OmniPeek User Guide - Capture

Viewing and Decoding Packets

About packets

Capturing packets into a capture window

Viewing captured packets

Applying decryption in the Packets view

Saving captured packets

Printing packet lists and packet decode windows

Decoding packets

Showing data offsets and mask information

Applying decryption from the packet decode window

Choosing a decoder

Decode reassembled PDU

Using thread intelligence

About packets

Packets, the units of data carried on the network, are the basis for all higher level network analysis. When troubleshooting network problems, it is important to be able to drill down into the packets themselves by looking at their individual decodes as well as use the packets captured into the buffer as the foundation for expert and statistical analysis. The Packets view of a capture window is where you can view information about the individual packets transmitted on your network.

Packets can be captured in multiple configurable capture windows, each with its own selected adapter, its own dedicated capture buffer, and its own settings for filters, triggers, and statistics output. With OmniPeek, you can have capture windows for capturing packets locally from OmniPeek, and remotely from an OmniEngine. The number of capture windows you can have open at one time is only limited by the amount of available memory.

Capturing packets into a capture window

To capture packets:

  1. Create a new capture as defined in Creating an OmniPeek capture window.
  2. Select the Packets view of the capture window.
  3. Click Start Capture to begin capturing packets. The Start Capture button changes to the Stop Capture button and packets begin populating the capture window.

    Tip: You can right-click a column heading to hide or display column headings. See Packet list columns for a list of available columns.

  4. Click Stop Capture when you want to stop capturing packets. You have various options for saving captured packets. See Saving captured packets. Review the rest of this online help to learn how you can use the data from the captured packets to analyze your network.

    Tip: To resume capturing from where you left off, hold down the Shift key and click the Start Capture button. To empty the capture buffer and start a new capture, simply click the Start Capture button again.

OmniEngines Captures tab

The Captures tab in the OmniEngines window is where you create and manage the captures taking place on a particular OmniEngine.

The Captures tab lists all the currently defined captures for a particular OmniEngine, along with summary information about each OmniEngine. Right-click any column header to display a list of available columns to display. See OmniEngine capture tab columns for a description of the available columns.

The clickable buttons in the toolbar of the OmniEngines window are described below:

  • Insert: Creates a new OmniEngine capture window.

    Important: When you create an OmniEngine capture, that capture continues to exist on the OmniEngine until you delete it, regardless of whether its OmniEngine capture window is open. By contrast, when you close an OmniPeek console capture window, the capture is stopped.

  • Delete: Deletes the selected capture.
  • Start Capture: Starts capturing packets for the selected capture. This button also works when the OmniEngine capture window is open. When an OmniEngine capture window is open in OmniPeek, you can also click the Start Capture button of the window to start capture.
  • Stop Capture: Stops capturing packets for the selected captures. This icon also works when the OmniEngine capture window is open. When an OmniEngine capture window is open in OmniPeek, you can also click the Stop Capture button of the window to stop capture.
  • Capture Options: Displays the Capture Options dialog for the selected capture.
  • Refresh: Updates the information in the Captures view, retrieving the most current information from an OmniEngine. You can also set an automatic refresh interval by selecting an interval from the drop-down list to the right of the Refresh button.

    Important: Users that do not have permission to create or modify OmniEngine capture windows will find features grayed out, missing, or will receive an error message indicating the task is not allowed. For details, see the OmniEngine Getting Started Guide or the online help in the Omni Management Console application.

Viewing captured packets

The Packets view displays details about each packet, including information provided by the Expert function and Analysis Modules. You can show or hide the Decode and Hex panes of the packets view to see a decode, as well as the raw hexadecimal and ASCII values of the selected packet.

Navigating the Packets view

The Packets view can display any combination of the Packet List, Decode, Hex, and ASCII panes. The toolbar lets you show or hide the panes. The filter bar lets you create a wide variety of advanced filters quickly and directly from the capture window. See Creating filters with the filter bar.

The buttons in the Packets view toolbar are described here:

    • Decode Previous: Decodes the previous packet.
    • Decode Next: Decodes the next packet.
    • Show Packet List: Shows or hides the Packet List view.
    • Show Decode View: Shows or hides the Decode view.
    • Show Hex View: Shows or hides the Hex view.
    • Toggle Orientation: Changes the orientation of how the Packet List, Decode, and Hex views are displayed.
    • Zoom Pane: Shows only the view of what is currently selected.
    • Auto Scroll: Enables or disables the scrolling of packets when packets are being captured. Alternatively, you can press CTRL+K to enable or disable scrolling.
    • Display Filter: Displays in the packet list only the packets that pass (match) the selected filter. Choosing All shows all packets. This functionality is available with capture windows; however, it cannot be used while capturing (you must stop the capture first). See Display filters.

      Tip: Hold down the Shift key to show only those packets which do NOT match the selected filter for the entire buffer. Hold down the Ctrl key to apply the filter for only those packets which are currently visible. Hold down both Shift and Ctrl together to hide any currently visible packets which do not match the selected filter.

    • Make Filter: Opens the Insert Filter dialog to create a filter based on the selected packet.
    • Insert Into Name Table: Opens a dialog to add the selected packet into the Name Table. From the dialog, you can also select Node type icons that will appear to the left of the selected packet. For example, Workstation, Server, Router, or Access Point.
    • Resolve Names: Checks the DNS server for a name to match the supplied address.
    • Edit Note: Opens the Edit Note dialog to add a note to the selected packet.
    • Delete Note: Deletes any note entered for the selected packet.
    • Properties: Displays properties for the capture window. A note can be added to the properties of the capture window.

The Packets view panes are described here:

  • Packet List: This pane displays information about each packet in a table with user-configurable columns. Right-click a column head to show or hide other available columns. You can also drag column heads to other positions within the table. See Packet list columns. You can also right-click a packet for additional options, including Select Related Packets. See Selecting related packets.

    Important: By selecting, hiding, and unhiding packets in the Packet List, you can force a recalculation of statistics in other views of the window, based only on the packets that remain visible. See also Copying selected packets to a new window.

  • Decode: This pane displays detailed information about the selected packet. Click a detail and the corresponding hexadecimal values and ASCII characters are automatically highlighted in the Hex pane. See Decoding packets for more information.

    Tip: You can double-click a packet to display its Decode window.

  • Hex: This pane displays the selected packet as raw hexadecimal values and ASCII characters. Click a hexadecimal value or an ASCII character and the corresponding details are automatically highlighted in the Decode pane.

Customizing packet views

You can customize the way packets are displayed in the Packets view by using the Packet List Options dialog.

To open the Packet List Options dialog:

  • Click a column head in the Packet List pane. The Packet List Options dialog appears.
    • Columns: This tab lets you show, hide, and rearrange columns. See Packet list columns for descriptions.
    • Flags: This tab lets you define both the flag character and the color associated with flagged packets.
    • Format: This tab lets you set the timestamp format (in milliseconds, microseconds, nanoseconds), as well as configure properties for how packets are displayed.

    Note: Click the Help button in each of these tabs to learn more about specific options and settings.

Adding notes to packets

You can add descriptive notes to individual packets. The notes are saved whenever the capture window is saved to any of the native OmniPeek capture file formats. See Save file formats.

Note: Adding notes to packets is not supported in the Packets view of an OmniEngine capture window.

To add a note:

  1. Select the packet in either the Packets List or in its own Packet Decode window.
  2. Click the Edit Note button. The Edit Note dialog appears.
  3. Type the text for the note and click OK.

    Tip: You can also make a note on the contents of a capture window by entering text in the Properties dialog. Click the Properties button to open the Properties dialog.

Applying decryption in the Packets view

You can apply a particular key set to decrypt all or some of the encrypted packets in a capture window. An encrypted packet appears in the Packets view with a W in the Flag column and 802.11 TKIP Data or 802.11 WEP Data in the Protocols column.

To apply decryption in the Packets view:

  1. Choose Tools > Decrypt WLAN Packets.... The Decrypt WLAN Packets dialog appears.
  2. Select All packets, Selected packets only, or those packets in the current window which are Encrypted only. Your key set will be applied to this selection of packets.

    Important: If you are using a WPA key set, you must select All packets to ensure the inclusion of the four-way handshake authentication that established the PTK (Pairwise Transient Key) and GTK (Group Transient Key) used to encrypt the target packets.

  3. Select an existing key set under Use key set or browse to open the Key Set options to create a new key set.
  4. When you have made your selections, click OK to apply the chosen key set to the chosen packets. A new capture window opens containing the results of the decryption. This new window has the name of the original target window, with the string "- Decrypted" appended to it.

    Note: An 802.11 key set cannot be changed while capture is under way. A new key set will not be applied until a capture is stopped and a new capture is created.

Saving captured packets

You can save captured packets to a supported file format for later examination and comparison. You can choose to save all packets currently visible in the active window, or just the packets currently selected.

To save all packets:

  1. Choose File > Save All Packets....
  2. Select the file format and click Save. (See Save file formats for a description of the available file formats.)

To save selected packets:

  1. Select the desired packets.
  2. Choose File > Save Selected Packets....
  3. Select the file format and click Save. (See Save file formats for a description of the available file formats.)

Save file formats

You can save packets to the supported file formats below.

Capture file formats

The capture file formats are:

  • WildPackets Packet File (*.pkt): The packets are saved to a WildPackets packet file format, with a *.pkt extension.
  • WildPackets Packet File (compressed) (*.wpz): The packets are saved to a compressed WildPackets packet file format used to save disk space. This file format uses a *.wpz extension.
  • WildPackets Classic Packet File (*.pkt): The packets are saved to a WildPackets packet file format compatible with older WildPackets programs, such as older versions of AiroPeek, EtherPeek SE (5.0 and earlier), EtherPeek NX (2.0 and earlier), NetSense, and ProConvert. This file format uses a *.pkt extension.
  • NG Sniffer DOS file (*.enc): The packets are saved as a Sniffer® trace file in DOS format. This file format uses a *.enc extension.

    Note: The compressed Packet File format (*.wpz) is not supported for automatic file creation during packet capture. When a capture window is set to Continuous Capture, Save to Disk, only the uncompressed format (*.pkt) can be used to automatically save the resulting files. The compressed format can be used normally to Save All Packets... or Save Selected Packets... from any capture window.

Other file formats

In addition to the capture file formats above, you can save packets from any media type to the following formats.

  • Packet List (Tab delimited, UTF-8) (*.txt): The packets and columns displayed in the Packet List are saved to a tab-delimited text file in UTF-8 encoding.
  • Packet List (Comma delimited, ASCII) (*.csv): The packets and columns displayed in the Packet List are saved to a comma-delimited text file in ASCII encoding.
  • Decoded Packets (*.txt): The packets are decoded and saved to a plain text file.
  • Decoded Packets (*.rtf): The packets are decoded and saved to an RTF file that preserves the text formatting and page layout of the same packets in the Decode view of the Packet Decode window.
  • Decoded Packets (*.htm): The packets are decoded and saved to an HTML file that preserves the text formatting and page layout of the same packets in the Decode view of the Packet Decode window.
  • Libpcap (Wireshark, Tcpdump, Ethereal, etc.) (*.pcap): The packets are saved to a binary format compatible with many free/open source programs such as tcpdump and Ethereal.
  • Raw Packet Data (*.txt): The packets are saved to a file as raw text. The file includes raw hexadecimal and ASCII data, 16 bytes per line, hex on the left, ASCII on the right.
  • TCP/UDP/RTP Data File (*.*): The part of the packet that is after the end of the TCP, UDP, or RTP header, up to and including the data at the offset specified by the Total Length field of the IP header is saved to a filename and file format that you must specify. This part of the packet typically contains the application data for file transfers. If multiple packets are selected, their contents are saved as one continuous file, in packet number order.

Deleting all packets

You can only choose to delete all packets, and not a selected group of packets.

Note: There is no direct command to delete packets from an OmniEngine capture window. If you restart a capture in the OmniEngine capture window, all existing packets are deleted first. Capture files already saved to disk are not affected. Capture files saved to disk can be managed through the Files tab of the OmniEngines window.

To delete all packets, including any hidden packets:

  • Choose Edit > Clear All Packets.

    Tip: You can choose Copy Selected Packets to New Window from the context menu in the Packets view to isolate a selected group of packets. See Copying selected packets to a new window.

Printing packet lists and packet decode windows

You have several options for printing packets from a capture window.

To print the packets currently displayed in the Packets view:

  • Choose File > Print....

    Note: For more on selecting, hiding, and unhiding packets, see Post-capture Analysis.

To print selected packets as decoded packets:

  • Choose File > Print Selected Packets....

The packets are decoded and saved to an RTF file that preserves the text formatting and page layout of the same packets in the Decode view of the Packet Decode window.

Tip: You can also save the packets as decoded packets in an RTF or HTML format, and then print them from another application that can read and print those file types. This alternative preserves the formatting of the Packet Decode window and allows multiple packets to be printed on individual pages.

Decoding packets

When troubleshooting your network or tracking down a security breach, analyzing the details of a packet can be very useful. You can view the details of a packet by opening the packet in a Packet Decode window.

The Packet Decode window makes packet headers readable and understandable.

To open a packet in a Packet Decode window:

  • Double-click a packet in the Packet List.

    Tip: You can open Packet Decode windows for up to 10 packets at once: simply select multiple packets in the active Packet List and press Enter.

Window header

The window header has the following parts:

  • Title bar: Displays the capture window name and the number of the packet.
  • Navigation and display icons: These icons let you navigate through packets and control display options for the Packet Decode window.
    • Decode Previous: Displays the previous packet (you can also press F7 to display the previous packet)
    • Decode Next: Displays the next packet (you can also press F8 to display the next packet)
    • Show Decode View: Shows or hides the Decode view
    • Show Hex View: Shows or hides the Hex view
    • Toggle Orientation: Changes the orientation of both the Decode and Hex view, when both views are displayed.
    • Zoom Pane: Displays only the currently active view (the view with the current active highlight). Click this icon again to toggle back to the previous view.
    • Make Filter: Makes a filter based on the selected item in the Decode view. See Creating filters with the Make Filter command.
    • Insert Into Name Table: Opens the Edit Name dialog. See Adding entries to the name table.
    • Resolve Names: Substitutes name for logical address. See OmniPeek name resolution.
    • Edit Note: Inserts a note. See Adding notes to packets.
    • Delete Note: Deletes an existing note for the packet. See Adding notes to packets.
  • Decoder options:

Decode view

The Decode view displays decoded packet data in byte order from top to bottom. Click the minus or plus signs to collapse or expand the view of any header section. In collapsed mode, you get a summary of the layer.

The Packet Info (in green) at the top is generated automatically by OmniPeek. The following table lists the parameters that may appear in Packet Info.

| Parameter | Description |
|---|---|
| Flags | Denotes the flag of a packet. Packets can be flagged, based on their match with a variety of conditions. Flags vary from one network medium to another. |
| Status | Indicates any one of several conditions, including that the packet was truncated or sliced. Shows a value of 0x00 when the packet does not have any of these other conditions. |
| Packet Length | The number of bytes that the card retrieved off the network for this packet, including all header information and FCS. |
| Slice Length | When Slice Length appears, it indicates the number of bytes of the packet which were captured. This is shown only if packet slicing was used on a packet, or if data was truncated because it was unavailable. |
| Timestamp | The time the packet was received. |
| Data Rate | The data rate at which the body of the 802.11 WLAN packet was transmitted. |
| Channel | The 802.11 WLAN channel number and radio frequency at which the packet was transmitted. |
| Signal Level | The signal strength of the transmission in which the 802.11 WLAN packet was received, expressed as the RSSI normalized to a percentage. |
| Signal dBm | The signal strength of the transmission in which the 802.11 WLAN packet was received, expressed in dBm (decibel-milliWatts). If the packet was captured on an adapter that does not report values for signal level in dBm, this item will not be shown. |
| Noise Level | The noise level reported in the receipt of this 802.11 WLAN packet, expressed as a percentage. If the packet was captured on an adapter that does not report values for noise, this will show as 0%. |
| Noise dBm | The noise level reported in the receipt of this 802.11 WLAN packet, expressed in dBm (decibel-milliWatts). If the packet was captured on an adapter that does not report values for noise in dBm, this item will not be shown. |

Note: OmniPeek decodes hundreds of network, transport, application and device control protocols, displaying both the commands and their meaning. When the data portion of the packet is listed toward the end of the Decode view simply as data, OmniPeek has reached a layer of the packet that it cannot decode with the current or default decoder. For details about selecting an alternative decoder, see Choosing a decoder. If you are writing your own protocols and wish to write your own decoders, see Writing your own decoders.

Hex and ASCII views

The Hex view displays the actual packet contents as raw hexadecimal values and its ASCII (or EBCDIC) equivalent.

Color coding is used to link the Decode view with the Hex view for both Hex and its ASCII equivalent. The Hex and ASCII views are in turn linked to the color of the protocol shown in the Protocols column of the Packet List.

When you highlight a section of the Decode view, the corresponding portion of the hex data and the ASCII data in the Hex view is shown in gray. Conversely, if you highlight a section in the Hex view, the corresponding portion of the Decode view is also highlighted.

You can choose display options by right-clicking inside the Hex and ASCII views and selecting from the following options:

  • Copy: Copies the selected data in the Decode, Hex, and ASCII views. If a data field is selected in the Decode view, the data field and value are copied. If a Hex value is selected in the Hex view, the data field and value are copied. If an ASCII value is selected in the ASCII view, the ASCII value is copied.
  • ASCII: Displays the text portion of the Hex view as ASCII
  • EBCDIC: Displays the text portion of the Hex view as EBCDIC
  • Decimal Offsets: Displays the offsets to the left of the hexadecimal values as decimal values
  • Hexadecimal Offsets: Displays the offsets to the left of the hexadecimal values as hexadecimal values
  • Show Offsets: Hides or displays the Offset values
  • Show Hex: Hides or displays the hexadecimal values
  • Show ASCII: Hides or displays the ASCII values
  • Show Colors: Hides or displays color
  • Bytes Per Row: Controls the width of the Hex view

    Important: Many protocols, especially the older Internet protocols such as HTTP, POP3, FTP, Telnet, and others transmit packet data in plain ASCII text. To prevent unauthorized access to this data, controlling access to OmniPeek should be a normal part of your security routine.

Showing data offsets and mask information

Offsets are a measure of location within a packet, counted as the distance in bytes from the first byte of the packet. The offset of the first byte is "0," that of the second byte is "1," and so on.

The mask is a mathematical way of defining a particular bit or bits within a byte. The offset and mask information is especially useful when developing protocols, constructing filters, and in a variety of other detailed packet analysis tasks.

To hide or display offsets in the Decode view:

  • Click the Show Offsets icon.

    Tip: You can quickly create a filter that matches the value found at a particular point in a packet, directly from the Decode view. Highlight the item you wish to match and click the Make Filter button, or right-click and choose Make Filter....
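The offset and mask idea described above, as an added Python example (not OmniPeek code or its filter syntax): a value filter tests whether the bytes at an offset, ANDed with a mask, equal an expected value. The frame builder, function names, and addresses are constructed for illustration and assume an untagged Ethernet II frame carrying IPv4 and TCP.

```python
import struct

ETH_LEN = 14  # Ethernet II header without a VLAN tag (assumption of this example)


def field_at(packet, offset, mask):
    """Return the masked bytes at `offset`, or None if they were not captured."""
    end = offset + len(mask)
    if offset < 0 or end > len(packet):
        return None  # sliced or truncated packet: the field is past the captured bytes
    return bytes(b & m for b, m in zip(packet[offset:end], mask))


def matches(packet, offset, mask, value):
    """Offset/mask filter: True when (bytes at offset AND mask) == (value AND mask)."""
    if len(mask) != len(value):
        raise ValueError("mask and value must have the same length")
    got = field_at(packet, offset, mask)
    return got is not None and got == bytes(v & m for v, m in zip(value, mask))


def tcp_flags_offset(packet):
    """Offset of the TCP flags byte, computed from the IPv4 IHL nibble.

    The low four bits of the byte at offset 14 (mask 0x0F) give the IP header
    length in 32-bit words, so a fixed offset is only right when IHL is 5.
    """
    ihl = field_at(packet, ETH_LEN, b"\x0f")
    if ihl is None:
        return None
    return ETH_LEN + ihl[0] * 4 + 13  # flags are byte 13 of the TCP header


def build_frame(tcp_flags, dport, ip_options=b""):
    """Construct a sample Ethernet/IPv4/TCP frame (constructed data, zero checksums)."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4
    eth = bytes.fromhex("020000000002" "020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 0x1234,
                     0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 1000, 0, 0x50, tcp_flags,
                      65535, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    syn = build_frame(0x02, 8080)      # SYN only
    synack = build_frame(0x12, 8080)   # SYN+ACK
    with_opts = build_frame(0x02, 8080, ip_options=b"\x01" * 4)  # four NOP options

    # Offset 14, mask 0xF0: the IP version nibble.
    print("IPv4:", matches(syn, 14, b"\xf0", b"\x40"))
    # Offset 36, two-byte mask: TCP destination port 8080 (0x1F90) when IHL is 5.
    print("dport 8080:", matches(syn, 36, b"\xff\xff", b"\x1f\x90"))
    # Offset 47, mask 0x12 (SYN|ACK bits), value 0x02: SYN set and ACK clear.
    print("SYN only:", matches(syn, 47, b"\x12", b"\x02"))
    print("SYN+ACK passes SYN-only filter:", matches(synack, 47, b"\x12", b"\x02"))
    # IP options shift the TCP header, so the fixed offset misses the flags byte.
    print("fixed offset with options:", matches(with_opts, 47, b"\x12", b"\x02"))
    print("computed offset with options:",
          matches(with_opts, tcp_flags_offset(with_opts), b"\x12", b"\x02"))
    # A packet sliced to 40 bytes never matches a filter on byte 47.
    print("sliced packet:", matches(syn[:40], 47, b"\x12", b"\x02"))
```

A filter built on a fixed offset silently stops matching when IP options or packet slicing move or remove the field, which is worth checking before relying on such a filter for detection.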

Applying decryption from the packet decode window

You can decrypt WPA or WEP-encrypted packets directly from the Packet Decode window.

To decrypt a WPA or WEP-encrypted packet:

  1. Click the Apply Decryption icon. The Decrypt WLAN Packets dialog appears.

Choosing a decoder

Decoders provide the instructions required to display packet contents, based on the type of protocols used. For certain packets, you can choose a decoder directly from the Packet Decode window. Choosing a decoder is particularly useful in environments where new protocols are under development, or where TCP or UDP applications are using non-standard ports.

When the Choose Decoder option is available for a certain packet, the Choose Decoder icon appears in the Packet Decode window.

To choose a decoder for the packet:

  1. Click the Choose Decoder icon if it is available in the Packet Decode window. The Select Decoder dialog appears with a list of decoders available for the packet.
  2. Select the desired decoder and click Use Decoder.
  3. The decoder you choose will be used for the current packet and all subsequent packets of the same type.

    Important: To restore the default, select Default Decoder from the Select Decoder window.

    Note: WildPackets provides decoders for hundreds of protocols and subprotocols (see http://www.wildpackets.com/support). The modules that decode packets are installed in the Decodes folder where the program is installed.

Line decoders

The Select Decoder window shows a context-sensitive list of decoders which can be applied to the current packet. If the packet contains TCP or UDP, this list will include generic line decoders such as Display Number Of Bytes. The following table lists the available line decoders and their behavior.

| Decoder | Shows |
|---|---|
| Default Decoder | When you select this decoder, the program returns to its default behavior when decoding packets of the current type. Use this selection to stop using any decoder previously selected in the Select Decoder window and restore the program's ability to choose its own decoder. |
| Display Number Of Bytes | This line decoder displays only the number of bytes in the UDP or TCP payload of the packet. |
| Display Text And Binary | This line decoder displays 0x00 through 0x1F as their code equivalents (0x00, for example, is <NULL>), displays (non-extended) ASCII characters as ASCII text, and displays any other values as a dot (.). In contrast, the ASCII part of the Hex view displays the extended ASCII character set (which includes accented characters, for example) and displays all non-ASCII values as dots. |
| Display All Lines | This line decoder displays only (non-extended) ASCII characters, plus line feed / carriage return (0x0D and 0x0A). When it encounters the first value outside this set, the decoder stops and displays the number of bytes remaining in the payload portion of the UDP or TCP packet. |
| Display Fields And Lines | This line decoder searches for lines containing semi-colons (;). Each line with a semi-colon is split in two, with the part before the semi-colon treated as the label and the part to the right of the semi-colon treated as the data. Lines containing text without semi-colons are treated as for the Display All Lines decoder above. That is, non-extended ASCII text is displayed until the first non-ASCII character is reached. The decoder then displays the number of bytes remaining in the payload of the TCP or UDP packet. This decoder is particularly useful for scanning through the Label;Value pairs found in HTTP and FTP packets, particularly when the transactions are taking place on ports other than the default port 80 (HTTP) or port 21 (FTP). |
| Display Text Lines Only | This line decoder displays all the non-extended ASCII characters, plus line feeds and carriage returns (LF/CR), ignoring all other characters. If no LF/CR is encountered, lines are automatically wrapped at 120 characters. |
| Display Dotted Names Only | This line decoder searches for lines of non-extended ASCII text containing the period character (.). It displays each such line. All other lines are ignored. This decoder is useful when scanning for file names and IP names and addresses that use dotted notation. |
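To make the differences between the line decoders in the table concrete, here is an added Python sketch written from the table's descriptions (it is not WildPackets code, and OmniPeek's actual output formatting may differ). The function names, the control-code labels other than `<NULL>`, and the sample payload are assumptions constructed for this example.

```python
# Labels for 0x00-0x1F. Only <NULL> is given on the page; the rest are the
# standard ASCII control-code abbreviations, assumed here for illustration.
CTRL = ["NULL", "SOH", "STX", "ETX", "EOT", "ENQ", "ACK", "BEL", "BS", "HT",
        "LF", "VT", "FF", "CR", "SO", "SI", "DLE", "DC1", "DC2", "DC3", "DC4",
        "NAK", "SYN", "ETB", "CAN", "EM", "SUB", "ESC", "FS", "GS", "RS", "US"]
CRLF = (0x0D, 0x0A)


def is_text(b):
    """Non-extended printable ASCII (space through tilde)."""
    return 0x20 <= b <= 0x7E


def text_and_binary(payload):
    """Display Text And Binary: control codes as <NAME>, ASCII as text, rest as '.'."""
    out = []
    for b in payload:
        if b < 0x20:
            out.append("<%s>" % CTRL[b])
        elif is_text(b):
            out.append(chr(b))
        else:
            out.append(".")
    return "".join(out)


def all_lines(payload):
    """Display All Lines: text up to the first non-text byte, plus bytes remaining."""
    for i, b in enumerate(payload):
        if not (is_text(b) or b in CRLF):
            return payload[:i].decode("ascii"), len(payload) - i
    return payload.decode("ascii"), 0


def text_lines_only(payload, wrap=120):
    """Display Text Lines Only: drop non-text bytes, split on CR/LF, wrap long lines."""
    kept = bytes(b for b in payload if is_text(b) or b in CRLF).decode("ascii")
    lines = []
    for line in kept.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if not line:
            lines.append("")
        for i in range(0, len(line), wrap):
            lines.append(line[i:i + wrap])
    return lines


def dotted_names_only(payload):
    """Display Dotted Names Only: keep only text lines that contain a period."""
    return [line for line in text_lines_only(payload) if "." in line]


# Constructed sample: an HTTP-style request followed by binary bytes, as might
# be seen in the TCP payload of a session on a non-standard port.
SAMPLE = (b"GET /files/report.pdf HTTP/1.1\r\n"
          b"Host: files.example.test\r\n"
          b"Accept: */*\r\n\r\n"
          b"\x00\x01\xff\x80binary")

if __name__ == "__main__":
    print("Number of bytes:", len(SAMPLE))  # Display Number Of Bytes
    print("Text and binary:", text_and_binary(SAMPLE))
    text, remaining = all_lines(SAMPLE)
    print("All lines: %r (+%d bytes not shown)" % (text, remaining))
    print("Text lines only:", text_lines_only(SAMPLE))
    print("Dotted names only:", dotted_names_only(SAMPLE))
```

Note that Display All Lines stops at the first binary byte and only reports a count, so text that follows binary data in the same payload is visible only through Display Text And Binary or Display Text Lines Only.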

Writing your own decoders

If you find proprietary protocols on your network for which WildPackets does not supply decoders, or if you are developing your own protocols, you may want to write your own decoders. See http://wpdn.wildpackets.com for information on writing decoders.

Decode reassembled PDU

The PDU is the Protocol Data Unit: the payload of a network application packet. When a web page, for example, is sent over the Internet, the page is broken into convenient sized pieces and transmitted in a series of packets. You can attempt to locate all of the other pieces of this page, decode them, and present the results in a single temporary Packet Decode window.

Note: Decode reassembled PDU is not supported from an OmniEngine.

To decode and reassemble a PDU:

  • Right-click a packet containing one of the fragments of the web page and choose Decode Reassembled PDU.

    An attempt is made to locate all of the other pieces of the page and decode them; the results are presented in a single temporary Packet Decode window. The title bar of the window shows a packet number, followed by (Reassembled PDU). The packet number is the packet identified as the one containing the first part of the PDU.

    Tip: You can choose to save or print the decode of the individual Packet Decode window containing the reassembled PDU (choose Save Packet..., or Print from the File menu).

    Note: The Packet Decode window containing the decoded reassembled PDU is temporary. If you close the window without saving, the information is discarded. In any case, creating a reassembled PDU does not change the contents of any of the packets in the capture window.

Using thread intelligence

The information required to decode packets into their protocol components is usually contained within the packet. For some protocols, however, the required information is not contained in the packet itself, but in a previous packet exchanged between the same two nodes. Thread intelligence is supported for some protocols, including Simple Network Management Protocol (SNMP), Simple Mail Transfer Protocol (SMTP), AppleTalk Session Protocol (ASP), Printer Access Protocol (PAP), NetWare Core Protocol (NCP), and others.

Note: Thread intelligence is not supported from an OmniEngine.

When two or more packets are related to the same session in one of these protocols, the packets can be pre-decoded in the order in which they arrived, allowing the Request/Response pairs to be connected. This provides a richer set of decode information than would otherwise be available. This relationship between packets is called a thread, and the pre-decoding done to establish the thread is called making a thread. Making threads operates on packets still in the buffer.

Threads are used to keep track of the protocol type in decoding Response packets associated with a particular Request. There are two ways to employ thread intelligence:

  • The Select Related Packets command, to find possibly related threads.
  • The Make Threads command, to automatically create any threads from packets near the selected packets.

To make threads:

  1. Select the packets in the Packet List where you believe threads may exist (you can use Ctrl + A to select all packets).
  2. Right-click and choose Make Threads.

Manually selecting further decode options

If you view the Request packet first, OmniPeek keeps track of the thread when you open the corresponding Response packets. However, if you view a Response packet before you have opened a preceding Request, no thread will have been started, and OmniPeek displays a question mark (?) instead of the protocol type at the top of the Packet Decode window.

You can click the Choose Decoder icon (a question mark) if it is available for the packet to open the Select Decoder dialog, and then manually choose the decoder to use.

As an alternative to manually selecting options for further decoding packets, you can instruct OmniPeek to make threads before opening any packets. This ensures that the threads will exist even if you open a Response packet first.

To make threads in the background before you open packets, use the Select Related Packets command or Select All Packets (either from the Edit menu or from the context menu), and then choose the Make Threads command from the context menu (right-click). You can then view packets in any order.



WildPackets, Inc.
http://www.wildpackets.com