How do I create a filter to span multiple ports?

You can create an Advanced or Simple filter to span individual ports. Ports can be entered and separated by commas and/or semicolons.

Here’s how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (Green +).
  3. Select Simple or Advanced for Filter Type.
  4. Select Port Filter and add the port numbers. Use commas and semicolons to separate the port numbers.

How do I capture VLAN packets?

First, be sure the analyzer is placed where the tagged frames exist; this is generally on a switch trunk (a link that connects switch to switch).

Second, verify that your switch is not stripping the VLAN tags; you may need to contact your switch manufacturer.

Lastly, the network interface card may strip 802.1q tags at the adapter/driver level. By default, Intel adapters strip the VLAN tag before passing it up the stack. Some Broadcom adapters also exhibit this behavior. Possible fixes for Intel and Broadcom adapters can be found below; for other adapters, please contact your NIC manufacturer.

Unsupported Fix for Broadcom Adapters:

**Please backup your registry before making these modifications.**

Please look for the following registry key and follow the steps listed below. This fix is not supported by WildPackets.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

  1. You need to find the right instance of the driver in the registry.
  2. Run Regedit.
  3. Search for "TxCoalescingTicks" and ensure this is the only instance that you have.
  4. Right-click on the instance number (e.g. 0008) and add a new string value.
  5. Enter "PreserveVlanInfoInRxPacket" and give it value "1".

Unsupported Fix for Intel Adapters:

http://www.intel.com/support/network/sb/cs-005897.htm

Another solution is to purchase a tap. TAPs are passive and independent of the network. Please call (925) 937-3200 or write to sales@wildpackets.com to find out more about TAPs.
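A quick way to confirm whether the tag actually reached the analyzer is to look at the EtherType at offset 12 of the frame: a tagged frame carries 0x8100 (or 0x88a8 for stacked QinQ tags) there, a frame whose tag was stripped by the driver carries the payload type (e.g. 0x0800) directly. The parser below is an added example, not WildPackets code; it works on raw frame bytes, and the sample frames it checks are constructed inline rather than taken from a capture.

```python
# Added example (not WildPackets code): inspect the Ethernet header of a
# captured frame to tell whether its 802.1Q tag survived to the analyzer.
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag (TPID)
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag, used for stacked (QinQ) VLANs
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame):
    """Return (tags, payload_ethertype) for a raw Ethernet frame.

    tags is a list of (pcp, dei, vid) tuples, outermost first.  An empty list
    is exactly what you see when the NIC driver strips the tag before handing
    the frame to the capture driver: the EtherType at offset 12 is already
    the payload type (e.g. 0x0800) instead of 0x8100.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    offset = 12                      # skip destination and source MAC
    tags = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            return tags, ethertype
        if len(frame) < offset + 4:  # need 2 bytes TCI + 2 bytes next EtherType
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append((tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))


def describe(frame):
    """One-line verdict suitable for a quick sanity check of a capture."""
    tags, ethertype = parse_vlan_tags(frame)
    if not tags:
        return f"untagged (tag missing or stripped), EtherType 0x{ethertype:04x}"
    vids = "/".join(str(vid) for _, _, vid in tags)
    return f"VLAN {vids}, EtherType 0x{ethertype:04x}"


def build_frame(vids, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Constructed sample frame: broadcast dst, a made-up src, one tag per VID
    (outer tags as 802.1ad when stacked), then a stub IPv4 payload."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    for i, vid in enumerate(vids):
        tpid = ETHERTYPE_QINQ if i < len(vids) - 1 else ETHERTYPE_VLAN
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + b"\x45" + b"\x00" * 19


if __name__ == "__main__":
    samples = [("trunk frame, VLAN 100", build_frame([100])),
               ("QinQ frame, S-VLAN 200 / C-VLAN 100", build_frame([200, 100])),
               ("same frame after the driver stripped the tag", build_frame([]))]
    for label, frame in samples:
        print(f"{label}: {describe(frame)}")
```

If every frame from a known trunk port comes back "untagged", the tag is being removed before the capture driver sees it (switch configuration or NIC driver), not by the analyzer.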

Where can I find a definition for the expert messages?

Right-click on any Expert event and choose EventFinder Settings. Click the Show Info button for a description of the event and possible causes and remedies.

How can I import my company's network diagram into Peer Map?

Click the Peer Map view and click Open. The supported file types are *.BMP, *.JPEG, *.GIF, *.EMF, *.WMF, *.TIFF, *.PNG, *.ICO.

Is jitter measured 'one way' (only one direction in the flow)?

Jitter is measured independently for each direction. If both end VoIP devices send out periodic RTCP report packets, then the expert is checking jitter from the perspective of both endpoints, i.e. both ways. If only one device is sending RTCP packets, then it's the direction TO that device. Not all VoIP devices send RTCP reports.

To measure data at the point of capture, OmniPeek analyzes the RTP stream independently of RTCP reports. This is not necessarily the jitter as received by an end-point (unless OmniPeek Professional is on the end segment), but rather gives you a reading for jitter for some intermediate path.

Is there a way to only capture the header of a packet?

Yes, here’s how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (Green +).
  3. Select Simple or Advanced for Filter Type.
  4. Select Protocol Filter.
  5. Select the Protocol and check Slice to Header.

What do the colors of the globes represent in the WLAN view?
  • Blue – ESSID
  • Pink – Access Point or Ad Hoc Equivalent
  • Orange – STA or Client
  • Gray – Admin or otherwise unknown
  • Gray with (?) – Indications for a particular node are contradictory or unexpected

Can I compare two different captures?

Yes, open the captures you would like to compare.

  1. Choose the Expert Flat view.
  2. Right-click on one of the flows and choose Visual Expert.
  3. Click the Compare tab.
  4. Click the drop-down arrow to select the captures.

How can I start multiple captures simultaneously?
  1. Click the Window menu and arrange the captures.
  2. To Start: Hold down Ctrl +Alt + Click the Start button.
  3. To Stop: Hold down Ctrl +Alt + Click the Stop button.

Can a NIC connected to a SPAN/Mirror port also be used for network services?

You will need an additional adapter to use for network services or use a multi-port adapter like the Intel dual or quad port adapters. These cards could connect via one port and capture on the additional, available ports.

How do I change port numbers for an existing protocol?

For example, maybe you want all traffic on port 80 and port 8000 to show up under HTTP in the Packet view, Protocol statistics, etc. In that case, you will need to modify the following file with a Text Editor:

C:\Program Files\WildPackets\OmniPeek\1033\pspecs.xml

You can search for your protocol's PSpec Name (e.g. HTTP) and, when you find the protocol, modify the existing port number(s).

For more information on ProtoSpecs, please visit MyPeek and, under the Resources section, take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.wildpackets.com/

How do I add port numbers for an existing protocol?

The <CondSwitch> tag will define a port number. The example is using port number 1234. You can add additional ports by adding additional <CondSwitch></CondSwitch> tags. See example below.

<CondSwitch>1234</CondSwitch>
<CondSwitch>1235</CondSwitch>
<CondSwitch>1236</CondSwitch>

For more information on ProtoSpecs, please visit the WildPackets Developer's Network (WPDN) and, under the Documentation section, take a look at the ProtoSpecs XML Writing Guidelines.

https://wpdn.wildpackets.com/

How can OmniPeek Professional help me baseline my network?

The summary statistics feature allows you to monitor key network statistics in real time and save these statistics for later comparison. Use this feature to baseline “normal” network activity, save the data, then compare saved statistics with those observed during periods of erratic network behavior to help pinpoint the cause of the problem.

Summary statistics are also extremely valuable in comparing the performance of two different network segments. For example, a field support engineer could compare the real-time statistics on a client’s network with a saved “healthy” router snapshot and easily diagnose or eliminate the source of inconsistent or poor router performance.

To baseline with summary statistics:
Choose Monitor -> Summary. The Summary Statistics window appears.

How do I add a custom protocol to OmniPeek?
  1. Exit OmniPeek.
  2. First, make a backup copy of the pspecs.xml file. OmniPeek will not load if the pspecs.xml file is missing or corrupted.
    Note: By default the pspecs.xml file is located in "C:\Program Files\WildPackets\OmniPeek\1033" for the English-localized version. For other languages, the final subdirectory ("1033") will be equal to the language code for the OmniPeek's localized language.
  3. Open the pspecs.xml file in your favorite text or XML editor.
    Note: Please make sure you add the protocols in the right section (TCP/UDP) and that the higher port numbers go further down in the file.
  4. Create a new entry (see example below).
    <PSpec Name="MyProtocol">
      <PSpecID>1483</PSpecID>
      <LName>MyProtocol - Long Name</LName>
      <SName>MyProtocol - Short Name</SName>
      <Desc>This is my protocol.</Desc>
      <Color>color_2</Color>
      <CondSwitch>1234</CondSwitch>
    </PSpec>

Quick Notes:

The PSpecID is a numerical identifier for the protocol. It must be unique; that is, no two protocols are allowed to have the same PSpecID. You must choose a PSpecID that is not used anywhere else in the file.

The <CondSwitch> tag will define a port number. The example is using port number 1234. You can add additional ports by adding additional <CondSwitch></CondSwitch> tags. See example below.

<CondSwitch>1234</CondSwitch>
<CondSwitch>1235</CondSwitch>
<CondSwitch>1236</CondSwitch>

The PSpec Name will be displayed in the Protocol column of the Packets tab.

The LName will be displayed in the Protocol Info dialog box (accessed by right-clicking the protocol and choosing Protocol Info).

The SName will be displayed in the Protocol statistics.

The Desc will be displayed in the Protocol Info box (Desc is optional. You can delete it if you don't want to write a description for your protocol).

Color will be the color used for the protocol. Colors are defined at the beginning of the document. Color is optional. You can delete it and OmniPeek will choose a color for the protocol.

CondSwitch tells OmniPeek how to recognize the protocol. For now, all you have to do is edit the "SrcPort ==" and "DestPort ==" entries to contain the port number that your protocol uses. These two entries should be the same.

For more information on ProtoSpecs, please visit MyPeek and under the Resources section take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.wildpackets.com/
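Editing pspecs.xml by hand is error-prone, and a malformed file stops OmniPeek from loading. The script below is an added example, not WildPackets code, that applies the steps above (for both adding ports to a protocol with extra <CondSwitch> entries and adding a new protocol) with the checks an administrator would want: it backs the file up first, allocates a PSpecID that is not in use, writes one <CondSwitch> per port, keeps higher port numbers further down the file, and re-parses the result before trusting it. The minimal document it works on is constructed here; the <PSpecs> root element and the flat list of <PSpec> children are assumptions, since the page shows only a single <PSpec> entry.

```python
# Added example (not WildPackets code): add a custom ProtoSpec to a
# pspecs-style XML file the way the steps above describe, with backup,
# unique-ID, port-ordering and well-formedness checks.
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed minimal document. The real pspecs.xml has more structure; the
# <PSpecs> root and its flat list of <PSpec> children are an assumption here.
SAMPLE_PSPECS = """<PSpecs>
  <PSpec Name="HTTP">
    <PSpecID>1482</PSpecID>
    <LName>Hypertext Transfer Protocol</LName>
    <SName>HTTP</SName>
    <CondSwitch>80</CondSwitch>
    <CondSwitch>8000</CondSwitch>
  </PSpec>
  <PSpec Name="MyProtocol">
    <PSpecID>1483</PSpecID>
    <LName>MyProtocol - Long Name</LName>
    <SName>MyProtocol - Short Name</SName>
    <Desc>This is my protocol.</Desc>
    <Color>color_2</Color>
    <CondSwitch>1234</CondSwitch>
  </PSpec>
</PSpecs>
"""


def load_sample():
    return ET.fromstring(SAMPLE_PSPECS)


def pspec_names(root):
    return [e.get("Name") for e in root.findall("PSpec")]


def ports_for(root, name):
    spec = root.find(f"PSpec[@Name='{name}']")
    return [int(c.text) for c in spec.findall("CondSwitch")] if spec is not None else None


def used_pspec_ids(root):
    """Every PSpecID already present; a new entry must not collide with these."""
    return {int(e.text) for e in root.iter("PSpecID")}


def next_free_pspec_id(root):
    """Smallest ID above the highest one in use (unique, as the notes require)."""
    used = used_pspec_ids(root)
    return (max(used) + 1) if used else 1


def lowest_port(pspec):
    ports = [int(c.text) for c in pspec.findall("CondSwitch")]
    return min(ports) if ports else None


def build_pspec(name, ports, pspec_id, lname, sname, desc=None, color=None):
    """Build one <PSpec>; Desc and Color are optional, as the notes say."""
    clean = sorted({int(p) for p in ports})
    if not clean or any(not 0 < p < 65536 for p in clean):
        raise ValueError("need at least one port in 1..65535")
    spec = ET.Element("PSpec", Name=name)
    ET.SubElement(spec, "PSpecID").text = str(pspec_id)
    ET.SubElement(spec, "LName").text = lname
    ET.SubElement(spec, "SName").text = sname
    if desc:
        ET.SubElement(spec, "Desc").text = desc
    if color:
        ET.SubElement(spec, "Color").text = color
    for p in clean:                     # one <CondSwitch> per port
        ET.SubElement(spec, "CondSwitch").text = str(p)
    return spec


def add_protocol(root, name, ports, lname, sname, desc=None, color=None):
    """Insert a new PSpec, keeping higher port numbers further down the file."""
    if any(e.get("Name") == name for e in root.iter("PSpec")):
        raise ValueError(f"a PSpec named {name!r} already exists")
    pspec_id = next_free_pspec_id(root)
    new = build_pspec(name, ports, pspec_id, lname, sname, desc, color)
    new_low = lowest_port(new)
    children = list(root)
    position = len(children)            # default: append at the end
    for i, child in enumerate(children):
        low = lowest_port(child) if child.tag == "PSpec" else None
        if low is not None and low > new_low:
            position = i                # first entry with a higher port
            break
    root.insert(position, new)
    return pspec_id


def add_protocol_to_file(path, name, ports, lname, sname, desc=None, color=None):
    """File-level wrapper: backup, edit, write, then re-parse the result."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))   # step 2: backup
    tree = ET.parse(path)
    pspec_id = add_protocol(tree.getroot(), name, ports, lname, sname, desc, color)
    tree.write(path, encoding="utf-8", xml_declaration=True)
    ET.parse(path)   # a corrupt pspecs.xml stops OmniPeek loading; fail here instead
    return pspec_id


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "pspecs.xml"
        p.write_text(SAMPLE_PSPECS)
        pid = add_protocol_to_file(p, "MyAgent", [9100, 9101], "My Agent Protocol", "MyAgent")
        print(f"added MyAgent as PSpecID {pid}; backup at {p}.bak")
        print(p.read_text())
```

Run it against a copy of the real file first and diff the result against the backup; because the insertion position is decided from the lowest port of the neighbouring entries, the script only orders correctly within a section (TCP or UDP), so confirm the new entry landed in the right one.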

Is there a way to locate a Rogue or Unknown device?

You can use the Locate Node feature if you are using OmniPeek on a laptop. Select the source and choose Locate Node. OmniPeek will create a live signal strength graph for this node in the Graphs tab, and then switch your display to the new graph automatically. The higher the signal strength, the closer you have moved to the source node.

What are some of the keyboard shortcuts?

Can you explain the Peer Map view?

Communications between nodes are indicated with line segments. The line between nodes can be color-coded to show which protocol is used. The thickness of the line indicates the volume of traffic between nodes.

It appears that my router is being misidentified?

Because routers forward traffic from other networks at OSI Layer 3, the logical address (IP) is forwarded unchanged but the physical address (MAC) is changed to that of the router doing the forwarding. In this case, Peek might misidentify your router when it tries to resolve the name using the Resolve Name/Passive Name resolution option (Tools->Name Resolution). To properly identify routers, we recommend that you add your routers to the Name Table.

Can I use the Peek analyzer to assist with firewall rules?

The following steps will give you some indication of which ports are open:

  1. Packet slice at 70 bytes (gives you TCP/UDP headers)
  2. Go to the Expert and select Flat
  3. Enable "Port Numbers" optional Column
  4. Disable Resolve Port Names (right click)
  5. Click and sort Port Numbers

What is the default timestamp format?

The default Timestamp format is Microseconds. This setting can be changed by clicking on one of the columns in the Packets view and selecting the Format tab or by right-clicking a packet in the Packets View and selecting Packet List Options.

How do I use port numbers instead of port names?

Right click the column header and select the fields you would like to see. Then right click again and choose Packet List Options -> Format tab and deselect "Show port names". You should now see port numbers instead of names.

Also good to know: the source and destination port numbers are always displayed in the 'Summary' field (Src=###,Dst=##) in addition to other packet information.

How accurate are the Delta and Relative times in the Packet view?

In regards to wireless: if you are using an Atheros driver v3.0.1.x or above, the accuracy is approximately 1 microsecond, since the packets are time-stamped by the hardware; versions below 3.0.1.x use software timestamps. On Windows XP and other NT-based systems, software-timestamped packets have an approximate accuracy of 0.1 milliseconds.

In regards to Ethernet: non-GAC Ethernet adapters use software timestamps, and the accuracy depends on the OS. On Windows XP and other NT-based systems, packets have an approximate accuracy of 0.1 milliseconds. The WildPackets Gigabit Analyzer Cards provide hardware timestamps with an approximate accuracy of 10 nanoseconds.

What is Apdex?

Apdex is an attempt to represent user satisfaction with application performance as a numeric score from 0.00 (horrible) to 1.00 (perfect). Calculations are based on how long it takes to complete each measured task.

How are Apdex tasks measured?

Each individual task gets an Apdex score of 1.00, 0.50, or 0.00, depending on task duration relative to a user-defined threshold duration "T":

If an individual task completes within a user-defined threshold duration, the user is considered "satisfied" with application performance, and the task gets an Apdex score of 1.00.

If an individual task takes between one and four times the user-defined threshold duration, the user is considered "tolerating" application performance, and the task gets an Apdex score of 0.50.

If an individual task takes more than four times the user-defined threshold duration, the user is considered "frustrated" with application performance, and the task gets an Apdex score of 0.00.

For example, if you set the threshold for web applications at 3 seconds, then any time you can completely load a web page within 3 seconds, you are "satisfied" and score 1.00. If it takes more than 3 seconds, but no more than 12 seconds (4 times 3 seconds), you are merely "tolerating" performance, and score 0.50. If it ever takes more than 12 seconds, you are frustrated, and get an Apdex score of 0.00.

How do I set the Apdex threshold duration?
  1. Click the Event Finder Settings icon in the Expert view toolbar.
  2. Expand the Expert Events under Application and select an Apdex related event.
  3. Set the Apdex Threshold Duration to the desired number of seconds.
    Note: A single Apdex Threshold Duration value is applied to all of the Apdex related events.
  4. Choose View > Colors > Independent. The upper pane of the Application view then shows the following:
    • Green: Apdex score 0.85-1.00 (Good or excellent application response time)
    • Black: Apdex score 0.70-0.84 (Fair application response time)
    • Red: Apdex score 0.00-0.69 (Poor or unacceptable application response time)
    • Grey: Small sample size, 10-99 samples (Statistically untrustworthy)
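The scoring rules in the two Apdex items above, and the colour bands applied in the Application view, are small enough to write out in full. The code below is an added example, not WildPackets code: it scores each task against the threshold T, averages the per-task scores into the 0.00-1.00 figure, and maps a score plus sample count to the colour band. The page-load times it runs on are constructed; the only assumption beyond the page is that fewer than 10 samples is treated as a small sample too.

```python
# Added example (not WildPackets code): Apdex scoring as described above,
# plus the colour banding used by the Application view.
SATISFIED, TOLERATING, FRUSTRATED = 1.00, 0.50, 0.00


def task_score(duration, threshold):
    """Score one task against threshold T (seconds).

    <= T      -> satisfied  (1.00)
    <= 4 * T  -> tolerating (0.50)
    >  4 * T  -> frustrated (0.00)
    """
    if threshold <= 0:
        raise ValueError("threshold T must be positive")
    if duration < 0:
        raise ValueError("task duration cannot be negative")
    if duration <= threshold:
        return SATISFIED
    if duration <= 4 * threshold:
        return TOLERATING
    return FRUSTRATED


def apdex(durations, threshold):
    """Aggregate score: the mean of the per-task scores, rounded to two places.

    Equivalent to the usual Apdex formula (satisfied + tolerating / 2) / total.
    Returns None for an empty sample rather than inventing a score.
    """
    if not durations:
        return None
    total = sum(task_score(d, threshold) for d in durations)
    return round(total / len(durations), 2)


def breakdown(durations, threshold):
    """Counts per bucket, handy when explaining why a score is low."""
    buckets = {"satisfied": 0, "tolerating": 0, "frustrated": 0}
    for d in durations:
        s = task_score(d, threshold)
        key = ("satisfied" if s == SATISFIED
               else "tolerating" if s == TOLERATING
               else "frustrated")
        buckets[key] += 1
    return buckets


def color_band(score, samples):
    """Colour shown with View > Colors > Independent.

    The page lists grey for 10-99 samples; treating fewer than 10 samples as
    grey too is an assumption made here (too small to trust either way).
    """
    if samples < 100:
        return "grey"
    if score >= 0.85:
        return "green"
    if score >= 0.70:
        return "black"
    return "red"


if __name__ == "__main__":
    # Constructed page-load times (seconds) against the 3-second web threshold.
    T = 3.0
    loads = [1.2, 2.9, 3.0, 3.1, 11.9, 12.0, 12.1, 30.0]
    score = apdex(loads, T)
    print(breakdown(loads, T), "Apdex =", score, "band =", color_band(score, len(loads)))
```

With T = 3 seconds the boundaries fall exactly where the worked example above puts them: 3.0 s is still "satisfied", 12.0 s is still "tolerating", and 12.1 s is "frustrated".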

Why does some activity in the Peer Map contain spaces?

The space shows you where protocol segments start and stop within conversations.

Can OmniPeek Professional connect to multiple engines?

Yes but OmniPeek Professional does have a limit of five remote engine connections. Because OmniPeek puts the processing power at the point of capture, multiple connections and diverse configurations can be used without creating a strain on network bandwidth. Only the packets, statistical data, and other information required to refresh the display need to be sent from the Remote Engine.

Can you explain the Profiles, Configuration and Node Visibilities tabs in the Peer Map view?

The Profile tab lets you save Peer Map configuration settings into a single profile that controls the appearance and layout of the Peer Map.

The Configuration tab lets you control what part of the traffic in the Capture window’s buffer is displayed in Peer Map.

The Node Visibilities tab displays node counts, and nodes that are both shown and hidden in the Peer Map. For example, if this option is set to Always Hide, then all nodes that have not had their visibility assigned by the user will be hidden. This is useful if, during a live capture, the user doesn’t want new nodes to appear on the Peer Map as they are discovered.

Can I use both an OmniEngine and an OmniPeek console at the same time on the same machine?

The only console that was designed to work simultaneously with an engine is OmniPeek Connect. OmniPeek Connect provides the ability to locally configure and view the engine’s analysis as the engine is capturing packets and performing analysis.

I am unable to start a wireless capture. When I select 'OK' in the Capture Options I receive the error 'The adapter "Wireless Network Connection" is not supported by this product.' What am I missing?

In order to capture wireless traffic with OmniPeek, you must install a custom WildPackets driver.

A list of supported cards and the WildPackets drivers can be found here:
http://www.wildpackets.com/support/downloads/drivers

Please find your card from the list and download the appropriate driver.

***First install and test the adapter with the OEM driver. Do not install the WildPackets driver until the adapter is functioning properly on your network using the OEM driver.***

Also, be sure to follow the ReadMe carefully; you must choose 'Don't search. I will choose the driver to install.'

Can WildPackets Gigabit and WAN Analyzer Cards be used to send packets?

The GACs and WACs do not send as they are optimized for capture only.

I changed some settings on my GAC or WAC, do I need to restart my computer?

No, the changes will be applied once the Analyzer Card is selected to monitor or capture.

Why can my GAC only apply one hardware profile?

The GAC only supports one hardware profile at a time.

When I try to open a *.pkt file, I receive a "Not Enough Storage Space" error.

This error means that there are not enough memory/resources available to load the file.

A solution would be our SQL filter plug-in.

This plug-in creates a SQL database of packet headers from real-time captures or loaded file captures. Once installed, the SQL Filter plug-in will appear under the Tools view in OmniPeek; you will then be able to select packets based on the results of the queries you enter.

By using the SQL Filter Plug-in to index trace files into a database, files of any size can be read back into OmniPeek using SQL queries.

The SQL Filter Plug-in is available to MyPeek members; you can sign up for an account here:
http://mypeek.wildpackets.com

How secure is OmniPeek?

Network analysis tools are powerful and must be protected from misuse. Data captured and sent across the network may be sensitive, so OmniPeek has been designed from the ground up to adhere to strict IT security requirements. By default, all traffic between the Engine and Console is compressed and encrypted, and in addition to Windows® Security being used for access control to the OmniEngine and application features, TACACS+ and RADIUS authentication are also supported.

When I use OmniPeek to monitor my high speed network, the application tends to slow down. Are there any tips to optimize performance?

In the Capture/Monitor Options, select Performance. For peak performance, right click on one of the features and choose Disable All. This way, OmniPeek will function at peak performance, but the features are still available when needed. When you need a particular feature, you can always enable it. As you enable/disable individual features, the performance bar at the bottom of the Performance Options dialog will move to show you an estimate of the impact of each feature.

Here are a few more tips to improve the performance of OmniPeek:

Disable the Monitor adapter (Monitor/Select Monitor Adapter/None)

Turn off scroll during capture. Control + K will start/stop scroll.

Disable passive name resolution. Under Tools/Options/Name Resolution, uncheck enable passive name resolution.

Turn off any automatic report production for monitor and/or capture. Under Monitor or Capture options, select Statistics Output. Uncheck Save statistics report.

The following component is an additional module (not included in the standard package):

Disable RMONGrabber (Tools/Options/Analysis Modules)

If you need one of the other features, you can enable it when you are actually viewing the capture file. Also if you're on a switched network, you can try using the switch's mirroring or monitoring capability to zero-in on the traffic you're looking for. Try only mirroring ports one by one to avoid overloading the analyzer with traffic. For more information, please see our whitepaper which also applies to the OmniPeek Analyzer products: Applying EtherPeek to Switched and Gigabit Ethernet Network Management.

I have entered the correct key or passphrase but the TKIP encrypted packets are not being decrypted. Can you please tell me what's wrong?

Peek *must* capture the complete (EAPOL) key exchange to successfully decrypt WPA-PSK encrypted traffic. This exchange consists of the 4-packet Pairwise Master Key (PMK) exchange and the 2-packet Group Temporal Key (GTK) exchange. Below is an example of a successful EAPOL capture.

[Screenshot: example of a successful EAPOL key exchange capture]


Can I search a trace file based on Time, Date, Address or Port?

Yes, this is possible with the SQL filter plug-in.

This plug-in creates a SQL database of packet headers from real-time captures or loaded file captures. Once installed, the SQL Filter plug-in will appear under the Tools view in OmniPeek; you will then be able to select packets based on the results of the queries you enter.

The SQL Filter Plug-in is available to WPDN (WildPackets Developer Network) members; you can sign up for an account here:
https://wpdn.wildpackets.com/login.php?pUrl=/downloads/sql_filter_plugin.php

What is the SQL Filter Plug-in?

The SQL Filter plug-in creates a SQL database of packet headers from real-time captures or loaded file captures; this enables you to submit SQL queries to locate key data in packet captures.

The SQL Filter Plug-in is available to WPDN (WildPackets Developer Network) members; you can sign up for an account here:
https://wpdn.wildpackets.com/login.php?pUrl=/downloads/sql_filter_plugin.php

Can I install the SQL Filter Plug-in on my engine?

No, at this time only local captures are supported.

I have captured the required EAPOL keys but why can't I decrypt the WPA traffic?

When WMM (802.11e) is enabled, WPA-PSK decryption will fail. Some adapters have an Advanced Settings tab that allows this feature to be disabled; if your adapter does not have this setting, disable the feature on the corresponding Access Point. Once you have disabled the feature either on the adapter of the client that is sending the traffic of interest or on the AP, you should be able to decrypt the traffic completely.

Can I start OmniPeek from the command line?

Yes, here’s how:

Opeek.exe [/autoload |/autostart ] [template1] [templateN]

The /autoload switch loads the specified Capture Template (*.ctf) file(s). The /autostart switch loads the specified template(s) and begins capture. Multiple templates may be listed, separated by a space. You can use the * (asterisk) character or the ? (question mark) character as wildcards in specifying template names, following standard Windows wildcard usage.

In a default installation of OmniPeek, the command line would be started from:

C:\Program Files\WildPackets\OmniPeek

To automatically load template file capture1.ctf, for example, the command would be:

opeek /autoload [template file location]\capture1.ctf
