Sniffer Adaptive Application Analyzer: Adaptive Mode ... - NetScout
EARLY FIELD TRIAL<br />
<strong>Sniffer</strong> ® <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>:<br />
<strong>Adaptive</strong> <strong>Mode</strong> User’s Guide<br />
733-0204 Rev A<br />
<strong>NetScout</strong> ® Systems, Inc.<br />
Westford, MA 01886<br />
Telephone: 978.614.4000<br />
Fax: 978.614.4004<br />
Web: http://www.netscout.com
Use of this product is subject to the <strong>NetScout</strong> Systems, Inc. End User License Agreement, which<br />
accompanies the product at the time of shipment.<br />
Notice of Restricted Rights: Use, duplication, release, modification, transfer, or disclosure (for purposes<br />
of this section, "Use") of the Software is restricted by the terms of <strong>NetScout</strong> Systems, Inc.’s End User<br />
License Agreement and further restricted in accordance with FAR 52.227-14 for civilian Government<br />
agency purposes and 252.227-7015 of the Defense Federal Acquisition Regulations Supplement<br />
("DFARS") for military Government agency purposes, or the similar acquisition regulations of other<br />
applicable Government organizations, as applicable and amended. The Use of Software and the Product<br />
is restricted by the terms of <strong>NetScout</strong> Systems, Inc.’s End User License Agreement, in accordance with<br />
DFARS Section 227.7202 and FAR Section 12.212. The information in this manual is subject to change<br />
without notice.<br />
<strong>NetScout</strong>, the <strong>NetScout</strong> logo, Network General, the Network General logo, nGenius, Quantiva, NetVigil,<br />
InfiniStream, Business Container, and <strong>Sniffer</strong> are registered trademarks of <strong>NetScout</strong> Systems, Inc. and/<br />
or its affiliates in the United States and/or other countries. The CDM logo, MasterCare, the MasterCare<br />
logo, Visualizer, and HyperLock are trademarks of <strong>NetScout</strong> Systems, Inc. All other registered and<br />
unregistered trademarks herein are the sole property of their respective owners. <strong>NetScout</strong> Systems,<br />
Inc. reserves the right, at its sole discretion, to make changes at any time in its technical information,<br />
specifications, service and support programs.<br />
All other brand names, company identifiers, trademarks, service trademarks, registered trademarks and<br />
registered service marks mentioned in this document or the <strong>NetScout</strong> Systems license agreement are<br />
properties of their respective owners, and protected as such against unlawful use or distribution.<br />
This product includes software developed by the Apache Software Foundation<br />
(http://www.apache.org/). Copyright 1997-2008 The Apache Software Foundation. All rights reserved.<br />
THE SOFTWARE DEVELOPED BY APACHE SOFTWARE FOUNDATION AND INCLUDED HEREIN IS<br />
PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED<br />
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE<br />
DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE<br />
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL<br />
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<br />
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY<br />
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF<br />
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit<br />
("<br />
Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.<br />
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED<br />
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY<br />
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL<br />
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,<br />
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF<br />
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)<br />
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,<br />
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS<br />
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)<br />
"<br />
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)<br />
"<br />
Copyright (c) 1995-1998 Eric Young (eay@cryptsoft.com) All rights<br />
reserved.<br />
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,<br />
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS<br />
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS<br />
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL<br />
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;<br />
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY<br />
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING<br />
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF<br />
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
<strong>Sniffer</strong> ® <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>:<br />
733-0204 Rev A<br />
Copyright 2010 <strong>NetScout</strong> Systems, Inc. Printed in the USA.<br />
All rights reserved.
Customer Support<br />
The best way to contact Customer Support is to submit a Support Request:<br />
https://my.netscout.com/pages/mcplanding.asp<br />
Telephone: In the US, call 888-357-7667; outside the US, call<br />
+011 978-614-4000. Phone support hours are 8 a.m. to 8 p.m. Eastern Standard Time (EST).<br />
E-mail: support@netscout.com<br />
When you contact Customer Support, the following information can be helpful in diagnosing and<br />
solving problems:<br />
— Type of network platform<br />
— Software and firmware versions<br />
— Hardware model number<br />
— License number and your organization’s name<br />
— The text of any error messages<br />
— Supporting screen images, logs, and error files, as appropriate<br />
— A detailed description of the problem<br />
Sales<br />
Call 800-357-7666 for the sales office nearest your location.<br />
Training<br />
Course listings and information on nGenius Certification are available at:<br />
http://www.netscout.com/training<br />
An extensive library of online course listings, discussion groups, podcasts and best practices is<br />
available at nGenius Learning 360:<br />
http://www.netscout.com/training/learning360<br />
Documentation<br />
Send comments or questions about nGenius documentation to the following address:<br />
contact_doc@netscout.com<br />
User Forum<br />
To join a customer-driven user group connecting the worldwide community of <strong>NetScout</strong> users, visit<br />
the following website:<br />
http://www.netscoutuserforum.com/<br />
RoHS and WEEE<br />
For compliance information on RoHS and WEEE, visit the <strong>NetScout</strong> Systems website:<br />
http://www.netscout.com<br />
Contents<br />
Section 1<br />
Introduction<br />
1 <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> Overview . . . . . . . . 13<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13<br />
About <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> . . . . . . . . . . . . . . . . . . . . . . 13<br />
About <strong>Sniffer</strong> <strong>Adaptive</strong> Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16<br />
Protocols Supported for <strong>Sniffer</strong> <strong>Adaptive</strong> Processing . . . . . . . . . . . . . . 18<br />
What’s Different? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19<br />
Key Differences for InfiniStream Console Users . . . . . . . . . . . . . . . . . 19<br />
Key Differences for <strong>Sniffer</strong> Portable/<strong>Sniffer</strong> Global Users . . . . . . . . . . . 22<br />
Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23<br />
2 Quick Start – Five Steps . . . . . . . . . . . . . . . . . . . . . . . . 27<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27<br />
Step 1 – Connecting to the Local Agent . . . . . . . . . . . . . . . . . . . . . . . . . 28<br />
Step 2 – Selecting Data in the Graph Panel . . . . . . . . . . . . . . . . . . . . . . 31<br />
Step 3 – Viewing Network Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . 32<br />
Step 4 – Capturing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33<br />
Step 5 – Mining Packet Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37<br />
<strong>Adaptive</strong> Postcapture Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39<br />
Classic Postcapture Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40<br />
Section 2<br />
Getting Started<br />
3 Working with the Quick Select Window . . . . . . . . . . . . . . . . . . . . . . . . . . 45<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45<br />
Launching <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> . . . . . . . . . . . . . . . . . . . 45<br />
Introducing the Navigation Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47<br />
User’s Guide 5
Opening a Network Interface for Monitoring . . . . . . . . . . . . . . . . . . . . 48<br />
Other Navigation Panel Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49<br />
Introducing the Graph Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49<br />
Using the Time Selector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51<br />
Viewing “Hover” Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53<br />
Using the Graph Panel Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54<br />
Introducing the Graph Panel Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57<br />
Global Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57<br />
Selected Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59<br />
Pie Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61<br />
Column Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63<br />
Time Series Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65<br />
Capture Panel Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66<br />
Viewing Reports on the Spreadsheet Tab . . . . . . . . . . . . . . . . . . . . . . . . 67<br />
Using Custom Colors in the Quick Select Window . . . . . . . . . . . . . . . . . . 67<br />
Sample S2DPalette.ini File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69<br />
4 Using the Statistics Panel . . . . . . . . . . . . . . . . . . . . . . . 71<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71<br />
About the Statistics Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71<br />
Introducing the Statistics Panel Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . 72<br />
Spreadsheet Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72<br />
Reports Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87<br />
Working with the Statistics Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93<br />
Using Statistics Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93<br />
Refreshing Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97<br />
Selecting and Deselecting Rows . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97<br />
Sorting Statistics Panel Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98<br />
Using the Statistics Panel Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99<br />
Modifying Statistics Panel Columns and Tabs . . . . . . . . . . . . . . . . . . . . 104<br />
Adding New Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104<br />
Adding New Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106<br />
Reordering and Deleting Columns and Tabs . . . . . . . . . . . . . . . . . . . 106<br />
Section 3<br />
Capturing and Mining Data<br />
5 Capturing and Mining Data . . . . . . . . . . . . . . . . . . . . . 109<br />
6 <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109<br />
About Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110<br />
Configuring and Starting Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111<br />
Mining Packet Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115<br />
Using the Mining Summary Dialog . . . . . . . . . . . . . . . . . . . . . . . . . 116<br />
Using the Progress Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118<br />
6 Using Filters in the Quick Select Window . . . . . . . . . . . 119<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119<br />
About Quick Select Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120<br />
Defining Quick Select Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124<br />
Working with Auto Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125<br />
Working with the Filter List Pane (a) . . . . . . . . . . . . . . . . . . . . . . . . 125<br />
Working with the Filter Editor Pane (c) . . . . . . . . . . . . . . . . . . . . . . 126<br />
Adding Terms to the Create/Edit Filters Dialog Box . . . . . . . . . . . . . . 129<br />
Using Pattern Matches with Mining Filters . . . . . . . . . . . . . . . . . . . . 131<br />
Applying Quick Select Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132<br />
Applying Mining Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133<br />
Applying Source Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134<br />
Applying <strong>Adaptive</strong> Display Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 136<br />
Applying Statistics Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138<br />
Section 4<br />
Analyzing Data<br />
7 <strong>Adaptive</strong> Session Analysis . . . . . . . . . . . . . . . . . . . . . 141<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141<br />
Postcapture Analysis by Capture <strong>Mode</strong> . . . . . . . . . . . . . . . . . . . . . . . . 141<br />
<strong>Adaptive</strong> <strong>Mode</strong> Postcapture Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 143<br />
How <strong>Adaptive</strong> Processing Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144<br />
<strong>Adaptive</strong> Postcapture Analysis Views . . . . . . . . . . . . . . . . . . . . . . . . . . 146<br />
<strong>Adaptive</strong> Session View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147<br />
<strong>Adaptive</strong> Decode View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153<br />
Searching <strong>Adaptive</strong> Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158<br />
Using Filters with <strong>Adaptive</strong> Postcapture Views . . . . . . . . . . . . . . . . . 159<br />
Enabling VLAN Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159<br />
8 Raw Capture <strong>Mode</strong> Postcapture Analysis . . . . . . . . . . . 161<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161<br />
Introducing the Raw <strong>Mode</strong> Postcapture Window . . . . . . . . . . . . . . . . . . 162<br />
Introducing the Packet Decode Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . 165<br />
Navigating the Decode Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167<br />
Selecting Packets in the Decode Tab . . . . . . . . . . . . . . . . . . . . . . . . 170<br />
Using the Decode Tab Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170<br />
Working with Display Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172<br />
Types of Display Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173<br />
Using Automatic Display Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 174<br />
Using Quick Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178<br />
Combining Filter Components (“Add to Last Filter”) . . . . . . . . . . . . . 179<br />
Selecting Filters / Combining Multiple Filters . . . . . . . . . . . . . . . . . . 180<br />
Using Manual Filters (Display > Define Filter) . . . . . . . . . . . . . . . . . 183<br />
Using the Manual Display Filter Tabs . . . . . . . . . . . . . . . . . . . . . . . . 185<br />
Importing and Exporting Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . 190<br />
Setting Display Setup Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191<br />
Display Setup > General Options . . . . . . . . . . . . . . . . . . . . . . . . . . 192<br />
Display Setup > Summary Display Options . . . . . . . . . . . . . . . . . . . 193<br />
Display Setup > Packet Selection Options . . . . . . . . . . . . . . . . . . . . 195<br />
Setting Protocol Aliases for the Postcapture Display . . . . . . . . . . . . . 196<br />
Searching for Frames in the Decode Display . . . . . . . . . . . . . . . . . . . . . 197<br />
Printing Decoded Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207<br />
Using the Matrix Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209<br />
Using the Host Table Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212<br />
Using the Protocol Distribution Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . 214<br />
Using the Statistics Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216<br />
Enabling VLAN Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217<br />
9 Expert Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219<br />
Expert Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219<br />
Rearranging Expert Panes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221<br />
Setting Automatic Expert Display Filters . . . . . . . . . . . . . . . . . . . . . 222<br />
Displaying Context-Sensitive Explain Messages . . . . . . . . . . . . . . . . 223<br />
Postcapture Expert/Decode Statistics and CRCs . . . . . . . . . . . . . . . . 224<br />
Extra Characters in Expert Displays for High Counts? . . . . . . . . . . . . 224<br />
Saving Expert Objects with Trace Files . . . . . . . . . . . . . . . . . . . . . . 224<br />
Setting Expert Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225<br />
Objects Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226<br />
Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229<br />
Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231<br />
Subnet Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233<br />
RIP Options Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234<br />
VoIP Options Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236<br />
Oracle Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237<br />
Mobile Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237<br />
IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239<br />
Exporting Expert Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239<br />
Section 5<br />
Additional Information<br />
10 Setting Quick Select Options . . . . . . . . . . . . . . . . . . . 243<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243<br />
Setting General Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243<br />
Setting Connection Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245<br />
Setting Graph Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247<br />
Setting Files Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248<br />
Setting Aliases Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250<br />
Using Group Aliases Effectively . . . . . . . . . . . . . . . . . . . . . . . . . . . 252<br />
Setting Options in the Mining Options Tab . . . . . . . . . . . . . . . . . . . . . . 254<br />
11 Using the Address Book . . . . . . . . . . . . . . . . . . . . . . . 255<br />
Section 6<br />
Reporting<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255<br />
Introducing the Address Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255<br />
Using the Address Book Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . 257<br />
Adding Addresses Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258<br />
12 Running Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261<br />
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261<br />
Generating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261<br />
Generating Reports from the Spreadsheet Tab . . . . . . . . . . . . . . . . . 261<br />
Generating Reports From the Reports Tab . . . . . . . . . . . . . . . . . . . . 264<br />
Modifying the Report Data Window . . . . . . . . . . . . . . . . . . . . . . . . . . . 265<br />
Printing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265<br />
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267<br />
SECTION 1<br />
Introduction<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> Overview on page 13<br />
About <strong>Sniffer</strong> <strong>Adaptive</strong> Intelligence on page 16<br />
What’s Different? on page 19<br />
Key Terms on page 23<br />
Quick Start – Five Steps on page 27
1 <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> Overview<br />
Overview<br />
This guide describes how to use <strong>Sniffer</strong> ® <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong><br />
in <strong>Adaptive</strong> mode. For information on the Classic mode, refer to the<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>: Classic <strong>Mode</strong> User’s Guide.<br />
This section introduces <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>, describes<br />
the <strong>Sniffer</strong> <strong>Adaptive</strong> Intelligence technology, summarizes the major<br />
features of the software, and orients you to the product as a whole. The<br />
following topics are covered.<br />
— About <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong><br />
— About <strong>Sniffer</strong> <strong>Adaptive</strong> Intelligence<br />
— Protocols Supported for <strong>Sniffer</strong> <strong>Adaptive</strong> Processing<br />
— What’s Different?<br />
— Key Terms<br />
About <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong><br />
You can use <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> in either <strong>Adaptive</strong> or<br />
Classic mode, depending on which entry you select in the Start menu:<br />
<strong>Adaptive</strong> <strong>Mode</strong> – Combines the familiar user interface of the<br />
InfiniStream ® Console’s Quick Select window with a local Ethernet<br />
interface and packet buffer (Figure 1-2). In addition, <strong>Adaptive</strong><br />
Intelligence condenses packet information for a range of<br />
application types while augmenting it with session-awareness,<br />
providing both the top-down view of a complete session as well as<br />
its critical packet-level details.<br />
Classic <strong>Mode</strong> – Provides all of the functionality traditionally<br />
associated with <strong>NetScout</strong>’s <strong>Sniffer</strong> Portable Professional product,<br />
including Wi-Fi support, real-time Expert, and full decodes.<br />
NOTE: <strong>Adaptive</strong> and Classic modes have separate interfaces.<br />
Although both interfaces can be open at the same time,<br />
simultaneously monitoring/capturing data from the <strong>Adaptive</strong> and<br />
Classic interfaces is not supported.<br />
Figure 1-1. <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> – One Product, Two <strong>Mode</strong>s<br />
Figure 1-2. <strong>Adaptive</strong> <strong>Mode</strong> Summary<br />
About <strong>Sniffer</strong> <strong>Adaptive</strong> Intelligence<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> introduces new <strong>Adaptive</strong> Session<br />
Intelligence technology that streamlines packet-level analysis for<br />
critical protocols while augmenting it with session-awareness. The<br />
<strong>Adaptive</strong> capture mode stores both <strong>Adaptive</strong> Session Packets (ASPs) for<br />
bit-level analysis and correlated <strong>Adaptive</strong> Session Records (ASRs) for<br />
session analysis:<br />
<strong>Adaptive</strong> Session Intelligence extracts and preserves key fields<br />
from supported packet types, storing condensed <strong>Adaptive</strong><br />
Session Packets (ASPs) rather than raw packets for supported<br />
protocols.<br />
ASPs include compressed packet headers through the transport<br />
layer and an intelligently “derived” payload rather than the actual<br />
payload. ASPs are much smaller than their raw counterparts and<br />
can be stored and analyzed much more efficiently. They are also<br />
correlated with parent <strong>Adaptive</strong> Session Records for session<br />
analysis.<br />
The exact fields preserved in an ASP vary by protocol but include<br />
compressed MAC/IP headers and key data fields (for example, SQL<br />
calls embedded in the data portion of an HTTP packet).<br />
<strong>Adaptive</strong> Session Records (ASRs) store metadata for flow<br />
analysis, providing end-to-end transaction metrics, including:<br />
— Source/Destination Identifiers<br />
— Session start/end times<br />
— Latency metrics, success/failure codes, and error messages.<br />
— <strong>Application</strong>-specific metrics for HTTP, DNS, Media (RTP), Mail (SMTP/POP), FTP, and so on.<br />
You work with ASRs and ASPs in separate Session and Decode views<br />
(Figure 1-3). The <strong>Adaptive</strong> Session and Decode views are very similar to<br />
the classic <strong>Sniffer</strong> decode window, allowing you to perform network<br />
analysis in Summary and Detail panes. Correlation between a session<br />
and its underlying ASPs lets you drill back and forth between the two<br />
views, so you get both the top-down view of a complete session and its<br />
constituent packet-level details.
Figure 1-3. Sniffer Adaptive Processing – Sessions and Packets

[Figure callouts: Adaptive Session Packets are available for viewing in the Adaptive Decode view. Standard Summary and Detail panes let you browse through the events; here we see one of the FTP packets associated with the session listed above. Use the Open ASR command to drill up to the session file containing the parent flow. Adaptive capture produces session records for supported protocols; here we see flow statistics for an FTP session. Use the Adaptive Packet Drill Down command to view the underlying packet events.]
Using Traditional Packet Capture
In addition to the new Adaptive capture mode, the Expert analysis and raw packet decodes traditionally available in Sniffer products are also available in Sniffer Adaptive Application Analyzer. You can change the capture mode by clicking the Configure Capture button in the Capture toolbar and setting Capture Type to Raw instead of Adaptive (the default; Figure 1-4).

Figure 1-4. Setting the Capture Mode
[Figure callout: Select the Capture Mode in the Configure Capture dialog box.]
Protocols Supported for Sniffer Adaptive Processing

Sniffer Adaptive Application Analyzer supports the following protocols for adaptive processing, storing ASPs with derived payloads. For all other protocols, you have the choice of capturing full packets, sliced packets, or filtering them out entirely.

• HTTP
• FTP
• DNS
• SMTP
• POP3
• RTP
• RTCP
• SIP
• Cisco Skinny
Sample Trace Files

Sniffer Adaptive Application Analyzer is provided with several sets of sample trace files in the \Netscout\Sniffer Adaptive Application Analyzer\traces folder. Each set contains both a raw packet capture (.cap) file and the corresponding Adaptive Traces (.asp/.asr) generated by replaying the capture file.

Each raw packet capture file contains flows using the protocols supported for ASI processing listed above. This way, you can compare the raw packet file and its corresponding Adaptive Session files to understand how the ASI technology works.

In particular, you can see how Adaptive Intelligence stores key elements of supported protocols. For example, the key elements captured for an HTTP flow are Host and URL details, while for an RTP flow, the Caller and Callee Media Addresses are stored. The sample trace files also demonstrate the compression achieved by Adaptive processing – you can see at a glance the size differences between the raw and Adaptive traces.
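To make the ASP/ASR distinction and the size comparison concrete, the following Python model is an added example, not NetScout code and not the real .asp/.asr file formats. It condenses two constructed HTTP packets into ASP-like records that keep only compressed headers through the transport layer plus derived key fields (Host and URL from the request, status code from the response), correlates them into one ASR-like session record with start/end times, latency and a success/failure code, and compares the byte sizes of the raw, sliced and condensed forms. All field names, the 54-byte header estimate and the packets themselves are assumptions for illustration.

```python
"""Illustrative model of Adaptive Session Packets (ASPs) and Adaptive
Session Records (ASRs). Added example: record layouts and field names
are assumptions, not NetScout's .asp/.asr formats."""
import json

# Constructed raw packets: one HTTP request and its response in one TCP session.
RAW_PACKETS = [
    {"ts": 10.000, "src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb",
     "src_ip": "192.0.2.10", "dst_ip": "198.51.100.20", "proto": "TCP",
     "sport": 51000, "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: constructed/1.0\r\n\r\n"},
    {"ts": 10.042, "src_mac": "66:77:88:99:aa:bb", "dst_mac": "00:11:22:33:44:55",
     "src_ip": "198.51.100.20", "dst_ip": "192.0.2.10", "proto": "TCP",
     "sport": 80, "dport": 51000,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: 2048\r\n\r\n" + b"<html>" + b"x" * 2042},
]


def derive_http_payload(payload: bytes) -> dict:
    """Keep only key HTTP fields (Host and URL for a request, status code
    for a response); the body and remaining headers are discarded."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    first = lines[0].split(" ")
    if first[0].startswith("HTTP/"):
        return {"status": int(first[1])}
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    return {"method": first[0], "url": first[1], "host": headers.get("Host", "")}


def condense_to_asp(pkt: dict) -> dict:
    """Compressed L2/L3/L4 headers plus the derived payload."""
    return {
        "ts": pkt["ts"],
        "l2": f'{pkt["src_mac"]}>{pkt["dst_mac"]}',
        "l3": f'{pkt["src_ip"]}>{pkt["dst_ip"]}',
        "l4": f'{pkt["proto"]}/{pkt["sport"]}>{pkt["dport"]}',
        "derived": derive_http_payload(pkt["payload"]),
    }


def slice_packet(pkt: dict, slice_size: int) -> dict:
    """Raw-mode alternative: keep only the first slice_size payload bytes."""
    return dict(pkt, payload=pkt["payload"][:slice_size])


def build_asr(asps: list) -> dict:
    """Correlate the ASPs of one session into a session-level record."""
    req = next(a for a in asps if "url" in a["derived"])
    rsp = next(a for a in asps if "status" in a["derived"])
    client, server = req["l3"].split(">")
    return {
        "client": client,
        "server": server,
        "start": asps[0]["ts"],
        "end": asps[-1]["ts"],
        "latency_s": round(rsp["ts"] - req["ts"], 3),
        "host": req["derived"]["host"],
        "url": req["derived"]["url"],
        "status": rsp["derived"]["status"],
        "result": "success" if rsp["derived"]["status"] < 400 else "failure",
        "asp_count": len(asps),
    }


def raw_size(pkts) -> int:
    # 54 bytes is an assumed Ethernet+IPv4+TCP header size per packet.
    return sum(len(p["payload"]) + 54 for p in pkts)


def asp_size(asps) -> int:
    return sum(len(json.dumps(a).encode()) for a in asps)


def summarize() -> dict:
    asps = [condense_to_asp(p) for p in RAW_PACKETS]
    return {
        "asr": build_asr(asps),
        "raw_bytes": raw_size(RAW_PACKETS),
        "sliced_bytes": raw_size([slice_packet(p, 64) for p in RAW_PACKETS]),
        "asp_bytes": asp_size(asps),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(), indent=2))
```

The point of the comparison is that slicing caps every packet at a fixed byte count regardless of content, while the ASP keeps a protocol-aware selection (here Host, URL and status) and drops the 2 KB body entirely; the ASR then carries the fields that no single packet holds, such as latency between request and response.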
What’s Different?

Sniffer Adaptive Application Analyzer’s Adaptive mode combines a modified version of the InfiniStream Console user interface with the local network interface and packet buffer familiar to users of Sniffer Portable Professional and Sniffer Global Application. This section summarizes some of the differences users of those products will notice as they work with Sniffer Adaptive Application Analyzer in Adaptive mode.
Key Differences for InfiniStream Console Users

Users accustomed to working with the InfiniStream Console will notice some key differences in Sniffer Adaptive Application Analyzer. Most of the differences are due to the differences in how capture/monitoring takes place – rather than operating as a unified Console with connections to multiple persistent stream-to-disk interfaces on remote InfiniStream appliances, Sniffer Adaptive Application Analyzer uses a single local Ethernet interface capturing data to a local buffer.

Key differences between Sniffer Adaptive Application Analyzer and the InfiniStream Console are summarized below:
Table 1-1. Key Differences in Sniffer Adaptive Application Analyzer for InfiniStream Console Users

Local Capture Buffer
  • The InfiniStream Console connects to remote capture interfaces on multiple independent InfiniStream appliances.
  • Sniffer Adaptive Application Analyzer works with a single local Ethernet network interface. The Navigation Panel only lists the local PC – you can’t add additional remote devices. The local device is identified both by its Windows system name and the loopback IP address of 127.0.0.1.

Capture
  • In the InfiniStream model, capture is “always on,” persistently streaming data to vast packet stores spanning multiple disks/arrays.
  • Sniffer Adaptive Application Analyzer captures data on demand – similar to Sniffer Portable/Global, packets are only available after you’ve started capture manually.

Monitoring Statistics
  • In the InfiniStream model, the InfiniStream appliance tabulates RMON statistics persistently.
  • Sniffer Adaptive Application Analyzer only tabulates RMON statistics once you’ve opened the local network interface by double-clicking its entry in the Navigation Panel at the left of the Quick Select window. Once monitoring begins, new statistics are available for display in 15-second buckets – you can select a time window from the Graph Panel as you normally would.

Adaptive Analysis
  Only available in Sniffer Adaptive Application Analyzer.

Alerts/Alarms
  Not available in Sniffer Adaptive Application Analyzer.

InfiniStream Administration Window
  Not available in Sniffer Adaptive Application Analyzer.

Sniffer Intelligence
  Not available in Sniffer Adaptive Application Analyzer.

Stream Merging
  Not available in Sniffer Adaptive Application Analyzer.
Sniffer Expert
  Available when capturing in Raw mode instead of Adaptive mode. Sniffer Adaptive Application Analyzer automatically determines which capture mode you are using and displays the appropriate analysis interface when you click the Mine button to retrieve packet data from a time selection:
  • Adaptive Capture Mode – ASPs are analyzed in the Adaptive Session Trace Session and Decode views with drilldowns available between the two perspectives.
  • Raw Capture Mode – Packets are analyzed in the traditional postcapture Display window with Expert, tri-pane Decode, Matrix, Host Table, Protocol Distribution, and Statistics tabs.

Trace Files
  • The InfiniStream Console can open Sniffer (.cap) trace files both into the Quick Select window and into the postcapture Decode window.
  • Sniffer Adaptive Application Analyzer only opens Sniffer trace files into the postcapture Decode window using File > Open; you can’t add them to the Navigation panel for Quick Select analysis as you can with the InfiniStream Console. However, you can also open Adaptive trace files (.asr and .asp; refer to Key Terms on page 23 for a description of these file types).
Key Differences for Sniffer Portable/Sniffer Global Users

Users coming to Sniffer Adaptive Application Analyzer’s Adaptive mode from Sniffer Portable and Sniffer Global Application will notice some key differences. The most obvious difference is the user interface itself – rather than using the Sniffer Portable look and feel, Sniffer Adaptive Application Analyzer adapts the InfiniStream Console user interface for use with a portable network analysis model.

NOTE: Keep in mind that all traditional Sniffer Portable features are still available in Sniffer Adaptive Application Analyzer’s Classic mode.

Key differences between Adaptive and Classic mode are summarized in the table below. These same differences also exist between Adaptive mode and Sniffer Portable/Sniffer Global Application.
Table 1-2. Key Differences in Sniffer Adaptive Application Analyzer for Sniffer Portable/Sniffer Global Users

User Interface
  Sniffer Adaptive Application Analyzer’s Adaptive mode is based on the InfiniStream Console user interface. The Postcapture Display window displayed for a Sniffer-format (.cap) trace file is mostly the same between the two products, but other features follow the InfiniStream Console model.

Capture
  • Sniffer Portable/Global provides a Dashboard and Capture Panel with live packet counts as well as real-time Expert analysis and decodes.
  • Sniffer Adaptive Application Analyzer also provides a Capture Panel, though the statistics displayed are not the same. You can observe real-time capture in the Graph Panel, make a time selection for real-time statistics, and mine any portion of the stream for postanalysis. Real-time Expert analysis is not available.

Monitoring Statistics
  • In Sniffer Portable/Global, monitoring statistics are collected once an adapter is opened and are presented in separate monitor applications available from the Monitor menu.
  • Sniffer Adaptive Application Analyzer collects RMON monitoring statistics once a network interface is opened and presents them in separate tabs in the Statistics panel at the base of the Quick Select window instead of in separate applications available from the Monitor menu.

Wi-Fi Analysis
  Only available in Classic mode (or Sniffer Portable/Sniffer Global Application). Sniffer Adaptive Application Analyzer only provides support for 100/1000 Mbps Ethernet.

Adaptive Analysis
  Only available in Sniffer Adaptive Application Analyzer.
Key Terms

The following table defines terms and concepts used in this manual.

Table 1-3. Key Terms

Adaptive Session Intelligence
  Adaptive Session Intelligence is a Sniffer technology used to streamline network analysis by extracting key fields from supported protocols and preserving them in a .asp trace file. The .asp trace file is associated with a corresponding .asr trace file where correlated session-level metadata is stored.

ASI Protocol Interpreters
  Adaptive Session Intelligence (ASI) Protocol Interpreters condense raw packets into Adaptive Session Packets. For supported protocols, ASI Protocol Interpreters extract key fields and generate Adaptive Session Packets with derived payloads. Other protocols can be captured with the raw payload intact or with an optional slice size.

Adaptive Session Packets (ASPs)
  Condensed “packet events” generated by ASI Protocol Interpreters for supported protocols. ASPs consist of compressed headers through Layer 4 along with key fields extracted from the application payload.

Adaptive Session Records (ASRs)
  Adaptive Session Records store session-level metadata for transactions observed using supported protocols – for example, an HTTP session, an email exchange, and so on. Adaptive Session Records let you view combined statistics for entire sessions not available in a single packet. Adaptive Session Records are stored in .asr files and are associated with corresponding .asp files. You can drill between separate decode views for each to see both top-level session statistics and the packet-level details.

Adaptive Capture Mode
  Network capture with Adaptive payload generation enabled (the default). You can also use traditional packet capture; refer to Using Traditional Packet Capture.
Network Interface (Stream)
  A network interface is the local source of network traffic for Sniffer Adaptive Application Analyzer monitoring and capture. Sniffer Adaptive Application Analyzer supports a single network interface for monitoring/capture – the Ethernet interface on the local PC. This interface is listed under the local laptop’s entry in the Navigation Panel at the left of the user interface, like this:

  [Navigation Panel illustration: local laptop/desktop > network interface]

  InfiniStream Console users may be accustomed to referring to the network interface as a “stream.” The basic idea is the same – it’s the console’s representation of a packet/data gathering interface. However, there are several key differences:
  • The Sniffer Adaptive Application Analyzer network interface is on the local PC; streams are on remote InfiniStream appliances.
  • Sniffer Adaptive Application Analyzer begins monitoring statistics on the network interface when it is opened in the Navigation Panel. Packets themselves are only gathered when capture is started manually. In contrast, packets/statistics are continuously gathered for active streams on InfiniStream appliances.
  • Sniffer Adaptive Application Analyzer only has a single network interface – the Ethernet interface on the local laptop (identified in the list using the loopback IP address of 127.0.0.1). In contrast, the InfiniStream Console works with multiple remote appliances, each with multiple network streams.

Capture Buffer (Store)
  Sniffer Adaptive Application Analyzer stores captured packets and metadata in an in-memory capture buffer on the local PC. Recorded data stored in the capture buffer can be saved to trace files for permanent storage.

  InfiniStream Console users may be accustomed to referring to the capture buffer as “the store.” The basic idea is the same – a place to keep captured packets/metadata. However, there are several key differences between the Sniffer Adaptive Application Analyzer capture buffer and the store on an InfiniStream appliance:
  • The capture buffer is on the local PC; the store is on a remote InfiniStream appliance.
  • The capture buffer is designed for short-term recording and is filled on demand when capture starts; the store is a persistent stream-to-disk operation designed for long-term forensic storage and analysis.
  • The capture buffer is relatively small (up to 1GB) and can be saved to trace files; the store is massive, typically spanning multiple disks/arrays.
  • The capture buffer is dynamic and is removed when the application shuts down; the store is persistent.
Statistical Data
  Statistical Data refers to the RMON network statistics tabulated and presented in the Statistics panel at the base of the Quick Select window. Statistical Data includes traditional packet/byte counts broken out by MAC address, IP address, application port, conversation, and so on.

  Sniffer Adaptive Application Analyzer begins monitoring statistical data when you double-click the local network interface in the Navigation Panel – the Graph Panel will begin to update and display traffic volume over time. However, Sniffer Adaptive Application Analyzer does not record packets until you manually start capture.

  You can use the color-coded Availability Meter at the base of the Graph Panel to determine where both packets and statistics are available and where only statistics are available. Refer to Availability Meter on page 56 for details.

Time Selection
  After Sniffer Adaptive Application Analyzer begins capturing packets, you can select a segment of the available packets in the Graph Panel for analysis. That segment – a portion of the available packets with a beginning and end time – is called a time selection. You must make a time selection before you can analyze or mine the stream’s data.

Data Mining
  Data mining, or mining, refers to your ability to retrieve some of the packets in the capture buffer using your own custom search criteria. Mining allows you to locate specific sets of packets and conversations within the available data.

Mining Filter
  A mining filter is a user-configured set of packet criteria and Boolean logic you can use to sift through data in the capture buffer.

Source Filter
  A source filter is a user-configured set of packet criteria and Boolean logic Sniffer Adaptive Application Analyzer uses to filter unwanted packets before they are used for RMON monitoring or recorded to the capture buffer. Use these with care, since those packets you filter out are irretrievable.
Quick Start – Five Steps

Overview

This section describes how to get started using Sniffer Adaptive Application Analyzer:

• Step 1 – Connecting to the Local Agent on page 28
• Step 2 – Selecting Data in the Graph Panel on page 31
• Step 3 – Viewing Network Statistics on page 32
• Step 4 – Capturing Data on page 33
• Step 5 – Mining Packet Data on page 37

NOTE: Sniffer Adaptive Application Analyzer should be installed on a machine that meets or exceeds the system requirements before using these steps. Refer to the Sniffer Adaptive Application Analyzer Installation Guide for system requirements, as well as details on which NetScout applications can be installed on the same machine as Sniffer Adaptive Application Analyzer.
Step 1 – Connecting to the Local Agent

Once you’ve installed Sniffer Adaptive Application Analyzer, you’re ready to start the application, open the local network interface in the Navigation panel, and view its traffic in the Graph and Statistics panels.

1. On the Console machine, go to Start > (All) Programs > NetScout > Sniffer Adaptive Application Analyzer > and select the Sniffer (Adaptive Mode) entry to launch Sniffer Adaptive Application Analyzer. The Quick Select window appears displaying the Navigation, Graph, and Statistics panels (Figure 2-1):

Figure 2-1. Initial View of the Quick Select Window
[Figure callouts:
  Navigation Panel – The Navigation panel lists the network interfaces available for monitoring and capture on the local PC. See Using the Navigation Panel on page 41.
  Graph Panel – The Graph panel displays a graphical representation of the local network interface’s traffic. The Graph controls let you browse the available data statistics and select a specific time period for analysis. See Working with the Quick Select Window on page 45.
  Statistics Panel – The Statistics panel displays the data statistics for a variety of traffic elements within the time selection in the Graph panel. See Using the Statistics Panel on page 71.]
2. When you first start Sniffer Adaptive Application Analyzer in Adaptive mode, the Graph and Statistics panels are both empty. Open a network interface for monitoring to start statistics collection:

   [Figure callouts: Double-click the local PC’s entry in the Navigation Panel. The local PC is indicated with both the MS-Windows system name and the loopback IP address of 127.0.0.1. The local PC’s entry cascades open to show the network interface available for monitoring (local laptop/desktop > network interface). Double-click the interface to start monitoring; the interface is then shown as selected for monitoring. Monitoring begins. Data is available for display in the Graph and Statistics panels after the completion of the first 15-second collection bucket.]

   NOTE: The console assigns a color and letter to the interface. The letter indicates the order in which interfaces were opened (for example, the first interface is assigned the letter A). These designations are used for stream merging and are cosmetic in this release – only a single network interface is supported.

3. Once the first bucket of statistics is collected, click either the Next Time Selection or Current Time button above the Graph Panel to populate it with bars illustrating the progress of statistics collection (Figure 2-2).

Figure 2-2. Graph Panel with Statistics Collection in Progress
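Step 1 and Table 1-1 both describe monitoring statistics becoming available in 15-second buckets, with nothing displayed until the first bucket completes. The following Python block is an added example of that tabulation model, not NetScout code: constructed packet observations are aligned to 15-second buckets, per-bucket packet/byte totals and per-IP byte counts are kept, buckets still collecting at the current time are withheld, and a time selection sums the completed buckets in a window. The bucket layout, the observations and the summing rule are assumptions for illustration.

```python
"""Added example: tabulating monitoring statistics in 15-second buckets.
The bucket structure and the sample observations are assumptions and
are not Sniffer Adaptive Application Analyzer's implementation."""
from collections import defaultdict

BUCKET_SECONDS = 15

# Constructed observations: (timestamp, src_ip, dst_ip, frame bytes).
OBSERVED = [
    (100.0, "192.0.2.10", "198.51.100.20", 134),    # bucket starting at 90
    (104.5, "198.51.100.20", "192.0.2.10", 2168),   # bucket starting at 90
    (108.0, "192.0.2.11", "198.51.100.53", 78),     # bucket starting at 105
    (119.9, "192.0.2.11", "198.51.100.20", 120),    # bucket starting at 105
    (120.0, "192.0.2.12", "198.51.100.22", 96),     # first packet of bucket 120
    (131.0, "192.0.2.10", "198.51.100.20", 140),    # bucket starting at 120
]


def bucket_start(ts: float) -> int:
    """Align a timestamp down to the start of its 15-second bucket."""
    return int(ts // BUCKET_SECONDS) * BUCKET_SECONDS


def tabulate(observed, now: float) -> dict:
    """Per-bucket totals and per-IP byte counts, limited to buckets that
    have completed by 'now'; a bucket still collecting is withheld, which
    is why the panels stay empty until the first bucket finishes."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "by_ip": defaultdict(int)})
    for ts, src, dst, size in observed:
        b = bucket_start(ts)
        if b + BUCKET_SECONDS > now:
            continue  # bucket not complete yet
        buckets[b]["packets"] += 1
        buckets[b]["bytes"] += size
        buckets[b]["by_ip"][src] += size
        buckets[b]["by_ip"][dst] += size
    return {b: {"packets": v["packets"], "bytes": v["bytes"], "by_ip": dict(v["by_ip"])}
            for b, v in sorted(buckets.items())}


def time_selection(stats: dict, start: int, end: int) -> dict:
    """Sum completed buckets whose start lies in [start, end)."""
    total = {"packets": 0, "bytes": 0}
    for b, v in stats.items():
        if start <= b < end:
            total["packets"] += v["packets"]
            total["bytes"] += v["bytes"]
    return total


if __name__ == "__main__":
    print("at t=104:", tabulate(OBSERVED, 104.0))   # nothing complete yet
    print("at t=125:", tabulate(OBSERVED, 125.0))   # buckets 90 and 105
    print("selection 90-120:", time_selection(tabulate(OBSERVED, 200.0), 90, 120))
```

Note the boundary handling: a packet at exactly 120.0 belongs to the bucket starting at 120, and that bucket is only released once the clock passes 135, so at t=125 the Graph Panel model shows two bars, not three.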
Step 2 – Selecting Data in the Graph Panel

Once you’ve opened a network interface for monitoring and the Graph Panel is illustrating the progress of statistics collection, you can make a time selection to view statistics in detail:

1. In the Graph panel, drag the Time Selector (a) handles to the area in the stream you would like to analyze. See Using the Time Selector on page 51 for more information.

   Use the Graph panel controls (b) to travel in time within the stream and climb/descend the data window axis. See Using the Graph Panel Controls on page 54 for more information.

Figure 2-3. Graph Panel
[Figure callouts: (a) Time Selector handles; (b) Graph panel controls.]
Step 3 – Viewing Network Statistics

1. The Statistics panel displays traffic statistics for the time selection made in the Graph panel. You can check IP addresses and/or other entries in the Statistics panel tabs to display only selected statistics in the Graph panel. See Using the Statistics Panel Tools on page 99 for more information.

Figure 2-4. Statistics Panel

2. Using the Statistics panel controls, filter and sort the data until you have isolated the packets you would like to analyze. See the following sections for details on Statistics panel tasks:
   • Working with the Statistics Panel on page 93
   • Using Statistics Filtering on page 93
   • Selecting a Statistics Filter on page 94
   • Working with the Top N Feature on page 95
   • Selecting and Deselecting Rows on page 97
   • Using the Statistics Panel Tools on page 99
   • Showing/Clearing Highlights on page 100
   • Collapsing and Expanding Column Data on page 100
   • Using the Mining Summary Dialog on page 116
Step 4 – Capturing Data

RMON statistics are valuable for understanding the network entities and traffic volumes on your network. Network troubleshooting, however, usually requires packet analysis. Use the following procedure to set the capture mode and start capture.

1. Click the Configure Capture button and select the capture mode (Figure 2-5) – either Adaptive Capture or Raw Capture.

Figure 2-5. Configuring the Capture Mode

   The table below summarizes the differences between the two modes as well as the postcapture analysis views available for each:
   Capture Mode: Adaptive Capture (Default)
     Summary: In Adaptive Capture mode, Sniffer Adaptive Application Analyzer extracts key fields from supported protocols and generates Adaptive Session Packets (ASPs) with derived payloads and compressed packet headers through the transport (TCP/UDP) layer. Hexadecimal bytes are not displayed for ASPs. In addition, Sniffer Adaptive Application Analyzer stores metadata correlating ASPs with parent sessions to provide a flow-aware view of network data. You can drill between the session view and the decode view during postcapture analysis to get both the top-down and bottom-up perspective.
     Postcapture Analysis: Separate, correlated views provide session and packet statistics:
       • Adaptive Session View provides access to adaptive session records (ASRs).
       • Adaptive Decode View provides line-by-line interpretation of adaptive session packets (ASPs).
       Refer to About Sniffer Adaptive Intelligence on page 16 for a summary of these two views.

   Capture Mode: Raw Capture
     Summary: In Raw Capture mode, Sniffer Adaptive Application Analyzer records packets as seen on the wire, including payloads (an optional packet slice setting can be used). In addition, session statistics are not available. Instead, traditional tri-paned packet decodes, Expert analysis, and post-analysis tabs are available.
     Postcapture Analysis:
       • Tri-pane packet decodes
       • Expert analyzer
       • Post-analysis tabs (Host Table, Matrix, Protocol Distribution, Statistics)

2. Specify the Capture Buffer size (200 MB – 1 GB).
3 Set the Packet Slice Size option for your capture mode:<br />
Available Packet Slice Option: <strong>Adaptive</strong> Packet Slice Size<br />
Description: When <strong>Adaptive</strong> capture is enabled, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> generates <strong>Adaptive</strong> Session Packets for all protocols with an ASI Protocol Interpreter. You use the <strong>Adaptive</strong> Packet Slice Size option to specify how much of each packet without an ASI protocol interpreter <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> should capture.<br />
There are two classes of packets without an ASI Protocol Interpreter:<br />
• Standard IPv4 Protocols on Well-Known TCP/UDP Ports: <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> still records generic session metadata for these protocols, either listing them using hardcoded aliases or identifying them as GENERIC (refer to Session View for GENERIC Protocols on page 150 for details).<br />
• Others (Non-IPv4): <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> does not record any session metadata for these packets.<br />
Refer to Protocols Supported for <strong>Sniffer</strong> <strong>Adaptive</strong> Processing on page 18 for a list of protocols with ASI protocol interpreters.<br />
Available Packet Slice Option: Raw Packet Slice Size<br />
Description: When Raw capture is enabled, you use the Raw Packet Slice Size option to specify how much of each packet to capture.<br />
4 Click OK in the Configure Capture dialog box when you have<br />
finished configuring capture.<br />
5 Start capture with either the Start Capture button in the toolbar<br />
or the Quick Select > Start Capture menu item.<br />
6 Once you start capturing packets, the Availability Meter at the base<br />
of the Graph panel changes from Yellow to Green (Figure 2-6),<br />
indicating that both packets and monitoring statistics are available.<br />
You can view statistics in the Statistics panel, as well as mine this<br />
portion of the stream for packets. Refer to Availability Meter on<br />
page 56 for details.<br />
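The following Python model is an added example and is not NetScout code. It shows how a packet slice size is applied to the two classes of packets without an ASI interpreter described in step 3: non-IPv4 frames are sliced with no session metadata, IPv4 traffic on well-known ports is sliced but still yields generic 5-tuple metadata (with an alias where one is hard-coded), and frames whose protocol has an interpreter are passed through for ASP generation without slicing. The port tables `ASI_PORTS` and `WELL_KNOWN_ALIASES`, the `build_ipv4_frame` helper and the sample frames are all assumptions constructed for the example; the manual's real interpreter list is on page 18 and is not reproduced here.<br />

```python
"""Model of the Adaptive Packet Slice Size behaviour described in step 3.
Added example, not NetScout code; port tables and frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

# Assumption: the manual lists interpreter-backed protocols on page 18 and
# shows an FTP session in Figure 2-8, so FTP control (21) stands in here.
ASI_PORTS = {21}
# Assumption: hard-coded aliases for well-known ports in the GENERIC class.
WELL_KNOWN_ALIASES = {22: "SSH", 53: "DNS", 443: "HTTPS"}


@dataclass
class CaptureRecord:
    packet_class: str                 # "asi", "generic-alias", "generic", "non-ipv4"
    stored: bytes                     # bytes kept in the capture buffer
    session_key: Optional[Tuple]      # (proto, src, sport, dst, dport) or None
    alias: Optional[str]


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def classify_and_slice(frame: bytes, slice_size: int) -> CaptureRecord:
    """Apply the slice size to one Ethernet II frame (slice counted from byte 0)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        # "Others (Non-IPv4)": sliced, and no session metadata is recorded.
        return CaptureRecord("non-ipv4", frame[:slice_size], None, None)
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    src, dst = _ip(frame[26:30]), _ip(frame[30:34])
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    key = (proto, src, sport, dst, dport)
    # Assumption: the lower of the two ports identifies the service.
    service = min(sport, dport) if sport is not None else None
    if service in ASI_PORTS:
        # Interpreter present: the frame goes to ASP generation (not modelled
        # here); the slice size does not apply to it.
        return CaptureRecord("asi", frame, key, None)
    # "Standard IPv4 protocols on well-known ports": sliced, but generic
    # session metadata (the 5-tuple) is still recorded, with an alias if known.
    alias = WELL_KNOWN_ALIASES.get(service)
    return CaptureRecord("generic-alias" if alias else "generic",
                         frame[:slice_size], key, alias)


def build_ipv4_frame(proto, src, sport, dst, dport, payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet II + minimal IPv4 + TCP/UDP + payload."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    if proto == PROTO_TCP:
        l4 = struct.pack("!HH", sport, dport) + bytes(16)   # rest of TCP header, zeroed
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4 + payload


# Constructed sample traffic: an FTP command, a DNS query and an ARP request.
FTP = build_ipv4_frame(PROTO_TCP, "10.0.0.5", 40000, "10.0.0.9", 21, b"USER anonymous\r\n")
DNS = build_ipv4_frame(PROTO_UDP, "10.0.0.5", 53001, "10.0.0.2", 53, bytes(42))
ARP = bytes.fromhex("ffffffffffff66778899aabb0806") + bytes(46)

if __name__ == "__main__":
    for name, frame in (("ftp", FTP), ("dns", DNS), ("arp", ARP)):
        rec = classify_and_slice(frame, slice_size=64)
        print(name, rec.packet_class, len(frame), "->", len(rec.stored),
              rec.alias, rec.session_key)
```

With a 64-byte slice the DNS and ARP frames are truncated while the FTP frame is kept whole for the interpreter; only the DNS frame carries an alias, and only the ARP frame has no session key at all.<br />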
Figure 2-6. Availability Meter after Capture Starts<br />
Availability Meter changes from yellow<br />
to green when capture starts,<br />
indicating packets and statistics are<br />
available for the time selection.
Step 5 – Mining Packet Data<br />
You mine available packet data (adaptive or raw) for postcapture<br />
analysis by making a time selection in the Graph Panel and clicking the<br />
Mine button at the base of the Quick Select window:<br />
1 Use the Availability Meter to identify and select a segment of packet<br />
data in the Graph Panel. Packet data is indicated by green in<br />
the Availability Meter.<br />
2 Create an optional Auto Mining Filter by selecting entities in the<br />
Statistics Panel. For example, you could create an Auto Mining<br />
Filter by selecting individual IP addresses in the IP Address tab.<br />
3 Click Mine.<br />
4 If you created an optional Auto Mining Filter, click Edit Filter in the<br />
Summary dialog box to use it for mining.<br />
5 Refine your mining request as desired and click OK to begin packet<br />
mining.<br />
Postcapture Analysis by Capture <strong>Mode</strong> – <strong>Adaptive</strong> or Packets<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> mines the selected time window<br />
and automatically launches the postcapture analysis views<br />
corresponding to your capture mode, as summarized in the table and<br />
Figure 2-7:<br />
Capture Mode: <strong>Adaptive</strong> Capture (Default)<br />
Postcapture Analysis Views: Separate, correlated views provide session and packet statistics:<br />
• <strong>Adaptive</strong> Session View<br />
• <strong>Adaptive</strong> Decode View (two-pane)<br />
Refer to: <strong>Adaptive</strong> Postcapture Analysis on page 39<br />
Capture Mode: Raw Capture<br />
Postcapture Analysis Views:<br />
• Tri-pane packet decodes<br />
• Expert analyzer<br />
• Post-analysis tabs (Host Table, Matrix, Protocol Distribution, Statistics)<br />
Refer to: Classic Postcapture Analysis on page 40<br />
Figure 2-7. Postcapture Analysis by Capture <strong>Mode</strong> (<strong>Adaptive</strong> or Raw)
<strong>Adaptive</strong> Postcapture Analysis<br />
When capturing in <strong>Adaptive</strong> mode, clicking Mine displays the selected<br />
packet data in the <strong>Adaptive</strong> Decode and <strong>Adaptive</strong> Session views (Figure<br />
2-8).<br />
Figure 2-8. <strong>Adaptive</strong> Session Intelligence Postcapture Analysis<br />
Figure callouts:<br />
• <strong>Adaptive</strong> Session Packets are available for viewing in the <strong>Adaptive</strong> Decode view. Standard Summary and Detail panes let you browse through the events. Here we see one of the FTP packets associated with the session listed above. Use the Open ASR command to drill up to the session file containing the parent flow.<br />
• <strong>Adaptive</strong> capture produces session records for supported protocols. Here we see flow statistics for an FTP session. Use the <strong>Adaptive</strong> Packet Drill Down command to view the underlying packet events.<br />
Classic Postcapture Analysis<br />
When capturing in Classic mode, clicking Mine displays the selected<br />
packets in the postcapture display window (Figure 2-9):<br />
The postcapture display window features two main tabs – Expert and<br />
Decode – as well as a variety of others providing different views of the<br />
data. Available tabs are summarized in the table below:<br />
Figure 2-9. Classic Postcapture Analysis<br />
Figure callout: Postcapture display tabs. The Decode tab always appears. The other tabs appear by default, but can be disabled. The letters (a) through (e) mark the Expert tab panes described in Table 2-1.<br />
Table 2-1. Postcapture Display Tabs<br />
Tab: Expert<br />
Description: Displays the results of proprietary Expert analysis, showing network objects, symptoms, and diagnoses by network layer:<br />
• The Expert Overview (a) pane shows the network analysis layers (similar in concept to the ISO layers) and the Expert overview statistics (objects, symptoms, or diagnoses) for each layer.<br />
• The Expert Summary (b) pane shows key summary information for the layer and statistics selected in the Expert Overview panel.<br />
• The Protocol Statistics (c) pane displays the amount of traffic (in frames and bytes) for each protocol encountered for the layer you selected in the Expert Overview panel.<br />
• The Detail Tree (d) pane shows a hierarchical listing of all layers below those selected in the Expert Overview and Expert Summary panels.<br />
• The Expert Details (e) pane is a collection of information tables for the data selected in the Summary pane.<br />
See Expert Analysis on page 219.<br />
Tab: Decode<br />
Description: Provides classic, line-by-line protocol decodes in a tri-pane window. Sophisticated automatic filtering features let you select a packet in the Summary pane and automatically filter on different components of the packet (source/destination addresses, ports, and so on).<br />
See Introducing the Packet Decode Tab on page 165.<br />
Tab: Matrix<br />
Description: Provides statistics on conversations taking place on the network.<br />
See Using the Matrix Tab on page 209.<br />
Tab: Host Table<br />
Description: Provides statistics broken out for each host detected on the network. Different tabs let you focus on IP hosts, MAC hosts, and so on.<br />
See Using the Host Table Tab on page 212.<br />
Tab: Protocol Distribution<br />
Description: Provides statistics broken out by protocol family. You can focus on MAC, IP, or IPX layer protocols.<br />
See Using the Protocol Distribution Tab on page 214.<br />
Tab: Statistics<br />
Description: Provides a variety of global statistics, including capture start/stop times, average speeds, and packet counts for a variety of basic categories.<br />
See Using the Statistics Tab on page 216.<br />
Tab: Filtered Tabs<br />
Description: By default, display filters return the filtered frames in a new tab at the bottom of the postcapture display window. If you prefer, you can enable the Select matching option. When this option is enabled, frames matching the filter appear “marked” in the leftmost column of the active Decode tab – their checkboxes are checked.<br />
See Working with Display Filters on page 172 for more information on how to use display filters in the Decode tab.<br />
6 You can optionally apply a Display Filter to isolate specific packets,<br />
including Automatic and Quick display filters. Display filters are<br />
helpful when working with large volumes of data. Use Display<br />
Filters to reduce large data sets when you are looking for<br />
something in particular. See Working with Display Filters on page<br />
172.<br />
7 Click the Quick Select icon to jump back to the Quick Select<br />
window. Then, you can:<br />
• Adjust your time window selection and visually inspect the traffic skyline for anomalies.<br />
• Select a time window and visually inspect the statistics related to specific IP addresses or protocol ports.<br />
• Save the capture file and close it.
SECTION 2<br />
Getting Started<br />
Using the Navigation Panel on page 41<br />
Working with the Quick Select Window on page 45<br />
Using the Statistics Panel on page 71
Chapter 3<br />
Working with the Quick Select Window<br />
Overview<br />
This section introduces the Navigation and Graph panels. After reading<br />
the topics in this section, you will be able to load statistics from the local<br />
network interface and select a block of time from a stream. The following<br />
topics are covered:<br />
Launching <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> on page 45<br />
Introducing the Navigation Panel on page 47<br />
Opening a Network Interface for Monitoring on page 48<br />
Introducing the Graph Panel on page 49<br />
Using the Time Selector on page 51<br />
Using the Graph Panel Controls on page 54<br />
Introducing the Graph Panel Tabs on page 57<br />
Viewing Reports on the Spreadsheet Tab on page 67<br />
Using Custom Colors in the Quick Select Window on page 67<br />
Launching <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong><br />
Go to Start > (All) Programs > <strong>NetScout</strong> > <strong>Sniffer</strong> <strong>Adaptive</strong><br />
<strong>Application</strong> <strong>Analyzer</strong> and select the <strong>Sniffer</strong> (<strong>Adaptive</strong> <strong>Mode</strong>) entry<br />
to launch the application. The Quick Select window appears with three<br />
resizable panels.<br />
Figure 3-1. Quick Select Window<br />
In the following sections, Capture Engine refers to the local network<br />
interface.<br />
The Navigation (a) panel lists the local network interface<br />
available for monitoring and capture. The local PC is identified both<br />
by its MS-Windows system name and the loopback IP address of<br />
127.0.0.1. See Introducing the Navigation Panel on page 47.<br />
The Graph (b) panel displays a graphical representation of the<br />
local interface’s network traffic. The graph’s controls let you browse<br />
the available data statistics so you can select a specific time period<br />
for analysis. See Working with the Quick Select Window on page<br />
45.<br />
The Statistics (c) panel displays data statistics for a variety of<br />
traffic elements occurring within the time selection in the Graph<br />
panel. See Using the Statistics Panel on page 71 for details on how<br />
to use the panel controls for viewing, filtering, and mining.
Introducing the Navigation Panel<br />
The Navigation panel lists the network interface(s) available for<br />
monitoring and capture on the local PC. Interfaces are listed under the<br />
local laptop’s entry in the Navigation Panel, as in Figure 3-2:<br />
Figure 3-2. Navigation Panel (callout: network interface selected for monitoring)<br />
From the Navigation Panel, you can open a network interface for<br />
monitoring and capture, as well as access a variety of configuration and<br />
management features. Refer to the following sections for details:<br />
Opening a Network Interface for Monitoring on page 48<br />
Other Navigation Panel Tasks on page 49<br />
Opening a Network Interface for Monitoring<br />
When you first start <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>, the Graph<br />
and Statistics panels are both empty. Open a network interface for<br />
monitoring to start statistics collection:<br />
1 Double-click the local PC’s entry in the Navigation Panel. The local PC is indicated with both the MS-Windows system name and the loopback IP address of 127.0.0.1.<br />
2 The local PC’s entry cascades open to show the network interface available for monitoring. Double-click the interface to start monitoring.<br />
3 Monitoring begins. Data is available for display in the Graph and Statistics panels after the completion of the first 15-second collection bucket.<br />
Figure callouts: local PC; network interface; network interface selected for monitoring.<br />
NOTE: The console assigns a color and letter to the<br />
interface. The letter indicates the order in which the interfaces were<br />
opened (for example, the first interface is assigned the letter A).<br />
These designations are used for stream merging and are cosmetic<br />
in this release – only a single network interface is supported.<br />
Once the first bucket of statistics is collected, click either the Next Time<br />
Selection or Current Time button above the Graph Panel to<br />
populate it with bars illustrating the progress of statistics collection<br />
(Figure 3-3).
Other Navigation Panel Tasks<br />
The Navigation Panel provides access to additional features via right-click<br />
context menus.<br />
Right-click the local PC’s entry in the Navigation panel to access the<br />
following commands:<br />
Configure Connection lets you specify how the local PC should<br />
appear in the Navigation Panel. You can use the system name, the<br />
IP address (loopback), or a custom name. Note that this option is<br />
only available before you connect to the local agent. Refer to<br />
Setting Connection Tab Options on page 245 for details.<br />
Connect opens the local agent and displays its network interfaces.<br />
Right-click a network interface in the Navigation panel to access the<br />
following commands:<br />
Open/Close starts/stops monitoring on the selected interface.<br />
Apply Source Filter opens a dialog box in which you can select (or<br />
create) a filter to be used as a source filter. Packets removed by a<br />
source filter are removed at the source and are not available for<br />
either monitoring or capture. Refer to Applying Source Filters on<br />
page 134 for details.<br />
Reset Buffer empties the current capture buffer, removing all<br />
stored packet data and session metadata.<br />
Introducing the Graph Panel<br />
The Graph panel displays time indicators at the top and bottom of the<br />
window that provide useful information about the data stream displayed<br />
in the work space. The figure below indicates where the time indicators<br />
are located in the Graph panel.<br />
The Start and End (a) times represent the location of the left and<br />
right edges of the graph window. Use the horizontal scroll bar to<br />
move the window to another location within the stream.<br />
The Data Start and Data End (b) times represent the start and<br />
end of the stream. The length of the data stream is the Duration.<br />
The Selected (c) value represents the number of packets and<br />
bytes in the current time selection. If checkbox selections are made<br />
on the Statistics panel, the Selected (c) value reflects data from<br />
the checked selections only.<br />
NOTE: The Selected value is an accurate depiction of the total<br />
traffic seen during the time selection when Top N is set to All.<br />
See Working with the Top N Feature on page 95 for details on<br />
how this counter works when Top N is enabled.<br />
NOTE: The Selected value does not appear when the<br />
Summary, Errors, or Destination tab is active in the Statistics<br />
panel.<br />
Figure 3-3. Graph Panel<br />
Updating Graph Panel Statistics<br />
The Console reads and reports the time values in the Graph Panel<br />
when a stream is opened and, by default, whenever the graph<br />
selection changes. You can change the default behavior using the<br />
Refresh statistics whenever graph selection changes option<br />
in Quick Select > Options > General; refer to Setting General<br />
Tab Options on page 243 for details.<br />
On actively capturing streams, the Console does not automatically<br />
update the Available End time – your most recent capture time.<br />
You can update the stream to the most current data by clicking<br />
either the Current Time or the Active Monitor button. See<br />
Monitoring for Updates – Active Monitor <strong>Mode</strong> on page 54 for more<br />
on updating stream data in the Graph window.<br />
NOTE: One-second selections – the smallest supported selection –<br />
result in identical Start and End times. For instance, a one-second<br />
time selection setup at Noon displays a Start and End time of<br />
12:00:00.
Using the Time Selector<br />
The Time Selector (a) appears in the form of a shaded bar which<br />
travels parallel along the Graph panel’s horizontal scroll bar. Two gray<br />
handles appear on either side of the Time Selector, which you drag to<br />
set the Start and End times.<br />
Figure 3-4. Time Selector (Full View and Close-up)<br />
When you initially open a stream, the time selector appears over the last<br />
one minute of the stream data (though you’ll need to wait for the first<br />
15 seconds of monitoring to pass before statistics/packets are<br />
available):<br />
Make adjustments by dragging one (or both) of the time selector<br />
handles to the desired location.<br />
Drag the entire Time Selector by grabbing the gray connecting bar.<br />
Watch the selection’s Start and End times change when you shift<br />
the selector’s position. When moving the time selector, the handles<br />
automatically snap to the closest 15 second time increment, unless<br />
you manually override this default. See Adjusting the Time<br />
Selection on page 52.<br />
NOTE: The snapping time increment changes depending on the<br />
Graph Panel zoom level.<br />
Adjusting the Time Selection<br />
Right-click the Time Selector’s sliding bar to display the Adjust time<br />
selection dialog box.<br />
Figure 3-5. Adjusting Time Selection<br />
See Using the Mining Summary Dialog on page 116 for details on<br />
adjusting the time selection up to the length of the stream.<br />
Click the First Statistics button to move your start time to the first<br />
statistics in the stream while maintaining your existing duration.<br />
Click the Last Packet button to move your end time to the last<br />
packet in the stream while maintaining your existing duration.<br />
Enter a new Start Time to override the existing start time.<br />
Enter a new Duration in days, hours, minutes and seconds to<br />
override the existing duration.<br />
NOTE: You can select any duration, up to the full length of the<br />
stream, with the Adjust Times button on the Summary dialog.<br />
See Using the Mining Summary Dialog on page 116.<br />
NOTE: You can only make time selections between the<br />
stream's Data Start and Data End times. An error message will<br />
appear if the Start Time or End Time is outside of the stream’s<br />
Data Start and Data End boundaries.<br />
Selecting Non-Aligned Time Boundaries<br />
If you use the Adjust time selection dialog to manually override the<br />
Graph panel's snap-to-15-second-boundaries behavior and select an<br />
unaligned time (such as 1:00:05 - 1:00:12), the Statistics panel<br />
displays the contents of the entire 15-second bucket (or buckets,<br />
depending on the boundaries selected) surrounding the time selection.
The Adjust Time Selection dialog box will warn you when this is<br />
happening with the message, “The times specified do not align with<br />
statistical boundaries, making statistical data inaccurate.”<br />
Additionally, the Statistics panel will show the resulting statistics in gray<br />
to communicate the inaccuracy. In most cases, these unaligned time<br />
selections will begin and end in two separate buckets, resulting in the<br />
Quick Select window displaying the excess contents of buckets on both<br />
ends of the time selection.<br />
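The Python model below is an added example, not NetScout code. It works through the 15-second bucket behaviour described in the last three sections: the default snap of the handles to the closest 15-second increment, the expansion of an unaligned selection such as 1:00:05 – 1:00:12 to the whole bucket (or two buckets when the selection straddles a boundary) together with the alignment warning quoted above, the error for selections outside the stream's Data Start and Data End, and the one-second selection whose Start and End display as the same time. It assumes bucket boundaries fall on the :00, :15, :30 and :45 marks of each minute; the function and field names are the example's own.<br />

```python
"""Model of Graph panel time selections against 15-second statistics buckets.
Added example, not NetScout code; boundary placement is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

BUCKET = timedelta(seconds=15)
ALIGNMENT_WARNING = ("The times specified do not align with statistical "
                     "boundaries, making statistical data inaccurate.")


def floor_to_bucket(t: datetime) -> datetime:
    """Start of the bucket containing t (boundaries assumed at :00/:15/:30/:45)."""
    return t.replace(microsecond=0) - timedelta(seconds=t.second % 15)


def ceil_to_bucket(t: datetime) -> datetime:
    """End of the bucket containing t, or t itself if already on a boundary."""
    start = floor_to_bucket(t)
    return start if start == t else start + BUCKET


def snap_to_nearest_bucket(t: datetime) -> datetime:
    """Default handle behaviour: snap to the closest 15-second increment."""
    lo = floor_to_bucket(t)
    hi = lo + BUCKET
    return lo if t - lo <= hi - t else hi


@dataclass
class StatsWindow:
    start: datetime          # first bucket boundary at or before the selection
    end: datetime            # first bucket boundary at or after the selection
    buckets: int             # how many 15-second buckets the panel will show
    aligned: bool
    warning: Optional[str]   # the dialog's warning text when unaligned


def statistics_window(sel_start: datetime, sel_end: datetime,
                      data_start: datetime, data_end: datetime) -> StatsWindow:
    """Buckets whose contents the Statistics panel shows for a selection.
    Raises ValueError for a selection outside Data Start/Data End, the case
    in which the dialog shows an error message."""
    if sel_end <= sel_start or sel_start < data_start or sel_end > data_end:
        raise ValueError("selection must lie between Data Start and Data End")
    start, end = floor_to_bucket(sel_start), ceil_to_bucket(sel_end)
    aligned = start == sel_start and end == sel_end
    buckets = (end - start) // BUCKET
    return StatsWindow(start, end, buckets, aligned,
                       None if aligned else ALIGNMENT_WARNING)


def displayed_times(sel_start: datetime, duration: timedelta) -> Tuple[datetime, datetime]:
    """Start/End as shown in the Graph panel: End is the last whole second of
    the selection, so a one-second selection shows identical times."""
    return sel_start, sel_start + duration - timedelta(seconds=1)


if __name__ == "__main__":
    day = datetime(2024, 1, 1)
    w = statistics_window(day.replace(hour=1, second=5), day.replace(hour=1, second=12),
                          day, day.replace(hour=2))
    print(w.start.time(), w.end.time(), w.buckets, w.warning)
```

Running the block shows the 1:00:05 – 1:00:12 selection resolved to the single 1:00:00 – 1:00:15 bucket with the warning set; a 1:00:10 – 1:00:20 selection resolves to two buckets, which is the "excess contents on both ends" case described above.<br />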
Viewing “Hover” Statistics<br />
The Graph panel also includes “hover” statistics. If you let your mouse<br />
cursor hover over a particular area in the graph panel, a popup will<br />
appear showing you the date, time, and traffic rate at the location of the<br />
mouse cursor (a in the figure below). The traffic rate will be expressed<br />
according to the current Data type selection in the right-click context<br />
menu – Packets/s, Bytes/s, Bits/s, or Utilization.<br />
IMPORTANT: The values shown in the “hover” statistics are based on<br />
the instance of time where the mouse cursor is located. In contrast, the<br />
same statistics presented in the Statistics panel are based on the entire<br />
window of time selected in the Time Selector. Because of this, they will<br />
usually be different.<br />
Using the Graph Panel Controls<br />
The Graph panel controls let you change the size of the data window,<br />
move up and down the x and y axis, travel through time on the data<br />
stream, and actively monitor incoming stream data. Use the following<br />
buttons to perform the functions described in this table.<br />
Table 3-1. Graph Panel Controls (button icons not reproduced)<br />
Up: Press this button to climb the y axis, increasing the y-axis interval for the selected Data Type (Packets, Bytes, Bits, or Utilization).<br />
Down: Press this button to step down the y axis, decreasing the y-axis interval for the selected Data Type (Packets, Bytes, Bits, or Utilization).<br />
Oldest Packet: Press this button to rewind to the beginning of the stream.<br />
Previous Time Selection: Press this button to rewind one interval. An interval is determined by the amount of time you have configured in the time selector.<br />
Next Time Selection: Press this button to fast forward one interval. An interval is determined by the amount of time you have configured in the time selector.<br />
Current Time: Press this button to fast forward to the end of the stream or the last captured packets in a trace file.<br />
Active Monitor: Press this button to start real-time monitoring. See Monitoring for Updates – Active Monitor <strong>Mode</strong>.<br />
Pause: Press this button to pause real-time monitoring. See Monitoring for Updates – Active Monitor <strong>Mode</strong>.<br />
Monitoring for Updates – Active Monitor <strong>Mode</strong><br />
Press the Active Monitor button to start real-time monitoring. Active<br />
Monitor mode displays new data on the Graph panel as it arrives from<br />
the stream. Configure the default monitor update time interval from the<br />
Quick Select > Options > Graph tab. See Setting Graph Tab Options<br />
on page 247 for details.
Zoom Menu<br />
Use the Zoom menu to change the selected window size. The Graph<br />
panel window restricts time selections to a maximum 10 day window.<br />
NOTE: The values available in the Zoom menu are approximate<br />
because a larger Quick Select window can hold a relatively larger<br />
time span.<br />
Figure 3-6. Zoom Drop Down Menu<br />
As you zoom in or out, the Graph panel maintains your time selection on<br />
a best-effort basis.<br />
When you zoom out to a larger window, the Graph panel attempts<br />
to center your selection in the window except when your selection<br />
is near one end of the stream.<br />
When you zoom in to a smaller window, the Graph panel will never<br />
alter your Start time. However, if you choose to zoom in to a<br />
window that is smaller than your current time selection, the Graph<br />
panel truncates the time selection Start and End times to fit in the<br />
Graph Panel window.<br />
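The block below is an added Python model of the zoom rules just listed, not NetScout code. It generalizes the two cases in the text: zooming out centres the selection unless the window would run past an end of the stream, in which case it is pinned to that end; zooming in never moves the selection Start and truncates the End when the new window is smaller than the selection; and the 10-day maximum window is enforced. Times are integer seconds, and two details the manual leaves open are assumptions: the window never extends beyond the stream, and when zooming in the window moves to begin at the selection Start if the Start would otherwise fall outside it.<br />

```python
"""Model of how the Graph panel preserves the time selection when zooming.
Added example, not NetScout code; times are seconds since an arbitrary origin."""
from typing import Tuple

MAX_WINDOW_SECONDS = 10 * 24 * 3600   # page: 10-day maximum window

Window = Tuple[int, int]       # (window start, window length)
Selection = Tuple[int, int]    # (selection start, selection end)
Stream = Tuple[int, int]       # (Data Start, Data End)


def _clamp(value: int, lo: int, hi: int) -> int:
    return max(lo, min(value, hi))


def zoom(window: Window, selection: Selection, stream: Stream,
         new_len: int) -> Tuple[Window, Selection]:
    """Return the window and selection after resizing the window to new_len."""
    if not 1 <= new_len <= MAX_WINDOW_SECONDS:
        raise ValueError("window must be between 1 second and 10 days")
    w_start, w_len = window
    s_start, s_end = selection
    d_start, d_end = stream
    # Assumption: the window never extends beyond the stream's data.
    latest_start = max(d_start, d_end - new_len)

    if new_len >= w_len:
        # Zoom out: centre the selection, except near an end of the stream,
        # where the clamp pins the window to that end instead.
        centre = (s_start + s_end) // 2
        w_start = _clamp(centre - new_len // 2, d_start, latest_start)
        return (w_start, new_len), (s_start, s_end)

    # Zoom in: the selection Start is never altered. Assumption: the window
    # moves to begin at the Start if the Start would otherwise fall out of it.
    if not (w_start <= s_start < w_start + new_len):
        w_start = s_start
    w_start = _clamp(w_start, d_start, latest_start)
    # A window smaller than the selection truncates the End to fit.
    s_end = min(s_end, w_start + new_len)
    return (w_start, new_len), (s_start, s_end)


if __name__ == "__main__":
    stream = (0, 2 * 24 * 3600)               # constructed two-day stream
    print(zoom((0, 3600), (600, 1200), stream, 7200))    # zoom out near Data Start
    print(zoom((0, 3600), (600, 1800), stream, 600))     # zoom in below selection size
```

In the zoom-out case near Data Start the window stays pinned at 0 rather than centring on the selection; in the zoom-in case the Start of 600 is kept and the End is cut from 1800 to 1200 so the selection fits the 600-second window.<br />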
Availability Meter<br />
The Availability Meter (a) is a colored line that runs parallel along the<br />
bottom of the Graph panel. It indicates the type of data that is available<br />
in the stream at each point in time. This line appears green, red, or<br />
yellow at any given second within a stream.<br />
Figure 3-7. Availability Meter<br />
Green = Capture Enabled, Packets/<strong>Adaptive</strong> Data Available.<br />
A green meter indicates the stream was actively capturing traffic<br />
with both traffic statistics and packet data available. You can view<br />
statistics in the Statistics panel, as well as mine this portion of the<br />
stream.<br />
NOTE: The type of packet data available for mining depends<br />
on the capture mode. In <strong>Adaptive</strong> mode, <strong>Adaptive</strong> Session<br />
Packets and Session Records are available for mining. In Raw<br />
mode, actual packet data is available.<br />
Yellow = Statistics Only. A yellow meter indicates capture was<br />
not started. The statistics from the yellow period are available in<br />
the Statistics panel but no packet data is available for mining.<br />
Red = No Data or Statistics. A red meter indicates that no<br />
statistics or packets are available. This happens when a stream was<br />
not opened for statistical monitoring or capture.<br />
NOTE: You can use the Stream Visibility options in the Quick<br />
Select > Options > General tab to specify whether streams with<br />
both Green and Yellow coded portions should open with the stream<br />
start time set to the Yellow (Statistics only) or Green (Earliest<br />
packet data) portion. See Setting General Tab Options on page 243 for<br />
details.
Introducing the Graph Panel Tabs<br />
Use the following Graph panel tabs to view a stream’s traffic in a variety<br />
of graphical formats.<br />
Global Statistics on page 57<br />
Selected Statistics on page 59<br />
Pie Chart on page 61<br />
Column Chart on page 63<br />
Time Series Chart on page 65<br />
Capture Panel Tab on page 66<br />
Global Statistics<br />
The Global Statistics tab (a) displays a graphical representation of the<br />
data stream selected in the Navigation pane. You can use this tab to<br />
view a summary of the stream’s traffic volume over time.<br />
Send the output to your printer using the button at the right of the Graph<br />
panel.<br />
Figure 3-8. Global Statistics Tab<br />
Changing the Data and Graph Styles<br />
Right-click the Graph panel to access the Data and Graph Styles context<br />
menu. Use this menu to modify the data representation and choose from<br />
a variety of formats. Changing the data type alters the data display<br />
because each data point on the graph is an average over the current<br />
interval (that is, from one second to one hour).<br />
NOTE: These options affect the data display in both the Global<br />
Statistics and Selected Statistics tabs in the Graph panel.<br />
Table 3-2. Data and Graph Styles Context Menu<br />
Option Description<br />
Data Type Packets - display the stream by total number of packets per second.<br />
Bytes - display the stream by total number of bytes per second.<br />
Bits - display the stream by total number of bits per second.<br />
Utilization - display the stream by percentage of utilization.<br />
Graph Style Stacked Bars - change the graph style to a stacked bar format.<br />
Lines - change the graph style to a line format.<br />
Graph Scale Linear - displays graph in linear format.<br />
Logarithmic - displays graph in logarithmic format.<br />
NOTE: The current setting is shown in the upper right corner of the graph.<br />
Data Source Selected Rows - displays all of the data you have selected in a stacked format.<br />
Filter Results - displays the number of packets you will retrieve if you press the<br />
Mine button. This option is useful when applying mining filters, as it lets you gauge<br />
whether the volume of packets returned will be adequate for your analysis goals.<br />
Note that this field is not updated during capture in <strong>Adaptive</strong> mode.<br />
NOTE: The Data Source options only appear when you are working in the Graph<br />
panel’s Selected Statistics tab.<br />
Orientation Selected Values - displays the selected values for all streams as a single<br />
aggregate.<br />
Selected Streams - displays up to four streams using colors assigned in the<br />
Navigation panel.<br />
NOTE: The current setting is shown in the upper right corner of the graph.<br />
NOTE: Configure your Data and Graph Style preferences in the<br />
Quick Select > Options > Graph tab. See Setting Quick Select<br />
Options on page 243.
Line Speed Changes and Graph Panel Utilization Values<br />
The Graph Panel’s Global Statistics and Selected Statistics tabs can both<br />
display streams according to the percentage of network utilization<br />
consumed over time. Although it does not happen often, the line speed<br />
of a given network can change while a stream is still active. When this<br />
happens, the Utilization values shown in the Graph panel will be accurate<br />
up until the point at which the line speed changed. After that, they will<br />
be off by the same factor as the change in line speed.<br />
For example, if the line speed changes from 1000 Mbps to 100 Mbps,<br />
utilization values shown in the Graph panel will be off by a factor of 10<br />
until the stream is closed and reopened. Once the stream is closed and<br />
reopened, the correct line speed will again be used for utilization values.<br />
Selected Statistics<br />
The Selected Statistics tab displays selections you make in the<br />
Statistics panel. Check items in the Statistics panel (a) to represent data<br />
in the Selected Statistics tab (b). Make selections in the Statistics panel<br />
and watch the Selected Statistics tab dynamically update.<br />
In the figure below, the selected IP address’ data statistics are displayed<br />
in the Selected Statistics tab and designated by a unique color for easy<br />
identification.<br />
Send the output to your printer using the button at the right of the Graph<br />
panel.<br />
NOTE: If the Graph panel’s Data Type option is set to Packets, a<br />
Packets column must appear in the Statistics panel for the Selected<br />
Statistics tab to display data. Similarly, if Data Type is set to any<br />
other options (Bytes, Bits, or Utilization), the Bytes column must<br />
appear in the Statistics panel.<br />
Figure 3-9. Selected Statistics Tab<br />
Pie Chart<br />
The Pie Chart tab displays data statistics from the Statistics panel. It<br />
displays the first N entries in the active Statistics panel tab, by default.<br />
The entries are sorted according to the current sort order in place in the<br />
active Statistics panel tab. If no sort order is in place, the entries are<br />
sorted by order of the leftmost column in the active Statistics panel tab.<br />
IMPORTANT: The Pie Chart tab requires at least one Statistics panel<br />
column (for example, Bytes) to draw a chart.<br />
Charting Selected Data<br />
You can also display the Pie Chart using only data from selected entries.<br />
To do this, select entries in the Statistics panel, then right-click the<br />
Graph panel and choose Chart selections only to update the Pie Chart<br />
values. The items checked in the Statistics panel (a) are now displayed<br />
in the Pie Chart (b). Deselect Chart selections only to toggle back to<br />
the default values.<br />
NOTE: You can select up to 15 items when Chart selections only is<br />
enabled.<br />
In the figure, the selected data statistics are displayed in the Graph<br />
panel’s pie chart. You can click on one of the Statistics tab’s column<br />
headers to change the sorted statistic or sort order and modify the pie<br />
chart accordingly.<br />
Send the output to your printer using the button at the right of the Graph<br />
panel.<br />
NOTE: Because the Pie Chart tab truncates percentage values to a<br />
tenth of a percent, the percentage values shown in the pie chart<br />
legend will occasionally not sum exactly to the Total: 100% shown<br />
in the display. The true values do always sum to 100%, but the<br />
Console must truncate them to a tenth of a percent for display<br />
purposes.<br />
Choose another Statistics panel tab to view a different report. See<br />
Viewing Reports on the Spreadsheet Tab on page 67 for a list of available<br />
reports.<br />
Figure 3-10. Pie Chart Tab<br />
Column Chart<br />
The Column Chart tab displays data statistics from the Statistics panel.<br />
It displays the first N entries in the active Statistics panel tab, by default.<br />
The entries are sorted according to the current sort order in place in the<br />
active Statistics panel tab. If no sort order is in place, the entries are<br />
sorted by order of the leftmost column in the active Statistics panel tab.<br />
IMPORTANT: The Column Chart tab requires at least one Statistics<br />
panel column (for example, Bytes) to draw a chart.<br />
Charting Selected Data<br />
You can also display the Column Chart using only data from selected entries.<br />
To do this, select entries in the Statistics panel, then right-click the<br />
Column Chart and choose Chart selections only to update the display.<br />
The items checked in the Statistics panel (a) are now displayed in the<br />
Column Chart (b). Deselect Chart selections only to toggle back to the<br />
default values.<br />
NOTE: You can select up to 15 items when Chart selections only is<br />
enabled.<br />
In the figure, the selected data statistics are displayed in the Graph<br />
panel’s chart. You can click on one of the Statistics tab’s column headers<br />
to change the sorted statistic or sort order and modify the column chart<br />
accordingly.<br />
Send the output to your printer using the button at the right of the Graph<br />
panel.<br />
Choose another Statistics panel tab to view a different report. See<br />
Viewing Reports on the Spreadsheet Tab on page 67 for a list of available<br />
reports.<br />
Figure 3-11. Column Chart Tab<br />
Time Series Chart<br />
The Time Series Chart tab displays data statistics from the Statistics<br />
panel. It displays the Average Bytes per second, so you can clearly<br />
discern spikes in the stream within intervals.<br />
The interval displayed in the Time Series Chart tab varies depending on<br />
the amount of time selected on the Global Statistics tab. For example, if<br />
more than seven hours are selected, each column shown in the Time<br />
Series Chart will be one hour in width. In contrast, if a minute is<br />
selected, five-minute columns will be displayed.<br />
Select data in the Statistics panel, then right-click the Graph panel and<br />
choose Chart selections only to update the Time Series Chart values.<br />
The items checked in the Statistics panel (a) are now displayed in the<br />
Time Series Chart (b). Deselect Chart selections only to toggle back<br />
to the default values.<br />
Send the output to your printer using the button at the right of the Graph<br />
panel.<br />
Figure 3-12. Time Series Chart Tab<br />
Capture Panel Tab<br />
The Capture Panel tab provides a summary of your current capture<br />
configuration, as well as meters showing buffer usage and packet length<br />
statistics. You can see at a glance how the compression achieved with<br />
<strong>Adaptive</strong> Session Processing saves system memory.<br />
The Capture Panel tab provides several main areas, as illustrated in<br />
Figure 3-13.<br />
Capture Configuration status indicators (a) show you the current<br />
settings from the Configure Capture dialog box (refer to<br />
Configuring and Starting Capture on page 111 for information on<br />
setting these options):<br />
Capture Type is either <strong>Adaptive</strong> or Raw.<br />
Capture Buffer Size shows the currently configured size of<br />
the capture buffer.<br />
Raw Packet Slice Size shows you the current packet slice<br />
size set in the Configure Capture Options dialog box. Refer to<br />
Configuring and Starting Capture on page 111 for information<br />
on how the slice size is used in both <strong>Adaptive</strong> and Raw capture<br />
mode.<br />
Figure 3-13. Capture Panel Tab Gauges
Capture Statistics (b) illustrate the memory savings achieved by<br />
capturing in <strong>Adaptive</strong> mode. The graph compares the overall length<br />
of captured packets as seen on the wire versus their stored length<br />
as <strong>Adaptive</strong> Session Packets. The Compression value restates the<br />
statistics as a percentage, showing you by what percentage the<br />
wire length was reduced during adaptive packet generation.<br />
Buffer Status (c) shows the percentage of capture buffer space<br />
currently in use.<br />
Viewing Reports on the Spreadsheet Tab<br />
The Pie Chart and Column Chart tabs display reports based on the data<br />
shown in the Statistics panel’s Spreadsheet tab. When viewing Pie<br />
Chart and Column Chart reports in the Statistics panel, sort a column in<br />
the Statistics tab and the report will update accordingly.<br />
NOTE: By default, all reports initially display data by total Bytes.<br />
Sorting the Statistics panel tabs by different columns causes the Pie<br />
Chart and Column Chart reports to update dynamically. You can sort by<br />
both index and statistics columns and the reports will still update<br />
accordingly. For example, you can sort the VLAN tab by VLAN ID to see<br />
the highest or lowest VLAN IDs. Then, you can sort the same tab again<br />
by Bytes to see the VLAN IDs with the most bytes.<br />
See Running Reports on page 261 for details on viewing and printing<br />
reports appearing on the Reports tab. Be sure to use the Print Report<br />
button to print reports. The File > Print menu option is not supported<br />
in the Quick Select window.<br />
Using Custom Colors in the Quick Select Window<br />
The Quick Select window uses a set of 15 colors in the Graph and<br />
Statistics panels to identify different entities:<br />
Graph panel tabs all use color to identify different entities. For<br />
example, the Pie Chart tab assigns different colors to each slice of<br />
its pie. Similarly, the Column Chart tab assigns different colors to<br />
each bar in its chart.<br />
Statistics panel tabs assign colors to rows as you select them.<br />
When you select a row, a colored box appears next to the index<br />
column for the entry. This color is carried over into the Graph panel<br />
and identifies data appearing in the charts.<br />
Colors are always assigned in the same order, either sequentially (for<br />
example, in order of selection on a Statistics tab) or hierarchically (for<br />
example, in order of bytes in a Top Talkers report).<br />
You can override the default colors used in the Quick Select window by<br />
editing the S2DPalette.ini configuration file in the C:\Program<br />
Files\<strong>NetScout</strong>\<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>\bin<br />
directory. This file specifies the palette to be used.<br />
IMPORTANT: After editing the S2DPalette.ini file, you must restart<br />
the Console application for your new custom colors to take effect.<br />
The S2DPalette.ini file contains one line for each custom color in the<br />
palette, following the [PALETTE] section line. Each color definition<br />
consists of the color index number (COLx, starting with zero), followed<br />
by the RGB values for the color. These entries look like this:<br />
COLx=r,g,b<br />
Where:<br />
x is the number of the color, beginning with 0 and<br />
incrementing sequentially.<br />
r,g,b are the RGB (Red, Green, Blue) specifications for the<br />
color.<br />
Obtaining RGB Values for Colors<br />
You can obtain RGB values for colors from a variety of sources. One easy<br />
way is to use the Custom Color dialog box in the Paint application<br />
provided with Microsoft Windows.<br />
To obtain RGB values using Microsoft Windows Paint:<br />
1 Start Paint (Start > All Programs > Accessories > Paint).<br />
2 Select the Colors > Edit Colors command.<br />
3 Click the Define Custom Colors button in the dialog box that<br />
appears.<br />
4 Use the color matrix and luminosity slider to mix a color to your<br />
liking. Note the Red, Green, and Blue values that appear for the<br />
color and enter them in the S2DPalette.ini file.
Custom Colors Do Not Apply to Navigation Panel<br />
Keep in mind that custom colors will not be applied to the stream icons<br />
in the Navigation panel.<br />
Sample S2DPalette.ini File<br />
Here is an example of a properly constructed S2DPalette.ini file:<br />
[PALETTE]<br />
COL0=234,56,78<br />
COL1=34,56,78<br />
COL2=41,156,78<br />
COL3=115,67,89<br />
COL4=67,89,112<br />
COL5=227,189,012<br />
COL6=89,123,45<br />
COL7=229,123,45<br />
COL8=13,57,190<br />
COL9=35,179,024<br />
COL10=234,56,78<br />
COL11=34,78,56<br />
COL12=41,78,156<br />
COL13=115,89,67<br />
COL14=67,112,89<br />
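As an added example (not NetScout code), the following Python checker reads an S2DPalette.ini text in the format shown above and validates it before you restart the Console: it requires the [PALETTE] section, requires that the COLx indices run sequentially from 0, allows at most 15 colors (the number of colors the Quick Select window uses), and checks that every component is within 0..255. It can also write a palette back out in the same format. The sample text inside the block is constructed for the example; the range check and the treatment of a gap in the numbering as an error are this example's own assumptions, since the guide does not state how the Console handles a malformed file.

```python
"""Validate and round-trip an S2DPalette.ini palette file.

Added example, not NetScout code. Checks the documented layout: a
[PALETTE] section holding COLx=r,g,b lines numbered from COL0 upward.
Assumptions of this example: at most 15 colors (the Quick Select window
uses a set of 15), components must lie in 0..255, and a skipped index is
treated as an error.
"""
import configparser
import re

PALETTE_SIZE = 15  # number of colors the Quick Select window uses

# Constructed sample, in the form of the guide's example file.
SAMPLE_INI = """[PALETTE]
COL0=234,56,78
COL1=34,56,78
COL2=41,156,78
COL3=115,67,89
"""

# Constructed sample with an out-of-range component.
BAD_INI = """[PALETTE]
COL0=234,56,78
COL1=34,56,300
"""

_COLOR_KEY = re.compile(r"^COL(\d+)$")


def parse_palette(text):
    """Return the palette as an ordered list of (r, g, b) tuples.

    Raises ValueError for a missing section, an unexpected key, a
    non-sequential index, too many colors, or a component outside 0..255.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "COL0" as written instead of lowercasing it
    cp.read_string(text)
    if not cp.has_section("PALETTE"):
        raise ValueError("missing [PALETTE] section")

    indexed = {}
    for key, value in cp["PALETTE"].items():
        match = _COLOR_KEY.match(key)
        if not match:
            raise ValueError(f"unexpected key {key!r}; expected COLx")
        indexed[int(match.group(1))] = value
    if len(indexed) > PALETTE_SIZE:
        raise ValueError(f"{len(indexed)} colors defined; at most {PALETTE_SIZE} are used")

    colors = []
    for index in range(len(indexed)):
        if index not in indexed:
            raise ValueError(f"COL{index} is missing; indices must run from 0 without gaps")
        parts = indexed[index].split(",")
        if len(parts) != 3:
            raise ValueError(f"COL{index}: expected r,g,b but got {indexed[index]!r}")
        rgb = tuple(int(p.strip()) for p in parts)  # int("012") == 12, so leading zeros are fine
        if any(not 0 <= component <= 255 for component in rgb):
            raise ValueError(f"COL{index}: component out of range 0..255: {rgb}")
        colors.append(rgb)
    return colors


def format_palette(colors):
    """Render a list of (r, g, b) tuples as S2DPalette.ini text."""
    lines = ["[PALETTE]"] + [f"COL{i}={r},{g},{b}" for i, (r, g, b) in enumerate(colors)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for rgb in parse_palette(SAMPLE_INI):
        print(rgb)
```

Running the checker against the file before restarting the Console means a typo such as a missing comma or a value above 255 is reported up front rather than discovered after the restart that the guide requires.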
Chapter 4: Using the Statistics Panel<br />
Overview<br />
This section introduces the Statistics panel and describes the various<br />
data sorting controls you can use prior to packet analysis. The following<br />
major topics are covered:<br />
About the Statistics Panel on page 71<br />
Introducing the Statistics Panel Tabs on page 72<br />
Working with the Statistics Panel on page 93<br />
Using Statistics Filtering on page 93<br />
Modifying Statistics Panel Columns and Tabs on page 104<br />
About the Statistics Panel<br />
Using the Statistics panel, you can:<br />
Filter addresses, ports, VLAN IDs, conversations, or protocols.<br />
Preview filtered results prior to analysis.<br />
Collapse columns to identify top access patterns (for example, port<br />
scanners).<br />
Sort tables by any available metric.<br />
Highlight and reduce large volumes of data prior to packet analysis.<br />
Use Auto Filter capabilities to automatically generate mining filters<br />
based on your selections.<br />
The Statistics panel is optimized to browse statistics without<br />
downloading significant amounts of data. The Statistics panel’s tabbed<br />
interface provides preconfigured sets of statistics, as well as the<br />
potential to create custom columns within each tab.<br />
NOTE: The Statistics Filtering drop down list lets you limit the<br />
amount of data displayed in the Statistics panel to improve data<br />
retrieval times. See Using Statistics Filtering on page 93.<br />
Introducing the Statistics Panel Tabs<br />
The Statistics panel includes two tabs:<br />
Spreadsheet Tabs on page 72<br />
Reports Tabs on page 87<br />
Spreadsheet Tabs<br />
The following sub-tabs are available on the Spreadsheet tab:<br />
Summary Tab on page 73<br />
Errors Tab on page 74<br />
IP Address Tab on page 76<br />
Port Tab on page 77<br />
Network Tab on page 79<br />
MAC Address Tab on page 80<br />
Destination Tab on page 81<br />
Conversation Tab on page 82<br />
Advanced Tab on page 84<br />
VLAN ID Tab on page 85<br />
IP Protocol Tab on page 86<br />
on page 87
Summary Tab<br />
The Summary tab (a) displays an overview of the stream’s statistics<br />
including counts for Accepted, Rejected, and Dropped packets. The<br />
Rejected and Dropped counts can be charted on the Pie Chart and<br />
Column Chart tabs according to their Bytes values, but they cannot be<br />
filtered, because rejected and dropped packets are not retrievable.<br />
NOTE: Columns cannot be added or deleted from this tab – extra<br />
columns are labeled . However, you can rearrange<br />
the columns by right-clicking in a body cell and using the Move Left<br />
and Move Right commands.<br />
Figure 4-1. Summary Tab<br />
About the Rejected Counter in the Summary Tab<br />
The Rejected counter tabulates the number of packets rejected by a<br />
Source Filter.<br />
Errors Tab<br />
The Errors tab (a) displays error statistics for the stream, including<br />
Fragments, Oversizes, Runts, Jabbers, CRC Errors, and Other<br />
errors. The various error counts can be charted on the Pie Chart and<br />
Column Chart tabs according to their Bytes values, but they cannot be<br />
filtered.<br />
NOTE: Columns cannot be added or deleted from this tab, as a<br />
result the extra columns are labeled . However, you<br />
can rearrange the columns by right-clicking in a body cell and using<br />
the Move Left and Move Right commands.<br />
Figure 4-2. Errors Tab
CRCs and Statistics Panel Packet Sizes vs. Postcapture Packet Sizes<br />
Packet size is reported differently in the Quick Select window than it is<br />
in postcapture Decode and Expert statistics. Postcapture Decode and<br />
Expert statistics do not take into account the CRC bytes attached to<br />
frames, while Statistics panel counters do. Because of this, postcapture<br />
views will show average frame sizes that are smaller than those reported<br />
in the Quick Select window. For Ethernet, the difference will be 4 bytes.<br />
IP Address Tab<br />
The IP Address tab (a) displays statistics for individual IP Addresses<br />
appearing on the network. Packets, Bytes, Packets/sec, and Bytes/<br />
sec are displayed by default for each address. Use the Statistics panel<br />
controls to filter, sort, select, collapse, and expand the statistical data.<br />
See Using the Statistics Panel Tools on page 99.<br />
Figure 4-3. IP Address Tab
Port Tab<br />
The Port tab (a) displays traffic by port and IP protocol. TCP and UDP<br />
values in the Packets column are often a subset of values under other<br />
tabs because many packets are not addressed to ports.<br />
Packets, Bytes, Packets/sec, and Bytes/sec are displayed by<br />
default for each entry in the tab. Use the Statistics panel controls to<br />
filter, sort, select, collapse, and expand the statistical data. See Using<br />
the Statistics Panel Tools on page 99.<br />
Figure 4-4. Port Tab<br />
Doubled Counts for Packets with Same Source and Destination Port<br />
The Statistics panel's Port tab includes a Packets column tabulating<br />
the number of packets seen with a particular port designation. When a<br />
packet has the same source and destination port, it will be counted in<br />
this column twice – once for the source port and once for the<br />
destination port.<br />
For example, a single packet with the source and destination port both<br />
set to 137 (a NetBIOS port) would be counted twice in the Packets<br />
column for the 137 port. This is the way that the IP Address, TCP/<br />
UDP Port, and MAC Address columns are all displayed, because there<br />
are two of each of these addresses per each applicable packet.<br />
As shown in the figure below, you can create a custom tab that will<br />
display a correct count of packets containing any or all of these index<br />
types (IP Address, TCP/UDP Port, MAC Address) by adding columns for<br />
both sides of the connection. This way, you can see the directionality of<br />
the exchange broken out. For example, in this case, you could create a<br />
custom tab that included:<br />
Port A<br />
Port B<br />
Packets TX<br />
Packets RX<br />
Packets<br />
Figure 4-5. Interpreting Packets with the Same Source/Destination Port.<br />
In the figure, the Summary tab shows a total of 111 packets accepted, but the<br />
Port tab shows 118 packets on port 137 because of doubled counts for packets<br />
with the same source and destination ports. The custom tab broken out for<br />
directionality shows the true packet count: 59 packets with the same source<br />
and destination port were counted twice to arrive at the 118 total.<br />
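The doubled count is easy to reproduce from raw packet records. The Python below is an added example, not NetScout code: it constructs a sample of 111 packets (59 with source and destination port both set to 137, as in the figure, plus 52 web packets, which are this example's own choice) and counts them two ways: once per port occurrence, as the Port tab's Packets column does, and once per distinct packet with a TX/RX breakdown, as the directional custom tab does. Port 137 comes out at 118 in the first view and 59 in the second.

```python
"""Reproducing the Port tab's doubled count from packet records.

Added example, not NetScout code. The Port tab increments its Packets
column once per port occurrence (source port and destination port), so a
packet whose two ports are equal adds two to that port's count. A
directional tab (Port A, Port B, Packets TX, Packets RX, Packets) counts
each packet once and shows which direction it went.
"""
from collections import Counter

# Constructed sample traffic (src_ip, src_port, dst_ip, dst_port), chosen to
# reproduce the guide's figure: 59 NetBIOS name-service packets sent from
# port 137 to port 137, plus 52 unrelated web packets, 111 packets in all.
SAMPLE_PACKETS = (
    [("10.0.0.5", 137, "10.0.0.255", 137)] * 59
    + [("10.0.0.7", 49152 + i, "10.0.0.8", 80) for i in range(52)]
)


def accepted_packets(packets):
    """What the Summary tab's Accepted counter reports: one count per packet."""
    return len(packets)


def port_tab_counts(packets):
    """Per-port counts as the Port tab tabulates them: one per port occurrence."""
    counts = Counter()
    for _src_ip, src_port, _dst_ip, dst_port in packets:
        counts[src_port] += 1
        counts[dst_port] += 1
    return counts


def directional_counts(packets, port):
    """Custom-tab view for one port: TX = sent from the port, RX = received
    on it, Packets = distinct packets that involve the port at all."""
    tx = rx = total = 0
    for _src_ip, src_port, _dst_ip, dst_port in packets:
        if src_port == port:
            tx += 1
        if dst_port == port:
            rx += 1
        if port in (src_port, dst_port):
            total += 1
    return {"Packets TX": tx, "Packets RX": rx, "Packets": total}


def double_counted(packets, port):
    """Packets with both ends on `port`; each adds one extra to the Port tab."""
    return sum(1 for _, src_port, _, dst_port in packets
               if src_port == port and dst_port == port)


if __name__ == "__main__":
    print("Summary tab accepted:", accepted_packets(SAMPLE_PACKETS))
    print("Port tab, port 137:", port_tab_counts(SAMPLE_PACKETS)[137])
    print("Custom tab, port 137:", directional_counts(SAMPLE_PACKETS, 137))
    print("Counted twice:", double_counted(SAMPLE_PACKETS, 137))
```

The same per-occurrence rule explains the Network tab behaviour described later in this chapter: a packet that crosses two subnets inside one collapsed network is counted once for each network it touches.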
Network Tab<br />
The Network tab (a) provides statistics for individual subnets.<br />
Packets, Bytes, Packets/sec, and Bytes/sec are displayed by<br />
default for each entry in the tab. Use the Statistics panel controls to<br />
filter, sort, select, collapse, and expand the statistical data. See Using<br />
the Statistics Panel Tools on page 99.<br />
Figure 4-6. Network Tab<br />
IMPORTANT: By default, the IP Address column is collapsed – it<br />
simply indicates the number of unique nodes seen in the subnet. This<br />
helps make the Network tab a concise list of the individual subnets<br />
seen. You can expand this data using the right-mouse menu to see each<br />
of the IP addresses seen on the subnet. See Collapsing and Expanding<br />
Column Data on page 100.<br />
IMPORTANT: If you collapse the Network column, the resulting<br />
Packets and Bytes counters are the sum of the Packets and Bytes values<br />
for all networks. Packets sent to a foreign network are only counted<br />
once, but packets that traveled from one subnet to another subnet, both<br />
in the same collapsed network, will be counted twice – once for each<br />
network.<br />
MAC Address Tab<br />
The MAC Address tab (a) provides statistics for individual MAC<br />
addresses on the network. Packets, Bytes, Packets/sec, and Bytes/<br />
sec are displayed by default for each entry in the tab. Use the Statistics<br />
panel controls to filter, sort, select, collapse, and expand the statistical<br />
data. See Using the Statistics Panel Tools on page 99.<br />
Figure 4-7. MAC Address Tab
Destination Tab<br />
The Destination tab (a) provides statistics for packets based on their<br />
destination type – MAC Unicast, MAC Multicast, MAC Broadcast, and<br />
ARP. Packets, Bytes, Packets/sec, and Bytes/sec are displayed by<br />
default for each entry in the tab.<br />
The Destination counts can be charted on the Pie Chart and Column<br />
Chart tabs according to their Bytes values, but they cannot be filtered.<br />
NOTE: Columns cannot be added or deleted from this tab, as a<br />
result the extra columns are labeled . However, you<br />
can rearrange the columns by right-clicking in a body cell and using<br />
the Move Left and Move Right commands.<br />
Figure 4-8. Destination Tab<br />
Conversation Tab<br />
The Conversation tab (a) provides statistics for IP Address<br />
conversations on the network (IP Address A and IP Address B).<br />
Packets, Bytes, Packets/sec, and Bytes/sec are displayed by<br />
default for each entry in the tab. Use the Statistics panel controls to<br />
filter, sort, select, collapse, and expand the statistical data. See Using<br />
the Statistics Panel Tools on page 99.<br />
Figure 4-9. Conversation Tab<br />
IMPORTANT: The IP Address A and IP Address B columns are not<br />
based on directionality and do not imply source or destination. The A side<br />
will be either the well known port if it exists, or the lower numbered port<br />
if both or neither of the ports are well known.<br />
IMPORTANT: You can collapse the IP Address B column using the right-mouse<br />
menu to see a simplified list of IP addresses transmitting data in<br />
this selection. When you do this, the IP Address B column will simply<br />
list the number of IP addresses to which the station in IP Address A has<br />
transmitted data.<br />
Note that when you collapse the IP Address B column, the resulting<br />
Packets and Bytes counters are the sum of all Packets and Bytes sent by<br />
the IP address listed in the IP Address A column.<br />
Multiple Entries for Same Pair of IP Addresses<br />
Occasionally, you may encounter multiple entries in the Conversation<br />
tab for the same pair of IP addresses, even though the Show<br />
Conversation Reciprocals option is not enabled (see Showing and<br />
Hiding Conversation Reciprocals on page 101). This can happen when<br />
the same pair of IP addresses is communicating on multiple different<br />
ports.<br />
The Conversation tab displays conversations based on unique<br />
combinations of IP addresses and port numbers. If the same pair of IP<br />
addresses is communicating on two different sets of ports, the traffic will<br />
be rolled up and displayed in two separate entries in the Conversation<br />
tab as follows:<br />
All traffic for the IP addresses where the destination port number<br />
is less than the source port number.<br />
All traffic for the IP addresses where the destination port number<br />
is greater than the source port number.<br />
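As an added example (not NetScout code), the Python below models the A/B selection rule stated above: the A side is the end with the well-known port, and when both or neither port is well known, the end with the lower port number. Two details are this example's assumptions rather than statements from the guide: "well known" is taken to mean the IANA system-port range 0 through 1023, and rows are keyed by (IP Address A, A's port, IP Address B), which is a simplification of the roll-up rule and is what makes one pair of hosts talking over two services appear as two rows. The packet records are constructed.

```python
"""Model of the Conversation tab's A/B side selection.

Added example, not NetScout code. The A side is the end with the
well-known port; when both or neither port is well known, the end with
the lower port number is A. Assumptions of this example: "well known"
means the IANA system-port range 0-1023, and entries are keyed by
(IP Address A, A's port, IP Address B), so one pair of hosts using two
services appears as two rows.
"""
WELL_KNOWN_MAX = 1023  # assumption: IANA system ports count as well known

# Constructed packet records: (src_ip, src_port, dst_ip, dst_port, bytes).
SAMPLE_PACKETS = [
    ("198.51.100.10", 51000, "198.51.100.80", 80, 600),     # client -> web
    ("198.51.100.80", 80, "198.51.100.10", 51000, 1400),    # web -> client (reply)
    ("198.51.100.10", 51001, "198.51.100.80", 80, 500),     # second web request
    ("198.51.100.10", 52000, "198.51.100.80", 22, 100),     # same pair, SSH
    ("198.51.100.80", 22, "198.51.100.10", 52000, 200),     # SSH reply
    ("198.51.100.30", 40000, "198.51.100.31", 40001, 300),  # neither well known
]


def is_well_known(port):
    return port <= WELL_KNOWN_MAX


def a_side(src_ip, src_port, dst_ip, dst_port):
    """Return ((ip_a, port_a), (ip_b, port_b)) per the guide's rule.

    The result is the same whichever direction the packet travelled,
    which is why the A/B columns carry no source/destination meaning.
    """
    src_end, dst_end = (src_ip, src_port), (dst_ip, dst_port)
    if is_well_known(src_port) != is_well_known(dst_port):
        return (src_end, dst_end) if is_well_known(src_port) else (dst_end, src_end)
    return (src_end, dst_end) if src_port <= dst_port else (dst_end, src_end)


def conversation_entries(packets):
    """Roll packets up into rows keyed by (ip_a, port_a, ip_b)."""
    entries = {}
    for src_ip, src_port, dst_ip, dst_port, length in packets:
        (ip_a, port_a), (ip_b, _port_b) = a_side(src_ip, src_port, dst_ip, dst_port)
        row = entries.setdefault((ip_a, port_a, ip_b), {"Packets": 0, "Bytes": 0})
        row["Packets"] += 1
        row["Bytes"] += length
    return entries


if __name__ == "__main__":
    for key, row in conversation_entries(SAMPLE_PACKETS).items():
        print(key, row)
```

With the sample above, the web request, its reply and the second request all land in one row with the server as IP Address A, the SSH exchange between the same two hosts lands in a second row, and the pair with two ephemeral ports is ordered by the lower port number.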
Advanced Tab<br />
The Advanced tab (a) displays traffic by IP Address and Port. Packets,<br />
Bytes, Packets/sec, and Bytes/sec are displayed by default for each<br />
entry in the tab. Use the Statistics panel controls to filter, sort, select,<br />
collapse, and expand the statistical data. See Using the Statistics Panel<br />
Tools on page 99.<br />
Figure 4-10. Advanced Tab<br />
To identify port scanners on your network and their source IP addresses,<br />
set up the columns in the following order:<br />
1 Column 1 - IP Address<br />
2 Column 2 - Port (collapsed and sorted in ascending order)<br />
3 Column 3 - Packets<br />
To identify high-use ports and the most frequent users (IP addresses) of<br />
those ports, set up the columns in the following order:<br />
1 Column 1 - Port<br />
2 Column 2 - IP Address<br />
3 Column 3 - Packets (sorted in ascending order)<br />
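To show what these two column layouts surface, here is an added Python example (not NetScout code) that derives both from constructed packet records. The first groups by IP address with the Port column collapsed to a count of distinct ports, which is the property a port scanner stands out by; the second groups by port and lists the addresses that used it most. Pairing each packet's source IP with its destination port is this example's modelling assumption, as the guide does not say how the Advanced tab builds its rows, and rows are sorted largest first so the entry of interest is at the top, whereas the layouts above sort ascending.

```python
"""Deriving the Advanced tab's two column layouts from packet records.

Added example, not NetScout code. Layout 1 (IP Address, Port collapsed,
Packets) shows how many distinct ports each address talked to; a host
with a large count and about one packet per port is the port-scan
pattern. Layout 2 (Port, IP Address, Packets) shows the busiest ports
and who used them. Assumption: each packet contributes its source IP
and destination port; the guide does not say how the tab pairs them.
"""
from collections import defaultdict

# Constructed sample (src_ip, src_port, dst_ip, dst_port): one host probing
# 40 ports on a server once each, plus two clients talking to port 443.
SAMPLE_PACKETS = (
    [("192.0.2.10", 40000 + p, "192.0.2.50", p) for p in range(1, 41)]
    + [("192.0.2.20", 51000, "192.0.2.50", 443)] * 30
    + [("192.0.2.21", 51001, "192.0.2.50", 443)] * 20
)


def scanner_view(packets):
    """Rows of (IP Address, distinct ports, Packets), most ports first."""
    ports = defaultdict(set)
    count = defaultdict(int)
    for src_ip, _src_port, _dst_ip, dst_port in packets:
        ports[src_ip].add(dst_port)
        count[src_ip] += 1
    rows = [(ip, len(ports[ip]), count[ip]) for ip in ports]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def busy_ports_view(packets):
    """Rows of (Port, IP Address, Packets): busiest port first, and within
    a port its heaviest users first."""
    per_port = defaultdict(lambda: defaultdict(int))
    for src_ip, _src_port, _dst_ip, dst_port in packets:
        per_port[dst_port][src_ip] += 1
    rows = []
    for port in sorted(per_port, key=lambda p: sum(per_port[p].values()), reverse=True):
        users = sorted(per_port[port].items(), key=lambda kv: kv[1], reverse=True)
        rows.extend((port, ip, n) for ip, n in users)
    return rows


def likely_scanners(packets, min_ports=20):
    """Addresses whose distinct-port count meets a threshold (example heuristic)."""
    return [ip for ip, distinct, _n in scanner_view(packets) if distinct >= min_ports]


if __name__ == "__main__":
    print("IP Address / Port (collapsed) / Packets:", scanner_view(SAMPLE_PACKETS))
    print("Port / IP Address / Packets:", busy_ports_view(SAMPLE_PACKETS)[:3])
    print("Likely scanners:", likely_scanners(SAMPLE_PACKETS))
```

The threshold in `likely_scanners` is deliberately simple; in the Quick Select window the equivalent step is reading the collapsed Port column and deciding which counts are unusual for the hosts on your network.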
VLAN ID Tab<br />
The VLAN tab (a) provides statistics for individual VLAN IDs on your<br />
network. Packets, Bytes, Packets/sec, and Bytes/sec are displayed<br />
by default for each entry in the tab. Use the Statistics panel controls to<br />
filter, sort, select, collapse, and expand the statistical data. See Using<br />
the Statistics Panel Tools on page 99.<br />
NOTE: If <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> is connected to a<br />
switch SPAN port, make sure you enable VLAN data collection on<br />
the network interface card to prevent VLAN IDs from being stripped<br />
before the application sees them.<br />
Refer to the <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> Installation Guide for<br />
details on using the sniffer_vlan_edit.exe tool included with the<br />
product to enable VLAN data collection for adapters using Intel and<br />
Broadcom chipsets.<br />
Figure 4-11. VLAN Tab<br />
IP Protocol Tab<br />
The IP Protocol tab (a) lists the IP protocols detected in the network<br />
traffic. Both the decimal notation and the common name are included.<br />
If an alias is defined for the protocol under Quick Select > Options ><br />
Aliases, the alias appears instead of the common name.<br />
NOTE: For a list of mappings between the decimal notation and the<br />
common names, see http://www.iana.org/assignments/protocol-numbers.<br />
Packets, Bytes, Packets/sec, and Bytes/sec are displayed by<br />
default for each entry in the tab. Use the Statistics panel controls to<br />
filter, sort, select, collapse, and expand the statistical data. See Using<br />
the Statistics Panel Tools on page 99.<br />
Figure 4-12. IP Protocol Tab<br />
You can also create new Statistics panel tabs including just those fields<br />
in which you are interested. See Modifying Statistics Panel Columns and<br />
Tabs on page 104.<br />
Reports Tabs<br />
The following sub-tabs are included on the Reports tab:<br />
Top Talkers on page 88<br />
Top Conversations on page 89<br />
Top <strong>Application</strong>s on page 90<br />
Multicast Protocols on page 91<br />
Multicast Groups on page 92<br />
on page 92<br />
Top Talkers<br />
The Top Talkers (a) tab displays the IP Addresses that are most active<br />
on the network in the Talkers report.<br />
Select data in the Statistics panel, then right-click the Graph panel and<br />
choose Chart selections only to update the report values. The items<br />
checked in the Statistics panel are now displayed in the chart. Deselect<br />
Chart selections only to toggle back to the default values.<br />
Modify the chart’s data time window by changing the selection in the<br />
Time Selection drop down list (b). Using a different time selection will<br />
dynamically update the chart. Send the output to your printer using the<br />
button at the right of the Graph panel.<br />
Figure 4-13. Top Talkers Tab
Top Conversations<br />
The Top Conversations tab (a) displays the ports that are most active<br />
on the network in the Conversations report.<br />
Select data in the Statistics panel, then right-click the Graph panel and<br />
choose Chart selections only to update the report values. The items<br />
checked in the Statistics panel are now displayed in the chart. Deselect<br />
Chart selections only to toggle back to the default values.<br />
Modify the chart’s data time window by changing the selection in the<br />
Time Selection drop down list (b). Using a different time selection will<br />
dynamically update the chart. Send the output to your printer using the<br />
button at the right of the Graph panel.<br />
Figure 4-14. Top Conversations Tab<br />
Top Applications<br />
The Top Applications tab (a) displays the ports that are most active on<br />
the network in the Applications report.<br />
Select data in the Statistics panel, then right-click the Graph panel and<br />
choose Chart selections only to update the report values. The items<br />
checked in the Statistics panel are now displayed in the chart. Deselect<br />
Chart selections only to toggle back to the default values.<br />
Modify the chart’s data time window by changing the selection in the<br />
Time Selection drop down list (b). Using a different time selection will<br />
dynamically update the chart. Send the output to your printer using the<br />
button at the right of the Graph panel.<br />
Figure 4-15. Top Applications Tab<br />
Multicast Protocols<br />
The Multicast Protocols tab (a) displays the IP Protocols that are most<br />
active in network multicasts, in the Multicast Protocols report.<br />
Select data in the Statistics panel, then right-click the Graph panel and<br />
choose Chart selections only to update the report values. The items<br />
checked in the Statistics panel are now displayed in the chart. Deselect<br />
Chart selections only to toggle back to the default values.<br />
Modify the chart’s data time window by changing the selection in the<br />
Time Selection drop down list (b). Using a different time selection will<br />
dynamically update the chart. Send the output to your printer using the<br />
button at the right of the Graph panel.<br />
Figure 4-16. Multicast Protocols Tab<br />
Multicast Groups<br />
The Multicast Groups tab (a) displays the multicast source and<br />
destination addresses that are most active on the network in the Top N<br />
Multicast Groups report.<br />
Select data in the Statistics panel, then right-click the Graph panel and<br />
choose Chart selections only to update the report values. The items<br />
checked in the Statistics panel are now displayed in the chart. Deselect<br />
Chart selections only to toggle back to the default values.<br />
Modify the chart’s data time window by changing the selection in the<br />
Time Selection drop down list (b). Using a different time selection will<br />
dynamically update the chart. Send the output to your printer using the<br />
button at the right of the Graph panel.<br />
Figure 4-17. Multicast Groups Tab<br />
You can also create new Reports tabs including just those fields in which<br />
you are interested. See Modifying Statistics Panel Columns and Tabs on<br />
page 104.
Working with the Statistics Panel<br />
This section describes how to perform different tasks in the Statistics<br />
panel, including how to set Statistics Filters, work with the Top N<br />
feature, and so on. It includes the following topics:<br />
Using Statistics Filtering on page 93<br />
Refreshing Statistics on page 97<br />
Selecting and Deselecting Rows on page 97<br />
Sorting Statistics Panel Tabs on page 98<br />
Using the Statistics Panel Tools on page 99<br />
Using Statistics Filtering<br />
The Statistics Filtering features are found below the Statistics panel<br />
(Figure 4-18). These features let you limit the data displayed in the<br />
Statistics panel. Sniffer Adaptive Application Analyzer includes the<br />
following Statistics Filtering features:<br />
Statistics Filter – Lets you select any currently defined Mining<br />
Filter and apply it as a Statistics filter. See Selecting a Statistics<br />
Filter on page 94.<br />
NOTE: Filters with a Pattern Match component cannot be used<br />
as Statistics filters. An error message will appear if you<br />
attempt to select such a filter.<br />
Top N (approx.) – Lets you limit the number of conversation<br />
records displayed. The Console will only display the Top N<br />
conversation records in each of the time buckets required to satisfy<br />
the current Graph panel selection. See Working with the Top N<br />
Feature on page 95.<br />
Figure 4-18. Statistics Filtering Options<br />
Statistics Filters versus Top N<br />
The Statistics Filters and Top N features serve different,<br />
complementary purposes:<br />
In general, Statistics Filters are most useful when you know what<br />
sort of data you would like to focus on in the Statistics panel. You<br />
can quickly focus the Statistics panel displays on all traffic related<br />
to a particular IP subnet, a particular combination of ports, a VLAN<br />
ID, and so on, temporarily eliminating the data that does not<br />
interest you. Because you can apply any Quick Select filter as a<br />
Statistics filter, you have a high degree of control in determining<br />
exactly what data is displayed.<br />
In contrast to Statistics Filters, which limit data upload quite<br />
precisely and are usually most useful in network analysis situations<br />
with specific needs, the Top N feature is a more generalized way<br />
to improve performance, limiting the number of unique<br />
conversation items displayed to the specified number.<br />
You will most likely apply and remove different Statistics Filters<br />
depending on your short-term analysis needs. In contrast, you will<br />
probably want to find a value for Top N that optimizes the<br />
Console’s performance in your particular network and let it remain<br />
set.<br />
Statistics Filtering and the Global Statistics Tab<br />
When using Statistics filters on a stream to reduce data in the Graph<br />
panel, the Global Statistics tab will not reflect the filtered data set. This<br />
behavior is intentionally designed to prevent the Sniffer Adaptive<br />
Application Analyzer PC from becoming bogged down by filtering<br />
massive data flows associated with Gigabit Ethernet traffic. Use the<br />
Selected Statistics tab to view filtered data in the Graph panel.<br />
Selecting a Statistics Filter<br />
The Statistics Filter dropdown includes all filters set up using the<br />
adjacent Create/Edit Filter controls. As described in Capturing and<br />
Mining Data on page 109, filters can be quite complex combinations of<br />
different addresses, ports, protocols, and so on. You can set up filters to<br />
focus the Statistics panel on exactly the data you want to see.<br />
NOTE: Filters that include a Pattern Match component cannot be<br />
used as Statistics filters. An error message will appear if you<br />
attempt to select such a filter.<br />
To apply a Statistics Filter:<br />
1 Use the Create/Edit Filter controls to define at least one filter. See<br />
Using the Mining Summary Dialog on page 116 for details on how<br />
to do this.
2 Click the Statistics Filter dropdown to list the filters available for<br />
application as Statistics Filters.<br />
3 Select the Statistics Filter to apply from the list.<br />
The data in the Statistics panel tabs for the current Graph panel<br />
selection is filtered according to the selected filter.<br />
To remove a Statistics Filter, click the Statistics Filter dropdown<br />
again and set it to [None]. All data statistics in the Graph panel<br />
selection will be displayed.<br />
Working with the Top N Feature<br />
The Top N feature provides a way to optimize Console performance by<br />
limiting the number of records displayed in the Statistics panel. Instead<br />
of downloading all data for the period selected in the Graph panel, you<br />
can set a Top N value to limit the unique conversation records<br />
transferred to the Console to the Top N.<br />
IMPORTANT: The Top N conversation records are sorted by bytes.<br />
The lower you set this option, the more responsive the Console will be<br />
when viewing statistics from a very busy network. However, this<br />
responsiveness comes at the expense of data accuracy and<br />
completeness. Conversely, you can disable the Top N feature entirely<br />
by setting it to All. In this case, all conversation records will be<br />
displayed, but at the expense of Console performance.<br />
IMPORTANT: The value you specify for N will almost always NOT be the<br />
exact number of conversation records returned. See Top N – The Details on<br />
page 96 for the details on how this works.<br />
Setting the Top N Value<br />
Set a default value for the Top N feature in the Quick Select > Options<br />
> General tab. This value will be in force for all streams by default.<br />
However, while connected to a stream, you can always change the<br />
current setting temporarily by clicking the Change button next to the<br />
Top N entry below the Statistics panel and entering a new value (Figure<br />
4-18 on page 93).<br />
The new Top N setting will take effect the next time the Statistics panel<br />
refreshes, either automatically or in response to the Refresh button. It<br />
will remain in effect until you close the stream or change the value again.<br />
Note, however, that the next time you open this stream, it will use the<br />
default Top N value specified in the Quick Select > Options > General<br />
tab. To change the Top N value permanently, you must change the<br />
setting in the General tab.<br />
Tabs Affected by the Top N Value<br />
The Top N value affects all tabs populated using Conversation records.<br />
This includes the following tabs:<br />
IP Address<br />
Port<br />
Network<br />
Conversation<br />
Advanced<br />
VLAN ID<br />
IP Protocol<br />
IMPORTANT: The Top N feature does not affect the use of RMON<br />
statistics in the Statistics panel’s Summary, Errors, or Destination<br />
tabs. Because of this, when a Top N value is specified, the statistics<br />
shown in the Summary, Errors, and Destination tabs reflect the entire<br />
stream, while the other tabs reflect only a subset of the total data seen<br />
on the stream.<br />
Top N – The Details<br />
The Top N feature does not result in the display of exactly the number<br />
of conversation records specified for N. Instead, it results in the display<br />
of approximately N conversation records from each bucket of<br />
conversation records required to represent the current Graph panel<br />
time selection.<br />
This will almost always be an approximate multiple of N depending on<br />
the number of buckets required to represent the current time selection<br />
and the number of records in those buckets.
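The per-bucket selection described above, as an added Python illustration (not code from the Sniffer product or this guide): the n largest conversations by bytes are kept in each time bucket and the kept rows are merged, so the count returned depends on how many buckets the time selection spans and on how much their Top N lists overlap. The conversation records, the three buckets and the byte counts are constructed sample data.

```python
"""Added illustration of the Top N (approx.) behaviour described for the
Statistics panel. Not Sniffer code; the conversation records, the number of
time buckets and the byte counts are constructed sample data."""
from collections import defaultdict

# Constructed records: (time_bucket, (IP Address A, IP Address B), bytes).
# Three buckets are assumed to cover the current Graph panel time selection.
SAMPLE_RECORDS = [
    (0, ("192.168.1.25", "192.168.1.50"), 900_000),
    (0, ("192.168.1.10", "10.0.0.5"), 400_000),
    (0, ("192.168.1.75", "10.0.0.9"), 20_000),
    (1, ("192.168.1.25", "192.168.1.50"), 850_000),
    (1, ("192.168.1.60", "10.0.0.7"), 300_000),
    (1, ("192.168.1.10", "10.0.0.5"), 10_000),
    (2, ("192.168.1.60", "10.0.0.7"), 700_000),
    (2, ("192.168.1.99", "10.0.0.2"), 650_000),
    (2, ("192.168.1.25", "192.168.1.50"), 5_000),
]


def top_n_per_bucket(records, n):
    """Keep the n largest conversations (by bytes) in every bucket, then merge.

    n=None stands for the 'All' setting: nothing is dropped. Returns a dict
    conversation -> bytes summed over the rows that survived the cut, which
    is what a conversation-based tab would total for the time selection.
    """
    by_bucket = defaultdict(list)
    for bucket, conversation, nbytes in records:
        by_bucket[bucket].append((conversation, nbytes))

    totals = defaultdict(int)
    for rows in by_bucket.values():
        # The Top N records are sorted by bytes, largest first.
        rows.sort(key=lambda row: row[1], reverse=True)
        for conversation, nbytes in (rows if n is None else rows[:n]):
            totals[conversation] += nbytes
    return dict(totals)


def records_returned(records, n):
    """Number of unique conversation records the panel would show for Top N."""
    return len(top_n_per_bucket(records, n))


if __name__ == "__main__":
    for n in (1, 2, None):
        label = "All" if n is None else n
        print(f"Top N = {label}: {records_returned(SAMPLE_RECORDS, n)} "
              "conversation records")
    # A conversation that ranks high in one bucket but low in another loses
    # its small rows: completeness suffers, as the IMPORTANT note says.
    conv = ("192.168.1.10", "10.0.0.5")
    print(top_n_per_bucket(SAMPLE_RECORDS, 2)[conv], "bytes with Top N = 2 versus",
          top_n_per_bucket(SAMPLE_RECORDS, None)[conv], "bytes with All")
```

With N = 2 the sample returns four records rather than two or six, because one conversation ranks in the Top 2 of several buckets.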
Refreshing Statistics<br />
By default, the Console automatically refreshes the Graph and Statistics<br />
panel data each time you adjust the time selector and scroll bar. You can<br />
change the default by disabling the Refresh statistics whenever<br />
graph selection changes option on the Quick Select > Options ><br />
General tab. When the automatic refresh is disabled, you must click the<br />
Refresh button to refresh the Statistics panel data after a new time<br />
selection.<br />
Canceling a Statistics Refresh<br />
Whenever a statistics refresh is in progress, the Refresh button changes<br />
into a Cancel button. You can click the Cancel button to stop a statistics<br />
refresh in progress. After clicking the Cancel button on an in-progress<br />
statistics refresh, the Availability meter will temporarily appear in red.<br />
The meter will return to its correct state at the next automatic or manual<br />
refresh.<br />
Selecting and Deselecting Rows<br />
From the Statistics panel, select a row by clicking the row’s checkbox. A<br />
unique color is assigned (a) for each selection and appears next to the<br />
entry. This color is carried over into the Graph panel, and identifies data<br />
appearing in the charts. Use either the eraser icon or the Clear All<br />
Selections command in the right-click context menu to clear all<br />
selections on the currently selected tab.<br />
NOTE: You can change the default colors assigned to selected rows.<br />
See Using Custom Colors in the Quick Select Window on page 67.<br />
Selecting a row also makes that row part of the current settings eligible<br />
for an Auto Filter. For example, if you select a row in the IP Address<br />
tab, set the Create/Edit Filter dropdown to Auto Filter, and click<br />
Create, the Create/Edit Filters dialog box automatically populates with<br />
a filter template containing traffic to and from the selected IP address.<br />
You can either accept the Auto Filter as is or refine it further using the<br />
options in the Create/Edit Filters dialog box. See Using the Mining<br />
Summary Dialog on page 116 for details.<br />
NOTE: The eraser icon does not clear selections made on inactive<br />
tabs.<br />
Figure 4-19. IP Address Tab (with some rows selected and highlighted)<br />
Sorting Statistics Panel Tabs<br />
You can sort the Statistics panel tabs by any available entity or metric<br />
by clicking in a column heading. Click a second time to reverse the sort<br />
order. For example, you can sort the IP Address tab by packets by<br />
clicking in the Packets column heading. In response, the IP Address<br />
with the most packets will be shown at the top of the tab. Clicking a<br />
second time shows the IP Address with the least amount of packets at<br />
the top of the tab.<br />
Sorts Not Applied to Aliases<br />
When you sort on a tab’s index column, the sort is not applied to<br />
aliases. Instead, the sort applies to the underlying values for any entity<br />
displayed with an alias. This is true of both predefined and custom<br />
aliases.<br />
For example, if you sorted the IP Protocol tab by the IP Protocol<br />
column, the protocols would be sorted by their numerical identifiers<br />
rather than their textual aliases. This means that after a sort by IP<br />
Protocol, TCP would appear ahead of RSVP because its numerical ID<br />
(6) is less than RSVP’s (46), even though its alias is alphabetically after<br />
RSVP.<br />
Sorts and “0.0.0.0” IP Addresses<br />
When you sort a Statistics Panel tab on an IP Address column, the<br />
0.0.0.0 IP address, if present in the selected traffic, appears in the<br />
opposite position of what you would normally expect:<br />
When an ascending sort is applied and addresses are sorted from<br />
least to greatest (for example, from 192.168.1.1 to 192.168.1.75),<br />
the 0.0.0.0 address, if present in the selected traffic, would appear<br />
at the end of the list, after 192.168.1.75.<br />
When a descending sort is applied and addresses are sorted from<br />
greatest to least (for example, from 192.168.1.75 to 192.168.1.1),<br />
the 0.0.0.0 address, if present in the selected traffic, would appear<br />
at the start of the list, before 192.168.1.75.<br />
NOTE: The IP address 0.0.0.0 is sometimes used as a client IP<br />
address in DHCP Discover and Request packets.<br />
Using the Statistics Panel Tools<br />
The Statistics panel includes controls that let you change the way data<br />
is displayed in the Statistics panel tabs. You can expand and collapse<br />
columns, show and hide aliases and alias groups, and so on. Most of<br />
these tools are accessed by right-clicking a cell in a Statistics tab and<br />
selecting from the context menu that appears (Figure 4-20). The exact<br />
options available depend upon the cell in which you right-click.<br />
Figure 4-20. Statistics Panel Tools (Context Menu)<br />
The following topics describe how to use these tools:<br />
Clearing Selections on page 99<br />
Showing/Clearing Highlights on page 100<br />
Collapsing and Expanding Column Data on page 100<br />
Showing and Hiding Aliases and Alias Groups on page 101<br />
Showing and Hiding Conversation Reciprocals on page 101<br />
Resolving DNS Names on page 103<br />
Clearing Selections<br />
Use either the eraser icon or the Clear All Selections command in<br />
the context menu to clear all selections on the currently selected tab.<br />
Showing/Clearing Highlights<br />
When working with large volumes of data, viewing a long list of statistics<br />
may require significant scrolling within the Statistics window. To reduce<br />
the volume of displayed data, click the data cells you want to focus on<br />
in an Index column, then right-click the cell and choose Show Highlight<br />
Only.<br />
Show Highlight Only removes all of the data that is not<br />
highlighted, leaving only the rows you have selected. Continue<br />
reducing data in this window until you have isolated just the items<br />
you need for analysis.<br />
Clear Highlights restores the original data set.<br />
When you select a cell, all duplicate entries are automatically selected.<br />
To remove the highlight treatment from a data cell, click the highlighted<br />
cell again.<br />
Collapsing and Expanding Column Data<br />
If two or more index columns exist on a Statistics Panel tab, any of the<br />
index columns can be collapsed to display the number of entities in that<br />
column that are associated with the neighbor index column.<br />
For example, if you want to isolate which IP Address is scanning ports<br />
on your network, select the Advanced tab and right-click the Port<br />
column (b), then select Collapse. The collapse command shuffles and<br />
reorders data to display how column (b) data relates to data in the<br />
neighbor column (a).<br />
In this example, the Port (b) column shows the number of ports to<br />
which each IP Address (a) sent messages.<br />
Figure 4-21. Collapsing Columns<br />
NOTE: Click Expand to reverse the Collapse command and display<br />
all data values as they originally appeared. Collapsing or expanding<br />
an index column will clear all the checkbox selections on the current<br />
Statistics panel tab.
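The Collapse in the port-scan example above, as an added Python illustration (not Sniffer code): collapsing one index column counts, for each entity in the neighbour column, how many distinct values it is associated with, so a host that touched many ports sorts to the top. The rows are constructed sample data, and the same function works in the other direction (IP addresses per port).

```python
"""Added illustration of the Statistics panel's Collapse on a tab with two
index columns (IP Address and Port, as in the Advanced tab). Not Sniffer
code; the rows below are constructed sample data."""
from collections import defaultdict

IP_ADDRESS, PORT = 0, 1   # column positions in the constructed rows

# Constructed rows: (IP Address A, Port B, packets). Host .77 sent a single
# packet to each of many ports, the pattern the port-scan example isolates.
SAMPLE_ROWS = [
    ("192.168.1.25", 80, 1200),
    ("192.168.1.25", 443, 950),
    ("192.168.1.50", 53, 300),
    ("192.168.1.77", 21, 1),
    ("192.168.1.77", 22, 1),
    ("192.168.1.77", 23, 1),
    ("192.168.1.77", 25, 1),
    ("192.168.1.77", 80, 1),
    ("192.168.1.77", 443, 1),
    ("192.168.1.77", 3389, 1),
    ("192.168.1.25", 80, 400),  # repeated (address, port) pair: counted once
]


def collapse(rows, kept_col, collapsed_col):
    """Collapse collapsed_col against kept_col.

    Returns [(kept_value, distinct_count), ...] with the widest fan-out
    first: the number the collapsed column displays next to each entity
    in the neighbouring index column.
    """
    neighbours = defaultdict(set)
    for row in rows:
        neighbours[row[kept_col]].add(row[collapsed_col])
    return sorted(((entity, len(vals)) for entity, vals in neighbours.items()),
                  key=lambda item: item[1], reverse=True)


def expand(rows, kept_col, collapsed_col):
    """Expand: restore the distinct (kept, collapsed) pairs, one per row."""
    return sorted({(row[kept_col], row[collapsed_col]) for row in rows})


if __name__ == "__main__":
    # Ports per IP address, as in Figure 4-21 (Port column collapsed).
    for ip, n_ports in collapse(SAMPLE_ROWS, IP_ADDRESS, PORT):
        print(f"{ip:16} {n_ports} ports")
    # The reverse collapse: how many addresses touched each port.
    for port, n_hosts in collapse(SAMPLE_ROWS, PORT, IP_ADDRESS):
        print(f"port {port:<6} {n_hosts} addresses")
```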
Showing and Hiding Aliases and Alias Groups<br />
Sniffer Adaptive Application Analyzer provides a wide variety of aliasing<br />
options in the Quick Select > Options > Aliases tab. You can set up<br />
custom aliases for a wide variety of network entities, including IP<br />
addresses, IP protocols, TCP/UDP ports, VLAN IDs, and so on.<br />
In this release, you can also add aliases for groups of addresses, ports,<br />
IDs and protocols so that, for example, you can automatically roll up and<br />
display statistics for all IP addresses belonging to a particular subnet.<br />
By default, aliases are substituted in all Statistics panel displays, as well<br />
as the Filter dialog box. However, you can use the Statistics panel tools<br />
to quickly show or hide aliases in a particular column in the Statistics<br />
panel. Right-click in a Statistics panel column and choose from the<br />
following options:<br />
Hide/Show Aliases – Toggle to specify whether aliases are<br />
substituted in the Statistics panel.<br />
Show/Hide Alias Groups – Toggle to specify whether group<br />
aliases are substituted in the Statistics panel.<br />
Show Alias Groups Only – Only entities belonging to a group<br />
alias appear in the Statistics panel.<br />
NOTE: The Hide Aliases and Show Alias Groups/Show Alias<br />
Groups Only options are mutually exclusive. Group alias options<br />
cannot be enabled until the Show Aliases option is enabled. Also,<br />
the Hide Aliases option is unavailable until the Hide Alias Groups<br />
option is enabled.<br />
NOTE: See Setting Aliases Tab Options on page 250 for details on how<br />
to set up aliases.<br />
Showing and Hiding Conversation Reciprocals<br />
By default, Statistics panel tabs showing conversations provide only a<br />
single entry for a particular conversation – they hide conversation<br />
reciprocals. For example, a conversation between the IP addresses<br />
192.168.1.25 and 192.168.1.50 would result in a single entry on the<br />
Conversations tab with one address in the IP Address A column and<br />
the other in the IP Address B column.<br />
You can use the Show Conversation Reciprocals option in the right-click<br />
context menu to specify that the Statistics panel provide two<br />
entries for this conversation – one with 192.168.1.25 in the IP Address<br />
A column and one with 192.168.1.50 in the IP Address A column.<br />
When you enable this feature, the data for each conversation is shown<br />
twice – once in each row. However, this feature does provide you with a<br />
means of seeing all addresses participating in conversations in a single<br />
column.<br />
NOTE: By default, this feature is only available in the<br />
Conversations tab. However, if you modify one of the other tabs to<br />
include an Address B column so that the tab ends up showing<br />
conversations (for example, you add a MAC Address B column to<br />
the MAC Address tab), the feature becomes available.<br />
The figure below provides a simple illustration of how this works:<br />
Figure 4-22. Showing/Hiding Conversation Reciprocals (reciprocals hidden; use context menu; reciprocals shown)<br />
Resolving DNS Names<br />
You can resolve DNS names on either a selected IP address or all IP<br />
addresses visible in the Statistics panel.<br />
Right-click an IP address in the Statistics panel and select the<br />
Resolve DNS Name command to perform a DNS lookup of the<br />
selected IP address.<br />
Right-click in a Statistics panel tab displaying IP addresses and<br />
select the Resolve Visible DNS Names command to perform DNS<br />
lookups on all IP addresses visible in the display.<br />
In both cases, the name(s) returned from the DNS (if any) will be<br />
substituted for the IP address(es) in Statistics panel displays.<br />
NOTE: Once the DNS name has been resolved, it cannot be hidden<br />
again.<br />
Modifying Statistics Panel Columns and Tabs<br />
In the Statistics panel, you can add new columns and tabs, modify the<br />
tab order, and modify the column order:<br />
Adding New Columns<br />
Adding New Tabs on page 106<br />
Reordering and Deleting Columns and Tabs on page 106<br />
Adding New Columns<br />
To add a new column, click the heading and a list of<br />
categories appears. Categories vary according to the data type available<br />
on each tab. A complete list of categories is given in the following table.<br />
Note, however, that the exact meanings of these statistics change<br />
depending on the tab in which they are displayed.<br />
NOTE: Statistics columns cannot be added until there is at least<br />
one index column added on the Statistics panel tab. Note, however,<br />
that adding an index column will clear all existing checkbox and<br />
highlighted selections on the current Statistics panel tab.<br />
Table 4-1. New Column Heading Options<br />
Column Category – Description<br />
MAC Address A – The hardware address for a station sending packets on the network.<br />
MAC Address B – The hardware address for a station receiving packets on the network.<br />
VLAN ID – The ID for a VLAN on the network. NOTE: This statistic is only available for VLAN stream types.<br />
Layer 2 – The layer two protocol for the selected statistic. For example, IP_ARP, Spanning_Tree, and so on.<br />
Network – A subnet address on the network, including the mask. For example, 192.168.1.0/24 indicates the 192.168.1 subnet with a 24-bit (Class C) subnet mask.<br />
IP Address A – The IP address for a station sending packets on the network.<br />
IP Address B – The IP address for a station receiving packets.<br />
IP Protocol – The next layer protocol indicated in the IP header. Both the decimal notation and the common name are included. If an alias is defined for the protocol under Quick Select > Options > Aliases, the alias appears instead of the common name. For a list of mappings between the decimal notation and the common names, see http://www.iana.org/assignments/protocolnumbers.<br />
Port A – The source port for transmitted network data. For well-known or aliased ports, the display includes the common or aliased name as well. For a list of well-known TCP/UDP port numbers, see http://www.iana.org/assignments/port-numbers. For port aliases, see Quick Select > Options > Aliases.<br />
Port B – The destination port for transmitted network data.<br />
ToS – Depending on the implementation, the value of the Type of Service or Differentiated Services (Diff-Serv, or DSCP) field in the IP header. The ToS field is used in IP to assign different priority levels to different packets, allowing for efficient allocation of bandwidth to the applications that need it most. DSCP is an evolution of the original IPv4 ToS field that allows for greater granularity in traffic prioritization.<br />
MAC Broadcast Src – The hardware address of the client that is transmitting to the broadcast address.<br />
MAC Multicast Src – The hardware address of the client that is transmitting to the multicast group.<br />
MAC Multicast Dst – The destination hardware multicast address.<br />
IP Multicast Src – The IP address of the service that is transmitting to the multicast client.<br />
IP Multicast Dst – The destination multicast IP address.<br />
Bytes – The number of bytes transmitted and received.<br />
Bytes TX – The number of bytes transmitted.<br />
Bytes RX – The number of bytes received.<br />
Bits – The number of bits transmitted and received.<br />
Bits TX – The number of bits transmitted.<br />
Bits RX – The number of bits received.<br />
Packets – The number of packets transmitted and received.<br />
Packets TX – The number of packets transmitted.<br />
Packets RX – The number of packets received.<br />
Bits/sec. – The number of bits per second.<br />
Bytes/sec. – The number of bytes that have been recorded per second.<br />
Packets/sec. – The number of packets that have been recorded per second.<br />
Adding New Tabs<br />
To add a new tab, click the heading and the New Tab Name<br />
dialog box appears. Enter a new name in the field provided and click OK.<br />
Then, add columns to the new tab using the instructions in Adding New<br />
Columns on page 104.<br />
Reordering and Deleting Columns and Tabs<br />
To reorder or delete tabs, right-click a tab header and the Configure<br />
Statistics Tabs dialog box appears. Use the dialog box controls to reorder<br />
or delete the tabs in the Statistics panel.<br />
To reorder or delete columns, right-click a tab cell and select Move<br />
Right, Move Left, or Delete from the menu options.<br />
Adding or removing an index column will clear all existing checkbox and<br />
highlighted selections on the current Statistics panel tab. Reordering<br />
index columns will clear all existing highlighted selections on the current<br />
Statistics panel tab.
SECTION 2<br />
Capturing and Mining Data<br />
Capturing and Mining Data on page 109<br />
Using Filters in the Quick Select Window on page 119
Chapter 5<br />
Capturing and Mining Data<br />
Overview<br />
This section describes how to start capture and mine captured packets.<br />
The following topics are covered.<br />
About Capture on page 110<br />
Configuring and Starting Capture on page 111<br />
Mining Packet Data on page 115<br />
Using the Mining Summary Dialog on page 116<br />
Using the Progress Panel on page 118<br />
About Capture<br />
Unlike the monitoring function, which stores statistical measurements<br />
about your network traffic, capture collects and stores packet data from<br />
your network in a capture buffer. The packet data stored during capture<br />
can be either Adaptive Session Packets or raw packets, depending on<br />
your capture mode (refer to Configuring and Starting Capture on page<br />
111 for details on selecting a capture mode).<br />
Capture Mode – Packet Data Captured<br />
Adaptive – Adaptive Session Packets for supported protocols. Other packets can be captured in raw form with an optional slice size or filtered entirely.<br />
Packet – Packets are captured as they are seen on the wire (with an optional slice size).<br />
After packet data has been captured, you use the Mining feature to<br />
decode and display the packets in the capture buffer, providing you with<br />
detailed information about network transactions (postcapture analysis).<br />
When you click the Mine button to launch postcapture analysis, Sniffer<br />
Adaptive Application Analyzer automatically launches the postcapture<br />
view corresponding to your selected capture mode, Adaptive or Packet;<br />
refer to Adaptive Session Analysis on page 141 for details.<br />
Configuring and Starting Capture

You start, stop, and configure capture using the Capture Controls in the Sniffer Adaptive Application Analyzer toolbar (Figure 5-1).

Figure 5-1. The Capture Controls (callouts: Start Capture, Stop Capture, Configure Capture)

Select a Capture Mode

Select a capture mode by clicking the Configure Capture button and enabling either Adaptive Capture or Raw Capture (Figure 5-2). The table below summarizes the differences between the two capture modes:

Figure 5-2. Configuring Capture Options
Capture Mode: Adaptive Capture (Default)
Summary: In Adaptive Capture mode, Sniffer Adaptive Application Analyzer extracts key fields from supported protocols and generates Adaptive Session Packets (ASPs) with derived payloads and compressed packet headers through the transport (TCP/UDP) layer. Hexadecimal bytes are not displayed for ASPs. In addition, Sniffer Adaptive Application Analyzer stores metadata correlating ASPs with parent sessions to provide a flow-aware view of network data. You can drill between the session view and the decode view during postcapture analysis to get both the top-down and bottom-up perspective.
Postcapture Analysis: Separate, correlated views provide session and packet statistics:
• Adaptive Session View provides access to adaptive session records (ASRs).
• Adaptive Decode View provides line-by-line interpretation of adaptive session packets (ASPs).

Capture Mode: Raw Capture
Summary: In Raw Capture mode, Sniffer Adaptive Application Analyzer records packets as seen on the wire, including payloads (an optional packet slice setting can be used). In addition, session statistics are not available. Instead, traditional tri-paned packet decodes, Expert analysis, and post-analysis tabs are available.
Postcapture Analysis:
• Tri-pane packet decodes
• Expert analyzer
• Post-analysis tabs (Host Table, Matrix, Protocol Distribution, Statistics)

Set a Capture Buffer Size

Use the Capture Buffer Size field to specify the size of the Sniffer Adaptive Application Analyzer capture buffer. You can enter values from 200 MB to 1 GB. Capture stops automatically when the buffer fills.

Set the Packet Slice Size

The Configure Capture dialog box provides a different slicing option depending on the selected capture mode. The table below summarizes how to configure packet slicing for both Adaptive and Raw mode.
Capture Mode: Adaptive Capture (Default)
Available Packet Slice Option: Adaptive Packet Slice Size
Description: When Adaptive capture is enabled, Sniffer Adaptive Application Analyzer generates Adaptive Session Packets for all protocols with an ASI Protocol Interpreter. You use the Adaptive Packet Slice Size option to specify how much of each packet without an ASI protocol interpreter Sniffer Adaptive Application Analyzer should capture. There are two classes of packets without an ASI Protocol Interpreter:
• Standard IPv4 Protocols on Well-Known TCP/UDP Ports. Sniffer Adaptive Application Analyzer still records generic session metadata for these protocols, either listing them using hardcoded aliases or identifying them as GENERIC (refer to Session View for GENERIC Protocols on page 150 for details).
• Others (Non-IPv4). Sniffer Adaptive Application Analyzer does not record any session metadata for these packets.
Refer to Protocols Supported for Sniffer Adaptive Processing on page 18 for a list of protocols with ASI protocol interpreters.

Capture Mode: Raw Capture
Available Packet Slice Option: Raw Packet Slice Size
Description: When Raw capture is enabled, you use the Raw Packet Slice Size option to specify how much of each packet to capture.

Start Capture!

Once you have finished configuring the capture session, start capture with either the Start Capture button in the toolbar or the Quick Select > Start Capture menu item.

Once you start capturing packets, the Availability Meter at the base of the Graph panel changes from Yellow to Green (Figure 5-3), indicating that both packet data (adaptive or raw) and monitoring statistics are available. You can view statistics in the Statistics panel, as well as mine this portion of the stream for packets. Refer to Availability Meter on page 56 for details.
Figure 5-3. Availability Meter after Capture Starts. The Availability Meter changes from yellow to green when capture starts, indicating packets and statistics are available for the time selection.
Mining Packet Data

In general, mining packet data is as simple as making a selection in the Graph Panel and clicking the Mine button. Sniffer Adaptive Application Analyzer automatically launches the postcapture analysis views corresponding to the current capture mode, Adaptive or Packet (Figure 5-4).

You can also apply a Mining filter as part of the request. Mining filters limit the data returned in the postcapture analysis views according to the filter’s definition. The procedure below describes how to select a Mining filter; refer to Using Filters in the Quick Select Window on page 119 for details on creating filters.

1 Select a segment of packet data in the Graph Panel. Available packet data (ASPs or raw packets) is indicated by green in the Availability Meter (Figure 5-3 on page 114).

2 If you want to use a Mining filter to limit the data returned in the postcapture analysis views, use one of the following options:
• Select an existing filter from the Mining Filtering dropdown.
• Create an Auto Mining Filter by selecting entities in the Statistics Panel. For example, you could create an Auto Mining Filter by selecting individual IP addresses in the IP Address tab.

3 Click Mine. The Summary dialog box appears, summarizing the mining request and allowing you to fine-tune the time selection and/or filter.

4 If you created an optional Auto Mining Filter, click Edit Filter and select the Auto Filter entry to use it for mining.

5 Refine your mining request as desired and click OK to begin packet mining.

NOTE: Refer to Using the Mining Summary Dialog for details on how to use Summary dialog options.

Postcapture Analysis by Capture Mode – Adaptive or Raw

Sniffer Adaptive Application Analyzer mines the selected time window and automatically launches the postcapture analysis views corresponding to your capture mode, as summarized in the table below. Refer to Capturing and Mining Data on page 109 for details on using the postcapture analysis views.
Capture Mode: Adaptive Capture (Default)
Postcapture Analysis Views: Separate, correlated views provide session and packet statistics:
• Adaptive Session View
• Adaptive Decode View (two-pane)
Refer to: Adaptive Mode Postcapture Analysis on page 143

Capture Mode: Raw Capture
Postcapture Analysis Views:
• Tri-pane packet decodes
• Expert analyzer
• Post-analysis tabs (Host Table, Matrix, Protocol Distribution, Statistics)
Refer to: Raw Capture Mode Postcapture Analysis on page 161

Using the Mining Summary Dialog

When you click Mine, the Console displays an optional mining Summary dialog box providing a quick synopsis of your Time Selection and Mining Filter settings.

Figure 5-4. Summary Dialog Box

NOTE: The Summary dialog box automatically appears when you click Mine unless you’ve disabled the Mining Request Summary option in the Quick Select > Options > Mining Options tab.

This dialog box provides an opportunity to modify your time and filter selections before analyzing packet data. Use the following options to fine-tune both the time selection and the filter:
Adjust Times – Click this button to access the Adjust Time Selection dialog box (Figure 5-5) and make time adjustments up to the length of the available packet data displayed in the Graph window.

Figure 5-5. Adjust Time Selection Dialog Box

• First packet lets you move your start time to the first packet in the stream while maintaining your existing duration.
• Last packet lets you move your end time to the last packet in the stream while maintaining your existing duration.
• Start Time lets you enter a new start time, overriding the existing start time.
• Duration lets you enter a new time window (in days, hours, minutes, seconds), while overriding the existing duration. Use this option to specify a duration up to the full length of your selected stream.

Edit Filter – Click this button to make adjustments to the filter settings in the Create/Edit Filters dialog box. See Defining Quick Select Filters on page 124.
Using the Progress Panel

The Progress panel at the bottom right of the Quick Select window gauges the progress of your mining operations. During a transaction the following is displayed:

Scanning indicates that Sniffer Adaptive Application Analyzer is searching the total number of packets for your requested packets.
Found indicates that Sniffer Adaptive Application Analyzer has identified the total number of packets matching your filter criteria.
Items indicates the items count that replaces the Scanning and Found results when you click a Statistics panel tab. The Items value represents the total number of rows in the current tab list.
Progress time is Sniffer Adaptive Application Analyzer’s current “scanning time” location in the stream.
Progress bar is the bar that fills based on the progress of a variety of Sniffer Adaptive Application Analyzer operations.
Chapter 6
Using Filters in the Quick Select Window

Overview

This section explains how to use filters in the Quick Select window. The following topics are covered:

About Quick Select Filters on page 120
Defining Quick Select Filters on page 124
Applying Quick Select Filters on page 132
Applying Mining Filters on page 133
Applying Source Filters on page 134
Applying Adaptive Display Filters on page 136
Applying Statistics Filters on page 138

NOTE: Sniffer Adaptive Application Analyzer also provides a separate display filter mechanism for the traditional postcapture packet decode display. Refer to Working with Display Filters on page 172 for information on these filters.
About Quick Select Filters

Sniffer Adaptive Application Analyzer provides centralized filter creation and management using the Mining Filtering controls at the base of the Quick Select window (Figure 6-1).

Figure 6-1. Centralized Filter Creation in Sniffer Adaptive Application Analyzer

Quick Select filters let you include/exclude packets matching precise combinations of network criteria, including MAC addresses, IP addresses, ports, IP protocols, pattern matches, and so on.

Quick Select filters can be very simple, consisting of a single term, or very sophisticated, involving multiple terms connected by Boolean AND/OR/NOT operators. You can also specify that specific terms be included or excluded.
Reusable Filters with Multiple Filter Points

Once you have created a filter from the Quick Select window, you can use (and reuse) it as a Mining filter, Source filter, Display filter, or Statistics filter. Table 6-1 summarizes the differences between each of these filter points. Figure 6-2 illustrates the Source, Mining, and Statistics filter points; refer to Applying Adaptive Display Filters on page 136 for information on using Quick Select filters as Display filters with Adaptive Session/Packet data.

Table 6-1. Quick Select Window Filters

Source Filters
Description: Source Filters are applied at the network interface. They exclude packets matching specified criteria from monitoring or capture:
• Monitor statistics in the Quick Select window will not include packets excluded by a source filter. This includes both the Graph panel and all Statistics panel tabs.
• Postcapture analysis will not include packets excluded by a source filter. This includes both Adaptive and raw packet postcapture views.
Note: Because source filters prevent matching packets from ever being seen by Sniffer Adaptive Application Analyzer, you should apply them carefully.
How Applied: Right-click a stream in the Navigation panel, choose Apply Source Filter, and select the filter to use as a source filter. Once you’ve applied a source filter to a stream, its entry in the Navigation panel appears with a distinctive icon when selected.
Mode: Adaptive and Raw

Mining Filters
Description: Mining filters are applied when you click the Mine button to retrieve stored packet data (ASPs or raw packets) from the capture buffer. They are used to focus postcapture analysis on packet data matching specified criteria.
How Applied: Select a filter from the Mining Filtering dropdown at the base of the Quick Select window before clicking the Mine button. Alternatively, you can use the Edit Filter button in the Summary dialog box that appears after clicking Mine.
Mode: Adaptive and Raw

Adaptive Display Filters
Description: Display filters are applied after you’ve mined adaptive session packets and session records into the postcapture display. Display filters open a new postcapture display window containing just those ASPs or ASRs matching the selected filter.
How Applied: Use the Create/Apply Filter command, either from the Display menu or from the right-click context menu. Note that the filter only applies to the currently active window, Adaptive Session or Adaptive Decode, and not both simultaneously.
Mode: Adaptive only

Statistics Filters
Description: Statistics filters are applied when displaying metrics in the Statistics panel based on the current selection in the Graph panel. They are used to focus the Statistics panel displays on particular network entities, temporarily eliminating the data that does not interest you.
How Applied: Select a filter from the Statistics Filter dropdown at the base of the Quick Select window. The Statistics panel automatically refreshes based on the selected filter.
Mode: Adaptive and Raw
Figure 6-2. Applying Quick Select Window Filters
Defining Quick Select Filters

You work with Quick Select filter definitions in the Create/Edit Filters dialog box. The Create/Edit Filters dialog box lets you manage your existing filter list, create new filters, or fine-tune an existing filter’s definitions. You can save filters for temporary analysis, save edited filters with new names, and so on.

The Create/Edit Filters dialog box (Figure 6-3) appears whenever you click the Create or Edit button in the Mining Filtering controls at the base of the Quick Select window (refer to Figure 6-1 on page 120).

Figure 6-3. Create/Edit Filters Dialog Box (callouts a, b, c, d)

The Create/Edit Filters dialog box is divided into the Filter List (a) and Filter Editor (c) panes, each with its own set of corresponding buttons.

Working with Auto Filters on page 125
Working with the Filter List Pane (a) on page 125
Working with the Filter Editor Pane (c) on page 126
Adding Terms to the Create/Edit Filters Dialog Box on page 129
Using Pattern Matches with Mining Filters on page 131
Working with Auto Filters

You also use the Create/Edit Filter dialog box to work with Auto Filters. After making checkbox selections in the Statistics panel, Sniffer Adaptive Application Analyzer automatically reads your selections and constructs a custom filter based on them, and the Auto Filter option appears in the Create/Edit Filter dropdown.

• Click Edit to fine-tune the Auto Filter in the Create/Edit Filters dialog box.
• Click Mine to apply the filter right away.

NOTE: Once you edit an Auto Filter, you can set it as a temporary filter for one-time use, save it for future use, or save it under a different name.

Working with the Filter List Pane (a)

The Filter List pane (a in Figure 6-3 on page 124) lists each of the currently defined filters in the filter list. Select a filter entry and its definition appears in the adjacent Filter Editor. The Filter List includes each filter with the following information:

Filter Name – The name assigned to this filter.
Modified – Whether or not the selected filter has unsaved changes. If you edit an existing filter, an asterisk will appear in the Modified column until your changes are saved.

NOTE: If the Create/Edit Filters dialog was opened from Edit Auto Filter, the Filter List (a) will only list the current filter. The Filter List (a) will list all the saved filters if you select a saved filter and press the Edit button.

Filter List Buttons

Use the following Filter List buttons (b) to manage the filter list:
Table 6-2. Filter List Buttons

New – Creates a new entry in the filter list with the default name New Filter x (where x increments sequentially as new filters are added to the list – New Filter 1, New Filter 2, and so on). You can rename the filter to something more meaningful by selecting its entry and clicking the Rename button.

Delete – Removes the selected filter(s) from the list.
NOTE: You can use familiar Ctrl-Click and Shift-Click techniques to select multiple entries in the list for deletion.
NOTE: You can delete all of the entries in the list quickly by selecting the topmost filter and pressing the Delete button repeatedly until all entries are deleted. However, if you select a filter entry in the middle of the list and press the Delete button repeatedly, you will only be able to delete entries from the selected filter to the end of the list. When you reach the end of the list, the filter above the selected entry will not be automatically selected in order to protect you from inadvertently deleting the entire list.

Rename – Opens a dialog box where you can supply a new name for the selected filter.

Save – Saves the currently selected filter(s).
NOTE: You can use familiar Ctrl-Click and Shift-Click techniques to select multiple entries in the list for saving.
NOTE: The Create/Edit Filters dialog box will not let you save empty filters – filters with no associated terms.

Clone – Creates a duplicate of the selected filter with the name New Filter x (where x increments sequentially as new filters are added to the list – New Filter 1, New Filter 2, and so on).
TIP: Cloning a filter is particularly useful when you want to tweak an existing filter’s definition for a particular analysis situation without losing the original filter.
Working with the Filter Editor Pane (c)

The Filter Editor workspace (c in Figure 6-3 on page 124) shows the current filter settings in a tree-like diagram with Boolean logical operators connecting different terms. A summary of each logical level of the filter appears adjacent to the operator.

You can select a portion of the filter and use the Filter Editing (d) buttons to edit the filter’s definition. Filter Editing buttons let you manage terms and operators at the location specified in the Filter Editor, as described in the table below:

IMPORTANT: You can also right-click in the Filter Editor workspace to access the context menu. The context menu gives you easy access to most of the same functionality as the buttons in the table below and also adds Copy and Paste functionality. See Using the Filter Editor Context Menu on page 128.

Table 6-3. Filter Editing Buttons

Add AND/OR – Adds a new AND/OR operator at the specified location. You can toggle the new operator between AND and OR by double-clicking its entry in the Filter Editor or by clicking the Toggle AND/OR button.

Toggle AND/OR – Toggles the selected operator between AND and OR. You can perform the same operation by double-clicking its entry in the Filter Editor.

Toggle NOT – Toggles the selected term between Include and Exclude (NOT). You can perform the same operation by double-clicking a term’s entry in the Filter Editor.

Direction – Opens a dialog box in which you can select whether to mine packets in both directions on the selected conversation, from the Source to the Destination only, or from the Destination to the Source only.
NOTE: This button is only available when a “directional” term is selected – for example, a conversation between two IP stations.

Edit Item – Opens a dialog box in which you can edit the selected term’s definition. The exact options that appear depend on the type of term selected. See Adding Terms to the Create/Edit Filters Dialog Box on page 129 for information on the options that can appear.

Delete Item – Removes the selected item from the Filter Editor.

Add – Opens a dialog box in which you can define the term selected in the adjacent dropdown list for addition to the Filter Editor. For example, if IP Address is selected, a dialog box appears in which you can specify the IP address and subnet mask to be added to the Filter Editor. See Adding Terms to the Create/Edit Filters Dialog Box on page 129 for details on the different terms you can add and how to define them.

Clear – Removes all definitions in the Filter Editor and creates a blank workspace.
Other Buttons in the Create/Edit Filters Dialog Box

OK accepts the current filter definitions and exits the Create/Edit Filters dialog box. When you click the OK button, the Create/Edit Filters dialog box takes the following actions:
• Saves all changes made to named filters.
• Sets the currently selected filter for mining analysis.
• If the Auto Filter or Temporary filter is selected, saves the settings as the new temporary filter and sets it for analysis. The old temporary filter will be overwritten.

IMPORTANT: Clicking OK only saves changes to an Auto Filter or Temporary filter if it is selected. If it is not selected, changes made to an Auto Filter or Temporary filter will not be saved when you click OK.

IMPORTANT: The Auto Filter and Temporary filters are special, reserved filters used by the system. These filter types provide you with the ability to set up filters quickly without worrying about saving them right away. The Auto Filter and Temporary filter settings stay preserved in memory until a new temporary filter is created.

NOTE: If you click OK after editing an Auto Filter, the Auto Filter will be saved as a Temporary filter. You can still return to the Create/Edit Filters dialog box and save it with a permanent name, but you must do so before creating a new Temporary filter. Creating a new Temporary filter removes the previous Temporary filter’s settings from memory.

Cancel cancels all actions and returns you to the Quick Select window.

Help displays context-sensitive help for the Create/Edit Filters dialog box.

Using the Filter Editor Context Menu

You can right-click in the Filter Editor workspace to access the context menu (Figure 6-4). The context menu gives you easy access to most of the same functionality as the buttons described in Table 6-3 on page 127 and also adds Copy, Cut, and Paste functionality. You can insert and delete terms and operators, rename terms, toggle operators and terms, and change directions, just as you would with the buttons at the base of the Filter Editor workspace.

Figure 6-4. Filter Editor Context Menu
Adding Terms to the Create/Edit Filters Dialog Box

When adding terms to a filter, different options appear depending on the type of term you are adding, as described in the table below.

For all terms, you can either Exclude the term by checking the Exclude box in the dialog box that appears when you click Add, or Include the term by leaving the box blank. You can toggle this selection later using the Toggle NOT button.

Maximum Number of Filter Terms

The maximum number of filter terms supported for a single filter is 140.

Filter Validation

When you click the Mine button at the base of the Quick Select window, the Sniffer Adaptive Application Analyzer will evaluate the selected filter to see if it contains any terms that do not apply to the selected stream or trace file. If the selected filter is incompatible with the selected stream or trace file, you will be prompted to select a new filter or modify the current filter.

Filter Criteria for Adaptive Workflows

When creating filters from the Adaptive Session or Decode views, only IP Address and Port criteria are available for use.

Filters created from the Quick Select window that include criteria other than IP addresses and ports (for example, a MAC address) will not return any matching data when used against the Adaptive views.

Table 6-4. Adding Terms to a Filter

MAC Address (VLAN/MPLS) – Supply in hexadecimal format.
IP Address – Supply in familiar dotted-quad notation with the appropriate number of subnet mask bits in the Mask field.
Port – Supply either a single port number, or click the Port Range button to add a range of ports.
VLAN (VLAN) – Supply a VLAN ID.
IP Protocol – Supply the IP protocol number.
NOTE: For a list of mappings between the decimal notation for IP Protocol numbers and the common names, see http://www.iana.org/assignments/protocol-numbers.
Layer 2 – Use the Protocol Dialog to select the Layer 2 protocols to be used as part of this filter.
ToS – Supply the ToS value as an integer.
Network – Supply an IP subnet address in familiar dotted-quad notation with the appropriate number of subnet mask bits in the Mask field.
Pattern Match – Supply up to 32 bytes of Hex or ASCII pattern, along with a fixed offset into the packet. Optional masking allows you to turn specific pattern bits on or off for more complex patterns. See Using Pattern Matches with Mining Filters on page 131.
Using Pattern Matches with Mining Filters<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> includes a Pattern Matching<br />
feature that lets you search for any data pattern at a fixed offset within<br />
your captured packet data. This is extremely useful when you're<br />
searching for packets containing addresses in encapsulated frames or a<br />
custom application value that occurs at a predetermined offset in the<br />
packet. Pattern Matching optimizes your mining performance by<br />
returning only those packets that match your pattern-specific search<br />
parameters.<br />
NOTE: For ASCII Pattern Match filtering to be successful, you must<br />
supply the exact offset at which the specified ASCII string will be<br />
found. ASCII data must be within the valid range of printing ASCII<br />
characters (33-126 decimal; 0x21 - 0x7F hexadecimal).<br />
To add a Pattern Match filter term:<br />
1 Open the Mining Filters window by clicking either the Create or<br />
Edit button in the Mining Filtering controls at the base of the Quick<br />
Select window.<br />
2 Add a Pattern Match term by clicking the dropdown listing available<br />
filter terms, selecting Pattern Match, and clicking Add.<br />
3 The Edit Pattern dialog box appears. Use this dialog to configure<br />
your new filter term.<br />
Figure 6-5. Edit Pattern Dialog Box<br />
Pattern Match terms can include up to 32 bytes of Hex or ASCII pattern,<br />
along with a fixed offset into the packet. Optional masking allows you to<br />
turn specific pattern bits on or off for more complex patterns.<br />
IMPORTANT: Be careful to use a hexadecimal offset value rather than<br />
decimal for best results.<br />
Notes on Pattern Match Filters<br />
Keep in mind the following when using Pattern Match filters:<br />
No Pattern Matches in Statistics Filters – Mining filters that include<br />
a Pattern Match component cannot be used as Statistics filters. An<br />
error message will appear if you attempt to select such a filter.<br />
Special Characters Not Allowed – Special characters such as<br />
periods (.) are not allowed when entering ASCII for pattern match<br />
filters. Only ASCII characters from the valid printable range are<br />
allowed (decimal 33-126).<br />
Pattern Match Filters and IPv6 – When using fixed-offset Pattern<br />
Match filters on IPv6 traffic, you must set the From option to Frame<br />
and not IP, TCP, or UDP for successful results.<br />
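The Pattern Match term from Table 6-4, the procedure and the notes above, worked through as an added Python example (not code from the guide or from NetScout): fixed-offset matching with an optional bit mask, the printable-ASCII check, and the From option resolved against the frame. It assumes untagged Ethernet II framing and uses a constructed HTTP frame and a constructed IPv6 frame as sample input; the IPv6 case shows why From must be set to Frame for IPv6 traffic.

```python
"""Fixed-offset Pattern Match filtering, modelled on the filter term described
above.  Added example, not NetScout code; framing assumptions are noted inline."""
import struct
from typing import Optional

ETH_LEN = 14                      # untagged Ethernet II header (assumption of this example)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
PRINTABLE_ASCII = range(33, 127)  # the guide's valid range: decimal 33-126
MAX_PATTERN = 32                  # the guide's per-term pattern limit


def ascii_pattern(text: str) -> bytes:
    """Encode an ASCII pattern, rejecting lengths and characters the guide disallows."""
    data = text.encode("ascii")
    if not 0 < len(data) <= MAX_PATTERN:
        raise ValueError(f"pattern must be 1..{MAX_PATTERN} bytes")
    bad = [c for c in data if c not in PRINTABLE_ASCII]
    if bad:
        raise ValueError(f"non-printable ASCII byte(s) not allowed: {bad}")
    return data


def base_offset(frame: bytes, start_from: str) -> Optional[int]:
    """Map the From option (frame/ip/tcp/udp) to a byte index in the frame.
    Returns None when the base cannot be located; with IPv6 this happens for
    every option except 'frame', which is the note above about IPv6 traffic."""
    if start_from == "frame":
        return 0
    if start_from not in ("ip", "tcp", "udp"):
        raise ValueError(f"unknown From option: {start_from}")
    if len(frame) < ETH_LEN + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:          # IPv6 (or anything else): no IPv4 header to walk
        return None
    if start_from == "ip":
        return ETH_LEN
    ihl = (frame[ETH_LEN] & 0x0F) * 4        # IPv4 header length in bytes
    proto = frame[ETH_LEN + 9]               # IPv4 protocol field
    if proto != (6 if start_from == "tcp" else 17):
        return None
    return ETH_LEN + ihl


def pattern_match(frame: bytes, pattern: bytes, offset: int,
                  mask: Optional[bytes] = None, start_from: str = "frame") -> bool:
    """True when `pattern` is found `offset` bytes past the chosen base.
    Mask bits set to 1 are compared and mask bits set to 0 are ignored, which
    is how the optional masking turns individual pattern bits on or off."""
    if not 0 < len(pattern) <= MAX_PATTERN:
        raise ValueError(f"pattern must be 1..{MAX_PATTERN} bytes")
    mask = b"\xff" * len(pattern) if mask is None else mask
    if len(mask) != len(pattern):
        raise ValueError("mask must be the same length as the pattern")
    base = base_offset(frame, start_from)
    if base is None:
        return False
    window = frame[base + offset: base + offset + len(pattern)]
    if len(window) < len(pattern):           # pattern would run past the end of the frame
        return False
    return all((w & m) == (p & m) for w, p, m in zip(window, pattern, mask))


def sample_http_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying an HTTP request (sample data)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    payload = b"GET /index.html HTTP/1.1\r\n"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def sample_ipv6_frame() -> bytes:
    """Constructed Ethernet/IPv6 frame, IPv6 header only (sample data)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + bytes.fromhex("60000000" "00000640") + bytes(32)


if __name__ == "__main__":
    f = sample_http_frame()
    # The TCP payload starts 0x36 bytes into this frame (offsets given in hex, as the guide advises).
    print(pattern_match(f, ascii_pattern("GET"), 0x36))                    # True
    print(pattern_match(f, ascii_pattern("GET"), 0x14, start_from="tcp"))  # True
    # Masked match on the IPv4 destination (IP offset 0x10): any host in 198.51.100.0/24.
    print(pattern_match(f, bytes([198, 51, 100, 0]), 0x10,
                        mask=bytes([255, 255, 255, 0]), start_from="ip"))  # True
    print(pattern_match(sample_ipv6_frame(), b"\x60", 0, start_from="ip"))  # False
```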
Applying Quick Select Filters<br />
This section describes how to apply filters created using the Create/<br />
Edit Filters dialog box. You can apply filters as mining, source, or<br />
statistics filters – refer to Table 6-1 on page 121 for a summary of the<br />
differences between these filter types.<br />
Applying Mining Filters on page 133<br />
Applying Source Filters on page 134<br />
Applying <strong>Adaptive</strong> Display Filters on page 136<br />
Applying Statistics Filters on page 138<br />
NOTE: <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> also provides a<br />
separate display filter mechanism for the traditional postcapture<br />
packet decode display. Refer to Working with Display Filters on page<br />
172 for information on these filters.
Applying Mining Filters<br />
Use the Mining Filtering controls at the base of the Quick Select<br />
window to select an existing filter for use as a Mining filter. Mining filters<br />
are used to retrieve a specific set of packets (<strong>Adaptive</strong> Session Packets<br />
or raw packets) from the time selection in the Graph panel. Mining filters<br />
are applied when you click the Mine button.<br />
NOTE: Refer to Figure 6-2 on page 123 for a summary of where the<br />
different filter types are applied.<br />
Figure 6-6. Mining Filtering<br />
The dropdown lists all filters created using the Create/Edit Filters<br />
dialog box. You can select an existing Mining Filter from the<br />
dropdown list.<br />
Select (None) to disable filtering and return all of the packets<br />
within your time selection.<br />
Click Edit to change the settings for the currently selected filter. If<br />
the dropdown is set to (None), this button reads Create; click it<br />
to start the filter creation process.<br />
Using the Frame Slice Option – Raw Packet Capture Only<br />
Frame Slicing is a performance optimization tool that truncates each<br />
frame to a specified length during mining. This option can be used when<br />
capturing in raw packet mode to limit mined packets to headers and<br />
some portion of the payload.<br />
IMPORTANT: This option is not supported when capturing in <strong>Adaptive</strong><br />
mode. <strong>Sniffer</strong> <strong>Adaptive</strong> processing already intelligently condenses packet<br />
contents to just those details necessary for analysis. Slicing doesn’t<br />
make sense in this context.<br />
When capturing in raw packet mode, frame slicing can decrease the time<br />
it takes to return a mining request and the size of a trace file; however,<br />
it can also limit analysis capabilities. The Expert analyzer uses a best<br />
effort approach in its analysis of sliced frames based on the specified<br />
packet length.<br />
Apply frame slicing to the filter using the values defined in the Frame<br />
Slice dropdown list. Options include Full Packet, 64 bytes, 128<br />
bytes, 256 bytes, 512 bytes, 768 bytes, and 1024 bytes.<br />
Applying Source Filters<br />
Apply source filters by right-clicking a stream’s entry in the Navigation<br />
panel and selecting the Apply Source Filter command (Figure 6-7).<br />
Figure 6-7. Applying Source Filters<br />
As summarized in the figure above, Source Filters are applied at the<br />
network interface. They exclude packets matching specified criteria from<br />
monitoring or capture:
Monitor statistics in the Quick Select window will not include<br />
packets excluded by a source filter. This includes both the Graph<br />
panel and all Statistics panel tabs.<br />
Postcapture analysis will not include packets excluded by a source<br />
filter. This includes both <strong>Adaptive</strong> and raw packet postcapture<br />
views.<br />
Using the Apply Source Filter Dialog Box<br />
The Apply Source Filter dialog box appears when you right-click a stream<br />
in the Navigation panel and select the Apply Source Filter command<br />
(Figure 6-7):<br />
Use the Select Filter dropdown to select an existing filter for use<br />
as a Source filter. The dropdown includes all filters constructed<br />
using the Create/Edit Filter dialog box.<br />
Once you select a filter from the dropdown, the Filter Summary<br />
populates with a synopsis of its settings.<br />
Use the Edit Filter button to launch the Create/Edit Filter dialog<br />
box. From here, you can either fine-tune the selected filter or<br />
create an entirely new filter.<br />
Indication of Source Filter Usage<br />
Because source filters prevent matching packets from ever being seen<br />
by <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>, it’s important to understand<br />
when one is applied (and what it’s removing!). Because of this, <strong>Sniffer</strong><br />
<strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> displays streams with a source filter<br />
applied with a distinctive icon (Figure 6-8). The stream returns to its<br />
normal appearance when a source filter is no longer applied.<br />
Figure 6-8. Source Filter Indication in Navigation Panel (callouts: the “Source Filter Applied” icon appears when a source filter is applied; the stream returns to its normal color/letter designation when the source filter is removed)<br />
Applying <strong>Adaptive</strong> Display Filters<br />
Apply Quick Select filters as <strong>Adaptive</strong> display filters from either the<br />
<strong>Adaptive</strong> Session or <strong>Adaptive</strong> Decode view by choosing the Create/<br />
Apply Filter command, either from the Display menu or from the right-click<br />
context menu (Figure 6-9).<br />
Figure 6-9. Using Quick Select Filters as <strong>Adaptive</strong> Display Filters
<strong>Adaptive</strong> Display Filter Notes<br />
Keep in mind the following notes when using display filters with <strong>Adaptive</strong><br />
Session (ASR) and <strong>Adaptive</strong> Decode (ASP) data:<br />
Display filters used with the <strong>Adaptive</strong> views can only include IP<br />
address and Port criteria. Other criteria are not available when<br />
creating filters from the <strong>Adaptive</strong> views.<br />
Filters created from the Quick Select window that include criteria<br />
other than IP addresses and ports (for example, a MAC address)<br />
will not return any matching data when used against the <strong>Adaptive</strong><br />
views.<br />
Display filters must be applied separately against the <strong>Adaptive</strong><br />
Session (ASR) and <strong>Adaptive</strong> Decode (ASP) views.<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> also provides a separate<br />
display filter mechanism for the traditional postcapture packet<br />
decode display. Refer to Working with Display Filters on page 172<br />
for information on these filters.<br />
Applying Statistics Filters<br />
Use the Statistics Filtering controls at the base of the Quick Select<br />
window to select an existing filter for use as a Statistics filter. Statistics<br />
filters are applied when displaying metrics in the Statistics panel based<br />
on the current selection in the Graph panel. They are used to focus the<br />
Statistics panel displays on particular network entities, temporarily<br />
eliminating the data that does not interest you.<br />
Refer to Using Statistics Filtering on page 93 for details on Statistics<br />
filtering use cases.<br />
NOTE: Refer to Figure 6-2 on page 123 for a summary of where the<br />
different filter types are applied.<br />
Figure 6-10. Statistics Filtering<br />
The dropdown lists all filters created using the Create/Edit Filters<br />
dialog box. You can select an existing filter from the dropdown list.<br />
Alternatively, you can select (None) to disable filtering and return<br />
all statistics within your time selection.
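The filter semantics described in Filter Validation, Filter Criteria for Adaptive Workflows and the four Applying sections above, as an added Python model that is not code from the guide or from NetScout: terms with the Toggle NOT option, the 140-term limit, validation of a filter for a given use, and source filters excluding matching packets while mining, Adaptive display and statistics filters keep them. The packet records are constructed sample data, and the rule that a filter's terms are ANDed together is this example's assumption (the guide does not state how terms combine).

```python
"""Quick Select filter semantics modelled on the sections above.  Added example,
not NetScout code; the packet records and the AND-of-terms rule are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

MAX_TERMS = 140   # per-filter limit stated in the guide

# Term kinds each filter use may contain.  The guide restricts Adaptive display
# filters to IP address and Port criteria and bars Pattern Match components from
# statistics filters; it states no restriction for mining or source filters.
ALL_KINDS = {"mac", "ip", "port", "protocol", "pattern"}
ALLOWED = {
    "mining": ALL_KINDS,
    "source": ALL_KINDS,
    "adaptive": {"ip", "port"},
    "statistics": ALL_KINDS - {"pattern"},
}


@dataclass
class Term:
    kind: str        # "mac", "ip", "port", "protocol" or "pattern"
    value: object    # mac str | ip_network | (low, high) port range | int protocol | (offset, bytes)
    negate: bool = False   # the Toggle NOT button

    def matches(self, pkt: Dict) -> bool:
        if self.kind == "mac":
            hit = self.value.lower() in (pkt["src_mac"].lower(), pkt["dst_mac"].lower())
        elif self.kind == "ip":          # address with mask bits, matched on either endpoint
            hit = any(ip_address(pkt[k]) in self.value for k in ("src_ip", "dst_ip"))
        elif self.kind == "port":        # a single port is the range (p, p); either endpoint
            low, high = self.value
            hit = any(low <= pkt[k] <= high for k in ("sport", "dport"))
        elif self.kind == "protocol":    # IANA protocol number
            hit = pkt["proto"] == self.value
        elif self.kind == "pattern":     # fixed offset into the transport payload (simplified)
            offset, pattern = self.value
            hit = pkt["payload"][offset:offset + len(pattern)] == pattern
        else:
            raise ValueError(f"unknown term kind: {self.kind}")
        return hit != self.negate        # NOT inverts the term's result


@dataclass
class Filter:
    name: str
    terms: List[Term]

    def __post_init__(self) -> None:
        if not 0 < len(self.terms) <= MAX_TERMS:
            raise ValueError(f"a filter must have 1..{MAX_TERMS} terms")

    def invalid_terms(self, use: str) -> List[str]:
        """Term kinds that make this filter unusable for `use`; the kind of check
        the Mine button performs before a filter is run."""
        return sorted({t.kind for t in self.terms} - ALLOWED[use])

    def matches(self, pkt: Dict) -> bool:
        return all(t.matches(pkt) for t in self.terms)   # AND of all terms (assumption)


def apply_filter(packets: List[Dict], flt: Filter, use: str) -> List[Dict]:
    """Apply `flt` as a mining, source, adaptive or statistics filter.
    Source filters EXCLUDE matching packets at the interface, so they never reach
    monitoring or capture; the other uses KEEP matching packets."""
    bad = flt.invalid_terms(use)
    if bad:
        raise ValueError(f"filter {flt.name!r} has terms not usable as a {use} filter: {bad}")
    if use == "source":
        return [p for p in packets if not flt.matches(p)]
    return [p for p in packets if flt.matches(p)]


def sample_packets() -> List[Dict]:
    """Constructed packet records (sample data, not a real capture)."""
    return [
        {"id": 1, "src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb",
         "src_ip": "192.0.2.10", "dst_ip": "198.51.100.20", "proto": 6,
         "sport": 40000, "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
        {"id": 2, "src_mac": "66:77:88:99:aa:bb", "dst_mac": "00:11:22:33:44:55",
         "src_ip": "198.51.100.20", "dst_ip": "192.0.2.10", "proto": 6,
         "sport": 80, "dport": 40000, "payload": b"HTTP/1.1 200 OK\r\n"},
        {"id": 3, "src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb",
         "src_ip": "192.0.2.10", "dst_ip": "198.51.100.53", "proto": 17,
         "sport": 51000, "dport": 53, "payload": b"\x12\x34\x01\x00"},
        {"id": 4, "src_mac": "cc:dd:ee:ff:00:11", "dst_mac": "66:77:88:99:aa:bb",
         "src_ip": "203.0.113.7", "dst_ip": "198.51.100.20", "proto": 6,
         "sport": 52000, "dport": 443, "payload": b"\x16\x03\x01"},
    ]


if __name__ == "__main__":
    pkts = sample_packets()
    web = Filter("web", [Term("ip", ip_network("192.0.2.0/24")), Term("port", (80, 80))])
    print([p["id"] for p in apply_filter(pkts, web, "mining")])   # [1, 2]  kept
    print([p["id"] for p in apply_filter(pkts, web, "source")])   # [3, 4]  matches excluded
```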
SECTION 3<br />
Analyzing Data<br />
Postcapture Analysis by Capture <strong>Mode</strong> on page 141<br />
<strong>Adaptive</strong> <strong>Mode</strong> Postcapture Analysis on page 143<br />
Raw Capture <strong>Mode</strong> Postcapture Analysis on page 161<br />
Expert Analysis on page 219
Chapter 7<br />
<strong>Adaptive</strong> Session Analysis<br />
Overview<br />
This chapter describes postcapture analysis views for data captured in<br />
<strong>Adaptive</strong> mode. In <strong>Adaptive</strong> mode, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong><br />
stores condensed <strong>Adaptive</strong> Session Packets for supported protocols<br />
while also recording session-based metadata.<br />
IMPORTANT: Refer to Raw Capture <strong>Mode</strong> Postcapture Analysis on page<br />
161 for information on the postcapture views available for Raw mode.<br />
Also, refer to Postcapture Analysis by Capture <strong>Mode</strong> on page 141 for a<br />
discussion of the postcapture views available for different capture modes.<br />
The section includes the following major topics:<br />
Postcapture Analysis by Capture <strong>Mode</strong> on page 141<br />
<strong>Adaptive</strong> <strong>Mode</strong> Postcapture Analysis on page 143<br />
How <strong>Adaptive</strong> Processing Works on page 144<br />
<strong>Adaptive</strong> Postcapture Analysis Views on page 146<br />
Postcapture Analysis by Capture <strong>Mode</strong><br />
When you mine captured data, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong><br />
<strong>Analyzer</strong> automatically displays the postcapture analysis views<br />
corresponding to your capture mode – <strong>Adaptive</strong> or Raw Capture. The<br />
available views are summarized in Figure 7-1:<br />
<strong>Adaptive</strong> <strong>Mode</strong> – <strong>Adaptive</strong> Session and <strong>Adaptive</strong> Decode views.<br />
Refer to <strong>Adaptive</strong> <strong>Mode</strong> Postcapture Analysis on page 143 for<br />
details on these views.<br />
Raw <strong>Mode</strong> – Expert, Decode, Matrix, Host Table, Protocol<br />
Distribution, and Statistics tabs. Refer to Raw Capture <strong>Mode</strong><br />
Postcapture Analysis on page 161 and Expert Analysis on page 219<br />
for details on these tabs.<br />
Figure 7-1. Postcapture Analysis by Capture <strong>Mode</strong> (<strong>Adaptive</strong> or Packet)
<strong>Adaptive</strong> <strong>Mode</strong> Postcapture Analysis<br />
When you mine data captured in <strong>Adaptive</strong> mode, <strong>Sniffer</strong> <strong>Adaptive</strong><br />
<strong>Application</strong> <strong>Analyzer</strong> presents separate <strong>Adaptive</strong> Session (ASR) and<br />
<strong>Adaptive</strong> Decode (ASP) views with correlated drilling between the two<br />
views.<br />
This section discusses how <strong>Adaptive</strong> processing works, how to work with<br />
the <strong>Adaptive</strong> postcapture views, and details on the individual protocols<br />
supported for <strong>Adaptive</strong> processing in this release. Refer to the following<br />
topics for details:<br />
How <strong>Adaptive</strong> Processing Works on page 144<br />
<strong>Adaptive</strong> Postcapture Analysis Views on page 146<br />
<strong>Adaptive</strong> Session View on page 147<br />
<strong>Adaptive</strong> Decode View on page 153<br />
Searching <strong>Adaptive</strong> Views on page 158<br />
Using Filters with <strong>Adaptive</strong> Postcapture Views on page 159<br />
How <strong>Adaptive</strong> Processing Works<br />
<strong>Adaptive</strong> Session processing works differently than traditional packet<br />
capture, condensing packet data into <strong>Adaptive</strong> Session Packets (ASPs)<br />
and recording end-to-end session metrics in <strong>Adaptive</strong> Session Records<br />
(ASRs). This section summarizes how <strong>Adaptive</strong> processing works, as<br />
well as how the results are presented (Figure 7-2).<br />
<strong>Adaptive</strong> Packet Processing in the <strong>Adaptive</strong> Decode View<br />
Packets with an ASI protocol interpreter are condensed into<br />
<strong>Adaptive</strong> Session Packets (ASPs).<br />
ASPs include compressed packet headers through the transport<br />
layer and an intelligently “derived” payload rather than the actual<br />
payload. ASPs are much smaller than their raw counterparts and<br />
can be stored and analyzed much more efficiently. The exact fields<br />
preserved in an ASP vary by protocol but include compressed MAC/<br />
IP headers and key data fields (for example, SQL calls embedded<br />
in the data portion of an HTTP packet).<br />
TCP/UDP v4 packets without an ASI protocol interpreter are<br />
captured with compressed headers and a raw application payload<br />
(with an optional slice size starting after the TCP/UDP header).<br />
Generic session data is also available for these packets.<br />
Other IP packets (including IPv6) can be captured as raw packets<br />
with an optional slice size. No session data is available for these<br />
packets.<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> presents ASPs in the <strong>Adaptive</strong><br />
Decode view. ASPs are also correlated with their parent ASRs for drillup<br />
analysis.<br />
<strong>Adaptive</strong> Session Processing in the <strong>Adaptive</strong> Session View<br />
In addition to condensing packets into ASPs, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong><br />
<strong>Analyzer</strong> also records flow-based metadata in <strong>Adaptive</strong> Session<br />
Records (ASRs) for session analysis.<br />
Session analysis for flows with an ASI protocol interpreter includes<br />
application-specific metrics in addition to standard transaction<br />
metrics, including:<br />
Source/Destination Identifiers<br />
Session start/end times<br />
Latency metrics, success/failure codes, and error messages.
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> also provides session analysis<br />
for TCP/UDP v4 flows without an ASI protocol interpreter, providing<br />
transaction metrics under GENERIC entries in the Session Decode<br />
view.<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> presents ASRs in the <strong>Adaptive</strong><br />
Session view. ASRs are also correlated with their underlying ASPs for<br />
drilldown analysis.<br />
Figure 7-2. Postcapture Views for <strong>Adaptive</strong> <strong>Mode</strong> (callouts: <strong>Adaptive</strong> capture produces session statistics, shown here for an FTP session; the <strong>Adaptive</strong> Packet Drill Down command opens the underlying packet events in the <strong>Adaptive</strong> Decode view, where standard Summary and Detail panes let you browse them, here showing one of the FTP packets associated with the session; the Open ASR command drills up to the session file containing the parent flow)<br />
<strong>Adaptive</strong> Postcapture Analysis Views<br />
When you mine data captured in <strong>Adaptive</strong> mode, <strong>Sniffer</strong> <strong>Adaptive</strong><br />
<strong>Application</strong> <strong>Analyzer</strong> presents the <strong>Adaptive</strong> Session View summarizing<br />
end-to-end session metrics for TCP/UDP-based sessions seen in the<br />
Graph Panel time selection. From there, you can drill down to the<br />
underlying ASPs using the <strong>Adaptive</strong> Packet Drill Down command.<br />
This section describes the <strong>Adaptive</strong> Session and Decode views:<br />
<strong>Adaptive</strong> Session View on page 147<br />
Drilling Down to <strong>Adaptive</strong> Session Packets on page 151<br />
About the ASR File Format on page 152<br />
<strong>Adaptive</strong> Decode View on page 153<br />
Searching <strong>Adaptive</strong> Views on page 158<br />
Using Filters with <strong>Adaptive</strong> Postcapture Views on page 159<br />
<strong>Adaptive</strong> Session/Decode View Mechanics<br />
The <strong>Adaptive</strong> Session and Decode Views use the same familiar interface<br />
as the standard Decode tab for raw packets. Because of this, the general<br />
mechanics of working with the views are very similar to those described<br />
in Raw Capture <strong>Mode</strong> Postcapture Analysis on page 161.<br />
In general, options for navigating the line-by-line display, setting<br />
Display Setup Options, printing the contents of the display, and using<br />
context-menu commands are all identical or quite similar to the Decode<br />
tab. Any Raw mode commands that aren’t supported with <strong>Adaptive</strong> data<br />
are grayed out of the interface when working with the <strong>Adaptive</strong> views.<br />
For general operating information on working with Decode views, refer<br />
to the following topics:<br />
Introducing the Packet Decode Tab on page 165<br />
Navigating the Decode Tab on page 167<br />
Setting Display Setup Options on page 191<br />
IMPORTANT: Keep in mind that the Address Book feature available for<br />
use with data captured in Raw mode is not used for the <strong>Adaptive</strong><br />
postcapture displays. Network stations still appear with their addresses<br />
in the <strong>Adaptive</strong> displays even if they have an entry in the Address Book.
<strong>Adaptive</strong> Session View<br />
The <strong>Adaptive</strong> Session View (Figure 7-3) appears when <strong>Sniffer</strong> <strong>Adaptive</strong><br />
<strong>Application</strong> <strong>Analyzer</strong> mines data captured in <strong>Adaptive</strong> mode, providing<br />
end-to-end transaction metrics for TCP/UDP-based sessions.<br />
The mechanics of the <strong>Adaptive</strong> Session View will be familiar to anyone<br />
accustomed to traditional <strong>Sniffer</strong> decodes – individual sessions are listed<br />
line-by-line in a Summary pane (a) at the top of the window. Selecting<br />
a session in the Summary pane populates the lower Detail pane (b) with<br />
statistics for the selected session.<br />
Figure 7-3. <strong>Adaptive</strong> Session View<br />
The actual data presented in the <strong>Adaptive</strong> Session View is much different<br />
than traditional packet decodes, however. Instead of listing individual<br />
raw packets, the Session View rolls up statistics for entire TCP/UDP-based<br />
sessions between a Client (requesting station) and Server<br />
(responding station). You get true source/destination identification,<br />
along with packet/byte counts broken out by direction. Separate Detail<br />
pane “layers” provide the following information (Figure 7-3):<br />
Overview – A summary of the selected session, including start/<br />
end times, duration, application, and, for protocols with an ASI<br />
protocol interpreter, a short session description (for example, the<br />
URL of an HTTP session).<br />
TCP/UDP Connection Details – TCP/IP statistics for the session,<br />
including endpoint addresses/ports, packet/octet counts in each<br />
direction, and TCP statistics.<br />
Protocol-Specific Metrics – Protocols with an ASI protocol<br />
interpreter include protocol-specific metrics, as summarized below.<br />
Each of these sections can be cascaded open/closed using the +/- icons<br />
in the left margin.<br />
Session View for Protocols with an <strong>Adaptive</strong> Interpreter<br />
Session statistics for protocols with an ASI protocol interpreter are<br />
augmented with protocol-specific metrics. Consider the HTTP session<br />
shown in Figure 7-3. The Detail view for this session includes both the<br />
standard Overview and TCP/UDP Connection Details provided for any<br />
session. In addition, however, there is also a separate list of HTTP<br />
Transactions detailing individual transactions, result codes, and<br />
response times for the session – in this case, a series of GET Request/<br />
Response exchanges. Figure 7-4 shows the entire set of metrics<br />
provided for the HTTP Session selected in Figure 7-3.
Figure 7-4. <strong>Adaptive</strong> Session Details (HTTP) (callouts: the Session Overview provides a quick summary of the session; Connection Details break out TCP/UDP statistics for the session; sessions with an ASI protocol interpreter have additional protocol-specific metrics)<br />
Session View for GENERIC Protocols<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> still records statistics for sessions<br />
using protocols without an ASI interpreter. These sessions are listed as<br />
GENERIC in the Summary panel (Figure 7-5).<br />
Statistics provided for GENERIC sessions are limited to the Overview and<br />
TCP/UDP Connection information, as shown in Figure 7-5.<br />
Figure 7-5. Detail Pane View for GENERIC Sessions (callouts: sessions without an ASI protocol interpreter are listed as GENERIC; GENERIC sessions are still listed with a Session Overview and TCP/UDP statistics)
Drilling Down to <strong>Adaptive</strong> Session Packets<br />
You can drill down to the <strong>Adaptive</strong> Session Packets for a session by right-clicking<br />
its entry in the Summary pane and selecting the <strong>Adaptive</strong> Packet<br />
Drill Down command. <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong><br />
automatically retrieves the ASPs for the selected session and displays<br />
them in a new <strong>Adaptive</strong> Decode view (Figure 7-6).<br />
Refer to <strong>Adaptive</strong> Decode View on page 153 for information on working<br />
with ASPs in the <strong>Adaptive</strong> Decode View.<br />
Figure 7-6. Drilling Down to ASPs from the Session View<br />
No ASPs for Session?<br />
Sessions do not always start and end neatly within the specified mining<br />
window. Because of this, it’s possible that the <strong>Adaptive</strong> Session view will<br />
show sessions that are continuations of ongoing sessions that started<br />
earlier than the specified mining window. In cases like these, <strong>Adaptive</strong><br />
Packet Drill Down will not produce any packets. You can address this by<br />
refining the mining request to start at an earlier time.<br />
About the ASR File Format<br />
The <strong>Adaptive</strong> Session View is populated using <strong>Adaptive</strong> Session Records.<br />
These records are saved in .asr files. Each .asr file has a companion<br />
<strong>Adaptive</strong> Session Packet (.asp) file where the packet-level details are<br />
stored.<br />
When you mine data captured in <strong>Adaptive</strong> mode, <strong>Sniffer</strong> <strong>Adaptive</strong><br />
<strong>Application</strong> <strong>Analyzer</strong> automatically creates temporary .asr/.asp files for<br />
the mining request and stores them in the <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong><br />
<strong>Analyzer</strong> program directory under \bin\Local-x. You can use standard<br />
File > Open commands to open .asr/.asp files. You must use File ><br />
Save As to save any mined <strong>Adaptive</strong> trace files permanently.<br />
IMPORTANT: The exact name of the folder varies according to the<br />
number of NICs/agents in the PC – <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong><br />
uses separate \Local-x folders for each local agent.<br />
IMPORTANT: The .asr/.asp files are paired – make sure you don’t<br />
delete one half of the pair and expect to perform full analysis on the<br />
other. For example, if you delete an .asp file, you will not be able to drill<br />
down to adaptive session packets from the companion Session (.asr) file.
<strong>Adaptive</strong> Decode View<br />
The <strong>Adaptive</strong> Decode View (Figure 7-7) provides line-by-line protocol<br />
decodes for data captured in <strong>Adaptive</strong> mode. You can display the<br />
<strong>Adaptive</strong> Decode View in either of the following ways:<br />
Drill down from the <strong>Adaptive</strong> Session view using the <strong>Adaptive</strong><br />
Packet Drill Down command (refer to Drilling Down to <strong>Adaptive</strong><br />
Session Packets on page 151 for details on how to do this).<br />
Drilling down from the Session View opens just those ASPs<br />
associated with flow selected in the Session view.<br />
Open an <strong>Adaptive</strong> Session Packet (.asp) file directly using File ><br />
Open. Depending on how the ASP file was saved, this could<br />
produce just those ASPs retrieved during a drilldown, or, if you<br />
open the full ASP file automatically saved during mining, all packet<br />
data in the time selection, including raw packets. Refer to Opening<br />
ASP Files on page 155 for more information on opening ASP files.<br />
<strong>Adaptive</strong> Decode View Mechanics<br />
The mechanics of the <strong>Adaptive</strong> Decode View will be familiar to anyone<br />
accustomed to traditional <strong>Sniffer</strong> decodes – individual ASPs are listed<br />
line-by-line in a Summary pane (a) at the top of the window. Selecting<br />
an ASP in the Summary pane populates the lower Detail pane (b) with<br />
the <strong>Adaptive</strong> decode for the selected packet. In contrast to the<br />
traditional, tri-pane <strong>Sniffer</strong> decode window, the Hex pane is not present.<br />
Figure 7-7. <strong>Adaptive</strong> Decode View<br />
Drilling Up to <strong>Adaptive</strong> Session Records<br />
You can drill up to the <strong>Adaptive</strong> Session Records (ASR) file for an ASP by<br />
right-clicking its entry in the Summary pane and selecting the Open<br />
ASR command. <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> automatically<br />
opens the Session file corresponding to the selected ASP file and<br />
displays the session in an <strong>Adaptive</strong> Session view (Figure 7-8).<br />
Refer to <strong>Adaptive</strong> Session View on page 147 for information on working<br />
with ASRs in the <strong>Adaptive</strong> Session View.<br />
Figure 7-8. Drilling Up to ASRs from the <strong>Adaptive</strong> Decode View
Opening ASP Files<br />
<strong>Adaptive</strong> Session Analysis<br />
The <strong>Adaptive</strong> Decode View is populated using <strong>Adaptive</strong> Session Packets.<br />
These packets are saved in .asp files. Each .asp file has a companion<br />
<strong>Adaptive</strong> Session Record (.asr) file where the session-level metadata is<br />
stored.<br />
When you mine data captured in <strong>Adaptive</strong> mode, <strong>Sniffer</strong> <strong>Adaptive</strong><br />
<strong>Application</strong> <strong>Analyzer</strong> automatically creates temporary .asr/.asp files for<br />
the mining request and stores them in the <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong><br />
<strong>Analyzer</strong> program directory under \bin\Local-x. You can use standard<br />
File > Open commands to open .asr/.asp files.<br />
IMPORTANT: The exact name of the folder varies according to the<br />
number of NICs/agents in the PC – <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong><br />
uses separate \Local-x folders for each local agent.<br />
IMPORTANT: The .asr/.asp files are paired – make sure you don’t<br />
delete one half of the pair and expect to perform full analysis on the<br />
other. For example, if you delete an .asr file, you will not be able to drill<br />
up to session metadata from the companion ASP file.<br />
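The pairing rule above is easy to break by hand when cleaning out the \bin\Local-x folders, so here is a small check that reports any .asr without its .asp and any .asp without its .asr. This is an added example, not part of the NetScout guide or product; it assumes only the folder layout the text describes (one bin\Local-x folder per local agent under the program directory) and pairs files by name stem, without parsing their contents. The sample directory tree it builds is constructed for the demonstration.

```python
"""Pairing check for the analyzer's temporary .asr/.asp files.

Added example, not part of the NetScout guide or product. It assumes the
layout the text describes (a bin\\Local-x folder per local agent under the
program directory) and pairs files by stem only; it does not parse them.
"""
import tempfile
from pathlib import Path


def find_unpaired(program_dir):
    """Return {folder: {"missing_asp": [...], "missing_asr": [...]}} for every
    Local-x folder under <program_dir>/bin that contains an orphaned half.

    An .asr without its .asp is session metadata you cannot drill down from;
    an .asp without its .asr is packet data you cannot drill up from.
    """
    report = {}
    for folder in sorted((Path(program_dir) / "bin").glob("Local-*")):
        if not folder.is_dir():
            continue
        # Compare stems case-insensitively: the product runs on Windows,
        # where SESSION.ASR and session.asr name the same file.
        stems = {".asr": set(), ".asp": set()}
        for entry in folder.iterdir():
            ext = entry.suffix.lower()
            if entry.is_file() and ext in stems:
                stems[ext].add(entry.stem.lower())
        missing_asp = sorted(stems[".asr"] - stems[".asp"])
        missing_asr = sorted(stems[".asp"] - stems[".asr"])
        if missing_asp or missing_asr:
            report[folder.name] = {"missing_asp": missing_asp,
                                   "missing_asr": missing_asr}
    return report


def build_sample_tree(root):
    """Create a constructed program-directory layout for the demo.

    The file names are made up; real .asr/.asp contents are not needed
    because find_unpaired() only looks at names.
    """
    layout = {
        "Local-1": ["mine_001.asr", "mine_001.asp", "mine_002.asr"],
        "Local-2": ["drill_a.asp", "drill_b.asr", "drill_b.asp"],
    }
    for folder, names in layout.items():
        d = Path(root) / "bin" / folder
        d.mkdir(parents=True)
        for name in names:
            (d / name).write_bytes(b"")


def demo():
    """Build the sample tree in a temp dir and return the pairing report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_unpaired(tmp)


if __name__ == "__main__":
    for folder, orphans in demo().items():
        print(folder, orphans)
```

Run it against the real program directory by calling find_unpaired() with that path instead of the temporary tree; an empty report means every drill-down and drill-up in the folder will still work.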
Opening ASP Files Directly vs. Drilling Down<br />
Keep in mind that the <strong>Adaptive</strong> Decode View will show different results<br />
when drilling down from the Session View vs. opening an ASP file<br />
directly:<br />
When you drill down from the Session View, <strong>Sniffer</strong> <strong>Adaptive</strong><br />
<strong>Application</strong> <strong>Analyzer</strong> displays just those ASPs belonging to the<br />
selected session. This generally results in an ASP view with only a<br />
few events shown, all of which are ASPs.<br />
In contrast, when you open an ASP file directly using File > Open,<br />
you see all captured ASPs in the mined time selection. This includes<br />
ASPs with an ASI Protocol Interpreter and those without.<br />
So, for example, where a drill down to ASPs may show only a few FTP<br />
ASPs, opening an ASP file directly will typically produce a wide variety of<br />
packet data, including raw packets and packets without an ASI protocol<br />
interpreter. Note the following in Figure 7-9:<br />
The total number of ASPs shown in the title bar of the Session View<br />
is far greater when opening an ASP file directly.<br />
The directly-opened ASP file includes packets without an IP layer<br />
(ARP and BPDUCONFIG) captured as raw packets.<br />
The directly-opened ASP file includes IPv4 packets without an ASI<br />
protocol interpreter (UDP, in this case).<br />
Both files include all packets supported for <strong>Adaptive</strong> processing.
Figure 7-9. Opening ASPs Directly vs. Drilling Down<br />
Searching <strong>Adaptive</strong> Views<br />
Because the postcapture display can include many thousands of entries,<br />
it can be useful to search for particular frames. Using <strong>Sniffer</strong><br />
<strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>’s search abilities, you can search<br />
for frames in the <strong>Adaptive</strong> Session and Decode views that match a text<br />
string in either the Summary or Detail pane.<br />
NOTE: In addition to searching for frames, you can also advance to<br />
a particular frame in the Decode tab by specifying its number. Do<br />
this by selecting the Go to Frame command from the Display menu<br />
and supplying the frame number in the dialog box that appears.<br />
To search for packets matching a text string:<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
The Find Frame dialog box contains only a Text tab when launched<br />
from an <strong>Adaptive</strong> view. The Text tab lets you search for frames<br />
containing a specified text string.<br />
2 Enter the text to search in the field provided. The dropdown list<br />
includes previously performed text searches.<br />
3 Specify which portion of the Decode tab (Summary or Detail) to<br />
search, using the options provided.<br />
4 Specify whether the search is case-sensitive using the Match case<br />
option.<br />
5 Specify the search direction.<br />
6 Click OK. If the string is found, the entry containing the text is<br />
displayed in the postcapture window. Press F3 to search for the next<br />
packet matching the same criteria.
Using Filters with <strong>Adaptive</strong> Postcapture Views<br />
You can use filters created from the Quick Select window independently<br />
against both the <strong>Adaptive</strong> Session and <strong>Adaptive</strong> Decode views. Use<br />
the Create/Apply Filter command, either from the Display menu or<br />
from the right-click context menu. Keep in mind that display filters used<br />
with <strong>Adaptive</strong> views are limited to IP Address and Port criteria.<br />
Refer to Applying <strong>Adaptive</strong> Display Filters on page 136 for details on<br />
using filters with <strong>Adaptive</strong> views.<br />
Enabling VLAN Data Collection<br />
If <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> is connected to a switch SPAN<br />
port, make sure you enable VLAN data collection on the network<br />
interface card to prevent VLAN IDs from being stripped before the<br />
application sees them. With VLAN data collection enabled, you’ll be able<br />
to see VLAN IDs in postcapture decodes; without it, traffic from different<br />
VLANs mirrored to the same SPAN port cannot be told apart in the decode.<br />
Refer to the <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> Installation Guide for<br />
details on using the sniffer_vlan_edit.exe tool included with the<br />
product to enable VLAN data collection for adapters using Intel and<br />
Broadcom chipsets.<br />
Chapter 8<br />
Raw Capture <strong>Mode</strong> Postcapture Analysis<br />
Overview<br />
This chapter describes postcapture analysis views for data captured in<br />
Raw Capture mode. In Raw Capture mode, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong><br />
<strong>Analyzer</strong> stores raw packets rather than condensed <strong>Adaptive</strong> Session<br />
Packets. <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> automatically displays the<br />
postcapture analysis views corresponding to your capture mode –<br />
<strong>Adaptive</strong> or Raw Capture.<br />
IMPORTANT: Refer to <strong>Adaptive</strong> Session Analysis on page 141 for<br />
information on the postcapture views available for data captured in<br />
<strong>Adaptive</strong> mode. Also, see Postcapture Analysis by Capture <strong>Mode</strong> on page<br />
141 for a discussion of the postcapture views available for different<br />
capture modes.<br />
When you mine data captured in Raw Capture mode, <strong>Sniffer</strong><br />
<strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> displays the selected packets in a variety<br />
of formats, including the Expert tab and the classic line-by-line Decode<br />
tab. This section includes the following major topics:<br />
Introducing the Raw <strong>Mode</strong> Postcapture Window on page 162<br />
Introducing the Packet Decode Tab on page 165<br />
Navigating the Decode Tab on page 167<br />
Working with Display Filters on page 172<br />
Setting Display Setup Options on page 191<br />
Searching for Frames in the Decode Display on page 197<br />
Using the Matrix Tab on page 209<br />
Using the Host Table Tab on page 212<br />
Using the Protocol Distribution Tab on page 214<br />
Using the Statistics Tab on page 216<br />
Introducing the Raw <strong>Mode</strong> Postcapture Window<br />
When you mine data captured in Raw <strong>Mode</strong>, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong><br />
<strong>Analyzer</strong> automatically displays the results of analysis in the Raw <strong>Mode</strong><br />
postcapture display window (Figure 8-1).<br />
Figure 8-1. Raw <strong>Mode</strong> Postcapture Display Window (callout: postcapture<br />
display tabs. The Decode tab always appears. The other tabs appear by<br />
default, but can be disabled.)<br />
The Raw <strong>Mode</strong> postcapture display window features two main tabs –<br />
Expert and Decode – as well as a variety of others providing different<br />
views of the data. Available tabs are summarized in Table 8-1 below.<br />
Raw Capture <strong>Mode</strong> Postcapture Analysis<br />
Table 8-1. Postcapture Display Tabs<br />
Expert – Displays the results of proprietary Expert analysis, showing network objects, symptoms, and diagnoses by network layer. See Expert Analysis on page 219.<br />
Decode – Provides classic, line-by-line protocol decodes in a tri-pane window. Sophisticated automatic filtering features let you select a packet in the Summary pane and automatically filter on different components of the packet (source/destination addresses, ports, and so on). See Introducing the Packet Decode Tab on page 165.<br />
Matrix – Provides statistics on conversations taking place on the network. See Using the Matrix Tab on page 209.<br />
Host Table – Provides statistics broken out for each host detected on the network. Different tabs let you focus on IP hosts, MAC hosts, and so on. See Using the Host Table Tab on page 212.<br />
Protocol Distribution – Provides statistics broken out by protocol family. You can focus on MAC, IP, or IPX layer protocols. See Using the Protocol Distribution Tab on page 214.<br />
Statistics – Provides a variety of global statistics, including capture start/stop times, average speeds, and packet counts for a variety of basic categories. See Using the Statistics Tab on page 216.<br />
Filtered Tabs – By default, display filters return the filtered frames in a new tab at the bottom of the postcapture display window. If you prefer, you can enable the Select matching option. When this option is enabled, frames matching the filter appear “marked” in the leftmost column of the active Decode tab – their checkboxes are checked. See Working with Display Filters on page 172 for more information on how to use display filters in the Decode tab.<br />
Selecting Tabs for Postcapture Display<br />
The Matrix, Host Table, Protocol Distribution, and Statistics tabs appear<br />
at the bottom of the Display window only if the Post analysis tabs box<br />
is checked on the General tab of the Display > Display Setup dialog<br />
box. Similarly, the Expert tab only appears if the Expert tab box is<br />
checked. Refer to Figure 8-2, below.<br />
Figure 8-2. Display > Display Setup Dialog Box
Introducing the Packet Decode Tab<br />
The Decode tab provides classic, line-by-line protocol interpretation of<br />
captured packets. When you display mined packets or a capture<br />
file, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> interprets and decodes the<br />
higher-level protocols within the captured packets using its protocol<br />
interpreters. The Decode tab shows the results of this protocol analysis<br />
in three color-coded viewing panes: summary, detail, and hex. Figure<br />
8-3 shows a sample Decode display.<br />
Figure 8-3. Decode Tab (a: Summary pane, b: Detail pane, c: Hex pane)<br />
(a) Summary pane shows an overview of the packets captured in<br />
line-by-line summarized format. Each summary line shows the<br />
packet number for this capture period, packet status, source and<br />
destination addresses, the protocol layer, a summary of key packet<br />
information, packet length, relative time from the beginning of the<br />
capture, delta time from the previous packet captured, and the<br />
date and time. See Understanding Timestamps on page 166 for<br />
more information.<br />
Additionally, the Status column in the Summary pane shows the<br />
letter associated with this stream in the Quick Select window’s<br />
Navigation panel so you can quickly associate a packet with its<br />
stream when working with merged data.<br />
NOTE: The position and size of each column can be adjusted<br />
by dragging the column title border with the mouse.<br />
(b) Detail pane shows the detailed contents of the packet<br />
currently selected in the Summary pane. Each layer of the protocol<br />
is interpreted and displayed. Display the detailed protocol layers in<br />
three different views – fully expanded decode, one-line summary,<br />
or a mixture of the two.<br />
By default, the application expands underlying protocol layers in<br />
the Detail pane. To save viewing space, click the minus (-) sign in<br />
front of the protocol sub-layer line. To expand the protocol display,<br />
click the plus (+) sign.<br />
NOTE: You can control the maximum number of lines allowed<br />
in the Detail Display by right-clicking anywhere in the Decode<br />
tab, selecting the Display Setup option, and setting the<br />
Maximum # of Detail Lines option in the General tab of the<br />
dialog box that appears.<br />
(c) Hex pane shows the selected packet in hexadecimal and ASCII<br />
(or EBCDIC) format.<br />
When you select a packet on the Summary pane, or a detailed<br />
protocol field in the Detail pane, the equivalent hexadecimal octets<br />
in the packet are highlighted in the Hex pane. This quickly shows<br />
you the correspondence between the protocol field and its<br />
equivalent bytes in the packet.<br />
Understanding Timestamps<br />
Once a frame is received, a timestamp is attached. The timestamp<br />
records the time according to the capturing device’s internal clock at the<br />
moment it received the last byte of the frame. All displays of time (for<br />
example, the Delta Time and Relative Time fields in the Summary pane)<br />
are computed from the absolute value recorded with each frame.<br />
As a general rule, the timestamps are:<br />
Resolved to the nearest microsecond (see Table 8-2 for the details).<br />
Accurate to within 20 microseconds to several milliseconds, depending<br />
on ongoing operating system tasks and/or ongoing processing of arriving<br />
packets.<br />
IMPORTANT: 10/100/1000/10000-BaseT adapters timestamp packets<br />
in software. Under most circumstances, this provides acceptable<br />
performance – up to 250 microseconds granularity and correct packet<br />
sequencing.
Granularity in Decode Timestamps<br />
The Decode tab provides both Relative Time and Delta Time values.<br />
The following table summarizes the units for these timestamps in <strong>Sniffer</strong><br />
<strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>.<br />
Table 8-2. Granularity in Decode Timestamps<br />
Ethernet – Relative Time: hr:min:sec.millisec; Delta Time: sec.millisec.microsec<br />
Gigabit Ethernet – Relative Time: sec.millisec.microsec.nanosec; Delta Time: sec.millisec.microsec.nanosec<br />
Navigating the Decode Tab<br />
You navigate Decode tabs with a combination of keyboard, mouse, and<br />
toolbar, moving between the different panes and zooming as necessary<br />
to see exactly the lines you’re interested in.<br />
Each pane can be resized by clicking and dragging the separator bar<br />
between the panes. Each pane also contains scroll bars that let you use<br />
the mouse to manipulate the viewing position in the pane. You can also<br />
use the cursor control keys to provide a similar function for the pane that<br />
has the focus.<br />
To maximize efficiency in scanning packets for details, follow these<br />
suggestions:<br />
Adjust the Packet Display size and the individual panes to maximize<br />
the viewing area for your particular interests.<br />
Select the starting packet of interest in the Summary pane by<br />
clicking on it.<br />
Click the Detail pane to gain focus. The cursor movement and PgUp<br />
/ PgDn keys will now apply to the Detail pane.<br />
Use the F7 key to move to the previous packet. Use the F8 key to move<br />
to the next packet.<br />
Use the mouse wheel to scroll in any Decode pane (Summary,<br />
Detail, or Hex).<br />
If you want to move the viewing area in the Detail pane, use the<br />
mouse wheel, cursor, or Page Up / Page Down keys.<br />
You can search for packets by selecting the Find Frame command<br />
from either the Display menu or the context menu (accessed by<br />
right-clicking on the Display window). See Searching for Frames in<br />
the Decode Display on page 197 for details.<br />
You can copy text from the Detail pane. You can copy either a<br />
selected line in the pane (Copy Highlights in the right-click<br />
context menu or the Ctrl-C keyboard shortcut) or all of the text in<br />
the pane (Copy All in the right-click context menu).<br />
Use the keys shown in Table 8-3 to navigate the Decode display. You can<br />
also use the corresponding commands in the Display menu.<br />
Table 8-3. Keyboard Shortcuts for the Display Pane<br />
Page Up – View the previous page in the active pane.<br />
Page Down – View the next page in the active pane.<br />
Cursor Up – View the previous line in the active pane.<br />
Cursor Down – View the next line in the active pane.<br />
F2 (Next Selected) – Move the display to the next selected packet in the Summary pane.<br />
Shift+F2 (Previous Selected) – Move the display to the previous selected packet in the Summary pane.<br />
Ctrl+F2 (Select Toggle) – Toggle the packet between selected and unselected state.<br />
Alt+F3 (Find Frame) – Open the Find Frame dialog box to specify what to search for in the Display pane.<br />
Shift+F3 – Toggle Two-Station format on and off.<br />
F3 (Find Next Frame) – Repeat the last search performed in the Find Frame dialog box.<br />
F4 (Zoom Pane) – Zoom in/out of the selected Decode pane.<br />
F7 (Previous) – View the previous packet in the Summary pane.<br />
F8 (Next) – View the next packet in the Summary pane.
Packet Status Flags in the Summary Pane<br />
The Status column in the Summary pane is empty if the packet is<br />
normal with no errors, symptoms, or diagnoses associated with it.<br />
Otherwise, Table 8-4 lists the flags used in the Status column of the<br />
Summary pane.<br />
Table 8-4. Status Flags<br />
M – Packet is marked. Mark a packet to return quickly to a particular spot in a decoded set of frames.<br />
A – Packet was captured from Port A on the pod or adapter card.<br />
B – Packet was captured from Port B on the pod or adapter card.<br />
# – Packet has a symptom or diagnosis associated with it.<br />
Trigger – Packet is an event filter trigger.<br />
CRC – CRC error packet with normal packet size.<br />
Jabber – CRC error packet with oversize error.<br />
Runt – Packet size is less than 64 bytes (including the 4 CRC bytes) but with valid CRC.<br />
Fragment – Packet size is less than 64 bytes (including the 4 CRC bytes) with CRC error.<br />
Oversize – Packet size is more than 1518 bytes (including the 4 CRC bytes) but with valid CRC.<br />
Collision – Packet was damaged by a collision.<br />
Alignment – Packet length is not an integer multiple of 8 bits (that is, not a whole number of bytes).<br />
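The size and CRC rules in the table above are mechanical enough to express as code, and doing so also shows what a stripped 802.1Q tag (the VLAN Data Collection note in Chapter 7) costs you: the VLAN ID is simply absent from the frame. The following is an added example, not NetScout code. It takes the 64- and 1518-byte thresholds (both counting the 4 FCS bytes) from Table 8-4 and checks the FCS with the IEEE 802.3 CRC-32, which is the same polynomial zlib.crc32 computes, stored little-endian. Collision and Alignment come from the adapter hardware and cannot be recovered from a byte buffer, so they are not modelled; the sample frames are constructed, not captured.

```python
"""Classify Ethernet frames the way Table 8-4 describes and read the 802.1Q
VLAN ID that a SPAN-connected NIC may strip.

Added example, not NetScout code. Thresholds follow the table (64 and 1518
bytes including the 4-byte FCS). The FCS check uses the IEEE 802.3 CRC-32
(same polynomial as zlib.crc32), appended little-endian. Collision and
Alignment are hardware flags and are not modelled.
"""
import struct
import zlib

MIN_FRAME = 64      # bytes, including the 4 FCS bytes
MAX_FRAME = 1518    # bytes, including FCS; IEEE 802.3 allows 1522 when a
                    # VLAN tag is present, but the table uses 1518
ETHERTYPE_8021Q = 0x8100


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing 4 bytes are the correct FCS for the rest."""
    if len(frame) < 4:
        return False
    stored = struct.unpack("<I", frame[-4:])[0]
    return (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == stored


def status_flag(frame: bytes) -> str:
    """Status-column flag from Table 8-4; "" means a clean frame."""
    ok = fcs_ok(frame)
    n = len(frame)
    if n < MIN_FRAME:
        return "Runt" if ok else "Fragment"
    if n > MAX_FRAME:
        return "Oversize" if ok else "Jabber"
    return "" if ok else "CRC"


def vlan_id(frame: bytes):
    """12-bit 802.1Q VLAN ID if the frame carries a tag, else None.

    A NIC that strips tags hands the analyzer a frame 4 bytes shorter with
    the inner EtherType at offset 12, so this returns None for it.
    """
    if len(frame) < 18:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF


def build_frame(payload: bytes, vlan=None, corrupt=False) -> bytes:
    """Construct a sample frame (test data, not a real capture)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    hdr += struct.pack("!H", 0x0800)            # IPv4 EtherType
    body = hdr + payload
    frame = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    if corrupt:
        # Flip one payload bit after the FCS was computed; CRC-32 detects
        # every single-bit error, so fcs_ok() must now fail.
        i = len(hdr)
        frame = frame[:i] + bytes([frame[i] ^ 0x01]) + frame[i + 1:]
    return frame


def classify_samples():
    """(length, status flag, VLAN ID) for one constructed frame per row."""
    samples = {
        "normal":   build_frame(b"A" * 46),                 # 64 bytes
        "crc":      build_frame(b"A" * 46, corrupt=True),
        "runt":     build_frame(b"A" * 20),                 # 38 bytes
        "fragment": build_frame(b"A" * 20, corrupt=True),
        "oversize": build_frame(b"A" * 1504),               # 1522 bytes
        "jabber":   build_frame(b"A" * 1504, corrupt=True),
        "tagged":   build_frame(b"A" * 46, vlan=100),       # 68 bytes
    }
    return {k: (len(f), status_flag(f), vlan_id(f)) for k, f in samples.items()}


if __name__ == "__main__":
    for name, row in classify_samples().items():
        print(f"{name:9s} len={row[0]:5d} status={row[1] or '-':9s} vlan={row[2]}")
```

Note the caveat in the oversize row: a legitimately tagged full-size frame is 1522 bytes, so the table's 1518 threshold flags it Oversize even though its FCS is valid. If you see many Oversize frames with good CRCs on a SPAN feed, check for tagging before suspecting the sender.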
Selecting Packets in the Decode Tab<br />
You can select individual packets or a group of packets in the summary<br />
pane. Selecting packets allows you to mark key packets that are of<br />
interest to you, so that you can view and use them more easily. You can:<br />
Save the selected packets to a file (Display > Save Selected).<br />
Treat the selected packets as bookmarks, and use F2 to advance<br />
from one selected packet to the next.<br />
Using the Decode Tab Toolbar<br />
The Decode tab provides a toolbar at the top of the window with<br />
shortcuts to useful functionality (Figure 8-4). Each of the buttons in the<br />
toolbar is described in the table that follows.<br />
Figure 8-4. Decode Tab Toolbar<br />
Table 8-5. Decode Tab Toolbar Buttons<br />
Button Title Description<br />
Two Station Format Toggles the two-station format on and off. The<br />
two-station format splits the display into left<br />
and right panes, showing traffic between two<br />
stations. See Display Setup > General Options<br />
on page 192 for details.<br />
Show/Hide All Layers Toggles the Show All Layers option on and off.<br />
If enabled, the Summary pane shows one line<br />
for each protocol level contained in a frame. If<br />
disabled, only one line (for the highest enabled<br />
protocol level) is shown.<br />
Display Setup Displays the Display Setup dialog box. See<br />
Setting Display Setup Options on page 191.<br />
Automatic Filter Type Selection Use this dropdown to specify which information<br />
in the currently selected packet should be used<br />
to automatically populate the Define Filter<br />
dialog box’s fields when you click the Define<br />
Display Filter or Add to Last Filter button.<br />
You can populate based on source/destination<br />
IP addresses, ports, and MAC addresses.<br />
See Using Automatic Display Filters on page<br />
174.
Define Display Filter Displays the Define Filter dialog box with<br />
settings automatically populated based on the<br />
currently selected packet and the setting of the<br />
adjacent Filter Type Selection dropdown.<br />
See Using Automatic Display Filters on page<br />
174.<br />
Add to Last Filter Takes the type of information specified in the<br />
Filter Type Selection dropdown from the<br />
currently selected packet and adds it to the last<br />
filter used in the Define Filter dialog.<br />
See Combining Filter Components (“Add to Last<br />
Filter”) on page 179 for details.<br />
Quick Filter Automatically filters the display based on the<br />
selected information in the currently selected<br />
packet. For example, if the Filter Type Selection<br />
dropdown is set to Connection, clicking Quick<br />
Filter will filter the display based on the source/<br />
destination addresses and ports (that is, the<br />
connection).<br />
Use the Display > Display Setup > Packet<br />
Selection tab to specify how Quick Filters will<br />
be applied (for example, whether matching<br />
packets are returned in a new tab or shown<br />
selected in the active tab, and so on).<br />
See Using Quick Filters on page 178 for details.<br />
Working with Display Filters<br />
A filter applied to the display of captured data is called a display filter.<br />
Display filters let you select the packets you want to display in a Decode<br />
tab. Display filters do not affect the contents of the capture buffer. They<br />
just prevent some of the data from being displayed.<br />
You can use display filters to view only:<br />
Packets transmitted between network nodes (or address pairs)<br />
Packets that belong to one or more protocol groups<br />
Packets that match predefined data patterns<br />
Error packets<br />
Packets that belong to a certain size range<br />
Packets that match various combinations of the above<br />
specifications
Types of Display Filters<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> provides several types of display<br />
filters:<br />
NOTE: Display filters are separate from Quick Select window filters.<br />
Refer to Using Filters in the Quick Select Window on page 119 for<br />
information on how to create Quick Select window filters and apply<br />
them as source, mining, and statistics filters.<br />
Table 8-6. <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> Display Filters<br />
Automatic Display Filters (see Using Automatic Display Filters on page 174) – You can automatically populate the Define Filter - Display dialog box’s tabs with filter settings based on selected portions of the currently selected packet in the Decode tab. You do this by using the dropdown at the top of the Decode tab to specify which portion of the selected packet you want to use as a filter (for example, just the source IP address) and clicking the Define Display Filter button.<br />
Quick Display Filters (see Using Quick Filters on page 178) – Quick Display Filters are similar to automatic display filters – they filter the active Decode tab based on selected portions of the currently selected packet in the Decode tab. The main difference is that they take effect immediately without displaying the Define Filter dialog box first.<br />
You set Quick Filters by using the dropdown at the top of the Decode tab to specify which portion of the selected packet you want to use as a filter (for example, just the source port) and clicking the Quick Filter button.<br />
Note: You set global options for how Quick Filters are applied in the Display > Display Setup > Packet Selection tab. These options specify to which packets Quick Filters should be applied (all or selected) and how results should be returned (by selecting/clearing packets in the active tab or by showing a new filtered tab at the base of the postcapture display window).<br />
Manual Display Filters (Display > Define Filter; see Using Manual Filters (Display > Define Filter) on page 183) – You can set display filters manually in the Define Filter - Display dialog box. This dialog box is available by using the Display > Define Filter command. Then, you have full access to the standard Define Filter tabs described in Using Manual Filters (Display > Define Filter) on page 183.<br />
Expert Display Filters (see Setting Automatic Expert Display Filters on page 222) – You can also set automatic Expert filters that only display data associated with a particular network object, symptom, or diagnosis. You do this by displaying the Expert tab, selecting an object, symptom, or diagnosis and clicking the Display Filter button.<br />
Using Automatic Display Filters<br />
You can automatically populate the Define Filter - Display dialog box’s<br />
tabs with filter settings based on selected portions of the currently<br />
selected packet in the Decode tab.<br />
To set an automatic display filter:<br />
1 In a Decode tab, select the packet to use as a filter source.<br />
2 Use the Automatic Filter Type Selection dropdown in the<br />
Decode toolbar to specify which portion of the packet you want to<br />
use as a filter (Figure 8-5).<br />
Figure 8-5. Selecting the Automatic Filter Type<br />
You can select from the following options:<br />
Table 8-7. Automatic Filter Type Selection Options<br />
Connection – Use both the source/destination IP addresses and source/destination ports as a filter.<br />
IP Source Address – Use only the source IP address as a filter.<br />
IP Destination Address – Use only the destination IP address as a filter.<br />
IP Addresses – Use both the source and destination IP addresses as a filter (traffic flowing between these two addresses only).<br />
Source Port – Use only the source port as a filter.<br />
Destination Port – Use only the destination port as a filter.<br />
Ports – Use both the source and destination ports as a filter.<br />
Source <strong>Application</strong> – Use both the source IP address and port as a filter.<br />
Destination <strong>Application</strong> – Use both the destination IP address and port as a filter.<br />
MAC Addresses – Use the source and destination MAC addresses as a filter.<br />
3 Click the Define Display Filter button.<br />
The Define Filter - Display dialog box appears populated based on<br />
the specified portion of the selected frame (Figure 8-6). Notice that<br />
the settings already populated in this dialog box correspond to<br />
those shown in the selected packet in the Summary pane in Figure<br />
8-5.<br />
Figure 8-6. Define Filter - Display Dialog Box (a: filter type dropdown; b: Select matching, Clear selected, and Apply on selected set options)<br />
Note the following important points about the Define Filter - Display dialog box:<br />
• You can change which parts of the selected frame are used for an automatic filter by clicking the dropdown at the top of the Define Filter dialog box (a in Figure 8-6) and selecting a different option.<br />
• You can reset all Define Filter fields by clicking Reset.<br />
• You can specify how the filter is applied and how results are returned using the Select matching, Clear selected, and Apply on selected set options (b in Figure 8-6). See Filtered Tabs or Marked Frames? on page 176 for details.<br />
4 When you have set the options in the Define Filter - Display dialog<br />
box as desired, click Apply to filter the active tab with your filter<br />
settings.<br />
Filtered Tabs or Marked Frames?<br />
When you apply a display filter, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong><br />
examines the packets in the active tab, looking for matches. Then, it<br />
returns the matching packets, either in a new tab at the bottom of the<br />
display window (b in Figure 8-7), or by “selecting” all matching packets<br />
in the Summary pane (a in Figure 8-7).<br />
“Selected” packets appear in the Summary pane with the boxes in the<br />
leftmost column checked. Additionally, if you’ve enabled the Highlight<br />
selected frames option in the Display Setup > Summary Display<br />
tab, selected frames will appear highlighted in the Summary pane.<br />
You specify how you would like matching packets returned in the Define<br />
Filter dialog box’s Summary tab (Figure 8-6 on page 175):<br />
• If neither the Select matching nor Clear selected option is enabled, a new filter tab will appear each time you apply a display filter.<br />
• If the Select matching option is enabled, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> will mark packets matching the filter in the currently active Decode tab.<br />
• If the Clear selected option is enabled, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> will deselect packets matching the filter in the currently active Decode tab.<br />
NOTE: Quick filters provide this same functionality. However, for Quick filters, you set the Select matching option in the Display Setup dialog box’s Packet Selection tab. See Display Setup > Packet Selection Options on page 195 for details.<br />
The “Apply on Selected Set” Option<br />
You can also use the Apply on selected set option together with either<br />
the Select matching or Clear selected options to apply a filter to only<br />
a subset of the packets in the active Decode tab. When using the Apply<br />
on selected set option, you may want to use the Display > Select<br />
Range command to select a large set of packets quickly.<br />
Figure 8-7. Selected Packets<br />
Using Quick Filters<br />
Quick Display Filters are similar to the automatic display filters described<br />
in Using Automatic Display Filters on page 174 – they filter the active<br />
Decode tab based on selected portions of the currently selected packet<br />
in the Decode tab.<br />
The main differences between Quick Filters and Automatic Display Filters<br />
are as follows:<br />
• Quick Filters take effect immediately without displaying the Define Filter dialog box.<br />
• The Select matching, Clear selected, and Apply on selected set options all work the same way for Quick Filters as they do for Automatic Display Filters, as described in Filtered Tabs or Marked Frames? on page 176. However, instead of using the Define Filter - Display dialog box to set these options, you set them globally for Quick Filters in the Display > Display Setup > Packet Selection tab (see Display Setup > Packet Selection Options on page 195).<br />
To set a Quick Filter:<br />
1 In a Decode tab, select the packet to use as a filter source.<br />
2 Use the Automatic Filter Type Selection dropdown in the Decode<br />
toolbar to specify which portion of the packet you want to use as a<br />
filter (Figure 8-8).<br />
Figure 8-8. Selecting the Automatic Filter Type<br />
You can select from the same options available for Automatic<br />
Display Filters, as described in Table 8-7 on page 174.<br />
3 Click the Quick Filter button.<br />
<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> sifts through the packets in<br />
the active tab, looking for matches. Then, it returns the matching<br />
packets, either in a new tab at the bottom of the display window (b<br />
in Figure 8-7 on page 177), or by “selecting” all matching packets<br />
in the Summary pane (a in Figure 8-7 on page 177). You choose<br />
which action the Console takes by setting the options in the<br />
Display > Display Setup > Packet Selection tab (see Display<br />
Setup > Packet Selection Options on page 195).<br />
Combining Filter Components (“Add to Last Filter”)<br />
You can use the Add to Last Filter button to add a new filter<br />
component from the currently selected packet to the last filter used in<br />
the Define Filter dialog box.<br />
For example, if the last filter you created was based on the Source Port in the selected frame, you could add source and destination addresses to the same filter by setting the Automatic Filter Type Selection dropdown to IP Addresses and clicking the Add to Last Filter button.<br />
To use the Add to Last Filter button:<br />
1 In a Decode tab, select the packet to use as a filter source.<br />
2 Use the Automatic Filter Type Selection dropdown in the Decode<br />
toolbar to specify which portion of the packet you want to use as a<br />
filter (Figure 8-9).<br />
Figure 8-9. Selecting the Automatic Filter Type<br />
You can select from the same options available for Automatic<br />
Display Filters, as described in Table 8-7 on page 174.<br />
3 Click the Add to Last Filter button.<br />
The Console displays the Define Filter dialog box with the specified<br />
component of the selected frame added to the last used filter<br />
definition. You can edit the settings in this dialog box, if necessary.<br />
When you are satisfied with the filter definition, click Apply to filter<br />
the active tab.<br />
Selecting Filters / Combining Multiple Filters<br />
You use the Display > Select Filter command to display a dialog box<br />
in which you can select display filters to apply. The dialog box lists all<br />
display filters you have created.<br />
You can either use a single listed filter or check the Multiple Filter <strong>Mode</strong><br />
option and check the boxes for multiple filters.<br />
To select a display filter:<br />
1 Use the Display > Select Filter command.<br />
The Select Filter dialog box appears (Figure 8-10).<br />
Figure 8-10. The Select Filter Dialog Box<br />
2 Do you want to use a single filter or combine multiple filters from<br />
the list?<br />
• Multiple Filter <strong>Mode</strong>. If you want to combine multiple filters from the list, enable the Multiple Filter <strong>Mode</strong> option. Then, check the boxes corresponding to the filters you want to use.<br />
Multiple filter mode allows you to select two or more display filters to apply. Select options from the list of available filters to create a single filter using combinations of existing filters. If you select a parent category, all the filters within the category are selected automatically. When the parent category is unselected, all the filters within the category are deselected.<br />
NOTE: When the combination filter is applied, it acts as an “OR” between the selected filters. Because of this, Multiple Filter <strong>Mode</strong> may return unexpected results when using Exclude filters (filters set to remove matching traffic). See Multiple Filter <strong>Mode</strong> and Exclude Filters on page 182 for details.<br />
• Single Filter <strong>Mode</strong>. If you are using only a single filter, leave Single Filter <strong>Mode</strong> enabled and check the box corresponding to the filter you want to use.<br />
Single filter mode functions as a regular, single filter. With the Single Filter <strong>Mode</strong> option, you are limited to only one filter selection in the Select Filter dialog box. Selecting one filter automatically deselects the previously selected filter. Selecting a “parent” filter does not produce a valid filter; you must specify a single filter within the parent grouping.<br />
3 Use the Select matching, Clear selected, and Apply on<br />
selected set options to specify how the display filter will be applied<br />
and its results returned. See Filtered Tabs or Marked Frames? on<br />
page 176 and The “Apply on Selected Set” Option on page 177 for<br />
more information.<br />
4 Click OK to apply the selected filter(s) on the active Decode tab.<br />
Multiple Filter <strong>Mode</strong> and Exclude Filters<br />
When combining multiple filters in Multiple Filter <strong>Mode</strong>, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> joins the filters with a logical OR rather than an AND. Because of this, joining multiple Exclude filters will always result in ALL packets passing the filter and being returned. Consider the following examples:<br />
Combining Include Filters in Multiple Filter <strong>Mode</strong><br />
For example, suppose you set up the following filters:<br />
• Filter 1 includes all packets of type A<br />
• Filter 2 includes all packets of type B<br />
Combining these filters in Multiple Filter <strong>Mode</strong> and applying them to a trace file with packets of type A, B, and C will result in a filtered display with just packets of type A and B.<br />
Combining Exclude Filters in Multiple Filter <strong>Mode</strong><br />
Now, let’s apply the same logic to Exclude filters:<br />
• Filter 1 excludes all packets of type A<br />
• Filter 2 excludes all packets of type B<br />
Combining these filters in Multiple Filter <strong>Mode</strong> and applying them to a trace file with packets of type A, B, and C will result in a filtered display with packets of type A, B, and C – all packets will pass the filter.<br />
This happens because the Exclude filters are joined with an OR condition between the filters. For a packet to be excluded from the filtered display, both conditions must return FALSE. If even one condition returns TRUE, the packet gets included.<br />
The Boolean logic for this is:<br />
Not (Filter A or Filter B) = Not Filter A AND Not Filter B.<br />
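As an added illustration (example code, not from the guide or the product), the following Python model applies the four filters above to a constructed trace of packet types A, B and C and contrasts the OR join used by Multiple Filter Mode with the AND join that stacked Exclude filters usually intend:

```python
"""Added example (not NetScout code): how Multiple Filter Mode joins filters.

Models a Decode tab as a list of packets tagged with a protocol "type" (the
guide's A, B, C placeholders), builds Include/Exclude display filters, and
shows why OR-joining two Exclude filters returns every packet.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

Packet = Dict[str, object]  # constructed sample packets: {"no": int, "type": str}


@dataclass(frozen=True)
class DisplayFilter:
    name: str
    mode: str                         # "Include" or "Exclude", as on the filter tabs
    match: Callable[[Packet], bool]   # the filter's own criteria

    def passes(self, pkt: Packet) -> bool:
        """True if this filter, applied on its own, would show the packet."""
        hit = self.match(pkt)
        return hit if self.mode == "Include" else not hit


def of_type(*types: str) -> Callable[[Packet], bool]:
    return lambda pkt: pkt["type"] in types


def multiple_filter_mode(filters: Sequence[DisplayFilter],
                         packets: Sequence[Packet]) -> List[int]:
    """Multiple Filter Mode: a packet is returned if ANY selected filter passes it (OR)."""
    return [p["no"] for p in packets if any(f.passes(p) for f in filters)]


def and_join(filters: Sequence[DisplayFilter], packets: Sequence[Packet]) -> List[int]:
    """The join analysts usually expect from stacked Exclude filters: ALL must pass."""
    return [p["no"] for p in packets if all(f.passes(p) for f in filters)]


# Constructed trace: types A, B, C as in the guide's examples.
TRACE: List[Packet] = [
    {"no": 1, "type": "A"},
    {"no": 2, "type": "B"},
    {"no": 3, "type": "C"},
    {"no": 4, "type": "A"},
]

INCLUDE_A = DisplayFilter("Filter 1 (include A)", "Include", of_type("A"))
INCLUDE_B = DisplayFilter("Filter 2 (include B)", "Include", of_type("B"))
EXCLUDE_A = DisplayFilter("Filter 1 (exclude A)", "Exclude", of_type("A"))
EXCLUDE_B = DisplayFilter("Filter 2 (exclude B)", "Exclude", of_type("B"))


def includes_in_multiple_filter_mode() -> List[int]:
    """Include A OR Include B: only A and B packets are shown."""
    return multiple_filter_mode([INCLUDE_A, INCLUDE_B], TRACE)   # [1, 2, 4]


def excludes_in_multiple_filter_mode() -> List[int]:
    """Exclude A OR Exclude B: every packet passes at least one filter."""
    return multiple_filter_mode([EXCLUDE_A, EXCLUDE_B], TRACE)   # [1, 2, 3, 4]


def excludes_and_joined() -> List[int]:
    """Not A AND Not B: the result the analyst was after (only type C)."""
    return and_join([EXCLUDE_A, EXCLUDE_B], TRACE)               # [3]


def single_exclude_filter() -> List[int]:
    """One Exclude filter whose criteria match A or B gives the same as the AND join."""
    one = DisplayFilter("exclude A or B", "Exclude", of_type("A", "B"))
    return [p["no"] for p in TRACE if one.passes(p)]             # [3]


def dropped_by_or_join(pkt: Packet) -> bool:
    """De Morgan check: the OR join drops a packet only if BOTH exclude filters
    reject it, i.e. Not(pass_A or pass_B) == Not pass_A AND Not pass_B."""
    return (not EXCLUDE_A.passes(pkt)) and (not EXCLUDE_B.passes(pkt))


if __name__ == "__main__":
    print("Include A OR Include B :", includes_in_multiple_filter_mode())
    print("Exclude A OR Exclude B :", excludes_in_multiple_filter_mode())
    print("Exclude A AND Exclude B:", excludes_and_joined())
    print("Single filter excluding A or B:", single_exclude_filter())
```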
Saving Sets of Filtered Frames / Creating New Windows<br />
You can save sets of filtered frames by selecting File > Save As with a<br />
filtered tab selected. A new window is created with the set of filtered<br />
frames in it, followed by the appearance of the Save As dialog box.<br />
When you use the Save As command on a set of filtered frames, the<br />
filtered frames in the new window are renumbered sequentially with new<br />
sequence numbers - the original sequence numbers are not preserved.<br />
You can also create new windows for filtered sets of frames by right-clicking a filtered tab and selecting the Create New Window command. A new postcapture window with just the filtered frames will appear.<br />
For a description of how to define a filter, see Using Manual Filters<br />
(Display > Define Filter) on page 183.<br />
Using Manual Filters (Display > Define Filter)<br />
This section describes how to use the Display Filter dialog box to create,<br />
manage, and apply manual display filters.<br />
Each time you create a new filter, you start by clicking the Profiles<br />
button in the Define Filter dialog box (Display > Define Filter). Then,<br />
click the New button to open a dialog that lets you assign the filter a<br />
profile name. Once you have successfully created a filter profile, it will<br />
appear in the Settings For panel so you can fine tune and apply the<br />
filter whenever you like.<br />
To create a filter profile:<br />
1 Go to Display > Define Filter and the Define Filter dialog box<br />
appears.<br />
or<br />
Click the Define Filter icon<br />
2 Click the Profiles button.<br />
The Capture Profiles dialog box appears, listing the filter profiles<br />
previously defined.<br />
Figure 8-11. The Capture Profiles Dialog Box<br />
3 Click the New button to create a new filter profile. The New<br />
Capture Profile dialog box appears.<br />
Figure 8-12. The New Capture Profile Dialog Box<br />
4 Use the New Capture Profile dialog box to enter a name for the filter<br />
profile. In addition, you can copy the settings for this filter from<br />
either an existing defined profile (Copy Existing Profile option) or<br />
from one of the many samples provided with <strong>Sniffer</strong> <strong>Adaptive</strong><br />
<strong>Application</strong> <strong>Analyzer</strong> (Copy Sample Profile option).<br />
5 Click OK.<br />
6 Click Done in the Capture Profiles dialog box.<br />
The filter appears in the Settings For panel of the Define Filter dialog<br />
box. At this point, you can fine tune the settings for this filter in the other<br />
tabs of the Define Filter dialog box (Address, Data Pattern,<br />
Advanced, and so on).<br />
Using the Manual Display Filter Tabs<br />
Use the following tabs to filter using a variety of criteria:<br />
• Filtering by Address on page 185<br />
• Filtering by Port on page 186<br />
• Filtering by Data Pattern on page 187<br />
• Filtering by Packet Size, Protocol, and Packet Types on page 189<br />
Filtering by Address<br />
Use the options on the Address tab to set up a filter to display packets<br />
between up to ten pairs of network nodes by their addresses.<br />
To filter by address:<br />
1 Go to Display > Define Filter, then click the Profiles button.<br />
Assign the filter a name and configure the settings.<br />
If you are modifying an existing filter, ensure that filter is selected<br />
from the Settings For: list before continuing.<br />
2 Click the Address tab.<br />
3 From the Address type dropdown list, define the address as either<br />
a network Hardware, IP, or IPX address.<br />
4 Under <strong>Mode</strong>, select Include or Exclude to include or exclude<br />
packets that match the address specification.<br />
5 Drag and drop a symbolic address from the Known Address list into<br />
the Station 1 or Station 2 fields. Known addresses come from<br />
Broadcast Addresses, the Host Table, or the Address Book.<br />
You can also just type in an address manually. When entering a<br />
specific IP address, you can use an asterisk (*) to designate a wild<br />
card, for instance 10.20.90.*, 10.20.*.9, 10.*.90.9, or *.20.90.9<br />
6 Select which direction the traffic flows by setting the Dir option<br />
between stations.<br />
7 Click OK.<br />
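The following added Python model (not NetScout code) shows how the asterisk wildcard, the Station 1/Station 2 direction setting and Include/Exclude mode decide which constructed packets an address filter passes; the direction labels, the ten-pair limit check and the rule that any listed pair may match are assumptions of the model:

```python
"""Added example (not NetScout code): matching Address-tab filters.

Implements the guide's asterisk wildcard for IP addresses (10.20.90.*,
10.20.*.9, ...), the Station 1 / Station 2 direction setting, Include or
Exclude mode and the limit of ten station pairs per filter.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

MAX_PAIRS = 10  # the Address tab allows up to ten pairs of stations

DIR_1_TO_2 = "1->2"   # Station 1 sends to Station 2 only (assumed label)
DIR_2_TO_1 = "2->1"   # Station 2 sends to Station 1 only (assumed label)
DIR_BOTH = "<->"      # traffic in either direction (assumed label)


def ip_pattern_matches(pattern: str, address: str) -> bool:
    """Octet-wise compare; '*' in the pattern matches any octet value."""
    p, a = pattern.split("."), address.split(".")
    if len(p) != 4 or len(a) != 4:
        raise ValueError(f"expected dotted-quad values, got {pattern!r} and {address!r}")
    for want, got in zip(p, a):
        if want == "*":
            continue
        if not (want.isdigit() and got.isdigit() and int(want) < 256 and int(got) < 256):
            raise ValueError(f"bad octet in {pattern!r} / {address!r}")
        if int(want) != int(got):
            return False
    return True


@dataclass(frozen=True)
class StationPair:
    station1: str
    station2: str
    direction: str = DIR_BOTH

    def matches(self, src: str, dst: str) -> bool:
        fwd = ip_pattern_matches(self.station1, src) and ip_pattern_matches(self.station2, dst)
        rev = ip_pattern_matches(self.station2, src) and ip_pattern_matches(self.station1, dst)
        if self.direction == DIR_1_TO_2:
            return fwd
        if self.direction == DIR_2_TO_1:
            return rev
        if self.direction == DIR_BOTH:
            return fwd or rev
        raise ValueError(f"unknown direction {self.direction!r}")


@dataclass
class AddressFilter:
    mode: str                                   # "Include" or "Exclude"
    pairs: List[StationPair] = field(default_factory=list)

    def add_pair(self, pair: StationPair) -> None:
        if len(self.pairs) >= MAX_PAIRS:
            raise ValueError("an Address filter holds at most ten station pairs")
        self.pairs.append(pair)

    def passes(self, src: str, dst: str) -> bool:
        hit = any(p.matches(src, dst) for p in self.pairs)   # assumed: any pair may match
        return hit if self.mode == "Include" else not hit


Packet = Dict[str, object]
# Constructed sample packets (not from a real capture).
TRACE: List[Packet] = [
    {"no": 1, "src": "10.20.90.5", "dst": "192.168.1.9"},
    {"no": 2, "src": "192.168.1.9", "dst": "10.20.90.5"},
    {"no": 3, "src": "10.20.91.5", "dst": "192.168.1.9"},
    {"no": 4, "src": "10.20.90.200", "dst": "192.168.1.10"},
]


def apply_filter(flt: AddressFilter, packets: Sequence[Packet]) -> List[int]:
    return [p["no"] for p in packets if flt.passes(p["src"], p["dst"])]


def demo_include_one_way() -> List[int]:
    """Station 1 = 10.20.90.*, Station 2 = 192.168.1.9, Dir 1->2, Include."""
    f = AddressFilter("Include")
    f.add_pair(StationPair("10.20.90.*", "192.168.1.9", DIR_1_TO_2))
    return apply_filter(f, TRACE)          # [1]


def demo_include_both_ways() -> List[int]:
    """Same pair, Dir in both directions: the reply packet is included too."""
    f = AddressFilter("Include")
    f.add_pair(StationPair("10.20.90.*", "192.168.1.9", DIR_BOTH))
    return apply_filter(f, TRACE)          # [1, 2]


def demo_exclude_pair() -> List[int]:
    """Same pair in Exclude mode: everything except that conversation."""
    f = AddressFilter("Exclude")
    f.add_pair(StationPair("10.20.90.*", "192.168.1.9", DIR_BOTH))
    return apply_filter(f, TRACE)          # [3, 4]


def pair_limit_enforced() -> bool:
    """True if the eleventh pair is rejected."""
    f = AddressFilter("Include")
    for i in range(MAX_PAIRS):
        f.add_pair(StationPair(f"10.0.0.{i}", "10.0.1.*"))
    try:
        f.add_pair(StationPair("10.9.9.9", "10.0.1.*"))
    except ValueError:
        return True
    return False
```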
Figure 8-13. Setting Address Filters<br />
Filtering by Port<br />
Use the options on the Port tab to define filters for specific network traffic traveling on designated software ports. Filtering can be performed between TCP and UDP ports using various directional flows.<br />
NOTE: Port filters are software-based filters and do not support<br />
hardware ports. You must select either IP or IPX in the Address<br />
tab for the Known Ports tree to display the known IP or IPX ports. If<br />
Hardware is selected in the Address tab, the Port tab is disabled.<br />
To filter by Port:<br />
1 Go to Display > Define Filter, then click the Profiles button.<br />
Assign the filter a name and configure the settings.<br />
If you are modifying an existing filter, ensure that filter is selected<br />
from the Settings For: list before continuing.<br />
2 Click the Port tab.<br />
3 The Known Ports box includes ports already known to <strong>Sniffer</strong><br />
<strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>. You can click and drag ports from<br />
the Known Ports box into the Port 1 or Port 2 fields to filter on<br />
these ports.<br />
You can also enter a port manually in the Port 1 and Port 2 fields<br />
provided. Port 1 and Port 2 columns identify which ports are<br />
assigned to the filter.<br />
4 Select which direction the traffic flows between the ports by setting<br />
the Dir option.<br />
5 Click OK.<br />
Figure 8-14. Setting Port Filters<br />
Filtering by Data Pattern<br />
Use the Data Pattern tab to define a filter that will capture or display packets that match a data pattern you specify. A data pattern is specified by a particular sequence of bits, the length of that sequence, and its offset position within the packet. The maximum data pattern length is 32 bytes. You can specify the offset from the beginning of the packet or from the protocol boundary.<br />
A data pattern filter can be simple, consisting of a single data pattern,<br />
or very sophisticated, involving multiple data patterns connected by<br />
Boolean operators AND, OR, and NOT.<br />
See Copying a Data Pattern from the Decode Screen on page 189.<br />
To filter by data pattern:<br />
1 Go to Display > Define Filter, then click the Profiles button.<br />
Assign the filter a name and configure the settings.<br />
If you are modifying an existing filter, ensure that filter is selected<br />
from the Settings For: list before continuing.<br />
2 Click the Data Pattern tab.<br />
3 From the buttons available, you can define or modify a data pattern<br />
using the following:<br />
• Add AND/OR. Click to create a new Boolean operator AND/OR.<br />
• Toggle AND/OR. Click to toggle the selected Boolean operator between AND and OR.<br />
• Toggle NOT. Click to turn on or off the NOT operator.<br />
• Add NOT. Creates a NOT operator.<br />
• Add Pattern. Click Add Pattern to create a new data pattern.<br />
• Edit Pattern. Click to modify the selected data pattern.<br />
• Delete. Click to delete the selected Boolean operator or data pattern. If the operator has child operators or data patterns, they will be deleted with the parent.<br />
• Evaluate. Evaluates the Boolean equation immediately. If the equation is incomplete, an error message is generated.<br />
NOTE: You can use a wildcard to look for an ASCII or Hexadecimal<br />
string within the boundaries you define.<br />
4 Click OK.<br />
Figure 8-15. Setting Data Pattern Filters<br />
Copying a Data Pattern from the Decode Screen<br />
You can copy the data pattern for your filter from the display decode<br />
screen. To do this, select the packet before you invoke the define filter<br />
function. In the Data Pattern tab, select Add Pattern, then Set Data.<br />
This copies the data field from the selected packet into the data pattern<br />
fields, and calculates the offset and length. In addition, you can use the<br />
selected pattern as a template, editing it in the display to suit your<br />
needs.<br />
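As an added example (not from the guide or the product), this Python evaluator models a Data Pattern filter: patterns with an offset from the packet start or from a protocol boundary, a byte sequence of at most 32 bytes, and AND/OR/NOT operators, raising an error for an incomplete equation as the Evaluate button does. The frame bytes, the protocol-boundary offset and the byte-mask form of the wildcard are constructed assumptions:

```python
"""Added example (not NetScout code): evaluating a Data Pattern filter tree.

Each pattern has an offset (from the start of the packet or from a protocol
boundary), a byte sequence of at most 32 bytes with optional wildcard
positions (modelled as a byte mask, an assumption), and patterns are joined
by AND / OR / NOT operators that may nest.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Union

MAX_PATTERN_BYTES = 32  # maximum data pattern length given in the guide


class IncompleteEquation(Exception):
    """Raised when an operator has too few operands (the Evaluate error case)."""


@dataclass(frozen=True)
class Pattern:
    offset: int
    data: bytes
    mask: Optional[bytes] = None           # 0x00 at a position = wildcard byte
    from_protocol_boundary: bool = False   # offset relative to the protocol boundary

    def __post_init__(self) -> None:
        if self.offset < 0:
            raise ValueError("offset must not be negative")
        if not 0 < len(self.data) <= MAX_PATTERN_BYTES:
            raise ValueError("pattern must be 1..32 bytes long")
        if self.mask is not None and len(self.mask) != len(self.data):
            raise ValueError("mask must be as long as the pattern")

    def matches(self, frame: bytes, boundary: int) -> bool:
        start = self.offset + (boundary if self.from_protocol_boundary else 0)
        window = frame[start:start + len(self.data)]
        if len(window) < len(self.data):
            return False  # pattern runs past the end of the frame
        mask = self.mask or b"\xff" * len(self.data)
        return all((w & m) == (d & m) for w, d, m in zip(window, self.data, mask))


@dataclass
class Op:
    kind: str                                        # "AND", "OR" or "NOT"
    operands: List[Union["Op", Pattern]] = field(default_factory=list)


Node = Union[Op, Pattern]


def evaluate(node: Node, frame: bytes, boundary: int = 0) -> bool:
    """Evaluate the Boolean equation against one frame."""
    if isinstance(node, Pattern):
        return node.matches(frame, boundary)
    if node.kind == "NOT":
        if len(node.operands) != 1:
            raise IncompleteEquation("NOT needs exactly one operand")
        return not evaluate(node.operands[0], frame, boundary)
    if node.kind in ("AND", "OR"):
        if len(node.operands) < 2:
            raise IncompleteEquation(f"{node.kind} needs at least two operands")
        results = [evaluate(child, frame, boundary) for child in node.operands]
        return all(results) if node.kind == "AND" else any(results)
    raise ValueError(f"unknown operator {node.kind!r}")


# Constructed frame: 14-byte Ethernet header followed by a minimal IPv4 header.
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")
IPV4_HDR = (bytes.fromhex("45000028000040004006" "0000")
            + bytes([10, 20, 90, 5]) + bytes([192, 168, 1, 9]))
FRAME = ETH_HDR + IPV4_HDR
IP_BOUNDARY = len(ETH_HDR)  # where the IP protocol starts in this frame (assumed)

ETHERTYPE_IPV4 = Pattern(offset=12, data=b"\x08\x00")
PROTO_TCP = Pattern(offset=9, data=b"\x06", from_protocol_boundary=True)
PROTO_UDP = Pattern(offset=9, data=b"\x11", from_protocol_boundary=True)
# Source address 10.20.*.* : last two octets are wildcards via the mask.
SRC_NET_10_20 = Pattern(offset=12, data=b"\x0a\x14\x00\x00",
                        mask=b"\xff\xff\x00\x00", from_protocol_boundary=True)


def tcp_from_10_20() -> bool:
    """IPv4 AND TCP AND source in 10.20.0.0/16: True for FRAME."""
    return evaluate(Op("AND", [ETHERTYPE_IPV4, PROTO_TCP, SRC_NET_10_20]), FRAME, IP_BOUNDARY)


def not_udp() -> bool:
    return evaluate(Op("NOT", [PROTO_UDP]), FRAME, IP_BOUNDARY)          # True


def udp_or_tcp() -> bool:
    return evaluate(Op("OR", [PROTO_UDP, PROTO_TCP]), FRAME, IP_BOUNDARY)  # True


def incomplete_reports_error() -> bool:
    """An AND with a single operand is an incomplete equation."""
    try:
        evaluate(Op("AND", [ETHERTYPE_IPV4]), FRAME, IP_BOUNDARY)
    except IncompleteEquation:
        return True
    return False
```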
Filtering by Packet Size, Protocol, and Packet Types<br />
Use options on the Advanced tab to define a filter based on packet size,<br />
protocol type, or packet type.<br />
To create packet size, protocol, and packet type filters:<br />
1 Go to Display > Define Filter, then click the Profiles button.<br />
Assign the filter a name and configure the settings.<br />
If you are modifying an existing filter, ensure that filter is selected<br />
from the Settings For: list before continuing.<br />
2 Click the Advanced tab.<br />
3 To define a new filter, first click the Profiles button and give the<br />
new filter a name. Then, configure your settings.<br />
If you are modifying an existing filter, ensure that filter is selected<br />
from the Settings For: list before continuing.<br />
4 Specify one or more network protocols on which to filter. All<br />
network protocols with a check mark will be included.<br />
You can select one or more protocols or sub protocols to act as a<br />
filter. If the packet matches one of the selected protocol types, it<br />
will pass through the filter. If no protocol is selected, all protocol<br />
types will be captured.<br />
If a protocol you need is not defined in the protocol list, you can<br />
define your own protocol filter using the data pattern filter controls.<br />
NOTE: Not all protocols in the list are supported by the<br />
Expert. For a list of currently supported protocols for Expert,<br />
see the online Help.<br />
5 From the Packet Size dropdown list, specify the packet size on<br />
which to filter. You can specify packets that are equal to, greater<br />
than, or less than a specific packet size, or in a range or outside of<br />
a range of packet sizes.<br />
Importing and Exporting Filters<br />
Using the Display Profiles dialog box, you can import and export filters<br />
between <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> machines.<br />
To import and export Display filters:<br />
1 Go to Display > Define Filter and the Define Filter Display<br />
window appears.<br />
2 Click Profiles and the Display Profiles dialog appears.<br />
3 Click Export to select a default directory, such as a network<br />
location. Map to a common network share that multiple<br />
installations can access, then save the Display filter.<br />
or<br />
Click Import to select a Display filter from a network location to<br />
save locally on the <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> machine.<br />
Setting Display Setup Options<br />
You can customize the way data is displayed in the decode display. You can:<br />
• Exclude certain subprotocols from the summary pane (this is a more detailed control than a display filter).<br />
• Set the summary address field format (network or hardware).<br />
• Specify whether the two-station display format should be used.<br />
• Select optional fields to be shown in the summary display.<br />
• Color-code packets displayed in the summary pane based on their protocol.<br />
• Select the font for the detail display.<br />
To set the display options:<br />
1 Select Display Setup from the Display menu. The Display Setup<br />
dialog tabs are summarized in the following table.<br />
Table 8-8. Display Setup Options<br />
General. Select which tabs show on the Display. You can show/hide the Expert tab and the post analysis tabs (Host Table, Matrix, Protocol Distribution, and Statistics). The Decode tab is always displayed. You can also set options that affect how fast data is decoded. See Display Setup > General Options on page 192.<br />
Summary Display. Specify the symptoms and protocol detail in the Decode Summary pane. See Display Setup > Summary Display Options on page 193.<br />
Protocol Color. Click here to change the colors used for protocols in the summary pane.<br />
Protocol Expand. Click here to set each protocol’s display mode in the Detail pane to fully expanded or one-line summary.<br />
Table 8-8. Display Setup Options (continued)<br />
Decode Font. Click here to change font type, style, and size for the text in the Decode display.<br />
Packet Selection. Click here to specify whether you would like a new tab created when you are filtering in the Decode > Summary pane (Decode tab), or the matching packets marked in the Decode > Summary pane instead. See Display Setup > Packet Selection Options on page 195.<br />
Display Setup > General Options<br />
The Display > Display Setup > General tab contains options that can<br />
improve decode performance when working with large buffers or trace<br />
files.<br />
In previous releases, when decoding a trace file or buffer, protocol<br />
interpreters would start by performing a prescan of the entire trace or<br />
buffer. For large trace files and buffers, this process could take a long<br />
time.<br />
To address this issue, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> provides the<br />
option of a windowed approach. Using the windowed approach, <strong>Sniffer</strong><br />
<strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> starts by prescanning a user-specified<br />
portion of the trace file or buffer. When moving from window to window<br />
within the buffer or trace file, the previous prescanned information will<br />
be cleared from memory so the new window can be scanned. This way,<br />
decoded information is available more quickly.<br />
You specify both whether to use the windowed approach and the size of<br />
the window to be used in the Display > Display Setup > General tab.<br />
Set the reassembly options as follows:<br />
• Reassemble entire trace file. Enable this option if you would like to reassemble the entire trace file or buffer before displaying decoded data. Disable this option if you would like to reassemble the trace file in “chunks.”<br />
• Reassembly window size. Use this option to specify the size (in terms of the number of frames) of the “chunk” to be reassembled and displayed. As you move between chunks, one chunk is cleared out and another is scanned.<br />
The default and minimum value for the Reassembly window size is 5000. This value is configurable, but it is recommended that you edit this value only if it is absolutely necessary.<br />
NOTE: When Frame Slicing is enabled on the Capture > Define<br />
Filter > Buffer tab, windowed reassembly is not supported.<br />
Enabling windowed reassembly and frame slicing can result in some<br />
minor display problems.<br />
Display Setup > Summary Display Options<br />
The following table summarizes the options you can set in the Display<br />
Setup > Summary Display tab.<br />
Table 8-9. Summary Display Options<br />
Show Expert symptoms. If enabled, the Summary display shows the last symptom found (if any) for each frame.<br />
Show all layers. If enabled, the Summary pane shows one line for each protocol level contained in a frame. If disabled, only one line (for the highest enabled protocol level) is shown.<br />
Show network address. If enabled, the Summary pane shows addresses as network addresses. If disabled, the Summary pane shows addresses as hardware (DLC) addresses.<br />
Display vendor ID on MAC Address. If enabled, the Summary pane shows vendor names for the first portion (manufacturer’s ID) of MAC addresses instead of numerical addresses.<br />
Resolve name on Network address. If enabled, the Summary pane shows names for network addresses instead of numerical addresses.<br />
Use Address Book to resolve name. If enabled, the Summary pane will substitute names for addresses for any stations that are named in the Address Book.<br />
Table 8-9. Summary Display Options (continued)<br />
Two-station format. If enabled, splits the display into left and right panes, showing traffic between two stations.<br />
When you examine network activity, you often want to focus on traffic between a pair of stations. To do this, you can set up display filters that define the two stations and enable the Two-station format in the Summary Display tab.<br />
The two-station format shows transmissions from one station (the station that was detected first) on the left side of the screen and transmissions from the other station on the right. The Source and Destination columns from the single station display are removed. Instead, there are two columns, titled From xxx and From yyy. A frame from the station on the left is assumed to be addressed to the station on the right, and vice versa.<br />
If you do not set filters limiting the display of frames to two stations, <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> will display frames from additional stations in the usual format. Since this is inconsistent with the two-station format, it makes the feature less useful.<br />
Highlight selected frames. If enabled, selected frames are highlighted in the Summary pane.<br />
Table 8-9. Summary Display Options (continued)<br />
Optional Fields. Optional columns that can be shown in the Summary pane:<br />
• Status. Flags associated with a frame. See Packet Status Flags in the Summary Pane on page 169 for a description of the flags that can appear in the Status column.<br />
• Absolute time. When the frame was received.<br />
• Delta time. The interval between the current frame and the previous frame.<br />
• Relative time. The interval between the current frame and the marked frame.<br />
• (Len) Bytes. The frame’s length.<br />
• Cumulative bytes. The length of all frames, starting with the marked frame and including the current frame.<br />
Exclude protocols. Checked protocols are excluded from the Decode tab. Click All to exclude all protocols or click None to include all protocols.<br />
Display Setup > Packet Selection Options<br />
Display Setup > Packet Selection Options<br />
Use the options in the Display Setup > Packet Selection tab to<br />
specify how Quick Filters are applied and how new tabs of filtered<br />
frames are named (the Filtered Tab Name option).<br />
Set the following options:<br />
Table 8-10. Packet Selection Tab Options<br />
Option Description<br />
Select Packets When this option is enabled, quick filters either<br />
select or clear matching packets in the active<br />
Decode tab, depending on whether Select<br />
Matching or Clear Selected is set.<br />
When this option is not enabled, quick filters return<br />
matching packets in a new tab of filtered packets.<br />
Select Matching When this option is enabled, quick filters select<br />
matching packets in the active Decode tab (check<br />
the boxes in the leftmost column of the Summary<br />
pane).<br />
Table 8-10. Packet Selection Tab Options (continued)<br />
Option Description<br />
Clear Selected When this option is enabled, quick filters clear the<br />
selection of matching packets in the active Decode<br />
tab.<br />
Apply on Selected Set When this option is enabled, quick filters are<br />
applied only to the currently selected packets in<br />
the active Decode tab.<br />
Filtered Tab Name Use this option to specify how new tabs of filtered<br />
frames are named. New tabs will be added using<br />
the name you specify here along with a sequence<br />
number.<br />
Setting Protocol Aliases for the Postcapture Display<br />
Use the Tools > Options > Protocols tab to specify on which ports the<br />
postcapture display should expect the various upper layer protocols running<br />
over TCP, UDP, or IPX (separate options are provided for each). The<br />
commonly established port for each upper layer protocol is provided by<br />
default. For most networks, the default port number for the listed upper<br />
layer protocols will be correct. However, if your network uses a<br />
proprietary implementation of a particular protocol, you can specify<br />
custom ports here. You can also rename existing protocols by<br />
overwriting the default name supplied in this tab.<br />
You can also add entirely custom protocols by clicking in a<br />
blank cell at the end of the list and supplying a protocol and port pair for<br />
a given transport. The postcapture display will provide traffic counts for<br />
the named protocol/port pair in its Protocol Distribution tab.<br />
Keep in mind that this mapping is by port number alone: whatever is<br />
sent on a mapped port is counted under that protocol name, and traffic<br />
on an unmapped port is counted as Others, regardless of its actual<br />
content.<br />
NOTE: The aliases entered on this tab affect data display in the<br />
Protocol Distribution tab of the postcapture window. They do not<br />
affect data shown in the Quick Select window. To set aliases for<br />
data in the Quick Select window, use the Quick Select > Options ><br />
Aliases tab. See Setting Aliases Tab Options on page 250.<br />
Exporting and Importing Protocols Tab Settings<br />
The Tools > Options > Protocols tab includes Import and Export<br />
buttons that let you change the Protocols tab settings in force:<br />
• The Export button opens a common Save As dialog box, allowing<br />
you to save the Protocols tab settings to an XML file.<br />
• The Import button opens a common Browse dialog box in which<br />
you can navigate to an XML file of saved Protocols tab settings for<br />
import.<br />
The Import and Export buttons are particularly useful in the following<br />
situations:<br />
• You want to create files of saved Protocols tab settings for use in<br />
different network environments. For example, you may commonly<br />
analyze network segments with protocol loads running over known<br />
but non-standard ports. You can switch Protocols tab settings in<br />
and out quickly using these buttons.<br />
• You want to share Protocols tab settings with another Sniffer unit<br />
supporting this feature. You can export your settings to a file and<br />
then import them on a second unit.<br />
Searching for Frames in the Decode Display<br />
Because the Decode display can include many thousands of<br />
frames, it can be useful to search for particular frames. Using Sniffer<br />
Adaptive Application Analyzer’s search abilities, you can search<br />
for frames in the Decode display that match a text string, a certain data<br />
pattern, or a certain status flag, or that have an Expert symptom or<br />
diagnosis associated with them.<br />
NOTE: In addition to searching for frames, you can also advance to<br />
a particular frame in the Decode tab by specifying its number. Do<br />
this by selecting the Go to Frame command from the Display menu<br />
and supplying the frame number in the dialog box that appears.<br />
Use the Find Frame dialog box to search for frames. Display the Find<br />
Frame dialog box using any of the following commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu (activated<br />
by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
The Find Frame dialog box contains the following tabs:<br />
Text — The Text tab lets you search for frames containing a<br />
specified text string.<br />
Time — The Time tab lets you search for frames with specific text<br />
in the delta, relative, or absolute time fields.<br />
Data — The Data tab lets you search for frames containing a<br />
specified data pattern.<br />
Status — The Status tab lets you search for frames with a<br />
particular status flag.<br />
Expert — The Expert tab lets you search for frames with a<br />
particular associated Expert symptom or diagnosis.<br />
The following sections describe how to perform searches from each of<br />
these tabs.
Searching for Frames Matching Text Strings<br />
To search for packets matching a text string:<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
2 Click the Text tab.<br />
3 Enter the text to search in the field provided. The dropdown list<br />
includes previously performed text searches.<br />
4 Specify which portion of the Decode tab to search for the<br />
string, using the options provided.<br />
5 Specify whether the search is case-sensitive using the Match case<br />
option.<br />
6 Specify the search direction.<br />
7 Click OK. If the string is found, the frame containing the pattern<br />
will be displayed in the Decode Display. Press F3 to search for the<br />
next packet matching the same criteria.<br />
Figure 8-16. Text Tab of the Find Frame Dialog Box<br />
Searching for Frames Matching Time Criteria<br />
To search for frames matching time criteria:<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
2 Click the Time tab. Search for packets with specific text in the<br />
Delta Time, Relative Time, or Absolute Time fields in the<br />
Summary pane here.<br />
To search for a value in the Delta Time field, enable the Delta<br />
Time option and supply the text to search for.<br />
To search for a value in the Relative Time field, enable the<br />
Relative Time option and supply the text to search for.<br />
To search for a value in the Absolute Time field, enable the<br />
Absolute Time option and use the dropdown fields to select<br />
the value to search for.<br />
NOTE: You can select any combination of values in the<br />
dropdown lists. Leaving a field blank will cause the search to<br />
accept any value for that field.<br />
3 Use the Up and Down fields to specify whether to search in an<br />
upward or downward direction from the currently selected frame.<br />
4 Use the Search Condition fields to specify which type of search<br />
you would like to perform, as follows:<br />
Simple Partial Search — A simple partial search will find any<br />
occurrence of the specified value anywhere within the<br />
specified field.<br />
Advanced Complete Search — An advanced complete<br />
search will find an exact match only.<br />
5 Click OK.
Figure 8-17. Time Tab of the Find Frame Dialog Box<br />
Searching for Frames Matching Data Patterns<br />
You can also seed a data-pattern search from a packet that is already in<br />
the Decode display; see Searching for Data Patterns using a Pattern<br />
from a Known Packet.<br />
To search for frames matching specific data patterns:<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
2 Click the Data tab.<br />
3 From the From dropdown list, specify whether the Offset is counted<br />
from the start of the packet, from the start of the protocol, or either<br />
(Don’t Care).<br />
4 In the Offset field, specify the offset at which to search for the<br />
specified pattern.<br />
5 From the Format field, specify the format in which the data to<br />
search for is specified.<br />
6 Click Up or Down to specify the search direction.<br />
7 Click OK.<br />
NOTE: If desired, click Reset to reset all the fields in the Data tab<br />
to start a new search.
Figure 8-18. Data Tab of the Find Frame Dialog Box<br />
Searching for Data Patterns using a Pattern from a Known Packet<br />
The easiest way to search for a data pattern is to use a pattern from a<br />
known packet that is already in the Decode display.<br />
To search for data patterns using a pattern from a known<br />
packet:<br />
1 Locate and highlight either:<br />
A packet in the Summary pane.<br />
A protocol field or a data pattern in the Detail pane.<br />
2 Open the Find Frame dialog box by selecting the Find Frame<br />
command from the Display menu (or from the context menu).<br />
3 Select the Data tab.<br />
If you selected a packet in the Summary pane, the Data tab<br />
will already contain some data from the selected packet.<br />
If you selected a protocol field or data pattern in the Detail<br />
pane, the Data tab will already contain the selected field or<br />
pattern.<br />
4 Set the From list box to Don’t Care.<br />
5 You can click the Set Data button to open the Set Data dialog box,<br />
containing a line-by-line decode of the selected packet.<br />
Figure 8-19. The Set Data Dialog Box<br />
6 Select a line from the Set Data dialog box and click OK.<br />
7 The data from the selected line is placed in the data pattern area<br />
of the Find Frame dialog box. Adjust the data and the length if<br />
necessary.<br />
8 Click OK to start the search. If a pattern match is found, the packet<br />
containing the pattern will be displayed in the Decode Display.<br />
Press F3 to search for the next packet.<br />
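The search that the Data tab performs, as an added example that is not part of this guide and not NetScout code: a small Python model of an offset-anchored data-pattern search over a constructed capture. The Frame layout, the protocol offsets that a decoder would supply, the hex and ASCII pattern formats, and the sample frames are all assumptions made for illustration.

```python
"""Offset-anchored data-pattern search over a list of frames, modelled on
the Find Frame > Data tab. Added example, not NetScout code. The frame
layouts, protocol offsets and the hex/ASCII pattern formats are
assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Frame:
    number: int                       # 1-based frame number as in the Summary pane
    raw: bytes                        # captured bytes
    protocol_offsets: Dict[str, int]  # start of each decoded header (assumed decoder output)


def parse_pattern(text: str, fmt: str) -> bytes:
    """Turn the pattern typed in the dialog into bytes. fmt is 'hex'
    ("00 50" or "0050") or 'ascii'; both formats are assumptions."""
    if fmt == "hex":
        return bytes.fromhex(text.replace(" ", ""))
    if fmt == "ascii":
        return text.encode("ascii")
    raise ValueError(f"unsupported pattern format {fmt!r}")


def matches(frame: Frame, pattern: bytes, offset: int, anchor: str,
            protocol: Optional[str] = None) -> bool:
    """anchor 'packet': offset counted from byte 0 of the frame.
    anchor 'protocol': offset counted from the start of the named header.
    anchor 'dontcare': the pattern may appear anywhere in the frame."""
    if anchor == "dontcare":
        return pattern in frame.raw
    if anchor == "packet":
        base = 0
    elif anchor == "protocol":
        if protocol not in frame.protocol_offsets:
            return False              # header not present, so it cannot match
        base = frame.protocol_offsets[protocol]
    else:
        raise ValueError(f"unknown anchor {anchor!r}")
    start = base + offset
    return frame.raw[start:start + len(pattern)] == pattern


def find_frame(frames: List[Frame], pattern: bytes, offset: int = 0,
               anchor: str = "dontcare", protocol: Optional[str] = None,
               start_at: Optional[int] = None, direction: str = "down") -> Optional[int]:
    """Return the number of the next matching frame after list index
    start_at in the given direction (clicking OK, then F3), or None.
    start_at=None searches the whole list from the top (down) or bottom (up)."""
    if start_at is None:
        start_at = -1 if direction == "down" else len(frames)
    if direction == "down":
        order = range(start_at + 1, len(frames))
    elif direction == "up":
        order = range(start_at - 1, -1, -1)
    else:
        raise ValueError(f"unknown direction {direction!r}")
    for i in order:
        if matches(frames[i], pattern, offset, anchor, protocol):
            return frames[i].number
    return None


def eth_ip_tcp(sport: int, dport: int, payload: bytes, flags: int = 0x18) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = (bytes([0x45, 0]) + (40 + len(payload)).to_bytes(2, "big")
          + bytes.fromhex("0000400040060000") + bytes([10, 0, 0, 1, 10, 0, 0, 2]))
    tcp = (sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + bytes(8)
           + bytes([0x50, flags]) + bytes(6))
    return eth + ip + tcp + payload


OFFSETS = {"eth": 0, "ip": 14, "tcp": 34, "data": 54}   # fixed for these sample frames

# constructed capture: a GET, a SYN to 443, a POST, and an HTTP reply
FRAMES = [
    Frame(1, eth_ip_tcp(40000, 80, b"GET /index.html HTTP/1.1\r\n"), OFFSETS),
    Frame(2, eth_ip_tcp(40001, 443, b"", flags=0x02), OFFSETS),
    Frame(3, eth_ip_tcp(40002, 80, b"POST /login HTTP/1.1\r\n"), OFFSETS),
    Frame(4, eth_ip_tcp(80, 40000, b"HTTP/1.1 200 OK\r\n"), OFFSETS),
]

if __name__ == "__main__":
    # the TCP flags byte sits 13 bytes into the TCP header: find the SYN
    print(find_frame(FRAMES, bytes([0x02]), offset=13, anchor="protocol", protocol="tcp"))
    # first frame whose payload starts with "GET "
    print(find_frame(FRAMES, parse_pattern("GET ", "ascii"), anchor="protocol", protocol="data"))
```

Anchoring the offset to a protocol header rather than to byte 0 is what makes a pattern search survive frames whose lower layers differ in length (VLAN tags, IP options); the Don't Care anchor is the broadest but also matches the pattern wherever it happens to occur in the payload.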
Searching for Frames Matching Packet Status Flags<br />
To search for packets with a particular Status flag:<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
2 Click the Status tab.<br />
3 Select the status flag(s) to search for.<br />
4 Click Up or Down to specify the search direction.<br />
5 Click OK. If a frame with one of the specified flags is found,<br />
that frame will be displayed in the Decode Display. Press<br />
F3 to search for the next packet matching the same criteria.<br />
For descriptions of the various possible packet status flags, see Packet<br />
Status Flags in the Summary Pane on page 169.<br />
Figure 8-20. Status Tab of the Find Frame Dialog Box<br />
Searching for Frames with Expert Alarms<br />
To search for packets exhibiting a particular Expert symptom<br />
or diagnosis:<br />
1 Display the Find Frame dialog box using any of the following<br />
commands:<br />
Select Find Frame from the Display menu.<br />
Select Find Frame from the Decode tab’s context menu<br />
(activated by right-clicking anywhere on the Decode tab).<br />
Use the Alt-F3 keyboard shortcut.<br />
2 Click the Expert tab.<br />
3 Select the Expert alarm to search for from the dropdown list<br />
provided. The list includes each of the Expert alarms found<br />
somewhere in the currently displayed Decode tab.<br />
4 Click Up or Down to specify the search direction.<br />
5 Click OK. If a frame exhibiting the specified Expert alarm is found,<br />
the frame will be displayed in the Decode Display. Press F3 to<br />
search for the next packet matching the same criteria.<br />
Figure 8-21. Expert Tab of the Find Frame Dialog Box
Printing Decoded Packets<br />
You can print the decoded data packets in the Decode Display. You can<br />
print a line-by-line list of the packets in the Summary pane, a list of<br />
protocol fields in the Detail pane, the hex data in the Hex pane, or a<br />
combination of any of the three panes.<br />
To print decoded packets, select Print from the File menu to display the<br />
Print dialog box. Use this dialog box as follows:<br />
• In the Print Range area, select the range of packets you want to<br />
print.<br />
• In the Format area, select which panes (Summary, Detail, Hex)<br />
you want to print and whether to print the data in comma-separated<br />
values format for import into a spreadsheet application.<br />
If you enable the CSV Format and Print to file options, you may<br />
want to replace the default .PRN extension for printed output with<br />
a .CSV extension. The .CSV extension tells most spreadsheet<br />
applications (including MS-Excel) to expect comma-delimited data<br />
and import it accordingly (that is, with each comma-separated<br />
value in its own column).<br />
NOTE: If you open a CSV Format file saved with the default<br />
.PRN extension in MS-Excel, you will be prompted to supply<br />
the character used for the delimiter in the file. As you would<br />
expect when the CSV Format option is enabled, the delimiter<br />
used in the saved output file is a comma.<br />
• Check the Print to File option to output the decoded data packets<br />
to a file.<br />
During printing, you can use the Abort Printing toolbar button or File<br />
> Abort Printing menu selection to abort the current print job.<br />
Changing the Format of Printed Summary Pane Data<br />
You can control which optional fields in the Summary pane are included<br />
in printed output, and the order in which they are printed. Summary pane<br />
fields are printed in a "what you see is what you get" ("WYSIWYG")<br />
format -- columns in the pane are printed in the same order in which<br />
they are shown in the Decode display. Because of this, you can use the<br />
following techniques to control the format of printed summary data:<br />
• Use the Optional Fields list in the Summary Display tab of the<br />
Display > Display Setup dialog box to specify which optional<br />
fields are included in the Summary pane display. The only optional<br />
fields included in printed output will be those enabled in this list.<br />
However, printed output will always include the standard non-optional<br />
frame number, source address, destination address, and<br />
summary text fields.<br />
See Display Setup > Summary Display Options on page 193 for<br />
information on specifying optional fields for the Summary pane.<br />
• Use standard drag-and-drop techniques to rearrange the columns<br />
in the Summary pane. Summary pane fields will be printed in the<br />
same order in which they are shown in the Decode display.<br />
NOTE: Although you can resize columns in the Summary pane<br />
display using standard click-and-drag techniques, columns in<br />
printed Summary pane output are automatically resized to<br />
accommodate the largest entry in a given column. This way, data is<br />
not inadvertently truncated in printed output.<br />
The Summary Field in Printed Summary Pane Data<br />
The Summary pane of the Decode Display always includes a Summary<br />
column. The data in this column provides a quick synopsis of the packet<br />
in question -- its highest layer protocol, the frame type, any pertinent<br />
status flags, and so on. The width of the data in the Summary column<br />
can vary widely and is often much wider than the other columns in the<br />
Summary pane. Because of this, Sniffer Adaptive Application Analyzer<br />
treats Summary column data as follows in printed output:<br />
• When packets are printed with the CSV Format option enabled,<br />
the Summary column will be on the same line as the rest of the<br />
data for a given packet (Source Address, Dest Address, and so<br />
on).<br />
• When packets are printed without the CSV Format option enabled<br />
(either to a printer or to a file), the Summary column will be on its<br />
own line immediately following a line containing the rest of the<br />
information for the packet (Status, Source Address, Dest<br />
Address, and so on, depending on the current selections in<br />
Display > Display Setup > Summary Display and your own<br />
drag-and-drop settings).<br />
Using the Matrix Tab<br />
The Matrix tab collects statistics for conversations between network<br />
nodes. For LANs, the Matrix tab accumulates MAC, IP network, IP<br />
application, IPX network, and IPX transport-layer information. For WAN<br />
traces, the Matrix tab accumulates link layer (for example, DLCI), IP<br />
network, IP application, IPX network, and IPX transport-layer<br />
information.<br />
By selecting one of the toolbar buttons, you can view traffic as a traffic<br />
map, as an outline or detail table, or as bar or pie charts showing Top<br />
10 statistics.<br />
• The traffic map in the figure provides a graphical view of network<br />
traffic patterns between network nodes.<br />
• The matrix tables show traffic statistics for conversations. The table<br />
may be sorted by any of its statistical variables, in either ascending<br />
or descending order.<br />
To sort a column, click on the column heading. Click a second time to<br />
sort in reverse order. See Using the Matrix Tab Toolbar on page 210 for<br />
information about viewing the Matrix Tab data in a variety of formats.<br />
Figure 8-22. Matrix Tab<br />
Using the Matrix Tab Toolbar<br />
Table 8-11. Matrix Tab Toolbar<br />
Icon Name Description<br />
Map Provides a birds-eye view of network traffic<br />
patterns between nodes. You can filter out<br />
unwanted traffic by deselecting certain<br />
protocols, or by selecting specific network<br />
nodes to show.<br />
Outline Provides a quick summary of total bytes and<br />
packets transmitted between pairs of network<br />
nodes.<br />
Detail Provides a quick summary of the higher layer<br />
protocol type and its traffic load transmitted in<br />
and out of each conversation node pair.<br />
Top N Bar Shows the top 10 busiest conversation node<br />
pairs in a graphical bar chart format.<br />
Top N Pie Shows the top 10 busiest conversation node<br />
pairs as relative percentages of the total load<br />
of traffic in a graphical pie chart format.<br />
Display Filter Lets you apply a display filter to the matrix<br />
data (Map view only).<br />
Sort Lets you sort the matrix data (TopN Bar and<br />
TopN Pie views only).<br />
Export CSV Lets you export data in .csv format (Outline<br />
and Detail views only).<br />
Export HTML Lets you export data in HTML format (Outline<br />
and Detail views only).
Using the Traffic Map to Define a Display Filter<br />
The traffic map can be used to automatically define a Display filter. You<br />
can select stations and particular protocols displayed on the traffic map<br />
and automatically configure a Display filter to match your selections. See<br />
Working with Display Filters on page 172 for information about creating<br />
and using Display filters.<br />
To use the Traffic Map to define a Display filter:<br />
1 From the Matrix tab open the traffic map.<br />
2 Highlight any network node(s) you want to filter. To select more<br />
than one node, hold the Ctrl key down while you click additional<br />
nodes.<br />
3 Click the Display Filter icon and the Filter x tab appears, with<br />
the filtered network node selections you made.<br />
Using the Traffic Map to Identify Others Protocol Types<br />
The traffic map’s capacity to create a Display filter provides an ideal way<br />
to investigate Others protocol types in the capture buffer. Others are<br />
protocols that do not fall into the protocol categories that are predefined.<br />
To define a filter to select Others protocols:<br />
1 From the Matrix tab open the traffic map.<br />
2 Uncheck all protocols listed in the traffic map except the Others<br />
box.<br />
3 Click the Display Filter icon and the Filter x tab appears, with<br />
the data filtered based on the Others protocol selection.<br />
Using the Host Table Tab<br />
The Host Table collects each network node’s traffic statistics. For LANs,<br />
the Host Table tab accumulates MAC, IP network, IP application, IPX<br />
network, and IPX transport-layer information. By selecting one of the<br />
toolbar buttons, you can view traffic as an outline or detail table, or as<br />
bar or pie charts showing Top 10 statistics.<br />
For WANs, the Host Table tab accumulates link layer (for example,<br />
DLCI), IP network, IP application, IPX network, and IPX transport-layer<br />
information.<br />
For ATM circuits, the Host Table also includes an ATMCNX view<br />
that lets you view ATM traffic by VPI.VCI.<br />
The Host Table may be sorted by any of its statistical variables, in either<br />
ascending or descending order. To sort a column, click on the column<br />
heading. Click a second time to sort in reverse order. Select a layer from<br />
the drop down list. Click the plus icon (+) to show protocol information<br />
and the minus icon (-) to hide the protocol information.<br />
See Using the Host Table Toolbar on page 213 for information about<br />
viewing the Host Table data in a variety of formats.<br />
Figure 8-23. Host Table (Outline View)
Using the Host Table Toolbar<br />
Table 8-12. Host Table Toolbar<br />
Icon Name Description<br />
Outline Shows traffic count statistics for each<br />
network node, provides a quick<br />
summary of total bytes and packets<br />
transmitted in and out of each network<br />
node.<br />
Detail Shows traffic count statistics for each<br />
network node, providing a quick<br />
summary of the higher layer protocol<br />
type and its traffic load transmitted in<br />
and out of each network node.<br />
Top N Bar Shows the 10 busiest host nodes in a<br />
graphical bar chart format.<br />
Top N Pie Shows the 10 busiest host nodes as<br />
relative percentages of the total load of<br />
traffic in a graphical pie chart format.<br />
Sort Click to sort data.<br />
Export CSV Click to export data in .csv format.<br />
Export HTML Click to export data in HTML format.<br />
Using the Protocol Distribution Tab<br />
The Protocol Distribution tab reports network usage based on the<br />
network-layer, transport-layer, and application-layer protocols.<br />
Protocol distribution monitors popular IP applications, such as NFS, FTP,<br />
Telnet, SMTP, POP2, POP3, HTTP (www), Gopher, NNTP, SNMP, X-<br />
Window, and others.<br />
It also monitors IPX transport-layer protocols such as NCP, SAP, RIP,<br />
NetBIOS, Diagnostic, Serialization, NMPI, NLSP, SNMP, and SPX.<br />
For ATM traces, the Protocol Distribution tab also includes an ATMCNX<br />
view that lets you view the different types of ATM traffic in the trace (for<br />
example, PNNI signaling).<br />
See Using the Protocol Distribution Toolbar on page 215 for information<br />
about viewing the Protocol Distribution data in a variety of formats.<br />
Figure 8-24. Protocol Distribution Tab
Using the Protocol Distribution Toolbar<br />
Table 8-13. Protocol Distribution Toolbar<br />
Icon Name Description<br />
Table Shows a tabular summary of the total<br />
bytes and packets transmitted per<br />
protocol.<br />
Top N Bar Shows a summary of the higher layer<br />
protocol types and traffic load<br />
transmitted per protocol by number of<br />
packets or bytes.<br />
Top N Pie Shows a summary of the higher layer<br />
protocol types and traffic load<br />
transmitted per protocol by percentage<br />
of total packets or bytes.<br />
Packets Shows the total number or percentage of<br />
packets.<br />
Bytes Shows the total number or percentage of<br />
bytes.<br />
Export CSV Click to export data in .csv format.<br />
Export HTML Click to export data in HTML format.<br />
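The counts that the Matrix, Host Table and Protocol Distribution tabs report, together with the port-based protocol aliases of the Tools > Options > Protocols tab and the Others filter built from the traffic map, computed from a constructed packet list. This is an added example, not NetScout code and not a description of how the product is implemented; the alias table, the packet tuples and the Top N percentages are assumptions made for illustration.

```python
"""Conversation matrix, host table and protocol distribution from a packet
list, modelled on the Matrix, Host Table and Protocol Distribution tabs.
Added example, not NetScout code; alias table and sample packets are
constructed."""
from collections import defaultdict

# (transport, port) -> protocol name, edited the way you would edit the
# Protocols tab (here an assumed proprietary HTTP on 8080).
ALIASES = {("TCP", 80): "HTTP", ("TCP", 443): "HTTPS", ("TCP", 22): "SSH",
           ("UDP", 53): "DNS", ("TCP", 8080): "HTTP-alt"}

# constructed sample capture: (src, dst, transport, sport, dport, bytes)
PACKETS = [
    ("10.0.0.5", "10.0.0.1", "UDP", 51000, 53, 78),
    ("10.0.0.1", "10.0.0.5", "UDP", 53, 51000, 142),
    ("10.0.0.5", "93.184.216.34", "TCP", 40000, 443, 517),
    ("93.184.216.34", "10.0.0.5", "TCP", 443, 40000, 1420),
    ("10.0.0.7", "10.0.0.9", "TCP", 40500, 4444, 1200),
    ("10.0.0.9", "10.0.0.7", "TCP", 4444, 40500, 60),
    ("10.0.0.7", "10.0.0.9", "TCP", 40500, 4444, 1200),
]


def classify(transport, sport, dport):
    """Name a packet by port alone, as a port table does: whichever end
    has a mapped port names the protocol; anything else is Others."""
    return (ALIASES.get((transport, dport))
            or ALIASES.get((transport, sport))
            or "Others")


def conversation_matrix(packets):
    """Matrix tab, Outline view: bytes and packets per unordered node pair."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, *_, size in packets:
        pair = tuple(sorted((src, dst)))
        stats[pair]["packets"] += 1
        stats[pair]["bytes"] += size
    return dict(stats)


def host_table(packets):
    """Host Table tab, Outline view: per-node in/out packets and bytes."""
    stats = defaultdict(lambda: {"in_pkts": 0, "in_bytes": 0,
                                 "out_pkts": 0, "out_bytes": 0})
    for src, dst, *_, size in packets:
        stats[src]["out_pkts"] += 1
        stats[src]["out_bytes"] += size
        stats[dst]["in_pkts"] += 1
        stats[dst]["in_bytes"] += size
    return dict(stats)


def protocol_distribution(packets):
    """Protocol Distribution tab, Table view: counts per named protocol."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _, _, transport, sport, dport, size in packets:
        name = classify(transport, sport, dport)
        stats[name]["packets"] += 1
        stats[name]["bytes"] += size
    return dict(stats)


def top_n(table, key="bytes", n=10):
    """Top N view: entries sorted descending by key, with share of total
    (the share is what a pie chart would show)."""
    total = sum(v[key] for v in table.values()) or 1
    ranked = sorted(table.items(), key=lambda kv: kv[1][key], reverse=True)[:n]
    return [(name, v[key], round(100 * v[key] / total, 1)) for name, v in ranked]


def others_filter(packets):
    """The display filter you get from the traffic map with only the
    Others box checked: everything the port table could not name."""
    return [p for p in packets if classify(p[2], p[3], p[4]) == "Others"]


if __name__ == "__main__":
    for name, size, pct in top_n(protocol_distribution(PACKETS)):
        print(f"{name:10} {size:6} bytes {pct:5}%")
    for p in others_filter(PACKETS):
        print("Others:", p)
```

In this constructed capture the largest share of bytes falls into Others, which is exactly the case the traffic map's Others filter is meant to surface: the only thing the port table knows about TCP port 4444 is that it has no name.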
Using the Statistics Tab<br />
Use the Statistics tab to view statistical information accumulated for<br />
each capture session, and to help you analyze the network traffic during<br />
the capture period. A summary of this data appears in a table format.<br />
The Statistics table shows:<br />
• The date and time of the capture<br />
• The amount of traffic seen during the capture period<br />
• Utilization statistics<br />
NOTE: The exact statistics that appear in this tab depend on the<br />
type of network you are analyzing. For example, when showing<br />
Gigabit Ethernet data, the Statistics tab includes additional Auto<br />
Config Ordered Sets and Auto Config 10-Bit Codes statistics.<br />
Figure 8-25. Statistics Tab
Enabling VLAN Data Collection<br />
If Sniffer Adaptive Application Analyzer is connected to a switch SPAN<br />
port, make sure you enable VLAN data collection on the network<br />
interface card to prevent VLAN IDs from being stripped before the<br />
application sees them. With VLAN data collection enabled, you will be able<br />
to see VLAN IDs in postcapture decodes. Without it, tagged frames<br />
arrive as plain Ethernet frames and there is no way to tell afterwards<br />
which VLAN a frame was captured from.<br />
Refer to the Sniffer Adaptive Application Analyzer Installation Guide for<br />
details on using the sniffer_vlan_edit.exe tool included with the<br />
product to enable VLAN data collection for adapters using Intel and<br />
Broadcom chipsets.<br />
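What the decode can recover only when the adapter delivers the tag intact, as an added example that is not part of this guide and not NetScout code: a Python parser for 802.1Q and 802.1ad (QinQ) tags on a raw Ethernet frame, beside a function that does what a tag-stripping adapter does. The sample frames are constructed; the tag-type names and the frame builder are assumptions.

```python
"""Parse 802.1Q / 802.1ad tags from a raw Ethernet frame and show what is
lost when an adapter strips them. Added example, not NetScout code; the
sample frames are constructed."""
import struct

# TPID values that introduce a VLAN tag; names are this example's own
TAG_TYPES = {0x8100: "802.1Q", 0x88A8: "802.1ad", 0x9100: "QinQ-legacy"}


def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype, payload_offset). tags is a list of dicts,
    outermost first, with tpid, pcp, dei and vid. Raises ValueError on a
    frame truncated inside the header, rather than guessing."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    pos = 12                      # first EtherType follows the two MAC addresses
    tags = []
    while True:
        if pos + 2 > len(frame):
            raise ValueError("truncated before EtherType")
        ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
        if ethertype not in TAG_TYPES:
            return tags, ethertype, pos + 2
        if pos + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
        tags.append({"tpid": TAG_TYPES[ethertype],
                     "pcp": tci >> 13,            # priority code point
                     "dei": (tci >> 12) & 1,      # drop eligible indicator
                     "vid": tci & 0x0FFF})        # VLAN ID
        pos += 4


def strip_tags(frame: bytes) -> bytes:
    """What a tag-stripping adapter hands to the application: the same
    frame with every VLAN tag removed. Nothing in the result records
    which VLAN the frame came from."""
    _, _, offset = parse_vlan_tags(frame)
    return frame[:12] + frame[offset - 2:]


def build_frame(dst_hex: str, src_hex: str, vids, ethertype: int = 0x0800,
                payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Construct a frame with zero or more (vid, pcp) tags, outer first.
    With two or more tags the outer TPID is 0x88A8, as in 802.1ad."""
    out = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    for i, (vid, pcp) in enumerate(vids):
        tpid = 0x88A8 if (i == 0 and len(vids) > 1) else 0x8100
        out += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return out + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    tagged = build_frame("ffffffffffff", "001122334455", [(200, 0), (100, 5)])
    print("as captured with VLAN collection:", parse_vlan_tags(tagged)[0])
    print("after the adapter strips tags:   ", parse_vlan_tags(strip_tags(tagged))[0])
```

The double-tagged case is the one worth keeping in mind when reading a SPAN capture: a frame carrying two tags is indistinguishable from a single-tagged or untagged one once the adapter has removed them, so the VLAN ID you see in a decode is only as trustworthy as the capture path that delivered it.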
Chapter 9<br />
Expert Analysis<br />
Overview<br />
This section describes how to use the Expert analysis available in the<br />
postcapture analysis window for raw packets. Expert analysis is not<br />
available for Adaptive Session packets.<br />
The section includes the following major topics:<br />
• Expert Analysis on page 219<br />
• Setting Expert Options on page 225<br />
• Exporting Expert Data on page 239<br />
The Expert analyzer alerts you to symptoms and diagnoses in network<br />
traffic:<br />
• A symptom indicates that a particular traffic element has exceeded<br />
a threshold and may indicate a problem on your network.<br />
• A diagnosis can be several symptoms analyzed together, high rates<br />
of recurrence of specific symptoms, or single instances of particular<br />
network events that cause the Expert to conclude that the network<br />
has a real problem. A diagnosis should be investigated<br />
immediately.<br />
The Expert tab shows the results of Expert analysis (symptoms and<br />
diagnoses) in five viewing panes. These panes function together so you<br />
can view and select information on all network levels.<br />
Figure 9-1. The Expert Tab Panes<br />
The Expert Overview pane (a) shows the network analysis layers<br />
(similar in concept to the ISO layers) and the Expert overview<br />
statistics (objects, symptoms, or diagnoses) for each layer. By<br />
selecting a combination of layer and statistic type, you control the<br />
display of Expert analysis data in the other Expert panes. Click the<br />
arrow icon (a) to open/close this pane.<br />
The Expert Summary pane (b) shows key summary information<br />
for the layer and statistic selected in the Expert Overview pane. The<br />
column headings for the Expert Summary display will change,<br />
depending on what layer and statistic you have selected.<br />
The Protocol Statistics pane (c) shows the amount of traffic (in<br />
frames and bytes) for each protocol encountered for the layer you<br />
selected in the Expert Overview pane. (This pane is not displayed<br />
when the Expert Overview pane is narrow.)<br />
The Detail Tree pane (d) shows a hierarchical listing of all layers<br />
at or below those selected in the Expert Overview and Expert<br />
Summary panes. You can expand or collapse each layer in a<br />
manner similar to Windows Explorer. Click on any item in the Detail<br />
Tree to show its Expert detail data.<br />
The Expert Details pane (e) is a collection of information tables<br />
for the data selected by the other panes. The content of the Expert<br />
Detail pane will vary, depending on what items are selected in the<br />
various other panes.<br />
Expert Tool Bar<br />
Table 9-1. Expert Toolbar Icons<br />
Icon Name - Description<br />
Display Filter - See Setting Automatic Expert Display Filters on page 222.<br />
Export HTML - See Exporting Expert Data on page 239.<br />
Show Discovered Addresses - See RIP Options Settings on page 234.<br />
Export CSV - See Exporting Expert Data on page 239.<br />
Rearranging Expert Panes<br />
You can rearrange the Expert tab panes into the various viewing<br />
configurations:<br />
All five viewing panes appear at the same time (as shown in Figure<br />
9-2).<br />
Only the Expert Overview and Expert Summary panes (with or<br />
without the Protocol Statistics pane).<br />
Only the Detail tree and Expert Detail panes.<br />
In the Expert Overview pane, click the arrow icon (a) to open/close<br />
this pane and the Protocol Statistics pane. Drag the dividing bar (b) up<br />
to show the Detail Tree and Expert Details panes. Similarly, perform the<br />
reverse action to hide these panes.<br />
Figure 9-2. Rearranging the Expert Tab Panes<br />
Setting Automatic Expert Display Filters<br />
You can use Expert display filters to automatically display all traffic in the<br />
capture buffer related to a specific:<br />
Network object<br />
Symptom or diagnosis<br />
You apply an Expert display filter by selecting a network object,<br />
symptom, or diagnosis in the summary pane of the Expert window and<br />
clicking the Define Filter button in the upper left corner of the Expert<br />
window. In response, the Expert adds a new tab to the display window<br />
(titled Filtered xx, where xx is the sequential number of the filter you<br />
applied) containing just those frames associated with the selected<br />
network object, symptom, or diagnosis.<br />
The frames may be displayed with skipped frame numbers on the<br />
Filtered tab, because the network object filter does not change the<br />
frame numbers of frames it selects for display. Thus, you may see frame<br />
30 followed by frame 35 because the network object filter excluded<br />
frames 31-34. If you save the filtered frames as a new file (using the<br />
Save As command), the filtered frames will be renumbered<br />
sequentially.<br />
Limitations of the Expert Filter<br />
The Expert filter has some limitations:<br />
Some symptoms and diagnoses, such as Broadcast storm, have<br />
no associated network object on which the analyzer can filter. In<br />
those cases, the Define Filter button will not appear at the upper<br />
left of the display, indicating that an Expert filter cannot be set.<br />
Occasionally you will see the message:<br />
No frames matched the filter.<br />
This message appears when one or more of the following conditions<br />
exist:<br />
The highlighted object has not sent or received a frame.<br />
The highlighted object has been filtered out by a standard<br />
Display filter.<br />
There are no longer any frames in the buffer associated with<br />
the object because the capture buffer has wrapped.<br />
During a capture in which the buffer is set to wrap, some of<br />
the frames the Expert used to create network objects will<br />
pass out of the capture buffer to make room for new frames.<br />
Setting an Expert filter on such an object can result in no<br />
frames being available for display.<br />
Other Notes About Expert Filters<br />
The Expert analyzer uses several algorithms to decide which frames are<br />
associated with a network object. Sometimes, these algorithms may<br />
eliminate frames you consider relevant.<br />
Certain maintenance frames may not be shown. For example, if<br />
you set an Expert filter on a Novell Netware connection-layer<br />
connection, the Expert analyzer would show all those related<br />
frames with NCP layers, but would not show certain connection<br />
maintenance frames it considers irrelevant.<br />
When you set a filter on a connection object, the frame that<br />
initiates the connection is not shown. This is because Expert does<br />
not create a connection object until the connection is completed.<br />
When you filter on an application object, TCP continuation frames<br />
are not shown.<br />
Displaying Context-Sensitive Explain Messages<br />
The Expert provides an explanation of the information in each pane of<br />
the Expert window. Click inside the pane on which you need information<br />
and press F1.<br />
The Expert also provides concise explanations for each symptom and<br />
diagnosis generated. To display a detailed explanation of a symptom or<br />
diagnosis, click the question mark (?) to the right of the symptom/<br />
diagnosis description in the Expert Detail pane. (You may have to scroll<br />
to the right of the pane to see the ?.)<br />
Postcapture Expert/Decode Statistics and CRCs<br />
Postcapture Decode and Expert statistics for raw packets do not take<br />
into account the CRC bytes attached to frames. This is by design, as the<br />
CRC bytes are not a part of the frame. Because of this, the Expert will<br />
show average frame sizes that are smaller than those reported by other<br />
views that do include the CRC – for example, the Statistics tab in the<br />
postcapture display, and all displays in the Quick Select window. For<br />
Ethernet, the difference will be 4 bytes; for WAN PPP, either 2 or 4 bytes,<br />
depending on how the network implements the CRC field.<br />
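The following Python is an added example, not part of the NetScout guide: it builds a few constructed Ethernet frames with a valid IEEE 802.3 FCS, verifies each FCS, and reports the average frame size with and without the trailing 4 CRC bytes, which is exactly the gap described above between the Expert figure and the Statistics tab figure. `build_frame`, `fcs_ok`, `average_sizes` and the sample frames are constructed here for illustration and say nothing about the Expert's internal counters.<br />

```python
import struct
import zlib

ETHER_HDR_LEN = 14   # dst(6) + src(6) + type(2)
FCS_LEN = 4          # IEEE 802.3 frame check sequence (CRC-32)
# zlib.crc32 over a frame whose trailing FCS is intact always yields this residue.
FCS_RESIDUE = 0x2144DF1C


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet II frame (sample data only) with a valid FCS appended."""
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    body = header + payload
    # The 802.3 FCS is CRC-32 over header+payload, transmitted least-significant byte first.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """True if the last 4 bytes are the correct CRC-32 of everything before them."""
    if len(frame) < ETHER_HDR_LEN + FCS_LEN:
        return False
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    recomputed = zlib.crc32(body) & 0xFFFFFFFF
    return struct.unpack("<I", fcs)[0] == recomputed and zlib.crc32(frame) == FCS_RESIDUE


def average_sizes(frames):
    """(average including FCS, average excluding FCS), in bytes.

    The first figure is what a display that counts the CRC bytes reports; the
    second is what the Expert reports.  For Ethernet they differ by exactly FCS_LEN.
    """
    with_fcs = sum(len(f) for f in frames) / len(frames)
    without_fcs = sum(len(f) - FCS_LEN for f in frames) / len(frames)
    return with_fcs, without_fcs


# Constructed capture: minimum-size, small and near-MTU payloads.
FRAMES = [build_frame(b"A" * 46), build_frame(b"B" * 100), build_frame(b"C" * 1000)]

if __name__ == "__main__":
    print("all FCS valid:", all(fcs_ok(f) for f in FRAMES))
    print("avg with FCS / without FCS:", average_sizes(FRAMES))
    damaged = bytearray(FRAMES[0])
    damaged[20] ^= 0x01   # single-bit error in the payload
    print("damaged frame FCS valid:", fcs_ok(bytes(damaged)))
```

Run the FCS check before comparing the two figures: if the capture source already stripped the FCS (most NICs do), the two averages agree and the last four bytes of each frame are payload, not CRC, so no 4-byte correction applies.<br />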
Extra Characters in Expert Displays for High Counts?<br />
Occasionally, you may see counts in the Expert displays followed by the<br />
letters M, G, or T. These letters stand for Million, Giga, and Tera,<br />
respectively.<br />
Saving Expert Objects with Trace Files<br />
During capture, the Expert creates Expert objects based on the frames<br />
it sees. Over a long capture, some of the frames which the Expert used<br />
to create these objects will most likely pass out of the capture buffer to<br />
make room for new ones. However, the Expert objects themselves will<br />
still be in the database.<br />
You can make sure that all the Expert objects created during a capture<br />
session are saved along with your trace file by enabling the Save Expert<br />
Objects checkbox in the Save As dialog box. When this option is<br />
enabled, all of the Expert objects in the database are written to the end<br />
of the saved trace file. Then, when you open a trace with saved Expert<br />
objects, make sure to enable the Load Expert Objects checkbox in the<br />
Open dialog box. This way, when you reopen a saved trace file, you can<br />
make sure you see all the Expert objects created during a capture<br />
session instead of just the ones the Expert creates based on the frames<br />
still in the file.<br />
Notes on the Save/Load Expert Objects Feature<br />
If you enable the Load Expert Objects option when opening a<br />
trace file that has no saved Expert objects, no error will occur. The<br />
saved file will simply be loaded normally.
Setting Expert Options<br />
Configure Expert options for effective network analysis. From the<br />
Console, select Tools > Expert Options and the Expert UI Objects<br />
Properties dialog box appears.<br />
Figure 9-3. Expert UI Object Properties Dialog Box<br />
You can set options in the following tabs:<br />
Objects Tab on page 226<br />
Alarms on page 229<br />
Protocols on page 231<br />
Subnet Masks on page 233<br />
RIP Options Settings on page 234<br />
VoIP Options Settings on page 236<br />
Oracle Options on page 237<br />
Mobile Options on page 237<br />
IP Options on page 239<br />
Objects Tab<br />
During analysis, the Expert constructs a database of network objects<br />
from the traffic it sees and categorizes network problems according to<br />
the Expert layer at which they occur. The Expert’s network layering<br />
structure is similar to the OSI model; however, the two schemes do not<br />
always map on a one-to-one basis.<br />
Figure 9-4. Objects Tab<br />
Configure the following object settings.<br />
Analyze on page 227<br />
Max. Objects on page 227<br />
Est. Memory on page 227<br />
Recycle Expert Objects on page 227<br />
Alarm Maximum on page 228<br />
Data Update Rate on page 228
Analyze<br />
In addition to using capture filters, which let you select the particular<br />
traffic you need for network analysis, you can exclude certain Expert<br />
layers from processing. This enables you to focus on specific network<br />
problems precisely.<br />
IMPORTANT: Keep in mind that if you exclude a certain layer from<br />
Expert processing, you are also automatically excluding Expert<br />
processing from occurring at any layers above the excluded layer. For<br />
example, if you exclude the Connection layer from Expert processing, no<br />
Expert analysis will occur at the Session, <strong>Application</strong>, or Service layers.<br />
Expert requires the analysis provided at the supporting layers to provide<br />
analysis for higher layers.<br />
Max. Objects<br />
To reduce the amount of memory needed to create network objects, you<br />
can specify the maximum number of objects that the Expert can create<br />
for each Expert layer. To help with configuration, the Expert shows the<br />
estimated amount of memory needed for the number of objects selected<br />
for each layer.<br />
When the maximum number is reached, Expert will recycle old objects<br />
(if the Recycle Expert Objects option is selected) or stop creating<br />
new objects. The range for this option is 0 to 99999.<br />
Est. Memory<br />
The Est. Memory column to the right of Max Objects shows the<br />
estimated amount of memory needed to process the number of objects<br />
specified in the Max Objects column for each Expert layer. The total<br />
estimated amount of memory needed to process all selected objects is<br />
shown under the grid.<br />
Recycle Expert Objects<br />
The Expert’s database of network objects is built from information<br />
accumulated in the capture buffer. Because some networks can be<br />
immensely complex in their structure, at some point the Expert will have<br />
no more memory for new network objects. If you recycle objects, the<br />
Expert continues to add new objects to the database, overwriting the<br />
least interesting objects when it runs out of memory (in general, older<br />
objects with no associated errors are considered “least interesting”).<br />
If you don’t recycle objects, the Expert stops creating new objects when<br />
it runs out of memory, and instead, continues to interpret traffic in<br />
accordance with the information it has already stored in its database.<br />
About Reusing Network Objects<br />
When Expert reuses the memory associated with less interesting<br />
network objects, it does so using a smart algorithm that, in effect, allows<br />
it to forget outdated network information. The list below summarizes the<br />
types of network objects the Expert does and does not reuse.<br />
Expert does not reuse:<br />
Network objects that have symptoms or diagnoses associated with<br />
them.<br />
A network object currently highlighted in the Expert window.<br />
Expert does reuse:<br />
Network objects with ten or fewer associated frames and no<br />
associated errors.<br />
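To make the reuse rules above concrete, here is an added Python model of a bounded Expert object table. It is not NetScout’s code: it assumes that "older" means created earlier and that a frame whose object cannot be created is simply counted, since the Expert’s real data structures and tie-breaking are not documented on this page.<br />

```python
class ExpertObjectTable:
    """Bounded table of network objects following the reuse rules on this page.

    Objects with an alarm (symptom or diagnosis), the object highlighted in the
    Expert window, and objects with more than REUSE_FRAME_LIMIT frames are never
    reused; among the rest, the earliest-created object is reused first
    (assumption: 'older' == created earlier).
    """

    REUSE_FRAME_LIMIT = 10   # 'ten or fewer associated frames'

    def __init__(self, max_objects: int, recycle: bool = True):
        self.max_objects = max_objects
        self.recycle = recycle
        self.objects = {}          # key -> {"created": n, "frames": n, "alarms": n}
        self.highlighted = None    # key currently selected in the Expert window
        self.dropped = 0           # frames for which no object could be created
        self._seq = 0

    def observe(self, key, alarm: bool = False) -> bool:
        """Account one frame to network object `key`; False if no object exists for it."""
        obj = self.objects.get(key)
        if obj is None:
            if len(self.objects) >= self.max_objects:
                if not (self.recycle and self._reuse_one()):
                    # Table full and nothing reusable: the frame is still decoded,
                    # but no new object is created for it.
                    self.dropped += 1
                    return False
            self._seq += 1
            obj = self.objects[key] = {"created": self._seq, "frames": 0, "alarms": 0}
        obj["frames"] += 1
        obj["alarms"] += int(alarm)
        return True

    def _reuse_one(self) -> bool:
        """Free the oldest 'least interesting' object; False if none qualifies."""
        candidates = [
            k for k, o in self.objects.items()
            if o["alarms"] == 0                         # no symptom/diagnosis attached
            and o["frames"] <= self.REUSE_FRAME_LIMIT   # quiet object
            and k != self.highlighted                   # not selected in the UI
        ]
        if not candidates:
            return False
        del self.objects[min(candidates, key=lambda k: self.objects[k]["created"])]
        return True


if __name__ == "__main__":
    table = ExpertObjectTable(max_objects=3)
    for station in ("A", "B", "C"):
        table.observe(station)
    table.highlighted = "B"
    table.observe("D")                 # A is the oldest quiet object, so it is reused
    print(sorted(table.objects))       # ['B', 'C', 'D']
    frozen = ExpertObjectTable(max_objects=2, recycle=False)
    frozen.observe("A"); frozen.observe("B")
    print(frozen.observe("C"), frozen.dropped)   # False 1
```

The case to notice is the no-recycle one: once the table is full, stations or connections that first appear late in a long capture never get an object, so they are still decoded but can never carry a symptom or diagnosis.<br />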
Alarm Maximum<br />
When the maximum number of alarms are reached in the Expert<br />
database, Expert will either recycle the oldest and lowest priority alarms<br />
(if the Recycle Alarms option is selected) or stop creating new alarms.<br />
The default is 1000. The range is 0 to 99999.<br />
Data Update Rate<br />
Specify how often the Expert Displays are updated with new data, as<br />
well as the delay between resorting the Expert’s database of objects and<br />
refreshing the Expert’s summary display.<br />
To configure the Expert Objects tab:<br />
1 Double click the Analyze column to activate the cell’s drop down<br />
menu. Select Yes to activate the layer or No to exclude the layer<br />
from Expert processing.<br />
2 Double click the Max Objects column to specify the maximum<br />
number of objects that can be created in the Expert database for<br />
each activated layer.<br />
3 Review the Est. Memory column, which shows the estimated amount of<br />
memory the Expert calculates for the number of objects specified for<br />
each layer shown.<br />
4 For the Recycle Expert Objects option:<br />
Check this option if you want Expert to create new objects by<br />
overwriting older objects when Expert runs out of memory.<br />
Or<br />
Uncheck this option if you want Expert to stop creating new objects<br />
and continue interpreting traffic according to information already in<br />
the database.<br />
5 In the Alarms area: Enter the maximum number of alarms that<br />
can be created in the Expert database.<br />
NOTE: When the maximum number is reached, the Expert will<br />
either recycle the oldest and lowest priority alarms (if the<br />
Recycle Alarms option is selected) or stop creating new<br />
alarms.<br />
6 In the Data Update Rate and Resorting Rate fields, specify<br />
how often you would like Expert to update with new data.<br />
7 Click OK.<br />
Alarms<br />
Configure alarms, thresholds, and severity using the Alarms tab. Expert<br />
thresholds determine whether the Expert generates a symptom or a<br />
diagnosis (also called an alarm) based on a given network event.<br />
Figure 9-5. Alarms Tab<br />
In the Alarms tab, you can:<br />
Set the threshold level for Expert alarms (symptoms and<br />
diagnoses).<br />
Set the severity level for each Expert alarm.<br />
Specify that an alarm is recorded in the <strong>Sniffer</strong> Alarm log (Alarm<br />
Logged).<br />
IMPORTANT: The Alarm Logged option is not used by<br />
InfiniStream appliances. It is only used by <strong>Sniffer</strong> Portable and<br />
<strong>Sniffer</strong> Distributed.<br />
There are two main columns in this tab:<br />
The Description column contains the alarms (symptoms and<br />
diagnoses) organized under the various Expert layers. The relevant<br />
layers depend upon the currently selected topology; however, in all<br />
cases the Service, <strong>Application</strong>, Session, Connection, Station, DLC,<br />
Global, and Route layers are relevant.<br />
The Value column contains the values set for each alarm. The<br />
values are shown only when the Expert layer is expanded and the<br />
alarms are displayed.
To configure the Expert Alarms:<br />
1 Click the zero/one icons to expand/collapse all the Expert<br />
layers.<br />
or<br />
Click the plus icon to open an Expert layer and show all the<br />
symptoms and diagnoses (alarms).<br />
2 Click the plus icon to show the settings for each alarm.<br />
3 Double click the Threshold value cell and enter a new threshold<br />
value.<br />
NOTE: The Threshold value cell appears last in the Expert<br />
Alarms setting list.<br />
4 Repeat this process for all Expert Alarms, and then click OK.<br />
Protocols<br />
Concentrate Expert analysis only on the protocols you are interested in<br />
analyzing (and thereby improve Expert performance). In the Tools ><br />
Expert Options Protocols tab, select the protocols you would like the<br />
Expert to analyze for each layer.<br />
By default, all protocols are enabled. However, if you are only interested<br />
in specific protocols at a given layer, you can improve Expert<br />
performance by disabling some protocols.<br />
IMPORTANT: Keep in mind that if you exclude a certain layer from<br />
Expert processing, you are also automatically excluding Expert<br />
processing from occurring at any layers above the excluded layer. For<br />
example, if you exclude the Connection layer from Expert processing, no<br />
Expert analysis will occur at the Session, <strong>Application</strong>, or Service layers.<br />
Expert requires analysis provided at the supporting layers to provide<br />
analysis for higher layers.<br />
Figure 9-6. Protocols Tab<br />
To configure Expert Protocols:<br />
1 Select Tools > Expert Options from the Quick Select window and<br />
the Expert UI Objects Properties window appears.<br />
2 Select the Protocols tab and click the zero icon to expand/<br />
collapse all the Expert layers.<br />
or<br />
Click the plus icon to open an Expert layer and show all the<br />
protocols.<br />
3 Double click the Analyze cell and select Yes to activate Expert<br />
Analysis for that protocol, or No to deactivate Expert Analysis for<br />
that protocol.<br />
4 Click OK.<br />
Defining Protocols<br />
Use the Tools > Options Protocols tab to add and group upper-layer<br />
protocols and ports into user-defined groups. User-defined groups<br />
appear in the Post Analysis window for improved data assimilation and<br />
viewing efficiency.
To define protocols:<br />
1 Select Tools > Options from the Quick Select window and the<br />
Options window appears.<br />
2 Enter a protocol name and port(s) in the appropriate tab.<br />
3 Click OK.<br />
Subnet Masks<br />
In classful TCP/IP addressing, the address class (determined by the<br />
leading bits of the first octet) fixes how many bits of an address belong<br />
to the network portion, and therefore the default subnet mask. The<br />
Expert ships with these classful default subnet masks:<br />
Class A - 255.0.0.0<br />
Class B - 255.255.0.0<br />
Class C - 255.255.255.0<br />
Certain networks may use nontraditional subnet masks. If the Expert is<br />
attached to a network segment that uses nontraditional subnet masks,<br />
it may register spurious network objects and diagnoses. This happens<br />
because the Expert expects address information at a location within the<br />
address field other than where it actually is.<br />
If your networks use nontraditional subnet masks, you must add the IP<br />
network address and appropriate subnet mask for the networks from<br />
which the Expert will see frames.<br />
Figure 9-7. Subnet Masks Tab<br />
To add an IP Network Address and Subnet Mask:<br />
1 Click the Add button to create a new entry.<br />
2 Enter the IP address in the IP Net Address column using the x.x.x.x<br />
format, where each x is an integer from 0 - 255.<br />
3 Enter the subnet mask associated with the IP address in the Subnet<br />
Mask column.<br />
4 Click Apply.<br />
5 Click OK.<br />
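The classful assumption described above, as an added Python model rather than the Expert’s own code: `network_of` files an address under the first matching Subnet Masks entry and otherwise under the classful default mask, and `same_subnet` shows the two ways an unconfigured nontraditional mask misleads an analyzer. The addresses and masks are constructed examples.<br />

```python
import ipaddress

# Classful defaults the Expert ships with (from the list above).
CLASSFUL_DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip: str) -> str:
    """Classful address class from the first octet (A: 0-127, B: 128-191, C: 192-223)."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    raise ValueError(f"{ip} is a class D/E address and has no default subnet mask")


def network_of(ip: str, configured=()) -> ipaddress.IPv4Network:
    """Network an analyzer would file `ip` under.

    `configured` is a sequence of (network address, mask) pairs, i.e. the entries
    of the Subnet Masks tab.  When no entry covers the address, the classful
    default mask is assumed (a model of the behaviour described above, not the
    Expert's actual implementation).
    """
    addr = ipaddress.IPv4Address(ip)
    for net_addr, mask in configured:
        net = ipaddress.IPv4Network((net_addr, mask), strict=False)
        if addr in net:
            return net
    return ipaddress.IPv4Network((ip, CLASSFUL_DEFAULT_MASKS[address_class(ip)]), strict=False)


def same_subnet(a: str, b: str, configured=()) -> bool:
    """Would the analyzer place both hosts on the same network?"""
    return network_of(a, configured) == network_of(b, configured)


if __name__ == "__main__":
    # Constructed case 1: a /23 (255.255.254.0) in class C space.  Under the
    # classful default the two hosts look like different networks, so their
    # direct traffic can be flagged spuriously.
    print(same_subnet("192.168.4.10", "192.168.5.20"))                                      # False
    print(same_subnet("192.168.4.10", "192.168.5.20", [("192.168.4.0", "255.255.254.0")]))  # True
    # Constructed case 2: /24 subnets carved out of class B space collapse into
    # one network under the default mask, hiding genuine cross-subnet traffic.
    subnets = [("172.16.1.0", "255.255.255.0"), ("172.16.200.0", "255.255.255.0")]
    print(same_subnet("172.16.1.5", "172.16.200.9"))            # True
    print(same_subnet("172.16.1.5", "172.16.200.9", subnets))   # False
```

Both directions matter when you read Expert diagnoses: a missing entry can manufacture routing or station symptoms between hosts that share a link, and can just as easily hide traffic that really does cross a subnet boundary.<br />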
RIP Options Settings<br />
The Expert performs RIP (Routing Information Protocol) analysis and<br />
builds a routing table by parsing RIP and other routing protocols in<br />
captured frames. RIP analysis is shown in the Route layer in the Expert<br />
tab and lets you detect common routing problems. You can disable RIP<br />
analysis, or specify the level of analysis you want to perform (traffic<br />
counts and misdirected frames, or traffic counts only).
To configure or disable RIP analysis:<br />
1 From the RIP Options drop down list, select the level of RIP analysis<br />
you would like to perform:<br />
No traffic analysis (RIP disabled) disables RIP Expert.<br />
Traffic counts only<br />
Full traffic analysis (counts and analysis) produces traffic<br />
counts and detects misdirected frames.<br />
2 Check Auto Discover Subnets if you would like Expert to find<br />
subnets on your network.<br />
NOTE: Expert discovers the routers on the network and shows<br />
them in the router table. Similarly, Expert discovers the<br />
subnets on the network and shows them in the Subnet table.<br />
The Subnet Source column indicates if the subnet is detected<br />
by the Expert (network) or added manually (user).<br />
IMPORTANT: The RIP Expert requires that the IP subnet<br />
address and subnet mask be configured in the Subnet Masks<br />
tab.<br />
VoIP Options Settings<br />
The VoIP Options tab lets you set options specific to Expert analysis of<br />
Voice protocols, in particular RTP.<br />
Figure 9-8. VoIP Options Dialog Box<br />
RTP Packet Gap (ms) - This option tells the Expert to ignore interpacket<br />
variations that exceed the stated value when making RFC 1889 jitter<br />
calculations (RFC 1889 has been superseded by RFC 3550, which keeps<br />
the same interarrival jitter estimator). This way, the RFC1889 jitter calculations<br />
ignore both legitimate line silence (one reason for large RTP packet<br />
gaps) and statistical anomalies, resulting in more accurate<br />
calculations. Setting this option carefully will also result in fewer<br />
false positive High Jitter alarms.<br />
NOTE: This option only affects the Expert's classic RFC1889<br />
jitter calculations (that is, the jitter calculations for the RTP -<br />
High Jitter alarm). It does not affect the RTCP - High Jitter<br />
alarm or the RTP - High Variation alarm.<br />
RTP Inter-Packet Variation - These options let you specify that<br />
the Expert use a custom Codec Packet Interval for RTP packets in<br />
the equations used to calculate and average the deviation from the<br />
expected inter-packet spacing. If this option is not enabled, the<br />
Expert uses its traditional RFC1889 method for jitter calculations,<br />
using the actual RTP timestamps to calculate inter-packet spacing<br />
instead of the Codec Packet Interval.
Enable Calculation: Enable this option if you would like the<br />
Expert to use the stated Codec Packet Interval to calculate jitter<br />
(variation) instead of the timestamps found in the RTP packets.<br />
Codec Packet Interval: The value (in ms) to use for RTP packet<br />
spacing in jitter/variation calculations.<br />
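The two calculation methods above, as an added Python example that is not NetScout’s implementation: `rfc1889_jitter` implements the interarrival jitter estimator of RFC 1889 section 6.3.1 (unchanged in RFC 3550), with `gap_ms` modelling the RTP Packet Gap option and `codec_interval_ms` modelling Enable Calculation with a Codec Packet Interval. The streams are constructed. The last call combines both options, which this model allows; the NOTE above says the product’s Packet Gap setting applies only to the classic calculation.<br />

```python
def rfc1889_jitter(packets, gap_ms=None, codec_interval_ms=None):
    """Interarrival jitter J in ms, per RFC 1889/3550 section 6.3.1:

        D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1})
        J        = J + (|D(i-1,i)| - J) / 16

    packets           : (arrival_ms, rtp_timestamp_ms) pairs in arrival order; the RTP
                        timestamps are assumed already converted to ms using the
                        codec clock rate.
    gap_ms            : models the RTP Packet Gap option; a pair whose arrival gap
                        exceeds it is left out of the estimate.
    codec_interval_ms : models Enable Calculation + Codec Packet Interval; when set,
                        S_i - S_{i-1} is replaced by this constant.
    How the Expert itself applies these options is not published; this is a model.
    """
    jitter = 0.0
    prev = None
    for arrival, stamp in packets:
        if prev is not None:
            prev_arrival, prev_stamp = prev
            gap = arrival - prev_arrival
            if gap_ms is None or gap <= gap_ms:
                expected = codec_interval_ms if codec_interval_ms is not None else stamp - prev_stamp
                d = gap - expected
                jitter += (abs(d) - jitter) / 16.0
        prev = (arrival, stamp)
    return jitter


def high_jitter(packets, threshold_ms, **options) -> bool:
    """Would an 'RTP - High Jitter'-style alarm fire for this stream at this threshold?"""
    return rfc1889_jitter(packets, **options) > threshold_ms


# Constructed 20 ms packetisation stream with +/-5 ms network jitter ...
STEADY = [(0, 0), (25, 20), (40, 40), (65, 60), (80, 80)]
# ... then one packet delayed by 400 ms (a statistical anomaly) and a normal successor.
WITH_SPIKE = STEADY + [(480, 100), (500, 120)]
# 500 ms of genuine silence: no packets are sent, but RTP timestamps keep running.
WITH_SILENCE = [(0, 0), (20, 20), (40, 40), (540, 540), (560, 560)]

if __name__ == "__main__":
    print("steady:", rfc1889_jitter(STEADY))                                        # ~1.14 ms
    print("spike, no gap filter:", rfc1889_jitter(WITH_SPIKE))                      # ~23.27 ms
    print("spike, gap 200 ms:", rfc1889_jitter(WITH_SPIKE, gap_ms=200))             # ~1.07 ms
    print("silence, RTP timestamps:", rfc1889_jitter(WITH_SILENCE))                 # 0.0
    print("silence, codec 20 ms:", rfc1889_jitter(WITH_SILENCE, codec_interval_ms=20))  # 28.125
    print("silence, codec 20 ms + gap 200 ms:",
          rfc1889_jitter(WITH_SILENCE, codec_interval_ms=20, gap_ms=200))          # 0.0
```

The silence stream shows why the two settings interact: with RTP timestamps the silence gap is invisible to the estimator, because the timestamps advance with wall-clock time, whereas a fixed codec interval turns the same gap into a large variation unless it is excluded.<br />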
Oracle Options<br />
Use the Oracle Options tab to specify the Oracle Error Type numbers<br />
(Oracle Error Codes) for which you would like the Expert to generate<br />
alarms. Whenever the Expert sees one of the error codes listed here, it<br />
will generate the Oracle: ORA Error Type Noticed alarm at the Service<br />
layer.<br />
Use this tab as follows:<br />
Click Add to create a new entry in the grid. Then, type in the<br />
numerical error code to be monitored.<br />
Click Delete to delete the selected error code from the table.<br />
You can modify any entry in the grid by selecting it and revising as<br />
necessary.<br />
Mobile Options<br />
Set the options in the Mobile Options tab to specify how the Expert<br />
should analyze Mobile IP data:<br />
Enable IP Home Agent Tunnel Analysis - Specifies whether IP Home Agent<br />
Tunnel Analysis is enabled. Disabling this option improves Expert<br />
performance.<br />
Enable GRE Home Agent Tunnel Analysis - Specifies whether GRE Home<br />
Agent Tunnel Analysis is enabled. Disabling this option improves Expert<br />
performance.<br />
Report Mobile Reg Error 136 - Specifies whether a Mobile Registration<br />
Reply with a Code value of 136 (Registration Denied by the Home<br />
Agent - Unknown Home Agent Address) should be considered when<br />
generating Registration Failure Expert alarms. If this option is disabled,<br />
Registration Failure alarms will not be generated when registration fails<br />
with error code 136.<br />
Enable GTP 99 IP Tunnel Analysis - Specifies whether GTP 99 Tunnel<br />
Analysis is enabled. When enabled, protocols inside a GTP 99 tunnel will<br />
be analyzed by the Expert. Disabling this option improves Expert<br />
performance.<br />
Mobile IP Registration List Flush Count - Specifies how often the list of<br />
Mobile IP Registration requests should be checked for registration<br />
timeouts and flushed of expired Registration Requests.<br />
NOTE: If you set this field to 0, the Expert treats the field as if it were<br />
set to 1. Only nonzero values are supported.<br />
Max Radius Users per Object - Specifies the maximum number of user<br />
data elements to be tracked with each Radius object.<br />
Radius Request List Flush Count - Specifies how often the list of Radius<br />
requests for a particular Radius object should be checked for timeouts<br />
and flushed of expired entries.<br />
NOTE: If you set this field to 0, the Expert treats the field as if it were<br />
set to 1. Only nonzero values are supported.<br />
NOTE: For most situations, setting this field higher than its default of 1<br />
is not recommended. Setting the value higher than 1 decreases the<br />
likelihood of seeing any Timed Out alarms for Radius Access and<br />
Accounting requests.<br />
GTP 99 Create PDP Context Request Flush Count - Specifies how often<br />
the list of GTP 99 PDP Context Requests for a particular GTP 99 object<br />
should be checked for timeouts and flushed of expired requests. When<br />
the Expert checks this list and sees at least one response that exceeds<br />
the PDP Context Request Timeout threshold or no response at all, it<br />
generates the GTP 99 PDP Context Request Timed Out alarm.<br />
NOTE: If you set this field to 0, the Expert treats the field as if it were<br />
set to 1. Only nonzero values are supported.
IP Options<br />
Use the IP Options tab to exclude specified IP addresses from<br />
consideration for the Expert’s Duplicate Network Address alarm. The<br />
Expert will not generate Duplicate Network Address alarms for the IP<br />
addresses listed in this tab.<br />
Use this tab as follows:<br />
Click Add and supply an address to add a new IP address to the list<br />
of exclusions.<br />
Select an entry and click Delete to remove the selected IP Address<br />
from the list.<br />
Modify entries by selecting them and editing as necessary.<br />
Exporting Expert Data<br />
Export the contents of the Expert analyzer’s database of network<br />
objects, symptoms, and diagnoses to a file saved in comma-separated<br />
values (CSV) or HTML.<br />
The CSV file format can easily be imported into most spreadsheet<br />
programs.<br />
Click the Export CSV icon in the Expert toolbar and the Export<br />
dialog appears. Specify which portions of the database you would like<br />
to export.<br />
Click the Export HTML icon in the Expert toolbar and the Save dialog<br />
box appears.<br />
SECTION 4<br />
Additional Information<br />
Setting Quick Select Options on page 243<br />
Using the Address Book on page 255
Setting Quick Select Options<br />
Overview<br />
This section describes how to set Quick Select window preferences in the<br />
Quick Select > Options dialog box tabs. The Options dialog box has<br />
the following tabs:<br />
Setting General Tab Options on page 243<br />
Setting Connection Tab Options on page 245<br />
Setting Graph Tab Options on page 247<br />
Setting Files Tab Options on page 248<br />
Setting Aliases Tab Options on page 250<br />
Setting Options in the Mining Options Tab on page 254<br />
Setting General Tab Options<br />
Set the following options in the General tab:<br />
The Statistics Refresh option lets you select whether to refresh<br />
the Quick Select window’s statistics whenever you make changes<br />
in the Graph panel, such as move the time selector. The default<br />
setting is Off.<br />
The Merged Streams Message option enables or disables the<br />
pop-up warning that is generated when selecting two concurrent<br />
streams. The default setting is On.<br />
NOTE: Stream merging is not supported in <strong>Sniffer</strong> <strong>Adaptive</strong><br />
<strong>Application</strong> <strong>Analyzer</strong>.<br />
The Stream Visibility option lets you indicate where to set the<br />
stream start time when first opening the stream:<br />
The earliest statistics-only data. This option exposes the<br />
history data at the beginning of a wrapped stream. In this<br />
case, the Data start time reflects the first instance of history<br />
data in the stream. The system defaults to this setting.<br />
The earliest available packet (skip over the statistics-only<br />
data). This option ignores the statistics-only data at the<br />
beginning of your selected stream by forcing the Data start<br />
time to the first instance of packet data in the stream.<br />
After the stream has wrapped and <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong><br />
<strong>Analyzer</strong> begins replacing packet data in a first-in-first-out<br />
(FIFO) manner, the leading history data is hidden when this<br />
option is active. However, you may still see sections of history<br />
data in your stream, because the reclamation is not strictly FIFO:<br />
it reclaims least-recently-used (LRU) data ahead of the sections<br />
of data you have analyzed, so the oldest data is not always the<br />
first to go.<br />
Figure 10-1. General Tab<br />
The File Path Display option lets you show or hide the capture file<br />
(.cap) path in the Navigation panel. By default the path is shown.<br />
NOTE: This release of <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong><br />
does not support adding .CAP files to the Navigation Panel for<br />
Quick Select analysis. You can, however, open them directly<br />
using File > Open.<br />
The Top N option lets you specify the setting for Top N filtering.<br />
The Top N feature provides a way to optimize Console<br />
performance. Instead of downloading all data for the period<br />
selected in the Graph panel, you can set a Top N value to limit the<br />
number of unique conversation records transferred to the Top N.<br />
Alternatively, you can enable the All option so that all conversation<br />
records are transferred.<br />
See Working with the Top N Feature on page 95 for important<br />
details on how this feature works.<br />
Setting Connection Tab Options<br />
Set the following options from the Connection tab:<br />
Figure 10-2. Connection Tab<br />
The Connection Timeout option lets you limit the length of time<br />
the Console attempts connection to the local agent before aborting.<br />
The default setting is 5 seconds.<br />
The Connection Defaults options are not used in this release.<br />
The Capture Engine Display option lets you specify how to display<br />
capture device entries in the Navigation panel. Choose from the<br />
following: Display the IP Address only, Name only, or Name with IP<br />
Address.<br />
NOTE: <strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong> uses local capture<br />
interfaces displayed with the loopback IP address of 127.0.0.1.<br />
NOTE: After enabling the Display the Capture Engine name<br />
only option, capture devices still appear in the Navigation<br />
panel with their IP addresses. To remove capture device IP<br />
addresses from the Navigation panel display entirely, deselect<br />
the Show IP Address With Name option in the Configure<br />
Connection dialog box, instead. You can access the Configure<br />
Connection dialog box by right-clicking a capture device in the<br />
Navigation panel and selecting the Configure Connection<br />
command.<br />
Setting Graph Tab Options<br />
Specify how to display newly opened streams in the Graph Panel:<br />
Figure 10-3. Graph Tab<br />
Data Type displays data in either Packets per second, Bytes per<br />
second, Bits per second, or Utilization.<br />
Graph Style displays the data in either a Stacked bars or Lines<br />
graph.<br />
Data Source displays either the data values you have selected or<br />
presents the Filtered Results.<br />
Graph Scale displays graphs in either a Linear or Logarithmic<br />
format.<br />
Zoom Level configures the default level at which to display data in<br />
the Graph panel.<br />
Monitor Update Frequency lets you select the time interval<br />
between data updates when operating in Active Monitor <strong>Mode</strong>. This<br />
mode displays new data on the Graph panel as it arrives from the<br />
stream. See Monitoring for Updates – Active Monitor <strong>Mode</strong> on page<br />
54.<br />
Setting Files Tab Options<br />
Specify how and where the Console stores the results of Raw mode<br />
mining requests from the Files tab:<br />
Figure 10-4. Files Tab<br />
Filename prefix lets you assign the prefix for the saved capture<br />
files. For instance, ICE is the prefix in the capture file ICE-1.cap.<br />
Generate unique file names lets you avoid overwriting<br />
previously saved capture files. A new file is generated each<br />
time a capture file is saved.<br />
NOTE: When you elect to generate unique file names,<br />
perform regular data maintenance in the directory where the<br />
files are stored. Failure to maintain this directory will result in<br />
it filling up with capture files.<br />
Reuse file names lets you overwrite previously created<br />
capture files. When you select this option, you can select<br />
Close and overwrite existing files without warning if you<br />
want to suppress the warning message each time you mine<br />
with this option selected.<br />
Maximum file size lets you assign a limit on the capture file size.<br />
The Console stores the requested capture packets in as many .CAP<br />
files (in the specified size) as necessary to complete the mining<br />
request.<br />
Directory lets you assign the location within your file system<br />
where the capture files are stored.<br />
Generate an error when available disk space falls below<br />
x MB lets you assign a value when an out-of-disk space<br />
warning appears. When Generate unique file names is<br />
enabled, this option lets you monitor the size of your capture<br />
directory as well.<br />
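The storage rules on this tab, worked through in code. This is an added example, not NetScout code: it models the filename prefix, unique versus reused file names, a maximum file size that splits one mining request across several .CAP files, and the low-disk-space error, using a constructed, simplified record layout rather than the real .cap format.

```python
"""Model of the Files tab storage rules: filename prefix, unique versus
reused file names, maximum file size, and the low-disk-space threshold.

Added example, not NetScout code. The on-disk framing is a constructed
'length-prefixed packet record' layout so the script runs anywhere; the
real Sniffer .cap format is not reproduced.
"""
import os
import re
import shutil
import struct
import tempfile


def next_unique_index(directory, prefix):
    """Under 'Generate unique file names', continue numbering after the
    highest existing <prefix>-N.cap so earlier results are never overwritten."""
    pattern = re.compile(rf"^{re.escape(prefix)}-(\d+)\.cap$")
    used = [int(m.group(1)) for name in os.listdir(directory)
            if (m := pattern.match(name))]
    return max(used, default=0) + 1


def free_mb(directory):
    """Free space in MB, the value compared against 'Generate an error when
    available disk space falls below x MB'."""
    return shutil.disk_usage(directory).free / (1024 * 1024)


def write_capture(packets, directory, prefix="ICE", max_file_size=1_000_000,
                  unique_names=True, min_free_mb=100, free_mb_fn=free_mb):
    """Store packets in as many <prefix>-N.cap files of at most max_file_size
    bytes as the request needs; returns the paths written, in order.

    unique_names=False models 'Reuse file names': numbering restarts at 1 and
    existing files are overwritten. free_mb_fn is injectable so the
    low-disk-space error can be exercised without filling a disk.
    """
    os.makedirs(directory, exist_ok=True)
    index = next_unique_index(directory, prefix) if unique_names else 1
    written, current, current_size = [], None, 0
    for payload in packets:
        record = struct.pack(">I", len(payload)) + payload
        if len(record) > max_file_size:
            raise ValueError("packet record larger than maximum file size")
        if current is None or current_size + len(record) > max_file_size:
            if current is not None:
                current.close()
            # The disk-space check runs before each new file is opened.
            if free_mb_fn(directory) < min_free_mb:
                raise OSError(f"available disk space below {min_free_mb} MB "
                              f"after writing {len(written)} file(s)")
            path = os.path.join(directory, f"{prefix}-{index}.cap")
            current, current_size = open(path, "wb"), 0
            written.append(path)
            index += 1
        current.write(record)
        current_size += len(record)
    if current is not None:
        current.close()
    return written


def read_capture(path):
    """Read the length-prefixed records back from one file."""
    packets = []
    with open(path, "rb") as f:
        while header := f.read(4):
            (length,) = struct.unpack(">I", header)
            packets.append(f.read(length))
    return packets


def basenames(paths):
    return [os.path.basename(p) for p in paths]


def run_demo():
    """Exercise the rules on five constructed 60-byte packets with a 130-byte
    file limit (two 64-byte records fit per file) and return what happened."""
    directory = tempfile.mkdtemp(prefix="capdemo-")
    packets = [bytes([i]) * 60 for i in range(5)]
    first = basenames(write_capture(packets, directory, max_file_size=130,
                                    min_free_mb=1))
    second = basenames(write_capture(packets, directory, max_file_size=130,
                                     min_free_mb=1))
    reused = basenames(write_capture(packets, directory, max_file_size=130,
                                     unique_names=False, min_free_mb=1))
    try:  # simulate a nearly full disk: 10 MB free against a 100 MB threshold
        write_capture(packets, directory, max_file_size=130,
                      free_mb_fn=lambda d: 10.0)
        low_disk_error = False
    except OSError:
        low_disk_error = True
    result = {
        "first": first, "second": second, "reused": reused,
        "records_in_first_file":
            len(read_capture(os.path.join(directory, "ICE-1.cap"))),
        "low_disk_error": low_disk_error,
    }
    shutil.rmtree(directory)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```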
Setting Aliases Tab Options<br />
The Aliases tab lists the user-defined aliases you have created. Use this<br />
tab to specify alternate names (aliases) for different network entities.<br />
Figure 10-5. Aliases Tab<br />
NOTE: The aliases entered on this tab affect data display in the<br />
Quick Select window. They do not affect data shown in the<br />
postcapture display window. To set aliases for data in the<br />
postcapture window, use the Tools > Options > Protocols tab. See<br />
Setting Protocol Aliases for the Postcapture Display on page 196.<br />
The Aliases tab includes the following fields:<br />
Type lets you select which element you would like to assign an<br />
alias. Options include IP Address, MAC Address, TCP Port, UDP<br />
Port, VLAN ID, IP Protocol, PVC (ATM – WAN/ATM SuperTAP<br />
streams), DLCI (Frame Relay – WAN/ATM SuperTAP streams),<br />
MPLS (that is, an MPLS label), GROUP_IP Address,<br />
GROUP_MAC Address, GROUP_TCP Port, GROUP_UDP Port,<br />
GROUP_VLAN ID, GROUP_IP Protocol, GROUP_MPLS.<br />
The Quick Select window displays these aliases in the Statistics<br />
panel and Create/Edit Filters dialog box for easy identification<br />
during analysis and troubleshooting.<br />
NOTE: User-defined settings are stored in the alias file<br />
(aliases.adr), which is located at C:\Program<br />
Files\<strong>NetScout</strong>\<strong>Sniffer</strong> <strong>Adaptive</strong> <strong>Application</strong> <strong>Analyzer</strong>\bin.<br />
Preconfigured settings are stored in the aliases.xml file at the<br />
same location.<br />
To create an alias:<br />
1 From the Aliases tab, select the type of alias you would like to create<br />
from the Type: drop-down list.<br />
2 Enter the IP address, port, or protocol in the Address field.<br />
3 Assign and enter a name in the Alias field and click the Add button.<br />
4 If you are creating a Group alias, the Alias field remains populated<br />
with the existing Group alias. You can enter a new member of the<br />
Group and click the Add button to add it to the Group alias.<br />
5 Click OK.<br />
Using Group Aliases Effectively<br />
Group aliases provide you with a powerful tool for viewing statistics. For<br />
example, you can:<br />
Create a Group alias for all IP addresses in a particular department,<br />
allowing you to view aggregated traffic statistics for those hosts.<br />
Create a Group alias for a particular set of VLANs, allowing you to<br />
view aggregated statistics for those VLANs.<br />
Create a Group alias for a particular set of TCP or UDP ports. This<br />
is particularly helpful when you want to track the performance of<br />
an application running over dynamically allocated ports within a<br />
specific range. You can create a GROUP_TCP Port alias (or<br />
GROUP_UDP Port, depending on the application) and see<br />
aggregated statistics for the application. See Group Alias Example<br />
– Adding a Proprietary Financial <strong>Application</strong> on page 252 for an<br />
example of this.<br />
Group Alias Example – Adding a Proprietary Financial<br />
<strong>Application</strong><br />
Suppose your network runs a proprietary financial application called<br />
MoneyMan. This application runs over a range of dynamically allocated<br />
TCP ports between 5400-5405. You could add a Group alias for this<br />
application as follows:<br />
1 Display the Quick Select > Options > Aliases tab.<br />
2 Set the Type dropdown to GROUP_TCP Port.<br />
3 Enter moneyman in the Alias field.<br />
4 Add the first port by entering 5400 in the Address field and<br />
clicking Add.<br />
5 Add ports 5401 - 5405 by repeating the previous step for each port<br />
in sequence. The moneyman alias will remain in the Alias field so<br />
you do not have to re-enter it each time.<br />
6 When you have finished entering ports, the Aliases tab will appear<br />
with moneyman entries like those shown below.<br />
Note that there is not a single entry for a moneyman group.<br />
Instead, you can tell that the ports belong to the same group alias<br />
by noting that the entry in the Alias column is the same for ports<br />
5400 - 5405.<br />
Figure 10-6. Adding a Group Alias<br />
7 Click OK on the Options dialog box. The group alias is saved. Traffic<br />
seen over ports 5400 - 5405 will be rolled up into a single<br />
moneyman entry in Port columns in Statistics tab panels, so long<br />
as the Show Alias Groups option is enabled. Toggle the Show<br />
Alias Groups setting by right-clicking on a Statistics panel cell and<br />
selecting either Show Alias Groups or Hide Alias Groups.<br />
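How a group alias rolls several per-port rows into one entry, as an added example rather than NetScout code: the alias table below mirrors the moneyman rows from the procedure above, the port statistics are constructed, and the show_alias_groups flag stands in for the Show Alias Groups / Hide Alias Groups toggle.

```python
"""Roll per-port statistics up into Group aliases, as the Statistics panel
does when Show Alias Groups is enabled.

Added example, not NetScout code. A group is represented exactly as the
Aliases tab shows it in Figure 10-6: one row per member port, all sharing
the same Alias name.
"""
from collections import defaultdict

# Constructed alias table; each tuple is one Aliases-tab row (Type, Address, Alias).
ALIAS_TABLE = [
    ("GROUP_TCP Port", 5400, "moneyman"),
    ("GROUP_TCP Port", 5401, "moneyman"),
    ("GROUP_TCP Port", 5402, "moneyman"),
    ("GROUP_TCP Port", 5403, "moneyman"),
    ("GROUP_TCP Port", 5404, "moneyman"),
    ("GROUP_TCP Port", 5405, "moneyman"),
    ("TCP Port", 443, "https"),  # a plain (non-group) alias for contrast
]

# Constructed Port-tab statistics: (port, total packets, total bytes).
PORT_STATS = [
    (5400, 120, 96_000),
    (5401, 80, 64_000),
    (5403, 40, 32_000),
    (5405, 10, 8_000),
    (443, 500, 400_000),
    (8080, 15, 12_000),  # no alias at all: shown by port number
]


def build_lookup(alias_table, alias_type):
    """Map address -> alias name for one alias Type (e.g. 'GROUP_TCP Port')."""
    return {addr: name for typ, addr, name in alias_table if typ == alias_type}


def display_name(port, groups, singles, show_alias_groups):
    """Name shown in a Port column. Group aliases apply only while Show Alias
    Groups is on; plain aliases apply either way; otherwise the raw port."""
    if show_alias_groups and port in groups:
        return groups[port]
    return singles.get(port, str(port))


def rollup(port_stats, alias_table, show_alias_groups=True):
    """Sum rows that share a display name. Returns (name, packets, bytes)
    tuples sorted by name, so 'moneyman' appears once with the totals of
    every member port that carried traffic."""
    groups = build_lookup(alias_table, "GROUP_TCP Port")
    singles = build_lookup(alias_table, "TCP Port")
    totals = defaultdict(lambda: [0, 0])
    for port, pkts, byts in port_stats:
        name = display_name(port, groups, singles, show_alias_groups)
        totals[name][0] += pkts
        totals[name][1] += byts
    return sorted((n, p, b) for n, (p, b) in totals.items())


def group_members(alias_table, alias_name):
    """Recover a group's member ports from the per-port rows, which is the
    only place the group is recorded (there is no single group entry)."""
    return sorted(addr for typ, addr, name in alias_table
                  if typ.startswith("GROUP_") and name == alias_name)


if __name__ == "__main__":
    print("Show Alias Groups:", rollup(PORT_STATS, ALIAS_TABLE, True))
    print("Hide Alias Groups:", rollup(PORT_STATS, ALIAS_TABLE, False))
    print("moneyman members:", group_members(ALIAS_TABLE, "moneyman"))
```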
Setting Options in the Mining Options Tab<br />
Configure the mining window behavior from the Mining Options tab:<br />
Figure 10-7. Mining Options Tab<br />
The Mining Request Summary option enables or disables the<br />
pop-up Summary dialog box when you click the Expert or<br />
Intelligence button. The Summary dialog box lets you double-check<br />
or override your mining request parameters, such as the<br />
time selection and filter options.<br />
The Show Expert option lets you decide whether to show the<br />
Expert window during mining in Raw mode. Deselect this option to<br />
suppress the Expert window while mining data in Raw mode.<br />
Chapter 11<br />
Using the Address Book<br />
Overview<br />
This section explains how to assign familiar and recognizable names to<br />
your network nodes in the postcapture analysis window for raw<br />
packets. The following topics are covered:<br />
Introducing the Address Book on page 255<br />
Adding Addresses Manually on page 258<br />
IMPORTANT: Address Book name resolution is not used in the <strong>Adaptive</strong><br />
postcapture views. It is only used for data captured in Raw mode.<br />
IMPORTANT: You can also assign familiar names to various statistics<br />
shown in the Statistics panel and Create/Edit Filters dialog box using<br />
aliases. See Setting Aliases Tab Options on page 250 for details.<br />
Introducing the Address Book<br />
The Address Book lets you maintain a symbolic names table for your<br />
network. Use symbolic names in place of six-byte hardware addresses,<br />
IP addresses, and IPX addresses in the Expert and postcapture displays<br />
for data captured in Raw mode.<br />
IMPORTANT: Address Book name resolution is not used in the <strong>Adaptive</strong><br />
postcapture views. It is only used for data captured in Raw mode.<br />
Display the address book from Tools > Address Book. See Using the<br />
Address Book Toolbar on page 257.<br />
Figure 11-1. Address Book Window<br />
Using the Address Book Toolbar<br />
The Address Book toolbar lets you perform a variety of tasks. The<br />
following table lists the toolbar buttons and defines their corresponding<br />
tasks.<br />
Table 11-1. Address Book Toolbar (button icons not reproduced)<br />
New Address: Press this button to create address entries.<br />
Edit Address: Select an entry in the Address Book, then press this button to edit your selection’s data.<br />
Delete Address: Select an entry in the Address Book, then press this button to delete the address.<br />
Delete All Addresses: Press this button to delete all addresses in the Address Book.<br />
Undo: Press this button to undo your last keystroke.<br />
Redo: Press this button to redo your last keystroke.<br />
Sort by Medium: Press this button to sort entries by medium.<br />
Autodiscovery: Press this button to automatically discover address entries.<br />
Export: Press this button to export the Address Book data in .csv format.<br />
Export AP: Press this button to export the Address Book data in AP format.<br />
Adding Addresses Manually<br />
Populate the Address Book by entering names manually, importing an<br />
external address table, or automatically discovering names during<br />
Expert analysis.<br />
To add addresses manually:<br />
1 Go to Tools > Address Book. The Address Book opens.<br />
2 Click the New Address icon in the Address Book toolbar. The<br />
New/Edit Address dialog box appears. Enter address<br />
information for a network node in this dialog box.<br />
3 Click Save.<br />
Figure 11-2. New/Edit Address<br />
SECTION 5<br />
Reporting<br />
Generating Reports on page 261<br />
Modifying the Report Data Window on page 265<br />
Printing Reports on page 265<br />
Chapter 12<br />
Running Reports<br />
Overview<br />
This section explains how to use the Statistics panel tabs to generate<br />
reports. The following topics are covered:<br />
Generating Reports on page 261<br />
Modifying the Report Data Window on page 265<br />
Printing Reports on page 265<br />
Generating Reports<br />
The Statistics panel lets you generate reports:<br />
Generating Reports from the Spreadsheet Tab on page 261<br />
Generating Reports From the Reports Tab on page 264<br />
Generating Reports from the Spreadsheet Tab<br />
You can generate reports from any Statistics panel tab. The exact report<br />
produced depends on the selected column and sort order in place. For<br />
example, all the Statistics Panel tabs (except the Summary, Errors, and<br />
Destination tabs) can generate a report with the following different<br />
combinations:<br />
The report can be<br />
First N tab name Items by ...<br />
Top N tab name Items by ...<br />
Bottom N tab name Items by ...<br />
Selected N tab name Items by ...<br />
Then, each of the above reports can be sorted for each of the statistics<br />
columns, such as,<br />
by Value<br />
by Total Packets<br />
by Total Packets TX<br />
by Total Packets RX<br />
by Total Bytes<br />
by Total Bytes TX<br />
by Total Bytes RX<br />
by Total Bits<br />
by Total Bits TX<br />
by Total Bits RX<br />
by Packets/sec.<br />
by Bytes/sec.<br />
by Bits/sec.<br />
IMPORTANT: The Summary, Errors, and Destination tabs can only<br />
generate First N tab name Items by Total Value reports.<br />
The following table provides examples of some of the reports you can<br />
create:<br />
Table 12-1. Spreadsheet Reports<br />
Report Name: View in Spreadsheet subtab...<br />
Local Statistics: Summary Tab on page 73<br />
Top N IP Addresses or Selected N IP Addresses: IP Address Tab on page 76<br />
First N Ports by Value or Selected N Ports by Value: Port Tab on page 77<br />
First N Networks by Value or Selected N Networks by Value: Network Tab on page 79<br />
Bottom N MAC Addresses by Total Bytes or Selected N MAC Addresses by Total Bytes: MAC Address Tab on page 80<br />
First N Destination by Value: Destination Tab on page 81<br />
Bottom N Conversations or Selected N Conversations: Conversation Tab on page 82<br />
First N “Advanced” Items by Value or Selected N “Advanced” Items by Value: Advanced Tab on page 84<br />
Bottom N VLAN IDs or Selected N VLAN IDs: VLAN ID Tab on page 85<br />
First N IP Protocols by Value or Selected N IP Protocols by Value: IP Protocol Tab on page 86<br />
To generate a report from the Spreadsheet:<br />
1 From the Statistics panel, select the Spreadsheet sub-tab<br />
associated with the type of report you want to produce.<br />
2 Change the sort order and selected column to fine-tune the report<br />
displayed in the Graph panel.<br />
3 Right-click the Graph panel and select Chart Selections Only to<br />
view Selected N reports, or deselect Chart Selections Only to toggle<br />
back to the default report.<br />
4 In the Graph panel, choose either the Pie Chart or Column Chart to<br />
select a chart format.<br />
Generating Reports From the Reports Tab<br />
As with the Spreadsheet tab, you can generate reports from any Reports<br />
tab. The exact report produced depends on the selected column and sort<br />
order in place.<br />
The following table provides examples of some of the reports you can<br />
create from the Reports tab:<br />
Table 12-2. Reports Tab Reports<br />
Report Name: View in Reports sub-tab...<br />
Top N Talkers or Selected N Talkers: Top Talkers on page 88<br />
Top N Conversations or Selected N Conversations: Top Conversations on page 89<br />
Top N <strong>Application</strong>s or Selected N <strong>Application</strong>s: Top <strong>Application</strong>s on page 90<br />
Top N IP Multicast Protocols or Selected N IP Multicast Protocols: Multicast Protocols on page 91<br />
First N IP Multicast Groups by Value or Selected N IP Multicast Groups by Value: Multicast Groups on page 92<br />
To create a report from the Reports tab:<br />
1 From the Statistics panel, select the Reports sub-tab associated<br />
with the type of report you want to produce.<br />
2 Change the sort order and selected column to fine-tune the report<br />
displayed in the Graph panel.<br />
3 Right-click the Graph panel and select Chart Selections Only to<br />
view Selected N reports, or deselect Chart Selections Only to toggle<br />
back to the default report.<br />
4 In the Graph panel, choose either the Pie Chart or Column Chart to<br />
select a chart format.<br />
Modifying the Report Data Window<br />
You can modify the data’s time window in the chart by changing the<br />
selection in the Time Selection drop-down list. Using a different time<br />
selection will dynamically update the charts that are currently displayed.<br />
Printing Reports<br />
Send report output to your printer by clicking the Print button at the<br />
right of the Graph panel.<br />
Index<br />
A<br />
About the Statistics panel, 71<br />
Absolute time, 195<br />
Active Monitor Intervals<br />
option, 247<br />
Address Book<br />
adding addresses, 258<br />
introducing, 255<br />
not for <strong>Adaptive</strong>, 146<br />
toolbar, 257<br />
Adjust times<br />
jump to first packet, 52, 117<br />
jump to last packet, 52, 117<br />
new duration, 52, 117<br />
new start time, 52, 117<br />
Adjust Times dialog box<br />
using, 117<br />
Advanced tab<br />
Statistics panel, 84<br />
Advanced tab (Define Filter), 189<br />
Alarm<br />
Expert thresholds, 229<br />
alarm maximum, 228<br />
Alias Type<br />
option, 250<br />
aliases<br />
and sorting, 98<br />
Aliases tab, 250<br />
options<br />
type of alias, 250<br />
Availability meter<br />
using, 56<br />
average frame size<br />
Expert vs. Statistics, 224<br />
C<br />
Cancel button<br />
using, 97<br />
Capture Engine<br />
establishing a Connection, 48<br />
Capture Engine List<br />
managing, 49<br />
Capture Engine list entries<br />
option, 246<br />
Capture Panel tab, 66<br />
changing colors, 67<br />
Color-code packets, 191<br />
colors<br />
changing defaults, 67<br />
custom, 67<br />
Columns<br />
adding, 104<br />
modifying, 104<br />
reordering, 106<br />
Configuring<br />
default routers (Expert), 234<br />
Connection defaults<br />
option, 246<br />
Connection tab, 245<br />
options<br />
Capture Engine entries, 246<br />
defaults, 246<br />
timeout, 245<br />
Connection Timeout<br />
option, 245<br />
Connection time-out, 245<br />
Connection Type<br />
changing, 217<br />
Conversation tab<br />
Statistics panel, 82<br />
CRC<br />
not included in Expert stats, 224<br />
CRCs<br />
and Expert/Decode Statistics and, 224<br />
and Statistics Panel Packet Sizes vs. Postcapture Packet Sizes, 75<br />
Cumulative bytes, 195<br />
custom colors<br />
and Navigation panel, 69<br />
redefining colors, 67<br />
Customizing<br />
the decode display, 191<br />
D<br />
Data pattern filter, 187<br />
Data Source<br />
option, 247<br />
Data Type<br />
option, 247<br />
Data type<br />
changing, 58<br />
Decode Font, 192<br />
Decode tab, 165<br />
Detail panel, 166<br />
Hex panel, 166<br />
searching for frames, 197<br />
Summary panel, 165<br />
Delta time, 195<br />
Destination tab<br />
Statistics panel, 81<br />
Detail Tree pane, 41<br />
Detail tree panel, 220<br />
Diagnosis in Expert analysis, 219<br />
directionality<br />
IP address columns, 82<br />
Directory<br />
.CAP directory, 249<br />
Disabling<br />
RIP analysis (Expert), 234<br />
discovered connections<br />
editing, 217<br />
Display<br />
customizing the decode display, 191<br />
Decode, 165<br />
Expert, 162<br />
filters, 172<br />
formats, 165<br />
Host Table, 212<br />
menu, 168<br />
navigating the decode display, 168<br />
options on General tab, 192<br />
Protocol Distribution, 214<br />
setting decode display options, 191<br />
Display vendor ID on MAC address, 193<br />
Displaying<br />
decoded packets, 165<br />
Expert data, 162<br />
Expert explain messages, 223<br />
DNS names<br />
resolving, 103<br />
doubled counts<br />
packets with same source and destination port, 78<br />
E<br />
Errors tab<br />
Statistics panel, 74<br />
Exclude protocols, 195<br />
Expert<br />
and CRC, 224<br />
diagnoses, 219<br />
display, 162<br />
explain messages, 223<br />
exporting data, 239<br />
layers, 226<br />
M, G, or T indicators, 224<br />
objects, 226<br />
RIP analysis, 234<br />
searching for frames with alarms, 206<br />
special characters in display, 224<br />
subnet mask settings, 233<br />
symptoms, 219<br />
thresholds, 229<br />
Expert Data<br />
exporting, 239<br />
Expert Detail panel, 41, 220<br />
Expert Options<br />
tabs, 225<br />
Expert Overview panel, 41, 220<br />
Expert Summary panel, 41, 220<br />
Expert tab<br />
toolbar, 221<br />
Expert window<br />
introducing, 162<br />
rearranging panels, 221<br />
exporting<br />
Protocols tab settings, 196<br />
Exporting Expert data, 239<br />
F<br />
File Path<br />
option, 244<br />
File prefix<br />
option, 248<br />
Files tab, 248<br />
options<br />
filename prefix, 248<br />
Max. size, 249<br />
Filter Profiles<br />
using, 183<br />
filter terms<br />
maximum, 129<br />
Filtering<br />
by address, 185<br />
by Data Pattern, 187<br />
by packet size, protocol, and packet types, 189<br />
by port, 186<br />
Filters<br />
data pattern, 187<br />
display, 172<br />
error type, 189<br />
exporting, 190<br />
importing, 190<br />
maximum number, 129<br />
packet size, 189<br />
protocol type, 189<br />
finding frames, 197<br />
Found, 118<br />
Frame Slicing<br />
using, 133<br />
function key shortcuts<br />
display, 168<br />
G<br />
General tab, 243, 245<br />
options<br />
file path displayed, 244<br />
merged streams message, 243<br />
statistics refresh, 243<br />
stream visibility, 243<br />
Top N options, 245<br />
Generate an error when available disk space falls below, 249<br />
Generate unique file names, 248<br />
granularity<br />
timestamps, 167<br />
Graph panel<br />
Column Chart tab, 63<br />
defined, 46<br />
global statistics tab, 57<br />
introducing, 49<br />
tabs, 57<br />
time indicators<br />
data start and data end, 49<br />
selected, 49<br />
start and end, 49<br />
Time Series Chart tab, 65<br />
Graph panel controls<br />
using, 54<br />
Graph Scale<br />
option, 247<br />
Graph Style<br />
changing, 58<br />
Graph tab, 247<br />
options<br />
active monitoring updates, 247<br />
data source, 247<br />
data type, 247<br />
graph scale, 247<br />
graph type, 247<br />
zoom level, 247<br />
Graph Type<br />
option, 247<br />
H<br />
Hide Alias Groups option, 101<br />
Hide Aliases option, 101<br />
Highlight selected frames, 194<br />
Host Table<br />
display tab, 212<br />
hover statistics, 53<br />
I<br />
importing<br />
Protocols tab settings, 196<br />
IP address columns<br />
directionality, 82<br />
IP Address tab<br />
Statistics panel, 76<br />
IP Addresses<br />
multiple entries for same pair, 83<br />
IP Protocol tab<br />
Statistics panel, 86<br />
Items, 118<br />
J<br />
Jump to first packet, 117<br />
Jump to last packet, 117<br />
K<br />
Key Terms, 23<br />
Keyboard Shortcuts<br />
using, 167<br />
Keyboard usage (decode display), 168<br />
L<br />
Layer 2 statistic, 104<br />
line speed<br />
effect of changes on utilization, 59<br />
line speed changes<br />
and Graph Panel Utilization Values, 59<br />
M<br />
MAC Address tab<br />
Statistics panel, 80<br />
maximum<br />
filter terms, 129<br />
Maximum file size<br />
option, 249<br />
Merged Streams Message<br />
option, 243<br />
Mining Options tab, 254<br />
Mining Filters<br />
and pattern matches, 131<br />
applying, 124<br />
Modified field<br />
Mining Filters, 125<br />
Multiple Entries for Same Pair of IP Addresses, 83<br />
N<br />
Navigating the decode display, 168<br />
Navigation panel<br />
defined, 46<br />
introduced, 47<br />
Network tab<br />
Statistics panel, 79<br />
O<br />
Opening the Console application, 45<br />
Options<br />
aliases, 250<br />
connection, 245<br />
files, 248<br />
general, 243<br />
Graph, 247<br />
mining, 254<br />
mining request summary, 243<br />
P<br />
Packet capture<br />
overview, 110<br />
Packet display, 165<br />
searching for frames, 197<br />
Packet Selection, 192<br />
Packets<br />
color-coding, 191<br />
selecting, 170<br />
pattern matches<br />
and mining filters, 131<br />
Performance Options<br />
Connection tab, 245<br />
Port tab<br />
Statistics panel, 77<br />
Post Analysis<br />
Decode tab, 165<br />
Host Table tab, 212<br />
Host Table Toolbar, 213<br />
Matrix tab, 209<br />
Matrix toolbar, 210<br />
Protocol Distribution toolbar, 215<br />
printing<br />
decoded packets, 207<br />
to file, 207<br />
Progress bar, 118<br />
Progress panel<br />
found, 118<br />
items, 118<br />
progress bar, 118<br />
progress time, 118<br />
scanning, 118<br />
using, 118<br />
Progress time, 118<br />
Protocol Distribution<br />
display tab, 214<br />
Protocol Expand, 191<br />
Protocol Statistics panel, 41, 220<br />
Protocols tab options, 196<br />
Protocols tab settings<br />
importing/exporting, 196<br />
Q<br />
Quick Start in 6 Steps, 27<br />
R<br />
Reassemble entire trace file option, 192<br />
Reassembly window size option, 192<br />
Refresh button<br />
using, 97<br />
Relative time, 195<br />
Resolve DNS Name command, 103<br />
Resolve name on Network address, 193<br />
Resolve Visible DNS Names, 103<br />
Reuse file names, 248<br />
RIP analysis, 234<br />
S<br />
S2DPalette.ini file, 68<br />
Scanning, 118<br />
searching for frames, 197<br />
data pattern searches, 202<br />
Expert alarm searches, 206<br />
status flag searches, 205<br />
text searches, 199<br />
Selecting Data, 51<br />
Selecting packets, 170<br />
Show Alias Groups Only option, 101<br />
Show Alias Groups option, 101<br />
Show Aliases option, 101<br />
Show all layers, 193<br />
Show Expert symptoms, 193<br />
Show network address, 193<br />
sorting<br />
and aliases, 98<br />
Statistics Panel, 98<br />
Specify a new duration, 117<br />
Specify a new start time, 117<br />
Statistics Panel<br />
Data<br />
Port tab, 77<br />
Statistics panel<br />
about, 71<br />
Advanced tab, 84<br />
controls<br />
collapsing columns, 100<br />
deselecting rows, 97<br />
expanding columns, 100<br />
selecting rows, 97<br />
Conversation tab, 82<br />
Data<br />
Port tab, 77<br />
defined, 46<br />
Destination tab, 81<br />
Errors tab, 74<br />
IP Address tab, 76<br />
IP Protocol tab, 86<br />
MAC Address tab, 80<br />
Network tab, 79<br />
Port tab, 77<br />
refreshing data, 97<br />
Summary tab, 73<br />
VLAN ID tab, 85<br />
Statistics Refresh<br />
option, 243<br />
Stream Visibility<br />
option, 243<br />
Subnet mask settings, 233<br />
Summary dialog<br />
viewing time selection parameters, 116<br />
Summary Display, 191<br />
Summary tab<br />
Statistics panel, 73<br />
Symptom in Expert analysis, 219<br />
T<br />
Tabs<br />
adding, 104<br />
Graph panel, 57<br />
modifying, 104<br />
reordering, 106<br />
Thresholds<br />
Expert, 229<br />
Time Selection<br />
adjusting time selection, 52<br />
Time selectors<br />
using, 51<br />
Time-out<br />
connection, 245<br />
Timestamps<br />
understanding, 166<br />
timestamps<br />
granularity, 167<br />
Top N<br />
default vs. override, 95<br />
details, 96<br />
setting, 95<br />
tabs affected, 96<br />
using, 95<br />
Top N options, 245<br />
ToS statistic, 105<br />
Two-station format, 194<br />
U<br />
Use Address Book to resolve name, 193<br />
utilization<br />
and line speed changes, 59<br />
V<br />
VLAN ID tab<br />
Statistics panel, 85<br />
Z<br />
Zoom Control<br />
selecting window size, 55<br />
Zoom Level<br />
option, 247<br />