.<br />
User’s <strong>Guide</strong> 199
Chapter 8<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> can decrypt<br />
both WPA/WPA2 and WEP encrypted<br />
packets simultaneously.<br />
Use these options to specify the<br />
keys to use for decryption of<br />
WEP-encrypted data. WEP is an<br />
early 802.11 encryption<br />
technology and is not as<br />
commonly seen as WPA-WPA2.<br />
Use these options to specify<br />
the passphrase used to<br />
decrypt data on different SSIDs<br />
(wireless networks).<br />
200 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Figure 8-18. Select WEP - WPA Keys Dialog Box<br />
Use the Select WEP-WPA Keys dialog box (Figure 8-18) to specify<br />
the WEP and/or WPA keys to be used for decrypting the data in the<br />
selected buffer or trace file.<br />
4 To specify new WEP keys for decryption, start by setting the WEP<br />
Key Entry Mode option to specify whether you want to enter the<br />
keys as either Hex or ASCII. Then, enter up to four separate<br />
encryption keys. For each key, do the following:<br />
a Specify the length of the key by selecting the appropriate<br />
option. Keys can be either None, 40-bit, or 128-bit. Use the<br />
None option if no encryption is used on the network.<br />
Depending on the length of the key specified, some or all of<br />
the adjacent fields become active, enabling you to specify the<br />
keys in use.<br />
b Specify the exact value for each key in the adjoining spaces<br />
provided.<br />
NOTE: The four encryption keys in use on a WEP-encrypted<br />
network are all typically the same length — either 40-bit or
128-bit.<br />
5 To specify new WPA-WPA2 keys for decryption:<br />
Displaying Captured Data<br />
a Turn on the encryption key by checking its On radio button.<br />
b Specify the SSID for the WPA/WPA2-encrypted network. This<br />
is typically a short string used to identify a wireless network<br />
(for example, labnet).<br />
c WPA/WPA2 encryption relies on a pre-shared passphrase for<br />
encryption. Enter the passphrase associated with this SSID.<br />
d Repeat Step a though Step c for each SSID you expect Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> to monitor.<br />
6 Click OK on the Select WEP-WPA Keys dialog box.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> attempts to use the specified keys to<br />
decrypt the data in the selected buffer or trace file and opens a new<br />
window with the results. If you specified the correct keys, the new<br />
window displays the newly-decrypted data. You can save the<br />
decrypted data to a new trace file using the usual File > Save<br />
command.<br />
IMPORTANT: Make sure the data to decrypt includes four<br />
EAPOL Exchange packets for each SSID/passphrase combo you<br />
have entered. You can obtain these packets by capturing the<br />
Client to AP association packets. If these EAPOL Exchange<br />
Packets are not present, the corresponding<br />
WPA/WPA2-encrypted packets cannot be decrypted.<br />
NOTE: An easy way to determine whether you have entered the<br />
correct WEP keys is to check for the presence of a large number of<br />
WEP-ICV Error Expert alarms. If there are an abnormally large<br />
number of these alarms, you probably have not entered the correct<br />
WEP keys for the encrypted data in the selected buffer or trace file.<br />
User’s <strong>Guide</strong> 201
Chapter 8<br />
Postcapture Matrix Tab<br />
202 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Matrix tab collects statistics for conversations between network<br />
nodes. For LANs, the matrix tab accumulates MAC, IP network, IP<br />
application, IPX network, and IPX transport-layer information. Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> also provides an additional 802.11 view for<br />
wireless LANs that allows you to concentrate on information specifically<br />
for wireless stations.<br />
You can view accumulated data as a traffic map, as a table, or as a bar<br />
or pie chart.<br />
The traffic map provides a birds-eye view of network traffic<br />
patterns between nodes. You can filter out unwanted traffic by<br />
unchecking certain protocols, or by selecting specific network<br />
nodes to display.<br />
The matrix tables display traffic count statistics for node pairs:<br />
The outline table provides a quick summary of total bytes and<br />
packets transmitted between pairs of network nodes.<br />
The detail table provides a quick summary of the higher layer<br />
protocol type and its traffic load transmitted in and out of each<br />
conversation node pair.<br />
You can sort a matrix table by clicking a column heading (for<br />
example, to sort the statistics by packets, click the Packets<br />
column heading). Click a second time to sort in reverse order.<br />
The bar chart displays the top 10 busiest conversation node pairs.<br />
The pie chart displays the top 10 busiest conversation node pairs<br />
as relative percentages of the total load of traffic.<br />
In all views, you can display conversation traffic at the link layer, MAC<br />
layer, or selectively view only the IP or IPX layers.<br />
In the table views, you can export the statistics for tabulation or<br />
charting.<br />
Figure 8-19 shows the Matrix display (bar chart view) and toolbar.
Select layer<br />
Traffic map view<br />
Detail table view<br />
Outline table view<br />
Pie chart view<br />
Bar chart view<br />
Figure 8-19. Matrix Display (Bar Chart View) and Toolbar<br />
Displaying Captured Data<br />
Sort criteria (bar and pie chart)<br />
Define visual filter<br />
Export data to<br />
spreadsheet<br />
(Table views only)<br />
Export data to<br />
HTML (Table<br />
views only)<br />
User’s <strong>Guide</strong> 203
Chapter 8<br />
More about the Matrix Traffic Map<br />
204 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The traffic map in the postcapture Matrix tab is a powerful tool that gives<br />
you a birds-eye view of the network traffic patterns captured in the<br />
packet buffer. It gives a complete graphical presentation of the traffic<br />
pattern between network nodes, as well as the type of protocol used for<br />
communications.<br />
To view the traffic map from the Packet Display:<br />
1 Select the Matrix tab on the bottom of the postcapture Display<br />
window. If you do not see the Matrix tab, make sure that the<br />
Show Post Analysis tabs option in the Display Setup dialog<br />
box’s General tab is enabled.<br />
2 Click the traffic map button. A traffic map showing conversation<br />
load and protocol type is displayed.<br />
To view traffic at a different layer:<br />
1 Open the drop-down list on the upper left corner of the traffic map.<br />
Select the layer at which you want to view traffic (for example, IP or<br />
IPX). A traffic map showing conversation load and protocol type at the<br />
selected layer is displayed.<br />
Using a Visual Filter in the Traffic Map<br />
The traffic map can be used to automatically define a filter. You can<br />
select stations and particular protocols that displayed on the traffic map<br />
and Sniffer <strong>Portable</strong> <strong>Professional</strong> will automatically configure a filter to<br />
match your selections.<br />
To use the Traffic Map to define a filter:<br />
1 Select the Matrix tab on the bottom of the postcapture Display<br />
window. If you do not see the Matrix tab, make sure that the<br />
Show Post Analysis tabs option in the Display Setup dialog<br />
box’s General tab is enabled.<br />
2 On the pull-down window, select the protocol suite. In the left<br />
column, select one or more sub-protocols to display.<br />
3 Highlight any network node(s) you want to filter for. To select more<br />
than one node, hold the Ctrl key down while you click additional<br />
nodes.
Displaying Captured Data<br />
4 Click the Define Filter button. Depending on the settings in the<br />
Display Setup dialog box’s Packet Selection tab, the Sniffer either<br />
marks all matching packets in the Decode tab (Select Packets ><br />
Select Matching) or creates a new Decode tab with just the<br />
filtered packets based on the network node and protocol selections<br />
you made.<br />
NOTE: For more information on the Packet Selection tab, see<br />
Display Setup > Packet Selection Options on page 183.<br />
Using the Matrix Map to Identify the Others Protocol Type<br />
The traffic map's capacity to create a visual filter provides an ideal way<br />
to investigate Others protocol types in the capture buffer. Others are<br />
protocols that do not fall into the protocol categories predefined by<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong>.<br />
To define a filter to select Other protocol packets to display in<br />
the Packet Display window:<br />
1 Select the Matrix tab on the bottom of the Packet Display window.<br />
2 Uncheck all protocols listed in the traffic map except the Others<br />
box.<br />
3 Click the Define Filter button. Depending on the settings in the<br />
Display Setup dialog box’s Packet Selection tab, the Sniffer either<br />
marks all matching packets in the Decode tab (Select Packets ><br />
Select Matching) or creates a new Decode tab with just the Other<br />
packets.<br />
NOTE: For more information on the Packet Selection tab, see<br />
Display Setup > Packet Selection Options on page 183.<br />
User’s <strong>Guide</strong> 205
Chapter 8<br />
Postcapture Host Table Tab<br />
206 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Host Table collects each network node’s traffic statistics. For LANs,<br />
the matrix tab accumulates MAC, IP network, IP application, IPX<br />
network, and IPX transport-layer information. Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> also provides an additional 802.11 view for wireless LANs<br />
that allows you to concentrate on traffic statistics specifically for wireless<br />
stations.<br />
You can view accumulated data as a table, bar chart, or pie chart.<br />
The table views display traffic count statistics for each network<br />
node.<br />
The outline table provides a quick summary of total bytes and<br />
packets transmitted in and out of each network node.<br />
The detail table provides a quick summary of the higher layer<br />
protocol type and its traffic load transmitted in and out of each<br />
network node.<br />
You can sort a host table by clicking a column heading (for<br />
example, to sort the statistics by incoming packets, click the In<br />
Pkts column heading). Click a second time to sort in reverse order.<br />
The bar chart displays the 10 busiest host nodes in real time.<br />
The pie chart displays the 10 busiest host nodes as relative<br />
percentages of the total load of traffic.<br />
In all views, you can display traffic at the link layer, MAC layer, or<br />
selectively view only the IP or IPX layers.<br />
In the table views, you can export the statistics for tabulation or<br />
charting.<br />
Figure 8-20 shows the Host Table display and toolbar.
Select MAC, IP,<br />
or IPX layer<br />
Click the plus (+)<br />
sign to see protocol<br />
information. Click<br />
the minus (-) sign to<br />
hide it.<br />
Outline table view<br />
Detail table view<br />
Bar chart view<br />
Sort criteria<br />
(Bar and Pie chart)<br />
Pie chart view<br />
Displaying Captured Data<br />
Export to HTML<br />
(Table views only)<br />
Export data to spreadsheet<br />
(Table views only)<br />
Figure 8-20. Host Table Display (Outline Table View) and Toolbar<br />
User’s <strong>Guide</strong> 207
Chapter 8<br />
Postcapture Protocol Distribution Tab<br />
208 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Protocol Distribution tab reports network usage based on the<br />
network-, transport-, and application-layer protocols. For example, you<br />
can monitor IPX/SPX, TCP/IP, NetBIOS, AppleTalk, DECnet, SNA,<br />
Banyan, and many other protocols.<br />
Protocol distribution monitors popular IP applications, such as NFS, FTP,<br />
Telnet, SMTP, POP2, POP3, HTTP (WWW), Gopher, NNTP, SNMP,<br />
X-Window, and others. It also monitors IPX transport-layer protocols<br />
such as NCP, SAP, RIP, NetBIOS, Diagnostic, Serialization, NMPI, NLSP,<br />
SNMP, and SPX.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> also provides an additional 802.11 view<br />
that allows you to view network usage by 802.11 frame types (for<br />
example, Association Requests, Probe Requests, Beacons, and so on).<br />
You can view the protocol distribution in a table, or as a bar or pie chart.<br />
You can also view the number and percentage of packets or bytes for a<br />
protocol.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> lets you export the protocol distribution<br />
data for tabulation or charting. To export data, the display must be in<br />
the table view.<br />
Figure 8-21 shows the Protocol Distribution display and toolbar.
Select MAC, IP,<br />
or IPX layer<br />
Table view<br />
Bar chart view<br />
Pie chart view<br />
Displaying Captured Data<br />
Display total number or<br />
percentage of bytes Export data to<br />
spreadsheet format<br />
(Table view only)<br />
Display total number or<br />
percentage of packets<br />
Export data to HTML<br />
(Table view only)<br />
Figure 8-21. Protocol Distribution Display (Pie Chart View) and Toolbar<br />
User’s <strong>Guide</strong> 209
Chapter 8<br />
Postcapture Statistics Tab<br />
Export data to<br />
spreadsheet<br />
210 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
For each capture session, statistical information is accumulated to help<br />
you analyze the network traffic during the capture period. A summary of<br />
this information is displayed in a table on the Statistics tab. The table<br />
displays:<br />
The date and time of the capture<br />
The amount of traffic seen during the capture period<br />
Utilization statistics<br />
You can export this information to a spreadsheet using the button.<br />
Figure 8-22 shows the Statistics display.<br />
Figure 8-22. The Statistics Display
Displaying Captured Data<br />
802.11 Information in the Postcapture Statistics Tab<br />
In addition to the standard counters in the Statistics tab, Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> adds a variety of wireless-specific statistics. These<br />
statistics are listed and described in Table 8-9 on page 211.<br />
Table 8-9. 802.11 Counters in the Statistics Tab (1 of 2)<br />
Counter Description<br />
802.11 Data Throughput The data rate (in bits per second) observed<br />
by Sniffer <strong>Portable</strong> <strong>Professional</strong> for this<br />
capture session. When calculating<br />
throughput, Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
only counts data frames. Management and<br />
control frames are not part of this<br />
calculation. However, the throughput<br />
measurement does include the header<br />
portions of data frames.<br />
802.11 Management Pkts The number of Management packets<br />
observed on the wireless LAN during this<br />
capture session.<br />
802.11 Control Pkts The number of Control packets observed on<br />
the wireless LAN during this capture session.<br />
802.11 Data Packets The number of data packets observed on the<br />
wireless LAN during this capture session.<br />
802.11 Mgmt Pkt Util Of the total number of MAC layer frames<br />
observed during this session, the percentage<br />
that were Management packets.<br />
802.11 Ctrl Pkt Util Of the total number of MAC layer frames<br />
observed during this session, the percentage<br />
that were Control packets.<br />
802.11 Data Pkt Util Of the total number of MAC layer frames<br />
observed during this session, the percentage<br />
that were Data packets.<br />
802.11 Retry Pkts The number of Retry packets observed on<br />
the wireless LAN during this capture session.<br />
Stations send retry packets when they<br />
receive no acknowledgment to a previously<br />
sent packet.<br />
802.11 WEP Pkts The number of packets observed on the<br />
wireless LAN during this capture session with<br />
the WEP bit in the Frame Control field set to<br />
true. This indicates that Wired Equivalent<br />
Policy encryption was used on the packet.<br />
User’s <strong>Guide</strong> 211
Chapter 8<br />
212 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Table 8-9. 802.11 Counters in the Statistics Tab (2 of 2)<br />
Counter Description<br />
802.11 Short PLCPs The number of Physical Layer Convergence<br />
Protocol (PLCP) protocol data units seen with<br />
the “short” preamble and header during this<br />
capture session. This form of PLCP PDU is<br />
used to achieve higher throughput and can<br />
support 5.5 and 11 Mbps transmission<br />
speeds.<br />
802.11 Long PLCPs The number of PLCP PDUs seen with the<br />
“long” preamble and header during this<br />
capture session. This form of PLCP PDU is<br />
compatible with legacy equipment from<br />
older wireless LANs and supports and<br />
operates at either 1 Mbps or 2 Mbps.<br />
Data Rate Counters These counters vary depending on the<br />
monitored network:<br />
• For 802.11b/g networks, there are<br />
separate counters for the number of<br />
frames sent at 1, 2, 5.5, 11, 6, 9, 12,<br />
18, 24, 36, 48, 54, 72, 108 Mbps.<br />
• For 802.11a networks, there are<br />
separate counters for the number of<br />
frames sent at 6, 9, 12, 18, 24, 36, 48,<br />
54, 72, and 108 Mbps.<br />
• For legacy 802.11b cards, the speeds<br />
remain at 1, 2, 5.5, 11 Mbps.<br />
NOTE: 802.11g is backward-compatible with<br />
802.11b, therefore the speed counters seen<br />
in 802.11b are also shown in 802.11g.<br />
802.11b and 802.11g share the same<br />
frequency band (2.4 GHz) and same number<br />
of channels (1-14). 802.11b goes from<br />
speeds 1 Mbps to 11 Mbps and 802.11g goes<br />
from speeds 1 Mbps to 54 Mbps. 802.11a<br />
and 802.11g share similar speeds (6, 9, 12,<br />
18, 24, 36, 48, 54, 72, and 108 Mbps – 72<br />
and 108 Mbps are proprietary<br />
implementations).
Working with Real-Time<br />
Decodes<br />
Overview<br />
9<br />
In addition to off-line or post-capture analysis, you can display protocol<br />
decodes in real-time as packets arrive. You do not have to stop a capture<br />
session to see protocol decodes.<br />
Real-time decodes are disabled by default. After launching Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong>, enable real-time decodes and set real-time<br />
decode options.<br />
See also:<br />
Enabling and Setting Real-time Decodes on page 213<br />
Viewing Real-time Decodes on page 214<br />
Scrolling Modes in Real-time Decodes on page 215<br />
Real-time Decode Display Limitations on page 216<br />
Enabling and Setting Real-time Decodes<br />
In addition to off-line or post-capture analysis, you can display protocol<br />
decodes in real-time as packets arrive. You do not have to stop a capture<br />
session to see protocol decodes. Real-time decodes are disabled by<br />
default when Sniffer <strong>Portable</strong> <strong>Professional</strong> is installed. Setting Real-time<br />
decode options includes specifying the refresh rate used in Live-Scroll<br />
mode.<br />
To enable real-time decodes:<br />
1 From the Tools menu, select Options, then click the Real-Time<br />
tab.<br />
2 Select the Real Time Decode option.<br />
3 Specify a refresh rate in the field provided. This rate is used in<br />
Live-Scroll Mode to jump to the new set of latest packets to decode<br />
at each defined interval. You can specify a rate between 1 and 60<br />
seconds.<br />
See Scrolling Modes in Real-time Decodes on page 215 for detailed<br />
information.<br />
User’s <strong>Guide</strong> 213
Chapter 9<br />
4 Click OK.<br />
214 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Real Time Decodes and the “When buffer is full” Option<br />
Real Time Decodes only work when the When buffer is full option in<br />
the Define Filter - Capture dialog box is set to Stop capture for the<br />
active capture filter.<br />
If the Real Time Decode option is enabled and the capture buffer is<br />
currently set to wrap (Wrap buffer is enabled), Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> will automatically change the setting of the option to Stop<br />
capture.<br />
After starting a new capture session, the Real-Time Decode window is<br />
displayed automatically. An example is shown in Figure 9-1 on page 215.<br />
Viewing Real-time Decodes<br />
Real-time decodes allow you to display protocol decodes in real-time as<br />
packets arrive. When enabled, you do not have to stop a capture session<br />
to see protocol decodes.<br />
To view real-time decodes:<br />
1 Ensure real-time decodes are enabled. See Enabling and Setting<br />
Real-time Decodes on page 213.<br />
2 Select Start from the Capture menu.<br />
3 The Decode window opens and the real-time decodes are displayed<br />
in the Summary pane as shown in the example in Figure 9-1 on<br />
page 215. Depending on the refresh interval specified, you might<br />
not see the decode information immediately.<br />
NOTE: Switch from Non-live to Live scrolling at any time using<br />
Ctrl + End, or clicking and .<br />
4 Select Stop from the Capture menu to stop the capture and the<br />
real-time decode data stream. Save the data to a trace file using<br />
traditional file saving methods if desired.
Figure 9-1. Real-time Decodes Window Example<br />
Scrolling Modes in Real-time Decodes<br />
Working with Real-Time Decodes<br />
Like the traditional Sniffer post-capture Decode window, the Real-time<br />
Decode window (Figure 9-1 on page 215) has three panes: Summary,<br />
Detail, and Hex. When Real-time decodes are enabled and new network<br />
packets come in, the Summary pane is updated.<br />
In Live scroll mode you see the network packets from top to bottom in<br />
the order they were received. When new packets come in, the Decode<br />
window automatically starts scrolling upward and older packets are<br />
removed from the Summary pane. The refresh interval rate is set in the<br />
Real-Time tab of the Options dialog box. See Enabling and Setting<br />
Real-time Decodes on page 213 for detailed information.<br />
When the Decode screen refreshes, the Summary pane displays the last<br />
set of network packets that were received in the interval period. Please<br />
note, if the Summary pane is limited to displaying 20 lines for 20 packets<br />
and the most recent interval period contained 500 packets, then the<br />
Summary pane displays packets 481 to 500. During the next interval,<br />
250 more packets are received. The Summary pane automatically<br />
updates and displays packets 731 to 750.<br />
User’s <strong>Guide</strong> 215
Chapter 9<br />
216 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
In Non-live scroll mode the Decode window does not automatically<br />
update. To view new packets, you have to manually scroll the Summary<br />
pane using the scrolling tools to the right of the pane.<br />
In either Live or Non-live scroll mode, the Detail and Hex panes show<br />
the first packet by default when the Real-Time Decode window opens.<br />
When you select a new packet in the Summary pane, the Detail and Hex<br />
panes are refreshed to display information specific to the selected<br />
packet.<br />
To switch between Real-time Decode scrolling modes:<br />
1 Ensure Real-time Decode is enabled. See Enabling and Setting<br />
Real-time Decodes on page 213.<br />
2 Start a capture session. This opens the Real-Time Decode window<br />
automatically.<br />
3 Switch from Live to Non-live scrolling in the Real-Time Decode<br />
window by clicking any summary line in the Summary pane, or<br />
moving the Summary pane scroll bar upward. You can do this at<br />
any time.<br />
4 You can also switch from Non-live to Live scrolling using Ctrl +<br />
End, or clicking Start scrolling and Stop scrolling . You<br />
can do this at any time.<br />
Real-time Decode Display Limitations<br />
When specifying Real-time decode options or viewing real-time decodes,<br />
please note the following:<br />
Capture to disk is not supported with Real-time decodes. If you<br />
have Capture to Disk selected as a capture option, the Real-Time<br />
Decode window is disabled.<br />
The Real-Time Decode window displays the Frame Number, Status,<br />
Source Address, Destination Address, Summary, Length, Delta<br />
Time, and Absolute Time columns, but these statistics are not<br />
user-configurable.<br />
Display setup items are not user-configurable in the Real-Time<br />
Decode window. The Real-Time Decode window will always display<br />
Show Network Address, the Display Vendor ID on the MAC address,<br />
and the Summary line for the last protocol layer.<br />
The Real-Time Decode window does not display Expert Symptoms,<br />
Two-Station Format, nor will the Window resolve the network name<br />
using the Address book.
Working with Real-Time Decodes<br />
The Find Frame, Go to Frame, Marking of Frame, and Select<br />
and Save Range tools are not available in the Real-Time Decode<br />
window.<br />
Display filters are not available in the Real-Time Decode window.<br />
Segmentation and Re-assembly analysis of network packets or<br />
frames is not supported in Real-time Decode mode.<br />
User’s <strong>Guide</strong> 217
Chapter 9<br />
218 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Defining Filters and Triggers<br />
Overview<br />
This section describes filters and triggers:<br />
10<br />
Use filters to select the particular traffic you need for your network<br />
analysis so that you can focus precisely on the data you need to<br />
troubleshoot network problems and minimize the size of files you<br />
collect for historical records.<br />
Use triggers to capture data while Sniffer <strong>Portable</strong> <strong>Professional</strong> is<br />
unattended, such as on off-hours or weekends. You can set triggers<br />
to start captures at specific times, or in response to specific events<br />
(for example, alarms).<br />
The section includes the following information:<br />
Defining Filters on page 220<br />
Using Filter Profiles on page 222<br />
Setting Filter Options in the Address Tab on page 225<br />
Setting Filter Options in the Port Tab on page 228<br />
Setting Filter Options in the Data Pattern Tab on page 230<br />
Setting Filter Options in the Advanced Tab on page 235<br />
Setting Filter Options in the 802.11 Tab on page 238<br />
Filtering from the Decode Window on page 240<br />
Sharing Filters between Systems and Products on page 241<br />
Defining Triggers on page 242<br />
Defined Filters vs. Automatic Filters<br />
There are two categories of filters:<br />
Defined filters. You can define address, port, protocol, and<br />
Boolean data pattern filters to select the particular traffic you need<br />
for your network analysis. By using filters, you can precisely focus<br />
on the data you need to troubleshoot network problems and<br />
minimize the size of files you collect for historical records.<br />
User’s <strong>Guide</strong> 219
Chapter 10<br />
220 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
In general, you work with Defined filters in the Define Filter dialog<br />
box. This section describes how to do that.<br />
Automatic filters. In some cases, filters are created automatically<br />
by Sniffer <strong>Portable</strong> <strong>Professional</strong> when you choose to view selected<br />
information. For example, you can single-out a particular station's<br />
conversations using the Visual Filter on the Matrix map display. You<br />
can also set automatic Expert Filters in many Expert window<br />
displays, as well as automatic Display filters from an active Decode<br />
tab.<br />
Automatic filters are described in the following sections:<br />
Automatic Display filters are described in Setting Display<br />
Filters on page 167.<br />
Expert filters are described in Setting Automatic Expert<br />
Display Filters on page 151<br />
Define Filter Options for Wireless Networks<br />
Defining Filters<br />
When using Sniffer <strong>Portable</strong> <strong>Professional</strong> with a wireless adapter, the<br />
Define Filter dialog box adds several wireless-specific filtering options:<br />
The Define Filter dialog box’s Advanced tab includes wireless LAN<br />
packet types on which you can filter (for example, PLCP Errors).<br />
See Filters for 802.11 Packet Types in the Advanced Tab on page<br />
237.<br />
The Define Filter dialog box also includes an 802.11 tab specifically<br />
for wireless LAN filtering. See Setting Filter Options in the 802.11<br />
Tab on page 238.<br />
In general, you work with filters in the Define Filter dialog box. The type<br />
of filter is determined by its use:<br />
When selecting what traffic to monitor, the filter becomes a<br />
monitor filter.<br />
When selecting what traffic to admit into the capture buffer, the<br />
filter becomes a capture filter.<br />
When selecting what data in the capture buffer to display, the filter<br />
becomes a display filter.
Defining Filters and Triggers<br />
When you define a filter, you give it a name (known as a Profile in the<br />
application displays). You then select a filter Profile to use as a monitor,<br />
capture, or display filter (depending on whether you choose the Select<br />
Filter command from the Monitor, Capture, or Display menu). To<br />
easily differentiate different kinds of filters, use a distinctive naming<br />
convention. See Using Filter Profiles on page 222 for details.<br />
To access the Define Filter dialog box:<br />
1 Select Define Filter from the Monitor, Capture, or Display<br />
menu.<br />
You can also click the button (located in many windows).<br />
The Define Filter dialog box lets you define capture filters to collect<br />
specific network information. When you first open the Define Filter<br />
dialog box, the Summary tab appears, summarizing the current<br />
settings for the selected filter. This tab also displays the buffer size and<br />
the buffer action (stop capture or overwrite older data when buffer is<br />
full).<br />
In addition to the Summary tab, some or all of the following tabs are<br />
available, depending on the type of network adapter in use:<br />
The Address tab lets you define filters to capture data transmitted<br />
between network nodes (or address pairs).<br />
The Port tab lets you filter traffic on IP or IPX ports.<br />
The Data Pattern tab lets you define filters that capture frames<br />
that match data patterns rules joined by AND/OR/NOT logical<br />
operators. Data pattern filters provide a generic method of defining<br />
and documenting filter conditions that can not be defined by the<br />
address and protocol filters.<br />
The Advanced tab tab lets you define filters that capture frames<br />
that belong to one or more protocol group(s). It also lets you set<br />
filters for frames falling in a specified size range and various<br />
protocol-specific frame types (for example, jabber packets on an<br />
Ethernet network).<br />
The Buffer tab lets you set various global options relating to the<br />
size of the capture buffer and what actions should be taken when<br />
the maximum size of the capture buffer is reached.<br />
You can also create filter profiles — saved combinations of one or more<br />
of the individual filters defined on the tabs listed above. See Using Filter<br />
Profiles on page 222 for details.<br />
User’s <strong>Guide</strong> 221
Chapter 10<br />
Using a Defined Filter<br />
Using Filter Profiles<br />
222 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You apply a named filter to one of four filter points in Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> to select the information you want. The filter points are,<br />
monitor, capture, display, and event.<br />
When you apply a filter to the monitoring process, it is called a<br />
monitor filter. It selects what information will be included in<br />
monitor statistics.<br />
When you apply a filter to a capture, it is called a capture filter. A<br />
capture filter allows only certain frames or certain portions of<br />
frames to be saved in the capture buffer. It also defines the size of<br />
the capture buffer and what to do when the buffer is full.<br />
When you apply a filter to the Packet Display, it is called a display<br />
filter. The display filter lets you select what packets you want to<br />
display. A display filter does not affect the contents of the capture<br />
buffer. It just prevents some of the data from being displayed.<br />
When you apply a filter to a capture trigger definition, it is called<br />
an event filter. You use a trigger to automatically start or stop<br />
captures based on network events and other parameters.<br />
Tip: Implement a naming convention for your filters. Some of the<br />
named filters you define will be specifically designed for a particular<br />
purpose, for example, as a display filter or as a capture filter. To easily<br />
identify different kinds of filters in your filter list, use a distinctive<br />
naming convention.<br />
For example, you could begin each filter name with a single-letter<br />
descriptor:<br />
C-name for capture filters<br />
D-name for display filters<br />
M-name for monitor filters<br />
T-name for trigger event filters<br />
Creating precise filter definitions can be a time-consuming process.<br />
Filter profiles provide a means to save your carefully crafted filter<br />
definitions for later use. A filter profile is a set of one or more individual<br />
filters defined on the various tabs in the Define Filter dialog box<br />
(Address, Port, Data Pattern, Advanced, Buffer, and so on).
Defining Filters and Triggers<br />
For example, suppose you are only interested in IP traffic to and from a<br />
particular router. You could create a special filter profile that combined<br />
an Address filter on the router’s IP address, as well as an Advanced<br />
filter on IP protocol traffic. Then, whenever you needed to use this<br />
combination of filters, you could simply select the saved filter profile<br />
from the Select Filter dialog box.<br />
NOTE: If you need to see which individual filters make up a filter<br />
profile, select the Define Filter command and then select the entry<br />
for the filter profile in the Settings For pane of the Define Filter<br />
dialog box. The Summary tab of the Define Filter dialog box will<br />
show you a quick summary of the various individual filters making<br />
up the selected profile.<br />
Creating a Filter Profile<br />
Each time you create a new filter, be sure to start by clicking the<br />
Profiles button in the Define Filter dialog box. Then, click the New<br />
button to open a dialog box in which you can give your filter profile a<br />
name.<br />
Once you have named a filter profile, it will appear in the Settings For<br />
pane of the Define Filter dialog box, allowing you to fine tune the settings<br />
for the filter. In addition, the filter will also appear in the Select Filter<br />
dialog box, allowing you to apply it to a given monitoring, capture, or<br />
decode session whenever you like.<br />
To create a filter profile:<br />
1 Select the Define Filter command from either the Monitor,<br />
Capture, or Display menu (depending on the type of filter you<br />
would like to create).<br />
2 Click Profiles.<br />
The Capture Profiles dialog box appears, listing the filter profiles<br />
already defined.<br />
3 Click New.<br />
4 In the New Capture Profile dialog box, supply a name for the filter<br />
in the field provided.<br />
You can also copy the settings for this filter from either an existing<br />
defined profile (Copy Existing Profile option) or from an existing<br />
sample (Copy Sample Profile option).<br />
5 Click OK.<br />
User’s <strong>Guide</strong> 223
Chapter 10<br />
224 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
6 Click Done in the Capture Profiles dialog box.<br />
The filter appears in the Settings For pane of the Define Filter<br />
dialog box. At this point, you can fine tune the settings for this filter<br />
in the other tabs of the Define Filter dialog box (Address, Port,<br />
Data Pattern, Advanced, and so on).<br />
Starting Capture Directly from the Define Filter - Capture<br />
Dialog Box<br />
Start capture directly<br />
from the Define Filter<br />
dialog using this button.<br />
In contrast to previous Sniffer <strong>Portable</strong> <strong>Professional</strong> releases, you can<br />
now start a capture directly from the Define Filter - Capture dialog box<br />
with the currently selected filter in place. This way, you don’t have to go<br />
through the intermediate step of accepting your filter and then clicking<br />
the Start Capture button (although you still can, if you want to!).<br />
To start capture directly from the Define Filter - Capture<br />
dialog box:<br />
1 Select Define Filter from the Capture menu.<br />
You can also click the button in the Capture toolbar.<br />
2 Use the tabs in the Define Filter - Capture dialog box to set up the<br />
capture filter.<br />
3 When you have finished setting up the filter, click the Start<br />
Capture button at the lower left of the dialog box (Figure 10-1).<br />
Figure 10-1. Starting Capture from the Define Filter - Capture Dialog Box
Setting Filter Options in the Address Tab<br />
Defining Filters and Triggers<br />
Use the options on the Address tab of the Define Filter dialog box to set<br />
up a filter to capture or display packets between up to ten pairs of<br />
network nodes by their addresses.<br />
To set an Address filter:<br />
1 Click the Address tab from the Define Filter dialog box.<br />
2 Use the Address Type drop-down list to specify the type of<br />
address on which you want to filter.<br />
3 Use the Mode field to specify whether you want to Include or<br />
Exclude the specified traffic.<br />
4 The Known Address box includes addresses already known to<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> (including those in your Address<br />
Book). You can click and drag addresses from the Known Address<br />
box into the Station 1 or Station 2 fields to filter on these<br />
addresses. If you do not want to click and drag known addresses,<br />
you can also manually add addresses by placing your cursor in the<br />
appropriate field and typing the address.<br />
NOTE: You can use a wild card symbol (*) in the third or<br />
fourth octet of the address in Station 1 and Station 2. For<br />
example, manually enter 10.20.*.* when IP is selected as<br />
Address Type. If you have selected Hardware as the<br />
Address Type, enter hardware addresses in the Station 1<br />
and Station 2 fields as desired. Example: 0050da*.<br />
5 You can use the adjacent / column to enter a subnet mask in CIDR<br />
format. See Using CIDR Bit-Count Netmasks in the Address Tab on<br />
page 226 for more information on this format.<br />
6 Once you have specified the address pair on which you want to<br />
filter, click the Dir button to specify in which directions you want to<br />
capture traffic (from Station 1 to Station 2, from Station 2 to<br />
Station 1, or in both directions).<br />
7 Click OK.<br />
Figure 10-2 shows the Address tab of the Filter Settings dialog box.<br />
User’s <strong>Guide</strong> 225
Chapter 10<br />
Drag and drop a symbolic address from the Known Address list<br />
into the Station 1 or Station 2 fields. Known addresses come<br />
from Broadcast Addresses, the Host Table, or the Address Book.<br />
Define the address as either<br />
a network hardware address<br />
(6 bytes in hexadecimal<br />
value) or a network IP or IPX<br />
address (4 octets).<br />
Select to include or exclude<br />
packets that match the<br />
address specification.<br />
Start capture directly<br />
from the Define Filter<br />
dialog using this button.<br />
226 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Specify an<br />
optional<br />
subnet mask in<br />
CIDR format.<br />
Figure 10-2. Setting Address Filters<br />
First, click to name the new filter.<br />
Select which direction the traffic flows<br />
by setting the Dir option.<br />
Using CIDR Bit-Count Netmasks in the Address Tab<br />
You can also just<br />
type in an address<br />
manually.<br />
The Address tab lets you enter subnet masks in the Classless<br />
Inter-Domain Routing (CIDR) scheme. CIDR uses a standard 32-bit IP<br />
address with a short-hand version of the decimal netmask called a bit<br />
count. For example, in the CIDR address 192.168.40.250 with a<br />
netmask of 255.255.255.0, 24 is the number of bits in the netmask. So<br />
the IP address and netmask can be written as 192.168.40.250/24.<br />
If you don’t know your CIDR netmask, you can use Figure 10-3 to<br />
convert your subnet mask to a CIDR bit count mask.
T<br />
CIDR Bit<br />
Count<br />
/32<br />
/31<br />
/30<br />
/29<br />
/28<br />
/27<br />
/26<br />
/25<br />
/24<br />
/23<br />
/22<br />
/21<br />
/20<br />
/19<br />
/18<br />
/17<br />
/16<br />
/15<br />
/14<br />
/13<br />
/12<br />
/11<br />
/10<br />
/9<br />
/8<br />
/7<br />
/6<br />
/5<br />
/4<br />
/3<br />
/2<br />
/1<br />
/0<br />
Equivalent Standard<br />
Netmask<br />
255.255.255.255<br />
255.255.255.254<br />
255.255.255.252<br />
255.255.255.248<br />
255.255.255.240<br />
255.255.255.224<br />
255.255.255.192<br />
255.255.255.128<br />
255.255.255.0<br />
255.255.254.0<br />
255.255.252.0<br />
255.255.248.0<br />
255.255.240.0<br />
255.255.224.0<br />
255.255.192.0<br />
255.255.128.0<br />
255.255.0.0<br />
255.254.0.0<br />
255.252.0.0<br />
255.248.0.0<br />
255.240.0.0<br />
255.224.0.0<br />
255.192.0.0<br />
255.128.0.0<br />
255.0.0.0<br />
254.0.0.0<br />
252.0.0.0<br />
248.0.0.0<br />
240.0.0.0<br />
224.0.0.0<br />
192.0.0.0<br />
128.0.0.0<br />
0.0.0.0<br />
Figure 10-3. CIDR Netmask Conversion Table<br />
Defining Filters and Triggers<br />
User’s <strong>Guide</strong> 227
Chapter 10<br />
Setting Filter Options in the Port Tab<br />
228 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can filter by a specific IP or IPX port.<br />
NOTE: If Hardware is selected as the Address Type in the Address<br />
tab of the Define Filter dialog box, all fields in the Port tab of the<br />
Define Filter dialog box are disabled. By default, IP is selected as<br />
the Address Type when you open the Define Filter dialog box.<br />
To filter by a specific port:<br />
1 Select the Define Filter command from either the Monitor,<br />
Capture, or Display menu (depending on the type of filter you<br />
would like to create).<br />
2 Click the Address tab and ensure IP or IPX is selected as the<br />
Address Type. If Hardware is the selected Address Type, all fields<br />
of the Port tab are disabled.<br />
3 Click the Port tab.<br />
4 An expandable tree displays known ports. Known ports include<br />
ports already known to Sniffer <strong>Portable</strong> <strong>Professional</strong> (including<br />
those in your Address Book). The list is dependent on the Address<br />
Type selected in the Address tab of the Define Filter dialog box. If<br />
IP is selected, the list displays known IP ports. If IPX is selected,<br />
the list displays known IPX ports.<br />
NOTE: Filtering by TCP or UDP ports is not supported.<br />
5 Enter a port number in the Port 1 or Port 2 field by dragging and<br />
dropping a known port from the list above into the desired field.<br />
You can also manually add ports by placing your cursor in the<br />
appropriate field and typing.<br />
You can enter multiple ports by separating entries with a<br />
comma (for example, 23,25).<br />
You can enter a range of ports by using a hyphen. For<br />
example, you can specify ports 23, 24, 25, and 26 by entering<br />
23-26 in the Port field.<br />
IMPORTANT: Multiple ports and/or a range of ports are only<br />
supported on one side of a port pair. If you use multiple ports
Defining Filters and Triggers<br />
on one side of the port pair the only options allowed on the<br />
other side are ANY or a single port.<br />
6 Once you have specified the ports on which you want to filter, click<br />
the Dir button to specify in which directions you want to capture<br />
traffic (from Station 1 to Station 2, from Station 2 to Station 1, or<br />
in both directions).<br />
7 Click OK.<br />
User’s <strong>Guide</strong> 229
Chapter 10<br />
Setting Filter Options in the Data Pattern Tab<br />
230 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Use the Data Pattern tab to define a filter that will only capture or<br />
display packets that match a data pattern you specify. A data pattern<br />
filter can be simple, consisting of a single data pattern, or very<br />
sophisticated, involving multiple data patterns connected by Boolean<br />
operators AND, OR, and NOT.<br />
NOTE: A complex filter is limited to no more than 20 Boolean<br />
operators and data patterns.<br />
A data pattern is:<br />
A particular sequence of bits<br />
The length of the sequence<br />
Its offset position within the packet<br />
The maximum data pattern length is 32 octets. You can specify the<br />
offset from the beginning of the packet or from the protocol boundary.<br />
You can copy the data pattern for your filter from the display decode<br />
screen. To do this, select the packet before you invoke the define filter<br />
function. In the Data Pattern tab, select Add Pattern, then Set Data.<br />
This copies the data field from the selected packet into the data pattern<br />
fields, and calculates the offset and length. In addition, you can use the<br />
selected pattern as a template, editing it in the display to suit your<br />
needs.<br />
To construct a complex data pattern filter, link data patterns using<br />
Boolean operators. The result is displayed in a tree-like diagram on the<br />
Data Pattern tab.<br />
The Data Pattern tab displays the work space for creating your filter,<br />
and displays the current data pattern equation. The buttons below the<br />
display control the process of defining the Boolean expression and data<br />
patterns.<br />
Figure 10-4 shows the Data Pattern tab of the Filter Settings dialog<br />
box.
Click to create a<br />
new Boolean<br />
Operator AND/OR<br />
Click to create a<br />
new data pattern.<br />
You can use the<br />
selected packet in<br />
the Decode<br />
display as a<br />
template.<br />
Start capture directly<br />
from the Define Filter<br />
dialog using this button.<br />
Click to toggle the<br />
selected Boolean operator<br />
between AND and OR<br />
Creates a NOT operator<br />
Click to modify the<br />
data pattern<br />
Figure 10-4. Setting Data Pattern Filters<br />
Defining Filters and Triggers<br />
Evaluates the Boolean<br />
equation immediately. If the<br />
equation is incomplete, an<br />
error message is generated.<br />
Click to turn on or off the<br />
NOT operator<br />
Click to delete the selected Boolean<br />
operator or data pattern. (If the operator<br />
has child operators or data patterns,<br />
they will be deleted with the parent.<br />
User’s <strong>Guide</strong> 231
Chapter 10<br />
Add or Edit Pattern Dialog Box<br />
232 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
The Add or Edit Pattern dialog box (Figure 10-5, below) appears when<br />
you click the Add Pattern or Edit Pattern buttons on the Data Pattern<br />
tab of the Define Filter dialog box (Figure 10-4 on page 231). Use this<br />
dialog box to define a specific data pattern to filter.<br />
Keep the following in mind when adding or editing a data pattern filter:<br />
Use the From: and Format: fields to identify the type of data you<br />
would like to use for the data pattern.<br />
Check the Variable Offset option to search for the data pattern<br />
you define, starting at byte 0 until the pattern is matched or has<br />
reached the end of the frame. With this option enabled, you do not<br />
have to define the fixed offset data pattern.<br />
If Variable Offset is not selected, designate an Offset value in the<br />
field provided. This option is useful when you are reasonably sure<br />
the pattern falls between a specific start and end offset.<br />
Specify the End Offset (hex) in the field provided.<br />
Enter the pattern in row 1 and 2.<br />
The easiest way to add patterns is to select a packet in the Decode<br />
tab before you click Define Filter. When you do it this way, the<br />
selected packet will appear in the Edit Pattern dialog box, allowing<br />
you to populate your pattern with information from the selected<br />
packet (Figure 10-5).<br />
Figure 10-5. Add or Edit Pattern Dialog Box
More on Data Pattern Filters<br />
Defining Filters and Triggers<br />
A data pattern filter can be created from a single data pattern or from<br />
multiple data pattern definitions that are connected together by<br />
AND/OR/NOT Boolean operators. A complex filter can contain no more<br />
than 20 Boolean operators and data patterns.<br />
A data pattern is defined by a particular sequence of bits, the length of<br />
these bits, and the pattern's offset position within the packet. You have<br />
the option of specifying the offset from the beginning of the full packet<br />
or from the first level protocol boundary. The maximum data pattern<br />
length is 32 octets.<br />
The beginning octet location of a protocol boundary from the packet may<br />
vary depending upon the media type, (Ethernet), or the DLC format<br />
(Ethernet II, 802.2, 802.2 SNAP) it uses. IPX protocol is a good example.<br />
It starts from offset byte 14 in an Ethernet II-type packet, but from byte<br />
17 in an 802.2-type packet. Since Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
recognizes various DLC format types and is able to mark the protocol<br />
boundary correctly, using the protocol layer boundary as a starting<br />
location for calculating the offset allows you to capture protocol packets<br />
with a pattern filter from different network media or with different DLC<br />
formats.<br />
To facilitate the definition of a data pattern, Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
allows you to 'copy' the data pattern of your choice from a known<br />
packet. To do this, you must be in the packet decode viewer, and have<br />
selected a particular packet before you invoke the Define Filter profiler.<br />
Use Add Pattern/Set Data in the Data Pattern tab to copy a known data<br />
field from the decoded packet into the data pattern fields. This will<br />
automatically calculate the offset and length, fill the data pattern, and<br />
suggest a default field name.<br />
Use AND/OR/NOT Boolean operators to construct a complex data<br />
pattern filter. The result is displayed in a tree-like diagram to show the<br />
logical relationships.<br />
The best way to learn how to construct a Boolean Data Pattern filter is<br />
to start from a simple data pattern filter. The first step is to write down<br />
the logical relationships in a Boolean equation. Next, clarify the Boolean<br />
operation's precedence by using parenthesis liberally, so that the final<br />
equation can be constructed using a binary-tree diagram.<br />
The following example demonstrates how to construct the sample filter,<br />
My Subnet. (My Subnet is also listed in the sample Boolean Data Pattern<br />
filters supplied in Sniffer <strong>Portable</strong> <strong>Professional</strong> capture profiles.)<br />
Suppose that you want to capture all IP traffic except traffic to and from<br />
subnet 36.56.0. The first step is to write down a data pattern Boolean<br />
equation that represents this operation:<br />
Not (Src Subnet 36.56.0 OR Dest Subnet 36.56.0)<br />
User’s <strong>Guide</strong> 233
Chapter 10<br />
234 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
If you already have a capture packet file that contains this subnet<br />
address, you should open this file and select the packet containing the<br />
source subnet address 36.56.0. This will substantially ease the data<br />
entry operation later, when you define the data pattern for the subnet<br />
35.56.0.<br />
Next, start defining the data pattern filter by following these steps:<br />
1 From the main toolbar, click to open the Define Filter dialog<br />
box.<br />
2 Click the Profiles button to open the Capture Profiles dialog box.<br />
3 Click the New button. Enter new profile name for example, My<br />
Subnet. Click OK.<br />
4 Click the Done button to close the Capture Profiles dialog box.<br />
5 Click the Advanced tab.<br />
6 Select IP from the Available Protocols list box. This will filter out any<br />
non-IP packets that might have the same data pattern.<br />
7 Click the Data Pattern tab. A default AND operator is displayed.<br />
8 Click the Add NOT button to create a NOT operator.<br />
9 From the newly created NOT line, click the Add AND/OR to create<br />
a new AND child operator linked to the NOT operator.<br />
10 Click the Toggle AND/OR button to change the AND to OR.<br />
11 From the OR line, click the Add Pattern button to invoke the Edit<br />
Pattern dialog box.<br />
12 Scroll the detail decode window to locate the IP source address<br />
containing subnet 35.56.0 and highlight the field.<br />
13 Select Protocol in the From list box. This will tell Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> to calculate the source IP address offset from the<br />
beginning of the IP protocol data packet.<br />
14 Click the Set Data button to tell Sniffer <strong>Portable</strong> <strong>Professional</strong> to fill<br />
in the source IP address field.<br />
15 Change Len (length of subnet) from 4 to 3, and delete the 4th octet<br />
from the data pattern field.<br />
16 Edit the Name field to Src Subnet 36.56.0.<br />
17 Click OK. A new data pattern Src Subnet 36.56.0 is created and<br />
connected to the OR operator.<br />
18 Click the OR operator again to select it.<br />
19 Click Add Pattern to open another Edit Pattern dialog box.
Defining Filters and Triggers<br />
20 Click Set Data to tell Sniffer <strong>Portable</strong> <strong>Professional</strong> to fill in a dummy<br />
data pattern (a placeholder) for the Dest Subnet and click OK.<br />
21 Click OK again in the Define Filter dialog box to save the filter.<br />
22 Select the next packet containing the destination IP subnet address<br />
from the Packet Display.<br />
23 From the main toolbar, click to open the Define Filter dialog<br />
box for My Subnet.<br />
24 Click the Data Pattern tab to display the Data Pattern filter<br />
defined so far.<br />
25 Highlight the second PAT (this was the placeholder created<br />
previously) and click Edit Pattern to open the Edit Pattern dialog<br />
box.<br />
26 Scroll the detail decode window to locate the IP destination address<br />
containing subnet 35.56.0. Highlight the field.<br />
27 Select Protocol in the From list box. This will tell Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> to calculate the destination IP address offset from the<br />
beginning of the IP protocol data packet.<br />
28 Click the Set Data button to tell Sniffer <strong>Portable</strong> <strong>Professional</strong> to fill<br />
in the source IP address field.<br />
29 Change Len (length of subnet) from 4 to 3, and delete the 4th octet<br />
from the data pattern field.<br />
30 Edit the Name field, so it shows Dest Subnet 36.56.0.<br />
31 Click OK. A second data pattern Dest Subnet 36.56.0 is created<br />
and connected to the OR operator.<br />
32 Click Evaluate. The resulting operation Not (Src Subnet 36.56.0<br />
OR Dest Subnet 36.56.0) is shown on the top line.<br />
33 Click OK to save the filter.<br />
Setting Filter Options in the Advanced Tab<br />
Use options on the Advanced tab to define a filter based on packet size,<br />
protocol type, or error type.<br />
You can specify packets that are equal to, greater than, or less than a<br />
specific packet size, or in a range or outside of a range of packet sizes.<br />
You can select one or more protocols or subprotocols to act as a filter. If<br />
the packet matches one of the selected protocol types, it will pass<br />
through the filter. (If no protocol is selected, Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> captures all protocol types.)<br />
User’s <strong>Guide</strong> 235
Chapter 10<br />
Specify one or more<br />
network protocols on<br />
which to filter. All<br />
network protocols with<br />
a checkmark will be<br />
included.<br />
Start capture directly<br />
from the Define Filter<br />
dialog using this button.<br />
236 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
If a protocol you need is not defined in the protocol list, you can define<br />
your own protocol filter using the data pattern filter controls.<br />
NOTE: Selecting or deselecting a parent protocol (a protocol with a<br />
+\- sign adjacent to its entry in the list) automatically selects or<br />
deselects all of its child protocols. For example, selecting the IP<br />
entry automatically selects each of the sub-protocol entries in the<br />
IP family (TCP, UDP, and so on). You can still select and deselect<br />
individual sub-protocols manually; this shortcut simply provides<br />
you with a means of selecting or deselecting entire protocol families<br />
quickly.<br />
Not all protocols in the list are supported by the Expert. For a list of<br />
currently supported protocols for Expert, see the online Help.<br />
Packet Types filters for error packets require an enhanced driver for<br />
detection. Because Sniffer <strong>Portable</strong> <strong>Professional</strong> does not support<br />
enhanced drivers for Ethernet or WLAN on Vista, these filters will not<br />
typically work for those topologies and/or operating system.<br />
Figure 10-6 shows the Advanced tab of the Filter Settings dialog box.<br />
Specify the packet size<br />
on which to filter.<br />
Figure 10-6. Setting Advanced Filters
Defining Filters and Triggers<br />
Filters for 802.11 Packet Types in the Advanced Tab<br />
When using Sniffer <strong>Portable</strong> <strong>Professional</strong> with a wireless adapter, the<br />
Packet Type dropdown includes the wireless LAN error packet types<br />
listed and described in Table 10-1.<br />
Table 10-1. Wireless LAN Error Packet Types Available for Filtering<br />
Packet Type Description<br />
PLCP Errors PLCP errors occur when a wireless station<br />
receives a Physical Layer Convergence<br />
Protocol header with an invalid checksum.<br />
Before frames are sent between wireless<br />
stations, the physical layer (PHY) sends a<br />
PLCP header to a receiving station to<br />
negotiate the size of the frames to be sent,<br />
the speed at which they should be sent, and<br />
so on. This PLCP header includes a<br />
checksum which the receiving station uses<br />
to validate that the received PLCP header is<br />
not corrupt. If this checksum is corrupt, it is<br />
considered a PLCP error.<br />
WEP ICVs The Wired Equivalent Policy (WEP) is used to<br />
encrypt data sent between stations on the<br />
wireless network. When two stations<br />
exchange WEP-encrypted data, they go<br />
through an authentication sequence wherein<br />
challenge messages are encrypted and<br />
decrypted by sender and receiver. If an<br />
Integrity Check Value does not match<br />
between sender and receiver, the receiver<br />
sends a frame indicating a communications<br />
failure (that is, an invalid WEP ICV). This<br />
filter works on these types of packets.<br />
User’s <strong>Guide</strong> 237
Chapter 10<br />
Setting Filter Options in the 802.11 Tab<br />
238 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
When working with a wireless adapter, you can use the options in the<br />
802.11 tab (Figure 10-7) to filter on a variety of different types of<br />
wireless traffic, as summarized below.<br />
Figure 10-7. Define Filter > 802.11 Tab<br />
Traffic Type Filters<br />
Interference can occur in wireless networks when multiple access points<br />
within a range of each other are broadcasting on the same or<br />
overlapping channels. The impact of this interference on network<br />
performance can intensify during busy times when a large amount of<br />
data and media traffic compete for bandwidth.<br />
Use the Traffic Type options to detect packets on a channel to which<br />
they do or do not belong:<br />
Valid packets are packets which belong on the specified<br />
channel(s).<br />
Invalid packets are packets which do not belong on the specified<br />
channel(s).<br />
Indeterministic packets are packets which Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> cannot determine whether are valid or invalid.
Channel Filters<br />
Defining Filters and Triggers<br />
Use the Channel filters to specify different wireless channels to include<br />
as part of this filter. Acceptable values range from 1-161. You can enter<br />
either multiple values separated by commas or a single range separated<br />
by a hyphen. For example, you could enter a range like this:<br />
1-12<br />
Alternatively, you could enter multiple individual values like this:<br />
5,7,12,149<br />
Speed Filters<br />
Use the Speed filters to specify different wireless traffic speeds (in<br />
Mbps) to include as part of this filter. Packets matching one of the<br />
specified speeds are included as part of the filter.<br />
You can enter either multiple speeds separated by commas or a single<br />
speed range separated by a hyphen. For example, you could enter a<br />
range like this:<br />
1-10<br />
Alternatively, you could enter multiple individual values like this:<br />
48,54<br />
Setting Filter Options in the Buffer Tab<br />
Set options for the capture buffer on the Buffer tab. (These settings are<br />
used only if the filter is being used as a capture filter.) For a description<br />
of the capture buffer settings, refer to Capture Buffer on page 124.<br />
Working with Display Filters<br />
A display filter allows you to filter out unwanted packets when you<br />
display the contents of a capture buffer or trace file in the postcapture<br />
window. The profile defined for a capture filter can also be used for<br />
filtering out packets from the postcapture Display by using the Display<br />
> Select Filter command – the dialog box that appears will display all<br />
defined Capture Filter profiles under their own entry. See Selecting<br />
Filters / Combining Multiple Filters on page 174 for details.<br />
The procedure for defining a display filter is identical to the procedure<br />
for a capture filter.<br />
To create or change a display filter:<br />
User’s <strong>Guide</strong> 239
Chapter 10<br />
240 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
1 From the Display menu, select Define Filter.<br />
2 Follow the Define Filter procedure (Defining Filters on page 220).<br />
The links to topics describing how to create various capture filters<br />
are applicable to defining a display filter.<br />
3 From the Display menu, choose Select Filter to apply your new<br />
filter to the current display.<br />
Filtering from the Decode Window<br />
This release provides a variety of new features for filtering from a<br />
Decode tab. You can:<br />
Select a packet in the Decode tab’s Summary pane and click the<br />
Define Filter button to automatically populate the Define Filter<br />
dialog box with some of its components (connection information,<br />
source port/address, destination port/address, and so on).<br />
Add a new filter component to the previous filter by selecting a<br />
packet in the Summary tab and clicking Add to Last Filter button.<br />
Use the Quick Filter button to automatically filter the display based<br />
on the selected information in the currently selected packet (Quick<br />
Filters do not display the Define Filter - Display dialog box as<br />
automatic filters do).<br />
Specify whether Display filters return results by selecting/clearing<br />
packets in the active tab or by creating a new tab of filtered<br />
packets.<br />
Apply Display filters to all packets or only selected packets.<br />
These features are described in detail starting in Postcapture Decode<br />
Display on page 162. In particular, see the following topics:<br />
Using the Decode Tab Toolbar on page 165<br />
Setting Display Filters on page 167<br />
Using Automatic Display Filters on page 168<br />
Using Quick Filters on page 172<br />
Combining Filter Components (“Add to Last Filter”) on page 173<br />
Selecting Filters / Combining Multiple Filters on page 174<br />
Saving Sets of Filtered Frames / Creating New Windows on page<br />
177
Defining Filters and Triggers<br />
Sharing Filters between Systems and Products<br />
Importing Filters<br />
You can import or export individual filters between other Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> systems and some <strong>NetScout</strong> products (for example, Sniffer<br />
InfiniStream, Sniffer <strong>Portable</strong> and Sniffer Distributed). Filters are<br />
imported and exported through the Define Filter dialog box.<br />
Individual filters can be imported from other Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> units. Sniffer <strong>Portable</strong> <strong>Professional</strong> filters are compatible<br />
with other <strong>NetScout</strong> products supporting the .snf format (for example,<br />
Sniffer InfiniStream, Sniffer <strong>Portable</strong>, and Sniffer Distributed). Before<br />
importing a filter to your Sniffer <strong>Portable</strong> <strong>Professional</strong> installation, place<br />
the filter in a network drive accessible to the Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> machine.<br />
To import filters:<br />
1 From the main toolbar, click to open the Define Filter dialog<br />
box.<br />
2 Click the Profiles button at the base of the Summary tab.<br />
3 Click Import in the Capture Profiles dialog box.<br />
4 Browse to the directory containing the capture or display filter.<br />
5 Select a filter and click Open.<br />
6 Click OK.<br />
Exporting Filters<br />
The filter appears in the filter list and is copied to the appropriate folder<br />
on the Sniffer <strong>Portable</strong> <strong>Professional</strong> PC.<br />
Individual filters can be exported for use with other <strong>NetScout</strong> products<br />
supporting the .snf format (for example, Sniffer InfiniStream, Sniffer<br />
<strong>Portable</strong>, and Sniffer Distributed).<br />
To export filters:<br />
1 From the main toolbar, click to open the Define Filter dialog<br />
box.<br />
2 Click the Profiles button at the base of the Summary tab.<br />
3 Select a filter from the list.<br />
User’s <strong>Guide</strong> 241
Chapter 10<br />
242 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
4 Click Export in the Capture Profiles dialog box.<br />
5 In the Select Default Directory dialog box, select Folders.<br />
6 Select the desired location where you want to export the filter from<br />
the Drives drop-down list. You can also click Network to specify a<br />
different machine accessible to the Sniffer <strong>Portable</strong> <strong>Professional</strong> PC.<br />
7 Click OK.<br />
Defining Triggers<br />
Triggers let you start and stop captures based on date and time, alarms,<br />
and specific network events. Use triggers to capture data while your<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> machine is unattended, such as on<br />
off-hours or weekends, or to start captures when specific events occur,<br />
such as alarm conditions.<br />
IMPORTANT: You cannot enable a trigger when a capture is already<br />
running. If you try to do so, you will receive a Failed to set trigger<br />
error message. Stop any active captures before enabling a new trigger.<br />
You can define three kinds of triggers — start triggers, which will start a<br />
capture session, stop triggers, which will stop a capture session, and<br />
start and stop triggers, which do both.<br />
A start trigger has two elements:<br />
Trigger specification. Specifies what will start a capture session.<br />
Select a predefined trigger specification from a drop-down list, or<br />
create a new one by clicking the Define button.<br />
Capture filter specification. Select a capture filter to use during<br />
the capture. Select one from the Capture Filter list.<br />
A stop trigger has three elements:<br />
Trigger specification. Specifies what will stop a capture session.<br />
Select a predefined trigger specification from a drop-down list, or<br />
create a new one by clicking the Define button.<br />
Trigger delay specification. Specifies how many packets to<br />
capture after the stop trigger event occurs.<br />
Restart option. Check this box to automatically restart capturing<br />
after the stop trigger event occurs.<br />
As with a filter, once you create and name a trigger, you can reuse it<br />
whenever appropriate.
This picture<br />
graphically<br />
depicts your<br />
trigger<br />
definition<br />
To define a trigger:<br />
1 Select Trigger Setup from the Capture menu.<br />
Defining Filters and Triggers<br />
The Trigger Setup dialog box opens (shown in Figure 10-8).<br />
Click to specify which events to use<br />
as a start trigger (start time and date,<br />
threshold alarm, and/or event filter)<br />
Define how to control packet capture:<br />
Start trigger, stop trigger, delay after<br />
trigger, or repeat mode<br />
Figure 10-8. Defining a Trigger<br />
Specify what capture<br />
filter to use when the<br />
trigger event occurs<br />
Click to specify which events to use<br />
as a stop trigger (start time and date,<br />
threshold alarm, and/or event filter)<br />
2 Select Enable under Start Trigger, Stop Trigger, or both. Start<br />
triggers start capture sessions when the trigger event is detected.<br />
Stop triggers stop a capture session when the trigger event is<br />
detected. Start and stop triggers do both.<br />
3 Click the Define button corresponding to the type of trigger event<br />
you want to specify (Start or Stop).<br />
Either the Start Trigger dialog box (Figure 10-9) or the Stop Trigger<br />
dialog box appears, depending on which Define button you clicked.<br />
These dialog boxes let you specify the Start or Stop Trigger event.<br />
Existing trigger profiles are shown in the Triggers list.<br />
User’s <strong>Guide</strong> 243
Chapter 10<br />
244 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
a Click New to create a new trigger.<br />
b Enable the Date/Time option to select a specific date and<br />
time as the trigger event.<br />
c Enable the Alarms option to select a particular type of Monitor<br />
Alarm as the trigger event. The thresholds for monitor alarms<br />
are specified in the Tools > Options > MAC Threshold tab.<br />
d Enable the Event filter option to select a Filter Profile as the<br />
trigger event. The dropdown automatically lists all configured<br />
Filter Profiles. When Sniffer <strong>Portable</strong> <strong>Professional</strong> detects a<br />
packet matching the selected filter’s definitions, capture will<br />
either start or stop (depending on what type of trigger you are<br />
setting up).<br />
For example, if you want to start a capture triggered by a<br />
particular IP address, you can accomplish this by defining an<br />
IP address filter with your known IP address in the Station 1<br />
field and Any in the Station 2 field, with the Dir set<br />
appropriately. Then, you can use this filter as the Event<br />
filter for the Start Trigger.<br />
e Click OK to close the Start Trigger or Stop Trigger dialog box.<br />
Figure 10-9. Start Trigger Dialog Box<br />
4 In the Trigger Setup dialog box (Figure 10-8):<br />
a For Start Triggers, use the Capture Filter option to select<br />
what capture filter to use when the trigger event is detected<br />
and capture starts.<br />
a For Stop Triggers, specify the number of packets to capture<br />
after the Stop trigger event in the field provided.
Defining Filters and Triggers<br />
b For Stop Triggers, check the Automatically re-start<br />
capture after stop field to restart capture automatically after<br />
capture is stopped after a Stop Trigger event.<br />
5 Check Repeat Mode to automatically repeat this trigger. This<br />
option applies to both Start and Stop triggers.<br />
6 Click OK.<br />
Specifying a Capture Filter for a Trigger<br />
To specify what capture filter to use when a capture is started<br />
with a trigger:<br />
1 Select Trigger Setup from the Capture menu.<br />
2 In the Start Trigger section, check the Enable checkbox.<br />
3 Select a trigger from the pull-down list. If you want to create a new<br />
trigger, click Define.<br />
4 Select the capture filter you want from the Capture Filter pull-down<br />
list. (If you want to create a new capture filter, cancel from the<br />
Trigger Setup dialog box and select Define Filter from the Capture<br />
menu. Then return to the Trigger Setup dialog box and continue.)<br />
5 Click OK.<br />
Capture Trigger Example<br />
The following example shows how an event filter (seeing any Telnet<br />
packet) can be used to trigger the start of a packet capture. Then, after<br />
either 60 minutes has elapsed or a predefined IP address is detected,<br />
the packet capture continues for 3,000 packets, and then the capture<br />
stops.<br />
This example assumes that filters have already been defined<br />
for a Telnet packet and a known IP address:<br />
1 From the Capture menu, select Trigger Setup to open the Trigger<br />
Setup dialog box.<br />
2 Check the Enable check box of the Start Trigger section, and click<br />
the Define button. A Start Trigger dialog box appears.<br />
3 Click New to invoke a New Trigger dialog box.<br />
4 Enter the name of the start trigger, in this example, Start Trigger<br />
Sample.<br />
User’s <strong>Guide</strong> 245
Chapter 10<br />
5 Click OK.<br />
246 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
6 Mark the Event Filter check box, and select a defined filter from<br />
the drop-down list. In our example, we've previously created a<br />
filter named Telnet Packet and selected it as the Event Filter in<br />
the Start Trigger dialog box.<br />
7 Click OK. Alternatively, you may use Date/Time or Alarm as the<br />
trigger. Enter the time, and select each weekday of your choice by<br />
clicking on the button to toggle its ON/OFF state. A floating button<br />
means OFF; a sinking button means ON. If you are interested in<br />
using network traffic load to trigger capture, select Alarms and the<br />
individual network variables as the trigger.<br />
8 Select a capture filter profile from the Capture Filter pull-down<br />
menu. The capture filter selected here will be used as the capture<br />
filter when the start trigger activates the capture.<br />
9 Mark the Enable check box of the Stop Trigger section, and click<br />
Define.<br />
10 Click New, and define a new stop trigger Stop Trigger Sample<br />
and click OK.<br />
11 Select the Time check box. Specify Stop after 3600 seconds<br />
from start as the first stop trigger. Mark the Event filter check<br />
box, and select IP Address as the second stop trigger. Then click<br />
OK.<br />
12 Enter Capture 3000 packets after stop trigger happened. Click<br />
OK.<br />
The trigger appears as in the figure below.<br />
Figure 10-10. Sample Trigger
Trigger Entries in Alarm Log<br />
Defining Filters and Triggers<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> will log information related to trigger event<br />
detection and captures started\stopped based on trigger event detection<br />
to the local Alarm Log.<br />
Alarms logged for trigger events typically include the time the capture<br />
started, the types of trigger event(s) specified for both Start and Stop<br />
triggers, and a variety of other configuration information summarizing<br />
the trigger definitions.<br />
User’s <strong>Guide</strong> 247
Chapter 10<br />
248 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Using the Address Book<br />
Overview<br />
11<br />
The address book lets you assign familiar, recognizable names for your<br />
network nodes. These symbolic names are used in place of six-byte<br />
hardware addresses and IP addresses in:<br />
Filter definitions<br />
The capture decode display<br />
The Expert display<br />
Host Table displays (both monitor and capture)<br />
Matrix displays (both monitor and capture)<br />
To create an address book to maintain a symbolic name table for your<br />
own network, you can:<br />
Entering Names Manually on page 252<br />
Use the address book's autodiscovery feature<br />
Add names discovered by the Expert analyzer<br />
About Address Entries<br />
The Address Book allows you to define your network nodes in<br />
more-readable symbolic names. Sniffer <strong>Portable</strong> <strong>Professional</strong> uses the<br />
address book in filter definitions, the capture decode display, the Expert<br />
display, and the Host Tables to replace the 6 byte hardware address or<br />
network address of the network node with its respective symbolic name.<br />
An address book entry contains:<br />
Name<br />
Medium<br />
Hardware Address<br />
IP Address<br />
IPX Address<br />
Type<br />
User’s <strong>Guide</strong> 249
Chapter 11<br />
Description<br />
250 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
NOTE: The address book can contain a maximum of 5,000 entries.<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> uses only the medium, hardware address,<br />
IP/IPX address, and Type fields. The other fields are only informational.<br />
The Medium field can also be thought of as a topology field - it<br />
refers to the type of network entity for which you are creating an<br />
Address Book entry. The Medium field tells Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> on what types of networks it should look for this<br />
Address Book entry.<br />
The Medium field also determines the type of HW Address you can<br />
enter. For example, if you set Medium to Ethernet, blanks are<br />
provided in the HW Address field for you to enter a standard<br />
Ethernet hardware address in hexadecimal format.<br />
The Type selections are Workstation, Server, File Server, Printer<br />
Server, Router, Bridge, Hub, Access Point, and Mobile Unit. The<br />
Type field is mainly used when exporting the MAC addresses of<br />
access points to the Expert's list of known access points.<br />
The Description field is a text field in which you can write your own<br />
description or notes about the node.<br />
Creating Address Book Entries<br />
You create an address book to maintain a symbolic names table for your<br />
own network. To create entries in the address book, you can enter<br />
names manually or automatically discover names with the address<br />
book’s autodiscovery feature.<br />
To create an address book entry:<br />
1 Select Address Book from the Tools menu or click in the<br />
main toolbar.<br />
2 Click the right mouse button to display the context menu.<br />
3 Click New Address to open the New/Edit Address dialog box.<br />
4 Enter the Name, Medium, HW Address, IP Address and/or IPX<br />
Address. If the entry is a router, select Router for the Type. (This<br />
prevents duplicate address alarms during address autodiscovery.)<br />
Other entries are for user reference only. Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> does not interpret them.
Add a new address<br />
Edit selected<br />
address<br />
Delete selected<br />
address<br />
Undo and redo<br />
previous action<br />
Sort and unsort<br />
address book<br />
Export Access<br />
Point list<br />
Using the Address Book<br />
NOTE: The Medium field can also be thought of as a topology<br />
field - it refers to the type of network entity for which you are<br />
creating an Address Book entry. The Medium field tells Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> on what types of networks it should look<br />
for this Address Book entry.<br />
5 The Medium field also determines the type of HW Address you can<br />
enter. For example, if you set Medium to Ethernet, blanks are<br />
provided in the HW Address field for you to enter a standard<br />
Ethernet hardware address in hexadecimal format.<br />
6 Click Save to add the new entry to the Address Book. Alternatively,<br />
click Save and Next to save this entry and add another entry.<br />
NOTE: The address book can contain a maximum of 5000<br />
entries.<br />
Export table to<br />
spreadsheet<br />
Figure 11-1. The Address Book<br />
Autodiscover IP addresses<br />
and Domain names<br />
Delete all<br />
entries.<br />
User’s <strong>Guide</strong> 251
Chapter 11<br />
Entering Names Manually<br />
Specify the<br />
name,<br />
medium,<br />
hardware<br />
address,<br />
IP/IPX<br />
address, and<br />
type of<br />
network node<br />
in these<br />
fields.<br />
252 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can build your own address book by getting hardware addresses and<br />
IP addresses from the host table.<br />
To add a new address to the book, select Address Book from the Tools<br />
menu. Then, click the New Address button in the Address Book<br />
toolbar. The New/Edit Address dialog box opens (Figure 11-2). You can<br />
enter address information for a network node in this dialog box.<br />
Figure 11-2. Entering Names Manually<br />
About the Medium Field<br />
A node Type can be:<br />
Workstation<br />
Server<br />
File Server<br />
Printer Server<br />
Router<br />
Bridge<br />
The Medium field can also be thought of as a topology field – it refers<br />
to the type of network entity for which you are creating an Address Book<br />
entry. The Medium field tells the Sniffer on what types of networks it<br />
should look for this Address Book entry.<br />
The setting of the Medium field also determines the type of HW<br />
Address you can enter. For example, if you set Medium to Ethernet,<br />
blanks are provided in the HW Address field for you to enter a standard<br />
Ethernet hardware address in hexadecimal format.<br />
Hub<br />
Access Point<br />
Mobile Unit
Autodiscovering Addresses and Names<br />
Using the Address Book<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> provides an autodiscovery feature that<br />
learns the following names and addresses automatically and saves them<br />
in the Address Book:<br />
A network node’s IP address, its associated hardware address, and<br />
domain name<br />
A network node’s NetBIOS name and hardware (MAC address)<br />
An IPX network node’s Netware user name and hardware (MAC)<br />
address<br />
NOTE: To ensure accuracy, autodiscovery discovers source<br />
addresses and not destination addresses.<br />
IMPORTANT: During autodiscovery of Netware user names and MAC<br />
addresses, you must log in to a Netware Server from a DOS window and<br />
type the command userlist /a. This procedure enables Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> to extract login user names and hardware addresses.<br />
To use the autodiscovery feature:<br />
1 Click the autodiscovery button in the Address Book toolbar or<br />
right-click and select Auto Discovery.<br />
The Discovery Option dialog box opens. Select the type of address<br />
to resolve (see Figure 11-3).<br />
User’s <strong>Guide</strong> 253
Chapter 11<br />
Click to resolve the Domain name of any IP<br />
node that has traffic on the subnet<br />
Click to<br />
resolve the<br />
NetBIOS name<br />
of any node<br />
that has traffic<br />
on the subnet<br />
Click to resolve the Netware<br />
user name of any IPX node<br />
that has traffic on the subnet<br />
254 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Enter the subnet address and node address range<br />
to resolve the Domain names of specific IP nodes<br />
Figure 11-3. Setting Autodiscovery Options (Wireless Adapter Selected)<br />
Exporting Access Point Addresses to the Expert’s List of Known<br />
Addresses<br />
You can use the Export AP button in the Address Book’s toolbar to<br />
export each of the access point entries to the Expert’s list of known<br />
access points. The Expert uses this list to generate the Rogue Access<br />
Point alarm. During capture with the Enable Rogue AP Lookup option<br />
enabled, the Expert compares the MAC address (not the IP address) of<br />
each detected access point to those in the Known Access Points in the<br />
Network list. If the access point’s MAC address is not in the list, the<br />
Expert generates the Rogue Access Point alarm. You can see the<br />
Expert’s list of known access points in the Tools > Expert Options ><br />
802.11 Options tab or in the Tools > Wireless > Rogue dialog box.<br />
See Expert 802.11 Options on page 140 for details on configuring the<br />
Expert to generate Rogue Access Point and Rogue Mobile Unit<br />
alarms.
Configuring Autodiscovery for Routers<br />
Using the Address Book<br />
A router carries traffic between other subnets and the local segment<br />
where your Sniffer <strong>Portable</strong> <strong>Professional</strong> resides, therefore, the router’s<br />
hardware address will be associated with any IP address that passes<br />
through it. This appears as a duplicate IP address to the autodiscovery<br />
process. When autodiscovery finds duplicate IP addresses, it adds an<br />
entry into the Alarm log and sounds an audible alarm. To prevent these<br />
false duplicate IP address alarms, you must manually enter your IP<br />
network router’s IP address, hardware address, and domain name in the<br />
address book first, and specify the Type as Router.<br />
Adding Discovered Addresses to the Address Book<br />
During capture, the Expert analyzer automatically discovers name and<br />
address pairs on the network. You can add these discovered addresses<br />
to the analyzer’s Address Book using the Discovered Addresses dialog<br />
box.<br />
To add name and address pairs discovered by the Expert:<br />
1 After a capture, display the Expert tab of the display window.<br />
2 Click Discovered Addresses in the Expert tab of the display<br />
window. The Discovered Addresses dialog box appears (Figure<br />
11-4). It lists the new name and address pairs that have been<br />
discovered during the capture session. Only name and address<br />
pairs not already in the address book are listed.<br />
Figure 11-4. The Discovered Addresses Dialog Box<br />
3 Select the addresses in the list that you would like to add to the<br />
Address Book. You can use the standard Shift-Click and Ctrl-Click<br />
methods to select multiple entries. You can also use Select All and<br />
Select None to speed the selection process.<br />
User’s <strong>Guide</strong> 255
Chapter 11<br />
256 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
4 When you have finished selecting the addresses you would like to<br />
add to the Address Book, click Update.<br />
5 The Address Book appears with the newly added entries<br />
NOTE: The General tab of the Options dialog box (accessed from<br />
the Tools menu) provides a means to ensure that you are reminded<br />
to save discovered name and address pairs. If you enable the<br />
Discovered Address checkbox in the Prompt to save/update<br />
list, the analyzer will always ask you if you want to save discovered<br />
addresses that have not yet been saved when you close a capture<br />
window.
Managing Alarms<br />
Overview<br />
The Alarm Log<br />
12<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong>’s alarm features provide a comprehensive<br />
method of detecting and logging network alarm events:<br />
The Sniffer Expert generates alarms during data capture. It can log<br />
an event in the Alarm log when it detects a symptom or diagnosis.<br />
The monitor’s Alarm Manager starts automatically when you start<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong>. It logs an event in the Alarm log when<br />
a user-specified threshold parameter is exceeded.<br />
Abnormal network events can be assigned to one of five different levels<br />
of severity: Critical, Major, Minor, Warning, and Informational. In<br />
addition, you can associate each severity level with up to four alarm<br />
notification actions (for example, you can configure Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> to send email when a critical or Major alarm occurs). Alarm<br />
notification actions can be activated during certain time periods within a<br />
day, or on certain days of the week.<br />
Logged alarm events (Monitor alarms and Expert alarms) are listed in<br />
the Alarm log, which you display by selecting Alarm Log from the<br />
Monitor menu or by clicking the Alarm button .<br />
IMPORTANT: Alarms (both Monitor and Expert) are only logged in the<br />
Monitor > Alarm Log if the Enable Alarm option is checked in the<br />
Tools > Options > Alarm tab. This option is enabled by default. See<br />
Setting Up Logging for the Local Alarm Log on page 259 for details.<br />
For each alarm event, you see the type of node that triggered the alarm<br />
(for example, server, bridge, or hub), a description of the alarm, the<br />
time it occurred, and the severity level.<br />
The Alarm log (sample shown in Figure 12-1) displays the following<br />
information:<br />
Status. Alarm status. The Status can be new or acknowledged (i).<br />
To acknowledge an alarm, right-click on the alarm entry and select<br />
Acknowledge.<br />
User’s <strong>Guide</strong> 257
Chapter 12<br />
Type of node triggering<br />
the alarm (as defined in<br />
your address book)<br />
258 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Type. The type of node triggering the alarm (as defined in your<br />
address book).<br />
Log Time. The date and time the alarm was triggered.<br />
Severity. Level of severity assigned to this type of alarm (1<br />
through 5).<br />
Description. A brief description of the error.<br />
Figure 12-1 shows a sample Alarm log.<br />
Date and time<br />
the alarm was<br />
triggered<br />
The Status can be new (-) or acknowledged (i). To acknowledge<br />
an alarm, right-click the alarm entry and select Acknowledge.<br />
Figure 12-1. The Alarm Log<br />
Level of severity<br />
assigned to this type of<br />
alarm (1 through 5)<br />
Description of<br />
the error
Setting Up Logging for the Local Alarm Log<br />
Managing Alarms<br />
Configuring logging for the local Alarm Log consists of the following<br />
steps:<br />
Make sure the Enable Alarm option is checked in the Tools ><br />
Options > Alarm tab (Figure 12-2). This option is enabled by<br />
default. This option must be enabled for any logging to take place<br />
in the local Alarm Log.<br />
Use the Tools > Expert Options > Alarms tab to set Alarm<br />
Logged to YES for each Expert alarm you’d like logged in the local<br />
Alarm Log. See Logging and Severities for Expert Alarms.<br />
Use the Tools > Options > Alarm tab’s Severities button to<br />
specify the severity for each possible monitor alarm. See Severities<br />
for Monitor Alarms.<br />
Alarms are<br />
logged in the<br />
local Alarm<br />
Log when<br />
this option is<br />
checked.<br />
Figure 12-2. Setting Up Alarm Logging<br />
User’s <strong>Guide</strong> 259
Chapter 12<br />
Setting Alarm Severity Levels<br />
260 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
You can assign a severity level to both Monitor and Expert alarms<br />
(symptoms and diagnoses).<br />
Severities for Monitor Alarms on page 260<br />
Logging and Severities for Expert Alarms on page 262<br />
IMPORTANT: Alarms (both Monitor and Expert) are only logged in the<br />
Monitor > Alarm Log if the Enable Alarm option is checked in the<br />
Tools > Options > Alarm tab. This option is enabled by default. See<br />
Setting Up Logging for the Local Alarm Log on page 259 for details.<br />
Severities for Monitor Alarms<br />
By default, Sniffer <strong>Portable</strong> <strong>Professional</strong> defines the alarm event types<br />
listed in the table below and assigns each one a severity level. You can<br />
change the default severity level assigned to each event to suit your<br />
specific network operating environment. Table 12-1 lists the default<br />
severity levels.<br />
Table 12-1. Default Severity Levels<br />
Alarm Event Severity Level<br />
Threshold: Over upper limit Critical<br />
Address: Duplicate IP address Critical<br />
Address: Duplicate data in address book Inform<br />
To change an alarm severity level, select Options from the Tools menu,<br />
then click the Alarm tab. Click the Define Severity button to open the<br />
Define Severity dialog box (Figure 12-3). Click the Severity cell for an<br />
alarm to display a list of severity-level options. Select the one you want<br />
to use and click OK.
Figure 12-3. Setting Severity Levels for Alarms<br />
Managing Alarms<br />
Select the<br />
severity level<br />
from the<br />
drop-down<br />
list<br />
User’s <strong>Guide</strong> 261
Chapter 12<br />
Logging and Severities for Expert Alarms<br />
262 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Expert alarms (symptoms and diagnoses) can be assigned one of five<br />
different severity levels: Critical/Diag, Major, Minor, Warning, and<br />
Informational. The severity level for a symptom or diagnosis displays in<br />
the summary pane of the Expert window. It is also recorded in the Alarm<br />
log if the alarm setting Alarm Logged is set to YES in the Tools ><br />
Expert Options > Alarms tab.<br />
IMPORTANT: Alarms (both Monitor and Expert) are only logged in the<br />
Monitor > Alarm Log if the Enable Alarm option is checked in the<br />
Tools > Options > Alarm tab. This option is enabled by default. See<br />
Setting Up Logging for the Local Alarm Log on page 259 for details.<br />
To change the severity level for an Expert alarm, select Expert Options<br />
from the Tools menu and click the Alarms tab (Figure 12-4). Then, click<br />
(0) or (1) at the top of the left column to expand/collapse all Expert<br />
layers. Click (+) or (-) next to an Expert layer to display all alarms for<br />
that level. For the Alarm log to record the alarm, you must set the Alarm<br />
Logged option to Yes.<br />
Click in the Value cell for an alarm to display a dropdown box. From the<br />
dropdown box, select a severity level.<br />
NOTE: The alarm must be recorded in the Alarm log for notification<br />
to take place. Refer to Setting an Alarm Notification Action on page<br />
265.
Click the + to open<br />
an Expert layer<br />
and display all<br />
alarms<br />
Click the + to<br />
display an alarm’s<br />
settings<br />
Alarm Logged<br />
must be set to Yes<br />
to record the alarm<br />
in the Alarm log.<br />
Click to expand/collapse all<br />
Expert layers<br />
Figure 12-4. Setting Severity Levels for Expert Alarms<br />
Managing Alarms<br />
Click the<br />
Value cell for<br />
the severity<br />
to display the<br />
drop-down<br />
box.<br />
User’s <strong>Guide</strong> 263
Chapter 12<br />
Setting Alarm Notification<br />
264 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Each severity level that can be assigned to an alarm (Critical/Diag,<br />
Major, Minor, Warning, and Informational) can be associated with up to<br />
four alarm notification actions. These notification actions can be enabled<br />
for specified time periods within a day, and on specified days of the<br />
week. When an alarm is triggered, Sniffer <strong>Portable</strong> <strong>Professional</strong> can:<br />
Send email<br />
Invoke a script to open an application or send an alarm notification<br />
as an SNMP trap to an SNMP console<br />
To set up a notification action:<br />
1 Select Options from the Tools menu.<br />
2 Select the Alarm tab.<br />
3 Click Define Actions to open the Define Actions dialog box (Figure<br />
12-5).<br />
4 Click Add and select the radio button for the type of alarm<br />
response you want. A wizard will guide you through the setup<br />
procedure.<br />
NOTE: Expert alarms must have their Alarm Logged options set to<br />
Yes in the Tools > Expert Options > Alarms tab for notification<br />
to take effect. Refer to Logging and Severities for Expert Alarms on<br />
page 262.
Select and configure the<br />
option you want to use<br />
Click Add to open the<br />
New Alarm Action<br />
dialog box and set up<br />
a new alarm action<br />
Figure 12-5. Setting an Alarm Notification Action<br />
Enabling Alarm Actions<br />
Managing Alarms<br />
After you complete the definition of an alarm action, you must assign it<br />
to a severity level. Up to four actions can be assigned to a severity level.<br />
When an alarm of a particular severity level occurs, all actions assigned<br />
to it are executed (unless disabled by time and date settings).<br />
NOTE: You must enable alarms for alarm actions to take place.<br />
Check the Enable Alarm check box on the Alarm tab to enable<br />
alarm actions.<br />
Alarm Beeps and Sounds<br />
Specify a name for the alarm action<br />
By default, Sniffer <strong>Portable</strong> <strong>Professional</strong> makes a single beep sound<br />
when an alarm occurs. If you prefer another sound, you can replace the<br />
standard beep with any .wav sound file. To do this, click the button<br />
on the Alarm tab and select the file.<br />
User’s <strong>Guide</strong> 265
Chapter 12<br />
266 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Network Adapters and<br />
Settings<br />
Overview<br />
13<br />
This chapter describes how to select different adapters for capture, and<br />
how to bind and load multiple instances of Sniffer if there are multiple<br />
adapters. In addition, it also discusses how to use Sniffer <strong>Portable</strong><br />
<strong>Professional</strong>’s profile feature to maintain multiple sets of settings for<br />
capture and monitoring.<br />
Removing Network Adapters<br />
Do not remove network adapters from the Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
PC while the application is actively using them. For example, if Sniffer<br />
<strong>Portable</strong> <strong>Professional</strong> is currently logged on to a wireless adapter, do not<br />
remove the adapter. Removing the adapter can result in unpredictable<br />
results. Instead, close Sniffer <strong>Portable</strong> <strong>Professional</strong> and then remove the<br />
adapter.<br />
When using Sniffer <strong>Portable</strong> <strong>Professional</strong> on Windows Vista, you must<br />
reboot the system after removing a network adapter and inserting a new<br />
one before you can monitor data.<br />
Selecting Network Adapters<br />
If you have more than one network interface card (adapter) installed in<br />
your system, you can select which card Sniffer <strong>Portable</strong> <strong>Professional</strong> will<br />
use.<br />
If you have multiple adapters attached to different network segments,<br />
you can select which segment Sniffer <strong>Portable</strong> <strong>Professional</strong> will monitor<br />
by switching from one adapter to another.<br />
NOTE: See Installing Sniffer <strong>Portable</strong> <strong>Professional</strong> for a list of<br />
supported 802.11 adapters.<br />
User’s <strong>Guide</strong> 267
Chapter 13<br />
268 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
To select an adapter:<br />
1 Select Adapter Settings from the File menu to open the Adapter<br />
Settings dialog box (see Figure 13-1).<br />
The Adapter Settings dialog box contains the profiles you have<br />
defined for this Sniffer <strong>Portable</strong> <strong>Professional</strong> PC.<br />
2 Select a previously defined profile as the target network for the<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> to monitor from the list provided.<br />
NOTE: To define new profiles to use for monitoring, click New<br />
and supply the appropriate information. See Creating Sniffer<br />
Monitoring Profiles on page 270 for more information.<br />
3 Change the Real Time/Post Capture option if desired. This<br />
checkbox specifies whether Sniffer <strong>Portable</strong> <strong>Professional</strong> will<br />
actively monitor an adapter at startup:<br />
If the Post Capture box appears, the selected profile is<br />
currently in Real Time mode and will automatically begin<br />
monitoring the selected adapter at startup. You can check the<br />
Post Capture box to open the application without monitoring<br />
a specific card.<br />
If the Real Time box appears, the selected profile is currently<br />
in Post Capture mode and will only be available for trace file<br />
analysis. You can check the Real Time box to enable<br />
real-time monitoring and analysis according to the privileges<br />
assigned to your account.<br />
The name of this option changes depending on what the card is<br />
currently set to. For example, since the card selected in Figure 13-1<br />
is set to start in Real Time mode, you could check Post Capture<br />
to reverse that.<br />
4 Change the Local Mode option if desired. This checkbox specifies<br />
whether Sniffer <strong>Portable</strong> <strong>Professional</strong> monitors all traffic or only<br />
local/broadcast/multicast traffic:<br />
If Local Mode is not checked, Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
monitors promiscuously, including all traffic.<br />
If Local Mode is checked, Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
monitors only traffic to/from the local host, broadcast traffic,<br />
and multicast traffic with the local host addressed.<br />
5 Click OK.
Figure 13-1. Selecting a Network Adapter<br />
Network Adapters and Settings<br />
User’s <strong>Guide</strong> 269
Chapter 13<br />
Creating Sniffer Monitoring Profiles<br />
270 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
To operate Sniffer <strong>Portable</strong> <strong>Professional</strong> with different network adapters<br />
and settings, you create separate entities, called profiles. A profile can<br />
be thought of as a set of settings — each profile holds session<br />
information, such as the address book, capture filter settings, and<br />
packet display options. Each profile has independent configuration<br />
information, so it can be used to globally reconfigure Sniffer <strong>Portable</strong><br />
<strong>Professional</strong> when moving from one network to another, one segment to<br />
another, or for setting up the options for specific tasks.<br />
When you create a new profile, it automatically uses the settings<br />
currently defined in the Sniffer <strong>Portable</strong> <strong>Professional</strong> application (the<br />
address book, capture filter settings, packet display options, and so on).<br />
NOTE: If you use Sniffer <strong>Portable</strong> <strong>Professional</strong> as a field service tool<br />
to troubleshoot different networks, use the profile feature to<br />
maintain configuration information for each client’s network.<br />
To create a new profile:<br />
1 Select Adapter Settings from the File menu.<br />
2 Click New.<br />
3 In the New Settings dialog box (Figure 13-2), enter a description<br />
for the profile in the field provided. This will also be the name of the<br />
profile and will appear in future instances of the Settings dialog<br />
box.<br />
4 Select the adapter for this profile. All adapters are listed.<br />
5 Use the Copy settings from field to use the configuration settings<br />
from an existing profile. The drop-down list includes all previously<br />
defined profiles on the Sniffer <strong>Portable</strong> <strong>Professional</strong> PC. The<br />
settings you are copying include the address book, filter settings,<br />
trigger settings, alarm threshold settings, and so on. If you do not<br />
use the Copy settings from field, the new profile will be created<br />
using the settings currently active on Sniffer <strong>Portable</strong> <strong>Professional</strong>.<br />
You can then change these settings to suit your needs.<br />
NOTE: Various options in Sniffer <strong>Portable</strong> <strong>Professional</strong>'s<br />
menus will change depending on the type of adapter you have<br />
selected for capture.<br />
6 Click OK.
Tips:<br />
Network Adapters and Settings<br />
Once you have created multiple profiles, you can launch new<br />
Sniffer <strong>Portable</strong> <strong>Professional</strong> sessions without creating the new<br />
agents again.<br />
It may be useful to think of a profile as a “set of settings.” You can<br />
define multiple sets of settings (profiles) for a single adapter. This<br />
makes it easy to switch between different monitoring or analysis<br />
needs by simply switching profiles. The same network card is used,<br />
but the configuration settings within the analyzer will be different.<br />
Figure 13-2. Creating a profile<br />
User’s <strong>Guide</strong> 271
Chapter 13<br />
272 Sniffer <strong>Portable</strong> <strong>Professional</strong>
Index<br />
Numerics<br />
802.11 Options tab (Expert Options), 140<br />
802.11 tab<br />
Status column, 85, 88<br />
90% Response<br />
ART setting, 102<br />
A<br />
Absolute time,<br />
access point<br />
182<br />
determining full hex address,<br />
Acknowledge counter<br />
147<br />
in Dashboard’s 802.11 tab, 81<br />
Adapter Settings dialog box, 267<br />
Adapters, using, 267<br />
Adding tools to the Tools menu, 64<br />
Address Book, 249, 254<br />
autodiscovering addresses and<br />
names, 253<br />
creating, 250<br />
entering names manually, 252<br />
Address filter, 225<br />
Advanced tab (Define Filter),<br />
Alarm<br />
235<br />
beeps and sounds, 265<br />
enabling notification actions, 265<br />
features, 257<br />
log, 120, 257<br />
Monitor thresholds, 75<br />
notification actions, 264<br />
severity levels, 260<br />
sound files,<br />
Alarm Log<br />
265<br />
setting up logging, 259<br />
alarm severities,<br />
alarms<br />
259<br />
Expert thresholds, 137<br />
Monitor thresholds, 51<br />
none in Alarm Log?, 120, 257, 260, 262<br />
ART<br />
data not displaying?, 98<br />
setting options, 101<br />
tabular view statistics, 98<br />
Association Requests counter<br />
in Dashboard’s 802.11 tab,<br />
Association Responses counter<br />
79<br />
in Dashboard’s 802.11 tab,<br />
Atheros AR5002X<br />
79<br />
using as a normal network adapter,<br />
ATIMs counter<br />
29<br />
in Dashboard’s 802.11 tab,<br />
Authentication<br />
80<br />
field in Host Table,<br />
Authentications counter<br />
86, 89<br />
in Dashboard’s 802.11 tab, 80<br />
autodiscovering wireless units, 145<br />
Autodiscovery, 253<br />
B<br />
Beacons counter<br />
in Dashboard’s 802.11 tab, 80<br />
in Global Statistics, 119<br />
in Host Table,<br />
BSSID<br />
90<br />
counter in Dashboard’s 802.11 tab, 81<br />
counter in Global Statistics, 119<br />
BSSID column in 802.11 tab, 85<br />
Building your own address book, 252<br />
C<br />
Capture buffer<br />
options, 124<br />
saving to a file, 127<br />
Capture filters, 129<br />
User’s <strong>Guide</strong> 273
Capture panel, 123<br />
Capture triggers, 129<br />
Captured data, displaying,<br />
Capturing data<br />
158<br />
between specific stations, 128<br />
to or from a station, 84<br />
cards missing,<br />
CF End<br />
34<br />
counter in Dashboard’s 802.11 tab,<br />
CF End/CF ACK counter<br />
81<br />
in Dashboard’s 802.11 tab,<br />
Ch. No. counter<br />
81<br />
in Global Statistics, 118<br />
Changing Expert alarm settings,<br />
Cisco Aironet<br />
262<br />
installation notes and issues,<br />
Cntl Pkts counter<br />
34<br />
in Global Statistics, 118<br />
Color-code packets,<br />
Configuring<br />
178<br />
autodiscovery for routers, 254<br />
default routers (Expert), 138<br />
Expert analysis,<br />
Creating<br />
134<br />
an address book, 250<br />
profiles,<br />
CTS counter<br />
270<br />
in Dashboard’s 802.11 tab, 81<br />
Cumulative bytes, 182<br />
Customer Support,<br />
Customizing<br />
4<br />
the decode display, 177<br />
user tools, 64<br />
D<br />
Data pattern filter,<br />
Data Pkts counter<br />
230<br />
in Dashboard’s 802.11 tab, 77<br />
in Global Statistics, 118<br />
Data Rate Counters, 79<br />
Data Throughput counter<br />
in Dashboard’s 802.11 tab, 78<br />
Data, displaying, 158<br />
274 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
Deauthentications counter<br />
in Dashboard’s 802.11 tab, 80<br />
Decode Font, 178<br />
Decode tab, 162<br />
searching for frames,<br />
Define Filter<br />
186<br />
wireless options,<br />
Defining<br />
220<br />
filters, 220<br />
triggers, 242<br />
Delta time, 182<br />
Detail pane (decode display), 162<br />
Detail tree pane, 132<br />
Diagnosis in Expert analysis,<br />
Disabling<br />
132<br />
Real-time decodes, 213<br />
real-time Expert analysis, 135<br />
RIP analysis (Expert),<br />
Disassociations counter<br />
138<br />
in Dashboard’s 802.11 tab, 80<br />
discovered addresses,<br />
Display<br />
255<br />
customizing the decode display, 177<br />
Decode, 162<br />
Expert, 131<br />
filters, 167<br />
formats, 162<br />
Host Table, 206<br />
Matrix, 202<br />
menu, 164<br />
navigating the decode display, 164<br />
options on General tab, 179<br />
Protocol Distribution, 208<br />
setting decode display options, 177<br />
Statistics, 210<br />
Display vendor ID on MAC address,<br />
Displaying<br />
180<br />
captured data, 158<br />
decoded packets, 162<br />
Expert data, 131<br />
Expert explain messages, 153<br />
the Alarm log, 257<br />
Domain names, resolving, 253
Duplicate IP address and autodiscovery, 255<br />
E<br />
Enable Rogue AP Lookup option, 61, 140<br />
Enable Rogue Mobile Unit option, 61, 140<br />
Enabling alarm actions, 265<br />
Enabling Real-time decodes,<br />
Encryption<br />
213<br />
field in Host Table,<br />
Errors counter<br />
86, 88<br />
in Global Statistics,<br />
ESSID<br />
118<br />
counter in Dashboard’s 802.11 tab, 81<br />
counter in Host Table, 85, 88<br />
Ethernet, 11<br />
Exclude protocols,<br />
Expert<br />
182<br />
alarms, 262<br />
diagnoses, 132<br />
display, 131<br />
explain messages, 153<br />
exporting data, 154<br />
layers, 134<br />
objects, 134<br />
options, 134<br />
rearranging the display, 153<br />
Recycle Expert Objects, 136<br />
RIP analysis, 138<br />
searching for frames with alarms, 195<br />
subnet mask settings, 138<br />
symptoms, 131<br />
thresholds, 137<br />
Tuning, 136<br />
window panes, 132<br />
Expert Detail pane, 132<br />
Expert Overview pane, 132<br />
Expert Summary pane, 132<br />
Export AP button, 145<br />
Export AP button (Address book),<br />
exporting<br />
254<br />
Protocols tab settings, 53<br />
Exporting Expert data, 154<br />
exporting filters, 241<br />
exporting known addresses to csv file, 147<br />
Exporting monitor data, 120<br />
F<br />
Failed to start capture, 127<br />
Fast Ethernet (100BASE-T),<br />
filter profiles<br />
11<br />
see Filters,<br />
Filters<br />
222<br />
address, 225<br />
capture, 129<br />
creating, 223<br />
data pattern, 230<br />
defining, 220<br />
display, 167<br />
error type, 235<br />
exporting, 241<br />
importing, 241<br />
monitor, 69<br />
overview, 219<br />
packet size, 235<br />
port, 225<br />
profiles, 222<br />
protocol type, 235<br />
settings, 225<br />
sharing filters, 241<br />
finding frames, 186<br />
function key shortcuts<br />
capture, 123<br />
display, 164<br />
G<br />
Global Statistics, 116<br />
toolbar, 117<br />
H<br />
Hex pane (decode display), 162<br />
Highlight selected frames, 181<br />
History Samples, 110<br />
creating multiple, 113<br />
settings, 111<br />
toolbar, 112<br />
window, 110<br />
User’s <strong>Guide</strong> 275
zooming,<br />
Host Table<br />
111<br />
display tab, 206<br />
HwAddr counter, 85<br />
maximum entries, 84<br />
monitor, 82<br />
toolbar, 84, 207<br />
HwAddr counter, 85<br />
I<br />
IBSS networks, 68<br />
icons<br />
at base of Sniffer window, 43<br />
importing<br />
Protocols tab settings, 53<br />
importing addresses to the known address<br />
list, 147<br />
importing filters, 241<br />
In Bytes counter<br />
in Host Table, 87, 89<br />
In Pkts counter<br />
in Host Table, 87, 89<br />
Infrastructure networks, 68<br />
installation requirements, 18<br />
installing<br />
Sniffer, 22<br />
K<br />
Keyboard usage (decode display), 164<br />
Keys Per Channel option,<br />
known addresses<br />
59<br />
adding from the Host Table, 141<br />
adding from the postcapture display, 143<br />
adding to the Expert’s list, 141<br />
L<br />
license<br />
serial number, 30<br />
types, 31<br />
Live scroll mode,<br />
logging<br />
215<br />
setting up for alarms, 259<br />
276 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
M<br />
MAC Bridge Miniport Driver, removing, 39<br />
Main toolbar, 71<br />
Management Pkts counter<br />
in Dashboard’s 802.11 tab,<br />
Matrix<br />
78<br />
display tab, 202<br />
maximum entries, 95<br />
monitor, 93<br />
refresh rate, 95<br />
toolbar, 95, 203<br />
maximum entries<br />
Host Table, 84<br />
Matrix, 95<br />
Mgmt Pkts counter<br />
in Global Statistics, 119<br />
Monitor, 67<br />
alarms, 120<br />
applications, 71<br />
changing alarm severity levels, 260<br />
default severity levels for alarms, 260<br />
exporting data, 120<br />
filters, 69<br />
Global Statistics, 116<br />
History Samples, 110<br />
Host Table, 82<br />
Matrix, 93<br />
Protocol Distribution,<br />
Monitored Channel counter<br />
114<br />
in Host Table, 86, 89<br />
Monitored Topology counter<br />
in Host Table, 86, 89<br />
monitoring wireless networks,<br />
Multicast counter<br />
68<br />
in Host Table, 87<br />
N<br />
Navigating the decode display, 164<br />
NetBIOS names, resolving, 253<br />
<strong>NetScout</strong> User Forum, 4<br />
Netware user names, resolving, 253<br />
network interface cards<br />
see adapters
Non-live scroll mode, 216<br />
Notification actions for alarms, 264<br />
O<br />
Octets counter<br />
in Global Statistics, 118<br />
offline WEP decryption, 199<br />
Order Pkts counter<br />
in Dashboard’s 802.11 tab, 78<br />
Out Bytes counter<br />
in Host Table, 87, 89<br />
Out Pkts counter<br />
in Host Table, 87, 89<br />
Overflow<br />
matrix message, 95<br />
P<br />
Packet capture<br />
capture buffer options, 239<br />
overview, 121<br />
Packet display, 162<br />
searching for frames, 186<br />
Packet Selection,<br />
Packets<br />
178<br />
color-coding, 178<br />
selecting, 165<br />
Packets counter<br />
in Global Statistics, 118<br />
pcap format,<br />
PLCP Errors<br />
127<br />
as filter option, 237<br />
PLCP Long Pkts counter<br />
in Dashboard’s 802.11 tab,<br />
PLCP Short Pkts counter<br />
79<br />
in Dashboard’s 802.11 tab, 78<br />
Port filter, 228<br />
postcapture WEP decryption, 199<br />
postcapture WPA decryption, 199<br />
power considerations for Sniffer PC,<br />
printing<br />
36<br />
decoded packets, 196<br />
to file, 196<br />
Probe Requests counter<br />
in Dashboard’s 802.11 tab,<br />
Probe Responses counter<br />
80<br />
in Dashboard’s 802.11 tab, 80<br />
product registration, 30<br />
profiles, 270<br />
profiles (filters), 222<br />
Protocol Distribution<br />
display tab, 208<br />
monitor, 114<br />
toolbar, 115, 209<br />
Protocol Expand, 178<br />
Protocol Statistics pane, 132<br />
Protocols tab options,<br />
Protocols tab settings<br />
52<br />
importing/exporting,<br />
PS Polls counter<br />
53<br />
in Dashboard’s 802.11 tab, 81<br />
Q<br />
QoS Packet Scheduler Service, 37<br />
R<br />
Real-time decodes<br />
display limitations, 216<br />
enabling/disabling, 213<br />
Live scroll mode, 215<br />
Non-live scroll mode, 216<br />
scrolling modes, 215<br />
viewing, 214<br />
Rearranging the Expert display, 153<br />
Reassemble entire trace file option, 179<br />
Reassembly window size option,<br />
Reassociation Requests counter<br />
179<br />
in Dashboard’s 802.11 tab,<br />
Reassociation Responses counter<br />
79<br />
in Dashboard’s 802.11 tab, 79<br />
Recycle Expert Objects, 136<br />
registering software, 30<br />
Relative time,<br />
removing<br />
182<br />
MAC Bridge Miniport Driver, 39<br />
QoS Packet Scheduler Service, 37<br />
requirements for installation, 18<br />
User’s <strong>Guide</strong> 277
Resolve name on Network address,<br />
Retry Pkts counter<br />
180<br />
in Dashboard’s 802.11 tab, 78<br />
in Host Table, 87<br />
RIP analysis, 138<br />
Routers, autodiscovery, 254<br />
RspTm of 90% Response, 103<br />
ART setting,<br />
RTS counter<br />
102<br />
in Dashboard’s 802.11 tab, 81<br />
S<br />
Sales Offices, 4<br />
Saving buffer contents to a file, 127<br />
scrolling modes (Real-time decodes), 215<br />
searching for frames, 186<br />
data pattern searches, 190<br />
Expert alarm searches, 195<br />
status flag searches, 193<br />
text searches,<br />
Select Settings<br />
187<br />
no cards, 34<br />
Selecting packets, 165<br />
serial number, obtaining,<br />
Setting<br />
30<br />
alarm notification options, 264<br />
beeps and sounds, 265<br />
capture buffer options, 124<br />
Expert options,<br />
severities<br />
134<br />
logging, 259<br />
Severity levels<br />
Expert alarms, 262<br />
Monitor alarms, 260<br />
sharing filters, 241<br />
Show all layers, 180<br />
Show Expert symptoms, 180<br />
Show network address,<br />
Signal Curr counter<br />
180<br />
in Host Table, 86, 89<br />
Signal Level counter<br />
in Global Statistics,<br />
Signal Max counter<br />
119<br />
278 Sniffer <strong>Portable</strong> <strong>Professional</strong><br />
in Host Table,<br />
Signal Min counter<br />
86, 89<br />
in Host Table, 86, 89<br />
Single Key Set option, 59<br />
Single station capture,<br />
Sniffer<br />
84, 128<br />
installing, 22<br />
uninstalling, 21<br />
Sniffer icons,<br />
Sniffer PC<br />
43<br />
power considerations,<br />
Sniffer window<br />
36<br />
introduced, 41<br />
navigating, 41<br />
title bar, 41<br />
Sound files, 265<br />
Start triggers, 242<br />
Statistics tab, 210<br />
Status column in 802.11 tab, 85, 88<br />
Stop triggers, 242<br />
Subnet mask settings, 138<br />
Summary Display, 178<br />
Summary pane (decode display),<br />
support<br />
162<br />
Customer Support, 4<br />
Switching network adapters, 267<br />
Symptom in Expert analysis, 131<br />
system requirements, 18<br />
T<br />
Thresholds<br />
Expert, 137<br />
Monitor,<br />
title bar<br />
51, 75<br />
Sniffer window,<br />
Toolbar<br />
41<br />
Global Statistics, 117<br />
History Samples, 112<br />
Host Table, 84, 207<br />
main, 71<br />
Matrix, 95, 203<br />
Protocol Distribution,<br />
Tools<br />
115, 209
adding your own, 64<br />
customizing,<br />
Topology counter<br />
64<br />
in Global Statistics,<br />
trace files<br />
118<br />
formats, 127<br />
opening, 127<br />
Triggers, 129, 242<br />
troubleshooting<br />
cards don’t appear, 34<br />
Two-station format,<br />
Type counter<br />
181<br />
in Host Table, 85<br />
U<br />
uninstalling<br />
QoS Packet Scheduler Service, 37<br />
Sniffer, 21<br />
Update Time counter<br />
in Host Table, 87, 90<br />
Use Address Book to resolve name,<br />
User Interface<br />
180<br />
menus, 44<br />
utilization calculations (wireless), 76<br />
V<br />
Valid Channel, 86, 89<br />
Valid Topology, 86, 89<br />
viewing Real-time decodes, 214<br />
W<br />
website, Customer Support, 4<br />
WEP decryption<br />
postcapture, 199<br />
WEP ICVs<br />
as filter option, 237<br />
WEP Pkts counter<br />
in Dashboard’s 802.11 tab, 78<br />
WPA decryption<br />
postcapture, 199<br />
User’s <strong>Guide</strong> 279
280 Sniffer <strong>Portable</strong> <strong>Professional</strong>