SteelCentral™ Packet Analyzer Plus User’s Guide

Version 11.3.x

October 2017

© 2014-2017 Riverbed Technology. All rights reserved. Riverbed®, SteelApp™, SteelCentral™, SteelFusion™, SteelHead™, SteelScript™, SteelStore™, Steelhead®, Cloud Steelhead®, Virtual Steelhead®, Granite™, Interceptor®, Stingray™, Whitewater®, WWOS™, RiOS®, Think Fast®, AirPcap®, BlockStream™, FlyScript™, SkipWare®, TrafficScript®, TurboCap®, WinPcap®, Mazu®, OPNET®, and Cascade® are all trademarks or registered trademarks of Riverbed Technology, Inc. (Riverbed) in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed or their respective owners.

Riverbed Technology
680 Folsom Street
San Francisco, CA 94107
www.riverbed.com
712-00305-05

Contents

1 - Graphical User Interface Elements ...... 5
  User Interface Main Components ...... 5
  Configuration Tools, Status, and Product Information ...... 7
    Menu Button ...... 7
    Quick Access Toolbar ...... 8
    Settings ...... 9
    About ...... 12
    Status Bar ...... 13
  Sources Panel ...... 13
    Devices Tab ...... 13
    Files Tab ...... 13
  Launching AppResponse 11 From a Packet Analyzer Plus Session ...... 14

2 - Ribbon Panel ...... 15
  Home Ribbon ...... 15
    Trace Files ...... 16
    Remote ...... 16
    General ...... 17
    View ...... 17
    Chart Selection ...... 18
  Time Control Ribbon ...... 19
    Quick Navigation ...... 20
    Select Duration ...... 20
    Time Selection ...... 21
  Policies/Alerts Ribbon ...... 22
    Add Policy ...... 23
    Selected Policies ...... 23
    Views Filter ...... 23
    Severities Filter ...... 24
    Alerts Overlay ...... 25
  Report Ribbon ...... 25
    Generate Report ...... 26
    Management ...... 28
    Settings ...... 28
    Designer ...... 29
  Report Designer Ribbon ...... 29
    Styles ...... 29
    Includes ...... 29

SteelCentral Packet Analyzer Plus User’s Guide 1 Contents

    Visual Settings ...... 30
    Page Setup ...... 30
    Display ...... 30
    Designer ...... 31
  Remote Ribbon ...... 31
    Probe Management ...... 32
    Probe Selection ...... 33
    Files ...... 34
    View Selection ...... 34

3 - Source Panel ...... 37
  Devices ...... 37
    Monitoring Interface Groups (MIfGs) ...... 38
    Context Menus in the Devices Tab ...... 38
  Files ...... 44
    Context Menus in the Files Tab ...... 46

4 - Views and Charts ...... 63
  The View Library ...... 63
    Recently Used ...... 65
    Context Menus ...... 66
    Search Text Box ...... 66
  Microflow Indexing ...... 67
    Microflow Indexed File Tooltips ...... 68
    Finding Views that Use a Microflow Index ...... 69
    Indexing a Trace File ...... 69
  View Editor ...... 69
    Activating the View Editor ...... 69
    The General Approach ...... 70
    View Editor Controls ...... 70
    Saving a View and Exiting the View Editor ...... 74
    Multi-Chart Views ...... 74
  Charts ...... 74
    Bar Chart ...... 75
    Conversation Ring ...... 82
    Data Grid Chart ...... 89
      Grouping Bar ...... 90
      Column Headers ...... 91
      Sorting ...... 91
      Filter Bars ...... 91
      Selection ...... 93
      Summaries ...... 94
      Context Menu ...... 95
    Node Chart ...... 97
      Node ...... 97


      Legend area ...... 107
      Scroll bar ...... 107
    Pie Chart ...... 107
      Context Menu ...... 108
      Tooltips ...... 110
    Scatter Plot Chart ...... 110
    Sequence Diagram ...... 110
      Strip Chart ...... 112
      Time Filter ...... 112
      Ruler Mode ...... 114
      Time Hints ...... 114
      Message Labels ...... 115
    Strip Chart ...... 116
      Diagram ...... 116
      Selection ...... 121
      Context Menu ...... 122
      Tooltips ...... 126
    Bar Chart ...... 126
    Scatter Plot ...... 126
      Context Menu ...... 128
      Tool-tips ...... 130

5 - Filters ...... 131
  Introduction ...... 131
  Filter Controls ...... 133
    Filter Panel ...... 133
    Filter Editor ...... 136
    Filter Bar ...... 137
  Working With Filters ...... 139
    Applying An Existing Filter ...... 139
    Clearing An Applied Filter ...... 142
    Creating A New Custom Filter ...... 142
    Editing An Existing Filter ...... 142
    Managing Filters ...... 142
    Combining Filter Entries ...... 142
  SteelFilter Syntax ...... 143
    Basic Syntax ...... 143
    Identifiers ...... 143
    Operators ...... 143
    Values ...... 144
    Examples ...... 144

6 - Policies and Alerts ...... 145
  The Policies/Alerts Ribbon ...... 145
  Creating Policies ...... 146


    The Policy Editor Dialog ...... 147
  Policy in Sources Panel ...... 148
    Policy Context Menu ...... 149

7 - Working With Capture Jobs ...... 153
  Creating and Editing Capture Jobs ...... 153
    Create Job Dialog Controls ...... 154
  The Jobs Repository ...... 155
  Starting and Stopping Job Traces ...... 156
  Working With Trace Clips ...... 156
    Creating a Trace Clip ...... 157
    Exporting a Trace Clip ...... 166

A - SteelFilter Identifiers...... 181

1 - Graphical User Interface Elements

User Interface Main Components

There are six main panels in the Riverbed® SteelCentral Packet Analyzer Plus graphical user interface. The Source and Ribbon panels each contain subpanels, opened by selecting the tab of interest.

• Devices and Files panels appear in the Sources panel.

• Home, Time Control, Policies/Alerts, Reporting, and Remote panels appear in the Ribbon panel.

This guide has a chapter about each major panel, describing its components, operation, and use.


Figure 1-1. User Interface Main Sections

Ribbon Panel—This panel provides access to actions for common traffic analysis activities, as well as management and operational settings.

Sources Panel—This panel shows interfaces and trace files on the local system and connected AppResponse 11 systems.

View Library Panel—This panel contains a set of network traffic analyses called “views”. Each view computes specific metrics and displays the results in the form of charts (strip charts, bar charts, grids, and so forth).

Main Workspace Panel—This panel contains tabbed windows displaying applied views, report format previews, and Getting Started video tutorials.

Filters Panel—This panel contains all user filters organized in folders.

Violations Panel—This panel lists entries corresponding to both internal and external alerts.


Configuration Tools, Status, and Product Information

Use the following user interface controls to access tools, status, and product information.

Figure 1-2. Tools, Status, and Product Information Access

Menu Button

The Menu button controls manage:

• sharing Packet Analyzer Plus views, settings, and probes.

• settings used in operations by Packet Analyzer Plus.

• the display of license information.

Figure 1-3. Menu Button Controls


Import Global Settings

The Import Global Settings menu option opens a file created by the Export Global Settings option and applies it to Packet Analyzer Plus. This applies to all settings in the global configuration file, which include many of the parameters described in this manual. Briefly, it includes items such as:

• Remote AppResponse 11 systems and MIfGs

• Custom filters

• Report settings

• Channel scan sequence

• Decryption keys

Import Probes Configuration

Imports a probes configuration from a saved probes configuration file (.ppf format). The new settings are applied after a restart.

Export Global Settings

Prepares a file that can be imported into another instance of Packet Analyzer Plus. This file contains the global configuration file.

Export Probes Configuration

Exports the current probes configuration to a probes configuration file (.ppf extension).

Print View

Creates a default report from the current view and sends it to the printer. The report is not saved to disk.

License

Opens the Packet Analyzer Plus License page, enabling you to view your license information.

Quick Access Toolbar

The Quick Access Toolbar provides these buttons:

Settings

Opens the Settings dialog.

Add A Trace File

Adds a local trace file to the Local System in the Files tab of the Sources panel.


Add Probe

Connects to a probe.

Add Policy

Opens the Policy Editor and creates a new policy on the currently selected chart contained in a view and a trigger condition based on the metric computed in the chart.

Send to

Sends traffic from the current selection to Wireshark. This button is enabled only if a selection is made in the currently selected chart in the view.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Send to File

Extracts traffic from the current selection and sends it to disk as a trace file. This button is enabled only if a selection is made in the currently selected chart in the view.

Create Report from Current View

Creates a report from the currently selected view.

Settings

The Settings dialog provides operating parameters for Packet Analyzer Plus. Open the Settings dialog by clicking the Configure Settings icon in the Quick Access Toolbar or by clicking the Menu button and selecting Settings from the drop-down list.

Figure 1-4. Accessing the Settings Dialog


The figure below shows the default settings in the Settings menu. Each section of the dialog is described below.

Figure 1-5. Default Settings on Settings Menu

Export file format

These settings determine the format and timing precision for “Send to…” operations. The “Send to File” option lets you configure the format that Packet Analyzer Plus uses to create a trace file from another trace file or from a subset of one. In addition, this option is used when Packet Analyzer Plus exports packets from a trace clip. This option is especially useful if you need to use a trace file with a tool that does not support the pcap-ng format or nanosecond timestamps. The “Send to Wireshark” option lets you configure the format that Packet Analyzer Plus uses to export a trace file or a subset of a trace file to Wireshark.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Name resolution

These settings let you determine whether MAC or IP addresses or TCP/UDP port numbers are presented as numbers or names (when possible). In views, name resolution can be set per chart using the Name Resolution item on a chart’s submenu. When a box is checked, Packet Analyzer Plus searches its configuration files for names that are equivalent to MAC addresses, IP addresses, or TCP/UDP port numbers.


When you modify an option, only new views reflect the new options. There may be a brief delay while names are resolved. For instance, here is a view with MAC and IP addresses not resolved. Hovering over an end point displays the MAC address and conversation details.

Figure 1-6. MAC and IP Addresses Not Resolved

And here is the same view with both MAC and IP addresses resolved. Names have replaced numbers in some of the addresses.

Figure 1-7. MAC and IP Addresses Resolved

Name resolution is performed in Packet Analyzer Plus, not in AppResponse 11 systems. MAC addresses and TCP/UDP port names are stored in these files:

• MAC addresses: [Packet Analyzer Plus installation folder]\data\Manufacturers.xml

• TCP/UDP port names: [Packet Analyzer Plus installation folder]\data\PortNumbers.xml

Subnet Mask

This option allows you to configure which addresses are considered local for some views such as “Local vs Remote.”


• Disabled: All IP addresses are considered local.

• Automatic: Local System or AppResponse 11 determines which is the best local address range (for instance, 192.168.0.0/16).

• Manual: You specify the local address range by entering an IP address and a subnet mask. Changes are applied to the source type currently selected in the Devices/Files panel. This allows you to maintain separate configurations for both Local System and remote devices.
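The following is an added example, not code from the Riverbed guide, showing how the three Subnet Mask settings above translate into a local-versus-remote classification of endpoint addresses. The mode names come from the Settings dialog; the helper names, the sample addresses, and the way the "Automatic" range is passed in are assumptions made for illustration, since the guide does not document how the product computes that range.

```python
"""Local vs remote classification under the Disabled / Automatic / Manual
Subnet Mask settings (constructed illustration, not Packet Analyzer Plus code)."""
import ipaddress
from typing import List, Optional, Tuple

Network = Optional[ipaddress.IPv4Network]


def local_network(mode: str, address: Optional[str] = None,
                  mask: Optional[str] = None) -> Network:
    """Return the network treated as local, or None when the setting is Disabled.

    mode: "disabled", "automatic" or "manual" (labels from the Settings dialog).
    For "automatic" the guide says the Local System or AppResponse 11 chooses the
    range; here the chosen range is supplied by the caller (assumption).
    For "manual" the user supplies an IP address and a subnet mask.
    """
    if mode == "disabled":
        return None
    if mode in ("automatic", "manual"):
        if address is None or mask is None:
            raise ValueError(f"{mode} mode needs an address and a subnet mask")
        # strict=False lets a host address such as 192.168.1.10 stand in for
        # its network, which is what "enter an IP address and a subnet mask" implies.
        return ipaddress.ip_network(f"{address}/{mask}", strict=False)
    raise ValueError(f"unknown Subnet Mask mode {mode!r}")


def is_local(ip: str, network: Network) -> bool:
    """Disabled (network is None) means every address counts as local."""
    if network is None:
        return True
    return ipaddress.ip_address(ip) in network


def split_local_remote(ips: List[str], network: Network) -> Tuple[List[str], List[str]]:
    """Partition a list of endpoint addresses into (local, remote)."""
    local = [ip for ip in ips if is_local(ip, network)]
    remote = [ip for ip in ips if not is_local(ip, network)]
    return local, remote


# Constructed sample of endpoint addresses such as an "IP Conversations" view might list.
SAMPLE_IPS = ["192.168.1.10", "192.168.200.5", "10.0.0.7", "203.0.113.9"]

if __name__ == "__main__":
    for mode, addr, mask in [("disabled", None, None),
                             ("automatic", "192.168.0.0", "255.255.0.0"),
                             ("manual", "192.168.1.10", "255.255.255.0")]:
        net = local_network(mode, addr, mask)
        print(f"{mode:9} local={net} -> {split_local_remote(SAMPLE_IPS, net)}")
```

The point to take from the example is the one the guide makes for the Disabled setting: with no subnet configured, a "Local vs Remote" view cannot separate anything, because every address is local by definition. The Manual mode is also where the per-source configuration matters, so the same address list can be partitioned differently for the Local System and for a remote device.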

Miscellaneous

The “Show all warnings and informative dialogs” button lets you turn on the display of all warnings and dialogs. This can be useful if you have previously turned off the display of some messages (by checking the “Do not show this again” box) but want to start seeing those messages again. The “Show advanced packet processing statistics” option determines if Packet Analyzer Plus reports processing details in tooltips. The example below shows advanced processing statistics for a view applied at the end of a drill-down workflow.

Figure 1-8. Tooltip with Advanced Packet Processing Statistics

About

Click the About button to open a window with information on the Packet Analyzer Plus software including:

• Version information

• Riverbed Technical Support

• Logs and Configuration files


• Copyright information

Figure 1-9. About Button

Select a tab to see more information. Click OK to close the window.

Status Bar

The Status Bar lists the last operation performed, such as applying a view. During certain operations, the status bar also includes a graphical horizontal bar on its right-hand side displaying the completion percentage of an in-progress operation.

Figure 1-10. Status Bar with In Progress Operation

Sources Panel

The Sources Panel contains representations of AppResponse systems, interfaces, and trace files. It has two tabs, “Devices” and “Files,” that can be cycled through by clicking on them.

Devices Tab

Shows both local interfaces under the Local System icon and interfaces on connected AppResponse systems that offer live sources of network traffic.

Files Tab

Shows folders and trace files on the local system and connected AppResponse systems.


Launching AppResponse 11 From a Packet Analyzer Plus Session

Access the AppResponse 11 web interface for all AppResponse 11 configuration tasks. Click Remote > Web Interface to launch an AppResponse 11 session from within a Packet Analyzer Plus session. Log in with your AppResponse 11 credentials. The AppResponse 11 session is launched in a new tab inside the Packet Analyzer Plus workspace.

2 - Ribbon Panel

The Ribbon Panel provides access to settings, tools, and actions used to monitor and analyze network traffic and trace files. There are five ribbon panels (Home, Time Control, Policies/Alerts, Reporting, and Remote) that can be selected.

• “Home Ribbon” on page 15

• “Time Control Ribbon” on page 19

• Policies/Alerts Ribbon

• Reporting Ribbon

• Remote Ribbon

Home Ribbon

The Home ribbon provides a set of controls that enable you to perform some basic actions across the set of Packet Analyzer Plus features. The Home ribbon is divided into several sections:

• “Trace Files”—Operations such as adding a link to a trace file in the Sources panel.

• “Remote”—Connecting to an AppResponse 11 system.

• “General”—Miscellaneous actions.

• “View”—Buttons for creating new or interactive views and detaching a view.

• “Chart Selection”—Operations that apply to the active selection in a chart in the Main Workspace. Drill-down steps such as Send to Wireshark, Send to SteelCentral Transaction Analyzer, or Send to File are available here.


Trace Files

The source and destination of Add Trace File and Add Folder are local to Packet Analyzer Plus. Trace files on the Local System can be added to the Files tab in the Sources panel for analysis. A reference to the file is used; the file is not copied. If the file moves on the local system the reference will no longer be valid. A file or folder name with an invalid link is shown in gray.

Add Trace File

Adds a trace file for analysis under Local System in the Files panel. This operation only adds a reference to the file. It does not copy the whole file. If the file location changes, the reference will no longer be valid. The filename is grayed out in the Files tab until the program is restarted.

Add Folder

Adds a directory of trace files to the Files panel for analysis. The selected folder is scanned for all supported trace files. Similar to the Add Trace File operation, this operation adds a reference to the folder and relevant files and does not copy any files. This operation is not recursive and does not add subfolders.

Clear List

Clears the list of trace files and folders in the Files panel.

Remote

This section allows you to manage probes. The Probes button in this section is the same as the Probes button on the Remote Ribbon.

Probes

The Probes button enables you to manage probes.


General

This section contains buttons that apply to all devices and tabs.

Search

This button opens a search dialog window that can be used to find data in charts. The search context is the labels of the items in a chart that can be selected. For instance, an IP address, MAC address, or hostname can be searched. The Search Dialog is described in its own section.

Update Sources

This button updates the list of sources for the Devices and Files panels. Please note that a device will not be available immediately after it is plugged in, nor will the device disappear immediately after being unplugged. It takes about 10 seconds before Packet Analyzer Plus recognizes a device change. Packet Analyzer Plus does not check for new sources automatically. It only checks when this button is clicked.

Close All Tabs

This button closes all open tabs. This applies to the following tabs:

• Views

• Report Designer

Getting Started

This button opens a tab in the main workspace that provides access to video tutorials.

View

The buttons in this section are used for view management.

Create

This button opens the View Editor with a blank, fully editable new view. The submenu (drop-down arrow) gives you the choice of creating either a new view or an interactive view after performing a drill-down.


Save

This button saves the current view.

Detach

The Detach button detaches the currently selected view from the source, whether the source is live, off-line, local, or remote. Once detached, the view is no longer visible in the Packet Analyzer Plus main workspace. The view remains visible in the Sources panel, but is grayed out.

Note: For live captures, the system (local or remote) continues to compute the corresponding view metric(s).

You can “attach” a view by right-clicking the view in the Sources panel and selecting the Attach submenu item. The view is then visible in the Packet Analyzer Plus main workspace. Detaching a view from a capture job running on an AppResponse 11 is an excellent way to leave a view running overnight or over a weekend. When you start up Packet Analyzer Plus again and reconnect to the AppResponse 11, you can attach the view and see all the information that has been collected since the capture job started.

Chart Selection

Several functions are common among the charts and are enabled only if there is an active selection in a chart. These functions are on the Home Ribbon in the Chart Selection group. Each of these functions is also available through the context menu of any chart.

Send to Wireshark

This button sends traffic from the current selection to Wireshark. A new instance of Wireshark is spawned and the selected packets are delivered to Wireshark.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Note: If the source of traffic is on a remote probe, then the traffic is transmitted over the network to Wireshark running on the Packet Analyzer Plus local system.

Send to SteelCentral Transaction Analyzer

This button sends traffic from the current selection to Transaction Analyzer (formerly known as App Transaction Xpert (ATX)). A new instance of Transaction Analyzer is spawned on the local system and the selected packets are delivered to it for analysis.

• Requires Transaction Analyzer version 16.5.T PL1 (or higher) installed on the local system.

• “Send to SteelCentral Transaction Analyzer” cannot be used with data from a live interface.

Note: If the source of traffic is on a remote probe, then the traffic is transmitted over the network to Packet Analyzer Plus before being sent to Transaction Analyzer running on the local system.


Send to File

This button sends traffic from the current selection and stores it as a trace file. This is useful for storing a subset of the original capture. If the traffic was encrypted and is being properly decrypted at the time, then the trace file stores the decrypted traffic.

Note: If the source of traffic is on a remote probe, then the traffic is saved in the “My Files” directory on the remote probe. If the source of traffic is local to Packet Analyzer Plus, then the traffic is saved as a file located on the local system in the format selected in Settings > Export File Format (default is pcap).

Drill Down

This button applies a view to the current selection in a chart.

Copy

The Copy button copies a textual representation of the chart information from the current selection to the system clipboard. The chart data can be exported to another application. The export format, text or Excel, is selected on the drop-down menu at the bottom of the button. The default is text (“Regular Format”).

Copy Chart

The Copy Chart button copies the selected chart as a metafile to the system clipboard for pasting into another application. A chart must be selected for this button to be enabled.

Time Control Ribbon

The Time Control feature of Packet Analyzer Plus allows the user to go “back in time” over a view that has been computed over days, weeks, or months. The Time Control Ribbon provides additional mechanisms for moving through a long-duration view. There are three sections within the Time Control Ribbon:

• “Quick Navigation”

• “Select Duration”

• “Time Selection”


Quick Navigation

Use these buttons to move the Current Selection interval in a view forward and backward to find time intervals of interest.

Begin

This button allows a user to move the Current Selection interval to the beginning of the view (back-in-time).

Step Back

This button allows a user to move the Current Selection interval one step back in time. The size of the step is equal to the length of the Current Selection interval.

Step Forward

This button allows a user to move the Current Selection interval one step forward in time. The size of the step is equal to the length of the Current Selection interval.

End

This button allows the user to move the Current Selection interval to the end of the current View.

Select Duration

This section of the Time Control Ribbon provides a number of alternatives for setting the length of the Current Selection interval.

Figure 2-1. Select Duration Section of the Time Control Ribbon

The Select Duration section contains some fixed durations (for example, 10 seconds, 10 minutes, All History). Click a time duration to set the Current Selection interval. For a trace file, the All History selection corresponds to the duration of the entire trace file. For a live capture, All History ends at the present time and begins either at the start of the capture or at an amount of time equal to the Data Retention Time of the capture, whichever is smaller.


There also is a Custom option allowing a user to pick an arbitrary time interval by specifying the interval in days, hours, minutes, seconds and milliseconds.

Zoom In

Clicking this button reduces the Current Selection interval by 66%.

Zoom Out

Clicking this button increases the duration of the Current Selection interval to 150% of its current duration.

Zoom to Selection

If a time duration selection is made in a Strip Chart, the Zoom to Selection button changes the Current Selection interval to the selection made on the Strip Chart.

Time Selection

The Time Selection section of the Time Control Ribbon allows the user to pick the absolute location and duration of the Current Selection interval within the current view (either live or off-line) by setting the Start Time, the End Time, and then clicking Apply.

Apply

Sets the Current Selection interval to the start and end times entered.

Create Filter

When the user clicks on this button, a new Filter is created that will filter out all packets that do not fall within the Current Selection interval. This filter can be used when applying a new view to a source and is very useful for comparing two different views with respect to the same time interval. For example, one can compare Bandwidth Over Time and IP Conversations during the same time interval to see which hosts were contributing to the spike in bandwidth.


Copy

Copies the current Time Selection interval to the clipboard. If you have multiple views open you can then use the Paste button to set the time interval of interest on other views.

Paste

Changes the Current Selection interval to the interval contained on the clipboard. The destination Chart must be selected to paste an interval on it.

Policies/Alerts Ribbon

Packet Analyzer Plus includes a sophisticated triggering and alerting technology called “Policies.” With a policy you are able to create a trigger on many view metrics and be alerted when a specified condition computed on a metric is met in live or off-line sources and files. For instance, you can be alerted when:

• unusually high bandwidth utilization occurs.

• slow server response times occur.

• high TCP round-trip times occur.

When a Policy detects that a trigger condition is met, a specified action is taken, such as logging the alert, sending an email, starting a packet trace capture, and more. The Policies/Alerts Ribbon is used to configure and manage policies and alerts. There are seven sections within the Policies/Alerts Ribbon:

• Add Policy

• Selected Policies

• Views Filter

• Probes Filter

• Severities Filter

• Policies and Alerts Filter

• Alerts Overlay


Add Policy

The Add Policy button is enabled when there is either a strip chart or bar chart selected within the current view.

Add Policy

Clicking this button brings up the Policy Editor page for creating a new policy for the selected chart within the current view.

Selected Policies

This ribbon section contains controls for managing currently applied policies.

Note: A policy applied to a trace file cannot be edited, enabled, or disabled. These buttons appear in gray in this section. A policy applied to a trace file can only be removed.

Edit

After selecting a policy in the Sources panel, the Edit button opens the Policy Editor. Use the Policy Editor to modify the policy parameters.

Remove

With a Policy selected in the Sources panel, this button is used to remove the policy. This also removes all of its associated alerts in the Alerts panel.

Enable

With a disabled policy selected in the Sources panel, this button causes the policy to become active.

Disable

With an enabled policy selected in the Sources panel, this button is used to disable the Policy. No alerts are generated during the time the policy is disabled.

Views Filter

This section of the ribbon deals with filtering the alerts displayed in the Alerts panel, based on their associated views. The three options are explained below. The default is No Filters.

• No Filters is selected. Filtering on view is disabled.


• Current View is selected. Only those alerts that are associated with the current view are displayed in the Alerts panel.

• Pinned Views is selected. The Pin List contains a list of views that have been “Pinned.” Only those alerts associated with a view in the “Pin List” are displayed in the Alerts panel.

Add to Pin List

With a view selected in the Sources panel, clicking Add to Pin List adds the selected view to the Pin List.

Show the Pin List

The Pin List button is active whenever there is at least one View in the Pin List. Clicking the Pin List button (when it is active) shows the Pin List.

The Pin List itself shows the pinned views and their sources. The sources can be either live or a trace file. Views can be removed from the Pin List by clicking the corresponding check boxes.

Probes Filter

Choose where the alerts displayed originate. There are two choices in the Probes Filter:

• Show the alerts from all of the AppResponse 11 systems, including the Local System, in the Alerts pane.

• Only show the alerts from the AppResponse 11 currently selected in the Sources panel (default).

Severities Filter

By default, all alerts are reported. The Severities Filter section allows you to filter the Alert severities.

• Low

• Medium

• High

Policies and Alerts Filter

This ribbon section provides alert filtering based on the corresponding policy name, policy description, alert IDs, or time interval.


The Start and End times can be filled in manually, or the Paste operation can be used. Typically, the clipboard is carrying a time interval that was obtained using the copy operation in the Time Selection section of the Time Control Ribbon. Conversely, if the time interval is available, the Copy operation can be used to save the interval to the clipboard for use in making time selections by pasting it into the Time Selection section of the Time Control ribbon.

Filter violations based on their start and end times.

Once all of the parameters in the Policies and Alerts Filter have been set, click the Apply button for the filter to take effect.

Note: The Policies and Alerts Filter does not take effect until the user clicks the Apply button.

Alerts Overlay

By selecting the Overlay Enabled button, the radio buttons are enabled.

• Source Chart—Only show the alerts in a Chart of the Policies that are associated with the Chart. This is the usual case, where you see the alerts only in the chart where the Policy was created.

• Source View—Show alerts associated with all of the Policies in a View in each Chart of that View. This is generally used when one of the charts in a View has a Policy and you want to see these alerts displayed in the other charts in the View.

• All Views—Show all the alerts of all the Policies in all of the charts of all of the Views. This is often used if only one chart has a Policy and you want to see where these alerts occur in the charts of all of the other Views.

Report Ribbon

The Reporting Ribbon is used to create and manage reports created from Views. Certain sections and buttons of the ribbon are disabled by default. Reports can be made from one View or from all open Views. Reports can be generated for a number of different file formats in a single batch operation. Supported report formats are:

• PDF Report

• Zip Package

• Excel Spreadsheet

• Word Document

• Text File

• HTML Page


Many things can be customized in a generated report. The ribbon is described below top-to-bottom and left-to-right, by section.

Generate Report

This section manages how reports are generated.

Current View The Current View button is used to generate a report using the current View, which requires that a View be the foremost tab. Under any other situation, this button is disabled. This button and the next button, All Views, act differently depending on the settings of the final two buttons of the section, Format and Open Reports.

All Views The All Views button gives you options for generating a report using more than one view. This button and the previous button, Current View, act differently depending on the settings of the final two buttons of the section, Format and Open Reports. Clicking the All Views button directly generates a report using all views that are currently open in the main window. Clicking the drop-down arrow beside the All Views button gives you a choice of generating a report for all views or for views that are currently selected. You can select multiple views by clicking them in the Sources panel while holding down the Ctrl or Shift key.


Format The Format button opens a submenu that specifies one or more export formats. These selections are saved in the global configuration file. By default, only the PDF option is selected. The meaning of each check box is as follows:

PDF Report The PDF Report check box refers to a PDF 1.4 (Acrobat 5.x or newer) document generated with all security turned off.

Zip Package The Zip Package check box refers to a ZIP file with the following contents:

• Each trace file analyzed in the report.

• The MD5 cryptographic digests of the trace files (smaller than 50 MB).

• The PDF version of the report.

Excel Spreadsheet The Excel Spreadsheet check box refers to a Microsoft Excel spreadsheet containing the tabular data of the report in a form that can be used to generate further graphs and charts with the graphing options available in Excel.

Word Document The Word Document check box refers to a “Rich Text Formatted” (RTF) document that can be viewed in Microsoft Word.

Text File The Text File check box refers to a plain text document. Naturally, no images are available, but the image data is made available in tabular form.

HTML Page The HTML Page check box refers to a generated HTML page and a directory containing the images of the relevant charts in PNG format. The HTML is compatible with all major modern web browsers.

Open Reports The Open Reports check box, selected by default, works in the following way:

When On Pressing the Current View or All Views button launches the appropriate helper applications to open the generated reports. For instance, when generating Word and HTML formatted reports, the default word processor and web browser open and display the reports.

When Off No programs are opened when a report is generated.


Management

Generated reports are saved to a user-specified directory. The default directory is the “My Documents” directory in the user’s “Documents and Settings” directory (or the language equivalent). This can be changed as desired. The Management section provides a convenient way to get to the directory, manage recently created reports, and change the report directory.

Recent The Recent button opens a submenu to manage recently generated reports. By default, before any reports have been generated, the Recent button is disabled. After a report is generated, a reference to it is placed in the Recent submenu list. The list holds the five most recently generated reports and can be cleared at any time. Note that the clear operation does not remove the file(s) from disk but simply clears the referential list inside of Packet Analyzer Plus. Each submenu item has in turn another submenu to open one of the formatted reports from the generated report package. Additionally, reports can be renamed and removed irrevocably from disk.

Change Folder The Change Folder button changes where future generated reports will be saved.

Browse Folder The Browse Folder button opens a browser window to show the folder where future reports will be saved.

Settings

Title The Title edit box specifies what to call subsequently generated reports. The title goes on the cover page if the page is included in the report generation. See the section on the Report Designer Ribbon that follows for more information.

Analyst/Client Information The Analyst/Client Information button presents a submenu that specifies what information appears on the cover page of a report. Each field is directly analogous to what appears on the cover page. Refer to the appendix on the example report for more information.


Designer

Report Designer The Report Designer button opens a new tab in the Ribbon Bar to do specific design actions on subsequently generated reports. This ribbon is described below.

Report Designer Ribbon

The Report Designer Ribbon is not always available. It is a contextual ribbon that appears only when reports are being designed. In order to get to it, click the Report Designer button at the end of the Reporting Ribbon (described at the end of the previous section). This displays a generic template report as a tabbed window that does not correspond to any specific data from a view. All changes made in the report designer take effect immediately and there is no need to save when exiting the designer. Additionally, the designer can be left open while generating reports for quick changes. Note that any changes made to the template via the report designer will only affect how subsequent reports are generated, not any existing reports.

Styles

The Styles section controls the thematic look and feel of subsequent reports. There are five styles to choose from, and each can be previewed by simply hovering over it with the mouse. A style can be selected and set as the default by clicking it. In the depiction on the left, for instance, the first style is selected.

Includes

The Includes section has options that determine what is presented inside a report.

Change Logo The Change Logo button is used to specify the logo that goes in the upper right hand side of the cover page of all subsequent reports.

Table of Contents The Table of Contents check box (checked by default) is used to specify whether to include a table of contents in subsequent reports.

Checksums The Checksums check box (not checked by default) is used to specify whether SHA256 cryptographic digests are generated for trace files in subsequent reports. These digests are printed on the reports and placed in separate files when using the ZIP output format.


Cover Page The Cover Page check box (checked by default) is used to specify whether to include cover pages in subsequent reports.

Data as Table The Data as Table check box (checked by default) is used to specify whether to include quantitative data tables in subsequent reports.

Visual Settings

The Visual Settings section has options used to modify some technical aspects of the creation process of reports.

White Chart Background The White Chart Background check box (not checked by default) is used to specify whether the generated charts have a white background instead of the gradient one in Packet Analyzer Plus. Turning this feature on:

• Increases the visual contrast on monochrome (black and white) printers.

• Marginally decreases the file size of generated reports by about 10%.

Draft Images (Faster) The Draft Images (Faster) check box (not checked by default) is used to specify the quality of the images in subsequent reports. Draft images are a suitable resolution for viewing on a computer, while non-draft images are suitable for printing. Turning this feature on:

• Decreases the time needed to generate reports.

• Decreases the file size of the generated report.

Page Setup

The Page Setup section controls the format of generated reports.

Size Use the Size drop-down menu to select the report size.

Orientation Use the Orientation drop-down menu to select the report orientation.

Display

The Display section controls the magnification of the report template.

Page Width—Selecting Page Width changes the magnification level of the template so the width of a page matches all the space available in the tab.


Full Page—Selecting Full Page changes the magnification level of the template so that an entire page can be viewed.

Custom—Selecting Custom enables you to specify the magnification level of the template. Magnification can range from 25% to 400%. Enter a desired magnification level in the box (default is 100), or use the up or down arrow to increase or decrease the magnification by 25% each time an arrow is clicked.

Designer

Close The Close Designer button closes the Report Designer Ribbon and the template view tab. Since all changes are immediate, there is no prompt to save changes.

Remote Ribbon

Live and offline traffic sources are available from a variety of Riverbed products on your network. Remote traffic sources are accessed through probes. The Remote Ribbon contains tools to manage live and offline traffic sources from probes.


Probe Management

Add Probe This button opens the Connect to Probe page where communication with a probe is configured. Once communication is established, the probe is added to the list of sources in the Sources panel of the UI.

Probes The first item in the Probes Panel is Create Probe Group. This selection is used to create a collection of probes that can be treated as a single group. An AppResponse 11 can be a member of at most one probe group. If a probe is a member of a probe group, then it appears only within that probe group in the Probes Panel. Below Create Probe Group is a list of all of the probes that have been added using the Add Probe panel and have not been removed from this list. Clicking the icon to the left of one of the probes on the list disconnects Packet Analyzer Plus from the probe if it is already connected. On the other hand, if the probe is initially disconnected, then clicking the icon reconnects the probe as the user shown in the Probes Panel. The last three items on the main panel act on the list as a whole: Delete All, Connect All, and Disconnect All. Selecting an AppResponse 11 on the list brings up a submenu for operations on the selected AppResponse 11, enabling the user to edit the system description, move the system into a probe group, connect to or disconnect from the system, display the system settings, and delete the system from the list. When an AppResponse 11 is configured for local authentication mode, the “Log in as” list includes the identity of all users having accounts on the selected AppResponse 11. The item in bold is the identity of the user who is currently logged into the AppResponse 11 from Packet Analyzer Plus. Selecting a user on this list initiates an attempt to connect to the AppResponse 11 on behalf of the selected user. When remote authentication is being used, this list is not shown.


Probe Selection

Select All Probes The Select All Probes button highlights (selects) all probes in the Sources Panel (Devices and Files).

Expand Selection The Expand Selection button expands all the selected probes in the Sources Panel, thereby showing all their associated interfaces and file folders.

Collapse Selection The Collapse Selection button collapses all the selected probes in the Sources Panel, hiding all their associated interfaces, files, and views.

Disconnect from Selected The Disconnect from Selected button disconnects Packet Analyzer Plus from the selected probes. The selected probes continue to process live views and maintain the views associated with trace files.

Web Interface The Web Interface button opens the selected remote probe’s web interface.

Note: Connection to the web interface of a NetExpress is not supported.


Files

Import Files into Probes The Import Files into Probes button transfers trace files from the Local System to the selected remote probe. The trace files are transferred to the selected directory of the remote probe.

Export Files from Probes The Export Files from Probes button transfers files from the selected remote probe to the Local System. If a folder on a remote probe is included in the selection, then the folder and its contents are transferred to the Local System. If a file on a remote probe is in the selection, then just the file is transferred. Multiple selections are permitted as long as the selections are either all folders or all files.

View Selection

Select All on Probes The Select All on Probes button highlights (selects) all the views on the selected probes.

Close Selected The Close Selected button closes all the selected views.

Attach to Selected The Attach to Selected button attaches to the selected views.


Detach from Selected The Detach from Selected button detaches from the selected views.

Share Selected with The Share Selected with button brings up a panel to allow selected views on AppResponse 11 systems to be shared with other groups.

3 - Source Panel

The Sources Panel is one of the most important parts of the Packet Analyzer Plus user interface. It contains icons representing the local system and connected probes. Live interfaces, trace files, and capture jobs available for analysis are listed under each icon.

Note: Packet Analyzer Plus is used to interface only with AppResponse 11 appliances.

Note: A probe is typically an AppResponse 11 appliance or virtual machine. The terms “probe” and “AppResponse 11 system” are used interchangeably in this section.

The two tabs in the Sources Panel change the contents displayed between devices and files. Click a tab to switch between displaying devices and displaying files.

• Devices—Shows local interfaces under the Local System icon and AppResponse 11 appliances or virtual machines with their associated interfaces. This offers access to live sources of network traffic to Packet Analyzer Plus for monitoring and analysis.

• Files—Shows local folders and trace files under Local System as well as AppResponse 11 systems with their associated folders and trace files.

Devices

Devices on your local system require administrator privileges to capture network data. If you are running Packet Analyzer Plus in non-administrator mode, you will see the following prompt as the software initiates and tries to connect to your local resources.

Figure 3-1. Accessing Local Devices Requires Administrator Privileges

If you have administrator privileges on the system, you can double-click on the prompt to make those resources available for capture jobs. Remote capture devices, such as AppResponse 11 systems, do not require administrator privileges.


Packet Analyzer Plus supports Wired sources.

Wired Ethernet Adapters

Interface Card—The actual network interface card in a probe. The default interface name appears, followed by the interface description. If the AppResponse 11 interface has been given a name, that name appears followed by the interface description.

Capture Job Virtual Interface—A virtual interface is displayed for each capture job. The capture job name appears, followed by “Job Virtual Device on ,” which is the interface used by the capture job. If configured, a capture job BPF filter is applied to traffic on this interface. If you add or change a BPF filter in an existing capture job, it is recommended that you close all views on the capture job virtual interface, click Update Sources, and then reapply the views to see the traffic filtered with the new or updated BPF filter.

Monitoring Interface Groups (MIfGs)

A monitoring interface group (MIfG) is a logical grouping of one or more monitoring interfaces on an AppResponse 11 system. The MIfGs defined on an AppResponse 11 system are accessible in Packet Analyzer Plus via the Devices tab. AppResponse 11 and Packet Analyzer Plus handle all analysis per MIfG rather than per the individual monitoring interfaces. A default MIfG, named “default_mifg”, contains all monitoring interfaces on the AppResponse 11 system and is created automatically when AppResponse 11 is installed. When Packet Analyzer Plus connects to that system as a probe, default_mifg and any other MIfGs that have been configured are listed in the Packet Analyzer Plus Devices tab. Each MIfG can be selected as a source of live traffic, and can have views applied to it and capture jobs defined for it.

Context Menus in the Devices Tab

A context menu provides additional actions and configuration settings that can be performed. A context menu is opened by right-clicking on a UI item, for example, an interface, a view, or a chart. There are six types of Context Menus in the Devices panel that appear under the six conditions below:

• “With No AppResponse 11 Selected” on page 39

• “With an AppResponse 11 Selected” on page 40

• “With an Interface Selected on Local system” on page 41

• “With an Interface Selected on an AppResponse 11” on page 42

• “With a Job Virtual Device Selected (AppResponse 11)” on page 42

• “With a View Selected (Local System and AppResponse 11)” on page 43

These context menus are described below.


With No AppResponse 11 Selected

Refresh Selected This menu option causes Packet Analyzer Plus to rescan the available interfaces on the local system and all connected AppResponse 11 systems to display the currently available devices. Additionally, the trace folders associated with the Local System and the connected AppResponse 11 systems are rescanned and updated to reflect whether files have been removed or modified.

Add a Probe This menu item opens the Connect to Probe panel where the connection to a new probe can be configured.


With an AppResponse 11 Selected

Refresh Selected This menu option rescans the selected AppResponse 11 and displays the currently available interfaces. Additionally, the trace folders associated with the selected AppResponse 11 are rescanned and updated to reflect whether files have been removed or modified.

Disconnect This menu item disconnects the selected AppResponse 11 from Packet Analyzer Plus. The selected AppResponse 11 remains in the Probes list in the Remote Ribbon.

Web Interface This menu item opens the Web Interface of the selected remote probe.

Copy Configuration to Local System This menu item initiates a manual synchronization of an AppResponse 11’s port names, port groups, L4 mappings, and L7 fingerprints with the local system. This includes Service Response Time (SRT) ports (defined in Port Definitions on an AppResponse 11). This configuration is then used to analyze local files or views on local interfaces. Port names and port groups are effective immediately when downloaded from an AppResponse 11.

Settings This menu item opens the Connect to Probe panel showing the entries used to connect to the selected AppResponse 11.

Add a Probe This menu item opens the Connect to Probe panel where the connection to a new probe can be configured.


With an Interface Selected on Local system

Send to

This menu option instructs Packet Analyzer Plus to send traffic from the selected interface to another application or a trace file, as described below.

Wireshark The Wireshark menu option starts up Wireshark and sends all traffic from the selected device there.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Wireshark with Filter The Wireshark with Filter menu option instructs Packet Analyzer Plus to start up Wireshark and send traffic that matches a user-defined filter from the selected device to Wireshark. The filter is specified using the Filter Dialog Box, which is explained in a later section.

File The File menu option instructs Packet Analyzer Plus to send all traffic from the selected device to a user-specified trace file.

File with Filter The File with Filter menu option instructs Packet Analyzer Plus to send traffic that matches a user-defined filter from the selected device to a user-specified trace file. The filter is specified using the Filter Dialog Box, which appears first and is explained in a later section.

Refresh Selected The Refresh Selected menu option causes Packet Analyzer Plus to rescan the available interfaces on the local system and all connected AppResponse 11 systems to display the currently available devices. Additionally, the trace folders associated with the Local System and the connected AppResponse 11 systems are rescanned and updated to reflect whether files have been removed or modified.


With an Interface Selected on an AppResponse 11

Refresh Selected This menu option causes Packet Analyzer Plus to rescan the available interfaces on the local system and all connected AppResponse 11 systems to display the currently available devices. Additionally, the trace folders associated with the Local System and the connected AppResponse 11 systems are rescanned and updated to reflect whether files have been removed or modified.

With a Job Virtual Device Selected (AppResponse 11)

The icon to the left shows the representation of a capture job interface in the Device Panel. With a capture job interface selected, the context menu is the same as that for a selected AppResponse 11 interface, with one addition, described below.

Go to Capture Job Selecting this option takes a user directly to the corresponding Job Trace in the Jobs Repository folder.


With a View Selected (Local System and AppResponse 11)

Generate Report The Generate Report menu option generates a report from the selected View.

Edit The Edit menu option opens the View Editor. The View Editor cannot be used with live devices.

Share View with

Views applied to AppResponse 11 interfaces on one Packet Analyzer Plus can be shared with groups located at other Packet Analyzer Plus instances. The privileges associated with each group are determined on a probe-by-probe basis. Except for the Administrators, a user cannot close a View or delete a file that has been created by another user. However, Views can be shared with single groups using the Share View with menu item. As soon as a View is shared, the selected group will immediately see the View in their Sources Panel.

Note: The Share the View with menu item only applies to AppResponse 11 systems.

Lock, Unlock If Lock is selected, then a small padlock image is added to the View icon. When the View is in the “Locked” state, it cannot be closed. When the View is in the “Locked” state, the Context menu shows an Unlock menu item. The View must be “unlocked” before it can be closed.

Note: The Lock menu item applies to only AppResponse 11 systems.

Attach If the selected View is Detached, then the Attach menu item attaches Packet Analyzer Plus to the View.

Note: The Attach menu item applies to only AppResponse 11 systems.

Detach If the selected View is currently Attached, the Detach menu option detaches the selected View.

Note: The Detach menu item applies to only AppResponse 11 systems.

Dock If the View has been undocked from the Main Window, the Dock menu option re-docks it.

Undock If the View is docked to the Main Window, the Undock menu option undocks it and places it in a separate window.

Rename The Rename menu option opens a dialog box that allows you to rename the View.

Save The Save menu option saves the View.

Close If the user is the creator of the selected View, then the Close menu option closes the selected View. This implies that the corresponding AppResponse 11 will terminate the View and it will no longer be available to other users.

Files

Packet Analyzer Plus can analyze trace files of arbitrary size in the PCAP capture format with the following restrictions:

• All wired trace files must have an Ethernet header. For instance, trace files created through software loopback devices, software tunnels, software based aggregators, and from non-Ethernet devices (ex. tun [1], lo [2], ppp [3]) are not readable. In most of these instances, the traffic passing through these interfaces will eventually pass through an Ethernet interface.

1. FreeBSD: http://www.freebsd.org/cgi/man.cgi?query=tun&manpath=FreeBSD+7.0-RELEASE&format=html
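A quick pre-check for the Ethernet-header restriction above, added here as an example and not part of Riverbed's product or documentation: it reads only the file header, classifies the link-layer type using the libpcap LINKTYPE registry values, and reports whether every interface in the file carries an Ethernet header. It goes beyond the page by also handling pcapng (the default Wireshark save format); the sample headers are constructed inline rather than taken from real captures.

```python
import struct

# Link-layer type values from the tcpdump/libpcap LINKTYPE registry.
LINKTYPE_ETHERNET = 1
LINKTYPE_NAMES = {
    0: "NULL (BSD loopback, e.g. lo)",
    1: "ETHERNET",
    9: "PPP",
    101: "RAW (IP with no link header, e.g. tun)",
    113: "LINUX_SLL (Linux 'any' pseudo-device)",
}

# Classic pcap magic numbers -> (struct byte-order prefix, nanosecond timestamps)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", False),
    b"\xd4\xc3\xb2\xa1": ("<", False),
    b"\xa1\xb2\x3c\x4d": (">", True),
    b"\x4d\x3c\xb2\xa1": ("<", True),
}
PCAPNG_BLOCK_MAGIC = b"\x0a\x0d\x0d\x0a"   # Section Header Block type (endian-neutral)
PCAPNG_BOM_BE = b"\x1a\x2b\x3c\x4d"
PCAPNG_BOM_LE = b"\x4d\x3c\x2b\x1a"


def pcap_linktype(data):
    """Link-layer type from a classic pcap global header (24 bytes)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    endian, _ns = PCAP_MAGICS[data[:4]]
    # magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) network(4)
    return struct.unpack(endian + "I", data[20:24])[0]


def pcapng_linktypes(data):
    """Link-layer types of every Interface Description Block in a pcapng file."""
    bom = data[8:12]
    if bom == PCAPNG_BOM_BE:
        endian = ">"
    elif bom == PCAPNG_BOM_LE:
        endian = "<"
    else:
        raise ValueError("bad pcapng byte-order magic")
    linktypes = []
    off = 0
    while off + 8 <= len(data):
        btype, blen = struct.unpack(endian + "II", data[off:off + 8])
        # Block total length covers header and trailer, is a multiple of 4 and never < 12.
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("corrupt pcapng block at offset %d" % off)
        if btype == 1:   # Interface Description Block: linktype(2) reserved(2) snaplen(4)
            linktypes.append(struct.unpack(endian + "H", data[off + 8:off + 10])[0])
        off += blen
    return linktypes


def check_trace(data):
    """Return (format, link types, ethernet_only) for the leading bytes of a trace file."""
    if data[:4] in PCAP_MAGICS:
        fmt, linktypes = "pcap", [pcap_linktype(data)]
    elif data[:4] == PCAPNG_BLOCK_MAGIC:
        fmt, linktypes = "pcapng", pcapng_linktypes(data)
    else:
        raise ValueError("not a pcap or pcapng file")
    return fmt, linktypes, all(lt == LINKTYPE_ETHERNET for lt in linktypes)


def describe(data):
    """Human-readable verdict on whether the trace satisfies the Ethernet-header rule."""
    fmt, linktypes, ok = check_trace(data)
    names = ", ".join(LINKTYPE_NAMES.get(lt, "LINKTYPE %d" % lt) for lt in linktypes)
    verdict = "readable" if ok else "NOT readable (no Ethernet header)"
    return "%s file, link type(s): %s -> %s" % (fmt, names, verdict)


# --- Constructed sample headers (hypothetical, not real captures) ---
def _pcap_header(endian, linktype):
    magic = b"\xa1\xb2\xc3\xd4" if endian == ">" else b"\xd4\xc3\xb2\xa1"
    return magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, 65535, linktype)


def _pcapng(endian, *linktypes):
    # Section Header Block (28 bytes, no options) followed by one IDB per interface.
    shb = struct.pack(endian + "II", 0x0A0D0D0A, 28) + struct.pack(endian + "I", 0x1A2B3C4D)
    shb += struct.pack(endian + "HHq", 1, 0, -1) + struct.pack(endian + "I", 28)
    idbs = b"".join(struct.pack(endian + "IIHHII", 1, 20, lt, 0, 65535, 20) for lt in linktypes)
    return shb + idbs


SAMPLE_ETHERNET_PCAP = _pcap_header("<", 1)      # Ethernet capture, little-endian
SAMPLE_LOOPBACK_PCAP = _pcap_header(">", 0)      # BSD loopback capture, big-endian
SAMPLE_MIXED_PCAPNG = _pcapng("<", 1, 101)       # Ethernet plus a tun interface

if __name__ == "__main__":
    for sample in (SAMPLE_ETHERNET_PCAP, SAMPLE_LOOPBACK_PCAP, SAMPLE_MIXED_PCAPNG):
        print(describe(sample))
```

To check a real file, pass the first few kilobytes of it to describe(); only the leading headers are inspected.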


Capture Jobs running on remote AppResponse 11 systems create network traffic recordings called Job Traces. Although Job Traces (and their derivatives, called Trace Clips) are not PCAP files, they can be analyzed by Packet Analyzer Plus exactly as if they were PCAP files. Trace Clips that exist on an AppResponse 11 can be converted to PCAP format using the Send-to-File feature of Packet Analyzer Plus. The resultant PCAP file will be stored in the AppResponse 11 system’s local file system. The Files Panel contains an item for the Local System and one for each attached AppResponse 11. The figures show an example file panel with all the items closed and one with all of the items expanded. They also show the icons for each type of object depicted in the Files panel.

Figure 3-2. Closed Files Panel

Figure 3-3. Expanded Files Panel

2. FreeBSD: http://www.freebsd.org/cgi/man.cgi?query=lo&manpath=FreeBSD+7.0-RELEASE&format=html

3. FreeBSD: http://www.freebsd.org/cgi/man.cgi?query=ppp&manpath=FreeBSD+7.0-RELEASE&format=html

Context Menus in the Files Tab

A context menu provides additional actions and settings that can be performed on a UI item. A context menu is opened by right-clicking on the UI item, for example, an icon, a view, or a chart. There are ten types of Context Menus in the Files panel that appear under the ten conditions below:

• “With Nothing or Local System Selected” on page 46

• “With an AppResponse 11 Selected” on page 47

• “With a Trace Folder Selected on Local System” on page 48

• “With a Trace File Selected on Local System” on page 49

• “With a Trace Folder Selected on a Remote AppResponse 11” on page 52

• “With a Trace File Selected on a Remote AppResponse 11” on page 53

• “With the Jobs Repository Folder Selected on a Remote AppResponse 11” on page 55

• “With a Job Trace Selected on a Remote AppResponse 11” on page 56

• “With a Trace Clip Selected on a Remote AppResponse 11” on page 56

• “With an Applied View Selected” on page 58

With Nothing or Local System Selected

Refresh Selected This menu option causes Packet Analyzer Plus to rescan the available interfaces on the local system and all connected AppResponse 11 systems to display the currently available devices. Additionally, the trace folders associated with the Local System and the connected AppResponse 11 systems are rescanned and updated to reflect whether files have been removed or modified.

Add a Probe This menu item opens the Connect to Probe panel where the connection to a new probe can be configured.


With an AppResponse 11 Selected

Refresh Selected This menu option rescans the selected AppResponse 11 and displays the currently available interfaces. Additionally, the trace folders associated with the selected AppResponse 11 are rescanned and updated to reflect whether files have been removed or modified.

Disconnect This menu item disconnects the selected AppResponse 11 from Packet Analyzer Plus. The selected AppResponse 11 remains in the Probes list in the Remote Ribbon.

Web Interface This menu item opens the Web Interface of the selected remote probe.

Copy Configuration to Local System This menu item initiates a manual synchronization of an AppResponse 11’s port names, port groups, L4 mappings, and L7 fingerprints with the local system. This includes Service Response Time (SRT) ports (defined in Port Definitions on an AppResponse 11). This configuration is then used to analyze local files or views on local interfaces. Port names and port groups are effective immediately when downloaded from an AppResponse 11.

Settings This menu item opens the Connect to Probe panel showing the entries used to connect to the selected AppResponse 11.

Add a Probe This menu item opens the Connect to Probe panel.


With a Trace Folder Selected on Local System

Refresh Selected This menu option rescans a folder for new trace files and updates the status of those already added.

New Folder This menu option creates a new folder in the selected one. The user is asked to enter the name of the folder to create.

Browse Folder This menu option opens an explorer window pointed to the selected folder.

Edit

Cut This menu option is not enabled for trace folders.

Copy This menu option obtains a reference to the “to-be-copied” folder. When the Paste operation is invoked, the folder is copied to the “paste” location and is NOT removed from the original location.

Paste This menu option copies a previously Copied folder to the selected “paste” location.

Remove from List This option removes all trace files from the Files panel with respect to the selected folder that do not have a view open on them.

Delete From Disk This menu option irrevocably deletes from the local system disk all trace files from the selected folder that do not have a view open on them.

Rename This menu option opens a dialog box that allows you to rename the selected folder.


With a Trace File Selected on Local System

Send to

This menu option lists destination and filter use choices for the selected trace file.

Wireshark This menu option starts up Wireshark and sends all traffic from the selected trace file there.

Wireshark with Filter This menu option starts up Wireshark and sends all traffic from the selected trace file that matches a user-defined filter there. The filter is specified using the Filter Dialog Box, which is explained in a later section.

SteelCentral Transaction Analyzer This menu option starts up SteelCentral Transaction Analyzer and sends all traffic from the selected trace file there.

SteelCentral Transaction Analyzer with Filter This menu option starts up SteelCentral Transaction Analyzer and sends all traffic from the selected trace file that matches a user-defined filter there. The filter is specified using the Filter Dialog Box. The Filter Dialog is explained in a later section.

File This menu option instructs Packet Analyzer Plus to send all traffic from the selected trace file to a user-specified trace file.


File with Filter This menu option sends traffic from the selected trace file through a filter to a new trace file. This is a useful function because it can greatly reduce the size of a trace file to only those packets of interest. The Filter Dialog is explained in a later section.

Create Multi-Segment Source When two or more files or traces are selected, the Create Multi-Segment Source option creates a multi-segment source file. For more information, please refer to “Multi-Segment and Merged Sources” at the end of this section.

Create Merged Source When two or more files or traces are selected, the Create Merged Source option creates a merged source file. For more information, please refer to “Multi-Segment and Merged Sources” at the end of this section.

Add Microflow Index This option adds microflow index information to the selected file or trace. For more information, please refer to “Microflow Indexing.”

Calculate Checksum This option calculates the SHA256 cryptographic digest of the selected trace file and presents it in a window. This value is stored and will be used later in tooltips and reports if applicable.

Browse Containing Folder The Browse Containing Folder menu option opens a Windows Explorer window pointed to the folder of the selected trace file.

Edit

Cut This menu option obtains a reference to the “to-be-cut” trace file. When the Paste operation is invoked, the file is copied to the “paste” location and removed from the original location.


Copy This menu option obtains a reference to the “to-be-copied” trace file. When the Paste operation is invoked, the file is copied to the “paste” location and is NOT removed from the original location.

Paste This menu option copies a previously Cut or Copied file to the selected “paste” location.

Remove from List This menu option removes the selected trace file’s reference from the Files List, but not from the local file system.

Delete from Disk This menu option removes the selected trace file from disk. The trace file is not sent to the recycle bin, so it cannot be restored.

Rename This menu option renames the selected trace file. The file is renamed in the Files Panel and on the disk.


With a Trace Folder Selected on a Remote AppResponse 11

Refresh Selected This menu option rescans a folder for new trace files and updates the status of those already added.

New Folder The New Folder menu option removes all trace files from the Files panel with respect to the selected folder that do not have a view open on them.

Edit

Cut This menu option is not enabled for trace folders.

Copy This menu option obtains a reference to the “to-be-copied” folder. When the Paste operation is invoked, the folder is copied to the “paste” location and is NOT removed from the original location.

Paste This menu option copies a previously Copied folder to the selected “paste” location.

Delete from Disk This menu option removes the selected trace file from disk. The trace file is not sent to the recycle bin.

Note: This option is not available for permanent folders such as “My Files” and “Jobs Repository”.


With a Trace File Selected on a Remote AppResponse 11

Send to

This menu option lists destination and filter use choices for the selected trace file.

Wireshark This menu option starts up Wireshark and sends all traffic from the selected trace file there.

Wireshark with Filter This menu option starts up Wireshark and sends all traffic from the selected trace file that matches a user-defined filter there. The filter is specified using the Filter Dialog Box, which is explained in a later section.


SteelCentral Transaction Analyzer This menu option starts up SteelCentral Transaction Analyzer and sends all traffic from the selected trace file there.

SteelCentral Transaction Analyzer with Filter This menu option starts up SteelCentral Transaction Analyzer and sends all traffic from the selected trace file that matches a user-defined filter there. The filter is specified using the Filter Dialog Box. The Filter Dialog is explained in a later section.

File This menu option instructs Packet Analyzer Plus to send all traffic from the selected trace file to a user-specified trace file.

File with Filter This menu option sends traffic from the selected trace file through a filter to a new trace file. This is a useful function because it can greatly reduce the size of a trace file to only those packets of interest. The Filter Dialog is explained in a later section.

Create Multi-Segment Source When two or more files or traces are selected, the Create Multi-Segment Source option creates a multi-segment source file. For more information, please refer to “Multi-Segment and Merged Sources” at the end of this section.

Create Merged Source When two or more files or traces are selected, the Create Merged Source option creates a merged source file. For more information, please refer to “Multi-Segment and Merged Sources” at the end of this section.

Add Microflow Index This option adds microflow index information to the selected file or trace. For more information, please refer to “Microflow Indexing.”

Export from Probe This menu option transfers the selected files from the selected remote probe to the Local System.

Calculate Checksum This option calculates the SHA256 cryptographic digest of the selected trace file and presents it in a window. This value is stored and will be used later in tooltips and reports if applicable.


Edit

Cut This menu option obtains a reference to the “to-be-cut” trace file. When the Paste operation is invoked, the file is copied to the “paste” location and removed from the original location.

Copy This menu option obtains a reference to the “to-be-copied” trace file. When the Paste operation is invoked, the file is copied to the “paste” location and is NOT removed from the original location.

Paste This menu option copies a previously Cut or Copied file to the selected “paste” location.

Delete from Disk This menu option removes the selected trace file from disk. The trace file is not sent to the recycle bin, so it cannot be restored.

Rename This menu option renames the selected trace file. The file is renamed in the Files Panel and on the disk.

With the Jobs Repository Folder Selected on a Remote AppResponse 11

Refresh Selected This menu option rescans a folder for new trace files and updates the status of those already added.


With a Job Trace Selected on a Remote AppResponse 11

Paste Paste a copied trace clip.

Add Trace Clip This menu option brings up the Trace Clip time selection panel.

With a Trace Clip Selected on a Remote AppResponse 11

Trace Clip, Unlocked

Send to

This menu option lists destination and filter use choices for the selected trace file.

Wireshark This menu option starts up Wireshark and sends all traffic from the selected trace clip there.


Trace Clip, Locked

Wireshark with Filter This menu option starts up Wireshark and sends all traffic from the selected trace clip that matches a user-defined filter there. The filter is specified using the Filter Dialog Box, which is explained in a later section.

SteelCentral Transaction Analyzer This menu option starts up SteelCentral Transaction Analyzer and sends all traffic from the selected trace file there.

SteelCentral Transaction Analyzer with Filter This menu option starts up SteelCentral Transaction Analyzer and sends all traffic from the selected trace file that matches a user-defined filter there. The filter is specified using the Filter Dialog Box. The Filter Dialog is explained in a later section.

File This menu option instructs Packet Analyzer Plus to send all traffic from the selected trace file to a user-specified trace file.

File with Filter This menu option sends traffic from the selected trace file through a filter to a new trace file. This is a useful function because it can greatly reduce the size of a trace file to only those packets of interest. The Filter Dialog is explained in a later section.

Export from Probe This menu option transfers the selected trace clips from the selected remote probe to the Local System. Use Add Trace File to display the file in the Files Panel.

Calculate Checksum The Calculate Checksum menu option is not applicable to trace clips.

Lock, Unlock By selecting the Lock menu option, the remote AppResponse 11 will lock the trace clip on disk, ensuring that the packet data is retained even as more traffic arrives on the system. The Unlock option unlocks a locked trace clip.

Edit

Cut This menu option obtains a reference to the “to-be-cut” trace clip. When the Paste operation is invoked, the trace clip is copied to the “paste” location and removed from the original location.

Copy This menu option obtains a reference to the “to-be-copied” trace clip. When the Paste operation is invoked, the trace clip is copied to the “paste” location and is NOT removed from the original location.

Paste This menu option copies a previously Cut or Copied trace clip to the selected “paste” location.

Delete from Disk This menu option removes the selected trace clip. The trace clip cannot be deleted if one or more Views are currently applied to the trace clip.

Change Description The selected, unlocked trace file’s description can be revised using the Change Description menu option.

With an Applied View Selected The context menu for a view applied on a file is the same as the context menu of a view applied on a device, with one additional option, Create Interactive View, explained below. Please refer to “With a View Selected (Local System and AppResponse 11)” on page 43 in the Device Panel section for information on the other context menu options.

Create Interactive View This menu option creates an interactive view from a series of drill downs made on a view. Right-click the last view in a drill down chain and select this menu option. An interactive view is created and selections made in the first view now automatically update the other views in the drill down chain.


Multi-Segment and Merged Sources If you have selected multiple capture files or trace clips, you can combine them to form multi-segment or merged sources.

• Multi-segment sources—These generally include information in the same time span from capture points in different locations. A typical use for a multi-segment source is to follow packets through a network.

• Merged sources—These generally include information from the same capture point at different points in time. A typical use for a merged source is to combine sequential capture sessions to make a single session.

Important: Sources must be capture files or trace clips, not devices.

To make a multi-segment or merged source for Packet Analyzer Plus analysis:

• Trace clips must first be saved as a trace file using Send to File, a context menu option.

• All of the capture or trace files used to make a multi-segment or merged source must be stored on the same AppResponse 11 or on the local system. See “With a Trace File Selected on Local System” on page 49 or “With a Trace File Selected on a Remote AppResponse 11” on page 53 for information on the other context menu options.


For more information on Multi-Segment Analysis, see the Packet Analyzer Plus User’s Guide.

File context menu when two or more sources are selected, Local System

Create Multi-Segment Source This option creates a multi-segment source from the selected sources.

The resulting multi-segment source is listed in the Files panel. One of the segments is designated as the primary segment and shown in bold type. The primary segment is used when a single-segment view is applied to a multi-segment source.


File context menu when two or more sources are selected, Remote AppResponse 11

Create Merged Source This option creates a single merged source from the selected sources.

The resulting merged source is listed as “merged” in the Files menu.
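To make concrete what a merged source does, here is an added example (Python written to accompany this explanation, not Packet Analyzer Plus code) that merges two constructed libpcap captures from one capture point into a single capture ordered by timestamp, and refuses inputs whose link types differ. The pcap layout handled and the sample packets are assumptions of the example, not data from the guide.

```python
"""Merge sequential libpcap captures into one chronologically ordered capture.

Added example, not Packet Analyzer Plus code: a merged source combines
captures from the same capture point taken at different times. Records from
every input are interleaved by timestamp, the link type must agree across
inputs, and the output snaplen is the largest of the inputs.
"""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4                    # little-endian, microsecond stamps
GLOBAL_HDR = struct.Struct("<IHHiIII")     # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
Record = Tuple[int, int, bytes, int]       # (ts_sec, ts_usec, data, orig_len)


def parse_pcap(blob: bytes) -> Tuple[int, int, List[Record]]:
    """Return (linktype, snaplen, records) for a little-endian pcap blob."""
    if len(blob) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, _major, _minor, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError(f"unsupported magic 0x{magic:08x}")
    records: List[Record] = []
    off = GLOBAL_HDR.size
    while off < len(blob):
        if off + RECORD_HDR.size > len(blob):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        # A record claiming more bytes than snaplen or than the file holds is
        # corrupt; stop instead of reading past the end of the buffer.
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(blob):
            raise ValueError(f"bad record length at offset {off - RECORD_HDR.size}")
        records.append((ts_sec, ts_usec, blob[off:off + incl_len], orig_len))
        off += incl_len
    return linktype, snaplen, records


def build_pcap(linktype: int, snaplen: int, records: List[Record]) -> bytes:
    """Serialise records as a little-endian pcap 2.4 blob."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data, orig_len in records:
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(data), orig_len)
        out += data
    return bytes(out)


def merge_pcaps(blobs: List[bytes]) -> bytes:
    """Merge pcap blobs of one link type into a single time-ordered capture."""
    parsed = [parse_pcap(b) for b in blobs]
    linktypes = {lt for lt, _, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError(f"link types differ: {sorted(linktypes)}")
    # sorted() is stable, so records with equal stamps keep their input order.
    merged = sorted((r for _, _, recs in parsed for r in recs), key=lambda r: (r[0], r[1]))
    return build_pcap(linktypes.pop(), max(sl for _, sl, _ in parsed), merged)


def timestamps(blob: bytes) -> List[Tuple[int, int]]:
    """(sec, usec) of each record in file order; handy for checking a merge."""
    return [(s, u) for s, u, _, _ in parse_pcap(blob)[2]]


# Constructed sample captures: two sessions from one capture point, the
# second started later, overlapping the first so interleaving is visible.
LINKTYPE_ETHERNET = 1
SESSION_A = build_pcap(LINKTYPE_ETHERNET, 65535, [
    (1000, 100, b"\xaa" * 60, 60),
    (1000, 900, b"\xab" * 60, 60),
    (1002, 0, b"\xac" * 60, 60),
])
SESSION_B = build_pcap(LINKTYPE_ETHERNET, 262144, [
    (1001, 500, b"\xba" * 60, 60),
    (1003, 0, b"\xbb" * 60, 60),
])

if __name__ == "__main__":
    print(timestamps(merge_pcaps([SESSION_A, SESSION_B])))
```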

4 - Views and Charts

A Packet Analyzer Plus view depicts a specific set of calculations that can be applied to a source, whether a live interface or a trace file or trace clip. The calculations that define a view are known as view metrics, and these metrics are presented visually, as charts. Graphical elements within each chart are selectable, such as bars within a bar chart and time intervals within a strip chart. Packet Analyzer Plus provides a large set of views that are built-in and ready to be applied to sources. Views can be used in conjunction with filters to display very specific network information, and can be used in conjunction with policies to generate alerts when network traffic matches specific criteria. Views can be customized by saving them to a different name and applying filters to them.

The View Library The View Library, shown in the Views panel, is the repository of all the views available in Packet Analyzer Plus. Floating the cursor over the icon next to a view’s name displays a help window that describes that particular view.

Figure 4-1. Views Panel


Context Menu

Right-clicking on an item in the View library displays a context menu for executing actions on the selected item:

Apply The Apply menu option applies the selected view to the selected device or file in the Devices and Files panel. If a view is applied to an indexed source, you can force the view to be applied only on the index or only on the packets. Do this by pressing SHIFT while dragging a view over a source; a context menu appears, enabling you to choose Packets or Microflow Index.

Apply with Filter The Apply with Filter menu option applies the selected view to the selected device or file in the Devices and Files panel with a specified filter. The Filter Dialog (described later) pops up when this option is selected. Pressing the CTRL key while dragging and dropping a view will open the Filter Dialog, as well.

Apply as a Report The Apply as a Report menu option automatically creates a report with the “All Views” option as the selected view is applied to the file selected in the Files panel. Apply as a Report cannot be applied to a live interface. Pressing ALT while dragging and dropping a view will enable you to apply the view as a report, also.

Keyboard Shortcuts for Context Controls

• Pressing the CTRL key while dragging and dropping a view will open the Filter dialog.

• Pressing ALT while dragging and dropping a view will enable you to apply the view as a report.

• Pressing CTRL and SHIFT will enable you to choose between applying the view to packets or the index, or displaying the Filter dialog.

• Pressing SHIFT and ALT will enable you to choose between applying the view to packets or the index, or applying as a report.

• Pressing CTRL and ALT will enable you to choose between selecting a filter and applying as a report.


Granularity The Granularity menu option specifies the time granularity of the calculation for the corresponding View metric. The view calculations and time control options are performed with a specific time sampling interval, which typically defaults to one second. This context menu enables changing this interval, and the selected value is shown at the end of the textual representation of the view in the Views Library (along with the Data Retention Time value, described next).

Data Retention Time The Data Retention Time value specifies the time period for the View metric history that is retained for a View applied to a live source. Once the Data Retention Time is reached, the oldest metrics are discarded as new sample points are calculated. The Data Retention time has no effect on the duration of the View metrics retained for trace files, since the complete View metric history over the duration of the trace file is retained.

Copy to Custom The Copy to Custom menu option copies the currently selected view to the Custom folder.

Recently Used The Recently Used entry contains the five most recently used views. The Recently Used folder is not shown when the folder is empty, as is the case when Packet Analyzer Plus is started.


Context Menus

The Recently Used section has two types of context menus. They are triggered by right-clicking on either of the following:

• Recently Used Folder

• View within the Recently Used Folder

Recently Used Folder The context menu for a folder in the recently used section has the following options.

Apply The Apply menu option applies all the views in the recently used folder to the selected device or file in the Devices and Files panel.

Apply with Filter The Apply with Filter menu option applies all the views in the recently used folder to the selected device or file in the Devices and Files panel with a specified filter. The filter dialog (described later) pops up when this option is selected.

Apply as a Report The Apply as a Report menu option will automatically create a report with the “All Views” option as all the views in the recently used folder are applied to the file selected in the Files panel. Apply as a Report cannot be applied to a device.

Search Text Box The Search box enables you to locate specific views. For example, if you type “VoIP” in the Search box, the search will find all of the views that have “VoIP” in the view’s name or description or tag. The drop-down check box also enables searching the chart notes of all the charts that are included in a view.

The Search box provides a convenient way to find one or more specific views.


Microflow Indexing Indexing a capture job or a trace file can improve the performance of some views by a factor of 100 to 1000. Indexing is selected when a capture job is added to an AppResponse 11 system. A trace clip from an indexed capture job contains an index also. The figure below shows two capture jobs in an AppResponse 11 Jobs Repository displayed in the Files tab of the Sources panel in Packet Analyzer Plus. A yellow lightning bolt appears over the icon for both the capture job and the trace clip, indicating that an index is present (DC-Link-Monitor). The capture job and trace clip with no indexes have no lightning bolts over their icons (Office-Monitor-2412).

A trace clip without an index can be saved as a file using the Send to option in the context menu. An index can be added using the Add Microflow Index option in the trace file context menu. The icons associated with indexes are explained below.

Index Icons

Index Applied An index has been successfully applied and views that use an index are accelerated.

Index Broken Either the trace file does not support indexing or the index was interrupted before completion. To show the cause of the broken index, text in gray appears on the right of the trace file.

Drag and Drop Cursors for Indexed Trace Files When dragging and dropping a view that supports indexed files, the Drag and Drop cursor includes a yellow lightning bolt when dragged over an indexed file, indicating that the index will be used.

Add Microflow Index - Context Menu The Add Microflow Index menu option creates a Microflow Index on the selected file.


Interrupt Microflow Index - Context Menu The Interrupt Microflow Index menu option interrupts the creation of an Index while it is being created on the selected file.

Remove Microflow Index - Context Menu The Remove Microflow Index menu option removes the current Index from the selected file.

Microflow Indexed File Tooltips

The indexed file tooltip shows the full path of the trace file that the mouse is hovering over along with these metrics.

Trace File The name of the file.

Microflow Data and Packets available Indicates that the index has been applied and both accelerated microflow data and detailed packet data are available for this trace file.

Size The size of the trace file.

Created on The date the trace file was created.

Format The type of trace file.

Link type The link type of the trace file. This is important because not all views can be applied on all files. In particular, if the Link type is PPI, then the index cannot be created.

Full path The location of the file in the filesystem.


Finding Views that Use a Microflow Index

Filter the View panel for views using a Microflow index by choosing Indexed Only from the context menu.

Indexing a Trace File

Creating a Microflow index does not take much more time than loading a single view. It is often more efficient to create an index on a large file and then apply multiple views on the indexed file.

Apply an Index to a Trace File A Microflow index can be applied to a trace file using the Add Microflow Index option in the trace file context menu option.

View Editor In addition to applying built-in views from the View Library, you can use the View Editor to modify an existing view or create your own view. When you have defined the view you want, you can use it as you would any other view—drill down, create reports, and so on. In addition, you can save the view and apply it to other sources in the same way as any of the built-in views.

Activating the View Editor

Display the View Editor using any of the following methods. Note that views can be created or edited for offline sources only:

• Select a source in the Files panel, then click the Create button in the View section of the Home Ribbon.

• Right-click a source in the Files panel and select Create View from the context menu.

• Right-click a view that has been applied to a source in the Files panel and select Edit from the context menu. The view can be a built-in view that was supplied with Packet Analyzer Plus or a custom view that you created.

The supported chart types are strip charts, conversation rings, bar charts, pie charts, and grids.


The General Approach

This example describes generally how the View Editor works.

1. Select an offline (non-live) source.

2. Create a new view by clicking View > Create in the Home ribbon. Alternatively, edit an existing view.

3. The View Editor appears. Change the view as you wish.

4. Click Update to display the view.

5. Name the new/modified view.

6. Save the view by clicking View > Save in the Home ribbon.

7. The new view is saved to the Custom folder of the View Library, and can be applied to other sources.

A detailed explanation of the View Editor follows.

View Editor Controls

The View Editor consists of a central View panel, the View Editor panel on the left, and the Columns panel on the right. Define a view by dragging elements from the Columns panel to the Keys and Metrics panels in the View Editor, set other attributes as necessary, and update the View panel.


Columns The Columns panel contains several folders, which generally group related elements according to protocol type or networking layer. Each folder contains several fields. Each of these fields represents an entity that defines part of a view. Three types of columns are available, indicated by icons:

Categories: The key icon indicates that the field defines a category, and it will be used to define the “key” of the data set. For instance, in a bar chart there will be one bar per field value. Category fields can be used only as keys. (See description of keys, below.)

Qualitative values: The stack icon indicates that the field defines a qualitative value. Qualitative fields can be used for either keys or metrics (see descriptions below). Since the only meaningful operation you can apply to a qualitative value is sorting, you can specify either a min or max calculation when using it as a metric.

Quantitative values: The bar chart icon indicates that the field defines a quantitative value. Quantitative fields can be used for either keys or metrics (see descriptions below). When used as a metric, all calculations are available: min, max, sum, average, time average.

Widget Types The Widget Types drop-down list in the View Editor lets you select from five types of chart:

• Line widget

• Connection widget

• Table

• Bar widget

• Pie widget

Keys and Metrics Entries in the Keys and Metrics panels determine what information is displayed in the chart. You make entries in these panels by dragging fields from the Columns panel.


A key is a field used to define categories in the data set. For example, a key could define:

• the lines or areas in a strip chart

• the source and destination in a conversation ring

• the bars in a bar chart

• the wedges in a pie chart

• the rows in a grid

Any of the different column types can be used as a key.

Note: A conversation ring requires two keys of the same type, for example, Source IP and Destination IP or Caller Name and Receiver Name.

A metric is a value calculated for each packet of the source. A metric can be of the qualitative value or quantitative value field types, but it cannot be of the category field type. You can set the calculation for a qualitative field to min or max; for a quantitative field you can use any of the calculations: min, max, sum, average, or time average. These calculations are used to aggregate values from all the packets of a single sample or a time range and to show the result in a chart.

In combination, the key and the metrics define the data used to populate the chart. Consider an example where you specify a strip chart to plot a key of type traffic and a metric of bits. Since a strip chart is a plot against time, the view performs a calculation for each unit of time. In this case the metric is bits with a calculation type of time average; and in each unit of time each packet is analyzed and the number of bits is assigned to the appropriate category. So, bits in ARP packets are assigned to the ARP category; bits in DHCP packets are assigned to the DHCP category; and so on. For each unit of time the number of bits in each category is averaged. The view shows each category as a trace on the plot over time.

You can show the same fields using different chart types. Note that conversation rings, bar charts, pie charts, and grids do not have a time component, so they show the data for each category aggregated over the entire time span of the source (or the range specified by the Time Control). Also, a conversation ring requires two keys, so for this example that chart type cannot be used. Bar charts and pie charts require a key field. (Without categories, bar charts would display a single bar showing 100% of the data, and pie charts would display a single wedge showing 100% of the data. Neither would provide any new insights about the data.)


Bar charts can also use an additional key to define a grouped or stacked bar chart.

Note: Conversation rings support only metrics of the same type.

Strip charts and grids can be displayed without specifying a key field. Strip charts, conversation rings and grids can also display multiple metrics. These are displayed as multiple traces on a strip chart, as multiple rows on a grid, or as multiple data types in a conversation ring. In a conversation ring, the metric displayed is selected from the chart’s context menu “Data” item. Right click in the chart to open the context menu, choose “Data” and select from the list of metrics displayed.

Bar charts can show up to two keys. If you have a bar chart with a single key and you drag a second field to the Keys panel and then update the view, the single bar chart switches to a stacked bar chart. You can change the chart to a grouped bar chart by selecting the Bar Chart Type property in the Properties panel, and choosing “Grouped”. Note that all keys have to be computed for a given packet if that packet is to be included in the data set. So, for instance, a view that attempted to use both TCP bits and UDP bits as keys would have no data, since TCP and UDP packets are mutually exclusive and no single packet has both TCP and UDP bits.

Metrics behave in a similar way: all metrics must be calculated for a given packet if that packet is to be included in the data set.

But metrics provide a way around this problem that is not available with keys: you can specify a default value for a metric. Just check the box in the line for the field (next to the “No default” legend that is there until you have specified a default value) and specify a default value for that field. That allows a metric to be calculated for the field, which allows the packet to be included in the data set.

Not all combinations of keys and metrics will give you useful results. Consider what network information you need, and explore the Fields panel to see what fields you might use to assemble that information. The standard views that are built into Packet Analyzer can provide you with good examples for useful views. In a conversation ring, some combinations of keys or metrics may not be allowed if they are not of the same type.
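As an added illustration of the key and metric rules above (not code from Packet Analyzer Plus), the following Python computes a view over constructed packet records: per sampling interval it aggregates each metric per key tuple, drops any packet missing a key field, and drops a packet missing a metric field unless that metric has a default. The field names (protocol, bits, tcp_bits, udp_bits) and the reading of “time average” as the interval’s sum divided by its length are assumptions of the example.

```python
"""View computation over packet records: keys, metrics, granularity.

Added example, not Packet Analyzer Plus code. Key fields define categories;
metrics are aggregated per sampling interval (Granularity, 1 s by default).
A packet is included only if every key field is present and every metric
field is present or has a default. "time_average" is assumed to be the sum
over the interval divided by the interval length (a per-second rate).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional, Sequence, Tuple

Packet = Dict[str, Any]
CALCULATIONS = ("min", "max", "sum", "average", "time_average")


@dataclass(frozen=True)
class Metric:
    field: str
    calc: str
    default: Optional[float] = None   # None is the editor's "No default"


class View:
    def __init__(self, keys: Sequence[str], metrics: Sequence[Metric],
                 granularity: float = 1.0):
        for m in metrics:
            if m.calc not in CALCULATIONS:
                raise ValueError(f"unknown calculation {m.calc!r}")
        self.keys, self.metrics, self.granularity = list(keys), list(metrics), granularity

    def compute(self, packets: Iterable[Packet]) -> Tuple[Dict[float, Dict[tuple, tuple]], int]:
        """Return ({interval_start: {key_tuple: metric_values}}, dropped_packet_count)."""
        samples: Dict[float, Dict[tuple, List[List[float]]]] = defaultdict(
            lambda: defaultdict(lambda: [[] for _ in self.metrics]))
        dropped = 0
        for pkt in packets:
            if any(k not in pkt for k in self.keys):   # every key must be computable
                dropped += 1
                continue
            values: List[float] = []
            for m in self.metrics:
                if m.field in pkt:
                    values.append(pkt[m.field])
                elif m.default is not None:
                    values.append(m.default)             # the default rescues the packet
                else:
                    break                                # metric missing and no default
            if len(values) != len(self.metrics):
                dropped += 1
                continue
            start = (pkt["ts"] // self.granularity) * self.granularity
            cell = samples[start][tuple(pkt[k] for k in self.keys)]
            for column, value in zip(cell, values):
                column.append(value)
        result = {}
        for start in sorted(samples):
            result[start] = {key: tuple(self._aggregate(m, col) for m, col in zip(self.metrics, cols))
                             for key, cols in samples[start].items()}
        return result, dropped

    def _aggregate(self, metric: Metric, values: List[float]) -> float:
        if metric.calc == "min":
            return min(values)
        if metric.calc == "max":
            return max(values)
        if metric.calc == "sum":
            return sum(values)
        if metric.calc == "average":
            return sum(values) / len(values)
        return sum(values) / self.granularity            # time_average


# Constructed packet records: timestamp, decoded protocol, total bits, plus
# per-transport bit fields that exist only when that transport is present.
PACKETS: List[Packet] = [
    {"ts": 0.2, "protocol": "ARP",  "bits": 480},
    {"ts": 0.5, "protocol": "TCP",  "bits": 12000, "tcp_bits": 12000},
    {"ts": 0.9, "protocol": "DHCP", "bits": 2720,  "udp_bits": 2720},
    {"ts": 1.1, "protocol": "TCP",  "bits": 8000,  "tcp_bits": 8000},
    {"ts": 1.6, "protocol": "TCP",  "bits": 4000,  "tcp_bits": 4000},
    {"ts": 1.8, "protocol": "ARP",  "bits": 480},
    {"ts": 2.3, "bits": 96},                     # undecoded frame: no protocol key
]


def bits_per_protocol_strip_chart():
    """The guide's example: key = traffic type, metric = bits, time average, 1 s."""
    return View(["protocol"], [Metric("bits", "time_average")]).compute(PACKETS)


def tcp_and_udp_bits_as_keys():
    """Mutually exclusive keys: no packet has both, so the data set is empty."""
    return View(["tcp_bits", "udp_bits"], [Metric("bits", "sum")]).compute(PACKETS)


def tcp_bits_metric(default: Optional[float]):
    """Same metric with and without a default: the default keeps non-TCP packets."""
    return View(["protocol"], [Metric("tcp_bits", "sum", default)]).compute(PACKETS)
```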

Properties The Properties panel lets you change the appearance of the view, primarily through labeling. Click the arrows to open the panel, and click the entries in the panel to change the values there or enter new values.

Documentation and Labeling To label the charts and provide documentation for the view’s tooltip, fill in the entries in the Documentation panel. The view title is transferred to the view’s tab in the main window, and the chart title is transferred to the selected chart.


Saving a View and Exiting the View Editor

When you have created a view that you want to apply to other capture files, you can save it by clicking the Save button in the View section of the Home tab. The view will be saved in the Custom folder of the Views panel, using the view title as the name of the view. Click the Done button at the bottom of the View Editor to exit. If you exit the View Editor without saving your view, the view will be lost. Though you can’t use the View Editor to create a view using a live device—the View Editor operates only on files—you can apply a view that you have created in the View Editor to a live device.

Multi-Chart Views

You can build views that contain multiple charts. Add a chart by clicking the Add button in the Charts panel of an existing chart. A new blank view appears and you can create a new chart by specifying all of its parameters: key, metric, chart title, notes, and so on. You can keep adding charts to the view until you have all the charts you want. By default, each chart occupies the whole view and you switch between charts by clicking on the tab of the chart you want to see.

You can rearrange the charts so that you can see all of them at the same time. For example, assume your view includes a strip chart and two pie charts, and that you want the final view to show the strip chart across the top of the view with the two pie charts side-by-side beneath it. Start by clicking the tab for the strip chart and dragging it toward the center of the view. As you drag the tab, the docking control appears. When you drag the tab over the docking control, the blue shading on the chart shows where the chart will appear in the view. When you have the charts the way you want them, save the view.

Charts

Each view in Packet Analyzer Plus is made up of one or more charts, each depicting a specific metric. Views can include the following chart types:

 Bar chart

 Conversation ring

 Data grid chart

 Node chart

 Pie chart

 Scatter plot chart

 Sequence diagram [including multiple sequences]

 Strip chart


Bar Chart

This chart displays quantitative metrics in a graphical bar-based chart. It is used when there is a known domain for a metric and division of the domain is useful. Quantities are graphically represented and restricted to a linear scale. There are three types of Bar Charts:

 Single Bars

 Stacked Bar Chart

 Grouped Bars

Single Bar Chart

Single Bar Charts are the most basic form of Bar Charts. Each column is a single-valued bar. The colors of the bars match the labels in the legend. Along with the “Sampling Time” and “Data Retention Time” options as previously described, the Single Bar Chart is customizable in the following ways using the chart context menu:

 Reorder Bars

 Toggle legend visibility

 Toggle label visibility above individual bars

 Select value or percentage as label

Default

This is an example of the default view for a Single Bar Chart:

Figure 4-2. Single Bar Chart

Selection

A bar in a Single Bar Chart is selected by clicking on the bar itself, its column, or its representation in the legend. Clicking with the Control key pressed is supported for multiple selection.


Figure 4-3. Bar Chart Multiple Selection

Stacked Bar Chart

A Stacked Bar Chart is similar to a Single Bar Chart except that each column is subdivided into predetermined constituents. These constituent components can be selected and analyzed individually or collectively. Along with the “Sampling Time” and “Data Retention Time” options previously described, the Stacked Bar Chart is customizable in the following ways using the chart context menu:

 Sort Bars

 Toggle of legend visibility

 Toggle of label visibility above individual bars

 Select value or percentage as label

Default

This is an example of the default view for a Stacked Bar Chart:

Figure 4-4. Stacked Bar Chart

Selection

A bar in a Stacked Bar Chart is selected by clicking on the bar itself, its column, or its representation in the legend. Clicking with the Control key pressed is supported for multiple selection.

Grouped Bar Chart

A Grouped Bar Chart is similar to a Single Bar Chart except that each column is subdivided into two or more sub-columns.


Along with the “Sampling Time” and “Data Retention Time” options previously described, the Grouped Bar Chart is customizable in the following ways using the chart context menu:

 Sort Bars

 Toggle legend visibility

 Toggle label visibility above individual bars

 Select value or percentage as label

Default

This is an example of the default view for a Grouped Bar Chart:

Figure 4-5. Grouped Bar Chart

Selection

Selection of the Grouped Bar Chart can happen in three ways:

 Selection of a column.

 Selection of one of the components of a column.

 Selection of all instances of a certain subcomponent across all columns.

Column

A column-based selection selects all data corresponding to the column. This method of selection is achieved by selecting the area around the bar with respect to the desired column inside the chart, but not the bar itself.


Figure 4-6. Grouped Bar Chart Selection (Column)

Component Instance

A component instance-based selection selects a subset of the data in a particular column. This method of selection is achieved by clicking on the component.

Figure 4-7. Grouped Bar Chart Selection (Component Instance)

Component

A component-based selection selects data in all columns for a particular component subset. This method of selection is achieved by clicking on the representation of the component in the legend.

Figure 4-8. Grouped Bar Chart Selection (Component)


Navigation Through Data

When there is not enough space to display all the bars clearly in a single chart, the system automatically ranks and displays data by relevance, based on the selected sorting option. By default, the columns are sorted from high to low (usually by value). A small label displaying the total number of bars and the current interval is shown at the bottom of the view. One can navigate through data using the four buttons in the label. The + and - buttons increase or decrease the length of the interval shown, while the arrows (<< and >>) shift the interval inside the data.

Figure 4-9. Bar Chart Top Bars

Context Menu

All three types of Bar Charts (Single, Stacked, and Grouped) share the same context menu.

Send to Wireshark

The Send to Wireshark menu option sends the traffic from the selected bar(s) or component(s) to Wireshark for analysis.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Send to SteelCentral Transaction Analyzer

The Send to SteelCentral Transaction Analyzer menu option sends the selected bar(s) or component(s) to Transaction Analyzer for analysis.

Send to File

The Send to File menu option sends the traffic from the selected bar(s) or component(s) to a user-specified trace file that will appear, after completion, in the Files panel for immediate analysis.

Drill Down

The Drill Down menu option applies the user-specified view to the selected bar(s) or component(s) and opens a new view tab in the main workspace.

Copy

The Copy menu option copies a tabular form of the selected data to the system clipboard.

Copy Chart

The Copy Chart menu option copies the selected chart as a metafile to the system clipboard for pasting into another application.

Create Filter

The Create Filter menu option creates a filter based on the current selection within the bar chart and adds the filter to the Filter List.

Add Watch

The Add Watch menu option opens the Watch Editor dialog window. The Trigger Condition is based on the currently selected bar chart. The Data Filter, if any, is based on the bars selected within the bar chart (if any).

Search

The Search menu option opens a search dialog window to find data in the charts.

Name Resolution

The Name Resolution menu option tries to identify unresolved IP addresses, ports, or MAC addresses from all or the selected bars. The default is taken from the Settings menu.

Enabled

Turns on auto resolution of current and new addresses.

Resolve Selected

Resolves only the selected addresses.

Clear Selected and Clear All

Resolved names are no longer displayed.

Select

The Select menu option provides the option to select the bar(s) and component(s) of the Bar Chart.

Select All

Selects all bars in the chart.

Select Inverse

Deselects the currently selected bar(s) and selects all other bars.

Data

The Data menu option provides choices for how chart data is displayed and sorted.

Percentage

Sorts the bars numerically by their percentage of the total traffic.

Value

Sorts the bars numerically by their quantitative values.

Default

Reverts to the original sorting order.

Sort By Label

Sorts the bars alphabetically by their labeled column names.

Sort By Value

Sorts the bars numerically by their quantitative values.

Descending

Sorts the bars sequentially from left to right, either by name or value, as specified by the first group.


Ascending

Sorts the bars sequentially from right to left, either by name or value, as specified in the first group.

Show Previous/Next Bars

When there are more bars than will fit in the display area, selecting this option displays a Previous bar and/or a Next bar. These bars show cumulative totals for all bars that come before and/or after the bars displayed in the current view.

Settings

The Settings menu option opens a submenu with specific settings for the chart.

Show Legend

Toggles the Bar Chart legend on or off.

Show Labels

Toggles the labels on each bar of a Bar Chart on or off.

Tooltips

The tooltips for the Bar Chart display the label of the bar over which the mouse is hovering.


Conversation Ring

A conversation ring is a type of view that depicts network connection endpoints arranged on the edge of an ellipse. Connection endpoints are rendered at varying sizes, relative to the volume of traffic they’re associated with, and connections are shown as arrows, again varying in size relative to the volume of traffic they’re transmitting. Conversation rings are useful for viewing all the connections of a particular type, for a specified time period, and comparing their characteristics. Examples of the connection-based views shown in conversation rings include IP Conversations, VoIP Conversations, and Web Conversations.

Figure 4-10. Example of a Conversation Ring (Country Conversations)

Conversation Ring Elements and Behavior

Conversations are depicted as two directional arrows between two endpoints (A and B).

Figure 4-11. Conversation Detail

For each conversation:

 The direction of each arrow shows the movement of data.


 Each arrow displays the amount of monodirectional traffic from endpoint A to endpoint B and from endpoint B to endpoint A.

 The width of each arrow is calculated from the monodirectional traffic.

 The conversations are rendered using transparent dark gray to stand out against the light gray background.

 Individual endpoints and directions can be selected within each conversation.

 For a highlighted conversation, the chart at the upper right of the window displays the total traffic associated with each endpoint. These depict the maximum, average, and minimum traffic in all displayed endpoints and conversations.

 The legend that appears at the upper right of the main workspace by default shows the amount of traffic for the highlighted monodirectional conversation.

 Conversation endpoints are listed in the legend at the right. Highlighting or selecting an endpoint in the legend displays a pop-up balloon summarizing the traffic corresponding to that endpoint, and also highlights or selects all other endpoints with which it shares conversations.

Using Conversation Rings

Conversation rings provide several tools for isolating data of interest:

 Change the number of conversations shown in the view by clicking the + and - buttons in the Chart Element Manager at the bottom of the view.

 Zoom in and out on the view using your mouse’s scroll wheel.

 Display a tooltip summarizing the traffic corresponding to an endpoint by highlighting the endpoint. This also highlights the conversations in which the endpoint is a member.

 Display a tooltip summarizing the traffic corresponding to a connection vector by highlighting the connection arrow. This also highlights the conversation of which the vector is a part.

 Inspect a conversation more closely by right-clicking on it and choosing Drill Down to display it in the context of a different view.


Conversation Ring Context Menu

Right-clicking on an object in a conversation ring displays this context menu:

Send to Wireshark

Send the traffic from the selected endpoint(s) and connection(s) to Wireshark for analysis.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Send to SteelCentral Transaction Analyzer

Send the traffic from the selected endpoint(s) and connection(s) to Transaction Analyzer for analysis.

Send to File

Send the traffic from the selected endpoint(s) or connection(s) to a user-specified trace file, which will appear in the Files panel after completion.

Drill Down

Inspect the conversation more closely by applying a built-in view to the selected endpoint(s) or connection(s) and opening a new view tab in the main workspace.

Copy

Copy a table of data values corresponding to the current selection to the clipboard. These are copied in the order that the hosts were discovered in the conversation ring. The only exception to this rule is that the “Last Seen” value is not included in what is copied to the clipboard.

Copy Chart

Copy the selected chart as a metafile to the system clipboard for pasting into another application.

Create Filter

Create a filter based on the current selection and add the filter to the Filter List.


Search

Open a search dialog that can be used to find data in the charts. The search context consists of the labels of the items in a chart which can be selected. For instance, an IP address, MAC address, or hostname can be searched.

Name Resolution

Identify unresolved IP addresses, ports, or MAC addresses from all or the selected endpoints and/or conversations. The default is taken from the Settings menu.

Select

Select all the connection(s) and endpoint(s) in the Conversation Ring, or invert the current selection of endpoint(s) and connection(s).

Data

Set the data that are displayed from the available metrics.

Settings

Open a submenu to change settings for the view.

Conversation Ring Tooltips

Tooltips provide information on the metrics used in the conversation ring chart. In the examples given below, the chart metrics are Bytes and Packets. Your tooltips may differ, as they will reflect the metrics you used in your conversation ring chart. The conversation ring has two kinds of tooltips:

 Endpoint-Based Tooltips

 Connection-Based Tooltips


Endpoint-Based Tooltips

When hovering over an endpoint, a tooltip appears, containing fields such as the following:

Address

The Address identifies the endpoint. For example, this may be the associated MAC or IP address or country (as applicable) of the endpoint.

Total Traffic

The Total Traffic value refers to the sum of traffic that has been sent or received at the endpoint.

Received

The Received value refers to the total amount of traffic received at that endpoint over a given sample period; for example, the sum of the packet size of all packets where the endpoint was the destination field in the packet.

Sent

The Sent value refers to the total amount of traffic sent from that endpoint over a given sample period; for example, the sum of the packet size of all packets where the endpoint was the source field in the packet.

Total Packet Traffic

The Total Packet Traffic value refers to the total number of packets that have been either sent from or received at that endpoint, i.e. the sum of Received and Sent packets.

Received

The Received value refers to the total number of packets received at that endpoint over a given sample period, i.e. the count of all packets where the endpoint was the destination field in the packet.


Sent

The Sent value refers to the total number of packets sent from that endpoint over a given sample period, i.e. the count of all packets where the endpoint was the source field in the packet.

Int

Int refers to bytes and packets that are sent from the host to itself (i.e. the IP source is the same as the destination).

Ext

Ext refers to bytes and packets that are sent to or received from other hosts.

Last Seen

The Last Seen value refers to the last time a packet with the endpoint in either the source or the destination field was seen.


Connection-Based Tooltips

When hovering over a connection, a tooltip appears, containing the following fields:

Address(A)

The Address(A) identifies the source in the first packet for that connection.

Address(B)

The Address(B) identifies the destination in the first packet for that connection.

Total Traffic

The Total Traffic value refers to the total number of bytes sent between the source and destination addresses over the given sample period and is the sum of A->B and B->A.

A->B

The A->B value refers to the total number of bytes sent from the source address to the destination address over the view’s sample period.

B->A

The B->A value refers to the total number of bytes sent from the destination address to the source address over the view’s sample period.

Total Packet Traffic

The Total Packet Traffic value refers to the total number of packets sent between the source and destination addresses over the given sample period and is the sum of A->B and B->A.

A->B

The A->B value refers to the total number of packets sent from the source address to the destination address over the view’s sample period.


B->A

The B->A value refers to the total number of packets sent from the destination address to the source address over the view’s sample period.

Last Seen

Last Seen refers to the last time a packet was seen with the endpoints of the connection in its source and destination fields.
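The endpoint-based and connection-based tooltip fields defined above, computed from a constructed packet list, as an added example that is not Riverbed's code. It assumes that a packet whose source equals its destination (Int) counts once as Sent and once as Received at that endpoint, and the one_sided_endpoints helper is an added analyst check, not a product feature.

```python
"""Added example (not Riverbed's code): compute the conversation ring
endpoint and connection tooltip fields from a constructed packet list."""
from collections import defaultdict

# Constructed sample capture: (timestamp_s, src_ip, dst_ip, length_bytes)
PACKETS = [
    (1.0, "10.0.0.1", "10.0.0.2", 100),
    (1.5, "10.0.0.2", "10.0.0.1", 60),
    (2.0, "10.0.0.1", "10.0.0.3", 500),
    (2.5, "10.0.0.1", "10.0.0.1", 40),   # source == destination: Int traffic
    (3.0, "10.0.0.2", "10.0.0.1", 60),
]


def _new_endpoint():
    return {"sent_bytes": 0, "recv_bytes": 0, "sent_pkts": 0, "recv_pkts": 0,
            "int_bytes": 0, "int_pkts": 0, "ext_bytes": 0, "ext_pkts": 0,
            "last_seen": None}


def endpoint_tooltips(packets):
    """Return {address: fields}, one entry per endpoint, like the endpoint tooltip."""
    ep = defaultdict(_new_endpoint)
    for ts, src, dst, length in packets:
        s, d = ep[src], ep[dst]          # the same dict when src == dst
        s["sent_bytes"] += length         # Sent: endpoint is the source field
        s["sent_pkts"] += 1
        d["recv_bytes"] += length         # Received: endpoint is the destination field
        d["recv_pkts"] += 1
        if src == dst:                    # Int: host talking to itself (assumption:
            s["int_bytes"] += length      # counted once as Sent and once as Received)
            s["int_pkts"] += 1
        else:                             # Ext: traffic with other hosts
            s["ext_bytes"] += length
            s["ext_pkts"] += 1
            d["ext_bytes"] += length
            d["ext_pkts"] += 1
        s["last_seen"] = d["last_seen"] = ts   # Last Seen: latest packet as src or dst
    for e in ep.values():
        e["total_bytes"] = e["sent_bytes"] + e["recv_bytes"]   # Total Traffic
        e["total_pkts"] = e["sent_pkts"] + e["recv_pkts"]      # Total Packet Traffic
    return dict(ep)


def connection_tooltips(packets):
    """Return {(A, B): fields} like the connection tooltip. A is the source and
    B the destination of the first packet seen for the pair, so later B->A
    packets are counted in the B->A direction rather than flipping the labels."""
    conns = {}
    for ts, src, dst, length in packets:
        key = frozenset((src, dst))       # one connection regardless of direction
        c = conns.setdefault(key, {"A": src, "B": dst, "ab_bytes": 0,
                                   "ba_bytes": 0, "ab_pkts": 0, "ba_pkts": 0})
        if src == c["A"]:
            c["ab_bytes"] += length
            c["ab_pkts"] += 1
        else:
            c["ba_bytes"] += length
            c["ba_pkts"] += 1
        c["last_seen"] = ts
    for c in conns.values():
        c["total_bytes"] = c["ab_bytes"] + c["ba_bytes"]
        c["total_pkts"] = c["ab_pkts"] + c["ba_pkts"]
    return {(c["A"], c["B"]): c for c in conns.values()}


def one_sided_endpoints(endpoints, min_bytes, ratio):
    """Added analyst check (not a product feature): endpoints whose Sent bytes
    are at least `min_bytes` and at least `ratio` times their Received bytes,
    the lopsided profile worth looking at first when reviewing a ring."""
    return sorted(addr for addr, e in endpoints.items()
                  if e["sent_bytes"] >= min_bytes
                  and e["sent_bytes"] >= ratio * max(e["recv_bytes"], 1))


if __name__ == "__main__":
    ep = endpoint_tooltips(PACKETS)
    for addr in sorted(ep):
        print(addr, ep[addr])
    for pair, c in connection_tooltips(PACKETS).items():
        print(pair, c)
    print("one-sided:", one_sided_endpoints(ep, 500, 3))
```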

Data Grid Chart

The Data Grid chart shows quantitative information pertaining to a number of metrics in a hierarchically arranged grid. The grid has rows and columns. The columns can be:

 Rearranged in any order

 Resized

 Hidden and shown

The rows can be:

 Filtered

 Sorted by one or multiple columns simultaneously

 Hierarchically grouped

 Summarized by selection, group, or the entire table

The figure below shows an example grid with a number of features enabled and some grid components identified.


Grouping Bar

The elements of the Grouping Bar, called groups, determine the row hierarchy. In the above example, columns in the view Performance and Errors > TCP > Connections and Requests > TCP Traffic Details by Connection have been dragged into the Grouping Bar to group the TCP traffic connections and metrics. The root level contains the Client IP. Each Client IP can be expanded to show the Server IP, which can in turn be expanded to show the Start Time.

Each element of the Grouping Bar also has a triangle before each group that specifies the sorting order of that level of the hierarchy. The order can be toggled by clicking on the group itself. Additionally, grouping can be changed by dragging group headers into a different order, and groups can be removed from the hierarchy by dragging them back to the grid. The data grid rows organized in a multi-tiered tree using the grouping bar can be fully expanded and collapsed using the context menu. The “+/-” box next to a grid row can also be used to expand a group.


Column Headers

Column Headers identify the grid columns, which can be shown or hidden using the Columns item in the right-click context menu. Column headers dragged to the top of the chart group rows in the hierarchy specified in the Grouping Bar. Grouped rows appear under the left-most column header.

Sorting

One or more column headers can be used to sort table rows. Clicking a column head sorts the rows by that column. An arrow appears above the column name indicating it is being used to sort the rows and the type of sort, ascending or descending, being performed. Click a column to change the type of sort done. Sort rows using additional columns by shift-clicking columns in the desired sort order. The sort type can be changed by shift-clicking on the column. Grid data is sorted as follows:

 Text fields – alphabetically

 IP addresses – numerically by each address component, left to right

 Numbers – numerically

 Time – by time value

Note: Sorting is done on the displayed value of the cell in each row of a column. The precision of a value may be higher than that of the displayed value, resulting in cells in some rows appearing to be the same when they are in fact different. When using groups, sorting on a grouped column sorts the groups; sorting on a non-grouped column sorts the rows within each group.

Filter Bars

A Data Grid Filter Bar enables the filtering of data rows by a column. A filter is made up of two elements:

 A value

 An operator

Click in a column’s filter bar to enter a filter. Hold down the Shift key and click in a column’s filter bar to enter additional filters.

Values

A filter value can be entered in the filter bar or selected from a list of the column’s contents by clicking the funnel icon on the right side of the filter bar. Here is an example of selecting a value from a MIME Type column. The drop-down list contains all MIME types present in the grid rows.


Entered values are evaluated as the same value type as the column’s values. For example, in a column of time values, the entries “2m” and “120s” are evaluated to the same value. Invalid entries, for example, text entered in a numeric column, are highlighted in red as shown in the figure above. All filtering is done on the displayed values, so different values can be displayed as the same and will be filtered as the same value.

Note: Only rows can be selected in a grid table, not cells, so you cannot cut-and-paste the value in a cell for use in a filter. However, a cell’s value can be selected from the drop-down list displayed when you click the funnel icon in a column’s filter bar. When a filter is applied, a red X appears over the funnel icon. Click the X to remove the filter.


Operators

A filter operator is selected by clicking the icon on the left side of a column’s Filter Bar. A drop-down list opens that lists the operators available based on the type of content in the column (strings, IP addresses, numbers or time values). After an operator is selected, rows not satisfying the filter are hidden. A filter bar has a default operator based on the type of content in the column. If you enter a value without selecting an operator, the default operator is used:

 Substring for text or IP addresses

 = for numbers or time values

[Figures: Operators drop-down for strings or IP addresses; Operators drop-down for numbers or time values]

Once a value and an operator are specified, the filter is enabled. Further filters can be applied. The funnel now only lists the values from the rows that are not filtered out.
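A small model of the filter bar rules described in the Values and Operators sections, as an added example that is not Riverbed's code: default operator by column type, “2m” and “120s” evaluating equal, invalid entries rejected, filtering on the displayed (rounded) value, and a second filter narrowing the rows the funnel offers. The column names, rows, two-digit display precision and operator set are constructed assumptions.

```python
"""Added example (not Riverbed's code): Data Grid filter bar semantics."""
import re

TIME_UNITS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}
DEFAULT_OPERATOR = {"text": "substring", "ip": "substring",
                    "number": "=", "time": "="}
OPERATORS = {   # assumed operator set; the real drop-down depends on the column type
    "substring": lambda cell, val: val in cell,
    "=": lambda cell, val: cell == val,
    "!=": lambda cell, val: cell != val,
    "<": lambda cell, val: cell < val,
    ">": lambda cell, val: cell > val,
}

# Constructed rows resembling a Web transactions grid; Response Time is in seconds.
ROWS = [
    {"Client IP": "10.0.0.1", "MIME Type": "text/html", "Response Time": 119.996, "Bytes": 1500},
    {"Client IP": "10.0.0.12", "MIME Type": "application/json", "Response Time": 120.0, "Bytes": 900},
    {"Client IP": "192.168.1.7", "MIME Type": "text/plain", "Response Time": 3.0, "Bytes": 40},
]


def parse_time(text):
    """'2m' and '120s' give the same number of seconds; a bare number is seconds."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(ms|s|m|h)?\s*", text)
    if not m:
        raise ValueError(f"invalid time value: {text!r}")
    return float(m.group(1)) * TIME_UNITS[m.group(2) or "s"]


def coerce(col_type, text):
    """Evaluate the typed entry as the column's value type (ValueError = red entry)."""
    if col_type == "number":
        return float(text)
    if col_type == "time":
        return parse_time(text)
    return text                        # text and IP columns are matched as strings


def displayed(col_type, cell, digits=2):
    """The grid filters on what is shown, not on the full-precision value."""
    return round(float(cell), digits) if col_type in ("number", "time") else str(cell)


def apply_filter(rows, column, col_type, value, operator=None):
    """Rows satisfying one filter, or None when the entry is invalid for the column."""
    op = operator or DEFAULT_OPERATOR[col_type]
    try:
        val = coerce(col_type, value)
    except ValueError:
        return None
    return [r for r in rows if OPERATORS[op](displayed(col_type, r[column]), val)]


def funnel_values(rows, column):
    """Values the funnel icon offers: those present in the rows not filtered out."""
    return sorted({str(r[column]) for r in rows})


if __name__ == "__main__":
    # Substring is the default for IP columns, so "10.0.0.1" also matches 10.0.0.12.
    print(apply_filter(ROWS, "Client IP", "ip", "10.0.0.1"))
    # 119.996 s displays as 120.00, so "2m" (and "120s") matches it too.
    print(apply_filter(ROWS, "Response Time", "time", "2m"))
    first = apply_filter(ROWS, "MIME Type", "text", "text/")
    print(funnel_values(first, "Client IP"), apply_filter(first, "Bytes", "number", "1000", "<"))
```

When filtering an IP column, prefer the funnel list or an operator other than the default substring match so that “10.0.0.1” does not also keep 10.0.0.12.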

Selection

Select all or select none can be performed by clicking the cell at the left end of the column header row. The icon changes when the cell is clicked to indicate whether all or none of the rows will be selected.


Any combination of rows or groups can be selected, although selecting rows when the parent group is already selected does not change the meaning of the selection. All of the standard Windows selection shortcut keys, for example, Control-A, can be used. The context menu provides options on how selected content can be used.

Summaries

A table summary appears at the bottom of each table, providing item counts for unique values in a dimension column and calculated values for a metric column. The type of value calculated is set in the view and can be changed using the view editor. Right-click the view applied to the traffic source and click the Edit item. Set the type of calculation you want under Metrics. Below is the example grid we have been using as shown in the View Editor:

If no rows or groups are selected, the summary table includes all table rows and groups. If specific rows or groups are selected, the summary only includes the selected items. Selected rows that appear in a selected group are not double counted. A group summary is provided for each group. A grid with three groups, such as our example, will have a summary shown for each group. Our example includes a summary for Client IP, a summary for Server IP, and a summary for Start Time, as shown above.


Note: If a grid has 300 or more rows, a navigation pane appears in the lower right corner of the screen. The table summary includes the rows indicated by the navigation pane, which could be fewer than the number of rows in the entire table.

To save a view with customized summary calculations, click Save in the View section of the Home ribbon. A new name must be used, as standard views cannot be overwritten.

Context Menu

The context menu for the Data Grid is as follows:

Send to Wireshark

The Send to Wireshark menu option sends the traffic from the selected row(s) and group(s) to Wireshark for analysis.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Send to SteelCentral Transaction Analyzer

The Send to SteelCentral Transaction Analyzer menu option sends the traffic from the selected row(s) and group(s) to SteelCentral Transaction Analyzer for analysis.

Send to File

The Send to File menu option sends the traffic from the selected row(s) and group(s) to a user-specified trace file that will appear, after completion, in the Files panel for immediate analysis.

Drill Down

The Drill Down menu option applies the user-specified view to the selected row(s) and group(s) and opens a new view tab in the main workspace.

Copy

The Copy menu option copies a tabular form of the selected row(s) and group(s) to the system clipboard.

Copy Chart

The Copy Chart menu option is always disabled for the grid and is included in the context menu in order to be consistent with the other charts.

Create Filter

The Create Filter menu option creates a filter based on the current selection within the Grid and adds the filter to the Filter List.

Search

The Search menu option opens a search dialog window that can be used to find and select data in the chart.

Note: Remove all groups from a grid table before using Search.

Name Resolution

The Name Resolution menu option is always disabled for the grid and is included in the context menu in order to be consistent with the other charts.

Fit Content

The Fit Content menu provides options for resizing the table columns.


No fitting - The same default width is given to each column. Column widths can be manually adjusted.

Fit Window - Column widths are adjusted so they use the entire horizontal space. Each column is given the same width. Column widths can be manually adjusted.

Fit content - Column widths are adjusted based on the column content. Column widths cannot be manually adjusted.

Columns

The Columns menu option expands to a submenu that is used to show and hide columns in the grid. The menu shows a check box for each column. Toggling the various options will either show or hide the corresponding columns. A checkbox is also provided to show all items in a single click. The visibility of grouped columns cannot be changed.

Expand All

The Expand All menu option expands the ordered hierarchy of the rows.

Collapse All

The Collapse All menu option collapses the ordered hierarchy of the rows.

Select

The Select menu option has two submenu options.

Select All

The Select All menu option selects all visible rows and groups in the grid.

Select Inverse

The current selection in the grid is inverted.

Settings

The Settings menu option provides specific settings for the chart.

Show Filter Bar

Shows or hides the filter bar on the Data Grid Chart.

Show Grouping Bar

Shows or hides the Grouping Bar on the Data Grid Chart.


Node Chart

Node

[Figure: Sequence Diagram nodes]

Nodes are visualized over the X axis and separated by columns of different shades of gray to emphasize the space among them.

A node is represented by three graphic objects:

 Head – Half circles with a color for each host. Using the node head, it is possible to select, highlight and drag the node itself.

 Body – Gray vertical line where messages arrive and leave; the body also allows selecting and highlighting the node itself.

 Label – Node name, which is typically the IP address of the host or its resolved DNS name.

The node depiction varies based on selection and highlighting:

If a node or message is selected (i.e. clicked), then the label is bolded and is given a background color. The label, head and body of all other nodes are grayed out.

If a node is highlighted (i.e. by hovering the mouse on it), its label is bolded, and all other nodes are grayed out.

[Figures: Selected node; Highlighted node]


When dragging a node, it is represented as a transparent full circle head with no label. The node also stays in its original place until the drag is complete.

Node Layout

The Sequence Diagram has a minimum column width which constrains the total number of nodes that can be shown, to ensure they can be displayed properly. When a view is applied, the graph selects a default initial column width, and using the horizontal scroll bar, the user can scroll and zoom to change the set of displayed nodes. By default, the chart arranges the nodes from left to right based on the timestamp of the first message sent or received by the node. Users can override this ordering by dragging nodes and/or hiding nodes to reduce the number in the display.

Selection

When selecting a node, the selection includes all messages sent or received by the specific host. If multiple nodes are selected (by pressing the Control key), the selection includes only messages between the set of selected nodes. When holding the Shift key and selecting a node, the selection toggles among:

 All messages sent or received by the specific host;

 All messages sent by the selected host;

 All messages received by the selected host.

Highlight

When highlighting (hovering over) a single node, the chart highlights all messages sent or received by the highlighted host. If multiple selection is enabled (by pressing the Control key) and at least one other node has been selected, the chart highlights only messages between the selected host(s) and the highlighted one.


Also, when highlighting a host, the “Hide” button is shown to allow the user to hide the node itself, but only if the column width is large enough to display the button without overlapping the adjacent nodes.

[Figure: Hide button]

Drag

As mentioned previously, users can manually arrange the order of the nodes by dragging hosts to different positions. Additionally, the user can use the selection to define a filter by dragging the selected node(s) over the Filter panel or the Filter Bar. This action creates a Packet Analyzer Plus filter for the selected host(s), which can then be used for additional views.

Context Menu

Node context menu

With one or more nodes selected, the context menu provides the following options:

Send to Wireshark: The Send to Wireshark menu option sends the traffic from the selected host(s) to Wireshark for analysis.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Send to SteelCentral Transaction Analyzer: The Send to SteelCentral Transaction Analyzer menu option sends the traffic from the selected host(s) to Transaction Analyzer for analysis.

Send to File: The Send to File menu option sends the traffic from the selected host(s) to a user-specified trace file that will appear, after completion, in the Files panel for immediate analysis.

Drill Down: The Drill Down menu option applies the user-specified view to the selected host(s) and opens a new view tab in the main workspace.

Copy: The Copy menu option copies a tabular form of the selected data to the system clipboard.

Copy Chart: The Copy Chart menu option copies the selected chart as a metafile to the system clipboard for pasting into another application.

Create Filter: The Create Filter menu option creates a filter based on the current selection and adds the filter to the Filter List.

Search: The Search menu option opens a search dialog window that can be used to find data in the charts.

Name Resolution: The Name Resolution menu option tries to identify unresolved IP addresses, ports, or MAC addresses from all or the selected nodes. The default is taken from the Settings menu. Its submenu options are:

Enabled: Turns on auto resolution of current and new addresses.


Resolve Selected: Resolves only the selected addresses.

Clear Selected and Clear All: Resolved names are not displayed.

Ruler Mode: Ruler Mode displays detailed timing information about one or more messages. For more information, see the description of Ruler Mode (below).

Fit Selection: The Fit Selection menu option arranges the horizontal range to fit the selected nodes.

Select: The Select menu option allows the user to control which messages are selected based on the set of selected hosts. If only one host is selected, the options are selecting all messages From or To the node, all messages From the node, or all messages To the node. If two nodes have been selected, the options are the Conversation between the selected nodes, all messages From the first node to the second, or all messages From the second node to the first.

If more than two nodes are selected, the only option is Conversation Between Selected Nodes.

Nodes: The Nodes menu provides options to control which nodes are hidden or shown.

Show All: Shows all hidden nodes.

Show Selected Only: Hides all nodes but the selected one(s).

Show All But Selected: Hides the selected nodes and shows all others. Note that at least two nodes must be visible at all times.

Inverse: Inverts the hidden node set, by showing all hidden nodes and hiding all visible ones.

Data: The Data menu has the following options.

Time Hints: Enables the sequence diagram to visually represent the network delay between nodes. For more information, see the description of Time Hints (below).

Absolute Time: Displays the actual time covered by the file.

Relative Time: Displays the time that has elapsed since the beginning time of the file.

Settings: The Settings menu allows you to set two parameters that affect the sequence diagram display: Show Legend and Show Labels.

Tooltip

The node tooltip shows data about the node itself.

Node label: IP address of the highlighted node.

Messages: Statistics about the number of messages to and from the highlighted node, as well as timing information about the messages.


Message

A message is displayed as an arrow from the source host line to the destination host line. The arrow itself is composed of:

Shaft: Represents the body of the message as a line between the source and destination nodes.

Head: Represents the arrival of the message as a triangle pointing at the destination node.

Tail: Represents the source of the message as a square at the source node (only in “Ruler Mode”).

Labels: Show text information about the message, including the protocol, packet and byte count, etc.

Sequence message

Compression

The diagram applies a compression algorithm over the set of messages to maximize performance and clarify the display. The algorithm can both reduce the number of displayed messages and change the message layout.

First, message labels are not displayed if there is not enough room to show them. Second, overlapping messages are combined into a group message. A group message uses a special head and tail to inform the user that it represents more than one message. A highlighted or selected group message does not show the Top, Bottom and Main labels.

If all messages in the group have the same orientation, then the arrow is shown in one direction. Otherwise it is shown with a head and tail in both directions.

When all messages in a group have the same source and destination ports, then they are shown. Otherwise, they are not. The group message tooltip shows the number of hidden messages.

Group message tooltip

Filtered messages
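The grouping rules above, as an added example that is not code from Packet Analyzer Plus: messages between the same pair of nodes whose rendered extents overlap are merged into a group, the arrow direction and the port display follow the rules just stated, the tooltip count is the number of hidden members, and labels are dropped where neighbouring arrows leave no room. The pixel scale, minimum arrow height and label height are assumed rendering parameters, and the sample messages are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Message:
    """One sequence-diagram message; times are seconds relative to the trace start."""
    start: float
    end: float
    src: str
    dst: str
    sport: int
    dport: int
    label: str = ""


@dataclass
class GroupMessage:
    """One or more overlapping messages between the same pair of nodes."""
    members: List[Message] = field(default_factory=list)
    y_top: float = 0.0      # pixel extent of the rendered arrow(s)
    y_bottom: float = 0.0

    @property
    def pair(self) -> Tuple[str, str]:
        return tuple(sorted((self.members[0].src, self.members[0].dst)))

    def count(self) -> int:
        return len(self.members)

    def hidden(self) -> int:
        # What the group tooltip reports: everything except the representative arrow.
        return len(self.members) - 1

    def bidirectional(self) -> bool:
        # Same orientation for every member: one arrow head. Otherwise head and tail both ways.
        return len({(m.src, m.dst) for m in self.members}) > 1

    def ports(self) -> Optional[Tuple[int, int]]:
        # Ports are shown only when every member shares the same source/destination ports.
        ports = {(m.sport, m.dport) for m in self.members}
        return ports.pop() if len(ports) == 1 else None


def compress(messages: List[Message], px_per_second: float, min_height_px: float) -> List[GroupMessage]:
    """Merge messages whose rendered extents overlap into group messages, per node pair."""
    groups: List[GroupMessage] = []
    last_for_pair: Dict[Tuple[str, str], GroupMessage] = {}
    for m in sorted(messages, key=lambda x: x.start):
        pair = tuple(sorted((m.src, m.dst)))
        y_top = m.start * px_per_second
        y_bottom = max(m.end * px_per_second, y_top + min_height_px)
        g = last_for_pair.get(pair)
        if g is not None and y_top <= g.y_bottom:
            g.members.append(m)               # overlaps the previous arrow: join its group
            g.y_bottom = max(g.y_bottom, y_bottom)
        else:
            g = GroupMessage([m], y_top, y_bottom)
            groups.append(g)
            last_for_pair[pair] = g
    groups.sort(key=lambda g: g.y_top)
    return groups


def label_visible(groups: List[GroupMessage], label_height_px: float) -> List[bool]:
    """A label is drawn only if the arrows above and below leave room for it."""
    ys = [g.y_top for g in groups]
    out = []
    for i, y in enumerate(ys):
        room_above = i == 0 or y - ys[i - 1] >= label_height_px
        room_below = i == len(ys) - 1 or ys[i + 1] - y >= label_height_px
        out.append(room_above and room_below)
    return out


# Constructed sample (not a real capture): a handshake burst, two close data packets,
# a message to a third host, and one isolated reply.
SAMPLE = [
    Message(0.000, 0.000, "10.0.0.1", "10.0.0.2", 40000, 80, "SYN"),
    Message(0.010, 0.010, "10.0.0.2", "10.0.0.1", 80, 40000, "SYN/ACK"),
    Message(0.020, 0.020, "10.0.0.1", "10.0.0.2", 40000, 80, "ACK"),
    Message(1.000, 1.000, "10.0.0.1", "10.0.0.2", 40000, 80, "GET"),
    Message(1.020, 1.020, "10.0.0.1", "10.0.0.2", 40000, 80, "GET"),
    Message(1.010, 1.010, "10.0.0.1", "10.0.0.3", 40001, 443, "Client Hello"),
    Message(3.000, 3.000, "10.0.0.2", "10.0.0.1", 80, 40000, "200 OK"),
]


def render(px_per_second: float = 100.0, min_height_px: float = 4.0,
           label_height_px: float = 12.0):
    """Assumed rendering parameters: 100 px per second, 4 px arrows, 12 px labels."""
    groups = compress(SAMPLE, px_per_second, min_height_px)
    return groups, label_visible(groups, label_height_px)


if __name__ == "__main__":
    for g, shown in zip(*render()):
        arrow = "<->" if g.bidirectional() else "-->"
        print(f"{g.pair[0]} {arrow} {g.pair[1]}  members={g.count()} hidden={g.hidden()} "
              f"ports={g.ports()} label_shown={shown}")
```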


Message and node status

If a message is selected or highlighted, it is brought to the foreground, increasing the likelihood that the label will be displayed.

Messages that are not selected or highlighted are grayed out to emphasize the selected ones.

Highlighted message

Not focused message

Selection

Selecting one or more messages also selects the nodes that are the source or destination for one or more of the messages.

Highlight

Highlighting a single message causes the chart to highlight the source and destination nodes.

Double click

Double clicking on a message toggles between the layers and zooms the display to fit the message in the time range.

Context Menu

By selecting one or more messages, the following actions can be performed through the context menu.

Send to Wireshark: The Send to Wireshark menu option sends the traffic from the selected message(s) to Wireshark for analysis.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Send to SteelCentral Transaction Analyzer: The Send to SteelCentral Transaction Analyzer menu option sends the traffic from the selected message(s) to Transaction Analyzer for analysis.

Send to File: The Send to File menu option sends the traffic from the selected message(s) to a user-specified trace file that will appear, after completion, in the Files panel for immediate analysis.

Drill Down: The Drill Down menu option applies the user-specified view to the selected message(s) and opens a new view tab in the main workspace.

Copy: The Copy menu option copies a tabular form of the selected data to the system clipboard.

Copy Chart: The Copy Chart menu option copies the selected chart as a metafile to the system clipboard for pasting into another application.

Create Filter: The Create Filter menu option creates a filter based on the current selection and adds the filter to the Filter List.

Search: The Search menu option opens a search dialog window that can be used to find data in the charts.

Name Resolution: The Name Resolution menu option tries to identify unresolved IP addresses, ports, or MAC addresses from all or the selected chart elements. The default is taken from the Settings menu. Its submenu options are:

Enabled: Turns on auto resolution of current and new addresses.

Resolve Selected: Resolves only the selected addresses.

Clear Selected and Clear All: Resolved names are not displayed.

Ruler Mode: Ruler Mode displays detailed timing information about one or more messages. For more information, see the description of Ruler Mode (below).

Fit Selection: The Fit Selection menu option sets the horizontal range to fit the source and destination nodes and the vertical range to fit the start and end times of the selected message. If more than one message is selected, then the minimum start time and maximum end time are used.

Select Conversation: The Select Conversation menu option selects all messages with the same source and destination IP addresses and source and destination ports as the selected message.

Nodes: The Nodes menu provides options to control which nodes are hidden or shown.

Show All: Shows all hidden nodes.

Show Selected Only: Hides all nodes but the selected one(s).

Show All But Selected: Hides the selected nodes and shows all others. Note that at least two nodes must be visible at all times.

Inverse: Inverts the hidden node set, by showing all hidden nodes and hiding all visible ones.

Data: The Data menu has the following options.

Time Hints: Enables the sequence diagram to visually represent the network delay between nodes. For more information, see the description of Time Hints (below).

Absolute Time: Absolute Time displays the actual time covered by the file.

Relative Time: Relative Time displays the time that has elapsed since the beginning time of the file.

Settings: The Settings menu allows you to set two parameters that affect the sequence diagram display: Show Legend and Show Labels.

Tooltip

The message tooltip shows information about the message itself.

Tooltip header: Comprises the source and destination IP addresses.

Tooltip body: Displays the port numbers, a description of the message, and its sizing information.

Tooltip footer: Shows statistics about the start and end time in both absolute and relative terms.

Message tooltip


Legend area

The Legend area always occupies the right side of the chart. It contains a set of legends that show information about the displayed diagram and enable interaction with the chart. The legend can be resized by dragging the handle, or collapsed and expanded by double clicking the handle. The legend area contains the following legends:

Layer: Shows the currently selected layer and enables switching between layers.

Nodes: Checkbox list of nodes in the current sequence diagram. Enables selecting one or more hosts, highlighting a single host, and hiding or showing a host by clicking the label icon.

Message Colors: List of colors used by messages in the current sequence layers and their meaning. Clicking on a color highlights all messages having the highlighted color.

Both the Message Colors and the Nodes legends can be expanded or collapsed by clicking the header.

Sequence legend area

Scroll bar

Scroll bars enable interaction with both the X and Y axis. In addition to panning by dragging the scroll thumb, you can expand or contract the view by dragging the ends of the thumb.

Scroll bar

Pie Chart

The Pie Chart shows quantitative values as a percentage of a whole. Pie Charts are useful, for instance, when looking at local versus non-local traffic, or finding out what percentage of total traffic is constituted by a particular host. The elements of a Pie Chart are referred to as slices.


Default

Along with the “Sampling Time” and “Data Retention Time” options previously described, the Pie Chart is customizable in the following ways using the chart context menu:

 Toggle of percentage or quantitative value to be displayed for the slices.

 Toggle of legend visibility.

The Pie Chart can be zoomed in and out using the scroll wheel on the mouse.

Pie Chart

Selection

Selection in a Pie Chart is done either by clicking on a slice in the Pie Chart or on its representation in the legend. Clicking with the Control key pressed for multiple selections is supported.

Pie Chart Selection

Context Menu

The context menu for the Pie Chart is as follows:

Send to Wireshark: The Send to Wireshark menu option sends the traffic from the selected slice(s) to Wireshark for analysis.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Send to SteelCentral Transaction Analyzer: The Send to SteelCentral Transaction Analyzer menu option sends the traffic from the selected slice(s) to Transaction Analyzer for analysis.

Send to File: The Send to File menu option sends the traffic from the selected slice(s) to a user-specified trace file that will appear, after completion, in the Files panel for immediate analysis.

Drill Down: The Drill Down menu option applies the user-specified view to the selected slice(s) and opens a new view tab in the main workspace.

Copy: The Copy menu option copies a tabular form of the data to the system clipboard.

Copy Chart: The Copy Chart menu option copies the selected chart as a metafile to the system clipboard for pasting into another application.

Create Filter: The Create Filter menu option creates a filter based on the current selection within the Pie Chart and adds the filter to the Filter List.

Search: The Search menu option opens a search dialog window that can be used to find data in the charts.

Name Resolution: The Name Resolution menu option resolves, when applicable, the Port Name, IP Address, or MAC Address of the slice(s) in the Pie Chart. The default is taken from the Settings menu. Its submenu options are:

Enabled: Turns on auto resolution of current and new addresses.

Resolve Selected: Resolves only the selected addresses.

Clear Selected and Clear All: Resolved names are not displayed.

Select: The Select menu option has two submenu options.

Select All: Selects all slices in the pie chart.

Select Inverse: Deselects the currently selected slice(s) and selects all others.

Data: The Data menu option provides choices on how data are displayed in the chart.

Percentage: The Percentage toggle labels the slice value(s) as a percentage of the whole pie.

Value: The Value toggle labels the slice value(s) with their quantitative equivalents.

Show Legend: The Show Legend check box menu option toggles the Pie Chart legend on or off.

Tooltips

A tooltip comes up when hovering over a slice. It has the following values:

Value: The Value refers to the quantitative value associated with that slice.

Percent: The Percent refers to the percentage that the slice constitutes of the whole.

Last Seen: The Last Seen refers to the last time that element of the slice was seen in traffic. This can give an idea as to what percentage in the time domain the slice refers to.

Pie Chart Tooltip


Sequence Diagram

The sequence diagram presents a sequential analysis of transactions and messages between hosts. The chart represents hosts as vertical lines arranged over the X axis, and messages as arrows between the hosts. The vertical axis represents time proceeding downward, which can be either relative (default) or absolute.

Layers

The chart can display data in one of two layers. The Transport layer displays each packet in the trace as a separate message in the sequence diagram. The Application layer decodes the packets for supported protocols and displays the protocol-specific messages. The user can toggle between these layers to gain different understandings of the underlying network transaction(s). For example, the figures below show both the transport layer view and the application layer view for an HTTP download transaction. In the transport layer, separate message arrows show the three-way TCP handshake to establish the connection, and then each data and acknowledgement packet in the exchange. In the application layer, on the other hand, only three messages are shown – one to establish the TCP connection, one to represent the HTTP GET request, and one to represent the HTTP response.


Transport Layer View

Application Layer View

Multi-Segment Sequence Diagram

When a multi-segment sequence diagram view is applied to a multi-segment source, the resulting sequence diagram shows traffic between nodes across multiple segments in a network. In the following diagram, hosts are indicated by half-circles and capture points in the network are indicated by console icons.

For additional information on multi-segment analysis, refer to the section on “Multi-Segment Analysis (MSA).”



Time Filter

By selecting a vertical region, the user selects a time range. All messages starting within the time range are displayed as selected.

Context Menu

In the time selection area it is possible to perform the following actions:

Send to SteelCentral Transaction Analyzer: The Send to SteelCentral Transaction Analyzer menu option sends all the traffic within the selected time range to Transaction Analyzer for analysis.

Send to File: The Send to File menu option sends all the traffic within the selected time range to a user-specified trace file that will appear, after completion, in the Files panel for immediate analysis.

Drill Down: The Drill Down menu option applies the user-specified view to the selected time range and opens a new view tab in the main workspace.

Copy: The Copy to Clipboard menu option copies a tabular form of the data within the selected time range to the system clipboard.

Copy Chart: The Copy Chart menu option copies the selected chart as a metafile to the system clipboard for pasting into another application.

Create Filter: The Create Filter menu option creates a time filter based on the current time selection.

Search: The Search menu option opens a search dialog window that can be used to find data in the charts.

Name Resolution: The Name Resolution menu option tries to identify unresolved IP addresses from all or the selected chart elements. The default is taken from the Settings menu. Its submenu options are:

Enabled: Turns on auto resolution of current and new addresses.

Resolve Selected: Resolves only the selected addresses.

Clear Selected and Clear All: Resolved names are not displayed.

Ruler Mode: Ruler Mode displays detailed timing information about one or more messages. For more information, see the description of Ruler Mode (below).

Fit Selection: The Fit Selection menu option arranges the horizontal range to fit the selected nodes.

Select: Not applicable.

Nodes: The Nodes menu provides options to control which nodes are hidden or shown.

Show All: Shows all hidden nodes.

Show Selected Only: Hides all nodes but the selected one(s).

Show All But Selected: Hides the selected nodes and shows all others. Note that at least two nodes must be visible at all times.

Inverse: Inverts the hidden node set, by showing all hidden nodes and hiding all visible ones.

Data: The Data menu has the following options.

Time Hints: Enables the sequence diagram to visually represent the network delay between nodes. For more information, see the description of Time Hints (below).

Absolute Time: Displays the actual time covered by the file.

Relative Time: Displays the time that has elapsed since the beginning time of the file.

Settings: The Settings menu allows you to set two parameters that affect the sequence diagram display: Show Legend and Show Labels.


Ruler Mode

Ruler mode displays detailed timing information about one or more messages. It is activated by clicking the mode icon.

Ruler Mode Icon

The system shows timing information in two modes:

Node Mode: When a message is selected or a time range is created, the diagram shows the start time, end time and delta value between the first and the last message in the range.

Message Mode: When a first message terminator (head or tail) is clicked, followed by a second terminator, the system shows the timing of the two messages as well as the interval between them. If a third terminator is selected, the initial selection is retained, and the system updates to show the timing information between the first message terminator and the newly clicked one. Selecting another message or clicking in the background will clear the original selection.

Node ruler mode

Global ruler mode

Time Hints

Time hints enable the sequence diagram to visually represent the network delay between nodes. The feature is activated or deactivated using the icon in the upper-left corner of the chart.

Time Hints Icon


When time hints are disabled, all messages are shown as horizontal lines, where the Y axis value represents the message timestamp as recorded in the trace file.

When time hints are enabled, the network delay is inferred from the TCP calculations, and the message lines are drawn with a slope that illustrates the network delay.

Time without hints

Time with hints

Message Labels

Message labels show information about the message: protocol, byte count, and so on. The feature is activated or deactivated using the icon in the upper-left corner of the chart.

Message Label Icon


Typical message labels

Strip Chart

The Strip Chart displays quantitative data with respect to time.

Diagram

The Strip Chart diagram has the following elements:

 Time Control Area

 Legend

 Data area

 Min/Max

 Current Selection Interval

This is an example of a View containing a Strip Chart:


Strip Chart

Note: The Current Selection bar (at the bottom of the View) simultaneously applies to all of the Charts contained in a View.

The View above shows 3 charts, namely a strip chart, a bar chart, and a pie chart. This section discusses the strip chart (the top-most chart).

Current Selection: The data points displayed in the strip chart correspond to the View metric (Bits per Second) computed over the Current Selection Interval.

Total Window: The Total Window interval shows the total duration of the source trace file or, for a live source, the total duration of the capture or the Data Retention Time, whichever is smaller.


Strip Chart with Horizontal Zoom

This shows the strip chart “zoomed” horizontally using the Selection bar in the Time Window. The Time Control Ribbon can also be used to set the duration and location of the Current Selection. The minimum and maximum values in the Current Selection are displayed (unless they are obvious from the context).

The Selection Bar (upper bar) controls the portion of the data (trace file or live capture) that is displayed in the charts. Move the triangular markers above the ends of the Selection Bar to trim the time interval that is displayed.

The Time Scroll Bar (lower bar) controls the resolution of the upper bar. As you bring the ends of the bar in toward the center, the time scale in the upper bar expands, allowing you to make finer selections of time intervals using the upper bar.

Along with the “Sampling Time” and “Data Retention Time” options as previously described, the Strip Chart can be customized using the chart context menu:

 Toggling display mode (line chart or stacked area chart)

 Selecting data sources to be displayed

 Changing the stacking order (stacked area mode only)

 Toggling legend visibility

 Displaying Min and Max values

 Rescaling the Y Axis

Display Modes

There are two display modes for strip charts: normal (line) mode and stacked area mode. Normal mode is the default.

Normal strip chart


Stacked area strip chart

In the normal (line) chart, each data point’s value at a given time is plotted relative to zero. In the stacked area chart, each data point’s value at a given time is plotted relative to the value of the data in the layer below. To switch from one mode to the other, click one of the display mode buttons in the upper left corner of the strip chart:

Alternatively, you can choose the display mode from the context menu (described below). To display a strip chart in stacked area mode by default, set the view to stacked area mode and save it as a custom view. (Click the Save button in the View section of the Home tab.) When you drag the custom view onto your data of interest, the strip chart displays in stacked area mode.

Data Display

You can show or hide lines or areas of data by checking or unchecking the boxes in the legend area to the right of the data area.


Stacking Order

You can change the stacking order of areas in a stacked area chart by dragging the labels up or down in the legend area to the right of the data area.

Custom sampling interval

By default, the sampling interval for a strip chart is calculated automatically by Packet Analyzer Plus.


A context menu in the time control bar shows the current sampling interval and allows you to select a different one. The allowed sampling intervals are calculated based on display considerations.

The strip chart is recalculated using the new sampling interval.

Selection

The Strip Chart supports two types of selection:

 Time-based

 Line- or area-based

Time-Based Selection

A Time-Based Selection can be applied to any Strip Chart and is performed by clicking and dragging the mouse over a time period. An example result is shown below:


Strip Chart Selection (Time)

Note that multiple selection cannot be performed using time-based selection.

Line- or Area-Based Selection

A Line- or Area-Based Selection can be applied to Strip Charts where more than one metric is being displayed, for example in the case of multiple protocols over time:

Strip Chart Selection (Element)

Individual lines or areas are selected by clicking either on the line or area itself, or on its representation in the legend. Multiple lines or areas can be selected by clicking with the Control key pressed.

Context Menu

The context menu for a strip chart has the following options:


Send to Wireshark: Sends traffic from the selected time slice or lines/areas to Wireshark for analysis.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Send to SteelCentral Transaction Analyzer: The Send to SteelCentral Transaction Analyzer menu option sends the traffic from the selected time slice or lines/areas to Transaction Analyzer for analysis.

Send to File: Sends traffic from the selected time slice or lines/areas to a user-specified trace file that will appear, after completion, in the Files panel for immediate analysis.

Drill Down: Applies the user-specified view to the selected time slice or lines/areas and opens a new view tab in the main workspace.

Copy: Copies a tabular form of the selected data to the system clipboard.

Copy Chart: The Copy Chart menu option copies the selected chart as a metafile to the system clipboard for pasting into another application.

Create Filter: Creates a filter based on the current selection and adds the filter to the Filter List.

Add policy: Opens the Watch Editor dialog window. The Trigger Condition is based on the currently selected strip chart. The Data Filter, if any, is based on the line selection within the strip chart.

Search: Opens a search dialog window that can be used to find data in the charts.

Name Resolution: The Name Resolution menu option tries to identify the port name, IP address, or MAC address of all or the selected elements in the strip chart. The default is taken from the Settings menu. Its submenu options are:

Enabled: Turns on auto resolution of current and new addresses.

Resolve Selected: Resolves only the selected addresses.

Clear Selected and Clear All: Resolved names are not displayed.

Fit Y Axis: Scales the vertical height of the strip chart to fit within the chart. The default is Fit All.

Fit All: The Y axis is fit to the currently available strips.

Fit Selected Only: The Y axis is fit to the selected strips. Strips must be selected before this choice is available.

Lines: The Lines submenu allows you to choose which lines are displayed.

Show All: Shows all hidden lines.

Show Selected Only: Hides all lines but the selected one(s).

Show All But Selected: Hides the selected line(s) and shows all others. Note that at least two lines must be visible at all times.

Inverse: Inverts the hidden line set, by showing all hidden lines and hiding all visible ones.

Select: Brings up two submenu options.

Select All: Selects all lines or areas.

Select Inverse: Selects all lines or areas that are not currently selected (and deselects those that are currently selected).

Settings: Brings up three submenu options.

Show Legend: Shows the legend area to the right of the strip chart, indicating which data sets correspond to which lines or areas.

Show Min/Max: Shows a minimum point and a maximum point for each data set on the chart.

Setup Y Axis: Brings up the dialog for setting up the Y axis. You can set the upper and lower bounds of the Y axis, or choose Auto Size to let Packet Analyzer Plus choose the bounds automatically. You can also specify the number of increments displayed on the Y axis, or choose Auto Number of Rows to let Packet Analyzer Plus choose the number of rows automatically.


Tooltips

The tooltips for the Strip Chart show the full quantitative value of a specific sample point of the element in the data area. Hover your mouse over a sample point to see its value.


Scatter Plot

The Scatter Plot is a versatile and flexible chart that can display complex relationships between values using three dimensions:

 Y Axis

 X Axis

 Size of the circles, referred to as points

Each of these dimensions can be assigned to one of a predefined set of metrics. For instance, the user may specify that the Y-Axis represents either 802.11 Channel usage or average frame size. Scatter Plots are most useful when there is expected to be a correlation between metrics, such as the total number of packets and the total bytes sent out by a host. For example, if the Y Axis is “Packet Count” and the X Axis is “Byte Count,” then there is typically a diagonal line of points from the origin to the top right. An anomaly would then be visually evident if this relationship did not hold for certain situations.
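The Packet Count versus Byte Count diagonal described above, as an added example that is not code from Packet Analyzer Plus: per-host points are built as the scatter plot would aggregate them, the typical diagonal is taken as the median bytes-per-packet ratio, and hosts whose ratio departs from it by more than an assumed factor are reported as the off-diagonal anomalies an analyst would otherwise spot by eye. The per-host counters are constructed, and the `factor` threshold is a tuning assumption.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass
class HostCounters:
    """Per-host totals as a scatter plot would aggregate them from a trace."""
    host: str
    packets: int    # plotted on the Y axis ("Packet Count")
    nbytes: int     # plotted on the X axis ("Byte Count")


def scatter_points(counters: List[HostCounters]) -> Dict[str, Tuple[int, int]]:
    """One point per host: (Byte Count on X, Packet Count on Y)."""
    return {c.host: (c.nbytes, c.packets) for c in counters}


def bytes_per_packet(points: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Slope of each point's line from the origin: average bytes carried per packet."""
    return {host: x / y for host, (x, y) in points.items() if y > 0}


def diagonal_ratio(points: Dict[str, Tuple[int, int]]) -> float:
    """The "typical" diagonal. The median is used so a few extreme hosts do not
    drag it around, which a least-squares fit would."""
    return median(bytes_per_packet(points).values())


def off_diagonal_hosts(points: Dict[str, Tuple[int, int]], factor: float = 3.0) -> List[str]:
    """Hosts whose bytes-per-packet ratio is more than `factor` away from the diagonal.

    A ratio far below the diagonal means many tiny packets for little payload
    (the shape a probe or scan leaves); far above means unusually full packets.
    `factor` is a tuning assumption of this example.
    """
    typical = diagonal_ratio(points)
    ratios = bytes_per_packet(points)
    return sorted(h for h, r in ratios.items() if r < typical / factor or r > typical * factor)


# Constructed per-host counters (not from a real capture). Most hosts carry
# roughly 650-800 bytes per packet; 10.0.0.99 sends thousands of tiny packets
# and 10.0.0.42 moves a bulk transfer in full-sized segments.
SAMPLE_COUNTERS = [
    HostCounters("10.0.0.11", packets=1200, nbytes=900_000),
    HostCounters("10.0.0.12", packets=800, nbytes=520_000),
    HostCounters("10.0.0.13", packets=3000, nbytes=2_400_000),
    HostCounters("10.0.0.14", packets=150, nbytes=105_000),
    HostCounters("10.0.0.15", packets=5000, nbytes=3_600_000),
    HostCounters("10.0.0.99", packets=4000, nbytes=240_000),
    HostCounters("10.0.0.42", packets=200, nbytes=300_000),
]

if __name__ == "__main__":
    pts = scatter_points(SAMPLE_COUNTERS)
    print(f"typical bytes/packet: {diagonal_ratio(pts):.0f}")
    for host, ratio in sorted(bytes_per_packet(pts).items()):
        x, y = pts[host]
        print(f"{host:12} X={x:>9} B  Y={y:>5} pkts  {ratio:7.1f} B/pkt")
    print("off-diagonal:", off_diagonal_hosts(pts))
```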


Default

Along with the “Sampling Time” and “Data Retention Time” options previously described, the scatter plot is customizable in the following ways using the chart context menu:

 Assignment of the dot size relation

 Assignment of X-Axis

 Assignment of Y-Axis

Scatter Plot


Selection

Selection in a Scatter Plot is done in one of four ways:

 Search operation

 Selection from the legend

 Drawing a box around the points

 Clicking on the points to be selected

Clicking with the Control key pressed for multiple selection is supported for point-based and legend-based selection.

Scatter Plot with Draw Box

Scatter Plot with Multiple Selections

Context Menu

The Send to SteelCentral Transaction Analyzer menu option sends the traffic from the selected point(s) to Transaction Analyzer for analysis. Send to File The Send to File menu option sends the traffic from the selected point(s) to a user-specified trace file that will appear, after completion, in the Files panel for immediate analysis. Drill Down The Drill Down menu option applies the user-specified view to the selected point(s) and opens a new view tab in the main workspace. Copy The Copy menu option copies a tabular form of the selected data to the system clipboard.


Copy Chart: Copies the selected chart as a metafile to the system clipboard for pasting into another application.

Create Filter: Creates a filter based on the current selection within the scatter plot and adds the filter to the Filter List.

Search: Opens a search dialog window that can be used to find data in the charts.

Name Resolution: Resolves the Port Name, IP Address, or MAC Address of the point(s) in the Scatter Plot. This option is available only when the fields are not automatically resolved (see the Name Resolution submenu available in the Home Ribbon). The default comes from the Settings menu. The submenu offers:

Enabled: Turns on auto resolution of current and new addresses.

Resolve Selected: Resolves only the selected addresses.

Clear Selected and Clear All: Stops displaying resolved names for the selected addresses or for all addresses, respectively.

Fit X and Y Axes: Resizes the X and Y scales of the Scatter Chart so that all values fit within the chart.

Select: Has two submenu options:

Select All: Selects all the point(s) in the Scatter Plot.

Select Inverse: Inverts the selection of point(s).

Data: Provides choices for how chart data is displayed and sorted:

X Axis: Presents all possible choices for the metric of the X-Axis. Some charts may have only one option, while others may have multiple; for instance, “Bits/s” versus “Bytes/s” or “Packets/s.”

Y Axis: Presents all possible choices for the metric of the Y-Axis. Some charts may have only one option, while others may have multiple; for instance, “Bits/s” versus “Bytes/s” or “Packets/s.”

Size: The dot size of the points can be enabled and associated with a metric, or disabled by selecting “Nothing.”

Advanced: Opens a separate dialog box where drop-down lists provide options for a chart’s format.

Settings: Provides choices on how a chart is displayed:

Show Legend: Toggles the Scatter Plot legend off or on.

Show Labels: Toggles the point labels off or on; the labels can otherwise be viewed via a tooltip.

Autosize: Toggles whether the chart area automatically resizes based on maximum values.

Tool-tips

A tooltip is shown when hovering over a point. It has the following values:

Name: The name of the point being charted, such as an IP address or an 802.11 wireless channel.

X: The position the point currently occupies on the X axis, in the units of the X axis.

Y: The position the point currently occupies on the Y axis, in the units of the Y axis.

Size: The dot size of the point, in the units of the metric assigned to the dot size.

5 - Filters

Packet Analyzer Plus enables you to apply filters to views to refine the data they display. Packet Analyzer Plus includes a large number of built-in filters, and you can define custom filters, as well, if none of the built-in filters meets your needs. This chapter describes filter behavior in three sections:

 Introduction

 Filter Controls

 Working With Filters

Introduction

A filter is an expression that, when applied to a view, reduces the amount of data shown in that view, making it more specific. As such, a filter is a convenient tool for removing unnecessary or uninteresting data from a view, leaving only the most pertinent data displayed. Many built-in views include by default a generic frame filter that omits invalid frames, and some built-in views include by default additional filters that help to refine the data they display. For example, the built-in DNS Responses view includes a filter that causes only traffic with a UDP port of 53 to be displayed. There are four types of filters, each a different language for specifying a filter definition. There are subtle differences in how Packet Analyzer Plus parses and processes the different filter types, and these differences affect the performance of the views to which the filters are applied.


The four filter types are:

SteelFilter: The predefined filters built in to Packet Analyzer Plus use the SteelFilter type. SteelFilters can make use of the microflow index available in configured capture jobs, or of a microflow index added manually to any pcap file. When an index is available and an index-aware view is applied, views render significantly faster than when no index is available. When analyzing large capture jobs, apply SteelFilters to indexed packet data whenever possible for best performance.

Wireshark Display Filter: Wireshark Display Filters offer the widest field selection. If a SteelFilter cannot express what you need, we recommend applying a Wireshark Display Filter, but only to less than a gigabyte of packet data on your Packet Analyzer Plus workstation. See http://www.wireshark.org/docs/dfref/ for a complete description of Wireshark Display Filter syntax.

BPF: The Berkeley Packet Filter is the oldest and most restrictive of the filter languages: less flexible than Wireshark Display Filters, but faster. BPF is available as a filter type when creating a capture job on an AppResponse 11 system.

Time Interval: A time interval filter is simply a date and time range that narrows the display of data to that interval only. For example, this time interval filter specifies a two-minute interval for which to display data:

11/20/2007 12:31:00.000, 11/20/2007 12:33:00.000, GMT -8

Time interval filters are useful for constraining a view to a time period during which something of particular interest occurred.


Filter Controls

Packet Analyzer Plus furnishes several sets of controls for working with filters. These include the Filter panel, for working with the filter library generally, and the Filter bar, for working with filters that are applied to the current view.

Filter Panel

The Filter panel is located to the right of the main Packet Analyzer Plus workspace, listing all the filters that have been defined, both built-in and user-defined. The Filter panel comprises three components: the search box, the filter library, and the filter editor.

Filter Panel

1 Search Box: Find specific filters in the filter library. Type a string to search for, and the filter library displays only those filters that contain that string somewhere in their name or definition. The search string is not case-sensitive.

2 Filter Library: The list of all built-in and user-defined filters. Select a filter and drag it to a view to apply it, or right-click a filter to display the context menu and perform an operation on it.

3 Filter Editor: Select a filter in the library to modify it here, or create a new custom filter or folder.


Filter Panel Context Menus

Context menus in the Filter panel provide options for using and managing folders and individual filters.

Folder Context Menu

Right-click a filter category folder (such as MAC, IP, or TCP/UDP) in the filter library to display this context menu:

Edit: Change focus to the Filter Editor at the bottom of the Filter panel to modify the selected item. If no view is applied, pressing the Enter key does the same thing.

Delete: Remove the selected folders from the library after prompting for confirmation. Pressing the Del key does the same thing.

New Filter: Create a new filter and add it to the library. If an existing filter is selected when this command is clicked, New Filter behaves like the Duplicate command. The default filter name is New Filter, and a counter is appended if necessary. If no filter is selected, a new SteelFilter is created by default.

New Folder: Create a new empty folder for organizing filters. If an existing folder is selected, the new folder is created as a subfolder.

Sort: Arrange the contents of the library according to one of the following options: Default (the order defined in the Packet Analyzer Plus configuration file) or Name.

Reset Filters: Restore the factory-default filter list.


Filter Context Menu

Right-click an individual filter in the Filter library to display this context menu:

Apply: Add the selected filter to the current view. Highlight Apply and then select an option on how to apply the filter.

Prepare: Set up the selected filter for editing in the Filter bar (described below) without applying it. Highlight Prepare and select an option on how to apply the filter. See “Applying Filters” for details on how filters are applied.

Edit: Change focus to the Filter Editor at the bottom of the Filter panel to edit the selected filter. If no view is applied, pressing the Enter key does the same thing.

Delete: Remove the selected filters from the library after prompting for confirmation. Pressing the Del key does the same thing.

Duplicate: Copy the selected filter. The new copy has the same filter type and value as the original, but has a unique name, constructed by appending a counter to the original name.

Move to Top: Move the selected filter to the top of the hierarchy level in which it is located, to give it more visibility.

New Filter: Create a new filter and add it to the library. If an existing filter is selected when this command is clicked, New Filter behaves like the Duplicate command. The default filter name is New Filter, and a counter is appended if necessary. If no filter is selected, a new SteelFilter is created by default.

New Folder: Create a new empty folder for organizing filters. If an existing folder is selected, the new folder is created as a subfolder.

Sort: Arrange the contents of the library according to one of the following options: Default (the order defined in the Packet Analyzer Plus configuration file), Name, or By Type.

Reset Filters: Restore the factory-default filter list.


Keyboard Shortcuts Some Filter panel operations can be performed using keyboard shortcuts:

 Double-click or Enter:

 Folder list item: expands the folder in the Filter panel to show its contents and moves focus to it.

 Filter list item: if no view is applied, expands the Filter panel editor showing the filter details and moves focus to the editor; if a view is applied, adds the filter to the view and updates it instantly.

 F2 expands the Filter editor and moves focus to it.

 F3 moves focus to the search box.

 Del removes the selected item.

 Typing a filter name executes a search and selects the first instance.

Filter Editor

The Filter editor has three elements:

 Name—The name of the filter to be modified.

 Type—The language in which the filter is written. These are described in the introduction.

 SteelFilter

 Wireshark Display Filter

 Berkeley Packet Filter

 Time Interval

 Filter String—The code that defines the filter, written in the language corresponding to the selected Type.

Applying Filters From the Filter Editor

The Apply and the Prepare buttons in the filter editor both offer a list of options for applying the selected filter, based on the operator. This set matches that of Wireshark’s context menu for filters. Filters can be applied in one of two ways:

 The selected filters replace the applied filter of the same type:
– Selected
– Not Selected

 The selected filters are combined with the currently applied filter of the same type, and the new filter value depends on the chosen operator:
– … and selected
– … and not selected
– … or selected
– … or not selected

If more than one filter is selected, filters of the same type are aggregated using OR, while filters of different types are aggregated using AND. The selected filters are added to the selected filter bar entry, which is highlighted by a yellow background when the filter bar contains more than one filter entry.

Filter Editor Controls

The Filter editor includes five buttons for working with filter definitions:

Apply: Assign the selected filters to the current view. Click the icon and select an option on how to apply the filter.

Prepare: Set up the selected filter for editing in the Filter bar (described below) without applying it.

New Filter: Create a new filter and add it to the library. If an existing filter is selected when this command is clicked, New Filter behaves like the Duplicate command. The default filter name is New Filter, and a counter is appended if necessary. If no filter is selected, a new SteelFilter is created by default.

New Folder: Create a new empty folder for organizing filters. If an existing folder is selected, the new folder is created as a subfolder.

Delete: Remove the selected filters from the library after prompting for confirmation. Pressing the Del key does the same thing.

Filter Bar

The Filter bar resides at the top of the main workspace, and displays any filters that have been applied to the current view. It is the Packet Analyzer Plus equivalent of Wireshark’s “display filter input.” For each applied filter, it shows the filter string in the language (type) in which it was written. Adjacent controls enable you to execute actions that affect the filter.


The check box at the left of the Filter bar activates and deactivates the corresponding filter entry in the view, and selecting or unselecting the entry updates the view immediately. The Filter bar is collapsed if no filters are being used; expand it by clicking the down-arrow at its right end, or by dragging a chart element or filter over it. The Filter bar is empty if no filter has been applied to the current view; however, many views include the Generic Frame Filter in their default definition. Each filter entry uses a single filter type. Filters of the same type can be combined in a single entry using the Boolean operators AND and OR in conjunction with the Apply command. Filters of different types can be combined using AND.

Filter Bar Controls The buttons included in the Filter bar control the creation, application, and saving of filters applied to the current view.

Save: Save the filter, adding it to the root folder in the Filter panel’s library.

Delete: Deactivate an applied filter and update the view. If the filter isn’t applied, the filter definition is cleared.

Apply: Execute the filter changes and update the view. Pressing the Enter key when finished editing a filter also applies the filter.

Prepare: Add an empty entry to the filter in preparation for defining it.

Delete All: Remove all entries from the filter and update the view immediately.

Filter Bar Keyboard Shortcuts Some Filter bar operations can be performed using keyboard shortcuts:

 Enter—Apply the filter, if modified.

 Control+Z—Undo changes in the filter value combo box, stepping back through the history of the applied filters.

 Control+Y—Redo changes in the filter value combo box.


Working With Filters This section describes the procedures for managing filters and applying them to views:

 Applying An Existing Filter

 Clearing An Applied Filter

 Creating A New Custom Filter

 Editing An Existing Filter

Applying An Existing Filter

The simplest way to apply an existing filter is to select it in the Filter panel and drag it onto the current view. The view updates immediately, displaying data as stipulated by the filter, and the Filter bar is populated with the newly applied filter definition. Apply additional filters as necessary. The other methods, dropping filters on the Filter bar and using the Filter panel context menu, are described below.

Dragging and Dropping Filters Drag and drop a filter to the filter bar to add a new filter entry. If you drag and drop a filter by keeping CTRL pressed, the filter bar will highlight the filter entry with a light blue background, and you can replace the highlighted filter text. Drag and drop filters any of these ways:

 Inside the Filter panel

 From the Filter panel

 To the Filter panel


Filters can be dragged in and out of the Filters panel easily to create, organize, or apply filters, as shown below.

Some charts allow filters to be created by making a selection in the chart and clicking Create Filter in the chart’s context menu, or by dragging the selection to the Filter bar or Filter panel.

Inside the Filter Panel

 Within the Filter panel itself, filters can be dragged around to change their position inside their folder, or to move them from one folder to another. If the Control key is held when dragging, a copy is performed instead of a move.

 Folders cannot be copied or moved. It is only possible to change their position by dragging them within the same hierarchy level.

From the Filter Panel

 Filters can be dragged over an unapplied standard view in the Views panel, creating a filtered view.

 Filters can be dragged onto the Filter bar or onto an open view chart to apply them. Multiple filter selection using the Control key is supported:

 Two or more filters of the same type are applied as a single filter item in the Filter bar using OR.

 Two or more filters of different type will be set on as many filter items in the Filter Bar as the number of different filter types in the multiple selection. Filters of the same type use OR, otherwise AND is used.

 When a filter is dragged onto the filter bar and a previous filter of the same type is already set, the new one replaces the old one. To combine the new filter with the previous one instead, hold the Control key while dropping for OR, or the Alt key for AND.


 A time filter can be dragged over the master controller at the bottom of a view to apply it. It can be dragged over a Strip Chart or Sequence Diagram to perform a time selection or over the Filter Bar to apply it to the view.

The Filter Library

Filters in the filter library can be added to the Filter Bar by dragging and dropping them, or by means of the filter panel context menu. In addition, selected chart elements can be dragged to the filter bar to create a filter.

As mentioned above, any filter can be dragged over the Filter Bar to apply it instantly. See “Working With Filters” for a description of the various options for applying filters using drag and drop.


Clearing An Applied Filter

Remove a filter from a view using any of these methods:

 Unselect the filter entry in the Filter bar. This deactivates the filter in the current view without removing the filter completely. The view updates immediately to display data without the filter.

 Click the Delete button next to the filter entry in the Filter bar to remove it from the current view completely. The view updates immediately to display data without the filter. Remove additional filters as necessary. You can remove all filters from the view at one time by clicking the Delete All button at the right side of the Filter bar.

Creating A New Custom Filter

To define a custom filter: 1. Click the New Filter button in the Filter editor.

2. Type a name for the new filter. Choose a filter type, and specify the filter string using syntax appropriate for the filter type. SteelFilter syntax is described in the SteelCentral NetShark Filters Guide.

3. Press Enter to add the new filter to the filter library.

Editing An Existing Filter

To modify an existing filter: 1. Select the filter in the Filter library. The filter editor displays the filter name, type, and filter string.

2. Modify the filter as necessary, and press Enter to make the changes take effect.

Managing Filters

To delete an existing filter: 1. Select the filter in the filter library.

2. Click the Delete button. This deletes the filter from the filter library.

Combining Filter Entries

Use the filter editor to combine multiple filter entries of the same type into a single entry. Use the Boolean operators AND and OR to join the terms.


SteelFilter Syntax

SteelFilter is a language for defining data filters that leverage the indexing functionality of AppResponse 11 systems. SteelFilter expressions reduce the amount of data to examine at one time; applied to views, they refine the data the views display.

Basic Syntax

A SteelFilter expression combines three basic component types: identifiers, operators, and values. These components are assembled in the sequence identifier operator value, such that the operator specifies a relationship between the identifier and the value. In addition, unary operators enable you to qualify a condition without associating it with an identifier. Identifiers, operators, and values can be combined in numerous ways to define complex expressions. An example of the identifier operator value sequence is:

ip.src == 10.0.0.1

An example of a unary operator applied to a condition is:

NOT (ip == 10.0.0.1)

Identifiers

Identifiers begin with a letter, and can include letters, digits, underscore, dot, and colon characters. SteelFilter expressions support identifiers in English. A list of supported SteelFilter identifiers, with descriptions, is provided in the Appendix A, “SteelFilter Identifiers.”

Operators

SteelFilter supports the use of the following operators:

Operator            Description
== or EQ            equal
~=                  equal, case-insensitive
< or LT             less than
> or GT             greater than
!= or <> or NE      not equal
<= or LE            less than or equal
>= or GE            greater than or equal
CONTAINS            the value of the first operand includes the second; multiple values require parentheses
~CONTAINS           CONTAINS, case-insensitive
&& or AND           logical AND
|| or OR            logical OR
! or NOT            logical NOT
IN                  matches one or more of the values included in a list
IN ANY              same as IN
IN ALL              matches all the items included in a list
IN EXACTLY          matches all items included in the list, in the same order
BETWEEN             range from one value to another, inclusive of both ends

Values

A value can be anything specified inside quotation marks; numbers (integer or double) can also be specified without quotes. SteelFilter expressions support values in English or UTF-8 format.

Examples

A small selection of simple SteelFilter examples follows. The filters that are built-in to Packet Analyzer Plus provide a large number of examples that you can use as starting points for defining your own custom filters, if those built-in filters do not meet your needs.

 Filter traffic to or from 192.168.100.1: ip.addr == "192.168.100.1"

 Filter traffic from 192.168.100.1: src_ip.addr == "192.168.100.1"

 Filter for traffic inside the 192.168.0.0/24 subnet: (dst_ip.c_net == "192.168.0.0") && (src_ip.c_net == "192.168.0.0")

 Filter UDP traffic: ip.protocol.type == 17

 Filter HTTPS traffic: tcp.port == 443

 VoIP traffic to or from number 123456789: user_voip.number == "123456789"
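The following Python script is an added illustration and is not Riverbed’s code: it implements a small evaluator for the grammar described above (identifier operator value, combined with the operators in the table) and runs the examples just listed over a handful of constructed packet records. The record layout, the packet() and apply_filter() names, and the treatment of ip.addr and tcp.port as matching either endpoint are this example’s assumptions; the product evaluates SteelFilters against its own packet index, not against Python dictionaries, and the IN ALL, IN EXACTLY and BETWEEN forms are left out because this page does not show their syntax.

```python
import re
from operator import eq, ne, lt, gt, le, ge

# Added example, not Riverbed's code: a toy evaluator for the SteelFilter grammar
# on this page (identifier operator value, joined by AND/OR/NOT and parentheses),
# run over constructed packet records. Each packet is a dict whose fields are
# tuples of candidate values, so "ip.addr" or "tcp.port" matches either endpoint,
# as the page's "to or from" example needs. IN ALL/IN EXACTLY/BETWEEN are omitted.
TOKEN = re.compile(
    r'\s*(?:(?P<num>-?\d+(?:\.\d+)*)|(?P<str>"[^"]*")'
    r'|(?P<op>~CONTAINS|CONTAINS|~=|==|!=|<>|<=|>=|<|>|&&|\|\||!|\(|\)|,)'
    r'|(?P<word>[A-Za-z][A-Za-z0-9_.:]*))')
KEYWORDS = {"AND": "&&", "OR": "||", "NOT": "!", "EQ": "==", "NE": "!=",
            "LT": "<", "GT": ">", "LE": "<=", "GE": ">=", "IN": "IN"}
OPS = {"==": eq, "!=": ne, "<>": ne, "<": lt, ">": gt, "<=": le, ">=": ge,
       "~=": lambda a, b: str(a).lower() == str(b).lower(),
       "CONTAINS": lambda a, b: str(b) in str(a),
       "~CONTAINS": lambda a, b: str(b).lower() in str(a).lower()}

def tokenize(text):
    """(kind, value) tokens; quoted text and dotted quads are string values."""
    pos, out, text = 0, [], text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"bad token at {text[pos:pos + 10]!r}")
        pos, (num, s, op, word) = m.end(), m.groups()
        if num:
            out.append(("val", num if num.count(".") > 1 else float(num)))
        elif s or op:
            out.append(("val", s[1:-1]) if s else ("op", op))
        else:
            kw = KEYWORDS.get(word.upper())
            out.append(("op", kw) if kw else ("id", word))
    return out

class Parser:
    """Recursive descent; OR binds loosest, then AND, then NOT and parentheses."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v != value):
            raise SyntaxError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v
    def chain(self, sym, sub, combine):            # left-associative binary op
        left = sub()
        while self.peek() == ("op", sym):
            self.take()
            left = (lambda l, r: lambda p: combine(l(p), r(p)))(left, sub())
        return left
    def or_expr(self):
        return self.chain("||", self.and_expr, lambda a, b: a or b)
    def and_expr(self):
        return self.chain("&&", self.unary, lambda a, b: a and b)
    def unary(self):
        if self.peek() == ("op", "!"):
            self.take()
            return (lambda inner: lambda p: not inner(p))(self.unary())
        if self.peek() == ("op", "("):
            self.take()
            inner = self.or_expr()
            self.take("op", ")")
            return inner
        return self.comparison()
    def comparison(self):                          # identifier operator value
        ident, op = self.take("id"), self.take("op")
        if op == "IN":                             # IN (v1, v2, ...): any match
            self.take("op", "(")
            values = [self.take("val")]
            while self.peek() == ("op", ","):
                self.take()
                values.append(self.take("val"))
            self.take("op", ")")
            return lambda p: any(v in values for v in p.get(ident, ()))
        if op not in OPS:
            raise SyntaxError(f"{op!r} is not a comparison operator")
        value = self.take("val")
        return lambda p: any(OPS[op](v, value) for v in p.get(ident, ()))

def packet(src, dst, proto, sport, dport):
    """Constructed record keyed by the identifiers in the page's examples."""
    c_net = lambda ip: (ip.rsplit(".", 1)[0] + ".0",)    # /24 "class C" network
    ports = {"udp.port" if proto == 17 else "tcp.port": (sport, dport)}
    return {"ip": (src, dst), "ip.addr": (src, dst), "src_ip.addr": (src,),
            "dst_ip.addr": (dst,), "src_ip.c_net": c_net(src),
            "dst_ip.c_net": c_net(dst), "ip.protocol.type": (proto,), **ports}

SAMPLE = [packet("192.168.100.1", "192.168.0.10", 6, 51000, 443),    # HTTPS
          packet("192.168.0.5", "192.168.0.10", 17, 53000, 53),      # DNS
          packet("10.0.0.1", "192.168.100.1", 6, 443, 51001),        # HTTPS reply
          packet("192.168.0.7", "192.168.0.9", 6, 40000, 80)]        # HTTP

def apply_filter(expression, packets=SAMPLE):
    """Indices of the packets the expression keeps, like a filtered view."""
    parser = Parser(expression)
    pred = parser.or_expr()
    if parser.peek()[0] is not None:                   # e.g. an unbalanced ")"
        raise SyntaxError(f"unexpected {parser.peek()[1]!r}")
    return [i for i, p in enumerate(packets) if pred(p)]
```

Run it interactively and call apply_filter('ip.addr == "192.168.100.1"'): the result names two of the four sample packets, one where the address is the source and one where it is the destination, which is why the page’s first example reads “to or from”. The same tokenizer accepts both the symbolic and keyword spellings from the operator table, so `tcp.port GT 50000 OR ip.protocol.type NE 6` parses exactly like its `>`/`||`/`!=` form.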

6 - Policies and Alerts

A policy defines a set of traffic criteria applied to a strip chart or a bar chart in a view. A policy comprises one or more trigger conditions and one or more associated alert recipients. Each time a trigger condition is met, a violation is generated and listed in the Violations panel, and violations can result in alerts that are forwarded to one or more recipients. The policy is associated with a particular chart within a view, and the trigger condition is based on the metric computed in that chart. The view is applied to a source that is a live AppResponse 11 system.

Note: The trigger condition is checked at the underlying sampling time intervals, even if the chart shows sub-sampled or aggregated data for larger intervals.

For example, suppose the view is Bandwidth Over Time with a sampling time of one second and the selected chart within the view is Packet Bandwidth Over Time. This means that for every second, packets-per-second is computed over the packets that arrived during the previous sampling time – this is the quantity shown in the chart. If a policy were associated with this chart, its trigger condition would be checked every second using the computed packets-per-second.

The Policies/Alerts Ribbon

The Policies/Alerts ribbon provides these controls:

Figure 6-1. The Policies/Alerts Ribbon

 Add Policy: Display the Policy Editor dialog for defining policies. The Add Policy button is enabled when there is either a strip chart or a bar chart selected within the current view.

 Selected Policies

 Edit: Display the Policy Editor dialog for changing the selected policy.

 Remove: Delete the selected policy and all its associated violations.

 Enable: Activate the selected policy.

 Disable: De-activate the selected policy. No violations are generated from a disabled policy.


 Views Filter

 No Filters: Filtering on views is disabled.

 Current View: The Views Filter selects only those violations that are associated with the current view.

 Pinned Views: The Pin List itself shows the pinned views and their sources. Views can be removed from the Pin List by clicking the corresponding check boxes.

 Add to Pin List: Add the currently selected view to the pin list.

 Pin List: Show the current contents of the pin list.

 Probes Filter: Show in the Violations panel the violations from all AppResponse 11 systems, or show only those alerts from the AppResponse 11 system selected currently in the Sources panel.

 All Probes

 Current Probe

 Severities: Select which severities of violation to display.

 Low

 Medium

 High

 Policies and Alerts Filter: Filter violations based on the corresponding Policy Name, Policy Description, Alert IDs, or Time Interval.

 Policy Name: Type a string to filter the contents of the Violations panel by policy name.

 Policy Description: Type a string to filter the contents of the Violations panel by policy description.

 Alert IDs: Type a number to filter the contents of the Violations panel by alert ID.

 Time: Specify start and end times by which to filter the contents of the Violations panel.

 Apply: Click this to make the filter settings take effect.

 Events Overlay

 Overlay Enabled: Click to enable/disable the overlay controls.

 Source Chart: Show only the alerts for policies that are associated with the current chart.

 Source View: Show alerts associated with all of the policies in a view in each chart of the view.

 All Views: Show all alerts for all policies in all charts within all views.

Creating Policies You can create a policy for a chart by right-clicking on a line or a bar and choosing Add Policy from the context menu to display the Policy Editor dialog.


Figure 6-2. Strip Chart with Context Menu

Figure 6-2 shows the context menu that appears when chart data is right-clicked in a view. Choosing Add Policy displays the Policy Editor dialog, enabling you to define a policy for the selected data.

The Policy Editor Dialog

Figure 6-3 shows the Policy Editor dialog. Descriptions of the controls follow.


Figure 6-3. Policy Editor Dialog

The Policy Editor dialog provides these controls:

 Name: Type a name to identify the policy.

 Description: Type explanatory text to document the policy’s purpose.

 Persistence: Specify a number of violations occurring in a number of minutes to generate an alert.

 Triggers: Specify values for the thresholds at which violations will be generated.

 Subscriptions: Specify the Email accounts that will receive notifications of violations.

Policy in Sources Panel

Each policy is listed in the Sources panel below its associated view. The small arrows next to the policy icon toggle the display of the list of policies.

Figure 6-4. Policy in Devices Sources Panel


Policy Context Menu

Right-clicking on a policy in the Sources panel provides access to the following commands:

 Edit: Display the Policy Editor dialog for changing the policy configuration.

 List violations: Toggles the display of violations associated with the policy.

 Enabled: Enables/Disables the policy.

 Remove: Delete the policy and all its associated alerts.

Figure 6-5. Context Menu For Policy Applied to Source

Figure 6-6. Trigger Condition

Trigger conditions are context-sensitive; different trigger conditions are available and valid for different data. Packet Analyzer Plus populates the Trigger pulldown menu with metrics that are relevant for the data in the chart.

Figure 6-7. Relational Operators

Finally, there is the right-most box, which contains the comparison value. The trigger condition in the example is True whenever Packets is greater than 5K. The example also shows the “within” condition and what is shown when the trigger condition is expanded. The “within” condition requires two values, namely the lower and upper limits, in that order. In this case, the trigger condition is True whenever the value (Packets per second) is greater than or equal to the lower limit and less than or equal to the upper limit (>= lower limit and <= upper limit). Similarly, the “outside” condition is specified with lower and upper limits and is True when the value falls outside the specified range (<= lower limit or >= upper limit).


Entering Values in Policy Triggers

A large set of units is valid for specifying a trigger value. Values can be entered as a number and a unit that specifies a multiplier. For example, a trigger condition value of 1000000 can be entered as 1M. The available units and their multipliers are listed below.

Prefix                   Multiplier   Multiplier value
k, K, kilo, Kilo         10^3         1000
M, mega, Mega            10^6         1000000
G, g, giga, Giga         10^9         1000000000
T, t, tera, Tera         10^12        1000000000000
P, peta, Peta            10^15        1000000000000000
E, e, exa, Exa           10^18        1000000000000000000
ki, Ki                   2^10         1024
Mi, mi                   2^20         1048576
gi, Gi                   2^30         1073741824
Ti, ti                   2^40         1099511627776
Pi, pi                   2^50         1125899906842624
Ei, ei                   2^60         1152921504606846976
m, milli, Milli          10^-3        0.001
u, micro, Micro          10^-6        0.000001
n, nano, Nano            10^-9        0.000000001
p, pico, Pico            10^-12       0.000000000001
f, femto, Femto          10^-15       0.000000000000001
a, atto, Atto            10^-18       0.000000000000000001

Entries for values (number times multiplier) must evaluate to integers. Engineering notation using “e” or “E” is also supported; for example, 2E6 corresponds to 2 x 10^6 = 2000000. Time values cannot be entered using multipliers.
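As an added example (not Riverbed’s code), the following Python parses trigger values written with the prefixes in the table above and evaluates the relational, “within” and “outside” conditions over a constructed packets-per-second series, one value per sampling interval as the Note at the start of this chapter describes. The function names, error messages and sample series are this example’s own. The within/outside tests are implemented exactly as this page states them, which means a sample exactly equal to a limit satisfies both conditions; the series below includes such a sample so that the overlap is visible, and values are computed with exact fractions so that “2000m” is accepted as 2 while “3m” is rejected as a non-integer.

```python
import operator
import re
from fractions import Fraction

# Added example, not Riverbed's code: parses the number-plus-unit trigger values
# described on this page and evaluates trigger conditions on a constructed
# per-second series. The prefix table is transcribed from the page; the function
# names and error messages are this example's own. "E"/"e" is both the exa prefix
# and the engineering-notation marker: "2E6" is 2 x 10^6, while a bare "2E" is
# 2 exa, because the exponent marker must be followed by digits.
PREFIXES = {}
for names, mult in [
        (("k", "K", "kilo", "Kilo"), 10 ** 3), (("M", "mega", "Mega"), 10 ** 6),
        (("G", "g", "giga", "Giga"), 10 ** 9), (("T", "t", "tera", "Tera"), 10 ** 12),
        (("P", "peta", "Peta"), 10 ** 15), (("E", "e", "exa", "Exa"), 10 ** 18),
        (("ki", "Ki"), 2 ** 10), (("Mi", "mi"), 2 ** 20), (("gi", "Gi"), 2 ** 30),
        (("Ti", "ti"), 2 ** 40), (("Pi", "pi"), 2 ** 50), (("Ei", "ei"), 2 ** 60),
        (("m", "milli", "Milli"), Fraction(1, 10 ** 3)),
        (("u", "micro", "Micro"), Fraction(1, 10 ** 6)),
        (("n", "nano", "Nano"), Fraction(1, 10 ** 9)),
        (("p", "pico", "Pico"), Fraction(1, 10 ** 12)),
        (("f", "femto", "Femto"), Fraction(1, 10 ** 15)),
        (("a", "atto", "Atto"), Fraction(1, 10 ** 18))]:
    for name in names:
        PREFIXES[name] = Fraction(mult)

# a number (decimal or engineering notation) followed by an optional unit prefix
VALUE_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)\s*(?P<unit>[A-Za-z]*)$")

def parse_trigger_value(text):
    """'5K' -> 5000, '2E6' -> 2000000, '4Ki' -> 4096; rejects non-integers."""
    m = VALUE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed trigger value {text!r}")
    num, unit = m.group("num"), m.group("unit")
    if unit and unit not in PREFIXES:
        raise ValueError(f"unknown unit {unit!r} in {text!r}")
    result = Fraction(num) * PREFIXES.get(unit, 1)    # exact, no float rounding
    if result.denominator != 1:
        raise ValueError(f"{text!r} = {float(result)} does not evaluate to an integer")
    return int(result)

RELATIONAL = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
              "<=": operator.le, "==": operator.eq}

def trigger_fires(value, condition, *limits):
    """Evaluate one trigger condition on one sampled metric value.

    'within' and 'outside' take the lower and upper limits, in that order, and
    follow the page's definitions literally: within is lower <= value <= upper,
    outside is value <= lower or value >= upper, so a sample exactly on a limit
    satisfies both. The relational conditions take a single limit.
    """
    bounds = [parse_trigger_value(t) for t in limits]
    if condition in ("within", "outside"):
        if len(bounds) != 2 or bounds[0] > bounds[1]:
            raise ValueError("within/outside need a lower then an upper limit")
        lower, upper = bounds
        if condition == "within":
            return lower <= value <= upper
        return value <= lower or value >= upper
    if condition not in RELATIONAL or len(bounds) != 1:
        raise ValueError(f"{condition!r} needs exactly one limit")
    return RELATIONAL[condition](value, bounds[0])

def violations(samples, condition, *limits):
    """Indices of the samples (one per sampling interval) at which a policy with
    this trigger would record a violation."""
    return [i for i, v in enumerate(samples) if trigger_fires(v, condition, *limits)]

# Constructed packets-per-second series: one value per one-second sample.
PPS = [1200, 4800, 5200, 9000, 5000, 300]
```

Calling violations(PPS, "within", "1K", "5K") and violations(PPS, "outside", "1K", "5K") both report sample index 4, the 5000 pps sample sitting exactly on the upper limit; when a boundary value matters to you, pick limits one unit apart from the value you want excluded.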

Multi-line Strip Charts

In the case of a single-line strip chart, the trigger condition is evaluated every sample time on the single value computed at each sample point. In the case of multi-line strip charts, where multiple values are computed at each sample time, there are two cases:

1. Multiple characteristics are computed for each packet, or

2. The packets are partitioned into multiple categories and a single metric is computed for the packets in each category.


Single value, multiple packet types

Figure 6-8. Multi-line Strip Chart with Filtering

Figure 6-8 depicts the case in which the multi-line strip chart shows Port Groups Over Time. Each packet is examined and partitioned according to its packet type and the bandwidth per second is computed for each packet type. In general, a policy on this strip chart would check the trigger condition for each port group for each sample time and generate an alert for each port group for which the trigger condition is met. This means that there could be as many alerts generated at each sample time as there are port groups. If a line selection is made before the policy is created, the Data Filter field will show the set of lines for which the packet bandwidth will be calculated. ___ shows that two lines, Web and Email, have been selected. The Policy Editor acknowledges the line selection under the Data Filter section that appears automatically.

Multiple values, single packet type Figure 6-9 shows another type of multi-line strip chart. This example comes from the Frame Size Over Time view in the Generic folder. In this case, the average, maximum, and minimum frame sizes are computed for each packet – there are three different values associated with each packet and the lines in the strip chart represent these values. Now different lines are represented as different “values” in the left-hand side of the trigger condition relational expression.


Figure 6-9. Multiple Metrics for Triggers

Note: When defining a single alert based on multiple metrics and multiple severities, alerts for metrics combined using AND will be sent when the threshold is attained for the minimum of the relevant severities. Alerts for metrics combined using OR will be sent when the threshold is attained for the maximum of the relevant severities.

7 - Working With Capture Jobs

Capture jobs configure and manage network traffic packet capture on interfaces and MIfGs. Each capture job comprises the specific parameters associated with a packet recording session. These parameters include the job name, the associated network interface, a filter, an index setting, and parameters for configuring the retention of packet and index data. Up to 32 capture jobs can be configured per AppResponse system. Each capture job creates exactly one job trace, which has the same name as the capture job; this is the network traffic saved in the packet data store. Job traces reside on the AppResponse system in a folder named the Jobs Repository. Job traces can be very large in size, and working with them is made easier by creating trace clips; these are user-defined time intervals within a job trace that reduce the amount of network traffic to be examined at one time.

Creating and Editing Capture Jobs

Capture jobs comprise the parameters that control the capture of packet data. The job trace associated with the capture job will reside in the Jobs Repository on the AppResponse system.

To create a new capture job:

1. In the Devices tab, select the interface or MIfG for which you want to create a capture job.

2. In the Ribbon panel, click Remote > Create Job to display the Create Job dialog.

3. Specify the settings necessary to define the capture job.

4. Click OK when you’re finished defining the capture job. The associated job trace will appear in the Jobs Repository in the Files tab.

To edit an existing capture job:

1. Right-click on the job trace in the Jobs Repository and choose Settings from the context menu to display the View Job Settings dialog. This is the same as the Create Job dialog.

2. Change the capture job settings as necessary and click Close to make the new settings take effect. A capture job that is running already will begin to use the new settings immediately.


Create Job Dialog Controls

Click Remote > Create Job to display the Create Job dialog (Figure 7-1).

Figure 7-1. Create Job dialog

The Create Job dialog provides these controls:

• Capture Settings

  • Name – Type a unique name for the capture job.

  • Status – This information is supplied by the system. The status will be RUNNING or STOPPED.

  • MIfG – Select an MIfG on the system from which to record traffic.

  • Filter – If you want the capture job to collect only packets that match certain criteria, write a filter expression in either SteelFilter or Berkeley Packet Filter language to omit the unwanted packets. Refer to “SteelFilter Syntax” on page 143 for information about the SteelFilter language.

  • Max Packet Size – This specifies an upper bound on the number of bytes saved for each packet (the snaplen). The default value of 65535 captures the entire packet.

  • Enable Indexing – Indexing is enabled by default.

• Packet Data – Specify minimum and maximum values for retaining packets, in terms of data and time.

  • Min Retention Size

  • Max Retention Size

  • Min Retention Time

  • Max Retention Time

• Microflow Index – Specify minimum and maximum values for retaining the Microflow Index, in terms of data and time.

  • Min Retention Size

  • Max Retention Size

  • Min Retention Time

  • Max Retention Time

The Jobs Repository

The Files tab for an AppResponse system includes a Jobs Repository Folder. The Jobs Repository folder contains a job trace corresponding to each capture job that has been defined. The job trace has the same name as the capture job, and contains the network traffic recorded for that capture job. Each job trace has an associated icon that indicates the extent of Microflow Indexing data associated with it.

Job Trace without Microflow Indexing – Denotes a capture job without Microflow Indexing data.

Job Trace with Microflow Indexing – Denotes a capture job with Microflow Indexing enabled in which the Microflow Indexing data and the job trace packet recording durations are the same.

Job Trace with Mixed Microflow Indexing – Denotes a capture job with Microflow Indexing enabled, but for which the duration of Microflow Indexing data is longer than the duration of the job trace recording. Some views can operate on index data alone, while other views require the underlying trace (packet) data as well.

Figure 7-2 shows the contents of the Jobs Repository folder for two AppResponse 11 systems. Each Jobs Repository contains two trace jobs, with varying options for Microflow Indexing shown by the icons. To enable a user to be able to view capture jobs without being able to start them or stop them, set the user’s role System Configuration privileges to Read-Only.

Figure 7-2. Jobs Repository folder in the Files panel

Starting and Stopping Job Traces

To start a job trace:

1. Click the Start icon next to the capture job’s name, or right-click on the name and choose Start from the context menu.

To stop a job trace:

1. Click the Pause icon next to the capture job’s name, or right-click on the name and choose Stop from the context menu.

Working With Trace Clips It is not unusual for job traces to be multiple terabytes in size, making direct operations on them inefficient and slow. A trace clip is a user-defined portion of a job trace, constrained in time and optionally using one or more packet filters, to reduce the set of packets to be examined. A trace clip has all of the properties of an ordinary trace file, and can be analyzed using all of the capabilities of Packet Analyzer Plus. Trace clips do not require any additional storage and behave exactly like ordinary trace files. There are several simple and visually oriented ways in which trace clips can be created using Packet Analyzer Plus.


Note: Unlike trace files, trace clips can expire, depending on a capture job’s retention settings. When a capture job reaches its maximum packet retention size, new packets overwrite the oldest job trace packets, expiring all trace clips for which the time interval included those overwritten packets. Expired trace clips are shown in red under a job trace in the Files panel. A trace clip that must be kept can be sent to a file (right click on the trace clip and select “Send to > File”) or locked (right click on the trace clip and select “Lock”). Lock is best used to retain a trace clip for a short period of time, as it decreases the storage available for the capture job.
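To make the expiry behaviour in this note concrete, here is an added toy model in Python. It is not Riverbed's implementation (the guide does not describe the packet store's internals); it assumes a single ring of packets bounded by a Max Retention Size, with Send to > File modelled as copying a clip's packets out of the ring and Lock modelled as exempting a clip's packets from overwriting. Packet sizes, timestamps and clip names are constructed.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass
class TraceClip:
    """A user-defined time interval [start, end] within a job trace."""
    name: str
    start: float
    end: float
    locked: bool = False   # Lock: keep these packets at the cost of job storage
    expired: bool = False  # set once any packet inside the interval is overwritten

    def covers(self, ts: float) -> bool:
        return self.start <= ts <= self.end


class JobTraceStore:
    """Toy model (assumption, not the product's design) of a job trace's packet
    store with a Max Retention Size.

    Packets are kept oldest-first. Once the total exceeds the retention limit,
    the oldest unlocked packets are overwritten, and any unlocked clip whose
    interval contained an overwritten packet expires (the red clips in the Files
    panel). Packets covered by a locked clip are never overwritten, which is why
    locking shrinks the space left for new packets.
    """

    def __init__(self, max_retention_bytes: int) -> None:
        self.max_bytes = max_retention_bytes
        self.packets: deque[tuple[float, int]] = deque()  # (timestamp, size), oldest first
        self.total_bytes = 0
        self.clips: list[TraceClip] = []

    def add_clip(self, name: str, start: float, end: float, locked: bool = False) -> TraceClip:
        clip = TraceClip(name, start, end, locked)
        self.clips.append(clip)
        return clip

    def _locked(self, ts: float) -> bool:
        return any(c.locked and c.covers(ts) for c in self.clips)

    def record(self, ts: float, size: int) -> list[str]:
        """Append one captured packet; return names of clips that expired as a result."""
        self.packets.append((ts, size))
        self.total_bytes += size
        newly_expired: list[str] = []
        survivors: deque[tuple[float, int]] = deque()  # locked packets skipped over, still oldest-first
        while self.total_bytes > self.max_bytes and self.packets:
            old_ts, old_size = self.packets.popleft()
            if self._locked(old_ts):
                survivors.append((old_ts, old_size))
                continue
            self.total_bytes -= old_size  # this packet is overwritten
            for clip in self.clips:
                if not clip.locked and not clip.expired and clip.covers(old_ts):
                    clip.expired = True
                    newly_expired.append(clip.name)
        self.packets = survivors + self.packets
        return newly_expired

    def timestamps(self) -> list[float]:
        return [ts for ts, _ in self.packets]

    def export_clip(self, name: str) -> list[tuple[float, int]]:
        """'Send to > File': copy the packets a still-valid clip covers out of the ring."""
        clip = next(c for c in self.clips if c.name == name)
        if clip.expired:
            raise ValueError(f"trace clip {name!r} has expired; its packets are gone")
        return [(ts, size) for ts, size in self.packets if clip.covers(ts)]


if __name__ == "__main__":
    store = JobTraceStore(max_retention_bytes=1000)       # constructed: ten 100-byte packets fit
    store.add_clip("MondayClip", start=0, end=3)         # unlocked, will expire
    store.add_clip("Keep", start=5, end=6, locked=True)  # locked, survives
    for ts in range(16):
        expired = store.record(ts, 100)
        if expired:
            print(f"packet {ts} overwrote the oldest data; expired clips: {expired}")
    print("retained timestamps:", store.timestamps())
    print("exported Keep:", store.export_clip("Keep"))
```

Running the scenario shows the clip over the oldest packets expiring as soon as the store wraps, while the locked clip's two packets stay in place and the store simply retains fewer recent packets to make room for them.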

Creating a Trace Clip

A trace clip defines a subset of a job trace that makes it easier to isolate data of interest within it. Trace clips can be created using any of these methods:

• Using the time controls in the Trace Clip dialog (this is separate from the Time Control Ribbon)

• Dragging a time interval from a strip chart in a view and dropping it on a job trace

• Dragging an alert from the Alerts panel and dropping it on a job trace

Trace clips are listed in the Files panel, under the corresponding job trace in the Jobs Repository folder. Each trace clip is represented by one of these icons:

Trace Clip – Trace clip with packets and no Microflow Indexing data

Trace Clip with Index – Trace clip with packets and Microflow Indexing data available throughout the time interval

Trace Clip with Microflow – Trace clip with packets for some or none of the interval, and Microflow Indexing data throughout the interval


Figure 7-3 shows a Trace clip named MondayClip for which there is no Microflow Indexing data available. Figure 7-4 shows two trace clips that have associated Microflow Indexing data.

Figure 7-3. Trace Clip With No Microflow Indexing

Figure 7-4. Trace Clips with Microflow Indexes


Trace Clip Dialog Controls Clicking Add Trace Clip displays the Trace Clip dialog (Figure 7-5). The Trace Clip dialog provides controls that enable you to define a trace clip as a very specific subset of the data contained in the original job trace. Most of the Trace Clip dialog controls enable you to isolate a specific time interval within the job trace, but there are filter controls present, also, enabling you to isolate packets that match specific criteria. The most prominent components of the Trace Clip dialog are the two time scroll bars. The top time scroll bar defaults to showing the complete span of time encompassed by the job trace. The bottom time scroll bar enables you to examine in detail the selected portion of the complete time span. The other time-related controls in the dialog assist you in selecting the portion of the job trace that you want to use for the trace clip.

Figure 7-5. Trace Clip dialog

The Trace Clip dialog provides these controls:

• Description – Type explanatory text that will appear with the trace clip’s information in the Jobs Repository.

• Quick Navigation controls – Begin, Step Back, Step Forward, End. These controls enable you to position the selection box along the time scroll.

• Selection Duration controls – Select a time increment to use with the Step Back and Step Forward controls. For example, selecting 30 seconds will cause the selection box to advance by 30 seconds when you click Step Forward.

• Zoom In, Zoom Out – Change the portion of the job trace that is displayed in the time scroll section.

• Copy, Paste – Use these when creating trace clips for the same time interval from multiple job traces captured over the same time period. Select the time interval in the Trace Clip dialog for the first trace clip. Before pressing OK, press Copy to place the selected time interval on the clipboard. Go to the next job trace and right click on it, then select Paste from the context menu to create a trace file for the same time interval used in the first job trace.

• Time Scroll Bars – These provide a visual guide for selecting a time interval within the original job trace. A selection box shows the portion of the job trace that will be included in the trace clip.

• Timing Details controls – Specify the start time of the trace clip, along with an end time or a duration. These parameters determine the size of the selection box in the time scroll bar.

• Filter Details controls – These enable you to apply filters to the trace clip. Refer to the Filters chapter for detailed instructions for using filters. A filter applied to a trace clip is listed under the trace clip name in the Files panel.

Using Time Controls to Create a Trace Clip

To create a trace clip using the Trace Clip dialog:

1. Select a job trace in the Jobs Repository.

2. Click the + icon on the job trace or right-click on the job trace and choose Add Trace Clip from the context menu. The Trace Clip dialog appears.

3. Specify the time period of the job trace that you want the trace clip to encompass. Optionally, apply a filter to specify criteria for which packets you want the trace clip to include.

Specifying a Time Interval There are multiple ways to use the Trace Clip dialog to specify the time interval for a trace clip. For network issues recognized at a particular onset time, a simple approach is to specify the From time in the Timing Details section (Figure 7-6), then specify either the To time or the For duration.

Figure 7-6. Timing Details controls

The time scroll bars enable you to examine the job trace for the types of data you want to include in the trace clip. You can look for time intervals that contain packets only, or Microflow Index data only, or both.


Another set of options for selecting a time interval involves using the multi-level zoom scroll bars in the middle of the Trace Clip dialog (Figure 7-7). This has the advantage of making it clear whether the selected time interval contains packets and/or Microflow Indexing data.

Figure 7-7. Time Scroll Bars

When the Trace Clip dialog is first opened, the upper bar is a graphical representation of the duration of the entire job trace, and the lower Time Scroll Bar enables zooming in and out over the duration. In cases where the job trace contains both packets and Microflow Indexing data, the duration of the upper bar represents the maximum of the packet capture duration and the duration of the index data. A trace clip time interval can be selected by moving the triangular markers on top of the upper bar or by resizing the blue rectangle in the bar, representing the selected time interval. The Quick Navigation and Selection Duration controls at the top of the dialog (Figure 7-8) can be used to assist in specifying the time interval.

Figure 7-8. Quick Navigation and Selection Duration controls

Applying a Filter to a Trace Clip A trace clip can contain filtered packets within its specified time interval. Figure 7-9 shows the Filter Details section of the Trace Clip dialog. Click the funnel button to display the Filter Editor for selecting a filter. It is important to select a filter that is compatible with the Microflow Indexing data of the selected time interval, discussed above.

Figure 7-9. Filter Details controls


Figure 7-10 shows the Filter Editor. Note that nearly all of the filters in the default set are Microflow Indexing-compatible SteelFilters.

Figure 7-10. Filter Editor

The trace clip appears in the Files panel with the filters used appearing under the trace clip’s name (Figure 7-11).

Figure 7-11. Filtered Trace Clip in the Jobs Repository

To apply a filter when creating a trace clip:

1. Click on the funnel in the “Filters Details” section to open the Filters Editor.

2. Select an existing filter, modify an existing filter, or right click in the Filter Editor and select “New Filter” to create a filter that meets your requirements.

3. Click OK when your filter is defined. The Filter Editor closes.

4. Click OK in the Trace Clip dialog to create the filtered trace clip.

Note: When sending a trace clip to a file for saving, be sure to add filter information to the file name for reference.


Dragging a Time Interval From A Strip Chart to Create a Trace Clip

A different method for creating a trace clip easily is to select a time interval in a strip chart and drag it onto a job trace. The result is similar to specifying start and end times in the Trace Clip dialog.

To create a trace clip by dragging a time interval from a strip chart:

1. Highlight a time interval in a strip chart (Figure 7-12).

Figure 7-12. User-Selected Interval In a Strip Chart

2. Drag the highlighted interval to the Files tab and drop it on a job trace. A new trace clip is created, comprising the dragged time interval (Figure 7-13).

Figure 7-13. User-Selected Interval Dragged To Create a Trace Clip

Dragging a Violation From The Violations Panel To Create a Trace Clip

It is important to be able to isolate network traffic associated with a violation (alert) for troubleshooting and diagnostics. This can be accomplished easily by dragging the violation in question onto the job trace. A trace clip is created automatically that contains traffic occurring before and after the alert.

To create a trace clip by dragging a violation from the Violations panel:


1. Select a violation in the Violations panel (Figure 7-14).

Figure 7-14. Selecting a Violation to Define a Trace Clip


2. Drag the highlighted violation to the Files tab and drop it on a job trace. A new trace clip is created, comprising the dragged violation and an interval of time before it and after it (Figure 7-15).

Figure 7-15. Violation Dragged Onto a Job Trace

3. Investigate the alert by selecting a time period of interest and drilling down.


Exporting a Trace Clip

You can send a trace file out from Packet Analyzer Plus to a PCAP file, or directly to Wireshark or SteelCentral Transaction Analyzer. The packet format and timestamp precision used when exporting trace clips are configured in the Settings dialog. (Choose Menu > Settings in the Ribbon bar).

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

Right-click on the trace clip in the Jobs Repository and choose Send To from the context menu. Choose one of the following options:

• Wireshark – This launches a Wireshark session and loads the trace clip (if you have Wireshark installed).

• Wireshark With Filter – Apply an existing filter to the trace clip before exporting it to Wireshark.

• SteelCentral Transaction Analyzer – This launches a Transaction Analyzer session and loads the trace clip (if you have Transaction Analyzer installed). A series of dialogs will appear, showing the progress of Transaction Analyzer launching, including authentication.

• SteelCentral Transaction Analyzer With Filter – Apply an existing filter to the trace clip before exporting it to Transaction Analyzer.

• File – This writes the trace clip to a PCAP file. The exported file is written to My Files on the AppResponse system.

• File With Filter – Apply an existing filter to the trace clip before writing it to a PCAP file.

Multi-Segment Analysis (MSA) Multi-segment analysis (MSA) allows you to combine traffic data captured over the same time period from different locations on the network so you can view and analyze the traffic flows.

Figure 7-16. Typical network path using multiple segments between hosts


Figure 7-17. Typical multi-segment sequence diagram showing traffic flows through capture points between hosts

General Approach

Review Timestamp Settings At The Packet Source

Accurate timestamps at the packet source and capture points are critical when performing multi-segment analysis. Inaccurate timestamps are very difficult to adjust automatically or manually, and frequently result in a failed MSA view. Observe the following practices to minimize timestamp issues when performing MSA analysis:

• If possible, use hardware taps to provide timestamps. Such devices can coordinate timestamps across network locations and help ensure accurate timestamps.

• Use NTP or other highly-accurate time references. Be sure that all capture devices reference the same time source.

• When using a hardware tap, make sure that your AppResponse 11 system specifies the correct tap type when configuring the capture interface.

If your multi-segment source name indicates a problem “Some invalid timestamps found”, follow the steps under “Adjust Time Skews (If Necessary)” to correct the problem. If your attempt to correct the problem fails, you need to check your timestamps and create new capture files.


Assemble The Data

Put all your source data in one place. Packet Analyzer Plus requires that all of the source capture files or trace clips that you use be in one location—either on a single AppResponse 11 system or on the computer that runs Packet Analyzer Plus. All the data processing for multi-segment analysis occurs locally on the AppResponse 11 or Packet Analyzer Plus local system where the data sources are stored. If that processing takes place on an AppResponse 11 system, only the results are sent across the network for Packet Analyzer Plus to display.

Use small source files. If your capture files are large and you know that the time interval of interest is small, use trace clips that cover that interval. When sending files across the network to a central location, smaller files use less network bandwidth. You may be able to use high-level views, even if not multi-segment views (such as network usage by traffic type) to narrow down the interval of interest. Then you can drill down with multi-segment views.

Make A Multi-Segment Source

1. In the Files section of the Sources panel, select two or more sources that you will combine into a multi-segment source. (Use a click and multiple control-clicks, or a click and a shift-click.)

2. Right-click one of the sources to bring up a context menu. Click Create Multi-Segment Source.

Packet Analyzer Plus builds a multi-segment source and lists it in the Files panel. One of the segments is designated as the primary segment and shown in bold type. The primary segment is generally used when a single-segment view is applied to the multi-segment source.


Adjust Time Skews (If Necessary) Packet Analyzer Plus automatically adjusts the time skews between capture points, so in most cases you won’t need to do anything. If the adjustment succeeds, the Files panel shows the multi-segment source with a green check-mark icon.

If the adjustment fails, the check-mark icon is yellow and has a brief explanation of why it failed.

… You can run the time skew adjustment by right-clicking the multi-segment file and selecting Estimate Time Skews from the context menu that appears. The initial time skew estimate made when the multi-segment file is first created samples 1000 packets. When you right-click and select Estimate Time Skews, the computation uses all the packets in the sample. This should be somewhat more accurate, though it may take more time to compute. You can enter your own time skew values by right-clicking the multi-segment file and selecting Properties. The individual source files are listed, and each one has a time skew value that you can adjust manually.


You may find it difficult to arrive at time skew values that improve on the automatic adjustments made by Packet Analyzer Plus. As an alternative, make sure that the timing values that go into your source data are as accurate as they can be:

• The AppResponse 11 software supports taps that can add more accurate timestamps to packets. Hardware tap vendors can also ensure that captures taken at different locations can be coordinated by GPS or CDMA signals. Make sure that you specify the correct tap type when configuring the NIC interfaces on your AppResponse 11 system.

• Use NTP or better time sources as your time reference, and make sure that all of your capture devices are referenced to the same source. When timestamping is perfectly synchronized among AppResponse 11 systems capturing trace files for multi-segment analysis, you should expect the time skew to equal 0.
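The guide does not say how Packet Analyzer Plus computes its time skew estimate, so the following added Python example (not the product's code) illustrates one standard approach, stated here as an assumption: match the same packet as seen at two capture points, then, assuming the path delay is symmetric, take the median of the timestamp differences in each direction, so that clock skew and one-way delay separate cleanly and a single queued packet does not distort the estimate. It also exposes the sample-size knob that corresponds to the 1000-packet initial estimate, reproduces the zero-skew result expected when clocks are synchronized, and computes the capture-point-to-capture-point delay of a single message once skew is removed, which is the quantity ruler mode displays. The host addresses, ip_id values and timings are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Observation:
    """One packet as seen at a capture point, stamped by that point's own clock."""
    src: str
    dst: str
    ip_id: int   # constructed identity; a real matcher would hash more header fields
    ts: float    # seconds on the capture point's local clock


def match(cap_a: list[Observation], cap_b: list[Observation]) -> list[tuple[Observation, Observation]]:
    """Pair up the same packet observed at capture point A and capture point B."""
    index = {(o.src, o.dst, o.ip_id): o for o in cap_a}
    pairs = []
    for o in cap_b:
        peer = index.get((o.src, o.dst, o.ip_id))
        if peer is not None:
            pairs.append((peer, o))
    return pairs


def estimate_skew(cap_a: list[Observation], cap_b: list[Observation],
                  hosts_near_a: set[str], sample: int | None = None) -> tuple[float, float]:
    """Return (skew of B's clock relative to A, one-way delay between the points).

    Assumes symmetric delay: for A->B traffic, ts_b - ts_a = skew + delay; for
    B->A traffic, ts_b - ts_a = skew - delay. Medians make the estimate robust
    to a few delayed packets. `sample` limits the pairs used, like the initial
    1000-packet estimate the guide mentions.
    """
    pairs = match(cap_a, cap_b)
    if sample is not None:
        pairs = pairs[:sample]
    fwd = [b.ts - a.ts for a, b in pairs if a.src in hosts_near_a]  # A side -> B side
    rev = [b.ts - a.ts for a, b in pairs if a.dst in hosts_near_a]  # B side -> A side
    if not fwd or not rev:
        raise ValueError("skew estimation needs matched packets in both directions")
    mf, mr = median(fwd), median(rev)
    return (mf + mr) / 2, (mf - mr) / 2


def message_delay(a: Observation, b: Observation, skew_b: float) -> float:
    """Delay of one message between the two capture points after removing B's skew."""
    return abs((b.ts - skew_b) - a.ts)


def build_sample(skew_b: float = 0.5, delay: float = 0.002, n: int = 10) -> tuple[list[Observation], list[Observation]]:
    """Constructed captures: client 10.0.0.10 (near A) talks to server 10.0.1.20 (near B).

    B's clock runs skew_b seconds ahead of A's; each direction takes `delay`
    seconds between the capture points; one forward packet sits in a queue for
    an extra 0.3 s so that the median's robustness is visible.
    """
    cap_a: list[Observation] = []
    cap_b: list[Observation] = []
    for i in range(n):
        t = float(i)                               # true time the request passes A
        extra = 0.3 if i == 3 else 0.0
        cap_a.append(Observation("10.0.0.10", "10.0.1.20", 1000 + i, t))
        cap_b.append(Observation("10.0.0.10", "10.0.1.20", 1000 + i, t + delay + extra + skew_b))
        t_reply = t + 0.5                          # true time the reply passes B
        cap_b.append(Observation("10.0.1.20", "10.0.0.10", 2000 + i, t_reply + skew_b))
        cap_a.append(Observation("10.0.1.20", "10.0.0.10", 2000 + i, t_reply + delay))
    return cap_a, cap_b


if __name__ == "__main__":
    cap_a, cap_b = build_sample()
    skew, delay = estimate_skew(cap_a, cap_b, {"10.0.0.10"})
    print(f"estimated skew {skew:.6f} s, one-way delay {delay:.6f} s")
    a, b = match(cap_a, cap_b)[6]   # the queued request
    print(f"delay of the queued message: {message_delay(a, b, skew):.6f} s")
```

If captures are taken with one direction of traffic only, the skew and the delay cannot be told apart with this method, which is why the function refuses rather than guessing; in that situation the manual time skew values under Properties, or better synchronized sources as the list above recommends, are the remaining options.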

Apply Views There are several views designed specifically for multi-segment analysis. You can find them easily by using the Search box (at the top of the Views panel) to search for “segment” or “MSA”.


Once you have applied a view you can select an area of interest and drill down (apply additional views). But note that:

• You can’t apply a multi-segment view to a normal (single-segment) trace file.

• If you apply a single-segment view to a multi-segment file, the view uses one trace. But if you drill down further with a multi-segment view, it uses all of the traces of the multi-segment file.

• When you can see all capture points in a multi-segment view, if you drill down further you can choose which capture points to include.

If you right-click a selection in a multi-segment view and choose “Send to Wireshark” from the context menu, a pop-up dialog lets you choose which capture points to use. For each capture point you choose, the packets in the selection are sent to a separate instance of Wireshark.

Note: Wireshark version 2.4.1 or later is required for use in conjunction with Packet Analyzer Plus.

If you right-click a selection in a multi-segment view and choose “Send to File” from the context menu, a pop-up dialog lets you choose which capture points to use as sources for the new multi-segment file that corresponds to the selection.


Navigating A Multi-Segment Sequence Diagram

There are several different ways to view the information in a sequence diagram. Choose the combination that works best for you.

Select And Zoom

• Click and drag in the view to select a time interval to examine more closely. Then double-click the selection to zoom in.

• To deselect, click anywhere inside the main window.

Use The Slider

• Drag the time slider up or down to move backward or forward in time.

• Drag the end of the slider in or out to zoom in or out.

• Double-click the middle of the slider to view the full time interval (unzoomed).

Use The Mouse Wheel Or The Up- And Down-Arrow Keys Click anywhere inside the main window. Then:


• Hold down the CTRL key and scroll—using the mouse wheel or the up- and down-arrow keys—to zoom in or out. Zooming is centered on the cursor. (That is, the area around the cursor stays in place while the rest of the window moves in or out.)

• Release the CTRL key and scroll to move forward or backward along the time line.

With a little practice, you will find that you can navigate the sequence diagram very quickly by scrolling and alternately holding or releasing the CTRL key.

View Delays And Round-Trip Times Click the Ruler Mode button to enter ruler mode. Then click a message line to see the delay for that message (the time it takes to go from the source node to the destination node). Note that the timing for capture points is precise, but that timing for end points is estimated.




Or click a start point and an end point to see the time difference between any two time points on the sequence diagram.

Square dots represent the source of a message. Triangular dots represent the destination of a message. Circular dots represent capture points along the path of a message through the network. Unselected points are open; when you click a point, it fills with the color of the message line.

Ruler mode also shows the time span covered by a selection.


Estimate Network Delays Click the Time Hints button to generate an estimate of network delays. The delays are inferred from the capture data and show up as sloped, rather than flat, timelines between the hosts and their nearest capture points.



Label Message Lines Click the Message Labels button to label the message lines with protocol information, byte counts, and so on.

Simplify A Sequence Diagram Sequence diagrams can get complicated. They are best used on small traces, or after drilling down from a larger data set. You may be able to simplify a sequence diagram if you know the TCP connections. For example, here is a somewhat complicated sequence diagram created by the MSA Sequence Diagram view.


If you know the TCP connection you want to see, you can apply the MSA Transaction Analysis by TCP Connection view to the same data. Choose the connection you want from the data grid…

…and a simplified sequence diagram, showing only that TCP connection, is displayed in the lower window.


You can then zoom in more easily and continue your analysis. If you are trying to track down a problem but don’t know the TCP connection, you can quickly select successive TCP connections from the data grid until a troublesome-looking one appears.

Then you can zoom in, drill down, and diagnose the problem.

A - SteelFilter Identifiers

This appendix lists and describes identifiers supported for use in SteelFilter expressions. The identifiers are listed alphabetically by context. Table 1: SteelFilter Identifiers

Table 1: SteelFilter Identifiers

Context | Identifier | Label | Type | Description
ARP | arp.class | Class Value | number | ARP packet class code
ARP | arp.hw.type | Hardware Type Value | number | Hardware type code (e.g. 1)
ARP | arp.is_arp | ARP Traffic Flag | boolean | Indication of whether the current packet contains ARP or Reverse ARP traffic
ARP | arp.is_gratuitous | Gratuitous ARP Flag | number | Indication of whether a particular ARP request is gratuitous (0 for non-gratuitous)
ARP | arp.protocol.type | Protocol Type Value | number | Protocol type code (e.g. 0x0800)
ARP | arp.type | Type Value | number | ARP packet type code
ARP | dst_arp.hw.address | Destination Hardware Address | ether | Hardware address of the destination host
ARP | dst_arp.hw.address.delivery_type | Destination Delivery Type Value | number | Delivery type used for the hardware layer transmission
ARP | dst_arp.hw.address.vendor | Destination Hardware Address | string | Hardware vendor (by lookup) for the corresponding address
ARP | src_arp.hw.address | Source Hardware Address | ether | Hardware address of the source host
ARP | src_arp.hw.address.delivery_type | Source Delivery Type Value | number | Delivery type used for the hardware layer transmission

ARP | src_arp.hw.address.vendor | Source Hardware Address | string | Hardware vendor (by lookup) for the corresponding address
ARP | sum_arp.packets | Total Packets Traffic | number | Packet count of ARP packets
ARP | sum_arp.packets_psg | Total Packet Throughput | number | Packet count of ARP packets
ARP | sum_arp.total_bytes | Total Traffic | number | Byte count of ARP packets
ARP | sum_arp.total_bytes_psg | Total Throughput | number | Byte count of ARP packets
CIFS | avg_cifs.data_transfer_time | Data Transfer Time | duration | Data transfer time of each packet in the message
CIFS | avg_cifs.duration | Transaction Time | duration | Duration of the message
CIFS | avg_cifs.srv_response_time | Server Response Time | duration | Service response time of the message
CIFS | cifs.cmd | Command | string | CIFS command associated with the message
CIFS | cifs.file_id | File ID | string | CIFS file id associated with the message
CIFS | cifs.file_path | File Path | string | CIFS file path corresponding to the message
CIFS | cifs.is_cifs | CIFS Traffic Flag | boolean | Indication of whether the current packet contains CIFS traffic
CIFS | cifs.oplock.status | Oplock Status Value | number | CIFS oplock status
CIFS | cifs.protocol | Protocol Number | number | CIFS protocol
CIFS | cifs.request_id | Request ID | number | CIFS message request id
CIFS | cifs.start_time | Start Time | timestamp | Start time of the CIFS request
CIFS | cifs.status.description | Status Description | string | CIFS status description code associated with the response
CIFS | cifs.status.severity | Status Severity Value | number | CIFS status severity, extracted from the leading (most significant) bits of the status code
CIFS | cifs.tree_id | Tree ID | string | CIFS tree id associated with the message
CIFS | cifs.tree_path | Tree Path | string | CIFS tree path corresponding to the message

CIFS | granted_cifs.oplock | Granted Oplock Value | number | CIFS oplock level - can be requested or granted
CIFS | max_cifs.data_transfer_time | Data Transfer Time (Max) | duration | Data transfer time of each packet in the message
CIFS | max_cifs.duration | Transaction Time (Max) | duration | Duration of the message
CIFS | max_cifs.srv_response_time | Server Response Time (Max) | duration | Service response time of the message
CIFS | min_cifs.data_transfer_time | Data Transfer Time (Min) | duration | Data transfer time of each packet in the message
CIFS | min_cifs.duration | Transaction Time (Min) | duration | Duration of the message
CIFS | min_cifs.srv_response_time | Server Response Time (Min) | duration | Service response time of the message
CIFS | requested_cifs.oplock | Requested Oplock Value | number | CIFS oplock level - can be requested or granted
CIFS | sum_cifs.errors | Error Message Count | number | Number of CIFS error messages
CIFS | sum_cifs.errors_psg | Error Message Rate | number | Number of CIFS error messages
CIFS | sum_cifs.requests | CIFS Requests | number | Number of CIFS request messages
CIFS | sum_cifs.requests_psg | CIFS Request Rate | number | Number of CIFS request messages
CIFS | sum_cifs.total_bytes | Total Traffic | number | Total bytes for each CIFS transaction (including both request and response)
CIFS | sum_cifs.total_bytes_psg | Total Throughput | number | Total bytes for each CIFS transaction (including both request and response)
CIFS | sum_cifs.total_packets | Total Packet Traffic | number | Total packets for each CIFS transaction (including both request and response)
CIFS | sum_cifs.total_packets_psg | Total Packet Throughput | number | Total packets for each CIFS transaction (including both request and response)

Citrix | avg_citrix.perceived_latency | Perceived Lag | duration | Citrix ICA perceived lag from the other machine
Citrix | citrix.encryption_type | Type Value | number | Citrix ICA encryption type (None
Citrix | citrix.is_citrix | Citrix Traffic Flag | boolean | Indication of whether the current packet contains Citrix traffic
Citrix | citrix.priority | Priority Value | number | Citrix ICA packet priority level description ('0 - High' - '1 - Medium' - '2 - Low' - '3 - Background')
Citrix | citrix.protocol | Protocol Number | number | Citrix protocol (ICA or CGP)
Citrix | citrix.virtual_channel_id | Virtual Channel Value | number | Citrix ICA virtual channel identifier
Citrix | citrix.virtual_channel_name | Virtual Channel | string | Citrix ICA virtual channel name (e.g. CTXWD - Configuration - CTXCTW - ...)
Citrix | max_citrix.perceived_latency | Perceived Lag (Max) | duration | Citrix ICA perceived lag from the other machine
Citrix | min_citrix.perceived_latency | Perceived Lag (Min) | duration | Citrix ICA perceived lag from the other machine
Citrix | sum_citrix.virtual_channel_bytes | Virtual Channel Traffic | number | Number of bytes for each Citrix ICA virtual channel
Citrix | sum_citrix.virtual_channel_bytes_psg | Virtual Channel Throughput | number | Number of bytes for each Citrix ICA virtual channel
Citrix | sum_citrix.virtual_channel_commands | Virtual Channel Count | number | Number of commands in each Citrix ICA virtual channel
Citrix | sum_citrix.virtual_channel_commands_psg | Virtual Channel Rate | number | Number of commands in each Citrix ICA virtual channel
DHCP | cli_dhcp.ip | Client IP Address | ipaddr | Client IP address
DHCP | cli_dhcp.mac | Client MAC Address | ether | Client MAC address
DHCP | dhcp.is_ack | DHCP ACK Flag | boolean | Indication of whether the current packet is a DHCP ACK
DHCP | dhcp.is_relayed | DHCP Relayed Flag | boolean | Indication of whether the DHCP traffic is relayed
DNS | avg_dns.response_time | Response Time | duration | Time that elapsed from when the request was issued to when the response was received

DNS | dns.is_authenticated_data | Authenticated Data Flag | boolean | Indication of whether the data in the response has been verified or otherwise meets the local security policy of the issuing server (the DNSSEC AD bit)
DNS | dns.is_authoritative | Authoritative Flag | boolean | Indication of whether the sending server is an authority for the domain name requested
DNS | dns.is_query | Query Flag | boolean | Indication of whether the packet is a query
DNS | dns.is_recursion_available | Recursion Available Flag | boolean | Indication of whether the sending server supports recursive queries
DNS | dns.is_recursion_requested | Recursion Desired Flag | boolean | Indication of whether the sending client requested recursion
DNS | dns.is_response | Response Flag | boolean | Indication of whether the packet is a response
DNS | dns.is_success | Status Code Success Flag | boolean | Indication of whether the return code for the DNS query/response is success
DNS | dns.is_truncated | Truncated Flag | boolean | Indication of whether the response was truncated (TC bit set), so that only the first 512 bytes of the response were returned
DNS | dns.opcode | Opcode Value | number | Type of DNS packet
DNS | dns.query.name | Query Name | string | Name of the DNS query
DNS | dns.query.type | Query Type Value | number | Type of the DNS query
DNS | dns.response_time_range | Response Time Range Value | number | Time range that elapsed from when the request was issued to when the response was received
DNS | dns.status_code | Status Code Value | number | Status code for the DNS query/response
DNS | dns.transaction_id | Transaction ID | number | The session identifier for this packet
DNS | max_dns.response_time | Response Time (Max) | duration | Time that elapsed from when the request was issued to when the response was received
DNS | min_dns.response_time | Response Time (Min) | duration | Time that elapsed from when the request was issued to when the response was received
DNS | sum_dns.query.count | Query Count | number | Number of queries
DNS | sum_dns.query.count_psg | Query Rate | number | Number of queries

DNS | sum_dns.response.additional_rrs | Additional RRs | number | Number of additional Resource Records (RRs)
DNS | sum_dns.response.additional_rrs_psg | Additional RRs Rate | number | Number of additional Resource Records (RRs)
DNS | sum_dns.response.answer_rrs | Answer RRs | number | Number of answer Resource Records (RRs)
DNS | sum_dns.response.answer_rrs_psg | Answer RRs Rate | number | Number of answer Resource Records (RRs)
DNS | sum_dns.response.authority_rrs | Authority RRs | number | Number of authority Resource Records (RRs)
DNS | sum_dns.response.authority_rrs_psg | Authority RRs Rate | number | Number of authority Resource Records (RRs)
Fabricpath | fabricpath.is_fabricpath | Fabric Path Traffic Flag | boolean | Indication of whether the packet contains a Fabric Path header
FIX | avg_fix.price | Price | number | Price per unit of quantity (e.g. per share)
FIX | avg_fix.quantity | Avg Quantity | number | Quantity requested for a NewOrder message, or quantity (e.g. shares) bought/sold on this (last) fill for an execution report
FIX | avg_fix.srv_response_time | Server Response Time | duration | Delay between the order placement and the execution report
FIX | fix.alloc_account | Allocation Account | string | Sub-account mnemonic
FIX | fix.alloc_status | Allocation Status Value | number | Identifies status of allocation (e.g. 'received'
FIX | fix.alloc_type | Allocation Type Value | number | Allocation type or purpose of an allocation message (e.g. 'Accept'
FIX | fix.cl_ord_id | Client Order ID | string | Order ID generated locally by the client
FIX | fix.error_type | Error Type Value | number | Type of the FIX error
FIX | fix.exec_id | Exec ID | string | Unique identifier of execution message as assigned by sell-side
FIX | fix.exec_type | Execution Type Value | string | Describes the specific Execution Report (e.g. '4 - Canceled')
FIX | fix.is_fix | FIX Traffic Flag | boolean | Indication of whether the current packet contains FIX traffic
FIX | fix.message_category | Message Category Value | number | FIX message category (e.g. ProgramTrading)

FIX | fix.message_seq_num | Sequence Number | number | Message sequence number
FIX | fix.message_start_time | Message Start Time | timestamp | FIX message start time
FIX | fix.message_type | Message Type Value | string | FIX message type (e.g. NewOrderList)
FIX | fix.ord_status | Order Status Code Value | string | Order status description returned both for the request and the response messages (e.g. Request
FIX | fix.ord_type | Order Type Code Value | string | 
FIX | fix.order_id | Order ID | string | Order ID
FIX | fix.sender_compid | Sender Firm ID | string | Sender Firm ID
FIX | fix.sender_locationid | Sender Location ID | string | Sender Location ID
FIX | fix.sender_subid | Specific Sender ID | string | Specific Sender ID
FIX | fix.sending_time | Sending Time | timestamp | Time of message transmission
FIX | fix.side | Side Code Value | string | Side code of order (e.g. '2 - Sell')
FIX | fix.symbol | Ticker Symbol | string | Common 'human understood' representation of the security
FIX | fix.target_compid | Target Firm ID | string | Target Firm ID
FIX | fix.target_locationid | Target Location ID | string | Target Location ID
FIX | fix.target_subid | Target Specific ID | string | Target Specific ID
FIX | fix.version | Version | string | FIX version string (e.g. FIX.4.2 - FIXT.1.1)
FIX | max_fix.price | Price (Max) | number | Price per unit of quantity (e.g. per share)
FIX | max_fix.quantity | Quantity (Max) | number | Quantity requested for a NewOrder message, or quantity (e.g. shares) bought/sold on this (last) fill for an execution report
FIX | max_fix.srv_response_time | Server Response Time (Max) | duration | Delay between the order placement and the execution report
FIX | min_fix.price | Price (Min) | number | Price per unit of quantity (e.g. per share)

FIX | min_fix.quantity | Quantity (Min) | number | Quantity requested for a NewOrder message, or quantity (e.g. shares) bought/sold on this (last) fill for an execution report
FIX | min_fix.srv_response_time | Server Response Time (Min) | duration | Delay between the order placement and the execution report
FIX | sum_fix.errors | Error Count | number | Number of FIX errors
FIX | sum_fix.errors_psg | Error Rate | number | Number of FIX errors
FIX | sum_fix.message_bytes | Total Traffic | number | Number of bytes used by the current message
FIX | sum_fix.message_bytes_psg | Total Throughput | number | Number of bytes used by the current message
FIX | sum_fix.messages | FIX Message Count | number | Number of FIX messages
FIX | sum_fix.messages_psg | FIX Message Rate | number | Number of FIX messages
FIX | sum_fix.order_qty | Order Quantity | number | Order quantity
FIX | sum_fix.order_qty_psg | Order Quantity Rate | number | Order quantity
FIX | sum_fix.packets | Total Packet Traffic | number | Number of packets carrying FIX traffic
FIX | sum_fix.packets_psg | Total Packet Throughput | number | Number of packets carrying FIX traffic
FIX | sum_fix.quantity | Quantity | number | Quantity requested for a NewOrder message, or quantity (e.g. shares) bought/sold on this (last) fill for an execution report
FIX | sum_fix.seq_num_errors | Sequence Number Error Count | number | Number of messages with a sequence number that is lower than expected
FIX | sum_fix.seq_num_errors_psg | Sequence Number Error Rate | number | Number of messages with a sequence number that is lower than expected
FIX | sum_fix.seq_num_gaps | Sequence Number Gap Count | number | Number of messages with a sequence number that is higher than expected
FIX | sum_fix.seq_num_gaps_psg | Sequence Number Gap Rate | number | Number of messages with a sequence number that is higher than expected
FIX | sum_fix.seq_num_resets | Sequence Number Resets | number | Number of sequence reset messages

FIX | sum_fix.seq_num_resets_psg | Sequence Number Reset Rate | number | Number of sequence reset messages
FIX | sum_fix.unfulfilled_orders | Unfulfilled Order Count | number | Number of unfulfilled orders
FIX | sum_fix.unfulfilled_orders_psg | Unfulfilled Order Rate | number | Number of unfulfilled orders
Frame | avg_frame.total_bytes | Frame | number | Total packet length
Frame | frame.is_valid | Valid Frame Flag | boolean | Indication of whether the frame is valid
Frame | frame.pkt_num | Absolute Packet Number | number | Absolute packet number, including packets dropped by filters but not those dropped by BPF filters
Frame | frame.relative_time | Time From First Packet | duration | Time differential from the first packet in the capture
Frame | frame.size_range | Packet Length Range Value | number | Packet length range
Frame | frame.timestamp | Timestamp | timestamp | Timestamp of the packet
Frame | max_frame.timestamp | Timestamp (Max) | timestamp | Timestamp of the packet
Frame | max_frame.total_bytes | Frame (Max) | number | Total packet length
Frame | min_frame.timestamp | Timestamp (Min) | timestamp | Timestamp of the packet
Frame | min_frame.total_bytes | Frame (Min) | number | Total packet length
Frame | sum_frame.fcs_errors | FCS Error Count | number | Number of invalid frames
Frame | sum_frame.fcs_errors_psg | FCS Error Rate | number | Number of invalid frames
GTP | gtp.is_gtp | GTP Traffic Flag | boolean | Indication of whether the packet contains GTP traffic
GTP | gtp.msg_type | Message Type Value | number | Message type in the GTP header
GTP | gtp.seq_num | Sequence Number | number | Sequence number in the GTP header

GTP | gtp.teid | TEID | number | Tunnel Endpoint ID (TEID) in the GTP header
Host Group | cli_host_group.id | TCP Client Group ID | number | Host group ID
Host Group | host_group.id | Host Group ID | number | Host group ID
Host Group | srv_host_group.id | TCP Server Group ID | number | Host group ID
ICMP | avg_icmp.echo.response_time | Response Time | duration | Time that elapsed from when the request was issued to when the response was received
ICMP | icmp.checksum | Checksum | number | Checksum of the ICMP header and payload
ICMP | icmp.code | Code | number | Control message code of the ICMP message
ICMP | icmp.control_message_description | Control Message Description | string | Description of the type + code of the ICMP message (e.g. Source Route Failed)
ICMP | icmp.destination_unreachable.code | Destination Unreachable Code Value | number | Destination unreachable code of the error
ICMP | icmp.destination_unreachable.next_mtu | Next-Hop MTU | number | Next-hop MTU
ICMP | icmp.echo.response_time_range | Response Time Range Value | number | Time category that elapsed from when the request was issued to when the response was received
ICMP | icmp.time_exceeded.code | Time Exceeded Code Value | number | Time exceeded code of the error
ICMP | icmp.type | Type Value | number | Type of ICMP message
ICMP | max_icmp.echo.response_time | Response Time (Max) | duration | Time that elapsed from when the request was issued to when the response was received
ICMP | min_icmp.echo.response_time | Response Time (Min) | duration | Time that elapsed from when the request was issued to when the response was received
ICMP | reply_icmp.echo.identifier | Echo Reply Identifier | number | Echo request/reply identifier
ICMP | reply_icmp.echo.seq_num | Echo Reply Sequence Number | number | Echo request/reply sequence number

ICMP | request_icmp.echo.identifier | Echo Request Identifier | number | Echo request/reply identifier
ICMP | request_icmp.echo.seq_num | Echo Request Sequence Number | number | Echo request/reply sequence number
IP | avg_ip.header_length | Header Length | number | Length of the header in 32 bit words
IP | avg_ip.ttl | Time To Live | number | Maximum time in seconds that a datagram is allowed to survive (in practice a hop count, decremented by each router)
IP | avg_ip.unique_flows | Avg Flow Count | number | Number of unique flows
IP | dst_ip.a_net | Destination A Subnet | ipaddr | Class A (/8) subnet of the destination address
IP | dst_ip.addr | Destination IP Address | ipaddr | Destination IP address
IP | dst_ip.b_net | Destination B Subnet | ipaddr | Class B (/16) subnet of the destination address
IP | dst_ip.c_net | Destination C Subnet | ipaddr | Class C (/24) subnet of the destination address
IP | dst_ip.geoip.country | Destination Country | string | Destination country based on a GeoIP lookup
IP | dst_ip.is_private | Private Destination IP Flag | boolean | Indication of whether the destination IP address is private
IP | ip.a_net | Class A Subnet | ipaddr | IP Class A (/8) source or destination subnet
IP | ip.addr | IP Address | ipaddr | Source or destination IP address
IP | ip.b_net | Class B Subnet | ipaddr | IP Class B (/16) source or destination subnet
IP | ip.c_net | Class C Subnet | ipaddr | IP Class C (/24) source or destination subnet
IP | ip.checksum | Checksum | number | Checksum of just the IP header itself
IP | ip.delivery_type | Delivery Type Value | number | Delivery type for the destination
IP | ip.dscp | DSCP Value | number | Differentiated services code point
IP | ip.flags.dont_fragment | DF Flag | boolean | Indication of whether the IP Don't Fragment flag is set
IP | ip.flags.more_fragment | MF Flag | boolean | Indication of whether the IP More Fragments flag is set

IP | ip.frag_offset | Fragment Offset | number | Position of the fragment in the total datagram, measured in 64 bit (8 byte) units
IP | ip.geoip.country | Country | string | Source or destination country based on a GeoIP lookup
IP | ip.id | Internal IP Address ID | number | Unique identifier for this datagram
IP | ip.is_checksum_valid | Valid Checksum Flag | boolean | Indication of whether the header checksum is valid
IP | ip.is_fragmented | Fragmented Flag | boolean | Indication of whether the packet is a fragment
IP | ip.protocol.type | IP Protocol Number | number | IP protocol type
IP | ip.ttl | Time To Live | number | Maximum time in seconds that a datagram is allowed to survive (in practice a hop count, decremented by each router)
IP | ip.version | IP Version | number | Version number of the IP header
IP | lower_ip.addr | Address B | ipaddr | The lower of the two IP addresses in the conversation (Address B)
IP | max_ip.header_length | Header Length (Max) | number | Length of the header in 32 bit words
IP | max_ip.ttl | Time To Live (Max) | number | Maximum time in seconds that a datagram is allowed to survive
IP | min_ip.header_length | Header Length (Min) | number | Length of the header in 32 bit words
IP | min_ip.ttl | Time To Live (Min) | number | Maximum time in seconds that a datagram is allowed to survive
IP | src_ip.a_net | Source A Subnet | ipaddr | Class A (/8) subnet of the source address
IP | src_ip.addr | Source IP Address | ipaddr | Source IP address
IP | src_ip.b_net | Source B Subnet | ipaddr | Class B (/16) subnet of the source address
IP | src_ip.c_net | Source C Subnet | ipaddr | Class C (/24) subnet of the source address
IP | src_ip.geoip.country | Source Country | string | Source country based on a GeoIP lookup
IP | src_ip.is_private | Private Source IP Flag | boolean | Indication of whether the source IP address is private

IP | sum_ip.active_hosts | Active Hosts | number | Number of active IPs
IP | sum_ip.active_hosts_psg | Active Hosts Rate | number | Number of active IPs
IP | sum_ip.lower_to_upper_total_bytes | Total Traffic (B->A) | number | Number of bytes from the lower to the upper address
IP | sum_ip.lower_to_upper_total_bytes_psg | Lower to Upper Throughput | number | Number of bytes from the lower to the upper address
IP | sum_ip.lower_to_upper_total_packets | Packet Traffic (B->A) | number | Number of packets from the lower to the upper address
IP | sum_ip.lower_to_upper_total_packets_psg | Lower to Upper Packet Throughput | number | Number of packets from the lower to the upper address
IP | sum_ip.total_bytes | Total Traffic | number | Byte count of IP packets
IP | sum_ip.total_bytes_psg | Total Throughput | number | Byte count of IP packets
IP | sum_ip.total_packets | Total Packet Traffic | number | Number of IP packets
IP | sum_ip.total_packets_psg | Total Packet Throughput | number | Number of IP packets
IP | sum_ip.upper_to_lower_total_bytes | Total Traffic (A->B) | number | Number of bytes from the upper to the lower address
IP | sum_ip.upper_to_lower_total_bytes_psg | Upper to Lower Total Throughput | number | Number of bytes from the upper to the lower address
IP | sum_ip.upper_to_lower_total_packets | Packet Traffic (A->B) | number | Number of packets from the upper to the lower address
IP | sum_ip.upper_to_lower_total_packets_psg | Upper to Lower Total Packet Throughput | number | Number of packets from the upper to the lower address
IP | upper_ip.addr | Address A | ipaddr | The upper of the two IP addresses in the conversation (Address A)
LLDP | lldp.capabilities | System Capabilities | string | Various roles the device is capable of playing

LLDP | lldp.mac_phy | MAC/PHY Configuration | string | MAC/PHY configuration
LLDP | lldp.mgmt_addr | Management Address | string | Management address used to manage the device
LLDP | lldp.port_desc | Port Description | string | Port description
LLDP | lldp.port_id | Port ID | string | Port name of the LLDP interface
LLDP | lldp.port_proto_vlan_id | Port Protocol VLAN ID | string | VLAN port and protocol ID
LLDP | lldp.port_vlan_id | Port VLAN ID | string | VLAN ID assigned to the port
LLDP | lldp.sys_desc | System Description | string | System make, model, version
LLDP | lldp.sys_name | System Name | string | Name used to perform DNS lookup
LLDP | lldp.vlan_name | VLAN Name | string | VLAN name
MAC | dst_mac.address | Destination MAC Address | ether | Destination MAC address
MAC | dst_mac.delivery_type | Destination Delivery Type Value | number | Type of delivery used for the MAC layer transmission
MAC | dst_mac.vendor | Destination Vendor | string | Destination vendor name
MAC | dst_mac.vendor_with_mac | Destination MAC Vendor | string | Destination vendor name with the last 3 bytes of the MAC address
MAC | mac.address | MAC Address | ether | Source or destination MAC address
MAC | mac.protocol.type | Protocol Type Value | number | Description of the protocol type
MAC | mac.vendor | Vendor | string | Source or destination vendor name
MAC | mac.vendor_with_mac | MAC Vendor | string | Source or destination vendor name with the last 3 bytes of the MAC address
MAC | src_mac.address | Source MAC Address | ether | Source MAC address
MAC | src_mac.delivery_type | Source Delivery Type Value | number | Type of delivery used for the MAC layer transmission
MAC | src_mac.vendor | Source Vendor | string | Source vendor name

MAC | src_mac.vendor_with_mac | Source MAC Vendor | string | Source vendor name with the last 3 bytes of the MAC address
Market Data | avg_market_data.gap.size | Gap Size | number | The number of messages missing in this gap
Market Data | market_data.gap.end_seq_num | Gap End Sequence Number | number | The last missing sequence number for a gap in market data
Market Data | market_data.gap.end_seq_num_raw | Gap End Sequence Number (raw hex bytes) | string | The last missing sequence number for a gap in market data
Market Data | market_data.gap.end_time | Gap End | timestamp | End time of a gap in market data
Market Data | market_data.gap.size | Gap Size | number | The number of messages missing in this gap
Market Data | market_data.gap.start_seq_num | Gap Start Sequence Number | number | The first missing sequence number for a gap in market data
Market Data | market_data.gap.start_seq_num_raw | Gap Start Sequence Number (raw hex bytes) | string | The first missing sequence number for a gap in market data
Market Data | market_data.gap.start_time | Gap Start | timestamp | Start time of a gap in market data
Market Data | market_data.group | Market Data Group | number | The market data group identifier for this feed
Market Data | market_data.message_count | Number of Messages | number | The number of messages in each packet
Market Data | market_data.seq_num | Sequence Number | number | The starting sequence number of the current packet
Market Data | market_data.seq_num_raw | Sequence Number (raw hex bytes) | string | The starting sequence number of the current packet
Market Data | market_data.type | Market Data Type | string | The specific market protocol that the data applies to
Market Data | max_market_data.gap.size | Gap Size (Max) | number | The number of messages missing in this gap
Market Data | min_market_data.gap.size | Gap Size (Min) | number | The number of messages missing in this gap
Market Data | sum_market_data.gap.count | Gap Count | number | The number of gaps in an interval

Market Data | sum_market_data.gap.count_psg | Gap Count Rate | number | The number of gaps in an interval
Market Data | sum_market_data.gap.size | Gap Size (Sum) | number | The number of messages missing in this gap
Message | message.description | Description | string | Message description. Valid only with fields belonging to category ApplicationMessage or MSA-ApplicationMessage
Message | message.end_time | End Time | timestamp | Last packet timestamp of the stream. Category: ApplicationMessage or PacketMessage
Message | message.end_time_estimate | Estimated End Time | timestamp | Estimated arrival time of the packet at the receiving host. Category: ApplicationMessage or PacketMessage
Message | message.filter_type | Filter Type Value | number | Message filter type. Valid only with fields belonging to category ApplicationMessage, PacketMessage or MSA-ApplicationMessage
Message | message.info | Info | string | Message info. Valid only with fields belonging to category ApplicationMessage or MSA-ApplicationMessage
Message | message.message_id | Message ID | number | Message id. Valid only with fields belonging to category MSA-ApplicationMessage
Message | message.pkt_description | Packet Description | string | Packet description. Valid only with fields belonging to category PacketMessage
Message | message.pkt_num | Packet Number | number | Message packet number. Valid only with fields belonging to category ApplicationMessage or PacketMessage
Message | message.pkt_type | Packet Type | string | Packet type. Valid only with fields belonging to category PacketMessage
Message | message.reference_pkt_num | Reference Packet Number | number | Trace reference packet number. Valid only with fields belonging to category MSA-ApplicationMessage

Message | message.segment.end_time | Segment End Time | timestamp | Estimated arrival time of the segment if the destination is an endpoint, capture time if the destination is a capture point. Category: MSA-ApplicationMessage
Message | message.segment.start_time | Segment Start Time | timestamp | Estimated departure time of the segment if the source is an endpoint, capture time if the source is a capture point. Category: MSA-ApplicationMessage
Message | message.start_time | Start Time | timestamp | First packet timestamp of the stream. Category: ApplicationMessage or PacketMessage
Message | message.start_time_estimate | Estimated Start Time | timestamp | Estimated departure time of the packet from the sending host. Category: ApplicationMessage or PacketMessage
Message | message.type | Type | string | Message type. Valid only with fields belonging to category ApplicationMessage or MSA-ApplicationMessage
Message | sum_message.total_bytes | Traffic | number | Message size. Valid only with fields belonging to category ApplicationMessage, PacketMessage or MSA-ApplicationMessage
MPLS | mpls.is_mpls | MPLS Traffic Flag | boolean | Indication of whether the packet contains MPLS traffic (MPLS vs. non-MPLS)
MPLS | mpls.label | MPLS Label | number | MPLS label
MPLS | mpls.labels | MPLS Labels | string | MPLS labels
MPLS | mpls.traffic_class | MPLS Traffic Class | number | MPLS traffic class
Multi-segment | avg_multi_segment.delay | Segment Delay | duration | Segment delay
Multi-segment | avg_multi_segment.round_trip_time | Segment RTT OWD | duration | Segment TCP round trip time computed using the one way delay in the two directions
Multi-segment | dst_multi_segment.capture_point | Destination Capture Point | number | Capture point index
Multi-segment | max_multi_segment.delay | Segment Delay (Max) | duration | Segment delay
Multi-segment | max_multi_segment.round_trip_time | Segment RTT OWD (Max) | duration | Segment TCP round trip time computed using the one way delay in the two directions

Multi-segment | max_multi_segment.tcp.duration | TCP Connection Duration (Max) | duration | TCP connection duration, considering the first packet seen among all the capture points
Multi-segment | max_multi_segment.udp.duration | UDP Flow Duration (Max) | duration | UDP flow duration, considering the first packet seen among all the capture points
Multi-segment | min_multi_segment.delay | Segment Delay (Min) | duration | Segment delay
Multi-segment | min_multi_segment.round_trip_time | Segment RTT OWD (Min) | duration | Segment TCP round trip time computed using the one way delay in the two directions
Multi-segment | min_multi_segment.tcp.duration | TCP Connection Duration (Min) | duration | TCP connection duration, considering the first packet seen among all the capture points
Multi-segment | min_multi_segment.udp.duration | UDP Flow Duration (Min) | duration | UDP flow duration, considering the first packet seen among all the capture points
Multi-segment | multi_segment.capture_point | Capture Point | number | Capture point index
Multi-segment | multi_segment.reference_dscp | Reference DSCP Value | number | DSCP of the reference packet
Multi-segment | multi_segment.tcp.start_time | TCP Connection Start Time | timestamp | TCP connection start time: timestamp of the first packet seen among all the capture points
Multi-segment | multi_segment.udp.start_time | UDP Flow Start Time | timestamp | UDP flow start time: timestamp of the first packet seen among all the capture points
Multi-segment | src_multi_segment.capture_point | Source Capture Point | number | Capture point index
Multi-segment | sum_multi_segment.dropped | Segment Dropped Packets | number | Segment dropped packets
Multi-segment | sum_multi_segment.dropped_psg | Segment Dropped Packets Rate | number | Segment dropped packets
Multi-segment | sum_multi_segment.tcp.normalized_packets | Total TCP Packet Traffic | number | Number of packets, normalized using the first capture point (CP) in which the TCP connection is seen
Multi-segment | sum_multi_segment.tcp.normalized_packets_psg | Total TCP Packet Throughput | number | Number of packets, normalized using the first capture point (CP) in which the TCP connection is seen

198 SteelCentral Packet Analyzer Plus User’s Guide SteelFilter Identifiers

Table 1: SteelFilter Identifiers

Context Identifier Label Type Description

Multi- sum_multi_ Total TCP Traffic number Number of byte normalized using the first CP segment segment.tcp. in which the TCP connection is seen normalized_total_ bytes

Multi- sum_multi_ Total TCP number Number of byte normalized using the first CP segment segment.tcp. Throughput in which the TCP connection is seen normalized_total_ bytes_psg

Multi- sum_multi_ Number of Capture number Number of the Capture Points for the TCP segment segment.tcp. Points connection num_of_capture_ points

Multi- sum_multi_ Total UDP Packets number Number of packets normalized using the segment segment.udp. Traffic first CP in which the UDP flow is seen normalized_packets

Multi- sum_multi_ Total UDP Packet number Number of packets normalized using the segment segment.udp. Throughput first CP in which the UDP flow is seen normalized_packets _psg

Multi- sum_multi_ Total UDP Traffic number Number of byte normalized using the first CP segment segment.udp. in which the UDP flow is seen normalized_total_ bytes

Multi- sum_multi_ Total UDP number Number of byte normalized using the first CP segment segment.udp. Throughput in which the UDP flow is seen normalized_total_ bytes_psg

Multi- sum_multi_ Number of Capture number Number of the Capture Points for the UDP segment segment.udp.num_ Points flow of_capture_points

Network sum_network.total_ Total Traffic number Length of the datagram in bytes bytes

Network sum_network.total_ Total Throughput number Length of the datagram in bytes bytes_psg

PCOIP pcoip.dscp_ Suggested DSCP number Suggested DSCP computed using the packet mapping Value and the session priotity values

PCOIP pcoip.ec Explicit number PCoIP Explicit Congestion Congestion

SteelCentral Packet Analyzer Plus User’s Guide 199 SteelFilter Identifiers

Table 1: SteelFilter Identifiers

Context Identifier Label Type Description

PCOIP pcoip.media_ Media Channel ID number Media channel identifier (e.g. 1) channel Value

PCOIP pcoip.packet_ Packet Priority number PCoIP packet priority (e.g. 5) priority Value

PCOIP pcoip.packet_type Packet Type Value number Description of the PCoIP packet type (Control or Media)

PCOIP pcoip.session_ Session Priority number PCoIP session priority (e.g. 1) priority Value

RTP avg_rtp.delta Delta RTP Stream duration Delta RTP stream jitter Jitter

RTP avg_rtp.jitter RTP Stream Jitter duration RTP stream jitter

RTP avg_rtp.mos RTP Stream MOS number RTP stream MOS LQ

RTP avg_rtp.rfactor RTP Stream R- number RTP stream R-Factor Factor

RTP caller_rtp.jitter_ RTP Caller Stream string RTP stream Jitter Distribution (e.g. 20-40) distribution Jitter Distribution

RTP dst_rtp.ip RTP Stream ipaddr Destination IP Address

RTP dst_rtp.port RTP Stream port RTP stream port Destination Port

RTP max_rtp.delta Delta RTP Stream duration Delta RTP stream jitter Jitter (Max)

RTP max_rtp.jitter RTP Stream Jitter duration RTP stream jitter (Max)

RTP max_rtp.mos RTP Stream MOS number RTP stream MOS LQ (Max)

RTP max_rtp.rfactor RTP Stream R- number RTP stream R-Factor Factor (Max)

RTP min_rtp.delta Delta RTP Stream duration Delta RTP stream jitter Jitter (Min)

RTP min_rtp.jitter RTP Stream Jitter duration RTP stream jitter (Min)

RTP min_rtp.mos RTP Stream MOS number RTP stream MOS LQ (Min)

200 SteelCentral Packet Analyzer Plus User’s Guide SteelFilter Identifiers

Table 1: SteelFilter Identifiers

Context Identifier Label Type Description

RTP min_rtp.rfactor RTP Stream R- number RTP stream R-Factor Factor (Min)

RTP receiver_rtp.jitter_ RTP Receiver string RTP stream Jitter Distribution (e.g. 20-40) distribution Stream Jitter Distribution

RTP rtp.codec Codec string Description of the RTP codec

RTP rtp.is_caller_stream RTP Stream boolean Indication of whether the RTP stream is from Direction Flag the caller to the receiver

RTP rtp.is_jitter_ RTP Jitter boolean Indication of whether the jitter computation supported Computation is supported by the specific codec Supported Flag

RTP rtp.is_quality_ RTP Quality boolean Indication of whether the quality supported Computation computation is supported by the specific Supported Flag codec

RTP rtp.payload_type RTP Stream string Description of the RTP stream payload type Payload Type (e.g. PCMU)

RTP rtp.ssrc RTP Stream SSRC string RTP stream Synchronization source

RTP src_rtp.ip RTP Stream ipaddr Source IP Address

RTP src_rtp.port RTP Stream port RTP stream port Source Port

RTP sum_rtp.lost_ RTP Stream Lost number Number of packets that have never been packets Packet Traffic received for an RTP stream

RTP sum_rtp.lost_ RTP Stream Lost number Number of packets that have never been packets_psg Packet Throughput received for an RTP stream

RTP sum_rtp.out_of_ RTP Stream number Number of out of order RTP packets order_packets Rejected Packet Traffic

RTP sum_rtp.out_of_ RTP Stream number Number of out of order RTP packets order_packets_psg Rejected Packet Throughput
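The RTP rows above expose per-stream loss, reordering and jitter counters without saying how they are derived. The following is an added example, not code from the guide or from Packet Analyzer Plus, that derives the same three quantities from a constructed packet sequence. It assumes the RFC 3550 definitions (expected minus received for loss, the interarrival jitter estimator from Appendix A.8, 16-bit sequence wrap handling); whether the product uses exactly these formulas is not stated in the guide. The sample stream is PCMU at 8000 Hz with 20 ms packets, built inline.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RtpPacket:
    seq: int        # 16-bit RTP sequence number
    ts: int         # RTP timestamp in codec clock ticks
    arrival: float  # capture timestamp in seconds


class RtpStreamStats:
    """Per-stream counters: received, expected, lost, out-of-order and RFC 3550 jitter."""

    def __init__(self, clock_rate: int) -> None:
        self.clock_rate = clock_rate      # codec clock, 8000 Hz for PCMU (assumed for the sample)
        self.received = 0
        self.out_of_order = 0
        self.base_seq: Optional[int] = None
        self.highest_seq: Optional[int] = None
        self.cycles = 0                   # 0x10000 per 16-bit sequence wrap
        self.jitter = 0.0                 # interarrival jitter, in clock ticks
        self._prev: Optional[RtpPacket] = None

    def update(self, pkt: RtpPacket) -> None:
        self.received += 1
        if self.base_seq is None:
            self.base_seq = self.highest_seq = pkt.seq
        else:
            delta = (pkt.seq - self.highest_seq) & 0xFFFF
            if delta < 0x8000:
                # Forward move of the high-water mark; a smaller raw value means the counter wrapped.
                if pkt.seq < self.highest_seq:
                    self.cycles += 0x10000
                self.highest_seq = pkt.seq
            else:
                # Behind the high-water mark: a late (out-of-order) packet, not a new one.
                self.out_of_order += 1
        if self._prev is not None:
            # RFC 3550 A.8: D = (R_i - R_j) - (S_i - S_j); J += (|D| - J) / 16, in clock ticks
            arrival_ticks = (pkt.arrival - self._prev.arrival) * self.clock_rate
            d = arrival_ticks - (pkt.ts - self._prev.ts)
            self.jitter += (abs(d) - self.jitter) / 16
        self._prev = pkt

    @property
    def expected(self) -> int:
        if self.base_seq is None:
            return 0
        return self.cycles + self.highest_seq - self.base_seq + 1

    @property
    def lost(self) -> int:
        # Packets never received. Duplicates count as received, so this can go negative (as in RFC 3550).
        return self.expected - self.received

    @property
    def jitter_ms(self) -> float:
        return self.jitter * 1000.0 / self.clock_rate


def analyze_rtp(packets: List[RtpPacket], clock_rate: int) -> RtpStreamStats:
    stats = RtpStreamStats(clock_rate)
    for p in packets:
        stats.update(p)
    return stats


# Constructed stream: 160 ticks (20 ms) per packet; seq 4 arrives late, seq 7 never arrives.
SAMPLE_PACKETS = [
    RtpPacket(1, 0, 0.000), RtpPacket(2, 160, 0.020), RtpPacket(3, 320, 0.040),
    RtpPacket(5, 640, 0.080), RtpPacket(4, 480, 0.085), RtpPacket(6, 800, 0.100),
    RtpPacket(8, 1120, 0.140),
]
```

On the sample, `analyze_rtp(SAMPLE_PACKETS, 8000)` reports 7 received, 8 expected, 1 lost (seq 7) and 1 out-of-order (seq 4); the late packet is what drives the jitter estimate up, which is the distinction the separate lost-packet and rejected-packet counters in the table preserve.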

SH | cli_sh.rios.outer.ip | Client IP | ipaddr | Client IP address for this proxied connection
SH | cli_sh.rios.outer.port | Client Port | port | Client TCP port for this proxied connection
SH | sh.rios.csh_sport.id | CSH Sport ID | number | SteelHead internal identifier
SH | sh.rios.is_sh_inner | SteelHead Inner Flag | boolean | Indication of whether the current packet contains SteelHead inner traffic
SH | sh.rios.protocol.id | Protocol ID | number | SteelHead internal protocol identifier
SH | srv_sh.rios.outer.ip | Server IP | ipaddr | Server IP address for this proxied connection
SH | srv_sh.rios.outer.port | Server Port | port | Server TCP port for this proxied connection

SIP | sip.call_id | Call identifier | string | Call-ID header field; it uniquely identifies a particular invitation
SIP | sip.contact | Display Name and URI | string | Contact URI, whose meaning depends on the type of request or response
SIP | sip.cseq | Sequence Number and Request Method | string | CSeq header, which contains a decimal sequence number and the request method
SIP | sip.from | From | string | Source address of a SIP packet
SIP | sip.from_display_name | Display Name | string | Display name of the From field
SIP | sip.from_number | Phone Number | string | Phone number of the From field
SIP | sip.is_request | Request Message Value | boolean | Indication of whether the current packet is a SIP request message
SIP | sip.is_response | Response Message Value | boolean | Indication of whether the current packet is a SIP response message
SIP | sip.message_type | Message Type Value | number | Description of the SIP message type (method for a request, status for a response)
SIP | sip.reply_to | Logical Return URI | string | Logical return URI, which may differ from the From address
SIP | sip.request_method | Request Method | string | Description of the request method
SIP | sip.response_class | Response Class | string | Description of the response class
SIP | sip.response_status | Response Status | string | Description of the response status
SIP | sip.to | Request Recipient | string | To header field; it specifies the logical recipient of the request
SIP | sip.to_display_name | TO Display Name | string | Display name of the To field
SIP | sip.to_number | TO Phone Number | string | Phone number of the To field
SIP | sip.user_agent | User Agent Client | string | User-Agent originating the request

SQL | avg_sql.data_transfer_time | Data Transfer Time | duration | Query data transfer time of the request and response
SQL | avg_sql.duration | Transaction Time | duration | Duration of the query from the request to the last packet of the response message
SQL | avg_sql.packets | Total Packets | number | Client or DB packets
SQL | avg_sql.srv_response_time | Server Response Time | duration | Server response time of the query
SQL | avg_sql.total_bytes | Total Traffic | number | DB bytes
SQL | max_sql.data_transfer_time | Data Transfer Time (Max) | duration | Query data transfer time of the request and response
SQL | max_sql.duration | Transaction Time (Max) | duration | Duration of the query from the request to the last packet of the response message
SQL | max_sql.packets | Total Packets (Max) | number | Client or DB packets
SQL | max_sql.srv_response_time | Server Response Time (Max) | duration | Server response time of the query
SQL | max_sql.total_bytes | Total Traffic (Max) | number | DB bytes
SQL | min_sql.data_transfer_time | Data Transfer Time (Min) | duration | Query data transfer time of the request and response
SQL | min_sql.duration | Transaction Time (Min) | duration | Duration of the query from the request to the last packet of the response message
SQL | min_sql.packets | Total Packets (Min) | number | Client or DB packets
SQL | min_sql.srv_response_time | Server Response Time (Min) | duration | Server response time of the query
SQL | min_sql.total_bytes | Total Traffic (Min) | number | DB bytes
SQL | sql.db_instance | DB Name | string | DB instance
SQL | sql.db_username | DB User | string | DB username
SQL | sql.error_description | Error Description | string | Description of the error code, based on the DB type
SQL | sql.error_message | Error Message | string | Error message
SQL | sql.is_rpc | RPC Call Value | boolean | Indication of whether the current request is an RPC call
SQL | sql.is_sql | SQL Traffic Flag | boolean | DB traffic
SQL | sql.query_command | Query Operation | string | Query operation (e.g. SELECT, UPDATE, ...)
SQL | sql.query_start_time | Query Start Time | timestamp | Start time of the query
SQL | sql.query_status | Query Status | string |
SQL | sql.query_text | Query Text | string | Query statement
SQL | sql.rpc_id | RPC Handle | number | Handle value of the current RPC
SQL | sql.rpc_name | RPC Name | string | Name of the current RPC
SQL | sum_sql.packets | Cumulative Total Packets | number | Client or DB packets
SQL | sum_sql.queries_failed | Cumulative Queries Failed | number | Number of DB queries that failed
SQL | sum_sql.queries_failed_psg | Queries Failed Rate | number | Number of DB queries that failed
SQL | sum_sql.queries_started | Cumulative Queries Started | number | Number of DB queries started
SQL | sum_sql.queries_started_psg | Queries Started Rate | number | Number of DB queries started
SQL | sum_sql.total_bytes | Cumulative Total Traffic | number | DB bytes

TCP | avg_cli_tcp.delay | Client-side Round Trip Time | duration | RTT portion relative to one of the endpoints
TCP | avg_cli_tcp.window_bytes | Client TCP Window | number | Size in bytes that the sender will accept
TCP | avg_srv_tcp.delay | Server-side Round Trip Time | duration | RTT portion relative to one of the endpoints
TCP | avg_srv_tcp.window_bytes | Server TCP Window | number | Size in bytes that the sender will accept
TCP | avg_tcp.network_time_c2s | Request Data Transfer Time | duration | Adjusted using the RTT
TCP | avg_tcp.network_time_s2c | Response Data Transfer Time | duration | Adjusted using the RTT
TCP | avg_tcp.retransmission_time_c2s | Request Retrans Delay | duration | Retransmission time
TCP | avg_tcp.retransmission_time_s2c | Response Retrans Delay | duration | Retransmission time
TCP | avg_tcp.round_trip_time | Round Trip Time | duration | Round trip time
TCP | avg_tcp.srv_response_time | Server Response Time | duration | Adjusted using the RTT
TCP | avg_tcp.transaction_time | Transaction Time | duration | Transaction time
TCP | avg_tcp.transfer_time_c2s | Request Transaction Time | duration | Time experienced from the first data packet to the last data packet
TCP | avg_tcp.transfer_time_s2c | Response Transaction Time | duration | Time experienced from the first data packet to the last data packet
TCP | avg_tcp.window_bytes | Server TCP Window | number | Size in bytes that the sender will accept
TCP | cli_tcp.country | Client Country | string | Country of the TCP host, based on a GeoIP lookup
TCP | cli_tcp.ip | Client IP Address | ipaddr | IP address of the TCP host
TCP | cli_tcp.port | Client Port | port | TCP port
TCP | cli_tcp.port_name | Client Port Alias | string | TCP port name
TCP | ctrl_tcp.port | Control TCP Port Number | port | TCP port
TCP | ctrl_tcp.port_name | Control TCP Port | string | TCP port name
TCP | dst_tcp.port | Destination Port Number | port | TCP port
TCP | dst_tcp.port_name | Destination Port | string | TCP port name
TCP | max_cli_tcp.delay | Client-side Round Trip Time (Max) | duration | RTT portion relative to one of the endpoints
TCP | max_cli_tcp.window_bytes | Client TCP Window (Max) | number | Size in bytes that the sender will accept
TCP | max_srv_tcp.delay | Server-side Round Trip Time (Max) | duration | RTT portion relative to one of the endpoints
TCP | max_srv_tcp.window_bytes | Server TCP Window (Max) | number | Size in bytes that the sender will accept
TCP | max_tcp.connection_duration | Connection Duration (Max) | duration | Connection duration, measured from the first to the last packet seen for a connection
TCP | max_tcp.network_time_c2s | Request Data Transfer Time (Max) | duration | Adjusted using the RTT
TCP | max_tcp.network_time_s2c | Response Data Transfer Time (Max) | duration | Adjusted using the RTT
TCP | max_tcp.retransmission_time_c2s | Request Retrans Delay (Max) | duration | Retransmission time
TCP | max_tcp.retransmission_time_s2c | Response Retrans Delay (Max) | duration | Retransmission time
TCP | max_tcp.round_trip_time | Round Trip Time (Max) | duration | Round trip time
TCP | max_tcp.srv_response_time | Server Response Time (Max) | duration | Adjusted using the RTT
TCP | max_tcp.transaction_time | Transaction Time (Max) | duration | Transaction time
TCP | max_tcp.transfer_time_c2s | Request Data Transfer Time (Max) | duration | Time experienced from the first data packet to the last data packet
TCP | max_tcp.transfer_time_s2c | Response Data Transfer Time (Max) | duration | Time experienced from the first data packet to the last data packet
TCP | max_tcp.window_bytes | Server TCP Window (Max) | number | Size in bytes that the sender will accept
TCP | min_cli_tcp.delay | Client-side Round Trip Time (Min) | duration | RTT portion relative to one of the endpoints
TCP | min_cli_tcp.window_bytes | Client TCP Window (Min) | number | Size in bytes that the sender will accept
TCP | min_srv_tcp.delay | Server-side Round Trip Time (Min) | duration | RTT portion relative to one of the endpoints
TCP | min_srv_tcp.window_bytes | Server TCP Window (Min) | number | Size in bytes that the sender will accept
TCP | min_tcp.network_time_c2s | Request Data Transfer Time (Min) | duration | Adjusted using the RTT
TCP | min_tcp.network_time_s2c | Response Data Transfer Time (Min) | duration | Adjusted using the RTT
TCP | min_tcp.retransmission_time_c2s | Request Retrans Delay (Min) | duration | Retransmission time
TCP | min_tcp.retransmission_time_s2c | Response Retrans Delay (Min) | duration | Retransmission time
TCP | min_tcp.round_trip_time | Round Trip Time (Min) | duration | Round trip time
TCP | min_tcp.srv_response_time | Server Response Time (Min) | duration | Adjusted using the RTT
TCP | min_tcp.transaction_time | Transaction Time (Min) | duration | Transaction time
TCP | min_tcp.transfer_time_c2s | Request Data Transfer Time (Min) | duration | Time experienced from the first data packet to the last data packet
TCP | min_tcp.transfer_time_s2c | Response Data Transfer Time (Min) | duration | Time experienced from the first data packet to the last data packet
TCP | min_tcp.window_bytes | Server TCP Window (Min) | number | Size in bytes that the sender will accept
TCP | src_tcp.port | Source Port Number | port | TCP port
TCP | src_tcp.port_name | Source Port | string | TCP port name
TCP | srv_tcp.country | Server Country | string | Country of the TCP host, based on a GeoIP lookup
TCP | srv_tcp.ip | Server IP Address | ipaddr | IP address of the TCP host
TCP | srv_tcp.port | Server Port | port | TCP port
TCP | srv_tcp.port_name | Server Port | string | TCP port name
TCP | sum_cli_tcp.packets | Packet Traffic (c->s) | number | Number of total packets for TCP traffic
TCP | sum_cli_tcp.packets_psg | Packet Throughput (c->s) | number | Number of total packets for TCP traffic
TCP | sum_cli_tcp.payload_bytes | Request Traffic | number | Payload bytes
TCP | sum_cli_tcp.payload_bytes_psg | Request Throughput | number | Payload bytes
TCP | sum_srv_tcp.packets | Packet Traffic (s->c) | number | Number of total packets for TCP traffic
TCP | sum_srv_tcp.packets_psg | Packet Throughput (s->c) | number | Number of total packets for TCP traffic
TCP | sum_srv_tcp.payload_bytes | Response Traffic | number | Payload bytes
TCP | sum_srv_tcp.payload_bytes_psg | Response Throughput | number | Payload bytes
TCP | sum_tcp.aborted_connections | Connections Aborted | number | Number of TCP connections that were reset by one of the endpoints
TCP | sum_tcp.aborted_connections_psg | Connections Aborted Rate | number | Number of TCP connections that were reset by one of the endpoints
TCP | sum_tcp.attempted_connections | Connection Requests | number | Number of attempted connections
TCP | sum_tcp.attempted_connections_psg | Connection Request Rate | number | Number of attempted connections
TCP | sum_tcp.duplicate_acks | Total Duplicate ACKs | number | Number of TCP duplicate acknowledgements
TCP | sum_tcp.duplicate_acks_psg | Total Duplicate ACKs Rate | number | Number of TCP duplicate acknowledgements
TCP | sum_tcp.errors | TCP Errors | number | Number of TCP errors
TCP | sum_tcp.errors_psg | TCP Error Rate | number | Number of TCP errors
TCP | sum_tcp.failed_connections | Connections Failed | number | Number of failed connections
TCP | sum_tcp.failed_connections_psg | Connections Failed Rate | number | Number of failed connections
TCP | sum_tcp.lost_segments | Total Lost Segments | number | Number of TCP lost segments
TCP | sum_tcp.lost_segments_psg | Total Lost Segments Rate | number | Number of TCP lost segments
TCP | sum_tcp.missing_segment_acks | ACKed Missing Segments | number | Number of TCP acknowledged missing segments
TCP | sum_tcp.missing_segment_acks_psg | ACKed Missing Segments Rate | number | Number of TCP acknowledged missing segments
TCP | sum_tcp.opened_connections | Connections Opened | number | Number of opened connections
TCP | sum_tcp.opened_connections_psg | Connections Opened Rate | number | Number of opened connections
TCP | sum_tcp.out_of_order_segments | Total Out-of-Order TCP Segments | number | Number of TCP out-of-order segments
TCP | sum_tcp.out_of_order_segments_psg | Total Out-of-Order TCP Segments Rate | number | Number of TCP out-of-order segments
TCP | sum_tcp.refused_connections | Connections Failed | number | Number of TCP connections that failed during the three-way handshake
TCP | sum_tcp.refused_connections_psg | Connections Failed Rate | number | Number of TCP connections that failed during the three-way handshake
TCP | sum_tcp.resets | Total Resets | number | Number of resets
TCP | sum_tcp.resets_psg | Total Reset Rate | number | Number of resets
TCP | sum_tcp.retransmissions | Total Retrans | number | Number of TCP retransmissions
TCP | sum_tcp.retransmissions_psg | Total Retrans Rate | number | Number of TCP retransmissions
TCP | sum_tcp.total_bytes | Total Traffic | number | Number of total bytes for TCP traffic
TCP | sum_tcp.total_bytes_psg | Total Throughput | number | Number of total bytes for TCP traffic
TCP | sum_tcp.turns | Server Responses | number | Number of turns
TCP | sum_tcp.turns_psg | Server Responses Rate | number | Number of turns
TCP | tcp.acknum | ACK Number | number | TCP ack number
TCP | tcp.connection_start_time | Start Time | timestamp | Timestamp of the first packet seen for a connection
TCP | tcp.ecn.cwr | ECN-CWR Flag | boolean | TCP CWR
TCP | tcp.ecn.echo | ECN-Echo Flag | boolean | TCP Echo
TCP | tcp.ecn.ns | ECN-NS Flag | boolean | TCP signaling with nonces
TCP | tcp.error_type | TCP Error Type Value | number | Type of TCP error (Retransmissions, Out of Order, Lost Segments, Duplicate Acks, Zero Windows, Resets)
TCP | tcp.alert | Connection Alert Value | number | Connection alert type (Open, Closed, Refused, Aborted)
TCP | tcp.flags | TCP Flags | string | Description of the TCP flags of the packet
TCP | tcp.flags.ack | ACK Flag | boolean | Indication of whether or not the 'Acknowledgement Number' field is valid
TCP | tcp.flags.fin | FIN Flag | boolean | Signals the end of data
TCP | tcp.flags.push | PSH Flag | boolean | Push flag
TCP | tcp.flags.reset | RST Flag | boolean | Signals connection reset
TCP | tcp.flags.syn | SYN Flag | boolean | Signals to synchronize the sequence numbers
TCP | tcp.flags.urgent | URG Flag | boolean | Indication of whether or not the 'Urgent Pointer' field is valid
TCP | tcp.has_valid_round_trip_time | RTT Flag | boolean | Indication of whether the round trip time has been computed for the TCP connection
TCP | tcp.is_error | TCP Error Flag | boolean | Set to true if the packet triggered a TCP error (Retransmissions, Out of Order, Lost Segments, Duplicate Acks, Zero Windows, Resets)
TCP | tcp.port | TCP Port Number | port | TCP port
TCP | tcp.port_name | TCP Port | string | TCP port name
TCP | tcp.seq_num | Sequence Number | number | TCP sequence number
TCP | tcp.urgent_pointer | Urgent Sequence Number | number | Contains the sequence number of the last byte in a block of urgent data
TCP | tcp.window_zero | Zero Window Sizes | number | Number of times the window size is zero
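The TCP rows above define four connection outcomes (attempted, opened, refused during the three-way handshake, aborted by a reset) plus the start-time and duration fields, but only as counters. The block below is an added example, not code from the guide or from the product, that reproduces those definitions as a small connection tracker driven by the per-packet flags (`tcp.flags.syn`, `tcp.flags.ack`, `tcp.flags.fin`, `tcp.flags.reset`). Two things are assumptions of this example, not statements from the guide: connections whose handshake predates the capture are ignored, and a SYN that is never answered is reported separately as "unanswered" rather than mapped onto `sum_tcp.failed_connections`. The packets are constructed inline; the client, server and ports are invented.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Endpoint = Tuple[str, int]

@dataclass
class Packet:
    ts: float    # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # subset of "SAFRP", e.g. "S", "SA", "PA", "R", "RA", "FA"

@dataclass
class Connection:
    client: Endpoint          # the endpoint that sent the SYN
    server: Endpoint
    start_time: float         # tcp.connection_start_time: first packet seen
    last_time: float
    state: str = "attempted"  # attempted -> opened -> closed | aborted, or attempted -> refused
    syn_ack_seen: bool = False
    fin_c2s: bool = False
    fin_s2c: bool = False

    @property
    def duration(self) -> float:
        return self.last_time - self.start_time  # tcp.connection_duration: first to last packet

class TcpConnectionTracker:
    def __init__(self) -> None:
        self.conns: Dict[FrozenSet[Endpoint], Connection] = {}
        self.resets = 0  # sum_tcp.resets: every packet carrying RST

    def feed(self, p: Packet) -> None:
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        c = self.conns.get(key)
        if c is None:
            # Only a bare SYN starts tracking (an attempted connection); anything else for an
            # unknown 4-tuple is mid-stream traffic whose handshake predates the capture (assumption).
            if "S" in p.flags and "A" not in p.flags:
                self.conns[key] = Connection((p.src, p.sport), (p.dst, p.dport), p.ts, p.ts)
            return
        c.last_time = p.ts
        from_server = (p.src, p.sport) == c.server
        if "R" in p.flags:
            self.resets += 1
            if c.state == "attempted":
                c.state = "refused"   # RST during the three-way handshake
            elif c.state == "opened":
                c.state = "aborted"   # RST by either endpoint after the handshake
        elif c.state == "attempted":
            if from_server and "S" in p.flags and "A" in p.flags:
                c.syn_ack_seen = True
            elif not from_server and c.syn_ack_seen and "A" in p.flags:
                c.state = "opened"    # third leg of the handshake
        elif c.state == "opened" and "F" in p.flags:
            if from_server:
                c.fin_s2c = True
            else:
                c.fin_c2s = True
            if c.fin_c2s and c.fin_s2c:
                c.state = "closed"    # orderly close: FIN seen in both directions

    def connection(self, client: Endpoint) -> Optional[Connection]:
        return next((c for c in self.conns.values() if c.client == client), None)

    def summary(self) -> Dict[str, int]:
        states = [c.state for c in self.conns.values()]
        return {
            "attempted": len(states),                                            # sum_tcp.attempted_connections
            "opened": sum(s in ("opened", "closed", "aborted") for s in states),  # sum_tcp.opened_connections
            "closed": states.count("closed"),
            "refused": states.count("refused"),                                  # sum_tcp.refused_connections
            "aborted": states.count("aborted"),                                  # sum_tcp.aborted_connections
            "unanswered": states.count("attempted"),                             # SYN never answered (assumption)
            "resets": self.resets,                                               # sum_tcp.resets
        }

C, S = "10.0.0.5", "10.0.0.9"  # invented hosts
SAMPLE_PACKETS: List[Packet] = [  # constructed traffic, not a real capture
    Packet(0.000, C, 40001, S, 443, "S"), Packet(0.010, S, 443, C, 40001, "SA"),    # 1: handshake, data,
    Packet(0.020, C, 40001, S, 443, "A"), Packet(0.030, C, 40001, S, 443, "PA"),    #    orderly close
    Packet(0.050, S, 443, C, 40001, "PA"), Packet(0.100, C, 40001, S, 443, "FA"),
    Packet(0.110, S, 443, C, 40001, "FA"), Packet(0.120, C, 40001, S, 443, "A"),
    Packet(0.200, C, 40002, S, 8443, "S"), Packet(0.210, S, 8443, C, 40002, "RA"),  # 2: refused (closed port)
    Packet(0.300, C, 40003, S, 443, "S"), Packet(0.310, S, 443, C, 40003, "SA"),    # 3: opened, then
    Packet(0.320, C, 40003, S, 443, "A"), Packet(0.330, C, 40003, S, 443, "PA"),    #    aborted by client RST
    Packet(0.400, C, 40003, S, 443, "R"),
    Packet(0.500, C, 40004, S, 22, "S"),                                            # 4: never answered
]

def run_sample() -> TcpConnectionTracker:
    tracker = TcpConnectionTracker()
    for p in SAMPLE_PACKETS:
        tracker.feed(p)
    return tracker
```

`run_sample().summary()` yields 4 attempted, 2 opened, 1 closed, 1 refused, 1 aborted, 1 unanswered and 2 resets. The split between refused and unanswered is the one worth keeping in a detection context: a single client with many attempted connections that are mostly refused (RST from the server) or unanswered (no SYN/ACK) is the profile of a port scan against closed and filtered ports respectively, which the aggregate "failed" counter alone would blur.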

Traffic | max_traffic.microburst_100ms_bytes | Traffic / 100 ms (Max) | number | Maximum byte count in a 100 ms interval
Traffic | max_traffic.microburst_100ms_packets | Packet Traffic / 100 ms (Max) | number | Maximum packet count in a 100 ms interval
Traffic | max_traffic.microburst_100us_bytes | Traffic / 100 us (Max) | number | Maximum byte count in a 100 us interval
Traffic | max_traffic.microburst_100us_packets | Packet Traffic / 100 us (Max) | number | Maximum packet count in a 100 us interval
Traffic | max_traffic.microburst_10ms_bytes | Traffic / 10 ms (Max) | number | Maximum byte count in a 10 ms interval
Traffic | max_traffic.microburst_10ms_packets | Packet Traffic / 10 ms (Max) | number | Maximum packet count in a 10 ms interval
Traffic | max_traffic.microburst_10us_bytes | Traffic / 10 us (Max) | number | Maximum byte count in a 10 us interval
Traffic | max_traffic.microburst_10us_packets | Packet Traffic / 10 us (Max) | number | Maximum packet count in a 10 us interval
Traffic | max_traffic.microburst_1ms_bytes | Traffic / 1 ms (Max) | number | Maximum byte count in a 1 ms interval
Traffic | max_traffic.microburst_1ms_packets | Packet Traffic / 1 ms (Max) | number | Maximum packet count in a 1 ms interval
Traffic | max_traffic.microburst_1s_bytes | Traffic / 1 s (Max) | number | Maximum byte count in a 1 s interval
Traffic | max_traffic.microburst_1s_packets | Packet Traffic / 1 s (Max) | number | Maximum packet count in a 1 s interval
Traffic | sum_traffic.application_bytes | Total Application Traffic | number | Number of application bytes (application buffer)
Traffic | sum_traffic.application_bytes_psg | Total Application Throughput | number | Number of application bytes (application buffer)
Traffic | sum_traffic.network_bytes | Total Network Traffic | number | Number of network bytes (network header + transport buffer)
Traffic | sum_traffic.network_bytes_psg | Total Network Throughput | number | Number of network bytes (network header + transport buffer)
Traffic | sum_traffic.packets | Total Packet Traffic | number | Number of total packets
Traffic | sum_traffic.packets_psg | Total Packet Throughput | number | Number of total packets
Traffic | sum_traffic.total_bytes | Total Traffic | number | Number of total bytes
Traffic | sum_traffic.total_bytes_psg | Total Throughput | number | Number of total bytes
Traffic | sum_traffic.transport_bytes | Total Transport Traffic | number | Number of transport bytes (transport header + application buffer)
Traffic | sum_traffic.transport_bytes_psg | Total Transport Throughput | number | Number of transport bytes (transport header + application buffer)
Traffic | sum_traffic.wire_bytes | Total Wire Traffic | number | Number of total bytes on the wire
Traffic | sum_traffic.wire_bytes_psg | Total Wire Throughput | number | Number of total bytes on the wire
Traffic | sum_traffic.wire_overhead_bytes | Total MAC Overhead Traffic | number | Byte count of the overhead used by the Ethernet protocol (i.e. preamble + CRC + inter-frame gap + Ethernet header)
Traffic | sum_traffic.wire_overhead_bytes_psg | Total MAC Overhead Throughput | number | Byte count of the overhead used by the Ethernet protocol (i.e. preamble + CRC + inter-frame gap + Ethernet header)
Traffic | traffic.app_classification | Application | string | Traffic classification based on application definitions (also covers traffic that is not TCP/UDP)
Traffic | traffic.port_classification | Port Alias | string | Traffic classification based on port definitions (also covers traffic that is not TCP/UDP)
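The six `max_traffic.microburst_*` identifiers above report the largest byte and packet count seen in any interval of a given width, which is what makes a burst visible that a one-second average hides. As an added illustration (this is not code from the guide or from Packet Analyzer Plus), the block below computes those maxima for all six widths from a constructed one-second capture and converts the peak back into a line rate. It assumes fixed bins aligned to the capture start; the guide does not say whether the product uses aligned or sliding windows, so that is a modelling choice here, not the product's documented behaviour. Timestamps are integer microseconds to keep the binning exact.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Bin widths in microseconds, one per max_traffic.microburst_* interval in the table.
INTERVALS_US: Dict[str, int] = {
    "10us": 10, "100us": 100, "1ms": 1_000, "10ms": 10_000, "100ms": 100_000, "1s": 1_000_000,
}


def microburst_maxima(packets: Iterable[Tuple[int, int]],
                      intervals: Dict[str, int] = INTERVALS_US) -> Dict[str, Tuple[int, int]]:
    """Return {interval name: (max bytes in one bin, max packets in one bin)}.

    packets: (timestamp in microseconds, bytes on the wire). Bins are fixed-width
    and aligned to t=0 (assumption, see lead-in)."""
    packets = list(packets)
    result: Dict[str, Tuple[int, int]] = {}
    for name, width in intervals.items():
        byte_bins: Counter = Counter()
        pkt_bins: Counter = Counter()
        for ts_us, nbytes in packets:
            b = ts_us // width          # bin index for this interval width
            byte_bins[b] += nbytes
            pkt_bins[b] += 1
        result[name] = (max(byte_bins.values(), default=0), max(pkt_bins.values(), default=0))
    return result


def peak_rate_bps(max_bytes: int, width_us: int) -> int:
    """Express a per-bin byte maximum as a line rate in bit/s (integer arithmetic, no float drift)."""
    return max_bytes * 8 * 1_000_000 // width_us


def sample_capture() -> List[Tuple[int, int]]:
    """Constructed one-second capture: ten 1500-byte frames in the first 100 us (one every 10 us),
    then one 1500-byte frame every 10 ms for the rest of the second."""
    burst = [(i * 10, 1500) for i in range(10)]
    background = [(t, 1500) for t in range(10_000, 1_000_000, 10_000)]
    return burst + background
```

On the sample, the 1 s bin holds 163500 bytes, a rate of about 1.3 Mbit/s, while the 100 us bin holds 15000 bytes, which is 1.2 Gbit/s: more than a gigabit link can carry, so a switch or tap buffer would drop or delay frames during that burst even though the per-second figure looks idle. That is the case the finer microburst intervals exist to catch.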

Transport | dst_transport.port | Destination Port Number | port | TCP/UDP destination port
Transport | dst_transport.port_name | Destination Port | string | TCP/UDP destination port name
Transport | lower_transport.port | Lower Port Number | port | TCP/UDP source or destination port
Transport | lower_transport.port_name | Lower Port | string | TCP/UDP source or destination port name
Transport | src_transport.port | Source Port Number | port | TCP/UDP source port
Transport | src_transport.port_name | Source Port | string | TCP/UDP source port name
Transport | sum_transport.payload_total_bytes | Total Payload Traffic | number | Length of the TCP or UDP payload in bytes
Transport | sum_transport.payload_total_bytes_psg | Total Payload Throughput | number | Length of the TCP or UDP payload in bytes
Transport | transport.client_server_proto | Transport Client/Server Application | string | TCP port converted into a traffic type string (e.g. "Email" or "Web"), but only for applications that are client/server (i.e. no instant messaging)
Transport | transport.is_client_server_proto | Client/Server Application Traffic Flag | boolean | Indication of whether the packet contains client/server application traffic (e.g. email, web, database)
Transport | transport.port | Port Number | port | TCP/UDP source or destination port
Transport | transport.port_name | Port | string | TCP/UDP source or destination port name
Transport | upper_transport.port | Upper Port Number | port | TCP/UDP source or destination port
Transport | upper_transport.port_name | Upper Port | string | TCP/UDP source or destination port name

UDP | ctrl_udp.port | Control UDP Port Number | port | UDP port
UDP | ctrl_udp.port_name | Control UDP Port | string | UDP port name
UDP | dst_udp.port | Destination Port Number | port | UDP port
UDP | dst_udp.port_name | Destination Port | string | UDP port name
UDP | src_udp.port | Source Port Number | port | UDP port
UDP | src_udp.port_name | Source Port | string | UDP port name
UDP | sum_udp.packets | Total Packet Traffic | number | Number of total packets for UDP traffic
UDP | sum_udp.packets_psg | Packet Throughput | number | Number of total packets for UDP traffic
UDP | sum_udp.total_bytes | Total Traffic | number | Number of total bytes for UDP traffic
UDP | sum_udp.total_bytes_psg | Total Throughput | number | Number of total bytes for UDP traffic
UDP | udp.port | Port | port | UDP port
UDP | udp.port_name | Port Alias | string | UDP port name

VLAN | vlan.id | VLAN ID | number | VLAN identifier
VLAN | vlan.ids | VLAN IDs | string | VLAN identifiers
VLAN | vlan.priority | VLAN Priority | number | 802.1p CoS (0 to 7)

VOIP | avg_voip.duration | Final Call Duration | duration | Call duration
VOIP | avg_voip.post_dial_delay | Call Post Dial Delay | duration | Call post-dial delay or setup time
VOIP | caller_voip.failed.number | Failed Call Phone Number | string | Phone number of a failed call
VOIP | caller_voip.ip | Caller IP | ipaddr | Call IP address
VOIP | caller_voip.name | Caller Name | string | Name
VOIP | caller_voip.number | Caller Phone Number | string | Phone number
VOIP | dst_voip.failed.ip | Destination IP Address | ipaddr | IP address of a failed call
VOIP | max_voip.duration | Call Duration (Max) | duration | Call duration
VOIP | max_voip.early_streams | Early Streams Count (Max) | number | Cumulative number of early streams
VOIP | max_voip.post_dial_delay | Post Dial Delay (Max) | duration | Call post-dial delay or setup time
VOIP | max_voip.start_time | Call Start Time (Max) | timestamp | Time the call started
VOIP | min_voip.post_dial_delay | Post Dial Delay (Min) | duration | Call post-dial delay or setup time
VOIP | min_voip.start_time | Call Start Time (Min) | timestamp | Time the call started
VOIP | receiver_voip.failed.number | Receiver Phone Number | string | Phone number of a failed call
VOIP | receiver_voip.ip | Receiver IP | ipaddr | Call IP address
VOIP | receiver_voip.name | Receiver Name | string | Name
VOIP | receiver_voip.number | Receiver Phone Number | string | Phone number
VOIP | src_voip.failed.ip | Source IP Address | ipaddr | IP address of a failed call
VOIP | sum_voip.answered_calls | Answered Calls | number | Number of answered calls
VOIP | sum_voip.answered_calls_psg | Answered Call Rate | number | Number of answered calls
VOIP | sum_voip.asr_ratio | ASR Values | number | Ratio of successfully answered to attempted calls (Answer Seizure Ratio)
VOIP | sum_voip.asr_ratio_psg | ASR Value Rate | number | Ratio of successfully answered to attempted calls (Answer Seizure Ratio)
VOIP | sum_voip.attempted_calls | Attempted Calls | number | Number of attempted calls
VOIP | sum_voip.attempted_calls_psg | Attempted Call Rate | number | Number of attempted calls
VOIP | sum_voip.completed_calls | Completed Calls | number | Number of completed calls
VOIP | sum_voip.completed_calls_psg | Completed Calls Rate | number | Number of completed calls
VOIP | sum_voip.failed_calls | Failed Calls | number | Number of failed calls
VOIP | sum_voip.failed_calls_psg | Failed Call Rate | number | Number of failed calls
VOIP | sum_voip.packets | Total Packet Traffic | number | Number of VoIP packets
VOIP | sum_voip.packets_psg | Total Packet Throughput | number | Number of VoIP packets
VOIP | sum_voip.sip.seer_ratio | SIP SEER Values | number | Session Establishment Effectiveness Ratio for all ended SIP calls
VOIP | sum_voip.sip.seer_ratio_psg | SIP SEER Value Rate | number | Session Establishment Effectiveness Ratio for all ended SIP calls
VOIP | user_voip.ip | Caller or Receiver IP | ipaddr | Call IP address
VOIP | user_voip.name | Caller and Receiver Name | string | Name
VOIP | user_voip.number | Caller and Receiver Phone Number | string | Phone number
VOIP | voip.asr | Answered or Attempted Calls Value | number | Description of the ASR answered status (Answered or Attempted)
VOIP | voip.asr_completion | Completed or Failed Calls Value | number | Description of the ASR completion status (Completed or Failed)
VOIP | voip.call_id | Call-ID | string | Call-ID
VOIP | voip.end_cause_code | End Cause Code Value | number | Description of the end cause code (Cancel, Bye, 4xx, 5xx, 6xx/H.323, not available)
VOIP | voip.final_status | Call Ended Status Value | number | Description of the final call status (Canceled, Rejected, Completed or Timeout)
VOIP | voip.protocol | Protocol Number | number | Call VoIP protocol
VOIP | voip.start_time | Call Start Time | timestamp | Time the call started
VOIP | voip.traffic_type | Traffic Type Value | number | VoIP call traffic type (SIP, H.323, SCCP, RTP or Unknown)

VXLAN | ctrl_vxlan.inner.port | Encapsulated Control Port Number | port | Encapsulated VXLAN transport port
VXLAN | ctrl_vxlan.inner.port_name | Encapsulated Port | string | Encapsulated VXLAN transport port name
VXLAN | dst_vxlan.inner.ip | Encapsulated Destination IP Address | ipaddr | IP address of the encapsulated VXLAN host

VXLAN dst_vxlan.inner.port Encapsulated port Encapsulated VXLAN transport port Destination Port

VXLAN dst_vxlan.inner.port Encapsulated string Encapsulated VXLAN transport port name _name Destination Port

VXLAN dst_vxlan.vtep.ip VTEP Destination ipaddr VXLAN Tunnel End Point IP address IP Address

VXLAN lower_vxlan.inner.ip Encapsulated IP ipaddr IP address of the encapsulated VXLAN host Address B

VXLAN lower_vxlan.inner. Encapsulated port Encapsulated VXLAN transport port port Transport Port B

VXLAN lower_vxlan.inner. Encapsulated string Encapsulated VXLAN transport port name port_name Lower Port

VXLAN lower_vxlan.vtep.ip VTEP Lower IP ipaddr VXLAN Tunnel End Point IP address Address

VXLAN src_vxlan.inner.ip Encapsulated ipaddr IP address of the encapsulated VXLAN host Source IP Address

VXLAN src_vxlan.inner.port Encapsulated port Encapsulated VXLAN transport port Source Port Number

VXLAN src_vxlan.inner.port Encapsulated string Encapsulated VXLAN transport port name _name Source Port

VXLAN src_vxlan.vtep.ip VTEP Source IP ipaddr VXLAN Tunnel End Point IP address Address

VXLAN sum_vxlan.inner. Total number Encapsulated VXLAN bytes total_bytes Encapsulated Traffic

VXLAN sum_vxlan.inner. Total number Encapsulated VXLAN bytes total_bytes_psg Encapsulated Throughput

VXLAN upper_vxlan.inner.ip Encapsulated IP ipaddr IP address of the encapsulated VXLAN host Address A

VXLAN upper_vxlan.inner. Encapsulated port Encapsulated VXLAN transport port port Transport Port A

SteelCentral Packet Analyzer Plus User’s Guide 217 SteelFilter Identifiers

Table 1: SteelFilter Identifiers

Context Identifier Label Type Description

VXLAN upper_vxlan.inner. Encapsulated string Encapsulated VXLAN transport port name port_name Upper Port

VXLAN upper_vxlan.vtep.ip VTEP Upper IP ipaddr VXLAN Tunnel End Point IP address Address

VXLAN vxlan.inner.ip Encapsulated IP ipaddr IP address of the encapsulated VXLAN host

VXLAN vxlan.inner.ip. Encapsulated number VXLAN Encapsulated IP protocol type protocol.type Transport Protocol Number

VXLAN vxlan.inner.port Encapsulated port Encapsulated VXLAN transport port Transport Port

VXLAN vxlan.inner.port_ Encapsulated Port string Encapsulated VXLAN transport port name name

VXLAN vxlan.is_vxlan VXLAN Traffic Flag boolean Indication of whether the packet contains VXLAN traffic

VXLAN vxlan.vni VNI number VXLAN Network Identifier (Segment ID)

VXLAN vxlan.vtep.ip VTEP IP ipaddr VXLAN Tunnel End Point IP address

Web avg_web.data_ Total Data Transfer duration Data transfer time of the request and transfer_time Time response

Web avg_web.duration Transaction Time duration Request duration measured from the first request packet to the response packet

Web avg_web.packets Total Payload Pkts number Number of web payload packets per Page

Web avg_web.srv_ Server Response duration The time between request and response_time Time corresponding response

Web avg_web.total_ Page Object Size number Total Page throughput bytes

Web avg_web.total_ Page Object number Total Page throughput bytes_ps Throughput

Web avg_web.total_c2s_ Page Request Size number Total Page throughput bytes

Web avg_web.total_s2c_ Page Response number Total Page throughput bytes Size

Web max_web.data_ Total Data Transfer duration Data transfer time of the request and transfer_time Time (Max) response

218 SteelCentral Packet Analyzer Plus User’s Guide SteelFilter Identifiers

Table 1: SteelFilter Identifiers

Context Identifier Label Type Description

Web max_web.duration Page Time (Max) duration Request duration measured from the first request packet to the response packet

Web max_web.packets Total Payload Pkts number Number of web payload packets per Page

Web max_web.srv_ Server Response duration The time between request and response_time Time (Max) corresponding response

Web max_web.total_ Page Total Size number Total Page throughput bytes (Max)

Web max_web.total_c2s Page Request Size number Total Page throughput _bytes (Max)

Web max_web.total_s2c Page Response number Total Page throughput _bytes Size (Max)

Web min_web.data_ Total Data Transfer duration Data transfer time of the request and transfer_time Time (Min) response

Web min_web.duration Page Time (Min) duration Request duration measured from the first request packet to the response packet

Web min_web.packets Total Payload Pkts number Number of web payload packets per Page

Web min_web.srv_ Server Response duration The time between request and response_time Time (Min) corresponding response

Web min_web.total_ Page Total Size number Total Page throughput bytes (Min)

Web min_web.total_c2s_ Page Request Size number Total Page throughput bytes (Min)

Web min_web.total_s2c_ Page Response number Total Page throughput bytes Size (Min)

Web sum_web.duration Transaction Time duration Request duration measured from the first request packet to the response packet

Web sum_web.num_ Objects Requested number Number of HTTP objects objects

Web sum_web.num_ Object Rate number Number of HTTP objects objects_psg

Web sum_web.packets Total Payload number Number of web payload packets Packet Traffic

SteelCentral Packet Analyzer Plus User’s Guide 219 SteelFilter Identifiers

Table 1: SteelFilter Identifiers

Context Identifier Label Type Description

Web sum_web.total_ Page Total Traffic number Total Page throughput bytes

Web sum_web.total_c2s Page Request number Total Page throughput _bytes Traffic

Web sum_web.total_s2c Page Response number Total Page throughput _bytes Traffic

Web web.bot_name Bot Name string Client browser model and version

Web web.browser Client Browser string Client browser model and version

Web web.content_length Content Length number HTTP content length

Web web.content_type Content Type string “Content type, either explicit found in HTTP’s Content-Type field or inferred from URL based on settings”

Web web.cookie Cookie string Cookie in the http request

Web web.host Hostname string Host name in the http header

Web web.is_web Web Traffic Flag boolean Web Traffic

Web web.method Object Method string HTTP method of object

Web web.parameters Resource string HTTP resource parameters Parameters

Web web.referrer Referrer string Object’s request’s ‘Referer’ HTTP field

Web web.resource Resource string HTTP resource without variable parameters

Web web.start_time Page Start Time timestamp Time of the first request packet

Web web.status_code Status Code Value number HTTP status code for a single object

Web web.status_code_ Status Code string HTTP status code name

Web web.test_stitcher Test Stitcher Flag boolean Add it(no matter what value) in the filter to test stitcher

Web web.url URL string URL of the object’s request

Web web.user_agent User Agent string User agent string of object

end_time End Time timestamp Used for time series data. Indicates the end of a resolution bucket.

start_time Start Time timestamp Used for time series data. Indicates the beginning of a resolution bucket.

220 SteelCentral Packet Analyzer Plus User’s Guide