OmniPeek Enterprise Tech Tips

Why has Compass stopped generating/saving statistics information?

There must be at least 500MB of free disk space, or Compass will stop generating and saving statistics information until enough disk space is freed.

How do I configure the VLAN-MPLS Node filter?
  1. Create an Advanced Filter with a VLAN-MPLS node.
  2. Enable the VLAN IDs checkbox and enter one or more VLAN IDs.
    Note: You can enter a single value or an ID range (for example, 200-210). Values and ranges may be separated by spaces, commas, and semicolons.
  3. Enable the MPLS Labels checkbox and enter one or more MPLS Labels.
    Note: You can enter a single value or an MPLS label range (for example, 100-110). Values and ranges may be separated by spaces, commas, and semicolons.
  4. Create a new Capture and enable the VLAN-MPLS Filter.
  5. Start the capture.
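The VLAN ID / MPLS label list syntax from the notes above, and the match it produces on raw frames, as an added example (not OmniPeek code). It assumes that when both checkboxes are enabled a frame must satisfy both criteria, which the steps do not state; the sample frames are constructed, not captured.

```python
# Added example (not OmniPeek code): the VLAN-MPLS node filter semantics from
# the steps above, applied to raw Ethernet frames. Assumes both enabled
# criteria must match (AND), which the steps above do not state.
import struct

ETH_8021Q, ETH_8021AD = 0x8100, 0x88A8        # 802.1Q tag, 802.1ad (QinQ) outer tag
ETH_MPLS = (0x8847, 0x8848)                   # MPLS unicast / multicast


def parse_id_spec(spec, lo, hi):
    """Parse 'values and ranges separated by spaces, commas and semicolons'
    (e.g. '200-210, 300;305') into a set of ints; reject IDs outside lo..hi."""
    ids = set()
    for tok in spec.replace(",", " ").replace(";", " ").split():
        a, b = (int(x) for x in tok.split("-", 1)) if "-" in tok else (int(tok),) * 2
        if not lo <= a <= b <= hi:
            raise ValueError(f"{tok!r} is outside {lo}-{hi}")
        ids.update(range(a, b + 1))
    return ids


def extract_vlan_mpls(frame):
    """Return (vlan_ids, mpls_labels) carried by one Ethernet frame."""
    vlans, labels, off = [], [], 12
    etype = struct.unpack_from("!H", frame, off)[0]
    while etype in (ETH_8021Q, ETH_8021AD):          # walk stacked VLAN tags
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)                   # 12-bit VLAN ID
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    off += 2                                         # skip the final EtherType
    if etype in ETH_MPLS:
        while True:                                  # label(20) TC(3) S(1) TTL(8)
            entry = struct.unpack_from("!I", frame, off)[0]
            labels.append(entry >> 12)
            off += 4
            if entry & 0x100:                        # bottom-of-stack bit
                break
    return vlans, labels


def matches(frame, vlan_spec=None, mpls_spec=None):
    """True if the frame passes the filter (each enabled criterion must match)."""
    vlans, labels = extract_vlan_mpls(frame)
    if vlan_spec is not None and not parse_id_spec(vlan_spec, 1, 4094) & set(vlans):
        return False
    if mpls_spec is not None and not parse_id_spec(mpls_spec, 0, (1 << 20) - 1) & set(labels):
        return False
    return True


def build_frame(vlan_id=None, mpls_label=None):
    """Constructed test frame (not captured data): optional 802.1Q tag, optional
    single MPLS label, otherwise a plain IPv4 EtherType."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        frame += struct.pack("!HH", ETH_8021Q, vlan_id)
    if mpls_label is not None:
        frame += struct.pack("!HI", ETH_MPLS[0], (mpls_label << 12) | 0x100 | 64)
    else:
        frame += struct.pack("!H", 0x0800)
    return frame + bytes(20)
```

Running `extract_vlan_mpls` over frames from a live adapter is also a quick way to tell whether tags survive the NIC driver at all.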

I get a message on my Compass screen that says “Flash not installed”. I am using Windows Server 2012; what is the problem?

Flash is typically not installed automatically on Windows Server 2012, so it must be added manually through Server Manager. Follow these steps:
  1. Open up the Control Panel
  2. Notice that the Flash Player is not listed as being installed
  3. Open up the Server Manager
  4. Select "Local Server" from the left pane
  5. Scroll down to "Roles and Features" in the right pane
  6. Select "Features" from the left pane
  7. Click the "Tasks" drop down next to "Roles and Features" and select "Add roles and features"
  8. Inside the tree-list box in the right pane, expand "User Interfaces and Infrastructure"
  9. You should see that "Desktop Experience" is not checked
  10. Check "Desktop Experience" to install Flash (and other things as well)
  11. Continue through the "Add roles and features" section and click "Install"
  12. After the reboot, open the control panel and you will see that Flash is now listed as being installed
  13. Flash will now be installed for Compass in OmniPeek

How do you configure Cisco and Aruba controllers and APs to capture 802.11ac packets?

The link below will give you tips on how to accomplish this task:

https://mypeek.wildpackets.com/plugin_tips.php

OmniPeek can read pcap and pcapng files with PPI (Per Packet Information) headers, but why can't I see the headers in the decode view?

The PPI headers themselves are not visible from within OmniPeek. Rather, the headers will be parsed and the relevant information (channel, band, signal, etc.) is visible in OmniPeek just as it would be when loading any other file.

I am attempting to save my capture to disk files as pcap or pcapng, and they are still saving in *.pkt format. What is the problem?

The pcap or pcapng file format for capture to disk needs to have a period in front of the file extension, for example: "C:\Users\Username\Documents\Capture 1-.pcap".

When I merge packet files I can only save them in the (*.pkt, *.wpz) formats. Once the file is saved, can I change it to another format?

Yes, once the merged file is opened in OmniPeek, you can change the file to a number of different formats by going to the File->Save All Packets selection.

I want to view the packets that are associated with a Log entry. How do I accomplish this?

In the Log view, right-click a Log entry, choose “Select Related Packets”, and copy the selected packets to a new window.

How come the "Create RPCap Interfaces" button is grayed out?

The button is available only if the WinPcap driver and libraries are installed on your computer. You can install the driver and libraries by going to www.WinPcap.org.

Why can’t I see the new Spatial Streams and MCS columns in the Packets list view?

There are a couple of possible reasons:
  1. The Spatial Streams and MCS columns do not appear by default. Right-click the column header bar and enable them.
  2. If you are using a WildPackets OmniWiFi adapter, the current Ralink 3.2.4.5 driver does not support MCS or Spatial Stream values. We are currently working closely with Ralink on a new driver that will support these features. However, WildPackets OmniPeek can display these values from a capture file that already contains them.

After I added multiple IP addresses to my Address Filter, I get the error “Address Format Invalid”. What does this error mean?

The error means that the wrong type was selected in the Address Filter configuration, or that one or more addresses were typed incorrectly. All addresses must be correctly formatted for the type selected from the "Type" dropdown.

How do I create a new Multi-Segment Analysis (MSA) project for packet files in OmniPeek?
  1. From the File menu, choose "New Multi-Segment Analysis Project".
  2. Then select “Use packets files”.
  3. Insert the files and click Next.
  4. Then click Finish.

How do I copy and paste filter content to another filter?
  1. Select an Advanced Filter to edit.
  2. Right-click the node and select Copy or Copy Tree.
  3. Go to the filter you want to add it to, right-click, and select Paste And or Paste Or.

How do I access the CDR (Call Detail Records)?

In the Capture Options Statistics Output, enable "Save statistics report". Then, under "Report type", select the Call Detail Records option.

What is the difference between Peek Split and the Compass Plug-In for opening large files in OmniPeek?

Peek Split (in the pull-down menu) takes a large .pkt file and splits it into smaller .pkt files; for example, it is useful for splitting a 1GB file into four files. With Compass you can open many large files into one database file and view an interactive dashboard for forensics of large quantities of wired and wireless network traffic. Compass employs an intuitive interactive graph, allowing you to visualize and interact with utilization statistics from large quantities of network data before actually loading a specific time range of packets.

What is the best way to analyze large amounts of network data contained in multiple files?

WildPackets Compass for the OmniPeek Console is an interactive dashboard for post-capture forensics on large quantities of wired and wireless network traffic. Compass employs an intuitive interactive graph, allowing you to visualize and interact with utilization statistics from large quantities of network data, before actually loading a specific time range of packets.

Can I search a trace file based on Time, Date, Address or Port?

Yes, this is possible with the integrated Compass plug-in.

WildPackets Compass for the OmniPeek Console is an interactive dashboard for forensics of large quantities of wired and wireless network traffic. Compass employs an interactive graph, allowing you to visualize and interact with utilization statistics from large quantities of network data before actually loading a specific time range of packets. It is now integrated with OmniPeek and no longer needs to be added as a plug-in.

When I try to open a *.pkt file, I receive a "Not Enough Storage Space" error.

This error means that there is not enough memory or other resources available to load the file.

A solution would be our integrated Compass plug-in.

This plug-in creates real-time captures and monitoring, aggregates multiple files in a single dashboard view, provides integrated drill-down to packets, and provides key network statistics in real time as well as post capture.

In Compass, the zoom in button is disabled or not visible, so how do I zoom into a selection of time in the network utilization graph?

The zoom in/out feature is not available for real time captures. In non-real-time capture situations, the zoom in button will become available (enabled) when a small enough range of time is selected in the network utilization graph. To determine how small the time range needs to be, hovering your mouse over the zoom in button will display a tooltip with this information.

I have entered the correct key or passphrase, but the encrypted packets are not being decrypted. Can you please tell me what's wrong?

OmniPeek *must* capture the complete (EAPOL) key exchange to successfully decrypt WPA/WPA2 encrypted traffic.
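One way to check a capture for the complete four-way handshake before blaming the key, as an added example (not OmniPeek code). It classifies EAPOL-Key frames by their Key Information bits as defined in IEEE 802.11 and assumes the caller already has the EAPOL payload and the station/AP MAC addresses of each frame; the sample frames are constructed, not captured.

```python
# Added example (not OmniPeek code): confirm a capture holds the complete
# EAPOL four-way handshake for a client before expecting WPA/WPA2 decryption.
# Key Information bit positions follow IEEE 802.11 (EAPOL-Key descriptor).
import struct

EAPOL_KEY = 3            # EAPOL packet type "Key"
KI_PAIRWISE = 0x0008     # Key Type: 1 = pairwise (PTK), 0 = group (GTK)
KI_INSTALL = 0x0040
KI_ACK = 0x0080
KI_MIC = 0x0100
KI_SECURE = 0x0200


def eapol_key_info(eapol):
    """Key Information field of an EAPOL-Key frame, or None for other EAPOL types."""
    if len(eapol) < 7 or eapol[1] != EAPOL_KEY:
        return None
    # EAPOL header: version(1) type(1) body_len(2); descriptor: type(1) key_info(2)
    return struct.unpack_from("!H", eapol, 5)[0]


def classify_message(key_info):
    """Map a pairwise EAPOL-Key frame to handshake message 1..4, else None."""
    if not key_info & KI_PAIRWISE:
        return None                          # group-key handshake, not the 4-way
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    if ack and not mic:
        return 1                             # AP -> STA: ANonce
    if ack and mic and key_info & KI_INSTALL:
        return 3                             # AP -> STA: install PTK, deliver GTK
    if mic and not ack:
        return 4 if key_info & KI_SECURE else 2   # STA -> AP: SNonce (2) / confirm (4)
    return None


def handshake_messages(packets):
    """packets: iterable of (station_mac, ap_mac, eapol_bytes).
    Returns {(station, ap): sorted list of message numbers seen}."""
    seen = {}
    for sta, ap, eapol in packets:
        info = eapol_key_info(eapol)
        msg = classify_message(info) if info is not None else None
        if msg:
            seen.setdefault((sta, ap), set()).add(msg)
    return {pair: sorted(msgs) for pair, msgs in seen.items()}


def decryptable(packets, sta, ap):
    """True only when all four messages for this client are in the capture."""
    return handshake_messages(packets).get((sta, ap)) == [1, 2, 3, 4]


def make_eapol_key(key_info):
    """Constructed minimal EAPOL-Key frame carrying only the fields read above
    (RSN descriptor type 2, remaining 92 descriptor bytes zeroed)."""
    body = struct.pack("!BH", 2, key_info) + bytes(92)
    return struct.pack("!BBH", 2, EAPOL_KEY, len(body)) + body


# Constructed sample: a full handshake for one client (descriptor version bits = 2).
STA, AP = "aa:bb:cc:00:00:01", "00:11:22:33:44:55"
SAMPLE = [
    (STA, AP, make_eapol_key(0x008A)),   # M1: pairwise | ack
    (STA, AP, make_eapol_key(0x010A)),   # M2: pairwise | mic
    (STA, AP, make_eapol_key(0x13CA)),   # M3: pairwise | install | ack | mic | secure | enc
    (STA, AP, make_eapol_key(0x030A)),   # M4: pairwise | mic | secure
]
```

Dropping any one message (a common result of starting the capture after the client had already associated) makes `decryptable` return False, which is exactly the situation the answer above describes.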

How do I create a filter to span multiple ports?

You can create an Advanced or Simple filter to span individual ports. Ports can be entered and separated by commas and/or semicolons.

Here is how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (Green).
  3. Select Simple or Advanced for Filter Type.
  4. Select Port Filter and add the port numbers. Use commas and semicolons to separate the port numbers.

How do I capture VLAN packets?

First, be sure the analyzer is placed where the tagged frames exist; this is generally on a switch trunk (a link that connects switch to switch).

Second, verify that your switch is not stripping the VLAN tags; you may need to contact your switch manufacturer.

Lastly, the network interface card may strip 802.1q tags at the adapter/driver level. By default, Intel adapters strip the VLAN tag before passing it up the stack. Some Broadcom adapters also exhibit this behavior. Possible fixes for Intel and Broadcom adapters can be found below, for other adapters please contact your NIC manufacturer.

Unsupported Fix for Broadcom Adapters:

** Please backup your registry before making these modifications **

Please look for the following registry key and follow the steps listed below. This fix is not supported by WildPackets.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

  1. You need to find the right instance of the driver in the registry.
  2. Run Regedit.
  3. Search for "TxCoalescingTicks" and ensure this is the only instance that you have.
  4. Right-click on the instance number (e.g. 0008) and add a new string value.
  5. Enter "PreserveVlanInfoInRxPacket" and give it value "1".

Unsupported Fix for Intel Adapters:

http://www.intel.com/support/network/sb/cs-005897.htm

Another solution is to purchase a tap. TAPs are passive and independent of the network. Please call (925) 937-3200 or write to sales@wildpackets.com to find out more about TAPs.

Where can I find a definition for the expert messages?

Right-click on any Expert event and choose EventFinder Settings. Click the Show Info button for a description of the event and possible causes and remedies.

Is there a way to only capture the header of a packet?

Yes, here's how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (Green).
  3. Select Simple or Advanced for Filter Type.
  4. Select Protocol Filter.
  5. Select the Protocol and check Slice to Header.

Can I compare two different captures?

Yes, open the captures you would like to compare.

  1. Choose the Expert Flat view.
  2. Right-click on one of the flows and choose Visual Expert.
  3. Click the Compare tab.
  4. Click the drop-down arrow to select the captures.

How can I start multiple captures simultaneously?
  1. Click the Window menu and arrange the captures.
  2. To start: press Ctrl+Alt+Y
  3. To stop: press Ctrl+Alt+Y

Can a NIC connected to a SPAN/Mirror port also be used for network services?

No, you will need an additional adapter to use for network services or use a multi-port adapter like the Intel dual or quad port adapters. These cards could connect via one port and capture on the additional, available ports.

How do I change port numbers for an existing protocol?

For example, maybe you want all traffic on port 80 and port 8000 to show up under HTTP in the Packet view, Protocol statistics, etc. In that case, you will need to modify the following file with a Text Editor:

C:\Program Files\WildPackets\OmniPeek\1033\pspecs.xml

You can search for your protocol's PSpec Name (for example, HTTP) and, when you find the protocol, modify the existing port number(s).

For more information on ProtoSpecs, please log into MyPeek and under the Resources section go to Developer Documentation and take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.wildpackets.com/

How do I add port numbers for an existing protocol?

The tag will define a port number. The example is using port number 1234. You can add additional ports by adding additional tags. See example below.

1234
1235
1236

For more information on ProtoSpecs, please log into MyPeek and under the Resources section go to Developer Documentation and take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.wildpackets.com/

How do I add a custom protocol to OmniPeek?
  1. Exit OmniPeek.
  2. First, make a backup copy of the pspecs.xml file. OmniPeek will not load if the pspecs.xml file is missing or corrupted.
    Note: By default the pspecs.xml file is located in "C:\Program Files\WildPackets\OmniPeek\1033" for the English-localized version. For other languages, the final subdirectory ("1033") will be equal to the language code for OmniPeek's localized language.
  3. Open the pspecs.xml file in your favorite text or XML editor.
    Note: Please make sure you add the protocols in the right section (TCP/UDP) and that the higher port numbers go further down in the file.
  4. Create a new entry (see example below).

    1483
    MyProtocol - Long Name
    MyProtocol - Short Name
    This is my protocol.
    color_2
    1234

Quick Notes:

The PSpecID is a numerical identifier for the protocol. It must be unique; that is, no two protocols are allowed to have the same PSpecID. You must choose a PSpecID that is not used anywhere else in the file.

The tag will define a port number. The example is using port number 1234. You can add additional ports by adding additional tags. See example below.

1234
1235
1236

The PSpec Name will be displayed in the Protocol column of the Packets tab.

The LName will be displayed in the Protocol Info dialog box (accessed by right-clicking the protocol and choosing Protocol Info).

The SName will be displayed in the Protocol statistics.

The Desc will be displayed in the Protocol Info box (Desc is optional. You can delete it if you don't want to write a description for your protocol).

Color will be the color used for the protocol. Colors are defined at the beginning of the document. Color is optional. You can delete it and OmniPeek will choose a color for the protocol.

CondSwitch tells OmniPeek how to recognize the protocol. For now, all you have to do is edit the "SrcPort ==" and "DestPort ==" entries to contain the port number that your protocol uses. These two entries should be the same.

For more information on ProtoSpecs, please log into MyPeek and under the Resources section go to Developer Documentation and take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.wildpackets.com/
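The two safety rules in the steps above (back up pspecs.xml first, since OmniPeek will not load a corrupted file; keep every PSpecID unique) as a small pre-edit check, added here and not part of WildPackets' tooling. Only the PSpecID element name is taken from the tip; the enclosing element names in the constructed sample are assumed, and the code does not depend on them.

```python
# Added example (not WildPackets code): before editing pspecs.xml by hand, back
# it up, make sure it still parses, and check PSpecID uniqueness. Only the
# <PSpecID> element name comes from the tip; the enclosing element names in
# the sample below are assumed, and the code does not depend on them.
import shutil
import time
import xml.etree.ElementTree as ET
from collections import Counter


def backup_and_load(path):
    """Copy pspecs.xml to a timestamped .bak beside it, then parse the original."""
    backup = f"{path}.{time.strftime('%Y%m%d-%H%M%S')}.bak"
    shutil.copy2(path, backup)
    return ET.parse(path).getroot(), backup


def validate(xml_text):
    """Parse a pspecs-style document; raises ET.ParseError if it is corrupt
    (OmniPeek will not load a corrupted pspecs.xml)."""
    return ET.fromstring(xml_text)


def pspec_ids(root):
    """All PSpecID values in document order, wherever they are nested."""
    return [int(e.text.strip()) for e in root.iter("PSpecID") if e.text and e.text.strip()]


def duplicate_ids(root):
    """PSpecIDs used more than once (the tip requires each to be unique)."""
    return sorted(i for i, n in Counter(pspec_ids(root)).items() if n > 1)


def next_free_id(root, start=1):
    """Smallest PSpecID >= start not already used anywhere in the file."""
    used = set(pspec_ids(root))
    candidate = start
    while candidate in used:
        candidate += 1
    return candidate


# Constructed sample shaped like the tip's custom-protocol entry (element
# names other than PSpecID are assumed, and the third entry clashes on purpose).
SAMPLE = """<ProtoSpecs>
  <PSpec Name="HTTP"><PSpecID>1480</PSpecID><SName>HTTP</SName></PSpec>
  <PSpec Name="MyProtocol"><PSpecID>1483</PSpecID><SName>MyProtocol - Short Name</SName></PSpec>
  <PSpec Name="Clash"><PSpecID>1483</PSpecID><SName>Clash</SName></PSpec>
</ProtoSpecs>"""
```

Run `duplicate_ids` on the real file after saving your edit; an empty list means the uniqueness rule above still holds.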

How can OmniPeek Enterprise help me baseline my network?

The summary statistics feature allows you to monitor key network statistics in real time and save these statistics for later comparison. Use this feature to baseline normal network activity, save the data, then compare saved statistics with those observed during periods of erratic network behavior to help pinpoint the cause of the problem.

Summary statistics are also extremely valuable in comparing the performance of two different network segments. For example, a field support engineer could compare the real-time statistics on a client network with a saved healthy router snapshot and easily diagnose or eliminate the source of inconsistent or poor router performance.

To baseline with summary statistics:

Choose Monitor > Summary. The Summary Statistics window appears.

What are some of the keyboard shortcuts?

What is the difference between OmniPeek Enterprise and OmniPeek Enterprise Connect?

Can you explain the Peer Map view?

Communication between nodes is indicated with line segments. The line between nodes can be color-coded to show which protocol is used. The thickness of the line indicates the volume of traffic between the nodes.

How can I import my company's network diagram into Peer Map?

Click the Peer Map view and click Open. The supported file types are *.BMP, *.JPEG, *.GIF, *.EMF, *.WMF, *.TIFF, *.PNG, *.ICO.

Why does some activity in the Peer Map contain spaces?

The space shows you where protocol segments start and stop within conversations.

Can you explain the Profiles, Configuration and Node Visibilities tabs in the Peer Map view?

The Profile tab lets you save Peer Map configuration settings into a single profile that controls the appearance and layout of the Peer Map.

The Configuration tab lets you control what part of the traffic in the Capture window's buffer is displayed in Peer Map.

The Node Visibilities tab displays node counts, and nodes that are both shown and hidden in the Peer Map. For example, if this option is set to Always Hide, then all nodes that have not had their visibility assigned by the user will be hidden. This is useful if, during a live capture, the user doesn't want new nodes to appear on the Peer Map as they are discovered.

It appears that my router is being misidentified. Why?

Because routers forward traffic from other networks at OSI Layer 3, the logical address (IP) is forwarded unchanged but the physical address (MAC) is changed to that of the router doing the forwarding. In this case, Peek might misidentify your router when it tries to resolve the name using the Resolve Name/Passive Name resolution option (Tools->Name Resolution). To properly identify routers, we recommend that you add your routers to the Name Table.

Can I use the Peek analyzer to assist with firewall rules?

The following steps will give you some indication of which ports are open:

  1. Packet slice at 70 Bytes (gives you TCP/UDP headers)
  2. Go to the Expert and select Flat
  3. Enable "Port Numbers" optional Column
  4. Disable Resolve Port Names (right click)
  5. Click and sort Port Numbers

What is the default timestamp format?

The default Timestamp format is Microseconds. This setting can be changed by clicking on one of the columns in the Packets view and selecting the Format tab or by right-clicking a packet in the Packets View and selecting Packet List Options.

How do I use port numbers instead of port names?

Right-click the column header and select the fields you would like to see. Then right-click again, choose Packet List Options > Format tab, and deselect "Show port names". You should now see port numbers instead of names.

Also good to know: the source and destination port numbers are always displayed in the 'Summary' field (Src=###,Dst=##) in addition to other packet information.

Can I use both an OmniEngine and an OmniPeek console at the same time on the same machine?

The only console that was designed to work simultaneously with an engine is OmniPeek Connect. OmniPeek Connect provides the ability to locally configure and view the engine's analysis as the engine is capturing packets and performing analysis.

How secure is OmniPeek?

Network analysis tools are powerful and must be protected from misuse. Data captured and sent across the network may be sensitive, so OmniPeek has been designed from the ground up to adhere to strict IT security requirements. By default, all traffic between the engine and console is compressed and encrypted, and in addition to Windows® Security being used for access control to the OmniEngine and application features, TACACS and RADIUS authentication are also supported.
