
Network General

Ethernet® Network Portable Protocol Analyzer

Operation and Reference Manual

Model PA-302

Network General Corporation 1945A Charleston Road, Mountain View, California 94043

DISCLAIMER OF WARRANTIES

The information in this document has been reviewed and is believed to be reliable; nevertheless, Network General Corporation makes no warranties, either expressed or implied, with respect to this manual or with respect to the software and hardware described in this manual, its quality, performance, merchantability, or fitness for any particular purpose. The entire risk as to its quality and performance is with the buyer. The software herein is transferred “AS IS.”

Network General Corporation reserves the right to make changes to any products described herein to improve their function or design.

In no event will Network General Corporation be liable for direct, indirect, incidental or consequential damages at law or in equity resulting from any defect in the software, even if Network General Corporation has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of implied warranties or liability for incidental or consequential damages, so the above limitation or exclusion may not apply to you.

This document is copyrighted and all rights are reserved. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from Network General Corporation.

The Sniffer and TeleSniffer are trademarks of Network General Corporation. ARCNET is a trademark of Datapoint Corporation. DataShow is a trademark of Eastman Kodak Corporation. DECnet is a trademark of Digital Equipment Corporation. Ethernet is a trademark of Xerox Corporation.

IBM is a registered trademark of IBM Corporation. Novell NetWare is a trademark of Novell, Inc.

Plan Series is a trademark of Nestar Systems, Inc. StarLAN is a trademark of AT&T Bell Labs.

Unix is a trademark of AT&T Bell Labs.

3Com and 3+ are trademarks of 3Com Corporation.

© Copyright 1986, 1988 by Network General Corporation. All rights reserved. Present copyright law protects not only the actual text, but also the “look and feel” of the product screens, as upheld in the Atari and Broderbund cases.

Manual prepared by Paul Berry
Appendices by Leonard J. Shustek
Updated and edited by David M. Trousdale
June 1988

Ethernet Version

Table of Contents

Chapter 1. Overview: What the Sniffer Does
  The Sniffer Is Self-Contained
  Menu-Driven Controls
  Color Monitor or LCD Displays
  The Sniffer Is a Specialized Station on the Network
  Capturing Frames from the Network
  The Sniffer “Hears” Every Frame
  Capture Filters
  Real-Time Displays of Network Traffic
  The Capture Buffer
  The Trigger Detector Scans Incoming Frames
  A Trigger Event Stops Capture and Freezes the Buffer
  Specifying the Trigger Pattern
  Displaying the Frames in the Capture Buffer
  Saving the Capture Buffer for Later Analysis
  Selecting the Form of Display
  Windows in the Display
  Two-Station Format
  Higher-level Addresses
  Two Viewpoints
  Saving and Restoring Setups
  The Protocol Interpreters
  Traffic Generator
  Playback
  Schematic View
  Key to Figure


Chapter 2. The Sniffer at Work
  Live Examples
  Example 1: Over-Eager Acknowledgment
  Replaying the Original Capture
  Addresses
  Names for Addresses
  Summary Display, Unfiltered
  Identifying the Message’s Origin and Destination
  Acknowledgments of Telnet Transactions
  Questions to Ask
  Example 2: A Problem with Routing
  The Request that Started It
  Prompt Reply to the Query
  Repeated Frames Carrying the Same Response
  The Bouncing Frame
  Protests Filed
  How Long Should an ICMP Redirect Frame Live?
  Impact on the Network
  Example 3: Who Sifts the Outgoing Mail?
  Pattern of Name Queries from “Lindy” to “Forsythe”
  Displaying the Demo Data On Your Own Sniffer


Chapter 3. Setting Up the Sniffer
  Unpacking
  Documentation
  Hardware
  Connections to the Network Adapter
  Lockposts vs. Screws
  Installing the Adapter Plate for Screw Connections
  Installing a Transceiver
  Color Monitor Option
  Color, Resolution, and Brightness
  LCD Projection
  Software
  Starting the Sniffer
  First Time Precautions
  Backing Up the Contents of the Hard Disk
  Restoring Files on the Hard Disk from a Backup
  The Sniffer’s Menus
  The Main Menu
  A Movable Viewport: the Center Panel
  Leafward: the Panel to the Right
  Rootward: the Panel to the Left
  Choices in the Main Menu
  Preparing to Capture
  Preparing to Display
  To Conclude …


Chapter 4. Capturing Frames, Generating Traffic, and Testing the Cable
  Capture and Display
  Files of Captured Frames
  Capture Overview
  The Signal to Start Capture
  Setting the Capture Filters
  Station Address Filters
  Protocols in the Capture Filter
  Pattern-Matching in the Capture Filter
  Filtering Defective Frames
  Setting the Trigger
  Positioning the Trigger Frame in the Capture Buffer
  Marking the Trigger Frame
  Stopping When the Buffer is Full
  Continuous Capture
  Setting the Capture Menu Options
  Automatic Cable Test
  Source From Which Frames Are Captured
  Identifying a Playback File
  Audible Clicks
  Truncating the Captured Frames
  Real-Time Displays of Network Traffic
  Counter Overflow
  Pair Counts
  Individual Counts
  Skylines
  Units for Measuring Traffic Density
  Real-time Traffic Density Bar Graph
  Bar Graph Scales
  Traffic Counters
  Chime Signals
  Noting Unrepresented DLC Addresses
  Naming Stations
  Capture Buffer Storage Space
  Options During Capture
  Options During Pause
  Highspeed Capture
  Generating Traffic to Load the Network
  Starting the Traffic Generator
  Format of the Transmitted Frames
  Sequence Number in Each Generated Frame
  Using the Sniffer to Help Locate Cable Faults


Chapter 5. Displaying and Interpreting the Captured Data ... 95
  The Display Menu ... 95
  Deciding Which Set of Captured Data to Display ... 96
  Setting the Display Filters ... 96
  Criteria for Filtering ... 97
  Procedure for Setting Display Filters ... 99
  Setting the Address Level Filter ... 99
  Address Level Filter Affects Names in the Display ... 100
  Setting the Protocol Filter ... 100
  Three Ways to View Frames ... 102
  The Summary View ... 102
  Two-Station Format ... 104
  Selecting Stations to Show in Two-Station Format ... 104
  Multiple Levels ... 105
  Use of Symbolic Names ... 105
  Width of Symbolic Names ... 106
  Flags Option ... 107
  Displaying Time, Network Utilization, and Size ... 108
  The Detail View ... 110
  Frame Error Reports ... 112
  The Hexadecimal View ... 113
  Windows and Views ... 114
  Scrolling Within a Window ... 114
  Numbering of Frames ... 115
  The Active Window ... 115
  Displaying Simultaneous Views ... 115
  Scrolling in Simultaneous Views ... 116
  Two Viewports Side-by-Side ... 116
  Highlighting Detail in the Hex View ... 118
  Options During Display ... 119
  Searching and Jumping ... 120
  Printing a Report on Frames in the Capture Buffer ... 124


Chapter 6. Directories, Files, and Name Management ... 129
  Saving and Loading Frames and Setups ... 129
  Loading a File of Previously-Saved Frames ... 129
  Saving a File of Frames ... 130
  Saving Your Current Setup ... 131
  Contents of a Setup File ... 132
  Using a Saved Setup File ... 132
  Creating a New Startup Setup ... 133
  Managing Names Used in Displays and Filters ... 134
  Building the Name Table ... 134
  Formats for Displaying Higher-Level Addresses ... 135
  Naming Stations ... 136
  Editing the Name Table ... 137
  Clearing the Working Name Table ... 139
  Looking Up Machine Names ... 139
  Saving Names ... 140
  Resolving Names from an External Directory ... 140
  Building Name Dictionaries ... 140
  Alphabetization of Station Names ... 142
  Organization of Software on the Hard Disk ... 144
  The Autoexec Files ... 144
  The Sniffer’s Directory Conventions ... 145
  Several Directories for Capture Files ... 145
  Creating a New Directory ... 145
  Setting a Path to a Different Directory ... 146
  Switching to Another Directory from within a List of Files ... 147
  Several Names Files ... 148


Appendices

A. Format of Saved Data Files ... 149
B. File Name Conventions ... 153
C. Extending Sniffer Protocol Interpreters
  Overview
  What Does a Protocol Interpreter Do?
  Calling Conventions for Protocol Interpreters
  Registering Protocol Interpreters
  The Protocol Interpreter Data Structure
  Generating Output from Protocol Interpreters
  Adding Symbolic Names to the Name Table
  Declaring Embedded Addresses
  Displaying Symbolic Names
  Adding Summary Line Flags
  Using Other Protocol Interpreters
  Advanced Topic: Dependencies on Other Frames
  Debugging Messages
  Advanced Topic: Using the PIF Formatting Routines
  Building a New Sniffer
  An Example
  Programming and Debugging Hints
D. A Brief Summary of the Ethernet Network Architecture
  Physical Interconnection and Speed
  Thick Ethernet
  Thin Ethernet (“Cheapernet”)
  Other Ethernets
  Access Control
  Other Transceiver Functions
  The Format of a Frame
  The Format of the Data
  LLC Frames
  Assignment of Network Addresses
E. Glossary of Acronyms and Specialized Terms
F. Sniffer Specifications ... 197
G. References ... 199
H. Troubleshooting Checklist ... 204
Index ... 205


List of Figures

1-1   Schematic representation of the Sniffer’s functions.
2-1   The main menu ready to play back the capture of frames from the file TDEMO.ENC.
2-2   Meters and counters based on playback of file TDEMO.ENC.
2-3   Meters and counters, but with symbolic names for the station addresses.
2-4   Summary display of the first twenty frames.
2-5   Telnet frames exchanged between two stations.
2-6   Detail view of the first frame.
2-7   Displaying higher-level addresses reveals the source and destination of frame ….
2-8   Acknowledgments to Telnet frames, shown in two-station format.
2-9   Selecting two viewports facilitates comparison of the acknowledgments of frames 3 and 4.
2-10  Similar comparison of frames 4 and 7.
2-11  Unfiltered list of frames following the name query in frame 32.
2-12  Detail view, showing the origin and destination of frame 32.
2-13  Content of the DNS name query in frame 32.
2-14  IP level of the frame containing Argus’ reply to the name query.
2-15  Part of the DNS reply from Argus, mentioning that it has nine answers for the query that was asked.
2-16  A succession of frames, each an attempt to carry the reply from Argus to ucbrenoir.
2-17  The reply from Argus is about to die after 30 relays.
2-18  The frame destined for ucbrenoir bounces fruitlessly between Frodo and ….
2-19  Each bounce generates an ICMP frame protesting a misrouting.
2-20  Comparing time-to-live in ICMP frames sent by two different machines.
2-21  Menu to select Network Utilization and to select the size of the window around each frame.
2-22  Percentage utilization of the network’s bandwidth for a 100 millisecond window around frames related to the request for name service.
2-23  Bytes transmitted for frames related to the request for name service, accumulated from frame 32.
2-24  Unfiltered display reveals a number of name service requests.


2-25  Detail view of frame 5, showing part of the IP interpretation, including the message’s source and destination.
2-26  Detail view of frame 5, showing interpretation of DNS-level messages.
2-27  Summary view of DNS queries from Forsythe to Lindy.
3-1   Connections to the Sniffer’s adapter cards.
3-1a  Adapter plate ready for attachment to a D-connector with lockposts.
3-1b  Connecting a cable with adapter plate to the Sniffer’s network adapter card.
3-2   The Sniffer’s initial selection menu.
3-3   The first panel of the Sniffer’s main menu.
4-1   Default settings of capture filters for station address.
4-2   Menu to select a station for a station address filter.
4-3   Window for inserting a new name and station address.
4-4   Menu to select Ethertypes and SAPs for the capture filter.
4-5   Menu to specify pattern match for the capture filter.
4-6   Inserting the text of a new pattern.
4-7   Specifying the offset for a pattern in the capture filter.
4-7a  Menu for filtering defective frames during capture.
4-8   Default settings of the trigger.
4-9   Window in which to supply trigger pattern.
4-10  Window to supply the location (offset) of the trigger pattern.
4-11  Selecting the rule for stopping capture.
4-12  Capture option in the main menu.
4-13  Capture menu showing field labeled From indicating source from which frames will be captured.
4-14  Window showing list of trace files from which you may elect to capture during playback.
4-15  Capture menu showing playback file selected.
4-16  Menu to limit the length of captured frames.
4-17  Pairwise tabulation during capture by sending station and ….
4-18  Individual tabulation by sending station during capture.
4-19  Skylines graphs during capture.
4-20  The amount of buffer storage space available for frames during capture.
4-21  Skylines graphs during capture and after pressing F7, View ….
4-21a Display and counters operative during highspeed capture.


Ethernet Version

4-22  Panels showing options for the Traffic Generator.  88
4-23  Screen visible when the Sniffer is generating traffic.  89
4-24  Display of a captured frame generated by another Sniffer.  90
4-24a Menu to activate the Sniffer's Ethernet Cable Tester.  91
4-24b Display when the Sniffer detects no cable faults.  91
4-24c Sniffer report of an open cable.  92
4-24d Sniffer report of a cable short.  93
5-1   The main menu showing the Display option and its principal …  95
5-2   Menu to establish display filters.  97
5-3   Display filters menu showing a list of address levels.  99
5-4   Display filters menu showing list of protocol levels.  101
5-5   Submenus for Summary view.  102
5-6   Summary view showing frame 35 in the context of neighboring frames.  103
5-7   Two-station form of the Summary view.  104
5-8   Summary display with the highest-level-only restriction removed (here shown in two-station format).  105
5-9   A two-viewport display showing the Flags column as well as a simultaneous display of Relative Time, Size, and Network Utilization.  108
5-10  Menu to select the form of time display, average network utilization, and bytes.  110
5-11  Part of the Detail view of the frame that is visible in hexadecimal in …  111
5-12  Scrolling reveals other levels of detail in the same frame.  112
5-13  Hexadecimal view of a frame.  113
5-14  Menu to select the translation of hex characters.  114
5-15  Summary, Detail and Hex views shown in three windows.  116
5-16  Menu to select two independent side-by-side viewports, each containing a Summary display.  117
5-17  Display with two viewports each containing a Summary window and a Detail window.  117
5-18  Two viewports, each with three windows.  118
5-19  Highlighting detail in the Hex window.  119
5-20  Superimposed menu showing options for moving around in the capture buffer.  121
5-21  Window in which to write the number of the frame to which you want to go.  122
5-22  Text search function in the Display Options menu.  122

5-23  Window for entering text to search in a Summary display.  123
5-24  Specifying a pattern to jump to.  124
5-25  Menu to select printing of a report on frames in the capture buffer.  125
5-26  Option to specify the range of frames to be included in a printed report.  126
5-27  Window to name the file when you choose print to a file.  127
5-28  Printed report of a Summary view.  128
6-1   Main menu showing choices you select to load the capture buffer with data from a file.  129
6-2   LOAD DATA FROM panel with list of previously-saved files.  130
6-3   Menu for saving data files.  131
6-4   List of saved setup files which can be loaded when alternative configurations are required.  133
6-5   Menu options for managing names used in Sniffer displays.  137
6-6   Display of the name tables.  137
6-7   Window to provide a new symbolic name for a station.  138
6-8   Window to provide an address and a symbolic name for a new station.  139
6-9   Sample directory of station addresses and symbolic names, to illustrate its format.  140
6-10  The sample directory of Figure 6-8 rewritten to use default types.  142
6-11  The Make Directory window for entering a new directory path.  146
6-12  The Change Path window for switching the directory path used for saving and loading data and setup files.  147
B-1   File extensions and locations summary.  154
C-1   Summary of PIF routines.  167

Chapter 1. Overview: What the Sniffer Does

"You can observe a lot by watching." (Yogi Berra)

The Sniffer collects, analyzes and interprets data transmitted in a local-area network (LAN). It exists in several versions, each tailored to the devices and conventions of a particular network, such as ARCNET or Ethernet. This manual describes the Ethernet version.

The various versions of the Sniffer provide the same capabilities and report them in the same way. However, they are not identical. Differences between the various systems of transmission require corresponding differences in what the Sniffer does.

When attached to a network in the same way as other stations, the Sniffer listens to all transmission between any stations on the network. (It is characteristic of a LAN that every message is physically present at every station, although ordinarily each station ignores all traffic except messages addressed to it.)

The Sniffer maintains real-time counts of the flow of frames. It selects some of the frames it sees and records them for later analysis. Its detailed reports include protocol interpreters which translate the various levels of code and display them in English, from the data-link level on which everything else rests up to the session level used by network applications.

With its detailed records of exactly what transpires during network transactions, it is a powerful tool for trouble-shooting and tuning a network and for testing and refining high-performance network software.


The Sniffer Is Self-Contained

The Sniffer is a fully portable computer and is completely self-contained. It comes with its own Ethernet adapter already installed, its own hard disk, and its own operating system and software ready to run.

To start using the Sniffer, you need only plug its power cord into a suitable outlet and connect it to the network. You may be able to plug it directly into an existing transceiver (perhaps temporarily replacing the station usually connected there). Alternatively, you may need to install an additional transceiver just for the Sniffer.

Because there is such a variety of possible connectors, the Sniffer does not include the cable by which you attach it to the network, but this document explains what you'll need and how you attach it.

The only customizing of the software you'll probably find desirable is to augment the Sniffer's definition file of station names. The Sniffer can then display both the address codes it observes and the names by which you refer to the various machines. (You can build your name tables as you go along; see "Managing Names Used in Displays and Filters" in Chapter 6.)

Menu-Driven Controls

An autoexec batch file already installed on the hard disk starts the Sniffer software as soon as you turn the machine on. You operate the Sniffer from a menu screen. You move the cursor to the choices you want, select options by pressing the space bar while they're highlighted, and press Enter or one of the function keys to start an action. Whenever a function key is operative, it's highlighted and labeled in the screen display.

There is no command language, and there are no commands to learn. About the only information you supply by typing is the name for a file you wish to save or the details of particular transmissions you want to look for.

When you exit from the Sniffer's software, it returns you to its operating system, MS-DOS. The Sniffer is then a standard AT-class personal computer operating under DOS. A DOS manual is included with the Sniffer.

Color Monitor or LCD Display

The Sniffer's built-in monitor is a high-resolution orange plasma display with four intensity levels. You can also connect your own color monitor or an external LCD display. The Sniffer provides a DB-9 jack for an RGBI monitor that follows the IBM color graphics conventions (CGA or EGA). You have only to plug in your equipment and select the corresponding option in the Sniffer's initial menu.


The Sniffer Is a Specialized Station on the Network

Like most of the other network devices, the Sniffer is an independent computer with its own software and hardware and its own network adapter. It does not need (and does not include) a copy of the network management software used by ordinary stations on the network.

As far as the other stations on the network are concerned, the Sniffer is a passive member. Like any ordinary station on the network, it hears the transmissions from all other stations. It notes them for analysis but never responds to the other stations or acts as receiver for messages that other stations send. It originates traffic addressed to other stations only in a test mode designed to load the network. Finally, it can emit test pulses to look for cable faults. Outside those two test modes it transmits nothing.

Capturing Frames from the Network

Complete analysis of network activity includes two broad phases: capture and display. In the first phase, arriving frames are captured and stored in a buffer, and the Sniffer performs some analysis with real-time displays of network activity. In the second phase, the captured frames are displayed in a variety of formats for further analytic work.

The Sniffer "Hears" Every Frame

Ethernet is a bus system. All stations are connected to a common bus. Like every other station on the network, the Sniffer hears every frame transmitted.

The Sniffer's adapter card makes a temporary record of each frame and passes it to the Sniffer's on-board processor for review. The processor filters these just-received frames. It keeps those that pass the capture filter you've set, recording them for later analysis and interpretation, and discards the rest.

Capture Filters

The number of frames reaching the Sniffer's network adapter is potentially so large that it's essential to select only a subset. The Sniffer applies a filter to each newly-arrived frame and discards the frames that do not meet its test. Capture filters are of three types:

• Selection by station address: The Sniffer keeps frames sent from or received by a particular station or pair of stations.

• Selection by protocol: The Sniffer keeps frames containing any of the protocols you specify.

• Selection by pattern: The Sniffer keeps frames containing a specified pattern of data at a particular position in the frame.

(For example, a typical filter might admit only messages to or from a particular user and a server with which the user is experiencing a problem, and only those frames involving a particular protocol.)

Setting an appropriate filter is your first step in collecting data. Often the majority of arriving frames are immediately discarded. The frames that your filter admits then pass to a buffer area from which you may display or analyze them, send them to storage, or discard them.

Real-Time Displays of Network Traffic

While the Sniffer is collecting data, it measures the rate at which frames are arriving and gives you a real-time graphic display of meters (which show the data rate) and traffic statistics (which show running calculations of network activity).

Common to all displays are the traffic density bar, the set of traffic statistics above the traffic density bar, and an elapsed time counter.

• Traffic density bar. Displays traffic as kilobytes per second, as frames per second, or as a percentage of the network's available bandwidth. You can display all three measures of traffic density on either a linear or a logarithmic scale.

• Traffic statistics. Just above the traffic density bar are two rows of statistics displayed by the Sniffer. These include counters for the number of good frames seen by the Sniffer as well as for defective and lost frames. In addition, there are counters for the number of frames seen, and the number of kilobytes and frames accepted, by the Sniffer. Finally, the percentage of the capture buffer used by the Sniffer is continuously updated.

• Elapsed time counter. Shows total elapsed time during which traffic statistics are accumulated.

In addition to the features common to all displays, there are features which are unique to particular displays and which provide alternative perspectives on network activity. Three optional displays of network activity are:

• Individual counts. The display shows either a count of frames per second or kilobytes per second for each station contributing to network traffic. The display is expanded in real time: as the Sniffer notices traffic involving stations it hasn't seen before, it makes room in the display to include them.

• Pair counts. The display reports traffic in terms of senders and addressees. For each pair of communicating stations, the Sniffer updates a counter for frames per second or for kilobytes per second. The pair counts display also expands in real time.

• Skylines. Shows the real-time display as a moving "skyline." You see two graphs: one shows either the number of frames per second, or the number of Kbytes per second, being captured within a time interval which you set; the other shows the number of active stations, i.e., stations that have sent frames in the interval. You can draw these graphs on either a linear or a logarithmic scale.

The Capture Buffer

After they've been counted, frames that the filter accepts pass to the capture buffer. (On the way, they're examined by the trigger detector, described in a moment.) The capture buffer has room for a moderate number of frames (thousands of medium-sized frames). Frames accumulate in the buffer in the order they are received.

When the capture buffer becomes full, the Sniffer either halts capture or discards older frames to make way for new arrivals, as you've elected. If you do nothing to retain the frames in the capture buffer, the Sniffer automatically discards the oldest; in that case, the frames that remain in the buffer are the ones most recently received.

The Trigger Detector Scans Incoming Frames

The trigger detector scans the stream of incoming frames. It's located after the capture filter, so that it looks only at frames that have passed through the filter but haven't yet reached the capture buffer (Figure 1-1).

The trigger detector looks for a frame containing a particular pattern that you've described. When it finds such a frame, it signals a trigger event. The trigger event freezes the capture buffer so you can examine the trigger frame and the frames that precede or follow it.

A Trigger Event Stops Capture and Freezes the Buffer

When the trigger detector signals a trigger event, capture ceases, either immediately or with enough delay to collect some of the following frames. Once capture has been halted, you can:

• Copy the contents of the capture buffer to a file for later analysis or display.

• Browse through various displays of the frames in the capture buffer.

• Impose a display filter to select which frames are displayed.

• Select one or more views (ways of displaying a frame).

• Print the contents of the buffer, according to the filters and views you've specified.
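The pipeline this chapter has described so far (capture filter, real-time counts by station and by pair, trigger detector, and a capture buffer that halts or wraps when full and freezes after a trigger) can be modelled in a few dozen lines. The Python below is an added example written for this edition; it is not code from the Sniffer or from Network General, it parses Ethernet II headers only, and its station addresses, the two-byte status code, the sample frames, the filter names and the post_trigger setting are all assumptions of the example.

```python
"""Added example, not from the Sniffer manual: a capture pipeline shaped like
the one Chapter 1 describes.  Each arriving frame passes the capture filter,
is counted per sender and per sender/addressee pair, is checked by the trigger
detector, and is stored in a fixed-size capture buffer that either wraps
(dropping the oldest frames) or halts when full.  A trigger event admits a
chosen number of post-trigger frames and then freezes the buffer.
Addresses, status codes, sample frames and knob names are constructed here.
"""
from collections import Counter, deque
import struct

ETH_HDR = struct.Struct("!6s6sH")           # destination, source, type


def parse_eth(frame):
    """Return (dst, src, ethertype), addresses as colon-separated hex."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("runt frame")
    dst, src, etype = ETH_HDR.unpack_from(frame)
    return dst.hex(":"), src.hex(":"), etype


# Capture and trigger filters are predicates on the raw frame bytes.
def station_filter(a, b=None):
    """Frames sent from or to station a, or (with b) exchanged between a and b."""
    def keep(frame):
        dst, src, _ = parse_eth(frame)
        return a in (src, dst) if b is None else {src, dst} == {a, b}
    return keep


def protocol_filter(*ethertypes):
    """Frames whose Ethernet type field is one of the given values."""
    return lambda frame: parse_eth(frame)[2] in ethertypes


def pattern_filter(offset, pattern, present=True):
    """Byte pattern at a fixed frame offset; present=False matches its absence."""
    return lambda frame: (frame[offset:offset + len(pattern)] == pattern) == present


def all_of(*preds):
    return lambda frame: all(p(frame) for p in preds)


class Capture:
    def __init__(self, capture_filter, trigger=None, size=8, post_trigger=2,
                 on_full="wrap"):
        self.filt, self.trigger = capture_filter, trigger
        self.size, self.post_trigger, self.on_full = size, post_trigger, on_full
        self.buf = deque(maxlen=size if on_full == "wrap" else None)
        self.seen = self.accepted = 0       # frames offered / frames past the filter
        self.by_station = Counter()         # frames per sending station
        self.pairs = Counter()              # frames per (sender, addressee)
        self.trigger_frame = None           # (sequence number, frame) once triggered
        self.remaining = None               # post-trigger frames still to collect
        self.frozen = False

    def offer(self, frame):
        """Feed one arriving frame; return True if it was stored in the buffer."""
        self.seen += 1
        if self.frozen or not self.filt(frame):
            return False
        dst, src, _ = parse_eth(frame)
        self.accepted += 1                  # counted before it reaches the buffer
        self.by_station[src] += 1
        self.pairs[(src, dst)] += 1
        if self.on_full == "halt" and len(self.buf) >= self.size:
            self.frozen = True              # halt-when-full option
            return False
        self.buf.append((self.accepted, frame))   # wrap mode evicts the oldest
        if self.remaining is None:
            if self.trigger and self.trigger(frame):
                self.trigger_frame = (self.accepted, frame)
                self.remaining = self.post_trigger
        else:
            self.remaining -= 1
        if self.remaining == 0:
            self.frozen = True              # trigger event: capture stops
        return True


# Constructed sample traffic: a user talking to a file server, plus noise.
SERVER, USER, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
IP, ARP = 0x0800, 0x0806
OK, ERR = b"\x00\x00", b"\x00\x05"          # hypothetical status codes


def build(dst, src, etype, payload):
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return ETH_HDR.pack(mac(dst), mac(src), etype) + payload


SAMPLE = [
    build(SERVER, USER, IP, OK + b"req1"),      # accepted 1
    build(OTHER, USER, IP, OK + b"noise"),      # dropped: not the pair
    build(USER, SERVER, IP, OK + b"rsp1"),      # accepted 2
    build(SERVER, USER, ARP, OK),               # dropped: wrong protocol
    build(SERVER, USER, IP, OK + b"req2"),      # accepted 3
    build(USER, SERVER, IP, ERR + b"rsp2"),     # accepted 4: the trigger frame
    build(SERVER, USER, IP, OK + b"req3"),      # accepted 5: post-trigger
    build(USER, SERVER, IP, OK + b"rsp3"),      # accepted 6: post-trigger, freeze
    build(SERVER, USER, IP, OK + b"req4"),      # arrives after the freeze
]


def run_demo(size=4, post_trigger=2, on_full="wrap"):
    """Capture USER<->SERVER IP traffic; trigger on an error status code."""
    cap = Capture(all_of(station_filter(USER, SERVER), protocol_filter(IP)),
                  trigger=pattern_filter(ETH_HDR.size, ERR),
                  size=size, post_trigger=post_trigger, on_full=on_full)
    for frame in SAMPLE:
        cap.offer(frame)
    return cap
```

In the default run the filter admits only the user/server IP frames, the error-status frame fires the trigger as accepted frame 4, two more frames are collected, and the four-frame buffer then holds frames 3 through 6 with the trigger frame second. That is what "where in the capture buffer you want the trigger frame to appear" amounts to: the post-trigger count decides how many frames before and after the event survive the wrap. Calling run_demo(size=3, on_full="halt") shows the other option: the buffer fills before the error arrives and capture stops without a trigger event, so a halt-mode capture needs a buffer large enough to reach the event you are waiting for.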

A trigger event halts the processing of incoming data. It causes the Sniffer to cease capturing frames until you say you're again ready to receive them.

Specifying the Trigger Pattern

A trigger pattern is a set of characters at a particular position in a frame. You can make the test match either the presence or the absence of the pattern.

For example, if you're examining complaints of intermittent problems with access to a particular file server, you might set up a capture filter that accepts only frames to or from that station and a trigger that signals when it spots an error return code.

The frame that matches the trigger pattern is called the trigger frame. When it appears in your display of the capture buffer, the trigger frame is identified by a letter T beside it. One of the actions during display is Jump to trigger.

When you set up a trigger pattern, you also indicate where in the capture buffer you want the trigger frame to appear. That determines whether the buffer contains frames that preceded the trigger frame, frames that followed it, or some on either side.

Displaying the Frames in the Capture Buffer

You have many options for displaying the contents of the capture buffer, either to the Sniffer's screen or to a printer. (You can direct printer output either to a locally-attached printer or to a file on one of the Sniffer's disk drives.)

You can set up a display filter so that frames that don't interest you are omitted from the display (even though they remain in the capture buffer). The mechanism for filtering frames from the capture buffer is like the mechanism for filtering frames during capture.

Saving the Capture Buffer for Later Analysis

From the keyboard, you can select a command that saves the contents of the capture buffer to a file. You can save the entire capture buffer or just the frames that are selected by your current display filter.

Selecting the Form of Display

All displays and analyses work with the data in the capture buffer. You can display data that has arrived and is still in the buffer, or you can load the capture buffer with data you earlier saved to a file.

The display may contain any or all of the following three reports:

• Summary view. This condensed form abbreviates and truncates some of the information from the Hexadecimal view and some of the information from the Detail view. It forces each level of interpretation to fit on a single line. The display contains one line for each level of protocol in the frame. You can elect to show only the highest level; in that case, the Summary view has one line per frame.

• Detail view. Each frame is decoded to show the type of frame and the values of its various fields. If you provide a file of symbolic names for station addresses, the Detail view augments the station addresses with the symbolic names provided in your file of definitions.

For high-level frames, the interpretation may take several levels. The "higher" level interpretation of a frame is more deeply nested within it. The various interpretations are shown with the "higher" protocol levels (i.e., the ones that are more "deeply" embedded) after the lower ones.

• Hexadecimal view. The entire frame is listed. You can elect whether you want character data displayed according to ASCII or EBCDIC conventions.

The Hexadecimal view and the Detail view show data for just one frame. The Summary view shows not only the frame you're now examining but a few on either side of it as well to give context.
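The three views, as an added example rather than the Sniffer's own protocol interpreters (which cover far more than this): Python that decodes one raw frame into its data-link and IPv4 levels and renders the Summary, Detail and Hex views, including the name-table substitution and the ASCII/EBCDIC translation choice described above. The name table, the frame and its EBCDIC payload are constructed for the example, and "DLC", the field labels and the line layouts are this example's naming, not the Sniffer's.

```python
"""Added example, not from the Sniffer manual: the Summary, Detail and Hex
views Chapter 1 describes, produced from one raw frame.  Summary gives one line
per protocol level (or the highest level only), Detail lists the decoded fields
with symbolic names from a name table shown beside station addresses, and Hex
dumps the whole frame with ASCII or EBCDIC character translation.  Only
Ethernet II and IPv4 are interpreted; the name table and the sample frame
(whose payload is EBCDIC text) are constructed for this example.
"""
import struct

NAMES = {"02:00:00:00:00:01": "FileSrv", "02:00:00:00:00:02": "Alice"}  # constructed


def station(addr, names):
    """'Alice [02:00:...]' when the address has a name, else the bare address."""
    return f"{names[addr]} [{addr}]" if addr in names else addr


def decode(frame):
    """Return [(level, fields), ...] from the data-link level inward."""
    dst, src, etype = struct.unpack_from("!6s6sH", frame)
    levels = [("DLC", {"dst": dst.hex(":"), "src": src.hex(":"),
                       "type": f"0x{etype:04x}"})]
    body = frame[14:]
    if etype == 0x0800 and len(body) >= 20:          # IPv4 nested in the DLC frame
        vihl, _, total, ident, _, ttl, proto, _, s, d = \
            struct.unpack_from("!BBHHHBBH4s4s", body)
        levels.append(("IP", {"version": vihl >> 4, "header_len": (vihl & 0xF) * 4,
                              "total_len": total, "id": ident, "ttl": ttl,
                              "protocol": proto, "src": ".".join(map(str, s)),
                              "dst": ".".join(map(str, d))}))
    return levels


def summary(frame, names, highest_only=False):
    """One line per protocol level, lower levels first; optionally only the top."""
    lines = []
    for level, f in decode(frame):
        if level == "DLC":
            ends = (station(f["src"], names), station(f["dst"], names))
            extra = f"type {f['type']}"
        else:
            ends, extra = (f["src"], f["dst"]), f"proto {f['protocol']} ttl {f['ttl']}"
        lines.append(f"{level:<4} {ends[0]} -> {ends[1]}  {extra}")
    return lines[-1:] if highest_only else lines


def detail(frame, names):
    """Every decoded field, with symbolic names substituted for DLC addresses."""
    lines = []
    for level, f in decode(frame):
        lines.append(f"{level}: ----- {level} header -----")
        for key, value in f.items():
            if level == "DLC" and key in ("src", "dst"):
                value = station(value, names)
            lines.append(f"{level}:   {key} = {value}")
    return lines


def hexview(frame, charset="ascii", width=16):
    """Offset, hex bytes and a character column translated as ASCII or EBCDIC."""
    def glyph(b):
        if charset == "ebcdic":
            ch = bytes([b]).decode("cp037")           # IBM EBCDIC code page
            return ch if ch.isprintable() else "."
        return chr(b) if 0x20 <= b < 0x7F else "."
    lines = []
    for off in range(0, len(frame), width):
        chunk = frame[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {''.join(map(glyph, chunk))}")
    return lines


def sample_frame():
    """Alice -> FileSrv, IPv4 protocol 17, carrying the EBCDIC text HELLO (constructed)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    payload = "HELLO".encode("cp037")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return struct.pack("!6s6sH", mac("02:00:00:00:00:01"),
                       mac("02:00:00:00:00:02"), 0x0800) + ip + payload


if __name__ == "__main__":
    frame = sample_frame()
    print(*summary(frame, NAMES), *detail(frame, NAMES), sep="\n")
    print(*hexview(frame, "ascii"), *hexview(frame, "ebcdic"), sep="\n")
```

The same payload bytes come out as dots under ASCII translation and as HELLO under EBCDIC, which is the point of the translation option: the character column is a choice of interpretation, not evidence of what the bytes mean, so check it before drawing conclusions from readable-looking text in a dump.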

Windows in the Display

Each view you elect appears in a window. The screen may also be divided into two, three, four, or six equal-sized windows, according to the number of views and viewports you request.

The window that contains the cursor bar is the active window. The Tab key moves the highlight from one window to the next, activating the window where it arrives. When a frame's display won't fit within its window, you can scroll the active window to see the information you want. You can also zoom in to the active window, temporarily giving it the entire screen until you zoom out and restore the other windows.

Two-Station Format

Frequently, analysis concerns the flow of commands back and forth between a pair of stations. In that situation, it is often helpful to