Tech Tips

AiroPeek VX

Can I start AiroPeek from the command line?

Yes, here’s how:

APeek.exe [/autoload | /autostart] [template1] [templateN]

The /autoload switch loads the specified Capture Template (*.ctf) file(s). The /autostart switch loads the specified template(s) and begins capture. Multiple templates may be listed, separated by a space. You can use the * (asterisk) character or the ? (question mark) character as wildcards when specifying template names, following standard Windows wildcard usage.

In a default installation of AiroPeek, the command line would be started from:

C:\Program Files\WildPackets\AiroPeek

To automatically load template file capture1.ctf, for example, the command would be:

apeek /autoload [template file location]\capture1.ctf

How do I change the frequency to the 4.9 GHz band?

The Peek Country setting in the driver needs to be set to 'Japan' to support these frequencies.

In order to capture packets in a regulatory domain (i.e. country) different than the one the adapter was bought in originally, you must change the "Peek Country" code being used by the adapter.

The "Peek Country" code is only used by Peek and does not have any effect on the country code used for network services.

To change the adapter's "Peek Country" code on Windows XP, follow these steps:

  1. Stop all captures and quit Peek.
  2. Open the Network Connections Control Panel.
  3. Locate your wireless network adapter, right-click on it, and select Properties.
  4. Click on Configure, then the Advanced tab.
  5. Change the value of the "Peek Country" to the desired country.
  6. Click on OK and close all the windows you just opened.
  7. Restart Peek; you should now have access to a different set of channels.

To change the adapter's "Peek Country" code on Windows 2000, follow these steps:

  1. Stop all captures and quit Peek.
  2. Go to Start Menu | Settings | Network and Dial-up Connections.
  3. Locate your wireless network adapter, right-click on it, and select Properties.
  4. Click on Configure, then the Advanced tab.
  5. Change the value of the "Peek Country" to the desired country.
  6. Click on OK and close all the windows you just opened.
  7. Restart Peek; you should now have access to a different set of channels.

How do I create a filter to span multiple ports?

You can create an Advanced or Simple filter to span multiple ports. Ports can be entered and separated by commas and/or semicolons.

Here’s how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (green +).
  3. Select Simple or Advanced for Filter Type.
  4. Select Port Filter and add the port numbers. Use commas and semicolons to separate the port numbers.

Where can I find a definition for the expert messages?

Right-click on any Expert event and choose EventFinder Settings. Click the Show Info button for a description of the event and possible causes and remedies.

How can I import my company's network diagram into Peer Map?

Click the Peer Map view and click Open. The supported file types are *.BMP, *.JPEG, *.GIF, *.EMF, *.WMF, *.TIFF, *.PNG, *.ICO.

Is there a reference standard for passive MOS?

Is jitter measured 'one way' (only one direction in the flow)?

Jitter is independent in either direction. If both end VoIP devices send periodic RTCP report packets, the expert checks jitter from the perspective of both endpoints, i.e. both ways. If only one device sends RTCP packets, only the direction TO that device is checked. Not all VoIP devices send RTCP reports.

To measure data at the point of capture, AiroPeek analyzes the RTP stream independently of RTCP reports. This is not necessarily the jitter as received by an endpoint (unless AiroPeek is on the end segment); rather, it gives you a reading of jitter over some intermediate path.
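An added example, not AiroPeek code, of the RTCP-independent measurement described above: RFC 3550 interarrival jitter computed per direction from the RTP stream as seen at the capture point, plus a simple loss count from sequence-number gaps. The packets are constructed, not a real capture.

```python
from collections import defaultdict

CLOCK_HZ = 8000  # RTP clock for G.711 audio: 20 ms frames -> timestamp step of 160

# Constructed capture: (src, dst, ssrc, seq, rtp_timestamp, arrival_microseconds).
# A->B has timing wobble; B->A is perfectly paced but is missing seq 3.
PACKETS = [
    ("10.0.0.1", "10.0.0.2", 0x1111, 1, 0, 0),
    ("10.0.0.2", "10.0.0.1", 0x2222, 1, 0, 10_000),
    ("10.0.0.1", "10.0.0.2", 0x1111, 2, 160, 20_000),
    ("10.0.0.2", "10.0.0.1", 0x2222, 2, 160, 30_000),
    ("10.0.0.1", "10.0.0.2", 0x1111, 3, 320, 45_000),  # 5 ms late
    ("10.0.0.1", "10.0.0.2", 0x1111, 4, 480, 60_000),  # back on schedule
    ("10.0.0.2", "10.0.0.1", 0x2222, 4, 480, 70_000),  # seq 3 never seen
]


def rtp_jitter(packets, clock_hz=CLOCK_HZ):
    """Per (src, dst, ssrc) flow: RFC 3550 jitter J += (|D| - J) / 16, where
    D = (Rj - Ri) - (Sj - Si) with arrival R and RTP timestamp S in clock units.
    Each direction of a call is its own flow, so each gets its own reading."""
    state = defaultdict(lambda: {"prev": None, "J": 0.0, "n": 0, "seqs": set()})
    for src, dst, ssrc, seq, ts, arr_us in packets:
        st = state[(src, dst, ssrc)]
        arr = arr_us * clock_hz / 1_000_000  # arrival time in RTP clock units
        if st["prev"] is not None:
            prev_ts, prev_arr = st["prev"]
            d = (arr - prev_arr) - (ts - prev_ts)
            st["J"] += (abs(d) - st["J"]) / 16
        st["prev"] = (ts, arr)
        st["n"] += 1
        st["seqs"].add(seq)
    result = {}
    for flow, st in state.items():
        expected = max(st["seqs"]) - min(st["seqs"]) + 1  # ignores 16-bit wrap
        result[flow] = {
            "jitter_ms": st["J"] * 1000 / clock_hz,
            "packets": st["n"],
            "lost": expected - st["n"],
        }
    return result


if __name__ == "__main__":
    for flow, stats in rtp_jitter(PACKETS).items():
        print(flow, stats)
```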

Is there a way to only capture the header of a packet?

Yes, here’s how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (green +).
  3. Select Simple or Advanced for Filter Type.
  4. Select Protocol Filter.
  5. Select the Protocol and check Slice to Header.

What do the colors of the globes represent in the WLAN view?

  • Blue – ESSID
  • Pink – Access Point or Ad Hoc Equivalent
  • Orange – STA or Client
  • Gray – Admin or otherwise unknown
  • Gray with (?) – Indications for a particular node are contradictory or unexpected

Is there a way to view the packet payload of a conversation or flow?

The Visual Expert shows pictures of what is happening in a selected conversation, or flow.

  1. Click on the Expert view.
  2. In the Hierarchy or Application view, click on the '+' sign next to a node to expand the conversation.
  3. Right-click on one of the sub-points and choose Visual Expert.
  4. When the Visual Expert appears, click on one of the 6 tabs.

There are 6 tabs of the Visual Expert:

  1. The PacketVisualizer displays all of the packets for both sides of a flow. Packets are displayed as horizontal bars, with arrow and position cues to show in which direction each packet was sent.
  2. The Payload view reconstructs the TCP data without the header information. It keeps track of TCP sequence numbers, reassembling out-of-sequence and retransmitted packets. Text protocols such as POP3, SMTP, and HTTP can be read as text, while non-text characters are converted to dots.
  3. Five expert graphs: Throughput, Latency, Sequence, tcptrace, and TCP Window.
  4. What If lets you estimate the effect of changes in various network and application parameters (throughput, utilization, transaction times) on the current flow.
  5. When a flow is open in the Visual Expert, the Compare tab can find that same flow in any other open file or capture.
  6. Summary displays the same data that appears in the Node Details view in the Expert when the same flow is selected.

How can I compare two different captures?

Open the captures you would like to compare.

  1. Choose the Expert Flat view.
  2. Right-click on one of the flows and choose Visual Expert.
  3. Click the Compare tab.
  4. Click the drop-down arrow to select the captures.

How can I start multiple captures simultaneously?

  1. Click the Window menu and arrange the captures.
  2. To start: hold down Ctrl + Alt and click the Start button.
  3. To stop: hold down Ctrl + Alt and click the Stop button.

How do I change port numbers for an existing protocol?

For example, maybe you want all traffic on port 80 and port 8000 to show up under HTTP in the Packet view, Protocol statistics, etc. In that case, you will need to modify the following file with a Text Editor:

C:\Program Files\WildPackets\AiroPeek\1033\pspecs.xml

Search for your protocol's PSpec Name (e.g. HTTP); when you find the protocol, you can modify the existing port number(s).

How do I add port numbers for an existing protocol?

The <CondSwitch> tag defines a port number; the example uses port number 1234. You can add further ports by adding one <CondSwitch></CondSwitch> tag per port, as in the example below.

<CondSwitch>1234</CondSwitch>
<CondSwitch>1235</CondSwitch>
<CondSwitch>1236</CondSwitch>

For more information on ProtoSpecs, please visit the WildPackets Developer Network (WPDN) and, under the documentation section, see the ProtoSpecs XML Writing Guidelines.

https://wpdn.wildpackets.com/

How do I add a custom protocol to AiroPeek?

  1. Exit AiroPeek.

  2. Make a backup copy of the pspecs.xml file before editing it. AiroPeek will not load if the pspecs.xml file is missing or corrupted.

    Note: By default the pspecs.xml file is located in "C:\Program Files\WildPackets\AiroPeek\1033" for the English-localized version. For other languages, the final subdirectory ("1033") will be equal to the language code for AiroPeek's localized language.

  3. Open the pspecs.xml file in your favorite text or XML editor.

    Note: Make sure you add the protocols in the right section (TCP/UDP) and that higher port numbers go further down in the file.

  4. Create a new entry (see example below).

    <PSpec Name="MyProtocol">
    <PSpecID>1483</PSpecID>
    <LName>MyProtocol - Long Name</LName>
    <SName>MyProtocol - Short Name</SName>
    <Desc>This is my protocol.</Desc>
    <Color>color_2</Color>
    <CondSwitch>1234</CondSwitch>
    </PSpec>

Quick Notes:

The PSpecID is a numerical identifier for the protocol. It must be unique; that is, no two protocols may have the same PSpecID. Choose a PSpecID that is not used anywhere else in the file.

The <CondSwitch> tag defines a port number; the example uses port number 1234. You can add further ports by adding one <CondSwitch></CondSwitch> tag per port, as in the example below.

<CondSwitch>1234</CondSwitch>
<CondSwitch>1235</CondSwitch>
<CondSwitch>1236</CondSwitch>

The PSpec Name will be displayed in the Protocol column of the Packets tab.

The LName will be displayed in the Protocol Info dialog box (accessed by right-clicking the protocol and choosing Protocol Info).

The SName will be displayed in the Protocol statistics.

The Desc will be displayed in the Protocol Info box (Desc is optional. You can delete it if you don't want to write a description for your protocol).

Color will be the color used for the protocol. Colors are defined at the beginning of the document. Color is optional. You can delete it and AiroPeek will choose a color for the protocol.

CondSwitch tells AiroPeek how to recognize the protocol. For now, all you have to do is edit the "SrcPort ==" and "DestPort ==" entries to contain the port number that your protocol uses. These two entries should be the same.

For more information on ProtoSpecs, please visit the WildPackets Developer Network (WPDN) and, under the documentation section, see the ProtoSpecs XML Writing Guidelines.

https://wpdn.wildpackets.com/
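The two pspecs.xml edits above (adding ports to an existing protocol, and adding a new protocol with a unique PSpecID) as a small script. This is an added example, not WildPackets code: the <PSpecs> root element and the sample file content are assumptions shaped after the <PSpec> entries shown on this page, and the real file's full layout is not reproduced here. It backs the file up before writing, as step 2 requires, and refuses duplicate PSpecIDs.

```python
import shutil
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <PSpec> entries above; the <PSpecs> root is an assumption.
SAMPLE_PSPECS = """<PSpecs>
<PSpec Name="HTTP">
<PSpecID>100</PSpecID>
<LName>Hypertext Transfer Protocol</LName>
<SName>HTTP</SName>
<CondSwitch>80</CondSwitch>
</PSpec>
<PSpec Name="MyProtocol">
<PSpecID>1483</PSpecID>
<LName>MyProtocol - Long Name</LName>
<SName>MyProtocol - Short Name</SName>
<Desc>This is my protocol.</Desc>
<Color>color_2</Color>
<CondSwitch>1234</CondSwitch>
</PSpec>
</PSpecs>"""

def parse(text):
    return ET.fromstring(text)

def find(root, name):
    return root.find(f"PSpec[@Name='{name}']")

def used_ids(root):
    return [int(p.findtext("PSpecID")) for p in root.iter("PSpec")]

def validate(root):
    """List what AiroPeek would choke on: duplicate PSpecIDs and bad port numbers."""
    problems, ids = [], used_ids(root)
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        problems.append(f"duplicate PSpecID {dup}")
    for p in root.iter("PSpec"):
        for cs in p.findall("CondSwitch"):
            text = (cs.text or "").strip()
            if not text.isdigit() or int(text) > 65535:
                problems.append(f"bad port {text!r} in {p.get('Name')}")
    return problems

def add_port(root, name, port):
    """Add a <CondSwitch> to an existing protocol (e.g. 8000 to HTTP); returns its ports."""
    p = find(root, name)
    if p is None:
        raise KeyError(f"no PSpec named {name}")
    ports = [int(cs.text) for cs in p.findall("CondSwitch")]
    if port not in ports:
        ET.SubElement(p, "CondSwitch").text = str(port)
        ports.append(port)
    return ports

def add_protocol(root, name, lname, sname, ports, desc=None, color=None):
    """Append a new <PSpec> with a PSpecID nothing else uses; returns that ID."""
    if find(root, name) is not None:
        raise ValueError(f"PSpec {name} already exists")
    new_id = max(used_ids(root), default=0) + 1  # unique: above every existing ID
    p = ET.SubElement(root, "PSpec", Name=name)
    for tag, val in (("PSpecID", str(new_id)), ("LName", lname), ("SName", sname),
                     ("Desc", desc), ("Color", color)):
        if val:  # Desc and Color are optional, as the notes above say
            ET.SubElement(p, tag).text = val
    for port in ports:
        ET.SubElement(p, "CondSwitch").text = str(port)
    return new_id

def write_with_backup(path, root):
    """Copy to .bak first: AiroPeek will not start on a missing or corrupted pspecs.xml."""
    shutil.copy2(path, path + ".bak")
    ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)
```

Run validate() on the parsed file before write_with_backup() and stop if it reports anything, since the notes above say an unloadable pspecs.xml keeps AiroPeek from starting at all.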

Is there a way to locate a Rogue or Unknown device?

You can use the Locate Node feature if you are using AiroPeek on a laptop. Under the Wireless View, select WLAN. Right-click the source and choose Locate Node. AiroPeek will create a live signal strength graph for this node in the Graphs tab, and then switch your display to the new graph automatically. The higher the signal strength, the closer you have moved to the source node. Please also see our white paper on Identifying and Locating Rogue Access Points.

http://www.wildpackets.com/elements/tutorials/RogueAccessPoints.pdf

How can AiroPeek help me baseline my network?

The summary statistics feature allows you to monitor key network statistics in real time and save these statistics for later comparison. Use this feature to baseline “normal” network activity, save the data, then compare saved statistics with those observed during periods of erratic network behavior to help pinpoint the cause of the problem.

Summary statistics are also extremely valuable in comparing the performance of two different network segments. For example, a field support engineer could compare the real-time statistics on a client’s network with a saved “healthy” router snapshot and easily diagnose or eliminate the source of inconsistent or poor router performance.

To baseline with summary statistics:

Choose Monitor > Summary. The Summary Statistics window appears.

Can you explain the Peer Map view?

Communications between nodes are indicated with line segments. The line between nodes can be color-coded to show which protocol is used, and the thickness of the line indicates the volume of traffic between the nodes.

Does the Call Playback feature have a playback limitation?

Yes, you can play up to 5000 voice packets.

What is the keyboard shortcut to apply a filter post-capture?

Hold down Ctrl + E.

What are some of the other keyboard shortcuts?

Can I trigger a capture based on an alarm?

Yes, you can automate captures based on an alarm. Here's how:

In this example we will use “Average Utilization”.

  • Double-click on "Average Utilization" and set it to your liking.
  • By default, the problem alarm is set to notify when the average utilization exceeds 75/s for 5 seconds.
  • Be sure to set the severity level to "Severe" from the dropdown.
  • After that, you need to change every other alarm that is set to "Severe" and bring them down to "Major". That way the only Severe notification remaining would be the average utilization alarm.
  • Next, you will create a command line notification for any "Severe" alarm that is activated, in this case our "Severe" utilization alarm. The command notification will be a PING that initiates a capture.

Instructions

Either time/date or packets passing through the filters activate triggers. Alarm messages create a signal that is acted upon by the notifications module, which causes an action to occur (Log, Email, Sound, Execute, log to syslog server or send SNMP traps).

  1. Create an address filter combined with the ICMP Protocol

    (example: Protocol =ICMP AND Address = 1.2.3.4) this will be your trigger filter. Name this filter PING TRIGGER.

    [Note: IP address 1.2.3.4 is used as an example. The IP address must be a valid host address that can echo a reply. Maybe you can PING your Gateway or some other host/device you are certain will be available to echo-reply.]

  2. Go to Tools > Options and create a new notification with the action type set to 'Execute' a Ping, and check only the SEVERE box.

    [Note: You must enter the full path to the PING executable.

    Here's an example of the settings:

    Command: C:\WINDOWS\system32\ping.exe

    Arguments: 1.2.3.4 -n 1

    The above argument example will send one ICMP PING packet to whatever valid IP address you choose. A loopback address will not work since the packets never reach the wire.]

  3. Modify your problem alarm settings for "Utilization" and set it to SEVERE as mentioned above - also make sure that no other Alarm levels are set to Severe, or they too will activate your trigger.

  4. Set up a new capture; set your capture options to have your new PING TRIGGER as the "Start Trigger Event". When the utilization alarm is activated, the alarm will execute a PING, which will start your capture.

    You can then set a stop trigger event based on a time, elapsed time, bytes captured, a filter, etc. You could then use the save-to-disk option and Repeat mode, so the trigger fires every time the severe alarm is activated and a separate capture is saved for each run.

Is it possible to use wildcards to create a filter?

Yes, this is possible. For instance, if you have the vendor ID of the MAC address (00:04:75 for 3Com), your filter would look like this: 00:04:75:*:*:*

AiroPeek stops capturing.

First, confirm Capture Options/General/Continuous capture is checked.

If you are using Windows XP, you will need to turn off "Wireless Zero Configuration". This service sometimes tries to take control of the wireless adapter while you are capturing packets; if this happens, AiroPeek will stop capturing. Go to the properties of your wireless card, select the Wireless Networks tab, and uncheck the "Use Windows to configure my wireless network settings" box, or go into Services and stop the Wireless Zero Configuration service.

I can't change the channel on my wireless ABG card and AiroPeek says that all packets are coming from channel 0. What could be wrong?

This is a known issue with the driver. Please go to http://www.wildpackets.com/support/hardware/ap_atheros5001plus_driver for more information and an updated driver.

My wireless client loses association with the access point while running AiroPeek. Can you tell me why this is happening?

AiroPeek uses RF monitor mode to capture packets from the network. RF monitor mode is superior because it allows AiroPeek to capture all of the packets it sees on a single channel, no matter what Access Point they are going to, what vendor's equipment sent the packets, or who the packets are addressed to. Unfortunately, as you have noticed, when the wireless NIC is placed into RF monitor mode, it cannot be used for normal data transfer. This is not a limitation of AiroPeek, the drivers, or even the wireless NIC; it is simply a physical limitation of the RF technology.

Some customers have gotten around this limitation by placing two wireless cards into their laptops simultaneously. One card is used for data transmission and the other card is used for capturing with AiroPeek. This depends on whether the NICs' form factor allows it. For example, the Cisco cards are relatively thin and will fit into the bottom PCMCIA slot with an Agere card on top, but Agere cards are thicker and probably won't fit in the bottom slot with a Cisco card on top. In order to keep the drivers separate, the cards should be from different vendors; this is very important. So, for example, you might use a Cisco 340 card for AiroPeek and an Agere card for sending data.

Can you please tell me how utilization percentage is calculated in the Summary tab?

We use the maximum link speed of the wireless card, which would be 11 Mbit/s.

For example if you found the following within the summary tab:

Current Utilization (percent) 0.267
Current Utilization (bits/s) 29,352.000

29,352.000 / 11,000,000 = 0.00267, i.e. 0.267% utilization

The software installed with no problem, but I still can't capture packets. What could be wrong?

First, make certain that your adapter card is working normally on your network. Are you associated with an Access Point? Can you browse the internet? Verify you have installed a supported driver. Next, make sure you are capturing on the correct channel: go to Capture/Capture Options/802.11. If you have checked these two things and still can't capture, contact us via our Technical Support Form.

Is it possible to use two Atheros-based adapters simultaneously with AiroPeek?

Unfortunately, Atheros does not support this usage, so the WildPackets driver also does not support the simultaneous use of multiple Atheros-based adapters. One of the Atheros-based cards would need to be disabled for the other Atheros-based card to function. If you must connect to the network and also use AiroPeek, you will need to obtain another card with a different chipset (e.g. Realtek, Agere, Symbol); please check our list of supported adapters: http://www.wildpackets.com/support/product_support/airopeek/hardware

Does AiroPeek recognize short and long preambles?

AiroPeek recognizes the type of preamble from the Capability Info field contained in management and control frames from the AP.

How do I save my personal settings in the VoIP view?

You will need to create a VoIP Analysis Module .ini file.

  • Open AiroPeek VX
  • Start a New Capture
  • Go to the VoIP view
  • Click on the icon that has the Hammer w/ Disk
  • Choose the location to save the file and give the file a name
  • This will create a *.gst
  • Open the *.gst file in your favorite text editor

Example *.gst file

@WildPackets Setup
@Created time = Wednesday, October 26, 2005, 10:25:35.00000
@general configuration---------------------------------------
##GENERAL=
MaxRTPFrameCnt=5000
MaxRTCPFrameCnt=12
MaxOnlineSessionCnt=20
MaxOnlineSpace=512
WaitTimeout=30
Time=relative
HardwareFilter=Yes

How do I add custom VoIP ports?

To add custom ports to Peek VX:

  1. Click on the VoIP tab.
  2. In the top left, click on the hammer icon. This will launch the VoIP Settings window.
  3. Click the Ports tab.
  4. Click Add and enter your additional ports.
  5. Click the >> button, then click OK on the Additional Ports window.
  6. Click OK on the VoIP Settings window.
  7. Click Edit/Reprocess All Packets.

Can I ignore signaling and only analyze media packets?

Yes. To ignore signaling:

  • On the VoIP view, click on the hammer. This will bring up the VoIP Settings window. (Note: These settings reset EVERY time. If you want to keep settings, save the Peek VX General Setup file using the Save As... button.)
  • Click the Detection tab.
  • Uncheck detect media and check verify payload.
  • Click OK.
  • Click Edit/Reprocess All Packets.

(Note: After this, you will not see signaling on the VoIP view.)

I am unable to start a wireless capture. When I select 'OK' in the Capture Options I receive the error 'The adapter "Wireless Network Connection" is not supported by this product.' What am I missing?

In order to capture wireless traffic with AiroPeek, you must install a custom WildPackets driver. A list of supported cards and the WildPackets drivers can be found here:

http://www.wildpackets.com/support/product_support/airopeek/hardware

Please find your card from the list and download the appropriate driver.

***First install and test the adapter with the OEM driver. Do not install the WildPackets driver until the adapter is functioning properly on your network using the OEM driver***

Also, be sure to follow the ReadMe carefully; you must choose 'Don't search. I will choose the driver to install.'

I have entered the correct key or passphrase but the TKIP encrypted packets are not being decrypted. Can you please tell me what's wrong?

Peek *must* capture the complete (EAPOL) key exchange to successfully decrypt WPA-PSK encrypted traffic. This exchange consists of the 4-packet Pairwise Master Key (PMK) exchange and the 2-packet Group Temporal Key (GTK) exchange. Below is an example of a successful EAPOL capture.

Note: If the initial key exchange is not captured, you will have to wait for your access point to re-key, or force a re-key by re-association.
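An added illustration, not WildPackets code, of why the EAPOL exchange itself has to be in the capture: the per-session keys are expanded from nonces that exist only in those frames, so the passphrase alone is not enough. PMK derivation and PTK expansion follow IEEE 802.11i; the passphrase, MAC addresses and nonces below are constructed, and handshake_complete() is a hypothetical helper that checks a capture for the two nonces.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    ANonce travels only in handshake message 1 (and 3), SNonce only in message 2;
    miss either frame and the session keys cannot be reconstructed from the PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    # KCK authenticates the handshake MICs, KEK wraps the GTK in message 3, TK encrypts data.
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48], "PTK": ptk}


def handshake_complete(frames):
    """frames: EAPOL-Key frames from a capture as dicts {"msg": 1..4, "nonce": bytes}.
    Returns (ok, anonce, snonce); ok is False when a nonce is missing, i.e. when the
    analyzer has to wait for a re-key or a re-association, as the note above says."""
    anonce = next((f["nonce"] for f in frames if f["msg"] in (1, 3)), None)
    snonce = next((f["nonce"] for f in frames if f["msg"] == 2), None)
    return anonce is not None and snonce is not None, anonce, snonce


if __name__ == "__main__":
    pmk = pmk_from_passphrase("constructed-passphrase", "TestNet")
    ok, an, sn = handshake_complete([{"msg": 1, "nonce": bytes([1] * 32)}])
    print("handshake complete:", ok)  # False: message 2 (SNonce) was not captured
```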
