Cisco Security Packet Analyzer User Guide, 6.2(2)

Managed device IP address and VDC on the managed device.

ID of the SPAN session.

• Extended: Allows for IP extended input ACLs to receive a copy of a dropped packed on a destination port even if the actual incoming packet is dropped.
• Multicast Best Effort:  Multicast packets are delivered to a group using best - effort reliability, just like IPv6 unicast packets.
• Sampling: Collects NetFlow statistics for a subset of incoming (ingress) IPv4 traffic on the interface, selecting only one out of "N" sequential packets, where "N" is a configurable parameter.
• MTU Truncation: Maximum bytes allowed for each replicated packet in a SPAN session
• Rate Limit: Sets Committed Access Rate and Distributed Committed Access Rates for the interface's bandwidth

• Switch Port
• VLAN
• EtherChannel
• RSPAN VLAN

You can have only one RSPAN VLAN source per SPAN session.

The Packet Analyzer interface to which you want to send data.

Module of the switch

Direction of the SPAN traffic.

SPAN sources available for the selected SPAN type.

DATA PORT if it is a local physical port or the IP address of the device that is sending Packet Analyzer data.

The source of traffic for the Packet Analyzer.

DATA PORT if it is a local physical port.

WAAS, ERSPAN, or NETFLOW, if a data stream exported from the router or switch or WAE device.

Enter the activity details.

ACTIVE or INACTIVE.

Choose the data source.

Physical Port or information about the data source being Enabled or Disabled.

Managed device IP address and VDC on the managed device.

ID of the SPAN session.

• Extended: Allows for IP extended input ACLs to receive a copy of a dropped packed on a destination port even if the actual incoming packet is dropped.
• Multicast Best Effort:  Multicast packets are delivered to a group using best - effort reliability, just like IPv6 unicast packets.
• Sampling: Collects NetFlow statistics for a subset of incoming (ingress) IPv4 traffic on the interface, selecting only one out of "N" sequential packets, where "N" is a configurable parameter.
• MTU Truncation: Maximum bytes allowed for each replicated packet in a SPAN session
• Rate Limit: Sets Committed Access Rate and Distributed Committed Access Rates for the interface's bandwidth

• Switch Port
• VLAN
• EtherChannel
• RSPAN VLAN

You can have only one RSPAN VLAN source per SPAN session.

The Packet Analyzer interface to which you want to send data.

Direction of the SPAN traffic.

SPAN sources available for the selected SPAN type.

SNMP will be used in a mode with no authentication and no privacy.

SNMP will be used in a mode with authentication, but no privacy.

SNMP will be used in a mode with both authentication and privacy.

Enter a username, which will match the username configured on the device.

Enter the authentication password associated with the username that was configured on the device. Verify the password.

Choose the authentication standard which is configured on the device (MD5 or SHA-1).

Enter the privacy password, which is configured on the device. Verify the password.

Enter the privacy algorithm, which is configured on the device (AES or DES).

A textual description which should contain the manufacturer's name for the physical entity and be set to a distinct value for each version or model of the physical entity.

The current software version running on the device.

Total time the device has been running since the last reboot.

SNMP read test result. For the local device only.

Name given to the alarm at setup.

Enable if turned on. Disable if turned off. Choose Administration > System > E-Mail Setting.

Community: xxxxx if configured. If not configured it is blank. Choose Administration > System > SNMP Trap Setting.

Session:xxxxx if configured. If no captures are configured it is blank. Choose Capture > Packet Capture/Decode > Sessions.

Enable if turned on. Disable if turned off. Choose Administration > System > Syslog Setting.

Missing Trap means that the trap configured for that alarm action has been deleted.

OK means the Alarm action was successfully created.

You can configure eight types of thresholds.

Choose an application from the list.

Choose a site from the list.

Choose a host from the list.

High or Low (user-configured classification). These alarms are displayed on the Alarm Summary dashboard (Monitor > Overview > Alarm Summary). You can choose to view High, Low, or High and Low alarms.

Rising action and Falling action (if configured). Alarms are predefined conditions based on a rising data threshold, a falling data threshold, or both.

OK if configuration is complete. Otherwise, the issue displays (for example, Missing Src Site).

Adds another row.

Removes that Metrics row.

Enter the name.

Choose a site from the list. See Configuring Sites for information on setting up a site.

Choose a host from the list.

You can enter the name of the host if the drop-down list does not contain the desired host.

Choose an application from the list. You can enter the first few characters to narrow the selection in the drop-down list.

Choose a DSCP value from the list. You can enter the first few characters to narrow the selection in the drop-down list.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

From the drop-down lists, choose a Rising action and a Falling action (optional). During threshold creation, by default, the falling action is the same as rising action. See Viewing Alarm Actions for information on setting up alarm actions.

Choose the type of metric from the list, and then enter a value for a Rising threshold and a Falling threshold.

Enter the name.

Choose an application from the list. You can start typing the first few characters to narrow the list.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

Make a selection from the drop-down lists, or leave as Any. See Configuring Sites for information on setting up a site.

Make a selection from the drop-down lists, or leave as Any. See Configuring Sites for information on setting up a site.

From the lists, choose a Rising action and a Falling action (optional). See Viewing Alarm Actions for information on setting up alarm actions.

Choose from one of the six metrics, and then enter a Rising threshold and a Falling threshold.

Enter the name.

Choose a site from the list. See Configuring Sites for information on setting up a site.

Choose an application from the list. You can start typing the first few characters to narrow the list.

Choose a DSCP value 0-63, or Any.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

From the lists, choose a Rising action and a Falling action (optional). See Configuring Alarm Actions for information on setting up alarm actions.

Choose Bits or Bytes, and then enter a Rising threshold and a Falling threshold.

Enter the name.

Choose an application from the list. You can start typing the first few characters to narrow the list.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview > Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

Make a selection from the lists. See Configuring Sites for information on setting up a site.

Make a selection from the lists, or leave as “Any.” See Configuring Sites for information on setting up a site.

From the lists, choose a Rising action and a Falling action (optional). See Viewing Alarm Actions for information on setting up alarm actions.

Choose a metric from the list, and then enter a Rising threshold and a Falling threshold. For the Packets and Bytes-related metrics, the entry is per second. For the time-related metrics, the unit is per microseconds (u).

Give the DSCP Alarm Threshold a name.

Choose a site from the list. See Configuring Sites for information on setting up a site.

Choose a DSCP value from the list.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

From the drop-down lists, choose a Rising action and a Falling action (optional).

Choose one of the metric types from the list, and then enter a Rising threshold and a Falling threshold.

Enter the name.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

Choose a Codec from the list.

Make a selection from the drop-down lists, or leave as “Any.” See Configuring Sites for information on setting up a site.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

From the drop-down lists, choose a Rising action and a Falling action (optional). See Viewing Alarm Actions for information on setting up alarm actions.

Choose a metric from the list:

• Jitter: Variation of packet arrival time compare to expected arrival time.
• Adjusted packet loss percent: Percent of packet loss which includes packets actually lost and packets that arrived beyond the expected buffering capability of the endpoint.
• Actual packet loss percent: Percent of packets that Packet Analyzer has never seen.
• MOS: Mean opinion score that is composed of both jitter and adjusted packet loss.
• Concealment seconds: Number of seconds in which Packet Analyzer detected packets lost.
• Severe concealment seconds: Number of seconds in which Packet Analyzer detected packets lost of more than 5%.

Enter a Rising threshold and a Falling threshold.

Enter the name.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

Choose a Rising action and a Falling action from the lists (optional). See Viewing Alarm Actions for information on setting up alarm actions.

Choose Jitter to enable an alarm when the software detects jitter to be more than the value set here.

Check Packet Loss % to enable an alarm when the software detects Packet Loss percentage to be outside of the values you entered.

Choose Ingress or Egress.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

Choose a Rising action and a Falling action from the lists (optional). See Viewing Alarm Actions for information on setting up alarm actions.

Choose Bytes or Packets, and enter a Rising and Falling threshold.

Name given to the video stream,

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview > Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

Choose a Codec from the list.

Make a selection from the drop-down lists, or leave as “Any.” See Configuring Sites for information on setting up a site.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

From the drop-down lists, choose a Rising action and a Falling action (optional). See Viewing Alarm Actions for information on setting up alarm actions.

Choose a metric from the list:

• I Frame Loss%: Percentage of I frame loss.
• I Frame Loss Count: The loss count of I frames.
• All Frame Loss%: Percentage of frame loss of all types.
• All Frame Loss Count: The loss count of all types of frames.

Enter a Rising threshold and a Falling threshold.

Name given to the video MDI Stream.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

Make a selection from the drop-down lists, or leave as “Any.” See Configuring Sites for information on setting up a site.

Choose High or Low. These display on the Alarm Summary dashboard (Monitor > Overview >Alarm Summary), where you can choose to view High, Low, or High and Low alarms.

From the drop-down lists, choose a Rising action and a Falling action (optional). See Viewing Alarm Actions for information on setting up alarm actions.

Choose a metric from the list:

• Delay Factor: RFC-4445 delay factor.
• Media Loss Rate: RFC-4445 media loss rate.

Enter a Rising threshold and a Falling threshold.

Enter the name.

A textual description which should contain the manufacturer's name for the physical entity and be set to a distinct value for each version or model of the physical entity.

Current software version of the router.

Total time the router or switch has been running.

Choose the location.

The textual identification of the contact person for this managed device and information on how to contact this person.

IP address of the router.

Enter the community string.

Reenter the community string.

Check the check box to enable SNMP Version 3. If SNMPv3 is not enabled, the community string is used.

SNMP is used in a mode with no authentication and no privacy.

SNMP is used in a mode with authentication, but no privacy.

SNMP is used in a mode with both authentication and privacy.

Enter a username, which will match the username configured on the device.

Enter the authentication password associated with the username that was configured on the device. Verify the password.

Choose the authentication standard which is configured on the device (MD5 or SHA-1).

Enter the privacy password, which is configured on the device. Verify the password.

Enter the privacy algorithm, which is configured on the device (AES or DES).

Displays the IP address of the Packet Analyzer and the switch on which the SNMP test occurred.

Enter the name.

A textual description which should contain the manufacturer's name for the physical entity and be set to a distinct value for each version or model of the physical entity.

The software version of the device.

Total time the device has been running.

SNMP read test result.

SNMP write test result.

For Cisco IOS devices, displays the status if there are any ports with Mini-RMON configured (Available) or not (Unavailable).

Displays if NBAR is available on the device.

Displays if VLAN data is Available or Unavailable.

Note Catalyst 6500 Series switches require a Supervisor 2 or MSFC2 card.

For Catalyst 6500 Series devices running Cisco IOS, if NetFlow is configured on the device, Remote export to Packet Analyzer<address> on port <number> displays, otherwise the status displays Configuration unavailable.

Check indicates that NBAR is enabled.

Depending on the IOS running on the Supervisor, port names are displayed differently.

Newer versions of IOS software display a port name as Gi2/1 to represent a Gigabit port on module 2 port 1.

In the Virtual Switch software (VSS), a port name might be displayed as Gi1/2/1to represent a Gigabit port on switch 1, module2, port 1.

Description of the interface.

Enter the name.

Enter the description.

If you check this check box, the software will skip this site when classifying traffic. This is useful if the site is no longer active, but the user would still like to access historical site data in the database. Otherwise, the user should delete sites that are not needed.

IP address subnet (IPv4/IPv6 address and mask); for example, 10.1.1.0/24. Click the blue i to get information about Site Rules.

You can click the Detect button to tell the software to look for subnets in the traffic. See Configuring Sites Using Subnets.

Specify the data source from where the site traffic originates.

Leave this field blank if the site traffic can come from multiple data sources.

Enter the subnet mask.

Note If the bit mask is 32 or less, the software will detect an IPv4 subnet. If the bit mask is between 33 and 64, then it will detect an IPv6 subnet.

Choose the data source in which you would like to detect subnets.

Choose the interface in which you would like to detect subnets.

Enter an IPv4 or IPv6 address

The “Unassigned” site includes any that do not match any of your site configurations. Sites are classified at the time of packet processing.

Enter the name.

Enter the description.

Lists the first rule assigned to the selected site. If you see periods next to the site rule (...), then multiple rules were created for that site. To see the list of all rules, click the quick view icon (after highlighting the site, click the small arrow on the right).

Shows if the site is Enabled or Disabled.

Enter the IPv4 or IPv6 address.

Unique identifying number associated with a physical or logical interface. Valid characters: 0-9.

Name of the interface. Valid characters are A-Z, a-z, 0-9.

An estimate of the interface’s current bandwidth in bits per second.

Name of the profile.

Enter the name of the profile you are creating. The maximum is 64 characters.

DSCP

DSCP numbers from 0 to 63. After selecting the DSCP radio button, you can freely choose any of the 64 possible values and assign them to Groups.

AF / EF / CS

Assured Forwarding (AF) guarantees a certain amount of bandwidth to an AF class and allows access to extra bandwidth,

Expedited Forwarding (EF) is used for traffic that is very sensitive to delay, loss and jitter, such as voice or video traffic.

Class Selector (CS) the last 3 bits of the 6-bit DSCP field, so these correspond to DSCP 0 through DSCP 7.

Bit Field

Six bits in the IP header of a packet.

DSCP 0

-

000000

DSCP 8

CS1

001000

DSCP 10

AF11

001010

DSCP 12

AF12

001100

DSCP 14

AF13

001110

DSCP 16

CS2

010000

DSCP 18

AF21

010010

DSCP 20

AF22

010100

DSCP 22

AF23

010110

DSCP 24

CS3

011000

DSCP 26

AF31

011010

DSCP 28

AF32

011100

DSCP 30

AF33

011110

DSCP 32

CS4

100000

DSCP 34

AF41

100010

DSCP 36

AF42

100100

DSCP 38

AF43

100110

DSCP 40

CS5

101000

DSCP 46

EF

101110

DSCP 48

CS6

110000

DSCP 56

CS7

111000

Unique 1 to 64 character descriptive name.

Enter the description.

(Optional) Leave blank. An arbitrary number up to 4-digits, unique within an engine-id. It is automatically assigned if left blank. Identification number is autogenerated if left blank. Range is from 1 to 65535.

This allows you to configure applications consistently across multiple Packet Analyzer, so that the same user-created application is exported with the same value. This should be used when configuring the same custom applications on multiple Packet Analyzer.

The application tag for user-created applications is a combination of the engine ID and the Selector. The 32 bit is generated by using the engine ID as the highest order byte, and the Selector makes up the other 3 bytes. For standard application/protocols, the application tag is predefined.

Select application type: Protocol, HTTP URL-based or Server IP Address.

Add the application protocol and port you want to track.

Protocol —Lists predefined protocols. If your option is not included, you can create a custom URL-based application classification.

Port —Enter the port number or port number range to monitor. The port is an arbitrary number you assign to handle the additional ports for the protocol family. This protocol number must be unique so it does not conflict with standard protocol/port assignments.

The port number range will vary depending on the protocol type selected. You can create additional ports to enable Packet Analyzer to handle additional traffic for standard applications.

Create custom URL-based applications by selecting this option. Enter at least one of the values below.

URL Host —The host name identified in the header from which the traffic is originating.

URL Path —The specific URL path that identifies the traffic.

Identifies the type of application (including ethertype, iana-14, iana-13, lic, L7, or custom).

System generated tag which can be used when multiple Packet Analyzer are being monitored.

(Optional) Custom description to define your application. Limited to 75 characters.

Active means that network traffic is being analyzed. Inactive means that the application is not being analyzed, possibly due to a duplication of effort. The Interactive Report filter may still list inactive applications if there is any historical data for the inactive application in the database, but it is not collecting new data.

Unique 1 to 64 character descriptive name.

Displays application type: Protocol, HTTP URL-based or Server IP Address.

An arbitrary number up to 4-digits, unique within an engine-id. It is automatically assigned if left blank.

This allows you to configure applications consistently across multiple Packet Analyzer, so that the same user-created application is exported with the same value. This should be used when configuring the same custom applications on multiple Packet Analyzer.

The application tag for user-created applications is a combination of the engine ID and the selector. The 32 bit number is generated by using the engine ID as the highest order byte, and the selector makes up the other 3 bytes. For standard application/protocols, the application tag is predefined.

Identifies the type of application (including ethertype, iana-14, iana-13, lic, L7, or custom)

System generated tag which can be used when multiple Packet Analyzer are being monitored.

If a system-defined, contains system information about the application type. If user-defined, enter custom description to define your application. Limited to 75 characters.

Active means that network traffic is being analyzed. Inactive means that the application is not being analyzed, possibly due to a duplication of effort. The Interactive Report filter may still list inactive applications, but it is not monitored by Packet Analyzer and is therefore not classified or displayed on Packet Analyzer dashboards.

A unique number (1-64) of each URL-based application. You can define up to 64 URL-based applications in Packet Analyzer.

Matching criteria in the host portion of the URL string appears in HTTP packets. This match is a POSIX Regular Expression¹.

Matching criteria in the path portion of the URL string appears in HTTP packets. This match is a POSIX Regular Expression ¹ .

Matching criteria in the Content-Type field of the HTTP packets. This match is a POSIX Regular Expression ¹ .

Description of this URL-based application.

Range 1 (μs)

Upper response time limit for the first container

Enter a number in microseconds. The default is 1 to 1,000 μs

Range 2 (μs)

Upper response time limit for the second container

Enter a number in microseconds. The default is 1,001 to 5,000 μs

Range 3 (μs)

Upper response time limit for the third container

Enter a number in microseconds. The default is 5,001 to 10,000 μs

Range 4 (μs)

Upper response time limit for the fourth container

Enter a number in microseconds. The default is 10,001 to 50,000 μs

Range 5 (μs)

Upper response time limit for the fifth container

Enter a number in microseconds. The default is 50,001 to 100,000 μs

Range 6 (μs)

Upper response time limit for the sixth container

Enter a number in microseconds. The default is 100,001 to 500,000 μs

Range 7 (μs)

Upper response time limit for the seventh container

Enter a number in microseconds. The default is 500,001 to 1,000,000 μs

Range 8 (μs)

Upper response time limit for the eighth container. This is the maximum interval that Packet Analyzer waits for a server response to a client request.

This range cannot be edited. Enter a number in microseconds. The default is 1,000,001 μs to infinity.

Enabled

Enables voice monitoring. Ensure this check box is selected if you are interested in voice monitoring.

Excellent

MOS scores listed here indicate excellent quality voice transmission (where 5.0 is the highest score). The default setting considers the range between 4.34 to 5.0 as excellent.

Good

MOS score listed here indicate good quality voice transmission. The default setting considers the range between 4.03 to 4.33 as good.

Fair

MOS score listed here indicate fair quality voice transmission. The default setting considers the range between 3.6 to 4.02 as fair.

Poor

MOS score listed here indicate poor quality voice transmission. The default setting considers the range between 0.0 and 3.59 as poor. This default cannot be changed.

Enabled

Enables video monitoring. Ensure this check box is selected if you are interested in video monitoring.

Poor

MDI score listed here indicate poor quality video transmission. The default setting considers 10.000ms 0.0050pps and above as poor.

Fair

MDI score listed here indicate fair quality video transmission. The default setting considers the range between 5.000ms 0.0010pps and 10.000ms 0.0050pps as fair.

Good

MDI score listed here indicate good quality video transmission. The default setting considers the range between 1.000ms 0.0005pps and 5.000ms 0.0010pps as good.

Excellent

MDI scores listed here indicate excellent quality video transmission. The default setting considers the range between 0.000ms 0.0000pps and 1.000ms 0.0005pps as excellent. This default cannot be changed.

Identifies type of traffic incoming from the application.

Select one of the options from the drop- down box.

Maximum number of URLS to collect.

Select one of the following options from the drop-down box:

• 100
• 500
• 1000

The application URL to match.

Optional parameter to limit collection of URLs that match the regular expression of this field.

A description of the NetFlow Export.

The IP address of the device to be exported to. IPv4 and IPv6 addresses are supported.

The port number of the device to be exported to.

Valid characters: 1-9. Length: Min 1, Max 65535.

The record types supported by Packet Analyzer for NetFlow are:

• Client Server Response Time
• Application Conversation
• Network Conversation
• RTP Metrics

This will be five minutes for Client Server Response Time and one minute for the other record type.

Select v9 or IPFIX to export.

The NetFlow option selection contains a set of check boxes. These allow independent selections of on or off settings for individual NetFlow options, which can be exported in addition to the NDE packets with data and templates, as follows:

• Mapping of integer application ID values into application names (as strings)
• Mapping of integer site ID values into site names and descriptions (as strings)

If there are several NetFlow Export Descriptors defined for the same destination, then the last user’s selection of option exports flags is enforced on all descriptor instances that exist for the same export.

IP Address of the managed device.

The IfIndex of the switch interface connected to that DATA PORT. Use the switch CLI command show snmp mib ifmib ifindex to find the appropriate ifIndex value.

Note The number of DATA PORT# items displayed will vary depending on the Packet Analyzer platform. For example, Packet Analyzer-2400 have 2 data ports.

v1/v2 or v3

If SNMP v1/v2 is selected, then the SNMP community string must be provided.

If SNMP v3 is selected, then appropriate SNMPv3 security parameters (e.g., security mode/level, username, auth password, auth protocol/algorithm, privacy password, and/or privacy protocol/algorithm) must be provided.

Note If selecting a mode that requires Auth Password and/or Privacy Password, each must be at least 12 characters long.

95

4

Application ID

96

24

Application Name

94

55

Application Description

Site Template

42006

4

Site ID

4 42016

24

Site Name

42017

55

Site Description

42001

4

Data source ID

42018

24

Data source name

42019

55

Data source description

Network Conversation IPv4 Template

8

4

IPv4 source address

12

4

IPv4 destination address

42002

4

source site ID

42003

4

destination site ID

42001

4

data source ID

10

4

input SNMP if-index

14

4

output SNMP if-index

58

2

input VLAN ID

59

2

output VLAN ID

195

1

input DSCP

98

1

output DSCP

151

4

flow end seconds

1

8

byte count

2

8

packet count

Network Conversation IPv6 Template

27

16

IPv6 source address

28

16

IPv6 destination address

42002

4

source site ID

42003

4

destination site ID

42001

4

data source ID

10

4

input SNMP if-index

14

4

output SNMP if-index

58

2

input VLAN ID

59

2

output VLAN ID

195

1

input DSCP

98

1

output DSCP

151

4

flow end seconds

1

8

byte count

2

8

packet count

Application Conversation IPv4 Templates

8

4

IPv4 source address

12

4

IPv4 destination address

42002

4

source site ID

42003

4

destination site ID

42001

4

data source ID

95

4

application ID

42010

4

network encapsulation ID

10

4

input SNMP if-index

14

4

output SNMP if-index

58

2

input VLAN ID

59

2

output VLAN ID

4

1

protocol

195

1

input DSCP

98

1

output DSCP

151

4

flow end seconds

1

8

byte count

2

8

packet count

Application Conversation IPv6 Templates

8

4

IPv4 source address

12

4

IPv4 destination address

27

16

IPv6 source address

28

16

IPv6 destination address

Application Response Time IPv4 Templates

42004

4

server site

42007

4

server IPv4 address

42005

4

client site

42008

4

client IPv4 address

95

4

app ID

42001

4

data source

58

2

VLAN ID

195

1

DSCP

151

4

duration of the flow

42010

4

net encapsulation

32792

2

server port

42020

1

waas optimization segments

42060

4

number of responses

42061

4

number of responses in bucket1

42062

4

number of responses in bucket2

42063

4

number of responses in bucket3

42064

4

number of responses in bucket4

42065

4

number of responses in bucket5

42066

4

number of responses in bucket6

42067

4

number of responses in bucket7

42068

4

number of late responses

42071

4

sum response time

42072

4

maximum response time

42073

4

minimum response time

42074

4

sum application response time

42075

4

maximum application response time

42076

4

minimum application response time

42077

4

sum total response time

42078

4

maximum total response time

42079

4

minimum total response time

42040

4

sum number of transaction

42041

4

sum transaction time

42042

4

maximum transaction time

42043

4

minimum transaction time

42050

4

number of new connections

42054

4

sum session duration

42084

4

sum client network time

42085

4

maximum client network time

42086

4

minimum client network time

42087

4

sum server network time

42088

4

maximum server network time

42089

4

minimum server network time

42081

4

sum network delay

Application Response Time IPv6 Templates

42004

4

server site

28

16

server IPv6 address

42005

4

client site

27

16

client IPv6 address

95

4

app ID

42001

4

data source

58

2

VLAN ID

195

1

DSCP

151

4

duration of the flow

42010

4

net encapsulation

32792

2

server port

42020

1

waas optimization segments

42060

4

number of responses

42061

4

number of responses in bucket1

42062

4

number of responses in bucket2

42063

4

number of responses in bucket3

42064

4

number of responses in bucket4

42065

4

number of responses in bucket5

42066

4

number of responses in bucket6

42067

4

number of responses in bucket7

42068

4

number of late responses

42071

4

sum response time

42072

4

maximum response time

42073

4

minimum response time

42074

4

sum application response time

42075

4

maximum application response time

42076

4

minimum application response time

42077

4

sum total response time

42078

4

maximum total response time

42079

4

minimum total response time

42040

4

sum number of transaction

42041

4

sum transaction time

42042

4

maximum transaction time

42043

4

minimum transaction time

42050

4

number of new connections

42054

4

sum session duration

42084

4

sum client network time

42085

4

maximum client network time

42086

4

minimum client network time

42087

4

sum server network time

42088

4

maximum server network time

42089

4

minimum server network time

RTP IPv4 Templates

8

4

source IPv4 Address

12

4

destination IPv4 Address

42002

4

source site

42003

4

destination site

42101

4

rtp ssrc

42102

1

rtp payload type

7

2

source port

11

2

destination port

195

1

DSCP

58

2

VLAN ID

151

4

flow end seconds

42001

4

data source

42010

4

net encap

42112

4

rtp duration

42113

4

average MOSx100

42115

4

worst/lowest MOSx100

37023

4

jitter x 100

37019

4

actual packet loss count

37014

4

expected packet count

RTP IPv6 Templates

27

4

source IPv6 Address

28

4

destination IPv6 Address

42002

4

source site

42003

4

destination site

42101

4

rtp ssrc

42102

1

rtp payload type

7

2

source port

11

2

destination port

195

1

DSCP

58

2

VLAN ID

151

4

flow end seconds

42001

4

data source

42010

4

net encap

42112

4

rtp duration

42113

4

average MOSx100

42115

4

worst/lowest MOSx100

37023

4

jitter x 100

37019

4

actual packet loss count

37014

4

expected packet count

This contains site or source and destination sites (source - destination) of the network traffic that generated the alarm message.

Details information of the network traffic that generated the alarm message. The format of the alarm triggered by string are:

• Triggered by application threshold: application
• Triggered by application with DSCP threshold: DSCP:codepoint - application
• Triggered by host threshold: host
• Triggered by host with application threshold: host - application
• Triggered by host with application and DSCP: DSCP: code point - host - application
• Triggered by host with DSCP: DSCP: code point - host
• Triggered by conversation: source - destination
• Triggered by conversation with application: source - application - destination
• Triggered by response time: IAP: client - application - server.
• Triggered by DSCP: DSCP: code point
• Triggered by RTP stream: source - source port - codec(codec string) - SSRC(number) - destination - destination port
• Triggered by voice signaling: Calling (address - number) Called (address - number) ID/References (id() - ref (calling:called))
• Triggered by NetFlow interfaces: NetFlow: Device (address) - If-Index(number) - Ingress/Egress

Parameter of the threshold that is used to evaluate alarm condition.

User defined rising value of the threshold variable.

Time when the alarm condition was found occurred.

Parameter value when the alarm condition was raised. Note: The triggered value could be - when the viewing window does not included the alarm when it was occurring.

Time when the alarm condition was resolved. The alarm variable has fallen below the falling threshold value.

Software services classified by Packet Analyzer from analyze and monitor traffic.

The application group (set of applications that can be monitored as a whole).

Traffic rate; number of bytes per second

Traffic rate; number of packets per second

The application group (set of applications that can be monitored as a whole).

Applicable site (or Unassigned if no site)

Traffic rate; number of bytes per second

Traffic rate; number of packets per second

Average Response Time

Response Time is the time between the client request and the first response packet from the server, as observed at the Packet Analyzer probing point. Increases in the response time usually indicate problems with server resources, such as the CPU, Memory, Disk, or I/O due to a lack of necessary resources or a poorly written application.

This and other Response Time metrics are in microseconds (μs) units.

Min Response Time

Max Response Time

Number of Responses

Total number of request-response pairs observed during the monitoring interval

Number of Late Responses

Total number of responses that exceed the Max Response Time

Number of Responses 1

Number of responses with a response time less than RspTime1 threshold

Number of Responses 2

Number of responses with response time less than RspTime2 and larger than RspTime1

Number of Responses 3

Number of responses with response time less than RspTime3 and larger than RspTime2

Number of Responses 4

Number of responses with response time less than RspTime4 and larger than RspTime3

Number of Responses 5

Number of responses with response time less than RspTime5 and larger than RspTime4

Number of Responses 6

Number of responses with response time less than RspTime6 and larger than RspTime5

Number of Responses 7

Number of responses with response time less than LateRsp and larger than RspTime6

Client Bits

Number of TCP payload bits sent from the client(s) during the monitoring interval

Server Bits

Number of TCP payload bits sent from the server(s) during the monitoring interval

Client Packets

Number of TCP packets sent from the client(s) during the monitoring interval

Server Packets

Number of TCP packets sent from the server(s) during the monitoring interval

Average number of concurrent connections

Average number of concurrent TCP connections during the reporting interval

Number of new connections

Number of new TCP connections made (TCP 3-way handshake) during the monitoring interval

Number of closed connections

Number of TCP connections closed during the monitoring interval

Number of unresponsive connections

Number of TCP connection requests (SYN) that are not responded during the monitoring interval

Number of refused connections

Number of TCP connection requests (SYN) that are refused during the monitoring interval

Average Connection duration

Average duration of TCP connections during the monitoring interval

Average Server Response Time

Server Response Time is the time it takes an application server (for example, a web server) to respond to a request. This is the server think time, which is the time between the client request arriving at the server and the first response packet being returned by the server.

Increases in the server response time usually indicate problems with application and/or server resources, such as the CPU, Memory, Disk, or I/O.

Min Server Response Time

Max Server Response Time

Average Network Time

Network time between a client and a server. Network Time is the sum of Client Network Time and Server Network Time. Packet Analyzer measures the Network Time using TCP 3-way handshakes. If there are no new TCP connections made during the monitoring interval, this metric is not reported.

Min Network Time

Max Network Time

Average Client Network Time

Client Network Time is the network time between a client and the Packet Analyzer switch or router.

In WAAS monitoring, Client Network Time from a WAE client data source represents the network RTT between the client and its edge WAE, while Client Network Time from the WAE server data source represents the WAN RTT (between the edge and core WAEs).

Min Client Network Time

Max Client Network Time

Average Server Network Time

Server Network Time is the network time between a server and Packet Analyzer probing point.

In WAAS monitoring, Server Network Time from a server data source represents the network time between the server and its core WAE.

Min Server Network Time

Max Server Network Time

Average Total Response Time

Total Response Time is the total amount of time between the client request and when the client receives the first response packet from the server.

Use Total Response Time with care because it is not measured directly and mixes the server response time metric with the network time metric.

Min Total Response Time

Max Total Response Time

Average Transaction Time

Transaction Time is the total amount of time between the client request and the final response packet from the server.

Transaction times may vary depending upon client usages and application types. Transaction Time is a key indicator for monitoring client experiences and detecting application performance anomalies.

Min Transaction Time

Max Transaction Time

Number of Transactions

The number of transactions completed during the monitoring interval.

Average Data Transmission Time

Elapsed time from the first server-response packet to the last server-response packet, excluding retransmission time.

Average Data Time

Data Time: Average data time portion of transaction time.

Packets Retransmitted

Number of retransmitted packets detected during the monitoring interval

Bits Retransmitted

Number of retransmitted bits detected during the monitoring interval

Average Retransmission Time

Average time to retransmit lost packets per transaction

Client ACK Round Trip Time

Average network time for the client to acknowledge (ACK) a server data packet as observed at Packet Analyzer probing point

Number of Client ACK Round Trips

Number of client ACK RTs observed during the monitoring interval

Total number of responses observed during the monitoring interval

Minimum network time measured by analyzing TCP three-way handshake sequence.

Average network time measured by analyzing TCP three-way handshake sequence.

Maximum network time measured by analyzing TCP three-way handshake sequence.

Minimum network time between a server and Packet Analyzer probing point.

Average network time between a server and Packet Analyzer probing point.

Maximum network time between a server and Packet Analyzer probing point.

The total amount of time between the client request and the final response packet from the server.

Average time (ms) elapsed from the start of a client request to the completion of server response. Transaction times might vary significantly depending upon application types. Relative thresholds are useful in this situation.

Transaction time is a key indicator when detecting application performance anomalies.

The total amount of time between the client request and the final response packet from the server.

Total number of transactions observed during the monitoring interval.

Average time elapsed from the start of a client request to the completion of server response. Transaction times might vary significantly depending upon application types. Relative thresholds are useful in this situation.

Transaction time is a key indicator when detecting application performance anomalies.

Amount of time it takes a server to send the initial response to a client request as seen by the Packet Analyzer.

Elapsed time from the first server-response packet to the last server-response packet, excluding retransmission time.

Average time to retransmit lost packets per transaction

Average network time for the client to acknowledge (ACK) a server data packet as observed at Packet Analyzer probing point

Minimum network time measured by analyzing TCP three-way handshake sequence.

Average network time measured by analyzing TCP three-way handshake sequence.

Maximum network time measured by analyzing TCP three-way handshake sequence.

Minimum network time measured by analyzing TCP three-way handshake sequence.

Average network time measured by analyzing TCP three-way handshake sequence.

Maximum network time measured by analyzing TCP three-way handshake sequence.

Minimum of the network time measured by analyzing TCP three-way handshake sequence.

Network Time is the sum of Client Network Time and Server Network Time. Packet Analyzer measures the Network Time using TCP 3-way handshakes. If there are no new TCP connections made during the monitoring interval, this metric is not reported.

Average of the network time measured by analyzing TCP three-way handshake sequence.

Maximum of the network time measured by analyzing TCP three-way handshake sequence.

Traffic rate; number of bytes per second. In Administration > System > Preferences, you can choose to display Packet Analyzer data in Bits or Bytes.

Traffic rate; number of packets per second

Number of bits per second incoming

Number of packets per second incoming

Number of bits per second outgoing

Number of packets per second outgoing

Interface number.

Utilization percentage of the port.

Utilization percentage of the port.

Number of incoming packets collected per second.

Number of outgoing packets sent out per second.

Number of bits collected per second.

Number of bits sent out per second.

Number of non-unicasts collected per second.

Number of non-unicasts sent out per second.

Number of discards collected per second.

Number of discards sent out per second.

Number of errors collected per second.

Number of errors sent out per second.

This contains site or source and destination sites (source - destination) of the network traffic that generated the alarm message.

Details information of the network traffic that generated the alarm message. The format of the alarm triggered by string are:

• Triggered by application threshold: application
• Triggered by application with DSCP threshold: DSCP:codepoint - application
• Triggered by host threshold: host
• Triggered by host with application threshold: host - application
• Triggered by host with application and DSCP: DSCP: code point - host - application
• Triggered by host with DSCP: DSCP: code point - host
• Triggered by conversation: source - destination
• Triggered by conversation with application: source - application - destination
• Triggered by response time: IAP: client - application - server.
• Triggered by DSCP: DSCP: code point
• Triggered by RTP stream: source - source port - codec(codec string) - SSRC(number) - destination - destination port
• Triggered by voice signaling: Calling (address - number) Called (address - number) ID/References (id() - ref (calling:called))
• Triggered by NetFlow interfaces: NetFlow: Device (address) - If-Index(number) - Ingress/Egress

Parameter of the threshold that is used to evaluate alarm condition.

User defined rising value of the threshold variable.

Time when the alarm condition was found occurred.

Parameter value when the alarm condition was raised. Note: The triggered value could be - when the viewing window does not included the alarm when it was occurring.

Time when the alarm condition was resolved. The alarm variable has fallen below the falling threshold value.

Client Network Time is the network time between a client and the Packet Analyzer switch or router.

In WAAS monitoring, Client Network Time from a WAE client data source represents the network RTT between the client and its edge WAE, while Client Network Time from the WAE server data source represents the WAN RTT (between the edge and core WAEs).

Server Response Time is the time it takes an application server (for example, a web server) to respond to a request. This is the server think time, which is the time between the client request arriving at the server and the first response packet being returned by the server.

Increases in the server response time usually indicate problems with application and/or server resources, such as the CPU, Memory, Disk, or I/O.

Total Response Time is the total amount of time between the client request and when the client receives the first response packet from the server.

Average time (ms) elapsed from the start of a client request to the completion of server response. Transaction times might vary significantly depending upon application types. Relative thresholds are useful in this situation.

Transaction time is a key indicator when detecting application performance anomalies.

Amount of time it takes a server to send the initial response to a client request as seen by the Packet Analyzer.

Average elapsed time from the first server-response packet to the last server-response packet, excluding retransmission time. Data transfer time is always measured in the server-to-client direction and can be used to detect problems for a particular type of transaction of an application.

Average time to retransmit lost packets, per transaction.

Average round trip time for the client to acknowledge (ACK) a server TCP packet.

Average of the Server Network Time (network time between a server and Packet Analyzer probing point).

Maximum of the Server Network Time (network time between a server and Packet Analyzer probing point).

Average of the network time between client and server. Network Time is the sum of Client Network Time and Server Network Time. Packet Analyzer measures the Network Time using TCP 3-way handshakes. If there are no new TCP connections made during the monitoring interval, this metric is not reported.

Maximum of the network time between client and server.

Number of TCP payload bytes sent from the server(s) during the monitoring interval.

Number of TCP payload bytes sent from the client(s) during the monitoring interval.

Calling number as it appears in the signaling protocol.

Called number as it appears in the signaling protocol.

RTP receiving address of the calling party detected by the Packet Analyzer from inspecting the call signaling protocol.

RTP receiving port of the calling party detected by Packet Analyzer from inspecting call signaling protocol.

Calling party name detected by Packet Analyzer from inspecting call signaling protocol.

IP address of the phone receiving the call.

Port of the phone receiving the call.

Alias name, MGCP endpoint ID, or SIP URI of the called party phone.

Jitter value reported by calling party at the end of the call.

Percentage of packet loss reported by calling party at the end of the call.

Time when the call was detected to start.

Time when the call was detected to end.

Duration of the call.

Note When the call signaling’s call tear down sequence is not detected by the Packet Analyzer, the Packet Analyzer will assume:
- the call ended after 3 hours in low call volume per interval
- the call ended after 1 hour in high call volume per interval (high call volume is defined as call table filled up during the interval.)

Jitter value reported by called party at the end of the call.

Percentage of packet loss reported by called party at the end of the call.

IP Address of the originator of the RTP stream

UDP port of the originator of the RTP stream

IP address of the receiver of the RTP stream

UDP port of the receiver of the RTP stream

Encoding decoding format/algorithm of the RTP stream

Synchronization source number as it appear in the RTP header

Packet Analyzer calculated score that takes into account of the duration of the stream

Jitter that takes into account of the duration of the RTP stream among all per-interval reports

Percentile of adjust packets lost against total packets of all per-interval RTP reports.

Video stream sending IP address/L4 port of the signaling session detected by the Packet Analyzer from the media signaling protocol.

Video stream receiving IP address/L4 port of the signaling session detected by the Packet Analyzer from the media signaling protocol.

Signaling protocol.

Encoding decoding format/algorithm of the video stream.

RTP payload type in video stream detected by Packet Analyzer from inspecting call signaling protocol.

Transport protocol of video stream detected by Packet Analyzer from inspecting call signaling protocol.

Video source host name or calling party name detected by Packet Analyzer from inspecting call signaling protocol.

Video destination host name or calling party name detected by Packet Analyzer from inspecting call signaling protocol.

Synchronization source number in the RTP header from inspecting call signaling protocol.

Time when the video channel was setup and detected by the Packet Analyzer.

Time when the video channel was ended and detected by the Packet Analyzer.

Video stream duration.

IP Address/L4 port of signaling server.

IP Address/L4 port of signaling client.

VLAN of signaling session packets.

Transport layer protocol of signaling session.

IP Address/L4 port of the originator of video stream.

IP Address/L4 port of the receiver of video stream.

Synchronization source number as it appears in the RTP header of the video stream.

Program ID for MPEG2-TS video traffic.

Encoding decoding format/algorithm of the video stream.

Codec protocol, it could be H264, MPEG2-TS or the others supported by Packet Analyzer.

I-Frame loss rate in average of this period in percentage.

Frame loss rate in average of this period in percentage.

Delay Factor average of this period in unit of ms.

Media Loss Rate in average of this period, it is the percentage rate of packets loss.

IP Address/L4 port of video server or video sender of calling party.

IP Address/L4 port of video client or video receiver of calling party.

Calling party name detected by Packet Analyzer from inspecting call signaling protocol or video server alias. It could be MGCP endpoint ID, or SIP URI of the called party phone and so on.

Called party name detected by Packet Analyzer from inspecting call signaling protocol or video client alias. It could be MGCP endpoint ID, or SIP URI of the called party phone etc.

Signaling protocol of this media session.

Time when the signaling session was detected to start.

Time when the signaling session was detected to end.

Duration of this signaling session.

Calling number as it appears in the signaling protocol, if it is a VoIP call.

Called number as it appears in the signaling protocol, if it is a VoIP call.

IP address or UDP port of the originator of the RTP stream.

IP address or UDP port of the receiver of the RTP stream.

Encoding decoding format/algorithm of the RTP stream.

Synchronization source number as it appears in the RTP header.

Packet Analyzer calculated score that takes into account of the duration of the stream.

Time when the RTP stream was discovered by the Packet Analyzer

IP Address of the originator of the RTP stream

UDP port of the originator of the RTP stream

IP address of the receiver of the RTP stream

UDP port of the receiver of the RTP stream

Encoding decoding format/algorithm of the RTP stream

Synchronization source number as it appear in the RTP header

Packet Analyzer calculated score that takes into account of the duration of the stream

Provides a summary of the displayed capture including number of packets captured, bytes captured, average packet size, capture start time, duration of capture, and data transfer rate (both bytes and bits per second)

Displays a graphic image of network traffic (KB/second)

Displays packets and bytes transferred for each protocol

Displays packets and bytes transferred for each host address

Time the capture was last started. You can stop and restart the capture as many times as necessary.

Size of the session

Note Capture to files indicates the capture is being stored in one or more files and is a link to those files.

The capture file size is limited to 500 MB on Nexus 1000V and vNAM. On all other Packet Analyzer platforms, the capture file size limit is 2,000 MB.

The current status of the capture:

• Running—Packet capture is in progress
• Stopped—Packet capture is stopped. Captured packets remain in buffer, but no new packets are captured
• Full—The memory or file is full, and no new packets will be captured.

The location of the capture (Memory, Local Disk, and external storage).

Create a new capture session. See Configuring Capture Sessions.

Edit the settings of the selected capture.

Delete a selected session. Not available if capture session is running.

Start capturing to a selected session. The number in the Packets column for that session will start to increase.

Stop capturing to the selected session (no packets will go through). Capture data remains in the capture memory buffer, but no new data is stored. Click Start to resume the capture.

Clear captured data from memory.

Display details of the capture session.

Save a session to a file on the Packet Analyzer hard disk. See Working with Capture Files.

The slice size in bytes; used to limit the size of the captured packets.

Enter a value between 64 and 9000. Enter zero (0) to not perform slicing.

If you have a small session but want to capture as many packets as possible, use a small slice size.

If the packet size is larger than the specified slice size, the packet is sliced before it is saved in the capture session. For example, if the packet is 1000 bytes and slice size is 200 bytes, only the first 200 bytes of the packet is stored in the capture session.

Data-Ports or ERSPAN

Choose the capture source (check one or more check boxes):

• Data-ports: This accepts SPAN, RSPAN, and VACL capture.
• ERSPAN: Locally terminated is recommended.

Note On some platforms, you may be limited to selecting only one of the dataports at a time. Most platforms allow you to select both dataports at once.

Check to store captures in memory

Enter values for Memory Size for this capture. Enter a number from 1 up to your platform maximum. If system memory is low, the actual session size allocated might be less than the number specified here.

Check (if desired) Wrap when Full to enable continuous capture (when the session is full, older packet data is removed to make room for new incoming packets). If you do not check Wrap when Full, the capture will end when the amount of data reaches size of session.

File Size (MB)

Enter a value for File Size (file size can be from 1 MB to 500/2000 MB depending on your platform). If disk space is not available, you are not able to start new capture-to-disk sessions.

Number of Files

Enter a value for Number Of Files to use for capture. The maximum is determined on the size of the file, numbers of files stored, and the amount of disk space available at the location where these files are stored.

Rotate Files

Use this feature if you plan to capture sets of small files that allow you to perform instantaneous downloads, decodes, and analysis. Rotating files allows you to automatically maintain your storage space.

Check the Rotate Files check box to rotate files. Available only for remote storage or Packet Analyzer appliances. For information about configuring remote storage, see About Capturing to Data Storage.

If you choose the Rotate Files option, when you reach the highest number file, the earliest file is overwritten. For example, if you specify No. Files to 10, file CaptureA_1 is overwritten after the Packet Analyzer writes capture data to file CaptureA_10. To determine the most recent capture, check each file’s time stamp.

File Location

If file data storage is available, choose one of the storage targets in the drop-down list. The drop-down list displays only those targets in the Ready state.

Local disk is the default, or choose a previously configured remote storage location if available. Each option shows the amount of disk space available for capture packet storage.

Maximum capture session size for capture to disk is determined by the available space on the capture target. You can manage these locations from the Capture > Data Storage page (see Utilizing Capture Data Storage).

The protocol to match with the packet.

Choose a protocol from the list. (Select All to match all packets regardless of protocol.)

Indicates whether to filter by MAC or IP address.

Choose MAC to filter using the source/destination MAC address of the packets.

Choose IP to filter using the source/destination addresses of the packets.

Indicates whether the filter is applied to traffic in both directions.

If the source is host A and the destination is host B, enabling both directions filters packets from A to B and B to A.

If the source is host A and the destination is not specified, enabling both directions filters packets both to and from host A.

The offset (in bytes) from the Base where packet data-matching begins.

Enter a decimal number.

The base from which the offset is calculated.

If you select absolute, the offset is calculated from the absolute beginning of the packet (for example, the beginning of the Ethernet frame).

If you select protocol, the offset is calculated from the beginning of the protocol portion of the packet. If the packet does not contain the protocol, the packet fails this match.

Choose absolute or a protocol.

The data to be matched with the packet.

Enter hh hh hh..., where hh are hexadecimal numbers from 0-9 or a-f. Leave blank if not applicable.

An advanced feature to set up complex filter conditions.

The simplest filter allows you to check for the existence of a protocol or field. For example, to see all packets that contain the IPX protocol, you can use the simple filter expression ipx.

See Tips for Creating Custom Decode Filter Expressions.

eth.addr
eth.src
eth.dst

MAC address

hh:hh:hh:hh:hh:hh, where h is a hexadecimal number from 0 to 9 or a to f.

ip.addr
ip.src
ip.dst

IP address

n.n.n.n or n.n.n.n/s, where n is a number from 0 to 255 and s is a 0-32 hostname that does not contain a hyphen.

tcp.port
tcp.srcport
tcp.dstport

TCP port number

A decimal number from 0 to 65535.

udp.port
udp.srcport
udp.dstport

UDP port number

A decimal number from 0 to 65535.

protocol

Protocol

Click the Protocol list in the Custom Decode Filter dialog box to see the list of protocols on which you can filter.

protocol [ offset : length ]

Protocol data pattern

hh:hh:hh:hh..., where hh is a hexadecimal number fro 0 to 9 or a to f.

offset and length are decimal numbers.

offset starts at 0 and is relative to the beginning of the protocol portion of the packet.

frame.pkt_len

Packet length

A decimal number that represents the packet length, not the truncated capture packet length.

Warn : Warning; for example, an application returned an unusual error code

Error : A serious problem, such as malformed packets

Checksum : A checksum was invalid

Sequence : Protocol sequence is problematic

Response Code : Problem with the application response code

Request Code : An application request

Undecoded : Dissector incomplete or data can’t be decoded

Reassemble : Problems while reassembling

Malformed : Malformed packet or dissector has a bug; dissection of this packet aborted

Both Ports, Data Port 1, Data Port 2

—

Equal To, Not Equal To, Greater Than, Less Than

Min. 64, Max 65535

Equal To, Not Equal To, Greater Than, Less Than

Min. 1, Max 4095

Equal To, Not Equal To

Min. 0, Max 1048575

Equal To, Not Equal To

IPv4 address

Equal To, Not Equal To

IPv4 address

Equal To, Not Equal To

ICMP, IGMP, IP in IP, GRE, L2Tp, TCP, UDP, Integer

With Custom, you can enter a custom value that is not in the list of common protocols. Enter min. 1, max 255.

Equal To, Not Equal To

Min. 1, Max 65535

Equal To, Not Equal To

Min. 1, Max 65535

Filters packets based on 4-byte hexadecimal patterns anywhere in the first 256 bytes.

Equal To, Not Equal To

Packet numbers, listed numerically in capture sequence. If the decode (display) filter is active, the packet numbers might not be consecutive.

Time the packet was captured relative to the first packet displayed (not the first packet in the session). To see the absolute time, see the Detail window.

Packet source, which might be displayed as hostname, IP, IPX, or MAC address. To turn hostname resolution on and off for IP addresses, choose the Setup tab and change this setting under Preferences.

Packet destination, which might be displayed as hostname, IP, IPX, or MAC address.