Using the MSA Wizard - Omnipeek

Omnipeek Getting Started
ft:locale
en-US
Product name
Omnipeek

The MSA wizard guides you through the creation of an MSA project. You can access the MSA wizard in numerous ways as described in Creating an MSA project. This section describes the various screens of the MSA wizard.

Create a New Multi-Segment Project

The Create a new Multi-Segment Analysis project dialog of the MSA wizard is available by choosing File > New Multi-Segment Analysis…. The dialog lets you create a new multi-segment analysis project from scratch.

New Multi-Segment Analysis Project dialog

  • Search for packets on remote engines: Select this option to create an MSA project based on packets obtained from one or more Capture Engines.
  • Use packet files: Select this option to create an MSA project based on one or more packet files.

Time range & Filter

The Time Range & Filter dialog of the MSA wizard lets you choose a time range and filter to apply to your search.

Time Range & Filter settings

  • Start time: Select or enter the start date and time of the range you wish to search.
  • End time: Select or enter the end date and time of the range you wish to search.
  • +/- seconds: Select or enter the number of seconds to add to the search both before the start time and after the end time.
  • Duration: Displays the amount of time between the start and end time specified.
  • Filter: Displays any filters currently defined for the search.
  • Edit: Click to display the Edit Filter dialog, where you can define simple and advanced filters based on any combination of addresses, protocols, and ports. A packet must match all of the conditions specified in order to match the filter.
  • Clear: Click to remove any filters currently defined for the search.

Engines

The Engines dialog displays the groups and Capture Engines currently listed in the Omnipeek Capture Engines window. If you had selected the option to Search for packets on remote engines earlier in the MSA wizard, the Engines dialog appears after clicking Next in the Time Range & Filter dialog of the MSA wizard.

Select Engines

  • Select the check box of the Capture Engines you want to search in your MSA project. If you are not already connected to the Capture Engine, you are first prompted to connect to the Capture Engine by entering domain, username, and password information.
  • Enable all: Click this option to select the check box of all groups and Capture Engine displayed in the dialog.
  • Disable all: Click this option to clear the check boxes of all groups and Capture Engines displayed in the dialog.

Capture Sessions

The Capture Sessions dialog displays the capture sessions found in each of the of the selected Capture Engines. If you had selected the option to Search for packets on remote engines earlier in the MSA wizard, the Capture Sessions dialog appears after clicking Next in the Engines dialog of the MSA wizard. A separate *.wpz file is created for each capture session selected, and each file represents a different network segment. When performing multi-segment analysis, Omnipeek uses *.wpz files to build the MSA project.

Capture Sessions

  • Column header: Displays the column headings currently selected. Right-click the column header to enable/disable columns. Here are the available columns:
    • Engine/Capture Session: The capture sessions available from the Capture Engines selected earlier. Select the check box of the capture sessions you want to search in your MSA project. Capture Engine captures that have both ‘Capture to disk’ and ‘Timeline Stats’ enabled in the capture options, and all TimeLine network recorder captures that have ‘Capture to disk’ enabled in the capture options, appear in the Capture Sessions screen. (MSA-based forensic searches require ‘Timeline Stats.’)
    • Session Start Time: The start time of the capture.
    • Data Start Time: The start time of when data first appeared in the capture.
    • Data End Time: The end time of when data last appeared in the capture.
    • Size: The size (in MB) of the capture session.
    • Packets: The number of packets in the capture session.
    • Packets Dropped: The number of dropped packets in the capture session.
    • Media: The media type of the capture session.
    • Adapter: The name of the adapter used for the capture session.
    • Adapter Address: The address of the adapter used for the capture session.
    • Link Speed: The link speed of the adapter used for the capture session.
    • Owner: The owner name of the adapter used for the capture session.
  • Enable all: Click this option to select the check box of all Capture Engine and capture sessions displayed in the dialog.
  • Disable all: Click this option to clear the check box of all Capture Engine and capture sessions displayed in the dialog.
  • Download files: Choose the location of where to save the *.wpz files created for each of the selected capture sessions.

Progress

The Progress dialog displays the status for saving *.wpz files used for multi-segment analysis. If you had selected the option to Search for packets on remote engines earlier in the MSA wizard, this dialog appears after clicking Next in the Capture Sessions dialog of the MSA wizard.

Search and download progress

Each entry in the dialog lists the following:

  • Capture Engine and capture session name
  • Capture Engine IP address and port
  • Current status for each file

The progress status messages are as follows:

  • Search Progress: Progress of the forensic search, based on the time range and filter specified in the Wizard
  • Saving: Search results are saved as a .wpz file on the engine
  • Deleting Search: The forensic search is deleted on the engine
  • Download Progress: The .wpz file is downloaded to the Omnipeek computer
  • Deleting Remote File: The .wpz file is deleted from the engine
  • Complete: The entire process is complete. Once you see Complete for all capture segments, click Next to continue building the MSA project
Tip: You can cancel the progress of any one of the capture segments by right-clicking and selecting Cancel. You can cancel any of the above stages, except for the Saving stage.

Segments

This Segments dialog lets you add supported capture files captured on separate network segments to your MSA project. In order for the MSA analysis to display correctly in your flow maps and ladder diagrams, each segment file must be properly ordered by the route taken from client to server (when displayed in the flow map and ladder, the client is on the left and the server is on the right). You can manually choose to arrange the files in the dialog.

Tip: If you do not manually arrange the files by the route taken from client to server, you can use the auto-arrange feature available from the Analysis Options dialog. See MSA project analysis options.
Note: When calculating the delay values for the flow map and ladder, MSA assumes that the client is on the left, and the server is on the right. If you create MSA projects that include multiple flows, all of the flows in the project should be initiated from the same direction. For example, flows initiated by two nodes on the private side of a firewall would be suitable to include in a single MSA project. Flows initiated by a node on the private side of a firewall, and flows initiated by a node on the public side of a firewall would not be suitable to include in a single MSA project.

Segments

  • Insert: Click to insert a new segment. You will be prompted to name the segment and select a supported capture file.
  • Edit: Click to edit a selected segment. You can choose to rename the segment or choose another supported file for the segment.
  • Delete: Click to remove a selected segment.
  • Move Up: Click to move a selected segment up in the ordered list of segments. You can also press (Shift or Ctrl)+Up Arrow to move the segment up in the list
  • Move Down: Click to move a selected segment down in the ordered list of segments. You can also press (Shift or Ctrl)+Down Arrow to move the segment down in the list.
  • Column Header: Displays the column headings currently selected. Right-click the column header to enable/disable columns. Here are the available columns:
    • Segment Name: The name of the segment.
    • File: The location and file name of the segment.

Edit Segment

This dialog lets you edit a selected segment.

Edit segment

  • Name: Displays the name of the segment. Type a different name to rename the segment.
  • File: Displays the location and name of the segment file.

Project File

This Project File dialog lets you save the MSA project file (*.msa). Once saved, the MSA project window is displayed.

Note: If your MSA project window is blank, more than likely you have either selected a flow that is not supported by MSA (for example, UDP or IPv6), or it is a flow with fragmented packets.

Project File

  • Project file: Displays the location and MSA project file name (*.msa).