Exploring the Menus




All of the functionality available within Ethereal is accessible from the Menu Bar. In this section we will systematically explore that functionality and provide examples of its use.

File

The File menu provides access to loading, saving and printing capture files, as seen in Figure 4.8. File menu options are defined in Table 4.5.

Figure 4.8: File Menu

Table 4.5: File Menu Options

Menu Option   Description
Open…         Open a capture file.
Close         Close the current capture file.
Save          Save the current capture file.
Save As…      Save the current capture file with a different filename/format.
Export        Display the Export submenu, which allows the portion of the packet highlighted in the Data View Window to be exported as a hexadecimal dump.
Print…        Print the current capture file.
Quit          Quit the Ethereal application.

Open

To open a file (Figure 4.9), select File | Open.

Figure 4.9: Open Dialog Box

The Open dialog box provides normal mechanisms for navigation in selecting a file. Additionally, it provides a Filter: field where an Ethereal display filter string can be entered to filter which packets are read from the capture file. Clicking the Filter: button will open the Display Filter dialog box. The Display Filter dialog box is described in the section entitled “Analyze”.

The Open dialog box also has checkboxes to enable name resolution for MAC addresses, network names, and transport names. To open a file, browse to the correct location and select the desired file, optionally provide a filter string, and enable or disable the name resolutions you wish to use. Finally, click the OK button.

start sidebar
Notes from the Underground…
Ethereal Name Resolution

Ethereal provides three kinds of name resolution to make some of the numbers found in network protocols more comprehensible. You can choose to enable or disable MAC name resolution, network name resolution, and transport name resolution, when opening a file, starting a capture, or while a capture is running. It is useful to understand what the different name resolutions mean.

Every host on a LAN is identified by a unique six-byte MAC address. These addresses are used in Ethernet frames to provide source and destination addresses at the Datalink Layer. MAC addresses are supposed to be globally unique. To achieve this end, the IEEE (Institute of Electrical and Electronics Engineers) assigns blocks of MAC addresses to manufacturers. The first three bytes of every MAC address designate the manufacturer who produced the device. Ethereal is shipped with a list of the assigned prefixes and the manufacturers to whom they’ve been assigned. When you select the Enable MAC name resolution checkbox in the Open dialog box, Ethereal will resolve the first three bytes of the MAC address to a manufacturer and display that information for each MAC address. For example, the prefix 00:00:0c has been assigned to Cisco Systems. When MAC address resolution is enabled, Ethereal will display the MAC address 00:00:0c:35:0e:1c as 00:00:0c:35:0e:1c (Cisco_35:0e:1c).

Every node on an IP network has an IP address. If you select the Enable network name resolution checkbox Ethereal will perform a reverse Domain Name System (DNS) lookup when it encounters an IP address to determine its associated domain name (like www.syngress.com). Ethereal will then display this domain name with the IP address. For example, the IP address 66.35.250.150 can be resolved via reverse DNS to the domain name slashdot.org. If network name resolution is enabled, Ethereal will display it as slashdot.org (66.35.250.150).

Transport layer protocols like TCP and UDP (User Datagram Protocol, a connectionless transport protocol over IP defined in RFC 768 and viewable at www.ietf.org/rfc/rfc0768.txt?number=768) typically provide some form of multiplexing by allowing a source and destination port to be specified. As a result, two hosts can have multiple clearly delineated conversations between them at the same time, as long as they have unique source port/destination port pairs for each conversation. Many protocols that use TCP or UDP for their transport layer have well-known ports that servers for those protocols traditionally listen on. When you select the Enable transport name resolution checkbox, Ethereal will display the name of the service that traditionally runs over each port. This behavior can be seen in many of our examples, where the port 179 has been labeled by the protocol that is well known to run over that port: bgp. It’s important to note that most ports have no protocols associated with them.

end sidebar

Save As

The Save As dialog box, shown in Figure 4.10, is displayed by selecting File | Save As, or by selecting File | Save for a capture that has not previously been saved to file.

Figure 4.10: Save As Dialog Box

The Save As dialog box allows you to perform normal tasks for saving a capture file in the desired place and with the desired name. You can choose to save only the packets that pass the currently active display filter by enabling the Save only packets currently being displayed checkbox, or to save only marked packets by enabling the Save only marked packets checkbox. Marking packets will be explained later in the “Edit” section. Selecting both checkboxes will save only those marked packets that match the current display filter.

Finally, you can choose to save the file in one of a large number of supported capture file formats (Figure 4.11).

Figure 4.11: Save As Dialog: File Formats

Print

The Print dialog box is displayed by selecting File | Print (Figure 4.12).

Figure 4.12: Print Dialog Box

The Print dialog box allows you to provide answers to the three questions relevant to printing in Ethereal:

  1. How are you going to print?

  2. Which packets are you going to print?

  3. What information are you going to print for each packet?

The Printer section allows you to choose how you are going to print. You can choose as your output format either Plain Text or Postscript. Once you have selected your output format, you may choose to print the output to a file by enabling the Output to File: checkbox and providing a filename in the Output to File: textbox. If you do not choose to print to a file, then you may provide a command to be executed to print in the Print command: textbox.

The Print Range section allows you to choose which packets you are going to print. To print only the packet currently selected in the Summary Window, select the Selected packet only radio button. To print only the packets that have been marked in the Summary Window (marked packets are discussed later in the “Edit” section), select the Marked packets only radio button. To print all packets displayed in the Summary Window by the currently applied display filter, select the All packets displayed radio button. Printing all packets displayed means that all packets that pass the currently applied filter will print, not just the packets that are currently visible in the Summary Window: if you are able to scroll up or down to a packet in the Summary Window, it is considered to be “displayed” for the purposes of this print range option. To print all packets in the capture, select the All packets captured radio button.

The Packet Format section allows you to choose which information you are going to print for each packet. If you do not enable the Print packet details checkbox, then for each packet a one-line summary consisting of the columns currently being displayed in the Summary Window will be printed. Consider, for example, the state of Ethereal in Figure 4.3. Packet 8 is selected. If the Print packet details checkbox is unselected, the result of printing only the selected packet (packet 8) would be:

    No. Time      Source        Destination    Protocol Info
      8 8.004042  192.168.0.15  192.168.0.33   BGP      OPEN Message

This output had some whitespace removed to contract it to fit the space. If you do enable the Print packet details checkbox, then more detailed information will be printed.

The Details section allows you to choose which details are printed for a packet when you have enabled the Print packet details checkbox. You may choose to print the protocol tree with all subtrees collapsed, the protocol tree with subtrees expanded (but only if those subtrees are expanded in the Protocol Tree Window), or with all subtrees in the protocol tree expanded. If you select the All dissections collapsed option, the protocol tree will be printed with all subtrees collapsed. For the situation shown in Figure 4.3, printing only the selected packet, the output would look like:

Frame 8 (83 bytes on wire, 83 bytes captured)
Ethernet II, Src: 00:c0:4f:23:c5:95, Dst: 00:00:0c:35:0e:1c
Internet Protocol, Src Addr: 192.168.0.15 (192.168.0.15), Dst Addr: 192.168.0.33 (192.168.0.33)
Transmission Control Protocol, Src Port: 2124 (2124), Dst Port: bgp (179), Seq: 3593706850, Ack: 2051072070, Len: 29
Border Gateway Protocol

If you select the Dissections as displayed option, the protocol tree will be printed with those subtrees expanded that would be expanded in the Protocol Tree Window if that packet was selected in the Summary Window. Using this option to print only the selected packet from Figure 4.3 would produce output like:

Frame 8 (83 bytes on wire, 83 bytes captured)
Ethernet II, Src: 00:c0:4f:23:c5:95, Dst: 00:00:0c:35:0e:1c
Internet Protocol, Src Addr: 192.168.0.15 (192.168.0.15), Dst Addr: 192.168.0.33 (192.168.0.33)
Transmission Control Protocol, Src Port: 2124 (2124), Dst Port: bgp (179), Seq: 3593706850, Ack: 2051072070, Len: 29
Border Gateway Protocol
    OPEN Message
        Marker: 16 bytes
        Length: 29 bytes
        Type: OPEN Message (1)
        Version: 4
        My AS: 65033
        Hold time: 180
        BGP identifier: 192.168.0.15
        Optional parameters length: 0 bytes

If you select the All dissections expanded option, the protocol tree will be printed with all subtrees expanded. Printing just the selected packet in Figure 4.3 with this option would produce the output:

Frame 8 (83 bytes on wire, 83 bytes captured)
    Arrival Time: Mar 29, 2000 23:56:56.957322000
    Time delta from previous packet: 0.000088000 seconds
    Time since reference or first frame: 8.004042000 seconds
    Frame Number: 8
    Packet Length: 83 bytes
    Capture Length: 83 bytes
Ethernet II, Src: 00:c0:4f:23:c5:95, Dst: 00:00:0c:35:0e:1c
    Destination: 00:00:0c:35:0e:1c (Cisco_35:0e:1c)
    Source: 00:c0:4f:23:c5:95 (DellComp_23:c5:95)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.0.15 (192.168.0.15), Dst Addr: 192.168.0.33 (192.168.0.33)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 69
    Identification: 0x48e9 (18665)
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0x7049 (correct)
    Source: 192.168.0.15 (192.168.0.15)
    Destination: 192.168.0.33 (192.168.0.33)
Transmission Control Protocol, Src Port: 2124 (2124), Dst Port: bgp (179), Seq: 3593706850, Ack: 2051072070, Len: 29
    Source port: 2124 (2124)
    Destination port: bgp (179)
    Sequence number: 3593706850
    Next sequence number: 3593706879
    Acknowledgement number: 2051072070
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 32120
    Checksum: 0x1903 (correct)
Border Gateway Protocol
    OPEN Message
        Marker: 16 bytes
        Length: 29 bytes
        Type: OPEN Message (1)
        Version: 4
        My AS: 65033
        Hold time: 180
        BGP identifier: 192.168.0.15
        Optional parameters length: 0 bytes

Regardless of the option you choose for expanding protocol tree subtrees, if you enable the Packet hex data checkbox, a hex dump of each packet will follow its protocol tree. Printing only the packet selected in Figure 4.3, with the All dissections collapsed option selected and the Packet hex data checkbox enabled, would produce this output:

Frame 8 (83 bytes on wire, 83 bytes captured)
Ethernet II, Src: 00:c0:4f:23:c5:95, Dst: 00:00:0c:35:0e:1c
Internet Protocol, Src Addr: 192.168.0.15 (192.168.0.15), Dst Addr: 192.168.0.33 (192.168.0.33)
Transmission Control Protocol, Src Port: 2124 (2124), Dst Port: bgp (179), Seq: 3593706850, Ack: 2051072070, Len: 29
Border Gateway Protocol

0000  00 00 0c 35 0e 1c 00 c0 4f 23 c5 95 08 00 45 00   ...5....O#....E.
0010  00 45 48 e9 40 00 40 06 70 49 c0 a8 00 0f c0 a8   .EH.@.@.pI......
0020  00 21 08 4c 00 b3 d6 33 9d 62 7a 40 e0 46 50 18   .!.L...3.bz@.FP.
0030  7d 78 19 03 00 00 ff ff ff ff ff ff ff ff ff ff   }x..............
0040  ff ff ff ff ff ff 00 1d 01 04 fe 09 00 b4 c0 a8   ................
0050  00 0f 00
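The name resolution explained in the sidebar above and the print output just shown, worked through in code as an added example (this is our illustration, not code from the book or from Ethereal): a small Python dissector rebuilds packet 8 from the hex dump, decodes it down to the BGP OPEN fields, applies MAC and transport name resolution, verifies the IP header checksum, and stops cleanly when a snaplen (the "Limit each packet to" setting discussed under Capture Options) has cut the capture short. The OUI and port tables are tiny constructed excerpts, and all function names are ours.

```python
import struct
from dataclasses import dataclass, field

# Constructed excerpt of the manufacturer (OUI) table Ethereal ships with: just the
# two prefixes that appear in the chapter's sample frame.
OUI_NAMES = {"00:00:0c": "Cisco", "00:c0:4f": "DellComp"}
# Constructed excerpt of the well-known TCP port table; most ports have no entry at all.
TCP_SERVICE_NAMES = {22: "ssh", 80: "http", 179: "bgp"}
BGP_TYPES = {1: "OPEN Message", 2: "UPDATE Message", 3: "NOTIFICATION Message", 4: "KEEPALIVE Message"}

# The 83-byte frame from the chapter's "Packet hex data" print output (packet 8).
SAMPLE_HEXDUMP = """
0000  00 00 0c 35 0e 1c 00 c0 4f 23 c5 95 08 00 45 00   ...5....O#....E.
0010  00 45 48 e9 40 00 40 06 70 49 c0 a8 00 0f c0 a8   .EH.@.@.pI......
0020  00 21 08 4c 00 b3 d6 33 9d 62 7a 40 e0 46 50 18   .!.L...3.bz@.FP.
0030  7d 78 19 03 00 00 ff ff ff ff ff ff ff ff ff ff   }x..............
0040  ff ff ff ff ff ff 00 1d 01 04 fe 09 00 b4 c0 a8   ................
0050  00 0f 00
"""

def parse_hexdump(text: str) -> bytes:
    """Turn 'offset  16 hex pairs   ascii' dump lines back into bytes. The columns are
    fixed: a 4-digit offset, two spaces, then up to 48 characters of hex pairs."""
    out = bytearray()
    for line in text.strip().splitlines():
        out += bytes.fromhex(line[6:54].replace(" ", ""))
    return bytes(out)

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def resolve_mac(mac: str) -> str:
    """MAC name resolution: look up the 3-byte vendor prefix and show the manufacturer
    beside the address, e.g. 00:00:0c:35:0e:1c (Cisco_35:0e:1c)."""
    name = OUI_NAMES.get(mac[:8])
    return f"{mac} ({name}_{mac[9:]})" if name else mac

def resolve_port(port: int) -> str:
    """Transport name resolution: label a well-known port, keep the rest numeric."""
    return f"{TCP_SERVICE_NAMES.get(port, port)} ({port})"

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791) over a header whose checksum is zeroed."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

@dataclass
class Dissection:
    tree: list = field(default_factory=list)    # one line per protocol, like the collapsed print
    fields: dict = field(default_factory=dict)  # named values, like the expanded print
    truncated: bool = False                     # fewer bytes captured than the packet carries

def dissect(data: bytes, wirelen: int = 0) -> Dissection:
    """Decode Ethernet II / IPv4 / TCP / BGP OPEN. wirelen is the size on the wire; when a
    snaplen limit captured fewer bytes, dissection stops rather than reading past the data."""
    d = Dissection()
    d.tree.append(f"Frame ({wirelen or len(data)} bytes on wire, {len(data)} bytes captured)")
    dst, src, ethtype = data[0:6], data[6:12], struct.unpack("!H", data[12:14])[0]
    d.tree.append(f"Ethernet II, Src: {mac_str(src)}, Dst: {mac_str(dst)}")
    d.fields["eth.src"], d.fields["eth.dst"] = resolve_mac(mac_str(src)), resolve_mac(mac_str(dst))
    if ethtype != 0x0800 or len(data) < 34:   # not IP, or not even a full IPv4 header captured
        d.truncated = len(data) < 34
        return d
    ihl = (data[14] & 0x0F) * 4
    ip = data[14:14 + ihl]
    total_len, _, flags_frag, ttl, proto, csum = struct.unpack("!HHHBBH", ip[2:12])
    d.fields["ip.src"] = ".".join(map(str, ip[12:16]))
    d.fields["ip.dst"] = ".".join(map(str, ip[16:20]))
    d.fields["ip.checksum_ok"] = ip_checksum(ip[:10] + b"\x00\x00" + ip[12:]) == csum
    d.fields["ip.ttl"], d.fields["ip.df"] = ttl, bool(flags_frag & 0x4000)
    d.tree.append(f"Internet Protocol, Src Addr: {d.fields['ip.src']}, Dst Addr: {d.fields['ip.dst']}")
    if len(data) < 14 + total_len:            # the snaplen cut this packet short
        d.truncated = True
        return d
    if proto != 6:
        return d
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[14 + ihl:14 + ihl + 14])
    doff = (off_flags >> 12) * 4
    payload = data[14 + ihl + doff:14 + total_len]
    d.fields["tcp.flags"] = off_flags & 0x1FF
    d.tree.append(f"Transmission Control Protocol, Src Port: {resolve_port(sport)}, "
                  f"Dst Port: {resolve_port(dport)}, Seq: {seq}, Ack: {ack}, Len: {len(payload)}")
    if 179 not in (sport, dport) or len(payload) < 19:
        return d
    d.fields["bgp.marker_ok"] = payload[:16] == b"\xff" * 16
    d.fields["bgp.length"], d.fields["bgp.type"] = struct.unpack("!HB", payload[16:19])
    d.tree.append("Border Gateway Protocol")
    d.tree.append(f"    {BGP_TYPES.get(d.fields['bgp.type'], 'Unknown')}")
    if d.fields["bgp.type"] == 1 and len(payload) >= 29:
        version, my_as, hold, ident, opt_len = struct.unpack("!BHH4sB", payload[19:29])
        d.fields.update({"bgp.version": version, "bgp.my_as": my_as, "bgp.hold_time": hold,
                         "bgp.identifier": ".".join(map(str, ident)), "bgp.opt_len": opt_len})
    return d

if __name__ == "__main__":
    print("\n".join(dissect(parse_hexdump(SAMPLE_HEXDUMP)).tree))
```

Passing only the first 60 bytes with wirelen=83 reproduces a capture made with a 60-byte snaplen: the frame is flagged as truncated and dissection stops after the IP header instead of reading past the captured data.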

start sidebar
Notes from the Underground…
Ghost of Ethereal Future: Print Dialog Improvements

Ethereal evolves very rapidly. It is not uncommon for there to be a new release of the software every four to six weeks. As a result, some things will change over time. An example of this is the Print dialog box, which has already been changed in CVS (Concurrent Versions System, the source code control mechanism used by Ethereal) since the release of the 0.10.0a version of Ethereal (the latest release version as of the writing of this book). The new Print dialog box, which will likely be in Ethereal version 0.10.1, is shown in Figure 4.13.

Figure 4.13: The New Print Dialog Box

The Packet Range section has been rewritten to provide more options when selecting the range of packets to be printed. The Captured and Displayed buttons are used to determine whether the selection criteria apply to all packets captured or all packets displayed. There are also two new packet selection criteria, From first to last marked packet, which selects all packets between the first marked packet and the last marked packet, and Specify a packet range, which will allow you to specify a packet range like the one shown in Figure 4.13: 1-12,15,17,17-19.

end sidebar

Edit

The Edit menu, shown in Figure 4.14, allows you to find and mark packets, as well as set user preferences. Descriptions of the Edit menu options are given in Table 4.6.

Figure 4.14: Edit Menu

Table 4.6: Edit Menu Options

Menu Option                  Description
Find Packet…                 Search for a packet using a display filter or by searching for a matching hexadecimal string or character string.
Find Next                    Find the next packet that matches the search defined in the Find Packet dialog box.
Find Previous                Find the previous packet that matches the search defined in the Find Packet dialog box.
Go To Packet…                Go to a packet by frame number.
Go To Corresponding Packet   When a field that refers to another frame is selected in the Protocol Tree Window, select the packet being referred to in the Summary Window.
Time Reference               A submenu for manipulating time references (for more details, see the section entitled “Time Reference Submenu”).
Mark Packet                  Mark the packet currently selected in the Summary Window. If the selected packet is already marked, then unmark it. Marking provides a mechanism for manually selecting a packet or group of packets to be subsequently printed or saved.
Mark All Packets             Mark all packets that match the currently applied display filter.
Unmark All Packets           Unmark all packets that match the currently applied display filter.
Preferences…                 Change user preferences, including preferences for packet decodes.

Find Packet

The Find Packet dialog box, shown in Figure 4.15, is displayed when you select Edit | Find Packet….

Figure 4.15: Find Packet Dialog Box

The Find Packet dialog box allows you to answer the three questions relevant to finding a packet in Ethereal:

  1. What are we trying to find?

  2. Which direction should we search in?

  3. What type of thing are we trying to find?

The Filter: textbox allows you to define a search criterion by entering a string such as a display filter string, hex string, or ASCII string. If you need assistance constructing a filter string, you can click the Filter: button to display the Display Filter dialog box. The Display Filter dialog box is described in more detail in the section entitled “Analyze”.

The Direction section allows you to choose which direction you wish to search in: Forward from the packet currently selected in the Summary Window, or Backward from the packet currently selected in the Summary Window.

The Find Syntax section allows you to define your search criteria. You may choose to search for packets that match a display filter string, packets that contain a hex string, or packets that contain a character string. If you select the Display Filter option, the string in the Filter: textbox will be interpreted as a display filter string and you will search for matches to that display filter string. If you select the Hex option, the string in the Filter: textbox will be interpreted as a hex string and you will search for packets that contain that hex string. If you select the String option, the string in the Filter: textbox will be interpreted as a character string and you will search for packets that contain that character string.

The search for character strings is handled differently than the search for hex strings. A hex string search looks for a packet containing a particular sequence of bytes anywhere in the raw data of that packet. A character string search does not look for the string anywhere in the packet. Instead, you use the Search In section to specify where to look: in the Packet data left over after decoding all possible fields, in the Decoded packet displayed in the Protocol Tree Window, or in the one-line Packet summary in the Summary Window.

If you select the Packet data option, Ethereal will search for the character string in the packet data. By packet data, we mean the data in the packet that is left over after decoding the protocol fields. Selecting the Decoded packet option will cause Ethereal to search for the character string in the protocol field strings that are displayed in the Protocol Tree Window. It does not matter if the subtree of the protocol tree containing the character string is collapsed or expanded. If you use the Decoded packet option, you must also use the Character Set drop-down list to select the character set for the character string you are trying to find. To make your character string search case-insensitive, enable the Case Insensitive Search checkbox.

Go To Packet

The Go To Packet dialog box, shown in Figure 4.16, can be displayed by selecting Edit | Go To Packet….


Figure 4.16: Go To Packet Dialog Box

Enter a packet number in the Packet Number textbox and click OK. The packet with that packet number will be selected in the Summary Window.

Time Reference Submenu

The Time Reference submenu, shown in Figure 4.17, is displayed when you select Edit | Time Reference. The Time Reference submenu options are described in Table 4.7.

Figure 4.17: Time Reference Submenu

Table 4.7: Time Reference Submenu Options

Menu Option                   Description
Set Time Reference (toggle)   Sets the packet currently selected in the Summary Window as a time reference packet.
Find Next                     Finds the next time reference packet after the packet currently selected in the Summary Window.
Find Previous                 Finds the previous time reference packet before the packet currently selected in the Summary Window.

When the Time column in the Summary Window is configured to display the time that has elapsed since the beginning of the capture, then the time displayed is the number of seconds since the beginning of the capture or the last time reference packet.

In Figure 4.18, we have set packets 5 and 10 as time reference packets. This is indicated by their Time column value (*REF*). Packets 1-4 are marked with the time since the beginning of the capture. Packets 6-9 are marked with the time since time reference packet 5. Packets 11 and greater are marked with the time since time reference packet 10.

Figure 4.18: Time Reference Submenu Example

Preferences

The Preferences dialog box, shown in Figure 4.19, is displayed when you select Edit | Preferences….

The Preferences dialog box allows you to set preferences for various subsystems of Ethereal, including setting preferences for decodes of various protocols. To edit preferences for an area of Ethereal, like Columns in Figure 4.19, select that area from the box on the left and change the settings displayed in the box on the right. It is strongly recommended that you browse through the protocol preferences for any protocol you use frequently, as protocol preferences can change the way a protocol is decoded or displayed.

Figure 4.19: Preferences Dialog Box

When you have made your changes to Ethereal’s preferences you can choose to apply them without closing the Preferences dialog box by clicking the Apply button. To apply your settings and close the Preferences dialog box, click the OK button. To save your preferences for use in a different Ethereal session, click the Save button.

Note 

The Columns preference, selected in Figure 4.19, is subtly broken in Ethereal. You can add, delete, or reorder columns in the Preferences dialog box, but your changes will not take effect unless you save them, then exit and restart Ethereal.

View

The View menu, shown in Figure 4.20, allows you to control how packets are displayed in the Summary Window and the Protocol Tree Window. You can also set up color filters to color the packets in the Summary Window. The View menu options are described in Table 4.8.

Figure 4.20: View Menu

Table 4.8: View Menu Options

Menu Option                 Description
Options…                    Set the View options.
Collapse All                Collapse all subtrees in the Protocol Tree Window.
Expand All                  Expand all subtrees in the Protocol Tree Window.
Coloring Rules…             Create and edit color filters to colorize the packets in the Summary Window that match a given display filter string.
Show Packet In New Window   Display the Protocol Tree Window and Data View Window for the packet currently selected in the Summary Window in a new window.
Reload                      Reload the current capture file.


Figure 4.21: Display Options Dialog Box

Display Options

The Display Options dialog box, shown in Figure 4.21, is displayed when you select View | Options….

The Display Options dialog box allows you to choose which time value will be displayed in the Time column of the Summary Window, whether automatic scrolling will be enabled for live captures, and what type of name resolution will be enabled.

For a given packet, you may choose to have the Time column in the Summary Window display the Time of day when that packet was captured, Date and time of day when that packet was captured, Seconds since beginning of capture (or the last time reference packet) that packet was captured, or the Seconds since the previous frame that matched the current display filter.

In a live capture, you can choose to have old packets scroll up and out of view as new packets are captured and appended to the end of the Summary Window. To do so, enable the Automatic scrolling in live capture checkbox. You may choose your name resolution options in the Display Options dialog box as well. Refer back to the section entitled “Open” for more information about name resolution choices.
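The Time column behaviour described under the Time Reference submenu and in the Display Options above, worked through as an added example (our code, not Ethereal's): one function computes the column for each of the four time modes from a constructed list of arrival timestamps, honouring time reference packets and the display filter. Timestamps are constructed so that packet 8 arrives 8.004042 s after packet 1, matching the expanded print earlier in this section; UTC is assumed for the time-of-day formats.

```python
from datetime import datetime, timezone

# Constructed capture: arrival times in microseconds since the Unix epoch, packet 1 first.
# The base puts packet 1 at 23:56:48.953280 UTC on Mar 29, 2000, so packet 8 (offset
# 8.004042 s) lands at 23:56:56.957322, like the sample packet in the print output.
OFFSETS_US = [0, 2100, 3000, 500000, 1200000, 1250000, 1900000,
              8004042, 8010000, 9000000, 9600000, 10100000]
ARRIVALS_US = [954374208953280 + off for off in OFFSETS_US]


def fmt_seconds(us: int) -> str:
    """Format a non-negative microsecond count as seconds with six decimals, exactly."""
    return f"{us // 1_000_000}.{us % 1_000_000:06d}"


def time_column(arrivals, mode="since_capture", refs=(), displayed=None):
    """Produce the Summary Window Time column entry for every displayed packet.

    mode:      'time_of_day', 'date_time', 'since_capture' (seconds since the start of the
               capture or the last time reference packet) or 'since_previous' (seconds
               since the previous packet that passes the display filter).
    refs:      1-based numbers of packets set via Edit | Time Reference; shown as *REF*.
    displayed: 1-based numbers that pass the display filter (None means every packet).
    Assumption: a reference packet still resets the base even if the filter hides it."""
    refs = set(refs)
    shown = set(displayed) if displayed is not None else set(range(1, len(arrivals) + 1))
    column = []
    base = arrivals[0]        # beginning of the capture, replaced by each reference packet
    prev = None               # arrival of the previous displayed packet
    for num, ts in enumerate(arrivals, start=1):
        if num in refs:
            base = ts
        if num not in shown:
            continue
        if mode == "since_capture":
            column.append("*REF*" if num in refs else fmt_seconds(ts - base))
        elif mode == "since_previous":
            column.append(fmt_seconds(0 if prev is None else ts - prev))
            prev = ts
        else:
            # Split seconds and microseconds so no float rounding reaches the output.
            stamp = datetime.fromtimestamp(ts // 1_000_000, tz=timezone.utc)
            stamp = stamp.replace(microsecond=ts % 1_000_000)
            fmt = "%H:%M:%S.%f" if mode == "time_of_day" else "%Y-%m-%d %H:%M:%S.%f"
            column.append(stamp.strftime(fmt))
    return column


if __name__ == "__main__":
    # Packets 5 and 10 as references, as in the Time Reference example.
    for num, entry in enumerate(time_column(ARRIVALS_US, refs=(5, 10)), start=1):
        print(f"{num:3d}  {entry}")
```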

Apply Color Filters

The Apply Color Filters dialog box, shown in Figure 4.22, can be displayed by selecting View | Coloring Rules….

Figure 4.22: Apply Color Filters Dialog Box

Ethereal has the ability to color packets in the Summary Window that match a given display filter string, making patterns in the capture data more visible. This can be immensely useful when trying to follow request/response protocols where variations in the order of requests or responses may be interesting. You can color such traffic into as many categories as you’d like and will be able to see at a glance what is going on from the Summary Window instead of having to go through the Protocol Tree Window for each packet.

To create a color filter click the New button in the Apply Color Filters dialog box. The Edit Color Filter dialog box will be displayed (Figure 4.23).

Figure 4.23: Edit Color Filter Dialog Box

When the Edit Color Filter dialog box is first opened, the Name textbox will have the string name in it, and the String field will contain the string filter. To create a color filter you should first fill in a name for it in the Name textbox. Then, you should enter a filter string in the String textbox. You may use the Add Expression button to display the Filter Expression dialog box to assist you in constructing a filter string. The Filter Expression dialog box is described in the section entitled “Analyze”. Once you have a name and filter string you are happy with, you need to select the foreground and background color to colorize the packets matching your filter string. Click the Background Color… button to set the background color, as shown in Figure 4.24.

Figure 4.24: Background Color Dialog Box

When you are happy with the color you have selected click the OK button. The Edit Color Filter dialog box (Figure 4.25) will be displayed.

Figure 4.25: Edit Color Filter

start sidebar
Notes from the Underground…
Ghost of Ethereal Future: GTK+2

Ethereal uses a widget set to provide its GUI elements (buttons, menus, radio buttons, file dialogs, color selection dialogs, etc.) called GTK+ (GIMP Toolkit, www.gtk.org). By default, Ethereal builds with GTK+1, and so all of the screenshots you’ve seen in this book use GTK+1. There is already code in place in Ethereal for GTK+2, the next version of the GTK+ library. Many elements look very similar in GTK+2, just slightly cleaner, but a few things look very different. One of them is the color selection widget used in the Foreground Color and Background Color dialog boxes. You can see the new GTK+2 Foreground Color dialog box for Ethereal in Figure 4.26:

Figure 4.26: GTK+2 Foreground Color Dialog Box

end sidebar

In Figure 4.25 we have created a filter named BGP Update with a filter string bgp.type == 2. The name and filter string will be colored to match our background color choice. Click the Foreground Color… button to set the foreground color and proceed as you did with the background color. When you are happy with your name, filter string, and text coloring, click the OK button to close the Edit Color Filter dialog box.

Figure 4.27 shows the Apply Color Filters dialog box now populated with the new BGP Update entry and a BGP filter.

Figure 4.27: Apply Color Filters Dialog Box

Click the OK button to apply the changes and close the dialog box. Click Apply to apply the changes and leave the dialog box open. If you wish to use your color filters with another Ethereal session, click Save.

If you click the Revert button, all coloring will be removed from the Summary Window, the color filters will be removed from the Filter list, and the saved color file will be deleted. Use the Export or Import buttons to export your color filters to another file or import color filters from a file of your choice. This is very useful for sharing color filters with coworkers or between different machines on which you have Ethereal installed.

Notice the order of the color filters in the Filter list in Figure 4.27. For every packet in the Summary Window the color filter strings are tried in order until one matches; at that point, its associated color is applied. The filters in the Filter list are applied from the top down, so the BGP Update color filter will be tried first. Only if the BGP Update color filter does not match a packet will Ethereal proceed to try the BGP color filter on that packet. An example of the application of these color filters can be seen in Figure 4.28.

Figure 4.28: Application of Color Filters

In Figure 4.28, the BGP Update messages (lines 16 and 17) are black text on light blue, not white text on dark blue, even though they would also match the white text on dark blue BGP color filter. This is because the black text on light blue BGP Update filter is applied first, and since it matches, no further color filter is tried.
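The first-match rule just described, as an added example that is ours rather than the book's or Ethereal's: a tiny evaluator for a small subset of the display filter syntax, the two rules from Figure 4.27 applied top-down to constructed packet summaries, and a check that reports rules shadowed by an earlier one (what you get if BGP is moved above BGP Update). The rule list, packet summaries and function names are all constructed for this illustration.

```python
# Colour filters as listed top-down in the Apply Color Filters dialog. Constructed to
# match the BGP Update / BGP pair in Figure 4.27 (names, filter strings and colours).
COLOR_FILTERS = [
    {"name": "BGP Update", "filter": "bgp.type == 2", "fg": "black", "bg": "light blue"},
    {"name": "BGP",        "filter": "bgp",           "fg": "white", "bg": "dark blue"},
]

# Constructed packet summaries: the decoded fields a display filter is evaluated against.
PACKETS = [
    {"frame.number": 15, "tcp": True, "bgp": True, "bgp.type": 1},   # OPEN
    {"frame.number": 16, "tcp": True, "bgp": True, "bgp.type": 2},   # UPDATE
    {"frame.number": 17, "tcp": True, "bgp": True, "bgp.type": 2},   # UPDATE
    {"frame.number": 18, "tcp": True, "bgp": True, "bgp.type": 4},   # KEEPALIVE
    {"frame.number": 19, "udp": True, "dns": True},                  # not BGP at all
]


def matches(expr: str, pkt: dict) -> bool:
    """Evaluate the filter subset used here: clauses joined by '&&', each either a protocol
    name (present in the packet) or 'field == value'. This is not Ethereal's filter engine."""
    for clause in expr.split("&&"):
        clause = clause.strip()
        if "==" in clause:
            name, value = (part.strip() for part in clause.split("==", 1))
            if name not in pkt or str(pkt[name]) != value.strip('"'):
                return False
        elif clause not in pkt:
            return False
    return True


def colorize(packets, rules):
    """Apply the filters from the top down: the first rule that matches a packet wins and
    no later rule is tried for it. Returns (frame number, winning rule name or None)."""
    result = []
    for pkt in packets:
        winner = next((rule for rule in rules if matches(rule["filter"], pkt)), None)
        result.append((pkt["frame.number"], winner["name"] if winner else None))
    return result


def shadowed_rules(packets, rules):
    """Names of rules that would match some packet but never win on this capture, because
    an earlier rule always matches first. Reordering BGP above BGP Update produces one."""
    winners = {name for _, name in colorize(packets, rules) if name}
    return [rule["name"] for rule in rules
            if rule["name"] not in winners and any(matches(rule["filter"], p) for p in packets)]


if __name__ == "__main__":
    print("as listed:  ", colorize(PACKETS, COLOR_FILTERS))
    print("reordered:  ", colorize(PACKETS, COLOR_FILTERS[::-1]))
    print("shadowed:   ", shadowed_rules(PACKETS, COLOR_FILTERS[::-1]))
```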

Show Packet in New Window

You can display a packet’s Protocol Tree Window and Data View Window in a new window by selecting a packet in the Summary Window and selecting View | Show Packet in New Window (see Figure 4.29). This is useful when you would like to be able to see detailed information about more than one packet at once. Note that the title bar shows the same information as the summary line for this packet in the Summary Window.

Figure 4.29: Show Packet in New Window

Capture

The Capture menu is shown in Figure 4.30, and the menu entries are explained in Table 4.9.

Figure 4.30: Capture Menu

Table 4.9: Capture Menu Options

Menu Option        Description
Start…             Start a capture.
Stop               Stop a running packet capture.
Capture Filters…   Edit the capture filters.

Capture Options

The Capture Options dialog box, shown in Figure 4.31, can be displayed by selecting Capture | Start….

Figure 4.31: Capture Options Dialog

This dialog box allows us to answer the basic questions about capturing data:

  1. What traffic are we capturing?

  2. Where are we saving it?

  3. How are we displaying it?

  4. When do we stop capturing?

The Capture section allows us to choose which traffic we are capturing. When choosing what traffic to capture we can ask:

  1. Which interface are we capturing from?

  2. How much of each packet are we capturing?

  3. Which packets arriving at the interface are we capturing?

The Interface drop-down list allows us to choose which interface we are going to be capturing from. You can choose from the interfaces listed in the drop-down list, or if the interface you are seeking isn’t listed there, you can enter it manually in the textbox. If both libpcap and the interface you select support multiple link layers for that interface, you can choose which link layer header type to capture using the Link-layer header type: selector.

The Limit each packet to field allows you to choose to capture less than the entire packet. If you enable the Limit each packet to checkbox and provide a number in the Limit each packet to textbox, then only the first number of bytes you indicate will be captured from each packet. Be aware that if you choose to capture less than the full packet Ethereal may mark many of your packets as fragments. This is because all of the data expected by the dissectors in Ethereal may not be present due to the packets having been truncated.

The Capture packets in promiscuous mode checkbox and the Filter: textbox allow you to choose which packets arriving at the interface will be captured. If you enable the Capture packets in promiscuous mode checkbox, Ethereal will put the interface into promiscuous mode before capturing data. Normally, an interface only passes onto the operating system packets that are addressed to the link layer address assigned to that interface. When an interface is in promiscuous mode it passes on all packets arriving at the interface to the operating system. So, if you choose not to capture in promiscuous mode, you will only capture packets addressed to or being sent by the interface on which you are capturing. If you choose to capture in promiscuous mode you will capture all packets arriving at the interface. Entering a tcpdump-style capture filter in the Filter textbox will cause Ethereal to only capture packets matching that capture filter. If you click on the Filter button then the Edit Capture Filter List dialog box will be displayed to allow you to choose among previously defined capture filters. See the section entitled “Edit Capture Filter List” for more details.

The Capture File(s) section allows you to choose where to save the capture. If you choose to leave this section blank, Ethereal will save the capture to a temporary file, and you can choose to save the capture at some later point by selecting File | Save As. If you enter a filename in the File textbox, Ethereal will save the capture to that file. Clicking the File button will open the Save As dialog box. If you enable the Use ring buffer checkbox, you can save your capture to a ring buffer. Saving to a ring buffer will be dealt with in a separate section.

The Display options section allows you to choose how you are going to display packets as they are captured. By default, Ethereal does not update the list of packets in the Summary Window during capture, but only once the capture is stopped. If you enable the Update list of packets in real time checkbox, Ethereal will update the Summary Window as soon as a packet is captured and processed. By default, when Ethereal is updating the Summary Window during live capture, new packets are appended to the end of the Summary Window, and the Summary Window does not scroll up old packets to reveal new ones. To have the Summary Window scroll up to display the most recent packets, enable the Automatic scrolling in live capture checkbox. If you change your mind about whether you want automatic scrolling once a capture has started, you can select View | Options to enable or disable this feature.

The Capture limits section allows you to choose when to stop capturing. You can, of course, always manually stop a capture by selecting Capture | Stop, but it is sometimes convenient to set conditions under which the capture will automatically stop. There are three types of automatic limits to a capture supported by Ethereal:

  1. Capture a specified number of packets.

  2. Capture a specified number of kilobytes of traffic.

  3. Capture for a specified number of seconds.

Ethereal will allow you to set up any combination of these three limits simultaneously: it is possible to limit the number of packets, the number of kilobytes, and the number of seconds at the same time. Whenever one of the limits is satisfied, the capture will stop.

If you enable the Stop capture after… packet(s) captured checkbox and enter a number of packets in the Stop capture after… packet(s) captured textbox, the capture will stop when it has reached the specified number of packets. If you enable the Stop capture after… kilobyte(s) captured checkbox and enter a number of kilobytes in the Stop capture after… kilobyte(s) captured textbox, the capture will stop once it has reached the specified number of kilobytes. If you enable the Stop capture after… second(s) checkbox and enter a number of seconds in the Stop capture after… second(s) textbox, the capture will stop when the specified number of seconds have elapsed since the beginning of the capture.

The Name resolution section allows you to choose the name resolution options for the capture. Name resolution options are described earlier in the chapter in the section entitled “Open”.

When you have specified your capture choices via the Capture Options dialog box, you can start the capture by clicking the OK button. The Capture Dialog will then be displayed, as shown in Figure 4.32.


Figure 4.32: Capture Dialog Box

The Capture dialog box displays the number of packets of various protocols that have been captured, and the percentage of all captured traffic consisting of those protocols. In Figure 4.32 a total of 707 packets have been captured, of which 363 (51.3%) are TCP packets, 4 (0.6%) are UDP packets, and 340 (48.1%) are ARP (Address Resolution Protocol) packets. You can stop the capture at any time by clicking the Stop button.

Ring Buffer Captures

There are applications in which it makes sense to capture network traffic to a series of smaller files. Frequently, you may want to limit the number of such smaller files, and delete the oldest when starting a new one. Such a structure is called a ring buffer, because conceptually the data fills up a buffer and when it reaches the end it loops back to the beginning.

There are certain questions that need to be answered about using ring buffer files:

  1. How many capture files in the ring buffer?

  2. What are those capture files named?

  3. When do we rotate to the next capture file?

To enable ring buffer captures, access the Capture Options dialog box and enable the Use ring buffer checkbox. The appearance of the Capture Options dialog box will change, as shown in Figure 4.33.

Figure 4.33: Capture Options Dialog Box: Use Ring Buffer Selected

The Rotate capture file every… second(s) checkbox becomes available and the Stop capture after… kilobytes captured checkbox is renamed Rotate capture file every… kilobyte(s) and becomes unavailable.

The Number of files textbox allows you to choose how many files are in the ring buffer. If you choose zero, the number of ring buffer files is assumed to be infinite: no old files will be deleted to make room for new files.

The File textbox provides the base name for the filenames in the capture ring buffer. The base name is broken up into a prefix and a suffix. The filename of a ring buffer capture file is prefix_NNNNN_YYYYMMDDhhmmss.suffix. Where NNNNN is a five-digit zero-padded count indicating the sequence number of the ring buffer file, YYYY is a four-digit year, MM is the two-digit zero-padded month, DD is a two-digit zero-padded date, hh is a two-digit zero-padded hour, mm is a two-digit zero-padded minute, and ss is a two-digit zero-padded second. For example, if the file foo.bar.libpcap was the fifth capture file in the ring buffer created at 23:21:01 on January 8, 2004, it would be named foo.bar_00005_20040108232101.libpcap. It is important to note that the sequence numbers in the filenames increase monotonically. If a ring buffer has three files in it, when the fourth capture file is started it will have the sequence number 00004, and the file with the sequence number 00001 will be deleted. The sequence numbers are not recycled as we loop through the ring.

The Rotate capture file every… kilobyte(s) textbox and the optional Rotate capture file every… second(s) textbox allow you to choose when the capture files will be rotated. You must provide a kilobyte limit to the size of a capture file in the ring buffer by entering a number (or accepting the default value) in the Rotate capture file every… kilobyte(s) textbox. If a capture file reaches the number of kilobytes you have specified, a new capture file will be created to store any new packets captured, and the oldest capture file in the ring buffer may be deleted if the new capture file puts you over the limit specified in the Number of files textbox. If you enable the Rotate capture file every… second(s) checkbox and enter a number of seconds in the Rotate capture file every… second(s) textbox, if a capture file has been open for the number of seconds you specify, a new capture file will be created to store any new packets captured. The oldest capture file in the ring buffer may then be deleted if the new capture file puts you over the limit specified in the Number of files textbox.
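The naming and rotation rules above, worked through as an added Python simulation (not Ethereal's own code): it builds and parses the prefix_NNNNN_YYYYMMDDhhmmss.suffix names and tracks which files survive as packets arrive. Assumptions: the suffix is whatever follows the last dot of the base name, and the class and function names are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Added example, not Ethereal's own code: a simulation of the ring buffer
# naming and rotation rules, useful for predicting which files a long-running
# capture leaves behind. Class and function names are constructed.

PAGE_EXAMPLE_TIME = datetime(2004, 1, 8, 23, 21, 1)  # the timestamp used in the text


def split_base_name(base_name):
    """'foo.bar.libpcap' -> ('foo.bar', 'libpcap'). Assumption: the suffix is
    whatever follows the last dot; a name with no dot has an empty suffix."""
    prefix, dot, suffix = base_name.rpartition(".")
    return (prefix, suffix) if dot else (base_name, "")


def ring_file_name(base_name, seq, when):
    """Build prefix_NNNNN_YYYYMMDDhhmmss.suffix for ring buffer file number seq."""
    prefix, suffix = split_base_name(base_name)
    name = "%s_%05d_%s" % (prefix, seq, when.strftime("%Y%m%d%H%M%S"))
    return name + "." + suffix if suffix else name


_RING_NAME = re.compile(
    r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})(?:\.(?P<suffix>[^.]+))?$")


def parse_ring_file_name(name):
    """Inverse of ring_file_name: (prefix, seq, datetime, suffix), or None."""
    m = _RING_NAME.match(name)
    if m is None:
        return None
    return (m.group("prefix"), int(m.group("seq")),
            datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S"), m.group("suffix") or "")


class RingBuffer:
    """Tracks the files of a ring buffer capture as packets are written.

    num_files == 0 means unlimited: nothing is ever deleted. A file is rotated
    when it reaches max_kbytes, or (optionally) once it has been open for
    max_seconds. Sequence numbers only ever increase; they are not recycled.
    """

    def __init__(self, base_name, num_files, max_kbytes, max_seconds=None):
        self.base_name = base_name
        self.num_files = num_files
        self.max_bytes = max_kbytes * 1024
        self.max_seconds = max_seconds
        self.seq = 0
        self.files = []     # files currently on disk, oldest first
        self.deleted = []   # files removed to stay within num_files
        self.cur_bytes = 0
        self.opened_at = None

    def _rotate(self, when):
        self.seq += 1
        self.files.append(ring_file_name(self.base_name, self.seq, when))
        self.cur_bytes, self.opened_at = 0, when
        if self.num_files and len(self.files) > self.num_files:
            self.deleted.append(self.files.pop(0))

    def start(self, when):
        self._rotate(when)

    def write(self, packet_bytes, when):
        """Store one packet. Assumption: the time limit is checked before the
        packet is written and the size limit after it, so a file may slightly
        exceed max_kbytes but never holds a packet older than max_seconds."""
        if (self.max_seconds is not None
                and when - self.opened_at >= timedelta(seconds=self.max_seconds)):
            self._rotate(when)
        self.cur_bytes += packet_bytes
        if self.cur_bytes >= self.max_bytes:
            self._rotate(when)


def three_file_example():
    """The case in the text: a three-file ring; starting file 00004 deletes 00001."""
    ring = RingBuffer("foo.bar.libpcap", num_files=3, max_kbytes=1)
    ring.start(PAGE_EXAMPLE_TIME)
    for i in range(1, 4):   # three 1 KB packets, each filling and rotating a file
        ring.write(1024, PAGE_EXAMPLE_TIME + timedelta(seconds=i))
    return ring.files, ring.deleted
```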

start sidebar
Tools & Traps…
Handling Large Captures

Into everyone’s life eventually falls a problem that involves enormous amounts of network data to analyze. Maybe it’s an intermittent problem that happens only every couple of days where you need to see the message exchange that leads up to the problem. Maybe it’s a problem on a fairly active network. Whatever the reason, the issue of capturing and analyzing large amounts of network traffic is a common one. As captures become larger, Ethereal consumes more memory, and filtering or finding packets begins to take a very long time.

In these situations it is best to use Tethereal, the console-based version of Ethereal, to do the actual capture and initial processing of the data. To capture from an interface <interface> to a file <savefile>, use this command:

tethereal -i <interface> -w <savefile>

If you have a limited amount of space and/or want to limit the size of your capture files, you can use the ring buffer functionality with Tethereal to capture from interface <interface> to <num_capture_files> capture files, each with maximum size <filesize> and base filename <savefile>, by executing the following at the command line:

tethereal -i <interface> -w <savefile> -b <num_capture_files> -a filesize:<filesize>

Once you have captured the data you need, you can then use Tethereal to prune the capture down to a more manageable size. To use a display filter string <filter string> to filter a capture file <savefile> and save the results to a new capture file <newsavefile>, you would execute the following at the command line:

tethereal -r <savefile> -w <newsavefile> -R '<filter string>'

An example might be if you needed to extract all packets from the capture file that were captured between Jan 8, 2004 22:00 and Jan 8, 2004 23:00. To perform this feat you would execute the following at the command line:

tethereal -r <savefile> -w <newsavefile> -R '(frame.time >= "Jan 8, 2004 22:00:00.00") && (frame.time <= "Jan 8, 2004 23:00:00.00")'

Once you have pruned the data down to a size where Ethereal’s performance is workable, open the capture file in Ethereal to perform more involved analysis.

end sidebar

Note 

The Use ring buffer checkbox is incompatible with the Update list of packets in real time checkbox, and Ethereal will not allow you to enable Use ring buffer if you have already enabled Update list of packets in real time. Unfortunately, the reverse is not true: Ethereal will allow you to select Update list of packets in real time if Use ring buffer has already been selected. When this occurs, the Use ring buffer checkbox will automatically (and without warning) be disabled. This, in turn, causes the Rotate capture file every… kilobyte(s) checkbox to revert to Stop capture after… kilobyte(s), but it is left still selected, and with a value set (1 kilobyte by default). The net result is that not only do you not get a ring buffer capture in such a situation, but you also get your capture stopped after 1 byte.

Edit Capture Filter List

The Edit Capture Filter List dialog box is displayed by selecting Capture | Capture Filters… (Figure 4.34).

Figure 4.34: Edit Capture Filter List Dialog Box

This dialog box allows you to create new tcpdump-style capture filters, described in Chapter 5, and to save them for later use. To create a new capture filter, provide a name for your filter in the Filter name textbox, provide a tcpdump-style capture filter string in the Filter string textbox, and click the New button. In Figure 4.35 we have created a capture filter named HTTP Traffic with the filter string port 80.

Figure 4.35: Edit Capture Filter List Dialog Box Example

You can select an existing capture filter from the Capture Filters list and choose to change, delete, or copy it. To change an existing capture filter, select it from the Capture Filters list, change its name in the Filter name textbox and/or change its tcpdump-style capture filter string in the Filter string textbox, and then click the Change button. To copy an existing capture filter, select the capture filter from the Capture Filters list and click the Copy button, as shown in Figure 4.36.

Figure 4.36: Edit Capture Filter List Dialog Box: Copy

You can delete a capture filter by selecting it from the Capture Filters list and clicking the Delete button. If you wish to have your list of capture filters available in a subsequent Ethereal session, then you must click the Save button to save them to disk.

Analyze

The Analyze menu is shown in Figure 4.37, and its options are explained in Table 4.10.

Figure 4.37: Analyze Menu

Table 4.10: Analyze Menu Options

Menu Option                      Description
Display Filters…                 Edit the display filters.
Match                            Submenu for preparing and applying a display filter based upon the protocol field selected in the Protocol Tree Window.
Prepare                          Submenu for preparing a display filter based upon the protocol field selected in the Protocol Tree Window.
Enabled Protocols…               Enable and disable the decoding of individual protocols.
Decode As…                       Specify decoding certain packets as being part of a particular protocol.
User Specified Decodes           Report which user specified decodes are currently in force.
Follow TCP Stream                Display an entire TCP stream at once.
TCP Stream Analysis              Submenu for choosing a TCP Stream Analysis tool.
Summary                          Display a summary of the capture file.
Protocol Hierarchy Statistics    Display statistics in a tree view for the protocols in the capture.
Statistics                       Submenu for choosing a Statistics tool.

Edit Display Filter List

The Edit Display Filter List dialog box, shown in Figure 4.38, can be displayed by selecting Analyze | Display Filters….

Figure 4.38: Edit Display Filter List Dialog Box

This dialog box is designed to help you construct a filter string. To create a new filter string, click the Add Expression button. The Filter Expression dialog box (Figure 4.39) will be displayed.

Figure 4.39: Filter Expression Dialog Box

Select the protocol you are interested in for your filter expression and expand it to show which of its fields can be filtered. Select the desired filter field. When you pick a relation other than is present, the Filter Expression dialog box will change to show your options for that field, as shown in Figure 4.40.

Figure 4.40: Filter Expression Dialog: Equality

In this case, we have chosen the equality (==) relation. You can choose the value you wish to match and click the Accept button. The result will be to insert the filter expression you just constructed into the Filter string: textbox (Figure 4.41).

Figure 4.41: Edit Display Filter List Dialog Box: Filter String

If you wish to save the filter string you have just created, type a name in the Filter name textbox and click the New button. The filter string will be added to the Display Filters list of the dialog box (Figure 4.42).

Figure 4.42: Edit Display Filter List Dialog Box: Filter Name

You can select an existing display filter from the list and choose to change, delete, or copy it. To change an existing display filter, select it from the list, change its name in the Filter name textbox and/or change its display filter string in the Filter string textbox and then click the Change button. To copy an existing display filter, select it from the list and click the Copy button.

You can save the list for use in later Ethereal sessions by clicking the Save Button.

If you have accessed the Edit Display Filter List dialog box from the filter bar or some other part of Ethereal from which you can apply a display filter, then an OK button will also be available. Use this button to apply the filter and close the dialog box. Use the Apply button to apply your filter and leave the dialog box open (see Figure 4.43).

Figure 4.43: Display Filter Dialog Box: OK/Apply Buttons

This has only been a very rudimentary introduction to display filtering; a more in-depth discussion can be found in Chapter 5.

Match and Prepare Submenus

The Match and Prepare submenus have the same options and behave in the same way with one exception; the Prepare submenu items prepare a display filter string and place it in the Filter textbox. The Match submenu items prepare a display filter string, place it in the Filter textbox and apply it to the capture. Because of their close similarity we will only discuss the Match submenu.

The Match submenu becomes available when you have selected a field in the Protocol Tree Window with an associated filter name that can be used in a display filter string. An example is shown in Figure 4.44.

Figure 4.44: Match Submenu

In Table 4.11, we can see the filter string that would be put in the Filter: textbox for each of the Match submenu options for the example in Figure 4.44.

Table 4.11: Match Submenu Option Examples

Menu Option         Display Filter String
Selected            bgp.type == 1
Not Selected        !(bgp.type == 1)
And Selected        (ip.addr == 192.168.0.15) && (bgp.type == 1)
Or Selected         (ip.addr == 192.168.0.15) || (bgp.type == 1)
And Not Selected    (ip.addr == 192.168.0.15) && !(bgp.type == 1)
Or Not Selected     (ip.addr == 192.168.0.15) || !(bgp.type == 1)

Enabled Protocols

The Enabled Protocols dialog box, shown in Figure 4.45, is displayed by selecting Analyze | Enabled Protocols….

Figure 4.45: Enabled Protocols Dialog Box

This dialog box allows you to enable or disable the decoding of one or more protocols. To toggle a protocol between Enabled and Disabled, click its entry in the Status column. Additionally, you can enable all protocols by clicking the Enable All button, disable all protocols by clicking the Disable All button, or enable all disabled protocols and disable all enabled protocols by clicking the Invert button. You can apply these settings to all Ethereal sessions by clicking the Save button.

Decode As

To force the decode of a packet, select it in the Summary Window and then select Analyze | Decode As…. The Decode As dialog box will be displayed, as shown in Figure 4.46.

Figure 4.46: Decode As Dialog Box: Link Tab

When Ethereal is decoding a packet it uses magic numbers in each protocol to decide which dissector to use to decode subsequent parts of the packet. Magic numbers are values that specify some higher-level protocol, like Ethertype 0x0800 specifying that an Ethernet packet contains an IP packet, or IP protocol 6 specifying that an IP packet contains a TCP payload, or TCP port 179 specifying that a TCP packet is carrying a BGP payload. There are occasions when you want to override Ethereal’s choices in how to decode subsequent parts of the packet based on these magic numbers. The most common examples involve TCP ports. Ethereal frequently decides which dissector to call next for a TCP packet based upon the source or destination port. We may be running a protocol over a non-standard port, like running HTTP over port 7000 for example. The Decode As feature allows us to tell Ethereal about such non-standard cases.

Ethereal allows the user to force decodes based upon the magic numbers in the link layer, network layer, or transport layer. For the transport layer we have the option of decoding based on source, destination or both, as shown in Figure 4.47.

Figure 4.47: Decode As Dialog Box: Transport Tab

To force a particular decode you need to answer the questions:

  1. After which layer do I want to start forcing my custom decode?

  2. Which magic number do I want to key off of to determine whether to decode a packet with my custom decode?

  3. Which protocol do I want the remaining traffic in the packet decoded as?

To choose the layer at which you want to start forcing your custom decode, select the appropriate tab (Link, Network, or Transport). You have a choice of which magic numbers to pick for the transport layer, where you can pick source port, destination port, or both. Then, you may select from the list of protocols as to how you want the remaining traffic in the packet decoded.

Click the Show Current button to open the Decode As: Show dialog box in order to see which decodes are currently being forced.

Decode As: Show

The Decode As: Show dialog box (Figure 4.48) can also be displayed by selecting Analyze | User Specified Decodes from the menu bar.


Figure 4.48: Decode As: Show

This dialog box displays the decodes you have specified through the Decode As dialog box, one per line. The Table column shows the type of magic number for which we are showing the alternate decode, in this case the TCP port. The Port column shows the magic number for which we are providing an alternate decode, in this case 179. The Initial column shows the dissector that would normally be used to decode the payload of a packet with this magic number and magic number type, in this case BGP. And, finally, the Current column shows the dissector currently being used to decode the payload of packets having this magic number and magic number type, in this case HTTP.
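An added example, not Ethereal's own code, of the dispatch the Decode As dialog overrides: a miniature dissector chain driven by the Ethertype, IP protocol and TCP port magic numbers, with a forced-decode table for the Transport tab and the report the Decode As: Show dialog gives. The dissector names, the "data" fallback and the direction chosen for the port 7000 case are assumptions.

```python
# Added example, not Ethereal's own code: a miniature dissector dispatch that
# follows the chain of magic numbers described above (Ethertype, then IP
# protocol, then TCP port) and honours a user-specified Decode As table for
# the Transport tab. Dissector names and the "data" fallback are constructed.

ETHERTYPES = {0x0800: "ip"}            # Ethertype -> network-layer dissector
IP_PROTOS = {6: "tcp", 17: "udp"}      # IP protocol number -> transport dissector
TCP_PORTS = {80: "http", 179: "bgp"}   # well-known TCP port -> payload dissector


class DecodeAs:
    """Forced decodes keyed by TCP port, remembering which port must match:
    'source', 'destination' or 'both', as chosen on the Transport tab."""

    def __init__(self):
        self.forced = {}  # port -> (match, dissector)

    def force_tcp_port(self, port, dissector, match="both"):
        if match not in ("source", "destination", "both"):
            raise ValueError("match must be 'source', 'destination' or 'both'")
        self.forced[port] = (match, dissector)

    def show(self):
        """Rows of the Decode As: Show dialog: (Table, Port, Initial, Current)."""
        return [("TCP port", port, TCP_PORTS.get(port, "data"), current)
                for port, (_match, current) in sorted(self.forced.items())]

    def _forced_payload(self, src_port, dst_port):
        for port, role in ((src_port, "source"), (dst_port, "destination")):
            entry = self.forced.get(port)
            if entry is not None and entry[0] in (role, "both"):
                return entry[1]
        return None

    def dissect(self, ethertype, ip_proto, src_port=0, dst_port=0):
        """Return the chain of dissectors called for one packet, outermost first."""
        chain = ["eth"]
        net = ETHERTYPES.get(ethertype)
        if net is None:
            return chain + ["data"]
        chain.append(net)
        transport = IP_PROTOS.get(ip_proto)
        if transport != "tcp":
            return chain + [transport or "data"]
        chain.append(transport)
        payload = self._forced_payload(src_port, dst_port)
        if payload is None:
            # Assumption: with no forced decode, either port may pick the dissector.
            payload = TCP_PORTS.get(src_port) or TCP_PORTS.get(dst_port) or "data"
        return chain + [payload]


def page_examples():
    """The two cases in the text: port 179 forced from BGP to HTTP in both
    directions, and HTTP on the non-standard server port 7000."""
    table = DecodeAs()
    table.force_tcp_port(179, "http")
    table.force_tcp_port(7000, "http", match="destination")
    return table
```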

Contents of TCP Stream

The Contents of TCP Stream window (Figure 4.49) can be displayed by selecting a TCP packet in the Summary Window and then selecting Analyze | Follow TCP Stream from the menu bar.

Figure 4.49: Contents of TCP Stream Window

In this example, a TCP packet that was part of an HTTP conversation with the web server for www.syngress.com is shown. By default, one side of the conversation is shown in red (the upper portion), the other in blue (the lower portion). For readability purposes the side of the conversation that is normally blue has been changed to white text on a dark blue background, using the TCP Streams color selector. By scrolling down in this window you are able to see all of the data exchanged during this TCP conversation. If you click the Entire conversation selector you can choose between displaying the entire conversation, or one of the directions (Figure 4.50).

Figure 4.50: Follow TCP Stream: Direction Selector

Clicking the Save As button will bring up a Save As dialog box for you to save the stream contents as a text file. Clicking the Print button will print the capture as text; note that there is no dialog box associated with the Print button. The Filter out this stream button will append the necessary filter string to the one in the filter bar and close the Contents of TCP Stream window. This can be very handy when going through a large capture: as you examine the possible TCP streams of interest one by one and exclude each from the Summary Window, only the data you have not yet considered remains.

You also have the option of choosing how the TCP stream is presented. In Figure 4.50 the ASCII option is selected. By choosing the EBCDIC option you could cause the stream to be presented with EBCDIC (Extended Binary Coded Decimal Interchange Code, a proprietary IBM character set). If you choose the Hex Dump option you will see a hexadecimal dump of the TCP stream. And, if you choose the C Arrays option, the TCP stream will be shown as a series of C arrays (arrays in the C programming language).

TCP Stream Analysis Submenu

The TCP Stream Analysis submenu, shown in Figure 4.51, can be displayed by selecting a TCP packet in the Summary Window and selecting Analyze | TCP Stream Analysis from the menu bar. TCP Stream Analysis submenu options are shown in Table 4.12.

Figure 4.51: TCP Analysis Submenu

Table 4.12: TCP Stream Analysis Submenu Options

Menu Option                       Description
Time-Sequence Graph (Stevens)     Displays a time-sequence graph in the style used by W. Richard Stevens’ TCP/IP Illustrated book.
Time-Sequence Graph (tcptrace)    Displays a time-sequence graph in the style used by the tcptrace program, which can be found at www.tcptrace.org/.
Throughput Graph                  Displays a graph of throughput versus time.
RTT Graph                         Displays a graph of round trip time (RTT) versus sequence number.

Time-Sequence Graph (Stevens)

The time-sequence graph (Stevens) produces a simple graph of TCP sequence number versus time for the TCP stream containing the packet that was selected in the Summary window. The first derivative of this graph is the TCP traffic throughput. In an ideal situation where we have a constant throughput, the graph would be a straight rising line with its slope equaling the throughput.

Unfortunately, things are seldom ideal, and you can learn a lot about where throughput problems are coming from by looking at the time-sequence graph. Figure 4.52 shows a graph of a throughput problem. You can reproduce this graph by selecting the first packet of the tcp_stream_analysis.libpcap capture file and selecting Analyze | TCP Stream Analysis | Time-Sequence Graph (Stevens). The capture file used for this graph is a classic example of TCP retransmission, exactly the kind of issue the TCP Stream Analysis tools are used to debug. The full network capture can be found on the accompanying CD, and has been added to the collection of network captures on the Ethereal website.

In Figure 4.52 (after about 0.3 seconds), the traffic has a nice even slope (constant throughput) until around 3 seconds, when there is a major disruption, as shown by the discontinuity in the graph. This gap suggests TCP retransmissions. The Stevens style time-sequence graph is simple, but you can see very clearly where your problems are.

Figure 4.52: Time-Sequence Graph (Stevens)

Time-Sequence Graph (tcptrace)

The time-sequence graph (tcptrace) is also primarily a graph of TCP sequence numbers vs. time. Unlike the Stevens’ style time-sequence graph, it conveys a lot more information about the TCP stream. In Figure 4.53 you can see that the tcptrace style time-sequence graph of this stream looks very similar to the Stevens’ style time-sequence graph.

Figure 4.53: Time-Sequence Graph (tcptrace)

Explaining the elements shown in the tcptrace style time-sequence graph is made easier by using some of the graph manipulation tools that are available in all of the TCP stream analysis graphs. By Ctrl + right-clicking on the graph, you can magnify a portion of the graph, as shown in Figure 4.54.

Figure 4.54: Time-Sequence Graph (tcptrace): Magnify

The box in the middle of the graph in Figure 4.54 is magnifying the region of discontinuity where packet loss has occurred. To get an even better view of it we can use the zoom feature. By clicking on the graph with the middle mouse button (if you have one) you can zoom in on the part of the graph you are clicking on. Shift + middle-click zooms out. When you have zoomed in/out, clicking and dragging with the right mouse button on the graph will allow you to move around in the zoomed graph. A zoom in on the region of discontinuity is shown in Figure 4.55.

Figure 4.55: Time-Sequence Graph (tcptrace): Zoom

This is a zoom-in on the section of the graph just before the discontinuity. You can see the beginning of the discontinuity on the far right of the graph. Marked in bolded type are the different elements of the tcptrace style time-sequence graph. The lower line represents the sequence number of the last ACK (TCP Acknowledgement) seen. The top line represents the TCP window. It consists of the sequence number of the last observed TCP ACK plus the last seen TCP window size advertised. The little hash marks on the lower line represent duplicate ACKs, and the little “I” bars represent transmitted segments.

Figure 4.56 is the same graph as Figure 4.55, but with different annotations to magnify what went wrong for this TCP stream. The capture behind this graph was taken from the receiver of a large transmission over TCP. Therefore, we generally only see the segments that we are receiving from the far end. What is seen in this graph is that early on the receiver missed two segments. The receiver continued to ACK the last segment received, and to receive subsequent segments until the segments received filled up the TCP window. A couple of other segments were lost along the way. Finally, we receive the second missed segment, the third missed segment, and then the fourth missed segment. But, because the first missed segment has not yet turned up, the receiver keeps sending the same duplicate ACK.

Figure 4.56: Time-Sequence Graph(tcptrace): Diagnosis

In Figure 4.57 we see how this logjam finally resolves:

Figure 4.57: Time-Sequence Graph (tcptrace): Zoom in on Retransmit

In Figure 4.57 you can see the missing segment, presumed to be a retransmit, arrive. At this point, an ACK is transmitted acknowledging the last received segment, the TCP window increases, and the receiver begins to receive segments again.

Throughput Graph

The throughput graph (Figure 4.58) shows the throughput of the TCP stream versus time.

Figure 4.58: Throughput Graph

You can see in Figure 4.58 that the throughput fell off dramatically during the retransmit sequence seen in the time-sequence graphs.

RTT Graph

The RTT graph (Figure 4.59) shows the round trip time versus sequence number.

Figure 4.59: RTT Graph

You can see the round trip time spike around sequence number 1000000, roughly the same sequence number where we saw the discontinuity in the time-sequence graphs.
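An added example, not Ethereal's own graphing code, that recomputes from a constructed receiver-side trace what the Stevens and tcptrace time-sequence graphs, the throughput graph and the RTT graph plot: sequence versus time, the ACK and window lines with duplicate ACKs, the discontinuity and the retransmission, throughput per interval, and RTT per segment. The trace, its timings and all function names are constructed.

```python
from dataclasses import dataclass

# Added example, not Ethereal's own graphing code: recomputes what the Stevens
# and tcptrace time-sequence graphs, the throughput graph and the RTT graph
# plot, from a constructed receiver-side trace of the kind discussed above
# (a lost segment, duplicate ACKs, then a retransmission).


@dataclass
class Segment:
    time: float          # seconds since the start of the capture
    from_sender: bool    # True: data arriving from the far end; False: our ACK
    seq: int = 0         # first payload byte (data segments)
    length: int = 0      # payload bytes (data segments)
    ack: int = 0         # acknowledgement number (ACK segments)
    win: int = 0         # advertised receive window (ACK segments)


# Constructed trace: 1000-byte segments every 10 ms; the segment at seq 2000
# is lost, the receiver repeats ack=2000 three times, and the retransmission
# finally arrives at t=0.300 s.
TRACE = [
    Segment(0.010, True, seq=0, length=1000),
    Segment(0.011, False, ack=1000, win=8000),
    Segment(0.020, True, seq=1000, length=1000),
    Segment(0.021, False, ack=2000, win=8000),
    Segment(0.040, True, seq=3000, length=1000),  # seq 2000 never arrived
    Segment(0.041, False, ack=2000, win=8000),    # duplicate ACK
    Segment(0.050, True, seq=4000, length=1000),
    Segment(0.051, False, ack=2000, win=8000),    # duplicate ACK
    Segment(0.060, True, seq=5000, length=1000),
    Segment(0.061, False, ack=2000, win=8000),    # duplicate ACK
    Segment(0.300, True, seq=2000, length=1000),  # retransmission
    Segment(0.301, False, ack=6000, win=8000),
]


def data_segments(trace):
    return [s for s in trace if s.from_sender]


def ack_segments(trace):
    return [s for s in trace if not s.from_sender]


def stevens_points(trace):
    """Stevens graph: (time, seq) per data segment; its slope is the throughput."""
    return [(s.time, s.seq) for s in data_segments(trace)]


def tcptrace_lines(trace):
    """tcptrace graph: lower line = last ACK, upper line = ACK + window.
    Returns (lower, upper, dup_ack_times); duplicate ACKs are the hash marks."""
    lower, upper, dups = [], [], []
    last_ack = None
    for a in ack_segments(trace):
        lower.append((a.time, a.ack))
        upper.append((a.time, a.ack + a.win))
        if a.ack == last_ack:
            dups.append(a.time)
        last_ack = a.ack
    return lower, upper, dups


def gaps_and_retransmits(trace):
    """A gap is a data segment starting above the highest byte seen so far (the
    discontinuity in the graphs); a retransmit is one starting below it."""
    gaps, retransmits = [], []
    highest_end, seen_any = 0, False
    for s in data_segments(trace):
        if seen_any and s.seq > highest_end:
            gaps.append((s.time, highest_end, s.seq))  # bytes [highest_end, seq) missing
        elif seen_any and s.seq < highest_end:
            retransmits.append((s.time, s.seq))
        highest_end = max(highest_end, s.seq + s.length)
        seen_any = True
    return gaps, retransmits


def throughput(trace, bucket_ms=100):
    """Throughput graph: payload bytes per second in fixed time buckets."""
    totals = {}
    for s in data_segments(trace):
        b = int(round(s.time * 1000)) // bucket_ms   # integer ms avoids float bucket edges
        totals[b] = totals.get(b, 0) + s.length
    last = max(totals) if totals else -1
    return [(b * bucket_ms / 1000, totals.get(b, 0) * 1000 / bucket_ms)
            for b in range(last + 1)]


def rtt_points(trace):
    """RTT graph: (seq, seconds until the first later ACK covering the segment)."""
    acks = ack_segments(trace)
    points = []
    for s in data_segments(trace):
        end = s.seq + s.length
        for a in acks:
            if a.time >= s.time and a.ack >= end:
                points.append((s.seq, round(a.time - s.time, 6)))
                break
    return points
```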

Graph Control

Throughout this section we will be referring to any of the windows containing a TCP stream analysis graph as a graph window. The term graph window may refer to a Stevens’ or tcptrace style time-sequence graph, a throughput graph, or an RTT graph. Whenever a graph window is created, a Graph Control dialog box is also created, as shown in Figure 4.60.


Figure 4.60: Graph Control Dialog Box: Zoom Tab

Notice that the number on the dialog box (1) matches the number on the graph window in Figure 4.56 (1). In the event that multiple graph windows are opened, you can use the index number to associate a Graph Control dialog box with its graph window.

The Zoom tab, shown in Figure 4.60, allows us to set the parameters related to the zoom functionality of the graph window. The Horizontal and Vertical textboxes are not for user entry of data; rather, they show the amount of zoom currently applied in the graph window.

The Horizontal step and Vertical step textboxes allow you to set the horizontal and vertical zoom factors applied to the graph when you Shift + middle-click in the graph window. If you enable the Keep them the same checkbox, then whenever you change either the horizontal step or vertical step, the other will be changed to the same value. The Preserve their ratio checkbox causes the ratio between the horizontal step and the vertical step to be preserved. If the horizontal step was 1.2 and the vertical step was 2.4, when you changed the horizontal step to 1.3, then the vertical step would automatically change to 2.6.

The Zoom lock section allows you to lock either the horizontal or the vertical axis so that zoom is not applied to it. If you enable the horizontal option, no matter what the value of the horizontal step is, zooming will not change the horizontal scale at all. The same is true if you select the vertical option: no matter what the value of the vertical step is, zooming will not change the vertical scale at all.

The Magnify tab, shown in Figure 4.61, allows you to control the parameters associated with the magnify functionality.


Figure 4.61: Graph Control Dialog Box: Magnify Tab

The Width and Height textboxes allow you to set the width and height of the magnification box that is displayed when you Ctrl + right-click in the graph window. The X: and Y: textboxes allow you to set the x and y offset of the magnification box from the location of the mouse pointer. This can be handy to offset the magnification box to somewhere where it won’t occlude the graph. The Horizontal: and Vertical: textboxes allow you to set the zoom factor used to enlarge the graph in the magnification box. The Keep them the same checkbox will cause the horizontal and vertical zoom factors to change in accordance with one another, and the Preserve their ratio checkbox will cause the ratio between the horizontal and vertical zoom factors to remain constant.

The Origin tab, shown in Figure 4.62, allows you to change the various origins of the graph.


Figure 4.62: Graph Control Dialog Box: Origin Tab

The Time origin section allows you to choose the zero of time for your graph. If you select the beginning of this TCP connection option, the start of the TCP connection being graphed is used as your zero of time. If you select the beginning of capture option, the start of the capture is used as your zero of time.

The Sequence number origin section will allow you to choose whether your actual TCP sequence numbers or the relative TCP sequence numbers (the TCP sequence numbers minus your initial TCP sequence number) are shown on the graph. It is frequently convenient to use the relative sequence number because it gives you some notion of how much data has been transmitted. If you select the initial sequence number option, the relative TCP sequence numbers will be used. If you select the 0 (=absolute) option, the actual TCP sequence numbers will be used in the graph.

The Cross tab, shown in Figure 4.63, allows you to control whether crosshairs follow the mouse pointer in the graph window.


Figure 4.63: Graph Control Dialog Box: Cross Tab

If you select the off radio button, there will be no crosshairs following the mouse pointer in the graph window. If you select the on option, there will be crosshairs following the mouse pointer in the graph window.

Once you have the graph window displayed, you can use the Graph type tab, shown in Figure 4.64, to change which type of graph is being displayed.


Figure 4.64: Graph Control Dialog Box: Graph Type Tab

If you select the Time/Sequence (tcptrace-style) option, the time-sequence (tcptrace-style) window will be displayed. If you select the Time/Sequence (Stevens’-style) option, the time-sequence (Stevens’-style) window will be displayed. If you select the Throughput option, the throughput graph window will be displayed. If you select the Round-trip Time option, the RTT graph window will be displayed.

By default, if you have applied a zoom to the graph window for one graph type it will persist if you change graph types. If you enable the Init on change checkbox, each time you change graph types the zoom will be reset.

Summary

The Summary dialog box, shown in Figure 4.65, can be displayed by selecting Analyze | Summary from the menu bar.

Figure 4.65: Summary Dialog Box

This dialog box provides information about the capture file, basic statistics about the capture data, and basic information about the capture.

Protocol Hierarchy Statistics

The Protocol Hierarchy Statistics dialog box, shown in Figure 4.66, can be displayed by selecting Analyze | Protocol Hierarchy Statistics from the menu bar.

Figure 4.66: Protocol Hierarchy Statistics Dialog Box

This dialog box provides a tree representation of protocols and statistics associated with them. Table 4.13 provides a description of what the columns mean:

Table 4.13: Protocol Hierarchy Statistics Columns

Column

Description

Protocol

The protocol on which statistics are being reported. The protocol may have sub-items on the tree representing the protocols it contains. For example, IP contains TCP and UDP.

% Packets

Percentage of all packets in the capture that are of this protocol.

Packets

The number of packets in the capture that are of the protocol.

Bytes

The number of bytes in this capture containing this protocol.

End Packets

The number of packets for which this protocol is the last protocol in the decode. For example, a TCP SYN packet containing no data would be an end packet for TCP and counted in TCP’s end packets count.

End Bytes

The number of bytes for which this protocol is the last protocol in the decode.
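As an added example (not code from the book or from Ethereal), the following Python script computes the Table 4.13 columns for a small constructed capture, so you can see how Packets/Bytes and End Packets/End Bytes differ: every protocol on a frame's decode path gets credit for the frame, but only the last protocol gets it as an "end packet". The frame list and protocol names are constructed sample data.

```python
# Added example, not from the book: computes the Protocol Hierarchy Statistics
# columns of Table 4.13 over a constructed set of frames.  Each frame is the
# ordered list of protocols in its decode plus its length in bytes.  A frame
# counts toward Packets/Bytes of every protocol on its path, but toward
# End Packets/End Bytes only of the last protocol (a TCP SYN without data
# is an end packet for TCP, not for IP).

class Node:  # one row of the hierarchy tree: a protocol and its counters
    def __init__(self, name):
        self.name = name
        self.packets = self.bytes = self.end_packets = self.end_bytes = 0
        self.children = {}  # child protocol name -> Node, insertion ordered

def build_hierarchy(frames):
    """Return the unnamed root Node of the protocol tree for `frames`."""
    root = Node("frame")
    for layers, length in frames:
        node = root
        for depth, proto in enumerate(layers):
            node = node.children.setdefault(proto, Node(proto))
            node.packets += 1
            node.bytes += length
            if depth == len(layers) - 1:  # last protocol in this decode
                node.end_packets += 1
                node.end_bytes += length
    return root

def rows(root, total_packets, indent=0):
    """Flatten the tree depth-first into table rows with a % Packets column."""
    out = []
    for node in root.children.values():
        pct = round(100.0 * node.packets / total_packets, 2) if total_packets else 0.0
        out.append((" " * indent + node.name, pct, node.packets, node.bytes,
                    node.end_packets, node.end_bytes))
        out.extend(rows(node, total_packets, indent + 2))
    return out

SAMPLE_FRAMES = [  # constructed sample capture: (decode chain, frame length)
    (["eth", "ip", "tcp"], 74),            # TCP SYN, no data: ends at tcp
    (["eth", "ip", "tcp", "http"], 512),
    (["eth", "ip", "udp", "dns"], 90),
    (["eth", "arp"], 60),
    (["eth", "ip", "tcp", "http"], 1514),
]

if __name__ == "__main__":
    print("%-12s %9s %8s %6s %11s %9s" % ("Protocol", "% Packets", "Packets",
                                          "Bytes", "End Packets", "End Bytes"))
    for r in rows(build_hierarchy(SAMPLE_FRAMES), len(SAMPLE_FRAMES)):
        print("%-12s %9.2f %8d %6d %11d %9d" % r)
```

Running it prints the tcp row as 3 packets / 2100 bytes but only 1 end packet / 74 end bytes, since the two HTTP frames are end packets for http rather than tcp.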

Statistics Submenu

The Statistics submenu, shown in Figure 4.67, provides a variety of specialized tools to analyze network traffic. These statistics are reported for certain protocol features.

Figure 4.67: Statistics Submenu

However, the tools in the Statistics submenu are quite specialized and beyond the scope of this book.

Help

The Help menu is shown in Figure 4.68, and the Help options are explained in Table 4.14.

Figure 4.68: Help Menu

Table 4.14: Help Menu Options

Menu Option

Description

Contents

Displays the Contents for the Ethereal online help.

Supported Protocols

Displays a list of the supported protocols and the display filter fields they provide.

About Plugins

Displays a list of plugins being used and their versions.

About Ethereal

Displays information about Ethereal version and compile information.

Contents

The Contents dialog box, shown in Figure 4.69, can be displayed by selecting Help | Contents from the menu bar.

Figure 4.69: Help Contents Dialog Box

This dialog box provides tabs giving an overview of Ethereal, information about Capture Filters, information about Display Filters, some well-known information about networking, and answers to Frequently Asked Questions (FAQs).

Supported Protocols

The Supported Protocols dialog box, shown in Figure 4.70, can be displayed by selecting Help | Supported Protocols from the menu bar.

Figure 4.70: Supported Protocols Dialog Box

This dialog box provides a list of the protocols supported by the current version of Ethereal and a list of the display filter fields provided in the current version of Ethereal.

About Plugins

The About Plugins dialog box, shown in Figure 4.71, can be displayed by selecting Help | About Plugins from the menu bar.


Figure 4.71: About Plugins Dialog Box

This dialog box provides a list of the plugins currently loaded into Ethereal and their versions. Ethereal will load all plugins available to it at start time, but there is no GUI that allows you to load or unload a plugin.

About Ethereal

The About Ethereal dialog box, as shown in Figure 4.72, can be displayed by selecting Help | About Ethereal from the menu bar.

Figure 4.72: About Ethereal Dialog Box

This dialog box contains information about the version of Ethereal you are running and which options it was compiled with. This information is important to know if you are ever reporting a bug to the Ethereal developers.

Pop-up Menus

Ethereal has context-sensitive pop-up menus to assist you in performing tasks. None of these menus actually provide any additional functionality beyond what is available through the menu bar, but they are easier and quicker to use in some circumstances.

Summary Window Pop-up Menu

The Summary Window pop-up menu, shown in Figure 4.73, can be displayed by right-clicking on the Summary Window.

Figure 4.73: Summary Window Pop-up Menu

The Summary Window pop-up menu provides functionality that has been covered earlier in the chapter. Table 4.15 indicates where to find more information in this chapter on the Summary Window pop-up menu options.

Table 4.15: Summary Window Pop-up Menu References

Menu Option

Reference

Follow TCP Stream

See “Analyze: Follow TCP Stream”

Decode As…

See ”Analyze: Decode As”

Display Filters…

See “Analyze: Display Filters”

Mark Packet

See “Edit: Mark Packet”

Time Reference

See “Edit: Time Reference”

Match

See “Analyze: Match”

Prepare

See “Analyze: Prepare”

Coloring Rules…

See “Analyze: Coloring Rules”

Print…

See “File: Print”

Show Packet in New Window

See “View: Show Packet in New Window”

Protocol Tree Window Pop-up Menu

The Protocol Tree pop-up menu, shown in Figure 4.74, can be displayed by right-clicking on the Protocol Tree Window.

Figure 4.74: Protocol Tree Window Pop-up Menu

The Protocol Tree Window pop-up menu provides functionality that has been covered earlier in the chapter. Table 4.16 includes descriptions for some items and indicates where to find more information in this chapter for other items.

Table 4.16: Protocol Tree Window Pop-up Menu References/Descriptions

Menu Option

Reference/Description

Follow TCP Stream

See “Analyze: Follow TCP Stream”

Decode As…

See “Analyze: Decode As”

Display Filters…

See “Analyze: Display Filters”

Resolve Name

Forces resolution of all names for this packet. See the Ethereal Name Resolution sidebar for more information about Ethereal name resolution. Note that this option is only available if all name resolution is disabled.

Go To Corresponding Packet

See “Edit: Go To Corresponding Packet”

Protocol Properties…

See “Edit: Preferences”

Match

See “Analyze: Match”

Prepare

See “Analyze: Prepare”

Collapse All

See “View: Collapse All”

Expand All

See “View: Expand All”

Data View Window Pop-up Menu

The Data View Window pop-up menu, shown in Figure 4.75, can be displayed by right-clicking in the Data View Window.

Figure 4.75: Data View Window Pop-up Menu

The Data View Window pop-up menu provides functionality that has been covered earlier in this chapter. Table 4.17 indicates where to find more information in this chapter on the Data View Window pop-up menu options.

Table 4.17: Data View Window Pop-up Menu References

Menu Option

Reference

Follow TCP Stream

See “Analyze: Follow TCP Stream”

Decode As…

See “Analyze: Decode As”

Display Filters…

See “Analyze: Display Filters”

Save Highlighted Data…

See “File: Export”

Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Pages: 105
Authors: Syngress