Saving a packet capture
1. On the Home tab, in the Capture group, click Configuration > Packet Capture.
2. Click the Decode button. The Decode and Analysis window appears.
3. Click the Decode tab, then choose Tools > Save Capture Buffer. The Save Packet Capture dialog opens.
4. Complete the dialog, click Save As, and choose a file name. Observer can save the file as BFR, CAP, ENC, PCAP, or XML.
First packet
Allows you to set the first packet in the capture buffer to be saved to the file. By default, this is packet 1.
Last packet
Allows you to set the last packet in the capture buffer to be saved to the file. By default, this is the last packet in the capture buffer.
Save as button
Displays a dialog that lets you choose from various formats to use when saving the capture buffer, including Observer’s native file format, various Sniffer formats, and XML. Unless you have a specific reason to do otherwise, choose Observer’s native .BFR format.
Append packets to existing file
When selected, allows you to add packets to the existing file.
Recombine ATM Packets
If this box is left unchecked, Asynchronous Transfer Mode (ATM) packets will be saved as they were captured off the wire (in other words, the 53-byte cell units used by ATM switching networks). Check the box to have Observer recombine the packets into Ethernet frames.
Store alias names inside file
When selected, the Discover Network Names-derived alias list is included with the packet capture. If you do not save the alias information along with the capture buffer, statistical displays will list hardware addresses rather than meaningful names.
Save Partial Packets
When selected, you can set how much of each packet to save (in bytes). This allows you to collect packet headers without payloads, which may be useful from a privacy or security standpoint.
Replace hardware address in all saved packets
When selected, enables hardware address substitution in the saved buffer. You can have Observer substitute MAC addresses, IP addresses, or both. In either case, the controls are the same:
Original address—allows you to specify which addresses will be searched for during the replacement. Wildcard substitution with the asterisk character allows you to select multiple addresses. The last 10 specifications entered are conveniently available in a drop-down menu.
New address—allows you to specify which hardware address will be substituted in place of the original. An asterisk (*) or x used in the same position as the Original address specification causes that portion of the address to be retained in the saved file. For example, specifying
Original address: 123.123.100.*
New address: 10.20.30.*
will replace all addresses that match the 123.123.100 address segments with 10.20.30 and retain the address segment of the original where there is an asterisk. Hence the original address: becomes the new address:, and the original address: becomes the new address:
Because the changes are made in the saved buffer file, and not in the buffer loaded into Observer, changing several hardware addresses requires making one change while saving and then reloading the saved buffer file for each subsequent change.
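The wildcard substitution described above, as an added example that is not Observer's own code: it applies one Original/New pair to the source and destination of a raw IPv4 packet, recomputes the IP header checksum, and can truncate the packet the way Save Partial Packets does. Per-octet wildcard matching, the function names, and the sample packet are assumptions of this example.

```python
import struct

def substitute(addr, original, new):
    """Rewrite addr per the Original/New pair; return it unchanged if it does not match."""
    a, o, n = addr.split("."), original.split("."), new.split(".")
    if not (len(a) == len(o) == len(n) == 4):
        raise ValueError("expected dotted IPv4 with four segments")
    if any(op != "*" and op != ap for ap, op in zip(a, o)):
        return addr  # Original pattern does not select this address
    # '*' or 'x' in New keeps the original segment in that position
    return ".".join(ap if np in ("*", "x") else np for ap, np in zip(a, n))

def ip_checksum(header):
    """Ones'-complement sum over 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def sanitize_ipv4(packet, original, new, keep=None):
    """Substitute src/dst, fix the header checksum, optionally keep only `keep` bytes."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    hdr = bytearray(packet[:ihl])
    for off in (12, 16):                  # source, then destination address
        old = ".".join(str(b) for b in hdr[off:off + 4])
        hdr[off:off + 4] = bytes(int(p) for p in substitute(old, original, new).split("."))
    hdr[10:12] = b"\0\0"                  # zero the field before recomputing
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    out = bytes(hdr) + packet[ihl:]
    return out if keep is None else out[:keep]

def build_sample():
    """Constructed sample: 123.123.100.7 -> 192.0.2.1, UDP, 4-byte payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, 1, 0, 64, 17, 0,
                                bytes([123, 123, 100, 7]), bytes([192, 0, 2, 1])))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + struct.pack("!HHHH", 5000, 53, 12, 0) + b"data"

if __name__ == "__main__":
    # keep=28 retains the IP and UDP headers and drops the payload
    cleaned = sanitize_ipv4(build_sample(), "123.123.100.*", "10.20.30.*", keep=28)
    print(cleaned.hex())
```

TCP and UDP checksums cover the IP addresses through the pseudo-header, so they no longer validate after substitution unless they are recomputed as well; this example leaves them untouched.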
Decrypt 802.11 WEP Encrypted Packets
If checked, you can select from several preconfigured WEP key profiles. The profiles themselves are configured as part of 802.11 setup.
Decompress FRF.9 compressed packets
If you have captured frames from a VIAVI WAN probe, Observer can decompress the frames before saving them. Decompression will not work unless the probe captured all the packets from the beginning of a connection initialization between the router and the CSU/DSU. You can force an initialization during data collection by resetting either the CSU/DSU or the router.