The Sniffer™ Ethernet Network Portable Protocol Analyzer
Operation and Reference Manual
Model PA-302
Network General
Network General Corporation 1945A Charleston Road, Mountain View, California 94043
DISCLAIMER OF WARRANTIES
The information in this document has been reviewed and is believed to be reliable; nevertheless, Network General Corporation makes no warranties, either expressed or implied, with respect to this manual or with respect to the software and hardware described in this manual, its quality, performance, merchantability, or fitness for any particular purpose. The entire risk as to its quality and performance is with the buyer. The software herein is transferred “AS IS.”
Network General Corporation reserves the right to make changes to any products described herein to improve their function or design.
In no event will Network General Corporation be liable for direct, indirect, incidental or consequential damages at law or in equity resulting from any defect in the software, even if Network General Corporation has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you.
This document is copyrighted and all rights are reserved. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from Network General Corporation.
The Sniffer and TeleSniffer are trademarks of Network General Corporation. ARCNET is a trademark of Datapoint Corporation. DataShow is a trademark of Eastman Kodak Corporation. DECnet is a trademark of Digital Equipment Corporation. Ethernet is a trademark of Xerox Corporation.
IBM is a registered trademark of IBM Corporation. Novell NetWare is a trademark of Novell, Inc.
Plan Series is a trademark of Nestar Systems, Inc. StarLAN is a trademark of AT&T — Bell Labs.
Unix is a trademark of AT&T — Bell Labs.
3Com and 3+ are trademarks of 3Com Corporation.
©Copyright 1986 — 1988 by Network General Corporation. All rights reserved. Present copyright law protects not only the actual text, but also the “look and feel” of the product screens, as upheld in the Atari and Broderbund cases.
Manual prepared by Paul Berry
Appendices by Leonard J. Shustek
Updated and edited by David M. Trousdale
June 1988
Ethernet Version
Table of Contents
Chapter 1. Overview: What the Sniffer Does
   The Sniffer Is Self-Contained
   Menu-Driven Controls
   Color Monitor or LED Displays
   The Sniffer Is a Specialized Station on the Network
   Capturing Frames from the Network
   The Sniffer “Hears” Every Frame
   Capture Filters
   Real-Time Displays of Network Traffic
   The Capture Buffer
   The Trigger Detector Scans Incoming Frames
   A Trigger Event Stops Capture and Freezes the Buffer
   Specifying the Trigger Pattern
   Displaying the Frames in the Capture Buffer
   Saving the Capture Buffer for Later Analysis
   Selecting the Form of Display
   Windows in the Display
   Two-Station Format
   Higher-level Addresses
   Two Viewpoints
   Saving and Restoring Setups
   The Protocol Interpreters
   Traffic Generator
   Playback
   Schematic View
   Key to Figure
Chapter 2. The Sniffer at Work
   Live Examples
   Example 1: Over-Eager Acknowledgment
   Replaying the Original Capture
   Addresses
   Names for Addresses
   Summary Display, Unfiltered
   Identifying the Message’s Origin and Destination
   Acknowledgments of Telnet Transactions
   Questions to Ask
   Example 2: A Problem with Routing
   The Request that Started It
   Prompt Reply to the Query
   Repeated Frames Carrying the Same Response
   The Bouncing Frame
   Protests Filed
   How Long Should an ICMP Redirect Frame Live?
   Impact on the Network
   Example 3: Who Sifts the Outgoing Mail?
   Pattern of Name Queries from “Lindy” to “Forsythe”
   Displaying the Demo Data On Your Own Sniffer
The Sniffer: Operation and Reference Manual
Chapter 3. Setting Up the Sniffer
   Unpacking
   Documentation
   [illegible entry]
   Connections to the Network Adapter
   [illegible entry]
   Lockposts vs. Screws
   Installing the Adapter Plate for Screw Connections
   Installing a Transceiver
   Color Monitor Option
   Color, Resolution, and Brightness
   LCD Projection
   Software
   Starting the Sniffer
   First Time Precautions
   Backing Up the Contents of the Hard Disk
   Restoring Files on the Hard Disk from a Backup
   The Sniffer’s Menus
   The Main Menu
   A Movable Viewport: the Center Panel
   Leafward: the Panel to the Right
   Rootward: the Panel to the Left
   Choices in the Main Menu
   Preparing to Capture
   Preparing to Display
   To Conclude [remainder illegible]
Chapter 4. Capturing Frames, Generating Traffic, and Testing the Cable
   Capture and Display
   Files of Captured Frames
   Capture Overview
   The Signal to Start Capture
   Setting the Capture Filters
   Station Address Filters
   Protocols in the Capture Filter
   Pattern-Matching in the Capture Filter
   Filtering Defective Frames
   Setting the Trigger
   Positioning the Trigger Frame in the Capture Buffer
   Marking the Trigger Frame
   Stopping When the Buffer is Full
   Continuous Capture
   Setting the Capture Menu Options
   Automatic Cable Test
   Source From Which Frames Are Captured
   Identifying a Playback File
   Audible Clicks
   Truncating the Captured Frames
   Real-Time Displays of Network Traffic
   Counter Overflow
   Pair Counts
   Individual Counts
   Skylines
   Units for Measuring Traffic Density
   Real-time Traffic Density Bar Graph
   Bar Graph Scales
   Traffic Counters
   Chime Signals
   Noting Unrepresented DLC Addresses
   Naming Stations
   Capture Buffer Storage Space
   Options During Capture
   Options During Pause
   Highspeed Capture
   Generating Traffic to Load the Network
   Starting the Traffic Generator
   Format of the Transmitted Frames
   Sequence Number in Each Generated Frame
   Using the Sniffer to Help Locate Cable Faults
Chapter 5. Displaying and Interpreting the Captured Data .... 95
   The Display Menu .... 95
   Deciding Which Set of Captured Data to Display .... 96
   Setting the Display Filters .... 96
   Criteria for Filtering .... 97
   Procedure for Setting Display Filters .... 99
   Setting the Address Level Filter .... 99
   Address Level Filter Affects Names in the Display .... 100
   Setting the Protocol Filter .... 100
   Three Ways to View Frames .... 102
   The Summary View .... 102
   Two-Station Format .... 104
   Selecting Stations to Show in Two-Station Format .... 104
   Multiple Levels .... 105
   Use of Symbolic Names .... 105
   Width of Symbolic Names .... 106
   Flags Option .... 107
   Displaying Time, Network Utilization, and Size .... 108
   The Detail View .... 110
   Frame Error Reports .... 112
   The Hexadecimal View .... 113
   Windows and Views .... 114
   Scrolling Within a Window .... 114
   Numbering of Frames .... 115
   The Active Window .... 115
   Displaying Simultaneous Views .... 115
   Scrolling in Simultaneous Views .... 116
   Two Viewports Side-by-Side .... 116
   Highlighting Detail in the Hex View .... 118
   Options During Display .... 119
   Searching and Jumping .... 120
   Printing a Report on Frames in the Capture Buffer .... 124
Chapter 6. Directories, Files, and Name Management .... 129
   Saving and Loading Frames and Setups .... 129
   Loading a File of Previously-Saved Frames .... 129
   Saving a File of Frames .... 130
   Saving Your Current Setup .... 131
   Contents of a Setup File .... 132
   Using a Saved Setup File .... 132
   Creating a New Startup Setup .... 133
   Managing Names Used in Displays and Filters .... 134
   Building the Name Table .... 134
   Formats for Displaying Higher-Level Addresses .... 135
   Naming Stations .... 136
   Editing the Name Table .... 137
   Clearing the Working Name Table .... 139
   Looking Up Machine Names .... 139
   Saving Names .... 140
   Resolving Names from an External Directory .... 140
   Building Name Dictionaries .... 140
   Alphabetization of Station Names .... 142
   Organization of Software on the Hard Disk .... 144
   The Autoexec Files .... 144
   The Sniffer’s Directory Conventions .... 145
   Several Directories for Capture Files .... 145
   Creating a New Directory .... 145
   Setting a Path to a Different Directory .... 146
   Switching to Another Directory from within a List of Files .... 147
   Several Names Files .... 148
Appendices
A. Format of Saved Data Files .... 149
B. File Name Conventions .... 153
C. Extending Sniffer Protocol Interpreters
   Overview
   What Does a Protocol Interpreter Do?
   Calling Conventions for Protocol Interpreters
   Registering Protocol Interpreters
   The Protocol Interpreter Data Structure
   Generating Output from Protocol Interpreters
   Adding Symbolic Names to the Name Table
   Declaring Embedded Addresses
   Displaying Symbolic Names
   Adding Summary Line Flags
   Using Other Protocol Interpreters
   Advanced Topic: Dependencies on Other Frames
   Debugging Messages
   Advanced Topic: Using the PIF Formatting Routines
   Building a New Sniffer
   An Example
   Programming and Debugging Hints
D. A Brief Summary of the Ethernet Network Architecture
   Physical Interconnection and Speed
   Thick Ethernet
   Thin Ethernet (“Cheapernet”)
   Other Ethernets
   Access Control
   Other Transceiver Functions
   The Format of a Frame
   The Format of the Data
   LLC Frames
   Assignment of Network Addresses
E. Glossary of Acronyms and Specialized Terms
F. Sniffer Specifications
G. References .... 199
H. Troubleshooting Checklist
Index .... 205
List of Figures
1-1   Schematic representation of the Sniffer’s functions.
2-1   The main menu ready to play back the capture of frames from the file TDEMO.ENC.
2-2   Meters and counters based on playback of file TDEMO.ENC.
2-3   Meters and counters, but with symbolic names for the station addresses.
2-4   Summary display of the first twenty frames.
2-5   Telnet frames exchanged between two stations.
2-6   Detail view of the first frame.
2-7   Displaying higher-level addresses reveals the source and destination of frame [illegible].
2-8   Acknowledgments to Telnet frames, shown in two-station format.
2-9   Selecting two viewports facilitates comparison of the acknowledgments of frames 3 and 4.
2-10  Similar comparison of frames 4 and 7.
2-11  Unfiltered list of frames following the name query in frame 32.
2-12  Detail view, showing the origin and destination of frame 32.
2-13  Content of the DNS name query in frame 32.
2-14  IP level of the frame containing Argus’ reply to the name query.
2-15  Part of the DNS reply from Argus, mentioning that it has nine answers for the query that was asked.
2-16  A succession of frames, each an attempt to carry the reply from Argus to ucbrenoir.
2-17  The reply from Argus is about to die after 30 relays.
2-18  The frame destined for ucbrenoir bounces fruitlessly between Frodo and [illegible].
2-19  Each bounce generates an ICMP frame protesting a misrouting.
2-20  Comparing time-to-live in ICMP frames sent by two different machines.
2-21  Menu to select Network Utilization and to select the size of the window around each frame.
2-22  Percentage utilization of the network’s bandwidth for a 100 millisecond window around frames related to the request for name service.
2-23  Bytes transmitted for frames related to the request for name service, accumulated from frame 32.
2-24  Unfiltered display reveals a number of name service requests.
2-25  Detail view of frame 5, showing part of the IP interpretation, including the message’s source and destination.
2-26  Detail view of frame 5, showing interpretation of DNS-level message.
2-27  Summary view of DNS queries from Forsythe to Lindy.
3-1   Connections to the Sniffer’s adapter cards.
3-1a  Adapter plate ready for attachment to a D-connector with lockposts.
3-1b  Connecting a cable with adapter plate to the Sniffer’s network adapter card.
3-2   The Sniffer’s initial selection menu.
3-3   The first panel of the Sniffer’s main menu.
4-1   Default settings of capture filters for station address.
4-2   Menu to select a station for a station address filter.
4-3   Window for inserting a new name and station address.
4-4   Menu to select Ethertypes and SAPs for the capture filter.
4-5   Menu to specify pattern match for the capture filter.
4-6   Inserting the text of a new pattern.
4-7   Specifying the offset for a pattern in the capture filter.
4-7a  Menu for filtering defective frames during capture.
4-8   Default settings of the trigger.
4-9   Window in which to supply trigger pattern.
4-10  Window to supply the location (offset) of the trigger pattern.
4-11  Selecting the rule for stopping capture.
4-12  Capture option in the main menu.
4-13  Capture menu showing field labeled From indicating source from which frames will be captured.
4-14  Window showing list of trace files from which you may elect to capture during playback.
4-15  Capture menu showing playback file selected.
4-16  Menu to limit the length of captured frames.
4-17  Pairwise tabulation during capture by sending station and [illegible].
4-18  Individual tabulation by sending station during capture.
4-19  Skylines graphs during capture.
4-20  The amount of buffer storage space available for frames during capture.
4-21  Skylines graphs during capture and after pressing F7, View [illegible].
4-21a Display and counters operative during highspeed capture.
4-22  Panels showing options for the Traffic Generator.
4-23  Screen visible when the Sniffer is generating traffic.
4-24  Display of a captured frame generated by another Sniffer.
4-24a Menu to activate the Sniffer’s Ethernet Cable Tester.
4-24b Display when the Sniffer detects no cable faults.
4-24c Sniffer report of an open cable.
4-24d Sniffer report of a cable short.
5-1   The main menu showing the Display option and its principal [illegible].
5-2   Menu to establish display filters.
5-3   Display filters menu showing a list of address levels.
5-4   Display filters menu showing list of protocol levels.
5-5   Submenus for Summary view.
5-6   Summary view showing frame 35 in the context of neighboring
5-7   Two-station form of the Summary View.
5-8   Summary display with the highest-level-only restriction removed (here shown in two-station format).
5-9   A two-viewport display showing the Flags column as well as a simultaneous display of Relative Time, Size, and Network Utilization.
5-10  Menu to select the form of time display, average network utilization, and bytes.
5-11  Part of the Detail view of the frame that is visible in hexadecimal in [illegible].
5-12  Scrolling reveals other levels of detail in the same frame.
5-13  Hexadecimal view of 2 frames.
5-14  Menu to select the translation of hex characters.
5-15  Summary, Detail and Hex views shown in three windows.
5-16  Menu to select two independent side-by-side viewports, each containing a Summary display.
5-17  Display with two viewports each containing a Summary window and a Detail window.
5-18  Two viewports, each with three windows.
5-19  Highlighting detail in the Hex window.
5-20  Superimposed menu showing options for moving around in the capture buffer.
5-21  Window in which to write the number of the frame to which you want to go.
5-22  Text search function in the Display Options menu.
Table of Contents
88 89 90 91 91 92 93
95 97 99 101 102
103 104
105
108
110
111 112 113 114 116
117
117 118 119
121
122 122
xiii
Ethernet Version
Xiv
5-23 5-24 5-25 5-26
5-27 5-28 6-1
6-2 6-3 6-4
6-5 6-6 6-7 6-8
6-10 6-11
6-12
B-1 C-1
Window for entering text to search in a Summary display. ............00000
Specifying a pattern to jump t0............cccccsssssssceeccceeeeeeeeeresenseascessasseeeees
Menu to select printing of a report on frames in the capture buffer
Option to specify the range of frames to be included in a printed
TOPOL. ........seccecceccsccenceceecscccececscscnccsseeeeescnseessssseaseasseesceeeessesenseseseseeeeeees
Window to name the file when you choose print to a file.............seecceeeeees
Printed report of a SuMMALyY VICW.........ccscccseesescceeneceeceeeseceeeeeeseeeeeeeoenes
Main menu showing choices you select to load the capture buffer
with data froma files. cicccsccccdscclccsieiecceveseeiedssecassnacevessccndcnedseceescessecessscees
LOAD DATA FROM panel with list of previously-saved files......... Menu for saving data files. ................sccsssssescecseseceeeseeeeeeeeceneeeeeesees
List of saved setup files which can be loaded when alternative configurations are required. ...........cscccscssssssececsceeeessessesceeseneesseeeeees
Menu options for managing names used in Sniffer displays............ Display of the name ‘tables c<sisccccisccsiscuscuasnareosa egexcesnseseoneverenneeresstes Window to provide a new symbolic name for a station............ces00
Window to provide an address and a symbolic name for a new BUALION sc decsieisceacocacecedcessoscocedenceossdecctoecosccdsctesecsssoveeasacetocedeedccesseesae
Sample directory of station addresses and symbolic names, to illustrate its format. ..........sscccccssscecccesecceceeecececenecceeeneeseseaeeseeeeesenes
The sample directory of Figure 6-8 rewritten to use default types. The Make Directory window for entering a new directory path
The Change Path window for switching the directory path used for saving and loading data and setup files. ............:ssssssseeeseeeeeseeeeeeees
eoccccce
File extensions and locations SUMMALY. ..........:.sccceessseecessscceeeeesceeeeeseeees
Summary Of PIF routines, ............cscessccecssssscccescecceeseeceeeeseceeeeeesees
The Sniffer: Operation and Reference Manual
123 124 125
126 127 128
129 130 131
133 137 137 138
139
140 142
146
147 154 167
Ethernet Version
Chapter 1. Overview: What the Sniffer Does
You can observe a lot by watching. — Yogi Berra
The Sniffer collects, analyzes and interprets data transmitted in a local-area network (LAN). It exists in several versions, each tailored to the devices and conventions of a particular network, such as ARCNET or Ethernet. This manual describes the Ethernet version.
The various versions of the Sniffer provide the same capabilities and report them in the same way. However, they are not identical. Differences between the various systems of transmission require corresponding differences in what the Sniffer does.
When attached to a network in the same way as other stations, the Sniffer listens to all transmission between any stations on the network. (It is characteristic of a LAN that every message is physically present at every station, although ordinarily each station ignores all traffic except messages addressed to it.)
The Sniffer maintains real-time counts of the flow of frames. It selects some of the frames it sees and records them for later analysis. Its detailed reports include protocol interpreters which translate the various levels of code and display them in English, from the data-link level on which everything else rests up to the session level used by network applications.
With its detailed records of exactly what transpires during network transactions, it is a powerful tool for trouble-shooting and tuning a network and for testing and refining high-performance network software.
The Sniffer Is Self-Contained
The Sniffer is a fully portable computer and is completely self-contained. It comes with its own Ethernet adapter already installed, its own hard disk, and its own operating system and software ready to run.
To start using the Sniffer, you need only plug its power cord into a suitable outlet and connect it to the network. You may be able to plug it directly into an existing transceiver (perhaps temporarily replacing the station usually connected there). Alternatively, you may need to install an additional transceiver just for the Sniffer.
Because there is such a variety of possible connectors, the Sniffer does not include the cable by which you attach it to the network, but this document explains what you’ll need and how you attach it.
The only customizing of the software you’ll probably find desirable is to augment the Sniffer’s definition file of station names. The Sniffer can then display both the address codes it observes and the names by which you refer to the various machines. (You can build your name tables as you go along; see “Managing Names Used in Displays and Filters” in Chapter 6.)
Menu-Driven Controls
An autoexec batch file already installed on the hard disk starts the Sniffer software as soon as you turn the machine on. You operate the Sniffer from a menu screen. You move the cursor to the choices you want, select options by pressing the space bar while they’re highlighted, and press Enter or one of the function keys to start an action. Whenever a function key is operative, it’s highlighted and labeled in the screen display.
There is no command language, and there are no commands to learn. About the only information you supply by typing is the name for a file you wish to save or the details of particular transmissions you want to look for.
When you exit from the Sniffer’s software, it returns you to its operating system, MS DOS. The Sniffer is then a standard AT-class personal computer operating under DOS. A DOS manual is included with the Sniffer.
Color Monitor or LCD Display
The Sniffer’s built-in monitor is a high-resolution orange plasma display with four intensity levels. You can also connect your own color monitor or an external LCD display. The Sniffer provides a DB-9 jack for an RGBI monitor that supports the IBM color graphics monitor (CGA or EGA). You have only to plug in your equipment and to select the corresponding option in the Sniffer’s initial menu.
The Sniffer Is a Specialized Station on the Network
Like most of the other network devices, the Sniffer is an independent computer with its own software and hardware and its own network adapter. It does not need (and does not include) a copy of the network management software used by ordinary stations on the network.
As far as the other stations on the network are concerned, the Sniffer is a passive member. Like any ordinary station on the network, it hears the transmissions from all other stations. It notes them for analysis but never responds to the other stations or acts as receiver for messages that other stations send. It originates traffic addressed to other stations only in a test mode designed to load the network. Finally, it can emit test pulses to look for cable faults.
Capturing Frames from the Network
Complete analysis of network activity includes two broad phases: capture and display. In the first phase, arriving frames are captured and stored in a buffer, and the Sniffer performs some analysis with real-time displays of network activity. In the second phase, frames are displayed in a variety of formats for further analytic work.
The Sniffer “Hears” Every Frame
Ethernet is a bus system. All stations are connected to a common bus. Like every other station on the network, the Sniffer hears every frame transmitted.
The Sniffer’s adapter card makes a temporary record of each frame and passes it to the Sniffer’s on-board processor for review. The processor filters these just-received frames: it keeps those that pass the capture filter you’ve set and records them for later analysis and interpretation, and it discards the rest.
Capture Filters
The number of frames reaching the Sniffer’s network adapter is potentially so large that it’s essential to select only a subset. The Sniffer applies a filter to each newly-arrived frame and discards the frames that do not meet its test. Capture filters are of three types:
• Selection by station address: The Sniffer keeps frames sent from or received by a particular station or pair of stations.
• Selection by protocol: The Sniffer keeps frames containing any of the protocols you specify.
• Selection by pattern: The Sniffer keeps frames containing a specified pattern of data at a particular position in the frame.
(For example, a typical filter might admit only messages to or from a particular user and a server with which the user is experiencing a problem and only those frames involving a particular protocol.)
Setting an appropriate filter is your first step in collecting data. Often the majority of arriving frames are immediately discarded. The frames that your filter admits then pass to a buffer area from which you may display or analyze them, send them to storage, or discard them.
Real-Time Displays of Network Traffic
While the Sniffer is collecting data, it measures the rate at which frames are arriving and gives you a real-time graphic display of meters (which show the data-rate) and traffic statistics (which show running calculations of network activity).
Common to all displays are the traffic density bar, the set of traffic statistics above the traffic density bar, and an elapsed time counter.
• Traffic density bar. Displays traffic as kilobytes per second, as frames per second, or as a percentage of the network’s available bandwidth. You can display all three measures of traffic density on either a linear or a logarithmic scale.
• Traffic statistics. Just above the traffic density bar are two rows of statistics displayed by the Sniffer. These include counters for the number of good frames seen by the Sniffer as well as for defective and lost frames. In addition, there are counters for the number of frames seen, and the number of kilobytes and frames accepted, by the Sniffer. Finally, the percentage of the capture buffer used by the Sniffer is continuously updated.
• Elapsed time counter. Shows the total elapsed time during which traffic statistics are accumulated.
In addition to the features common to all displays, there are features which are unique to particular displays and which provide alternative perspectives on network activity. Three optional displays of network activity are:
• Individual counts. The display shows either a count of frames per second or of kilobytes per second for each station contributing to network traffic. The display is expanded in real time: as the Sniffer notices traffic involving stations it hasn’t seen before, it makes room in the display to include them.
• Pair counts. The display reports traffic in terms of senders and addressees. For each pair of communicating stations, the Sniffer updates a counter for frames per second or for kilobytes per second. The pair counts display also expands in real time.
• Skylines. Shows the real-time display as a moving “skyline.” You see two graphs: one shows either the number of frames per second, or the number of Kbytes per second, being captured within a time interval which you set; the other shows the number of active stations, i.e., stations that have sent frames in the interval. You can display all three measures of traffic density on either linear or logarithmic scales.
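To make the arithmetic behind the density bar, the counters and the three optional displays concrete, here is an added example in Python; it is not part of the manual and not Network General’s software. It tallies a small constructed set of frames (the station names and timestamps are made up) into the three density units, the good/defective counters, the per-station and per-pair counts, and the per-interval active-station count that the Skylines graph plots, and it renders one density-bar reading on a linear or logarithmic scale. The 10 Mbit/s line rate and the preamble and interframe-gap overhead charged to each frame for the percentage-of-bandwidth figure are assumptions of the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample capture: (timestamp in seconds, sender, receiver,
# frame length in bytes including the FCS, frame received without error).
# Station names are made up; they stand in for the addresses or symbolic
# names the Sniffer would show.
SAMPLE_FRAMES = [
    (0.00, "WS-A", "SERVER", 64, True),
    (0.05, "SERVER", "WS-A", 1518, True),
    (0.10, "WS-B", "SERVER", 64, True),
    (0.15, "SERVER", "WS-B", 1518, True),
    (0.20, "WS-A", "SERVER", 64, False),   # defective frame (bad CRC)
    (1.10, "WS-C", "SERVER", 512, True),
    (1.30, "SERVER", "WS-C", 1518, True),
    (1.70, "WS-A", "SERVER", 64, True),
]

# Assumptions for the percentage-of-bandwidth measure: 10 Mbit/s Ethernet, and
# each frame also occupies preamble and interframe-gap time on the wire.
LINE_RATE_BPS = 10_000_000
PREAMBLE_BYTES = 8
IFG_BYTES = 12


def wire_bytes(length):
    """Byte-times a frame occupies on the medium, including preamble and gap."""
    return length + PREAMBLE_BYTES + IFG_BYTES


def traffic_counters(frames):
    """Counters shown above the density bar: frames seen, good and defective."""
    c = Counter()
    for _, _, _, _, ok in frames:
        c["seen"] += 1
        c["good" if ok else "defective"] += 1
    return c


def density(frames, interval=1.0):
    """Per-interval traffic density in all three units of the density bar, plus
    the number of active (sending) stations that the Skylines graph shows."""
    buckets = defaultdict(lambda: {"frames": 0, "bytes": 0, "wire": 0, "senders": set()})
    for ts, src, _, length, _ in frames:
        b = buckets[int(ts // interval)]
        b["frames"] += 1
        b["bytes"] += length
        b["wire"] += wire_bytes(length)
        b["senders"].add(src)
    return {
        idx: {
            "frames_per_s": b["frames"] / interval,
            "kbytes_per_s": b["bytes"] / 1024 / interval,
            "pct_utilization": 100.0 * b["wire"] * 8 / (LINE_RATE_BPS * interval),
            "active_stations": len(b["senders"]),
        }
        for idx, b in sorted(buckets.items())
    }


def station_counts(frames):
    """Individual counts: frames contributed by each sending station."""
    return Counter(src for _, src, _, _, _ in frames)


def pair_counts(frames):
    """Pair counts: frames exchanged between each pair of communicating stations."""
    return Counter(tuple(sorted((src, dst))) for _, src, dst, _, _ in frames)


def bar(value, full_scale, width=40, log=False):
    """Render one density-bar reading on a linear or a logarithmic scale."""
    value = max(0.0, min(value, full_scale))
    fraction = (math.log10(1 + value) / math.log10(1 + full_scale)) if log else value / full_scale
    filled = int(round(width * fraction))
    return "#" * filled + "-" * (width - filled)


if __name__ == "__main__":
    print(dict(traffic_counters(SAMPLE_FRAMES)))
    for idx, d in density(SAMPLE_FRAMES).items():
        print(f"second {idx}: {d['frames_per_s']:.0f} frames/s "
              f"{d['kbytes_per_s']:.2f} KB/s {d['pct_utilization']:.3f}% "
              f"{d['active_stations']} active [{bar(d['pct_utilization'], 100, 20, log=True)}]")
    print(dict(station_counts(SAMPLE_FRAMES)))
    print(dict(pair_counts(SAMPLE_FRAMES)))
```

The logarithmic scale is what makes a lightly loaded segment visible next to a saturated one; with the linear scale the 0.27% reading above would not fill a single cell of a 40-cell bar.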
The Capture Buffer
After they’ve been counted, frames that the filter accepts pass to the capture buffer. (On the way, they’re examined by the trigger detector, described in a moment.) The capture buffer has room for a moderate number of frames (thousands of medium-sized frames). Frames accumulate in the buffer in the order they are received.
When the capture buffer becomes full, the Sniffer may halt capture or may discard older frames to make way for new arrivals, as you’ve elected. If you do nothing to retain the frames in the capture buffer, the Sniffer automatically discards them; in that case, the frames that remain in the buffer are the ones most recently received.
The Trigger Detector Scans Incoming Frames
The trigger detector scans the stream of incoming frames. It’s located after the capture filter, so that it looks only at frames that have passed through the filter but haven’t yet reached the capture buffer (Figure 1-1).
The trigger detector looks for a frame containing a particular pattern that you’ve described. When it finds such a frame, it signals a trigger event. The trigger event freezes the capture buffer so you can examine the trigger frame and the frames that precede or follow it.
A Trigger Event Stops Capture and Freezes the Buffer
When the trigger detector signals a trigger event, capture ceases, either immediately or with enough delay to collect some of the following frames. Once capture has been halted, you can:
• Copy the contents of the capture buffer to a file for later analysis or display.
• Browse through various displays of the frames in the capture buffer.
• Impose a display filter to select which frames are displayed.
• Select one or more views (ways of displaying a frame).
• Print the contents of the buffer, according to the filters and views you’ve specified.
A trigger event halts the processing of incoming data. It causes the Sniffer to cease capturing frames until you say you’re again ready to receive them.
Specifying the Trigger Pattern
A trigger pattern is a set of characters at a particular position in a frame. You can make the test match either the presence or the absence of the pattern.
For example, if you’re examining complaints of intermittent problems with access to a particular file server, you might set up a collection filter that accepts only frames to or from that station and a trigger that signals when it spots an error return code.
The frame that matches the trigger pattern is called the trigger frame. When it appears in your display of the capture buffer, the trigger frame is identified by a letter T beside it. One of the actions during display is Jump to trigger.
When you set up a trigger pattern, you also indicate where in the capture buffer you want the trigger frame to appear. That determines whether the buffer contains frames that preceded the trigger frame, frames that followed it, or some on either side.
Displaying the Frames in the Capture Buffer
You have many options for displaying the contents of the capture buffer, either to the Sniffer’s screen or to a printer. (You can direct printer output either to a locally-attached printer or to a file on one of the Sniffer’s disk drives.)
You can set up a display filter so that frames that don’t interest you are omitted from the display (even though they remain in the capture buffer). The mechanism for filtering frames from the capture buffer is like the mechanism for filtering frames during capture.
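The capture pipeline this chapter describes (the three kinds of capture filter, the trigger detector watching the frames that pass the filter, the bounded buffer that either halts or drops its oldest frame when full, the trigger pattern that halts capture immediately or after some following frames, and a display filter built the same way as a capture filter) can be modelled end to end. The following is an added Python example, not code from the manual or from Network General. The station addresses, the payloads and the two-byte “error return code” at the start of the data are constructed for the example, and the sample run follows the file-server scenario given above: keep only IP frames to or from the server, trigger on the error code, and keep two frames after it in a four-frame buffer.

```python
from collections import Counter, deque

# Constructed station addresses (locally administered, not real hardware).
SERVER = bytes.fromhex("020000000001")
WS_A = bytes.fromhex("020000000002")
WS_B = bytes.fromhex("020000000003")
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806   # real EtherType values

def frame(dst, src, ethertype, data):   # Ethernet II: dst, src, type, data (no preamble/FCS)
    return dst + src + ethertype.to_bytes(2, "big") + data

def dst_of(f): return f[0:6]
def src_of(f): return f[6:12]
def ethertype_of(f): return int.from_bytes(f[12:14], "big")

# The three kinds of capture filter; display filters are built the same way.
def station_filter(*stations):
    wanted = set(stations)
    return lambda f: src_of(f) in wanted or dst_of(f) in wanted

def protocol_filter(*ethertypes):
    return lambda f: ethertype_of(f) in ethertypes

def pattern_filter(offset, pattern, present=True):
    """Frames that do (or, with present=False, do not) carry `pattern` at `offset`."""
    return lambda f: (f[offset:offset + len(pattern)] == pattern) == present

def all_of(*tests):
    return lambda f: all(test(f) for test in tests)

class CaptureBuffer:
    """Capture filter -> trigger detector -> bounded buffer. A full buffer either
    halts capture or drops its oldest frame; once the trigger fires, capture halts
    after `frames_after_trigger` more accepted frames, which fixes how many frames
    before and after the trigger frame remain in the buffer."""

    def __init__(self, capacity, capture_filter=None, trigger=None,
                 frames_after_trigger=0, halt_when_full=False):
        self.capture_filter = capture_filter or (lambda f: True)
        self.trigger = trigger
        self.frames_after_trigger = frames_after_trigger
        self.halt_when_full = halt_when_full
        self.frames = deque(maxlen=capacity)   # (sequence number, frame) pairs
        self.next_seq = 0
        self.trigger_seq = self.remaining = None   # trigger frame's seq; frames still to accept
        self.halted = False
        self.counters = Counter()

    def offer(self, f):
        """Feed one arriving frame and report what happened to it."""
        self.counters["seen"] += 1
        if self.halted:
            self.counters["halted"] += 1
            return "halted"
        if not self.capture_filter(f):
            self.counters["filtered"] += 1
            return "filtered"
        if self.halt_when_full and len(self.frames) >= self.frames.maxlen:
            self.halted = True
            self.counters["halted"] += 1
            return "halted"
        self.frames.append((self.next_seq, f))
        self.counters["accepted"] += 1
        if self.trigger_seq is None:
            if self.trigger is not None and self.trigger(f):
                self.trigger_seq, self.remaining = self.next_seq, self.frames_after_trigger
        else:
            self.remaining -= 1
        if self.trigger_seq is not None and self.remaining <= 0:
            self.halted = True
        self.next_seq += 1
        return "accepted"

def summary(buf, display_filter=None):
    """Summary-view lines for the buffer, optionally display-filtered; T marks the trigger frame."""
    keep = display_filter or (lambda f: True)
    return [f"{seq:4d} {'T' if seq == buf.trigger_seq else ' '} {src_of(f).hex(':')} -> "
            f"{dst_of(f).hex(':')} type=0x{ethertype_of(f):04x} len={len(f)}"
            for seq, f in buf.frames if keep(f)]

def run_sample():
    """Keep only IP frames to or from SERVER; trigger on a constructed 'error
    return code' (ff 01 at the start of the data) and keep two frames after it."""
    buf = CaptureBuffer(capacity=4,
                        capture_filter=all_of(station_filter(SERVER), protocol_filter(ETHERTYPE_IP)),
                        trigger=pattern_filter(14, b"\xff\x01"),
                        frames_after_trigger=2)
    arrivals = [
        frame(SERVER, WS_A, ETHERTYPE_IP, b"\x00\x01REQ1"),
        frame(WS_B, WS_A, ETHERTYPE_IP, b"\x00\x01chat"),    # neither station is SERVER
        frame(WS_A, SERVER, ETHERTYPE_IP, b"\x00\x00OK01"),
        frame(SERVER, WS_A, ETHERTYPE_ARP, b"who-has"),      # right station, wrong protocol
        frame(SERVER, WS_A, ETHERTYPE_IP, b"\x00\x02REQ2"),
        frame(WS_A, SERVER, ETHERTYPE_IP, b"\xff\x01ERR!"),  # trigger frame
        frame(SERVER, WS_A, ETHERTYPE_IP, b"\x00\x03REQ3"),
        frame(WS_A, SERVER, ETHERTYPE_IP, b"\x00\x00OK03"),  # second frame after trigger: halt
        frame(SERVER, WS_A, ETHERTYPE_IP, b"\x00\x04REQ4"),  # arrives after capture halted
    ]
    return buf, [buf.offer(f) for f in arrivals]
```

Running `run_sample()` leaves the four-frame buffer holding one frame before the trigger, the trigger frame marked T, and the two frames after it; the two earlier accepted frames have been pushed out by the ring, and the frame that arrives after the halt is counted but not stored. Passing `pattern_filter(14, b"\xff\x01")` to `summary` as a display filter shows only the error frame while the rest stay in the buffer, which is exactly the relationship between display filters and capture filters the text describes.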
Saving the Capture Buffer for Later Analysis
From the keyboard, you can select a command that saves the contents of the capture buffer to a file. You can save the entire capture buffer or just the frames that are selected by your current display filter.
Selecting the Form of Display
All displays and analyses work with the data in the capture buffer. You can display data that has arrived and is still in the buffer, or you can load the capture buffer with data you earlier saved to a file.
The display may contain any or all of the following three reports:
• Summary view. This condensed form abbreviates and truncates some of the information from the Hexadecimal view and some of the information from the Detail view. It forces each level of interpretation to fit on a single line. The display contains one line for each level of protocol in the frame. You can elect to show only the highest level; in that case, the Summary view has one line per frame.
• Detail view. Each frame is decoded to show the type of frame and the values of its various fields. If you provide a file of symbolic names for station addresses, the Detail view augments the station names with the symbolic names provided in your file of definitions.
For high-level frames, the interpretation may take several levels. The “higher” level interpretation of a frame is more deeply nested within it. The various interpretations are shown with the “higher” protocol levels (i.e., the ones that are more “deeply” embedded) after the lower ones.
• Hexadecimal view. The entire frame is listed. You can elect whether you want character data displayed according to ASCII or EBCDIC conventions.
The Hexadecimal view and the Detail view show data for just one frame. The Summary view shows not only the frame you’re now examining but a few on either side of it as well to give context.
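As an added example, not taken from the manual or from the Sniffer software, the following Python produces a Detail-view style decode of the data-link level of one frame and a Hexadecimal view of the same frame with the character column translated under ASCII or EBCDIC conventions. The frame is constructed for the example (locally administered addresses, and a short text carried once in ASCII and once in EBCDIC so the difference between the two translations is visible). The EBCDIC translation uses code page 037 (Python’s `cp037`), which is an assumption of the example; the manual does not say which EBCDIC variant the Sniffer uses.

```python
# Constructed sample frame: an Ethernet II header followed by the same text once
# in ASCII and once in EBCDIC. Addresses are locally administered, not real stations.
SAMPLE_FRAME = (
    bytes.fromhex("020000000001")                 # destination
    + bytes.fromhex("020000000002")               # source
    + (0x0800).to_bytes(2, "big")                 # EtherType: IP
    + b"HELLO, WORLD"                             # ASCII text
    + bytes.fromhex("c8c5d3d3d66b40e6d6d9d3c4")   # "HELLO, WORLD" in EBCDIC (cp037)
)
ETHERTYPE_NAMES = {0x0800: "IP", 0x0806: "ARP"}   # real EtherType values


def detail_view(f):
    """Detail-view style decode of the data-link level: each header field with its value."""
    ethertype = int.from_bytes(f[12:14], "big")
    return {
        "Destination": f[0:6].hex(":"),
        "Source": f[6:12].hex(":"),
        "Ethertype": f"0x{ethertype:04x} ({ETHERTYPE_NAMES.get(ethertype, 'unknown')})",
        "Data length": len(f) - 14,
    }


def printable(byte, charset):
    """Translate one byte for the text column; non-printing bytes show as '.'.
    The EBCDIC variant is assumed to be code page 037 (cp037)."""
    ch = bytes([byte]).decode("cp037") if charset == "ebcdic" else chr(byte)
    return ch if 0x20 <= ord(ch) < 0x7F else "."


def hex_view(data, charset="ascii", width=16):
    """Hexadecimal view: one (offset, hex bytes, translated text) row per `width` bytes."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        rows.append((off,
                     " ".join(f"{b:02x}" for b in chunk),
                     "".join(printable(b, charset) for b in chunk)))
    return rows


def render(rows, width=16):
    """Lay the rows out as a hex window would: offset, bytes, translated text."""
    return "\n".join(f"{off:04x}  {hx:<{width * 3 - 1}}  {text}" for off, hx, text in rows)


if __name__ == "__main__":
    for field, value in detail_view(SAMPLE_FRAME).items():
        print(f"{field:>12}: {value}")
    print(render(hex_view(SAMPLE_FRAME, "ascii")))
    print(render(hex_view(SAMPLE_FRAME, "ebcdic")))
```

Under the ASCII translation the first copy of the text is readable and the EBCDIC copy shows as dots (with one stray `k`, because EBCDIC’s comma, 0x6B, happens to be a printable ASCII letter); under the EBCDIC translation it is the other way round. Picking the wrong convention is the usual reason character data in a captured frame looks like noise.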
Windows in the Display
Each view you elect appears in a window. The screen may also be divided into two, three, four, or six equal-sized windows, according to the number of views and viewports you request.
The window that contains the cursor bar is the active window. The Tab key moves the highlight from one window to the next, activating the window where it arrives. When a frame’s display won't fit within its window, you can scroll the active window to see the information you want. You can also zoom in to the active window, temporarily giving it the entire screen until you zoom out and restore the other windows.
Two-Station Format
Frequently, analysis concerns the flow of commands back and forth between a pair of stations. In that situation, it is often helpful to