Results 1 to 5 of 5

Thread: Eye P.A. User Guide

  1. #1

    Default Eye P.A. User Guide

    Eye P.A. User Guide


    visual packet analysis


    System Requirements
    1) Microsoft .NET Framework 4 Client Profile
    (Eye P.A. installer will direct you to download)

    2) Microsoft .NET Framework 4 Extended
    (Eye P.A. installer will direct you to download)



    Installation

    1) Download the latest version of Eye P.A. from MetaGeek
    http://www.metageek.net/products/eye-pa/download

    2) Once the file has finished downloading, double-click on the installer.
    Go through the installation dialogue. The program will install under
    the directory “MetaGeek.”

    3) Double click on the icon “Eye P.A.” to start the application.

    If this is the first time Eye P.A. is run, it will ask for a license key.
    If you do not have a license key, click the “Continue Trial” button to
    run Eye P.A. in full evaluation mode free for 15 days.


    Live Capture
    Eye P.A. can capture 802.11 packets with an accompanying AirPcap Nx USB adapter, available at: http://www.metageek.net/products/airpcap/
    To begin, connect your device to your computer’s USB and open Eye P.A. From within the FILE menu, select CAPTURE. A new window will appear which will allow you to select your AirPcap, the 2.4 or 5 GHz band and the channel (or two adjacent channels, also known as channel bonding) that you wish to scan. Click START CAPTURE when ready.






    Compatible File Formats

    Eye P.A. visualizes 802.11 captures from a variety of sources.
    Files containing ethernet traffic are not compatible with Eye P.A

    .pcap
    Not all .pcap files are structured in the same format. Eye P.A. requires the use of the Radiotap or 802.11-common headers to calculate the airtime of the wireless packets. The most common program to generate compatible captures is WireShark for Windows, Mac or Linux.

    .pcapng (WireShark 1.8)
    WireShark did change its default file type in 2012 to .pcap-ng. Any version of Wireshark installed within the last year will support this file type. Pcap-NG allows more flexibility like extended-interface and host information, and contains expanded annotation, but it is not compatible with all tools.

    .pkt & .apc (WildPackets Omnipeek)
    WildPackets Omnipeek files containing 802.11 frames can be opened in Eye P.A. if they have the extension .pkt or .apc. Each of these files will export to WireShark in the same manner .pcap or .pcapng will.

    .cap (Microsoft Network Monitor)
    Microsoft added limited support for 802.11 captures with the release of Network Monitor 3.4. The full monitor-mode capabilities are limited to certain wireless cards and might provide little to no information regarding data rate, RSSI and 802.11n frames depending on your wireless access card. However, it is free.

    CommView for Wi-Fi (.ncf)
    Acquire full 802.11n captures on a windows machine without an AirPcap Nx, use CommView for Wi-Fi. Supporting more wireless adapters than other packet analysis applications, it may have limitations similar to Microsoft Network Monitor.

  2. #2

    Default

    HOW TO GET A .pcap FILE

    Eye P.A. is a wireless network data visualization tool. It sorts and displays data that has been captured in a .pcap file in order to make it easy for you to troubleshoot problems with your wireless network.

    You can get a .pcap file in a lot of different ways. The ways listed below are the ones we’re accustomed to gathering them with. We’d love to hear more about how you use .pcap files in our user forum.


    WITH Windows and AirPcap Adapter
    AirPcap is a USB adapter that turns WireShark into a powerful 802.11 WLAN packet analysis tool for Windows computers. Use the AirPcap adapter to establish a baseline for every WLAN implementation and troubleshoot communication issues above and beyond the wired network.

    Get an AirPcap from MetaGeek



    To create a .pcap file with an AirPcap adapter, start WireShark and open WireShark Capture Interface selection tool.


    To configure the AirPcap adapter, click the options in the same row as the AirPcap interface.

    Here you can apply any pre-filters. To ensure accuracy in the packet capture, the filters !(malformed) && (wlan.fcs_good) will filter out any malformed packets and make sure the frame check sequence is accurate.


    In the capture options, click the Wireless Settings button.
    In the advanced Wireless Settings, select the Wi-Fi channel and Offset you would like the AirPcap adapter to scan. Make sure the “Include 802.11 FCS” is selected in the capture dialogue and select “Valid Frames” before clicking “Apply.”


    Once you have returned to the WireShark Capture Options window, click start to begin your capture using an AirPcap adapter.


    WITH Mac OS X Lion and WireShark
    There are two methods in capturing 802.11 frames in Mac OS X Lion:

    Method 1: Use the included utility application, “Wi-Fi Diagnostics”




    Open Finder and navigate to: /System/Library/CoreServices/
    Scroll down and select the Wi-Fi Diagnostics application.
    (you can also make an alias or drag the icon to your dock for easier access later)

    Select "Capture Raw Frames"


    Select "Capture all data from all nearby networks" and
    "Disconnect from the network and capture only data from channel"
    Choose the channel you wish to monitor.



    Click "OK" on the text dialogue window.


    Click Start Capture.
    (Warning: don't make the mistake of clicking continue!).

    Click Stop Capture when you are satisfied with the length of time.



    Choose "Show in finder" and extract the .tgz file to reveal a .pcap file that can be opened in WireShark or Eye P.A.


    Method 2: Use WireShark to create a pcap file using the internal wireless network interface.

    Select the adapter en1 and click options to go into the advanced settings. Select “Capture packets in monitor mode” and then click start. WireShark will begin to log all of the wireless frames. Click File -> Save to create a .pcap which will create a file that can be opened by Eye P.A.


    WITH Microsoft Network Monitor
    Microsoft Network Monitor is a free tool, but unfortunately it does not accurately portray HT 802.11n frames and data rates. MetaGeek recommends using an AirPcap adapter or CommView for Wi-Fi instead. However, the following will help you create files compatible with Eye P.A.

    A list of Network Monitor supported Wi-Fi adapters can be found at this link.

    To download Microsoft Network Monitor 3.4, visit this link.

    To capture 802.11 frames, deselect all of the adapters except for the wireless card in the “Select Networks” pane.


    Click “New Capture” in the top left of the screen.

    Click “Capture Settings” underneath the main menu. A new window will appear. Select your Wi-Fi adapter and then click properties.


    Click “Scanning Options” to put the Wi-Fi card in Monitor Mode.


    Put a check next to “Switch to Monitor Mode” and then select the Wi-Fi channels and time you would like Microsoft Monitor to spend on each channel.


    Click “Apply” and leave the window open. Return to the main window and click “Start.”

    Do not click “Close and Return to Local Mode” in the “Wi-Fi Scanning Options” unless you are done scanning.
    To save the file click “Save As” underneath the main menu.

  3. #3

    Default

    MAIN VIEWS

    Multi-Layered Pie Charts


    Eye P.A. uses multi-layered pie charts to display overall utilization of total packets, total bytes and total amount of air time. The size of the slices in the rings are proportionate to the total, while the colors represent the type of data being displayed.


    The data is a hierarchical breakdown by SSID > Client > Frame Type > Subframe Type. Each slice is divided into smaller slices in the next layer.

    For example, by clicking on a client, Eye P.A. will draw a new multi-layered pie chart with all of the data for that particular client.


    Time Graph



    Eye P.A. displays a historical summary of the data capture in the bottom time slider. By default, the time graph in Eye P.A. selects the capture in its entirety. The user can select a different window of time by dragging the start and stop handles on either side of the time slider. When the user selects a smaller time range both the data visuals and tables will update, only displaying data from the selected range to help you narrow in on unusual network activity.

    Active Selection Legend



    The Active Selection legend located in the top right displays the related data to the center of the multi-layer piechart. This data will change as the user drills down through layers. It displays total time, bytes, number of packets, BSSIDs, clients, and retry rate.

    Table



    The table displays quantifiable metrics for the layer on the next ring out from the center (ring 1). Upon opening a .pcap file, the table will show each BSSID, the total amount of airtime utilized, bytes, number of clients associated, average data frame rate and retry rate.

    The multi-layered pie chart can be rearranged by clicking the table's column headers to sort the data by Total Bytes, Packets or Retry Rate. Similar to a clock, the sorting will start at the 12 position and display clockwise in the pie chart with its order indicated in the table data.

    MULTI-LAYERED PIE CHARTS
    To alternate visually between the different types of data, click the arrow above any pie chart to select TIME, PACKETS, or BYTES and move it to the featured position. This will change the main pie chart and the time graph to that type of data.

    Packets:
    This view represents the proportionate amounts of packets in comparison to the total captured.

    Bytes:

    This view represents 100% of the total data captured in Bytes. Each slice is the total data sent by BSSID or client.

    Time:

    This view represents the proportionate amount of air time each station utilized. It is important to note that lower data rates use more air time than higher data rates to transfer the same number of bytes.

    Wireless is similar to wired communication in the sense that no two devices can “talk” at the same time. Therefore the amount of time each station takes prohibits the other stations from transmitting.

    To simplify and increase the performance speed of Eye P.A. the software will aggregate any small packets into a gray slice labeled “Miscellaneous.” To see the contents of a gray slice, use the associated data table and double click on it. If the gray slice is on the outside of a green ring, expand its parent by clicking on it. Eye P.A. will redraw all of the outer sections to display the data that was aggregated in a gray “Miscellaneous” slice.


    TIME GRAPH


    Time Segment Analysis


    Wireless environments can look different within minutes. Issues may be erratic and intermittent. By adjusting the time span in the slider, users can omit time when the WLAN was functioning properly and focus on a smaller time window when the issue occurred.


    Adjusting Time Window
    The time window is the line graph at the bottom of the display. When opening a .pcap file in Eye P.A., the software will automatically adjust the time window to the beginning and end of the capture. The time window has two handles that can be adjusted in and out to help you choose select times of the capture.

    To move the time window, click in the middle of the handle and drag it to another location in time.





    Packets, Bytes, and Time
    The line graph represents the current largest multi-layered pie chart and will automatically change when the user toggles between the pie charts.

  4. #4

    Default

    MAIN VIEWS

    Multi-Layered Pie Charts


    There are 3 multi-layered pie charts in the main window. Eye P.A.’s multi-layered pie charts continually divide each slice into more slices based on percentages. The size of each slice is proportionate to the total packets, bytes or time utilized.


    Ring Order


    The default ring order in Eye P.A:
    1. BSSID
    2. Associated Clients
    3. Frame Type
    4. Subframe Type


    Drill-Down
    Each element in the multi-layered pie chart can be clicked on, drilling down and breaking the data down into a new pie chart for easy troubleshooting.

    To return to a parent layer, click the center of the pie chart, or the home icon in the top left of the window. The layer directly outside of the center is represented in the table. Double clicking on a row will change the pie charts

    Bread Crumbs

    The bread crumbs represent the hierarchy of the current drill-down, helping you keep track of where you are in the file. Clicking the home icon will return to the default view with no drill-downs applied. The bread crumbs represent each click the user made to get to the current pie chart. At any level, the user can click on a bread crumb element to return to that multi-layered pie chart.


    Hover (Inspector Tool)


    When a user hovers over a slice in the pie chart, a tool tip box will appear, providing additional details like data rate, packet count and retry rate. This information is also displayed in the Associated Data Table.


    Display Filters
    E
    ye P.A. displays all packet types captured in a .pcap file. It can be helpful to filter out certain types of packets like beacons, acknowledgements, or other non-essential frame types to bring out the packets
    that matter the most.
    To remove specific frame types from the multi-
    layered pie charts, click “View” in the main menu at the top of the screen. Checking and unchecking frame types allows the user to selectively choose the which packets Eye P.A. will graph.




    Note: Filtering packets will affect the data exported to WireShark. If “Beacons” are unchecked from the display filters, they will be excluded from the data you can export to WireShark.


    Understanding Color



    Data Rate
    The first two layers in the multi-layered pie chart are colored by the average data rate of the traffic. The shade of green is based on a sliding scale. The minimum average data rate captured is represented by light green, while the highest is represented by dark green, with shades in between.



    Data Frames
    Data frames carry the actual data passed down from higher layer protocols.




    Management Frames
    A majority of the frame types in an 802.11 network.
    Used by wireless stations to join and leave the network.



    Control Frames
    Control frames help with the delivery of the data frames. Control frames must be able to be heard by all stations; therefore, they must be transmitted at one of the basic rates. Control frames are also used to clear the channel, acquire the channel, and provide unicast frame acknowledgments.
    Last edited by MetaGeek; 08-01-2012 at 03:11 PM.

  5. #5

    Default

    ASSOCIATED DATA TABLE



    The Associated Data Table provides details for the innermost ring (Ring 1) of the Multi Layer Pie Chart.

    Table Columns

    • SSID - This is the network name of the Access Point
    • MAC - A unique identifier for each network interface
    • Time - The amount of time used to transmit
    • Bytes - The amount of data transferred
    • Packets - The total # of packets per BSSID
    • Retransmit - The percentage of packets that had to be resent


    SEND TO WIRESHARK


    Send any layer of the multi-layer pie chart to WireShark by clicking “File” in the main menu and then “Send to WireShark.” Conveniently, Eye P.A. automatically bundles up the data in the current multi-layer pie chart, applies the filters you’ve drilled down to select, and sends all of the packets to WireShark for more in-depth analysis.


    FREQUENTLY ASKED QUESTIONS

    What is the “Broadcast” SSID?

    In 802.11 clients or stations can broadcast management frames called Probe Requests. Probe requests occur when stations are looking for access points they previously connected with. These do not occur in a SSID but Eye P.A. groups them into a broadcast group for organizational simplicity.

    Why won’t Eye P.A. open my .pcap file?

    There are currently two types of .pcap files that Eye P.A. can open. The .pcap must contain 802.11 frames with Radiotap or 802.11-common PPI headers. Typically these captures are created using:

    • Wireshark with Airpcap adapter
    • Mac OS X with Wi-Fi Diagnostics or WireShark in Monitor Mode
    • Linux with WireShark or Kismet
    • Export a .cap or .pcap from a wireless access point



    Why are the packet counts different in WireShark and Eye P.A.?
    Sometimes the capturing device receives packets that are malformed or corrupt. Eye P.A. drops any packets that do not have a proper Frame Check Sequence (FCS) in the packet even though Wireshark will display those packets.

    What is a Hidden SSID?
    Some wireless network administrators may hide their SSID, which tells the router not to broadcast its name. Typically only users who know the name of the wireless network can connect to a hidden SSID. However, hidden SSIDs do not really protect your network.


    What is the “Miscellaneous” gray slice?
    The gray slices contain valid packet data from a high amount of different sources. For example a capture file may have 10 top talkers that make up 90 percent of the total traffic. However 100 clients make up the remaining 10 percent. Instead of drawing each slice Eye P.A. aggregates them into miscellaneous slices. They are colored gray because they may contain management, data and control frames. To view any of the data in the gray slice click on its parent slice and all of the data will be redrawn.

    LEARN MORE
    You can learn more about Eye P.A. at our website:
    http://www.metageek.net/products/eye-pa

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •