Sniff Without a Sniffer

Instructions for using PacketWise devices to get the information typically gathered by a protocol analyzer.

Protocol analyzers capture and analyze each passing packet and are used for a variety of diagnostic purposes. They are useful, but can be pricey if you want their benefits at all network locations. If you already have PacketWise devices deployed at these locations, you need not also invest in additional analyzers at every site.

PacketWise provides a platform that can be used to capture packets at strategic points on a network. In addition, flexible matching criteria let you choose which traffic is logged and which is not.

Many of the statistics presented by an analyzer are also available in PacketWise pages and graphs. If you need information that PacketWise does not provide, you can use PacketWise to capture all or some passing packets. Then you can read the log file with third-party analyzing software such as EtherPeek, Ethereal, or a Sniffer.

Note: The packet capture feature requires a minimum of 256 MB.

Steps:

  1. Determine what type of information you want to collect.
  • If you want information such as active applications and protocols, active IP addresses, bandwidth utilization, retransmissions, heavy users, and response times, this information is available in PacketWise. Check out the other solutions under Analyze Traffic, the list of PacketWise graphs, the Monitor Traffic window, the top hosts feature, as well as several CLI commands such as traffic flow and traffic history.

  • If you want alarm-style notification of exceeded thresholds or values for specific metrics, check out the solution about notification and the list of PacketWise metrics.

  • If you want to view packet headers, real-time display of top users, content at specific offsets into packets, or other information not available from PacketWise, you'll use the packet capture facility.

    First, you'll configure PacketWise to capture passing packets, and then you'll pass the resulting log file to a third-party analysis tool. Continue to the next steps.
  2. Decide which packets you would like to collect.

    A major advantage of using PacketWise as a collector is that you define precisely which traffic to capture. You don't have to collect huge log files with mostly irrelevant traffic. Any traffic you can identify with matching rules in a traffic class can be captured independently.

    For example, if you want to capture all Telnet packets to or from a certain IP address — you can. Or if you want to capture only Oracle traffic for one particular database — you can.

  3. Create a traffic class for each type of traffic you want to capture (if they do not already exist).

    For background information, see Traffic Classification Overview and Traffic Tree Overview.

  4. If you created your traffic class for the express purpose of packet capture, make sure that your to-be-captured traffic will indeed match your new class. It must not satisfy the matching rules for a class that sits above your capture class in the traffic tree.

    For example, suppose you define a traffic class (just for the purpose of packet capture) called BobTraffic matching all traffic to or from the host Bob. If an SAP traffic class sits higher in your traffic tree, and Bob receives SAP traffic, then the traffic lands in SAP, not BobTraffic.

    If necessary, change your class to an exception class.

  5. Add each of your classes whose traffic you want captured, one at a time, to PacketWise's capture list with the CLI command packetcapture add. Note that packet capture has not started yet. You're just specifying the classes that will be logged when packet capture does start.

  6. If the information you want is at the beginning (or at least not at the end) of each traffic flow, consider limiting the number of packets that PacketWise captures for each flow with the CLI command packetcapture limit packets. Your logs won't fill as fast, and you'll still have the information you need.

  7. Turn packet capture on.

    PacketWise stores captured packets in RAM. They are written to disk when the memory buffer is full or when you turn packet capture off.

  8. If you want to monitor the progress of your packet capture, use the packetcapture status command.

  9. When enough traffic has passed, and you have enough captured data, turn off packet capture.

    PacketWise writes the log to disk in tcpdump format and puts it in the 9.258/pktlog directory.

  10. Download the log file to the computer running third-party network analyzer software such as EtherPeek or Ethereal.

  11. Open your log file with your analyzer software.
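As an added example (not part of PacketGuide or a PacketWise tool), the following Python reader shows what a third-party analyzer does with the tcpdump-format log written in the last steps: it walks the classic pcap record structure, decodes Ethernet/IPv4/TCP headers, and reads a byte at a chosen offset. It assumes the log is classic pcap with Ethernet framing (an assumption, not something the page states), and the sample capture is constructed inline so the code runs offline.

```python
import struct

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1  # classic pcap magic, both byte orders

def build_sample_pcap():
    """Constructed sample log: one Ethernet/IPv4/TCP frame (a Telnet SYN)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 1, 2, 3]), bytes([10, 1, 2, 23]))
    eth = bytes(range(6)) + bytes(range(6, 12)) + b"\x08\x00"  # dst MAC, src MAC, IPv4
    frame = eth + ip + tcp
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame

def parse_pcap(data):
    """Yield (ts_sec, frame) per record, honouring the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        order = "<"
    elif magic == PCAP_MAGIC_BE:
        order = ">"
    else:
        raise ValueError("not a classic pcap/tcpdump file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type (assumed for PacketWise logs)")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(order + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec, data[pos:pos + incl_len]
        pos += incl_len

def summarize(frame):
    """Decode Ethernet/IPv4/TCP headers; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "src": ".".join(map(str, frame[26:30])),
        "dst": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport,
        "syn": bool(tcp[13] & 0x02),      # TCP flags byte, SYN bit
    }

def byte_at(frame, offset):
    """Content at a specific offset into the frame (None if past the capture)."""
    return frame[offset] if offset < len(frame) else None
```

For a downloaded log, pass `open(path, "rb").read()` to `parse_pcap` instead of the constructed sample.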

 

PacketGuide™ for PacketWise® Version 6.0