In today's networks, many organizations have moved heavily towards virtualization solutions to alleviate the headaches associated with stand-alone systems, such as management overhead, power efficiency, physical space, and overall cost. But with that move from physical to virtual, one thing that often gets overlooked is the network traffic, especially the traffic between the machines you just placed in a virtual environment. After all, you just eliminated virtually all network latency! What is happening in there?!
Cyber Security news and articles seem to be written on a daily basis, and the attacks they talk about are happening even more often. The statistics are staggering, and although I will not go into them here, the numbers prove that this subject cannot be ignored.
Do you know whether WMM is used bi-directionally for your real time traffic? If not, you may have VoIP quality issues. This tip walks you through how to validate this by building a filter to watch for WMM classifications.
Did you know that the OmniEngine Manager, installed by default with Omnipeek, gives you a way to manage multiple distributed capture engines? If your environment has more than one engine, software updates, configuration changes, alarms, and filter and graph updates can be a difficult task to carry out across all of them.
In most cases when we build address filters, we look for all traffic to and from a specific address, or pair of addresses. At times we want all the traffic for a given subnet or MAC OUI, so OmniPeek allows address filters with asterisk (*) wildcards. We can also use "slash" notation to specify subnets (e.g. 10.10.7.0/24 for a 24-bit subnet mask). Yet these methods aren't always specific enough to filter for a particular set of nodes.
More specifically, put it on OmniPeek's Tab! This month's tip is going to focus on one of the primary new UI improvements in OmniPeek 6.0, the Tabs documents style. The Tabs style is a new way to organize your open files, captures, Filters, Name Tables, etc. This is an option that you can use in OmniPeek, or if you prefer you can go back to the older 'Multiple Windows' view style.
When building filters in the OmniPeek Network Analyzer, there is often a temptation to build complex filters containing multiple conditions connected by several AND/OR/NOT operators. When building some filters, such as signature filters for viruses or worms, complex filters are necessary since most forms of malware have very unique characteristics that require filter conditions that you are unlikely to reuse.
The purpose of this tip is to show you how to find and extract the network flows that use uncommon or nonstandard ports.
"Filters" is a powerful feature in Omni that can make your analysis efforts more efficient and effective. Yet most Omni users rarely take full advantage of filters used in combination. A single filter can isolate packets based on very specific criteria, but combinations of filters can be used to perform more complex tasks. When used with triggers, multiple filters can enable Omni to perform more complex and granular analysis.
Recently, when doing a consulting engagement I came across some interesting behavior with my WNIC and thought I would pass it along as a tip.
One of the strengths of WildPackets® OmniEngine and WildPackets® Omnipliance is their ability to manage simultaneous captures from multiple network adapters. Yet, by using several adapters and creating multiple capture sessions, you may inadvertently ask the system to collect packets more rapidly than the CPU and system bus can process them, and more quickly than the hard drive controller can write them to disk.
This month I'm going to address the need to select certain packets from an active capture. This situation arises when you have an active capture running that you cannot stop for whatever reason, but you still wish to apply a filter to it.
If you are using WildPackets® OmniEngine or WildPackets® Omnipliance, chances are you are interested in collecting, storing, and analyzing very large volumes of packet data. The key word here is VOLUME! On highly utilized gigabit or 10 gigabit links, hundreds of thousands, or even millions, of packets can be collected in just a few seconds. Processing that many packets takes a lot of horsepower, and OmniEngine is strong enough to handle the flow in most cases. However, every computer system has its limits, so you need to know how to maximize the packet volume that OmniEngine can accommodate. Here are some best practices to consider when setting up your capture options.
A lot of people seem to have the same questions about Wireless captures, so I thought it would be a good idea to focus on those questions this month.
WildPackets’ Technical Support Team regularly receives questions about capturing VLAN (Virtual LAN) tags in packets. Some customers report that they cannot see VLAN tags when capturing packets from their switches. The tags are usually missing because the capture configuration or the placement of OmniPeek (or OmniEngine) on the network is incorrect. So, this tip is aimed at understanding VLAN tags and how they can be captured using the OmniPeek product family.
NEWS FLASH! We NOW have the capability to use USB adapters. Yes, they do have to be supported models, but these are available from companies like Linksys and D-Link, among many others. The basic requirements are that the adapter must be USB and must use a chipset from a company called Ralink.
Since the infancy of computer networks, network folks and server folks have engaged in a nearly constant debate when it comes to the source of slow application performance – is it the server’s fault or the network’s fault? Finger pointing abounds in these skirmishes and often creates real animosity among various IT groups. In fact, the WildPackets Professional Services team has occasionally been summoned to do nothing more than settle such arguments. This is one dispute that OmniPeek is well-suited to settle. Let’s take a look at a couple of TCP conversations, and you’ll get the idea…
Documentation! Reports! Paperwork, Paperwork, Paperwork! Enough already. Your boss keeps asking for them, but you don’t even have time to do your primary job, and they want reports of the network. And what do they want in the reports? Pictures, not words! Graphs!
One thing the WildPackets instructor corps enjoys most about teaching is that we always learn at least as much as we teach. In one of our recent analysis classes, Brian Cantor from Nationwide Insurance provided us with a great tip that we want to share with you! During the class, we were building filters to find various types of TCP packets based on the TCP Flags field.
Sometimes, you may find that you want to save files that match the timeframe of the statistics output you are doing. Omni 5 added a new capture feature that will allow you to save files based on a specific time interval. It will allow you to save a new file every ‘x’ amount of time. The benefit of this is that now you can save statistics output at the same interval as your file save interval, which will make them directly correlate for future reference.
Application performance – are they simple words, or are they really your two-word job description? Whether you write software, maintain servers, or manage the network infrastructure, application performance is really the bottom line of your professional existence! If the applications don’t work so that users can be productive, then you’re in the doghouse!
So, you have determined that you need to scan for and locate any rogue WLAN devices in your environment. First, you need to determine whether you have any rogues. Then comes the fun part: you need to physically locate them. Let OmniPeek help you take a lot of the effort out of both of these steps. All you need is OmniPeek and a supported WLAN card with the proper drivers.
More and more companies are finally deciding to retire their aged phone systems in favor of Voice over IP, so don’t be surprised if the boss puts a VoIP project under your IT tree this year. While VoIP does offer many economic and operational advantages over traditional telephone technology, it also comes bearing gifts of latency, packet loss, and jitter. Some folks like to get puzzles as gifts, but I’m not sure these are the types of brainteasers you really want to battle for fun! When jitter bells start ringing in your network, rely on the new features in OmniPeek version 5.1 to help you isolate and solve the problem.
Performance is an area of interest to everyone. What performance should you expect? The answer to that is very difficult as it depends on many bits of information including utilization, packet sizes, and what options are turned on.
So it has happened again – a user has called to complain about a server taking forever to fulfill a request. You need a quick way to evaluate that server’s traffic to determine how busy it is, and to see what types of traffic are consuming its time. The Peer Map has always been a very useful way to get a “satellite” view of traffic patterns on the network. This feature has been a part of all of the Peek products for quite some time, and has proven its worth time and time again as an indispensable part of our analysis arsenal. In spite of the Peer Map’s successful history, we never want to rest on our laurels! So some of our software engineers got together and said, “Let’s make a better Peer Map!”
If you have upgraded to Omni 5.0, which was recently released, you have probably noticed the new Filter Bar. This bar may completely change the way you make and apply filters. The really nice part about the Bar is that you can now manipulate filters using operators, and create expressions, to give you unlimited options when dealing with filters. It is also very handy for quickly applying expressions or filters simply by typing in what you want.
It’s an age-old problem with network analysis and troubleshooting – the problem never occurs when you’re there to see it! Fortunately, Peek analyzers facilitate the automation of captures so that they can start and/or stop even when you’re not there. In this tip, we’ll focus on a little-known and rarely-used automation feature of the Peek products.
So, you ask, what does a plug-in do within the Peek products? And that’s my cue to tell you in order to fully answer that question, you must go to http://wpdn.wildpackets.com. There you will find not only the plug-ins that currently exist (over 30), but also the directions and tools that are helpful if you wish to write your own plug-in or custom decode to analyze that proprietary protocol you have running on that legacy application.
This month’s tip is based on a question that has been repeatedly asked by our customers over the last few months. Several members of our technical team have provided individual responses to the question, but we wanted to spread the word with this tip. The question is: When the Peek analyzer examines a conversation, how does it determine who is the client and who is the server?
So, what if I told you I could show you how to get your baselines with less than 30 seconds of effort? And yes, you could do multiple baselines at one time to save even more time. Well, I’m sure you would be hesitant to believe me, but read on and I’ll tell you how to do it and show you just how easy it is.
The Peek analyzer’s Peer Map is an often-overlooked feature that can be very powerful when used to its full potential. Unfortunately, many Peek users simply go to the Peer map, glance at the traffic diagram, and then move on to other views provided by the analyzer. A quick look at the following Peer Map sample reveals an immediate problem.
Your network infrastructure is at the core of your entire network. And with all the talk about threats and security breaches, you would think we would do more to validate that our infrastructures are working the way we expect them to.
This month’s tip is all about casting off the lines of the traditional Peek Analyzer GUI, and setting sail into new waters of analysis bliss. OK, so maybe this tip really won’t change your life in a profound way, but it’s still really good stuff! It’s all about a new Peek feature that enhances your ability to multitask. So raise the main sail and put to sea!
This month's tip is about real estate, but probably not the type you are thinking of. No, we are not trying to sell you land. If you have been reading our tips over the past many months and years, you are probably having a problem doing all the things that we have shown you. Why? Because you don't have enough real estate... 'display' real estate that is. And with the 'Peeks' not having any limitations on the number of concurrent captures that you can run, plus the new capability in OmniPeek to undock windows (which we will cover in next month's tip), available screen real estate is becoming a huge limitation.