Please note that EtherPeek for Mac OS X is no longer sold.

All Versions
EtherPeek for Mac is not supported on systems running the new Intel Dual Core processors, and there are no current plans to ensure support for these systems, as our current development focus is on the OmniPeek Product Family.
Unfortunately, the introduction of new Macintosh hardware and upgraded Mac operating systems has forced us to remove our EtherPeek for Mac product from circulation.
Yes. Support for Panther was added to version 4.2.1 of EtherPeek for Macintosh.
You should download the WildPackets MSBlast filter. To install the filter, first run EtherPeek and go to 'View' --> 'Filters'. Click on the 'Import' button and then browse to the msblastv1.sit filter file. This will load it into your filters. Download the MSBlast Filter now. Although thoroughly tested, these filters are not supported by WildPackets.

You should download the WildPackets Sapphire filter. To install the filter, first run EtherPeek and go to 'View' --> 'Filters'. Click on the 'Import' button and then browse to the sapphire.flt filter file. This will load it into your filters. Download the Sapphire Filter now. Note: this downloadable filter will not work with EtherPeek for Windows or EtherPeek NX. However, please check the EtherPeek NX FAQs.

Global Statistics accumulate continuously while the program is running. Eight statistics are available under the Statistics menu. When Collect Global Statistics is enabled, EtherPeek records information about all traffic on the segment. The buffer for Global Statistics is not affected by filters, packet slicing or any other capture setting; it is simply on or off. Capture statistics, by contrast, accumulate only after you open a Capture window and start the capture. Select one of the tabs at the bottom of a Capture window to see them. The buffers for individual Capture windows or Packet File windows are separate from the buffer for Global Statistics. Filters restrict which packets are accepted into the buffer of a Capture window, and packet slicing, by capturing only part of each packet, can limit the information available to EtherPeek.

Yes. The names displayed for different ports are determined from the port entries in the Name Table. If you go to View/Name Table and click on the Ports tab, you will see the names associated with the different port numbers. To toggle between port names and port numbers, click on the Packets tab, then go to View/Node Display Format and uncheck 'Name Table Entry'. This causes EtherPeek to display the numeric values for both port names and node names. To turn the port and node names back on, recheck 'Name Table Entry'. To always display port numbers, go to View/Name Table/Ports tab, press Ctrl+A to select all the port names, then press Delete. Source Port and Destination Port will then always show a number. (To get the port names back later, import the default name table by going to View/Name Table and pressing the Import button on the left-hand side; search for the file "default.nam".)
It appears that these auto-sensing dual-speed hubs automatically manage network traffic so that 100 Mbit traffic does not unnecessarily crowd the 10 Mbit segment and 10 Mbit traffic does not crowd the 100 Mbit segment. Because these hubs have switching features, they need some kind of management port for EtherPeek, or any analyzer, to see all traffic. Here is a hypothetical situation to clarify what is happening:

A packet comes in from the Internet to the DSL modem on port 3. The packet is addressed to the machine attached to port 2. Since ports 2 and 3 are both part of the 10 Mbit segment, the packet is never bridged to the 100 Mbit segment, so EtherPeek will not see it. For any dual-speed hub that functions this way, you will need a hub with a management port or port-mirroring capability in order for EtherPeek to see and analyze all traffic. For more information, please download "Applying EtherPeek to Switched Network Management."

Yes, it is possible to expand or collapse groups of nodes or protocols. Go to the appropriate tab and select the desired nodes or protocols (<CMD> + <A> for all). Once selected, hold the Command key while pressing the left-arrow key to collapse the selection or the right-arrow key to expand it.

Full support of VLAN packet tagging is a feature people have requested for EtherPeek, and our engineers hope to include it in a future release. While EtherPeek's capture window displays only the MAC addresses and packet size for VLAN-tagged packets, EtherPeek does decode individual VLAN packets; you have to open a packet to have it decoded. We do not currently provide protocol and network statistics, or the extra analysis information provided by the plug-in modules, for VLAN-encoded traffic. EtherPeek's Protocol tab gets its information from a series of fixed hex offsets. The 4-byte VLAN tag shifts every field after it, so the protocol type displays incorrectly and the pre-made filters that ship with the product will not match tagged frames. The packet decoder, however, decodes all fields, including the VLAN tag, correctly. Though you lose the simple protocol filters, you can still use EtherPeek's Advanced Filter features (in particular, hex pattern match) to build custom filters, with the offsets adjusted for the tag, for the protocols your network most commonly uses. Save them in the filter table and use them as you would the built-in filters.
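To make the offset problem concrete, here is an added example in Python (not WildPackets code and not an EtherPeek filter file): it parses two constructed frames, one plain and one 802.1Q-tagged, shows that a fixed-offset protocol check reads the tag's 0x8100 TPID where it expects the EtherType, and then applies the same hex-pattern match with the offset moved by the tag length. The frame bytes, the VLAN ID 100 and the function names are all inventions for the example.

```python
"""Added example, not WildPackets code: why a protocol check at a fixed hex
offset breaks on 802.1Q-tagged frames, and how a tag-aware match fixes it.
All frame bytes below are constructed by hand for illustration."""
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 0x06

# Constructed frames: 6-byte dst MAC, 6-byte src MAC, then either the EtherType
# (untagged) or a 4-byte tag (TPID 0x8100 + TCI) followed by the EtherType.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
# Minimal IPv4 header: version/IHL 0x45 ... TTL 0x40, protocol 0x06 (TCP) at byte 9.
IPV4_HEADER = bytes.fromhex("4500001400010000400600000a0000010a000002")
TCI = (3 << 13) | 100  # priority 3, VLAN ID 100 (constructed values)

UNTAGGED = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_HEADER
TAGGED = (DST_MAC + SRC_MAC + struct.pack("!HH", ETHERTYPE_VLAN, TCI)
          + struct.pack("!H", ETHERTYPE_IPV4) + IPV4_HEADER)


def naive_ethertype(frame):
    """What a fixed-offset decoder does: read the EtherType at offset 12.
    On a tagged frame this returns the TPID 0x8100, not the real protocol."""
    return struct.unpack_from("!H", frame, 12)[0]


def parse_ethernet(frame):
    """Tag-aware parse. Returns (ethertype, vlan_id or None, payload_offset)."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    vlan_id, payload_offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack_from("!H", frame, 14)[0]
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        payload_offset = 18  # everything after the header is shifted by 4 bytes
    return ethertype, vlan_id, payload_offset


def hex_pattern_match(frame, offset, pattern):
    """The primitive an advanced 'hex pattern' filter gives you: are the bytes
    at `offset` equal to `pattern`?"""
    return frame[offset:offset + len(pattern)] == pattern


def tcp_filter_fixed_offset(frame):
    """A built-in style 'TCP' filter: IPv4 EtherType at offset 12 and protocol
    byte 0x06 at offset 23 (14-byte Ethernet header + 9). Misses tagged frames."""
    return (hex_pattern_match(frame, 12, b"\x08\x00")
            and hex_pattern_match(frame, 23, bytes([IP_PROTO_TCP])))


def tcp_filter_vlan_aware(frame):
    """Same filter, with the offsets moved by the tag length when a tag is present."""
    ethertype, _, payload_offset = parse_ethernet(frame)
    return (ethertype == ETHERTYPE_IPV4
            and hex_pattern_match(frame, payload_offset + 9, bytes([IP_PROTO_TCP])))


if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        print(name, hex(naive_ethertype(frame)), parse_ethernet(frame),
              tcp_filter_fixed_offset(frame), tcp_filter_vlan_aware(frame))
```

The fixed-offset TCP filter stands in for the kind of built-in filter the text says stops working; the tag-aware variant is the adjustment you make by hand when writing a hex-pattern filter for a tagged segment. If the network card strips the tag before the analyzer sees the frame, both filters agree, but the VLAN ID is gone from the capture.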
Another factor you must consider is your network interface card. Some cards pass the VLAN tags up to EtherPeek; others strip them before the analyzer sees the frame. We have received a number of reports that certain Intel cards do not pass the tags, while some Apple built-in adapters and NetGear adapters do. Please check with your NIC manufacturer.

This is an excellent article written by Dr. Bill Hancock on EtherPeek and its uses in building or ensuring a secure network environment. Dr. Hancock is the Executive VP/CTO of Network-1 Software and Technology, Inc., a consulting firm and developer of firewall products. If you are addressing security issues, or just want to review how EtherPeek can assist in detecting security breaches on your own or a client's network, please review this article.

EtherPeek for Macintosh "sees" traffic on the segment to which the computer it is running on is attached. This means that all traffic sourced from or destined to any of the devices sharing the same wire as the EtherPeek machine can be seen and reported on. In a switched environment, EtherPeek sees only the traffic sourced from or destined to the switch port it is attached to. In many instances a switch will have a port called the management or protocol analysis port, which sees all traffic passed to any other port on the switch. In these instances EtherPeek should be connected to this port to see all of this traffic.

EtherPeek for Macintosh will capture all packet data for all communicating devices on an Ethernet segment, regardless of protocol type. It then provides a simple graphical user interface that includes an overall network traffic statistics window as well as node and protocol statistics windows that reveal, through bar graphs, the levels of traffic being contributed by individual devices and/or protocols. By working through these statistical windows, you can get progressively finer levels of information about your network traffic.

Say, for instance, your network is manifesting a significant slowdown. EtherPeek will capture all traffic and show you, through its network statistics window, whether the traffic level, or total bandwidth utilization, is inordinately high. If it is, you can go to the next level of detail, the node statistics windows, and determine from the bar graph which devices are using significant amounts of bandwidth. Statistics windows can be sorted by packets sent or received, so the top bandwidth abusers can be identified quickly. Once identified, just double-click on the abuser's name or address to find out who its communication partners are. From there, EtherPeek provides a simple "Make Filter" command that lets you put a filter on the two communicators to discover, from the traffic they are exchanging, why they are using so much bandwidth and preventing other devices from using the network. Or you might find that, rather than a communication pairing, a specific protocol is blasting your network. The protocol statistics window gives you a list of all devices generating that protocol type and at what levels, so you can easily identify the offender. These are just a few practical examples of how the program is used to diagnose network problems. A user can go into individual packet contents, if needed, to determine a routing problem, a faulty application issue and more.

Yes. EtherPeek provides easily readable statistics screens that show levels of traffic by individual node. Secondary screens then reveal who the communication partners are for that node, which protocols are being exchanged between the partners, the largest, smallest and average packet sizes, and any errors associated with their communication.
EtherPeek also has a Name Table that provides name-for-address translation, so that you can translate logical or physical source and destination addresses into vendor identifiers or familiar device names.

No. EtherPeek for Macintosh 4.x will run alongside your network services.

Duplicate IP address entries in the EtherPeek log are usually caused by multiple routers. Routers forward traffic from other networks at OSI Layer 3: the logical (IP) source address is forwarded as received, but the physical (MAC) source address is replaced with that of the router. When there is more than one router, EtherPeek may therefore see multiple physical addresses associated with a single logical address and flag it as a duplicate. By telling EtherPeek the physical addresses of all of the routers on the network, you prevent it from being fooled by this. The best thing to do is to manually enter all of your routers in the Name Table as the router node type. (This may not be practical on a large network.) You should also be seeing Duplicate IP Address Notifications in your Global Log. If you wish to suppress these duplicate IP notifications, please do the following:
If the routers' physical addresses have been added to the Duplicate Address plug-in or the Name Table and you are still seeing duplicate addresses, a good starting point for analysis is DHCP or a badly configured IP address. Finally, a multi-homed machine may be the source of a false duplicate address.

Yes, it is possible to capture and read AOL Instant Messenger traffic. AIM uses TCP port 5190, so all you need to do is create a filter for that port. Here is a list of the port numbers of other bandwidth-intensive clients:

You can create a filter for any of these ports. Below is an example for AIM:

1) Create a new filter for port 5190 as either the source or the destination port, so that both directions of the conversation are caught.
2) Use the filter to catch AIM traffic.
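The two checks discussed above, a port filter and duplicate-IP detection that discounts known routers, are shown below in an added Python example run over a constructed trace of already-decoded packets. This is not WildPackets code and does not read EtherPeek capture files; the MAC and IP addresses, the router set and the `Packet` record type are all made up for the illustration.

```python
"""Added example, not WildPackets code: a port filter for AIM (TCP 5190) that
matches either direction, and duplicate-IP detection that ignores the MAC
addresses of known routers (what entering routers in the Name Table achieves).
The trace is constructed by hand for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A decoded packet: Ethernet addresses, IP addresses, transport protocol and ports."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


# Constructed trace. Two routers (R1, R2) forward traffic for the same remote
# host 192.168.1.10, so its IP appears with two source MACs although nothing is
# misconfigured. 10.0.0.7, by contrast, really is claimed by two local adapters.
ROUTER_MACS = frozenset({"00:00:0c:00:00:01", "00:00:0c:00:00:02"})  # R1, R2
TRACE = [
    Packet("00:11:22:00:00:05", "00:00:0c:00:00:01", "10.0.0.5", "205.188.1.1", "TCP", 49152, 5190),  # AIM client -> server
    Packet("00:00:0c:00:00:01", "00:11:22:00:00:05", "205.188.1.1", "10.0.0.5", "TCP", 5190, 49152),  # server -> client, via R1
    Packet("00:00:0c:00:00:01", "00:11:22:00:00:05", "192.168.1.10", "10.0.0.5", "TCP", 80, 49153),   # web server, via R1
    Packet("00:00:0c:00:00:02", "00:11:22:00:00:05", "192.168.1.10", "10.0.0.5", "TCP", 80, 49154),   # same server, via R2
    Packet("00:11:22:00:00:07", "ff:ff:ff:ff:ff:ff", "10.0.0.7", "10.0.0.255", "UDP", 137, 137),
    Packet("00:11:22:00:00:08", "ff:ff:ff:ff:ff:ff", "10.0.0.7", "10.0.0.255", "UDP", 137, 137),      # genuine duplicate
]


def port_filter(packets, port, direction="either", proto="TCP"):
    """Return the packets using `port`. `direction` is "source", "destination"
    or "either"; a source-only filter sees just one half of each session."""
    matched = []
    for p in packets:
        if p.proto != proto:
            continue
        if direction == "source" and p.sport == port:
            matched.append(p)
        elif direction == "destination" and p.dport == port:
            matched.append(p)
        elif direction == "either" and port in (p.sport, p.dport):
            matched.append(p)
    return matched


def find_duplicate_ips(packets, router_macs=frozenset()):
    """Map each source IP to the set of source MACs it was seen with, skipping
    frames sent by known routers, and report IPs seen from more than one MAC."""
    macs_for_ip = defaultdict(set)
    for p in packets:
        if p.src_mac in router_macs:
            continue  # a router rewrites the MAC but keeps the forwarded IP
        macs_for_ip[p.src_ip].add(p.src_mac)
    return {ip: sorted(macs) for ip, macs in macs_for_ip.items() if len(macs) > 1}


if __name__ == "__main__":
    print("AIM, source port only:", len(port_filter(TRACE, 5190, "source")))
    print("AIM, either direction:", len(port_filter(TRACE, 5190)))
    print("duplicates, routers unknown:", find_duplicate_ips(TRACE))
    print("duplicates, routers known:  ", find_duplicate_ips(TRACE, ROUTER_MACS))
```

Without the router list, 192.168.1.10 is reported as a duplicate purely because two routers forwarded its traffic; with the list, only 10.0.0.7 remains, which is the case worth investigating (a badly configured address, DHCP, a multi-homed host or, from a security standpoint, another host deliberately answering for that address).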
Yes, but you must set up an individual capture for every hour. There is no way to take sample captures at regular intervals at this time, though this is on the development list for the program. As a workaround, create an individual capture with a start trigger for a specific time and a stop trigger for one minute later, then create another capture with different start and stop triggers.

Yes, by using EtherPeek's ability to have multiple capture windows. First set up Capture 1 as a continuous capture with your filter as a Stop Trigger event; this gives you a snapshot of what was happening just before your trigger. Then set up Capture 2 as you normally would, with a Start Trigger when the filter event happens; this captures what happened after the event. Click Start Capture (with the Stop Trigger active) on Capture 1 and click the Start Trigger button on Capture 2. The packet that triggers the event will be the last packet in Capture 1 and the first packet in Capture 2. In a similar way you can capture what happens after a Stop Trigger event. Set up your Capture 1 Stop Trigger normally. Set up a second capture with buffer options to stop when the buffer is full (do not check Continuous) and set the buffer size based on how much additional traffic you want to see. Give this second capture a Start Trigger on the same filter event as your Capture 1 Stop Trigger; it will run until its buffer is full.

Open the captured trace file. Go to the Edit menu and use the "Select" feature to find the post-capture filtering options.

EtherPeek for Macintosh v4.02 Only

On a Macintosh, you cannot see the traffic generated by your own machine with EtherPeek. This is because the packets you generate are not looped back to the capture driver when the interface is in promiscuous mode. If you want to see all the packets from one machine, you will need to run EtherPeek on another machine on the same segment and filter for the traffic to/from the machine of interest.
This limitation applies only to EtherPeek for Mac. Windows machines loop back their own generated traffic in promiscuous mode, so EtherPeek for Windows can see the traffic generated by its own computer. A workaround on the Mac platform is to add a supported PCI card for desktop machines or a PCMCIA card for PowerBooks (this is not an option on the iBook). See Interfaces for EtherPeek 4.02 for Macintosh for supported cards. With a second Ethernet interface, you would run your AppleTalk and IP protocols over one interface and EtherPeek over the other. (Both connections need to be on the same segment.) Another workaround is to use something like the Farallon EtherWave to create an inline tap to a separate EtherPeek machine without having to connect that machine to a hub. There are some reported problems of various network services being degraded or stopped during or after EtherPeek execution, only on the following machines and only when running Mac OS 9.x:
We have found that for these machines, replacing v2.3/2.42 of the Ethernet extension named "Apple ENet" with v2.1.2, which comes with Mac OS 8.6, prevents these problems. To revert to v2.1.2 of Apple ENet, do the following:
We have reported this problem to Apple, but have heard nothing back from them. The iBook 300 (the first iBook, also known as P1) appears to have a problem running EtherPeek while accessing, or being accessed by, Timbuktu. All other iBooks have worked well with Timbuktu and EtherPeek in our testing.
COPYRIGHT © 2008 WILDPACKETS, INC