OmniPeek Enterprise Tech Tips

 

Tips:

How come when I attempt to upgrade OmniPeek to 9.0 it fails because I have another copy of OmniPeek on my system? Shouldn't the installer remove the old copy automatically?

No. OmniPeek 9.0 uses the Microsoft installer (.msi), which does not remove the earlier version for you. Before you can install OmniPeek 9.0, go to the Control Panel and uninstall the existing OmniPeek there. After that is done, the OmniPeek 9.0 installation will proceed.

Back to the top

How can I determine what nodes are using a particular application?

Right-click an application in the Applications view and the details will show all nodes associated with that application. Conversely, in the Nodes view, right-click any node and the details will display all applications associated with that node.

Back to the top

How do I filter on an application in OmniPeek 9.0?

When a new filter is inserted, the most popular applications are available for filtering. The Filter GUI defaults to applications in the Application/Protocol dialog box. Simply check the box and select the application you would like to filter on.

Back to the top

How do I label packets in OmniPeek 9.0?

Select the packets you wish to label, right click on one of them, and you can Label selected packets in the color you wish. This makes it very easy to identify different groups of packets in a trace file.

Back to the top

I want to change the port on the Access Point Capture Adapter in the Capture Options dialog, but I don't see a way to do it there. How do I change the port?

Go to the Tools pull-down menu in OmniPeek and select Options. Under Analysis Modules, select the Access Point Capture Adapter, then click Options; the port can be changed there.

Back to the top

How come I am not seeing any data rates in the Compass view?

You are viewing a wired capture; data rates are shown only for wireless captures, so you need to load a wireless one. A wired capture has no per-packet data rate because a NIC's link speed is fixed (1G, 10G, etc.).

Back to the top

Why has Compass stopped generating/saving statistic information?

There must be at least 500MB of free disk space or Compass will stop generating/saving statistic information until enough disk space is freed.

Back to the top

How do I configure the VLAN-MPLS Node filter?

  1. Create an Advanced Filter with a VLAN-MPLS node.
  2. Enable the VLAN IDs checkbox and enter one or more VLAN IDs.
    Note: You can enter a single value or ID range, (for example, 200-210). Values and ranges may be separated by spaces, commas, and semicolons.
  3. Enable the MPLS Labels checkbox and enter one or more MPLS Labels.
    Note: You can enter a single value, or an MPLS label range (for example, 100-110). Values and ranges may be separated by spaces, commas, and semicolons.
  4. Create a new Capture and enable the VLAN-MPLS Filter.
  5. Start the capture.
Back to the top

I get a message on my Compass screen that says "Flash not installed". I am using Windows Server 2012. What is the problem?

Flash is typically not installed automatically on Windows Server 2012 so it must be added manually through the server manager.

Follow these steps:

  1. Open up the Control Panel
  2. Notice that the Flash Player is not listed as being installed
  3. Open up the Server Manager
  4. Select "Local Server" from the left pane
  5. Scroll down to "Roles and Features" in the right pane
  6. Select "Features" from the left pane
  7. Click the "Tasks" drop down next to "Roles and Features" and select "Add roles and features"
  8. Inside the tree-list box in the right pane, expand "User Interfaces and Infrastructure"
  9. You should see that "Desktop Experience" is not checked
  10. Check "Desktop Experience" to install Flash (and other things as well)
  11. Continue through the "Add roles and features" section and click "Install"
  12. After the reboot, open the control panel and you will see that Flash is now listed as being installed
  13. Flash will now be installed for Compass in OmniPeek
Back to the top

How do you configure Cisco and Aruba controllers and APs to capture 802.11ac packets?

The link below will give you tips on how to accomplish this task:

https://mypeek.wildpackets.com/plugin_tips.php

Back to the top

OmniPeek can read pcap and pcapng files with PPI (Per Packet Information) headers but why can't I see the headers in the decode view?

The PPI headers themselves are not visible from within OmniPeek. Rather, the headers will be parsed and the relevant information (channel, band, signal, etc.) is visible in OmniPeek just as it would be when loading any other file.

Back to the top

I am attempting to save my capture to disk files as pcap or pcapng and they are still saving as a *.pkt format. What is the problem?

For capture-to-disk files to be written as pcap or pcapng, the file extension must be preceded by a period, for example: "C:\Users\Username\Documents\Capture 1-.pcap".

Back to the top

When I merge packets files I can only save them as (*.pkt, *.wpz) formats. Once the file is saved can I change it to another format?

Yes, once the merged file is opened in OmniPeek, you can change the file to a number of different formats by going to the File->Save All Packets selection.

Back to the top

I want to view packets that are associated to a Log entry, how do I accomplish this task?

In the Log view, right-click a Log entry, choose "Select Related Packets", and copy the selected packets to a new window.

Back to the top

How come the "Create RPCap Interfaces" button is grayed out?

The button is available only if the WinPcap driver and libraries are installed on your computer. You can install the driver and libraries by going to www.WinPcap.org.

Back to the top

Why can’t I see the new Spatial Streams and MCS columns in the packets list view?

There can be a couple of reasons:

  1. The Spatial Streams and MCS columns do not appear by default. Right-click the column header bar and enable them.
  2. If you are using a WildPackets OmniWiFi adapter, the current Ralink 3.2.4.5 driver does not support MCS or Spatial Stream values. We are currently working closely with Ralink on a new driver that will support these features. However, WildPackets can display these values from a capture file that already contains the MCS or Spatial Stream values.
Back to the top

After I added multiple IP Addresses to my Address Filter, I get an error “Address Format Invalid”. What does this error mean?

The error means that the wrong address type was selected in the Address Filter configuration, or that one or more addresses were typed incorrectly. All addresses must be properly formatted for the type selected from the "Type" dropdown.

Back to the top

How do I create a new Multi-Segment Analysis (MSA) project for packet files in OmniPeek?

  1. From the File menu, choose "New Multi-Segment Analysis Project".
  2. Then select “Use packets files”.
  3. Insert the files and click Next.
  4. Then click Finish.
Back to the top

I have entered the correct key or passphrase but the encrypted packets are not being decrypted. Can you please tell me what's wrong?

OmniPeek *must* capture the complete EAPOL four-way key exchange between the client and the access point to decrypt that client's WPA/WPA2 traffic; the key or passphrase alone is not enough. Packets from a client whose handshake was not captured (for example, a client that was already associated when the capture started) remain encrypted, so have the client reassociate while the capture is running.

Back to the top

How do I create a filter to span multiple ports?

You can create an Advanced or Simple filter that matches several individual ports. Enter the port numbers separated by commas and/or semicolons.

Here is how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (Green).
  3. Select Simple or Advanced for Filter Type.
  4. Select Port Filter and add the port numbers. Use commas and semicolons to separate the port numbers.
Back to the top

How do I capture VLAN packets?

First, be sure the analyzer is placed where the tagged frames exist. This is generally a switch trunk (a link that connects switch to switch); access ports normally deliver untagged frames.

Second, verify that your switch is not stripping the VLAN tags; you may need to contact your switch manufacturer.

Lastly, the network interface card may strip 802.1Q tags at the adapter/driver level. By default, Intel adapters strip the VLAN tag before passing the frame up the stack, and some Broadcom adapters exhibit the same behavior. Possible fixes for Intel and Broadcom adapters are given below; for other adapters, contact your NIC manufacturer.
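As an added example (not OmniPeek code), the following Python expands a VLAN ID or MPLS label list written in the syntax the VLAN-MPLS node filter above accepts ("200-210, 300;400"), decodes the 802.1Q/802.1ad tags and the MPLS label stack from a raw Ethernet frame, and tests the frame against those lists. The frames are constructed in build_frame(); the untagged "stripped" frame stands in for what a NIC that removes 802.1Q tags hands to the analyzer, which is why such frames can never match a VLAN filter. Treating an enabled VLAN list and an enabled label list as both having to match is this example's assumption about the filter's semantics, not something the page states.

```python
"""Expand OmniPeek-style VLAN ID / MPLS label lists and test raw frames against them.

Added example, not OmniPeek code. The frames are constructed in build_frame(); the
header layouts are the IEEE 802.1Q/802.1ad tag (16-bit TPID, 16-bit TCI with the VID
in the low 12 bits) and the RFC 3032 MPLS label stack entry (20-bit label, 3-bit TC,
bottom-of-stack bit, 8-bit TTL).
"""
import struct
from typing import Dict, Iterable, List, Set

TPID_8021Q = 0x8100       # customer tag
TPID_8021AD = 0x88A8      # service (outer) tag in QinQ
ETH_MPLS_UNICAST = 0x8847
ETH_MPLS_MULTICAST = 0x8848
ETH_IPV4 = 0x0800


def parse_id_list(spec: str, lo: int, hi: int) -> Set[int]:
    """Expand "200-210, 300;400" into {200..210, 300, 400}, rejecting values outside [lo, hi].

    Same syntax as the filter dialog: single values or ranges, separated by
    spaces, commas and semicolons.
    """
    ids: Set[int] = set()
    for token in spec.replace(",", " ").replace(";", " ").split():
        first, dash, last = token.partition("-")
        start = int(first)
        end = int(last) if dash else start
        if start > end:
            raise ValueError(f"descending range {token!r}")
        if start < lo or end > hi:
            raise ValueError(f"{token!r} is outside {lo}-{hi}")
        ids.update(range(start, end + 1))
    return ids


def decode_frame(frame: bytes) -> Dict[str, List[int]]:
    """Return the VLAN IDs (outer to inner) and MPLS labels (top to bottom) in a frame.
    Truncated frames raise struct.error."""
    vlans: List[int] = []
    labels: List[int] = []
    off = 12  # skip destination and source MAC
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    while ethertype in (TPID_8021Q, TPID_8021AD):
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)  # PCP (3 bits) and DEI (1 bit) sit above the VID
        off += 4
    if ethertype in (ETH_MPLS_UNICAST, ETH_MPLS_MULTICAST):
        bottom = False
        while not bottom:
            (entry,) = struct.unpack_from("!I", frame, off)
            labels.append(entry >> 12)
            bottom = bool(entry & 0x100)  # S bit marks the last label stack entry
            off += 4
    return {"vlans": vlans, "labels": labels}


def matches(frame: bytes, vlan_ids: Set[int], mpls_labels: Set[int]) -> bool:
    """True if the frame carries a wanted VLAN ID and a wanted MPLS label.

    An empty set disables that criterion, like an unchecked box in the dialog.
    Requiring both enabled criteria to match is this example's assumption.
    """
    info = decode_frame(frame)
    vlan_ok = not vlan_ids or any(v in vlan_ids for v in info["vlans"])
    mpls_ok = not mpls_labels or any(l in mpls_labels for l in info["labels"])
    return vlan_ok and mpls_ok


def build_frame(vlan_tags: Iterable[int] = (), mpls_labels: Iterable[int] = ()) -> bytes:
    """Construct a minimal frame: optional 802.1Q/QinQ tags, optional MPLS stack, dummy payload."""
    tags, stack = list(vlan_tags), list(mpls_labels)
    out = bytes.fromhex("ffffffffffff" "001122334455")  # made-up dst and src MAC
    for i, vid in enumerate(tags):
        tpid = TPID_8021AD if len(tags) > 1 and i == 0 else TPID_8021Q
        out += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP=0, DEI=0
    if stack:
        out += struct.pack("!H", ETH_MPLS_UNICAST)
        for i, label in enumerate(stack):
            s_bit = 1 if i == len(stack) - 1 else 0
            out += struct.pack("!I", (label << 12) | (s_bit << 8) | 64)  # TC=0, TTL=64
    else:
        out += struct.pack("!H", ETH_IPV4)
    return out + b"\x00" * 20


if __name__ == "__main__":
    wanted_vlans = parse_id_list("200-210, 300;400", 1, 4094)
    wanted_labels = parse_id_list("100-110", 0, (1 << 20) - 1)
    samples = {"tagged": build_frame(vlan_tags=[205]),
               "stripped": build_frame(),  # what a NIC that removes 802.1Q tags hands up
               "qinq": build_frame(vlan_tags=[300, 42]),
               "mpls": build_frame(vlan_tags=[400], mpls_labels=[105, 16])}
    for name, frame in samples.items():
        print(name, decode_frame(frame), "vlan match:", matches(frame, wanted_vlans, set()),
              "vlan+mpls match:", matches(frame, wanted_vlans, wanted_labels))
```

Run the file directly to see each constructed frame decoded. The "stripped" frame reports no VLAN IDs at all, which is exactly the symptom in OmniPeek when the adapter driver removes the tag before the packet reaches the capture: the VLAN filter has nothing to match on, and no filter setting can bring the tag back.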

Unsupported Fix for Broadcom Adapters:

** Please backup your registry before making these modifications **

Please look for the following registry key and follow the steps listed below. This fix is not supported by WildPackets.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

  1. You need to find the right instance of the driver in the registry.
  2. Run Regedit.
  3. Search for "TxCoalescingTicks" and make sure it appears in only one adapter instance (if several instances have it, identify the one belonging to your capture adapter before changing anything).
  4. Right-click on the instance number (e.g. 0008) and add a new string value.
  5. Enter "PreserveVlanInfoInRxPacket" and give it value "1".

Unsupported Fix for Intel Adapters:

http://www.intel.com/support/network/sb/cs-005897.htm

Another solution is to purchase a tap. TAPs are passive and independent of the network. Please call (925) 937-3200 or write to sales@wildpackets.com to find out more about TAPs.

Back to the top

Where can I find a definition for the expert messages?

Right-click on any Expert event and choose EventFinder Settings. Click the Show Info button for a description of the event and possible causes and remedies.

Back to the top

Is there a way to only capture the header of a packet?

Yes, here's how:

  1. Click View/Filters to bring up the filters window.
  2. Click the Insert button (Green)
  3. Select Simple or Advanced for Filter Type.
  4. Select Protocol Filter.
  5. Select the Protocol and check Slice to Header.
Back to the top

Can I compare two different captures?

Yes, open the captures you would like to compare.

  1. Choose the Expert Flat view.
  2. Right-click on one of the flows and choose Visual Expert.
  3. Click the Compare tab.
  4. Click the drop-down arrow to select the captures.
Back to the top

How do I change port numbers for an existing protocol?

For example, maybe you want all traffic on port 80 and port 8000 to show up under HTTP in the Packet view, Protocol statistics, etc. In that case, you will need to modify the following file with a Text Editor:

C:\Program Files\WildPackets\OmniPeek\1033\pspecs.xml

Search for your protocol's PSpec Name (e.g. HTTP) and, when you find the protocol, modify the existing port number(s).

For more information on ProtoSpecs, please log into MyPeek and under the Resources section go to Developer Documentation and take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.wildpackets.com/

Back to the top

How do I add port numbers for an existing protocol?

The <CondSwitch> tag will define a port number. The example is using port number 1234. You can add additional ports by adding additional <CondSwitch></CondSwitch> tags. See example below.

<CondSwitch>1234</CondSwitch>
<CondSwitch>1235</CondSwitch>
<CondSwitch>1236</CondSwitch>

For more information on ProtoSpecs, please log into MyPeek and under the Resources section go to Developer Documentation and take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.wildpackets.com/

Back to the top

How do I add a custom protocol to OmniPeek?

  1. Exit OmniPeek.
  2. First, make a backup copy of the pspecs.xml file. OmniPeek will not load if the pspecs.xml file is missing or corrupted.
    Note: By default the pspecs.xml file is located in "C:\Program Files\WildPackets\OmniPeek\1033" for the English-localized version. For other languages, the final subdirectory ("1033") is the language code of OmniPeek's localized language.
  3. Open the pspecs.xml file in your favorite text or XML editor.
    Note: Please make sure you add the protocols in the right section (TCP/UDP) and that the higher port numbers go further down in the file.
  4. Create a new entry (see example below).
    <PSpec Name="MyProtocol">
    <PSpecID>1483</PSpecID>
    <LName>MyProtocol - Long Name</LName>
    <SName>MyProtocol - Short Name</SName>
    <Desc>This is my protocol.</Desc>
    <Color>color_2</Color>
    <CondSwitch>1234</CondSwitch>
    </PSpec>

Quick Notes:

The PSpecID is a numerical identifier for the protocol. It must be unique, that is, no two protocols are allowed to have the same PSpecID. You must choose a PSpecID that is not used anywhere else in the file.

The <CondSwitch> tag defines a port number. The example is using port number 1234. You can add additional ports by adding additional <CondSwitch></CondSwitch> tags. See example below.

<CondSwitch>1234</CondSwitch>
<CondSwitch>1235</CondSwitch>
<CondSwitch>1236</CondSwitch>

The PSpec Name will be displayed in the Protocol column of the Packets tab.

The LName will be displayed in the Protocol Info dialog box (accessed by right-clicking the protocol and choosing Protocol Info).

The SName will be displayed in the Protocol statistics.

The Desc will be displayed in the Protocol Info box (Desc is optional. You can delete it if you don't want to write a description for your protocol).

Color will be the color used for the protocol. Colors are defined at the beginning of the document. Color is optional. You can delete it and OmniPeek will choose a color for the protocol.

CondSwitch tells OmniPeek how to recognize the protocol. For now, all you have to do is edit the "SrcPort ==" and "DestPort ==" entries so that both contain the port number your protocol uses. These two entries should be the same.

For more information on ProtoSpecs, please log into MyPeek and under the Resources section go to Developer Documentation and take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.wildpackets.com/
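The following Python script, added here and not part of WildPackets' documentation or code, applies the rules from the three ProtoSpecs questions above: it adds CondSwitch ports to an existing PSpec (for example, putting port 8000 under HTTP), refuses a port that another PSpec already claims (which would make decodes ambiguous), creates a new PSpec with a PSpecID that is not used anywhere else in the file, places it so that higher port numbers sit further down, and backs the file up before writing. SAMPLE_PSPECS is a constructed fragment; its <PSpecs> root element is an assumption, since the page does not show the real file's surrounding structure, and a flat fragment cannot tell the TCP and UDP sections apart.

```python
"""Edit OmniPeek ProtoSpecs (pspecs.xml) with the checks the notes above call for.

Added example, not WildPackets code. SAMPLE_PSPECS is a constructed fragment:
the <PSpecs> root element is an assumption, and only tags shown on this page
(PSpec, PSpecID, LName, SName, Desc, Color, CondSwitch) are used.
"""
import shutil
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional, Set

SAMPLE_PSPECS = """<PSpecs>
  <PSpec Name="HTTP"><PSpecID>100</PSpecID><LName>Hypertext Transfer Protocol</LName>
    <SName>HTTP</SName><CondSwitch>80</CondSwitch></PSpec>
  <PSpec Name="IMAP"><PSpecID>101</PSpecID><LName>Internet Message Access Protocol</LName>
    <SName>IMAP</SName><CondSwitch>143</CondSwitch></PSpec>
</PSpecs>"""


def load_pspecs(text: str) -> ET.Element:
    return ET.fromstring(text)

def used_ids(root: ET.Element) -> Set[int]:
    """Every PSpecID in the file; a new protocol must not reuse any of them."""
    return {int(e.text) for e in root.iter("PSpecID")}

def ports_of(pspec: ET.Element) -> List[int]:
    return [int(c.text) for c in pspec.findall("CondSwitch")]

def find_pspec(root: ET.Element, name: str) -> Optional[ET.Element]:
    return next((p for p in root.iter("PSpec") if p.get("Name") == name), None)

def owner_of_port(root: ET.Element, port: int) -> Optional[str]:
    """Name of the PSpec already claiming `port` (the flat fragment cannot separate TCP from UDP)."""
    return next((p.get("Name") for p in root.iter("PSpec") if port in ports_of(p)), None)

def add_ports(root: ET.Element, name: str, ports: Iterable[int]) -> List[int]:
    """Make traffic on `ports` decode as `name` (e.g. HTTP on 80 and 8000); returns all its ports."""
    pspec = find_pspec(root, name)
    if pspec is None:
        raise KeyError(name)
    for port in ports:
        if not 0 < port < 65536:
            raise ValueError(f"bad port {port}")
        owner = owner_of_port(root, port)
        if owner == name:
            continue  # already there
        if owner is not None:
            raise ValueError(f"port {port} is already assigned to {owner}")
        ET.SubElement(pspec, "CondSwitch").text = str(port)
    return ports_of(pspec)

def add_protocol(root, name, lname, sname, ports, desc=None, color=None) -> int:
    """Insert a new PSpec with a PSpecID unused anywhere else; returns that ID."""
    ports = sorted(set(ports))
    if not ports:
        raise ValueError("at least one port is required")
    if find_pspec(root, name) is not None:
        raise ValueError(f"PSpec {name!r} already exists")
    for port in ports:
        owner = owner_of_port(root, port)
        if owner is not None:
            raise ValueError(f"port {port} is already assigned to {owner}")
    pspec_id = max(used_ids(root), default=0) + 1
    new = ET.Element("PSpec", Name=name)
    ET.SubElement(new, "PSpecID").text = str(pspec_id)
    ET.SubElement(new, "LName").text = lname
    ET.SubElement(new, "SName").text = sname
    if desc:
        ET.SubElement(new, "Desc").text = desc
    if color:
        ET.SubElement(new, "Color").text = color
    for port in ports:
        ET.SubElement(new, "CondSwitch").text = str(port)
    # "Higher port numbers go further down": insert before the first sibling whose
    # lowest port is above ours (this reading of the note is an assumption).
    index = len(root)
    for i, sibling in enumerate(root):
        sibling_ports = ports_of(sibling)
        if sibling_ports and min(sibling_ports) > ports[0]:
            index = i
            break
    root.insert(index, new)
    return pspec_id

def save_with_backup(root: ET.Element, path: str) -> str:
    """Copy the original to path + '.bak' first: OmniPeek will not load a missing or corrupt pspecs.xml."""
    backup = path + ".bak"
    shutil.copy2(path, backup)
    ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)
    return backup


if __name__ == "__main__":
    root = load_pspecs(SAMPLE_PSPECS)
    add_ports(root, "HTTP", [8000])
    add_protocol(root, "MyProtocol", "MyProtocol - Long Name", "MyProtocol - Short Name",
                 [1234, 1235, 1236], desc="This is my protocol.", color="color_2")
    print(ET.tostring(root, encoding="unicode"))
```

Point save_with_backup() at the real pspecs.xml path only after checking the printed result, and only with OmniPeek closed, as step 1 above requires. If the real file has separate TCP and UDP sections, run the port-conflict check per section rather than over the whole file.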

Back to the top

How can OmniPeek Enterprise help me baseline my network?

The summary statistics feature allows you to monitor key network statistics in real time and save these statistics for later comparison. Use this feature to baseline normal network activity, save the data, then compare saved statistics with those observed during periods of erratic network behavior to help pinpoint the cause of the problem.

Summary statistics are also extremely valuable in comparing the performance of two different network segments. For example, a field support engineer could compare the real-time statistics on a client network with a saved healthy router snapshot and easily diagnose or eliminate the source of inconsistent or poor router performance.

To baseline with summary statistics:

Choose Monitor > Summary. The Summary Statistics window appears.

Back to the top

How do I use port numbers instead of port names?

Right-click the column header and select the fields you would like to see. Then right-click again, choose Packet List Options > Format tab, and deselect "Show port names". You should now see port numbers instead of names.

Also good to know: the source and destination port numbers are always displayed in the 'Summary' column (Src=###,Dst=###) in addition to other packet information.

Back to the top