Omnipeek Professional Tech Tips

 

Tips:

How do you configure the new Protocol Translations in Omnipeek?

  1. Go to Tools>Options>Protocol Translations
  2. Select Insert
  3. Choose TCP or UDP
  4. Enter the Port number
  5. Choose the Sub-Protocol by clicking “Choose” then click OK
Why can’t I see the Top Application Categories or the Applications under Statistics?

Go to the Capture Options>Analysis Options and enable the Application Statistics option.

How do I configure the new Compass "Group Nodes" option?

Go to the Capture Options>Analysis Options and double-click on Compass. Then you will see the “Group Nodes By” field under the Statistics Options.

Why can't I see the Files view on the Navigation Pane?

Most likely the "Files View" option in Analysis Options is disabled. Go to Capture Options>Analysis Options and, in the Analysis Options dialog, enable the "Files View" option.

I am not able to modify the decode column I added, why not?

Once you add a decode column to the Packet List Columns, you cannot modify it, only delete it. Right-click on the decode you have added and uncheck it; the decode will be deleted and you can add a new one.

How come my Overview Graph is not visible on a running capture?

The Overview Graph is only visible on an opened capture file.

All Expert views (Clients/Servers, Flows, Applications) have "3-Way Handshake" enabled in the columns, but they are all blank. Why is this happening?

This column is blank for non-TCP flows, or any flows which did not have a 3-way handshake.

How do I import Security Events into the Events view of an Omnipeek capture file?

From the Events view, right-click in the Events list, and choose "Import Events". This invokes an Open File dialog allowing you to choose the file from which to import events.

Note: This function requires that Snort and/or Suricata is running on the Omnipeek machine and has captured the same traffic at the same time as Omnipeek.

I imported the IDS events and the timestamps are off. Why is this happening?

Depending on how the packets were captured and events generated, it may be very difficult to correlate events back to packets. For example, if the IDS machine was different from the capture machine (and it almost certainly was), then the timestamps won't exactly match.

I don't see the Countries capture window under the Statistics title in the navigation pane. How do I enable it?

Go to the Capture Options>Analysis Options and put a check mark in the box next to the Country Statistics.

I can only see the Country column in the Packets view. How do I get the rest of the geographical columns on the screen?

Right click on the Packets view title bar and you can enable any or all of the geographical columns: Source Country, Source Latitude, Source Longitude, Dest. Country, Dest. Latitude, Dest. Longitude.

How can I determine what nodes are using a particular application?

You can right-click on an application in the Applications view and the details will show all nodes associated with that application. Conversely, in the Nodes view, you can right-click on any node and the details will display all applications associated with that node.

How do I filter on an application in Omnipeek?

When a filter is inserted, the most popular applications are available for filtering. The Filter GUI defaults to applications in the Application/Protocol dialog box. Simply check the box and select the application you would like to filter on.

How do I label packets in Omnipeek?

Select the packets you wish to label, right-click on one of them, and you can label the selected packets in the color you wish. This makes it very easy to identify different groups of packets in a trace file.

I want to change the port on the Access Point Capture Adapter in the Capture Options dialog, but I don't see a way to do this. How do I change the port?

Go to the Tools pull-down menu in Omnipeek and select Options. Then, under Analysis Modules, select the Access Point Capture Adapter Options. You can change the port there by selecting Options.

Why has Compass stopped generating/saving statistic information?

There must be at least 500MB of free disk space or Compass will stop generating/saving statistic information until enough disk space is freed.

I get a message on my Compass screen that says "Flash not installed". I am using Windows Server 2012; what is the problem?

Flash is typically not installed automatically on Windows Server 2012 so it must be added manually through the server manager.

Follow these steps:

  1. Open up the Control Panel
  2. Notice that the Flash Player is not listed as being installed
  3. Open up the Server Manager
  4. Select "Local Server" from the left pane
  5. Scroll down to "Roles and Features" in the right pane
  6. Select "Features" from the left pane
  7. Click the "Tasks" drop down next to "Roles and Features" and select "Add roles and features"
  8. Inside the tree-list box in the right pane, expand "User Interfaces and Infrastructure"
  9. You should see that "Desktop Experience" is not checked
  10. Check "Desktop Experience" to install Flash (and other things as well)
  11. Continue through the "Add roles and features" section and click "Install"
  12. After the reboot, open the control panel and you will see that Flash is now listed as being installed
  13. Flash will now be installed for Compass in Omnipeek
How do you configure Cisco and Aruba controllers and APs to capture 802.11ac packets?

The link below will give you tips on how to accomplish this task:

https://mypeek.savvius.com/plugin_tips.php

Omnipeek can read pcap and pcapng files with PPI (Per Packet Information) headers but why can't I see the headers in the decode view?

The PPI headers themselves are not visible from within Omnipeek. Rather, the headers will be parsed and the relevant information (channel, band, signal, etc.) is visible in Omnipeek just as it would be when loading any other file.

I am attempting to save my capture to disk files as pcap or pcapng and they are still saving as a *.pkt format. What is the problem?

The pcap or pcapng file format for capture to disk needs to have a period in front of the file extension, for example: "C:\Users\Username\Documents\Capture 1-.pcap".

When I merge packet files I can only save them in the *.pkt or *.wpz format. Once the file is saved, can I change it to another format?

Yes, once the merged file is opened in Omnipeek, you can change the file to a number of different formats by going to the File->Save All Packets selection.

How come the "Create RPCap Interfaces" button is grayed out?

The button is available only if the WinPcap driver and libraries are installed on your computer. You can install the driver and libraries by going to www.WinPcap.org.

I have entered the correct key or passphrase but the encrypted packets are not being decrypted. Can you please tell me what's wrong?

Omnipeek *must* capture the complete (EAPOL) key exchange to successfully decrypt WPA/WPA2 encrypted traffic.

How do I create a filter to span multiple ports?

You can create an Advanced or Simple filter to span individual ports. Ports can be entered and separated by commas and/or semicolons.

Here is how:

  1. Click View/Filters to bring up the filters window
  2. Click the Insert button (Green)
  3. Select Simple or Advanced for Filter Type
  4. Select Port Filter and add the port numbers. Use commas and semicolons to separate the port numbers.
How do I capture VLAN packets?

First, be sure the analyzer is placed where the tagged frames exist; this is generally a switch trunk (a link that connects switch-to-switch).

Second, verify that your switch is not stripping the VLAN tags; you may need to contact your switch manufacturer.

Lastly, the network interface card may strip 802.1q tags at the adapter/driver level. By default, Intel adapters strip the VLAN tag before passing it up the stack. Some Broadcom adapters also exhibit this behavior. Possible fixes for Intel and Broadcom adapters can be found below, for other adapters please contact your NIC manufacturer.

Unsupported Fix for Broadcom Adapters:

** Please backup your registry before making these modifications **

Please look for the following registry key and follow the steps listed below. This fix is not supported by Savvius.

HKEY_LOCAL_MACHINE-->SYSTEM-->CurrentControlSet

  1. You need to find the right instance of the driver in the registry.
  2. Run Regedit.
  3. Search for "TxCoalescingTicks" and ensure this is the only instance that you have.
  4. Right-click on the instance number (e.g. 0008) and add a new string value.
  5. Enter "PreserveVlanInfoInRxPacket" and give it the value "1".
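The same registry change, automated in PowerShell as an added example (not from the Savvius page): it walks HKLM\SYSTEM\CurrentControlSet for the single driver instance that carries TxCoalescingTicks, refuses to act if it finds anything other than exactly one, and only adds the value when run with the assumed -Apply switch (the dry-run default and the switch name are my choices, not Savvius's).

```powershell
# Added example, not part of the Omnipeek tips page. Run from an elevated prompt
# after backing up the registry; the fix itself is unsupported by Savvius.
param([switch]$Apply)

$root = 'HKLM:\SYSTEM\CurrentControlSet'

# Find every key under CurrentControlSet that has a TxCoalescingTicks value,
# i.e. the Broadcom driver instance the tips page tells you to search for.
$instances = @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValueNames() -contains 'TxCoalescingTicks' })

# The page requires exactly one instance; bail out on zero or several so the
# value is never written to the wrong key.
if ($instances.Count -ne 1) {
    Write-Warning "Expected exactly one driver instance with TxCoalescingTicks, found $($instances.Count). Nothing changed."
    $instances | ForEach-Object { Write-Output $_.Name }
    return
}

$key = $instances[0]
Write-Output "Driver instance: $($key.Name)"

if ($Apply) {
    # REG_SZ value "1", exactly as the manual steps describe.
    New-ItemProperty -Path $key.PSPath -Name 'PreserveVlanInfoInRxPacket' `
        -PropertyType String -Value '1' -Force | Out-Null
    Write-Output 'PreserveVlanInfoInRxPacket = "1" written. Disable and re-enable the adapter (or reboot) so the driver reads it.'
} else {
    Write-Output 'Dry run only. Re-run with -Apply to write PreserveVlanInfoInRxPacket = "1".'
}
```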

Unsupported Fix for Intel Adapters:

http://www.intel.com/support/network/sb/cs-005897.htm

Another solution is to purchase a tap. TAPs are passive and independent of the network. Please call (925) 937-3200 or write to sales@savvius.com to find out more about TAPs.

Where can I find a definition for the expert messages?

Right-click on any Expert event and choose EventFinder Settings. Click the Show Info button for a description of the event and possible causes and remedies.

Is there a way to only capture the header of a packet?

Yes, here's how:

  1. Click View/Filters to bring up the filters window
  2. Click the Insert button (Green)
  3. Select Simple or Advanced for Filter Type
  4. Select Protocol Filter
  5. Select the Protocol and check Slice to Header
Can I compare two different captures?

Yes, open the captures you would like to compare.

  1. Choose the Expert Flat view
  2. Right-click on one of the flows and choose Visual Expert
  3. Click the Compare tab
  4. Click the drop-down arrow to select the captures
How do I change port numbers for an existing protocol?

For example, maybe you want all traffic on port 80 and port 8000 to show up under HTTP in the Packet view, Protocol statistics, etc. In that case, you will need to modify the following file with a Text Editor:

C:\Program Files\WildPackets\Omnipeek\1033\pspecs.xml

You can search for your protocol's PSpec Name (e.g. HTTP) and, when you find the protocol, modify the existing port number(s).

For more information on ProtoSpecs, please log into MyPeek and under the Resources section go to Developer Documentation and take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.savvius.com/

How do I add port numbers for an existing protocol?

The tag will define a port number. The example is using port number 1234. You can add additional ports by adding additional tags. See example below.

1234
1235
1236

For more information on ProtoSpecs, please log into MyPeek and under the Resources section go to Developer Documentation and take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.savvius.com/

How do I add a custom protocol to Omnipeek?

  1. Exit Omnipeek.
  2. First, make a backup copy of the pspecs.xml file. Omnipeek will not load if the pspecs.xml file is missing or corrupted.
    Note: By default the pspecs.xml file is located in "C:\Program Files\WildPackets\Omnipeek\1033" for the English-localized version. For other languages, the final subdirectory ("1033") will be the language code of Omnipeek's localized language.
  3. Open the pspecs.xml file in your favorite text or XML editor.
    Note: Please make sure you add the protocols in the right section (TCP/UDP) and that the higher port numbers go further down in the file.
  4. Create a new entry (see example below).

    1483
    MyProtocol - Long Name
    MyProtocol - Short Name
    This is my protocol.
    color_2
    1234

Quick Notes:

The PSpecID is a numerical identifier for the protocol. It must be unique; that is, no two protocols are allowed to have the same PSpecID. You must choose a PSpecID that is not used anywhere else in the file.

The tag will define a port number. The example is using port number 1234. You can add additional ports by adding additional tags. See example below.

1234
1235
1236

The PSpec Name will be displayed in the Protocol column of the Packets tab.

The LName will be displayed in the Protocol Info dialog box (accessed by right-clicking the protocol and choosing Protocol Info).

The SName will be displayed in the Protocol statistics.

The Desc will be displayed in the Protocol Info box (Desc is optional. You can delete it if you don't want to write a description for your protocol).

Color will be the color used for the protocol. Colors are defined at the beginning of the document. Color is optional. You can delete it and Omnipeek will choose a color for the protocol.

CondSwitch tells Omnipeek how to recognize the protocol. For now, all you have to do is edit the "SrcPort ==" and "DestPort ==" entries to contain the port number that your protocol uses. These two entries should be the same.

For more information on ProtoSpecs, please log into MyPeek and under the Resources section go to Developer Documentation and take a look at the ProtoSpecs XML Writing Guidelines.

http://mypeek.savvius.com/

How can Omnipeek help me baseline my network?

The summary statistics feature allows you to monitor key network statistics in real time and save these statistics for later comparison. Use this feature to baseline normal network activity, save the data, then compare saved statistics with those observed during periods of erratic network behavior to help pinpoint the cause of the problem.

Summary statistics are also extremely valuable in comparing the performance of two different network segments. For example, a field support engineer could compare the real-time statistics on a client network with a saved healthy router snapshot and easily diagnose or eliminate the source of inconsistent or poor router performance.

To baseline with summary statistics:

Choose Monitor > Summary. The Summary Statistics window appears.

How do I use port numbers instead of port names?

Right-click the column header and select the fields you would like to see. Then right-click again, choose Packet List Options > Format tab, and deselect "Show port names". You should now see port numbers instead of names.

Also good to know: the source and destination port numbers are always displayed in the 'Summary' field (Src=###,Dst=##) in addition to other packet information.
