Manuals / Finisar / Computer Equipment / Network Card

Finisar Surveyor Multiple Byte Patterns in Filter Templates, Creating Custom Filter Templates

Models: Surveyor

1 454

Download 454 pages 42.92 Kb

Page 144

Surveyor

User’s Guide

Multiple Byte Patterns in Filter Templates

Filter templates can be “several templates in one.” For example, HTTP, TELNET, and SNMP are provided as single filter templates, but they consist of both source and destination ports. In other words, the template itself contains an OR condition, and will capture a packet whether it appears in the offset for the source port or the offset for the destination port.

An example Template Description window is shown below. The HTTP port as the source or destination will be selected by the filter template. Two byte patterns are defined:

First Pattern		Second Pattern
Offset	Pattern	Offest	Pattern
12	0800	12	0800
23	06	23	06
34	0050	36	0050

Figure 7-2. Template Description Window Showing a Macro Filter

Creating Custom Filter Templates

Custom filter templates are created from the Filter Design window. Custom filter templates display under Custom_Templates in the Available Filter Templates box of this window. Custom templates allow precise control over the information captured or displayed.

Custom templates are created by modifying a pre-defined template or by directly entering values in the correct offsets in the Current Filter Template Display area.

Custom Templates Based on Pre-Defined Templates

Custom filter templates can be created by selecting a pre-defined template and add- ing conversations or port numbers. For example, assume you want to filter HTTP packets going to or coming from a station. You could select the HTTP filter template and enter the station you want to filter on in the Add Conversation to Template area.

7-8

Image 144

Finisar Surveyor manual Multiple Byte Patterns in Filter Templates, Creating Custom Filter Templates

Contents

Surveyor Trademarks and Copyrights Finisar Software License AgreementLicense TermLimited Software Warranty Restricted Rights LegendPatent and Copyright Indemnification Limitation of LiabilityCustomer Support Phone Customer Support FAXInternet Address World-Wide Web Mailing AddressTable of Contents Configuring Surveyor SurveyorResources and Modes ViewsTransmit Specification Capture and Display FiltersAlarms 10-110-15 10-58 10-102 Multi-QoS 11-112-1 13-1Counters UtilitiesImplementation Profile Pre-Defined Filter TemplatesKeyboard Shortcuts Parser NamesList of Figures 10-1 List of Tables Application Layer Host Table View, Table Column Descriptions 11-21 11-8 Surveyor Introduction Surveyor Functions Surveyor FunctionsFunction Description Introduction Analyzer Devices Protocols SupportedFinisar Analyzer Devices Finisar Device DescriptionXNS AppleTalk Phase2 DECnet PhaseOracle Suite IPX/SPX Suite Banyan Vines SuiteIBM ISO Whats New in Release Capture to Disk and THGsE Analyzer SupportDisk Caching Capture ManagementExpanded Multi-QoS Support Smnp Extended AgentNew and Enhanced Protocol Decodes Surveyor System Requirements System RequirementsRAM PIIUpgrading Surveyor Supported Analyzer Cards and Network Adapter CardsDesktop PC Installing Surveyor Installing Analyzer Hardware Installing Analyzer Hardware in a Desktop PCInstalling the THGm, Windows NT Installing THGm, Windows 2000/XPInstalling Analyzer Hardware in a Notebook PC Cdrom Installation Installing More Than One Analyzer Card in a Notebook PC Compatibility Matrix Hardware/Software Compatibility MatrixSurveyor Surveyor System Launching SurveyorDefault Account Names, Passwords and Privileges Basic Navigation Tips Surveyor Getting Started Buttons and Toolbars Surveyor ToolbarModule Toolbar Summary View Buttons and Toolbars Detail View Toolbar Getting Started Data Views Toolbar Getting Started Surveyor Filter Design Toolbar Filter States Design ToolbarDesign window Surveyor Capture View Toolbar Surveyor Getting Started File Formats Providing a Name Table to Surveyor Establishing Links for THGm Configuring the Interface Customizing Views and WindowsDocking Windows Capture View Display Options Configuring Surveyor Setting Histogram Colors Histogram OptionsSetting Histogram Zoom Factor Setting the Histogram Download SizeSetting the Monitoring View for a Module Choose Monitor View PreferencesConfiguring Chart Views Table ViewsModule Settings Properties Hardware Device PropertiesDefault Module Settings Module Setting Default ValuesBuffer Size Packet Slice Slicing SizeExpert Analysis Mode Non-Well-Known-Ports ModeStop-and-Save Capture Buffer ModesSystem Settings Monitor M-QoS Only ModeConfiguring Ports to Scan WKP4620Configuring Remote Communications RSP Time Out valueSetting Update Timers Protocol Color CodingDefault Display Timer Settings Display Timer Default ValueDisk Options Cache File LocationDisk Capture Location Configuring Alarms Configuring Counter LoggingHistory Log File Settings and Default Values Log Setting Mmddhhmm.ss Mmmonth ddday hhhour mmminute sssecondConfiguring a Multi-Port Tap or Switch Configuring a Multi-Port Tap or Switch Settings for Analyzer Devices Setting the Local COM Port for Taps and SwitchesConnecting a Tap with THGs or THGsE Resetting an Analyzer DeviceClick the Reset Host/Image Upgrade button Updating an Analyzer DeviceAdvanced Configuration Customizing Expert Diagnostic InformationSurveyor.ini File Assigning Names to Protocols Monitor MONITOR.INI FormatMapping= port num,short name,long name Port num Short nameLong name MONITOR.INI ExamplesMapping=921,CXP,Company X Protocol Mapping=6063, XWIN6063,X Windows on portMapping=2900,VIDEO,Video Audio Network Communicator How Surveyor Assigns Protocol Names Monitoring Well-Known Ports11. Default Names for Non-WKP TCP Ports 12. Default Names for Non-WKP UDP PortsMonitoring Non Well-Known Ports Name TCP port valuesAssigning TCP or UDP Ports to Protocol Parsers Mapping=port num,ip addr,parser name,name Port numIp addr Parser nameParser Names Surveyor Resources and Modes Resource BrowserRemote Resources Surveyor SoftwareNaming Remote IP Resources Aliases Host Properties Dialog Box for Establishing an AliasResource Protection Remote User PrivilegesPrivilege Description Settings option from the Module ModesHardware Devices Surveyor Resource Modes Description Resource TypeHardware Device Capabilities Synchronized Resources Hardware Device CapabilitiesNdis Hints and Tips for Resources Surveyor Views Static Data Summary View Module Window Tabs Within Summary ViewTab Description/Action Detail View VlanDetail View Using Capture + Monitor Mode in Detail View Capture View Capture View WindowSummary Pane Configuring the Capture View Display Creating Filters from Capture ViewExporting and Printing Decodes Display OptionsHistogram Options Other OptionsHistogram Color Coding Histogram Display and Button ControlsViews Histogram Display Showing Colors Histogram Default Colors Histogram Display, Large Capture ExampleHistogram Button Controls Histogram Mouse Controls Sizing/Selecting Areas with the MouseRight Mouse Options in the Histogram Saving Portions of the DataLine Graph or Stair Step Linear Scale or Logarithmic ScalePacket Editor Resume AnalysisPacket Editor Buttons Button Description/ActionData Views Editing in Decode ViewEditing in Hex View Ring Statistics View Token Ring OnlyMAC Statistics View Rx MAC Statistics View CaptureMAC Statistics View Tx Frame Size Distribution ViewChart Protocol Distribution ViewProtocol Distribution View, Chart Buttons Protocols Chart Button Description/ActionProtocol Distribution View, Chart Buttons Packets NETUtilization/Error View Protocol Distribution View, Graph Type ButtonsDisplay Button Description/Action 10. Protocol Distribution View, Table Column DescriptionsHost Table View 11. Host Table View, Table Column DescriptionsNetwork Layer Host Table View 12. Network Layer Host Table View, Table Column Descriptions Application Layer Host Table View Host Matrix View 14. Host Matrix View, Table Column Descriptions Network Layer Matrix View 15. Network Layer Matrix View, Table Column DescriptionsApplication Layer Matrix View 16. Application Layer Matrix View, Table Column Descriptions VlanVlan View Address Mapping View 17. Vlan View, Table Column DescriptionsTable Column Description Duplicate Address View Expert plug-in only 18. Address Map View, Table Column Descriptions19. Duplicate Address View, Table Column Descriptions Vlan IDExpert View Expert plug-in only Application Response Time View Expert plug-in onlyMulti-QoS View Multi-QoS software only Hints and Tips for Using Views Surveyor Getting Started with the Filter Interface Press the Create/Modify Capture FilterFilter Design window Creating Filters with Filter Templates Available Filter Templates boxAdd Port Numbers to Custom Filter Templates Sample Filter Design window is shown below Creating and Applying a Conversation Protocol and Frame TypeStation Addresses ISL, Q+EV2Traffic Direction Indicator Apply Conversation to Template Check BoxCreating and Applying a Port Number Selecting Filter TemplatesDefining Port Numbers Conversation Element DescriptionMultiple Byte Patterns in Filter Templates Creating Custom Filter TemplatesCustom Templates Based on Pre-Defined Templates Custom Templates Based on Specification of Byte Patterns Entering Values that Cross Byte Boundaries Bit-Level Filtering Filter Creation Creating Filter Template CombinationsFilter Actions Operator Buttons for Template Combinations DescriptionNot Template Combination boxActions for Capture Filters Capture Filter ActionsAction Description Packets until the buffer is %% full fieldActions for Display Filters Counter Conditions for FiltersDisplay Filter Actions Global Values that Affect Capture Filter Actions Frame TypesCapture Filter Global Values Capture Filter Global DescriptionMulti-State and Multi-Statement Filters Frame types are shown in TableExample Filter States Design Window Filter Structure Filter States Changing States Changing Filter OperationGoTo Current State Filter Statements Capture and Display Filter Differences Activating Display FiltersActivating Capture Filters Filter Examples Filter Example, Capture ConversationSurveyor Filter Example, Template Combination Filter Design Window, Template Combination ExampleSurveyor Filter Example, Capture TCP Port Traffic Filter Design Window, Capture TCP Port ExampleSurveyor Filter Example, Advanced Filter Advanced Filter, Filter States Design WindowRules of the Capture or Display Filter Hints and Tips for Using Filters Filtering Tips Unique to THG-class Devices Transmit Specification Transmit SpecificationsTransmit Specification Dialog Box Defined Streams List BoxRadio Buttons and Fields for Defining a Stream Transmission Mode and Status Controls Transmit Specification Control ButtonsStream Buttons Stream Function ButtonsTransmit Specification Control Buttons Control Button Transmit Specification FunctionRepeating Frames Surveyor Stream Mode Rate Setting Stream ModesBursts Stream ModesTransmission Mode Specifying Transmit DataPacket Editor Changing Fields Directly in the Dialog Box Packet Editor Button Editing FunctionDA and SA Fields Packet TypePacket Size Data FieldUsing Templates Creating TemplatesTransmit Specification Examples Transmitting Capture FilesTransmit Specification Example, Packet Gaps Transmit Specification Example, Bursts Transmit Specification Dialog Box, BurstsHints and Tips for a Transmit Specification Surveyor Alarms Current Module Alarms Current Module AlarmsAlarms Alarm Editor Alarm Editor DescriptionMqos Multi-QoS Alarms Expert Alarms Transport LayerData Link Layer, Ethernet Using Alarms with Different Devices YESThresholds and Alarms Alarm Actions Alarm Actions Description Support by Host TypeLog File Settings Mail SettingsAlarm Actions SettingsPager Settings Snmp Trap SettingsTrap Settings for THGs Trap Settings for Surveyor Hosts Viewing the Alarm List and the Alarm Log Hints and Tips for AlarmsAlarm Examples Alarm Example, UtilizationAlarm Example, MAC Errors Alarm Example, MAC ErrorsAlarm Example, Frame Size Alarm Example, Frame SizeAlarm Example, VoIP Calls Alarm Example, Call Jitter and Call Setup TimeAlarm Example, Expert and Application Response 10. Alarm Example, Expert and Application ResponseSurveyor Expert Features Expert System Views Getting Started with Expert ViewApplication Response Time View Duplicate Network Address ViewExpert Features Expert Overview Details Expert Overview Detail Table Example Expert Layers Layer DescriptionExpert Application Layer Example 10-8 Expert Symptoms and Analyses by Layer Expert Analyses Expert Symptoms, Analyses, and Network Entities SymptomsTables in the Detail Area for Symptoms Analyses Tables in the Detail Area for AnalysesEntities Entities for the Transport Layer Example Application/Session Lists for Entities Transport Lists for EntitiesNetwork Lists for Entities Data Link Lists for Entities Expert Diagnostic Messages Expert Diagnosis ExampleConfiguring the Expert System Working with the Expert SystemModule Settings for the Expert System Setting Expert AlarmsExporting Expert Data Printing Expert DataWorking with Timestamps Application Response Time Working with Analyzer DevicesApplication Layer Excessive Mailslot BroadcastsRate of change of SMB Mailslot Broadcasts=40 FTP Login Attempts Expert SymptomLogin attempts=4 Missed Browser Announcement Time passed since last announcement=4000 ms 3000 msNCP File Retransmission Between 00000010.0207012303E3 and 302A9950.000000000001NCP Read/Write Overlap NCP Request Denied Requests denied within 100 ms=5NCP Request Loop Loops on same request in 100 msNCP Server Busy Rate of change of NCP Server Busy=5NCP Too Many File Retransmissions File retransmission ratio is 8 / 28 = 28%NCP Too Many Requests Denied Requests denied ratio is 8 / 28 = 28%NCP Too Many Request Loops Requests loops ratio is 8 / 28 = 28%NFS Retransmissions No Http Post Response Http Post request not respondedNo Server Response Smtp server not respondedSlow Http GET Response Slow Http GET response=3608 ms 2000 msSlow Http Post Response Slow Http Post response=2918 ms 2000 msSlow Server Connect Slow FTP server connect=298 ms 200 msSlow Server Response Slow Smtp server response=1258 ms 1000 msSMB Invalid Network Name Invalid network name in tree connectSMB Invalid Password Invalid passwordSession Layer No Wins ResponseWins request not responded within 1000 ms TNS Slow Server Connect Slow TNS server connect=298 ms 200 msTNS Slow Server Response Slow TNS server response=238 ms 200 msTransport Layer Idle Too LongNon Responsive Station Station 206.250.228.11 not respondingTCP Checksum Errors SA=206.250.228.69 DA=206.250.228.11TCP Fast Retransmission TCP Frozen Window 10-48 TCP Long Ack TCP Repeat Ack Acknowledgement number is less than the one beforeTCP Retransmissions TCP RST Packets TCP SYN Attack Rate of change of TCP SYN’s=150TCP Window Exceeded CountData length of 128 bytes exceeds last window size TCP Window Probe Between 206.250.228.69/TCP/IP WKP1988 206.250.228.11/SMTPTCP Zero Window Expert DiagnosisToo Many Retransmissions Retransmission ratio is 49 / 50 = 98%Network Layer Duplicate Network AddressAddr=206.250.228.67 Hsrp Coup SA=206.250.226.11 DA=206.250.228.69Hsrp Errors Hsrp Resign Icmp All Errors Parameter ProblemDestination Unreachable Source Quench RedirectIcmp Bad IP Header Icmp Destination Host Access Denied Cannot be reached by SA=206.250.228.11 DA=206.250.228.69Icmp Destination Host Unknown Icmp Destination Network Access Denied Icmp Destination Network Unknown Icmp Destination Unreachable 10-69 Icmp Fragment Reassembly Time Exceeded Icmp Fragmentation Needed D/F set Icmp Host Redirect Icmp Host Redirect for TOS Icmp Host Unreachable Icmp Host Unreachable for TOS Icmp Inconsistent Subnet Mask Addr=206.250.228.69. Subnet mask=255.255.255.240Icmp Network Redirect Icmp Network Redirect for TOS Icmp Network Unreachable Icmp Parameter Problem Icmp Port Unreachable Icmp Protocol Unreachable Icmp Redirect Icmp Required IP Option Missing Icmp Source Quench Icmp Source Route Failed Icmp Time Exceeded Icmp Time to Live Exceeded Illegal Network Source Address Addr=255.255.255.255IP Checksum Errors IP Time to Live Expiring TTL=1 SA=206.250.228.69 and DA=206.250.228.11ISL BPDU/CDP Packets ISL Illegal Vlan ID Vlan ID=1036Ospf Broadcasts RIP Broadcasts Router Storm Rate of change of Router Broadcasts=5Same Network Addresses Addr=255.23.252.6SAP Broadcasts Total Router Broadcasts Unstable MST Rate of change of Topology=10Zero Broadcast Address Addr=0.0.0.0MAC Layer Bad FramesBroadcast/Multicast Storms Rate of change of Bcast/Mcast Packets=500CRC error with more than 63 bytes CRC Frame counterExcessive ARP Rate of change of ARP Requests=20Excessive Bootp Rate of change of Bootp/Dhcp Requests=25Excessive Broadcasts Excessive Collisions Excessive Multicasts CRC error with less than 64 bytes Fragment FrameIllegal MAC Source Address Addr=FFFFFFFFFFFFCRC error with more than 1518 bytes Jabber FrameNetwork Overload Utilization=42%New MAC Stations Oversized Frame Oversized frame has more than 1518 bytesOverload Frame Rate Overload Utilization Percentage Physical Errors Rate of change of Errors=450Runt Frame Runt frame has less than 64 bytesSame MAC Addresses Addr=00800F13A65BTotal MAC Stations Hints and Tips for Expert Features Summary of Expert Counters and Symptoms Response Time Alarm editorConfiguration dialog box Summary of Expert Features Summary of Expert Features TOS ISL BPDU/CDP Surveyor TCP RST Surveyor Multi-QoS Using Multi-QoS with Analyzer Hardware Protocols Supported by Multi-QoSMulti-QoS User Interface Overview Call Summary Range Table All Calls TableChannel View Table Surveyor and Rtcp Jitter Values Summary Range GraphsCall Tables for a Specific Range Call Details for a Single CallConfiguring Multi-QoS Multi-QoS ConfigurationAlarm Log Monitor Only Protocol Type Timeout ValueRefresh Options MQoS Window Management Multi-QoS Performance Optimization Call Filtering with Multi-QoSAll Calls Table H323Red Phone Field Descriptions for All Calls Table All Calls Table Field DescriptionsCall Jitter, Call Rtcp Jitter, Call Setup Time Call Range Graphs and SummariesMulti-QoS Configuration, Call Jitter Ranges Dropped Packets, Rtcp Dropped Packets Multi-QoS Packets Dropped Graph ExampleMulti-QoS Configuration, Packets Dropped Field Descriptions for Call Range Summaries Call Range Summary Field DescriptionsVQMon Metrics Multi-QoS R-factor Example Multi-QoS Configuration, R-factor Ranges Ranges for R-factors Network R-factor User R-factorUtilization Graph 10. Multi-QoS Utilization Graph ExampleField Descriptions for Call Details 11. Example Call Details Window H.323Sccp Call Field Descriptions FIDH.323 Call Field Descriptions Field Name DescriptionSIP Call Field Descriptions Field Name Channel Table Details 10. Unknown Call Field Descriptions12. Channel Table Example 11. H.323, SIP, or Unknown Channel Table Column Descriptions Multi-QoS 12. Sccp Channel Table Column Descriptions Filtering on Single Channels Call PlaybackPlayback PCMU/PCMA Data Customizing Multi-QoS Table Displays Customizing All Calls or Range Summary TablesCustomizing Channel Tables 14. Multi-QoS Channel Table View Options, Sccp ExampleExporting Multi-QoS Data Exporting All Multi-QoS Data to CSV FormatChoose Export Multi-QoS Data... from the File menu Exporting a Single Multi-QoS Table to CSV Format 11-34 Packet Counters MAC Layer Counter TypesCounter Type Description Error Counters Custom CountersCounters Last frame received Expert Counters Network Unknown, Destination Host Unknown, Destination Net Overload Utilization Percent Surveyor Multi-QoS Counters Counter Log File OverviewLog Directory Structure Utilities Name Table Utility Utilities Building a Name Table From the Network NIS-to-Name Table Conversion Utility NIS2NAM output-name-tableSniffer Translator Utility Internet Advisor Translator UtilityGet Version Information Utility Sniffer Translator Utility, Tool Menu OptionsConvert Capture Files to Histogram Files Merge Histogram FilesFrom the Tools menu, choose Merge Histogram Files Extract Frames From a File Using a Filter Logging UtilitiesExport Utilities Exporting PacketsExporting Tables to CSV Format or Graphs to a Bitmap Exporting to Optimal CSV FormatExporting Counter Log Files to Excel Choose Export to Optimal Performance from the File menu13-11 13-12 Buffers How Resources Use BuffersTable A-1. Buffer Types Used By Surveyor Buffer Type DescriptionTable A-2. Resource Use of Buffers Resource Buffer UsageHardware Dependencies Table A-3. Hardware Real-Time FunctionsTable A-4. Hardware Transmit Functions Table A-5. Hardware Capture Functions Table A-6. Hardware ConnectivityAbout Ndis Mode Captured PacketsCapture Rate / Transmit Speed CountersNdis Configuration Options Setting the InterfaceSet Capture Buffer and Packet Slicing Size Pre-Defined Filter Templates Filter TemplatesARP MacdabroadcastHEX Fffffffffff MacdamulticastEigrp IcmpIgmp DECRIP IPX RsvpSAP IPX DNS TCP FTPHttp ImapSccp SmtpTCP TelnetDhcp DNS UDPMgcp UDP NB-DATAGRAMNTP RIP UDPSIP SnmpDsap HEXHEX F0F0 HEX E0E0 NmpiSnap HEX AAAA03Snaparp SnapcdpIslarp Isldns TCPIsleigrp IslftpIslldap HEX FfffffffffffHEX 01005EFFFFFF Islmgcp TCPIslsmtp IslsspIsltcp IsltelnetHEX 0C HEX 0DHEX 0B HEX 2A HEX 0EHEX 0F Nonmac Keyboard Shortcuts Function KeysStandard and Navigational Keys Keyboard Shortcuts Surveyor Recognized Parser Names Table D-1. Parser Names, DLC SuiteParser Name Protocol Table D-2. Parser Names, Applications and OthersTable D-3. Parser Names, Apple Talk Suite Parser Name Protocol NameTable D-4. Parser Names, Banyan Suite Table D-5. Parser Names, Cisco Suite Protocol Name Table D-6. Parser Names, DECnet Suite Protocol NameTable D-7. Parser Names, Fujitsu Suite Protocol Name Table D-8. Parser Names, IBM Suite Table D-9. Parser Names, Internet SuiteTable D-9. Parser Names, Internet Suite Protocol Name Table D-10. Parser Names, Internet Next Generation Suite Table D-11. Parser Names, Netware SuiteTable D-12. Parser Names, PPP Suite Protocol Name Table D-13. Parser Names, XNS Suite Protocol NameTable D-14. Parser Names, H.323 Suite Table D-15. Parser Names, ITU CodecsTable D-17. Parser Names, Other Multimedia Protocol Name Table D-18. Parser Names, Intel Suite Protocol NameTable D-19. Parser Names, VPN Suite Protocol Name Surveyor Glossary Alarm Browser Avvid Capture Mode Dram Expert View Log Files Ndis NIS Pause Sccp Token Error Transmit Specification WKP Index Index-2 Index Index-4 Index-5 Index-6 Index-7 Index-8 Index-9 Index-10 Index-11 Index-12 Index-13 Index-14