WildPackets

Tech Tips

EtherPeek

Can I start EtherPeek from the command line?

Yes, here’s how:

EPeek.exe [/autoload | /autostart] [template1] [templateN]

The /autoload switch loads the specified Capture Template (*.ctf) file(s). The /autostart switch loads the specified template(s) and begins capture. Multiple templates may be listed, separated by a space. You can use the * (asterisk) character or the ? (question mark) character as wildcards in specifying template names, following standard Windows wildcard usage.

In a default installation of EtherPeek, the command is run from the installation directory:
C:\Program Files\WildPackets\EtherPeek

To automatically load the template file capture1.ctf, for example, the command (using the EPeek.exe syntax above) would be:
EPeek.exe /autoload [template file location]\capture1.ctf

How do I create a filter to span multiple ports?

You can create an Advanced or Simple filter to span multiple ports. Ports can be entered and separated by commas and/or semicolons.

Here’s how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (Green +)
  3. Select Simple or Advanced for Filter Type.
  4. Select Port Filter and add the port numbers. Use commas and semicolons to separate the port numbers.

Is there a way to only capture the header of a packet?

Yes, here’s how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (Green +)
  3. Select Simple or Advanced for Filter Type.
  4. Select Protocol Filter.
  5. Select the Protocol and check Slice to Header.

How can I start multiple captures simultaneously?

  1. Click the Window menu and arrange the captures.
  2. To start: hold down Ctrl + Alt and click the Start button.
  3. To stop: hold down Ctrl + Alt and click the Stop button.

How do I change port numbers for an existing protocol?

For example, maybe you want all traffic on port 80 and port 8000 to show up under HTTP in the Packet view, Protocol statistics, etc. In that case, you will need to modify the following file with a Text Editor:

C:\Program Files\WildPackets\EtherPeek\1033\pspecs.xml

Search for your protocol's PSpec Name (for example, HTTP); when you find the protocol, modify its existing port number(s).

How do I add port numbers for an existing protocol?

The <CondSwitch> tag defines a port number. The example uses port number 1234. You can add additional ports by adding additional <CondSwitch></CondSwitch> tags, as in the example below.

<CondSwitch>1234</CondSwitch>
<CondSwitch>1235</CondSwitch>
<CondSwitch>1236</CondSwitch>

For more information on ProtoSpecs, please visit the WildPackets Developer Network (WPDN) and, under the Documentation section, see the ProtoSpecs XML Writing Guidelines.

https://wpdn.wildpackets.com/

How do I add a custom protocol to EtherPeek?

  1. Exit EtherPeek.

  2. Make a backup copy of the pspecs.xml file before editing it. EtherPeek will not load if the pspecs.xml file is missing or corrupted.

    Note: By default the pspecs.xml file is located in "C:\Program Files\WildPackets\EtherPeek\1033" for the English-localized version. For other languages, the final subdirectory ("1033") is the language code of EtherPeek's localized language.

  3. Open the pspecs.xml file in your favorite text or XML editor.

    Note: Please make sure you add the protocols in the right section (TCP/UDP) and that the higher port numbers go further down in the file.

  4. Create a new entry (see example below).

    <PSpec Name="MyProtocol">
    <PSpecID>1483</PSpecID>
    <LName>MyProtocol - Long Name</LName>
    <SName>MyProtocol - Short Name</SName>
    <Desc>This is my protocol.</Desc>
    <Color>color_2</Color>
    <CondSwitch>1234</CondSwitch>
    </PSpec>

Quick Notes:

The PSpecID is a numerical identifier for the protocol. It must be unique; that is, no two protocols are allowed to have the same PSpecID. You must choose a PSpecID that is not used anywhere else in the file.

The <CondSwitch> tag defines a port number. The example uses port number 1234. You can add additional ports by adding additional <CondSwitch></CondSwitch> tags, as in the example below.

<CondSwitch>1234</CondSwitch>
<CondSwitch>1235</CondSwitch>
<CondSwitch>1236</CondSwitch>

The PSpec Name will be displayed in the Protocol column of the Packets tab.

The LName will be displayed in the Protocol Info dialog box (accessed by right-clicking the protocol and choosing Protocol Info).

The SName will be displayed in the Protocol statistics.

The Desc will be displayed in the Protocol Info box (Desc is optional. You can delete it if you don't want to write a description for your protocol).

Color will be the color used for the protocol. Colors are defined at the beginning of the document. Color is optional. You can delete it and EtherPeek will choose a color for the protocol.

CondSwitch tells EtherPeek how to recognize the protocol. For now, all you have to do is edit the "SrcPort ==" and "DestPort ==" entries to contain the port number that your protocol uses. These two entries should be the same.
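The checks the notes above ask for (a unique PSpecID, ports added as extra <CondSwitch> tags, ascending port order in the file) can be automated before EtherPeek is restarted. The following is an added example written for this page, not WildPackets code; it assumes a well-formed XML file whose <PSpec> entries look like the FAQ's example, and the root element name "ProtoSpecs" and the sample entries are constructed for the demo.

```python
# Added example (not WildPackets' code): a small checker/editor for pspecs.xml-style entries.
# Assumptions: the file is well-formed XML and <PSpec> entries look like the FAQ's example;
# the root element name "ProtoSpecs" and the sample entries below are constructed for this demo.
import xml.etree.ElementTree as ET

SAMPLE_PSPECS = """<ProtoSpecs>
  <PSpec Name="HTTP">
    <PSpecID>100</PSpecID>
    <LName>Hypertext Transfer Protocol</LName>
    <SName>HTTP</SName>
    <CondSwitch>80</CondSwitch>
    <CondSwitch>8000</CondSwitch>
  </PSpec>
  <PSpec Name="MyProtocol">
    <PSpecID>1483</PSpecID>
    <LName>MyProtocol - Long Name</LName>
    <SName>MyProtocol - Short Name</SName>
    <Desc>This is my protocol.</Desc>
    <Color>color_2</Color>
    <CondSwitch>1234</CondSwitch>
  </PSpec>
</ProtoSpecs>
"""


def load_pspecs(xml_text):
    """Parse the document; a malformed file raises ET.ParseError (EtherPeek would not load it)."""
    return ET.fromstring(xml_text)


def pspec_ids(root):
    """All PSpecID values in file order."""
    return [int(p.findtext("PSpecID")) for p in root.iter("PSpec")]


def duplicate_ids(root):
    """PSpecIDs used by more than one entry; the FAQ requires this list to be empty."""
    seen, dups = set(), set()
    for pid in pspec_ids(root):
        if pid in seen:
            dups.add(pid)
        seen.add(pid)
    return sorted(dups)


def ports_of(root, name):
    """Port numbers (CondSwitch values) of the named PSpec, or None if it does not exist."""
    pspec = root.find(f"PSpec[@Name='{name}']")
    if pspec is None:
        return None
    return [int(c.text) for c in pspec.findall("CondSwitch")]


def add_ports(root, name, new_ports):
    """Add extra <CondSwitch> ports to an existing PSpec (the 'add port numbers' FAQ)."""
    pspec = root.find(f"PSpec[@Name='{name}']")
    if pspec is None:
        raise KeyError(name)
    existing = set(ports_of(root, name))
    for port in new_ports:
        if port not in existing:
            ET.SubElement(pspec, "CondSwitch").text = str(port)
            existing.add(port)
    return ports_of(root, name)


def add_pspec(root, name, pspec_id, lname, sname, ports, desc=None, color=None):
    """Append a new PSpec entry (the 'add a custom protocol' FAQ), refusing a reused PSpecID."""
    if pspec_id in pspec_ids(root):
        raise ValueError(f"PSpecID {pspec_id} is already in use")
    pspec = ET.SubElement(root, "PSpec", Name=name)
    ET.SubElement(pspec, "PSpecID").text = str(pspec_id)
    ET.SubElement(pspec, "LName").text = lname
    ET.SubElement(pspec, "SName").text = sname
    if desc:                      # Desc and Color are optional per the FAQ
        ET.SubElement(pspec, "Desc").text = desc
    if color:
        ET.SubElement(pspec, "Color").text = color
    for port in ports:
        ET.SubElement(pspec, "CondSwitch").text = str(port)
    return pspec


def ports_in_ascending_order(root):
    """One reading (an assumption) of the FAQ note 'higher port numbers go further down':
    each entry's lowest port must not be lower than the lowest port of the entry before it."""
    lows = [min(int(c.text) for c in p.findall("CondSwitch"))
            for p in root.iter("PSpec") if p.findall("CondSwitch")]
    return all(a <= b for a, b in zip(lows, lows[1:]))


if __name__ == "__main__":
    root = load_pspecs(SAMPLE_PSPECS)
    add_ports(root, "HTTP", [8080])
    add_pspec(root, "MyOtherProtocol", 1484, "MyOtherProtocol - Long Name",
              "MyOtherProtocol - Short Name", [5000, 5001])
    print("duplicate PSpecIDs:", duplicate_ids(root))
    print("ports ascending:", ports_in_ascending_order(root))
    print(ET.tostring(root, encoding="unicode"))
```

Run it against a copy of your real pspecs.xml (load_pspecs on the file's text) and keep the original as the backup the procedure above asks for; a ParseError from load_pspecs is the same condition that would stop EtherPeek from loading.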

For more information on ProtoSpecs, please visit the WildPackets Developer Network (WPDN) and, under the Documentation section, see the ProtoSpecs XML Writing Guidelines.

https://wpdn.wildpackets.com/

How can EtherPeek help me baseline my network?

The summary statistics feature allows you to monitor key network statistics in real time and save these statistics for later comparison. Use this feature to baseline “normal” network activity, save the data, then compare saved statistics with those observed during periods of erratic network behavior to help pinpoint the cause of the problem.

Summary statistics are also extremely valuable in comparing the performance of two different network segments. For example, a field support engineer could compare the real-time statistics on a client’s network with a saved “healthy” router snapshot and easily diagnose or eliminate the source of inconsistent or poor router performance.

To baseline with summary statistics:

Choose Monitor > Summary. The Summary Statistics window appears.

What is the keyboard shortcut to apply a filter post-capture?

Hold down Ctrl + E

What are some of the other keyboard shortcuts?

Can I trigger a capture based on an alarm?

Yes, you can automate captures based on an alarm. Here's how.

In this example we will use “Average Utilization”.

  • Double click on "Average Utilization" and set it to your liking.
  • By default, the problem alarm is set to notify when the average utilization exceeds 75/s for 5 seconds.
  • Be sure to set the severity level to "Severe" from the dropdown.
  • After that, you need to change every other alarm that is set to "Severe" and bring them down to "Major". That way the only Severe notification remaining will be the average utilization alarm.
  • Next, you will create a command line notification for any "Severe" alarm that is activated; in this case, that is our "Severe" utilization alarm. The command notification will be a PING that initiates a capture.

Instructions

Either time/date or packets passing through the filters activate triggers. Alarm messages create a signal that is acted upon by the notifications module, which causes an action to occur (Log, Email, Sound, Execute, log to syslog server or send SNMP traps).

  1. Create an address filter combined with the ICMP Protocol

    (example: Protocol = ICMP AND Address = 1.2.3.4) This will be your trigger filter. Name this filter PING TRIGGER.

    [Note: IP address 1.2.3.4 is used as an example. The IP address must be a valid host address that can echo a reply. For example, you could PING your gateway or some other host/device you are certain will be available to echo-reply.]

  2. Go to Tools > Options and create a new notification with the action type set to 'Execute' a Ping and check only the SEVERE box.

    [Note: You must enter the full path to the PING executable.

    Here's an example of the settings:

    Command: C:\WINDOWS\system32\ping.exe

    Arguments: 1.2.3.4 -n 1

    The above argument example will send one ICMP PING packet to whatever valid IP address you choose. A loopback address will not work since the packets never reach the wire.]

  3. Modify your problem alarm settings for "Utilization" and set it to SEVERE as mentioned above. Also make sure that no other alarm levels are set to Severe, or they too will activate your trigger.

  4. Set up a new capture; set your capture options to have your new PING TRIGGER as the "Start Trigger Event". When the utilization alarm is activated, the alarm will execute a PING, which will start your capture.

    You can then set a stop trigger event based on a time, elapsed time, bytes captured, a filter, etc. You could then use the Save to Disk option and Repeat mode, so the trigger would go off every time the Severe alarm was activated and save a separate capture for each run.
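The chain above (alarm reaches Severe, the Severe-only notification executes ping.exe, the PING TRIGGER filter sees the ICMP packet and starts the capture) is easy to get subtly wrong, and the two failure modes the steps warn about (another alarm left at Severe, a loopback ping that never reaches the wire) are worth seeing end to end. The following simulation is an added example written for this page, not EtherPeek code; it assumes one utilization sample per second, reads "exceeds X for N seconds" as N consecutive samples above X, and uses a constructed 12-second statistics series.

```python
# Added example (not EtherPeek code): simulates the alarm -> notification -> trigger chain from
# the steps above. Assumptions (constructed for this demo): utilization is sampled once per second,
# "exceeds X for N seconds" means N consecutive samples above X, and the ping notification produces
# one ICMP packet that the PING TRIGGER filter (Protocol = ICMP AND Address = 1.2.3.4) inspects.
from dataclasses import dataclass, field


@dataclass
class Alarm:
    name: str          # key of the statistic in each sample
    threshold: float
    seconds: int       # consecutive seconds above threshold before the alarm raises
    severity: str      # "Severe", "Major", ...
    run: int = field(default=0, repr=False)

    def feed(self, value):
        """Return True exactly once per excursion, on the sample that completes the run."""
        self.run = self.run + 1 if value > self.threshold else 0
        return self.run == self.seconds


@dataclass
class Notification:
    severities: frozenset      # only alarms of these severities execute the command
    command: str
    arguments: str

    def fires_for(self, alarm):
        return alarm.severity in self.severities


@dataclass
class TriggerFilter:
    protocol: str
    address: str

    def matches(self, packet):
        return packet["proto"] == self.protocol and self.address in (packet["src"], packet["dst"])


def packet_from_ping(arguments):
    """The frame the analyzer sees when 'ping.exe <addr> -n 1' runs; None for a loopback
    address, because (as the FAQ notes) loopback packets never reach the wire."""
    target = arguments.split()[0]
    if target.startswith("127."):
        return None
    return {"proto": "ICMP", "src": "ANALYZER", "dst": target}


def run_scenario(alarms, notification, trigger, samples):
    """Return [(second, alarm_name)] for every capture start the trigger would produce."""
    starts = []
    for second, sample in enumerate(samples):
        for alarm in alarms:
            if alarm.feed(sample[alarm.name]) and notification.fires_for(alarm):
                packet = packet_from_ping(notification.arguments)
                if packet is not None and trigger.matches(packet):
                    starts.append((second, alarm.name))
    return starts


def capture_starts(other_alarm_severity, ping_arguments="1.2.3.4 -n 1"):
    """Constructed 12-second scenario: utilization is high for 5 s (t=2..6) and a second
    statistic, 'errors', is high for 3 s (t=8..10). Leaving the 'errors' alarm at Severe
    triggers a second, unintended capture; demoting it to Major leaves only the utilization run."""
    samples = [{"utilization": u, "errors": e} for u, e in
               zip([10, 20, 80, 85, 90, 80, 80, 30, 20, 20, 20, 20],
                   [0, 0, 0, 0, 0, 0, 0, 0, 50, 60, 55, 0])]
    alarms = [Alarm("utilization", 75, 5, "Severe"),
              Alarm("errors", 40, 3, other_alarm_severity)]
    notification = Notification(frozenset({"Severe"}), r"C:\WINDOWS\system32\ping.exe", ping_arguments)
    trigger = TriggerFilter("ICMP", "1.2.3.4")
    return run_scenario(alarms, notification, trigger, samples)


if __name__ == "__main__":
    print("errors alarm left at Severe:", capture_starts("Severe"))
    print("errors alarm demoted to Major:", capture_starts("Major"))
    print("ping to loopback:", capture_starts("Major", "127.0.0.1 -n 1"))
```

The first call shows the stray capture that step 3 warns about; the second shows the intended single start; the third shows that pointing the ping at a loopback address produces no trigger at all.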

Is it possible to use wildcards to create a filter?

Yes, this is possible. For instance, if you know the vendor ID portion of the MAC address (00:04:75 for 3Com), your filter would look like this: 00:04:75:*:*:*

I know how to capture traffic starting with a certain trigger event. Can I also capture the traffic just before the Start Trigger event?

Yes, by using EtherPeek’s ability to have multiple capture windows. First set up a Capture 1 window as a continuous capture with your filter as a Stop Trigger event. This gives you a snapshot of what was happening just before your trigger. Then set up a Capture 2 window as you normally would with a Start Trigger when the filter event happens. This lets you capture what happened after the event. Click the Start Capture (Stop trigger active) on Capture 1 and click the Start Trigger button on Capture 2. The packet that triggers the event will be the last packet in Capture 1 and will be the first packet in Capture 2.

In a similar way you can capture what happens after a Stop Trigger event. Set up your Capture 1 Stop Trigger normally. Set up a second capture with buffer options to stop when the buffer is full (do not checkmark Continuous) and set the buffer size based on how much additional traffic you want to see. Set this second capture with a Start Trigger on the same filter event as your Capture 1 Stop Trigger. It will run until this buffer is full.

What is the difference between Monitor Statistics and Capture Statistics?

Monitor Statistics continuously accumulate while the program is running. Eight statistics are available under the Monitor menu. When Monitor Statistics are enabled, EtherPeek records information about the traffic on the segment. The buffer for Monitor statistics is not affected by any sort of filters, packet slicing or anything else; it is simply on or off.

Capture statistics accumulate after opening a Capture window and starting the capture. Select one of the views of a Capture window to see the statistics. Also, the buffers for individual Capture windows or Packet File windows are different than the buffer for Monitor Statistics. Filters restrict which packets are accepted into the buffer of a Capture window. (Packet slicing, by capturing only a part of each packet, can limit the information available to EtherPeek.)

The software installed with no problem, but I still can't capture packets. What could be wrong?

First, make certain that your adapter card is working normally on your network. A simple way to verify this is to see whether other machines appear in the "Network Neighborhood" folder. Next, make certain that the selected NIC supports promiscuous-mode capture. In EtherPeek 4, you need to choose New from the File menu and complete the Capture Buffer Options dialog in order to capture and see packets. If you have checked these two things and still can't capture, contact us via our Technical Support Form.

Why can't I see all the traffic from my auto-sensing dual speed hub?

It appears that these auto-sensing dual speed hubs automatically manage network traffic so 100 Mbit traffic does not unnecessarily crowd the 10 Mbit network segment and 10 Mbit traffic does not crowd the 100 Mbit segment. Because these hubs have switching features, they need some kind of management port for EtherPeek or any analyzer to use in order to see all traffic.

Here's a hypothetical situation to clarify what is happening:

  • Port 1 connects to a 100 Mbit NIC in a machine running EtherPeek.
  • Port 2 connects to a 10 Mbit NIC in another machine.
  • Port 3 connects via 10 Mbit to a DSL modem.

A packet comes in from the Internet to the DSL modem on port 3. The packet is addressed to the machine attached to port 2. Since ports 2 and 3 are both part of the 10 Mbit segment, the packet will never bridge to the 100 Mbit segment, so EtherPeek will not see the packet.

For any dual speed hubs that function in this way, you will need a hub with a management port or mirroring capabilities in order for EtherPeek to see and analyze all traffic. For more information, please download "Applying EtherPeek to Switched Network Management."

It appears that my router is being misidentified?

Because routers forward traffic from other networks at OSI Layer 3, the logical address (IP) is forwarded unchanged but the physical address (MAC) is changed to that of the router doing the forwarding. In this case, Peek might misidentify your router when it tries to resolve the name using the Resolve Name/Passive Name resolution option (Tools->Name Resolution). To properly identify routers, we recommend that you add your routers to the Name Table.

Can I use the Peek analyzer to assist with firewall rules?

The following steps will give you some indication of which ports are open:

  1. Set packet slicing to 70 bytes (this keeps the TCP/UDP headers).
  2. Go to the Expert view and select Flat.
  3. Enable the optional "Port Numbers" column.
  4. Disable Resolve Port Names (right click).
  5. Click the Port Numbers column header to sort by port.
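Three of the tips above (slicing a packet down to its headers, a MAC wildcard filter such as 00:04:75:*:*:*, and surveying port numbers from sliced packets to inform firewall rules) come together in the following added example, written for this page and not EtherPeek code. It builds a few Ethernet/IPv4/TCP/UDP frames of its own (the MAC addresses, IPs and ports are constructed), slices them, applies a wildcard source-MAC filter, and tallies destination ports; it also shows the failure mode where a slice too short to hold the transport header yields no port information at all.

```python
# Added example (not EtherPeek code): what a 70-byte packet slice keeps, how a MAC wildcard
# filter such as 00:04:75:*:*:* is applied, and a destination-port survey like the firewall-rules
# FAQ. Frames, MAC addresses and IPs below are constructed for this demo.
import struct


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet II + IPv4 (no options) + TCP or UDP header, checksums zeroed."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))

    def ip4(a):
        return bytes(int(x) for x in a.split("."))

    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    l4_len = 20 if proto == 6 else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + len(payload), 0, 0, 64, proto, 0,
                     ip4(src_ip), ip4(dst_ip))
    if proto == 6:   # TCP: data offset 5, SYN flag, window 8192
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:            # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip + l4 + payload


def slice_frame(frame, slice_len=70):
    """Packet slicing keeps only the first slice_len bytes; 14 + 20 + 20 = 54 fit in 70."""
    return frame[:slice_len]


def mac_matches(pattern, mac):
    """Wildcard match per octet: '*' is any octet, '?' any single hex digit."""
    p_parts, m_parts = pattern.lower().split(":"), mac.lower().split(":")
    if len(p_parts) != 6 or len(m_parts) != 6:
        return False
    for p, m in zip(p_parts, m_parts):
        if p == "*":
            continue
        if len(p) != 2 or len(m) != 2 or any(pc not in ("?", mc) for pc, mc in zip(p, m)):
            return False
    return True


def parse_ports(sliced):
    """(src_mac, 'TCP'|'UDP', sport, dport) from a slice, or None when the slice is not IPv4
    TCP/UDP or is too short to contain the port fields."""
    if len(sliced) < 34 or sliced[12:14] != b"\x08\x00":
        return None
    src_mac = ":".join(f"{b:02x}" for b in sliced[6:12])
    ihl = (sliced[14] & 0x0F) * 4          # IP header length; options make it longer than 20
    name = {6: "TCP", 17: "UDP"}.get(sliced[23])
    l4 = 14 + ihl
    if name is None or len(sliced) < l4 + 4:
        return None
    sport, dport = struct.unpack("!HH", sliced[l4:l4 + 4])
    return src_mac, name, sport, dport


def port_survey(frames, src_mac_pattern="*:*:*:*:*:*", slice_len=70):
    """Count frames per (protocol, destination port) after slicing and MAC filtering."""
    counts = {}
    for frame in frames:
        rec = parse_ports(slice_frame(frame, slice_len))
        if rec is None or not mac_matches(src_mac_pattern, rec[0]):
            continue
        key = (rec[1], rec[3])
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items()))


# Constructed traffic: two hosts with the 3Com vendor prefix from the FAQ and one other host.
FRAMES = [
    build_frame("00:04:75:aa:bb:cc", "00:11:22:33:44:55", "10.0.0.5", "10.0.0.1", 6, 40000, 80),
    build_frame("00:04:75:aa:bb:cc", "00:11:22:33:44:55", "10.0.0.5", "10.0.0.1", 6, 40001, 443),
    build_frame("00:0c:29:11:22:33", "00:11:22:33:44:55", "10.0.0.6", "10.0.0.1", 17, 5353, 53, b"\x00" * 12),
    build_frame("00:04:75:dd:ee:ff", "00:11:22:33:44:55", "10.0.0.7", "10.0.0.1", 6, 40002, 80),
]

if __name__ == "__main__":
    print("all hosts:    ", port_survey(FRAMES))
    print("3Com only:    ", port_survey(FRAMES, "00:04:75:*:*:*"))
    print("34-byte slice:", port_survey(FRAMES, slice_len=34))   # ports cut off -> nothing
```

The 34-byte case is why the FAQ picks 70 rather than the bare minimum: a slice that ends at the IP header leaves nothing for the port survey, and IPv4 options push the transport header further still, so a little headroom keeps the port columns populated.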

What is the default timestamp format?

The default Timestamp format is Microseconds. This setting can be changed by clicking on one of the columns in the Packets view and selecting the Format tab or by right-clicking a packet in the Packets View and selecting Packet List Options.

How do I use port numbers instead of port names?

Right click the column header and select the fields you would like to see. Then right click again and choose Packet List Options > Format tab and deselect "Show port names". You should now see port numbers instead of names.

Also good to know: the source and destination port numbers are always displayed in the 'Summary' field (Src=###,Dst=##) in addition to other packet information.

How accurate are the Delta and Relative times in the Packet view?

Non-GAC Ethernet adapters use software timestamps, and the accuracy depends on the OS. On Windows XP and other NT-based systems, packet timestamps have an approximate accuracy of 0.1 milliseconds. The WildPackets Gigabit Analyzer Cards provide hardware timestamps with an approximate accuracy of 10 nanoseconds.

Copyright © 2008 WildPackets, Inc
All registered and unregistered trademarks are the sole property of their respective owners