Go Wild!
10 Cool Things You Can Do with the EtherPeek Demo by WildPackets
by Laura Chappell
Available in PDF format [329 KB].
You may not be familiar with the name
WildPackets, but you should be familiar with their products.
WildPackets (formerly AG Group) makes EtherPeek, which recently
went through a product revision and is now on Version 4.1.
I spent the weekend playing with the
EtherPeek for Windows online demo (available at www.wildpackets.com)
to see what I could do. There are a few limitations of the
demo (listed at the end of this article),
but you can still do a lot of great things and get a feel
for the product by using the demo for a few minutes.
In this article, I’ll document
10 cool things that you can do with the demo.
1. Check For Errors
2. Capture and View Some Packets
3. Find Out What Protocols are Running on Your Network
4. Check Out Your Packet Sizes
5. Create and Apply a Capture Filter
6. Check Out Some History Statistics
7. Set an Alarm
8. Quickly Locate Similar Packets in a Trace
9. Find Out What a Station is Doing
10. Get an Overview of Your Network Communications
After I describe each task a little bit,
I’ll give you step-by-step instructions that will help
walk you through the product demo (who needs manuals, eh?).

1. Check For Errors
Simply click on the Error Statistics button to open the Error Statistics window (shown in Figure 1). Let the analyzer run for the full 5 minutes and check to see if you have any CRC, alignment, runt or oversized packets. (CRC errors are frames whose frame check sequence did not verify, alignment errors are frames that did not end on a byte boundary, runts are frames shorter than the 64-byte Ethernet minimum, and oversized frames exceed the 1518-byte maximum.) Naturally, ‘red is bad’, ‘green is good’ and ‘yellow is iffy’. There’s a digital counter, a dial and a table to illustrate the problems on your network.

Figure 1. Error Statistics
Note: EtherPeek can show errors only when it is used with the special Digital driver supplied with the program and a compatible NIC. See the list of compatible NICs.
To do this on your network:
- Launch EtherPeek demo program.
- Click on the Error Statistics button.
2. Capture and View Some Packets
Naturally, being a packet-lovin’
gal, I wanted to immediately capture some packets. I had to
really hold myself back from putting this as number 1 on my
list.
Figure 2 shows the results of my test
(in which I captured my own web-browsing traffic).

Figure 2. The captured packets.
The Capture Window is pretty standard
stuff – source, destination, timestamp (absolute), protocol
and summary information. The tabs at the bottom of the capture
window are really important – they give you serious
in-depth information into the top talkers, protocols, devices,
packet size, communication summaries, histories, error/alarm
logs and filters related to the captured data.

Click on each of the tabs to see the
wealth of information available.
Note: Let me give you a heads-up here…
EtherPeek can provide you with a tremendous number of statistics
– in many cases, you can get a graphical representation
of those statistics (I hope they add more graphing capabilities
over time). For an example, see task 5.
To do this on your network:
- Launch EtherPeek demo program.
- Click on the Packet Capture button.
- Click OK.
- Click the Start Capture button.
3. Find Out What Protocols are Running on Your Network
It’s easy to find out what
protocols are running on the network. The Protocol Statistics
window offers protocol details based on protocol type (in
a nice layered design that shows the encapsulation of protocols),
percentage, bytes and packets.

Figure 3. Checking out the Protocol Statistics.
To do this on your network:
- Launch EtherPeek demo program.
- Click on the Protocol Statistics button.
Note: You can also click on the Protocols tab in your trace buffer window to see exactly which protocols were running on your network during your packet capture operation.
4. Check Out Your Packet Sizes
Click on the pie chart icon on the menubar to view packet size distribution statistics, as shown in Figure 4. As you probably know, a bunch of little itty-bitty stinkin’ packets is not a good thing – especially if there are a lot of file transfers going on. A file transfer should travel mostly in full-size frames, with only the acknowledgments being small; when the small slices of the pie dominate anyway, per-packet header overhead is eating into your throughput. The pie chart is simple to understand.

Figure 4. Checking out the packet size distribution.
To do this on your network:
- Launch EtherPeek demo program.
- Click on the Packet Size Distribution button on the menubar.
Try clicking on the Options button
to configure the pie chart differently.
5. Create and Apply a Capture Filter
WildPackets has made filtering a fairly simple process – of course, you need a bit of protocol and product knowledge to create advanced filters (such as Boolean and bit-based filters). A capture filter decides which packets are admitted to the buffer in the first place, which matters with the demo: its 250-packet limit goes a lot further when it is spent only on the traffic you care about. Clicking on the Filters tab takes you right to the filters window.

Figure 5. Setting up basic address and protocol filters is pretty simple.
To do this on your network:
- Launch EtherPeek demo program.
- Click on the Packet Capture button.
- Click OK.
- Click on the Filters tab.
- Select the desired filter.
- Click the Start Capture button.
6. Check Out Some History Statistics
On the menubar, click the Graph
button
to gather statistics on utilization, packets/second and bytes/second.
Figure 6 shows the utilization graph. There are some really
hot views available… I like the 3D line view myself.
You can also select the interval/timespan
in a drop-down box.
When you hold the cursor over any point in the graph, a pop-up
box lists the value at that point in the graph.

Figure 6. The utilization history plotted every second for 30 minutes.
To do this on your network:
- Launch EtherPeek demo program.
- Click on the History Statistics button.
Try playing with the look by altering the timespan and structure of the chart.
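The numbers behind the utilization, packets/second and bytes/second graphs can be recomputed from a capture's timestamps and frame lengths. The following is an added example in plain Python, not code from this article or from WildPackets; the 10 Mb/s link speed, the one-second interval and the sample records are assumed and constructed for the example. It also folds in the preamble and inter-frame gap that a NIC never reports, which is why a utilization figure computed from raw byte counts alone comes out a little low.

```python
"""Added example (not WildPackets' code): the History Statistics numbers recomputed from
(timestamp, frame-length) records. The 10 Mb/s link speed, the 1-second interval and the
sample records are assumed/constructed for the example."""
from collections import defaultdict

LINK_BPS = 10_000_000        # assumed 10 Mb/s Ethernet
FRAME_OVERHEAD = 20          # preamble (8) + inter-frame gap (12) bytes the NIC never reports


def history_statistics(records, interval=1.0, link_bps=LINK_BPS):
    """Bin (timestamp_s, frame_bytes) records into fixed intervals and return, per interval,
    packets/second, bytes/second and utilization as a percentage of link capacity."""
    bins = defaultdict(lambda: [0, 0])
    for ts, nbytes in records:
        slot = int(ts // interval)
        bins[slot][0] += 1
        bins[slot][1] += nbytes
    if not bins:
        return []
    history = []
    for slot in range(min(bins), max(bins) + 1):     # keep empty intervals so gaps show as zeros
        n, b = bins.get(slot, (0, 0))
        wire_bits = (b + n * FRAME_OVERHEAD) * 8     # time the frames actually occupy the wire
        history.append({"t": slot * interval,
                        "packets_per_s": n / interval,
                        "bytes_per_s": b / interval,
                        "utilization_pct": round(100 * wire_bits / (link_bps * interval), 2)})
    return history


def peak(history):
    """The interval with the highest utilization (the point you would hover over in the graph)."""
    return max(history, key=lambda h: h["utilization_pct"]) if history else None


# Constructed records: a 400-frame burst of full-size frames in second 0, silence in second 1,
# and two minimum-size frames in second 2.
SAMPLE_RECORDS = [(0.001 * i, 1514) for i in range(400)] + [(2.5, 64), (2.7, 64)]

if __name__ == "__main__":
    for h in history_statistics(SAMPLE_RECORDS):
        print(f"t={h['t']:>4}  {h['packets_per_s']:>6.0f} pkt/s  "
              f"{h['bytes_per_s']:>8.0f} B/s  {h['utilization_pct']:>6.2f}%")
    print("peak:", peak(history_statistics(SAMPLE_RECORDS)))
```

Change the interval argument to see the same burst smeared or sharpened the way the drop-down in the graph window does: at half-second bins the burst in the sample fills nearly the whole link for that bin.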
7. Set an Alarm
Check out some of the devices that
communicate on your network. You can easily (and I mean easily)
set an alarm on anyone’s actions on the network based
on their address, the protocol in use, or a number of ‘interesting’
communications on the network.
Click around – when you see the
alarm
button, click on it to set an alarm.
Highlight an interesting device listed
in the node window and click on the alarm button
to access the alarm setting window, as shown in Figure 7.

Figure 7. I’m looking for signs that Chadwick is sending a high number of packets on the network.
To do this on your network:
- Launch EtherPeek demo program.
- Click on the Packet Capture button.
- Click OK.
- Click the Start Capture button.
- Click on the Nodes tab.
- Click on one of the Node entries (such as ).
- Click on the Alarm button and define the alarm trigger.
8. Quickly Locate Similar Packets in a Trace
This is a nice feature! In Figure
8, I’ve right-mouse clicked on DNS and chosen "Select
Related Packets." Now I can go back to the ‘Packets’
view and see all the DNS packets highlighted. Quick and simple.
Play with this one to see all the different windows you can
choose to select related packets on.

Figure 8. Finding related packets is easy – it doesn’t even require a filter setting.
To do this on your network:
- Launch EtherPeek demo program.
- Click on the Packet Capture button.
- Click OK.
- Click the Start Capture button.
- Click on the Protocols tab.
- Right-mouse click on a protocol (such as ).
- Select "Select Related Packets" from the drop-down menu.
- Click on the Packets tab to see all the packets of that protocol (all DNS packets in Figure 8) highlighted.
9. Find Out What a Station is Doing
The Detail Statistics window enables
you to see who your interesting fellow is communicating with
and what protocols they are using.
Now I’m really curious about one
station that showed up in my trace – it’s Chadwick,
a strange fellow on my network.
The layout of this window is fantastic!
We can see the devices involved in conversations with our
man Chadwick. We can see the direction of the communication.
We can see conversations and protocols defined by percentage,
bytes and packets. Nice.

Figure 9. The Node Details window for Chadwick: the peers he talks to, the direction of each conversation, and the protocols in use by percentage, bytes and packets.
To do this on your network:
- Launch EtherPeek demo program.
- Click on the Packet Capture button.
- Click the ‘Continuous capture’ box, then click OK.
- Click the Start Capture button.
- Click on the Nodes tab.
- Right-mouse click on your interesting fellow (such as ).
- Select Node Details from the drop-down menu.
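Tasks 3, 4, 5, 7 and 9 above are all views of the same decoded capture: the protocol encapsulation hierarchy, the packet-size pie, an address/protocol capture filter, a per-node packet-count alarm and a node's conversation details. The following added example (plain Python, not code from this article or from WildPackets) recomputes each of them from a handful of Ethernet frames constructed inline; the MAC and IP addresses, the port-to-application names, the size buckets and the alarm threshold are all assumptions made for the example.

```python
"""Added example (not WildPackets' code): EtherPeek-style statistics over constructed frames.
Covers the Protocol Statistics hierarchy (task 3), packet-size distribution (task 4), a Boolean
capture filter (task 5), a per-node packet-count alarm (task 7) and Node Details (task 9).
Frames, addresses, port names, size buckets and thresholds are all constructed/assumed."""
import struct
from collections import Counter, defaultdict

APP_PORTS = {53: "DNS", 80: "HTTP", 443: "HTTPS", 25: "SMTP"}   # assumed port -> name map
SIZE_BUCKETS = [(0, 64), (65, 127), (128, 255), (256, 511), (512, 1023), (1024, 1518)]


def make_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload_len):
    """Build an Ethernet II / IPv4 / TCP-or-UDP frame (checksums left zero; the parser ignores them)."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + payload_len, 0))
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0x4000, 64, proto, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + ip4 + l4 + b"\x00" * payload_len


def parse_frame(raw):
    """Decode just enough of a frame: size, addresses and the encapsulation path."""
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    pkt = {"bytes": len(raw), "src": src.hex(":"), "dst": dst.hex(":"), "layers": ["Ethernet"]}
    if etype != 0x0800:                       # non-IP: record the type and stop
        pkt["layers"].append("ARP" if etype == 0x0806 else f"EtherType 0x{etype:04x}")
        return pkt
    ihl, proto = (raw[14] & 0x0F) * 4, raw[23]
    pkt["src"], pkt["dst"] = ".".join(map(str, raw[26:30])), ".".join(map(str, raw[30:34]))
    pkt["layers"] += ["IP", {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, f"IP proto {proto}")]
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", raw[14 + ihl:14 + ihl + 4])
        app = APP_PORTS.get(dport) or APP_PORTS.get(sport)   # the server port names the application
        if app:
            pkt["layers"].append(app)
    return pkt


def protocol_statistics(packets):
    """Packets, bytes and percent for every encapsulation prefix (Ethernet, Ethernet/IP, ...)."""
    stats = defaultdict(lambda: [0, 0])
    for p in packets:
        for depth in range(1, len(p["layers"]) + 1):
            path = "/".join(p["layers"][:depth])
            stats[path][0] += 1
            stats[path][1] += p["bytes"]
    return {path: {"packets": n, "bytes": b, "percent": round(100 * n / len(packets), 1)}
            for path, (n, b) in sorted(stats.items())}


def size_distribution(packets):
    """Frame count per size bucket; anything above the last bucket is 'oversize'."""
    counts = Counter()
    for p in packets:
        counts[next((f"{lo}-{hi}" for lo, hi in SIZE_BUCKETS if lo <= p["bytes"] <= hi), "oversize")] += 1
    return dict(counts)


def node_table(packets):
    """Packets sent per address, top talkers first (the Nodes tab)."""
    return Counter(p["src"] for p in packets).most_common()


def alarm_nodes(packets, max_packets):
    """Addresses that sent more than max_packets frames in this buffer (the alarm trigger)."""
    return [addr for addr, n in node_table(packets) if n > max_packets]


def node_details(packets, node):
    """Per-peer packet counts for one node, split by direction and top-level protocol."""
    details = defaultdict(Counter)
    for p in packets:
        top = p["layers"][-1]
        if p["src"] == node:
            details[p["dst"]][f"to/{top}"] += 1
        elif p["dst"] == node:
            details[p["src"]][f"from/{top}"] += 1
    return {peer: dict(c) for peer, c in details.items()}


# Capture-filter building blocks: address and protocol tests combined with Boolean operators.
def address_filter(addr): return lambda p: addr in (p["src"], p["dst"])
def protocol_filter(name): return lambda p: name in p["layers"]
def not_(f): return lambda p: not f(p)
def and_(f, g): return lambda p: f(p) and g(p)
def or_(f, g): return lambda p: f(p) or g(p)
def apply_filter(packets, flt): return [p for p in packets if flt(p)]


# Constructed sample capture: one DNS lookup, one short HTTP exchange, and one chatty host.
CLIENT, SERVER, RESOLVER, CHATTY = "10.0.0.5", "192.0.2.10", "10.0.0.1", "10.0.0.99"
MAC_A, MAC_B = "0011223344aa", "0011223344bb"
CAPTURE = [parse_frame(f) for f in
           [make_frame(MAC_A, MAC_B, CLIENT, RESOLVER, 17, 40001, 53, 30),
            make_frame(MAC_B, MAC_A, RESOLVER, CLIENT, 17, 53, 40001, 60),
            make_frame(MAC_A, MAC_B, CLIENT, SERVER, 6, 40002, 80, 200)]
           + [make_frame(MAC_B, MAC_A, SERVER, CLIENT, 6, 80, 40002, 1200)] * 3
           + [make_frame(MAC_A, MAC_B, CHATTY, SERVER, 6, 5000 + i, 443, 10) for i in range(6)]]

if __name__ == "__main__":
    for path, s in protocol_statistics(CAPTURE).items():
        print(f"{path:<24} {s['packets']:>3} pkts {s['bytes']:>6} bytes {s['percent']:>5}%")
    print("sizes:", size_distribution(CAPTURE), "| alarm (>5 pkts):", alarm_nodes(CAPTURE, 5))
    print("client <-> peers:", node_details(CAPTURE, CLIENT))
    print("client TCP only:", len(apply_filter(CAPTURE, and_(address_filter(CLIENT), protocol_filter("TCP")))))
```

Run it directly to print the tables. The filter functions compose the same way the Boolean filters in the product do (address AND protocol, NOT protocol, and so on), and the same parsing and counting works on frames read from any source that hands you raw Ethernet bytes.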
10. Get an Overview of Your Network Communications
Ok… This one I love! Seriously…Thank
you WildPackets! My heart beats just a little bit faster every
time I see this window…
Click on the Summary button
to see what’s happening on your network. This screen
provides information on the following categories of communications:
- General
- Errors
- Counts (addresses/protocols)
- Size Distributions
- AppleTalk Details
- Checksums
- Duplicate Addresses
- FTP Details
- ICMP Details
- Internet Attack Plug-Ins
- IP Details
- Napster
- NetWare Details
- Newsgroup Watcher
- SMTP Analysis
- Web Analysis
Figure 10 shows this wonderful window!
Aaaaahhhhhh….

Figure 10. My favorite window.
To do this on your network:
- Launch EtherPeek demo program.
- Click on the Summary button.
So… Now What?
This demo version brings one thought
to mind…
If this is what the demo
version can do… imagine the power of the full product!
It’s time for you to check out
EtherPeek from WildPackets! I highly recommend it.
Laura Chappell
Sr. Protocol Analyst
Protocol Analysis Institute, LLC
lchappell@packet-level
www.packet-level.com
www.podbooks.com
Demo Limitations
The demo version differs from the full
version in the following ways:
- The demo stops capturing at 250 packets
or at 30 seconds duration (whichever comes first).
- Only 5 capture sessions can be performed
each time you launch the demo.
- Global statistics will only process
5 minutes of packets.
- The ‘save files’ function
is disabled.
- The ‘print’ function
is disabled.
- You cannot open packet files from
other analyzers.
- Only the first 250 packets of a trace
file will be loaded.
- You can only send 100 packets.
For more information on EtherPeek or WildPackets,
refer to www.wildpackets.com
or call them at 925/937-7900.
Got other ideas for articles/documentation
or training? Send email directly to Laura at lchappell@packet-level.com.