Editing Custom Display Filters | Cisco Systems 5, NAM instruction

Chapter 4 Capturing and Decoding Packet Data

Viewing Packet Decode Information

Field	Filter By	Format

tcp.port	TCP port number	A decimal number from 0 to 65535.
tcp.srcport
tcp.dstport

udp.port	UDP port number	A decimal number from 0 to 65535.
udp.srcport
udp.dstport

protocol	Protocol	Click the Protocol list in the Custom Decode Filter dialog box to see the
		list of protocols on which you can filter.

protocol [offset:length]	Protocol data pattern	hh:hh:hh:hh..., where hh is a hexadecimal number fro 0 to 9 or a to f.
		offset and length are decimal numbers.
		offset starts at 0 and is relative to the beginning of the protocol
		portion of the packet.

frame.pkt_len	Packet length	A decimal number that represents the packet length, not the truncated
		capture packet length.

Examples of Custom Decode Filter Expressions

•To match SNMP packets from 111.122.133.144, enter:

snmp and (ip.src == 111.122.133.144)

•To match IP packets from the 111.122 Class B network, enter:

ip.addr == 111.122.0.0/16

•To match TCP packets to and from port 80, enter:

tcp.port == 80

•The TOS value is stored in byte 1 (the second byte) in the IP header. To match the IP packet with the TOS value 16 (0x10), enter:

ip[1:1] == 10

•The TCP acknowledgement number is stored in bytes 8 through 11 in the TCP header. To match the TCP packet with acknowledgement number 12345678 (0xBC614E), enter:

tcp[8:4] == 00:BC:61:4E

Note You can use a filter expression with other fields in the Custom Decode Filter dialog box. In this case, the filter expression is ANDed with other conditions.

Invalid or conflicting filter expressions result in no packet match.

Editing Custom Display Filters

To edit custom display filters:

Step 1 Choose Capture > Packet Capture/Decode > Display Filters.

Step 2 Choose the filter to edit, then click Edit.

Step 3 Change the information in each of the fields as appropriate.

	User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
4-26	OL-22617-01

Image 186

Cisco Systems 5, NAM Editing Custom Display Filters, Field Filter By Format, Examples of Custom Decode Filter Expressions

Contents

Americas Headquarters Text Part Number OL-22617-01Page N T E N T S Span Network Sites URL Nbar System Administration Resources Audit Trail Understanding Traffic Patterns at the Network Layer About This Guide Chapter Overview Convention AudienceConventions Boldface font Obtaining Documentation and Submitting a Service Request Xiv Introducing NAM Traffic Analyzer A P T E R Dashboards Logical Site New Application Classification Architecture Standards-Based NBI NetFlow v9 Data Export Historical Analysis WS-SVC-NAM-1-250S Snmp v3 Support -- NAM to Router/Switch SupportOverview of the NAM Platforms WS-SVC-NAM-2-250S Cisco Branch Routers Common Navigation and Control Elements LoggingNavigating the User Interface Menu Bar Detailed Views Context Menus Quick Capture Chart View / Grid View Interactive Report Zoom/Pan Charts Mouse-Over for Details Sort Grid Bytes / PacketsStatistics Understanding How the NAM Works Context-Sensitive Online Help Configuration/guide/span.html Configuration/guide/nde.htmlPorts VLANs Module Cisco IOS Software Understanding How the NAM Uses SpanUnderstanding How the NAM Uses VACLs Guide/span.html Understanding How the NAM Uses NDE Guide/vacl.html Understanding How the NAM Uses Waas Configuration Overview Action Description GUI Location User Guide Location Setup Network Sites Administration SystemSetup Data Export Setup Alarms Actions Capture Packet Configuring and Viewing DataAdministration Users Capture/Decode Cisco Waas NAM Virtual Service Blade Default Functions Traffic Analysis Voice Signaling/RTP Stream Monitoring Application Response Time MetricsAnalyze Media Voice Call Statistics About Span Sessions TrafficTraffic Usage Statistics SPAN, Data Sources, Hardware Deduplication, NAM Traffic Analyzer the NAM GUI Switch CLIMethod Usage Notes Supervisor portCopyTable Snmp Column Description Creating a Span Session State Description Field Description Choose Setup Traffic Span Sessions Editing a Span SessionDialog Box Data Sources Deleting a Span SessionSPAN, ERSPAN, VACL, NetFlow, WAAS, Fields are explained in -7, NAM Data Sources Router or switch or WAE deviceOr Disabled Data Port if it is a local physical port, or the IP address Enabling Auto-Creation of Erspan Data Sources Using the CLI Click Setup Traffic NAM Data Sources Disabling Auto-Creation of Erspan Data Sources Using the CLI Creating Erspan Data Sources Using the Web GUI Creating Erspan Data Sources Using the CLI Deleting Erspan Data Sources Using the Web GUI Enter the device ID from StepEnter the name you would like for the data source required Deleting Erspan Data Sources Using the CLI Use the no data-sourcecommand to delete the data sourceClick the Delete button along the bottom of the window Sample Configuration of Erspan Source Configuring Erspan on DevicesUse the no device command to delete the device Sample Configuration of Erspan Destination Configuring Vacl on a WAN Interface Sample Configuration Configuring Vacl on a LAN Vlan NetFlow Understanding NetFlow Interfaces Understanding NetFlow Flow Records Configuring NetFlow on Devices Managing NetFlow Data SourcesOutput Interface Are Flows Reported? For Devices Running Cisco IOS For NAMs Located in a Device Slot Enabling Auto-Creation of NetFlow Data Sources Using the CLI Creating NetFlow Data Sources Using the Web GUI Snmp Credentials Creating NetFlow Data Sources Using the CLI Security Level Deleting NetFlow Data Sources Using the Web GUI Deleting NetFlow Data Sources Using the CLI Testing NetFlow Devices Understanding Waas Contact information for the deviceSnmp read test result. For the local device only Point, configure a Client WAN data source Setting DescriptionConfigure a Client data source Configure a Server WAN data source Monitoring Server Data Sources Monitoring Client Data SourcesMonitoring WAN Data Sources Server data source Managing Waas Devices Deployment ScenariosDeployment Scenario Choose Setup Traffic NAM Data Sources Adding Data Sources for New Waas Device Editing Waas Data Sources Deleting a Waas Data Source Choose Setup Traffic Hardware Deduplication Hardware DeduplicationAuto Create of New Waas Devices Alarms Alarm ActionsAlarm Actions, Thresholds, User Scenario, Alarm Action Configuration Editing Alarm Actions Deleting Alarm ActionsChoose Setup Alarms Actions Application associated with this threshold ThresholdsName of the threshold Site associated with this threshold Choose Setup Alarms Thresholds Setting Host ThresholdsAlarm Summary dashboard Monitor Overview Alarm Summary Field Setting Conversation Thresholds Setting Application Thresholds Dashboard Monitor Overview Alarm Summary , where you Setting Response Time Thresholds Dashboard Monitor Overview Alarm Summary, where you Setting Dscp ThresholdsGive the Dscp Alarm Threshold a name Chose a Dscp value from the list High, Low, or High and Low alarms Setting RTP Stream ThresholdsGive the RTP Streams Alarm Threshold a name Alarm actions Setting Voice Signaling Thresholds Give the NDE Interface Alarm Threshold a name Setting NDE Interface ThresholdsDashboard Monitor Overview Alarm Summary , where you can Choose a data source from the list Editing an Alarm Threshold Deleting a NAM Threshold NetFlow Data ExportUser Scenario NetFlow, Scheduled Exports, Custom Export, Viewing Configured NetFlow Exports Choose Setup Data Export NetFlowNetFlow Exports screen appears shown in Figure Port number of the device to be exported to Configuring NetFlow Data ExportDescription of the NetFlow Export Valid characters 1-9. Length Min 1, Max Host Record types supported by NAM for NetFlow areApplication ART Client Server Application Scheduled Exports Editing NetFlow Data ExportClick Choose Setup Data Export Scheduled Exports Editing a Scheduled ExportDeleting a Scheduled Export Managed Device Custom ExportDevice Information Name of the network administrator for the router Choose Setup Managed Device Device InformationTotal time the switch has been running Name of the Snmp read-write community string configured on Nbar Protocol Discovery Field / Operation Description NetworkSites Sites, NDE Interface Capacity, Dscp Groups, Specifying a Site Using Subnets Specifying a Site Using WAE devices Waas Data SourcesDefinition Rules Specifying a Site Using Multiple Rules Viewing Defined SitesResolving Ambiguity Overlapping Site Definitions Name of the site Shows if the site is Enabled or DisabledDefining a Site Description of what the site includes Optional text string for describing site See -7for an exampleUnique text string for naming a site Subnet Detection Editing a Site Subnet DetectionEnter an IPv4 or IPv6 address NDE Interface Capacity Dscp GroupsCreating an NDE Interface Field Description Usage Notes Choose Setup Network Dscp GroupsCreating a Dscp Group Through Dscp AF/EF/CS Format Bit Field Format Classification Editing a Dscp GroupDeleting a Dscp Group Applications 8shows an example of what the screen may look like Choose Setup Classification Applications Creating a New Application Editing an Application That list, highlight it and click the left arrowRepeat through as many times as desired Deleting a Protocol Choose Setup Classification Application GroupsApplication Groups Creating an Application Group Deleting an Application Group URL-based ApplicationsEditing an Application Group To edit an application group Choose Setup Classification URL-based Applications Example Editing a URL-Based Application Deleting a URL-based Application Encapsulations Choose Setup Classification EncapsulationsMonitoring Aggregation Intervals, Response Time, Voice, RTP Filter, Choose Setup Monitoring Aggregation Intervals Aggregation IntervalsURL, Waas Monitored Servers, Short-Term Long-Term Choose Setup Monitoring Response TimeResponse Time Normal Minimum Voice Choose Setup Monitoring VoiceMonitor Setup Window Field Appliance 10,000 500 1,750 000 1,000 250 Choose Setup Monitoring RTP FilterRTP Filter Enabling a URL Collection Changing a URL Collection Choose Setup Monitoring URL Enabling a URL CollectionDisabling a URL Collection To change a URL collection Changing a URL CollectionElement Description Usage Notes URL page -10displays Disabling a URL Collection Choose Setup Monitoring URL CollectionWaas Monitored Servers Adding a Waas Monitored Server Choose Setup Monitoring Waas Servers Deleting a Waas Monitored ServerTo delete a Waas monitored server data source Navigation, MonitorAnalyze Navigation Interactive Report Saving Filter Parameters Saving Filter Information Traffic Summary Response Time Summary Alarm Summary Site Summary Top N Applications by Alarm Count Top N Sites by Alarm CountTop N Hosts by Site and Alarm Count Top N Applications by Site and Alarm Count Analyzing Traffic Application Hosts Detail Host Applications Detail Monitored as a whole NDE Interface Traffic AnalysisApplication group set of applications that can be Traffic rate number of bytes per second Viewing Interface Details Dscp DetailDscp value Application Groups Detail Applicable site or Unassigned if no site Filtering a URL Collection List URL HitsViewing Collected URLs Viewing Collected URLs Filtering a URL Collection List Host Conversations Network ConversationTop Application Traffic Top Application Traffic WAN Optimization Application Traffic By HostTop Talkers Detail Application Performance Analysis Conversation Multi-Segments Response Time NAM Application Response Time Measurements 7lists and describes the ART metrics measured by NAM Metric Description Metric Description Application Response Time Network Response TimeNetwork Client-Server Response Time Server Response TimeClient Response Time Server Application Responses Server Application Transactions Detailed Views Server Application Transactions Server Network Responses Client-Server Application Responses Client-Server Application Transactions Client-Server Network Responses Server-response packet, excluding retransmission timePacket as observed at NAM probing point Interface, Interface Interfaces Stats TableHealth, NBAR, Switch Health HealthInterface Statistics Over Time CPU usage Chassis HealthChassis Information Backplane Utilization Crossbar Switching Fabric Ternary Content Addressable Memory Information Router Health Router Health Router Information Media Information on how to contact this personCurrent state of the power supply being instrumented Time in hundredths of a second since the network management RTP Stream Information RTP StreamsPurpose RTP Stream Stats Summary Voice Call Statistics Monitoring RTP StreamsRTP Stream Stats Details Calling number as it appears in the signaling protocol Called number as it appears in the signaling protocolCalls Table Time when the call was detected to start From inspecting the call signaling protocolInspecting call signaling protocol Time when the call was detected to end RTP Conversation Field Purpose NAM calculated score that takes into account Synchronization source number as it appear in the RTPHeader Duration of the stream OL-22617-01 Capturing and Decoding Packet Data Quick Capture Sessions Many times as necessary Viewing Capture SessionsName of the capture session Size of the session Configuring Capture Sessions Operation DescriptionChoose Capture Packet/Capture Decode Sessions Configure Capture Session Window Name of the capture Enter a capture name Administration System Capture Data Storage Maximum Capture Session Sizes for NAM PlatformsMaximum Session NAM Platform Size NAM Platform Size Software FiltersMaximum Session 300 MB Creating a Software Filter Choose Capture Packet Capture/Decode SessionsSoftware Filter Dialog -4 displays For MAC address, enter hh hh hh hh hh hh, where hh is a IPv4 address in dotted-quad format n.n.n.n, where n is 0 toDefault if blank is Hexadecimal number from 0 to 9 or a to f. The default is Choose GTP.IPv6 for IPV6 address for tunneled packet over Editing a Software Capture Filter To edit software capture filters Hardware Assisted Filters Configuring a Hardware FilterTo cancel the changes, click Cancel Vlan and IP IP and TCP/UDP IP and Payload Data Vlan and IP List is also shown in Figure IP and TCP/UDP IP and Payload Data Files Payload Data Display the packets in a file Delete files Displays a graphic image of network traffic KB/second Error ScanAnalyzing Capture Files Displays packets and bytes transferred for each protocol Downloading Capture Files Choose Capture Packet Capture/Decode Files Deleting a Capture File Deleting Multiple Files Load and decode the previous block of packets from the NAM Viewing Packet Decode InformationStop packet loading Load and decode the next block of packets from the NAM Filtering Packets Displayed in the Packet Decoder Choose a Filter ModeBrowsing Packets in the Packet Decoder Choose an Address Filter Viewing Detailed Protocol Decode Information Define a Protocol Filter Creating Custom Display Filters Using Alarm-Triggered CapturesCustom Display Filters To create custom display filters Custom Decode Filter Dialog Box Operator Meaning Tips for Creating Custom Decode Filter ExpressionsSee Tips for Creating Custom Decode Filter Expressions Format Examples of Custom Decode Filter Expressions Editing Custom Display FiltersField Filter By Format Choose Capture Packet Capture/Decode Display Filters Deleting Custom Display Filters To delete custom display filters OL-22617-01 User and System Administration System Administration Choose Administration System Network Parameters ResourcesNetwork Parameters Snmp Agent Creating NAM Community Strings Choose Administration System Snmp AgentWorking with NAM Community Strings Snmp Agent Dialog Box displays Deleting NAM Community Strings Testing the Router Community StringsSystem Time To delete the NAM community strings Synchronizing the NAM System Time Locally Synchronizing the NAM System Time with the Switch or RouterChoose Administration System System Time Clock set hhmmss mm/dd/yyyy Mail Setting Configuring the NAM System Time with an NTP ServerChoose Administration System E-Mail Setting Web Data Publication To enable Web Data PublishingChoose Administration System Web Data Publication Capture Data Storage Configuring the NFS Server Configuring the NFS Storage Location on the NAMCreating NFS Storage Locations Editing NFS Storage Locations Editing iSCSI Storage Locations ISCSI target name configured on the remote iSCSI serverCreating iSCSI Storage Locations Name of the remote storage entry Choose Administration System Syslog Setting Syslog SettingSnmp Trap Setting Choose Administration System Snmp Trap Setting Preferences Editing a NAM Trap DestinationDeleting a NAM Trap Destination Audit Trail DiagnosticsSystem Alerts System Alerts, Audit Trail, Tech Support, Tech Support Choose Administration Diagnostics Audit TrailChoose Administration Diagnostics Tech Support Downloading Core Files Privilege Access Level User AdministrationRecovering Passwords Local Database Choose Administration Users Local Database Creating a New UserTo create a new user Choose the Administration Users Local Database Editing a UserDeleting a User Establishing TACACS+ Authentication and Authorization Field Usage Notes For Windows NT and 2000 Systems Configuring a Cisco ACS TACACS+ ServerClick Network Configuration Click Add Entry Click Submit/Restart Configuring a Generic TACACS+ Server Adding a NAM User or User Group Current User Sessions Parameter Enter NAM Traffic Analyzer 5.0 Usage Scenarios Deploying NAMs for Voice/Video applications DeploymentDeploying NAMs in the Branch Deploying NAMs for WAN Optimization Autodiscovery Capabilities of NAM Creating Custom ApplicationsIntegrating NAM with Third Party Reporting Tools See Dscp Groups, Integrating NAM with LMSUnderstanding Traffic Patterns at the Network Layer See Application Response Time, See Thresholds, Troubleshooting Using NAM for Problem Isolation Using NAM for SmartGrid Visibility Troubleshooting General NAM Issues Packet Drops Error MessagesDoes the session from the switch/router work? NAM Not Responding Waas Troubleshooting NAM Behavior OL-19530-02 Supported MIBs Module Object Identifier OID and Description Source Mib-21.rmon16.tokenRing10.ringStation RFC Mib-21.rmon16.tokenRing10.ringStationConfig RFCObjects10 Power, Temperature and Fan Status Mib-21.rmon16.tokenRing10.ringStation RFC OrderTable3 Cat6kXbarMIBObjects1 Cisco9.workgroup5.ciscoStackMIB1.ciscoStatckCiscoMgmt9.ciscoCat6kCrossbarMIB217.cisco Crossbar statistics OL-22617-01 Custom display filters Capture settings, configuringDownloading to a file Creating Configuring as datasource IN-2 Alarm thresholds Ipesp IPIP4 Creating Deleting Editing Spanning, directing traffic for IN-4 Authentication and authorization, establishing Server, configuring to support NAM Voice data Collecting Viewing Voice signaling thresholds See Virtual Switch Software Waas data sources