Tech Tips

• How do I capture VLAN packets?
• I have a firewall installed. What port must be added to connect to my engine?
• How can I collect and save Statistics on the engine?
• Where can I find a definition for the expert messages?
• I installed the engine successfully but why can’t I start the OmniEngine service?
• How can I import my company’s network diagram into Peer Map?
• Is there a reference standard for passive MOS?
• Is jitter measured 'one way' (only one direction in the flow)?
• Is there a way to only capture the header of a packet?
• What do the colors of the globes represent in the WLAN view?
• a NIC connected to a SPAN/Mirror port also be used for network services?
• How can OmniEngine Enterprise help me baseline my network?
• I created a filter but it is not showing up in the filter list. Why?
• What is the difference between OmniVirtual, OmniEngine Desktop and OmniEngine Enterprise?
• Can you explain the Peer Map view?
• How do I set the Apdex threshold duration?
• How do I start a Forensics Capture?
• Why does the Dashboard view display Traffic History and Top Talkers by IP Address as not available?
• Does OmniEngine support WPA?
• What type of encryption does the OmniEngine support?
• Can I use both the OmniEngine and OmniPeek Analyzer at the same time on the same machine?
• When I use OmniEngine to monitor my high speed network, the application tends to slow down. Are there any tips to optimize performance?
• When trying to connect to the engine, why do I receive the following error? "An error occurred: The login attempt failed (Error code: 0x8009030C)"
• I am unable to start a wireless capture. When I select 'OK' in the Capture Options I receive the error 'The adapter "Wireless Network Connection" is not supported by this product. What am I missing?
• Can you explain the Profiles, Configuration and Node Visibilities tabs in the Peer Map?
• I have entered the correct key or passphrase but the TKIP encrypted packets are not being decrypted. Can you please tell me what's wrong?

How do I capture VLAN packets?

First be sure the analyzer is placed where the tagged frames exist, this is generally on a switch trunk (a link that connects switch-to-switch).

Second verify that your switch is not stripping the VLAN tags, you may need to contact your switch manufacturer.

Lastly, the network interface card may strip 802.1q tags at the adapter/driver level. By default, Intel adapters strip the VLAN tag before passing it up the stack. Some Broadcom adapters also exhibit this behavior. Possible fixes for Intel and Broadcom adapters can be found below, for other adapters please contact your NIC manufacturer.

Unsupported Fix for Broadcom Adapters:

** Please backup your registry before making these modifications. **

Please look for the following registry key and follow the steps listed below. This fix is not supported by WildPackets.

HKEY_LOCAL_MACHINE-->SYSTEM-->CurrentControlSet

1. You need to find the right instance of the driver in the registry.
2. Run Regedit.
3. Search for "TxCoalescingTicks" and ensure this is the only instance that you have.
4. Right-click on the instance number (eg. 0008) and add new string value.
5. Enter "PreserveVlanInfoInRxPacket" and give it value "1".

Unsupported Fix for Intel Adapters:

http://support.intel.com/support/network/sb/CS-009720.htm

Another solution is to purchase a tap. TAPs are passive and independent of the network. Please call (925) 937-3200 or write to sales@wildpackets.com to find out more about TAPs.

I have a firewall installed. What port must be added to connect to my engine?

OmniEngine uses port 6367/TCP/UDP.

How can I collect and save Statistics on the engine?

Start a Monitoring Capture or a New Capture -> Select the Statistics Output View. Reports can be saved in CSV, TEXT, or XML, HTML.

Where can I find a definition for the expert messages?

Right-click on any Expert event and choose EventFinder Settings. Click the Show Info button for a description of the event and possible causes and remedies.

I installed the engine successfully but why can’t I start the OmniEngine service?

If the "Client for Microsoft Networks" driver is not installed, the service "Workstation" is also not installed, which may cause OmniEngine to not start up.

How can I import my company’s network diagram into Peer Map?

Click the Peer Map view and click Open. The supported file types are *.BMP, *.JPEG, *.GIF, *.EMF, *.WMF, *.TIFF, *.PNG, *.ICO.

Is there a reference standard for passive MOS?

• The reference standard for passive MOS is ETSI 101329-5 Annex E
• The algorithm used in OmniPeek is VQmon from Telchemy
• Telchemy has several reference docs at http://www.telchemy.com/reference/23td062.pdf

Is jitter measured 'one way' (only one direction in the flow)?

Jitter is independent either direction. If both end VoIP devices send out periodic RTCP report packets, then the expert is checking jitter from the perspective of both endpoints, i.e. both ways. If only one device is sending RTCP packets, then it's the direction TO that device. Not all VoIP devices send RTCP reports.

To measure data at the point of capture, OmniPeek analyzes the RTP stream independently of RTCP reports. This is not necessarily the jitter as received by an end-point (unless OmniPeek Professional is on the end segment), but rather gives you a reading for jitter for some intermediate path.

Is there a way to only capture the header of a packet?

Yes, here’s how:

1. Click View/Filters to bring up the filters window.
2. Click the Insert button (Green +)
3. Select Simple or Advanced for Filter Type.
4. Select Protocol Filter.
5. Select the Protocol and check Slice to Header.

What do the colors of the globes represent in the WLAN view?

• Blue – ESSID
• Pink – Access Point or Ad Hoc Equivalent
• Orange – STA or Client
• Gray – Admin or otherwise unknown
• Gray with (?) – Indications for a particular node are contradictory or unexpected

Can a NIC connected to a SPAN/Mirror port also be used for network services?

You will need an additional adapter to use for network services or use a multi-port adapter like the Intel dual or quad port adapters. These cards could connect via one port and capture on the additional, available ports.

How can OmniEngine Enterprise help me baseline my network?

The summary statistics feature allows you to monitor key network statistics in real time and save these statistics for later comparison. Use this feature to baseline “normal” network activity, save the data, then compare saved statistics with those observed during periods of erratic network behavior to help pinpoint the cause of the problem.

Summary statistics are also extremely valuable in comparing the performance of two different network segments. For example, a field support engineer could compare the real-time statistics on a client’s network with a saved “healthy” router snapshot and easily diagnose or eliminate the source of inconsistent or poor router performance.

To baseline with summary statistics:

Choose Monitor > Summary. The Summary Statistics window appears.

I created a filter but it is not showing up in the filter list. Why?

Be sure you have clicked the yellow bar "Click here to send changes".

What is the difference between OmniVirtual, OmniEngine Desktop and OmniEngine Enterprise?

OmniVirtual	Small, lightweight service for troubleshooting, optimizing and securing virtual applications Windows service that enables network engineers to remotely diagnose problems on desktops running Ethernet and Wireless Distributed capture and analysis designed for enterprise networks, including networks running Wi-Fi, VoIP, and Gigabit and 10 Gigabit segments
OmniEngine Desktop	Windows service that enables network engineers to remotely diagnose problems on desktops running Ethernet and Wireless
OmniEngine Enterprise	Distributed capture and analysis designed for enterprise networks, including networks running Wi-Fi, VoIP, and Gigabit and 10 Gigabit segments

Can you explain the Peer Map view?

Communications between nodes is indicated with line segments. The line between nodes can be color-coded to show which protocol is used. The thickness of the line indicates the volume of traffic between nodes. For more information see the OmniPeek User Guide or the online Help.

How do I set the Apdex threshold duration?

1. Click the Event Finder Settings icon in the Expert view toolbar.
2. Expand the Expert Events under Application and select an Apdex related event.
3. Set the Apdex Threshold Duration to the desired number of seconds.
   Note: A single Apdex Threshold Duration value is applied to all of the Apdex related events.
4. Choose View > Colors > Independent. The upper pane Application view displays shows the following:
   • Green: Apdex score 0.85-1.00 (Good or excellent application response time)
   • Black: Apdex score 0.70.-0.84 (Fair application response time)
   • Red: Apdex score 0.00-0.69 (Poor or unacceptable application response time)
   • Grey: Small sample size -10-99 samples (Statistically untrustworthy)

How do I start a Forensics Capture?

To start a Forensics Capture:

1. Click the Home Tab and select New Forensics Capture under New Capture. In Capture Options you will notice that some settings are preconfigured for Forensics Capture, such as Continuous capture with save to disk.
2. Click the Adapters view and select an adapter for the capture.
3. Click the Performance view. All statistics are disabled in order to optimize packet capture to disk.
4. Click Ok.

Why does the Dashboard view display Traffic History and Top Talkers by IP Address as not available?

Be sure the modules are enabled. Start a new Monitoring Capture or New Capture -> Click the Performance View -> Traffic History and Top Talker Statistics should be checked.

Please also note that the Dashboard view is available only when Monitoring and Capturing. Forensic Captures by default have all Performance Statistics unchecked.

Does OmniEngine support WPA?

Yes, with the use of a supported Atheros chipset-based adapter and the WildPackets 3.0.1.12 and 4.2.2.9 Atheros driver.

What type of encryption does the OmniEngine support?

The OmniEngine supports WPA-PSK and WEP encryption.

Can I use both the OmniEngine and OmniPeek Analyzer at the same time on the same machine?

The only console that was designed to work simultaneously with an engine is OmniPeek Connect. OmniPeek Connect provides the ability to locally configure and view the engine’s analysis as the engine is capturing packets and performing analysis.

When I use OmniEngine to monitor my high speed network, the application tends to slow down. Are there any tips to optimize performance?

In the Capture/Monitor Options, select Performance. For peak performance, right click on one of the features and choose Disable All. This way, the OmniEngine will function at peak performance, but the features are still available when needed. When you need a particular feature, you can always enable it. As you enable/disable individual features, the performance bar at the bottom of the Performance Options dialog will move to show you an estimate of the impact of each feature.

Here are a few more tips to improve the performance of the OmniEngine:

• Disable the Monitor adapter (Monitor/Select Monitor Adapter/None)
• Turn off scroll during capture. Control + K will start/stop scroll.
• Disable passive name resolution. Under Tools/Options/Name Resolution, uncheck enable passive name resolution.
• Turn off any automatic report production for monitor and/or capture. Under Monitor or Capture options, select Statistics Output. Uncheck Save statistics report.

The following component is an additional module (not included in the standard package):

• Disable RMONGrabber (Tools/Options/Analysis Modules)

If you need one of the other features, you can enable it when you are actually viewing the capture file. Also if you're on a switched network, you can try using the switch's mirroring or monitoring capability to zero-in on the traffic you're looking for. Try only mirroring ports one by one to avoid overloading the analyzer with traffic. For more information, please see our whitepaper which also applies to the OmniEngine product: Applying EtherPeek to Switched and Gigabit Ethernet Network Management.

When trying to connect to the engine, why do I receive the following error? "An error occurred: The login attempt failed (Error code: 0x8009030C)".

The OmniEngine will not allow logins with a blank password. Please add a password to your account and try logging in again. If you are not logging in with a blank password, please see the instructions below.

OmniEngine supports authentication using Windows authentication services. In order to allow remote users to connect to an engine, the system administrator must configure the computer where the engine is to be installed.

Security Note: Users allowed to use OmniEngine are NOT required to have Administrative privileges and we recommend restricting their rights to minimize potential security risks, especially if the engine is accessed from outside of a firewall.

Disable Guest Network Logins
By default a network login will give each user "guest" credentials. This must be changed so that network logins will provide credentials based on the user's identity. Note: If your network uses a domain to control access, you must disable the Guest account on the domain controller.

Windows XP/Windows Server 2003: Please use the following steps to configure the system:

• Open the "Local Security Policy" editor from the "Start | Settings | Control Panel | Administrative Tools" menu. Alternatively, launch the "Administrative Tools" from the Control panel window.
• Under the "Local Policies" heading, click on "Security Options".
• Ensure the following settings are set:
• Accounts: Guest Account Status - Disabled
• Network Access: Sharing and security model for local accounts - Classic

I am unable to start a wireless capture. When I select 'OK' in the Capture Options I receive the error 'The adapter "Wireless Network Connection" is not supported by this product. What am I missing?

In order to capture wireless traffic with the OmniEngine, you must install a custom WildPackets driver.

A list of supported cards and the WildPackets drivers can be found here:
http://www.wildpackets.com/support/downloads/drivers

Please find your card from the list and download the appropriate driver.

***First install and test the adapter with the OEM driver. Do not install the WildPackets driver until the adapter is functioning properly on your network using the OEM driver.***

Also, be sure to follow the ReadMe carefully; you must choose 'Don't search. I will choose the driver to install.'

Can you explain the Profiles, Configuration and Node Visibilities tabs in the Peer Map?

The Profile tab lets you save Peer Map configurations settings into a single profile that controls the appearance and layout of the Peer Map.

The Configuration tab lets you control what part of the traffic in the Capture window’s buffer is displayed in Peer Map.

The Node Visibilities tab displays node counts, and nodes that are both shown and hidden in the Peer Map. For example, if this option is set to Always Hide, then all nodes that have not had their visibility assigned by the user will be hidden. This is useful if, during a live capture, the user doesn’t want new nodes to appear on the Peer Map as they are discovered.

I have entered the correct key or passphrase but the TKIP encrypted packets are not being decrypted. Can you please tell me what's wrong?

Peek *must* capture the complete (EAPOL) key exchange to successfully decrypt WPA-PSK encrypted traffic. This exchange consists of the 4 packet Pairwise Master key (PMK) and the 2 packet Group Temporal Key (GTK). The below is an example of a successful EAPOL capture.