Capture Engine for Omnipeek Tech Tips



I want to use the new Compass for the Capture Engine but I do not see it in the Capture View pane, what is wrong?

Compass is enabled and disabled in the Analysis Options. Go to Capture Options>Analysis Options and enable it there.

What if I don't want some of my users downloading files from the Capture Engine?

This feature is available when the ACL is being used. Go to the Access Control page of the Capture Engine Configuration Wizard. There is a new policy called "Download Files". Highlight it and select the user you want to give permission to download files from the Capture Engine.

I have Omnipeek and I am trying to connect to my Capture Engine. I know my credentials are correct, but I cannot connect. Why?

You must either disable the Windows Firewall or add Capture Engine TCP ports 6367 and 6369 to the exceptions list in order to make Capture Engine accessible from the Omnipeek machine.

Why can't I access the Label option on the Capture Engine, I can in Omnipeek?

The Label packets option is only for local captures done in Omnipeek.

What happened to the Apdex view in Capture Engine?

The Application Statistics Dashboard in the Capture Engine replaced the old Apdex Dashboard. The dashboard includes the following elements:

  • Application utilization - a graph of the Top N applications, similar to the graph in CTD stats.
  • Application latency - using the latency calculation code from Compass to graph the latency of the top 10 applications.
  • Application details (Flows/packets/bytes) - same view as "Statistics>Applications".

I configured the TCPDump adapter on my Capture Engine and it is not capturing all the packets visible to the interface, what is the problem?

The "Capture all traffic on interface (Promiscuous Mode)" option is not selected in the Save Adapter dialog, so only traffic destined for the interface is captured.

How can I determine what nodes are using a particular application?

You can right-click on an application in the Applications view and the details will show all nodes associated with that application. Conversely, in the Nodes view, you can right-click on any node, and the details will display all applications associated with that node.

Why can't I see any VoIP stats on my Timeline graph after enabling it in the Capture Options?

You may not have any open calls in the capture. Only open calls are graphed. Also, make sure Call Quality is selected in the View Type field.

How do I configure the VLAN-MPLS Node filter?

  1. Create an Advanced Filter with a VLAN-MPLS node.
  2. Enable the VLAN IDs checkbox and enter one or more VLAN IDs.
    Note: You can enter a single value or an ID range (for example, 200-210). Values and ranges may be separated by spaces, commas, and semicolons.
  3. Enable the MPLS Labels checkbox and enter one or more MPLS Labels.
    Note: You can enter a single value, or an MPLS label range (for example, 100-110). Values and ranges may be separated by spaces, commas, and semicolons.
  4. Create a new Capture and enable the VLAN-MPLS Filter.
  5. Start the capture.

At this point, only traffic that meets the criteria of the filter will be accepted into the Capture's buffer.

I selected a large portion of my disk space for my capture to disk but it is stopping after the allotted disk space is used up, what is the problem?

If Continuous capture is disabled, the capture stops when this amount of disk space has been filled. Enable Continuous capture and it will recycle the files and keep capturing.

I am attempting to save my capture to disk files as pcap or pcapng and they are still saving as a *.pkt format. What is the problem?

The pcap or pcapng file format for capture to disk needs to have a period in front of the file extension, for example: C:\Users\Username\Documents\Capture 1-.pcap.

When using the Download Engine Packet Files to retrieve files from various engines and merge them, can I save it as a format other than *.wpz or *.pkt?

Yes, once you have merged the files into one, you can open it up in Omnipeek and then change the file to a number of different formats.

Using the Download Engine Packet Files feature, I select the engines I want to search and in the Capture Session dialog a couple come back with "No results were found". There is saved data on those engines, what is the problem?

This means that no data was found within the time frame specified for the search. Also, for data to be retrieved, Timeline Stats must have been enabled in the Capture Options before the capture started. You can verify this by looking in the Forensics tab.

How do I save the Support tab information?

There are buttons to save this as a text file and to copy it to the clipboard.

  1. The save icon saves all information. There is a menu item for save as well, File>Save Support Info. The default file save name is Capture Engine Support.txt.
  2. The copy button (as well as the Edit>Copy menu item) will copy only the selected text to the clipboard. If there is no selection, it will copy everything.

Note: There is a refresh button which will update the information (re-query and re-receive it from the engine). There is no auto-refresh; however, each time you switch to this tab, the information there is refreshed.

Capture Engine supports Multiple IP Addresses and/or IP Address Ranges Filters, how do I create one?

  1. Open the Filter view on an Engine capture window.
  2. Click on the Insert icon.
  3. Select the Type as Advanced.
  4. Go to the And/Or option and select Address.
  5. Choose capture session and click Next to start the search.
  6. Select the type of address you want to enter.
  7. Begin entering your addresses.

After I added multiple IP Addresses to my Address Filter, I get an error "Address Format Invalid". What does this error mean?

When you enter the numbers in the range, do not include commas.

When I enter a new number in the Log max field and click Next in the Capture Engine Configuration Wizard, I receive a prompt that says "Enter an integer between 10000 and 100000000". I have entered a number in that range, what is wrong?

When you enter the numbers in the range, do not include commas.

How do you configure the new multiple authentication servers?

  1. Go to the Capture Engine Configuration Wizard or use the OEM configuration icon.
  2. Go to the Security menu.
  3. Select Enable Third-party Authentication.
  4. Add any authentication servers on your network.

How do I create a new Multi-Segment Analysis (MSA) project for multiple Capture Engines?

  1. From the File menu, choose "New Multi-Segment Analysis Project".
  2. Then select "Search for packets on remote engines".
  3. Choose the time range and filter for the search.
  4. Choose engines to search.
  5. Choose capture session and click Next to start the search.

How do I add files to the Capture Engine?

  1. Go to the Files tab.
  2. Click on the Upload Packets icon.
  3. Select the files you want to add to the Capture Engine.
  4. Click Open.

How do I access the new CDR (Call Detail Records)?

In the Capture Options Statistics Output, enable "Save statistics report". Then under "Report type" select the Call Detail Records option.

Will all Omnipeek Users Need Access to the Capture Engine Data Folder?

Yes, the data folder used by Capture Engine to store trace files must have write permissions for all users who want to use Omnipeek. The Capture Engine data folder is configured using the Capture Engine Manager (on the General tab of the Remote Engine Properties dialog).

Is Capture Engine Enterprise compatible with User Account Control (UAC) under Windows 7?

No. In order to run Capture Engine under Windows 7, you must disable UAC.

Is there a way to only capture the header of a packet?

Yes, here's how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (green).
  3. Select Simple or Advanced for Filter Type.
  4. Select Protocol Filter.
  5. Select the Protocol and check Slice to Header.

Can a NIC connected to a SPAN/Mirror port also be used for network services?

No, you will need an additional adapter to use for network services or use a multi-port adapter like the Intel dual or quad port adapters. These cards could connect via one port and capture on the additional, available ports.

I created a filter but it is not showing up in the filter list. Why?

Be sure you have clicked the yellow bar "Click here to send changes".

Why does the Dashboard view display Traffic History and Top Talkers by IP Address as not available?

Be sure the modules are enabled. Start a new Monitoring Capture or New Capture, click the Performance view, and make sure Traffic History and Top Talker Statistics are checked.

Please also note that the Dashboard view is available only when Monitoring and Capturing. Forensic Captures by default have all Analysis Options unchecked.

Are there any tips to optimize performance?

In the Capture/Monitor Options, select Analysis Options. For peak performance, right click on one of the features and choose Disable All. This way, the Capture Engine will function at peak performance, but the features are still available when needed. When you need a particular feature, you can always enable it. As you enable/disable individual features, the Capture Performance bar at the bottom of the Analysis Options dialog will move to show you an estimate of the impact of each feature.

Here are a few more tips to improve the performance of the Capture Engine:

  • Turn off scroll during capture. Ctrl+K will start/stop scroll.
  • Disable passive name resolution. Under Tools/Options/Name Resolution, uncheck enable passive name resolution.
  • Disable Statistics Output and Graphing.

Will Capture Engine work with Windows Firewall enabled (Windows XP Professional and Windows 7)?

You must either disable the Windows Firewall or add the Capture Engine TCP port to the exceptions list in order to make a Capture Engine accessible.
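
The firewall exception described here and in the earlier connection question (TCP ports 6367 and 6369), written as a scoped inbound rule so the Windows Firewall can stay enabled. This is an added example, not part of the original tech tips: it assumes Windows 7 or later (`netsh advfirewall`), an elevated command prompt, and a placeholder Omnipeek host address (192.0.2.10) and rule name.

```batch
@echo off
rem Added example, not vendor-supplied. Run from an elevated command prompt.
rem OMNIPEEK_HOST is a placeholder (documentation address); replace it with
rem the address of the machine running Omnipeek.
set "OMNIPEEK_HOST=192.0.2.10"
set "RULE_NAME=Capture Engine from Omnipeek"

rem Remove an earlier copy of the rule so re-running does not create duplicates.
netsh advfirewall firewall delete rule name="%RULE_NAME%" >nul 2>&1

rem Allow inbound TCP 6367 and 6369 only from the Omnipeek host, and only on
rem the domain and private profiles; the firewall itself stays enabled.
netsh advfirewall firewall add rule name="%RULE_NAME%" dir=in action=allow ^
    protocol=TCP localport=6367,6369 remoteip=%OMNIPEEK_HOST% ^
    profile=domain,private

rem Show the rule now in place to confirm the ports and remote address.
netsh advfirewall firewall show rule name="%RULE_NAME%" verbose
```

Limiting `remoteip` to the Omnipeek machine keeps the engine ports closed to every other host on the segment.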

