OmniPeek network analyzer is among the easiest network analysis and troubleshooting software solutions on the market. Its highly extensible architecture enables additional capture and analysis capabilities via plug-ins. Adapter plug-ins allow OmniPeek to capture data from additional remote sources, and analytic plug-ins provide targeted visualization and search abilities within OmniPeek.
WildPackets – and even some of our customers – have created over 40+ plug-ins with the following being the most popular.
Remote TCPDump Adapter
TCPdump is a standard tool on Linux and Unix-based systems. The Remote TCPdump adapter enables OmniPeek to perform real-time remote packet capture from those servers. The user interface allows standard BPF-style TCPdump capture filters, while the implementation uses SSH for fully automated control of the remote capture. Additionally, the use of SSH provides data protection for packets in transit, making this an excellent choice for remote capture, even across an untrusted network such as the public Internet.
Wireless Channel Aggregator
The Wireless Channel Aggregator extends OmniPeek’s wireless analyzer in order to provide true multi-channel capture of wireless packets, without the compromises of channel hopping or scanning. In an enterprise environment, there are likely to be multiple channels in use across the ESS, which means there is going to be a lot of roaming. Multi-channel capture with the Wireless Channel Aggregator lets you monitor client roaming, as well as assuring uninterrupted upper-layer data capture. It can also measure the latency of roaming devices and provides a full picture of channel use on your network.
Network analysis via packet capture faces a challenge in modern networks: switches are designed to reduce packet leakage, which makes capturing a challenge. While using port spanning or mirroring is a helpful solution, it’s just not practical to use the span port to monitor all switch traffic all the time. Fortunately, there is a useful compromise: NetFlow.
The NetFlow Analyzer plug-in for OmniPeek enables statistical analysis of traffic via metadata. While NetFlow doesn’t provide the full flow information, it does provide the kind of “Top 10” and trending data that network operations teams rely on for ongoing monitoring. Since the NetFlow data is coming directly from your switches, it also means that you can quickly change gears from monitoring to troubleshooting by changing the switch configuration from NetFlow to traffic mirroring, going from a “10,000 foot view” all the way down to a microscopic analysis.
In addition, since the NetFlow Analyzer is part of OmniPeek, it allows you to analyze and troubleshoot the NetFlow stream itself!
Data Analysis Plug-ins
Latency Monitor Plug-in
Part of network monitoring is detecting sources of latency. The Latency Monitor plug-in provides valuable insight by measuring two types of latency, network and application, in order to figure out whether the issue originated from the network or the application side.
This monitoring technique is completely passive, using packets already captured so that it does not affect network performance in any way. The latency results can be graphed together in order to easily see where the problems are with the network or the applications. This is a great plug-in for network intelligence giving IT staff the information to make intelligent decisions about how to improve network or application performance.
One important area of network monitoring is security incident response. Most security teams are very familiar with “regular expressions” or “regex,” which use a powerful text search language. To support those teams – and anyone else familiar with regex – we have developed the FilterMe plug-in. It adds a tab to our capture window, similar to the built-in filters tab, and allows a user to create and maintain a list of regular expressions that can be used as filters both during forensic searching and during real-time capture, making the creation and access to these regular expressions easy and convenient.
In addition, the UI for this plug-in features a tool bar with add, edit, copy, delete, import, and export buttons. Import and Export are especially important to allow team members to share regexes with each other, or to do bulk imports of regexes which have been extracted from locations such as Snort rules.
Application Specific Plug-Ins
The WebStats plug-in monitors web, FTP and TCP streams and displays the resulting statistics in the summary stats window. All of the different stats’ groups that this plug-in can monitor can be turned on or off through the option dialogue box like the one below. Through the summary stats area within OmniPeek you will be able to see the stats for all of these different data types.
The advantage of using the WebStats plug-in for OmniPeek is that you get insight into what’s really happening on the wire. Web server logs are notorious for displaying messages only about transactions that have completed. Server-side errors which result in partial page downloads may never show up in any web server log analytics. Viewing the transactions from the network allows deeper information and insight into the true browser-server interactions, because even partial transactions transfer information.
Instant Messenger Plug-in
This plug-in displays conversations for AIM, Yahoo, and MSN protocols. WildPackets customers in highly regulated industries such as financial trading and healthcare have used this plug-in in combination with our other plug-ins like the Regular Expression search to perform incident research on whether data has improperly (read: illegally!) been transmitted outside the network.
Even as web design tools become more common and more sophisticated, there is still a need for network-based analysis. If a browser refuses to display a page, but the server insists that it’s been sent, viewing the packets that traversed the network provides a straightforward answer to the question of what happened. To make this analysis even easier, the Browser plug-in will render the HTML that it extracts from the network traffic that it captured.
The buttons on the plug-in window allow a user to navigate through the webpages in the capture buffer. The Packets Text shows what packets were used to build each webpage—allowing a user to find key packets in order to troubleshoot webpage or web destination issues quickly.
Plug-Ins Just For Fun
Google™ Map Plug-In
By far our most popular plug-in, the Google Maps plug-in enhances the analysis capabilities of OmniPeek itself. It displays a Google map in OmniPeek that shows the location of all public IP addresses of captured packets. You can toggle over the Google map graphic to see exactly where the source of the data is for each of those bubbles (see image below).
For an in depth, step-by-step tour of our top ten plug-ins click here.
OmniPeek offers a very rich set of analytical and capture capabilities that will help to improve your network monitoring experience. To check out more of our plug-ins go to MyPeek.