Creating and Managing Capture Sessions
You can use capture sessions to capture, filter, and decode packet data, manage the data in a local or remote storage, and display the contents of the packets. The captured packets can be decoded and analyzed using Prime NAM for more efficient problem isolation.
This section contains the following topics:
Configuring Capture Sessions
It is important for you to collect data over time and have various locations for which you want to analyze data, we support multiple sessions per capture location/target. You can collect data using multiple sessions per target, but only one session runs per hard disk target. Concurrent capture sessions can run if capture to buffers or different hard disk based targets. This limitation is mainly to avoid disk fragmentation and better performance. Capture decode filters can be used to view or separate different subset of packets to different files. Prime NAM now supports up to 25 capture sessions. If you have external storage you can save to local disk and some number of LUNs. As part of configuring a capture session, you can also create software filters, if desired (see Creating a Software Capture Filter for a Capture Session).
To configure a new capture session:
Step 1 Choose
Capture
>
Packet/Capture Decode > Sessions
.
Step 2 Click
Create
to set up a new capture. The NAM displays the Configure Capture Session window.
Step 3 Enter information in the Capture Settings Fields (
Table D-61
) as appropriate.
When capturing to multiple files, a suffix is added to the file name. For example, the first file for a capture named
CaptureA
would be labeled as
CaptureA_1
the second
CaptureA_2
, and so on.
Step 4 Click
Submit
to finish configuration for this session, or configure Software Filters for this session (see Understanding Global Capture Settings).
Configuring Software Filters
You can create and save specialized filters that will disregard all capture data except the information in which you are interested (see Figure 4-6). You can configure multiple software filters for each session (up to six). This allows you to narrow in on the traffic that you are interested in, and it also saves resources (either memory or disk space).
Use the following topics for help on filtering network traffic using software filters:
Creating a Software Capture Filter for a Capture Session
You can create software capture filter for many variables. This workflow examines how to create a capture session with a software filter.
To create a software capture filter:
Step 1 Choose
Capture > Packet Capture/Decode > Sessions
.
Step 2 Click
Create
to create a new capture session.
If you already have a capture session to which you want to add a software filter, see Editing a Software Capture Filter for detailed instructions.
Step 3 Click
Create
in
Software Filters
section.
Step 4 Enter information in each of the fields as appropriate. See
Table D-67
for descriptions of the fields.
Step 5 Click
Submit
to create the filter, or click
Cancel
to close the dialog box without creating a software filter.
Note In the case of IP tunneling, such as IP in IP, the address will be matched against the innermost IP address in the package.
Editing a Software Capture Filter
To edit software capture filters:
Step 1 Choose
Capture > Packet Capture/Decode
>
Sessions
.
Step 2 Choose the session to edit, then click
Edit
.
The Software Filter dialog box displays. See
Table D-67
.
Step 3 Choose the
Software Filters
, then click
Edit
.
Step 4 Enter information in each of the fields as appropriate.
Step 5 Do one of the following:
-
To apply the changes, click
Submit
.
-
To cancel the changes, click
Cancel
.
Important Notes about Software Capture Filters
This section contains important software capture filters details that may be helpful to know.
-
Multiple software filters use the “OR” logic; in other words, if a packet passes any software filter, it is captured.
-
If you create a session and then start it, you cannot edit the session or analyze it without stopping it. If you edit a session containing already captured data, you get a warning stating that the session will be cleared and the data removed. If clearing the session and removing the data is acceptable, ignore the warning dialog message, then add a filter to the session and click
Submit
to enable the new filter settings.
-
The application filter can be used to filter on the highest layer of the protocol parsing; that is usually a layer 4 protocol (based on port). If you want to filter on the transport protocol (for example, UDP or TCP), you will need to use the IP Protocol selector. Selecting, for example, TCP in the “IP Protocol” selector will filter on all packets using TCP.
Tip Be careful when setting capture software filtering for encapsulation. If you set a software capture filter with encapsulation for the top three network traffic layers only, data displays only if the top three layers match the specified encapsulation type.
Understanding Software Capture Filter Options
You can define a software filter to filter based on any of the following options:
-
Source host address
-
Destination host address
-
Network encapsulation
-
VLAN or VLAN range
-
TCP Flag bits
-
Application
-
Source port or port range
-
Destination port or port range
-
IP Protocol
Note Software capture filtering is not supported on URL-based applications.
Table D-67
contains descriptions of the Software Filter dialog box fields.
Note The parameters described in the table above are independently evaluated by the NAM. Therefore, the NAM will allow you to enter parameters that are contradictory, but you will not be able to get meaningful results if they do not match.
For example, the parameters Network Encapsulation and Source/Destination Address are independently evaluated. If a filter is specified with contradicting parameters such as “Network Encapsulation=IP4” and “Source Address=an IPv6 address”, it will never match any traffic, and the result will be 0 packets captured.
Configuring Hardware Filters
You can use hardware filtering to help limit the amount of traffic allowed into the NAM for processing. In service modules, there is a hardware datapath throughput limitation and hardware filtering helps to reduce the traffic into the NAM. The NAM hardware platforms that support hardware filtering include:
-
Service Modules—NAM-3 and NAM-NX1
-
Specific NAM 2000 Series Appliance— 2420, 2440 and 2520.
Depending on your NAM, the hardware filter support varies. The following section describes:
Creating NAM Service Modules Hardware Filters
This section is applicable only for NAM-3 and NAM-NX1 service modules.
NAM-3 and NAM-NX1 service modules have specific hardware filter logic. These hardware filters allow you to improve capture performance by eliminating extraneous traffic, since packets excluded from capture processing.
Hardware filters and global packet slicing affect all capture sessions, except for ERSPAN capture sessions. See Figure 4-6, “NAM Capture Sessions Example” for an architectural overview.
NAM-3 and NAM-NX1 support up to four hardware filters. You can disable hardware filters without deleting them.
Within each filter, you can set up conditions with the AND/OR logic. Only the same logic type can be used within the same filter; you cannot mix the AND/OR logic within the same filter. Also, you can combine the filters together with the AND/OR logic. See Figure 4-2 for examples of filter logic you can use.
Figure 4-2 Hardware Filter Logic (AND/OR)
The selections are described in the following sections. For information about how you can achieve specific results, see Configuring Hardware Filter Examples.
Tip Software filters add flexibility to your filtering, but hardware filters are most efficient. The less traffic that requires software filtering, the more efficient the filtering.
See these topics for information about setting up and managing hardware filters:
Choose
Capture
>
Packet Capture/Decode > Sessions
to view the status and settings of hardware filters that are configured on the Cisco NAM. The Hardware Filters box appears at the bottom of the Sessions page.
Creating or Editing a NAM Services Modules Hardware Filter
The Hardware Filters window displays the status and settings of the hardware filters if they have been defined. To configure a capture with hardware filters:
Step 1 Choose
Capture > Packet Capture/Decode > Sessions
. The top half of the window shows Capture Sessions, and the bottom half of the window shows Hardware Filters.
Step 2 In the Hardware Filters section on the bottom of the window, click
Create
. The Hardware Filter Dialog appears.
Step 3 Enter a name for the hardware filter in the Name field. The name should be less than 40 characters and contain only supported characters.
Step 4 Check the
Enable
check box to enable the filter. If the filter is created with the Enable check box unchecked, the filter will be saved but inactive. It can be enabled at a later time by editing the filter and checking the
Enable
check box.
Step 5 Choose either the
AND
or the
OR
radio button. This selection will apply to all of the selections you make in the next step (the selections are described in
Table 4-4
).
Step 6 Check the boxes for the attributes you want to filter on, and then in the corresponding drop-down menu, select the desired option. The
Check All
check box selects all check boxes. See
Table D-65
.
Step 7 Click
Apply
to complete the configuration of the hardware filter.
Configuring Hardware Filter Settings
The Hardware Filter Settings allows you to set global settings for all capture hardware filters.
To add settings that apply to all hardware filters:
Step 1 Choose
Capture > Packet Capture/Decode > Sessions
.
Step 2 In the Hardware Filters section at the bottom, click
Hardware Filter Settings
.
Step 3 Choose the
AND
or
OR
Combination Logic, which will be applied to all configured hardware filters. This logic is used to combine the filters; see the green text in Figure 4-2.
Step 4 Choose the
Include in capture
or
Exclude from capture
Packet Match Logic. This selection will apply to all configured hardware filters.
Exclude from capture
will drop packets that match all of the hardware filters you have configured. Meanwhile, all packets that do not match will be captured.
Step 5 Click
Apply
.
Configuring Hardware Filter Examples
Use these topics to configure the following network traffic:
IP Subnet + L4 Port (L5 Application)
To capture all HTTP traffic emanating from the 10.1.1.0/24 subnet:
Step 1 On the Hardware Filters window, click
Create
.
Step 2 Enter a name in the Name field.
Step 3 Choose the Logic
AND
radio button (this will combine the selections you make below).
Step 4 Check the
Source IP Address
check box and enter the subnet “10.1.1.0/24”.
Step 5 Check the
L4 Source Port
check box and enter the port “80” for HTTP.
Step 6 Click
Apply
.
To see the opposite direction of the HTTP conversations:
Step 1 On the Hardware Filters window, click
Create
.
Step 2 Enter a name in the Name field.
Step 3 Choose the Logic
AND
radio button.
Step 4 Select
Destination IP Address
and enter the same subnet as before, 10.1.1.0/24
Step 5 Select
L4 Destination Port
and enter the same port, 80.
Step 6 Click
Apply
.
Step 7 To see the incoming and the outgoing, click
Hardware Filter Settings
and select the
OR
logic. This will combine the two hardware filters with the OR logic.
VLAN + L4 Protocol
To see all TCP traffic from VLAN 100:
Step 1 On the Hardware Filters window, click
Create
.
Step 2 Enter a name in the Name field.
Step 3 Choose the Logic
AND
radio button.
Step 4 Select
VLAN
and enter the VLAN, 100.
Step 5 Select
L4 Protocol
and choose TCP.
Step 6 Click
Apply
.
Multiple Hosts
To see traffic sent to and from multiple hosts: 1.1.1.1, 2.2.2.2, ...:
Step 1 On the Hardware Filters window, click
Create
.
Step 2 Enter a name in the Name field.
Step 3 Choose the Logic
OR
radio button.
Step 4 Check the
Source IP Address
check box and enter the first host: 1.1.1.1.
Step 5 Check the
Destination IP Address
and enter the same host: 1.1.1.1.
Step 6 Click
Apply
.
Step 7 Click
Create
to make a second hardware filter.
Step 8 Enter a name for the hardware filter in the Name field.
Step 9 Choose the Logic
OR
radio button.
Step 10 Check the
Source IP Address
check box and enter the second host, “2.2.2.2”.
Step 11 Check the
Destination IP Address
check box and enter the second host, “2.2.2.2”.
Step 12 Click
Apply
.
Step 13 Repeat Step 7 through Step 12 for a third and fourth host, if desired.
Step 14 Click
Hardware Filter Settings
and select the logic
OR
radio button.
VLAN Range
To see all traffic from VLANS 10 through 20:
Step 1 On the Hardware Filters window, click
Create
.
Step 2 Enter a name in the Name field.
Step 3 Check the check box for
VLAN IDs
and choose
Greater Than
from the drop-down menu.
Step 4 In the empty field, enter the bottom VLAN range boundary, “9.”
Step 5 Click
Apply
.
Step 6 Click
Create
to make a second filter.
Step 7 Enter a name in the Name field.
Step 8 Check the check box for
VLAN IDs
and choose
Less Than
from the drop-down menu.
Step 9 In the empty field, enter the bottom VLAN range boundary, “21.”
Step 10 Click
Apply
.
Step 11 Click
Hardware Filter Settings
and select the
AND
radio button, which will combine the logic of all hardware filters.
Data Port + Frame Length
To see all traffic spanned to DATA PORT 1 that is less than 200 bytes:
Step 1 On the Hardware Filters window, click
Create
.
Step 2 Enter a name in the Name field.
Step 3 Choose the Logic
AND
radio button.
Step 4 In the
Data Port
drop-down list, choose
DATA PORT 1
.
Step 5 Check the check box for
Frame Length
and choose
Less Than
from the drop-down menu.
Step 6 In the empty field, enter the frame length ceiling, “200.”
Step 7 Click
Apply
.
MPLS
To see traffic in which the first MPLS label is 300:
Step 1 On the Hardware Filters window, click
Create
.
Step 2 Enter a name in the Name field.
Step 3 Check the check box for
MPLS Label
.
Step 4 In the empty field, enter the label, “300.”
Step 5 Click
Apply
.
Bi-Direction Conversation
To see both directions of a conversation between hosts 1.1.1.1 and 2.2.2.2:
Step 1 On the Hardware Filters window, click
Create
.
Step 2 Enter a name in the Name field.
Step 3 Choose the Logic
AND
radio button.
Step 4 Click the
Source IP Address/Mask
check box, select
Equal To
from the drop-down menu, and enter the first host: “1.1.1.1”.
Step 5 Select the
Destination Address/Mask
check box, select
Equal To
from the drop-down menu, and enter the second host: “2.2.2.2.”
Step 6 Click
Apply
.
Step 7 Click
Create
to make a second hardware filter.
Step 8 Enter a name for the hardware filter in the Name field.
Step 9 Choose the Logic
AND
radio button.
Step 10 Click the
Source IP Address/Mask
check box, select
Equal To
from the drop-down menu, and enter the second host: 2.2.2.2.
Step 11 Select the
Destination Address/Mask
check box, select
Equal To
from the drop-down menu, and enter the first host: 1.1.1.1.
Step 12 Click
Apply
.
Step 13 Click
Hardware Filter Settings
and click
OR
.
Step 14 Click
Apply
.
Negative Filter Logic
In the previous example, you set up filters that match the packets. For negative filter logic, these now need to be blocked.
To see everything except the conversation from the previous example:
Step 1 On the Hardware Filters window, click
Hardware Filter Settings
.
Step 2 For Packet Match Logic, select the
Exclude from capture
radio button.
Step 3 Click
Apply
.
Go to the next section, Understanding Global Capture Settings, for information about configuring software filters for capture sessions.
Creating NAM Appliance Hardware Filters
This section describes how to create NAM appliance hardware filters.
The Hardware filters allow you to improve capture performance by eliminating extraneous traffic, since packets filtered out are excluded from capture processing.
Note The hardware filter applies to the NAM 2420, 2440 and 2520 appliance. The NAM does not support hardware filters.
Software filters add flexibility to your filtering, but a capture session is most efficient when you use hardware filters only. The less traffic requiring software filtering, the more efficient the filtering.
For the NAM appliances that support hardware filtering, you can set up to five hardware filters per appliance. When multiple hardware filters are created on the appliance, the logic among them are OR logic.
Hardware filters and global packet slicing affect all capture sessions, except for ERSPAN capture sessions.
All fields within a single filter are combined with AND logic. The filters are then combined with OR logic. See Figure 4-3 for examples of filter logic you can use.
Figure 4-3 Hardware Filter Logic (AND/OR)
See Configuring Supported NAM Appliance Hardware Filters for detailed steps.
Configuring Supported NAM Appliance Hardware Filters
The Hardware Filters window appears at the bottom of the
Capture > Packet Capture/Decode > Sessions
window. To configure a hardware filter:
Step 1 Choose
Capture > Packet Capture/Decode > Sessions
.
Step 2 Click
Create
.
Step 3 Enter a name in the Name field.
Step 4 Choose any or all of the following types of filters:
Note When you use the IP address fields in the hardware filters, tunneled packets will be filtered based on the outer IP address. The NAM will further inspect matching packets to analyze the contents within the tunnel. The NAM will always display the inner IP address in the packet list. See Understanding the NAM Packet Decoder for details.
Step 5 Data fields will then appear that correspond with the type of hardware filter you select. Fill in the desired fields.
Step 6 Click
Submit
to complete the configuration of the capture session.
IP and Payload Data
To configure an IP and Payload Data hardware filter:
Step 1 Enter a Filter Name and select your options.
Step 2 Enter a Source Address / Mask (optional).
Step 3 Enter a Destination Address / Mask (optional).
Step 4 Choose a Layer 4 Protocol, either TCP or UDP.
Step 5 Enter the values for Pattern Match:
-
Enter a Value of up to four bytes (eight hex characters).
-
Enter a Mask of up to four bytes (eight hex characters).
-
Enter an Offset from 1-1023. The offset is relative to the beginning of the payload (Layer 5).
Note Only one payload segment (one row) is required and provided. This is to guard against overlapping payload segments. If overlapping segments have different values the filter will never match anything due to the inherent AND logic.
Step 6 Click
Submit
.
Payload Data
To configure a Payload Data hardware filter:
Step 1 Enter a Filter Name.
Step 2 Choose a Layer 4 Protocol, either TCP or UDP.
Step 3 Enter the values for Payload Data:
-
Enter a Value of up to four bytes (eight hex characters).
-
Enter a Mask of up to four bytes (eight hex characters).
-
Enter an Offset from 1-1023. The offset is relative to the beginning of the payload (Layer 5).
Note Only one payload segment (one row) is required and provided. This is to guard against overlapping payload segments. If overlapping segments have different values the filter will never match anything due to the inherent AND logic.
Step 4 Click
Submit
.
Configuration Example
Figure 4-4 and Figure 4-5 shows configuration examples on how to calculate the offsite value and how to set mask to use the payload feature.
Figure 4-4 Configuration Example
Figure 4-5 Configuration Example (Continued)
Understanding Hardware and Software Capture Sessions Filters
You can filter specific traffic data and manage that information in local or remote storage. This increases your visibility into network issues and allows you to filter out unnecessary information. You can use either hardware or software filters to target specific packet data to receive.
As shown in Figure 4-6, if network packets coming into the NAM pass through the hardware filters you have configured, the packets go on to the next step. If no hardware filters are configured, all packets pass through.
Note Hardware filters are supported on specific Prime NAM platforms. See Configuring Hardware Filters for details.
Packets must then pass at least one software filter in that particular session to be saved by that session. If no software filters are configured for a session, then all packets are captured. For more information about software filters, see Configuring Software Filters.
For better performance for the supported NAM platforms, hardware filters are recommended over software filters, and fewer sessions are recommended over more sessions.
You do not have to configure the items in Figure 4-6 in any particular order. For example, you can set Global Capture Settings first, and then configure Capture Sessions, and then create filters; or, you can create Hardware and Software filters first, and then configure Capture Sessions, and finally apply Global Capture Settings. We recommend that you “Start” the session last; otherwise, you will start capturing before you have configured any filters and before doing any packet slicing.
Global Capture Settings and Hardware Filters can be changed at any time, even when the session is running; they will affect running capture sessions immediately. We recommend that you first stop your capture session to edit it since you may capture some unexpected packets during the filter change. See Understanding Global Capture Settings for details.
Figure 4-6 NAM Capture Sessions Example
Note For traffic that has encapsulation layer inside the packet, hardware filter will always run the filter based on its outer layer instead of the inner layer.
Take below ERSPAN encapsulation packet as an example:
-
If using IP based hardware filter to match the packet, you need to create a filter based on its outer ip (Src:10.79.46.31, Dst:7.1.1.2) which is showed before the ERSPAN header.
-
If you want to do a filter to match its inner IP address (Src: 20.10.150.7, Dst:20.10.10.3), but the Hardware Filter could not get it, you may use Capture Session’s Software Filter to get it.
In some cases, if you are not sure about which IP should be filtered, you can capture without hardware/software filter. You will have to first decode it and understand the packet layers to proceed.
Viewing Capture Sessions
To access the basic operations for capturing, viewing and decoding packet data on the NAM, choose
Capture > Packet Capture/Decode > Sessions
.
The Capture Sessions window shows the list of capture sessions. If none have been configured, the list will be blank.
Table D-60
describes the Capture Sessions fields and operations that you can perform from the Capture Sessions window.
Understanding Global Capture Settings
You can limit the size of the captured packets by using the Global Capture Settings to apply a custom packet slice and error settings for all capture sessions. This setting applies to NAM-3 and NAM-NX1 only. You can change these settings even when a filter is running since they affect the running sessions immediately.
To enable the Global Capture Settings, click Global Capture Settings in the
Capture > Packet Capture/Decode > Sessions
then click
Enable
and complete your selections.
To understand these settings see:
Global Packet Slicing
Global packet slicing affects all capture sessions, as opposed to the per-session Packet Slice Size parameter, and is performed in hardware. Use this feature to capture packets more efficiently when only the first N bytes are of interest to you. The capture buffer/file is smaller and the NAM is able to capture more packets per second.
The default setting for Global Packet Slicing is Disabled.
This setting overrides individual capture session software slicing settings if it is shorter. For example, if you have a capture session with the slicing field set to 100, but you also have Global Packet Slicing set to 56, then all packets will be sliced down to 56 bytes.
Hardware filters and global packet slicing affect all capture sessions, except for ERSPAN capture sessions.
In addition to global packet slicing you can set choose to allow error packets in the packet. For details on error packet settings, see Error Packets.
Error Packets
Error packets are packets that would normally be dropped by the network interface card, such as under size and over size packets, as well as packets with CRC errors. Error packets can be very helpful for troubleshooting the network.
If you want to customize how Prime NAM treats error packets use the following options:
-
Include in capture
(Default)—Includes packets with and without errors.
-
Exclude from capture
—Omits error packets. The packet capture only includes packets without errors.
-
Only error packets in capture
—Omits packets without errors. The packet capture includes only packets with errors. This option will save disk space but may not be as helpful since you may be unable to see the big picture view of all packet details.
This setting applies to all capture sessions on NAM-3 and NAM-NX1 only.
This setting is applied to all capture sessions. In addition to setting error packets, you can also enable global packet slicing. For details on global packet slicing settings, see Global Packet Slicing.
Working with Capture Files
To decode, download, rename, convert/merge, delete, analyze, or error-scan saved packet capture files use the Files option.
This section covers the following topics:
Analyzing Capture Files
The Capture Files window (click
Analyze
button at
Capture > Packet Capture/Decode > Files
) enables you to obtain various statistics including traffic rate (bytes/second) over a capture period and lists of hosts and protocols associated with network traffic.
This window also enables you to drill down for a more detailed look at a particular set of network traffic. The pane above the
Traffic over Time
graph displays the time shown in the graph in the
From:
and
To:
fields. It also provides fields for Protocol and Host/subnet, and a
Drill-Down
button.
Note After clicking the Drill-Down button, the Host Statistics results table will display both source and destination hosts, if either the source or destination host of the traffic belongs to the Host/Subnet that you had specified.
Each slice in the
Traffic over Time
graph displays the amount of traffic for the amount of time set in the Granularity of the capture file.
You can view more detail about a specific time frame by entering the time in the
From:
and
To:
fields and choosing
Drill-Down
. You can also drill down on a specific
Protocol
or
Host/subnet
address.
Table D-59
describes the different areas of the Capture Analysis window.
Drilling Down into Packet Error Details
You can further investigate, or drill down, into packet error details by viewing the decode packet data available on Prime NAM.
The Capture Errors and Warnings Information window shows warnings and errors, and packet irregularities. From here, you can launch the Packet Decode Window, where you can drill down to packet details.
To get to the Capture Errors and Warnings Information window, choose
Capture > Packet Capture/Decode > Files
. Highlight a file and click the
Errors Scan
button. The Error Scan window displays. The fields are described in
Table D-62
. Then select the packet details by selecting a row and clicking the
Decode
Packets
button.
Downloading Capture Files
You can only download one capture file at a time. To download a capture file to your computer:
Step 1 Choose
Capture
>
Packet Capture/Decode > Files
.
Step 2 Choose a capture file from the list of captures.
Step 3 Click
Download
.
Step 4 Click
Save
.
A
Save As
dialog box opens and provides a way for you to rename and save the file at a location of your choice.
Deleting a Capture File
To delete a capture file:
Step 1 Choose
Capture
> Packet Capture/Decode > Files
.
Step 2 Check the check box to select a capture file from the list of captures, or select more than one if desired.
Step 3 Click
Delete
. A dialog box displays and asks “
Are you sure you want to delete file(s)?
” and displays the file name.
Step 4 Click
OK
to delete the file(s) or
Cancel
to allow the file(s) to remain.
Deleting Multiple Capture Files
To delete all capture files at once:
Step 1 Choose
Capture
> Packet Capture/Decode > Files
.
Step 2 Check at least one check box to select a capture.
Step 3 Click
Delete All
to delete all captures.
A dialog box displays and asks “
Are you sure you want to delete all files?
”
Step 4 Click
OK
to delete all the files or
Cancel
to allow them to remain.
Understanding Capture Sessions
To understand how Prime NAM creates capture files with saved packet data, it is important to learn about how NAM handles capture session triggers.
This section contains the following topics:
Types of Capture Triggers
Packet capture sessions can be triggered on the Prime NAM in several ways:
-
Manually, by starting a capture using the Capture menu option or clicking the Start capture button.
-
Scheduled, by specifying a start date/time and maximum duration when you create or edit a capture session.
-
Alarmed, by creating an alarm with an associated trigger capture action that starts a particular capture session.
Resolving Session Conflicts
Prime NAM supports multiple capture sessions associated with the same capture storage location, but only one of these sessions can be running at any given time. Since there are several ways for such capture session to be started, it is possible for conflicts to arise among such capture sessions.
For example, suppose one capture session is started manually, but another capture session is scheduled to begin capturing while the first is still running. If these two sessions capture to the same storage location, there is a conflict. In this case, Prime NAM resolves the conflict by automatically stopping the manual session and allowing the scheduled session to begin.
In general, NAM resolves capture session conflicts by prioritizing them in the following (descending) order:
1. High-severity alarm triggered capture
2. Low-severity alarm triggered capture
3. Scheduled capture
4. Manual capture
If there are existing capture sessions already running on the same storage target, this means there is a conflicting alarm trigger. An alarm trigger is created when you configure an alarm threshold to start collecting packet data. Each alarm has a severity option.
Once a capture session is completed, you can manipulate the file. See
Manipulating Capture Files
This section provides an overview of the tasks you can complete with capture files. See
Table 4-2
.
For information about how to save capture sessions to files, see Creating and Managing Capture Sessions.
Caution If you have capture files with a state of
Full and the NAM is rebooted, the capture is triggered again and these files may be overwritten by the new capture. If you want to retain the file, save the file before you reboot.
Table 4-2 Actions You Can Complete with Capture Files
|
|
|
Display the packets in a file.
|
|
Download a file to your computer in
.pcap
file format.
Note Do not add a file suffix when you provide the filename. The suffix .pcap is added automatically.
|
|
Give the file a new name. A dialog box displays and asks you to enter the new name for the selected capture file.
|
|
Merges capture files that were captured simultaneously in chronological order.
Note Merged files cannot exceed 2,000 MB. This limit is set purposely since many tools can not handle the large size capture files.
|
|
Delete selected capture files.
|
|
View statistical analysis of the selected capture. See Analyzing Capture Files.
|
|
View more information about the file (Packed ID, Protocol, Severity, Group, and Description). From here you can also decode the packet. For more information see Drilling Down into Packet Error Details.
|
Utilizing Capture Data Storage
Cisco Prime Network Analysis Module platforms offer external storage connectivity for extended capture durations and higher capture bandwidths. All platforms support iSCSI data storage. Some platforms may support other forms of data storage, but this document covers only iSCSI data storage.
This section covers the following topics:
Figure 4-7 External Storage Setup
For instructions on installing and configuring external storage not covered here, see your platform-specific guides on Cisco.com or related documentation in the
Cisco NAM Documentation Overview
.
About Capturing to Data Storage
To avoid filling up the local server disk on the NAM, you can capture files to external storage. One of the benefits of using external storage is that it can provide larger capacities, higher read/write speeds, and can be moved from one Cisco NAM to another. The capture files are decoded in the same manner as the
Capture > Packet Capture/Decode > Files
page.
Using Prime NAM, you can perform internal and external storage management using
Capture > Packet Capture/Decode > Data Storage.
This window lists detected storage devices, including the internal hard drive, if one is available. For details on how to install and configure local and external storage, see
Installing and Configuring Local and External Storage
.
This release supports 32 external data storage targets, or Logical Unit Numbers (LUNs).
You can create multiple capture sessions per target. Only one capture per storage target (file location) is allowed at a time. Additionally you can have multiple sessions to memory.
Installing and Configuring Local and External Storage
You can use local or external storage as a repository for long term data for performance comparisons.
This topic covers:
Configuring the iSCSI Array
You may decide that in addition to or instead of local storage that you want to set up an external storage drive using iSCSI. This section contains the required settings for Prime NAM.
Use your vendor's user documentation to ensure you have properly configured the iSCSI array. The Cisco Prime NAM is independent of most array settings, but some are important for accessibility and performance.
Step 1 To configure the disk volumes on the array there is often a Segment Size setting. Larger segment sizes can improve write speeds. Configure the Segment Size setting to use the largest possible segment size (up to 512 KB).
Multiple volumes can be configured on a single array.
Step 2 Assign a Logical Unit Number (LUN) to the disk volume. This number is used for volume identification by the host.
Step 3 Map the LUNs to iSCSI Qualified Names (IQNs) on the array. The NAM's local IQN is listed using
remote-storage iscsi local-iqn
. Each IQN represents a different list of LUNs which hosts (such as the Prime NAM) can access.
Prime NAM supports up to 32 LUNs between all protocols and multiple LUNs mapped to one IQN.
Step 4 Prime NAM also has an IQN, which represents the host side of an iSCSI session. You must give the Prime NAM’s IQN address access to the iSCSI array’s LUNs. The array calls this Host Access. Be sure to give the Prime NAM’s IQN read-write access. Most arrays require this for security reasons to ensure that only certain hosts can access the LUNs.
Each Prime NAM has a unique IQN, so perform this required step for each Prime NAM that requires access and for each target LUN that you want to access. For more details about which CLI command to use, see Locating the Prime NAM IQN.
Caution Only one Prime NAM should connect to a LUN because only one host can have write access at a time. If multiple Prime NAMs connect to the same LUN simultaneously, there will be access conflicts and capture operations may not work properly.
Step 5 Ensure the Prime NAM management Connecting the Storage Arrayport has IP connectivity to the iSCSI array. For details on how to complete this required task, see .
Locating the Prime NAM IQN
To find the Prime NAM IQN, use the remote-storage iscsi local-iqn CLI command:
root@nam.domain# remote-storage iscsi local-iqn Local iSCSI Qualified Name: iqn.1987-05.com.cisco:WS-SVC-NAM3-6G-K9.00:19:55:07:15:9A
For details on how to complete the storage array configuration, see Connecting the Storage Array.
Connecting the Storage Array
After you configure the iSCSI storage arrays, ensure that the array has an IP path to the Prime NAM management port. The array can be connected while the Prime NAM is running.
Some arrays come with multiple storage controller modules. As a security feature, module ownership must often be mapped to each LUN or IQN.
The Prime NAM logs into the storage to start an iSCSI session using the IP address and IQN(s) of the storage array.
To connect the storage array using the user interface:
Step 1 Log into the Prime NAM web interface. To access the Data Storage page, choose
Capture > Packet Capture/Decode > Data Storage
.
Step 2 Click iSCSI Login and enter the iSCSI array IP address. Then click Search IQN Targets.
A list of IQNs available to the Prime NAM host IQN appear.
Step 3 Depending on the outcome, perform one of the following steps:
a. If the IQNs do not appear, check remote-storage iscsi list to verify the iSCSI session was properly started.
The follow example shows how to verify the iSCSI session.
root@
nam.domain
# remote-storage iscsi list
Storage ID: 16
Label:
Status: Ready
Protocol: ISCSI
Target IP: 172.20.122.81
Target IQN: iqn.2011-09:celeros.target11
Type: LUN
Model: IET VIRTUAL-DISK
LUN: 4
Capacity: 24.98GB
Available: 24.98GB
Active iSCSI Sessions:
tcp: [8] 172.20.122.81:3260,1 iqn.2011-09:celeros.target11
The LUN number (in the above example,
LUN 4)
helps you identify one LUN from others mapped to the same IQN. This number is unique to each IQN, meaning two LUNs from different IQNs can have the same number.
b. If the iSCSI session was properly started, check the storage array configuration to verify that:
-
The LUNs are mapped to the target IQN, and
-
The Prime NAM IQN has been given Read/Write access to the LUNs.
c. If you make any configuration changes, logout of the iSCSI session and login again. To logout, use the CLI
remote-storage iscsi logout
or use the GUI and click
iSCSI Logout
. All LUNs mapped to that target IQN will be disconnected from the Prime NAM.
Preparing LUNs for File Storage
Some arrays come with multiple storage controller modules, and the module ownership must often be mapped to each LUN (Logical Unit Numbers). This is a common security feature.
To see if the NAM can access the storage array LUNs and prepare them to store files:
Step 1 Choose
Capture > Packet Capture/Decode > Data Storage
.
New LUNs which have not been used by the NAM show a status of
Unformatted
.
a. Skip to Step 3 if your LUNs are formatted.
b. If no LUNs appear, see Installing and Configuring Local and External Storage and Configuring the iSCSI Array for detailed instructions on how to set up your storage array.
Step 2 To prepare these LUNs for capture use, select the LUN and click
Format
. After a few minutes, the status should change to
Ready
.
Step 3 To apply optional user labels to the LUNs to help differentiate between them, select the LUN and click
Label
.
The Label dialog appears with information about the current label and the last time the LUN was formatted.
You are now ready to use the external storage for capture files.
Using LUNs to Store Packets from a Capture Session
To use a LUN to store packets from a capture session:
Step 1 Go to
Capture > Packet Capture/Decode > Sessions
.
Step 2 Under the Capture Sessions table, click
Create
.
Step 3 Fill in the appropriate fields for creating a session, and for Storage Type choose the
Files
option.
Step 4 Use the File Location table to select the LUN you wish to use. Each list entry includes the protocol and either the model or the user label if it is set. Note that the list will only include targets which are in the
Ready
state.
Step 5 Click
Submit
to create the session.
When a session is
STARTED
, the associated LUN state changes to
In Use
. At that point, no other session can use that LUN until the session is deleted. This prevents contention, corrupted data, and write bandwidth degradation.
Logging In and Out of External Storage LUNs
You can use iSCSI to facilitate data transfers over intranets and to manage your remote capture data storage.
Prime NAM provides a more streamlined workflow to log in and out of your data storage targets. You must log into iSCSI in order to save capture sessions to remote storage. If you do not log in, capture sessions are saved to either local disk or memory locations.
To log in or out of your available remote data storage LUNs:
Step 1 Ensure you have configured your target iSCSI system with read/write permission to your NAM for at least one LUN in the storage array. For details, see About Capturing to Data Storage.
Step 2 Choose
Capture > Packet Capture/Decode > Data Storage
and click
iSCSI Login
.
Step 3 To enable auto discovery of any iSCSI Qualified Name (IQN) target, enter the target IP address of the storage location and click
Search IQN Targets
.
All available IQNs for that location display in the table.
Step 4 To log out, click
iSCSI Logout
. The list of IQNs to which you are currently logged into displays in a table.
Step 5 To view the LUNs which the system will log you out, select one of the IQNs and a popup displays the associated LUNs to select.
.
Connecting and Disconnecting External Storage
Before physically disconnecting an external storage device, it is highly recommended to use the
Unmount
button on the
Capture > Packet Capture/Decode > Storage
window. This notifies the Cisco NAM that the device will be disconnected, so that the Prime NAM can perform important cleanup procedures. After this is done, the storage target displays as
Unmounted
in the status column, and it is safe to remove the external storage device. External storage is automatically unmounted in this manner when the Cisco NAM is powered down.
Caution If this step is skipped, it is possible to corrupt the storage data upon physical disconnect.
If a device has been logically disconnected using the
Unmount
button, but the storage is still physically connected, it can be reactivated using the
Mount
button. It will restore the storage target’s previous state. This makes it unnecessary to physically disconnect and reconnect the storage, which can be particularly useful if the storage is located far away from you.
Recovering Data Storage
In the event that a previously working target displays as
Unformatted
, you can use the CLI to determine what happened by running a filesystem check on it. Use the command
remote-storage <protocol> fsck <storage ID>
, when you know the protocol. You can find the storage ID using
remote-storage <protocol> list
. The filesystem check can potentially resolve filesystem corruption or state issues. If the command succeeds, it automatically mounts the storage and displays as
Ready
.
The following shows a iSCSI recovery example:
root@nam.cisco.com# remote-storage iscsi list Target IQN: iqn.2011-09:celeros.target11 Target IQN: iqn.2011-09:celeros.target16 tcp: [8] 172.20.10.81:3260,1 iqn.2011-09:celeros.target11 tcp: [7] 172.20.10.81:3260,1 iqn.2011-09:celeros.target16 root@nam.cisco.com# remote-storage iscsi fsck 16 FS check completed successfully. root@nam.cisco.com# remote-storage iscsi list Target IQN: iqn.2011-09:celeros.target11 Target IQN: iqn.2011-09:celeros.target16 tcp: [8] 172.20.10.81:3260,1 iqn.2011-09:celeros.target11 tcp: [7] 172.20.10.81:3260,1 iqn.2011-09:celeros.target16
Inspecting Packet Decode Information for Suspicious Traffic
After you have captured some traffic data packets, you can use the NAM packet decoder to view the packet contents and inspect for suspicious traffic.
This section includes the following sections:
Analyzing Packets in the Packet Decoder
Figure 4-8 Packet Decoder Window
Note To use these decode features, you must be capturing to memory with the no rotate option selected. Otherwise, captures must be paused or stopped. For detailed descriptions about the features in this window, see Understanding the NAM Packet Decoder.
To inspect packet decode information for suspicious traffic:
Step 1 Choose
Capture > Packet Capture/Decode > Sessions
and create a capture session. If you already have a capture session choose
Capture > Packet Capture/Decode > Files
.
Step 2 Choose a capture session or file, and then click
Decode
. The Packet Decoder window displays. See Figure 4-8. For table descriptions see
Table D-66
.
Step 3 To quickly filter on a key word or phrase, for example rtp to focus on voice quality, enter the word in the Filter text box (see Figure 4-8). The window refreshes displaying only data that includes the filtered information.
Step 4 To filter packet data based on multiple filters, click
Display Filter
and enter your options in the window, then click
Apply
. This action displays only the distribution of the packets that match your filter. For detailed steps, see Filtering Packets Displayed in the NAM Packet Decoder.
Step 5 To save filters for future use, click
Save Display Filters
on the Display Filter window. You can also edit or remove existing filters as needed.
Step 6 To view the packet capture flow and focus in on a specific time interval or area of interest click on the slider in the Packet Histogram and move the left or right cursors to zoom in (see Figure 4-8). To pan this filtered data, click and hold the slider while moving it inside the histogram. This provides a visual of packet capture flow and enables you to navigate through the packet list.
Step 7 To toggle
-
between a one and two-column layout view, choose
Tools > Toggle Layout
.
-
between the Packet Histogram and the packet paging controls, choose
Tools > Show ...
Step 8 To disable the default colors in the packet window, choose
Tools > Disable Protocol Coloring
.
Step 9 To review capture file information, choose
Tools > Capture Info
.
Step 10 To save the current filtered packet info displayed on this page, choose
Tools > Save Filtered Packets
. Only visible when filters are in use. Saves to memory or to the capture file based on the options in your Capture Sessions window. See Configuring Capture Sessions.
Step 11 To make the font size larger or smaller for the hex data pane, hover over the top-right corner of the pane to see the enlarge option. To increase the font, select the
A+
or to decrease it select the
A-
.
Step 12 Use the Tools menu to perform validation tasks—options have limited support. Options include:
– TCP Checksum Validation check box—filter on TCP in the decode window and use the TCP pane to verify that the checksum has been validated.
– UDP Checksum Validations check box—filter on UDP in the decode window and use the UDP pane to verify that the checksum has been validated.
– IP Host Name Resolution—perform global host name resolution for NAM. Synchronizes with the Administration preferences.
Step 13 Use Decode As option to temporarily force specific tcp and /or udp ports to be decoded as the specific protocols as specified by the user. This is useful for custom protocols that use user defined ports or the same ports may be used by more than one protocols
Step 14 To view packet details including packet range displayed, data port, and number of filtered packets, see the heading in the upper right corner of the NAM window.
Step 15 To reconstruct files from the capture file, choose
Tools
>
Export Objects
, then choose either HTTP, FTP, SMB or IMF(Email) from the protocol drop-down list.
A dialog will be displayed to show all the exported files. See
Table 4-2
for description of the fields in this dialog.
Table 4-3 Description of the fields in object list dialog.
|
|
Packet
|
The packet number in which this object was found. In some cases, there can be multiple objects in the same packet.
|
Hostname
|
The hostname of the server that sent the object.
|
Content Type
|
Derived from content type filed in http header. For other protocols, it could be empty.
|
Size
|
The size of this object.
|
Filename
|
This is a filename, but may be a long complex looking string, which indicates that the file was received in response to a HTTP POST request.
|
Note The exported file will be corrupted if any lost segments and/or out-of-order packets in the packet stream.
Note Empty file will not be listed in the dialog. The exported ftp file will be incomplete when FTP pause and resume happens.
Filtering Packets Displayed in the NAM Packet Decoder
To filter packets based on multiple options for display in the NAMPacket Decoder:
Step 1 From the NAMPacket Decoder, click
Display Filter
. The NAM - Display Filter Window displays.
Step 2 Do the following:
–
Inclusive
displays packets that match the condition(s.)
–
Exclusive
displays packets that do not match the condition(s).
-
Choose an
Address Filter
:
–
IP/Host
address filters on IP address.
–
MAC
address filters on MAC address.
–
Source
allows you to specify the source address, or leave it blank if not applicable.
–
Destination
allows you to specify the destination address, or leave it blank if not applicable.
–
Both Directions
allows you to match of packets traveling in both directions.
-
Define a
Protocol Filter
:
– Click
Match any (or)
to display packets that match any of the protocols or fields.
or
– Click
Match all (and)
to display packets that match all of the protocols or fields.
– Choose a protocol from the
Protocols
list.
Note You can enter the first few letters of the protocol name to go directly to the protocol. If you make a typo, press ESC or SPACE to reset.
– Choose a protocol field from the Fields list, then specify the field value if applicable.
Step 3 To add more protocol filters, click the
+
sign.
Step 4 To delete a defined Protocol Filter, click the
-
sign.
Step 5 Click
OK
to apply the filter and close the window or
Apply
to apply the filter and keep the window open.
Viewing Detailed Protocol Decode Information
To view detailed protocol information:
Step 1 Highlight the packet number about which you want more information.
Detailed information about that packet is displayed in the Protocol Decode and hexadecimal dump panes at the bottom of the window.
Note If you highlight the details in the Protocol Decode pane, the corresponding bytes are highlighted in the hexadecimal dump pane below it.
Step 2 To review the information, use the scrolling bar in the lower panes.
Note When you decode SCCP traffic, Prime NAM lists the protocol as skinny, not SCCP.
Tip • Protocols are color coded both in the Packet Browser and the Protocol Decode pane.
-
Choose the protocol name in the Protocol Decode pane to collapse and expand protocol information.
-
To adjust the size of any of the panes, click and drag the pane frame up or down.
Understanding the NAM Packet Decoder
The NAM, also known as the packet decoder, uses two levels of packet analysis: basic and full. Because preparing a large capture file for full analysis can take a long time, NAM automatically chooses which level to use based on your filtering complexity. This allows you to browse your captured packet data more quickly without having to wait for analysis.
When you select a capture file to analyze for the first time, NAM limits some of the more complex display filters you can use. For example, you can filter using protocol identifiers such as TCP, UDP, SDP, and SIP which allow the packet decode to display more quickly than an advanced filtering selection.
If you enter more advanced filters (such as those with and/or logic operators on the protocol field), NAM automatically begins the full analysis of the capture file and then applies your complex filter to display the results. For example, if you filter using ‘ip.src==192.168.1.1 && tcp.dstport==80’, the NAM starts the full analysis and displays it only after the results have been filtered.
Understanding the NAM Packet Decoder Window and Browser Pane
The NAM Packet Decoder window shows three views of a packet:
-
a summary line briefly describes the packet type
-
the protocol field of interest can be shown and analyzed in the portion of the window directly below the summary line
-
a hexadecimal dump shows exactly what the packet looks like when it goes across the wire.
There are many unique features in the NAM Packet Decoder decode window; for example, it can assemble all the packets in a TCP conversation and highlight the ASCII data in that conversation. You can use the expanded display filter functionality to allow you to view more focused data.
Figure 4-8 is an example of the NAM Packet Decoder window.
You can perform the following tasks in the NAM window:
-
Show Packet histogram display the number of packets over a specific time range. This provides a feel of the packet flow for the capture. You can use the histogram selector control to navigate through the packet list as well. You can apply a display filter to make the histogram show the distribution of the packets that match the applied filter. Can set time range and move across histogram. Firefox is faster than IE performance with this feature.
-
Toggle to Show Packet Paging Controls displays the buffer divided into pages.
-
Toggle layout changes how the three content panes in the decoder are arranged.
-
Display Hex data font size by hovering over two buttons in the top right corner of the hex data content pane of the decoder. You can increase or decrease the font size of the contents.
-
Display the current range of packets in the packet list by selecting the Packet range button. You can also enter the range of packets to view.
-
Use the Display Filter button yo display Saved Display Filters and Manage Display Filters windows.
-
Alter Protocol coloring. You can map custom colors to specific protocols in this release. Default colors
-
Use the Tools menu—options have limited support. Options include:
– TCP Checksum Validation check box—filter on TCP in the decode window and use the TCP pane to verify that the checksum has been validated.
– UDP Checksum Validations check box—filter on UDP in the decode window and use the UDP pane to verify that the checksum has been validated.
– IP Host Name Resolution—perform global host name resolution for NAM. Synchronizes with the Administration preferences.
-
Use Decode As option to temporarily force specific tcp and /or udp ports to be decoded as the specific protocols as specified by the user.
-
Display Filter input field to manually enter display filters.
Customizing Display Filters
Use custom display filters to create and save customized filters to use in the NAM decode window to limit which packets are displayed.
NAM supports most software display filters with the following exceptions:
-
Filters using Perl Regular Expressions. For example:
http.request.uri matches "gl=se$"
-
Filters on a protocol payload (a protocol section in a packet). For example:
See these topics for help setting up and managing custom display filters:
Creating Custom Display Filters
To create custom display filters:
Step 1 Choose
Capture > Packet Capture/Decode > Sessions
.
The Hardware Filters box is displayed at the bottom of the page.
Step 2 Click
Create
. The Hardware Filters Dialog box displays. See
Table D-64
.
Step 3 Enter information in each of the fields as appropriate.
Step 4 Do one of the following:
-
To create the filter, click
Submit
.
-
To cancel filter creation, click
Cancel
.
Tips for Creating Custom Decode Filter Expressions
You can construct custom decode filter expressions using the following logical and comparison operators listed in
Table 4-4
.
Table 4-4 Logical and Comparison Operators
|
|
and
|
Logical AND
|
or
|
Logical OR
|
xor
|
Logical XOR
|
not
|
Logical NOT
|
==
|
Equal
|
!=
|
Not equal
|
>
|
Greater than
|
To group subexpressions within parentheses, use the fields in
Table D-63
to help you add filter expressions.
Examples of Custom Decode Filter Expressions
Table 4-5
provides some examples of basic NAM display filters you can use to filter on application types.
Table 4-5 Basic NAM Display Filters (Limited to Application Types)
|
|
tcp
|
Find all TCP-based applications
|
udp
|
Find all UDP-based applications
|
! eth
|
Find all packets other than Ethernet
|
tcp and not vlan
|
Find all TCP traffic NOT running over vlan
|
http
|
Find all src/dst HTTP application packets (may be not standard port 80 if different application 'decode as' port specified; e.g. 'tcp.port==8080,http')
|
ftp || http
|
Find either ftp or http packets
|
not tcp
|
Exclude all TCP packets
|
! tcp
|
Exclude all TCP packets
|
! (ftp || http)
|
Exclude all FTP and HTTP packets
|
Table 4-6
provides some examples of complex NAM display filters.
Table 4-6 Compound NAM Display Filters
|
|
tcp.port eq 80
|
Find all src/dst HTTP packets on standard HTTP port 80
|
ip.addr == 192.168.1.0/24
|
Find all packets in Class C network (subnet)
|
tcp.flags.reset == 1
|
Find all TCP resets
|
tcp.window_size == 0 && tcp.flags.reset != 1
|
Src is instructing dst to stop sending data (TCP buffer full)
|
Ipv6.addr == ::1
|
Correct statement with IPv6 label and IPv6 address.
|
Table 4-7
provides some examples of protocol field hexbyte filters.
Table 4-7 Protocol Field Hexbyte Filters
|
|
eth.src==00:3c:06:0a:02:68
|
Find source MAC
|
eth.dst==00:3c:06:0a:02:68
|
Find destination MAC
|
eth.addr==00:3c:06:0a:02:68
|
Find source or dest MAC
|
! (eth.addr==00:3c:06:0a:02:68)
|
Find all MAC except specific address
|
eth.addr contains 00:3c
|
Find bytes in any protocol field subrange
|
Table 4-8
provides some examples of protocol field hexbyte subrange filters.
Table 4-8 Protocol Field Hexbyte Subrange Filters
|
|
eth.addr[0:2]==00:3c
|
Find specific subrange in MAC
|
eth.addr[1:3]==3c:06:0a
|
Find specific subrange in MAC
|
Table 4-9
provides some examples of hexbyte data representations syntax.
Table 4-9 Hexbyte Data Representations (Syntax)
|
|
eth.dst == ff:ff:ff:ff:ff:ff
|
Hexbyte separators can be colons
|
eth.dst == ff-ff-ff-ff-ff-ff
|
Hexbyte separators can be dashes
|
eth.dst == ffff.ffff.ffff
|
Hexbyte separators can be dots (one or two bytes
|
Note You can use a filter expression with other fields in the Custom Decode Filter dialog box. In this case, the filter expression is ANDed with other conditions. Invalid or conflicting filter expressions result in no packet match.
Editing or Deleting Custom Display Filters
To edit custom display filters:
Step 1 From the NAM Packet Decoder, choose
Display Filters
.
Step 2 To edit a filter, choose the filter to edit then click
Edit
.
Step 3 Change the information in each of the fields as appropriate.
Step 4 To delete a filter, choose the filter to delete from the Hardware Filters Data Port 1 or Data Port 2 pane, then click
Delete
.