Protocol Decode performs an in-depth analysis of the contents of data packets captured and stored in files created with Data Capture.
This analysis lets you view an individual packet using the full OSI seven-layer analysis feature to detect packet status at each layer. You can use the Zoom feature to examine the individual layers of a packet more closely, or use the Raw mode to examine the individual bytes of a packet.
Protocol Decode is slightly different for UNIX and Microsoft Windows platforms. Use the following section that applies to your specific platform:
The following sections describe how to use Protocol Decode on UNIX platforms:
You can start Protocol Decode from the Traffic, Protocol, or Application level of the TrafficDirector main window.
To use Protocol Decode, follow these steps:
Step 1 Load a data capture file.
Step 2 Click Traffic, Protocol, or Application to display the corresponding TrafficDirector window.
Step 3 Click the Protocol Decode icon.
The Protocol Decode window is displayed (Figure 29-1).
Step 4 Select File > Load.
The Select File window is displayed (Figure 29-2).
Step 5 Using the directory filter to help you select files, select the directory and file that contains the captured data you want to decode.
Step 6 Enter a directory path and file filter, such as *.dat.
Step 7 Click Filter.
The data is stored in a file named xxx.dat.
Step 8 Click OK to load the data capture file.
The Protocol Decode window is displayed (Figure 29-3) and the contents of the data capture file are displayed. Each line in the display represents one frame.
To modify the four default properties that determine how decoded data in each mode is displayed, follow these steps:
Step 1 In the Protocol Decode window, select the frame you want to decode.
Step 2 Click the Properties button on the main Protocol Decode window.
The Properties window is displayed (Figure 29-4).
Step 3 Select the protocol decode default properties you want to change by clicking the appropriate toggle button.
Step 4 Click Apply to apply the changes, or click Cancel to cancel your selections and return to the Protocol Decode window.
Table 29-1 describes the property fields.
| The Information in This Field... | Performs This Function |
|---|---|
| Raw Mode | Determines whether the decoded bytes are displayed as ASCII (default) or EBCDIC characters. |
| Time Mode | Determines whether the time displayed (in hh:min:sec:msecs) is absolute (the actual time the packet was captured, which is the default), or delta (the difference between arrival of the current and previous packet). |
| Address Mode | Sets the Source/Destination address display as Network (IP, which is the default), Vendor, or Hex. |
| Zoom Mode | Enables (default) and disables the multipaneled, multicolor effect in the seven-layer Protocol Decode window and the Zoom Mode feature. |
Post-capture filters let you narrow the scope of the display of previously captured data. For example, if you wanted to see only the IP, TCP, and FTP packets from all of the packets in a previously captured data file, you could do so by establishing a post-capture filter.
To establish a Post-Capture Filter, follow these steps.
Step 1 From the Protocol Decode window, select Post-Capture Filtering.
The Post-Capture Filters window is displayed (Figure 29-5).
The selection fields simplify how you select the parameters for post-capture filtering. These fields contain toggle buttons that you can click to indicate your preferences.
The selections include the following:
Step 2 Select the filter definition you want to use.
Step 3 Click Apply.
The Summary Mode list box on the Protocol Decode window now contains only packets that have passed your Post-Capture Filter definition.
Step 4 If you need to view all captured packets without any filtering, de-select all post-capture filters and click Apply.
Table 29-2 describes the modes in which you can use Protocol Decode to view the contents of a data capture file.
| Use This Mode... | To View the Data Capture File in This Manner |
|---|---|
| Summary | In a list box with a separate line entry for each frame within the Data Capture file loaded that has not yet been decoded. |
| Raw | As a single frame you select that is decoded and presented in raw byte format. |
| Protocol Decode | As a single frame you select that is decoded and presented in full seven-level format. |
| Zoom | At any of the seven layers, as appropriate for the packet being decoded; can be displayed in the full window. |
Summary Mode is the default mode of the Protocol Decode main window. Each frame is represented by a single line numbered from 1 to n, where n is the total count of the frames in the capture buffer. The frame currently selected is highlighted.
Table 29-3 describes the headings in the Summary Mode list box.
| This Field... | Contains This Information |
|---|---|
| Pkt ID | The index number of the frame, starting with 1. |
| Timestamp | The timestamp value, determined by the time mode you selected when determining protocol decode properties. The format of the timestamp is: mmm dd hh:mm:ss:ttt. |
| Size | The number of bytes in the frame. |
| Source Node | The address of the node that sent the frame. However, if Vendor Name is the default, the vendor ID displays instead. |
| Destination Node | The address of the destination node specified in the frame. However, if Vendor Name is the default, the name of the vendor displays instead. |
| Protocol | The name of the highest-level protocol in the frame. |
| Information | The source and destination port numbers for TCP and UDP protocols. |
| Status | If a frame is faulty, the type of fault (more than one may apply): |
To specify a particular frame, follow these steps:
Step 1 In the Go to Packet field of the Protocol Decode main window, specify the Packet Id number of a desired frame.
Step 2 Press Enter.
The remaining functions in the top section of the main Protocol Decode window are represented by selection buttons.
Table 29-4 describes these buttons:
| Use This Button... | To Perform This Function |
|---|---|
| (Change Mode) Raw | Switch directly to Raw Mode to display decoded data in raw (hexadecimal) byte format. |
| (Change Mode) Protocol | Switch directly to Protocol Decode Mode to display up to seven list boxes, with each box corresponding to successive layers of the protocol. |
| Up/Down arrows | Scroll up or down one frame at a time. |
| Home | Display the first frame displayed in the list box. |
| End | Display the last frame displayed in the list box. |
| PgUp | Display the entire previous page (page toward the first packet). |
| PgDn | Display the entire next page (page toward the last packet). |
Raw Mode is an option available from the Protocol Decode main window. The Raw Mode displays decoded data in raw (hexadecimal) byte format.
To view protocol information in Raw Mode, follow these steps:
Step 1 Highlight a Pkt Id number.
Step 2 Click Raw (next to the Change Mode label).
The Raw Decode window is displayed (Figure 29-6).
To specify a particular frame, follow these steps:
Step 1 In the Go to Packet field of the Raw Decode main window, specify the Packet Id number of a desired frame.
Step 2 Press Enter.
The last entry displayed in the top section of the Raw Decode window contains information for the Packet Id entered, the Frame Number, Size, Absolute Time (of Capture) and the format of the frame (ASCII or EBCDIC).
Table 29-4 describes the remaining functions of the Raw Decode window that are represented by selection buttons:
| Use This Button... | To Perform This Function |
|---|---|
| (Change Mode) Protocol | Switch directly to Protocol Decode Mode to display up to seven list boxes, with each box corresponding to successive layers of the protocol. |
| Up/Down Arrows | Scroll up or down one frame at a time. |
| Home | Display the first frame displayed in the list box. |
| End | Display the last frame displayed in the list box. |
| PgUp | Display the entire previous page. |
| PgDn | Display the entire next page. |
The seven-level, decoded format for Protocol Decode is an option available from the Protocol Decode main window and the Raw Decode window. Decoding is automatic and causes the frame to display in up to seven list boxes, with each box corresponding to successive layers of the protocol.
To view protocol information in the seven-level format, follow these steps:
Step 1 In the Protocol Decode main window or in the Raw Decode window, highlight a Pkt Id or frame number.
Step 2 Click Protocol (next to the Change Mode label).
The Seven-Level Protocol Decode window is displayed (Figure 29-7).
The window displays up to seven list boxes, with each box corresponding to successive layers of the protocol. Use the scroll bars on the right side of the list boxes to scroll through the contents of each layer.
If the frame contains no identifiable protocol after a certain layer, the remainder of the frame displays as a raw dump in the last list box, labelled User Data.
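The layer-by-layer decode, the User Data fallback, the Raw Mode character sets and the Summary Mode columns described above can be reproduced in a short script. This is an added example, not TrafficDirector code: the frame bytes are constructed, the function names are hypothetical, and it assumes Ethernet II, IPv4, TCP and UDP only rather than the product's .dat file format.

```python
import struct

# Constructed sample frame: Ethernet II / IPv4 / TCP carrying 5 payload bytes.
FRAME = bytes.fromhex(
    "00005e005302" "00005e005301" "0800"         # dst MAC, src MAC, EtherType
    "4500002d" "00010000" "40060000" "c0000201" "c0000202"  # IPv4 192.0.2.1 -> .2
    "c0010015" "00000001" "00000000" "50182000" "00000000"  # TCP 49153 -> 21
    "5553455220")                                # payload "USER "

def decode(frame):
    """Return (layer, fields) pairs, lowest layer first, like the list boxes."""
    if len(frame) < 14:
        return [("User Data", frame)]
    etype = struct.unpack("!H", frame[12:14])[0]
    layers = [("Ethernet", {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":")})]
    rest = frame[14:]
    if etype == 0x0800 and len(rest) >= 20 and rest[0] >> 4 == 4:
        ihl, total = (rest[0] & 0x0F) * 4, struct.unpack("!H", rest[2:4])[0]
        if 20 <= ihl <= total <= len(rest):      # reject inconsistent lengths
            layers.append(("IPv4", {"src": ".".join(map(str, rest[12:16])),
                                    "dst": ".".join(map(str, rest[16:20]))}))
            proto, rest = rest[9], rest[ihl:total]   # slice drops Ethernet padding
            if proto == 6 and len(rest) >= 20 and 20 <= (rest[12] >> 4) * 4 <= len(rest):
                sport, dport = struct.unpack("!HH", rest[:4])
                layers.append(("TCP", {"sport": sport, "dport": dport}))
                rest = rest[(rest[12] >> 4) * 4:]
            elif proto == 17 and len(rest) >= 8:
                sport, dport = struct.unpack("!HH", rest[:4])
                layers.append(("UDP", {"sport": sport, "dport": dport}))
                rest = rest[8:]
    if rest:                                     # nothing further identifiable
        layers.append(("User Data", rest))
    return layers

def raw_dump(data, ebcdic=False):
    """Hex bytes plus a character column read as ASCII or EBCDIC (cp037)."""
    text = data.decode("cp037" if ebcdic else "latin-1")
    return data.hex(" ") + "  " + "".join(
        c if c.isascii() and c.isprintable() else "." for c in text)

def summary(capture, delta=False):
    """One row per (timestamp, frame), using the Summary Mode columns."""
    rows, prev = [], None
    for pkt_id, (ts, frame) in enumerate(capture, start=1):
        named = [l for l in decode(frame) if l[0] != "User Data"]
        top, fields = named[-1] if named else ("Unknown", {})
        net = named[1][1] if len(named) > 1 else (named[0][1] if named else {})
        shown = (ts - prev if prev is not None else 0.0) if delta else ts
        info = f"{fields['sport']} -> {fields['dport']}" if "sport" in fields else ""
        rows.append({"Pkt ID": pkt_id, "Time": shown, "Size": len(frame),
                     "Source Node": net.get("src"), "Destination Node": net.get("dst"),
                     "Protocol": top, "Information": info})
        prev = ts
    return rows
```

A frame whose header lengths do not add up stops decoding at the last consistent layer, and the remaining bytes are returned as User Data instead of being parsed further.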
Protocol Decode Zoom Mode is an option available from the Seven-level Protocol Decode window. Zoom Mode presents a full display of any displayed protocol layer.
To select Zoom Mode (for the packet currently displayed in the Seven-level Protocol Decode window), click Zoom.
The Zoom Decode window is displayed (Figure 29-8).

The Zoom Decode window lets you continuously scroll backward and forward through the protocol layers of the selected packet by clicking next layer or prev layer. The display only cycles from the highest protocol layer to the lowest protocol layer of the selected packet.
The following sections describe how to use Protocol Decode on Microsoft Windows platforms:
To use Protocol Decode, follow these steps:
Step 1 Load a data capture file.
Step 2 From the TrafficDirector main window, click the Protocol Decode icon.
The Protocol Decode window is displayed (Figure 29-9):
Step 3 Select File > Open from the menu bar.
The Select File window is displayed (Figure 29-10).
Step 4 Select the Directory and File containing the captured data you want to decode.
xxx.dat.
Step 5 Click Open to load the data capture file.
The Protocol Decode window is displayed (Figure 29-11). It displays the contents of the data capture file, with each line representing one frame.
To modify the four default properties that determine how decoded data in each mode displays, follow these steps:
Step 1 In the Protocol Decode window, select the frame you want to decode.
Step 2 Select Properties from the menu bar.
The Properties window is displayed (Figure 29-12).
Step 3 Select the protocol decode properties you want to use by clicking the appropriate toggle button.
Step 4 Click OK to apply your selections, or click Cancel to cancel your selections and return to the Protocol Decode window.
Table 29-6 describes the properties fields and their contents.
| The Information in This Field... | Performs This Function |
|---|---|
| Raw Mode | Determines whether the decoded bytes are displayed in Raw Mode as ASCII (default) or EBCDIC characters. |
| Time Mode | Determines whether the time displayed (in hh:min:sec:msecs) is absolute (the actual time the packet was captured, which is the default) or delta (the difference between arrival of the current and previous packet). |
| Address Mode | Sets the Source/Destination address display as Network (IP, which is the default), Vendor, or Hex. |
| Zoom Mode | Enables (default) and disables the multipaneled, multicolor effect in the seven-layer Protocol Decode window and the Zoom Mode feature. |
Post-capture filters let you further narrow the scope of the display of previously captured data.
To establish a Post-Capture Filter, follow these steps:
Step 1 Select Post-Capture Filtering from the Protocol Decode menu bar.
The Post-Capture Filters window is displayed (Figure 29-13):
The selection fields simplify how you specify the parameters for post-capture filtering. These fields contain toggle buttons you can click to indicate your preferences.
The selections include the following:
Step 2 Select the filter definition you want to use.
Step 3 Click OK.
The Summary Mode list box on the Protocol Decode window now contains only packets that have satisfied your Post-Capture Filter definition.
Step 4 If you need to view all of the captured packets (with no filtering), deselect all post-capture filters and click OK.
Table 29-7 describes how you can use Protocol Decode to view contents of a data capture file:
| Use This Mode... | To View the Data Capture File in This Manner |
|---|---|
| Summary | In a list box with a separate line entry for each frame within the Data Capture file loaded that has not yet been decoded. |
| Raw | A single frame you select that is decoded and presented in raw byte format. |
| Protocol Decode | A single frame you select that is decoded and presented in full seven-level format. |
| Zoom | Any of the seven layers, as appropriate for the packet being decoded; can be displayed in the full window. |
Summary Mode is the default mode of the Protocol Decode main window. Each frame is represented by a single line numbered from 1 to n, where n is the total count of frames in the capture buffer. The frame currently selected is highlighted.
Table 29-8 describes the Summary Mode list box headings.
| This Field... | Contains This Information |
|---|---|
| Pkt ID | The index number of the frame, starting with 1. |
| Timestamp | The timestamp value, determined by the time mode you selected when determining protocol decode properties. The format of the timestamp is: mmm dd hh:mm:ss:ttt. |
| Size | The number of bytes in the frame. |
| Source Node | The address of the node that sent the frame. However, if Vendor Name is the default, the vendor ID displays instead. |
| Destination Node | The address of the destination node specified in the frame. However, if Vendor Name is the default, the name of the vendor displays instead. |
| Protocol | The name of the highest-level protocol in the frame. |
| Information | The source and destination port numbers for TCP and UDP protocols. |
| Status | If a frame is faulty, the type of fault (more than one may apply): |
To specify a particular frame, follow these steps:
Step 1 In the Packet field of the main Protocol Decode window, specify the Packet Id number of a desired frame.
Step 2 Press Enter.
Table 29-9 describes the remaining functions in the top section of the main Protocol Decode window that are represented by selection buttons:
| Use This Button... | To Perform This Function |
|---|---|
| Up/Down Arrows | Scroll up or down one frame at a time. |
| Home | Display the first frame displayed in the list box. |
| End | Display the last frame displayed in the list box. |
| PgUp | Display the entire previous page. |
| PgDn | Display the entire next page. |
| (Mode) Raw | Switch directly to Raw Mode to display decoded data in raw (hexadecimal) byte format. |
| (Mode) Protocol | Switch directly to Protocol Decode Mode to display up to seven list boxes, with each box corresponding to successive layers of the protocol. |
Raw Mode is an option available from the Protocol Decode main window. Raw Mode displays decoded data in raw (hexadecimal) byte format.
To view protocol information in Raw Mode, follow these steps:
Step 1 Highlight a Pkt Id number.
Step 2 Click Raw (next to the Mode label).
The Raw Decode window is displayed (Figure 29-14).
To specify a particular frame, follow these steps:
Step 1 In the Packet field in the top section of the Raw Decode window, specify the Packet Id number of a desired frame.
Step 2 Press Enter.
The last entry displayed in the top section of the Raw Decode window contains information for the Packet Id entered, the Frame Number, Size, Absolute Time (of Capture) and the format of the frame (ASCII or EBCDIC).
Table 29-10 describes the remaining functions of the Raw Decode window that are represented by selection buttons.
| Use This Button... | To Perform This Function |
|---|---|
| (Change Mode) Protocol | Switch directly to Protocol Decode Mode to display up to seven list boxes, with each box corresponding to successive layers of the protocol. |
| Up/Down Arrows | Scroll up or down one frame at a time. |
| Home | Display the first frame displayed in the list box. |
| Close | Display the last frame displayed in the list box. |
| PgUp | Display the entire previous page. |
| PgDn | Display the entire next page. |
The seven-level, decoded format of Protocol Decode is an option available from the Protocol Decode main window and the Raw Decode window. The decoding is fully automatic and causes the frame to display in up to seven list boxes, with each box corresponding to successive layers of the protocol.
To view protocol information in this format, follow these steps:
Step 1 Highlight a Pkt Id or frame number.
Step 2 Click Protocol (next to the Mode label).
The Seven-level Protocol Decode window is displayed (Figure 29-15).
The window displays up to seven list boxes, with each box corresponding to successive layers of the protocol. Use the scroll bars on the right side of the list boxes to scroll through the contents of each layer.
If the frame contains no identifiable protocol after a certain layer, the remainder of the frame displays as a raw dump in the last list box, labelled User Data.
Zoom Mode is an option available from the Seven-level Protocol Decode window. Zoom Mode provides a full display of any protocol layer contained in the Seven-level Protocol Decode window.
To select Zoom Mode (for the packet currently displayed in the Seven-level Protocol Decode window), click Zoom.
The Zoom Decode window is displayed (Figure 29-16).
The Zoom Decode window lets you continuously scroll back and forth through the protocol layers of the selected packet by clicking Next Layer or Prev Layer. The display only cycles from the highest protocol layer to the lowest protocol layer of the selected packet.
To exit a window, click Close.
Posted: Fri Mar 31 09:08:04 PST 2000
Copyright 1989 - 2000©Cisco Systems Inc.