Sniffer: Using the Capture Panel
by Laura Chappell
[Released September 2, 2000]
[Available in PDF format also]
When you start capturing data with Network Associates' Sniffer, the Capture Panel does not open automatically. Instead, you can see how many packets you've captured by looking at the capture inset window in the bottom right-hand corner of the screen, as shown in Figure 1.

Figure 1: When you start capturing, you can see how many packets you've captured in the Capture Inset Window.
If, however, you would like more information on the capture buffer status, click the Capture Panel button noted in Figure 1. The capture gauge window (shown in Figure 2) displays two dials:
- The Packets Dial
- The Buffer Dial
The Packets Dial shows how many packets have been captured into the trace buffer. Although the dial goes up to 1 million, the number of packets you can actually capture depends on the size of the buffer. The buffer itself is configured by selecting the capture filter and clicking on the Buffer tab, as shown in Figure 3.
Figure 2: The Capture Gauge Window
and the Capture Detail Window.
The Buffer Dial shows, as a percentage, how full the trace buffer is. When the trace buffer reaches 100 percent, the Sniffer will either stop capturing or wrap the buffer (overwrite the oldest packets in the buffer first). Which of the two happens is again a configurable option, as shown in Figure 3. Choose "stop" when you care about the traffic at the start of the capture; choose "wrap" when you want the most recent traffic, for example the packets leading up to an event you are waiting for.
If you look at the bottom of the capture window, you'll notice a Detail tab. When you click the Detail tab, you are given additional information about the status of the trace buffer, as shown in Figure 4. This includes the current settings, such as:
- buffer size
- buffer action
- file saved to (if defined)
The Detail window also shows whether the analyzer has dropped any packets. An analyzer typically drops packets when the network becomes extremely busy, and if you have installed a cheap card in your analyzer you'll find that it drops packets more often than a high-quality card would. The Detail window also indicates whether the analyzer has rejected any packets because they did not match the capture filter you specified.
The slice size indicates whether the analyzer is capturing entire packets or only a portion of each packet. For example, if you want to capture a large number of packets but keep overrunning the buffer, you can choose to capture only the first 32 bytes of each packet. This lets you look at the Ethernet header (14 bytes for an Ethernet II frame) and a portion of the IP header (typically 20 bytes long) of each packet. Be aware of what a slice that small leaves out: 32 bytes minus the 14-byte Ethernet II header leaves 18 bytes of the IP header, which is enough for the total length, TTL, protocol and source address, but only the first two bytes of the destination address. To keep the full IP header plus the TCP or UDP port numbers you need at least 38 bytes per packet (42 if the frames carry an 802.1Q VLAN tag). The amount of time the analyzer has been capturing packets is shown in the Elapsed Time field.
Finally, the file wrap field indicates
whether packets saved to file have been overwritten.
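The effect of the slice size is easy to see by decoding a sliced frame yourself. The script below is an added example for this article; it is not code from the original page or from the Sniffer product. It models the slice setting by keeping the first N bytes of a constructed Ethernet II / IPv4 / TCP frame (the sample frame and its zeroed checksums are made up for the demonstration), then reports which header fields survived the slice and which were cut off, and computes the smallest slice that still preserves the IP header and the layer-4 ports.

```python
"""Decode whatever survives in a sliced Ethernet II / IPv4 frame.

Added example for this article; not code from the original page or from
Network Associates' Sniffer. The analyzer's slice setting is modelled by
keeping only the first N bytes of a frame. The decoder then reports which
header fields are complete and which were cut off by the slice.
"""
import struct

ETH_HDR_LEN = 14          # Ethernet II: dst MAC, src MAC, EtherType
VLAN_TAG_LEN = 4          # extra bytes if the frame carries an 802.1Q tag
IPV4_MIN_HDR_LEN = 20     # IPv4 header without options
L4_PORTS_LEN = 4          # TCP/UDP source and destination port
ETHERTYPE_IPV4 = 0x0800

# (field name, offset within the IPv4 header, length in bytes)
IPV4_FIELDS = [
    ("version_ihl", 0, 1), ("tos", 1, 1), ("total_length", 2, 2),
    ("identification", 4, 2), ("flags_fragment", 6, 2), ("ttl", 8, 1),
    ("protocol", 9, 1), ("header_checksum", 10, 2),
    ("src_ip", 12, 4), ("dst_ip", 16, 4),
]


def slice_frame(frame: bytes, slice_size: int) -> bytes:
    """Model the analyzer's slice size: keep only the first slice_size bytes."""
    return frame[:slice_size]


def min_slice_size(vlan_tagged: bool = False) -> int:
    """Smallest slice that still holds Ethernet + full IPv4 header + L4 ports."""
    tag = VLAN_TAG_LEN if vlan_tagged else 0
    return ETH_HDR_LEN + tag + IPV4_MIN_HDR_LEN + L4_PORTS_LEN


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_sliced_frame(data: bytes) -> dict:
    """Decode an Ethernet II frame that may have been cut short by a slice.

    Returns the fields that were fully present, plus 'complete' and
    'truncated' lists naming which fields were and were not captured.
    """
    out = {"captured_bytes": len(data), "complete": [], "truncated": []}
    if len(data) < ETH_HDR_LEN:
        out["truncated"].append("ethernet")
        return out
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", data[:ETH_HDR_LEN])
    out.update(dst_mac=_mac(dst_mac), src_mac=_mac(src_mac), ethertype=ethertype)
    out["complete"].append("ethernet")
    if ethertype != ETHERTYPE_IPV4:
        return out                      # only IPv4 is decoded here

    ip = data[ETH_HDR_LEN:]
    out["ip_header_bytes_present"] = min(len(ip), IPV4_MIN_HDR_LEN)
    for name, off, size in IPV4_FIELDS:
        if len(ip) < off + size:
            out["truncated"].append(name)   # the slice cut this field off
            continue
        raw = ip[off:off + size]
        if name.endswith("_ip"):
            out[name] = ".".join(str(b) for b in raw)
        else:
            out[name] = int.from_bytes(raw, "big")
        out["complete"].append(name)

    # TCP/UDP ports sit right after the IPv4 header, which is IHL * 4 bytes long.
    if "version_ihl" in out and out.get("protocol") in (6, 17):
        ihl_bytes = (out["version_ihl"] & 0x0F) * 4
        if len(ip) >= ihl_bytes + L4_PORTS_LEN:
            out["src_port"], out["dst_port"] = struct.unpack(
                "!HH", ip[ihl_bytes:ihl_bytes + L4_PORTS_LEN])
            out["complete"].append("l4_ports")
        else:
            out["truncated"].append("l4_ports")
    return out


def build_sample_frame() -> bytes:
    """Constructed sample: Ethernet II + IPv4 + TCP carrying a short HTTP request.
    IP and TCP checksums are left as zero; this is test data, not a real capture."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0,
                     IPV4_MIN_HDR_LEN + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 168, 1, 10]))
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    frame = build_sample_frame()
    for size in (32, min_slice_size(), len(frame)):
        d = decode_sliced_frame(slice_frame(frame, size))
        print(f"slice {size:3d}: complete={d['complete']} truncated={d['truncated']}")
```

Run it and the 32-byte slice shows the source address decoded but the destination address and the ports listed as truncated; the 38-byte slice shows everything through the port numbers. Use `min_slice_size()` as the lower bound when you set a slice on a busy segment, and add the VLAN tag length if the analyzer sits on a trunk port.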

Figure 3: The Capture buffer configuration
window.
Spend some time playing with the capture
buffer settings, but beware -- if you play with the 'Save
to File' option, you'd better have plenty of disk space! It's
easy to fill up a hard drive with packets from your network.
Got other ideas
for articles/documentation or training? Send email directly
to Laura at lchappell@packet-level.com.
Laura Chappell
Sr. Protocol Analyst
Copyright 2000 Protocol Analysis Institute, L.L.C.