Menus in the Capture Group configure and display packets the probe captures. You can set up filters to capture a subset of packets. Captured packets can be viewed in text format and can be exported to protocol analyzer format files for decoding by a network protocol analyzer program.
Viewing the RMON capture table
To view the RMON capture table, choose Display RmonCapture table from the Capture menu. From here you can:
- View the current capture profiles for the selected probe
- Modify, add, or delete profiles
- View captured packets
The RmonCapture table displays a list of capture profiles:
| This column | Contains this information |
| Index | The capture profile |
| Network | The network that packets are captured from |
| Description | Details about the packet being captured |
| DataControl | The current capture status of the profile ("on" means capturing data) |
| Owner | The user who created the profile (for profiles created with Network Manager, this is set to "Network Manager RMON") |
| Status | The status of the profile, which should be "valid" |
View captured packets as text files
To download captured packets for the selected capture profile and view them as text:
- From the RMON Capture table, click View.
You are asked to select a file name. The default file name is packet.cap. You should always use the ".cap" file extension.
- Enter the file name and click OK.
A status dialog box is displayed while the data downloads. You can click Cancel at any time to cancel the download.
After the packets are downloaded, a Log View window opens for the new packet capture file. The capture file is saved as a normal text file. You can use any text editor to view the capture files.
The first line of each packet is the RMON variable and instance for the packet, and the time in seconds between this packet and the previous one. The packet displays on multiple lines of sixteen bytes each. Each sixteen-byte line displays in hexadecimal on the left, and ASCII on the right.
Use a log window to view the capture file. Doing so lets you use all Log menu commands except for the Cut command.
Saving a capture file
From the Capture menu, choose Export to File to save the file in protocol analyzer format.
Viewing a previously saved capture file
From the Capture menu, choose Open Saved File.
Deleting a capture file
- Select the capture file you want to remove.
- Click Del. You are asked to verify the operation.
- Click Yes. The file is deleted.
Changing or adding a capture profile
1. Select a capture profile to edit. If you want to add a capture profile, begin at step 2.
2. Click Edit to change the selected capture profile or New to create a new capture profile.
3. Open the Network list and choose a network that is connected to the probe. If the network you want is not in this list, it may not be correctly attached to the network on the map.
4. To capture packets that match the filter criteria, click the Matched option. To capture packets that do not match the filter criteria, click the Different option.
5. Click the Wrap option to discard the oldest captured packets when the buffer is full so that capturing continues, or click the Lock option to stop capturing data when the buffer is full.
6. Set the Capture Offset text box to the byte number of the first byte you want to capture from each packet. Use 0 for the first byte. Set the Capture Bytes edit box to the number of bytes after the Capture Offset that you want to capture. You can set the Capture Bytes to 0 if you want to count only matched packets.
7. Set the Buffer Size to the total number of bytes you want to allocate to store all captured packets.
8. Click Set to change the selected entry or to add a new one. The Allocated Bytes field updates to show how much buffer space was actually allocated. The Packets Captured field updates in real time to indicate how many packets have been captured. The Buffer Status updates in real time to indicate whether the buffer is full.
Filtering the capture profile
Use the Filter button to select filters for the capture profile. You can add one or more filter entries to the Filters list. The filters are inclusive: a packet is captured if it matches any of the filters in the list.
Each filter has a filter type that matches some part of the packet, and a source and destination address, which can be one of several types. You can select one of the filter types from the list box.
Predefined Filter Types
| Ethernet | Any packet, 6-byte MAC addresses |
| IP | IP packet type, 4-byte IP addresses |
| IPX | IPX packet type, 10-byte IPX addresses |
| SNMP Request | UDP to port 161, 4-byte IP addresses |
| SNMP Response | UDP from port 161, 4-byte IP addresses |
Each of these filter types is configured for an appropriate address type. Select one of the filter types and enter the Source and Destination addresses.
- MAC addresses: use the format "00 11 22 33 44 55" in hexadecimal.
- IP addresses: use the standard dot notation (198.92.129.1).
- IPX: use the standard IPX net-host format (0aaa1-001122334455).
In all cases you can use the keyword "any" to match all addresses.
To add the filter
- Click Add to add the filter to the list of filters.
- Select a filter and click OK.
- Click Done when you have installed all the required filters.
Use the New button to create new filter types.
To define a subset of one of the existing filter types, select one of the existing filters to use as a starting template from the Name of Filter pull-down list. Change the filter name to a short descriptive name for the new filter.
The Data offset is the first byte in the packet to start comparing against the filter data. Use 0 (zero) for the first byte in an Ethernet packet (the first byte of the destination address).
The Data, Data Mask, and Not Mask settings are hexadecimal byte strings that are compared to the received packet. The simplest filters have a Data field that matches some part of a packet and a Data Mask that specifies which bits should be compared. Most filters do not use the Not Mask bit, so the Not Mask rules below do not apply to them. If you are using filters with the Not Mask bit, follow these rules:
- Only bits in the received packet and Data value that have a corresponding Data Mask bit set to one are used in the comparison.
- For each relevant bit from the packet with the corresponding Not Mask bit set to zero, if the bit from the packet is not equal to the corresponding bit from the Data, then the packet will fail this data match.
- If for every relevant bit from the packet with the corresponding Not Mask bit set to one, the bit from the packet is equal to the corresponding bit from the Data, then the packet will fail this data match.
These rules match SNMP request packets by matching against 0800 as the Ethernet packet type (IP), 17 as the IP protocol (UDP), and a1 as the UDP Port (SNMP Request). The remaining fields in the Edit Filter dialog box let you describe the source and destination addresses. The Source and Destination Address Types can be one of the following predefined types:
Predefined Source and Destination Address Types
| Ethernet | 6-byte hexadecimal |
| IP | 4-byte dot notation |
| IPX | 10-byte hexadecimal net-host format |
| Hexadecimal | User defined |
For the first three types, the offset and length of each address is already defined and cannot be changed. For the Hexadecimal type you must also specify the Source Offset, Source Length, Destination Offset, and Destination Length in the appropriate fields.
When you have finished entering the filter definition, click Add to add it to the list of known types. To change an existing entry, use the same Type name. To delete an existing entry, use the Delete button. Any new filters will be available from the Filter Profile dialog box.
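The Data, Data Mask, and Not Mask rules described above, written out as an added example (not code from the product this page documents) and applied to the SNMP request match and to a Not Mask variant. The frames are constructed, the helper names are hypothetical, and the fixed offsets assume an IPv4 header with no options.

```python
# Added example: Data / Data Mask / Not Mask matching over constructed frames.

def data_match(packet, offset, data, mask, not_mask=None):
    """Return True if the packet passes the data match rules listed above."""
    n = len(data)
    not_mask = not_mask or bytes(n)            # no Not Mask: all zero bits
    if len(mask) != n or len(not_mask) != n:
        raise ValueError("Data, Data Mask and Not Mask must be the same length")
    window = packet[offset:offset + n]
    if len(window) < n:                        # assumption: too-short packets fail
        return False
    as_int = lambda b: int.from_bytes(b, "big")
    relevant = as_int(mask)                    # rule 1: only masked bits count
    diff = (as_int(window) ^ as_int(data)) & relevant
    inverted = as_int(not_mask) & relevant     # relevant bits with Not Mask = 1
    if diff & ~inverted:                       # rule 2: a Not Mask = 0 bit differs
        return False
    if inverted and not (diff & inverted):     # rule 3: every Not Mask = 1 bit equal
        return False                           # (assumption: skipped if none set)
    return True

def sparse(length, fields):
    """Build a byte string of zeros with hex fields at the given positions."""
    buf = bytearray(length)
    for pos, hx in fields.items():
        raw = bytes.fromhex(hx)
        buf[pos:pos + len(raw)] = raw
    return bytes(buf)

def frame(proto, dst_port):
    """Constructed Ethernet + IPv4 (no options) + 8-byte layer-4 header."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, proto, 0, 0,
                198, 92, 129, 1, 198, 92, 129, 2])
    return eth + ip + (40000).to_bytes(2, "big") + dst_port.to_bytes(2, "big") + bytes(4)

# Data offset 12 = Ethernet type field. Positions are relative to that offset:
# 0 = type 0800, 11 = IP protocol (17 decimal = hex 11), 24 = UDP destination port.
OFFSET = 12
SNMP_DATA = sparse(26, {0: "0800", 11: "11", 24: "00a1"})
SNMP_MASK = sparse(26, {0: "ffff", 11: "ff", 24: "ffff"})
# Same data with Not Mask on the protocol byte: IP packets that are NOT UDP.
IP_MASK = sparse(26, {0: "ffff", 11: "ff"})
NOT_UDP = sparse(26, {11: "ff"})

if __name__ == "__main__":
    for name, pkt in [("SNMP request", frame(17, 161)), ("DNS query", frame(17, 53)),
                      ("TCP port 80", frame(6, 80))]:
        print(name, data_match(pkt, OFFSET, SNMP_DATA, SNMP_MASK),
              data_match(pkt, OFFSET, SNMP_DATA, IP_MASK, NOT_UDP))
```

Because the comparison uses fixed byte positions, a packet whose IP header carries options shifts the UDP port out from under the mask and will not match this filter.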
Viewing captured packets
Use the View Captured packets command to download and display the captured packets for a selected entry in an RmonCapture table.
Opening a saved file
Use the Open Saved File command to display a previously downloaded capture file. A dialog box prompts you for a file name. The capture files have a ".cap" file extension. The file opens and is displayed in a log window. See the View button of the Display RmonCapture Table command for more information.
Exporting to file
Use the Export To File command to export the selected capture file view to a protocol analyzer file format. You are prompted for a file name to use.