Sniff Without a Sniffer
Instructions for using PacketShapers to get the information typically gathered by a protocol analyzer.
Protocol analyzers are used for a variety of diagnostic purposes as they capture and analyze each passing packet. They are useful, but can be pricey if you want their benefits at all network locations. If you already have PacketShapers deployed at these locations, you need not also invest in additional analyzers at every site.

PacketWise provides a platform that can be used to capture packets at strategic points on a network. In addition, you can even choose which traffic is logged and which is not with flexible criteria. Many of the statistics presented by an analyzer are also available in PacketWise pages and graphs. But if you need information that PacketWise does not provide, you can use PacketWise to capture all or some passing packets. Then you can read the log file with third-party analyzing software such as EtherPeek, Ethereal, or a Sniffer.
Steps:
- Determine what type of information you want to collect.
  - If you want information such as active applications and protocols, active IP addresses, bandwidth utilization, retransmissions, heavy users, and response times, this information is available in PacketWise. Check out the other recommendations under Analysis / Monitoring, the list of PacketWise graphs, the Monitor Traffic window, the top hosts feature, as well as several CLI commands such as traffic flow and traffic history.
  - If you want alarm-style notification of exceeded thresholds or values for specific metrics, check out the Monitor and Respond to My Own Custom Condition and the list of PacketWise metrics.
  - If you want to view packet headers, real-time display of top users, content at specific offsets into packets, or other information not available from PacketWise, you'll use the packet capture facility. First, you'll configure PacketWise to capture passing packets, and then you'll pass the resulting log file to a third-party analysis tool. Continue to the next steps.
- Decide which packets you would like to collect.
  A major advantage of using PacketWise as a collector is that you define precisely which traffic to capture. You don't have to collect huge log files with mostly irrelevant traffic. For example, if you want to capture all Telnet packets to or from a certain IP address you can. Or if you want to capture only Oracle traffic for one particular database you can.
  In PacketWise v8.1.0, you can capture packets for a specified traffic class. In v8.1.1, you can capture packets for traffic classes, IP addresses and ranges, subnets, host lists, port numbers and ranges, and Xpress tunnels.
- If you want to capture traffic for a specific class and the class doesn't already exist, create the traffic class.
- Add each of the classes, IP addresses/ranges, subnets, host lists, port numbers/ranges, or Xpress tunnels for the traffic you want captured, one at a time, to PacketWise's capture list with the CLI command packetcapture add. Note that packet capture has not started yet. You're just specifying the traffic that will be logged when packet capture does start.
- If the information you want is at the beginning (or at least not at the end) of each traffic flow, consider limiting the number of packets that PacketWise captures for each flow with the CLI command packetcapture limit packets. Your logs won't fill as fast, and you'll still have the information you need.
- Turn packet capture on.
  PacketWise stores captured packets in RAM. They are written to disk when the memory buffer is full or when you turn packet capture off.
- If you want to monitor the progress of your packet capture, use the packetcapture status command.
- When enough traffic has passed, and you have enough captured data, turn off packet capture.
  PacketWise writes the log to disk in tcpdump format and puts it in the 9.258/pktlog directory.
- Download the log file to the computer running third-party network analyzer software such as EtherPeek or Ethereal.
- Open your log file with your analyzer software.
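As an added example (not part of this PacketWise article or of Packeteer's own tooling), the following Python script reads the tcpdump-format log that PacketWise writes to 9.258/pktlog and counts packets per TCP/UDP flow, so you can confirm before handing the file to your analyzer that the capture list and the packetcapture limit packets setting caught only what you intended. The function names, the addresses and ports, and the pcap bytes are constructed sample data, and the link-type check assumes the PacketShaper logged Ethernet frames.

```python
import socket
import struct
from collections import Counter

def parse_pcap(data):
    """Yield each captured frame from a tcpdump/pcap file (24-byte global header, then records)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:  # magic, DLT_EN10MB
        raise ValueError("not an Ethernet tcpdump-format file")
    off = 24
    while off + 16 <= len(data):  # record header: ts_sec, ts_usec, incl_len, orig_len
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def flow_key(frame):
    """(proto, src, sport, dst, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return ("tcp" if proto == 6 else "udp", socket.inet_ntoa(frame[26:30]), sport,
            socket.inet_ntoa(frame[30:34]), dport)

def flow_counts(data):  # packets per flow; non-IPv4 and non-TCP/UDP frames are ignored
    return Counter(k for f in parse_pcap(data) if (k := flow_key(f)) is not None)

def check_capture(data, max_per_flow, allowed_ports):
    """Flows that exceed the per-flow limit, and flows that touch none of the intended ports."""
    counts = flow_counts(data)
    over = {k: n for k, n in counts.items() if n > max_per_flow}
    stray = {k: n for k, n in counts.items() if not {k[2], k[4]} & allowed_ports}
    return over, stray

# Constructed sample (hypothetical addresses): minimal Ethernet/IPv4/TCP frames and a
# pcap of Telnet (port 23) traffic to and from 10.1.1.5, at most 3 packets per flow.
def make_frame(src, sport, dst, dport, proto=6):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16
def make_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    return hdr + b"".join(struct.pack("<IIII", 1_700_000_000, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))
SAMPLE_LOG = make_pcap([make_frame("192.168.0.10", 40000, "10.1.1.5", 23)] * 3
                       + [make_frame("10.1.1.5", 23, "192.168.0.10", 40000)] * 3
                       + [make_frame("192.168.0.11", 40001, "10.1.1.5", 23)] * 2)
```

To check a real log, replace SAMPLE_LOG with the bytes read from the downloaded pktlog file and pass the limit and ports you configured to check_capture; a non-empty result means the capture list or per-flow limit did not behave as expected.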