Capture Engine for Omnipeek Tech Tips



How do you configure the new Protocol Translations in the Capture Engine?

  1. Go to the tab in Settings>Protocol Translations
  2. Click the Insert Button
  3. Choose TCP or UDP
  4. Enter the Port number
  5. Choose the Sub-Protocol by clicking “Choose” then click OK

How do I configure the new Compass “Group Nodes” option?

  1. Go to the Tools pull down menu and select Options
  2. Then select Analysis Modules and double-click the Compass Analysis
  3. You will see the “Group Nodes By” field under the Statistics Options
  4. Select one of the options: Nodes by Node & MAC, Node or MAC, then click OK

How do you configure the Packet File Indexing to increase performance for Forensic Searches?

  1. Go to Capture Options>Packet File Indexing
  2. Select the packet characteristics you are most likely to use in a forensic search software filter then click OK

I am not able to modify the decode column I added, why not?

Once you add a decode column to the Packet List Columns, you cannot modify it, only delete it. Right-click the decode you have added and uncheck it; the decode will be deleted and you may add a new one.


I want to use Compass for the Capture Engine but I do not see it in the Capture View pane, what is wrong?

The Compass program is enabled and disabled in the Analysis Options. Please go to Capture Options>Analysis Options and enable it there.


What if I don't want some of my users downloading files from the Capture Engine?

This feature is available when the ACL is being used. Go to the Access Control page of the Capture Engine Configuration Wizard. There is a new Policy called "Download Files". Highlight it and select the user you want to give permission to download files from the Capture Engine.


I have Omnipeek and I am trying to connect to my Capture Engine. I know my credentials are correct, but I cannot connect. Why?

You must either disable the Windows firewall, or add Capture Engine port 6367 and 6369 for TCP to the exceptions list, in order to make Capture Engine accessible from the Omnipeek machine.
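
The narrower of the two options above, as an added example that is not part of the original tech tip: inbound allow rules for TCP 6367 and 6369 restricted to the Omnipeek machine, with the firewall left on. The address 192.0.2.10, the rule name and the choice of firewall profiles are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the Capture Engine host.
# Assumptions (not from the page): Omnipeek machine address, rule name, profiles.
$OmnipeekHost = '192.0.2.10'      # placeholder: address of the Omnipeek machine
$EnginePorts  = 6367, 6369        # Capture Engine TCP ports named in the answer above
$RuleName     = 'Capture Engine (Omnipeek console only)'

# Remove any earlier copy of the rule so the script is safe to re-run.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow inbound TCP to the engine ports, but only from the Omnipeek machine.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $EnginePorts -RemoteAddress $OmnipeekHost `
    -Profile Domain, Private | Out-Null

# Confirm what was created: the ports and the permitted source address.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# The firewall itself should still report Enabled on every profile.
Get-NetFirewallProfile | Select-Object Name, Enabled
```

From the Omnipeek machine, `Test-NetConnection -ComputerName <engine address> -Port 6367` shows whether the engine is reachable through the rule.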


Why can't I access the Label option on the Capture Engine, I can in Omnipeek?

The Label packets option is only for local captures done in Omnipeek.


I configured the TCPDump adapter on my Capture Engine and it is not capturing all the packets visible to the interface, what is the problem?

"Capture all traffic on interface (Promiscuous Mode)" is not selected in the Save Adapter Dialog and only traffic destined for the interface will be captured.


How can I determine what nodes are using a particular application?

You can right-click on an application in the Applications view and the details will show all nodes associated with that application. Conversely, in the Nodes view, you can right-click on any node, and the details will display all applications associated with that node.


Why can't I see any VoIP stats on my Timeline graph after enabling it in the Capture Options?

You may not have any Open calls in the capture. Only open calls are graphed. Also, make sure you have the Call Quality selected in the View Type field.


How do I configure the VLAN-MPLS Node filter?

  1. Create an Advanced Filter with a VLAN-MPLS node.
  2. Enable the VLAN IDs checkbox and enter one or more VLAN IDs.
    Note: You can enter a single value or an ID range (for example, 200-210). Values and ranges may be separated by spaces, commas, and semicolons.
  3. Enable the MPLS Labels checkbox and enter one or more MPLS Labels.
    Note: You can enter a single value, or an MPLS label range (for example, 100-110). Values and ranges may be separated by spaces, commas, and semicolons.
  4. Create a new Capture and enable the VLAN-MPLS Filter.
  5. Start the capture

At this point, only traffic that meets the criteria of the filter will be accepted into the Capture's buffer.


I selected a large portion of my disk space for my capture to disk but it is stopping after the allotted disk space is used up, what is the problem?

If Continuous capture is disabled, the capture stops when this amount of disk space has been filled. Enable Continuous capture and it will recycle the files and keep capturing.


I am attempting to save my capture to disk files as pcap or pcapng and they are still saving as a *.pkt format. What is the problem?

The pcap or pcapng file format for capture to disk needs to have a period in front of the file extension, for example: C:\Users\Username\Documents\Capture 1-.pcap.


When using the Download Engine Packet Files to retrieve files from various engines and merge them, can I save it as a format other than *.wpz or *.pkt?

Yes, once you have merged the files into one, you can open it up in Omnipeek and then change the file to a number of different formats.


Using the Download Engine Packet Files feature, I select the engines I want to search and in the Capture Session dialog a couple come back with "No results were found". There is saved data on those engines, what is the problem?

This means that no data was found within the time frame specified for the search. Also, for data to be retrieved, Timeline Stats must have been enabled in the Capture Options before the capture started. You can verify this by looking in the Forensics tab.


How do I save the Support tab information?

There are buttons to save this as a text file and to copy it to the clipboard.

  1. The save icon saves all information. There is a menu item for save as well, File>Save Support Info. The default file save name is Capture Engine Support.txt.
  2. The copy button (as well as the Edit>Copy menu item) will copy only the selected text to the clipboard. If there is no selection, it will copy everything.

Note: There is a refresh button which will update the information (re-query and re-receive it from the engine). There is no auto-refresh, however each time you switch to this tab, the information there will be refreshed.


When I enter a new number in the Log max field and click Next in the Capture Engine Configuration Wizard, I receive a prompt that says "Enter an integer between 10000 and 100000000". I have entered a number within that range, what is wrong?

When you enter the numbers in the range, do not include commas.


How do you configure the new multiple authentication servers?

  1. Go to the Capture Engine Configuration Wizard or use the OEM configuration icon.
  2. Go to the Security menu
  3. Select Enable Third-party Authentication.
  4. Add any authentication servers on your network.

How do I add files to the Capture Engine?

  1. Go to the Files tab.
  2. Click on the Upload Packets icon.
  3. Select the files you want to add to the Capture Engine.
  4. Click Open.

How do I access the new CDR (Call Detail Records)?

In the Capture Options Statistics Output, enable "Save statistics report". Then, under "Report type", select the Call Detail Records option.


Will all Omnipeek Users Need Access to the Capture Engine Data Folder?

Yes, the data folder used by Capture Engine to store trace files must have write permissions for all users who want to use Omnipeek. The Capture Engine data folder is configured using the Capture Engine Manager (on the General tab of the Remote Engine Properties dialog).


Is Capture Engine Enterprise compatible with User Account Control (UAC) under Windows 7?

No, in order to run Capture Engine under Windows 7 you must disable UAC.


Is there a way to only capture the header of a packet?

Yes, here's how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (Green)
  3. Select Simple or Advanced for Filter Type.
  4. Select Protocol Filter.
  5. Select the Protocol and check Slice to Header.

Can a NIC connected to a SPAN/Mirror port also be used for network services?

No, you will need an additional adapter to use for network services or use a multi-port adapter like the Intel dual or quad port adapters. These cards could connect via one port and capture on the additional, available ports.


Why does the Dashboard view display Traffic History and Top Talkers by IP Address as not available?

Be sure the modules are enabled. Start a new Monitoring Capture or New Capture, click the Performance View, and make sure Traffic History and Top Talker Statistics are checked.

Please also note that the Dashboard view is available only when Monitoring and Capturing. Forensic Captures by default have all Analysis Options unchecked.
