Operator Meaning, Format | Cisco Systems NAM, 5 manual

Chapter 4 Capturing and Decoding Packet Data

Viewing Packet Decode Information

Table 4-11	Custom Decode Filter Dialog Box (continued)

Field		Description	Usage Notes

Data Pattern		The data to be matched with the packet.	Enter hh hh hh ..., where hh are hexadecimal numbers from
			0-9 or a-f.
			Leave blank if not applicable.

Filter Expression		An advanced feature to set up complex filter	See Tips for Creating Custom Decode Filter Expressions,
		conditions.	page 4-25.
		The simplest filter allows you to check for the
		existence of a protocol or field. For example,
		to see all packets that contain the IPX
		protocol, you can use the simple filter
		expression ipx.

Step 4 Do one of the following:

•To create the filter, click Submit.

•To cancel filter creation, click Cancel.

Tips for Creating Custom Decode Filter Expressions

You can construct custom decode filter expressions using the following logical and comparison operators listed in Table 4-12.

		Table 4-12		Logical and Comparison Operators

		Operator			Meaning

		and			Logical AND

		or			Logical OR

		xor			Logical XOR

		not			Logical NOT

		==			Equal

		!=			Not equal

		>			Greater than

		You can also group subexpressions within parentheses. You can use the following fields in filter
		expressions:

	Field		Filter By			Format

	eth.addr		MAC address			hh:hh:hh:hh:hh:hh, where h is a hexadecimal number from 0 to 9 or a
	eth.src					to f.
	eth.dst

	ip.addr		IP address			n.n.n.n or n.n.n.n/s , where n is a number from 0 to 255 and s is a
	ip.src					0-32 hostname that does not contain a hyphen.
	ip.dst

					User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0


	OL-22617-01								4-25
	OL-22617-01								4-25

Image 185

Cisco Systems NAM, 5 manual Tips for Creating Custom Decode Filter Expressions, Operator Meaning, Format

Contents

Text Part Number OL-22617-01 Americas HeadquartersPage N T E N T S Span Network Sites URL Nbar System Administration Resources Audit Trail Understanding Traffic Patterns at the Network Layer Chapter Overview About This Guide Conventions AudienceConvention Boldface font Obtaining Documentation and Submitting a Service Request Xiv A P T E R Introducing NAM Traffic Analyzer Logical Site Dashboards Standards-Based NBI New Application Classification Architecture Historical Analysis NetFlow v9 Data Export Overview of the NAM Platforms Snmp v3 Support -- NAM to Router/Switch SupportWS-SVC-NAM-1-250S WS-SVC-NAM-2-250S Cisco Branch Routers Navigating the User Interface LoggingCommon Navigation and Control Elements Menu Bar Detailed Views Quick Capture Context Menus Interactive Report Chart View / Grid View Mouse-Over for Details Zoom/Pan Charts Statistics Sort GridBytes / Packets Context-Sensitive Online Help Understanding How the NAM Works Ports VLANs Configuration/guide/span.htmlConfiguration/guide/nde.html Understanding How the NAM Uses VACLs Understanding How the NAM Uses SpanModule Cisco IOS Software Guide/span.html Guide/vacl.html Understanding How the NAM Uses NDE Understanding How the NAM Uses Waas Action Description GUI Location User Guide Location Configuration Overview Setup Data Export Administration SystemSetup Network Sites Setup Alarms Actions Administration Users Configuring and Viewing DataCapture Packet Capture/Decode Cisco Waas NAM Virtual Service Blade Traffic Analysis Default Functions Analyze Media Voice Call Statistics Voice Signaling/RTP Stream MonitoringApplication Response Time Metrics Traffic Usage Statistics TrafficAbout Span Sessions SPAN, Data Sources, Hardware Deduplication, Method Usage Notes Switch CLINAM Traffic Analyzer the NAM GUI Supervisor portCopyTable Snmp Column Description State Description Creating a Span Session Field Description Dialog Box Choose Setup Traffic Span SessionsEditing a Span Session SPAN, ERSPAN, VACL, NetFlow, WAAS, Data SourcesDeleting a Span Session Or Disabled Router or switch or WAE deviceFields are explained in -7, NAM Data Sources Data Port if it is a local physical port, or the IP address Click Setup Traffic NAM Data Sources Enabling Auto-Creation of Erspan Data Sources Using the CLI Creating Erspan Data Sources Using the Web GUI Disabling Auto-Creation of Erspan Data Sources Using the CLI Creating Erspan Data Sources Using the CLI Enter the name you would like for the data source required Deleting Erspan Data Sources Using the Web GUIEnter the device ID from Step Click the Delete button along the bottom of the window Deleting Erspan Data Sources Using the CLIUse the no data-sourcecommand to delete the data source Use the no device command to delete the device Configuring Erspan on DevicesSample Configuration of Erspan Source Sample Configuration of Erspan Destination Sample Configuration Configuring Vacl on a WAN Interface NetFlow Configuring Vacl on a LAN Vlan Understanding NetFlow Flow Records Understanding NetFlow Interfaces Output Interface Are Flows Reported? Configuring NetFlow on DevicesManaging NetFlow Data Sources For Devices Running Cisco IOS For NAMs Located in a Device Slot Creating NetFlow Data Sources Using the Web GUI Enabling Auto-Creation of NetFlow Data Sources Using the CLI Snmp Credentials Creating NetFlow Data Sources Using the CLI Security Level Deleting NetFlow Data Sources Using the CLI Deleting NetFlow Data Sources Using the Web GUI Testing NetFlow Devices Snmp read test result. For the local device only Understanding WaasContact information for the device Configure a Client data source Setting DescriptionPoint, configure a Client WAN data source Configure a Server WAN data source Monitoring WAN Data Sources Monitoring Client Data SourcesMonitoring Server Data Sources Server data source Deployment Scenario Managing Waas DevicesDeployment Scenarios Adding Data Sources for New Waas Device Choose Setup Traffic NAM Data Sources Deleting a Waas Data Source Editing Waas Data Sources Auto Create of New Waas Devices Choose Setup Traffic Hardware DeduplicationHardware Deduplication Alarm Actions, Thresholds, User Scenario, AlarmsAlarm Actions Alarm Action Configuration Choose Setup Alarms Actions Editing Alarm ActionsDeleting Alarm Actions Name of the threshold ThresholdsApplication associated with this threshold Site associated with this threshold Alarm Summary dashboard Monitor Overview Alarm Summary Setting Host ThresholdsChoose Setup Alarms Thresholds Field Setting Conversation Thresholds Dashboard Monitor Overview Alarm Summary , where you Setting Application Thresholds Setting Response Time Thresholds Give the Dscp Alarm Threshold a name Setting Dscp ThresholdsDashboard Monitor Overview Alarm Summary, where you Chose a Dscp value from the list Give the RTP Streams Alarm Threshold a name Setting RTP Stream ThresholdsHigh, Low, or High and Low alarms Alarm actions Setting Voice Signaling Thresholds Dashboard Monitor Overview Alarm Summary , where you can Setting NDE Interface ThresholdsGive the NDE Interface Alarm Threshold a name Choose a data source from the list Deleting a NAM Threshold Editing an Alarm Threshold User Scenario Data ExportNetFlow NetFlow, Scheduled Exports, Custom Export, NetFlow Exports screen appears shown in Figure Viewing Configured NetFlow ExportsChoose Setup Data Export NetFlow Description of the NetFlow Export Configuring NetFlow Data ExportPort number of the device to be exported to Valid characters 1-9. Length Min 1, Max Application Record types supported by NAM for NetFlow areHost ART Client Server Application Click Scheduled ExportsEditing NetFlow Data Export Deleting a Scheduled Export Choose Setup Data Export Scheduled ExportsEditing a Scheduled Export Device Information Managed DeviceCustom Export Total time the switch has been running Choose Setup Managed Device Device InformationName of the network administrator for the router Name of the Snmp read-write community string configured on Nbar Protocol Discovery Sites NetworkField / Operation Description Sites, NDE Interface Capacity, Dscp Groups, Definition Rules Specifying a Site Using SubnetsSpecifying a Site Using WAE devices Waas Data Sources Resolving Ambiguity Overlapping Site Definitions Specifying a Site Using Multiple RulesViewing Defined Sites Defining a Site Shows if the site is Enabled or DisabledName of the site Description of what the site includes Unique text string for naming a site See -7for an exampleOptional text string for describing site Subnet Detection Enter an IPv4 or IPv6 address Editing a SiteSubnet Detection Creating an NDE Interface NDE Interface CapacityDscp Groups Creating a Dscp Group Choose Setup Network Dscp GroupsField Description Usage Notes Through Dscp AF/EF/CS Format Bit Field Format Deleting a Dscp Group ClassificationEditing a Dscp Group 8shows an example of what the screen may look like Applications Creating a New Application Choose Setup Classification Applications Repeat through as many times as desired Editing an ApplicationThat list, highlight it and click the left arrow Application Groups Choose Setup Classification Application GroupsDeleting a Protocol Creating an Application Group Editing an Application Group URL-based ApplicationsDeleting an Application Group To edit an application group Example Choose Setup Classification URL-based Applications Deleting a URL-based Application Editing a URL-Based Application Monitoring Choose Setup Classification EncapsulationsEncapsulations Aggregation Intervals, Response Time, Voice, RTP Filter, URL, Waas Monitored Servers, Choose Setup Monitoring Aggregation IntervalsAggregation Intervals Response Time Choose Setup Monitoring Response TimeShort-Term Long-Term Normal Minimum Monitor Setup Window Choose Setup Monitoring VoiceVoice Field Appliance RTP Filter Choose Setup Monitoring RTP Filter10,000 500 1,750 000 1,000 250 Enabling a URL Collection Changing a URL Collection Disabling a URL Collection Choose Setup Monitoring URLEnabling a URL Collection Element Description Usage Notes Changing a URL CollectionTo change a URL collection URL page -10displays Waas Monitored Servers Choose Setup Monitoring URL CollectionDisabling a URL Collection Adding a Waas Monitored Server To delete a Waas monitored server data source Choose Setup Monitoring Waas ServersDeleting a Waas Monitored Server Analyze Navigation,Monitor Interactive Report Navigation Saving Filter Information Saving Filter Parameters Traffic Summary Response Time Summary Site Summary Alarm Summary Top N Hosts by Site and Alarm Count Top N Sites by Alarm CountTop N Applications by Alarm Count Top N Applications by Site and Alarm Count Analyzing Traffic Hosts Detail Application Applications Detail Host Application group set of applications that can be NDE Interface Traffic AnalysisMonitored as a whole Traffic rate number of bytes per second Dscp value Viewing Interface DetailsDscp Detail Applicable site or Unassigned if no site Application Groups Detail Viewing Collected URLs URL HitsFiltering a URL Collection List Viewing Collected URLs Filtering a URL Collection List Top Application Traffic Host ConversationsNetwork Conversation Top Application Traffic Top Talkers Detail WAN OptimizationApplication Traffic By Host Conversation Multi-Segments Application Performance Analysis NAM Application Response Time Measurements Response Time Metric Description 7lists and describes the ART metrics measured by NAM Metric Description Network Application Response TimeNetwork Response Time Client Response Time Server Response TimeClient-Server Response Time Server Application Responses Detailed Views Server Application Transactions Server Application Transactions Server Network Responses Client-Server Application Responses Client-Server Application Transactions Packet as observed at NAM probing point Client-Server Network ResponsesServer-response packet, excluding retransmission time Interface, Health, NBAR, InterfaceInterfaces Stats Table Interface Statistics Over Time Switch HealthHealth Chassis Information Chassis HealthCPU usage Backplane Utilization Crossbar Switching Fabric Ternary Content Addressable Memory Information Router Health Router Health Router Information Current state of the power supply being instrumented Information on how to contact this personMedia Time in hundredths of a second since the network management Purpose RTP StreamsRTP Stream Information RTP Stream Stats Summary RTP Stream Stats Details Voice Call StatisticsMonitoring RTP Streams Calls Table Calling number as it appears in the signaling protocolCalled number as it appears in the signaling protocol Inspecting call signaling protocol From inspecting the call signaling protocolTime when the call was detected to start Time when the call was detected to end Field Purpose RTP Conversation Header Synchronization source number as it appear in the RTPNAM calculated score that takes into account Duration of the stream OL-22617-01 Quick Capture Capturing and Decoding Packet Data Sessions Name of the capture session Viewing Capture SessionsMany times as necessary Size of the session Choose Capture Packet/Capture Decode Sessions Configuring Capture SessionsOperation Description Name of the capture Enter a capture name Configure Capture Session Window Maximum Session NAM Platform Size Administration System Capture Data StorageMaximum Capture Session Sizes for NAM Platforms Maximum Session Software FiltersNAM Platform Size 300 MB Software Filter Dialog -4 displays Creating a Software FilterChoose Capture Packet Capture/Decode Sessions Default if blank is IPv4 address in dotted-quad format n.n.n.n, where n is 0 toFor MAC address, enter hh hh hh hh hh hh, where hh is a Hexadecimal number from 0 to 9 or a to f. The default is Choose GTP.IPv6 for IPV6 address for tunneled packet over To edit software capture filters Editing a Software Capture Filter To cancel the changes, click Cancel Configuring a Hardware FilterHardware Assisted Filters Vlan and IP IP and TCP/UDP IP and Payload Data List is also shown in Figure Vlan and IP IP and Payload Data IP and TCP/UDP Payload Data Files Delete files Display the packets in a file Analyzing Capture Files Error ScanDisplays a graphic image of network traffic KB/second Displays packets and bytes transferred for each protocol Choose Capture Packet Capture/Decode Files Downloading Capture Files Deleting Multiple Files Deleting a Capture File Stop packet loading Viewing Packet Decode InformationLoad and decode the previous block of packets from the NAM Load and decode the next block of packets from the NAM Browsing Packets in the Packet Decoder Choose a Filter ModeFiltering Packets Displayed in the Packet Decoder Choose an Address Filter Define a Protocol Filter Viewing Detailed Protocol Decode Information Custom Display Filters Using Alarm-Triggered CapturesCreating Custom Display Filters To create custom display filters Custom Decode Filter Dialog Box See Tips for Creating Custom Decode Filter Expressions Tips for Creating Custom Decode Filter ExpressionsOperator Meaning Format Field Filter By Format Editing Custom Display FiltersExamples of Custom Decode Filter Expressions Choose Capture Packet Capture/Decode Display Filters To delete custom display filters Deleting Custom Display Filters OL-22617-01 System Administration User and System Administration Network Parameters Choose Administration System Network ParametersResources Snmp Agent Working with NAM Community Strings Choose Administration System Snmp AgentCreating NAM Community Strings Snmp Agent Dialog Box displays System Time Testing the Router Community StringsDeleting NAM Community Strings To delete the NAM community strings Choose Administration System System Time Synchronizing the NAM System Time with the Switch or RouterSynchronizing the NAM System Time Locally Clock set hhmmss mm/dd/yyyy Choose Administration System E-Mail Setting Mail SettingConfiguring the NAM System Time with an NTP Server Choose Administration System Web Data Publication To enable Web Data PublishingWeb Data Publication Capture Data Storage Creating NFS Storage Locations Configuring the NFS ServerConfiguring the NFS Storage Location on the NAM Editing NFS Storage Locations Creating iSCSI Storage Locations ISCSI target name configured on the remote iSCSI serverEditing iSCSI Storage Locations Name of the remote storage entry Snmp Trap Setting Syslog SettingChoose Administration System Syslog Setting Choose Administration System Snmp Trap Setting Deleting a NAM Trap Destination PreferencesEditing a NAM Trap Destination System Alerts DiagnosticsAudit Trail System Alerts, Audit Trail, Tech Support, Choose Administration Diagnostics Tech Support Choose Administration Diagnostics Audit TrailTech Support Downloading Core Files Recovering Passwords User AdministrationPrivilege Access Level Local Database To create a new user Choose Administration Users Local DatabaseCreating a New User Deleting a User Choose the Administration Users Local DatabaseEditing a User Field Usage Notes Establishing TACACS+ Authentication and Authorization Click Network Configuration Click Add Entry Configuring a Cisco ACS TACACS+ ServerFor Windows NT and 2000 Systems Click Submit/Restart Adding a NAM User or User Group Configuring a Generic TACACS+ Server Parameter Enter Current User Sessions NAM Traffic Analyzer 5.0 Usage Scenarios Deploying NAMs in the Branch DeploymentDeploying NAMs for Voice/Video applications Deploying NAMs for WAN Optimization Integrating NAM with Third Party Reporting Tools Autodiscovery Capabilities of NAMCreating Custom Applications Understanding Traffic Patterns at the Network Layer Integrating NAM with LMSSee Dscp Groups, See Application Response Time, See Thresholds, Using NAM for Problem Isolation Troubleshooting Using NAM for SmartGrid Visibility General NAM Issues Troubleshooting Does the session from the switch/router work? Error MessagesPacket Drops NAM Not Responding NAM Behavior Waas Troubleshooting OL-19530-02 Module Object Identifier OID and Description Source Supported MIBs Objects10 Power, Temperature and Fan Status Mib-21.rmon16.tokenRing10.ringStationConfig RFCMib-21.rmon16.tokenRing10.ringStation RFC Mib-21.rmon16.tokenRing10.ringStation RFC OrderTable3 CiscoMgmt9.ciscoCat6kCrossbarMIB217.cisco Cisco9.workgroup5.ciscoStackMIB1.ciscoStatckCat6kXbarMIBObjects1 Crossbar statistics OL-22617-01 Downloading to a file Capture settings, configuringCustom display filters Creating IN-2 Configuring as datasource Ipesp IPIP4 Alarm thresholds IN-4 Creating Deleting Editing Spanning, directing traffic for Server, configuring to support NAM Authentication and authorization, establishing See Virtual Switch Software Waas data sources Voice data Collecting Viewing Voice signaling thresholds