Omnipeek Getting Started
Forensic search from the Forensics tab
The Forensics tab in the Capture Engines window displays the capture sessions available on the Capture Engine. Performing a forensic search from the Forensics tab lets you select one of the capture sessions, display its data in the Timeline graph, and then perform a forensic search on specific parts of the data.
IMPORTANT: One or more forensic captures on the Capture Engine are required before you can perform a forensic search from the Forensics tab.
To perform a forensic search from the Forensics tab:
1. From the Capture Engines window, select the Forensics tab of a connected Capture Engine. The Forensics tab displays the data currently available from the capture storage space of the Capture Engine.
The parts of the Forensics tab are described here:
Header Information: The header information displays statistics for the capture session (data start time, data end time, duration, status, packets, packets dropped, adapter, etc.).
Top Talkers by IP Address: This display shows a graph of the top “talkers” on the network, broken out by node, for the area selected in the Timeline graph below. You can right-click inside the display to show top talkers by Physical Address, IP Address, or IPv6 Address, or to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the node.
Top Applications by Bytes: This display shows a graph of top applications on the network for the selected area in the Timeline graph below. You can right-click inside the display to toggle the display with the Top Protocols display, or to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the application.
Top Protocols by Bytes: This display shows a graph of top protocols on the network for the selected area in the Timeline graph below. You can right-click inside the display to toggle the display with the Top Applications display, or to select a Bar or Pie display. Mouse over a bar (or slice) of the graph to view a tooltip with additional details for the protocol.
Timeline graph: The Timeline graph displays the data of the selected capture session. Only one capture session at a time can be displayed inside the graph. By default, the graph shows network utilization in Mbits/s, but other statistics can be graphed as well by selecting the View type.
Here are descriptions of other parts of the Timeline graph:
Right-click inside the graph to perform a forensic search (see Forensic search below), download the selected packets to a capture file, refresh the window, or choose a different graph format (Bar, Stacked Bar, Skyline, Area, Stacked Area, Line, Line/Points) or axis scale (Linear or Logarithmic). You can also toggle the display of the minimum and maximum points for each series on the graph.
Mouse over a data point in the graph to view a tooltip displaying timestamp and size information (e.g., time and rate, time and packet size, etc.).
If the Time window is set to anything other than Automatic and the session holds more data than fits in the graph, a scroll bar appears below the graph and allows you to view different points of time in the session. With the Time window set to Automatic, the whole session is fitted to the graph and the scroll bar never appears.
View type: Select the type of statistics to display in the Timeline graph. You can select from:
Network Utilization (Mbits/s)
Network Utilization (Packets/s)
Unicast/Multicast/Broadcast
Packet sizes
VLAN/MPLS
Protocols (Mbits/s)
Protocols (Packets/s)
Call Quality
Call vs. Network Utilization
Wireless Packets (Packets/s)
Wireless Retries (Packets/s)
NOTE: To display statistics for a Call Quality or Call vs. Network Utilization view type, the VoIP Stats option must be selected when you first create the capture and configure the General options of the Capture Options dialog.
Time window: Select the time interval to display in the Timeline graph. By default, Automatic is selected to display the optimum window based on the available data. Intervals from 5 Minutes (1 Sec. Avg.) to 24 Hours (5 Min. Avg.) are also available.
Forensic search: Click to display the Forensic Search dialog where you can adjust the forensic search settings. Click the small down arrow next to Forensic Search to display custom or pre-configured settings for performing a forensic search. You can change any option prior to clicking Start:
Custom: Creates a Forensic Search window based on the customized settings that you configure.
Overview: Creates a Forensic Search window based on settings that display an overview of the selected data in the capture session.
Packets: Creates a Forensic Search window containing a packets-only view.
Expert: Creates a Forensic Search window based on settings that are optimized for Expert analysis.
Voice & Video: Creates a Forensic Search window based on settings that are optimized for Voice & Video analysis.
Download Packets: Click to download the packets from the selected capture session, in the selected time range.
Refresh: Click to refresh the screen. For an active capture session, you can also set an automatic refresh interval by selecting an interval from the drop-down list to the right of Refresh.
Nested tabs: There are three nested tabs available from within the Forensics tab: Timeline, Storage, and Details. Each tab allows you to view and select the capture data you wish to search in various formats. The Timeline, Storage, and Details tabs are described in detail below.
2. From any of the nested tabs, click (or, from the Details nested tab, double-click) the capture session you wish to search. The selected capture session is displayed in orange to indicate that it is selected, and its data is loaded into the Timeline graph at the top.
IMPORTANT: A session represents a contiguous period of time when packets are captured from a particular interface. A session is created each time you start a capture. A capture can have multiple sessions, and each session can be separated by periods of inactivity. Forensic analysis can then be performed on each session. Sessions are displayed in any of the nested tabs available from the Forensics tab.
3. In the Timeline graph, drag to select the area of the selected capture you wish to search. If no area of the graph is selected, the entire capture is selected by default.
NOTE: The packet count displayed above the Timeline graph is an approximation of the packets currently selected.
TIP: You can adjust the exact time range from the Forensic Search dialog.
4. Click Forensic Search (or click the small down arrow next to Forensic Search and select the type of forensic search you wish to perform). The Forensic Search dialog appears.
NOTE: Selecting one of the pre-defined types of forensic searches displays the Forensic Search dialog with the Analysis & Output options pre-configured for that type of forensic search. You can change any option prior to clicking Start.
5. Complete the dialog to specify the criteria for extracting data from the selected capture:
NOTE: If you wish to perform a forensic search on a capture session that is still active and capturing packets, we recommend that you stop the capture first. If you continue without stopping the capture, clear the Packets check box under Analysis & Output in the Forensic Search dialog before clicking Start.
Name: Enter a name for the forensic search.
Time Range: Select this option and then configure the start and end times to extract the data.
Start time: Set the start date and time for extracting data. Only the data captured between the start time and end time is extracted.
End time: Set the end date and time for extracting data. Only the data captured between the start time and end time is extracted.
Duration: Displays the amount of time between the specified start and end times.
Filters: Click to select a filter from the display list. All packets will be accepted if no filters are applied to the forensic search.
To create an advanced filter, click Filters and select Insert filter, Insert Operator, or Insert Expression from the display.
Analysis & Output: Select one or more of the options to enable and display that particular view in the new Forensic Search window. For various Analysis & Output options that have additional configurable settings, click the submenu to the right of the option.
6. Click Start. A new Forensic Search window appears, with two progress bars at the top of the window. (Clicking Stop halts the search; the packets already retrieved are then processed and displayed.)
Once the processing of the packets is complete, the progress bars go away and the new Forensic Search window is populated with the data found based on the criteria you selected above.
7. From the new Forensic Search window, you can further narrow down the data by performing any of the post-capture analysis methods described in the Omnipeek User Guide.
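The whole procedure, reduced to what it does to stored packets, as an added illustration in Python (this is not Omnipeek code and not its API): a constructed 30-second session is bucketed into a timeline at the 1 Sec. Avg. and 5 Min. Avg. intervals from step 1, a drag selection is counted from whole buckets the way the approximate count above the graph has to be, and the exact extraction of step 5 (time range plus filter) and a top-talkers view are run over the same packets. The packet records, addresses, and the `timeline`, `approx_selected`, `forensic_search` and `top_talkers` helper names are all constructed for the example.

```python
# Added example (not Omnipeek code): a toy model of what the Forensics tab
# does with stored packets. Packets are constructed; timestamps are integer
# milliseconds since session start so the bucketing is exact.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_ms: int   # capture timestamp, ms since session start
    size: int    # bytes on the wire
    src: str
    dst: str
    proto: str


def sample_session():
    """Constructed 30 s session: a 10 pkt/s TCP baseline plus a 2 s UDP
    burst (100 pkt/s) starting at t=12 s."""
    pkts = [Packet(i * 100, 128 if i % 2 else 1400, "10.0.0.5", "10.0.0.1", "TCP")
            for i in range(300)]
    pkts += [Packet(12000 + i * 10, 1500, "10.0.0.9", "10.0.0.1", "UDP")
             for i in range(200)]
    return sorted(pkts, key=lambda p: p.ts_ms)


def timeline(pkts, interval_ms):
    """Average packets into fixed buckets, like the Timeline graph's
    '1 Sec. Avg.' (1000) or '5 Min. Avg.' (300000) series.
    Returns {bucket_start_ms: (packets, mbits_per_s)}."""
    acc = defaultdict(lambda: [0, 0])
    for p in pkts:
        b = p.ts_ms // interval_ms * interval_ms
        acc[b][0] += 1
        acc[b][1] += p.size
    secs = interval_ms / 1000
    return {b: (n, nbytes * 8 / secs / 1e6) for b, (n, nbytes) in sorted(acc.items())}


def approx_selected(tl, interval_ms, start_ms, end_ms):
    """Packet count a bucketed timeline can report for a drag selection:
    it can only add up whole buckets the selection touches, which is why the
    count shown above the graph is an approximation."""
    return sum(n for b, (n, _) in tl.items()
               if b + interval_ms > start_ms and b < end_ms)


def forensic_search(pkts, start_ms, end_ms, accept=lambda p: True):
    """Exact extraction: packets with start <= ts < end that pass the filter
    (no filter means every packet in the range is accepted)."""
    return [p for p in pkts if start_ms <= p.ts_ms < end_ms and accept(p)]


def top_talkers(pkts, n=3):
    """Top talkers by bytes per IP address, counting both directions."""
    c = Counter()
    for p in pkts:
        c[p.src] += p.size
        c[p.dst] += p.size
    return c.most_common(n)


if __name__ == "__main__":
    session = sample_session()
    one_sec = timeline(session, 1000)
    five_min = timeline(session, 300_000)
    print("peak 1 s bucket:", max(one_sec.items(), key=lambda kv: kv[1][1]))
    print("5 min average:", five_min)
    sel = (12500, 13500)
    print("approx count:", approx_selected(one_sec, 1000, *sel))
    hits = forensic_search(session, *sel, accept=lambda p: p.proto == "UDP")
    print("exact UDP packets in range:", len(hits))
    print("top talkers:", top_talkers(session))
```

Running it shows two things the dialog's numbers depend on: the 5-minute average flattens the 1.26 Mbit/s burst to 0.014 Mbit/s, so pick a Time window whose averaging interval is shorter than the event you are looking for, and a selection whose edges fall mid-bucket is over-counted (220 estimated against 110 actual), which is why the exact Start and End times in the dialog, not the drag, decide what is extracted.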