Cisco Prime Network Analysis Module Software 5.1 User Guide
Capturing and Decoding Packet Data


Table Of Contents

Capturing and Decoding Packet Data

Sessions

Viewing Capture Sessions

Configuring Capture Sessions

Software Filters

Creating a Software Filter

Editing a Software Capture Filter

Hardware Filters

Configuring a Hardware Filter

Files

Analyzing Capture Files

Error Scan

Downloading Capture Files

Deleting a Capture File

Deleting All Capture Files

Viewing Packet Decode Information

Browsing Packets in the Packet Decoder

Filtering Packets Displayed in the Packet Decoder

Viewing Detailed Protocol Decode Information

Using Alarm-Triggered Captures

Custom Display Filters

Creating Custom Display Filters

Editing Custom Display Filters

Deleting Custom Display Filters


Capturing and Decoding Packet Data


The Capture feature of Cisco Prime Network Analysis Module (NAM) Traffic Analyzer 5.1 allows you to set up multiple sessions for capturing, filtering, and decoding packet data, manage the data in a file control system, and display the contents of the packets.


Note Capture does not apply to the NAM Virtual Service Blades.


This chapter contains the following sections:

Sessions

Software Filters

Hardware Filters

Files

Viewing Packet Decode Information

Quick Capture

From the context menu of many of the dashboard bar charts that show Applications, Hosts, or VLANs, you can start a capture. For example, when you click an Application in a bar chart (as shown in Figure 4-1) and choose "Capture," the following is done automatically:

A memory-based capture session is created

A software filter is created using that application

The capture session is started

The decode window pops open and you can immediately see packets being captured

Figure 4-1 Quick Capture

Sessions

The purpose of Capture Sessions is to capture, filter, and decode packet data, manage the data in a file control system, and display the contents of the packets. The captured packets can then be decoded and analyzed on the NAM for more efficient problem isolation.

As shown in Figure 4-2, network packets coming into NAM must pass at least one hardware filter in order to go on to the next step. If no hardware filters are configured, all packets pass through. See Hardware Filters for more information about hardware filters.


Note Hardware filters apply only to the Cisco 2200 Series Appliances.


Packets must then pass at least one software filter in that particular session to be saved by that session. If no software filters are configured for a session, then all packets are captured. See Software Filters for more information about software filters.

For each hardware and software filter, every field you configure must match if the packet is to pass through that filter. The more fields you configure inside a filter, the more specific that filter is, and therefore fewer packets will pass through it.

Figure 4-2 NAM Capture Sessions

This section contains the following subjects:

Viewing Capture Sessions

Configuring Capture Sessions

Software Filters

Viewing Capture Sessions

To access the basic operations for capturing, viewing and decoding packet data on the NAM, choose Capture > Packet Capture/Decode > Sessions. The Capture Sessions window shows the list of capture sessions. If none have been configured, the list will be blank.

Table 4-1, Capture Session Fields, describes the Capture Sessions fields.

Table 4-1 Capture Session Fields 

Field
Description
Name

Name of the capture session

Start Time

Time the capture was last started. You can stop and restart the capture as many times as necessary.

Size (MB) (Capture to Memory)
Size(MB) x No. files (Capture to Files)

Size of the session

Note Capture to files indicates the capture is being stored in one or more files and is a clickable link to those files.

Packets

Number of packets

State

The current status of the capture:

Running—Packet capture is in progress

Stopped—Packet capture is stopped. Captured packets remain in buffer, but no new packets are captured

Full (Cisco 2200 Series appliances only)—The memory or file is full, and no new packets will be captured.

Location

The location of the capture (Memory, Local Disk, NFS, iSCSI).


Table 4-2, Buttons in the Capture Session Operations Window describes the operations that you can perform from the Capture Sessions window.

Table 4-2 Buttons in the Capture Session Operations Window 

Operation
Description
Create

Create a new capture session. See Configuring Capture Sessions.

Edit

Edit the settings of the selected capture.

Delete

Delete a selected session.

Start

Start capturing to a selected session. The number in the Packets column for that session will start to rise.

Stop

Stop capturing to the selected session (no packets will go through). Capture data remains in the capture memory buffer, but no new data is stored. Click Start to resume the capture.

Clear

Clear captured data from memory.

Decode

Display details of the capture session.

Save to File

Save a session to a file on the NAM hard disk. See Files.


Configuring Capture Sessions

You can configure up to ten capture sessions. As part of configuring a capture session, you can also create software filters, if desired (see Creating a Software Filter).

To configure a new capture session:


Step 1 Choose Capture > Packet Capture/Decode > Sessions.

Step 2 Click the Create button to set up a new capture. The NAM displays the Configure Capture Session window (shown in Figure 4-3). The Capture Settings window provides a field for you to enter a name for the capture and four status indicators described in Table 4-3.

Figure 4-3 Configure Capture Session Window

Step 3 Enter information in the Capture Settings Fields (Table 4-3) as appropriate.

Table 4-3 Capture Settings Fields 

Field
Description
Usage Notes
Name

Name of the capture

Enter a capture name.

Packet Slice Size (bytes)

The slice size in bytes; used to limit the size of the captured packets.

Enter a value of 64 or higher. Enter zero (0) to not perform slicing.

If you have a small session but want to capture as many packets as possible, use a small slice size.

If the packet size is larger than the specified slice size, the packet is sliced before it is saved in the capture session. For example, if the packet is 1000 bytes and the slice size is 200 bytes, only the first 200 bytes of the packet are stored in the capture session.

Capture Source

Data-Port or ERSPAN

Choose the capture source (check one or more check boxes):

Data-port: This accepts SPAN, RSPAN, and VACL capture. For NME-NAM, internal, external, or both.

ERSPAN: Locally terminated is recommended.

Storage Type: Memory

Check to store captures in memory

Enter values for Memory Size for this capture. Enter a number from 1 up to your platform maximum. If system memory is low, the actual session size allocated might be less than the number specified here. See Table 4-4 for maximum session sizes for each NAM platform.

The NAM will grant less memory than requested if the available memory is less than requested.

Check (if desired) Wrap when Full to enable continuous capture (when the session is full, older packet data is removed to make room for new incoming packets). If you do not check Wrap when Full, the capture ends when the amount of data reaches the size of the session.

Storage Type: File(s)

File Size (MB)

Enter a value for File Size (file size can be from 1 to 2 GB or up to 10 GB for the NAM appliances). About 400MB of free disk space is reserved for working files. If available disk space is below 400 MB, you will not be able to start new capture-to-disk sessions. See Table 4-4, Maximum Capture Session Sizes for NAM Platforms.

Number of Files

Enter a value for Number Of Files to use for continuous capture.

Rotate Files

Check the Rotate Files check box to rotate files in continuous capture. The Rotate Files option can only be used with remote storage or the NAM 2200 Series appliance's local disk. See the section Capture Data Storage, page 2-18, for information about configuring remote storage.

If you choose the Rotate Files option, when you reach the highest-numbered file, the earliest file is overwritten. For example, if you set No. Files to 10, file CaptureA_1 is overwritten after the NAM writes capture data to file CaptureA_10. To determine the most recent capture, check each file's time stamp.

File Location

Choose a location from File Location. Local disk is the default, or choose a previously configured remote storage location. You can add (NFS and iSCSI) remote storage locations by going to Administration > System > Capture Data Storage.


Table 4-4 lists the hardware platforms that NAM 5.1 supports and their maximum session size. This is the maximum capture memory buffer size for all capture sessions together, not individually.

Table 4-4 Maximum Capture Session Sizes for NAM Platforms  

NAM Platform
Maximum Session Size

WS-SVC-NAM-1

125 MB

WS-SVC-NAM-1 with memory upgrade (MEM-C6KNAM-2GB)

500 MB

WS-SVC-NAM-1-250S

200 MB

WS-SVC-NAM-2

300 MB

WS-SVC-NAM-2 with memory upgrade (MEM-C6KNAM-2GB)

500 MB

WS-SVC-NAM-2-250S

500 MB

NAM2204-RJ45

2 GB

NAM2204-SFP

2 GB

NAM2220

10 GB

NME-NAM-80S

132 MB

NME-NAM-120S

300 MB

SM-SRE-700

1 GB

SM-SRE-900

1 GB


When capturing to multiple files, a suffix is added to the file name. For example, the first file for a capture named CaptureA would be labeled CaptureA_1, the second CaptureA_2, and so on.


Note When configuring capture-to-disk sessions, it is important to keep track of your free disk space and manage your capture files. The NAM allows you to create more capture files than you have the free disk space to store. For example, you might have 400 MB of free disk space when you set up two capture sessions that each store 160 MB of capture files. A little later, before the previous capture sessions have each written 160 MB of data, you might notice you still have 160 MB of free disk space and set up another capture session to store an additional 120 MB of capture files. You will then eventually run out of disk space, causing all active capture sessions to end with errors.


Step 4 Click the Submit button to finish configuration for this session, or configure Software Filters for this session (see the next section, Software Filters).
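The Packet Slice Size, Memory Size and Wrap when Full settings in Table 4-3 interact: a packet is cut to the slice size before it is stored, and a full memory session either evicts its oldest data (Wrap when Full) or ends. The following model of a capture-to-memory session is an added example, not NAM code; the class and method names are invented, and the behaviour is taken from the table (slice of 0 means no slicing, otherwise 64 bytes or more; a non-wrapping session stops when the data reaches the session size).

```python
from collections import deque


class MemorySession:
    """Model of a capture-to-memory session: packets are sliced to Packet
    Slice Size and kept in a buffer of Memory Size bytes. When the buffer is
    full the session either evicts its oldest packets (Wrap when Full) or
    stops capturing. Hypothetical class, not the NAM implementation."""

    def __init__(self, name, memory_bytes, slice_size=0, wrap_when_full=False):
        if slice_size != 0 and slice_size < 64:
            raise ValueError("Packet Slice Size must be 0 (no slicing) or 64 or higher")
        self.name = name
        self.memory_bytes = memory_bytes
        self.slice_size = slice_size
        self.wrap_when_full = wrap_when_full
        self.packets = deque()       # stored (possibly sliced) packets, oldest first
        self.stored_bytes = 0
        self.state = "Running"       # Running, Stopped or Full, as in Table 4-1

    def _slice(self, packet):
        # e.g. a 1000-byte packet with slice size 200 keeps only its first 200 bytes
        if self.slice_size and len(packet) > self.slice_size:
            return packet[: self.slice_size]
        return packet

    def offer(self, packet):
        """Return True if the packet (after slicing) was stored in the session."""
        if self.state != "Running":
            return False             # Stopped or Full: nothing new is captured
        data = self._slice(packet)
        if len(data) > self.memory_bytes:
            return False             # could never fit, even in an empty buffer
        while self.stored_bytes + len(data) > self.memory_bytes:
            if not self.wrap_when_full:
                self.state = "Full"  # capture ends; buffered data is kept
                return False
            # Wrap when Full: drop the oldest packet to make room
            self.stored_bytes -= len(self.packets.popleft())
        self.packets.append(data)
        self.stored_bytes += len(data)
        return True

    def stop(self):
        """Stop capturing; buffered packets remain (Table 4-2, Stop)."""
        self.state = "Stopped"

    def start(self):
        """Resume capturing into the same buffer (Table 4-2, Start)."""
        self.state = "Running"

    def clear(self):
        """Discard buffered packets (Table 4-2, Clear)."""
        self.packets.clear()
        self.stored_bytes = 0
        self.state = "Running"


def demo():
    """Three 1000-byte packets into a 500-byte session with a 200-byte slice,
    once without and once with Wrap when Full. Returns the two final states."""
    plain = MemorySession("CaptureA", memory_bytes=500, slice_size=200)
    wrap = MemorySession("CaptureB", memory_bytes=500, slice_size=200, wrap_when_full=True)
    for _ in range(3):
        plain.offer(b"\x00" * 1000)
        wrap.offer(b"\x00" * 1000)
    return (plain.state, len(plain.packets)), (wrap.state, len(wrap.packets))


if __name__ == "__main__":
    print(demo())
```

The non-wrapping session stores two sliced packets (400 bytes) and then reports Full; the wrapping session keeps running and always holds the two most recent packets, which is the trade-off the table describes between retaining history and continuous capture.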


Software Filters

You can create and save specialized filters that will disregard everything except the information you are interested in when you capture data (see Figure 4-2). Starting in NAM 5.1, you can configure multiple software filters for each session (up to six). This allows you to narrow in on the traffic that you are interested in, and it also saves resources (either memory or disk space).

If you create a session and then start it, you cannot edit the session without stopping it. If you edit a session containing already captured data, you will get a warning saying that the session will be cleared and the data removed. If you ignore the warning and add a filter to the session, and submit it, the new filter settings will be used.

The application filter can be used to filter on the highest layer of the protocol parsing; that is usually a layer 4 protocol (based on port). If you want to filter on the transport protocol (for example, UDP or TCP), you will need to use the "IP Protocol" selector. Selecting, for example, TCP in the "IP Protocol" selector will filter on all packets using TCP.

See these topics for help setting up and managing software filters:

Creating a Software Filter

Editing a Software Capture Filter

Creating a Software Filter

You can define a software filter to filter based on any of the following:

Source host address

Destination host address

Network encapsulation

VLAN or VLAN range

Application

Source port or port range

Destination port or port range

To create a software capture filter:


Step 1 Choose Capture > Packet Capture/Decode > Sessions. The Configure Capture Session dialog box is displayed.

Step 2 The bottom half of the window displays any configured Software Filters. Click the Create button at the bottom of the Software Filters area to create a new software filter.

The Software Filter Dialog (Figure 4-4) displays.

Figure 4-4 Software Filter Dialog

Step 3 Enter information in each of the fields as appropriate. See Table 4-5 for descriptions of the fields.

Table 4-5 Software Filter Dialog Box 

Field
Description
Usage Notes
Name

Enter a name of the new filter.

Source Address /
Mask

Source address of the packets.

For IP, IPIP4, GRE.IP, or GTP.IPv4 addresses, enter a valid IPv4 address in dotted-quad format n.n.n.n, where n is 0 to 255. The default (if blank) is 255.255.255.255.

For IPv6 or GTP.IPv6 addresses, enter a valid IPv6 address in any allowed IPv6 address format. For example:

1080::8:800:200C:417A

::FFF:129.144.52.38

Note See RFC 2373 for valid text representations.

For MAC address, enter hh hh hh hh hh hh, where each hh is a pair of hexadecimal digits (0 to 9, a to f). The default is ff ff ff ff ff ff.

The mask applied to the source address.

If a bit in the Source Mask is set to 1, the corresponding bit in the address is relevant.

If a bit in the Source Mask is set to 0, the corresponding bit in the address is ignored.

For IP, IPIP4, GRE.IP, or GTP.IPv4 addresses, enter a valid IPv4 address in dotted-quad format n.n.n.n, where n is 0 to 255. The default (if blank) is 255.255.255.255.

For IPv6 or GTP.IPv6 addresses, enter a valid IPv6 address in any allowed IPv6 address format. The default mask (if blank) for IPv6 addresses is ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Note See RFC 2373 for valid text representations.

For MAC address, enter hh hh hh hh hh hh, where each hh is a pair of hexadecimal digits (0 to 9, a to f). The default is ff ff ff ff ff ff.

Destination Address / Mask

Destination address of the packets.

For IP, IPIP4, GRE.IP, or GTP.IPv4 addresses, enter a valid IPv4 address in dotted-quad format n.n.n.n, where n is 0 to 255. The default (if blank) is 255.255.255.255.

For IPv6 or GTP.IPv6 addresses, enter a valid IPv6 address in any allowed IPv6 address format. For example:

1080::8:800:200C:417A

Note See RFC 2373 for valid text representations.

For MAC address, enter hh hh hh hh hh hh, where each hh is a pair of hexadecimal digits (0 to 9, a to f). The default is ff ff ff ff ff ff.

The mask applied to the destination address.

If a bit in the Dest. Mask is set to 1, the corresponding bit in the address is relevant.

If a bit in the Dest. Mask is set to 0, the corresponding bit in the address is ignored.

For IP, IPIP4, GRE.IP, or GTP.IPv4 addresses, enter a valid IPv4 address in dotted-quad format n.n.n.n, where n is 0 to 255. The default (if blank) is 255.255.255.255.

For IPv6 or GTP.IPv6 addresses, enter a valid IPv6 address in any allowed IPv6 address format. The default mask (if blank) for IPv6 addresses is ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Note See RFC 2373 for valid text representations.

For MAC address, enter hh hh hh hh hh hh, where each hh is a pair of hexadecimal digits (0 to 9, a to f). The default is ff ff ff ff ff ff.

Network Encapsulation

The protocol to match with the packet.

Choose the protocol from the drop-down list.

Choose MAC to use the source/destination MAC addresses of the packets.

Choose IP to use the source/destination IP addresses of the packets.

Choose IPIP4 for IP addresses including those tunneled over IP protocol 4.

Choose GRE.IP for IP addresses including those tunneled over GRE.

Choose IPv6 for addresses using IP version 6.

Choose GTP.IPv4 for the IPv4 addresses of packets tunneled over GTP.

Choose GTP.IPv6 for the IPv6 addresses of packets tunneled over GTP.

Both Directions (check box)

This check box indicates whether the filter is applied to traffic in both directions.

If the source is host A and the destination is host B, enabling both directions filters packets from A to B and B to A.

If the source is host A and the destination is not specified, enabling both directions filters packets both to and from host A.

The "both directions" check box also affects the ports and not only the addresses (the same logic applies).

VLAN Identifier(s)

The 12-bit field specifying the VLAN to which the packet belongs.

Choose a VLAN Range or enter from one to four individual VLAN IDs.

For better performance, use as narrow a range as possible. The VLAN ID can range from 1-4095.

Application (see note 1)

Select the Application radio button to filter by application.

Choose one or more protocols to capture from the Application drop-down list.

Use Shift + Click to select multiple protocols.

Port

Select the Port radio button to filter by Port.

In the Source Port(s) field, enter one or more ports separated by commas.

In the Destination Port(s) field, enter one or more ports separated by commas.

From the IP Protocol pull-down menu, choose TCP, UDP, or SCTP. No selection (the default) means that any of them is allowed.

Note 1: The application filter can be used to filter on the highest layer of the protocol parsing; that is usually a layer 4 protocol (based on port). If you want to filter on the transport protocol (for example, UDP or TCP), you will need to use the "IP Protocol" selector. Selecting, for example, TCP in the "IP Protocol" selector will filter on all packets using TCP.



Note The parameters described in the table above are independently evaluated by the NAM. Therefore, the NAM will allow you to enter parameters that are contradictory, but you will not be able to get meaningful results if they do not match.

For example, the parameters Network Encapsulation and Source/Destination Address are independently evaluated. If a filter is specified with contradicting parameters such as "Network Encapsulation=IP4" and "Source Address=an IPv6 address", it will never match any traffic, and the result will be 0 packets captured.


Step 4 Click the Submit button to create the filter, or click Cancel to close the dialog box without creating a software filter.
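Table 4-5 and the note above define the matching semantics of a software filter: every configured field must match (AND), a blank field matches anything, only the mask bits set to 1 are compared, "Both Directions" swaps addresses and ports alike, and an address that is not valid for the chosen Network Encapsulation can never match. The following model is an added example, not NAM code; the Packet and SoftwareFilter classes, the sample packets and the helper names are invented here, the tunnel encapsulations (IPIP4, GRE.IP, GTP.*) are left out, and a session is taken to capture a packet if it passes at least one of the session's filters, as the Sessions section states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# Default masks from Table 4-5: a blank mask means every bit is relevant
DEFAULT_MASK = {
    "IP": "255.255.255.255",
    "IPv6": "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
    "MAC": "ff ff ff ff ff ff",
}


def parse_addr(encap, text):
    """Address text -> int in the family implied by Network Encapsulation,
    or None when the text is not a valid address of that family."""
    if text is None:
        return None
    try:
        if encap == "IP":
            return int(ipaddress.IPv4Address(text))
        if encap == "IPv6":
            return int(ipaddress.IPv6Address(text))
        if encap == "MAC":                 # guide format: hh hh hh hh hh hh
            octets = text.split()
            if len(octets) != 6 or any(len(o) != 2 for o in octets):
                return None
            return int("".join(octets), 16)
    except ValueError:
        return None
    return None


@dataclass
class Packet:
    """Constructed, simplified view of one captured frame (hypothetical)."""
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    vlan: Optional[int] = None
    ip_proto: Optional[str] = None     # "TCP", "UDP" or "SCTP"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class SoftwareFilter:
    """One software filter; a blank field (None or empty) matches anything."""
    encap: str = "IP"                  # MAC, IP or IPv6
    src_addr: Optional[str] = None
    src_mask: Optional[str] = None
    dst_addr: Optional[str] = None
    dst_mask: Optional[str] = None
    both_directions: bool = False
    vlans: Sequence[int] = ()          # individual IDs, or range(lo, hi + 1)
    ip_proto: Optional[str] = None
    src_ports: Sequence[int] = ()
    dst_ports: Sequence[int] = ()


def is_satisfiable(f):
    """False when an address or mask is not valid for the chosen encapsulation:
    the contradiction the guide warns about, which yields 0 packets captured."""
    return all(text is None or parse_addr(f.encap, text) is not None
               for text in (f.src_addr, f.src_mask, f.dst_addr, f.dst_mask))


def _addr_match(encap, want, mask, have):
    if want is None:
        return True                    # blank address field: any address passes
    w = parse_addr(encap, want)
    m = parse_addr(encap, mask or DEFAULT_MASK[encap])
    h = parse_addr(encap, have)
    if w is None or m is None or h is None:
        return False                   # contradictory filter: never matches
    return (w & m) == (h & m)          # only mask bits set to 1 are compared


def _one_direction(f, src, dst, sport, dport):
    return (_addr_match(f.encap, f.src_addr, f.src_mask, src)
            and _addr_match(f.encap, f.dst_addr, f.dst_mask, dst)
            and (not f.src_ports or sport in f.src_ports)
            and (not f.dst_ports or dport in f.dst_ports))


def matches(f, p):
    """Every configured field must match (AND across fields)."""
    src, dst = (p.src_mac, p.dst_mac) if f.encap == "MAC" else (p.src_ip, p.dst_ip)
    if parse_addr(f.encap, src) is None:   # packet is not of the filter's family
        return False
    if f.vlans and p.vlan not in f.vlans:
        return False
    if f.ip_proto and p.ip_proto != f.ip_proto:
        return False
    if _one_direction(f, src, dst, p.sport, p.dport):
        return True
    # Both Directions swaps the addresses *and* the ports, as Table 4-5 notes
    return f.both_directions and _one_direction(f, dst, src, p.dport, p.sport)


def passes_session(filters, p):
    """No filters configured: capture everything. Otherwise the packet must
    pass at least one of the session's software filters (OR across filters)."""
    return not filters or any(matches(f, p) for f in filters)
```

A useful habit before submitting a filter is to run the equivalent of is_satisfiable on it: the NAM accepts "Network Encapsulation=IP" together with an IPv6 source address, and the only symptom is a session that stays at 0 packets.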


Editing a Software Capture Filter

To edit software capture filters:


Step 1 Choose Capture > Packet Capture/Decode > Sessions.

The Software Filters box is displayed at the bottom of the page.

Step 2 Choose the filter to edit, then click Edit.

The Software Filter dialog box (see Table 4-5) is displayed.

Step 3 Enter information in each of the fields as appropriate.

Step 4 Do one of the following:

To apply the changes, click Submit.

To cancel the changes, click Cancel.


Hardware Filters

Hardware Filters enable you to improve capture performance by providing hardware-specific filters that eliminate as much extraneous traffic as possible. The packets filtered out by hardware filters are not processed by the NAM, and therefore capture performance improves.

Software filters add flexibility to your filtering, but a capture session is most efficient when you use only hardware filters. The less traffic requiring software filtering, the more efficient the filtering.

Configuring a Hardware Filter

The Hardware Filters window appears at the bottom of the Capture > Packet Capture/Decode > Sessions window. To configure a hardware filter:


Step 1 Choose Capture > Packet Capture/Decode > Sessions.

Step 2 At the bottom of the window, in the Hardware Filters section, click the Create button.

Step 3 Enter a name in the Name field.

Step 4 Choose one of the following types of filters from the Type drop-down list:

VLAN

VLAN and IP

IP

IP and TCP/UDP

IP and Payload Data

Payload Data

The list is also shown in Figure 4-5.

Figure 4-5 Hardware Filter Type

Step 5 Data fields will then appear that correspond with the type of hardware filter you selected. Fill in the desired fields. See the following sections for more specific information.

Step 6 Click Submit to complete the configuration of the capture session. Otherwise, click Reset to revert to the previous settings, or click Cancel to abort.


VLAN

To configure a VLAN hardware filter:


Step 1 Enter a Filter Name.

Step 2 From the Type drop-down menu, choose VLAN.

Step 3 Choose either the Range or Individuals radio button. For Range, enter a range of VLANs. For Individuals, enter up to four individual VLANs.

Step 4 Click the Submit button.


VLAN and IP

To configure a VLAN and IP hardware filter:


Step 1 Enter a Filter Name.

Step 2 From the Type drop-down menu, choose VLAN and IP.

Step 3 Enter the ID of the desired VLAN. The VLAN ID can range from 1-4095.

Step 4 Enter a Source Address / Mask (optional).

Step 5 Enter a Destination Address / Mask (optional).

Step 6 Choose a Layer 4 Protocol (optional).

Step 7 Click Submit.


IP

To configure an IP hardware filter:


Step 1 Enter a Filter Name.

Step 2 From the Type drop-down menu, choose IP.

Step 3 Enter a Source Address / Mask (optional).

Step 4 Enter a Destination Address / Mask (optional).

Step 5 Choose a Layer 4 IP Protocol (optional).

Step 6 Click Submit.


IP and TCP/UDP

To configure an IP and TCP/UDP hardware filter:


Step 1 Enter a Filter Name.

Step 2 From the Type drop-down menu, choose IP and TCP/UDP.

Step 3 Enter a Source Address / Mask (optional).

Step 4 Enter a Destination Address / Mask (optional).

Step 5 Choose an IP Protocol, either TCP or UDP.

Step 6 Enter a TCP/UDP Source Port (optional).

Step 7 Enter a TCP/UDP Destination Port (optional).

Step 8 Click Submit.


IP and Payload Data

To configure an IP and Payload Data hardware filter:


Step 1 Enter a Filter Name.

Step 2 From the Type drop-down menu, choose IP and Payload Data.

Step 3 Enter a Source Address / Mask (optional).

Step 4 Enter a Destination Address / Mask (optional).

Step 5 Choose an IP Protocol, either TCP or UDP.

Step 6 Enter the values for Payload Data:

Enter an Offset from 1-1023. The offset is relative to the beginning of the payload (Layer 5).

Enter a Value of up to four bytes (eight hex characters).

Enter a Mask of up to four bytes (eight hex characters).

Step 7 Repeat Step 6 for up to four payload data segments.


Note Only one payload segment (one row) is required. Be careful not to create overlapping payload segments. If overlapping segments have different values the filter will never match anything due to the inherent AND logic.


Step 8 Click Submit.


Payload Data

To configure a Payload Data hardware filter:


Step 1 Enter a Filter Name.

Step 2 From the Type drop-down menu, choose Payload Data.

Step 3 Choose an IP Protocol, either TCP or UDP.

Step 4 Enter the values for Payload Data:

Enter an Offset from 1-1023. The offset is relative to the beginning of the payload (Layer 5).

Enter a Value of up to four bytes (eight hex characters).

Enter a Mask of up to four bytes (eight hex characters).

Step 5 Repeat Step 4 for up to four payload data segments.


Note Only one payload segment (one row) is required. Be careful not to create overlapping payload segments. If overlapping segments have different values the filter will never match anything due to the inherent AND logic.


Step 6 Click Submit.
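The Payload Data rows in the IP and Payload Data and Payload Data hardware filters (Offset 1-1023 into the Layer 5 payload, a Value and a Mask of up to four bytes, up to four rows combined with AND) are easy to get wrong in exactly the way the note warns about: two overlapping rows that demand different bytes produce a filter that never matches. The following model is an added example, not NAM code; the PayloadSegment class, the helper names and the sample HTTP payload are invented here, and it assumes that Offset 1 denotes the first payload byte. It also includes the check a practitioner wants before submitting: a mask-aware test for conflicting overlaps, which the guide describes in prose only.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PayloadSegment:
    """One Payload Data row: Offset (1-1023 from the first Layer 5 byte; offset 1
    is assumed to be the first byte), Value and Mask of up to four bytes given
    as hex characters. Hypothetical class, not the NAM implementation."""
    offset: int
    value: str
    mask: Optional[str] = None                 # blank mask: all value bits relevant
    value_bytes: bytes = field(init=False, repr=False)
    mask_bytes: bytes = field(init=False, repr=False)

    def __post_init__(self):
        if not 1 <= self.offset <= 1023:
            raise ValueError("Offset must be between 1 and 1023")
        self.value_bytes = bytes.fromhex(self.value)
        if not 1 <= len(self.value_bytes) <= 4:
            raise ValueError("Value is one to four bytes (up to eight hex characters)")
        self.mask_bytes = (bytes.fromhex(self.mask) if self.mask
                           else b"\xff" * len(self.value_bytes))
        if len(self.mask_bytes) != len(self.value_bytes):
            raise ValueError("Mask must be as wide as Value")

    @property
    def end(self) -> int:
        """First offset after this segment."""
        return self.offset + len(self.value_bytes)


def segment_matches(seg: PayloadSegment, payload: bytes) -> bool:
    """Compare the masked payload bytes at seg.offset with the masked Value."""
    start = seg.offset - 1
    window = payload[start:start + len(seg.value_bytes)]
    if len(window) < len(seg.value_bytes):
        return False                           # payload too short for this segment
    return all((w & m) == (v & m)
               for w, v, m in zip(window, seg.value_bytes, seg.mask_bytes))


def payload_filter_matches(segments: List[PayloadSegment], payload: bytes) -> bool:
    """Hardware Payload Data filter: every segment (one to four) must match."""
    if not 1 <= len(segments) <= 4:
        raise ValueError("one to four payload segments are allowed")
    return all(segment_matches(s, payload) for s in segments)


def conflicting_segments(segments: List[PayloadSegment]) -> List[Tuple[int, int]]:
    """Index pairs of overlapping segments that disagree on a byte that both
    masks consider relevant. Any such pair makes the AND filter unmatchable."""
    bad = []
    for i, a in enumerate(segments):
        for j in range(i + 1, len(segments)):
            b = segments[j]
            for pos in range(max(a.offset, b.offset), min(a.end, b.end)):
                ia, ib = pos - a.offset, pos - b.offset
                m = a.mask_bytes[ia] & b.mask_bytes[ib]
                if (a.value_bytes[ia] & m) != (b.value_bytes[ib] & m):
                    bad.append((i, j))
                    break
    return bad


# Constructed sample payload: the Layer 5 bytes of one TCP segment
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    get = PayloadSegment(1, "47455420")            # "GET " at the start of the payload
    http = PayloadSegment(7, "48545450")           # "HTTP" six bytes later
    put = PayloadSegment(3, "50555420")            # "PUT " overlapping the first row
    print(payload_filter_matches([get, http], HTTP_GET))   # rows agree: matches
    print(conflicting_segments([get, put]))               # [(0, 1)]: never matches
```

The mask is what makes the conflict check subtle: two rows may overlap with different Values and still be consistent if the disagreeing bits are masked out in either row (the test below pairs a case-insensitive "GET " row with a literal "get " row), so the check compares only bits that both masks keep.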


Files

Use the Files option to decode, download, rename, convert/merge, delete, analyze, or error-scan saved capture files. See the section Sessions and Table 4-2 for information about how to save capture sessions to files. You can download files in either .enc or .pcap file formats. See Preferences, page 5-13, for information about setting the download file format.


Caution If you have capture files with a state of Full and the NAM is rebooted, the capture will be triggered again and these files may be overwritten by the new capture. If you want to retain the file, save the file before rebooting.

Choose Capture > Packet Capture/Decode > Files to display the Capture Files window. The Capture Files window shows the following information:

Name:

Size:

Date:

State:

Location:

If you are using a Cisco 2200 Series appliance, the NAM creates an xxx.pcap file as soon as you click the Download button, regardless of whether you then accept the download action or cancel it. This is why one capture on an appliance can have an extra file compared with a capture from another NAM platform.

Table 4-6 Buttons in the Capture Files Operations Window 

Operation
Description
Decode

Display the packets in a file.

Download

Download a file to your computer in .enc or .pcap file format.


Note Do not add a file suffix when you provide the filename. The suffix .pcap is added automatically.



Note The .capture to .pcap conversion occurs when you download a capture file. You will need to delete the .pcap file manually afterwards.


Rename

Give the file a new name. A dialog box displays and asks you to enter the new name for the selected capture file.

Merge or Convert/Merge

Merge the packets of the selected files (in chronological order). A dialog box displays and asks you to enter a name for the merged capture file. Enter a name and choose OK.


Note Merged files cannot exceed 2 GB.


On the Cisco NAM 2200 Series appliances, this button is called "Convert/Merge." It can also be used to convert a single .capture file to a .pcap file so that the Error Scan and Analyze functions can be performed on the converted file. Analyze and Error Scan cannot be performed directly on a .capture file, a format that appears only on the appliances.

Delete

Delete files.

Analyze

View statistical analysis of the selected capture. See Analyzing Capture Files.

Errors Scan

View more information about the file (Packet ID, Protocol, Severity, Group, and Description). From here you can also decode the packet. For more information see Error Scan.



Note Capture files on the NAM 2200 Series appliances are stored in native NAM format. You can convert the capture file format to .pcap using the Convert/Rename/Merge button on the Capture > Packet Capture/Decode > Files window.


Analyzing Capture Files

The Capture Files window (Capture > Packet Capture/Decode > Files) enables you to obtain various statistics including traffic rate (bytes/second) over a capture period, lists of hosts, conversations, and applications associated with network traffic.

This window also enables you to drill down for a more detailed look at a particular set of network traffic. The pane above the Traffic over Time graph displays the time shown in the graph in the From: and To: fields. It also provides fields for Protocol and Host/subnet, and a Drill-Down button.


Note After clicking the Drill-Down button, the Host Statistics results table will display both source and destination hosts, if either the source or destination host of the traffic belongs to the Host/Subnet that you had specified.


Each slice in the Traffic over Time graph displays the amount of traffic for the amount of time set in the Granularity of the capture file.

You can view more detail about a specific time frame by entering the time in the From: and To: fields and choosing Drill-Down. You can also drill down on a specific Protocol or Host/subnet address.

Table 4-7 describes the different areas of the capture analysis window.

Table 4-7 Capture Analysis Window Fields 

Field
Description
Capture Overview

Provides a summary of the displayed capture including number of packets captured, bytes captured, average packet size, capture start time, duration of capture, and data transfer rate (both bytes and bits per second)

Traffic over Time

Displays a graphic image of network traffic (KB/second)

Protocol Statistics

Displays packets and bytes transferred for each protocol

Hosts Statistics

Displays packets and bytes transferred for each host address


Error Scan


Note This feature is available for .pcap files, but not for .capture files.


The Capture Errors and Warnings Information window shows warnings, errors, and packet irregularities. From here, you can launch the Packet Decode window, where you can drill down to packet details (select a row in the table and click the Decode Packet button).

To get to the Capture Errors and Warnings Information window, choose Capture > Packet Capture/Decode > Files. Highlight a file and click the Errors scan button.

The Error Scan window is shown in Figure 4-6.

Figure 4-6 Error Scan

The fields are described in Table 4-8.

Table 4-8 Error Scan Window Descriptions 

Field
Description
Packet ID

ID of the packet in the capture file.

Protocol

Protocol the packet arrived on.

Severity

Warn: Warning; for example, an application returned an unusual error code

Error: A serious problem, such as malformed packets

Group

Checksum: A checksum was invalid

Sequence: Protocol sequence is problematic

Response Code: Problem with the application response code

Request Code: An application request

Undecoded: Dissector incomplete or data can't be decoded

Reassemble: Problems while reassembling

Malformed: Malformed packet or dissector has a bug; dissection of this packet aborted

Description

Description of the error or warning


Downloading Capture Files

You can only download one capture file at a time. To download a capture file to your computer:


Step 1 Choose Capture > Packet Capture/Decode > Files.

Step 2 Choose a capture file from the list of captures.

Step 3 Click Download.

A File Download dialog box displays and asks "Do you want to save this file?"

Figure 4-7 Download Capture File Dialog Box

Step 4 Click Save.

A Save As dialog box opens and provides a way for you to rename and save the file at a location of your choice.


Deleting a Capture File

To delete a capture file:


Step 1 Choose Capture > Packet Capture/Decode > Files.

Step 2 Click the check box to select a capture file from the list of captures, or select more than one if desired.

Step 3 Click Delete. A dialog box displays and asks "Delete the following file(s)?" and displays the file name.

Step 4 Click OK to delete the file(s) or Cancel to allow the file(s) to remain.


Deleting All Capture Files

To delete all capture files at once:


Step 1 Choose Capture > Packet Capture/Decode > Files.

Step 2 Check at least one check box to select a capture.

Step 3 Click the Delete All button to delete all captures. A dialog box displays and asks "Are you sure you want to delete all files?"

Step 4 Click OK to delete all the files or Cancel to allow them to remain.


Viewing Packet Decode Information

After some packets or files have been captured, you can use the Packet Decoder to view the packet contents.

The Packet Decoder window has four parts:

Packet Decoder operations

Packet browser pane

Protocol decode (see Viewing Detailed Protocol Decode Information)

Packet hexadecimal dump

To view packet decode information:


Step 1 Choose Capture > Packet Capture/Decode > Sessions, or Capture > Packet Capture/Decode > Files (depending on which type you would like to decode).

Step 2 Choose a capture session or file, and then click the Decode button. The Packet Decoder window displays. Table 4-9 describes the packet decoder operations on the NAM - Packet Decoder window.

Table 4-9 Packet Decoder Operations 

Button
Description
Stop

Stop packet loading

Prev

Load and decode the previous block of packets from the NAM

Next

Load and decode the next block of packets from the NAM

Go To

Load and decode a block of packets starting from the specified packet number.

Display Filter

Launch the Display Filter dialog. See Filtering Packets Displayed in the Packet Decoder.

TCP Stream

Follow the TCP stream of the selected TCP packet. This might take a long time depending on the traffic pattern.


Table 4-10 describes the columns displayed in the packet browser pane.

Table 4-10 Packet Browser 

Columns: Field, Description

Pkt: Packet numbers, listed numerically in capture sequence. If the decode (display) filter is active, the packet numbers might not be consecutive.

Time: Time the packet was captured relative to the first packet displayed (not the first packet in the session). To see the absolute time, see the Detail window.

Size: Size of the packet, in bytes.

Source: Packet source, which might be displayed as hostname, IP, IPX, or MAC address. To turn hostname resolution on and off for IP addresses, choose the Setup tab and change this setting under Preferences.

Destination: Packet destination, which might be displayed as hostname, IP, IPX, or MAC address.

Protocol: Top-level protocol of the packet.

Info: Brief text information about the packet contents.



Browsing Packets in the Packet Decoder

You can use the packet browser to browse the list of captured packets and do the following:

Filter by protocol, IP address, MAC address, and custom display filter.

Use the Next, Previous, and Go To buttons to load packets from the capture session.


Note The capture must be paused or stopped for you to use these features.


Filtering Packets Displayed in the Packet Decoder

To filter packets displayed in the packet decoder:


Step 1 From the Packet Decoder window, click the Display Filter button. The Packet Decoder - Display Filter Window displays.

Step 2 Do the following:

Choose a Filter Mode:

Inclusive displays packets that match the condition(s).

Exclusive displays packets that do not match the condition(s).

Choose an Address Filter:

IP Address filters on IP address.

MAC Address filters on MAC address.

Source allows you to specify the source address, or leave it blank if not applicable.

Destination allows you to specify the destination address, or leave it blank if not applicable.

Both Directions allows you to match packets travelling in both directions.

Define a Protocol Filter.

Click Match any to display packets that match any of the protocols or fields

or

Click Match all to display packets that match all of the protocols or fields.

Choose a protocol from the Protocols list.


Note You can enter the first few letters of the protocol name to go directly to the protocol. If you make a typo, press ESC or SPACE to reset.


Choose a protocol field from the Fields list, then specify the field value if applicable.

Choose a Custom Filter. See Custom Display Filters for how to set up a custom display filter.

Step 3 Click OK to apply the filter and close the window.

Click Submit to apply the filter and keep the window open.

Click Clear Filter to clear all of the fields.

Click Cancel to close the window without any action.


Viewing Detailed Protocol Decode Information

To view detailed protocol information:


Step 1 Highlight the packet number about which you want more information.

Detailed information about that packet is displayed in the Protocol Decode and hexadecimal dump panes at the bottom of the window.


Note If you highlight the details in the Protocol Decode pane, the corresponding bytes are highlighted in the hexadecimal dump pane below it.


Step 2 To review the information, use the scrolling bar in the lower panes.


Note When you decode SCCP traffic, the NAM lists the protocol as skinny, not SCCP.



Tip Protocols are color coded both in the Packet Browser and the Protocol Decode pane.

Choose the protocol name in the Protocol Decode pane to collapse and expand protocol information.

To adjust the size of any of the panes, click and drag the pane frame up or down.


Using Alarm-Triggered Captures

You can configure multiple alarm-triggered captures that are started and stopped automatically by alarm events you define. To set up an alarm-triggered capture:


Step 1 Create an alarm event from the Setup > Alarms > Alarm Events window.

Configure an Alarm Event for the type of event for which you want to capture data. See Alarm Action Configuration, page 2-41, for more information.

Step 2 Set a threshold for the event from the Setup > Alarms > Alarm Thresholds window.

Configure the threshold of parameters of interest in the associated Alarm Event. See Thresholds, page 2-42, for more information.

Step 3 Set up a capture session from the Capture > Packet Capture/Decode > Sessions window. Click Create.

Choose the Start Event and/or the Stop Event for the associated Alarm Event. See Configuring Capture Sessions, for more information.


Custom Display Filters

Use custom display filters to create and save customized filters to use in the Decode window to limit which packets are to be displayed.

See these topics for help setting up and managing custom display filters:

Creating Custom Display Filters

Editing Custom Display Filters

Deleting Custom Display Filters

Creating Custom Display Filters

To create custom display filters:


Step 1 Choose Capture > Packet Capture/Decode > Sessions.

The Hardware Filters box is displayed at the bottom of the page.

Step 2 Click Create. The Custom Decode Filter Dialog Box, Table 4-11, displays.

Step 3 Enter information in each of the fields as appropriate.

Table 4-11 Custom Decode Filter Dialog Box 

Filter Name
Description: The name of the capture filter.
Usage Notes: Enter the name of the filter to be created.

Description
Description: The description of the capture filter.
Usage Notes: Enter a description of the filter.

Protocol
Description: The protocol to match with the packet.
Usage Notes: Choose a protocol from the list. (Select All to match all packets regardless of protocol.)

Address (MAC or IP)
Description: Indicates whether to filter by MAC or IP address.
Usage Notes: Choose MAC to filter using the source/destination MAC address of the packets. Choose IP to filter using the source/destination IP addresses of the packets.

Both Directions
Description: Indicates whether the filter is applied to traffic in both directions.
Usage Notes: If the source is host A and the destination is host B, enabling both directions filters packets from A to B and from B to A. If the source is host A and the destination is not specified, enabling both directions filters packets both to and from host A.

Offset
Description: The offset (in bytes) from the Base where packet data-matching begins.
Usage Notes: Enter a decimal number.

Base
Description: The base from which the offset is calculated.
Usage Notes: Choose absolute or a protocol. If you select absolute, the offset is calculated from the absolute beginning of the packet (for example, the beginning of the Ethernet frame). If you select a protocol, the offset is calculated from the beginning of the protocol portion of the packet. If the packet does not contain the protocol, the packet fails this match.

Data Pattern
Description: The data to be matched with the packet.
Usage Notes: Enter hh hh hh ..., where each hh is a pair of hexadecimal digits (0-9 or a-f). Leave blank if not applicable.

Filter Expression
Description: An advanced feature to set up complex filter conditions.
Usage Notes: The simplest filter allows you to check for the existence of a protocol or field. For example, to see all packets that contain the IPX protocol, you can use the simple filter expression ipx. See Tips for Creating Custom Decode Filter Expressions.


Step 4 Do one of the following:

To create the filter, click Submit.

To cancel filter creation, click Cancel.


Tips for Creating Custom Decode Filter Expressions

You can construct custom decode filter expressions using the logical and comparison operators listed in Table 4-12.

Table 4-12 Logical and Comparison Operators

Columns: Operator, Meaning

and: Logical AND
or: Logical OR
xor: Logical XOR
not: Logical NOT
==: Equal
!=: Not equal
>: Greater than


You can also group subexpressions within parentheses. You can use the following fields in filter expressions:

eth.addr, eth.src, eth.dst
Filter By: MAC address
Format: hh:hh:hh:hh:hh:hh, where h is a hexadecimal digit from 0 to 9 or a to f.

ip.addr, ip.src, ip.dst
Filter By: IP address
Format: n.n.n.n or n.n.n.n/s, where n is a number from 0 to 255 and s is a prefix length from 0 to 32.

tcp.port, tcp.srcport, tcp.dstport
Filter By: TCP port number
Format: A decimal number from 0 to 65535.

udp.port, udp.srcport, udp.dstport
Filter By: UDP port number
Format: A decimal number from 0 to 65535.

protocol
Filter By: Protocol
Format: Click the Protocol list in the Custom Decode Filter dialog box to see the list of protocols on which you can filter.

protocol [offset:length]
Filter By: Protocol data pattern
Format: hh:hh:hh:hh..., where hh is a hexadecimal number from 0 to 9 or a to f. offset and length are decimal numbers. offset starts at 0 and is relative to the beginning of the protocol portion of the packet.

frame.pkt_len
Filter By: Packet length
Format: A decimal number that represents the packet length, not the truncated capture packet length.


Examples of Custom Decode Filter Expressions

To match SNMP packets from 111.122.133.144, enter:

snmp and (ip.src == 111.122.133.144) 

To match IP packets from the 111.122 Class B network, enter:

ip.addr == 111.122.0.0/16 

To match TCP packets to and from port 80, enter:

tcp.port == 80 

The TOS value is stored in byte 1 (the second byte) in the IP header. To match the IP packet with the TOS value 16 (0x10), enter:

ip[1:1] == 10 

The TCP acknowledgement number is stored in bytes 8 through 11 in the TCP header. To match the TCP packet with acknowledgement number 12345678 (0xBC614E), enter:

tcp[8:4] == 00:BC:61:4E

Note You can use a filter expression with other fields in the Custom Decode Filter dialog box. In this case, the filter expression is ANDed with other conditions.
Invalid or conflicting filter expressions result in no packet match.
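As an added illustration (not code from the guide or from the NAM software), the following Python evaluates the protocol-relative data-pattern matches and field comparisons shown in the examples above, and the Offset/Base behaviour described in Table 4-11, against a constructed Ethernet/IPv4/TCP frame; the function names, the sample frame, and the restriction to IPv4 with TCP or UDP are assumptions. It also shows why a packet that does not contain the named protocol fails the match.

```python
import ipaddress
import struct

def build_frame():
    # Constructed sample frame (not from the guide): Ethernet II + IPv4 + TCP, 54 bytes.
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    # IPv4: ver/IHL, TOS=0x10, total len, id, flags/frag, TTL, proto=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 40, 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address("111.122.133.144").packed,
                     ipaddress.IPv4Address("10.0.0.5").packed)
    # TCP: src port, dst port=80, seq, ack=12345678 (0xBC614E), offset, flags, win, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 12345678, 0x50, 0x10, 8192, 0, 0)
    return eth + ip + tcp

def protocol_offsets(frame):
    """Start offset of each protocol portion: the 'protocol' Base of Table 4-11."""
    offs = {"eth": 0}
    if frame[12:14] == b"\x08\x00":              # EtherType IPv4
        offs["ip"] = 14
        l4 = 14 + (frame[14] & 0x0F) * 4         # IHL = IPv4 header length
        if frame[23] in (6, 17):                 # IPv4 protocol field: TCP or UDP
            offs["tcp" if frame[23] == 6 else "udp"] = l4
    return offs

def match_slice(frame, proto, offset, length, pattern):
    """proto[offset:length] == hh:hh:...; a packet lacking proto fails the match."""
    offs = protocol_offsets(frame)
    if proto not in offs:
        return False
    want = bytes.fromhex(pattern.replace(":", ""))
    return len(want) == length and frame[offs[proto] + offset:][:length] == want

def field_value(frame, name):
    """Resolve ip.addr/src/dst and tcp/udp port fields; None if the protocol is absent."""
    proto, _, attr = name.partition(".")
    base = protocol_offsets(frame).get(proto)
    if base is None:
        return None
    if proto == "ip":                            # ip.addr matches src or dst
        picks = {"src": [12], "dst": [16]}.get(attr, [12, 16])
        return [ipaddress.IPv4Address(frame[base + i:base + i + 4]) for i in picks]
    picks = {"srcport": [0], "dstport": [2]}.get(attr, [0, 2])
    return [struct.unpack("!H", frame[base + i:base + i + 2])[0] for i in picks]

def equals(frame, name, value):
    """name == value; an IP value may carry a /prefix, e.g. 111.122.0.0/16."""
    vals = field_value(frame, name) or []
    if name.startswith("ip."):
        return any(v in ipaddress.ip_network(value, strict=False) for v in vals)
    return any(v == int(value) for v in vals)
```

With the sample frame, match_slice(frame, "ip", 1, 1, "10") and match_slice(frame, "tcp", 8, 4, "00:BC:61:4E") are true, while any udp[...] pattern is false because the frame carries no UDP header.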


Editing Custom Display Filters

To edit custom display filters:


Step 1 Choose Capture > Packet Capture/Decode > Display Filters.

Step 2 Choose the filter to edit, then click Edit.

Step 3 Change the information in each of the fields as appropriate.

Step 4 Do one of the following:

To apply the changes, click Submit.

To clear the page of your changes, click Reset.

To exit the page without applying the changes, click Cancel.


Deleting Custom Display Filters

To delete custom display filters:


Step 1 Choose Capture > Packet Capture/Decode > Display Filters.

Step 2 Choose the filter to delete, then click Delete.

Step 3 In the confirmation dialog box, do one of the following:

To delete the filter, click OK.

To cancel, click Cancel.