Once you have captured packets in a file (Chapter 23, "Capturing Packets"), you can decode the packets, one frame at a time, using the Protocol Decode application. Decoding packets involves loading a data capture file, selecting Protocol Decode properties, establishing post-capture filters (if necessary), and performing the actual decode. You have two options when you use Protocol Decode:
Before you can use the Protocol Decode application, you must first load the data capture file. To load a data capture file, take the following steps:
Step 1 Click the Protocol Decode icon from the TrafficDirector main window.
The TrafficDirector Protocol Decode window (Figure 24-1) opens.

Step 2 Select File>Load.
The Select File window (Figure 24-2) opens.

Step 3 Select the directory and file that contain the captured data you want to decode from the list boxes. Use the directory filter to help you select files. To use the filter, enter a directory path and file filter, such as *.dat, then click Filter. Note that the data is stored in a file named xxx.dat.
Step 4 Click OK to load the data capture file.
The Protocol Decode window (Figure 24-3) displays captured data. Each line represents one frame.
Before you decode a frame, you can modify the four default properties to determine how decoded data in each mode is displayed. To modify protocol decode properties, take the following steps:
Step 1 Select the frame you want to decode from the TrafficDirector Protocol Decode window.
Step 2 Click Properties in the main Protocol Decode window. The Properties window (Figure 24-4) opens.

Step 3 Select the protocol decode properties you want to use. Click the appropriate radio button, then click Apply. Click Cancel to cancel the selections and return to the TrafficDirector Protocol Decode window. The properties fields are as follows:
Raw Mode--Determines whether the decoded bytes are displayed in raw mode as ASCII or EBCDIC characters. The default is ASCII.
Time Mode--Determines whether the time displayed is the default value, Absolute (Month-Day-Time in secs.msecs), or Delta (difference between arrival of the current and previous frames, in hh:min:sec:msecs).
Address Mode--Sets the Source/Destination address display as Network (IP), Vendor, or Hex. The default is Network.
Zoom Mode--Enables or disables the multipaneled, multicolor effect in the seven-layer Protocol Decode window (Figure 24-7) and the Zoom Mode feature. The default is Enable.
You may want to filter previously captured data to isolate the protocol information you need before performing the actual protocol decode. You can do this by using the Post-Capture Filters option in the Protocol Decode window. To establish post-capture filters, take the following steps:
Step 1 Load the data capture file (if not already loaded).
Step 2 Click Post-Capture Filtering in the Protocol Decode window.
The Post-Capture Filters window (Figure 24-5) opens.
Step 3 Select the filter definition you want to use.
Step 4 Use the radio buttons in the parameter fields to specify the following post-capture filtering options:
Address Type--Specify as either MAC or IP. The address or symbol in the Source or Destination Address field is interpreted according to this setting.
Source/Destination Address--Specify the source and destination addresses for filtering. You can select any valid MAC address, IP address, or name. Use these addresses to create more specific filters related to the source or destination of the data to be captured.
Both Directions--Determines whether traffic is captured from source-to-destination only, or in both directions. Select Yes to filter data in both directions, or No to filter data in only one direction.
Filter Type--Select Inclusive or Exclusive. Inclusive captures only the packets that match your filter list. Exclusive captures all packets except the ones that match your filter list.
Step 5 Click Apply. The Summary Mode list box in the Protocol Decode window now displays only the packets that have passed the post-capture filter definition.
To return to no filtering, deselect all post-capture filters and click Apply.
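The filter options in Step 4 combine as follows. This is an added Python example that models the semantics described above and is not TrafficDirector code; the `Frame` record, the sample addresses, and the treatment of an empty address field as "any" are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frame:                      # one Summary Mode line (hypothetical record)
    pkt_id: int
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

def canon(addr, addr_type):
    """Normalize an address so textual variants compare equal."""
    if addr is None:
        return None
    if addr_type == "IP":
        return str(ipaddress.ip_address(addr))
    return addr.lower().replace("-", ":")   # MAC

@dataclass(frozen=True)
class PostCaptureFilter:
    addr_type: str                # "MAC" or "IP": how the addresses are interpreted
    source: Optional[str]         # None means "any" (assumption)
    destination: Optional[str]
    both_directions: bool         # Yes/No radio button
    inclusive: bool               # True = Inclusive, False = Exclusive

    def matches(self, f):
        if self.addr_type == "IP":
            src, dst = f.src_ip, f.dst_ip
        else:
            src, dst = f.src_mac, f.dst_mac
        src, dst = canon(src, self.addr_type), canon(dst, self.addr_type)
        want_s = canon(self.source, self.addr_type)
        want_d = canon(self.destination, self.addr_type)
        def hit(s, d):
            return want_s in (None, s) and want_d in (None, d)
        return hit(src, dst) or (self.both_directions and hit(dst, src))

    def apply(self, frames):
        # Inclusive keeps matching frames; Exclusive keeps everything else.
        return [f.pkt_id for f in frames if self.matches(f) == self.inclusive]

FRAMES = [  # constructed sample capture
    Frame(1, "00:00:0c:aa:00:01", "00:00:0c:aa:00:02", "10.0.0.1", "10.0.0.2"),
    Frame(2, "00:00:0c:aa:00:02", "00:00:0c:aa:00:01", "10.0.0.2", "10.0.0.1"),
    Frame(3, "00:00:0c:aa:00:03", "00:00:0c:aa:00:02", "10.0.0.3", "10.0.0.2"),
    Frame(4, "00:00:0c:aa:00:01", "00:00:0c:aa:00:03", "10.0.0.1", "10.0.0.3"),
]
```

With Both Directions set to No, a filter on one host pair hides the reply traffic, so a conversation can appear one-sided in Summary Mode until the setting is changed to Yes.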
You can view a data capture file in the following ways:
| Summary Mode (default mode) | Displays in the Protocol Decode window list box all of the information for the loaded Data Capture file. Each line represents a frame of captured data that has not yet been decoded as displayed in the Protocol Decode window (Figure 24-7). |
| Raw Mode | Decodes a single frame you select and displays it in raw byte form. |
| Protocol Decode Mode | Decodes a single frame you select and displays it in full seven-level format. |
| Zoom Mode | Displays any of the seven layers, as appropriate for the packet being decoded, in the full window. |
Summary Mode is the default Protocol Decode mode in the main Protocol Decode window. Each frame is represented by a single line numbered from 1 to n, where n is the total count of frames in the capture buffer, as shown in Figure 24-7.
The summary mode list box contains the following headings:
| Pkt ID | The index number of the frame, starting with 1. You can scroll through the list of frames. The frame currently selected is highlighted. |
| Timestamp | The date and time this frame was captured. The format of the timestamp is: Month Date hh:mm:ss:ttt; for example, Dec 7 17:32:25.569. |
| Size | The number of bytes in the frame. |
| Source Node | The address of the node that sent the frame. If Vendor Name is the default, the vendor ID is displayed instead. |
| Destination Node | The address of the destination node specified in the frame. If Vendor Name is the default, however, the name of the vendor is displayed instead. |
| Status | If a frame is faulty, the type of fault (more than one may apply): R indicates a runt frame (a frame less than 12 bytes long); J indicates a jabber frame (a frame more than 1518 bytes long); C indicates a CRC/alignment error frame; P indicates a processing error (for example, Frame #40 with a processing error indicates that the agent was not able to process packets just before capturing Frame #40); --> indicates a packet from DTE to DCE (WAN only); <-- indicates a packet from DCE to DTE (WAN only). |
| Protocol | The highest-level protocol in that frame. |
The following selection buttons in the Protocol Decode window (Summary Mode) let you specify the parameters for the decoding function:
| Change Mode | Lets you switch directly to Protocol Mode or Raw Mode. |
| GoTo Packet | Lets you enter the number of the packet you want to go to in the box next to GoTo packet. |
| Home | Moves you to the first data capture packet. |
| End | Moves you to the last data capture packet. |
| Pg Up | Moves you one page closer to the first data capture packet. |
| Pg Dn | Moves you one page closer to the last data capture packet. |
The Raw Mode Protocol Decode option is available from the TrafficDirector Protocol Decode main window. Raw Mode presents decoded data in raw (hex) byte form. To view protocol information in Raw Mode, highlight a Pkt ID number, then select Raw from the Change Mode field in the TrafficDirector Protocol Decode main window. The Raw Decode window (Figure 24-6) opens.

Use buttons in the Raw Decode window (Figure 24-6) to specify the parameters for the following decoding functions:
| Change Mode | Switches directly to Protocol Decode. |
| GoTo Packet | Displays a specific frame in the list box. Enter a packet number in the Goto Packet field to display the raw decode for that frame. |
| Up/Down Arrow | Scrolls up or down one frame at a time. |
| Home | Jumps immediately to the first (Home) frame displayed in the list box. |
| End | Jumps immediately to the last (End) frame displayed in the list box. |
| PgUp | Goes up an entire page toward the first packet. |
| PgDn | Goes down an entire page toward the last packet. |
Select the Protocol Decode seven-level decoded format option from the TrafficDirector Protocol Decode main window. The decoding is fully automatic and displays the frame in up to seven list boxes, with each box corresponding to successive layers of the protocol. To view protocol information in the seven-level decoded format, highlight a Pkt Id or frame number, then select Protocol from the Change Mode field in either the Protocol Decode window or the Raw Decode window. The Seven-Level Decode window (Figure 24-7) is displayed. The window displays up to seven list boxes, with each box colored differently corresponding to successive layers of the protocol.

Select the Protocol Decode Zoom mode option from the seven-level Protocol Decode window. Zoom mode lets you see a full display of any protocol layer contained in the current frame as displayed in the Zoom Decode window (Figure 24-8). You can scroll back and forth through the protocol layers by clicking Next Layer or Prev Layer. The display wraps from the highest layer back to the lowest layer decode, and vice versa.
To select the Zoom Mode, click Zoom in the Seven-Level Decode window.
The Zoom Decode window (Figure 24-8) opens.