Omnipeek Getting Started Guide
20220819-GSG-OP222a
Contents
Chapter 1 Introduction
  Omnipeek as a portable analyzer
  Omnipeek with distributed Capture Engines
  Network forensics
  Voice and video over IP analysis
  Compass dashboard
  Multi segment analysis
  System requirements
  Supported adapters and drivers
  Installing Omnipeek
  Renewing or upgrading subscription versions of Omnipeek
  Installing a Capture Engine
  Main program window and Start Page
Chapter 5 Dashboards
  Timeline dashboard
  Network dashboard
  Applications dashboard
  Voice & Video dashboard
  Compass dashboard
Index
CHAPTER 1
Introduction
Welcome to Omnipeek, the network analyzer and software console for distributed network analysis from
LiveAction!
Omnipeek allows network engineers to troubleshoot problems and perform statistical analysis on remote
segments from a single location, as shown in the diagram above. A single Capture Engine can also link to
multiple installations of Omnipeek, allowing simultaneous connection and collaboration, as shown below.
The separately purchased Capture Engines have no user interface of their own. Capture Engines rely on
Omnipeek to provide a user interface through the Capture Engines window. For more information, see
Chapter 2, Using Omnipeek with Capture Engines. See also the Capture Engine for Omnipeek Getting Started
Guide that ships with the product or the online help in the Capture Engine Manager application.
Network forensics
Network forensics is the retrospective analysis of network traffic for the purpose of conducting an
investigation. You can use Omnipeek and the Capture Engines to capture, store, and data mine large volumes of
traffic data in order to investigate items such as network problems, security attacks, HR policy violations,
and more.
See Chapter 4, Forensic Search or online help for information on how to perform a forensic search on your
own network.
Compass dashboard
The Omnipeek Compass dashboard provides an interactive forensics view of key network statistics, which
can be graphed, dynamically interacted with, and reported on. With its unique ability to aggregate traffic
from multiple segments, the Compass dashboard provides network engineers with more visibility and
insight into their networks.
The Compass dashboard offers both real-time and post-capture monitoring of high-level network statistics
with drill down capability into packets for the selected time range. Using the Compass dashboard, multiple
files can be aggregated and analyzed simultaneously. For more information, see Compass dashboard on
page 39.
sion, report anomalies, and provide graphical visualization of multiple segments across the network. For
more information, see Chapter 9, Multi-Segment Analysis.
System requirements
The system requirements for Omnipeek are:
• Windows 11, Windows 10, Windows 8.1 64-bit, Windows 7 64-bit, Windows Server 2019, Windows Server
2016, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008 R2 64-bit
Note For Windows 7 and Windows Server 2008 R2, SHA-2 code signing is required to run Omnipeek.
Typically, for users that are updated automatically using Microsoft Update, this is installed
automatically; otherwise, you will need to install the SHA-2 update manually. See Microsoft
KB3033929.
Omnipeek supports most rack mount, desktop and portable computers as long as the basic system
requirements to run the supported operating systems are met. Depending on traffic and the particular
usage of Omnipeek, the requirements may be substantially higher.
The following system is recommended for Omnipeek:
• Intel Core i3 or higher processor
• 4 GB RAM
• 40 GB available hard disk space
Factors that contribute towards superior performance include high speed CPU, number of CPUs, amount of
RAM, high performance disk storage subsystem (RAID 0), and as much additional hard disk space as is
required to save the trace files that you plan to manage.
Supported operating systems require users to have Administrator level privileges in order to load and
unload device drivers, or to select a network adapter for the program’s use in capturing packets. For more
information, please see our Web site at https://www.liveaction.com/products/.
Installing Omnipeek
To install Omnipeek:
1. Run the Omnipeek installer (e.g., Omnipeek_xx.x.x.msi). The installer removes any previous versions of
Omnipeek.
2. Follow the installation instructions that appear on the screen.
During installation you are asked to enter a valid product key. When prompted, you can select from the
following:
• Automatic: The installer uses your Internet connection to send an encrypted message to an
activation server, which retrieves and installs a license file.
• Manual: The installer guides you through generating a license file through a web page. Follow the
instructions to access the web activation page, fill in the required information, and you are provided
with a license file. The installer then guides you through installing the license file.
For more information about the product activation process, please see our website at:
https://www.liveaction.com/support/frequently-asked-questions/.
3. When the Installer has finished installing the program files, you can choose to view the Readme or
launch the program.
Note The Capture Engine Manager is installed by default with Omnipeek. This application lets you
configure and update settings for the separately purchased Capture Engines. For information,
see the Capture Engine for Omnipeek Getting Started Guide or the online help in the Capture
Engine Manager application.
• Click Renew subscription now to open the Omnipeek activation dialog where you can renew your
existing license, or update to a new license.
• Click Do not renew subscription to continue to use Omnipeek until your subscription expires.
[Figure: Omnipeek main program window, with callouts for the Toolbar, Start Page, and Status Bar]
• Toolbar: Provides buttons for frequently-used tasks in Omnipeek. To display different toolbars or to
customize toolbar options, on the View menu, click Toolbars.
• Start Page: Provides buttons for creating a new capture, opening saved capture files, and viewing the
Capture Engines window. Additionally, the Start Page lists ‘What’s new’ in the version of Omnipeek, and
also provides links to useful resources, both local and online.
• Status Bar: Shows brief context-sensitive messages on the left and the current monitor adapter on the
right. To toggle the display of the status bar, on the View menu, click Status Bar.
If you are using Omnipeek as a console for distributed Capture Engines, you will need to connect to the
Capture Engines from the Capture Engines window in Omnipeek. (If you are using Omnipeek as a portable
network analyzer only, and not as a console for distributed Capture Engines, you do not need to review this
section.)
Capture Engines let you capture and analyze data at any location across the network. Capture Engines
perform real-time network analysis from the Omnipeek console on traffic from one or more network
interfaces, including Ethernet, 802.11 a/b/g/n/ac wireless, 1 Gigabit, and 10 Gigabit.
The Capture Engines window in Omnipeek lets you view and interact with Capture Engines, which have no
user interface of their own.
Note Both Omnipeek and Capture Engine Manager maintain the same list of Capture Engines. Making
a change in either program automatically updates the list in the other program.
Tip You can add multiple engines to the Capture Engines window by clicking Insert Engine.
4. Click Insert Group to add a new group of engines to the Capture Engines window. A new group folder
appears.
5. Select the Capture Engine group folder and click Insert Engine to add a Capture Engine to the group.
Capture windows are the main interface for presenting traffic analysis information about your network.
Omnipeek lets you create capture windows for local captures, as well as remotely from multiple interfaces
to an unlimited number of distributed Capture Engines.
You can create multiple configurable capture windows, each with its own selected adapter and its own
capture settings. The number of capture windows you can have open at one time is limited only by the amount
of available system resources.
When configuring a capture window’s capture settings, keep in mind that the window’s capture
performance can be directly related to the number and type of capture options that you have enabled. For
example, enabling more options may give you more data, but may come at the price of a greater likelihood of
not capturing all the data.
How much data (and therefore how many capture options) a capture can handle is determined by the
system memory and CPU power of the Omnipeek or Capture Engine computer, the amount and kind of data
that is being captured, and the number of capture options and analysis modules that are enabled. Capture
options such as Capture to disk, Expert Analysis, and Graphs, and analysis modules such as VoIP Analysis,
consume much more machine resources than others.
[Figure: Omnipeek capture options]
Note Click Help on the dialog for more information on how to configure these options. For a
description of other configuration options, see the Omnipeek User Guide or online help.
[Figure: capture window, with a callout for the capture window views]
5. Click Start Capture to begin capturing packets. Start Capture changes to Stop Capture and traffic statistics
begin to populate the Network dashboard of the capture window.
6. Click the capture window views in the navigation bar to view captured packets, expert and statistical
analysis of the data, the Peer Map display, and more.
7. Click Stop Capture to end the capture. You can choose to save, discard, or resume the capture.
Tip To resume capturing from where you left off, hold down the Alt key and click Start Capture. To
empty the capture buffer and start a new capture, simply click Start Capture again.
3. From the Home tab, click New Capture and select the type of capture that you would like to create:
Note You can also select the options below from the Insert drop-down list available from the
Captures tab, and from the New Capture options available from the Adapters tab.
• New Capture…: This option lets you create a new Capture Engine capture based on the capture
settings that you define.
• New “Forensics Capture”: This option lets you create a new Capture Engine capture based on a
forensic capture template configured for post-capture forensic analysis.
• New “Monitoring Capture”: This option lets you create a new Capture Engine capture based on a
monitoring capture template configured to view higher level expert and statistical data in a
continuous real-time capture.
• Edit Capture Templates: This option opens the Capture Templates dialog and allows you to create
new or edit existing capture templates.
The General options of the Capture Engine Capture Options dialog appear.
Note Click Help on the dialog for more information on how to configure these options. For a
description of other configuration options, see the Omnipeek User Guide or online help.
[Figure: Capture Engine capture window, with a callout for the capture window views]
7. Click Start Capture to begin capturing packets. Start Capture changes to Stop Capture and traffic statistics
begin to populate the Network dashboard of the capture window.
8. Click the capture window views in the navigation bar to view captured packets, expert and statistical
analysis of the data, the Peer Map display, and more.
9. Click Stop Capture when you want to stop collecting packets into the Capture Engine capture buffer.
Note Users without permission to create or modify Capture Engine capture windows will find features
grayed out, missing, or receive an error message indicating the task is not allowed. For details,
see the Capture Engine for Omnipeek Getting Started Guide.
Note When opening large files, a progress bar in the status bar of the file window appears displaying
the progress of packet processing.
Tip From the Open dialog, you can click the Filter button to open the Filter dialog, which allows you
to select both the filters and analysis options to apply to each of the files that you select to
open. By applying one or more filters, you can greatly reduce the amount of data you are opening
to only the data you are interested in analyzing. For example, if you want to load only the
packets from the files which match a particular IP address, you can create a simple filter from
the dialog and then select that filter when opening the files.
By disabling analysis options, you can free up system resources resulting in faster performance.
These analysis options are typically displayed in the navigation pane of a capture window.
Enabling/disabling analysis options is also available from the Capture menu (on the Capture
menu, click Analysis Options).
• Events Timeline: The events timeline is a small line below the overview graph which visualizes the
volume and severity of events in the capture file. It represents event counts by size (the larger the dot,
the more events in that range), and color (representing the severity of those events). You can right-click
inside the overview graph to show or hide the events timeline.
• Summary Info: The summary info located to the left of the overview graph displays the time range and
various counts (packets, flows, files, events, applications, IP addresses, countries) in the capture file.
When a selection is made in the overview graph, the summary info is updated and displays the counts
for the selection, as well as the totals for the entire capture file.
Tip You can show/hide the Overview graph from the View menu: On the View menu, click Overview.
[Figure: Files view, with callouts for Make Filter, Insert Into Name Table, Flow Visualizer, Resolve Names, List View, Toggle Details, Search, Filter Files, and the Details, Headers, and Contents tabs]
• Details: Displays files in the list view as a details list with multiple columns. You can click a column
header to sort the files by that column. You can right-click a column header to add or remove
columns. You can also view this information in the Details tab of the details pane.
• Toggle Details: Toggles the details pane to appear either below or to the right of the list view (or hidden
completely). You can also resize the details pane by dragging the resize control located between the
details pane and list view. The details pane consists of the following tabs:
• Details: Displays various information about the selected file. You can also view this information in
the list view by toggling the list view to the Details option. To copy any text within this tab to the
clipboard, select the text, right-click, and click Copy.
• Headers: Displays request and response headers for the selected file. To copy any text within this
tab to the clipboard, select the text, right-click, and click Copy.
• Contents: Displays file contents as an image, text, or binary data. You can right-click inside the tab to
change the display mode to Auto, Image, Text, or Binary. Selecting Auto will pick the best mode
depending on the type of file. In Image mode, at the top of the contents tab, a small area displays
information about the image (proportions and color information). In Text mode, there are
additional options to set the text encoding used. In Binary mode, there are additional options to
change the display of data and offsets. To copy any text within this tab to the clipboard, select the
text, right-click, and click Copy.
• Search: Allows you to search the list of files for the text string that you enter in the text box. You can
search file names, request/response headers, or file contents by selecting the option from the
drop-down list to the left of the text box.
• Filter Files: Allows you to filter the file list by content-type. The drop-down list contains common
content-types (for example, image/*, text/*). Additionally, you can type in any content-type (for
example, image/png) to filter files by that content-type. This essentially acts as a display filter—only
files which are of the type specified are displayed; non-matching files are hidden.
Forensic Search
Network forensics is the retrospective analysis of network traffic for the purpose of conducting an
investigation. You can use Omnipeek to capture, store, and data mine large volumes of traffic data in order to
investigate items such as network problems, security attacks, HR policy violations, and more.
From the Capture Engine window, you can perform network forensics analysis from the Files or Forensics tab
of a connected Capture Engine. See Forensic search from the Files tab on page 18 and Forensic search from
the Forensics tab on page 21.
Note You can also perform forensic analysis directly from a ‘Forensics Capture’ window. See Forensic
search from the ‘Forensics Capture’ window on page 27.
Important! One or more capture files saved to the Capture Engine computer are required before you can
perform a forensic search.
Tip Right-click inside the list of files for additional options for performing a forensic search,
grouping files, uploading and downloading packets, deleting files, synchronizing files to the file
system on the hard disk, and refreshing the display.
Note Selecting one of the pre-defined types of forensic searches displays the Forensic Search dialog
with the Analysis & Output options pre-configured for that type of forensic search. You can
change any option prior to clicking Start.
4. Complete the dialog to specify the criteria for extracting data from the selected capture files:
• Name: Enter a name for the forensic search.
• Files: Choose one of the following:
• Search all files: Select this option to search through all of the files listed in the Files tab.
• Search selected files: Select this option to search through only the selected files in the Files tab.
• Captures: Select this option and then select the capture to search from those listed in the Capture
column of the Files tab.
• Network Media: Choose one of the following:
• Media type: Select this option and then select the media type to extract only the data of a
specific media type.
• Adapter: Select this option and then select the adapter to extract only the data captured by a
specific adapter.
• Time Range: Select this option and then configure the start and end times to extract the data.
• Start time: Set the start date and time for extracting data. Only the data captured between the
start time and end time is extracted.
• End time: Set the end date and time for extracting data. Only the data captured between the
start time and end time is extracted.
• Duration: Displays the amount of time between the specified start and end times.
• Filters: Click to select a filter from the display list. All packets will be accepted if no filters are
applied to the forensic search.
To create an advanced filter, click Filters and select Insert filter, Insert Operator, or Insert Expression
from the display.
• Analysis & Output: Select one or more of the options to enable and display that particular view in
the new Forensic Search window. For various Analysis & Output options that have additional
configurable settings, click the submenu to the right of the option.
5. Click Start. A new Forensic Search window appears along with two progress bars at the top of the window.
(Clicking Stop stops the search and then completes the processing of the packets.)
Once the processing of the packets is complete, the progress bars go away and the new Forensic Search
window is populated with the data found based on the criteria you selected above.
6. From the new Forensic Search window, you can further narrow down the data by performing any of the
post-capture analysis methods described in the Omnipeek User Guide.
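The selection logic of the steps above (a time range plus an address filter, with every packet accepted when no filter is applied), sketched over a classic pcap byte string as an added example. This is not Omnipeek code or its file handling; the function names, the sample addresses, and the timestamps are constructed for illustration, and only untagged Ethernet/IPv4 frames are decoded.

```python
import ipaddress
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src, dst):
    """Constructed Ethernet + 20-byte IPv4 header (no payload) for the sample."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip


def build_pcap(packets):
    """Serialize (epoch_seconds, frame) pairs into a classic pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) records; stop cleanly at a truncated record."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    fields = struct.unpack_from("<IHHiIII", data, 0)
    if fields[0] != PCAP_MAGIC_LE or fields[6] != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl > len(data):
            break  # last record was cut off, e.g. capture stopped mid-write
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def ipv4_addrs(frame):
    """Return (src, dst) for an untagged Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return (str(ipaddress.IPv4Address(frame[26:30])),
            str(ipaddress.IPv4Address(frame[30:34])))


def forensic_search(data, start=None, end=None, ip=None):
    """Extract packets inside [start, end] that involve `ip`.

    Any criterion left as None is not applied, so a search with no
    criteria accepts every packet.
    """
    hits = []
    for ts, frame in read_pcap(data):
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        addrs = ipv4_addrs(frame)
        if ip is not None and (addrs is None or ip not in addrs):
            continue
        hits.append((ts, addrs))
    return hits


# Constructed sample capture: four packets over ten minutes.
T0 = 1660900000
SAMPLE = build_pcap([
    (T0 + 0,   build_frame("10.0.0.5", "192.0.2.10")),
    (T0 + 60,  build_frame("10.0.0.7", "198.51.100.4")),
    (T0 + 120, build_frame("192.0.2.10", "10.0.0.5")),
    (T0 + 600, build_frame("10.0.0.5", "203.0.113.9")),
])

if __name__ == "__main__":
    for ts, addrs in forensic_search(SAMPLE, T0, T0 + 300, "10.0.0.5"):
        print(int(ts - T0), addrs)
```

Narrowing the time range first keeps the address filter from touching packets outside the window under investigation, which matters when the stored capture is large.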
Important! One or more forensic captures on the Capture Engine are required before you can perform a
forensic search from the Forensics tab.
[Figure: Forensics tab, with a callout for the nested tabs]
• Top Protocols by Bytes: This display shows a graph of top protocols on the network for the selected
area in the Timeline graph below. You can right-click inside the display to toggle the display with
the Top Applications display, or to select a Bar or Pie display. Mouse over a bar (or slice) of the graph
to view a tooltip with additional details for the protocol.
• Timeline graph: The Timeline graph displays the data of the selected capture session. Only one
capture session at a time can be displayed inside the graph. By default, the graph shows network
utilization in Mbits/s, but other statistics can be graphed as well by selecting the View type.
Here are descriptions of other parts of the Timeline graph:
• Right-click inside the graph to perform a forensic search (see Forensic search below), download
selected packets to a capture file, refresh the window, or choose a different graph format: Bar,
Stacked Bar, Skyline, Area, Stacked Area, Line, Line/Points, Linear, and Logarithmic.
Additionally, you can also toggle displaying the minimum and maximum points for each series
on the graph.
• Mouse over a data point in the graph to view a tooltip displaying timestamp and size
information (e.g., time and rate, time and packet size, etc.).
• Any time there is more data than can be displayed on the screen, a scroll bar appears below the
graph and allows you to view different points of time in the graph. (If the Time window is set to
Automatic, the scroll bar will never appear.)
• If the Time window is set to anything other than Automatic, a scroll bar appears below the
graph and allows you to view different points of time in the graph.
• View type: Select the type of statistics to display in the Timeline graph. You can select from:
• Network Utilization (Mbits/s)
• Network Utilization (Packets/s)
• Unicast/Multicast/Broadcast
• Packets sizes
• VLAN/MPLS
• Protocols (Mbits/s)
• Protocols (Packets/s)
• Call Quality
• Call vs. Network Utilization
• Wireless Packets (Packets/s)
• Wireless Retries (Packets/s)
Note To display statistics for a Call Quality or Call vs. Network Utilization view type, the VoIP Stats
option must be selected when you first create the capture and configure the General options of
the Capture Options dialog.
• Time window: Select the time interval to display in the Timeline graph. By default, Automatic is
selected to display the optimum window based on the available data. Intervals from 5 Minutes (1
Sec. Avg.) to 24 Hours (5 Min. Avg.) are also available.
• Forensic search: Click to display the Forensic Search dialog where you can adjust the forensic search
settings. Click the small down arrow next to Forensic Search to display custom or pre-configured
settings for performing a forensic search. You can change any option prior to clicking Start:
• Custom: Creates a Forensic Search window based on the customized settings that you configure.
• Overview: Creates a Forensic Search window based on settings that display an overview of the
selected data in the capture session.
Important! A session represents a contiguous period of time when packets are captured from a particular
interface. A session is created each time you start a capture. A capture can have multiple
sessions, and each session can be separated by periods of inactivity. Forensic analysis can then
be performed on each session. Sessions are displayed in any of the nested tabs available from
the Forensics tab.
3. In the Timeline graph, drag to select the area of the selected capture you wish to search. If no area of
the graph is selected, the entire capture is selected by default.
Note The packet count displayed above the Timeline graph is an approximation of the packets
currently selected.
Tip You can adjust the exact time range from the Forensic Search dialog.
4. Click Forensic Search (or click the small down arrow next to Forensic Search and select the type of forensic
search you wish to perform). The Forensic Search dialog appears.
Note Selecting one of the pre-defined types of forensic searches displays the Forensic Search dialog
with the Analysis & Output options pre-configured for that type of forensic search. You can
change any option prior to clicking Start.
5. Complete the dialog to specify the criteria for extracting data from the selected capture:
Note If you wish to perform a forensic search on a capture session that is active and is currently
capturing packets, we recommend that you stop the capture first before performing the
forensic search. If you continue without stopping the capture first, make sure to clear the
Packets check box in the Forensic Search dialog before clicking OK.
7. From the new Forensic Search window, you can further narrow down the data by performing any of the
post-capture analysis methods described in the Omnipeek User Guide.
[Figure: Timeline nested tab, with callouts for the Day Timeline, Month Timeline, and Year Timeline bands]
Here are some useful notes for using the Timeline nested tab:
• Capture sessions are represented with a horizontal green or blue bar and the name of the main parent
capture. Simply click a capture session to view its data within the Timeline graph above.
• Only one capture session at a time can be selected and displayed in the Timeline graph.
• A capture session that is highlighted with an orange vertical bar indicates it is currently selected. A
capture session that has green colored text indicates it is currently active and is capturing packets.
• Capture sessions may be overwritten by another session in the same capture if the capture was created
as a ‘continuous capture,’ and the session ‘wraps’ after exceeding the disk space allocated for the
capture.
If a capture session ‘wraps,’ the horizontal green or blue bar appears with a lighter color to indicate that
capture sessions were overwritten. Any data that is overwritten is no longer available for analysis.
• Drag inside a timeline band to view different points of time within the timeline band. The other timeline
bands will move accordingly.
• Right-click inside a timeline band to quickly move to various points within the timeline. You can select
from:
• Go to Current: Moves all three timeline bands so that the currently selected capture session is
centered inside the display.
• Go to Now: Moves all three timeline bands so that the current time is centered inside the display.
• Go to Earliest: Moves all three timeline bands so that the earliest available capture session is
centered inside the display.
• Go to Latest: Moves all three timeline bands so that the latest available capture session is centered
inside the display.
Here are some useful notes for using the Storage nested tab:
• A capture session that is colored orange indicates it is currently selected. A capture session that is
colored green indicates it is currently active and is capturing packets.
• Capture sessions may be overwritten by another session in the same capture, if the capture was created
as a ‘continuous capture’ and the session ‘wraps’ after exceeding the disk space allocated for the
capture. When data from a capture session is overwritten with new data, the old data is no longer
available for analysis.
• Only one capture session at a time can be selected and displayed in the Timeline graph.
• Mouse-over a capture session container to view a tooltip displaying details about the capture session.
• Right-click a capture session to display the following options:
• View: Loads the selected capture session into the Timeline graph above.
• Delete Capture: Removes the selected capture and all of its capture sessions, packet data, and
statistics from the capture storage space on the Capture Engine. You will be prompted to verify any
deletions. Only a parent capture, and not individual capture sessions, can be deleted from the list.
• Delete All Captures: Removes all captures, capture sessions, packet data, and statistics from the
capture storage space on the Capture Engine. You will be prompted to verify any deletions.
• Show Unreserved Space: Displays the amount of space that is not currently being used as capture
storage space on the Capture Engine.
• Show Legend: Displays a color-coded legend for the capture sessions.
Here are some useful notes for using the Details nested tab:
• A capture session that is colored orange indicates it is currently selected. A capture session that is
colored green indicates it is currently active and is capturing packets.
• Capture sessions may be overwritten by another session in the same capture, if the capture was created
as a ‘continuous capture’ and the session ‘wraps’ after exceeding the disk space allocated for the
capture. An overwritten capture session is no longer available for analysis.
• Only one capture session at a time can be selected and displayed in the Timeline graph.
• Right-click a column heading to display or hide a specific column. Click a column heading to sort its
data.
• Right-click a capture session or parent capture to display the following options:
• View: Loads the selected capture session into the Timeline graph above. Only a capture session, and
not a parent capture, can be loaded into the Timeline graph.
• Delete Capture: Removes the selected capture and all of its capture sessions, packet data, and
statistics from the capture storage space on the Capture Engine. You will be prompted to verify any
deletions. Only a parent capture, and not individual capture sessions, can be deleted from the list.
• Delete All Captures: Removes all captures, capture sessions, packet data, and statistics from the
capture storage space on the Capture Engine. You will be prompted to verify any deletions.
• Expand All: Expands the list so that all capture sessions are displayed below the parent capture.
• Collapse All: Collapses the list so that all capture sessions are hidden below the parent capture.
Note You can also perform a forensic search from the Files or Forensics tab. See Forensic search from
the Files tab on page 18 and Forensic search from the Forensics tab on page 21.
[Figure: Timeline graph, with callouts for Header Information, View Type, Time Window, Forensic Search, Download Packets, Top Talkers by IP Address, Top Applications by Bytes, and Refresh]
• Any time there is more data than can be displayed on the screen, a scroll bar appears below the
graph and allows you to view different points of time in the graph. (If the Time window is set to
Automatic, the scroll bar will never appear.)
• If the Time window is set to anything other than Automatic, a scroll bar appears below the
graph and allows you to view different points of time in the graph.
• View type: Select the type of statistics to display in the Timeline graph. You can select from:
• Network Utilization (Mbits/s)
• Network Utilization (Packets/s)
• Unicast/Multicast/Broadcast
• Packets sizes
• VLAN/MPLS
• Protocols (Mbits/s)
• Protocols (Packets/s)
• Call Quality
• Call vs. Network Utilization
• Wireless Packets (Packets/s)
• Wireless Retries (Packets/s)
Note To display statistics for a Call Quality and Call vs. Network Utilization view type, the VoIP Stats
option must be selected when the capture was created and configured in the General options
of the Capture Options dialog.
• Time window: Select the time interval to display in the Timeline graph. By default, Automatic is
selected to display the optimum window based on the available data. Intervals from 5 Minutes (1
Sec. Avg.) to 24 Hours (5 Min. Avg.) are also available.
• Forensic search: Click to display the Forensic Search dialog where you can adjust the forensic search
settings. Click the small down arrow next to Forensic Search to display custom or pre-configured
settings for performing a forensic search. You can change any option prior to clicking Start:
• Custom: Creates a Forensic Search window based on the customized settings that you configure.
• Overview: Creates a Forensic Search window based on settings that display an overview of the
selected data in the capture session.
• Packets: Creates a Forensic Search window containing a packets-only view.
• Expert: Creates a Forensic Search window based on settings that are optimized for Expert
analysis.
• Voice & Video: Creates a Forensic Search window based on settings that are optimized for Voice &
Video analysis.
• Download Packets: Click to download the packets from the selected time range.
• Refresh: Click to refresh the screen. For an active capture session, you can also set an automatic
refresh interval by selecting an interval from the drop-down list to the right of Refresh.
3. In the Timeline graph, drag to select the area of the capture you wish to search. If no area of the graph is
selected, the entire capture is selected by default.
Note The packet count displayed above the Timeline graph is an approximation of the packets
currently selected.
Tip You can adjust the exact time range from the Forensic Search dialog.
4. Click Forensic Search (or click the small down arrow next to Forensic Search and select the type of forensic
search you wish to perform). The Forensic Search dialog appears.
Note Selecting one of the pre-defined types of forensic searches displays the Forensic Search dialog
with the Analysis & Output options pre-configured for that type of forensic search. You can
change any option prior to clicking Start.
5. Complete the dialog to specify the criteria for extracting data from the selected capture:
• Name: Enter a name for the forensic search.
• Time Range: Select this option and then configure the start and end times to extract the data.
• Start time: Set the start date and time for extracting data. Only the data captured between the
start time and end time is extracted.
• End time: Set the end date and time for extracting data. Only the data captured between the
start time and end time is extracted.
• Duration: Displays the amount of time between the specified start and end times.
• Filters: Click to select a filter from the display list. All packets will be accepted if no filters are
applied to the forensic search.
To create an advanced filter, click Filters and select Insert filter, Insert Operator, or Insert Expression
from the display.
• Analysis & Output: Select one or more of the options to enable and display that particular view in
the new Forensic Search window. For various Analysis & Output options that have additional
configurable settings, click the submenu to the right of the option.
6. Click Start. A new Forensic Search window appears along with two progress bars at the top of the window.
(Clicking Stop stops the search and then completes the processing of the packets.)
Once the processing of the packets is complete, the progress bars go away and the new Forensic Search
window is populated with the data found based on the criteria you selected above. The name of the
Forensic Search window is added to the list of currently active forensic searches in the Forensic Searches
tab.
7. From the new Forensic Search window, you can further narrow down the data by performing any of the
post-capture analysis methods described in the Omnipeek User Guide.
Dashboards
The Omnipeek dashboards display graphical data about your network summarized into several easy-to-read
displays. There are five dashboards available with Omnipeek: Timeline, Network, Applications, Voice &
Video, and Compass.
Timeline dashboard
The Timeline dashboard is available from Capture Engine capture windows that have any of the Timeline
Stats options enabled in the Capture Options dialog. The dashboard displays top talkers, top protocols, and
network utilization for the Capture Engine.
[Figure: Timeline dashboard, with callouts for Timeline Graph, Header Information, View Type, Time Window, Forensic Search, Download Packets, Top Talkers by IP Address, Top Applications by Bytes, and Refresh]
• Top Applications by Bytes: This display shows a graph of top applications on the network for the
selected area in the Timeline graph. You can right-click inside the display to toggle the display with the
Top Protocols display, or to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a
tooltip with additional details for the application.
• Top Protocols by Bytes: This display shows a graph of top protocols on the network for the selected
area in the Timeline graph. You can right-click inside the display to toggle the display with the Top
Applications display, or to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a
tooltip with additional details for the protocol.
• Timeline graph: The Timeline graph displays the data of the selected capture session. Only one capture
session at a time can be displayed inside the graph. By default, the graph shows network utilization in
Mbits/s, but other statistics can be graphed as well by selecting the View type.
Here are descriptions of other parts of the Timeline graph:
• Right-click inside the graph to perform a forensic search, download selected packets to a capture
file, refresh the window, or choose a different graph format: Bar, Stacked Bar, Skyline, Area, Stacked
Area, Line, Line/Points, Linear, and Logarithmic. Additionally, you can also toggle displaying the
minimum and maximum points for each series on the graph.
• Mouse over a data point in the graph to view a tooltip displaying timestamp and size information
(e.g., time and rate, time and packet size, etc.).
• Any time there is more data than can be displayed on the screen, a scroll bar appears below the
graph and allows you to view different points of time in the graph. (If the Time window is set to
Automatic, the scroll bar will never appear.)
• If the Time window is set to anything other than Automatic, a scroll bar appears below the graph
and allows you to view different points of time in the graph.
• View type: Select the type of statistics to display in the Timeline graph. You can select from:
• Network Utilization (Mbits/s)
• Network Utilization (Packets/s)
• Unicast/Multicast/Broadcast
• Packets sizes
• VLAN/MPLS
• Protocols (Mbits/s)
• Protocols (Packets/s)
• Applications (Mbits/s)
• Applications (Packets/s)
• Call Quality
• Call vs. Network Utilization
• Wireless Packets (Packets/s) (Capture Engine for Omnipeek (Windows) only)
• Wireless Retries (Packets/s) (Capture Engine for Omnipeek (Windows) only)
Note To display statistics for a Call Quality and Call vs. Network Utilization view type, the VoIP Stats
option must be selected when you first create the capture and configure the General options of
the Capture Options dialog.
• Time window: Select the time interval to display in the Timeline graph. By default, Automatic is
selected to display the optimum window based on the available data. Intervals from 5 Minutes (1
Sec. Avg.) to 24 Hours (5 Min. Avg.) are also available.
• Forensic search: Click to display the Forensic Search dialog where you can adjust the forensic search
settings. Click the small down arrow next to Forensic Search to display custom or pre-configured
settings for performing a forensic search. You can change any option prior to clicking OK:
Note When configuring the Forensic Search dialog, keep in mind that forensic search performance can
be directly related to the number and type of options that you have enabled.
• Custom: Creates a Forensic Search window based on the customized settings that you configure.
• Overview: Creates a Forensic Search window based on settings that display an overview of the
selected data in the capture session.
• Packets: Creates a Forensic Search window containing a packets-only view.
• Expert: Creates a Forensic Search window based on settings that are optimized for Expert
analysis.
• Voice & Video: Creates a Forensic Search window based on settings that are optimized for Voice &
Video analysis.
• Download Packets: Click to download the packets from the selected capture session, in the
selected time range.
• Refresh: Click to refresh the screen. For an active capture session, you can also set an automatic
refresh interval by selecting an interval from the drop-down list to the right of Refresh.
Network dashboard
The Network dashboard displays key statistics for the capture window.
• Network Utilization: This display graphs network traffic in Mbits/second. You can right-click inside the
display to drill-down to selected packets, or to select a Column, Skyline, Area, Line, or Line/Points
display.
• Wireless Signal: This display graphs wireless signal and/or noise strength (as a percentage) for the
wireless channel you are capturing on, or all channels you have configured the capture to scan. This
display is available only when a wireless adapter is selected as the capture adapter, or for a wireless
capture file. You can right-click inside the display to select the parameters to display. Hovering over a
channel will display a tooltip with additional channel information.
• Current Activity: This display shows network utilization (as a percent of capacity), traffic volume (in
packets per second), and error rate (total errors per second). You can right-click inside the display to
display values as numbers or as gauges, or to select an Automatic, Light, Dark, or Clean background
theme for the display.
• Events: This display shows the number of notifications generated by level of severity. You can right-click
inside the display to select an Automatic, Light, Dark, or Clean background theme for the display.
Clicking a severity icon navigates to the Events view and displays those events corresponding to the
severity clicked.
• Top Talkers by IP Address: This display shows a graph of top “talkers” on the network, broken out by
node. You can right-click inside the display to display top talkers by Physical Address, IP Address, IPv6
Address, or Country; or to select a Bar, Column, Pie or Donut display. Clicking a bar (or slice) of the
graph opens a Detail Statistics window populated with details for the node clicked.
Note This feature is automatically enabled for Capture Engine captures based on the Monitoring
Capture template. Top talkers are displayed as Not Available for Capture Engine captures using
the Forensic Capture template. See Forensics capture on a Capture Engine on page 54 and
Monitoring capture on a Capture Engine on page 55.
• Top Applications: This display shows a graph of top applications on the network. You can right-click
inside the display to toggle the display with the Top Protocols display, or to select a Bar, Column, Pie or
Donut display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the
application. Clicking a bar (or slice) of the graph opens a Detail Statistics window populated with details
for the application clicked.
• Top Protocols: This display shows a graph of top protocols on the network. You can right-click inside
the display to toggle the display with the Top Applications display, or to select a Bar, Column, Pie or
Donut display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the
protocol. Clicking a bar (or slice) of the graph opens a Detail Statistics window populated with details
for the protocol clicked.
Tip Several of the displays inside the Network dashboard support tooltips. Hover over the display to
view a tooltip with additional information.
You can also access additional options for viewing each display by clicking the small arrow in
the upper left corner of each display, or by right-clicking inside each display.
Applications dashboard
The Applications dashboard displays key statistics for applications in the capture window. This application
visibility provides insight into user behavior and traffic patterns on the network at certain times of day,
week, month, or year. It helps analysts better understand who is going to which web sites and using
which applications, and when.
• Top Applications by Flows: This display shows a graph of top applications by flow count. Clicking any
application in this display lets you drill-down to that application in the Expert Applications view. You can
right-click inside the display to select a Bar, Column, Pie or Donut display; select Auto Scale or Fixed
Scale; or to select an Automatic, Light, Dark, or Clean background theme for the display.
• Top Applications by Bytes: This display shows a graph of top applications by bytes. You can right-click
inside the display to toggle the display with the Top Protocols by Bytes display; select a Bar, Column,
Pie or Donut display; select Auto Scale or Fixed Scale; or to select an Automatic, Light, Dark, or Clean
background theme for the display. Mouse over a bar (or slice) of the graph to view a tooltip with
additional details for the application. Clicking a bar (or slice) of the graph opens a Detail Statistics
window populated with details for the application clicked.
• Top Protocols by Bytes: This display shows a graph of top protocols by bytes. You can right-click inside
the display to toggle the display with the Top Applications by Bytes display; select a Bar, Column, Pie or
Donut display; select Auto Scale or Fixed Scale; or select an Automatic, Light, Dark, or Clean
background theme for the display. Mouse over a bar (or slice) of the graph to view a tooltip with
additional details for the protocol. Clicking a bar (or slice) of the graph opens a Detail Statistics window
populated with details for the protocol clicked.
• Top Application Categories by Bytes: This display shows a graph of top application categories by bytes.
You can right-click inside the display to select a Bar, Column, Pie or Donut display; select Auto Scale or
Fixed Scale; or to select an Automatic, Light, Dark, or Clean background theme for the display. Mouse
over a bar (or slice) of the graph to view a tooltip with additional details for the application categories.
• Application Utilization: This display shows the top applications by bits per second. You can right-click
inside the display to select a Stacked Column, Skyline, Stacked Skyline, Area, Stacked Area, Line, or
Line/Points display; select whether the display is Linear or Logarithmic; show Min/Max values; or select
an Automatic, Light, Dark, or Clean background theme for the display. You can select an area of the
graph, right-click and choose Select Packets. Only packets available in the capture buffer will be
accessible for Select Packets.
• Application Response Time: This display shows response time of the top applications by largest
response time. You can right-click inside the display to select a Skyline, Area, Line, Line/Points or Points
display; select whether the display is Linear or Logarithmic; show Min/Max values; or select an
Automatic, Light, Dark, or Clean background theme for the display. You can select an area of the graph,
right-click and choose Select Packets. Only packets available in the capture buffer will be accessible for
Select Packets.
Tip Several of the displays inside the Applications dashboard support tooltips. Hover over the
display to view a tooltip with additional information.
You can also access additional options for viewing each display by clicking the small arrow in
the upper left corner of each display, or by right-clicking inside each display.
The parts of the Voice & Video dashboard are identified below.
• Call Summary: This display shows “Call Counter” information and “Closed Call Statistics” on voice and
video packet loss. In addition, the Call Summary displays the Max Call Time, which is the point in time
when the maximum call limit was reached. The Max Call Time is displayed in red text and will
dynamically appear. You can right-click inside the display to select an Automatic, Light, Dark, or Clean
background theme for the display.
• Call Quality Distribution: This display shows open and closed calls by quality based on MOS scores. You
can right-click inside the display to select a Bar, Column, Pie, or Donut display; or select an Automatic,
Light, Dark, or Clean background theme for the display.
MOS scores are calculated for each media flow independently, and each call’s quality is the lowest MOS
score of any of its associated media flows. Voice media is scored with MOS-CQ, video media with MOS-V,
and audio media with MOS-A.
The quality thresholds are as follows:
• <2.6 = Bad (displayed in Red)
• >=2.6 to <3.1 = Poor (displayed in Orange)
• >=3.1 to <3.6 = Fair (displayed in Yellow)
• >=3.6 = Good (displayed in Green)
Media flows with unsupported codecs are not included in the display since we cannot obtain MOS
values for these calls. Additionally, the display reflects the same data present in the Calls and Media
views, and therefore is affected by the 2000 call limit.
• Call Quality: This display shows call quality over time for calls classified as good, fair, poor, bad, and
unknown. You can right-click inside the display to select a Stacked Column, Skyline, Stacked Skyline,
Area, Stacked Area, Line, Line/Points, or Points display; show Min/Max values; or select an Automatic,
Light, Dark, or Clean background theme for the display. You can also select an area of the Call Quality
graph, right-click and choose Select Packets.
• Call Quality by Codec: This display shows a line graph of the quality for each codec in use over time.
You can right-click inside the display to select a Line, Line/Points, or Points display; show Min/Max
values; or select an Automatic, Light, Dark, or Clean background theme for the display. You can also
select an area of the Call Quality graph, right-click and choose Select Packets.
MOS scores are used for the quality measurement. Voice media shall be scored with MOS-CQ, video
media with MOS-V, and audio media with MOS-A.
The quality for a time period shall be the average of the MOS scores for all open media flows for that
time period. In addition, this graph will only display MOS scores for supported codecs as unsupported
codecs do not provide MOS measurements.
• Call Volume by Codec: This display shows a graph of open calls (per codec) over time for voice and
video calls. This graph reflects all calls from the Calls and Media view, and unlike the other graphs in the
dashboard, the Call Volume graph includes data for calls using unsupported codecs. You can right-click
inside the display to select a Stacked Column, Skyline, Stacked Skyline, Area, Stacked Area, Line,
Line/Points, or Points display; show Min/Max values; or select an Automatic, Light, Dark, or Clean
background theme for the display. You can also select an area of the Call Volume graph, right-click and
choose Select Packets.
• Call Utilization: This display shows a graph of overall network utilization compared to network
utilization by VoIP protocols. You can right-click inside the display to select a Skyline, Area, Line, or
Line/Points display; select whether the display is Linear or Logarithmic; show Min/Max values; or select
an Automatic, Light, Dark, or Clean background theme for the display. You can also select an area of
the Call Utilization graph, right-click and choose Select Packets.
This graph displays two legends: Network Utilization and Call Utilization. Utilization values are
displayed in Mbits/second. The VoIP utilization shall be the total utilization for all VoIP packets (i.e.,
signaling, media RTP/RTCP, and unsupported codecs).
Tip Several of the displays inside the Voice & Video dashboard support tooltips. Hover over the
display to view a tooltip with additional information.
You can also access additional options for viewing each display by clicking the small arrow in
the upper left corner of each display, or by right-clicking inside each display.
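The two MOS rules described for the Voice & Video dashboard (a call's quality is the lowest score of any of its media flows, while a codec's quality for a time period is the average over open flows) can give different pictures of the same traffic. The following is an added example, not Omnipeek code; the flow records, field names, and the test for a flow being open in a period are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple

# One media flow: call id, codec, MOS (None = unsupported codec, no score),
# and start/end in seconds from the start of the capture.
Flow = namedtuple("Flow", "call codec mos start end")

# Constructed sample flows (not real capture data).
FLOWS = [
    Flow("call-1", "G.711", 4.2, 0, 60),
    Flow("call-1", "G.711", 3.4, 0, 60),
    Flow("call-2", "G.729", 3.9, 10, 50),
    Flow("call-2", "H.264", 2.4, 10, 50),        # video flow drags call-2 down
    Flow("call-3", "G.711", 3.0, 30, 90),
    Flow("call-4", "unsupported", None, 20, 40),  # no MOS available
    Flow("call-5", "G.729", 3.8, 40, 80),
]


def classify(mos):
    """Map a MOS score to the guide's quality bands."""
    if mos < 2.6:
        return "Bad"
    if mos < 3.1:
        return "Poor"
    if mos < 3.6:
        return "Fair"
    return "Good"


def _open_during(flow, t0, t1):
    # Assumption: a flow counts as open if it overlaps the half-open period [t0, t1).
    return flow.start < t1 and flow.end > t0


def call_quality_distribution(flows):
    """Count calls per band; each call takes the lowest MOS of its scored flows."""
    worst = {}
    for f in flows:
        if f.mos is None:
            continue  # unsupported codecs have no MOS and are left out
        worst[f.call] = min(f.mos, worst.get(f.call, f.mos))
    counts = {"Bad": 0, "Poor": 0, "Fair": 0, "Good": 0}
    for mos in worst.values():
        counts[classify(mos)] += 1
    return counts


def quality_by_codec(flows, t0, t1):
    """Average MOS per codec over the scored flows open during [t0, t1)."""
    scores = defaultdict(list)
    for f in flows:
        if f.mos is not None and _open_during(f, t0, t1):
            scores[f.codec].append(f.mos)
    return {codec: round(sum(v) / len(v), 2) for codec, v in scores.items()}


def call_volume_by_codec(flows, t0, t1):
    """Open calls per codec during [t0, t1); unsupported codecs are counted."""
    calls = defaultdict(set)
    for f in flows:
        if _open_during(f, t0, t1):
            calls[f.codec].add(f.call)
    return {codec: len(ids) for codec, ids in calls.items()}


if __name__ == "__main__":
    print("Distribution:", call_quality_distribution(FLOWS))
    print("Quality by codec, 30-40 s:", quality_by_codec(FLOWS, 30, 40))
    print("Call volume by codec, 30-40 s:", call_volume_by_codec(FLOWS, 30, 40))
```

In this sample, call-2 is counted as Bad in the distribution because of its video flow, even though its G.729 voice flow contributes a 3.9 to the per-codec average; call-4 appears only in the call volume.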
Compass dashboard
The Compass dashboard is an interactive forensics dashboard that displays network utilization over time
including event, protocol, flow, node, channel, WLAN, VLAN, data rate, application, and country statistics.
These statistics are displayed in selectable Data Source widgets which can be viewed from a real-time
capture or from a single supported capture file.
Network Utilization Graph
Tip You can use the orange horizontal splitter located between the network utilization graph and
the Data Source widgets to resize the displays.
As you change the selected time range, the Data Source widgets will update accordingly to reflect the new
period. See Compass dashboard viewing tips on page 46 for additional information on using your mouse to
navigate inside the network utilization graph.
Tip For best results, it is recommended to zoom in on a selected time range until you can see the
details of the area of interest.
[Figure: Top graph of the Compass dashboard, with callouts for Overall Time Range, Report, Save as a Template, Select Data Source, Aggregate Data, Units, Graph Interval, Graph Types, TXRX Selection, and Select Related]
• Select Data Source: Enables/disables the Data Source widgets displayed inside the Compass
dashboard. If any Compass templates have been saved, you can select them from here.
Each Data Source widget displays statistics appropriate to the selected data source and for the selected
time range in the network utilization graph. The widget can be viewed as a List or Bar chart. See also
Data Source widgets on page 44.
The available Data Source widgets include:
• Expert Events
• Protocols
• Flows
• Nodes
• Channels
• WLAN
• VLAN
• Data Rates
• Applications
• Countries
Note For wired captures, the following Data Source widgets are not available: Channels, WLAN, and
Data Rates. For wireless captures, the VLAN Data Source widget is not available.
• Aggregate Data: Allows you to display the Y axis in the top and bottom graphs, Data Source widgets,
and legend as an aggregate of average, total, or maximum values:
• Average: In the top and bottom graphs, the average value for each time interval is graphed. In the
various Data Source widgets, the average value for the statistic over the selected time range is
graphed. If Bits, Bytes, Mbits, Gbits, Packets, or Retransmission Rate is the selected unit type, then
average calculations include non-values; otherwise, non-values are not included in the calculations.
Average calculations for Bits, Bytes, Mbits, Gbits, Packets, Signal Strength %, Noise Level %, and
Expert Events are rounded to the nearest whole number.
• Total: In the top and bottom graphs, the total value for each time interval is graphed. In the various
Data Source widgets, the total value for the statistic over the selected time range is graphed. If
2-Way Latency, Response Time, Signal Strength %, Signal Strength dBm, Noise Level %, Noise Level
dBm, SNR, or Data Rate is the selected unit type, then Total values are unavailable.
• Maximum: In the top and bottom graphs, the maximum value for each time interval is graphed. In
the various Data Source widgets, the maximum value for the statistic over the selected time range is
graphed.
• Units: Allows you to set the unit type in the Y axis of the top and bottom graphs, Data Source widgets,
and legend. Depending on the packet type and how they are aggregated, the available unit types
include:
• Bits. Displays byte count in bits.
• Bytes. Displays byte count in bytes.
• Mbits. Displays byte count in Mbits.
• Gbits. Displays byte count in Gbits.
• Packets. Displays the packet count.
• 2-Way Latency. Displays 2-way latency. 2-way latency is the delta time between a request from the
client, and a response from the server.
• Response Time. Displays response time. Response time is the delta time between a request packet
from the client, and a response packet with data from the server.
• Signal Strength % (Wireless traffic only). Displays signal strength of the wireless data transmission,
expressed as a percentage.
• Signal Strength dBm (Wireless traffic only). Displays signal strength of the wireless data
transmission, expressed in dBm (decibel-milliwatts).
• Noise Level % (Wireless traffic only). Displays the reported noise level of the wireless data
transmission, expressed as a percentage.
• Noise Level dBm (Wireless traffic only). Displays the reported noise level of the wireless data
transmission, expressed in dBm (decibel-milliwatts).
• SNR (Wireless traffic only). Displays Signal to Noise Ratio (SNR) of the wireless data transmission.
SNR is a measure of signal strength relative to background noise.
• Data Rate (Wireless traffic only). Displays data rate of the wireless data transmission.
• Retransmission Rate (Wireless traffic only). Displays retransmission rate percentage of the wireless
data transmission.
• Expert Events. Displays the total number of Expert events. Only the Expert events whose Event type
severity button is enabled and that are selected in the Expert Events Data Source widget are included
in the count. If no Expert events are selected in the Expert event view, then all events whose Event
type severity button is enabled are included.
Note Selecting a unit type of Mbits or Gbits, and also selecting an aggregate value of Average, displays
data in the graphs, Data Source widgets, and legend as a graph average, and not as the Average
Utilization (bit/s). To see the Average Utilization (bit/s), click the Summary view under Statistics
in the navigation pane of a capture window, and view the Network statistics.
• Graph Type: Displays the top graph as a line, scatter, bar, or area graph.
• TXRX Selection: Enables or disables graphing of both the inbound and outbound utilization values for
the selected statistics (except for flows). The outbound values appear as a slightly lighter color than the
inbound values in both the graphs view and legend. Inbound and outbound values are not available for
the 2-Way latency mode, Response Time mode, and Expert Events mode.
• Uncheck All: Click to clear the check boxes of all the selected items in each of the Data Source widgets.
• Reset: Click to reset the Network Utilization Graph to its original state as if it was fully selected.
• Zoom In: For selected time ranges of a certain length, Zoom In (+ sign) is enabled and allows you to
zoom into the selected time range so that you can increase granularity in milliseconds, seconds,
minutes, hours, and days. You can hover the mouse over Zoom In to display a tooltip that contains the
maximum time range that can be zoomed into. Selecting a time range less than or equal to it will
enable Zoom In. (See also Graph Interval below).
For example, if the graph is in seconds with a one second average, you can zoom into milliseconds with
a particular millisecond average; or, if the graph is in hours you can zoom into minutes. See the Graph
Interval table below for more information as to what the graph interval will be for a particular time.
Zoom In is not available in real-time capture mode.
• Zoom Out: Zoom Out (- sign) brings you back out of the previous Zoom In selection. Zoom Out is not
available in real-time capture mode.
• Graph Interval: Graph Interval is the amount of time for each data point in the graph and is
automatically adjusted based on the duration of the selected time range. The Graph Interval is updated
according to the following chart:
Graph Interval    Selected time range
1 second          30 minutes
30 seconds        15 hours
(doubles)...      (doubles)...
Note The graph interval chart is also valid for determining the minimum and maximum ranges of
time that can be zoomed into when viewing capture files. See also Zoom In above.
Additionally, millisecond graph intervals are not automatic and only occur during Zoom In and
are not valid for live captures.
• Event Markers: Indicates triggered Expert events in the selected time range. The event markers are color
coded to the Expert event severities displayed in the Expert Events Data Source widget.
• Time Range: The time range indicator below the X axis of the top graph indicates the duration of the
currently selected time range. Use the arrow and slider controls to adjust the selected time range.
• Time Window Selection Controls: The single arrow and double arrow selection controls allow you to
move the selected time range in the top and bottom graph left or right in one unit increments (single
arrows) or in increments of the entire selection (double arrows). The single arrow with a line selection
control allows you to move the selected time range in the top and bottom graph all the way to the left
or right.
• Slider Controls: The two slider controls allow you to widen and narrow the selected time range in the
top and bottom graph. In a real-time capture, the slider controls work as follows:
• If the left and right sliders are pushed all the way to the left and right (respectively), new data is
displayed on the right as it becomes available, and old data on the left remains. Thus, the duration
of the selected time range continuously increases.
• If the left and right sliders are not pushed all the way to the left and right (respectively), new data is
not displayed on the right as it becomes available, and old data on the left remains. Thus, the
duration of the selected time range is maintained.
• If the left slider is pushed all the way to the left but the right slider is not pushed all the way to the
right, new data is not displayed on the right as it becomes available, and old data on the left
remains. Thus, the duration of the selected time range is maintained.
• If the left slider is not pushed all the way to the left but the right slider is pushed all the way to the
right, new data is displayed on the right as it becomes available, and the old data is removed from
the left. Thus, the duration of the selected time range is maintained.
Tip You can drag the area between the slider controls left or right to select different parts of the top
and bottom graph.
• Legend: Displays a legend of the graphed items. The values in the legend are displayed as a total,
average, or maximum depending on what is selected in the Aggregate Data drop-down list. Click the
color boxes in the legend to show or hide entries from the graphs.
• Pause/Play (real-time capture only): Toggles between updating and not updating the graphs in real
time.
• Gripper: Allows you to drag the widget to a different location within the dashboard.
• Type: Displays the type of Data Source widget.
• Statistics: Displays the number of statistics over the selected time range within the top limit count.
• List View: Displays statistics in a list view.
• Bar Chart: Displays statistics in a bar chart.
• Resize: Drag to resize the Data Source widget.
• Close: Click to disable the widget from the dashboard.
List view
In the list view, the columns appropriate for the statistic and unit selected are displayed. By default, only
the top 50 items are listed. This limit can be adjusted through the Compass options dialog.
Bar chart
The statistics bar chart displays the top 10 statistics, with all other statistics grouped as ‘Others.’
3. Click Highlight selected packets, Hide selected packets, Hide unselected packets, Copy selected packets to new
window, or Label selected packets.
Note Selecting packets based on protocols will include child protocols in the protocol hierarchy.
Packets are the units of data carried on the network and the basis for all higher level network analysis. The
Packets view of a capture window is where you can view information about the individual packets transmitted
on your network. Capture windows also allow you to view the decoded packet contents, in raw, hexadecimal
and ASCII format.
Tip You can open individual Packet Decode windows for up to 10 packets at once. When multiple
packets are selected in the active Packet List, press Enter to open them all.
2. Click on the - minus or + plus signs in the margin to collapse or expand the view of any header section.
• Window header: Click Decode Previous or Decode Next at the top of the window to step through the
packets shown in the Packet List of the active capture window.
• Decode view: The body of the Decode view is laid out in the same order as it appears in the packet. A
quick glance at this section often reveals the source of trouble. Problems like a misconfigured
client, or incompatible versions of the same protocol from different vendors can be easily
understood when you can see and compare the packets themselves.
• Hexadecimal view: The Hex view at the bottom of the decode window shows the offset of the first
character in each line, the raw packet data in hex, and the ASCII version of raw packet data.
3. Highlight an item in one part of the window. The same bytes of the packet are highlighted in all the
other views or panes as well. The highlight matches in the Decode, Hex, and ASCII panes.
Color coding is used to link the Decode view with the Hex view for both Hex and its ASCII equivalent. The
Hex and ASCII views are in turn linked to the color of the protocol shown in the Protocols column of the
Packet List.
Tip Use Toggle Orientation in the toolbar to tile the Decode and Hex views vertically or horizontally.
Creating Filters
Filters let you focus on specific traffic. If you want to check a problem between two particular devices,
perhaps a computer and a printer, address filters can capture just the traffic between these two devices. If you
are having a problem with a particular function on your network, a protocol filter allows you to focus on
traffic related to that particular function.
Filters work by testing packets against the criteria specified in the filter. Packets whose contents meet these
criteria match the filter. You can build filters to test for just about anything found in a packet: addresses,
protocols, sub-protocols, ports, error conditions, and more. Filters are so easy to create that you can
often create a custom filter on-the-fly while analyzing suspect traffic on your network.
Note Filters created from a connected Capture Engine are available to that Capture Engine only. If
you are not connected to a Capture Engine and you create a filter, that filter is available for local
captures only.
Enabling a filter
In addition to the filters that you create, Omnipeek and the Capture Engines include numerous predefined
filters. You can enable one or more filters when capturing or monitoring packets.
To enable filters when capturing packets:
4. Click the Filters view in a capture window.
Note For a Capture Engine, you will need to send your selections to the Capture Engine by clicking
the bar below the toolbar icons labeled Click here to send changes.
6. Click Start Capture to begin capturing packets. Any packets that match the filters that are enabled are
placed into the capture buffer.
Alternately, you can choose to place the packets that do not match the filter in the capture buffer by
clicking Reject Matching.
Note For information on creating more advanced filters, refer to the Omnipeek User Guide or online
help.
Tip Click New Capture to create a new capture window that uses the filter that you are defining in
the Insert / Edit Filter dialog as the only enabled filter.
Expert Troubleshooting
The Expert features in Omnipeek and the Capture Engines provide real-time analysis of response time,
throughput, and a wide variety of network events and potential problems in a flow-centered view of traffic
in a capture window. You can also link end-user satisfaction with the performance of a network application
through the Application Performance Index (Apdex), an open standard that defines methods for reporting
application performance. See Applications view on page 58.
The Expert EventFinder detects nearly 200 different network events and provides descriptions, possible
causes, and possible remedies organized by OSI layer. Depending on your version of the program, network
events specifically related to VoIP, Wireless, WAN, and user-defined Network Policy items are also shown.
See Using the EventFinder on page 57.
2. Right-click in the upper pane to collapse or expand the hierarchy to display the most relevant
information. When expanded, Expert events are displayed by ports. Ports are shown with directional
arrows.
Tip In the Expert Clients/Servers view, sorting by Events can help pinpoint potential problems on
your network.
Note You can also right-click an event inside the Event Summary or Event Log tab and select
EventFinder Settings to display the Expert EventFinder Settings window.
4. Click Show Info to see a complete description, possible causes, and possible remedies for this network
event.
The Expert EventFinder Settings window also provides information on what sensitivity or setting value was
used to flag this event as significant. You can configure the value, threshold, and memory settings for
each individual expert event in the EventFinder window. You can also save these settings by exporting
them to a file and importing them later into another capture.
Applications view
The Expert Applications view categorizes each flow by application. Flows are grouped together by application,
providing a hierarchical view of the use of each application, first by server, then by client, and then by
port. This view allows you to see who is using each application on your network and how each application is
performing.
To display the Applications view:
• Select Applications under Expert in the navigation bar of a capture window.
CHAPTER 9
Multi-Segment Analysis
Important! The time it takes for Omnipeek to build and display an MSA project is dependent on the
number of segments, the number of flows, and the number of packets in each flow. MSA
includes a limit of 100,000 packets per flow (modifiable from Multi-Segment Analysis Options),
but there is no hard limit to the number of segments or flows that can be included in a project.
Be selective when choosing data for your MSA projects. If you find that an MSA project is taking
too long to build, you can cancel out and reduce your data set.
In order to facilitate the creation of MSA projects based on forensic searches, the following best practices
are suggested:
• Each Capture Engine should have a unique name. This can be done via the Capture Engine Manager, or
the Capture Engine Wizard.
• Make sure the time is accurate on all of the Capture Engines. If possible, configure the Capture Engine
to use an NTP server.
• Give each capture a unique name. For instance, name the captures based on the network segments.
• Once an MSA project (.msa file) has been created, you may want to save the packet files that were used
to create the MSA project for the following reasons:
• The packet files will be needed again if you want to add another segment to the MSA project.
• You may want to open a trace file related to a particular segment, to see different Omnipeek views,
such as the Packets or Flows view.
• It may be necessary to rebuild MSA projects to take advantage of new MSA features in future
versions of Omnipeek.
In addition, the following Capture Option settings must be enabled for MSA-based forensic searches:
• ‘Capture to disk’
• ‘Timeline Stats’ (on Classic Capture Engines only)
Note MSA-based forensic searches require Timeline Stats. Classic Capture Engines support Timeline
Stats starting with version 6.8.
Note When calculating the delay values for the flow map and ladder, MSA assumes that the client is
on the left, and the server is on the right. If you create MSA projects that include multiple flows,
all of the flows in the project should be initiated from the same direction. For example, flows
initiated by two nodes on the private side of a firewall would be suitable to include in a single
MSA project. Flows initiated by a node on the private side of a firewall, and flows initiated by a
node on the public side of a firewall would not be suitable to include in a single MSA project.
Flow list
The flow list displays a hierarchical list of flows for each capture source, including relevant information for
each flow (client/server addresses and ports, protocols, packet counts, etc.). The flow list is hierarchical, with
flows at the top level, and capture segments listed below the flow. Each capture segment includes statistics
for that flow. Selecting the check box next to a flow displays that flow in the flow map and ladder diagram
below.
Note For any MSA project that has multiple flows, only one flow at a time can be selected in the flow
list. The flow that is selected is displayed in the flow map and ladder diagram.
• Column header: Displays the column headings currently selected. Right-click the column header to
enable/disable columns. Here are the available columns:
• Flow/Segment: The name of the flow or segment.
• Client Addr: The address of the client for the flow.
• Client Port: The port on which the Client or Client Addr was communicating in the flow.
• Server Addr: The address of the Server or Server Addr for the flow.
• Server Port: The port on which the Server or Server Addr was communicating in the flow.
• Protocol: The protocol under which the packets in the flow were exchanged.
• Packets: The number of packets in the selected flow.
• Client Packets: The total number of packets sent from the Client or Client Addr in the flow.
• Server Packets: The total number of packets sent from the Server or Server Addr in the flow.
• Packets Analyzed: The total number of packets in the flow that were analyzed by Omnipeek’s MSA
component. ‘Packets Analyzed’ will be the same as ‘Packets,’ unless the number of packets in the
flow exceeds the packet limit, as configured in MSA options.
• Packets Lost: The number of packets missing in the segment. Packets which are identified as ‘lost’ in
a particular segment appeared in at least one other segment in the MSA project.
• Client Packets Lost: The number of packets lost in the client direction.
• Server Packets Lost: The number of packets lost in the server direction.
• Client Retransmissions: The number of TCP retransmissions sent by the client.
• Server Retransmissions: The number of TCP retransmissions sent by the server.
• Start: The timestamp of the first packet in the flow.
• Finish: The timestamp of the final packet in the flow.
• Duration: The elapsed time, from the first to the last packet in the flow.
• TCP Status: Notes whether the TCP session is open or closed.
• Columns…: Displays a dialog that lets you enable/disable and organize columns.
• Show All Columns: Displays all available columns.
Flow map
The flow map displays a graphical representation of the segments of the selected flow. Each segment in the
flow is displayed from end-to-end (client on the left and the server on the right), along with timing statistics
(average delay, minimum delay, and maximum delay) between each segment. Additionally, the hop count
between each segment is also displayed (the little number inside the cloud between the segments).
• Press the Ctrl key and use your scroll wheel (Ctrl+Wheel) to change segment widths.
• Arrows show the direction in which data flows.
• The client and server arrows use the same colors as Client/Server Colors (Tools > Options).
• The numbers in the clouds are hop counts, as determined by the Time to Live (TTL) values within the
packets. If there is one number in the cloud, then both the client and server hops are the same. If there
are two numbers in the cloud, then the client and server hops are different, indicating that the client
and server paths are different. If there are multiple paths in one direction, no hop count is displayed for
this direction. Hop counts greater than one are displayed in red. The TTL of each packet can be
displayed in the Ladder diagram.
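The hop-count rules above and the Packets Lost columns of the flow list can be reproduced outside the product when reviewing exported captures. The following is an added example, not Omnipeek code: the packet keys, segment names, TTL values and the "-" label for a direction with no hop count are all constructed for illustration.

```python
from collections import namedtuple

# One observed packet: direction ("c2s" = client to server, "s2c" = server to
# client), a key identifying the same packet in every segment (assumed to be
# derived from fields such as IP ID and TCP sequence number), and the IP TTL
# seen at that capture point.
Pkt = namedtuple("Pkt", "direction key ttl")

# Constructed sample data, ordered from the client side to the server side.
SEGMENTS = [
    ("client-lan", [Pkt("c2s", 1, 128), Pkt("c2s", 2, 128), Pkt("c2s", 3, 128),
                    Pkt("s2c", 101, 60)]),                 # s2c 102 never arrived
    ("dmz",        [Pkt("c2s", 1, 127), Pkt("c2s", 3, 127),  # c2s 2 not captured
                    Pkt("s2c", 101, 61), Pkt("s2c", 102, 61)]),
    ("server-lan", [Pkt("c2s", 1, 125), Pkt("c2s", 2, 125),
                    Pkt("c2s", 3, 124),                     # took a longer path
                    Pkt("s2c", 101, 64), Pkt("s2c", 102, 64)]),
]


def hop_counts(seg_a, seg_b):
    """Hop count per direction between two adjacent segments.

    seg_a is nearer the client, seg_b nearer the server. TTL drops by one per
    router, so c2s hops = TTL(a) - TTL(b) and s2c hops = TTL(b) - TTL(a).
    A direction with more than one distinct value (multiple paths) or with no
    packet seen in both segments yields None.
    """
    ttl_a = {(p.direction, p.key): p.ttl for p in seg_a}
    diffs = {"c2s": set(), "s2c": set()}
    for p in seg_b:
        ident = (p.direction, p.key)
        if ident not in ttl_a:
            continue
        if p.direction == "c2s":
            diffs["c2s"].add(ttl_a[ident] - p.ttl)
        else:
            diffs["s2c"].add(p.ttl - ttl_a[ident])
    return {d: (next(iter(v)) if len(v) == 1 else None) for d, v in diffs.items()}


def cloud_label(hops):
    """One number when both directions agree, otherwise client/server values."""
    c, s = hops["c2s"], hops["s2c"]
    if c is not None and c == s:
        return str(c)
    return "/".join("-" if h is None else str(h) for h in (c, s))


def clouds(segments):
    """Labels for every cloud between adjacent segments, client to server."""
    return [cloud_label(hop_counts(a[1], b[1]))
            for a, b in zip(segments, segments[1:])]


def packets_lost(segments):
    """Per segment: packets absent here but present in at least one other segment."""
    seen = {name: {(p.direction, p.key) for p in pkts} for name, pkts in segments}
    lost = {}
    for name, idents in seen.items():
        elsewhere = set().union(*(v for n, v in seen.items() if n != name))
        missing = elsewhere - idents
        lost[name] = {d: sum(1 for m in missing if m[0] == d)
                      for d in ("c2s", "s2c")}
    return lost


if __name__ == "__main__":
    print(clouds(SEGMENTS))
    print(packets_lost(SEGMENTS))
```

A direction that reports no hop count, or a segment with losses in only one direction, is a prompt to check for asymmetric routing or a capture point that is dropping packets before drawing conclusions from the delay figures.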
Ladder
The ladder diagram displays the flow of packets amongst the segments represented by the capture sources,
along with information such as timing.
• Red boxes are packets that close the connection (FIN or RST).
• Right-click inside the diagram to show/hide additional statistics, or to adjust the time scale of the
ladder.
• The following keyboard/scroll wheel shortcuts are available from the ladder display:
• Wheel+Ctrl: Changes the time scale.
• Wheel+Ctrl+Shift: Zoom the time scale.
• Wheel+Ctrl+Shift+Alt: Change the segment width.
• Ctrl+Alt+Shift+F9: Save ladder display to text.
Important! The time it takes for Omnipeek to build and display an MSA project is dependent on the
number of segments, the number of flows, and the number of packets in each flow. MSA
includes a limit of 100,000 packets per flow (modifiable from Multi-Segment Analysis Options),
but there is no hard limit to the number of segments or flows that can be included in a project.
Be selective when choosing data for your MSA projects. If you find that an MSA project is taking
too long to build, you can cancel out and reduce your data set.
• Search for packets on remote engines: Select this option to create an MSA project based on packets
obtained from one or more Capture Engines.
• Use packet files: Select this option to create an MSA project based on one or more packet files.
• Start time: Select or enter the start date and time of the range you wish to search.
• End time: Select or enter the end date and time of the range you wish to search.
• +/- seconds: Select or enter the number of seconds to add to the search both before the start time and
after the end time.
• Duration: Displays the amount of time between the start and end time specified.
• Filter: Displays any filters currently defined for the search.
• Edit: Click to display the Edit Filter dialog, where you can define simple and advanced filters based on
any combination of addresses, protocols, and ports. A packet must match all of the conditions specified
in order to match the filter.
• Clear: Click to remove any filters currently defined for the search.
Engines
The Engines dialog displays the groups and Capture Engines currently listed in the Omnipeek Capture
Engines window. If you had selected the option to Search for packets on remote engines earlier in the MSA
wizard, the Engines dialog appears after clicking Next in the Time Range & Filter dialog of the MSA wizard.
• Select the check box of the Capture Engines you want to search in your MSA project. If you are not
already connected to the Capture Engine, you are first prompted to connect to the Capture Engine by
entering domain, username, and password information.
• Enable all: Click this option to select the check boxes of all groups and Capture Engines displayed in the
dialog.
• Disable all: Click this option to clear the check boxes of all groups and Capture Engines displayed in
the dialog.
Capture sessions
The Capture Sessions dialog displays the capture sessions found in each of the selected Capture
Engines. If you had selected the option to Search for packets on remote engines earlier in the MSA wizard,
the Capture Sessions dialog appears after clicking Next in the Engines dialog of the MSA wizard. A separate
*.wpz file is created for each capture session selected, and each file represents a different network segment.
When performing multi-segment analysis, Omnipeek uses *.wpz files to build the MSA project.
• Column header: Displays the column headings currently selected. Right-click the column header to
enable/disable columns. Here are the available columns:
• Engine/Capture Session: The capture sessions available from the Capture Engines selected earlier.
Select the check box of the capture sessions you want to search in your MSA project. Capture
Engine captures that have both ‘Capture to disk’ and ‘Timeline Stats’ enabled in the capture
options, and all TimeLine network recorder captures that have ‘Capture to disk’ enabled in the
capture options, appear in the Capture Sessions screen. (MSA-based forensic searches require
‘Timeline Stats.’)
• Session Start Time: The start time of the capture.
• Data Start Time: The start time of when data first appeared in the capture.
• Data End Time: The end time of when data last appeared in the capture.
• Size: The size (in MB) of the capture session.
• Packets: The number of packets in the capture session.
• Packets Dropped: The number of dropped packets in the capture session.
• Media: The media type of the capture session.
• Adapter: The name of the adapter used for the capture session.
• Adapter Address: The address of the adapter used for the capture session.
• Link Speed: The link speed of the adapter used for the capture session.
• Owner: The owner name of the adapter used for the capture session.
• Enable all: Click this option to select the check boxes of all Capture Engines and capture sessions
displayed in the dialog.
• Disable all: Click this option to clear the check boxes of all Capture Engines and capture sessions
displayed in the dialog.
• Download files: Choose the location of where to save the *.wpz files created for each of the selected
capture sessions.
Progress
The Progress dialog displays the status for saving *.wpz files used for multi-segment analysis. If you had
selected the option to Search for packets on remote engines earlier in the MSA wizard, this dialog appears
after clicking Next in the Capture Sessions dialog of the MSA wizard.
Tip You can cancel the progress of any one of the capture segments by right-clicking and selecting
Cancel. You can cancel any of the above stages, except for the Saving stage.
Segments
This Segments dialog lets you add supported capture files captured on separate network segments to your
MSA project. In order for the MSA analysis to display correctly in your flow maps and ladder diagrams, each
segment file must be properly ordered by the route taken from client to server (when displayed in the flow
map and ladder, the client is on the left and the server is on the right). You can manually choose to arrange
the files in the dialog.
Tip If you do not manually arrange the files by the route taken from client to server, you can use the
auto-arrange feature available from the Analysis Options dialog. See MSA project analysis
options on page 71.
Note When calculating the delay values for the flow map and ladder, MSA assumes that the client is
on the left, and the server is on the right. If you create MSA projects that include multiple flows,
all of the flows in the project should be initiated from the same direction. For example, flows
initiated by two nodes on the private side of a firewall would be suitable to include in a single
MSA project. Flows initiated by a node on the private side of a firewall, and flows initiated by a
node on the public side of a firewall would not be suitable to include in a single MSA project.
• Insert: Click to insert a new segment. You will be prompted to name the segment and select a
supported capture file.
• Edit: Click to edit a selected segment. You can choose to rename the segment or choose another
supported file for the segment.
• Delete: Click to remove a selected segment.
• Move Up: Click to move a selected segment up in the ordered list of segments. You can also press (Shift
or Ctrl)+Up Arrow to move the segment up in the list.
• Move Down: Click to move a selected segment down in the ordered list of segments. You can also press
(Shift or Ctrl)+Down Arrow to move the segment down in the list.
• Column Header: Displays the column headings currently selected. Right-click the column header to
enable/disable columns. Here are the available columns:
• Segment Name: The name of the segment.
• File: The location and file name of the segment.
Edit segment
This dialog lets you edit a selected segment.
• Name: Displays the name of the segment. Type a different name to rename the segment.
• File: Displays the location and name of the segment file.
Project file
This Project File dialog lets you save the MSA project file (*.msa). Once saved, the MSA project window is
displayed.
Note If your MSA project window is blank, more than likely you have either selected a flow that is not
supported by MSA (for example, UDP or IPv6), or it is a flow with fragmented packets.
• Project file: Displays the location and MSA project file name (*.msa).
should be initiated from the same direction. If you create MSA projects that include NAT (Network
Address Translation) segments, apply a Mapping Profile before selecting Auto Arrange.
• Clear Manual Offsets: Click to set the manual offsets to zero.
• Column Header: Displays the column headings currently selected. Right-click the column header to
enable/disable columns. Here are the available columns:
• Segment Name: The name of the segment.
• Calc. Offset: The automatically calculated synchronization offset for the segment.
• Manual Offset: The user-specified offset. A manual offset can be used instead of, or in addition
to, the automatically calculated offset.
• Total Offset: The calculated offset plus the manual offset.
• Mapping Profile: The mapping profile associated with the segment. A mapping profile can be
created to map private addresses/ports to public addresses/ports. See Creating a mapping
profile on page 72.
• File: The location and packet file on which the MSA segment information is based.
• Columns…: Displays a dialog that lets you enable/disable and organize columns.
• Show All Columns: Displays all available columns.
• Disable auto synchronization: Select this option to disable automatically calculating offset values.
• Automatically calculate synchronization offsets: Select this option to enable automatically
calculating synchronization offset values. All Capture Engines should be set to the correct time,
preferably through the use of an NTP server. But, even with the use of NTP servers, offsets may be
needed to adjust for slight timing inaccuracies across Capture Engines. Automatic calculation of
synchronization offsets is based on the TCP SYN and TCP SYN ACK packets. If a segment does not
contain the SYN and SYN ACK packets, there will be a dash (–) in the Calc. Offset field. If the MSA
project contains multiple flows, the automatic calculation of synchronization offsets is based on all
flows.
• Limits: Select this check box to enable the limit on the number of packets analyzed per flow, and
then enter or select the number of flows.
• Notes: Type any notes to append to the MSA project.
3. Click OK.
Note If your project includes a Network Address Translation (NAT) segment, the auto-arrange feature
should not be selected until you apply a mapping profile.
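The guide says automatic synchronization offsets are based on the TCP SYN and SYN ACK packets but does not give the calculation. The following added example (not Omnipeek code) shows one way such an offset can be estimated when correlating captures from several sensors: an NTP-style estimate that assumes the one-way delay between two capture points is the same in both directions. Segment names, flow ids, timestamps and the sign convention (offset = value added to a segment's timestamps) are constructed assumptions.

```python
from statistics import mean

# Constructed sample data: per segment, the capture timestamp in microseconds
# of the SYN and SYN ACK of each flow. "dmz" runs about 2.6 ms ahead of the
# reference clock; "server-lan" started capturing after the SYN had passed.
REFERENCE = "client-lan"
HANDSHAKES = {
    "client-lan": {"f1": {"syn": 1_000_000, "synack": 1_040_000},
                   "f2": {"syn": 5_000_000, "synack": 5_050_000}},
    "dmz":        {"f1": {"syn": 1_012_500, "synack": 1_032_500},
                   "f2": {"syn": 5_014_700, "synack": 5_040_700}},
    "server-lan": {"f1": {"synack": 1_021_000}},
}
MANUAL_US = {"dmz": 100, "server-lan": 4_000}   # user-specified offsets


def clock_skew_us(ref, seg):
    """Estimate how far seg's clock runs ahead of ref's, per flow, then average.

    The SYN passes ref then seg; the SYN ACK passes seg then ref. With equal
    one-way delay d and skew s:  seg_syn - ref_syn = d + s  and
    seg_synack - ref_synack = s - d, so s is half the sum of the two.
    Flows missing either packet in either segment are skipped.
    """
    estimates = []
    for flow, r in ref.items():
        s = seg.get(flow, {})
        if not all(k in d for d in (r, s) for k in ("syn", "synack")):
            continue
        estimates.append(((s["syn"] - r["syn"]) +
                          (s["synack"] - r["synack"])) / 2)
    return round(mean(estimates)) if estimates else None


def offset_table(handshakes, reference, manual):
    """Rows of (segment, calc offset, manual offset, total offset) in microseconds.

    Calc offset is None (shown as a dash) when no flow has both handshake
    packets; the manual offset then stands in for it.
    """
    rows = []
    for name, flows in handshakes.items():
        if name == reference:
            calc = 0
        else:
            skew = clock_skew_us(handshakes[reference], flows)
            calc = None if skew is None else -skew
        man = manual.get(name, 0)
        rows.append((name, calc, man, (calc or 0) + man))
    return rows


def align(timestamp_us, segment, table):
    """Shift a segment timestamp onto the reference clock using the total offset."""
    total = {name: tot for name, _, _, tot in table}[segment]
    return timestamp_us + total


if __name__ == "__main__":
    for name, calc, man, total in offset_table(HANDSHAKES, REFERENCE, MANUAL_US):
        print(f"{name:<12} {'-' if calc is None else calc:>8} {man:>6} {total:>8}")
```

The estimate is only as good as the symmetric-delay assumption, so a residual error of up to half the path asymmetry remains after correction; this is one reason a manual offset is still useful alongside NTP and the automatic value.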
Statistics Analysis
Omnipeek and the Capture Engines calculate a variety of key statistics in real time and present these statistics
in intuitive graphical displays. You can save, copy, print, or automatically generate periodic reports on
these statistics in a variety of formats. (Please refer to the Omnipeek User Guide or online help for information
on generating statistics reports.)
This section introduces the features in the Nodes and WLAN views of capture windows.
Tip Double-click a node to see more detail about the activity for the selected node and the
protocols it is using (or right-click the node and choose Node Details).
The Node Type drop-down list lets you limit the display to selected nodes (All Nodes, Clients, Access Points,
ESSID, Ad Hoc, Admin, Unknown, and Channels). When the WLAN hierarchy view is broken out by channels,
the root branches of the tree are channel numbers, with individual WLAN hierarchy views underneath them
(ESSID, BSSID, nodes, etc).
The Color globes identify each node by color:
• Blue: ESSID
• Pink: AP (access point) or Ad Hoc equivalent
• Orange: STA or client
• Gray: Admin or otherwise unknown
• Gray with (?): Indications for a particular node are contradictory or unexpected.
The Peer Map view in Omnipeek and the Capture Engines is a powerful tool for visualizing network traffic in
a capture window. The Peer Map graphically displays all of the nodes, or a user-defined subset, detected in
a particular capture window.
Communication between nodes is indicated with line segments. The line between nodes can be color-coded
to show which protocol is used. The thickness of the line indicates the volume of traffic between
nodes.
Tip Hold the cursor over a particular node in the Peer Map to see a tooltip with more information
about this node. You can also hover over a conversation line to get a tooltip with information
about that conversation.
3. Click Options to open the Peer Map Options dialog. This dialog lets you choose to show or hide
displayable node type icons (server, workstations, etc.), node visibilities, and protocol line segment gaps.
4. Click Node Details to view statistics about this node.
5. Use the tabs in the right pane to configure Peer Map settings:
• Configuration: This tab lets you set the basic parameters of the Peer Map, what part of the traffic in
the capture window’s buffer is displayed, and how the protocols (line segments) are displayed in the
Peer Map.
• Node Visibilities: This tab displays node counts and nodes that are both shown and hidden in the
Peer Map.
• Profiles: This tab lets you configure settings into a profile that controls the appearance and layout of
the Peer Map.
6. Right-click on a node for other options, including:
• Arrange: If you have changed the appearance of the Peer Map by dragging nodes to new positions,
this option arranges the node back to the ellipse of the Peer Map.
• Node Details: This option opens the Detail Statistics window and shows details of the selected node.
Keyboard Shortcuts
Shortcut            Description
Ctrl + O            Opens an Omnipeek capture file or other supported file type in a new capture file window.
Ctrl + S            Opens the Save dialog to save all packets in the active window.
Ctrl + E            Opens the Select dialog, where you can use filters, ASCII or hex strings, packet length, and Analysis Modules to select captured packets.
Ctrl + H            Removes selected packets from the display without deleting them. Hidden packets are not processed further.
Ctrl + Shift + H    Removes unselected packets from the display without deleting them. Hidden packets are not processed further.
Ctrl + G            Opens the Go To dialog where you can choose a packet number to jump to. If packets are selected, the number of the first selected packet is shown.
Ctrl + Tab          Makes the next window in sequence the active window.
Ctrl + Shift + Tab  Makes the previous window in sequence the active window.