Observer Analyzer : Observer Analyzer : Decodes : Working with packets
Working with packets
1. On the Home tab, in the Capture group, click Configuration > Packet Capture.
2. Click the Decode button. The Decode and Analysis window appears.
3. Click the Decode tab, then select a packet.
4. Right-click and a menu appears with many options. Those options are described in Table 16.
This list is configurable and contextual, that is, it varies based on the type of packet that is selected.
Table 16. Packet options
Menu option
Description
Start Packet Capture on Hardware/IP Address
Starts a new packet capture filtered on source, destination, or both, using either hardware or IP addresses to identify systems.
Fast Post-Filter on Hardware/IP Address
Applies a filter to the current buffer. Observer will open a new decode window, loading only the packets you have chosen to include.
Create Filter on Hardware/IP Address
Same as Start Packet Capture options described above, except these options let you preview and edit the filter without actually starting a capture.
Set Flag on Hardware/IP Address
Flags all packets that have the same address criteria (source, destination, pair) as the selected packet.
Remove Offset Flags
Removes any offset flags that have been set.
Remove Hardware/IP Address Flags
Removes all address flags that have been set.
Connection Dynamics
Opens a Connection Dynamics chart of the selected TCP conversation. See Using Connection Dynamics.
Add Comment
Allows you to add comments to specific packets in the buffer file.
TCP Dump
Sometimes may options after it such as (HTTP) or (NetBIOS session) when it can identify the type of packets. When selected the packets are processed and appear in the Expert Analysis tab.
Reconstruct Stream
Reconstructs the TCP stream and any files or other data objects exchanged. See Reconstructing TCP data streams.
Decrypt SSL Conversation
Shows you the decrypted SSL conversation if you have the SSL key.
Decrypt TACACS+ Conversation
Shows you the decrypted TACACS+ conversation if you have the TACACS+ shared secret.
Previous/Next Packet in Conversation
Lets you follow a TCP conversation backward and forward in time.
Maximize Pane
Zoom in to the current pane (headers, decode, or hex window).
Packet List Color Setup
Displays the Color dialog.
Set Decode Relative Time Origin to Selected Packet
Resets timestamps.
Calculate Cumulative Bytes
Displays the byte count from the beginning of the capture (or the relative time origin) to the current packet.
5. For additional settings, choose Settings > General tab. These settings are described in Table 17.
 
 
 
Table 17. Expanded packet options
Set focus on the last packet
Causes the packet display to set focus on the last (rather than the first) packet in the capture, allowing you to see the most recently captured information. This is particularly useful when viewing a capture live where the user wishes to examine data as it arrives.
Expand 2nd level trees
Causes the tree decode display to expand all second level trees.
Expand 3rd level trees
Causes the tree decode display to expand all third level trees.
Expand 4th level trees
Causes the tree decode display to expand all fourth level trees.
Use EBCDIC for displaying SNA data
If the packet contains SNA (Service Network Architecture) data, selecting this box causes Observer to use EBCDIC for representing characters as numbers when displaying SNA data. EBCDIC is used almost exclusively on IBM mainframe computers.
Use EBCDIC for all data
Observer uses EBCDIC for representing characters as numbers when displaying all data. EBCDIC is used almost exclusively on IBM computers.
Decode TCP payload in packets with bad checksum
Observer decodes the packet payload even if the checksum for that packet fails. The default behavior is to not decode these packet payloads.
Show full duplex 'Port' or ‘Link’ in ‘DCE/DTE’ parameters
Observer shows which side of a full-duplex connection the packet was captured from.
Show preview of summary comment text
Shows a truncated version of any comments you have added to the packet in the packet comment column.
When loading a local buffer file, exclude expert packets from the display
Choose to enable/disable the display of Observer Expert packets (the packets are not actually stripped from the file, they are just filtered from display).
Bytes Per Row in Hexadecimal Display radio buttons
Choose 16 or 10 bytes per row.
Show decode list using radio buttons
Choose either fixed-point or variable space font.
Packet timing display resolution list
Allows you to select the packet timing display resolution.