Using the Decode pane
The Decode and Analysis tab is where the captured buffer is decoded and the packet conversations can be examined and analyzed in detail.
This pane has several tabs on it that show you specific information about your packet decode. These include:
Expert Analysis
Displays all general, non-conversation-specific problems that Observer finds when analyzing the packet capture. See Using the Expert Analysis feature.
Shows the raw packets for you to examine yourself. The tab has three sections. The top section shows the list of packets. Right-click any of the packets to see a list of actions you can take on it. The middle section is detailed information about the selected packet. The bottom section is the contents of the packet in hexadecimal and EBCDIC. Press F4 to maximize this bottom section to see more of the packet contents.
There are numerous settings, such as colors and protocol forcing, that you can configure by clicking the Settings button. You can save buffers, search for packets and other actions using options under the Tools menu.
Summarizes network details, errors, data rates, packets, and utilization for the traffic Observer saw. The information on the Summary tab is only for the packets seen on the Packet Capture window or in the buffer file you loaded.
Lists each protocol seen, with the number of packets and bytes of that protocol, the percentage of total packets or bytes that represents, and utilization.
Top Talkers
Shows which devices are the most active on your network. The MAC address, DNS name, and IP address are listed. There are several tabs to see the data in different ways. There are numerous settings that you can configure by clicking the Settings button. This feature is very similar to the Top Talkers covered in Discovering current top talkers on the network.
Pairs (Matrix)
Graphs the top 10 most active device pairs by packets per second. This feature is very similar to the Pairs Matrix in Discovering conversations between local devices and the Internet.
Internet Observer
Has three tabs: a graph of total packets by device on the Internet Patrol tab, and lists of IP Pairs and IP Subprotocol.
There are numerous settings that you can configure by clicking the Settings button. This feature is very similar to the Internet Patrol in Discovering conversations between local devices and the Internet.
Application Transaction Analysis
Contains several tabs for the applications that Observer analyzes, including response time and statistics, URL statistics, FIX, and SQL.
For more details about Application Transaction Analysis, see Understanding Application Transaction Analysis.
Lists VLAN activity as a summary and per station. Shows packets, bytes, broadcasts, multicasts, and utilization. You can configure how the list appears by using the Settings button. This feature is very similar to VLAN Statistics described in Viewing optional VLAN statistics.
Forensic Analysis
Displays anomalies based on Snort rules on the Forensics Summary or Forensics Analysis Log tabs.
You can choose what Snort rules to use to analyze the data by clicking the Settings button.
This feature is similar to Forensic Analysis described in Examining your network traffic with forensic analysis.
Access Point (AP) Statistics
Shows wireless access point statistics. This is similar to Viewing wireless access point statistics.
Fibre Events
Shows details related to your Fibre traffic.
Figure 29: Decode tab
After you are in the view screen, select a packet in the top window to display the packet decoded information in the middle window. There are three window panes:
the packet header pane.
the decode pane.
the raw packet display pane.
The three panes are fully sizable by dragging the borders up or down. Packets that Observer does not recognize are shown in raw mode in the decode and raw panes. Each pane has a context-sensitive right-click menu. For example, you can right-click a packet header, and (if it is not a broadcast packet) immediately jump to a connection dynamics display of the network conversation.
The packet header pane shows the following:
Packets—the number of packets currently in the buffer.
First—the first packet number in the buffer.
Last—the last packet number in the buffer.
Offset—the offset display is only shown if you have highlighted a section of the decode screen. When a section of the decode screen is highlighted, Observer’s active highlight option is enabled. This option shows the highlighted section of actual data in the raw area of the packet decode screen, including the offset of the value from the beginning of the packet. This information can be used to configure an offset filter for that value.
You can highlight an item of the decode in the Raw Packet Display area and right-click it. Two options will be displayed: Start Packet Capture on Segment/Offset or Create Filter on Segment/Offset. These options are only available in this area.
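The offset shown in the raw area is simply the byte position of the highlighted field counted from the first byte of the frame. The following added example (not Observer's own code) walks a constructed Ethernet/IPv4/TCP frame, reports the offset and length of a chosen field, and renders the hex/EBCDIC view with that region bracketed, which is the information an offset filter on that value needs. The field names and the sample frame are assumptions made for this illustration.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / TCP SYN, no payload.
# Layout: 14-byte Ethernet header, 20-byte IPv4 header, 20-byte TCP header = 54 bytes.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                 # dst MAC, src MAC, EtherType IPv4
    "4500 0028 0001 0000 4006 0000"                      # ver/IHL, TOS, len 40, id, frag, TTL 64, proto 6 (TCP), csum
    "c0a80101" "c0a80102"                                # src 192.168.1.1, dst 192.168.1.2
    "c000 0050 00000001 00000000 5002 2000 0000 0000"    # sport 49152, dport 80, seq, ack, hlen 5/SYN, win, csum, urg
)

def field_offsets(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> TCP/UDP and return {field: (offset, length)}.

    Offsets are counted from the first byte of the frame, which is how the
    decode pane reports the highlighted region for an offset filter.
    """
    fields = {"eth.dst": (0, 6), "eth.src": (6, 6), "eth.type": (12, 2)}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800 or len(frame) < 34:
        return fields                     # not IPv4: nothing more to decode, leave it raw
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4          # IHL is in 32-bit words, options included
    proto = frame[ip + 9]
    fields.update({"ip.proto": (ip + 9, 1), "ip.src": (ip + 12, 4), "ip.dst": (ip + 16, 4)})
    l4 = ip + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:   # TCP or UDP: ports sit in the first 4 bytes
        fields.update({"l4.sport": (l4, 2), "l4.dport": (l4 + 2, 2)})
    return fields

def hexdump(frame: bytes, mark: tuple = (0, 0), width: int = 16) -> str:
    """Render the frame as offset / hex / EBCDIC rows, bracketing the bytes in `mark`."""
    start, length = mark
    rows = []
    for base in range(0, len(frame), width):
        chunk = frame[base:base + width]
        hexpart = " ".join(
            f"[{b:02x}]" if start <= base + i < start + length else f" {b:02x} "
            for i, b in enumerate(chunk))
        # cp037 is the common EBCDIC code page; non-printables become '.' as in the raw pane
        text = "".join(c if c.isprintable() and ord(c) < 128 else "." for c in chunk.decode("cp037"))
        rows.append(f"{base:04x}  {hexpart:<{width * 5}}  {text}")
    return "\n".join(rows)

if __name__ == "__main__":
    off, ln = field_offsets(SAMPLE_FRAME)["ip.dst"]
    print(f"ip.dst at offset {off}, {ln} bytes: {SAMPLE_FRAME[off:off + ln].hex()}")
    print(hexdump(SAMPLE_FRAME, (off, ln)))
```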
For details about the packet header menu, see Working with packets.