Tech Tips
Yes, here’s how: APeek.exe [/autoload | /autostart] [template1] [templateN] The /autoload switch loads the specified Capture Template (*.ctf) file(s). The /autostart switch loads the specified template(s) and begins capture. Multiple templates may be listed, separated by a space. You can use the * (asterisk) character or the ? (question mark) character as wildcards when specifying template names, following standard Windows wildcard usage. In a default installation of AiroPeek, the command line would be started from: To automatically load template file capture1.ctf, for example, the command would be:
The Peek Country setting in the driver would need to be set to ‘Japan’ to support these frequencies. In order to capture packets in a regulatory domain (i.e. country) different from the one the adapter was originally bought in, you must change the "Peek Country" code being used by the adapter. The "Peek Country" code is only used by Peek and has no effect on the country code used for network services. To change the adapter's "Peek Country" code on Windows XP, follow these steps:
To change the adapter's "Peek Country" code on Windows 2000, follow these steps:
You can create an Advanced or Simple filter to span multiple ports. Ports can be entered and separated by commas and/or semicolons. Here’s how:
Yes, here’s how:
For example, maybe you want all traffic on port 80 and port 8000 to show up under HTTP in the Packet view, Protocol statistics, etc. In that case, you will need to modify the following file with a Text Editor:
You can search for your protocol's PSpec Name (e.g. HTTP) and, when you find the protocol, modify the existing port number(s).
The <CondSwitch> tag will define a port number. The example is using port number 1234. You can add additional ports by adding additional <CondSwitch></CondSwitch> tags. See example below.
For more information on ProtoSpecs, please visit The WildPackets Developer Network (WPDN) and, under the documentation section, take a look at the ProtoSpecs XML Writing Guidelines.
Quick Notes:
The PSpecID is a numerical identifier for the protocol. It must be unique, that is, no two protocols are allowed to have the same PSpecID. You must choose a PSpecID that is not used anywhere else in the file.
The <CondSwitch> tag will define a port number. The example is using port number 1234. You can add additional ports by adding additional <CondSwitch></CondSwitch> tags. See example below.
<CondSwitch>1234</CondSwitch>
The PSpec Name will be displayed in the Protocol column of the Packets tab.
The LName will be displayed in the Protocol Info dialog box (accessed by right-clicking the protocol and choosing Protocol Info).
The SName will be displayed in the Protocol statistics.
The Desc will be displayed in the Protocol Info box (Desc is optional. You can delete it if you don't want to write a description for your protocol).
Color will be the color used for the protocol. Colors are defined at the beginning of the document. Color is optional. You can delete it and AiroPeek will choose a color for the protocol.
CondSwitch tells AiroPeek how to recognize the protocol. For now, all you have to do is edit the "SrcPort ==" and "DestPort ==" entries to contain the port number that your protocol uses. These two entries should be the same.
For more information on ProtoSpecs, please visit The WildPackets Developer Network (WPDN) and, under the documentation section, take a look at the ProtoSpecs XML Writing Guidelines.
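The two rules above (a PSpecID must be unique in the file, and the "SrcPort ==" and "DestPort ==" entries of a protocol should agree) are easy to get wrong when editing the file by hand, and a mistake silently mislabels traffic in the Packets view and Protocol statistics. The following linter is an added example, not WildPackets code: it checks a ProtoSpecs-style file for both rules and builds a port-to-protocol table from the entries that pass. The element and attribute layout of the sample (a <PSpec> element carrying PSpecID, Name, LName and SName attributes, with <Desc> and <CondSwitch> children) is an assumption made for this illustration; the real file layout is described in the WPDN ProtoSpecs XML Writing Guidelines, and the sample XML is constructed.

```python
"""Lint a ProtoSpecs-style XML file for duplicate PSpecIDs and mismatched
SrcPort/DestPort CondSwitch entries.  Added example; element layout assumed."""
import re
import xml.etree.ElementTree as ET

# A CondSwitch is accepted either as "SrcPort == N" / "DestPort == N" or as a
# bare port number (taken to apply to both directions), as in the notes above.
COND_RULE = re.compile(r"^\s*(?:(SrcPort|DestPort)\s*==\s*)?(\d+)\s*$")

# Constructed sample: the second PSpec reuses PSpecID 9001 and has differing
# source/destination ports, so the linter should flag exactly those two faults.
SAMPLE_XML = """
<ProtoSpecs>
  <PSpec PSpecID="9001" Name="MyProto" LName="My Protocol" SName="MyP">
    <Desc>Constructed example protocol on port 1234</Desc>
    <CondSwitch>SrcPort == 1234</CondSwitch>
    <CondSwitch>DestPort == 1234</CondSwitch>
  </PSpec>
  <PSpec PSpecID="9001" Name="OtherProto" LName="Other Protocol" SName="Oth">
    <CondSwitch>SrcPort == 5555</CondSwitch>
    <CondSwitch>DestPort == 6666</CondSwitch>
  </PSpec>
  <PSpec PSpecID="9002" Name="Bare" LName="Bare port form" SName="Bar">
    <CondSwitch>4321</CondSwitch>
  </PSpec>
</ProtoSpecs>
"""


def _ports_of(pspec):
    """Return ({src ports}, {dest ports}, [unparseable CondSwitch texts])."""
    src, dst, bad = set(), set(), []
    for cond in pspec.findall("CondSwitch"):
        match = COND_RULE.match(cond.text or "")
        if not match:
            bad.append(cond.text)
            continue
        side, port = match.group(1), int(match.group(2))
        if side in (None, "SrcPort"):
            src.add(port)
        if side in (None, "DestPort"):
            dst.add(port)
    return src, dst, bad


def lint_protospecs(xml_text):
    """Return a list of human-readable problems found in the file."""
    root = ET.fromstring(xml_text.strip())
    issues, seen_ids = [], {}
    for pspec in root.iter("PSpec"):
        name = pspec.get("Name", "<unnamed>")
        pid = pspec.get("PSpecID")
        if pid is None:
            issues.append(f"{name}: missing PSpecID")
        elif pid in seen_ids:
            issues.append(f"{name}: PSpecID {pid} already used by {seen_ids[pid]}")
        else:
            seen_ids[pid] = name
        src, dst, bad = _ports_of(pspec)
        for text in bad:
            issues.append(f"{name}: unrecognised CondSwitch {text!r}")
        if src != dst:
            issues.append(f"{name}: SrcPort {sorted(src)} and DestPort "
                          f"{sorted(dst)} entries differ")
    return issues


def port_table(xml_text):
    """Map port -> PSpec Name for every entry whose port rules are consistent."""
    root = ET.fromstring(xml_text.strip())
    table = {}
    for pspec in root.iter("PSpec"):
        src, dst, bad = _ports_of(pspec)
        if bad or src != dst:
            continue
        for port in src:
            table[port] = pspec.get("Name", "<unnamed>")
    return table


if __name__ == "__main__":
    for problem in lint_protospecs(SAMPLE_XML):
        print("PROBLEM:", problem)
    print("port table:", port_table(SAMPLE_XML))
```

Run the linter before reloading the edited file; an entry that is reported is one whose packets would be labelled under the wrong protocol, or not at all.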
You can use the Locate Node feature if you are using AiroPeek on a laptop. Under the Wireless View, select WLAN. Right-click the source and choose Locate Node. AiroPeek will create a live signal strength graph for this node in the Graphs tab, and then switch your display to the new graph automatically. The higher the signal strength, the closer you have moved to the source node. Please also see our white paper on Identifying and Locating Rogue Access Points. http://www.wildpackets.com/elements/tutorials/RogueAccessPoints.pdf
The summary statistics feature allows you to monitor key network statistics in real time and save these statistics for later comparison. Use this feature to baseline “normal” network activity, save the data, then compare saved statistics with those observed during periods of erratic network behavior to help pinpoint the cause of the problem. Summary statistics are also extremely valuable in comparing the performance of two different network segments. For example, a field support engineer could compare the real-time statistics on a client’s network with a saved “healthy” router snapshot and easily diagnose or eliminate the source of inconsistent or poor router performance. To baseline with summary statistics: Choose Monitor > Summary. The Summary Statistics window appears.
Hold down <Ctrl> + <E>
Yes, you can automate captures based on an alarm; here’s how. In this example we will use “Average Utilization”.
Instructions: Either time/date or packets passing through the filters activate triggers. Alarm messages create a signal that is acted upon by the notifications module, which causes an action to occur (Log, Email, Sound, Execute, log to syslog server or send SNMP traps).
Yes, this is possible. For instance, if I have the vendor ID of the MAC (00:04:75 for 3Com), your filter would look like this: 00:04:75:*:*:*
First, confirm Capture Options/General/Continuous capture is checked. If you are using Windows XP, you will need to turn off "Wireless Zero Configuration". This service sometimes tries to take control of the wireless adapter while you are capturing packets. If this happens, AiroPeek will stop capturing. You can go to properties on your wireless card, select the wireless networks tab, and uncheck the "Use Windows to config my wireless network settings" box, or go into services to stop the wireless zero config service.
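The two filter forms described in these tips (a port list such as "80, 8000; 8080" spanning several ports, and a MAC address pattern with * wildcards such as 00:04:75:*:*:* that matches every card from one vendor) are easy to reason about once you see them applied to a few frames. The following matcher is an added example, not AiroPeek code: it parses both forms and selects the frames that satisfy them. The frame field names and the choice to match a MAC pattern or port against either direction (source or destination) are assumptions for this illustration, and the frames are constructed.

```python
"""Apply a multi-port list and a wildcard MAC pattern to captured frames.
Added example; frame layout and direction semantics are assumed."""
import re

# Constructed frames: seq 1/2 are an HTTP exchange involving a 3Com-OUI card,
# seq 3 is port 8000 traffic from another vendor, seq 4 is HTTPS.
FRAMES = [
    {"seq": 1, "src_mac": "00:04:75:12:34:56", "dst_mac": "00:0c:29:aa:bb:cc",
     "src_port": 50000, "dst_port": 80},
    {"seq": 2, "src_mac": "00:0c:29:aa:bb:cc", "dst_mac": "00:04:75:12:34:56",
     "src_port": 80, "dst_port": 50000},
    {"seq": 3, "src_mac": "00:11:22:33:44:55", "dst_mac": "00:0c:29:aa:bb:cc",
     "src_port": 51000, "dst_port": 8000},
    {"seq": 4, "src_mac": "00:11:22:33:44:55", "dst_mac": "00:0c:29:aa:bb:cc",
     "src_port": 51001, "dst_port": 443},
]


def parse_port_list(text):
    """Split a comma- and/or semicolon-separated port list into a set of ints."""
    ports = set()
    for token in re.split(r"[,;]", text):
        token = token.strip()
        if not token:
            continue
        value = int(token)
        if not 0 <= value <= 65535:
            raise ValueError(f"port out of range: {value}")
        ports.add(value)
    return ports


def mac_pattern_matches(pattern, mac):
    """True when each octet of mac equals the pattern octet or the octet is '*'."""
    pat = pattern.lower().split(":")
    octets = mac.lower().split(":")
    if len(pat) != 6 or len(octets) != 6:
        raise ValueError("MAC address and pattern must both have six octets")
    return all(p == "*" or p == o for p, o in zip(pat, octets))


def select_frames(frames, port_list=None, mac_pattern=None):
    """Return the seq numbers of frames passing every filter that is set.

    A port list matches if the source OR destination port is listed; a MAC
    pattern matches the source OR destination address (assumed either-direction
    semantics).  With no filters every frame is accepted.
    """
    ports = parse_port_list(port_list) if port_list else None
    selected = []
    for frame in frames:
        if ports is not None and not (
                frame["src_port"] in ports or frame["dst_port"] in ports):
            continue
        if mac_pattern and not (mac_pattern_matches(mac_pattern, frame["src_mac"])
                                or mac_pattern_matches(mac_pattern, frame["dst_mac"])):
            continue
        selected.append(frame["seq"])
    return selected


if __name__ == "__main__":
    print("ports 80/8000:", select_frames(FRAMES, port_list="80, 8000"))
    print("3Com OUI:", select_frames(FRAMES, mac_pattern="00:04:75:*:*:*"))
```

Note that the vendor-prefix filter catches both directions of the exchange only because the pattern is applied to source and destination; a filter restricted to the source address would keep just the frames the 3Com card transmitted.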
This is a known issue with the driver. Please go to http://www.wildpackets.com/support/hardware/ap_atheros5001plus_driver for more information and an updated driver.
AiroPeek uses RF monitor mode to capture packets from the network. RF monitor mode is superior because it allows AiroPeek to capture all of the packets it sees on a single channel, no matter what Access Point they are going to, what vendor's equipment sent the packets, or who the packets are addressed to. Unfortunately, as you have noticed, when the wireless NIC is placed into RF monitor mode, it cannot be used for normal data transfer. This is not a limitation of AiroPeek, the drivers, or even the wireless NIC; it is simply a physical limitation of the RF technology. Some customers have gotten around this limitation by placing two wireless cards into their laptops simultaneously. One card is used for data transmission and the other card is used for capturing with AiroPeek. This depends on whether the NICs' form factor allows it. For example, the Cisco cards are relatively thin and will fit into the bottom PCMCIA slot with an Agere card on top, but Agere cards are thicker and probably won't fit in the bottom slot with a Cisco card on top. In order to keep the drivers separate, the cards should be from different vendors; this is very important! So, for example, you might use a Cisco 340 card for AiroPeek and an Agere card for sending data.
We use the maximum link speed of the wireless card which would be 11Mbits/s.
First, make certain that your adapter card is working normally on your network. Are you associated with an Access Point? Can you browse the internet? Verify you have installed a supported driver. Next, make sure you are capturing on the correct channel: go to Capture/Capture Options/802.11. If you have checked these two things and still can't capture, contact us via our Technical Support Form.
Unfortunately, Atheros does not support this usage, so the WildPackets driver also does not support the simultaneous use of multiple Atheros-based adapters. One of the Atheros-based cards would need to be disabled for the other Atheros-based card to function. If you must connect to the network and also use AiroPeek, you will need to obtain another card with a different chipset (e.g. Realtek, Agere, Symbol); please check our list of supported adapters: http://www.wildpackets.com/support/product_support/airopeek/hardware
AiroPeek recognizes the type of preamble from the Capability Info field contained in management and control frames from the AP.
Yes, by using AiroPeek’s ability to have multiple capture windows. First set up a Capture 1 window as a continuous capture with your filter as a Stop Trigger event. This gives you a snapshot of what was happening just before your trigger. Then set up a Capture 2 window as you normally would with a Start Trigger when the filter event happens. This lets you capture what happened after the event. Click the Start Capture (Stop trigger active) on Capture 1 and click the Start Trigger button on Capture 2. The packet that triggers the event will be the last packet in Capture 1 and will be the first packet in Capture 2. In a similar way you can capture what happens after a Stop Trigger event. Set up your Capture 1 Stop Trigger normally. Set up a second capture with buffer options to stop when the buffer is full (do not checkmark Continuous) and set the buffer size based on how much additional traffic you want to see. Set this second capture with a Start Trigger on the same filter event as your Capture 1 Stop Trigger. It will run until this buffer is full.
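The two-window arrangement above is simplest to picture as a continuous (ring) buffer that stops on the trigger packet next to a second buffer that starts on the same packet and fills up. The following simulation is an added example, not AiroPeek code: it feeds a constructed packet stream through both windows and shows that the trigger packet ends Capture 1 and begins Capture 2. The packet fields, the trigger condition (destination port 23, constructed) and the buffer sizes are assumptions for the illustration.

```python
"""Simulate a Stop Trigger ring buffer (Capture 1) alongside a Start Trigger
capture that stops when its buffer is full (Capture 2).  Added example."""
from collections import deque


def run_two_window_capture(packets, is_trigger, pre_buffer, post_buffer):
    """Return (capture1, capture2) as lists of packets.

    capture1 behaves like a continuous capture with a Stop Trigger: it keeps
    only the most recent pre_buffer packets and stops on the trigger, so the
    trigger packet is its last entry.  capture2 behaves like a non-continuous
    capture with a Start Trigger on the same event: it begins with the trigger
    packet and stops once post_buffer packets have been stored.
    """
    capture1 = deque(maxlen=pre_buffer)   # ring buffer: old packets fall off
    capture2 = []
    triggered = False
    for pkt in packets:
        if not triggered:
            capture1.append(pkt)
            if is_trigger(pkt):
                triggered = True
                capture2.append(pkt)      # same packet starts Capture 2
        else:
            if len(capture2) >= post_buffer:
                break                     # Capture 2 buffer full: stop
            capture2.append(pkt)
    return list(capture1), capture2


def demo():
    """Constructed stream of 20 packets; packet 8 is the only one to port 23."""
    packets = [{"seq": i, "dst_port": 23 if i == 8 else 80} for i in range(1, 21)]
    pre, post = run_two_window_capture(
        packets, is_trigger=lambda p: p["dst_port"] == 23,
        pre_buffer=5, post_buffer=4)
    return [p["seq"] for p in pre], [p["seq"] for p in post]


if __name__ == "__main__":
    before, after = demo()
    print("Capture 1 (ends on trigger):", before)
    print("Capture 2 (starts on trigger):", after)
```

If the trigger never fires, Capture 1 simply holds the last pre_buffer packets seen and Capture 2 stays empty, which is the same picture you would see in AiroPeek with a Stop Trigger that has not yet been hit.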
Monitor Statistics continuously accumulate while the program is running. Eight statistics are available under the Monitor menu. When Monitor Statistics are enabled, AiroPeek records information about the traffic on the segment. The buffer for Monitor statistics is not affected by any sort of filters, packet slicing or anything else; it is simply on or off. Capture statistics accumulate after opening a Capture window and starting the capture. Select one of the views of a Capture window to see the statistics. Also, the buffers for individual Capture windows or Packet File windows are different than the buffer for Monitor Statistics. Filters restrict which packets are accepted into the buffer of a Capture window. (Packet slicing, by capturing only a part of each packet, can limit the information available to AiroPeek.)
Because routers forward traffic from other networks at OSI Layer 3, the logical address (IP) is forwarded unchanged but the physical address (MAC) is changed to that of the router doing the forwarding. In this case, OmniPeek might misidentify your router when it tries to resolve the name using the Resolve Name/Passive Name resolution option (Tools->Name Resolution). To properly identify routers, we recommend that you add your routers to the Name Table.
The following steps will give you some indication of which ports are open:
The default Timestamp format is Microseconds. This setting can be changed by clicking on one of the columns in the Packets view and selecting the Format tab or by right-clicking a packet in the Packets View and selecting Packet List Options.
Right-click the column header and select the fields you would like to see. Then right-click again and choose Packet List Options > Format tab and deselect "Show port names". You should now see port numbers instead of names. Also good to know: the source and destination port numbers are always displayed in the 'Summary' field (Src=###,Dst=###) in addition to other packet information.
In regards to wireless, if using an Atheros driver v3.0.1.x or above, the accuracy is approximately 1 microsecond, as the packets are being time-stamped by the hardware; versions below 3.0.1.x use software timestamps. If using WinXP and other NT-based systems, packets have an approximate accuracy of 0.1 milliseconds.
Copyright © 2008 WildPackets, Inc
All registered and unregistered trademarks are the sole property of their respective owners