Customizing the way you View a Capture File
The Distinct Network Monitor includes a number of features to help you view the portion of your capture that is most useful to you as efficiently as possible. It includes both general display options, set by selecting Display Settings in the Configure menu, and packet-specific display options that become available when you right-click a packet in one of the Network Monitor windows. In the Summary window, right-click to display the following menu options:

Display only Packets of this Connection
This option is extremely handy and allows you to quickly look through the packets related to a specific TCP connection. Note that this feature is only available when you are currently positioned on a TCP packet. For example, as you scroll through your Summary window and come across a problem, right-click and select this option; you will now see only those packets that belong to the same TCP connection (the same pair of IP addresses and ports, in either direction). By default the history of 64 connections is kept. Depending on your memory availability, this may be increased as needed in the Advanced Configuration tab; you will need to close the application and start it again for a new value to take effect.

Display Highest Protocol Summary
This is the default display for the Summary window. It shows the highest-level protocol in each packet's summary line. For example, if the packet is an FTP packet, FTP is displayed here.

Display Lowest Protocol Summary
This option displays only the lowest-level protocol of each packet in the Summary window, for example Ethernet, Token Ring or PPP.

Color Code Packets of the same Connection
This lets you turn the color-coding of packets belonging to the same connection on or off. Color coding is very useful because it helps you quickly distinguish the different connections, so it is normally left on.

Display Header Fields
Display header fields allows you to customize which packet header fields will be displayed in the Summary Window. Changes made to the display fields will be remembered by Network Monitor for subsequent monitoring sessions. The header fields to be displayed may also be selected through the Headers tab in the Configuration menu.

The following are the different packet header fields that can be selected:
Packet Number
This is the sequence number of the packet in the capture. Each packet capture will start from one.
Length
Shows the total packet length.
Date and Time
Displays the actual date and time when the packet was captured.
Time (in seconds)
Gives the time elapsed between the start of the packet capture and the moment this packet was received.
Delta (in seconds)
Gives the time in seconds since the previous packet was received. This is useful when checking round-trip time, for example between a request and the reply that follows it.
Source MAC Address
Displays the MAC address of the interface that placed the packet on the network segment being captured. This is the originating host's address only when that host is on the same segment; otherwise it is the address of the last hop, such as a router interface or a proxy server on the network.
Destination MAC Address
This is the MAC address of the interface the packet was delivered to on this segment; when the final destination is on another network this is again a router or proxy rather than the destination host.
Source IP Address
This is the IP address of the system that sent the packet. Note that if the sender is behind a proxy server (or a NAT device), this will be the address of that proxy rather than of the original client.
Destination IP Address
This is the IP address of the system to which the packet is directed.
Source Port
This is the port from which the packet was sent.
Destination Port
This is the port on which the packet was received.
TCP Sequence
The sequence number identifies the position of this packet's first data byte in the stream of bytes flowing from the sender to the receiver. For each new connection the sender chooses an initial sequence number (ISN); the sequence numbers of subsequent packets in the same direction increase by the number of data bytes already sent (the SYN and the FIN each also consume one sequence number). Each direction of a connection has its own sequence-number space.
TCP Acknowledgement
The acknowledgement number is the sequence number of the next byte the sender of this packet expects to receive, that is, the last in-order byte received plus one. It is valid only if the ACK flag is set.
TCP Flags
The TCP header may have one or more of the following six flags set; the summary line shows the letter of each flag that is on. (The ECE and CWR flags later defined by RFC 3168 for Explicit Congestion Notification are not among these six.)
U – the urgent flag. It indicates that the Urgent Pointer field is valid and is used by protocols such as Telnet and Rlogin to tell the receiver that a portion of the data in this packet should be processed immediately, possibly ahead of data already waiting in the input buffer for that socket. It is used, for example, to send control characters (such as ^C to interrupt) that should be acted on at once.
A – the ACK flag. It indicates that the Acknowledgement field is valid, i.e. that it carries the sequence number of the next byte expected from the other side. Every packet except the initial SYN of a connection must have ACK set; if there is no new data to acknowledge, the previous acknowledgement number is simply repeated.
P – the push flag indicates that the receiver should pass this data on to the application as soon as possible rather than waiting to fill a buffer. It usually indicates that the packet contains user input that should be processed promptly. Its use is not always meaningful, however: some protocols and implementations set the push flag on every segment they send.
R – the reset flag is sent whenever a segment arrives that does not belong to any known connection or is otherwise invalid, for example a packet sent to a port with no listener, or data arriving after the receiving application has already closed the socket. It can also be used as a quick way to abort a connection: it tells the other side not to send any more packets on that connection, and no FIN exchange follows.
S – the synchronize flag, used to initiate a connection. A packet with SYN set carries the sender's initial sequence number (ISN); the SYN itself occupies one sequence number, so the first data byte is numbered ISN + 1. The other side acknowledges it by returning ISN + 1 in the Acknowledgement field of its reply (a SYN/ACK from the server, then a plain ACK from the client completing the three-way handshake). Both the Sequence and Acknowledgement fields are simply byte positions in the stream: when sending, the sequence number of the first byte of data in the packet is sent as SEQ, and the sequence number of the next byte expected from the other side is sent as ACK.
F – the finish flag indicates that the sender has no more data to send. The sender may still receive data, and the connection is fully closed only after each side has sent a FIN and had it acknowledged.
TCP Window
This is the TCP window size: the number of bytes the sender of this packet is currently willing to accept beyond the byte it has acknowledged, i.e. the free space in its receive buffer. If a window-scale option was negotiated on the SYN, the effective window is this value shifted left by the agreed scale factor.
Description
Provides a summarized description of the packet contents. For example it may tell you that the packet is an FTP packet and contains the STOR command.
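The fields above can be extracted from raw frame bytes with a few lines of code. The Python below is an added example, not Distinct Network Monitor's own parser: it decodes the Ethernet II, IPv4 and TCP headers of each frame into the Summary-window fields, prints the six flags with the same U A P R S F letters, and implements the grouping behind "Display only Packets of this Connection" by keying on the two IP-address/port pairs regardless of direction. The MAC addresses, IP addresses, ports and sequence numbers in the sample capture are constructed; note how the SYN/ACK in packet 3 acknowledges the client's initial sequence number plus one, and the ACK in packet 4 does the same for the server's.

```python
import struct

# Bit masks of the six flags the Summary window prints, in the order U A P R S F.
FLAG_LETTERS = [(0x20, "U"), (0x10, "A"), (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F")]


def parse_frame(frame: bytes) -> dict:
    """Extract the Summary-window fields from one Ethernet II / IPv4 / TCP frame.

    Raises ValueError for anything that is not an IPv4 TCP packet, which is exactly
    the case where the per-connection menu options are unavailable.
    """
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP headers")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = ip[ihl:total_len]                       # ignore any Ethernet padding after the datagram
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4           # TCP header length, options included
    flags = off_flags & 0x3F                      # low six bits: URG ACK PSH RST SYN FIN
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack,
        "flags": "".join(letter for bit, letter in FLAG_LETTERS if flags & bit),
        "window": window,
        "payload_len": len(tcp) - data_offset,
    }


def connection_key(p: dict) -> tuple:
    """Direction-independent identity of a TCP connection: both halves map to the same key."""
    return tuple(sorted([(p["src_ip"], p["sport"]), (p["dst_ip"], p["dport"])]))


def packets_of_connection(frames, selected: int) -> list:
    """Packet numbers (1-based, like the Packet Number column) of every frame in the same
    connection as packet `selected`, i.e. what Display only Packets of this Connection shows."""
    parsed = [parse_frame(f) for f in frames]
    key = connection_key(parsed[selected - 1])
    return [i + 1 for i, p in enumerate(parsed) if connection_key(p) == key]


def build_frame(src_ip, sport, dst_ip, dport, seq, ack, flags, payload=b""):
    """Constructed sample frame for the parser (checksums left zero; MAC addresses made up)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip + tcp


# Constructed capture: an FTP handshake from 10.0.0.5, interleaved with an unrelated HTTP SYN.
SAMPLE_CAPTURE = [
    build_frame("10.0.0.5", 51000, "10.0.0.9", 21, 1000, 0, 0x02),                 # 1  S
    build_frame("10.0.0.7", 40000, "10.0.0.9", 80, 500, 0, 0x02),                  # 2  S  (other connection)
    build_frame("10.0.0.9", 21, "10.0.0.5", 51000, 7000, 1001, 0x12),              # 3  AS, ACK = client ISN + 1
    build_frame("10.0.0.5", 51000, "10.0.0.9", 21, 1001, 7001, 0x10),              # 4  A,  ACK = server ISN + 1
    build_frame("10.0.0.5", 51000, "10.0.0.9", 21, 1001, 7001, 0x18, b"USER anonymous\r\n"),  # 5 AP, 16 data bytes
]

if __name__ == "__main__":
    for n, f in enumerate(SAMPLE_CAPTURE, 1):
        p = parse_frame(f)
        print(n, p["src_ip"], p["sport"], "->", p["dst_ip"], p["dport"],
              p["seq"], p["ack"], p["flags"], p["window"], p["payload_len"])
    print("same connection as packet 3:", packets_of_connection(SAMPLE_CAPTURE, 3))
```

Running the module prints one summary line per packet followed by the packet numbers that share packet 3's connection (1, 3, 4 and 5; packet 2 is excluded). IP and TCP options are handled because both header lengths are read from the headers rather than assumed, and frames that are not IPv4/TCP raise ValueError instead of producing misleading fields.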

Viewing Protocol Errors and Warnings
Packets containing a protocol warning are preceded by a white X, and packets containing a protocol error by a black X. You can move quickly from one error to the next in a capture file either by selecting the appropriate option from the Capture menu or by pressing CTRL+E to jump to the next packet that has a protocol error, or CTRL+W to jump to the next packet that has a protocol error or warning.

Ports and Captured Packets
Distinct Network Monitor parses packets by handing each one to the protocol parser associated with its port number.
By default, Network Monitor assumes that the various protocols are using their default or well-known ports. For example, packets on port 23 are assumed to be Telnet packets. In addition, Network Monitor reads the port numbers from the Services file on the system it is capturing on and also uses the ports defined there when assigning parsers. This may not be enough to parse all the packets in a capture taken on a given subnet. For example, one of the systems on the subnet could be connecting to an FTP server on port 42 instead of the default port 21; those packets are not recognized as FTP until you add 42 as a port for the FTP parser. To do this, select the Ports command in the Configure menu, select the protocol to which a port needs to be assigned (FTP in our example), add the extra port number in the next available text box, and click OK. Keep in mind that the assignment is purely by port number: a different protocol running on a port assigned to FTP will still be handed to the FTP parser, so check the Description field when a decode looks wrong.
When defining additional ports for a protocol you may choose to use these port definitions only for the current capture file or for all subsequent captures.
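The port assignment described here is easy to model. The Python below is an added example, not the tool's own code, of the same three-layer lookup: built-in defaults, entries read from a services-file excerpt, and an override for the current capture that sends port 42 to the FTP parser. The DEFAULT_PORTS table and the services lines are constructed for the example. It also shows why the lookup has to consider both ports of a packet: in the server-to-client half of the connection, 42 is the source port, not the destination.

```python
# Port-based parser assignment: built-in defaults, entries from a services file, and
# per-capture overrides, with the dispatch checking both ends of the connection.

# Hypothetical built-in well-known ports (the tool's real list is not on this page).
DEFAULT_PORTS = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 80): "HTTP", ("udp", 53): "DNS"}


def parse_services(text: str) -> dict:
    """Read entries in the layout of the system services file: 'name  port/proto  [aliases] # comment'."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                                  # malformed line: skip rather than guess
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            table[(proto.lower(), int(port))] = fields[0].upper()
    return table


class PortAssigner:
    def __init__(self, services_text: str = "", overrides: dict = None):
        self.table = dict(DEFAULT_PORTS)
        self.table.update(parse_services(services_text))   # services file beats the defaults
        self.table.update(overrides or {})                  # e.g. {("tcp", 42): "FTP"} for this capture

    def protocol_for(self, proto: str, sport: int, dport: int):
        """Choose the parser by port. The destination port is tried first, then the source
        port, so the server-to-client half of a connection gets the same parser as the
        client-to-server half. Returns None when neither port is assigned."""
        for port in (dport, sport):
            name = self.table.get((proto.lower(), port))
            if name:
                return name
        return None


# Constructed services-file excerpt (same layout as /etc/services or the Windows services file).
SAMPLE_SERVICES = """\
# service   port/proto   aliases
ftp         21/tcp
ssh         22/tcp
http        80/tcp   www
"""

if __name__ == "__main__":
    default = PortAssigner(SAMPLE_SERVICES)
    this_capture = PortAssigner(SAMPLE_SERVICES, overrides={("tcp", 42): "FTP"})
    print("port 42 by default:", default.protocol_for("tcp", 51000, 42))          # None: unparsed
    print("port 42 with override:", this_capture.protocol_for("tcp", 51000, 42))  # FTP
    print("reply direction:", this_capture.protocol_for("tcp", 42, 51000))        # FTP via source port
```

Without the override, traffic to port 42 gets no parser at all; with it, both directions of the connection decode as FTP. Because the table is keyed by port only, the same lookup would also label any other service that happened to use port 42 as FTP, which is the limitation noted above.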

Searching a Capture File
You can easily search for a specific text string in any packet by using the search capability built into the Network Monitor. Either choose the Search Packet command from the Capture menu or press CTRL+S, then enter the string to be searched for in the capture file.

Saving Parts of a Capture File with Another Name
You can save a capture file on which you have applied a filter to another file. This will make it easier for you to navigate through the packets that are of interest to you. You may also save a range of packets from a capture file to another file. For example if you have a large capture file but have identified your problem area to be between packet 5900 and 6100, you could save this range of packets to a separate capture file. The new file will be much faster to navigate through. To save a filtered file or a packet range from a particular file simply:
- Select the Save As command from the File menu.
- Enter the name of the file it is to be saved as. Make sure that the file type is set to .cap.
- If you have preselected the packets to save by highlighting them, Selection is automatically chosen as the range. Otherwise select All packets, or give the range of packets to be saved, in the Save as Capture File dialog box.
- Click the Save button to actually save the file.
Note: You may also save selected packets from a file that are not necessarily in a sequence. To do this, select all the packets to be saved using the Shift or Ctrl key with the left mouse button, then select Save As from the File menu.
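Saving a range or a scattered selection amounts to copying whole packet records when the capture is in the classic libpcap format. The Python below is an added example, not the tool's Save As code: it reads such a file, keeps the 1-based packet numbers you ask for in their original capture order, and writes a new file under the same global header. The .cap layout that Distinct Network Monitor writes is not described on this page, so the sample capture here is constructed in libpcap format instead.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic (microsecond timestamps)


def read_pcap(data: bytes):
    """Split a classic pcap file into its 24-byte global header and a list of records,
    each record kept verbatim (16-byte record header + packet bytes)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:             # the same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and vendor formats are not handled)")
    records, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        if pos + 16 + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % pos)
        records.append(data[pos:pos + 16 + incl_len])
        pos += 16 + incl_len
    return data[:24], records


def packet_count(data: bytes) -> int:
    return len(read_pcap(data)[1])


def save_packets(data: bytes, numbers) -> bytes:
    """Return a new pcap holding only the given 1-based packet numbers, in capture order.
    `numbers` may be a contiguous range (range(5900, 6101)) or a scattered selection."""
    header, records = read_pcap(data)
    wanted = sorted(set(numbers))
    if wanted and (wanted[0] < 1 or wanted[-1] > len(records)):
        raise IndexError("packet numbers must lie in 1..%d" % len(records))
    return header + b"".join(records[n - 1] for n in wanted)


def make_pcap(packets, link_type: int = 1) -> bytes:
    """Constructed sample capture: one record per packet, timestamps one second apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, link_type)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


# Ten constructed packets of different sizes so that record boundaries are exercised.
SAMPLE_CAPTURE = make_pcap([bytes([i]) * (20 + i) for i in range(10)])

if __name__ == "__main__":
    subset = save_packets(SAMPLE_CAPTURE, range(3, 6))        # packets 3..5, like a Range
    picked = save_packets(SAMPLE_CAPTURE, [7, 1, 4])           # a Ctrl-click selection
    print(packet_count(SAMPLE_CAPTURE), packet_count(subset), packet_count(picked))
    with open("subset.pcap", "wb") as fh:                       # hypothetical output file name
        fh.write(subset)
```

Records are copied byte for byte, so timestamps and captured lengths are preserved; only the packet numbers change, which is why a note of the original range is worth keeping with the smaller file.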

Modifying and Resending Captured Packets
Software developers testing their application can capture a packet, modify it to exercise their application's handling of different inputs, and resend it on the network. To do this, highlight the packet you wish to test, then right-click; a hex edit box is displayed.
Modify the hex value of the byte you are testing by positioning the cursor in front of the character you wish to change and keying in the new value. When you have finished your modifications, click the Next button.
You can now select the number of times to retransmit the modified packet and the interval in seconds between one send and the next. If your system has more than one network interface, select the one to transmit from before clicking the Send button. Bear in mind that the packet goes out exactly as edited: if you change header or data bytes, the IP and TCP checksums must still match the edited bytes (recompute them if the tool does not), otherwise the receiving stack silently discards the packet. Replaying captured TCP segments onto a live network can also interfere with the connections they were taken from, so do this on a test network.
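What the hex edit box does about checksums is not described on this page, so it is worth being able to check and repair them yourself. The Python below is an added example, not the tool's own editor: it patches one byte of a captured Ethernet II / IPv4 / TCP frame (here the TTL) and recomputes the IPv4 header checksum and the TCP checksum over the pseudo-header, header and data, then verifies the result. The sample frame, its addresses and its payload are constructed, with both checksums deliberately left at zero.

```python
import struct

ETH_HDR = 14                         # Ethernet II header length; the IPv4 header starts here


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_checksums(frame: bytes) -> bytes:
    """Return a copy of the frame with the IPv4 header checksum and, for TCP, the TCP
    checksum (over the pseudo-header, header and data) recomputed from the current bytes."""
    b = bytearray(frame)
    ihl = (b[ETH_HDR] & 0x0F) * 4
    total_len = struct.unpack("!H", b[ETH_HDR + 2:ETH_HDR + 4])[0]
    b[ETH_HDR + 10:ETH_HDR + 12] = b"\x00\x00"            # checksum field counts as zero while summing
    b[ETH_HDR + 10:ETH_HDR + 12] = struct.pack("!H", checksum(bytes(b[ETH_HDR:ETH_HDR + ihl])))
    if b[ETH_HDR + 9] == 6:                               # protocol 6 = TCP
        tcp_off, tcp_len = ETH_HDR + ihl, total_len - ihl
        b[tcp_off + 16:tcp_off + 18] = b"\x00\x00"
        pseudo = bytes(b[ETH_HDR + 12:ETH_HDR + 20]) + struct.pack("!BBH", 0, 6, tcp_len)
        b[tcp_off + 16:tcp_off + 18] = struct.pack(
            "!H", checksum(pseudo + bytes(b[tcp_off:tcp_off + tcp_len])))
    return bytes(b)


def checksums_valid(frame: bytes) -> bool:
    """True when the checksums already match the bytes, i.e. recomputing changes nothing."""
    return fix_checksums(frame) == frame


def patch_byte(frame: bytes, offset: int, value: int) -> bytes:
    """Overwrite one byte, as the hex edit box does, then repair the checksums so the
    receiving stack will not silently discard the modified packet."""
    b = bytearray(frame)
    b[offset] = value
    return fix_checksums(bytes(b))


# Constructed frame: 10.0.0.5:51000 -> 10.0.0.9:21, PSH+ACK, payload "QUIT", with both
# checksum fields left as 0000 so that fix_checksums has something to do.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455 66778899aabb 0800"                      # Ethernet II, type IPv4
    "4500 002c 0001 4000 40 06 0000 0a000005 0a000009"     # IPv4: total length 44, TTL 64, TCP
    "c738 0015 000003e9 00001b59 5018 ffff 0000 0000"      # TCP: ports, seq 1001, ack 7001, AP flags
    "51554954"                                             # "QUIT"
)

if __name__ == "__main__":
    good = fix_checksums(SAMPLE_FRAME)
    edited = patch_byte(good, ETH_HDR + 8, 1)              # set TTL to 1
    print("IP checksum:", good[ETH_HDR + 10:ETH_HDR + 12].hex(), "valid:", checksums_valid(good))
    print("TTL edited without fixing:", checksums_valid(good[:22] + b"\x01" + good[23:]))
    print("TTL edited with patch_byte:", checksums_valid(edited))
```

Run it and the middle line prints False: changing a single header byte invalidates the IPv4 checksum, and a payload edit would likewise invalidate the TCP checksum, so a packet resent after such an edit is dropped unless the checksums are repaired. A receiving host with a valid checksum is a prerequisite, not a guarantee, that the packet is accepted; a replayed segment can still be rejected by TCP if its sequence numbers no longer fit the connection.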