Capturing Traffic
As you already know, Sniffer Pro is a great tool to help you capture traffic. Network problems are not a rare thing for a network administrator to experience. Unfortunately, broadcast storms, slow responses, or network attacks happen quite frequently. You have to choose the best way to identify each problem, analyze it, and sort it out. Using Sniffer Pro to capture traffic is one of the fastest ways to obtain a complete picture of what is happening on your network, analyze captured information, and resolve the issue. It is also possible to capture traffic and to experiment with it, to analyze in a test environment the ways your network would react to specific groups of data.
When you use Sniffer Pro, all captured traffic goes straight to the capture buffer. Captured data can be saved on a hard drive to be used for future reference and review.
You can also send the captures to your colleagues to share some ideas, or you can open captures made by somebody else for you. In some cases, you might also want to use captured data for baselining purposes. Besides the ability to capture all the data that is flowing on your network, Sniffer Pro has broad filtering capabilities that greatly facilitate troubleshooting on highly loaded networks. You can perform filtering by station addresses, data pattern, or different protocols. You will learn more about filtering in Chapter 8.
How to Capture Traffic
When you capture traffic, it is important for you to make up your mind whether you want to capture all the packets Sniffer Pro can see and select interesting ones using display filters, or whether you want to define a capture filter beforehand and capture only the packets that are related to the problem you are exploring. Both methods have their advantages and disadvantages.
In the first case, when you capture all the traffic, you have more flexibility afterward because you have a full snapshot of your network’s traffic. There is one drawback here: Thousands of packets per second can flow through your network, carrying many megabytes of data. Regardless of how big your hard drive, you probably do not want to store gigabytes of almost useless information on it. This does not mean capturing all the data is a completely ineffective choice. Capturing all the data on the network without a filter applied allows you to see all the traffic passed over the transmission media, thus giving you a very clear picture of exactly what is there. It allows you to “feel” the customer’s network and, in some cases, even resolve the problem that the customer is complaining about, without using sophisticated filtering and troubleshooting techniques.
You can always apply a filter to a capture buffer after you’ve stopped the capture process to filter out data that is relevant to the problem you are working on. You can even apply another filter to the data to which you have already applied a filter, to get more granular information. We discuss how to do this later in this chapter.
After you have taken a snapshot of your customer’s network, you might want to get a more precise picture and start capturing only the data related to the problem you are troubleshooting. In this case, you can then define a specific capture filter so that you can find particular things you are looking for, making the capture considerably shorter. This also means that you won’t have to worry about your PC resources. Keep in mind the main disadvantage of this process: You might miss something very important if you define an incorrect filter.
Taking Captures from the Menu and the Toolbar
There are a few different ways of taking captures:
By choosing Capture | Start from the main menu
By pressing the F10 key
By pressing the Start button on the main toolbar (it looks like the Play button on your VCR)
You must understand how to use a number of other buttons on the main toolbar and Capture menu as well (see Figure 6.1). The first four buttons along the top are the familiar buttons to open, save, print, and stop printing. The functions of the next eight buttons are described in Table 6.1.
Figure 6.1 The Main Menu and the Toolbar
Table 6.1 The Main Toolbar and Capture Menu Buttons
Start capture By pressing this icon, you can start the capturing process. You can also start the capturing process by pressing the F10 key.
Pause capture By pressing this icon, you can stop the capturing process at any time and resume it later.
Stop capture Terminates the capturing process. You can stop the process to view the information or save it to a file. You can also stop capturing by pressing the F10 key.
Stop and Display Stops capturing and displays the frames captured. You can do the same thing by pressing the F9 key.
Display Displays a stopped capture. You can get the same result by pressing the F5 key.
Define filter Defines the filter used to capture the frames. Although Chapter 8 is dedicated to the detailed discussion of filters, we define a few simple filters in this chapter.
Select filter Chooses a filter from the list of filters you have defined.
Capture Panel Brings up the Capture Panel, which we discuss in greater detail later in this chapter.
Address Book Lets you assign recognized names to your network nodes.
Pulling Up the Capture Panel
The Capture Panel is at the center of your capturing process. It gives you all the information about the capturing process, such as how many packets have been captured, how much space is left in your buffer, and much, much more.
To pull up the Capture Panel, you can either go to the Capture menu and select Capture Panel or click the Capture Panel button in the main toolbar. The Capture Panel is very important because it is used to view the status of the capture process. At the bottom of the panel are two tabs: Gauge (see Figure 6.2) and Detail (see Figure 6.3). On the Gauge tab, you can see two gauges that show the following:
The number of packets captured
How full the buffer is
Figure 6.2 The Capture Panel’s Gauge Tab
Figure 6.3 The Capture Panel’s Detail Tab
Note that when the buffer is 100-percent full, the packets can be dropped or the capturing process can cease, depending on the settings, which we discuss a little later in the chapter. The Detail tab shows you additional details:
# Seen The number of frames Sniffer Pro sees.
# Dropped The number of frames dropped due to the lack of performance of the computer on which you are running Sniffer Pro. Packets are often dropped during periods of high network activity.
# Accepted Shows the number of frames that were put into the capturing buffer.
# Rejected Indicates how many frames did not satisfy the filtering rules you have defined. Frames can also be rejected if your buffer is 100-percent full.
Buffer size The size of the capturing buffer you have defined. We discuss the process of buffer definition in the following section.
Buffer Action Indicates the status of the buffer. Wrap means that the buffer will wrap as soon as it becomes full. Wrapped means that the buffer has wrapped. Stop means that the capture process will stop as soon as the buffer becomes full. Stopped means that the capture has stopped because the buffer is full.
Saved file # Shows to which file the capturing is being saved.
Slice size Shows whether Sniffer Pro captures the whole frame or just a part of it.
Elapsed time Indicates how long ago Sniffer Pro was started.
File wrap Wrap indicates that the files have been overwritten as the number of saved files has been reached. We talk about this option in the following section.
Please pay attention to the fact that the Capture Panel we have just discussed is not the same as the Sniffer Pro Dashboard, although their gauge tabs look alike. To access the Capture Panel, select Capture | Capture Panel. To access the Dashboard, select Monitor | Dashboard.
As a Sniffer Pro expert, you should understand that the Capture Panel can be quite useful. You can use it to easily see how many packets have traversed your network since you have started capturing, how many frames were filtered out (rejected), and how many frames Sniffer Pro dropped because your computer did not have enough resources to capture them.
Saving and Using Captures
It is very important to know how to save the information you have captured, because you will definitely need to open these captures later for future analysis. As a network analyst, you can spend hours looking into the data that took you only a few minutes or even seconds to capture! Sometimes you might decide to send the capture to your colleagues to get a second opinion on a problem you are investigating.
Throughout Sniffer Pro’s evolution, a variety of captured files formats have been used. Some of them could support compression; others could not. In addition to the file formats used to save captures, Sniffer Pro uses some other file formats for additional information. Table 6.2 lists all these formats.
Table 6.2 Sniffer Pro File Extensions
.cap Uncompressed capture files
.caz Compressed capture files; Sniffer automatically compresses data if you select this format
.enc Original format for Ethernet traces
.trc Original format for Token Ring traces
.fdc Original format for FDDI traces
.etm Broadcast and functional addresses
.trm Broadcast and functional addresses
.hst Saved history samples
.csv Saved history samples
.btr Token Ring Sniffer Pro table of assigned manufacturer IDs
.bet Ethernet Sniffer Pro table of assigned manufacturer IDs
In addition to understanding various Sniffer Pro formats, you should be able to distinguish among them and use the formats of other packet analyzers so that you can open files captured using other tools. We discuss all these processes in detail in the following sections.
Now that you know why it is important to save captured data, you need to understand how to save this data for future analysis. When using Sniffer Pro, you could come across a troubleshooting scenario in which you need to remotely capture data from multiple locations. If this is the case, the versions of Sniffer Pro covered in this book (versions 3 and 4) will not allow you to natively perform this task. You can't capture traffic on different remote segments with this product, so if you need to do that, you might need to purchase an enhanced version of Sniffer Pro called Sniffer Distributed. This product will allow you to capture traffic on all key segments of your network using Sniffer Distributed agents. Is there a way you can circumvent this issue for now and capture the remote traffic? Yes, there is a way, but the logistics of doing so could become quite a hassle. You can always ask someone to capture that data for you (or you can do that with a remotely controlled workstation). Once the data is captured, you can upload the capture files and analyze the captures from the comfort of your own machine.
After you or somebody else has captured the traffic, you need to be able to save it for future analysis. There are two ways of saving data captures:
Manual saving
Automatic saving when the capturing buffer is full
Manual saving is very popular because you can view the data you have captured and save it only if you find it necessary to do so. To perform manual saving, you must stop capturing and display the capture buffer (select Capture | Stop and Display or simply press the F9 key). Then you can actually save the data in your capture buffer. To do so, from the main menu, choose File | Save or Save As. Another alternative is to click the Floppy icon in the main toolbar (refer back to Figure 6.1). A standard Windows Save As dialog window appears on your screen. From here you can select the directory into which you want to save your capture, the filename, and the extension or type of file. (Refer back to Table 6.2 for the list of known extensions.)
Automatic capture is useful if you want to capture a great deal of data, such as a volume that would not fit into your computer’s memory. Automatic capture is also helpful if you definitely know that the data you are capturing is required for future analysis and you want to save it on your hard drive right away, without going through the manual-saving process. Before you begin capturing, you must define a special filter profile (although no actual filtering is done here; you save all the packets you have received). The filter profile allows Sniffer Pro to save the buffer content to a file.
It is usually not a good idea to modify a Default profile because it is used as a starting point for any new profile you create on your computer. For that reason, you should always create a new profile for new filters.
Let’s create a new capture profile by following these steps (see Figure 6.4):
1. Select Define Filter from the Capture menu.
2. In the Define Filter window that appears on your screen, press the Profiles button.
3. In the Capture Profiles window, press the New button.
4. Choose an appropriate name for your profile (for example, LightPave), and select OK.
5. Press Done to close the Capture Profiles window.
Figure 6.4 Creating a New Capture Profile
Now you are ready to modify the new profile you have just created. Switch to the Buffer tab. The Buffer tab window is divided into four main areas (see Figure 6.5):
Buffer size
Packet size
When buffer is full
Save to file
Let’s take a close look at each of these sections.
Figure 6.5 The Buffer Tab in the Define Filter Window
Buffer size allows you to select how much memory on your computer is actually used for the capture buffer. If your computer has a very limited amount of memory and you set the buffer size too high, you can crash your computer or freeze Sniffer Pro. To avoid this situation, you should decrease the size of the buffer and use the Save to File option we discuss shortly. Note that the capture buffer’s default size is 8MB. You can manually modify the buffer size in a range from 256KB to 40MB. The available buffer sizes are:
You can check how much memory is available for a buffer on your computer by executing Task Manager on Windows 2000/NT or System Monitor on Windows 98/95. Make sure that the buffer size you have configured does not exceed available memory on your computer. We also recommend you close background applications (such as ICQ, Office Panel, or Real Player) to maximize the memory available for Sniffer Pro. Disabling unnecessary Sniffer Pro Expert Objects also allows you to optimize memory usage.
For example, if you have a notebook with 96MB of RAM, your Windows 2000 can use approximately 46MB of the available memory and Sniffer Pro can use approximately 30MB, so your buffer size can be anywhere between 256KB and 20MB. The standard 8MB buffer size looks like a good choice in this case. The Packet size option allows you to choose whether the whole packet should be captured (the default option) or only some part of it (between 32 bytes and 18,432 bytes).
The When buffer is full option allows you to modify Sniffer Pro’s behavior in the event that the capture buffer becomes full. The program can either Stop capture or Wrap buffer and keep capturing data.
To enable automatic saving, choose the Save to File option and specify the filename prefix as well as the number of files you want to be created on your hard drive. Indicate the directory to which you want the files to be saved.
Other options you should specify to complete your setup are as follows:
Filename prefix Defines a common prefix of saved capture files.
Unique names This option specifies whether the analyzer must use a unique filename for each saved file. Sniffer Pro will make sure that the filenames are unique by assigning three random letters prior to the extension, as shown in the following example. This option can be useful if you want to be sure that you don’t overwrite the files you have previously captured. Check to make sure that you have enough space on your hard drive to accommodate all the files.
Number of files This option sets the maximum number of files Sniffer Pro will create on the hard drive.
Wrap filenames This option specifies whether the files for this capture can be overwritten as soon as the number of saved files has been reached. Disabling this option tells Sniffer Pro that it should stop capturing as soon as it fills its buffer and saves the number of files you have specified.
To better understand what these options actually do, perform the following exercise. Modify the new profile you have just created using these options:
1. Type LightPave as the filename prefix.
2. Select 3 as the number of files.
3. Enable the Unique Names option. Do not enable the Wrap filenames option, so Sniffer Pro will stop after the files become full.
4. Specify C:\Capture as the capture buffer directory.
5. Start the capturing process by pressing the F10 key. Sniffer Pro will automatically stop capturing as soon as three files are filled.
Now if you look into the C:\Capture directory to which you saved the captures, you will see three files that will look like the following:
LightPave here is the file prefix you chose; 001, 002, and 003 are the file numbers; and ajr is the randomly generated unique file identifier, so it can be different if you repeat this exercise.
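To make the Detail tab counters and the Buffer tab options concrete, here is a small Python model of the behaviour the chapter describes. It is an added illustration, not Sniffer Pro code and not from the book: the class and function names (CaptureProfile, CaptureBuffer, replay) are hypothetical, the frame stream and the 1000-byte buffer are constructed, and the three random letters Sniffer Pro adds to unique filenames are replaced by a fixed "ajr" so the run is reproducible. It assumes that the buffer holds whole (or sliced) frames until the next one would not fit, that Stop ends the capture and Wrap discards the oldest frames, and that with Save to File each full buffer is written as prefix, three-digit number, unique letters and .cap, cycling through the file numbers when Wrap filenames is on and stopping after the last file otherwise.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Frame:
    proto: str
    size: int      # bytes on the wire


@dataclass
class CaptureProfile:
    """Buffer-tab options of a capture profile, named as in the chapter (hypothetical class)."""
    buffer_size: int = 8 * 1024 * 1024   # Sniffer Pro allows 256 KB to 40 MB; 8 MB is the default
    slice_size: int = 0                  # 0 = whole frame; otherwise only this many bytes are kept
    when_full: str = "stop"              # "stop" capture or "wrap" buffer (ignored with save_to_file)
    save_to_file: bool = False
    filename_prefix: str = "Capture"
    unique_names: bool = True
    number_of_files: int = 3
    wrap_filenames: bool = False


class CaptureBuffer:
    """Capture buffer plus the counters of the Capture Panel's Detail tab (hypothetical model)."""

    def __init__(self, profile, capture_filter=None, unique_letters="ajr"):
        # unique_letters is a fixed stand-in for the three random letters Sniffer Pro generates
        self.p, self.capture_filter, self.unique = profile, capture_filter, unique_letters
        self.frames = deque()            # (frame, bytes stored), oldest first
        self.used, self.running = 0, True
        self.seen = self.accepted = self.rejected = 0
        self.dropped = 0                 # drops caused by host performance are not modelled
        self.buffer_action = "Wrap" if profile.when_full == "wrap" else "Stop"
        self.saved_files = {}            # filename -> frames written; stands in for the directory
        self.files_written, self.file_wrap = 0, False

    def _filename(self, index):
        unique = self.unique if self.p.unique_names else ""
        return f"{self.p.filename_prefix}{index:03d}{unique}.cap"

    def _save_buffer(self):
        """Write the full buffer to the next file; False once the file quota is used up."""
        name = self._filename(self.files_written % self.p.number_of_files + 1)  # 001..N, cycling
        self.file_wrap = self.file_wrap or name in self.saved_files   # 'File wrap' indicator
        self.saved_files[name] = len(self.frames)
        self.files_written += 1
        self.frames.clear()
        self.used = 0
        return self.p.wrap_filenames or self.files_written < self.p.number_of_files

    def _make_room(self, needed):
        """Apply the buffer-full policy; False means the frame cannot be stored."""
        if self.p.save_to_file:
            if not self._save_buffer():      # all N files filled and Wrap filenames is off
                self.running, self.buffer_action = False, "Stopped"
                return False
        elif self.p.when_full == "wrap":
            while self.frames and self.used + needed > self.p.buffer_size:
                self.used -= self.frames.popleft()[1]   # oldest frames are overwritten
            self.buffer_action = "Wrapped"
        else:
            self.running, self.buffer_action = False, "Stopped"
            return False
        return self.used + needed <= self.p.buffer_size

    def offer(self, frame):
        """Feed one frame as seen on the wire; True if it went into the buffer."""
        if not self.running:
            return False
        self.seen += 1
        if self.capture_filter is not None and not self.capture_filter(frame):
            self.rejected += 1           # did not satisfy the capture filter
            return False
        stored = min(frame.size, self.p.slice_size) if self.p.slice_size else frame.size
        if self.used + stored > self.p.buffer_size and not self._make_room(stored):
            self.rejected += 1           # rejected because the buffer is full
            return False
        self.frames.append((frame, stored))
        self.used += stored
        self.accepted += 1
        return True


def replay(profile, n_frames=12, frame_size=300, capture_filter=None):
    """Run a constructed stream of equal-sized frames (alternating TCP/UDP) through a profile."""
    buf = CaptureBuffer(profile, capture_filter)
    for i in range(n_frames):
        buf.offer(Frame(proto="TCP" if i % 2 == 0 else "UDP", size=frame_size))
    return buf


if __name__ == "__main__":
    # The chapter's exercise: prefix LightPave, three files, Unique names on, Wrap filenames off.
    # A 1000-byte buffer of 300-byte frames fills after three frames, so three files of three frames.
    b = replay(CaptureProfile(buffer_size=1000, save_to_file=True, filename_prefix="LightPave"))
    print(list(b.saved_files), b.buffer_action, b.seen, b.accepted, b.rejected)
```

Running the exercise profile yields LightPave001ajr.cap, LightPave002ajr.cap and LightPave003ajr.cap and a Buffer Action of Stopped, with the frame that arrived after the third file counted as rejected; switching Wrap filenames on makes the model overwrite LightPave001ajr.cap and raise the File wrap indicator instead of stopping, and a when_full of "wrap" without Save to File keeps only the newest frames in memory and shows Wrapped.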
Table 6.2 summarizes the different file types used by Sniffer Pro. Now let’s talk about the file types that are directly related to saving captured data—the ones you can select while saving your captured data on a hard drive.
When Sniffer Pro was introduced, capture files had extensions that depended on the type of network adapter used. Ethernet files had an extension *.ENC, Token Ring files had *.TRC, and FDDI files had *.FDC.
With the release of the Windows version of Sniffer Pro, new file formats were introduced. Now Sniffer Pro uses the same *.CAP format for all types of interfaces. Sniffer Pro saves files in a unified uncompressed format, so the files can grow dramatically if you capture too much data. To prevent this situation, you can save your captures with the *.CAZ extension. In this case, Sniffer Pro automatically compresses your data. In the majority of cases, this extension will significantly reduce the drive space needed to save your captures.
For backward compatibility with other versions, Sniffer Pro permits you to save captures in the original Sniffer formats (*.ENC, *.TRC, and *.FDC).